[u/mdw/putty] / sshrsa.c

/*
 * RSA implementation just sufficient for ssh client-side
 * initialisation step
 *
 * Rewritten for more speed by Joris van Rantwijk, Jun 1999.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

#include "ssh.h"


int makekey(unsigned char *data, struct RSAKey *result,
	    unsigned char **keystr, int order) {
    unsigned char *p = data;
    int i;

    if (result) {
        result->bits = 0;
        for (i=0; i<4; i++)
            result->bits = (result->bits << 8) + *p++;
    } else
        p += 4;

    /*
     * order=0 means exponent then modulus (the keys sent by the
     * server). order=1 means modulus then exponent (the keys
     * stored in a keyfile).
     */

    if (order == 0)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
    if (result)
        result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
    if (keystr) *keystr = p+2;
    p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
    if (order == 1)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);

    return p - data;
}

int makeprivate(unsigned char *data, struct RSAKey *result) {
    return ssh1_read_bignum(data, &result->private_exponent);
}

void rsaencrypt(unsigned char *data, int length, struct RSAKey *key) {
    Bignum b1, b2;
    int i;
    unsigned char *p;

    memmove(data+key->bytes-length, data, length);
    data[0] = 0;
    data[1] = 2;

    for (i = 2; i < key->bytes-length-1; i++) {
	do {
	    data[i] = random_byte();
	} while (data[i] == 0);
    }
    data[key->bytes-length-1] = 0;

    b1 = bignum_from_bytes(data, key->bytes);

    b2 = modpow(b1, key->exponent, key->modulus);

    p = data;
    for (i=key->bytes; i-- ;) {
        *p++ = bignum_byte(b2, i);
    }

    freebn(b1);
    freebn(b2);
}

Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
    Bignum ret;
    ret = modpow(input, key->private_exponent, key->modulus);
    return ret;
}

int rsastr_len(struct RSAKey *key) {
    Bignum md, ex;
    int mdlen, exlen;

    md = key->modulus;
    ex = key->exponent;
    mdlen = (bignum_bitcount(md)+15) / 16;
    exlen = (bignum_bitcount(ex)+15) / 16;
    return 4 * (mdlen+exlen) + 20;
}

void rsastr_fmt(char *str, struct RSAKey *key) {
    Bignum md, ex;
    int len = 0, i, nibbles;
    static const char hex[] = "0123456789abcdef";

    md = key->modulus;
    ex = key->exponent;

    len += sprintf(str+len, "0x");

    nibbles = (3 + bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];

    len += sprintf(str+len, ",0x");

    nibbles = (3 + bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];

    str[len] = '\0';
}

/*
 * Generate a fingerprint string for the key. Compatible with the
 * OpenSSH fingerprint code.
 */
void rsa_fingerprint(char *str, int len, struct RSAKey *key) {
    struct MD5Context md5c;
    unsigned char digest[16];
    char buffer[16*3+40];
    int numlen, slen, i;

    MD5Init(&md5c);
    numlen = ssh1_bignum_length(key->modulus) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->modulus, i);
        MD5Update(&md5c, &c, 1);
    }
    numlen = ssh1_bignum_length(key->exponent) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->exponent, i);
        MD5Update(&md5c, &c, 1);
    }
    MD5Final(digest, &md5c);

    sprintf(buffer, "%d ", bignum_bitcount(key->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    strncpy(str, buffer, len); str[len-1] = '\0';
    slen = strlen(str);
    if (key->comment && slen < len-1) {
        str[slen] = ' ';
        strncpy(str+slen+1, key->comment, len-slen-1);
        str[len-1] = '\0';
    }
}

/*
 * Verify that the public data in an RSA key matches the private
 * data. We also check the private data itself: we ensure that p >
 * q and that iqmp really is the inverse of q mod p.
 */
int rsa_verify(struct RSAKey *key) {
    Bignum n, ed, pm1, qm1;
    int cmp;

    /* n must equal pq. */
    n = bigmul(key->p, key->q);
    cmp = bignum_cmp(n, key->modulus);
    freebn(n);
    if (cmp != 0)
	return 0;

    /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
    pm1 = copybn(key->p);
    decbn(pm1);
    ed = modmul(key->exponent, key->private_exponent, pm1);
    cmp = bignum_cmp(ed, One);
    sfree(ed);
    if (cmp != 0)
	return 0;

    qm1 = copybn(key->q);
    decbn(qm1);
    ed = modmul(key->exponent, key->private_exponent, qm1);
    cmp = bignum_cmp(ed, One);
    sfree(ed);
    if (cmp != 0)
	return 0;

    /*
     * Ensure p > q.
     */
    if (bignum_cmp(key->p, key->q) <= 0)
        return 0;

