key.c revision 255767
1255767Sdes/* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */ 258582Skris/* 365674Skris * read_bignum(): 465674Skris * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 565674Skris * 665674Skris * As far as I am concerned, the code I have written for this software 765674Skris * can be used freely for any purpose. Any derived versions of this 865674Skris * software must be clearly marked as such, and if the derived work is 965674Skris * incompatible with the protocol description in the RFC file, it must be 1065674Skris * called by a name other than "ssh" or "Secure Shell". 1165674Skris * 1265674Skris * 1392559Sdes * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 14181111Sdes * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 1558582Skris * 1658582Skris * Redistribution and use in source and binary forms, with or without 1758582Skris * modification, are permitted provided that the following conditions 1858582Skris * are met: 1958582Skris * 1. Redistributions of source code must retain the above copyright 2058582Skris * notice, this list of conditions and the following disclaimer. 2158582Skris * 2. Redistributions in binary form must reproduce the above copyright 2258582Skris * notice, this list of conditions and the following disclaimer in the 2358582Skris * documentation and/or other materials provided with the distribution. 2458582Skris * 2558582Skris * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 2658582Skris * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 2758582Skris * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 2858582Skris * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 2958582Skris * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 3058582Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 3158582Skris * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 3258582Skris * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 3358582Skris * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 3458582Skris * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 3558582Skris */ 36162856Sdes 3776262Sgreen#include "includes.h" 3858582Skris 39181111Sdes#include <sys/param.h> 40162856Sdes#include <sys/types.h> 41162856Sdes 4258592Skris#include <openssl/evp.h> 43181111Sdes#include <openbsd-compat/openssl-compat.h> 4476262Sgreen 45162856Sdes#include <stdarg.h> 46162856Sdes#include <stdio.h> 47162856Sdes#include <string.h> 48162856Sdes 4958582Skris#include "xmalloc.h" 5058582Skris#include "key.h" 5176262Sgreen#include "rsa.h" 5260576Skris#include "uuencode.h" 5376262Sgreen#include "buffer.h" 5476262Sgreen#include "log.h" 55215116Sdes#include "misc.h" 56204917Sdes#include "ssh2.h" 5758582Skris 58248619Sdesstatic int to_blob(const Key *, u_char **, u_int *, int); 59248619Sdes 60204917Sdesstatic struct KeyCert * 61204917Sdescert_new(void) 62204917Sdes{ 63204917Sdes struct KeyCert *cert; 64204917Sdes 65204917Sdes cert = xcalloc(1, sizeof(*cert)); 66204917Sdes buffer_init(&cert->certblob); 67215116Sdes buffer_init(&cert->critical); 68215116Sdes buffer_init(&cert->extensions); 69204917Sdes cert->key_id = NULL; 70204917Sdes cert->principals = NULL; 71204917Sdes cert->signature_key = NULL; 72204917Sdes return cert; 73204917Sdes} 74204917Sdes 7558582SkrisKey * 7658582Skriskey_new(int type) 7758582Skris{ 7858582Skris Key *k; 7958582Skris RSA *rsa; 8058582Skris DSA *dsa; 81162856Sdes k = xcalloc(1, sizeof(*k)); 8258582Skris k->type = type; 83221420Sdes k->ecdsa = NULL; 84221420Sdes k->ecdsa_nid = -1; 8560576Skris k->dsa = NULL; 8660576Skris k->rsa = NULL; 87204917Sdes k->cert = NULL; 8858582Skris switch (k->type) { 8976262Sgreen case KEY_RSA1: 9058582Skris case KEY_RSA: 91215116Sdes case KEY_RSA_CERT_V00: 92204917Sdes case KEY_RSA_CERT: 9392559Sdes if ((rsa = RSA_new()) == NULL) 9492559Sdes fatal("key_new: RSA_new failed"); 9592559Sdes if ((rsa->n = BN_new()) == NULL) 9692559Sdes fatal("key_new: BN_new failed"); 9792559Sdes if ((rsa->e = BN_new()) == NULL) 9892559Sdes fatal("key_new: BN_new failed"); 9958582Skris k->rsa = rsa; 10058582Skris break; 10158582Skris case KEY_DSA: 102215116Sdes case KEY_DSA_CERT_V00: 103204917Sdes case KEY_DSA_CERT: 10492559Sdes if ((dsa = DSA_new()) == NULL) 10592559Sdes fatal("key_new: DSA_new failed"); 10692559Sdes if ((dsa->p = BN_new()) == NULL) 10792559Sdes fatal("key_new: BN_new failed"); 10892559Sdes if ((dsa->q = BN_new()) == NULL) 10992559Sdes fatal("key_new: BN_new failed"); 11092559Sdes if ((dsa->g = BN_new()) == NULL) 11192559Sdes fatal("key_new: BN_new failed"); 11292559Sdes if ((dsa->pub_key = BN_new()) == NULL) 11392559Sdes fatal("key_new: BN_new failed"); 11458582Skris k->dsa = dsa; 11558582Skris break; 116221420Sdes#ifdef OPENSSL_HAS_ECC 117221420Sdes case KEY_ECDSA: 118221420Sdes case KEY_ECDSA_CERT: 119221420Sdes /* Cannot do anything until we know the group */ 120221420Sdes break; 121221420Sdes#endif 12276262Sgreen case KEY_UNSPEC: 12358582Skris break; 12458582Skris default: 12558582Skris fatal("key_new: bad key type %d", k->type); 12658582Skris break; 12758582Skris } 128204917Sdes 129204917Sdes if (key_is_cert(k)) 130204917Sdes k->cert = cert_new(); 131204917Sdes 13258582Skris return k; 13358582Skris} 13499063Sdes 135204917Sdesvoid 136204917Sdeskey_add_private(Key *k) 13776262Sgreen{ 13876262Sgreen switch (k->type) { 13976262Sgreen case KEY_RSA1: 14076262Sgreen case KEY_RSA: 141215116Sdes case KEY_RSA_CERT_V00: 142204917Sdes case KEY_RSA_CERT: 14392559Sdes if ((k->rsa->d = BN_new()) == NULL) 14492559Sdes fatal("key_new_private: BN_new failed"); 14592559Sdes if ((k->rsa->iqmp = BN_new()) == NULL) 14692559Sdes fatal("key_new_private: BN_new failed"); 14792559Sdes if ((k->rsa->q = BN_new()) == NULL) 14892559Sdes fatal("key_new_private: BN_new failed"); 14992559Sdes if ((k->rsa->p = BN_new()) == NULL) 15092559Sdes fatal("key_new_private: BN_new failed"); 15192559Sdes if ((k->rsa->dmq1 = BN_new()) == NULL) 15292559Sdes fatal("key_new_private: BN_new failed"); 15392559Sdes if ((k->rsa->dmp1 = BN_new()) == NULL) 15492559Sdes fatal("key_new_private: BN_new failed"); 15576262Sgreen break; 15676262Sgreen case KEY_DSA: 157215116Sdes case KEY_DSA_CERT_V00: 158204917Sdes case KEY_DSA_CERT: 15992559Sdes if ((k->dsa->priv_key = BN_new()) == NULL) 16092559Sdes fatal("key_new_private: BN_new failed"); 16176262Sgreen break; 162221420Sdes case KEY_ECDSA: 163221420Sdes case KEY_ECDSA_CERT: 164221420Sdes /* Cannot do anything until we know the group */ 165221420Sdes break; 16676262Sgreen case KEY_UNSPEC: 16776262Sgreen break; 16876262Sgreen default: 16976262Sgreen break; 17076262Sgreen } 171204917Sdes} 172204917Sdes 173204917SdesKey * 174204917Sdeskey_new_private(int type) 175204917Sdes{ 176204917Sdes Key *k = key_new(type); 177204917Sdes 178204917Sdes key_add_private(k); 17976262Sgreen return k; 18076262Sgreen} 18199063Sdes 182204917Sdesstatic void 183204917Sdescert_free(struct KeyCert *cert) 184204917Sdes{ 185204917Sdes u_int i; 186204917Sdes 187204917Sdes buffer_free(&cert->certblob); 188215116Sdes buffer_free(&cert->critical); 189215116Sdes buffer_free(&cert->extensions); 190255767Sdes free(cert->key_id); 191204917Sdes for (i = 0; i < cert->nprincipals; i++) 192255767Sdes free(cert->principals[i]); 193255767Sdes free(cert->principals); 194204917Sdes if (cert->signature_key != NULL) 195204917Sdes key_free(cert->signature_key); 196255767Sdes free(cert); 197204917Sdes} 198204917Sdes 19958582Skrisvoid 20058582Skriskey_free(Key *k) 20158582Skris{ 202162856Sdes if (k == NULL) 203162856Sdes fatal("key_free: key is NULL"); 20458582Skris switch (k->type) { 20576262Sgreen case KEY_RSA1: 20658582Skris case KEY_RSA: 207215116Sdes case KEY_RSA_CERT_V00: 208204917Sdes case KEY_RSA_CERT: 20958582Skris if (k->rsa != NULL) 21058582Skris RSA_free(k->rsa); 21158582Skris k->rsa = NULL; 21258582Skris break; 21358582Skris case KEY_DSA: 214215116Sdes case KEY_DSA_CERT_V00: 215204917Sdes case KEY_DSA_CERT: 21658582Skris if (k->dsa != NULL) 21758582Skris DSA_free(k->dsa); 21858582Skris k->dsa = NULL; 21958582Skris break; 220221420Sdes#ifdef OPENSSL_HAS_ECC 221221420Sdes case KEY_ECDSA: 222221420Sdes case KEY_ECDSA_CERT: 223221420Sdes if (k->ecdsa != NULL) 224221420Sdes EC_KEY_free(k->ecdsa); 225221420Sdes k->ecdsa = NULL; 226221420Sdes break; 227221420Sdes#endif 22876262Sgreen case KEY_UNSPEC: 22976262Sgreen break; 23058582Skris default: 23158582Skris fatal("key_free: bad key type %d", k->type); 23258582Skris break; 23358582Skris } 234204917Sdes if (key_is_cert(k)) { 235204917Sdes if (k->cert != NULL) 236204917Sdes cert_free(k->cert); 237204917Sdes k->cert = NULL; 238204917Sdes } 239204917Sdes 240255767Sdes free(k); 24158582Skris} 242126277Sdes 243204917Sdesstatic int 244204917Sdescert_compare(struct KeyCert *a, struct KeyCert *b) 245204917Sdes{ 246204917Sdes if (a == NULL && b == NULL) 247204917Sdes return 1; 248204917Sdes if (a == NULL || b == NULL) 249204917Sdes return 0; 250204917Sdes if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 251204917Sdes return 0; 252215116Sdes if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), 253204917Sdes buffer_len(&a->certblob)) != 0) 254204917Sdes return 0; 255204917Sdes return 1; 256204917Sdes} 257204917Sdes 258204917Sdes/* 259204917Sdes * Compare public portions of key only, allowing comparisons between 260204917Sdes * certificates and plain keys too. 261204917Sdes */ 26258582Skrisint 263204917Sdeskey_equal_public(const Key *a, const Key *b) 26458582Skris{ 265221420Sdes#ifdef OPENSSL_HAS_ECC 266221420Sdes BN_CTX *bnctx; 267221420Sdes#endif 268221420Sdes 269204917Sdes if (a == NULL || b == NULL || 270204917Sdes key_type_plain(a->type) != key_type_plain(b->type)) 27158582Skris return 0; 272204917Sdes 27358582Skris switch (a->type) { 27476262Sgreen case KEY_RSA1: 275215116Sdes case KEY_RSA_CERT_V00: 276204917Sdes case KEY_RSA_CERT: 27758582Skris case KEY_RSA: 27858582Skris return a->rsa != NULL && b->rsa != NULL && 27958582Skris BN_cmp(a->rsa->e, b->rsa->e) == 0 && 28058582Skris BN_cmp(a->rsa->n, b->rsa->n) == 0; 281215116Sdes case KEY_DSA_CERT_V00: 282204917Sdes case KEY_DSA_CERT: 28358582Skris case KEY_DSA: 28458582Skris return a->dsa != NULL && b->dsa != NULL && 28558582Skris BN_cmp(a->dsa->p, b->dsa->p) == 0 && 28658582Skris BN_cmp(a->dsa->q, b->dsa->q) == 0 && 28758582Skris BN_cmp(a->dsa->g, b->dsa->g) == 0 && 28858582Skris BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 289221420Sdes#ifdef OPENSSL_HAS_ECC 290221420Sdes case KEY_ECDSA_CERT: 291221420Sdes case KEY_ECDSA: 292221420Sdes if (a->ecdsa == NULL || b->ecdsa == NULL || 293221420Sdes EC_KEY_get0_public_key(a->ecdsa) == NULL || 294221420Sdes EC_KEY_get0_public_key(b->ecdsa) == NULL) 295221420Sdes return 0; 296221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 297221420Sdes fatal("%s: BN_CTX_new failed", __func__); 298221420Sdes if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 299221420Sdes EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 300221420Sdes EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 301221420Sdes EC_KEY_get0_public_key(a->ecdsa), 302221420Sdes EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 303221420Sdes BN_CTX_free(bnctx); 304221420Sdes return 0; 305221420Sdes } 306221420Sdes BN_CTX_free(bnctx); 307221420Sdes return 1; 308221420Sdes#endif /* OPENSSL_HAS_ECC */ 30958582Skris default: 31060576Skris fatal("key_equal: bad key type %d", a->type); 31158582Skris } 312181111Sdes /* NOTREACHED */ 31358582Skris} 31458582Skris 315204917Sdesint 316204917Sdeskey_equal(const Key *a, const Key *b) 317204917Sdes{ 318204917Sdes if (a == NULL || b == NULL || a->type != b->type) 319204917Sdes return 0; 320204917Sdes if (key_is_cert(a)) { 321204917Sdes if (!cert_compare(a->cert, b->cert)) 322204917Sdes return 0; 323204917Sdes } 324204917Sdes return key_equal_public(a, b); 325204917Sdes} 326204917Sdes 327124211Sdesu_char* 328248619Sdeskey_fingerprint_raw(const Key *k, enum fp_type dgst_type, 329248619Sdes u_int *dgst_raw_length) 33058582Skris{ 33192559Sdes const EVP_MD *md = NULL; 33276262Sgreen EVP_MD_CTX ctx; 33376262Sgreen u_char *blob = NULL; 33476262Sgreen u_char *retval = NULL; 33592559Sdes u_int len = 0; 336248619Sdes int nlen, elen; 33758582Skris 33876262Sgreen *dgst_raw_length = 0; 33976262Sgreen 34076262Sgreen switch (dgst_type) { 34176262Sgreen case SSH_FP_MD5: 34276262Sgreen md = EVP_md5(); 34376262Sgreen break; 34476262Sgreen case SSH_FP_SHA1: 34576262Sgreen md = EVP_sha1(); 34676262Sgreen break; 347240075Sdes#ifdef HAVE_EVP_SHA256 348240075Sdes case SSH_FP_SHA256: 349240075Sdes md = EVP_sha256(); 350240075Sdes break; 351240075Sdes#endif 35276262Sgreen default: 35376262Sgreen fatal("key_fingerprint_raw: bad digest type %d", 35476262Sgreen dgst_type); 35576262Sgreen } 35658582Skris switch (k->type) { 35776262Sgreen case KEY_RSA1: 35858582Skris nlen = BN_num_bytes(k->rsa->n); 35958582Skris elen = BN_num_bytes(k->rsa->e); 36058582Skris len = nlen + elen; 36160576Skris blob = xmalloc(len); 36260576Skris BN_bn2bin(k->rsa->n, blob); 36360576Skris BN_bn2bin(k->rsa->e, blob + nlen); 36458582Skris break; 36558582Skris case KEY_DSA: 366221420Sdes case KEY_ECDSA: 36776262Sgreen case KEY_RSA: 36876262Sgreen key_to_blob(k, &blob, &len); 36958582Skris break; 370215116Sdes case KEY_DSA_CERT_V00: 371215116Sdes case KEY_RSA_CERT_V00: 372204917Sdes case KEY_DSA_CERT: 373221420Sdes case KEY_ECDSA_CERT: 374204917Sdes case KEY_RSA_CERT: 375204917Sdes /* We want a fingerprint of the _key_ not of the cert */ 376248619Sdes to_blob(k, &blob, &len, 1); 377204917Sdes break; 37876262Sgreen case KEY_UNSPEC: 37976262Sgreen return retval; 38058582Skris default: 38176262Sgreen fatal("key_fingerprint_raw: bad key type %d", k->type); 38258582Skris break; 38358582Skris } 38460576Skris if (blob != NULL) { 38576262Sgreen retval = xmalloc(EVP_MAX_MD_SIZE); 38665674Skris EVP_DigestInit(&ctx, md); 38765674Skris EVP_DigestUpdate(&ctx, blob, len); 38892559Sdes EVP_DigestFinal(&ctx, retval, dgst_raw_length); 38960576Skris memset(blob, 0, len); 390255767Sdes free(blob); 39176262Sgreen } else { 39276262Sgreen fatal("key_fingerprint_raw: blob is null"); 39358582Skris } 39458582Skris return retval; 39558582Skris} 39658582Skris 397106130Sdesstatic char * 398106130Sdeskey_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) 39976262Sgreen{ 40076262Sgreen char *retval; 401149753Sdes u_int i; 40276262Sgreen 403162856Sdes retval = xcalloc(1, dgst_raw_len * 3 + 1); 40492559Sdes for (i = 0; i < dgst_raw_len; i++) { 40576262Sgreen char hex[4]; 40676262Sgreen snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 407124211Sdes strlcat(retval, hex, dgst_raw_len * 3 + 1); 40876262Sgreen } 409124211Sdes 410124211Sdes /* Remove the trailing ':' character */ 41176262Sgreen retval[(dgst_raw_len * 3) - 1] = '\0'; 41276262Sgreen return retval; 41376262Sgreen} 41476262Sgreen 415106130Sdesstatic char * 416106130Sdeskey_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) 41776262Sgreen{ 41876262Sgreen char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 41976262Sgreen char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 42076262Sgreen 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 42176262Sgreen u_int i, j = 0, rounds, seed = 1; 42276262Sgreen char *retval; 42376262Sgreen 42476262Sgreen rounds = (dgst_raw_len / 2) + 1; 425162856Sdes retval = xcalloc((rounds * 6), sizeof(char)); 42676262Sgreen retval[j++] = 'x'; 42776262Sgreen for (i = 0; i < rounds; i++) { 42876262Sgreen u_int idx0, idx1, idx2, idx3, idx4; 42976262Sgreen if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 43076262Sgreen idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 43176262Sgreen seed) % 6; 43276262Sgreen idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 43376262Sgreen idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 43476262Sgreen (seed / 6)) % 6; 43576262Sgreen retval[j++] = vowels[idx0]; 43676262Sgreen retval[j++] = consonants[idx1]; 43776262Sgreen retval[j++] = vowels[idx2]; 43876262Sgreen if ((i + 1) < rounds) { 43976262Sgreen idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 44076262Sgreen idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 44176262Sgreen retval[j++] = consonants[idx3]; 44276262Sgreen retval[j++] = '-'; 44376262Sgreen retval[j++] = consonants[idx4]; 44476262Sgreen seed = ((seed * 5) + 44576262Sgreen ((((u_int)(dgst_raw[2 * i])) * 7) + 44676262Sgreen ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 44776262Sgreen } 44876262Sgreen } else { 44976262Sgreen idx0 = seed % 6; 45076262Sgreen idx1 = 16; 45176262Sgreen idx2 = seed / 6; 45276262Sgreen retval[j++] = vowels[idx0]; 45376262Sgreen retval[j++] = consonants[idx1]; 45476262Sgreen retval[j++] = vowels[idx2]; 45576262Sgreen } 45676262Sgreen } 45776262Sgreen retval[j++] = 'x'; 45876262Sgreen retval[j++] = '\0'; 45976262Sgreen return retval; 46076262Sgreen} 46176262Sgreen 462181111Sdes/* 463181111Sdes * Draw an ASCII-Art representing the fingerprint so human brain can 464181111Sdes * profit from its built-in pattern recognition ability. 465181111Sdes * This technique is called "random art" and can be found in some 466181111Sdes * scientific publications like this original paper: 467181111Sdes * 468181111Sdes * "Hash Visualization: a New Technique to improve Real-World Security", 469181111Sdes * Perrig A. and Song D., 1999, International Workshop on Cryptographic 470181111Sdes * Techniques and E-Commerce (CrypTEC '99) 471181111Sdes * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 472181111Sdes * 473181111Sdes * The subject came up in a talk by Dan Kaminsky, too. 474181111Sdes * 475181111Sdes * If you see the picture is different, the key is different. 476181111Sdes * If the picture looks the same, you still know nothing. 477181111Sdes * 478181111Sdes * The algorithm used here is a worm crawling over a discrete plane, 479181111Sdes * leaving a trace (augmenting the field) everywhere it goes. 480181111Sdes * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 481181111Sdes * makes the respective movement vector be ignored for this turn. 482181111Sdes * Graphs are not unambiguous, because circles in graphs can be 483181111Sdes * walked in either direction. 484181111Sdes */ 485181111Sdes 486181111Sdes/* 487181111Sdes * Field sizes for the random art. Have to be odd, so the starting point 488181111Sdes * can be in the exact middle of the picture, and FLDBASE should be >=8 . 489181111Sdes * Else pictures would be too dense, and drawing the frame would 490181111Sdes * fail, too, because the key type would not fit in anymore. 491181111Sdes */ 492181111Sdes#define FLDBASE 8 493181111Sdes#define FLDSIZE_Y (FLDBASE + 1) 494181111Sdes#define FLDSIZE_X (FLDBASE * 2 + 1) 495181111Sdesstatic char * 496181111Sdeskey_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) 497181111Sdes{ 498181111Sdes /* 499181111Sdes * Chars to be used after each other every time the worm 500181111Sdes * intersects with itself. Matter of taste. 501181111Sdes */ 502181111Sdes char *augmentation_string = " .o+=*BOX@%&#/^SE"; 503181111Sdes char *retval, *p; 504181111Sdes u_char field[FLDSIZE_X][FLDSIZE_Y]; 505181111Sdes u_int i, b; 506181111Sdes int x, y; 507181111Sdes size_t len = strlen(augmentation_string) - 1; 508181111Sdes 509181111Sdes retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); 510181111Sdes 511181111Sdes /* initialize field */ 512181111Sdes memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 513181111Sdes x = FLDSIZE_X / 2; 514181111Sdes y = FLDSIZE_Y / 2; 515181111Sdes 516181111Sdes /* process raw key */ 517181111Sdes for (i = 0; i < dgst_raw_len; i++) { 518181111Sdes int input; 519181111Sdes /* each byte conveys four 2-bit move commands */ 520181111Sdes input = dgst_raw[i]; 521181111Sdes for (b = 0; b < 4; b++) { 522181111Sdes /* evaluate 2 bit, rest is shifted later */ 523181111Sdes x += (input & 0x1) ? 1 : -1; 524181111Sdes y += (input & 0x2) ? 