2006-04-23 22:26:03 +04:00
|
|
|
/*
|
|
|
|
* Digital Signature Standard implementation for PuTTY.
|
|
|
|
*/
|
|
|
|
|
2000-09-07 20:33:49 +04:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
2001-03-03 14:54:34 +03:00
|
|
|
#include <assert.h>
|
2000-09-07 20:33:49 +04:00
|
|
|
|
2000-09-05 18:28:17 +04:00
|
|
|
#include "ssh.h"
|
2001-09-23 00:52:21 +04:00
|
|
|
#include "misc.h"
|
2000-09-05 18:28:17 +04:00
|
|
|
|
2001-09-23 00:52:21 +04:00
|
|
|
static void sha_mpint(SHA_State * s, Bignum b)
|
|
|
|
{
|
|
|
|
unsigned char lenbuf[4];
|
|
|
|
int len;
|
|
|
|
len = (bignum_bitcount(b) + 8) / 8;
|
|
|
|
PUT_32BIT(lenbuf, len);
|
|
|
|
SHA_Bytes(s, lenbuf, 4);
|
|
|
|
while (len-- > 0) {
|
|
|
|
lenbuf[0] = bignum_byte(b, len);
|
|
|
|
SHA_Bytes(s, lenbuf, 1);
|
|
|
|
}
|
2012-07-22 23:51:50 +04:00
|
|
|
smemclr(lenbuf, sizeof(lenbuf));
|
2001-09-23 00:52:21 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void sha512_mpint(SHA512_State * s, Bignum b)
|
|
|
|
{
|
|
|
|
unsigned char lenbuf[4];
|
|
|
|
int len;
|
|
|
|
len = (bignum_bitcount(b) + 8) / 8;
|
|
|
|
PUT_32BIT(lenbuf, len);
|
|
|
|
SHA512_Bytes(s, lenbuf, 4);
|
|
|
|
while (len-- > 0) {
|
|
|
|
lenbuf[0] = bignum_byte(b, len);
|
|
|
|
SHA512_Bytes(s, lenbuf, 1);
|
|
|
|
}
|
2012-07-22 23:51:50 +04:00
|
|
|
smemclr(lenbuf, sizeof(lenbuf));
|
2001-09-23 00:52:21 +04:00
|
|
|
}
|
2000-10-23 19:18:37 +04:00
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static void getstring(char **data, int *datalen, char **p, int *length)
|
|
|
|
{
|
2000-09-07 20:33:49 +04:00
|
|
|
*p = NULL;
|
|
|
|
if (*datalen < 4)
|
2001-05-06 18:35:20 +04:00
|
|
|
return;
|
2013-07-14 14:45:54 +04:00
|
|
|
*length = toint(GET_32BIT(*data));
|
2013-07-09 02:36:04 +04:00
|
|
|
if (*length < 0)
|
|
|
|
return;
|
2001-05-06 18:35:20 +04:00
|
|
|
*datalen -= 4;
|
|
|
|
*data += 4;
|
2000-09-07 20:33:49 +04:00
|
|
|
if (*datalen < *length)
|
2001-05-06 18:35:20 +04:00
|
|
|
return;
|
2000-09-07 20:33:49 +04:00
|
|
|
*p = *data;
|
2001-05-06 18:35:20 +04:00
|
|
|
*data += *length;
|
|
|
|
*datalen -= *length;
|
2000-09-07 20:33:49 +04:00
|
|
|
}
|
2001-05-06 18:35:20 +04:00
|
|
|
static Bignum getmp(char **data, int *datalen)
|
|
|
|
{
|
2000-09-07 20:33:49 +04:00
|
|
|
char *p;
|
2001-03-01 20:41:26 +03:00
|
|
|
int length;
|
2000-09-07 20:33:49 +04:00
|
|
|
Bignum b;
|
|
|
|
|
|
|
|
getstring(data, datalen, &p, &length);
|
|
|
|
if (!p)
|
2001-05-06 18:35:20 +04:00
|
|
|
return NULL;
|
2000-09-07 20:33:49 +04:00
|
|
|
if (p[0] & 0x80)
|
2001-05-06 18:35:20 +04:00
|
|
|
return NULL; /* negative mp */
|
2003-01-05 17:00:16 +03:00
|
|
|
b = bignum_from_bytes((unsigned char *)p, length);
|
2000-09-07 20:33:49 +04:00
|
|
|
return b;
|
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static Bignum get160(char **data, int *datalen)
|
|
|
|
{
|
2000-09-07 20:33:49 +04:00
|
|
|
Bignum b;
|
|
|
|
|
2013-08-02 10:27:56 +04:00
|
|
|
if (*datalen < 20)
|
|
|
|
return NULL;
|
|
|
|
|
2003-01-05 17:00:16 +03:00
|
|
|
b = bignum_from_bytes((unsigned char *)*data, 20);
|
2001-05-06 18:35:20 +04:00
|
|
|
*data += 20;
|
|
|
|
*datalen -= 20;