    /*
     * Ensure iqmp * q is congruent to 1, modulo p.
     */
    n = modmul(key->iqmp, key->q, key->p);
    cmp = bignum_cmp(n, One);
    sfree(n);
    if (cmp != 0)
        return 0;

    return 1;
}

void freersakey(struct RSAKey *key) {
    if (key->modulus) freebn(key->modulus);
    if (key->exponent) freebn(key->exponent);
    if (key->private_exponent) freebn(key->private_exponent);
    if (key->comment) sfree(key->comment);
}

/* ----------------------------------------------------------------------
 * Implementation of the ssh-rsa signing key type. 
 */

#define GET_32BIT(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
    ((unsigned long)(unsigned char)(cp)[1] << 16) | \
    ((unsigned long)(unsigned char)(cp)[2] << 8) | \
    ((unsigned long)(unsigned char)(cp)[3]))

#define PUT_32BIT(cp, value) { \
    (cp)[0] = (unsigned char)((value) >> 24); \
    (cp)[1] = (unsigned char)((value) >> 16); \
    (cp)[2] = (unsigned char)((value) >> 8); \
    (cp)[3] = (unsigned char)(value); }

static void getstring(char **data, int *datalen, char **p, int *length) {
    *p = NULL;
    if (*datalen < 4)
        return;
    *length = GET_32BIT(*data);
    *datalen -= 4; *data += 4;
    if (*datalen < *length)
        return;
    *p = *data;
    *data += *length; *datalen -= *length;
}
static Bignum getmp(char **data, int *datalen) {
    char *p;
    int length;
    Bignum b;

    getstring(data, datalen, &p, &length);
    if (!p)
        return NULL;
    b = bignum_from_bytes(p, length);
    return b;
}

static void *rsa2_newkey(char *data, int len) {
    char *p;
    int slen;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa) return NULL;
    getstring(&data, &len, &p, &slen);

    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
	sfree(rsa);
	return NULL;
    }
    rsa->exponent = getmp(&data, &len);
    rsa->modulus = getmp(&data, &len);
    rsa->private_exponent = NULL;
    rsa->comment = NULL;

    return rsa;
}

static void rsa2_freekey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    freersakey(rsa);
    sfree(rsa);
}

static char *rsa2_fmtkey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    char *p;
    int len;
    
    len = rsastr_len(rsa);
    p = smalloc(len);
     rsastr_fmt(p, rsa);
    return p;
}

static unsigned char *rsa2_public_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int elen, mlen, bloblen;
    int i;
    unsigned char *blob, *p;

    elen = (bignum_bitcount(rsa->exponent)+8)/8;
    mlen = (bignum_bitcount(rsa->modulus)+8)/8;

    /*
     * string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
     * (three length fields, 12+7=19).
     */
    bloblen = 19+elen+mlen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, 7); p += 4;
    memcpy(p, "ssh-rsa", 7); p += 7;
    PUT_32BIT(p, elen); p += 4;
    for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
    PUT_32BIT(p, mlen); p += 4;
    for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static unsigned char *rsa2_private_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int dlen, plen, qlen, ulen, bloblen;
    int i;
    unsigned char *blob, *p;

    dlen = (bignum_bitcount(rsa->private_exponent)+8)/8;
    plen = (bignum_bitcount(rsa->p)+8)/8;
    qlen = (bignum_bitcount(rsa->q)+8)/8;
    ulen = (bignum_bitcount(rsa->iqmp)+8)/8;

    /*
     * mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
     * sum of lengths.
     */
    bloblen = 16+dlen+plen+qlen+ulen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, dlen); p += 4;
    for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
    PUT_32BIT(p, plen); p += 4;
    for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
    PUT_32BIT(p, qlen); p += 4;
    for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
    PUT_32BIT(p, ulen); p += 4;
    for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static void *rsa2_createkey(unsigned char *pub_blob, int pub_len,
			    unsigned char *priv_blob, int priv_len) {
    struct RSAKey *rsa;
    char *pb = (char *)priv_blob;
    
    rsa = rsa2_newkey((char *)pub_blob, pub_len);
    rsa->private_exponent = getmp(&pb, &priv_len);
    rsa->p = getmp(&pb, &priv_len);
    rsa->q = getmp(&pb, &priv_len);
    rsa->iqmp = getmp(&pb, &priv_len);

    if (!rsa_verify(rsa)) {
	rsa2_freekey(rsa);
	return NULL;
    }

    return rsa;
}

static void *rsa2_openssh_createkey(unsigned char **blob, int *len) {
    char **b = (char **)blob;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa) return NULL;
    rsa->comment = NULL;

    rsa->modulus = getmp(b, len);
    rsa->exponent = getmp(b, len);
    rsa->private_exponent = getmp(b, len);
    rsa->iqmp = getmp(b, len);
    rsa->p = getmp(b, len);
    rsa->q = getmp(b, len);

