Annotation of src/usr.bin/ssh/key.c, Revision 1.109
1.109 ! markus 1: /* $OpenBSD: key.c,v 1.108 2013/12/06 13:34:54 markus Exp $ */
1.1 markus 2: /*
1.11 deraadt 3: * read_bignum():
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: *
6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
11: *
12: *
1.28 markus 13: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1.76 grunk 14: * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
1.1 markus 15: *
16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
24: *
25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35: */
1.67 deraadt 36:
1.70 grunk 37: #include <sys/param.h>
1.67 deraadt 38: #include <sys/types.h>
1.1 markus 39:
1.2 markus 40: #include <openssl/evp.h>
1.109 ! markus 41: #include "crypto_api.h"
1.65 stevesk 42:
1.66 stevesk 43: #include <stdio.h>
1.65 stevesk 44: #include <string.h>
1.15 markus 45:
1.1 markus 46: #include "xmalloc.h"
47: #include "key.h"
1.12 markus 48: #include "rsa.h"
1.3 markus 49: #include "uuencode.h"
1.12 markus 50: #include "buffer.h"
1.15 markus 51: #include "log.h"
1.89 djm 52: #include "misc.h"
1.83 djm 53: #include "ssh2.h"
54:
1.100 djm 55: static int to_blob(const Key *, u_char **, u_int *, int);
1.105 djm 56: static Key *key_from_blob2(const u_char *, u_int, int);
1.100 djm 57:
1.83 djm 58: static struct KeyCert *
59: cert_new(void)
60: {
61: struct KeyCert *cert;
62:
63: cert = xcalloc(1, sizeof(*cert));
64: buffer_init(&cert->certblob);
1.87 djm 65: buffer_init(&cert->critical);
66: buffer_init(&cert->extensions);
1.83 djm 67: cert->key_id = NULL;
68: cert->principals = NULL;
69: cert->signature_key = NULL;
70: return cert;
71: }
1.1 markus 72:
73: Key *
74: key_new(int type)
75: {
76: Key *k;
77: RSA *rsa;
78: DSA *dsa;
1.63 djm 79: k = xcalloc(1, sizeof(*k));
1.1 markus 80: k->type = type;
1.92 djm 81: k->ecdsa = NULL;
82: k->ecdsa_nid = -1;
1.3 markus 83: k->dsa = NULL;
84: k->rsa = NULL;
1.83 djm 85: k->cert = NULL;
1.109 ! markus 86: k->ed25519_sk = NULL;
! 87: k->ed25519_pk = NULL;
1.1 markus 88: switch (k->type) {
1.12 markus 89: case KEY_RSA1:
1.1 markus 90: case KEY_RSA:
1.87 djm 91: case KEY_RSA_CERT_V00:
1.83 djm 92: case KEY_RSA_CERT:
1.38 markus 93: if ((rsa = RSA_new()) == NULL)
94: fatal("key_new: RSA_new failed");
95: if ((rsa->n = BN_new()) == NULL)
96: fatal("key_new: BN_new failed");
97: if ((rsa->e = BN_new()) == NULL)
98: fatal("key_new: BN_new failed");
1.1 markus 99: k->rsa = rsa;
100: break;
101: case KEY_DSA:
1.87 djm 102: case KEY_DSA_CERT_V00:
1.83 djm 103: case KEY_DSA_CERT:
1.38 markus 104: if ((dsa = DSA_new()) == NULL)
105: fatal("key_new: DSA_new failed");
106: if ((dsa->p = BN_new()) == NULL)
107: fatal("key_new: BN_new failed");
108: if ((dsa->q = BN_new()) == NULL)
109: fatal("key_new: BN_new failed");
110: if ((dsa->g = BN_new()) == NULL)
111: fatal("key_new: BN_new failed");
112: if ((dsa->pub_key = BN_new()) == NULL)
113: fatal("key_new: BN_new failed");
1.1 markus 114: k->dsa = dsa;
115: break;
1.92 djm 116: case KEY_ECDSA:
117: case KEY_ECDSA_CERT:
118: /* Cannot do anything until we know the group */
119: break;
1.109 ! markus 120: case KEY_ED25519:
! 121: case KEY_ED25519_CERT:
! 122: /* no need to prealloc */
! 123: break;
1.12 markus 124: case KEY_UNSPEC:
1.1 markus 125: break;
126: default:
127: fatal("key_new: bad key type %d", k->type);
128: break;
129: }
1.83 djm 130:
131: if (key_is_cert(k))
132: k->cert = cert_new();
133:
1.1 markus 134: return k;
135: }
1.45 deraadt 136:
1.83 djm 137: void
138: key_add_private(Key *k)
1.12 markus 139: {
140: switch (k->type) {
141: case KEY_RSA1:
142: case KEY_RSA:
1.87 djm 143: case KEY_RSA_CERT_V00:
1.83 djm 144: case KEY_RSA_CERT:
1.38 markus 145: if ((k->rsa->d = BN_new()) == NULL)
146: fatal("key_new_private: BN_new failed");
147: if ((k->rsa->iqmp = BN_new()) == NULL)
148: fatal("key_new_private: BN_new failed");
149: if ((k->rsa->q = BN_new()) == NULL)
150: fatal("key_new_private: BN_new failed");
151: if ((k->rsa->p = BN_new()) == NULL)
152: fatal("key_new_private: BN_new failed");
153: if ((k->rsa->dmq1 = BN_new()) == NULL)
154: fatal("key_new_private: BN_new failed");
155: if ((k->rsa->dmp1 = BN_new()) == NULL)
156: fatal("key_new_private: BN_new failed");
1.12 markus 157: break;
158: case KEY_DSA:
1.87 djm 159: case KEY_DSA_CERT_V00:
1.83 djm 160: case KEY_DSA_CERT:
1.38 markus 161: if ((k->dsa->priv_key = BN_new()) == NULL)
162: fatal("key_new_private: BN_new failed");
1.12 markus 163: break;
1.92 djm 164: case KEY_ECDSA:
165: case KEY_ECDSA_CERT:
166: /* Cannot do anything until we know the group */
167: break;
1.109 ! markus 168: case KEY_ED25519:
! 169: case KEY_ED25519_CERT:
! 170: /* no need to prealloc */
! 171: break;
1.12 markus 172: case KEY_UNSPEC:
173: break;
174: default:
175: break;
176: }
1.83 djm 177: }
178:
179: Key *
180: key_new_private(int type)
181: {
182: Key *k = key_new(type);
183:
184: key_add_private(k);
1.12 markus 185: return k;
186: }
1.45 deraadt 187:
1.83 djm 188: static void
189: cert_free(struct KeyCert *cert)
190: {
191: u_int i;
192:
193: buffer_free(&cert->certblob);
1.87 djm 194: buffer_free(&cert->critical);
195: buffer_free(&cert->extensions);
1.103 djm 196: free(cert->key_id);
1.83 djm 197: for (i = 0; i < cert->nprincipals; i++)
1.103 djm 198: free(cert->principals[i]);
199: free(cert->principals);
1.83 djm 200: if (cert->signature_key != NULL)
201: key_free(cert->signature_key);
1.103 djm 202: free(cert);
1.83 djm 203: }
204:
1.1 markus 205: void
206: key_free(Key *k)
207: {
1.60 djm 208: if (k == NULL)
1.62 deraadt 209: fatal("key_free: key is NULL");
1.1 markus 210: switch (k->type) {
1.12 markus 211: case KEY_RSA1:
1.1 markus 212: case KEY_RSA:
1.87 djm 213: case KEY_RSA_CERT_V00:
1.83 djm 214: case KEY_RSA_CERT:
1.1 markus 215: if (k->rsa != NULL)
216: RSA_free(k->rsa);
217: k->rsa = NULL;
218: break;
219: case KEY_DSA:
1.87 djm 220: case KEY_DSA_CERT_V00:
1.83 djm 221: case KEY_DSA_CERT:
1.1 markus 222: if (k->dsa != NULL)
223: DSA_free(k->dsa);
224: k->dsa = NULL;
225: break;
1.92 djm 226: case KEY_ECDSA:
227: case KEY_ECDSA_CERT:
228: if (k->ecdsa != NULL)
229: EC_KEY_free(k->ecdsa);
230: k->ecdsa = NULL;
231: break;
1.109 ! markus 232: case KEY_ED25519:
! 233: case KEY_ED25519_CERT:
! 234: if (k->ed25519_pk) {
! 235: memset(k->ed25519_pk, 0, ED25519_PK_SZ);
! 236: free(k->ed25519_pk);
! 237: k->ed25519_pk = NULL;
! 238: }
! 239: if (k->ed25519_sk) {
! 240: memset(k->ed25519_sk, 0, ED25519_SK_SZ);
! 241: free(k->ed25519_sk);
! 242: k->ed25519_sk = NULL;
! 243: }
! 244: break;
1.12 markus 245: case KEY_UNSPEC:
246: break;
1.1 markus 247: default:
248: fatal("key_free: bad key type %d", k->type);
249: break;
250: }
1.83 djm 251: if (key_is_cert(k)) {
252: if (k->cert != NULL)
253: cert_free(k->cert);
254: k->cert = NULL;
255: }
256:
1.103 djm 257: free(k);
1.1 markus 258: }
1.55 jakob 259:
1.83 djm 260: static int
261: cert_compare(struct KeyCert *a, struct KeyCert *b)
262: {
263: if (a == NULL && b == NULL)
264: return 1;
265: if (a == NULL || b == NULL)
266: return 0;
267: if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
268: return 0;
1.90 djm 269: if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
1.83 djm 270: buffer_len(&a->certblob)) != 0)
271: return 0;
272: return 1;
273: }
274:
275: /*
276: * Compare public portions of key only, allowing comparisons between
277: * certificates and plain keys too.
