• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2019 Google LLC
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "includes.h"
18 
19 #include <stdio.h>
20 #include <stdlib.h>
21 #include <stdarg.h>
22 #include <errno.h>
23 #include <string.h>
24 #include <unistd.h>
25 
26 #include "authfd.h"
27 #include "authfile.h"
28 #include "log.h"
29 #include "misc.h"
30 #include "sshbuf.h"
31 #include "sshsig.h"
32 #include "ssherr.h"
33 #include "sshkey.h"
34 #include "match.h"
35 #include "digest.h"
36 
37 #define SIG_VERSION		0x01
38 #define MAGIC_PREAMBLE		"SSHSIG"
39 #define MAGIC_PREAMBLE_LEN	(sizeof(MAGIC_PREAMBLE) - 1)
40 #define BEGIN_SIGNATURE		"-----BEGIN SSH SIGNATURE-----\n"
41 #define END_SIGNATURE		"-----END SSH SIGNATURE-----"
42 #define RSA_SIGN_ALG		"rsa-sha2-512" /* XXX maybe make configurable */
43 #define RSA_SIGN_ALLOWED	"rsa-sha2-512,rsa-sha2-256"
44 #define HASHALG_DEFAULT		"sha512" /* XXX maybe make configurable */
45 #define HASHALG_ALLOWED		"sha256,sha512"
46 
47 int
sshsig_armor(const struct sshbuf * blob,struct sshbuf ** out)48 sshsig_armor(const struct sshbuf *blob, struct sshbuf **out)
49 {
50 	struct sshbuf *buf = NULL;
51 	int r = SSH_ERR_INTERNAL_ERROR;
52 
53 	*out = NULL;
54 
55 	if ((buf = sshbuf_new()) == NULL) {
56 		error("%s: sshbuf_new failed", __func__);
57 		r = SSH_ERR_ALLOC_FAIL;
58 		goto out;
59 	}
60 
61 	if ((r = sshbuf_put(buf, BEGIN_SIGNATURE,
62 	    sizeof(BEGIN_SIGNATURE)-1)) != 0) {
63 		error("%s: sshbuf_putf failed: %s", __func__, ssh_err(r));
64 		goto out;
65 	}
66 
67 	if ((r = sshbuf_dtob64(blob, buf, 1)) != 0) {
68 		error("%s: Couldn't base64 encode signature blob: %s",
69 		    __func__, ssh_err(r));
70 		goto out;
71 	}
72 
73 	if ((r = sshbuf_put(buf, END_SIGNATURE,
74 	    sizeof(END_SIGNATURE)-1)) != 0 ||
75 	    (r = sshbuf_put_u8(buf, '\n')) != 0) {
76 		error("%s: sshbuf_put failed: %s", __func__, ssh_err(r));
77 		goto out;
78 	}
79 	/* success */
80 	*out = buf;
81 	buf = NULL; /* transferred */
82 	r = 0;
83  out:
84 	sshbuf_free(buf);
85 	return r;
86 }
87 
88 int
sshsig_dearmor(struct sshbuf * sig,struct sshbuf ** out)89 sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out)
90 {
91 	int r;
92 	size_t eoffset = 0;
93 	struct sshbuf *buf = NULL;
94 	struct sshbuf *sbuf = NULL;
95 	char *b64 = NULL;
96 
97 	if ((sbuf = sshbuf_fromb(sig)) == NULL) {
98 		error("%s: sshbuf_fromb failed", __func__);
99 		return SSH_ERR_ALLOC_FAIL;
100 	}
101 
102 	if ((r = sshbuf_cmp(sbuf, 0,
103 	    BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
104 		error("Couldn't parse signature: missing header");
105 		goto done;
106 	}
107 
108 	if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) {
109 		error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r));
110 		goto done;
111 	}
112 
113 	if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE,
114 	    sizeof("\n" END_SIGNATURE)-1, &eoffset)) != 0) {
115 		error("Couldn't parse signature: missing footer");
116 		goto done;
117 	}
118 
119 	if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) {
120 		error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r));
121 		goto done;
122 	}
123 
124 	if ((b64 = sshbuf_dup_string(sbuf)) == NULL) {
125 		error("%s: sshbuf_dup_string failed", __func__);
126 		r = SSH_ERR_ALLOC_FAIL;
127 		goto done;
128 	}
129 
130 	if ((buf = sshbuf_new()) == NULL) {
131 		error("%s: sshbuf_new() failed", __func__);
132 		r = SSH_ERR_ALLOC_FAIL;
133 		goto done;
134 	}
135 
136 	if ((r = sshbuf_b64tod(buf, b64)) != 0) {
137 		error("Couldn't decode signature: %s", ssh_err(r));
138 		goto done;
139 	}
140 
141 	/* success */
142 	*out = buf;
143 	r = 0;
144 	buf = NULL; /* transferred */
145 done:
146 	sshbuf_free(buf);
147 	sshbuf_free(sbuf);
148 	free(b64);
149 	return r;
150 }
151 
152 static int
sshsig_wrap_sign(struct sshkey * key,const char * hashalg,const char * sk_provider,const struct sshbuf * h_message,const char * sig_namespace,struct sshbuf ** out,sshsig_signer * signer,void * signer_ctx)153 sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
154     const char *sk_provider, const struct sshbuf *h_message,
155     const char *sig_namespace, struct sshbuf **out,
