1 /* $OpenBSD: key.c,v 1.82 2010/01/13 01:10:56 dtucker Exp $ */
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * As far as I am concerned, the code I have written for this software
7 * can be used freely for any purpose. Any derived versions of this
8 * software must be clearly marked as such, and if the derived work is
9 * incompatible with the protocol description in the RFC file, it must be
10 * called by a name other than "ssh" or "Secure Shell".
13 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
14 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
16 * Redistribution and use in source and binary forms, with or without
17 * modification, are permitted provided that the following conditions
19 * 1. Redistributions of source code must retain the above copyright
20 * notice, this list of conditions and the following disclaimer.
21 * 2. Redistributions in binary form must reproduce the above copyright
22 * notice, this list of conditions and the following disclaimer in the
23 * documentation and/or other materials provided with the distribution.
25 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 #include <sys/param.h>
40 #include <sys/types.h>
42 #include <openssl/evp.h>
43 #include <openbsd-compat/openssl-compat.h>
62 k
= xcalloc(1, sizeof(*k
));
69 if ((rsa
= RSA_new()) == NULL
)
70 fatal("key_new: RSA_new failed");
71 if ((rsa
->n
= BN_new()) == NULL
)
72 fatal("key_new: BN_new failed");
73 if ((rsa
->e
= BN_new()) == NULL
)
74 fatal("key_new: BN_new failed");
78 if ((dsa
= DSA_new()) == NULL
)
79 fatal("key_new: DSA_new failed");
80 if ((dsa
->p
= BN_new()) == NULL
)
81 fatal("key_new: BN_new failed");
82 if ((dsa
->q
= BN_new()) == NULL
)
83 fatal("key_new: BN_new failed");
84 if ((dsa
->g
= BN_new()) == NULL
)
85 fatal("key_new: BN_new failed");
86 if ((dsa
->pub_key
= BN_new()) == NULL
)
87 fatal("key_new: BN_new failed");
93 fatal("key_new: bad key type %d", k
->type
);
100 key_new_private(int type
)
102 Key
*k
= key_new(type
);
106 if ((k
->rsa
->d
= BN_new()) == NULL
)
107 fatal("key_new_private: BN_new failed");
108 if ((k
->rsa
->iqmp
= BN_new()) == NULL
)
109 fatal("key_new_private: BN_new failed");
110 if ((k
->rsa
->q
= BN_new()) == NULL
)
111 fatal("key_new_private: BN_new failed");
112 if ((k
->rsa
->p
= BN_new()) == NULL
)
113 fatal("key_new_private: BN_new failed");
114 if ((k
->rsa
->dmq1
= BN_new()) == NULL
)
115 fatal("key_new_private: BN_new failed");
116 if ((k
->rsa
->dmp1
= BN_new()) == NULL
)
117 fatal("key_new_private: BN_new failed");
120 if ((k
->dsa
->priv_key
= BN_new()) == NULL
)
121 fatal("key_new_private: BN_new failed");
135 fatal("key_free: key is NULL");
151 fatal("key_free: bad key type %d", k
->type
);
158 key_equal(const Key
*a
, const Key
*b
)
160 if (a
== NULL
|| b
== NULL
|| a
->type
!= b
->type
)
165 return a
->rsa
!= NULL
&& b
->rsa
!= NULL
&&
166 BN_cmp(a
->rsa
->e
, b
->rsa
->e
) == 0 &&
167 BN_cmp(a
->rsa
->n
, b
->rsa
->n
) == 0;
169 return a
->dsa
!= NULL
&& b
->dsa
!= NULL
&&
170 BN_cmp(a
->dsa
->p
, b
->dsa
->p
) == 0 &&
171 BN_cmp(a
->dsa
->q
