1 /* $OpenBSD: authfile.c,v 1.107 2014/06/24 01:13:21 djm Exp $ */
3 * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/types.h>
30 #include <sys/param.h>
52 #define MAX_KEY_FILE_SIZE (1024 * 1024)
54 /* Save a key blob to a file */
56 sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
60 if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
61 return SSH_ERR_SYSTEM_ERROR;
62 if (atomicio(vwrite, fd, (u_char *)sshbuf_ptr(keybuf),
63 sshbuf_len(keybuf)) != sshbuf_len(keybuf)) {
68 return SSH_ERR_SYSTEM_ERROR;
75 sshkey_save_private(struct sshkey *key, const char *filename,
76 const char *passphrase, const char *comment,
77 int force_new_format, const char *new_format_cipher, int new_format_rounds)
79 struct sshbuf *keyblob = NULL;
82 if ((keyblob = sshbuf_new()) == NULL)
83 return SSH_ERR_ALLOC_FAIL;
84 if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
85 force_new_format, new_format_cipher, new_format_rounds)) != 0)
87 if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
95 /* Load a key from a fd into a buffer */
97 sshkey_load_file(int fd, const char *filename, struct sshbuf *blob)
104 if (fstat(fd, &st) < 0)
105 return SSH_ERR_SYSTEM_ERROR;
106 if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
107 st.st_size > MAX_KEY_FILE_SIZE)
108 return SSH_ERR_INVALID_FORMAT;
110 if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
113 r = SSH_ERR_SYSTEM_ERROR;
116 if ((r = sshbuf_put(blob, buf, len)) != 0)
118 if (sshbuf_len(blob) > MAX_KEY_FILE_SIZE) {
119 r = SSH_ERR_INVALID_FORMAT;
123 if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
124 st.st_size != (off_t)sshbuf_len(blob)) {
125 r = SSH_ERR_FILE_CHANGED;
131 explicit_bzero(buf, sizeof(buf));
139 * Loads the public part of the ssh v1 key file. Returns NULL if an error was
140 * encountered (the file does not exist or is not readable), and the key
144 sshkey_load_public_rsa1(int fd, const char *filename,
145 struct sshkey **keyp, char **commentp)
147 struct sshbuf *b = NULL;
151 if (commentp != NULL)
154 if ((b = sshbuf_new()) == NULL)
155 return SSH_ERR_ALLOC_FAIL;
156 if ((r = sshkey_load_file(fd, filename, b)) != 0)
158 if ((r = sshkey_parse_public_rsa1_fileblob(b, keyp, commentp)) != 0)
165 #endif /* WITH_SSH1 */
170 sshkey_load_private_pem(int fd, int type, const char *passphrase,
171 struct sshkey **keyp, char **commentp)
173 struct sshbuf *buffer = NULL;
177 if (commentp != NULL)
180 if ((buffer = sshbuf_new()) == NULL)
181 return SSH_ERR_ALLOC_FAIL;
182 if ((r = sshkey_load_file(fd, NULL, buffer)) != 0)
184 if ((r = sshkey_parse_private_pem_fileblob(buffer, type, passphrase,
185 keyp, commentp)) != 0)
192 #endif /* WITH_OPENSSL */
194 /* XXX remove error() calls from here? */
196 sshkey_perm_ok(int fd, const char *filename)
200 if (fstat(fd, &st) < 0)
201 return SSH_ERR_SYSTEM_ERROR;
203 * if a key owned by the user is accessed, then we check the
204 * permissions of the file. if the key owned by a different user,
205 * then we don't care.
208 if (check_ntsec(filename))
210 if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
211 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
212 error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
213 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
214 error("Permissions 0%3.3o for '%s' are too open.",
215 (u_int)st.st_mode & 0777, filename);
216 error("It is recommended that your private key files are NOT accessible by others.");
217 error("This private key will be ignored.");
218 return SSH_ERR_KEY_BAD_PERMISSIONS;
223 /* XXX kill perm_ok now that we have SSH_ERR_KEY_BAD_PERMISSIONS? */
225 sshkey_load_private_type(int type, const char *filename, const char *passphrase,
226 struct sshkey **keyp, char **commentp, int *perm_ok)
229 struct sshbuf *buffer = NULL;
232 if (commentp != NULL)
235 if ((fd = open(filename, O_RDONLY)) < 0) {
238 return SSH_ERR_SYSTEM_ERROR;
240 if (sshkey_perm_ok(fd, filename) != 0) {
243 r = SSH_ERR_KEY_BAD_PERMISSIONS;
249 if ((buffer = sshbuf_new()) == NULL) {
250 r = SSH_ERR_ALLOC_FAIL;
253 if ((r = sshkey_load_file(fd, filename, buffer)) != 0)
255 if ((r = sshkey_parse_private_fileblob_type(buffer, type, passphrase,
256 keyp, commentp)) != 0)
266 /* XXX this is almost identical to sshkey_load_private_type() */
268 sshkey_load_private(const char *filename, const char *passphrase,
269 struct sshkey **keyp, char **commentp)
271 struct sshbuf *buffer = NULL;
275 if (commentp != NULL)
278 if ((fd = open(filename, O_RDONLY)) < 0)
279 return SSH_ERR_SYSTEM_ERROR;
280 if (sshkey_perm_ok(fd, filename) != 0) {
281 r = SSH_ERR_KEY_BAD_PERMISSIONS;
285 if ((buffer = sshbuf_new()) == NULL) {
286 r = SSH_ERR_ALLOC_FAIL;
289 if ((r = sshkey_load_file(fd, filename, buffer)) != 0 ||
290 (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
291 keyp, commentp)) != 0)
302 sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
305 char line[SSH_MAX_PUBKEY_BYTES];
310 if (commentp != NULL)
312 if ((f = fopen(filename, "r")) == NULL)
313 return SSH_ERR_SYSTEM_ERROR;
314 while (read_keyfile_line(f, filename, line, sizeof(line),
323 /* Abort loading if this looks like a private key */
324 if (strncmp(cp, "-----BEGIN", 10) == 0 ||
325 strcmp(cp, "SSH PRIVATE KEY FILE") == 0)
327 /* Skip leading whitespace. */
328 for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
331 if ((r = sshkey_read(k, &cp)) == 0) {
332 cp[strcspn(cp, "\r\n")] = '\0';
334 *commentp = strdup(*cp ?