156     sshsig_signer *signer, void *signer_ctx)
157 {
158 	int r;
159 	size_t slen = 0;
160 	u_char *sig = NULL;
161 	struct sshbuf *blob = NULL;
162 	struct sshbuf *tosign = NULL;
163 	const char *sign_alg = NULL;
164 
165 	if ((tosign = sshbuf_new()) == NULL ||
166 	    (blob = sshbuf_new()) == NULL) {
167 		error("%s: sshbuf_new failed", __func__);
168 		r = SSH_ERR_ALLOC_FAIL;
169 		goto done;
170 	}
171 
172 	if ((r = sshbuf_put(tosign, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
173 	    (r = sshbuf_put_cstring(tosign, sig_namespace)) != 0 ||
174 	    (r = sshbuf_put_string(tosign, NULL, 0)) != 0 || /* reserved */
175 	    (r = sshbuf_put_cstring(tosign, hashalg)) != 0 ||
176 	    (r = sshbuf_put_stringb(tosign, h_message)) != 0) {
177 		error("Couldn't construct message to sign: %s", ssh_err(r));
178 		goto done;
179 	}
180 
181 	/* If using RSA keys then default to a good signature algorithm */
182 	if (sshkey_type_plain(key->type) == KEY_RSA)
183 		sign_alg = RSA_SIGN_ALG;
184 
185 	if (signer != NULL) {
186 		if ((r = signer(key, &sig, &slen,
187 		    sshbuf_ptr(tosign), sshbuf_len(tosign),
188 		    sign_alg, sk_provider, 0, signer_ctx)) != 0) {
189 			error("Couldn't sign message: %s", ssh_err(r));
190 			goto done;
191 		}
192 	} else {
193 		if ((r = sshkey_sign(key, &sig, &slen,
194 		    sshbuf_ptr(tosign), sshbuf_len(tosign),
195 		    sign_alg, sk_provider, 0)) != 0) {
196 			error("Couldn't sign message: %s", ssh_err(r));
197 			goto done;
198 		}
199 	}
200 
201 	if ((r = sshbuf_put(blob, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
202 	    (r = sshbuf_put_u32(blob, SIG_VERSION)) != 0 ||
203 	    (r = sshkey_puts(key, blob)) != 0 ||
204 	    (r = sshbuf_put_cstring(blob, sig_namespace)) != 0 ||
205 	    (r = sshbuf_put_string(blob, NULL, 0)) != 0 || /* reserved */
206 	    (r = sshbuf_put_cstring(blob, hashalg)) != 0 ||
207 	    (r = sshbuf_put_string(blob, sig, slen)) != 0) {
208 		error("Couldn't populate blob: %s", ssh_err(r));
209 		goto done;
210 	}
211 
212 	if (out != NULL) {
213 		*out = blob;
214 		blob = NULL;
215 	}
216 	r = 0;
217 done:
218 	free(sig);
219 	sshbuf_free(blob);
220 	sshbuf_free(tosign);
221 	return r;
222 }
223 
224 /* Check preamble and version. */
225 static int
sshsig_parse_preamble(struct sshbuf * buf)226 sshsig_parse_preamble(struct sshbuf *buf)
227 {
228 	int r = SSH_ERR_INTERNAL_ERROR;
229 	uint32_t sversion;
230 
231 	if ((r = sshbuf_cmp(buf, 0, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 ||
232 	    (r = sshbuf_consume(buf, (sizeof(MAGIC_PREAMBLE)-1))) != 0 ||
233 	    (r = sshbuf_get_u32(buf, &sversion)) != 0) {
234 		error("Couldn't verify signature: invalid format");
235 		return r;
236 	}
237 
238 	if (sversion > SIG_VERSION) {
239 		error("Signature version %lu is larger than supported "
240 		    "version %u", (unsigned long)sversion, SIG_VERSION);
241 		return SSH_ERR_INVALID_FORMAT;
242 	}
243 	return 0;
244 }
245 
246 static int
sshsig_check_hashalg(const char * hashalg)247 sshsig_check_hashalg(const char *hashalg)
248 {
249 	if (hashalg == NULL ||
250 	    match_pattern_list(hashalg, HASHALG_ALLOWED, 0) == 1)
251 		return 0;
252 	error("%s: unsupported hash algorithm \"%.100s\"", __func__, hashalg);
253 	return SSH_ERR_SIGN_ALG_UNSUPPORTED;
254 }
255 
256 static int
sshsig_peek_hashalg(struct sshbuf * signature,char ** hashalgp)257 sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp)
258 {
259 	struct sshbuf *buf = NULL;
260 	char *hashalg = NULL;
261 	int r = SSH_ERR_INTERNAL_ERROR;
262 
263 	if (hashalgp != NULL)
264 		*hashalgp = NULL;
265 	if ((buf = sshbuf_fromb(signature)) == NULL)
266 		return SSH_ERR_ALLOC_FAIL;
267 	if ((r = sshsig_parse_preamble(buf)) != 0)
268 		goto done;
269 	if ((r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 ||
270 	    (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 ||
271 	    (r = sshbuf_get_string(buf, NULL, NULL)) != 0 ||
272 	    (r = sshbuf_get_cstring(buf, &hashalg, NULL)) != 0 ||
273 	    (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0) {
274 		error("Couldn't parse signature blob: %s", ssh_err(r));
275 		goto done;
276 	}
277 
