[u/mdw/putty] / sshrsa.c

/*
 * RSA implementation just sufficient for ssh client-side
 * initialisation step
 *
 * Rewritten for more speed by Joris van Rantwijk, Jun 1999.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

#include "ssh.h"


int makekey(unsigned char *data, struct RSAKey *result,
	    unsigned char **keystr, int order) {
    unsigned char *p = data;
    int i;

    if (result) {
        result->bits = 0;
        for (i=0; i<4; i++)
            result->bits = (result->bits << 8) + *p++;
    } else
        p += 4;

    /*
     * order=0 means exponent then modulus (the keys sent by the
     * server). order=1 means modulus then exponent (the keys
     * stored in a keyfile).
     */

    if (order == 0)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
    if (result)
        result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
    if (keystr) *keystr = p+2;
    p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
    if (order == 1)
        p += ssh1_read_bignum(p, result ? &result->exponent : NULL);

    return p - data;
}

int makeprivate(unsigned char *data, struct RSAKey *result) {
    return ssh1_read_bignum(data, &result->private_exponent);
}

void rsaencrypt(unsigned char *data, int length, struct RSAKey *key) {
    Bignum b1, b2;
    int i;
    unsigned char *p;

    memmove(data+key->bytes-length, data, length);
    data[0] = 0;
    data[1] = 2;

    for (i = 2; i < key->bytes-length-1; i++) {
	do {
	    data[i] = random_byte();
	} while (data[i] == 0);
    }
    data[key->bytes-length-1] = 0;

    b1 = bignum_from_bytes(data, key->bytes);

    b2 = modpow(b1, key->exponent, key->modulus);

    p = data;
    for (i=key->bytes; i-- ;) {
        *p++ = bignum_byte(b2, i);
    }

    freebn(b1);
    freebn(b2);
}

Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
    Bignum ret;
    ret = modpow(input, key->private_exponent, key->modulus);
    return ret;
}

int rsastr_len(struct RSAKey *key) {
    Bignum md, ex;
    int mdlen, exlen;

    md = key->modulus;
    ex = key->exponent;
    mdlen = (ssh1_bignum_bitcount(md)+15) / 16;
    exlen = (ssh1_bignum_bitcount(ex)+15) / 16;
    return 4 * (mdlen+exlen) + 20;
}

void rsastr_fmt(char *str, struct RSAKey *key) {
    Bignum md, ex;
    int len = 0, i, nibbles;
    static const char hex[] = "0123456789abcdef";

    md = key->modulus;
    ex = key->exponent;

    len += sprintf(str+len, "0x");

    nibbles = (3 + ssh1_bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];

    len += sprintf(str+len, ",0x");

    nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
    for (i=nibbles; i-- ;)
        str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];

    str[len] = '\0';
}

/*
 * Generate a fingerprint string for the key. Compatible with the
 * OpenSSH fingerprint code.
 */
void rsa_fingerprint(char *str, int len, struct RSAKey *key) {
    struct MD5Context md5c;
    unsigned char digest[16];
    char buffer[16*3+40];
    int numlen, slen, i;

    MD5Init(&md5c);
    numlen = ssh1_bignum_length(key->modulus) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->modulus, i);
        MD5Update(&md5c, &c, 1);
    }
    numlen = ssh1_bignum_length(key->exponent) - 2;
    for (i = numlen; i-- ;) {
        unsigned char c = bignum_byte(key->exponent, i);
        MD5Update(&md5c, &c, 1);
    }
    MD5Final(digest, &md5c);

    sprintf(buffer, "%d ", ssh1_bignum_bitcount(key->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    strncpy(str, buffer, len); str[len-1] = '\0';
    slen = strlen(str);
    if (key->comment && slen < len-1) {
        str[slen] = ' ';
        strncpy(str+slen+1, key->comment, len-slen-1);
        str[len-1] = '\0';
    }
}

void freersakey(struct RSAKey *key) {
    if (key->modulus) freebn(key->modulus);
    if (key->exponent) freebn(key->exponent);
    if (key->private_exponent) freebn(key->private_exponent);
    if (key->comment) sfree(key->comment);
}

/* ----------------------------------------------------------------------
 * Implementation of the ssh-rsa signing key type. 
 */

#define GET_32BIT(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
    ((unsigned long)(unsigned char)(cp)[1] << 16) | \
    ((unsigned long)(unsigned char)(cp)[2] << 8) | \
    ((unsigned long)(unsigned char)(cp)[3]))

