[u/mdw/putty] / sshrsa.c

/*
 * RSA implementation just sufficient for ssh client-side
 * initialisation step
 *
 * Rewritten for more speed by Joris van Rantwijk, Jun 1999.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <windows.h> // FIXME
#include "putty.h" // FIXME

#include "ssh.h"


int makekey(unsigned char *data, struct RSAKey *result,
	    unsigned char **keystr, int order) {
    unsigned char *p = data;
    int i;

    if (result) {
        result->bits = 0;
        for (i=0; i<4; i++)
            result->bits = (result->bits << 8) + *p++;
    } else
        p += 4;

    /*
     * order=0 means exponent then modulus (the keys sent by the
     * server). order=1 means modulus then exponent (the keys
     * stored in a keyfile).
     */

    if (order == 0)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
    if (result)
        result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
    if (keystr) *keystr = p+2;
    p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
    if (order == 1)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);

    return p - data;
}

int makeprivate(unsigned char *data, struct RSAKey *result) {
    return ssh1_read_bignum(data, &result->private_exponent);
}

void rsaencrypt(unsigned char *data, int length, struct RSAKey *key) {
    Bignum b1, b2;
    int i;
    unsigned char *p;

    memmove(data+key->bytes-length, data, length);
    data[0] = 0;
    data[1] = 2;

    for (i = 2; i < key->bytes-length-1; i++) {
	do {
	    data[i] = random_byte();
	} while (data[i] == 0);
    }
    data[key->bytes-length-1] = 0;

    b1 = bignum_from_bytes(data, key->bytes);

    b2 = modpow(b1, key->exponent, key->modulus);

    p = data;
    for (i=key->bytes; i-- ;) {
        *p++ = bignum_byte(b2, i);
    }

    freebn(b1);
    freebn(b2);
}

Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
    Bignum ret;
    ret = modpow(input, key->private_exponent, key->modulus);
    return ret;
}

int rsastr_len(struct RSAKey *key) {
    Bignum md, ex;
    int mdlen, exlen;

    md = key->modulus;
    ex = key->exponent;
    mdlen = (ssh1_bignum_bitcount(md)+15) / 16;
    exlen = (ssh1_bignum_bitcount(ex)+15) / 16;
    return 4 * (mdlen+exlen) + 20;
}

void rsastr_fmt(char *str, struct RSAKey *key) {
    Bignum md, ex;
    int len = 0, i, nibbles;
    static const char hex[] = "0123456789abcdef";

    md = key->modulus;
    ex = key->exponent;

    len += sprintf(str+len, "0x");

    nibbles = (3 + ssh1_bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];

    len += sprintf(str+len, ",0x");

    nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];

    str[len] = '\0';
}

/*
 * Generate a fingerprint string for the key. Compatible with the
 * OpenSSH fingerprint code.
 */
void rsa_fingerprint(char *str, int len, struct RSAKey *key) {
    struct MD5Context md5c;
    unsigned char digest[16];
    char buffer[16*3+40];
    int numlen, slen, i;

    MD5Init(&md5c);
    numlen = ssh1_bignum_length(key->modulus) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->modulus, i);
        MD5Update(&md5c, &c, 1);
    }
    numlen = ssh1_bignum_length(key->exponent) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->exponent, i);
        MD5Update(&md5c, &c, 1);
    }
    MD5Final(digest, &md5c);

    sprintf(buffer, "%d ", ssh1_bignum_bitcount(key->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    strncpy(str, buffer, len); str[len-1] = '\0';
    slen = strlen(str);
    if (key->comment && slen < len-1) {
        str[slen] = ' ';
        strncpy(str+slen+1, key->comment, len-slen-1);
        str[len-1] = '\0';
    }
}

void freersakey(struct RSAKey *key) {
    if (key->modulus) freebn(key->modulus);
    if (key->exponent) freebn(key->exponent);
    if (key->private_exponent) freebn(key->private_exponent);
    if (key->comment) sfree(key->comment);
}

/* ----------------------------------------------------------------------
 * Implementation of the ssh-rsa signing key type. 
 */

#define GET_32BIT(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
    ((unsigned long)(unsigned char)(cp)[1] << 16) | \
    ((unsigned long)(unsigned char)(cp)[2] << 8) | \
    ((unsigned long)(unsigned char)(cp)[3]))