278 	/* success */
279 	r = 0;
280 	*hashalgp = hashalg;
281 	hashalg = NULL;
282  done:
283 	free(hashalg);
284 	sshbuf_free(buf);
285 	return r;
286 }
287 
288 static int
sshsig_wrap_verify(struct sshbuf * signature,const char * hashalg,const struct sshbuf * h_message,const char * expect_namespace,struct sshkey ** sign_keyp,struct sshkey_sig_details ** sig_details)289 sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg,
290     const struct sshbuf *h_message, const char *expect_namespace,
291     struct sshkey **sign_keyp, struct sshkey_sig_details **sig_details)
292 {
293 	int r = SSH_ERR_INTERNAL_ERROR;
294 	struct sshbuf *buf = NULL, *toverify = NULL;
295 	struct sshkey *key = NULL;
296 	const u_char *sig;
297 	char *got_namespace = NULL, *sigtype = NULL, *sig_hashalg = NULL;
298 	size_t siglen;
299 
300 	debug("%s: verify message length %zu", __func__, sshbuf_len(h_message));
301 	if (sig_details != NULL)
302 		*sig_details = NULL;
303 	if (sign_keyp != NULL)
304 		*sign_keyp = NULL;
305 
306 	if ((toverify = sshbuf_new()) == NULL) {
307 		error("%s: sshbuf_new failed", __func__);
308 		r = SSH_ERR_ALLOC_FAIL;
309 		goto done;
310 	}
311 	if ((r = sshbuf_put(toverify, MAGIC_PREAMBLE,
312 	    MAGIC_PREAMBLE_LEN)) != 0 ||
313 	    (r = sshbuf_put_cstring(toverify, expect_namespace)) != 0 ||
314 	    (r = sshbuf_put_string(toverify, NULL, 0)) != 0 || /* reserved */
315 	    (r = sshbuf_put_cstring(toverify, hashalg)) != 0 ||
316 	    (r = sshbuf_put_stringb(toverify, h_message)) != 0) {
317 		error("Couldn't construct message to verify: %s", ssh_err(r));
318 		goto done;
319 	}
320 
321 	if ((r = sshsig_parse_preamble(signature)) != 0)
322 		goto done;
323 
324 	if ((r = sshkey_froms(signature, &key)) != 0 ||
325 	    (r = sshbuf_get_cstring(signature, &got_namespace, NULL)) != 0 ||
326 	    (r = sshbuf_get_string(signature, NULL, NULL)) != 0 ||
327 	    (r = sshbuf_get_cstring(signature, &sig_hashalg, NULL)) != 0 ||
328 	    (r = sshbuf_get_string_direct(signature, &sig, &siglen)) != 0) {
329 		error("Couldn't parse signature blob: %s", ssh_err(r));
330 		goto done;
331 	}
332 
333 	if (sshbuf_len(signature) != 0) {
334 		error("Signature contains trailing data");
335 		r = SSH_ERR_INVALID_FORMAT;
336 		goto done;
337 	}
338 
339 	if (strcmp(expect_namespace, got_namespace) != 0) {
340 		error("Couldn't verify signature: namespace does not match");
341 		debug("%s: expected namespace \"%s\" received \"%s\"",
342 		    __func__, expect_namespace, got_namespace);
343 		r = SSH_ERR_SIGNATURE_INVALID;
344 		goto done;
345 	}
346 	if (strcmp(hashalg, sig_hashalg) != 0) {
347 		error("Couldn't verify signature: hash algorithm mismatch");
348 		debug("%s: expected algorithm \"%s\" received \"%s\"",
349 		    __func__, hashalg, sig_hashalg);
350 		r = SSH_ERR_SIGNATURE_INVALID;
351 		goto done;
352 	}
353 	/* Ensure that RSA keys use an acceptable signature algorithm */
354 	if (sshkey_type_plain(key->type) == KEY_RSA) {
355 		if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) {
356 			error("Couldn't verify signature: unable to get "
357 			    "signature type: %s", ssh_err(r));
358 			goto done;
359 		}
360 		if (match_pattern_list(sigtype, RSA_SIGN_ALLOWED, 0) != 1) {
361 			error("Couldn't verify signature: unsupported RSA "
362 			    "signature algorithm %s", sigtype);
363 			r = SSH_ERR_SIGN_ALG_UNSUPPORTED;
364 			goto done;
365 		}
366 	}
367 	if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify),
368 	    sshbuf_len(toverify), NULL, 0, sig_details)) != 0) {
369 		error("Signature verification failed: %s", ssh_err(r));
370 		goto done;
371 	}
372 
373 	/* success */
374 	r = 0;
375 	if (sign_keyp != NULL) {
376 		*sign_keyp = key;
377 		key = NULL; /* transferred */
378 	}
379 done:
380 	free(got_namespace);
381 	free(sigtype);
382 	free(sig_hashalg);
383 	sshbuf_free(buf);
384 	sshbuf_free(toverify);
385 	sshkey_free(key);
386 	return r;
387 }
388 
389 static int
hash_buffer(const struct sshbuf * m,const char * hashalg,struct sshbuf ** bp)390 hash_buffer(const struct sshbuf *m, const char *hashalg, struct sshbuf **bp)
391 {
392 	char *hex, hash[SSH_DIGEST_MAX_LENGTH];
393 	int alg, r = SSH_ERR_INTERNAL_ERROR;
