Return to sshkey.c CVS log

Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/sshkey.c, Revision 1.131

1.131   ! djm         1: /* $OpenBSD: sshkey.c,v 1.130 2022/10/28 00:43:08 djm Exp $ */
1.1       djm         2: /*
                      3:  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
                      4:  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
                      5:  * Copyright (c) 2010,2011 Damien Miller.  All rights reserved.
                      6:  *
                      7:  * Redistribution and use in source and binary forms, with or without
                      8:  * modification, are permitted provided that the following conditions
                      9:  * are met:
                     10:  * 1. Redistributions of source code must retain the above copyright
                     11:  *    notice, this list of conditions and the following disclaimer.
                     12:  * 2. Redistributions in binary form must reproduce the above copyright
                     13:  *    notice, this list of conditions and the following disclaimer in the
                     14:  *    documentation and/or other materials provided with the distribution.
                     15:  *
                     16:  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
                     17:  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
                     18:  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
                     19:  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
                     20:  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
                     21:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
                     22:  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
                     23:  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
                     24:  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
                     25:  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
                     26:  */
                     27:
                     28: #include <sys/types.h>
1.7       djm        29: #include <netinet/in.h>
1.1       djm        30:
1.12      djm        31: #ifdef WITH_OPENSSL
1.1       djm        32: #include <openssl/evp.h>
                     33: #include <openssl/err.h>
                     34: #include <openssl/pem.h>
1.12      djm        35: #endif
1.1       djm        36:
                     37: #include "crypto_api.h"
                     38:
                     39: #include <errno.h>
                     40: #include <stdio.h>
                     41: #include <string.h>
                     42: #include <util.h>
1.13      deraadt    43: #include <limits.h>
1.7       djm        44: #include <resolv.h>
1.1       djm        45:
                     46: #include "ssh2.h"
                     47: #include "ssherr.h"
                     48: #include "misc.h"
                     49: #include "sshbuf.h"
                     50: #include "cipher.h"
                     51: #include "digest.h"
                     52: #define SSHKEY_INTERNAL
                     53: #include "sshkey.h"
1.11      djm        54: #include "match.h"
1.86      djm        55: #include "ssh-sk.h"
1.1       djm        56:
1.74      dtucker    57: #ifdef WITH_XMSS
                     58: #include "sshkey-xmss.h"
1.62      markus     59: #include "xmss_fast.h"
1.74      dtucker    60: #endif
1.62      markus     61:
1.1       djm        62: /* openssh private key file format */
                     63: #define MARK_BEGIN             "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     64: #define MARK_END               "-----END OPENSSH PRIVATE KEY-----\n"
                     65: #define MARK_BEGIN_LEN         (sizeof(MARK_BEGIN) - 1)
                     66: #define MARK_END_LEN           (sizeof(MARK_END) - 1)
                     67: #define KDFNAME                        "bcrypt"
                     68: #define AUTH_MAGIC             "openssh-key-v1"
                     69: #define SALT_LEN               16
1.56      djm        70: #define DEFAULT_CIPHERNAME     "aes256-ctr"
1.1       djm        71: #define        DEFAULT_ROUNDS          16
                     72:
                     73: /* Version identification string for SSH v1 identity files. */
                     74: #define LEGACY_BEGIN           "SSH PRIVATE KEY FILE FORMAT 1.1\n"
                     75:
1.76      djm        76: /*
                     77:  * Constants relating to "shielding" support; protection of keys expected
                     78:  * to remain in memory for long durations
                     79:  */
                     80: #define SSHKEY_SHIELD_PREKEY_LEN       (16 * 1024)
                     81: #define SSHKEY_SHIELD_CIPHER           "aes256-ctr" /* XXX want AES-EME* */
                     82: #define SSHKEY_SHIELD_PREKEY_HASH      SSH_DIGEST_SHA512
                     83:
                     84: int    sshkey_private_serialize_opt(struct sshkey *key,
1.62      markus     85:     struct sshbuf *buf, enum sshkey_serialize_rep);
1.14      djm        86: static int sshkey_from_blob_internal(struct sshbuf *buf,
1.1       djm        87:     struct sshkey **keyp, int allow_cert);
                     88:
                     89: /* Supported key types */
1.123     djm        90: extern const struct sshkey_impl sshkey_ed25519_impl;
                     91: extern const struct sshkey_impl sshkey_ed25519_cert_impl;
                     92: extern const struct sshkey_impl sshkey_ed25519_sk_impl;
                     93: extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl;
                     94: #ifdef WITH_OPENSSL
                     95: extern const struct sshkey_impl sshkey_ecdsa_sk_impl;
                     96: extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl;
                     97: extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl;
                     98: extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl;
                     99: extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl;
                    100: extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl;
                    101: extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl;
                    102: extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl;
                    103: extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl;
                    104: extern const struct sshkey_impl sshkey_rsa_impl;
                    105: extern const struct sshkey_impl sshkey_rsa_cert_impl;
                    106: extern const struct sshkey_impl sshkey_rsa_sha256_impl;
                    107: extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl;
                    108: extern const struct sshkey_impl sshkey_rsa_sha512_impl;
                    109: extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
                    110: extern const struct sshkey_impl sshkey_dss_impl;
                    111: extern const struct sshkey_impl sshkey_dsa_cert_impl;
                    112: #endif /* WITH_OPENSSL */
1.62      markus    113: #ifdef WITH_XMSS
1.123     djm       114: extern const struct sshkey_impl sshkey_xmss_impl;
                    115: extern const struct sshkey_impl sshkey_xmss_cert_impl;
                    116: #endif
                    117:
                    118: const struct sshkey_impl * const keyimpls[] = {
                    119:        &sshkey_ed25519_impl,
                    120:        &sshkey_ed25519_cert_impl,
                    121:        &sshkey_ed25519_sk_impl,
                    122:        &sshkey_ed25519_sk_cert_impl,
                    123: #ifdef WITH_OPENSSL
                    124:        &sshkey_ecdsa_nistp256_impl,
                    125:        &sshkey_ecdsa_nistp256_cert_impl,
                    126:        &sshkey_ecdsa_nistp384_impl,
                    127:        &sshkey_ecdsa_nistp384_cert_impl,
                    128:        &sshkey_ecdsa_nistp521_impl,
                    129:        &sshkey_ecdsa_nistp521_cert_impl,
                    130:        &sshkey_ecdsa_sk_impl,
                    131:        &sshkey_ecdsa_sk_cert_impl,
                    132:        &sshkey_ecdsa_sk_webauthn_impl,
                    133:        &sshkey_dss_impl,
                    134:        &sshkey_dsa_cert_impl,
                    135:        &sshkey_rsa_impl,
                    136:        &sshkey_rsa_cert_impl,
                    137:        &sshkey_rsa_sha256_impl,
                    138:        &sshkey_rsa_sha256_cert_impl,
                    139:        &sshkey_rsa_sha512_impl,
                    140:        &sshkey_rsa_sha512_cert_impl,
1.1       djm       141: #endif /* WITH_OPENSSL */
1.123     djm       142: #ifdef WITH_XMSS
                    143:        &sshkey_xmss_impl,
                    144:        &sshkey_xmss_cert_impl,
                    145: #endif
                    146:        NULL
1.1       djm       147: };
                    148:
1.123     djm       149: static const struct sshkey_impl *
                    150: sshkey_impl_from_type(int type)
                    151: {
                    152:        int i;
                    153:
                    154:        for (i = 0; keyimpls[i] != NULL; i++) {
                    155:                if (keyimpls[i]->type == type)
                    156:                        return keyimpls[i];
                    157:        }
                    158:        return NULL;
                    159: }
                    160:
                    161: static const struct sshkey_impl *
                    162: sshkey_impl_from_type_nid(int type, int nid)
                    163: {
                    164:        int i;
                    165:
                    166:        for (i = 0; keyimpls[i] != NULL; i++) {
                    167:                if (keyimpls[i]->type == type &&
                    168:                    (keyimpls[i]->nid == 0 || keyimpls[i]->nid == nid))
                    169:                        return keyimpls[i];
                    170:        }
                    171:        return NULL;
                    172: }
                    173:
1.126     djm       174: static const struct sshkey_impl *
                    175: sshkey_impl_from_key(const struct sshkey *k)
                    176: {
                    177:        if (k == NULL)
                    178:                return NULL;
                    179:        return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid);
                    180: }
                    181:
1.1       djm       182: const char *
                    183: sshkey_type(const struct sshkey *k)
                    184: {
1.123     djm       185:        const struct sshkey_impl *impl;
1.1       djm       186:
1.126     djm       187:        if ((impl = sshkey_impl_from_key(k)) == NULL)
1.123     djm       188:                return "unknown";
                    189:        return impl->shortname;
1.1       djm       190: }
                    191:
                    192: static const char *
                    193: sshkey_ssh_name_from_type_nid(int type, int nid)
                    194: {
1.123     djm       195:        const struct sshkey_impl *impl;
1.1       djm       196:
1.123     djm       197:        if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL)
                    198:                return "ssh-unknown";
                    199:        return impl->name;
1.1       djm       200: }
                    201:
                    202: int
                    203: sshkey_type_is_cert(int type)
                    204: {
1.123     djm       205:        const struct sshkey_impl *impl;
1.1       djm       206:
1.123     djm       207:        if ((impl = sshkey_impl_from_type(type)) == NULL)
                    208:                return 0;
                    209:        return impl->cert;
1.1       djm       210: }
                    211:
                    212: const char *
                    213: sshkey_ssh_name(const struct sshkey *k)
                    214: {
                    215:        return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
                    216: }
                    217:
                    218: const char *
                    219: sshkey_ssh_name_plain(const struct sshkey *k)
                    220: {
                    221:        return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
                    222:            k->ecdsa_nid);
                    223: }
                    224:
                    225: int
                    226: sshkey_type_from_name(const char *name)
                    227: {
1.123     djm       228:        int i;
                    229:        const struct sshkey_impl *impl;
1.1       djm       230:
1.123     djm       231:        for (i = 0; keyimpls[i] != NULL; i++) {
                    232:                impl = keyimpls[i];
1.1       djm       233:                /* Only allow shortname matches for plain key types */
1.123     djm       234:                if ((impl->name != NULL && strcmp(name, impl->name) == 0) ||
                    235:                    (!impl->cert && strcasecmp(impl->shortname, name) == 0))
                    236:                        return impl->type;
1.1       djm       237:        }
                    238:        return KEY_UNSPEC;
                    239: }
                    240:
1.85      djm       241: static int
                    242: key_type_is_ecdsa_variant(int type)
                    243: {
                    244:        switch (type) {
                    245:        case KEY_ECDSA:
                    246:        case KEY_ECDSA_CERT:
                    247:        case KEY_ECDSA_SK:
                    248:        case KEY_ECDSA_SK_CERT:
                    249:                return 1;
                    250:        }
                    251:        return 0;
                    252: }
                    253:
1.1       djm       254: int
                    255: sshkey_ecdsa_nid_from_name(const char *name)
                    256: {
1.123     djm       257:        int i;
1.1       djm       258:
1.123     djm       259:        for (i = 0; keyimpls[i] != NULL; i++) {
                    260:                if (!key_type_is_ecdsa_variant(keyimpls[i]->type))
1.4       djm       261:                        continue;
1.123     djm       262:                if (keyimpls[i]->name != NULL &&
                    263:                    strcmp(name, keyimpls[i]->name) == 0)
                    264:                        return keyimpls[i]->nid;
1.4       djm       265:        }
1.1       djm       266:        return -1;
1.120     djm       267: }
                    268:
                    269: int
                    270: sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
                    271: {
                    272:        int ktype;
                    273:
                    274:        if (sigalgs == NULL || *sigalgs == '\0' ||
                    275:            (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
                    276:                return 0;
                    277:        else if (ktype == KEY_RSA) {
                    278:                return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
                    279:                    match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
                    280:                    match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
                    281:        } else if (ktype == KEY_RSA_CERT) {
                    282:                return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
                    283:                    sigalgs, 0) == 1 ||
                    284:                    match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
                    285:                    sigalgs, 0) == 1 ||
                    286:                    match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
                    287:                    sigalgs, 0) == 1;
                    288:        } else
                    289:                return match_pattern_list(keyname, sigalgs, 0) == 1;
1.1       djm       290: }
                    291:
                    292: char *
1.45      djm       293: sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
1.1       djm       294: {
                    295:        char *tmp, *ret = NULL;
1.123     djm       296:        size_t i, nlen, rlen = 0;
                    297:        const struct sshkey_impl *impl;
1.1       djm       298:
1.123     djm       299:        for (i = 0; keyimpls[i] != NULL; i++) {
                    300:                impl = keyimpls[i];
                    301:                if (impl->name == NULL)
1.45      djm       302:                        continue;
1.123     djm       303:                if (!include_sigonly && impl->sigonly)
1.1       djm       304:                        continue;
1.123     djm       305:                if ((certs_only && !impl->cert) || (plain_only && impl->cert))
1.1       djm       306:                        continue;
                    307:                if (ret != NULL)
1.38      djm       308:                        ret[rlen++] = sep;
1.123     djm       309:                nlen = strlen(impl->name);
1.1       djm       310:                if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
                    311:                        free(ret);
                    312:                        return NULL;
                    313:                }
                    314:                ret = tmp;
1.123     djm       315:                memcpy(ret + rlen, impl->name, nlen + 1);
1.1       djm       316:                rlen += nlen;
                    317:        }
                    318:        return ret;
                    319: }
                    320:
                    321: int
1.11      djm       322: sshkey_names_valid2(const char *names, int allow_wildcard)
1.1       djm       323: {
                    324:        char *s, *cp, *p;
1.123     djm       325:        const struct sshkey_impl *impl;
                    326:        int i, type;
1.1       djm       327:
                    328:        if (names == NULL || strcmp(names, "") == 0)
                    329:                return 0;
                    330:        if ((s = cp = strdup(names)) == NULL)
                    331:                return 0;
                    332:        for ((p = strsep(&cp, ",")); p && *p != '\0';
                    333:            (p = strsep(&cp, ","))) {
1.11      djm       334:                type = sshkey_type_from_name(p);
                    335:                if (type == KEY_UNSPEC) {
                    336:                        if (allow_wildcard) {
                    337:                                /*
                    338:                                 * Try matching key types against the string.
                    339:                                 * If any has a positive or negative match then
                    340:                                 * the component is accepted.
                    341:                                 */
1.123     djm       342:                                impl = NULL;
                    343:                                for (i = 0; keyimpls[i] != NULL; i++) {
                    344:                                        if (match_pattern_list(
                    345:                                            keyimpls[i]->name, p, 0) != 0) {
                    346:                                                impl = keyimpls[i];
1.11      djm       347:                                                break;
1.123     djm       348:                                        }
1.11      djm       349:                                }
1.123     djm       350:                                if (impl != NULL)
1.11      djm       351:                                        continue;
                    352:                        }
1.1       djm       353:                        free(s);
                    354:                        return 0;
                    355:                }
                    356:        }
                    357:        free(s);
                    358:        return 1;
                    359: }
                    360:
                    361: u_int
                    362: sshkey_size(const struct sshkey *k)
                    363: {
1.123     djm       364:        const struct sshkey_impl *impl;
1.69      djm       365:
1.126     djm       366:        if ((impl = sshkey_impl_from_key(k)) == NULL)
1.123     djm       367:                return 0;
                    368:        if (impl->funcs->size != NULL)
                    369:                return impl->funcs->size(k);
                    370:        return impl->keybits;
1.1       djm       371: }
                    372:
                    373: static int
                    374: sshkey_type_is_valid_ca(int type)
                    375: {
1.123     djm       376:        const struct sshkey_impl *impl;
                    377:
                    378:        if ((impl = sshkey_impl_from_type(type)) == NULL)
1.1       djm       379:                return 0;
1.123     djm       380:        /* All non-certificate types may act as CAs */
                    381:        return !impl->cert;
1.1       djm       382: }
                    383:
                    384: int
                    385: sshkey_is_cert(const struct sshkey *k)
                    386: {
                    387:        if (k == NULL)
                    388:                return 0;
                    389:        return sshkey_type_is_cert(k->type);
                    390: }
                    391:
1.90      markus    392: int
                    393: sshkey_is_sk(const struct sshkey *k)
                    394: {
                    395:        if (k == NULL)
                    396:                return 0;
                    397:        switch (sshkey_type_plain(k->type)) {
                    398:        case KEY_ECDSA_SK:
                    399:        case KEY_ED25519_SK:
                    400:                return 1;
                    401:        default:
                    402:                return 0;
                    403:        }
                    404: }
                    405:
1.1       djm       406: /* Return the cert-less equivalent to a certified key type */
                    407: int
                    408: sshkey_type_plain(int type)
                    409: {
                    410:        switch (type) {
                    411:        case KEY_RSA_CERT:
                    412:                return KEY_RSA;
                    413:        case KEY_DSA_CERT:
                    414:                return KEY_DSA;
                    415:        case KEY_ECDSA_CERT:
                    416:                return KEY_ECDSA;
1.85      djm       417:        case KEY_ECDSA_SK_CERT:
                    418:                return KEY_ECDSA_SK;
1.1       djm       419:        case KEY_ED25519_CERT:
                    420:                return KEY_ED25519;
1.90      markus    421:        case KEY_ED25519_SK_CERT:
                    422:                return KEY_ED25519_SK;
1.62      markus    423:        case KEY_XMSS_CERT:
                    424:                return KEY_XMSS;
1.1       djm       425:        default:
                    426:                return type;
                    427:        }
                    428: }
                    429:
1.131   ! djm       430: /* Return the cert equivalent to a plain key type */
        !           431: static int
        !           432: sshkey_type_certified(int type)
        !           433: {
        !           434:        switch (type) {
        !           435:        case KEY_RSA:
        !           436:                return KEY_RSA_CERT;
        !           437:        case KEY_DSA:
        !           438:                return KEY_DSA_CERT;
        !           439:        case KEY_ECDSA:
        !           440:                return KEY_ECDSA_CERT;
        !           441:        case KEY_ECDSA_SK:
        !           442:                return KEY_ECDSA_SK_CERT;
        !           443:        case KEY_ED25519:
        !           444:                return KEY_ED25519_CERT;
        !           445:        case KEY_ED25519_SK:
        !           446:                return KEY_ED25519_SK_CERT;
        !           447:        case KEY_XMSS:
        !           448:                return KEY_XMSS_CERT;
        !           449:        default:
        !           450:                return -1;
        !           451:        }
        !           452: }
        !           453:
1.1       djm       454: #ifdef WITH_OPENSSL
                    455: /* XXX: these are really begging for a table-driven approach */
                    456: int
                    457: sshkey_curve_name_to_nid(const char *name)
                    458: {
                    459:        if (strcmp(name, "nistp256") == 0)
                    460:                return NID_X9_62_prime256v1;
                    461:        else if (strcmp(name, "nistp384") == 0)
                    462:                return NID_secp384r1;
                    463:        else if (strcmp(name, "nistp521") == 0)
                    464:                return NID_secp521r1;
                    465:        else
                    466:                return -1;
                    467: }
                    468:
                    469: u_int
                    470: sshkey_curve_nid_to_bits(int nid)
                    471: {
                    472:        switch (nid) {
                    473:        case NID_X9_62_prime256v1:
                    474:                return 256;
                    475:        case NID_secp384r1:
                    476:                return 384;
                    477:        case NID_secp521r1:
                    478:                return 521;
                    479:        default:
                    480:                return 0;
                    481:        }
                    482: }
                    483:
                    484: int
                    485: sshkey_ecdsa_bits_to_nid(int bits)
                    486: {
                    487:        switch (bits) {
                    488:        case 256:
                    489:                return NID_X9_62_prime256v1;
                    490:        case 384:
                    491:                return NID_secp384r1;
                    492:        case 521:
                    493:                return NID_secp521r1;
                    494:        default:
                    495:                return -1;
                    496:        }
                    497: }
                    498:
                    499: const char *
                    500: sshkey_curve_nid_to_name(int nid)
                    501: {
                    502:        switch (nid) {
                    503:        case NID_X9_62_prime256v1:
                    504:                return "nistp256";
                    505:        case NID_secp384r1:
                    506:                return "nistp384";
                    507:        case NID_secp521r1:
                    508:                return "nistp521";
                    509:        default:
                    510:                return NULL;
                    511:        }
                    512: }
                    513:
                    514: int
                    515: sshkey_ec_nid_to_hash_alg(int nid)
                    516: {
                    517:        int kbits = sshkey_curve_nid_to_bits(nid);
                    518:
                    519:        if (kbits <= 0)
                    520:                return -1;
                    521:
                    522:        /* RFC5656 section 6.2.1 */
                    523:        if (kbits <= 256)
                    524:                return SSH_DIGEST_SHA256;
                    525:        else if (kbits <= 384)
                    526:                return SSH_DIGEST_SHA384;
                    527:        else
                    528:                return SSH_DIGEST_SHA512;
                    529: }
                    530: #endif /* WITH_OPENSSL */
                    531:
                    532: static void
                    533: cert_free(struct sshkey_cert *cert)
                    534: {
                    535:        u_int i;
                    536:
                    537:        if (cert == NULL)
                    538:                return;
1.31      mmcc      539:        sshbuf_free(cert->certblob);
                    540:        sshbuf_free(cert->critical);
                    541:        sshbuf_free(cert->extensions);
1.29      mmcc      542:        free(cert->key_id);
1.1       djm       543:        for (i = 0; i < cert->nprincipals; i++)
                    544:                free(cert->principals[i]);
1.29      mmcc      545:        free(cert->principals);
1.30      mmcc      546:        sshkey_free(cert->signature_key);
1.67      djm       547:        free(cert->signature_type);
1.61      jsing     548:        freezero(cert, sizeof(*cert));
1.1       djm       549: }
                    550:
                    551: static struct sshkey_cert *
                    552: cert_new(void)
                    553: {
                    554:        struct sshkey_cert *cert;
                    555:
                    556:        if ((cert = calloc(1, sizeof(*cert))) == NULL)
                    557:                return NULL;
                    558:        if ((cert->certblob = sshbuf_new()) == NULL ||
                    559:            (cert->critical = sshbuf_new()) == NULL ||
                    560:            (cert->extensions = sshbuf_new()) == NULL) {
                    561:                cert_free(cert);
                    562:                return NULL;
                    563:        }
                    564:        cert->key_id = NULL;
                    565:        cert->principals = NULL;
                    566:        cert->signature_key = NULL;
1.67      djm       567:        cert->signature_type = NULL;
1.1       djm       568:        return cert;
                    569: }
                    570:
                    571: struct sshkey *
                    572: sshkey_new(int type)
                    573: {
                    574:        struct sshkey *k;
1.123     djm       575:        const struct sshkey_impl *impl = NULL;
                    576:
                    577:        if (type != KEY_UNSPEC &&
                    578:            (impl = sshkey_impl_from_type(type)) == NULL)
                    579:                return NULL;
1.1       djm       580:
1.123     djm       581:        /* All non-certificate types may act as CAs */
1.1       djm       582:        if ((k = calloc(1, sizeof(*k))) == NULL)
                    583:                return NULL;
                    584:        k->type = type;
                    585:        k->ecdsa_nid = -1;
1.123     djm       586:        if (impl != NULL && impl->funcs->alloc != NULL) {
                    587:                if (impl->funcs->alloc(k) != 0) {
1.1       djm       588:                        free(k);
                    589:                        return NULL;
                    590:                }
                    591:        }
                    592:        if (sshkey_is_cert(k)) {
                    593:                if ((k->cert = cert_new()) == NULL) {
                    594:                        sshkey_free(k);
                    595:                        return NULL;
                    596:                }
                    597:        }
                    598:
                    599:        return k;
                    600: }
                    601:
1.124     djm       602: /* Frees common FIDO fields */
                    603: void
                    604: sshkey_sk_cleanup(struct sshkey *k)
                    605: {
                    606:        free(k->sk_application);
                    607:        sshbuf_free(k->sk_key_handle);
                    608:        sshbuf_free(k->sk_reserved);
                    609:        k->sk_application = NULL;
                    610:        k->sk_key_handle = k->sk_reserved = NULL;
                    611: }
                    612:
1.126     djm       613: static void
                    614: sshkey_free_contents(struct sshkey *k)
1.1       djm       615: {
1.123     djm       616:        const struct sshkey_impl *impl;
                    617:
1.1       djm       618:        if (k == NULL)
                    619:                return;
1.123     djm       620:        if ((impl = sshkey_impl_from_type(k->type)) != NULL &&
                    621:            impl->funcs->cleanup != NULL)
                    622:                impl->funcs->cleanup(k);
1.1       djm       623:        if (sshkey_is_cert(k))
                    624:                cert_free(k->cert);
1.76      djm       625:        freezero(k->shielded_private, k->shielded_len);
                    626:        freezero(k->shield_prekey, k->shield_prekey_len);
1.126     djm       627: }
                    628:
                    629: void
                    630: sshkey_free(struct sshkey *k)
                    631: {
                    632:        sshkey_free_contents(k);
1.61      jsing     633:        freezero(k, sizeof(*k));
1.1       djm       634: }
                    635:
                    636: static int
                    637: cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
                    638: {
                    639:        if (a == NULL && b == NULL)
                    640:                return 1;
                    641:        if (a == NULL || b == NULL)
                    642:                return 0;
                    643:        if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
                    644:                return 0;
                    645:        if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
                    646:            sshbuf_len(a->certblob)) != 0)
                    647:                return 0;
                    648:        return 1;
                    649: }
                    650:
1.124     djm       651: /* Compares FIDO-specific pubkey fields only */
                    652: int
                    653: sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b)
                    654: {
                    655:        if (a->sk_application == NULL || b->sk_application == NULL)
                    656:                return 0;
                    657:        if (strcmp(a->sk_application, b->sk_application) != 0)
                    658:                return 0;
                    659:        return 1;
                    660: }
                    661:
1.1       djm       662: /*
                    663:  * Compare public portions of key only, allowing comparisons between
                    664:  * certificates and plain keys too.