#define PUT_32BIT(cp, value) { \
    (cp)[0] = (unsigned char)((value) >> 24); \
    (cp)[1] = (unsigned char)((value) >> 16); \
    (cp)[2] = (unsigned char)((value) >> 8); \
    (cp)[3] = (unsigned char)(value); }

static void getstring(char **data, int *datalen, char **p, int *length) {
    *p = NULL;
    if (*datalen < 4)
        return;
    *length = GET_32BIT(*data);
    *datalen -= 4; *data += 4;
    if (*datalen < *length)
        return;
    *p = *data;
    *data += *length; *datalen -= *length;
}
static Bignum getmp(char **data, int *datalen) {
    char *p;
    int length;
    Bignum b;

    getstring(data, datalen, &p, &length);
    if (!p)
        return NULL;
    b = bignum_from_bytes(p, length);
    return b;
}

static void *rsa2_newkey(char *data, int len) {
    char *p;
    int slen;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa) return NULL;
    getstring(&data, &len, &p, &slen);

    if (!p || memcmp(p, "ssh-rsa", 7)) {
	sfree(rsa);
	return NULL;
    }
    rsa->exponent = getmp(&data, &len);
    rsa->modulus = getmp(&data, &len);
    rsa->private_exponent = NULL;
    rsa->comment = NULL;

    return rsa;
}

static void rsa2_freekey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    freersakey(rsa);
    sfree(rsa);
}

static char *rsa2_fmtkey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    char *p;
    int len;
    
    len = rsastr_len(rsa);
    p = smalloc(len);
    rsastr_fmt(p, rsa);
    return p;
}

static unsigned char *rsa2_public_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int elen, mlen, bloblen;
    int i;
    unsigned char *blob, *p;

    elen = (ssh1_bignum_bitcount(rsa->exponent)+8)/8;
    mlen = (ssh1_bignum_bitcount(rsa->modulus)+8)/8;

    /*
     * string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
     * (three length fields, 12+7=19).
     */
    bloblen = 19+elen+mlen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, 7); p += 4;
    memcpy(p, "ssh-rsa", 7); p += 7;
    PUT_32BIT(p, elen); p += 4;
    for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
    PUT_32BIT(p, mlen); p += 4;
    for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static unsigned char *rsa2_private_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int dlen, plen, qlen, ulen, bloblen;
    int i;
    unsigned char *blob, *p;

    dlen = (ssh1_bignum_bitcount(rsa->private_exponent)+8)/8;
    plen = (ssh1_bignum_bitcount(rsa->p)+8)/8;
    qlen = (ssh1_bignum_bitcount(rsa->q)+8)/8;
    ulen = (ssh1_bignum_bitcount(rsa->iqmp)+8)/8;

    /*
     * mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
     * sum of lengths.
     */
    bloblen = 16+dlen+plen+qlen+ulen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, dlen); p += 4;
    for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
    PUT_32BIT(p, plen); p += 4;
    for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
    PUT_32BIT(p, qlen); p += 4;
    for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
    PUT_32BIT(p, ulen); p += 4;
    for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static void *rsa2_createkey(unsigned char *pub_blob, int pub_len,
			    unsigned char *priv_blob, int priv_len) {
    struct RSAKey *rsa;
    char *pb = (char *)priv_blob;
    
    rsa = rsa2_newkey((char *)pub_blob, pub_len);
    rsa->private_exponent = getmp(&pb, &priv_len);
    rsa->p = getmp(&pb, &priv_len);
    rsa->q = getmp(&pb, &priv_len);
    rsa->iqmp = getmp(&pb, &priv_len);

    return rsa;
}

static char *rsa2_fingerprint(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    struct MD5Context md5c;
    unsigned char digest[16], lenbuf[4];
    char buffer[16*3+40];
    char *ret;
    int numlen, i;

    MD5Init(&md5c);
    MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);

#define ADD_BIGNUM(bignum) \
    numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \
    PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
    for (i = numlen; i-- ;) { \
        unsigned char c = bignum_byte(bignum, i); \
        MD5Update(&md5c, &c, 1); \
    }
    ADD_BIGNUM(rsa->exponent);
    ADD_BIGNUM(rsa->modulus);
#undef ADD_BIGNUM

    MD5Final(digest, &md5c);

    sprintf(buffer, "ssh-rsa %d ", ssh1_bignum_bitcount(rsa->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    ret = smalloc(strlen(buffer)+1);
    if (ret)
        strcpy(ret, buffer);
    return ret;
}

