static void CheckPublicKey(X509 *x509, struct tm tm_after)
{
EVP_PKEY *pkey = X509_get_pubkey(x509);
if (pkey == NULL)
{
SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
}
else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
{
RSA *rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
{
SetError(ERR_INVALID);
RSA_free(rsa);
return;
}
const BIGNUM *n, *e;
RSA_get0_key(rsa, &n, &e, NULL);
if (n == NULL || e == NULL)
{
SetError(ERR_INVALID);
RSA_free(rsa);
return;
}
if (!GetBit(errors, ERR_INVALID_TIME_FORMAT))
{
if (tm_after.tm_year >= 114 && BN_num_bits(n) < 2048)
{
SetError(ERR_RSA_SIZE_2048);
}
}
if (BN_is_odd(e) == 0)
{
SetError(ERR_RSA_EXP_NOT_ODD);
}
BIGNUM *i = BN_new();
BN_set_word(i, 3);
if (BN_cmp(e, i) < 0)
{
SetError(ERR_RSA_EXP_3);
}
else
{
BN_set_word(i, 0x10001);
if (BN_cmp(e, i) < 0)
{
SetWarning(WARN_RSA_EXP_RANGE);
}
BN_hex2bn(&i, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
if (BN_cmp(e, i) > 0)
{
SetWarning(WARN_RSA_EXP_RANGE);
}
}
BN_CTX *ctx = BN_CTX_new();
if (BN_gcd(i, n, bn_factors, ctx) == 0 || !BN_is_one(i))
{
SetError(ERR_RSA_SMALL_FACTOR);
}
BN_free(i);
BN_CTX_free(ctx);
RSA_free(rsa);
}
else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC)
{
EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);
const EC_GROUP *group = EC_KEY_get0_group(ec_key);
const EC_POINT *point = EC_KEY_get0_public_key(ec_key);
BN_CTX *ctx = BN_CTX_new();
BIGNUM *order = BN_new();
EC_GROUP_get_order(group, order, ctx);
if (EC_POINT_is_at_infinity(group, point))
{
SetError(ERR_EC_AT_INFINITY);
}
if (EC_POINT_is_on_curve(group, point, ctx) != 1)
{
SetError(ERR_EC_POINT_NOT_ON_CURVE);
}
EC_POINT *result = EC_POINT_new(group);
if (BN_is_zero(order))
{
SetError(ERR_EC_INVALID_GROUP_ORDER);
}
EC_POINT_mul(group, result, NULL, point, order, ctx);
if (!EC_POINT_is_at_infinity(group, result))
{
SetError(ERR_EC_INCORRECT_ORDER);
}
int nid = EC_GROUP_get_curve_name(group);
if (nid != NID_X9_62_prime256v1 && nid != NID_secp384r1 && nid != NID_secp521r1)
{
SetError(ERR_EC_NON_ALLOWED_CURVE);
}
EC_POINT_free(result);
BN_free(order);
BN_CTX_free(ctx);
EC_KEY_free(ec_key);
}
else
{
SetError(ERR_UNKNOWN_PUBLIC_KEY_TYPE);
}
if (pkey != NULL)
{
EVP_PKEY_free(pkey);
}
}
int
ncrackssh_input_kex_ecdh_reply(ncrack_ssh_state *nstate)
{
//struct ssh *ssh = ctxt;
struct kex *kex = nstate->kex;
const EC_GROUP *group;
EC_POINT *server_public = NULL;
EC_KEY *client_key;
BIGNUM *shared_secret = NULL;
struct sshkey *server_host_key = NULL;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
//printf("KEX ECDH REPLY\n");
if (kex->verify_host_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
group = kex->ec_group;
client_key = kex->ec_client_key;
/* hostkey */
if ((r = sshpkt_get_string(nstate, &server_host_key_blob,
&sbloblen)) != 0 ||
(r = sshkey_from_blob(server_host_key_blob, sbloblen,
&server_host_key)) != 0)
goto out;
if (server_host_key->type != kex->hostkey_type ||
(kex->hostkey_type == KEY_ECDSA &&
server_host_key->ecdsa_nid != kex->hostkey_nid)) {
r = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (kex->verify_host_key(server_host_key, nstate) == -1) {
r = SSH_ERR_SIGNATURE_INVALID;
goto out;
}
//printf("before EC_POINT NEW\n");
/* Q_S, server public key */
/* signed H */
if ((server_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(nstate, server_public, group)) != 0 ||
(r = sshpkt_get_string(nstate, &signature, &slen)) != 0 ||
(r = sshpkt_get_end(nstate)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
sshkey_dump_ec_point(group, server_public);
#endif
if (sshkey_ec_validate_public(group, server_public) != 0) {
sshpkt_disconnect(nstate, "invalid server public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, server_public, client_key, NULL) != (int)klen) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc and verify H */
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
hash, &hashlen)) != 0)
goto out;
if ((r = sshkey_verify(server_host_key, signature, slen, hash,
hashlen, nstate->compat)) != 0)
goto out;
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
if ((r = kex_derive_keys_bn(nstate, hash, hashlen, shared_secret)) == 0) {
r = kex_send_newkeys(nstate);
}
out:
explicit_bzero(hash, sizeof(hash));
if (kex->ec_client_key) {
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
}
if (server_public)
EC_POINT_clear_free(server_public);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
if (shared_secret)
BN_clear_free(shared_secret);
sshkey_free(server_host_key);
free(server_host_key_blob);
free(signature);
return r;
}
int
sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v)
{
return sshbuf_put_ec(buf, EC_KEY_get0_public_key(v),
EC_KEY_get0_group(v));
}
static krb5_error_code
generate_dh_keyblock(krb5_context context,
pk_client_params *client_params,
krb5_enctype enctype)
{
unsigned char *dh_gen_key = NULL;
krb5_keyblock key;
krb5_error_code ret;
size_t dh_gen_keylen, size;
memset(&key, 0, sizeof(key));
if (client_params->keyex == USE_DH) {
if (client_params->u.dh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
if (!DH_generate_key(client_params->u.dh.key)) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't generate Diffie-Hellman keys");
goto out;
}
size = DH_size(client_params->u.dh.key);
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
if (dh_gen_keylen == (size_t)-1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
goto out;
}
if (dh_gen_keylen < size) {
size -= dh_gen_keylen;
memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
memset(dh_gen_key, 0, size);
}
ret = 0;
#ifdef HAVE_OPENSSL
} else if (client_params->keyex == USE_ECDH) {
if (client_params->u.ecdh.public_key == NULL) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret, "public_key");
goto out;
}
client_params->u.ecdh.key = EC_KEY_new();
if (client_params->u.ecdh.key == NULL) {
ret = ENOMEM;
goto out;
}
EC_KEY_set_group(client_params->u.ecdh.key,
EC_KEY_get0_group(client_params->u.ecdh.public_key));
if (EC_KEY_generate_key(client_params->u.ecdh.key) != 1) {
ret = ENOMEM;
goto out;
}
size = (EC_GROUP_get_degree(EC_KEY_get0_group(client_params->u.ecdh.key)) + 7) / 8;
dh_gen_key = malloc(size);
if (dh_gen_key == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
client_params->u.ecdh.key, NULL);
#endif /* HAVE_OPENSSL */
} else {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Diffie-Hellman not selected keys");
goto out;
}
ret = _krb5_pk_octetstring2key(context,
enctype,
dh_gen_key, dh_gen_keylen,
NULL, NULL,
&client_params->reply_key);
out:
if (dh_gen_key)
free(dh_gen_key);
if (key.keyvalue.data)
krb5_free_keyblock_contents(context, &key);
return ret;
}
int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
/* ECDH keys */
ssh_string q_c_string;
ssh_string q_s_string;
EC_KEY *ecdh_key;
const EC_GROUP *group;
const EC_POINT *ecdh_pubkey;
bignum_CTX ctx;
/* SSH host keys (rsa,dsa,ecdsa) */
ssh_key privkey;
ssh_string sig_blob = NULL;
int len;
int rc;
/* Extract the client pubkey from the init packet */
q_c_string = ssh_buffer_get_ssh_string(packet);
if (q_c_string == NULL) {
ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
return SSH_ERROR;
}
session->next_crypto->ecdh_client_pubkey = q_c_string;
/* Build server's keypair */
ctx = BN_CTX_new();
ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
if (ecdh_key == NULL) {
ssh_set_error_oom(session);
BN_CTX_free(ctx);
return SSH_ERROR;
}
group = EC_KEY_get0_group(ecdh_key);
EC_KEY_generate_key(ecdh_key);
ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
len = EC_POINT_point2oct(group,
ecdh_pubkey,
POINT_CONVERSION_UNCOMPRESSED,
NULL,
0,
ctx);
q_s_string = ssh_string_new(len);
if (q_s_string == NULL) {
EC_KEY_free(ecdh_key);
BN_CTX_free(ctx);
return SSH_ERROR;
}
EC_POINT_point2oct(group,
ecdh_pubkey,
POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(q_s_string),
len,
ctx);
BN_CTX_free(ctx);
session->next_crypto->ecdh_privkey = ecdh_key;
session->next_crypto->ecdh_server_pubkey = q_s_string;
/* build k and session_id */
rc = ecdh_build_k(session);
if (rc < 0) {
ssh_set_error(session, SSH_FATAL, "Cannot build k number");
return SSH_ERROR;
}
/* privkey is not allocated */
rc = ssh_get_key_params(session, &privkey);
if (rc == SSH_ERROR) {
return SSH_ERROR;
}
rc = ssh_make_sessionid(session);
if (rc != SSH_OK) {
ssh_set_error(session, SSH_FATAL, "Could not create a session id");
return SSH_ERROR;
}
sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
if (sig_blob == NULL) {
ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
return SSH_ERROR;
}
rc = ssh_buffer_pack(session->out_buffer,
"bSSS",
SSH2_MSG_KEXDH_REPLY,
session->next_crypto->server_pubkey, /* host's pubkey */
q_s_string, /* ecdh public key */
sig_blob); /* signature blob */
ssh_string_free(sig_blob);
if (rc != SSH_OK) {
ssh_set_error_oom(session);
return SSH_ERROR;
}
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
rc = ssh_packet_send(session);
if (rc == SSH_ERROR) {
return SSH_ERROR;
}
/* Send the MSG_NEWKEYS */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS);
if (rc < 0) {
return SSH_ERROR;;
}
session->dh_handshake_state = DH_STATE_NEWKEYS_SENT;
rc = ssh_packet_send(session);
SSH_LOG(SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
return rc;
}
static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype)
{
unsigned char *buffer = NULL;
const char *ecstr;
size_t buf_len = 0, i;
int ret = 0, reason = ERR_R_BIO_LIB;
BIGNUM *pub_key = NULL, *order = NULL;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
