Annotation of src/usr.bin/ssh/key.c, Revision 1.87
1.87 ! djm 1: /* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
1.1 markus 2: /*
1.11 deraadt 3: * read_bignum():
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: *
6: * As far as I am concerned, the code I have written for this software
7: * can be used freely for any purpose. Any derived versions of this
8: * software must be clearly marked as such, and if the derived work is
9: * incompatible with the protocol description in the RFC file, it must be
10: * called by a name other than "ssh" or "Secure Shell".
11: *
12: *
1.28 markus 13: * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1.76 grunk 14: * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
1.1 markus 15: *
16: * Redistribution and use in source and binary forms, with or without
17: * modification, are permitted provided that the following conditions
18: * are met:
19: * 1. Redistributions of source code must retain the above copyright
20: * notice, this list of conditions and the following disclaimer.
21: * 2. Redistributions in binary form must reproduce the above copyright
22: * notice, this list of conditions and the following disclaimer in the
23: * documentation and/or other materials provided with the distribution.
24: *
25: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35: */
1.67 deraadt 36:
1.70 grunk 37: #include <sys/param.h>
1.67 deraadt 38: #include <sys/types.h>
1.1 markus 39:
1.2 markus 40: #include <openssl/evp.h>
1.65 stevesk 41:
1.66 stevesk 42: #include <stdio.h>
1.65 stevesk 43: #include <string.h>
1.15 markus 44:
1.1 markus 45: #include "xmalloc.h"
46: #include "key.h"
1.12 markus 47: #include "rsa.h"
1.3 markus 48: #include "uuencode.h"
1.12 markus 49: #include "buffer.h"
1.15 markus 50: #include "log.h"
1.83 djm 51: #include "ssh2.h"
52:
53: static struct KeyCert *
54: cert_new(void)
55: {
56: struct KeyCert *cert;
57:
58: cert = xcalloc(1, sizeof(*cert));
59: buffer_init(&cert->certblob);
1.87 ! djm 60: buffer_init(&cert->critical);
! 61: buffer_init(&cert->extensions);
1.83 djm 62: cert->key_id = NULL;
63: cert->principals = NULL;
64: cert->signature_key = NULL;
65: return cert;
66: }
1.1 markus 67:
68: Key *
69: key_new(int type)
70: {
71: Key *k;
72: RSA *rsa;
73: DSA *dsa;
1.63 djm 74: k = xcalloc(1, sizeof(*k));
1.1 markus 75: k->type = type;
1.3 markus 76: k->dsa = NULL;
77: k->rsa = NULL;
1.83 djm 78: k->cert = NULL;
1.1 markus 79: switch (k->type) {
1.12 markus 80: case KEY_RSA1:
1.1 markus 81: case KEY_RSA:
1.87 ! djm 82: case KEY_RSA_CERT_V00:
1.83 djm 83: case KEY_RSA_CERT:
1.38 markus 84: if ((rsa = RSA_new()) == NULL)
85: fatal("key_new: RSA_new failed");
86: if ((rsa->n = BN_new()) == NULL)
87: fatal("key_new: BN_new failed");
88: if ((rsa->e = BN_new()) == NULL)
89: fatal("key_new: BN_new failed");
1.1 markus 90: k->rsa = rsa;
91: break;
92: case KEY_DSA:
1.87 ! djm 93: case KEY_DSA_CERT_V00:
1.83 djm 94: case KEY_DSA_CERT:
1.38 markus 95: if ((dsa = DSA_new()) == NULL)
96: fatal("key_new: DSA_new failed");
97: if ((dsa->p = BN_new()) == NULL)
98: fatal("key_new: BN_new failed");
99: if ((dsa->q = BN_new()) == NULL)
100: fatal("key_new: BN_new failed");
101: if ((dsa->g = BN_new()) == NULL)
102: fatal("key_new: BN_new failed");
103: if ((dsa->pub_key = BN_new()) == NULL)
104: fatal("key_new: BN_new failed");
1.1 markus 105: k->dsa = dsa;
106: break;
1.12 markus 107: case KEY_UNSPEC:
1.1 markus 108: break;
109: default:
110: fatal("key_new: bad key type %d", k->type);
111: break;
112: }
1.83 djm 113:
114: if (key_is_cert(k))
115: k->cert = cert_new();
116:
1.1 markus 117: return k;
118: }
1.45 deraadt 119:
1.83 djm 120: void
121: key_add_private(Key *k)
1.12 markus 122: {
123: switch (k->type) {
124: case KEY_RSA1:
125: case KEY_RSA:
1.87 ! djm 126: case KEY_RSA_CERT_V00:
1.83 djm 127: case KEY_RSA_CERT:
1.38 markus 128: if ((k->rsa->d = BN_new()) == NULL)
129: fatal("key_new_private: BN_new failed");
130: if ((k->rsa->iqmp = BN_new()) == NULL)
131: fatal("key_new_private: BN_new failed");
132: if ((k->rsa->q = BN_new()) == NULL)
133: fatal("key_new_private: BN_new failed");
134: if ((k->rsa->p = BN_new()) == NULL)
135: fatal("key_new_private: BN_new failed");
136: if ((k->rsa->dmq1 = BN_new()) == NULL)
137: fatal("key_new_private: BN_new failed");
138: if ((k->rsa->dmp1 = BN_new()) == NULL)
139: fatal("key_new_private: BN_new failed");
1.12 markus 140: break;
141: case KEY_DSA:
1.87 ! djm 142: case KEY_DSA_CERT_V00:
1.83 djm 143: case KEY_DSA_CERT:
1.38 markus 144: if ((k->dsa->priv_key = BN_new()) == NULL)
145: fatal("key_new_private: BN_new failed");
1.12 markus 146: break;
147: case KEY_UNSPEC:
148: break;
149: default:
150: break;
151: }
1.83 djm 152: }
153:
154: Key *
155: key_new_private(int type)
156: {
157: Key *k = key_new(type);
158:
159: key_add_private(k);
1.12 markus 160: return k;
161: }
1.45 deraadt 162:
1.83 djm 163: static void
164: cert_free(struct KeyCert *cert)
165: {
166: u_int i;
167:
168: buffer_free(&cert->certblob);
1.87 ! djm 169: buffer_free(&cert->critical);
! 170: buffer_free(&cert->extensions);
1.83 djm 171: if (cert->key_id != NULL)
172: xfree(cert->key_id);
173: for (i = 0; i < cert->nprincipals; i++)
174: xfree(cert->principals[i]);
175: if (cert->principals != NULL)
176: xfree(cert->principals);
177: if (cert->signature_key != NULL)
178: key_free(cert->signature_key);
179: }
180:
1.1 markus 181: void
182: key_free(Key *k)
183: {
1.60 djm 184: if (k == NULL)
1.62 deraadt 185: fatal("key_free: key is NULL");
1.1 markus 186: switch (k->type) {
1.12 markus 187: case KEY_RSA1:
1.1 markus 188: case KEY_RSA:
1.87 ! djm 189: case KEY_RSA_CERT_V00:
1.83 djm 190: case KEY_RSA_CERT:
1.1 markus 191: if (k->rsa != NULL)
192: RSA_free(k->rsa);
193: k->rsa = NULL;
194: break;
195: case KEY_DSA:
1.87 ! djm 196: case KEY_DSA_CERT_V00:
1.83 djm 197: case KEY_DSA_CERT:
1.1 markus 198: if (k->dsa != NULL)
199: DSA_free(k->dsa);
200: k->dsa = NULL;
201: break;
1.12 markus 202: case KEY_UNSPEC:
203: break;
1.1 markus 204: default:
205: fatal("key_free: bad key type %d", k->type);
206: break;
207: }
1.83 djm 208: if (key_is_cert(k)) {
209: if (k->cert != NULL)
210: cert_free(k->cert);
211: k->cert = NULL;
212: }
213:
1.1 markus 214: xfree(k);
215: }
1.55 jakob 216:
1.83 djm 217: static int
218: cert_compare(struct KeyCert *a, struct KeyCert *b)
219: {
220: if (a == NULL && b == NULL)
221: return 1;
222: if (a == NULL || b == NULL)
223: return 0;
224: if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
225: return 0;
226: if (memcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
227: buffer_len(&a->certblob)) != 0)
228: return 0;
229: return 1;
230: }
231:
232: /*
233: * Compare public portions of key only, allowing comparisons between
234: * certificates and plain keys too.
