search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
- (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exact
[openssh-git.git] / key.c
blob842280a9f66b12a351c6f79f1360f6b0dade0d1a
1 /* $OpenBSD: key.c,v 1.92 2010/08/31 11:54:45 djm Exp $ */
2 /*
3 * read_bignum():
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 *
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
11 *
12 *
13 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
14 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
15 *
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
18 * are met:
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
24 *
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35 */
36
37 #include "includes.h"
38
39 #include <sys/param.h>
40 #include <sys/types.h>
41
42 #include <openssl/evp.h>
43 #include <openbsd-compat/openssl-compat.h>
44
45 #include <stdarg.h>
46 #include <stdio.h>
47 #include <string.h>
48
49 #include "xmalloc.h"
50 #include "key.h"
51 #include "rsa.h"
52 #include "uuencode.h"
53 #include "buffer.h"
54 #include "log.h"
55 #include "misc.h"
56 #include "ssh2.h"
57
58 static struct KeyCert *
59 cert_new(void)
60 {
61 struct KeyCert *cert;
62
63 cert = xcalloc(1, sizeof(*cert));
64 buffer_init(&cert->certblob);
65 buffer_init(&cert->critical);
66 buffer_init(&cert->extensions);
67 cert->key_id = NULL;
68 cert->principals = NULL;
69 cert->signature_key = NULL;
70 return cert;
71 }
72
73 Key *
74 key_new(int type)
75 {
76 Key *k;
77 RSA *rsa;
78 DSA *dsa;
79 k = xcalloc(1, sizeof(*k));
80 k->type = type;
81 k->ecdsa = NULL;
82 k->ecdsa_nid = -1;
83 k->dsa = NULL;
84 k->rsa = NULL;
85 k->cert = NULL;
86 switch (k->type) {
87 case KEY_RSA1:
88 case KEY_RSA:
89 case KEY_RSA_CERT_V00:
90 case KEY_RSA_CERT:
91 if ((rsa = RSA_new()) == NULL)
92 fatal("key_new: RSA_new failed");
93 if ((rsa->n = BN_new()) == NULL)
94 fatal("key_new: BN_new failed");
95 if ((rsa->e = BN_new()) == NULL)
96 fatal("key_new: BN_new failed");
97 k->rsa = rsa;
98 break;
99 case KEY_DSA:
100 case KEY_DSA_CERT_V00:
101 case KEY_DSA_CERT:
102 if ((dsa = DSA_new()) == NULL)
103 fatal("key_new: DSA_new failed");
104 if ((dsa->p = BN_new()) == NULL)
105 fatal("key_new: BN_new failed");
106 if ((dsa->q = BN_new()) == NULL)
107 fatal("key_new: BN_new failed");
108 if ((dsa->g = BN_new()) == NULL)
109 fatal("key_new: BN_new failed");
110 if ((dsa->pub_key = BN_new()) == NULL)
111 fatal("key_new: BN_new failed");
112 k->dsa = dsa;
113 break;
114 case KEY_ECDSA:
115 case KEY_ECDSA_CERT:
116 /* Cannot do anything until we know the group */
117 break;
118 case KEY_UNSPEC:
119 break;
120 default:
121 fatal("key_new: bad key type %d", k->type);
122 break;
123 }
124
125 if (key_is_cert(k))
126 k->cert = cert_new();
127
128 return k;
129 }
130
131 void
132 key_add_private(Key *k)
133 {
134 switch (k->type) {
135 case KEY_RSA1:
136 case KEY_RSA:
137 case KEY_RSA_CERT_V00:
138 case KEY_RSA_CERT:
139 if ((k->rsa->d = BN_new()) == NULL)
140 fatal("key_new_private: BN_new failed");
141 if ((k->rsa->iqmp = BN_new()) == NULL)
142 fatal("key_new_private: BN_new failed");
143 if ((k->rsa->q = BN_new()) == NULL)
144 fatal("key_new_private: BN_new failed");
145 if ((k->rsa->p = BN_new()) == NULL)
146 fatal("key_new_private: BN_new failed");
147 if ((k->rsa->dmq1 = BN_new()) == NULL)
148 fatal("key_new_private: BN_new failed");
149 if ((k->rsa->dmp1 = BN_new()) == NULL)
150 fatal("key_new_private: BN_new failed");
151 break;
152 case KEY_DSA:
153 case KEY_DSA_CERT_V00:
154 case KEY_DSA_CERT:
155 if ((k->dsa->priv_key = BN_new()) == NULL)
156 fatal("key_new_private: BN_new failed");
157 break;
158 case KEY_ECDSA:
159 case KEY_ECDSA_CERT:
160 /* Cannot do anything until we know the group */
161 break;
162 case KEY_UNSPEC:
163 break;
164 default:
165 break;
166 }
167 }
168
169 Key *
170 key_new_private(int type)
171 {
172 Key *k = key_new(type);
173
174 key_add_private(k);
175 return k;
176 }
177
178 static void
179 cert_free(struct KeyCert *cert)
180 {
181 u_int i;
182
183 buffer_free(&cert->certblob);
184 buffer_free(&cert->critical);
185 buffer_free(&cert->extensions);
186 if (cert->key_id != NULL)
187 xfree(cert->key_id);
188 for (i = 0; i < cert->nprincipals; i++)
189 xfree(cert->principals[i]);
190 if (cert->principals != NULL)
191 xfree(cert->principals);
192 if (cert->signature_key != NULL)
193 key_free(cert->signature_key);
194 }
195
196 void
197 key_free(Key *k)
198 {
199 if (k == NULL)
200 fatal("key_free: key is NULL");
201 switch (k->type) {
202 case KEY_RSA1:
203 case KEY_RSA:
204 case KEY_RSA_CERT_V00:
205 case KEY_RSA_CERT:
206 if (k->rsa != NULL)
207 RSA_free(k->rsa);
208 k->rsa = NULL;
209 break;
210 case KEY_DSA:
211 case KEY_DSA_CERT_V00:
212 case KEY_DSA_CERT:
213 if (k->dsa != NULL)
214 DSA_free(k->dsa);
215 k->dsa = NULL;
216 break;
217 case KEY_ECDSA:
218 case KEY_ECDSA_CERT:
219 if (k->ecdsa != NULL)
220 EC_KEY_free(k->ecdsa);
221 k->ecdsa = NULL;
222 break;
223 case KEY_UNSPEC:
224 break;
225 default:
226 fatal("key_free: bad key type %d", k->type);
227 break;
228 }
229 if (key_is_cert(k)) {
230 if (k->cert != NULL)
231 cert_free(k->cert);
232 k->cert = NULL;
233 }
234
235 xfree(k);
236 }
237
238 static int
239 cert_compare(struct KeyCert *a, struct KeyCert *b)
240 {
241 if (a == NULL && b == NULL)
242 return 1;
243 if (a == NULL || b == NULL)
244 return 0;
245 if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
246 return 0;
247 if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
248 buffer_len(&a->certblob)) != 0)
249 return 0;
250 return 1;
251 }
252
253 /*
254 * Compare public portions of key only, allowing comparisons between
255 * certificates and plain keys too.