278: */
1.1 markus 279: int
1.83 djm 280: key_equal_public(const Key *a, const Key *b)
1.1 markus 281: {
1.92 djm 282: BN_CTX *bnctx;
283:
1.83 djm 284: if (a == NULL || b == NULL ||
285: key_type_plain(a->type) != key_type_plain(b->type))
1.1 markus 286: return 0;
1.83 djm 287:
1.1 markus 288: switch (a->type) {
1.12 markus 289: case KEY_RSA1:
1.87 djm 290: case KEY_RSA_CERT_V00:
1.83 djm 291: case KEY_RSA_CERT:
1.1 markus 292: case KEY_RSA:
293: return a->rsa != NULL && b->rsa != NULL &&
294: BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
295: BN_cmp(a->rsa->n, b->rsa->n) == 0;
1.87 djm 296: case KEY_DSA_CERT_V00:
1.83 djm 297: case KEY_DSA_CERT:
1.1 markus 298: case KEY_DSA:
299: return a->dsa != NULL && b->dsa != NULL &&
300: BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
301: BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
302: BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
303: BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
1.92 djm 304: case KEY_ECDSA_CERT:
305: case KEY_ECDSA:
306: if (a->ecdsa == NULL || b->ecdsa == NULL ||
307: EC_KEY_get0_public_key(a->ecdsa) == NULL ||
308: EC_KEY_get0_public_key(b->ecdsa) == NULL)
309: return 0;
310: if ((bnctx = BN_CTX_new()) == NULL)
311: fatal("%s: BN_CTX_new failed", __func__);
312: if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
313: EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
314: EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
315: EC_KEY_get0_public_key(a->ecdsa),
316: EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
317: BN_CTX_free(bnctx);
318: return 0;
319: }
320: BN_CTX_free(bnctx);
321: return 1;
1.109 ! markus 322: case KEY_ED25519:
! 323: case KEY_ED25519_CERT:
! 324: return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
! 325: memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
1.1 markus 326: default:
1.3 markus 327: fatal("key_equal: bad key type %d", a->type);
1.1 markus 328: }
1.78 stevesk 329: /* NOTREACHED */
1.1 markus 330: }
331:
1.83 djm 332: int
333: key_equal(const Key *a, const Key *b)
334: {
335: if (a == NULL || b == NULL || a->type != b->type)
336: return 0;
337: if (key_is_cert(a)) {
338: if (!cert_compare(a->cert, b->cert))
339: return 0;
340: }
341: return key_equal_public(a, b);
342: }
343:
1.52 jakob 344: u_char*
1.100 djm 345: key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
346: u_int *dgst_raw_length)
1.1 markus 347: {
1.41 markus 348: const EVP_MD *md = NULL;
1.21 markus 349: EVP_MD_CTX ctx;
1.13 markus 350: u_char *blob = NULL;
1.19 jakob 351: u_char *retval = NULL;
1.40 markus 352: u_int len = 0;
1.100 djm 353: int nlen, elen;
1.1 markus 354:
1.19 jakob 355: *dgst_raw_length = 0;
356:
1.21 markus 357: switch (dgst_type) {
358: case SSH_FP_MD5:
359: md = EVP_md5();
360: break;
361: case SSH_FP_SHA1:
362: md = EVP_sha1();
1.99 djm 363: break;
364: case SSH_FP_SHA256:
365: md = EVP_sha256();
1.21 markus 366: break;
367: default:
368: fatal("key_fingerprint_raw: bad digest type %d",
369: dgst_type);
370: }
1.1 markus 371: switch (k->type) {
1.12 markus 372: case KEY_RSA1:
1.1 markus 373: nlen = BN_num_bytes(k->rsa->n);
374: elen = BN_num_bytes(k->rsa->e);
375: len = nlen + elen;
1.3 markus 376: blob = xmalloc(len);
377: BN_bn2bin(k->rsa->n, blob);
378: BN_bn2bin(k->rsa->e, blob + nlen);
1.1 markus 379: break;
380: case KEY_DSA:
1.92 djm 381: case KEY_ECDSA:
1.12 markus 382: case KEY_RSA:
1.109 ! markus 383: case KEY_ED25519:
1.12 markus 384: key_to_blob(k, &blob, &len);
385: break;
1.87 djm 386: case KEY_DSA_CERT_V00:
387: case KEY_RSA_CERT_V00:
1.83 djm 388: case KEY_DSA_CERT:
1.92 djm 389: case KEY_ECDSA_CERT:
1.83 djm 390: case KEY_RSA_CERT:
1.109 ! markus 391: case KEY_ED25519_CERT:
1.83 djm 392: /* We want a fingerprint of the _key_ not of the cert */
1.100 djm 393: to_blob(k, &blob, &len, 1);
1.83 djm 394: break;
1.12 markus 395: case KEY_UNSPEC:
396: return retval;
1.1 markus 397: default:
1.19 jakob 398: fatal("key_fingerprint_raw: bad key type %d", k->type);
1.1 markus 399: break;
400: }
1.3 markus 401: if (blob != NULL) {
1.19 jakob 402: retval = xmalloc(EVP_MAX_MD_SIZE);
1.8 markus 403: EVP_DigestInit(&ctx, md);
404: EVP_DigestUpdate(&ctx, blob, len);
1.39 markus 405: EVP_DigestFinal(&ctx, retval, dgst_raw_length);
1.3 markus 406: memset(blob, 0, len);
1.103 djm 407: free(blob);
1.19 jakob 408: } else {
409: fatal("key_fingerprint_raw: blob is null");
1.1 markus 410: }
1.19 jakob 411: return retval;
412: }
413:
1.46 deraadt 414: static char *
415: key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 416: {
417: char *retval;
1.58 djm 418: u_int i;
1.19 jakob 419:
1.63 djm 420: retval = xcalloc(1, dgst_raw_len * 3 + 1);
1.36 deraadt 421: for (i = 0; i < dgst_raw_len; i++) {
1.19 jakob 422: char hex[4];
423: snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
1.54 avsm 424: strlcat(retval, hex, dgst_raw_len * 3 + 1);
1.19 jakob 425: }
1.54 avsm 426:
427: /* Remove the trailing ':' character */
1.19 jakob 428: retval[(dgst_raw_len * 3) - 1] = '\0';
429: return retval;
430: }
431:
1.46 deraadt 432: static char *
433: key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 434: {
435: char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
436: char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
437: 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
1.20 jakob 438: u_int i, j = 0, rounds, seed = 1;
1.19 jakob 439: char *retval;
440:
441: rounds = (dgst_raw_len / 2) + 1;
1.63 djm 442: retval = xcalloc((rounds * 6), sizeof(char));
1.20 jakob 443: retval[j++] = 'x';
444: for (i = 0; i < rounds; i++) {
1.19 jakob 445: u_int idx0, idx1, idx2, idx3, idx4;
1.20 jakob 446: if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
447: idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1.19 jakob 448: seed) % 6;
1.20 jakob 449: idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
450: idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1.19 jakob 451: (seed / 6)) % 6;
1.20 jakob 452: retval[j++] = vowels[idx0];
453: retval[j++] = consonants[idx1];
454: retval[j++] = vowels[idx2];
455: if ((i + 1) < rounds) {
456: idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
457: idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
458: retval[j++] = consonants[idx3];
459: retval[j++] = '-';
460: retval[j++] = consonants[idx4];
1.19 jakob 461: seed = ((seed * 5) +
1.20 jakob 462: ((((u_int)(dgst_raw[2 * i])) * 7) +
463: ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1.19 jakob 464: }
465: } else {
466: idx0 = seed % 6;
467: idx1 = 16;
468: idx2 = seed / 6;
1.20 jakob 469: retval[j++] = vowels[idx0];
470: retval[j++] = consonants[idx1];
471: retval[j++] = vowels[idx2];
1.19 jakob 472: }
473: }
1.20 jakob 474: retval[j++] = 'x';
475: retval[j++] = '\0';
1.19 jakob 476: return retval;
477: }
478:
1.70 grunk 479: /*
480: * Draw an ASCII-Art representing the fingerprint so human brain can
481: * profit from its built-in pattern recognition ability.
482: * This technique is called "random art" and can be found in some
483: * scientific publications like this original paper:
484: *
485: * "Hash Visualization: a New Technique to improve Real-World Security",
486: * Perrig A. and Song D., 1999, International Workshop on Cryptographic
487: * Techniques and E-Commerce (CrypTEC '99)
488: * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
489: *
490: * The subject came up in a talk by Dan Kaminsky, too.
491: *
492: * If you see the picture is different, the key is different.
493: * If the picture looks the same, you still know nothing.
494: *
495: * The algorithm used here is a worm crawling over a discrete plane,
496: * leaving a trace (augmenting the field) everywhere it goes.
497: * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
498: * makes the respective movement vector be ignored for this turn.
499: * Graphs are not unambiguous, because circles in graphs can be
500: * walked in either direction.
501: */
1.74 grunk 502:
503: /*
504: * Field sizes for the random art. Have to be odd, so the starting point
505: * can be in the exact middle of the picture, and FLDBASE should be >=8 .
506: * Else pictures would be too dense, and drawing the frame would
507: * fail, too, because the key type would not fit in anymore.
508: */
509: #define FLDBASE 8
510: #define FLDSIZE_Y (FLDBASE + 1)
511: #define FLDSIZE_X (FLDBASE * 2 + 1)
1.70 grunk 512: static char *
1.74 grunk 513: key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
1.70 grunk 514: {
515: /*
516: * Chars to be used after each other every time the worm
517: * intersects with itself. Matter of taste.
518: */
1.75 grunk 519: char *augmentation_string = " .o+=*BOX@%&#/^SE";
1.70 grunk 520: char *retval, *p;
1.71 otto 521: u_char field[FLDSIZE_X][FLDSIZE_Y];
1.70 grunk 522: u_int i, b;
523: int x, y;
1.72 grunk 524: size_t len = strlen(augmentation_string) - 1;
1.70 grunk 525:
526: retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
527:
528: /* initialize field */
1.71 otto 529: memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1.70 grunk 530: x = FLDSIZE_X / 2;
531: y = FLDSIZE_Y / 2;
532:
533: /* process raw key */
534: for (i = 0; i < dgst_raw_len; i++) {
535: int input;
536: /* each byte conveys four 2-bit move commands */
537: input = dgst_raw[i];
538: for (b = 0; b < 4; b++) {
539: /* evaluate 2 bit, rest is shifted later */
540: x += (input & 0x1) ? 1 : -1;
541: y += (input & 0x2) ? 1 : -1;
542:
543: /* assure we are still in bounds */
544: x = MAX(x, 0);
545: y = MAX(y, 0);
546: x = MIN(x, FLDSIZE_X - 1);
547: y = MIN(y, FLDSIZE_Y - 1);
548:
549: /* augment the field */
1.79 grunk 550: if (field[x][y] < len - 2)
551: field[x][y]++;
1.70 grunk 552: input = input >> 2;
553: }
554: }
1.75 grunk 555:
556: /* mark starting point and end point*/
557: field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
558: field[x][y] = len;
1.70 grunk 559:
560: /* fill in retval */
1.77 otto 561: snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
1.74 grunk 562: p = strchr(retval, '\0');
1.70 grunk 563:
564: /* output upper border */
1.77 otto 565: for (i = p - retval - 1; i < FLDSIZE_X; i++)
1.70 grunk 566: *p++ = '-';
567: *p++ = '+';
568: *p++ = '\n';
569:
570: /* output content */
571: for (y = 0; y < FLDSIZE_Y; y++) {
572: *p++ = '|';
573: for (x = 0; x < FLDSIZE_X; x++)
1.72 grunk 574: *p++ = augmentation_string[MIN(field[x][y], len)];
1.70 grunk 575: *p++ = '|';
576: *p++ = '\n';
577: }
578:
579: /* output lower border */
580: *p++ = '+';
581: for (i = 0; i < FLDSIZE_X; i++)
582: *p++ = '-';
583: *p++ = '+';
584:
585: return retval;
586: }
587:
1.46 deraadt 588: char *
1.104 djm 589: key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
1.19 jakob 590: {
1.23 markus 591: char *retval = NULL;
1.19 jakob 592: u_char *dgst_raw;
1.39 markus 593: u_int dgst_raw_len;
1.36 deraadt 594:
1.19 jakob 595: dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
596: if (!dgst_raw)
1.22 markus 597: fatal("key_fingerprint: null from key_fingerprint_raw()");
1.35 deraadt 598: switch (dgst_rep) {
1.19 jakob 599: case SSH_FP_HEX:
600: retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
601: break;
602: case SSH_FP_BUBBLEBABBLE:
603: retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1.70 grunk 604: break;
605: case SSH_FP_RANDOMART:
1.74 grunk 606: retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
1.19 jakob 607: break;
608: default:
1.80 stevesk 609: fatal("key_fingerprint: bad digest representation %d",
1.19 jakob 610: dgst_rep);
611: break;
612: }
613: memset(dgst_raw, 0, dgst_raw_len);
1.103 djm 614: free(dgst_raw);
1.1 markus 615: return retval;
616: }
617:
618: /*
619: * Reads a multiple-precision integer in decimal from the buffer, and advances
620: * the pointer. The integer must already be initialized. This function is
621: * permitted to modify the buffer. This leaves *cpp to point just beyond the
622: * last processed (and maybe modified) character. Note that this may modify
623: * the buffer containing the number.
