1264377Sdes/* $OpenBSD: key.c,v 1.116 2014/02/02 03:44:31 djm Exp $ */ 258582Skris/* 365674Skris * read_bignum(): 465674Skris * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 565674Skris * 665674Skris * As far as I am concerned, the code I have written for this software 765674Skris * can be used freely for any purpose. Any derived versions of this 865674Skris * software must be clearly marked as such, and if the derived work is 965674Skris * incompatible with the protocol description in the RFC file, it must be 1065674Skris * called by a name other than "ssh" or "Secure Shell". 1165674Skris * 1265674Skris * 1392559Sdes * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 14181111Sdes * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 1558582Skris * 1658582Skris * Redistribution and use in source and binary forms, with or without 1758582Skris * modification, are permitted provided that the following conditions 1858582Skris * are met: 1958582Skris * 1. Redistributions of source code must retain the above copyright 2058582Skris * notice, this list of conditions and the following disclaimer. 2158582Skris * 2. Redistributions in binary form must reproduce the above copyright 2258582Skris * notice, this list of conditions and the following disclaimer in the 2358582Skris * documentation and/or other materials provided with the distribution. 2458582Skris * 2558582Skris * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 2658582Skris * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 2758582Skris * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 2858582Skris * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 2958582Skris * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 3058582Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 3158582Skris * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 3258582Skris * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 3358582Skris * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 3458582Skris * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 3558582Skris */ 36162856Sdes 3776262Sgreen#include "includes.h" 3858582Skris 39181111Sdes#include <sys/param.h> 40162856Sdes#include <sys/types.h> 41162856Sdes 42262566Sdes#include "crypto_api.h" 43262566Sdes 4458592Skris#include <openssl/evp.h> 45181111Sdes#include <openbsd-compat/openssl-compat.h> 4676262Sgreen 47162856Sdes#include <stdarg.h> 48162856Sdes#include <stdio.h> 49162856Sdes#include <string.h> 50162856Sdes 5158582Skris#include "xmalloc.h" 5258582Skris#include "key.h" 5376262Sgreen#include "rsa.h" 5460576Skris#include "uuencode.h" 5576262Sgreen#include "buffer.h" 5676262Sgreen#include "log.h" 57215116Sdes#include "misc.h" 58204917Sdes#include "ssh2.h" 59262566Sdes#include "digest.h" 6058582Skris 61248619Sdesstatic int to_blob(const Key *, u_char **, u_int *, int); 62262566Sdesstatic Key *key_from_blob2(const u_char *, u_int, int); 63248619Sdes 64204917Sdesstatic struct KeyCert * 65204917Sdescert_new(void) 66204917Sdes{ 67204917Sdes struct KeyCert *cert; 68204917Sdes 69204917Sdes cert = xcalloc(1, sizeof(*cert)); 70204917Sdes buffer_init(&cert->certblob); 71215116Sdes buffer_init(&cert->critical); 72215116Sdes buffer_init(&cert->extensions); 73204917Sdes cert->key_id = NULL; 74204917Sdes cert->principals = NULL; 75204917Sdes cert->signature_key = NULL; 76204917Sdes return cert; 77204917Sdes} 78204917Sdes 7958582SkrisKey * 8058582Skriskey_new(int type) 8158582Skris{ 8258582Skris Key *k; 8358582Skris RSA *rsa; 8458582Skris DSA *dsa; 85162856Sdes k = xcalloc(1, sizeof(*k)); 8658582Skris k->type = type; 87221420Sdes k->ecdsa = NULL; 88221420Sdes k->ecdsa_nid = -1; 8960576Skris k->dsa = NULL; 9060576Skris k->rsa = NULL; 91204917Sdes k->cert = NULL; 92262566Sdes k->ed25519_sk = NULL; 93262566Sdes k->ed25519_pk = NULL; 9458582Skris switch (k->type) { 9576262Sgreen case KEY_RSA1: 9658582Skris case KEY_RSA: 97215116Sdes case KEY_RSA_CERT_V00: 98204917Sdes case KEY_RSA_CERT: 9992559Sdes if ((rsa = RSA_new()) == NULL) 10092559Sdes fatal("key_new: RSA_new failed"); 10192559Sdes if ((rsa->n = BN_new()) == NULL) 10292559Sdes fatal("key_new: BN_new failed"); 10392559Sdes if ((rsa->e = BN_new()) == NULL) 10492559Sdes fatal("key_new: BN_new failed"); 10558582Skris k->rsa = rsa; 10658582Skris break; 10758582Skris case KEY_DSA: 108215116Sdes case KEY_DSA_CERT_V00: 109204917Sdes case KEY_DSA_CERT: 11092559Sdes if ((dsa = DSA_new()) == NULL) 11192559Sdes fatal("key_new: DSA_new failed"); 11292559Sdes if ((dsa->p = BN_new()) == NULL) 11392559Sdes fatal("key_new: BN_new failed"); 11492559Sdes if ((dsa->q = BN_new()) == NULL) 11592559Sdes fatal("key_new: BN_new failed"); 11692559Sdes if ((dsa->g = BN_new()) == NULL) 11792559Sdes fatal("key_new: BN_new failed"); 11892559Sdes if ((dsa->pub_key = BN_new()) == NULL) 11992559Sdes fatal("key_new: BN_new failed"); 12058582Skris k->dsa = dsa; 12158582Skris break; 122221420Sdes#ifdef OPENSSL_HAS_ECC 123221420Sdes case KEY_ECDSA: 124221420Sdes case KEY_ECDSA_CERT: 125221420Sdes /* Cannot do anything until we know the group */ 126221420Sdes break; 127221420Sdes#endif 128262566Sdes case KEY_ED25519: 129262566Sdes case KEY_ED25519_CERT: 130262566Sdes /* no need to prealloc */ 131262566Sdes break; 13276262Sgreen case KEY_UNSPEC: 13358582Skris break; 13458582Skris default: 13558582Skris fatal("key_new: bad key type %d", k->type); 13658582Skris break; 13758582Skris } 138204917Sdes 139204917Sdes if (key_is_cert(k)) 140204917Sdes k->cert = cert_new(); 141204917Sdes 14258582Skris return k; 14358582Skris} 14499063Sdes 145204917Sdesvoid 146204917Sdeskey_add_private(Key *k) 14776262Sgreen{ 14876262Sgreen switch (k->type) { 14976262Sgreen case KEY_RSA1: 15076262Sgreen case KEY_RSA: 151215116Sdes case KEY_RSA_CERT_V00: 152204917Sdes case KEY_RSA_CERT: 15392559Sdes if ((k->rsa->d = BN_new()) == NULL) 15492559Sdes fatal("key_new_private: BN_new failed"); 15592559Sdes if ((k->rsa->iqmp = BN_new()) == NULL) 15692559Sdes fatal("key_new_private: BN_new failed"); 15792559Sdes if ((k->rsa->q = BN_new()) == NULL) 15892559Sdes fatal("key_new_private: BN_new failed"); 15992559Sdes if ((k->rsa->p = BN_new()) == NULL) 16092559Sdes fatal("key_new_private: BN_new failed"); 16192559Sdes if ((k->rsa->dmq1 = BN_new()) == NULL) 16292559Sdes fatal("key_new_private: BN_new failed"); 16392559Sdes if ((k->rsa->dmp1 = BN_new()) == NULL) 16492559Sdes fatal("key_new_private: BN_new failed"); 16576262Sgreen break; 16676262Sgreen case KEY_DSA: 167215116Sdes case KEY_DSA_CERT_V00: 168204917Sdes case KEY_DSA_CERT: 16992559Sdes if ((k->dsa->priv_key = BN_new()) == NULL) 17092559Sdes fatal("key_new_private: BN_new failed"); 17176262Sgreen break; 172221420Sdes case KEY_ECDSA: 173221420Sdes case KEY_ECDSA_CERT: 174221420Sdes /* Cannot do anything until we know the group */ 175221420Sdes break; 176262566Sdes case KEY_ED25519: 177262566Sdes case KEY_ED25519_CERT: 178262566Sdes /* no need to prealloc */ 179262566Sdes break; 18076262Sgreen case KEY_UNSPEC: 18176262Sgreen break; 18276262Sgreen default: 18376262Sgreen break; 18476262Sgreen } 185204917Sdes} 186204917Sdes 187204917SdesKey * 188204917Sdeskey_new_private(int type) 189204917Sdes{ 190204917Sdes Key *k = key_new(type); 191204917Sdes 192204917Sdes key_add_private(k); 19376262Sgreen return k; 19476262Sgreen} 19599063Sdes 196204917Sdesstatic void 197204917Sdescert_free(struct KeyCert *cert) 198204917Sdes{ 199204917Sdes u_int i; 200204917Sdes 201204917Sdes buffer_free(&cert->certblob); 202215116Sdes buffer_free(&cert->critical); 203215116Sdes buffer_free(&cert->extensions); 204255767Sdes free(cert->key_id); 205204917Sdes for (i = 0; i < cert->nprincipals; i++) 206255767Sdes free(cert->principals[i]); 207255767Sdes free(cert->principals); 208204917Sdes if (cert->signature_key != NULL) 209204917Sdes key_free(cert->signature_key); 210255767Sdes free(cert); 211204917Sdes} 212204917Sdes 21358582Skrisvoid 21458582Skriskey_free(Key *k) 21558582Skris{ 216162856Sdes if (k == NULL) 217162856Sdes fatal("key_free: key is NULL"); 21858582Skris switch (k->type) { 21976262Sgreen case KEY_RSA1: 22058582Skris case KEY_RSA: 221215116Sdes case KEY_RSA_CERT_V00: 222204917Sdes case KEY_RSA_CERT: 22358582Skris if (k->rsa != NULL) 22458582Skris RSA_free(k->rsa); 22558582Skris k->rsa = NULL; 22658582Skris break; 22758582Skris case KEY_DSA: 228215116Sdes case KEY_DSA_CERT_V00: 229204917Sdes case KEY_DSA_CERT: 23058582Skris if (k->dsa != NULL) 23158582Skris DSA_free(k->dsa); 23258582Skris k->dsa = NULL; 23358582Skris break; 234221420Sdes#ifdef OPENSSL_HAS_ECC 235221420Sdes case KEY_ECDSA: 236221420Sdes case KEY_ECDSA_CERT: 237221420Sdes if (k->ecdsa != NULL) 238221420Sdes EC_KEY_free(k->ecdsa); 239221420Sdes k->ecdsa = NULL; 240221420Sdes break; 241221420Sdes#endif 242262566Sdes case KEY_ED25519: 243262566Sdes case KEY_ED25519_CERT: 244262566Sdes if (k->ed25519_pk) { 245264377Sdes explicit_bzero(k->ed25519_pk, ED25519_PK_SZ); 246262566Sdes free(k->ed25519_pk); 247262566Sdes k->ed25519_pk = NULL; 248262566Sdes } 249262566Sdes if (k->ed25519_sk) { 250264377Sdes explicit_bzero(k->ed25519_sk, ED25519_SK_SZ); 251262566Sdes free(k->ed25519_sk); 252262566Sdes k->ed25519_sk = NULL; 253262566Sdes } 254262566Sdes break; 25576262Sgreen case KEY_UNSPEC: 25676262Sgreen break; 25758582Skris default: 25858582Skris fatal("key_free: bad key type %d", k->type); 25958582Skris break; 26058582Skris } 261204917Sdes if (key_is_cert(k)) { 262204917Sdes if (k->cert != NULL) 263204917Sdes cert_free(k->cert); 264204917Sdes k->cert = NULL; 265204917Sdes } 266204917Sdes 267255767Sdes free(k); 26858582Skris} 269126277Sdes 270204917Sdesstatic int 271204917Sdescert_compare(struct KeyCert *a, struct KeyCert *b) 272204917Sdes{ 273204917Sdes if (a == NULL && b == NULL) 274204917Sdes return 1; 275204917Sdes if (a == NULL || b == NULL) 276204917Sdes return 0; 277204917Sdes if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 278204917Sdes return 0; 279215116Sdes if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), 280204917Sdes buffer_len(&a->certblob)) != 0) 281204917Sdes return 0; 282204917Sdes return 1; 283204917Sdes} 284204917Sdes 285204917Sdes/* 286204917Sdes * Compare public portions of key only, allowing comparisons between 287204917Sdes * certificates and plain keys too. 288204917Sdes */ 28958582Skrisint 290204917Sdeskey_equal_public(const Key *a, const Key *b) 29158582Skris{ 292221420Sdes#ifdef OPENSSL_HAS_ECC 293221420Sdes BN_CTX *bnctx; 294221420Sdes#endif 295221420Sdes 296204917Sdes if (a == NULL || b == NULL || 297204917Sdes key_type_plain(a->type) != key_type_plain(b->type)) 29858582Skris return 0; 299204917Sdes 30058582Skris switch (a->type) { 30176262Sgreen case KEY_RSA1: 302215116Sdes case KEY_RSA_CERT_V00: 303204917Sdes case KEY_RSA_CERT: 30458582Skris case KEY_RSA: 30558582Skris return a->rsa != NULL && b->rsa != NULL && 30658582Skris BN_cmp(a->rsa->e, b->rsa->e) == 0 && 30758582Skris BN_cmp(a->rsa->n, b->rsa->n) == 0; 308215116Sdes case KEY_DSA_CERT_V00: 309204917Sdes case KEY_DSA_CERT: 31058582Skris case KEY_DSA: 31158582Skris return a->dsa != NULL && b->dsa != NULL && 31258582Skris BN_cmp(a->dsa->p, b->dsa->p) == 0 && 31358582Skris BN_cmp(a->dsa->q, b->dsa->q) == 0 && 31458582Skris BN_cmp(a->dsa->g, b->dsa->g) == 0 && 31558582Skris BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 316221420Sdes#ifdef OPENSSL_HAS_ECC 317221420Sdes case KEY_ECDSA_CERT: 318221420Sdes case KEY_ECDSA: 319221420Sdes if (a->ecdsa == NULL || b->ecdsa == NULL || 320221420Sdes EC_KEY_get0_public_key(a->ecdsa) == NULL || 321221420Sdes EC_KEY_get0_public_key(b->ecdsa) == NULL) 322221420Sdes return 0; 323221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 324221420Sdes fatal("%s: BN_CTX_new failed", __func__); 325221420Sdes if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 326221420Sdes EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 327221420Sdes EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 328221420Sdes EC_KEY_get0_public_key(a->ecdsa), 329221420Sdes EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 330221420Sdes BN_CTX_free(bnctx); 331221420Sdes return 0; 332221420Sdes } 333221420Sdes BN_CTX_free(bnctx); 334221420Sdes return 1; 335221420Sdes#endif /* OPENSSL_HAS_ECC */ 336262566Sdes case KEY_ED25519: 337262566Sdes case KEY_ED25519_CERT: 338262566Sdes return a->ed25519_pk != NULL && b->ed25519_pk != NULL && 339262566Sdes memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; 34058582Skris default: 34160576Skris fatal("key_equal: bad key type %d", a->type); 34258582Skris } 