const BIGNUM *priv_key;
if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) {
reason = ERR_R_PASSED_NULL_PARAMETER;
goto err;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
if (ktype > 0) {
public_key = EC_KEY_get0_public_key(x);
if (public_key != NULL) {
if ((pub_key = EC_POINT_point2bn(group, public_key,
EC_KEY_get_conv_form(x), NULL,
ctx)) == NULL) {
reason = ERR_R_EC_LIB;
goto err;
}
buf_len = (size_t)BN_num_bytes(pub_key);
}
}
if (ktype == 2) {
priv_key = EC_KEY_get0_private_key(x);
if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len)
buf_len = i;
} else
priv_key = NULL;
if (ktype > 0) {
buf_len += 10;
if ((buffer = OPENSSL_malloc(buf_len)) == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
}
if (ktype == 2)
ecstr = "Private-Key";
else if (ktype == 1)
ecstr = "Public-Key";
else
ecstr = "ECDSA-Parameters";
if (!BIO_indent(bp, off, 128))
goto err;
if ((order = BN_new()) == NULL)
goto err;
if (!EC_GROUP_get_order(group, order, NULL))
goto err;
if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0)
goto err;
if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key,
buffer, off))
goto err;
if ((pub_key != NULL) && !ASN1_bn_print(bp, "pub: ", pub_key,
buffer, off))
goto err;
if (!ECPKParameters_print(bp, group, off))
goto err;
ret = 1;
err:
if (!ret)
ECerr(EC_F_DO_EC_KEY_PRINT, reason);
BN_free(pub_key);
BN_free(order);
BN_CTX_free(ctx);
OPENSSL_free(buffer);
return (ret);
}
static bool _EC_public_fields(
const cjose_jwk_t *jwk, json_t *json, cjose_err *err)
{
ec_keydata *keydata = (ec_keydata *)jwk->keydata;
const EC_GROUP *params = NULL;
const EC_POINT *pub = NULL;
BIGNUM *bnX = NULL,
*bnY = NULL;
uint8_t *buffer = NULL;
char *b64u = NULL;
size_t len = 0,
offset = 0;
json_t *field = NULL;
bool result = false;
// track expected binary data size
uint8_t numsize = _ec_size_for_curve(keydata->crv, err);
// output the curve
field = json_string(_ec_name_for_curve(keydata->crv, err));
if (!field)
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _ec_to_string_cleanup;
}
json_object_set(json, "crv", field);
json_decref(field);
field = NULL;
// obtain the public key
pub = EC_KEY_get0_public_key(keydata->key);
params = EC_KEY_get0_group(keydata->key);
if (!pub || !params)
{
CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
goto _ec_to_string_cleanup;
}
buffer = cjose_get_alloc()(numsize);
bnX = BN_new();
bnY = BN_new();
if (!buffer || !bnX || !bnY)
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _ec_to_string_cleanup;
}
if (1 != EC_POINT_get_affine_coordinates_GFp(params, pub, bnX, bnY, NULL))
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _ec_to_string_cleanup;
}
// output the x coordinate
offset = numsize - BN_num_bytes(bnX);
memset(buffer, 0, numsize);
BN_bn2bin(bnX, (buffer + offset));
if (!cjose_base64url_encode(buffer, numsize, &b64u, &len, err))
{
goto _ec_to_string_cleanup;
}
field = json_stringn(b64u, len);
if (!field)
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _ec_to_string_cleanup;
}
json_object_set(json, "x", field);
json_decref(field);
field = NULL;
cjose_get_dealloc()(b64u);
b64u = NULL;
// output the y coordinate
offset = numsize - BN_num_bytes(bnY);
memset(buffer, 0, numsize);
BN_bn2bin(bnY, (buffer + offset));
if (!cjose_base64url_encode(buffer, numsize, &b64u, &len, err))
{
goto _ec_to_string_cleanup;
}
field = json_stringn(b64u, len);
if (!field)
{
CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
goto _ec_to_string_cleanup;
}
json_object_set(json, "y", field);
json_decref(field);
field = NULL;
cjose_get_dealloc()(b64u);
b64u = NULL;
result = true;
_ec_to_string_cleanup:
if (field)
{
json_decref(field);
}
if (bnX)
{
BN_free(bnX);
}
if (bnY)
{
BN_free(bnY);
}
if (buffer)
{
cjose_get_dealloc()(buffer);
}
if (b64u)
{
cjose_get_dealloc()(b64u);
}
return result;
}
std::vector<unsigned char> decrypt_bip38_ec(const std::vector<unsigned char> key, const std::string& passwd)
{
int i;
uint8_t passfactor[PASSFACTOR_SIZE];
memset(passfactor,0,PASSFACTOR_SIZE);
const unsigned char * s_key = reinterpret_cast<const unsigned char*>(key.data());
crypto_scrypt((const uint8_t *)passwd.c_str(), passwd.length(),
&s_key[3 + ADDRESSHASH_SIZE], OWNERSALT_SIZE,
16384, 8, 8, passfactor, PASSFACTOR_SIZE );
// compute EC point (passpoint) using passfactor
struct bp_key ec_point;
if(!bp_key_init(&ec_point)) {
fprintf(stderr,"%s","cannot init EC point key");
exit(3);
}
if(!bp_key_secret_set(&ec_point,passfactor,PASSFACTOR_SIZE)) {
fprintf(stderr,"%s","cannot set EC point from passfactor");
exit(3);
}
// get the passpoint as bytes
unsigned char * passpoint;
size_t passpoint_len;
if(!bp_pubkey_get(&ec_point,(unsigned char **)&passpoint,&passpoint_len)) {
fprintf(stderr,"%s","cannot get pubkey for EC point");
exit(4);
}
// now we need to decrypt seedb
uint8_t encryptedpart2[16];
memset(encryptedpart2,0,16);
memcpy(encryptedpart2, &s_key[3 + ADDRESSHASH_SIZE + OWNERSALT_SIZE + 8], 16);
uint8_t encryptedpart1[16];
memset(encryptedpart1,0,16);
memcpy(encryptedpart1, &s_key[3 + ADDRESSHASH_SIZE + OWNERSALT_SIZE], 8);
unsigned char derived[DERIVED_SIZE];
// get the encryption key for seedb using scrypt
// with passpoint as the key, salt is addresshash+ownersalt
unsigned char derived_scrypt_salt[ADDRESSHASH_SIZE + OWNERSALT_SIZE];
memcpy(derived_scrypt_salt, &s_key[3], ADDRESSHASH_SIZE); // copy the addresshash
memcpy(derived_scrypt_salt+ADDRESSHASH_SIZE, &s_key[3+ADDRESSHASH_SIZE], OWNERSALT_SIZE); // copy the ownersalt
crypto_scrypt( passpoint, passpoint_len,
derived_scrypt_salt, ADDRESSHASH_SIZE+OWNERSALT_SIZE,
1024, 1, 1, derived, DERIVED_SIZE );
//get decryption key
unsigned char derivedhalf2[DERIVED_SIZE/2];
memcpy(derivedhalf2, derived+(DERIVED_SIZE/2), DERIVED_SIZE/2);
unsigned char iv[32];
memset(iv,0,32);
EVP_CIPHER_CTX d;
EVP_CIPHER_CTX_init(&d);
EVP_DecryptInit_ex(&d, EVP_aes_256_ecb(), NULL, derivedhalf2, iv);
unsigned char unencryptedpart2[32];
int decrypt_len;
EVP_DecryptUpdate(&d, unencryptedpart2, &decrypt_len, encryptedpart2, 16);
EVP_DecryptUpdate(&d, unencryptedpart2, &decrypt_len, encryptedpart2, 16);
for(i=0; i<16; i++) {
unencryptedpart2[i] ^= derived[i + 16];
}
unsigned char unencryptedpart1[32];
memcpy(encryptedpart1+8, unencryptedpart2, 8);
EVP_DecryptUpdate(&d, unencryptedpart1, &decrypt_len, encryptedpart1, 16);
EVP_DecryptUpdate(&d, unencryptedpart1, &decrypt_len, encryptedpart1, 16);
for(i=0; i<16; i++) {
unencryptedpart1[i] ^= derived[i];
}
// recoved seedb
unsigned char seedb[24];
memcpy(seedb, unencryptedpart1, 16);
memcpy(&(seedb[16]), &(unencryptedpart2[8]), 8);
// turn seedb into factorb (factorb = SHA256(SHA256(seedb)))
unsigned char factorb[32];
bu_Hash(factorb, seedb, 24);
// multiply by passfactor (ec_point_pub)
const EC_GROUP * ec_group = EC_KEY_get0_group(ec_point.k);
const EC_POINT * ec_point_pub = EC_KEY_get0_public_key(ec_point.k);
BIGNUM * bn_passfactor = BN_bin2bn(passfactor,32,BN_new());
BIGNUM * bn_factorb = BN_bin2bn(factorb,32,BN_new());
BIGNUM * bn_res = BN_new();
BIGNUM * bn_final = BN_new();
BIGNUM * bn_n = BN_new();
BN_CTX * ctx = BN_CTX_new();
EC_GROUP_get_order(ec_group, bn_n, ctx);
BN_mul(bn_res, bn_passfactor, bn_factorb, ctx);
BN_mod(bn_final, bn_res, bn_n, ctx);
unsigned char finalKey[32];
memset(finalKey, 0, 32);
int n = BN_bn2bin(bn_final, finalKey);
BN_clear_free(bn_passfactor);
BN_clear_free(bn_factorb);
BN_clear_free(bn_res);
BN_clear_free(bn_n);
BN_clear_free(bn_final);
printf("\n");
print_hex((char *)finalKey, 32);
printf("\n");
std::vector<unsigned char> out;
out.assign(finalKey, finalKey + 32);
return out;
}
static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {
uint8_t *buffer = NULL;
const char *ecstr;
size_t buf_len = 0, i;
int ret = 0, reason = ERR_R_BIO_LIB;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
const BIGNUM *priv_key;
uint8_t *pub_key_bytes = NULL;
size_t pub_key_bytes_len = 0;
if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) {
reason = ERR_R_PASSED_NULL_PARAMETER;
goto err;
}
ctx = BN_CTX_new();
if (ctx == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
if (ktype > 0) {
public_key = EC_KEY_get0_public_key(x);
if (public_key != NULL) {
pub_key_bytes_len = EC_POINT_point2oct(
group, public_key, EC_KEY_get_conv_form(x), NULL, 0, ctx);
if (pub_key_bytes_len == 0) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
pub_key_bytes = OPENSSL_malloc(pub_key_bytes_len);
if (pub_key_bytes == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
pub_key_bytes_len =
EC_POINT_point2oct(group, public_key, EC_KEY_get_conv_form(x),
pub_key_bytes, pub_key_bytes_len, ctx);
if (pub_key_bytes_len == 0) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
buf_len = pub_key_bytes_len;
}
}
if (ktype == 2) {
priv_key = EC_KEY_get0_private_key(x);
if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len) {
buf_len = i;
}
} else {
priv_key = NULL;
}
if (ktype > 0) {
buf_len += 10;
if ((buffer = OPENSSL_malloc(buf_len)) == NULL) {
reason = ERR_R_MALLOC_FAILURE;
goto err;
}
}
if (ktype == 2) {
ecstr = "Private-Key";
} else if (ktype == 1) {
ecstr = "Public-Key";
} else {
ecstr = "ECDSA-Parameters";
}
if (!BIO_indent(bp, off, 128)) {
goto err;
}
const BIGNUM *order = EC_GROUP_get0_order(group);
if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0) {
goto err;
}
if ((priv_key != NULL) &&
!ASN1_bn_print(bp, "priv:", priv_key, buffer, off)) {
goto err;
}
if (pub_key_bytes != NULL) {
BIO_hexdump(bp, pub_key_bytes, pub_key_bytes_len, off);
}
/* TODO(fork): implement */