#define PUT_32BIT(cp, value) { \
    (cp)[0] = (unsigned char)((value) >> 24); \
    (cp)[1] = (unsigned char)((value) >> 16); \
    (cp)[2] = (unsigned char)((value) >> 8); \
    (cp)[3] = (unsigned char)(value); }

static void getstring(char **data, int *datalen, char **p, int *length) {
    *p = NULL;
    if (*datalen < 4)
        return;
    *length = GET_32BIT(*data);
    *datalen -= 4; *data += 4;
    if (*datalen < *length)
        return;
    *p = *data;
    *data += *length; *datalen -= *length;
}
static Bignum getmp(char **data, int *datalen) {
    char *p;
    int length;
    Bignum b;

    getstring(data, datalen, &p, &length);
    if (!p)
        return NULL;
    b = bignum_from_bytes(p, length);
    return b;
}

static void *rsa2_newkey(char *data, int len) {
    char *p;
    int slen;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa) return NULL;
    getstring(&data, &len, &p, &slen);

    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
	sfree(rsa);
	return NULL;
    }
    rsa->exponent = getmp(&data, &len);
    rsa->modulus = getmp(&data, &len);
    rsa->private_exponent = NULL;
    rsa->comment = NULL;

    return rsa;
}

static void rsa2_freekey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    freersakey(rsa);
    sfree(rsa);
}

static char *rsa2_fmtkey(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    char *p;
    int len;
    
    len = rsastr_len(rsa);
    p = smalloc(len);
    rsastr_fmt(p, rsa);
    return p;
}

static unsigned char *rsa2_public_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int elen, mlen, bloblen;
    int i;
    unsigned char *blob, *p;

    elen = (ssh1_bignum_bitcount(rsa->exponent)+8)/8;
    mlen = (ssh1_bignum_bitcount(rsa->modulus)+8)/8;

    /*
     * string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
     * (three length fields, 12+7=19).
     */
    bloblen = 19+elen+mlen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, 7); p += 4;
    memcpy(p, "ssh-rsa", 7); p += 7;
    PUT_32BIT(p, elen); p += 4;
    for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
    PUT_32BIT(p, mlen); p += 4;
    for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static unsigned char *rsa2_private_blob(void *key, int *len) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    int dlen, plen, qlen, ulen, bloblen;
    int i;
    unsigned char *blob, *p;

    dlen = (ssh1_bignum_bitcount(rsa->private_exponent)+8)/8;
    plen = (ssh1_bignum_bitcount(rsa->p)+8)/8;
    qlen = (ssh1_bignum_bitcount(rsa->q)+8)/8;
    ulen = (ssh1_bignum_bitcount(rsa->iqmp)+8)/8;

    /*
     * mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
     * sum of lengths.
     */
    bloblen = 16+dlen+plen+qlen+ulen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, dlen); p += 4;
    for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
    PUT_32BIT(p, plen); p += 4;
    for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
    PUT_32BIT(p, qlen); p += 4;
    for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
    PUT_32BIT(p, ulen); p += 4;
    for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static void *rsa2_createkey(unsigned char *pub_blob, int pub_len,
			    unsigned char *priv_blob, int priv_len) {
    struct RSAKey *rsa;
    char *pb = (char *)priv_blob;
    
    rsa = rsa2_newkey((char *)pub_blob, pub_len);
    rsa->private_exponent = getmp(&pb, &priv_len);
    rsa->p = getmp(&pb, &priv_len);
    rsa->q = getmp(&pb, &priv_len);
    rsa->iqmp = getmp(&pb, &priv_len);

    return rsa;
}

static void *rsa2_openssh_createkey(unsigned char **blob, int *len) {
    char **b = (char **)blob;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa) return NULL;
    rsa->comment = NULL;

    rsa->modulus = getmp(b, len);
    rsa->exponent = getmp(b, len);
    rsa->private_exponent = getmp(b, len);
    rsa->iqmp = getmp(b, len);
    rsa->p = getmp(b, len);
    rsa->q = getmp(b, len);

    if (!rsa->modulus || !rsa->exponent || !rsa->private_exponent ||
	!rsa->iqmp || !rsa->p || !rsa->q) {
	sfree(rsa->modulus);
	sfree(rsa->exponent);
	sfree(rsa->private_exponent);
	sfree(rsa->iqmp);
	sfree(rsa->p);
	sfree(rsa->q);
	sfree(rsa);
	return NULL;
    }

    return rsa;
}

static char *rsa2_fingerprint(void *key) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    struct MD5Context md5c;
    unsigned char digest[16], lenbuf[4];
    char buffer[16*3+40];
    char *ret;
    int numlen, i;