, b
->dsa
->q
) == 0 &&
172 BN_cmp(a
->dsa
->g
, b
->dsa
->g
) == 0 &&
173 BN_cmp(a
->dsa
->pub_key
, b
->dsa
->pub_key
) == 0;
175 fatal("key_equal: bad key type %d", a
->type
);
181 key_fingerprint_raw(const Key
*k
, enum fp_type dgst_type
,
182 u_int
*dgst_raw_length
)
184 const EVP_MD
*md
= NULL
;
187 u_char
*retval
= NULL
;
191 *dgst_raw_length
= 0;
201 fatal("key_fingerprint_raw: bad digest type %d",
206 nlen
= BN_num_bytes(k
->rsa
->n
);
207 elen
= BN_num_bytes(k
->rsa
->e
);
210 BN_bn2bin(k
->rsa
->n
, blob
);
211 BN_bn2bin(k
->rsa
->e
, blob
+ nlen
);
215 key_to_blob(k
, &blob
, &len
);
220 fatal("key_fingerprint_raw: bad key type %d", k
->type
);
224 retval
= xmalloc(EVP_MAX_MD_SIZE
);
225 EVP_DigestInit(&ctx
, md
);
226 EVP_DigestUpdate(&ctx
, blob
, len
);
227 EVP_DigestFinal(&ctx
, retval
, dgst_raw_length
);
228 memset(blob
, 0, len
);
231 fatal("key_fingerprint_raw: blob is null");
237 key_fingerprint_hex(u_char
*dgst_raw
, u_int dgst_raw_len
)
242 retval
= xcalloc(1, dgst_raw_len
* 3 + 1);
243 for (i
= 0; i
< dgst_raw_len
; i
++) {
245 snprintf(hex
, sizeof(hex
), "%02x:", dgst_raw
[i
]);
246 strlcat(retval
, hex
, dgst_raw_len
* 3 + 1);
249 /* Remove the trailing ':' character */
250 retval
[(dgst_raw_len
* 3) - 1] = '\0';
255 key_fingerprint_bubblebabble(u_char
*dgst_raw
, u_int dgst_raw_len
)
257 char vowels
[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
258 char consonants
[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
259 'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
260 u_int i
, j
= 0, rounds
, seed
= 1;
263 rounds
= (dgst_raw_len
/ 2) + 1;
264 retval
= xcalloc((rounds
* 6), sizeof(char));
266 for (i
= 0; i
< rounds
; i
++) {
267 u_int idx0
, idx1
, idx2
, idx3
, idx4
;
268 if ((i
+ 1 < rounds
) || (dgst_raw_len
% 2 != 0)) {
269 idx0
= (((((u_int
)(dgst_raw
[2 * i
])) >> 6) & 3) +
271 idx1
= (((u_int
)(dgst_raw
[2 * i
])) >> 2) & 15;
272 idx2
= ((((u_int
)(dgst_raw
[2 * i
])) & 3) +
274 retval
[j
++] = vowels
[idx0
];
275 retval
[j
++] = consonants
[idx1
];
276 retval
[j
++] = vowels
[idx2
];
277 if ((i
+ 1) < rounds
) {
278 idx3
= (((u_int
)(dgst_raw
[(2 * i
) + 1])) >> 4) & 15;
279 idx4
= (((u_int
)(dgst_raw
[(2 * i
) + 1]))) & 15;
280 retval
[j
++] = consonants
[idx3
];
282 retval
[j
++] = consonants
[idx4
];
284 ((((u_int
)(dgst_raw
[2 * i
])) * 7) +
285 ((u_int
)(dgst_raw
[(2 * i
) + 1])))) % 36;
291 retval
[j
++] = vowels
[idx0
];
292 retval
[j
++] = consonants
[idx1
];
293 retval
[j
++] = vowels
[idx2
];
302 * Draw an ASCII-Art representing the fingerprint so human brain can
303 * profit from its built-in pattern recognition ability.
304 * This technique is called "random art" and can be found in some
305 * scientific publications like this original paper:
307 * "Hash Visualization: a New Technique to improve Real-World Security",
308 * Perrig A. and Song D., 1999, International Workshop on Cryptographic
309 * Techniques and E-Commerce (CrypTEC '99)
310 * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
312 * The subject came up in a talk by Dan Kaminsky, too.