256 */
257 int
258 key_equal_public(const Key *a, const Key *b)
259 {
260 BN_CTX *bnctx;
261
262 if (a == NULL || b == NULL ||
263 key_type_plain(a->type) != key_type_plain(b->type))
264 return 0;
265
266 switch (a->type) {
267 case KEY_RSA1:
268 case KEY_RSA_CERT_V00:
269 case KEY_RSA_CERT:
270 case KEY_RSA:
271 return a->rsa != NULL && b->rsa != NULL &&
272 BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
273 BN_cmp(a->rsa->n, b->rsa->n) == 0;
274 case KEY_DSA_CERT_V00:
275 case KEY_DSA_CERT:
276 case KEY_DSA:
277 return a->dsa != NULL && b->dsa != NULL &&
278 BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
279 BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
280 BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
281 BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
282 case KEY_ECDSA_CERT:
283 case KEY_ECDSA:
284 if (a->ecdsa == NULL || b->ecdsa == NULL ||
285 EC_KEY_get0_public_key(a->ecdsa) == NULL ||
286 EC_KEY_get0_public_key(b->ecdsa) == NULL)
287 return 0;
288 if ((bnctx = BN_CTX_new()) == NULL)
289 fatal("%s: BN_CTX_new failed", __func__);
290 if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
291 EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
292 EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
293 EC_KEY_get0_public_key(a->ecdsa),
294 EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
295 BN_CTX_free(bnctx);
296 return 0;
297 }
298 BN_CTX_free(bnctx);
299 return 1;
300 default:
301 fatal("key_equal: bad key type %d", a->type);
302 }
303 /* NOTREACHED */
304 }
305
306 int
307 key_equal(const Key *a, const Key *b)
308 {
309 if (a == NULL || b == NULL || a->type != b->type)
310 return 0;
311 if (key_is_cert(a)) {
312 if (!cert_compare(a->cert, b->cert))
313 return 0;
314 }
315 return key_equal_public(a, b);
316 }
317
318 u_char*
319 key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length)
320 {
321 const EVP_MD *md = NULL;
322 EVP_MD_CTX ctx;
323 u_char *blob = NULL;
324 u_char *retval = NULL;
325 u_int len = 0;
326 int nlen, elen, otype;
327
328 *dgst_raw_length = 0;
329
330 switch (dgst_type) {
331 case SSH_FP_MD5:
332 md = EVP_md5();
333 break;
334 case SSH_FP_SHA1:
335 md = EVP_sha1();
336 break;
337 default:
338 fatal("key_fingerprint_raw: bad digest type %d",
339 dgst_type);
340 }
341 switch (k->type) {
342 case KEY_RSA1:
343 nlen = BN_num_bytes(k->rsa->n);
344 elen = BN_num_bytes(k->rsa->e);
345 len = nlen + elen;
346 blob = xmalloc(len);
347 BN_bn2bin(k->rsa->n, blob);
348 BN_bn2bin(k->rsa->e, blob + nlen);
349 break;
350 case KEY_DSA:
351 case KEY_ECDSA:
352 case KEY_RSA:
353 key_to_blob(k, &blob, &len);
354 break;
355 case KEY_DSA_CERT_V00:
356 case KEY_RSA_CERT_V00:
357 case KEY_DSA_CERT:
358 case KEY_ECDSA_CERT:
359 case KEY_RSA_CERT:
360 /* We want a fingerprint of the _key_ not of the cert */
361 otype = k->type;
362 k->type = key_type_plain(k->type);
363 key_to_blob(k, &blob, &len);
364 k->type = otype;
365 break;
366 case KEY_UNSPEC:
367 return retval;
368 default:
369 fatal("key_fingerprint_raw: bad key type %d", k->type);
370 break;
371 }
372 if (blob != NULL) {
373 retval = xmalloc(EVP_MAX_MD_SIZE);
374 EVP_DigestInit(&ctx, md);
375 EVP_DigestUpdate(&ctx, blob, len);
376 EVP_DigestFinal(&ctx, retval, dgst_raw_length);
377 memset(blob, 0, len);
378 xfree(blob);
379 } else {
380 fatal("key_fingerprint_raw: blob is null");
381 }
382 return retval;
383 }
384
385 static char *
386 key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
387 {
388 char *retval;
389 u_int i;
390
391 retval = xcalloc(1, dgst_raw_len * 3 + 1);
392 for (i = 0; i < dgst_raw_len; i++) {
393 char hex[4];
394 snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
395 strlcat(retval, hex, dgst_raw_len * 3 + 1);
396 }
397
398 /* Remove the trailing ':' character */
399 retval[(dgst_raw_len * 3) - 1] = '\0';
400 return retval;
401 }
402
403 static char *
404 key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
405 {
406 char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
407 char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
408 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
409 u_int i, j = 0, rounds, seed = 1;
410 char *retval;
411
412 rounds = (dgst_raw_len / 2) + 1;
413 retval = xcalloc((rounds * 6), sizeof(char));
414 retval[j++] = 'x';
415 for (i = 0; i < rounds; i++) {
416 u_int idx0, idx1, idx2, idx3, idx4;
417 if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
418 idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
419 seed) % 6;
420 idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
421 idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
422 (seed / 6)) % 6;
423 retval[j++] = vowels[idx0];
424 retval[j++] = consonants[idx1];
425 retval[j++] = vowels[idx2];
426 if ((i + 1) < rounds) {
427 idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
428 idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
429 retval[j++] = consonants[idx3];
430 retval[j++] = '-';
431 retval[j++] = consonants[idx4];
432 seed = ((seed * 5) +
433 ((((u_int)(dgst_raw[2 * i])) * 7) +
434 ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
435 }
436 } else {
437 idx0 = seed % 6;
438 idx1 = 16;
439 idx2 = seed / 6;
440 retval[j++] = vowels[idx0];
441 retval[j++] = consonants[idx1];
442 retval[j++] = vowels[idx2];
443 }
444 }
445 retval[j++] = 'x';
446 retval[j++] = '\0';
447 return retval;
448 }
449
450 /*
451 * Draw an ASCII-Art representing the fingerprint so human brain can
452 * profit from its built-in pattern recognition ability.
453 * This technique is called "random art" and can be found in some
454 * scientific publications like this original paper:
455 *
456 * "Hash Visualization: a New Technique to improve Real-World Security",
457 * Perrig A. and Song D., 1999, International Workshop on Cryptographic
458 * Techniques and E-Commerce (CrypTEC '99)
459 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
460 *
461 * The subject came up in a talk by Dan Kaminsky, too.
462 *
463 * If you see the picture is different, the key is different.
464 * If the picture looks the same, you still know nothing.
465 *
466 * The algorithm used here is a worm crawling over a discrete plane,
467 * leaving a trace (augmenting the field) everywhere it goes.
468 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
469 * makes the respective movement vector be ignored for this turn.
470 * Graphs are not unambiguous, because circles in graphs can be
471 * walked in either direction.
472 */
473
474 /*
475 * Field sizes for the random art. Have to be odd, so the starting point
476 * can be in the exact middle of the picture, and FLDBASE should be >=8 .
477 * Else pictures would be too dense, and drawing the frame would
478 * fail, too, because the key type would not fit in anymore.
479 */
480 #define FLDBASE 8
481 #define FLDSIZE_Y (FLDBASE + 1)
482 #define FLDSIZE_X (FLDBASE * 2 + 1)
483 static char *
484 key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
485 {
486 /*
487 * Chars to be used after each other every time the worm
488 * intersects with itself. Matter of taste.
489 */
490 char *augmentation_string = " .o+=*BOX@%&#/^SE";
491 char *retval, *p;
492 u_char field[FLDSIZE_X][FLDSIZE_Y];
493 u_int i, b;
494 int x, y;
495 size_t len = strlen(augmentation_string) - 1;
496
497 retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
498
499 /* initialize field */
500 memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
501 x = FLDSIZE_X / 2;
502 y = FLDSIZE_Y / 2;
503
504 /* process raw key */
505 for (i = 0; i < dgst_raw_len; i++) {
506 int input;
507 /* each byte conveys four 2-bit move commands */
508 input = dgst_raw[i];
509 for (b = 0; b < 4; b++) {
510 /* evaluate 2 bit, rest is shifted later */
511 x += (input & 0x1) ? 1 : -1;
512 y += (input & 0x2) ? 1 : -1;
513
514 /* assure we are still in bounds */
515 x = MAX(x, 0);
516 y = MAX(y, 0);
517 x = MIN(x, FLDSIZE_X - 1);
518 y = MIN(y, FLDSIZE_Y - 1);
519
520 /* augment the field */
521 if (field[x][y] < len - 2)
522 field[x][y]++;
523 input = input >> 2;
524 }
525 }
526
527 /* mark starting point and end point*/
528 field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
529 field[x][y] = len;
530
531 /* fill in retval */
532 snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
533 p = strchr(retval, '\0');
534
535 /* output upper border */
536 for (i = p - retval - 1; i < FLDSIZE_X; i++)
537 *p++ = '-';
538 *p++ = '+';
539 *p++ = '\n';
540
541 /* output content */
542 for (y = 0; y < FLDSIZE_Y; y++) {
543 *p++ = '|';
544 for (x = 0; x < FLDSIZE_X; x++)
545 *p++ = augmentation_string[MIN(field[x][y], len)];
546 *p++ = '|';
547 *p++ = '\n';
548 }
549
550 /* output lower border */
551 *p++ = '+';
552 for (i = 0; i < FLDSIZE_X; i++)
553 *p++ = '-';
554 *p++ = '+';
555
556 return retval;
557 }
558
559 char *
560 key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
561 {
562 char *retval = NULL;
563 u_char *dgst_raw;
564 u_int dgst_raw_len;
565
566 dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
567 if (!dgst_raw)
568 fatal("key_fingerprint: null from key_fingerprint_raw()");
569 switch (dgst_rep) {
570 case SSH_FP_HEX:
571 retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
572 break;
573 case SSH_FP_BUBBLEBABBLE:
574 retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
575 break;
576 case SSH_FP_RANDOMART:
577 retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
578 break;
579 default:
580 fatal("key_fingerprint: bad digest representation %d",
581 dgst_rep);
582 break;
583 }
584 memset(dgst_raw, 0, dgst_raw_len);
585 xfree(dgst_raw);
586 return retval;
587 }
588
589 /*
590 * Reads a multiple-precision integer in decimal from the buffer, and advances
591 * the pointer. The integer must already be initialized. This function is
592 * permitted to modify the buffer. This leaves *cpp to point just beyond the
593 * last processed (and maybe modified) character. Note that this may modify
594 * the buffer containing the number.
