Annotation of src/usr.bin/ssh/key.c, Revision 1.110
1.110 ! djm 1: /* $OpenBSD: key.c,v 1.109 2013/12/06 13:39:49 markus Exp $ */
1.1 markus 2: /*
1.11 deraadt 3: * read_bignum():
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: *
6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
11: *
12: *
1.28 markus 13: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1.76 grunk 14: * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
1.1 markus 15: *
16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
24: *
25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35: */
1.67 deraadt 36:
1.70 grunk 37: #include <sys/param.h>
1.67 deraadt 38: #include <sys/types.h>
1.1 markus 39:
1.2 markus 40: #include <openssl/evp.h>
1.109 markus 41: #include "crypto_api.h"
1.65 stevesk 42:
1.66 stevesk 43: #include <stdio.h>
1.65 stevesk 44: #include <string.h>
1.15 markus 45:
1.1 markus 46: #include "xmalloc.h"
47: #include "key.h"
1.12 markus 48: #include "rsa.h"
1.3 markus 49: #include "uuencode.h"
1.12 markus 50: #include "buffer.h"
1.15 markus 51: #include "log.h"
1.89 djm 52: #include "misc.h"
1.83 djm 53: #include "ssh2.h"
54:
1.100 djm 55: static int to_blob(const Key *, u_char **, u_int *, int);
1.105 djm 56: static Key *key_from_blob2(const u_char *, u_int, int);
1.100 djm 57:
1.83 djm 58: static struct KeyCert *
59: cert_new(void)
60: {
61: struct KeyCert *cert;
62:
63: cert = xcalloc(1, sizeof(*cert));
64: buffer_init(&cert->certblob);
1.87 djm 65: buffer_init(&cert->critical);
66: buffer_init(&cert->extensions);
1.83 djm 67: cert->key_id = NULL;
68: cert->principals = NULL;
69: cert->signature_key = NULL;
70: return cert;
71: }
1.1 markus 72:
73: Key *
74: key_new(int type)
75: {
76: Key *k;
77: RSA *rsa;
78: DSA *dsa;
1.63 djm 79: k = xcalloc(1, sizeof(*k));
1.1 markus 80: k->type = type;
1.92 djm 81: k->ecdsa = NULL;
82: k->ecdsa_nid = -1;
1.3 markus 83: k->dsa = NULL;
84: k->rsa = NULL;
1.83 djm 85: k->cert = NULL;
1.109 markus 86: k->ed25519_sk = NULL;
87: k->ed25519_pk = NULL;
1.1 markus 88: switch (k->type) {
1.12 markus 89: case KEY_RSA1:
1.1 markus 90: case KEY_RSA:
1.87 djm 91: case KEY_RSA_CERT_V00:
1.83 djm 92: case KEY_RSA_CERT:
1.38 markus 93: if ((rsa = RSA_new()) == NULL)
94: fatal("key_new: RSA_new failed");
95: if ((rsa->n = BN_new()) == NULL)
96: fatal("key_new: BN_new failed");
97: if ((rsa->e = BN_new()) == NULL)
98: fatal("key_new: BN_new failed");
1.1 markus 99: k->rsa = rsa;
100: break;
101: case KEY_DSA:
1.87 djm 102: case KEY_DSA_CERT_V00:
1.83 djm 103: case KEY_DSA_CERT:
1.38 markus 104: if ((dsa = DSA_new()) == NULL)
105: fatal("key_new: DSA_new failed");
106: if ((dsa->p = BN_new()) == NULL)
107: fatal("key_new: BN_new failed");
108: if ((dsa->q = BN_new()) == NULL)
109: fatal("key_new: BN_new failed");
110: if ((dsa->g = BN_new()) == NULL)
111: fatal("key_new: BN_new failed");
112: if ((dsa->pub_key = BN_new()) == NULL)
113: fatal("key_new: BN_new failed");
1.1 markus 114: k->dsa = dsa;
115: break;
1.92 djm 116: case KEY_ECDSA:
117: case KEY_ECDSA_CERT:
118: /* Cannot do anything until we know the group */
119: break;
1.109 markus 120: case KEY_ED25519:
121: case KEY_ED25519_CERT:
122: /* no need to prealloc */
123: break;
1.12 markus 124: case KEY_UNSPEC:
1.1 markus 125: break;
126: default:
127: fatal("key_new: bad key type %d", k->type);
128: break;
129: }
1.83 djm 130:
131: if (key_is_cert(k))
132: k->cert = cert_new();
133:
1.1 markus 134: return k;
135: }
1.45 deraadt 136:
1.83 djm 137: void
138: key_add_private(Key *k)
1.12 markus 139: {
140: switch (k->type) {
141: case KEY_RSA1:
142: case KEY_RSA:
1.87 djm 143: case KEY_RSA_CERT_V00:
1.83 djm 144: case KEY_RSA_CERT:
1.38 markus 145: if ((k->rsa->d = BN_new()) == NULL)
146: fatal("key_new_private: BN_new failed");
147: if ((k->rsa->iqmp = BN_new()) == NULL)
148: fatal("key_new_private: BN_new failed");
149: if ((k->rsa->q = BN_new()) == NULL)
150: fatal("key_new_private: BN_new failed");
151: if ((k->rsa->p = BN_new()) == NULL)
152: fatal("key_new_private: BN_new failed");
153: if ((k->rsa->dmq1 = BN_new()) == NULL)
154: fatal("key_new_private: BN_new failed");
155: if ((k->rsa->dmp1 = BN_new()) == NULL)
156: fatal("key_new_private: BN_new failed");
1.12 markus 157: break;
158: case KEY_DSA:
1.87 djm 159: case KEY_DSA_CERT_V00:
1.83 djm 160: case KEY_DSA_CERT:
1.38 markus 161: if ((k->dsa->priv_key = BN_new()) == NULL)
162: fatal("key_new_private: BN_new failed");
1.12 markus 163: break;
1.92 djm 164: case KEY_ECDSA:
165: case KEY_ECDSA_CERT:
166: /* Cannot do anything until we know the group */
167: break;
1.109 markus 168: case KEY_ED25519:
169: case KEY_ED25519_CERT:
170: /* no need to prealloc */
171: break;
1.12 markus 172: case KEY_UNSPEC:
173: break;
174: default:
175: break;
176: }
1.83 djm 177: }
178:
179: Key *
180: key_new_private(int type)
181: {
182: Key *k = key_new(type);
183:
184: key_add_private(k);
1.12 markus 185: return k;
186: }
1.45 deraadt 187:
1.83 djm 188: static void
189: cert_free(struct KeyCert *cert)
190: {
191: u_int i;
192:
193: buffer_free(&cert->certblob);
1.87 djm 194: buffer_free(&cert->critical);
195: buffer_free(&cert->extensions);
1.103 djm 196: free(cert->key_id);
1.83 djm 197: for (i = 0; i < cert->nprincipals; i++)
1.103 djm 198: free(cert->principals[i]);
199: free(cert->principals);
1.83 djm 200: if (cert->signature_key != NULL)
201: key_free(cert->signature_key);
1.103 djm 202: free(cert);
1.83 djm 203: }
204:
1.1 markus 205: void
206: key_free(Key *k)
207: {
1.60 djm 208: if (k == NULL)
1.62 deraadt 209: fatal("key_free: key is NULL");
1.1 markus 210: switch (k->type) {
1.12 markus 211: case KEY_RSA1:
1.1 markus 212: case KEY_RSA:
1.87 djm 213: case KEY_RSA_CERT_V00:
1.83 djm 214: case KEY_RSA_CERT:
1.1 markus 215: if (k->rsa != NULL)
216: RSA_free(k->rsa);
217: k->rsa = NULL;
218: break;
219: case KEY_DSA:
1.87 djm 220: case KEY_DSA_CERT_V00:
1.83 djm 221: case KEY_DSA_CERT:
1.1 markus 222: if (k->dsa != NULL)
223: DSA_free(k->dsa);
224: k->dsa = NULL;
225: break;
1.92 djm 226: case KEY_ECDSA:
227: case KEY_ECDSA_CERT:
228: if (k->ecdsa != NULL)
229: EC_KEY_free(k->ecdsa);
230: k->ecdsa = NULL;
231: break;
1.109 markus 232: case KEY_ED25519:
233: case KEY_ED25519_CERT:
234: if (k->ed25519_pk) {
235: memset(k->ed25519_pk, 0, ED25519_PK_SZ);
236: free(k->ed25519_pk);
237: k->ed25519_pk = NULL;
238: }
239: if (k->ed25519_sk) {
240: memset(k->ed25519_sk, 0, ED25519_SK_SZ);
241: free(k->ed25519_sk);
242: k->ed25519_sk = NULL;
243: }
244: break;
1.12 markus 245: case KEY_UNSPEC:
246: break;
1.1 markus 247: default:
248: fatal("key_free: bad key type %d", k->type);
249: break;
250: }
1.83 djm 251: if (key_is_cert(k)) {
252: if (k->cert != NULL)
253: cert_free(k->cert);
254: k->cert = NULL;
255: }
256:
1.103 djm 257: free(k);
1.1 markus 258: }
1.55 jakob 259:
1.83 djm 260: static int
261: cert_compare(struct KeyCert *a, struct KeyCert *b)
262: {
263: if (a == NULL && b == NULL)
264: return 1;
265: if (a == NULL || b == NULL)
266: return 0;
267: if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
268: return 0;
1.90 djm 269: if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
1.83 djm 270: buffer_len(&a->certblob)) != 0)
271: return 0;
272: return 1;
273: }
274:
275: /*
276: * Compare public portions of key only, allowing comparisons between
277: * certificates and plain keys too.
