git.distorted.org.uk Git - u/mdw/putty/blob - sshdss.c

   1 /*
   2  * Digital Signature Standard implementation for PuTTY.
   3  */
   4
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <assert.h>
   8
   9 #include "ssh.h"
  10 #include "misc.h"
  11
  12 static void sha_mpint(SHA_State * s, Bignum b)
  13 {
  14     unsigned char lenbuf[4];
  15     int len;
  16     len = (bignum_bitcount(b) + 8) / 8;
  17     PUT_32BIT(lenbuf, len);
  18     SHA_Bytes(s, lenbuf, 4);
  19     while (len-- > 0) {
  20         lenbuf[0] = bignum_byte(b, len);
  21         SHA_Bytes(s, lenbuf, 1);
  22     }
  23     smemclr(lenbuf, sizeof(lenbuf));
  24 }
  25
  26 static void sha512_mpint(SHA512_State * s, Bignum b)
  27 {
  28     unsigned char lenbuf[4];
  29     int len;
  30     len = (bignum_bitcount(b) + 8) / 8;
  31     PUT_32BIT(lenbuf, len);
  32     SHA512_Bytes(s, lenbuf, 4);
  33     while (len-- > 0) {
  34         lenbuf[0] = bignum_byte(b, len);
  35         SHA512_Bytes(s, lenbuf, 1);
  36     }
  37     smemclr(lenbuf, sizeof(lenbuf));
  38 }
  39
  40 static void getstring(char **data, int *datalen, char **p, int *length)
  41 {
  42     *p = NULL;
  43     if (*datalen < 4)
  44         return;
  45     *length = GET_32BIT(*data);
  46     if (*length < 0)
  47         return;
  48     *datalen -= 4;
  49     *data += 4;
  50     if (*datalen < *length)
  51         return;
  52     *p = *data;
  53     *data += *length;
  54     *datalen -= *length;
  55 }
  56 static Bignum getmp(char **data, int *datalen)
  57 {
  58     char *p;
  59     int length;
  60     Bignum b;
  61
  62     getstring(data, datalen, &p, &length);
  63     if (!p)
  64         return NULL;
  65     if (p[0] & 0x80)
  66         return NULL;                   /* negative mp */
  67     b = bignum_from_bytes((unsigned char *)p, length);
  68     return b;
  69 }
  70
  71 static Bignum get160(char **data, int *datalen)
  72 {
  73     Bignum b;
  74
  75     b = bignum_from_bytes((unsigned char *)*data, 20);
  76     *data += 20;
  77     *datalen -= 20;
  78
  79     return b;
  80 }
  81
  82 static void *dss_newkey(char *data, int len)
  83 {
  84     char *p;
  85     int slen;
  86     struct dss_key *dss;
  87
  88     dss = snew(struct dss_key);
  89     if (!dss)
  90         return NULL;
  91     getstring(&data, &len, &p, &slen);
  92
  93 #ifdef DEBUG_DSS
  94     {
  95         int i;
  96         printf("key:");
  97         for (i = 0; i < len; i++)
  98             printf("  %02x", (unsigned char) (data[i]));
  99         printf("\n");
 100     }
 101 #endif
 102
 103     if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 104         sfree(dss);
 105         return NULL;
 106     }
 107     dss->p = getmp(&data, &len);
 108     dss->q = getmp(&data, &len);
 109     dss->g = getmp(&data, &len);
 110     dss->y = getmp(&data, &len);
 111
 112     return dss;
 113 }
 114
 115 static void dss_freekey(void *key)
 116 {
 117     struct dss_key *dss = (struct dss_key *) key;
 118     freebn(dss->p);
 119     freebn(dss->q);
 120     freebn(dss->g);
 121     freebn(dss->y);
 122     sfree(dss);
 123 }
 124
 125 static char *dss_fmtkey(void *key)
 126 {
 127     struct dss_key *dss = (struct dss_key *) key;
 128     char *p;
 129     int len, i, pos, nibbles;
 130     static const char hex[] = "0123456789abcdef";
 131     if (!dss->p)
 132         return NULL;
 133     len = 8 + 4 + 1;                   /* 4 x "0x", punctuation, \0 */
