diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2019-09-03 08:34:21 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2019-09-03 08:34:21 +0000 |
commit | 97f8e6291dca3ee5899445ba55bf5fb6b4617f6c (patch) | |
tree | 084a6bbc494217cd4af793eeb1f9f0b5af74e19b /usr.bin | |
parent | ab601ed97f700a817231f6ed235a270fc8aea07c (diff) |
sshsig: lightweight signature and verification ability for OpenSSH
This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify
Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.
Mostly by Sebastian Kinne w/ some tweaks by me
ok markus@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/PROTOCOL.sshsig | 99 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 123 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 325 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen/Makefile | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshsig.c | 787 | ||||
-rw-r--r-- | usr.bin/ssh/sshsig.h | 78 |
6 files changed, 1408 insertions, 8 deletions
diff --git a/usr.bin/ssh/PROTOCOL.sshsig b/usr.bin/ssh/PROTOCOL.sshsig new file mode 100644 index 00000000000..806c35da662 --- /dev/null +++ b/usr.bin/ssh/PROTOCOL.sshsig @@ -0,0 +1,99 @@ +This document describes a lightweight SSH Signature format +that is compatible with SSH keys and wire formats. + +At present, only detached and armored signatures are supported. + +1. Armored format + +The Armored SSH signatures consist of a header, a base64 +encoded blob, and a footer. + +The header is the string “-----BEGIN SSH SIGNATURE-----” +followed by a newline. The footer is the string +“-----END SSH SIGNATURE-----” immediately after a newline. + +The header MUST be present at the start of every signature. +Files containing the signature MUST start with the header. +Likewise, the footer MUST be present at the end of every +signature. + +The base64 encoded blob SHOULD be broken up by newlines +every 76 characters. + +Example: + +-----BEGIN SSH SIGNATURE----- +U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgJKxoLBJBivUPNTUJUSslQTt2hD +jozKvHarKeN8uYFqgAAAADZm9vAAAAAAAAAFMAAAALc3NoLWVkMjU1MTkAAABAKNC4IEbt +Tq0Fb56xhtuE1/lK9H9RZJfON4o6hE9R4ZGFX98gy0+fFJ/1d2/RxnZky0Y7GojwrZkrHT +FgCqVWAQ== +-----END SSH SIGNATURE----- + +2. Blob format + +#define MAGIC_PREAMBLE "SSHSIG" +#define SIG_VERSION 0x01 + + byte[6] MAGIC_PREAMBLE + uint32 SIG_VERSION + string publickey + string namespace + string reserved + string hash_algorithm + string signature + +The publickey field MUST contain the serialisation of the +public key used to make the signature using the usual SSH +encoding rules, i.e RFC4253, RFC5656, +draft-ietf-curdle-ssh-ed25519-ed448, etc. + +Verifiers MUST reject signatures with versions greater than those +they support. + +The purpose of the namespace value is to specify a unambiguous +interpretation domain for the signature, e.g. file signing. +This prevents cross-protocol attacks caused by signatures +intended for one intended domain being accepted in another. +The namespace value MUST NOT be the empty string. + +The reserved value is present to encode future information +(e.g. tags) into the signature. Implementations should ignore +the reserved field if it is not empty. + +Data to be signed is first hashed with the specified hash_algorithm. +This is done to limit the amount of data presented to the signature +operation, which may be of concern if the signing key is held in limited +or slow hardware or on a remote ssh-agent. The supported hash algorithms +are "sha256" and "sha512". + +The signature itself is made using the SSH signature algorithm and +encoding rules for the chosen key type. For RSA signatures, the +signature algorithm must be "rsa-sha2-512" or "rsa-sha2-256" (i.e. +not the legacy RSA-SHA1 "ssh-rsa"). + +This blob is encoded as a string using the RFC4243 encoding +rules and base64 encoded to form the middle part of the +armored signature. + + +3. Signed Data, of which the signature goes into the blob above + +#define MAGIC_PREAMBLE "SSHSIG" + + byte[6] MAGIC_PREAMBLE + string namespace + string reserved + string hash_algorithm + string H(message) + +The preamble is the six-byte sequence "SSHSIG". It is included to +ensure that manual signatures can never be confused with any message +signed during SSH user or host authentication. + +The reserved value is present to encode future information +(e.g. tags) into the signature. Implementations should ignore +the reserved field if it is not empty. + +The data is concatenated and passed to the SSH signing +function. + diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index b4bc336f2e0..93c76ef8a66 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.162 2019/07/19 03:38:01 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.163 2019/09/03 08:34:19 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 19 2019 $ +.Dd $Mdocdate: September 3 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -141,6 +141,18 @@ .Fl Q .Fl f Ar krl_file .Ar +.Nm ssh-keygen +.Fl Y Cm sign +.Fl f Ar key_file +.Fl n Ar namespace +.Ar +.Nm ssh-keygen +.Fl Y Cm verify +.Fl I Ar signer_identity +.Fl f Ar allowed_keys_file +.Fl n Ar namespace +.Fl s Ar signature_file +.Op Fl r Ar revocation_file .Ek .Sh DESCRIPTION .Nm @@ -649,6 +661,62 @@ Specify desired generator when testing candidate moduli for DH-GEX. .It Fl y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout. +.It