Annotation of src/usr.bin/ssh/key.c, Revision 1.112
1.112 ! djm 1: /* $OpenBSD: key.c,v 1.111 2013/12/29 02:28:10 djm Exp $ */
1.1 markus 2: /*
1.11 deraadt 3: * read_bignum():
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: *
6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
11: *
12: *
1.28 markus 13: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1.76 grunk 14: * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
1.1 markus 15: *
16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
24: *
25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35: */
1.67 deraadt 36:
1.70 grunk 37: #include <sys/param.h>
1.67 deraadt 38: #include <sys/types.h>
1.1 markus 39:
1.2 markus 40: #include <openssl/evp.h>
1.109 markus 41: #include "crypto_api.h"
1.65 stevesk 42:
1.66 stevesk 43: #include <stdio.h>
1.65 stevesk 44: #include <string.h>
1.15 markus 45:
1.1 markus 46: #include "xmalloc.h"
47: #include "key.h"
1.12 markus 48: #include "rsa.h"
1.3 markus 49: #include "uuencode.h"
1.12 markus 50: #include "buffer.h"
1.15 markus 51: #include "log.h"
1.89 djm 52: #include "misc.h"
1.83 djm 53: #include "ssh2.h"
54:
1.100 djm 55: static int to_blob(const Key *, u_char **, u_int *, int);
1.105 djm 56: static Key *key_from_blob2(const u_char *, u_int, int);
1.100 djm 57:
1.83 djm 58: static struct KeyCert *
59: cert_new(void)
60: {
61: struct KeyCert *cert;
62:
63: cert = xcalloc(1, sizeof(*cert));
64: buffer_init(&cert->certblob);
1.87 djm 65: buffer_init(&cert->critical);
66: buffer_init(&cert->extensions);
1.83 djm 67: cert->key_id = NULL;
68: cert->principals = NULL;
69: cert->signature_key = NULL;
70: return cert;
71: }
1.1 markus 72:
73: Key *
74: key_new(int type)
75: {
76: Key *k;
77: RSA *rsa;
78: DSA *dsa;
1.63 djm 79: k = xcalloc(1, sizeof(*k));
1.1 markus 80: k->type = type;
1.92 djm 81: k->ecdsa = NULL;
82: k->ecdsa_nid = -1;
1.3 markus 83: k->dsa = NULL;
84: k->rsa = NULL;
1.83 djm 85: k->cert = NULL;
1.109 markus 86: k->ed25519_sk = NULL;
87: k->ed25519_pk = NULL;
1.1 markus 88: switch (k->type) {
1.12 markus 89: case KEY_RSA1:
1.1 markus 90: case KEY_RSA:
1.87 djm 91: case KEY_RSA_CERT_V00:
1.83 djm 92: case KEY_RSA_CERT:
1.38 markus 93: if ((rsa = RSA_new()) == NULL)
94: fatal("key_new: RSA_new failed");
95: if ((rsa->n = BN_new()) == NULL)
96: fatal("key_new: BN_new failed");
97: if ((rsa->e = BN_new()) == NULL)
98: fatal("key_new: BN_new failed");
1.1 markus 99: k->rsa = rsa;
100: break;
101: case KEY_DSA:
1.87 djm 102: case KEY_DSA_CERT_V00:
1.83 djm 103: case KEY_DSA_CERT:
1.38 markus 104: if ((dsa = DSA_new()) == NULL)
105: fatal("key_new: DSA_new failed");
106: if ((dsa->p = BN_new()) == NULL)
107: fatal("key_new: BN_new failed");
108: if ((dsa->q = BN_new()) == NULL)
109: fatal("key_new: BN_new failed");
110: if ((dsa->g = BN_new()) == NULL)
111: fatal("key_new: BN_new failed");
112: if ((dsa->pub_key = BN_new()) == NULL)
113: fatal("key_new: BN_new failed");
1.1 markus 114: k->dsa = dsa;
115: break;
1.92 djm 116: case KEY_ECDSA:
117: case KEY_ECDSA_CERT:
118: /* Cannot do anything until we know the group */
119: break;
1.109 markus 120: case KEY_ED25519:
121: case KEY_ED25519_CERT:
122: /* no need to prealloc */
123: break;
1.12 markus 124: case KEY_UNSPEC:
1.1 markus 125: break;
126: default:
127: fatal("key_new: bad key type %d", k->type);
128: break;
129: }
1.83 djm 130:
131: if (key_is_cert(k))
132: k->cert = cert_new();
133:
1.1 markus 134: return k;
135: }
1.45 deraadt 136:
1.83 djm 137: void
138: key_add_private(Key *k)
1.12 markus 139: {
140: switch (k->type) {
141: case KEY_RSA1:
142: case KEY_RSA:
1.87 djm 143: case KEY_RSA_CERT_V00:
1.83 djm 144: case KEY_RSA_CERT:
1.38 markus 145: if ((k->rsa->d = BN_new()) == NULL)
146: fatal("key_new_private: BN_new failed");
147: if ((k->rsa->iqmp = BN_new()) == NULL)
148: fatal("key_new_private: BN_new failed");
149: if ((k->rsa->q = BN_new()) == NULL)
150: fatal("key_new_private: BN_new failed");
151: if ((k->rsa->p = BN_new()) == NULL)
152: fatal("key_new_private: BN_new failed");
153: if ((k->rsa->dmq1 = BN_new()) == NULL)
154: fatal("key_new_private: BN_new failed");
155: if ((k->rsa->dmp1 = BN_new()) == NULL)
156: fatal("key_new_private: BN_new failed");
1.12 markus 157: break;
158: case KEY_DSA:
1.87 djm 159: case KEY_DSA_CERT_V00:
1.83 djm 160: case KEY_DSA_CERT:
1.38 markus 161: if ((k->dsa->priv_key = BN_new()) == NULL)
162: fatal("key_new_private: BN_new failed");
1.12 markus 163: break;
1.92 djm 164: case KEY_ECDSA:
165: case KEY_ECDSA_CERT:
166: /* Cannot do anything until we know the group */
167: break;
1.109 markus 168: case KEY_ED25519:
169: case KEY_ED25519_CERT:
170: /* no need to prealloc */
171: break;
1.12 markus 172: case KEY_UNSPEC:
173: break;
174: default:
175: break;
176: }
1.83 djm 177: }
178:
179: Key *
180: key_new_private(int type)
181: {
182: Key *k = key_new(type);
183:
184: key_add_private(k);
1.12 markus 185: return k;
186: }
1.45 deraadt 187:
1.83 djm 188: static void
189: cert_free(struct KeyCert *cert)
190: {
191: u_int i;
192:
193: buffer_free(&cert->certblob);
1.87 djm 194: buffer_free(&cert->critical);
195: buffer_free(&cert->extensions);
1.103 djm 196: free(cert->key_id);
1.83 djm 197: for (i = 0; i < cert->nprincipals; i++)
1.103 djm 198: free(cert->principals[i]);
199: free(cert->principals);
1.83 djm 200: if (cert->signature_key != NULL)
201: key_free(cert->signature_key);
1.103 djm 202: free(cert);
1.83 djm 203: }
204:
1.1 markus 205: void
206: key_free(Key *k)
207: {
1.60 djm 208: if (k == NULL)
1.62 deraadt 209: fatal("key_free: key is NULL");
1.1 markus 210: switch (k->type) {
1.12 markus 211: case KEY_RSA1:
1.1 markus 212: case KEY_RSA:
1.87 djm 213: case KEY_RSA_CERT_V00:
1.83 djm 214: case KEY_RSA_CERT:
1.1 markus 215: if (k->rsa != NULL)
216: RSA_free(k->rsa);
217: k->rsa = NULL;
218: break;
219: case KEY_DSA:
1.87 djm 220: case KEY_DSA_CERT_V00:
1.83 djm 221: case KEY_DSA_CERT:
1.1 markus 222: if (k->dsa != NULL)
223: DSA_free(k->dsa);
224: k->dsa = NULL;
225: break;
1.92 djm 226: case KEY_ECDSA:
227: case KEY_ECDSA_CERT:
228: if (k->ecdsa != NULL)
229: EC_KEY_free(k->ecdsa);
230: k->ecdsa = NULL;
231: break;
1.109 markus 232: case KEY_ED25519:
233: case KEY_ED25519_CERT:
234: if (k->ed25519_pk) {
235: memset(k->ed25519_pk, 0, ED25519_PK_SZ);
236: free(k->ed25519_pk);
237: k->ed25519_pk = NULL;
238: }
239: if (k->ed25519_sk) {
240: memset(k->ed25519_sk, 0, ED25519_SK_SZ);
241: free(k->ed25519_sk);
242: k->ed25519_sk = NULL;
243: }
244: break;
1.12 markus 245: case KEY_UNSPEC:
246: break;
1.1 markus 247: default:
248: fatal("key_free: bad key type %d", k->type);
249: break;
250: }
1.83 djm 251: if (key_is_cert(k)) {
252: if (k->cert != NULL)
253: cert_free(k->cert);
254: k->cert = NULL;
255: }
256:
1.103 djm 257: free(k);
1.1 markus 258: }
1.55 jakob 259:
1.83 djm 260: static int
261: cert_compare(struct KeyCert *a, struct KeyCert *b)
262: {
263: if (a == NULL && b == NULL)
264: return 1;
265: if (a == NULL || b == NULL)
266: return 0;
267: if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
268: return 0;
1.90 djm 269: if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
1.83 djm 270: buffer_len(&a->certblob)) != 0)
271: return 0;
272: return 1;
273: }
274:
275: /*
276: * Compare public portions of key only, allowing comparisons between
277: * certificates and plain keys too.