                    665:  */
                    666: int
                    667: sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
                    668: {
1.124     djm       669:        const struct sshkey_impl *impl;
1.1       djm       670:
                    671:        if (a == NULL || b == NULL ||
                    672:            sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
                    673:                return 0;
1.124     djm       674:        if ((impl = sshkey_impl_from_type(a->type)) == NULL)
1.1       djm       675:                return 0;
1.124     djm       676:        return impl->funcs->equal(a, b);
1.1       djm       677: }
                    678:
                    679: int
                    680: sshkey_equal(const struct sshkey *a, const struct sshkey *b)
                    681: {
                    682:        if (a == NULL || b == NULL || a->type != b->type)
                    683:                return 0;
                    684:        if (sshkey_is_cert(a)) {
                    685:                if (!cert_compare(a->cert, b->cert))
                    686:                        return 0;
                    687:        }
                    688:        return sshkey_equal_public(a, b);
                    689: }
                    690:
1.125     djm       691:
                    692: /* Serialise common FIDO key parts */
                    693: int
                    694: sshkey_serialize_sk(const struct sshkey *key, struct sshbuf *b)
                    695: {
                    696:        int r;
                    697:
                    698:        if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0)
                    699:                return r;
                    700:
                    701:        return 0;
                    702: }
                    703:
1.1       djm       704: static int
1.62      markus    705: to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain,
                    706:   enum sshkey_serialize_rep opts)
1.1       djm       707: {
                    708:        int type, ret = SSH_ERR_INTERNAL_ERROR;
                    709:        const char *typename;
1.125     djm       710:        const struct sshkey_impl *impl;
1.1       djm       711:
                    712:        if (key == NULL)
                    713:                return SSH_ERR_INVALID_ARGUMENT;
                    714:
1.125     djm       715:        type = force_plain ? sshkey_type_plain(key->type) : key->type;
                    716:
                    717:        if (sshkey_type_is_cert(type)) {
1.19      djm       718:                if (key->cert == NULL)
                    719:                        return SSH_ERR_EXPECTED_CERT;
                    720:                if (sshbuf_len(key->cert->certblob) == 0)
                    721:                        return SSH_ERR_KEY_LACKS_CERTBLOB;
1.1       djm       722:                /* Use the existing blob */
                    723:                if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
                    724:                        return ret;
1.125     djm       725:                return 0;
                    726:        }
                    727:        if ((impl = sshkey_impl_from_type(type)) == NULL)
1.1       djm       728:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.125     djm       729:
                    730:        typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
1.129     djm       731:        if ((ret = sshbuf_put_cstring(b, typename)) != 0)
                    732:                return ret;
                    733:        return impl->funcs->serialize_public(key, b, opts);
1.1       djm       734: }
                    735:
                    736: int
1.14      djm       737: sshkey_putb(const struct sshkey *key, struct sshbuf *b)
1.1       djm       738: {
1.62      markus    739:        return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       740: }
                    741:
                    742: int
1.62      markus    743: sshkey_puts_opts(const struct sshkey *key, struct sshbuf *b,
                    744:     enum sshkey_serialize_rep opts)
1.14      djm       745: {
                    746:        struct sshbuf *tmp;
                    747:        int r;
                    748:
                    749:        if ((tmp = sshbuf_new()) == NULL)
                    750:                return SSH_ERR_ALLOC_FAIL;
1.62      markus    751:        r = to_blob_buf(key, tmp, 0, opts);
1.14      djm       752:        if (r == 0)
                    753:                r = sshbuf_put_stringb(b, tmp);
                    754:        sshbuf_free(tmp);
                    755:        return r;
                    756: }
                    757:
                    758: int
1.62      markus    759: sshkey_puts(const struct sshkey *key, struct sshbuf *b)
                    760: {
                    761:        return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
                    762: }
                    763:
                    764: int
1.14      djm       765: sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
1.1       djm       766: {
1.62      markus    767:        return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       768: }
                    769:
                    770: static int
1.62      markus    771: to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain,
                    772:     enum sshkey_serialize_rep opts)
1.1       djm       773: {
                    774:        int ret = SSH_ERR_INTERNAL_ERROR;
                    775:        size_t len;
                    776:        struct sshbuf *b = NULL;
                    777:
                    778:        if (lenp != NULL)
                    779:                *lenp = 0;
                    780:        if (blobp != NULL)
                    781:                *blobp = NULL;
                    782:        if ((b = sshbuf_new()) == NULL)
                    783:                return SSH_ERR_ALLOC_FAIL;
1.62      markus    784:        if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
1.1       djm       785:                goto out;
                    786:        len = sshbuf_len(b);
                    787:        if (lenp != NULL)
                    788:                *lenp = len;
                    789:        if (blobp != NULL) {
                    790:                if ((*blobp = malloc(len)) == NULL) {
                    791:                        ret = SSH_ERR_ALLOC_FAIL;
                    792:                        goto out;
                    793:                }
                    794:                memcpy(*blobp, sshbuf_ptr(b), len);
                    795:        }
                    796:        ret = 0;
                    797:  out:
                    798:        sshbuf_free(b);
                    799:        return ret;
                    800: }
                    801:
                    802: int
                    803: sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
                    804: {
1.62      markus    805:        return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       806: }
                    807:
                    808: int
                    809: sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
                    810: {
1.62      markus    811:        return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
1.1       djm       812: }
                    813:
                    814: int
1.7       djm       815: sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
1.1       djm       816:     u_char **retp, size_t *lenp)
                    817: {
                    818:        u_char *blob = NULL, *ret = NULL;
                    819:        size_t blob_len = 0;
1.7       djm       820:        int r = SSH_ERR_INTERNAL_ERROR;
1.1       djm       821:
                    822:        if (retp != NULL)
                    823:                *retp = NULL;
                    824:        if (lenp != NULL)
                    825:                *lenp = 0;
1.7       djm       826:        if (ssh_digest_bytes(dgst_alg) == 0) {
1.1       djm       827:                r = SSH_ERR_INVALID_ARGUMENT;
                    828:                goto out;
                    829:        }
1.62      markus    830:        if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
                    831:            != 0)
1.1       djm       832:                goto out;
                    833:        if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
                    834:                r = SSH_ERR_ALLOC_FAIL;
                    835:                goto out;
                    836:        }
1.7       djm       837:        if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
1.1       djm       838:            ret, SSH_DIGEST_MAX_LENGTH)) != 0)
                    839:                goto out;
                    840:        /* success */
                    841:        if (retp != NULL) {
                    842:                *retp = ret;
                    843:                ret = NULL;
                    844:        }
                    845:        if (lenp != NULL)
1.7       djm       846:                *lenp = ssh_digest_bytes(dgst_alg);
1.1       djm       847:        r = 0;
                    848:  out:
                    849:        free(ret);
1.100     jsg       850:        if (blob != NULL)
                    851:                freezero(blob, blob_len);
1.1       djm       852:        return r;
                    853: }
                    854:
                    855: static char *
1.7       djm       856: fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
                    857: {
                    858:        char *ret;
                    859:        size_t plen = strlen(alg) + 1;
                    860:        size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
                    861:
                    862:        if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
                    863:                return NULL;
                    864:        strlcpy(ret, alg, rlen);
                    865:        strlcat(ret, ":", rlen);
                    866:        if (dgst_raw_len == 0)
                    867:                return ret;
1.79      dtucker   868:        if (b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
1.61      jsing     869:                freezero(ret, rlen);
1.7       djm       870:                return NULL;
                    871:        }
                    872:        /* Trim padding characters from end */
                    873:        ret[strcspn(ret, "=")] = '\0';
                    874:        return ret;
                    875: }
                    876:
                    877: static char *
                    878: fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
1.1       djm       879: {
1.7       djm       880:        char *retval, hex[5];
                    881:        size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
1.1       djm       882:
1.7       djm       883:        if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
1.1       djm       884:                return NULL;
1.7       djm       885:        strlcpy(retval, alg, rlen);
                    886:        strlcat(retval, ":", rlen);
1.1       djm       887:        for (i = 0; i < dgst_raw_len; i++) {
1.7       djm       888:                snprintf(hex, sizeof(hex), "%s%02x",
                    889:                    i > 0 ? ":" : "", dgst_raw[i]);
                    890:                strlcat(retval, hex, rlen);
1.1       djm       891:        }
                    892:        return retval;
                    893: }
                    894:
                    895: static char *
                    896: fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
                    897: {
                    898:        char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
                    899:        char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
                    900:            'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
                    901:        u_int i, j = 0, rounds, seed = 1;
                    902:        char *retval;
                    903:
                    904:        rounds = (dgst_raw_len / 2) + 1;
                    905:        if ((retval = calloc(rounds, 6)) == NULL)
                    906:                return NULL;
                    907:        retval[j++] = 'x';
                    908:        for (i = 0; i < rounds; i++) {
                    909:                u_int idx0, idx1, idx2, idx3, idx4;
                    910:                if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
                    911:                        idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
                    912:                            seed) % 6;
                    913:                        idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
                    914:                        idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
                    915:                            (seed / 6)) % 6;
                    916:                        retval[j++] = vowels[idx0];
                    917:                        retval[j++] = consonants[idx1];
                    918:                        retval[j++] = vowels[idx2];
                    919:                        if ((i + 1) < rounds) {
                    920:                                idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
                    921:                                idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
                    922:                                retval[j++] = consonants[idx3];
                    923:                                retval[j++] = '-';
                    924:                                retval[j++] = consonants[idx4];
                    925:                                seed = ((seed * 5) +
                    926:                                    ((((u_int)(dgst_raw[2 * i])) * 7) +
                    927:                                    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
                    928:                        }
                    929:                } else {
                    930:                        idx0 = seed % 6;
                    931:                        idx1 = 16;
                    932:                        idx2 = seed / 6;
                    933:                        retval[j++] = vowels[idx0];
                    934:                        retval[j++] = consonants[idx1];
                    935:                        retval[j++] = vowels[idx2];
                    936:                }
                    937:        }
                    938:        retval[j++] = 'x';
                    939:        retval[j++] = '\0';
                    940:        return retval;
                    941: }
                    942:
                    943: /*
                    944:  * Draw an ASCII-Art representing the fingerprint so human brain can
                    945:  * profit from its built-in pattern recognition ability.
                    946:  * This technique is called "random art" and can be found in some
                    947:  * scientific publications like this original paper:
                    948:  *
                    949:  * "Hash Visualization: a New Technique to improve Real-World Security",
                    950:  * Perrig A. and Song D., 1999, International Workshop on Cryptographic
                    951:  * Techniques and E-Commerce (CrypTEC '99)
                    952:  * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
                    953:  *
                    954:  * The subject came up in a talk by Dan Kaminsky, too.
                    955:  *
                    956:  * If you see the picture is different, the key is different.
                    957:  * If the picture looks the same, you still know nothing.
                    958:  *
                    959:  * The algorithm used here is a worm crawling over a discrete plane,
                    960:  * leaving a trace (augmenting the field) everywhere it goes.
                    961:  * Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
                    962:  * makes the respective movement vector be ignored for this turn.
                    963:  * Graphs are not unambiguous, because circles in graphs can be
                    964:  * walked in either direction.
                    965:  */
                    966:
                    967: /*
                    968:  * Field sizes for the random art.  Have to be odd, so the starting point
                    969:  * can be in the exact middle of the picture, and FLDBASE should be >=8 .
                    970:  * Else pictures would be too dense, and drawing the frame would
                    971:  * fail, too, because the key type would not fit in anymore.
                    972:  */
                    973: #define        FLDBASE         8
                    974: #define        FLDSIZE_Y       (FLDBASE + 1)
                    975: #define        FLDSIZE_X       (FLDBASE * 2 + 1)
                    976: static char *
1.7       djm       977: fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
1.1       djm       978:     const struct sshkey *k)
                    979: {
                    980:        /*
                    981:         * Chars to be used after each other every time the worm
                    982:         * intersects with itself.  Matter of taste.