    MD5Init(&md5c);
    MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);

#define ADD_BIGNUM(bignum) \
    numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \
    PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
    for (i = numlen; i-- ;) { \
        unsigned char c = bignum_byte(bignum, i); \
        MD5Update(&md5c, &c, 1); \
    }
    ADD_BIGNUM(rsa->exponent);
    ADD_BIGNUM(rsa->modulus);
#undef ADD_BIGNUM

    MD5Final(digest, &md5c);

    sprintf(buffer, "ssh-rsa %d ", ssh1_bignum_bitcount(rsa->modulus));
    for (i = 0; i < 16; i++)
        sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
    ret = smalloc(strlen(buffer)+1);
    if (ret)
        strcpy(ret, buffer);
    return ret;
}

/*
 * This is the magic ASN.1/DER prefix that goes in the decoded
 * signature, between the string of FFs and the actual SHA hash
 * value. The meaning of it is:
 * 
 * 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
 * 
 * 30 21 -- a constructed SEQUENCE of length 0x21
 *    30 09 -- a constructed sub-SEQUENCE of length 9
 *       06 05 -- an object identifier, length 5
 *          2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
 *                            (the 1,3 comes from 0x2B = 43 = 40*1+3)
 *       05 00 -- NULL
 *    04 14 -- a primitive OCTET STRING of length 0x14
 *       [0x14 bytes of hash data follows]
 * 
 * The object id in the middle there is listed as `id-sha1' in
 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
 * ASN module for PKCS #1) and its expanded form is as follows:
 * 
 * id-sha1                OBJECT IDENTIFIER ::= {
 *    iso(1) identified-organization(3) oiw(14) secsig(3)
 *    algorithms(2) 26 }
 */
static unsigned char asn1_weird_stuff[] = {
    0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
    0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
};

#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )

static int rsa2_verifysig(void *key, char *sig, int siglen,
			 char *data, int datalen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    Bignum in, out;
    char *p;
    int slen;
    int bytes, i, j, ret;
    unsigned char hash[20];

    getstring(&sig, &siglen, &p, &slen);
    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
        return 0;
    }
    in = getmp(&sig, &siglen);
    out = modpow(in, rsa->exponent, rsa->modulus);
    freebn(in);

    ret = 1;

    bytes = ssh1_bignum_bitcount(rsa->modulus) / 8;
    /* Top (partial) byte should be zero. */
    if (bignum_byte(out, bytes-1) != 0)
        ret = 0;
    /* First whole byte should be 1. */
    if (bignum_byte(out, bytes-2) != 1)
        ret = 0;
    /* Most of the rest should be FF. */
    for (i = bytes-3; i >= 20 + ASN1_LEN; i--) {
        if (bignum_byte(out, i) != 0xFF)
            ret = 0;
    }
    /* Then we expect to see the asn1_weird_stuff. */
    for (i = 20 + ASN1_LEN - 1, j=0; i >= 20; i--,j++) {
        if (bignum_byte(out, i) != asn1_weird_stuff[j])
            ret = 0;
    }
    /* Finally, we expect to see the SHA-1 hash of the signed data. */
    SHA_Simple(data, datalen, hash);
    for (i = 19, j=0; i >= 0; i--,j++) {
        if (bignum_byte(out, i) != hash[j])
            ret = 0;
    }

    return ret;
}

unsigned char *rsa2_sign(void *key, char *data, int datalen, int *siglen) {
    struct RSAKey *rsa = (struct RSAKey *)key;
    unsigned char *bytes;
    int nbytes;
    unsigned char hash[20];
    Bignum in, out;
    int i, j;