343181111Sdes /* NOTREACHED */ 34458582Skris} 34558582Skris 346204917Sdesint 347204917Sdeskey_equal(const Key *a, const Key *b) 348204917Sdes{ 349204917Sdes if (a == NULL || b == NULL || a->type != b->type) 350204917Sdes return 0; 351204917Sdes if (key_is_cert(a)) { 352204917Sdes if (!cert_compare(a->cert, b->cert)) 353204917Sdes return 0; 354204917Sdes } 355204917Sdes return key_equal_public(a, b); 356204917Sdes} 357204917Sdes 358124211Sdesu_char* 359248619Sdeskey_fingerprint_raw(const Key *k, enum fp_type dgst_type, 360248619Sdes u_int *dgst_raw_length) 36158582Skris{ 36276262Sgreen u_char *blob = NULL; 36376262Sgreen u_char *retval = NULL; 36492559Sdes u_int len = 0; 365262566Sdes int nlen, elen, hash_alg = -1; 36658582Skris 36776262Sgreen *dgst_raw_length = 0; 36876262Sgreen 369262566Sdes /* XXX switch to DIGEST_* directly? */ 37076262Sgreen switch (dgst_type) { 37176262Sgreen case SSH_FP_MD5: 372262566Sdes hash_alg = SSH_DIGEST_MD5; 37376262Sgreen break; 37476262Sgreen case SSH_FP_SHA1: 375262566Sdes hash_alg = SSH_DIGEST_SHA1; 37676262Sgreen break; 377240075Sdes case SSH_FP_SHA256: 378262566Sdes hash_alg = SSH_DIGEST_SHA256; 379240075Sdes break; 38076262Sgreen default: 381262566Sdes fatal("%s: bad digest type %d", __func__, dgst_type); 38276262Sgreen } 38358582Skris switch (k->type) { 38476262Sgreen case KEY_RSA1: 38558582Skris nlen = BN_num_bytes(k->rsa->n); 38658582Skris elen = BN_num_bytes(k->rsa->e); 38758582Skris len = nlen + elen; 38860576Skris blob = xmalloc(len); 38960576Skris BN_bn2bin(k->rsa->n, blob); 39060576Skris BN_bn2bin(k->rsa->e, blob + nlen); 39158582Skris break; 39258582Skris case KEY_DSA: 393221420Sdes case KEY_ECDSA: 39476262Sgreen case KEY_RSA: 395262566Sdes case KEY_ED25519: 39676262Sgreen key_to_blob(k, &blob, &len); 39758582Skris break; 398215116Sdes case KEY_DSA_CERT_V00: 399215116Sdes case KEY_RSA_CERT_V00: 400204917Sdes case KEY_DSA_CERT: 401221420Sdes case KEY_ECDSA_CERT: 402204917Sdes case KEY_RSA_CERT: 403262566Sdes case KEY_ED25519_CERT: 404204917Sdes /* We want a fingerprint of the _key_ not of the cert */ 405248619Sdes to_blob(k, &blob, &len, 1); 406204917Sdes break; 40776262Sgreen case KEY_UNSPEC: 40876262Sgreen return retval; 40958582Skris default: 410262566Sdes fatal("%s: bad key type %d", __func__, k->type); 41158582Skris break; 41258582Skris } 41360576Skris if (blob != NULL) { 414262566Sdes retval = xmalloc(SSH_DIGEST_MAX_LENGTH); 415262566Sdes if ((ssh_digest_memory(hash_alg, blob, len, 416262566Sdes retval, SSH_DIGEST_MAX_LENGTH)) != 0) 417262566Sdes fatal("%s: digest_memory failed", __func__); 418264377Sdes explicit_bzero(blob, len); 419255767Sdes free(blob); 420262566Sdes *dgst_raw_length = ssh_digest_bytes(hash_alg); 42176262Sgreen } else { 422262566Sdes fatal("%s: blob is null", __func__); 42358582Skris } 42458582Skris return retval; 42558582Skris} 42658582Skris 427106130Sdesstatic char * 428106130Sdeskey_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) 42976262Sgreen{ 43076262Sgreen char *retval; 431149753Sdes u_int i; 43276262Sgreen 433162856Sdes retval = xcalloc(1, dgst_raw_len * 3 + 1); 43492559Sdes for (i = 0; i < dgst_raw_len; i++) { 43576262Sgreen char hex[4]; 43676262Sgreen snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 437124211Sdes strlcat(retval, hex, dgst_raw_len * 3 + 1); 43876262Sgreen } 439124211Sdes 440124211Sdes /* Remove the trailing ':' character */ 44176262Sgreen retval[(dgst_raw_len * 3) - 1] = '\0'; 44276262Sgreen return retval; 44376262Sgreen} 44476262Sgreen 445106130Sdesstatic char * 446106130Sdeskey_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) 44776262Sgreen{ 44876262Sgreen char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 44976262Sgreen char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 45076262Sgreen 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 45176262Sgreen u_int i, j = 0, rounds, seed = 1; 45276262Sgreen char *retval; 45376262Sgreen 45476262Sgreen rounds = (dgst_raw_len / 2) + 1; 455162856Sdes retval = xcalloc((rounds * 6), sizeof(char)); 45676262Sgreen retval[j++] = 'x'; 45776262Sgreen for (i = 0; i < rounds; i++) { 45876262Sgreen u_int idx0, idx1, idx2, idx3, idx4; 45976262Sgreen if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 46076262Sgreen idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 46176262Sgreen seed) % 6; 46276262Sgreen idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 46376262Sgreen idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 46476262Sgreen (seed / 6)) % 6; 46576262Sgreen retval[j++] = vowels[idx0]; 46676262Sgreen retval[j++] = consonants[idx1]; 46776262Sgreen retval[j++] = vowels[idx2]; 46876262Sgreen if ((i + 1) < rounds) { 46976262Sgreen idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 47076262Sgreen idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 47176262Sgreen retval[j++] = consonants[idx3]; 47276262Sgreen retval[j++] = '-'; 47376262Sgreen retval[j++] = consonants[idx4]; 47476262Sgreen seed = ((seed * 5) + 47576262Sgreen ((((u_int)(dgst_raw[2 * i])) * 7) + 47676262Sgreen ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 47776262Sgreen } 47876262Sgreen } else { 47976262Sgreen idx0 = seed % 6; 48076262Sgreen idx1 = 16; 48176262Sgreen idx2 = seed / 6; 48276262Sgreen retval[j++] = vowels[idx0]; 48376262Sgreen retval[j++] = consonants[idx1]; 48476262Sgreen retval[j++] = vowels[idx2]; 48576262Sgreen } 48676262Sgreen } 48776262Sgreen retval[j++] = 'x'; 48876262Sgreen retval[j++] = '\0'; 48976262Sgreen return retval; 49076262Sgreen} 49176262Sgreen 492181111Sdes/* 493181111Sdes * Draw an ASCII-Art representing the fingerprint so human brain can 494181111Sdes * profit from its built-in pattern recognition ability. 495181111Sdes * This technique is called "random art" and can be found in some 496181111Sdes * scientific publications like this original paper: 497181111Sdes * 498181111Sdes * "Hash Visualization: a New Technique to improve Real-World Security", 499181111Sdes * Perrig A. and Song D., 1999, International Workshop on Cryptographic 500181111Sdes * Techniques and E-Commerce (CrypTEC '99) 501181111Sdes * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 502181111Sdes * 503181111Sdes * The subject came up in a talk by Dan Kaminsky, too. 504181111Sdes * 505181111Sdes * If you see the picture is different, the key is different. 506181111Sdes * If the picture looks the same, you still know nothing. 507181111Sdes * 508181111Sdes * The algorithm used here is a worm crawling over a discrete plane, 509181111Sdes * leaving a trace (augmenting the field) everywhere it goes. 510181111Sdes * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 511181111Sdes * makes the respective movement vector be ignored for this turn. 512181111Sdes * Graphs are not unambiguous, because circles in graphs can be 513181111Sdes * walked in either direction. 514181111Sdes */ 515181111Sdes 516181111Sdes/* 517181111Sdes * Field sizes for the random art. Have to be odd, so the starting point 518181111Sdes * can be in the exact middle of the picture, and FLDBASE should be >=8 . 519181111Sdes * Else pictures would be too dense, and drawing the frame would 520181111Sdes * fail, too, because the key type would not fit in anymore. 521181111Sdes */ 522181111Sdes#define FLDBASE 8 523181111Sdes#define FLDSIZE_Y (FLDBASE + 1) 524181111Sdes#define FLDSIZE_X (FLDBASE * 2 + 1) 525181111Sdesstatic char * 526181111Sdeskey_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) 527181111Sdes{ 528181111Sdes /* 529181111Sdes * Chars to be used after each other every time the worm 530181111Sdes * intersects with itself. Matter of taste. 531181111Sdes */ 532181111Sdes char *augmentation_string = " .o+=*BOX@%&#/^SE"; 533181111Sdes char *retval, *p; 534181111Sdes u_char field[FLDSIZE_X][FLDSIZE_Y]; 535181111Sdes u_int i, b; 536181111Sdes int x, y; 537181111Sdes size_t len = strlen(augmentation_string) - 1; 538181111Sdes 539181111Sdes retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); 540181111Sdes 541181111Sdes /* initialize field */ 542181111Sdes memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 543181111Sdes x = FLDSIZE_X / 2; 544181111Sdes y = FLDSIZE_Y / 2; 545181111Sdes 546181111Sdes /* process raw key */ 547181111Sdes for (i = 0; i < dgst_raw_len; i++) { 548181111Sdes int input; 549181111Sdes /* each byte conveys four 2-bit move commands */ 550181111Sdes input = dgst_raw[i]; 551181111Sdes for (b = 0; b < 4; b++) { 552181111Sdes /* evaluate 2 bit, rest is shifted later */ 553181111Sdes x += (input & 0x1) ? 1 : -1; 554181111Sdes y += (input & 0x2) ? 1 : -1; 555181111Sdes 556181111Sdes /* assure we are still in bounds */ 557181111Sdes x = MAX(x, 0); 558181111Sdes y = MAX(y, 0); 559181111Sdes x = MIN(x, FLDSIZE_X - 1); 560181111Sdes y = MIN(y, FLDSIZE_Y - 1); 561181111Sdes 562181111Sdes /* augment the field */ 563192595Sdes if (field[x][y] < len - 2) 564192595Sdes field[x][y]++; 565181111Sdes input = input >> 2; 566181111Sdes } 567181111Sdes } 568181111Sdes 569181111Sdes /* mark starting point and end point*/ 570181111Sdes field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 571181111Sdes field[x][y] = len; 572181111Sdes 573181111Sdes /* fill in retval */ 574181111Sdes snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k)); 575181111Sdes p = strchr(retval, '\0'); 576181111Sdes 577181111Sdes /* output upper border */ 578181111Sdes for (i = p - retval - 1; i < FLDSIZE_X; i++) 579181111Sdes *p++ = '-'; 580181111Sdes *p++ = '+'; 581181111Sdes *p++ = '\n'; 582181111Sdes 583181111Sdes /* output content */ 584181111Sdes for (y = 0; y < FLDSIZE_Y; y++) { 585181111Sdes *p++ = '|'; 586181111Sdes for (x = 0; x < FLDSIZE_X; x++) 587181111Sdes *p++ = augmentation_string[MIN(field[x][y], len)]; 588181111Sdes *p++ = '|'; 589181111Sdes *p++ = '\n'; 590181111Sdes } 591181111Sdes 592181111Sdes /* output lower border */ 593181111Sdes *p++ = '+'; 594181111Sdes for (i = 0; i < FLDSIZE_X; i++) 595181111Sdes *p++ = '-'; 596181111Sdes *p++ = '+'; 597181111Sdes 598181111Sdes return retval; 599181111Sdes} 600181111Sdes 601106130Sdeschar * 602255767Sdeskey_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) 60376262Sgreen{ 60476262Sgreen char *retval = NULL; 60576262Sgreen u_char *dgst_raw; 60692559Sdes u_int dgst_raw_len; 60792559Sdes 60876262Sgreen dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); 60976262Sgreen if (!dgst_raw) 61076262Sgreen fatal("key_fingerprint: null from key_fingerprint_raw()"); 61192559Sdes switch (dgst_rep) { 61276262Sgreen case SSH_FP_HEX: 61376262Sgreen retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); 61476262Sgreen break; 61576262Sgreen case SSH_FP_BUBBLEBABBLE: 61676262Sgreen retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 61776262Sgreen break; 618181111Sdes case SSH_FP_RANDOMART: 619181111Sdes retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k); 620181111Sdes break; 62176262Sgreen default: 622192595Sdes fatal("key_fingerprint: bad digest representation %d", 62376262Sgreen dgst_rep); 62476262Sgreen break; 62576262Sgreen } 626264377Sdes explicit_bzero(dgst_raw, dgst_raw_len); 627255767Sdes free(dgst_raw); 62876262Sgreen return retval; 62976262Sgreen} 63076262Sgreen 63158582Skris/* 63258582Skris * Reads a multiple-precision integer in decimal from the buffer, and advances 63358582Skris * the pointer. The integer must already be initialized. This function is 63458582Skris * permitted to modify the buffer. This leaves *cpp to point just beyond the 63558582Skris * last processed (and maybe modified) character. Note that this may modify 63658582Skris * the buffer containing the number. 