                    983:         */
                    984:        char    *augmentation_string = " .o+=*BOX@%&#/^SE";
1.7       djm       985:        char    *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
1.1       djm       986:        u_char   field[FLDSIZE_X][FLDSIZE_Y];
1.7       djm       987:        size_t   i, tlen, hlen;
1.1       djm       988:        u_int    b;
1.3       djm       989:        int      x, y, r;
1.1       djm       990:        size_t   len = strlen(augmentation_string) - 1;
                    991:
                    992:        if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
                    993:                return NULL;
                    994:
                    995:        /* initialize field */
                    996:        memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
                    997:        x = FLDSIZE_X / 2;
                    998:        y = FLDSIZE_Y / 2;
                    999:
                   1000:        /* process raw key */
                   1001:        for (i = 0; i < dgst_raw_len; i++) {
                   1002:                int input;
                   1003:                /* each byte conveys four 2-bit move commands */
                   1004:                input = dgst_raw[i];
                   1005:                for (b = 0; b < 4; b++) {
                   1006:                        /* evaluate 2 bit, rest is shifted later */
                   1007:                        x += (input & 0x1) ? 1 : -1;
                   1008:                        y += (input & 0x2) ? 1 : -1;
                   1009:
                   1010:                        /* assure we are still in bounds */
1.37      deraadt  1011:                        x = MAXIMUM(x, 0);
                   1012:                        y = MAXIMUM(y, 0);
                   1013:                        x = MINIMUM(x, FLDSIZE_X - 1);
                   1014:                        y = MINIMUM(y, FLDSIZE_Y - 1);
1.1       djm      1015:
                   1016:                        /* augment the field */
                   1017:                        if (field[x][y] < len - 2)
                   1018:                                field[x][y]++;
                   1019:                        input = input >> 2;
                   1020:                }
                   1021:        }
                   1022:
                   1023:        /* mark starting point and end point*/
                   1024:        field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
                   1025:        field[x][y] = len;
                   1026:
1.3       djm      1027:        /* assemble title */
                   1028:        r = snprintf(title, sizeof(title), "[%s %u]",
                   1029:                sshkey_type(k), sshkey_size(k));
                   1030:        /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
                   1031:        if (r < 0 || r > (int)sizeof(title))
1.7       djm      1032:                r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
                   1033:        tlen = (r <= 0) ? 0 : strlen(title);
                   1034:
                   1035:        /* assemble hash ID. */
                   1036:        r = snprintf(hash, sizeof(hash), "[%s]", alg);
                   1037:        hlen = (r <= 0) ? 0 : strlen(hash);
1.1       djm      1038:
                   1039:        /* output upper border */
1.3       djm      1040:        p = retval;
                   1041:        *p++ = '+';
                   1042:        for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
                   1043:                *p++ = '-';
                   1044:        memcpy(p, title, tlen);
                   1045:        p += tlen;
1.7       djm      1046:        for (i += tlen; i < FLDSIZE_X; i++)
1.1       djm      1047:                *p++ = '-';
                   1048:        *p++ = '+';
                   1049:        *p++ = '\n';
                   1050:
                   1051:        /* output content */
                   1052:        for (y = 0; y < FLDSIZE_Y; y++) {
                   1053:                *p++ = '|';
                   1054:                for (x = 0; x < FLDSIZE_X; x++)
1.37      deraadt  1055:                        *p++ = augmentation_string[MINIMUM(field[x][y], len)];
1.1       djm      1056:                *p++ = '|';
                   1057:                *p++ = '\n';
                   1058:        }
                   1059:
                   1060:        /* output lower border */
                   1061:        *p++ = '+';
1.7       djm      1062:        for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
                   1063:                *p++ = '-';
                   1064:        memcpy(p, hash, hlen);
                   1065:        p += hlen;
                   1066:        for (i += hlen; i < FLDSIZE_X; i++)
1.1       djm      1067:                *p++ = '-';
                   1068:        *p++ = '+';
                   1069:
                   1070:        return retval;
                   1071: }
                   1072:
                   1073: char *
1.7       djm      1074: sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1.1       djm      1075:     enum sshkey_fp_rep dgst_rep)
                   1076: {
                   1077:        char *retval = NULL;
                   1078:        u_char *dgst_raw;
                   1079:        size_t dgst_raw_len;
                   1080:
1.7       djm      1081:        if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1.1       djm      1082:                return NULL;
                   1083:        switch (dgst_rep) {
1.7       djm      1084:        case SSH_FP_DEFAULT:
                   1085:                if (dgst_alg == SSH_DIGEST_MD5) {
                   1086:                        retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
                   1087:                            dgst_raw, dgst_raw_len);
                   1088:                } else {
                   1089:                        retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
                   1090:                            dgst_raw, dgst_raw_len);
                   1091:                }
                   1092:                break;
1.1       djm      1093:        case SSH_FP_HEX:
1.7       djm      1094:                retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
                   1095:                    dgst_raw, dgst_raw_len);
                   1096:                break;
                   1097:        case SSH_FP_BASE64:
                   1098:                retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
                   1099:                    dgst_raw, dgst_raw_len);
1.1       djm      1100:                break;
                   1101:        case SSH_FP_BUBBLEBABBLE:
                   1102:                retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
                   1103:                break;
                   1104:        case SSH_FP_RANDOMART:
1.7       djm      1105:                retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
                   1106:                    dgst_raw, dgst_raw_len, k);
1.1       djm      1107:                break;
                   1108:        default:
1.100     jsg      1109:                freezero(dgst_raw, dgst_raw_len);
1.1       djm      1110:                return NULL;
                   1111:        }
1.100     jsg      1112:        freezero(dgst_raw, dgst_raw_len);
1.1       djm      1113:        return retval;
                   1114: }
                   1115:
1.63      djm      1116: static int
                   1117: peek_type_nid(const char *s, size_t l, int *nid)
                   1118: {
1.123     djm      1119:        const struct sshkey_impl *impl;
                   1120:        int i;
1.63      djm      1121:
1.123     djm      1122:        for (i = 0; keyimpls[i] != NULL; i++) {
                   1123:                impl = keyimpls[i];
                   1124:                if (impl->name == NULL || strlen(impl->name) != l)
1.63      djm      1125:                        continue;
1.123     djm      1126:                if (memcmp(s, impl->name, l) == 0) {
1.63      djm      1127:                        *nid = -1;
1.123     djm      1128:                        if (key_type_is_ecdsa_variant(impl->type))
                   1129:                                *nid = impl->nid;
                   1130:                        return impl->type;
1.63      djm      1131:                }
                   1132:        }
                   1133:        return KEY_UNSPEC;
                   1134: }
1.1       djm      1135:
1.63      djm      1136: /* XXX this can now be made const char * */
1.1       djm      1137: int
                   1138: sshkey_read(struct sshkey *ret, char **cpp)
                   1139: {
                   1140:        struct sshkey *k;
1.63      djm      1141:        char *cp, *blobcopy;
                   1142:        size_t space;
1.1       djm      1143:        int r, type, curve_nid = -1;
                   1144:        struct sshbuf *blob;
1.44      dtucker  1145:
                   1146:        if (ret == NULL)
                   1147:                return SSH_ERR_INVALID_ARGUMENT;
1.126     djm      1148:        if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL)
1.63      djm      1149:                return SSH_ERR_INVALID_ARGUMENT;
                   1150:
                   1151:        /* Decode type */
                   1152:        cp = *cpp;
                   1153:        space = strcspn(cp, " \t");
                   1154:        if (space == strlen(cp))
                   1155:                return SSH_ERR_INVALID_FORMAT;
                   1156:        if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
                   1157:                return SSH_ERR_INVALID_FORMAT;
                   1158:
                   1159:        /* skip whitespace */
                   1160:        for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
                   1161:                ;
                   1162:        if (*cp == '\0')
                   1163:                return SSH_ERR_INVALID_FORMAT;
                   1164:        if (ret->type != KEY_UNSPEC && ret->type != type)
                   1165:                return SSH_ERR_KEY_TYPE_MISMATCH;
                   1166:        if ((blob = sshbuf_new()) == NULL)
                   1167:                return SSH_ERR_ALLOC_FAIL;
                   1168:
                   1169:        /* find end of keyblob and decode */
                   1170:        space = strcspn(cp, " \t");
                   1171:        if ((blobcopy = strndup(cp, space)) == NULL) {
                   1172:                sshbuf_free(blob);
                   1173:                return SSH_ERR_ALLOC_FAIL;
                   1174:        }
                   1175:        if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
                   1176:                free(blobcopy);
                   1177:                sshbuf_free(blob);
                   1178:                return r;
                   1179:        }
                   1180:        free(blobcopy);
                   1181:        if ((r = sshkey_fromb(blob, &k)) != 0) {
1.1       djm      1182:                sshbuf_free(blob);
1.63      djm      1183:                return r;
                   1184:        }
                   1185:        sshbuf_free(blob);
                   1186:
                   1187:        /* skip whitespace and leave cp at start of comment */
                   1188:        for (cp += space; *cp == ' ' || *cp == '\t'; cp++)
                   1189:                ;
                   1190:
                   1191:        /* ensure type of blob matches type at start of line */
                   1192:        if (k->type != type) {
                   1193:                sshkey_free(k);
                   1194:                return SSH_ERR_KEY_TYPE_MISMATCH;
                   1195:        }
1.85      djm      1196:        if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
1.63      djm      1197:                sshkey_free(k);
                   1198:                return SSH_ERR_EC_CURVE_MISMATCH;
                   1199:        }
                   1200:
                   1201:        /* Fill in ret from parsed key */
1.126     djm      1202:        sshkey_free_contents(ret);
                   1203:        *ret = *k;
                   1204:        freezero(k, sizeof(*k));
1.63      djm      1205:
                   1206:        /* success */
                   1207:        *cpp = cp;
                   1208:        return 0;
1.1       djm      1209: }
                   1210:
                   1211: int
1.19      djm      1212: sshkey_to_base64(const struct sshkey *key, char **b64p)
1.1       djm      1213: {
1.19      djm      1214:        int r = SSH_ERR_INTERNAL_ERROR;
                   1215:        struct sshbuf *b = NULL;
1.1       djm      1216:        char *uu = NULL;
1.19      djm      1217:
                   1218:        if (b64p != NULL)
                   1219:                *b64p = NULL;
                   1220:        if ((b = sshbuf_new()) == NULL)
                   1221:                return SSH_ERR_ALLOC_FAIL;
                   1222:        if ((r = sshkey_putb(key, b)) != 0)
                   1223:                goto out;
1.81      djm      1224:        if ((uu = sshbuf_dtob64_string(b, 0)) == NULL) {
1.19      djm      1225:                r = SSH_ERR_ALLOC_FAIL;
                   1226:                goto out;
                   1227:        }
                   1228:        /* Success */
                   1229:        if (b64p != NULL) {
                   1230:                *b64p = uu;
                   1231:                uu = NULL;
                   1232:        }
                   1233:        r = 0;
                   1234:  out:
                   1235:        sshbuf_free(b);
                   1236:        free(uu);
                   1237:        return r;
                   1238: }
                   1239:
1.52      djm      1240: int
1.19      djm      1241: sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
                   1242: {
                   1243:        int r = SSH_ERR_INTERNAL_ERROR;
                   1244:        char *uu = NULL;
                   1245:
1.48      djm      1246:        if ((r = sshkey_to_base64(key, &uu)) != 0)
                   1247:                goto out;
                   1248:        if ((r = sshbuf_putf(b, "%s %s",
                   1249:            sshkey_ssh_name(key), uu)) != 0)
                   1250:                goto out;
1.19      djm      1251:        r = 0;
                   1252:  out:
                   1253:        free(uu);
                   1254:        return r;
                   1255: }
                   1256:
                   1257: int
                   1258: sshkey_write(const struct sshkey *key, FILE *f)
                   1259: {
                   1260:        struct sshbuf *b = NULL;
                   1261:        int r = SSH_ERR_INTERNAL_ERROR;
                   1262:
                   1263:        if ((b = sshbuf_new()) == NULL)
                   1264:                return SSH_ERR_ALLOC_FAIL;
                   1265:        if ((r = sshkey_format_text(key, b)) != 0)
1.1       djm      1266:                goto out;
                   1267:        if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
                   1268:                if (feof(f))
                   1269:                        errno = EPIPE;
1.19      djm      1270:                r = SSH_ERR_SYSTEM_ERROR;
1.1       djm      1271:                goto out;
                   1272:        }
1.19      djm      1273:        /* Success */
                   1274:        r = 0;
1.1       djm      1275:  out:
1.19      djm      1276:        sshbuf_free(b);
                   1277:        return r;
1.1       djm      1278: }
                   1279:
                   1280: const char *
                   1281: sshkey_cert_type(const struct sshkey *k)
                   1282: {
                   1283:        switch (k->cert->type) {
                   1284:        case SSH2_CERT_TYPE_USER:
                   1285:                return "user";
                   1286:        case SSH2_CERT_TYPE_HOST:
                   1287:                return "host";
                   1288:        default:
                   1289:                return "unknown";
                   1290:        }
                   1291: }
                   1292:
                   1293: #ifdef WITH_OPENSSL
                   1294: int
                   1295: sshkey_ecdsa_key_to_nid(EC_KEY *k)
                   1296: {
                   1297:        EC_GROUP *eg;
                   1298:        int nids[] = {
                   1299:                NID_X9_62_prime256v1,
                   1300:                NID_secp384r1,
                   1301:                NID_secp521r1,
                   1302:                -1
                   1303:        };
                   1304:        int nid;
                   1305:        u_int i;
                   1306:        const EC_GROUP *g = EC_KEY_get0_group(k);
                   1307:
                   1308:        /*
                   1309:         * The group may be stored in a ASN.1 encoded private key in one of two
                   1310:         * ways: as a "named group", which is reconstituted by ASN.1 object ID
                   1311:         * or explicit group parameters encoded into the key blob. Only the
                   1312:         * "named group" case sets the group NID for us, but we can figure
                   1313:         * it out for the other case by comparing against all the groups that
                   1314:         * are supported.
                   1315:         */
                   1316:        if ((nid = EC_GROUP_get_curve_name(g)) > 0)
                   1317:                return nid;
                   1318:        for (i = 0; nids[i] != -1; i++) {
1.93      djm      1319:                if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1.1       djm      1320:                        return -1;
1.93      djm      1321:                if (EC_GROUP_cmp(g, eg, NULL) == 0)
1.1       djm      1322:                        break;
                   1323:                EC_GROUP_free(eg);
                   1324:        }
                   1325:        if (nids[i] != -1) {
                   1326:                /* Use the group with the NID attached */
                   1327:                EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
                   1328:                if (EC_KEY_set_group(k, eg) != 1) {
                   1329:                        EC_GROUP_free(eg);
                   1330:                        return -1;
                   1331:                }
                   1332:        }
                   1333:        return nids[i];
                   1334: }
                   1335:
                   1336: #endif /* WITH_OPENSSL */
                   1337:
                   1338: int
                   1339: sshkey_generate(int type, u_int bits, struct sshkey **keyp)
                   1340: {
                   1341:        struct sshkey *k;
                   1342:        int ret = SSH_ERR_INTERNAL_ERROR;
1.127     djm      1343:        const struct sshkey_impl *impl;
1.1       djm      1344:
1.127     djm      1345:        if (keyp == NULL || sshkey_type_is_cert(type))
1.1       djm      1346:                return SSH_ERR_INVALID_ARGUMENT;
                   1347:        *keyp = NULL;
1.127     djm      1348:        if ((impl = sshkey_impl_from_type(type)) == NULL)
                   1349:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   1350:        if (impl->funcs->generate == NULL)
                   1351:                return SSH_ERR_FEATURE_UNSUPPORTED;
1.1       djm      1352:        if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
                   1353:                return SSH_ERR_ALLOC_FAIL;
1.127     djm      1354:        k->type = type;
                   1355:        if ((ret = impl->funcs->generate(k, bits)) != 0) {
                   1356:                sshkey_free(k);
                   1357:                return ret;
1.1       djm      1358:        }
1.127     djm      1359:        /* success */
                   1360:        *keyp = k;
                   1361:        return 0;
1.1       djm      1362: }
                   1363:
                   1364: int
                   1365: sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
                   1366: {
                   1367:        u_int i;
                   1368:        const struct sshkey_cert *from;
                   1369:        struct sshkey_cert *to;
1.67      djm      1370:        int r = SSH_ERR_INTERNAL_ERROR;
1.1       djm      1371:
1.67      djm      1372:        if (to_key == NULL || (from = from_key->cert) == NULL)
1.1       djm      1373:                return SSH_ERR_INVALID_ARGUMENT;
                   1374:
1.67      djm      1375:        if ((to = cert_new()) == NULL)
1.1       djm      1376:                return SSH_ERR_ALLOC_FAIL;
                   1377:
1.67      djm      1378:        if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
                   1379:            (r = sshbuf_putb(to->critical, from->critical)) != 0 ||
                   1380:            (r = sshbuf_putb(to->extensions, from->extensions)) != 0)
                   1381:                goto out;
1.1       djm      1382:
                   1383:        to->serial = from->serial;
                   1384:        to->type = from->type;
                   1385:        if (from->key_id == NULL)
                   1386:                to->key_id = NULL;
1.67      djm      1387:        else if ((to->key_id = strdup(from->key_id)) == NULL) {
                   1388:                r = SSH_ERR_ALLOC_FAIL;
                   1389:                goto out;
                   1390:        }
1.1       djm      1391:        to->valid_after = from->valid_after;
                   1392:        to->valid_before = from->valid_before;
                   1393:        if (from->signature_key == NULL)
                   1394:                to->signature_key = NULL;
1.67      djm      1395:        else if ((r = sshkey_from_private(from->signature_key,
1.1       djm      1396:            &to->signature_key)) != 0)
1.67      djm      1397:                goto out;
                   1398:        if (from->signature_type != NULL &&
                   1399:            (to->signature_type = strdup(from->signature_type)) == NULL) {
                   1400:                r = SSH_ERR_ALLOC_FAIL;
                   1401:                goto out;
                   1402:        }
                   1403:        if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS) {
                   1404:                r = SSH_ERR_INVALID_ARGUMENT;
                   1405:                goto out;
                   1406:        }
1.1       djm      1407:        if (from->nprincipals > 0) {
                   1408:                if ((to->principals = calloc(from->nprincipals,
1.67      djm      1409:                    sizeof(*to->principals))) == NULL) {
                   1410:                        r = SSH_ERR_ALLOC_FAIL;
                   1411:                        goto out;
                   1412:                }
1.1       djm      1413:                for (i = 0; i < from->nprincipals; i++) {
                   1414:                        to->principals[i] = strdup(from->principals[i]);
                   1415:                        if (to->principals[i] == NULL) {
                   1416:                                to->nprincipals = i;
1.67      djm      1417:                                r = SSH_ERR_ALLOC_FAIL;
                   1418:                                goto out;
1.1       djm      1419:                        }
                   1420:                }
                   1421:        }
                   1422:        to->nprincipals = from->nprincipals;
1.67      djm      1423:
                   1424:        /* success */
                   1425:        cert_free(to_key->cert);
                   1426:        to_key->cert = to;
                   1427:        to = NULL;
                   1428:        r = 0;
                   1429:  out:
                   1430:        cert_free(to);
                   1431:        return r;
1.1       djm      1432: }
                   1433:
                   1434: int
1.128     djm      1435: sshkey_copy_public_sk(const struct sshkey *from, struct sshkey *to)
                   1436: {
                   1437:        /* Append security-key application string */
                   1438:        if ((to->sk_application = strdup(from->sk_application)) == NULL)
                   1439:                return SSH_ERR_ALLOC_FAIL;
                   1440:        return 0;
                   1441: }
                   1442:
                   1443: int
1.1       djm      1444: sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
                   1445: {
                   1446:        struct sshkey *n = NULL;
1.69      djm      1447:        int r = SSH_ERR_INTERNAL_ERROR;
1.128     djm      1448:        const struct sshkey_impl *impl;
1.1       djm      1449:
1.24      djm      1450:        *pkp = NULL;
1.128     djm      1451:        if ((impl = sshkey_impl_from_key(k)) == NULL)
                   1452:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.85      djm      1453:        if ((n = sshkey_new(k->type)) == NULL) {
                   1454:                r = SSH_ERR_ALLOC_FAIL;
                   1455:                goto out;
                   1456:        }
1.128     djm      1457:        if ((r = impl->funcs->copy_public(k, n)) != 0)
1.69      djm      1458:                goto out;
                   1459:        if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
                   1460:                goto out;
                   1461:        /* success */
1.1       djm      1462:        *pkp = n;
1.69      djm      1463:        n = NULL;
                   1464:        r = 0;
                   1465:  out:
                   1466:        sshkey_free(n);
                   1467:        return r;
1.1       djm      1468: }
                   1469:
1.76      djm      1470: int
                   1471: sshkey_is_shielded(struct sshkey *k)
                   1472: {
                   1473:        return k != NULL && k->shielded_private != NULL;
                   1474: }
                   1475:
                   1476: int
                   1477: sshkey_shield_private(struct sshkey *k)
                   1478: {
                   1479:        struct sshbuf *prvbuf = NULL;
                   1480:        u_char *prekey = NULL, *enc = NULL, keyiv[SSH_DIGEST_MAX_LENGTH];
                   1481:        struct sshcipher_ctx *cctx = NULL;
                   1482:        const struct sshcipher *cipher;
                   1483:        size_t i, enclen = 0;
                   1484:        struct sshkey *kswap = NULL, tmp;
                   1485:        int r = SSH_ERR_INTERNAL_ERROR;
                   1486:
                   1487: #ifdef DEBUG_PK
                   1488:        fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
                   1489: #endif
                   1490:        if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
                   1491:                r = SSH_ERR_INVALID_ARGUMENT;
                   1492:                goto out;
                   1493:        }
                   1494:        if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
                   1495:            ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
                   1496:                r = SSH_ERR_INTERNAL_ERROR;
                   1497:                goto out;
                   1498:        }
                   1499:
                   1500:        /* Prepare a random pre-key, and from it an ephemeral key */
                   1501:        if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN)) == NULL) {
                   1502:                r = SSH_ERR_ALLOC_FAIL;