    SHA_Simple(data, datalen, hash);

    nbytes = (ssh1_bignum_bitcount(rsa->modulus)-1) / 8;
    bytes = smalloc(nbytes);

    bytes[0] = 1;
    for (i = 1; i < nbytes-20-ASN1_LEN; i++)
	bytes[i] = 0xFF;
    for (i = nbytes-20-ASN1_LEN, j=0; i < nbytes-20; i++,j++)
	bytes[i] = asn1_weird_stuff[j];
    for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	bytes[i] = hash[j];

    in = bignum_from_bytes(bytes, nbytes);
    sfree(bytes);

    out = modpow(in, rsa->private_exponent, rsa->modulus);
    freebn(in);

    nbytes = (ssh1_bignum_bitcount(out)+7)/8;
    bytes = smalloc(4+7+4+nbytes);
    PUT_32BIT(bytes, 7);
    memcpy(bytes+4, "ssh-rsa", 7);
    PUT_32BIT(bytes+4+7, nbytes);
    for (i = 0; i < nbytes; i++)
	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
    freebn(out);

    *siglen = 4+7+4+nbytes;
    return bytes;
}

const struct ssh_signkey ssh_rsa = {
    rsa2_newkey,
    rsa2_freekey,
    rsa2_fmtkey,
    rsa2_public_blob,
    rsa2_private_blob,
    rsa2_createkey,
    rsa2_openssh_createkey,
    rsa2_fingerprint,
    rsa2_verifysig,
    rsa2_sign,
    "ssh-rsa",
    "rsa2"
};
Commit	Line	Data
374330e2	1	/*
	2	* RSA implementation just sufficient for ssh client-side
	3	* initialisation step
4644b0ce	4	*
4644b0ce	5	* Rewritten for more speed by Joris van Rantwijk, Jun 1999.
374330e2	6	*/
374330e2	7
374330e2	8	#include <stdio.h>
	9	#include <stdlib.h>
	10	#include <string.h>
65a22376	11	#include <assert.h>
374330e2	12
e5574168	13	#include "ssh.h"
374330e2	14
1c2a93c4	15
374330e2	16	int makekey(unsigned char data, struct RSAKey result,
7cca0d81	17	unsigned char **keystr, int order) {
374330e2	18	unsigned char *p = data;
7cca0d81	19	int i;
374330e2	20
a52f067e	21	if (result) {
	22	result->bits = 0;
	23	for (i=0; i<4; i++)
	24	result->bits = (result->bits << 8) + *p++;
	25	} else
	26	p += 4;
374330e2	27
7cca0d81	28	/*
	29	* order=0 means exponent then modulus (the keys sent by the
	30	* server). order=1 means modulus then exponent (the keys
	31	* stored in a keyfile).
	32	*/
374330e2	33
7cca0d81	34	if (order == 0)
a52f067e	35	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
	36	if (result)
	37	result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
7cca0d81	38	if (keystr) *keystr = p+2;
a52f067e	39	p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
7cca0d81	40	if (order == 1)
a52f067e	41	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
374330e2	42
	43	return p - data;
	44	}
	45
7cca0d81	46	int makeprivate(unsigned char data, struct RSAKey result) {
	47	return ssh1_read_bignum(data, &result->private_exponent);
	48	}
	49
374330e2	50	void rsaencrypt(unsigned char data, int length, struct RSAKey key) {
374330e2	51	Bignum b1, b2;
3709bfe9	52	int i;
374330e2	53	unsigned char *p;
374330e2	54
374330e2	55	memmove(data+key->bytes-length, data, length);
	56	data[0] = 0;
	57	data[1] = 2;
	58
	59	for (i = 2; i < key->bytes-length-1; i++) {
	60	do {
	61	data[i] = random_byte();
	62	} while (data[i] == 0);
	63	}
	64	data[key->bytes-length-1] = 0;
	65
3709bfe9	66	b1 = bignum_from_bytes(data, key->bytes);
374330e2	67
59600f67	68	b2 = modpow(b1, key->exponent, key->modulus);
374330e2	69
374330e2	70	p = data;
d9373729	71	for (i=key->bytes; i-- ;) {
3709bfe9	72	*p++ = bignum_byte(b2, i);