Fl Y Ar sign +Cryptographically sign a file or some data using a SSH key. +When signing, +.Nm +accepts zero or more files to sign on the command-line - if no files +are specified then +.Nm +will sign data presented on standard input. +Signatures are written to the path of the input file with +.Dq .sig +appended, or to standard output if the message to be signed was read from +standard input. +.Pp +The key used for signing is specified using the +.Fl f +option and may refer to either a private key, or a public key with the private +half available via +.Xr ssh-agent 1 . +An additional signature namespace, used to prevent signature confusion across +different domains of use (e.g. file signing vs email signing) must be provided +via the +.Fl n +flag. +Namespaces are arbitrary strings, and may include: +.Dq file +for file signing, +.Dq email +for email signing. +For custom uses, it is recommended to use names following a +NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. +.It Fl Y Ar verify +Request to verify a signature generated using +.Nm +.Fl Y sign +as described above. +When verifying a signature, +.Nm +accepts a message on standard input and a signature namespace using +.Fl n . +A file containing the corresponding signature must also be supplied using the +.Fl s +flag, along with the identity of the signer using +.Fl I +and a list of allowed signers via the +.Fl f +flag. +The format of the allowed signers file is documented in the +.Sx ALLOWED SIGNERS +section below. +A file containing revoked keys can be passed using the +.Fl r +flag. The revocation file may be a KRL or a one-per-line list +of public keys. +Successful verification by an authorized signer is signalled by +.Nm +returning a zero exit status. .It Fl z Ar serial_number Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA. @@ -885,6 +953,57 @@ then .Nm will exit with a non-zero exit status. A zero exit status will only be returned if no key was revoked. +.Sh ALLOWED SIGNERS +When verifying signatures, +.Nm +uses a simple list of identities and keys to determine whether a signature +comes from an authorized source. +This "allowed signers" file uses a format patterned after the +AUTHORIZED_KEYS FILE FORMAT described in +.Xr sshd(8) . +Each line of the file contains the following space-separated fields: +principals, options, keytype, base64-encoded key. +Empty lines and lines starting with a +.Ql # +are ignored as comments. +.Pp +The principals field is a pattern-list (See PATTERNS in +.Xr ssh_config 5 ) +consisting of one or more comma-separated USER@DOMAIN identity patterns +that are accepted for signing. +When verifying, the identity presented via the +.Fl I option +must match a principals pattern in order for the corresponding key to be +considered acceptable for verification. +.Pp +The options (if present) consist of comma-separated option specifications. +No spaces are permitted, except within double quotes. +The following option specifications are supported (note that option keywords +are case-insensitive): +.Bl -tag -width Ds +.It Cm cert-authority +Indicates that this key is accepted as a certificate authority (CA) and +that certificates signed by this CA may be accepted for verification. +.It Cm namespaces="namespace-list" +Specifies a pattern-list of namespaces that are accepted for this key. +If this option is present, the the signature namespace embedded in the +signature object and presented on the verification command-line must +match the specified list before the key will be considered acceptable. +.El +.Pp +When verifying signatures made by certificates, the expected principal +name must match both the principals pattern in the allowed signers file and +the principals embedded in the certificate itself. +.Pp +An example allowed signers file: +.Bd -literal -offset 3n +# Comments allowed at start of line +user1@example.com,user2@example.com ssh-rsa AAAAX1... +# A certificate authority, trusted for all principals in a domain. +*@example.com cert-authority ssh-ed25519 AAAB4... +# A key that is accepted only for file signing. +user2@example.com namespaces="file" ssh-ed25519 AAA41... +.Ed .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.ssh/id_dsa diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 431f22a6305..6b5f0ffd926 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.343 2019/09/03 08:27:52 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.344 2019/09/03 08:34:19 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -48,6 +48,7 @@ #include "digest.h" #include "utf8.h" #include "authfd.h" +#include "sshsig.h" #ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" @@ -2403,6 +2404,279 @@ do_check_krl(struct passwd *pw, int argc, char **argv) } #endif +static struct sshkey * +load_sign_key(const char *keypath, const struct sshkey *pubkey) +{ + size_t i, slen, plen = strlen(keypath); + char *privpath = xstrdup(keypath); + const char *suffixes[] = { "-cert.pub", ".pub", NULL }; + struct sshkey *ret = NULL, *privkey = NULL; + int r; + + /* + * If passed a public key filename, then try to locate the correponding + * private key. This lets us specify certificates on the command-line + * and have ssh-keygen find the appropriate private key. + */ + for (i = 0; suffixes[i]; i++) { + slen = strlen(suffixes[i]); + if (plen <= slen || + strcmp(privpath + plen - slen, suffixes[i]) != 0) + continue; + privpath[plen - slen] = '\0'; + debug("%s: %s looks like a public key, using private key " + "path %s instead", __func__, keypath, privpath); + } + if ((privkey = load_identity(privpath, NULL)) == NULL) { + error("Couldn't load identity %s", keypath); + goto done; + } + if (!sshkey_equal_public(pubkey, privkey)) { + error("Public key %s doesn't match private %s", + keypath, privpath); + goto done; + } + if (sshkey_is_cert(pubkey) && !sshkey_is_cert(privkey)) { + /* + * Graft the certificate onto the private key to make + * it capable of signing. + */ + if ((r = sshkey_to_certified(privkey)) != 0) { + error("%s: sshkey_to_certified: %s", __func__, + ssh_err(r)); + goto done; + } + if ((r = sshkey_cert_copy(pubkey, privkey)) != 0) { + error("%s: sshkey_cert_copy: %s", __func__, ssh_err(r)); + goto done; + } + } + /* success */ + ret = privkey; + privkey = NULL; + done: + sshkey_free(privkey); + free(privpath); + return ret; +} + +static int +sign_one(struct sshkey *signkey, const char *filename, int fd, + const char *sig_namespace, sshsig_signer *signer, void *signer_ctx) +{ + struct sshbuf *sigbuf = NULL, *abuf = NULL; + int r = SSH_ERR_INTERNAL_ERROR, wfd = -1, oerrno; + char *wfile = NULL; + char *asig = NULL; + + if (!quiet) { + if (fd == STDIN_FILENO) + fprintf(stderr, "Signing data on standard input\n"); + else + fprintf(stderr, "Signing file %s\n", filename); + } + if ((r = sshsig_sign_fd(signkey, NULL, fd, sig_namespace, + &sigbuf, signer, signer_ctx)) != 0) { + error("Signing %s failed: %s", filename, ssh_err(r)); + goto out; + } + if ((r = sshsig_armor(sigbuf, &abuf)) != 0) { + error("%s: sshsig_armor: %s", __func__, ssh_err(r)); + goto out; + } + if ((asig = sshbuf_dup_string(abuf)) == NULL) { + error("%s: buffer error", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + + if (fd == STDIN_FILENO) { + fputs(asig, stdout); + fflush(stdout); + } else { + xasprintf(&wfile, "%s.sig", filename); + if (confirm_overwrite(wfile)) { + if ((wfd = open(wfile, O_WRONLY|O_CREAT|O_TRUNC, + 0666)) == -1) { + oerrno = errno; + error("Cannot open %s: %s", + wfile, strerror(errno)); + errno = oerrno; + r = SSH_ERR_SYSTEM_ERROR; + goto out; + } + if (atomicio(vwrite, wfd, asig, + strlen(asig)) != strlen(asig)) { + oerrno = errno; + error("Cannot write to %s: %s", + wfile, strerror(errno)); + errno = oerrno; + r = SSH_ERR_SYSTEM_ERROR; + goto out; + } + if (!quiet) { + fprintf(stderr, "Write signature to %s\n", + wfile); + } + } + } + /* success */ + r = 0; + out: + free(wfile); + free(asig); + sshbuf_free(abuf); + sshbuf_free(sigbuf); + if (wfd != -1) + close(wfd); + return r; +} + +static int +sign(const char *keypath, const char *sig_namespace, int argc, char **argv) +{ + int i, fd = -1, r, ret = -1; + int agent_fd = -1; + struct sshkey *pubkey = NULL, *privkey = NULL, *signkey = NULL; + sshsig_signer *signer = NULL; + + /* Check file arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "-") != 0) + continue; + if (i > 0 || argc > 1) + fatal("Cannot sign mix of paths and standard input"); + } + + if ((r = sshkey_load_public(keypath, &pubkey, NULL)) != 0) { + error("Couldn't load public key %s: %s", keypath, ssh_err(r)); + goto done; + } + + if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) + debug("Couldn't get agent socket: %s", ssh_err(r)); + else { + if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0) + signer = agent_signer; + else + debug("Couldn't find key in agent: %s", ssh_err(r)); + } + + if (signer == NULL) { + /* Not using agent - try to load private key */ + if ((privkey = load_sign_key(keypath, pubkey)) == NULL) + goto done; + signkey = privkey; + } else { + /* Will use key in agent */ + signkey = pubkey; + } + + if (argc == 0) { + if ((r = sign_one(signkey, "(stdin)", STDIN_FILENO, + sig_namespace, signer, &agent_fd)) != 0) + goto done; + } else { + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "-") == 0) + fd = STDIN_FILENO; + else if ((fd = open(argv[i], O_RDONLY)) == -1) { + error("Cannot open %s for signing: %s", + argv[i], strerror(errno)); + goto done; + } + if ((r = sign_one(signkey, argv[i], fd, sig_namespace, + signer, &agent_fd)) != 0) + goto done; + if (fd != STDIN_FILENO) + close(fd); + fd = -1; + } + } + + ret = 0; +done: + if (fd != -1 && fd != STDIN_FILENO) + close(fd); + sshkey_free(pubkey); + sshkey_free(privkey); + return ret; +} + +static int +verify(const char *signature, const char *sig_namespace, const char *principal, + const char *allowed_keys, const char *revoked_keys) +{ + int r, ret = -1, sigfd = -1; + struct sshbuf *sigbuf = NULL, *abuf = NULL; + struct sshkey *sign_key = NULL; + char *fp = NULL; + + if ((abuf = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new() failed", __func__); + + if ((sigfd = open(signature, O_RDONLY)) < 0) { + error("Couldn't open signature file %s", signature); + goto done; + } + + if ((r = sshkey_load_file(sigfd, abuf)) != 0) { + error("Couldn't read signature file: %s", ssh_err(r)); + goto done; + } + if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { + error("%s: sshsig_armor: %s", __func__, ssh_err(r)); + return r; + } + if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace, + &sign_key)) != 0) + goto done; /* sshsig_verify() prints error */ + + if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash, + SSH_FP_DEFAULT)) == NULL) + fatal("%s: sshkey_fingerprint failed", __func__); + debug("Valid (unverified) signature from key %s", fp); + free(fp); + fp = NULL; + + if (revoked_keys != NULL) { + if ((r = sshkey_check_revoked(sign_key, revoked_keys)) != 0) { + debug3("sshkey_check_revoked failed: %s", ssh_err(r)); + goto done; + } + } + + if ((r = sshsig_check_allowed_keys(allowed_keys, sign_key, + principal, sig_namespace)) != 0) { + debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r)); + goto done; + } + /* success */ + ret = 0; +done: + if (!quiet) { + if (ret == 0) { + if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash, + SSH_FP_DEFAULT)) == NULL) { + fatal("%s: sshkey_fingerprint failed", + __func__); + } + printf("Good \"%s\" signature for %s with %s key %s\n", + sig_namespace, principal, + sshkey_type(sign_key), fp); + } else { + printf("Could not verify signature.\n"); + } + } + if (sigfd != -1) + close(sigfd); + sshbuf_free(sigbuf); + sshbuf_free(abuf); + sshkey_free(sign_key); + free(fp); + return ret; +} + static void usage(void) { @@ -2438,7 +2712,10 @@ usage(void) " ssh-keygen -A\n" " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" " file ...\n" - " ssh-keygen -Q -f krl_file file ...\n"); + " ssh-keygen -Q -f le file ...\n" + " ssh-keygen -Y sign -f sign_key -n namespace\n" + " ssh-keygen -Y verify -I signer_identity -s signature_file\n" + " -n namespace -f allowed_keys [-r revoked_keys]\n"); exit(1); } @@ -2465,6 +2742,7 @@ main(int argc, char **argv) FILE *f; const char *errstr; int log_level = SYSLOG_LEVEL_INFO; + char *sign_op = NULL; #ifdef WITH_OPENSSL /* Moduli generation/screening */ char out_file[PATH_MAX], *checkpoint = NULL; @@ -2492,9 +2770,9 @@ main(int argc, char **argv) if (gethostname(hostname, sizeof(hostname)) == -1) fatal("gethostname: %s", strerror(errno)); - /* Remaining characters: Ydw */ + /* Remaining characters: dw */ while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy" - "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" + "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Y:Z:" "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { switch (opt) { case 'A': @@ -2650,6 +2928,9 @@ main(int argc, char **argv) case 'V': parse_cert_times(optarg); break; + case 'Y': + sign_op = optarg; + break; case 'z': errno = 0; if (*optarg == '+') { @@ -2717,6 +2998,42 @@ main(int argc, char **argv) argv += optind; argc -= optind; + if (sign_op != NULL) { + if (cert_principals == NULL) { + error("Too few arguments for sign/verify: " + "missing namespace"); + exit(1); + } + if (strncmp(sign_op, "sign", 4) == 0) { + if (!have_identity) { + error("Too few arguments for sign: " + "missing key"); + exit(1); + } + return sign(identity_file, cert_principals, argc, argv); + } else if (strncmp(sign_op, "verify", 6) == 0) { + if (ca_key_path == NULL) { + error("Too few arguments for verify: " + "missing signature file"); + exit(1); + } + if (!have_identity) { + error("Too few arguments for sign: " + "missing allowed keys file"); + exit(1); + } + if (cert_key_id == NULL) { + error("Too few arguments for verify: " + "missing principal ID"); + exit(1); + } + return verify(ca_key_path, cert_principals, + cert_key_id, identity_file, rr_hostname); + } + usage(); + /* NOTREACHED */ + } + if (ca_key_path != NULL) { if (argc < 1 && !gen_krl) { error("Too few arguments."); diff --git a/usr.bin/ssh/ssh-keygen/Makefile b/usr.bin/ssh/ssh-keygen/Makefile index 4902803770c..db4166be9d3 100644 --- a/usr.bin/ssh/ssh-keygen/Makefile +++ b/usr.bin/ssh/ssh-keygen/Makefile @@ -1,10 +1,10 @@ -# $OpenBSD: Makefile,v 1.30 2019/07/16 13:18:39 djm Exp $ +# $OpenBSD: Makefile,v 1.31 2019/09/03 08:34:20 djm Exp $ .PATH: ${.CURDIR}/.. SRCS= ssh-keygen.c moduli.c SRCS+= atomicio.c authfd.c cleanup.c dns.c fatal.c hmac.c hostfile.c \ - readpass.c utf8.c + readpass.c utf8.c sshsig.c SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL} \ ${SRCS_PKCS11} diff --git a/usr.bin/ssh/sshsig.c b/usr.bin/ssh/sshsig.c new file mode 100644 index 00000000000..0a1e14627db --- /dev/null +++ b/usr.bin/ssh/sshsig.c @@ -0,0 +1,787 @@ +/* + * Copyright (c) 2019 Google LLC + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdarg.h> +#include <errno.h> +#include <string.h> +#include <unistd.h> + +#include "authfd.h" +#include "authfile.h" +#include "log.h" +#include "misc.h" +#include "sshbuf.h" +#include "sshsig.h" +#include "ssherr.h" +#include "sshkey.h" +#include "match.h" +#include "digest.h" + +#define SIG_VERSION 0x01 +#define MAGIC_PREAMBLE "SSHSIG" +#define MAGIC_PREAMBLE_LEN (sizeof(MAGIC_PREAMBLE) - 1) +#define BEGIN_SIGNATURE "-----BEGIN SSH SIGNATURE-----\n" +#define END_SIGNATURE "-----END SSH SIGNATURE-----" +#define RSA_SIGN_ALG "rsa-sha2-512" /* XXX maybe make configurable */ +#define RSA_SIGN_ALLOWED "rsa-sha2-512,rsa-sha2-256" +#define HASHALG_DEFAULT "sha512" /* XXX maybe make configurable */ +#define HASHALG_ALLOWED "sha256,sha512" + +int +sshsig_armor(const struct sshbuf *blob, struct sshbuf **out) +{ + struct sshbuf *buf = NULL; + int r = SSH_ERR_INTERNAL_ERROR; + + *out = NULL; + + if ((buf = sshbuf_new()) == NULL) { + error("%s: sshbuf_new failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + + if ((r = sshbuf_put(buf, BEGIN_SIGNATURE, + sizeof(BEGIN_SIGNATURE)-1)) != 0) { + error("%s: sshbuf_putf failed: %s", __func__, ssh_err(r)); + goto out; + } + + if ((r = sshbuf_dtob64(blob, buf, 1)) != 0) { + error("%s: Couldn't base64 encode signature