                   1503:                goto out;
                   1504:        }
                   1505:        arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN);
                   1506:        if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
                   1507:            prekey, SSHKEY_SHIELD_PREKEY_LEN,
                   1508:            keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
                   1509:                goto out;
                   1510: #ifdef DEBUG_PK
                   1511:        fprintf(stderr, "%s: key+iv\n", __func__);
                   1512:        sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
                   1513:            stderr);
                   1514: #endif
                   1515:        if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
                   1516:            keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
                   1517:                goto out;
                   1518:
                   1519:        /* Serialise and encrypt the private key using the ephemeral key */
                   1520:        if ((prvbuf = sshbuf_new()) == NULL) {
                   1521:                r = SSH_ERR_ALLOC_FAIL;
                   1522:                goto out;
                   1523:        }
                   1524:        if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
                   1525:                goto out;
                   1526:        if ((r = sshkey_private_serialize_opt(k, prvbuf,
1.116     djm      1527:            SSHKEY_SERIALIZE_SHIELD)) != 0)
1.76      djm      1528:                goto out;
                   1529:        /* pad to cipher blocksize */
                   1530:        i = 0;
                   1531:        while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
                   1532:                if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
                   1533:                        goto out;
                   1534:        }
                   1535: #ifdef DEBUG_PK
                   1536:        fprintf(stderr, "%s: serialised\n", __func__);
                   1537:        sshbuf_dump(prvbuf, stderr);
                   1538: #endif
                   1539:        /* encrypt */
                   1540:        enclen = sshbuf_len(prvbuf);
                   1541:        if ((enc = malloc(enclen)) == NULL) {
                   1542:                r = SSH_ERR_ALLOC_FAIL;
                   1543:                goto out;
                   1544:        }
                   1545:        if ((r = cipher_crypt(cctx, 0, enc,
                   1546:            sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
                   1547:                goto out;
                   1548: #ifdef DEBUG_PK
                   1549:        fprintf(stderr, "%s: encrypted\n", __func__);
                   1550:        sshbuf_dump_data(enc, enclen, stderr);
                   1551: #endif
                   1552:
                   1553:        /* Make a scrubbed, public-only copy of our private key argument */
                   1554:        if ((r = sshkey_from_private(k, &kswap)) != 0)
                   1555:                goto out;
                   1556:
                   1557:        /* Swap the private key out (it will be destroyed below) */
                   1558:        tmp = *kswap;
                   1559:        *kswap = *k;
                   1560:        *k = tmp;
                   1561:
                   1562:        /* Insert the shielded key into our argument */
                   1563:        k->shielded_private = enc;
                   1564:        k->shielded_len = enclen;
                   1565:        k->shield_prekey = prekey;
                   1566:        k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN;
                   1567:        enc = prekey = NULL; /* transferred */
                   1568:        enclen = 0;
1.99      djm      1569:
                   1570:        /* preserve key fields that are required for correct operation */
                   1571:        k->sk_flags = kswap->sk_flags;
1.76      djm      1572:
                   1573:        /* success */
                   1574:        r = 0;
                   1575:
                   1576:  out:
                   1577:        /* XXX behaviour on error - invalidate original private key? */
                   1578:        cipher_free(cctx);
                   1579:        explicit_bzero(keyiv, sizeof(keyiv));
                   1580:        explicit_bzero(&tmp, sizeof(tmp));
1.78      djm      1581:        freezero(enc, enclen);
1.76      djm      1582:        freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN);
                   1583:        sshkey_free(kswap);
                   1584:        sshbuf_free(prvbuf);
                   1585:        return r;
                   1586: }
                   1587:
1.121     djm      1588: /* Check deterministic padding after private key */
                   1589: static int
                   1590: private2_check_padding(struct sshbuf *decrypted)
                   1591: {
                   1592:        u_char pad;
                   1593:        size_t i;
                   1594:        int r;
                   1595:
                   1596:        i = 0;
                   1597:        while (sshbuf_len(decrypted)) {
                   1598:                if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
                   1599:                        goto out;
                   1600:                if (pad != (++i & 0xff)) {
                   1601:                        r = SSH_ERR_INVALID_FORMAT;
                   1602:                        goto out;
                   1603:                }
                   1604:        }
                   1605:        /* success */
                   1606:        r = 0;
                   1607:  out:
                   1608:        explicit_bzero(&pad, sizeof(pad));
                   1609:        explicit_bzero(&i, sizeof(i));
                   1610:        return r;
                   1611: }
                   1612:
1.76      djm      1613: int
                   1614: sshkey_unshield_private(struct sshkey *k)
                   1615: {
                   1616:        struct sshbuf *prvbuf = NULL;
1.121     djm      1617:        u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH];
1.76      djm      1618:        struct sshcipher_ctx *cctx = NULL;
                   1619:        const struct sshcipher *cipher;
                   1620:        struct sshkey *kswap = NULL, tmp;
                   1621:        int r = SSH_ERR_INTERNAL_ERROR;
                   1622:
                   1623: #ifdef DEBUG_PK
                   1624:        fprintf(stderr, "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
                   1625: #endif
                   1626:        if (!sshkey_is_shielded(k))
                   1627:                return 0; /* nothing to do */
                   1628:
                   1629:        if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER)) == NULL) {
                   1630:                r = SSH_ERR_INVALID_ARGUMENT;
                   1631:                goto out;
                   1632:        }
                   1633:        if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
                   1634:            ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH)) {
                   1635:                r = SSH_ERR_INTERNAL_ERROR;
                   1636:                goto out;
                   1637:        }
                   1638:        /* check size of shielded key blob */
                   1639:        if (k->shielded_len < cipher_blocksize(cipher) ||
                   1640:            (k->shielded_len % cipher_blocksize(cipher)) != 0) {
                   1641:                r = SSH_ERR_INVALID_FORMAT;
                   1642:                goto out;
                   1643:        }
                   1644:
                   1645:        /* Calculate the ephemeral key from the prekey */
                   1646:        if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH,
                   1647:            k->shield_prekey, k->shield_prekey_len,
                   1648:            keyiv, SSH_DIGEST_MAX_LENGTH)) != 0)
                   1649:                goto out;
                   1650:        if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
                   1651:            keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
                   1652:                goto out;
                   1653: #ifdef DEBUG_PK
                   1654:        fprintf(stderr, "%s: key+iv\n", __func__);
                   1655:        sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH),
                   1656:            stderr);
                   1657: #endif
                   1658:
                   1659:        /* Decrypt and parse the shielded private key using the ephemeral key */
                   1660:        if ((prvbuf = sshbuf_new()) == NULL) {
                   1661:                r = SSH_ERR_ALLOC_FAIL;
                   1662:                goto out;
                   1663:        }
                   1664:        if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
                   1665:                goto out;
                   1666:        /* decrypt */
                   1667: #ifdef DEBUG_PK
                   1668:        fprintf(stderr, "%s: encrypted\n", __func__);
                   1669:        sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr);
                   1670: #endif
                   1671:        if ((r = cipher_crypt(cctx, 0, cp,
                   1672:            k->shielded_private, k->shielded_len, 0, 0)) != 0)
                   1673:                goto out;
                   1674: #ifdef DEBUG_PK
                   1675:        fprintf(stderr, "%s: serialised\n", __func__);
                   1676:        sshbuf_dump(prvbuf, stderr);
                   1677: #endif
                   1678:        /* Parse private key */
                   1679:        if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
                   1680:                goto out;
1.121     djm      1681:
                   1682:        if ((r = private2_check_padding(prvbuf)) != 0)
                   1683:                goto out;
1.76      djm      1684:
                   1685:        /* Swap the parsed key back into place */
                   1686:        tmp = *kswap;
                   1687:        *kswap = *k;
                   1688:        *k = tmp;
                   1689:
                   1690:        /* success */
                   1691:        r = 0;
                   1692:
                   1693:  out:
                   1694:        cipher_free(cctx);
                   1695:        explicit_bzero(keyiv, sizeof(keyiv));
                   1696:        explicit_bzero(&tmp, sizeof(tmp));
                   1697:        sshkey_free(kswap);
                   1698:        sshbuf_free(prvbuf);
                   1699:        return r;
                   1700: }
                   1701:
1.1       djm      1702: static int
1.14      djm      1703: cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1.1       djm      1704: {
1.14      djm      1705:        struct sshbuf *principals = NULL, *crit = NULL;
                   1706:        struct sshbuf *exts = NULL, *ca = NULL;
                   1707:        u_char *sig = NULL;
                   1708:        size_t signed_len = 0, slen = 0, kidlen = 0;
1.1       djm      1709:        int ret = SSH_ERR_INTERNAL_ERROR;
                   1710:
                   1711:        /* Copy the entire key blob for verification and later serialisation */
1.14      djm      1712:        if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1.1       djm      1713:                return ret;
                   1714:
1.20      djm      1715:        /* Parse body of certificate up to signature */
                   1716:        if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1.1       djm      1717:            (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
                   1718:            (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1.4       djm      1719:            (ret = sshbuf_froms(b, &principals)) != 0 ||
1.1       djm      1720:            (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
                   1721:            (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1.4       djm      1722:            (ret = sshbuf_froms(b, &crit)) != 0 ||
1.20      djm      1723:            (ret = sshbuf_froms(b, &exts)) != 0 ||
1.1       djm      1724:            (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1.14      djm      1725:            (ret = sshbuf_froms(b, &ca)) != 0) {
1.1       djm      1726:                /* XXX debug print error for ret */
                   1727:                ret = SSH_ERR_INVALID_FORMAT;
                   1728:                goto out;
                   1729:        }
                   1730:
                   1731:        /* Signature is left in the buffer so we can calculate this length */
                   1732:        signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
                   1733:
                   1734:        if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
                   1735:                ret = SSH_ERR_INVALID_FORMAT;
                   1736:                goto out;
                   1737:        }
                   1738:
                   1739:        if (key->cert->type != SSH2_CERT_TYPE_USER &&
                   1740:            key->cert->type != SSH2_CERT_TYPE_HOST) {
                   1741:                ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
                   1742:                goto out;
                   1743:        }
                   1744:
1.4       djm      1745:        /* Parse principals section */
                   1746:        while (sshbuf_len(principals) > 0) {
                   1747:                char *principal = NULL;
                   1748:                char **oprincipals = NULL;
                   1749:
1.1       djm      1750:                if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
                   1751:                        ret = SSH_ERR_INVALID_FORMAT;
                   1752:                        goto out;
                   1753:                }
1.4       djm      1754:                if ((ret = sshbuf_get_cstring(principals, &principal,
                   1755:                    NULL)) != 0) {
1.1       djm      1756:                        ret = SSH_ERR_INVALID_FORMAT;
                   1757:                        goto out;
                   1758:                }
                   1759:                oprincipals = key->cert->principals;
1.51      deraadt  1760:                key->cert->principals = recallocarray(key->cert->principals,
                   1761:                    key->cert->nprincipals, key->cert->nprincipals + 1,
                   1762:                    sizeof(*key->cert->principals));
1.1       djm      1763:                if (key->cert->principals == NULL) {
                   1764:                        free(principal);
                   1765:                        key->cert->principals = oprincipals;
                   1766:                        ret = SSH_ERR_ALLOC_FAIL;
                   1767:                        goto out;
                   1768:                }
                   1769:                key->cert->principals[key->cert->nprincipals++] = principal;
                   1770:        }
                   1771:
1.4       djm      1772:        /*
                   1773:         * Stash a copies of the critical options and extensions sections
                   1774:         * for later use.
                   1775:         */
                   1776:        if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
                   1777:            (exts != NULL &&
                   1778:            (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1.1       djm      1779:                goto out;
                   1780:
1.4       djm      1781:        /*
                   1782:         * Validate critical options and extensions sections format.
                   1783:         */
                   1784:        while (sshbuf_len(crit) != 0) {
                   1785:                if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
                   1786:                    (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
                   1787:                        sshbuf_reset(key->cert->critical);
1.1       djm      1788:                        ret = SSH_ERR_INVALID_FORMAT;
                   1789:                        goto out;
                   1790:                }
                   1791:        }
1.4       djm      1792:        while (exts != NULL && sshbuf_len(exts) != 0) {
                   1793:                if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
                   1794:                    (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
                   1795:                        sshbuf_reset(key->cert->extensions);
1.1       djm      1796:                        ret = SSH_ERR_INVALID_FORMAT;
                   1797:                        goto out;
                   1798:                }
                   1799:        }
                   1800:
1.4       djm      1801:        /* Parse CA key and check signature */
1.14      djm      1802:        if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
1.1       djm      1803:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1804:                goto out;
                   1805:        }
                   1806:        if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
                   1807:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1808:                goto out;
                   1809:        }
                   1810:        if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
1.96      djm      1811:            sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0)
1.1       djm      1812:                goto out;
1.82      djm      1813:        if ((ret = sshkey_get_sigtype(sig, slen,
                   1814:            &key->cert->signature_type)) != 0)
1.67      djm      1815:                goto out;
1.4       djm      1816:
                   1817:        /* Success */
1.1       djm      1818:        ret = 0;
                   1819:  out:
1.14      djm      1820:        sshbuf_free(ca);
1.4       djm      1821:        sshbuf_free(crit);
                   1822:        sshbuf_free(exts);
                   1823:        sshbuf_free(principals);
1.1       djm      1824:        free(sig);
                   1825:        return ret;
                   1826: }
                   1827:
1.122     djm      1828: int
1.129     djm      1829: sshkey_deserialize_sk(struct sshbuf *b, struct sshkey *key)
1.122     djm      1830: {
1.129     djm      1831:        /* Parse additional security-key application string */
                   1832:        if (sshbuf_get_cstring(b, &key->sk_application, NULL) != 0)
                   1833:                return SSH_ERR_INVALID_FORMAT;
1.69      djm      1834:        return 0;
                   1835: }
                   1836:
                   1837: static int
1.14      djm      1838: sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
                   1839:     int allow_cert)
1.1       djm      1840: {
1.12      djm      1841:        int type, ret = SSH_ERR_INTERNAL_ERROR;
1.129     djm      1842:        char *ktype = NULL;
1.1       djm      1843:        struct sshkey *key = NULL;
1.14      djm      1844:        struct sshbuf *copy;
1.129     djm      1845:        const struct sshkey_impl *impl;
1.1       djm      1846:
                   1847: #ifdef DEBUG_PK /* XXX */
1.14      djm      1848:        sshbuf_dump(b, stderr);
1.1       djm      1849: #endif
1.32      djm      1850:        if (keyp != NULL)
                   1851:                *keyp = NULL;
1.14      djm      1852:        if ((copy = sshbuf_fromb(b)) == NULL) {
                   1853:                ret = SSH_ERR_ALLOC_FAIL;
                   1854:                goto out;
                   1855:        }
1.1       djm      1856:        if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
                   1857:                ret = SSH_ERR_INVALID_FORMAT;
                   1858:                goto out;
                   1859:        }
                   1860:
                   1861:        type = sshkey_type_from_name(ktype);
                   1862:        if (!allow_cert && sshkey_type_is_cert(type)) {
                   1863:                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   1864:                goto out;
                   1865:        }
1.129     djm      1866:        if ((impl = sshkey_impl_from_type(type)) == NULL) {
                   1867:                ret = SSH_ERR_KEY_TYPE_UNKNOWN;
                   1868:                goto out;
                   1869:        }
                   1870:        if ((key = sshkey_new(type)) == NULL) {
                   1871:                ret = SSH_ERR_ALLOC_FAIL;
                   1872:                goto out;
                   1873:        }
                   1874:        if (sshkey_type_is_cert(type)) {
                   1875:                /* Skip nonce that preceeds all certificates */
1.1       djm      1876:                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
                   1877:                        ret = SSH_ERR_INVALID_FORMAT;
                   1878:                        goto out;
                   1879:                }
1.129     djm      1880:        }
                   1881:        if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0)
1.1       djm      1882:                goto out;
                   1883:
                   1884:        /* Parse certificate potion */
1.14      djm      1885:        if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
1.1       djm      1886:                goto out;
                   1887:
                   1888:        if (key != NULL && sshbuf_len(b) != 0) {
                   1889:                ret = SSH_ERR_INVALID_FORMAT;
                   1890:                goto out;
                   1891:        }
                   1892:        ret = 0;
1.32      djm      1893:        if (keyp != NULL) {
                   1894:                *keyp = key;
                   1895:                key = NULL;
                   1896:        }
1.1       djm      1897:  out:
1.14      djm      1898:        sshbuf_free(copy);
1.1       djm      1899:        sshkey_free(key);
                   1900:        free(ktype);
                   1901:        return ret;
                   1902: }
                   1903:
                   1904: int
                   1905: sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
                   1906: {
1.14      djm      1907:        struct sshbuf *b;
                   1908:        int r;
                   1909:
                   1910:        if ((b = sshbuf_from(blob, blen)) == NULL)
                   1911:                return SSH_ERR_ALLOC_FAIL;
                   1912:        r = sshkey_from_blob_internal(b, keyp, 1);
                   1913:        sshbuf_free(b);
                   1914:        return r;
                   1915: }
                   1916:
                   1917: int
                   1918: sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
                   1919: {
                   1920:        return sshkey_from_blob_internal(b, keyp, 1);
                   1921: }
                   1922:
                   1923: int
                   1924: sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
                   1925: {
                   1926:        struct sshbuf *b;
                   1927:        int r;
                   1928:
                   1929:        if ((r = sshbuf_froms(buf, &b)) != 0)
                   1930:                return r;
                   1931:        r = sshkey_from_blob_internal(b, keyp, 1);
1.58      djm      1932:        sshbuf_free(b);
                   1933:        return r;
                   1934: }
                   1935:
1.82      djm      1936: int
                   1937: sshkey_get_sigtype(const u_char *sig, size_t siglen, char **sigtypep)
1.58      djm      1938: {
                   1939:        int r;
                   1940:        struct sshbuf *b = NULL;
                   1941:        char *sigtype = NULL;
                   1942:
                   1943:        if (sigtypep != NULL)
                   1944:                *sigtypep = NULL;
                   1945:        if ((b = sshbuf_from(sig, siglen)) == NULL)
                   1946:                return SSH_ERR_ALLOC_FAIL;
                   1947:        if ((r = sshbuf_get_cstring(b, &sigtype, NULL)) != 0)
                   1948:                goto out;
                   1949:        /* success */
                   1950:        if (sigtypep != NULL) {
                   1951:                *sigtypep = sigtype;
                   1952:                sigtype = NULL;
                   1953:        }
                   1954:        r = 0;
                   1955:  out:
                   1956:        free(sigtype);
1.14      djm      1957:        sshbuf_free(b);
                   1958:        return r;
1.68      djm      1959: }
                   1960:
                   1961: /*
                   1962:  *
                   1963:  * Checks whether a certificate's signature type is allowed.
                   1964:  * Returns 0 (success) if the certificate signature type appears in the
                   1965:  * "allowed" pattern-list, or the key is not a certificate to begin with.
                   1966:  * Otherwise returns a ssherr.h code.
                   1967:  */
                   1968: int
                   1969: sshkey_check_cert_sigtype(const struct sshkey *key, const char *allowed)
                   1970: {
                   1971:        if (key == NULL || allowed == NULL)
                   1972:                return SSH_ERR_INVALID_ARGUMENT;
                   1973:        if (!sshkey_type_is_cert(key->type))
                   1974:                return 0;
                   1975:        if (key->cert == NULL || key->cert->signature_type == NULL)
                   1976:                return SSH_ERR_INVALID_ARGUMENT;
                   1977:        if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
                   1978:                return SSH_ERR_SIGN_ALG_UNSUPPORTED;
                   1979:        return 0;
1.65      djm      1980: }
                   1981:
                   1982: /*
                   1983:  * Returns the expected signature algorithm for a given public key algorithm.
                   1984:  */
1.66      djm      1985: const char *
                   1986: sshkey_sigalg_by_name(const char *name)
1.65      djm      1987: {
1.123     djm      1988:        const struct sshkey_impl *impl;
                   1989:        int i;
1.65      djm      1990:
1.123     djm      1991:        for (i = 0; keyimpls[i] != NULL; i++) {
                   1992:                impl = keyimpls[i];
                   1993:                if (strcmp(impl->name, name) != 0)
1.65      djm      1994:                        continue;
1.123     djm      1995:                if (impl->sigalg != NULL)
                   1996:                        return impl->sigalg;
                   1997:                if (!impl->cert)
                   1998:                        return impl->name;
1.65      djm      1999:                return sshkey_ssh_name_from_type_nid(
1.123     djm      2000:                    sshkey_type_plain(impl->type), impl->nid);
1.65      djm      2001:        }
                   2002:        return NULL;
                   2003: }
                   2004:
                   2005: /*
                   2006:  * Verifies that the signature algorithm appearing inside the signature blob
                   2007:  * matches that which was requested.