278: */
1.1 markus 279: int
1.83 djm 280: key_equal_public(const Key *a, const Key *b)
1.1 markus 281: {
1.92 djm 282: BN_CTX *bnctx;
283:
1.83 djm 284: if (a == NULL || b == NULL ||
285: key_type_plain(a->type) != key_type_plain(b->type))
1.1 markus 286: return 0;
1.83 djm 287:
1.1 markus 288: switch (a->type) {
1.12 markus 289: case KEY_RSA1:
1.87 djm 290: case KEY_RSA_CERT_V00:
1.83 djm 291: case KEY_RSA_CERT:
1.1 markus 292: case KEY_RSA:
293: return a->rsa != NULL && b->rsa != NULL &&
294: BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
295: BN_cmp(a->rsa->n, b->rsa->n) == 0;
1.87 djm 296: case KEY_DSA_CERT_V00:
1.83 djm 297: case KEY_DSA_CERT:
1.1 markus 298: case KEY_DSA:
299: return a->dsa != NULL && b->dsa != NULL &&
300: BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
301: BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
302: BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
303: BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
1.92 djm 304: case KEY_ECDSA_CERT:
305: case KEY_ECDSA:
306: if (a->ecdsa == NULL || b->ecdsa == NULL ||
307: EC_KEY_get0_public_key(a->ecdsa) == NULL ||
308: EC_KEY_get0_public_key(b->ecdsa) == NULL)
309: return 0;
310: if ((bnctx = BN_CTX_new()) == NULL)
311: fatal("%s: BN_CTX_new failed", __func__);
312: if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
313: EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
314: EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
315: EC_KEY_get0_public_key(a->ecdsa),
316: EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
317: BN_CTX_free(bnctx);
318: return 0;
319: }
320: BN_CTX_free(bnctx);
321: return 1;
1.109 markus 322: case KEY_ED25519:
323: case KEY_ED25519_CERT:
324: return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
325: memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
1.1 markus 326: default:
1.3 markus 327: fatal("key_equal: bad key type %d", a->type);
1.1 markus 328: }
1.78 stevesk 329: /* NOTREACHED */
1.1 markus 330: }
331:
1.83 djm 332: int
333: key_equal(const Key *a, const Key *b)
334: {
335: if (a == NULL || b == NULL || a->type != b->type)
336: return 0;
337: if (key_is_cert(a)) {
338: if (!cert_compare(a->cert, b->cert))
339: return 0;
340: }
341: return key_equal_public(a, b);
342: }
343:
1.52 jakob 344: u_char*
1.100 djm 345: key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
346: u_int *dgst_raw_length)
1.1 markus 347: {
1.41 markus 348: const EVP_MD *md = NULL;
1.21 markus 349: EVP_MD_CTX ctx;
1.13 markus 350: u_char *blob = NULL;
1.19 jakob 351: u_char *retval = NULL;
1.40 markus 352: u_int len = 0;
1.100 djm 353: int nlen, elen;
1.1 markus 354:
1.19 jakob 355: *dgst_raw_length = 0;
356:
1.21 markus 357: switch (dgst_type) {
358: case SSH_FP_MD5:
359: md = EVP_md5();
360: break;
361: case SSH_FP_SHA1:
362: md = EVP_sha1();
1.99 djm 363: break;
364: case SSH_FP_SHA256:
365: md = EVP_sha256();
1.21 markus 366: break;
367: default:
368: fatal("key_fingerprint_raw: bad digest type %d",
369: dgst_type);
370: }
1.1 markus 371: switch (k->type) {
1.12 markus 372: case KEY_RSA1:
1.1 markus 373: nlen = BN_num_bytes(k->rsa->n);
374: elen = BN_num_bytes(k->rsa->e);
375: len = nlen + elen;
1.3 markus 376: blob = xmalloc(len);
377: BN_bn2bin(k->rsa->n, blob);
378: BN_bn2bin(k->rsa->e, blob + nlen);
1.1 markus 379: break;
380: case KEY_DSA:
1.92 djm 381: case KEY_ECDSA:
1.12 markus 382: case KEY_RSA:
1.109 markus 383: case KEY_ED25519:
1.12 markus 384: key_to_blob(k, &blob, &len);
385: break;
1.87 djm 386: case KEY_DSA_CERT_V00:
387: case KEY_RSA_CERT_V00:
1.83 djm 388: case KEY_DSA_CERT:
1.92 djm 389: case KEY_ECDSA_CERT:
1.83 djm 390: case KEY_RSA_CERT:
1.109 markus 391: case KEY_ED25519_CERT:
1.83 djm 392: /* We want a fingerprint of the _key_ not of the cert */
1.100 djm 393: to_blob(k, &blob, &len, 1);
1.83 djm 394: break;
1.12 markus 395: case KEY_UNSPEC:
396: return retval;
1.1 markus 397: default:
1.19 jakob 398: fatal("key_fingerprint_raw: bad key type %d", k->type);
1.1 markus 399: break;
400: }
1.3 markus 401: if (blob != NULL) {
1.19 jakob 402: retval = xmalloc(EVP_MAX_MD_SIZE);
1.8 markus 403: EVP_DigestInit(&ctx, md);
404: EVP_DigestUpdate(&ctx, blob, len);
1.39 markus 405: EVP_DigestFinal(&ctx, retval, dgst_raw_length);
1.3 markus 406: memset(blob, 0, len);
1.103 djm 407: free(blob);
1.19 jakob 408: } else {
409: fatal("key_fingerprint_raw: blob is null");
1.1 markus 410: }
1.19 jakob 411: return retval;
412: }
413:
1.46 deraadt 414: static char *
415: key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 416: {
417: char *retval;
1.58 djm 418: u_int i;
1.19 jakob 419:
1.63 djm 420: retval = xcalloc(1, dgst_raw_len * 3 + 1);
1.36 deraadt 421: for (i = 0; i < dgst_raw_len; i++) {
1.19 jakob 422: char hex[4];
423: snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
1.54 avsm 424: strlcat(retval, hex, dgst_raw_len * 3 + 1);
1.19 jakob 425: }
1.54 avsm 426:
427: /* Remove the trailing ':' character */
1.19 jakob 428: retval[(dgst_raw_len * 3) - 1] = '\0';
429: return retval;
430: }
431:
1.46 deraadt 432: static char *
433: key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 434: {
435: char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
436: char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
437: 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
1.20 jakob 438: u_int i, j = 0, rounds, seed = 1;
1.19 jakob 439: char *retval;
440:
441: rounds = (dgst_raw_len / 2) + 1;
1.63 djm 442: retval = xcalloc((rounds * 6), sizeof(char));
1.20 jakob 443: retval[j++] = 'x';
444: for (i = 0; i < rounds; i++) {
1.19 jakob 445: u_int idx0, idx1, idx2, idx3, idx4;
1.20 jakob 446: if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
447: idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1.19 jakob 448: seed) % 6;
1.20 jakob 449: idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
450: idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1.19 jakob 451: (seed / 6)) % 6;
1.20 jakob 452: retval[j++] = vowels[idx0];
453: retval[j++] = consonants[idx1];
454: retval[j++] = vowels[idx2];
455: if ((i + 1) < rounds) {
456: idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
457: idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
458: retval[j++] = consonants[idx3];
459: retval[j++] = '-';
460: retval[j++] = consonants[idx4];
1.19 jakob 461: seed = ((seed * 5) +
1.20 jakob 462: ((((u_int)(dgst_raw[2 * i])) * 7) +
463: ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1.19 jakob 464: }
465: } else {
466: idx0 = seed % 6;
467: idx1 = 16;
468: idx2 = seed / 6;
1.20 jakob 469: retval[j++] = vowels[idx0];
470: retval[j++] = consonants[idx1];
471: retval[j++] = vowels[idx2];
1.19 jakob 472: }
473: }
1.20 jakob 474: retval[j++] = 'x';
475: retval[j++] = '\0';
1.19 jakob 476: return retval;
477: }
478:
1.70 grunk 479: /*
480: * Draw an ASCII-Art representing the fingerprint so human brain can
481: * profit from its built-in pattern recognition ability.
482: * This technique is called "random art" and can be found in some
483: * scientific publications like this original paper:
484: *
485: * "Hash Visualization: a New Technique to improve Real-World Security",
486: * Perrig A. and Song D., 1999, International Workshop on Cryptographic
487: * Techniques and E-Commerce (CrypTEC '99)
488: * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
489: *
490: * The subject came up in a talk by Dan Kaminsky, too.
491: *
492: * If you see the picture is different, the key is different.
493: * If the picture looks the same, you still know nothing.
494: *
495: * The algorithm used here is a worm crawling over a discrete plane,
496: * leaving a trace (augmenting the field) everywhere it goes.
497: * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
498: * makes the respective movement vector be ignored for this turn.
499: * Graphs are not unambiguous, because circles in graphs can be
500: * walked in either direction.
501: */
1.74 grunk 502:
503: /*
504: * Field sizes for the random art. Have to be odd, so the starting point
505: * can be in the exact middle of the picture, and FLDBASE should be >=8 .
506: * Else pictures would be too dense, and drawing the frame would
507: * fail, too, because the key type would not fit in anymore.
508: */
509: #define FLDBASE 8
510: #define FLDSIZE_Y (FLDBASE + 1)
511: #define FLDSIZE_X (FLDBASE * 2 + 1)
1.70 grunk 512: static char *
1.74 grunk 513: key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
1.70 grunk 514: {
515: /*
516: * Chars to be used after each other every time the worm
517: * intersects with itself. Matter of taste.
518: */
1.75 grunk 519: char *augmentation_string = " .o+=*BOX@%&#/^SE";
1.70 grunk 520: char *retval, *p;
1.71 otto 521: u_char field[FLDSIZE_X][FLDSIZE_Y];
1.70 grunk 522: u_int i, b;
523: int x, y;
1.72 grunk 524: size_t len = strlen(augmentation_string) - 1;
1.70 grunk 525:
526: retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
527:
528: /* initialize field */
1.71 otto 529: memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1.70 grunk 530: x = FLDSIZE_X / 2;
531: y = FLDSIZE_Y / 2;
532:
533: /* process raw key */
534: for (i = 0; i < dgst_raw_len; i++) {
535: int input;
536: /* each byte conveys four 2-bit move commands */
537: input = dgst_raw[i];
538: for (b = 0; b < 4; b++) {
539: /* evaluate 2 bit, rest is shifted later */
540: x += (input & 0x1) ? 1 : -1;
541: y += (input & 0x2) ? 1 : -1;
542:
543: /* assure we are still in bounds */
544: x = MAX(x, 0);
545: y = MAX(y, 0);
546: x = MIN(x, FLDSIZE_X - 1);
547: y = MIN(y, FLDSIZE_Y - 1);
548:
549: /* augment the field */
1.79 grunk 550: if (field[x][y] < len - 2)
551: field[x][y]++;
1.70 grunk 552: input = input >> 2;
553: }
554: }
1.75 grunk 555:
556: /* mark starting point and end point*/
557: field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
558: field[x][y] = len;
1.70 grunk 559:
560: /* fill in retval */
1.77 otto 561: snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
1.74 grunk 562: p = strchr(retval, '\0');
1.70 grunk 563:
564: /* output upper border */
1.77 otto 565: for (i = p - retval - 1; i < FLDSIZE_X; i++)
1.70 grunk 566: *p++ = '-';
567: *p++ = '+';
568: *p++ = '\n';
569:
570: /* output content */
571: for (y = 0; y < FLDSIZE_Y; y++) {
572: *p++ = '|';
573: for (x = 0; x < FLDSIZE_X; x++)
1.72 grunk 574: *p++ = augmentation_string[MIN(field[x][y], len)];
1.70 grunk 575: *p++ = '|';
576: *p++ = '\n';
577: }
578:
579: /* output lower border */
580: *p++ = '+';
581: for (i = 0; i < FLDSIZE_X; i++)
582: *p++ = '-';
583: *p++ = '+';
584:
585: return retval;
586: }
587:
1.46 deraadt 588: char *
1.104 djm 589: key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
1.19 jakob 590: {
1.23 markus 591: char *retval = NULL;
1.19 jakob 592: u_char *dgst_raw;
1.39 markus 593: u_int dgst_raw_len;
1.36 deraadt 594:
1.19 jakob 595: dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
596: if (!dgst_raw)
1.22 markus 597: fatal("key_fingerprint: null from key_fingerprint_raw()");
1.35 deraadt 598: switch (dgst_rep) {
1.19 jakob 599: case SSH_FP_HEX:
600: retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
601: break;
602: case SSH_FP_BUBBLEBABBLE:
603: retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1.70 grunk 604: break;
605: case SSH_FP_RANDOMART:
1.74 grunk 606: retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
1.19 jakob 607: break;
608: default:
1.80 stevesk 609: fatal("key_fingerprint: bad digest representation %d",
1.19 jakob 610: dgst_rep);
611: break;
612: }
613: memset(dgst_raw, 0, dgst_raw_len);
1.103 djm 614: free(dgst_raw);
1.1 markus 615: return retval;
616: }
617:
618: /*
619: * Reads a multiple-precision integer in decimal from the buffer, and advances
620: * the pointer. The integer must already be initialized. This function is
621: * permitted to modify the buffer. This leaves *cpp to point just beyond the
622: * last processed (and maybe modified) character. Note that this may modify
623: * the buffer containing the number.