278: */
1.1 markus 279: int
1.83 djm 280: key_equal_public(const Key *a, const Key *b)
1.1 markus 281: {
1.92 djm 282: BN_CTX *bnctx;
283:
1.83 djm 284: if (a == NULL || b == NULL ||
285: key_type_plain(a->type) != key_type_plain(b->type))
1.1 markus 286: return 0;
1.83 djm 287:
1.1 markus 288: switch (a->type) {
1.12 markus 289: case KEY_RSA1:
1.87 djm 290: case KEY_RSA_CERT_V00:
1.83 djm 291: case KEY_RSA_CERT:
1.1 markus 292: case KEY_RSA:
293: return a->rsa != NULL && b->rsa != NULL &&
294: BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
295: BN_cmp(a->rsa->n, b->rsa->n) == 0;
1.87 djm 296: case KEY_DSA_CERT_V00:
1.83 djm 297: case KEY_DSA_CERT:
1.1 markus 298: case KEY_DSA:
299: return a->dsa != NULL && b->dsa != NULL &&
300: BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
301: BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
302: BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
303: BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
1.92 djm 304: case KEY_ECDSA_CERT:
305: case KEY_ECDSA:
306: if (a->ecdsa == NULL || b->ecdsa == NULL ||
307: EC_KEY_get0_public_key(a->ecdsa) == NULL ||
308: EC_KEY_get0_public_key(b->ecdsa) == NULL)
309: return 0;
310: if ((bnctx = BN_CTX_new()) == NULL)
311: fatal("%s: BN_CTX_new failed", __func__);
312: if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
313: EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
314: EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
315: EC_KEY_get0_public_key(a->ecdsa),
316: EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
317: BN_CTX_free(bnctx);
318: return 0;
319: }
320: BN_CTX_free(bnctx);
321: return 1;
1.109 markus 322: case KEY_ED25519:
323: case KEY_ED25519_CERT:
324: return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
325: memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
1.1 markus 326: default:
1.3 markus 327: fatal("key_equal: bad key type %d", a->type);
1.1 markus 328: }
1.78 stevesk 329: /* NOTREACHED */
1.1 markus 330: }
331:
1.83 djm 332: int
333: key_equal(const Key *a, const Key *b)
334: {
335: if (a == NULL || b == NULL || a->type != b->type)
336: return 0;
337: if (key_is_cert(a)) {
338: if (!cert_compare(a->cert, b->cert))
339: return 0;
340: }
341: return key_equal_public(a, b);
342: }
343:
1.52 jakob 344: u_char*
1.100 djm 345: key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
346: u_int *dgst_raw_length)
1.1 markus 347: {
1.41 markus 348: const EVP_MD *md = NULL;
1.21 markus 349: EVP_MD_CTX ctx;
1.13 markus 350: u_char *blob = NULL;
1.19 jakob 351: u_char *retval = NULL;
1.40 markus 352: u_int len = 0;
1.100 djm 353: int nlen, elen;
1.1 markus 354:
1.19 jakob 355: *dgst_raw_length = 0;
356:
1.21 markus 357: switch (dgst_type) {
358: case SSH_FP_MD5:
359: md = EVP_md5();
360: break;
361: case SSH_FP_SHA1:
362: md = EVP_sha1();
1.99 djm 363: break;
364: case SSH_FP_SHA256:
365: md = EVP_sha256();
1.21 markus 366: break;
367: default:
368: fatal("key_fingerprint_raw: bad digest type %d",
369: dgst_type);
370: }
1.1 markus 371: switch (k->type) {
1.12 markus 372: case KEY_RSA1:
1.1 markus 373: nlen = BN_num_bytes(k->rsa->n);
374: elen = BN_num_bytes(k->rsa->e);
375: len = nlen + elen;
1.3 markus 376: blob = xmalloc(len);
377: BN_bn2bin(k->rsa->n, blob);
378: BN_bn2bin(k->rsa->e, blob + nlen);
1.1 markus 379: break;
380: case KEY_DSA:
1.92 djm 381: case KEY_ECDSA:
1.12 markus 382: case KEY_RSA:
1.109 markus 383: case KEY_ED25519:
1.12 markus 384: key_to_blob(k, &blob, &len);
385: break;
1.87 djm 386: case KEY_DSA_CERT_V00:
387: case KEY_RSA_CERT_V00:
1.83 djm 388: case KEY_DSA_CERT:
1.92 djm 389: case KEY_ECDSA_CERT:
1.83 djm 390: case KEY_RSA_CERT:
1.109 markus 391: case KEY_ED25519_CERT:
1.83 djm 392: /* We want a fingerprint of the _key_ not of the cert */
1.100 djm 393: to_blob(k, &blob, &len, 1);
1.83 djm 394: break;
1.12 markus 395: case KEY_UNSPEC:
396: return retval;
1.1 markus 397: default:
1.19 jakob 398: fatal("key_fingerprint_raw: bad key type %d", k->type);
1.1 markus 399: break;
400: }
1.3 markus 401: if (blob != NULL) {
1.19 jakob 402: retval = xmalloc(EVP_MAX_MD_SIZE);
1.8 markus 403: EVP_DigestInit(&ctx, md);
404: EVP_DigestUpdate(&ctx, blob, len);
1.39 markus 405: EVP_DigestFinal(&ctx, retval, dgst_raw_length);
1.3 markus 406: memset(blob, 0, len);
1.103 djm 407: free(blob);
1.19 jakob 408: } else {
409: fatal("key_fingerprint_raw: blob is null");
1.1 markus 410: }
1.19 jakob 411: return retval;
412: }
413:
1.46 deraadt 414: static char *
415: key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 416: {
417: char *retval;
1.58 djm 418: u_int i;
1.19 jakob 419:
1.63 djm 420: retval = xcalloc(1, dgst_raw_len * 3 + 1);
1.36 deraadt 421: for (i = 0; i < dgst_raw_len; i++) {
1.19 jakob 422: char hex[4];
423: snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
1.54 avsm 424: strlcat(retval, hex, dgst_raw_len * 3 + 1);
1.19 jakob 425: }
1.54 avsm 426:
427: /* Remove the trailing ':' character */
1.19 jakob 428: retval[(dgst_raw_len * 3) - 1] = '\0';
429: return retval;
430: }
431:
1.46 deraadt 432: static char *
433: key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 434: {
435: char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
436: char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
437: 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
1.20 jakob 438: u_int i, j = 0, rounds, seed = 1;
1.19 jakob 439: char *retval;
440:
441: rounds = (dgst_raw_len / 2) + 1;
1.63 djm 442: retval = xcalloc((rounds * 6), sizeof(char));
1.20 jakob 443: retval[j++] = 'x';
444: for (i = 0; i < rounds; i++) {
1.19 jakob 445: u_int idx0, idx1, idx2, idx3, idx4;
1.20 jakob 446: if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
447: idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1.19 jakob 448: seed) % 6;
1.20 jakob 449: idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
450: idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1.19 jakob 451: (seed / 6)) % 6;
1.20 jakob 452: retval[j++] = vowels[idx0];
453: retval[j++] = consonants[idx1];
454: retval[j++] = vowels[idx2];
455: if ((i + 1) < rounds) {
456: idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
457: idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
458: retval[j++] = consonants[idx3];
459: retval[j++] = '-';
460: retval[j++] = consonants[idx4];
1.19 jakob 461: seed = ((seed * 5) +
1.20 jakob 462: ((((u_int)(dgst_raw[2 * i])) * 7) +
463: ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1.19 jakob 464: }
465: } else {
466: idx0 = seed % 6;
467: idx1 = 16;
468: idx2 = seed / 6;
1.20 jakob 469: retval[j++] = vowels[idx0];
470: retval[j++] = consonants[idx1];
471: retval[j++] = vowels[idx2];
1.19 jakob 472: }
473: }
1.20 jakob 474: retval[j++] = 'x';
475: retval[j++] = '\0';
1.19 jakob 476: return retval;
477: }
478:
1.70 grunk 479: /*
480: * Draw an ASCII-Art representing the fingerprint so human brain can
481: * profit from its built-in pattern recognition ability.
482: * This technique is called "random art" and can be found in some
483: * scientific publications like this original paper:
484: *
485: * "Hash Visualization: a New Technique to improve Real-World Security",
486: * Perrig A. and Song D., 1999, International Workshop on Cryptographic
487: * Techniques and E-Commerce (CrypTEC '99)
488: * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
489: *
490: * The subject came up in a talk by Dan Kaminsky, too.
491: *
492: * If you see the picture is different, the key is different.
493: * If the picture looks the same, you still know nothing.
494: *
495: * The algorithm used here is a worm crawling over a discrete plane,
496: * leaving a trace (augmenting the field) everywhere it goes.
497: * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
498: * makes the respective movement vector be ignored for this turn.
499: * Graphs are not unambiguous, because circles in graphs can be
500: * walked in either direction.
501: */
1.74 grunk 502:
503: /*
504: * Field sizes for the random art. Have to be odd, so the starting point
505: * can be in the exact middle of the picture, and FLDBASE should be >=8 .
506: * Else pictures would be too dense, and drawing the frame would
507: * fail, too, because the key type would not fit in anymore.
508: */
509: #define FLDBASE 8
510: #define FLDSIZE_Y (FLDBASE + 1)
511: #define FLDSIZE_X (FLDBASE * 2 + 1)
1.70 grunk 512: static char *
1.74 grunk 513: key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
1.70 grunk 514: {
515: /*
516: * Chars to be used after each other every time the worm
517: * intersects with itself. Matter of taste.
518: */
1.75 grunk 519: char *augmentation_string = " .o+=*BOX@%&#/^SE";
1.70 grunk 520: char *retval, *p;
1.71 otto 521: u_char field[FLDSIZE_X][FLDSIZE_Y];
1.70 grunk 522: u_int i, b;
523: int x, y;
1.72 grunk 524: size_t len = strlen(augmentation_string) - 1;
1.70 grunk 525:
526: retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
527:
528: /* initialize field */
1.71 otto 529: memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1.70 grunk 530: x = FLDSIZE_X / 2;
531: y = FLDSIZE_Y / 2;
532:
533: /* process raw key */
534: for (i = 0; i < dgst_raw_len; i++) {
535: int input;
536: /* each byte conveys four 2-bit move commands */
537: input = dgst_raw[i];
538: for (b = 0; b < 4; b++) {
539: /* evaluate 2 bit, rest is shifted later */
540: x += (input & 0x1) ? 1 : -1;
541: y += (input & 0x2) ? 1 : -1;
542:
543: /* assure we are still in bounds */
544: x = MAX(x, 0);
545: y = MAX(y, 0);
546: x = MIN(x, FLDSIZE_X - 1);
547: y = MIN(y, FLDSIZE_Y - 1);
548:
549: /* augment the field */
1.79 grunk 550: if (field[x][y] < len - 2)
551: field[x][y]++;
1.70 grunk 552: input = input >> 2;
553: }
554: }
1.75 grunk 555:
556: /* mark starting point and end point*/
557: field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
558: field[x][y] = len;
1.70 grunk 559:
560: /* fill in retval */
1.77 otto 561: snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
1.74 grunk 562: p = strchr(retval, '\0');
1.70 grunk 563:
564: /* output upper border */
1.77 otto 565: for (i = p - retval - 1; i < FLDSIZE_X; i++)
1.70 grunk 566: *p++ = '-';
567: *p++ = '+';
568: *p++ = '\n';
569:
570: /* output content */
571: for (y = 0; y < FLDSIZE_Y; y++) {
572: *p++ = '|';
573: for (x = 0; x < FLDSIZE_X; x++)
1.72 grunk 574: *p++ = augmentation_string[MIN(field[x][y], len)];
1.70 grunk 575: *p++ = '|';
576: *p++ = '\n';
577: }
578:
579: /* output lower border */
580: *p++ = '+';
581: for (i = 0; i < FLDSIZE_X; i++)
582: *p++ = '-';
583: *p++ = '+';
584:
585: return retval;
586: }
587:
1.46 deraadt 588: char *
1.104 djm 589: key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
1.19 jakob 590: {
1.23 markus 591: char *retval = NULL;
1.19 jakob 592: u_char *dgst_raw;
1.39 markus 593: u_int dgst_raw_len;
1.36 deraadt 594:
1.19 jakob 595: dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
596: if (!dgst_raw)
1.22 markus 597: fatal("key_fingerprint: null from key_fingerprint_raw()");
1.35 deraadt 598: switch (dgst_rep) {
1.19 jakob 599: case SSH_FP_HEX:
600: retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
601: break;
602: case SSH_FP_BUBBLEBABBLE:
603: retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1.70 grunk 604: break;
605: case SSH_FP_RANDOMART:
1.74 grunk 606: retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
1.19 jakob 607: break;
608: default:
1.80 stevesk 609: fatal("key_fingerprint: bad digest representation %d",
1.19 jakob 610: dgst_rep);
611: break;
612: }
613: memset(dgst_raw, 0, dgst_raw_len);
1.103 djm 614: free(dgst_raw);
1.1 markus 615: return retval;
616: }
617:
618: /*
619: * Reads a multiple-precision integer in decimal from the buffer, and advances
620: * the pointer. The integer must already be initialized. This function is
621: * permitted to modify the buffer. This leaves *cpp to point just beyond the
622: * last processed (and maybe modified) character. Note that this may modify
623: * the buffer containing the number.