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
return b;
|
|
|
|
}
|
|
|
|
|
2013-08-04 23:33:49 +04:00
|
|
|
static void dss_freekey(void *key); /* forward reference */
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static void *dss_newkey(char *data, int len)
|
|
|
|
{
|
2000-09-07 20:33:49 +04:00
|
|
|
char *p;
|
|
|
|
int slen;
|
2000-12-02 15:48:15 +03:00
|
|
|
struct dss_key *dss;
|
|
|
|
|
2003-03-29 19:14:26 +03:00
|
|
|
dss = snew(struct dss_key);
|
2000-09-07 20:33:49 +04:00
|
|
|
getstring(&data, &len, &p, &slen);
|
2000-10-23 19:18:37 +04:00
|
|
|
|
|
|
|
#ifdef DEBUG_DSS
|
|
|
|
{
|
2001-05-06 18:35:20 +04:00
|
|
|
int i;
|
|
|
|
printf("key:");
|
|
|
|
for (i = 0; i < len; i++)
|
|
|
|
printf(" %02x", (unsigned char) (data[i]));
|
|
|
|
printf("\n");
|
2000-10-23 19:18:37 +04:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-07-09 02:36:04 +04:00
|
|
|
if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
|
2000-12-12 13:33:13 +03:00
|
|
|
sfree(dss);
|
2000-12-02 15:48:15 +03:00
|
|
|
return NULL;
|
2000-09-07 20:33:49 +04:00
|
|
|
}
|
2000-12-02 15:48:15 +03:00
|
|
|
dss->p = getmp(&data, &len);
|
|
|
|
dss->q = getmp(&data, &len);
|
|
|
|
dss->g = getmp(&data, &len);
|
|
|
|
dss->y = getmp(&data, &len);
|
2013-08-04 23:33:43 +04:00
|
|
|
dss->x = NULL;
|
2000-12-02 15:48:15 +03:00
|
|
|
|
2013-08-04 23:33:49 +04:00
|
|
|
if (!dss->p || !dss->q || !dss->g || !dss->y ||
|
|
|
|
!bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) {
|
|
|
|
/* Invalid key. */
|
|
|
|
dss_freekey(dss);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2000-12-02 15:48:15 +03:00
|
|
|
return dss;
|
2000-09-07 20:33:49 +04:00
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static void dss_freekey(void *key)
|
|
|
|
{
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
2013-08-04 23:33:43 +04:00
|
|
|
if (dss->p)
|
|
|
|
freebn(dss->p);
|
|
|
|
if (dss->q)
|
|
|
|
freebn(dss->q);
|
|
|
|
if (dss->g)
|
|
|
|
freebn(dss->g);
|
|
|
|
if (dss->y)
|
|
|
|
freebn(dss->y);
|
|
|
|
if (dss->x)
|
|
|
|
freebn(dss->x);
|
2000-12-12 13:33:13 +03:00
|
|
|
sfree(dss);
|
2000-12-02 15:48:15 +03:00
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static char *dss_fmtkey(void *key)
|
|
|
|
{
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
2000-09-07 20:33:49 +04:00
|
|
|
char *p;
|
2000-09-27 19:21:04 +04:00
|
|
|
int len, i, pos, nibbles;
|
|
|
|
static const char hex[] = "0123456789abcdef";
|
2000-12-02 15:48:15 +03:00
|
|
|
if (!dss->p)
|
2001-05-06 18:35:20 +04:00
|
|
|
return NULL;
|
|
|
|
len = 8 + 4 + 1; /* 4 x "0x", punctuation, \0 */
|
|
|
|
len += 4 * (bignum_bitcount(dss->p) + 15) / 16;
|
|
|
|
len += 4 * (bignum_bitcount(dss->q) + 15) / 16;
|
|
|
|
len += 4 * (bignum_bitcount(dss->g) + 15) / 16;
|
|
|
|
len += 4 * (bignum_bitcount(dss->y) + 15) / 16;
|
2003-03-29 19:14:26 +03:00
|
|
|
p = snewn(len, char);
|
2001-05-06 18:35:20 +04:00
|
|
|
if (!p)
|
|
|
|
return NULL;
|
2000-09-27 19:21:04 +04:00
|
|
|
|
|
|
|
pos = 0;
|
2001-05-06 18:35:20 +04:00
|
|
|
pos += sprintf(p + pos, "0x");
|
|
|
|
nibbles = (3 + bignum_bitcount(dss->p)) / 4;