374330e2	73	}
	74
	75	freebn(b1);
	76	freebn(b2);
	77	}
	78
7cca0d81	79	Bignum rsadecrypt(Bignum input, struct RSAKey *key) {
7cca0d81	80	Bignum ret;
59600f67	81	ret = modpow(input, key->private_exponent, key->modulus);
7cca0d81	82	return ret;
	83	}
	84
374330e2	85	int rsastr_len(struct RSAKey *key) {
374330e2	86	Bignum md, ex;
3709bfe9	87	int mdlen, exlen;
374330e2	88
	89	md = key->modulus;
	90	ex = key->exponent;
3709bfe9	91	mdlen = (ssh1_bignum_bitcount(md)+15) / 16;
	92	exlen = (ssh1_bignum_bitcount(ex)+15) / 16;
	93	return 4 * (mdlen+exlen) + 20;
374330e2	94	}
	95
	96	void rsastr_fmt(char str, struct RSAKey key) {
	97	Bignum md, ex;
d5859615	98	int len = 0, i, nibbles;
d5859615	99	static const char hex[] = "0123456789abcdef";
374330e2	100
	101	md = key->modulus;
	102	ex = key->exponent;
	103
d5859615	104	len += sprintf(str+len, "0x");
	105
	106	nibbles = (3 + ssh1_bignum_bitcount(ex))/4; if (nibbles<1) nibbles=1;
	107	for (i=nibbles; i-- ;)
	108	str[len++] = hex[(bignum_byte(ex, i/2) >> (4*(i%2))) & 0xF];
	109
	110	len += sprintf(str+len, ",0x");
	111
	112	nibbles = (3 + ssh1_bignum_bitcount(md))/4; if (nibbles<1) nibbles=1;
	113	for (i=nibbles; i-- ;)
	114	str[len++] = hex[(bignum_byte(md, i/2) >> (4*(i%2))) & 0xF];
	115
374330e2	116	str[len] = '\0';
	117	}
	118
1c2a93c4	119	/*
	120	* Generate a fingerprint string for the key. Compatible with the
	121	* OpenSSH fingerprint code.
	122	*/
	123	void rsa_fingerprint(char str, int len, struct RSAKey key) {
	124	struct MD5Context md5c;
	125	unsigned char digest[16];
	126	char buffer[16*3+40];
	127	int numlen, slen, i;
	128
	129	MD5Init(&md5c);
	130	numlen = ssh1_bignum_length(key->modulus) - 2;
	131	for (i = numlen; i-- ;) {
	132	unsigned char c = bignum_byte(key->modulus, i);
	133	MD5Update(&md5c, &c, 1);
	134	}
	135	numlen = ssh1_bignum_length(key->exponent) - 2;
	136	for (i = numlen; i-- ;) {
	137	unsigned char c = bignum_byte(key->exponent, i);
	138	MD5Update(&md5c, &c, 1);
	139	}
	140	MD5Final(digest, &md5c);
	141
	142	sprintf(buffer, "%d ", ssh1_bignum_bitcount(key->modulus));
	143	for (i = 0; i < 16; i++)
	144	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	145	strncpy(str, buffer, len); str[len-1] = '\0';
	146	slen = strlen(str);
	147	if (key->comment && slen < len-1) {
	148	str[slen] = ' ';
	149	strncpy(str+slen+1, key->comment, len-slen-1);
	150	str[len-1] = '\0';
	151	}
	152	}
	153
5c58ad2d	154	void freersakey(struct RSAKey *key) {
	155	if (key->modulus) freebn(key->modulus);
	156	if (key->exponent) freebn(key->exponent);
	157	if (key->private_exponent) freebn(key->private_exponent);
dcbde236	158	if (key->comment) sfree(key->comment);
5c58ad2d	159	}
85cc02bb	160
	161	/* ----------------------------------------------------------------------
	162	* Implementation of the ssh-rsa signing key type.
	163	*/
	164
	165	#define GET_32BIT(cp) \
	166	(((unsigned long)(unsigned char)(cp)[0] << 24) \| \
	167	((unsigned long)(unsigned char)(cp)[1] << 16) \| \
	168	((unsigned long)(unsigned char)(cp)[2] << 8) \| \
	169	((unsigned long)(unsigned char)(cp)[3]))
	170
	171	#define PUT_32BIT(cp, value) { \
	172	(cp)[0] = (unsigned char)((value) >> 24); \
	173	(cp)[1] = (unsigned char)((value) >> 16); \
	174	(cp)[2] = (unsigned char)((value) >> 8); \