624: */
1.27 itojun 625: static int
1.1 markus 626: read_bignum(char **cpp, BIGNUM * value)
627: {
628: char *cp = *cpp;
629: int old;
630:
631: /* Skip any leading whitespace. */
632: for (; *cp == ' ' || *cp == '\t'; cp++)
633: ;
634:
635: /* Check that it begins with a decimal digit. */
636: if (*cp < '0' || *cp > '9')
637: return 0;
638:
639: /* Save starting position. */
640: *cpp = cp;
641:
642: /* Move forward until all decimal digits skipped. */
643: for (; *cp >= '0' && *cp <= '9'; cp++)
644: ;
645:
646: /* Save the old terminating character, and replace it by \0. */
647: old = *cp;
648: *cp = 0;
649:
650: /* Parse the number. */
651: if (BN_dec2bn(&value, *cpp) == 0)
652: return 0;
653:
654: /* Restore old terminating character. */
655: *cp = old;
656:
657: /* Move beyond the number and return success. */
658: *cpp = cp;
659: return 1;
660: }
1.45 deraadt 661:
1.27 itojun 662: static int
1.1 markus 663: write_bignum(FILE *f, BIGNUM *num)
664: {
665: char *buf = BN_bn2dec(num);
666: if (buf == NULL) {
667: error("write_bignum: BN_bn2dec() failed");
668: return 0;
669: }
670: fprintf(f, " %s", buf);
1.33 markus 671: OPENSSL_free(buf);
1.1 markus 672: return 1;
673: }
1.12 markus 674:
1.32 markus 675: /* returns 1 ok, -1 error */
1.12 markus 676: int
1.3 markus 677: key_read(Key *ret, char **cpp)
1.1 markus 678: {
1.3 markus 679: Key *k;
1.12 markus 680: int success = -1;
681: char *cp, *space;
1.92 djm 682: int len, n, type, curve_nid = -1;
1.12 markus 683: u_int bits;
1.13 markus 684: u_char *blob;
1.3 markus 685:
686: cp = *cpp;
687:
1.35 deraadt 688: switch (ret->type) {
1.12 markus 689: case KEY_RSA1:
1.3 markus 690: /* Get number of bits. */
691: if (*cp < '0' || *cp > '9')
1.12 markus 692: return -1; /* Bad bit count... */
1.3 markus 693: for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
694: bits = 10 * bits + *cp - '0';
1.1 markus 695: if (bits == 0)
1.12 markus 696: return -1;
1.3 markus 697: *cpp = cp;
1.1 markus 698: /* Get public exponent, public modulus. */
699: if (!read_bignum(cpp, ret->rsa->e))
1.12 markus 700: return -1;
1.1 markus 701: if (!read_bignum(cpp, ret->rsa->n))
1.12 markus 702: return -1;
1.82 dtucker 703: /* validate the claimed number of bits */
704: if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
705: verbose("key_read: claimed key size %d does not match "
706: "actual %d", bits, BN_num_bits(ret->rsa->n));
707: return -1;
708: }
1.12 markus 709: success = 1;
1.1 markus 710: break;
1.12 markus 711: case KEY_UNSPEC:
712: case KEY_RSA:
1.1 markus 713: case KEY_DSA:
1.92 djm 714: case KEY_ECDSA:
1.109 markus 715: case KEY_ED25519:
1.87 djm 716: case KEY_DSA_CERT_V00:
717: case KEY_RSA_CERT_V00:
1.83 djm 718: case KEY_DSA_CERT:
1.92 djm 719: case KEY_ECDSA_CERT:
1.83 djm 720: case KEY_RSA_CERT:
1.109 markus 721: case KEY_ED25519_CERT:
1.12 markus 722: space = strchr(cp, ' ');
723: if (space == NULL) {
1.50 markus 724: debug3("key_read: missing whitespace");
1.12 markus 725: return -1;
726: }
727: *space = '\0';
728: type = key_type_from_name(cp);
1.92 djm 729: if (key_type_plain(type) == KEY_ECDSA &&
730: (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
731: debug("key_read: invalid curve");
732: return -1;
733: }
1.12 markus 734: *space = ' ';
735: if (type == KEY_UNSPEC) {
1.50 markus 736: debug3("key_read: missing keytype");
1.12 markus 737: return -1;
738: }
739: cp = space+1;
740: if (*cp == '\0') {
741: debug3("key_read: short string");
742: return -1;
743: }
744: if (ret->type == KEY_UNSPEC) {
745: ret->type = type;
746: } else if (ret->type != type) {
747: /* is a key, but different type */
748: debug3("key_read: type mismatch");
1.32 markus 749: return -1;
1.12 markus 750: }
1.3 markus 751: len = 2*strlen(cp);
752: blob = xmalloc(len);
753: n = uudecode(cp, blob, len);
1.6 markus 754: if (n < 0) {
1.7 markus 755: error("key_read: uudecode %s failed", cp);
1.103 djm 756: free(blob);
1.12 markus 757: return -1;
1.6 markus 758: }
1.53 markus 759: k = key_from_blob(blob, (u_int)n);
1.103 djm 760: free(blob);
1.7 markus 761: if (k == NULL) {
1.12 markus 762: error("key_read: key_from_blob %s failed", cp);
763: return -1;
1.7 markus 764: }
1.12 markus 765: if (k->type != type) {
766: error("key_read: type mismatch: encoding error");
767: key_free(k);
768: return -1;
769: }
1.92 djm 770: if (key_type_plain(type) == KEY_ECDSA &&
771: curve_nid != k->ecdsa_nid) {
772: error("key_read: type mismatch: EC curve mismatch");
773: key_free(k);
774: return -1;
775: }
1.12 markus 776: /*XXXX*/
1.83 djm 777: if (key_is_cert(ret)) {
778: if (!key_is_cert(k)) {
779: error("key_read: loaded key is not a cert");
780: key_free(k);
781: return -1;
782: }
783: if (ret->cert != NULL)
784: cert_free(ret->cert);
785: ret->cert = k->cert;
786: k->cert = NULL;
787: }
788: if (key_type_plain(ret->type) == KEY_RSA) {
1.12 markus 789: if (ret->rsa != NULL)
790: RSA_free(ret->rsa);
791: ret->rsa = k->rsa;
792: k->rsa = NULL;
793: #ifdef DEBUG_PK
794: RSA_print_fp(stderr, ret->rsa, 8);
795: #endif
1.83 djm 796: }
797: if (key_type_plain(ret->type) == KEY_DSA) {
1.12 markus 798: if (ret->dsa != NULL)
799: DSA_free(ret->dsa);
800: ret->dsa = k->dsa;
801: k->dsa = NULL;
802: #ifdef DEBUG_PK
803: DSA_print_fp(stderr, ret->dsa, 8);
804: #endif
805: }
1.92 djm 806: if (key_type_plain(ret->type) == KEY_ECDSA) {
807: if (ret->ecdsa != NULL)
808: EC_KEY_free(ret->ecdsa);
809: ret->ecdsa = k->ecdsa;
810: ret->ecdsa_nid = k->ecdsa_nid;
811: k->ecdsa = NULL;
812: k->ecdsa_nid = -1;
813: #ifdef DEBUG_PK
814: key_dump_ec_key(ret->ecdsa);
815: #endif
816: }
1.109 markus 817: if (key_type_plain(ret->type) == KEY_ED25519) {
818: free(ret->ed25519_pk);
819: ret->ed25519_pk = k->ed25519_pk;
820: k->ed25519_pk = NULL;
821: #ifdef DEBUG_PK
822: /* XXX */
823: #endif
824: }
1.83 djm 825: success = 1;
1.12 markus 826: /*XXXX*/
1.34 markus 827: key_free(k);
1.12 markus 828: if (success != 1)
829: break;
1.7 markus 830: /* advance cp: skip whitespace and data */
831: while (*cp == ' ' || *cp == '\t')
832: cp++;
833: while (*cp != '\0' && *cp != ' ' && *cp != '\t')
834: cp++;
835: *cpp = cp;
1.1 markus 836: break;
837: default:
1.3 markus 838: fatal("key_read: bad key type: %d", ret->type);
1.1 markus 839: break;
840: }
1.12 markus 841: return success;
1.1 markus 842: }
1.45 deraadt 843:
1.1 markus 844: int
1.55 jakob 845: key_write(const Key *key, FILE *f)
1.1 markus 846: {
1.40 markus 847: int n, success = 0;
848: u_int len, bits = 0;
1.49 markus 849: u_char *blob;
850: char *uu;
1.1 markus 851:
1.83 djm 852: if (key_is_cert(key)) {
853: if (key->cert == NULL) {
854: error("%s: no cert data", __func__);
855: return 0;
856: }
857: if (buffer_len(&key->cert->certblob) == 0) {
858: error("%s: no signed certificate blob", __func__);
859: return 0;
860: }
861: }
862:
863: switch (key->type) {
864: case KEY_RSA1:
865: if (key->rsa == NULL)
866: return 0;
1.1 markus 867: /* size of modulus 'n' */
868: bits = BN_num_bits(key->rsa->n);
869: fprintf(f, "%u", bits);
870: if (write_bignum(f, key->rsa->e) &&
1.83 djm 871: write_bignum(f, key->rsa->n))
872: return 1;
873: error("key_write: failed for RSA key");
874: return 0;
875: case KEY_DSA:
1.87 djm 876: case KEY_DSA_CERT_V00:
1.83 djm 877: case KEY_DSA_CERT:
878: if (key->dsa == NULL)
879: return 0;
880: break;
1.92 djm 881: case KEY_ECDSA:
882: case KEY_ECDSA_CERT:
883: if (key->ecdsa == NULL)
884: return 0;
885: break;
1.109 markus 886: case KEY_ED25519:
887: case KEY_ED25519_CERT:
888: if (key->ed25519_pk == NULL)
889: return 0;
890: break;
1.83 djm 891: case KEY_RSA:
1.87 djm 892: case KEY_RSA_CERT_V00:
1.83 djm 893: case KEY_RSA_CERT:
894: if (key->rsa == NULL)
895: return 0;
896: break;
897: default:
898: return 0;
899: }
900:
901: key_to_blob(key, &blob, &len);
902: uu = xmalloc(2*len);
903: n = uuencode(blob, len, uu, 2*len);
904: if (n > 0) {
905: fprintf(f, "%s %s", key_ssh_name(key), uu);
906: success = 1;
1.1 markus 907: }
1.103 djm 908: free(blob);
909: free(uu);
1.83 djm 910:
1.1 markus 911: return success;
912: }
1.45 deraadt 913:
1.55 jakob 914: const char *
1.86 stevesk 915: key_cert_type(const Key *k)
916: {
917: switch (k->cert->type) {
918: case SSH2_CERT_TYPE_USER:
919: return "user";
920: case SSH2_CERT_TYPE_HOST:
921: return "host";
922: default:
923: return "unknown";
924: }
1.10 markus 925: }
1.45 deraadt 926:
1.101 djm 927: struct keytype {
928: char *name;
929: char *shortname;
930: int type;
931: int nid;
932: int cert;
933: };
934: static const struct keytype keytypes[] = {
935: { NULL, "RSA1", KEY_RSA1, 0, 0 },
936: { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
937: { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
1.109 markus 938: { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
1.101 djm 939: { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
940: { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
941: { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
942: { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
943: { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
944: { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
945: KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
946: { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
947: KEY_ECDSA_CERT, NID_secp384r1, 1 },
948: { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
949: KEY_ECDSA_CERT, NID_secp521r1, 1 },