63758582Skris */ 63892559Sdesstatic int 63958582Skrisread_bignum(char **cpp, BIGNUM * value) 64058582Skris{ 64158582Skris char *cp = *cpp; 64258582Skris int old; 64358582Skris 64458582Skris /* Skip any leading whitespace. */ 64558582Skris for (; *cp == ' ' || *cp == '\t'; cp++) 64658582Skris ; 64758582Skris 64858582Skris /* Check that it begins with a decimal digit. */ 64958582Skris if (*cp < '0' || *cp > '9') 65058582Skris return 0; 65158582Skris 65258582Skris /* Save starting position. */ 65358582Skris *cpp = cp; 65458582Skris 65558582Skris /* Move forward until all decimal digits skipped. */ 65658582Skris for (; *cp >= '0' && *cp <= '9'; cp++) 65758582Skris ; 65858582Skris 65958582Skris /* Save the old terminating character, and replace it by \0. */ 66058582Skris old = *cp; 66158582Skris *cp = 0; 66258582Skris 66358582Skris /* Parse the number. */ 66458582Skris if (BN_dec2bn(&value, *cpp) == 0) 66558582Skris return 0; 66658582Skris 66758582Skris /* Restore old terminating character. */ 66858582Skris *cp = old; 66958582Skris 67058582Skris /* Move beyond the number and return success. */ 67158582Skris *cpp = cp; 67258582Skris return 1; 67358582Skris} 67499063Sdes 67592559Sdesstatic int 67658582Skriswrite_bignum(FILE *f, BIGNUM *num) 67758582Skris{ 67858582Skris char *buf = BN_bn2dec(num); 67958582Skris if (buf == NULL) { 68058582Skris error("write_bignum: BN_bn2dec() failed"); 68158582Skris return 0; 68258582Skris } 68358582Skris fprintf(f, " %s", buf); 68492559Sdes OPENSSL_free(buf); 68558582Skris return 1; 68658582Skris} 68776262Sgreen 68892559Sdes/* returns 1 ok, -1 error */ 68976262Sgreenint 69060576Skriskey_read(Key *ret, char **cpp) 69158582Skris{ 69260576Skris Key *k; 69376262Sgreen int success = -1; 69476262Sgreen char *cp, *space; 69576262Sgreen int len, n, type; 69676262Sgreen u_int bits; 69776262Sgreen u_char *blob; 698221420Sdes#ifdef OPENSSL_HAS_ECC 699221420Sdes int curve_nid = -1; 700221420Sdes#endif 70160576Skris 70260576Skris cp = *cpp; 70360576Skris 70492559Sdes switch (ret->type) { 70576262Sgreen case KEY_RSA1: 70660576Skris /* Get number of bits. */ 70760576Skris if (*cp < '0' || *cp > '9') 70876262Sgreen return -1; /* Bad bit count... */ 70960576Skris for (bits = 0; *cp >= '0' && *cp <= '9'; cp++) 71060576Skris bits = 10 * bits + *cp - '0'; 71158582Skris if (bits == 0) 71276262Sgreen return -1; 71360576Skris *cpp = cp; 71458582Skris /* Get public exponent, public modulus. */ 71558582Skris if (!read_bignum(cpp, ret->rsa->e)) 71676262Sgreen return -1; 71758582Skris if (!read_bignum(cpp, ret->rsa->n)) 71876262Sgreen return -1; 719204917Sdes /* validate the claimed number of bits */ 720204917Sdes if ((u_int)BN_num_bits(ret->rsa->n) != bits) { 721204917Sdes verbose("key_read: claimed key size %d does not match " 722204917Sdes "actual %d", bits, BN_num_bits(ret->rsa->n)); 723204917Sdes return -1; 724204917Sdes } 72576262Sgreen success = 1; 72658582Skris break; 72776262Sgreen case KEY_UNSPEC: 72876262Sgreen case KEY_RSA: 72958582Skris case KEY_DSA: 730221420Sdes case KEY_ECDSA: 731262566Sdes case KEY_ED25519: 732215116Sdes case KEY_DSA_CERT_V00: 733215116Sdes case KEY_RSA_CERT_V00: 734204917Sdes case KEY_DSA_CERT: 735221420Sdes case KEY_ECDSA_CERT: 736204917Sdes case KEY_RSA_CERT: 737262566Sdes case KEY_ED25519_CERT: 73876262Sgreen space = strchr(cp, ' '); 73976262Sgreen if (space == NULL) { 740113911Sdes debug3("key_read: missing whitespace"); 74176262Sgreen return -1; 74276262Sgreen } 74376262Sgreen *space = '\0'; 74476262Sgreen type = key_type_from_name(cp); 745221420Sdes#ifdef OPENSSL_HAS_ECC 746221420Sdes if (key_type_plain(type) == KEY_ECDSA && 747221420Sdes (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) { 748221420Sdes debug("key_read: invalid curve"); 749221420Sdes return -1; 750221420Sdes } 751221420Sdes#endif 75276262Sgreen *space = ' '; 75376262Sgreen if (type == KEY_UNSPEC) { 754113911Sdes debug3("key_read: missing keytype"); 75576262Sgreen return -1; 75676262Sgreen } 75776262Sgreen cp = space+1; 75876262Sgreen if (*cp == '\0') { 75976262Sgreen debug3("key_read: short string"); 76076262Sgreen return -1; 76176262Sgreen } 76276262Sgreen if (ret->type == KEY_UNSPEC) { 76376262Sgreen ret->type = type; 76476262Sgreen } else if (ret->type != type) { 76576262Sgreen /* is a key, but different type */ 76676262Sgreen debug3("key_read: type mismatch"); 76792559Sdes return -1; 76876262Sgreen } 76960576Skris len = 2*strlen(cp); 77060576Skris blob = xmalloc(len); 77160576Skris n = uudecode(cp, blob, len); 77260576Skris if (n < 0) { 77361203Skris error("key_read: uudecode %s failed", cp); 774255767Sdes free(blob); 77576262Sgreen return -1; 77660576Skris } 777124211Sdes k = key_from_blob(blob, (u_int)n); 778255767Sdes free(blob); 77961203Skris if (k == NULL) { 78076262Sgreen error("key_read: key_from_blob %s failed", cp); 78176262Sgreen return -1; 78261203Skris } 78376262Sgreen if (k->type != type) { 78476262Sgreen error("key_read: type mismatch: encoding error"); 78576262Sgreen key_free(k); 78676262Sgreen return -1; 78776262Sgreen } 788221420Sdes#ifdef OPENSSL_HAS_ECC 789221420Sdes if (key_type_plain(type) == KEY_ECDSA && 790221420Sdes curve_nid != k->ecdsa_nid) { 791221420Sdes error("key_read: type mismatch: EC curve mismatch"); 792221420Sdes key_free(k); 793221420Sdes return -1; 794221420Sdes } 795221420Sdes#endif 79676262Sgreen/*XXXX*/ 797204917Sdes if (key_is_cert(ret)) { 798204917Sdes if (!key_is_cert(k)) { 799204917Sdes error("key_read: loaded key is not a cert"); 800204917Sdes key_free(k); 801204917Sdes return -1; 802204917Sdes } 803204917Sdes if (ret->cert != NULL) 804204917Sdes cert_free(ret->cert); 805204917Sdes ret->cert = k->cert; 806204917Sdes k->cert = NULL; 807204917Sdes } 808204917Sdes if (key_type_plain(ret->type) == KEY_RSA) { 80976262Sgreen if (ret->rsa != NULL) 81076262Sgreen RSA_free(ret->rsa); 81176262Sgreen ret->rsa = k->rsa; 81276262Sgreen k->rsa = NULL; 81376262Sgreen#ifdef DEBUG_PK 81476262Sgreen RSA_print_fp(stderr, ret->rsa, 8); 81576262Sgreen#endif 816204917Sdes } 817204917Sdes if (key_type_plain(ret->type) == KEY_DSA) { 81876262Sgreen if (ret->dsa != NULL) 81976262Sgreen DSA_free(ret->dsa); 82076262Sgreen ret->dsa = k->dsa; 82176262Sgreen k->dsa = NULL; 82276262Sgreen#ifdef DEBUG_PK 82376262Sgreen DSA_print_fp(stderr, ret->dsa, 8); 82476262Sgreen#endif 82576262Sgreen } 826221420Sdes#ifdef OPENSSL_HAS_ECC 827221420Sdes if (key_type_plain(ret->type) == KEY_ECDSA) { 828221420Sdes if (ret->ecdsa != NULL) 829221420Sdes EC_KEY_free(ret->ecdsa); 830221420Sdes ret->ecdsa = k->ecdsa; 831221420Sdes ret->ecdsa_nid = k->ecdsa_nid; 832221420Sdes k->ecdsa = NULL; 833221420Sdes k->ecdsa_nid = -1; 834221420Sdes#ifdef DEBUG_PK 835221420Sdes key_dump_ec_key(ret->ecdsa); 836221420Sdes#endif 837221420Sdes } 838221420Sdes#endif 839262566Sdes if (key_type_plain(ret->type) == KEY_ED25519) { 840262566Sdes free(ret->ed25519_pk); 841262566Sdes ret->ed25519_pk = k->ed25519_pk; 842262566Sdes k->ed25519_pk = NULL; 843262566Sdes#ifdef DEBUG_PK 844262566Sdes /* XXX */ 845262566Sdes#endif 846262566Sdes } 847204917Sdes success = 1; 84876262Sgreen/*XXXX*/ 84992559Sdes key_free(k); 85076262Sgreen if (success != 1) 85176262Sgreen break; 85261203Skris /* advance cp: skip whitespace and data */ 85361203Skris while (*cp == ' ' || *cp == '\t') 85461203Skris cp++; 85561203Skris while (*cp != '\0' && *cp != ' ' && *cp != '\t') 85661203Skris cp++; 85761203Skris *cpp = cp; 85858582Skris break; 85958582Skris default: 86060576Skris fatal("key_read: bad key type: %d", ret->type); 86158582Skris break; 86258582Skris } 86376262Sgreen return success; 86458582Skris} 86599063Sdes 86658582Skrisint 867126277Sdeskey_write(const Key *key, FILE *f) 86858582Skris{ 86992559Sdes int n, success = 0; 87092559Sdes u_int len, bits = 0; 871106130Sdes u_char *blob; 872106130Sdes char *uu; 87358582Skris 874204917Sdes if (key_is_cert(key)) { 875204917Sdes if (key->cert == NULL) { 876204917Sdes error("%s: no cert data", __func__); 877204917Sdes return 0; 878204917Sdes } 879204917Sdes if (buffer_len(&key->cert->certblob) == 0) { 880204917Sdes error("%s: no signed certificate blob", __func__); 881204917Sdes return 0; 882204917Sdes } 883204917Sdes } 884204917Sdes 885204917Sdes switch (key->type) { 886204917Sdes case KEY_RSA1: 887204917Sdes if (key->rsa == NULL) 888204917Sdes return 0; 88958582Skris /* size of modulus 'n' */ 89058582Skris bits = BN_num_bits(key->rsa->n); 89158582Skris fprintf(f, "%u", bits); 89258582Skris if (write_bignum(f, key->rsa->e) && 893204917Sdes write_bignum(f, key->rsa->n)) 894204917Sdes return 1; 895204917Sdes error("key_write: failed for RSA key"); 896204917Sdes return 0; 897204917Sdes case KEY_DSA: 898215116Sdes case KEY_DSA_CERT_V00: 899204917Sdes case KEY_DSA_CERT: 900204917Sdes if (key->dsa == NULL) 901204917Sdes return 0; 902204917Sdes break; 903221420Sdes#ifdef OPENSSL_HAS_ECC 904221420Sdes case KEY_ECDSA: 905221420Sdes case KEY_ECDSA_CERT: 906221420Sdes if (key->ecdsa == NULL) 907221420Sdes return 0; 908221420Sdes break; 909221420Sdes#endif 910262566Sdes case KEY_ED25519: 911262566Sdes case KEY_ED25519_CERT: 912262566Sdes if (key->ed25519_pk == NULL) 913262566Sdes return 0; 914262566Sdes break; 915204917Sdes case KEY_RSA: 916215116Sdes case KEY_RSA_CERT_V00: 917204917Sdes case KEY_RSA_CERT: 918204917Sdes if (key->rsa == NULL) 919204917Sdes return 0; 920204917Sdes break; 921204917Sdes default: 922204917Sdes return 0; 92358582Skris } 924204917Sdes 925204917Sdes key_to_blob(key, &blob, &len); 926204917Sdes uu = xmalloc(2*len); 927204917Sdes n = uuencode(blob, len, uu, 2*len); 928204917Sdes if (n > 0) { 929204917Sdes fprintf(f, "%s %s", key_ssh_name(key), uu); 930204917Sdes success = 1; 931204917Sdes } 932255767Sdes free(blob); 933255767Sdes free(uu); 934204917Sdes 93558582Skris return success; 93658582Skris} 93799063Sdes 938126277Sdesconst char * 939207319Sdeskey_cert_type(const Key *k) 940207319Sdes{ 941207319Sdes switch (k->cert->type) { 942207319Sdes case SSH2_CERT_TYPE_USER: 943207319Sdes return "user"; 944207319Sdes case SSH2_CERT_TYPE_HOST: 945207319Sdes return "host"; 946207319Sdes default: 947207319Sdes return "unknown"; 948207319Sdes } 949207319Sdes} 950207319Sdes 951255767Sdesstruct keytype { 952255767Sdes char *name; 953255767Sdes char *shortname; 954255767Sdes int type; 955255767Sdes int nid; 956255767Sdes int cert; 957255767Sdes}; 958255767Sdesstatic const struct keytype keytypes[] = { 959255767Sdes { NULL, "RSA1", KEY_RSA1, 0, 0 }, 960255767Sdes { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 961255767Sdes { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 962262566Sdes { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, 963255767Sdes#ifdef OPENSSL_HAS_ECC 964255767Sdes { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 965255767Sdes { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 966262566Sdes# ifdef OPENSSL_HAS_NISTP521 967255767Sdes { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 968262566Sdes# endif 969255767Sdes#endif /* OPENSSL_HAS_ECC */ 970255767Sdes { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 971255767Sdes { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 972255767Sdes#ifdef OPENSSL_HAS_ECC 973255767Sdes { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 974255767Sdes KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 975255767Sdes { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 976255767Sdes KEY_ECDSA_CERT, NID_secp384r1, 1 }, 977262566Sdes# ifdef OPENSSL_HAS_NISTP521 978255767Sdes { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 979255767Sdes KEY_ECDSA_CERT, NID_secp521r1, 1 }, 980262566Sdes# endif 981255767Sdes#endif /* OPENSSL_HAS_ECC */ 982255767Sdes { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 983255767Sdes KEY_RSA_CERT_V00, 0, 1 }, 984255767Sdes { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 985255767Sdes KEY_DSA_CERT_V00, 0, 1 }, 986262566Sdes { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", 987262566Sdes KEY_ED25519_CERT, 0, 1 }, 988255767Sdes { NULL, NULL, -1, -1, 0 } 989255767Sdes}; 990255767Sdes 991255767Sdesconst char * 992255767Sdeskey_type(const Key *k) 993255767Sdes{ 994255767Sdes const struct keytype *kt; 995255767Sdes 996255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 997255767Sdes if (kt->type == k->type) 998255767Sdes return kt->shortname; 999255767Sdes } 1000255767Sdes return "unknown"; 1001255767Sdes} 1002255767Sdes 1003221420Sdesstatic const char * 1004221420Sdeskey_ssh_name_from_type_nid(int type, int nid) 100576262Sgreen{ 1006255767Sdes const struct keytype *kt; 1007255767Sdes 1008255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 1009255767Sdes if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 1010255767Sdes return kt->name; 101176262Sgreen } 101276262Sgreen return "ssh-unknown"; 101376262Sgreen} 101499063Sdes 1015221420Sdesconst char * 1016221420Sdeskey_ssh_name(const Key *k) 1017221420Sdes{ 1018221420Sdes return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 1019221420Sdes} 1020221420Sdes 1021221420Sdesconst char * 1022221420Sdeskey_ssh_name_plain(const Key *k) 1023221420Sdes{ 1024221420Sdes return key_ssh_name_from_type_nid(key_type_plain(k->type), 1025221420Sdes k->ecdsa_nid); 1026221420Sdes} 1027221420Sdes 1028255767Sdesint 1029255767Sdeskey_type_from_name(char *name) 1030255767Sdes{ 1031255767Sdes const struct keytype *kt; 1032255767Sdes 1033255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 1034255767Sdes /* Only allow shortname