diff options
Diffstat (limited to 'key.c')
| -rw-r--r-- | key.c | 510 |
1 files changed, 444 insertions, 66 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: key.c,v 1.104 2013/05/19 02:42:42 djm Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.115 2014/01/09 23:20:00 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * read_bignum(): | 3 | * read_bignum(): |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -39,6 +39,8 @@ | |||
| 39 | #include <sys/param.h> | 39 | #include <sys/param.h> |
| 40 | #include <sys/types.h> | 40 | #include <sys/types.h> |
| 41 | 41 | ||
| 42 | #include "crypto_api.h" | ||
| 43 | |||
| 42 | #include <openssl/evp.h> | 44 | #include <openssl/evp.h> |
| 43 | #include <openbsd-compat/openssl-compat.h> | 45 | #include <openbsd-compat/openssl-compat.h> |
| 44 | 46 | ||
| @@ -54,8 +56,10 @@ | |||
| 54 | #include "log.h" | 56 | #include "log.h" |
| 55 | #include "misc.h" | 57 | #include "misc.h" |
| 56 | #include "ssh2.h" | 58 | #include "ssh2.h" |
| 59 | #include "digest.h" | ||
| 57 | 60 | ||
| 58 | static int to_blob(const Key *, u_char **, u_int *, int); | 61 | static int to_blob(const Key *, u_char **, u_int *, int); |
| 62 | static Key *key_from_blob2(const u_char *, u_int, int); | ||
| 59 | 63 | ||
| 60 | static struct KeyCert * | 64 | static struct KeyCert * |
| 61 | cert_new(void) | 65 | cert_new(void) |
| @@ -85,6 +89,8 @@ key_new(int type) | |||
| 85 | k->dsa = NULL; | 89 | k->dsa = NULL; |
| 86 | k->rsa = NULL; | 90 | k->rsa = NULL; |
| 87 | k->cert = NULL; | 91 | k->cert = NULL; |
| 92 | k->ed25519_sk = NULL; | ||
| 93 | k->ed25519_pk = NULL; | ||
| 88 | switch (k->type) { | 94 | switch (k->type) { |
| 89 | case KEY_RSA1: | 95 | case KEY_RSA1: |
| 90 | case KEY_RSA: | 96 | case KEY_RSA: |
| @@ -119,6 +125,10 @@ key_new(int type) | |||
| 119 | /* Cannot do anything until we know the group */ | 125 | /* Cannot do anything until we know the group */ |
| 120 | break; | 126 | break; |
| 121 | #endif | 127 | #endif |
| 128 | case KEY_ED25519: | ||
| 129 | case KEY_ED25519_CERT: | ||
| 130 | /* no need to prealloc */ | ||
| 131 | break; | ||
| 122 | case KEY_UNSPEC: | 132 | case KEY_UNSPEC: |
| 123 | break; | 133 | break; |
| 124 | default: | 134 | default: |
| @@ -163,6 +173,10 @@ key_add_private(Key *k) | |||
| 163 | case KEY_ECDSA_CERT: | 173 | case KEY_ECDSA_CERT: |
| 164 | /* Cannot do anything until we know the group */ | 174 | /* Cannot do anything until we know the group */ |
| 165 | break; | 175 | break; |
| 176 | case KEY_ED25519: | ||
| 177 | case KEY_ED25519_CERT: | ||
| 178 | /* no need to prealloc */ | ||
| 179 | break; | ||
| 166 | case KEY_UNSPEC: | 180 | case KEY_UNSPEC: |
| 167 | break; | 181 | break; |
| 168 | default: | 182 | default: |
| @@ -225,6 +239,19 @@ key_free(Key *k) | |||
| 225 | k->ecdsa = NULL; | 239 | k->ecdsa = NULL; |
| 226 | break; | 240 | break; |
| 227 | #endif | 241 | #endif |
| 242 | case KEY_ED25519: | ||
| 243 | case KEY_ED25519_CERT: | ||
| 244 | if (k->ed25519_pk) { | ||
| 245 | memset(k->ed25519_pk, 0, ED25519_PK_SZ); | ||
| 246 | free(k->ed25519_pk); | ||
| 247 | k->ed25519_pk = NULL; | ||
| 248 | } | ||
| 249 | if (k->ed25519_sk) { | ||
| 250 | memset(k->ed25519_sk, 0, ED25519_SK_SZ); | ||
| 251 | free(k->ed25519_sk); | ||
| 252 | k->ed25519_sk = NULL; | ||
| 253 | } | ||
| 254 | break; | ||
| 228 | case KEY_UNSPEC: | 255 | case KEY_UNSPEC: |
| 229 | break; | 256 | break; |
| 230 | default: | 257 | default: |
| @@ -306,6 +333,10 @@ key_equal_public(const Key *a, const Key *b) | |||
| 306 | BN_CTX_free(bnctx); | 333 | BN_CTX_free(bnctx); |
| 307 | return 1; | 334 | return 1; |
| 308 | #endif /* OPENSSL_HAS_ECC */ | 335 | #endif /* OPENSSL_HAS_ECC */ |
| 336 | case KEY_ED25519: | ||
| 337 | case KEY_ED25519_CERT: | ||
| 338 | return a->ed25519_pk != NULL && b->ed25519_pk != NULL && | ||
| 339 | memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0; | ||
| 309 | default: | 340 | default: |
| 310 | fatal("key_equal: bad key type %d", a->type); | 341 | fatal("key_equal: bad key type %d", a->type); |
| 311 | } | 342 | } |
| @@ -328,30 +359,26 @@ u_char* | |||
| 328 | key_fingerprint_raw(const Key *k, enum fp_type dgst_type, | 359 | key_fingerprint_raw(const Key *k, enum fp_type dgst_type, |
| 329 | u_int *dgst_raw_length) | 360 | u_int *dgst_raw_length) |
| 330 | { | 361 | { |
| 331 | const EVP_MD *md = NULL; | ||
| 332 | EVP_MD_CTX ctx; | ||
| 333 | u_char *blob = NULL; | 362 | u_char *blob = NULL; |
| 334 | u_char *retval = NULL; | 363 | u_char *retval = NULL; |
| 335 | u_int len = 0; | 364 | u_int len = 0; |
| 336 | int nlen, elen; | 365 | int nlen, elen, hash_alg = -1; |
| 337 | 366 | ||
| 338 | *dgst_raw_length = 0; | 367 | *dgst_raw_length = 0; |
| 339 | 368 | ||
| 369 | /* XXX switch to DIGEST_* directly? */ | ||
| 340 | switch (dgst_type) { | 370 | switch (dgst_type) { |
| 341 | case SSH_FP_MD5: | 371 | case SSH_FP_MD5: |
| 342 | md = EVP_md5(); | 372 | hash_alg = SSH_DIGEST_MD5; |
| 343 | break; | 373 | break; |
| 344 | case SSH_FP_SHA1: | 374 | case SSH_FP_SHA1: |
| 345 | md = EVP_sha1(); | 375 | hash_alg = SSH_DIGEST_SHA1; |
| 346 | break; | 376 | break; |
| 347 | #ifdef HAVE_EVP_SHA256 | ||
| 348 | case SSH_FP_SHA256: | 377 | case SSH_FP_SHA256: |
| 349 | md = EVP_sha256(); | 378 | hash_alg = SSH_DIGEST_SHA256; |
| 350 | break; | 379 | break; |
| 351 | #endif | ||
| 352 | default: | 380 | default: |
| 353 | fatal("key_fingerprint_raw: bad digest type %d", | 381 | fatal("%s: bad digest type %d", __func__, dgst_type); |
| 354 | dgst_type); | ||
| 355 | } | 382 | } |
| 356 | switch (k->type) { | 383 | switch (k->type) { |