950: { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
951: KEY_RSA_CERT_V00, 0, 1 },
952: { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
953: KEY_DSA_CERT_V00, 0, 1 },
1.109 markus 954: { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
955: KEY_ED25519_CERT, 0, 1 },
1.101 djm 956: { NULL, NULL, -1, -1, 0 }
957: };
958:
959: const char *
960: key_type(const Key *k)
961: {
962: const struct keytype *kt;
963:
964: for (kt = keytypes; kt->type != -1; kt++) {
965: if (kt->type == k->type)
966: return kt->shortname;
967: }
968: return "unknown";
969: }
970:
1.92 djm 971: static const char *
972: key_ssh_name_from_type_nid(int type, int nid)
1.12 markus 973: {
1.101 djm 974: const struct keytype *kt;
975:
976: for (kt = keytypes; kt->type != -1; kt++) {
977: if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
978: return kt->name;
1.12 markus 979: }
980: return "ssh-unknown";
981: }
1.45 deraadt 982:
1.92 djm 983: const char *
984: key_ssh_name(const Key *k)
985: {
986: return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
987: }
988:
989: const char *
990: key_ssh_name_plain(const Key *k)
991: {
992: return key_ssh_name_from_type_nid(key_type_plain(k->type),
993: k->ecdsa_nid);
994: }
995:
1.101 djm 996: int
997: key_type_from_name(char *name)
998: {
999: const struct keytype *kt;
1000:
1001: for (kt = keytypes; kt->type != -1; kt++) {
1002: /* Only allow shortname matches for plain key types */
1003: if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
1004: (!kt->cert && strcasecmp(kt->shortname, name) == 0))
1005: return kt->type;
1006: }
1007: debug2("key_type_from_name: unknown key type '%s'", name);
1008: return KEY_UNSPEC;
1009: }
1010:
1011: int
1012: key_ecdsa_nid_from_name(const char *name)
1013: {
1014: const struct keytype *kt;
1015:
1016: for (kt = keytypes; kt->type != -1; kt++) {
1017: if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
1018: continue;
1019: if (kt->name != NULL && strcmp(name, kt->name) == 0)
1020: return kt->nid;
1021: }
1022: debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1023: return -1;
1024: }
1025:
1026: char *
1.109 markus 1027: key_alg_list(int certs_only, int plain_only)
1.101 djm 1028: {
1029: char *ret = NULL;
1030: size_t nlen, rlen = 0;
1031: const struct keytype *kt;
1032:
1033: for (kt = keytypes; kt->type != -1; kt++) {
1034: if (kt->name == NULL)
1035: continue;
1.109 markus 1036: if ((certs_only && !kt->cert) || (plain_only && kt->cert))
1037: continue;
1.101 djm 1038: if (ret != NULL)
1039: ret[rlen++] = '\n';
1040: nlen = strlen(kt->name);
1041: ret = xrealloc(ret, 1, rlen + nlen + 2);
1042: memcpy(ret + rlen, kt->name, nlen + 1);
1043: rlen += nlen;
1044: }
1045: return ret;
1046: }
1047:
1.105 djm 1048: int
1049: key_type_is_cert(int type)
1050: {
1051: const struct keytype *kt;
1052:
1053: for (kt = keytypes; kt->type != -1; kt++) {
1054: if (kt->type == type)
1055: return kt->cert;
1056: }
1057: return 0;
1058: }
1059:
1.12 markus 1060: u_int
1.55 jakob 1061: key_size(const Key *k)
1.35 deraadt 1062: {
1.10 markus 1063: switch (k->type) {
1.12 markus 1064: case KEY_RSA1:
1.10 markus 1065: case KEY_RSA:
1.87 djm 1066: case KEY_RSA_CERT_V00:
1.83 djm 1067: case KEY_RSA_CERT:
1.10 markus 1068: return BN_num_bits(k->rsa->n);
1069: case KEY_DSA:
1.87 djm 1070: case KEY_DSA_CERT_V00:
1.83 djm 1071: case KEY_DSA_CERT:
1.10 markus 1072: return BN_num_bits(k->dsa->p);
1.109 markus 1073: case KEY_ED25519:
1074: return 256; /* XXX */
1.92 djm 1075: case KEY_ECDSA:
1076: case KEY_ECDSA_CERT:
1.93 djm 1077: return key_curve_nid_to_bits(k->ecdsa_nid);
1.10 markus 1078: }
1079: return 0;
1.12 markus 1080: }
1081:
1.27 itojun 1082: static RSA *
1.13 markus 1083: rsa_generate_private_key(u_int bits)
1.12 markus 1084: {
1.95 djm 1085: RSA *private = RSA_new();
1086: BIGNUM *f4 = BN_new();
1.61 deraadt 1087:
1.17 stevesk 1088: if (private == NULL)
1.95 djm 1089: fatal("%s: RSA_new failed", __func__);
1090: if (f4 == NULL)
1091: fatal("%s: BN_new failed", __func__);
1092: if (!BN_set_word(f4, RSA_F4))
1093: fatal("%s: BN_new failed", __func__);
1094: if (!RSA_generate_key_ex(private, bits, f4, NULL))
1095: fatal("%s: key generation failed.", __func__);
1096: BN_free(f4);
1.17 stevesk 1097: return private;
1.12 markus 1098: }
1099:
1.27 itojun 1100: static DSA*
1.13 markus 1101: dsa_generate_private_key(u_int bits)
1.12 markus 1102: {
1.95 djm 1103: DSA *private = DSA_new();
1.61 deraadt 1104:
1.12 markus 1105: if (private == NULL)
1.95 djm 1106: fatal("%s: DSA_new failed", __func__);
1107: if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1108: NULL, NULL))
1109: fatal("%s: DSA_generate_parameters failed", __func__);
1.12 markus 1110: if (!DSA_generate_key(private))
1.95 djm 1111: fatal("%s: DSA_generate_key failed.", __func__);
1.12 markus 1112: return private;
1113: }
1114:
1.92 djm 1115: int
1116: key_ecdsa_bits_to_nid(int bits)
1117: {
1118: switch (bits) {
1119: case 256:
1120: return NID_X9_62_prime256v1;
1121: case 384:
1122: return NID_secp384r1;
1123: case 521:
1124: return NID_secp521r1;
1125: default:
1126: return -1;
1127: }
1128: }
1129:
1130: int
1.94 djm 1131: key_ecdsa_key_to_nid(EC_KEY *k)
1.92 djm 1132: {
1133: EC_GROUP *eg;
1134: int nids[] = {
1135: NID_X9_62_prime256v1,
1136: NID_secp384r1,
1137: NID_secp521r1,
1138: -1
1139: };
1.94 djm 1140: int nid;
1.92 djm 1141: u_int i;
1142: BN_CTX *bnctx;
1.94 djm 1143: const EC_GROUP *g = EC_KEY_get0_group(k);
1.92 djm 1144:
1.94 djm 1145: /*
1146: * The group may be stored in a ASN.1 encoded private key in one of two
1147: * ways: as a "named group", which is reconstituted by ASN.1 object ID
1148: * or explicit group parameters encoded into the key blob. Only the
1149: * "named group" case sets the group NID for us, but we can figure
1150: * it out for the other case by comparing against all the groups that
1151: * are supported.
1152: */
1153: if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1154: return nid;
1.92 djm 1155: if ((bnctx = BN_CTX_new()) == NULL)
1156: fatal("%s: BN_CTX_new() failed", __func__);
1157: for (i = 0; nids[i] != -1; i++) {
1158: if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1159: fatal("%s: EC_GROUP_new_by_curve_name failed",
1160: __func__);
1.94 djm 1161: if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1.92 djm 1162: break;
1163: EC_GROUP_free(eg);
1164: }
1165: BN_CTX_free(bnctx);
1166: debug3("%s: nid = %d", __func__, nids[i]);
1.94 djm 1167: if (nids[i] != -1) {
1168: /* Use the group with the NID attached */
1169: EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1170: if (EC_KEY_set_group(k, eg) != 1)
1171: fatal("%s: EC_KEY_set_group", __func__);
1172: }
1.92 djm 1173: return nids[i];
1174: }
1175:
1176: static EC_KEY*
1177: ecdsa_generate_private_key(u_int bits, int *nid)
1178: {
1179: EC_KEY *private;
1180:
1181: if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
1182: fatal("%s: invalid key length", __func__);
1183: if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
1184: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1185: if (EC_KEY_generate_key(private) != 1)
1186: fatal("%s: EC_KEY_generate_key failed", __func__);
1.94 djm 1187: EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1.92 djm 1188: return private;
1189: }
1190:
1.12 markus 1191: Key *
1.13 markus 1192: key_generate(int type, u_int bits)
1.12 markus 1193: {
1194: Key *k = key_new(KEY_UNSPEC);
1195: switch (type) {
1.17 stevesk 1196: case KEY_DSA:
1.12 markus 1197: k->dsa = dsa_generate_private_key(bits);
1198: break;
1.92 djm 1199: case KEY_ECDSA:
1200: k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
1201: break;
1.12 markus 1202: case KEY_RSA:
1203: case KEY_RSA1:
1204: k->rsa = rsa_generate_private_key(bits);
1205: break;
1.109 markus 1206: case KEY_ED25519:
1207: k->ed25519_pk = xmalloc(ED25519_PK_SZ);
1208: k->ed25519_sk = xmalloc(ED25519_SK_SZ);
1209: crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1210: break;
1.87 djm 1211: case KEY_RSA_CERT_V00:
1212: case KEY_DSA_CERT_V00:
1.83 djm 1213: case KEY_RSA_CERT:
1214: case KEY_DSA_CERT:
1215: fatal("key_generate: cert keys cannot be generated directly");
1.12 markus 1216: default:
1.17 stevesk 1217: fatal("key_generate: unknown type %d", type);
1.12 markus 1218: }
1.17 stevesk 1219: k->type = type;
1.12 markus 1220: return k;
1221: }
1222:
1.83 djm 1223: void
1224: key_cert_copy(const Key *from_key, struct Key *to_key)
1225: {
1226: u_int i;
1227: const struct KeyCert *from;
1228: struct KeyCert *to;
1229:
1230: if (to_key->cert != NULL) {
1231: cert_free(to_key->cert);
1232: to_key->cert = NULL;
1233: }
1234:
1235: if ((from = from_key->cert) == NULL)
1236: return;
1237:
1238: to = to_key->cert = cert_new();
1239:
1240: buffer_append(&to->certblob, buffer_ptr(&from->certblob),
1241: buffer_len(&from->certblob));
1242:
1.87 djm 1243: buffer_append(&to->critical,
1244: buffer_ptr(&from->critical), buffer_len(&from->critical));
1245: buffer_append(&to->extensions,
1246: buffer_ptr(&from->extensions), buffer_len(&from->extensions));
1.83 djm 1247:
1.87 djm 1248: to->serial = from->serial;
1.83 djm 1249: to->type = from->type;
1250: to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
1251: to->valid_after = from->valid_after;
1252: to->valid_before = from->valid_before;
1253: to->signature_key = from->signature_key == NULL ?