235: */
1.1 markus 236: int
1.83 djm 237: key_equal_public(const Key *a, const Key *b)
1.1 markus 238: {
1.83 djm 239: if (a == NULL || b == NULL ||
240: key_type_plain(a->type) != key_type_plain(b->type))
1.1 markus 241: return 0;
1.83 djm 242:
1.1 markus 243: switch (a->type) {
1.12 markus 244: case KEY_RSA1:
1.87 ! djm 245: case KEY_RSA_CERT_V00:
1.83 djm 246: case KEY_RSA_CERT:
1.1 markus 247: case KEY_RSA:
248: return a->rsa != NULL && b->rsa != NULL &&
249: BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
250: BN_cmp(a->rsa->n, b->rsa->n) == 0;
1.87 ! djm 251: case KEY_DSA_CERT_V00:
1.83 djm 252: case KEY_DSA_CERT:
1.1 markus 253: case KEY_DSA:
254: return a->dsa != NULL && b->dsa != NULL &&
255: BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
256: BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
257: BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
258: BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
259: default:
1.3 markus 260: fatal("key_equal: bad key type %d", a->type);
1.1 markus 261: }
1.78 stevesk 262: /* NOTREACHED */
1.1 markus 263: }
264:
1.83 djm 265: int
266: key_equal(const Key *a, const Key *b)
267: {
268: if (a == NULL || b == NULL || a->type != b->type)
269: return 0;
270: if (key_is_cert(a)) {
271: if (!cert_compare(a->cert, b->cert))
272: return 0;
273: }
274: return key_equal_public(a, b);
275: }
276:
1.52 jakob 277: u_char*
1.83 djm 278: key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
1.1 markus 279: {
1.41 markus 280: const EVP_MD *md = NULL;
1.21 markus 281: EVP_MD_CTX ctx;
1.13 markus 282: u_char *blob = NULL;
1.19 jakob 283: u_char *retval = NULL;
1.40 markus 284: u_int len = 0;
1.83 djm 285: int nlen, elen, otype;
1.1 markus 286:
1.19 jakob 287: *dgst_raw_length = 0;
288:
1.21 markus 289: switch (dgst_type) {
290: case SSH_FP_MD5:
291: md = EVP_md5();
292: break;
293: case SSH_FP_SHA1:
294: md = EVP_sha1();
295: break;
296: default:
297: fatal("key_fingerprint_raw: bad digest type %d",
298: dgst_type);
299: }
1.1 markus 300: switch (k->type) {
1.12 markus 301: case KEY_RSA1:
1.1 markus 302: nlen = BN_num_bytes(k->rsa->n);
303: elen = BN_num_bytes(k->rsa->e);
304: len = nlen + elen;
1.3 markus 305: blob = xmalloc(len);
306: BN_bn2bin(k->rsa->n, blob);
307: BN_bn2bin(k->rsa->e, blob + nlen);
1.1 markus 308: break;
309: case KEY_DSA:
1.12 markus 310: case KEY_RSA:
311: key_to_blob(k, &blob, &len);
312: break;
1.87 ! djm 313: case KEY_DSA_CERT_V00:
! 314: case KEY_RSA_CERT_V00:
1.83 djm 315: case KEY_DSA_CERT:
316: case KEY_RSA_CERT:
317: /* We want a fingerprint of the _key_ not of the cert */
318: otype = k->type;
319: k->type = key_type_plain(k->type);
320: key_to_blob(k, &blob, &len);
321: k->type = otype;
322: break;
1.12 markus 323: case KEY_UNSPEC:
324: return retval;
1.1 markus 325: default:
1.19 jakob 326: fatal("key_fingerprint_raw: bad key type %d", k->type);
1.1 markus 327: break;
328: }
1.3 markus 329: if (blob != NULL) {
1.19 jakob 330: retval = xmalloc(EVP_MAX_MD_SIZE);
1.8 markus 331: EVP_DigestInit(&ctx, md);
332: EVP_DigestUpdate(&ctx, blob, len);
1.39 markus 333: EVP_DigestFinal(&ctx, retval, dgst_raw_length);
1.3 markus 334: memset(blob, 0, len);
335: xfree(blob);
1.19 jakob 336: } else {
337: fatal("key_fingerprint_raw: blob is null");
1.1 markus 338: }
1.19 jakob 339: return retval;
340: }
341:
1.46 deraadt 342: static char *
343: key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 344: {
345: char *retval;
1.58 djm 346: u_int i;
1.19 jakob 347:
1.63 djm 348: retval = xcalloc(1, dgst_raw_len * 3 + 1);
1.36 deraadt 349: for (i = 0; i < dgst_raw_len; i++) {
1.19 jakob 350: char hex[4];
351: snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
1.54 avsm 352: strlcat(retval, hex, dgst_raw_len * 3 + 1);
1.19 jakob 353: }
1.54 avsm 354:
355: /* Remove the trailing ':' character */
1.19 jakob 356: retval[(dgst_raw_len * 3) - 1] = '\0';
357: return retval;
358: }
359:
1.46 deraadt 360: static char *
361: key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
1.19 jakob 362: {
363: char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
364: char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
365: 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
1.20 jakob 366: u_int i, j = 0, rounds, seed = 1;
1.19 jakob 367: char *retval;
368:
369: rounds = (dgst_raw_len / 2) + 1;
1.63 djm 370: retval = xcalloc((rounds * 6), sizeof(char));
1.20 jakob 371: retval[j++] = 'x';
372: for (i = 0; i < rounds; i++) {
1.19 jakob 373: u_int idx0, idx1, idx2, idx3, idx4;
1.20 jakob 374: if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
375: idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1.19 jakob 376: seed) % 6;
1.20 jakob 377: idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
378: idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1.19 jakob 379: (seed / 6)) % 6;
1.20 jakob 380: retval[j++] = vowels[idx0];
381: retval[j++] = consonants[idx1];
382: retval[j++] = vowels[idx2];
383: if ((i + 1) < rounds) {
384: idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
385: idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
386: retval[j++] = consonants[idx3];
387: retval[j++] = '-';
388: retval[j++] = consonants[idx4];
1.19 jakob 389: seed = ((seed * 5) +
1.20 jakob 390: ((((u_int)(dgst_raw[2 * i])) * 7) +
391: ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1.19 jakob 392: }
393: } else {
394: idx0 = seed % 6;
395: idx1 = 16;
396: idx2 = seed / 6;
1.20 jakob 397: retval[j++] = vowels[idx0];
398: retval[j++] = consonants[idx1];
399: retval[j++] = vowels[idx2];
1.19 jakob 400: }
401: }
1.20 jakob 402: retval[j++] = 'x';
403: retval[j++] = '\0';
1.19 jakob 404: return retval;
405: }
406:
1.70 grunk 407: /*
408: * Draw an ASCII-Art representing the fingerprint so human brain can
409: * profit from its built-in pattern recognition ability.
