Blame - ssh-rsa.c - platform/external/openssh

blob: 782c855730081e0a24950adcdb416a6525866bea [file] [log] [blame]

Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	1	/* $OpenBSD: ssh-rsa.c,v 1.47 2013/12/27 22:30:17 djm Exp $ */
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	2	/*
Darren Tucker	a251f80	2003-06-22 20:45:15 +1000	[diff] [blame]	3	* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	4	*
Darren Tucker	a251f80	2003-06-22 20:45:15 +1000	[diff] [blame]	5	* Permission to use, copy, modify, and distribute this software for any
				6	* purpose with or without fee is hereby granted, provided that the above
				7	* copyright notice and this permission notice appear in all copies.
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	8	*
Darren Tucker	a251f80	2003-06-22 20:45:15 +1000	[diff] [blame]	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
				12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
				14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
				15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	16	*/
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	17
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	18	#include "includes.h"
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	19
Damien Miller	d783435	2006-08-05 12:39:39 +1000	[diff] [blame]	20	#include <sys/types.h>
				21
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	22	#include <openssl/evp.h>
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	23	#include <openssl/err.h>
				24
Damien Miller	ded319c	2006-09-01 15:38:36 +1000	[diff] [blame]	25	#include <stdarg.h>
Damien Miller	e3476ed	2006-07-24 14:13:33 +1000	[diff] [blame]	26	#include <string.h>
				27
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	28	#include "xmalloc.h"
				29	#include "log.h"
				30	#include "buffer.h"
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	31	#include "key.h"
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	32	#include "compat.h"
Damien Miller	8a0268f	2010-07-16 13:57:51 +1000	[diff] [blame]	33	#include "misc.h"
Ben Lindstrom	03f3932	2002-04-02 20:43:11 +0000	[diff] [blame]	34	#include "ssh.h"
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	35
Ben Lindstrom	93576d9	2002-12-23 02:06:19 +0000	[diff] [blame]	36	static int openssh_RSA_verify(int, u_char , u_int, u_char , u_int, RSA *);
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	37
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	38	/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
				39	int
Damien Miller	f58b58c	2003-11-17 21:18:23 +1100	[diff] [blame]	40	ssh_rsa_sign(const Key key, u_char sigp, u_int lenp,
				41	const u_char *data, u_int datalen)
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	42	{
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	43	const EVP_MD *evp_md;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	44	EVP_MD_CTX md;
Ben Lindstrom	2bf759c	2002-07-07 22:13:31 +0000	[diff] [blame]	45	u_char digest[EVP_MAX_MD_SIZE], *sig;
Ben Lindstrom	46c1622	2000-12-22 01:43:59 +0000	[diff] [blame]	46	u_int slen, dlen, len;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	47	int ok, nid;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	48	Buffer b;
				49
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	50	if (key == NULL \|\| key_type_plain(key->type) != KEY_RSA \|\|
				51	key->rsa == NULL) {
				52	error("%s: no RSA key", __func__);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	53	return -1;
				54	}
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	55
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	56	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	57	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	58	error("%s: EVP_get_digestbynid %d failed", __func__, nid);
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	59	return -1;
				60	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	61	EVP_DigestInit(&md, evp_md);
				62	EVP_DigestUpdate(&md, data, datalen);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	63	EVP_DigestFinal(&md, digest, &dlen);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	64
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	65	slen = RSA_size(key->rsa);
				66	sig = xmalloc(slen);
				67
				68	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	69	memset(digest, 'd', sizeof(digest));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	70
				71	if (ok != 1) {
				72	int ecode = ERR_get_error();
Damien Miller	9096740	2006-03-26 14:07:26 +1100	[diff] [blame]	73
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	74	error("%s: RSA_sign failed: %s", __func__,
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	75	ERR_error_string(ecode, NULL));
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	76	free(sig);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	77	return -1;
				78	}
				79	if (len < slen) {