1 : -1; 525181111Sdes 526181111Sdes /* assure we are still in bounds */ 527181111Sdes x = MAX(x, 0); 528181111Sdes y = MAX(y, 0); 529181111Sdes x = MIN(x, FLDSIZE_X - 1); 530181111Sdes y = MIN(y, FLDSIZE_Y - 1); 531181111Sdes 532181111Sdes /* augment the field */ 533192595Sdes if (field[x][y] < len - 2) 534192595Sdes field[x][y]++; 535181111Sdes input = input >> 2; 536181111Sdes } 537181111Sdes } 538181111Sdes 539181111Sdes /* mark starting point and end point*/ 540181111Sdes field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 541181111Sdes field[x][y] = len; 542181111Sdes 543181111Sdes /* fill in retval */ 544181111Sdes snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k)); 545181111Sdes p = strchr(retval, '\0'); 546181111Sdes 547181111Sdes /* output upper border */ 548181111Sdes for (i = p - retval - 1; i < FLDSIZE_X; i++) 549181111Sdes *p++ = '-'; 550181111Sdes *p++ = '+'; 551181111Sdes *p++ = '\n'; 552181111Sdes 553181111Sdes /* output content */ 554181111Sdes for (y = 0; y < FLDSIZE_Y; y++) { 555181111Sdes *p++ = '|'; 556181111Sdes for (x = 0; x < FLDSIZE_X; x++) 557181111Sdes *p++ = augmentation_string[MIN(field[x][y], len)]; 558181111Sdes *p++ = '|'; 559181111Sdes *p++ = '\n'; 560181111Sdes } 561181111Sdes 562181111Sdes /* output lower border */ 563181111Sdes *p++ = '+'; 564181111Sdes for (i = 0; i < FLDSIZE_X; i++) 565181111Sdes *p++ = '-'; 566181111Sdes *p++ = '+'; 567181111Sdes 568181111Sdes return retval; 569181111Sdes} 570181111Sdes 571106130Sdeschar * 572255767Sdeskey_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) 57376262Sgreen{ 57476262Sgreen char *retval = NULL; 57576262Sgreen u_char *dgst_raw; 57692559Sdes u_int dgst_raw_len; 57792559Sdes 57876262Sgreen dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); 57976262Sgreen if (!dgst_raw) 58076262Sgreen fatal("key_fingerprint: null from key_fingerprint_raw()"); 58192559Sdes switch (dgst_rep) { 58276262Sgreen case SSH_FP_HEX: 58376262Sgreen retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); 58476262Sgreen break; 58576262Sgreen case SSH_FP_BUBBLEBABBLE: 58676262Sgreen retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 58776262Sgreen break; 588181111Sdes case SSH_FP_RANDOMART: 589181111Sdes retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k); 590181111Sdes break; 59176262Sgreen default: 592192595Sdes fatal("key_fingerprint: bad digest representation %d", 59376262Sgreen dgst_rep); 59476262Sgreen break; 59576262Sgreen } 59676262Sgreen memset(dgst_raw, 0, dgst_raw_len); 597255767Sdes free(dgst_raw); 59876262Sgreen return retval; 59976262Sgreen} 60076262Sgreen 60158582Skris/* 60258582Skris * Reads a multiple-precision integer in decimal from the buffer, and advances 60358582Skris * the pointer. The integer must already be initialized. This function is 60458582Skris * permitted to modify the buffer. This leaves *cpp to point just beyond the 60558582Skris * last processed (and maybe modified) character. Note that this may modify 60658582Skris * the buffer containing the number. 60758582Skris */ 60892559Sdesstatic int 60958582Skrisread_bignum(char **cpp, BIGNUM * value) 61058582Skris{ 61158582Skris char *cp = *cpp; 61258582Skris int old; 61358582Skris 61458582Skris /* Skip any leading whitespace. */ 61558582Skris for (; *cp == ' ' || *cp == '\t'; cp++) 61658582Skris ; 61758582Skris 61858582Skris /* Check that it begins with a decimal digit. */ 61958582Skris if (*cp < '0' || *cp > '9') 62058582Skris return 0; 62158582Skris 62258582Skris /* Save starting position. */ 62358582Skris *cpp = cp; 62458582Skris 62558582Skris /* Move forward until all decimal digits skipped. */ 62658582Skris for (; *cp >= '0' && *cp <= '9'; cp++) 62758582Skris ; 62858582Skris 62958582Skris /* Save the old terminating character, and replace it by \0. */ 63058582Skris old = *cp; 63158582Skris *cp = 0; 63258582Skris 63358582Skris /* Parse the number. */ 63458582Skris if (BN_dec2bn(&value, *cpp) == 0) 63558582Skris return 0; 63658582Skris 63758582Skris /* Restore old terminating character. */ 63858582Skris *cp = old; 63958582Skris 64058582Skris /* Move beyond the number and return success. */ 64158582Skris *cpp = cp; 64258582Skris return 1; 64358582Skris} 64499063Sdes 64592559Sdesstatic int 64658582Skriswrite_bignum(FILE *f, BIGNUM *num) 64758582Skris{ 64858582Skris char *buf = BN_bn2dec(num); 64958582Skris if (buf == NULL) { 65058582Skris error("write_bignum: BN_bn2dec() failed"); 65158582Skris return 0; 65258582Skris } 65358582Skris fprintf(f, " %s", buf); 65492559Sdes OPENSSL_free(buf); 65558582Skris return 1; 65658582Skris} 65776262Sgreen 65892559Sdes/* returns 1 ok, -1 error */ 65976262Sgreenint 66060576Skriskey_read(Key *ret, char **cpp) 66158582Skris{ 66260576Skris Key *k; 66376262Sgreen int success = -1; 66476262Sgreen char *cp, *space; 66576262Sgreen int len, n, type; 66676262Sgreen u_int bits; 66776262Sgreen u_char *blob; 668221420Sdes#ifdef OPENSSL_HAS_ECC 669221420Sdes int curve_nid = -1; 670221420Sdes#endif 67160576Skris 67260576Skris cp = *cpp; 67360576Skris 67492559Sdes switch (ret->type) { 67576262Sgreen case KEY_RSA1: 67660576Skris /* Get number of bits. */ 67760576Skris if (*cp < '0' || *cp > '9') 67876262Sgreen return -1; /* Bad bit count... */ 67960576Skris for (bits = 0; *cp >= '0' && *cp <= '9'; cp++) 68060576Skris bits = 10 * bits + *cp - '0'; 68158582Skris if (bits == 0) 68276262Sgreen return -1; 68360576Skris *cpp = cp; 68458582Skris /* Get public exponent, public modulus. */ 68558582Skris if (!read_bignum(cpp, ret->rsa->e)) 68676262Sgreen return -1; 68758582Skris if (!read_bignum(cpp, ret->rsa->n)) 68876262Sgreen return -1; 689204917Sdes /* validate the claimed number of bits */ 690204917Sdes if ((u_int)BN_num_bits(ret->rsa->n) != bits) { 691204917Sdes verbose("key_read: claimed key size %d does not match " 692204917Sdes "actual %d", bits, BN_num_bits(ret->rsa->n)); 693204917Sdes return -1; 694204917Sdes } 69576262Sgreen success = 1; 69658582Skris break; 69776262Sgreen case KEY_UNSPEC: 69876262Sgreen case KEY_RSA: 69958582Skris case KEY_DSA: 700221420Sdes case KEY_ECDSA: 701215116Sdes case KEY_DSA_CERT_V00: 702215116Sdes case KEY_RSA_CERT_V00: 703204917Sdes case KEY_DSA_CERT: 704221420Sdes case KEY_ECDSA_CERT: 705204917Sdes case KEY_RSA_CERT: 70676262Sgreen space = strchr(cp, ' '); 70776262Sgreen if (space == NULL) { 708113911Sdes debug3("key_read: missing whitespace"); 70976262Sgreen return -1; 71076262Sgreen } 71176262Sgreen *space = '\0'; 71276262Sgreen type = key_type_from_name(cp); 713221420Sdes#ifdef OPENSSL_HAS_ECC 714221420Sdes if (key_type_plain(type) == KEY_ECDSA && 715221420Sdes (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) { 716221420Sdes debug("key_read: invalid curve"); 717221420Sdes return -1; 718221420Sdes } 719221420Sdes#endif 72076262Sgreen *space = ' '; 72176262Sgreen if (type == KEY_UNSPEC) { 722113911Sdes debug3("key_read: missing keytype"); 72376262Sgreen return -1; 72476262Sgreen } 72576262Sgreen cp = space+1; 72676262Sgreen if (*cp == '\0') { 72776262Sgreen debug3("key_read: short string"); 72876262Sgreen return -1; 72976262Sgreen } 73076262Sgreen if (ret->type == KEY_UNSPEC) { 73176262Sgreen ret->type = type; 73276262Sgreen } else if (ret->type != type) { 73376262Sgreen /* is a key, but different type */ 73476262Sgreen debug3("key_read: type mismatch"); 73592559Sdes return -1; 73676262Sgreen } 73760576Skris len = 2*strlen(cp); 73860576Skris blob = xmalloc(len); 73960576Skris n = uudecode(cp, blob, len); 74060576Skris if (n < 0) { 74161203Skris error("key_read: uudecode %s failed", cp); 742255767Sdes free(blob); 74376262Sgreen return -1; 74460576Skris } 745124211Sdes k = key_from_blob(blob, (u_int)n); 746255767Sdes free(blob); 74761203Skris if (k == NULL) { 74876262Sgreen error("key_read: key_from_blob %s failed", cp); 74976262Sgreen return -1; 75061203Skris } 75176262Sgreen if (k->type != type) { 75276262Sgreen error("key_read: type mismatch: encoding error"); 75376262Sgreen key_free(k); 75476262Sgreen return -1; 75576262Sgreen } 756221420Sdes#ifdef OPENSSL_HAS_ECC 757221420Sdes if (key_type_plain(type) == KEY_ECDSA && 758221420Sdes curve_nid != k->ecdsa_nid) { 759221420Sdes error("key_read: type mismatch: EC curve mismatch"); 760221420Sdes key_free(k); 761221420Sdes return -1; 762221420Sdes } 763221420Sdes#endif 76476262Sgreen/*XXXX*/ 765204917Sdes if (key_is_cert(ret)) { 766204917Sdes if (!key_is_cert(k)) { 767204917Sdes error("key_read: loaded key is not a cert"); 768204917Sdes key_free(k); 769204917Sdes return -1; 770204917Sdes } 771204917Sdes if (ret->cert != NULL) 772204917Sdes cert_free(ret->cert); 773204917Sdes ret->cert = k->cert; 774204917Sdes k->cert = NULL; 775204917Sdes } 776204917Sdes if (key_type_plain(ret->type) == KEY_RSA) { 77776262Sgreen if (ret->rsa != NULL) 77876262Sgreen RSA_free(ret->rsa); 77976262Sgreen ret->rsa = k->rsa; 78076262Sgreen k->rsa = NULL; 78176262Sgreen#ifdef DEBUG_PK 78276262Sgreen RSA_print_fp(stderr, ret->rsa, 8); 78376262Sgreen#endif 784204917Sdes } 785204917Sdes if (key_type_plain(ret->type) == KEY_DSA) { 78676262Sgreen if (ret->dsa != NULL) 78776262Sgreen DSA_free(ret->dsa); 78876262Sgreen ret->dsa = k->dsa; 78976262Sgreen k->dsa = NULL; 79076262Sgreen#ifdef DEBUG_PK 79176262Sgreen DSA_print_fp(stderr, ret->dsa, 8); 79276262Sgreen#endif 79376262Sgreen } 794221420Sdes#ifdef OPENSSL_HAS_ECC 795221420Sdes if (key_type_plain(ret->type) == KEY_ECDSA) { 796221420Sdes if (ret->ecdsa != NULL) 797221420Sdes EC_KEY_free(ret->ecdsa); 798221420Sdes ret->ecdsa = k->ecdsa; 799221420Sdes ret->ecdsa_nid = k->ecdsa_nid; 800221420Sdes k->ecdsa = NULL; 801221420Sdes k->ecdsa_nid = -1; 802221420Sdes#ifdef DEBUG_PK 803221420Sdes key_dump_ec_key(ret->ecdsa); 804221420Sdes#endif 805221420Sdes } 806221420Sdes#endif 807204917Sdes success = 1; 80876262Sgreen/*XXXX*/ 80992559Sdes key_free(k); 81076262Sgreen if (success != 1) 81176262Sgreen break; 81261203Skris /* advance cp: skip whitespace and data */ 81361203Skris while (*cp == ' ' || *cp == '\t') 81461203Skris cp++; 81561203Skris while (*cp != '\0' && *cp != ' ' && *cp != '\t') 81661203Skris cp++; 81761203Skris *cpp = cp; 81858582Skris break; 81958582Skris default: 82060576Skris fatal("key_read: bad key type: %d", ret->type); 82158582Skris break; 82258582Skris } 82376262Sgreen return success; 82458582Skris} 82599063Sdes 82658582Skrisint 827126277Sdeskey_write(const Key *key, FILE *f) 82858582Skris{ 82992559Sdes int n, success = 0; 83092559Sdes u_int len, bits = 0; 831106130Sdes u_char *blob; 832106130Sdes char *uu; 83358582Skris 834204917Sdes if (key_is_cert(key)) { 835204917Sdes if (key->cert == NULL) { 836204917Sdes error("%s: no cert data", __func__); 837204917Sdes return 0; 838204917Sdes } 839204917Sdes if (buffer_len(&key->cert->certblob) == 0) { 840204917Sdes error("%s: no signed certificate blob", __func__); 841204917Sdes return 0; 842204917Sdes } 843204917Sdes } 844204917Sdes 845204917Sdes switch (key->type) { 846204917Sdes case KEY_RSA1: 847204917Sdes if (key->rsa == NULL) 848204917Sdes return 0; 84958582Skris /* size of modulus 'n' */ 85058582Skris bits = BN_num_bits(key->rsa->n); 85158582Skris fprintf(f, "%u", bits); 85258582Skris if (write_bignum(f, key->rsa->e) && 853204917Sdes write_bignum(f, key->rsa->n)) 854204917Sdes return 1; 855204917Sdes error("key_write: failed for RSA key"); 856204917Sdes return 0; 857204917Sdes case KEY_DSA: 858215116Sdes case KEY_DSA_CERT_V00: 859204917Sdes case KEY_DSA_CERT: 860204917Sdes if (key->dsa == NULL) 861204917Sdes return 0; 862204917Sdes break; 863221420Sdes#ifdef OPENSSL_HAS_ECC 864221420Sdes case KEY_ECDSA: 865221420Sdes case KEY_ECDSA_CERT: 866221420Sdes if (key->ecdsa == NULL) 867221420Sdes return 0; 868221420Sdes break; 869221420Sdes#endif 870204917Sdes case KEY_RSA: 871215116Sdes case KEY_RSA_CERT_V00: 