624: */
1.27 itojun 625: static int
1.1 markus 626: read_bignum(char **cpp, BIGNUM * value)
627: {
628: char *cp = *cpp;
629: int old;
630:
631: /* Skip any leading whitespace. */
632: for (; *cp == ' ' || *cp == '\t'; cp++)
633: ;
634:
635: /* Check that it begins with a decimal digit. */
636: if (*cp < '0' || *cp > '9')
637: return 0;
638:
639: /* Save starting position. */
640: *cpp = cp;
641:
642: /* Move forward until all decimal digits skipped. */
643: for (; *cp >= '0' && *cp <= '9'; cp++)
644: ;
645:
646: /* Save the old terminating character, and replace it by \0. */
647: old = *cp;
648: *cp = 0;
649:
650: /* Parse the number. */
651: if (BN_dec2bn(&value, *cpp) == 0)
652: return 0;
653:
654: /* Restore old terminating character. */
655: *cp = old;
656:
657: /* Move beyond the number and return success. */
658: *cpp = cp;
659: return 1;
660: }
1.45 deraadt 661:
1.27 itojun 662: static int
1.1 markus 663: write_bignum(FILE *f, BIGNUM *num)
664: {
665: char *buf = BN_bn2dec(num);
666: if (buf == NULL) {
667: error("write_bignum: BN_bn2dec() failed");
668: return 0;
669: }
670: fprintf(f, " %s", buf);
1.33 markus 671: OPENSSL_free(buf);
1.1 markus 672: return 1;
673: }
1.12 markus 674:
1.32 markus 675: /* returns 1 ok, -1 error */
1.12 markus 676: int
1.3 markus 677: key_read(Key *ret, char **cpp)
1.1 markus 678: {
1.3 markus 679: Key *k;
1.12 markus 680: int success = -1;
681: char *cp, *space;
1.92 djm 682: int len, n, type, curve_nid = -1;
1.12 markus 683: u_int bits;
1.13 markus 684: u_char *blob;
1.3 markus 685:
686: cp = *cpp;
687:
1.35 deraadt 688: switch (ret->type) {
1.12 markus 689: case KEY_RSA1:
1.3 markus 690: /* Get number of bits. */
691: if (*cp < '0' || *cp > '9')
1.12 markus 692: return -1; /* Bad bit count... */
1.3 markus 693: for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
694: bits = 10 * bits + *cp - '0';
1.1 markus 695: if (bits == 0)
1.12 markus 696: return -1;
1.3 markus 697: *cpp = cp;
1.1 markus 698: /* Get public exponent, public modulus. */
699: if (!read_bignum(cpp, ret->rsa->e))
1.12 markus 700: return -1;
1.1 markus 701: if (!read_bignum(cpp, ret->rsa->n))
1.12 markus 702: return -1;
1.82 dtucker 703: /* validate the claimed number of bits */
704: if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
705: verbose("key_read: claimed key size %d does not match "
706: "actual %d", bits, BN_num_bits(ret->rsa->n));
707: return -1;
708: }
1.12 markus 709: success = 1;
1.1 markus 710: break;
1.12 markus 711: case KEY_UNSPEC:
712: case KEY_RSA:
1.1 markus 713: case KEY_DSA:
1.92 djm 714: case KEY_ECDSA:
1.109 ! markus 715: case KEY_ED25519:
1.87 djm 716: case KEY_DSA_CERT_V00:
717: case KEY_RSA_CERT_V00:
1.83 djm 718: case KEY_DSA_CERT:
1.92 djm 719: case KEY_ECDSA_CERT:
1.83 djm 720: case KEY_RSA_CERT:
1.109 ! markus 721: case KEY_ED25519_CERT:
1.12 markus 722: space = strchr(cp, ' ');
723: if (space == NULL) {
1.50 markus 724: debug3("key_read: missing whitespace");
1.12 markus 725: return -1;
726: }
727: *space = '\0';
728: type = key_type_from_name(cp);
1.92 djm 729: if (key_type_plain(type) == KEY_ECDSA &&
730: (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
731: debug("key_read: invalid curve");
732: return -1;
733: }
1.12 markus 734: *space = ' ';
735: if (type == KEY_UNSPEC) {
1.50 markus 736: debug3("key_read: missing keytype");
1.12 markus 737: return -1;
738: }
739: cp = space+1;
740: if (*cp == '\0') {
741: debug3("key_read: short string");
742: return -1;
743: }
744: if (ret->type == KEY_UNSPEC) {
745: ret->type = type;
746: } else if (ret->type != type) {
747: /* is a key, but different type */
748: debug3("key_read: type mismatch");
1.32 markus 749: return -1;
1.12 markus 750: }
1.3 markus 751: len = 2*strlen(cp);
752: blob = xmalloc(len);
753: n = uudecode(cp, blob, len);
1.6 markus 754: if (n < 0) {
1.7 markus 755: error("key_read: uudecode %s failed", cp);
1.103 djm 756: free(blob);
1.12 markus 757: return -1;
1.6 markus 758: }
1.53 markus 759: k = key_from_blob(blob, (u_int)n);
1.103 djm 760: free(blob);
1.7 markus 761: if (k == NULL) {
1.12 markus 762: error("key_read: key_from_blob %s failed", cp);
763: return -1;
1.7 markus 764: }
1.12 markus 765: if (k->type != type) {
766: error("key_read: type mismatch: encoding error");
767: key_free(k);
768: return -1;
769: }
1.92 djm 770: if (key_type_plain(type) == KEY_ECDSA &&
771: curve_nid != k->ecdsa_nid) {
772: error("key_read: type mismatch: EC curve mismatch");
773: key_free(k);
774: return -1;
775: }
1.12 markus 776: /*XXXX*/
1.83 djm 777: if (key_is_cert(ret)) {
778: if (!key_is_cert(k)) {
779: error("key_read: loaded key is not a cert");
780: key_free(k);
781: return -1;
782: }
783: if (ret->cert != NULL)
784: cert_free(ret->cert);
785: ret->cert = k->cert;
786: k->cert = NULL;
787: }
788: if (key_type_plain(ret->type) == KEY_RSA) {
1.12 markus 789: if (ret->rsa != NULL)
790: RSA_free(ret->rsa);
791: ret->rsa = k->rsa;
792: k->rsa = NULL;
793: #ifdef DEBUG_PK
794: RSA_print_fp(stderr, ret->rsa, 8);
795: #endif
1.83 djm 796: }
797: if (key_type_plain(ret->type) == KEY_DSA) {
1.12 markus 798: if (ret->dsa != NULL)
799: DSA_free(ret->dsa);
800: ret->dsa = k->dsa;
801: k->dsa = NULL;
802: #ifdef DEBUG_PK
803: DSA_print_fp(stderr, ret->dsa, 8);
804: #endif
805: }
1.92 djm 806: if (key_type_plain(ret->type) == KEY_ECDSA) {
807: if (ret->ecdsa != NULL)
808: EC_KEY_free(ret->ecdsa);
809: ret->ecdsa = k->ecdsa;
810: ret->ecdsa_nid = k->ecdsa_nid;
811: k->ecdsa = NULL;
812: k->ecdsa_nid = -1;
813: #ifdef DEBUG_PK
814: key_dump_ec_key(ret->ecdsa);
815: #endif
816: }
1.109 ! markus 817: if (key_type_plain(ret->type) == KEY_ED25519) {
! 818: free(ret->ed25519_pk);
! 819: ret->ed25519_pk = k->ed25519_pk;
! 820: k->ed25519_pk = NULL;
! 821: #ifdef DEBUG_PK
! 822: /* XXX */
! 823: #endif
! 824: }
1.83 djm 825: success = 1;
1.12 markus 826: /*XXXX*/
1.34 markus 827: key_free(k);
1.12 markus 828: if (success != 1)
829: break;
1.7 markus 830: /* advance cp: skip whitespace and data */
831: while (*cp == ' ' || *cp == '\t')
832: cp++;
833: while (*cp != '\0' && *cp != ' ' && *cp != '\t')
834: cp++;
835: *cpp = cp;
1.1 markus 836: break;
837: default:
1.3 markus 838: fatal("key_read: bad key type: %d", ret->type);
1.1 markus 839: break;
840: }
1.12 markus 841: return success;
1.1 markus 842: }
1.45 deraadt 843:
1.1 markus 844: int
1.55 jakob 845: key_write(const Key *key, FILE *f)
1.1 markus 846: {
1.40 markus 847: int n, success = 0;
848: u_int len, bits = 0;
1.49 markus 849: u_char *blob;
850: char *uu;
1.1 markus 851:
1.83 djm 852: if (key_is_cert(key)) {
853: if (key->cert == NULL) {
854: error("%s: no cert data", __func__);
855: return 0;
856: }
857: if (buffer_len(&key->cert->certblob) == 0) {
858: error("%s: no signed certificate blob", __func__);
859: return 0;
860: }
861: }
862:
863: switch (key->type) {
864: case KEY_RSA1:
865: if (key->rsa == NULL)
866: return 0;
1.1 markus 867: /* size of modulus 'n' */
868: bits = BN_num_bits(key->rsa->n);
869: fprintf(f, "%u", bits);
870: if (write_bignum(f, key->rsa->e) &&
1.83 djm 871: write_bignum(f, key->rsa->n))
872: return 1;
873: error("key_write: failed for RSA key");
874: return 0;
875: case KEY_DSA:
1.87 djm 876: case KEY_DSA_CERT_V00:
1.83 djm 877: case KEY_DSA_CERT:
878: if (key->dsa == NULL)
879: return 0;
880: break;
1.92 djm 881: case KEY_ECDSA:
882: case KEY_ECDSA_CERT:
883: if (key->ecdsa == NULL)
884: return 0;
885: break;
1.109 ! markus 886: case KEY_ED25519:
! 887: case KEY_ED25519_CERT:
! 888: if (key->ed25519_pk == NULL)
! 889: return 0;
! 890: break;
1.83 djm 891: case KEY_RSA:
1.87 djm 892: case KEY_RSA_CERT_V00:
1.83 djm 893: case KEY_RSA_CERT:
894: if (key->rsa == NULL)
895: return 0;
896: break;
897: default:
898: return 0;
899: }
900:
901: key_to_blob(key, &blob, &len);
902: uu = xmalloc(2*len);
903: n = uuencode(blob, len, uu, 2*len);
904: if (n > 0) {
905: fprintf(f, "%s %s", key_ssh_name(key), uu);
906: success = 1;
1.1 markus 907: }
1.103 djm 908: free(blob);
909: free(uu);
1.83 djm 910:
1.1 markus 911: return success;
912: }
1.45 deraadt 913:
1.55 jakob 914: const char *
1.86 stevesk 915: key_cert_type(const Key *k)
916: {
917: switch (k->cert->type) {
918: case SSH2_CERT_TYPE_USER:
919: return "user";
920: case SSH2_CERT_TYPE_HOST:
921: return "host";
922: default:
923: return "unknown";
924: }
1.10 markus 925: }
1.45 deraadt 926:
1.101 djm 927: struct keytype {
928: char *name;
929: char *shortname;
930: int type;
931: int nid;
932: int cert;
933: };
934: static const struct keytype keytypes[] = {
935: { NULL, "RSA1", KEY_RSA1, 0, 0 },
936: { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
937: { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
1.109 ! markus 938: { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
1.101 djm 939: { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
940: { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
941: { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
942: { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
943: { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
944: { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
945: KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
946: { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
947: KEY_ECDSA_CERT, NID_secp384r1, 1 },
948: { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
949: KEY_ECDSA_CERT, NID_secp521r1, 1 },