    if (!rsa->modulus || !rsa->exponent || !rsa->private_exponent ||
	!rsa->iqmp || !rsa->p || !rsa->q) {
	sfree(rsa->modulus);
	sfree(rsa->exponent);
	sfree(rsa->private_exponent);
	sfree(rsa->iqmp);
	sfree(rsa->p);
	sfree(rsa->q);
	sfree(rsa);
	return NULL;
    }

    return rsa;
}

static int rsa2_openssh_fmtkey(void *key, unsigned char *blob, int len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int bloblen, i;

    bloblen =
	ssh2_bignum_length(rsa->modulus) +
	ssh2_bignum_length(rsa->exponent) +
	ssh2_bignum_length(rsa->private_exponent) +
	ssh2_bignum_length(rsa->iqmp) +
	ssh2_bignum_length(rsa->p) +
	ssh2_bignum_length(rsa->q);

    if (bloblen > len)
	return bloblen;

    bloblen = 0;
#define ENC(x) \
    PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
    for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
    ENC(rsa->modulus);
    ENC(rsa->exponent);
    ENC(rsa->private_exponent);
    ENC(rsa->iqmp);
    ENC(rsa->p);
    ENC(rsa->q);

    return bloblen;
}

static char *rsa2_fingerprint(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    struct MD5Context md5c;
    unsigned char digest[16], lenbuf[4];
    char buffer[16*3+40];
    char *ret;
    int numlen, i;

    MD5Init(&md5c);
    MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);

#define ADD_BIGNUM(bignum) \
    numlen = (bignum_bitcount(bignum)+8)/8; \
    PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
    for (i = numlen; i-- ;) { \
        unsigned char c = bignum_byte(bignum, i); \
        MD5Update(&md5c, &c, 1); \
    }
    ADD_BIGNUM(rsa->exponent);
    ADD_BIGNUM(rsa->modulus);
#undef ADD_BIGNUM

    MD5Final(digest, &md5c);

    sprintf(buffer, "ssh-rsa %d ", bignum_bitcount(rsa->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    ret = smalloc(strlen(buffer)+1);
    if (ret)
        strcpy(ret, buffer);
    return ret;
}

/*
 * This is the magic ASN.1/DER prefix that goes in the decoded
 * signature, between the string of FFs and the actual SHA hash
 * value. The meaning of it is:
 * 
 * 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
 * 
 * 30 21 -- a constructed SEQUENCE of length 0x21
 *    30 09 -- a constructed sub-SEQUENCE of length 9
 *       06 05 -- an object identifier, length 5
 *          2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
 *                            (the 1,3 comes from 0x2B = 43 = 40*1+3)
 *       05 00 -- NULL
 *    04 14 -- a primitive OCTET STRING of length 0x14
 *       [0x14 bytes of hash data follows]
 * 
 * The object id in the middle there is listed as `id-sha1' in
 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
 * ASN module for PKCS #1) and its expanded form is as follows:
 * 
 * id-sha1                OBJECT IDENTIFIER ::= {
 *    iso(1) identified-organization(3) oiw(14) secsig(3)
 *    algorithms(2) 26 }
 */
static unsigned char asn1_weird_stuff[] = {
    0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
    0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
};

#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )

static int rsa2_verifysig(void *key, char *sig, int siglen,
			 char *data, int datalen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    Bignum in, out;
    char *p;
    int slen;
    int bytes, i, j, ret;
    unsigned char hash[20];

    getstring(&sig, &siglen, &p, &slen);
    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
        return 0;
    }
    in = getmp(&sig, &siglen);
    out = modpow(in, rsa->exponent, rsa->modulus);
    freebn(in);

    ret = 1;

    bytes = bignum_bitcount(rsa->modulus) / 8;
    /* Top (partial) byte should be zero. */
    if (bignum_byte(out, bytes-1) != 0)
        ret = 0;
    /* First whole byte should be 1. */
    if (bignum_byte(out, bytes-2) != 1)
        ret = 0;
    /* Most of the rest should be FF. */
    for (i = bytes-3; i >= 20 + ASN1_LEN; i--) {
        if (bignum_byte(out, i) != 0xFF)
            ret = 0;
    }
    /* Then we expect to see the asn1_weird_stuff. */
    for (i = 20 + ASN1_LEN - 1, j=0; i >= 20; i--,j++) {
        if (bignum_byte(out, i) != asn1_weird_stuff[j])
            ret = 0;
    }
    /* Finally, we expect to see the SHA-1 hash of the signed data. */
    SHA_Simple(data, datalen, hash);
    for (i = 19, j=0; i >= 0; i--,j++) {
        if (bignum_byte(out, i) != hash[j])
            ret = 0;
    }

    return ret;
}

unsigned char *rsa2_sign(void *key, char *data, int datalen, int *siglen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    unsigned char *bytes;
    int nbytes;
    unsigned char hash[20];
    Bignum in, out;
    int i, j;