| 357 | case KEY_RSA1: | 384 | case KEY_RSA1: |
| @@ -365,6 +392,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, | |||
| 365 | case KEY_DSA: | 392 | case KEY_DSA: |
| 366 | case KEY_ECDSA: | 393 | case KEY_ECDSA: |
| 367 | case KEY_RSA: | 394 | case KEY_RSA: |
| 395 | case KEY_ED25519: | ||
| 368 | key_to_blob(k, &blob, &len); | 396 | key_to_blob(k, &blob, &len); |
| 369 | break; | 397 | break; |
| 370 | case KEY_DSA_CERT_V00: | 398 | case KEY_DSA_CERT_V00: |
| @@ -372,24 +400,26 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, | |||
| 372 | case KEY_DSA_CERT: | 400 | case KEY_DSA_CERT: |
| 373 | case KEY_ECDSA_CERT: | 401 | case KEY_ECDSA_CERT: |
| 374 | case KEY_RSA_CERT: | 402 | case KEY_RSA_CERT: |
| 403 | case KEY_ED25519_CERT: | ||
| 375 | /* We want a fingerprint of the _key_ not of the cert */ | 404 | /* We want a fingerprint of the _key_ not of the cert */ |
| 376 | to_blob(k, &blob, &len, 1); | 405 | to_blob(k, &blob, &len, 1); |
| 377 | break; | 406 | break; |
| 378 | case KEY_UNSPEC: | 407 | case KEY_UNSPEC: |
| 379 | return retval; | 408 | return retval; |
| 380 | default: | 409 | default: |
| 381 | fatal("key_fingerprint_raw: bad key type %d", k->type); | 410 | fatal("%s: bad key type %d", __func__, k->type); |
| 382 | break; | 411 | break; |
| 383 | } | 412 | } |
| 384 | if (blob != NULL) { | 413 | if (blob != NULL) { |
| 385 | retval = xmalloc(EVP_MAX_MD_SIZE); | 414 | retval = xmalloc(SSH_DIGEST_MAX_LENGTH); |
| 386 | EVP_DigestInit(&ctx, md); | 415 | if ((ssh_digest_memory(hash_alg, blob, len, |
| 387 | EVP_DigestUpdate(&ctx, blob, len); | 416 | retval, SSH_DIGEST_MAX_LENGTH)) != 0) |
| 388 | EVP_DigestFinal(&ctx, retval, dgst_raw_length); | 417 | fatal("%s: digest_memory failed", __func__); |
| 389 | memset(blob, 0, len); | 418 | memset(blob, 0, len); |
| 390 | free(blob); | 419 | free(blob); |
| 420 | *dgst_raw_length = ssh_digest_bytes(hash_alg); | ||
| 391 | } else { | 421 | } else { |
| 392 | fatal("key_fingerprint_raw: blob is null"); | 422 | fatal("%s: blob is null", __func__); |
| 393 | } | 423 | } |
| 394 | return retval; | 424 | return retval; |
| 395 | } | 425 | } |
| @@ -698,11 +728,13 @@ key_read(Key *ret, char **cpp) | |||
| 698 | case KEY_RSA: | 728 | case KEY_RSA: |
| 699 | case KEY_DSA: | 729 | case KEY_DSA: |
| 700 | case KEY_ECDSA: | 730 | case KEY_ECDSA: |
| 731 | case KEY_ED25519: | ||
| 701 | case KEY_DSA_CERT_V00: | 732 | case KEY_DSA_CERT_V00: |
| 702 | case KEY_RSA_CERT_V00: | 733 | case KEY_RSA_CERT_V00: |
| 703 | case KEY_DSA_CERT: | 734 | case KEY_DSA_CERT: |
| 704 | case KEY_ECDSA_CERT: | 735 | case KEY_ECDSA_CERT: |
| 705 | case KEY_RSA_CERT: | 736 | case KEY_RSA_CERT: |
| 737 | case KEY_ED25519_CERT: | ||
| 706 | space = strchr(cp, ' '); | 738 | space = strchr(cp, ' '); |
| 707 | if (space == NULL) { | 739 | if (space == NULL) { |
| 708 | debug3("key_read: missing whitespace"); | 740 | debug3("key_read: missing whitespace"); |
| @@ -804,6 +836,14 @@ key_read(Key *ret, char **cpp) | |||
| 804 | #endif | 836 | #endif |
| 805 | } | 837 | } |
| 806 | #endif | 838 | #endif |
| 839 | if (key_type_plain(ret->type) == KEY_ED25519) { | ||
| 840 | free(ret->ed25519_pk); | ||
| 841 | ret->ed25519_pk = k->ed25519_pk; | ||
| 842 | k->ed25519_pk = NULL; | ||
| 843 | #ifdef DEBUG_PK | ||
| 844 | /* XXX */ | ||
| 845 | #endif | ||
| 846 | } | ||
| 807 | success = 1; | 847 | success = 1; |
| 808 | /*XXXX*/ | 848 | /*XXXX*/ |
| 809 | key_free(k); | 849 | key_free(k); |
| @@ -867,6 +907,11 @@ key_write(const Key *key, FILE *f) | |||
| 867 | return 0; | 907 | return 0; |
| 868 | break; | 908 | break; |
| 869 | #endif | 909 | #endif |
| 910 | case KEY_ED25519: | ||
| 911 | case KEY_ED25519_CERT: | ||
| 912 | if (key->ed25519_pk == NULL) | ||
| 913 | return 0; | ||
| 914 | break; | ||
| 870 | case KEY_RSA: | 915 | case KEY_RSA: |
| 871 | case KEY_RSA_CERT_V00: | 916 | case KEY_RSA_CERT_V00: |
| 872 | case KEY_RSA_CERT: | 917 | case KEY_RSA_CERT: |
| @@ -914,10 +959,13 @@ static const struct keytype keytypes[] = { | |||
| 914 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, | 959 | { NULL, "RSA1", KEY_RSA1, 0, 0 }, |
| 915 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, | 960 | { "ssh-rsa", "RSA", KEY_RSA, 0, 0 }, |
| 916 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, | 961 | { "ssh-dss", "DSA", KEY_DSA, 0, 0 }, |
| 962 | { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 }, | ||
| 917 | #ifdef OPENSSL_HAS_ECC | 963 | #ifdef OPENSSL_HAS_ECC |
| 918 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, | 964 | { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 }, |
| 919 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, | 965 | { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 }, |
| 966 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 920 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, | 967 | { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 }, |
| 968 | # endif | ||
| 921 | #endif /* OPENSSL_HAS_ECC */ | 969 | #endif /* OPENSSL_HAS_ECC */ |
| 922 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, | 970 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 }, |
| 923 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, | 971 | { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 }, |
| @@ -926,13 +974,17 @@ static const struct keytype keytypes[] = { | |||
| 926 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, | 974 | KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 }, |
| 927 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", | 975 | { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", |