|
|
|
|
if (nibbles < 1)
|
|
|
|
nibbles = 1;
|
|
|
|
for (i = nibbles; i--;)
|
|
|
|
p[pos++] =
|
|
|
|
hex[(bignum_byte(dss->p, i / 2) >> (4 * (i % 2))) & 0xF];
|
|
|
|
pos += sprintf(p + pos, ",0x");
|
|
|
|
nibbles = (3 + bignum_bitcount(dss->q)) / 4;
|
|
|
|
if (nibbles < 1)
|
|
|
|
nibbles = 1;
|
|
|
|
for (i = nibbles; i--;)
|
|
|
|
p[pos++] =
|
|
|
|
hex[(bignum_byte(dss->q, i / 2) >> (4 * (i % 2))) & 0xF];
|
|
|
|
pos += sprintf(p + pos, ",0x");
|
|
|
|
nibbles = (3 + bignum_bitcount(dss->g)) / 4;
|
|
|
|
if (nibbles < 1)
|
|
|
|
nibbles = 1;
|
|
|
|
for (i = nibbles; i--;)
|
|
|
|
p[pos++] =
|
|
|
|
hex[(bignum_byte(dss->g, i / 2) >> (4 * (i % 2))) & 0xF];
|
|
|
|
pos += sprintf(p + pos, ",0x");
|
|
|
|
nibbles = (3 + bignum_bitcount(dss->y)) / 4;
|
|
|
|
if (nibbles < 1)
|
|
|
|
nibbles = 1;
|
|
|
|
for (i = nibbles; i--;)
|
|
|
|
p[pos++] =
|
|
|
|
hex[(bignum_byte(dss->y, i / 2) >> (4 * (i % 2))) & 0xF];
|
2000-09-27 19:21:04 +04:00
|
|
|
p[pos] = '\0';
|
2000-09-07 20:33:49 +04:00
|
|
|
return p;
|
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static char *dss_fingerprint(void *key)
|
|
|
|
{
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
2000-09-27 19:21:04 +04:00
|
|
|
struct MD5Context md5c;
|
|
|
|
unsigned char digest[16], lenbuf[4];
|
2001-05-06 18:35:20 +04:00
|
|
|
char buffer[16 * 3 + 40];
|
2000-09-27 19:21:04 +04:00
|
|
|
char *ret;
|
|
|
|
int numlen, i;
|
|
|
|
|
|
|
|
MD5Init(&md5c);
|
2003-01-05 17:00:16 +03:00
|
|
|
MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11);
|
2000-09-27 19:21:04 +04:00
|
|
|
|
|
|
|
#define ADD_BIGNUM(bignum) \
|
2001-04-16 15:16:58 +04:00
|
|
|
numlen = (bignum_bitcount(bignum)+8)/8; \
|
2000-09-27 19:21:04 +04:00
|
|
|
PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
|
|
|
|
for (i = numlen; i-- ;) { \
|
|
|
|
unsigned char c = bignum_byte(bignum, i); \
|
|
|
|
MD5Update(&md5c, &c, 1); \
|
|
|
|
}
|
2000-12-02 15:48:15 +03:00
|
|
|
ADD_BIGNUM(dss->p);
|
|
|
|
ADD_BIGNUM(dss->q);
|
|
|
|
ADD_BIGNUM(dss->g);
|
|
|
|
ADD_BIGNUM(dss->y);
|
2000-09-27 19:21:04 +04:00
|
|
|
#undef ADD_BIGNUM
|
|
|
|
|
|
|
|
MD5Final(digest, &md5c);
|
|
|
|
|
2001-04-16 15:16:58 +04:00
|
|
|
sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p));
|
2000-09-27 19:21:04 +04:00
|
|
|
for (i = 0; i < 16; i++)
|
2001-05-06 18:35:20 +04:00
|
|
|
sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
|
|
|
|
digest[i]);
|
2003-03-29 19:14:26 +03:00
|
|
|
ret = snewn(strlen(buffer) + 1, char);
|
2000-09-27 19:21:04 +04:00
|
|
|
if (ret)
|
2001-05-06 18:35:20 +04:00
|
|
|
strcpy(ret, buffer);
|
2000-09-27 19:21:04 +04:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2000-12-02 15:48:15 +03:00
|
|
|
static int dss_verifysig(void *key, char *sig, int siglen,
|
2001-05-06 18:35:20 +04:00
|
|
|
char *data, int datalen)
|
|
|
|
{
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
2000-09-07 20:33:49 +04:00
|
|
|
char *p;
|
2000-10-23 20:03:21 +04:00
|
|
|
int slen;
|
2000-09-07 20:33:49 +04:00
|
|
|
char hash[20];
|
2000-10-23 20:11:31 +04:00
|
|
|
Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v;
|