/*
if (!ECPKParameters_print(bp, group, off))
goto err; */
ret = 1;
err:
if (!ret) {
OPENSSL_PUT_ERROR(EVP, reason);
}
OPENSSL_free(pub_key_bytes);
BN_CTX_free(ctx);
OPENSSL_free(buffer);
return ret;
}
/*
* Verifies gost 2001 signature
*
*/
int gost2001_do_verify(const unsigned char *dgst,int dgst_len,
DSA_SIG *sig, EC_KEY *ec)
{
BN_CTX *ctx=BN_CTX_new();
const EC_GROUP *group = EC_KEY_get0_group(ec);
BIGNUM *order;
BIGNUM *md = NULL,*e=NULL,*R=NULL,*v=NULL,*z1=NULL,*z2=NULL;
BIGNUM *X=NULL,*tmp=NULL;
EC_POINT *C = NULL;
const EC_POINT *pub_key=NULL;
int ok=0;
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
e = BN_CTX_get(ctx);
z1 = BN_CTX_get(ctx);
z2 = BN_CTX_get(ctx);
tmp = BN_CTX_get(ctx);
X= BN_CTX_get(ctx);
R=BN_CTX_get(ctx);
v=BN_CTX_get(ctx);
EC_GROUP_get_order(group,order,ctx);
pub_key = EC_KEY_get0_public_key(ec);
if (BN_is_zero(sig->s) || BN_is_zero(sig->r) ||
(BN_cmp(sig->s,order)>=1) || (BN_cmp(sig->r,order)>=1))
{
GOSTerr(GOST_F_GOST2001_DO_VERIFY,GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
goto err;
}
md = hashsum2bn(dgst);
BN_mod(e,md,order,ctx);
#ifdef DEBUG_SIGN
fprintf(stderr,"digest as bignum: ");
BN_print_fp(stderr,md);
fprintf(stderr,"\ndigest mod q: ");
BN_print_fp(stderr,e);
#endif
if (BN_is_zero(e)) BN_one(e);
v=BN_mod_inverse(v,e,order,ctx);
BN_mod_mul(z1,sig->s,v,order,ctx);
BN_sub(tmp,order,sig->r);
BN_mod_mul(z2,tmp,v,order,ctx);
#ifdef DEBUG_SIGN
fprintf(stderr,"\nInverted digest value: ");
BN_print_fp(stderr,v);
fprintf(stderr,"\nz1: ");
BN_print_fp(stderr,z1);
fprintf(stderr,"\nz2: ");
BN_print_fp(stderr,z2);
#endif
C = EC_POINT_new(group);
if (!EC_POINT_mul(group,C,z1,pub_key,z2,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_VERIFY,ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group,C,X,NULL,ctx))
{
GOSTerr(GOST_F_GOST2001_DO_VERIFY,ERR_R_EC_LIB);
goto err;
}
BN_mod(R,X,order,ctx);
#ifdef DEBUG_SIGN
fprintf(stderr,"\nX=");
BN_print_fp(stderr,X);
fprintf(stderr,"\nX mod q=");
BN_print_fp(stderr,R);
fprintf(stderr,"\n");
#endif
if (BN_cmp(R,sig->r)!=0)
{
GOSTerr(GOST_F_GOST2001_DO_VERIFY,GOST_R_SIGNATURE_MISMATCH);
}
else
{
ok = 1;
}
err:
EC_POINT_free(C);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
BN_free(md);
return ok;
}
/*
* Verifies gost ec signature
*
*/
int gost_ec_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, EC_KEY *ec)
{
BN_CTX *ctx;
const EC_GROUP *group = (ec) ? EC_KEY_get0_group(ec) : NULL;
BIGNUM *order;
BIGNUM *md = NULL, *e = NULL, *R = NULL, *v = NULL,
*z1 = NULL, *z2 = NULL;
BIGNUM *X = NULL, *tmp = NULL;
EC_POINT *C = NULL;
const EC_POINT *pub_key = NULL;
int ok = 0;
OPENSSL_assert(dgst != NULL && sig != NULL && group != NULL);
if (!(ctx = BN_CTX_new())) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
e = BN_CTX_get(ctx);
z1 = BN_CTX_get(ctx);
z2 = BN_CTX_get(ctx);
tmp = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
R = BN_CTX_get(ctx);
v = BN_CTX_get(ctx);
if (!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
pub_key = EC_KEY_get0_public_key(ec);
if (!pub_key || !EC_GROUP_get_order(group, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
if (BN_is_zero(sig->s) || BN_is_zero(sig->r) ||
(BN_cmp(sig->s, order) >= 1) || (BN_cmp(sig->r, order) >= 1)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q);
goto err;
}
OPENSSL_assert(dgst_len == 32 || dgst_len == 64);
md = hashsum2bn(dgst, dgst_len);
if (!md || !BN_mod(e, md, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef DEBUG_SIGN
fprintf(stderr, "digest as bignum: ");
BN_print_fp(stderr, md);
fprintf(stderr, "\ndigest mod q: ");
BN_print_fp(stderr, e);
#endif
if (BN_is_zero(e) && !BN_one(e)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
v = BN_mod_inverse(v, e, order, ctx);
if (!v || !BN_mod_mul(z1, sig->s, v, order, ctx)
|| !BN_sub(tmp, order, sig->r)
|| !BN_mod_mul(z2, tmp, v, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef DEBUG_SIGN
fprintf(stderr, "\nInverted digest value: ");
BN_print_fp(stderr, v);
fprintf(stderr, "\nz1: ");
BN_print_fp(stderr, z1);
fprintf(stderr, "\nz2: ");
BN_print_fp(stderr, z2);
#endif
C = EC_POINT_new(group);
if (!C) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, C, z1, pub_key, z2, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (!BN_mod(R, X, order, ctx)) {
GOSTerr(GOST_F_GOST_EC_VERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifdef DEBUG_SIGN
fprintf(stderr, "\nX=");
BN_print_fp(stderr, X);
fprintf(stderr, "\nX mod q=");
BN_print_fp(stderr, R);
fprintf(stderr, "\n");
#endif
if (BN_cmp(R, sig->r) != 0) {
GOSTerr(GOST_F_GOST_EC_VERIFY, GOST_R_SIGNATURE_MISMATCH);
} else {
ok = 1;
}
err:
if (C)
EC_POINT_free(C);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (md)
BN_free(md);
return ok;
}
int ssh_server_ecdh_init(ssh_session session, ssh_buffer packet){
/* ECDH keys */
ssh_string q_c_string = NULL;
ssh_string q_s_string = NULL;
EC_KEY *ecdh_key=NULL;
const EC_GROUP *group;
const EC_POINT *ecdh_pubkey;
bignum_CTX ctx;
/* SSH host keys (rsa,dsa,ecdsa) */
ssh_key privkey;
ssh_string sig_blob = NULL;
int len;
int rc;
enter_function();
/* Extract the client pubkey from the init packet */
q_c_string = buffer_get_ssh_string(packet);
if (q_c_string == NULL) {
ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet");
goto error;
}
session->next_crypto->ecdh_client_pubkey = q_c_string;
/* Build server's keypair */
ctx = BN_CTX_new();
ecdh_key = EC_KEY_new_by_curve_name(NISTP256);
group = EC_KEY_get0_group(ecdh_key);
EC_KEY_generate_key(ecdh_key);
ecdh_pubkey=EC_KEY_get0_public_key(ecdh_key);
len = EC_POINT_point2oct(group,ecdh_pubkey,POINT_CONVERSION_UNCOMPRESSED,
NULL,0,ctx);
q_s_string=ssh_string_new(len);
EC_POINT_point2oct(group,ecdh_pubkey,POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(q_s_string),len,ctx);
BN_CTX_free(ctx);
session->next_crypto->ecdh_privkey = ecdh_key;
session->next_crypto->ecdh_server_pubkey = q_s_string;
buffer_add_u8(session->out_buffer, SSH2_MSG_KEXDH_REPLY);
/* build k and session_id */
if (ecdh_build_k(session) < 0) {
ssh_set_error(session, SSH_FATAL, "Cannot build k number");
goto error;
}
if (ssh_get_key_params(session, &privkey) == SSH_ERROR)
goto error;
if (make_sessionid(session) != SSH_OK) {
ssh_set_error(session, SSH_FATAL, "Could not create a session id");
goto error;
}
/* add host's public key */
buffer_add_ssh_string(session->out_buffer, session->next_crypto->server_pubkey);
/* add ecdh public key */
buffer_add_ssh_string(session->out_buffer,q_s_string);
/* add signature blob */
sig_blob = ssh_srv_pki_do_sign_sessionid(session, privkey);
if (sig_blob == NULL) {
ssh_set_error(session, SSH_FATAL, "Could not sign the session id");
goto error;
}
buffer_add_ssh_string(session->out_buffer, sig_blob);
ssh_string_free(sig_blob);
/* Free private keys as they should not be readable after this point */
if (session->srv.rsa_key) {
ssh_key_free(session->srv.rsa_key);
session->srv.rsa_key = NULL;
}
if (session->srv.dsa_key) {
ssh_key_free(session->srv.dsa_key);
session->srv.dsa_key = NULL;
}
ssh_log(session,SSH_LOG_PROTOCOL, "SSH_MSG_KEXDH_REPLY sent");
rc = packet_send(session);
if (rc == SSH_ERROR)
goto error;
/* Send the MSG_NEWKEYS */
if (buffer_add_u8(session->out_buffer, SSH2_MSG_NEWKEYS) < 0) {
goto error;
}
session->dh_handshake_state=DH_STATE_NEWKEYS_SENT;
rc=packet_send(session);
ssh_log(session, SSH_LOG_PROTOCOL, "SSH_MSG_NEWKEYS sent");
return rc;
error:
return SSH_ERROR;
}
void
sshbuf_getput_crypto_tests(void)
{
struct sshbuf *p1;
const u_char *d;
size_t s;
BIGNUM *bn, *bn2, *bn_x, *bn_y;
/* This one has num_bits != num_bytes * 8 to test bignum1 encoding */
const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10";
/* This one has MSB set to test bignum2 encoding negative-avoidance */
const char *hexbn2 = "f0e0d0c0b0a0908070605040302010007fff11";
u_char expbn1[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
};
u_char expbn2[] = {
0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
0x7f, 0xff, 0x11
};
int ec256_nid = NID_X9_62_prime256v1;
char *ec256_x = "0C828004839D0106AA59575216191357"
"34B451459DADB586677EF9DF55784999";
char *ec256_y = "4D196B50F0B4E94B3C73E3A9D4CD9DF2"
"C8F9A35E42BDD047550F69D80EC23CD4";
u_char expec256[] = {
0x04,
0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4
};
EC_KEY *eck;
EC_POINT *ecp;
int r;
#define MKBN(b, bnn) \
do { \
bnn = NULL; \
ASSERT_INT_GT(BN_hex2bn(&bnn, b), 0); \
} while (0)
TEST_START("sshbuf_put_bignum1");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 2);
ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn1, sizeof(expbn1));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 limited");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
r = sshbuf_put_bignum1(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 2);
ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn2, sizeof(expbn2));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 bn2 limited");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
r = sshbuf_put_bignum1(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 4);
ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 4, expbn1, sizeof(expbn1));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 limited");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 3), 0);
r = sshbuf_put_bignum2(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4 + 1); /* MSB */
ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn) + 1);
ASSERT_U8_EQ(*(sshbuf_ptr(p1) + 4), 0x00);