	175	(cp)[3] = (unsigned char)(value); }
	176
	177	static void getstring(char *data, int datalen, char *p, int length) {
	178	*p = NULL;
	179	if (*datalen < 4)
	180	return;
	181	length = GET_32BIT(data);
	182	datalen -= 4; data += 4;
	183	if (datalen < length)
	184	return;
	185	p = data;
	186	data += length; datalen -= length;
	187	}
	188	static Bignum getmp(char *data, int datalen) {
	189	char *p;
	190	int length;
	191	Bignum b;
	192
	193	getstring(data, datalen, &p, &length);
	194	if (!p)
	195	return NULL;
	196	b = bignum_from_bytes(p, length);
	197	return b;
	198	}
	199
	200	static void rsa2_newkey(char data, int len) {
	201	char *p;
	202	int slen;
	203	struct RSAKey *rsa;
	204
	205	rsa = smalloc(sizeof(struct RSAKey));
	206	if (!rsa) return NULL;
	207	getstring(&data, &len, &p, &slen);
	208
45cebe79	209	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
85cc02bb	210	sfree(rsa);
	211	return NULL;
	212	}
	213	rsa->exponent = getmp(&data, &len);
	214	rsa->modulus = getmp(&data, &len);
	215	rsa->private_exponent = NULL;
	216	rsa->comment = NULL;
	217
	218	return rsa;
	219	}
	220
	221	static void rsa2_freekey(void *key) {
	222	struct RSAKey rsa = (struct RSAKey )key;
	223	freersakey(rsa);
	224	sfree(rsa);
	225	}
	226
	227	static char rsa2_fmtkey(void key) {
	228	struct RSAKey rsa = (struct RSAKey )key;
	229	char *p;
	230	int len;
	231
	232	len = rsastr_len(rsa);
	233	p = smalloc(len);
	234	rsastr_fmt(p, rsa);
	235	return p;
	236	}
	237
65a22376	238	static unsigned char rsa2_public_blob(void key, int *len) {
	239	struct RSAKey rsa = (struct RSAKey )key;
	240	int elen, mlen, bloblen;
	241	int i;
	242	unsigned char blob, p;
	243
	244	elen = (ssh1_bignum_bitcount(rsa->exponent)+8)/8;
	245	mlen = (ssh1_bignum_bitcount(rsa->modulus)+8)/8;
	246
	247	/*
	248	* string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
	249	* (three length fields, 12+7=19).
	250	*/
	251	bloblen = 19+elen+mlen;
	252	blob = smalloc(bloblen);
	253	p = blob;
	254	PUT_32BIT(p, 7); p += 4;
	255	memcpy(p, "ssh-rsa", 7); p += 7;
	256	PUT_32BIT(p, elen); p += 4;
	257	for (i = elen; i-- ;) *p++ = bignum_byte(rsa->exponent, i);
	258	PUT_32BIT(p, mlen); p += 4;
	259	for (i = mlen; i-- ;) *p++ = bignum_byte(rsa->modulus, i);
	260	assert(p == blob + bloblen);
	261	*len = bloblen;
	262	return blob;
	263	}
	264
	265	static unsigned char rsa2_private_blob(void key, int *len) {
	266	struct RSAKey rsa = (struct RSAKey )key;
	267	int dlen, plen, qlen, ulen, bloblen;
	268	int i;
	269	unsigned char blob, p;
	270
	271	dlen = (ssh1_bignum_bitcount(rsa->private_exponent)+8)/8;
	272	plen = (ssh1_bignum_bitcount(rsa->p)+8)/8;
	273	qlen = (ssh1_bignum_bitcount(rsa->q)+8)/8;
	274	ulen = (ssh1_bignum_bitcount(rsa->iqmp)+8)/8;
	275
	276	/*
	277	* mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
	278	* sum of lengths.
	279	*/
	280	bloblen = 16+dlen+plen+qlen+ulen;
	281	blob = smalloc(bloblen);
	282	p = blob;
	283	PUT_32BIT(p, dlen); p += 4;
	284	for (i = dlen; i-- ;) *p++ = bignum_byte(rsa->private_exponent, i);
	285	PUT_32BIT(p, plen); p += 4;
	286	for (i = plen; i-- ;) *p++ = bignum_byte(rsa->p, i);
	287	PUT_32BIT(p, qlen); p += 4;
	288	for (i = qlen; i-- ;) *p++ = bignum_byte(rsa->q, i);
	289	PUT_32BIT(p, ulen); p += 4;
	290	for (i = ulen; i-- ;) *p++ = bignum_byte(rsa->iqmp, i);