    SHA_Simple(data, datalen, hash);

    nbytes = (bignum_bitcount(rsa->modulus)-1) / 8;
    bytes = smalloc(nbytes);

    bytes[0] = 1;
    for (i = 1; i < nbytes-20-ASN1_LEN; i++)
	bytes[i] = 0xFF;
    for (i = nbytes-20-ASN1_LEN, j=0; i < nbytes-20; i++,j++)
	bytes[i] = asn1_weird_stuff[j];
    for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	bytes[i] = hash[j];

    in = bignum_from_bytes(bytes, nbytes);
    sfree(bytes);

    out = modpow(in, rsa->private_exponent, rsa->modulus);
    freebn(in);

    nbytes = (bignum_bitcount(out)+7)/8;
    bytes = smalloc(4+7+4+nbytes);
    PUT_32BIT(bytes, 7);
    memcpy(bytes+4, "ssh-rsa", 7);
    PUT_32BIT(bytes+4+7, nbytes);
    for (i = 0; i < nbytes; i++)
	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
    freebn(out);

    *siglen = 4+7+4+nbytes;
    return bytes;
}

const struct ssh_signkey ssh_rsa = {
    rsa2_newkey,
    rsa2_freekey,
    rsa2_fmtkey,
    rsa2_public_blob,
    rsa2_private_blob,
    rsa2_createkey,
    rsa2_openssh_createkey,
    rsa2_openssh_fmtkey,
    rsa2_fingerprint,
    rsa2_verifysig,
    rsa2_sign,
    "ssh-rsa",
    "rsa2"
};
Commit	Line	Data
374330e2	1	/*
	2	* RSA implementation just sufficient for ssh client-side
	3	* initialisation step
4644b0ce	4	*
4644b0ce	5	* Rewritten for more speed by Joris van Rantwijk, Jun 1999.
374330e2	6	*/
374330e2	7
374330e2	8	#include <stdio.h>
	9	#include <stdlib.h>
	10	#include <string.h>
65a22376	11	#include <assert.h>
374330e2	12
e5574168	13	#include "ssh.h"
374330e2	14
1c2a93c4	15
374330e2	16	int makekey(unsigned char data, struct RSAKey result,
7cca0d81	17	unsigned char **keystr, int order) {
374330e2	18	unsigned char *p = data;
7cca0d81	19	int i;
374330e2	20
a52f067e	21	if (result) {
	22	result->bits = 0;
	23	for (i=0; i<4; i++)
	24	result->bits = (result->bits << 8) + *p++;
	25	} else
	26	p += 4;
374330e2	27
7cca0d81	28	/*
	29	* order=0 means exponent then modulus (the keys sent by the
	30	* server). order=1 means modulus then exponent (the keys
	31	* stored in a keyfile).
	32	*/
374330e2	33
7cca0d81	34	if (order == 0)
a52f067e	35	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
	36	if (result)
	37	result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
7cca0d81	38	if (keystr) *keystr = p+2;
a52f067e	39	p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
7cca0d81	40	if (order == 1)
a52f067e	41	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
374330e2	42
	43	return p - data;
	44	}
	45
7cca0d81	46	int makeprivate(unsigned char data, struct RSAKey result) {
	47	return ssh1_read_bignum(data, &result->private_exponent);
	48	}
	49
374330e2	50	void rsaencrypt(unsigned char data, int length, struct RSAKey key) {
374330e2	51	Bignum b1, b2;
3709bfe9	52	int i;
374330e2	53	unsigned char *p;
374330e2	54
374330e2	55	memmove(data+key->bytes-length, data, length);
	56	data[0] = 0;
	57	data[1] = 2;
	58
	59	for (i = 2; i < key->bytes-length-1; i++) {
	60	do {
	61	data[i] = random_byte();
	62	} while (data[i] == 0);
	63	}
	64	data[key->bytes-length-1] = 0;
	65
3709bfe9	66	b1 = bignum_from_bytes(data, key->bytes);
374330e2	67
59600f67	68	b2 = modpow(b1, key->exponent, key->modulus);
374330e2	69
374330e2	70	p = data;
d9373729	71	for (i=key->bytes; i-- ;) {
3709bfe9	72	*p++ = bignum_byte(b2, i);
374330e2	73	}
	74
	75	freebn(b1);
	76	freebn(b2);
	77	}
	78
7cca0d81	79	Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
7cca0d81	80	Bignum ret;
59600f67	81	ret = modpow(input, key->private_exponent, key->modulus);
7cca0d81	82	return ret;
	83	}
	84
374330e2	85	int rsastr_len(struct RSAKey *key) {
374330e2	86	Bignum md, ex;
3709bfe9	87	int mdlen, exlen;
374330e2	88
	89	md = key->modulus;
	90	ex = key->exponent;
ddecd643	91	mdlen = (bignum_bitcount(md)+15) / 16;