336 if (*commentp == NULL)
337 r = SSH_ERR_ALLOC_FAIL;
345 return SSH_ERR_INVALID_FORMAT;
348 /* load public key from ssh v1 private or any pubkey file */
350 sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
352 struct sshkey *pub = NULL;
353 char file[MAXPATHLEN];
358 if (commentp != NULL)
361 if ((fd = open(filename, O_RDONLY)) < 0)
364 /* try rsa1 private key */
365 r = sshkey_load_public_rsa1(fd, filename, keyp, commentp);
368 case SSH_ERR_INTERNAL_ERROR:
369 case SSH_ERR_ALLOC_FAIL:
370 case SSH_ERR_INVALID_ARGUMENT:
371 case SSH_ERR_SYSTEM_ERROR:
375 #endif /* WITH_SSH1 */
377 /* try ssh2 public key */
378 if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
379 return SSH_ERR_ALLOC_FAIL;
380 if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
388 /* try rsa1 public key */
389 if ((pub = sshkey_new(KEY_RSA1)) == NULL)
390 return SSH_ERR_ALLOC_FAIL;
391 if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
397 #endif /* WITH_SSH1 */
400 /* try .pub suffix */
401 if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
402 return SSH_ERR_ALLOC_FAIL;
403 r = SSH_ERR_ALLOC_FAIL; /* in case strlcpy or strlcat fail */
404 if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
405 (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
406 (r = sshkey_try_load_public(pub, file, commentp)) == 0) {
415 /* Load the certificate associated with the named private key */
417 sshkey_load_cert(const char *filename, struct sshkey **keyp)
419 struct sshkey *pub = NULL;
421 int r = SSH_ERR_INTERNAL_ERROR;
425 if (asprintf(&file, "%s-cert.pub", filename) == -1)
426 return SSH_ERR_ALLOC_FAIL;
428 if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
431 if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
446 /* Load private key and certificate */
448 sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
449 struct sshkey **keyp, int *perm_ok)
451 struct sshkey *key = NULL, *cert = NULL;
462 #endif /* WITH_OPENSSL */
466 return SSH_ERR_KEY_TYPE_UNKNOWN;
469 if ((r = sshkey_load_private_type(type, filename,
470 passphrase, &key, NULL, perm_ok)) != 0 ||
471 (r = sshkey_load_cert(filename, &cert)) != 0)
474 /* Make sure the private key matches the certificate */
475 if (sshkey_equal_public(key, cert) == 0) {
476 r = SSH_ERR_KEY_CERT_MISMATCH;
480 if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
481 (r = sshkey_cert_copy(cert, key)) != 0)
495 * Returns success if the specified "key" is listed in the file "filename",
496 * SSH_ERR_KEY_NOT_FOUND: if the key is not listed or another error.
497 * If strict_type is set then the key type must match exactly,
498 * otherwise a comparison that ignores certficiate data is performed.
501 sshkey_in_file(struct sshkey *key, const char *filename, int strict_type)
504 char line[SSH_MAX_PUBKEY_BYTES];
508 struct sshkey *pub = NULL;
509 int (*sshkey_compare)(const struct sshkey *, const struct sshkey *) =
510 strict_type ? sshkey_equal : sshkey_equal_public;
512 if ((f = fopen(filename, "r")) == NULL) {
514 return SSH_ERR_KEY_NOT_FOUND;
516 return SSH_ERR_SYSTEM_ERROR;
519 while (read_keyfile_line(f, filename, line, sizeof(line),
523 /* Skip leading whitespace. */
524 for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
527 /* Skip comments and empty lines */
535 if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
536 r = SSH_ERR_ALLOC_FAIL;
539 if ((r = sshkey_read(pub, &cp)) != 0)
541 if (sshkey_compare(key, pub)) {
548 r = SSH_ERR_KEY_NOT_FOUND;