314 * If you see the picture is different, the key is different.
315 * If the picture looks the same, you still know nothing.
317 * The algorithm used here is a worm crawling over a discrete plane,
318 * leaving a trace (augmenting the field) everywhere it goes.
319 * Movement is taken from dgst_raw 2bit-wise. Bumping into walls
320 * makes the respective movement vector be ignored for this turn.
321 * Graphs are not unambiguous, because circles in graphs can be
322 * walked in either direction.
326 * Field sizes for the random art. Have to be odd, so the starting point
327 * can be in the exact middle of the picture, and FLDBASE should be >=8 .
328 * Else pictures would be too dense, and drawing the frame would
329 * fail, too, because the key type would not fit in anymore.
332 #define FLDSIZE_Y (FLDBASE + 1)
333 #define FLDSIZE_X (FLDBASE * 2 + 1)
335 key_fingerprint_randomart(u_char
*dgst_raw
, u_int dgst_raw_len
, const Key
*k
)
338 * Chars to be used after each other every time the worm
339 * intersects with itself. Matter of taste.
341 char *augmentation_string
= " .o+=*BOX@%&#/^SE";
343 u_char field
[FLDSIZE_X
][FLDSIZE_Y
];
346 size_t len
= strlen(augmentation_string
) - 1;
348 retval
= xcalloc(1, (FLDSIZE_X
+ 3) * (FLDSIZE_Y
+ 2));
350 /* initialize field */
351 memset(field
, 0, FLDSIZE_X
* FLDSIZE_Y
* sizeof(char));
355 /* process raw key */
356 for (i
= 0; i
< dgst_raw_len
; i
++) {
358 /* each byte conveys four 2-bit move commands */
360 for (b
= 0; b
< 4; b
++) {
361 /* evaluate 2 bit, rest is shifted later */
362 x
+= (input
& 0x1) ? 1 : -1;
363 y
+= (input
& 0x2) ? 1 : -1;
365 /* assure we are still in bounds */
368 x
= MIN(x
, FLDSIZE_X
- 1);
369 y
= MIN(y
, FLDSIZE_Y
- 1);
371 /* augment the field */
372 if (field
[x
][y
] < len
- 2)
378 /* mark starting point and end point*/
379 field
[FLDSIZE_X
/ 2][FLDSIZE_Y
/ 2] = len
- 1;
383 snprintf(retval
, FLDSIZE_X
, "+--[%4s %4u]", key_type(k
), key_size(k
));
384 p
= strchr(retval
, '\0');
386 /* output upper border */
387 for (i
= p
- retval
- 1; i
< FLDSIZE_X
; i
++)
393 for (y
= 0; y
< FLDSIZE_Y
; y
++) {
395 for (x
= 0; x
< FLDSIZE_X
; x
++)
396 *p
++ = augmentation_string
[MIN(field
[x
][y
], len
)];
401 /* output lower border */
403 for (i
= 0; i
< FLDSIZE_X
; i
++)
411 key_fingerprint(const Key
*k
, enum fp_type dgst_type
, enum fp_rep dgst_rep
)
417 dgst_raw
= key_fingerprint_raw(k
, dgst_type
, &dgst_raw_len
);
419 fatal("key_fingerprint: null from key_fingerprint_raw()");
422 retval
= key_fingerprint_hex(dgst_raw
, dgst_raw_len
);
424 case SSH_FP_BUBBLEBABBLE
:
425 retval
= key_fingerprint_bubblebabble(dgst_raw
, dgst_raw_len
);
427 case SSH_FP_RANDOMART
:
428 retval
= key_fingerprint_randomart(dgst_raw
, dgst_raw_len
, k
);
431 fatal("key_fingerprint: bad digest representation %d",
435 memset(dgst_raw
, 0, dgst_raw_len
);
441 * Reads a multiple-precision integer in decimal from the buffer, and advances
442 * the pointer. The integer must already be initialized. This function is
443 * permitted to modify the buffer. This leaves *cpp to point just beyond the
444 * last processed (and maybe modified) character. Note that this may modify
445 * the buffer containing the number.