1254: NULL : key_from_private(from->signature_key);
1255:
1256: to->nprincipals = from->nprincipals;
1257: if (to->nprincipals > CERT_MAX_PRINCIPALS)
1258: fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
1259: __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
1260: if (to->nprincipals > 0) {
1261: to->principals = xcalloc(from->nprincipals,
1262: sizeof(*to->principals));
1263: for (i = 0; i < to->nprincipals; i++)
1264: to->principals[i] = xstrdup(from->principals[i]);
1265: }
1266: }
1267:
1.12 markus 1268: Key *
1.55 jakob 1269: key_from_private(const Key *k)
1.12 markus 1270: {
1271: Key *n = NULL;
1272: switch (k->type) {
1.17 stevesk 1273: case KEY_DSA:
1.87 djm 1274: case KEY_DSA_CERT_V00:
1.83 djm 1275: case KEY_DSA_CERT:
1.12 markus 1276: n = key_new(k->type);
1.68 markus 1277: if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1278: (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1279: (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1280: (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
1281: fatal("key_from_private: BN_copy failed");
1.12 markus 1282: break;
1.92 djm 1283: case KEY_ECDSA:
1284: case KEY_ECDSA_CERT:
1285: n = key_new(k->type);
1286: n->ecdsa_nid = k->ecdsa_nid;
1287: if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
1288: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1289: if (EC_KEY_set_public_key(n->ecdsa,
1290: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1291: fatal("%s: EC_KEY_set_public_key failed", __func__);
1292: break;
1.12 markus 1293: case KEY_RSA:
1294: case KEY_RSA1:
1.87 djm 1295: case KEY_RSA_CERT_V00:
1.83 djm 1296: case KEY_RSA_CERT:
1.12 markus 1297: n = key_new(k->type);
1.68 markus 1298: if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1299: (BN_copy(n->rsa->e, k->rsa->e) == NULL))
1300: fatal("key_from_private: BN_copy failed");
1.12 markus 1301: break;
1.109 markus 1302: case KEY_ED25519:
1303: case KEY_ED25519_CERT:
1304: n = key_new(k->type);
1305: if (k->ed25519_pk != NULL) {
1306: n->ed25519_pk = xmalloc(ED25519_PK_SZ);
1307: memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1308: }
1309: break;
1.12 markus 1310: default:
1.17 stevesk 1311: fatal("key_from_private: unknown type %d", k->type);
1.12 markus 1312: break;
1313: }
1.83 djm 1314: if (key_is_cert(k))
1315: key_cert_copy(k, n);
1.12 markus 1316: return n;
1.92 djm 1317: }
1318:
1319: int
1.25 markus 1320: key_names_valid2(const char *names)
1321: {
1322: char *s, *cp, *p;
1323:
1324: if (names == NULL || strcmp(names, "") == 0)
1325: return 0;
1326: s = cp = xstrdup(names);
1327: for ((p = strsep(&cp, ",")); p && *p != '\0';
1.36 deraadt 1328: (p = strsep(&cp, ","))) {
1.25 markus 1329: switch (key_type_from_name(p)) {
1330: case KEY_RSA1:
1331: case KEY_UNSPEC:
1.103 djm 1332: free(s);
1.25 markus 1333: return 0;
1334: }
1335: }
1336: debug3("key names ok: [%s]", names);
1.103 djm 1337: free(s);
1.25 markus 1338: return 1;
1.12 markus 1339: }
1340:
1.83 djm 1341: static int
1342: cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1343: {
1.87 djm 1344: u_char *principals, *critical, *exts, *sig_key, *sig;
1345: u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
1.83 djm 1346: Buffer tmp;
1347: char *principal;
1348: int ret = -1;
1.87 djm 1349: int v00 = key->type == KEY_DSA_CERT_V00 ||
1350: key->type == KEY_RSA_CERT_V00;
1.83 djm 1351:
1352: buffer_init(&tmp);
1353:
1354: /* Copy the entire key blob for verification and later serialisation */
1355: buffer_append(&key->cert->certblob, blob, blen);
1356:
1.87 djm 1357: elen = 0; /* Not touched for v00 certs */
1358: principals = exts = critical = sig_key = sig = NULL;
1359: if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1360: buffer_get_int_ret(&key->cert->type, b) != 0 ||
1.91 djm 1361: (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
1.83 djm 1362: (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1363: buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1364: buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1.87 djm 1365: (critical = buffer_get_string_ret(b, &clen)) == NULL ||
1366: (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
1367: (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
1368: buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
1.83 djm 1369: (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1370: error("%s: parse error", __func__);
1.84 djm 1371: goto out;
1372: }
1373:
1.83 djm 1374: /* Signature is left in the buffer so we can calculate this length */
1375: signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1376:
1377: if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1378: error("%s: parse error", __func__);
1379: goto out;
1380: }
1381:
1382: if (key->cert->type != SSH2_CERT_TYPE_USER &&
1383: key->cert->type != SSH2_CERT_TYPE_HOST) {
1384: error("Unknown certificate type %u", key->cert->type);
1385: goto out;
1386: }
1387:
1388: buffer_append(&tmp, principals, plen);
1389: while (buffer_len(&tmp) > 0) {
1390: if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1.84 djm 1391: error("%s: Too many principals", __func__);
1.83 djm 1392: goto out;
1393: }
1.91 djm 1394: if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
1.84 djm 1395: error("%s: Principals data invalid", __func__);
1396: goto out;
1397: }
1.83 djm 1398: key->cert->principals = xrealloc(key->cert->principals,
1399: key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1400: key->cert->principals[key->cert->nprincipals++] = principal;
1401: }
1402:
1403: buffer_clear(&tmp);
1404:
1.87 djm 1405: buffer_append(&key->cert->critical, critical, clen);
1406: buffer_append(&tmp, critical, clen);
1.83 djm 1407: /* validate structure */
1408: while (buffer_len(&tmp) != 0) {
1.85 djm 1409: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1410: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1.87 djm 1411: error("%s: critical option data invalid", __func__);
1412: goto out;
1413: }
1414: }
1415: buffer_clear(&tmp);
1416:
1417: buffer_append(&key->cert->extensions, exts, elen);
1418: buffer_append(&tmp, exts, elen);
1419: /* validate structure */
1420: while (buffer_len(&tmp) != 0) {
1421: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1422: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1423: error("%s: extension data invalid", __func__);
1.83 djm 1424: goto out;
1425: }
1426: }
1427: buffer_clear(&tmp);
1428:
1.105 djm 1429: if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0))
1430: == NULL) {
1.84 djm 1431: error("%s: Signature key invalid", __func__);
1.83 djm 1432: goto out;
1433: }
1434: if (key->cert->signature_key->type != KEY_RSA &&
1.92 djm 1435: key->cert->signature_key->type != KEY_DSA &&
1436: key->cert->signature_key->type != KEY_ECDSA) {
1.84 djm 1437: error("%s: Invalid signature key type %s (%d)", __func__,
1.83 djm 1438: key_type(key->cert->signature_key),
1439: key->cert->signature_key->type);
1440: goto out;
1441: }
1442:
1443: switch (key_verify(key->cert->signature_key, sig, slen,
1444: buffer_ptr(&key->cert->certblob), signed_len)) {
1445: case 1:
1.84 djm 1446: ret = 0;
1.83 djm 1447: break; /* Good signature */
1448: case 0:
1.84 djm 1449: error("%s: Invalid signature on certificate", __func__);
1.83 djm 1450: goto out;
1451: case -1:
1.84 djm 1452: error("%s: Certificate signature verification failed",
1453: __func__);
1.83 djm 1454: goto out;
1455: }
1456:
1457: out:
1458: buffer_free(&tmp);
1.103 djm 1459: free(principals);
1460: free(critical);
1461: free(exts);
1462: free(sig_key);
1463: free(sig);
1.83 djm 1464: return ret;
1465: }
1466:
1.105 djm 1467: static Key *
1468: key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
1.12 markus 1469: {
1470: Buffer b;
1.92 djm 1471: int rlen, type, nid = -1;
1.109 markus 1472: u_int len;
1.92 djm 1473: char *ktype = NULL, *curve = NULL;
1.109 markus 1474: u_char *pk = NULL;
1.12 markus 1475: Key *key = NULL;
1.92 djm 1476: EC_POINT *q = NULL;
1.12 markus 1477:
1478: #ifdef DEBUG_PK
1479: dump_base64(stderr, blob, blen);
1480: #endif
1481: buffer_init(&b);
1482: buffer_append(&b, blob, blen);
1.91 djm 1483: if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
1.57 djm 1484: error("key_from_blob: can't read key type");
1485: goto out;
1486: }
1487:
1.12 markus 1488: type = key_type_from_name(ktype);
1.92 djm 1489: if (key_type_plain(type) == KEY_ECDSA)
1490: nid = key_ecdsa_nid_from_name(ktype);
1.105 djm 1491: if (!allow_cert && key_type_is_cert(type)) {
1492: error("key_from_blob: certificate not allowed in this context");
1493: goto out;
1494: }
1.35 deraadt 1495: switch (type) {
1.87 djm 1496: case KEY_RSA_CERT:
1497: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1498: /* FALLTHROUGH */
1.12 markus 1499: case KEY_RSA:
1.87 djm 1500: case KEY_RSA_CERT_V00:
1.12 markus 1501: key = key_new(type);
1.57 djm 1502: if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1503: buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1504: error("key_from_blob: can't read rsa key");
1.83 djm 1505: badkey:
1.57 djm 1506: key_free(key);
1507: key = NULL;
1508: goto out;
1509: }
1.12 markus 1510: #ifdef DEBUG_PK
1511: RSA_print_fp(stderr, key->rsa, 8);
1512: #endif
1513: break;
1.87 djm 1514: case KEY_DSA_CERT:
1515: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1516: /* FALLTHROUGH */
1.12 markus 1517: case KEY_DSA:
1.87 djm 1518: case KEY_DSA_CERT_V00:
1.12 markus 1519: key = key_new(type);
1.57 djm 1520: if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1521: buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1522: buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1523: buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1524: error("key_from_blob: can't read dsa key");
1.83 djm 1525: goto badkey;
1.57 djm 1526: }
1.12 markus 1527: #ifdef DEBUG_PK
1528: DSA_print_fp(stderr, key->dsa, 8);
1529: #endif
1530: break;
1.92 djm 1531: case KEY_ECDSA_CERT:
1532: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1533: /* FALLTHROUGH */