872204917Sdes case KEY_RSA_CERT: 873204917Sdes if (key->rsa == NULL) 874204917Sdes return 0; 875204917Sdes break; 876204917Sdes default: 877204917Sdes return 0; 87858582Skris } 879204917Sdes 880204917Sdes key_to_blob(key, &blob, &len); 881204917Sdes uu = xmalloc(2*len); 882204917Sdes n = uuencode(blob, len, uu, 2*len); 883204917Sdes if (n > 0) { 884204917Sdes fprintf(f, "%s %s", key_ssh_name(key), uu); 885204917Sdes success = 1; 886204917Sdes } 887255767Sdes free(blob); 888255767Sdes free(uu); 889204917Sdes 89058582Skris return success; 89158582Skris} 89299063Sdes 893126277Sdesconst char * 894207319Sdeskey_cert_type(const Key *k) 895207319Sdes{ 896207319Sdes switch (k->cert->type) { 897207319Sdes case SSH2_CERT_TYPE_USER: 898207319Sdes return "user"; 899207319Sdes case SSH2_CERT_TYPE_HOST: 900207319Sdes return "host"; 901207319Sdes default: 902207319Sdes return "unknown"; 903207319Sdes } 904207319Sdes} 905207319Sdes 906255767Sdesstruct keytype { 907255767Sdes char *name; 908255767Sdes char *shortname; 909255767Sdes int type; 910255767Sdes int nid; 911255767Sdes int cert; 912255767Sdes}; 913255767Sdesstatic const struct keytype keytypes[] = { 914255767Sdes { NULL, "RSA1", KEY_RSA1, 0, 0 }, 915255767Sdes { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, 916255767Sdes { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, 917255767Sdes#ifdef OPENSSL_HAS_ECC 918255767Sdes { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, 919255767Sdes { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, 920255767Sdes { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, 921255767Sdes#endif /* OPENSSL_HAS_ECC */ 922255767Sdes { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, 923255767Sdes { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, 924255767Sdes#ifdef OPENSSL_HAS_ECC 925255767Sdes { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", 926255767Sdes KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, 927255767Sdes { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", 928255767Sdes KEY_ECDSA_CERT, NID_secp384r1, 1 }, 929255767Sdes { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", 930255767Sdes KEY_ECDSA_CERT, NID_secp521r1, 1 }, 931255767Sdes#endif /* OPENSSL_HAS_ECC */ 932255767Sdes { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", 933255767Sdes KEY_RSA_CERT_V00, 0, 1 }, 934255767Sdes { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", 935255767Sdes KEY_DSA_CERT_V00, 0, 1 }, 936255767Sdes { NULL, NULL, -1, -1, 0 } 937255767Sdes}; 938255767Sdes 939255767Sdesconst char * 940255767Sdeskey_type(const Key *k) 941255767Sdes{ 942255767Sdes const struct keytype *kt; 943255767Sdes 944255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 945255767Sdes if (kt->type == k->type) 946255767Sdes return kt->shortname; 947255767Sdes } 948255767Sdes return "unknown"; 949255767Sdes} 950255767Sdes 951221420Sdesstatic const char * 952221420Sdeskey_ssh_name_from_type_nid(int type, int nid) 95376262Sgreen{ 954255767Sdes const struct keytype *kt; 955255767Sdes 956255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 957255767Sdes if (kt->type == type && (kt->nid == 0 || kt->nid == nid)) 958255767Sdes return kt->name; 95976262Sgreen } 96076262Sgreen return "ssh-unknown"; 96176262Sgreen} 96299063Sdes 963221420Sdesconst char * 964221420Sdeskey_ssh_name(const Key *k) 965221420Sdes{ 966221420Sdes return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 967221420Sdes} 968221420Sdes 969221420Sdesconst char * 970221420Sdeskey_ssh_name_plain(const Key *k) 971221420Sdes{ 972221420Sdes return key_ssh_name_from_type_nid(key_type_plain(k->type), 973221420Sdes k->ecdsa_nid); 974221420Sdes} 975221420Sdes 976255767Sdesint 977255767Sdeskey_type_from_name(char *name) 978255767Sdes{ 979255767Sdes const struct keytype *kt; 980255767Sdes 981255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 982255767Sdes /* Only allow shortname matches for plain key types */ 983255767Sdes if ((kt->name != NULL && strcmp(name, kt->name) == 0) || 984255767Sdes (!kt->cert && strcasecmp(kt->shortname, name) == 0)) 985255767Sdes return kt->type; 986255767Sdes } 987255767Sdes debug2("key_type_from_name: unknown key type '%s'", name); 988255767Sdes return KEY_UNSPEC; 989255767Sdes} 990255767Sdes 991255767Sdesint 992255767Sdeskey_ecdsa_nid_from_name(const char *name) 993255767Sdes{ 994255767Sdes const struct keytype *kt; 995255767Sdes 996255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 997255767Sdes if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT) 998255767Sdes continue; 999255767Sdes if (kt->name != NULL && strcmp(name, kt->name) == 0) 1000255767Sdes return kt->nid; 1001255767Sdes } 1002255767Sdes debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); 1003255767Sdes return -1; 1004255767Sdes} 1005255767Sdes 1006255767Sdeschar * 1007255767Sdeskey_alg_list(void) 1008255767Sdes{ 1009255767Sdes char *ret = NULL; 1010255767Sdes size_t nlen, rlen = 0; 1011255767Sdes const struct keytype *kt; 1012255767Sdes 1013255767Sdes for (kt = keytypes; kt->type != -1; kt++) { 1014255767Sdes if (kt->name == NULL) 1015255767Sdes continue; 1016255767Sdes if (ret != NULL) 1017255767Sdes ret[rlen++] = '\n'; 1018255767Sdes nlen = strlen(kt->name); 1019255767Sdes ret = xrealloc(ret, 1, rlen + nlen + 2); 1020255767Sdes memcpy(ret + rlen, kt->name, nlen + 1); 1021255767Sdes rlen += nlen; 1022255767Sdes } 1023255767Sdes return ret; 1024255767Sdes} 1025255767Sdes 102676262Sgreenu_int 1027126277Sdeskey_size(const Key *k) 102892559Sdes{ 102965674Skris switch (k->type) { 103076262Sgreen case KEY_RSA1: 103165674Skris case KEY_RSA: 1032215116Sdes case KEY_RSA_CERT_V00: 1033204917Sdes case KEY_RSA_CERT: 103465674Skris return BN_num_bits(k->rsa->n); 103565674Skris case KEY_DSA: 1036215116Sdes case KEY_DSA_CERT_V00: 1037204917Sdes case KEY_DSA_CERT: 103865674Skris return BN_num_bits(k->dsa->p); 1039221420Sdes#ifdef OPENSSL_HAS_ECC 1040221420Sdes case KEY_ECDSA: 1041221420Sdes case KEY_ECDSA_CERT: 1042221420Sdes return key_curve_nid_to_bits(k->ecdsa_nid); 1043221420Sdes#endif 104465674Skris } 104565674Skris return 0; 104665674Skris} 104776262Sgreen 104892559Sdesstatic RSA * 104976262Sgreenrsa_generate_private_key(u_int bits) 105076262Sgreen{ 1051221420Sdes RSA *private = RSA_new(); 1052221420Sdes BIGNUM *f4 = BN_new(); 1053162856Sdes 105476262Sgreen if (private == NULL) 1055221420Sdes fatal("%s: RSA_new failed", __func__); 1056221420Sdes if (f4 == NULL) 1057221420Sdes fatal("%s: BN_new failed", __func__); 1058221420Sdes if (!BN_set_word(f4, RSA_F4)) 1059221420Sdes fatal("%s: BN_new failed", __func__); 1060221420Sdes if (!RSA_generate_key_ex(private, bits, f4, NULL)) 1061221420Sdes fatal("%s: key generation failed.", __func__); 1062221420Sdes BN_free(f4); 106376262Sgreen return private; 106476262Sgreen} 106576262Sgreen 106692559Sdesstatic DSA* 106776262Sgreendsa_generate_private_key(u_int bits) 106876262Sgreen{ 1069221420Sdes DSA *private = DSA_new(); 1070162856Sdes 107176262Sgreen if (private == NULL) 1072221420Sdes fatal("%s: DSA_new failed", __func__); 1073221420Sdes if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1074221420Sdes NULL, NULL)) 1075221420Sdes fatal("%s: DSA_generate_parameters failed", __func__); 107676262Sgreen if (!DSA_generate_key(private)) 1077221420Sdes fatal("%s: DSA_generate_key failed.", __func__); 107876262Sgreen return private; 107976262Sgreen} 108076262Sgreen 1081221420Sdesint 1082221420Sdeskey_ecdsa_bits_to_nid(int bits) 1083221420Sdes{ 1084221420Sdes switch (bits) { 1085221420Sdes#ifdef OPENSSL_HAS_ECC 1086221420Sdes case 256: 1087221420Sdes return NID_X9_62_prime256v1; 1088221420Sdes case 384: 1089221420Sdes return NID_secp384r1; 1090221420Sdes case 521: 1091221420Sdes return NID_secp521r1; 1092221420Sdes#endif 1093221420Sdes default: 1094221420Sdes return -1; 1095221420Sdes } 1096221420Sdes} 1097221420Sdes 1098221420Sdes#ifdef OPENSSL_HAS_ECC 1099221420Sdesint 1100221420Sdeskey_ecdsa_key_to_nid(EC_KEY *k) 1101221420Sdes{ 1102221420Sdes EC_GROUP *eg; 1103221420Sdes int nids[] = { 1104221420Sdes NID_X9_62_prime256v1, 1105221420Sdes NID_secp384r1, 1106221420Sdes NID_secp521r1, 1107221420Sdes -1 1108221420Sdes }; 1109221420Sdes int nid; 1110221420Sdes u_int i; 1111221420Sdes BN_CTX *bnctx; 1112221420Sdes const EC_GROUP *g = EC_KEY_get0_group(k); 1113221420Sdes 1114221420Sdes /* 1115221420Sdes * The group may be stored in a ASN.1 encoded private key in one of two 1116221420Sdes * ways: as a "named group", which is reconstituted by ASN.1 object ID 1117221420Sdes * or explicit group parameters encoded into the key blob. Only the 1118221420Sdes * "named group" case sets the group NID for us, but we can figure 1119221420Sdes * it out for the other case by comparing against all the groups that 1120221420Sdes * are supported. 1121221420Sdes */ 1122221420Sdes if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1123221420Sdes return nid; 1124221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 1125221420Sdes fatal("%s: BN_CTX_new() failed", __func__); 1126221420Sdes for (i = 0; nids[i] != -1; i++) { 1127221420Sdes if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1128221420Sdes fatal("%s: EC_GROUP_new_by_curve_name failed", 1129221420Sdes __func__); 1130221420Sdes if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1131221420Sdes break; 1132221420Sdes EC_GROUP_free(eg); 1133221420Sdes } 1134221420Sdes BN_CTX_free(bnctx); 1135221420Sdes debug3("%s: nid = %d", __func__, nids[i]); 1136221420Sdes if (nids[i] != -1) { 1137221420Sdes /* Use the group with the NID attached */ 1138221420Sdes EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1139221420Sdes if (EC_KEY_set_group(k, eg) != 1) 1140221420Sdes fatal("%s: EC_KEY_set_group", __func__); 1141221420Sdes } 1142221420Sdes return nids[i]; 1143221420Sdes} 1144221420Sdes 1145221420Sdesstatic EC_KEY* 1146221420Sdesecdsa_generate_private_key(u_int bits, int *nid) 1147221420Sdes{ 1148221420Sdes EC_KEY *private; 1149221420Sdes 1150221420Sdes if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1) 1151221420Sdes fatal("%s: invalid key length", __func__); 1152221420Sdes if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) 1153221420Sdes fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1154221420Sdes if (EC_KEY_generate_key(private) != 1) 1155221420Sdes fatal("%s: EC_KEY_generate_key failed", __func__); 1156221420Sdes EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1157221420Sdes return private; 1158221420Sdes} 1159221420Sdes#endif /* OPENSSL_HAS_ECC */ 1160221420Sdes 116176262SgreenKey * 116276262Sgreenkey_generate(int type, u_int bits) 116376262Sgreen{ 116476262Sgreen Key *k = key_new(KEY_UNSPEC); 116576262Sgreen switch (type) { 116676262Sgreen case KEY_DSA: 116776262Sgreen k->dsa = dsa_generate_private_key(bits); 116876262Sgreen break; 1169221420Sdes#ifdef OPENSSL_HAS_ECC 1170221420Sdes case KEY_ECDSA: 1171221420Sdes k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid); 1172221420Sdes break; 1173221420Sdes#endif 117476262Sgreen case KEY_RSA: 117576262Sgreen case KEY_RSA1: 117676262Sgreen k->rsa = rsa_generate_private_key(bits); 117776262Sgreen break; 1178215116Sdes case KEY_RSA_CERT_V00: 1179215116Sdes case KEY_DSA_CERT_V00: 1180204917Sdes case KEY_RSA_CERT: 1181204917Sdes case KEY_DSA_CERT: 1182204917Sdes fatal("key_generate: cert keys cannot be generated directly"); 118376262Sgreen default: 118476262Sgreen fatal("key_generate: unknown type %d", type); 118576262Sgreen } 118676262Sgreen k->type = type; 118776262Sgreen return k; 118876262Sgreen} 118976262Sgreen 1190204917Sdesvoid 1191204917Sdeskey_cert_copy(const Key *from_key, struct Key *to_key) 1192204917Sdes{ 1193204917Sdes u_int i; 1194204917Sdes const struct KeyCert *from; 1195204917Sdes struct KeyCert *to; 1196204917Sdes 1197204917Sdes if (to_key->cert != NULL) { 1198204917Sdes cert_free(to_key->cert); 1199204917Sdes to_key->cert = NULL; 1200204917Sdes } 1201204917Sdes 1202204917Sdes if ((from = from_key->cert) == NULL) 1203204917Sdes return; 1204204917Sdes 1205204917Sdes to = to_key->cert = cert_new(); 1206204917Sdes 1207204917Sdes buffer_append(&to->certblob, buffer_ptr(&from->certblob), 1208204917Sdes buffer_len(&from->certblob)); 1209204917Sdes 1210215116Sdes buffer_append(&to->critical, 1211215116Sdes buffer_ptr(&from->critical), buffer_len(&from->critical)); 1212215116Sdes buffer_append(&to->extensions, 1213215116Sdes buffer_ptr(&from->extensions), buffer_len(&from->extensions)); 1214204917Sdes 1215215116Sdes to->serial = from->serial; 1216204917Sdes to->type = from->type; 1217204917Sdes to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 1218204917Sdes to->valid_after = from->valid_after; 1219204917Sdes to->valid_before = from->valid_before; 1220204917Sdes to->signature_key = from->signature_key == NULL ? 1221204917Sdes NULL : key_from_private(from->signature_key); 1222204917Sdes 1223204917Sdes to->nprincipals = from->nprincipals; 1224204917Sdes if (to->nprincipals > CERT_MAX_PRINCIPALS) 1225204917Sdes fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)", 1226204917Sdes __func__, to->nprincipals, CERT_MAX_PRINCIPALS); 1227204917Sdes if (to->nprincipals > 0) { 1228204917Sdes to->principals = xcalloc(from->nprincipals, 1229204917Sdes sizeof(*to->principals)); 1230204917Sdes for (i = 0; i < to->nprincipals; i++) 1231204917Sdes to->principals[i] = xstrdup(from->principals[i]); 1232204917Sdes } 1233204917Sdes} 1234204917Sdes 123576262SgreenKey * 1236126277Sdeskey_from_private(const Key *k) 123776262Sgreen{ 123876262Sgreen Key *n = NULL; 123976262Sgreen switch (k->type) { 124076262Sgreen case KEY_DSA: 1241215116Sdes case KEY_DSA_CERT_V00: 1242204917Sdes case KEY_DSA_CERT: 124376262Sgreen n = key_new(k->type); 1244164149Sdes if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1245164149Sdes (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1246164149Sdes (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1247164149Sdes (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 1248164149Sdes fatal("key_from_private: BN_copy failed"); 124976262Sgreen break; 1250221420Sdes#ifdef OPENSSL_HAS_ECC 1251221420Sdes case KEY_ECDSA: 1252221420Sdes case KEY_ECDSA_CERT: 1253221420Sdes n = key_new(k->type); 1254221420Sdes n->ecdsa_nid = k->ecdsa_nid; 1255221420Sdes if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 1256221420Sdes fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1257221420Sdes if (EC_KEY_set_public_key(n->ecdsa, 1258221420Sdes EC_KEY_get0_public_key(k->ecdsa)) != 1) 1259221420Sdes fatal("%s: EC_KEY_set_public_key failed", __func__); 1260221420Sdes break; 1261221420Sdes#endif 126276262Sgreen case KEY_RSA: 126376262Sgreen case KEY_RSA1: 1264215116Sdes case KEY_RSA_CERT_V00: 1265204917Sdes case KEY_RSA_CERT: 126676262Sgreen n = key_new(k->type); 1267164149Sdes if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1268164149Sdes (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 1269164149Sdes fatal("key_from_private: BN_copy failed"); 127076262Sgreen break; 127176262Sgreen default: 127276262Sgreen fatal("key_from_private: unknown type %d", k->type); 127376262Sgreen break; 127476262Sgreen } 1275204917Sdes if (key_is_cert(k)) 1276204917Sdes key_cert_copy(k, n); 127776262Sgreen return n; 127876262Sgreen} 127976262Sgreen 128076262Sgreenint 128176262Sgreenkey_names_valid2(const char *names) 128276262Sgreen{ 128376262Sgreen char *s, *cp, *p; 128476262Sgreen 128576262Sgreen if (names == NULL || strcmp(names, "") == 0) 128676262Sgreen return 0; 128776262Sgreen s = cp = xstrdup(names); 128876262Sgreen for ((p = strsep(&cp, ",")); p && *p != '\0'; 128992559Sdes (p = strsep(&cp, ","))) { 129076262Sgreen switch (key_type_from_name(p)) { 129176262Sgreen case KEY_RSA1: 129276262Sgreen case KEY_UNSPEC: 1293255767Sdes free(s); 129476262Sgreen return 0; 129576262Sgreen } 129676262Sgreen } 129776262Sgreen debug3("key names ok: [%s]", names); 1298255767Sdes free(s); 129976262Sgreen return 1; 130076262Sgreen} 130176262Sgreen 1302204917Sdesstatic int 1303204917Sdescert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1304204917Sdes{ 1305215116Sdes u_char *principals, *critical, *exts, *sig_key, *sig; 1306215116Sdes u_int signed_len, plen, clen, sklen, slen, kidlen, elen; 1307204917Sdes Buffer tmp; 1308204917Sdes char *principal; 1309204917Sdes int ret = -1; 1310215116Sdes int v00 = key->type == KEY_DSA_CERT_V00 || 1311215116Sdes key->type == KEY_RSA_CERT_V00; 1312204917Sdes 1313204917Sdes buffer_init(&tmp); 1314204917Sdes 1315204917Sdes /* Copy the entire key blob for verification and later serialisation */ 1316204917Sdes buffer_append(&key->cert->certblob, blob, blen); 1317204917Sdes 1318215116Sdes elen = 0; /* Not touched for v00 certs */ 1319215116Sdes principals = exts = critical = sig_key = sig = NULL; 1320215116Sdes if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) || 1321215116Sdes buffer_get_int_ret(&key->cert->type, b) != 0 || 1322221420Sdes (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL || 1323204917Sdes (principals = buffer_get_string_ret(b, &plen)) == NULL || 1324204917Sdes buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1325204917Sdes buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || 1326215116Sdes (critical = buffer_get_string_ret(b, &clen)) == NULL || 1327215116Sdes (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) || 1328215116Sdes (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */ 1329215116Sdes buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */ 1330204917Sdes (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1331204917Sdes error("%s: parse error", __func__); 1332204917Sdes goto out; 1333204917Sdes } 1334204917Sdes 1335204917Sdes /* Signature is left in the buffer so we can calculate this length */ 1336204917Sdes signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); 1337204917Sdes 1338204917Sdes if ((sig = buffer_get_string_ret(b, &slen)) == NULL) { 1339204917Sdes error("%s: parse error", __func__); 1340204917Sdes goto out; 1341204917Sdes } 1342204917Sdes 1343204917Sdes if (key->cert->type != SSH2_CERT_TYPE_USER && 1344204917Sdes key->cert->type != SSH2_CERT_TYPE_HOST) { 1345204917Sdes error("Unknown certificate type %u", key->cert->type); 1346204917Sdes goto out; 1347204917Sdes } 1348204917Sdes 1349204917Sdes buffer_append(&tmp, principals, plen); 1350204917Sdes while (buffer_len(&tmp) > 0) { 1351204917Sdes if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { 1352204917Sdes error("%s: Too many principals", __func__); 1353204917Sdes goto out; 1354204917Sdes } 1355221420Sdes if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) { 1356204917Sdes error("%s: Principals data invalid", __func__); 1357204917Sdes goto out; 1358204917Sdes } 1359204917Sdes key->cert->principals = xrealloc(key->cert->principals, 1360204917Sdes key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1361204917Sdes key->cert->principals[key->cert->nprincipals++] = principal; 1362204917Sdes } 1363204917Sdes 1364204917Sdes buffer_clear(&tmp); 1365204917Sdes 1366215116Sdes buffer_append(&key->cert->critical, critical, clen); 1367215116Sdes buffer_append(&tmp, critical, clen); 1368204917Sdes /* validate structure */ 1369204917Sdes while (buffer_len(&tmp) != 0) { 1370204917Sdes if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1371204917Sdes buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1372215116Sdes error("%s: critical option data invalid", __func__); 1373204917Sdes goto out; 1374204917Sdes } 1375204917Sdes } 1376204917Sdes buffer_clear(&tmp); 1377204917Sdes 1378215116Sdes buffer_append(&key->cert->extensions, exts, elen); 1379215116Sdes buffer_append(&tmp, exts, elen); 1380215116Sdes /* validate structure */ 1381215116Sdes while (buffer_len(&tmp) != 0) { 1382215116Sdes if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1383215116Sdes buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1384215116Sdes error("%s: extension data invalid", __func__); 1385215116Sdes goto out; 1386215116Sdes } 1387215116Sdes } 1388215116Sdes buffer_clear(&tmp); 1389215116Sdes 1390204917Sdes if ((key->cert->signature_key = key_from_blob(sig_key, 1391204917Sdes sklen)) == NULL) { 1392204917Sdes error("%s: Signature key invalid", __func__); 1393204917Sdes goto out; 1394204917Sdes } 1395204917Sdes if (key->cert->signature_key->type != KEY_RSA && 1396221420Sdes key->cert->signature_key->type != KEY_DSA && 1397221420Sdes key->cert->signature_key->type != KEY_ECDSA) { 1398204917Sdes error("%s: Invalid signature key type %s (%d)", __func__, 1399204917Sdes key_type(key->cert->signature_key), 1400204917Sdes key->cert->signature_key->type); 1401204917Sdes goto out; 1402204917Sdes } 1403204917Sdes 1404204917Sdes switch (key_verify(key->cert->signature_key, sig, slen, 1405204917Sdes buffer_ptr(&key->cert->certblob), signed_len)) { 1406204917Sdes case 1: 1407204917Sdes ret = 0; 1408204917Sdes break; /* Good signature */ 1409204917Sdes case 0: 1410204917Sdes error("%s: Invalid signature on certificate", __func__); 1411204917Sdes goto out; 1412204917Sdes case -1: 1413204917Sdes error("%s: Certificate signature verification