448 read_bignum(char **cpp
, BIGNUM
* value
)
453 /* Skip any leading whitespace. */
454 for (; *cp
== ' ' || *cp
== '\t'; cp
++)
457 /* Check that it begins with a decimal digit. */
458 if (*cp
< '0' || *cp
> '9')
461 /* Save starting position. */
464 /* Move forward until all decimal digits skipped. */
465 for (; *cp
>= '0' && *cp
<= '9'; cp
++)
468 /* Save the old terminating character, and replace it by \0. */
472 /* Parse the number. */
473 if (BN_dec2bn(&value
, *cpp
) == 0)
476 /* Restore old terminating character. */
479 /* Move beyond the number and return success. */
485 write_bignum(FILE *f
, BIGNUM
*num
)
487 char *buf
= BN_bn2dec(num
);
489 error("write_bignum: BN_bn2dec() failed");
492 fprintf(f
, " %s", buf
);
497 /* returns 1 ok, -1 error */
499 key_read(Key
*ret
, char **cpp
)
512 /* Get number of bits. */
513 if (*cp
< '0' || *cp
> '9')
514 return -1; /* Bad bit count... */
515 for (bits
= 0; *cp
>= '0' && *cp
<= '9'; cp
++)
516 bits
= 10 * bits
+ *cp
- '0';
520 /* Get public exponent, public modulus. */
521 if (!read_bignum(cpp
, ret
->rsa
->e
))
523 if (!read_bignum(cpp
, ret
->rsa
->n
))
525 /* validate the claimed number of bits */
526 if ((u_int
)BN_num_bits(ret
->rsa
->n
) != bits
) {
527 verbose("key_read: claimed key size %d does not match "
528 "actual %d", bits
, BN_num_bits(ret
->rsa
->n
));
536 space
= strchr(cp
, ' ');
538 debug3("key_read: missing whitespace");
542 type
= key_type_from_name(cp
);
544 if (type
== KEY_UNSPEC
) {
545 debug3("key_read: missing keytype");
550 debug3("key_read: short string");
553 if (ret
->type
== KEY_UNSPEC
) {
555 } else if (ret
->type
!= type
) {
556 /* is a key, but different type */
557 debug3("key_read: type mismatch");
562 n
= uudecode(cp
, blob
, len
);
564 error("key_read: uudecode %s failed", cp
);
568 k
= key_from_blob(blob
, (u_int
)n
);
571 error("key_read: key_from_blob %s failed", cp
);
574 if (k
->type
!= type
) {
575 error("key_read: type mismatch: encoding error");
580 if (ret
->type
== KEY_RSA
) {
581 if (ret
->rsa
!= NULL
)
587 RSA_print_fp(stderr
, ret
->rsa
, 8);
590 if (ret
->dsa
!= NULL
)
596 DSA_print_fp(stderr
, ret
->dsa
, 8);
603 /* advance cp: skip whitespace and data */
604 while (*cp
== ' ' || *cp
== '\t')
606 while (*cp
!= '\0' && *cp
!= ' ' && *cp
!= '\t')
611 fatal("key_read: bad key type: %d", ret
->type
);
618 key_write(const Key
*key
, FILE *f
)
625 if (key
->type
== KEY_RSA1
&& key
->rsa
!= NULL
) {
626 /* size of modulus 'n' */
627 bits
= BN_num_bits(key
->rsa
->n
);
628 fprintf(f
, "%u", bits
);
629 if (write_bignum(f
, key
->rsa
->e
) &&
630 write_bignum(f
, key
->rsa
->n
)) {
633 error("key_write: failed for RSA key");
635 } else if ((key
->type
== KEY_DSA
&& key
->dsa
!= NULL
) ||
636 (key
->type
== KEY_RSA
&& key
->rsa
!= NULL