950: { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
951: KEY_RSA_CERT_V00, 0, 1 },
952: { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
953: KEY_DSA_CERT_V00, 0, 1 },
1.109 ! markus 954: { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
! 955: KEY_ED25519_CERT, 0, 1 },
1.101 djm 956: { NULL, NULL, -1, -1, 0 }
957: };
958:
959: const char *
960: key_type(const Key *k)
961: {
962: const struct keytype *kt;
963:
964: for (kt = keytypes; kt->type != -1; kt++) {
965: if (kt->type == k->type)
966: return kt->shortname;
967: }
968: return "unknown";
969: }
970:
1.92 djm 971: static const char *
972: key_ssh_name_from_type_nid(int type, int nid)
1.12 markus 973: {
1.101 djm 974: const struct keytype *kt;
975:
976: for (kt = keytypes; kt->type != -1; kt++) {
977: if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
978: return kt->name;
1.12 markus 979: }
980: return "ssh-unknown";
981: }
1.45 deraadt 982:
1.92 djm 983: const char *
984: key_ssh_name(const Key *k)
985: {
986: return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
987: }
988:
989: const char *
990: key_ssh_name_plain(const Key *k)
991: {
992: return key_ssh_name_from_type_nid(key_type_plain(k->type),
993: k->ecdsa_nid);
994: }
995:
1.101 djm 996: int
997: key_type_from_name(char *name)
998: {
999: const struct keytype *kt;
1000:
1001: for (kt = keytypes; kt->type != -1; kt++) {
1002: /* Only allow shortname matches for plain key types */
1003: if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
1004: (!kt->cert && strcasecmp(kt->shortname, name) == 0))
1005: return kt->type;
1006: }
1007: debug2("key_type_from_name: unknown key type '%s'", name);
1008: return KEY_UNSPEC;
1009: }
1010:
1011: int
1012: key_ecdsa_nid_from_name(const char *name)
1013: {
1014: const struct keytype *kt;
1015:
1016: for (kt = keytypes; kt->type != -1; kt++) {
1017: if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
1018: continue;
1019: if (kt->name != NULL && strcmp(name, kt->name) == 0)
1020: return kt->nid;
1021: }
1022: debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1023: return -1;
1024: }
1025:
1026: char *
1.109 ! markus 1027: key_alg_list(int certs_only, int plain_only)
1.101 djm 1028: {
1029: char *ret = NULL;
1030: size_t nlen, rlen = 0;
1031: const struct keytype *kt;
1032:
1033: for (kt = keytypes; kt->type != -1; kt++) {
1034: if (kt->name == NULL)
1035: continue;
1.109 ! markus 1036: if ((certs_only && !kt->cert) || (plain_only && kt->cert))
! 1037: continue;
1.101 djm 1038: if (ret != NULL)
1039: ret[rlen++] = '\n';
1040: nlen = strlen(kt->name);
1041: ret = xrealloc(ret, 1, rlen + nlen + 2);
1042: memcpy(ret + rlen, kt->name, nlen + 1);
1043: rlen += nlen;
1044: }
1045: return ret;
1046: }
1047:
1.105 djm 1048: int
1049: key_type_is_cert(int type)
1050: {
1051: const struct keytype *kt;
1052:
1053: for (kt = keytypes; kt->type != -1; kt++) {
1054: if (kt->type == type)
1055: return kt->cert;
1056: }
1057: return 0;
1058: }
1059:
1.12 markus 1060: u_int
1.55 jakob 1061: key_size(const Key *k)
1.35 deraadt 1062: {
1.10 markus 1063: switch (k->type) {
1.12 markus 1064: case KEY_RSA1:
1.10 markus 1065: case KEY_RSA:
1.87 djm 1066: case KEY_RSA_CERT_V00:
1.83 djm 1067: case KEY_RSA_CERT:
1.10 markus 1068: return BN_num_bits(k->rsa->n);
1069: case KEY_DSA:
1.87 djm 1070: case KEY_DSA_CERT_V00:
1.83 djm 1071: case KEY_DSA_CERT:
1.10 markus 1072: return BN_num_bits(k->dsa->p);
1.109 ! markus 1073: case KEY_ED25519:
! 1074: return 256; /* XXX */
1.92 djm 1075: case KEY_ECDSA:
1076: case KEY_ECDSA_CERT:
1.93 djm 1077: return key_curve_nid_to_bits(k->ecdsa_nid);
1.10 markus 1078: }
1079: return 0;
1.12 markus 1080: }
1081:
1.27 itojun 1082: static RSA *
1.13 markus 1083: rsa_generate_private_key(u_int bits)
1.12 markus 1084: {
1.95 djm 1085: RSA *private = RSA_new();
1086: BIGNUM *f4 = BN_new();
1.61 deraadt 1087:
1.17 stevesk 1088: if (private == NULL)
1.95 djm 1089: fatal("%s: RSA_new failed", __func__);
1090: if (f4 == NULL)
1091: fatal("%s: BN_new failed", __func__);
1092: if (!BN_set_word(f4, RSA_F4))
1093: fatal("%s: BN_new failed", __func__);
1094: if (!RSA_generate_key_ex(private, bits, f4, NULL))
1095: fatal("%s: key generation failed.", __func__);
1096: BN_free(f4);
1.17 stevesk 1097: return private;
1.12 markus 1098: }
1099:
1.27 itojun 1100: static DSA*
1.13 markus 1101: dsa_generate_private_key(u_int bits)
1.12 markus 1102: {
1.95 djm 1103: DSA *private = DSA_new();
1.61 deraadt 1104:
1.12 markus 1105: if (private == NULL)
1.95 djm 1106: fatal("%s: DSA_new failed", __func__);
1107: if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1108: NULL, NULL))
1109: fatal("%s: DSA_generate_parameters failed", __func__);
1.12 markus 1110: if (!DSA_generate_key(private))
1.95 djm 1111: fatal("%s: DSA_generate_key failed.", __func__);
1.12 markus 1112: return private;
1113: }
1114:
1.92 djm 1115: int
1116: key_ecdsa_bits_to_nid(int bits)
1117: {
1118: switch (bits) {
1119: case 256:
1120: return NID_X9_62_prime256v1;
1121: case 384:
1122: return NID_secp384r1;
1123: case 521:
1124: return NID_secp521r1;
1125: default:
1126: return -1;
1127: }
1128: }
1129:
1130: int
1.94 djm 1131: key_ecdsa_key_to_nid(EC_KEY *k)
1.92 djm 1132: {
1133: EC_GROUP *eg;
1134: int nids[] = {
1135: NID_X9_62_prime256v1,
1136: NID_secp384r1,
1137: NID_secp521r1,
1138: -1
1139: };
1.94 djm 1140: int nid;
1.92 djm 1141: u_int i;
1142: BN_CTX *bnctx;
1.94 djm 1143: const EC_GROUP *g = EC_KEY_get0_group(k);
1.92 djm 1144:
1.94 djm 1145: /*
1146: * The group may be stored in a ASN.1 encoded private key in one of two
1147: * ways: as a "named group", which is reconstituted by ASN.1 object ID
1148: * or explicit group parameters encoded into the key blob. Only the
1149: * "named group" case sets the group NID for us, but we can figure
1150: * it out for the other case by comparing against all the groups that
1151: * are supported.
1152: */
1153: if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1154: return nid;
1.92 djm 1155: if ((bnctx = BN_CTX_new()) == NULL)
1156: fatal("%s: BN_CTX_new() failed", __func__);
1157: for (i = 0; nids[i] != -1; i++) {
1158: if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1159: fatal("%s: EC_GROUP_new_by_curve_name failed",
1160: __func__);
1.94 djm 1161: if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1.92 djm 1162: break;
1163: EC_GROUP_free(eg);
1164: }
1165: BN_CTX_free(bnctx);
1166: debug3("%s: nid = %d", __func__, nids[i]);
1.94 djm 1167: if (nids[i] != -1) {
1168: /* Use the group with the NID attached */
1169: EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1170: if (EC_KEY_set_group(k, eg) != 1)
1171: fatal("%s: EC_KEY_set_group", __func__);
1172: }
1.92 djm 1173: return nids[i];
1174: }
1175:
1176: static EC_KEY*
1177: ecdsa_generate_private_key(u_int bits, int *nid)
1178: {
1179: EC_KEY *private;
1180:
1181: if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
1182: fatal("%s: invalid key length", __func__);
1183: if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
1184: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1185: if (EC_KEY_generate_key(private) != 1)
1186: fatal("%s: EC_KEY_generate_key failed", __func__);
1.94 djm 1187: EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1.92 djm 1188: return private;
1189: }
1190:
1.12 markus 1191: Key *
1.13 markus 1192: key_generate(int type, u_int bits)
1.12 markus 1193: {
1194: Key *k = key_new(KEY_UNSPEC);
1195: switch (type) {
1.17 stevesk 1196: case KEY_DSA:
1.12 markus 1197: k->dsa = dsa_generate_private_key(bits);
1198: break;
1.92 djm 1199: case KEY_ECDSA:
1200: k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
1201: break;
1.12 markus 1202: case KEY_RSA:
1203: case KEY_RSA1:
1204: k->rsa = rsa_generate_private_key(bits);
1205: break;
1.109 ! markus 1206: case KEY_ED25519:
! 1207: k->ed25519_pk = xmalloc(ED25519_PK_SZ);
! 1208: k->ed25519_sk = xmalloc(ED25519_SK_SZ);
! 1209: crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
! 1210: break;
1.87 djm 1211: case KEY_RSA_CERT_V00:
1212: case KEY_DSA_CERT_V00:
1.83 djm 1213: case KEY_RSA_CERT:
1214: case KEY_DSA_CERT:
1215: fatal("key_generate: cert keys cannot be generated directly");
1.12 markus 1216: default:
1.17 stevesk 1217: fatal("key_generate: unknown type %d", type);
1.12 markus 1218: }
1.17 stevesk 1219: k->type = type;
1.12 markus 1220: return k;
1221: }
1222:
1.83 djm 1223: void
1224: key_cert_copy(const Key *from_key, struct Key *to_key)
1225: {
1226: u_int i;
1227: const struct KeyCert *from;
1228: struct KeyCert *to;
1229:
1230: if (to_key->cert != NULL) {
1231: cert_free(to_key->cert);
1232: to_key->cert = NULL;
1233: }
1234:
1235: if ((from = from_key->cert) == NULL)
1236: return;
1237:
1238: to = to_key->cert = cert_new();
1239:
1240: buffer_append(&to->certblob, buffer_ptr(&from->certblob),
1241: buffer_len(&from->certblob));
1242:
1.87 djm 1243: buffer_append(&to->critical,
1244: buffer_ptr(&from->critical), buffer_len(&from->critical));
1245: buffer_append(&to->extensions,
1246: buffer_ptr(&from->extensions), buffer_len(&from->extensions));
1.83 djm 1247:
1.87 djm 1248: to->serial = from->serial;
1.83 djm 1249: to->type = from->type;
1250: to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
1251: to->valid_after = from->valid_after;
1252: to->valid_before = from->valid_before;
1253: to->signature_key = from->signature_key == NULL ?
