blob: 90f0a0173f2f0768dfa61a6650f82a9591a6ca77 [file] [log] [blame]
Damien Miller4a3a9d42013-10-30 22:19:47 +11001/* $OpenBSD: key.c,v 1.105 2013/10/29 09:42:11 djm Exp $ */
Damien Miller450a7a12000-03-26 13:04:51 +10002/*
Damien Millere4340be2000-09-16 13:29:08 +11003 * read_bignum():
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 *
12 *
Ben Lindstrom44697232001-07-04 03:32:30 +000013 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
Darren Tucker0f0ef0a2008-06-13 08:58:05 +100014 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
Damien Miller450a7a12000-03-26 13:04:51 +100015 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
Damien Miller450a7a12000-03-26 13:04:51 +100024 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 */
Damien Millerd7834352006-08-05 12:39:39 +100036
Damien Miller450a7a12000-03-26 13:04:51 +100037#include "includes.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000038
Darren Tucker9c16ac92008-06-13 04:40:35 +100039#include <sys/param.h>
Damien Millerd7834352006-08-05 12:39:39 +100040#include <sys/types.h>
41
Damien Miller450a7a12000-03-26 13:04:51 +100042#include <openssl/evp.h>
Darren Tucker3d295a62008-02-28 19:22:04 +110043#include <openbsd-compat/openssl-compat.h>
Ben Lindstrom226cfa02001-01-22 05:34:40 +000044
Damien Millerded319c2006-09-01 15:38:36 +100045#include <stdarg.h>
Damien Millera7a73ee2006-08-05 11:37:59 +100046#include <stdio.h>
Damien Millere3476ed2006-07-24 14:13:33 +100047#include <string.h>
48
Damien Miller450a7a12000-03-26 13:04:51 +100049#include "xmalloc.h"
50#include "key.h"
Damien Miller0bc1bd82000-11-13 22:57:25 +110051#include "rsa.h"
Damien Millereba71ba2000-04-29 23:57:08 +100052#include "uuencode.h"
Damien Miller0bc1bd82000-11-13 22:57:25 +110053#include "buffer.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000054#include "log.h"
Damien Miller8a0268f2010-07-16 13:57:51 +100055#include "misc.h"
Damien Miller0a80ca12010-02-27 07:55:05 +110056#include "ssh2.h"
57
Damien Millerf3747bf2013-01-18 11:44:04 +110058static int to_blob(const Key *, u_char **, u_int *, int);
Damien Miller4a3a9d42013-10-30 22:19:47 +110059static Key *key_from_blob2(const u_char *, u_int, int);
Damien Millerf3747bf2013-01-18 11:44:04 +110060
Damien Miller0a80ca12010-02-27 07:55:05 +110061static struct KeyCert *
62cert_new(void)
63{
64 struct KeyCert *cert;
65
66 cert = xcalloc(1, sizeof(*cert));
67 buffer_init(&cert->certblob);
Damien Miller4e270b02010-04-16 15:56:21 +100068 buffer_init(&cert->critical);
69 buffer_init(&cert->extensions);
Damien Miller0a80ca12010-02-27 07:55:05 +110070 cert->key_id = NULL;
71 cert->principals = NULL;
72 cert->signature_key = NULL;
73 return cert;
74}
Damien Miller450a7a12000-03-26 13:04:51 +100075
76Key *
77key_new(int type)
78{
79 Key *k;
80 RSA *rsa;
81 DSA *dsa;
Damien Miller07d86be2006-03-26 14:19:21 +110082 k = xcalloc(1, sizeof(*k));
Damien Miller450a7a12000-03-26 13:04:51 +100083 k->type = type;
Damien Millereb8b60e2010-08-31 22:41:14 +100084 k->ecdsa = NULL;
85 k->ecdsa_nid = -1;
Damien Millereba71ba2000-04-29 23:57:08 +100086 k->dsa = NULL;
87 k->rsa = NULL;
Damien Miller0a80ca12010-02-27 07:55:05 +110088 k->cert = NULL;
Damien Miller450a7a12000-03-26 13:04:51 +100089 switch (k->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +110090 case KEY_RSA1:
Damien Miller450a7a12000-03-26 13:04:51 +100091 case KEY_RSA:
Damien Miller4e270b02010-04-16 15:56:21 +100092 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +110093 case KEY_RSA_CERT:
Damien Millerda755162002-01-22 23:09:22 +110094 if ((rsa = RSA_new()) == NULL)
95 fatal("key_new: RSA_new failed");
96 if ((rsa->n = BN_new()) == NULL)
97 fatal("key_new: BN_new failed");
98 if ((rsa->e = BN_new()) == NULL)
99 fatal("key_new: BN_new failed");
Damien Miller450a7a12000-03-26 13:04:51 +1000100 k->rsa = rsa;
101 break;
102 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000103 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100104 case KEY_DSA_CERT:
Damien Millerda755162002-01-22 23:09:22 +1100105 if ((dsa = DSA_new()) == NULL)
106 fatal("key_new: DSA_new failed");
107 if ((dsa->p = BN_new()) == NULL)
108 fatal("key_new: BN_new failed");
109 if ((dsa->q = BN_new()) == NULL)
110 fatal("key_new: BN_new failed");
111 if ((dsa->g = BN_new()) == NULL)
112 fatal("key_new: BN_new failed");
113 if ((dsa->pub_key = BN_new()) == NULL)
114 fatal("key_new: BN_new failed");
Damien Miller450a7a12000-03-26 13:04:51 +1000115 k->dsa = dsa;
116 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000117#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000118 case KEY_ECDSA:
119 case KEY_ECDSA_CERT:
120 /* Cannot do anything until we know the group */
121 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000122#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +1100123 case KEY_UNSPEC:
Damien Miller450a7a12000-03-26 13:04:51 +1000124 break;
125 default:
126 fatal("key_new: bad key type %d", k->type);
127 break;
128 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100129
130 if (key_is_cert(k))
131 k->cert = cert_new();
132
Damien Miller450a7a12000-03-26 13:04:51 +1000133 return k;
134}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000135
Damien Miller0a80ca12010-02-27 07:55:05 +1100136void
137key_add_private(Key *k)
Damien Miller0bc1bd82000-11-13 22:57:25 +1100138{
Damien Miller0bc1bd82000-11-13 22:57:25 +1100139 switch (k->type) {
140 case KEY_RSA1:
141 case KEY_RSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000142 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100143 case KEY_RSA_CERT:
Damien Millerda755162002-01-22 23:09:22 +1100144 if ((k->rsa->d = BN_new()) == NULL)
145 fatal("key_new_private: BN_new failed");
146 if ((k->rsa->iqmp = BN_new()) == NULL)
147 fatal("key_new_private: BN_new failed");
148 if ((k->rsa->q = BN_new()) == NULL)
149 fatal("key_new_private: BN_new failed");
150 if ((k->rsa->p = BN_new()) == NULL)
151 fatal("key_new_private: BN_new failed");
152 if ((k->rsa->dmq1 = BN_new()) == NULL)
153 fatal("key_new_private: BN_new failed");
154 if ((k->rsa->dmp1 = BN_new()) == NULL)
155 fatal("key_new_private: BN_new failed");
Damien Miller0bc1bd82000-11-13 22:57:25 +1100156 break;
157 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000158 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100159 case KEY_DSA_CERT:
Damien Millerda755162002-01-22 23:09:22 +1100160 if ((k->dsa->priv_key = BN_new()) == NULL)
161 fatal("key_new_private: BN_new failed");
Damien Miller0bc1bd82000-11-13 22:57:25 +1100162 break;
Damien Millereb8b60e2010-08-31 22:41:14 +1000163 case KEY_ECDSA:
164 case KEY_ECDSA_CERT:
165 /* Cannot do anything until we know the group */
166 break;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100167 case KEY_UNSPEC:
168 break;
169 default:
170 break;
171 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100172}
173
174Key *
175key_new_private(int type)
176{
177 Key *k = key_new(type);
178
179 key_add_private(k);
Damien Miller0bc1bd82000-11-13 22:57:25 +1100180 return k;
181}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000182
Damien Miller0a80ca12010-02-27 07:55:05 +1100183static void
184cert_free(struct KeyCert *cert)
185{
186 u_int i;
187
188 buffer_free(&cert->certblob);
Damien Miller4e270b02010-04-16 15:56:21 +1000189 buffer_free(&cert->critical);
190 buffer_free(&cert->extensions);
Darren Tuckera627d422013-06-02 07:31:17 +1000191 free(cert->key_id);
Damien Miller0a80ca12010-02-27 07:55:05 +1100192 for (i = 0; i < cert->nprincipals; i++)
Darren Tuckera627d422013-06-02 07:31:17 +1000193 free(cert->principals[i]);
194 free(cert->principals);
Damien Miller0a80ca12010-02-27 07:55:05 +1100195 if (cert->signature_key != NULL)
196 key_free(cert->signature_key);
Darren Tuckera627d422013-06-02 07:31:17 +1000197 free(cert);
Damien Miller0a80ca12010-02-27 07:55:05 +1100198}
199
Damien Miller450a7a12000-03-26 13:04:51 +1000200void
201key_free(Key *k)
202{
Damien Miller429fcc22006-03-26 14:02:16 +1100203 if (k == NULL)
Damien Millerbbaad772006-03-26 14:03:03 +1100204 fatal("key_free: key is NULL");
Damien Miller450a7a12000-03-26 13:04:51 +1000205 switch (k->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100206 case KEY_RSA1:
Damien Miller450a7a12000-03-26 13:04:51 +1000207 case KEY_RSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000208 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100209 case KEY_RSA_CERT:
Damien Miller450a7a12000-03-26 13:04:51 +1000210 if (k->rsa != NULL)
211 RSA_free(k->rsa);
212 k->rsa = NULL;
213 break;
214 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000215 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100216 case KEY_DSA_CERT:
Damien Miller450a7a12000-03-26 13:04:51 +1000217 if (k->dsa != NULL)
218 DSA_free(k->dsa);
219 k->dsa = NULL;
220 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000221#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000222 case KEY_ECDSA:
223 case KEY_ECDSA_CERT:
224 if (k->ecdsa != NULL)
225 EC_KEY_free(k->ecdsa);
226 k->ecdsa = NULL;
227 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000228#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +1100229 case KEY_UNSPEC:
230 break;
Damien Miller450a7a12000-03-26 13:04:51 +1000231 default:
232 fatal("key_free: bad key type %d", k->type);
233 break;
234 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100235 if (key_is_cert(k)) {
236 if (k->cert != NULL)
237 cert_free(k->cert);
238 k->cert = NULL;
239 }
240
Darren Tuckera627d422013-06-02 07:31:17 +1000241 free(k);
Damien Miller450a7a12000-03-26 13:04:51 +1000242}
Damien Millerf58b58c2003-11-17 21:18:23 +1100243
Damien Miller0a80ca12010-02-27 07:55:05 +1100244static int
245cert_compare(struct KeyCert *a, struct KeyCert *b)
Damien Miller450a7a12000-03-26 13:04:51 +1000246{
Damien Miller0a80ca12010-02-27 07:55:05 +1100247 if (a == NULL && b == NULL)
248 return 1;
249 if (a == NULL || b == NULL)
Damien Miller450a7a12000-03-26 13:04:51 +1000250 return 0;
Damien Miller0a80ca12010-02-27 07:55:05 +1100251 if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
252 return 0;
Damien Millerea1651c2010-07-16 13:58:37 +1000253 if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
Damien Miller0a80ca12010-02-27 07:55:05 +1100254 buffer_len(&a->certblob)) != 0)
255 return 0;
256 return 1;
257}
258
259/*
260 * Compare public portions of key only, allowing comparisons between
261 * certificates and plain keys too.