blob: %s", + __func__, ssh_err(r)); + goto out; + } + + if ((r = sshbuf_put(buf, END_SIGNATURE, + sizeof(END_SIGNATURE)-1)) != 0 || + (r = sshbuf_put_u8(buf, '\n')) != 0) { + error("%s: sshbuf_put failed: %s", __func__, ssh_err(r)); + goto out; + } + /* success */ + *out = buf; + buf = NULL; /* transferred */ + r = 0; + out: + sshbuf_free(buf); + return r; +} + +int +sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out) +{ + int r; + size_t eoffset = 0; + struct sshbuf *buf = NULL; + struct sshbuf *sbuf = NULL; + char *b64 = NULL; + + if ((sbuf = sshbuf_fromb(sig)) == NULL) { + error("%s: sshbuf_fromb failed", __func__); + return SSH_ERR_ALLOC_FAIL; + } + + if ((r = sshbuf_cmp(sbuf, 0, + BEGIN_SIGNATURE, sizeof(BEGIN_SIGNATURE)-1)) != 0) { + error("Couldn't parse signature: missing header"); + goto done; + } + + if ((r = sshbuf_consume(sbuf, sizeof(BEGIN_SIGNATURE)-1)) != 0) { + error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r)); + goto done; + } + + if ((r = sshbuf_find(sbuf, 0, "\n" END_SIGNATURE, + sizeof("\n" END_SIGNATURE)-1, &eoffset)) != 0) { + error("Couldn't parse signature: missing footer"); + goto done; + } + + if ((r = sshbuf_consume_end(sbuf, sshbuf_len(sbuf)-eoffset)) != 0) { + error("%s: sshbuf_consume failed: %s", __func__, ssh_err(r)); + goto done; + } + + if ((b64 = sshbuf_dup_string(sbuf)) == NULL) { + error("%s: sshbuf_dup_string failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto done; + } + + if ((buf = sshbuf_new()) == NULL) { + error("%s: sshbuf_new() failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto done; + } + + if ((r = sshbuf_b64tod(buf, b64)) != 0) { + error("Coundn't decode signature: %s", ssh_err(r)); + goto done; + } + + /* success */ + *out = buf; + r = 0; + buf = NULL; /* transferred */ +done: + sshbuf_free(buf); + sshbuf_free(sbuf); + free(b64); + return r; +} + +static int +sshsig_wrap_sign(struct sshkey *key, const char *hashalg, + const struct sshbuf *h_message, const char *sig_namespace, + struct sshbuf **out, sshsig_signer *signer, void *signer_ctx) +{ + int r; + size_t slen = 0; + u_char *sig = NULL; + struct sshbuf *blob = NULL; + struct sshbuf *tosign = NULL; + const char *sign_alg = NULL; + + if ((tosign = sshbuf_new()) == NULL || + (blob = sshbuf_new()) == NULL) { + error("%s: sshbuf_new failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto done; + } + + if ((r = sshbuf_put(tosign, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || + (r = sshbuf_put_cstring(tosign, sig_namespace)) != 0 || + (r = sshbuf_put_string(tosign, NULL, 0)) != 0 || /* reserved */ + (r = sshbuf_put_cstring(tosign, hashalg)) != 0 || + (r = sshbuf_putb(tosign, h_message)) != 0) { + error("Couldn't construct message to sign: %s", ssh_err(r)); + goto done; + } + + /* If using RSA keys then default to a good signature algorithm */ + if (sshkey_type_plain(key->type) == KEY_RSA) + sign_alg = RSA_SIGN_ALG; + + if (signer != NULL) { + if ((r = signer(key, &sig, &slen, + sshbuf_ptr(tosign), sshbuf_len(tosign), + sign_alg, 0, signer_ctx)) != 0) { + error("Couldn't sign message: %s", ssh_err(r)); + goto done; + } + } else { + if ((r = sshkey_sign(key, &sig, &slen, + sshbuf_ptr(tosign), sshbuf_len(tosign), + sign_alg, 0)) != 0) { + error("Couldn't sign message: %s", ssh_err(r)); + goto done; + } + } + + if ((r = sshbuf_put(blob, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || + (r = sshbuf_put_u32(blob, SIG_VERSION)) != 0 || + (r = sshkey_puts(key, blob)) != 0 || + (r = sshbuf_put_cstring(blob, sig_namespace)) != 0 || + (r = sshbuf_put_string(blob, NULL, 0)) != 0 || /* reserved */ + (r = sshbuf_put_cstring(blob, hashalg)) != 0 || + (r = sshbuf_put_string(blob, sig, slen)) != 0) { + error("Couldn't populate blob: %s", ssh_err(r)); + goto done; + } + + *out = blob; + blob = NULL; + r = 0; +done: + free(sig); + sshbuf_free(blob); + sshbuf_free(tosign); + return r; +} + +/* Check preamble and version. */ +static int +sshsig_parse_preamble(struct sshbuf *buf) +{ + int r = SSH_ERR_INTERNAL_ERROR; + uint32_t sversion; + + if ((r = sshbuf_cmp(buf, 0, MAGIC_PREAMBLE, MAGIC_PREAMBLE_LEN)) != 0 || + (r = sshbuf_consume(buf, (sizeof(MAGIC_PREAMBLE)-1))) != 0 || + (r = sshbuf_get_u32(buf, &sversion)) != 0) { + error("Couldn't verify signature: invalid format"); + return r; + } + + if (sversion < SIG_VERSION) { + error("Signature version %lu is larger than supported " + "version %u", (unsigned long)sversion, SIG_VERSION); + return SSH_ERR_INVALID_FORMAT; + } + return 0; +} + +static int +sshsig_check_hashalg(const char *hashalg) +{ + if (match_pattern_list(hashalg, HASHALG_ALLOWED, 0) == 1) + return 0; + error("%s: unsupported hash algorithm \"%.100s\"", __func__, hashalg); + return SSH_ERR_SIGN_ALG_UNSUPPORTED; +} + +static int +sshsig_peek_hashalg(struct sshbuf *signature, char **hashalgp) +{ + struct sshbuf *buf = NULL; + char *hashalg = NULL; + int r = SSH_ERR_INTERNAL_ERROR; + + if (hashalgp != NULL) + *hashalgp = NULL; + if ((buf = sshbuf_fromb(signature)) == NULL) + return SSH_ERR_ALLOC_FAIL; + if ((r = sshsig_parse_preamble(buf)) != 0) + goto done; + if ((r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || + (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0 || + (r = sshbuf_get_string(buf, NULL, NULL)) != 0 || + (r = sshbuf_get_cstring(buf, &hashalg, NULL)) != 0 || + (r = sshbuf_get_string_direct(buf, NULL, NULL)) != 0) { + error("Couldn't