2000-09-07 20:33:49 +04:00
|
|
|
int ret;
|
|
|
|
|
2000-12-02 15:48:15 +03:00
|
|
|
if (!dss->p)
|
2001-05-06 18:35:20 +04:00
|
|
|
return 0;
|
2000-09-07 20:33:49 +04:00
|
|
|
|
2000-10-23 19:18:37 +04:00
|
|
|
#ifdef DEBUG_DSS
|
|
|
|
{
|
2001-05-06 18:35:20 +04:00
|
|
|
int i;
|
|
|
|
printf("sig:");
|
|
|
|
for (i = 0; i < siglen; i++)
|
|
|
|
printf(" %02x", (unsigned char) (sig[i]));
|
|
|
|
printf("\n");
|
2000-10-23 19:18:37 +04:00
|
|
|
}
|
|
|
|
#endif
|
2000-10-03 13:05:56 +04:00
|
|
|
/*
|
|
|
|
* Commercial SSH (2.0.13) and OpenSSH disagree over the format
|
2007-10-04 01:21:18 +04:00
|
|
|
* of a DSA signature. OpenSSH is in line with RFC 4253:
|
2000-10-03 13:05:56 +04:00
|
|
|
* it uses a string "ssh-dss", followed by a 40-byte string
|
|
|
|
* containing two 160-bit integers end-to-end. Commercial SSH
|
|
|
|
* can't be bothered with the header bit, and considers a DSA
|
|
|
|
* signature blob to be _just_ the 40-byte string containing
|
|
|
|
* the two 160-bit integers. We tell them apart by measuring
|
|
|
|
* the length: length 40 means the commercial-SSH bug, anything
|
2007-10-04 01:21:18 +04:00
|
|
|
* else is assumed to be RFC-compliant.
|
2000-10-03 13:05:56 +04:00
|
|
|
*/
|
2001-05-06 18:35:20 +04:00
|
|
|
if (siglen != 40) { /* bug not present; read admin fields */
|
|
|
|
getstring(&sig, &siglen, &p, &slen);
|
|
|
|
if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
sig += 4, siglen -= 4; /* skip yet another length field */
|
2000-09-07 20:33:49 +04:00
|
|
|
}
|
|
|
|
r = get160(&sig, &siglen);
|
|
|
|
s = get160(&sig, &siglen);
|
2013-08-04 23:33:57 +04:00
|
|
|
if (!r || !s) {
|
|
|
|
if (r)
|
|
|
|
freebn(r);
|
|
|
|
if (s)
|
|
|
|
freebn(s);
|
2001-05-06 18:35:20 +04:00
|
|
|
return 0;
|
2013-08-04 23:33:57 +04:00
|
|
|
}
|
2000-09-07 20:33:49 +04:00
|
|
|
|
2013-08-04 23:34:00 +04:00
|
|
|
if (!bignum_cmp(s, Zero)) {
|
|
|
|
freebn(r);
|
|
|
|
freebn(s);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2000-09-07 20:33:49 +04:00
|
|
|
/*
|
|
|
|
* Step 1. w <- s^-1 mod q.
|
|
|
|
*/
|
2000-12-02 15:48:15 +03:00
|
|
|
w = modinv(s, dss->q);
|
2013-08-04 23:34:07 +04:00
|
|
|
if (!w) {
|
|
|
|
freebn(r);
|
|
|
|
freebn(s);
|
|
|
|
return 0;
|
|
|
|
}
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Step 2. u1 <- SHA(message) * w mod q.
|
|
|
|
*/
|
2003-01-05 17:00:16 +03:00
|
|
|
SHA_Simple(data, datalen, (unsigned char *)hash);
|
2001-05-06 18:35:20 +04:00
|
|
|
p = hash;
|
|
|
|
slen = 20;
|
|
|
|
sha = get160(&p, &slen);
|
2000-12-02 15:48:15 +03:00
|
|
|
u1 = modmul(sha, w, dss->q);
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Step 3. u2 <- r * w mod q.
|
|
|
|
*/
|
2000-12-02 15:48:15 +03:00
|
|
|
u2 = modmul(r, w, dss->q);
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Step 4. v <- (g^u1 * y^u2 mod p) mod q.
|
|
|
|
*/
|
2000-12-02 15:48:15 +03:00
|
|
|
gu1p = modpow(dss->g, u1, dss->p);
|
|
|
|
yu2p = modpow(dss->y, u2, dss->p);
|
|
|
|
gu1yu2p = modmul(gu1p, yu2p, dss->p);
|
|
|
|
v = modmul(gu1yu2p, One, dss->q);
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Step 5. v should now be equal to r.