262 */
263int
264key_equal_public(const Key *a, const Key *b)
265{
Darren Tucker8ccb7392010-09-10 12:28:24 +1000266#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000267 BN_CTX *bnctx;
Darren Tucker8ccb7392010-09-10 12:28:24 +1000268#endif
Damien Millereb8b60e2010-08-31 22:41:14 +1000269
Damien Miller0a80ca12010-02-27 07:55:05 +1100270 if (a == NULL || b == NULL ||
271 key_type_plain(a->type) != key_type_plain(b->type))
272 return 0;
273
Damien Miller450a7a12000-03-26 13:04:51 +1000274 switch (a->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100275 case KEY_RSA1:
Damien Miller4e270b02010-04-16 15:56:21 +1000276 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100277 case KEY_RSA_CERT:
Damien Miller450a7a12000-03-26 13:04:51 +1000278 case KEY_RSA:
279 return a->rsa != NULL && b->rsa != NULL &&
280 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
281 BN_cmp(a->rsa->n, b->rsa->n) == 0;
Damien Miller4e270b02010-04-16 15:56:21 +1000282 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100283 case KEY_DSA_CERT:
Damien Miller450a7a12000-03-26 13:04:51 +1000284 case KEY_DSA:
285 return a->dsa != NULL && b->dsa != NULL &&
286 BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
287 BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
288 BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
289 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
Damien Miller6af914a2010-09-10 11:39:26 +1000290#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000291 case KEY_ECDSA_CERT:
292 case KEY_ECDSA:
293 if (a->ecdsa == NULL || b->ecdsa == NULL ||
294 EC_KEY_get0_public_key(a->ecdsa) == NULL ||
295 EC_KEY_get0_public_key(b->ecdsa) == NULL)
296 return 0;
297 if ((bnctx = BN_CTX_new()) == NULL)
298 fatal("%s: BN_CTX_new failed", __func__);
299 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
300 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
301 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
302 EC_KEY_get0_public_key(a->ecdsa),
303 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
304 BN_CTX_free(bnctx);
305 return 0;
306 }
307 BN_CTX_free(bnctx);
308 return 1;
Damien Miller6af914a2010-09-10 11:39:26 +1000309#endif /* OPENSSL_HAS_ECC */
Damien Miller450a7a12000-03-26 13:04:51 +1000310 default:
Damien Millereba71ba2000-04-29 23:57:08 +1000311 fatal("key_equal: bad key type %d", a->type);
Damien Miller450a7a12000-03-26 13:04:51 +1000312 }
Damien Miller87dd5f22008-07-11 17:35:09 +1000313 /* NOTREACHED */
Damien Miller450a7a12000-03-26 13:04:51 +1000314}
315
Damien Miller0a80ca12010-02-27 07:55:05 +1100316int
317key_equal(const Key *a, const Key *b)
318{
319 if (a == NULL || b == NULL || a->type != b->type)
320 return 0;
321 if (key_is_cert(a)) {
322 if (!cert_compare(a->cert, b->cert))
323 return 0;
324 }
325 return key_equal_public(a, b);
326}
327
Damien Miller37876e92003-05-15 10:19:46 +1000328u_char*
Damien Millerf3747bf2013-01-18 11:44:04 +1100329key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
330 u_int *dgst_raw_length)
Damien Miller450a7a12000-03-26 13:04:51 +1000331{
Ben Lindstrom80cb27d2002-03-05 01:33:36 +0000332 const EVP_MD *md = NULL;
Ben Lindstromf0b48532001-03-12 02:59:31 +0000333 EVP_MD_CTX ctx;
Ben Lindstrom46c16222000-12-22 01:43:59 +0000334 u_char *blob = NULL;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000335 u_char *retval = NULL;
Ben Lindstrom90fd8142002-02-26 18:09:42 +0000336 u_int len = 0;
Damien Millerf3747bf2013-01-18 11:44:04 +1100337 int nlen, elen;
Damien Miller450a7a12000-03-26 13:04:51 +1000338
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000339 *dgst_raw_length = 0;
340
Ben Lindstromf0b48532001-03-12 02:59:31 +0000341 switch (dgst_type) {
342 case SSH_FP_MD5:
343 md = EVP_md5();
344 break;
345 case SSH_FP_SHA1:
346 md = EVP_sha1();
347 break;
Darren Tucker14a9d252012-06-30 20:05:02 +1000348#ifdef HAVE_EVP_SHA256
Damien Miller3bde12a2012-06-20 21:51:11 +1000349 case SSH_FP_SHA256:
350 md = EVP_sha256();
351 break;
Darren Tucker14a9d252012-06-30 20:05:02 +1000352#endif
Ben Lindstromf0b48532001-03-12 02:59:31 +0000353 default:
354 fatal("key_fingerprint_raw: bad digest type %d",
355 dgst_type);
356 }
Damien Miller450a7a12000-03-26 13:04:51 +1000357 switch (k->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100358 case KEY_RSA1:
Damien Miller450a7a12000-03-26 13:04:51 +1000359 nlen = BN_num_bytes(k->rsa->n);
360 elen = BN_num_bytes(k->rsa->e);
361 len = nlen + elen;
Damien Millereba71ba2000-04-29 23:57:08 +1000362 blob = xmalloc(len);
363 BN_bn2bin(k->rsa->n, blob);
364 BN_bn2bin(k->rsa->e, blob + nlen);
Damien Miller450a7a12000-03-26 13:04:51 +1000365 break;
366 case KEY_DSA:
Damien Millereb8b60e2010-08-31 22:41:14 +1000367 case KEY_ECDSA:
Damien Miller0bc1bd82000-11-13 22:57:25 +1100368 case KEY_RSA:
369 key_to_blob(k, &blob, &len);
370 break;
Damien Miller4e270b02010-04-16 15:56:21 +1000371 case KEY_DSA_CERT_V00:
372 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100373 case KEY_DSA_CERT:
Damien Millereb8b60e2010-08-31 22:41:14 +1000374 case KEY_ECDSA_CERT:
Damien Miller0a80ca12010-02-27 07:55:05 +1100375 case KEY_RSA_CERT:
376 /* We want a fingerprint of the _key_ not of the cert */
Damien Millerf3747bf2013-01-18 11:44:04 +1100377 to_blob(k, &blob, &len, 1);
Damien Miller0a80ca12010-02-27 07:55:05 +1100378 break;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100379 case KEY_UNSPEC:
380 return retval;
Damien Miller450a7a12000-03-26 13:04:51 +1000381 default:
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000382 fatal("key_fingerprint_raw: bad key type %d", k->type);
Damien Miller450a7a12000-03-26 13:04:51 +1000383 break;
384 }
Damien Millereba71ba2000-04-29 23:57:08 +1000385 if (blob != NULL) {
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000386 retval = xmalloc(EVP_MAX_MD_SIZE);
Damien Miller6536c7d2000-06-22 21:32:31 +1000387 EVP_DigestInit(&ctx, md);
388 EVP_DigestUpdate(&ctx, blob, len);
Damien Miller3672e4b2002-02-05 11:54:07 +1100389 EVP_DigestFinal(&ctx, retval, dgst_raw_length);
Damien Millereba71ba2000-04-29 23:57:08 +1000390 memset(blob, 0, len);
Darren Tuckera627d422013-06-02 07:31:17 +1000391 free(blob);
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000392 } else {
393 fatal("key_fingerprint_raw: blob is null");
Damien Miller450a7a12000-03-26 13:04:51 +1000394 }
395 return retval;
396}
397
Ben Lindstroma962c2f2002-07-04 00:14:17 +0000398static char *
399key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000400{
401 char *retval;
Damien Millereccb9de2005-06-17 12:59:34 +1000402 u_int i;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000403
Damien Miller07d86be2006-03-26 14:19:21 +1100404 retval = xcalloc(1, dgst_raw_len * 3 + 1);
Damien Miller9f0f5c62001-12-21 14:45:46 +1100405 for (i = 0; i < dgst_raw_len; i++) {
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000406 char hex[4];
407 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
Darren Tucker29588612003-07-14 17:28:34 +1000408 strlcat(retval, hex, dgst_raw_len * 3 + 1);
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000409 }
Darren Tucker29588612003-07-14 17:28:34 +1000410
411 /* Remove the trailing ':' character */
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000412 retval[(dgst_raw_len * 3) - 1] = '\0';
413 return retval;
414}
415
Ben Lindstroma962c2f2002-07-04 00:14:17 +0000416static char *
417key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000418{
419 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
420 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
421 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000422 u_int i, j = 0, rounds, seed = 1;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000423 char *retval;
424
425 rounds = (dgst_raw_len / 2) + 1;
Damien Miller07d86be2006-03-26 14:19:21 +1100426 retval = xcalloc((rounds * 6), sizeof(char));
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000427 retval[j++] = 'x';
428 for (i = 0; i < rounds; i++) {
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000429 u_int idx0, idx1, idx2, idx3, idx4;
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000430 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
431 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000432 seed) % 6;
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000433 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
434 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000435 (seed / 6)) % 6;
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000436 retval[j++] = vowels[idx0];
437 retval[j++] = consonants[idx1];
438 retval[j++] = vowels[idx2];
439 if ((i + 1) < rounds) {
440 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
441 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
442 retval[j++] = consonants[idx3];
443 retval[j++] = '-';
444 retval[j++] = consonants[idx4];
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000445 seed = ((seed * 5) +
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000446 ((((u_int)(dgst_raw[2 * i])) * 7) +
447 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000448 }
449 } else {
450 idx0 = seed % 6;
451 idx1 = 16;
452 idx2 = seed / 6;
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000453 retval[j++] = vowels[idx0];
454 retval[j++] = consonants[idx1];
455 retval[j++] = vowels[idx2];
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000456 }
457 }
Ben Lindstromcbe3ad22001-03-11 20:06:59 +0000458 retval[j++] = 'x';
459 retval[j++] = '\0';
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000460 return retval;
461}
462
Darren Tucker9c16ac92008-06-13 04:40:35 +1000463/*
464 * Draw an ASCII-Art representing the fingerprint so human brain can
465 * profit from its built-in pattern recognition ability.
466 * This technique is called "random art" and can be found in some
467 * scientific publications like this original paper:
468 *
469 * "Hash Visualization: a New Technique to improve Real-World Security",
470 * Perrig A. and Song D., 1999, International Workshop on Cryptographic
471 * Techniques and E-Commerce (CrypTEC '99)
472 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
473 *
474 * The subject came up in a talk by Dan Kaminsky, too.
475 *
476 * If you see the picture is different, the key is different.
477 * If the picture looks the same, you still know nothing.
478 *
479 * The algorithm used here is a worm crawling over a discrete plane,
480 * leaving a trace (augmenting the field) everywhere it goes.
481 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
482 * makes the respective movement vector be ignored for this turn.
483 * Graphs are not unambiguous, because circles in graphs can be
484 * walked in either direction.
485 */
Darren Tucker987ac842008-06-13 04:54:40 +1000486
487/*
488 * Field sizes for the random art. Have to be odd, so the starting point
489 * can be in the exact middle of the picture, and FLDBASE should be >=8 .
490 * Else pictures would be too dense, and drawing the frame would
491 * fail, too, because the key type would not fit in anymore.
492 */
493#define FLDBASE 8
494#define FLDSIZE_Y (FLDBASE + 1)
495#define FLDSIZE_X (FLDBASE * 2 + 1)
Darren Tucker9c16ac92008-06-13 04:40:35 +1000496static char *
Darren Tucker987ac842008-06-13 04:54:40 +1000497key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
Darren Tucker9c16ac92008-06-13 04:40:35 +1000498{
499 /*
500 * Chars to be used after each other every time the worm
501 * intersects with itself. Matter of taste.