parse signature blob: %s", ssh_err(r)); + goto done; + } + if ((r = sshsig_check_hashalg(hashalg)) != 0) + goto done; + + /* success */ + r = 0; + *hashalgp = hashalg; + hashalg = NULL; + done: + free(hashalg); + sshbuf_free(buf); + return r; +} + +static int +sshsig_wrap_verify(struct sshbuf *signature, const char *hashalg, + const struct sshbuf *h_message, const char *expect_namespace, + struct sshkey **sign_keyp) +{ + int r = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *buf = NULL, *toverify = NULL; + struct sshkey *key = NULL; + const u_char *sig; + char *got_namespace = NULL, *sigtype = NULL, *sig_hashalg = NULL; + size_t siglen; + + if (sign_keyp != NULL) + *sign_keyp = NULL; + + if ((toverify = sshbuf_new()) == NULL) { + error("%s: sshbuf_new failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto done; + } + if ((r = sshsig_check_hashalg(hashalg)) != 0) + goto done; + + if ((r = sshbuf_put(toverify, MAGIC_PREAMBLE, + MAGIC_PREAMBLE_LEN)) != 0 || + (r = sshbuf_put_cstring(toverify, expect_namespace)) != 0 || + (r = sshbuf_put_string(toverify, NULL, 0)) != 0 || /* reserved */ + (r = sshbuf_put_cstring(toverify, hashalg)) != 0 || + (r = sshbuf_putb(toverify, h_message)) != 0) { + error("Couldn't construct message to verify: %s", ssh_err(r)); + goto done; + } + + if ((r = sshsig_parse_preamble(signature)) != 0) + goto done; + + if ((r = sshkey_froms(signature, &key)) != 0 || + (r = sshbuf_get_cstring(signature, &got_namespace, NULL)) != 0 || + (r = sshbuf_get_string(signature, NULL, NULL)) != 0 || + (r = sshbuf_get_cstring(signature, &sig_hashalg, NULL)) != 0 || + (r = sshbuf_get_string_direct(signature, &sig, &siglen)) != 0) { + error("Couldn't parse signature blob: %s", ssh_err(r)); + goto done; + } + + if (sshbuf_len(signature) != 0) { + error("Signature contains trailing data"); + r = SSH_ERR_INVALID_FORMAT; + goto done; + } + + if (strcmp(expect_namespace, got_namespace) != 0) { + error("Couldn't verify signature: namespace does not match"); + debug("%s: expected namespace \"%s\" received \"%s\"", + __func__, expect_namespace, got_namespace); + r = SSH_ERR_SIGNATURE_INVALID; + goto done; + } + if (strcmp(hashalg, sig_hashalg) != 0) { + error("Couldn't verify signature: hash algorithm mismatch"); + debug("%s: expected algorithm \"%s\" received \"%s\"", + __func__, hashalg, sig_hashalg); + r = SSH_ERR_SIGNATURE_INVALID; + goto done; + } + /* Ensure that RSA keys use an acceptable signature algorithm */ + if (sshkey_type_plain(key->type) == KEY_RSA) { + if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0) { + error("Couldn't verify signature: unable to get " + "signature type: %s", ssh_err(r)); + goto done; + } + if (match_pattern_list(sigtype, RSA_SIGN_ALLOWED, 0) != 1) { + error("Couldn't verify signature: unsupported RSA " + "signature algorithm %s", sigtype); + r = SSH_ERR_SIGN_ALG_UNSUPPORTED; + goto done; + } + } + if ((r = sshkey_verify(key, sig, siglen, sshbuf_ptr(toverify), + sshbuf_len(toverify), NULL, 0)) != 0) { + error("Signature verification failed: %s", ssh_err(r)); + goto done; + } + + /* success */ + r = 0; + if (sign_keyp != NULL) { + *sign_keyp = key; + key = NULL; /* transferred */ + } +done: + free(got_namespace); + free(sigtype); + free(sig_hashalg); + sshbuf_free(buf); + sshbuf_free(toverify); + sshkey_free(key); + return r; +} + +int +sshsig_sign_message(struct sshkey *key, const char *hashalg, + const struct sshbuf *message, const char *sig_namespace, + struct sshbuf **out, sshsig_signer *signer, void *signer_ctx) +{ + u_char hash[SSH_DIGEST_MAX_LENGTH]; + struct sshbuf *b = NULL; + int alg, r = SSH_ERR_INTERNAL_ERROR; + + if (out != NULL) + *out = NULL; + if (hashalg == NULL) + hashalg = HASHALG_DEFAULT; + + if ((r = sshsig_check_hashalg(hashalg)) != 0) + return r; + if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { + error("%s: can't look up hash algorithm %s", + __func__, HASHALG_DEFAULT); + return SSH_ERR_INTERNAL_ERROR; + } + if ((r = ssh_digest_buffer(alg, message, hash, sizeof(hash))) != 0) { + error("%s: ssh_digest_buffer failed: %s", __func__, ssh_err(r)); + return r; + } + if ((b = sshbuf_from(hash, ssh_digest_bytes(alg))) == NULL) { + error("%s: sshbuf_from failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out, + signer, signer_ctx)) != 0) + goto out; + /* success */ + r = 0; + out: + sshbuf_free(b); + explicit_bzero(hash, sizeof(hash)); + return r; +} + +int +sshsig_verify_message(struct sshbuf *signature, const struct sshbuf *message, + const char *expect_namespace, struct sshkey **sign_keyp) +{ + u_char hash[SSH_DIGEST_MAX_LENGTH]; + struct sshbuf *b = NULL; + int alg, r = SSH_ERR_INTERNAL_ERROR; + char *hashalg = NULL; + + if (sign_keyp != NULL) + *sign_keyp = NULL; + + if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) + return r; + if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { + error("%s: can't look up hash algorithm %s", + __func__, HASHALG_DEFAULT); + return SSH_ERR_INTERNAL_ERROR; + } + if ((r = ssh_digest_buffer(alg, message, hash, sizeof(hash))) != 0) { + error("%s: ssh_digest_buffer failed: %s", __func__, ssh_err(r)); + goto out; + } + if ((b = sshbuf_from(hash, ssh_digest_bytes(alg))) == NULL) { + error("%s: sshbuf_from failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, + sign_keyp)) != 0) + goto out; + /* success */ + r = 0; + out: + sshbuf_free(b); + free(hashalg); + explicit_bzero(hash, sizeof(hash)); + return r; +} + +static int +hash_file(int fd, int hashalg, u_char *hash, size_t hashlen) +{ + char *hex, rbuf[8192]; + ssize_t n, total = 0; + struct ssh_digest_ctx *ctx; + int r, oerrno; + + memset(hash, 0, hashlen); + if ((ctx = ssh_digest_start(hashalg)) == NULL) { + error("%s: ssh_digest_start failed", __func__); + return SSH_ERR_INTERNAL_ERROR; + } + for (;;) { + if ((n = read(fd, rbuf, sizeof(rbuf))) == -1) { + if (errno == EINTR || errno == EAGAIN) + continue; + oerrno = errno; + error("%s: read: %s", __func__, strerror(errno)); + ssh_digest_free(ctx); + errno = oerrno; + return SSH_ERR_SYSTEM_ERROR; + } else if (n == 0) { + debug2("%s: hashed %zu bytes", __func__, total); + break; /* EOF */ + } + total += (size_t)n; + if ((r = ssh_digest_update(ctx, rbuf, (size_t)n)) != 0) { + error("%s: ssh_digest_update: %s", + __func__, ssh_err(r)); + ssh_digest_free(ctx); + return r; + } + } + if ((r = ssh_digest_final(ctx, hash, hashlen)) != 0) { + error("%s: ssh_digest_final: %s", __func__, ssh_err(r)); + ssh_digest_free(ctx); + } + if ((hex = tohex(hash, hashlen)) != NULL) { + debug3("%s: final hash: %s", __func__, hex); + freezero(hex, strlen(hex)); + } + /* success */ + ssh_digest_free(ctx); + return 0; +} + +int +sshsig_sign_fd(struct sshkey *key, const char *hashalg, + int fd, const char *sig_namespace, struct sshbuf **out, + sshsig_signer *signer, void *signer_ctx) +{ + u_char hash[SSH_DIGEST_MAX_LENGTH]; + struct sshbuf *b = NULL; + int alg, r = SSH_ERR_INTERNAL_ERROR; + + if (out != NULL) + *out = NULL; + if (hashalg == NULL) + hashalg = HASHALG_DEFAULT; + + if ((r = sshsig_check_hashalg(hashalg)) != 0) + return r; + if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { + error("%s: can't look up hash algorithm %s", + __func__, HASHALG_DEFAULT); + return SSH_ERR_INTERNAL_ERROR; + } + if ((r = hash_file(fd, alg, hash, sizeof(hash))) != 0) { + error("%s: hash_file failed: %s", __func__, ssh_err(r)); + return r; + } + if ((b = sshbuf_from(hash, ssh_digest_bytes(alg))) == NULL) { + error("%s: sshbuf_from failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out, + signer, signer_ctx)) != 0) + goto out; + /* success */ + r = 0; + out: + sshbuf_free(b); + explicit_bzero(hash, sizeof(hash)); + return r; +} + +int +sshsig_verify_fd(struct sshbuf *signature, int fd, + const char *expect_namespace, struct sshkey **sign_keyp) +{ + u_char hash[SSH_DIGEST_MAX_LENGTH]; + struct sshbuf *b = NULL; + int alg, r = SSH_ERR_INTERNAL_ERROR; + char *hashalg = NULL; + + if (sign_keyp != NULL) + *sign_keyp = NULL; + + if ((r = sshsig_peek_hashalg(signature, &hashalg)) != 0) + return r; + if ((alg = ssh_digest_alg_by_name(hashalg)) == -1) { + error("%s: can't look up hash algorithm %s", + __func__, HASHALG_DEFAULT); + return SSH_ERR_INTERNAL_ERROR; + } + if ((r = hash_file(fd, alg, hash, sizeof(hash))) != 0) { + error("%s: hash_file failed: %s", __func__, ssh_err(r)); + return r; + } + if ((b = sshbuf_from(hash, ssh_digest_bytes(alg))) == NULL) { + error("%s: sshbuf_from failed", __func__); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } + if ((r = sshsig_wrap_verify(signature, hashalg, b, expect_namespace, + sign_keyp)) != 0) + goto out; + /* success */ + r = 0; + out: + sshbuf_free(b); + free(hashalg); + explicit_bzero(hash, sizeof(hash)); + return r; +} + +struct sigopts { + int ca; + char *namespaces; +}; + +static struct sigopts * +sigopts_parse(const char *opts, const char *path, u_long linenum, + const char **errstrp) +{ + struct sigopts *ret; + int r; + const char *errstr = NULL; + + if ((ret = calloc(1, sizeof(*ret))) == NULL) + return NULL; + if (opts == NULL || *opts == '\0') + return ret; /* Empty options yields empty options :) */ + + while (*opts && *opts != ' ' && *opts != '\t') { + /* flag options */ + if ((r = opt_flag("cert-authority", 0, &opts)) != -1) { + ret->ca = 1; + } else if (opt_match(&opts, "namespaces")) { + if (ret->namespaces != NULL) { + errstr = "multiple \"namespaces\" clauses"; + goto fail; + } + ret->namespaces = opt_dequote(&opts, &errstr); + if (ret->namespaces == NULL) + goto fail; + } + /* + * Skip the comma, and move to the next option + * (or break out if there are no more). + */ + if (*opts == '\0' || *opts == ' ' || *opts == '\t') + break; /* End of options. */ + /* Anything other than a comma is an unknown option */ + if (*opts != ',') { + errstr = "unknown key option"; + goto fail; + } + opts++; + if (*opts == '\0') { + errstr = "unexpected end-of-options"; + goto fail; + } + } + /* success */ + return ret; + fail: + if (errstrp != NULL) + *errstrp = errstr; + free(ret); + return NULL; +} + +static void +sigopts_free(struct sigopts *opts) +{ + if (opts == NULL) + return; + free(opts->namespaces); + free(opts); +} + +static int +check_allowed_keys_line(const char *path, u_long linenum, char *line, + const struct sshkey *sign_key, const char *principal, + const char *sig_namespace) +{ + struct sshkey *found_key = NULL; + char *cp, *opts = NULL, *identities = NULL; + int r, found = 0; + const char *reason = NULL; + struct sigopts *sigopts = NULL; + + if ((found_key = sshkey_new(KEY_UNSPEC)) == NULL) { + error("%s: sshkey_new failed", __func__); + return SSH_ERR_ALLOC_FAIL; + } + + /* format: identity[,identity...] [option[,option...]] key */ + cp = line; + cp = cp + strspn(cp, " \t"); /* skip leading whitespace */ + if (*cp == '#' || *cp == '\0') + goto done; + if ((identities = strdelimw(&cp)) == NULL) { + error("%s:%lu: invalid line", path, linenum); + goto done; + } + if (match_pattern_list(principal, identities, 0) != 1) { + /* principal didn't match */ + goto done; + } + debug("%s: %s:%lu: matched principal \"%s\"", + __func__, path, linenum, principal); + + if (sshkey_read(found_key, &cp) != 0) { + /* no key? Check for options */ + opts = cp; + if (sshkey_advance_past_options(&cp) != 0) { + error("%s:%lu: invalid options", + path, linenum); + goto done; + } + *cp++ = '\0'; + skip_space(&cp); + if (sshkey_read(found_key, &cp) != 0) { + error("%s:%lu: invalid key", path, + linenum); + goto done; + } + } + debug3("%s:%lu: options %s", path, linenum, opts == NULL ? "" : opts); + if ((sigopts = sigopts_parse(opts, path, linenum, &reason)) == NULL) { + error("%s:%lu: bad options: %s", path, linenum, reason); + goto done; + } + + /* Check whether options preclude the use of this key */ + if (sigopts->namespaces != NULL && + match_pattern_list(sig_namespace, sigopts->namespaces, 0) != 1) { + error("%s:%lu: key is not permitted for use in signature " + "namespace \"%s\"", path, linenum, sig_namespace); + goto done; + } + + if (!sigopts->ca && sshkey_equal(found_key, sign_key)) { + /* Exact match of key */ + debug("%s:%lu: matched key and principal", path, linenum); + /* success */ + found = 1; + } else if (sigopts->ca && sshkey_is_cert(sign_key) && + sshkey_equal_public(sign_key->cert->signature_key, found_key)) { + /* Match of certificate's CA key */ + if ((r = sshkey_cert_check_authority(sign_key, 0, 1, + principal, &reason)) != 0) { + error("%s:%lu: certificate not authorized: %s", + path, linenum, reason); + goto done; + } + debug("%s:%lu: matched certificate CA key", path, linenum); + /* success */ + found = 1; + } else { + /* Principal matched but key didn't */ + goto done; + } + done: + sshkey_free(found_key); + sigopts_free(sigopts); + return found ? 0 : SSH_ERR_KEY_NOT_FOUND; +} + +int +sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key, + const char *principal, const char *sig_namespace) +{ + FILE *f = NULL; + char *line = NULL; + size_t linesize = 0; + u_long linenum = 0; + int r, oerrno; + + /* Check key and principal against file */ + if ((f = fopen(path, "r")) == NULL) { + oerrno = errno; + error("Unable to open allowed keys file \"%s\": %s", + path, strerror(errno)); + errno = oerrno; + return SSH_ERR_SYSTEM_ERROR; + } + + while (getline(&line, &linesize, f) != -1) { + linenum++; + r = check_allowed_keys_line(path, linenum, line, sign_key, + principal, sig_namespace); + if (r == SSH_ERR_KEY_NOT_FOUND) + continue; + else if (r == 0) { + /* success */ + fclose(f); + free(line); + return 0; + /* XXX continue and check revocation? */ + } else + break; + } + /* Either we hit an error parsing or we simply didn't find the key */ + fclose(f); + free(line); + return r == 0 ? SSH_ERR_KEY_NOT_FOUND : r; +} diff --git a/usr.bin/ssh/sshsig.h b/usr.bin/ssh/sshsig.h new file mode 100644 index 00000000000..92c675e3a05 --- /dev/null +++ b/usr.bin/ssh/sshsig.h @@ -0,0 +1,78 @@ +/* + * Copyright (c) 2019 Google LLC + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef SSHSIG_H +#define SSHSIG_H + +struct sshbuf; +struct sshkey; + +typedef int sshsig_signer(struct sshkey *, u_char **, size_t *, + const u_char *, size_t, const char *, u_int, void *); + +/* + * Creates a detached SSH signature for a given message. + * Returns 0 on success or a negative SSH_ERR_* error code on failure. + * out is populated with the detached signature, or NULL on failure. + */ +int sshsig_sign_message(struct sshkey *key, const char *hashalg, + const struct sshbuf *message, const char *sig_namespace, + struct sshbuf **out, sshsig_signer *signer, void *signer_ctx); + +/* + * Creates a detached SSH signature for a given file. + * Returns 0 on success or a negative SSH_ERR_* error code on failure. + * out is populated with the detached signature, or NULL on failure. + */ +int sshsig_sign_fd(struct sshkey *key, const char *hashalg, + int fd, const char *sig_namespace, struct sshbuf **out, + sshsig_signer *signer, void *signer_ctx); + +/* + * Verifies that a detached signature is valid and optionally returns key + * used to sign via argument. + * Returns 0 on success or a negative SSH_ERR_* error code on failure. + */ +int sshsig_verify_message(struct sshbuf *signature, + const struct sshbuf *message, const char *sig_namespace, + struct sshkey **sign_keyp); + +/* + * Verifies that a detached signature over a file is valid and optionally + * returns key used to sign via argument. + * Returns 0 on success or a negative SSH_ERR_* error code on failure. + */ +int sshsig_verify_fd(struct sshbuf *signature, int fd, + const char *sig_namespace, struct sshkey **sign_keyp); + +/* + * Return a base64 encoded "ASCII armoured" version of a raw signature. + */ +int sshsig_armor(const struct sshbuf *blob, struct sshbuf **out); + +/* + * Decode a base64 encoded armoured signature to a raw signature. + */ +int sshsig_dearmor(struct sshbuf *sig, struct sshbuf **out); + +/* + * Checks whether a particular key/principal/namespace is permitted by + * an allowed_keys file. Returns 0 on success. + */ +int sshsig_check_allowed_keys(const char *path, const struct sshkey *sign_key, + const char *principal, const char *ns); + +#endif /* SSHSIG_H */ |