                   2008:  */
                   2009: int
                   2010: sshkey_check_sigtype(const u_char *sig, size_t siglen,
                   2011:     const char *requested_alg)
                   2012: {
                   2013:        const char *expected_alg;
                   2014:        char *sigtype = NULL;
                   2015:        int r;
                   2016:
                   2017:        if (requested_alg == NULL)
                   2018:                return 0;
1.66      djm      2019:        if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL)
1.65      djm      2020:                return SSH_ERR_INVALID_ARGUMENT;
1.82      djm      2021:        if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
1.65      djm      2022:                return r;
                   2023:        r = strcmp(expected_alg, sigtype) == 0;
                   2024:        free(sigtype);
                   2025:        return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED;
1.1       djm      2026: }
                   2027:
                   2028: int
1.76      djm      2029: sshkey_sign(struct sshkey *key,
1.1       djm      2030:     u_char **sigp, size_t *lenp,
1.86      djm      2031:     const u_char *data, size_t datalen,
1.111     djm      2032:     const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
1.1       djm      2033: {
1.76      djm      2034:        int was_shielded = sshkey_is_shielded(key);
                   2035:        int r2, r = SSH_ERR_INTERNAL_ERROR;
1.130     djm      2036:        const struct sshkey_impl *impl;
1.76      djm      2037:
1.1       djm      2038:        if (sigp != NULL)
                   2039:                *sigp = NULL;
                   2040:        if (lenp != NULL)
                   2041:                *lenp = 0;
                   2042:        if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
                   2043:                return SSH_ERR_INVALID_ARGUMENT;
1.130     djm      2044:        if ((impl = sshkey_impl_from_key(key)) == NULL)
                   2045:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.76      djm      2046:        if ((r = sshkey_unshield_private(key)) != 0)
                   2047:                return r;
1.130     djm      2048:        if (sshkey_is_sk(key)) {
1.97      djm      2049:                r = sshsk_sign(sk_provider, key, sigp, lenp, data,
1.111     djm      2050:                    datalen, compat, sk_pin);
1.130     djm      2051:        } else {
                   2052:                if (impl->funcs->sign == NULL)
                   2053:                        r = SSH_ERR_SIGN_ALG_UNSUPPORTED;
                   2054:                else {
                   2055:                        r = impl->funcs->sign(key, sigp, lenp, data, datalen,
                   2056:                            alg, sk_provider, sk_pin, compat);
                   2057:                 }
1.1       djm      2058:        }
1.76      djm      2059:        if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
                   2060:                return r2;
                   2061:        return r;
1.1       djm      2062: }
                   2063:
                   2064: /*
                   2065:  * ssh_key_verify returns 0 for a correct signature  and < 0 on error.
1.59      djm      2066:  * If "alg" specified, then the signature must use that algorithm.
1.1       djm      2067:  */
                   2068: int
                   2069: sshkey_verify(const struct sshkey *key,
                   2070:     const u_char *sig, size_t siglen,
1.96      djm      2071:     const u_char *data, size_t dlen, const char *alg, u_int compat,
                   2072:     struct sshkey_sig_details **detailsp)
1.1       djm      2073: {
1.130     djm      2074:        const struct sshkey_impl *impl;
                   2075:
1.96      djm      2076:        if (detailsp != NULL)
                   2077:                *detailsp = NULL;
1.6       djm      2078:        if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
1.1       djm      2079:                return SSH_ERR_INVALID_ARGUMENT;
1.130     djm      2080:        if ((impl = sshkey_impl_from_key(key)) == NULL)
1.1       djm      2081:                return SSH_ERR_KEY_TYPE_UNKNOWN;
1.130     djm      2082:        return impl->funcs->verify(key, sig, siglen, data, dlen,
                   2083:            alg, compat, detailsp);
1.1       djm      2084: }
                   2085:
                   2086: /* Convert a plain key to their _CERT equivalent */
                   2087: int
1.20      djm      2088: sshkey_to_certified(struct sshkey *k)
1.1       djm      2089: {
                   2090:        int newtype;
                   2091:
1.131   ! djm      2092:        if ((newtype = sshkey_type_certified(k->type)) == -1)
1.1       djm      2093:                return SSH_ERR_INVALID_ARGUMENT;
                   2094:        if ((k->cert = cert_new()) == NULL)
                   2095:                return SSH_ERR_ALLOC_FAIL;
                   2096:        k->type = newtype;
                   2097:        return 0;
                   2098: }
                   2099:
                   2100: /* Convert a certificate to its raw key equivalent */
                   2101: int
                   2102: sshkey_drop_cert(struct sshkey *k)
                   2103: {
                   2104:        if (!sshkey_type_is_cert(k->type))
                   2105:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   2106:        cert_free(k->cert);
                   2107:        k->cert = NULL;
                   2108:        k->type = sshkey_type_plain(k->type);
                   2109:        return 0;
                   2110: }
                   2111:
                   2112: /* Sign a certified key, (re-)generating the signed certblob. */
                   2113: int
1.53      djm      2114: sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg,
1.111     djm      2115:     const char *sk_provider, const char *sk_pin,
                   2116:     sshkey_certify_signer *signer, void *signer_ctx)
1.1       djm      2117: {
1.131   ! djm      2118:        const struct sshkey_impl *impl;
1.1       djm      2119:        struct sshbuf *principals = NULL;
                   2120:        u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
                   2121:        size_t i, ca_len, sig_len;
                   2122:        int ret = SSH_ERR_INTERNAL_ERROR;
1.67      djm      2123:        struct sshbuf *cert = NULL;
                   2124:        char *sigtype = NULL;
1.1       djm      2125:
                   2126:        if (k == NULL || k->cert == NULL ||
                   2127:            k->cert->certblob == NULL || ca == NULL)
                   2128:                return SSH_ERR_INVALID_ARGUMENT;
                   2129:        if (!sshkey_is_cert(k))
                   2130:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   2131:        if (!sshkey_type_is_valid_ca(ca->type))
                   2132:                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1.131   ! djm      2133:        if ((impl = sshkey_impl_from_key(k)) == NULL)
        !          2134:                return SSH_ERR_INTERNAL_ERROR;
1.1       djm      2135:
1.67      djm      2136:        /*
                   2137:         * If no alg specified as argument but a signature_type was set,
                   2138:         * then prefer that. If both were specified, then they must match.
                   2139:         */
                   2140:        if (alg == NULL)
                   2141:                alg = k->cert->signature_type;
                   2142:        else if (k->cert->signature_type != NULL &&
                   2143:            strcmp(alg, k->cert->signature_type) != 0)
                   2144:                return SSH_ERR_INVALID_ARGUMENT;
1.75      djm      2145:
                   2146:        /*
                   2147:         * If no signing algorithm or signature_type was specified and we're
                   2148:         * using a RSA key, then default to a good signature algorithm.
                   2149:         */
                   2150:        if (alg == NULL && ca->type == KEY_RSA)
                   2151:                alg = "rsa-sha2-512";
1.67      djm      2152:
1.1       djm      2153:        if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
                   2154:                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
                   2155:
                   2156:        cert = k->cert->certblob; /* for readability */
                   2157:        sshbuf_reset(cert);
                   2158:        if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
                   2159:                goto out;
                   2160:
                   2161:        /* -v01 certs put nonce first */
                   2162:        arc4random_buf(&nonce, sizeof(nonce));
1.20      djm      2163:        if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
                   2164:                goto out;
1.1       djm      2165:
1.131   ! djm      2166:        /* Public key next */
        !          2167:        if ((ret = impl->funcs->serialize_public(k, cert,
        !          2168:            SSHKEY_SERIALIZE_DEFAULT)) != 0)
1.15      djm      2169:                goto out;
1.1       djm      2170:
1.131   ! djm      2171:        /* Then remaining cert fields */
1.20      djm      2172:        if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
                   2173:            (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
1.1       djm      2174:            (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
                   2175:                goto out;
                   2176:
                   2177:        if ((principals = sshbuf_new()) == NULL) {
                   2178:                ret = SSH_ERR_ALLOC_FAIL;
                   2179:                goto out;
                   2180:        }
                   2181:        for (i = 0; i < k->cert->nprincipals; i++) {
                   2182:                if ((ret = sshbuf_put_cstring(principals,
                   2183:                    k->cert->principals[i])) != 0)
                   2184:                        goto out;
                   2185:        }
                   2186:        if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
                   2187:            (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
                   2188:            (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
1.20      djm      2189:            (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
                   2190:            (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
                   2191:            (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
1.1       djm      2192:            (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
                   2193:                goto out;
                   2194:
                   2195:        /* Sign the whole mess */
1.53      djm      2196:        if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
1.111     djm      2197:            sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0)
1.1       djm      2198:                goto out;
1.67      djm      2199:        /* Check and update signature_type against what was actually used */
1.82      djm      2200:        if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
1.67      djm      2201:                goto out;
                   2202:        if (alg != NULL && strcmp(alg, sigtype) != 0) {
                   2203:                ret = SSH_ERR_SIGN_ALG_UNSUPPORTED;
                   2204:                goto out;
                   2205:        }
                   2206:        if (k->cert->signature_type == NULL) {
                   2207:                k->cert->signature_type = sigtype;
                   2208:                sigtype = NULL;
                   2209:        }
1.1       djm      2210:        /* Append signature and we are done */
                   2211:        if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
                   2212:                goto out;
                   2213:        ret = 0;
                   2214:  out:
                   2215:        if (ret != 0)
                   2216:                sshbuf_reset(cert);
1.29      mmcc     2217:        free(sig_blob);
                   2218:        free(ca_blob);
1.67      djm      2219:        free(sigtype);
1.31      mmcc     2220:        sshbuf_free(principals);
1.1       djm      2221:        return ret;
1.53      djm      2222: }
                   2223:
                   2224: static int
1.76      djm      2225: default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
1.53      djm      2226:     const u_char *data, size_t datalen,
1.111     djm      2227:     const char *alg, const char *sk_provider, const char *sk_pin,
                   2228:     u_int compat, void *ctx)
1.53      djm      2229: {
                   2230:        if (ctx != NULL)
                   2231:                return SSH_ERR_INVALID_ARGUMENT;
1.86      djm      2232:        return sshkey_sign(key, sigp, lenp, data, datalen, alg,
1.111     djm      2233:            sk_provider, sk_pin, compat);
1.53      djm      2234: }
                   2235:
                   2236: int
1.86      djm      2237: sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg,
1.111     djm      2238:     const char *sk_provider, const char *sk_pin)
1.53      djm      2239: {
1.111     djm      2240:        return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin,
1.86      djm      2241:            default_key_sign, NULL);
1.1       djm      2242: }
                   2243:
                   2244: int
                   2245: sshkey_cert_check_authority(const struct sshkey *k,
1.114     djm      2246:     int want_host, int require_principal, int wildcard_pattern,
1.119     djm      2247:     uint64_t verify_time, const char *name, const char **reason)
1.1       djm      2248: {
                   2249:        u_int i, principal_matches;
                   2250:
1.102     markus   2251:        if (reason == NULL)
                   2252:                return SSH_ERR_INVALID_ARGUMENT;
1.114     djm      2253:        if (!sshkey_is_cert(k)) {
                   2254:                *reason = "Key is not a certificate";
                   2255:                return SSH_ERR_KEY_CERT_INVALID;
                   2256:        }
1.1       djm      2257:        if (want_host) {
                   2258:                if (k->cert->type != SSH2_CERT_TYPE_HOST) {
                   2259:                        *reason = "Certificate invalid: not a host certificate";
                   2260:                        return SSH_ERR_KEY_CERT_INVALID;
                   2261:                }
                   2262:        } else {
                   2263:                if (k->cert->type != SSH2_CERT_TYPE_USER) {
                   2264:                        *reason = "Certificate invalid: not a user certificate";
                   2265:                        return SSH_ERR_KEY_CERT_INVALID;
                   2266:                }
                   2267:        }
1.119     djm      2268:        if (verify_time < k->cert->valid_after) {
1.1       djm      2269:                *reason = "Certificate invalid: not yet valid";
                   2270:                return SSH_ERR_KEY_CERT_INVALID;
                   2271:        }
1.119     djm      2272:        if (verify_time >= k->cert->valid_before) {
1.1       djm      2273:                *reason = "Certificate invalid: expired";
                   2274:                return SSH_ERR_KEY_CERT_INVALID;
                   2275:        }
                   2276:        if (k->cert->nprincipals == 0) {
                   2277:                if (require_principal) {
                   2278:                        *reason = "Certificate lacks principal list";
                   2279:                        return SSH_ERR_KEY_CERT_INVALID;
                   2280:                }
                   2281:        } else if (name != NULL) {
                   2282:                principal_matches = 0;
                   2283:                for (i = 0; i < k->cert->nprincipals; i++) {
1.114     djm      2284:                        if (wildcard_pattern) {
                   2285:                                if (match_pattern(k->cert->principals[i],
                   2286:                                    name)) {
                   2287:                                        principal_matches = 1;
                   2288:                                        break;
                   2289:                                }
                   2290:                        } else if (strcmp(name, k->cert->principals[i]) == 0) {
1.1       djm      2291:                                principal_matches = 1;
                   2292:                                break;
                   2293:                        }
                   2294:                }
                   2295:                if (!principal_matches) {
                   2296:                        *reason = "Certificate invalid: name is not a listed "
                   2297:                            "principal";
                   2298:                        return SSH_ERR_KEY_CERT_INVALID;
                   2299:                }
1.114     djm      2300:        }
                   2301:        return 0;
                   2302: }
                   2303:
                   2304: int
1.119     djm      2305: sshkey_cert_check_authority_now(const struct sshkey *k,
                   2306:     int want_host, int require_principal, int wildcard_pattern,
                   2307:     const char *name, const char **reason)
                   2308: {
                   2309:        time_t now;
                   2310:
                   2311:        if ((now = time(NULL)) < 0) {
                   2312:                /* yikes - system clock before epoch! */
                   2313:                *reason = "Certificate invalid: not yet valid";
                   2314:                return SSH_ERR_KEY_CERT_INVALID;
                   2315:        }
                   2316:        return sshkey_cert_check_authority(k, want_host, require_principal,
                   2317:            wildcard_pattern, (uint64_t)now, name, reason);
                   2318: }
                   2319:
                   2320: int
1.114     djm      2321: sshkey_cert_check_host(const struct sshkey *key, const char *host,
                   2322:     int wildcard_principals, const char *ca_sign_algorithms,
                   2323:     const char **reason)
                   2324: {
                   2325:        int r;
                   2326:
1.119     djm      2327:        if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals,
1.114     djm      2328:            host, reason)) != 0)
                   2329:                return r;
                   2330:        if (sshbuf_len(key->cert->critical) != 0) {
                   2331:                *reason = "Certificate contains unsupported critical options";
                   2332:                return SSH_ERR_KEY_CERT_INVALID;
                   2333:        }
                   2334:        if (ca_sign_algorithms != NULL &&
                   2335:            (r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) {
                   2336:                *reason = "Certificate signed with disallowed algorithm";
                   2337:                return SSH_ERR_KEY_CERT_INVALID;
1.1       djm      2338:        }
                   2339:        return 0;
1.27      djm      2340: }
                   2341:
                   2342: size_t
                   2343: sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
                   2344: {
1.113     dtucker  2345:        char from[32], to[32], ret[128];
1.27      djm      2346:
                   2347:        *from = *to = '\0';
                   2348:        if (cert->valid_after == 0 &&
                   2349:            cert->valid_before == 0xffffffffffffffffULL)
                   2350:                return strlcpy(s, "forever", l);
                   2351:
1.118     dtucker  2352:        if (cert->valid_after != 0)
                   2353:                format_absolute_time(cert->valid_after, from, sizeof(from));
                   2354:        if (cert->valid_before != 0xffffffffffffffffULL)
                   2355:                format_absolute_time(cert->valid_before, to, sizeof(to));
1.27      djm      2356:
                   2357:        if (cert->valid_after == 0)
                   2358:                snprintf(ret, sizeof(ret), "before %s", to);
                   2359:        else if (cert->valid_before == 0xffffffffffffffffULL)
                   2360:                snprintf(ret, sizeof(ret), "after %s", from);
                   2361:        else
                   2362:                snprintf(ret, sizeof(ret), "from %s to %s", from, to);
                   2363:
                   2364:        return strlcpy(s, ret, l);
1.1       djm      2365: }
                   2366:
                   2367: int
1.76      djm      2368: sshkey_private_serialize_opt(struct sshkey *key, struct sshbuf *buf,
1.62      markus   2369:     enum sshkey_serialize_rep opts)
1.1       djm      2370: {
                   2371:        int r = SSH_ERR_INTERNAL_ERROR;
1.76      djm      2372:        int was_shielded = sshkey_is_shielded(key);
                   2373:        struct sshbuf *b = NULL;
1.69      djm      2374: #ifdef WITH_OPENSSL
                   2375:        const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
                   2376:        const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key, *dsa_priv_key;
                   2377: #endif /* WITH_OPENSSL */
1.1       djm      2378:
1.76      djm      2379:        if ((r = sshkey_unshield_private(key)) != 0)
                   2380:                return r;
                   2381:        if ((b = sshbuf_new()) == NULL)
                   2382:                return SSH_ERR_ALLOC_FAIL;
1.1       djm      2383:        if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
                   2384:                goto out;
                   2385:        switch (key->type) {
                   2386: #ifdef WITH_OPENSSL
                   2387:        case KEY_RSA:
1.69      djm      2388:                RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
                   2389:                RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
                   2390:                RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
                   2391:                if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
                   2392:                    (r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
                   2393:                    (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
                   2394:                    (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
                   2395:                    (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
                   2396:                    (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1       djm      2397:                        goto out;
                   2398:                break;
                   2399:        case KEY_RSA_CERT:
                   2400:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2401:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2402:                        goto out;
                   2403:                }
1.69      djm      2404:                RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);
                   2405:                RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
                   2406:                RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);
1.1       djm      2407:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.69      djm      2408:                    (r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
                   2409:                    (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
                   2410:                    (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
                   2411:                    (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
1.1       djm      2412:                        goto out;
                   2413:                break;
                   2414:        case KEY_DSA:
1.69      djm      2415:                DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
                   2416:                DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
                   2417:                if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
                   2418:                    (r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
                   2419:                    (r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
                   2420:                    (r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 ||
                   2421:                    (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1       djm      2422:                        goto out;
                   2423:                break;
                   2424:        case KEY_DSA_CERT:
                   2425:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2426:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2427:                        goto out;
                   2428:                }
1.69      djm      2429:                DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
1.1       djm      2430:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
1.69      djm      2431:                    (r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
1.1       djm      2432:                        goto out;
                   2433:                break;
                   2434:        case KEY_ECDSA:
                   2435:                if ((r = sshbuf_put_cstring(b,
                   2436:                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
                   2437:                    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
                   2438:                    (r = sshbuf_put_bignum2(b,
                   2439:                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
                   2440:                        goto out;
                   2441:                break;
                   2442:        case KEY_ECDSA_CERT:
                   2443:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2444:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2445:                        goto out;
                   2446:                }
                   2447:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2448:                    (r = sshbuf_put_bignum2(b,
                   2449:                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
                   2450:                        goto out;
                   2451:                break;
1.85      djm      2452:        case KEY_ECDSA_SK:
                   2453:                if ((r = sshbuf_put_cstring(b,
                   2454:                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
                   2455:                    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
                   2456:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2457:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2458:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2459:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2460:                        goto out;
                   2461:                break;
                   2462:        case KEY_ECDSA_SK_CERT:
                   2463:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2464:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2465:                        goto out;
                   2466:                }
                   2467:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2468:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2469:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2470:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2471:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2472:                        goto out;
                   2473:                break;
1.1       djm      2474: #endif /* WITH_OPENSSL */
                   2475:        case KEY_ED25519:
                   2476:                if ((r = sshbuf_put_string(b, key->ed25519_pk,
                   2477:                    ED25519_PK_SZ)) != 0 ||
                   2478:                    (r = sshbuf_put_string(b, key->ed25519_sk,
                   2479:                    ED25519_SK_SZ)) != 0)
                   2480:                        goto out;
                   2481:                break;
                   2482:        case KEY_ED25519_CERT:
                   2483:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2484:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2485:                        goto out;
                   2486:                }
                   2487:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2488:                    (r = sshbuf_put_string(b, key->ed25519_pk,
                   2489:                    ED25519_PK_SZ)) != 0 ||
                   2490:                    (r = sshbuf_put_string(b, key->ed25519_sk,
                   2491:                    ED25519_SK_SZ)) != 0)
                   2492:                        goto out;
                   2493:                break;
1.90      markus   2494:        case KEY_ED25519_SK:
                   2495:                if ((r = sshbuf_put_string(b, key->ed25519_pk,
                   2496:                    ED25519_PK_SZ)) != 0 ||
                   2497:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2498:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2499:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2500:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2501:                        goto out;
                   2502:                break;
                   2503:        case KEY_ED25519_SK_CERT:
                   2504:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
                   2505:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2506:                        goto out;
                   2507:                }
                   2508:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2509:                    (r = sshbuf_put_string(b, key->ed25519_pk,
                   2510:                    ED25519_PK_SZ)) != 0 ||
                   2511:                    (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
                   2512:                    (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
                   2513:                    (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
                   2514:                    (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
                   2515:                        goto out;
                   2516:                break;
1.62      markus   2517: #ifdef WITH_XMSS
                   2518:        case KEY_XMSS:
                   2519:                if (key->xmss_name == NULL) {
                   2520:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2521:                        goto out;
                   2522:                }
                   2523:                if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
                   2524:                    (r = sshbuf_put_string(b, key->xmss_pk,
                   2525:                    sshkey_xmss_pklen(key))) != 0 ||
                   2526:                    (r = sshbuf_put_string(b, key->xmss_sk,
                   2527:                    sshkey_xmss_sklen(key))) != 0 ||
                   2528:                    (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
                   2529:                        goto out;
                   2530:                break;
                   2531:        case KEY_XMSS_CERT:
                   2532:                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0 ||
                   2533:                    key->xmss_name == NULL) {
                   2534:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2535:                        goto out;
                   2536:                }
                   2537:                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
                   2538:                    (r = sshbuf_put_cstring(b, key->xmss_name)) != 0 ||
                   2539:                    (r = sshbuf_put_string(b, key->xmss_pk,
                   2540:                    sshkey_xmss_pklen(key))) != 0 ||
                   2541:                    (r = sshbuf_put_string(b, key->xmss_sk,
                   2542:                    sshkey_xmss_sklen(key))) != 0 ||
                   2543:                    (r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
                   2544:                        goto out;
                   2545:                break;
                   2546: #endif /* WITH_XMSS */
1.1       djm      2547:        default:
                   2548:                r = SSH_ERR_INVALID_ARGUMENT;
                   2549:                goto out;
                   2550:        }
1.76      djm      2551:        /*
                   2552:         * success (but we still need to append the output to buf after
                   2553:         * possibly re-shielding the private key)
                   2554:         */
1.1       djm      2555:        r = 0;
                   2556:  out:
1.76      djm      2557:        if (was_shielded)
                   2558:                r = sshkey_shield_private(key);
                   2559:        if (r == 0)
                   2560:                r = sshbuf_putb(buf, b);
                   2561:        sshbuf_free(b);
                   2562:
1.1       djm      2563:        return r;
                   2564: }
                   2565:
                   2566: int
1.76      djm      2567: sshkey_private_serialize(struct sshkey *key, struct sshbuf *b)
1.62      markus   2568: {
                   2569:        return sshkey_private_serialize_opt(key, b,
                   2570:            SSHKEY_SERIALIZE_DEFAULT);
                   2571: }
                   2572:
                   2573: int
1.1       djm      2574: sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
                   2575: {
1.62      markus   2576:        char *tname = NULL, *curve = NULL, *xmss_name = NULL;
1.115     djm      2577:        char *expect_sk_application = NULL;
1.1       djm      2578:        struct sshkey *k = NULL;
1.14      djm      2579:        size_t pklen = 0, sklen = 0;
1.1       djm      2580:        int type, r = SSH_ERR_INTERNAL_ERROR;
                   2581:        u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
1.115     djm      2582:        u_char *expect_ed25519_pk = NULL;
1.62      markus   2583:        u_char *xmss_pk = NULL, *xmss_sk = NULL;
1.1       djm      2584: #ifdef WITH_OPENSSL
                   2585:        BIGNUM *exponent = NULL;
1.69      djm      2586:        BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
                   2587:        BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
                   2588:        BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
                   2589:        BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
1.1       djm      2590: #endif /* WITH_OPENSSL */
                   2591:
                   2592:        if (kp != NULL)
                   2593:                *kp = NULL;
                   2594:        if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
                   2595:                goto out;
                   2596:        type = sshkey_type_from_name(tname);
1.108     djm      2597:        if (sshkey_type_is_cert(type)) {
                   2598:                /*
                   2599:                 * Certificate key private keys begin with the certificate
                   2600:                 * itself. Make sure this matches the type of the enclosing
                   2601:                 * private key.