502 */
Darren Tucker4b3b9772008-06-13 04:55:10 +1000503 char *augmentation_string = " .o+=*BOX@%&#/^SE";
Darren Tucker9c16ac92008-06-13 04:40:35 +1000504 char *retval, *p;
Darren Tucker014d76f2008-06-13 04:43:51 +1000505 u_char field[FLDSIZE_X][FLDSIZE_Y];
Darren Tucker9c16ac92008-06-13 04:40:35 +1000506 u_int i, b;
507 int x, y;
Darren Tuckerd32b28a2008-06-13 04:45:50 +1000508 size_t len = strlen(augmentation_string) - 1;
Darren Tucker9c16ac92008-06-13 04:40:35 +1000509
510 retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
511
512 /* initialize field */
Darren Tucker014d76f2008-06-13 04:43:51 +1000513 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
Darren Tucker9c16ac92008-06-13 04:40:35 +1000514 x = FLDSIZE_X / 2;
515 y = FLDSIZE_Y / 2;
Darren Tucker9c16ac92008-06-13 04:40:35 +1000516
517 /* process raw key */
518 for (i = 0; i < dgst_raw_len; i++) {
519 int input;
520 /* each byte conveys four 2-bit move commands */
521 input = dgst_raw[i];
522 for (b = 0; b < 4; b++) {
523 /* evaluate 2 bit, rest is shifted later */
524 x += (input & 0x1) ? 1 : -1;
525 y += (input & 0x2) ? 1 : -1;
526
527 /* assure we are still in bounds */
528 x = MAX(x, 0);
529 y = MAX(y, 0);
530 x = MIN(x, FLDSIZE_X - 1);
531 y = MIN(y, FLDSIZE_Y - 1);
532
533 /* augment the field */
Damien Millerc6aadd92008-11-03 19:16:20 +1100534 if (field[x][y] < len - 2)
535 field[x][y]++;
Darren Tucker9c16ac92008-06-13 04:40:35 +1000536 input = input >> 2;
537 }
538 }
Darren Tucker4b3b9772008-06-13 04:55:10 +1000539
540 /* mark starting point and end point*/
541 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
542 field[x][y] = len;
Darren Tucker9c16ac92008-06-13 04:40:35 +1000543
544 /* fill in retval */
Damien Miller007132a2008-06-29 22:45:37 +1000545 snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
Darren Tucker987ac842008-06-13 04:54:40 +1000546 p = strchr(retval, '\0');
Darren Tucker9c16ac92008-06-13 04:40:35 +1000547
548 /* output upper border */
Damien Miller007132a2008-06-29 22:45:37 +1000549 for (i = p - retval - 1; i < FLDSIZE_X; i++)
Darren Tucker9c16ac92008-06-13 04:40:35 +1000550 *p++ = '-';
551 *p++ = '+';
552 *p++ = '\n';
553
554 /* output content */
555 for (y = 0; y < FLDSIZE_Y; y++) {
556 *p++ = '|';
557 for (x = 0; x < FLDSIZE_X; x++)
Darren Tuckerd32b28a2008-06-13 04:45:50 +1000558 *p++ = augmentation_string[MIN(field[x][y], len)];
Darren Tucker9c16ac92008-06-13 04:40:35 +1000559 *p++ = '|';
560 *p++ = '\n';
561 }
562
563 /* output lower border */
564 *p++ = '+';
565 for (i = 0; i < FLDSIZE_X; i++)
566 *p++ = '-';
567 *p++ = '+';
568
569 return retval;
570}
571
Ben Lindstroma962c2f2002-07-04 00:14:17 +0000572char *
Darren Tucker0acca372013-06-02 07:41:51 +1000573key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000574{
Ben Lindstroma3700052001-04-05 23:26:32 +0000575 char *retval = NULL;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000576 u_char *dgst_raw;
Damien Miller3672e4b2002-02-05 11:54:07 +1100577 u_int dgst_raw_len;
Damien Miller9f0f5c62001-12-21 14:45:46 +1100578
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000579 dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
580 if (!dgst_raw)
Ben Lindstromcfccef92001-03-13 04:57:58 +0000581 fatal("key_fingerprint: null from key_fingerprint_raw()");
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +0000582 switch (dgst_rep) {
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000583 case SSH_FP_HEX:
584 retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
585 break;
586 case SSH_FP_BUBBLEBABBLE:
587 retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
588 break;
Darren Tucker9c16ac92008-06-13 04:40:35 +1000589 case SSH_FP_RANDOMART:
Darren Tucker987ac842008-06-13 04:54:40 +1000590 retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
Darren Tucker9c16ac92008-06-13 04:40:35 +1000591 break;
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000592 default:
Damien Miller2f54ada2008-11-03 19:24:16 +1100593 fatal("key_fingerprint: bad digest representation %d",
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000594 dgst_rep);
595 break;
596 }
597 memset(dgst_raw, 0, dgst_raw_len);
Darren Tuckera627d422013-06-02 07:31:17 +1000598 free(dgst_raw);
Ben Lindstrom96e8ea62001-03-11 20:03:44 +0000599 return retval;
600}
601
Damien Miller450a7a12000-03-26 13:04:51 +1000602/*
603 * Reads a multiple-precision integer in decimal from the buffer, and advances
604 * the pointer. The integer must already be initialized. This function is
605 * permitted to modify the buffer. This leaves *cpp to point just beyond the
606 * last processed (and maybe modified) character. Note that this may modify
607 * the buffer containing the number.
608 */
Ben Lindstrombba81212001-06-25 05:01:22 +0000609static int
Damien Miller450a7a12000-03-26 13:04:51 +1000610read_bignum(char **cpp, BIGNUM * value)
611{
612 char *cp = *cpp;
613 int old;
614
615 /* Skip any leading whitespace. */
616 for (; *cp == ' ' || *cp == '\t'; cp++)
617 ;
618
619 /* Check that it begins with a decimal digit. */
620 if (*cp < '0' || *cp > '9')
621 return 0;
622
623 /* Save starting position. */
624 *cpp = cp;
625
626 /* Move forward until all decimal digits skipped. */
627 for (; *cp >= '0' && *cp <= '9'; cp++)
628 ;
629
630 /* Save the old terminating character, and replace it by \0. */
631 old = *cp;
632 *cp = 0;
633
634 /* Parse the number. */
635 if (BN_dec2bn(&value, *cpp) == 0)
636 return 0;
637
638 /* Restore old terminating character. */
639 *cp = old;
640
641 /* Move beyond the number and return success. */
642 *cpp = cp;
643 return 1;
644}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000645
Ben Lindstrombba81212001-06-25 05:01:22 +0000646static int
Damien Miller450a7a12000-03-26 13:04:51 +1000647write_bignum(FILE *f, BIGNUM *num)
648{
649 char *buf = BN_bn2dec(num);
650 if (buf == NULL) {
651 error("write_bignum: BN_bn2dec() failed");
652 return 0;
653 }
654 fprintf(f, " %s", buf);
Damien Milleraf3030f2001-10-10 15:00:49 +1000655 OPENSSL_free(buf);
Damien Miller450a7a12000-03-26 13:04:51 +1000656 return 1;
657}
Damien Miller0bc1bd82000-11-13 22:57:25 +1100658
Ben Lindstrom309f3d12001-09-20 00:55:53 +0000659/* returns 1 ok, -1 error */
Damien Miller0bc1bd82000-11-13 22:57:25 +1100660int
Damien Millereba71ba2000-04-29 23:57:08 +1000661key_read(Key *ret, char **cpp)
Damien Miller450a7a12000-03-26 13:04:51 +1000662{
Damien Millereba71ba2000-04-29 23:57:08 +1000663 Key *k;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100664 int success = -1;
665 char *cp, *space;
Darren Tucker8ccb7392010-09-10 12:28:24 +1000666 int len, n, type;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100667 u_int bits;
Ben Lindstrom46c16222000-12-22 01:43:59 +0000668 u_char *blob;
Darren Tucker8ccb7392010-09-10 12:28:24 +1000669#ifdef OPENSSL_HAS_ECC
670 int curve_nid = -1;
671#endif
Damien Millereba71ba2000-04-29 23:57:08 +1000672
673 cp = *cpp;
674
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +0000675 switch (ret->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100676 case KEY_RSA1:
Damien Millereba71ba2000-04-29 23:57:08 +1000677 /* Get number of bits. */
678 if (*cp < '0' || *cp > '9')
Damien Miller0bc1bd82000-11-13 22:57:25 +1100679 return -1; /* Bad bit count... */
Damien Millereba71ba2000-04-29 23:57:08 +1000680 for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
681 bits = 10 * bits + *cp - '0';
Damien Miller450a7a12000-03-26 13:04:51 +1000682 if (bits == 0)
Damien Miller0bc1bd82000-11-13 22:57:25 +1100683 return -1;
Damien Millereba71ba2000-04-29 23:57:08 +1000684 *cpp = cp;
Damien Miller450a7a12000-03-26 13:04:51 +1000685 /* Get public exponent, public modulus. */
686 if (!read_bignum(cpp, ret->rsa->e))
Damien Miller0bc1bd82000-11-13 22:57:25 +1100687 return -1;
Damien Miller450a7a12000-03-26 13:04:51 +1000688 if (!read_bignum(cpp, ret->rsa->n))
Damien Miller0bc1bd82000-11-13 22:57:25 +1100689 return -1;
Darren Tucker561724f2010-01-13 22:43:05 +1100690 /* validate the claimed number of bits */
691 if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
692 verbose("key_read: claimed key size %d does not match "
693 "actual %d", bits, BN_num_bits(ret->rsa->n));
694 return -1;
695 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100696 success = 1;
Damien Miller450a7a12000-03-26 13:04:51 +1000697 break;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100698 case KEY_UNSPEC:
699 case KEY_RSA:
Damien Miller450a7a12000-03-26 13:04:51 +1000700 case KEY_DSA:
Damien Millereb8b60e2010-08-31 22:41:14 +1000701 case KEY_ECDSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000702 case KEY_DSA_CERT_V00:
703 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100704 case KEY_DSA_CERT:
Damien Millereb8b60e2010-08-31 22:41:14 +1000705 case KEY_ECDSA_CERT:
Damien Miller0a80ca12010-02-27 07:55:05 +1100706 case KEY_RSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +1100707 space = strchr(cp, ' ');
708 if (space == NULL) {
Damien Miller386f1f32003-02-24 11:54:57 +1100709 debug3("key_read: missing whitespace");
Damien Miller0bc1bd82000-11-13 22:57:25 +1100710 return -1;
711 }
712 *space = '\0';
713 type = key_type_from_name(cp);
Damien Miller6af914a2010-09-10 11:39:26 +1000714#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000715 if (key_type_plain(type) == KEY_ECDSA &&
716 (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
717 debug("key_read: invalid curve");
718 return -1;
719 }
Damien Miller6af914a2010-09-10 11:39:26 +1000720#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +1100721 *space = ' ';
722 if (type == KEY_UNSPEC) {
Damien Miller386f1f32003-02-24 11:54:57 +1100723 debug3("key_read: missing keytype");
Damien Miller0bc1bd82000-11-13 22:57:25 +1100724 return -1;
725 }
726 cp = space+1;
727 if (*cp == '\0') {
728 debug3("key_read: short string");
729 return -1;
730 }
731 if (ret->type == KEY_UNSPEC) {
732 ret->type = type;
733 } else if (ret->type != type) {
734 /* is a key, but different type */
735 debug3("key_read: type mismatch");
Ben Lindstrom309f3d12001-09-20 00:55:53 +0000736 return -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100737 }
Damien Millereba71ba2000-04-29 23:57:08 +1000738 len = 2*strlen(cp);
739 blob = xmalloc(len);
740 n = uudecode(cp, blob, len);
Damien Millere247cc42000-05-07 12:03:14 +1000741 if (n < 0) {
Damien Millerb1715dc2000-05-30 13:44:51 +1000742 error("key_read: uudecode %s failed", cp);
Darren Tuckera627d422013-06-02 07:31:17 +1000743 free(blob);
Damien Miller0bc1bd82000-11-13 22:57:25 +1100744 return -1;
Damien Millere247cc42000-05-07 12:03:14 +1000745 }
Darren Tucker502d3842003-06-28 12:38:01 +1000746 k = key_from_blob(blob, (u_int)n);
Darren Tuckera627d422013-06-02 07:31:17 +1000747 free(blob);
Damien Millerb1715dc2000-05-30 13:44:51 +1000748 if (k == NULL) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100749 error("key_read: key_from_blob %s failed", cp);
750 return -1;
Damien Millerb1715dc2000-05-30 13:44:51 +1000751 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100752 if (k->type != type) {
753 error("key_read: type mismatch: encoding error");
754 key_free(k);
755 return -1;
756 }
Damien Miller6af914a2010-09-10 11:39:26 +1000757#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000758 if (key_type_plain(type) == KEY_ECDSA &&
759 curve_nid != k->ecdsa_nid) {
760 error("key_read: type mismatch: EC curve mismatch");
761 key_free(k);
762 return -1;
763 }
Damien Miller6af914a2010-09-10 11:39:26 +1000764#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +1100765/*XXXX*/
Damien Miller0a80ca12010-02-27 07:55:05 +1100766 if (key_is_cert(ret)) {
767 if (!key_is_cert(k)) {
768 error("key_read: loaded key is not a cert");
769 key_free(k);
770 return -1;
771 }
772 if (ret->cert != NULL)
773 cert_free(ret->cert);
774 ret->cert = k->cert;
775 k->cert = NULL;
776 }
777 if (key_type_plain(ret->type) == KEY_RSA) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100778 if (ret->rsa != NULL)
779 RSA_free(ret->rsa);
780 ret->rsa = k->rsa;
781 k->rsa = NULL;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100782#ifdef DEBUG_PK
783 RSA_print_fp(stderr, ret->rsa, 8);
784#endif
Damien Miller0a80ca12010-02-27 07:55:05 +1100785 }
786 if (key_type_plain(ret->type) == KEY_DSA) {
Damien Miller0bc1bd82000-11-13 22:57:25 +1100787 if (ret->dsa != NULL)
788 DSA_free(ret->dsa);
789 ret->dsa = k->dsa;
790 k->dsa = NULL;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100791#ifdef DEBUG_PK
792 DSA_print_fp(stderr, ret->dsa, 8);
793#endif
794 }