)) {
637 key_to_blob(key
, &blob
, &len
);
639 n
= uuencode(blob
, len
, uu
, 2*len
);
641 fprintf(f
, "%s %s", key_ssh_name(key
), uu
);
651 key_type(const Key
*k
)
665 key_ssh_name(const Key
*k
)
673 return "ssh-unknown";
677 key_size(const Key
*k
)
682 return BN_num_bits(k
->rsa
->n
);
684 return BN_num_bits(k
->dsa
->p
);
690 rsa_generate_private_key(u_int bits
)
694 private = RSA_generate_key(bits
, RSA_F4
, NULL
, NULL
);
696 fatal("rsa_generate_private_key: key generation failed.");
701 dsa_generate_private_key(u_int bits
)
703 DSA
*private = DSA_generate_parameters(bits
, NULL
, 0, NULL
, NULL
, NULL
, NULL
);
706 fatal("dsa_generate_private_key: DSA_generate_parameters failed");
707 if (!DSA_generate_key(private))
708 fatal("dsa_generate_private_key: DSA_generate_key failed.");
710 fatal("dsa_generate_private_key: NULL.");
715 key_generate(int type
, u_int bits
)
717 Key
*k
= key_new(KEY_UNSPEC
);
720 k
->dsa
= dsa_generate_private_key(bits
);
724 k
->rsa
= rsa_generate_private_key(bits
);
727 fatal("key_generate: unknown type %d", type
);
734 key_from_private(const Key
*k
)
739 n
= key_new(k
->type
);
740 if ((BN_copy(n
->dsa
->p
, k
->dsa
->p
) == NULL
) ||
741 (BN_copy(n
->dsa
->q
, k
->dsa
->q
) == NULL
) ||
742 (BN_copy(n
->dsa
->g
, k
->dsa
->g
) == NULL
) ||
743 (BN_copy(n
->dsa
->pub_key
, k
->dsa
->pub_key
) == NULL
))
744 fatal("key_from_private: BN_copy failed");
748 n
= key_new(k
->type
);
749 if ((BN_copy(n
->rsa
->n
, k
->rsa
->n
) == NULL
) ||
750 (BN_copy(n
->rsa
->e
, k
->rsa
->e
) == NULL
))
751 fatal("key_from_private: BN_copy failed");
754 fatal("key_from_private: unknown type %d", k
->type
);
761 key_type_from_name(char *name
)
763 if (strcmp(name
, "rsa1") == 0) {
765 } else if (strcmp(name
, "rsa") == 0) {
767 } else if (strcmp(name
, "dsa") == 0) {
769 } else if (strcmp(name
, "ssh-rsa") == 0) {
771 } else if (strcmp(name
, "ssh-dss") == 0) {
774 debug2("key_type_from_name: unknown key type '%s'", name
);
779 key_names_valid2(const char *names
)
783 if (names
== NULL
|| strcmp(names
, "") == 0)
785 s
= cp
= xstrdup(names
);
786 for ((p
= strsep(&cp
, ",")); p
&& *p
!= '\0';
787 (p
= strsep(&cp
, ","))) {
788 switch (key_type_from_name(p
)) {
795 debug3("key names ok: [%s]", names
);
801 key_from_blob(const u_char
*blob
, u_int blen
)
809 dump_base64(stderr
, blob
, blen
);
812 buffer_append(&b
, blob
, blen
);
813 if ((ktype
= buffer_get_string_ret(&b
, NULL
)) == NULL
) {
814 error("key_from_blob: can't read key type");
818 type
= key_type_from_name(ktype
);
823 if (buffer_get_bignum2_ret(&b
, key
->rsa
->e
) == -1 ||
824 buffer_get_bignum2_ret(&b
, key
->rsa
->n
) == -1) {
825 error("key_from_blob: can't read rsa key");
831 RSA_print_fp(stderr
, key
->rsa
, 8);
836 if (buffer_get_bignum2_ret(&b