matches for plain key types */ 1035255767Sdes if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 1036255767Sdes (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 1037255767Sdes return kt->type; 1038255767Sdes } 1039255767Sdes debug2("key_type_from_name: unknown key type '%s'", name); 1040255767Sdes return KEY_UNSPEC; 1041255767Sdes} 1042255767Sdes 1043255767Sdesint 1044255767Sdeskey_ecdsa_nid_from_name(const char *name) 1045255767Sdes{ 1046255767Sdes const struct keytype *kt; 1047255767Sdes 1048255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 1049255767Sdes if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 1050255767Sdes continue; 1051255767Sdes if (kt->name != NULL && strcmp(name, kt->name) == 0) 1052255767Sdes return kt->nid; 1053255767Sdes } 1054255767Sdes debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); 1055255767Sdes return -1; 1056255767Sdes} 1057255767Sdes 1058255767Sdeschar * 1059262566Sdeskey_alg_list(int certs_only, int plain_only) 1060255767Sdes{ 1061255767Sdes char *ret = NULL; 1062255767Sdes size_t nlen, rlen = 0; 1063255767Sdes const struct keytype *kt; 1064255767Sdes 1065255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 1066255767Sdes if (kt->name == NULL) 1067255767Sdes continue; 1068262566Sdes if ((certs_only && !kt->cert) || (plain_only && kt->cert)) 1069262566Sdes continue; 1070255767Sdes if (ret != NULL) 1071255767Sdes ret[rlen++] = '\n'; 1072255767Sdes nlen = strlen(kt->name); 1073255767Sdes ret = xrealloc(ret, 1, rlen + nlen + 2); 1074255767Sdes memcpy(ret + rlen, kt->name, nlen + 1); 1075255767Sdes rlen += nlen; 1076255767Sdes } 1077255767Sdes return ret; 1078255767Sdes} 1079255767Sdes 1080262566Sdesint 1081262566Sdeskey_type_is_cert(int type) 1082262566Sdes{ 1083262566Sdes const struct keytype *kt; 1084262566Sdes 1085262566Sdes for (kt = keytypes; kt->type != -1; kt++) { 1086262566Sdes if (kt->type == type) 1087262566Sdes return kt->cert; 1088262566Sdes } 1089262566Sdes return 0; 1090262566Sdes} 1091262566Sdes 1092262566Sdesstatic int 1093262566Sdeskey_type_is_valid_ca(int type) 1094262566Sdes{ 1095262566Sdes switch (type) { 1096262566Sdes case KEY_RSA: 1097262566Sdes case KEY_DSA: 1098262566Sdes case KEY_ECDSA: 1099262566Sdes case KEY_ED25519: 1100262566Sdes return 1; 1101262566Sdes default: 1102262566Sdes return 0; 1103262566Sdes } 1104262566Sdes} 1105262566Sdes 110676262Sgreenu_int 1107126277Sdeskey_size(const Key *k) 110892559Sdes{ 110965674Skris switch (k->type) { 111076262Sgreen case KEY_RSA1: 111165674Skris case KEY_RSA: 1112215116Sdes case KEY_RSA_CERT_V00: 1113204917Sdes case KEY_RSA_CERT: 111465674Skris return BN_num_bits(k->rsa->n); 111565674Skris case KEY_DSA: 1116215116Sdes case KEY_DSA_CERT_V00: 1117204917Sdes case KEY_DSA_CERT: 111865674Skris return BN_num_bits(k->dsa->p); 1119262566Sdes case KEY_ED25519: 1120262566Sdes return 256; /* XXX */ 1121221420Sdes#ifdef OPENSSL_HAS_ECC 1122221420Sdes case KEY_ECDSA: 1123221420Sdes case KEY_ECDSA_CERT: 1124221420Sdes return key_curve_nid_to_bits(k->ecdsa_nid); 1125221420Sdes#endif 112665674Skris } 112765674Skris return 0; 112865674Skris} 112976262Sgreen 113092559Sdesstatic RSA * 113176262Sgreenrsa_generate_private_key(u_int bits) 113276262Sgreen{ 1133221420Sdes RSA *private = RSA_new(); 1134221420Sdes BIGNUM *f4 = BN_new(); 1135162856Sdes 113676262Sgreen if (private == NULL) 1137221420Sdes fatal("%s: RSA_new failed", __func__); 1138221420Sdes if (f4 == NULL) 1139221420Sdes fatal("%s: BN_new failed", __func__); 1140221420Sdes if (!BN_set_word(f4, RSA_F4)) 1141221420Sdes fatal("%s: BN_new failed", __func__); 1142221420Sdes if (!RSA_generate_key_ex(private, bits, f4, NULL)) 1143221420Sdes fatal("%s: key generation failed.", __func__); 1144221420Sdes BN_free(f4); 114576262Sgreen return private; 114676262Sgreen} 114776262Sgreen 114892559Sdesstatic DSA* 114976262Sgreendsa_generate_private_key(u_int bits) 115076262Sgreen{ 1151221420Sdes DSA *private = DSA_new(); 1152162856Sdes 115376262Sgreen if (private == NULL) 1154221420Sdes fatal("%s: DSA_new failed", __func__); 1155221420Sdes if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1156221420Sdes NULL, NULL)) 1157221420Sdes fatal("%s: DSA_generate_parameters failed", __func__); 115876262Sgreen if (!DSA_generate_key(private)) 1159221420Sdes fatal("%s: DSA_generate_key failed.", __func__); 116076262Sgreen return private; 116176262Sgreen} 116276262Sgreen 1163221420Sdesint 1164221420Sdeskey_ecdsa_bits_to_nid(int bits) 1165221420Sdes{ 1166221420Sdes switch (bits) { 1167221420Sdes#ifdef OPENSSL_HAS_ECC 1168221420Sdes case 256: 1169221420Sdes return NID_X9_62_prime256v1; 1170221420Sdes case 384: 1171221420Sdes return NID_secp384r1; 1172262566Sdes# ifdef OPENSSL_HAS_NISTP521 1173221420Sdes case 521: 1174221420Sdes return NID_secp521r1; 1175262566Sdes# endif 1176221420Sdes#endif 1177221420Sdes default: 1178221420Sdes return -1; 1179221420Sdes } 1180221420Sdes} 1181221420Sdes 1182221420Sdes#ifdef OPENSSL_HAS_ECC 1183221420Sdesint 1184221420Sdeskey_ecdsa_key_to_nid(EC_KEY *k) 1185221420Sdes{ 1186221420Sdes EC_GROUP *eg; 1187221420Sdes int nids[] = { 1188221420Sdes NID_X9_62_prime256v1, 1189221420Sdes NID_secp384r1, 1190262566Sdes# ifdef OPENSSL_HAS_NISTP521 1191221420Sdes NID_secp521r1, 1192262566Sdes# endif 1193221420Sdes -1 1194221420Sdes }; 1195221420Sdes int nid; 1196221420Sdes u_int i; 1197221420Sdes BN_CTX *bnctx; 1198221420Sdes const EC_GROUP *g = EC_KEY_get0_group(k); 1199221420Sdes 1200221420Sdes /* 1201221420Sdes * The group may be stored in a ASN.1 encoded private key in one of two 1202221420Sdes * ways: as a "named group", which is reconstituted by ASN.1 object ID 1203221420Sdes * or explicit group parameters encoded into the key blob. Only the 1204221420Sdes * "named group" case sets the group NID for us, but we can figure 1205221420Sdes * it out for the other case by comparing against all the groups that 1206221420Sdes * are supported. 1207221420Sdes */ 1208221420Sdes if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1209221420Sdes return nid; 1210221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 1211221420Sdes fatal("%s: BN_CTX_new() failed", __func__); 1212221420Sdes for (i = 0; nids[i] != -1; i++) { 1213221420Sdes if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1214221420Sdes fatal("%s: EC_GROUP_new_by_curve_name failed", 1215221420Sdes __func__); 1216221420Sdes if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1217221420Sdes break; 1218221420Sdes EC_GROUP_free(eg); 1219221420Sdes } 1220221420Sdes BN_CTX_free(bnctx); 1221221420Sdes debug3("%s: nid = %d", __func__, nids[i]); 1222221420Sdes if (nids[i] != -1) { 1223221420Sdes /* Use the group with the NID attached */ 1224221420Sdes EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1225221420Sdes if (EC_KEY_set_group(k, eg) != 1) 1226221420Sdes fatal("%s: EC_KEY_set_group", __func__); 1227221420Sdes } 1228221420Sdes return nids[i]; 1229221420Sdes} 1230221420Sdes 1231221420Sdesstatic EC_KEY* 1232221420Sdesecdsa_generate_private_key(u_int bits, int *nid) 1233221420Sdes{ 1234221420Sdes EC_KEY *private; 1235221420Sdes 1236221420Sdes if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1) 1237221420Sdes fatal("%s: invalid key length", __func__); 1238221420Sdes if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) 1239221420Sdes fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1240221420Sdes if (EC_KEY_generate_key(private) != 1) 1241221420Sdes fatal("%s: EC_KEY_generate_key failed", __func__); 1242221420Sdes EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1243221420Sdes return private; 1244221420Sdes} 1245221420Sdes#endif /* OPENSSL_HAS_ECC */ 1246221420Sdes 124776262SgreenKey * 124876262Sgreenkey_generate(int type, u_int bits) 124976262Sgreen{ 125076262Sgreen Key *k = key_new(KEY_UNSPEC); 125176262Sgreen switch (type) { 125276262Sgreen case KEY_DSA: 125376262Sgreen k->dsa = dsa_generate_private_key(bits); 125476262Sgreen break; 1255221420Sdes#ifdef OPENSSL_HAS_ECC 1256221420Sdes case KEY_ECDSA: 1257221420Sdes k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid); 1258221420Sdes break; 1259221420Sdes#endif 126076262Sgreen case KEY_RSA: 126176262Sgreen case KEY_RSA1: 126276262Sgreen k->rsa = rsa_generate_private_key(bits); 126376262Sgreen break; 1264262566Sdes case KEY_ED25519: 1265262566Sdes k->ed25519_pk = xmalloc(ED25519_PK_SZ); 1266262566Sdes k->ed25519_sk = xmalloc(ED25519_SK_SZ); 1267262566Sdes crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); 1268262566Sdes break; 1269215116Sdes case KEY_RSA_CERT_V00: 1270215116Sdes case KEY_DSA_CERT_V00: 1271204917Sdes case KEY_RSA_CERT: 1272204917Sdes case KEY_DSA_CERT: 1273204917Sdes fatal("key_generate: cert keys cannot be generated directly"); 127476262Sgreen default: 127576262Sgreen fatal("key_generate: unknown type %d", type); 127676262Sgreen } 127776262Sgreen k->type = type; 127876262Sgreen return k; 127976262Sgreen} 128076262Sgreen 1281204917Sdesvoid 1282204917Sdeskey_cert_copy(const Key *from_key, struct Key *to_key) 1283204917Sdes{ 1284204917Sdes u_int i; 1285204917Sdes const struct KeyCert *from; 1286204917Sdes struct KeyCert *to; 1287204917Sdes 1288204917Sdes if (to_key->cert != NULL) { 1289204917Sdes cert_free(to_key->cert); 1290204917Sdes to_key->cert = NULL; 1291204917Sdes } 1292204917Sdes 1293204917Sdes if ((from = from_key->cert) == NULL) 1294204917Sdes return; 1295204917Sdes 1296204917Sdes to = to_key->cert = cert_new(); 1297204917Sdes 1298204917Sdes buffer_append(&to->certblob, buffer_ptr(&from->certblob), 1299204917Sdes buffer_len(&from->certblob)); 1300204917Sdes 1301215116Sdes buffer_append(&to->critical, 1302215116Sdes buffer_ptr(&from->critical), buffer_len(&from->critical)); 1303215116Sdes buffer_append(&to->extensions, 1304215116Sdes buffer_ptr(&from->extensions), buffer_len(&from->extensions)); 1305204917Sdes 1306215116Sdes to->serial = from->serial; 1307204917Sdes to->type = from->type; 1308204917Sdes to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 1309204917Sdes to->valid_after = from->valid_after; 1310204917Sdes to->valid_before = from->valid_before; 1311204917Sdes to->signature_key = from->signature_key == NULL ? 1312204917Sdes NULL : key_from_private(from->signature_key); 1313204917Sdes 1314204917Sdes to->nprincipals = from->nprincipals; 1315204917Sdes if (to->nprincipals > CERT_MAX_PRINCIPALS) 1316204917Sdes fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)", 1317204917Sdes __func__, to->nprincipals, CERT_MAX_PRINCIPALS); 1318204917Sdes if (to->nprincipals > 0) { 1319204917Sdes to->principals = xcalloc(from->nprincipals, 1320204917Sdes sizeof(*to->principals)); 1321204917Sdes for (i = 0; i < to->nprincipals; i++) 1322204917Sdes to->principals[i] = xstrdup(from->principals[i]); 1323204917Sdes } 1324204917Sdes} 1325204917Sdes 132676262SgreenKey * 1327126277Sdeskey_from_private(const Key *k) 132876262Sgreen{ 132976262Sgreen Key *n = NULL; 133076262Sgreen switch (k->type) { 133176262Sgreen case KEY_DSA: 1332215116Sdes case KEY_DSA_CERT_V00: 1333204917Sdes case KEY_DSA_CERT: 133476262Sgreen n = key_new(k->type); 1335164149Sdes if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1336164149Sdes (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1337164149Sdes (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1338164149Sdes (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 1339164149Sdes fatal("key_from_private: BN_copy failed"); 134076262Sgreen break; 1341221420Sdes#ifdef OPENSSL_HAS_ECC 1342221420Sdes case KEY_ECDSA: 1343221420Sdes case KEY_ECDSA_CERT: 1344221420Sdes n = key_new(k->type); 1345221420Sdes n->ecdsa_nid = k->ecdsa_nid; 1346221420Sdes if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 1347221420Sdes fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1348221420Sdes if (EC_KEY_set_public_key(n->ecdsa, 1349221420Sdes EC_KEY_get0_public_key(k->ecdsa)) != 1) 1350221420Sdes fatal("%s: EC_KEY_set_public_key failed", __func__); 1351221420Sdes break; 1352221420Sdes#endif 135376262Sgreen case KEY_RSA: 135476262Sgreen case KEY_RSA1: 1355215116Sdes case KEY_RSA_CERT_V00: 1356204917Sdes case KEY_RSA_CERT: 135776262Sgreen n = key_new(k->type); 1358164149Sdes if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1359164149Sdes (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 1360164149Sdes fatal("key_from_private: BN_copy failed"); 136176262Sgreen break; 1362262566Sdes case KEY_ED25519: 1363262566Sdes case KEY_ED25519_CERT: 1364262566Sdes n = key_new(k->type); 1365262566Sdes if (k->ed25519_pk != NULL) { 1366262566Sdes n->ed25519_pk = xmalloc(ED25519_PK_SZ); 1367262566Sdes memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1368262566Sdes } 1369262566Sdes break; 137076262Sgreen default: 137176262Sgreen fatal("key_from_private: unknown type %d", k->type); 137276262Sgreen break; 137376262Sgreen } 1374204917Sdes if (key_is_cert(k)) 1375204917Sdes key_cert_copy(k, n); 137676262Sgreen return n; 137776262Sgreen} 137876262Sgreen 137976262Sgreenint 138076262Sgreenkey_names_valid2(const char *names) 138176262Sgreen{ 138276262Sgreen char *s, *cp, *p; 138376262Sgreen 138476262Sgreen if (names == NULL || strcmp(names, "") == 0) 138576262Sgreen return 0; 138676262Sgreen s = cp = xstrdup(names); 138776262Sgreen for ((p = strsep(&cp, ",")); p && *p != '\0'; 138892559Sdes (p = strsep(&cp, ","))) { 138976262Sgreen switch (key_type_from_name(p)) { 139076262Sgreen case KEY_RSA1: 139176262Sgreen case KEY_UNSPEC: 1392255767Sdes free(s); 139376262Sgreen return 0; 139476262Sgreen } 139576262Sgreen } 139676262Sgreen debug3("key names ok: [%s]", names); 1397255767Sdes free(s); 139876262Sgreen return 1; 139976262Sgreen} 140076262Sgreen 1401204917Sdesstatic int 1402204917Sdescert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1403204917Sdes{ 1404215116Sdes u_char *principals, *critical, *exts, *sig_key, *sig; 1405215116Sdes u_int signed_len, plen, clen, sklen, slen, kidlen, elen; 1406204917Sdes Buffer tmp; 1407204917Sdes char *principal; 1408204917Sdes int ret = -1; 1409215116Sdes int v00 = key->type == KEY_DSA_CERT_V00 || 1410215116Sdes key->type == KEY_RSA_CERT_V00; 1411204917Sdes 1412204917Sdes buffer_init(&tmp); 1413204917Sdes 1414204917Sdes /* Copy the entire key blob for verification and later serialisation */ 1415204917Sdes buffer_append(&key->cert->certblob, blob, blen); 1416204917Sdes 1417215116Sdes elen = 0; /* Not touched for v00 certs */ 1418215116Sdes principals = exts = critical = sig_key = sig = NULL; 1419215116Sdes if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) || 1420215116Sdes buffer_get_int_ret(&key->cert->type, b) != 0 || 1421221420Sdes (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL || 1422204917Sdes (principals = buffer_get_string_ret(b, &plen)) == NULL || 1423204917Sdes buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1424204917Sdes buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || 1425215116Sdes (critical = buffer_get_string_ret(b, &clen)) == NULL || 1426215116Sdes (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) || 1427215116Sdes (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */ 1428215116Sdes buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */ 1429204917Sdes (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1430204917Sdes error("%s: parse error", __func__); 1431204917Sdes goto out; 1432204917Sdes } 1433204917Sdes 1434204917Sdes /* Signature is left in the buffer so we can calculate this length */ 1435204917Sdes signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); 1436204917Sdes 1437204917Sdes if ((sig = buffer_get_string_ret(b, &slen)) == NULL) { 1438204917Sdes error("%s: parse error", __func__); 1439204917Sdes goto out; 1440204917Sdes } 1441204917Sdes 1442204917Sdes if (key->cert->type != SSH2_CERT_TYPE_USER && 1443204917Sdes key->cert->type != SSH2_CERT_TYPE_HOST) { 1444204917Sdes error("Unknown certificate type %u", key->cert->type); 1445204917Sdes goto out; 1446204917Sdes } 1447204917Sdes 1448204917Sdes buffer_append(&tmp, principals, plen); 1449204917Sdes while (buffer_len(&tmp) > 0) { 1450204917Sdes if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { 1451204917Sdes error("%s: Too many principals", __func__); 1452204917Sdes goto out; 1453204917Sdes } 1454221420Sdes if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) { 1455204917Sdes error("%s: Principals data invalid", __func__); 1456204917Sdes goto out; 1457204917Sdes } 1458204917Sdes key->cert->principals = xrealloc(key->cert->principals, 1459204917Sdes key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1460204917Sdes key->cert->principals[key->cert->nprincipals++] = principal; 1461204917Sdes } 1462204917Sdes 1463204917Sdes buffer_clear(&tmp); 1464204917Sdes 1465215116Sdes buffer_append(&key->cert->critical, critical, clen); 1466215116Sdes buffer_append(&tmp, critical, clen); 1467204917Sdes /* validate structure */ 1468204917Sdes while (buffer_len(&tmp) != 0) { 1469204917Sdes if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1470204917Sdes buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1471215116Sdes error("%s: critical option data invalid", __func__); 1472204917Sdes goto out; 1473204917Sdes } 1474204917Sdes } 1475204917Sdes buffer_clear(&tmp); 1476204917Sdes 1477215116Sdes buffer_append(&key->cert->extensions, exts, elen); 1478215116Sdes buffer_append(&tmp, exts, elen); 1479215116Sdes /* validate structure */ 1480215116Sdes while (buffer_len(&tmp) != 0) { 1481215116Sdes if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1482215116Sdes buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1483215116Sdes error("%s: extension data invalid", __func__); 1484215116Sdes goto out; 1485215116Sdes } 1486215116Sdes } 1487215116Sdes buffer_clear(&tmp); 1488215116Sdes 1489262566Sdes if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0)) 1490262566Sdes == NULL) { 1491204917Sdes error("%s: Signature key invalid", __func__); 1492204917Sdes goto out; 1493204917Sdes } 1494262566Sdes if (!key_type_is_valid_ca(key->cert->signature_key->type)) { 1495204917Sdes error("%s: Invalid signature key type %s (%d)", __func__, 1496204917Sdes key_type(key->cert->signature_key), 1497204917Sdes key->cert->signature_key->type); 1498204917Sdes goto out; 1499204917Sdes } 1500204917Sdes 1501204917Sdes switch (key_verify(key->cert->signature_key, sig, slen, 1502204917Sdes buffer_ptr(&key->cert->certblob), signed_len)) { 1503204917Sdes case 1: 1504204917Sdes ret = 0; 1505204917Sdes break; /* Good signature */ 1506204917Sdes case 0: 1507204917Sdes error("%s: Invalid signature on certificate", __func__); 1508204917Sdes goto out; 1509204917Sdes case -1: 1510204917Sdes error("%s: Certificate signature verification failed", 1511204917Sdes __func__); 1512204917Sdes goto out; 1513204917Sdes } 1514204917Sdes 1515204917Sdes out: 1516204917Sdes buffer_free(&tmp); 1517255767Sdes free(principals); 1518255767Sdes free(critical); 1519255767Sdes free(exts); 1520255767Sdes free(sig_key); 1521255767Sdes free(sig); 1522204917Sdes return ret; 1523204917Sdes} 1524204917Sdes 1525262566Sdesstatic Key * 1526262566Sdeskey_from_blob2(const u_char *blob, u_int blen, int allow_cert) 152776262Sgreen{ 152876262Sgreen Buffer b; 152976262Sgreen int rlen, type; 1530262566Sdes u_int len; 1531221420Sdes char *ktype = NULL, *curve = NULL; 1532262566Sdes u_char *pk = NULL; 153376262Sgreen Key *key = NULL; 1534221420Sdes#ifdef OPENSSL_HAS_ECC 1535221420Sdes EC_POINT *q = NULL; 1536221420Sdes int nid = -1; 1537221420Sdes#endif 153876262Sgreen 153976262Sgreen#ifdef DEBUG_PK 154076262Sgreen dump_base64(stderr, blob, blen); 154176262Sgreen#endif 154276262Sgreen buffer_init(&b); 154376262Sgreen buffer_append(&b, blob, blen); 1544221420Sdes if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) { 1545147005Sdes error("key_from_blob: can't read key type"); 1546147005Sdes goto out; 1547147005Sdes } 1548147005Sdes 154976262Sgreen type = key_type_from_name(ktype); 1550221420Sdes#ifdef OPENSSL_HAS_ECC 1551221420Sdes if (key_type_plain(type) == KEY_ECDSA) 1552221420Sdes nid = key_ecdsa_nid_from_name(ktype); 1553221420Sdes#endif 1554262566Sdes if (!allow_cert && key_type_is_cert(type)) { 1555262566Sdes error("key_from_blob: certificate not allowed in this context"); 1556262566Sdes goto out; 1557262566Sdes } 155892559Sdes switch (type) { 1559215116Sdes case KEY_RSA_CERT: 1560215116Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1561215116Sdes /* FALLTHROUGH */ 156276262Sgreen case KEY_RSA: 1563215116Sdes case KEY_RSA_CERT_V00: 156476262Sgreen key = key_new(type); 1565147005Sdes if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1566147005Sdes buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1567147005Sdes error("key_from_blob: can't read rsa key"); 1568204917Sdes badkey: 1569147005Sdes key_free(key); 1570147005Sdes key = NULL; 1571147005Sdes goto out; 1572147005Sdes } 157376262Sgreen#ifdef DEBUG_PK 157476262Sgreen RSA_print_fp(stderr, key->rsa, 8); 157576262Sgreen#endif 157676262Sgreen break; 1577215116Sdes case KEY_DSA_CERT: 1578215116Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1579215116Sdes /* FALLTHROUGH */ 158076262Sgreen case KEY_DSA: 1581215116Sdes case KEY_DSA_CERT_V00: 158276262Sgreen key = key_new(type); 1583147005Sdes if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1584147005Sdes buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1585147005Sdes buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1586147005Sdes buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1587147005Sdes error("key_from_blob: can't read dsa key"); 1588204917Sdes goto badkey; 1589147005Sdes } 159076262Sgreen#ifdef DEBUG_PK 159176262Sgreen DSA_print_fp(stderr, key->dsa, 8); 159276262Sgreen#endif 159376262Sgreen break; 1594221420Sdes#ifdef OPENSSL_HAS_ECC 1595221420Sdes case KEY_ECDSA_CERT: 1596221420Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1597221420Sdes /* FALLTHROUGH */ 1598221420Sdes case KEY_ECDSA: 1599221420Sdes key = key_new(type); 1600221420Sdes key->ecdsa_nid = nid; 1601221420Sdes if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) { 1602221420Sdes error("key_from_blob: can't read ecdsa curve"); 1603221420Sdes goto badkey; 1604221420Sdes } 1605221420Sdes if (key->ecdsa_nid != key_curve_name_to_nid(curve)) { 1606221420Sdes error("key_from_blob: ecdsa curve doesn't match type"); 1607221420Sdes goto badkey; 1608221420Sdes } 1609221420Sdes if (key->ecdsa != NULL) 1610221420Sdes EC_KEY_free(key->ecdsa); 1611221420Sdes if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1612221420Sdes == NULL) 1613221420Sdes fatal("key_from_blob: EC_KEY_new_by_curve_name failed"); 1614221420Sdes if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) 1615221420Sdes fatal("key_from_blob: EC_POINT_new failed"); 1616221420Sdes if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa), 1617221420Sdes q) == -1) { 1618221420Sdes error("key_from_blob: can't read ecdsa key point"); 1619221420Sdes goto badkey; 1620221420Sdes } 1621221420Sdes if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1622221420Sdes q) != 0) 1623221420Sdes goto badkey; 1624221420Sdes if (EC_KEY_set_public_key(key->ecdsa, q) != 1) 1625221420Sdes fatal("key_from_blob: EC_KEY_set_public_key failed"); 1626221420Sdes#ifdef DEBUG_PK 1627221420Sdes key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1628221420Sdes#endif 1629221420Sdes break; 1630221420Sdes#endif /* OPENSSL_HAS_ECC */ 1631262566Sdes case KEY_ED25519_CERT: 1632262566Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1633262566Sdes /* FALLTHROUGH */ 1634262566Sdes case KEY_ED25519: 1635262566Sdes if ((pk = buffer_get_string_ret(&b, &len)) == NULL) { 1636262566Sdes error("key_from_blob: can't read ed25519 key"); 1637262566Sdes goto badkey; 1638262566Sdes } 1639262566Sdes if (len != ED25519_PK_SZ) { 1640262566Sdes error("key_from_blob: ed25519 len %d != %d", 1641262566Sdes len, ED25519_PK_SZ); 1642262566Sdes goto badkey; 1643262566Sdes } 1644262566Sdes key = key_new(type); 1645262566Sdes key->ed25519_pk = pk; 1646262566Sdes pk = NULL; 1647262566Sdes break; 164876262Sgreen case KEY_UNSPEC: 164976262Sgreen key = key_new(type); 165076262Sgreen break; 165176262Sgreen default: 165276262Sgreen error("key_from_blob: cannot handle type %s", ktype); 1653147005Sdes goto out; 165476262Sgreen } 1655204917Sdes if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) { 1656204917Sdes error("key_from_blob: can't parse cert data"); 1657204917Sdes goto badkey; 1658204917Sdes } 165976262Sgreen rlen = buffer_len(&b); 166076262Sgreen if (key != NULL && rlen != 0) 166176262Sgreen error("key_from_blob: remaining bytes in key blob %d", rlen); 1662147005Sdes out: 1663255767Sdes free(ktype); 1664255767Sdes free(curve); 1665262566Sdes free(pk); 1666221420Sdes#ifdef OPENSSL_HAS_ECC 1667221420Sdes if (q != NULL) 1668221420Sdes EC_POINT_free(q); 1669221420Sdes#endif 167076262Sgreen buffer_free(&b); 167176262Sgreen return key; 167276262Sgreen} 167376262Sgreen 1674262566SdesKey * 1675262566Sdeskey_from_blob(const u_char *blob, u_int blen) 1676262566Sdes{ 1677262566Sdes return key_from_blob2(blob, blen, 1); 1678262566Sdes} 