key.c revision 207319
1/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */ 2/* 3 * read_bignum(): 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 14 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37#include "includes.h" 38 39#include <sys/param.h> 40#include <sys/types.h> 41 42#include <openssl/evp.h> 43#include <openbsd-compat/openssl-compat.h> 44 45#include <stdarg.h> 46#include <stdio.h> 47#include <string.h> 48 49#include "xmalloc.h" 50#include "key.h" 51#include "rsa.h" 52#include "uuencode.h" 53#include "buffer.h" 54#include "log.h" 55#include "ssh2.h" 56 57static struct KeyCert * 58cert_new(void) 59{ 60 struct KeyCert *cert; 61 62 cert = xcalloc(1, sizeof(*cert)); 63 buffer_init(&cert->certblob); 64 buffer_init(&cert->constraints); 65 cert->key_id = NULL; 66 cert->principals = NULL; 67 cert->signature_key = NULL; 68 return cert; 69} 70 71Key * 72key_new(int type) 73{ 74 Key *k; 75 RSA *rsa; 76 DSA *dsa; 77 k = xcalloc(1, sizeof(*k)); 78 k->type = type; 79 k->dsa = NULL; 80 k->rsa = NULL; 81 k->cert = NULL; 82 switch (k->type) { 83 case KEY_RSA1: 84 case KEY_RSA: 85 case KEY_RSA_CERT: 86 if ((rsa = RSA_new()) == NULL) 87 fatal("key_new: RSA_new failed"); 88 if ((rsa->n = BN_new()) == NULL) 89 fatal("key_new: BN_new failed"); 90 if ((rsa->e = BN_new()) == NULL) 91 fatal("key_new: BN_new failed"); 92 k->rsa = rsa; 93 break; 94 case KEY_DSA: 95 case KEY_DSA_CERT: 96 if ((dsa = DSA_new()) == NULL) 97 fatal("key_new: DSA_new failed"); 98 if ((dsa->p = BN_new()) == NULL) 99 fatal("key_new: BN_new failed"); 100 if ((dsa->q = BN_new()) == NULL) 101 fatal("key_new: BN_new failed"); 102 if ((dsa->g = BN_new()) == NULL) 103 fatal("key_new: BN_new failed"); 104 if ((dsa->pub_key = BN_new()) == NULL) 105 fatal("key_new: BN_new failed"); 106 k->dsa = dsa; 107 break; 108 case KEY_UNSPEC: 109 break; 110 default: 111 fatal("key_new: bad key type %d", k->type); 112 break; 113 } 114 115 if (key_is_cert(k)) 116 k->cert = cert_new(); 117 118 return k; 119} 120 121void 122key_add_private(Key *k) 123{ 124 switch (k->type) { 125 case KEY_RSA1: 126 case KEY_RSA: 127 case KEY_RSA_CERT: 128 if ((k->rsa->d = BN_new()) == NULL) 129 fatal("key_new_private: BN_new failed"); 130 if ((k->rsa->iqmp = BN_new()) == NULL) 131 fatal("key_new_private: BN_new failed"); 132 if ((k->rsa->q = BN_new()) == NULL) 133 fatal("key_new_private: BN_new failed"); 134 if ((k->rsa->p = BN_new()) == NULL) 135 fatal("key_new_private: BN_new failed"); 136 if ((k->rsa->dmq1 = BN_new()) == NULL) 137 fatal("key_new_private: BN_new failed"); 138 if ((k->rsa->dmp1 = BN_new()) == NULL) 139 fatal("key_new_private: BN_new failed"); 140 break; 141 case KEY_DSA: 142 case KEY_DSA_CERT: 143 if ((k->dsa->priv_key = BN_new()) == NULL) 144 fatal("key_new_private: BN_new failed"); 145 break; 146 case KEY_UNSPEC: 147 break; 148 default: 149 break; 150 } 151} 152 153Key * 154key_new_private(int type) 155{ 156 Key *k = key_new(type); 157 158 key_add_private(k); 159 return k; 160} 161 162static void 163cert_free(struct KeyCert *cert) 164{ 165 u_int i; 166 167 buffer_free(&cert->certblob); 168 buffer_free(&cert->constraints); 169 if (cert->key_id != NULL) 170 xfree(cert->key_id); 171 for (i = 0; i < cert->nprincipals; i++) 172 xfree(cert->principals[i]); 173 if (cert->principals != NULL) 174 xfree(cert->principals); 175 if (cert->signature_key != NULL) 176 key_free(cert->signature_key); 177} 178 179void 180key_free(Key *k) 181{ 182 if (k == NULL) 183 fatal("key_free: key is NULL"); 184 switch (k->type) { 185 case KEY_RSA1: 186 case KEY_RSA: 187 case KEY_RSA_CERT: 188 if (k->rsa != NULL) 189 RSA_free(k->rsa); 190 k->rsa = NULL; 191 break; 192 case KEY_DSA: 193 case KEY_DSA_CERT: 194 if (k->dsa != NULL) 195 DSA_free(k->dsa); 196 k->dsa = NULL; 197 break; 198 case KEY_UNSPEC: 199 break; 200 default: 201 fatal("key_free: bad key type %d", k->type); 202 break; 203 } 204 if (key_is_cert(k)) { 205 if (k->cert != NULL) 206 cert_free(k->cert); 207 k->cert = NULL; 208 } 209 210 xfree(k); 211} 212 213static int 214cert_compare(struct KeyCert *a, struct KeyCert *b) 215{ 216 if (a == NULL && b == NULL) 217 return 1; 218 if (a == NULL || b == NULL) 219 return 0; 220 if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 221 return 0; 222 if (memcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), 223 buffer_len(&a->certblob)) != 0) 224 return 0; 225 return 1; 226} 227 228/* 229 * Compare public portions of key only, allowing comparisons between 230 * certificates and plain keys too. 231 */ 232int 233key_equal_public(const Key *a, const Key *b) 234{ 235 if (a == NULL || b == NULL || 236 key_type_plain(a->type) != key_type_plain(b->type)) 237 return 0; 238 239 switch (a->type) { 240 case KEY_RSA1: 241 case KEY_RSA_CERT: 242 case KEY_RSA: 243 return a->rsa != NULL && b->rsa != NULL && 244 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 245 BN_cmp(a->rsa->n, b->rsa->n) == 0; 246 