ddecd643	92	exlen = (bignum_bitcount(ex)+15) / 16;
3709bfe9	93	return 4 * (mdlen+exlen) + 20;
374330e2	94	}
	95
	96	void rsastr_fmt(char str, struct RSAKey key) {
	97	Bignum md, ex;
d5859615	98	int len = 0, i, nibbles;
d5859615	99	static const char hex[] = "0123456789abcdef";
374330e2	100
	101	md = key->modulus;
	102	ex = key->exponent;
	103
d5859615	104	len += sprintf(str+len, "0x");
d5859615	105
ddecd643	106	nibbles = (3 + bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
d5859615	107	for (i=nibbles; i-- ;)
	108	str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];
	109
	110	len += sprintf(str+len, ",0x");
	111
ddecd643	112	nibbles = (3 + bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
d5859615	113	for (i=nibbles; i-- ;)
	114	str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];
	115
374330e2	116	str[len] = '\0';
	117	}
	118
1c2a93c4	119	/*
	120	* Generate a fingerprint string for the key. Compatible with the
	121	* OpenSSH fingerprint code.
	122	*/
	123	void rsa_fingerprint(char str, int len, struct RSAKey key) {
	124	struct MD5Context md5c;
	125	unsigned char digest[16];
	126	char buffer[16*3+40];
	127	int numlen, slen, i;
	128
	129	MD5Init(&md5c);
	130	numlen = ssh1_bignum_length(key->modulus) - 2;
	131	for (i = numlen; i-- ;) {
	132	unsigned char c = bignum_byte(key->modulus, i);
	133	MD5Update(&md5c, &c, 1);
	134	}
	135	numlen = ssh1_bignum_length(key->exponent) - 2;
	136	for (i = numlen; i-- ;) {
	137	unsigned char c = bignum_byte(key->exponent, i);
	138	MD5Update(&md5c, &c, 1);
	139	}
	140	MD5Final(digest, &md5c);
	141
ddecd643	142	sprintf(buffer, "%d ", bignum_bitcount(key->modulus));
1c2a93c4	143	for (i = 0; i < 16; i++)
	144	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	145	strncpy(str, buffer, len); str[len-1] = '\0';
	146	slen = strlen(str);
	147	if (key->comment && slen < len-1) {
	148	str[slen] = ' ';
	149	strncpy(str+slen+1, key->comment, len-slen-1);
	150	str[len-1] = '\0';
	151	}
	152	}
	153
98f022f5	154	/*
98f022f5	155	* Verify that the public data in an RSA key matches the private
60fe6ff7	156	* data. We also check the private data itself: we ensure that p >
60fe6ff7	157	* q and that iqmp really is the inverse of q mod p.
98f022f5	158	*/
98f022f5	159	int rsa_verify(struct RSAKey *key) {
60fe6ff7	160	Bignum n, ed, pm1, qm1;
98f022f5	161	int cmp;
	162
	163	/* n must equal pq. */
	164	n = bigmul(key->p, key->q);
	165	cmp = bignum_cmp(n, key->modulus);
	166	freebn(n);
	167	if (cmp != 0)
	168	return 0;
	169
60fe6ff7	170	/* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
98f022f5	171	pm1 = copybn(key->p);
98f022f5	172	decbn(pm1);
60fe6ff7	173	ed = modmul(key->exponent, key->private_exponent, pm1);
	174	cmp = bignum_cmp(ed, One);
	175	sfree(ed);
	176	if (cmp != 0)
	177	return 0;
	178
98f022f5	179	qm1 = copybn(key->q);
98f022f5	180	decbn(qm1);
60fe6ff7	181	ed = modmul(key->exponent, key->private_exponent, qm1);
98f022f5	182	cmp = bignum_cmp(ed, One);
	183	sfree(ed);
	184	if (cmp != 0)
	185	return 0;
014970c8	186
60fe6ff7	187	/*
	188	* Ensure p > q.
	189	*/
	190	if (bignum_cmp(key->p, key->q) <= 0)
	191	return 0;
	192
	193	/*
	194	* Ensure iqmp * q is congruent to 1, modulo p.
	195	*/
	196	n = modmul(key->iqmp, key->q, key->p);
	197	cmp = bignum_cmp(n, One);
	198	sfree(n);
	199	if (cmp != 0)
	200	return 0;
	201
014970c8	202	return 1;
98f022f5	203	}
98f022f5	204
5c58ad2d	205	void freersakey(struct RSAKey *key) {
	206	if (key->modulus) freebn(key->modulus);
	207	if (key->exponent) freebn(key->exponent);
	208	if (key->private_exponent) freebn(key->private_exponent);
dcbde236	209	if (key->comment) sfree(key->comment);
5c58ad2d	210	}
85cc02bb	211
	212	/* ----------------------------------------------------------------------
	213	* Implementation of the ssh-rsa signing key type.