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 5, expbn2, sizeof(expbn2));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 bn2 limited");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn2) + 3), 0);
r = sshbuf_put_bignum2(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 truncated");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 giant");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xffff), 0);
ASSERT_INT_EQ(sshbuf_reserve(p1, (0xffff + 7) / 8, NULL), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 bn2 truncated");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + sizeof(expbn1));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 truncated");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 3);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 giant");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, 65536), 0);
ASSERT_INT_EQ(sshbuf_reserve(p1, 65536, NULL), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 65536 + 4);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0); /* MSB */
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + 1 + sizeof(expbn2));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2 truncated");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 1 + 4 - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2 negative");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_IS_NEGATIVE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_ec");
eck = EC_KEY_new_by_curve_name(ec256_nid);
ASSERT_PTR_NE(eck, NULL);
ecp = EC_POINT_new(EC_KEY_get0_group(eck));
ASSERT_PTR_NE(ecp, NULL);
MKBN(ec256_x, bn_x);
MKBN(ec256_y, bn_y);
ASSERT_INT_EQ(EC_POINT_set_affine_coordinates_GFp(
EC_KEY_get0_group(eck), ecp, bn_x, bn_y, NULL), 1);
ASSERT_INT_EQ(EC_KEY_set_public_key(eck, ecp), 1);
EC_POINT_free(ecp);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_eckey(p1, eck), 0);
ASSERT_INT_EQ(sshbuf_get_string_direct(p1, &d, &s), 0);
ASSERT_SIZE_T_EQ(s, sizeof(expec256));
ASSERT_MEM_EQ(d, expec256, sizeof(expec256));
sshbuf_free(p1);
EC_KEY_free(eck);
TEST_DONE();
TEST_START("sshbuf_get_ec");
eck = EC_KEY_new_by_curve_name(ec256_nid);
ASSERT_PTR_NE(eck, NULL);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_string(p1, expec256, sizeof(expec256)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expec256) + 4);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_get_eckey(p1, eck), 0);
bn_x = BN_new();
bn_y = BN_new();
ASSERT_PTR_NE(bn_x, NULL);
ASSERT_PTR_NE(bn_y, NULL);
ASSERT_INT_EQ(EC_POINT_get_affine_coordinates_GFp(
EC_KEY_get0_group(eck), EC_KEY_get0_public_key(eck),
bn_x, bn_y, NULL), 1);
MKBN(ec256_x, bn);
MKBN(ec256_y, bn2);
ASSERT_INT_EQ(BN_cmp(bn_x, bn), 0);
ASSERT_INT_EQ(BN_cmp(bn_y, bn2), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
sshbuf_free(p1);
EC_KEY_free(eck);
BN_free(bn_x);
BN_free(bn_y);
BN_free(bn);
BN_free(bn2);
TEST_DONE();
}
static int
input_kex_ecdh_init(int type, u_int32_t seq, void *ctxt)
{
struct ssh *ssh = ctxt;
struct kex *kex = ssh->kex;
EC_POINT *client_public;
EC_KEY *server_key = NULL;
const EC_GROUP *group;
const EC_POINT *public_key;
BIGNUM *shared_secret = NULL;
struct sshbn *xxx_shared_secret = NULL;
struct sshkey *server_host_private, *server_host_public;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf = NULL;
u_char hash[SSH_DIGEST_MAX_LENGTH];
size_t slen, sbloblen;
size_t klen = 0, hashlen;
int r;
if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (EC_KEY_generate_key(server_key) != 1) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
group = EC_KEY_get0_group(server_key);
#ifdef DEBUG_KEXECDH
fputs("server private key:\n", stderr);
sshkey_dump_ec_key(server_key);
#endif
if (kex->load_host_public_key == NULL ||
kex->load_host_private_key == NULL) {
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
server_host_public = kex->load_host_public_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
server_host_private = kex->load_host_private_key(kex->hostkey_type,
kex->hostkey_nid, ssh);
if (server_host_public == NULL) {
r = SSH_ERR_NO_HOSTKEY_LOADED;
goto out;
}
if ((client_public = EC_POINT_new(group)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshpkt_get_ec(ssh, client_public, group)) != 0 ||
(r = sshpkt_get_end(ssh)) != 0)
goto out;
#ifdef DEBUG_KEXECDH
fputs("client public key:\n", stderr);
sshkey_dump_ec_point(group, client_public);
#endif
if (sshkey_ec_validate_public(group, client_public) != 0) {
sshpkt_disconnect(ssh, "invalid client public key");
r = SSH_ERR_MESSAGE_INCOMPLETE;
goto out;
}
/* Calculate shared_secret */
klen = (EC_GROUP_get_degree(group) + 7) / 8;
if ((kbuf = malloc(klen)) == NULL ||
(shared_secret = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (ECDH_compute_key(kbuf, klen, client_public,
server_key, NULL) != (int)klen ||
BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
/* calc H */
if ((r = sshkey_to_blob(server_host_public, &server_host_key_blob,
&sbloblen)) != 0)
goto out;
hashlen = sizeof(hash);
if ((r = kex_ecdh_hash(
kex->hash_alg,
group,
kex->client_version_string,
kex->server_version_string,
sshbuf_ptr(kex->peer), sshbuf_len(kex->peer),
sshbuf_ptr(kex->my), sshbuf_len(kex->my),
server_host_key_blob, sbloblen,
client_public,
EC_KEY_get0_public_key(server_key),
shared_secret,
hash, &hashlen)) != 0)
goto out;
/* save session id := H */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = malloc(kex->session_id_len);
if (kex->session_id == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(kex->session_id, hash, kex->session_id_len);
}
/* sign H */
if ((r = kex->sign(server_host_private, server_host_public,
&signature, &slen, hash, hashlen, ssh->compat)) < 0)
goto out;
/* destroy_sensitive_data(); */
public_key = EC_KEY_get0_public_key(server_key);
/* send server hostkey, ECDH pubkey 'Q_S' and signed H */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_ECDH_REPLY)) != 0 ||
(r = sshpkt_put_string(ssh, server_host_key_blob, sbloblen)) != 0 ||
(r = sshpkt_put_ec(ssh, public_key, group)) != 0 ||
(r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
goto out;
/* XXX */
if ((xxx_shared_secret = sshbn_from_bignum(shared_secret)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = kex_derive_keys_bn(ssh, hash, hashlen,
xxx_shared_secret)) == 0)
r = kex_send_newkeys(ssh);
out:
explicit_bzero(hash, sizeof(hash));
if (kex->ec_client_key) {
EC_KEY_free(kex->ec_client_key);
kex->ec_client_key = NULL;
}
if (server_key)
EC_KEY_free(server_key);
if (kbuf) {
explicit_bzero(kbuf, klen);
free(kbuf);
}
if (shared_secret)
BN_clear_free(shared_secret);
sshbn_free(xxx_shared_secret);
free(server_host_key_blob);
free(signature);
return r;
}
/*
* EVP_PKEY_METHOD callback decrypt
* Implementation of GOST2001 key transport, cryptopo variation
*/
int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key,
size_t *key_len, const unsigned char *in,
size_t in_len)
{
const unsigned char *p = in;
EVP_PKEY *priv = EVP_PKEY_CTX_get0_pkey(pctx);
GOST_KEY_TRANSPORT *gkt = NULL;
int ret = 0;
unsigned char wrappedKey[44];
unsigned char sharedKey[32];
gost_ctx ctx;
const struct gost_cipher_info *param = NULL;
EVP_PKEY *eph_key = NULL, *peerkey = NULL;
if (!key) {
*key_len = 32;
return 1;
}
gkt = d2i_GOST_KEY_TRANSPORT(NULL, (const unsigned char **)&p, in_len);
if (!gkt) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO);
return -1;
}
/* If key transport structure contains public key, use it */
eph_key = X509_PUBKEY_get(gkt->key_agreement_info->ephem_key);
if (eph_key) {
if (EVP_PKEY_derive_set_peer(pctx, eph_key) <= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_INCOMPATIBLE_PEER_KEY);
goto err;
}
} else {
/* Set control "public key from client certificate used" */
if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL)
<= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_CTRL_CALL_FAILED);
goto err;
}
}
peerkey = EVP_PKEY_CTX_get0_peerkey(pctx);
if (!peerkey) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_NO_PEER_KEY);
goto err;
}
param = get_encryption_params(gkt->key_agreement_info->cipher);
if (!param) {
goto err;
}
gost_init(&ctx, param->sblock);
OPENSSL_assert(gkt->key_agreement_info->eph_iv->length == 8);
memcpy(wrappedKey, gkt->key_agreement_info->eph_iv->data, 8);
OPENSSL_assert(gkt->key_info->encrypted_key->length == 32);
memcpy(wrappedKey + 8, gkt->key_info->encrypted_key->data, 32);
OPENSSL_assert(gkt->key_info->imit->length == 4);
memcpy(wrappedKey + 40, gkt->key_info->imit->data, 4);
VKO_compute_key(sharedKey, 32,
EC_KEY_get0_public_key(EVP_PKEY_get0(peerkey)),
EVP_PKEY_get0(priv), wrappedKey);
if (!keyUnwrapCryptoPro(&ctx, sharedKey, wrappedKey, key)) {
GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT,
GOST_R_ERROR_COMPUTING_SHARED_KEY);
goto err;
}
ret = 1;
err:
EVP_PKEY_free(eph_key);
GOST_KEY_TRANSPORT_free(gkt);
return ret;
}
int main() {
srand((unsigned)time(NULL));
int i;
EC_KEY* key;
//key = EC_KEY_new_by_curve_name(415);
key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
const EC_GROUP *group = EC_KEY_get0_group(key);
if (EC_KEY_generate_key(key)==0) {
printf("Error generate key\n");
return -1;
}
unsigned char pk_b[33];
const EC_POINT *pub = EC_KEY_get0_public_key(key);
if (EC_POINT_point2oct(group, pub, POINT_CONVERSION_COMPRESSED, pk_b, 33, 0)!=33) {
printf("Error 2\n");
return -1;
}
unsigned char h1[16],h2[16];
printf("\x02");
for (i=0;i<16;i++) {
h1[i]=rand()%256;
printf("%c",h1[i]);
}
for (i=0;i<33;i++)
printf("%c",pk_b[i]);
fflush(stdout);
//get h2
for (i=0;i<16;i++)
h2[i]=rand()%256;