410: * This technique is called "random art" and can be found in some
411: * scientific publications like this original paper:
412: *
413: * "Hash Visualization: a New Technique to improve Real-World Security",
414: * Perrig A. and Song D., 1999, International Workshop on Cryptographic
415: * Techniques and E-Commerce (CrypTEC '99)
416: * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
417: *
418: * The subject came up in a talk by Dan Kaminsky, too.
419: *
420: * If you see the picture is different, the key is different.
421: * If the picture looks the same, you still know nothing.
422: *
423: * The algorithm used here is a worm crawling over a discrete plane,
424: * leaving a trace (augmenting the field) everywhere it goes.
425: * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
426: * makes the respective movement vector be ignored for this turn.
427: * Graphs are not unambiguous, because circles in graphs can be
428: * walked in either direction.
429: */
1.74 grunk 430:
431: /*
432: * Field sizes for the random art. Have to be odd, so the starting point
433: * can be in the exact middle of the picture, and FLDBASE should be >=8 .
434: * Else pictures would be too dense, and drawing the frame would
435: * fail, too, because the key type would not fit in anymore.
436: */
437: #define FLDBASE 8
438: #define FLDSIZE_Y (FLDBASE + 1)
439: #define FLDSIZE_X (FLDBASE * 2 + 1)
1.70 grunk 440: static char *
1.74 grunk 441: key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
1.70 grunk 442: {
443: /*
444: * Chars to be used after each other every time the worm
445: * intersects with itself. Matter of taste.
446: */
1.75 grunk 447: char *augmentation_string = " .o+=*BOX@%&#/^SE";
1.70 grunk 448: char *retval, *p;
1.71 otto 449: u_char field[FLDSIZE_X][FLDSIZE_Y];
1.70 grunk 450: u_int i, b;
451: int x, y;
1.72 grunk 452: size_t len = strlen(augmentation_string) - 1;
1.70 grunk 453:
454: retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
455:
456: /* initialize field */
1.71 otto 457: memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1.70 grunk 458: x = FLDSIZE_X / 2;
459: y = FLDSIZE_Y / 2;
460:
461: /* process raw key */
462: for (i = 0; i < dgst_raw_len; i++) {
463: int input;
464: /* each byte conveys four 2-bit move commands */
465: input = dgst_raw[i];
466: for (b = 0; b < 4; b++) {
467: /* evaluate 2 bit, rest is shifted later */
468: x += (input & 0x1) ? 1 : -1;
469: y += (input & 0x2) ? 1 : -1;
470:
471: /* assure we are still in bounds */
472: x = MAX(x, 0);
473: y = MAX(y, 0);
474: x = MIN(x, FLDSIZE_X - 1);
475: y = MIN(y, FLDSIZE_Y - 1);
476:
477: /* augment the field */
1.79 grunk 478: if (field[x][y] < len - 2)
479: field[x][y]++;
1.70 grunk 480: input = input >> 2;
481: }
482: }
1.75 grunk 483:
484: /* mark starting point and end point*/
485: field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
486: field[x][y] = len;
1.70 grunk 487:
488: /* fill in retval */
1.77 otto 489: snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
1.74 grunk 490: p = strchr(retval, '\0');
1.70 grunk 491:
492: /* output upper border */
1.77 otto 493: for (i = p - retval - 1; i < FLDSIZE_X; i++)
1.70 grunk 494: *p++ = '-';
495: *p++ = '+';
496: *p++ = '\n';
497:
498: /* output content */
499: for (y = 0; y < FLDSIZE_Y; y++) {
500: *p++ = '|';
501: for (x = 0; x < FLDSIZE_X; x++)
1.72 grunk 502: *p++ = augmentation_string[MIN(field[x][y], len)];
1.70 grunk 503: *p++ = '|';
504: *p++ = '\n';
505: }
506:
507: /* output lower border */
508: *p++ = '+';
509: for (i = 0; i < FLDSIZE_X; i++)
510: *p++ = '-';
511: *p++ = '+';
512:
513: return retval;
514: }
515:
1.46 deraadt 516: char *
1.83 djm 517: key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
1.19 jakob 518: {
1.23 markus 519: char *retval = NULL;
1.19 jakob 520: u_char *dgst_raw;
1.39 markus 521: u_int dgst_raw_len;
1.36 deraadt 522:
1.19 jakob 523: dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
524: if (!dgst_raw)
1.22 markus 525: fatal("key_fingerprint: null from key_fingerprint_raw()");
1.35 deraadt 526: switch (dgst_rep) {
1.19 jakob 527: case SSH_FP_HEX:
528: retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
529: break;
530: case SSH_FP_BUBBLEBABBLE:
531: retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1.70 grunk 532: break;
533: case SSH_FP_RANDOMART:
1.74 grunk 534: retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
1.19 jakob 535: break;
536: default:
1.80 stevesk 537: fatal("key_fingerprint: bad digest representation %d",
1.19 jakob 538: dgst_rep);
539: break;
540: }
541: memset(dgst_raw, 0, dgst_raw_len);
542: xfree(dgst_raw);
1.1 markus 543: return retval;
544: }
545:
546: /*
547: * Reads a multiple-precision integer in decimal from the buffer, and advances
548: * the pointer. The integer must already be initialized. This function is
549: * permitted to modify the buffer. This leaves *cpp to point just beyond the
550: * last processed (and maybe modified) character. Note that this may modify
551: * the buffer containing the number.
