1 /* $OpenBSD: key.c,v 1.97 2011/05/17 07:13:31 djm Exp $ */ 2 /* 3 * read_bignum(): 4 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 5 * 6 * As far as I am concerned, the code I have written for this software 7 * can be used freely for any purpose. Any derived versions of this 8 * software must be clearly marked as such, and if the derived work is 9 * incompatible with the protocol description in the RFC file, it must be 10 * called by a name other than "ssh" or "Secure Shell". 11 * 12 * 13 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 14 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 35 */ 36 37 #include "includes.h" 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 42 #include <openssl/evp.h> 43 #include <openbsd-compat/openssl-compat.h> 44 45 #include <stdarg.h> 46 #include <stdio.h> 47 #include <string.h> 48 49 #include "xmalloc.h" 50 #include "key.h" 51 #include "rsa.h" 52 #include "uuencode.h" 53 #include "buffer.h" 54 #include "log.h" 55 #include "misc.h" 56 #include "ssh2.h" 57 58 static struct KeyCert * 59 cert_new(void) 60 { 61 struct KeyCert *cert; 62 63 cert = xcalloc(1, sizeof(*cert)); 64 buffer_init(&cert->certblob); 65 buffer_init(&cert->critical); 66 buffer_init(&cert->extensions); 67 cert->key_id = NULL; 68 cert->principals = NULL; 69 cert->signature_key = NULL; 70 return cert; 71 } 72 73 Key * 74 key_new(int type) 75 { 76 Key *k; 77 RSA *rsa; 78 DSA *dsa; 79 k = xcalloc(1, sizeof(*k)); 80 k->type = type; 81 k->ecdsa = NULL; 82 k->ecdsa_nid = -1; 83 k->dsa = NULL; 84 k->rsa = NULL; 85 k->cert = NULL; 86 switch (k->type) { 87 case KEY_RSA1: 88 case KEY_RSA: 89 case KEY_RSA_CERT_V00: 90 case KEY_RSA_CERT: 91 if ((rsa = RSA_new()) == NULL) 92 fatal("key_new: RSA_new failed"); 93 if ((rsa->n = BN_new()) == NULL) 94 fatal("key_new: BN_new failed"); 95 if ((rsa->e = BN_new()) == NULL) 96 fatal("key_new: BN_new failed"); 97 k->rsa = rsa; 98 break; 99 case KEY_DSA: 100 case KEY_DSA_CERT_V00: 101 case KEY_DSA_CERT: 102 if ((dsa = DSA_new()) == NULL) 103 fatal("key_new: DSA_new failed"); 104 if ((dsa->p = BN_new()) == NULL) 105 fatal("key_new: BN_new failed"); 106 if ((dsa->q = BN_new()) == NULL) 107 fatal("key_new: BN_new failed"); 108 if ((dsa->g = BN_new()) == NULL) 109 fatal("key_new: BN_new failed"); 110 if ((dsa->pub_key = BN_new()) == NULL) 111 fatal("key_new: BN_new failed"); 112 k->dsa = dsa; 113 break; 114 #ifdef OPENSSL_HAS_ECC 115 case KEY_ECDSA: 116 case KEY_ECDSA_CERT: 117 /* Cannot do anything until we know the group */ 118 break; 119 #endif 120 case KEY_UNSPEC: 121 break; 122 default: 123 fatal("key_new: bad key type %d", k->type); 124 break; 125 } 126 127 if (key_is_cert(k)) 128 k->cert = cert_new(); 129 130 return k; 131 } 132 133 void 134 key_add_private(Key *k) 135 { 136 switch (k->type) { 137 case KEY_RSA1: 138 case KEY_RSA: 139 case KEY_RSA_CERT_V00: 140 case KEY_RSA_CERT: 141 if ((k->rsa->d = BN_new()) == NULL) 142 fatal("key_new_private: BN_new failed"); 143 if ((k->rsa->iqmp = BN_new()) == NULL) 144 fatal("key_new_private: BN_new failed"); 145 if ((k->rsa->q = BN_new()) == NULL) 146 fatal("key_new_private: BN_new failed"); 147 if ((k->rsa->p = BN_new()) == NULL) 148 fatal("key_new_private: BN_new failed"); 149 if ((k->rsa->dmq1 = BN_new()) == NULL) 150 fatal("key_new_private: BN_new failed"); 151 if ((k->rsa->dmp1 = BN_new()) == NULL) 152 fatal("key_new_private: BN_new failed"); 153 break; 154 case KEY_DSA: 155 case KEY_DSA_CERT_V00: 156 case KEY_DSA_CERT: 157 if ((k->dsa->priv_key = BN_new()) == NULL) 158 fatal("key_new_private: BN_new failed"); 159 break; 160 case KEY_ECDSA: 161 case KEY_ECDSA_CERT: 162 /* Cannot do anything until we know the group */ 163 break; 164 case KEY_UNSPEC: 165 break; 166 default: 167 break; 168 } 169 } 170 171 Key * 172 key_new_private(int type) 173 { 174 Key *k = key_new(type); 175 176 key_add_private(k); 177 return k; 178 } 179 180 static void 181 cert_free(struct KeyCert *cert) 182 { 183 u_int i; 184 185 buffer_free(&cert->certblob); 186 buffer_free(&cert->critical); 187 buffer_free(&cert->extensions); 188 if (cert->key_id != NULL) 189 xfree(cert->key_id); 190 for (i = 0; i < cert->nprincipals; i++) 191 xfree(cert->principals[i]); 192 if (cert->principals != NULL) 193 xfree(cert->principals); 194 if (cert->signature_key != NULL) 195 key_free(cert->signature_key); 196 } 197 198 void 199 key_free(Key *k) 200 { 201 if (k == NULL) 202 fatal("key_free: key is NULL"); 203 switch (k->type) { 204 case KEY_RSA1: 205 case KEY_RSA: 206 case KEY_RSA_CERT_V00: 207 case KEY_RSA_CERT: 208 if (k->rsa != NULL) 209 RSA_free(k->rsa); 210 k->rsa = NULL; 211 break; 212 case KEY_DSA: 213 case KEY_DSA_CERT_V00: 214 case KEY_DSA_CERT: 215 if (k->dsa != NULL) 216 DSA_free(k->dsa); 217 k->dsa = NULL; 218 break; 219 #ifdef OPENSSL_HAS_ECC 220 case KEY_ECDSA: 221 case KEY_ECDSA_CERT: 222 if (k->ecdsa != NULL) 223 EC_KEY_free(k->ecdsa); 224 k->ecdsa = NULL; 225 break; 226 #endif 227 case KEY_UNSPEC: 228 break; 229 default: 230 fatal("key_free: bad key type %d", k->type); 231 break; 232 } 233 if (key_is_cert(k)) { 234 if (k->cert != NULL) 235 cert_free(k->cert); 236 k->cert = NULL; 237 } 238 239 xfree(k); 240 } 241 242 static int 243 cert_compare(struct KeyCert *a, struct KeyCert *b) 244 { 245 if (a == NULL && b == NULL) 246 return 1; 247 if (a == NULL || b == NULL) 248 return 0; 249 if (buffer_len(&a->certblob) != buffer_len(&b->certblob)) 250 return 0; 251 if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob), 252 buffer_len(&a->certblob)) != 0) 253 return 0; 254 return 1; 255 } 256 257 /* 258 * Compare public portions of key only, allowing comparisons between 259 * certificates and plain keys too. 260 */ 261 int 262 key_equal_public(const Key *a, const Key *b) 263 { 264 #ifdef OPENSSL_HAS_ECC 265 BN_CTX *bnctx; 266 #endif 267 268 if (a == NULL || b == NULL || 269 key_type_plain(a->type) != key_type_plain(b->type)) 270 return 0; 271 272 switch (a->type) { 273 case KEY_RSA1: 274 case KEY_RSA_CERT_V00: 275 case KEY_RSA_CERT: 276 case KEY_RSA: 277 return a->rsa != NULL && b->rsa != NULL && 278 BN_cmp(a->rsa->e, b->rsa->e) == 0 && 279 BN_cmp(a->rsa->n, b->rsa->n) == 0; 280 case KEY_DSA_CERT_V00: 281 case KEY_DSA_CERT: 282 case KEY_DSA: 283 return a->dsa != NULL && b->dsa != NULL && 284 BN_cmp(a->dsa->p, b->dsa->p) == 0 && 285 BN_cmp(a->dsa->q, b->dsa->q) == 0 && 286 BN_cmp(a->dsa->g, b->dsa->g) == 0 && 287 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; 288 #ifdef OPENSSL_HAS_ECC 289 case KEY_ECDSA_CERT: 290 case KEY_ECDSA: 291 if (a->ecdsa == NULL || b->ecdsa == NULL || 292 EC_KEY_get0_public_key(a->ecdsa) == NULL || 293 EC_KEY_get0_public_key(b->ecdsa) == NULL) 294 return 0; 295 if ((bnctx = BN_CTX_new()) == NULL) 296 fatal("%s: BN_CTX_new failed", __func__); 297 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa), 298 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 || 299 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa), 300 EC_KEY_get0_public_key(a->ecdsa), 301 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) { 302 BN_CTX_free(bnctx); 303 return 0; 304 } 305 BN_CTX_free(bnctx); 306 return 1; 307 #endif /* OPENSSL_HAS_ECC */ 308 default: 309 fatal("key_equal: bad key type %d", a->type); 310 } 311 /* NOTREACHED */ 312 } 313 314 int 315 key_equal(const Key *a, const Key *b) 316 { 317 if (a == NULL || b == NULL || a->type != b->type) 318 return 0; 319 if (key_is_cert(a)) { 320 if (!cert_compare(a->cert, b->cert)) 321 return 0; 322 } 323 return key_equal_public(a, b); 324 } 325 326 u_char* 327 key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) 328 { 329 const EVP_MD *md = NULL; 330 EVP_MD_CTX ctx; 331 u_char *blob = NULL; 332 u_char *retval = NULL; 333 u_int len = 0; 334 int