1254: NULL : key_from_private(from->signature_key);
1255:
1256: to->nprincipals = from->nprincipals;
1257: if (to->nprincipals > CERT_MAX_PRINCIPALS)
1258: fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
1259: __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
1260: if (to->nprincipals > 0) {
1261: to->principals = xcalloc(from->nprincipals,
1262: sizeof(*to->principals));
1263: for (i = 0; i < to->nprincipals; i++)
1264: to->principals[i] = xstrdup(from->principals[i]);
1265: }
1266: }
1267:
1.12 markus 1268: Key *
1.55 jakob 1269: key_from_private(const Key *k)
1.12 markus 1270: {
1271: Key *n = NULL;
1272: switch (k->type) {
1.17 stevesk 1273: case KEY_DSA:
1.87 djm 1274: case KEY_DSA_CERT_V00:
1.83 djm 1275: case KEY_DSA_CERT:
1.12 markus 1276: n = key_new(k->type);
1.68 markus 1277: if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1278: (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1279: (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1280: (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
1281: fatal("key_from_private: BN_copy failed");
1.12 markus 1282: break;
1.92 djm 1283: case KEY_ECDSA:
1284: case KEY_ECDSA_CERT:
1285: n = key_new(k->type);
1286: n->ecdsa_nid = k->ecdsa_nid;
1287: if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
1288: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1289: if (EC_KEY_set_public_key(n->ecdsa,
1290: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1291: fatal("%s: EC_KEY_set_public_key failed", __func__);
1292: break;
1.12 markus 1293: case KEY_RSA:
1294: case KEY_RSA1:
1.87 djm 1295: case KEY_RSA_CERT_V00:
1.83 djm 1296: case KEY_RSA_CERT:
1.12 markus 1297: n = key_new(k->type);
1.68 markus 1298: if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1299: (BN_copy(n->rsa->e, k->rsa->e) == NULL))
1300: fatal("key_from_private: BN_copy failed");
1.12 markus 1301: break;
1.109 ! markus 1302: case KEY_ED25519:
! 1303: case KEY_ED25519_CERT:
! 1304: n = key_new(k->type);
! 1305: if (k->ed25519_pk != NULL) {
! 1306: n->ed25519_pk = xmalloc(ED25519_PK_SZ);
! 1307: memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
! 1308: }
! 1309: break;
1.12 markus 1310: default:
1.17 stevesk 1311: fatal("key_from_private: unknown type %d", k->type);
1.12 markus 1312: break;
1313: }
1.83 djm 1314: if (key_is_cert(k))
1315: key_cert_copy(k, n);
1.12 markus 1316: return n;
1.92 djm 1317: }
1318:
1319: int
1.25 markus 1320: key_names_valid2(const char *names)
1321: {
1322: char *s, *cp, *p;
1323:
1324: if (names == NULL || strcmp(names, "") == 0)
1325: return 0;
1326: s = cp = xstrdup(names);
1327: for ((p = strsep(&cp, ",")); p && *p != '\0';
1.36 deraadt 1328: (p = strsep(&cp, ","))) {
1.25 markus 1329: switch (key_type_from_name(p)) {
1330: case KEY_RSA1:
1331: case KEY_UNSPEC:
1.103 djm 1332: free(s);
1.25 markus 1333: return 0;
1334: }
1335: }
1336: debug3("key names ok: [%s]", names);
1.103 djm 1337: free(s);
1.25 markus 1338: return 1;
1.12 markus 1339: }
1340:
1.83 djm 1341: static int
1342: cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1343: {
1.87 djm 1344: u_char *principals, *critical, *exts, *sig_key, *sig;
1345: u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
1.83 djm 1346: Buffer tmp;
1347: char *principal;
1348: int ret = -1;
1.87 djm 1349: int v00 = key->type == KEY_DSA_CERT_V00 ||
1350: key->type == KEY_RSA_CERT_V00;
1.83 djm 1351:
1352: buffer_init(&tmp);
1353:
1354: /* Copy the entire key blob for verification and later serialisation */
1355: buffer_append(&key->cert->certblob, blob, blen);
1356:
1.87 djm 1357: elen = 0; /* Not touched for v00 certs */
1358: principals = exts = critical = sig_key = sig = NULL;
1359: if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1360: buffer_get_int_ret(&key->cert->type, b) != 0 ||
1.91 djm 1361: (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
1.83 djm 1362: (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1363: buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1364: buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1.87 djm 1365: (critical = buffer_get_string_ret(b, &clen)) == NULL ||
1366: (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
1367: (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
1368: buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
1.83 djm 1369: (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1370: error("%s: parse error", __func__);
1.84 djm 1371: goto out;
1372: }
1373:
1.83 djm 1374: /* Signature is left in the buffer so we can calculate this length */
1375: signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1376:
1377: if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1378: error("%s: parse error", __func__);
1379: goto out;
1380: }
1381:
1382: if (key->cert->type != SSH2_CERT_TYPE_USER &&
1383: key->cert->type != SSH2_CERT_TYPE_HOST) {
1384: error("Unknown certificate type %u", key->cert->type);
1385: goto out;
1386: }
1387:
1388: buffer_append(&tmp, principals, plen);
1389: while (buffer_len(&tmp) > 0) {
1390: if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1.84 djm 1391: error("%s: Too many principals", __func__);
1.83 djm 1392: goto out;
1393: }
1.91 djm 1394: if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
1.84 djm 1395: error("%s: Principals data invalid", __func__);
1396: goto out;
1397: }
1.83 djm 1398: key->cert->principals = xrealloc(key->cert->principals,
1399: key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1400: key->cert->principals[key->cert->nprincipals++] = principal;
1401: }
1402:
1403: buffer_clear(&tmp);
1404:
1.87 djm 1405: buffer_append(&key->cert->critical, critical, clen);
1406: buffer_append(&tmp, critical, clen);
1.83 djm 1407: /* validate structure */
1408: while (buffer_len(&tmp) != 0) {
1.85 djm 1409: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1410: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1.87 djm 1411: error("%s: critical option data invalid", __func__);
1412: goto out;
1413: }
1414: }
1415: buffer_clear(&tmp);
1416:
1417: buffer_append(&key->cert->extensions, exts, elen);
1418: buffer_append(&tmp, exts, elen);
1419: /* validate structure */
1420: while (buffer_len(&tmp) != 0) {
1421: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1422: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1423: error("%s: extension data invalid", __func__);
1.83 djm 1424: goto out;
1425: }
1426: }
1427: buffer_clear(&tmp);
1428:
1.105 djm 1429: if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0))
1430: == NULL) {
1.84 djm 1431: error("%s: Signature key invalid", __func__);
1.83 djm 1432: goto out;
1433: }
1434: if (key->cert->signature_key->type != KEY_RSA &&
1.92 djm 1435: key->cert->signature_key->type != KEY_DSA &&
1436: key->cert->signature_key->type != KEY_ECDSA) {
1.84 djm 1437: error("%s: Invalid signature key type %s (%d)", __func__,
1.83 djm 1438: key_type(key->cert->signature_key),
1439: key->cert->signature_key->type);
1440: goto out;
1441: }
1442:
1443: switch (key_verify(key->cert->signature_key, sig, slen,
1444: buffer_ptr(&key->cert->certblob), signed_len)) {
1445: case 1:
1.84 djm 1446: ret = 0;
1.83 djm 1447: break; /* Good signature */
1448: case 0:
1.84 djm 1449: error("%s: Invalid signature on certificate", __func__);
1.83 djm 1450: goto out;
1451: case -1:
1.84 djm 1452: error("%s: Certificate signature verification failed",
1453: __func__);
1.83 djm 1454: goto out;
1455: }
1456:
1457: out:
1458: buffer_free(&tmp);
1.103 djm 1459: free(principals);
1460: free(critical);
1461: free(exts);
1462: free(sig_key);
1463: free(sig);
1.83 djm 1464: return ret;
1465: }
1466:
1.105 djm 1467: static Key *
1468: key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
1.12 markus 1469: {
1470: Buffer b;
1.92 djm 1471: int rlen, type, nid = -1;
1.109 ! markus 1472: u_int len;
1.92 djm 1473: char *ktype = NULL, *curve = NULL;
1.109 ! markus 1474: u_char *pk = NULL;
1.12 markus 1475: Key *key = NULL;
1.92 djm 1476: EC_POINT *q = NULL;
1.12 markus 1477:
1478: #ifdef DEBUG_PK
1479: dump_base64(stderr, blob, blen);
1480: #endif
1481: buffer_init(&b);
1482: buffer_append(&b, blob, blen);
1.91 djm 1483: if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
1.57 djm 1484: error("key_from_blob: can't read key type");
1485: goto out;
1486: }
1487:
1.12 markus 1488: type = key_type_from_name(ktype);
1.92 djm 1489: if (key_type_plain(type) == KEY_ECDSA)
1490: nid = key_ecdsa_nid_from_name(ktype);
1.105 djm 1491: if (!allow_cert && key_type_is_cert(type)) {
1492: error("key_from_blob: certificate not allowed in this context");
1493: goto out;
1494: }
1.35 deraadt 1495: switch (type) {
1.87 djm 1496: case KEY_RSA_CERT:
1497: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1498: /* FALLTHROUGH */
1.12 markus 1499: case KEY_RSA:
1.87 djm 1500: case KEY_RSA_CERT_V00:
1.12 markus 1501: key = key_new(type);
1.57 djm 1502: if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1503: buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1504: error("key_from_blob: can't read rsa key");
1.83 djm 1505: badkey:
1.57 djm 1506: key_free(key);
1507: key = NULL;
1508: goto out;
1509: }
1.12 markus 1510: #ifdef DEBUG_PK
1511: RSA_print_fp(stderr, key->rsa, 8);
1512: #endif
1513: break;
1.87 djm 1514: case KEY_DSA_CERT:
1515: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1516: /* FALLTHROUGH */
1.12 markus 1517: case KEY_DSA:
1.87 djm 1518: case KEY_DSA_CERT_V00:
1.12 markus 1519: key = key_new(type);
1.57 djm 1520: if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1521: buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1522: buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1523: buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1524: error("key_from_blob: can't read dsa key");
1.83 djm 1525: goto badkey;
1.57 djm 1526: }
1.12 markus 1527: #ifdef DEBUG_PK
1528: DSA_print_fp(stderr, key->dsa, 8);
1529: #endif
1530: break;
1.92 djm 1531: case KEY_ECDSA_CERT:
1532: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1533: /* FALLTHROUGH */