394 	struct sshbuf *b = NULL;
395 
396 	*bp = NULL;
397 	memset(hash, 0, sizeof(hash));
398 
399 	if ((r = sshsig_check_hashalg(hashalg)) != 0)
400 		return r;
401 	if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) {
402 		error("%s: can't look up hash algorithm %s",
403 		    __func__, hashalg);
404 		return SSH_ERR_INTERNAL_ERROR;
405 	}
406 	if ((r = ssh_digest_buffer(alg, m, hash, sizeof(hash))) != 0) {
407 		error("%s: ssh_digest_buffer failed: %s", __func__, ssh_err(r));
408 		return r;
409 	}
410 	if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) {
411 		debug3("%s: final hash: %s", __func__, hex);
412 		freezero(hex, strlen(hex));
413 	}
414 	if ((b = sshbuf_new()) == NULL) {
415 		r = SSH_ERR_ALLOC_FAIL;
416 		goto out;
417 	}
418 	if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) {
419 		error("%s: sshbuf_put: %s", __func__, ssh_err(r));
420 		goto out;
421 	}
422 	*bp = b;
423 	b = NULL; /* transferred */
424 	/* success */
425 	r = 0;
426  out:
427 	sshbuf_free(b);
428 	explicit_bzero(hash, sizeof(hash));
429 	return r;
430 }
431 
432 int
sshsig_signb(struct sshkey * key,const char * hashalg,const char * sk_provider,const struct sshbuf * message,const char * sig_namespace,struct sshbuf ** out,sshsig_signer * signer,void * signer_ctx)433 sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
434     const struct sshbuf *message, const char *sig_namespace,
435     struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
436 {
437 	struct sshbuf *b = NULL;
438 	int r = SSH_ERR_INTERNAL_ERROR;
439 
440 	if (hashalg == NULL)
441 		hashalg = HASHALG_DEFAULT;
442 	if (out != NULL)
443 		*out = NULL;
444 	if ((r = hash_buffer(message, hashalg, &b)) != 0) {
445 		error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
446 		goto out;
447 	}
448 	if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
449 	    sig_namespace, out, signer, signer_ctx)) != 0)
450 		goto out;
451 	/* success */
452 	r = 0;
453  out:
454 	sshbuf_free(b);
455 	return r;
456 }
457 
458 int
sshsig_verifyb(struct sshbuf * signature,const struct sshbuf * message,const char * expect_namespace,struct sshkey ** sign_keyp,struct sshkey_sig_details ** sig_details)459 sshsig_verifyb(struct sshbuf *signature, const struct sshbuf *message,
460     const char *expect_namespace, struct sshkey **sign_keyp,
461     struct sshkey_sig_details **sig_details)
462 {
463 	struct sshbuf *b = NULL;
464 	int r = SSH_ERR_INTERNAL_ERROR;
465 	char *hashalg = NULL;
466 
467 	if (sig_details != NULL)
468 		*sig_details = NULL;
469 	if (sign_keyp != NULL)
470 		*sign_keyp = NULL;
471 	if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0)
472 		return r;
473 	debug("%s: signature made with hash \"%s\"", __func__, hashalg);
474 	if ((r = hash_buffer(message, hashalg, &b)) != 0) {
475 		error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
476 		goto out;
477 	}
478 	if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace,
479 	    sign_keyp, sig_details)) != 0)
480 		goto out;
481 	/* success */
482 	r = 0;
483  out:
484 	sshbuf_free(b);
485 	free(hashalg);
486 	return r;
487 }
488 
489 static int
hash_file(int fd,const char * hashalg,struct sshbuf ** bp)490 hash_file(int fd, const char *hashalg, struct sshbuf **bp)
491 {
492 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
493 	ssize_t n, total = 0;
494 	struct ssh_digest_ctx *ctx;
495 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
496 	struct sshbuf *b = NULL;
497 
498 	*bp = NULL;
499 	memset(hash, 0, sizeof(hash));
500 
501 	if ((r = sshsig_check_hashalg(hashalg)) != 0)
502 		return r;
503 	if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) {
504 		error("%s: can't look up hash algorithm %s",
505 		    __func__, hashalg);
506 		return SSH_ERR_INTERNAL_ERROR;
507 	}
508 	if ((ctx = ssh_digest_start(alg)) == NULL) {
509 		error("%s: ssh_digest_start failed", __func__);
510 		return SSH_ERR_INTERNAL_ERROR;
511 	}
512 	for (;;) {
513 		if ((n = read(fd, rbuf, sizeof(rbuf))) == -1) {
514 			if (errno == EINTR || errno == EAGAIN)
515 				continue;
516 			oerrno = errno;
517 			error("%s: read: %s", __func__, strerror(errno));
518 			ssh_digest_free(ctx);