for (i=0;i<16;i++)
scanf("%c",&h2[i]);
//get peerpk_b
unsigned char peerpk_b[33]={2 , 30 , 25 , 50 , 17 , 242 , 232 , 55 , 157 , 18 , 106 , 115 , 214 , 193 , 192 , 39 , 207 , 226 , 184 , 216 , 244 , 147 , 111 , 188 , 125 , 230 , 38 , 125 , 231 , 50 , 56 , 152 , 148 };
for (i=0;i<33;i++)
scanf("%c",&peerpk_b[i]);
EC_POINT *peerpk = EC_POINT_new(group);
if (EC_POINT_oct2point(group, peerpk, peerpk_b, 33, 0)==0) {
printf("Error 3\n");
return -1;
}
unsigned char skey[33];
if (ECDH_compute_key(skey, 32, peerpk, key, NULL)==0) {
printf("Error 4\n");
return -1;
}
SHA512_CTX shactx;
unsigned char hash[SHA512_DIGEST_LENGTH];
SHA512_Init(&shactx);
SHA512_Update(&shactx, h2, 16);
SHA512_Update(&shactx, skey, 32);
SHA512_Update(&shactx, h1, 16);
SHA512_Final(hash, &shactx);
for (i=0;i<64;i++)
printf("%02x",hash[i]);
fflush(stdout);
struct cipher c;
c.recvfd=0;
c.sendfd=1;
for (i=0;i<16;i++)
c.sendkey[i]=hash[i];
for (i=0;i<4;i++)
c.sendiv[i]=hash[32+i];
for (i=0;i<16;i++)
c.recvkey[i]=hash[16+i];
for (i=0;i<4;i++)
c.recviv[i]=hash[36+i];
c.sendcnt=0;
c.recvcnt=0;
unsigned char d[1000];
unsigned char oiv[8];
int op;
char dlen;
while (true) {
scanf("%d",&op);
scanf("%c",&dlen);
scanf("%c",&dlen);
for (i=0;i<dlen;i++)
scanf("%c",&d[i]);
if (op==1) {
for (i=0;i<8;i++)
oiv[i]=rand()%256;
encrypt(c,d,dlen,oiv);
c.recvcnt+=1;
} else if (op==2) {
for (i=0;i<8;i++)
scanf("%c",&oiv[i]);
decrypt(c,d,dlen,oiv, NULL);
c.sendcnt+=1;
}
fflush(stdout);
}
return 0;
}
static int eckey_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p = NULL;
void *pval;
int ptype, pklen;
EC_KEY *eckey = NULL;
X509_ALGOR *palg;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
eckey = eckey_type2param(ptype, pval);
if (!eckey)
goto ecliberr;
/* We have parameters now set private key */
if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
ECerr(EC_F_ECKEY_PRIV_DECODE, EC_R_DECODE_ERROR);
goto ecerr;
}
/* calculate public key (if necessary) */
if (EC_KEY_get0_public_key(eckey) == NULL) {
const BIGNUM *priv_key;
const EC_GROUP *group;
EC_POINT *pub_key;
/*
* the public key was not included in the SEC1 private key =>
* calculate the public key
*/
group = EC_KEY_get0_group(eckey);
pub_key = EC_POINT_new(group);
if (pub_key == NULL) {
ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
goto ecliberr;
}
if (!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) {
EC_POINT_free(pub_key);
ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
goto ecliberr;
}
priv_key = EC_KEY_get0_private_key(eckey);
if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) {
EC_POINT_free(pub_key);
ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
goto ecliberr;
}
if (EC_KEY_set_public_key(eckey, pub_key) == 0) {
EC_POINT_free(pub_key);
ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
goto ecliberr;
}
EC_POINT_free(pub_key);
}
EVP_PKEY_assign_EC_KEY(pkey, eckey);
return 1;
ecliberr:
ECerr(EC_F_ECKEY_PRIV_DECODE, ERR_R_EC_LIB);
ecerr:
EC_KEY_free(eckey);
return 0;
}
private_key private_key::generate()
{
private_key self;
EC_KEY* k = EC_KEY_new_by_curve_name( NID_X9_62_prime256v1 );
if( !k ) FC_THROW_EXCEPTION( exception, "Unable to generate EC key" );
self.my->_key = k;
if( !EC_KEY_generate_key( self.my->_key ) )
{
FC_THROW_EXCEPTION( exception, "ecc key generation error" );
}
#if 0
= bigint( EC_KEY_get0_private_key( k );
EC_POINT* pub = EC_KEY_get0_public_key( k );
EC_GROUP* group = EC_KEY_get0_group( k );
EC_POINT_get_affine_coordinates_GFp( group, pub, self.my->_pub_x.get(), self.my->_pub_y.get(), nullptr/*ctx*/ );
EC_KEY_free(k);
#endif
return self;
}
signature private_key::sign( const fc::sha256& digest )const
{
unsigned int buf_len = ECDSA_size(my->_key);
// fprintf( stderr, "%d %d\n", buf_len, sizeof(sha256) );
signature sig;
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey)
{
int ret = -1, i;
BN_CTX *ctx;
BIGNUM *order, *u1, *u2, *m, *X;
EC_POINT *point = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS);
return -1;
}
ctx = BN_CTX_new();
if (!ctx)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
return -1;
}
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
u1 = BN_CTX_get(ctx);
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (!X)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if (!EC_GROUP_get_order(group, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE);
ret = 0; /* signature is invalid */
goto err;
}
/* calculate tmp1 = inv(S) mod order */
if (!BN_mod_inverse(u2, sig->s, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* digest -> m */
i = BN_num_bits(order);
/* Need to truncate digest if it is too long: first truncate whole
* bytes.
*/
if (8 * dgst_len > i)
dgst_len = (i + 7)/8;
if (!BN_bin2bn(dgst, dgst_len, m))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* If still too long truncate remaining bits with a shift */
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u1 = m * tmp mod order */
if (!BN_mod_mul(u1, m, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* u2 = r * w mod q */
if (!BN_mod_mul(u2, sig->r, u2, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
if ((point = EC_POINT_new(group)) == NULL)
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
#ifndef OPENSSL_NO_EC2M
else /* NID_X9_62_characteristic_two_field */
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
point, X, NULL, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
}
#endif
if (!BN_nnmod(u1, X, order, ctx))
{
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
goto err;
}
/* if the signature is correct u1 is equal to sig->r */
ret = (BN_ucmp(u1, sig->r) == 0);
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (point)
EC_POINT_free(point);
return ret;
}
void
sshkey_file_tests(void)
{
struct sshkey *k1, *k2;
struct sshbuf *buf, *pw;
BIGNUM *a, *b, *c;
char *cp;
TEST_START("load passphrase");
pw = load_text_file("pw");
TEST_DONE();
TEST_START("parse RSA1 from private");
buf = load_file("rsa1_1");
ASSERT_INT_EQ(sshkey_parse_private(buf, "", "rsa1_1", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa1_1.param.n");
ASSERT_BIGNUM_EQ(k1->rsa->n, a);
BN_free(a);
TEST_DONE();
TEST_START("parse RSA from private w/ passphrase");
buf = load_file("rsa1_1_pw");
ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "rsa1_1_pw",
&k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load RSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("RSA key hex fingerprint");
buf = load_text_file("rsa1_1.fp");
cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("RSA key bubblebabble fingerprint");
buf = load_text_file("rsa1_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse RSA from private");
buf = load_file("rsa_1");
ASSERT_INT_EQ(sshkey_parse_private(buf, "", "rsa_1", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("rsa_1.param.n");
b = load_bignum("rsa_1.param.p");
c = load_bignum("rsa_1.param.q");
ASSERT_BIGNUM_EQ(k1->rsa->n, a);
ASSERT_BIGNUM_EQ(k1->rsa->p, b);
ASSERT_BIGNUM_EQ(k1->rsa->q, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse RSA from private w/ passphrase");
buf = load_file("rsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "rsa_1_pw",
&k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load RSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("RSA key hex fingerprint");
buf = load_text_file("rsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("RSA key bubblebabble fingerprint");
buf = load_text_file("rsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse DSA from private");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private(buf, "", "dsa_1", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
a = load_bignum("dsa_1.param.g");
b = load_bignum("dsa_1.param.priv");
c = load_bignum("dsa_1.param.pub");
ASSERT_BIGNUM_EQ(k1->dsa->g, a);
ASSERT_BIGNUM_EQ(k1->dsa->priv_key, b);
ASSERT_BIGNUM_EQ(k1->dsa->pub_key, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse DSA from private w/ passphrase");
buf = load_file("dsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "dsa_1_pw",
&k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load DSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("DSA key hex fingerprint");
buf = load_text_file("dsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("DSA key bubblebabble fingerprint");
buf = load_text_file("dsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
TEST_START("parse ECDSA from private");
buf = load_file("ecdsa_1");
ASSERT_INT_EQ(sshkey_parse_private(buf, "", "ecdsa_1", &k1, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k1, NULL);
buf = load_text_file("ecdsa_1.param.curve");
ASSERT_STRING_EQ(sshbuf_ptr(buf), OBJ_nid2sn(k1->ecdsa_nid));
sshbuf_free(buf);
a = load_bignum("ecdsa_1.param.priv");
b = load_bignum("ecdsa_1.param.pub");
c = EC_POINT_point2bn(EC_KEY_get0_group(k1->ecdsa),
EC_KEY_get0_public_key(k1->ecdsa), POINT_CONVERSION_UNCOMPRESSED,
NULL, NULL);
ASSERT_PTR_NE(c, NULL);
ASSERT_BIGNUM_EQ(EC_KEY_get0_private_key(k1->ecdsa), a);
ASSERT_BIGNUM_EQ(b, c);
BN_free(a);
BN_free(b);
BN_free(c);
TEST_DONE();
TEST_START("parse ECDSA from private w/ passphrase");
buf = load_file("ecdsa_1_pw");
ASSERT_INT_EQ(sshkey_parse_private(buf, sshbuf_ptr(pw), "ecdsa_1_pw",
&k2, NULL), 0);
sshbuf_free(buf);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("load ECDSA from public");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_1.pub"), &k2,
NULL), 0);
ASSERT_PTR_NE(k2, NULL);
ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
sshkey_free(k2);
TEST_DONE();
TEST_START("ECDSA key hex fingerprint");