1534: case KEY_ECDSA:
1535: key = key_new(type);
1536: key->ecdsa_nid = nid;
1537: if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
1538: error("key_from_blob: can't read ecdsa curve");
1539: goto badkey;
1540: }
1541: if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
1542: error("key_from_blob: ecdsa curve doesn't match type");
1543: goto badkey;
1544: }
1545: if (key->ecdsa != NULL)
1546: EC_KEY_free(key->ecdsa);
1547: if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
1548: == NULL)
1549: fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
1550: if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
1551: fatal("key_from_blob: EC_POINT_new failed");
1552: if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
1553: q) == -1) {
1554: error("key_from_blob: can't read ecdsa key point");
1555: goto badkey;
1556: }
1557: if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1558: q) != 0)
1559: goto badkey;
1560: if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
1561: fatal("key_from_blob: EC_KEY_set_public_key failed");
1562: #ifdef DEBUG_PK
1563: key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
1564: #endif
1565: break;
1.109 ! markus 1566: case KEY_ED25519_CERT:
! 1567: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
! 1568: /* FALLTHROUGH */
! 1569: case KEY_ED25519:
! 1570: if ((pk = buffer_get_string_ret(&b, &len)) == NULL) {
! 1571: error("key_from_blob: can't read ed25519 key");
! 1572: goto badkey;
! 1573: }
! 1574: if (len != ED25519_PK_SZ) {
! 1575: error("key_from_blob: ed25519 len %d != %d",
! 1576: len, ED25519_PK_SZ);
! 1577: goto badkey;
! 1578: }
! 1579: key = key_new(type);
! 1580: key->ed25519_pk = pk;
! 1581: pk = NULL;
! 1582: break;
1.12 markus 1583: case KEY_UNSPEC:
1584: key = key_new(type);
1585: break;
1586: default:
1587: error("key_from_blob: cannot handle type %s", ktype);
1.57 djm 1588: goto out;
1.12 markus 1589: }
1.83 djm 1590: if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1591: error("key_from_blob: can't parse cert data");
1592: goto badkey;
1593: }
1.12 markus 1594: rlen = buffer_len(&b);
1595: if (key != NULL && rlen != 0)
1596: error("key_from_blob: remaining bytes in key blob %d", rlen);
1.57 djm 1597: out:
1.103 djm 1598: free(ktype);
1599: free(curve);
1.109 ! markus 1600: free(pk);
1.92 djm 1601: if (q != NULL)
1602: EC_POINT_free(q);
1.12 markus 1603: buffer_free(&b);
1604: return key;
1605: }
1606:
1.105 djm 1607: Key *
1608: key_from_blob(const u_char *blob, u_int blen)
1609: {
1610: return key_from_blob2(blob, blen, 1);
1611: }
1612:
1.100 djm 1613: static int
1614: to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
1.12 markus 1615: {
1616: Buffer b;
1.100 djm 1617: int len, type;
1.12 markus 1618:
1.106 djm 1619: if (blobp != NULL)
1620: *blobp = NULL;
1621: if (lenp != NULL)
1622: *lenp = 0;
1.12 markus 1623: if (key == NULL) {
1624: error("key_to_blob: key == NULL");
1625: return 0;
1626: }
1627: buffer_init(&b);
1.100 djm 1628: type = force_plain ? key_type_plain(key->type) : key->type;
1629: switch (type) {
1.87 djm 1630: case KEY_DSA_CERT_V00:
1631: case KEY_RSA_CERT_V00:
1.83 djm 1632: case KEY_DSA_CERT:
1.92 djm 1633: case KEY_ECDSA_CERT:
1.83 djm 1634: case KEY_RSA_CERT:
1.109 ! markus 1635: case KEY_ED25519_CERT:
1.83 djm 1636: /* Use the existing blob */
1637: buffer_append(&b, buffer_ptr(&key->cert->certblob),
1638: buffer_len(&key->cert->certblob));
1639: break;
1.12 markus 1640: case KEY_DSA:
1.100 djm 1641: buffer_put_cstring(&b,
1642: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.12 markus 1643: buffer_put_bignum2(&b, key->dsa->p);
1644: buffer_put_bignum2(&b, key->dsa->q);
1645: buffer_put_bignum2(&b, key->dsa->g);
1646: buffer_put_bignum2(&b, key->dsa->pub_key);
1647: break;
1.92 djm 1648: case KEY_ECDSA:
1.100 djm 1649: buffer_put_cstring(&b,
1650: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.92 djm 1651: buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1652: buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1653: EC_KEY_get0_public_key(key->ecdsa));
1654: break;
1.12 markus 1655: case KEY_RSA:
1.100 djm 1656: buffer_put_cstring(&b,
1657: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.14 markus 1658: buffer_put_bignum2(&b, key->rsa->e);
1.12 markus 1659: buffer_put_bignum2(&b, key->rsa->n);
1660: break;
1.109 ! markus 1661: case KEY_ED25519:
! 1662: buffer_put_cstring(&b,
! 1663: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
! 1664: buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
! 1665: break;
1.12 markus 1666: default:
1.31 markus 1667: error("key_to_blob: unsupported key type %d", key->type);
1668: buffer_free(&b);
1669: return 0;
1.12 markus 1670: }
1671: len = buffer_len(&b);
1.48 markus 1672: if (lenp != NULL)
1673: *lenp = len;
1674: if (blobp != NULL) {
1675: *blobp = xmalloc(len);
1676: memcpy(*blobp, buffer_ptr(&b), len);
1677: }
1.12 markus 1678: memset(buffer_ptr(&b), 0, len);
1679: buffer_free(&b);
1680: return len;
1681: }
1682:
1683: int
1.100 djm 1684: key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1685: {
1686: return to_blob(key, blobp, lenp, 0);
1687: }
1688:
1689: int
1.12 markus 1690: key_sign(
1.55 jakob 1691: const Key *key,
1.40 markus 1692: u_char **sigp, u_int *lenp,
1.55 jakob 1693: const u_char *data, u_int datalen)
1.12 markus 1694: {
1.35 deraadt 1695: switch (key->type) {
1.87 djm 1696: case KEY_DSA_CERT_V00:
1.83 djm 1697: case KEY_DSA_CERT:
1.12 markus 1698: case KEY_DSA:
1699: return ssh_dss_sign(key, sigp, lenp, data, datalen);
1.92 djm 1700: case KEY_ECDSA_CERT:
1701: case KEY_ECDSA:
1702: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
1.87 djm 1703: case KEY_RSA_CERT_V00:
1.83 djm 1704: case KEY_RSA_CERT:
1.12 markus 1705: case KEY_RSA:
1706: return ssh_rsa_sign(key, sigp, lenp, data, datalen);
1.109 ! markus 1707: case KEY_ED25519:
! 1708: case KEY_ED25519_CERT:
! 1709: return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
1.12 markus 1710: default:
1.56 markus 1711: error("key_sign: invalid key type %d", key->type);
1.12 markus 1712: return -1;
1713: }
1714: }
1715:
1.44 markus 1716: /*
1717: * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1718: * and -1 on error.
1719: */
1.12 markus 1720: int
1721: key_verify(
1.55 jakob 1722: const Key *key,
1723: const u_char *signature, u_int signaturelen,
1724: const u_char *data, u_int datalen)
1.12 markus 1725: {
1.26 markus 1726: if (signaturelen == 0)
1727: return -1;
1728:
1.35 deraadt 1729: switch (key->type) {
1.87 djm 1730: case KEY_DSA_CERT_V00:
1.83 djm 1731: case KEY_DSA_CERT:
1.12 markus 1732: case KEY_DSA:
1733: return ssh_dss_verify(key, signature, signaturelen, data, datalen);
1.92 djm 1734: case KEY_ECDSA_CERT:
1735: case KEY_ECDSA:
1736: return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
1.87 djm 1737: case KEY_RSA_CERT_V00:
1.83 djm 1738: case KEY_RSA_CERT:
1.12 markus 1739: case KEY_RSA:
1740: return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
1.109 ! markus 1741: case KEY_ED25519:
! 1742: case KEY_ED25519_CERT:
! 1743: return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
1.12 markus 1744: default:
1.56 markus 1745: error("key_verify: invalid key type %d", key->type);
1.12 markus 1746: return -1;
1747: }
1.42 markus 1748: }
1749:
1750: /* Converts a private to a public key */
1751: Key *
1.55 jakob 1752: key_demote(const Key *k)
1.42 markus 1753: {
1754: Key *pk;
1.43 markus 1755:
1.63 djm 1756: pk = xcalloc(1, sizeof(*pk));
1.42 markus 1757: pk->type = k->type;
1758: pk->flags = k->flags;
1.92 djm 1759: pk->ecdsa_nid = k->ecdsa_nid;
1.42 markus 1760: pk->dsa = NULL;
1.92 djm 1761: pk->ecdsa = NULL;
1.42 markus 1762: pk->rsa = NULL;
1.109 ! markus 1763: pk->ed25519_pk = NULL;
! 1764: pk->ed25519_sk = NULL;
1.42 markus 1765:
1766: switch (k->type) {
1.87 djm 1767: case KEY_RSA_CERT_V00:
1.83 djm 1768: case KEY_RSA_CERT:
1769: key_cert_copy(k, pk);
1770: /* FALLTHROUGH */
1.42 markus 1771: case KEY_RSA1:
1772: case KEY_RSA:
1773: if ((pk->rsa = RSA_new()) == NULL)
1774: fatal("key_demote: RSA_new failed");
1775: if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1776: fatal("key_demote: BN_dup failed");
1777: if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1778: fatal("key_demote: BN_dup failed");
1779: break;
1.87 djm 1780: case KEY_DSA_CERT_V00:
1.83 djm 1781: case KEY_DSA_CERT:
1782: key_cert_copy(k, pk);
1783: /* FALLTHROUGH */
1.42 markus 1784: case KEY_DSA:
1785: if ((pk->dsa = DSA_new()) == NULL)
1786: fatal("key_demote: DSA_new failed");
1787: if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1788: fatal("key_demote: BN_dup failed");
1789: if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1790: fatal("key_demote: BN_dup failed");
1791: if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1792: fatal("key_demote: BN_dup failed");
1793: if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1794: fatal("key_demote: BN_dup failed");
1795: break;
1.92 djm 1796: case KEY_ECDSA_CERT:
1797: key_cert_copy(k, pk);
1798: /* FALLTHROUGH */
1799: case KEY_ECDSA:
1800: if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
1801: fatal("key_demote: EC_KEY_new_by_curve_name failed");
1802: if (EC_KEY_set_public_key(pk->ecdsa,
1803: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1804: fatal("key_demote: EC_KEY_set_public_key failed");
1805: break;
1.109 ! markus 1806: case KEY_ED25519_CERT:
! 1807: key_cert_copy(k, pk);
! 1808: /* FALLTHROUGH */
! 1809: case KEY_ED25519:
! 1810: if (k->ed25519_pk != NULL) {
! 1811: pk->ed25519_pk = xmalloc(ED25519_PK_SZ);
! 1812: memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
! 1813: }
! 1814: break;
1.42 markus 1815: default:
1.109 ! markus 1816: fatal("key_demote: bad key type %d", k->type);
1.42 markus 1817: break;
1818: }
1819:
1820: return (pk);
1.83 djm 1821: }
1822:
1823: int
1824: key_is_cert(const Key *k)
1825: {
1.87 djm 1826: if (k == NULL)
1827: return 0;
1.105 djm 1828: return key_type_is_cert(k->type);
1.83 djm 1829: }