case KEY_DSA_CERT: 247 case KEY_DSA: 248 return a->dsa != NULL && b->dsa != NULL && 249 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 250 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 251 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 252 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 253 default: 254 fatal("key_equal: bad key type %d", a->type); 255 } 256 /* NOTREACHED */ 257} 258 259int 260key_equal(const Key *a, const Key *b) 261{ 262 if (a == NULL || b == NULL || a->type != b->type) 263 return 0; 264 if (key_is_cert(a)) { 265 if (!cert_compare(a->cert, b->cert)) 266 return 0; 267 } 268 return key_equal_public(a, b); 269} 270 271u_char* 272key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) 273{ 274 const EVP_MD *md = NULL; 275 EVP_MD_CTX ctx; 276 u_char *blob = NULL; 277 u_char *retval = NULL; 278 u_int len = 0; 279 int nlen, elen, otype; 280 281 *dgst_raw_length = 0; 282 283 switch (dgst_type) { 284 case SSH_FP_MD5: 285 md = EVP_md5(); 286 break; 287 case SSH_FP_SHA1: 288 md = EVP_sha1(); 289 break; 290 default: 291 fatal("key_fingerprint_raw: bad digest type %d", 292 dgst_type); 293 } 294 switch (k->type) { 295 case KEY_RSA1: 296 nlen = BN_num_bytes(k->rsa->n); 297 elen = BN_num_bytes(k->rsa->e); 298 len = nlen + elen; 299 blob = xmalloc(len); 300 BN_bn2bin(k->rsa->n, blob); 301 BN_bn2bin(k->rsa->e, blob + nlen); 302 break; 303 case KEY_DSA: 304 case KEY_RSA: 305 key_to_blob(k, &blob, &len); 306 break; 307 case KEY_DSA_CERT: 308 case KEY_RSA_CERT: 309 /* We want a fingerprint of the _key_ not of the cert */ 310 otype = k->type; 311 k->type = key_type_plain(k->type); 312 key_to_blob(k, &blob, &len); 313 k->type = otype; 314 break; 315 case KEY_UNSPEC: 316 return retval; 317 default: 318 fatal("key_fingerprint_raw: bad key type %d", k->type); 319 break; 320 } 321 if (blob != NULL) { 322 retval = xmalloc(EVP_MAX_MD_SIZE); 323 EVP_DigestInit(&ctx, md); 324 EVP_DigestUpdate(&ctx, blob, len); 325 EVP_DigestFinal(&ctx, retval, dgst_raw_length); 326 memset(blob, 0, len); 327 xfree(blob); 328 } else { 329 fatal("key_fingerprint_raw: blob is null"); 330 } 331 return retval; 332} 333 334static char * 335key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) 336{ 337 char *retval; 338 u_int i; 339 340 retval = xcalloc(1, dgst_raw_len * 3 + 1); 341 for (i = 0; i < dgst_raw_len; i++) { 342 char hex[4]; 343 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 344 strlcat(retval, hex, dgst_raw_len * 3 + 1); 345 } 346 347 /* Remove the trailing ':' character */ 348 retval[(dgst_raw_len * 3) - 1] = '\0'; 349 return retval; 350} 351 352static char * 353key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) 354{ 355 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 356 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 357 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 358 u_int i, j = 0, rounds, seed = 1; 359 char *retval; 360 361 rounds = (dgst_raw_len / 2) + 1; 362 retval = xcalloc((rounds * 6), sizeof(char)); 363 retval[j++] = 'x'; 364 for (i = 0; i < rounds; i++) { 365 u_int idx0, idx1, idx2, idx3, idx4; 366 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 367 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 368 seed) % 6; 369 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 370 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 371 (seed / 6)) % 6; 372 retval[j++] = vowels[idx0]; 373 retval[j++] = consonants[idx1]; 374 retval[j++] = vowels[idx2]; 375 if ((i + 1) < rounds) { 376 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 377 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 378 retval[j++] = consonants[idx3]; 379 retval[j++] = '-'; 380 retval[j++] = consonants[idx4]; 381 seed = ((seed * 5) + 382 ((((u_int)(dgst_raw[2 * i])) * 7) + 383 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 384 } 385 } else { 386 idx0 = seed % 6; 387 idx1 = 16; 388 idx2 = seed / 6; 389 retval[j++] = vowels[idx0]; 390 retval[j++] = consonants[idx1]; 391 retval[j++] = vowels[idx2]; 392 } 393 } 394 retval[j++] = 'x'; 395 retval[j++] = '\0'; 396 return retval; 397} 398 399/* 400 * Draw an ASCII-Art representing the fingerprint so human brain can 401 * profit from its built-in pattern recognition ability. 402 * This technique is called "random art" and can be found in some 403 * scientific publications like this original paper: 404 * 405 * "Hash Visualization: a New Technique to improve Real-World Security", 406 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 407 * Techniques and E-Commerce (CrypTEC '99) 408 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 409 * 410 * The subject came up in a talk by Dan Kaminsky, too. 411 * 412 * If you see the picture is different, the key is different. 413 * If the picture looks the same, you still know nothing. 