519 			errno = oerrno;
520 			r = SSH_ERR_SYSTEM_ERROR;
521 			goto out;
522 		} else if (n == 0) {
523 			debug2("%s: hashed %zu bytes", __func__, total);
524 			break; /* EOF */
525 		}
526 		total += (size_t)n;
527 		if ((r = ssh_digest_update(ctx, rbuf, (size_t)n)) != 0) {
528 			error("%s: ssh_digest_update: %s",
529 			    __func__, ssh_err(r));
530 			goto out;
531 		}
532 	}
533 	if ((r = ssh_digest_final(ctx, hash, sizeof(hash))) != 0) {
534 		error("%s: ssh_digest_final: %s", __func__, ssh_err(r));
535 		goto out;
536 	}
537 	if ((hex = tohex(hash, ssh_digest_bytes(alg))) != NULL) {
538 		debug3("%s: final hash: %s", __func__, hex);
539 		freezero(hex, strlen(hex));
540 	}
541 	if ((b = sshbuf_new()) == NULL) {
542 		r = SSH_ERR_ALLOC_FAIL;
543 		goto out;
544 	}
545 	if ((r = sshbuf_put(b, hash, ssh_digest_bytes(alg))) != 0) {
546 		error("%s: sshbuf_put: %s", __func__, ssh_err(r));
547 		goto out;
548 	}
549 	*bp = b;
550 	b = NULL; /* transferred */
551 	/* success */
552 	r = 0;
553  out:
554 	sshbuf_free(b);
555 	ssh_digest_free(ctx);
556 	explicit_bzero(hash, sizeof(hash));
557 	return r;
558 }
559 
560 int
sshsig_sign_fd(struct sshkey * key,const char * hashalg,const char * sk_provider,int fd,const char * sig_namespace,struct sshbuf ** out,sshsig_signer * signer,void * signer_ctx)561 sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
562     int fd, const char *sig_namespace, struct sshbuf **out,
563     sshsig_signer *signer, void *signer_ctx)
564 {
565 	struct sshbuf *b = NULL;
566 	int r = SSH_ERR_INTERNAL_ERROR;
567 
568 	if (hashalg == NULL)
569 		hashalg = HASHALG_DEFAULT;
570 	if (out != NULL)
571 		*out = NULL;
572 	if ((r = hash_file(fd, hashalg, &b)) != 0) {
573 		error("%s: hash_file failed: %s", __func__, ssh_err(r));
574 		return r;
575 	}
576 	if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
577 	    sig_namespace, out, signer, signer_ctx)) != 0)
578 		goto out;
579 	/* success */
580 	r = 0;
581  out:
582 	sshbuf_free(b);
583 	return r;
584 }
585 
586 int
sshsig_verify_fd(struct sshbuf * signature,int fd,const char * expect_namespace,struct sshkey ** sign_keyp,struct sshkey_sig_details ** sig_details)587 sshsig_verify_fd(struct sshbuf *signature, int fd,
588     const char *expect_namespace, struct sshkey **sign_keyp,
589     struct sshkey_sig_details **sig_details)
590 {
591 	struct sshbuf *b = NULL;
592 	int r = SSH_ERR_INTERNAL_ERROR;
593 	char *hashalg = NULL;
594 
595 	if (sig_details != NULL)
596 		*sig_details = NULL;
597 	if (sign_keyp != NULL)
598 		*sign_keyp = NULL;
599 	if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0)
600 		return r;
601 	debug("%s: signature made with hash \"%s\"", __func__, hashalg);
602 	if ((r = hash_file(fd, hashalg, &b)) != 0) {
603 		error("%s: hash_file failed: %s", __func__, ssh_err(r));
604 		goto out;
605 	}
606 	if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace,
607 	    sign_keyp, sig_details)) != 0)
608 		goto out;
609 	/* success */
610 	r = 0;
611  out:
612 	sshbuf_free(b);
613 	free(hashalg);
614 	return r;
615 }
616 
617 struct sshsigopt {
618 	int ca;
619 	char *namespaces;
620 };
621 
622 struct sshsigopt *
sshsigopt_parse(const char * opts,const char * path,u_long linenum,const char ** errstrp)623 sshsigopt_parse(const char *opts, const char *path, u_long linenum,
624     const char **errstrp)
625 {
626 	struct sshsigopt *ret;
627 	int r;
628 	const char *errstr = NULL;
629 
630 	if ((ret = calloc(1, sizeof(*ret))) == NULL)
631 		return NULL;
632 	if (opts == NULL || *opts == '\0')
633 		return ret; /* Empty options yields empty options :) */
634 
635 	while (*opts && *opts != ' ' && *opts != '\t') {
636 		/* flag options */
637 		if ((r = opt_flag("cert-authority", 0, &opts)) != -1) {
638 			ret->ca = 1;
639 		} else if (opt_match(&opts, "namespaces")) {
640 			if (ret->namespaces != NULL) {
641 				errstr = "multiple \"namespaces\" clauses";
642 				goto fail;
643 			}
644 			ret->namespaces = opt_dequote(&opts, &errstr);
645 			if (ret->namespaces == NULL)
646 				goto fail;
647 		}
648 		/*
649 		 * Skip the comma, and move to the next option
650 		 * (or break out if there are no more).