                   2602:                 */
                   2603:                if ((r = sshkey_froms(buf, &k)) != 0)
                   2604:                        goto out;
                   2605:                if (k->type != type) {
                   2606:                        r = SSH_ERR_KEY_CERT_MISMATCH;
                   2607:                        goto out;
                   2608:                }
                   2609:                /* For ECDSA keys, the group must match too */
                   2610:                if (k->type == KEY_ECDSA &&
                   2611:                    k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
                   2612:                        r = SSH_ERR_KEY_CERT_MISMATCH;
                   2613:                        goto out;
                   2614:                }
1.115     djm      2615:                /*
                   2616:                 * Several fields are redundant between certificate and
                   2617:                 * private key body, we require these to match.
                   2618:                 */
                   2619:                expect_sk_application = k->sk_application;
                   2620:                expect_ed25519_pk = k->ed25519_pk;
                   2621:                k->sk_application = NULL;
                   2622:                k->ed25519_pk = NULL;
1.108     djm      2623:        } else {
1.70      djm      2624:                if ((k = sshkey_new(type)) == NULL) {
1.1       djm      2625:                        r = SSH_ERR_ALLOC_FAIL;
                   2626:                        goto out;
                   2627:                }
1.108     djm      2628:        }
                   2629:        switch (type) {
                   2630: #ifdef WITH_OPENSSL
                   2631:        case KEY_DSA:
1.73      djm      2632:                if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 ||
                   2633:                    (r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 ||
                   2634:                    (r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 ||
1.108     djm      2635:                    (r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0)
1.69      djm      2636:                        goto out;
                   2637:                if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
                   2638:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2639:                        goto out;
                   2640:                }
                   2641:                dsa_p = dsa_q = dsa_g = NULL; /* transferred */
1.108     djm      2642:                if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL)) {
1.69      djm      2643:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.1       djm      2644:                        goto out;
1.69      djm      2645:                }
1.108     djm      2646:                dsa_pub_key = NULL; /* transferred */
                   2647:                /* FALLTHROUGH */
1.1       djm      2648:        case KEY_DSA_CERT:
1.108     djm      2649:                if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
1.84      djm      2650:                        goto out;
1.69      djm      2651:                if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
                   2652:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2653:                        goto out;
                   2654:                }
                   2655:                dsa_priv_key = NULL; /* transferred */
1.1       djm      2656:                break;
                   2657:        case KEY_ECDSA:
                   2658:                if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
                   2659:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2660:                        goto out;
                   2661:                }
                   2662:                if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
                   2663:                        goto out;
                   2664:                if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
                   2665:                        r = SSH_ERR_EC_CURVE_MISMATCH;
                   2666:                        goto out;
                   2667:                }
                   2668:                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1.73      djm      2669:                if (k->ecdsa  == NULL) {
1.1       djm      2670:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2671:                        goto out;
                   2672:                }
1.108     djm      2673:                if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0)
1.1       djm      2674:                        goto out;
1.108     djm      2675:                /* FALLTHROUGH */
1.1       djm      2676:        case KEY_ECDSA_CERT:
1.108     djm      2677:                if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
1.1       djm      2678:                        goto out;
                   2679:                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
                   2680:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2681:                        goto out;
                   2682:                }
                   2683:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
1.22      jsg      2684:                    EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
1.1       djm      2685:                    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
                   2686:                        goto out;
                   2687:                break;
1.85      djm      2688:        case KEY_ECDSA_SK:
                   2689:                if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
                   2690:                        r = SSH_ERR_INVALID_ARGUMENT;
                   2691:                        goto out;
                   2692:                }
                   2693:                if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
                   2694:                        goto out;
                   2695:                if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
                   2696:                        r = SSH_ERR_EC_CURVE_MISMATCH;
                   2697:                        goto out;
                   2698:                }
                   2699:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   2700:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   2701:                        r = SSH_ERR_ALLOC_FAIL;
                   2702:                        goto out;
                   2703:                }
                   2704:                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
                   2705:                if (k->ecdsa  == NULL) {
                   2706:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2707:                        goto out;
                   2708:                }
                   2709:                if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
                   2710:                    (r = sshbuf_get_cstring(buf, &k->sk_application,
                   2711:                    NULL)) != 0 ||
                   2712:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   2713:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   2714:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   2715:                        goto out;
                   2716:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
                   2717:                    EC_KEY_get0_public_key(k->ecdsa))) != 0)
                   2718:                        goto out;
                   2719:                break;
                   2720:        case KEY_ECDSA_SK_CERT:
                   2721:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   2722:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   2723:                        r = SSH_ERR_ALLOC_FAIL;
                   2724:                        goto out;
                   2725:                }
                   2726:                if ((r = sshbuf_get_cstring(buf, &k->sk_application,
                   2727:                    NULL)) != 0 ||
                   2728:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   2729:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   2730:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   2731:                        goto out;
                   2732:                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
                   2733:                    EC_KEY_get0_public_key(k->ecdsa))) != 0)
                   2734:                        goto out;
                   2735:                break;
1.1       djm      2736:        case KEY_RSA:
1.73      djm      2737:                if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 ||
1.108     djm      2738:                    (r = sshbuf_get_bignum2(buf, &rsa_e)) != 0)
1.1       djm      2739:                        goto out;
1.108     djm      2740:                if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL)) {
1.69      djm      2741:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2742:                        goto out;
                   2743:                }
1.108     djm      2744:                rsa_n = rsa_e = NULL; /* transferred */
                   2745:                /* FALLTHROUGH */
1.1       djm      2746:        case KEY_RSA_CERT:
1.108     djm      2747:                if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 ||
1.73      djm      2748:                    (r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 ||
                   2749:                    (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
                   2750:                    (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
1.1       djm      2751:                        goto out;
1.69      djm      2752:                if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
                   2753:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.49      djm      2754:                        goto out;
                   2755:                }
1.69      djm      2756:                rsa_d = NULL; /* transferred */
                   2757:                if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
                   2758:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2759:                        goto out;
                   2760:                }
                   2761:                rsa_p = rsa_q = NULL; /* transferred */
1.122     djm      2762:                if ((r = sshkey_check_rsa_length(k, 0)) != 0)
1.69      djm      2763:                        goto out;
                   2764:                if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
                   2765:                        goto out;
1.1       djm      2766:                break;
                   2767: #endif /* WITH_OPENSSL */
                   2768:        case KEY_ED25519:
1.108     djm      2769:        case KEY_ED25519_CERT:
1.1       djm      2770:                if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
                   2771:                    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
                   2772:                        goto out;
                   2773:                if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
                   2774:                        r = SSH_ERR_INVALID_FORMAT;
                   2775:                        goto out;
                   2776:                }
                   2777:                k->ed25519_pk = ed25519_pk;
                   2778:                k->ed25519_sk = ed25519_sk;
1.84      djm      2779:                ed25519_pk = ed25519_sk = NULL; /* transferred */
1.1       djm      2780:                break;
1.90      markus   2781:        case KEY_ED25519_SK:
1.108     djm      2782:        case KEY_ED25519_SK_CERT:
1.90      markus   2783:                if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
                   2784:                        goto out;
                   2785:                if (pklen != ED25519_PK_SZ) {
                   2786:                        r = SSH_ERR_INVALID_FORMAT;
                   2787:                        goto out;
                   2788:                }
                   2789:                if ((k->sk_key_handle = sshbuf_new()) == NULL ||
                   2790:                    (k->sk_reserved = sshbuf_new()) == NULL) {
                   2791:                        r = SSH_ERR_ALLOC_FAIL;
                   2792:                        goto out;
                   2793:                }
                   2794:                if ((r = sshbuf_get_cstring(buf, &k->sk_application,
                   2795:                    NULL)) != 0 ||
                   2796:                    (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
                   2797:                    (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
                   2798:                    (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
                   2799:                        goto out;
                   2800:                k->ed25519_pk = ed25519_pk;
                   2801:                ed25519_pk = NULL; /* transferred */
                   2802:                break;
1.62      markus   2803: #ifdef WITH_XMSS
                   2804:        case KEY_XMSS:
1.108     djm      2805:        case KEY_XMSS_CERT:
1.62      markus   2806:                if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 ||
                   2807:                    (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
                   2808:                    (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
1.110     markus   2809:                        goto out;
                   2810:                if (type == KEY_XMSS &&
                   2811:                    (r = sshkey_xmss_init(k, xmss_name)) != 0)
1.62      markus   2812:                        goto out;
                   2813:                if (pklen != sshkey_xmss_pklen(k) ||
                   2814:                    sklen != sshkey_xmss_sklen(k)) {
                   2815:                        r = SSH_ERR_INVALID_FORMAT;
                   2816:                        goto out;
                   2817:                }
                   2818:                k->xmss_pk = xmss_pk;
                   2819:                k->xmss_sk = xmss_sk;
                   2820:                xmss_pk = xmss_sk = NULL;
                   2821:                /* optional internal state */
                   2822:                if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
                   2823:                        goto out;
                   2824:                break;
                   2825: #endif /* WITH_XMSS */
1.1       djm      2826:        default:
                   2827:                r = SSH_ERR_KEY_TYPE_UNKNOWN;
                   2828:                goto out;
                   2829:        }
                   2830: #ifdef WITH_OPENSSL
                   2831:        /* enable blinding */
                   2832:        switch (k->type) {
                   2833:        case KEY_RSA:
                   2834:        case KEY_RSA_CERT:
                   2835:                if (RSA_blinding_on(k->rsa, NULL) != 1) {
                   2836:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   2837:                        goto out;
                   2838:                }
                   2839:                break;
                   2840:        }
                   2841: #endif /* WITH_OPENSSL */
1.115     djm      2842:        if ((expect_sk_application != NULL && (k->sk_application == NULL ||
                   2843:            strcmp(expect_sk_application, k->sk_application) != 0)) ||
                   2844:            (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL ||
1.116     djm      2845:            memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) {
1.115     djm      2846:                r = SSH_ERR_KEY_CERT_MISMATCH;
                   2847:                goto out;
                   2848:        }
1.1       djm      2849:        /* success */
                   2850:        r = 0;
                   2851:        if (kp != NULL) {
                   2852:                *kp = k;
                   2853:                k = NULL;
                   2854:        }
                   2855:  out:
                   2856:        free(tname);
                   2857:        free(curve);
                   2858: #ifdef WITH_OPENSSL
1.60      jsing    2859:        BN_clear_free(exponent);
1.69      djm      2860:        BN_clear_free(dsa_p);
                   2861:        BN_clear_free(dsa_q);
                   2862:        BN_clear_free(dsa_g);
                   2863:        BN_clear_free(dsa_pub_key);
                   2864:        BN_clear_free(dsa_priv_key);
                   2865:        BN_clear_free(rsa_n);
                   2866:        BN_clear_free(rsa_e);
                   2867:        BN_clear_free(rsa_d);
                   2868:        BN_clear_free(rsa_p);
                   2869:        BN_clear_free(rsa_q);
                   2870:        BN_clear_free(rsa_iqmp);
1.1       djm      2871: #endif /* WITH_OPENSSL */
                   2872:        sshkey_free(k);
1.61      jsing    2873:        freezero(ed25519_pk, pklen);
                   2874:        freezero(ed25519_sk, sklen);
1.62      markus   2875:        free(xmss_name);
                   2876:        freezero(xmss_pk, pklen);
                   2877:        freezero(xmss_sk, sklen);
1.115     djm      2878:        free(expect_sk_application);
                   2879:        free(expect_ed25519_pk);
1.1       djm      2880:        return r;
                   2881: }
                   2882:
                   2883: #ifdef WITH_OPENSSL
                   2884: int
                   2885: sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
                   2886: {
                   2887:        EC_POINT *nq = NULL;
1.93      djm      2888:        BIGNUM *order = NULL, *x = NULL, *y = NULL, *tmp = NULL;
1.1       djm      2889:        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
1.40      djm      2890:
                   2891:        /*
                   2892:         * NB. This assumes OpenSSL has already verified that the public
                   2893:         * point lies on the curve. This is done by EC_POINT_oct2point()
                   2894:         * implicitly calling EC_POINT_is_on_curve(). If this code is ever
                   2895:         * reachable with public points not unmarshalled using
                   2896:         * EC_POINT_oct2point then the caller will need to explicitly check.
                   2897:         */
1.1       djm      2898:
                   2899:        /*
                   2900:         * We shouldn't ever hit this case because bignum_get_ecpoint()
                   2901:         * refuses to load GF2m points.