1830:
1831: /* Return the cert-less equivalent to a certified key type */
1832: int
1833: key_type_plain(int type)
1834: {
1835: switch (type) {
1.87 djm 1836: case KEY_RSA_CERT_V00:
1.83 djm 1837: case KEY_RSA_CERT:
1838: return KEY_RSA;
1.87 djm 1839: case KEY_DSA_CERT_V00:
1.83 djm 1840: case KEY_DSA_CERT:
1841: return KEY_DSA;
1.92 djm 1842: case KEY_ECDSA_CERT:
1843: return KEY_ECDSA;
1.109 ! markus 1844: case KEY_ED25519_CERT:
! 1845: return KEY_ED25519;
1.83 djm 1846: default:
1847: return type;
1848: }
1849: }
1850:
1851: /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
1852: int
1.87 djm 1853: key_to_certified(Key *k, int legacy)
1.83 djm 1854: {
1855: switch (k->type) {
1856: case KEY_RSA:
1857: k->cert = cert_new();
1.87 djm 1858: k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
1.83 djm 1859: return 0;
1860: case KEY_DSA:
1861: k->cert = cert_new();
1.87 djm 1862: k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
1.83 djm 1863: return 0;
1.92 djm 1864: case KEY_ECDSA:
1.97 djm 1865: if (legacy)
1866: fatal("%s: legacy ECDSA certificates are not supported",
1867: __func__);
1.92 djm 1868: k->cert = cert_new();
1869: k->type = KEY_ECDSA_CERT;
1870: return 0;
1.109 ! markus 1871: case KEY_ED25519:
! 1872: if (legacy)
! 1873: fatal("%s: legacy ED25519 certificates are not "
! 1874: "supported", __func__);
! 1875: k->cert = cert_new();
! 1876: k->type = KEY_ED25519_CERT;
! 1877: return 0;
1.83 djm 1878: default:
1879: error("%s: key has incorrect type %s", __func__, key_type(k));
1880: return -1;
1881: }
1882: }
1883:
1884: /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1885: int
1886: key_drop_cert(Key *k)
1887: {
1.109 ! markus 1888: if (!key_type_is_cert(k->type)) {
1.83 djm 1889: error("%s: key has incorrect type %s", __func__, key_type(k));
1890: return -1;
1891: }
1.109 ! markus 1892: cert_free(k->cert);
! 1893: k->type = key_type_plain(k->type);
! 1894: return 0;
1.83 djm 1895: }
1896:
1.109 ! markus 1897: /* Sign a certified key, (re-)generating the signed certblob. */
1.83 djm 1898: int
1899: key_certify(Key *k, Key *ca)
1900: {
1901: Buffer principals;
1902: u_char *ca_blob, *sig_blob, nonce[32];
1903: u_int i, ca_len, sig_len;
1904:
1905: if (k->cert == NULL) {
1906: error("%s: key lacks cert info", __func__);
1907: return -1;
1908: }
1909:
1910: if (!key_is_cert(k)) {
1911: error("%s: certificate has unknown type %d", __func__,
1912: k->cert->type);
1913: return -1;
1914: }
1915:
1.92 djm 1916: if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
1.109 ! markus 1917: ca->type != KEY_ECDSA && ca->type != KEY_ED25519) {
1.83 djm 1918: error("%s: CA key has unsupported type %s", __func__,
1919: key_type(ca));
1920: return -1;
1921: }
1922:
1923: key_to_blob(ca, &ca_blob, &ca_len);
1924:
1925: buffer_clear(&k->cert->certblob);
1926: buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1927:
1.87 djm 1928: /* -v01 certs put nonce first */
1.96 djm 1929: arc4random_buf(&nonce, sizeof(nonce));
1930: if (!key_cert_is_legacy(k))
1.87 djm 1931: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1932:
1.108 markus 1933: /* XXX this substantially duplicates to_blob(); refactor */
1.83 djm 1934: switch (k->type) {
1.87 djm 1935: case KEY_DSA_CERT_V00:
1.83 djm 1936: case KEY_DSA_CERT:
1937: buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1938: buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1939: buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1940: buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1941: break;
1.92 djm 1942: case KEY_ECDSA_CERT:
1943: buffer_put_cstring(&k->cert->certblob,
1944: key_curve_nid_to_name(k->ecdsa_nid));
1945: buffer_put_ecpoint(&k->cert->certblob,
1946: EC_KEY_get0_group(k->ecdsa),
1947: EC_KEY_get0_public_key(k->ecdsa));
1948: break;
1.87 djm 1949: case KEY_RSA_CERT_V00:
1.83 djm 1950: case KEY_RSA_CERT:
1951: buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1952: buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1953: break;
1.109 ! markus 1954: case KEY_ED25519_CERT:
! 1955: buffer_put_string(&k->cert->certblob,
! 1956: k->ed25519_pk, ED25519_PK_SZ);
! 1957: break;
1.83 djm 1958: default:
1959: error("%s: key has incorrect type %s", __func__, key_type(k));
1960: buffer_clear(&k->cert->certblob);
1.103 djm 1961: free(ca_blob);
1.83 djm 1962: return -1;
1963: }
1964:
1.87 djm 1965: /* -v01 certs have a serial number next */
1.92 djm 1966: if (!key_cert_is_legacy(k))
1.87 djm 1967: buffer_put_int64(&k->cert->certblob, k->cert->serial);
1968:
1.83 djm 1969: buffer_put_int(&k->cert->certblob, k->cert->type);
1970: buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1971:
1972: buffer_init(&principals);
1973: for (i = 0; i < k->cert->nprincipals; i++)
1974: buffer_put_cstring(&principals, k->cert->principals[i]);
1975: buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1976: buffer_len(&principals));
1977: buffer_free(&principals);
1978:
1979: buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1980: buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1981: buffer_put_string(&k->cert->certblob,
1.87 djm 1982: buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
1983:
1984: /* -v01 certs have non-critical options here */
1.92 djm 1985: if (!key_cert_is_legacy(k)) {
1.87 djm 1986: buffer_put_string(&k->cert->certblob,
1987: buffer_ptr(&k->cert->extensions),
1988: buffer_len(&k->cert->extensions));
1989: }
1990:
1991: /* -v00 certs put the nonce at the end */
1.92 djm 1992: if (key_cert_is_legacy(k))
1.87 djm 1993: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1.83 djm 1994:
1995: buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1996: buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1.103 djm 1997: free(ca_blob);
1.83 djm 1998:
1999: /* Sign the whole mess */
2000: if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
2001: buffer_len(&k->cert->certblob)) != 0) {
2002: error("%s: signature operation failed", __func__);
2003: buffer_clear(&k->cert->certblob);
2004: return -1;
2005: }
2006: /* Append signature and we are done */
2007: buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1.103 djm 2008: free(sig_blob);
1.83 djm 2009:
2010: return 0;
2011: }
2012:
2013: int
2014: key_cert_check_authority(const Key *k, int want_host, int require_principal,
2015: const char *name, const char **reason)
2016: {
2017: u_int i, principal_matches;
2018: time_t now = time(NULL);
2019:
2020: if (want_host) {
2021: if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2022: *reason = "Certificate invalid: not a host certificate";
2023: return -1;
2024: }
2025: } else {
2026: if (k->cert->type != SSH2_CERT_TYPE_USER) {
2027: *reason = "Certificate invalid: not a user certificate";
2028: return -1;
2029: }
2030: }
2031: if (now < 0) {
2032: error("%s: system clock lies before epoch", __func__);
2033: *reason = "Certificate invalid: not yet valid";
2034: return -1;
2035: }
2036: if ((u_int64_t)now < k->cert->valid_after) {
2037: *reason = "Certificate invalid: not yet valid";
2038: return -1;
2039: }
2040: if ((u_int64_t)now >= k->cert->valid_before) {
2041: *reason = "Certificate invalid: expired";
2042: return -1;
2043: }
2044: if (k->cert->nprincipals == 0) {
2045: if (require_principal) {
2046: *reason = "Certificate lacks principal list";
2047: return -1;
2048: }
1.88 djm 2049: } else if (name != NULL) {
1.83 djm 2050: principal_matches = 0;
2051: for (i = 0; i < k->cert->nprincipals; i++) {
2052: if (strcmp(name, k->cert->principals[i]) == 0) {
2053: principal_matches = 1;
2054: break;
2055: }
2056: }
2057: if (!principal_matches) {
2058: *reason = "Certificate invalid: name is not a listed "
2059: "principal";
2060: return -1;
2061: }
2062: }
2063: return 0;
1.87 djm 2064: }
2065:
2066: int
1.100 djm 2067: key_cert_is_legacy(const Key *k)
1.87 djm 2068: {
2069: switch (k->type) {
2070: case KEY_DSA_CERT_V00:
2071: case KEY_RSA_CERT_V00:
2072: return 1;
2073: default:
2074: return 0;
2075: }
1.4 markus 2076: }
1.92 djm 2077:
1.93 djm 2078: /* XXX: these are really begging for a table-driven approach */
1.92 djm 2079: int
2080: key_curve_name_to_nid(const char *name)
2081: {
2082: if (strcmp(name, "nistp256") == 0)
2083: return NID_X9_62_prime256v1;
2084: else if (strcmp(name, "nistp384") == 0)
2085: return NID_secp384r1;
2086: else if (strcmp(name, "nistp521") == 0)
2087: return NID_secp521r1;
2088:
2089: debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
2090: return -1;
2091: }
2092:
1.93 djm 2093: u_int
2094: key_curve_nid_to_bits(int nid)
2095: {
2096: switch (nid) {
2097: case NID_X9_62_prime256v1:
2098: return 256;
2099: case NID_secp384r1:
2100: return 384;
2101: case NID_secp521r1:
2102: return 521;
2103: default:
2104: error("%s: unsupported EC curve nid %d", __func__, nid);
2105: return 0;
2106: }
2107: }
2108:
1.92 djm 2109: const char *
2110: key_curve_nid_to_name(int nid)
2111: {
2112: if (nid == NID_X9_62_prime256v1)
2113: return "nistp256";
2114: else if (nid == NID_secp384r1)
2115: return "nistp384";
2116: else if (nid == NID_secp521r1)
2117: return "nistp521";
2118:
2119: error("%s: unsupported EC curve nid %d", __func__, nid);
2120: return NULL;
1.93 djm 2121: }
2122:
2123: const EVP_MD *
2124: key_ec_nid_to_evpmd(int nid)
2125: {
2126: int kbits = key_curve_nid_to_bits(nid);
2127:
2128: if (kbits == 0)
2129: fatal("%s: invalid nid %d", __func__, nid);
2130: /* RFC5656 section 6.2.1 */
2131: if (kbits <= 256)
2132: return EVP_sha256();
2133: else if (kbits <= 384)
2134: return EVP_sha384();
2135: else
2136: return EVP_sha512();
1.92 djm 2137: }
2138:
2139: int
2140: key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
2141: {
2142: BN_CTX *bnctx;
2143: EC_POINT *nq = NULL;
2144: BIGNUM *order, *x, *y, *tmp;
2145: int ret = -1;
2146:
2147: if ((bnctx = BN_CTX_new()) == NULL)
2148: fatal("%s: BN_CTX_new failed", __func__);
2149: BN_CTX_start(bnctx);
2150:
2151: /*
2152: * We shouldn't ever hit this case because bignum_get_ecpoint()
2153: * refuses to load GF2m points.