624: */
1.27 itojun 625: static int
1.1 markus 626: read_bignum(char **cpp, BIGNUM * value)
627: {
628: char *cp = *cpp;
629: int old;
630:
631: /* Skip any leading whitespace. */
632: for (; *cp == ' ' || *cp == '\t'; cp++)
633: ;
634:
635: /* Check that it begins with a decimal digit. */
636: if (*cp < '0' || *cp > '9')
637: return 0;
638:
639: /* Save starting position. */
640: *cpp = cp;
641:
642: /* Move forward until all decimal digits skipped. */
643: for (; *cp >= '0' && *cp <= '9'; cp++)
644: ;
645:
646: /* Save the old terminating character, and replace it by \0. */
647: old = *cp;
648: *cp = 0;
649:
650: /* Parse the number. */
651: if (BN_dec2bn(&value, *cpp) == 0)
652: return 0;
653:
654: /* Restore old terminating character. */
655: *cp = old;
656:
657: /* Move beyond the number and return success. */
658: *cpp = cp;
659: return 1;
660: }
1.45 deraadt 661:
1.27 itojun 662: static int
1.1 markus 663: write_bignum(FILE *f, BIGNUM *num)
664: {
665: char *buf = BN_bn2dec(num);
666: if (buf == NULL) {
667: error("write_bignum: BN_bn2dec() failed");
668: return 0;
669: }
670: fprintf(f, " %s", buf);
1.33 markus 671: OPENSSL_free(buf);
1.1 markus 672: return 1;
673: }
1.12 markus 674:
1.32 markus 675: /* returns 1 ok, -1 error */
1.12 markus 676: int
1.3 markus 677: key_read(Key *ret, char **cpp)
1.1 markus 678: {
1.3 markus 679: Key *k;
1.12 markus 680: int success = -1;
681: char *cp, *space;
1.92 djm 682: int len, n, type, curve_nid = -1;
1.12 markus 683: u_int bits;
1.13 markus 684: u_char *blob;
1.3 markus 685:
686: cp = *cpp;
687:
1.35 deraadt 688: switch (ret->type) {
1.12 markus 689: case KEY_RSA1:
1.3 markus 690: /* Get number of bits. */
691: if (*cp < '0' || *cp > '9')
1.12 markus 692: return -1; /* Bad bit count... */
1.3 markus 693: for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
694: bits = 10 * bits + *cp - '0';
1.1 markus 695: if (bits == 0)
1.12 markus 696: return -1;
1.3 markus 697: *cpp = cp;
1.1 markus 698: /* Get public exponent, public modulus. */
699: if (!read_bignum(cpp, ret->rsa->e))
1.12 markus 700: return -1;
1.1 markus 701: if (!read_bignum(cpp, ret->rsa->n))
1.12 markus 702: return -1;
1.82 dtucker 703: /* validate the claimed number of bits */
704: if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
705: verbose("key_read: claimed key size %d does not match "
706: "actual %d", bits, BN_num_bits(ret->rsa->n));
707: return -1;
708: }
1.12 markus 709: success = 1;
1.1 markus 710: break;
1.12 markus 711: case KEY_UNSPEC:
712: case KEY_RSA:
1.1 markus 713: case KEY_DSA:
1.92 djm 714: case KEY_ECDSA:
1.109 markus 715: case KEY_ED25519:
1.87 djm 716: case KEY_DSA_CERT_V00:
717: case KEY_RSA_CERT_V00:
1.83 djm 718: case KEY_DSA_CERT:
1.92 djm 719: case KEY_ECDSA_CERT:
1.83 djm 720: case KEY_RSA_CERT:
1.109 markus 721: case KEY_ED25519_CERT:
1.12 markus 722: space = strchr(cp, ' ');
723: if (space == NULL) {
1.50 markus 724: debug3("key_read: missing whitespace");
1.12 markus 725: return -1;
726: }
727: *space = '\0';
728: type = key_type_from_name(cp);
1.92 djm 729: if (key_type_plain(type) == KEY_ECDSA &&
730: (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
731: debug("key_read: invalid curve");
732: return -1;
733: }
1.12 markus 734: *space = ' ';
735: if (type == KEY_UNSPEC) {
1.50 markus 736: debug3("key_read: missing keytype");
1.12 markus 737: return -1;
738: }
739: cp = space+1;
740: if (*cp == '\0') {
741: debug3("key_read: short string");
742: return -1;
743: }
744: if (ret->type == KEY_UNSPEC) {
745: ret->type = type;
746: } else if (ret->type != type) {
747: /* is a key, but different type */
748: debug3("key_read: type mismatch");
1.32 markus 749: return -1;
1.12 markus 750: }
1.3 markus 751: len = 2*strlen(cp);
752: blob = xmalloc(len);
753: n = uudecode(cp, blob, len);
1.6 markus 754: if (n < 0) {
1.7 markus 755: error("key_read: uudecode %s failed", cp);
1.103 djm 756: free(blob);
1.12 markus 757: return -1;
1.6 markus 758: }
1.53 markus 759: k = key_from_blob(blob, (u_int)n);
1.103 djm 760: free(blob);
1.7 markus 761: if (k == NULL) {
1.12 markus 762: error("key_read: key_from_blob %s failed", cp);
763: return -1;
1.7 markus 764: }
1.12 markus 765: if (k->type != type) {
766: error("key_read: type mismatch: encoding error");
767: key_free(k);
768: return -1;
769: }
1.92 djm 770: if (key_type_plain(type) == KEY_ECDSA &&
771: curve_nid != k->ecdsa_nid) {
772: error("key_read: type mismatch: EC curve mismatch");
773: key_free(k);
774: return -1;
775: }
1.12 markus 776: /*XXXX*/
1.83 djm 777: if (key_is_cert(ret)) {
778: if (!key_is_cert(k)) {
779: error("key_read: loaded key is not a cert");
780: key_free(k);
781: return -1;
782: }
783: if (ret->cert != NULL)
784: cert_free(ret->cert);
785: ret->cert = k->cert;
786: k->cert = NULL;
787: }
788: if (key_type_plain(ret->type) == KEY_RSA) {
1.12 markus 789: if (ret->rsa != NULL)
790: RSA_free(ret->rsa);
791: ret->rsa = k->rsa;
792: k->rsa = NULL;
793: #ifdef DEBUG_PK
794: RSA_print_fp(stderr, ret->rsa, 8);
795: #endif
1.83 djm 796: }
797: if (key_type_plain(ret->type) == KEY_DSA) {
1.12 markus 798: if (ret->dsa != NULL)
799: DSA_free(ret->dsa);
800: ret->dsa = k->dsa;
801: k->dsa = NULL;
802: #ifdef DEBUG_PK
803: DSA_print_fp(stderr, ret->dsa, 8);
804: #endif
805: }
1.92 djm 806: if (key_type_plain(ret->type) == KEY_ECDSA) {
807: if (ret->ecdsa != NULL)
808: EC_KEY_free(ret->ecdsa);
809: ret->ecdsa = k->ecdsa;
810: ret->ecdsa_nid = k->ecdsa_nid;
811: k->ecdsa = NULL;
812: k->ecdsa_nid = -1;
813: #ifdef DEBUG_PK
814: key_dump_ec_key(ret->ecdsa);
815: #endif
816: }
1.109 markus 817: if (key_type_plain(ret->type) == KEY_ED25519) {
818: free(ret->ed25519_pk);
819: ret->ed25519_pk = k->ed25519_pk;
820: k->ed25519_pk = NULL;
821: #ifdef DEBUG_PK
822: /* XXX */
823: #endif
824: }
1.83 djm 825: success = 1;
1.12 markus 826: /*XXXX*/
1.34 markus 827: key_free(k);
1.12 markus 828: if (success != 1)
829: break;
1.7 markus 830: /* advance cp: skip whitespace and data */
831: while (*cp == ' ' || *cp == '\t')
832: cp++;
833: while (*cp != '\0' && *cp != ' ' && *cp != '\t')
834: cp++;
835: *cpp = cp;
1.1 markus 836: break;
837: default:
1.3 markus 838: fatal("key_read: bad key type: %d", ret->type);
1.1 markus 839: break;
840: }
1.12 markus 841: return success;
1.1 markus 842: }
1.45 deraadt 843:
1.1 markus 844: int
1.55 jakob 845: key_write(const Key *key, FILE *f)
1.1 markus 846: {
1.40 markus 847: int n, success = 0;
848: u_int len, bits = 0;
1.49 markus 849: u_char *blob;
850: char *uu;
1.1 markus 851:
1.83 djm 852: if (key_is_cert(key)) {
853: if (key->cert == NULL) {
854: error("%s: no cert data", __func__);
855: return 0;
856: }
857: if (buffer_len(&key->cert->certblob) == 0) {
858: error("%s: no signed certificate blob", __func__);
859: return 0;
860: }
861: }
862:
863: switch (key->type) {
864: case KEY_RSA1:
865: if (key->rsa == NULL)
866: return 0;
1.1 markus 867: /* size of modulus 'n' */
868: bits = BN_num_bits(key->rsa->n);
869: fprintf(f, "%u", bits);
870: if (write_bignum(f, key->rsa->e) &&
1.83 djm 871: write_bignum(f, key->rsa->n))
872: return 1;
873: error("key_write: failed for RSA key");
874: return 0;
875: case KEY_DSA:
1.87 djm 876: case KEY_DSA_CERT_V00:
1.83 djm 877: case KEY_DSA_CERT:
878: if (key->dsa == NULL)
879: return 0;
880: break;
1.92 djm 881: case KEY_ECDSA:
882: case KEY_ECDSA_CERT:
883: if (key->ecdsa == NULL)
884: return 0;
885: break;
1.109 markus 886: case KEY_ED25519:
887: case KEY_ED25519_CERT:
888: if (key->ed25519_pk == NULL)
889: return 0;
890: break;
1.83 djm 891: case KEY_RSA:
1.87 djm 892: case KEY_RSA_CERT_V00:
1.83 djm 893: case KEY_RSA_CERT:
894: if (key->rsa == NULL)
895: return 0;
896: break;
897: default:
898: return 0;
899: }
900:
901: key_to_blob(key, &blob, &len);
902: uu = xmalloc(2*len);
903: n = uuencode(blob, len, uu, 2*len);
904: if (n > 0) {
905: fprintf(f, "%s %s", key_ssh_name(key), uu);
906: success = 1;
1.1 markus 907: }
1.103 djm 908: free(blob);
909: free(uu);
1.83 djm 910:
1.1 markus 911: return success;
912: }
1.45 deraadt 913:
1.55 jakob 914: const char *
1.86 stevesk 915: key_cert_type(const Key *k)
916: {
917: switch (k->cert->type) {
918: case SSH2_CERT_TYPE_USER:
919: return "user";
920: case SSH2_CERT_TYPE_HOST:
921: return "host";
922: default:
923: return "unknown";
924: }
1.10 markus 925: }
1.45 deraadt 926:
1.101 djm 927: struct keytype {
928: char *name;
929: char *shortname;
930: int type;
931: int nid;
932: int cert;
933: };
934: static const struct keytype keytypes[] = {
935: { NULL, "RSA1", KEY_RSA1, 0, 0 },
936: { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
937: { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
1.109 markus 938: { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
1.101 djm 939: { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
940: { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
941: { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
942: { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
943: { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
944: { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
945: KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
946: { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
947: KEY_ECDSA_CERT, NID_secp384r1, 1 },
948: { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
949: KEY_ECDSA_CERT, NID_secp521r1, 1 },