Damien Miller6af914a2010-09-10 11:39:26 +1000795#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000796 if (key_type_plain(ret->type) == KEY_ECDSA) {
797 if (ret->ecdsa != NULL)
798 EC_KEY_free(ret->ecdsa);
799 ret->ecdsa = k->ecdsa;
800 ret->ecdsa_nid = k->ecdsa_nid;
801 k->ecdsa = NULL;
802 k->ecdsa_nid = -1;
803#ifdef DEBUG_PK
804 key_dump_ec_key(ret->ecdsa);
805#endif
806 }
Damien Miller6af914a2010-09-10 11:39:26 +1000807#endif
Damien Miller0a80ca12010-02-27 07:55:05 +1100808 success = 1;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100809/*XXXX*/
Ben Lindstrom4cbc1812001-12-06 16:41:41 +0000810 key_free(k);
Damien Miller0bc1bd82000-11-13 22:57:25 +1100811 if (success != 1)
812 break;
Damien Millerb1715dc2000-05-30 13:44:51 +1000813 /* advance cp: skip whitespace and data */
814 while (*cp == ' ' || *cp == '\t')
815 cp++;
816 while (*cp != '\0' && *cp != ' ' && *cp != '\t')
817 cp++;
818 *cpp = cp;
Damien Miller450a7a12000-03-26 13:04:51 +1000819 break;
820 default:
Damien Millereba71ba2000-04-29 23:57:08 +1000821 fatal("key_read: bad key type: %d", ret->type);
Damien Miller450a7a12000-03-26 13:04:51 +1000822 break;
823 }
Damien Miller0bc1bd82000-11-13 22:57:25 +1100824 return success;
Damien Miller450a7a12000-03-26 13:04:51 +1000825}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000826
Damien Miller450a7a12000-03-26 13:04:51 +1000827int
Damien Millerf58b58c2003-11-17 21:18:23 +1100828key_write(const Key *key, FILE *f)
Damien Miller450a7a12000-03-26 13:04:51 +1000829{
Ben Lindstrom90fd8142002-02-26 18:09:42 +0000830 int n, success = 0;
831 u_int len, bits = 0;
Damien Millera10f5612002-09-12 09:49:15 +1000832 u_char *blob;
833 char *uu;
Damien Miller450a7a12000-03-26 13:04:51 +1000834
Damien Miller0a80ca12010-02-27 07:55:05 +1100835 if (key_is_cert(key)) {
836 if (key->cert == NULL) {
837 error("%s: no cert data", __func__);
838 return 0;
839 }
840 if (buffer_len(&key->cert->certblob) == 0) {
841 error("%s: no signed certificate blob", __func__);
842 return 0;
843 }
844 }
845
846 switch (key->type) {
847 case KEY_RSA1:
848 if (key->rsa == NULL)
849 return 0;
Damien Miller450a7a12000-03-26 13:04:51 +1000850 /* size of modulus 'n' */
851 bits = BN_num_bits(key->rsa->n);
852 fprintf(f, "%u", bits);
853 if (write_bignum(f, key->rsa->e) &&
Damien Miller0a80ca12010-02-27 07:55:05 +1100854 write_bignum(f, key->rsa->n))
855 return 1;
856 error("key_write: failed for RSA key");
857 return 0;
858 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000859 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100860 case KEY_DSA_CERT:
861 if (key->dsa == NULL)
862 return 0;
863 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000864#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +1000865 case KEY_ECDSA:
866 case KEY_ECDSA_CERT:
867 if (key->ecdsa == NULL)
868 return 0;
869 break;
Damien Miller6af914a2010-09-10 11:39:26 +1000870#endif
Damien Miller0a80ca12010-02-27 07:55:05 +1100871 case KEY_RSA:
Damien Miller4e270b02010-04-16 15:56:21 +1000872 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +1100873 case KEY_RSA_CERT:
874 if (key->rsa == NULL)
875 return 0;
876 break;
877 default:
878 return 0;
Damien Miller450a7a12000-03-26 13:04:51 +1000879 }
Damien Miller0a80ca12010-02-27 07:55:05 +1100880
881 key_to_blob(key, &blob, &len);
882 uu = xmalloc(2*len);
883 n = uuencode(blob, len, uu, 2*len);
884 if (n > 0) {
885 fprintf(f, "%s %s", key_ssh_name(key), uu);
886 success = 1;
887 }
Darren Tuckera627d422013-06-02 07:31:17 +1000888 free(blob);
889 free(uu);
Damien Miller0a80ca12010-02-27 07:55:05 +1100890
Damien Miller450a7a12000-03-26 13:04:51 +1000891 return success;
892}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000893
Damien Millerf58b58c2003-11-17 21:18:23 +1100894const char *
Damien Miller1cfbfaf2010-03-22 05:58:24 +1100895key_cert_type(const Key *k)
896{
897 switch (k->cert->type) {
898 case SSH2_CERT_TYPE_USER:
899 return "user";
900 case SSH2_CERT_TYPE_HOST:
901 return "host";
902 default:
903 return "unknown";
904 }
905}
906
Damien Millerea111192013-04-23 19:24:32 +1000907struct keytype {
908 char *name;
909 char *shortname;
910 int type;
911 int nid;
912 int cert;
913};
914static const struct keytype keytypes[] = {
915 { NULL, "RSA1", KEY_RSA1, 0, 0 },
916 { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
917 { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
918#ifdef OPENSSL_HAS_ECC
919 { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
920 { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
921 { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
922#endif /* OPENSSL_HAS_ECC */
923 { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
924 { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
925#ifdef OPENSSL_HAS_ECC
926 { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
927 KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
928 { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
929 KEY_ECDSA_CERT, NID_secp384r1, 1 },
930 { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
931 KEY_ECDSA_CERT, NID_secp521r1, 1 },
932#endif /* OPENSSL_HAS_ECC */
933 { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
934 KEY_RSA_CERT_V00, 0, 1 },
935 { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
936 KEY_DSA_CERT_V00, 0, 1 },
937 { NULL, NULL, -1, -1, 0 }
938};
939
940const char *
941key_type(const Key *k)
942{
943 const struct keytype *kt;
944
945 for (kt = keytypes; kt->type != -1; kt++) {
946 if (kt->type == k->type)
947 return kt->shortname;
948 }
949 return "unknown";
950}
951
Damien Millereb8b60e2010-08-31 22:41:14 +1000952static const char *
953key_ssh_name_from_type_nid(int type, int nid)
Damien Miller0bc1bd82000-11-13 22:57:25 +1100954{
Damien Millerea111192013-04-23 19:24:32 +1000955 const struct keytype *kt;
956
957 for (kt = keytypes; kt->type != -1; kt++) {
958 if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
959 return kt->name;
Damien Miller0bc1bd82000-11-13 22:57:25 +1100960 }
961 return "ssh-unknown";
962}
Ben Lindstrom836f0e92002-06-23 21:21:30 +0000963
Damien Millereb8b60e2010-08-31 22:41:14 +1000964const char *
965key_ssh_name(const Key *k)
966{
967 return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
968}
969
970const char *
971key_ssh_name_plain(const Key *k)
972{
973 return key_ssh_name_from_type_nid(key_type_plain(k->type),
974 k->ecdsa_nid);
975}
976
Damien Millerea111192013-04-23 19:24:32 +1000977int
978key_type_from_name(char *name)
979{
980 const struct keytype *kt;
981
982 for (kt = keytypes; kt->type != -1; kt++) {
983 /* Only allow shortname matches for plain key types */
984 if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
985 (!kt->cert && strcasecmp(kt->shortname, name) == 0))
986 return kt->type;
987 }
988 debug2("key_type_from_name: unknown key type '%s'", name);
989 return KEY_UNSPEC;
990}
991
992int
993key_ecdsa_nid_from_name(const char *name)
994{
995 const struct keytype *kt;
996
997 for (kt = keytypes; kt->type != -1; kt++) {
998 if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
999 continue;
1000 if (kt->name != NULL && strcmp(name, kt->name) == 0)
1001 return kt->nid;
1002 }
1003 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1004 return -1;
1005}
1006
1007char *
1008key_alg_list(void)
1009{
1010 char *ret = NULL;
1011 size_t nlen, rlen = 0;
1012 const struct keytype *kt;
1013
1014 for (kt = keytypes; kt->type != -1; kt++) {
1015 if (kt->name == NULL)
1016 continue;
1017 if (ret != NULL)
1018 ret[rlen++] = '\n';
1019 nlen = strlen(kt->name);
1020 ret = xrealloc(ret, 1, rlen + nlen + 2);
1021 memcpy(ret + rlen, kt->name, nlen + 1);
1022 rlen += nlen;
1023 }
1024 return ret;
1025}
1026
Damien Miller4a3a9d42013-10-30 22:19:47 +11001027int
1028key_type_is_cert(int type)
1029{
1030 const struct keytype *kt;
1031
1032 for (kt = keytypes; kt->type != -1; kt++) {
1033 if (kt->type == type)
1034 return kt->cert;
1035 }
1036 return 0;
1037}
1038
Damien Miller0bc1bd82000-11-13 22:57:25 +11001039u_int
Damien Millerf58b58c2003-11-17 21:18:23 +11001040key_size(const Key *k)
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +00001041{
Damien Millerad833b32000-08-23 10:46:23 +10001042 switch (k->type) {
Damien Miller0bc1bd82000-11-13 22:57:25 +11001043 case KEY_RSA1:
Damien Millerad833b32000-08-23 10:46:23 +10001044 case KEY_RSA:
Damien Miller4e270b02010-04-16 15:56:21 +10001045 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001046 case KEY_RSA_CERT:
Damien Millerad833b32000-08-23 10:46:23 +10001047 return BN_num_bits(k->rsa->n);
Damien Millerad833b32000-08-23 10:46:23 +10001048 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +10001049 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001050 case KEY_DSA_CERT:
Damien Millerad833b32000-08-23 10:46:23 +10001051 return BN_num_bits(k->dsa->p);
Damien Miller6af914a2010-09-10 11:39:26 +10001052#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001053 case KEY_ECDSA:
1054 case KEY_ECDSA_CERT:
Damien Miller041ab7c2010-09-10 11:23:34 +10001055 return key_curve_nid_to_bits(k->ecdsa_nid);
Damien Miller6af914a2010-09-10 11:39:26 +10001056#endif
Damien Millerad833b32000-08-23 10:46:23 +10001057 }
1058 return 0;
1059}
Damien Miller0bc1bd82000-11-13 22:57:25 +11001060
Ben Lindstrombba81212001-06-25 05:01:22 +00001061static RSA *
Ben Lindstrom46c16222000-12-22 01:43:59 +00001062rsa_generate_private_key(u_int bits)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001063{
Damien Miller4499f4c2010-11-20 15:15:49 +11001064 RSA *private = RSA_new();
1065 BIGNUM *f4 = BN_new();
Damien Miller69b72032006-03-26 14:02:35 +11001066
Kevin Stevesef4eea92001-02-05 12:42:17 +00001067 if (private == NULL)
Damien Miller4499f4c2010-11-20 15:15:49 +11001068 fatal("%s: RSA_new failed", __func__);
1069 if (f4 == NULL)
1070 fatal("%s: BN_new failed", __func__);
1071 if (!BN_set_word(f4, RSA_F4))
1072 fatal("%s: BN_new failed", __func__);
1073 if (!RSA_generate_key_ex(private, bits, f4, NULL))
1074 fatal("%s: key generation failed.", __func__);
1075 BN_free(f4);
Kevin Stevesef4eea92001-02-05 12:42:17 +00001076 return private;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001077}
1078
Ben Lindstrombba81212001-06-25 05:01:22 +00001079static DSA*
Ben Lindstrom46c16222000-12-22 01:43:59 +00001080dsa_generate_private_key(u_int bits)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001081{
Damien Miller4499f4c2010-11-20 15:15:49 +11001082 DSA *private = DSA_new();
Damien Miller69b72032006-03-26 14:02:35 +11001083
Damien Miller0bc1bd82000-11-13 22:57:25 +11001084 if (private == NULL)
Damien Miller4499f4c2010-11-20 15:15:49 +11001085 fatal("%s: DSA_new failed", __func__);
1086 if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1087 NULL, NULL))
1088 fatal("%s: DSA_generate_parameters failed", __func__);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001089 if (!DSA_generate_key(private))
Damien Miller4499f4c2010-11-20 15:15:49 +11001090 fatal("%s: DSA_generate_key failed.", __func__);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001091 return private;
1092}
1093
Damien Millereb8b60e2010-08-31 22:41:14 +10001094int
1095key_ecdsa_bits_to_nid(int bits)
1096{
1097 switch (bits) {
Damien Miller6af914a2010-09-10 11:39:26 +10001098#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001099 case 256:
1100 return NID_X9_62_prime256v1;
1101 case 384:
1102 return NID_secp384r1;
1103 case 521:
1104 return NID_secp521r1;
Damien Miller6af914a2010-09-10 11:39:26 +10001105#endif
Damien Millereb8b60e2010-08-31 22:41:14 +10001106 default:
1107 return -1;
1108 }
1109}
1110
Damien Miller6af914a2010-09-10 11:39:26 +10001111#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001112int
Damien Millerb472a902010-11-05 10:19:49 +11001113key_ecdsa_key_to_nid(EC_KEY *k)
Damien Millereb8b60e2010-08-31 22:41:14 +10001114{
1115 EC_GROUP *eg;
1116 int nids[] = {
1117 NID_X9_62_prime256v1,
1118 NID_secp384r1,
1119 NID_secp521r1,
1120 -1
1121 };
Damien Millerb472a902010-11-05 10:19:49 +11001122 int nid;
Damien Millereb8b60e2010-08-31 22:41:14 +10001123 u_int i;
1124 BN_CTX *bnctx;
Damien Millerb472a902010-11-05 10:19:49 +11001125 const EC_GROUP *g = EC_KEY_get0_group(k);
Damien Millereb8b60e2010-08-31 22:41:14 +10001126
Damien Millerb472a902010-11-05 10:19:49 +11001127 /*
1128 * The group may be stored in a ASN.1 encoded private key in one of two
1129 * ways: as a "named group", which is reconstituted by ASN.1 object ID
1130 * or explicit group parameters encoded into the key blob. Only the
1131 * "named group" case sets the group NID for us, but we can figure
1132 * it out for the other case by comparing against all the groups that
1133 * are supported.