595 */
596 static int
597 read_bignum(char **cpp, BIGNUM * value)
598 {
599 char *cp = *cpp;
600 int old;
601
602 /* Skip any leading whitespace. */
603 for (; *cp == ' ' || *cp == '\t'; cp++)
604 ;
605
606 /* Check that it begins with a decimal digit. */
607 if (*cp < '0' || *cp > '9')
608 return 0;
609
610 /* Save starting position. */
611 *cpp = cp;
612
613 /* Move forward until all decimal digits skipped. */
614 for (; *cp >= '0' && *cp <= '9'; cp++)
615 ;
616
617 /* Save the old terminating character, and replace it by \0. */
618 old = *cp;
619 *cp = 0;
620
621 /* Parse the number. */
622 if (BN_dec2bn(&value, *cpp) == 0)
623 return 0;
624
625 /* Restore old terminating character. */
626 *cp = old;
627
628 /* Move beyond the number and return success. */
629 *cpp = cp;
630 return 1;
631 }
632
633 static int
634 write_bignum(FILE *f, BIGNUM *num)
635 {
636 char *buf = BN_bn2dec(num);
637 if (buf == NULL) {
638 error("write_bignum: BN_bn2dec() failed");
639 return 0;
640 }
641 fprintf(f, " %s", buf);
642 OPENSSL_free(buf);
643 return 1;
644 }
645
646 /* returns 1 ok, -1 error */
647 int
648 key_read(Key *ret, char **cpp)
649 {
650 Key *k;
651 int success = -1;
652 char *cp, *space;
653 int len, n, type, curve_nid = -1;
654 u_int bits;
655 u_char *blob;
656
657 cp = *cpp;
658
659 switch (ret->type) {
660 case KEY_RSA1:
661 /* Get number of bits. */
662 if (*cp < '0' || *cp > '9')
663 return -1; /* Bad bit count... */
664 for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
665 bits = 10 * bits + *cp - '0';
666 if (bits == 0)
667 return -1;
668 *cpp = cp;
669 /* Get public exponent, public modulus. */
670 if (!read_bignum(cpp, ret->rsa->e))
671 return -1;
672 if (!read_bignum(cpp, ret->rsa->n))
673 return -1;
674 /* validate the claimed number of bits */
675 if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
676 verbose("key_read: claimed key size %d does not match "
677 "actual %d", bits, BN_num_bits(ret->rsa->n));
678 return -1;
679 }
680 success = 1;
681 break;
682 case KEY_UNSPEC:
683 case KEY_RSA:
684 case KEY_DSA:
685 case KEY_ECDSA:
686 case KEY_DSA_CERT_V00:
687 case KEY_RSA_CERT_V00:
688 case KEY_DSA_CERT:
689 case KEY_ECDSA_CERT:
690 case KEY_RSA_CERT:
691 space = strchr(cp, ' ');
692 if (space == NULL) {
693 debug3("key_read: missing whitespace");
694 return -1;
695 }
696 *space = '\0';
697 type = key_type_from_name(cp);
698 if (key_type_plain(type) == KEY_ECDSA &&
699 (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
700 debug("key_read: invalid curve");
701 return -1;
702 }
703 *space = ' ';
704 if (type == KEY_UNSPEC) {
705 debug3("key_read: missing keytype");
706 return -1;
707 }
708 cp = space+1;
709 if (*cp == '\0') {
710 debug3("key_read: short string");
711 return -1;
712 }
713 if (ret->type == KEY_UNSPEC) {
714 ret->type = type;
715 } else if (ret->type != type) {
716 /* is a key, but different type */
717 debug3("key_read: type mismatch");
718 return -1;
719 }
720 len = 2*strlen(cp);
721 blob = xmalloc(len);
722 n = uudecode(cp, blob, len);
723 if (n < 0) {
724 error("key_read: uudecode %s failed", cp);
725 xfree(blob);
726 return -1;
727 }
728 k = key_from_blob(blob, (u_int)n);
729 xfree(blob);
730 if (k == NULL) {
731 error("key_read: key_from_blob %s failed", cp);
732 return -1;
733 }
734 if (k->type != type) {
735 error("key_read: type mismatch: encoding error");
736 key_free(k);
737 return -1;
738 }
739 if (key_type_plain(type) == KEY_ECDSA &&
740 curve_nid != k->ecdsa_nid) {
741 error("key_read: type mismatch: EC curve mismatch");
742 key_free(k);
743 return -1;
744 }
745 /*XXXX*/
746 if (key_is_cert(ret)) {
747 if (!key_is_cert(k)) {
748 error("key_read: loaded key is not a cert");
749 key_free(k);
750 return -1;
751 }
752 if (ret->cert != NULL)
753 cert_free(ret->cert);
754 ret->cert = k->cert;
755 k->cert = NULL;
756 }
757 if (key_type_plain(ret->type) == KEY_RSA) {
758 if (ret->rsa != NULL)
759 RSA_free(ret->rsa);
760 ret->rsa = k->rsa;
761 k->rsa = NULL;
762 #ifdef DEBUG_PK
763 RSA_print_fp(stderr, ret->rsa, 8);
764 #endif
765 }
766 if (key_type_plain(ret->type) == KEY_DSA) {
767 if (ret->dsa != NULL)
768 DSA_free(ret->dsa);
769 ret->dsa = k->dsa;
770 k->dsa = NULL;
771 #ifdef DEBUG_PK
772 DSA_print_fp(stderr, ret->dsa, 8);
773 #endif
774 }
775 if (key_type_plain(ret->type) == KEY_ECDSA) {
776 if (ret->ecdsa != NULL)
777 EC_KEY_free(ret->ecdsa);
778 ret->ecdsa = k->ecdsa;
779 ret->ecdsa_nid = k->ecdsa_nid;
780 k->ecdsa = NULL;
781 k->ecdsa_nid = -1;
782 #ifdef DEBUG_PK
783 key_dump_ec_key(ret->ecdsa);
784 #endif
785 }
786 success = 1;
787 /*XXXX*/
788 key_free(k);
789 if (success != 1)
790 break;
791 /* advance cp: skip whitespace and data */
792 while (*cp == ' ' || *cp == '\t')
793 cp++;
794 while (*cp != '\0' && *cp != ' ' && *cp != '\t')
795 cp++;
796 *cpp = cp;
797 break;
798 default:
799 fatal("key_read: bad key type: %d", ret->type);
800 break;
801 }
802 return success;
803 }
804
805 int
806 key_write(const Key *key, FILE *f)
807 {
808 int n, success = 0;
809 u_int len, bits = 0;
810 u_char *blob;
811 char *uu;
812
813 if (key_is_cert(key)) {
814 if (key->cert == NULL) {
815 error("%s: no cert data", __func__);
816 return 0;
817 }
818 if (buffer_len(&key->cert->certblob) == 0) {
819 error("%s: no signed certificate blob", __func__);
820 return 0;
821 }
822 }
823
824 switch (key->type) {
825 case KEY_RSA1:
826 if (key->rsa == NULL)
827 return 0;
828 /* size of modulus 'n' */
829 bits = BN_num_bits(key->rsa->n);
830 fprintf(f, "%u", bits);
831 if (write_bignum(f, key->rsa->e) &&
832 write_bignum(f, key->rsa->n))
833 return 1;
834 error("key_write: failed for RSA key");
835 return 0;
836 case KEY_DSA:
837 case KEY_DSA_CERT_V00:
838 case KEY_DSA_CERT:
839 if (key->dsa == NULL)
840 return 0;
841 break;
842 case KEY_ECDSA:
843 case KEY_ECDSA_CERT:
844 if (key->ecdsa == NULL)
845 return 0;
846 break;
847 case KEY_RSA:
848 case KEY_RSA_CERT_V00:
849 case KEY_RSA_CERT:
850 if (key->rsa == NULL)
851 return 0;
852 break;
853 default:
854 return 0;
855 }
856
857 key_to_blob(key, &blob, &len);
858 uu = xmalloc(2*len);
859 n = uuencode(blob, len, uu, 2*len);
860 if (n > 0) {
861 fprintf(f, "%s %s", key_ssh_name(key), uu);
862 success = 1;
863 }
864 xfree(blob);
865 xfree(uu);
866
867 return success;
868 }
869
870 const char *
871 key_type(const Key *k)
872 {
873 switch (k->type) {
874 case KEY_RSA1:
875 return "RSA1";
876 case KEY_RSA:
877 return "RSA";