950: { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
951: KEY_RSA_CERT_V00, 0, 1 },
952: { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
953: KEY_DSA_CERT_V00, 0, 1 },
1.109 markus 954: { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
955: KEY_ED25519_CERT, 0, 1 },
1.101 djm 956: { NULL, NULL, -1, -1, 0 }
957: };
958:
959: const char *
960: key_type(const Key *k)
961: {
962: const struct keytype *kt;
963:
964: for (kt = keytypes; kt->type != -1; kt++) {
965: if (kt->type == k->type)
966: return kt->shortname;
967: }
968: return "unknown";
969: }
970:
1.92 djm 971: static const char *
972: key_ssh_name_from_type_nid(int type, int nid)
1.12 markus 973: {
1.101 djm 974: const struct keytype *kt;
975:
976: for (kt = keytypes; kt->type != -1; kt++) {
977: if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
978: return kt->name;
1.12 markus 979: }
980: return "ssh-unknown";
981: }
1.45 deraadt 982:
1.92 djm 983: const char *
984: key_ssh_name(const Key *k)
985: {
986: return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
987: }
988:
989: const char *
990: key_ssh_name_plain(const Key *k)
991: {
992: return key_ssh_name_from_type_nid(key_type_plain(k->type),
993: k->ecdsa_nid);
994: }
995:
1.101 djm 996: int
997: key_type_from_name(char *name)
998: {
999: const struct keytype *kt;
1000:
1001: for (kt = keytypes; kt->type != -1; kt++) {
1002: /* Only allow shortname matches for plain key types */
1003: if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
1004: (!kt->cert && strcasecmp(kt->shortname, name) == 0))
1005: return kt->type;
1006: }
1007: debug2("key_type_from_name: unknown key type '%s'", name);
1008: return KEY_UNSPEC;
1009: }
1010:
1011: int
1012: key_ecdsa_nid_from_name(const char *name)
1013: {
1014: const struct keytype *kt;
1015:
1016: for (kt = keytypes; kt->type != -1; kt++) {
1017: if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
1018: continue;
1019: if (kt->name != NULL && strcmp(name, kt->name) == 0)
1020: return kt->nid;
1021: }
1022: debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1023: return -1;
1024: }
1025:
1026: char *
1.109 markus 1027: key_alg_list(int certs_only, int plain_only)
1.101 djm 1028: {
1029: char *ret = NULL;
1030: size_t nlen, rlen = 0;
1031: const struct keytype *kt;
1032:
1033: for (kt = keytypes; kt->type != -1; kt++) {
1034: if (kt->name == NULL)
1035: continue;
1.109 markus 1036: if ((certs_only && !kt->cert) || (plain_only && kt->cert))
1037: continue;
1.101 djm 1038: if (ret != NULL)
1039: ret[rlen++] = '\n';
1040: nlen = strlen(kt->name);
1041: ret = xrealloc(ret, 1, rlen + nlen + 2);
1042: memcpy(ret + rlen, kt->name, nlen + 1);
1043: rlen += nlen;
1044: }
1045: return ret;
1046: }
1047:
1.105 djm 1048: int
1049: key_type_is_cert(int type)
1050: {
1051: const struct keytype *kt;
1052:
1053: for (kt = keytypes; kt->type != -1; kt++) {
1054: if (kt->type == type)
1055: return kt->cert;
1056: }
1057: return 0;
1058: }
1059:
1.12 markus 1060: u_int
1.55 jakob 1061: key_size(const Key *k)
1.35 deraadt 1062: {
1.10 markus 1063: switch (k->type) {
1.12 markus 1064: case KEY_RSA1:
1.10 markus 1065: case KEY_RSA:
1.87 djm 1066: case KEY_RSA_CERT_V00:
1.83 djm 1067: case KEY_RSA_CERT:
1.10 markus 1068: return BN_num_bits(k->rsa->n);
1069: case KEY_DSA:
1.87 djm 1070: case KEY_DSA_CERT_V00:
1.83 djm 1071: case KEY_DSA_CERT:
1.10 markus 1072: return BN_num_bits(k->dsa->p);
1.109 markus 1073: case KEY_ED25519:
1074: return 256; /* XXX */
1.92 djm 1075: case KEY_ECDSA:
1076: case KEY_ECDSA_CERT:
1.93 djm 1077: return key_curve_nid_to_bits(k->ecdsa_nid);
1.10 markus 1078: }
1079: return 0;
1.12 markus 1080: }
1081:
1.27 itojun 1082: static RSA *
1.13 markus 1083: rsa_generate_private_key(u_int bits)
1.12 markus 1084: {
1.95 djm 1085: RSA *private = RSA_new();
1086: BIGNUM *f4 = BN_new();
1.61 deraadt 1087:
1.17 stevesk 1088: if (private == NULL)
1.95 djm 1089: fatal("%s: RSA_new failed", __func__);
1090: if (f4 == NULL)
1091: fatal("%s: BN_new failed", __func__);
1092: if (!BN_set_word(f4, RSA_F4))
1093: fatal("%s: BN_new failed", __func__);
1094: if (!RSA_generate_key_ex(private, bits, f4, NULL))
1095: fatal("%s: key generation failed.", __func__);
1096: BN_free(f4);
1.17 stevesk 1097: return private;
1.12 markus 1098: }
1099:
1.27 itojun 1100: static DSA*
1.13 markus 1101: dsa_generate_private_key(u_int bits)
1.12 markus 1102: {
1.95 djm 1103: DSA *private = DSA_new();
1.61 deraadt 1104:
1.12 markus 1105: if (private == NULL)
1.95 djm 1106: fatal("%s: DSA_new failed", __func__);
1107: if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1108: NULL, NULL))
1109: fatal("%s: DSA_generate_parameters failed", __func__);
1.12 markus 1110: if (!DSA_generate_key(private))
1.95 djm 1111: fatal("%s: DSA_generate_key failed.", __func__);
1.12 markus 1112: return private;
1113: }
1114:
1.92 djm 1115: int
1116: key_ecdsa_bits_to_nid(int bits)
1117: {
1118: switch (bits) {
1119: case 256:
1120: return NID_X9_62_prime256v1;
1121: case 384:
1122: return NID_secp384r1;
1123: case 521:
1124: return NID_secp521r1;
1125: default:
1126: return -1;
1127: }
1128: }
1129:
1130: int
1.94 djm 1131: key_ecdsa_key_to_nid(EC_KEY *k)
1.92 djm 1132: {
1133: EC_GROUP *eg;
1134: int nids[] = {
1135: NID_X9_62_prime256v1,
1136: NID_secp384r1,
1137: NID_secp521r1,
1138: -1
1139: };
1.94 djm 1140: int nid;
1.92 djm 1141: u_int i;
1142: BN_CTX *bnctx;
1.94 djm 1143: const EC_GROUP *g = EC_KEY_get0_group(k);
1.92 djm 1144:
1.94 djm 1145: /*
1146: * The group may be stored in a ASN.1 encoded private key in one of two
1147: * ways: as a "named group", which is reconstituted by ASN.1 object ID
1148: * or explicit group parameters encoded into the key blob. Only the
1149: * "named group" case sets the group NID for us, but we can figure
1150: * it out for the other case by comparing against all the groups that
1151: * are supported.
1152: */
1153: if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1154: return nid;
1.92 djm 1155: if ((bnctx = BN_CTX_new()) == NULL)
1156: fatal("%s: BN_CTX_new() failed", __func__);
1157: for (i = 0; nids[i] != -1; i++) {
1158: if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1159: fatal("%s: EC_GROUP_new_by_curve_name failed",
1160: __func__);
1.94 djm 1161: if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1.92 djm 1162: break;
1163: EC_GROUP_free(eg);
1164: }
1165: BN_CTX_free(bnctx);
1166: debug3("%s: nid = %d", __func__, nids[i]);
1.94 djm 1167: if (nids[i] != -1) {
1168: /* Use the group with the NID attached */
1169: EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1170: if (EC_KEY_set_group(k, eg) != 1)
1171: fatal("%s: EC_KEY_set_group", __func__);
1172: }
1.92 djm 1173: return nids[i];
1174: }
1175:
1176: static EC_KEY*
1177: ecdsa_generate_private_key(u_int bits, int *nid)
1178: {
1179: EC_KEY *private;
1180:
1181: if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
1182: fatal("%s: invalid key length", __func__);
1183: if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
1184: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1185: if (EC_KEY_generate_key(private) != 1)
1186: fatal("%s: EC_KEY_generate_key failed", __func__);
1.94 djm 1187: EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1.92 djm 1188: return private;
1189: }
1190:
1.12 markus 1191: Key *
1.13 markus 1192: key_generate(int type, u_int bits)
1.12 markus 1193: {
1194: Key *k = key_new(KEY_UNSPEC);
1195: switch (type) {
1.17 stevesk 1196: case KEY_DSA:
1.12 markus 1197: k->dsa = dsa_generate_private_key(bits);
1198: break;
1.92 djm 1199: case KEY_ECDSA:
1200: k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
1201: break;
1.12 markus 1202: case KEY_RSA:
1203: case KEY_RSA1:
1204: k->rsa = rsa_generate_private_key(bits);
1205: break;
1.109 markus 1206: case KEY_ED25519:
1207: k->ed25519_pk = xmalloc(ED25519_PK_SZ);
1208: k->ed25519_sk = xmalloc(ED25519_SK_SZ);
1209: crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1210: break;
1.87 djm 1211: case KEY_RSA_CERT_V00:
1212: case KEY_DSA_CERT_V00:
1.83 djm 1213: case KEY_RSA_CERT:
1214: case KEY_DSA_CERT:
1215: fatal("key_generate: cert keys cannot be generated directly");
1.12 markus 1216: default:
1.17 stevesk 1217: fatal("key_generate: unknown type %d", type);
1.12 markus 1218: }
1.17 stevesk 1219: k->type = type;
1.12 markus 1220: return k;
1221: }
1222:
1.83 djm 1223: void
1224: key_cert_copy(const Key *from_key, struct Key *to_key)
1225: {
1226: u_int i;
1227: const struct KeyCert *from;
1228: struct KeyCert *to;
1229:
1230: if (to_key->cert != NULL) {
1231: cert_free(to_key->cert);
1232: to_key->cert = NULL;
1233: }
1234:
1235: if ((from = from_key->cert) == NULL)
1236: return;
1237:
1238: to = to_key->cert = cert_new();
1239:
1240: buffer_append(&to->certblob, buffer_ptr(&from->certblob),
1241: buffer_len(&from->certblob));
1242:
1.87 djm 1243: buffer_append(&to->critical,
1244: buffer_ptr(&from->critical), buffer_len(&from->critical));
1245: buffer_append(&to->extensions,
1246: buffer_ptr(&from->extensions), buffer_len(&from->extensions));
1.83 djm 1247:
1.87 djm 1248: to->serial = from->serial;
1.83 djm 1249: to->type = from->type;
1250: to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
1251: to->valid_after = from->valid_after;
1252: to->valid_before = from->valid_before;
1253: to->signature_key = from->signature_key == NULL ?