buf = load_text_file("ecdsa_1.fp");
cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
TEST_START("ECDSA key bubblebabble fingerprint");
buf = load_text_file("ecdsa_1.fp.bb");
cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
ASSERT_PTR_NE(cp, NULL);
ASSERT_STRING_EQ(cp, sshbuf_ptr(buf));
sshbuf_free(buf);
free(cp);
TEST_DONE();
sshkey_free(k1);
sshbuf_free(pw);
}
void Families::LoadCertificate (const std::string& filename)
{
SSL_CTX * ctx = SSL_CTX_new (TLS_method ());
int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM);
if (ret)
{
SSL * ssl = SSL_new (ctx);
X509 * cert = SSL_get_certificate (ssl);
if (cert)
{
std::shared_ptr<i2p::crypto::Verifier> verifier;
// extract issuer name
char name[100];
X509_NAME_oneline (X509_get_issuer_name(cert), name, 100);
char * cn = strstr (name, "CN=");
if (cn)
{
cn += 3;
char * family = strstr (cn, ".family");
if (family) family[0] = 0;
}
auto pkey = X509_get_pubkey (cert);
int keyType = EVP_PKEY_base_id (pkey);
switch (keyType)
{
case EVP_PKEY_DSA:
// TODO:
break;
case EVP_PKEY_EC:
{
EC_KEY * ecKey = EVP_PKEY_get1_EC_KEY (pkey);
if (ecKey)
{
auto group = EC_KEY_get0_group (ecKey);
if (group)
{
int curve = EC_GROUP_get_curve_name (group);
if (curve == NID_X9_62_prime256v1)
{
uint8_t signingKey[64];
BIGNUM * x = BN_new(), * y = BN_new();
EC_POINT_get_affine_coordinates_GFp (group,
EC_KEY_get0_public_key (ecKey), x, y, NULL);
i2p::crypto::bn2buf (x, signingKey, 32);
i2p::crypto::bn2buf (y, signingKey + 32, 32);
BN_free (x); BN_free (y);
verifier = std::make_shared<i2p::crypto::ECDSAP256Verifier>();
verifier->SetPublicKey (signingKey);
}
else
LogPrint (eLogWarning, "Family: elliptic curve ", curve, " is not supported");
}
EC_KEY_free (ecKey);
}
break;
}
default:
LogPrint (eLogWarning, "Family: Certificate key type ", keyType, " is not supported");
}
EVP_PKEY_free (pkey);
if (verifier && cn)
m_SigningKeys[cn] = verifier;
}
SSL_free (ssl);
}
else
LogPrint (eLogError, "Family: Can't open certificate file ", filename);
SSL_CTX_free (ctx);
}
int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
const ECDSA_SIG *sig, const EC_KEY *eckey) {
int ret = 0;
BN_CTX *ctx;
BIGNUM *u1, *u2, *m, *X;
EC_POINT *point = NULL;
const EC_GROUP *group;
const EC_POINT *pub_key;
// check input values
if ((group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL ||
sig == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);
return 0;
}
ctx = BN_CTX_new();
if (!ctx) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
return 0;
}
BN_CTX_start(ctx);
u1 = BN_CTX_get(ctx);
u2 = BN_CTX_get(ctx);
m = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
if (u1 == NULL || u2 == NULL || m == NULL || X == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
const BIGNUM *order = EC_GROUP_get0_order(group);
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
}
// calculate tmp1 = inv(S) mod order
int no_inverse;
if (!BN_mod_inverse_odd(u2, &no_inverse, sig->s, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
if (!digest_to_bn(m, digest, digest_len, order)) {
goto err;
}
// u1 = m * tmp mod order
if (!BN_mod_mul(u1, m, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
// u2 = r * w mod q
if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
point = EC_POINT_new(group);
if (point == NULL) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);
goto err;
}
if (!BN_nnmod(u1, X, order, ctx)) {
OPENSSL_PUT_ERROR(ECDSA, ERR_R_BN_LIB);
goto err;
}
// if the signature is correct u1 is equal to sig->r
if (BN_ucmp(u1, sig->r) != 0) {
OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
EC_POINT_free(point);
return ret;
}
void
//vg_output_match_console(vg_context_t *vcp, EC_KEY *pkey, const char *pattern)
vg_output_match_console(vg_context_t *vcp, vg_exec_context_t *vxcp, const char *pattern)
{
unsigned char key_buf[512], *pend;
char addr_buf[64], addr2_buf[64];
char privkey_buf[VG_PROTKEY_MAX_B58];
const char *keytype = "Privkey";
int len;
int isscript = (vcp->vc_format == VCF_SCRIPT);
EC_KEY *pkey = vxcp->vxc_key;
EC_POINT *ppnt;
int free_ppnt = 0;
if (vcp->vc_pubkey_base) {
ppnt = EC_POINT_new(EC_KEY_get0_group(pkey));
EC_POINT_copy(ppnt, EC_KEY_get0_public_key(pkey));
EC_POINT_add(EC_KEY_get0_group(pkey),
ppnt,
ppnt,
vcp->vc_pubkey_base,
NULL);
free_ppnt = 1;
keytype = "PrivkeyPart";
} else {
ppnt = (EC_POINT *) EC_KEY_get0_public_key(pkey);
}
assert(EC_KEY_check_key(pkey));
// if (vcp->vc_combined_compressed)
if (vxcp->vc_combined_compressed)
vg_encode_address_compressed(ppnt,
EC_KEY_get0_group(pkey),
vcp->vc_pubkeytype, addr_buf);
else
vg_encode_address(ppnt,
EC_KEY_get0_group(pkey),
vcp->vc_pubkeytype, addr_buf);
if (isscript)
vg_encode_script_address(ppnt,
EC_KEY_get0_group(pkey),
vcp->vc_addrtype, addr2_buf);
if (vcp->vc_key_protect_pass) {
len = vg_protect_encode_privkey(privkey_buf,
pkey, vcp->vc_privtype,
VG_PROTKEY_DEFAULT,
vcp->vc_key_protect_pass);
if (len) {
keytype = "Protkey";
} else {
fprintf(stderr,
"ERROR: could not password-protect key\n");
vcp->vc_key_protect_pass = NULL;
}
}
if (!vcp->vc_key_protect_pass) {
// if (vcp->vc_combined_compressed)
if (vxcp->vc_combined_compressed)
vg_encode_privkey_compressed(pkey, vcp->vc_privtype, privkey_buf);
else
vg_encode_privkey(pkey, vcp->vc_privtype, privkey_buf);
}
if (!vcp->vc_result_file || (vcp->vc_verbose > 0)) {
printf("\r%79s\rPattern: %s\n", "", pattern);
}
if (vcp->vc_verbose > 0) {
if (vcp->vc_verbose > 1) {
pend = key_buf;
len = i2o_ECPublicKey(pkey, &pend);
printf("Pubkey (hex): ");
dumphex(key_buf, len);
printf("Privkey (hex): ");
dumpbn(EC_KEY_get0_private_key(pkey));
pend = key_buf;
len = i2d_ECPrivateKey(pkey, &pend);
printf("Privkey (ASN1): ");
dumphex(key_buf, len);
}
}
if (!vcp->vc_result_file || (vcp->vc_verbose > 0)) {
if (isscript)
printf("P2SHAddress: %s\n", addr2_buf);
printf("Address: %s\n"
"%s: %s\n",
addr_buf, keytype, privkey_buf);
}
if (vcp->vc_result_file) {
FILE *fp = fopen(vcp->vc_result_file, "a");
if (!fp) {
fprintf(stderr,
"ERROR: could not open result file: %s\n",
strerror(errno));
} else {
fprintf(fp,
"Pattern: %s\n"
, pattern);
if (isscript)
fprintf(fp, "P2SHAddress: %s\n", addr2_buf);
fprintf(fp,
"Address: %s\n"
"%s: %s\n",
addr_buf, keytype, privkey_buf);
fclose(fp);
}
}
if (free_ppnt)
EC_POINT_free(ppnt);
}
void *
vg_thread_loop(void *arg)
{
unsigned char hash_buf[128];
unsigned char *eckey_buf;
unsigned char hash1[32];
int i, c, len, output_interval;
int hash_len;
const BN_ULONG rekey_max = 10000000;
BN_ULONG npoints, rekey_at, nbatch;
vg_context_t *vcp = (vg_context_t *) arg;
EC_KEY *pkey = NULL;
const EC_GROUP *pgroup;
const EC_POINT *pgen;
const int ptarraysize = 256;
EC_POINT *ppnt[ptarraysize];
EC_POINT *pbatchinc;
vg_test_func_t test_func = vcp->vc_test;
vg_exec_context_t ctx;
vg_exec_context_t *vxcp;
struct timeval tvstart;
memset(&ctx, 0, sizeof(ctx));
vxcp = &ctx;
vg_exec_context_init(vcp, &ctx);
pkey = vxcp->vxc_key;
pgroup = EC_KEY_get0_group(pkey);
pgen = EC_GROUP_get0_generator(pgroup);
for (i = 0; i < ptarraysize; i++) {
ppnt[i] = EC_POINT_new(pgroup);
if (!ppnt[i]) {
fprintf(stderr, "ERROR: out of memory?\n");
exit(1);
}
}
pbatchinc = EC_POINT_new(pgroup);
if (!pbatchinc) {
fprintf(stderr, "ERROR: out of memory?\n");
exit(1);
}
BN_set_word(&vxcp->vxc_bntmp, ptarraysize);
EC_POINT_mul(pgroup, pbatchinc, &vxcp->vxc_bntmp, NULL, NULL,
vxcp->vxc_bnctx);
EC_POINT_make_affine(pgroup, pbatchinc, vxcp->vxc_bnctx);
npoints = 0;
rekey_at = 0;
nbatch = 0;
vxcp->vxc_key = pkey;
vxcp->vxc_binres[0] = vcp->vc_addrtype;
c = 0;
output_interval = 1000;
gettimeofday(&tvstart, NULL);
if (vcp->vc_format == VCF_SCRIPT) {
hash_buf[ 0] = 0x51; // OP_1
hash_buf[ 1] = 0x41; // pubkey length
// gap for pubkey
hash_buf[67] = 0x51; // OP_1
hash_buf[68] = 0xae; // OP_CHECKMULTISIG
eckey_buf = hash_buf + 2;
hash_len = 69;
} else {
eckey_buf = hash_buf;
hash_len = 65;
}
while (!vcp->vc_halt) {
if (++npoints >= rekey_at) {
vg_exec_context_upgrade_lock(vxcp);
/* Generate a new random private key */
EC_KEY_generate_key(pkey);
npoints = 0;
/* Determine rekey interval */
EC_GROUP_get_order(pgroup, &vxcp->vxc_bntmp,
vxcp->vxc_bnctx);
BN_sub(&vxcp->vxc_bntmp2,
&vxcp->vxc_bntmp,
EC_KEY_get0_private_key(pkey));
rekey_at = BN_get_word(&vxcp->vxc_bntmp2);
if ((rekey_at == BN_MASK2) || (rekey_at > rekey_max))
rekey_at = rekey_max;
assert(rekey_at > 0);
EC_POINT_copy(ppnt[0], EC_KEY_get0_public_key(pkey));
vg_exec_context_downgrade_lock(vxcp);
npoints++;
vxcp->vxc_delta = 0;
if (vcp->vc_pubkey_base)
EC_POINT_add(pgroup,
ppnt[0],
ppnt[0],
vcp->vc_pubkey_base,
vxcp->vxc_bnctx);
for (nbatch = 1;
(nbatch < ptarraysize) && (npoints < rekey_at);
nbatch++, npoints++) {
EC_POINT_add(pgroup,
ppnt[nbatch],
ppnt[nbatch-1],
pgen, vxcp->vxc_bnctx);
}
} else {
/*
* Common case
*
* EC_POINT_add() can skip a few multiplies if
* one or both inputs are affine (Z_is_one).
* This is the case for every point in ppnt, as
* well as pbatchinc.
*/
assert(nbatch == ptarraysize);
for (nbatch = 0;
(nbatch < ptarraysize) && (npoints < rekey_at);
nbatch++, npoints++) {
EC_POINT_add(pgroup,
ppnt[nbatch],
ppnt[nbatch],
pbatchinc,
vxcp->vxc_bnctx);
}
}
/*
* The single most expensive operation performed in this
* loop is modular inversion of ppnt->Z. There is an
* algorithm implemented in OpenSSL to do batched inversion
* that only does one actual BN_mod_inverse(), and saves
* a _lot_ of time.
*
* To take advantage of this, we batch up a few points,
* and feed them to EC_POINTs_make_affine() below.