| 928 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, | 976 | KEY_ECDSA_CERT, NID_secp384r1, 1 }, |
| 977 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 929 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", | 978 | { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", |
| 930 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, | 979 | KEY_ECDSA_CERT, NID_secp521r1, 1 }, |
| 980 | # endif | ||
| 931 | #endif /* OPENSSL_HAS_ECC */ | 981 | #endif /* OPENSSL_HAS_ECC */ |
| 932 | { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", | 982 | { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00", |
| 933 | KEY_RSA_CERT_V00, 0, 1 }, | 983 | KEY_RSA_CERT_V00, 0, 1 }, |
| 934 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | 984 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", |
| 935 | KEY_DSA_CERT_V00, 0, 1 }, | 985 | KEY_DSA_CERT_V00, 0, 1 }, |
| 986 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
| 987 | KEY_ED25519_CERT, 0, 1 }, | ||
| 936 | { "null", "null", KEY_NULL, 0, 0 }, | 988 | { "null", "null", KEY_NULL, 0, 0 }, |
| 937 | { NULL, NULL, -1, -1, 0 } | 989 | { NULL, NULL, -1, -1, 0 } |
| 938 | }; | 990 | }; |
| @@ -1005,7 +1057,7 @@ key_ecdsa_nid_from_name(const char *name) | |||
| 1005 | } | 1057 | } |
| 1006 | 1058 | ||
| 1007 | char * | 1059 | char * |
| 1008 | key_alg_list(void) | 1060 | key_alg_list(int certs_only, int plain_only) |
| 1009 | { | 1061 | { |
| 1010 | char *ret = NULL; | 1062 | char *ret = NULL; |
| 1011 | size_t nlen, rlen = 0; | 1063 | size_t nlen, rlen = 0; |
| @@ -1014,6 +1066,8 @@ key_alg_list(void) | |||
| 1014 | for (kt = keytypes; kt->type != -1; kt++) { | 1066 | for (kt = keytypes; kt->type != -1; kt++) { |
| 1015 | if (kt->name == NULL) | 1067 | if (kt->name == NULL) |
| 1016 | continue; | 1068 | continue; |
| 1069 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
| 1070 | continue; | ||
| 1017 | if (ret != NULL) | 1071 | if (ret != NULL) |
| 1018 | ret[rlen++] = '\n'; | 1072 | ret[rlen++] = '\n'; |
| 1019 | nlen = strlen(kt->name); | 1073 | nlen = strlen(kt->name); |
| @@ -1024,6 +1078,32 @@ key_alg_list(void) | |||
| 1024 | return ret; | 1078 | return ret; |
| 1025 | } | 1079 | } |
| 1026 | 1080 | ||
| 1081 | int | ||
| 1082 | key_type_is_cert(int type) | ||
| 1083 | { | ||
| 1084 | const struct keytype *kt; | ||
| 1085 | |||
| 1086 | for (kt = keytypes; kt->type != -1; kt++) { | ||
| 1087 | if (kt->type == type) | ||
| 1088 | return kt->cert; | ||
| 1089 | } | ||
| 1090 | return 0; | ||
| 1091 | } | ||
| 1092 | |||
| 1093 | static int | ||
| 1094 | key_type_is_valid_ca(int type) | ||
| 1095 | { | ||
| 1096 | switch (type) { | ||
| 1097 | case KEY_RSA: | ||
| 1098 | case KEY_DSA: | ||
| 1099 | case KEY_ECDSA: | ||
| 1100 | case KEY_ED25519: | ||
| 1101 | return 1; | ||
| 1102 | default: | ||
| 1103 | return 0; | ||
| 1104 | } | ||
| 1105 | } | ||
| 1106 | |||
| 1027 | u_int | 1107 | u_int |
| 1028 | key_size(const Key *k) | 1108 | key_size(const Key *k) |
| 1029 | { | 1109 | { |
| @@ -1037,6 +1117,8 @@ key_size(const Key *k) | |||
| 1037 | case KEY_DSA_CERT_V00: | 1117 | case KEY_DSA_CERT_V00: |
| 1038 | case KEY_DSA_CERT: | 1118 | case KEY_DSA_CERT: |
| 1039 | return BN_num_bits(k->dsa->p); | 1119 | return BN_num_bits(k->dsa->p); |
| 1120 | case KEY_ED25519: | ||
| 1121 | return 256; /* XXX */ | ||
| 1040 | #ifdef OPENSSL_HAS_ECC | 1122 | #ifdef OPENSSL_HAS_ECC |
| 1041 | case KEY_ECDSA: | 1123 | case KEY_ECDSA: |
| 1042 | case KEY_ECDSA_CERT: | 1124 | case KEY_ECDSA_CERT: |
| @@ -1088,8 +1170,10 @@ key_ecdsa_bits_to_nid(int bits) | |||
| 1088 | return NID_X9_62_prime256v1; | 1170 | return NID_X9_62_prime256v1; |
| 1089 | case 384: | 1171 | case 384: |
| 1090 | return NID_secp384r1; | 1172 | return NID_secp384r1; |
| 1173 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 1091 | case 521: | 1174 | case 521: |
| 1092 | return NID_secp521r1; | 1175 | return NID_secp521r1; |
| 1176 | # endif | ||
| 1093 | #endif | 1177 | #endif |
| 1094 | default: | 1178 | default: |
| 1095 | return -1; | 1179 | return -1; |
| @@ -1104,7 +1188,9 @@ key_ecdsa_key_to_nid(EC_KEY *k) | |||
| 1104 | int nids[] = { | 1188 | int nids[] = { |
| 1105 | NID_X9_62_prime256v1, | 1189 | NID_X9_62_prime256v1, |
| 1106 | NID_secp384r1, | 1190 | NID_secp384r1, |
| 1191 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 1107 | NID_secp521r1, | 1192 | NID_secp521r1, |
| 1193 | # endif | ||
| 1108 | -1 | 1194 | -1 |
| 1109 | }; | 1195 | }; |
| 1110 | int nid; | 1196 | int nid; |
| @@ -1176,6 +1262,11 @@ key_generate(int type, u_int bits) | |||
| 1176 | case KEY_RSA1: | 1262 | case KEY_RSA1: |
| 1177 | k->rsa = rsa_generate_private_key(bits); | 1263 | k->rsa = rsa_generate_private_key(bits); |
| 1178 | break; | 1264 | break; |
| 1265 | case KEY_ED25519: | ||
| 1266 | k->ed25519_pk = xmalloc(ED25519_PK_SZ); | ||
| 1267 | k->ed25519_sk = xmalloc(ED25519_SK_SZ); | ||
| 1268 | crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk); | ||
| 1269 | break; | ||
| 1179 | case KEY_RSA_CERT_V00: | 1270 | case KEY_RSA_CERT_V00: |
| 1180 | case KEY_DSA_CERT_V00: | 1271 | case KEY_DSA_CERT_V00: |
| 1181 | case KEY_RSA_CERT: | 1272 | case KEY_RSA_CERT: |
| @@ -1269,6 +1360,14 @@ key_from_private(const Key *k) | |||
| 1269 | (BN_copy(n->rsa->e, k->rsa->e) == NULL)) | 1360 | (BN_copy(n->rsa->e, k->rsa->e) == NULL)) |
| 1270 | fatal("key_from_private: BN_copy failed"); | 1361 | fatal("key_from_private: BN_copy failed"); |
| 1271 | break; | 1362 | break; |
| 1363 | case KEY_ED25519: | ||
| 1364 | case KEY_ED25519_CERT: | ||
| 1365 | n = key_new(k->type); | ||