                   2902:         */
                   2903:        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
                   2904:            NID_X9_62_prime_field)
                   2905:                goto out;
                   2906:
                   2907:        /* Q != infinity */
                   2908:        if (EC_POINT_is_at_infinity(group, public))
                   2909:                goto out;
                   2910:
1.93      djm      2911:        if ((x = BN_new()) == NULL ||
                   2912:            (y = BN_new()) == NULL ||
                   2913:            (order = BN_new()) == NULL ||
                   2914:            (tmp = BN_new()) == NULL) {
1.1       djm      2915:                ret = SSH_ERR_ALLOC_FAIL;
                   2916:                goto out;
                   2917:        }
                   2918:
                   2919:        /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
1.93      djm      2920:        if (EC_GROUP_get_order(group, order, NULL) != 1 ||
1.1       djm      2921:            EC_POINT_get_affine_coordinates_GFp(group, public,
1.93      djm      2922:            x, y, NULL) != 1) {
1.1       djm      2923:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   2924:                goto out;
                   2925:        }
                   2926:        if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
                   2927:            BN_num_bits(y) <= BN_num_bits(order) / 2)
                   2928:                goto out;
                   2929:
                   2930:        /* nQ == infinity (n == order of subgroup) */
                   2931:        if ((nq = EC_POINT_new(group)) == NULL) {
                   2932:                ret = SSH_ERR_ALLOC_FAIL;
                   2933:                goto out;
                   2934:        }
1.93      djm      2935:        if (EC_POINT_mul(group, nq, NULL, public, order, NULL) != 1) {
1.1       djm      2936:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   2937:                goto out;
                   2938:        }
                   2939:        if (EC_POINT_is_at_infinity(group, nq) != 1)
                   2940:                goto out;
                   2941:
                   2942:        /* x < order - 1, y < order - 1 */
                   2943:        if (!BN_sub(tmp, order, BN_value_one())) {
                   2944:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   2945:                goto out;
                   2946:        }
                   2947:        if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
                   2948:                goto out;
                   2949:        ret = 0;
                   2950:  out:
1.93      djm      2951:        BN_clear_free(x);
                   2952:        BN_clear_free(y);
                   2953:        BN_clear_free(order);
                   2954:        BN_clear_free(tmp);
1.60      jsing    2955:        EC_POINT_free(nq);
1.1       djm      2956:        return ret;
                   2957: }
                   2958:
                   2959: int
                   2960: sshkey_ec_validate_private(const EC_KEY *key)
                   2961: {
1.93      djm      2962:        BIGNUM *order = NULL, *tmp = NULL;
1.1       djm      2963:        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
                   2964:
1.93      djm      2965:        if ((order = BN_new()) == NULL || (tmp = BN_new()) == NULL) {
1.1       djm      2966:                ret = SSH_ERR_ALLOC_FAIL;
                   2967:                goto out;
                   2968:        }
                   2969:
                   2970:        /* log2(private) > log2(order)/2 */
1.93      djm      2971:        if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL) != 1) {
1.1       djm      2972:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   2973:                goto out;
                   2974:        }
                   2975:        if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
                   2976:            BN_num_bits(order) / 2)
                   2977:                goto out;
                   2978:
                   2979:        /* private < order - 1 */
                   2980:        if (!BN_sub(tmp, order, BN_value_one())) {
                   2981:                ret = SSH_ERR_LIBCRYPTO_ERROR;
                   2982:                goto out;
                   2983:        }
                   2984:        if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
                   2985:                goto out;
                   2986:        ret = 0;
                   2987:  out:
1.93      djm      2988:        BN_clear_free(order);
                   2989:        BN_clear_free(tmp);
1.1       djm      2990:        return ret;
                   2991: }
                   2992:
                   2993: void
                   2994: sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
                   2995: {
1.93      djm      2996:        BIGNUM *x = NULL, *y = NULL;
1.1       djm      2997:
                   2998:        if (point == NULL) {
                   2999:                fputs("point=(NULL)\n", stderr);
                   3000:                return;
                   3001:        }
1.93      djm      3002:        if ((x = BN_new()) == NULL || (y = BN_new()) == NULL) {
                   3003:                fprintf(stderr, "%s: BN_new failed\n", __func__);
                   3004:                goto out;
1.1       djm      3005:        }
                   3006:        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
                   3007:            NID_X9_62_prime_field) {
                   3008:                fprintf(stderr, "%s: group is not a prime field\n", __func__);
1.93      djm      3009:                goto out;
1.1       djm      3010:        }
1.93      djm      3011:        if (EC_POINT_get_affine_coordinates_GFp(group, point,
                   3012:            x, y, NULL) != 1) {
1.1       djm      3013:                fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
                   3014:                    __func__);
1.93      djm      3015:                goto out;
1.1       djm      3016:        }
                   3017:        fputs("x=", stderr);
                   3018:        BN_print_fp(stderr, x);
                   3019:        fputs("\ny=", stderr);
                   3020:        BN_print_fp(stderr, y);
                   3021:        fputs("\n", stderr);
1.93      djm      3022:  out:
                   3023:        BN_clear_free(x);
                   3024:        BN_clear_free(y);
1.1       djm      3025: }
                   3026:
                   3027: void
                   3028: sshkey_dump_ec_key(const EC_KEY *key)
                   3029: {
                   3030:        const BIGNUM *exponent;
                   3031:
                   3032:        sshkey_dump_ec_point(EC_KEY_get0_group(key),
                   3033:            EC_KEY_get0_public_key(key));
                   3034:        fputs("exponent=", stderr);
                   3035:        if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
                   3036:                fputs("(NULL)", stderr);
                   3037:        else
                   3038:                BN_print_fp(stderr, EC_KEY_get0_private_key(key));
                   3039:        fputs("\n", stderr);
                   3040: }
                   3041: #endif /* WITH_OPENSSL */
                   3042:
                   3043: static int
1.76      djm      3044: sshkey_private_to_blob2(struct sshkey *prv, struct sshbuf *blob,
1.1       djm      3045:     const char *passphrase, const char *comment, const char *ciphername,
                   3046:     int rounds)
                   3047: {
1.4       djm      3048:        u_char *cp, *key = NULL, *pubkeyblob = NULL;
1.1       djm      3049:        u_char salt[SALT_LEN];
1.4       djm      3050:        char *b64 = NULL;
1.1       djm      3051:        size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
                   3052:        u_int check;
                   3053:        int r = SSH_ERR_INTERNAL_ERROR;
1.36      djm      3054:        struct sshcipher_ctx *ciphercontext = NULL;
1.1       djm      3055:        const struct sshcipher *cipher;
                   3056:        const char *kdfname = KDFNAME;
                   3057:        struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
                   3058:
                   3059:        if (rounds <= 0)
                   3060:                rounds = DEFAULT_ROUNDS;
                   3061:        if (passphrase == NULL || !strlen(passphrase)) {
                   3062:                ciphername = "none";
                   3063:                kdfname = "none";
                   3064:        } else if (ciphername == NULL)
                   3065:                ciphername = DEFAULT_CIPHERNAME;
1.47      djm      3066:        if ((cipher = cipher_by_name(ciphername)) == NULL) {
1.1       djm      3067:                r = SSH_ERR_INVALID_ARGUMENT;
                   3068:                goto out;
                   3069:        }
                   3070:
                   3071:        if ((kdf = sshbuf_new()) == NULL ||
                   3072:            (encoded = sshbuf_new()) == NULL ||
                   3073:            (encrypted = sshbuf_new()) == NULL) {
                   3074:                r = SSH_ERR_ALLOC_FAIL;
                   3075:                goto out;
                   3076:        }
                   3077:        blocksize = cipher_blocksize(cipher);
                   3078:        keylen = cipher_keylen(cipher);
                   3079:        ivlen = cipher_ivlen(cipher);
                   3080:        authlen = cipher_authlen(cipher);
                   3081:        if ((key = calloc(1, keylen + ivlen)) == NULL) {
                   3082:                r = SSH_ERR_ALLOC_FAIL;
                   3083:                goto out;
                   3084:        }
                   3085:        if (strcmp(kdfname, "bcrypt") == 0) {
                   3086:                arc4random_buf(salt, SALT_LEN);
                   3087:                if (bcrypt_pbkdf(passphrase, strlen(passphrase),
                   3088:                    salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
                   3089:                        r = SSH_ERR_INVALID_ARGUMENT;
                   3090:                        goto out;
                   3091:                }
                   3092:                if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
                   3093:                    (r = sshbuf_put_u32(kdf, rounds)) != 0)
                   3094:                        goto out;
                   3095:        } else if (strcmp(kdfname, "none") != 0) {
                   3096:                /* Unsupported KDF type */
                   3097:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3098:                goto out;
                   3099:        }
                   3100:        if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
                   3101:            key + keylen, ivlen, 1)) != 0)
                   3102:                goto out;
                   3103:
                   3104:        if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
                   3105:            (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
                   3106:            (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
                   3107:            (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
                   3108:            (r = sshbuf_put_u32(encoded, 1)) != 0 ||    /* number of keys */
                   3109:            (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
                   3110:            (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
                   3111:                goto out;
                   3112:
                   3113:        /* set up the buffer that will be encrypted */
                   3114:
                   3115:        /* Random check bytes */
                   3116:        check = arc4random();
                   3117:        if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
                   3118:            (r = sshbuf_put_u32(encrypted, check)) != 0)
                   3119:                goto out;
                   3120:
                   3121:        /* append private key and comment*/
1.62      markus   3122:        if ((r = sshkey_private_serialize_opt(prv, encrypted,
1.116     djm      3123:            SSHKEY_SERIALIZE_FULL)) != 0 ||
1.1       djm      3124:            (r = sshbuf_put_cstring(encrypted, comment)) != 0)
                   3125:                goto out;
                   3126:
                   3127:        /* padding */
                   3128:        i = 0;
                   3129:        while (sshbuf_len(encrypted) % blocksize) {
                   3130:                if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
                   3131:                        goto out;
                   3132:        }
                   3133:
                   3134:        /* length in destination buffer */
                   3135:        if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
                   3136:                goto out;
                   3137:
                   3138:        /* encrypt */
                   3139:        if ((r = sshbuf_reserve(encoded,
                   3140:            sshbuf_len(encrypted) + authlen, &cp)) != 0)
                   3141:                goto out;
1.36      djm      3142:        if ((r = cipher_crypt(ciphercontext, 0, cp,
1.1       djm      3143:            sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
                   3144:                goto out;
                   3145:
1.81      djm      3146:        sshbuf_reset(blob);
1.1       djm      3147:
1.81      djm      3148:        /* assemble uuencoded key */
                   3149:        if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0 ||
                   3150:            (r = sshbuf_dtob64(encoded, blob, 1)) != 0 ||
                   3151:            (r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
1.1       djm      3152:                goto out;
                   3153:
                   3154:        /* success */
                   3155:        r = 0;
                   3156:
                   3157:  out:
                   3158:        sshbuf_free(kdf);
                   3159:        sshbuf_free(encoded);
                   3160:        sshbuf_free(encrypted);
1.36      djm      3161:        cipher_free(ciphercontext);
1.1       djm      3162:        explicit_bzero(salt, sizeof(salt));
1.100     jsg      3163:        if (key != NULL)
                   3164:                freezero(key, keylen + ivlen);
1.121     djm      3165:        if (pubkeyblob != NULL)
1.100     jsg      3166:                freezero(pubkeyblob, pubkeylen);
1.121     djm      3167:        if (b64 != NULL)
1.100     jsg      3168:                freezero(b64, strlen(b64));
1.1       djm      3169:        return r;
                   3170: }
                   3171:
                   3172: static int
1.103     djm      3173: private2_uudecode(struct sshbuf *blob, struct sshbuf **decodedp)
1.1       djm      3174: {
                   3175:        const u_char *cp;
                   3176:        size_t encoded_len;
1.103     djm      3177:        int r;
                   3178:        u_char last;
1.1       djm      3179:        struct sshbuf *encoded = NULL, *decoded = NULL;
                   3180:
1.103     djm      3181:        if (blob == NULL || decodedp == NULL)
                   3182:                return SSH_ERR_INVALID_ARGUMENT;
                   3183:
                   3184:        *decodedp = NULL;
1.1       djm      3185:
                   3186:        if ((encoded = sshbuf_new()) == NULL ||
1.103     djm      3187:            (decoded = sshbuf_new()) == NULL) {
1.1       djm      3188:                r = SSH_ERR_ALLOC_FAIL;
                   3189:                goto out;
                   3190:        }
                   3191:
                   3192:        /* check preamble */
                   3193:        cp = sshbuf_ptr(blob);
                   3194:        encoded_len = sshbuf_len(blob);
                   3195:        if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
                   3196:            memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
                   3197:                r = SSH_ERR_INVALID_FORMAT;
                   3198:                goto out;
                   3199:        }
                   3200:        cp += MARK_BEGIN_LEN;
                   3201:        encoded_len -= MARK_BEGIN_LEN;
                   3202:
                   3203:        /* Look for end marker, removing whitespace as we go */
                   3204:        while (encoded_len > 0) {
                   3205:                if (*cp != '\n' && *cp != '\r') {
                   3206:                        if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
                   3207:                                goto out;
                   3208:                }
                   3209:                last = *cp;
                   3210:                encoded_len--;
                   3211:                cp++;
                   3212:                if (last == '\n') {
                   3213:                        if (encoded_len >= MARK_END_LEN &&
                   3214:                            memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
                   3215:                                /* \0 terminate */
                   3216:                                if ((r = sshbuf_put_u8(encoded, 0)) != 0)
                   3217:                                        goto out;
                   3218:                                break;
                   3219:                        }
                   3220:                }
                   3221:        }
                   3222:        if (encoded_len == 0) {
                   3223:                r = SSH_ERR_INVALID_FORMAT;
                   3224:                goto out;
                   3225:        }
                   3226:
                   3227:        /* decode base64 */
1.4       djm      3228:        if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
1.1       djm      3229:                goto out;
                   3230:
                   3231:        /* check magic */
                   3232:        if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
                   3233:            memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
                   3234:                r = SSH_ERR_INVALID_FORMAT;
                   3235:                goto out;
                   3236:        }
1.103     djm      3237:        /* success */
                   3238:        *decodedp = decoded;
                   3239:        decoded = NULL;
                   3240:        r = 0;
                   3241:  out:
                   3242:        sshbuf_free(encoded);
                   3243:        sshbuf_free(decoded);
                   3244:        return r;
                   3245: }
                   3246:
                   3247: static int
1.104     djm      3248: private2_decrypt(struct sshbuf *decoded, const char *passphrase,
                   3249:     struct sshbuf **decryptedp, struct sshkey **pubkeyp)
1.103     djm      3250: {
                   3251:        char *ciphername = NULL, *kdfname = NULL;
                   3252:        const struct sshcipher *cipher = NULL;
                   3253:        int r = SSH_ERR_INTERNAL_ERROR;
                   3254:        size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0;
                   3255:        struct sshbuf *kdf = NULL, *decrypted = NULL;
                   3256:        struct sshcipher_ctx *ciphercontext = NULL;
1.104     djm      3257:        struct sshkey *pubkey = NULL;
1.103     djm      3258:        u_char *key = NULL, *salt = NULL, *dp;
                   3259:        u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
                   3260:
1.104     djm      3261:        if (decoded == NULL || decryptedp == NULL || pubkeyp == NULL)
1.103     djm      3262:                return SSH_ERR_INVALID_ARGUMENT;
                   3263:
                   3264:        *decryptedp = NULL;
1.104     djm      3265:        *pubkeyp = NULL;
1.103     djm      3266:
                   3267:        if ((decrypted = sshbuf_new()) == NULL) {
                   3268:                r = SSH_ERR_ALLOC_FAIL;
                   3269:                goto out;
                   3270:        }
                   3271:
1.1       djm      3272:        /* parse public portion of key */
                   3273:        if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
                   3274:            (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
                   3275:            (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
                   3276:            (r = sshbuf_froms(decoded, &kdf)) != 0 ||
1.103     djm      3277:            (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
                   3278:                goto out;
                   3279:
                   3280:        if (nkeys != 1) {
                   3281:                /* XXX only one key supported at present */
                   3282:                r = SSH_ERR_INVALID_FORMAT;
                   3283:                goto out;
                   3284:        }
                   3285:
1.104     djm      3286:        if ((r = sshkey_froms(decoded, &pubkey)) != 0 ||
1.1       djm      3287:            (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
                   3288:                goto out;
                   3289:
                   3290:        if ((cipher = cipher_by_name(ciphername)) == NULL) {
                   3291:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3292:                goto out;
                   3293:        }
                   3294:        if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
                   3295:                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
                   3296:                goto out;
                   3297:        }
1.101     markus   3298:        if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) {
1.1       djm      3299:                r = SSH_ERR_INVALID_FORMAT;
1.101     markus   3300:                goto out;
                   3301:        }
                   3302:        if ((passphrase == NULL || strlen(passphrase) == 0) &&
                   3303:            strcmp(kdfname, "none") != 0) {
                   3304:                /* passphrase required */
                   3305:                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
1.1       djm      3306:                goto out;
                   3307:        }
                   3308:
                   3309:        /* check size of encrypted key blob */
                   3310:        blocksize = cipher_blocksize(cipher);
                   3311:        if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
                   3312:                r = SSH_ERR_INVALID_FORMAT;
                   3313:                goto out;
                   3314:        }
                   3315:
                   3316:        /* setup key */
                   3317:        keylen = cipher_keylen(cipher);
                   3318:        ivlen = cipher_ivlen(cipher);
1.18      djm      3319:        authlen = cipher_authlen(cipher);
1.1       djm      3320:        if ((key = calloc(1, keylen + ivlen)) == NULL) {
                   3321:                r = SSH_ERR_ALLOC_FAIL;
                   3322:                goto out;
                   3323:        }
                   3324:        if (strcmp(kdfname, "bcrypt") == 0) {
                   3325:                if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
                   3326:                    (r = sshbuf_get_u32(kdf, &rounds)) != 0)
                   3327:                        goto out;
                   3328:                if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
                   3329:                    key, keylen + ivlen, rounds) < 0) {
                   3330:                        r = SSH_ERR_INVALID_FORMAT;
                   3331:                        goto out;
                   3332:                }
                   3333:        }
                   3334:
1.18      djm      3335:        /* check that an appropriate amount of auth data is present */
1.84      djm      3336:        if (sshbuf_len(decoded) < authlen ||
                   3337:            sshbuf_len(decoded) - authlen < encrypted_len) {
1.18      djm      3338:                r = SSH_ERR_INVALID_FORMAT;
                   3339:                goto out;
                   3340:        }
                   3341:
1.1       djm      3342:        /* decrypt private portion of key */
                   3343:        if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
                   3344:            (r = cipher_init(&ciphercontext, cipher, key, keylen,
                   3345:            key + keylen, ivlen, 0)) != 0)
                   3346:                goto out;
1.36      djm      3347:        if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
1.18      djm      3348:            encrypted_len, 0, authlen)) != 0) {
1.1       djm      3349:                /* an integrity error here indicates an incorrect passphrase */
                   3350:                if (r == SSH_ERR_MAC_INVALID)
                   3351:                        r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3352:                goto out;
                   3353:        }
1.18      djm      3354:        if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
1.1       djm      3355:                goto out;
                   3356:        /* there should be no trailing data */
                   3357:        if (sshbuf_len(decoded) != 0) {
                   3358:                r = SSH_ERR_INVALID_FORMAT;
                   3359:                goto out;
                   3360:        }
                   3361:
                   3362:        /* check check bytes */
                   3363:        if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
                   3364:            (r = sshbuf_get_u32(decrypted, &check2)) != 0)
                   3365:                goto out;
                   3366:        if (check1 != check2) {
                   3367:                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3368:                goto out;
                   3369:        }
1.103     djm      3370:        /* success */
                   3371:        *decryptedp = decrypted;
                   3372:        decrypted = NULL;
1.104     djm      3373:        *pubkeyp = pubkey;
                   3374:        pubkey = NULL;
1.103     djm      3375:        r = 0;
                   3376:  out:
                   3377:        cipher_free(ciphercontext);
                   3378:        free(ciphername);
                   3379:        free(kdfname);
1.104     djm      3380:        sshkey_free(pubkey);
1.103     djm      3381:        if (salt != NULL) {
                   3382:                explicit_bzero(salt, slen);
                   3383:                free(salt);
                   3384:        }
                   3385:        if (key != NULL) {
                   3386:                explicit_bzero(key, keylen + ivlen);
                   3387:                free(key);
                   3388:        }
                   3389:        sshbuf_free(kdf);
                   3390:        sshbuf_free(decrypted);
                   3391:        return r;
                   3392: }
                   3393:
                   3394: static int
                   3395: sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
                   3396:     struct sshkey **keyp, char **commentp)
                   3397: {
                   3398:        char *comment = NULL;
                   3399:        int r = SSH_ERR_INTERNAL_ERROR;
                   3400:        struct sshbuf *decoded = NULL, *decrypted = NULL;
1.104     djm      3401:        struct sshkey *k = NULL, *pubkey = NULL;
1.103     djm      3402:
                   3403:        if (keyp != NULL)
                   3404:                *keyp = NULL;
                   3405:        if (commentp != NULL)
                   3406:                *commentp = NULL;
                   3407:
                   3408:        /* Undo base64 encoding and decrypt the private section */
                   3409:        if ((r = private2_uudecode(blob, &decoded)) != 0 ||
1.104     djm      3410:            (r = private2_decrypt(decoded, passphrase,
                   3411:            &decrypted, &pubkey)) != 0)
1.103     djm      3412:                goto out;
1.105     djm      3413:
                   3414:        if (type != KEY_UNSPEC &&