	291	assert(p == blob + bloblen);
	292	*len = bloblen;
	293	return blob;
	294	}
	295
	296	static void rsa2_createkey(unsigned char pub_blob, int pub_len,
	297	unsigned char *priv_blob, int priv_len) {
	298	struct RSAKey *rsa;
	299	char pb = (char )priv_blob;
	300
	301	rsa = rsa2_newkey((char *)pub_blob, pub_len);
302	rsa->private_exponent = getmp(&pb, &priv_len);
303	rsa->p = getmp(&pb, &priv_len);
304	rsa->q = getmp(&pb, &priv_len);
305	rsa->iqmp = getmp(&pb, &priv_len);
306
307	return rsa;
308	}
309
45cebe79	310	static void rsa2_openssh_createkey(unsigned char blob, int len) {
	311	char b = (char )blob;
	312	struct RSAKey *rsa;
45cebe79	313
	314	rsa = smalloc(sizeof(struct RSAKey));
	315	if (!rsa) return NULL;
	316	rsa->comment = NULL;
	317
	318	rsa->modulus = getmp(b, len);
	319	rsa->exponent = getmp(b, len);
	320	rsa->private_exponent = getmp(b, len);
	321	rsa->iqmp = getmp(b, len);
	322	rsa->p = getmp(b, len);
	323	rsa->q = getmp(b, len);
	324
	325	if (!rsa->modulus \|\| !rsa->exponent \|\| !rsa->private_exponent \|\|
	326	!rsa->iqmp \|\| !rsa->p \|\| !rsa->q) {
	327	sfree(rsa->modulus);
	328	sfree(rsa->exponent);
	329	sfree(rsa->private_exponent);
	330	sfree(rsa->iqmp);
	331	sfree(rsa->p);
	332	sfree(rsa->q);
	333	sfree(rsa);
	334	return NULL;
	335	}
	336
	337	return rsa;
	338	}
	339
85cc02bb	340	static char rsa2_fingerprint(void key) {
	341	struct RSAKey rsa = (struct RSAKey )key;
	342	struct MD5Context md5c;
	343	unsigned char digest[16], lenbuf[4];
	344	char buffer[16*3+40];
	345	char *ret;
	346	int numlen, i;
	347
	348	MD5Init(&md5c);
	349	MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);
	350
	351	#define ADD_BIGNUM(bignum) \
	352	numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \
	353	PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
	354	for (i = numlen; i-- ;) { \
	355	unsigned char c = bignum_byte(bignum, i); \
	356	MD5Update(&md5c, &c, 1); \
	357	}
	358	ADD_BIGNUM(rsa->exponent);
	359	ADD_BIGNUM(rsa->modulus);
	360	#undef ADD_BIGNUM
	361
	362	MD5Final(digest, &md5c);
	363
5d03233b	364	sprintf(buffer, "ssh-rsa %d ", ssh1_bignum_bitcount(rsa->modulus));
85cc02bb	365	for (i = 0; i < 16; i++)
	366	sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
	367	ret = smalloc(strlen(buffer)+1);
	368	if (ret)
	369	strcpy(ret, buffer);
	370	return ret;
	371	}
	372
	373	/*
	374	* This is the magic ASN.1/DER prefix that goes in the decoded
	375	* signature, between the string of FFs and the actual SHA hash
96a73db9	376	* value. The meaning of it is:
85cc02bb	377	*
	378	* 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
	379	*
	380	* 30 21 -- a constructed SEQUENCE of length 0x21
	381	* 30 09 -- a constructed sub-SEQUENCE of length 9
	382	* 06 05 -- an object identifier, length 5
96a73db9	383	* 2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
96a73db9	384	* (the 1,3 comes from 0x2B = 43 = 40*1+3)
85cc02bb	385	* 05 00 -- NULL
	386	* 04 14 -- a primitive OCTET STRING of length 0x14
	387	* [0x14 bytes of hash data follows]
96a73db9	388	*
	389	* The object id in the middle there is listed as `id-sha1' in
	390	* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
	391	* ASN module for PKCS #1) and its expanded form is as follows:
	392	*
	393	* id-sha1 OBJECT IDENTIFIER ::= {