878 case KEY_DSA:
879 return "DSA";
880 case KEY_ECDSA:
881 return "ECDSA";
882 case KEY_RSA_CERT_V00:
883 return "RSA-CERT-V00";
884 case KEY_DSA_CERT_V00:
885 return "DSA-CERT-V00";
886 case KEY_RSA_CERT:
887 return "RSA-CERT";
888 case KEY_DSA_CERT:
889 return "DSA-CERT";
890 case KEY_ECDSA_CERT:
891 return "ECDSA-CERT";
892 }
893 return "unknown";
894 }
895
896 const char *
897 key_cert_type(const Key *k)
898 {
899 switch (k->cert->type) {
900 case SSH2_CERT_TYPE_USER:
901 return "user";
902 case SSH2_CERT_TYPE_HOST:
903 return "host";
904 default:
905 return "unknown";
906 }
907 }
908
909 static const char *
910 key_ssh_name_from_type_nid(int type, int nid)
911 {
912 switch (type) {
913 case KEY_RSA:
914 return "ssh-rsa";
915 case KEY_DSA:
916 return "ssh-dss";
917 case KEY_RSA_CERT_V00:
918 return "ssh-rsa-cert-v00@openssh.com";
919 case KEY_DSA_CERT_V00:
920 return "ssh-dss-cert-v00@openssh.com";
921 case KEY_RSA_CERT:
922 return "ssh-rsa-cert-v01@openssh.com";
923 case KEY_DSA_CERT:
924 return "ssh-dss-cert-v01@openssh.com";
925 case KEY_ECDSA:
926 switch (nid) {
927 case NID_X9_62_prime256v1:
928 return "ecdsa-sha2-nistp256";
929 case NID_secp384r1:
930 return "ecdsa-sha2-nistp384";
931 case NID_secp521r1:
932 return "ecdsa-sha2-nistp521";
933 default:
934 break;
935 }
936 break;
937 case KEY_ECDSA_CERT:
938 switch (nid) {
939 case NID_X9_62_prime256v1:
940 return "ecdsa-sha2-nistp256-cert-v01@openssh.com";
941 case NID_secp384r1:
942 return "ecdsa-sha2-nistp384-cert-v01@openssh.com";
943 case NID_secp521r1:
944 return "ecdsa-sha2-nistp521-cert-v01@openssh.com";
945 default:
946 break;
947 }
948 break;
949 }
950 return "ssh-unknown";
951 }
952
953 const char *
954 key_ssh_name(const Key *k)
955 {
956 return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
957 }
958
959 const char *
960 key_ssh_name_plain(const Key *k)
961 {
962 return key_ssh_name_from_type_nid(key_type_plain(k->type),
963 k->ecdsa_nid);
964 }
965
966 u_int
967 key_size(const Key *k)
968 {
969 switch (k->type) {
970 case KEY_RSA1:
971 case KEY_RSA:
972 case KEY_RSA_CERT_V00:
973 case KEY_RSA_CERT:
974 return BN_num_bits(k->rsa->n);
975 case KEY_DSA:
976 case KEY_DSA_CERT_V00:
977 case KEY_DSA_CERT:
978 return BN_num_bits(k->dsa->p);
979 case KEY_ECDSA:
980 case KEY_ECDSA_CERT:
981 switch (k->ecdsa_nid) {
982 case NID_X9_62_prime256v1:
983 return 256;
984 case NID_secp384r1:
985 return 384;
986 case NID_secp521r1:
987 return 521;
988 default:
989 break;
990 }
991 break;
992 }
993 return 0;
994 }
995
996 static RSA *
997 rsa_generate_private_key(u_int bits)
998 {
999 RSA *private;
1000
1001 private = RSA_generate_key(bits, RSA_F4, NULL, NULL);
1002 if (private == NULL)
1003 fatal("rsa_generate_private_key: key generation failed.");
1004 return private;
1005 }
1006
1007 static DSA*
1008 dsa_generate_private_key(u_int bits)
1009 {
1010 DSA *private = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
1011
1012 if (private == NULL)
1013 fatal("dsa_generate_private_key: DSA_generate_parameters failed");
1014 if (!DSA_generate_key(private))
1015 fatal("dsa_generate_private_key: DSA_generate_key failed.");
1016 if (private == NULL)
1017 fatal("dsa_generate_private_key: NULL.");
1018 return private;
1019 }
1020
1021 int
1022 key_ecdsa_bits_to_nid(int bits)
1023 {
1024 switch (bits) {
1025 case 256:
1026 return NID_X9_62_prime256v1;
1027 case 384:
1028 return NID_secp384r1;
1029 case 521:
1030 return NID_secp521r1;
1031 default:
1032 return -1;
1033 }
1034 }
1035
1036 /*
1037 * This is horrid, but OpenSSL's PEM_read_PrivateKey seems not to restore
1038 * the EC_GROUP nid when loading a key...
1039 */
1040 int
1041 key_ecdsa_group_to_nid(const EC_GROUP *g)
1042 {
1043 EC_GROUP *eg;
1044 int nids[] = {
1045 NID_X9_62_prime256v1,
1046 NID_secp384r1,
1047 NID_secp521r1,
1048 -1
1049 };
1050 u_int i;
1051 BN_CTX *bnctx;
1052
1053 if ((bnctx = BN_CTX_new()) == NULL)
1054 fatal("%s: BN_CTX_new() failed", __func__);
1055 for (i = 0; nids[i] != -1; i++) {
1056 if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
1057 fatal("%s: EC_GROUP_new_by_curve_name failed",
1058 __func__);
1059 if (EC_GROUP_cmp(g, eg, bnctx) == 0) {
1060 EC_GROUP_free(eg);
1061 break;
1062 }
1063 EC_GROUP_free(eg);
1064 }
1065 BN_CTX_free(bnctx);
1066 debug3("%s: nid = %d", __func__, nids[i]);
1067 return nids[i];
1068 }
1069
1070 static EC_KEY*
1071 ecdsa_generate_private_key(u_int bits, int *nid)
1072 {
1073 EC_KEY *private;
1074
1075 if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
1076 fatal("%s: invalid key length", __func__);
1077 if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
1078 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1079 if (EC_KEY_generate_key(private) != 1)
1080 fatal("%s: EC_KEY_generate_key failed", __func__);
1081 return private;
1082 }
1083
1084 Key *
1085 key_generate(int type, u_int bits)
1086 {
1087 Key *k = key_new(KEY_UNSPEC);
1088 switch (type) {
1089 case KEY_DSA:
1090 k->dsa = dsa_generate_private_key(bits);
1091 break;
1092 case KEY_ECDSA:
1093 k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
1094 break;
1095 case KEY_RSA:
1096 case KEY_RSA1:
1097 k->rsa = rsa_generate_private_key(bits);
1098 break;
1099 case KEY_RSA_CERT_V00:
1100 case KEY_DSA_CERT_V00:
1101 case KEY_RSA_CERT:
1102 case KEY_DSA_CERT:
1103 fatal("key_generate: cert keys cannot be generated directly");
1104 default:
1105 fatal("key_generate: unknown type %d", type);
1106 }
1107 k->type = type;
1108 return k;
1109 }
1110
1111 void
1112 key_cert_copy(const Key *from_key, struct Key *to_key)
1113 {
1114 u_int i;
1115 const struct KeyCert *from;
1116 struct KeyCert *to;
1117
1118 if (to_key->cert != NULL) {
1119 cert_free(to_key->cert);
1120 to_key->cert = NULL;
1121 }
1122
1123 if ((from = from_key->cert) == NULL)
1124 return;
1125
1126 to = to_key->cert = cert_new();
1127
1128 buffer_append(&to->certblob, buffer_ptr(&from->certblob),
1129 buffer_len(&from->certblob));
1130
1131 buffer_append(&to->critical,
1132 buffer_ptr(&from->critical), buffer_len(&from->critical));
1133 buffer_append(&to->extensions,
1134 buffer_ptr(&from->extensions), buffer_len(&from->extensions));
1135
1136 to->serial = from->serial;
1137 to->type = from->type;
1138 to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
1139 to->valid_after = from->valid_after;
1140 to->valid_before = from->valid_before;
1141 to->signature_key = from->signature_key == NULL ?