414 * 415 * The algorithm used here is a worm crawling over a discrete plane, 416 * leaving a trace (augmenting the field) everywhere it goes. 417 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 418 * makes the respective movement vector be ignored for this turn. 419 * Graphs are not unambiguous, because circles in graphs can be 420 * walked in either direction. 421 */ 422 423/* 424 * Field sizes for the random art. Have to be odd, so the starting point 425 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 426 * Else pictures would be too dense, and drawing the frame would 427 * fail, too, because the key type would not fit in anymore. 428 */ 429#define FLDBASE 8 430#define FLDSIZE_Y (FLDBASE + 1) 431#define FLDSIZE_X (FLDBASE * 2 + 1) 432static char * 433key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) 434{ 435 /* 436 * Chars to be used after each other every time the worm 437 * intersects with itself. Matter of taste. 438 */ 439 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 440 char *retval, *p; 441 u_char field[FLDSIZE_X][FLDSIZE_Y]; 442 u_int i, b; 443 int x, y; 444 size_t len = strlen(augmentation_string) - 1; 445 446 retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); 447 448 /* initialize field */ 449 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 450 x = FLDSIZE_X / 2; 451 y = FLDSIZE_Y / 2; 452 453 /* process raw key */ 454 for (i = 0; i < dgst_raw_len; i++) { 455 int input; 456 /* each byte conveys four 2-bit move commands */ 457 input = dgst_raw[i]; 458 for (b = 0; b < 4; b++) { 459 /* evaluate 2 bit, rest is shifted later */ 460 x += (input & 0x1) ? 1 : -1; 461 y += (input & 0x2) ? 1 : -1; 462 463 /* assure we are still in bounds */ 464 x = MAX(x, 0); 465 y = MAX(y, 0); 466 x = MIN(x, FLDSIZE_X - 1); 467 y = MIN(y, FLDSIZE_Y - 1); 468 469 /* augment the field */ 470 if (field[x][y] < len - 2) 471 field[x][y]++; 472 input = input >> 2; 473 } 474 } 475 476 /* mark starting point and end point*/ 477 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 478 field[x][y] = len; 479 480 /* fill in retval */ 481 snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k)); 482 p = strchr(retval, '\0'); 483 484 /* output upper border */ 485 for (i = p - retval - 1; i < FLDSIZE_X; i++) 486 *p++ = '-'; 487 *p++ = '+'; 488 *p++ = '\n'; 489 490 /* output content */ 491 for (y = 0; y < FLDSIZE_Y; y++) { 492 *p++ = '|'; 493 for (x = 0; x < FLDSIZE_X; x++) 494 *p++ = augmentation_string[MIN(field[x][y], len)]; 495 *p++ = '|'; 496 *p++ = '\n'; 497 } 498 499 /* output lower border */ 500 *p++ = '+'; 501 for (i = 0; i < FLDSIZE_X; i++) 502 *p++ = '-'; 503 *p++ = '+'; 504 505 return retval; 506} 507 508char * 509key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) 510{ 511 char *retval = NULL; 512 u_char *dgst_raw; 513 u_int dgst_raw_len; 514 515 dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); 516 if (!dgst_raw) 517 fatal("key_fingerprint: null from key_fingerprint_raw()"); 518 switch (dgst_rep) { 519 case SSH_FP_HEX: 520 retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); 521 break; 522 case SSH_FP_BUBBLEBABBLE: 523 retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 524 break; 525 case SSH_FP_RANDOMART: 526 retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k); 527 break; 528 default: 529 fatal("key_fingerprint: bad digest representation %d", 530 dgst_rep); 531 break; 532 } 533 memset(dgst_raw, 0, dgst_raw_len); 534 xfree(dgst_raw); 535 return retval; 536} 537 538/* 539 * Reads a multiple-precision integer in decimal from the buffer, and advances 540 * the pointer. The integer must already be initialized. This function is 541 * permitted to modify the buffer. This leaves *cpp to point just beyond the 542 * last processed (and maybe modified) character. Note that this may modify 543 * the buffer containing the number. 544 */ 545static int 546read_bignum(char **cpp, BIGNUM * value) 547{ 548 char *cp = *cpp; 549 int old; 550 551 /* Skip any leading whitespace. */ 552 for (; *cp == ' ' || *cp == '\t'; cp++) 553 ; 554 555 /* Check that it begins with a decimal digit. */ 556 if (*cp < '0' || *cp > '9') 557 return 0; 558 559 /* Save starting position. */ 560 *cpp = cp; 561 562 /* Move forward until all decimal digits skipped. */ 563 for (; *cp >= '0' && *cp <= '9'; cp++) 564 ; 565 566 /* Save the old terminating character, and replace it by \0. */ 567 old = *cp; 568 *cp = 0; 569 570 /* Parse the number. */ 571 if (BN_dec2bn(&value, *cpp) == 0) 572 return 0; 573 574 /* Restore old terminating character. */ 575 *cp = old; 576 577 /* Move beyond the number and return success. */ 578 *cpp = cp; 579 return 1; 580} 581 582static int 583write_bignum(FILE *f, BIGNUM *num) 584{ 585 char *buf = BN_bn2dec(num); 586 if (buf == NULL) { 587 error("write_bignum: BN_bn2dec() failed"); 588 return 0; 589 } 590 fprintf(f, " %s", buf); 591 OPENSSL_free(buf); 592 return 1; 593} 594 595/* returns 1 ok, -1 error */ 596int 597key_read(Key *ret, char **cpp) 598{ 599 Key *k; 600 int success = -1; 