	214	*/
	215
	216	#define GET_32BIT(cp) \
	217	(((unsigned long)(unsigned char)(cp)[0] << 24) \| \
	218	((unsigned long)(unsigned char)(cp)[1] << 16) \| \
	219	((unsigned long)(unsigned char)(cp)[2] << 8) \| \
	220	((unsigned long)(unsigned char)(cp)[3]))
	221
	222	#define PUT_32BIT(cp, value) { \
	223	(cp)[0] = (unsigned char)((value) >> 24); \
	224	(cp)[1] = (unsigned char)((value) >> 16); \
	225	(cp)[2] = (unsigned char)((value) >> 8); \
	226	(cp)[3] = (unsigned char)(value); }
	227
	228	static void getstring(char *data, int datalen, char *p, int length) {
	229	*p = NULL;
	230	if (*datalen < 4)
	231	return;
	232	length = GET_32BIT(data);
	233	datalen -= 4; data += 4;
	234	if (datalen < length)
	235	return;
	236	p = data;
	237	data += length; datalen -= length;
	238	}
	239	static Bignum getmp(char *data, int datalen) {
	240	char *p;
	241	int length;
	242	Bignum b;
	243
	244	getstring(data, datalen, &p, &length);
	245	if (!p)
	246	return NULL;
	247	b = bignum_from_bytes(p, length);
	248	return b;
	249	}
	250
	251	static void rsa2_newkey(char data, int len) {
	252	char *p;
	253	int slen;
	254	struct RSAKey *rsa;
	255
	256	rsa = smalloc(sizeof(struct RSAKey));
	257	if (!rsa) return NULL;
	258	getstring(&data, &len, &p, &slen);
	259
45cebe79	260	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
85cc02bb	261	sfree(rsa);
	262	return NULL;
	263	}
	264	rsa->exponent = getmp(&data, &len);
	265	rsa->modulus = getmp(&data, &len);
	266	rsa->private_exponent = NULL;
	267	rsa->comment = NULL;
	268
	269	return rsa;
	270	}
	271
	272	static void rsa2_freekey(void *key) {
	273	struct RSAKey rsa = (struct RSAKey )key;
	274	freersakey(rsa);
	275	sfree(rsa);
	276	}
	277
	278	static char rsa2_fmtkey(void key) {
	279	struct RSAKey rsa = (struct RSAKey )key;
	280	char *p;
	281	int len;
	282
	283	len = rsastr_len(rsa);
	284	p = smalloc(len);
98f022f5	285	rsastr_fmt(p, rsa);
85cc02bb	286	return p;
	287	}
	288
65a22376	289	static unsigned char rsa2_public_blob(void key, int *len) {
	290	struct RSAKey rsa = (struct RSAKey )key;
	291	int elen, mlen, bloblen;
	292	int i;
	293	unsigned char blob, p;
	294
ddecd643	295	elen = (bignum_bitcount(rsa->exponent)+8)/8;
ddecd643	296	mlen = (bignum_bitcount(rsa->modulus)+8)/8;
65a22376	297
	298	/*
	299	* string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
	300	* (three length fields, 12+7=19).
	301	*/
	302	bloblen = 19+elen+mlen;
	303	blob = smalloc(bloblen);
	304	p = blob;
	305	PUT_32BIT(p, 7); p += 4;
	306	memcpy(p, "ssh-rsa", 7); p += 7;
	307	PUT_32BIT(p, elen); p += 4;
	308	for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
	309	PUT_32BIT(p, mlen); p += 4;
	310	for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
	311	assert(p == blob + bloblen);
	312	*len = bloblen;
	313	return blob;
	314	}
	315
	316	static unsigned char rsa2_private_blob(void key, int *len) {
	317	struct RSAKey rsa = (struct RSAKey )key;
	318	int dlen, plen, qlen, ulen, bloblen;
	319	int i;
	320	unsigned char blob, p;
	321
ddecd643	322	dlen = (bignum_bitcount(rsa->private_exponent)+8)/8;
	323	plen = (bignum_bitcount(rsa->p)+8)/8;
	324	qlen = (bignum_bitcount(rsa->q)+8)/8;
	325	ulen = (bignum_bitcount(rsa->iqmp)+8)/8;
65a22376	326
	327	/*
	328	* mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
	329	* sum of lengths.
	330	*/
	331	bloblen = 16+dlen+plen+qlen+ulen;
	332	blob = smalloc(bloblen);
	333	p = blob;
	334	PUT_32BIT(p, dlen); p += 4;
	335	for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
	336	PUT_32BIT(p, plen); p += 4;
	337	for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
	338	PUT_32BIT(p, qlen); p += 4;
	339	for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
	340	PUT_32BIT(p, ulen); p += 4;
	341	for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