nlen, elen, otype; 335 336 *dgst_raw_length = 0; 337 338 switch (dgst_type) { 339 case SSH_FP_MD5: 340 md = EVP_md5(); 341 break; 342 case SSH_FP_SHA1: 343 md = EVP_sha1(); 344 break; 345 default: 346 fatal("key_fingerprint_raw: bad digest type %d", 347 dgst_type); 348 } 349 switch (k->type) { 350 case KEY_RSA1: 351 nlen = BN_num_bytes(k->rsa->n); 352 elen = BN_num_bytes(k->rsa->e); 353 len = nlen + elen; 354 blob = xmalloc(len); 355 BN_bn2bin(k->rsa->n, blob); 356 BN_bn2bin(k->rsa->e, blob + nlen); 357 break; 358 case KEY_DSA: 359 case KEY_ECDSA: 360 case KEY_RSA: 361 key_to_blob(k, &blob, &len); 362 break; 363 case KEY_DSA_CERT_V00: 364 case KEY_RSA_CERT_V00: 365 case KEY_DSA_CERT: 366 case KEY_ECDSA_CERT: 367 case KEY_RSA_CERT: 368 /* We want a fingerprint of the _key_ not of the cert */ 369 otype = k->type; 370 k->type = key_type_plain(k->type); 371 key_to_blob(k, &blob, &len); 372 k->type = otype; 373 break; 374 case KEY_UNSPEC: 375 return retval; 376 default: 377 fatal("key_fingerprint_raw: bad key type %d", k->type); 378 break; 379 } 380 if (blob != NULL) { 381 retval = xmalloc(EVP_MAX_MD_SIZE); 382 EVP_DigestInit(&ctx, md); 383 EVP_DigestUpdate(&ctx, blob, len); 384 EVP_DigestFinal(&ctx, retval, dgst_raw_length); 385 memset(blob, 0, len); 386 xfree(blob); 387 } else { 388 fatal("key_fingerprint_raw: blob is null"); 389 } 390 return retval; 391 } 392 393 static char * 394 key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len) 395 { 396 char *retval; 397 u_int i; 398 399 retval = xcalloc(1, dgst_raw_len * 3 + 1); 400 for (i = 0; i < dgst_raw_len; i++) { 401 char hex[4]; 402 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); 403 strlcat(retval, hex, dgst_raw_len * 3 + 1); 404 } 405 406 /* Remove the trailing ':' character */ 407 retval[(dgst_raw_len * 3) - 1] = '\0'; 408 return retval; 409 } 410 411 static char * 412 key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) 413 { 414 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' }; 415 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm', 416 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' }; 417 u_int i, j = 0, rounds, seed = 1; 418 char *retval; 419 420 rounds = (dgst_raw_len / 2) + 1; 421 retval = xcalloc((rounds * 6), sizeof(char)); 422 retval[j++] = 'x'; 423 for (i = 0; i < rounds; i++) { 424 u_int idx0, idx1, idx2, idx3, idx4; 425 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) { 426 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) + 427 seed) % 6; 428 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15; 429 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) + 430 (seed / 6)) % 6; 431 retval[j++] = vowels[idx0]; 432 retval[j++] = consonants[idx1]; 433 retval[j++] = vowels[idx2]; 434 if ((i + 1) < rounds) { 435 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15; 436 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15; 437 retval[j++] = consonants[idx3]; 438 retval[j++] = '-'; 439 retval[j++] = consonants[idx4]; 440 seed = ((seed * 5) + 441 ((((u_int)(dgst_raw[2 * i])) * 7) + 442 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36; 443 } 444 } else { 445 idx0 = seed % 6; 446 idx1 = 16; 447 idx2 = seed / 6; 448 retval[j++] = vowels[idx0]; 449 retval[j++] = consonants[idx1]; 450 retval[j++] = vowels[idx2]; 451 } 452 } 453 retval[j++] = 'x'; 454 retval[j++] = '\0'; 455 return retval; 456 } 457 458 /* 459 * Draw an ASCII-Art representing the fingerprint so human brain can 460 * profit from its built-in pattern recognition ability. 461 * This technique is called "random art" and can be found in some 462 * scientific publications like this original paper: 463 * 464 * "Hash Visualization: a New Technique to improve Real-World Security", 465 * Perrig A. and Song D., 1999, International Workshop on Cryptographic 466 * Techniques and E-Commerce (CrypTEC '99) 467 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf 468 * 469 * The subject came up in a talk by Dan Kaminsky, too. 470 * 471 * If you see the picture is different, the key is different. 472 * If the picture looks the same, you still know nothing. 473 * 474 * The algorithm used here is a worm crawling over a discrete plane, 475 * leaving a trace (augmenting the field) everywhere it goes. 476 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls 477 * makes the respective movement vector be ignored for this turn. 478 * Graphs are not unambiguous, because circles in graphs can be 479 * walked in either direction. 480 */ 481 482 /* 483 * Field sizes for the random art. Have to be odd, so the starting point 484 * can be in the exact middle of the picture, and FLDBASE should be >=8 . 485 * Else pictures would be too dense, and drawing the frame would 486 * fail, too, because the key type would not fit in anymore. 487 */ 488 #define FLDBASE 8 489 #define FLDSIZE_Y (FLDBASE + 1) 490 #define FLDSIZE_X (FLDBASE * 2 + 1) 491 static char * 492 key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k) 493 { 494 /* 495 * Chars to be used after each other every time the worm 496 * intersects with itself. Matter of taste. 497 */ 498 char *augmentation_string = " .o+=*BOX@%&#/^SE"; 499 char *retval, *p; 500 u_char field[FLDSIZE_X][FLDSIZE_Y]; 501 u_int i, b; 502 int x, y; 503 size_t len = strlen(augmentation_string) - 1; 504 505 retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); 506 507 /* initialize field */ 508 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char)); 509 x = FLDSIZE_X / 2; 510 y = FLDSIZE_Y / 2; 511 512 /* process raw key */ 513 for (i = 0; i < dgst_raw_len; i++) { 514 int input; 515 /* each byte conveys four 2-bit move commands */ 516 input = dgst_raw[i]; 517 for (b = 0; b < 4; b++) { 518 /* evaluate 2 bit, rest is shifted later */ 519 x += (input & 0x1) ? 1 : -1; 520 y += (input & 0x2) ? 1 : -1; 521 522 /* assure we are still in bounds */ 523 x = MAX(x, 0); 524 y = MAX(y, 0); 525 x = MIN(x, FLDSIZE_X - 1); 526 y = MIN(y, FLDSIZE_Y - 1); 527 528 /* augment the field */ 529 if (field[x][y] < len - 2) 530 field[x][y]++; 531 input = input >> 2; 532 } 533 } 534 535 /* mark starting point and end point*/ 536 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1; 537 field[x][y] = len; 538 539 /* fill in retval */ 540 snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k)); 541 p = strchr(retval, '\0'); 542 543 /* output upper border */ 544 for (i = p - retval - 1; i < FLDSIZE_X; i++) 545 *p++ = '-'; 546 *p++ = '+'; 547 *p++ = '\n'; 548 549 /* output content */ 550 for (y = 0; y < FLDSIZE_Y; y++) { 551 *p++ = '|'; 552 for (x = 0; x < FLDSIZE_X; x++) 553 *p++ = augmentation_string[MIN(field[x][y], len)]; 554 *p++ = '|'; 555 *p++ = '\n'; 556 } 557 558 /* output lower border */ 559 *p++ = '+'; 560 for (i = 0; i < FLDSIZE_X; i++) 561 *p++ = '-'; 562 *p++ = '+'; 563 564 return retval; 565 } 566 567 char * 568 key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) 569 { 570 char *retval = NULL; 571 u_char *dgst_raw; 572 u_int dgst_raw_len; 573 574 dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len); 575 if (!dgst_raw) 576 fatal("key_fingerprint: null from key_fingerprint_raw()"); 577 switch (dgst_rep) { 578 case SSH_FP_HEX: 579 retval = key_fingerprint_hex(dgst_raw, dgst_raw_len); 580 break; 581 case SSH_FP_BUBBLEBABBLE: 582 retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); 583 break; 584 case SSH_FP_RANDOMART: 585 retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k); 586 break; 587 default: 588 fatal("key_fingerprint: bad digest representation %d", 589 dgst_rep); 590 break; 591 } 592 memset(dgst_raw, 0, dgst_raw_len); 593 xfree(dgst_raw); 594 return retval; 595 } 596 597 /* 598 * Reads a multiple-precision integer in decimal from the buffer, and advances 599 * the pointer. The integer must already be initialized. This function is 600 * permitted to modify the buffer. This leaves *cpp to point just beyond the 601 * last processed (and maybe modified) character. Note that this may modify 602 * the buffer containing the number. 