	394	* iso(1) identified-organization(3) oiw(14) secsig(3)
	395	* algorithms(2) 26 }
85cc02bb	396	*/
	397	static unsigned char asn1_weird_stuff[] = {
	398	0x00,0x30,0x21,0x30,0x09,0x06,0x05,0x2B,
	399	0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14,
	400	};
	401
d8770b12	402	#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )
d8770b12	403
85cc02bb	404	static int rsa2_verifysig(void key, char sig, int siglen,
	405	char *data, int datalen) {
	406	struct RSAKey rsa = (struct RSAKey )key;
	407	Bignum in, out;
	408	char *p;
	409	int slen;
	410	int bytes, i, j, ret;
	411	unsigned char hash[20];
	412
	413	getstring(&sig, &siglen, &p, &slen);
	414	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
	415	return 0;
	416	}
	417	in = getmp(&sig, &siglen);
	418	out = modpow(in, rsa->exponent, rsa->modulus);
	419	freebn(in);
	420
	421	ret = 1;
	422
	423	bytes = ssh1_bignum_bitcount(rsa->modulus) / 8;
	424	/* Top (partial) byte should be zero. */
	425	if (bignum_byte(out, bytes-1) != 0)
	426	ret = 0;
	427	/* First whole byte should be 1. */
	428	if (bignum_byte(out, bytes-2) != 1)
	429	ret = 0;
	430	/* Most of the rest should be FF. */
d8770b12	431	for (i = bytes-3; i >= 20 + ASN1_LEN; i--) {
85cc02bb	432	if (bignum_byte(out, i) != 0xFF)
	433	ret = 0;
	434	}
	435	/* Then we expect to see the asn1_weird_stuff. */
d8770b12	436	for (i = 20 + ASN1_LEN - 1, j=0; i >= 20; i--,j++) {
85cc02bb	437	if (bignum_byte(out, i) != asn1_weird_stuff[j])
	438	ret = 0;
	439	}
	440	/* Finally, we expect to see the SHA-1 hash of the signed data. */
	441	SHA_Simple(data, datalen, hash);
	442	for (i = 19, j=0; i >= 0; i--,j++) {
	443	if (bignum_byte(out, i) != hash[j])
	444	ret = 0;
	445	}
	446
	447	return ret;
	448	}
	449
65a22376	450	unsigned char rsa2_sign(void key, char data, int datalen, int siglen) {
	451	struct RSAKey rsa = (struct RSAKey )key;
	452	unsigned char *bytes;
	453	int nbytes;
	454	unsigned char hash[20];
	455	Bignum in, out;
	456	int i, j;
	457
	458	SHA_Simple(data, datalen, hash);
	459
	460	nbytes = (ssh1_bignum_bitcount(rsa->modulus)-1) / 8;
	461	bytes = smalloc(nbytes);
	462
	463	bytes[0] = 1;
d8770b12	464	for (i = 1; i < nbytes-20-ASN1_LEN; i++)
65a22376	465	bytes[i] = 0xFF;
d8770b12	466	for (i = nbytes-20-ASN1_LEN, j=0; i < nbytes-20; i++,j++)
65a22376	467	bytes[i] = asn1_weird_stuff[j];
	468	for (i = nbytes-20, j=0; i < nbytes; i++,j++)
	469	bytes[i] = hash[j];
	470
	471	in = bignum_from_bytes(bytes, nbytes);
	472	sfree(bytes);
	473
	474	out = modpow(in, rsa->private_exponent, rsa->modulus);
	475	freebn(in);
	476
	477	nbytes = (ssh1_bignum_bitcount(out)+7)/8;
	478	bytes = smalloc(4+7+4+nbytes);
	479	PUT_32BIT(bytes, 7);
	480	memcpy(bytes+4, "ssh-rsa", 7);
	481	PUT_32BIT(bytes+4+7, nbytes);
	482	for (i = 0; i < nbytes; i++)
	483	bytes[4+7+4+i] = bignum_byte(out, nbytes-1-i);
	484	freebn(out);
	485
	486	*siglen = 4+7+4+nbytes;
	487	return bytes;
85cc02bb	488	}
85cc02bb	489
65a22376	490	const struct ssh_signkey ssh_rsa = {
85cc02bb	491	rsa2_newkey,
	492	rsa2_freekey,
	493	rsa2_fmtkey,
65a22376	494	rsa2_public_blob,
	495	rsa2_private_blob,
	496	rsa2_createkey,
45cebe79	497	rsa2_openssh_createkey,
85cc02bb	498	rsa2_fingerprint,
	499	rsa2_verifysig,
	500	rsa2_sign,
	501	"ssh-rsa",
	502	"rsa2"
	503	};