|
|
|
|
*/
|
|
|
|
|
2000-10-23 20:03:21 +04:00
|
|
|
ret = !bignum_cmp(v, r);
|
2000-09-07 20:33:49 +04:00
|
|
|
|
|
|
|
freebn(w);
|
|
|
|
freebn(sha);
|
2013-07-14 14:46:07 +04:00
|
|
|
freebn(u1);
|
|
|
|
freebn(u2);
|
2000-10-23 20:11:31 +04:00
|
|
|
freebn(gu1p);
|
|
|
|
freebn(yu2p);
|
|
|
|
freebn(gu1yu2p);
|
2000-09-07 20:33:49 +04:00
|
|
|
freebn(v);
|
|
|
|
freebn(r);
|
|
|
|
freebn(s);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static unsigned char *dss_public_blob(void *key, int *len)
|
|
|
|
{
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
2001-03-03 14:54:34 +03:00
|
|
|
int plen, qlen, glen, ylen, bloblen;
|
|
|
|
int i;
|
|
|
|
unsigned char *blob, *p;
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
plen = (bignum_bitcount(dss->p) + 8) / 8;
|
|
|
|
qlen = (bignum_bitcount(dss->q) + 8) / 8;
|
|
|
|
glen = (bignum_bitcount(dss->g) + 8) / 8;
|
|
|
|
ylen = (bignum_bitcount(dss->y) + 8) / 8;
|
2001-03-03 14:54:34 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* string "ssh-dss", mpint p, mpint q, mpint g, mpint y. Total
|
|
|
|
* 27 + sum of lengths. (five length fields, 20+7=27).
|
|
|
|
*/
|
2001-05-06 18:35:20 +04:00
|
|
|
bloblen = 27 + plen + qlen + glen + ylen;
|
2003-03-29 19:14:26 +03:00
|
|
|
blob = snewn(bloblen, unsigned char);
|
2001-03-03 14:54:34 +03:00
|
|
|
p = blob;
|
2001-05-06 18:35:20 +04:00
|
|
|
PUT_32BIT(p, 7);
|
|
|
|
p += 4;
|
|
|
|
memcpy(p, "ssh-dss", 7);
|
|
|
|
p += 7;
|
|
|
|
PUT_32BIT(p, plen);
|
|
|
|
p += 4;
|
|
|
|
for (i = plen; i--;)
|
|
|
|
*p++ = bignum_byte(dss->p, i);
|
|
|
|
PUT_32BIT(p, qlen);
|
|
|
|
p += 4;
|
|
|
|
for (i = qlen; i--;)
|
|
|
|
*p++ = bignum_byte(dss->q, i);
|
|
|
|
PUT_32BIT(p, glen);
|
|
|
|
p += 4;
|
|
|
|
for (i = glen; i--;)
|
|
|
|
*p++ = bignum_byte(dss->g, i);
|
|
|
|
PUT_32BIT(p, ylen);
|
|
|
|
p += 4;
|
|
|
|
for (i = ylen; i--;)
|
|
|
|
*p++ = bignum_byte(dss->y, i);
|
2001-03-03 14:54:34 +03:00
|
|
|
assert(p == blob + bloblen);
|
|
|
|
*len = bloblen;
|
|
|
|
return blob;
|
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static unsigned char *dss_private_blob(void *key, int *len)
|
|
|
|
{
|
2001-09-23 00:52:21 +04:00
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
|
|
|
int xlen, bloblen;
|
|
|
|
int i;
|
|
|
|
unsigned char *blob, *p;
|
|
|
|
|
|
|
|
xlen = (bignum_bitcount(dss->x) + 8) / 8;
|
|
|
|
|
|
|
|
/*
|
2001-11-25 17:31:46 +03:00
|
|
|
* mpint x, string[20] the SHA of p||q||g. Total 4 + xlen.
|
2001-09-23 00:52:21 +04:00
|
|
|
*/
|
2001-11-25 17:31:46 +03:00
|
|
|
bloblen = 4 + xlen;
|
2003-03-29 19:14:26 +03:00
|
|
|
blob = snewn(bloblen, unsigned char);
|
2001-09-23 00:52:21 +04:00
|
|
|
p = blob;
|
|
|
|
PUT_32BIT(p, xlen);
|
|
|
|
p += 4;
|
|
|
|
for (i = xlen; i--;)
|
|
|
|
*p++ = bignum_byte(dss->x, i);
|
|
|
|
assert(p == blob + bloblen);
|
|
|
|
*len = bloblen;
|
|
|
|
return blob;
|
2001-03-03 14:54:34 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
static void *dss_createkey(unsigned char *pub_blob, int pub_len,
|
2001-05-06 18:35:20 +04:00
|
|
|
unsigned char *priv_blob, int priv_len)
|
|
|
|
{
|
2001-09-23 00:52:21 +04:00
|
|
|
struct dss_key *dss;
|
|
|
|
char *pb = (char *) priv_blob;
|
|
|
|
char *hash;
|
|
|
|
int hashlen;
|
|
|
|
SHA_State s;
|
|
|
|
unsigned char digest[20];
|
|
|
|
Bignum ytest;
|
|
|
|
|
|
|
|
dss = dss_newkey((char *) pub_blob, pub_len);
|
2013-08-04 23:33:49 +04:00
|
|
|
if (!dss)
|
|
|
|
return NULL;
|
2001-09-23 00:52:21 +04:00
|
|
|
dss->x = getmp(&pb, &priv_len);
|
2013-08-04 23:33:49 +04:00
|
|
|
if (!dss->x) {
|
|
|
|
dss_freekey(dss);
|
|
|
|
return NULL;
|
|
|
|
}
|
2001-09-23 00:52:21 +04:00
|
|
|
|
|
|
|
/*
|
2001-11-25 17:31:46 +03:00
|
|
|
* Check the obsolete hash in the old DSS key format.