601 char *cp, *space; 602 int len, n, type; 603 u_int bits; 604 u_char *blob; 605 606 cp = *cpp; 607 608 switch (ret->type) { 609 case KEY_RSA1: 610 /* Get number of bits. */ 611 if (*cp < '0' || *cp > '9') 612 return -1; /* Bad bit count... */ 613 for (bits = 0; *cp >= '0' && *cp <= '9'; cp++) 614 bits = 10 * bits + *cp - '0'; 615 if (bits == 0) 616 return -1; 617 *cpp = cp; 618 /* Get public exponent, public modulus. */ 619 if (!read_bignum(cpp, ret->rsa->e)) 620 return -1; 621 if (!read_bignum(cpp, ret->rsa->n)) 622 return -1; 623 /* validate the claimed number of bits */ 624 if ((u_int)BN_num_bits(ret->rsa->n) != bits) { 625 verbose("key_read: claimed key size %d does not match " 626 "actual %d", bits, BN_num_bits(ret->rsa->n)); 627 return -1; 628 } 629 success = 1; 630 break; 631 case KEY_UNSPEC: 632 case KEY_RSA: 633 case KEY_DSA: 634 case KEY_DSA_CERT: 635 case KEY_RSA_CERT: 636 space = strchr(cp, ' '); 637 if (space == NULL) { 638 debug3("key_read: missing whitespace"); 639 return -1; 640 } 641 *space = '\0'; 642 type = key_type_from_name(cp); 643 *space = ' '; 644 if (type == KEY_UNSPEC) { 645 debug3("key_read: missing keytype"); 646 return -1; 647 } 648 cp = space+1; 649 if (*cp == '\0') { 650 debug3("key_read: short string"); 651 return -1; 652 } 653 if (ret->type == KEY_UNSPEC) { 654 ret->type = type; 655 } else if (ret->type != type) { 656 /* is a key, but different type */ 657 debug3("key_read: type mismatch"); 658 return -1; 659 } 660 len = 2*strlen(cp); 661 blob = xmalloc(len); 662 n = uudecode(cp, blob, len); 663 if (n < 0) { 664 error("key_read: uudecode %s failed", cp); 665 xfree(blob); 666 return -1; 667 } 668 k = key_from_blob(blob, (u_int)n); 669 xfree(blob); 670 if (k == NULL) { 671 error("key_read: key_from_blob %s failed", cp); 672 return -1; 673 } 674 if (k->type != type) { 675 error("key_read: type mismatch: encoding error"); 676 key_free(k); 677 return -1; 678 } 679/*XXXX*/ 680 if (key_is_cert(ret)) { 681 if (!key_is_cert(k)) { 682 error("key_read: loaded key is not a cert"); 683 key_free(k); 684 return -1; 685 } 686 if (ret->cert != NULL) 687 cert_free(ret->cert); 688 ret->cert = k->cert; 689 k->cert = NULL; 690 } 691 if (key_type_plain(ret->type) == KEY_RSA) { 692 if (ret->rsa != NULL) 693 RSA_free(ret->rsa); 694 ret->rsa = k->rsa; 695 k->rsa = NULL; 696#ifdef DEBUG_PK 697 RSA_print_fp(stderr, ret->rsa, 8); 698#endif 699 } 700 if (key_type_plain(ret->type) == KEY_DSA) { 701 if (ret->dsa != NULL) 702 DSA_free(ret->dsa); 703 ret->dsa = k->dsa; 704 k->dsa = NULL; 705#ifdef DEBUG_PK 706 DSA_print_fp(stderr, ret->dsa, 8); 707#endif 708 } 709 success = 1; 710/*XXXX*/ 711 key_free(k); 712 if (success != 1) 713 break; 714 /* advance cp: skip whitespace and data */ 715 while (*cp == ' ' || *cp == '\t') 716 cp++; 717 while (*cp != '\0' && *cp != ' ' && *cp != '\t') 718 cp++; 719 *cpp = cp; 720 break; 721 default: 722 fatal("key_read: bad key type: %d", ret->type); 723 break; 724 } 725 return success; 726} 727 728int 729key_write(const Key *key, FILE *f) 730{ 731 int n, success = 0; 732 u_int len, bits = 0; 733 u_char *blob; 734 char *uu; 735 736 if (key_is_cert(key)) { 737 if (key->cert == NULL) { 738 error("%s: no cert data", __func__); 739 return 0; 740 } 741 if (buffer_len(&key->cert->certblob) == 0) { 742 error("%s: no signed certificate blob", __func__); 743 return 0; 744 } 745 } 746 747 switch (key->type) { 748 case KEY_RSA1: 749 if (key->rsa == NULL) 750 return 0; 751 /* size of modulus 'n' */ 752 bits = BN_num_bits(key->rsa->n); 753 fprintf(f, "%u", bits); 754 if (write_bignum(f, key->rsa->e) && 755 write_bignum(f, key->rsa->n)) 756 return 1; 757 error("key_write: failed for RSA key"); 758 return 0; 759 case KEY_DSA: 760 case KEY_DSA_CERT: 761 if (key->dsa == NULL) 762 return 0; 763 break; 764 case KEY_RSA: 765 case KEY_RSA_CERT: 766 if (key->rsa == NULL) 767 return 0; 768 break; 769 default: 770 return 0; 771 } 772 773 key_to_blob(key, &blob, &len); 774 uu = xmalloc(2*len); 775 n = uuencode(blob, len, uu, 2*len); 776 if (n > 0) { 777 fprintf(f, "%s %s", key_ssh_name(key), uu); 778 success = 1; 779 } 780 xfree(blob); 781 xfree(uu); 782 783 return success; 784} 785 786const char * 787key_type(const Key *k) 788{ 789 switch (k->type) { 790 case KEY_RSA1: 791 return "RSA1"; 792 case KEY_RSA: 793 return "RSA"; 794 case KEY_DSA: 795 return "DSA"; 796 case KEY_RSA_CERT: 797 return "RSA-CERT"; 798 case KEY_DSA_CERT: 799 return "DSA-CERT"; 800 } 801 return "unknown"; 802} 803 804const char * 805key_cert_type(const Key *k) 806{ 807 switch (k->cert->type) { 808 case SSH2_CERT_TYPE_USER: 809 return "user"; 810 case SSH2_CERT_TYPE_HOST: 811 return "host"; 812 default: 813 return "unknown"; 814 } 815} 816 817const char * 818key_ssh_name(const Key *k) 819{ 820 switch (k->type) { 821 case KEY_RSA: 822 return "ssh-rsa"; 823 case KEY_DSA: 824 return "ssh-dss"; 825 case KEY_RSA_CERT: 826 return "ssh-rsa-cert-v00@openssh.com"; 