| 1366 | if (k->ed25519_pk != NULL) { | ||
| 1367 | n->ed25519_pk = xmalloc(ED25519_PK_SZ); | ||
| 1368 | memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); | ||
| 1369 | } | ||
| 1370 | break; | ||
| 1272 | default: | 1371 | default: |
| 1273 | fatal("key_from_private: unknown type %d", k->type); | 1372 | fatal("key_from_private: unknown type %d", k->type); |
| 1274 | break; | 1373 | break; |
| @@ -1388,14 +1487,12 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
| 1388 | } | 1487 | } |
| 1389 | buffer_clear(&tmp); | 1488 | buffer_clear(&tmp); |
| 1390 | 1489 | ||
| 1391 | if ((key->cert->signature_key = key_from_blob(sig_key, | 1490 | if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0)) |
| 1392 | sklen)) == NULL) { | 1491 | == NULL) { |
| 1393 | error("%s: Signature key invalid", __func__); | 1492 | error("%s: Signature key invalid", __func__); |
| 1394 | goto out; | 1493 | goto out; |
| 1395 | } | 1494 | } |
| 1396 | if (key->cert->signature_key->type != KEY_RSA && | 1495 | if (!key_type_is_valid_ca(key->cert->signature_key->type)) { |
| 1397 | key->cert->signature_key->type != KEY_DSA && | ||
| 1398 | key->cert->signature_key->type != KEY_ECDSA) { | ||
| 1399 | error("%s: Invalid signature key type %s (%d)", __func__, | 1496 | error("%s: Invalid signature key type %s (%d)", __func__, |
| 1400 | key_type(key->cert->signature_key), | 1497 | key_type(key->cert->signature_key), |
| 1401 | key->cert->signature_key->type); | 1498 | key->cert->signature_key->type); |
| @@ -1426,12 +1523,14 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
| 1426 | return ret; | 1523 | return ret; |
| 1427 | } | 1524 | } |
| 1428 | 1525 | ||
| 1429 | Key * | 1526 | static Key * |
| 1430 | key_from_blob(const u_char *blob, u_int blen) | 1527 | key_from_blob2(const u_char *blob, u_int blen, int allow_cert) |
| 1431 | { | 1528 | { |
| 1432 | Buffer b; | 1529 | Buffer b; |
| 1433 | int rlen, type; | 1530 | int rlen, type; |
| 1531 | u_int len; | ||
| 1434 | char *ktype = NULL, *curve = NULL; | 1532 | char *ktype = NULL, *curve = NULL; |
| 1533 | u_char *pk = NULL; | ||
| 1435 | Key *key = NULL; | 1534 | Key *key = NULL; |
| 1436 | #ifdef OPENSSL_HAS_ECC | 1535 | #ifdef OPENSSL_HAS_ECC |
| 1437 | EC_POINT *q = NULL; | 1536 | EC_POINT *q = NULL; |
| @@ -1453,7 +1552,10 @@ key_from_blob(const u_char *blob, u_int blen) | |||
| 1453 | if (key_type_plain(type) == KEY_ECDSA) | 1552 | if (key_type_plain(type) == KEY_ECDSA) |
| 1454 | nid = key_ecdsa_nid_from_name(ktype); | 1553 | nid = key_ecdsa_nid_from_name(ktype); |
| 1455 | #endif | 1554 | #endif |
| 1456 | 1555 | if (!allow_cert && key_type_is_cert(type)) { | |
| 1556 | error("key_from_blob: certificate not allowed in this context"); | ||
| 1557 | goto out; | ||
| 1558 | } | ||
| 1457 | switch (type) { | 1559 | switch (type) { |
| 1458 | case KEY_RSA_CERT: | 1560 | case KEY_RSA_CERT: |
| 1459 | (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ | 1561 | (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ |
| @@ -1527,6 +1629,23 @@ key_from_blob(const u_char *blob, u_int blen) | |||
| 1527 | #endif | 1629 | #endif |
| 1528 | break; | 1630 | break; |
| 1529 | #endif /* OPENSSL_HAS_ECC */ | 1631 | #endif /* OPENSSL_HAS_ECC */ |
| 1632 | case KEY_ED25519_CERT: | ||
| 1633 | (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */ | ||
| 1634 | /* FALLTHROUGH */ | ||
| 1635 | case KEY_ED25519: | ||
| 1636 | if ((pk = buffer_get_string_ret(&b, &len)) == NULL) { | ||
| 1637 | error("key_from_blob: can't read ed25519 key"); | ||
| 1638 | goto badkey; | ||
| 1639 | } | ||
| 1640 | if (len != ED25519_PK_SZ) { | ||
| 1641 | error("key_from_blob: ed25519 len %d != %d", | ||
| 1642 | len, ED25519_PK_SZ); | ||
| 1643 | goto badkey; | ||
| 1644 | } | ||
| 1645 | key = key_new(type); | ||
| 1646 | key->ed25519_pk = pk; | ||
| 1647 | pk = NULL; | ||
| 1648 | break; | ||
| 1530 | case KEY_UNSPEC: | 1649 | case KEY_UNSPEC: |
| 1531 | key = key_new(type); | 1650 | key = key_new(type); |
| 1532 | break; | 1651 | break; |
| @@ -1544,6 +1663,7 @@ key_from_blob(const u_char *blob, u_int blen) | |||
| 1544 | out: | 1663 | out: |
| 1545 | free(ktype); | 1664 | free(ktype); |
| 1546 | free(curve); | 1665 | free(curve); |
| 1666 | free(pk); | ||
| 1547 | #ifdef OPENSSL_HAS_ECC | 1667 | #ifdef OPENSSL_HAS_ECC |
| 1548 | if (q != NULL) | 1668 | if (q != NULL) |
| 1549 | EC_POINT_free(q); | 1669 | EC_POINT_free(q); |
| @@ -1552,12 +1672,22 @@ key_from_blob(const u_char *blob, u_int blen) | |||
| 1552 | return key; | 1672 | return key; |
| 1553 | } | 1673 | } |
| 1554 | 1674 | ||
| 1675 | Key * | ||
| 1676 | key_from_blob(const u_char *blob, u_int blen) | ||
| 1677 | { | ||
| 1678 | return key_from_blob2(blob, blen, 1); | ||
| 1679 | } | ||
| 1680 | |||
| 1555 | static int | 1681 | static int |
| 1556 | to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) | 1682 | to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) |
| 1557 | { | 1683 | { |
| 1558 | Buffer b; | 1684 | Buffer b; |
| 1559 | int len, type; | 1685 | int len, type; |
| 1560 | 1686 | ||
| 1687 | if (blobp != NULL) | ||
| 1688 | *blobp = NULL; | ||
| 1689 | if (lenp != NULL) | ||
| 1690 | *lenp = 0; | ||
| 1561 | if (key == NULL) { | 1691 | if (key == NULL) { |
| 1562 | error("key_to_blob: key == NULL"); | 1692 | error("key_to_blob: key == NULL"); |
| 1563 | return 0; | 1693 | return 0; |
| @@ -1570,6 +1700,7 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) | |||
| 1570 | case KEY_DSA_CERT: | 1700 | case KEY_DSA_CERT: |
| 1571 | case KEY_ECDSA_CERT: | 1701 | case KEY_ECDSA_CERT: |