failed", 1414204917Sdes __func__); 1415204917Sdes goto out; 1416204917Sdes } 1417204917Sdes 1418204917Sdes out: 1419204917Sdes buffer_free(&tmp); 1420255767Sdes free(principals); 1421255767Sdes free(critical); 1422255767Sdes free(exts); 1423255767Sdes free(sig_key); 1424255767Sdes free(sig); 1425204917Sdes return ret; 1426204917Sdes} 1427204917Sdes 142876262SgreenKey * 1429126277Sdeskey_from_blob(const u_char *blob, u_int blen) 143076262Sgreen{ 143176262Sgreen Buffer b; 143276262Sgreen int rlen, type; 1433221420Sdes char *ktype = NULL, *curve = NULL; 143476262Sgreen Key *key = NULL; 1435221420Sdes#ifdef OPENSSL_HAS_ECC 1436221420Sdes EC_POINT *q = NULL; 1437221420Sdes int nid = -1; 1438221420Sdes#endif 143976262Sgreen 144076262Sgreen#ifdef DEBUG_PK 144176262Sgreen dump_base64(stderr, blob, blen); 144276262Sgreen#endif 144376262Sgreen buffer_init(&b); 144476262Sgreen buffer_append(&b, blob, blen); 1445221420Sdes if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) { 1446147005Sdes error("key_from_blob: can't read key type"); 1447147005Sdes goto out; 1448147005Sdes } 1449147005Sdes 145076262Sgreen type = key_type_from_name(ktype); 1451221420Sdes#ifdef OPENSSL_HAS_ECC 1452221420Sdes if (key_type_plain(type) == KEY_ECDSA) 1453221420Sdes nid = key_ecdsa_nid_from_name(ktype); 1454221420Sdes#endif 145576262Sgreen 145692559Sdes switch (type) { 1457215116Sdes case KEY_RSA_CERT: 1458215116Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1459215116Sdes /* FALLTHROUGH */ 146076262Sgreen case KEY_RSA: 1461215116Sdes case KEY_RSA_CERT_V00: 146276262Sgreen key = key_new(type); 1463147005Sdes if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1464147005Sdes buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1465147005Sdes error("key_from_blob: can't read rsa key"); 1466204917Sdes badkey: 1467147005Sdes key_free(key); 1468147005Sdes key = NULL; 1469147005Sdes goto out; 1470147005Sdes } 147176262Sgreen#ifdef DEBUG_PK 147276262Sgreen RSA_print_fp(stderr, key->rsa, 8); 147376262Sgreen#endif 147476262Sgreen break; 1475215116Sdes case KEY_DSA_CERT: 1476215116Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1477215116Sdes /* FALLTHROUGH */ 147876262Sgreen case KEY_DSA: 1479215116Sdes case KEY_DSA_CERT_V00: 148076262Sgreen key = key_new(type); 1481147005Sdes if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1482147005Sdes buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1483147005Sdes buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1484147005Sdes buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1485147005Sdes error("key_from_blob: can't read dsa key"); 1486204917Sdes goto badkey; 1487147005Sdes } 148876262Sgreen#ifdef DEBUG_PK 148976262Sgreen DSA_print_fp(stderr, key->dsa, 8); 149076262Sgreen#endif 149176262Sgreen break; 1492221420Sdes#ifdef OPENSSL_HAS_ECC 1493221420Sdes case KEY_ECDSA_CERT: 1494221420Sdes (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1495221420Sdes /* FALLTHROUGH */ 1496221420Sdes case KEY_ECDSA: 1497221420Sdes key = key_new(type); 1498221420Sdes key->ecdsa_nid = nid; 1499221420Sdes if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) { 1500221420Sdes error("key_from_blob: can't read ecdsa curve"); 1501221420Sdes goto badkey; 1502221420Sdes } 1503221420Sdes if (key->ecdsa_nid != key_curve_name_to_nid(curve)) { 1504221420Sdes error("key_from_blob: ecdsa curve doesn't match type"); 1505221420Sdes goto badkey; 1506221420Sdes } 1507221420Sdes if (key->ecdsa != NULL) 1508221420Sdes EC_KEY_free(key->ecdsa); 1509221420Sdes if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1510221420Sdes == NULL) 1511221420Sdes fatal("key_from_blob: EC_KEY_new_by_curve_name failed"); 1512221420Sdes if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) 1513221420Sdes fatal("key_from_blob: EC_POINT_new failed"); 1514221420Sdes if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa), 1515221420Sdes q) == -1) { 1516221420Sdes error("key_from_blob: can't read ecdsa key point"); 1517221420Sdes goto badkey; 1518221420Sdes } 1519221420Sdes if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1520221420Sdes q) != 0) 1521221420Sdes goto badkey; 1522221420Sdes if (EC_KEY_set_public_key(key->ecdsa, q) != 1) 1523221420Sdes fatal("key_from_blob: EC_KEY_set_public_key failed"); 1524221420Sdes#ifdef DEBUG_PK 1525221420Sdes key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1526221420Sdes#endif 1527221420Sdes break; 1528221420Sdes#endif /* OPENSSL_HAS_ECC */ 152976262Sgreen case KEY_UNSPEC: 153076262Sgreen key = key_new(type); 153176262Sgreen break; 153276262Sgreen default: 153376262Sgreen error("key_from_blob: cannot handle type %s", ktype); 1534147005Sdes goto out; 153576262Sgreen } 1536204917Sdes if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) { 1537204917Sdes error("key_from_blob: can't parse cert data"); 1538204917Sdes goto badkey; 1539204917Sdes } 154076262Sgreen rlen = buffer_len(&b); 154176262Sgreen if (key != NULL && rlen != 0) 154276262Sgreen error("key_from_blob: remaining bytes in key blob %d", rlen); 1543147005Sdes out: 1544255767Sdes free(ktype); 1545255767Sdes free(curve); 1546221420Sdes#ifdef OPENSSL_HAS_ECC 1547221420Sdes if (q != NULL) 1548221420Sdes EC_POINT_free(q); 1549221420Sdes#endif 155076262Sgreen buffer_free(&b); 155176262Sgreen return key; 155276262Sgreen} 155376262Sgreen 1554248619Sdesstatic int 1555248619Sdesto_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) 155676262Sgreen{ 155776262Sgreen Buffer b; 1558248619Sdes int len, type; 155976262Sgreen 156076262Sgreen if (key == NULL) { 156176262Sgreen error("key_to_blob: key == NULL"); 156276262Sgreen return 0; 156376262Sgreen } 156476262Sgreen buffer_init(&b); 1565248619Sdes type = force_plain ? key_type_plain(key->type) : key->type; 1566248619Sdes switch (type) { 1567215116Sdes case KEY_DSA_CERT_V00: 1568215116Sdes case KEY_RSA_CERT_V00: 1569204917Sdes case KEY_DSA_CERT: 1570221420Sdes case KEY_ECDSA_CERT: 1571204917Sdes case KEY_RSA_CERT: 1572204917Sdes /* Use the existing blob */ 1573204917Sdes buffer_append(&b, buffer_ptr(&key->cert->certblob), 1574204917Sdes buffer_len(&key->cert->certblob)); 1575204917Sdes break; 157676262Sgreen case KEY_DSA: 1577248619Sdes buffer_put_cstring(&b, 1578248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 157976262Sgreen buffer_put_bignum2(&b, key->dsa->p); 158076262Sgreen buffer_put_bignum2(&b, key->dsa->q); 158176262Sgreen buffer_put_bignum2(&b, key->dsa->g); 158276262Sgreen buffer_put_bignum2(&b, key->dsa->pub_key); 158376262Sgreen break; 1584221420Sdes#ifdef OPENSSL_HAS_ECC 1585221420Sdes case KEY_ECDSA: 1586248619Sdes buffer_put_cstring(&b, 1587248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 1588221420Sdes buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); 1589221420Sdes buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), 1590221420Sdes EC_KEY_get0_public_key(key->ecdsa)); 1591221420Sdes break; 1592221420Sdes#endif 159376262Sgreen case KEY_RSA: 1594248619Sdes buffer_put_cstring(&b, 1595248619Sdes key_ssh_name_from_type_nid(type, key->ecdsa_nid)); 159676262Sgreen buffer_put_bignum2(&b, key->rsa->e); 159776262Sgreen buffer_put_bignum2(&b, key->rsa->n); 159876262Sgreen break; 159976262Sgreen default: 160092559Sdes error("key_to_blob: unsupported key type %d", key->type); 160192559Sdes buffer_free(&b); 160292559Sdes return 0; 160376262Sgreen } 160476262Sgreen len = buffer_len(&b); 1605106130Sdes if (lenp != NULL) 1606106130Sdes *lenp = len; 1607106130Sdes if (blobp != NULL) { 1608106130Sdes *blobp = xmalloc(len); 1609106130Sdes memcpy(*blobp, buffer_ptr(&b), len); 1610106130Sdes } 161176262Sgreen memset(buffer_ptr(&b), 0, len); 161276262Sgreen buffer_free(&b); 161376262Sgreen return len; 161476262Sgreen} 161576262Sgreen 161676262Sgreenint 1617248619Sdeskey_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1618248619Sdes{ 1619248619Sdes return to_blob(key, blobp, lenp, 0); 1620248619Sdes} 1621248619Sdes 1622248619Sdesint 162376262Sgreenkey_sign( 1624126277Sdes const Key *key, 162592559Sdes u_char **sigp, u_int *lenp, 1626126277Sdes const u_char *data, u_int datalen) 162776262Sgreen{ 162892559Sdes switch (key->type) { 1629215116Sdes case KEY_DSA_CERT_V00: 1630204917Sdes case KEY_DSA_CERT: 163176262Sgreen case KEY_DSA: 163276262Sgreen return ssh_dss_sign(key, sigp, lenp, data, datalen); 1633221420Sdes#ifdef OPENSSL_HAS_ECC 1634221420Sdes case KEY_ECDSA_CERT: 1635221420Sdes case KEY_ECDSA: 1636221420Sdes return ssh_ecdsa_sign(key, sigp, lenp, data, datalen); 1637221420Sdes#endif 1638215116Sdes case KEY_RSA_CERT_V00: 1639204917Sdes case KEY_RSA_CERT: 164076262Sgreen case KEY_RSA: 164176262Sgreen return ssh_rsa_sign(key, sigp, lenp, data, datalen); 164276262Sgreen default: 1643137019Sdes error("key_sign: invalid key type %d", key->type); 164476262Sgreen return -1; 164576262Sgreen } 164676262Sgreen} 164776262Sgreen 164898684Sdes/* 164998684Sdes * key_verify returns 1 for a correct signature, 0 for an incorrect signature 165098684Sdes * and -1 on error. 