/*
 * This is the magic ASN.1/DER prefix that goes in the decoded
 * signature, between the string of FFs and the actual SHA hash
 * value. As closely as I can tell, the meaning of it is:
 * 
 * 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
 * 
 * 30 21 -- a constructed SEQUENCE of length 0x21
 *    30 09 -- a constructed sub-SEQUENCE of length 9
 *       06 05 -- an object identifier, length 5
 *          2B 0E 03 02 1A -- 
 *       05 00 -- NULL
 *    04 14 -- a primitive OCTET STRING of length 0x14
 *       [0x14 bytes of hash data follows]
 */
static unsigned char asn1_weird_stuff[] = {
    0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
    0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
};

static int rsa2_verifysig(void *key, char *sig, int siglen,
			 char *data, int datalen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    Bignum in, out;
    char *p;
    int slen;
    int bytes, i, j, ret;
    unsigned char hash[20];

    getstring(&sig, &siglen, &p, &slen);
    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
        return 0;
    }
    in = getmp(&sig, &siglen);
    out = modpow(in, rsa->exponent, rsa->modulus);
    freebn(in);

    ret = 1;

    bytes = ssh1_bignum_bitcount(rsa->modulus) / 8;
    /* Top (partial) byte should be zero. */
    if (bignum_byte(out, bytes-1) != 0)
        ret = 0;
    /* First whole byte should be 1. */
    if (bignum_byte(out, bytes-2) != 1)
        ret = 0;
    /* Most of the rest should be FF. */
    for (i = bytes-3; i >= 20 + sizeof(asn1_weird_stuff); i--) {
        if (bignum_byte(out, i) != 0xFF)
            ret = 0;
    }
    /* Then we expect to see the asn1_weird_stuff. */
    for (i = 20 + sizeof(asn1_weird_stuff) - 1, j=0; i >= 20; i--,j++) {
        if (bignum_byte(out, i) != asn1_weird_stuff[j])
            ret = 0;
    }
    /* Finally, we expect to see the SHA-1 hash of the signed data. */
    SHA_Simple(data, datalen, hash);
    for (i = 19, j=0; i >= 0; i--,j++) {
        if (bignum_byte(out, i) != hash[j])
            ret = 0;
    }

    return ret;
}

unsigned char *rsa2_sign(void *key, char *data, int datalen, int *siglen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    unsigned char *bytes;
    int nbytes;
    unsigned char hash[20];
    Bignum in, out;
    int i, j;

    SHA_Simple(data, datalen, hash);

    nbytes = (ssh1_bignum_bitcount(rsa->modulus)-1) / 8;
    bytes = smalloc(nbytes);

    bytes[0] = 1;
    for (i = 1; i < nbytes-20-sizeof(asn1_weird_stuff); i++)
	bytes[i] = 0xFF;
    for (i = nbytes-20-sizeof(asn1_weird_stuff), j=0; i < nbytes-20; i++,j++)
	bytes[i] = asn1_weird_stuff[j];
    for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	bytes[i] = hash[j];

    in = bignum_from_bytes(bytes, nbytes);
    sfree(bytes);

    out = modpow(in, rsa->private_exponent, rsa->modulus);
    freebn(in);

    nbytes = (ssh1_bignum_bitcount(out)+7)/8;
    bytes = smalloc(4+7+4+nbytes);
    PUT_32BIT(bytes, 7);
    memcpy(bytes+4, "ssh-rsa", 7);
    PUT_32BIT(bytes+4+7, nbytes);
    for (i = 0; i < nbytes; i++)
	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
    freebn(out);