| 1572 | case KEY_RSA_CERT: | 1702 | case KEY_RSA_CERT: |
| 1703 | case KEY_ED25519_CERT: | ||
| 1573 | /* Use the existing blob */ | 1704 | /* Use the existing blob */ |
| 1574 | buffer_append(&b, buffer_ptr(&key->cert->certblob), | 1705 | buffer_append(&b, buffer_ptr(&key->cert->certblob), |
| 1575 | buffer_len(&key->cert->certblob)); | 1706 | buffer_len(&key->cert->certblob)); |
| @@ -1597,6 +1728,11 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain) | |||
| 1597 | buffer_put_bignum2(&b, key->rsa->e); | 1728 | buffer_put_bignum2(&b, key->rsa->e); |
| 1598 | buffer_put_bignum2(&b, key->rsa->n); | 1729 | buffer_put_bignum2(&b, key->rsa->n); |
| 1599 | break; | 1730 | break; |
| 1731 | case KEY_ED25519: | ||
| 1732 | buffer_put_cstring(&b, | ||
| 1733 | key_ssh_name_from_type_nid(type, key->ecdsa_nid)); | ||
| 1734 | buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ); | ||
| 1735 | break; | ||
| 1600 | default: | 1736 | default: |
| 1601 | error("key_to_blob: unsupported key type %d", key->type); | 1737 | error("key_to_blob: unsupported key type %d", key->type); |
| 1602 | buffer_free(&b); | 1738 | buffer_free(&b); |
| @@ -1640,6 +1776,9 @@ key_sign( | |||
| 1640 | case KEY_RSA_CERT: | 1776 | case KEY_RSA_CERT: |
| 1641 | case KEY_RSA: | 1777 | case KEY_RSA: |
| 1642 | return ssh_rsa_sign(key, sigp, lenp, data, datalen); | 1778 | return ssh_rsa_sign(key, sigp, lenp, data, datalen); |
| 1779 | case KEY_ED25519: | ||
| 1780 | case KEY_ED25519_CERT: | ||
| 1781 | return ssh_ed25519_sign(key, sigp, lenp, data, datalen); | ||
| 1643 | default: | 1782 | default: |
| 1644 | error("key_sign: invalid key type %d", key->type); | 1783 | error("key_sign: invalid key type %d", key->type); |
| 1645 | return -1; | 1784 | return -1; |
| @@ -1673,6 +1812,9 @@ key_verify( | |||
| 1673 | case KEY_RSA_CERT: | 1812 | case KEY_RSA_CERT: |
| 1674 | case KEY_RSA: | 1813 | case KEY_RSA: |
| 1675 | return ssh_rsa_verify(key, signature, signaturelen, data, datalen); | 1814 | return ssh_rsa_verify(key, signature, signaturelen, data, datalen); |
| 1815 | case KEY_ED25519: | ||
| 1816 | case KEY_ED25519_CERT: | ||
| 1817 | return ssh_ed25519_verify(key, signature, signaturelen, data, datalen); | ||
| 1676 | default: | 1818 | default: |
| 1677 | error("key_verify: invalid key type %d", key->type); | 1819 | error("key_verify: invalid key type %d", key->type); |
| 1678 | return -1; | 1820 | return -1; |
| @@ -1692,6 +1834,8 @@ key_demote(const Key *k) | |||
| 1692 | pk->dsa = NULL; | 1834 | pk->dsa = NULL; |
| 1693 | pk->ecdsa = NULL; | 1835 | pk->ecdsa = NULL; |
| 1694 | pk->rsa = NULL; | 1836 | pk->rsa = NULL; |
| 1837 | pk->ed25519_pk = NULL; | ||
| 1838 | pk->ed25519_sk = NULL; | ||
| 1695 | 1839 | ||
| 1696 | switch (k->type) { | 1840 | switch (k->type) { |
| 1697 | case KEY_RSA_CERT_V00: | 1841 | case KEY_RSA_CERT_V00: |
| @@ -1735,8 +1879,17 @@ key_demote(const Key *k) | |||
| 1735 | fatal("key_demote: EC_KEY_set_public_key failed"); | 1879 | fatal("key_demote: EC_KEY_set_public_key failed"); |
| 1736 | break; | 1880 | break; |
| 1737 | #endif | 1881 | #endif |
| 1882 | case KEY_ED25519_CERT: | ||
| 1883 | key_cert_copy(k, pk); | ||
| 1884 | /* FALLTHROUGH */ | ||
| 1885 | case KEY_ED25519: | ||
| 1886 | if (k->ed25519_pk != NULL) { | ||
| 1887 | pk->ed25519_pk = xmalloc(ED25519_PK_SZ); | ||
| 1888 | memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ); | ||
| 1889 | } | ||
| 1890 | break; | ||
| 1738 | default: | 1891 | default: |
| 1739 | fatal("key_free: bad key type %d", k->type); | 1892 | fatal("key_demote: bad key type %d", k->type); |
| 1740 | break; | 1893 | break; |
| 1741 | } | 1894 | } |
| 1742 | 1895 | ||
| @@ -1748,16 +1901,7 @@ key_is_cert(const Key *k) | |||
| 1748 | { | 1901 | { |
| 1749 | if (k == NULL) | 1902 | if (k == NULL) |
| 1750 | return 0; | 1903 | return 0; |
| 1751 | switch (k->type) { | 1904 | return key_type_is_cert(k->type); |
| 1752 | case KEY_RSA_CERT_V00: | ||
| 1753 | case KEY_DSA_CERT_V00: | ||
| 1754 | case KEY_RSA_CERT: | ||
| 1755 | case KEY_DSA_CERT: | ||
| 1756 | case KEY_ECDSA_CERT: | ||
| 1757 | return 1; | ||
| 1758 | default: | ||
| 1759 | return 0; | ||
| 1760 | } | ||
| 1761 | } | 1905 | } |
| 1762 | 1906 | ||
| 1763 | /* Return the cert-less equivalent to a certified key type */ | 1907 | /* Return the cert-less equivalent to a certified key type */ |
| @@ -1773,12 +1917,14 @@ key_type_plain(int type) | |||
| 1773 | return KEY_DSA; | 1917 | return KEY_DSA; |
| 1774 | case KEY_ECDSA_CERT: | 1918 | case KEY_ECDSA_CERT: |
| 1775 | return KEY_ECDSA; | 1919 | return KEY_ECDSA; |
| 1920 | case KEY_ED25519_CERT: | ||
| 1921 | return KEY_ED25519; | ||
| 1776 | default: | 1922 | default: |
| 1777 | return type; | 1923 | return type; |
| 1778 | } | 1924 | } |
| 1779 | } | 1925 | } |
| 1780 | 1926 | ||
| 1781 | /* Convert a KEY_RSA or KEY_DSA to their _CERT equivalent */ | 1927 | /* Convert a plain key to their _CERT equivalent */ |
| 1782 | int | 1928 | int |
| 1783 | key_to_certified(Key *k, int legacy) | 1929 | key_to_certified(Key *k, int legacy) |
| 1784 | { | 1930 | { |
| @@ -1798,41 +1944,34 @@ key_to_certified(Key *k, int legacy) | |||
| 1798 | k->cert = cert_new(); | 1944 | k->cert = cert_new(); |
| 1799 | k->type = KEY_ECDSA_CERT; | 1945 | k->type = KEY_ECDSA_CERT; |
| 1800 | return 0; | 1946 | return 0; |
| 1947 | case KEY_ED25519: | ||
| 1948 | if (legacy) | ||
| 1949 | fatal("%s: legacy ED25519 certificates are not " | ||
| 1950 | "supported", __func__); | ||
| 1951 | k->cert = cert_new(); | ||
| 1952 | k->type = KEY_ED25519_CERT; | ||
| 1953 | return 0; | ||
| 1801 | default: | 1954 | default: |