603 */ 604 static int 605 read_bignum(char **cpp, BIGNUM * value) 606 { 607 char *cp = *cpp; 608 int old; 609 610 /* Skip any leading whitespace. */ 611 for (; *cp == ' ' || *cp == '\t'; cp++) 612 ; 613 614 /* Check that it begins with a decimal digit. */ 615 if (*cp < '0' || *cp > '9') 616 return 0; 617 618 /* Save starting position. */ 619 *cpp = cp; 620 621 /* Move forward until all decimal digits skipped. */ 622 for (; *cp >= '0' && *cp <= '9'; cp++) 623 ; 624 625 /* Save the old terminating character, and replace it by \0. */ 626 old = *cp; 627 *cp = 0; 628 629 /* Parse the number. */ 630 if (BN_dec2bn(&value, *cpp) == 0) 631 return 0; 632 633 /* Restore old terminating character. */ 634 *cp = old; 635 636 /* Move beyond the number and return success. */ 637 *cpp = cp; 638 return 1; 639 } 640 641 static int 642 write_bignum(FILE *f, BIGNUM *num) 643 { 644 char *buf = BN_bn2dec(num); 645 if (buf == NULL) { 646 error("write_bignum: BN_bn2dec() failed"); 647 return 0; 648 } 649 fprintf(f, " %s", buf); 650 OPENSSL_free(buf); 651 return 1; 652 } 653 654 /* returns 1 ok, -1 error */ 655 int 656 key_read(Key *ret, char **cpp) 657 { 658 Key *k; 659 int success = -1; 660 char *cp, *space; 661 int len, n, type; 662 u_int bits; 663 u_char *blob; 664 #ifdef OPENSSL_HAS_ECC 665 int curve_nid = -1; 666 #endif 667 668 cp = *cpp; 669 670 switch (ret->type) { 671 case KEY_RSA1: 672 /* Get number of bits. */ 673 if (*cp < '0' || *cp > '9') 674 return -1; /* Bad bit count... */ 675 for (bits = 0; *cp >= '0' && *cp <= '9'; cp++) 676 bits = 10 * bits + *cp - '0'; 677 if (bits == 0) 678 return -1; 679 *cpp = cp; 680 /* Get public exponent, public modulus. */ 681 if (!read_bignum(cpp, ret->rsa->e)) 682 return -1; 683 if (!read_bignum(cpp, ret->rsa->n)) 684 return -1; 685 /* validate the claimed number of bits */ 686 if ((u_int)BN_num_bits(ret->rsa->n) != bits) { 687 verbose("key_read: claimed key size %d does not match " 688 "actual %d", bits, BN_num_bits(ret->rsa->n)); 689 return -1; 690 } 691 success = 1; 692 break; 693 case KEY_UNSPEC: 694 case KEY_RSA: 695 case KEY_DSA: 696 case KEY_ECDSA: 697 case KEY_DSA_CERT_V00: 698 case KEY_RSA_CERT_V00: 699 case KEY_DSA_CERT: 700 case KEY_ECDSA_CERT: 701 case KEY_RSA_CERT: 702 space = strchr(cp, ' '); 703 if (space == NULL) { 704 debug3("key_read: missing whitespace"); 705 return -1; 706 } 707 *space = '\0'; 708 type = key_type_from_name(cp); 709 #ifdef OPENSSL_HAS_ECC 710 if (key_type_plain(type) == KEY_ECDSA && 711 (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) { 712 debug("key_read: invalid curve"); 713 return -1; 714 } 715 #endif 716 *space = ' '; 717 if (type == KEY_UNSPEC) { 718 debug3("key_read: missing keytype"); 719 return -1; 720 } 721 cp = space+1; 722 if (*cp == '\0') { 723 debug3("key_read: short string"); 724 return -1; 725 } 726 if (ret->type == KEY_UNSPEC) { 727 ret->type = type; 728 } else if (ret->type != type) { 729 /* is a key, but different type */ 730 debug3("key_read: type mismatch"); 731 return -1; 732 } 733 len = 2*strlen(cp); 734 blob = xmalloc(len); 735 n = uudecode(cp, blob, len); 736 if (n < 0) { 737 error("key_read: uudecode %s failed", cp); 738 xfree(blob); 739 return -1; 740 } 741 k = key_from_blob(blob, (u_int)n); 742 xfree(blob); 743 if (k == NULL) { 744 error("key_read: key_from_blob %s failed", cp); 745 return -1; 746 } 747 if (k->type != type) { 748 error("key_read: type mismatch: encoding error"); 749 key_free(k); 750 return -1; 751 } 752 #ifdef OPENSSL_HAS_ECC 753 if (key_type_plain(type) == KEY_ECDSA && 754 curve_nid != k->ecdsa_nid) { 755 error("key_read: type mismatch: EC curve mismatch"); 756 key_free(k); 757 return -1; 758 } 759 #endif 760 /*XXXX*/ 761 if (key_is_cert(ret)) { 762 if (!key_is_cert(k)) { 763 error("key_read: loaded key is not a cert"); 764 key_free(k); 765 return -1; 766 } 767 if (ret->cert != NULL) 768 cert_free(ret->cert); 769 ret->cert = k->cert; 770 k->cert = NULL; 771 } 772 if (key_type_plain(ret->type) == KEY_RSA) { 773 if (ret->rsa != NULL) 774 RSA_free(ret->rsa); 775 ret->rsa = k->rsa; 776 k->rsa = NULL; 777 #ifdef DEBUG_PK 778 RSA_print_fp(stderr, ret->rsa, 8); 779 #endif 780 } 781 if (key_type_plain(ret->type) == KEY_DSA) { 782 if (ret->dsa != NULL) 783 DSA_free(ret->dsa); 784 ret->dsa = k->dsa; 785 k->dsa = NULL; 786 #ifdef DEBUG_PK 787 DSA_print_fp(stderr, ret->dsa, 8); 788 #endif 789 } 790 #ifdef OPENSSL_HAS_ECC 791 if (key_type_plain(ret->type) == KEY_ECDSA) { 792 if (ret->ecdsa != NULL) 793 EC_KEY_free(ret->ecdsa); 794 ret->ecdsa = k->ecdsa; 795 ret->ecdsa_nid = k->ecdsa_nid; 796 k->ecdsa = NULL; 797 k->ecdsa_nid = -1; 798 #ifdef DEBUG_PK 799 key_dump_ec_key(ret->ecdsa); 800 #endif 801 } 802 #endif 803 success = 1; 804 /*XXXX*/ 805 key_free(k); 806 if (success != 1) 807 break; 808 /* advance cp: skip whitespace and data */ 809 while (*cp == ' ' || *cp == '\t') 810 cp++; 811 while (*cp != '\0' && *cp != ' ' && *cp != '\t') 812 cp++; 813 *cpp = cp; 814 break; 815 default: 816 fatal("key_read: bad key type: %d", ret->type); 817 break; 818 } 819 return success; 820 } 821 822 int 823 key_write(const Key *key, FILE *f) 824 { 825 int n, success = 0; 826 u_int len, bits = 0; 827 u_char *blob; 828 char *uu; 829 830 if (key_is_cert(key)) { 831 if (key->cert == NULL) { 832 error("%s: no cert data", __func__); 833 return 0; 834 } 835 if (buffer_len(&key->cert->certblob) == 0) { 836 error("%s: no signed certificate blob", __func__); 837 return 0; 838 } 839 } 840 841 switch (key->type) { 842 case KEY_RSA1: 843 if (key->rsa == NULL) 844 return 0; 845 /* size of modulus 'n' */ 846 bits = BN_num_bits(key->rsa->n); 847 fprintf(f, "%u", bits); 848 if (write_bignum(f, key->rsa->e) && 849 write_bignum(f, key->rsa->n)) 850 return 1; 851 error("key_write: failed for RSA key"); 852 return 0; 853 case KEY_DSA: 854 case KEY_DSA_CERT_V00: 855 case KEY_DSA_CERT: 856 if (key->dsa == NULL) 857 return 0; 858 break; 859 #ifdef OPENSSL_HAS_ECC 860 case KEY_ECDSA: 861 case KEY_ECDSA_CERT: 862 if (key->ecdsa == NULL) 863 return 0; 864 break; 865 #endif 866 case KEY_RSA: 867 case KEY_RSA_CERT_V00: 868 case KEY_RSA_CERT: 869 if (key->rsa == NULL) 870 return 0; 871 break; 872 default: 873 return 0; 874 } 875 876 key_to_blob(key, &blob, &len); 877 uu = xmalloc(2*len); 878 n = uuencode(blob, len, uu, 2*len); 879 if (n > 0) { 880 fprintf(f, "%s %s", key_ssh_name(key), uu); 881 success = 1; 882 } 883 xfree(blob); 884 xfree(uu); 885 886 return success; 887 } 888 889 const char * 890 key_type(const Key *k) 891 { 892 switch (k->type) { 893 case KEY_RSA1: 894 return "RSA1"; 895 case KEY_RSA: 896 return "RSA"; 897 case KEY_DSA: 898 return "DSA"; 899 #ifdef OPENSSL_HAS_ECC 900 case KEY_ECDSA: 901 return "ECDSA"; 902 #endif 903 case KEY_RSA_CERT_V00: 904 return "RSA-CERT-V00"; 905 case KEY_DSA_CERT_V00: 906 return "DSA-CERT-V00"; 907 case KEY_RSA_CERT: 908 return "RSA-CERT"; 909 case KEY_DSA_CERT: 910 return "DSA-CERT"; 911 #ifdef OPENSSL_HAS_ECC 912 case KEY_ECDSA_CERT: 913 return "ECDSA-CERT"; 914 #endif 915 } 916 return "unknown"; 917 } 918 919 const char * 920 key_cert_type(const Key *k) 921 { 922 switch (k->cert->type) { 923 case SSH2_CERT_TYPE_USER: 924 return "user"; 925 case SSH2_CERT_TYPE_HOST: 926 return "host"; 927 default: 928 return "unknown"; 929 } 930 } 931 932 static const char * 933 key_ssh_name_from_type_nid(int type, int nid) 934 { 935 switch (type) { 936 case KEY_RSA: 937 return "ssh-rsa"; 938 case KEY_DSA: 939 return "ssh-dss"; 940 case