git.distorted.org.uk Git - u/mdw/putty/blob - sshdss.c

   1 #include <stdio.h>
   2 #include <stdlib.h>
   3
   4 #include "ssh.h"
   5
   6 #define GET_32BIT(cp) \
   7     (((unsigned long)(unsigned char)(cp)[0] << 24) | \
   8     ((unsigned long)(unsigned char)(cp)[1] << 16) | \
   9     ((unsigned long)(unsigned char)(cp)[2] << 8) | \
  10     ((unsigned long)(unsigned char)(cp)[3]))
  11
  12 #define PUT_32BIT(cp, value) { \
  13     (cp)[0] = (unsigned char)((value) >> 24); \
  14     (cp)[1] = (unsigned char)((value) >> 16); \
  15     (cp)[2] = (unsigned char)((value) >> 8); \
  16     (cp)[3] = (unsigned char)(value); }
  17
  18 static void getstring(char **data, int *datalen, char **p, int *length) {
  19     *p = NULL;
  20     if (*datalen < 4)
  21         return;
  22     *length = GET_32BIT(*data);
  23     *datalen -= 4; *data += 4;
  24     if (*datalen < *length)
  25         return;
  26     *p = *data;
  27     *data += *length; *datalen -= *length;
  28 }
  29 static Bignum getmp(char **data, int *datalen) {
  30     char *p;
  31     int i, j, length;
  32     Bignum b;
  33
  34     getstring(data, datalen, &p, &length);
  35     if (!p)
  36         return NULL;
  37     if (p[0] & 0x80)
  38         return NULL;                   /* negative mp */
  39     b = newbn((length+1)/2);
  40     for (i = 0; i < length; i++) {
  41         j = length - 1 - i;
  42         if (j & 1)
  43             b[j/2+1] |= ((unsigned char)p[i]) << 8;
  44         else
  45             b[j/2+1] |= ((unsigned char)p[i]);
  46     }
  47     return b;
  48 }
  49
  50 static Bignum get160(char **data, int *datalen) {
  51     char *p;
  52     int i, j, length;
  53     Bignum b;
  54
  55     p = *data;
  56     *data += 20; *datalen -= 20;
  57
  58     length = 20;
  59     while (length > 0 && !p[0])
  60         p++, length--;
  61     b = newbn((length+1)/2);
  62     for (i = 0; i < length; i++) {
  63         j = length - 1 - i;
  64         if (j & 1)
  65             b[j/2+1] |= ((unsigned char)p[i]) << 8;
  66         else
  67             b[j/2+1] |= ((unsigned char)p[i]);
  68     }
  69     return b;
  70 }
  71
  72 static Bignum dss_p, dss_q, dss_g, dss_y;
  73
  74 static void dss_setkey(char *data, int len) {
  75     char *p;
  76     int slen;
  77     getstring(&data, &len, &p, &slen);
  78     if (!p || memcmp(p, "ssh-dss", 7)) {
  79         dss_p = NULL;
  80         return;
  81     }
  82     dss_p = getmp(&data, &len);
  83     dss_q = getmp(&data, &len);
  84     dss_g = getmp(&data, &len);
  85     dss_y = getmp(&data, &len);
  86 }
  87
  88 static char *dss_fmtkey(void) {
  89     char *p;
  90     int len, i, pos, nibbles;
  91     static const char hex[] = "0123456789abcdef";
  92     if (!dss_p)
  93         return NULL;
  94     len = 8 + 4 + 1;                   /* 4 x "0x", punctuation, \0 */
  95     len += 4 * (dss_p[0] + dss_q[0] + dss_g[0] + dss_y[0]);   /* digits */
  96     p = malloc(len);
  97     if (!p) return NULL;
  98
  99     pos = 0;
 100     pos += sprintf(p+pos, "0x");
 101     nibbles = (3 + ssh1_bignum_bitcount(dss_p))/4; if (nibbles<1) nibbles=1;
 102     for (i=nibbles; i-- ;)
 103         p[pos++] = hex[(bignum_byte(dss_p, i/2) >> (4*(i%2))) & 0xF];
 104     pos += sprintf(p+pos, ",0x");
 105     nibbles = (3 + ssh1_bignum_bitcount(dss_q))/4; if (nibbles<1) nibbles=1;
 106     for (i=nibbles; i-- ;)
 107         p[pos++] = hex[(bignum_byte(dss_q, i/2) >> (4*(i%2))) & 0xF];
 108     pos += sprintf(p+pos, ",0x");
 109     nibbles = (3 + ssh1_bignum_bitcount(dss_g))/4; if (nibbles<1) nibbles=1;
 110     for (i=nibbles; i-- ;)
 111         p[pos++] = hex[(bignum_byte(dss_g, i/2) >> (4*(i%2))) & 0xF];