1679262566Sdes 1680248619Sdesstatic int 1681248619Sdesto_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) 168276262Sgreen{ 168376262Sgreen Buffer b; 1684248619Sdes int len, type; 168576262Sgreen 1686262566Sdes if (blobp != NULL) 1687262566Sdes *blobp = NULL; 1688262566Sdes if (lenp != NULL) 1689262566Sdes *lenp = 0; 169076262Sgreen if (key == NULL) { 169176262Sgreen error("key_to_blob: key == NULL"); 169276262Sgreen return 0; 169376262Sgreen } 169476262Sgreen buffer_init(&b); 1695248619Sdes type = force_plain ? key_type_plain(key->type) : key->type; 1696248619Sdes switch (type) { 1697215116Sdes case KEY_DSA_CERT_V00: 1698215116Sdes case KEY_RSA_CERT_V00: 1699204917Sdes case KEY_DSA_CERT: 1700221420Sdes case KEY_ECDSA_CERT: 1701204917Sdes case KEY_RSA_CERT: 1702262566Sdes case KEY_ED25519_CERT: 1703204917Sdes /* Use the existing blob */ 1704204917Sdes buffer_append(&b, buffer_ptr(&key->cert->certblob), 1705204917Sdes buffer_len(&key->cert->certblob)); 1706204917Sdes break; 170776262Sgreen case KEY_DSA: 1708248619Sdes buffer_put_cstring(&b, 1709248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 171076262Sgreen buffer_put_bignum2(&b, key->dsa->p); 171176262Sgreen buffer_put_bignum2(&b, key->dsa->q); 171276262Sgreen buffer_put_bignum2(&b, key->dsa->g); 171376262Sgreen buffer_put_bignum2(&b, key->dsa->pub_key); 171476262Sgreen break; 1715221420Sdes#ifdef OPENSSL_HAS_ECC 1716221420Sdes case KEY_ECDSA: 1717248619Sdes buffer_put_cstring(&b, 1718248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 1719221420Sdes buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); 1720221420Sdes buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), 1721221420Sdes EC_KEY_get0_public_key(key->ecdsa)); 1722221420Sdes break; 1723221420Sdes#endif 172476262Sgreen case KEY_RSA: 1725248619Sdes buffer_put_cstring(&b, 1726248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 172776262Sgreen buffer_put_bignum2(&b, key->rsa->e); 172876262Sgreen buffer_put_bignum2(&b, key->rsa->n); 172976262Sgreen break; 1730262566Sdes case KEY_ED25519: 1731262566Sdes buffer_put_cstring(&b, 1732262566Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 1733262566Sdes buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ); 1734262566Sdes break; 173576262Sgreen default: 173692559Sdes error("key_to_blob: unsupported key type %d", key->type); 173792559Sdes buffer_free(&b); 173892559Sdes return 0; 173976262Sgreen } 174076262Sgreen len = buffer_len(&b); 1741106130Sdes if (lenp != NULL) 1742106130Sdes *lenp = len; 1743106130Sdes if (blobp != NULL) { 1744106130Sdes *blobp = xmalloc(len); 1745106130Sdes memcpy(*blobp, buffer_ptr(&b), len); 1746106130Sdes } 1747264377Sdes explicit_bzero(buffer_ptr(&b), len); 174876262Sgreen buffer_free(&b); 174976262Sgreen return len; 175076262Sgreen} 175176262Sgreen 175276262Sgreenint 1753248619Sdeskey_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1754248619Sdes{ 1755248619Sdes return to_blob(key, blobp, lenp, 0); 1756248619Sdes} 1757248619Sdes 1758248619Sdesint 175976262Sgreenkey_sign( 1760126277Sdes const Key *key, 176192559Sdes u_char **sigp, u_int *lenp, 1762126277Sdes const u_char *data, u_int datalen) 176376262Sgreen{ 176492559Sdes switch (key->type) { 1765215116Sdes case KEY_DSA_CERT_V00: 1766204917Sdes case KEY_DSA_CERT: 176776262Sgreen case KEY_DSA: 176876262Sgreen return ssh_dss_sign(key, sigp, lenp, data, datalen); 1769221420Sdes#ifdef OPENSSL_HAS_ECC 1770221420Sdes case KEY_ECDSA_CERT: 1771221420Sdes case KEY_ECDSA: 1772221420Sdes return ssh_ecdsa_sign(key, sigp, lenp, data, datalen); 1773221420Sdes#endif 1774215116Sdes case KEY_RSA_CERT_V00: 1775204917Sdes case KEY_RSA_CERT: 177676262Sgreen case KEY_RSA: 177776262Sgreen return ssh_rsa_sign(key, sigp, lenp, data, datalen); 1778262566Sdes case KEY_ED25519: 1779262566Sdes case KEY_ED25519_CERT: 1780262566Sdes return ssh_ed25519_sign(key, sigp, lenp, data, datalen); 178176262Sgreen default: 1782137019Sdes error("key_sign: invalid key type %d", key->type); 178376262Sgreen return -1; 178476262Sgreen } 178576262Sgreen} 178676262Sgreen 178798684Sdes/* 178898684Sdes * key_verify returns 1 for a correct signature, 0 for an incorrect signature 178998684Sdes * and -1 on error. 179098684Sdes */ 179176262Sgreenint 179276262Sgreenkey_verify( 1793126277Sdes const Key *key, 1794126277Sdes const u_char *signature, u_int signaturelen, 1795126277Sdes const u_char *data, u_int datalen) 179676262Sgreen{ 179792559Sdes if (signaturelen == 0) 179892559Sdes return -1; 179992559Sdes 180092559Sdes switch (key->type) { 1801215116Sdes case KEY_DSA_CERT_V00: 1802204917Sdes case KEY_DSA_CERT: 180376262Sgreen case KEY_DSA: 180476262Sgreen return ssh_dss_verify(key, signature, signaturelen, data, datalen); 1805221420Sdes#ifdef OPENSSL_HAS_ECC 1806221420Sdes case KEY_ECDSA_CERT: 1807221420Sdes case KEY_ECDSA: 1808221420Sdes return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen); 1809221420Sdes#endif 1810215116Sdes case KEY_RSA_CERT_V00: 1811204917Sdes case KEY_RSA_CERT: 181276262Sgreen case KEY_RSA: 181376262Sgreen return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 1814262566Sdes case KEY_ED25519: 1815262566Sdes case KEY_ED25519_CERT: 1816262566Sdes return ssh_ed25519_verify(key, signature, signaturelen, data, datalen); 181776262Sgreen default: 1818137019Sdes error("key_verify: invalid key type %d", key->type); 181976262Sgreen return -1; 182076262Sgreen } 182176262Sgreen} 182298684Sdes 182398684Sdes/* Converts a private to a public key */ 182498684SdesKey * 1825126277Sdeskey_demote(const Key *k) 182698684Sdes{ 182798684Sdes Key *pk; 182898684Sdes 1829162856Sdes pk = xcalloc(1, sizeof(*pk)); 183098684Sdes pk->type = k->type; 183198684Sdes pk->flags = k->flags; 1832221420Sdes pk->ecdsa_nid = k->ecdsa_nid; 183398684Sdes pk->dsa = NULL; 1834221420Sdes pk->ecdsa = NULL; 183598684Sdes pk->rsa = NULL; 1836262566Sdes pk->ed25519_pk = NULL; 1837262566Sdes pk->ed25519_sk = NULL; 183898684Sdes 183998684Sdes switch (k->type) { 1840215116Sdes case KEY_RSA_CERT_V00: 1841204917Sdes case KEY_RSA_CERT: 1842204917Sdes key_cert_copy(k, pk); 1843204917Sdes /* FALLTHROUGH */ 184498684Sdes case KEY_RSA1: 184598684Sdes case KEY_RSA: 184698684Sdes if ((pk->rsa = RSA_new()) == NULL) 184798684Sdes fatal("key_demote: RSA_new failed"); 184898684Sdes if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 184998684Sdes fatal("key_demote: BN_dup failed"); 185098684Sdes if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 185198684Sdes fatal("key_demote: BN_dup failed"); 185298684Sdes break; 1853215116Sdes case KEY_DSA_CERT_V00: 1854204917Sdes case KEY_DSA_CERT: 1855204917Sdes key_cert_copy(k, pk); 1856204917Sdes /* FALLTHROUGH */ 185798684Sdes case KEY_DSA: 185898684Sdes if ((pk->dsa = DSA_new()) == NULL) 185998684Sdes fatal("key_demote: DSA_new failed"); 186098684Sdes if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 186198684Sdes fatal("key_demote: BN_dup failed"); 186298684Sdes if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) 186398684Sdes fatal("key_demote: BN_dup failed"); 186498684Sdes if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL) 186598684Sdes fatal("key_demote: BN_dup failed"); 186698684Sdes if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) 186798684Sdes fatal("key_demote: BN_dup failed"); 186898684Sdes break; 1869221420Sdes#ifdef OPENSSL_HAS_ECC 1870221420Sdes case KEY_ECDSA_CERT: 1871221420Sdes key_cert_copy(k, pk); 1872221420Sdes /* FALLTHROUGH */ 1873221420Sdes case KEY_ECDSA: 1874221420Sdes if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL) 1875221420Sdes fatal("key_demote: EC_KEY_new_by_curve_name failed"); 1876221420Sdes if (EC_KEY_set_public_key(pk->ecdsa, 1877221420Sdes EC_KEY_get0_public_key(k->ecdsa)) != 1) 1878221420Sdes fatal("key_demote: EC_KEY_set_public_key failed"); 1879221420Sdes break; 1880221420Sdes#endif 1881262566Sdes case KEY_ED25519_CERT: 1882262566Sdes key_cert_copy(k, pk); 1883262566Sdes /* FALLTHROUGH */ 1884262566Sdes case KEY_ED25519: 1885262566Sdes if (k->ed25519_pk != NULL) { 1886262566Sdes pk->ed25519_pk = xmalloc(ED25519_PK_SZ); 1887262566Sdes memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); 1888262566Sdes } 1889262566Sdes break; 189098684Sdes default: 1891262566Sdes fatal("key_demote: bad key type %d", k->type); 189298684Sdes break; 189398684Sdes } 189498684Sdes 189598684Sdes return (pk); 189698684Sdes} 1897204917Sdes 1898204917Sdesint 1899204917Sdeskey_is_cert(const Key *k) 1900204917Sdes{ 1901215116Sdes if (k == NULL) 1902215116Sdes return 0; 1903262566Sdes return key_type_is_cert(k->type); 1904204917Sdes} 1905204917Sdes 1906204917Sdes/* Return the cert-less equivalent to a certified key type */ 1907204917Sdesint 1908204917Sdeskey_type_plain(int type) 1909204917Sdes{ 1910204917Sdes switch (type) { 1911215116Sdes case KEY_RSA_CERT_V00: 1912204917Sdes case KEY_RSA_CERT: 1913204917Sdes return KEY_RSA; 1914215116Sdes case KEY_DSA_CERT_V00: 1915204917Sdes case KEY_DSA_CERT: 1916204917Sdes return KEY_DSA; 1917221420Sdes case KEY_ECDSA_CERT: 1918221420Sdes return KEY_ECDSA; 1919262566Sdes case KEY_ED25519_CERT: 1920262566Sdes return KEY_ED25519; 1921204917Sdes default: 1922204917Sdes return type; 1923204917Sdes } 1924204917Sdes} 1925204917Sdes 1926262566Sdes/* Convert a plain key to their _CERT equivalent */ 1927204917Sdesint 1928215116Sdeskey_to_certified(Key *k, int legacy) 1929204917Sdes{ 1930204917Sdes switch (k->type) { 1931204917Sdes case KEY_RSA: 1932204917Sdes k->cert = cert_new(); 1933215116Sdes k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 1934204917Sdes return 0; 1935204917Sdes case KEY_DSA: 1936204917Sdes k->cert = cert_new(); 1937215116Sdes k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 1938204917Sdes return 0; 1939221420Sdes case KEY_ECDSA: 1940226046Sdes if (legacy) 1941226046Sdes fatal("%s: legacy ECDSA certificates are not supported", 1942226046Sdes __func__); 1943221420Sdes k->cert = cert_new(); 1944221420Sdes k->type = KEY_ECDSA_CERT; 1945221420Sdes return 0; 1946262566Sdes case KEY_ED25519: 1947262566Sdes if (legacy) 1948262566Sdes fatal("%s: legacy ED25519 certificates are not " 1949262566Sdes "supported", __func__); 1950262566Sdes k->cert = cert_new(); 1951262566Sdes k->type = KEY_ED25519_CERT; 1952262566Sdes return 0; 1953204917Sdes default: 1954204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 1955204917Sdes return -1; 1956204917Sdes } 1957204917Sdes} 1958204917Sdes 1959262566Sdes/* Convert a certificate to its raw key equivalent */ 1960204917Sdesint 1961204917Sdeskey_drop_cert(Key *k) 1962204917Sdes{ 1963262566Sdes if (!key_type_is_cert(k->type)) { 1964204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 1965204917Sdes return -1; 1966204917Sdes } 1967262566Sdes cert_free(k->cert); 1968262566Sdes k->cert = NULL; 1969262566Sdes k->type = key_type_plain(k->type); 1970262566Sdes return 0; 1971204917Sdes} 1972204917Sdes 1973262566Sdes/* Sign a certified key, (re-)generating the signed certblob. */ 1974204917Sdesint 1975204917Sdeskey_certify(Key *k, Key *ca) 1976204917Sdes{ 1977204917Sdes Buffer principals; 1978204917Sdes u_char *ca_blob, *sig_blob, nonce[32]; 1979204917Sdes u_int i, ca_len, sig_len; 1980204917Sdes 1981204917Sdes if (k->cert == NULL) { 1982204917Sdes error("%s: key lacks cert info", __func__); 1983204917Sdes return -1; 1984204917Sdes } 1985204917Sdes 1986204917Sdes if (!key_is_cert(k)) { 1987204917Sdes error("%s: certificate has unknown type %d", __func__, 1988204917Sdes k->cert->type); 1989204917Sdes return -1; 1990204917Sdes } 1991204917Sdes 1992262566Sdes if (!key_type_is_valid_ca(ca->type)) { 1993204917Sdes error("%s: CA key has unsupported type %s", __func__, 1994204917Sdes key_type(ca)); 1995204917Sdes return -1; 1996204917Sdes } 1997204917Sdes 1998204917Sdes key_to_blob(ca, &ca_blob, &ca_len); 1999204917Sdes 2000204917Sdes buffer_clear(&k->cert->certblob); 2001204917Sdes buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 2002204917Sdes 2003215116Sdes /* -v01 certs put nonce first */ 2004221420Sdes arc4random_buf(&nonce, sizeof(nonce)); 2005221420Sdes if (!key_cert_is_legacy(k)) 2006215116Sdes buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 2007215116Sdes 2008262566Sdes /* XXX this substantially duplicates to_blob(); refactor */ 2009204917Sdes switch (k->type) { 2010215116Sdes case KEY_DSA_CERT_V00: 2011204917Sdes case KEY_DSA_CERT: 2012204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 2013204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 2014204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 