    *siglen = 4+7+4+nbytes;
    return bytes;
}

const struct ssh_signkey ssh_rsa = {
    rsa2_newkey,
    rsa2_freekey,
    rsa2_fmtkey,
    rsa2_public_blob,
    rsa2_private_blob,
    rsa2_createkey,
    rsa2_fingerprint,
    rsa2_verifysig,
    rsa2_sign,
    "ssh-rsa",
    "rsa2"
};
Commit	Line	Data
374330e2	1	/*
	2	* RSA implementation just sufficient for ssh client-side
	3	* initialisation step
4644b0ce	4	*
4644b0ce	5	* Rewritten for more speed by Joris van Rantwijk, Jun 1999.
374330e2	6	*/
374330e2	7
374330e2	8	#include <stdio.h>
	9	#include <stdlib.h>
	10	#include <string.h>
65a22376	11	#include <assert.h>
	12	#include <windows.h> // FIXME
	13	#include "putty.h" // FIXME
374330e2	14
e5574168	15	#include "ssh.h"
374330e2	16
1c2a93c4	17
374330e2	18	int makekey(unsigned char data, struct RSAKey result,
7cca0d81	19	unsigned char **keystr, int order) {
374330e2	20	unsigned char *p = data;
7cca0d81	21	int i;
374330e2	22
a52f067e	23	if (result) {
	24	result->bits = 0;
	25	for (i=0; i<4; i++)
	26	result->bits = (result->bits << 8) + *p++;
	27	} else
	28	p += 4;
374330e2	29
7cca0d81	30	/*
	31	* order=0 means exponent then modulus (the keys sent by the
	32	* server). order=1 means modulus then exponent (the keys
	33	* stored in a keyfile).
	34	*/
374330e2	35
7cca0d81	36	if (order == 0)
a52f067e	37	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
	38	if (result)
	39	result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
7cca0d81	40	if (keystr) *keystr = p+2;
a52f067e	41	p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
7cca0d81	42	if (order == 1)
a52f067e	43	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
374330e2	44
	45	return p - data;
	46	}
	47
7cca0d81	48	int makeprivate(unsigned char data, struct RSAKey result) {
	49	return ssh1_read_bignum(data, &result->private_exponent);
	50	}
	51
374330e2	52	void rsaencrypt(unsigned char data, int length, struct RSAKey key) {
374330e2	53	Bignum b1, b2;
3709bfe9	54	int i;
374330e2	55	unsigned char *p;
374330e2	56
374330e2	57	memmove(data+key->bytes-length, data, length);
	58	data[0] = 0;
	59	data[1] = 2;
	60
	61	for (i = 2; i < key->bytes-length-1; i++) {
	62	do {
	63	data[i] = random_byte();
	64	} while (data[i] == 0);
	65	}
	66	data[key->bytes-length-1] = 0;
	67
3709bfe9	68	b1 = bignum_from_bytes(data, key->bytes);
374330e2	69
59600f67	70	b2 = modpow(b1, key->exponent, key->modulus);
374330e2	71
374330e2	72	p = data;
d9373729	73	for (i=key->bytes; i-- ;) {
3709bfe9	74	*p++ = bignum_byte(b2, i);
374330e2	75	}
	76
	77	freebn(b1);
	78	freebn(b2);
	79	}
	80
7cca0d81	81	Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
7cca0d81	82	Bignum ret;
59600f67	83	ret = modpow(input, key->private_exponent, key->modulus);
7cca0d81	84	return ret;
	85	}
	86
374330e2	87	int rsastr_len(struct RSAKey *key) {
374330e2	88	Bignum md, ex;
3709bfe9	89	int mdlen, exlen;
374330e2	90
	91	md = key->modulus;
	92	ex = key->exponent;
3709bfe9	93	mdlen = (ssh1_bignum_bitcount(md)+15) / 16;
	94	exlen = (ssh1_bignum_bitcount(ex)+15) / 16;
	95	return 4 * (mdlen+exlen) + 20;
374330e2	96	}
	97
	98	void rsastr_fmt(char str, struct RSAKey key) {
	99	Bignum md, ex;
d5859615	100	int len = 0, i, nibbles;
d5859615	101	static const char hex[] = "0123456789abcdef";
374330e2	102
	103	md = key->modulus;
	104	ex = key->exponent;
	105
d5859615	106	len += sprintf(str+len, "0x");
	107
	108	nibbles = (3 + ssh1_bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
	109	for (i=nibbles; i-- ;)
	110	str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];
	111