| 1802 | error("%s: key has incorrect type %s", __func__, key_type(k)); | 1955 | error("%s: key has incorrect type %s", __func__, key_type(k)); |
| 1803 | return -1; | 1956 | return -1; |
| 1804 | } | 1957 | } |
| 1805 | } | 1958 | } |
| 1806 | 1959 | ||
| 1807 | /* Convert a KEY_RSA_CERT or KEY_DSA_CERT to their raw key equivalent */ | 1960 | /* Convert a certificate to its raw key equivalent */ |
| 1808 | int | 1961 | int |
| 1809 | key_drop_cert(Key *k) | 1962 | key_drop_cert(Key *k) |
| 1810 | { | 1963 | { |
| 1811 | switch (k->type) { | 1964 | if (!key_type_is_cert(k->type)) { |
| 1812 | case KEY_RSA_CERT_V00: | ||
| 1813 | case KEY_RSA_CERT: | ||
| 1814 | cert_free(k->cert); | ||
| 1815 | k->type = KEY_RSA; | ||
| 1816 | return 0; | ||
| 1817 | case KEY_DSA_CERT_V00: | ||
| 1818 | case KEY_DSA_CERT: | ||
| 1819 | cert_free(k->cert); | ||
| 1820 | k->type = KEY_DSA; | ||
| 1821 | return 0; | ||
| 1822 | case KEY_ECDSA_CERT: | ||
| 1823 | cert_free(k->cert); | ||
| 1824 | k->type = KEY_ECDSA; | ||
| 1825 | return 0; | ||
| 1826 | default: | ||
| 1827 | error("%s: key has incorrect type %s", __func__, key_type(k)); | 1965 | error("%s: key has incorrect type %s", __func__, key_type(k)); |
| 1828 | return -1; | 1966 | return -1; |
| 1829 | } | 1967 | } |
| 1968 | cert_free(k->cert); | ||
| 1969 | k->cert = NULL; | ||
| 1970 | k->type = key_type_plain(k->type); | ||
| 1971 | return 0; | ||
| 1830 | } | 1972 | } |
| 1831 | 1973 | ||
| 1832 | /* | 1974 | /* Sign a certified key, (re-)generating the signed certblob. */ |
| 1833 | * Sign a KEY_RSA_CERT, KEY_DSA_CERT or KEY_ECDSA_CERT, (re-)generating | ||
| 1834 | * the signed certblob | ||
| 1835 | */ | ||
| 1836 | int | 1975 | int |
| 1837 | key_certify(Key *k, Key *ca) | 1976 | key_certify(Key *k, Key *ca) |
| 1838 | { | 1977 | { |
| @@ -1851,8 +1990,7 @@ key_certify(Key *k, Key *ca) | |||
| 1851 | return -1; | 1990 | return -1; |
| 1852 | } | 1991 | } |
| 1853 | 1992 | ||
| 1854 | if (ca->type != KEY_RSA && ca->type != KEY_DSA && | 1993 | if (!key_type_is_valid_ca(ca->type)) { |
| 1855 | ca->type != KEY_ECDSA) { | ||
| 1856 | error("%s: CA key has unsupported type %s", __func__, | 1994 | error("%s: CA key has unsupported type %s", __func__, |
| 1857 | key_type(ca)); | 1995 | key_type(ca)); |
| 1858 | return -1; | 1996 | return -1; |
| @@ -1868,6 +2006,7 @@ key_certify(Key *k, Key *ca) | |||
| 1868 | if (!key_cert_is_legacy(k)) | 2006 | if (!key_cert_is_legacy(k)) |
| 1869 | buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); | 2007 | buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce)); |
| 1870 | 2008 | ||
| 2009 | /* XXX this substantially duplicates to_blob(); refactor */ | ||
| 1871 | switch (k->type) { | 2010 | switch (k->type) { |
| 1872 | case KEY_DSA_CERT_V00: | 2011 | case KEY_DSA_CERT_V00: |
| 1873 | case KEY_DSA_CERT: | 2012 | case KEY_DSA_CERT: |
| @@ -1890,6 +2029,10 @@ key_certify(Key *k, Key *ca) | |||
| 1890 | buffer_put_bignum2(&k->cert->certblob, k->rsa->e); | 2029 | buffer_put_bignum2(&k->cert->certblob, k->rsa->e); |
| 1891 | buffer_put_bignum2(&k->cert->certblob, k->rsa->n); | 2030 | buffer_put_bignum2(&k->cert->certblob, k->rsa->n); |
| 1892 | break; | 2031 | break; |
| 2032 | case KEY_ED25519_CERT: | ||
| 2033 | buffer_put_string(&k->cert->certblob, | ||
| 2034 | k->ed25519_pk, ED25519_PK_SZ); | ||
| 2035 | break; | ||
| 1893 | default: | 2036 | default: |
| 1894 | error("%s: key has incorrect type %s", __func__, key_type(k)); | 2037 | error("%s: key has incorrect type %s", __func__, key_type(k)); |
| 1895 | buffer_clear(&k->cert->certblob); | 2038 | buffer_clear(&k->cert->certblob); |
| @@ -2019,8 +2162,10 @@ key_curve_name_to_nid(const char *name) | |||
| 2019 | return NID_X9_62_prime256v1; | 2162 | return NID_X9_62_prime256v1; |
| 2020 | else if (strcmp(name, "nistp384") == 0) | 2163 | else if (strcmp(name, "nistp384") == 0) |
| 2021 | return NID_secp384r1; | 2164 | return NID_secp384r1; |
| 2165 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 2022 | else if (strcmp(name, "nistp521") == 0) | 2166 | else if (strcmp(name, "nistp521") == 0) |
| 2023 | return NID_secp521r1; | 2167 | return NID_secp521r1; |
| 2168 | # endif | ||
| 2024 | #endif | 2169 | #endif |
| 2025 | 2170 | ||
| 2026 | debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); | 2171 | debug("%s: unsupported EC curve name \"%.100s\"", __func__, name); |
| @@ -2036,8 +2181,10 @@ key_curve_nid_to_bits(int nid) | |||
| 2036 | return 256; | 2181 | return 256; |
| 2037 | case NID_secp384r1: | 2182 | case NID_secp384r1: |
| 2038 | return 384; | 2183 | return 384; |
| 2184 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 2039 | case NID_secp521r1: | 2185 | case NID_secp521r1: |
| 2040 | return 521; | 2186 | return 521; |
| 2187 | # endif | ||
| 2041 | #endif | 2188 | #endif |
| 2042 | default: | 2189 | default: |
| 2043 | error("%s: unsupported EC curve nid %d", __func__, nid); | 2190 | error("%s: unsupported EC curve nid %d", __func__, nid); |
| @@ -2053,16 +2200,18 @@ key_curve_nid_to_name(int nid) | |||
| 2053 | return "nistp256"; | 2200 | return "nistp256"; |
| 2054 | else if (nid == NID_secp384r1) | 2201 | else if (nid == NID_secp384r1) |
| 2055 | return "nistp384"; | 2202 | return "nistp384"; |
| 2203 | # ifdef OPENSSL_HAS_NISTP521 | ||
| 2056 | else if (nid == NID_secp521r1) | 2204 | else if (nid == NID_secp521r1) |
| 2057 | return "nistp521"; | 2205 | return "nistp521"; |
| 2206 | # endif | ||
| 2058 | #endif | 2207 | #endif |
| 2059 | error("%s: unsupported EC curve nid %d", __func__, nid); | 2208 | error("%s: unsupported EC curve nid %d", __func__, nid); |