KEY_RSA_CERT_V00: 941 return "ssh-rsa-cert-v00 (at) openssh.com"; 942 case KEY_DSA_CERT_V00: 943 return "ssh-dss-cert-v00 (at) openssh.com"; 944 case KEY_RSA_CERT: 945 return "ssh-rsa-cert-v01 (at) openssh.com"; 946 case KEY_DSA_CERT: 947 return "ssh-dss-cert-v01 (at) openssh.com"; 948 #ifdef OPENSSL_HAS_ECC 949 case KEY_ECDSA: 950 switch (nid) { 951 case NID_X9_62_prime256v1: 952 return "ecdsa-sha2-nistp256"; 953 case NID_secp384r1: 954 return "ecdsa-sha2-nistp384"; 955 case NID_secp521r1: 956 return "ecdsa-sha2-nistp521"; 957 default: 958 break; 959 } 960 break; 961 case KEY_ECDSA_CERT: 962 switch (nid) { 963 case NID_X9_62_prime256v1: 964 return "ecdsa-sha2-nistp256-cert-v01 (at) openssh.com"; 965 case NID_secp384r1: 966 return "ecdsa-sha2-nistp384-cert-v01 (at) openssh.com"; 967 case NID_secp521r1: 968 return "ecdsa-sha2-nistp521-cert-v01 (at) openssh.com"; 969 default: 970 break; 971 } 972 break; 973 #endif /* OPENSSL_HAS_ECC */ 974 } 975 return "ssh-unknown"; 976 } 977 978 const char * 979 key_ssh_name(const Key *k) 980 { 981 return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid); 982 } 983 984 const char * 985 key_ssh_name_plain(const Key *k) 986 { 987 return key_ssh_name_from_type_nid(key_type_plain(k->type), 988 k->ecdsa_nid); 989 } 990 991 u_int 992 key_size(const Key *k) 993 { 994 switch (k->type) { 995 case KEY_RSA1: 996 case KEY_RSA: 997 case KEY_RSA_CERT_V00: 998 case KEY_RSA_CERT: 999 return BN_num_bits(k->rsa->n); 1000 case KEY_DSA: 1001 case KEY_DSA_CERT_V00: 1002 case KEY_DSA_CERT: 1003 return BN_num_bits(k->dsa->p); 1004 #ifdef OPENSSL_HAS_ECC 1005 case KEY_ECDSA: 1006 case KEY_ECDSA_CERT: 1007 return key_curve_nid_to_bits(k->ecdsa_nid); 1008 #endif 1009 } 1010 return 0; 1011 } 1012 1013 static RSA * 1014 rsa_generate_private_key(u_int bits) 1015 { 1016 RSA *private = RSA_new(); 1017 BIGNUM *f4 = BN_new(); 1018 1019 if (private == NULL) 1020 fatal("%s: RSA_new failed", __func__); 1021 if (f4 == NULL) 1022 fatal("%s: BN_new failed", __func__); 1023 if (!BN_set_word(f4, RSA_F4)) 1024 fatal("%s: BN_new failed", __func__); 1025 if (!RSA_generate_key_ex(private, bits, f4, NULL)) 1026 fatal("%s: key generation failed.", __func__); 1027 BN_free(f4); 1028 return private; 1029 } 1030 1031 static DSA* 1032 dsa_generate_private_key(u_int bits) 1033 { 1034 DSA *private = DSA_new(); 1035 1036 if (private == NULL) 1037 fatal("%s: DSA_new failed", __func__); 1038 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL, 1039 NULL, NULL)) 1040 fatal("%s: DSA_generate_parameters failed", __func__); 1041 if (!DSA_generate_key(private)) 1042 fatal("%s: DSA_generate_key failed.", __func__); 1043 return private; 1044 } 1045 1046 int 1047 key_ecdsa_bits_to_nid(int bits) 1048 { 1049 switch (bits) { 1050 #ifdef OPENSSL_HAS_ECC 1051 case 256: 1052 return NID_X9_62_prime256v1; 1053 case 384: 1054 return NID_secp384r1; 1055 case 521: 1056 return NID_secp521r1; 1057 #endif 1058 default: 1059 return -1; 1060 } 1061 } 1062 1063 #ifdef OPENSSL_HAS_ECC 1064 int 1065 key_ecdsa_key_to_nid(EC_KEY *k) 1066 { 1067 EC_GROUP *eg; 1068 int nids[] = { 1069 NID_X9_62_prime256v1, 1070 NID_secp384r1, 1071 NID_secp521r1, 1072 -1 1073 }; 1074 int nid; 1075 u_int i; 1076 BN_CTX *bnctx; 1077 const EC_GROUP *g = EC_KEY_get0_group(k); 1078 1079 /* 1080 * The group may be stored in a ASN.1 encoded private key in one of two 1081 * ways: as a "named group", which is reconstituted by ASN.1 object ID 1082 * or explicit group parameters encoded into the key blob. Only the 1083 * "named group" case sets the group NID for us, but we can figure 1084 * it out for the other case by comparing against all the groups that 1085 * are supported. 1086 */ 1087 if ((nid = EC_GROUP_get_curve_name(g)) > 0) 1088 return nid; 1089 if ((bnctx = BN_CTX_new()) == NULL) 1090 fatal("%s: BN_CTX_new() failed", __func__); 1091 for (i = 0; nids[i] != -1; i++) { 1092 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) 1093 fatal("%s: EC_GROUP_new_by_curve_name failed", 1094 __func__); 1095 if (EC_GROUP_cmp(g, eg, bnctx) == 0) 1096 break; 1097 EC_GROUP_free(eg); 1098 } 1099 BN_CTX_free(bnctx); 1100 debug3("%s: nid = %d", __func__, nids[i]); 1101 if (nids[i] != -1) { 1102 /* Use the group with the NID attached */ 1103 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE); 1104 if (EC_KEY_set_group(k, eg) != 1) 1105 fatal("%s: EC_KEY_set_group", __func__); 1106 } 1107 return nids[i]; 1108 } 1109 1110 static EC_KEY* 1111 ecdsa_generate_private_key(u_int bits, int *nid) 1112 { 1113 EC_KEY *private; 1114 1115 if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1) 1116 fatal("%s: invalid key length", __func__); 1117 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) 1118 fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1119 if (EC_KEY_generate_key(private) != 1) 1120 fatal("%s: EC_KEY_generate_key failed", __func__); 1121 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE); 1122 return private; 1123 } 1124 #endif /* OPENSSL_HAS_ECC */ 1125 1126 Key * 1127 key_generate(int type, u_int bits) 1128 { 1129 Key *k = key_new(KEY_UNSPEC); 1130 switch (type) { 1131 case KEY_DSA: 1132 k->dsa = dsa_generate_private_key(bits); 1133 break; 1134 #ifdef OPENSSL_HAS_ECC 1135 case KEY_ECDSA: 1136 k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid); 1137 break; 1138 #endif 1139 case KEY_RSA: 1140 case KEY_RSA1: 1141 k->rsa = rsa_generate_private_key(bits); 1142 break; 1143 case KEY_RSA_CERT_V00: 1144 case KEY_DSA_CERT_V00: 1145 case KEY_RSA_CERT: 1146 case KEY_DSA_CERT: 1147 fatal("key_generate: cert keys cannot be generated directly"); 1148 default: 1149 fatal("key_generate: unknown type %d", type); 1150 } 1151 k->type = type; 1152 return k; 1153 } 1154 1155 void 1156 key_cert_copy(const Key *from_key, struct Key *to_key) 1157 { 1158 u_int i; 1159 const struct KeyCert *from; 1160 struct KeyCert *to; 1161 1162 if (to_key->cert != NULL) { 1163 cert_free(to_key->cert); 1164 to_key->cert = NULL; 1165 } 1166 1167 if ((from = from_key->cert) == NULL) 1168 return; 1169 1170 to = to_key->cert = cert_new(); 1171 1172 buffer_append(&to->certblob, buffer_ptr(&from->certblob), 1173 buffer_len(&from->certblob)); 1174 1175 buffer_append(&to->critical, 1176 buffer_ptr(&from->critical), buffer_len(&from->critical)); 1177 buffer_append(&to->extensions, 1178 buffer_ptr(&from->extensions), buffer_len(&from->extensions)); 1179 1180 to->serial = from->serial; 1181 to->type = from->type; 1182 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id); 1183 to->valid_after = from->valid_after; 1184 to->valid_before = from->valid_before; 1185 to->signature_key = from->signature_key == NULL ? 