|
2001-09-23 00:52:21 +04:00
|
|
|
*/
|
2001-11-25 17:31:46 +03:00
|
|
|
hashlen = -1;
|
|
|
|
getstring(&pb, &priv_len, &hash, &hashlen);
|
|
|
|
if (hashlen == 20) {
|
|
|
|
SHA_Init(&s);
|
|
|
|
sha_mpint(&s, dss->p);
|
|
|
|
sha_mpint(&s, dss->q);
|
|
|
|
sha_mpint(&s, dss->g);
|
|
|
|
SHA_Final(&s, digest);
|
|
|
|
if (0 != memcmp(hash, digest, 20)) {
|
|
|
|
dss_freekey(dss);
|
|
|
|
return NULL;
|
|
|
|
}
|
2001-09-23 00:52:21 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now ensure g^x mod p really is y.
|
|
|
|
*/
|
|
|
|
ytest = modpow(dss->g, dss->x, dss->p);
|
|
|
|
if (0 != bignum_cmp(ytest, dss->y)) {
|
|
|
|
dss_freekey(dss);
|
2013-07-14 14:46:07 +04:00
|
|
|
freebn(ytest);
|
2001-09-23 00:52:21 +04:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
freebn(ytest);
|
|
|
|
|
|
|
|
return dss;
|
2001-03-03 14:54:34 +03:00
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static void *dss_openssh_createkey(unsigned char **blob, int *len)
|
|
|
|
{
|
2001-09-23 00:52:21 +04:00
|
|
|
char **b = (char **) blob;
|
|
|
|
struct dss_key *dss;
|
|
|
|
|
2003-03-29 19:14:26 +03:00
|
|
|
dss = snew(struct dss_key);
|
2001-09-23 00:52:21 +04:00
|
|
|
|
|
|
|
dss->p = getmp(b, len);
|
|
|
|
dss->q = getmp(b, len);
|
|
|
|
dss->g = getmp(b, len);
|
|
|
|
dss->y = getmp(b, len);
|
|
|
|
dss->x = getmp(b, len);
|
|
|
|
|
2013-08-04 23:33:49 +04:00
|
|
|
if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x ||
|
|
|
|
!bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) {
|
|
|
|
/* Invalid key. */
|
|
|
|
dss_freekey(dss);
|
|
|
|
return NULL;
|
2001-09-23 00:52:21 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
return dss;
|
2001-03-03 18:31:35 +03:00
|
|
|
}
|
|
|
|
|
2001-05-06 18:35:20 +04:00
|
|
|
static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len)
|
|
|
|
{
|
2001-09-23 00:52:21 +04:00
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
|
|
|
int bloblen, i;
|
|
|
|
|
|
|
|
bloblen =
|
|
|
|
ssh2_bignum_length(dss->p) +
|
|
|
|
ssh2_bignum_length(dss->q) +
|
|
|
|
ssh2_bignum_length(dss->g) +
|
|
|
|
ssh2_bignum_length(dss->y) +
|
|
|
|
ssh2_bignum_length(dss->x);
|
|
|
|
|
|
|
|
if (bloblen > len)
|
|
|
|
return bloblen;
|
|
|
|
|
|
|
|
bloblen = 0;
|
|
|
|
#define ENC(x) \
|
|
|
|
PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
|
|
|
|
for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
|
|
|
|
ENC(dss->p);
|
|
|
|
ENC(dss->q);
|
|
|
|
ENC(dss->g);
|
|
|
|
ENC(dss->y);
|
|
|
|
ENC(dss->x);
|
|
|
|
|
|
|
|
return bloblen;
|
2001-04-16 15:16:58 +04:00
|
|
|
}
|
|
|
|
|
2004-01-22 22:15:32 +03:00
|
|
|
static int dss_pubkey_bits(void *blob, int len)
|
|
|
|
{
|
|
|
|
struct dss_key *dss;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
dss = dss_newkey((char *) blob, len);
|
2013-08-04 23:33:49 +04:00
|
|
|
if (!dss)
|
|
|
|
return -1;
|
2004-01-22 22:15:32 +03:00
|
|
|
ret = bignum_bitcount(dss->p);
|
|
|
|
dss_freekey(dss);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2003-01-06 02:14:04 +03:00
|
|
|
static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
|
2001-05-06 18:35:20 +04:00
|
|
|
{
|
2001-09-23 00:52:21 +04:00
|
|
|
/*
|
|
|
|
* The basic DSS signing algorithm is:
|
|
|
|
*
|
|
|
|
* - invent a random k between 1 and q-1 (exclusive).