1142 NULL : key_from_private(from->signature_key);
1143
1144 to->nprincipals = from->nprincipals;
1145 if (to->nprincipals > CERT_MAX_PRINCIPALS)
1146 fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
1147 __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
1148 if (to->nprincipals > 0) {
1149 to->principals = xcalloc(from->nprincipals,
1150 sizeof(*to->principals));
1151 for (i = 0; i < to->nprincipals; i++)
1152 to->principals[i] = xstrdup(from->principals[i]);
1153 }
1154 }
1155
1156 Key *
1157 key_from_private(const Key *k)
1158 {
1159 Key *n = NULL;
1160 switch (k->type) {
1161 case KEY_DSA:
1162 case KEY_DSA_CERT_V00:
1163 case KEY_DSA_CERT:
1164 n = key_new(k->type);
1165 if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1166 (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1167 (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1168 (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
1169 fatal("key_from_private: BN_copy failed");
1170 break;
1171 case KEY_ECDSA:
1172 case KEY_ECDSA_CERT:
1173 n = key_new(k->type);
1174 n->ecdsa_nid = k->ecdsa_nid;
1175 if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
1176 fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
1177 if (EC_KEY_set_public_key(n->ecdsa,
1178 EC_KEY_get0_public_key(k->ecdsa)) != 1)
1179 fatal("%s: EC_KEY_set_public_key failed", __func__);
1180 break;
1181 case KEY_RSA:
1182 case KEY_RSA1:
1183 case KEY_RSA_CERT_V00:
1184 case KEY_RSA_CERT:
1185 n = key_new(k->type);
1186 if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1187 (BN_copy(n->rsa->e, k->rsa->e) == NULL))
1188 fatal("key_from_private: BN_copy failed");
1189 break;
1190 default:
1191 fatal("key_from_private: unknown type %d", k->type);
1192 break;
1193 }
1194 if (key_is_cert(k))
1195 key_cert_copy(k, n);
1196 return n;
1197 }
1198
1199 int
1200 key_type_from_name(char *name)
1201 {
1202 if (strcmp(name, "rsa1") == 0) {
1203 return KEY_RSA1;
1204 } else if (strcmp(name, "rsa") == 0) {
1205 return KEY_RSA;
1206 } else if (strcmp(name, "dsa") == 0) {
1207 return KEY_DSA;
1208 } else if (strcmp(name, "ssh-rsa") == 0) {
1209 return KEY_RSA;
1210 } else if (strcmp(name, "ssh-dss") == 0) {
1211 return KEY_DSA;
1212 } else if (strcmp(name, "ecdsa") == 0 ||
1213 strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
1214 strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
1215 strcmp(name, "ecdsa-sha2-nistp521") == 0) {
1216 return KEY_ECDSA;
1217 } else if (strcmp(name, "ssh-rsa-cert-v00@openssh.com") == 0) {
1218 return KEY_RSA_CERT_V00;
1219 } else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
1220 return KEY_DSA_CERT_V00;
1221 } else if (strcmp(name, "ssh-rsa-cert-v01@openssh.com") == 0) {
1222 return KEY_RSA_CERT;
1223 } else if (strcmp(name, "ssh-dss-cert-v01@openssh.com") == 0) {
1224 return KEY_DSA_CERT;
1225 } else if (strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0 ||
1226 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0 ||
1227 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
1228 return KEY_ECDSA_CERT;
1229
1230 debug2("key_type_from_name: unknown key type '%s'", name);
1231 return KEY_UNSPEC;
1232 }
1233
1234 int
1235 key_ecdsa_nid_from_name(const char *name)
1236 {
1237 if (strcmp(name, "ecdsa-sha2-nistp256") == 0 ||
1238 strcmp(name, "ecdsa-sha2-nistp256-cert-v01@openssh.com") == 0)
1239 return NID_X9_62_prime256v1;
1240 if (strcmp(name, "ecdsa-sha2-nistp384") == 0 ||
1241 strcmp(name, "ecdsa-sha2-nistp384-cert-v01@openssh.com") == 0)
1242 return NID_secp384r1;
1243 if (strcmp(name, "ecdsa-sha2-nistp521") == 0 ||
1244 strcmp(name, "ecdsa-sha2-nistp521-cert-v01@openssh.com") == 0)
1245 return NID_secp521r1;
1246
1247 debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
1248 return -1;
1249 }
1250
1251 int
1252 key_names_valid2(const char *names)
1253 {
1254 char *s, *cp, *p;
1255
1256 if (names == NULL || strcmp(names, "") == 0)
1257 return 0;
1258 s = cp = xstrdup(names);
1259 for ((p = strsep(&cp, ",")); p && *p != '\0';
1260 (p = strsep(&cp, ","))) {
1261 switch (key_type_from_name(p)) {
1262 case KEY_RSA1:
1263 case KEY_UNSPEC:
1264 xfree(s);
1265 return 0;
1266 }
1267 }
1268 debug3("key names ok: [%s]", names);
1269 xfree(s);
1270 return 1;
1271 }
1272
1273 static int
1274 cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
1275 {
1276 u_char *principals, *critical, *exts, *sig_key, *sig;
1277 u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
1278 Buffer tmp;
1279 char *principal;
1280 int ret = -1;
1281 int v00 = key->type == KEY_DSA_CERT_V00 ||
1282 key->type == KEY_RSA_CERT_V00;
1283
1284 buffer_init(&tmp);
1285
1286 /* Copy the entire key blob for verification and later serialisation */
1287 buffer_append(&key->cert->certblob, blob, blen);
1288
1289 elen = 0; /* Not touched for v00 certs */
1290 principals = exts = critical = sig_key = sig = NULL;
1291 if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
1292 buffer_get_int_ret(&key->cert->type, b) != 0 ||
1293 (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
1294 (principals = buffer_get_string_ret(b, &plen)) == NULL ||
1295 buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
1296 buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
1297 (critical = buffer_get_string_ret(b, &clen)) == NULL ||
1298 (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
1299 (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
1300 buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
1301 (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
1302 error("%s: parse error", __func__);
1303 goto out;
1304 }
1305
1306 if (kidlen != strlen(key->cert->key_id)) {
1307 error("%s: key ID contains \\0 character", __func__);
1308 goto out;
1309 }
1310
1311 /* Signature is left in the buffer so we can calculate this length */
1312 signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
1313
1314 if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
1315 error("%s: parse error", __func__);
1316 goto out;
1317 }
1318
1319 if (key->cert->type != SSH2_CERT_TYPE_USER &&
1320 key->cert->type != SSH2_CERT_TYPE_HOST) {
1321 error("Unknown certificate type %u", key->cert->type);
1322 goto out;
1323 }
1324
1325 buffer_append(&tmp, principals, plen);
1326 while (buffer_len(&tmp) > 0) {
1327 if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
1328 error("%s: Too many principals", __func__);
1329 goto out;
1330 }
1331 if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
1332 error("%s: Principals data invalid", __func__);
1333 goto out;
1334 }
1335 key->cert->principals = xrealloc(key->cert->principals,
1336 key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1337 key->cert->principals[key->cert->nprincipals++] = principal;
1338 }
1339
1340 buffer_clear(&tmp);
1341
1342 buffer_append(&key->cert->critical, critical, clen);
1343 buffer_append(&tmp, critical, clen);
1344 /* validate structure */
1345 while (buffer_len(&tmp) != 0) {
1346 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1347 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1348 error("%s: critical option data invalid", __func__);
1349 goto out;
1350 }
1351 }
1352 buffer_clear(&tmp);
1353
1354 buffer_append(&key->cert->extensions, exts, elen);
1355 buffer_append(&tmp, exts, elen);
1356 /* validate structure */