1534: case KEY_ECDSA:
1535: key = key_new(type);
1536: key->ecdsa_nid = nid;
1537: if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
1538: error("key_from_blob: can't read ecdsa curve");
1539: goto badkey;
1540: }
1541: if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
1542: error("key_from_blob: ecdsa curve doesn't match type");
1543: goto badkey;
1544: }
1545: if (key->ecdsa != NULL)
1546: EC_KEY_free(key->ecdsa);
1547: if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
1548: == NULL)
1549: fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
1550: if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
1551: fatal("key_from_blob: EC_POINT_new failed");
1552: if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
1553: q) == -1) {
1554: error("key_from_blob: can't read ecdsa key point");
1555: goto badkey;
1556: }
1557: if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1558: q) != 0)
1559: goto badkey;
1560: if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
1561: fatal("key_from_blob: EC_KEY_set_public_key failed");
1562: #ifdef DEBUG_PK
1563: key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
1564: #endif
1565: break;
1.109 markus 1566: case KEY_ED25519_CERT:
1567: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1568: /* FALLTHROUGH */
1569: case KEY_ED25519:
1570: if ((pk = buffer_get_string_ret(&b, &len)) == NULL) {
1571: error("key_from_blob: can't read ed25519 key");
1572: goto badkey;
1573: }
1574: if (len != ED25519_PK_SZ) {
1575: error("key_from_blob: ed25519 len %d != %d",
1576: len, ED25519_PK_SZ);
1577: goto badkey;
1578: }
1579: key = key_new(type);
1580: key->ed25519_pk = pk;
1581: pk = NULL;
1582: break;
1.12 markus 1583: case KEY_UNSPEC:
1584: key = key_new(type);
1585: break;
1586: default:
1587: error("key_from_blob: cannot handle type %s", ktype);
1.57 djm 1588: goto out;
1.12 markus 1589: }
1.83 djm 1590: if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1591: error("key_from_blob: can't parse cert data");
1592: goto badkey;
1593: }
1.12 markus 1594: rlen = buffer_len(&b);
1595: if (key != NULL && rlen != 0)
1596: error("key_from_blob: remaining bytes in key blob %d", rlen);
1.57 djm 1597: out:
1.103 djm 1598: free(ktype);
1599: free(curve);
1.109 markus 1600: free(pk);
1.92 djm 1601: if (q != NULL)
1602: EC_POINT_free(q);
1.12 markus 1603: buffer_free(&b);
1604: return key;
1605: }
1606:
1.105 djm 1607: Key *
1608: key_from_blob(const u_char *blob, u_int blen)
1609: {
1610: return key_from_blob2(blob, blen, 1);
1611: }
1612:
1.100 djm 1613: static int
1614: to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
1.12 markus 1615: {
1616: Buffer b;
1.100 djm 1617: int len, type;
1.12 markus 1618:
1.106 djm 1619: if (blobp != NULL)
1620: *blobp = NULL;
1621: if (lenp != NULL)
1622: *lenp = 0;
1.12 markus 1623: if (key == NULL) {
1624: error("key_to_blob: key == NULL");
1625: return 0;
1626: }
1627: buffer_init(&b);
1.100 djm 1628: type = force_plain ? key_type_plain(key->type) : key->type;
1629: switch (type) {
1.87 djm 1630: case KEY_DSA_CERT_V00:
1631: case KEY_RSA_CERT_V00:
1.83 djm 1632: case KEY_DSA_CERT:
1.92 djm 1633: case KEY_ECDSA_CERT:
1.83 djm 1634: case KEY_RSA_CERT:
1.109 markus 1635: case KEY_ED25519_CERT:
1.83 djm 1636: /* Use the existing blob */
1637: buffer_append(&b, buffer_ptr(&key->cert->certblob),
1638: buffer_len(&key->cert->certblob));
1639: break;
1.12 markus 1640: case KEY_DSA:
1.100 djm 1641: buffer_put_cstring(&b,
1642: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.12 markus 1643: buffer_put_bignum2(&b, key->dsa->p);
1644: buffer_put_bignum2(&b, key->dsa->q);
1645: buffer_put_bignum2(&b, key->dsa->g);
1646: buffer_put_bignum2(&b, key->dsa->pub_key);
1647: break;
1.92 djm 1648: case KEY_ECDSA:
1.100 djm 1649: buffer_put_cstring(&b,
1650: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.92 djm 1651: buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1652: buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1653: EC_KEY_get0_public_key(key->ecdsa));
1654: break;
1.12 markus 1655: case KEY_RSA:
1.100 djm 1656: buffer_put_cstring(&b,
1657: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.14 markus 1658: buffer_put_bignum2(&b, key->rsa->e);
1.12 markus 1659: buffer_put_bignum2(&b, key->rsa->n);
1660: break;
1.109 markus 1661: case KEY_ED25519:
1662: buffer_put_cstring(&b,
1663: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1664: buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
1665: break;
1.12 markus 1666: default:
1.31 markus 1667: error("key_to_blob: unsupported key type %d", key->type);
1668: buffer_free(&b);
1669: return 0;
1.12 markus 1670: }
1671: len = buffer_len(&b);
1.48 markus 1672: if (lenp != NULL)
1673: *lenp = len;
1674: if (blobp != NULL) {
1675: *blobp = xmalloc(len);
1676: memcpy(*blobp, buffer_ptr(&b), len);
1677: }
1.12 markus 1678: memset(buffer_ptr(&b), 0, len);
1679: buffer_free(&b);
1680: return len;
1681: }
1682:
1683: int
1.100 djm 1684: key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1685: {
1686: return to_blob(key, blobp, lenp, 0);
1687: }
1688:
1689: int
1.12 markus 1690: key_sign(
1.55 jakob 1691: const Key *key,
1.40 markus 1692: u_char **sigp, u_int *lenp,
1.55 jakob 1693: const u_char *data, u_int datalen)
1.12 markus 1694: {
1.35 deraadt 1695: switch (key->type) {
1.87 djm 1696: case KEY_DSA_CERT_V00:
1.83 djm 1697: case KEY_DSA_CERT:
1.12 markus 1698: case KEY_DSA:
1699: return ssh_dss_sign(key, sigp, lenp, data, datalen);
1.92 djm 1700: case KEY_ECDSA_CERT:
1701: case KEY_ECDSA:
1702: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
1.87 djm 1703: case KEY_RSA_CERT_V00:
1.83 djm 1704: case KEY_RSA_CERT:
1.12 markus 1705: case KEY_RSA:
1706: return ssh_rsa_sign(key, sigp, lenp, data, datalen);
1.109 markus 1707: case KEY_ED25519:
1708: case KEY_ED25519_CERT:
1709: return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
1.12 markus 1710: default:
1.56 markus 1711: error("key_sign: invalid key type %d", key->type);
1.12 markus 1712: return -1;
1713: }
1714: }
1715:
1.44 markus 1716: /*
1717: * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1718: * and -1 on error.
1719: */
1.12 markus 1720: int
1721: key_verify(
1.55 jakob 1722: const Key *key,
1723: const u_char *signature, u_int signaturelen,
1724: const u_char *data, u_int datalen)
1.12 markus 1725: {
1.26 markus 1726: if (signaturelen == 0)
1727: return -1;
1728:
1.35 deraadt 1729: switch (key->type) {
1.87 djm 1730: case KEY_DSA_CERT_V00:
1.83 djm 1731: case KEY_DSA_CERT:
1.12 markus 1732: case KEY_DSA:
1733: return ssh_dss_verify(key, signature, signaturelen, data, datalen);
1.92 djm 1734: case KEY_ECDSA_CERT:
1735: case KEY_ECDSA:
1736: return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
1.87 djm 1737: case KEY_RSA_CERT_V00:
1.83 djm 1738: case KEY_RSA_CERT:
1.12 markus 1739: case KEY_RSA:
1740: return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
1.109 markus 1741: case KEY_ED25519:
1742: case KEY_ED25519_CERT:
1743: return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
1.12 markus 1744: default:
1.56 markus 1745: error("key_verify: invalid key type %d", key->type);
1.12 markus 1746: return -1;
1747: }
1.42 markus 1748: }
1749:
1750: /* Converts a private to a public key */
1751: Key *
1.55 jakob 1752: key_demote(const Key *k)
1.42 markus 1753: {
1754: Key *pk;
1.43 markus 1755:
1.63 djm 1756: pk = xcalloc(1, sizeof(*pk));
1.42 markus 1757: pk->type = k->type;
1758: pk->flags = k->flags;
1.92 djm 1759: pk->ecdsa_nid = k->ecdsa_nid;
1.42 markus 1760: pk->dsa = NULL;
1.92 djm 1761: pk->ecdsa = NULL;
1.42 markus 1762: pk->rsa = NULL;
1.109 markus 1763: pk->ed25519_pk = NULL;
1764: pk->ed25519_sk = NULL;
1.42 markus 1765:
1766: switch (k->type) {
1.87 djm 1767: case KEY_RSA_CERT_V00:
1.83 djm 1768: case KEY_RSA_CERT:
1769: key_cert_copy(k, pk);
1770: /* FALLTHROUGH */
1.42 markus 1771: case KEY_RSA1:
1772: case KEY_RSA:
1773: if ((pk->rsa = RSA_new()) == NULL)
1774: fatal("key_demote: RSA_new failed");
1775: if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1776: fatal("key_demote: BN_dup failed");
1777: if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1778: fatal("key_demote: BN_dup failed");
1779: break;
1.87 djm 1780: case KEY_DSA_CERT_V00:
1.83 djm 1781: case KEY_DSA_CERT:
1782: key_cert_copy(k, pk);
1783: /* FALLTHROUGH */
1.42 markus 1784: case KEY_DSA:
1785: if ((pk->dsa = DSA_new()) == NULL)
1786: fatal("key_demote: DSA_new failed");
1787: if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1788: fatal("key_demote: BN_dup failed");
1789: if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1790: fatal("key_demote: BN_dup failed");
1791: if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1792: fatal("key_demote: BN_dup failed");
1793: if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1794: fatal("key_demote: BN_dup failed");
1795: break;
1.92 djm 1796: case KEY_ECDSA_CERT:
1797: key_cert_copy(k, pk);
1798: /* FALLTHROUGH */
1799: case KEY_ECDSA:
1800: if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
1801: fatal("key_demote: EC_KEY_new_by_curve_name failed");
1802: if (EC_KEY_set_public_key(pk->ecdsa,
1803: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1804: fatal("key_demote: EC_KEY_set_public_key failed");
1805: break;
1.109 markus 1806: case KEY_ED25519_CERT:
1807: key_cert_copy(k, pk);
1808: /* FALLTHROUGH */
1809: case KEY_ED25519:
1810: if (k->ed25519_pk != NULL) {
1811: pk->ed25519_pk = xmalloc(ED25519_PK_SZ);
1812: memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1813: }
1814: break;
1.42 markus 1815: default:
1.109 markus 1816: fatal("key_demote: bad key type %d", k->type);
1.42 markus 1817: break;
1818: }
1819:
1820: return (pk);
1.83 djm 1821: }
1822:
1823: int
1824: key_is_cert(const Key *k)
1825: {
1.87 djm 1826: if (k == NULL)
1827: return 0;
1.105 djm 1828: return key_type_is_cert(k->type);
1.83 djm 1829: }
1830:
1831: /* Return the cert-less equivalent to a certified key type */
1832: int
1833: key_type_plain(int type)
1834: {
1835: switch (type) {
1.87 djm 1836: case KEY_RSA_CERT_V00:
1.83 djm 1837: case KEY_RSA_CERT:
1838: return KEY_RSA;
1.87 djm 1839: case KEY_DSA_CERT_V00:
1.83 djm 1840: case KEY_DSA_CERT:
1841: return KEY_DSA;
1.92 djm 1842: case KEY_ECDSA_CERT:
1843: return KEY_ECDSA;
1.109 markus 1844: case KEY_ED25519_CERT:
1845: return KEY_ED25519;
1.83 djm 1846: default:
1847: return type;
1848: }
1849: }
1850:
1851: /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
1852: int
1.87 djm 1853: key_to_certified(Key *k, int legacy)
1.83 djm 1854: {
1855: switch (k->type) {
1856: case KEY_RSA:
1857: k->cert = cert_new();
1.87 djm 1858: k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
1.83 djm 1859: return 0;
1860: case KEY_DSA:
1861: k->cert = cert_new();
1.87 djm 1862: k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
1.83 djm 1863: return 0;
1.92 djm 1864: case KEY_ECDSA:
1.97 djm 1865: if (legacy)
1866: fatal("%s: legacy ECDSA certificates are not supported",
1867: __func__);
1.92 djm 1868: k->cert = cert_new();
1869: k->type = KEY_ECDSA_CERT;
1870: return 0;
1.109 markus 1871: case KEY_ED25519:
1872: if (legacy)
1873: fatal("%s: legacy ED25519 certificates are not "
1874: "supported", __func__);
1875: k->cert = cert_new();
1876: k->type = KEY_ED25519_CERT;
1877: return 0;
1.83 djm 1878: default:
1879: error("%s: key has incorrect type %s", __func__, key_type(k));
1880: return -1;
1881: }
1882: }
1883:
1884: /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1885: int
1886: key_drop_cert(Key *k)
1887: {
1.109 markus 1888: if (!key_type_is_cert(k->type)) {
1.83 djm 1889: error("%s: key has incorrect type %s", __func__, key_type(k));
1890: return -1;
1891: }
1.109 markus 1892: cert_free(k->cert);
1.110 ! djm 1893: k->cert = NULL;
1.109 markus 1894: k->type = key_type_plain(k->type);
1895: return 0;
1.83 djm 1896: }
1897:
1.109 markus 1898: /* Sign a certified key, (re-)generating the signed certblob. */
1.83 djm 1899: int
1900: key_certify(Key *k, Key *ca)
1901: {
1902: Buffer principals;
1903: u_char *ca_blob, *sig_blob, nonce[32];
1904: u_int i, ca_len, sig_len;
1905:
1906: if (k->cert == NULL) {
1907: error("%s: key lacks cert info", __func__);
1908: return -1;
1909: }
1910:
1911: if (!key_is_cert(k)) {
1912: error("%s: certificate has unknown type %d", __func__,
1913: k->cert->type);
1914: return -1;
1915: }
1916:
1.92 djm 1917: if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
1.109 markus 1918: ca->type != KEY_ECDSA && ca->type != KEY_ED25519) {
1.83 djm 1919: error("%s: CA key has unsupported type %s", __func__,
1920: key_type(ca));
1921: return -1;
1922: }
1923:
1924: key_to_blob(ca, &ca_blob, &ca_len);
1925:
1926: buffer_clear(&k->cert->certblob);
1927: buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1928:
1.87 djm 1929: /* -v01 certs put nonce first */
1.96 djm 1930: arc4random_buf(&nonce, sizeof(nonce));
1931: if (!key_cert_is_legacy(k))
1.87 djm 1932: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1933:
1.108 markus 1934: /* XXX this substantially duplicates to_blob(); refactor */
1.83 djm 1935: switch (k->type) {
1.87 djm 1936: case KEY_DSA_CERT_V00:
1.83 djm 1937: case KEY_DSA_CERT:
1938: buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1939: buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1940: buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1941: buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1942: break;
1.92 djm 1943: case KEY_ECDSA_CERT:
1944: buffer_put_cstring(&k->cert->certblob,
1945: key_curve_nid_to_name(k->ecdsa_nid));
1946: buffer_put_ecpoint(&k->cert->certblob,
1947: EC_KEY_get0_group(k->ecdsa),
1948: EC_KEY_get0_public_key(k->ecdsa));
1949: break;
1.87 djm 1950: case KEY_RSA_CERT_V00:
1.83 djm 1951: case KEY_RSA_CERT:
1952: buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1953: buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1954: break;
1.109 markus 1955: case KEY_ED25519_CERT:
1956: buffer_put_string(&k->cert->certblob,
1957: k->ed25519_pk, ED25519_PK_SZ);
1958: break;
1.83 djm 1959: default:
1960: error("%s: key has incorrect type %s", __func__, key_type(k));
1961: buffer_clear(&k->cert->certblob);
1.103 djm 1962: free(ca_blob);
1.83 djm 1963: return -1;
1964: }
1965:
1.87 djm 1966: /* -v01 certs have a serial number next */
1.92 djm 1967: if (!key_cert_is_legacy(k))
1.87 djm 1968: buffer_put_int64(&k->cert->certblob, k->cert->serial);
1969:
1.83 djm 1970: buffer_put_int(&k->cert->certblob, k->cert->type);
1971: buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1972:
1973: buffer_init(&principals);
1974: for (i = 0; i < k->cert->nprincipals; i++)
1975: buffer_put_cstring(&principals, k->cert->principals[i]);
1976: buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1977: buffer_len(&principals));
1978: buffer_free(&principals);
1979:
1980: buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1981: buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1982: buffer_put_string(&k->cert->certblob,
1.87 djm 1983: buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
1984:
1985: /* -v01 certs have non-critical options here */
1.92 djm 1986: if (!key_cert_is_legacy(k)) {
1.87 djm 1987: buffer_put_string(&k->cert->certblob,
1988: buffer_ptr(&k->cert->extensions),
1989: buffer_len(&k->cert->extensions));
1990: }
1991:
1992: /* -v00 certs put the nonce at the end */
1.92 djm 1993: if (key_cert_is_legacy(k))
1.87 djm 1994: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1.83 djm 1995:
1996: buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1997: buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1.103 djm 1998: free(ca_blob);
1.83 djm 1999:
2000: /* Sign the whole mess */
2001: if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
2002: buffer_len(&k->cert->certblob)) != 0) {
2003: error("%s: signature operation failed", __func__);
2004: buffer_clear(&k->cert->certblob);
2005: return -1;
2006: }
2007: /* Append signature and we are done */
2008: buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1.103 djm 2009: free(sig_blob);
1.83 djm 2010:
2011: return 0;
2012: }
2013:
2014: int
2015: key_cert_check_authority(const Key *k, int want_host, int require_principal,
2016: const char *name, const char **reason)
2017: {
2018: u_int i, principal_matches;
2019: time_t now = time(NULL);
2020:
2021: if (want_host) {
2022: if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2023: *reason = "Certificate invalid: not a host certificate";
2024: return -1;
2025: }
2026: } else {
2027: if (k->cert->type != SSH2_CERT_TYPE_USER) {
2028: *reason = "Certificate invalid: not a user certificate";
2029: return -1;
2030: }
2031: }
2032: if (now < 0) {
2033: error("%s: system clock lies before epoch", __func__);
2034: *reason = "Certificate invalid: not yet valid";
2035: return -1;
2036: }
2037: if ((u_int64_t)now < k->cert->valid_after) {
2038: *reason = "Certificate invalid: not yet valid";
2039: return -1;
2040: }
2041: if ((u_int64_t)now >= k->cert->valid_before) {
2042: *reason = "Certificate invalid: expired";
2043: return -1;
2044: }
2045: if (k->cert->nprincipals == 0) {
2046: if (require_principal) {
2047: *reason = "Certificate lacks principal list";
2048: return -1;
2049: }
1.88 djm 2050: } else if (name != NULL) {
1.83 djm 2051: principal_matches = 0;
2052: for (i = 0; i < k->cert->nprincipals; i++) {
2053: if (strcmp(name, k->cert->principals[i]) == 0) {
2054: principal_matches = 1;
2055: break;
2056: }
2057: }
2058: if (!principal_matches) {
2059: *reason = "Certificate invalid: name is not a listed "
2060: "principal";
2061: return -1;
2062: }
2063: }
2064: return 0;
1.87 djm 2065: }
2066:
2067: int
1.100 djm 2068: key_cert_is_legacy(const Key *k)
1.87 djm 2069: {
2070: switch (k->type) {
2071: case KEY_DSA_CERT_V00:
2072: case KEY_RSA_CERT_V00:
2073: return 1;
2074: default:
2075: return 0;
2076: }
1.4 markus 2077: }
1.92 djm 2078:
1.93 djm 2079: /* XXX: these are really begging for a table-driven approach */
1.92 djm 2080: int
2081: key_curve_name_to_nid(const char *name)
2082: {
2083: if (strcmp(name, "nistp256") == 0)
2084: return NID_X9_62_prime256v1;
2085: else if (strcmp(name, "nistp384") == 0)
2086: return NID_secp384r1;
2087: else if (strcmp(name, "nistp521") == 0)
2088: return NID_secp521r1;
2089:
2090: debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
2091: return -1;
2092: }
2093:
1.93 djm 2094: u_int
2095: key_curve_nid_to_bits(int nid)
2096: {
2097: switch (nid) {
2098: case NID_X9_62_prime256v1:
2099: return 256;
2100: case NID_secp384r1:
2101: return 384;
2102: case NID_secp521r1:
2103: return 521;
2104: default:
2105: error("%s: unsupported EC curve nid %d", __func__, nid);
2106: return 0;
2107: }
2108: }
2109:
1.92 djm 2110: const char *
2111: key_curve_nid_to_name(int nid)
2112: {
2113: if (nid == NID_X9_62_prime256v1)
2114: return "nistp256";
2115: else if (nid == NID_secp384r1)
2116: return "nistp384";
2117: else if (nid == NID_secp521r1)
2118: return "nistp521";
2119:
2120: error("%s: unsupported EC curve nid %d", __func__, nid);
2121: return NULL;
1.93 djm 2122: }
2123:
2124: const EVP_MD *
2125: key_ec_nid_to_evpmd(int nid)
2126: {
2127: int kbits = key_curve_nid_to_bits(nid);
2128:
2129: if (kbits == 0)
2130: fatal("%s: invalid nid %d", __func__, nid);
2131: /* RFC5656 section 6.2.1 */
2132: if (kbits <= 256)
2133: return EVP_sha256();
2134: else if (kbits <= 384)
2135: return EVP_sha384();
2136: else
2137: return EVP_sha512();
1.92 djm 2138: }
2139:
2140: int
2141: key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
2142: {
2143: BN_CTX *bnctx;
2144: EC_POINT *nq = NULL;
2145: BIGNUM *order, *x, *y, *tmp;
2146: int ret = -1;
2147:
2148: if ((bnctx = BN_CTX_new()) == NULL)
2149: fatal("%s: BN_CTX_new failed", __func__);
2150: BN_CTX_start(bnctx);
2151:
2152: /*
2153: * We shouldn't ever hit this case because bignum_get_ecpoint()
2154: * refuses to load GF2m points.