| 2060 | return NULL; | 2209 | return NULL; |
| 2061 | } | 2210 | } |
| 2062 | 2211 | ||
| 2063 | #ifdef OPENSSL_HAS_ECC | 2212 | #ifdef OPENSSL_HAS_ECC |
| 2064 | const EVP_MD * | 2213 | int |
| 2065 | key_ec_nid_to_evpmd(int nid) | 2214 | key_ec_nid_to_hash_alg(int nid) |
| 2066 | { | 2215 | { |
| 2067 | int kbits = key_curve_nid_to_bits(nid); | 2216 | int kbits = key_curve_nid_to_bits(nid); |
| 2068 | 2217 | ||
| @@ -2070,11 +2219,11 @@ key_ec_nid_to_evpmd(int nid) | |||
| 2070 | fatal("%s: invalid nid %d", __func__, nid); | 2219 | fatal("%s: invalid nid %d", __func__, nid); |
| 2071 | /* RFC5656 section 6.2.1 */ | 2220 | /* RFC5656 section 6.2.1 */ |
| 2072 | if (kbits <= 256) | 2221 | if (kbits <= 256) |
| 2073 | return EVP_sha256(); | 2222 | return SSH_DIGEST_SHA256; |
| 2074 | else if (kbits <= 384) | 2223 | else if (kbits <= 384) |
| 2075 | return EVP_sha384(); | 2224 | return SSH_DIGEST_SHA384; |
| 2076 | else | 2225 | else |
| 2077 | return EVP_sha512(); | 2226 | return SSH_DIGEST_SHA512; |
| 2078 | } | 2227 | } |
| 2079 | 2228 | ||
| 2080 | int | 2229 | int |
| @@ -2246,3 +2395,232 @@ key_dump_ec_key(const EC_KEY *key) | |||
| 2246 | } | 2395 | } |
| 2247 | #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ | 2396 | #endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */ |
| 2248 | #endif /* OPENSSL_HAS_ECC */ | 2397 | #endif /* OPENSSL_HAS_ECC */ |
| 2398 | |||
| 2399 | void | ||
| 2400 | key_private_serialize(const Key *key, Buffer *b) | ||
| 2401 | { | ||
| 2402 | buffer_put_cstring(b, key_ssh_name(key)); | ||
| 2403 | switch (key->type) { | ||
| 2404 | case KEY_RSA: | ||
| 2405 | buffer_put_bignum2(b, key->rsa->n); | ||
| 2406 | buffer_put_bignum2(b, key->rsa->e); | ||
| 2407 | buffer_put_bignum2(b, key->rsa->d); | ||
| 2408 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 2409 | buffer_put_bignum2(b, key->rsa->p); | ||
| 2410 | buffer_put_bignum2(b, key->rsa->q); | ||
| 2411 | break; | ||
| 2412 | case KEY_RSA_CERT_V00: | ||
| 2413 | case KEY_RSA_CERT: | ||
| 2414 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2415 | fatal("%s: no cert/certblob", __func__); | ||
| 2416 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2417 | buffer_len(&key->cert->certblob)); | ||
| 2418 | buffer_put_bignum2(b, key->rsa->d); | ||
| 2419 | buffer_put_bignum2(b, key->rsa->iqmp); | ||
| 2420 | buffer_put_bignum2(b, key->rsa->p); | ||
| 2421 | buffer_put_bignum2(b, key->rsa->q); | ||
| 2422 | break; | ||
| 2423 | case KEY_DSA: | ||
| 2424 | buffer_put_bignum2(b, key->dsa->p); | ||
| 2425 | buffer_put_bignum2(b, key->dsa->q); | ||
| 2426 | buffer_put_bignum2(b, key->dsa->g); | ||
| 2427 | buffer_put_bignum2(b, key->dsa->pub_key); | ||
| 2428 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 2429 | break; | ||
| 2430 | case KEY_DSA_CERT_V00: | ||
| 2431 | case KEY_DSA_CERT: | ||
| 2432 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2433 | fatal("%s: no cert/certblob", __func__); | ||
| 2434 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2435 | buffer_len(&key->cert->certblob)); | ||
| 2436 | buffer_put_bignum2(b, key->dsa->priv_key); | ||
| 2437 | break; | ||
| 2438 | #ifdef OPENSSL_HAS_ECC | ||
| 2439 | case KEY_ECDSA: | ||
| 2440 | buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid)); | ||
| 2441 | buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa), | ||
| 2442 | EC_KEY_get0_public_key(key->ecdsa)); | ||
| 2443 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 2444 | break; | ||
| 2445 | case KEY_ECDSA_CERT: | ||
| 2446 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2447 | fatal("%s: no cert/certblob", __func__); | ||
| 2448 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2449 | buffer_len(&key->cert->certblob)); | ||
| 2450 | buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa)); | ||
| 2451 | break; | ||
| 2452 | #endif /* OPENSSL_HAS_ECC */ | ||
| 2453 | case KEY_ED25519: | ||
| 2454 | buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); | ||
| 2455 | buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); | ||
| 2456 | break; | ||
| 2457 | case KEY_ED25519_CERT: | ||
| 2458 | if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0) | ||
| 2459 | fatal("%s: no cert/certblob", __func__); | ||
| 2460 | buffer_put_string(b, buffer_ptr(&key->cert->certblob), | ||
| 2461 | buffer_len(&key->cert->certblob)); | ||
| 2462 | buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ); | ||
| 2463 | buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ); | ||
| 2464 | break; | ||
| 2465 | } | ||
| 2466 | } | ||
| 2467 | |||
| 2468 | Key * | ||
| 2469 | key_private_deserialize(Buffer *blob) | ||
| 2470 | { | ||
| 2471 | char *type_name; | ||
| 2472 | Key *k = NULL; | ||
| 2473 | u_char *cert; | ||
| 2474 | u_int len, pklen, sklen; | ||
| 2475 | int type; | ||
| 2476 | #ifdef OPENSSL_HAS_ECC | ||
| 2477 | char *curve; | ||
| 2478 | BIGNUM *exponent; | ||
| 2479 | EC_POINT *q; | ||
| 2480 | #endif | ||
| 2481 | |||
| 2482 | type_name = buffer_get_string(blob, NULL); | ||
| 2483 | type = key_type_from_name(type_name); | ||
| 2484 | switch (type) { | ||
| 2485 | case KEY_DSA: | ||
| 2486 | k = key_new_private(type); | ||
| 2487 | buffer_get_bignum2(blob, k->dsa->p); | ||
| 2488 | buffer_get_bignum2(blob, k->dsa->q); | ||
| 2489 | buffer_get_bignum2(blob, k->dsa->g); | ||
| 2490 | buffer_get_bignum2(blob, k->dsa->pub_key); | ||
| 2491 | buffer_get_bignum2(blob, k->dsa->priv_key); | ||
| 2492 | break; | ||
| 2493 | case KEY_DSA_CERT_V00: | ||
| 2494 | case KEY_DSA_CERT: | ||
| 2495 | cert = buffer_get_string(blob, &len); | ||