1254: NULL : key_from_private(from->signature_key);
1255:
1256: to->nprincipals = from->nprincipals;
1257: if (to->nprincipals > CERT_MAX_PRINCIPALS)
1258: fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
1259: __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
1260: if (to->nprincipals > 0) {
1261: to->principals = xcalloc(from->nprincipals,
1262: sizeof(*to->principals));
1263: for (i = 0; i < to->nprincipals; i++)
1264: to->principals[i] = xstrdup(from->principals[i]);
1265: }
1266: }
1267:
1.12 markus 1268: Key *
1.55 jakob 1269: key_from_private(const Key *k)
1.12 markus 1270: {
1271: Key *n = NULL;
1272: switch (k->type) {
1.17 stevesk 1273: case KEY_DSA:
1.87 djm 1274: case KEY_DSA_CERT_V00:
1.83 djm 1275: case KEY_DSA_CERT:
1.12 markus 1276: n = key_new(k->type);
1.68 markus 1277: if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1278: (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1279: (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1280: (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
1281: fatal("key_from_private: BN_copy failed");
1.12 markus 1282: break;
1.92 djm 1283: case KEY_ECDSA:
1284: case KEY_ECDSA_CERT:
1285: n = key_new(k->type);
1286: n->ecdsa_nid = k->ecdsa_nid;
1287: if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
1288: fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1289: if (EC_KEY_set_public_key(n->ecdsa,
1290: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1291: fatal("%s: EC_KEY_set_public_key failed", __func__);
1292: break;
1.12 markus 1293: case KEY_RSA:
1294: case KEY_RSA1:
1.87 djm 1295: case KEY_RSA_CERT_V00:
1.83 djm 1296: case KEY_RSA_CERT:
1.12 markus 1297: n = key_new(k->type);
1.68 markus 1298: if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1299: (BN_copy(n->rsa->e, k->rsa->e) == NULL))
1300: fatal("key_from_private: BN_copy failed");
1.12 markus 1301: break;
1.109 markus 1302: case KEY_ED25519:
1303: case KEY_ED25519_CERT:
1304: n = key_new(k->type);
1305: if (k->ed25519_pk != NULL) {
1306: n->ed25519_pk = xmalloc(ED25519_PK_SZ);
1307: memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1308: }
1309: break;
1.12 markus 1310: default:
1.17 stevesk 1311: fatal("key_from_private: unknown type %d", k->type);
1.12 markus 1312: break;
1313: }
1.83 djm 1314: if (key_is_cert(k))
1315: key_cert_copy(k, n);
1.12 markus 1316: return n;
1.92 djm 1317: }
1318:
1319: int
1.25 markus 1320: key_names_valid2(const char *names)
1321: {
1322: char *s, *cp, *p;
1323:
1324: if (names == NULL || strcmp(names, "") == 0)
1325: return 0;
1326: s = cp = xstrdup(names);
1327: for ((p = strsep(&cp, ",")); p && *p != '\0';
1.36 deraadt 1328: (p = strsep(&cp, ","))) {
1.25 markus 1329: switch (key_type_from_name(p)) {
1330: case KEY_RSA1:
1331: case KEY_UNSPEC:
1.103 djm 1332: free(s);
1.25 markus 1333: return 0;
1334: }
1335: }
1336: debug3("key names ok: [%s]", names);
1.103 djm 1337: free(s);
1.25 markus 1338: return 1;
1.12 markus 1339: }
1340:
1.83 djm 1341: static int
1342: cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1343: {
1.87 djm 1344: u_char *principals, *critical, *exts, *sig_key, *sig;
1345: u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
1.83 djm 1346: Buffer tmp;
1347: char *principal;
1348: int ret = -1;
1.87 djm 1349: int v00 = key->type == KEY_DSA_CERT_V00 ||
1350: key->type == KEY_RSA_CERT_V00;
1.83 djm 1351:
1352: buffer_init(&tmp);
1353:
1354: /* Copy the entire key blob for verification and later serialisation */
1355: buffer_append(&key->cert->certblob, blob, blen);
1356:
1.87 djm 1357: elen = 0; /* Not touched for v00 certs */
1358: principals = exts = critical = sig_key = sig = NULL;
1359: if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1360: buffer_get_int_ret(&key->cert->type, b) != 0 ||
1.91 djm 1361: (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
1.83 djm 1362: (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1363: buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1364: buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1.87 djm 1365: (critical = buffer_get_string_ret(b, &clen)) == NULL ||
1366: (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
1367: (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
1368: buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
1.83 djm 1369: (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1370: error("%s: parse error", __func__);
1.84 djm 1371: goto out;
1372: }
1373:
1.83 djm 1374: /* Signature is left in the buffer so we can calculate this length */
1375: signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1376:
1377: if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1378: error("%s: parse error", __func__);
1379: goto out;
1380: }
1381:
1382: if (key->cert->type != SSH2_CERT_TYPE_USER &&
1383: key->cert->type != SSH2_CERT_TYPE_HOST) {
1384: error("Unknown certificate type %u", key->cert->type);
1385: goto out;
1386: }
1387:
1388: buffer_append(&tmp, principals, plen);
1389: while (buffer_len(&tmp) > 0) {
1390: if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1.84 djm 1391: error("%s: Too many principals", __func__);
1.83 djm 1392: goto out;
1393: }
1.91 djm 1394: if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
1.84 djm 1395: error("%s: Principals data invalid", __func__);
1396: goto out;
1397: }
1.83 djm 1398: key->cert->principals = xrealloc(key->cert->principals,
1399: key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1400: key->cert->principals[key->cert->nprincipals++] = principal;
1401: }
1402:
1403: buffer_clear(&tmp);
1404:
1.87 djm 1405: buffer_append(&key->cert->critical, critical, clen);
1406: buffer_append(&tmp, critical, clen);
1.83 djm 1407: /* validate structure */
1408: while (buffer_len(&tmp) != 0) {
1.85 djm 1409: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1410: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1.87 djm 1411: error("%s: critical option data invalid", __func__);
1412: goto out;
1413: }
1414: }
1415: buffer_clear(&tmp);
1416:
1417: buffer_append(&key->cert->extensions, exts, elen);
1418: buffer_append(&tmp, exts, elen);
1419: /* validate structure */
1420: while (buffer_len(&tmp) != 0) {
1421: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1422: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1423: error("%s: extension data invalid", __func__);
1.83 djm 1424: goto out;
1425: }
1426: }
1427: buffer_clear(&tmp);
1428:
1.105 djm 1429: if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0))
1430: == NULL) {
1.84 djm 1431: error("%s: Signature key invalid", __func__);
1.83 djm 1432: goto out;
1433: }
1434: if (key->cert->signature_key->type != KEY_RSA &&
1.92 djm 1435: key->cert->signature_key->type != KEY_DSA &&
1.111 djm 1436: key->cert->signature_key->type != KEY_ECDSA &&
1437: key->cert->signature_key->type != KEY_ED25519) {
1.84 djm 1438: error("%s: Invalid signature key type %s (%d)", __func__,
1.83 djm 1439: key_type(key->cert->signature_key),
1440: key->cert->signature_key->type);
1441: goto out;
1442: }
1443:
1444: switch (key_verify(key->cert->signature_key, sig, slen,
1445: buffer_ptr(&key->cert->certblob), signed_len)) {
1446: case 1:
1.84 djm 1447: ret = 0;
1.83 djm 1448: break; /* Good signature */
1449: case 0:
1.84 djm 1450: error("%s: Invalid signature on certificate", __func__);
1.83 djm 1451: goto out;
1452: case -1:
1.84 djm 1453: error("%s: Certificate signature verification failed",
1454: __func__);
1.83 djm 1455: goto out;
1456: }
1457:
1458: out:
1459: buffer_free(&tmp);
1.103 djm 1460: free(principals);
1461: free(critical);
1462: free(exts);
1463: free(sig_key);
1464: free(sig);
1.83 djm 1465: return ret;
1466: }
1467:
1.105 djm 1468: static Key *
1469: key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
1.12 markus 1470: {
1471: Buffer b;
1.92 djm 1472: int rlen, type, nid = -1;
1.109 markus 1473: u_int len;
1.92 djm 1474: char *ktype = NULL, *curve = NULL;
1.109 markus 1475: u_char *pk = NULL;
1.12 markus 1476: Key *key = NULL;
1.92 djm 1477: EC_POINT *q = NULL;
1.12 markus 1478:
1479: #ifdef DEBUG_PK
1480: dump_base64(stderr, blob, blen);
1481: #endif
1482: buffer_init(&b);
1483: buffer_append(&b, blob, blen);
1.91 djm 1484: if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
1.57 djm 1485: error("key_from_blob: can't read key type");
1486: goto out;
1487: }
1488:
1.12 markus 1489: type = key_type_from_name(ktype);
1.92 djm 1490: if (key_type_plain(type) == KEY_ECDSA)
1491: nid = key_ecdsa_nid_from_name(ktype);
1.105 djm 1492: if (!allow_cert && key_type_is_cert(type)) {
1493: error("key_from_blob: certificate not allowed in this context");
1494: goto out;
1495: }
1.35 deraadt 1496: switch (type) {
1.87 djm 1497: case KEY_RSA_CERT:
1498: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1499: /* FALLTHROUGH */
1.12 markus 1500: case KEY_RSA:
1.87 djm 1501: case KEY_RSA_CERT_V00:
1.12 markus 1502: key = key_new(type);
1.57 djm 1503: if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1504: buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1505: error("key_from_blob: can't read rsa key");
1.83 djm 1506: badkey:
1.57 djm 1507: key_free(key);
1508: key = NULL;
1509: goto out;
1510: }
1.12 markus 1511: #ifdef DEBUG_PK
1512: RSA_print_fp(stderr, key->rsa, 8);
1513: #endif
1514: break;
1.87 djm 1515: case KEY_DSA_CERT:
1516: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1517: /* FALLTHROUGH */
1.12 markus 1518: case KEY_DSA:
1.87 djm 1519: case KEY_DSA_CERT_V00:
1.12 markus 1520: key = key_new(type);
1.57 djm 1521: if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1522: buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1523: buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1524: buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1525: error("key_from_blob: can't read dsa key");
1.83 djm 1526: goto badkey;
1.57 djm 1527: }
1.12 markus 1528: #ifdef DEBUG_PK
1529: DSA_print_fp(stderr, key->dsa, 8);
1530: #endif
1531: break;
1.92 djm 1532: case KEY_ECDSA_CERT:
1533: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1534: /* FALLTHROUGH */
1535: case KEY_ECDSA:
1536: key = key_new(type);
1537: key->ecdsa_nid = nid;
1538: if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
1539: error("key_from_blob: can't read ecdsa curve");
1540: goto badkey;
1541: }
1542: if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
1543: error("key_from_blob: ecdsa curve doesn't match type");
1544: goto badkey;
1545: }
1546: if (key->ecdsa != NULL)
1547: EC_KEY_free(key->ecdsa);
1548: if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
1549: == NULL)
1550: fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
1551: if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
1552: fatal("key_from_blob: EC_POINT_new failed");
1553: if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
1554: q) == -1) {
1555: error("key_from_blob: can't read ecdsa key point");
1556: goto badkey;
1557: }
1558: if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1559: q) != 0)
1560: goto badkey;
1561: if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
1562: fatal("key_from_blob: EC_KEY_set_public_key failed");
1563: #ifdef DEBUG_PK
1564: key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
1565: #endif
1566: break;
1.109 markus 1567: case KEY_ED25519_CERT:
1568: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1569: /* FALLTHROUGH */
1570: case KEY_ED25519:
1571: if ((pk = buffer_get_string_ret(&b, &len)) == NULL) {
1572: error("key_from_blob: can't read ed25519 key");
1573: goto badkey;
1574: }
1575: if (len != ED25519_PK_SZ) {
1576: error("key_from_blob: ed25519 len %d != %d",
1577: len, ED25519_PK_SZ);
1578: goto badkey;
1579: }
1580: key = key_new(type);
1581: key->ed25519_pk = pk;
1582: pk = NULL;
1583: break;
1.12 markus 1584: case KEY_UNSPEC:
1585: key = key_new(type);
1586: break;
1587: default:
1588: error("key_from_blob: cannot handle type %s", ktype);
1.57 djm 1589: goto out;
1.12 markus 1590: }
1.83 djm 1591: if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1592: error("key_from_blob: can't parse cert data");
1593: goto badkey;
1594: }
1.12 markus 1595: rlen = buffer_len(&b);
1596: if (key != NULL && rlen != 0)
1597: error("key_from_blob: remaining bytes in key blob %d", rlen);
1.57 djm 1598: out:
1.103 djm 1599: free(ktype);
1600: free(curve);
1.109 markus 1601: free(pk);
1.92 djm 1602: if (q != NULL)
1603: EC_POINT_free(q);
1.12 markus 1604: buffer_free(&b);
1605: return key;
1606: }
1607:
1.105 djm 1608: Key *
1609: key_from_blob(const u_char *blob, u_int blen)
1610: {
1611: return key_from_blob2(blob, blen, 1);
1612: }
1613:
1.100 djm 1614: static int
1615: to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
1.12 markus 1616: {
1617: Buffer b;
1.100 djm 1618: int len, type;
1.12 markus 1619:
1.106 djm 1620: if (blobp != NULL)
1621: *blobp = NULL;
1622: if (lenp != NULL)
1623: *lenp = 0;
1.12 markus 1624: if (key == NULL) {
1625: error("key_to_blob: key == NULL");
1626: return 0;
1627: }
1628: buffer_init(&b);
1.100 djm 1629: type = force_plain ? key_type_plain(key->type) : key->type;
1630: switch (type) {
1.87 djm 1631: case KEY_DSA_CERT_V00:
1632: case KEY_RSA_CERT_V00:
1.83 djm 1633: case KEY_DSA_CERT:
1.92 djm 1634: case KEY_ECDSA_CERT:
1.83 djm 1635: case KEY_RSA_CERT:
1.109 markus 1636: case KEY_ED25519_CERT:
1.83 djm 1637: /* Use the existing blob */
1638: buffer_append(&b, buffer_ptr(&key->cert->certblob),
1639: buffer_len(&key->cert->certblob));
1640: break;
1.12 markus 1641: case KEY_DSA:
1.100 djm 1642: buffer_put_cstring(&b,
1643: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.12 markus 1644: buffer_put_bignum2(&b, key->dsa->p);
1645: buffer_put_bignum2(&b, key->dsa->q);
1646: buffer_put_bignum2(&b, key->dsa->g);
1647: buffer_put_bignum2(&b, key->dsa->pub_key);
1648: break;
1.92 djm 1649: case KEY_ECDSA:
1.100 djm 1650: buffer_put_cstring(&b,
1651: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.92 djm 1652: buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1653: buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1654: EC_KEY_get0_public_key(key->ecdsa));
1655: break;
1.12 markus 1656: case KEY_RSA:
1.100 djm 1657: buffer_put_cstring(&b,
1658: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1.14 markus 1659: buffer_put_bignum2(&b, key->rsa->e);
1.12 markus 1660: buffer_put_bignum2(&b, key->rsa->n);
1661: break;
1.109 markus 1662: case KEY_ED25519:
1663: buffer_put_cstring(&b,
1664: key_ssh_name_from_type_nid(type, key->ecdsa_nid));
1665: buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
1666: break;
1.12 markus 1667: default:
1.31 markus 1668: error("key_to_blob: unsupported key type %d", key->type);
1669: buffer_free(&b);
1670: return 0;
1.12 markus 1671: }
1672: len = buffer_len(&b);
1.48 markus 1673: if (lenp != NULL)
1674: *lenp = len;
1675: if (blobp != NULL) {
1676: *blobp = xmalloc(len);
1677: memcpy(*blobp, buffer_ptr(&b), len);
1678: }
1.12 markus 1679: memset(buffer_ptr(&b), 0, len);
1680: buffer_free(&b);
1681: return len;
1682: }
1683:
1684: int
1.100 djm 1685: key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1686: {
1687: return to_blob(key, blobp, lenp, 0);
1688: }
1689:
1690: int
1.12 markus 1691: key_sign(
1.55 jakob 1692: const Key *key,
1.40 markus 1693: u_char **sigp, u_int *lenp,
1.55 jakob 1694: const u_char *data, u_int datalen)
1.12 markus 1695: {
1.35 deraadt 1696: switch (key->type) {
1.87 djm 1697: case KEY_DSA_CERT_V00:
1.83 djm 1698: case KEY_DSA_CERT:
1.12 markus 1699: case KEY_DSA:
1700: return ssh_dss_sign(key, sigp, lenp, data, datalen);
1.92 djm 1701: case KEY_ECDSA_CERT:
1702: case KEY_ECDSA:
1703: return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
1.87 djm 1704: case KEY_RSA_CERT_V00:
1.83 djm 1705: case KEY_RSA_CERT:
1.12 markus 1706: case KEY_RSA:
1707: return ssh_rsa_sign(key, sigp, lenp, data, datalen);
1.109 markus 1708: case KEY_ED25519:
1709: case KEY_ED25519_CERT:
1710: return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
1.12 markus 1711: default:
1.56 markus 1712: error("key_sign: invalid key type %d", key->type);
1.12 markus 1713: return -1;
1714: }
1715: }
1716:
1.44 markus 1717: /*
1718: * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1719: * and -1 on error.
1720: */
1.12 markus 1721: int
1722: key_verify(
1.55 jakob 1723: const Key *key,
1724: const u_char *signature, u_int signaturelen,
1725: const u_char *data, u_int datalen)
1.12 markus 1726: {
1.26 markus 1727: if (signaturelen == 0)
1728: return -1;
1729:
1.35 deraadt 1730: switch (key->type) {
1.87 djm 1731: case KEY_DSA_CERT_V00:
1.83 djm 1732: case KEY_DSA_CERT:
1.12 markus 1733: case KEY_DSA:
1734: return ssh_dss_verify(key, signature, signaturelen, data, datalen);
1.92 djm 1735: case KEY_ECDSA_CERT:
1736: case KEY_ECDSA:
1737: return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
1.87 djm 1738: case KEY_RSA_CERT_V00:
1.83 djm 1739: case KEY_RSA_CERT:
1.12 markus 1740: case KEY_RSA:
1741: return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
1.109 markus 1742: case KEY_ED25519:
1743: case KEY_ED25519_CERT:
1744: return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
1.12 markus 1745: default:
1.56 markus 1746: error("key_verify: invalid key type %d", key->type);
1.12 markus 1747: return -1;
1748: }
1.42 markus 1749: }
1750:
1751: /* Converts a private to a public key */
1752: Key *
1.55 jakob 1753: key_demote(const Key *k)
1.42 markus 1754: {
1755: Key *pk;
1.43 markus 1756:
1.63 djm 1757: pk = xcalloc(1, sizeof(*pk));
1.42 markus 1758: pk->type = k->type;
1759: pk->flags = k->flags;
1.92 djm 1760: pk->ecdsa_nid = k->ecdsa_nid;
1.42 markus 1761: pk->dsa = NULL;
1.92 djm 1762: pk->ecdsa = NULL;
1.42 markus 1763: pk->rsa = NULL;
1.109 markus 1764: pk->ed25519_pk = NULL;
1765: pk->ed25519_sk = NULL;
1.42 markus 1766:
1767: switch (k->type) {
1.87 djm 1768: case KEY_RSA_CERT_V00:
1.83 djm 1769: case KEY_RSA_CERT:
1770: key_cert_copy(k, pk);
1771: /* FALLTHROUGH */
1.42 markus 1772: case KEY_RSA1:
1773: case KEY_RSA:
1774: if ((pk->rsa = RSA_new()) == NULL)
1775: fatal("key_demote: RSA_new failed");
1776: if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1777: fatal("key_demote: BN_dup failed");
1778: if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1779: fatal("key_demote: BN_dup failed");
1780: break;
1.87 djm 1781: case KEY_DSA_CERT_V00:
1.83 djm 1782: case KEY_DSA_CERT:
1783: key_cert_copy(k, pk);
1784: /* FALLTHROUGH */
1.42 markus 1785: case KEY_DSA:
1786: if ((pk->dsa = DSA_new()) == NULL)
1787: fatal("key_demote: DSA_new failed");
1788: if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1789: fatal("key_demote: BN_dup failed");
1790: if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1791: fatal("key_demote: BN_dup failed");
1792: if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1793: fatal("key_demote: BN_dup failed");
1794: if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1795: fatal("key_demote: BN_dup failed");
1796: break;
1.92 djm 1797: case KEY_ECDSA_CERT:
1798: key_cert_copy(k, pk);
1799: /* FALLTHROUGH */
1800: case KEY_ECDSA:
1801: if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
1802: fatal("key_demote: EC_KEY_new_by_curve_name failed");
1803: if (EC_KEY_set_public_key(pk->ecdsa,
1804: EC_KEY_get0_public_key(k->ecdsa)) != 1)
1805: fatal("key_demote: EC_KEY_set_public_key failed");
1806: break;
1.109 markus 1807: case KEY_ED25519_CERT:
1808: key_cert_copy(k, pk);
1809: /* FALLTHROUGH */
1810: case KEY_ED25519:
1811: if (k->ed25519_pk != NULL) {
1812: pk->ed25519_pk = xmalloc(ED25519_PK_SZ);
1813: memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1814: }
1815: break;
1.42 markus 1816: default:
1.109 markus 1817: fatal("key_demote: bad key type %d", k->type);
1.42 markus 1818: break;
1819: }
1820:
1821: return (pk);
1.83 djm 1822: }
1823:
1824: int
1825: key_is_cert(const Key *k)
1826: {
1.87 djm 1827: if (k == NULL)
1828: return 0;
1.105 djm 1829: return key_type_is_cert(k->type);
1.83 djm 1830: }
1831:
1832: /* Return the cert-less equivalent to a certified key type */
1833: int
1834: key_type_plain(int type)
1835: {
1836: switch (type) {
1.87 djm 1837: case KEY_RSA_CERT_V00:
1.83 djm 1838: case KEY_RSA_CERT:
1839: return KEY_RSA;
1.87 djm 1840: case KEY_DSA_CERT_V00:
1.83 djm 1841: case KEY_DSA_CERT:
1842: return KEY_DSA;
1.92 djm 1843: case KEY_ECDSA_CERT:
1844: return KEY_ECDSA;
1.109 markus 1845: case KEY_ED25519_CERT:
1846: return KEY_ED25519;
1.83 djm 1847: default:
1848: return type;
1849: }
1850: }
1851:
1.112 ! djm 1852: /* Convert a plain key to their _CERT equivalent */
1.83 djm 1853: int
1.87 djm 1854: key_to_certified(Key *k, int legacy)
1.83 djm 1855: {
1856: switch (k->type) {
1857: case KEY_RSA:
1858: k->cert = cert_new();
1.87 djm 1859: k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
1.83 djm 1860: return 0;
1861: case KEY_DSA:
1862: k->cert = cert_new();
1.87 djm 1863: k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
1.83 djm 1864: return 0;
1.92 djm 1865: case KEY_ECDSA:
1.97 djm 1866: if (legacy)
1867: fatal("%s: legacy ECDSA certificates are not supported",
1868: __func__);
1.92 djm 1869: k->cert = cert_new();
1870: k->type = KEY_ECDSA_CERT;
1871: return 0;
1.109 markus 1872: case KEY_ED25519:
1873: if (legacy)
1874: fatal("%s: legacy ED25519 certificates are not "
1875: "supported", __func__);
1876: k->cert = cert_new();
1877: k->type = KEY_ED25519_CERT;
1878: return 0;
1.83 djm 1879: default:
1880: error("%s: key has incorrect type %s", __func__, key_type(k));
1881: return -1;
1882: }
1883: }
1884:
1885: /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1886: int
1887: key_drop_cert(Key *k)
1888: {
1.109 markus 1889: if (!key_type_is_cert(k->type)) {
1.83 djm 1890: error("%s: key has incorrect type %s", __func__, key_type(k));
1891: return -1;
1892: }
1.109 markus 1893: cert_free(k->cert);
1.110 djm 1894: k->cert = NULL;
1.109 markus 1895: k->type = key_type_plain(k->type);
1896: return 0;
1.83 djm 1897: }
1898:
1.109 markus 1899: /* Sign a certified key, (re-)generating the signed certblob. */
1.83 djm 1900: int
1901: key_certify(Key *k, Key *ca)
1902: {
1903: Buffer principals;
1904: u_char *ca_blob, *sig_blob, nonce[32];
1905: u_int i, ca_len, sig_len;
1906:
1907: if (k->cert == NULL) {
1908: error("%s: key lacks cert info", __func__);
1909: return -1;
1910: }
1911:
1912: if (!key_is_cert(k)) {
1913: error("%s: certificate has unknown type %d", __func__,
1914: k->cert->type);
1915: return -1;
1916: }
1917:
1.92 djm 1918: if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
1.109 markus 1919: ca->type != KEY_ECDSA && ca->type != KEY_ED25519) {
1.83 djm 1920: error("%s: CA key has unsupported type %s", __func__,
1921: key_type(ca));
1922: return -1;
1923: }
1924:
1925: key_to_blob(ca, &ca_blob, &ca_len);
1926:
1927: buffer_clear(&k->cert->certblob);
1928: buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1929:
1.87 djm 1930: /* -v01 certs put nonce first */
1.96 djm 1931: arc4random_buf(&nonce, sizeof(nonce));
1932: if (!key_cert_is_legacy(k))
1.87 djm 1933: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1934:
1.108 markus 1935: /* XXX this substantially duplicates to_blob(); refactor */
1.83 djm 1936: switch (k->type) {
1.87 djm 1937: case KEY_DSA_CERT_V00:
1.83 djm 1938: case KEY_DSA_CERT:
1939: buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1940: buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1941: buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1942: buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1943: break;
1.92 djm 1944: case KEY_ECDSA_CERT:
1945: buffer_put_cstring(&k->cert->certblob,
1946: key_curve_nid_to_name(k->ecdsa_nid));
1947: buffer_put_ecpoint(&k->cert->certblob,
1948: EC_KEY_get0_group(k->ecdsa),
1949: EC_KEY_get0_public_key(k->ecdsa));
1950: break;
1.87 djm 1951: case KEY_RSA_CERT_V00:
1.83 djm 1952: case KEY_RSA_CERT:
1953: buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1954: buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1955: break;
1.109 markus 1956: case KEY_ED25519_CERT:
1957: buffer_put_string(&k->cert->certblob,
1958: k->ed25519_pk, ED25519_PK_SZ);
1959: break;
1.83 djm 1960: default:
1961: error("%s: key has incorrect type %s", __func__, key_type(k));
1962: buffer_clear(&k->cert->certblob);
1.103 djm 1963: free(ca_blob);
1.83 djm 1964: return -1;
1965: }
1966:
1.87 djm 1967: /* -v01 certs have a serial number next */
1.92 djm 1968: if (!key_cert_is_legacy(k))
1.87 djm 1969: buffer_put_int64(&k->cert->certblob, k->cert->serial);
1970:
1.83 djm 1971: buffer_put_int(&k->cert->certblob, k->cert->type);
1972: buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1973:
1974: buffer_init(&principals);
1975: for (i = 0; i < k->cert->nprincipals; i++)
1976: buffer_put_cstring(&principals, k->cert->principals[i]);
1977: buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1978: buffer_len(&principals));
1979: buffer_free(&principals);
1980:
1981: buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1982: buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1983: buffer_put_string(&k->cert->certblob,
1.87 djm 1984: buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
1985:
1986: /* -v01 certs have non-critical options here */
1.92 djm 1987: if (!key_cert_is_legacy(k)) {
1.87 djm 1988: buffer_put_string(&k->cert->certblob,
1989: buffer_ptr(&k->cert->extensions),
1990: buffer_len(&k->cert->extensions));
1991: }
1992:
1993: /* -v00 certs put the nonce at the end */
1.92 djm 1994: if (key_cert_is_legacy(k))
1.87 djm 1995: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1.83 djm 1996:
1997: buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1998: buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1.103 djm 1999: free(ca_blob);
1.83 djm 2000:
2001: /* Sign the whole mess */
2002: if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
2003: buffer_len(&k->cert->certblob)) != 0) {
2004: error("%s: signature operation failed", __func__);
2005: buffer_clear(&k->cert->certblob);
2006: return -1;
2007: }
2008: /* Append signature and we are done */
2009: buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1.103 djm 2010: free(sig_blob);
1.83 djm 2011:
2012: return 0;
2013: }
2014:
2015: int
2016: key_cert_check_authority(const Key *k, int want_host, int require_principal,
2017: const char *name, const char **reason)
2018: {
2019: u_int i, principal_matches;
2020: time_t now = time(NULL);
2021:
2022: if (want_host) {
2023: if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2024: *reason = "Certificate invalid: not a host certificate";
2025: return -1;
2026: }
2027: } else {
2028: if (k->cert->type != SSH2_CERT_TYPE_USER) {
2029: *reason = "Certificate invalid: not a user certificate";
2030: return -1;
2031: }
2032: }
2033: if (now < 0) {
2034: error("%s: system clock lies before epoch", __func__);
2035: *reason = "Certificate invalid: not yet valid";
2036: return -1;
2037: }
2038: if ((u_int64_t)now < k->cert->valid_after) {
2039: *reason = "Certificate invalid: not yet valid";
2040: return -1;
2041: }
2042: if ((u_int64_t)now >= k->cert->valid_before) {
2043: *reason = "Certificate invalid: expired";
2044: return -1;
2045: }
2046: if (k->cert->nprincipals == 0) {
2047: if (require_principal) {
2048: *reason = "Certificate lacks principal list";
2049: return -1;
2050: }
1.88 djm 2051: } else if (name != NULL) {
1.83 djm 2052: principal_matches = 0;
2053: for (i = 0; i < k->cert->nprincipals; i++) {
2054: if (strcmp(name, k->cert->principals[i]) == 0) {
2055: principal_matches = 1;
2056: break;
2057: }
2058: }
2059: if (!principal_matches) {
2060: *reason = "Certificate invalid: name is not a listed "
2061: "principal";
2062: return -1;
2063: }
2064: }
2065: return 0;
1.87 djm 2066: }
2067:
2068: int
1.100 djm 2069: key_cert_is_legacy(const Key *k)
1.87 djm 2070: {
2071: switch (k->type) {
2072: case KEY_DSA_CERT_V00:
2073: case KEY_RSA_CERT_V00:
2074: return 1;
2075: default:
2076: return 0;
2077: }
1.4 markus 2078: }
1.92 djm 2079:
1.93 djm 2080: /* XXX: these are really begging for a table-driven approach */
1.92 djm 2081: int
2082: key_curve_name_to_nid(const char *name)
2083: {
2084: if (strcmp(name, "nistp256") == 0)
2085: return NID_X9_62_prime256v1;
2086: else if (strcmp(name, "nistp384") == 0)
2087: return NID_secp384r1;
2088: else if (strcmp(name, "nistp521") == 0)
2089: return NID_secp521r1;
2090:
2091: debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
2092: return -1;
2093: }
2094:
1.93 djm 2095: u_int
2096: key_curve_nid_to_bits(int nid)
2097: {
2098: switch (nid) {
2099: case NID_X9_62_prime256v1:
2100: return 256;
2101: case NID_secp384r1:
2102: return 384;
2103: case NID_secp521r1:
2104: return 521;
2105: default:
2106: error("%s: unsupported EC curve nid %d", __func__, nid);
2107: return 0;
2108: }
2109: }
2110:
1.92 djm 2111: const char *
2112: key_curve_nid_to_name(int nid)
2113: {
2114: if (nid == NID_X9_62_prime256v1)
2115: return "nistp256";
2116: else if (nid == NID_secp384r1)
2117: return "nistp384";
2118: else if (nid == NID_secp521r1)
2119: return "nistp521";
2120:
2121: error("%s: unsupported EC curve nid %d", __func__, nid);
2122: return NULL;
1.93 djm 2123: }
2124:
2125: const EVP_MD *
2126: key_ec_nid_to_evpmd(int nid)
2127: {
2128: int kbits = key_curve_nid_to_bits(nid);
2129:
2130: if (kbits == 0)
2131: fatal("%s: invalid nid %d", __func__, nid);
2132: /* RFC5656 section 6.2.1 */
2133: if (kbits <= 256)
2134: return EVP_sha256();
2135: else if (kbits <= 384)
2136: return EVP_sha384();
2137: else
2138: return EVP_sha512();
1.92 djm 2139: }
2140:
2141: int
2142: key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
2143: {
2144: BN_CTX *bnctx;
2145: EC_POINT *nq = NULL;
2146: BIGNUM *order, *x, *y, *tmp;
2147: int ret = -1;
2148:
2149: if ((bnctx = BN_CTX_new()) == NULL)
2150: fatal("%s: BN_CTX_new failed", __func__);
2151: BN_CTX_start(bnctx);
2152:
2153: /*
2154: * We shouldn't ever hit this case because bignum_get_ecpoint()
2155: * refuses to load GF2m points.