2015204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 2016204917Sdes break; 2017221420Sdes#ifdef OPENSSL_HAS_ECC 2018221420Sdes case KEY_ECDSA_CERT: 2019221420Sdes buffer_put_cstring(&k->cert->certblob, 2020221420Sdes key_curve_nid_to_name(k->ecdsa_nid)); 2021221420Sdes buffer_put_ecpoint(&k->cert->certblob, 2022221420Sdes EC_KEY_get0_group(k->ecdsa), 2023221420Sdes EC_KEY_get0_public_key(k->ecdsa)); 2024221420Sdes break; 2025221420Sdes#endif 2026215116Sdes case KEY_RSA_CERT_V00: 2027204917Sdes case KEY_RSA_CERT: 2028204917Sdes buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 2029204917Sdes buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 2030204917Sdes break; 2031262566Sdes case KEY_ED25519_CERT: 2032262566Sdes buffer_put_string(&k->cert->certblob, 2033262566Sdes k->ed25519_pk, ED25519_PK_SZ); 2034262566Sdes break; 2035204917Sdes default: 2036204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 2037204917Sdes buffer_clear(&k->cert->certblob); 2038255767Sdes free(ca_blob); 2039204917Sdes return -1; 2040204917Sdes } 2041204917Sdes 2042215116Sdes /* -v01 certs have a serial number next */ 2043221420Sdes if (!key_cert_is_legacy(k)) 2044215116Sdes buffer_put_int64(&k->cert->certblob, k->cert->serial); 2045215116Sdes 2046204917Sdes buffer_put_int(&k->cert->certblob, k->cert->type); 2047204917Sdes buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 2048204917Sdes 2049204917Sdes buffer_init(&principals); 2050204917Sdes for (i = 0; i < k->cert->nprincipals; i++) 2051204917Sdes buffer_put_cstring(&principals, k->cert->principals[i]); 2052204917Sdes buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 2053204917Sdes buffer_len(&principals)); 2054204917Sdes buffer_free(&principals); 2055204917Sdes 2056204917Sdes buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 2057204917Sdes buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 2058204917Sdes buffer_put_string(&k->cert->certblob, 2059215116Sdes buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical)); 2060204917Sdes 2061215116Sdes /* -v01 certs have non-critical options here */ 2062221420Sdes if (!key_cert_is_legacy(k)) { 2063215116Sdes buffer_put_string(&k->cert->certblob, 2064215116Sdes buffer_ptr(&k->cert->extensions), 2065215116Sdes buffer_len(&k->cert->extensions)); 2066215116Sdes } 2067215116Sdes 2068215116Sdes /* -v00 certs put the nonce at the end */ 2069221420Sdes if (key_cert_is_legacy(k)) 2070215116Sdes buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 2071215116Sdes 2072204917Sdes buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 2073204917Sdes buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 2074255767Sdes free(ca_blob); 2075204917Sdes 2076204917Sdes /* Sign the whole mess */ 2077204917Sdes if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 2078204917Sdes buffer_len(&k->cert->certblob)) != 0) { 2079204917Sdes error("%s: signature operation failed", __func__); 2080204917Sdes buffer_clear(&k->cert->certblob); 2081204917Sdes return -1; 2082204917Sdes } 2083204917Sdes /* Append signature and we are done */ 2084204917Sdes buffer_put_string(&k->cert->certblob, sig_blob, sig_len); 2085255767Sdes free(sig_blob); 2086204917Sdes 2087204917Sdes return 0; 2088204917Sdes} 2089204917Sdes 2090204917Sdesint 2091204917Sdeskey_cert_check_authority(const Key *k, int want_host, int require_principal, 2092204917Sdes const char *name, const char **reason) 2093204917Sdes{ 2094204917Sdes u_int i, principal_matches; 2095204917Sdes time_t now = time(NULL); 2096204917Sdes 2097204917Sdes if (want_host) { 2098204917Sdes if (k->cert->type != SSH2_CERT_TYPE_HOST) { 2099204917Sdes *reason = "Certificate invalid: not a host certificate"; 2100204917Sdes return -1; 2101204917Sdes } 2102204917Sdes } else { 2103204917Sdes if (k->cert->type != SSH2_CERT_TYPE_USER) { 2104204917Sdes *reason = "Certificate invalid: not a user certificate"; 2105204917Sdes return -1; 2106204917Sdes } 2107204917Sdes } 2108204917Sdes if (now < 0) { 2109204917Sdes error("%s: system clock lies before epoch", __func__); 2110204917Sdes *reason = "Certificate invalid: not yet valid"; 2111204917Sdes return -1; 2112204917Sdes } 2113204917Sdes if ((u_int64_t)now < k->cert->valid_after) { 2114204917Sdes *reason = "Certificate invalid: not yet valid"; 2115204917Sdes return -1; 2116204917Sdes } 2117204917Sdes if ((u_int64_t)now >= k->cert->valid_before) { 2118204917Sdes *reason = "Certificate invalid: expired"; 2119204917Sdes return -1; 2120204917Sdes } 2121204917Sdes if (k->cert->nprincipals == 0) { 2122204917Sdes if (require_principal) { 2123204917Sdes *reason = "Certificate lacks principal list"; 2124204917Sdes return -1; 2125204917Sdes } 2126215116Sdes } else if (name != NULL) { 2127204917Sdes principal_matches = 0; 2128204917Sdes for (i = 0; i < k->cert->nprincipals; i++) { 2129204917Sdes if (strcmp(name, k->cert->principals[i]) == 0) { 2130204917Sdes principal_matches = 1; 2131204917Sdes break; 2132204917Sdes } 2133204917Sdes } 2134204917Sdes if (!principal_matches) { 2135204917Sdes *reason = "Certificate invalid: name is not a listed " 2136204917Sdes "principal"; 2137204917Sdes return -1; 2138204917Sdes } 2139204917Sdes } 2140204917Sdes return 0; 2141204917Sdes} 2142215116Sdes 2143215116Sdesint 2144248619Sdeskey_cert_is_legacy(const Key *k) 2145215116Sdes{ 2146215116Sdes switch (k->type) { 2147215116Sdes case KEY_DSA_CERT_V00: 2148215116Sdes case KEY_RSA_CERT_V00: 2149215116Sdes return 1; 2150215116Sdes default: 2151215116Sdes return 0; 2152215116Sdes } 2153215116Sdes} 2154221420Sdes 2155221420Sdes/* XXX: these are really begging for a table-driven approach */ 2156221420Sdesint 2157221420Sdeskey_curve_name_to_nid(const char *name) 2158221420Sdes{ 2159221420Sdes#ifdef OPENSSL_HAS_ECC 2160221420Sdes if (strcmp(name, "nistp256") == 0) 2161221420Sdes return NID_X9_62_prime256v1; 2162221420Sdes else if (strcmp(name, "nistp384") == 0) 2163221420Sdes return NID_secp384r1; 2164262566Sdes# ifdef OPENSSL_HAS_NISTP521 2165221420Sdes else if (strcmp(name, "nistp521") == 0) 2166221420Sdes return NID_secp521r1; 2167262566Sdes# endif 2168221420Sdes#endif 2169221420Sdes 2170221420Sdes debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); 2171221420Sdes return -1; 2172221420Sdes} 2173221420Sdes 2174221420Sdesu_int 2175221420Sdeskey_curve_nid_to_bits(int nid) 2176221420Sdes{ 2177221420Sdes switch (nid) { 2178221420Sdes#ifdef OPENSSL_HAS_ECC 2179221420Sdes case NID_X9_62_prime256v1: 2180221420Sdes return 256; 2181221420Sdes case NID_secp384r1: 2182221420Sdes return 384; 2183262566Sdes# ifdef OPENSSL_HAS_NISTP521 2184221420Sdes case NID_secp521r1: 2185221420Sdes return 521; 2186262566Sdes# endif 2187221420Sdes#endif 2188221420Sdes default: 2189221420Sdes error("%s: unsupported EC curve nid %d", __func__, nid); 2190221420Sdes return 0; 2191221420Sdes } 2192221420Sdes} 2193221420Sdes 2194221420Sdesconst char * 2195221420Sdeskey_curve_nid_to_name(int nid) 2196221420Sdes{ 2197221420Sdes#ifdef OPENSSL_HAS_ECC 2198221420Sdes if (nid == NID_X9_62_prime256v1) 2199221420Sdes return "nistp256"; 2200221420Sdes else if (nid == NID_secp384r1) 2201221420Sdes return "nistp384"; 2202262566Sdes# ifdef OPENSSL_HAS_NISTP521 2203221420Sdes else if (nid == NID_secp521r1) 2204221420Sdes return "nistp521"; 2205262566Sdes# endif 2206221420Sdes#endif 2207221420Sdes error("%s: unsupported EC curve nid %d", __func__, nid); 2208221420Sdes return NULL; 2209221420Sdes} 2210221420Sdes 2211221420Sdes#ifdef OPENSSL_HAS_ECC 2212262566Sdesint 2213262566Sdeskey_ec_nid_to_hash_alg(int nid) 2214221420Sdes{ 2215221420Sdes int kbits = key_curve_nid_to_bits(nid); 2216221420Sdes 2217221420Sdes if (kbits == 0) 2218221420Sdes fatal("%s: invalid nid %d", __func__, nid); 2219221420Sdes /* RFC5656 section 6.2.1 */ 2220221420Sdes if (kbits <= 256) 2221262566Sdes return SSH_DIGEST_SHA256; 2222221420Sdes else if (kbits <= 384) 2223262566Sdes return SSH_DIGEST_SHA384; 2224221420Sdes else 2225262566Sdes return SSH_DIGEST_SHA512; 2226221420Sdes} 2227221420Sdes 2228221420Sdesint 2229221420Sdeskey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2230221420Sdes{ 2231221420Sdes BN_CTX *bnctx; 2232221420Sdes EC_POINT *nq = NULL; 2233221420Sdes BIGNUM *order, *x, *y, *tmp; 2234221420Sdes int ret = -1; 2235221420Sdes 2236221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2237221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2238221420Sdes BN_CTX_start(bnctx); 2239221420Sdes 2240221420Sdes /* 2241221420Sdes * We shouldn't ever hit this case because bignum_get_ecpoint() 2242221420Sdes * refuses to load GF2m points. 2243221420Sdes */ 2244221420Sdes if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2245221420Sdes NID_X9_62_prime_field) { 2246221420Sdes error("%s: group is not a prime field", __func__); 2247221420Sdes goto out; 2248221420Sdes } 2249221420Sdes 2250221420Sdes /* Q != infinity */ 2251221420Sdes if (EC_POINT_is_at_infinity(group, public)) { 2252221420Sdes error("%s: received degenerate public key (infinity)", 2253221420Sdes __func__); 2254221420Sdes goto out; 2255221420Sdes } 2256221420Sdes 2257221420Sdes if ((x = BN_CTX_get(bnctx)) == NULL || 2258221420Sdes (y = BN_CTX_get(bnctx)) == NULL || 2259221420Sdes (order = BN_CTX_get(bnctx)) == NULL || 2260221420Sdes (tmp = BN_CTX_get(bnctx)) == NULL) 2261221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2262221420Sdes 2263221420Sdes /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2264221420Sdes if (EC_GROUP_get_order(group, order, bnctx) != 1) 2265221420Sdes fatal("%s: EC_GROUP_get_order failed", __func__); 2266221420Sdes if (EC_POINT_get_affine_coordinates_GFp(group, public, 2267221420Sdes x, y, bnctx) != 1) 2268221420Sdes fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2269221420Sdes if (BN_num_bits(x) <= BN_num_bits(order) / 2) { 2270221420Sdes error("%s: public key x coordinate too small: " 2271221420Sdes "bits(x) = %d, bits(order)/2 = %d", __func__, 2272221420Sdes BN_num_bits(x), BN_num_bits(order) / 2); 2273221420Sdes goto out; 2274221420Sdes } 2275221420Sdes if (BN_num_bits(y) <= BN_num_bits(order) / 2) { 2276221420Sdes error("%s: public key y coordinate too small: " 2277221420Sdes "bits(y) = %d, bits(order)/2 = %d", __func__, 2278221420Sdes BN_num_bits(x), BN_num_bits(order) / 2); 2279221420Sdes goto out; 2280221420Sdes } 2281221420Sdes 2282221420Sdes /* nQ == infinity (n == order of subgroup) */ 2283221420Sdes if ((nq = EC_POINT_new(group)) == NULL) 2284221420Sdes fatal("%s: BN_CTX_tmp failed", __func__); 2285221420Sdes if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) 2286221420Sdes fatal("%s: EC_GROUP_mul failed", __func__); 2287221420Sdes if (EC_POINT_is_at_infinity(group, nq) != 1) { 2288221420Sdes error("%s: received degenerate public key (nQ != infinity)", 2289221420Sdes __func__); 2290221420Sdes goto out; 2291221420Sdes } 2292221420Sdes 2293221420Sdes /* x < order - 1, y < order - 1 */ 2294221420Sdes if (!BN_sub(tmp, order, BN_value_one())) 2295221420Sdes fatal("%s: BN_sub failed", __func__); 2296221420Sdes if (BN_cmp(x, tmp) >= 0) { 2297221420Sdes error("%s: public key x coordinate >= group order - 1", 2298221420Sdes __func__); 2299221420Sdes goto out; 2300221420Sdes } 2301221420Sdes if (BN_cmp(y, tmp) >= 0) { 2302221420Sdes error("%s: public key y coordinate >= group order - 1", 2303221420Sdes __func__); 2304221420Sdes goto out; 2305221420Sdes } 2306221420Sdes ret = 0; 2307221420Sdes out: 2308221420Sdes BN_CTX_free(bnctx); 2309221420Sdes EC_POINT_free(nq); 2310221420Sdes return ret; 2311221420Sdes} 2312221420Sdes 2313221420Sdesint 2314221420Sdeskey_ec_validate_private(const EC_KEY *key) 2315221420Sdes{ 2316221420Sdes BN_CTX *bnctx; 2317221420Sdes BIGNUM *order, *tmp; 2318221420Sdes int ret = -1; 2319221420Sdes 2320221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2321221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2322221420Sdes BN_CTX_start(bnctx); 2323221420Sdes 2324221420Sdes if ((order = BN_CTX_get(bnctx)) == NULL || 2325221420Sdes (tmp = BN_CTX_get(bnctx)) == NULL) 2326221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2327221420Sdes 2328221420Sdes /* log2(private) > log2(order)/2 */ 2329221420Sdes if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) 2330221420Sdes fatal("%s: EC_GROUP_get_order failed", __func__); 2331221420Sdes if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2332221420Sdes BN_num_bits(order) / 2) { 2333221420Sdes error("%s: private key too small: " 2334221420Sdes "bits(y) = %d, bits(order)/2 = %d", __func__, 2335221420Sdes BN_num_bits(EC_KEY_get0_private_key(key)), 