651 		 */
652 		if (*opts == '\0' || *opts == ' ' || *opts == '\t')
653 			break;		/* End of options. */
654 		/* Anything other than a comma is an unknown option */
655 		if (*opts != ',') {
656 			errstr = "unknown key option";
657 			goto fail;
658 		}
659 		opts++;
660 		if (*opts == '\0') {
661 			errstr = "unexpected end-of-options";
662 			goto fail;
663 		}
664 	}
665 	/* success */
666 	return ret;
667  fail:
668 	if (errstrp != NULL)
669 		*errstrp = errstr;
670 	sshsigopt_free(ret);
671 	return NULL;
672 }
673 
674 void
sshsigopt_free(struct sshsigopt * opts)675 sshsigopt_free(struct sshsigopt *opts)
676 {
677 	if (opts == NULL)
678 		return;
679 	free(opts->namespaces);
680 	free(opts);
681 }
682 
683 static int
parse_principals_key_and_options(const char * path,u_long linenum,char * line,const char * required_principal,char ** principalsp,struct sshkey ** keyp,struct sshsigopt ** sigoptsp)684 parse_principals_key_and_options(const char *path, u_long linenum, char *line,
685     const char *required_principal, char **principalsp, struct sshkey **keyp,
686     struct sshsigopt **sigoptsp)
687 {
688 	char *opts = NULL, *tmp, *cp, *principals = NULL;
689 	const char *reason = NULL;
690 	struct sshsigopt *sigopts = NULL;
691 	struct sshkey *key = NULL;
692 	int r = SSH_ERR_INTERNAL_ERROR;
693 
694 	if (principalsp != NULL)
695 		*principalsp = NULL;
696 	if (sigoptsp != NULL)
697 		*sigoptsp = NULL;
698 	if (keyp != NULL)
699 		*keyp = NULL;
700 
701 	cp = line;
702 	cp = cp + strspn(cp, " \t"); /* skip leading whitespace */
703 	if (*cp == '#' || *cp == '\0')
704 		return SSH_ERR_KEY_NOT_FOUND; /* blank or all-comment line */
705 
706 	/* format: identity[,identity...] [option[,option...]] key */
707 	if ((tmp = strdelimw(&cp)) == NULL) {
708 		error("%s:%lu: invalid line", path, linenum);
709 		r = SSH_ERR_INVALID_FORMAT;
710 		goto out;
711 	}
712 	if ((principals = strdup(tmp)) == NULL) {
713 		error("%s: strdup failed", __func__);
714 		r = SSH_ERR_ALLOC_FAIL;
715 		goto out;
716 	}
717 	/*
718 	 * Bail out early if we're looking for a particular principal and this
719 	 * line does not list it.
720 	 */
721 	if (required_principal != NULL) {
722 		if (match_pattern_list(required_principal,
723 		    principals, 0) != 1) {
724 			/* principal didn't match */
725 			r = SSH_ERR_KEY_NOT_FOUND;
726 			goto out;
727 		}
728 		debug("%s: %s:%lu: matched principal \"%s\"",
729 		    __func__, path, linenum, required_principal);
730 	}
731 
732 	if ((key = sshkey_new(KEY_UNSPEC)) == NULL) {
733 		error("%s: sshkey_new failed", __func__);
734 		r = SSH_ERR_ALLOC_FAIL;
735 		goto out;
736 	}
737 	if (sshkey_read(key, &cp) != 0) {
738 		/* no key? Check for options */
739 		opts = cp;
740 		if (sshkey_advance_past_options(&cp) != 0) {
741 			error("%s:%lu: invalid options", path, linenum);
742 			r = SSH_ERR_INVALID_FORMAT;
743 			goto out;
744 		}
745 		*cp++ = '\0';
746 		skip_space(&cp);
747 		if (sshkey_read(key, &cp) != 0) {
748 			error("%s:%lu: invalid key", path, linenum);
749 			r = SSH_ERR_INVALID_FORMAT;
750 			goto out;
751 		}
752 	}
753 	debug3("%s:%lu: options %s", path, linenum, opts == NULL ? "" : opts);
754 	if ((sigopts = sshsigopt_parse(opts, path, linenum, &reason)) == NULL) {
755 		error("%s:%lu: bad options: %s", path, linenum, reason);
756 		r = SSH_ERR_INVALID_FORMAT;
757 		goto out;
758 	}
759 	/* success */
760 	if (principalsp != NULL) {
761 		*principalsp = principals;
762 		principals = NULL; /* transferred */
763 	}
764 	if (sigoptsp != NULL) {
765 		*sigoptsp = sigopts;
766 		sigopts = NULL; /* transferred */
767 	}
768 	if (keyp != NULL) {
769 		*keyp = key;
770 		key = NULL; /* transferred */
771 	}
772 	r = 0;
773  out:
774 	free(principals);
775 	sshsigopt_free(sigopts);
776 	sshkey_free(key);
777 	return r;
778 }
779 
780 static int
check_allowed_keys_line(const char * path,u_long linenum,char * line,const struct sshkey * sign_key,const char * principal,const char * sig_namespace)781 check_allowed_keys_line(const char *path, u_long linenum, char *line,
782     const struct sshkey *sign_key, const char *principal,