165198684Sdes */ 165276262Sgreenint 165376262Sgreenkey_verify( 1654126277Sdes const Key *key, 1655126277Sdes const u_char *signature, u_int signaturelen, 1656126277Sdes const u_char *data, u_int datalen) 165776262Sgreen{ 165892559Sdes if (signaturelen == 0) 165992559Sdes return -1; 166092559Sdes 166192559Sdes switch (key->type) { 1662215116Sdes case KEY_DSA_CERT_V00: 1663204917Sdes case KEY_DSA_CERT: 166476262Sgreen case KEY_DSA: 166576262Sgreen return ssh_dss_verify(key, signature, signaturelen, data, datalen); 1666221420Sdes#ifdef OPENSSL_HAS_ECC 1667221420Sdes case KEY_ECDSA_CERT: 1668221420Sdes case KEY_ECDSA: 1669221420Sdes return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen); 1670221420Sdes#endif 1671215116Sdes case KEY_RSA_CERT_V00: 1672204917Sdes case KEY_RSA_CERT: 167376262Sgreen case KEY_RSA: 167476262Sgreen return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 167576262Sgreen default: 1676137019Sdes error("key_verify: invalid key type %d", key->type); 167776262Sgreen return -1; 167876262Sgreen } 167976262Sgreen} 168098684Sdes 168198684Sdes/* Converts a private to a public key */ 168298684SdesKey * 1683126277Sdeskey_demote(const Key *k) 168498684Sdes{ 168598684Sdes Key *pk; 168698684Sdes 1687162856Sdes pk = xcalloc(1, sizeof(*pk)); 168898684Sdes pk->type = k->type; 168998684Sdes pk->flags = k->flags; 1690221420Sdes pk->ecdsa_nid = k->ecdsa_nid; 169198684Sdes pk->dsa = NULL; 1692221420Sdes pk->ecdsa = NULL; 169398684Sdes pk->rsa = NULL; 169498684Sdes 169598684Sdes switch (k->type) { 1696215116Sdes case KEY_RSA_CERT_V00: 1697204917Sdes case KEY_RSA_CERT: 1698204917Sdes key_cert_copy(k, pk); 1699204917Sdes /* FALLTHROUGH */ 170098684Sdes case KEY_RSA1: 170198684Sdes case KEY_RSA: 170298684Sdes if ((pk->rsa = RSA_new()) == NULL) 170398684Sdes fatal("key_demote: RSA_new failed"); 170498684Sdes if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 170598684Sdes fatal("key_demote: BN_dup failed"); 170698684Sdes if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 170798684Sdes fatal("key_demote: BN_dup failed"); 170898684Sdes break; 1709215116Sdes case KEY_DSA_CERT_V00: 1710204917Sdes case KEY_DSA_CERT: 1711204917Sdes key_cert_copy(k, pk); 1712204917Sdes /* FALLTHROUGH */ 171398684Sdes case KEY_DSA: 171498684Sdes if ((pk->dsa = DSA_new()) == NULL) 171598684Sdes fatal("key_demote: DSA_new failed"); 171698684Sdes if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 171798684Sdes fatal("key_demote: BN_dup failed"); 171898684Sdes if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) 171998684Sdes fatal("key_demote: BN_dup failed"); 172098684Sdes if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL) 172198684Sdes fatal("key_demote: BN_dup failed"); 172298684Sdes if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) 172398684Sdes fatal("key_demote: BN_dup failed"); 172498684Sdes break; 1725221420Sdes#ifdef OPENSSL_HAS_ECC 1726221420Sdes case KEY_ECDSA_CERT: 1727221420Sdes key_cert_copy(k, pk); 1728221420Sdes /* FALLTHROUGH */ 1729221420Sdes case KEY_ECDSA: 1730221420Sdes if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL) 1731221420Sdes fatal("key_demote: EC_KEY_new_by_curve_name failed"); 1732221420Sdes if (EC_KEY_set_public_key(pk->ecdsa, 1733221420Sdes EC_KEY_get0_public_key(k->ecdsa)) != 1) 1734221420Sdes fatal("key_demote: EC_KEY_set_public_key failed"); 1735221420Sdes break; 1736221420Sdes#endif 173798684Sdes default: 173898684Sdes fatal("key_free: bad key type %d", k->type); 173998684Sdes break; 174098684Sdes } 174198684Sdes 174298684Sdes return (pk); 174398684Sdes} 1744204917Sdes 1745204917Sdesint 1746204917Sdeskey_is_cert(const Key *k) 1747204917Sdes{ 1748215116Sdes if (k == NULL) 1749215116Sdes return 0; 1750215116Sdes switch (k->type) { 1751215116Sdes case KEY_RSA_CERT_V00: 1752215116Sdes case KEY_DSA_CERT_V00: 1753215116Sdes case KEY_RSA_CERT: 1754215116Sdes case KEY_DSA_CERT: 1755221420Sdes case KEY_ECDSA_CERT: 1756215116Sdes return 1; 1757215116Sdes default: 1758215116Sdes return 0; 1759215116Sdes } 1760204917Sdes} 1761204917Sdes 1762204917Sdes/* Return the cert-less equivalent to a certified key type */ 1763204917Sdesint 1764204917Sdeskey_type_plain(int type) 1765204917Sdes{ 1766204917Sdes switch (type) { 1767215116Sdes case KEY_RSA_CERT_V00: 1768204917Sdes case KEY_RSA_CERT: 1769204917Sdes return KEY_RSA; 1770215116Sdes case KEY_DSA_CERT_V00: 1771204917Sdes case KEY_DSA_CERT: 1772204917Sdes return KEY_DSA; 1773221420Sdes case KEY_ECDSA_CERT: 1774221420Sdes return KEY_ECDSA; 1775204917Sdes default: 1776204917Sdes return type; 1777204917Sdes } 1778204917Sdes} 1779204917Sdes 1780204917Sdes/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ 1781204917Sdesint 1782215116Sdeskey_to_certified(Key *k, int legacy) 1783204917Sdes{ 1784204917Sdes switch (k->type) { 1785204917Sdes case KEY_RSA: 1786204917Sdes k->cert = cert_new(); 1787215116Sdes k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 1788204917Sdes return 0; 1789204917Sdes case KEY_DSA: 1790204917Sdes k->cert = cert_new(); 1791215116Sdes k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 1792204917Sdes return 0; 1793221420Sdes case KEY_ECDSA: 1794226046Sdes if (legacy) 1795226046Sdes fatal("%s: legacy ECDSA certificates are not supported", 1796226046Sdes __func__); 1797221420Sdes k->cert = cert_new(); 1798221420Sdes k->type = KEY_ECDSA_CERT; 1799221420Sdes return 0; 1800204917Sdes default: 1801204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 1802204917Sdes return -1; 1803204917Sdes } 1804204917Sdes} 1805204917Sdes 1806204917Sdes/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ 1807204917Sdesint 1808204917Sdeskey_drop_cert(Key *k) 1809204917Sdes{ 1810204917Sdes switch (k->type) { 1811215116Sdes case KEY_RSA_CERT_V00: 1812204917Sdes case KEY_RSA_CERT: 1813204917Sdes cert_free(k->cert); 1814204917Sdes k->type = KEY_RSA; 1815204917Sdes return 0; 1816215116Sdes case KEY_DSA_CERT_V00: 1817204917Sdes case KEY_DSA_CERT: 1818204917Sdes cert_free(k->cert); 1819204917Sdes k->type = KEY_DSA; 1820204917Sdes return 0; 1821221420Sdes case KEY_ECDSA_CERT: 1822221420Sdes cert_free(k->cert); 1823221420Sdes k->type = KEY_ECDSA; 1824221420Sdes return 0; 1825204917Sdes default: 1826204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 1827204917Sdes return -1; 1828204917Sdes } 1829204917Sdes} 1830204917Sdes 1831221420Sdes/* 1832221420Sdes * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating 1833221420Sdes * the signed certblob 1834221420Sdes */ 1835204917Sdesint 1836204917Sdeskey_certify(Key *k, Key *ca) 1837204917Sdes{ 1838204917Sdes Buffer principals; 1839204917Sdes u_char *ca_blob, *sig_blob, nonce[32]; 1840204917Sdes u_int i, ca_len, sig_len; 1841204917Sdes 1842204917Sdes if (k->cert == NULL) { 1843204917Sdes error("%s: key lacks cert info", __func__); 1844204917Sdes return -1; 1845204917Sdes } 1846204917Sdes 1847204917Sdes if (!key_is_cert(k)) { 1848204917Sdes error("%s: certificate has unknown type %d", __func__, 1849204917Sdes k->cert->type); 1850204917Sdes return -1; 1851204917Sdes } 1852204917Sdes 1853221420Sdes if (ca->type != KEY_RSA && ca->type != KEY_DSA && 1854221420Sdes ca->type != KEY_ECDSA) { 1855204917Sdes error("%s: CA key has unsupported type %s", __func__, 1856204917Sdes key_type(ca)); 1857204917Sdes return -1; 1858204917Sdes } 1859204917Sdes 1860204917Sdes key_to_blob(ca, &ca_blob, &ca_len); 1861204917Sdes 1862204917Sdes buffer_clear(&k->cert->certblob); 1863204917Sdes buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 1864204917Sdes 1865215116Sdes /* -v01 certs put nonce first */ 1866221420Sdes arc4random_buf(&nonce, sizeof(nonce)); 1867221420Sdes if (!key_cert_is_legacy(k)) 1868215116Sdes buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1869215116Sdes 1870204917Sdes switch (k->type) { 1871215116Sdes case KEY_DSA_CERT_V00: 1872204917Sdes case KEY_DSA_CERT: 1873204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 1874204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 1875204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 1876204917Sdes buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 1877204917Sdes break; 1878221420Sdes#ifdef OPENSSL_HAS_ECC 1879221420Sdes case KEY_ECDSA_CERT: 1880221420Sdes buffer_put_cstring(&k->cert->certblob, 1881221420Sdes key_curve_nid_to_name(k->ecdsa_nid)); 1882221420Sdes buffer_put_ecpoint(&k->cert->certblob, 1883221420Sdes EC_KEY_get0_group(k->ecdsa), 1884221420Sdes EC_KEY_get0_public_key(k->ecdsa)); 1885221420Sdes break; 1886221420Sdes#endif 1887215116Sdes case KEY_RSA_CERT_V00: 1888204917Sdes case KEY_RSA_CERT: 1889204917Sdes buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 1890204917Sdes buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 1891204917Sdes break; 1892204917Sdes default: 1893204917Sdes error("%s: key has incorrect type %s", __func__, key_type(k)); 1894204917Sdes buffer_clear(&k->cert->certblob); 1895255767Sdes free(ca_blob); 1896204917Sdes return -1; 1897204917Sdes } 1898204917Sdes 1899215116Sdes /* -v01 certs have a serial number next */ 1900221420Sdes if (!key_cert_is_legacy(k)) 1901215116Sdes buffer_put_int64(&k->cert->certblob, k->cert->serial); 1902215116Sdes 1903204917Sdes buffer_put_int(&k->cert->certblob, k->cert->type); 1904204917Sdes buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 1905204917Sdes 1906204917Sdes buffer_init(&principals); 1907204917Sdes for (i = 0; i < k->cert->nprincipals; i++) 1908204917Sdes buffer_put_cstring(&principals, k->cert->principals[i]); 1909204917Sdes buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 1910204917Sdes buffer_len(&principals)); 1911204917Sdes buffer_free(&principals); 1912204917Sdes 1913204917Sdes buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 1914204917Sdes buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 1915204917Sdes buffer_put_string(&k->cert->certblob, 1916215116Sdes buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical)); 1917204917Sdes 1918215116Sdes /* -v01 certs have non-critical options here */ 1919221420Sdes if (!key_cert_is_legacy(k)) { 1920215116Sdes buffer_put_string(&k->cert->certblob, 1921215116Sdes buffer_ptr(&k->cert->extensions), 1922215116Sdes buffer_len(&k->cert->extensions)); 1923215116Sdes } 1924215116Sdes 1925215116Sdes /* -v00 certs put the nonce at the end */ 1926221420Sdes if (key_cert_is_legacy(k)) 1927215116Sdes buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1928215116Sdes 1929204917Sdes buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1930204917Sdes buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1931255767Sdes free(ca_blob); 1932204917Sdes 1933204917Sdes /* Sign the whole mess */ 1934204917Sdes if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1935204917Sdes buffer_len(&k->cert->certblob)) != 0) { 1936204917Sdes error("%s: signature operation failed", __func__); 1937204917Sdes buffer_clear(&k->cert->certblob); 1938204917Sdes return -1; 1939204917Sdes } 1940204917Sdes /* Append signature and we are done */ 1941204917Sdes buffer_put_string(&k->cert->certblob, sig_blob, sig_len); 1942255767Sdes free(sig_blob); 1943204917Sdes 1944204917Sdes return 0; 1945204917Sdes} 1946204917Sdes 1947204917Sdesint 1948204917Sdeskey_cert_check_authority(const Key *k, int want_host, int require_principal, 1949204917Sdes const char *name, const char **reason) 1950204917Sdes{ 1951204917Sdes u_int i, principal_matches; 1952204917Sdes time_t now = time(NULL); 1953204917Sdes 1954204917Sdes if (want_host) { 1955204917Sdes if (k->cert->type != SSH2_CERT_TYPE_HOST) { 1956204917Sdes *reason = "Certificate invalid: not a host certificate"; 1957204917Sdes return -1; 1958204917Sdes } 1959204917Sdes } else { 1960204917Sdes if (k->cert->type != SSH2_CERT_TYPE_USER) { 1961204917Sdes *reason = "Certificate invalid: not a user certificate"; 1962204917Sdes return -1; 1963204917Sdes } 1964204917Sdes } 1965204917Sdes if (now < 0) { 1966204917Sdes error("%s: system clock lies before epoch", __func__); 1967204917Sdes *reason = "Certificate invalid: not yet valid"; 1968204917Sdes return -1; 1969204917Sdes } 1970204917Sdes if ((u_int64_t)now < k->cert->valid_after) { 