2336221420Sdes BN_num_bits(order) / 2); 2337221420Sdes goto out; 2338221420Sdes } 2339221420Sdes 2340221420Sdes /* private < order - 1 */ 2341221420Sdes if (!BN_sub(tmp, order, BN_value_one())) 2342221420Sdes fatal("%s: BN_sub failed", __func__); 2343221420Sdes if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) { 2344221420Sdes error("%s: private key >= group order - 1", __func__); 2345221420Sdes goto out; 2346221420Sdes } 2347221420Sdes ret = 0; 2348221420Sdes out: 2349221420Sdes BN_CTX_free(bnctx); 2350221420Sdes return ret; 2351221420Sdes} 2352221420Sdes 2353221420Sdes#if defined(DEBUG_KEXECDH) || defined(DEBUG_PK) 2354221420Sdesvoid 2355221420Sdeskey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2356221420Sdes{ 2357221420Sdes BIGNUM *x, *y; 2358221420Sdes BN_CTX *bnctx; 2359221420Sdes 2360221420Sdes if (point == NULL) { 2361221420Sdes fputs("point=(NULL)\n", stderr); 2362221420Sdes return; 2363221420Sdes } 2364221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2365221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2366221420Sdes BN_CTX_start(bnctx); 2367221420Sdes if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL) 2368221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2369221420Sdes if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2370221420Sdes NID_X9_62_prime_field) 2371221420Sdes fatal("%s: group is not a prime field", __func__); 2372221420Sdes if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1) 2373221420Sdes fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2374221420Sdes fputs("x=", stderr); 2375221420Sdes BN_print_fp(stderr, x); 2376221420Sdes fputs("\ny=", stderr); 2377221420Sdes BN_print_fp(stderr, y); 2378221420Sdes fputs("\n", stderr); 2379221420Sdes BN_CTX_free(bnctx); 2380221420Sdes} 2381221420Sdes 2382221420Sdesvoid 2383221420Sdeskey_dump_ec_key(const EC_KEY *key) 2384221420Sdes{ 2385221420Sdes const BIGNUM *exponent; 2386221420Sdes 2387221420Sdes key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key)); 2388221420Sdes fputs("exponent=", stderr); 2389221420Sdes if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2390221420Sdes fputs("(NULL)", stderr); 2391221420Sdes else 2392221420Sdes BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2393221420Sdes fputs("\n", stderr); 2394221420Sdes} 2395221420Sdes#endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ 2396221420Sdes#endif /* OPENSSL_HAS_ECC */ 2397262566Sdes 2398262566Sdesvoid 2399262566Sdeskey_private_serialize(const Key *key, Buffer *b) 2400262566Sdes{ 2401262566Sdes buffer_put_cstring(b, key_ssh_name(key)); 2402262566Sdes switch (key->type) { 2403262566Sdes case KEY_RSA: 2404262566Sdes buffer_put_bignum2(b, key->rsa->n); 2405262566Sdes buffer_put_bignum2(b, key->rsa->e); 2406262566Sdes buffer_put_bignum2(b, key->rsa->d); 2407262566Sdes buffer_put_bignum2(b, key->rsa->iqmp); 2408262566Sdes buffer_put_bignum2(b, key->rsa->p); 2409262566Sdes buffer_put_bignum2(b, key->rsa->q); 2410262566Sdes break; 2411262566Sdes case KEY_RSA_CERT_V00: 2412262566Sdes case KEY_RSA_CERT: 2413262566Sdes if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) 2414262566Sdes fatal("%s: no cert/certblob", __func__); 2415262566Sdes buffer_put_string(b, buffer_ptr(&key->cert->certblob), 2416262566Sdes buffer_len(&key->cert->certblob)); 2417262566Sdes buffer_put_bignum2(b, key->rsa->d); 2418262566Sdes buffer_put_bignum2(b, key->rsa->iqmp); 2419262566Sdes buffer_put_bignum2(b, key->rsa->p); 2420262566Sdes buffer_put_bignum2(b, key->rsa->q); 2421262566Sdes break; 2422262566Sdes case KEY_DSA: 2423262566Sdes buffer_put_bignum2(b, key->dsa->p); 2424262566Sdes buffer_put_bignum2(b, key->dsa->q); 2425262566Sdes buffer_put_bignum2(b, key->dsa->g); 2426262566Sdes buffer_put_bignum2(b, key->dsa->pub_key); 2427262566Sdes buffer_put_bignum2(b, key->dsa->priv_key); 2428262566Sdes break; 2429262566Sdes case KEY_DSA_CERT_V00: 2430262566Sdes case KEY_DSA_CERT: 2431262566Sdes if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) 2432262566Sdes fatal("%s: no cert/certblob", __func__); 2433262566Sdes buffer_put_string(b, buffer_ptr(&key->cert->certblob), 2434262566Sdes buffer_len(&key->cert->certblob)); 2435262566Sdes buffer_put_bignum2(b, key->dsa->priv_key); 2436262566Sdes break; 2437262566Sdes#ifdef OPENSSL_HAS_ECC 2438262566Sdes case KEY_ECDSA: 2439262566Sdes buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); 2440262566Sdes buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), 2441262566Sdes EC_KEY_get0_public_key(key->ecdsa)); 2442262566Sdes buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); 2443262566Sdes break; 2444262566Sdes case KEY_ECDSA_CERT: 2445262566Sdes if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) 2446262566Sdes fatal("%s: no cert/certblob", __func__); 2447262566Sdes buffer_put_string(b, buffer_ptr(&key->cert->certblob), 2448262566Sdes buffer_len(&key->cert->certblob)); 2449262566Sdes buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); 2450262566Sdes break; 2451262566Sdes#endif /* OPENSSL_HAS_ECC */ 2452262566Sdes case KEY_ED25519: 2453262566Sdes buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); 2454262566Sdes buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); 2455262566Sdes break; 2456262566Sdes case KEY_ED25519_CERT: 2457262566Sdes if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) 2458262566Sdes fatal("%s: no cert/certblob", __func__); 2459262566Sdes buffer_put_string(b, buffer_ptr(&key->cert->certblob), 2460262566Sdes buffer_len(&key->cert->certblob)); 2461262566Sdes buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); 2462262566Sdes buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); 2463262566Sdes break; 2464262566Sdes } 2465262566Sdes} 2466262566Sdes 2467262566SdesKey * 2468262566Sdeskey_private_deserialize(Buffer *blob) 2469262566Sdes{ 2470262566Sdes char *type_name; 2471262566Sdes Key *k = NULL; 2472262566Sdes u_char *cert; 2473262566Sdes u_int len, pklen, sklen; 2474262566Sdes int type; 2475262566Sdes#ifdef OPENSSL_HAS_ECC 2476262566Sdes char *curve; 2477262566Sdes BIGNUM *exponent; 2478262566Sdes EC_POINT *q; 2479262566Sdes#endif 2480262566Sdes 2481262566Sdes type_name = buffer_get_string(blob, NULL); 2482262566Sdes type = key_type_from_name(type_name); 2483262566Sdes switch (type) { 2484262566Sdes case KEY_DSA: 2485262566Sdes k = key_new_private(type); 2486262566Sdes buffer_get_bignum2(blob, k->dsa->p); 2487262566Sdes buffer_get_bignum2(blob, k->dsa->q); 2488262566Sdes buffer_get_bignum2(blob, k->dsa->g); 2489262566Sdes buffer_get_bignum2(blob, k->dsa->pub_key); 2490262566Sdes buffer_get_bignum2(blob, k->dsa->priv_key); 2491262566Sdes break; 2492262566Sdes case KEY_DSA_CERT_V00: 2493262566Sdes case KEY_DSA_CERT: 2494262566Sdes cert = buffer_get_string(blob, &len); 2495262566Sdes if ((k = key_from_blob(cert, len)) == NULL) 2496262566Sdes fatal("Certificate parse failed"); 2497262566Sdes free(cert); 2498262566Sdes key_add_private(k); 2499262566Sdes buffer_get_bignum2(blob, k->dsa->priv_key); 2500262566Sdes break; 2501262566Sdes#ifdef OPENSSL_HAS_ECC 2502262566Sdes case KEY_ECDSA: 2503262566Sdes k = key_new_private(type); 2504262566Sdes k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); 2505262566Sdes curve = buffer_get_string(blob, NULL); 2506262566Sdes if (k->ecdsa_nid != key_curve_name_to_nid(curve)) 2507262566Sdes fatal("%s: curve names mismatch", __func__); 2508262566Sdes free(curve); 2509262566Sdes k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); 2510262566Sdes if (k->ecdsa == NULL) 2511262566Sdes fatal("%s: EC_KEY_new_by_curve_name failed", 2512262566Sdes __func__); 2513262566Sdes q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); 2514262566Sdes if (q == NULL) 2515262566Sdes fatal("%s: BN_new failed", __func__); 2516262566Sdes if ((exponent = BN_new()) == NULL) 2517262566Sdes fatal("%s: BN_new failed", __func__); 2518262566Sdes buffer_get_ecpoint(blob, 2519262566Sdes EC_KEY_get0_group(k->ecdsa), q); 2520262566Sdes buffer_get_bignum2(blob, exponent); 2521262566Sdes if (EC_KEY_set_public_key(k->ecdsa, q) != 1) 2522262566Sdes fatal("%s: EC_KEY_set_public_key failed", 2523262566Sdes __func__); 2524262566Sdes if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) 2525262566Sdes fatal("%s: EC_KEY_set_private_key failed", 2526262566Sdes __func__); 2527262566Sdes if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2528262566Sdes EC_KEY_get0_public_key(k->ecdsa)) != 0) 2529262566Sdes fatal("%s: bad ECDSA public key", __func__); 2530262566Sdes if (key_ec_validate_private(k->ecdsa) != 0) 2531262566Sdes fatal("%s: bad ECDSA private key", __func__); 2532262566Sdes BN_clear_free(exponent); 2533262566Sdes EC_POINT_free(q); 2534262566Sdes break; 2535262566Sdes case KEY_ECDSA_CERT: 2536262566Sdes cert = buffer_get_string(blob, &len); 2537262566Sdes if ((k = key_from_blob(cert, len)) == NULL) 2538262566Sdes fatal("Certificate parse failed"); 2539262566Sdes free(cert); 2540262566Sdes key_add_private(k); 2541262566Sdes if ((exponent = BN_new()) == NULL) 2542262566Sdes fatal("%s: BN_new failed", __func__); 2543262566Sdes buffer_get_bignum2(blob, exponent); 2544262566Sdes if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) 2545262566Sdes fatal("%s: EC_KEY_set_private_key failed", 2546262566Sdes __func__); 2547262566Sdes if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), 2548262566Sdes EC_KEY_get0_public_key(k->ecdsa)) != 0 || 2549262566Sdes key_ec_validate_private(k->ecdsa) != 0) 2550262566Sdes fatal("%s: bad ECDSA key", __func__); 2551262566Sdes BN_clear_free(exponent); 2552262566Sdes break; 2553262566Sdes#endif 2554262566Sdes case KEY_RSA: 2555262566Sdes k = key_new_private(type); 2556262566Sdes buffer_get_bignum2(blob, k->rsa->n); 2557262566Sdes buffer_get_bignum2(blob, k->rsa->e); 2558262566Sdes buffer_get_bignum2(blob, k->rsa->d); 2559262566Sdes buffer_get_bignum2(blob, k->rsa->iqmp); 2560262566Sdes buffer_get_bignum2(blob, k->rsa->p); 2561262566Sdes buffer_get_bignum2(blob, k->rsa->q); 2562262566Sdes 2563262566Sdes /* Generate additional parameters */ 2564262566Sdes rsa_generate_additional_parameters(k->rsa); 2565262566Sdes break; 2566262566Sdes case KEY_RSA_CERT_V00: 2567262566Sdes case KEY_RSA_CERT: 2568262566Sdes cert = buffer_get_string(blob, &len); 2569262566Sdes if ((k = key_from_blob(cert, len)) == NULL) 2570262566Sdes fatal("Certificate parse failed"); 2571262566Sdes free(cert); 2572262566Sdes key_add_private(k); 2573262566Sdes buffer_get_bignum2(blob, k->rsa->d); 2574262566Sdes buffer_get_bignum2(blob, k->rsa->iqmp); 2575262566Sdes buffer_get_bignum2(blob, k->rsa->p); 2576262566Sdes buffer_get_bignum2(blob, k->rsa->q); 2577262566Sdes break; 2578262566Sdes case KEY_ED25519: 2579262566Sdes k = key_new_private(type); 2580262566Sdes k->ed25519_pk = buffer_get_string(blob, &pklen); 2581262566Sdes k->ed25519_sk = buffer_get_string(blob, &sklen); 2582262566Sdes if (pklen != ED25519_PK_SZ) 2583262566Sdes fatal("%s: ed25519 pklen %d != %d", 2584262566Sdes __func__, pklen, ED25519_PK_SZ); 2585262566Sdes if (sklen != ED25519_SK_SZ) 2586262566Sdes fatal("%s: ed25519 sklen %d != %d", 2587262566Sdes __func__, sklen, ED25519_SK_SZ); 2588262566Sdes break; 2589262566Sdes case KEY_ED25519_CERT: 2590262566Sdes cert = buffer_get_string(blob, &len); 2591262566Sdes if ((k = key_from_blob(cert, len)) == NULL) 2592262566Sdes fatal("Certificate parse failed"); 2593262566Sdes free(cert); 2594262566Sdes key_add_private(k); 2595262566Sdes k->ed25519_pk = buffer_get_string(blob, &pklen); 2596262566Sdes k->ed25519_sk = buffer_get_string(blob, &sklen); 2597262566Sdes if (pklen != ED25519_PK_SZ) 2598262566Sdes fatal("%s: ed25519 pklen %d != %d", 2599262566Sdes __func__, pklen, ED25519_PK_SZ); 2600262566Sdes if (sklen != ED25519_SK_SZ) 2601262566Sdes fatal("%s: ed25519 sklen %d != %d", 2602262566Sdes __func__, sklen, ED25519_SK_SZ); 2603262566Sdes break; 2604262566Sdes default: 2605262566Sdes free(type_name); 2606262566Sdes buffer_clear(blob); 2607262566Sdes return NULL; 2608262566Sdes } 2609262566Sdes free(type_name); 2610262566Sdes 2611262566Sdes /* enable blinding */ 2612262566Sdes switch (k->type) { 2613262566Sdes case KEY_RSA: 2614262566Sdes case KEY_RSA_CERT_V00: 2615262566Sdes case KEY_RSA_CERT: 2616262566Sdes case KEY_RSA1: 2617262566Sdes if (RSA_blinding_on(k->rsa, NULL) != 1) { 2618262566Sdes error("%s: RSA_blinding_on failed", __func__); 2619262566Sdes key_free(k); 2620262566Sdes return NULL; 2621262566Sdes } 2622262566Sdes break; 2623262566Sdes } 2624262566Sdes return k; 2625262566Sdes} 2626