1134 */
1135 if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1136 return nid;
Damien Millereb8b60e2010-08-31 22:41:14 +10001137 if ((bnctx = BN_CTX_new()) == NULL)
1138 fatal("%s: BN_CTX_new() failed", __func__);
1139 for (i = 0; nids[i] != -1; i++) {
1140 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1141 fatal("%s: EC_GROUP_new_by_curve_name failed",
1142 __func__);
Damien Millerb472a902010-11-05 10:19:49 +11001143 if (EC_GROUP_cmp(g, eg, bnctx) == 0)
Damien Millereb8b60e2010-08-31 22:41:14 +10001144 break;
Damien Millereb8b60e2010-08-31 22:41:14 +10001145 EC_GROUP_free(eg);
1146 }
1147 BN_CTX_free(bnctx);
1148 debug3("%s: nid = %d", __func__, nids[i]);
Damien Millerb472a902010-11-05 10:19:49 +11001149 if (nids[i] != -1) {
1150 /* Use the group with the NID attached */
1151 EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1152 if (EC_KEY_set_group(k, eg) != 1)
1153 fatal("%s: EC_KEY_set_group", __func__);
1154 }
Damien Millereb8b60e2010-08-31 22:41:14 +10001155 return nids[i];
1156}
1157
1158static EC_KEY*
1159ecdsa_generate_private_key(u_int bits, int *nid)
1160{
1161 EC_KEY *private;
1162
1163 if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
1164 fatal("%s: invalid key length", __func__);
1165 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
1166 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1167 if (EC_KEY_generate_key(private) != 1)
1168 fatal("%s: EC_KEY_generate_key failed", __func__);
Damien Millerb472a902010-11-05 10:19:49 +11001169 EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
Damien Millereb8b60e2010-08-31 22:41:14 +10001170 return private;
1171}
Damien Miller6af914a2010-09-10 11:39:26 +10001172#endif /* OPENSSL_HAS_ECC */
Damien Millereb8b60e2010-08-31 22:41:14 +10001173
Damien Miller0bc1bd82000-11-13 22:57:25 +11001174Key *
Ben Lindstrom46c16222000-12-22 01:43:59 +00001175key_generate(int type, u_int bits)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001176{
1177 Key *k = key_new(KEY_UNSPEC);
1178 switch (type) {
Kevin Stevesef4eea92001-02-05 12:42:17 +00001179 case KEY_DSA:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001180 k->dsa = dsa_generate_private_key(bits);
1181 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001182#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001183 case KEY_ECDSA:
1184 k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
1185 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001186#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +11001187 case KEY_RSA:
1188 case KEY_RSA1:
1189 k->rsa = rsa_generate_private_key(bits);
1190 break;
Damien Miller4e270b02010-04-16 15:56:21 +10001191 case KEY_RSA_CERT_V00:
1192 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001193 case KEY_RSA_CERT:
1194 case KEY_DSA_CERT:
1195 fatal("key_generate: cert keys cannot be generated directly");
Damien Miller0bc1bd82000-11-13 22:57:25 +11001196 default:
Kevin Stevesef4eea92001-02-05 12:42:17 +00001197 fatal("key_generate: unknown type %d", type);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001198 }
Kevin Stevesef4eea92001-02-05 12:42:17 +00001199 k->type = type;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001200 return k;
1201}
1202
Damien Miller0a80ca12010-02-27 07:55:05 +11001203void
1204key_cert_copy(const Key *from_key, struct Key *to_key)
1205{
1206 u_int i;
1207 const struct KeyCert *from;
1208 struct KeyCert *to;
1209
1210 if (to_key->cert != NULL) {
1211 cert_free(to_key->cert);
1212 to_key->cert = NULL;
1213 }
1214
1215 if ((from = from_key->cert) == NULL)
1216 return;
1217
1218 to = to_key->cert = cert_new();
1219
1220 buffer_append(&to->certblob, buffer_ptr(&from->certblob),
1221 buffer_len(&from->certblob));
1222
Damien Miller4e270b02010-04-16 15:56:21 +10001223 buffer_append(&to->critical,
1224 buffer_ptr(&from->critical), buffer_len(&from->critical));
1225 buffer_append(&to->extensions,
1226 buffer_ptr(&from->extensions), buffer_len(&from->extensions));
Damien Miller0a80ca12010-02-27 07:55:05 +11001227
Damien Miller4e270b02010-04-16 15:56:21 +10001228 to->serial = from->serial;
Damien Miller0a80ca12010-02-27 07:55:05 +11001229 to->type = from->type;
1230 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
1231 to->valid_after = from->valid_after;
1232 to->valid_before = from->valid_before;
1233 to->signature_key = from->signature_key == NULL ?
1234 NULL : key_from_private(from->signature_key);
1235
1236 to->nprincipals = from->nprincipals;
1237 if (to->nprincipals > CERT_MAX_PRINCIPALS)
1238 fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
1239 __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
1240 if (to->nprincipals > 0) {
1241 to->principals = xcalloc(from->nprincipals,
1242 sizeof(*to->principals));
1243 for (i = 0; i < to->nprincipals; i++)
1244 to->principals[i] = xstrdup(from->principals[i]);
1245 }
1246}
1247
Damien Miller0bc1bd82000-11-13 22:57:25 +11001248Key *
Damien Millerf58b58c2003-11-17 21:18:23 +11001249key_from_private(const Key *k)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001250{
1251 Key *n = NULL;
1252 switch (k->type) {
Kevin Stevesef4eea92001-02-05 12:42:17 +00001253 case KEY_DSA:
Damien Miller4e270b02010-04-16 15:56:21 +10001254 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001255 case KEY_DSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001256 n = key_new(k->type);
Darren Tucker0bc85572006-11-07 23:14:41 +11001257 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1258 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1259 (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1260 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
1261 fatal("key_from_private: BN_copy failed");
Damien Miller0bc1bd82000-11-13 22:57:25 +11001262 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001263#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001264 case KEY_ECDSA:
1265 case KEY_ECDSA_CERT:
1266 n = key_new(k->type);
1267 n->ecdsa_nid = k->ecdsa_nid;
1268 if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
1269 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1270 if (EC_KEY_set_public_key(n->ecdsa,
1271 EC_KEY_get0_public_key(k->ecdsa)) != 1)
1272 fatal("%s: EC_KEY_set_public_key failed", __func__);
1273 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001274#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +11001275 case KEY_RSA:
1276 case KEY_RSA1:
Damien Miller4e270b02010-04-16 15:56:21 +10001277 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001278 case KEY_RSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001279 n = key_new(k->type);
Darren Tucker0bc85572006-11-07 23:14:41 +11001280 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1281 (BN_copy(n->rsa->e, k->rsa->e) == NULL))
1282 fatal("key_from_private: BN_copy failed");
Damien Miller0bc1bd82000-11-13 22:57:25 +11001283 break;
1284 default:
Kevin Stevesef4eea92001-02-05 12:42:17 +00001285 fatal("key_from_private: unknown type %d", k->type);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001286 break;
1287 }
Damien Miller0a80ca12010-02-27 07:55:05 +11001288 if (key_is_cert(k))
1289 key_cert_copy(k, n);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001290 return n;
1291}
1292
1293int
Ben Lindstrom982dbbc2001-04-17 18:11:36 +00001294key_names_valid2(const char *names)
1295{
1296 char *s, *cp, *p;
1297
1298 if (names == NULL || strcmp(names, "") == 0)
1299 return 0;
1300 s = cp = xstrdup(names);
1301 for ((p = strsep(&cp, ",")); p && *p != '\0';
Damien Miller9f0f5c62001-12-21 14:45:46 +11001302 (p = strsep(&cp, ","))) {
Ben Lindstrom982dbbc2001-04-17 18:11:36 +00001303 switch (key_type_from_name(p)) {
1304 case KEY_RSA1:
1305 case KEY_UNSPEC:
Darren Tuckera627d422013-06-02 07:31:17 +10001306 free(s);
Ben Lindstrom982dbbc2001-04-17 18:11:36 +00001307 return 0;
1308 }
1309 }
1310 debug3("key names ok: [%s]", names);
Darren Tuckera627d422013-06-02 07:31:17 +10001311 free(s);
Ben Lindstrom982dbbc2001-04-17 18:11:36 +00001312 return 1;
1313}
1314
Damien Miller0a80ca12010-02-27 07:55:05 +11001315static int
1316cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1317{
Damien Miller4e270b02010-04-16 15:56:21 +10001318 u_char *principals, *critical, *exts, *sig_key, *sig;
1319 u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
Damien Miller0a80ca12010-02-27 07:55:05 +11001320 Buffer tmp;
1321 char *principal;
1322 int ret = -1;
Damien Miller4e270b02010-04-16 15:56:21 +10001323 int v00 = key->type == KEY_DSA_CERT_V00 ||
1324 key->type == KEY_RSA_CERT_V00;
Damien Miller0a80ca12010-02-27 07:55:05 +11001325
1326 buffer_init(&tmp);
1327
1328 /* Copy the entire key blob for verification and later serialisation */
1329 buffer_append(&key->cert->certblob, blob, blen);
1330
Damien Miller4e270b02010-04-16 15:56:21 +10001331 elen = 0; /* Not touched for v00 certs */
1332 principals = exts = critical = sig_key = sig = NULL;
1333 if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1334 buffer_get_int_ret(&key->cert->type, b) != 0 ||
Damien Millerda108ec2010-08-31 22:36:39 +10001335 (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
Damien Miller0a80ca12010-02-27 07:55:05 +11001336 (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1337 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1338 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
Damien Miller4e270b02010-04-16 15:56:21 +10001339 (critical = buffer_get_string_ret(b, &clen)) == NULL ||
1340 (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
1341 (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
1342 buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
Damien Miller0a80ca12010-02-27 07:55:05 +11001343 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1344 error("%s: parse error", __func__);
1345 goto out;
1346 }
1347
1348 /* Signature is left in the buffer so we can calculate this length */
1349 signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1350
1351 if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1352 error("%s: parse error", __func__);
1353 goto out;
1354 }
1355
1356 if (key->cert->type != SSH2_CERT_TYPE_USER &&
1357 key->cert->type != SSH2_CERT_TYPE_HOST) {
1358 error("Unknown certificate type %u", key->cert->type);
1359 goto out;
1360 }
1361
1362 buffer_append(&tmp, principals, plen);
1363 while (buffer_len(&tmp) > 0) {
1364 if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
Damien Miller41396572010-03-04 21:51:11 +11001365 error("%s: Too many principals", __func__);
Damien Miller0a80ca12010-02-27 07:55:05 +11001366 goto out;
1367 }
Damien Millerda108ec2010-08-31 22:36:39 +10001368 if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
Damien Miller41396572010-03-04 21:51:11 +11001369 error("%s: Principals data invalid", __func__);
1370 goto out;
1371 }
Damien Miller0a80ca12010-02-27 07:55:05 +11001372 key->cert->principals = xrealloc(key->cert->principals,
1373 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1374 key->cert->principals[key->cert->nprincipals++] = principal;
1375 }
1376
1377 buffer_clear(&tmp);
1378
Damien Miller4e270b02010-04-16 15:56:21 +10001379 buffer_append(&key->cert->critical, critical, clen);
1380 buffer_append(&tmp, critical, clen);
Damien Miller0a80ca12010-02-27 07:55:05 +11001381 /* validate structure */
1382 while (buffer_len(&tmp) != 0) {
Damien Miller2befbad2010-03-04 21:52:18 +11001383 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1384 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
Damien Miller4e270b02010-04-16 15:56:21 +10001385 error("%s: critical option data invalid", __func__);
1386 goto out;
1387 }
1388 }
1389 buffer_clear(&tmp);
1390
1391 buffer_append(&key->cert->extensions, exts, elen);
1392 buffer_append(&tmp, exts, elen);
1393 /* validate structure */
1394 while (buffer_len(&tmp) != 0) {
1395 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1396 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1397 error("%s: extension data invalid", __func__);
Damien Miller0a80ca12010-02-27 07:55:05 +11001398 goto out;
1399 }
1400 }
1401 buffer_clear(&tmp);
1402
Damien Miller4a3a9d42013-10-30 22:19:47 +11001403 if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0))
1404 == NULL) {
Damien Miller41396572010-03-04 21:51:11 +11001405 error("%s: Signature key invalid", __func__);
Damien Miller0a80ca12010-02-27 07:55:05 +11001406 goto out;