552: */
1.27 itojun 553: static int
1.1 markus 554: read_bignum(char **cpp, BIGNUM * value)
555: {
556: char *cp = *cpp;
557: int old;
558:
559: /* Skip any leading whitespace. */
560: for (; *cp == ' ' || *cp == '\t'; cp++)
561: ;
562:
563: /* Check that it begins with a decimal digit. */
564: if (*cp < '0' || *cp > '9')
565: return 0;
566:
567: /* Save starting position. */
568: *cpp = cp;
569:
570: /* Move forward until all decimal digits skipped. */
571: for (; *cp >= '0' && *cp <= '9'; cp++)
572: ;
573:
574: /* Save the old terminating character, and replace it by \0. */
575: old = *cp;
576: *cp = 0;
577:
578: /* Parse the number. */
579: if (BN_dec2bn(&value, *cpp) == 0)
580: return 0;
581:
582: /* Restore old terminating character. */
583: *cp = old;
584:
585: /* Move beyond the number and return success. */
586: *cpp = cp;
587: return 1;
588: }
1.45 deraadt 589:
1.27 itojun 590: static int
1.1 markus 591: write_bignum(FILE *f, BIGNUM *num)
592: {
593: char *buf = BN_bn2dec(num);
594: if (buf == NULL) {
595: error("write_bignum: BN_bn2dec() failed");
596: return 0;
597: }
598: fprintf(f, " %s", buf);
1.33 markus 599: OPENSSL_free(buf);
1.1 markus 600: return 1;
601: }
1.12 markus 602:
1.32 markus 603: /* returns 1 ok, -1 error */
1.12 markus 604: int
1.3 markus 605: key_read(Key *ret, char **cpp)
1.1 markus 606: {
1.3 markus 607: Key *k;
1.12 markus 608: int success = -1;
609: char *cp, *space;
610: int len, n, type;
611: u_int bits;
1.13 markus 612: u_char *blob;
1.3 markus 613:
614: cp = *cpp;
615:
1.35 deraadt 616: switch (ret->type) {
1.12 markus 617: case KEY_RSA1:
1.3 markus 618: /* Get number of bits. */
619: if (*cp < '0' || *cp > '9')
1.12 markus 620: return -1; /* Bad bit count... */
1.3 markus 621: for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
622: bits = 10 * bits + *cp - '0';
1.1 markus 623: if (bits == 0)
1.12 markus 624: return -1;
1.3 markus 625: *cpp = cp;
1.1 markus 626: /* Get public exponent, public modulus. */
627: if (!read_bignum(cpp, ret->rsa->e))
1.12 markus 628: return -1;
1.1 markus 629: if (!read_bignum(cpp, ret->rsa->n))
1.12 markus 630: return -1;
1.82 dtucker 631: /* validate the claimed number of bits */
632: if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
633: verbose("key_read: claimed key size %d does not match "
634: "actual %d", bits, BN_num_bits(ret->rsa->n));
635: return -1;
636: }
1.12 markus 637: success = 1;
1.1 markus 638: break;
1.12 markus 639: case KEY_UNSPEC:
640: case KEY_RSA:
1.1 markus 641: case KEY_DSA:
1.87 ! djm 642: case KEY_DSA_CERT_V00:
! 643: case KEY_RSA_CERT_V00:
1.83 djm 644: case KEY_DSA_CERT:
645: case KEY_RSA_CERT:
1.12 markus 646: space = strchr(cp, ' ');
647: if (space == NULL) {
1.50 markus 648: debug3("key_read: missing whitespace");
1.12 markus 649: return -1;
650: }
651: *space = '\0';
652: type = key_type_from_name(cp);
653: *space = ' ';
654: if (type == KEY_UNSPEC) {
1.50 markus 655: debug3("key_read: missing keytype");
1.12 markus 656: return -1;
657: }
658: cp = space+1;
659: if (*cp == '\0') {
660: debug3("key_read: short string");
661: return -1;
662: }
663: if (ret->type == KEY_UNSPEC) {
664: ret->type = type;
665: } else if (ret->type != type) {
666: /* is a key, but different type */
667: debug3("key_read: type mismatch");
1.32 markus 668: return -1;
1.12 markus 669: }
1.3 markus 670: len = 2*strlen(cp);
671: blob = xmalloc(len);
672: n = uudecode(cp, blob, len);
1.6 markus 673: if (n < 0) {
1.7 markus 674: error("key_read: uudecode %s failed", cp);
1.34 markus 675: xfree(blob);
1.12 markus 676: return -1;
1.6 markus 677: }
1.53 markus 678: k = key_from_blob(blob, (u_int)n);
1.34 markus 679: xfree(blob);
1.7 markus 680: if (k == NULL) {
1.12 markus 681: error("key_read: key_from_blob %s failed", cp);
682: return -1;
1.7 markus 683: }
1.12 markus 684: if (k->type != type) {
685: error("key_read: type mismatch: encoding error");
686: key_free(k);
687: return -1;
688: }
689: /*XXXX*/
1.83 djm 690: if (key_is_cert(ret)) {
691: if (!key_is_cert(k)) {
692: error("key_read: loaded key is not a cert");
693: key_free(k);
694: return -1;
695: }
696: if (ret->cert != NULL)
697: cert_free(ret->cert);
698: ret->cert = k->cert;
699: k->cert = NULL;
700: }
701: if (key_type_plain(ret->type) == KEY_RSA) {
1.12 markus 702: if (ret->rsa != NULL)
703: RSA_free(ret->rsa);
704: ret->rsa = k->rsa;
705: k->rsa = NULL;
706: #ifdef DEBUG_PK
707: RSA_print_fp(stderr, ret->rsa, 8);
708: #endif
1.83 djm 709: }
710: if (key_type_plain(ret->type) == KEY_DSA) {
1.12 markus 711: if (ret->dsa != NULL)
712: DSA_free(ret->dsa);
713: ret->dsa = k->dsa;
714: k->dsa = NULL;
715: #ifdef DEBUG_PK
716: DSA_print_fp(stderr, ret->dsa, 8);
717: #endif
718: }
1.83 djm 719: success = 1;
1.12 markus 720: /*XXXX*/
1.34 markus 721: key_free(k);
1.12 markus 722: if (success != 1)
723: break;
1.7 markus 724: /* advance cp: skip whitespace and data */
725: while (*cp == ' ' || *cp == '\t')
726: cp++;
727: while (*cp != '\0' && *cp != ' ' && *cp != '\t')
728: cp++;
729: *cpp = cp;
1.1 markus 730: break;
731: default:
1.3 markus 732: fatal("key_read: bad key type: %d", ret->type);
1.1 markus 733: break;
734: }
1.12 markus 735: return success;
1.1 markus 736: }
1.45 deraadt 737:
1.1 markus 738: int
1.55 jakob 739: key_write(const Key *key, FILE *f)
1.1 markus 740: {
1.40 markus 741: int n, success = 0;
742: u_int len, bits = 0;
1.49 markus 743: u_char *blob;
744: char *uu;
1.1 markus 745:
1.83 djm 746: if (key_is_cert(key)) {
747: if (key->cert == NULL) {
748: error("%s: no cert data", __func__);
749: return 0;
750: }
751: if (buffer_len(&key->cert->certblob) == 0) {
752: error("%s: no signed certificate blob", __func__);
753: return 0;
754: }
755: }
756:
757: switch (key->type) {
758: case KEY_RSA1:
759: if (key->rsa == NULL)
760: return 0;
1.1 markus 761: /* size of modulus 'n' */
762: bits = BN_num_bits(key->rsa->n);
763: fprintf(f, "%u", bits);
764: if (write_bignum(f, key->rsa->e) &&
1.83 djm 765: write_bignum(f, key->rsa->n))
766: return 1;
767: error("key_write: failed for RSA key");
768: return 0;
769: case KEY_DSA:
1.87 ! djm 770: case KEY_DSA_CERT_V00:
1.83 djm 771: case KEY_DSA_CERT:
772: if (key->dsa == NULL)
773: return 0;
774: break;
775: case KEY_RSA:
1.87 ! djm 776: case KEY_RSA_CERT_V00:
1.83 djm 777: case KEY_RSA_CERT:
778: if (key->rsa == NULL)
779: return 0;
780: break;
781: default:
782: return 0;
783: }
784:
785: key_to_blob(key, &blob, &len);
786: uu = xmalloc(2*len);
787: n = uuencode(blob, len, uu, 2*len);
788: if (n > 0) {
789: fprintf(f, "%s %s", key_ssh_name(key), uu);
790: success = 1;
1.1 markus 791: }
1.83 djm 792: xfree(blob);
793: xfree(uu);
794:
1.1 markus 795: return success;
796: }
1.45 deraadt 797:
1.55 jakob 798: const char *
799: key_type(const Key *k)
1.4 markus 800: {