2156: */
2157: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2158: NID_X9_62_prime_field) {
2159: error("%s: group is not a prime field", __func__);
2160: goto out;
2161: }
2162:
2163: /* Q != infinity */
2164: if (EC_POINT_is_at_infinity(group, public)) {
2165: error("%s: received degenerate public key (infinity)",
2166: __func__);
2167: goto out;
2168: }
2169:
2170: if ((x = BN_CTX_get(bnctx)) == NULL ||
2171: (y = BN_CTX_get(bnctx)) == NULL ||
2172: (order = BN_CTX_get(bnctx)) == NULL ||
2173: (tmp = BN_CTX_get(bnctx)) == NULL)
2174: fatal("%s: BN_CTX_get failed", __func__);
2175:
2176: /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2177: if (EC_GROUP_get_order(group, order, bnctx) != 1)
2178: fatal("%s: EC_GROUP_get_order failed", __func__);
2179: if (EC_POINT_get_affine_coordinates_GFp(group, public,
2180: x, y, bnctx) != 1)
2181: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2182: if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
2183: error("%s: public key x coordinate too small: "
2184: "bits(x) = %d, bits(order)/2 = %d", __func__,
2185: BN_num_bits(x), BN_num_bits(order) / 2);
2186: goto out;
2187: }
2188: if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
2189: error("%s: public key y coordinate too small: "
2190: "bits(y) = %d, bits(order)/2 = %d", __func__,
2191: BN_num_bits(x), BN_num_bits(order) / 2);
2192: goto out;
2193: }
2194:
2195: /* nQ == infinity (n == order of subgroup) */
2196: if ((nq = EC_POINT_new(group)) == NULL)
2197: fatal("%s: BN_CTX_tmp failed", __func__);
2198: if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
2199: fatal("%s: EC_GROUP_mul failed", __func__);
2200: if (EC_POINT_is_at_infinity(group, nq) != 1) {
2201: error("%s: received degenerate public key (nQ != infinity)",
2202: __func__);
2203: goto out;
2204: }
2205:
2206: /* x < order - 1, y < order - 1 */
2207: if (!BN_sub(tmp, order, BN_value_one()))
2208: fatal("%s: BN_sub failed", __func__);
2209: if (BN_cmp(x, tmp) >= 0) {
2210: error("%s: public key x coordinate >= group order - 1",
2211: __func__);
2212: goto out;
2213: }
2214: if (BN_cmp(y, tmp) >= 0) {
2215: error("%s: public key y coordinate >= group order - 1",
2216: __func__);
2217: goto out;
2218: }
2219: ret = 0;
2220: out:
2221: BN_CTX_free(bnctx);
2222: EC_POINT_free(nq);
2223: return ret;
2224: }
2225:
2226: int
2227: key_ec_validate_private(const EC_KEY *key)
2228: {
2229: BN_CTX *bnctx;
2230: BIGNUM *order, *tmp;
2231: int ret = -1;
2232:
2233: if ((bnctx = BN_CTX_new()) == NULL)
2234: fatal("%s: BN_CTX_new failed", __func__);
2235: BN_CTX_start(bnctx);
2236:
2237: if ((order = BN_CTX_get(bnctx)) == NULL ||
2238: (tmp = BN_CTX_get(bnctx)) == NULL)
2239: fatal("%s: BN_CTX_get failed", __func__);
2240:
2241: /* log2(private) > log2(order)/2 */
2242: if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
2243: fatal("%s: EC_GROUP_get_order failed", __func__);
2244: if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2245: BN_num_bits(order) / 2) {
2246: error("%s: private key too small: "
2247: "bits(y) = %d, bits(order)/2 = %d", __func__,
2248: BN_num_bits(EC_KEY_get0_private_key(key)),
2249: BN_num_bits(order) / 2);
2250: goto out;
2251: }
2252:
2253: /* private < order - 1 */
2254: if (!BN_sub(tmp, order, BN_value_one()))
2255: fatal("%s: BN_sub failed", __func__);
2256: if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
2257: error("%s: private key >= group order - 1", __func__);
2258: goto out;
2259: }
2260: ret = 0;
2261: out:
2262: BN_CTX_free(bnctx);
2263: return ret;
2264: }
2265:
2266: #if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
2267: void
2268: key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2269: {
2270: BIGNUM *x, *y;
2271: BN_CTX *bnctx;
2272:
2273: if (point == NULL) {
2274: fputs("point=(NULL)\n", stderr);
2275: return;
2276: }
2277: if ((bnctx = BN_CTX_new()) == NULL)
2278: fatal("%s: BN_CTX_new failed", __func__);
2279: BN_CTX_start(bnctx);
2280: if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
2281: fatal("%s: BN_CTX_get failed", __func__);
2282: if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2283: NID_X9_62_prime_field)
2284: fatal("%s: group is not a prime field", __func__);
2285: if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
2286: fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2287: fputs("x=", stderr);
2288: BN_print_fp(stderr, x);
2289: fputs("\ny=", stderr);
2290: BN_print_fp(stderr, y);
2291: fputs("\n", stderr);
2292: BN_CTX_free(bnctx);
2293: }
2294:
2295: void
2296: key_dump_ec_key(const EC_KEY *key)
2297: {
2298: const BIGNUM *exponent;
2299:
2300: key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
2301: fputs("exponent=", stderr);
2302: if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
2303: fputs("(NULL)", stderr);
2304: else
2305: BN_print_fp(stderr, EC_KEY_get0_private_key(key));
2306: fputs("\n", stderr);
2307: }
2308: #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
2309:
1.107 markus 2310: void
2311: key_private_serialize(const Key *key, Buffer *b)
2312: {
2313: buffer_put_cstring(b, key_ssh_name(key));
2314: switch (key->type) {
2315: case KEY_RSA:
2316: buffer_put_bignum2(b, key->rsa->n);
2317: buffer_put_bignum2(b, key->rsa->e);
2318: buffer_put_bignum2(b, key->rsa->d);
2319: buffer_put_bignum2(b, key->rsa->iqmp);
2320: buffer_put_bignum2(b, key->rsa->p);
2321: buffer_put_bignum2(b, key->rsa->q);
2322: break;
2323: case KEY_RSA_CERT_V00:
2324: case KEY_RSA_CERT:
2325: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2326: fatal("%s: no cert/certblob", __func__);
2327: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2328: buffer_len(&key->cert->certblob));
2329: buffer_put_bignum2(b, key->rsa->d);
2330: buffer_put_bignum2(b, key->rsa->iqmp);
2331: buffer_put_bignum2(b, key->rsa->p);
2332: buffer_put_bignum2(b, key->rsa->q);
2333: break;
2334: case KEY_DSA:
2335: buffer_put_bignum2(b, key->dsa->p);
2336: buffer_put_bignum2(b, key->dsa->q);
2337: buffer_put_bignum2(b, key->dsa->g);
2338: buffer_put_bignum2(b, key->dsa->pub_key);
2339: buffer_put_bignum2(b, key->dsa->priv_key);
2340: break;
2341: case KEY_DSA_CERT_V00:
2342: case KEY_DSA_CERT:
2343: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2344: fatal("%s: no cert/certblob", __func__);
2345: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2346: buffer_len(&key->cert->certblob));
2347: buffer_put_bignum2(b, key->dsa->priv_key);
2348: break;
2349: case KEY_ECDSA:
2350: buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid));
2351: buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa),
2352: EC_KEY_get0_public_key(key->ecdsa));
2353: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2354: break;
2355: case KEY_ECDSA_CERT:
2356: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2357: fatal("%s: no cert/certblob", __func__);
2358: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2359: buffer_len(&key->cert->certblob));
2360: buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
2361: break;
1.109 markus 2362: case KEY_ED25519:
2363: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
2364: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
2365: break;
2366: case KEY_ED25519_CERT:
2367: if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
2368: fatal("%s: no cert/certblob", __func__);
2369: buffer_put_string(b, buffer_ptr(&key->cert->certblob),
2370: buffer_len(&key->cert->certblob));
2371: buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
2372: buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
2373: break;
1.107 markus 2374: }
2375: }
2376:
2377: Key *
2378: key_private_deserialize(Buffer *blob)
2379: {
2380: char *type_name, *curve;
2381: Key *k = NULL;
2382: BIGNUM *exponent;
2383: EC_POINT *q;
2384: u_char *cert;
1.109 markus 2385: u_int len, pklen, sklen;
1.107 markus 2386: int type;
2387:
2388: type_name = buffer_get_string(blob, NULL);
2389: type = key_type_from_name(type_name);
2390: switch (type) {
2391: case KEY_DSA:
2392: k = key_new_private(type);
2393: buffer_get_bignum2(blob, k->dsa->p);
2394: buffer_get_bignum2(blob, k->dsa->q);
2395: buffer_get_bignum2(blob, k->dsa->g);
2396: buffer_get_bignum2(blob, k->dsa->pub_key);
2397: buffer_get_bignum2(blob, k->dsa->priv_key);
2398: break;
2399: case KEY_DSA_CERT_V00:
2400: case KEY_DSA_CERT:
2401: cert = buffer_get_string(blob, &len);
2402: if ((k = key_from_blob(cert, len)) == NULL)
2403: fatal("Certificate parse failed");
2404: free(cert);
2405: key_add_private(k);
2406: buffer_get_bignum2(blob, k->dsa->priv_key);
2407: break;
2408: case KEY_ECDSA:
2409: k = key_new_private(type);
2410: k->ecdsa_nid = key_ecdsa_nid_from_name(type_name);
2411: curve = buffer_get_string(blob, NULL);
2412: if (k->ecdsa_nid != key_curve_name_to_nid(curve))
2413: fatal("%s: curve names mismatch", __func__);
2414: free(curve);
2415: k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
2416: if (k->ecdsa == NULL)
2417: fatal("%s: EC_KEY_new_by_curve_name failed",
2418: __func__);
2419: q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa));
2420: if (q == NULL)
2421: fatal("%s: BN_new failed", __func__);
2422: if ((exponent = BN_new()) == NULL)
2423: fatal("%s: BN_new failed", __func__);
2424: buffer_get_ecpoint(blob,
2425: EC_KEY_get0_group(k->ecdsa), q);
2426: buffer_get_bignum2(blob, exponent);
2427: if (EC_KEY_set_public_key(k->ecdsa, q) != 1)
2428: fatal("%s: EC_KEY_set_public_key failed",
2429: __func__);
2430: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2431: fatal("%s: EC_KEY_set_private_key failed",
2432: __func__);
2433: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2434: EC_KEY_get0_public_key(k->ecdsa)) != 0)
2435: fatal("%s: bad ECDSA public key", __func__);
2436: if (key_ec_validate_private(k->ecdsa) != 0)
2437: fatal("%s: bad ECDSA private key", __func__);
2438: BN_clear_free(exponent);
2439: EC_POINT_free(q);
2440: break;
2441: case KEY_ECDSA_CERT:
2442: cert = buffer_get_string(blob, &len);
2443: if ((k = key_from_blob(cert, len)) == NULL)
2444: fatal("Certificate parse failed");
2445: free(cert);
2446: key_add_private(k);
2447: if ((exponent = BN_new()) == NULL)
2448: fatal("%s: BN_new failed", __func__);
2449: buffer_get_bignum2(blob, exponent);
2450: if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
2451: fatal("%s: EC_KEY_set_private_key failed",
2452: __func__);
2453: if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2454: EC_KEY_get0_public_key(k->ecdsa)) != 0 ||
2455: key_ec_validate_private(k->ecdsa) != 0)
2456: fatal("%s: bad ECDSA key", __func__);
2457: BN_clear_free(exponent);
2458: break;
2459: case KEY_RSA:
2460: k = key_new_private(type);
2461: buffer_get_bignum2(blob, k->rsa->n);
2462: buffer_get_bignum2(blob, k->rsa->e);
2463: buffer_get_bignum2(blob, k->rsa->d);
2464: buffer_get_bignum2(blob, k->rsa->iqmp);
2465: buffer_get_bignum2(blob, k->rsa->p);
2466: buffer_get_bignum2(blob, k->rsa->q);
2467:
2468: /* Generate additional parameters */
2469: rsa_generate_additional_parameters(k->rsa);
2470: break;
2471: case KEY_RSA_CERT_V00:
2472: case KEY_RSA_CERT:
2473: cert = buffer_get_string(blob, &len);
2474: if ((k = key_from_blob(cert, len)) == NULL)
2475: fatal("Certificate parse failed");
2476: free(cert);
2477: key_add_private(k);
2478: buffer_get_bignum2(blob, k->rsa->d);
2479: buffer_get_bignum2(blob, k->rsa->iqmp);
2480: buffer_get_bignum2(blob, k->rsa->p);
2481: buffer_get_bignum2(blob, k->rsa->q);
1.109 markus 2482: break;
2483: case KEY_ED25519:
2484: k = key_new_private(type);
2485: k->ed25519_pk = buffer_get_string(blob, &pklen);
2486: k->ed25519_sk = buffer_get_string(blob, &sklen);
2487: if (pklen != ED25519_PK_SZ)
2488: fatal("%s: ed25519 pklen %d != %d",
2489: __func__, pklen, ED25519_PK_SZ);
2490: if (sklen != ED25519_SK_SZ)
2491: fatal("%s: ed25519 sklen %d != %d",
2492: __func__, sklen, ED25519_SK_SZ);
2493: break;
2494: case KEY_ED25519_CERT:
2495: cert = buffer_get_string(blob, &len);
2496: if ((k = key_from_blob(cert, len)) == NULL)
2497: fatal("Certificate parse failed");
2498: free(cert);
2499: key_add_private(k);
2500: k->ed25519_pk = buffer_get_string(blob, &pklen);
2501: k->ed25519_sk = buffer_get_string(blob, &sklen);
2502: if (pklen != ED25519_PK_SZ)
2503: fatal("%s: ed25519 pklen %d != %d",
2504: __func__, pklen, ED25519_PK_SZ);
2505: if (sklen != ED25519_SK_SZ)
2506: fatal("%s: ed25519 sklen %d != %d",
2507: __func__, sklen, ED25519_SK_SZ);
1.107 markus 2508: break;
2509: default:
2510: free(type_name);
2511: buffer_clear(blob);
2512: return NULL;
2513: }
2514: free(type_name);
2515:
2516: /* enable blinding */
2517: switch (k->type) {
2518: case KEY_RSA:
2519: case KEY_RSA_CERT_V00:
2520: case KEY_RSA_CERT:
2521: case KEY_RSA1:
2522: if (RSA_blinding_on(k->rsa, NULL) != 1) {
2523: error("%s: RSA_blinding_on failed", __func__);
2524: key_free(k);
2525: return NULL;
2526: }
2527: break;
2528: }
2529: return k;
2530: }