Ben Lindstrom	0e50d84	2002-08-20 18:39:14 +0000	[diff] [blame]	80	u_int diff = slen - len;
Ben Lindstrom	5c38552	2002-06-23 21:23:20 +0000	[diff] [blame]	81	debug("slen %u > len %u", slen, len);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	82	memmove(sig + diff, sig, len);
				83	memset(sig, 0, diff);
				84	} else if (len > slen) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	85	error("%s: slen %u slen2 %u", __func__, slen, len);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	86	free(sig);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	87	return -1;
				88	}
				89	/* encode signature */
				90	buffer_init(&b);
				91	buffer_put_cstring(&b, "ssh-rsa");
				92	buffer_put_string(&b, sig, slen);
				93	len = buffer_len(&b);
Ben Lindstrom	2bf759c	2002-07-07 22:13:31 +0000	[diff] [blame]	94	if (lenp != NULL)
				95	*lenp = len;
				96	if (sigp != NULL) {
				97	*sigp = xmalloc(len);
				98	memcpy(*sigp, buffer_ptr(&b), len);
				99	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	100	buffer_free(&b);
				101	memset(sig, 's', slen);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	102	free(sig);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	103
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	104	return 0;
				105	}
				106
				107	int
Damien Miller	f58b58c	2003-11-17 21:18:23 +1100	[diff] [blame]	108	ssh_rsa_verify(const Key key, const u_char signature, u_int signaturelen,
				109	const u_char *data, u_int datalen)
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	110	{
				111	Buffer b;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	112	const EVP_MD *evp_md;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	113	EVP_MD_CTX md;
				114	char *ktype;
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	115	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	116	u_int len, dlen, modlen;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	117	int rlen, ret, nid;
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	118
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	119	if (key == NULL \|\| key_type_plain(key->type) != KEY_RSA \|\|
				120	key->rsa == NULL) {
				121	error("%s: no RSA key", __func__);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	122	return -1;
				123	}
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	124
Ben Lindstrom	03f3932	2002-04-02 20:43:11 +0000	[diff] [blame]	125	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	126	error("%s: RSA modulus too small: %d < minimum %d bits",
				127	__func__, BN_num_bits(key->rsa->n),
				128	SSH_RSA_MINIMUM_MODULUS_SIZE);
Ben Lindstrom	bf555ba	2001-01-18 02:04:35 +0000	[diff] [blame]	129	return -1;
				130	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	131	buffer_init(&b);
Ben Lindstrom	9e0ddd4	2001-09-18 05:41:19 +0000	[diff] [blame]	132	buffer_append(&b, signature, signaturelen);
Damien Miller	da108ec	2010-08-31 22:36:39 +1000	[diff] [blame]	133	ktype = buffer_get_cstring(&b, NULL);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	134	if (strcmp("ssh-rsa", ktype) != 0) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	135	error("%s: cannot handle type %s", __func__, ktype);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	136	buffer_free(&b);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	137	free(ktype);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	138	return -1;
				139	}
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	140	free(ktype);
Ben Lindstrom	9e0ddd4	2001-09-18 05:41:19 +0000	[diff] [blame]	141	sigblob = buffer_get_string(&b, &len);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	142	rlen = buffer_len(&b);
				143	buffer_free(&b);
Ben Lindstrom	1c37c6a	2001-12-06 18:00:18 +0000	[diff] [blame]	144	if (rlen != 0) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	145	error("%s: remaining bytes in signature %d", __func__, rlen);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	146	free(sigblob);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	147	return -1;
				148	}
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	149	/* RSA_verify expects a signature of RSA_size */
				150	modlen = RSA_size(key->rsa);
				151	if (len > modlen) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	152	error("%s: len %u > modlen %u", __func__, len, modlen);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	153	free(sigblob);
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	154	return -1;
				155	} else if (len < modlen) {
Ben Lindstrom	0e50d84	2002-08-20 18:39:14 +0000	[diff] [blame]	156	u_int diff = modlen - len;
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	157	debug("%s: add padding: modlen %u > len %u", __func__,
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	158	modlen, len);
Damien Miller	3681209	2006-03-26 14:22:47 +1100	[diff] [blame]	159	sigblob = xrealloc(sigblob, 1, modlen);
Ben Lindstrom	ceae9d1	2002-06-06 20:55:04 +0000	[diff] [blame]	160	memmove(sigblob + diff, sigblob, len);