801: switch (k->type) {
1.12 markus 802: case KEY_RSA1:
803: return "RSA1";
1.4 markus 804: case KEY_RSA:
805: return "RSA";
806: case KEY_DSA:
807: return "DSA";
1.87 ! djm 808: case KEY_RSA_CERT_V00:
! 809: return "RSA-CERT-V00";
! 810: case KEY_DSA_CERT_V00:
! 811: return "DSA-CERT-V00";
1.83 djm 812: case KEY_RSA_CERT:
813: return "RSA-CERT";
814: case KEY_DSA_CERT:
815: return "DSA-CERT";
1.4 markus 816: }
817: return "unknown";
1.86 stevesk 818: }
819:
820: const char *
821: key_cert_type(const Key *k)
822: {
823: switch (k->cert->type) {
824: case SSH2_CERT_TYPE_USER:
825: return "user";
826: case SSH2_CERT_TYPE_HOST:
827: return "host";
828: default:
829: return "unknown";
830: }
1.10 markus 831: }
1.45 deraadt 832:
1.55 jakob 833: const char *
834: key_ssh_name(const Key *k)
1.12 markus 835: {
836: switch (k->type) {
837: case KEY_RSA:
838: return "ssh-rsa";
839: case KEY_DSA:
840: return "ssh-dss";
1.87 ! djm 841: case KEY_RSA_CERT_V00:
! 842: return "ssh-rsa-cert-v00@openssh.com";
! 843: case KEY_DSA_CERT_V00:
! 844: return "ssh-dss-cert-v00@openssh.com";
1.83 djm 845: case KEY_RSA_CERT:
1.87 ! djm 846: return "ssh-rsa-cert-v01@openssh.com";
1.83 djm 847: case KEY_DSA_CERT:
1.87 ! djm 848: return "ssh-dss-cert-v01@openssh.com";
1.12 markus 849: }
850: return "ssh-unknown";
851: }
1.45 deraadt 852:
1.12 markus 853: u_int
1.55 jakob 854: key_size(const Key *k)
1.35 deraadt 855: {
1.10 markus 856: switch (k->type) {
1.12 markus 857: case KEY_RSA1:
1.10 markus 858: case KEY_RSA:
1.87 ! djm 859: case KEY_RSA_CERT_V00:
1.83 djm 860: case KEY_RSA_CERT:
1.10 markus 861: return BN_num_bits(k->rsa->n);
862: case KEY_DSA:
1.87 ! djm 863: case KEY_DSA_CERT_V00:
1.83 djm 864: case KEY_DSA_CERT:
1.10 markus 865: return BN_num_bits(k->dsa->p);
866: }
867: return 0;
1.12 markus 868: }
869:
1.27 itojun 870: static RSA *
1.13 markus 871: rsa_generate_private_key(u_int bits)
1.12 markus 872: {
1.17 stevesk 873: RSA *private;
1.61 deraadt 874:
1.81 markus 875: private = RSA_generate_key(bits, RSA_F4, NULL, NULL);
1.17 stevesk 876: if (private == NULL)
877: fatal("rsa_generate_private_key: key generation failed.");
878: return private;
1.12 markus 879: }
880:
1.27 itojun 881: static DSA*
1.13 markus 882: dsa_generate_private_key(u_int bits)
1.12 markus 883: {
884: DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
1.61 deraadt 885:
1.12 markus 886: if (private == NULL)
887: fatal("dsa_generate_private_key: DSA_generate_parameters failed");
888: if (!DSA_generate_key(private))
1.17 stevesk 889: fatal("dsa_generate_private_key: DSA_generate_key failed.");
890: if (private == NULL)
891: fatal("dsa_generate_private_key: NULL.");
1.12 markus 892: return private;
893: }
894:
895: Key *
1.13 markus 896: key_generate(int type, u_int bits)
1.12 markus 897: {
898: Key *k = key_new(KEY_UNSPEC);
899: switch (type) {
1.17 stevesk 900: case KEY_DSA:
1.12 markus 901: k->dsa = dsa_generate_private_key(bits);
902: break;
903: case KEY_RSA:
904: case KEY_RSA1:
905: k->rsa = rsa_generate_private_key(bits);
906: break;
1.87 ! djm 907: case KEY_RSA_CERT_V00:
! 908: case KEY_DSA_CERT_V00:
1.83 djm 909: case KEY_RSA_CERT:
910: case KEY_DSA_CERT:
911: fatal("key_generate: cert keys cannot be generated directly");
1.12 markus 912: default:
1.17 stevesk 913: fatal("key_generate: unknown type %d", type);
1.12 markus 914: }
1.17 stevesk 915: k->type = type;
1.12 markus 916: return k;
917: }
918:
1.83 djm 919: void
920: key_cert_copy(const Key *from_key, struct Key *to_key)
921: {
922: u_int i;
923: const struct KeyCert *from;
924: struct KeyCert *to;
925:
926: if (to_key->cert != NULL) {
927: cert_free(to_key->cert);
928: to_key->cert = NULL;
929: }
930:
931: if ((from = from_key->cert) == NULL)
932: return;
933:
934: to = to_key->cert = cert_new();
935:
936: buffer_append(&to->certblob, buffer_ptr(&from->certblob),
937: buffer_len(&from->certblob));
938:
1.87 ! djm 939: buffer_append(&to->critical,
! 940: buffer_ptr(&from->critical), buffer_len(&from->critical));
! 941: buffer_append(&to->extensions,
! 942: buffer_ptr(&from->extensions), buffer_len(&from->extensions));
1.83 djm 943:
1.87 ! djm 944: to->serial = from->serial;
1.83 djm 945: to->type = from->type;
946: to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
947: to->valid_after = from->valid_after;
948: to->valid_before = from->valid_before;
949: to->signature_key = from->signature_key == NULL ?
950: NULL : key_from_private(from->signature_key);
951:
952: to->nprincipals = from->nprincipals;
953: if (to->nprincipals > CERT_MAX_PRINCIPALS)
954: fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
955: __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
956: if (to->nprincipals > 0) {
957: to->principals = xcalloc(from->nprincipals,
958: sizeof(*to->principals));
959: for (i = 0; i < to->nprincipals; i++)
960: to->principals[i] = xstrdup(from->principals[i]);
961: }
962: }
963:
1.12 markus 964: Key *
1.55 jakob 965: key_from_private(const Key *k)
1.12 markus 966: {
967: Key *n = NULL;
968: switch (k->type) {
1.17 stevesk 969: case KEY_DSA:
1.87 ! djm 970: case KEY_DSA_CERT_V00:
1.83 djm 971: case KEY_DSA_CERT:
1.12 markus 972: n = key_new(k->type);
1.68 markus 973: if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
974: (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
975: (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
976: (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
977: fatal("key_from_private: BN_copy failed");
1.12 markus 978: break;
979: case KEY_RSA:
980: case KEY_RSA1:
1.87 ! djm 981: case KEY_RSA_CERT_V00:
1.83 djm 982: case KEY_RSA_CERT:
1.12 markus 983: n = key_new(k->type);
1.68 markus 984: if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
985: (BN_copy(n->rsa->e, k->rsa->e) == NULL))
986: fatal("key_from_private: BN_copy failed");
1.12 markus 987: break;
988: default:
1.17 stevesk 989: fatal("key_from_private: unknown type %d", k->type);
1.12 markus 990: break;
991: }
1.83 djm 992: if (key_is_cert(k))
993: key_cert_copy(k, n);
1.12 markus 994: return n;
995: }
996:
997: int
998: key_type_from_name(char *name)
999: {
1.35 deraadt 1000: if (strcmp(name, "rsa1") == 0) {
1.12 markus 1001: return KEY_RSA1;
1.35 deraadt 1002: } else if (strcmp(name, "rsa") == 0) {
1.12 markus 1003: return KEY_RSA;
1.35 deraadt 1004: } else if (strcmp(name, "dsa") == 0) {
1.12 markus 1005: return KEY_DSA;
1.35 deraadt 1006: } else if (strcmp(name, "ssh-rsa") == 0) {
1.12 markus 1007: return KEY_RSA;
1.35 deraadt 1008: } else if (strcmp(name, "ssh-dss") == 0) {
1.12 markus 1009: return KEY_DSA;
1.83 djm 1010: } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
1.87 ! djm 1011: return KEY_RSA_CERT_V00;
! 1012: } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
! 1013: return KEY_DSA_CERT_V00;