1186 NULL : key_from_private(from->signature_key); 1187 1188 to->nprincipals = from->nprincipals; 1189 if (to->nprincipals > CERT_MAX_PRINCIPALS) 1190 fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)", 1191 __func__, to->nprincipals, CERT_MAX_PRINCIPALS); 1192 if (to->nprincipals > 0) { 1193 to->principals = xcalloc(from->nprincipals, 1194 sizeof(*to->principals)); 1195 for (i = 0; i < to->nprincipals; i++) 1196 to->principals[i] = xstrdup(from->principals[i]); 1197 } 1198 } 1199 1200 Key * 1201 key_from_private(const Key *k) 1202 { 1203 Key *n = NULL; 1204 switch (k->type) { 1205 case KEY_DSA: 1206 case KEY_DSA_CERT_V00: 1207 case KEY_DSA_CERT: 1208 n = key_new(k->type); 1209 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) || 1210 (BN_copy(n->dsa->q, k->dsa->q) == NULL) || 1211 (BN_copy(n->dsa->g, k->dsa->g) == NULL) || 1212 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) 1213 fatal("key_from_private: BN_copy failed"); 1214 break; 1215 #ifdef OPENSSL_HAS_ECC 1216 case KEY_ECDSA: 1217 case KEY_ECDSA_CERT: 1218 n = key_new(k->type); 1219 n->ecdsa_nid = k->ecdsa_nid; 1220 if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL) 1221 fatal("%s: EC_KEY_new_by_curve_name failed", __func__); 1222 if (EC_KEY_set_public_key(n->ecdsa, 1223 EC_KEY_get0_public_key(k->ecdsa)) != 1) 1224 fatal("%s: EC_KEY_set_public_key failed", __func__); 1225 break; 1226 #endif 1227 case KEY_RSA: 1228 case KEY_RSA1: 1229 case KEY_RSA_CERT_V00: 1230 case KEY_RSA_CERT: 1231 n = key_new(k->type); 1232 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || 1233 (BN_copy(n->rsa->e, k->rsa->e) == NULL)) 1234 fatal("key_from_private: BN_copy failed"); 1235 break; 1236 default: 1237 fatal("key_from_private: unknown type %d", k->type); 1238 break; 1239 } 1240 if (key_is_cert(k)) 1241 key_cert_copy(k, n); 1242 return n; 1243 } 1244 1245 int 1246 key_type_from_name(char *name) 1247 { 1248 if (strcmp(name, "rsa1") == 0) { 1249 return KEY_RSA1; 1250 } else if (strcmp(name, "rsa") == 0) { 1251 return KEY_RSA; 1252 } else if (strcmp(name, "dsa") == 0) { 1253 return KEY_DSA; 1254 } else if (strcmp(name, "ssh-rsa") == 0) { 1255 return KEY_RSA; 1256 } else if (strcmp(name, "ssh-dss") == 0) { 1257 return KEY_DSA; 1258 #ifdef OPENSSL_HAS_ECC 1259 } else if (strcmp(name, "ecdsa") == 0 || 1260 strcmp(name, "ecdsa-sha2-nistp256") == 0 || 1261 strcmp(name, "ecdsa-sha2-nistp384") == 0 || 1262 strcmp(name, "ecdsa-sha2-nistp521") == 0) { 1263 return KEY_ECDSA; 1264 #endif 1265 } else if (strcmp(name, "ssh-rsa-cert-v00 (at) openssh.com") == 0) { 1266 return KEY_RSA_CERT_V00; 1267 } else if (strcmp(name, "ssh-dss-cert-v00 (at) openssh.com") == 0) { 1268 return KEY_DSA_CERT_V00; 1269 } else if (strcmp(name, "ssh-rsa-cert-v01 (at) openssh.com") == 0) { 1270 return KEY_RSA_CERT; 1271 } else if (strcmp(name, "ssh-dss-cert-v01 (at) openssh.com") == 0) { 1272 return KEY_DSA_CERT; 1273 #ifdef OPENSSL_HAS_ECC 1274 } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01 (at) openssh.com") == 0 || 1275 strcmp(name, "ecdsa-sha2-nistp384-cert-v01 (at) openssh.com") == 0 || 1276 strcmp(name, "ecdsa-sha2-nistp521-cert-v01 (at) openssh.com") == 0) { 1277 return KEY_ECDSA_CERT; 1278 #endif 1279 } 1280 1281 debug2("key_type_from_name: unknown key type '%s'", name); 1282 return KEY_UNSPEC; 1283 } 1284 1285 int 1286 key_ecdsa_nid_from_name(const char *name) 1287 { 1288 #ifdef OPENSSL_HAS_ECC 1289 if (strcmp(name, "ecdsa-sha2-nistp256") == 0 || 1290 strcmp(name, "ecdsa-sha2-nistp256-cert-v01 (at) openssh.com") == 0) 1291 return NID_X9_62_prime256v1; 1292 if (strcmp(name, "ecdsa-sha2-nistp384") == 0 || 1293 strcmp(name, "ecdsa-sha2-nistp384-cert-v01 (at) openssh.com") == 0) 1294 return NID_secp384r1; 1295 if (strcmp(name, "ecdsa-sha2-nistp521") == 0 || 1296 strcmp(name, "ecdsa-sha2-nistp521-cert-v01 (at) openssh.com") == 0) 1297 return NID_secp521r1; 1298 #endif /* OPENSSL_HAS_ECC */ 1299 1300 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name); 1301 return -1; 1302 } 1303 1304 int 1305 key_names_valid2(const char *names) 1306 { 1307 char *s, *cp, *p; 1308 1309 if (names == NULL || strcmp(names, "") == 0) 1310 return 0; 1311 s = cp = xstrdup(names); 1312 for ((p = strsep(&cp, ",")); p && *p != '\0'; 1313 (p = strsep(&cp, ","))) { 1314 switch (key_type_from_name(p)) { 1315 case KEY_RSA1: 1316 case KEY_UNSPEC: 1317 xfree(s); 1318 return 0; 1319 } 1320 } 1321 debug3("key names ok: [%s]", names); 1322 xfree(s); 1323 return 1; 1324 } 1325 1326 static int 1327 cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) 1328 { 1329 u_char *principals, *critical, *exts, *sig_key, *sig; 1330 u_int signed_len, plen, clen, sklen, slen, kidlen, elen; 1331 Buffer tmp; 1332 char *principal; 1333 int ret = -1; 1334 int v00 = key->type == KEY_DSA_CERT_V00 || 1335 key->type == KEY_RSA_CERT_V00; 1336 1337 buffer_init(&tmp); 1338 1339 /* Copy the entire key blob for verification and later serialisation */ 1340 buffer_append(&key->cert->certblob, blob, blen); 1341 1342 elen = 0; /* Not touched for v00 certs */ 1343 principals = exts = critical = sig_key = sig = NULL; 1344 if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) || 1345 buffer_get_int_ret(&key->cert->type, b) != 0 || 1346 (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL || 1347 (principals = buffer_get_string_ret(b, &plen)) == NULL || 1348 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || 1349 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || 1350 (critical = buffer_get_string_ret(b, &clen)) == NULL || 1351 (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) || 1352 (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */ 1353 buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */ 1354 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) { 1355 error("%s: parse error", __func__); 1356 goto out; 1357 } 1358 1359 if (kidlen != strlen(key->cert->key_id)) { 1360 error("%s: key ID contains \\0 character", __func__); 1361 goto out; 1362 } 1363 1364 /* Signature is left in the buffer so we can calculate this length */ 1365 signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); 1366 1367 if ((sig = buffer_get_string_ret(b, &slen)) == NULL) { 1368 error("%s: parse error", __func__); 1369 goto out; 1370 } 1371 1372 if (key->cert->type != SSH2_CERT_TYPE_USER && 1373 key->cert->type != SSH2_CERT_TYPE_HOST) { 1374 error("Unknown certificate type %u", key->cert->type); 1375 goto out; 1376 } 1377 1378 buffer_append(&tmp, principals, plen); 1379 while (buffer_len(&tmp) > 0) { 1380 if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { 1381 error("%s: Too many principals", __func__); 1382 goto out; 1383 } 1384 if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) { 1385 error("%s: Principals data invalid", __func__); 1386 goto out; 1387 } 1388 key->cert->principals = xrealloc(key->cert->principals, 1389 key->cert->nprincipals + 1, sizeof(*key->cert->principals)); 1390 key->cert->principals[key->cert->nprincipals++] = principal; 1391 } 1392 1393 buffer_clear(&tmp); 1394 1395 buffer_append(&key->cert->critical, critical, clen); 1396 buffer_append(&tmp, critical, clen); 1397 /* validate structure */ 1398 while (buffer_len(&tmp) != 0) { 1399 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1400 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1401 error("%s: critical option data invalid", __func__); 1402 goto out; 1403 } 1404 } 1405 buffer_clear(&tmp); 1406 1407 buffer_append(&key->cert->extensions, exts, elen); 1408 buffer_append(&tmp, exts, elen); 1409 /* validate structure */ 1410 while (buffer_len(&tmp) != 0) { 1411 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL || 1412 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) { 1413 error("%s: extension data invalid", __func__); 1414 goto out; 1415 } 1416 } 1417 buffer_clear(&tmp); 1418 1419 if ((key->cert->signature_key = key_from_blob(sig_key, 1420 sklen)) == NULL) { 1421 error("%s: Signature key invalid", __func__); 1422 goto out; 1423 } 1424 if (key->cert->signature_key->type != KEY_RSA && 1425 key->cert->signature_key->type != KEY_DSA && 1426 key->cert->signature_key->type != KEY_ECDSA) { 1427 error("%s: Invalid signature key type %s (%d)", __func__, 1428 key_type(key->cert->signature_key), 1429 key->cert->signature_key->type); 1430 goto out; 1431 } 1432 1433 switch (key_verify(key->cert->signature_key, sig, slen, 1434 buffer_ptr(&key->cert->certblob), signed_len)) { 1435 case 1: 1436 ret = 0; 1437 break; /* Good signature */ 1438 case 0: 1439 error("%s: Invalid signature on certificate", __func__); 1440 goto out; 1441 case -1: 1442 error("%s: Certificate signature verification failed", 1443 __func__); 1444 goto out; 1445 } 1446 1447 out: 1448 buffer_free(&tmp); 1449 if (principals != NULL) 1450 xfree(principals); 1451 if (critical != NULL) 1452 xfree(critical); 