|
|
|
|
* - Compute r = (g^k mod p) mod q.
|
|
|
|
* - Compute s = k^-1 * (hash + x*r) mod q.
|
|
|
|
*
|
|
|
|
* This has the dangerous properties that:
|
|
|
|
*
|
|
|
|
* - if an attacker in possession of the public key _and_ the
|
|
|
|
* signature (for example, the host you just authenticated
|
|
|
|
* to) can guess your k, he can reverse the computation of s
|
|
|
|
* and work out x = r^-1 * (s*k - hash) mod q. That is, he
|
|
|
|
* can deduce the private half of your key, and masquerade
|
|
|
|
* as you for as long as the key is still valid.
|
|
|
|
*
|
|
|
|
* - since r is a function purely of k and the public key, if
|
|
|
|
* the attacker only has a _range of possibilities_ for k
|
|
|
|
* it's easy for him to work through them all and check each
|
|
|
|
* one against r; he'll never be unsure of whether he's got
|
|
|
|
* the right one.
|
|
|
|
*
|
|
|
|
* - if you ever sign two different hashes with the same k, it
|
|
|
|
* will be immediately obvious because the two signatures
|
|
|
|
* will have the same r, and moreover an attacker in
|
|
|
|
* possession of both signatures (and the public key of
|
|
|
|
* course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
|
|
|
|
* and from there deduce x as before.
|
|
|
|
*
|
|
|
|
* - the Bleichenbacher attack on DSA makes use of methods of
|
|
|
|
* generating k which are significantly non-uniformly
|
|
|
|
* distributed; in particular, generating a 160-bit random
|
|
|
|
* number and reducing it mod q is right out.
|
|
|
|
*
|
|
|
|
* For this reason we must be pretty careful about how we
|
|
|
|
* generate our k. Since this code runs on Windows, with no
|
|
|
|
* particularly good system entropy sources, we can't trust our
|
|
|
|
* RNG itself to produce properly unpredictable data. Hence, we
|
|
|
|
* use a totally different scheme instead.
|
|
|
|
*
|
|
|
|
* What we do is to take a SHA-512 (_big_) hash of the private
|
|
|
|
* key x, and then feed this into another SHA-512 hash that
|
|
|
|
* also includes the message hash being signed. That is:
|
|
|
|
*
|
|
|
|
* proto_k = SHA512 ( SHA512(x) || SHA160(message) )
|
|
|
|
*
|
|
|
|
* This number is 512 bits long, so reducing it mod q won't be
|
|
|
|
* noticeably non-uniform. So
|
|
|
|
*
|
|
|
|
* k = proto_k mod q
|
|
|
|
*
|
|
|
|
* This has the interesting property that it's _deterministic_:
|
|
|
|
* signing the same hash twice with the same key yields the
|
|
|
|
* same signature.
|
|
|
|
*
|
2001-09-23 01:00:16 +04:00
|
|
|
* Despite this determinism, it's still not predictable to an
|
|
|
|
* attacker, because in order to repeat the SHA-512
|
|
|
|
* construction that created it, the attacker would have to
|
|
|
|
* know the private key value x - and by assumption he doesn't,
|
|
|
|
* because if he knew that he wouldn't be attacking k!
|
|
|
|
*
|
|
|
|
* (This trick doesn't, _per se_, protect against reuse of k.
|
|
|
|
* Reuse of k is left to chance; all it does is prevent
|
|
|
|
* _excessively high_ chances of reuse of k due to entropy
|
|
|
|
* problems.)
|
2001-09-23 00:52:21 +04:00
|
|
|
*
|
|
|
|
* Thanks to Colin Plumb for the general idea of using x to
|
|
|
|
* ensure k is hard to guess, and to the Cambridge University
|
|
|
|
* Computer Security Group for helping to argue out all the
|
|
|
|
* fine details.
|
|
|
|
*/
|
|
|
|
struct dss_key *dss = (struct dss_key *) key;
|
|
|
|
SHA512_State ss;
|
|
|
|
unsigned char digest[20], digest512[64];
|
|
|
|
Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
|
|
|
|
unsigned char *bytes;
|
|
|
|
int nbytes, i;
|
|
|
|
|
|
|
|
SHA_Simple(data, datalen, digest);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Hash some identifying text plus x.
|
|
|
|
*/
|
|
|
|
SHA512_Init(&ss);
|
|
|
|
SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
|
|
|
|
sha512_mpint(&ss, dss->x);
|
|
|
|
SHA512_Final(&ss, digest512);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now hash that digest plus the message hash.