! 1014: } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
1.83 djm 1015: return KEY_RSA_CERT;
1.87 ! djm 1016: } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
1.83 djm 1017: return KEY_DSA_CERT;
1.12 markus 1018: }
1.18 markus 1019: debug2("key_type_from_name: unknown key type '%s'", name);
1.12 markus 1020: return KEY_UNSPEC;
1.25 markus 1021: }
1022:
1023: int
1024: key_names_valid2(const char *names)
1025: {
1026: char *s, *cp, *p;
1027:
1028: if (names == NULL || strcmp(names, "") == 0)
1029: return 0;
1030: s = cp = xstrdup(names);
1031: for ((p = strsep(&cp, ",")); p && *p != '\0';
1.36 deraadt 1032: (p = strsep(&cp, ","))) {
1.25 markus 1033: switch (key_type_from_name(p)) {
1034: case KEY_RSA1:
1035: case KEY_UNSPEC:
1036: xfree(s);
1037: return 0;
1038: }
1039: }
1040: debug3("key names ok: [%s]", names);
1041: xfree(s);
1042: return 1;
1.12 markus 1043: }
1044:
1.83 djm 1045: static int
1046: cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1047: {
1.87 ! djm 1048: u_char *principals, *critical, *exts, *sig_key, *sig;
! 1049: u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
1.83 djm 1050: Buffer tmp;
1051: char *principal;
1052: int ret = -1;
1.87 ! djm 1053: int v00 = key->type == KEY_DSA_CERT_V00 ||
! 1054: key->type == KEY_RSA_CERT_V00;
1.83 djm 1055:
1056: buffer_init(&tmp);
1057:
1058: /* Copy the entire key blob for verification and later serialisation */
1059: buffer_append(&key->cert->certblob, blob, blen);
1060:
1.87 ! djm 1061: elen = 0; /* Not touched for v00 certs */
! 1062: principals = exts = critical = sig_key = sig = NULL;
! 1063: if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
! 1064: buffer_get_int_ret(&key->cert->type, b) != 0 ||
1.84 djm 1065: (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL ||
1.83 djm 1066: (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1067: buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1068: buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1.87 ! djm 1069: (critical = buffer_get_string_ret(b, &clen)) == NULL ||
! 1070: (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
! 1071: (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
! 1072: buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
1.83 djm 1073: (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1074: error("%s: parse error", __func__);
1075: goto out;
1076: }
1077:
1.84 djm 1078: if (kidlen != strlen(key->cert->key_id)) {
1079: error("%s: key ID contains \\0 character", __func__);
1080: goto out;
1081: }
1082:
1.83 djm 1083: /* Signature is left in the buffer so we can calculate this length */
1084: signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1085:
1086: if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1087: error("%s: parse error", __func__);
1088: goto out;
1089: }
1090:
1091: if (key->cert->type != SSH2_CERT_TYPE_USER &&
1092: key->cert->type != SSH2_CERT_TYPE_HOST) {
1093: error("Unknown certificate type %u", key->cert->type);
1094: goto out;
1095: }
1096:
1097: buffer_append(&tmp, principals, plen);
1098: while (buffer_len(&tmp) > 0) {
1099: if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1.84 djm 1100: error("%s: Too many principals", __func__);
1.83 djm 1101: goto out;
1102: }
1.84 djm 1103: if ((principal = buffer_get_string_ret(&tmp, &plen)) == NULL) {
1104: error("%s: Principals data invalid", __func__);
1105: goto out;
1106: }
1107: if (strlen(principal) != plen) {
1108: error("%s: Principal contains \\0 character",
1109: __func__);
1.83 djm 1110: goto out;
1111: }
1112: key->cert->principals = xrealloc(key->cert->principals,
1113: key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1114: key->cert->principals[key->cert->nprincipals++] = principal;
1115: }
1116:
1117: buffer_clear(&tmp);
1118:
1.87 ! djm 1119: buffer_append(&key->cert->critical, critical, clen);
! 1120: buffer_append(&tmp, critical, clen);
1.83 djm 1121: /* validate structure */
1122: while (buffer_len(&tmp) != 0) {
1.85 djm 1123: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1124: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1.87 ! djm 1125: error("%s: critical option data invalid", __func__);
! 1126: goto out;
! 1127: }
! 1128: }
! 1129: buffer_clear(&tmp);
! 1130:
! 1131: buffer_append(&key->cert->extensions, exts, elen);
! 1132: buffer_append(&tmp, exts, elen);
! 1133: /* validate structure */
! 1134: while (buffer_len(&tmp) != 0) {
! 1135: if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
! 1136: buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
! 1137: error("%s: extension data invalid", __func__);
1.83 djm 1138: goto out;
1139: }
1140: }
1141: buffer_clear(&tmp);
1142:
1143: if ((key->cert->signature_key = key_from_blob(sig_key,
1144: sklen)) == NULL) {
1.84 djm 1145: error("%s: Signature key invalid", __func__);
1.83 djm 1146: goto out;
1147: }
1148: if (key->cert->signature_key->type != KEY_RSA &&
1149: key->cert->signature_key->type != KEY_DSA) {
1.84 djm 1150: error("%s: Invalid signature key type %s (%d)", __func__,
1.83 djm 1151: key_type(key->cert->signature_key),
1152: key->cert->signature_key->type);
1153: goto out;
1154: }
1155:
1156: switch (key_verify(key->cert->signature_key, sig, slen,
1157: buffer_ptr(&key->cert->certblob), signed_len)) {
1158: case 1:
1.84 djm 1159: ret = 0;
1.83 djm 1160: break; /* Good signature */
1161: case 0:
1.84 djm 1162: error("%s: Invalid signature on certificate", __func__);
1.83 djm 1163: goto out;
1164: case -1:
1.84 djm 1165: error("%s: Certificate signature verification failed",
1166: __func__);
1.83 djm 1167: goto out;
1168: }
1169:
1170: out:
1171: buffer_free(&tmp);
1172: if (principals != NULL)
1173: xfree(principals);
1.87 ! djm 1174: if (critical != NULL)
! 1175: xfree(critical);
! 1176: if (exts != NULL)
! 1177: xfree(exts);
1.83 djm 1178: if (sig_key != NULL)
1179: xfree(sig_key);
1180: if (sig != NULL)
1181: xfree(sig);
1182: return ret;
1183: }
1184:
1.12 markus 1185: Key *
1.55 jakob 1186: key_from_blob(const u_char *blob, u_int blen)
1.12 markus 1187: {
1188: Buffer b;
1189: int rlen, type;
1.57 djm 1190: char *ktype = NULL;
1.12 markus 1191: Key *key = NULL;
1192:
1193: #ifdef DEBUG_PK
1194: dump_base64(stderr, blob, blen);
1195: #endif
1196: buffer_init(&b);
1197: buffer_append(&b, blob, blen);
1.57 djm 1198: if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
1199: error("key_from_blob: can't read key type");
1200: goto out;
1201: }
1202:
1.12 markus 1203: type = key_type_from_name(ktype);
1204:
1.35 deraadt 1205: switch (type) {
1.87 ! djm 1206: case KEY_RSA_CERT:
! 1207: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
! 1208: /* FALLTHROUGH */
1.12 markus 1209: case KEY_RSA:
1.87 ! djm 1210: case KEY_RSA_CERT_V00:
1.12 markus 1211: key = key_new(type);