	112	len += sprintf(str+len, ",0x");
	113
	114	nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
	115	for (i=nibbles; i-- ;)
	116	str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];
	117
374330e2	118	str[len] = '\0';
	119	}
	120
1c2a93c4	121	/*
	122	* Generate a fingerprint string for the key. Compatible with the
	123	* OpenSSH fingerprint code.
	124	*/
	125	void rsa_fingerprint(char str, int len, struct RSAKey key) {
	126	struct MD5Context md5c;
	127	unsigned char digest[16];
	128	char buffer[16*3+40];
	129	int numlen, slen, i;
	130
	131	MD5Init(&md5c);
	132	numlen = ssh1_bignum_length(key->modulus) - 2;
	133	for (i = numlen; i-- ;) {
	134	unsigned char c = bignum_byte(key->modulus, i);
	135	MD5Update(&md5c, &c, 1);
	136	}
	137	numlen = ssh1_bignum_length(key->exponent) - 2;
	138	for (i = numlen; i-- ;) {
	139	unsigned char c = bignum_byte(key->exponent, i);
	140	MD5Update(&md5c, &c, 1);
	141	}
	142	MD5Final(digest, &md5c);
	143
	144	sprintf(buffer, "%d ", ssh1_bignum_bitcount(key->modulus));
	145	for (i = 0; i < 16; i++)
	146	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	147	strncpy(str, buffer, len); str[len-1] = '\0';
	148	slen = strlen(str);
	149	if (key->comment && slen < len-1) {
	150	str[slen] = ' ';
	151	strncpy(str+slen+1, key->comment, len-slen-1);
	152	str[len-1] = '\0';
	153	}
	154	}
	155
5c58ad2d	156	void freersakey(struct RSAKey *key) {
	157	if (key->modulus) freebn(key->modulus);
	158	if (key->exponent) freebn(key->exponent);
	159	if (key->private_exponent) freebn(key->private_exponent);
dcbde236	160	if (key->comment) sfree(key->comment);
5c58ad2d	161	}
85cc02bb	162
	163	/* ----------------------------------------------------------------------
	164	* Implementation of the ssh-rsa signing key type.
	165	*/
	166
	167	#define GET_32BIT(cp) \
	168	(((unsigned long)(unsigned char)(cp)[0] << 24) \| \
	169	((unsigned long)(unsigned char)(cp)[1] << 16) \| \
	170	((unsigned long)(unsigned char)(cp)[2] << 8) \| \
	171	((unsigned long)(unsigned char)(cp)[3]))
	172
	173	#define PUT_32BIT(cp, value) { \
	174	(cp)[0] = (unsigned char)((value) >> 24); \
	175	(cp)[1] = (unsigned char)((value) >> 16); \
	176	(cp)[2] = (unsigned char)((value) >> 8); \
	177	(cp)[3] = (unsigned char)(value); }
	178
	179	static void getstring(char *data, int datalen, char *p, int length) {
	180	*p = NULL;
	181	if (*datalen < 4)
	182	return;
	183	length = GET_32BIT(data);
	184	datalen -= 4; data += 4;
	185	if (datalen < length)
	186	return;
	187	p = data;
	188	data += length; datalen -= length;
	189	}
	190	static Bignum getmp(char *data, int datalen) {
	191	char *p;
	192	int length;
	193	Bignum b;
	194
	195	getstring(data, datalen, &p, &length);
	196	if (!p)
	197	return NULL;
	198	b = bignum_from_bytes(p, length);
	199	return b;
	200	}
	201
	202	static void rsa2_newkey(char data, int len) {
	203	char *p;
	204	int slen;
	205	struct RSAKey *rsa;
	206
	207	rsa = smalloc(sizeof(struct RSAKey));
	208	if (!rsa) return NULL;
	209	getstring(&data, &len, &p, &slen);
	210
	211	if (!p \|\| memcmp(p, "ssh-rsa", 7)) {
	212	sfree(rsa);
	213	return NULL;
	214	}
	215	rsa->exponent = getmp(&data, &len);
	216	rsa->modulus = getmp(&data, &len);
	217	rsa->private_exponent = NULL;
	218	rsa->comment = NULL;
	219
	220	return rsa;
	221	}
	222
	223	static void rsa2_freekey(void *key) {
	224	struct RSAKey rsa = (struct RSAKey )key;
	225	freersakey(rsa);
226	sfree(rsa);
227	}
228
229	static char rsa2_fmtkey(void key) {
230	struct RSAKey rsa = (struct RSAKey )key;
231	char *p;
232	int len;
233