1453 if (exts != NULL) 1454 xfree(exts); 1455 if (sig_key != NULL) 1456 xfree(sig_key); 1457 if (sig != NULL) 1458 xfree(sig); 1459 return ret; 1460 } 1461 1462 Key * 1463 key_from_blob(const u_char *blob, u_int blen) 1464 { 1465 Buffer b; 1466 int rlen, type; 1467 char *ktype = NULL, *curve = NULL; 1468 Key *key = NULL; 1469 #ifdef OPENSSL_HAS_ECC 1470 EC_POINT *q = NULL; 1471 int nid = -1; 1472 #endif 1473 1474 #ifdef DEBUG_PK 1475 dump_base64(stderr, blob, blen); 1476 #endif 1477 buffer_init(&b); 1478 buffer_append(&b, blob, blen); 1479 if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) { 1480 error("key_from_blob: can't read key type"); 1481 goto out; 1482 } 1483 1484 type = key_type_from_name(ktype); 1485 #ifdef OPENSSL_HAS_ECC 1486 if (key_type_plain(type) == KEY_ECDSA) 1487 nid = key_ecdsa_nid_from_name(ktype); 1488 #endif 1489 1490 switch (type) { 1491 case KEY_RSA_CERT: 1492 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1493 /* FALLTHROUGH */ 1494 case KEY_RSA: 1495 case KEY_RSA_CERT_V00: 1496 key = key_new(type); 1497 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 || 1498 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) { 1499 error("key_from_blob: can't read rsa key"); 1500 badkey: 1501 key_free(key); 1502 key = NULL; 1503 goto out; 1504 } 1505 #ifdef DEBUG_PK 1506 RSA_print_fp(stderr, key->rsa, 8); 1507 #endif 1508 break; 1509 case KEY_DSA_CERT: 1510 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1511 /* FALLTHROUGH */ 1512 case KEY_DSA: 1513 case KEY_DSA_CERT_V00: 1514 key = key_new(type); 1515 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 || 1516 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 || 1517 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 || 1518 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) { 1519 error("key_from_blob: can't read dsa key"); 1520 goto badkey; 1521 } 1522 #ifdef DEBUG_PK 1523 DSA_print_fp(stderr, key->dsa, 8); 1524 #endif 1525 break; 1526 #ifdef OPENSSL_HAS_ECC 1527 case KEY_ECDSA_CERT: 1528 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ 1529 /* FALLTHROUGH */ 1530 case KEY_ECDSA: 1531 key = key_new(type); 1532 key->ecdsa_nid = nid; 1533 if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) { 1534 error("key_from_blob: can't read ecdsa curve"); 1535 goto badkey; 1536 } 1537 if (key->ecdsa_nid != key_curve_name_to_nid(curve)) { 1538 error("key_from_blob: ecdsa curve doesn't match type"); 1539 goto badkey; 1540 } 1541 if (key->ecdsa != NULL) 1542 EC_KEY_free(key->ecdsa); 1543 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) 1544 == NULL) 1545 fatal("key_from_blob: EC_KEY_new_by_curve_name failed"); 1546 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) 1547 fatal("key_from_blob: EC_POINT_new failed"); 1548 if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa), 1549 q) == -1) { 1550 error("key_from_blob: can't read ecdsa key point"); 1551 goto badkey; 1552 } 1553 if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa), 1554 q) != 0) 1555 goto badkey; 1556 if (EC_KEY_set_public_key(key->ecdsa, q) != 1) 1557 fatal("key_from_blob: EC_KEY_set_public_key failed"); 1558 #ifdef DEBUG_PK 1559 key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q); 1560 #endif 1561 break; 1562 #endif /* OPENSSL_HAS_ECC */ 1563 case KEY_UNSPEC: 1564 key = key_new(type); 1565 break; 1566 default: 1567 error("key_from_blob: cannot handle type %s", ktype); 1568 goto out; 1569 } 1570 if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) { 1571 error("key_from_blob: can't parse cert data"); 1572 goto badkey; 1573 } 1574 rlen = buffer_len(&b); 1575 if (key != NULL && rlen != 0) 1576 error("key_from_blob: remaining bytes in key blob %d", rlen); 1577 out: 1578 if (ktype != NULL) 1579 xfree(ktype); 1580 if (curve != NULL) 1581 xfree(curve); 1582 #ifdef OPENSSL_HAS_ECC 1583 if (q != NULL) 1584 EC_POINT_free(q); 1585 #endif 1586 buffer_free(&b); 1587 return key; 1588 } 1589 1590 int 1591 key_to_blob(const Key *key, u_char **blobp, u_int *lenp) 1592 { 1593 Buffer b; 1594 int len; 1595 1596 if (key == NULL) { 1597 error("key_to_blob: key == NULL"); 1598 return 0; 1599 } 1600 buffer_init(&b); 1601 switch (key->type) { 1602 case KEY_DSA_CERT_V00: 1603 case KEY_RSA_CERT_V00: 1604 case KEY_DSA_CERT: 1605 case KEY_ECDSA_CERT: 1606 case KEY_RSA_CERT: 1607 /* Use the existing blob */ 1608 buffer_append(&b, buffer_ptr(&key->cert->certblob), 1609 buffer_len(&key->cert->certblob)); 1610 break; 1611 case KEY_DSA: 1612 buffer_put_cstring(&b, key_ssh_name(key)); 1613 buffer_put_bignum2(&b, key->dsa->p); 1614 buffer_put_bignum2(&b, key->dsa->q); 1615 buffer_put_bignum2(&b, key->dsa->g); 1616 buffer_put_bignum2(&b, key->dsa->pub_key); 1617 break; 1618 #ifdef OPENSSL_HAS_ECC 1619 case KEY_ECDSA: 1620 buffer_put_cstring(&b, key_ssh_name(key)); 1621 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid)); 1622 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa), 1623 EC_KEY_get0_public_key(key->ecdsa)); 1624 break; 1625 #endif 1626 case KEY_RSA: 1627 buffer_put_cstring(&b, key_ssh_name(key)); 1628 buffer_put_bignum2(&b, key->rsa->e); 1629 buffer_put_bignum2(&b, key->rsa->n); 1630 break; 1631 default: 1632 error("key_to_blob: unsupported key type %d", key->type); 1633 buffer_free(&b); 1634 return 0; 1635 } 1636 len = buffer_len(&b); 1637 if (lenp != NULL) 1638 *lenp = len; 1639 if (blobp != NULL) { 1640 *blobp = xmalloc(len); 1641 memcpy(*blobp, buffer_ptr(&b), len); 1642 } 1643 memset(buffer_ptr(&b), 0, len); 1644 buffer_free(&b); 1645 return len; 1646 } 1647 1648 int 1649 key_sign( 1650 const Key *key, 1651 u_char **sigp, u_int *lenp, 1652 const u_char *data, u_int datalen) 1653 { 1654 switch (key->type) { 1655 case KEY_DSA_CERT_V00: 1656 case KEY_DSA_CERT: 1657 case KEY_DSA: 1658 return ssh_dss_sign(key, sigp, lenp, data, datalen); 1659 #ifdef OPENSSL_HAS_ECC 1660 case KEY_ECDSA_CERT: 1661 case KEY_ECDSA: 1662 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen); 1663 #endif 1664 case KEY_RSA_CERT_V00: 1665 case KEY_RSA_CERT: 1666 case KEY_RSA: 1667 return ssh_rsa_sign(key, sigp, lenp, data, datalen); 1668 default: 1669 error("key_sign: invalid key type %d", key->type); 1670 return -1; 1671 } 1672 } 1673 1674 /* 1675 * key_verify returns 1 for a correct signature, 0 for an incorrect signature 1676 * and -1 on error. 1677 */ 1678 int 1679 key_verify( 1680 const Key *key, 1681 const u_char *signature, u_int signaturelen, 1682 const u_char *data, u_int datalen) 1683 { 1684 if (signaturelen == 0) 1685 return -1; 1686 1687 switch (key->type) { 1688 case KEY_DSA_CERT_V00: 1689 case KEY_DSA_CERT: 1690 case KEY_DSA: 1691 return ssh_dss_verify(key, signature, signaturelen, data, datalen); 1692 #ifdef OPENSSL_HAS_ECC 1693 case KEY_ECDSA_CERT: 1694 case KEY_ECDSA: 1695 return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen); 1696 #endif 1697 case KEY_RSA_CERT_V00: 1698 case KEY_RSA_CERT: 1699 case KEY_RSA: 1700 return ssh_rsa_verify(key, signature, signaturelen, data, datalen); 1701 default: 1702 error("key_verify: invalid key type %d", key->type); 1703 return -1; 1704 } 1705 } 1706 1707 /* Converts a private to a public key */ 1708 Key * 1709 key_demote(const Key *k) 1710 { 1711 Key *pk; 1712 1713 pk = xcalloc(1, sizeof(*pk)); 1714 pk->type = k->type; 1715 pk->flags = k->flags; 1716 pk->ecdsa_nid = k->ecdsa_nid; 1717 pk->dsa = NULL; 1718 pk->ecdsa = NULL; 1719 pk->rsa = NULL; 1720 1721 switch (k->type) { 1722 case KEY_RSA_CERT_V00: 1723 case KEY_RSA_CERT: 1724 key_cert_copy(k, pk); 1725 /* FALLTHROUGH */ 1726 case KEY_RSA1: 1727 case KEY_RSA: 1728 if ((pk->rsa = RSA_new()) == NULL) 1729 fatal("key_demote: RSA_new failed"); 1730 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) 1731 