                   3415:            sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
                   3416:                r = SSH_ERR_KEY_TYPE_MISMATCH;
                   3417:                goto out;
                   3418:        }
1.103     djm      3419:
                   3420:        /* Load the private key and comment */
                   3421:        if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
                   3422:            (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
                   3423:                goto out;
                   3424:
                   3425:        /* Check deterministic padding after private section */
                   3426:        if ((r = private2_check_padding(decrypted)) != 0)
                   3427:                goto out;
1.1       djm      3428:
1.104     djm      3429:        /* Check that the public key in the envelope matches the private key */
                   3430:        if (!sshkey_equal(pubkey, k)) {
                   3431:                r = SSH_ERR_INVALID_FORMAT;
                   3432:                goto out;
                   3433:        }
1.1       djm      3434:
                   3435:        /* success */
                   3436:        r = 0;
                   3437:        if (keyp != NULL) {
                   3438:                *keyp = k;
                   3439:                k = NULL;
                   3440:        }
                   3441:        if (commentp != NULL) {
                   3442:                *commentp = comment;
                   3443:                comment = NULL;
                   3444:        }
                   3445:  out:
                   3446:        free(comment);
                   3447:        sshbuf_free(decoded);
                   3448:        sshbuf_free(decrypted);
                   3449:        sshkey_free(k);
1.104     djm      3450:        sshkey_free(pubkey);
1.1       djm      3451:        return r;
                   3452: }
                   3453:
1.107     djm      3454: static int
                   3455: sshkey_parse_private2_pubkey(struct sshbuf *blob, int type,
                   3456:     struct sshkey **keyp)
                   3457: {
                   3458:        int r = SSH_ERR_INTERNAL_ERROR;
                   3459:        struct sshbuf *decoded = NULL;
                   3460:        struct sshkey *pubkey = NULL;
                   3461:        u_int nkeys = 0;
                   3462:
                   3463:        if (keyp != NULL)
                   3464:                *keyp = NULL;
                   3465:
                   3466:        if ((r = private2_uudecode(blob, &decoded)) != 0)
                   3467:                goto out;
                   3468:        /* parse public key from unencrypted envelope */
                   3469:        if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
                   3470:            (r = sshbuf_skip_string(decoded)) != 0 || /* cipher */
                   3471:            (r = sshbuf_skip_string(decoded)) != 0 || /* KDF alg */
                   3472:            (r = sshbuf_skip_string(decoded)) != 0 || /* KDF hint */
                   3473:            (r = sshbuf_get_u32(decoded, &nkeys)) != 0)
                   3474:                goto out;
                   3475:
                   3476:        if (nkeys != 1) {
                   3477:                /* XXX only one key supported at present */
                   3478:                r = SSH_ERR_INVALID_FORMAT;
                   3479:                goto out;
                   3480:        }
                   3481:
                   3482:        /* Parse the public key */
                   3483:        if ((r = sshkey_froms(decoded, &pubkey)) != 0)
                   3484:                goto out;
                   3485:
                   3486:        if (type != KEY_UNSPEC &&
                   3487:            sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
                   3488:                r = SSH_ERR_KEY_TYPE_MISMATCH;
                   3489:                goto out;
                   3490:        }
                   3491:
                   3492:        /* success */
                   3493:        r = 0;
                   3494:        if (keyp != NULL) {
                   3495:                *keyp = pubkey;
                   3496:                pubkey = NULL;
                   3497:        }
                   3498:  out:
                   3499:        sshbuf_free(decoded);
                   3500:        sshkey_free(pubkey);
                   3501:        return r;
                   3502: }
                   3503:
1.1       djm      3504: #ifdef WITH_OPENSSL
1.80      djm      3505: /* convert SSH v2 key to PEM or PKCS#8 format */
1.1       djm      3506: static int
1.80      djm      3507: sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
                   3508:     int format, const char *_passphrase, const char *comment)
1.1       djm      3509: {
1.76      djm      3510:        int was_shielded = sshkey_is_shielded(key);
1.1       djm      3511:        int success, r;
                   3512:        int blen, len = strlen(_passphrase);
                   3513:        u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
                   3514:        const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
1.57      djm      3515:        char *bptr;
1.1       djm      3516:        BIO *bio = NULL;
1.76      djm      3517:        struct sshbuf *blob;
1.80      djm      3518:        EVP_PKEY *pkey = NULL;
1.1       djm      3519:
                   3520:        if (len > 0 && len <= 4)
                   3521:                return SSH_ERR_PASSPHRASE_TOO_SHORT;
1.76      djm      3522:        if ((blob = sshbuf_new()) == NULL)
1.1       djm      3523:                return SSH_ERR_ALLOC_FAIL;
1.76      djm      3524:        if ((bio = BIO_new(BIO_s_mem())) == NULL) {
1.80      djm      3525:                r = SSH_ERR_ALLOC_FAIL;
                   3526:                goto out;
                   3527:        }
                   3528:        if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
                   3529:                r = SSH_ERR_ALLOC_FAIL;
                   3530:                goto out;
1.76      djm      3531:        }
                   3532:        if ((r = sshkey_unshield_private(key)) != 0)
                   3533:                goto out;
1.1       djm      3534:
                   3535:        switch (key->type) {
                   3536:        case KEY_DSA:
1.80      djm      3537:                if (format == SSHKEY_PRIVATE_PEM) {
                   3538:                        success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
                   3539:                            cipher, passphrase, len, NULL, NULL);
                   3540:                } else {
                   3541:                        success = EVP_PKEY_set1_DSA(pkey, key->dsa);
                   3542:                }
1.1       djm      3543:                break;
                   3544:        case KEY_ECDSA:
1.80      djm      3545:                if (format == SSHKEY_PRIVATE_PEM) {
                   3546:                        success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
                   3547:                            cipher, passphrase, len, NULL, NULL);
                   3548:                } else {
                   3549:                        success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
                   3550:                }
1.1       djm      3551:                break;
                   3552:        case KEY_RSA:
1.80      djm      3553:                if (format == SSHKEY_PRIVATE_PEM) {
                   3554:                        success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
                   3555:                            cipher, passphrase, len, NULL, NULL);
                   3556:                } else {
                   3557:                        success = EVP_PKEY_set1_RSA(pkey, key->rsa);
                   3558:                }
1.1       djm      3559:                break;
                   3560:        default:
                   3561:                success = 0;
                   3562:                break;
                   3563:        }
                   3564:        if (success == 0) {
                   3565:                r = SSH_ERR_LIBCRYPTO_ERROR;
                   3566:                goto out;
                   3567:        }
1.80      djm      3568:        if (format == SSHKEY_PRIVATE_PKCS8) {
                   3569:                if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
                   3570:                    passphrase, len, NULL, NULL)) == 0) {
                   3571:                        r = SSH_ERR_LIBCRYPTO_ERROR;
                   3572:                        goto out;
                   3573:                }
                   3574:        }
1.1       djm      3575:        if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
                   3576:                r = SSH_ERR_INTERNAL_ERROR;
                   3577:                goto out;
                   3578:        }
                   3579:        if ((r = sshbuf_put(blob, bptr, blen)) != 0)
                   3580:                goto out;
                   3581:        r = 0;
                   3582:  out:
1.76      djm      3583:        if (was_shielded)
                   3584:                r = sshkey_shield_private(key);
                   3585:        if (r == 0)
                   3586:                r = sshbuf_putb(buf, blob);
1.80      djm      3587:
                   3588:        EVP_PKEY_free(pkey);
1.76      djm      3589:        sshbuf_free(blob);
1.1       djm      3590:        BIO_free(bio);
                   3591:        return r;
                   3592: }
                   3593: #endif /* WITH_OPENSSL */
                   3594:
                   3595: /* Serialise "key" to buffer "blob" */
                   3596: int
                   3597: sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
                   3598:     const char *passphrase, const char *comment,
1.80      djm      3599:     int format, const char *openssh_format_cipher, int openssh_format_rounds)
1.1       djm      3600: {
                   3601:        switch (key->type) {
1.9       markus   3602: #ifdef WITH_OPENSSL
1.1       djm      3603:        case KEY_DSA:
                   3604:        case KEY_ECDSA:
                   3605:        case KEY_RSA:
1.80      djm      3606:                break; /* see below */
1.1       djm      3607: #endif /* WITH_OPENSSL */
                   3608:        case KEY_ED25519:
1.90      markus   3609:        case KEY_ED25519_SK:
1.62      markus   3610: #ifdef WITH_XMSS
                   3611:        case KEY_XMSS:
                   3612: #endif /* WITH_XMSS */
1.85      djm      3613: #ifdef WITH_OPENSSL
                   3614:        case KEY_ECDSA_SK:
                   3615: #endif /* WITH_OPENSSL */
1.1       djm      3616:                return sshkey_private_to_blob2(key, blob, passphrase,
1.80      djm      3617:                    comment, openssh_format_cipher, openssh_format_rounds);
1.1       djm      3618:        default:
                   3619:                return SSH_ERR_KEY_TYPE_UNKNOWN;
                   3620:        }
1.80      djm      3621:
                   3622: #ifdef WITH_OPENSSL
                   3623:        switch (format) {
                   3624:        case SSHKEY_PRIVATE_OPENSSH:
                   3625:                return sshkey_private_to_blob2(key, blob, passphrase,
                   3626:                    comment, openssh_format_cipher, openssh_format_rounds);
                   3627:        case SSHKEY_PRIVATE_PEM:
                   3628:        case SSHKEY_PRIVATE_PKCS8:
                   3629:                return sshkey_private_to_blob_pem_pkcs8(key, blob,
                   3630:                    format, passphrase, comment);
                   3631:        default:
                   3632:                return SSH_ERR_INVALID_ARGUMENT;
                   3633:        }
                   3634: #endif /* WITH_OPENSSL */
1.1       djm      3635: }
                   3636:
                   3637: #ifdef WITH_OPENSSL
1.8       djm      3638: static int
1.52      djm      3639: translate_libcrypto_error(unsigned long pem_err)
                   3640: {
                   3641:        int pem_reason = ERR_GET_REASON(pem_err);
                   3642:
                   3643:        switch (ERR_GET_LIB(pem_err)) {
                   3644:        case ERR_LIB_PEM:
                   3645:                switch (pem_reason) {
                   3646:                case PEM_R_BAD_PASSWORD_READ:
                   3647:                case PEM_R_PROBLEMS_GETTING_PASSWORD:
                   3648:                case PEM_R_BAD_DECRYPT:
                   3649:                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3650:                default:
                   3651:                        return SSH_ERR_INVALID_FORMAT;
                   3652:                }
                   3653:        case ERR_LIB_EVP:
                   3654:                switch (pem_reason) {
                   3655:                case EVP_R_BAD_DECRYPT:
                   3656:                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
1.69      djm      3657: #ifdef EVP_R_BN_DECODE_ERROR
1.52      djm      3658:                case EVP_R_BN_DECODE_ERROR:
1.69      djm      3659: #endif
1.52      djm      3660:                case EVP_R_DECODE_ERROR:
                   3661: #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
                   3662:                case EVP_R_PRIVATE_KEY_DECODE_ERROR:
                   3663: #endif
                   3664:                        return SSH_ERR_INVALID_FORMAT;
                   3665:                default:
                   3666:                        return SSH_ERR_LIBCRYPTO_ERROR;
                   3667:                }
                   3668:        case ERR_LIB_ASN1:
                   3669:                return SSH_ERR_INVALID_FORMAT;
                   3670:        }
                   3671:        return SSH_ERR_LIBCRYPTO_ERROR;
                   3672: }
                   3673:
                   3674: static void
                   3675: clear_libcrypto_errors(void)
                   3676: {
                   3677:        while (ERR_get_error() != 0)
                   3678:                ;
                   3679: }
                   3680:
                   3681: /*
                   3682:  * Translate OpenSSL error codes to determine whether
                   3683:  * passphrase is required/incorrect.
                   3684:  */
                   3685: static int
                   3686: convert_libcrypto_error(void)
                   3687: {
                   3688:        /*
                   3689:         * Some password errors are reported at the beginning
                   3690:         * of the error queue.
                   3691:         */
                   3692:        if (translate_libcrypto_error(ERR_peek_error()) ==
                   3693:            SSH_ERR_KEY_WRONG_PASSPHRASE)
                   3694:                return SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3695:        return translate_libcrypto_error(ERR_peek_last_error());
                   3696: }
                   3697:
                   3698: static int
1.1       djm      3699: sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
1.8       djm      3700:     const char *passphrase, struct sshkey **keyp)
1.1       djm      3701: {
                   3702:        EVP_PKEY *pk = NULL;
                   3703:        struct sshkey *prv = NULL;
                   3704:        BIO *bio = NULL;
                   3705:        int r;
                   3706:
1.32      djm      3707:        if (keyp != NULL)
                   3708:                *keyp = NULL;
1.1       djm      3709:
                   3710:        if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
                   3711:                return SSH_ERR_ALLOC_FAIL;
                   3712:        if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
                   3713:            (int)sshbuf_len(blob)) {
                   3714:                r = SSH_ERR_ALLOC_FAIL;
                   3715:                goto out;
                   3716:        }
                   3717:
1.52      djm      3718:        clear_libcrypto_errors();
1.1       djm      3719:        if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
                   3720:            (char *)passphrase)) == NULL) {
1.116     djm      3721:                /*
                   3722:                 * libcrypto may return various ASN.1 errors when attempting
                   3723:                 * to parse a key with an incorrect passphrase.
                   3724:                 * Treat all format errors as "incorrect passphrase" if a
                   3725:                 * passphrase was supplied.
                   3726:                 */
1.71      djm      3727:                if (passphrase != NULL && *passphrase != '\0')
                   3728:                        r = SSH_ERR_KEY_WRONG_PASSPHRASE;
                   3729:                else
                   3730:                        r = convert_libcrypto_error();
1.1       djm      3731:                goto out;
                   3732:        }
1.69      djm      3733:        if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA &&
1.1       djm      3734:            (type == KEY_UNSPEC || type == KEY_RSA)) {
                   3735:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   3736:                        r = SSH_ERR_ALLOC_FAIL;
                   3737:                        goto out;
                   3738:                }
                   3739:                prv->rsa = EVP_PKEY_get1_RSA(pk);
                   3740:                prv->type = KEY_RSA;
                   3741: #ifdef DEBUG_PK
                   3742:                RSA_print_fp(stderr, prv->rsa, 8);
                   3743: #endif
                   3744:                if (RSA_blinding_on(prv->rsa, NULL) != 1) {
                   3745:                        r = SSH_ERR_LIBCRYPTO_ERROR;
1.49      djm      3746:                        goto out;
                   3747:                }
1.122     djm      3748:                if ((r = sshkey_check_rsa_length(prv, 0)) != 0)
1.1       djm      3749:                        goto out;
1.69      djm      3750:        } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
1.1       djm      3751:            (type == KEY_UNSPEC || type == KEY_DSA)) {
                   3752:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   3753:                        r = SSH_ERR_ALLOC_FAIL;
                   3754:                        goto out;
                   3755:                }
                   3756:                prv->dsa = EVP_PKEY_get1_DSA(pk);
                   3757:                prv->type = KEY_DSA;
                   3758: #ifdef DEBUG_PK
                   3759:                DSA_print_fp(stderr, prv->dsa, 8);
                   3760: #endif
1.69      djm      3761:        } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
1.1       djm      3762:            (type == KEY_UNSPEC || type == KEY_ECDSA)) {
                   3763:                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
                   3764:                        r = SSH_ERR_ALLOC_FAIL;
                   3765:                        goto out;
                   3766:                }
                   3767:                prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
                   3768:                prv->type = KEY_ECDSA;
                   3769:                prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
                   3770:                if (prv->ecdsa_nid == -1 ||
                   3771:                    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
                   3772:                    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
                   3773:                    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
                   3774:                    sshkey_ec_validate_private(prv->ecdsa) != 0) {
                   3775:                        r = SSH_ERR_INVALID_FORMAT;
                   3776:                        goto out;
                   3777:                }
                   3778: #ifdef DEBUG_PK
                   3779:                if (prv != NULL && prv->ecdsa != NULL)
                   3780:                        sshkey_dump_ec_key(prv->ecdsa);
                   3781: #endif
                   3782:        } else {
                   3783:                r = SSH_ERR_INVALID_FORMAT;
                   3784:                goto out;
                   3785:        }
                   3786:        r = 0;
1.32      djm      3787:        if (keyp != NULL) {
                   3788:                *keyp = prv;
                   3789:                prv = NULL;
                   3790:        }
1.1       djm      3791:  out:
                   3792:        BIO_free(bio);
1.60      jsing    3793:        EVP_PKEY_free(pk);
1.30      mmcc     3794:        sshkey_free(prv);
1.1       djm      3795:        return r;
                   3796: }
                   3797: #endif /* WITH_OPENSSL */
                   3798:
                   3799: int
                   3800: sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
                   3801:     const char *passphrase, struct sshkey **keyp, char **commentp)
                   3802: {
1.42      djm      3803:        int r = SSH_ERR_INTERNAL_ERROR;
                   3804:
1.32      djm      3805:        if (keyp != NULL)
                   3806:                *keyp = NULL;
1.1       djm      3807:        if (commentp != NULL)
                   3808:                *commentp = NULL;
                   3809:
                   3810:        switch (type) {
                   3811:        case KEY_ED25519:
1.62      markus   3812:        case KEY_XMSS:
1.106     djm      3813:                /* No fallback for new-format-only keys */
1.1       djm      3814:                return sshkey_parse_private2(blob, type, passphrase,
                   3815:                    keyp, commentp);
1.106     djm      3816:        default:
1.42      djm      3817:                r = sshkey_parse_private2(blob, type, passphrase, keyp,
                   3818:                    commentp);
1.106     djm      3819:                /* Only fallback to PEM parser if a format error occurred. */
                   3820:                if (r != SSH_ERR_INVALID_FORMAT)
1.42      djm      3821:                        return r;
1.1       djm      3822: #ifdef WITH_OPENSSL
1.8       djm      3823:                return sshkey_parse_private_pem_fileblob(blob, type,
                   3824:                    passphrase, keyp);
1.1       djm      3825: #else
                   3826:                return SSH_ERR_INVALID_FORMAT;
                   3827: #endif /* WITH_OPENSSL */
                   3828:        }
                   3829: }
                   3830:
                   3831: int
                   3832: sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
1.23      tim      3833:     struct sshkey **keyp, char **commentp)
1.1       djm      3834: {
                   3835:        if (keyp != NULL)
                   3836:                *keyp = NULL;
                   3837:        if (commentp != NULL)
                   3838:                *commentp = NULL;
                   3839:
1.23      tim      3840:        return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
                   3841:            passphrase, keyp, commentp);
1.96      djm      3842: }
                   3843:
                   3844: void
                   3845: sshkey_sig_details_free(struct sshkey_sig_details *details)
                   3846: {
                   3847:        freezero(details, sizeof(*details));
1.107     djm      3848: }
                   3849:
                   3850: int
                   3851: sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type,
                   3852:     struct sshkey **pubkeyp)
                   3853: {
                   3854:        int r = SSH_ERR_INTERNAL_ERROR;
                   3855:
                   3856:        if (pubkeyp != NULL)
                   3857:                *pubkeyp = NULL;
                   3858:        /* only new-format private keys bundle a public key inside */
                   3859:        if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0)
                   3860:                return r;
                   3861:        return 0;
1.1       djm      3862: }
1.62      markus   3863:
                   3864: #ifdef WITH_XMSS
                   3865: /*
                   3866:  * serialize the key with the current state and forward the state
                   3867:  * maxsign times.
                   3868:  */
                   3869: int
1.77      djm      3870: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.112     dtucker  3871:     u_int32_t maxsign, int printerror)
1.62      markus   3872: {
                   3873:        int r, rupdate;
                   3874:
                   3875:        if (maxsign == 0 ||
                   3876:            sshkey_type_plain(k->type) != KEY_XMSS)
                   3877:                return sshkey_private_serialize_opt(k, b,
                   3878:                    SSHKEY_SERIALIZE_DEFAULT);
1.112     dtucker  3879:        if ((r = sshkey_xmss_get_state(k, printerror)) != 0 ||
1.62      markus   3880:            (r = sshkey_private_serialize_opt(k, b,
                   3881:            SSHKEY_SERIALIZE_STATE)) != 0 ||
                   3882:            (r = sshkey_xmss_forward_state(k, maxsign)) != 0)
                   3883:                goto out;
                   3884:        r = 0;
                   3885: out:
1.112     dtucker  3886:        if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) {
1.62      markus   3887:                if (r == 0)
                   3888:                        r = rupdate;
                   3889:        }
                   3890:        return r;
                   3891: }
                   3892:
                   3893: u_int32_t
                   3894: sshkey_signatures_left(const struct sshkey *k)
                   3895: {
                   3896:        if (sshkey_type_plain(k->type) == KEY_XMSS)
                   3897:                return sshkey_xmss_signatures_left(k);
                   3898:        return 0;
                   3899: }
                   3900:
                   3901: int
                   3902: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
                   3903: {
                   3904:        if (sshkey_type_plain(k->type) != KEY_XMSS)
                   3905:                return SSH_ERR_INVALID_ARGUMENT;
                   3906:        return sshkey_xmss_enable_maxsign(k, maxsign);
                   3907: }
                   3908:
                   3909: int
                   3910: sshkey_set_filename(struct sshkey *k, const char *filename)
                   3911: {
                   3912:        if (k == NULL)
                   3913:                return SSH_ERR_INVALID_ARGUMENT;
                   3914:        if (sshkey_type_plain(k->type) != KEY_XMSS)
                   3915:                return 0;
                   3916:        if (filename == NULL)
                   3917:                return SSH_ERR_INVALID_ARGUMENT;
                   3918:        if ((k->xmss_filename = strdup(filename)) == NULL)
                   3919:                return SSH_ERR_ALLOC_FAIL;
                   3920:        return 0;
                   3921: }
                   3922: #else
                   3923: int
1.76      djm      3924: sshkey_private_serialize_maxsign(struct sshkey *k, struct sshbuf *b,
1.112     dtucker  3925:     u_int32_t maxsign, int printerror)
1.62      markus   3926: {
                   3927:        return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
                   3928: }
                   3929:
                   3930: u_int32_t
                   3931: sshkey_signatures_left(const struct sshkey *k)
                   3932: {
                   3933:        return 0;
                   3934: }
                   3935:
                   3936: int
                   3937: sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
                   3938: {
                   3939:        return SSH_ERR_INVALID_ARGUMENT;
                   3940: }
                   3941:
                   3942: int
                   3943: sshkey_set_filename(struct sshkey *k, const char *filename)
                   3944: {
                   3945:        if (k == NULL)
                   3946:                return SSH_ERR_INVALID_ARGUMENT;
                   3947:        return 0;
                   3948: }
                   3949: #endif /* WITH_XMSS */