1357 while (buffer_len(&tmp) != 0) {
1358 if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
1359 buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
1360 error("%s: extension data invalid", __func__);
1361 goto out;
1362 }
1363 }
1364 buffer_clear(&tmp);
1365
1366 if ((key->cert->signature_key = key_from_blob(sig_key,
1367 sklen)) == NULL) {
1368 error("%s: Signature key invalid", __func__);
1369 goto out;
1370 }
1371 if (key->cert->signature_key->type != KEY_RSA &&
1372 key->cert->signature_key->type != KEY_DSA &&
1373 key->cert->signature_key->type != KEY_ECDSA) {
1374 error("%s: Invalid signature key type %s (%d)", __func__,
1375 key_type(key->cert->signature_key),
1376 key->cert->signature_key->type);
1377 goto out;
1378 }
1379
1380 switch (key_verify(key->cert->signature_key, sig, slen,
1381 buffer_ptr(&key->cert->certblob), signed_len)) {
1382 case 1:
1383 ret = 0;
1384 break; /* Good signature */
1385 case 0:
1386 error("%s: Invalid signature on certificate", __func__);
1387 goto out;
1388 case -1:
1389 error("%s: Certificate signature verification failed",
1390 __func__);
1391 goto out;
1392 }
1393
1394 out:
1395 buffer_free(&tmp);
1396 if (principals != NULL)
1397 xfree(principals);
1398 if (critical != NULL)
1399 xfree(critical);
1400 if (exts != NULL)
1401 xfree(exts);
1402 if (sig_key != NULL)
1403 xfree(sig_key);
1404 if (sig != NULL)
1405 xfree(sig);
1406 return ret;
1407 }
1408
1409 Key *
1410 key_from_blob(const u_char *blob, u_int blen)
1411 {
1412 Buffer b;
1413 int rlen, type, nid = -1;
1414 char *ktype = NULL, *curve = NULL;
1415 Key *key = NULL;
1416 EC_POINT *q = NULL;
1417
1418 #ifdef DEBUG_PK
1419 dump_base64(stderr, blob, blen);
1420 #endif
1421 buffer_init(&b);
1422 buffer_append(&b, blob, blen);
1423 if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
1424 error("key_from_blob: can't read key type");
1425 goto out;
1426 }
1427
1428 type = key_type_from_name(ktype);
1429 if (key_type_plain(type) == KEY_ECDSA)
1430 nid = key_ecdsa_nid_from_name(ktype);
1431
1432 switch (type) {
1433 case KEY_RSA_CERT:
1434 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1435 /* FALLTHROUGH */
1436 case KEY_RSA:
1437 case KEY_RSA_CERT_V00:
1438 key = key_new(type);
1439 if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
1440 buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
1441 error("key_from_blob: can't read rsa key");
1442 badkey:
1443 key_free(key);
1444 key = NULL;
1445 goto out;
1446 }
1447 #ifdef DEBUG_PK
1448 RSA_print_fp(stderr, key->rsa, 8);
1449 #endif
1450 break;
1451 case KEY_DSA_CERT:
1452 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1453 /* FALLTHROUGH */
1454 case KEY_DSA:
1455 case KEY_DSA_CERT_V00:
1456 key = key_new(type);
1457 if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
1458 buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
1459 buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
1460 buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
1461 error("key_from_blob: can't read dsa key");
1462 goto badkey;
1463 }
1464 #ifdef DEBUG_PK
1465 DSA_print_fp(stderr, key->dsa, 8);
1466 #endif
1467 break;
1468 case KEY_ECDSA_CERT:
1469 (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
1470 /* FALLTHROUGH */
1471 case KEY_ECDSA:
1472 key = key_new(type);
1473 key->ecdsa_nid = nid;
1474 if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
1475 error("key_from_blob: can't read ecdsa curve");
1476 goto badkey;
1477 }
1478 if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
1479 error("key_from_blob: ecdsa curve doesn't match type");
1480 goto badkey;
1481 }
1482 if (key->ecdsa != NULL)
1483 EC_KEY_free(key->ecdsa);
1484 if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
1485 == NULL)
1486 fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
1487 if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
1488 fatal("key_from_blob: EC_POINT_new failed");
1489 if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
1490 q) == -1) {
1491 error("key_from_blob: can't read ecdsa key point");
1492 goto badkey;
1493 }
1494 if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
1495 q) != 0)
1496 goto badkey;
1497 if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
1498 fatal("key_from_blob: EC_KEY_set_public_key failed");
1499 #ifdef DEBUG_PK
1500 key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
1501 #endif
1502 break;
1503 case KEY_UNSPEC:
1504 key = key_new(type);
1505 break;
1506 default:
1507 error("key_from_blob: cannot handle type %s", ktype);
1508 goto out;
1509 }
1510 if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
1511 error("key_from_blob: can't parse cert data");
1512 goto badkey;
1513 }
1514 rlen = buffer_len(&b);
1515 if (key != NULL && rlen != 0)
1516 error("key_from_blob: remaining bytes in key blob %d", rlen);
1517 out:
1518 if (ktype != NULL)
1519 xfree(ktype);
1520 if (curve != NULL)
1521 xfree(curve);
1522 if (q != NULL)
1523 EC_POINT_free(q);
1524 buffer_free(&b);
1525 return key;
1526 }
1527
1528 int
1529 key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
1530 {
1531 Buffer b;
1532 int len;
1533
1534 if (key == NULL) {
1535 error("key_to_blob: key == NULL");
1536 return 0;
1537 }
1538 buffer_init(&b);
1539 switch (key->type) {
1540 case KEY_DSA_CERT_V00:
1541 case KEY_RSA_CERT_V00:
1542 case KEY_DSA_CERT:
1543 case KEY_ECDSA_CERT:
1544 case KEY_RSA_CERT:
1545 /* Use the existing blob */
1546 buffer_append(&b, buffer_ptr(&key->cert->certblob),
1547 buffer_len(&key->cert->certblob));
1548 break;
1549 case KEY_DSA:
1550 buffer_put_cstring(&b, key_ssh_name(key));
1551 buffer_put_bignum2(&b, key->dsa->p);
1552 buffer_put_bignum2(&b, key->dsa->q);
1553 buffer_put_bignum2(&b, key->dsa->g);
1554 buffer_put_bignum2(&b, key->dsa->pub_key);
1555 break;
1556 case KEY_ECDSA:
1557 buffer_put_cstring(&b, key_ssh_name(key));
1558 buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
1559 buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
1560 EC_KEY_get0_public_key(key->ecdsa));
1561 break;
1562 case KEY_RSA:
1563 buffer_put_cstring(&b, key_ssh_name(key));
1564 buffer_put_bignum2(&b, key->rsa->e);
1565 buffer_put_bignum2(&b, key->rsa->n);
1566 break;
1567 default:
1568 error("key_to_blob: unsupported key type %d", key->type);
1569 buffer_free(&b);
1570 return 0;
1571 }
1572 len = buffer_len(&b);
1573 if (lenp != NULL)
1574 *lenp = len;
1575 if (blobp != NULL) {
1576 *blobp = xmalloc(len);
1577 memcpy(*blobp, buffer_ptr(&b), len);
1578 }
1579 memset(buffer_ptr(&b), 0, len);
1580 buffer_free(&b);
1581 return len;
1582 }
1583
1584 int
1585 key_sign(
1586 const Key *key,
1587 u_char **sigp, u_int *lenp,
1588 const u_char *data, u_int datalen)
1589 {
1590 switch (key->type) {
1591 case KEY_DSA_CERT_V00:
1592 case KEY_DSA_CERT:
1593 case KEY_DSA:
1594 return ssh_dss_sign(key, sigp, lenp, data, datalen);
1595 case KEY_ECDSA_CERT:
1596 case KEY_ECDSA:
1597 return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
1598 case KEY_RSA_CERT_V00:
1599 case KEY_RSA_CERT:
1600 case KEY_RSA:
1601 return ssh_rsa_sign(key, sigp, lenp, data, datalen);
1602 default:
1603 error("key_sign: invalid key type %d", key->type);
1604 return -1;
1605 }
1606 }
1607
1608 /*
1609 * key_verify returns 1 for a correct signature, 0 for an incorrect signature
1610 * and -1 on error.