*/
EC_POINTs_make_affine(pgroup, nbatch, ppnt, vxcp->vxc_bnctx);
for (i = 0; i < nbatch; i++, vxcp->vxc_delta++) {
/* Hash the public key */
len = EC_POINT_point2oct(pgroup, ppnt[i],
POINT_CONVERSION_UNCOMPRESSED,
eckey_buf,
65,
vxcp->vxc_bnctx);
assert(len == 65);
SHA256(hash_buf, hash_len, hash1);
RIPEMD160(hash1, sizeof(hash1), &vxcp->vxc_binres[1]);
switch (test_func(vxcp)) {
case 1:
npoints = 0;
rekey_at = 0;
i = nbatch;
break;
case 2:
goto out;
default:
break;
}
}
c += i;
if (c >= output_interval) {
output_interval = vg_output_timing(vcp, c, &tvstart);
if (output_interval > 250000)
output_interval = 250000;
c = 0;
}
vg_exec_context_yield(vxcp);
}
out:
vg_exec_context_del(&ctx);
vg_context_thread_exit(vcp);
for (i = 0; i < ptarraysize; i++)
if (ppnt[i])
EC_POINT_free(ppnt[i]);
if (pbatchinc)
EC_POINT_free(pbatchinc);
return NULL;
}
static int pub_encode_gost_ec(X509_PUBKEY *pub, const EVP_PKEY *pk)
{
ASN1_OBJECT *algobj = NULL;
ASN1_OCTET_STRING *octet = NULL;
void *pval = NULL;
unsigned char *buf = NULL, *databuf = NULL, *sptr;
int i, j, data_len, ret = -1;
const EC_POINT *pub_key;
BIGNUM *X = NULL, *Y = NULL, *order = NULL;
const EC_KEY *ec = EVP_PKEY_get0((EVP_PKEY *)pk);
int ptype = V_ASN1_UNDEF;
algobj = OBJ_nid2obj(EVP_PKEY_base_id(pk));
if (pk->save_parameters) {
ASN1_STRING *params = encode_gost_algor_params(pk);
pval = params;
ptype = V_ASN1_SEQUENCE;
}
order = BN_new();
if (!order) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, ERR_R_MALLOC_FAILURE);
goto err;
}
EC_GROUP_get_order(EC_KEY_get0_group(ec), order, NULL);
pub_key = EC_KEY_get0_public_key(ec);
if (!pub_key) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, GOST_R_PUBLIC_KEY_UNDEFINED);
goto err;
}
X = BN_new();
Y = BN_new();
if (!X || !Y) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec),
pub_key, X, Y, NULL)) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, ERR_R_INTERNAL_ERROR);
goto err;
}
data_len = 2 * BN_num_bytes(order);
databuf = OPENSSL_malloc(data_len);
if (databuf == NULL) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, ERR_R_MALLOC_FAILURE);
goto err;
}
memset(databuf, 0, data_len);
store_bignum(X, databuf + data_len / 2, data_len / 2);
store_bignum(Y, databuf, data_len / 2);
octet = ASN1_OCTET_STRING_new();
if (octet == NULL) {
GOSTerr(GOST_F_PUB_ENCODE_GOST_EC, ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set(octet, NULL, data_len);
sptr = ASN1_STRING_data(octet);
for (i = 0, j = data_len - 1; i < data_len; i++, j--) {
sptr[i] = databuf[j];
}
ret = i2d_ASN1_OCTET_STRING(octet, &buf);
ASN1_BIT_STRING_free(octet);
err:
if (X)
BN_free(X);
if (Y)
BN_free(Y);
if (order)
BN_free(order);
if (databuf)
OPENSSL_free(databuf);
if (ret < 0)
return 0;
return X509_PUBKEY_set0_param(pub, algobj, ptype, pval, buf, ret);
}
size_t EC_KEY_public_key_to_oct(const EC_KEY *key, uint8_t *out, size_t out_len) {
return EC_POINT_point2oct(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key),
out, out_len, NULL);
}
void
kexecdh_client(Kex *kex)
{
EC_KEY *client_key;
EC_POINT *server_public;
const EC_GROUP *group;
BIGNUM *shared_secret;
Key *server_host_key;
u_char *server_host_key_blob = NULL, *signature = NULL;
u_char *kbuf, *hash;
u_int klen, slen, sbloblen, hashlen;
if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL)
fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
if (EC_KEY_generate_key(client_key) != 1)
fatal("%s: EC_KEY_generate_key failed", __func__);
group = EC_KEY_get0_group(client_key);
packet_start(SSH2_MSG_KEX_ECDH_INIT);
packet_put_ecpoint(group, EC_KEY_get0_public_key(client_key));
packet_send();
debug("sending SSH2_MSG_KEX_ECDH_INIT");
#ifdef DEBUG_KEXECDH
fputs("client private key:\n", stderr);
key_dump_ec_key(client_key);
#endif
debug("expecting SSH2_MSG_KEX_ECDH_REPLY");
packet_read_expect(SSH2_MSG_KEX_ECDH_REPLY);
/* hostkey */
server_host_key_blob = packet_get_string(&sbloblen);
server_host_key = key_from_blob(server_host_key_blob, sbloblen);
if (server_host_key == NULL)
fatal("cannot decode server_host_key_blob");
if (server_host_key->type != kex->hostkey_type)
fatal("type mismatch for decoded server_host_key_blob");
if (kex->verify_host_key == NULL)
fatal("cannot verify server_host_key");
if (kex->verify_host_key(server_host_key) == -1)
fatal("server_host_key verification failed");
/* Q_S, server public key */
if ((server_public = EC_POINT_new(group)) == NULL)
fatal("%s: EC_POINT_new failed", __func__);
packet_get_ecpoint(group, server_public);
if (key_ec_validate_public(group, server_public) != 0)
fatal("%s: invalid server public key", __func__);
#ifdef DEBUG_KEXECDH
fputs("server public key:\n", stderr);
key_dump_ec_point(group, server_public);
#endif
/* signed H */
signature = packet_get_string(&slen);
packet_check_eom();
klen = (EC_GROUP_get_degree(group) + 7) / 8;
kbuf = xmalloc(klen);
if (ECDH_compute_key(kbuf, klen, server_public,
client_key, NULL) != (int)klen)
fatal("%s: ECDH_compute_key failed", __func__);
#ifdef DEBUG_KEXECDH
dump_digest("shared secret", kbuf, klen);
#endif
if ((shared_secret = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
fatal("%s: BN_bin2bn failed", __func__);
memset(kbuf, 0, klen);
free(kbuf);
/* calc and verify H */
kex_ecdh_hash(
kex->evp_md,
group,
kex->client_version_string,
kex->server_version_string,
buffer_ptr(&kex->my), buffer_len(&kex->my),
buffer_ptr(&kex->peer), buffer_len(&kex->peer),
server_host_key_blob, sbloblen,
EC_KEY_get0_public_key(client_key),
server_public,
shared_secret,
&hash, &hashlen
);
free(server_host_key_blob);
EC_POINT_clear_free(server_public);
EC_KEY_free(client_key);
if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
fatal("key_verify failed for server_host_key");
key_free(server_host_key);
free(signature);
/* save session id */
if (kex->session_id == NULL) {
kex->session_id_len = hashlen;
kex->session_id = xmalloc(kex->session_id_len);
memcpy(kex->session_id, hash, kex->session_id_len);
}
kex_derive_keys(kex, hash, hashlen, shared_secret);
BN_clear_free(shared_secret);
kex_finish(kex);
}
int pkey_GOST01cp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out,
size_t *out_len, const unsigned char *key,
size_t key_len)
{
GOST_KEY_TRANSPORT *gkt = NULL;
EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(pctx);
struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(pctx);
const struct gost_cipher_info *param = get_encryption_params(NULL);
unsigned char ukm[8], shared_key[32], crypted_key[44];
int ret = 0;
int key_is_ephemeral = 1;
gost_ctx cctx;
EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx);
if (data->shared_ukm) {
memcpy(ukm, data->shared_ukm, 8);
} else if (out) {
if (RAND_bytes(ukm, 8) <= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
GOST_R_RANDOM_GENERATOR_FAILURE);
return 0;
}
}
/* Check for private key in the peer_key of context */
if (sec_key) {
key_is_ephemeral = 0;
if (!gost_get0_priv_key(sec_key)) {
GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR);
goto err;
}
} else {
key_is_ephemeral = 1;
if (out) {
sec_key = EVP_PKEY_new();
EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new());
EVP_PKEY_copy_parameters(sec_key, pubk);
if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) {
goto err;
}
}
}
if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS)
&& param == gost_cipher_list) {
param = gost_cipher_list + 1;
}
if (out) {
VKO_compute_key(shared_key, 32,
EC_KEY_get0_public_key(EVP_PKEY_get0(pubk)),
EVP_PKEY_get0(sec_key), ukm);
gost_init(&cctx, param->sblock);
keyWrapCryptoPro(&cctx, shared_key, ukm, key, crypted_key);
}
gkt = GOST_KEY_TRANSPORT_new();
if (!gkt) {
goto err;
}
if (!ASN1_OCTET_STRING_set(gkt->key_agreement_info->eph_iv, ukm, 8)) {
goto err;
}
if (!ASN1_OCTET_STRING_set(gkt->key_info->imit, crypted_key + 40, 4)) {
goto err;
}
if (!ASN1_OCTET_STRING_set
(gkt->key_info->encrypted_key, crypted_key + 8, 32)) {
goto err;
}
if (key_is_ephemeral) {
if (!X509_PUBKEY_set
(&gkt->key_agreement_info->ephem_key, out ? sec_key : pubk)) {
GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT,
GOST_R_CANNOT_PACK_EPHEMERAL_KEY);
goto err;
}
}
ASN1_OBJECT_free(gkt->key_agreement_info->cipher);
gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid);
if (key_is_ephemeral)
EVP_PKEY_free(sec_key);
if (!key_is_ephemeral) {
/* Set control "public key from client certificate used" */
if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL)
<= 0) {
GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, GOST_R_CTRL_CALL_FAILED);
goto err;
}
}
if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL)) > 0)
ret = 1;
GOST_KEY_TRANSPORT_free(gkt);
return ret;
err:
if (key_is_ephemeral)
EVP_PKEY_free(sec_key);
GOST_KEY_TRANSPORT_free(gkt);
return -1;
}
static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out)
{
EC_KEY *a=NULL;
EC_KEY *b=NULL;
BIGNUM *x_a=NULL, *y_a=NULL,
*x_b=NULL, *y_b=NULL;
char buf[12];
unsigned char *abuf=NULL,*bbuf=NULL;
int i,alen,blen,aout,bout,ret=0;
const EC_GROUP *group;
a = EC_KEY_new_by_curve_name(nid);
b = EC_KEY_new_by_curve_name(nid);
if (a == NULL || b == NULL)
goto err;
group = EC_KEY_get0_group(a);
if ((x_a=BN_new()) == NULL) goto err;
if ((y_a=BN_new()) == NULL) goto err;
if ((x_b=BN_new()) == NULL) goto err;
if ((y_b=BN_new()) == NULL) goto err;
BIO_puts(out,"Testing key generation with ");
BIO_puts(out,text);
#ifdef NOISY
BIO_puts(out,"\n");
#else
BIO_flush(out);
#endif
if (!EC_KEY_generate_key(a)) goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
}
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err;
}
#ifdef NOISY
