Blame - ssh-rsa.c - platform/external/openssh

blob: c7f5ed0b3a8aed4c0b67e9a710d690163e7ef9c0 [file] [log] [blame]

Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	1	/*
				2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
				3	*
				4	* Redistribution and use in source and binary forms, with or without
				5	* modification, are permitted provided that the following conditions
				6	* are met:
				7	* 1. Redistributions of source code must retain the above copyright
				8	* notice, this list of conditions and the following disclaimer.
				9	* 2. Redistributions in binary form must reproduce the above copyright
				10	* notice, this list of conditions and the following disclaimer in the
				11	* documentation and/or other materials provided with the distribution.
				12	*
				13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				23	*/
				24
				25	#include "includes.h"
Ben Lindstrom	c51b924	2002-07-07 22:10:15 +0000	[diff] [blame]	26	RCSID("$OpenBSD: ssh-rsa.c,v 1.22 2002/07/04 04:15:33 deraadt Exp $");
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	27
				28	#include <openssl/evp.h>
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	29	#include <openssl/err.h>
				30
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	31	#include "xmalloc.h"
				32	#include "log.h"
				33	#include "buffer.h"
				34	#include "bufaux.h"
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	35	#include "key.h"
Ben Lindstrom	31ca54a	2001-02-09 02:11:24 +0000	[diff] [blame]	36	#include "ssh-rsa.h"
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	37	#include "compat.h"
Ben Lindstrom	03f3932	2002-04-02 20:43:11 +0000	[diff] [blame]	38	#include "ssh.h"
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	39
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	40	/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
				41	int
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	42	ssh_rsa_sign(Key key, u_char sigp, u_int lenp,
Ben Lindstrom	90fd814	2002-02-26 18:09:42 +0000	[diff] [blame]	43	u_char *data, u_int datalen)
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	44	{
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	45	const EVP_MD *evp_md;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	46	EVP_MD_CTX md;
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	47	u_char digest[EVP_MAX_MD_SIZE], sig, ret;
Ben Lindstrom	46c1622	2000-12-22 01:43:59 +0000	[diff] [blame]	48	u_int slen, dlen, len;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	49	int ok, nid;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	50	Buffer b;
				51
				52	if (key == NULL \|\| key->type != KEY_RSA \|\| key->rsa == NULL) {
				53	error("ssh_rsa_sign: no RSA key");
				54	return -1;
				55	}
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	56	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	57	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
				58	error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
				59	return -1;
				60	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	61	EVP_DigestInit(&md, evp_md);
				62	EVP_DigestUpdate(&md, data, datalen);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	63	EVP_DigestFinal(&md, digest, &dlen);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	64
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	65	slen = RSA_size(key->rsa);
				66	sig = xmalloc(slen);
				67
				68	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	69	memset(digest, 'd', sizeof(digest));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	70
				71	if (ok != 1) {
				72	int ecode = ERR_get_error();
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	73	error("ssh_rsa_sign: RSA_sign failed: %s",
				74	ERR_error_string(ecode, NULL));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	75	xfree(sig);
				76	return -1;
				77	}
				78	if (len < slen) {
				79	int diff = slen - len;
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	80	debug("slen %u > len %u", slen, len);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	81	memmove(sig + diff, sig, len);
				82	memset(sig, 0, diff);
				83	} else if (len > slen) {
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	84	error("ssh_rsa_sign: slen %u slen2 %u", slen, len);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	85	xfree(sig);
				86	return -1;
				87	}
				88	/* encode signature */
				89	buffer_init(&b);
				90	buffer_put_cstring(&b, "ssh-rsa");
				91	buffer_put_string(&b, sig, slen);
				92	len = buffer_len(&b);
				93	ret = xmalloc(len);
				94	memcpy(ret, buffer_ptr(&b), len);
				95	buffer_free(&b);
				96	memset(sig, 's', slen);
				97	xfree(sig);
				98
				99	if (lenp != NULL)