783     const char *sig_namespace)
784 {
785 	struct sshkey *found_key = NULL;
786 	int r, found = 0;
787 	const char *reason = NULL;
788 	struct sshsigopt *sigopts = NULL;
789 
790 	/* Parse the line */
791 	if ((r = parse_principals_key_and_options(path, linenum, line,
792 	    principal, NULL, &found_key, &sigopts)) != 0) {
793 		/* error already logged */
794 		goto done;
795 	}
796 
797 	/* Check whether options preclude the use of this key */
798 	if (sigopts->namespaces != NULL &&
799 	    match_pattern_list(sig_namespace, sigopts->namespaces, 0) != 1) {
800 		error("%s:%lu: key is not permitted for use in signature "
801 		    "namespace \"%s\"", path, linenum, sig_namespace);
802 		goto done;
803 	}
804 
805 	if (!sigopts->ca && sshkey_equal(found_key, sign_key)) {
806 		/* Exact match of key */
807 		debug("%s:%lu: matched key and principal", path, linenum);
808 		/* success */
809 		found = 1;
810 	} else if (sigopts->ca && sshkey_is_cert(sign_key) &&
811 	    sshkey_equal_public(sign_key->cert->signature_key, found_key)) {
812 		/* Match of certificate's CA key */
813 		if ((r = sshkey_cert_check_authority(sign_key, 0, 1,
814 		    principal, &reason)) != 0) {
815 			error("%s:%lu: certificate not authorized: %s",
816 			    path, linenum, reason);
817 			goto done;
818 		}
819 		debug("%s:%lu: matched certificate CA key", path, linenum);
820 		/* success */
821 		found = 1;
822 	} else {
823 		/* Principal matched but key didn't */
824 		goto done;
825 	}
826  done:
827 	sshkey_free(found_key);
828 	sshsigopt_free(sigopts);
829 	return found ? 0 : SSH_ERR_KEY_NOT_FOUND;
830 }
831 
832 int
sshsig_check_allowed_keys(const char * path,const struct sshkey * sign_key,const char * principal,const char * sig_namespace)833 sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key,
834     const char *principal, const char *sig_namespace)
835 {
836 	FILE *f = NULL;
837 	char *line = NULL;
838 	size_t linesize = 0;
839 	u_long linenum = 0;
840 	int r = SSH_ERR_INTERNAL_ERROR, oerrno;
841 
842 	/* Check key and principal against file */
843 	if ((f = fopen(path, "r")) == NULL) {
844 		oerrno = errno;
845 		error("Unable to open allowed keys file \"%s\": %s",
846 		    path, strerror(errno));
847 		errno = oerrno;
848 		return SSH_ERR_SYSTEM_ERROR;
849 	}
850 
851 	while (getline(&line, &linesize, f) != -1) {
852 		linenum++;
853 		r = check_allowed_keys_line(path, linenum, line, sign_key,
854 		    principal, sig_namespace);
855 		free(line);
856 		line = NULL;
857 		if (r == SSH_ERR_KEY_NOT_FOUND)
858 			continue;
859 		else if (r == 0) {
860 			/* success */
861 			fclose(f);
862 			return 0;
863 		} else
864 			break;
865 	}
866 	/* Either we hit an error parsing or we simply didn't find the key */
867 	fclose(f);
868 	free(line);
869 	return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
870 }
871 
872 static int
cert_filter_principals(const char * path,u_long linenum,char ** principalsp,const struct sshkey * cert)873 cert_filter_principals(const char *path, u_long linenum,
874     char **principalsp, const struct sshkey *cert)
875 {
876 	char *cp, *oprincipals, *principals;
877 	const char *reason;
878 	struct sshbuf *nprincipals;
879 	int r = SSH_ERR_INTERNAL_ERROR, success = 0;
880 
881 	oprincipals = principals = *principalsp;
882 	*principalsp = NULL;
883 
884 	if ((nprincipals = sshbuf_new()) == NULL) {
885 		r = SSH_ERR_ALLOC_FAIL;
886 		goto out;
887 	}
888 
889 	while ((cp = strsep(&principals, ",")) != NULL && *cp != '\0') {
890 		if (strcspn(cp, "!?*") != strlen(cp)) {
891 			debug("%s:%lu: principal \"%s\" not authorized: "
892 			    "contains wildcards", path, linenum, cp);
893 			continue;
894 		}
895 		/* Check against principals list in certificate */
896 		if ((r = sshkey_cert_check_authority(cert, 0, 1,
897 		    cp, &reason)) != 0) {
898 			debug("%s:%lu: principal \"%s\" not authorized: %s",
899 			    path, linenum, cp, reason);
900 			continue;
901 		}
902 		if ((r = sshbuf_putf(nprincipals, "%s%s",
903 		    sshbuf_len(nprincipals) != 0 ? "," : "", cp)) != 0) {
904 			error("%s: buffer error", __func__);
905 			goto out;
906 		}
907 	}