1.57 djm 1212: if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1213: buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1214: error("key_from_blob: can't read rsa key");
1.83 djm 1215: badkey:
1.57 djm 1216: key_free(key);
1217: key = NULL;
1218: goto out;
1219: }
1.12 markus 1220: #ifdef DEBUG_PK
1221: RSA_print_fp(stderr, key->rsa, 8);
1222: #endif
1223: break;
1.87 ! djm 1224: case KEY_DSA_CERT:
! 1225: (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
! 1226: /* FALLTHROUGH */
1.12 markus 1227: case KEY_DSA:
1.87 ! djm 1228: case KEY_DSA_CERT_V00:
1.12 markus 1229: key = key_new(type);
1.57 djm 1230: if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1231: buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1232: buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1233: buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1234: error("key_from_blob: can't read dsa key");
1.83 djm 1235: goto badkey;
1.57 djm 1236: }
1.12 markus 1237: #ifdef DEBUG_PK
1238: DSA_print_fp(stderr, key->dsa, 8);
1239: #endif
1240: break;
1241: case KEY_UNSPEC:
1242: key = key_new(type);
1243: break;
1244: default:
1245: error("key_from_blob: cannot handle type %s", ktype);
1.57 djm 1246: goto out;
1.12 markus 1247: }
1.83 djm 1248: if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1249: error("key_from_blob: can't parse cert data");
1250: goto badkey;
1251: }
1.12 markus 1252: rlen = buffer_len(&b);
1253: if (key != NULL && rlen != 0)
1254: error("key_from_blob: remaining bytes in key blob %d", rlen);
1.57 djm 1255: out:
1256: if (ktype != NULL)
1257: xfree(ktype);
1.12 markus 1258: buffer_free(&b);
1259: return key;
1260: }
1261:
1262: int
1.55 jakob 1263: key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1.12 markus 1264: {
1265: Buffer b;
1266: int len;
1267:
1268: if (key == NULL) {
1269: error("key_to_blob: key == NULL");
1270: return 0;
1271: }
1272: buffer_init(&b);
1.35 deraadt 1273: switch (key->type) {
1.87 ! djm 1274: case KEY_DSA_CERT_V00:
! 1275: case KEY_RSA_CERT_V00:
1.83 djm 1276: case KEY_DSA_CERT:
1277: case KEY_RSA_CERT:
1278: /* Use the existing blob */
1279: buffer_append(&b, buffer_ptr(&key->cert->certblob),
1280: buffer_len(&key->cert->certblob));
1281: break;
1.12 markus 1282: case KEY_DSA:
1283: buffer_put_cstring(&b, key_ssh_name(key));
1284: buffer_put_bignum2(&b, key->dsa->p);
1285: buffer_put_bignum2(&b, key->dsa->q);
1286: buffer_put_bignum2(&b, key->dsa->g);
1287: buffer_put_bignum2(&b, key->dsa->pub_key);
1288: break;
1289: case KEY_RSA:
1290: buffer_put_cstring(&b, key_ssh_name(key));
1.14 markus 1291: buffer_put_bignum2(&b, key->rsa->e);
1.12 markus 1292: buffer_put_bignum2(&b, key->rsa->n);
1293: break;
1294: default:
1.31 markus 1295: error("key_to_blob: unsupported key type %d", key->type);
1296: buffer_free(&b);
1297: return 0;
1.12 markus 1298: }
1299: len = buffer_len(&b);
1.48 markus 1300: if (lenp != NULL)
1301: *lenp = len;
1302: if (blobp != NULL) {
1303: *blobp = xmalloc(len);
1304: memcpy(*blobp, buffer_ptr(&b), len);
1305: }
1.12 markus 1306: memset(buffer_ptr(&b), 0, len);
1307: buffer_free(&b);
1308: return len;
1309: }
1310:
1311: int
1312: key_sign(
1.55 jakob 1313: const Key *key,
1.40 markus 1314: u_char **sigp, u_int *lenp,
1.55 jakob 1315: const u_char *data, u_int datalen)
1.12 markus 1316: {
1.35 deraadt 1317: switch (key->type) {
1.87 ! djm 1318: case KEY_DSA_CERT_V00:
1.83 djm 1319: case KEY_DSA_CERT:
1.12 markus 1320: case KEY_DSA:
1321: return ssh_dss_sign(key, sigp, lenp, data, datalen);
1.87 ! djm 1322: case KEY_RSA_CERT_V00:
1.83 djm 1323: case KEY_RSA_CERT:
1.12 markus 1324: case KEY_RSA:
1325: return ssh_rsa_sign(key, sigp, lenp, data, datalen);
1326: default:
1.56 markus 1327: error("key_sign: invalid key type %d", key->type);
1.12 markus 1328: return -1;
1329: }
1330: }
1331:
1.44 markus 1332: /*
1333: * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1334: * and -1 on error.
1335: */
1.12 markus 1336: int
1337: key_verify(
1.55 jakob 1338: const Key *key,
1339: const u_char *signature, u_int signaturelen,
1340: const u_char *data, u_int datalen)
1.12 markus 1341: {
1.26 markus 1342: if (signaturelen == 0)
1343: return -1;
1344:
1.35 deraadt 1345: switch (key->type) {
1.87 ! djm 1346: case KEY_DSA_CERT_V00:
1.83 djm 1347: case KEY_DSA_CERT:
1.12 markus 1348: case KEY_DSA:
1349: return ssh_dss_verify(key, signature, signaturelen, data, datalen);
1.87 ! djm 1350: case KEY_RSA_CERT_V00:
1.83 djm 1351: case KEY_RSA_CERT:
1.12 markus 1352: case KEY_RSA:
1353: return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
1354: default:
1.56 markus 1355: error("key_verify: invalid key type %d", key->type);
1.12 markus 1356: return -1;
1357: }
1.42 markus 1358: }
1359:
1360: /* Converts a private to a public key */
1361: Key *
1.55 jakob 1362: key_demote(const Key *k)
1.42 markus 1363: {
1364: Key *pk;
1.43 markus 1365:
1.63 djm 1366: pk = xcalloc(1, sizeof(*pk));
1.42 markus 1367: pk->type = k->type;
1368: pk->flags = k->flags;
1369: pk->dsa = NULL;
1370: pk->rsa = NULL;
1371:
1372: switch (k->type) {
1.87 ! djm 1373: case KEY_RSA_CERT_V00:
1.83 djm 1374: case KEY_RSA_CERT:
1375: key_cert_copy(k, pk);
1376: /* FALLTHROUGH */
1.42 markus 1377: case KEY_RSA1:
1378: case KEY_RSA:
1379: if ((pk->rsa = RSA_new()) == NULL)
1380: fatal("key_demote: RSA_new failed");
1381: if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1382: fatal("key_demote: BN_dup failed");
1383: if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1384: fatal("key_demote: BN_dup failed");
1385: break;
1.87 ! djm 1386: case KEY_DSA_CERT_V00:
1.83 djm 1387: case KEY_DSA_CERT:
1388: key_cert_copy(k, pk);
1389: /* FALLTHROUGH */
1.42 markus 1390: case KEY_DSA:
1391: if ((pk->dsa = DSA_new()) == NULL)
1392: fatal("key_demote: DSA_new failed");
1393: if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1394: fatal("key_demote: BN_dup failed");
1395: if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1396: fatal("key_demote: BN_dup failed");
1397: if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1398: fatal("key_demote: BN_dup failed");
1399: if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1400: fatal("key_demote: BN_dup failed");
1401: break;
1402: default:
1403: fatal("key_free: bad key type %d", k->type);
1404: break;
1405: }
1406:
1407: return (pk);
1.83 djm 1408: }
1409:
1410: int
1411: key_is_cert(const Key *k)
1412: {
1.87 ! djm 1413: if (k == NULL)
! 1414: return 0;
! 1415: switch (k->type) {
! 1416: case KEY_RSA_CERT_V00:
! 1417: case KEY_DSA_CERT_V00:
! 1418: case KEY_RSA_CERT:
! 1419: case KEY_DSA_CERT:
! 1420: return 1;
! 1421: default:
! 1422: return 0;
! 1423: }
1.83 djm 1424: }
1425:
1426: /* Return the cert-less equivalent to a certified key type */
1427: int
1428: key_type_plain(int type)
1429: {
1430: switch (type) {