BIO_puts(out," pri 1=");
BN_print(out,a->priv_key);
BIO_puts(out,"\n pub 1=");
BN_print(out,x_a);
BIO_puts(out,",");
BN_print(out,y_a);
BIO_puts(out,"\n");
#else
BIO_printf(out," .");
BIO_flush(out);
#endif
if (!EC_KEY_generate_key(b)) goto err;
if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field)
{
if (!EC_POINT_get_affine_coordinates_GFp(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
}
else
{
if (!EC_POINT_get_affine_coordinates_GF2m(group,
EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err;
}
#ifdef NOISY
BIO_puts(out," pri 2=");
BN_print(out,b->priv_key);
BIO_puts(out,"\n pub 2=");
BN_print(out,x_b);
BIO_puts(out,",");
BN_print(out,y_b);
BIO_puts(out,"\n");
#else
BIO_printf(out,".");
BIO_flush(out);
#endif
alen=KDF1_SHA1_len;
abuf=(unsigned char *)OPENSSL_malloc(alen);
aout=ECDH_compute_key(abuf,alen,EC_KEY_get0_public_key(b),a,KDF1_SHA1);
#ifdef NOISY
BIO_puts(out," key1 =");
for (i=0; i<aout; i++)
{
sprintf(buf,"%02X",abuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
#else
BIO_printf(out,".");
BIO_flush(out);
#endif
blen=KDF1_SHA1_len;
bbuf=(unsigned char *)OPENSSL_malloc(blen);
bout=ECDH_compute_key(bbuf,blen,EC_KEY_get0_public_key(a),b,KDF1_SHA1);
#ifdef NOISY
BIO_puts(out," key2 =");
for (i=0; i<bout; i++)
{
sprintf(buf,"%02X",bbuf[i]);
BIO_puts(out,buf);
}
BIO_puts(out,"\n");
#else
BIO_printf(out,".");
BIO_flush(out);
#endif
if ((aout < 4) || (bout != aout) || (memcmp(abuf,bbuf,aout) != 0))
{
#ifndef NOISY
BIO_printf(out, " failed\n\n");
BIO_printf(out, "key a:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(a));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_a);
BIO_printf(out, ",");
BN_print(out, y_a);
BIO_printf(out, "\nkey b:\n");
BIO_printf(out, "private key: ");
BN_print(out, EC_KEY_get0_private_key(b));
BIO_printf(out, "\n");
BIO_printf(out, "public key (x,y): ");
BN_print(out, x_b);
BIO_printf(out, ",");
BN_print(out, y_b);
BIO_printf(out, "\n");
BIO_printf(out, "generated key a: ");
for (i=0; i<bout; i++)
{
sprintf(buf, "%02X", bbuf[i]);
BIO_puts(out, buf);
}
BIO_printf(out, "\n");
BIO_printf(out, "generated key b: ");
for (i=0; i<aout; i++)
{
sprintf(buf, "%02X", abuf[i]);
BIO_puts(out,buf);
}
BIO_printf(out, "\n");
#endif
fprintf(stderr,"Error in ECDH routines\n");
ret=0;
}
else
{
#ifndef NOISY
BIO_printf(out, " ok\n");
#endif
ret=1;
}
err:
ERR_print_errors_fp(stderr);
if (abuf != NULL) OPENSSL_free(abuf);
if (bbuf != NULL) OPENSSL_free(bbuf);
if (x_a) BN_free(x_a);
if (y_a) BN_free(y_a);
if (x_b) BN_free(x_b);
if (y_b) BN_free(y_b);
if (b) EC_KEY_free(b);
if (a) EC_KEY_free(a);
return(ret);
}
CK_RV PKCS11_Objects_OpenSSL::GetAttributeValue(Cryptoki_Session_Context* pSessionCtx, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
{
OBJECT_DATA* pObj = PKCS11_Objects_OpenSSL::GetObjectFromHandle(pSessionCtx, hObject);
if(pObj == NULL) return CKR_OBJECT_HANDLE_INVALID;
if(pObj->Type == CertificateType)
{
CERT_DATA* pCertData = (CERT_DATA*)pObj->Data;
X509* pCert = pCertData->cert;
INT32 valLen = 0;
for(int i=0; i<(int)ulCount; i++)
{
switch(pTemplate[i].type)
{
case CKA_CLASS:
*(INT32*)pTemplate[i].pValue = SwapEndianIfBEc32(CKO_CERTIFICATE);
break;
case CKA_PRIVATE:
*(INT32*)pTemplate[i].pValue = SwapEndianIfBEc32(pCertData->privKeyData.key == NULL ? 0 : 1);
valLen = sizeof(INT32);
break;
case CKA_VALUE_BITS:
{
*(INT32*)pTemplate[i].pValue = SwapEndianIfBEc32(pCertData->pubKeyData.size);
valLen = sizeof(INT32);
}
break;
case CKA_KEY_TYPE:
{
*(UINT32*)pTemplate[i].pValue = SwapEndianIfBEc32(pCertData->pubKeyData.type);
valLen = sizeof(UINT32);
}
break;
case CKA_ISSUER:
{
char* name=X509_NAME_oneline(X509_get_issuer_name(pCert),NULL,0);
valLen = TINYCLR_SSL_STRLEN(name) + 1;
if(valLen > pTemplate[i].ulValueLen) valLen = pTemplate[i].ulValueLen;
hal_strcpy_s((char*)pTemplate[i].pValue, valLen, name);
OPENSSL_free(name);
}
break;
case CKA_SUBJECT:
{
char* subject=X509_NAME_oneline(X509_get_subject_name(pCert),NULL,0);
valLen = TINYCLR_SSL_STRLEN(subject) + 1;
if(valLen > pTemplate[i].ulValueLen) valLen = pTemplate[i].ulValueLen;
hal_strcpy_s((char*)pTemplate[i].pValue, valLen, subject);
OPENSSL_free(subject);
}
break;
case CKA_SERIAL_NUMBER:
{
ASN1_INTEGER* asn = X509_get_serialNumber(pCert);
valLen = asn->length;
if(valLen > pTemplate[i].ulValueLen) valLen = pTemplate[i].ulValueLen;
TINYCLR_SSL_MEMCPY(pTemplate[i].pValue, asn->data, valLen);
}
break;
case CKA_MECHANISM_TYPE:
if(pCert->sig_alg != NULL)
{
int signature_nid;
CK_MECHANISM_TYPE type = CKM_VENDOR_DEFINED;
signature_nid = OBJ_obj2nid(pCert->sig_alg->algorithm);
switch(signature_nid)
{
case NID_sha1WithRSA:
case NID_sha1WithRSAEncryption:
//szNid = "1.2.840.113549.1.1.5";
type = CKM_SHA1_RSA_PKCS;
break;
case NID_md5WithRSA:
case NID_md5WithRSAEncryption:
//szNid = "1.2.840.113549.1.1.4";
type = CKM_MD5_RSA_PKCS;
break;
case NID_sha256WithRSAEncryption:
//szNid = "1.2.840.113549.1.1.11";
type = CKM_SHA256_RSA_PKCS;
break;
case NID_sha384WithRSAEncryption:
//szNid = "1.2.840.113549.1.1.12";
type = CKM_SHA384_RSA_PKCS;
break;
case NID_sha512WithRSAEncryption:
//szNid = "1.2.840.113549.1.1.13";
type = CKM_SHA512_RSA_PKCS;
break;
}
valLen = sizeof(CK_MECHANISM_TYPE);
*(CK_MECHANISM_TYPE*)pTemplate[i].pValue = SwapEndianIfBEc32(type);
}
break;
case CKA_START_DATE:
{
DATE_TIME_INFO dti;
ssl_get_ASN1_UTCTIME(X509_get_notBefore(pCert), &dti);
valLen = (INT32)pTemplate[i].ulValueLen;
if(valLen > sizeof(dti)) valLen = sizeof(dti);
TINYCLR_SSL_MEMCPY(pTemplate[i].pValue, &dti, valLen);
}
break;
case CKA_END_DATE:
{
DATE_TIME_INFO dti;
ssl_get_ASN1_UTCTIME(X509_get_notAfter(pCert), &dti);
valLen = pTemplate[i].ulValueLen;
if(valLen > sizeof(dti)) valLen = sizeof(dti);
TINYCLR_SSL_MEMCPY(pTemplate[i].pValue, &dti, valLen);
}
break;
case CKA_VALUE:
{
UINT8* pData = (UINT8*)pTemplate[i].pValue;
UINT8* pTmp = pData;
valLen = i2d_X509(pCert, NULL);
if(valLen > pTemplate[i].ulValueLen) return CKR_DEVICE_MEMORY;
valLen = i2d_X509(pCert, &pTmp);
if(valLen < 0) return CKR_FUNCTION_FAILED;
}
break;
case CKA_VALUE_LEN:
*(UINT32*)pTemplate[i].pValue = SwapEndianIfBEc32(valLen);
break;
default:
return CKR_ATTRIBUTE_TYPE_INVALID;
}
}
}
else if(pObj->Type == KeyType)
{
KEY_DATA* pKey = (KEY_DATA*)pObj->Data;
int valLen = 0;
bool isPrivate = false;
for(int i=0; i<(int)ulCount; i++)
{
switch(pTemplate[i].type)
{
case CKA_CLASS:
*(INT32*)pTemplate[i].pValue = SwapEndianIfBEc32((0 != (pKey->attrib & Private) ? CKO_PRIVATE_KEY : 0 != (pKey->attrib & Public) ? CKO_PUBLIC_KEY : CKO_SECRET_KEY));
break;
case CKA_MODULUS:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->n, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_EXPONENT_1:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->dmp1, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_EXPONENT_2:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->dmq1, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_COEFFICIENT:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->iqmp, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PRIME_1:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->p, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PRIME_2:
if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->q, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PRIVATE_EXPONENT:
if(pKey->type == CKK_DSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.dsa->priv_key, (UINT8*)pTemplate[i].pValue);
}
else if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->d, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PUBLIC_EXPONENT:
if(pKey->type == CKK_DSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.dsa->pub_key, (UINT8*)pTemplate[i].pValue);
}
else if(pKey->type == CKK_EC)
{
UINT8 pTmp[66*2+1];
EC_KEY* pEC = ((EVP_PKEY*)pKey->key)->pkey.ec;
const EC_POINT* point = EC_KEY_get0_public_key(pEC);
valLen = EC_POINT_point2oct(EC_KEY_get0_group(pEC), point, POINT_CONVERSION_UNCOMPRESSED, (UINT8*)pTmp, ARRAYSIZE(pTmp), NULL);
if(valLen == 0) return CKR_FUNCTION_FAILED;
memmove(pTemplate[i].pValue, &pTmp[1], valLen-1); // remove POINT_CONVERSION_UNCOMPRESSED header byte
}
else if(pKey->type == CKK_RSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.rsa->e, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PRIME:
if(pKey->type == CKK_DSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.dsa->p, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_SUBPRIME:
if(pKey->type == CKK_DSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.dsa->q, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_BASE:
if(pKey->type == CKK_DSA)
{
EVP_PKEY* pRealKey = (EVP_PKEY*)pKey->key;
valLen = BN_bn2bin(pRealKey->pkey.dsa->g, (UINT8*)pTemplate[i].pValue);
}
break;
case CKA_PRIVATE:
isPrivate = 0 != *(INT32*)pTemplate[i].pValue;
break;
case CKA_KEY_TYPE:
*(INT32*)pTemplate[i].pValue = SwapEndianIfBEc32(pKey->type);
break;
case CKA_VALUE_BITS:
*(UINT32*)pTemplate[i].pValue = SwapEndianIfBEc32(pKey->size);
break;
case CKA_VALUE:
switch(pKey->type)
{
case CKK_AES:
case CKK_GENERIC_SECRET:
{
// TODO: Add permissions to export key
int len = (pKey->size + 7) / 8;
if(len > (INT32)pTemplate[i].ulValueLen) len = (int)pTemplate[i].ulValueLen;
TINYCLR_SSL_MEMCPY(pTemplate[i].pValue, pKey->key, len);
valLen = len;
}
break;
default:
return CKR_ATTRIBUTE_TYPE_INVALID;
}
break;
case CKA_VALUE_LEN:
switch(pKey->type)
{
case CKK_EC:
*(UINT32*)pTemplate[i].pValue = SwapEndianIfBEc32(valLen);
break;
default:
return CKR_ATTRIBUTE_TYPE_INVALID;
}
break;
default:
return CKR_ATTRIBUTE_TYPE_INVALID;
}
}
}
return CKR_OK;
}