	342	assert(p == blob + bloblen);
	343	*len = bloblen;
	344	return blob;
	345	}
	346
	347	static void rsa2_createkey(unsigned char pub_blob, int pub_len,
	348	unsigned char *priv_blob, int priv_len) {
	349	struct RSAKey *rsa;
	350	char pb = (char )priv_blob;
	351
	352	rsa = rsa2_newkey((char *)pub_blob, pub_len);
	353	rsa->private_exponent = getmp(&pb, &priv_len);
	354	rsa->p = getmp(&pb, &priv_len);
	355	rsa->q = getmp(&pb, &priv_len);
	356	rsa->iqmp = getmp(&pb, &priv_len);
	357
98f022f5	358	if (!rsa_verify(rsa)) {
	359	rsa2_freekey(rsa);
	360	return NULL;
	361	}
	362
65a22376	363	return rsa;
	364	}
	365
45cebe79	366	static void rsa2_openssh_createkey(unsigned char blob, int len) {
	367	char b = (char )blob;
	368	struct RSAKey *rsa;
45cebe79	369
	370	rsa = smalloc(sizeof(struct RSAKey));
	371	if (!rsa) return NULL;
	372	rsa->comment = NULL;
	373
	374	rsa->modulus = getmp(b, len);
	375	rsa->exponent = getmp(b, len);
	376	rsa->private_exponent = getmp(b, len);
	377	rsa->iqmp = getmp(b, len);
	378	rsa->p = getmp(b, len);
	379	rsa->q = getmp(b, len);
	380
	381	if (!rsa->modulus \|\| !rsa->exponent \|\| !rsa->private_exponent \|\|
	382	!rsa->iqmp \|\| !rsa->p \|\| !rsa->q) {
	383	sfree(rsa->modulus);
	384	sfree(rsa->exponent);
	385	sfree(rsa->private_exponent);
	386	sfree(rsa->iqmp);
	387	sfree(rsa->p);
	388	sfree(rsa->q);
	389	sfree(rsa);
	390	return NULL;
	391	}
	392
	393	return rsa;
	394	}
	395
260f3dec	396	static int rsa2_openssh_fmtkey(void key, unsigned char blob, int len) {
ddecd643	397	struct RSAKey rsa = (struct RSAKey )key;
	398	int bloblen, i;
	399
	400	bloblen =
	401	ssh2_bignum_length(rsa->modulus) +
	402	ssh2_bignum_length(rsa->exponent) +
	403	ssh2_bignum_length(rsa->private_exponent) +
	404	ssh2_bignum_length(rsa->iqmp) +
	405	ssh2_bignum_length(rsa->p) +
	406	ssh2_bignum_length(rsa->q);
	407
	408	if (bloblen > len)
	409	return bloblen;
	410
	411	bloblen = 0;
	412	#define ENC(x) \
	413	PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
	414	for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
	415	ENC(rsa->modulus);
	416	ENC(rsa->exponent);
	417	ENC(rsa->private_exponent);
	418	ENC(rsa->iqmp);
	419	ENC(rsa->p);
	420	ENC(rsa->q);
	421
	422	return bloblen;
	423	}
	424
85cc02bb	425	static char rsa2_fingerprint(void key) {
	426	struct RSAKey rsa = (struct RSAKey )key;
	427	struct MD5Context md5c;
	428	unsigned char digest[16], lenbuf[4];
	429	char buffer[16*3+40];
	430	char *ret;
	431	int numlen, i;
	432
	433	MD5Init(&md5c);
	434	MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);
	435
	436	#define ADD_BIGNUM(bignum) \
ddecd643	437	numlen = (bignum_bitcount(bignum)+8)/8; \
85cc02bb	438	PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
	439	for (i = numlen; i-- ;) { \
	440	unsigned char c = bignum_byte(bignum, i); \
	441	MD5Update(&md5c, &c, 1); \
	442	}
	443	ADD_BIGNUM(rsa->exponent);
	444	ADD_BIGNUM(rsa->modulus);
	445	#undef ADD_BIGNUM
	446
	447	MD5Final(digest, &md5c);
	448
ddecd643	449	sprintf(buffer, "ssh-rsa %d ", bignum_bitcount(rsa->modulus));
85cc02bb	450	for (i = 0; i < 16; i++)
	451	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	452	ret = smalloc(strlen(buffer)+1);
	453	if (ret)
	454	strcpy(ret, buffer);
	455	return ret;
	456	}
	457
	458	/*
	459	* This is the magic ASN.1/DER prefix that goes in the decoded
	460	* signature, between the string of FFs and the actual SHA hash
96a73db9	461	* value. The meaning of it is:
85cc02bb	462	*
	463	* 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
	464	*
	465	* 30 21 -- a constructed SEQUENCE of length 0x21
	466	* 30 09 -- a constructed sub-SEQUENCE of length 9
	467	* 06 05 -- an object identifier, length 5
96a73db9	468	* 2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