1407 }
1408 if (key->cert->signature_key->type != KEY_RSA &&
Damien Millereb8b60e2010-08-31 22:41:14 +10001409 key->cert->signature_key->type != KEY_DSA &&
1410 key->cert->signature_key->type != KEY_ECDSA) {
Damien Miller41396572010-03-04 21:51:11 +11001411 error("%s: Invalid signature key type %s (%d)", __func__,
Damien Miller0a80ca12010-02-27 07:55:05 +11001412 key_type(key->cert->signature_key),
1413 key->cert->signature_key->type);
1414 goto out;
1415 }
1416
1417 switch (key_verify(key->cert->signature_key, sig, slen,
1418 buffer_ptr(&key->cert->certblob), signed_len)) {
1419 case 1:
Damien Miller41396572010-03-04 21:51:11 +11001420 ret = 0;
Damien Miller0a80ca12010-02-27 07:55:05 +11001421 break; /* Good signature */
1422 case 0:
Damien Miller41396572010-03-04 21:51:11 +11001423 error("%s: Invalid signature on certificate", __func__);
Damien Miller0a80ca12010-02-27 07:55:05 +11001424 goto out;
1425 case -1:
Damien Miller41396572010-03-04 21:51:11 +11001426 error("%s: Certificate signature verification failed",
1427 __func__);
Damien Miller0a80ca12010-02-27 07:55:05 +11001428 goto out;
1429 }
1430
Damien Miller0a80ca12010-02-27 07:55:05 +11001431 out:
1432 buffer_free(&tmp);
Darren Tuckera627d422013-06-02 07:31:17 +10001433 free(principals);
1434 free(critical);
1435 free(exts);
1436 free(sig_key);
1437 free(sig);
Damien Miller0a80ca12010-02-27 07:55:05 +11001438 return ret;
1439}
1440
Damien Miller4a3a9d42013-10-30 22:19:47 +11001441static Key *
1442key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001443{
1444 Buffer b;
Darren Tucker8ccb7392010-09-10 12:28:24 +10001445 int rlen, type;
Damien Millereb8b60e2010-08-31 22:41:14 +10001446 char *ktype = NULL, *curve = NULL;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001447 Key *key = NULL;
Damien Miller6af914a2010-09-10 11:39:26 +10001448#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001449 EC_POINT *q = NULL;
Darren Tucker8ccb7392010-09-10 12:28:24 +10001450 int nid = -1;
Damien Miller6af914a2010-09-10 11:39:26 +10001451#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +11001452
1453#ifdef DEBUG_PK
1454 dump_base64(stderr, blob, blen);
1455#endif
1456 buffer_init(&b);
1457 buffer_append(&b, blob, blen);
Damien Millerda108ec2010-08-31 22:36:39 +10001458 if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
Darren Tucker08d04fa2004-11-05 20:42:28 +11001459 error("key_from_blob: can't read key type");
1460 goto out;
1461 }
1462
Damien Miller0bc1bd82000-11-13 22:57:25 +11001463 type = key_type_from_name(ktype);
Damien Miller6af914a2010-09-10 11:39:26 +10001464#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001465 if (key_type_plain(type) == KEY_ECDSA)
1466 nid = key_ecdsa_nid_from_name(ktype);
Damien Miller6af914a2010-09-10 11:39:26 +10001467#endif
Damien Miller4a3a9d42013-10-30 22:19:47 +11001468 if (!allow_cert && key_type_is_cert(type)) {
1469 error("key_from_blob: certificate not allowed in this context");
1470 goto out;
1471 }
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +00001472 switch (type) {
Damien Miller0a80ca12010-02-27 07:55:05 +11001473 case KEY_RSA_CERT:
Damien Miller4e270b02010-04-16 15:56:21 +10001474 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1475 /* FALLTHROUGH */
1476 case KEY_RSA:
1477 case KEY_RSA_CERT_V00:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001478 key = key_new(type);
Darren Tucker08d04fa2004-11-05 20:42:28 +11001479 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1480 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1481 error("key_from_blob: can't read rsa key");
Damien Miller0a80ca12010-02-27 07:55:05 +11001482 badkey:
Darren Tucker08d04fa2004-11-05 20:42:28 +11001483 key_free(key);
1484 key = NULL;
1485 goto out;
1486 }
Damien Miller0bc1bd82000-11-13 22:57:25 +11001487#ifdef DEBUG_PK
1488 RSA_print_fp(stderr, key->rsa, 8);
1489#endif
1490 break;
Damien Miller0a80ca12010-02-27 07:55:05 +11001491 case KEY_DSA_CERT:
Damien Miller4e270b02010-04-16 15:56:21 +10001492 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1493 /* FALLTHROUGH */
1494 case KEY_DSA:
1495 case KEY_DSA_CERT_V00:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001496 key = key_new(type);
Darren Tucker08d04fa2004-11-05 20:42:28 +11001497 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1498 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1499 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1500 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1501 error("key_from_blob: can't read dsa key");
Damien Miller0a80ca12010-02-27 07:55:05 +11001502 goto badkey;
Darren Tucker08d04fa2004-11-05 20:42:28 +11001503 }
Damien Miller0bc1bd82000-11-13 22:57:25 +11001504#ifdef DEBUG_PK
1505 DSA_print_fp(stderr, key->dsa, 8);
1506#endif
1507 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001508#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001509 case KEY_ECDSA_CERT:
1510 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1511 /* FALLTHROUGH */
1512 case KEY_ECDSA:
1513 key = key_new(type);
1514 key->ecdsa_nid = nid;
1515 if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
1516 error("key_from_blob: can't read ecdsa curve");
1517 goto badkey;
1518 }
1519 if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
1520 error("key_from_blob: ecdsa curve doesn't match type");
1521 goto badkey;
1522 }
1523 if (key->ecdsa != NULL)
1524 EC_KEY_free(key->ecdsa);
1525 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
1526 == NULL)
1527 fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
1528 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
1529 fatal("key_from_blob: EC_POINT_new failed");
1530 if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
1531 q) == -1) {
1532 error("key_from_blob: can't read ecdsa key point");
1533 goto badkey;
1534 }
1535 if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1536 q) != 0)
1537 goto badkey;
1538 if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
1539 fatal("key_from_blob: EC_KEY_set_public_key failed");
1540#ifdef DEBUG_PK
1541 key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
1542#endif
1543 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001544#endif /* OPENSSL_HAS_ECC */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001545 case KEY_UNSPEC:
1546 key = key_new(type);
1547 break;
1548 default:
1549 error("key_from_blob: cannot handle type %s", ktype);
Darren Tucker08d04fa2004-11-05 20:42:28 +11001550 goto out;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001551 }
Damien Miller0a80ca12010-02-27 07:55:05 +11001552 if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1553 error("key_from_blob: can't parse cert data");
1554 goto badkey;
1555 }
Damien Miller0bc1bd82000-11-13 22:57:25 +11001556 rlen = buffer_len(&b);
1557 if (key != NULL && rlen != 0)
1558 error("key_from_blob: remaining bytes in key blob %d", rlen);
Darren Tucker08d04fa2004-11-05 20:42:28 +11001559 out:
Darren Tuckera627d422013-06-02 07:31:17 +10001560 free(ktype);
1561 free(curve);
Damien Miller6af914a2010-09-10 11:39:26 +10001562#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001563 if (q != NULL)
1564 EC_POINT_free(q);
Damien Miller6af914a2010-09-10 11:39:26 +10001565#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +11001566 buffer_free(&b);
1567 return key;
1568}
1569
Damien Miller4a3a9d42013-10-30 22:19:47 +11001570Key *
1571key_from_blob(const u_char *blob, u_int blen)
1572{
1573 return key_from_blob2(blob, blen, 1);
1574}
1575
Damien Millerf3747bf2013-01-18 11:44:04 +11001576static int
1577to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001578{
1579 Buffer b;
Damien Millerf3747bf2013-01-18 11:44:04 +11001580 int len, type;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001581
1582 if (key == NULL) {
1583 error("key_to_blob: key == NULL");
1584 return 0;
1585 }
1586 buffer_init(&b);
Damien Millerf3747bf2013-01-18 11:44:04 +11001587 type = force_plain ? key_type_plain(key->type) : key->type;
1588 switch (type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001589 case KEY_DSA_CERT_V00:
1590 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001591 case KEY_DSA_CERT:
Damien Millereb8b60e2010-08-31 22:41:14 +10001592 case KEY_ECDSA_CERT:
Damien Miller0a80ca12010-02-27 07:55:05 +11001593 case KEY_RSA_CERT:
1594 /* Use the existing blob */
1595 buffer_append(&b, buffer_ptr(&key->cert->certblob),
1596 buffer_len(&key->cert->certblob));
1597 break;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001598 case KEY_DSA:
Damien Millerf3747bf2013-01-18 11:44:04 +11001599 buffer_put_cstring(&b,
1600 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
Damien Miller0bc1bd82000-11-13 22:57:25 +11001601 buffer_put_bignum2(&b, key->dsa->p);
1602 buffer_put_bignum2(&b, key->dsa->q);
1603 buffer_put_bignum2(&b, key->dsa->g);
1604 buffer_put_bignum2(&b, key->dsa->pub_key);
1605 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001606#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001607 case KEY_ECDSA:
Damien Millerf3747bf2013-01-18 11:44:04 +11001608 buffer_put_cstring(&b,
1609 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
Damien Millereb8b60e2010-08-31 22:41:14 +10001610 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1611 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1612 EC_KEY_get0_public_key(key->ecdsa));
1613 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001614#endif
Damien Miller0bc1bd82000-11-13 22:57:25 +11001615 case KEY_RSA:
Damien Millerf3747bf2013-01-18 11:44:04 +11001616 buffer_put_cstring(&b,
1617 key_ssh_name_from_type_nid(type, key->ecdsa_nid));
Damien Miller0bc1bd82000-11-13 22:57:25 +11001618 buffer_put_bignum2(&b, key->rsa->e);
Ben Lindstrombf555ba2001-01-18 02:04:35 +00001619 buffer_put_bignum2(&b, key->rsa->n);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001620 break;
1621 default:
Ben Lindstrom99a30f12001-09-18 05:49:14 +00001622 error("key_to_blob: unsupported key type %d", key->type);
1623 buffer_free(&b);
1624 return 0;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001625 }
1626 len = buffer_len(&b);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001627 if (lenp != NULL)
1628 *lenp = len;
Ben Lindstrom2bf759c2002-07-07 22:13:31 +00001629 if (blobp != NULL) {
1630 *blobp = xmalloc(len);
1631 memcpy(*blobp, buffer_ptr(&b), len);
1632 }
1633 memset(buffer_ptr(&b), 0, len);
1634 buffer_free(&b);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001635 return len;
1636}
1637
1638int
Damien Millerf3747bf2013-01-18 11:44:04 +11001639key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1640{
1641 return to_blob(key, blobp, lenp, 0);
1642}
1643
1644int
Damien Miller0bc1bd82000-11-13 22:57:25 +11001645key_sign(
Damien Millerf58b58c2003-11-17 21:18:23 +11001646 const Key *key,
Ben Lindstrom90fd8142002-02-26 18:09:42 +00001647 u_char **sigp, u_int *lenp,
Damien Millerf58b58c2003-11-17 21:18:23 +11001648 const u_char *data, u_int datalen)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001649{
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +00001650 switch (key->type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001651 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001652 case KEY_DSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001653 case KEY_DSA:
1654 return ssh_dss_sign(key, sigp, lenp, data, datalen);
Damien Miller6af914a2010-09-10 11:39:26 +10001655#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001656 case KEY_ECDSA_CERT:
1657 case KEY_ECDSA:
1658 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
Damien Miller6af914a2010-09-10 11:39:26 +10001659#endif
Damien Miller4e270b02010-04-16 15:56:21 +10001660 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001661 case KEY_RSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001662 case KEY_RSA:
1663 return ssh_rsa_sign(key, sigp, lenp, data, datalen);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001664 default:
Darren Tucker5cb30ad2004-08-12 22:40:24 +10001665 error("key_sign: invalid key type %d", key->type);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001666 return -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001667 }
1668}
1669
Ben Lindstrom01fff0c2002-06-06 20:54:07 +00001670/*
1671 * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1672 * and -1 on error.