827 case KEY_DSA_CERT: 828 return "ssh-dss-cert-v00@openssh.com"; 829 } 830 return "ssh-unknown"; 831} 832 833u_int 834key_size(const Key *k) 835{ 836 switch (k->type) { 837 case KEY_RSA1: 838 case KEY_RSA: 839 case KEY_RSA_CERT: 840 return BN_num_bits(k->rsa->n); 841 case KEY_DSA: 842 case KEY_DSA_CERT: 843 return BN_num_bits(k->dsa->p); 844 } 845 return 0; 846} 847 848static RSA * 849rsa_generate_private_key(u_int bits) 850{ 851 RSA *private; 852 853 private = RSA_generate_key(bits, RSA_F4, NULL, NULL); 854 if (private == NULL) 855 fatal("rsa_generate_private_key: key generation failed."); 856 return private; 857} 858 859static DSA* 860dsa_generate_private_key(u_int bits) 861{ 862 DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL); 863 864 if (private == NULL) 865 fatal("dsa_generate_private_key: DSA_generate_parameters failed"); 866 if (!DSA_generate_key(private)) 867 fatal("dsa_generate_private_key: DSA_generate_key failed."); 868 if (private == NULL) 869 fatal("dsa_generate_private_key: NULL."); 870 return private; 871} 872 873Key * 874key_generate(int type, u_int bits) 875{ 876 Key *k = key_new(KEY_UNSPEC); 877 switch (type) { 878 case KEY_DSA: 879 k->dsa = dsa_generate_private_key(bits); 880 break; 881 case KEY_RSA: 882 case KEY_RSA1: 883 k->rsa = rsa_generate_private_key(bits); 884 break; 885 case KEY_RSA_CERT: 886 case KEY_DSA_CERT: 887 fatal("key_generate: cert keys cannot be generated directly"); 888 default: 889 fatal("key_generate: unknown type %d", type); 890 } 891 k->type = type; 892 return k; 893} 894 895void 896key_cert_copy(const Key *from_key, struct Key *to_key) 897{ 898 u_int i; 899 const struct KeyCert *from; 900 struct KeyCert *to; 901 902 if (to_key->cert != NULL) { 903 cert_free(to_key->cert); 904 to_key->cert = NULL; 905 } 906 907 if ((from = from_key->cert) == NULL) 908 return; 909 910 to = to_key->cert = cert_new(); 911 912 buffer_append(&to->certblob, buffer_ptr(&from->certblob), 913 buffer_len(&from->certblob)); 914 915 buffer_append(&to->constraints, buffer_ptr(&from->constraints), 916 buffer_len(&from->constraints)); 917 918 to->type = from->type; 919 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 920 to->valid_after = from->valid_after; 921 to->valid_before = from->valid_before; 922 to->signature_key = from->signature_key == NULL ? 923 NULL : key_from_private(from->signature_key); 924 925 to->nprincipals = from->nprincipals; 926 if (to->nprincipals > CERT_MAX_PRINCIPALS) 927 fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)", 928 __func__, to->nprincipals, CERT_MAX_PRINCIPALS); 929 if (to->nprincipals > 0) { 930 to->principals = xcalloc(from->nprincipals, 931 sizeof(*to->principals)); 932 for (i = 0; i < to->nprincipals; i++) 933 to->principals[i] = xstrdup(from->principals[i]); 934 } 935} 936 937Key * 938key_from_private(const Key *k) 939{ 940 Key *n = NULL; 941 switch (k->type) { 942 case KEY_DSA: 943 case KEY_DSA_CERT: 944 n = key_new(k->type); 945 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 946 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 947 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 948 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 949 fatal("key_from_private: BN_copy failed"); 950 break; 951 case KEY_RSA: 952 case KEY_RSA1: 953 case KEY_RSA_CERT: 954 n = key_new(k->type); 955 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 956 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 957 fatal("key_from_private: BN_copy failed"); 958 break; 959 default: 960 fatal("key_from_private: unknown type %d", k->type); 961 break; 962 } 963 if (key_is_cert(k)) 964 key_cert_copy(k, n); 965 return n; 966} 967 968int 969key_type_from_name(char *name) 970{ 971 if (strcmp(name, "rsa1") == 0) { 972 return KEY_RSA1; 973 } else if (strcmp(name, "rsa") == 0) { 974 return KEY_RSA; 975 } else if (strcmp(name, "dsa") == 0) { 976 return KEY_DSA; 977 } else if (strcmp(name, "ssh-rsa") == 0) { 978 return KEY_RSA; 979 } else if (strcmp(name, "ssh-dss") == 0) { 980 return KEY_DSA; 981 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) { 982 return KEY_RSA_CERT; 983 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) { 984 return KEY_DSA_CERT; 985 } 986 debug2("key_type_from_name: unknown key type '%s'", name); 987 return KEY_UNSPEC; 988} 989 990int 991key_names_valid2(const char *names) 992{ 993 char *s, *cp, *p; 994 995 if (names == NULL || strcmp(names, "") == 0) 996 return 0; 997 s = cp = xstrdup(names); 998 for ((p = strsep(&cp, ",")); p && *p != '\0'; 999 (p = strsep(&cp, ","))) { 1000 switch (key_type_from_name(p)) { 1001 case KEY_RSA1: 1002 case KEY_UNSPEC: 1003 xfree(s); 1004 return 0; 1005 } 1006 } 1007 debug3("key names ok: [%s]", names); 1008 xfree(s); 1009 return 1; 1010} 1011 1012static int 1013cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1014{ 1015 u_char *principals, *constraints, *sig_key, *sig; 1016 u_int