1.87 ! djm 1431: case KEY_RSA_CERT_V00:
1.83 djm 1432: case KEY_RSA_CERT:
1433: return KEY_RSA;
1.87 ! djm 1434: case KEY_DSA_CERT_V00:
1.83 djm 1435: case KEY_DSA_CERT:
1436: return KEY_DSA;
1437: default:
1438: return type;
1439: }
1440: }
1441:
1442: /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
1443: int
1.87 ! djm 1444: key_to_certified(Key *k, int legacy)
1.83 djm 1445: {
1446: switch (k->type) {
1447: case KEY_RSA:
1448: k->cert = cert_new();
1.87 ! djm 1449: k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
1.83 djm 1450: return 0;
1451: case KEY_DSA:
1452: k->cert = cert_new();
1.87 ! djm 1453: k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
1.83 djm 1454: return 0;
1455: default:
1456: error("%s: key has incorrect type %s", __func__, key_type(k));
1457: return -1;
1458: }
1459: }
1460:
1461: /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1462: int
1463: key_drop_cert(Key *k)
1464: {
1465: switch (k->type) {
1.87 ! djm 1466: case KEY_RSA_CERT_V00:
1.83 djm 1467: case KEY_RSA_CERT:
1468: cert_free(k->cert);
1469: k->type = KEY_RSA;
1470: return 0;
1.87 ! djm 1471: case KEY_DSA_CERT_V00:
1.83 djm 1472: case KEY_DSA_CERT:
1473: cert_free(k->cert);
1474: k->type = KEY_DSA;
1475: return 0;
1476: default:
1477: error("%s: key has incorrect type %s", __func__, key_type(k));
1478: return -1;
1479: }
1480: }
1481:
1482: /* Sign a KEY_RSA_CERT or KEY_DSA_CERT, (re-)generating the signed certblob */
1483: int
1484: key_certify(Key *k, Key *ca)
1485: {
1486: Buffer principals;
1487: u_char *ca_blob, *sig_blob, nonce[32];
1488: u_int i, ca_len, sig_len;
1489:
1490: if (k->cert == NULL) {
1491: error("%s: key lacks cert info", __func__);
1492: return -1;
1493: }
1494:
1495: if (!key_is_cert(k)) {
1496: error("%s: certificate has unknown type %d", __func__,
1497: k->cert->type);
1498: return -1;
1499: }
1500:
1501: if (ca->type != KEY_RSA && ca->type != KEY_DSA) {
1502: error("%s: CA key has unsupported type %s", __func__,
1503: key_type(ca));
1504: return -1;
1505: }
1506:
1507: key_to_blob(ca, &ca_blob, &ca_len);
1508:
1509: buffer_clear(&k->cert->certblob);
1510: buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1511:
1.87 ! djm 1512: /* -v01 certs put nonce first */
! 1513: if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) {
! 1514: arc4random_buf(&nonce, sizeof(nonce));
! 1515: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
! 1516: }
! 1517:
1.83 djm 1518: switch (k->type) {
1.87 ! djm 1519: case KEY_DSA_CERT_V00:
1.83 djm 1520: case KEY_DSA_CERT:
1521: buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1522: buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1523: buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1524: buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1525: break;
1.87 ! djm 1526: case KEY_RSA_CERT_V00:
1.83 djm 1527: case KEY_RSA_CERT:
1528: buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1529: buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1530: break;
1531: default:
1532: error("%s: key has incorrect type %s", __func__, key_type(k));
1533: buffer_clear(&k->cert->certblob);
1534: xfree(ca_blob);
1535: return -1;
1536: }
1537:
1.87 ! djm 1538: /* -v01 certs have a serial number next */
! 1539: if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT)
! 1540: buffer_put_int64(&k->cert->certblob, k->cert->serial);
! 1541:
1.83 djm 1542: buffer_put_int(&k->cert->certblob, k->cert->type);
1543: buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1544:
1545: buffer_init(&principals);
1546: for (i = 0; i < k->cert->nprincipals; i++)
1547: buffer_put_cstring(&principals, k->cert->principals[i]);
1548: buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1549: buffer_len(&principals));
1550: buffer_free(&principals);
1551:
1552: buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1553: buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1554: buffer_put_string(&k->cert->certblob,
1.87 ! djm 1555: buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
! 1556:
! 1557: /* -v01 certs have non-critical options here */
! 1558: if (k->type == KEY_DSA_CERT || k->type == KEY_RSA_CERT) {
! 1559: buffer_put_string(&k->cert->certblob,
! 1560: buffer_ptr(&k->cert->extensions),
! 1561: buffer_len(&k->cert->extensions));
! 1562: }
! 1563:
! 1564: /* -v00 certs put the nonce at the end */
! 1565: if (k->type == KEY_DSA_CERT_V00 || k->type == KEY_RSA_CERT_V00)
! 1566: buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1.83 djm 1567:
1568: buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1569: buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1570: xfree(ca_blob);
1571:
1572: /* Sign the whole mess */
1573: if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
1574: buffer_len(&k->cert->certblob)) != 0) {
1575: error("%s: signature operation failed", __func__);
1576: buffer_clear(&k->cert->certblob);
1577: return -1;
1578: }
1579: /* Append signature and we are done */
1580: buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1581: xfree(sig_blob);
1582:
1583: return 0;
1584: }
1585:
1586: int
1587: key_cert_check_authority(const Key *k, int want_host, int require_principal,
1588: const char *name, const char **reason)
1589: {
1590: u_int i, principal_matches;
1591: time_t now = time(NULL);
1592:
1593: if (want_host) {
1594: if (k->cert->type != SSH2_CERT_TYPE_HOST) {
1595: *reason = "Certificate invalid: not a host certificate";
1596: return -1;
1597: }
1598: } else {
1599: if (k->cert->type != SSH2_CERT_TYPE_USER) {
1600: *reason = "Certificate invalid: not a user certificate";
1601: return -1;
1602: }
1603: }
1604: if (now < 0) {
1605: error("%s: system clock lies before epoch", __func__);
1606: *reason = "Certificate invalid: not yet valid";
1607: return -1;
1608: }
1609: if ((u_int64_t)now < k->cert->valid_after) {
1610: *reason = "Certificate invalid: not yet valid";
1611: return -1;
1612: }
1613: if ((u_int64_t)now >= k->cert->valid_before) {
1614: *reason = "Certificate invalid: expired";
1615: return -1;
1616: }
1617: if (k->cert->nprincipals == 0) {
1618: if (require_principal) {
1619: *reason = "Certificate lacks principal list";
1620: return -1;
1621: }
1622: } else {
1623: principal_matches = 0;
1624: for (i = 0; i < k->cert->nprincipals; i++) {
1625: if (strcmp(name, k->cert->principals[i]) == 0) {
1626: principal_matches = 1;
1627: break;
1628: }
1629: }
1630: if (!principal_matches) {
1631: *reason = "Certificate invalid: name is not a listed "
1632: "principal";
1633: return -1;
1634: }
1635: }
1636: return 0;
1.87 ! djm 1637: }
! 1638:
! 1639: int
! 1640: key_cert_is_legacy(Key *k)
! 1641: {
! 1642: switch (k->type) {
! 1643: case KEY_DSA_CERT_V00:
! 1644: case KEY_RSA_CERT_V00:
! 1645: return 1;
! 1646: default:
! 1647: return 0;
! 1648: }
1.4 markus 1649: }