fatal("key_demote: BN_dup failed"); 1732 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL) 1733 fatal("key_demote: BN_dup failed"); 1734 break; 1735 case KEY_DSA_CERT_V00: 1736 case KEY_DSA_CERT: 1737 key_cert_copy(k, pk); 1738 /* FALLTHROUGH */ 1739 case KEY_DSA: 1740 if ((pk->dsa = DSA_new()) == NULL) 1741 fatal("key_demote: DSA_new failed"); 1742 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 1743 fatal("key_demote: BN_dup failed"); 1744 if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL) 1745 fatal("key_demote: BN_dup failed"); 1746 if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL) 1747 fatal("key_demote: BN_dup failed"); 1748 if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) 1749 fatal("key_demote: BN_dup failed"); 1750 break; 1751 #ifdef OPENSSL_HAS_ECC 1752 case KEY_ECDSA_CERT: 1753 key_cert_copy(k, pk); 1754 /* FALLTHROUGH */ 1755 case KEY_ECDSA: 1756 if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL) 1757 fatal("key_demote: EC_KEY_new_by_curve_name failed"); 1758 if (EC_KEY_set_public_key(pk->ecdsa, 1759 EC_KEY_get0_public_key(k->ecdsa)) != 1) 1760 fatal("key_demote: EC_KEY_set_public_key failed"); 1761 break; 1762 #endif 1763 default: 1764 fatal("key_free: bad key type %d", k->type); 1765 break; 1766 } 1767 1768 return (pk); 1769 } 1770 1771 int 1772 key_is_cert(const Key *k) 1773 { 1774 if (k == NULL) 1775 return 0; 1776 switch (k->type) { 1777 case KEY_RSA_CERT_V00: 1778 case KEY_DSA_CERT_V00: 1779 case KEY_RSA_CERT: 1780 case KEY_DSA_CERT: 1781 case KEY_ECDSA_CERT: 1782 return 1; 1783 default: 1784 return 0; 1785 } 1786 } 1787 1788 /* Return the cert-less equivalent to a certified key type */ 1789 int 1790 key_type_plain(int type) 1791 { 1792 switch (type) { 1793 case KEY_RSA_CERT_V00: 1794 case KEY_RSA_CERT: 1795 return KEY_RSA; 1796 case KEY_DSA_CERT_V00: 1797 case KEY_DSA_CERT: 1798 return KEY_DSA; 1799 case KEY_ECDSA_CERT: 1800 return KEY_ECDSA; 1801 default: 1802 return type; 1803 } 1804 } 1805 1806 /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ 1807 int 1808 key_to_certified(Key *k, int legacy) 1809 { 1810 switch (k->type) { 1811 case KEY_RSA: 1812 k->cert = cert_new(); 1813 k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT; 1814 return 0; 1815 case KEY_DSA: 1816 k->cert = cert_new(); 1817 k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT; 1818 return 0; 1819 case KEY_ECDSA: 1820 if (legacy) 1821 fatal("%s: legacy ECDSA certificates are not supported", 1822 __func__); 1823 k->cert = cert_new(); 1824 k->type = KEY_ECDSA_CERT; 1825 return 0; 1826 default: 1827 error("%s: key has incorrect type %s", __func__, key_type(k)); 1828 return -1; 1829 } 1830 } 1831 1832 /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ 1833 int 1834 key_drop_cert(Key *k) 1835 { 1836 switch (k->type) { 1837 case KEY_RSA_CERT_V00: 1838 case KEY_RSA_CERT: 1839 cert_free(k->cert); 1840 k->type = KEY_RSA; 1841 return 0; 1842 case KEY_DSA_CERT_V00: 1843 case KEY_DSA_CERT: 1844 cert_free(k->cert); 1845 k->type = KEY_DSA; 1846 return 0; 1847 case KEY_ECDSA_CERT: 1848 cert_free(k->cert); 1849 k->type = KEY_ECDSA; 1850 return 0; 1851 default: 1852 error("%s: key has incorrect type %s", __func__, key_type(k)); 1853 return -1; 1854 } 1855 } 1856 1857 /* 1858 * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating 1859 * the signed certblob 1860 */ 1861 int 1862 key_certify(Key *k, Key *ca) 1863 { 1864 Buffer principals; 1865 u_char *ca_blob, *sig_blob, nonce[32]; 1866 u_int i, ca_len, sig_len; 1867 1868 if (k->cert == NULL) { 1869 error("%s: key lacks cert info", __func__); 1870 return -1; 1871 } 1872 1873 if (!key_is_cert(k)) { 1874 error("%s: certificate has unknown type %d", __func__, 1875 k->cert->type); 1876 return -1; 1877 } 1878 1879 if (ca->type != KEY_RSA && ca->type != KEY_DSA && 1880 ca->type != KEY_ECDSA) { 1881 error("%s: CA key has unsupported type %s", __func__, 1882 key_type(ca)); 1883 return -1; 1884 } 1885 1886 key_to_blob(ca, &ca_blob, &ca_len); 1887 1888 buffer_clear(&k->cert->certblob); 1889 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k)); 1890 1891 /* -v01 certs put nonce first */ 1892 arc4random_buf(&nonce, sizeof(nonce)); 1893 if (!key_cert_is_legacy(k)) 1894 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1895 1896 switch (k->type) { 1897 case KEY_DSA_CERT_V00: 1898 case KEY_DSA_CERT: 1899 buffer_put_bignum2(&k->cert->certblob, k->dsa->p); 1900 buffer_put_bignum2(&k->cert->certblob, k->dsa->q); 1901 buffer_put_bignum2(&k->cert->certblob, k->dsa->g); 1902 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key); 1903 break; 1904 #ifdef OPENSSL_HAS_ECC 1905 case KEY_ECDSA_CERT: 1906 buffer_put_cstring(&k->cert->certblob, 1907 key_curve_nid_to_name(k->ecdsa_nid)); 1908 buffer_put_ecpoint(&k->cert->certblob, 1909 EC_KEY_get0_group(k->ecdsa), 1910 EC_KEY_get0_public_key(k->ecdsa)); 1911 break; 1912 #endif 1913 case KEY_RSA_CERT_V00: 1914 case KEY_RSA_CERT: 1915 buffer_put_bignum2(&k->cert->certblob, k->rsa->e); 1916 buffer_put_bignum2(&k->cert->certblob, k->rsa->n); 1917 break; 1918 default: 1919 error("%s: key has incorrect type %s", __func__, key_type(k)); 1920 buffer_clear(&k->cert->certblob); 1921 xfree(ca_blob); 1922 return -1; 1923 } 1924 1925 /* -v01 certs have a serial number next */ 1926 if (!key_cert_is_legacy(k)) 1927 buffer_put_int64(&k->cert->certblob, k->cert->serial); 1928 1929 buffer_put_int(&k->cert->certblob, k->cert->type); 1930 buffer_put_cstring(&k->cert->certblob, k->cert->key_id); 1931 1932 buffer_init(&principals); 1933 for (i = 0; i < k->cert->nprincipals; i++) 1934 buffer_put_cstring(&principals, k->cert->principals[i]); 1935 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals), 1936 buffer_len(&principals)); 1937 buffer_free(&principals); 1938 1939 buffer_put_int64(&k->cert->certblob, k->cert->valid_after); 1940 buffer_put_int64(&k->cert->certblob, k->cert->valid_before); 1941 buffer_put_string(&k->cert->certblob, 1942 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical)); 1943 1944 /* -v01 certs have non-critical options here */ 1945 if (!key_cert_is_legacy(k)) { 1946 buffer_put_string(&k->cert->certblob, 1947 buffer_ptr(&k->cert->extensions), 1948 buffer_len(&k->cert->extensions)); 1949 } 1950 1951 /* -v00 certs put the nonce at the end */ 1952 if (key_cert_is_legacy(k)) 1953 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); 1954 1955 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */ 1956 buffer_put_string(&k->cert->certblob, ca_blob, ca_len); 1957 xfree(ca_blob); 1958 1959 /* Sign the whole mess */ 1960 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob), 1961 buffer_len(&k->cert->certblob)) != 0) { 1962 error("%s: signature operation failed", __func__); 1963 buffer_clear(&k->cert->certblob); 1964 return -1; 1965 } 1966 /* Append signature and we are done */ 1967 buffer_put_string(&k->cert->certblob, sig_blob, sig_len); 1968 xfree(sig_blob); 1969 1970 return 0; 1971 } 1972 1973 int 1974 key_cert_check_authority(const Key *k, int want_host, int require_principal, 1975 const char *name, const char **reason) 1976 { 1977 u_int i, principal_matches; 1978 time_t now = time(NULL); 1979 1980 if (want_host) { 1981 if (k->cert->type != SSH2_CERT_TYPE_HOST) { 1982 *reason = "Certificate invalid: not a host certificate"; 1983 return -1; 1984 } 1985 } else { 1986 if (k->cert->type != SSH2_CERT_TYPE_USER) { 1987 *reason = "Certificate invalid: not a user certificate"; 1988 return -1; 1989 } 1990 } 1991 if (now < 0) { 1992 error("%s: system clock lies before epoch", __func__); 1993 *reason = "Certificate invalid: not yet valid"; 1994 return -1; 1995 } 1996 if ((u_int64_t)now < k->cert->valid_after) { 1997 *reason = "Certificate invalid: not yet valid"; 