2154: */
2155: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2156: NID_X9_62_prime_field) {
2157: error("%s: group is not a prime field", __func__);
2158: goto out;
2159: }
2160:
2161: /* Q != infinity */
2162: if (EC_POINT_is_at_infinity(group, public)) {
2163: error("%s: received degenerate public key (infinity)",
2164: __func__);
2165: goto out;
2166: }
2167:
2168: if ((x = BN_CTX_get(bnctx)) == NULL ||
2169: (y = BN_CTX_get(bnctx)) == NULL ||
2170: (order = BN_CTX_get(bnctx)) == NULL ||
2171: (tmp = BN_CTX_get(bnctx)) == NULL)
2172: fatal("%s: BN_CTX_get failed", __func__);
2173:
2174: /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2175: if (EC_GROUP_get_order(group, order, bnctx) != 1)
2176: fatal("%s: EC_GROUP_get_order failed", __func__);
2177: if (EC_POINT_get_affine_coordinates_GFp(group, public,
2178: x, y, bnctx) != 1)
2179: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2180: if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
2181: error("%s: public key x coordinate too small: "
2182: "bits(x) = %d, bits(order)/2 = %d", __func__,
2183: BN_num_bits(x), BN_num_bits(order) / 2);
2184: goto out;
2185: }
2186: if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
2187: error("%s: public key y coordinate too small: "
2188: "bits(y) = %d, bits(order)/2 = %d", __func__,
2189: BN_num_bits(x), BN_num_bits(order) / 2);
2190: goto out;
2191: }
2192:
2193: /* nQ == infinity (n == order of subgroup) */
2194: if ((nq = EC_POINT_new(group)) == NULL)
2195: fatal("%s: BN_CTX_tmp failed", __func__);
2196: if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
2197: fatal("%s: EC_GROUP_mul failed", __func__);
2198: if (EC_POINT_is_at_infinity(group, nq) != 1) {
2199: error("%s: received degenerate public key (nQ != infinity)",
2200: __func__);
2201: goto out;
2202: }
2203:
2204: /* x < order - 1, y < order - 1 */
2205: if (!BN_sub(tmp, order, BN_value_one()))
2206: fatal("%s: BN_sub failed", __func__);
2207: if (BN_cmp(x, tmp) >= 0) {
2208: error("%s: public key x coordinate >= group order - 1",
2209: __func__);
2210: goto out;
2211: }
2212: if (BN_cmp(y, tmp) >= 0) {
2213: error("%s: public key y coordinate >= group order - 1",
2214: __func__);
2215: goto out;
2216: }
2217: ret = 0;
2218: out:
2219: BN_CTX_free(bnctx);
2220: EC_POINT_free(nq);
2221: return ret;
2222: }
2223:
2224: int
2225: key_ec_validate_private(const EC_KEY *key)
2226: {
2227: BN_CTX *bnctx;
2228: BIGNUM *order, *tmp;
2229: int ret = -1;
2230:
2231: if ((bnctx = BN_CTX_new()) == NULL)
2232: fatal("%s: BN_CTX_new failed", __func__);
2233: BN_CTX_start(bnctx);
2234:
2235: if ((order = BN_CTX_get(bnctx)) == NULL ||
2236: (tmp = BN_CTX_get(bnctx)) == NULL)
2237: fatal("%s: BN_CTX_get failed", __func__);
2238:
2239: /* log2(private) > log2(order)/2 */
2240: if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
2241: fatal("%s: EC_GROUP_get_order failed", __func__);
2242: if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2243: BN_num_bits(order) / 2) {
2244: error("%s: private key too small: "
2245: "bits(y) = %d, bits(order)/2 = %d", __func__,
2246: BN_num_bits(EC_KEY_get0_private_key(key)),
2247: BN_num_bits(order) / 2);
2248: goto out;
2249: }
2250:
2251: /* private < order - 1 */
2252: if (!BN_sub(tmp, order, BN_value_one()))
2253: fatal("%s: BN_sub failed", __func__);
2254: if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
2255: error("%s: private key >= group order - 1", __func__);
2256: goto out;
2257: }
2258: ret = 0;
2259: out:
2260: BN_CTX_free(bnctx);
2261: return ret;
2262: }
2263:
2264: #if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
2265: void
2266: key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2267: {
2268: BIGNUM *x, *y;
2269: BN_CTX *bnctx;
2270:
2271: if (point == NULL) {
2272: fputs("point=(NULL)\n", stderr);
2273: return;
2274: }
2275: if ((bnctx = BN_CTX_new()) == NULL)
2276: fatal("%s: BN_CTX_new failed", __func__);
2277: BN_CTX_start(bnctx);
2278: if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
2279: fatal("%s: BN_CTX_get failed", __func__);
2280: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2281: NID_X9_62_prime_field)
2282: fatal("%s: group is not a prime field", __func__);
2283: if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
2284: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2285: fputs("x=", stderr);
2286: BN_print_fp(stderr, x);
2287: fputs("\ny=", stderr);
2288: BN_print_fp(stderr, y);
2289: fputs("\n", stderr);
2290: BN_CTX_free(bnctx);
2291: }
2292:
2293: void
2294: key_dump_ec_key(const EC_KEY *key)
2295: {
2296: const BIGNUM *exponent;
2297:
2298: key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
2299: fputs("exponent=", stderr);
2300: if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
2301: fputs("(NULL)", stderr);
2302: else
2303: BN_print_fp(stderr, EC_KEY_get0_private_key(key));
2304: fputs("\n", stderr);
2305: }
2306: #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
2307:
1.107 markus 2308: void
2309: key_private_serialize(const Key *key, Buffer *b)
2310: {
2311: buffer_put_cstring(b, key_ssh_name(key));
2312: switch (key->type) {
2313: case KEY_RSA:
2314: buffer_put_bignum2(b, key->rsa->n);
2315: buffer_put_bignum2(b, key->rsa->e);
2316: buffer_put_bignum2(b, key->rsa->d);
2317: buffer_put_bignum2(b, key->rsa->iqmp);
2318: buffer_put_bignum2(b, key->rsa->p);
2319: buffer_put_bignum2(b, key->rsa->q);
2320: break;
2321: case KEY_RSA_CERT_V00:
2322: case KEY_RSA_CERT:
2323: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2324: fatal("%s: no cert/certblob", __func__);
2325: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2326: buffer_len(&key->cert->certblob));
2327: buffer_put_bignum2(b, key->rsa->d);
2328: buffer_put_bignum2(b, key->rsa->iqmp);
2329: buffer_put_bignum2(b, key->rsa->p);
2330: buffer_put_bignum2(b, key->rsa->q);
2331: break;
2332: case KEY_DSA:
2333: buffer_put_bignum2(b, key->dsa->p);
2334: buffer_put_bignum2(b, key->dsa->q);
2335: buffer_put_bignum2(b, key->dsa->g);
2336: buffer_put_bignum2(b, key->dsa->pub_key);
2337: buffer_put_bignum2(b, key->dsa->priv_key);
2338: break;
2339: case KEY_DSA_CERT_V00:
2340: case KEY_DSA_CERT:
2341: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2342: fatal("%s: no cert/certblob", __func__);
2343: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2344: buffer_len(&key->cert->certblob));
2345: buffer_put_bignum2(b, key->dsa->priv_key);
2346: break;
2347: case KEY_ECDSA:
2348: buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid));
2349: buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa),
2350: EC_KEY_get0_public_key(key->ecdsa));
2351: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2352: break;
2353: case KEY_ECDSA_CERT:
2354: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2355: fatal("%s: no cert/certblob", __func__);
2356: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2357: buffer_len(&key->cert->certblob));
2358: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2359: break;
1.109 ! markus 2360: case KEY_ED25519:
! 2361: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
! 2362: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
! 2363: break;
! 2364: case KEY_ED25519_CERT:
! 2365: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
! 2366: fatal("%s: no cert/certblob", __func__);
! 2367: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
! 2368: buffer_len(&key->cert->certblob));
! 2369: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
! 2370: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
! 2371: break;
1.107 markus 2372: }
2373: }
2374:
2375: Key *
2376: key_private_deserialize(Buffer *blob)
2377: {
2378: char *type_name, *curve;
2379: Key *k = NULL;
2380: BIGNUM *exponent;
2381: EC_POINT *q;
2382: u_char *cert;
1.109 ! markus 2383: u_int len, pklen, sklen;
1.107 markus 2384: int type;
2385:
2386: type_name = buffer_get_string(blob, NULL);
2387: type = key_type_from_name(type_name);
2388: switch (type) {
2389: case KEY_DSA:
2390: k = key_new_private(type);
2391: buffer_get_bignum2(blob, k->dsa->p);
2392: buffer_get_bignum2(blob, k->dsa->q);
2393: buffer_get_bignum2(blob, k->dsa->g);
2394: buffer_get_bignum2(blob, k->dsa->pub_key);
2395: buffer_get_bignum2(blob, k->dsa->priv_key);
2396: break;
2397: case KEY_DSA_CERT_V00:
2398: case KEY_DSA_CERT:
2399: cert = buffer_get_string(blob, &len);
2400: if ((k = key_from_blob(cert, len)) == NULL)
2401: fatal("Certificate parse failed");
2402: free(cert);
2403: key_add_private(k);
2404: buffer_get_bignum2(blob, k->dsa->priv_key);
2405: break;
2406: case KEY_ECDSA:
2407: k = key_new_private(type);
2408: k->ecdsa_nid = key_ecdsa_nid_from_name(type_name);
2409: curve = buffer_get_string(blob, NULL);
2410: if (k->ecdsa_nid != key_curve_name_to_nid(curve))
2411: fatal("%s: curve names mismatch", __func__);
2412: free(curve);
2413: k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
2414: if (k->ecdsa == NULL)
2415: fatal("%s: EC_KEY_new_by_curve_name failed",
2416: __func__);
2417: q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa));
2418: if (q == NULL)
2419: fatal("%s: BN_new failed", __func__);
2420: if ((exponent = BN_new()) == NULL)
2421: fatal("%s: BN_new failed", __func__);
2422: buffer_get_ecpoint(blob,
2423: EC_KEY_get0_group(k->ecdsa), q);
2424: buffer_get_bignum2(blob, exponent);
2425: if (EC_KEY_set_public_key(k->ecdsa, q) != 1)
2426: fatal("%s: EC_KEY_set_public_key failed",
2427: __func__);
2428: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2429: fatal("%s: EC_KEY_set_private_key failed",
2430: __func__);
2431: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2432: EC_KEY_get0_public_key(k->ecdsa)) != 0)
2433: fatal("%s: bad ECDSA public key", __func__);
2434: if (key_ec_validate_private(k->ecdsa) != 0)
2435: fatal("%s: bad ECDSA private key", __func__);
2436: BN_clear_free(exponent);
2437: EC_POINT_free(q);
2438: break;
2439: case KEY_ECDSA_CERT:
2440: cert = buffer_get_string(blob, &len);
2441: if ((k = key_from_blob(cert, len)) == NULL)
2442: fatal("Certificate parse failed");
2443: free(cert);
2444: key_add_private(k);
2445: if ((exponent = BN_new()) == NULL)
2446: fatal("%s: BN_new failed", __func__);
2447: buffer_get_bignum2(blob, exponent);
2448: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2449: fatal("%s: EC_KEY_set_private_key failed",
2450: __func__);
2451: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2452: EC_KEY_get0_public_key(k->ecdsa)) != 0 ||
2453: key_ec_validate_private(k->ecdsa) != 0)
2454: fatal("%s: bad ECDSA key", __func__);
2455: BN_clear_free(exponent);
2456: break;
2457: case KEY_RSA:
2458: k = key_new_private(type);
2459: buffer_get_bignum2(blob, k->rsa->n);
2460: buffer_get_bignum2(blob, k->rsa->e);
2461: buffer_get_bignum2(blob, k->rsa->d);
2462: buffer_get_bignum2(blob, k->rsa->iqmp);
2463: buffer_get_bignum2(blob, k->rsa->p);
2464: buffer_get_bignum2(blob, k->rsa->q);
2465:
2466: /* Generate additional parameters */
2467: rsa_generate_additional_parameters(k->rsa);
2468: break;
2469: case KEY_RSA_CERT_V00:
2470: case KEY_RSA_CERT:
2471: cert = buffer_get_string(blob, &len);
2472: if ((k = key_from_blob(cert, len)) == NULL)
2473: fatal("Certificate parse failed");
2474: free(cert);
2475: key_add_private(k);
2476: buffer_get_bignum2(blob, k->rsa->d);
2477: buffer_get_bignum2(blob, k->rsa->iqmp);
2478: buffer_get_bignum2(blob, k->rsa->p);
2479: buffer_get_bignum2(blob, k->rsa->q);
1.109 ! markus 2480: break;
! 2481: case KEY_ED25519:
! 2482: k = key_new_private(type);
! 2483: k->ed25519_pk = buffer_get_string(blob, &pklen);
! 2484: k->ed25519_sk = buffer_get_string(blob, &sklen);
! 2485: if (pklen != ED25519_PK_SZ)
! 2486: fatal("%s: ed25519 pklen %d != %d",
! 2487: __func__, pklen, ED25519_PK_SZ);
! 2488: if (sklen != ED25519_SK_SZ)
! 2489: fatal("%s: ed25519 sklen %d != %d",
! 2490: __func__, sklen, ED25519_SK_SZ);
! 2491: break;
! 2492: case KEY_ED25519_CERT:
! 2493: cert = buffer_get_string(blob, &len);
! 2494: if ((k = key_from_blob(cert, len)) == NULL)
! 2495: fatal("Certificate parse failed");
! 2496: free(cert);
! 2497: key_add_private(k);
! 2498: k->ed25519_pk = buffer_get_string(blob, &pklen);
! 2499: k->ed25519_sk = buffer_get_string(blob, &sklen);
! 2500: if (pklen != ED25519_PK_SZ)
! 2501: fatal("%s: ed25519 pklen %d != %d",
! 2502: __func__, pklen, ED25519_PK_SZ);
! 2503: if (sklen != ED25519_SK_SZ)
! 2504: fatal("%s: ed25519 sklen %d != %d",
! 2505: __func__, sklen, ED25519_SK_SZ);
1.107 markus 2506: break;
2507: default:
2508: free(type_name);
2509: buffer_clear(blob);
2510: return NULL;
2511: }
2512: free(type_name);
2513:
2514: /* enable blinding */
2515: switch (k->type) {
2516: case KEY_RSA:
2517: case KEY_RSA_CERT_V00:
2518: case KEY_RSA_CERT:
2519: case KEY_RSA1:
2520: if (RSA_blinding_on(k->rsa, NULL) != 1) {
2521: error("%s: RSA_blinding_on failed", __func__);
2522: key_free(k);
2523: return NULL;
2524: }
2525: break;
2526: }
2527: return k;
2528: }