				161	memset(sigblob, 0, diff);
				162	len = modlen;
				163	}
Ben Lindstrom	60a4381	2001-03-29 00:32:56 +0000	[diff] [blame]	164	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	165	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	166	error("%s: EVP_get_digestbynid %d failed", __func__, nid);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	167	free(sigblob);
Ben Lindstrom	425fb02	2001-03-29 00:31:20 +0000	[diff] [blame]	168	return -1;
				169	}
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	170	EVP_DigestInit(&md, evp_md);
				171	EVP_DigestUpdate(&md, data, datalen);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	172	EVP_DigestFinal(&md, digest, &dlen);
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	173
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	174	ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
Damien Miller	c516e92	2002-02-05 11:53:43 +1100	[diff] [blame]	175	memset(digest, 'd', sizeof(digest));
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	176	memset(sigblob, 's', len);
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	177	free(sigblob);
Damien Miller	3e19295	2013-12-29 17:47:50 +1100	[diff] [blame^]	178	debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : "");
Damien Miller	0bc1bd8	2000-11-13 22:57:25 +1100	[diff] [blame]	179	return ret;
				180	}
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	181
				182	/*
				183	* See:
				184	* http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
				185	* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
				186	*/
				187	/*
				188	* id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
				189	* oiw(14) secsig(3) algorithms(2) 26 }
				190	*/
				191	static const u_char id_sha1[] = {
				192	0x30, 0x21, /* type Sequence, length 0x21 (33) */
				193	0x30, 0x09, /* type Sequence, length 0x09 */
				194	0x06, 0x05, /* type OID, length 0x05 */
				195	0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
				196	0x05, 0x00, /* NULL */
				197	0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
				198	};
				199	/*
				200	* id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
				201	* rsadsi(113549) digestAlgorithm(2) 5 }
				202	*/
				203	static const u_char id_md5[] = {
				204	0x30, 0x20, /* type Sequence, length 0x20 (32) */
				205	0x30, 0x0c, /* type Sequence, length 0x09 */
				206	0x06, 0x08, /* type OID, length 0x05 */
				207	0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
				208	0x05, 0x00, /* NULL */
				209	0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */
				210	};
				211
				212	static int
				213	openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
				214	u_char sigbuf, u_int siglen, RSA rsa)
				215	{
Damien Miller	f7c2391	2002-09-04 16:39:48 +1000	[diff] [blame]	216	u_int ret, rsasize, oidlen = 0, hlen = 0;
Damien Miller	4e8285e	2010-08-03 16:04:03 +1000	[diff] [blame]	217	int len, oidmatch, hashmatch;
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	218	const u_char *oid = NULL;
				219	u_char *decrypted = NULL;
				220
				221	ret = 0;
				222	switch (type) {
				223	case NID_sha1:
				224	oid = id_sha1;
				225	oidlen = sizeof(id_sha1);
				226	hlen = 20;
				227	break;
				228	case NID_md5:
				229	oid = id_md5;
				230	oidlen = sizeof(id_md5);
				231	hlen = 16;
				232	break;
				233	default:
				234	goto done;
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	235	}
				236	if (hashlen != hlen) {
				237	error("bad hashlen");
				238	goto done;
				239	}
				240	rsasize = RSA_size(rsa);
				241	if (siglen == 0 \|\| siglen > rsasize) {
				242	error("bad siglen");
				243	goto done;
				244	}
				245	decrypted = xmalloc(rsasize);
				246	if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
				247	RSA_PKCS1_PADDING)) < 0) {
				248	error("RSA_public_decrypt failed: %s",
				249	ERR_error_string(ERR_get_error(), NULL));
				250	goto done;
				251	}
Damien Miller	eccb9de	2005-06-17 12:59:34 +1000	[diff] [blame]	252	if (len < 0 \|\| (u_int)len != hlen + oidlen) {
Darren Tucker	a251f80	2003-06-22 20:45:15 +1000	[diff] [blame]	253	error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	254	goto done;
				255	}
Damien Miller	4e8285e	2010-08-03 16:04:03 +1000	[diff] [blame]	256	oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
				257	hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
				258	if (!oidmatch) {
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	259	error("oid mismatch");
				260	goto done;
				261	}
Damien Miller	4e8285e	2010-08-03 16:04:03 +1000	[diff] [blame]	262	if (!hashmatch) {
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	263	error("hash mismatch");
				264	goto done;
				265	}
				266	ret = 1;
				267	done:
Darren Tucker	a627d42	2013-06-02 07:31:17 +1000	[diff] [blame]	268	free(decrypted);
Ben Lindstrom	0deb5d9	2002-08-20 18:40:03 +0000	[diff] [blame]	269	return ret;
				270	}