1998 return -1; 1999 } 2000 if ((u_int64_t)now >= k->cert->valid_before) { 2001 *reason = "Certificate invalid: expired"; 2002 return -1; 2003 } 2004 if (k->cert->nprincipals == 0) { 2005 if (require_principal) { 2006 *reason = "Certificate lacks principal list"; 2007 return -1; 2008 } 2009 } else if (name != NULL) { 2010 principal_matches = 0; 2011 for (i = 0; i < k->cert->nprincipals; i++) { 2012 if (strcmp(name, k->cert->principals[i]) == 0) { 2013 principal_matches = 1; 2014 break; 2015 } 2016 } 2017 if (!principal_matches) { 2018 *reason = "Certificate invalid: name is not a listed " 2019 "principal"; 2020 return -1; 2021 } 2022 } 2023 return 0; 2024 } 2025 2026 int 2027 key_cert_is_legacy(Key *k) 2028 { 2029 switch (k->type) { 2030 case KEY_DSA_CERT_V00: 2031 case KEY_RSA_CERT_V00: 2032 return 1; 2033 default: 2034 return 0; 2035 } 2036 } 2037 2038 /* XXX: these are really begging for a table-driven approach */ 2039 int 2040 key_curve_name_to_nid(const char *name) 2041 { 2042 #ifdef OPENSSL_HAS_ECC 2043 if (strcmp(name, "nistp256") == 0) 2044 return NID_X9_62_prime256v1; 2045 else if (strcmp(name, "nistp384") == 0) 2046 return NID_secp384r1; 2047 else if (strcmp(name, "nistp521") == 0) 2048 return NID_secp521r1; 2049 #endif 2050 2051 debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); 2052 return -1; 2053 } 2054 2055 u_int 2056 key_curve_nid_to_bits(int nid) 2057 { 2058 switch (nid) { 2059 #ifdef OPENSSL_HAS_ECC 2060 case NID_X9_62_prime256v1: 2061 return 256; 2062 case NID_secp384r1: 2063 return 384; 2064 case NID_secp521r1: 2065 return 521; 2066 #endif 2067 default: 2068 error("%s: unsupported EC curve nid %d", __func__, nid); 2069 return 0; 2070 } 2071 } 2072 2073 const char * 2074 key_curve_nid_to_name(int nid) 2075 { 2076 #ifdef OPENSSL_HAS_ECC 2077 if (nid == NID_X9_62_prime256v1) 2078 return "nistp256"; 2079 else if (nid == NID_secp384r1) 2080 return "nistp384"; 2081 else if (nid == NID_secp521r1) 2082 return "nistp521"; 2083 #endif 2084 error("%s: unsupported EC curve nid %d", __func__, nid); 2085 return NULL; 2086 } 2087 2088 #ifdef OPENSSL_HAS_ECC 2089 const EVP_MD * 2090 key_ec_nid_to_evpmd(int nid) 2091 { 2092 int kbits = key_curve_nid_to_bits(nid); 2093 2094 if (kbits == 0) 2095 fatal("%s: invalid nid %d", __func__, nid); 2096 /* RFC5656 section 6.2.1 */ 2097 if (kbits <= 256) 2098 return EVP_sha256(); 2099 else if (kbits <= 384) 2100 return EVP_sha384(); 2101 else 2102 return EVP_sha512(); 2103 } 2104 2105 int 2106 key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) 2107 { 2108 BN_CTX *bnctx; 2109 EC_POINT *nq = NULL; 2110 BIGNUM *order, *x, *y, *tmp; 2111 int ret = -1; 2112 2113 if ((bnctx = BN_CTX_new()) == NULL) 2114 fatal("%s: BN_CTX_new failed", __func__); 2115 BN_CTX_start(bnctx); 2116 2117 /* 2118 * We shouldn't ever hit this case because bignum_get_ecpoint() 2119 * refuses to load GF2m points. 2120 */ 2121 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2122 NID_X9_62_prime_field) { 2123 error("%s: group is not a prime field", __func__); 2124 goto out; 2125 } 2126 2127 /* Q != infinity */ 2128 if (EC_POINT_is_at_infinity(group, public)) { 2129 error("%s: received degenerate public key (infinity)", 2130 __func__); 2131 goto out; 2132 } 2133 2134 if ((x = BN_CTX_get(bnctx)) == NULL || 2135 (y = BN_CTX_get(bnctx)) == NULL || 2136 (order = BN_CTX_get(bnctx)) == NULL || 2137 (tmp = BN_CTX_get(bnctx)) == NULL) 2138 fatal("%s: BN_CTX_get failed", __func__); 2139 2140 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */ 2141 if (EC_GROUP_get_order(group, order, bnctx) != 1) 2142 fatal("%s: EC_GROUP_get_order failed", __func__); 2143 if (EC_POINT_get_affine_coordinates_GFp(group, public, 2144 x, y, bnctx) != 1) 2145 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2146 if (BN_num_bits(x) <= BN_num_bits(order) / 2) { 2147 error("%s: public key x coordinate too small: " 2148 "bits(x) = %d, bits(order)/2 = %d", __func__, 2149 BN_num_bits(x), BN_num_bits(order) / 2); 2150 goto out; 2151 } 2152 if (BN_num_bits(y) <= BN_num_bits(order) / 2) { 2153 error("%s: public key y coordinate too small: " 2154 "bits(y) = %d, bits(order)/2 = %d", __func__, 2155 BN_num_bits(x), BN_num_bits(order) / 2); 2156 goto out; 2157 } 2158 2159 /* nQ == infinity (n == order of subgroup) */ 2160 if ((nq = EC_POINT_new(group)) == NULL) 2161 fatal("%s: BN_CTX_tmp failed", __func__); 2162 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) 2163 fatal("%s: EC_GROUP_mul failed", __func__); 2164 if (EC_POINT_is_at_infinity(group, nq) != 1) { 2165 error("%s: received degenerate public key (nQ != infinity)", 2166 __func__); 2167 goto out; 2168 } 2169 2170 /* x < order - 1, y < order - 1 */ 2171 if (!BN_sub(tmp, order, BN_value_one())) 2172 fatal("%s: BN_sub failed", __func__); 2173 if (BN_cmp(x, tmp) >= 0) { 2174 error("%s: public key x coordinate >= group order - 1", 2175 __func__); 2176 goto out; 2177 } 2178 if (BN_cmp(y, tmp) >= 0) { 2179 error("%s: public key y coordinate >= group order - 1", 2180 __func__); 2181 goto out; 2182 } 2183 ret = 0; 2184 out: 2185 BN_CTX_free(bnctx); 2186 EC_POINT_free(nq); 2187 return ret; 2188 } 2189 2190 int 2191 key_ec_validate_private(const EC_KEY *key) 2192 { 2193 BN_CTX *bnctx; 2194 BIGNUM *order, *tmp; 2195 int ret = -1; 2196 2197 if ((bnctx = BN_CTX_new()) == NULL) 2198 fatal("%s: BN_CTX_new failed", __func__); 2199 BN_CTX_start(bnctx); 2200 2201 if ((order = BN_CTX_get(bnctx)) == NULL || 2202 (tmp = BN_CTX_get(bnctx)) == NULL) 2203 fatal("%s: BN_CTX_get failed", __func__); 2204 2205 /* log2(private) > log2(order)/2 */ 2206 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) 2207 fatal("%s: EC_GROUP_get_order failed", __func__); 2208 if (BN_num_bits(EC_KEY_get0_private_key(key)) <= 2209 BN_num_bits(order) / 2) { 2210 error("%s: private key too small: " 2211 "bits(y) = %d, bits(order)/2 = %d", __func__, 2212 BN_num_bits(EC_KEY_get0_private_key(key)), 2213 BN_num_bits(order) / 2); 2214 goto out; 2215 } 2216 2217 /* private < order - 1 */ 2218 if (!BN_sub(tmp, order, BN_value_one())) 2219 fatal("%s: BN_sub failed", __func__); 2220 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) { 2221 error("%s: private key >= group order - 1", __func__); 2222 goto out; 2223 } 2224 ret = 0; 2225 out: 2226 BN_CTX_free(bnctx); 2227 return ret; 2228 } 2229 2230 #if defined(DEBUG_KEXECDH) || defined(DEBUG_PK) 2231 void 2232 key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) 2233 { 2234 BIGNUM *x, *y; 2235 BN_CTX *bnctx; 2236 2237 if (point == NULL) { 2238 fputs("point=(NULL)\n", stderr); 2239 return; 2240 } 2241 if ((bnctx = BN_CTX_new()) == NULL) 2242 fatal("%s: BN_CTX_new failed", __func__); 2243 BN_CTX_start(bnctx); 2244 if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL) 2245 fatal("%s: BN_CTX_get failed", __func__); 2246 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != 2247 NID_X9_62_prime_field) 2248 fatal("%s: group is not a prime field", __func__); 2249 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1) 2250 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__); 2251 fputs("x=", stderr); 2252 BN_print_fp(stderr, x); 2253 fputs("\ny=", stderr); 2254 BN_print_fp(stderr, y); 2255 fputs("\n", stderr); 2256 BN_CTX_free(bnctx); 2257 } 2258 2259 void 2260 key_dump_ec_key(const EC_KEY *key) 2261 { 2262 const BIGNUM *exponent; 2263 2264 key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key)); 2265 fputs("exponent=", stderr); 2266 if ((exponent = EC_KEY_get0_private_key(key)) == NULL) 2267 fputs("(NULL)", stderr); 2268 else 2269 BN_print_fp(stderr, EC_KEY_get0_private_key(key)); 2270 fputs("\n", stderr); 2271 } 2272 #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ 2273 #endif /* OPENSSL_HAS_ECC */ 2274