| 2496 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2497 | fatal("Certificate parse failed"); | ||
| 2498 | free(cert); | ||
| 2499 | key_add_private(k); | ||
| 2500 | buffer_get_bignum2(blob, k->dsa->priv_key); | ||
| 2501 | break; | ||
| 2502 | #ifdef OPENSSL_HAS_ECC | ||
| 2503 | case KEY_ECDSA: | ||
| 2504 | k = key_new_private(type); | ||
| 2505 | k->ecdsa_nid = key_ecdsa_nid_from_name(type_name); | ||
| 2506 | curve = buffer_get_string(blob, NULL); | ||
| 2507 | if (k->ecdsa_nid != key_curve_name_to_nid(curve)) | ||
| 2508 | fatal("%s: curve names mismatch", __func__); | ||
| 2509 | free(curve); | ||
| 2510 | k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid); | ||
| 2511 | if (k->ecdsa == NULL) | ||
| 2512 | fatal("%s: EC_KEY_new_by_curve_name failed", | ||
| 2513 | __func__); | ||
| 2514 | q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa)); | ||
| 2515 | if (q == NULL) | ||
| 2516 | fatal("%s: BN_new failed", __func__); | ||
| 2517 | if ((exponent = BN_new()) == NULL) | ||
| 2518 | fatal("%s: BN_new failed", __func__); | ||
| 2519 | buffer_get_ecpoint(blob, | ||
| 2520 | EC_KEY_get0_group(k->ecdsa), q); | ||
| 2521 | buffer_get_bignum2(blob, exponent); | ||
| 2522 | if (EC_KEY_set_public_key(k->ecdsa, q) != 1) | ||
| 2523 | fatal("%s: EC_KEY_set_public_key failed", | ||
| 2524 | __func__); | ||
| 2525 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 2526 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 2527 | __func__); | ||
| 2528 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 2529 | EC_KEY_get0_public_key(k->ecdsa)) != 0) | ||
| 2530 | fatal("%s: bad ECDSA public key", __func__); | ||
| 2531 | if (key_ec_validate_private(k->ecdsa) != 0) | ||
| 2532 | fatal("%s: bad ECDSA private key", __func__); | ||
| 2533 | BN_clear_free(exponent); | ||
| 2534 | EC_POINT_free(q); | ||
| 2535 | break; | ||
| 2536 | case KEY_ECDSA_CERT: | ||
| 2537 | cert = buffer_get_string(blob, &len); | ||
| 2538 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2539 | fatal("Certificate parse failed"); | ||
| 2540 | free(cert); | ||
| 2541 | key_add_private(k); | ||
| 2542 | if ((exponent = BN_new()) == NULL) | ||
| 2543 | fatal("%s: BN_new failed", __func__); | ||
| 2544 | buffer_get_bignum2(blob, exponent); | ||
| 2545 | if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) | ||
| 2546 | fatal("%s: EC_KEY_set_private_key failed", | ||
| 2547 | __func__); | ||
| 2548 | if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa), | ||
| 2549 | EC_KEY_get0_public_key(k->ecdsa)) != 0 || | ||
| 2550 | key_ec_validate_private(k->ecdsa) != 0) | ||
| 2551 | fatal("%s: bad ECDSA key", __func__); | ||
| 2552 | BN_clear_free(exponent); | ||
| 2553 | break; | ||
| 2554 | #endif | ||
| 2555 | case KEY_RSA: | ||
| 2556 | k = key_new_private(type); | ||
| 2557 | buffer_get_bignum2(blob, k->rsa->n); | ||
| 2558 | buffer_get_bignum2(blob, k->rsa->e); | ||
| 2559 | buffer_get_bignum2(blob, k->rsa->d); | ||
| 2560 | buffer_get_bignum2(blob, k->rsa->iqmp); | ||
| 2561 | buffer_get_bignum2(blob, k->rsa->p); | ||
| 2562 | buffer_get_bignum2(blob, k->rsa->q); | ||
| 2563 | |||
| 2564 | /* Generate additional parameters */ | ||
| 2565 | rsa_generate_additional_parameters(k->rsa); | ||
| 2566 | break; | ||
| 2567 | case KEY_RSA_CERT_V00: | ||
| 2568 | case KEY_RSA_CERT: | ||
| 2569 | cert = buffer_get_string(blob, &len); | ||
| 2570 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2571 | fatal("Certificate parse failed"); | ||
| 2572 | free(cert); | ||
| 2573 | key_add_private(k); | ||
| 2574 | buffer_get_bignum2(blob, k->rsa->d); | ||
| 2575 | buffer_get_bignum2(blob, k->rsa->iqmp); | ||
| 2576 | buffer_get_bignum2(blob, k->rsa->p); | ||
| 2577 | buffer_get_bignum2(blob, k->rsa->q); | ||
| 2578 | break; | ||
| 2579 | case KEY_ED25519: | ||
| 2580 | k = key_new_private(type); | ||
| 2581 | k->ed25519_pk = buffer_get_string(blob, &pklen); | ||
| 2582 | k->ed25519_sk = buffer_get_string(blob, &sklen); | ||
| 2583 | if (pklen != ED25519_PK_SZ) | ||
| 2584 | fatal("%s: ed25519 pklen %d != %d", | ||
| 2585 | __func__, pklen, ED25519_PK_SZ); | ||
| 2586 | if (sklen != ED25519_SK_SZ) | ||
| 2587 | fatal("%s: ed25519 sklen %d != %d", | ||
| 2588 | __func__, sklen, ED25519_SK_SZ); | ||
| 2589 | break; | ||
| 2590 | case KEY_ED25519_CERT: | ||
| 2591 | cert = buffer_get_string(blob, &len); | ||
| 2592 | if ((k = key_from_blob(cert, len)) == NULL) | ||
| 2593 | fatal("Certificate parse failed"); | ||
| 2594 | free(cert); | ||
| 2595 | key_add_private(k); | ||
| 2596 | k->ed25519_pk = buffer_get_string(blob, &pklen); | ||
| 2597 | k->ed25519_sk = buffer_get_string(blob, &sklen); | ||
| 2598 | if (pklen != ED25519_PK_SZ) | ||
| 2599 | fatal("%s: ed25519 pklen %d != %d", | ||
| 2600 | __func__, pklen, ED25519_PK_SZ); | ||
| 2601 | if (sklen != ED25519_SK_SZ) | ||
| 2602 | fatal("%s: ed25519 sklen %d != %d", | ||
| 2603 | __func__, sklen, ED25519_SK_SZ); | ||
| 2604 | break; | ||
| 2605 | default: | ||
| 2606 | free(type_name); | ||
| 2607 | buffer_clear(blob); | ||
| 2608 | return NULL; | ||
| 2609 | } | ||
| 2610 | free(type_name); | ||
| 2611 | |||
| 2612 | /* enable blinding */ | ||
| 2613 | switch (k->type) { | ||
| 2614 | case KEY_RSA: | ||
| 2615 | case KEY_RSA_CERT_V00: | ||
| 2616 | case KEY_RSA_CERT: | ||
| 2617 | case KEY_RSA1: | ||
| 2618 | if (RSA_blinding_on(k->rsa, NULL) != 1) { | ||
| 2619 | error("%s: RSA_blinding_on failed", __func__); | ||
| 2620 | key_free(k); | ||
| 2621 | return NULL; | ||
| 2622 | } | ||
| 2623 | break; | ||
| 2624 | } | ||
| 2625 | return k; | ||
| 2626 | } | ||