1611 */
1612 int
1613 key_verify(
1614 const Key *key,
1615 const u_char *signature, u_int signaturelen,
1616 const u_char *data, u_int datalen)
1617 {
1618 if (signaturelen == 0)
1619 return -1;
1620
1621 switch (key->type) {
1622 case KEY_DSA_CERT_V00:
1623 case KEY_DSA_CERT:
1624 case KEY_DSA:
1625 return ssh_dss_verify(key, signature, signaturelen, data, datalen);
1626 case KEY_ECDSA_CERT:
1627 case KEY_ECDSA:
1628 return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
1629 case KEY_RSA_CERT_V00:
1630 case KEY_RSA_CERT:
1631 case KEY_RSA:
1632 return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
1633 default:
1634 error("key_verify: invalid key type %d", key->type);
1635 return -1;
1636 }
1637 }
1638
1639 /* Converts a private to a public key */
1640 Key *
1641 key_demote(const Key *k)
1642 {
1643 Key *pk;
1644
1645 pk = xcalloc(1, sizeof(*pk));
1646 pk->type = k->type;
1647 pk->flags = k->flags;
1648 pk->ecdsa_nid = k->ecdsa_nid;
1649 pk->dsa = NULL;
1650 pk->ecdsa = NULL;
1651 pk->rsa = NULL;
1652
1653 switch (k->type) {
1654 case KEY_RSA_CERT_V00:
1655 case KEY_RSA_CERT:
1656 key_cert_copy(k, pk);
1657 /* FALLTHROUGH */
1658 case KEY_RSA1:
1659 case KEY_RSA:
1660 if ((pk->rsa = RSA_new()) == NULL)
1661 fatal("key_demote: RSA_new failed");
1662 if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
1663 fatal("key_demote: BN_dup failed");
1664 if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
1665 fatal("key_demote: BN_dup failed");
1666 break;
1667 case KEY_DSA_CERT_V00:
1668 case KEY_DSA_CERT:
1669 key_cert_copy(k, pk);
1670 /* FALLTHROUGH */
1671 case KEY_DSA:
1672 if ((pk->dsa = DSA_new()) == NULL)
1673 fatal("key_demote: DSA_new failed");
1674 if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
1675 fatal("key_demote: BN_dup failed");
1676 if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
1677 fatal("key_demote: BN_dup failed");
1678 if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
1679 fatal("key_demote: BN_dup failed");
1680 if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
1681 fatal("key_demote: BN_dup failed");
1682 break;
1683 case KEY_ECDSA_CERT:
1684 key_cert_copy(k, pk);
1685 /* FALLTHROUGH */
1686 case KEY_ECDSA:
1687 if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
1688 fatal("key_demote: EC_KEY_new_by_curve_name failed");
1689 if (EC_KEY_set_public_key(pk->ecdsa,
1690 EC_KEY_get0_public_key(k->ecdsa)) != 1)
1691 fatal("key_demote: EC_KEY_set_public_key failed");
1692 break;
1693 default:
1694 fatal("key_free: bad key type %d", k->type);
1695 break;
1696 }
1697
1698 return (pk);
1699 }
1700
1701 int
1702 key_is_cert(const Key *k)
1703 {
1704 if (k == NULL)
1705 return 0;
1706 switch (k->type) {
1707 case KEY_RSA_CERT_V00:
1708 case KEY_DSA_CERT_V00:
1709 case KEY_RSA_CERT:
1710 case KEY_DSA_CERT:
1711 case KEY_ECDSA_CERT:
1712 return 1;
1713 default:
1714 return 0;
1715 }
1716 }
1717
1718 /* Return the cert-less equivalent to a certified key type */
1719 int
1720 key_type_plain(int type)
1721 {
1722 switch (type) {
1723 case KEY_RSA_CERT_V00:
1724 case KEY_RSA_CERT:
1725 return KEY_RSA;
1726 case KEY_DSA_CERT_V00:
1727 case KEY_DSA_CERT:
1728 return KEY_DSA;
1729 case KEY_ECDSA_CERT:
1730 return KEY_ECDSA;
1731 default:
1732 return type;
1733 }
1734 }
1735
1736 /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */
1737 int
1738 key_to_certified(Key *k, int legacy)
1739 {
1740 switch (k->type) {
1741 case KEY_RSA:
1742 k->cert = cert_new();
1743 k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
1744 return 0;
1745 case KEY_DSA:
1746 k->cert = cert_new();
1747 k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
1748 return 0;
1749 case KEY_ECDSA:
1750 k->cert = cert_new();
1751 k->type = KEY_ECDSA_CERT;
1752 return 0;
1753 default:
1754 error("%s: key has incorrect type %s", __func__, key_type(k));
1755 return -1;
1756 }
1757 }
1758
1759 /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */
1760 int
1761 key_drop_cert(Key *k)
1762 {
1763 switch (k->type) {
1764 case KEY_RSA_CERT_V00:
1765 case KEY_RSA_CERT:
1766 cert_free(k->cert);
1767 k->type = KEY_RSA;
1768 return 0;
1769 case KEY_DSA_CERT_V00:
1770 case KEY_DSA_CERT:
1771 cert_free(k->cert);
1772 k->type = KEY_DSA;
1773 return 0;
1774 case KEY_ECDSA_CERT:
1775 cert_free(k->cert);
1776 k->type = KEY_ECDSA;
1777 return 0;
1778 default:
1779 error("%s: key has incorrect type %s", __func__, key_type(k));
1780 return -1;
1781 }
1782 }
1783
1784 /*
1785 * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating
1786 * the signed certblob
1787 */
1788 int
1789 key_certify(Key *k, Key *ca)
1790 {
1791 Buffer principals;
1792 u_char *ca_blob, *sig_blob, nonce[32];
1793 u_int i, ca_len, sig_len;
1794
1795 if (k->cert == NULL) {
1796 error("%s: key lacks cert info", __func__);
1797 return -1;
1798 }
1799
1800 if (!key_is_cert(k)) {
1801 error("%s: certificate has unknown type %d", __func__,
1802 k->cert->type);
1803 return -1;
1804 }
1805
1806 if (ca->type != KEY_RSA && ca->type != KEY_DSA &&
1807 ca->type != KEY_ECDSA) {
1808 error("%s: CA key has unsupported type %s", __func__,
1809 key_type(ca));
1810 return -1;
1811 }
1812
1813 key_to_blob(ca, &ca_blob, &ca_len);
1814
1815 buffer_clear(&k->cert->certblob);
1816 buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
1817
1818 /* -v01 certs put nonce first */
1819 if (!key_cert_is_legacy(k)) {
1820 arc4random_buf(&nonce, sizeof(nonce));
1821 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1822 }
1823
1824 switch (k->type) {
1825 case KEY_DSA_CERT_V00:
1826 case KEY_DSA_CERT:
1827 buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
1828 buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
1829 buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
1830 buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
1831 break;
1832 case KEY_ECDSA_CERT:
1833 buffer_put_cstring(&k->cert->certblob,
1834 key_curve_nid_to_name(k->ecdsa_nid));
1835 buffer_put_ecpoint(&k->cert->certblob,
1836 EC_KEY_get0_group(k->ecdsa),
1837 EC_KEY_get0_public_key(k->ecdsa));
1838 break;
1839 case KEY_RSA_CERT_V00:
1840 case KEY_RSA_CERT:
1841 buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
1842 buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
1843 break;
1844 default:
1845 error("%s: key has incorrect type %s", __func__, key_type(k));
1846 buffer_clear(&k->cert->certblob);
1847 xfree(ca_blob);
1848 return -1;
1849 }
1850
1851 /* -v01 certs have a serial number next */
1852 if (!key_cert_is_legacy(k))
1853 buffer_put_int64(&k->cert->certblob, k->cert->serial);
1854
1855 buffer_put_int(&k->cert->certblob, k->cert->type);
1856 buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
1857
1858 buffer_init(&principals);
1859 for (i = 0; i < k->cert->nprincipals; i++)
1860 buffer_put_cstring(&principals, k->cert->principals[i]);
1861 buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
1862 buffer_len(&principals));
1863 buffer_free(&principals);
1864
1865 buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
1866 buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
1867 buffer_put_string(&k->cert->certblob,
1868 buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
1869
1870 /* -v01 certs have non-critical options here */
1871 if (!key_cert_is_legacy(k)) {
1872 buffer_put_string(&k->cert->certblob,
1873 buffer_ptr(&k->cert->extensions),
1874 buffer_len(&k->cert->extensions));
1875 }
1876
1877 /* -v00 certs put the nonce at the end */
1878 if (key_cert_is_legacy(k))
1879 buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
1880
1881 buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
1882 buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
1883 xfree(ca_blob);
1884
1885 /* Sign the whole mess */
1886 if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
1887 buffer_len(&k->cert->certblob)) != 0) {
1888 error("%s: signature operation failed", __func__);