96a73db9	469	* (the 1,3 comes from 0x2B = 43 = 40*1+3)
85cc02bb	470	* 05 00 -- NULL
	471	* 04 14 -- a primitive OCTET STRING of length 0x14
	472	* [0x14 bytes of hash data follows]
96a73db9	473	*
	474	* The object id in the middle there is listed as `id-sha1' in
	475	* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
	476	* ASN module for PKCS #1) and its expanded form is as follows:
	477	*
	478	* id-sha1 OBJECT IDENTIFIER ::= {
	479	* iso(1) identified-organization(3) oiw(14) secsig(3)
	480	* algorithms(2) 26 }
85cc02bb	481	*/
	482	static unsigned char asn1_weird_stuff[] = {
	483	0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
	484	0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
	485	};
	486
d8770b12	487	#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )
d8770b12	488
85cc02bb	489	static int rsa2_verifysig(void key, char sig, int siglen,
	490	char *data, int datalen) {
	491	struct RSAKey rsa = (struct RSAKey )key;
	492	Bignum in, out;
	493	char *p;
	494	int slen;
	495	int bytes, i, j, ret;
	496	unsigned char hash[20];
	497
	498	getstring(&sig, &siglen, &p, &slen);
	499	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
	500	return 0;
	501	}
	502	in = getmp(&sig, &siglen);
	503	out = modpow(in, rsa->exponent, rsa->modulus);
	504	freebn(in);
	505
	506	ret = 1;
	507
ddecd643	508	bytes = bignum_bitcount(rsa->modulus) / 8;
85cc02bb	509	/* Top (partial) byte should be zero. */
	510	if (bignum_byte(out, bytes-1) != 0)
	511	ret = 0;
	512	/* First whole byte should be 1. */
	513	if (bignum_byte(out, bytes-2) != 1)
	514	ret = 0;
	515	/* Most of the rest should be FF. */
d8770b12	516	for (i = bytes-3; i >= 20 + ASN1_LEN; i--) {
85cc02bb	517	if (bignum_byte(out, i) != 0xFF)
	518	ret = 0;
	519	}
	520	/* Then we expect to see the asn1_weird_stuff. */
d8770b12	521	for (i = 20 + ASN1_LEN - 1, j=0; i >= 20; i--,j++) {
85cc02bb	522	if (bignum_byte(out, i) != asn1_weird_stuff[j])
	523	ret = 0;
	524	}
	525	/* Finally, we expect to see the SHA-1 hash of the signed data. */
	526	SHA_Simple(data, datalen, hash);
	527	for (i = 19, j=0; i >= 0; i--,j++) {
	528	if (bignum_byte(out, i) != hash[j])
	529	ret = 0;
	530	}
	531
	532	return ret;
	533	}
	534
65a22376	535	unsigned char rsa2_sign(void key, char data, int datalen, int siglen) {
	536	struct RSAKey rsa = (struct RSAKey )key;
	537	unsigned char *bytes;
	538	int nbytes;
	539	unsigned char hash[20];
	540	Bignum in, out;
	541	int i, j;
	542
	543	SHA_Simple(data, datalen, hash);
	544
ddecd643	545	nbytes = (bignum_bitcount(rsa->modulus)-1) / 8;
65a22376	546	bytes = smalloc(nbytes);
	547
	548	bytes[0] = 1;
d8770b12	549	for (i = 1; i < nbytes-20-ASN1_LEN; i++)
65a22376	550	bytes[i] = 0xFF;
d8770b12	551	for (i = nbytes-20-ASN1_LEN, j=0; i < nbytes-20; i++,j++)
65a22376	552	bytes[i] = asn1_weird_stuff[j];
	553	for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	554	bytes[i] = hash[j];
	555
	556	in = bignum_from_bytes(bytes, nbytes);
	557	sfree(bytes);
	558
	559	out = modpow(in, rsa->private_exponent, rsa->modulus);
	560	freebn(in);
	561
ddecd643	562	nbytes = (bignum_bitcount(out)+7)/8;
65a22376	563	bytes = smalloc(4+7+4+nbytes);
	564	PUT_32BIT(bytes, 7);
	565	memcpy(bytes+4, "ssh-rsa", 7);
	566	PUT_32BIT(bytes+4+7, nbytes);
	567	for (i = 0; i < nbytes; i++)
	568	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
	569	freebn(out);
	570
	571	*siglen = 4+7+4+nbytes;
	572	return bytes;
85cc02bb	573	}
85cc02bb	574
65a22376	575	const struct ssh_signkey ssh_rsa = {
85cc02bb	576	rsa2_newkey,
	577	rsa2_freekey,
	578	rsa2_fmtkey,
65a22376	579	rsa2_public_blob,
	580	rsa2_private_blob,
	581	rsa2_createkey,
45cebe79	582	rsa2_openssh_createkey,
ddecd643	583	rsa2_openssh_fmtkey,
85cc02bb	584	rsa2_fingerprint,
	585	rsa2_verifysig,
	586	rsa2_sign,
	587	"ssh-rsa",
	588	"rsa2"
	589	};