|
|
|
|
*/
|
|
|
|
SHA512_Init(&ss);
|
|
|
|
SHA512_Bytes(&ss, digest512, sizeof(digest512));
|
|
|
|
SHA512_Bytes(&ss, digest, sizeof(digest));
|
|
|
|
|
2013-08-04 23:34:07 +04:00
|
|
|
while (1) {
|
|
|
|
SHA512_State ss2 = ss; /* structure copy */
|
|
|
|
SHA512_Final(&ss2, digest512);
|
|
|
|
|
|
|
|
smemclr(&ss2, sizeof(ss2));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now convert the result into a bignum, and reduce it mod q.
|
|
|
|
*/
|
|
|
|
proto_k = bignum_from_bytes(digest512, 64);
|
|
|
|
k = bigmod(proto_k, dss->q);
|
|
|
|
freebn(proto_k);
|
|
|
|
kinv = modinv(k, dss->q); /* k^-1 mod q */
|
|
|
|
if (!kinv) { /* very unlikely */
|
|
|
|
freebn(k);
|
|
|
|
/* Perturb the hash to think of a different k. */
|
|
|
|
SHA512_Bytes(&ss, "x", 1);
|
|
|
|
/* Go round and try again. */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
break;
|
|
|
|
}
|
2001-09-23 00:52:21 +04:00
|
|
|
|
2013-08-04 23:34:07 +04:00
|
|
|
smemclr(&ss, sizeof(ss));
|
2001-09-23 00:52:21 +04:00
|
|
|
|
2012-07-22 23:51:50 +04:00
|
|
|
smemclr(digest512, sizeof(digest512));
|
2001-09-23 00:52:21 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Now we have k, so just go ahead and compute the signature.
|
|
|
|
*/
|
|
|
|
gkp = modpow(dss->g, k, dss->p); /* g^k mod p */
|
|
|
|
r = bigmod(gkp, dss->q); /* r = (g^k mod p) mod q */
|
|
|
|
freebn(gkp);
|
|
|
|
|
|
|
|
hash = bignum_from_bytes(digest, 20);
|
|
|
|
hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */
|
|
|
|
s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
|
|
|
|
freebn(hxr);
|
|
|
|
freebn(kinv);
|
2013-08-04 23:33:57 +04:00
|
|
|
freebn(k);
|
2001-09-23 00:52:21 +04:00
|
|
|
freebn(hash);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Signature blob is
|
|
|
|
*
|
|
|
|
* string "ssh-dss"
|
|
|
|
* string two 20-byte numbers r and s, end to end
|
|
|
|
*
|
|
|
|
* i.e. 4+7 + 4+40 bytes.
|
|
|
|
*/
|
|
|
|
nbytes = 4 + 7 + 4 + 40;
|
2003-03-29 19:14:26 +03:00
|
|
|
bytes = snewn(nbytes, unsigned char);
|
2001-09-23 00:52:21 +04:00
|
|
|
PUT_32BIT(bytes, 7);
|
|
|
|
memcpy(bytes + 4, "ssh-dss", 7);
|
|
|
|
PUT_32BIT(bytes + 4 + 7, 40);
|
|
|
|
for (i = 0; i < 20; i++) {
|
|
|
|
bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i);
|
|
|
|
bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i);
|
|
|
|
}
|
|
|
|
freebn(r);
|
|
|
|
freebn(s);
|
|
|
|
|
|
|
|
*siglen = nbytes;
|
|
|
|
return bytes;
|
2000-12-02 15:48:15 +03:00
|
|
|
}
|
|
|
|
|
2001-03-03 14:54:34 +03:00
|
|
|
const struct ssh_signkey ssh_dss = {
|
2000-12-02 15:48:15 +03:00
|
|
|
dss_newkey,
|
|
|
|
dss_freekey,
|
2000-09-07 20:33:49 +04:00
|
|
|
dss_fmtkey,
|
2001-03-03 14:54:34 +03:00
|
|
|
dss_public_blob,
|
|
|
|
dss_private_blob,
|
|
|
|
dss_createkey,
|
2001-03-03 18:31:35 +03:00
|
|
|
dss_openssh_createkey,
|
2001-04-16 15:16:58 +04:00
|
|
|
dss_openssh_fmtkey,
|
2004-01-22 22:15:32 +03:00
|
|
|
dss_pubkey_bits,
|
2000-09-27 19:21:04 +04:00
|
|
|
dss_fingerprint,
|
2000-09-07 20:33:49 +04:00
|
|
|
dss_verifysig,
|
2000-12-02 15:48:15 +03:00
|
|
|
dss_sign,
|
2000-09-27 19:21:04 +04:00
|
|
|
"ssh-dss",
|
|
|
|
"dss"
|
2000-09-05 18:28:17 +04:00
|
|
|
};
|