1673 */
Damien Miller0bc1bd82000-11-13 22:57:25 +11001674int
1675key_verify(
Damien Millerf58b58c2003-11-17 21:18:23 +11001676 const Key *key,
1677 const u_char *signature, u_int signaturelen,
1678 const u_char *data, u_int datalen)
Damien Miller0bc1bd82000-11-13 22:57:25 +11001679{
Ben Lindstrom5363aee2001-06-25 04:42:20 +00001680 if (signaturelen == 0)
1681 return -1;
1682
Ben Lindstrom1c37c6a2001-12-06 18:00:18 +00001683 switch (key->type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001684 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001685 case KEY_DSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001686 case KEY_DSA:
1687 return ssh_dss_verify(key, signature, signaturelen, data, datalen);
Damien Miller6af914a2010-09-10 11:39:26 +10001688#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001689 case KEY_ECDSA_CERT:
1690 case KEY_ECDSA:
1691 return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
Damien Miller6af914a2010-09-10 11:39:26 +10001692#endif
Damien Miller4e270b02010-04-16 15:56:21 +10001693 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001694 case KEY_RSA_CERT:
Damien Miller0bc1bd82000-11-13 22:57:25 +11001695 case KEY_RSA:
1696 return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001697 default:
Darren Tucker5cb30ad2004-08-12 22:40:24 +10001698 error("key_verify: invalid key type %d", key->type);
Damien Miller0bc1bd82000-11-13 22:57:25 +11001699 return -1;
Damien Miller0bc1bd82000-11-13 22:57:25 +11001700 }
1701}
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001702
1703/* Converts a private to a public key */
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001704Key *
Damien Millerf58b58c2003-11-17 21:18:23 +11001705key_demote(const Key *k)
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001706{
1707 Key *pk;
Ben Lindstrom6328ab32002-03-22 02:54:23 +00001708
Damien Miller07d86be2006-03-26 14:19:21 +11001709 pk = xcalloc(1, sizeof(*pk));
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001710 pk->type = k->type;
1711 pk->flags = k->flags;
Damien Millereb8b60e2010-08-31 22:41:14 +10001712 pk->ecdsa_nid = k->ecdsa_nid;
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001713 pk->dsa = NULL;
Damien Millereb8b60e2010-08-31 22:41:14 +10001714 pk->ecdsa = NULL;
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001715 pk->rsa = NULL;
1716
1717 switch (k->type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001718 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001719 case KEY_RSA_CERT:
1720 key_cert_copy(k, pk);
1721 /* FALLTHROUGH */
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001722 case KEY_RSA1:
1723 case KEY_RSA:
1724 if ((pk->rsa = RSA_new()) == NULL)
1725 fatal("key_demote: RSA_new failed");
1726 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1727 fatal("key_demote: BN_dup failed");
1728 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1729 fatal("key_demote: BN_dup failed");
1730 break;
Damien Miller4e270b02010-04-16 15:56:21 +10001731 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001732 case KEY_DSA_CERT:
1733 key_cert_copy(k, pk);
1734 /* FALLTHROUGH */
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001735 case KEY_DSA:
1736 if ((pk->dsa = DSA_new()) == NULL)
1737 fatal("key_demote: DSA_new failed");
1738 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1739 fatal("key_demote: BN_dup failed");
1740 if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1741 fatal("key_demote: BN_dup failed");
1742 if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1743 fatal("key_demote: BN_dup failed");
1744 if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1745 fatal("key_demote: BN_dup failed");
1746 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001747#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001748 case KEY_ECDSA_CERT:
1749 key_cert_copy(k, pk);
1750 /* FALLTHROUGH */
1751 case KEY_ECDSA:
1752 if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
1753 fatal("key_demote: EC_KEY_new_by_curve_name failed");
1754 if (EC_KEY_set_public_key(pk->ecdsa,
1755 EC_KEY_get0_public_key(k->ecdsa)) != 1)
1756 fatal("key_demote: EC_KEY_set_public_key failed");
1757 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001758#endif
Ben Lindstroma674e8d2002-03-22 01:45:53 +00001759 default:
1760 fatal("key_free: bad key type %d", k->type);
1761 break;
1762 }
1763
1764 return (pk);
1765}
Damien Miller0a80ca12010-02-27 07:55:05 +11001766
1767int
1768key_is_cert(const Key *k)
1769{
Damien Miller4e270b02010-04-16 15:56:21 +10001770 if (k == NULL)
1771 return 0;
Damien Miller4a3a9d42013-10-30 22:19:47 +11001772 return key_type_is_cert(k->type);
Damien Miller0a80ca12010-02-27 07:55:05 +11001773}
1774
1775/* Return the cert-less equivalent to a certified key type */
1776int
1777key_type_plain(int type)
1778{
1779 switch (type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001780 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001781 case KEY_RSA_CERT:
1782 return KEY_RSA;
Damien Miller4e270b02010-04-16 15:56:21 +10001783 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001784 case KEY_DSA_CERT:
1785 return KEY_DSA;
Damien Millereb8b60e2010-08-31 22:41:14 +10001786 case KEY_ECDSA_CERT:
1787 return KEY_ECDSA;
Damien Miller0a80ca12010-02-27 07:55:05 +11001788 default:
1789 return type;
1790 }
1791}
1792
1793/* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
1794int
Damien Miller4e270b02010-04-16 15:56:21 +10001795key_to_certified(Key *k, int legacy)
Damien Miller0a80ca12010-02-27 07:55:05 +11001796{
1797 switch (k->type) {
1798 case KEY_RSA:
1799 k->cert = cert_new();
Damien Miller4e270b02010-04-16 15:56:21 +10001800 k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
Damien Miller0a80ca12010-02-27 07:55:05 +11001801 return 0;
1802 case KEY_DSA:
1803 k->cert = cert_new();
Damien Miller4e270b02010-04-16 15:56:21 +10001804 k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
Damien Miller0a80ca12010-02-27 07:55:05 +11001805 return 0;
Damien Millereb8b60e2010-08-31 22:41:14 +10001806 case KEY_ECDSA:
Damien Miller8f639fe2011-05-20 19:03:08 +10001807 if (legacy)
1808 fatal("%s: legacy ECDSA certificates are not supported",
1809 __func__);
Damien Millereb8b60e2010-08-31 22:41:14 +10001810 k->cert = cert_new();
1811 k->type = KEY_ECDSA_CERT;
1812 return 0;
Damien Miller0a80ca12010-02-27 07:55:05 +11001813 default:
1814 error("%s: key has incorrect type %s", __func__, key_type(k));
1815 return -1;
1816 }
1817}
1818
1819/* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1820int
1821key_drop_cert(Key *k)
1822{
1823 switch (k->type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001824 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001825 case KEY_RSA_CERT:
1826 cert_free(k->cert);
1827 k->type = KEY_RSA;
1828 return 0;
Damien Miller4e270b02010-04-16 15:56:21 +10001829 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001830 case KEY_DSA_CERT:
1831 cert_free(k->cert);
1832 k->type = KEY_DSA;
1833 return 0;
Damien Millereb8b60e2010-08-31 22:41:14 +10001834 case KEY_ECDSA_CERT:
1835 cert_free(k->cert);
1836 k->type = KEY_ECDSA;
1837 return 0;
Damien Miller0a80ca12010-02-27 07:55:05 +11001838 default:
1839 error("%s: key has incorrect type %s", __func__, key_type(k));
1840 return -1;
1841 }
1842}
1843
Damien Millereb8b60e2010-08-31 22:41:14 +10001844/*
1845 * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating
1846 * the signed certblob
1847 */
Damien Miller0a80ca12010-02-27 07:55:05 +11001848int
1849key_certify(Key *k, Key *ca)
1850{
1851 Buffer principals;
1852 u_char *ca_blob, *sig_blob, nonce[32];
1853 u_int i, ca_len, sig_len;
1854
1855 if (k->cert == NULL) {
1856 error("%s: key lacks cert info", __func__);
1857 return -1;
1858 }
1859
1860 if (!key_is_cert(k)) {
1861 error("%s: certificate has unknown type %d", __func__,
1862 k->cert->type);
1863 return -1;
1864 }
1865
Damien Millereb8b60e2010-08-31 22:41:14 +10001866 if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
1867 ca->type != KEY_ECDSA) {
Damien Miller0a80ca12010-02-27 07:55:05 +11001868 error("%s: CA key has unsupported type %s", __func__,
1869 key_type(ca));
1870 return -1;
1871 }
1872
1873 key_to_blob(ca, &ca_blob, &ca_len);
1874
1875 buffer_clear(&k->cert->certblob);
1876 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1877
Damien Miller4e270b02010-04-16 15:56:21 +10001878 /* -v01 certs put nonce first */
Damien Miller0a5f0122011-02-04 11:47:01 +11001879 arc4random_buf(&nonce, sizeof(nonce));
1880 if (!key_cert_is_legacy(k))
Damien Miller4e270b02010-04-16 15:56:21 +10001881 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
Damien Miller4e270b02010-04-16 15:56:21 +10001882
Damien Miller0a80ca12010-02-27 07:55:05 +11001883 switch (k->type) {
Damien Miller4e270b02010-04-16 15:56:21 +10001884 case KEY_DSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001885 case KEY_DSA_CERT:
1886 buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1887 buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1888 buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1889 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1890 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001891#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10001892 case KEY_ECDSA_CERT:
1893 buffer_put_cstring(&k->cert->certblob,
1894 key_curve_nid_to_name(k->ecdsa_nid));
1895 buffer_put_ecpoint(&k->cert->certblob,
1896 EC_KEY_get0_group(k->ecdsa),
1897 EC_KEY_get0_public_key(k->ecdsa));
1898 break;
Damien Miller6af914a2010-09-10 11:39:26 +10001899#endif
Damien Miller4e270b02010-04-16 15:56:21 +10001900 case KEY_RSA_CERT_V00:
Damien Miller0a80ca12010-02-27 07:55:05 +11001901 case KEY_RSA_CERT:
1902 buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1903 buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1904 break;
1905 default:
1906 error("%s: key has incorrect type %s", __func__, key_type(k));
1907 buffer_clear(&k->cert->certblob);
Darren Tuckera627d422013-06-02 07:31:17 +10001908 free(ca_blob);
Damien Miller0a80ca12010-02-27 07:55:05 +11001909 return -1;
1910 }
1911
Damien Miller4e270b02010-04-16 15:56:21 +10001912 /* -v01 certs have a serial number next */
Damien Millereb8b60e2010-08-31 22:41:14 +10001913 if (!key_cert_is_legacy(k))
Damien Miller4e270b02010-04-16 15:56:21 +10001914 buffer_put_int64(&k->cert->certblob, k->cert->serial);
1915
Damien Miller0a80ca12010-02-27 07:55:05 +11001916 buffer_put_int(&k->cert->certblob, k->cert->type);
1917 buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1918
1919 buffer_init(&principals);
1920 for (i = 0; i < k->cert->nprincipals; i++)
1921 buffer_put_cstring(&principals, k->cert->principals[i]);
1922 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1923 buffer_len(&principals));
1924 buffer_free(&principals);
1925
1926 buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1927 buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1928 buffer_put_string(&k->cert->certblob,
Damien Miller4e270b02010-04-16 15:56:21 +10001929 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