234	len = rsastr_len(rsa);
235	p = smalloc(len);
236	rsastr_fmt(p, rsa);
237	return p;
238	}
239
65a22376	240	static unsigned char rsa2_public_blob(void key, int *len) {
	241	struct RSAKey rsa = (struct RSAKey )key;
	242	int elen, mlen, bloblen;
	243	int i;
	244	unsigned char blob, p;
	245
	246	elen = (ssh1_bignum_bitcount(rsa->exponent)+8)/8;
	247	mlen = (ssh1_bignum_bitcount(rsa->modulus)+8)/8;
	248
	249	/*
	250	* string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
	251	* (three length fields, 12+7=19).
	252	*/
	253	bloblen = 19+elen+mlen;
	254	blob = smalloc(bloblen);
	255	p = blob;
	256	PUT_32BIT(p, 7); p += 4;
	257	memcpy(p, "ssh-rsa", 7); p += 7;
	258	PUT_32BIT(p, elen); p += 4;
	259	for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
	260	PUT_32BIT(p, mlen); p += 4;
	261	for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
	262	assert(p == blob + bloblen);
	263	*len = bloblen;
	264	return blob;
	265	}
	266
	267	static unsigned char rsa2_private_blob(void key, int *len) {
	268	struct RSAKey rsa = (struct RSAKey )key;
	269	int dlen, plen, qlen, ulen, bloblen;
	270	int i;
	271	unsigned char blob, p;
	272
	273	dlen = (ssh1_bignum_bitcount(rsa->private_exponent)+8)/8;
	274	plen = (ssh1_bignum_bitcount(rsa->p)+8)/8;
	275	qlen = (ssh1_bignum_bitcount(rsa->q)+8)/8;
	276	ulen = (ssh1_bignum_bitcount(rsa->iqmp)+8)/8;
	277
	278	/*
	279	* mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
	280	* sum of lengths.
	281	*/
	282	bloblen = 16+dlen+plen+qlen+ulen;
	283	blob = smalloc(bloblen);
	284	p = blob;
	285	PUT_32BIT(p, dlen); p += 4;
	286	for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
	287	PUT_32BIT(p, plen); p += 4;
	288	for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
	289	PUT_32BIT(p, qlen); p += 4;
	290	for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
	291	PUT_32BIT(p, ulen); p += 4;
	292	for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
	293	assert(p == blob + bloblen);
	294	*len = bloblen;
	295	return blob;
	296	}
	297
	298	static void rsa2_createkey(unsigned char pub_blob, int pub_len,
	299	unsigned char *priv_blob, int priv_len) {
	300	struct RSAKey *rsa;
	301	char pb = (char )priv_blob;
	302
	303	rsa = rsa2_newkey((char *)pub_blob, pub_len);
304	rsa->private_exponent = getmp(&pb, &priv_len);
305	rsa->p = getmp(&pb, &priv_len);
306	rsa->q = getmp(&pb, &priv_len);
307	rsa->iqmp = getmp(&pb, &priv_len);
308
309	return rsa;
310	}
311
85cc02bb	312	static char rsa2_fingerprint(void key) {
	313	struct RSAKey rsa = (struct RSAKey )key;
	314	struct MD5Context md5c;
	315	unsigned char digest[16], lenbuf[4];
	316	char buffer[16*3+40];
	317	char *ret;
	318	int numlen, i;
	319
	320	MD5Init(&md5c);
	321	MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);
	322
	323	#define ADD_BIGNUM(bignum) \
	324	numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \
	325	PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
	326	for (i = numlen; i-- ;) { \
	327	unsigned char c = bignum_byte(bignum, i); \
	328	MD5Update(&md5c, &c, 1); \
	329	}
	330	ADD_BIGNUM(rsa->exponent);
	331	ADD_BIGNUM(rsa->modulus);
	332	#undef ADD_BIGNUM
	333
	334	MD5Final(digest, &md5c);
	335
5d03233b	336	sprintf(buffer, "ssh-rsa %d ", ssh1_bignum_bitcount(rsa->modulus));
85cc02bb	337	for (i = 0; i < 16; i++)
	338	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	339	ret = smalloc(strlen(buffer)+1);
	340	if (ret)
	341	strcpy(ret, buffer);
	342	return ret;
	343	}
	344
	345	/*
	346	* This is the magic ASN.1/DER prefix that goes in the decoded