signed_len, plen, clen, sklen, slen, kidlen; 1017 Buffer tmp; 1018 char *principal; 1019 int ret = -1; 1020 1021 buffer_init(&tmp); 1022 1023 /* Copy the entire key blob for verification and later serialisation */ 1024 buffer_append(&key->cert->certblob, blob, blen); 1025 1026 principals = constraints = sig_key = sig = NULL; 1027 if (buffer_get_int_ret(&key->cert->type, b) != 0 || 1028 (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL || 1029 (principals = buffer_get_string_ret(b, &plen)) == NULL || 1030 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1031 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || 1032 (constraints = buffer_get_string_ret(b, &clen)) == NULL || 1033 /* skip nonce */ buffer_get_string_ptr_ret(b, NULL) == NULL || 1034 /* skip reserved */ buffer_get_string_ptr_ret(b, NULL) == NULL || 1035 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1036 error("%s: parse error", __func__); 1037 goto out; 1038 } 1039 1040 if (kidlen != strlen(key->cert->key_id)) { 1041 error("%s: key ID contains \\0 character", __func__); 1042 goto out; 1043 } 1044 1045 /* Signature is left in the buffer so we can calculate this length */ 1046 signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); 1047 1048 if ((sig = buffer_get_string_ret(b, &slen)) == NULL) { 1049 error("%s: parse error", __func__); 1050 goto out; 1051 } 1052 1053 if (key->cert->type != SSH2_CERT_TYPE_USER && 1054 key->cert->type != SSH2_CERT_TYPE_HOST) { 1055 error("Unknown certificate type %u", key->cert->type); 1056 goto out; 1057 } 1058 1059 buffer_append(&tmp, principals, plen); 1060 while (buffer_len(&tmp) > 0) { 1061 if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { 1062 error("%s: Too many principals", __func__); 1063 goto out; 1064 } 1065 if ((principal = buffer_get_string_ret(&tmp, &plen)) == NULL) { 1066 error("%s: Principals data invalid", __func__); 1067 goto out; 1068 } 1069 if (strlen(principal) != plen) { 1070 error("%s: Principal contains \\0 character", 1071 __func__); 1072 goto out; 1073 } 1074 key->cert->principals = xrealloc(key->cert->principals, 1075 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1076 key->cert->principals[key->cert->nprincipals++] = principal; 1077 } 1078 1079 buffer_clear(&tmp); 1080 1081 buffer_append(&key->cert->constraints, constraints, clen); 1082 buffer_append(&tmp, constraints, clen); 1083 /* validate structure */ 1084 while (buffer_len(&tmp) != 0) { 1085 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1086 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1087 error("%s: Constraints data invalid", __func__); 1088 goto out; 1089 } 1090 } 1091 buffer_clear(&tmp); 1092 1093 if ((key->cert->signature_key = key_from_blob(sig_key, 1094 sklen)) == NULL) { 1095 error("%s: Signature key invalid", __func__); 1096 goto out; 1097 } 1098 if (key->cert->signature_key->type != KEY_RSA && 1099 key->cert->signature_key->type != KEY_DSA) { 1100 error("%s: Invalid signature key type %s (%d)", __func__, 1101 key_type(key->cert->signature_key), 1102 key->cert->signature_key->type); 1103 goto out; 1104 } 1105 1106 switch (key_verify(key->cert->signature_key, sig, slen, 1107 buffer_ptr(&key->cert->certblob), signed_len)) { 1108 case 1: 1109 ret = 0; 1110 break; /* Good signature */ 1111 case 0: 1112 error("%s: Invalid signature on certificate", __func__); 1113 goto out; 1114 case -1: 1115 error("%s: Certificate signature verification failed", 1116 __func__); 1117 goto out; 1118 } 1119 1120 out: 1121 buffer_free(&tmp); 1122 if (principals != NULL) 1123 xfree(principals); 1124 if (constraints != NULL) 1125 xfree(constraints); 1126 if (sig_key != NULL) 1127 xfree(sig_key); 1128 if (sig != NULL) 1129 xfree(sig); 1130 return ret; 1131} 1132 1133Key * 1134key_from_blob(const u_char *blob, u_int blen) 1135{ 1136 Buffer b; 1137 int rlen, type; 1138 char *ktype = NULL; 1139 Key *key = NULL; 1140 1141#ifdef DEBUG_PK 1142 dump_base64(stderr, blob, blen); 1143#endif 1144 buffer_init(&b); 1145 buffer_append(&b, blob, blen); 1146 if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) { 1147 error("key_from_blob: can't read key type"); 1148 goto out; 1149 } 1150 1151 type = key_type_from_name(ktype); 1152 1153 switch (type) { 1154 case KEY_RSA: 1155 case KEY_RSA_CERT: 1156 key = key_new(type); 1157 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1158 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1159 error("key_from_blob: can't read rsa key"); 1160 badkey: 1161 key_free(key); 1162 key = NULL; 1163 goto out; 1164 } 1165#ifdef DEBUG_PK 1166 RSA_print_fp(stderr, key->rsa, 8); 1167#endif 1168 break; 1169 case KEY_DSA: 1170 case KEY_DSA_CERT: 1171 key = key_new(type); 1172 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1173 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1174 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1175 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1176 