 112     pos += sprintf(p+pos, ",0x");
 113     nibbles = (3 + ssh1_bignum_bitcount(dss_y))/4; if (nibbles<1) nibbles=1;
 114     for (i=nibbles; i-- ;)
 115         p[pos++] = hex[(bignum_byte(dss_y, i/2) >> (4*(i%2))) & 0xF];
 116     p[pos] = '\0';
 117     return p;
 118 }
 119
 120 static char *dss_fingerprint(void) {
 121     struct MD5Context md5c;
 122     unsigned char digest[16], lenbuf[4];
 123     char buffer[16*3+40];
 124     char *ret;
 125     int numlen, i;
 126
 127     MD5Init(&md5c);
 128     MD5Update(&md5c, "\0\0\0\7ssh-dss", 11);
 129
 130 #define ADD_BIGNUM(bignum) \
 131     numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \
 132     PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
 133     for (i = numlen; i-- ;) { \
 134         unsigned char c = bignum_byte(bignum, i); \
 135         MD5Update(&md5c, &c, 1); \
 136     }
 137     ADD_BIGNUM(dss_p);
 138     ADD_BIGNUM(dss_q);
 139     ADD_BIGNUM(dss_g);
 140     ADD_BIGNUM(dss_y);
 141 #undef ADD_BIGNUM
 142
 143     MD5Final(digest, &md5c);
 144
 145     sprintf(buffer, "%d ", ssh1_bignum_bitcount(dss_p));
 146     for (i = 0; i < 16; i++)
 147         sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]);
 148     ret = malloc(strlen(buffer)+1);
 149     if (ret)
 150         strcpy(ret, buffer);
 151     return ret;
 152 }
 153
 154 static int dss_verifysig(char *sig, int siglen, char *data, int datalen) {
 155     char *p;
 156     int i, slen;
 157     char hash[20];
 158     Bignum qm2, r, s, w, i1, i2, i3, u1, u2, sha, v;
 159     int ret;
 160
 161     if (!dss_p)
 162         return 0;
 163
 164     getstring(&sig, &siglen, &p, &slen);
 165     if (!p || memcmp(p, "ssh-dss", 7)) {
 166         return 0;
 167     }
 168     sig += 4, siglen -= 4;             /* skip yet another length field */
 169     r = get160(&sig, &siglen);
 170     s = get160(&sig, &siglen);
 171     if (!r || !s)
 172         return 0;
 173
 174     /*
 175      * Step 1. w <- s^-1 mod q.
 176      */
 177     w = newbn(dss_q[0]);
 178     qm2 = copybn(dss_q);
 179     decbn(qm2); decbn(qm2);
 180     /* Now qm2 is q-2, and by Fermat's Little Theorem, s^qm2 == s^-1 (mod q).
 181      * This is a silly way to do it; may fix it later. */
 182     modpow(s, qm2, dss_q, w);
 183
 184     /*
 185      * Step 2. u1 <- SHA(message) * w mod q.
 186      */
 187     u1 = newbn(dss_q[0]);
 188     SHA_Simple(data, datalen, hash);
 189     p = hash; slen = 20; sha = get160(&p, &slen);
 190     modmul(sha, w, dss_q, u1);
 191
 192     /*
 193      * Step 3. u2 <- r * w mod q.
 194      */
 195     u2 = newbn(dss_q[0]);
 196     modmul(r, w, dss_q, u2);
 197
 198     /*
 199      * Step 4. v <- (g^u1 * y^u2 mod p) mod q.
 200      */
 201     i1 = newbn(dss_p[0]);
 202     i2 = newbn(dss_p[0]);
 203     i3 = newbn(dss_p[0]);
 204     v = newbn(dss_q[0]);
 205     modpow(dss_g, u1, dss_p, i1);
 206     modpow(dss_y, u2, dss_p, i2);
 207     modmul(i1, i2, dss_p, i3);
 208     modmul(i3, One, dss_q, v);
 209
 210     /*
 211      * Step 5. v should now be equal to r.
 212      */
 213
 214     ret = 1;
 215     for (i = 1; i <= v[0] || i <= r[0]; i++) {
 216         if ((i > v[0] && r[i] != 0) ||
 217             (i > r[0] && v[i] != 0) ||
 218             (i <= v[0] && i <= r[0] && r[i] != v[i]))
 219             ret = 0;
 220     }
 221
 222     freebn(w);
 223     freebn(qm2);
 224     freebn(sha);
 225     freebn(i1);
 226     freebn(i2);
 227     freebn(i3);
 228     freebn(v);
 229     freebn(r);
 230     freebn(s);
 231
 232     return ret;
 233 }
 234
 235 struct ssh_hostkey ssh_dss = {
 236     dss_setkey,
 237     dss_fmtkey,
 238     dss_fingerprint,
 239     dss_verifysig,
 240     "ssh-dss",
 241     "dss"
 242 };