1971204917Sdes *reason = "Certificate invalid: not yet valid"; 1972204917Sdes return -1; 1973204917Sdes } 1974204917Sdes if ((u_int64_t)now >= k->cert->valid_before) { 1975204917Sdes *reason = "Certificate invalid: expired"; 1976204917Sdes return -1; 1977204917Sdes } 1978204917Sdes if (k->cert->nprincipals == 0) { 1979204917Sdes if (require_principal) { 1980204917Sdes *reason = "Certificate lacks principal list"; 1981204917Sdes return -1; 1982204917Sdes } 1983215116Sdes } else if (name != NULL) { 1984204917Sdes principal_matches = 0; 1985204917Sdes for (i = 0; i < k->cert->nprincipals; i++) { 1986204917Sdes if (strcmp(name, k->cert->principals[i]) == 0) { 1987204917Sdes principal_matches = 1; 1988204917Sdes break; 1989204917Sdes } 1990204917Sdes } 1991204917Sdes if (!principal_matches) { 1992204917Sdes *reason = "Certificate invalid: name is not a listed " 1993204917Sdes "principal"; 1994204917Sdes return -1; 1995204917Sdes } 1996204917Sdes } 1997204917Sdes return 0; 1998204917Sdes} 1999215116Sdes 2000215116Sdesint 2001248619Sdeskey_cert_is_legacy(const Key *k) 2002215116Sdes{ 2003215116Sdes switch (k->type) { 2004215116Sdes case KEY_DSA_CERT_V00: 2005215116Sdes case KEY_RSA_CERT_V00: 2006215116Sdes return 1; 2007215116Sdes default: 2008215116Sdes return 0; 2009215116Sdes } 2010215116Sdes} 2011221420Sdes 2012221420Sdes/* XXX: these are really begging for a table-driven approach */ 2013221420Sdesint 2014221420Sdeskey_curve_name_to_nid(const char *name) 2015221420Sdes{ 2016221420Sdes#ifdef OPENSSL_HAS_ECC 2017221420Sdes if (strcmp(name, "nistp256") == 0) 2018221420Sdes return NID_X9_62_prime256v1; 2019221420Sdes else if (strcmp(name, "nistp384") == 0) 2020221420Sdes return NID_secp384r1; 2021221420Sdes else if (strcmp(name, "nistp521") == 0) 2022221420Sdes return NID_secp521r1; 2023221420Sdes#endif 2024221420Sdes 2025221420Sdes debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); 2026221420Sdes return -1; 2027221420Sdes} 2028221420Sdes 2029221420Sdesu_int 2030221420Sdeskey_curve_nid_to_bits(int nid) 2031221420Sdes{ 2032221420Sdes switch (nid) { 2033221420Sdes#ifdef OPENSSL_HAS_ECC 2034221420Sdes case NID_X9_62_prime256v1: 2035221420Sdes return 256; 2036221420Sdes case NID_secp384r1: 2037221420Sdes return 384; 2038221420Sdes case NID_secp521r1: 2039221420Sdes return 521; 2040221420Sdes#endif 2041221420Sdes default: 2042221420Sdes error("%s: unsupported EC curve nid %d", __func__, nid); 2043221420Sdes return 0; 2044221420Sdes } 2045221420Sdes} 2046221420Sdes 2047221420Sdesconst char * 2048221420Sdeskey_curve_nid_to_name(int nid) 2049221420Sdes{ 2050221420Sdes#ifdef OPENSSL_HAS_ECC 2051221420Sdes if (nid == NID_X9_62_prime256v1) 2052221420Sdes return "nistp256"; 2053221420Sdes else if (nid == NID_secp384r1) 2054221420Sdes return "nistp384"; 2055221420Sdes else if (nid == NID_secp521r1) 2056221420Sdes return "nistp521"; 2057221420Sdes#endif 2058221420Sdes error("%s: unsupported EC curve nid %d", __func__, nid); 2059221420Sdes return NULL; 2060221420Sdes} 2061221420Sdes 2062221420Sdes#ifdef OPENSSL_HAS_ECC 2063221420Sdesconst EVP_MD * 2064221420Sdeskey_ec_nid_to_evpmd(int nid) 2065221420Sdes{ 2066221420Sdes int kbits = key_curve_nid_to_bits(nid); 2067221420Sdes 2068221420Sdes if (kbits == 0) 2069221420Sdes fatal("%s: invalid nid %d", __func__, nid); 2070221420Sdes /* RFC5656 section 6.2.1 */ 2071221420Sdes if (kbits <= 256) 2072221420Sdes return EVP_sha256(); 2073221420Sdes else if (kbits <= 384) 2074221420Sdes return EVP_sha384(); 2075221420Sdes else 2076221420Sdes return EVP_sha512(); 2077221420Sdes} 2078221420Sdes 2079221420Sdesint 2080221420Sdeskey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2081221420Sdes{ 2082221420Sdes BN_CTX *bnctx; 2083221420Sdes EC_POINT *nq = NULL; 2084221420Sdes BIGNUM *order, *x, *y, *tmp; 2085221420Sdes int ret = -1; 2086221420Sdes 2087221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2088221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2089221420Sdes BN_CTX_start(bnctx); 2090221420Sdes 2091221420Sdes /* 2092221420Sdes * We shouldn't ever hit this case because bignum_get_ecpoint() 2093221420Sdes * refuses to load GF2m points. 2094221420Sdes */ 2095221420Sdes if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2096221420Sdes NID_X9_62_prime_field) { 2097221420Sdes error("%s: group is not a prime field", __func__); 2098221420Sdes goto out; 2099221420Sdes } 2100221420Sdes 2101221420Sdes /* Q != infinity */ 2102221420Sdes if (EC_POINT_is_at_infinity(group, public)) { 2103221420Sdes error("%s: received degenerate public key (infinity)", 2104221420Sdes __func__); 2105221420Sdes goto out; 2106221420Sdes } 2107221420Sdes 2108221420Sdes if ((x = BN_CTX_get(bnctx)) == NULL || 2109221420Sdes (y = BN_CTX_get(bnctx)) == NULL || 2110221420Sdes (order = BN_CTX_get(bnctx)) == NULL || 2111221420Sdes (tmp = BN_CTX_get(bnctx)) == NULL) 2112221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2113221420Sdes 2114221420Sdes /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2115221420Sdes if (EC_GROUP_get_order(group, order, bnctx) != 1) 2116221420Sdes fatal("%s: EC_GROUP_get_order failed", __func__); 2117221420Sdes if (EC_POINT_get_affine_coordinates_GFp(group, public, 2118221420Sdes x, y, bnctx) != 1) 2119221420Sdes fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2120221420Sdes if (BN_num_bits(x) <= BN_num_bits(order) / 2) { 2121221420Sdes error("%s: public key x coordinate too small: " 2122221420Sdes "bits(x) = %d, bits(order)/2 = %d", __func__, 2123221420Sdes BN_num_bits(x), BN_num_bits(order) / 2); 2124221420Sdes goto out; 2125221420Sdes } 2126221420Sdes if (BN_num_bits(y) <= BN_num_bits(order) / 2) { 2127221420Sdes error("%s: public key y coordinate too small: " 2128221420Sdes "bits(y) = %d, bits(order)/2 = %d", __func__, 2129221420Sdes BN_num_bits(x), BN_num_bits(order) / 2); 2130221420Sdes goto out; 2131221420Sdes } 2132221420Sdes 2133221420Sdes /* nQ == infinity (n == order of subgroup) */ 2134221420Sdes if ((nq = EC_POINT_new(group)) == NULL) 2135221420Sdes fatal("%s: BN_CTX_tmp failed", __func__); 2136221420Sdes if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) 2137221420Sdes fatal("%s: EC_GROUP_mul failed", __func__); 2138221420Sdes if (EC_POINT_is_at_infinity(group, nq) != 1) { 2139221420Sdes error("%s: received degenerate public key (nQ != infinity)", 2140221420Sdes __func__); 2141221420Sdes goto out; 2142221420Sdes } 2143221420Sdes 2144221420Sdes /* x < order - 1, y < order - 1 */ 2145221420Sdes if (!BN_sub(tmp, order, BN_value_one())) 2146221420Sdes fatal("%s: BN_sub failed", __func__); 2147221420Sdes if (BN_cmp(x, tmp) >= 0) { 2148221420Sdes error("%s: public key x coordinate >= group order - 1", 2149221420Sdes __func__); 2150221420Sdes goto out; 2151221420Sdes } 2152221420Sdes if (BN_cmp(y, tmp) >= 0) { 2153221420Sdes error("%s: public key y coordinate >= group order - 1", 2154221420Sdes __func__); 2155221420Sdes goto out; 2156221420Sdes } 2157221420Sdes ret = 0; 2158221420Sdes out: 2159221420Sdes BN_CTX_free(bnctx); 2160221420Sdes EC_POINT_free(nq); 2161221420Sdes return ret; 2162221420Sdes} 2163221420Sdes 2164221420Sdesint 2165221420Sdeskey_ec_validate_private(const EC_KEY *key) 2166221420Sdes{ 2167221420Sdes BN_CTX *bnctx; 2168221420Sdes BIGNUM *order, *tmp; 2169221420Sdes int ret = -1; 2170221420Sdes 2171221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2172221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2173221420Sdes BN_CTX_start(bnctx); 2174221420Sdes 2175221420Sdes if ((order = BN_CTX_get(bnctx)) == NULL || 2176221420Sdes (tmp = BN_CTX_get(bnctx)) == NULL) 2177221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2178221420Sdes 2179221420Sdes /* log2(private) > log2(order)/2 */ 2180221420Sdes if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) 2181221420Sdes fatal("%s: EC_GROUP_get_order failed", __func__); 2182221420Sdes if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2183221420Sdes BN_num_bits(order) / 2) { 2184221420Sdes error("%s: private key too small: " 2185221420Sdes "bits(y) = %d, bits(order)/2 = %d", __func__, 2186221420Sdes BN_num_bits(EC_KEY_get0_private_key(key)), 2187221420Sdes BN_num_bits(order) / 2); 2188221420Sdes goto out; 2189221420Sdes } 2190221420Sdes 2191221420Sdes /* private < order - 1 */ 2192221420Sdes if (!BN_sub(tmp, order, BN_value_one())) 2193221420Sdes fatal("%s: BN_sub failed", __func__); 2194221420Sdes if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) { 2195221420Sdes error("%s: private key >= group order - 1", __func__); 2196221420Sdes goto out; 2197221420Sdes } 2198221420Sdes ret = 0; 2199221420Sdes out: 2200221420Sdes BN_CTX_free(bnctx); 2201221420Sdes return ret; 2202221420Sdes} 2203221420Sdes 2204221420Sdes#if defined(DEBUG_KEXECDH) || defined(DEBUG_PK) 2205221420Sdesvoid 2206221420Sdeskey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2207221420Sdes{ 2208221420Sdes BIGNUM *x, *y; 2209221420Sdes BN_CTX *bnctx; 2210221420Sdes 2211221420Sdes if (point == NULL) { 2212221420Sdes fputs("point=(NULL)\n", stderr); 2213221420Sdes return; 2214221420Sdes } 2215221420Sdes if ((bnctx = BN_CTX_new()) == NULL) 2216221420Sdes fatal("%s: BN_CTX_new failed", __func__); 2217221420Sdes BN_CTX_start(bnctx); 2218221420Sdes if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL) 2219221420Sdes fatal("%s: BN_CTX_get failed", __func__); 2220221420Sdes if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2221221420Sdes NID_X9_62_prime_field) 2222221420Sdes fatal("%s: group is not a prime field", __func__); 2223221420Sdes if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1) 2224221420Sdes fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2225221420Sdes fputs("x=", stderr); 2226221420Sdes BN_print_fp(stderr, x); 2227221420Sdes fputs("\ny=", stderr); 2228221420Sdes BN_print_fp(stderr, y); 2229221420Sdes fputs("\n", stderr); 2230221420Sdes BN_CTX_free(bnctx); 2231221420Sdes} 2232221420Sdes 2233221420Sdesvoid 2234221420Sdeskey_dump_ec_key(const EC_KEY *key) 2235221420Sdes{ 2236221420Sdes const BIGNUM *exponent; 2237221420Sdes 2238221420Sdes key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key)); 2239221420Sdes fputs("exponent=", stderr); 2240221420Sdes if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2241221420Sdes fputs("(NULL)", stderr); 2242221420Sdes else 2243221420Sdes BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2244221420Sdes fputs("\n", stderr); 2245221420Sdes} 2246221420Sdes#endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ 2247221420Sdes#endif /* OPENSSL_HAS_ECC */ 2248