908 	if (sshbuf_len(nprincipals) == 0) {
909 		error("%s:%lu: no valid principals found", path, linenum);
910 		r = SSH_ERR_KEY_CERT_INVALID;
911 		goto out;
912 	}
913 	if ((principals = sshbuf_dup_string(nprincipals)) == NULL) {
914 		error("%s: buffer error", __func__);
915 		goto out;
916 	}
917 	/* success */
918 	success = 1;
919 	*principalsp = principals;
920  out:
921 	sshbuf_free(nprincipals);
922 	free(oprincipals);
923 	return success ? 0 : r;
924 }
925 
926 static int
get_matching_principals_from_line(const char * path,u_long linenum,char * line,const struct sshkey * sign_key,char ** principalsp)927 get_matching_principals_from_line(const char *path, u_long linenum, char *line,
928     const struct sshkey *sign_key, char **principalsp)
929 {
930 	struct sshkey *found_key = NULL;
931 	char *principals = NULL;
932 	int r, found = 0;
933 	struct sshsigopt *sigopts = NULL;
934 
935 	if (principalsp != NULL)
936 		*principalsp = NULL;
937 
938 	/* Parse the line */
939 	if ((r = parse_principals_key_and_options(path, linenum, line,
940 	    NULL, &principals, &found_key, &sigopts)) != 0) {
941 		/* error already logged */
942 		goto done;
943 	}
944 
945 	if (!sigopts->ca && sshkey_equal(found_key, sign_key)) {
946 		/* Exact match of key */
947 		debug("%s:%lu: matched key", path, linenum);
948 		/* success */
949 		found = 1;
950 	} else if (sigopts->ca && sshkey_is_cert(sign_key) &&
951 	    sshkey_equal_public(sign_key->cert->signature_key, found_key)) {
952 		/* Remove principals listed in file but not allowed by cert */
953 		if ((r = cert_filter_principals(path, linenum,
954 		    &principals, sign_key)) != 0) {
955 			/* error already displayed */
956 			debug("%s:%lu: cert_filter_principals: %s",
957 			    path, linenum, ssh_err(r));
958 			goto done;
959 		}
960 		debug("%s:%lu: matched certificate CA key", path, linenum);
961 		/* success */
962 		found = 1;
963 	} else {
964 		/* Key didn't match */
965 		goto done;
966 	}
967  done:
968 	if (found && principalsp != NULL) {
969 		*principalsp = principals;
970 		principals = NULL; /* transferred */
971 	}
972 	free(principals);
973 	sshkey_free(found_key);
974 	sshsigopt_free(sigopts);
975 	return found ? 0 : SSH_ERR_KEY_NOT_FOUND;
976 }
977 
978 int
sshsig_find_principals(const char * path,const struct sshkey * sign_key,char ** principals)979 sshsig_find_principals(const char *path, const struct sshkey *sign_key,
980     char **principals)
981 {
982 	FILE *f = NULL;
983 	char *line = NULL;
984 	size_t linesize = 0;
985 	u_long linenum = 0;
986 	int r = SSH_ERR_INTERNAL_ERROR, oerrno;
987 
988 	if ((f = fopen(path, "r")) == NULL) {
989 		oerrno = errno;
990 		error("Unable to open allowed keys file \"%s\": %s",
991 		    path, strerror(errno));
992 		errno = oerrno;
993 		return SSH_ERR_SYSTEM_ERROR;
994 	}
995 
996 	while (getline(&line, &linesize, f) != -1) {
997 		linenum++;
998 		r = get_matching_principals_from_line(path, linenum, line,
999 		    sign_key, principals);
1000 		free(line);
1001 		line = NULL;
1002 		if (r == SSH_ERR_KEY_NOT_FOUND)
1003 			continue;
1004 		else if (r == 0) {
1005 			/* success */
1006 			fclose(f);
1007 			return 0;
1008 		} else
1009 			break;
1010 	}
1011 	free(line);
1012 	/* Either we hit an error parsing or we simply didn't find the key */
1013 	if (ferror(f) != 0) {
1014 		oerrno = errno;
1015 		fclose(f);
1016 		error("Unable to read allowed keys file \"%s\": %s",
1017 		    path, strerror(errno));
1018 		errno = oerrno;
1019 		return SSH_ERR_SYSTEM_ERROR;
1020 	}
1021 	fclose(f);
1022 	return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r;
1023 }
1024 
1025 int
sshsig_get_pubkey(struct sshbuf * signature,struct sshkey ** pubkey)1026 sshsig_get_pubkey(struct sshbuf *signature, struct sshkey **pubkey)
1027 {
1028 	struct sshkey *pk = NULL;
1029 	int r = SSH_ERR_SIGNATURE_INVALID;
1030 
1031 	if (pubkey == NULL)
1032 		return SSH_ERR_INTERNAL_ERROR;
1033 	if ((r = sshsig_parse_preamble(signature)) != 0)
1034 		return r;
1035 	if ((r = sshkey_froms(signature, &pk)) != 0)
1036 		return r;
1037 
1038 	*pubkey = pk;
1039 	pk = NULL;
1040 	return 0;
1041 }
1042