2155: */
2156: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2157: NID_X9_62_prime_field) {
2158: error("%s: group is not a prime field", __func__);
2159: goto out;
2160: }
2161:
2162: /* Q != infinity */
2163: if (EC_POINT_is_at_infinity(group, public)) {
2164: error("%s: received degenerate public key (infinity)",
2165: __func__);
2166: goto out;
2167: }
2168:
2169: if ((x = BN_CTX_get(bnctx)) == NULL ||
2170: (y = BN_CTX_get(bnctx)) == NULL ||
2171: (order = BN_CTX_get(bnctx)) == NULL ||
2172: (tmp = BN_CTX_get(bnctx)) == NULL)
2173: fatal("%s: BN_CTX_get failed", __func__);
2174:
2175: /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2176: if (EC_GROUP_get_order(group, order, bnctx) != 1)
2177: fatal("%s: EC_GROUP_get_order failed", __func__);
2178: if (EC_POINT_get_affine_coordinates_GFp(group, public,
2179: x, y, bnctx) != 1)
2180: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2181: if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
2182: error("%s: public key x coordinate too small: "
2183: "bits(x) = %d, bits(order)/2 = %d", __func__,
2184: BN_num_bits(x), BN_num_bits(order) / 2);
2185: goto out;
2186: }
2187: if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
2188: error("%s: public key y coordinate too small: "
2189: "bits(y) = %d, bits(order)/2 = %d", __func__,
2190: BN_num_bits(x), BN_num_bits(order) / 2);
2191: goto out;
2192: }
2193:
2194: /* nQ == infinity (n == order of subgroup) */
2195: if ((nq = EC_POINT_new(group)) == NULL)
2196: fatal("%s: BN_CTX_tmp failed", __func__);
2197: if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
2198: fatal("%s: EC_GROUP_mul failed", __func__);
2199: if (EC_POINT_is_at_infinity(group, nq) != 1) {
2200: error("%s: received degenerate public key (nQ != infinity)",
2201: __func__);
2202: goto out;
2203: }
2204:
2205: /* x < order - 1, y < order - 1 */
2206: if (!BN_sub(tmp, order, BN_value_one()))
2207: fatal("%s: BN_sub failed", __func__);
2208: if (BN_cmp(x, tmp) >= 0) {
2209: error("%s: public key x coordinate >= group order - 1",
2210: __func__);
2211: goto out;
2212: }
2213: if (BN_cmp(y, tmp) >= 0) {
2214: error("%s: public key y coordinate >= group order - 1",
2215: __func__);
2216: goto out;
2217: }
2218: ret = 0;
2219: out:
2220: BN_CTX_free(bnctx);
2221: EC_POINT_free(nq);
2222: return ret;
2223: }
2224:
2225: int
2226: key_ec_validate_private(const EC_KEY *key)
2227: {
2228: BN_CTX *bnctx;
2229: BIGNUM *order, *tmp;
2230: int ret = -1;
2231:
2232: if ((bnctx = BN_CTX_new()) == NULL)
2233: fatal("%s: BN_CTX_new failed", __func__);
2234: BN_CTX_start(bnctx);
2235:
2236: if ((order = BN_CTX_get(bnctx)) == NULL ||
2237: (tmp = BN_CTX_get(bnctx)) == NULL)
2238: fatal("%s: BN_CTX_get failed", __func__);
2239:
2240: /* log2(private) > log2(order)/2 */
2241: if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
2242: fatal("%s: EC_GROUP_get_order failed", __func__);
2243: if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2244: BN_num_bits(order) / 2) {
2245: error("%s: private key too small: "
2246: "bits(y) = %d, bits(order)/2 = %d", __func__,
2247: BN_num_bits(EC_KEY_get0_private_key(key)),
2248: BN_num_bits(order) / 2);
2249: goto out;
2250: }
2251:
2252: /* private < order - 1 */
2253: if (!BN_sub(tmp, order, BN_value_one()))
2254: fatal("%s: BN_sub failed", __func__);
2255: if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
2256: error("%s: private key >= group order - 1", __func__);
2257: goto out;
2258: }
2259: ret = 0;
2260: out:
2261: BN_CTX_free(bnctx);
2262: return ret;
2263: }
2264:
2265: #if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
2266: void
2267: key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2268: {
2269: BIGNUM *x, *y;
2270: BN_CTX *bnctx;
2271:
2272: if (point == NULL) {
2273: fputs("point=(NULL)\n", stderr);
2274: return;
2275: }
2276: if ((bnctx = BN_CTX_new()) == NULL)
2277: fatal("%s: BN_CTX_new failed", __func__);
2278: BN_CTX_start(bnctx);
2279: if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
2280: fatal("%s: BN_CTX_get failed", __func__);
2281: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2282: NID_X9_62_prime_field)
2283: fatal("%s: group is not a prime field", __func__);
2284: if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
2285: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2286: fputs("x=", stderr);
2287: BN_print_fp(stderr, x);
2288: fputs("\ny=", stderr);
2289: BN_print_fp(stderr, y);
2290: fputs("\n", stderr);
2291: BN_CTX_free(bnctx);
2292: }
2293:
2294: void
2295: key_dump_ec_key(const EC_KEY *key)
2296: {
2297: const BIGNUM *exponent;
2298:
2299: key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
2300: fputs("exponent=", stderr);
2301: if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
2302: fputs("(NULL)", stderr);
2303: else
2304: BN_print_fp(stderr, EC_KEY_get0_private_key(key));
2305: fputs("\n", stderr);
2306: }
2307: #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
2308:
1.107 markus 2309: void
2310: key_private_serialize(const Key *key, Buffer *b)
2311: {
2312: buffer_put_cstring(b, key_ssh_name(key));
2313: switch (key->type) {
2314: case KEY_RSA:
2315: buffer_put_bignum2(b, key->rsa->n);
2316: buffer_put_bignum2(b, key->rsa->e);
2317: buffer_put_bignum2(b, key->rsa->d);
2318: buffer_put_bignum2(b, key->rsa->iqmp);
2319: buffer_put_bignum2(b, key->rsa->p);
2320: buffer_put_bignum2(b, key->rsa->q);
2321: break;
2322: case KEY_RSA_CERT_V00:
2323: case KEY_RSA_CERT:
2324: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2325: fatal("%s: no cert/certblob", __func__);
2326: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2327: buffer_len(&key->cert->certblob));
2328: buffer_put_bignum2(b, key->rsa->d);
2329: buffer_put_bignum2(b, key->rsa->iqmp);
2330: buffer_put_bignum2(b, key->rsa->p);
2331: buffer_put_bignum2(b, key->rsa->q);
2332: break;
2333: case KEY_DSA:
2334: buffer_put_bignum2(b, key->dsa->p);
2335: buffer_put_bignum2(b, key->dsa->q);
2336: buffer_put_bignum2(b, key->dsa->g);
2337: buffer_put_bignum2(b, key->dsa->pub_key);
2338: buffer_put_bignum2(b, key->dsa->priv_key);
2339: break;
2340: case KEY_DSA_CERT_V00:
2341: case KEY_DSA_CERT:
2342: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2343: fatal("%s: no cert/certblob", __func__);
2344: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2345: buffer_len(&key->cert->certblob));
2346: buffer_put_bignum2(b, key->dsa->priv_key);
2347: break;
2348: case KEY_ECDSA:
2349: buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid));
2350: buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa),
2351: EC_KEY_get0_public_key(key->ecdsa));
2352: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2353: break;
2354: case KEY_ECDSA_CERT:
2355: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2356: fatal("%s: no cert/certblob", __func__);
2357: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2358: buffer_len(&key->cert->certblob));
2359: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2360: break;
1.109 markus 2361: case KEY_ED25519:
2362: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
2363: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
2364: break;
2365: case KEY_ED25519_CERT:
2366: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2367: fatal("%s: no cert/certblob", __func__);
2368: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2369: buffer_len(&key->cert->certblob));
2370: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
2371: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
2372: break;
1.107 markus 2373: }
2374: }
2375:
2376: Key *
2377: key_private_deserialize(Buffer *blob)
2378: {
2379: char *type_name, *curve;
2380: Key *k = NULL;
2381: BIGNUM *exponent;
2382: EC_POINT *q;
2383: u_char *cert;
1.109 markus 2384: u_int len, pklen, sklen;
1.107 markus 2385: int type;
2386:
2387: type_name = buffer_get_string(blob, NULL);
2388: type = key_type_from_name(type_name);
2389: switch (type) {
2390: case KEY_DSA:
2391: k = key_new_private(type);
2392: buffer_get_bignum2(blob, k->dsa->p);
2393: buffer_get_bignum2(blob, k->dsa->q);
2394: buffer_get_bignum2(blob, k->dsa->g);
2395: buffer_get_bignum2(blob, k->dsa->pub_key);
2396: buffer_get_bignum2(blob, k->dsa->priv_key);
2397: break;
2398: case KEY_DSA_CERT_V00:
2399: case KEY_DSA_CERT:
2400: cert = buffer_get_string(blob, &len);
2401: if ((k = key_from_blob(cert, len)) == NULL)
2402: fatal("Certificate parse failed");
2403: free(cert);
2404: key_add_private(k);
2405: buffer_get_bignum2(blob, k->dsa->priv_key);
2406: break;
2407: case KEY_ECDSA:
2408: k = key_new_private(type);
2409: k->ecdsa_nid = key_ecdsa_nid_from_name(type_name);
2410: curve = buffer_get_string(blob, NULL);
2411: if (k->ecdsa_nid != key_curve_name_to_nid(curve))
2412: fatal("%s: curve names mismatch", __func__);
2413: free(curve);
2414: k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
2415: if (k->ecdsa == NULL)
2416: fatal("%s: EC_KEY_new_by_curve_name failed",
2417: __func__);
2418: q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa));
2419: if (q == NULL)
2420: fatal("%s: BN_new failed", __func__);
2421: if ((exponent = BN_new()) == NULL)
2422: fatal("%s: BN_new failed", __func__);
2423: buffer_get_ecpoint(blob,
2424: EC_KEY_get0_group(k->ecdsa), q);
2425: buffer_get_bignum2(blob, exponent);
2426: if (EC_KEY_set_public_key(k->ecdsa, q) != 1)
2427: fatal("%s: EC_KEY_set_public_key failed",
2428: __func__);
2429: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2430: fatal("%s: EC_KEY_set_private_key failed",
2431: __func__);
2432: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2433: EC_KEY_get0_public_key(k->ecdsa)) != 0)
2434: fatal("%s: bad ECDSA public key", __func__);
2435: if (key_ec_validate_private(k->ecdsa) != 0)
2436: fatal("%s: bad ECDSA private key", __func__);
2437: BN_clear_free(exponent);
2438: EC_POINT_free(q);
2439: break;
2440: case KEY_ECDSA_CERT:
2441: cert = buffer_get_string(blob, &len);
2442: if ((k = key_from_blob(cert, len)) == NULL)
2443: fatal("Certificate parse failed");
2444: free(cert);
2445: key_add_private(k);
2446: if ((exponent = BN_new()) == NULL)
2447: fatal("%s: BN_new failed", __func__);
2448: buffer_get_bignum2(blob, exponent);
2449: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2450: fatal("%s: EC_KEY_set_private_key failed",
2451: __func__);
2452: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2453: EC_KEY_get0_public_key(k->ecdsa)) != 0 ||
2454: key_ec_validate_private(k->ecdsa) != 0)
2455: fatal("%s: bad ECDSA key", __func__);
2456: BN_clear_free(exponent);
2457: break;
2458: case KEY_RSA:
2459: k = key_new_private(type);
2460: buffer_get_bignum2(blob, k->rsa->n);
2461: buffer_get_bignum2(blob, k->rsa->e);
2462: buffer_get_bignum2(blob, k->rsa->d);
2463: buffer_get_bignum2(blob, k->rsa->iqmp);
2464: buffer_get_bignum2(blob, k->rsa->p);
2465: buffer_get_bignum2(blob, k->rsa->q);
2466:
2467: /* Generate additional parameters */
2468: rsa_generate_additional_parameters(k->rsa);
2469: break;
2470: case KEY_RSA_CERT_V00:
2471: case KEY_RSA_CERT:
2472: cert = buffer_get_string(blob, &len);
2473: if ((k = key_from_blob(cert, len)) == NULL)
2474: fatal("Certificate parse failed");
2475: free(cert);
2476: key_add_private(k);
2477: buffer_get_bignum2(blob, k->rsa->d);
2478: buffer_get_bignum2(blob, k->rsa->iqmp);
2479: buffer_get_bignum2(blob, k->rsa->p);
2480: buffer_get_bignum2(blob, k->rsa->q);
1.109 markus 2481: break;
2482: case KEY_ED25519:
2483: k = key_new_private(type);
2484: k->ed25519_pk = buffer_get_string(blob, &pklen);
2485: k->ed25519_sk = buffer_get_string(blob, &sklen);
2486: if (pklen != ED25519_PK_SZ)
2487: fatal("%s: ed25519 pklen %d != %d",
2488: __func__, pklen, ED25519_PK_SZ);
2489: if (sklen != ED25519_SK_SZ)
2490: fatal("%s: ed25519 sklen %d != %d",
2491: __func__, sklen, ED25519_SK_SZ);
2492: break;
2493: case KEY_ED25519_CERT:
2494: cert = buffer_get_string(blob, &len);
2495: if ((k = key_from_blob(cert, len)) == NULL)
2496: fatal("Certificate parse failed");
2497: free(cert);
2498: key_add_private(k);
2499: k->ed25519_pk = buffer_get_string(blob, &pklen);
2500: k->ed25519_sk = buffer_get_string(blob, &sklen);
2501: if (pklen != ED25519_PK_SZ)
2502: fatal("%s: ed25519 pklen %d != %d",
2503: __func__, pklen, ED25519_PK_SZ);
2504: if (sklen != ED25519_SK_SZ)
2505: fatal("%s: ed25519 sklen %d != %d",
2506: __func__, sklen, ED25519_SK_SZ);
1.107 markus 2507: break;
2508: default:
2509: free(type_name);
2510: buffer_clear(blob);
2511: return NULL;
2512: }
2513: free(type_name);
2514:
2515: /* enable blinding */
2516: switch (k->type) {
2517: case KEY_RSA:
2518: case KEY_RSA_CERT_V00:
2519: case KEY_RSA_CERT:
2520: case KEY_RSA1:
2521: if (RSA_blinding_on(k->rsa, NULL) != 1) {
2522: error("%s: RSA_blinding_on failed", __func__);
2523: key_free(k);
2524: return NULL;
2525: }
2526: break;
2527: }
2528: return k;
2529: }