, key
->dsa
->p
) == -1 ||
837 buffer_get_bignum2_ret(&b
, key
->dsa
->q
) == -1 ||
838 buffer_get_bignum2_ret(&b
, key
->dsa
->g
) == -1 ||
839 buffer_get_bignum2_ret(&b
, key
->dsa
->pub_key
) == -1) {
840 error("key_from_blob: can't read dsa key");
846 DSA_print_fp(stderr
, key
->dsa
, 8);
853 error("key_from_blob: cannot handle type %s", ktype
);
856 rlen
= buffer_len(&b
);
857 if (key
!= NULL
&& rlen
!= 0)
858 error("key_from_blob: remaining bytes in key blob %d", rlen
);
867 key_to_blob(const Key
*key
, u_char
**blobp
, u_int
*lenp
)
873 error("key_to_blob: key == NULL");
879 buffer_put_cstring(&b
, key_ssh_name(key
));
880 buffer_put_bignum2(&b
, key
->dsa
->p
);
881 buffer_put_bignum2(&b
, key
->dsa
->q
);
882 buffer_put_bignum2(&b
, key
->dsa
->g
);
883 buffer_put_bignum2(&b
, key
->dsa
->pub_key
);
886 buffer_put_cstring(&b
, key_ssh_name(key
));
887 buffer_put_bignum2(&b
, key
->rsa
->e
);
888 buffer_put_bignum2(&b
, key
->rsa
->n
);
891 error("key_to_blob: unsupported key type %d", key
->type
);
895 len
= buffer_len(&b
);
899 *blobp
= xmalloc(len
);
900 memcpy(*blobp
, buffer_ptr(&b
), len
);
902 memset(buffer_ptr(&b
), 0, len
);
910 u_char
**sigp
, u_int
*lenp
,
911 const u_char
*data
, u_int datalen
)
915 return ssh_dss_sign(key
, sigp
, lenp
, data
, datalen
);
917 return ssh_rsa_sign(key
, sigp
, lenp
, data
, datalen
);
919 error("key_sign: invalid key type %d", key
->type
);
925 * key_verify returns 1 for a correct signature, 0 for an incorrect signature
931 const u_char
*signature
, u_int signaturelen
,
932 const u_char
*data
, u_int datalen
)
934 if (signaturelen
== 0)
939 return ssh_dss_verify(key
, signature
, signaturelen
, data
, datalen
);
941 return ssh_rsa_verify(key
, signature
, signaturelen
, data
, datalen
);
943 error("key_verify: invalid key type %d", key
->type
);
948 /* Converts a private to a public key */
950 key_demote(const Key
*k
)
954 pk
= xcalloc(1, sizeof(*pk
));
956 pk
->flags
= k
->flags
;
963 if ((pk
->rsa
= RSA_new()) == NULL
)
964 fatal("key_demote: RSA_new failed");
965 if ((pk
->rsa
->e
= BN_dup(k
->rsa
->e
)) == NULL
)
966 fatal("key_demote: BN_dup failed");
967 if ((pk
->rsa
->n
= BN_dup(k
->rsa
->n
)) == NULL
)
968 fatal("key_demote: BN_dup failed");
971 if ((pk
->dsa
= DSA_new()) == NULL
)
972 fatal("key_demote: DSA_new failed");
973 if ((pk
->dsa
->p
= BN_dup(k
->dsa
->p
)) == NULL
)
974 fatal("key_demote: BN_dup failed");
975 if ((pk
->dsa
->q
= BN_dup(k
->dsa
->q
)) == NULL
)
976 fatal("key_demote: BN_dup failed");
977 if ((pk
->dsa
->g
= BN_dup(k
->dsa
->g
)) == NULL
)
978 fatal("key_demote: BN_dup failed");
979 if ((pk
->dsa
->pub_key
= BN_dup(k
->dsa
->pub_key
)) == NULL
)
980 fatal("key_demote: BN_dup failed");
983 fatal("key_free: bad key type %d", k
->type
);