error("key_from_blob: can't read dsa key"); 1177 goto badkey; 1178 } 1179#ifdef DEBUG_PK 1180 DSA_print_fp(stderr, key->dsa, 8); 1181#endif 1182 break; 1183 case KEY_UNSPEC: 1184 key = key_new(type); 1185 break; 1186 default: 1187 error("key_from_blob: cannot handle type %s", ktype); 1188 goto out; 1189 } 1190 if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) { 1191 error("key_from_blob: can't parse cert data"); 1192 goto badkey; 1193 } 1194 rlen = buffer_len(&b); 1195 if (key != NULL && rlen != 0) 1196 error("key_from_blob: remaining bytes in key blob %d", rlen); 1197 out: 1198 if (ktype != NULL) 1199 xfree(ktype); 1200 buffer_free(&b); 1201 return key; 1202} 1203 1204int 1205key_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1206{ 1207 Buffer b; 1208 int len; 1209 1210 if (key == NULL) { 1211 error("key_to_blob: key == NULL"); 1212 return 0; 1213 } 1214 buffer_init(&b); 1215 switch (key->type) { 1216 case KEY_DSA_CERT: 1217 case KEY_RSA_CERT: 1218 /* Use the existing blob */ 1219 buffer_append(&b, buffer_ptr(&key->cert->certblob), 1220 buffer_len(&key->cert->certblob)); 1221 break; 1222 case KEY_DSA: 1223 buffer_put_cstring(&b, key_ssh_name(key)); 1224 buffer_put_bignum2(&b, key->dsa->p); 1225 buffer_put_bignum2(&b, key->dsa->q); 1226 buffer_put_bignum2(&b, key->dsa->g); 1227 buffer_put_bignum2(&b, key->dsa->pub_key); 1228 break; 1229 case KEY_RSA: 1230 buffer_put_cstring(&b, key_ssh_name(key)); 1231 buffer_put_bignum2(&b, key->rsa->e); 1232 buffer_put_bignum2(&b, key->rsa->n); 1233 break; 1234 default: 1235 error("key_to_blob: unsupported key type %d", key->type); 1236 buffer_free(&b); 1237 return 0; 1238 } 1239 len = buffer_len(&b); 1240 if (lenp != NULL) 1241 *lenp = len; 1242 if (blobp != NULL) { 1243 *blobp = xmalloc(len); 1244 memcpy(*blobp, buffer_ptr(&b), len); 1245 } 1246 memset(buffer_ptr(&b), 0, len); 1247 buffer_free(&b); 1248 return len; 1249} 1250 1251int 1252key_sign( 1253 const Key *key, 1254 u_char **sigp, u_int *lenp, 1255 const u_char *data, u_int datalen) 1256{ 1257 switch (key->type) { 1258 case KEY_DSA_CERT: 1259 case KEY_DSA: 1260 return ssh_dss_sign(key, sigp, lenp, data, datalen); 1261 case KEY_RSA_CERT: 1262 case KEY_RSA: 1263 return ssh_rsa_sign(key, sigp, lenp, data, datalen); 1264 default: 1265 error("key_sign: invalid key type %d", key->type); 1266 return -1; 1267 } 1268} 1269 1270/* 1271 * key_verify returns 1 for a correct signature, 0 for an incorrect signature 1272 * and -1 on error. 1273 */ 1274int 1275key_verify( 1276 const Key *key, 1277 const u_char *signature, u_int signaturelen, 1278 const u_char *data, u_int datalen) 1279{ 1280 if (signaturelen == 0) 1281 return -1; 1282 1283 switch (key->type) { 1284 case KEY_DSA_CERT: 1285 case KEY_DSA: 1286 return ssh_dss_verify(key, signature, signaturelen, data, datalen); 1287 case KEY_RSA_CERT: 1288 case KEY_RSA: 1289 return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 1290 default: 1291 error("key_verify: invalid key type %d", key->type); 1292 return -1; 1293 } 1294} 1295 1296/* Converts a private to a public key */ 1297Key * 1298key_demote(const Key *k) 1299{ 1300 Key *pk; 1301 1302 pk = xcalloc(1, sizeof(*pk)); 1303 pk->type = k->type; 1304 pk->flags = k->flags; 1305 pk->dsa = NULL; 1306 pk->rsa = NULL; 1307 1308 switch (k->type) { 1309 case KEY_RSA_CERT: 1310 key_cert_copy(k, pk); 1311 /* FALLTHROUGH */ 1312 case KEY_RSA1: 1313 case KEY_RSA: 1314 if ((pk->rsa = RSA_new()) == NULL) 1315 fatal("key_demote: RSA_new failed"); 1316 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 1317 fatal("key_demote: BN_dup failed"); 1318 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 1319 fatal("key_demote: BN_dup failed"); 1320 break; 1321 case KEY_DSA_CERT: 1322 key_cert_copy(k, pk); 1323 /* FALLTHROUGH */ 1324 case KEY_DSA: 1325 if ((pk->dsa = DSA_new()) == NULL) 1326 fatal("key_demote: DSA_new failed"); 1327 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 1328 fatal("key_demote: BN_dup failed"); 1329 if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) 1330 fatal("key_demote: BN_dup failed"); 1331 if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL) 1332 fatal("key_demote: BN_dup failed"); 1333 if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) 1334 fatal("key_demote: BN_dup failed"); 1335 break; 1336 default: 1337 fatal("key_free: bad key type %d", k->type); 1338 break; 1339 } 1340 1341 return (pk); 1342} 1343 1344int 1345key_is_cert(const Key *k) 1346{ 1347 return k != NULL && 1348 (k->type == KEY_RSA_CERT || k->type == KEY_DSA_CERT); 1349} 1350 1351/* Return the cert-less equivalent to a certified key type */ 1352int 1353key_type_plain(int type) 1354{ 1355 switch (type) { 1356 case KEY_RSA_CERT: 1357 return KEY_RSA; 1358 case KEY_DSA_CERT: 1359 return KEY_DSA; 1360 default: 1361 return type; 1362 } 1363} 1364 1365/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ 1366int 