	347	* signature, between the string of FFs and the actual SHA hash
	348	* value. As closely as I can tell, the meaning of it is:
	349	*
	350	* 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
	351	*
	352	* 30 21 -- a constructed SEQUENCE of length 0x21
	353	* 30 09 -- a constructed sub-SEQUENCE of length 9
	354	* 06 05 -- an object identifier, length 5
	355	* 2B 0E 03 02 1A --
	356	* 05 00 -- NULL
	357	* 04 14 -- a primitive OCTET STRING of length 0x14
	358	* [0x14 bytes of hash data follows]
	359	*/
	360	static unsigned char asn1_weird_stuff[] = {
	361	0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
	362	0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
	363	};
	364
	365	static int rsa2_verifysig(void key, char sig, int siglen,
	366	char *data, int datalen) {
	367	struct RSAKey rsa = (struct RSAKey )key;
	368	Bignum in, out;
	369	char *p;
	370	int slen;
	371	int bytes, i, j, ret;
	372	unsigned char hash[20];
	373
	374	getstring(&sig, &siglen, &p, &slen);
	375	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
	376	return 0;
	377	}
	378	in = getmp(&sig, &siglen);
	379	out = modpow(in, rsa->exponent, rsa->modulus);
	380	freebn(in);
	381
	382	ret = 1;
	383
	384	bytes = ssh1_bignum_bitcount(rsa->modulus) / 8;
	385	/* Top (partial) byte should be zero. */
	386	if (bignum_byte(out, bytes-1) != 0)
	387	ret = 0;
	388	/* First whole byte should be 1. */
	389	if (bignum_byte(out, bytes-2) != 1)
	390	ret = 0;
	391	/* Most of the rest should be FF. */
	392	for (i = bytes-3; i >= 20 + sizeof(asn1_weird_stuff); i--) {
	393	if (bignum_byte(out, i) != 0xFF)
	394	ret = 0;
	395	}
	396	/* Then we expect to see the asn1_weird_stuff. */
	397	for (i = 20 + sizeof(asn1_weird_stuff) - 1, j=0; i >= 20; i--,j++) {
	398	if (bignum_byte(out, i) != asn1_weird_stuff[j])
	399	ret = 0;
	400	}
401	/* Finally, we expect to see the SHA-1 hash of the signed data. */
402	SHA_Simple(data, datalen, hash);
403	for (i = 19, j=0; i >= 0; i--,j++) {
404	if (bignum_byte(out, i) != hash[j])
405	ret = 0;
406	}
407
408	return ret;
409	}
410
65a22376	411	unsigned char rsa2_sign(void key, char data, int datalen, int siglen) {
	412	struct RSAKey rsa = (struct RSAKey )key;
	413	unsigned char *bytes;
	414	int nbytes;
	415	unsigned char hash[20];
	416	Bignum in, out;
	417	int i, j;
	418
	419	SHA_Simple(data, datalen, hash);
	420
	421	nbytes = (ssh1_bignum_bitcount(rsa->modulus)-1) / 8;
	422	bytes = smalloc(nbytes);
	423
	424	bytes[0] = 1;
	425	for (i = 1; i < nbytes-20-sizeof(asn1_weird_stuff); i++)
	426	bytes[i] = 0xFF;
	427	for (i = nbytes-20-sizeof(asn1_weird_stuff), j=0; i < nbytes-20; i++,j++)
	428	bytes[i] = asn1_weird_stuff[j];
	429	for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	430	bytes[i] = hash[j];
	431
	432	in = bignum_from_bytes(bytes, nbytes);
	433	sfree(bytes);
	434
	435	out = modpow(in, rsa->private_exponent, rsa->modulus);
	436	freebn(in);
	437
	438	nbytes = (ssh1_bignum_bitcount(out)+7)/8;
	439	bytes = smalloc(4+7+4+nbytes);
	440	PUT_32BIT(bytes, 7);
	441	memcpy(bytes+4, "ssh-rsa", 7);
	442	PUT_32BIT(bytes+4+7, nbytes);
	443	for (i = 0; i < nbytes; i++)
	444	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
	445	freebn(out);
	446
	447	*siglen = 4+7+4+nbytes;
	448	return bytes;
85cc02bb	449	}
85cc02bb	450
65a22376	451	const struct ssh_signkey ssh_rsa = {
85cc02bb	452	rsa2_newkey,
	453	rsa2_freekey,
	454	rsa2_fmtkey,
65a22376	455	rsa2_public_blob,
	456	rsa2_private_blob,
	457	rsa2_createkey,
85cc02bb	458	rsa2_fingerprint,
	459	rsa2_verifysig,
	460	rsa2_sign,
	461	"ssh-rsa",
	462	"rsa2"
	463	};