				100	*lenp = len;
				101	if (sigp != NULL)
				102	*sigp = ret;
Ben Lindstrom	c51b924	2002-07-07 22:10:15 +0000	[diff] [blame]	103	else
				104	xfree(ret);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	105	return 0;
				106	}
				107
				108	int
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	109	ssh_rsa_verify(Key key, u_char signature, u_int signaturelen,
Ben Lindstrom	90fd814	2002-02-26 18:09:42 +0000	[diff] [blame]	110	u_char *data, u_int datalen)
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	111	{
				112	Buffer b;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	113	const EVP_MD *evp_md;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	114	EVP_MD_CTX md;
				115	char *ktype;
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	116	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	117	u_int len, dlen, modlen;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	118	int rlen, ret, nid;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	119
				120	if (key == NULL \|\| key->type != KEY_RSA \|\| key->rsa == NULL) {
				121	error("ssh_rsa_verify: no RSA key");
				122	return -1;
				123	}
Ben Lindstrom	03f3932	2002-04-02 20:43:11 +0000	[diff] [blame]	124	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
Ben Lindstrom	2779d28	2002-06-11 15:47:42 +0000	[diff] [blame]	125	error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
				126	BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
Ben Lindstrom	bf555ba	2001-01-18 02:04:35 +0000	[diff] [blame]	127	return -1;
				128	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	129	buffer_init(&b);
Ben Lindstrom	9e0ddd4	2001-09-18 05:41:19 +0000	[diff] [blame]	130	buffer_append(&b, signature, signaturelen);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	131	ktype = buffer_get_string(&b, NULL);
				132	if (strcmp("ssh-rsa", ktype) != 0) {
				133	error("ssh_rsa_verify: cannot handle type %s", ktype);
				134	buffer_free(&b);
				135	xfree(ktype);
				136	return -1;
				137	}
				138	xfree(ktype);
Ben Lindstrom	9e0ddd4	2001-09-18 05:41:19 +0000	[diff] [blame]	139	sigblob = buffer_get_string(&b, &len);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	140	rlen = buffer_len(&b);
				141	buffer_free(&b);
Ben Lindstrom	1c37c6a	2001-12-06 18:00:18 +0000	[diff] [blame]	142	if (rlen != 0) {
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	143	error("ssh_rsa_verify: remaining bytes in signature %d", rlen);
Damien Miller	36e603d	2001-11-12 11:03:35 +1100	[diff] [blame]	144	xfree(sigblob);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	145	return -1;
				146	}
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	147	/* RSA_verify expects a signature of RSA_size */
				148	modlen = RSA_size(key->rsa);
				149	if (len > modlen) {
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	150	error("ssh_rsa_verify: len %u > modlen %u", len, modlen);
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	151	xfree(sigblob);
				152	return -1;
				153	} else if (len < modlen) {
				154	int diff = modlen - len;
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	155	debug("ssh_rsa_verify: add padding: modlen %u > len %u",
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	156	modlen, len);
				157	sigblob = xrealloc(sigblob, modlen);
				158	memmove(sigblob + diff, sigblob, len);
				159	memset(sigblob, 0, diff);
				160	len = modlen;
				161	}
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	162	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	163	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	164	error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
Damien Miller	36e603d	2001-11-12 11:03:35 +1100	[diff] [blame]	165	xfree(sigblob);
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	166	return -1;
				167	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	168	EVP_DigestInit(&md, evp_md);
				169	EVP_DigestUpdate(&md, data, datalen);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	170	EVP_DigestFinal(&md, digest, &dlen);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	171
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	172	ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	173	memset(digest, 'd', sizeof(digest));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	174	memset(sigblob, 's', len);
				175	xfree(sigblob);
				176	if (ret == 0) {
				177	int ecode = ERR_get_error();
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	178	error("ssh_rsa_verify: RSA_verify failed: %s",
				179	ERR_error_string(ecode, NULL));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	180	}
				181	debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
				182	return ret;
				183	}