1889 buffer_clear(&k->cert->certblob);
1890 return -1;
1891 }
1892 /* Append signature and we are done */
1893 buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
1894 xfree(sig_blob);
1895
1896 return 0;
1897 }
1898
1899 int
1900 key_cert_check_authority(const Key *k, int want_host, int require_principal,
1901 const char *name, const char **reason)
1902 {
1903 u_int i, principal_matches;
1904 time_t now = time(NULL);
1905
1906 if (want_host) {
1907 if (k->cert->type != SSH2_CERT_TYPE_HOST) {
1908 *reason = "Certificate invalid: not a host certificate";
1909 return -1;
1910 }
1911 } else {
1912 if (k->cert->type != SSH2_CERT_TYPE_USER) {
1913 *reason = "Certificate invalid: not a user certificate";
1914 return -1;
1915 }
1916 }
1917 if (now < 0) {
1918 error("%s: system clock lies before epoch", __func__);
1919 *reason = "Certificate invalid: not yet valid";
1920 return -1;
1921 }
1922 if ((u_int64_t)now < k->cert->valid_after) {
1923 *reason = "Certificate invalid: not yet valid";
1924 return -1;
1925 }
1926 if ((u_int64_t)now >= k->cert->valid_before) {
1927 *reason = "Certificate invalid: expired";
1928 return -1;
1929 }
1930 if (k->cert->nprincipals == 0) {
1931 if (require_principal) {
1932 *reason = "Certificate lacks principal list";
1933 return -1;
1934 }
1935 } else if (name != NULL) {
1936 principal_matches = 0;
1937 for (i = 0; i < k->cert->nprincipals; i++) {
1938 if (strcmp(name, k->cert->principals[i]) == 0) {
1939 principal_matches = 1;
1940 break;
1941 }
1942 }
1943 if (!principal_matches) {
1944 *reason = "Certificate invalid: name is not a listed "
1945 "principal";
1946 return -1;
1947 }
1948 }
1949 return 0;
1950 }
1951
1952 int
1953 key_cert_is_legacy(Key *k)
1954 {
1955 switch (k->type) {
1956 case KEY_DSA_CERT_V00:
1957 case KEY_RSA_CERT_V00:
1958 return 1;
1959 default:
1960 return 0;
1961 }
1962 }
1963
1964 int
1965 key_curve_name_to_nid(const char *name)
1966 {
1967 if (strcmp(name, "nistp256") == 0)
1968 return NID_X9_62_prime256v1;
1969 else if (strcmp(name, "nistp384") == 0)
1970 return NID_secp384r1;
1971 else if (strcmp(name, "nistp521") == 0)
1972 return NID_secp521r1;
1973
1974 debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
1975 return -1;
1976 }
1977
1978 const char *
1979 key_curve_nid_to_name(int nid)
1980 {
1981 if (nid == NID_X9_62_prime256v1)
1982 return "nistp256";
1983 else if (nid == NID_secp384r1)
1984 return "nistp384";
1985 else if (nid == NID_secp521r1)
1986 return "nistp521";
1987
1988 error("%s: unsupported EC curve nid %d", __func__, nid);
1989 return NULL;
1990 }
1991
1992 int
1993 key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
1994 {
1995 BN_CTX *bnctx;
1996 EC_POINT *nq = NULL;
1997 BIGNUM *order, *x, *y, *tmp;
1998 int ret = -1;
1999
2000 if ((bnctx = BN_CTX_new()) == NULL)
2001 fatal("%s: BN_CTX_new failed", __func__);
2002 BN_CTX_start(bnctx);
2003
2004 /*
2005 * We shouldn't ever hit this case because bignum_get_ecpoint()
2006 * refuses to load GF2m points.
2007 */
2008 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2009 NID_X9_62_prime_field) {
2010 error("%s: group is not a prime field", __func__);
2011 goto out;
2012 }
2013
2014 /* Q != infinity */
2015 if (EC_POINT_is_at_infinity(group, public)) {
2016 error("%s: received degenerate public key (infinity)",
2017 __func__);
2018 goto out;
2019 }
2020
2021 if ((x = BN_CTX_get(bnctx)) == NULL ||
2022 (y = BN_CTX_get(bnctx)) == NULL ||
2023 (order = BN_CTX_get(bnctx)) == NULL ||
2024 (tmp = BN_CTX_get(bnctx)) == NULL)
2025 fatal("%s: BN_CTX_get failed", __func__);
2026
2027 /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2028 if (EC_GROUP_get_order(group, order, bnctx) != 1)
2029 fatal("%s: EC_GROUP_get_order failed", __func__);
2030 if (EC_POINT_get_affine_coordinates_GFp(group, public,
2031 x, y, bnctx) != 1)
2032 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2033 if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
2034 error("%s: public key x coordinate too small: "
2035 "bits(x) = %d, bits(order)/2 = %d", __func__,
2036 BN_num_bits(x), BN_num_bits(order) / 2);
2037 goto out;
2038 }
2039 if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
2040 error("%s: public key y coordinate too small: "
2041 "bits(y) = %d, bits(order)/2 = %d", __func__,
2042 BN_num_bits(x), BN_num_bits(order) / 2);
2043 goto out;
2044 }
2045
2046 /* nQ == infinity (n == order of subgroup) */
2047 if ((nq = EC_POINT_new(group)) == NULL)
2048 fatal("%s: BN_CTX_tmp failed", __func__);
2049 if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
2050 fatal("%s: EC_GROUP_mul failed", __func__);
2051 if (EC_POINT_is_at_infinity(group, nq) != 1) {
2052 error("%s: received degenerate public key (nQ != infinity)",
2053 __func__);
2054 goto out;
2055 }
2056
2057 /* x < order - 1, y < order - 1 */
2058 if (!BN_sub(tmp, order, BN_value_one()))
2059 fatal("%s: BN_sub failed", __func__);
2060 if (BN_cmp(x, tmp) >= 0) {
2061 error("%s: public key x coordinate >= group order - 1",
2062 __func__);
2063 goto out;
2064 }
2065 if (BN_cmp(y, tmp) >= 0) {
2066 error("%s: public key y coordinate >= group order - 1",
2067 __func__);
2068 goto out;
2069 }
2070 ret = 0;
2071 out:
2072 BN_CTX_free(bnctx);
2073 EC_POINT_free(nq);
2074 return ret;
2075 }
2076
2077 int
2078 key_ec_validate_private(const EC_KEY *key)
2079 {
2080 BN_CTX *bnctx;
2081 BIGNUM *order, *tmp;
2082 int ret = -1;
2083
2084 if ((bnctx = BN_CTX_new()) == NULL)
2085 fatal("%s: BN_CTX_new failed", __func__);
2086 BN_CTX_start(bnctx);
2087
2088 if ((order = BN_CTX_get(bnctx)) == NULL ||
2089 (tmp = BN_CTX_get(bnctx)) == NULL)
2090 fatal("%s: BN_CTX_get failed", __func__);
2091
2092 /* log2(private) > log2(order)/2 */
2093 if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
2094 fatal("%s: EC_GROUP_get_order failed", __func__);
2095 if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2096 BN_num_bits(order) / 2) {
2097 error("%s: private key too small: "
2098 "bits(y) = %d, bits(order)/2 = %d", __func__,
2099 BN_num_bits(EC_KEY_get0_private_key(key)),
2100 BN_num_bits(order) / 2);
2101 goto out;
2102 }
2103
2104 /* private < order - 1 */
2105 if (!BN_sub(tmp, order, BN_value_one()))
2106 fatal("%s: BN_sub failed", __func__);
2107 if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
2108 error("%s: private key >= group order - 1", __func__);
2109 goto out;
2110 }
2111 ret = 0;
2112 out:
2113 BN_CTX_free(bnctx);
2114 return ret;
2115 }
2116
2117 #if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
2118 void
2119 key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2120 {
2121 BIGNUM *x, *y;
2122 BN_CTX *bnctx;
2123
2124 if (point == NULL) {
2125 fputs("point=(NULL)\n", stderr);
2126 return;
2127 }
2128 if ((bnctx = BN_CTX_new()) == NULL)
2129 fatal("%s: BN_CTX_new failed", __func__);
2130 BN_CTX_start(bnctx);
2131 if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
2132 fatal("%s: BN_CTX_get failed", __func__);
2133 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2134 NID_X9_62_prime_field)
2135 fatal("%s: group is not a prime field", __func__);
2136 if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
2137 fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
2138 fputs("x=", stderr);
2139 BN_print_fp(stderr, x);
2140 fputs("\ny=", stderr);
2141 BN_print_fp(stderr, y);
2142 fputs("\n", stderr);
2143 BN_CTX_free(bnctx);
2144 }
2145
2146 void
2147 key_dump_ec_key(const EC_KEY *key)
2148 {
2149 const BIGNUM *exponent;
2150
2151 key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
2152 fputs("exponent=", stderr);
2153 if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
2154 fputs("(NULL)", stderr);
2155 else
2156 BN_print_fp(stderr, EC_KEY_get0_private_key(key));
2157 fputs("\n", stderr);
2158 }
2159 #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
2160
A clone of openssh git repository