1367key_to_certified(Key *k) 1368{ 1369 switch (k->type) { 1370 case KEY_RSA: 1371 k->cert = cert_new(); 1372 k->type = KEY_RSA_CERT; 1373 return 0; 1374 case KEY_DSA: 1375 k->cert = cert_new(); 1376 k->type = KEY_DSA_CERT; 1377 return 0; 1378 default: 1379 error("%s: key has incorrect type %s", __func__, key_type(k)); 1380 return -1; 1381 } 1382} 1383 1384/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ 1385int 1386key_drop_cert(Key *k) 1387{ 1388 switch (k->type) { 1389 case KEY_RSA_CERT: 1390 cert_free(k->cert); 1391 k->type = KEY_RSA; 1392 return 0; 1393 case KEY_DSA_CERT: 1394 cert_free(k->cert); 1395 k->type = KEY_DSA; 1396 return 0; 1397 default: 1398 error("%s: key has incorrect type %s", __func__, key_type(k)); 1399 return -1; 1400 } 1401} 1402 1403/* Sign a KEY_RSA_CERT or KEY_DSA_CERT, (re-)generating the signed certblob */ 1404int 1405key_certify(Key *k, Key *ca) 1406{ 1407 Buffer principals; 1408 u_char *ca_blob, *sig_blob, nonce[32]; 1409 u_int i, ca_len, sig_len; 1410 1411 if (k->cert == NULL) { 1412 error("%s: key lacks cert info", __func__); 1413 return -1; 1414 } 1415 1416 if (!key_is_cert(k)) { 1417 error("%s: certificate has unknown type %d", __func__, 1418 k->cert->type); 1419 return -1; 1420 } 1421 1422 if (ca->type != KEY_RSA && ca->type != KEY_DSA) { 1423 error("%s: CA key has unsupported type %s", __func__, 1424 key_type(ca)); 1425 return -1; 1426 } 1427 1428 key_to_blob(ca, &ca_blob, &ca_len); 1429 1430 buffer_clear(&k->cert->certblob); 1431 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 1432 1433 switch (k->type) { 1434 case KEY_DSA_CERT: 1435 buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 1436 buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 1437 buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 1438 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 1439 break; 1440 case KEY_RSA_CERT: 1441 buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 1442 buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 1443 break; 1444 default: 1445 error("%s: key has incorrect type %s", __func__, key_type(k)); 1446 buffer_clear(&k->cert->certblob); 1447 xfree(ca_blob); 1448 return -1; 1449 } 1450 1451 buffer_put_int(&k->cert->certblob, k->cert->type); 1452 buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 1453 1454 buffer_init(&principals); 1455 for (i = 0; i < k->cert->nprincipals; i++) 1456 buffer_put_cstring(&principals, k->cert->principals[i]); 1457 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 1458 buffer_len(&principals)); 1459 buffer_free(&principals); 1460 1461 buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 1462 buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 1463 buffer_put_string(&k->cert->certblob, 1464 buffer_ptr(&k->cert->constraints), 1465 buffer_len(&k->cert->constraints)); 1466 1467 arc4random_buf(&nonce, sizeof(nonce)); 1468 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1469 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1470 buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1471 xfree(ca_blob); 1472 1473 /* Sign the whole mess */ 1474 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1475 buffer_len(&k->cert->certblob)) != 0) { 1476 error("%s: signature operation failed", __func__); 1477 buffer_clear(&k->cert->certblob); 1478 return -1; 1479 } 1480 /* Append signature and we are done */ 1481 buffer_put_string(&k->cert->certblob, sig_blob, sig_len); 1482 xfree(sig_blob); 1483 1484 return 0; 1485} 1486 1487int 1488key_cert_check_authority(const Key *k, int want_host, int require_principal, 1489 const char *name, const char **reason) 1490{ 1491 u_int i, principal_matches; 1492 time_t now = time(NULL); 1493 1494 if (want_host) { 1495 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 1496 *reason = "Certificate invalid: not a host certificate"; 1497 return -1; 1498 } 1499 } else { 1500 if (k->cert->type != SSH2_CERT_TYPE_USER) { 1501 *reason = "Certificate invalid: not a user certificate"; 1502 return -1; 1503 } 1504 } 1505 if (now < 0) { 1506 error("%s: system clock lies before epoch", __func__); 1507 *reason = "Certificate invalid: not yet valid"; 1508 return -1; 1509 } 1510 if ((u_int64_t)now < k->cert->valid_after) { 1511 *reason = "Certificate invalid: not yet valid"; 1512 return -1; 1513 } 1514 if ((u_int64_t)now >= k->cert->valid_before) { 1515 *reason = "Certificate invalid: expired"; 1516 return -1; 1517 } 1518 if (k->cert->nprincipals == 0) { 1519 if (require_principal) { 1520 *reason = "Certificate lacks principal list"; 1521 return -1; 1522 } 1523 } else { 1524 principal_matches = 0; 1525 for (i = 0; i < k->cert->nprincipals; i++) { 1526 if (strcmp(name, k->cert->principals[i]) == 0) { 1527 principal_matches = 1; 1528 break; 1529 } 1530 } 1531 if (!principal_matches) { 1532 *reason = "Certificate invalid: name is not a listed " 1533 "principal"; 1534 return -1; 1535 } 1536 } 1537 return 0; 1538} 1539