Damien Miller0a80ca12010-02-27 07:55:05 +11001930
Damien Miller4e270b02010-04-16 15:56:21 +10001931 /* -v01 certs have non-critical options here */
Damien Millereb8b60e2010-08-31 22:41:14 +10001932 if (!key_cert_is_legacy(k)) {
Damien Miller4e270b02010-04-16 15:56:21 +10001933 buffer_put_string(&k->cert->certblob,
1934 buffer_ptr(&k->cert->extensions),
1935 buffer_len(&k->cert->extensions));
1936 }
1937
1938 /* -v00 certs put the nonce at the end */
Damien Millereb8b60e2010-08-31 22:41:14 +10001939 if (key_cert_is_legacy(k))
Damien Miller4e270b02010-04-16 15:56:21 +10001940 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1941
Damien Miller0a80ca12010-02-27 07:55:05 +11001942 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1943 buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
Darren Tuckera627d422013-06-02 07:31:17 +10001944 free(ca_blob);
Damien Miller0a80ca12010-02-27 07:55:05 +11001945
1946 /* Sign the whole mess */
1947 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
1948 buffer_len(&k->cert->certblob)) != 0) {
1949 error("%s: signature operation failed", __func__);
1950 buffer_clear(&k->cert->certblob);
1951 return -1;
1952 }
1953 /* Append signature and we are done */
1954 buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
Darren Tuckera627d422013-06-02 07:31:17 +10001955 free(sig_blob);
Damien Miller0a80ca12010-02-27 07:55:05 +11001956
1957 return 0;
1958}
1959
1960int
1961key_cert_check_authority(const Key *k, int want_host, int require_principal,
1962 const char *name, const char **reason)
1963{
1964 u_int i, principal_matches;
1965 time_t now = time(NULL);
1966
1967 if (want_host) {
1968 if (k->cert->type != SSH2_CERT_TYPE_HOST) {
1969 *reason = "Certificate invalid: not a host certificate";
1970 return -1;
1971 }
1972 } else {
1973 if (k->cert->type != SSH2_CERT_TYPE_USER) {
1974 *reason = "Certificate invalid: not a user certificate";
1975 return -1;
1976 }
1977 }
1978 if (now < 0) {
1979 error("%s: system clock lies before epoch", __func__);
1980 *reason = "Certificate invalid: not yet valid";
1981 return -1;
1982 }
1983 if ((u_int64_t)now < k->cert->valid_after) {
1984 *reason = "Certificate invalid: not yet valid";
1985 return -1;
1986 }
1987 if ((u_int64_t)now >= k->cert->valid_before) {
1988 *reason = "Certificate invalid: expired";
1989 return -1;
1990 }
1991 if (k->cert->nprincipals == 0) {
1992 if (require_principal) {
1993 *reason = "Certificate lacks principal list";
1994 return -1;
1995 }
Damien Miller30da3442010-05-10 11:58:03 +10001996 } else if (name != NULL) {
Damien Miller0a80ca12010-02-27 07:55:05 +11001997 principal_matches = 0;
1998 for (i = 0; i < k->cert->nprincipals; i++) {
1999 if (strcmp(name, k->cert->principals[i]) == 0) {
2000 principal_matches = 1;
2001 break;
2002 }
2003 }
2004 if (!principal_matches) {
2005 *reason = "Certificate invalid: name is not a listed "
2006 "principal";
2007 return -1;
2008 }
2009 }
2010 return 0;
2011}
Damien Miller4e270b02010-04-16 15:56:21 +10002012
2013int
Damien Millerf3747bf2013-01-18 11:44:04 +11002014key_cert_is_legacy(const Key *k)
Damien Miller4e270b02010-04-16 15:56:21 +10002015{
2016 switch (k->type) {
2017 case KEY_DSA_CERT_V00:
2018 case KEY_RSA_CERT_V00:
2019 return 1;
2020 default:
2021 return 0;
2022 }
2023}
Damien Millereb8b60e2010-08-31 22:41:14 +10002024
Damien Miller041ab7c2010-09-10 11:23:34 +10002025/* XXX: these are really begging for a table-driven approach */
Damien Millereb8b60e2010-08-31 22:41:14 +10002026int
2027key_curve_name_to_nid(const char *name)
2028{
Damien Miller6af914a2010-09-10 11:39:26 +10002029#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10002030 if (strcmp(name, "nistp256") == 0)
2031 return NID_X9_62_prime256v1;
2032 else if (strcmp(name, "nistp384") == 0)
2033 return NID_secp384r1;
2034 else if (strcmp(name, "nistp521") == 0)
2035 return NID_secp521r1;
Damien Miller6af914a2010-09-10 11:39:26 +10002036#endif
Damien Millereb8b60e2010-08-31 22:41:14 +10002037
2038 debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
2039 return -1;
2040}
2041
Damien Miller041ab7c2010-09-10 11:23:34 +10002042u_int
2043key_curve_nid_to_bits(int nid)
2044{
2045 switch (nid) {
Damien Miller6af914a2010-09-10 11:39:26 +10002046#ifdef OPENSSL_HAS_ECC
Damien Miller041ab7c2010-09-10 11:23:34 +10002047 case NID_X9_62_prime256v1:
2048 return 256;
2049 case NID_secp384r1:
2050 return 384;
2051 case NID_secp521r1:
2052 return 521;
Damien Miller6af914a2010-09-10 11:39:26 +10002053#endif
Damien Miller041ab7c2010-09-10 11:23:34 +10002054 default:
2055 error("%s: unsupported EC curve nid %d", __func__, nid);
2056 return 0;
2057 }
2058}
2059
Damien Millereb8b60e2010-08-31 22:41:14 +10002060const char *
2061key_curve_nid_to_name(int nid)
2062{
Damien Miller6af914a2010-09-10 11:39:26 +10002063#ifdef OPENSSL_HAS_ECC
Damien Millereb8b60e2010-08-31 22:41:14 +10002064 if (nid == NID_X9_62_prime256v1)
2065 return "nistp256";
2066 else if (nid == NID_secp384r1)
2067 return "nistp384";
2068 else if (nid == NID_secp521r1)
2069 return "nistp521";
Damien Miller6af914a2010-09-10 11:39:26 +10002070#endif
Damien Millereb8b60e2010-08-31 22:41:14 +10002071 error("%s: unsupported EC curve nid %d", __func__, nid);
2072 return NULL;
2073}
2074
Damien Miller6af914a2010-09-10 11:39:26 +10002075#ifdef OPENSSL_HAS_ECC
Damien Miller041ab7c2010-09-10 11:23:34 +10002076const EVP_MD *
2077key_ec_nid_to_evpmd(int nid)
2078{
2079 int kbits = key_curve_nid_to_bits(nid);
2080
2081 if (kbits == 0)
2082 fatal("%s: invalid nid %d", __func__, nid);
2083 /* RFC5656 section 6.2.1 */
2084 if (kbits <= 256)
2085 return EVP_sha256();
2086 else if (kbits <= 384)
2087 return EVP_sha384();
2088 else
2089 return EVP_sha512();
2090}
2091
Damien Millereb8b60e2010-08-31 22:41:14 +10002092int
2093key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
2094{
2095 BN_CTX *bnctx;
2096 EC_POINT *nq = NULL;
2097 BIGNUM *order, *x, *y, *tmp;
2098 int ret = -1;
2099
2100 if ((bnctx = BN_CTX_new()) == NULL)
2101 fatal("%s: BN_CTX_new failed", __func__);
2102 BN_CTX_start(bnctx);
2103
2104 /*
2105 * We shouldn't ever hit this case because bignum_get_ecpoint()
2106 * refuses to load GF2m points.
2107 */
2108 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2109 NID_X9_62_prime_field) {
2110 error("%s: group is not a prime field", __func__);
2111 goto out;
2112 }
2113
2114 /* Q != infinity */
2115 if (EC_POINT_is_at_infinity(group, public)) {
2116 error("%s: received degenerate public key (infinity)",
2117 __func__);
2118 goto out;
2119 }
2120
2121 if ((x = BN_CTX_get(bnctx)) == NULL ||
2122 (y = BN_CTX_get(bnctx)) == NULL ||
2123 (order = BN_CTX_get(bnctx)) == NULL ||
2124 (tmp = BN_CTX_get(bnctx)) == NULL)
2125 fatal("%s: BN_CTX_get failed", __func__);
2126
2127 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2128 if (EC_GROUP_get_order(group, order, bnctx) != 1)
2129 fatal("%s: EC_GROUP_get_order failed", __func__);
2130 if (EC_POINT_get_affine_coordinates_GFp(group, public,
2131 x, y, bnctx) != 1)
2132 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2133 if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
2134 error("%s: public key x coordinate too small: "
2135 "bits(x) = %d, bits(order)/2 = %d", __func__,
2136 BN_num_bits(x), BN_num_bits(order) / 2);
2137 goto out;
2138 }
2139 if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
2140 error("%s: public key y coordinate too small: "
2141 "bits(y) = %d, bits(order)/2 = %d", __func__,
2142 BN_num_bits(x), BN_num_bits(order) / 2);
2143 goto out;
2144 }
2145
2146 /* nQ == infinity (n == order of subgroup) */
2147 if ((nq = EC_POINT_new(group)) == NULL)
2148 fatal("%s: BN_CTX_tmp failed", __func__);
2149 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
2150 fatal("%s: EC_GROUP_mul failed", __func__);
2151 if (EC_POINT_is_at_infinity(group, nq) != 1) {
2152 error("%s: received degenerate public key (nQ != infinity)",
2153 __func__);
2154 goto out;
2155 }
2156
2157 /* x < order - 1, y < order - 1 */
2158 if (!BN_sub(tmp, order, BN_value_one()))
2159 fatal("%s: BN_sub failed", __func__);
2160 if (BN_cmp(x, tmp) >= 0) {
2161 error("%s: public key x coordinate >= group order - 1",
2162 __func__);
2163 goto out;
2164 }
2165 if (BN_cmp(y, tmp) >= 0) {
2166 error("%s: public key y coordinate >= group order - 1",
2167 __func__);
2168 goto out;
2169 }
2170 ret = 0;
2171 out:
2172 BN_CTX_free(bnctx);
2173 EC_POINT_free(nq);
2174 return ret;
2175}
2176
2177int
2178key_ec_validate_private(const EC_KEY *key)
2179{
2180 BN_CTX *bnctx;
2181 BIGNUM *order, *tmp;
2182 int ret = -1;
2183
2184 if ((bnctx = BN_CTX_new()) == NULL)
2185 fatal("%s: BN_CTX_new failed", __func__);
2186 BN_CTX_start(bnctx);
2187
2188 if ((order = BN_CTX_get(bnctx)) == NULL ||
2189 (tmp = BN_CTX_get(bnctx)) == NULL)
2190 fatal("%s: BN_CTX_get failed", __func__);
2191
2192 /* log2(private) > log2(order)/2 */
2193 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
2194 fatal("%s: EC_GROUP_get_order failed", __func__);
2195 if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2196 BN_num_bits(order) / 2) {
2197 error("%s: private key too small: "
2198 "bits(y) = %d, bits(order)/2 = %d", __func__,
2199 BN_num_bits(EC_KEY_get0_private_key(key)),
2200 BN_num_bits(order) / 2);
2201 goto out;
2202 }
2203
2204 /* private < order - 1 */
2205 if (!BN_sub(tmp, order, BN_value_one()))
2206 fatal("%s: BN_sub failed", __func__);
2207 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
2208 error("%s: private key >= group order - 1", __func__);
2209 goto out;
2210 }
2211 ret = 0;
2212 out:
2213 BN_CTX_free(bnctx);
2214 return ret;
2215}
2216
2217#if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
2218void
2219key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2220{
2221 BIGNUM *x, *y;
2222 BN_CTX *bnctx;
2223
2224 if (point == NULL) {
2225 fputs("point=(NULL)\n", stderr);
2226 return;
2227 }
2228 if ((bnctx = BN_CTX_new()) == NULL)
2229 fatal("%s: BN_CTX_new failed", __func__);
2230 BN_CTX_start(bnctx);
2231 if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
2232 fatal("%s: BN_CTX_get failed", __func__);
2233 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2234 NID_X9_62_prime_field)
2235 fatal("%s: group is not a prime field", __func__);
2236 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
2237 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2238 fputs("x=", stderr);
2239 BN_print_fp(stderr, x);
2240 fputs("\ny=", stderr);
2241 BN_print_fp(stderr, y);
2242 fputs("\n", stderr);
2243 BN_CTX_free(bnctx);
2244}
2245
2246void
2247key_dump_ec_key(const EC_KEY *key)
2248{
2249 const BIGNUM *exponent;
2250
2251 key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
2252 fputs("exponent=", stderr);
2253 if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
2254 fputs("(NULL)", stderr);
2255 else
2256 BN_print_fp(stderr, EC_KEY_get0_private_key(key));
2257 fputs("\n", stderr);
2258}
2259#endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
Damien Miller6af914a2010-09-10 11:39:26 +10002260#endif /* OPENSSL_HAS_ECC */