 134     len += 4 * (bignum_bitcount(dss->p) + 15) / 16;
 135     len += 4 * (bignum_bitcount(dss->q) + 15) / 16;
 136     len += 4 * (bignum_bitcount(dss->g) + 15) / 16;
 137     len += 4 * (bignum_bitcount(dss->y) + 15) / 16;
 138     p = snewn(len, char);
 139     if (!p)
 140         return NULL;
 141
 142     pos = 0;
 143     pos += sprintf(p + pos, "0x");
 144     nibbles = (3 + bignum_bitcount(dss->p)) / 4;
 145     if (nibbles < 1)
 146         nibbles = 1;
 147     for (i = nibbles; i--;)
 148         p[pos++] =
 149             hex[(bignum_byte(dss->p, i / 2) >> (4 * (i % 2))) & 0xF];
 150     pos += sprintf(p + pos, ",0x");
 151     nibbles = (3 + bignum_bitcount(dss->q)) / 4;
 152     if (nibbles < 1)
 153         nibbles = 1;
 154     for (i = nibbles; i--;)
 155         p[pos++] =
 156             hex[(bignum_byte(dss->q, i / 2) >> (4 * (i % 2))) & 0xF];
 157     pos += sprintf(p + pos, ",0x");
 158     nibbles = (3 + bignum_bitcount(dss->g)) / 4;
 159     if (nibbles < 1)
 160         nibbles = 1;
 161     for (i = nibbles; i--;)
 162         p[pos++] =
 163             hex[(bignum_byte(dss->g, i / 2) >> (4 * (i % 2))) & 0xF];
 164     pos += sprintf(p + pos, ",0x");
 165     nibbles = (3 + bignum_bitcount(dss->y)) / 4;
 166     if (nibbles < 1)
 167         nibbles = 1;
 168     for (i = nibbles; i--;)
 169         p[pos++] =
 170             hex[(bignum_byte(dss->y, i / 2) >> (4 * (i % 2))) & 0xF];
 171     p[pos] = '\0';
 172     return p;
 173 }
 174
 175 static char *dss_fingerprint(void *key)
 176 {
 177     struct dss_key *dss = (struct dss_key *) key;
 178     struct MD5Context md5c;
 179     unsigned char digest[16], lenbuf[4];
 180     char buffer[16 * 3 + 40];
 181     char *ret;
 182     int numlen, i;
 183
 184     MD5Init(&md5c);
 185     MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11);
 186
 187 #define ADD_BIGNUM(bignum) \
 188     numlen = (bignum_bitcount(bignum)+8)/8; \
 189     PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
 190     for (i = numlen; i-- ;) { \
 191         unsigned char c = bignum_byte(bignum, i); \
 192         MD5Update(&md5c, &c, 1); \
 193     }
 194     ADD_BIGNUM(dss->p);
 195     ADD_BIGNUM(dss->q);
 196     ADD_BIGNUM(dss->g);
 197     ADD_BIGNUM(dss->y);
 198 #undef ADD_BIGNUM
 199
 200     MD5Final(digest, &md5c);
 201
 202     sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p));
 203     for (i = 0; i < 16; i++)
 204         sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
 205                 digest[i]);
 206     ret = snewn(strlen(buffer) + 1, char);
 207     if (ret)
 208         strcpy(ret, buffer);
 209     return ret;
 210 }
 211
 212 static int dss_verifysig(void *key, char *sig, int siglen,
 213                          char *data, int datalen)
 214 {
 215     struct dss_key *dss = (struct dss_key *) key;
 216     char *p;
 217     int slen;
 218     char hash[20];
 219     Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v;
 220     int ret;
 221
 222     if (!dss->p)
 223         return 0;
 224
 225 #ifdef DEBUG_DSS
 226     {
 227         int i;
 228         printf("sig:");
 229         for (i = 0; i < siglen; i++)
 230             printf("  %02x", (unsigned char) (sig[i]));
 231         printf("\n");
 232     }
 233 #endif
 234     /*
 235      * Commercial SSH (2.0.13) and OpenSSH disagree over the format
 236      * of a DSA signature. OpenSSH is in line with RFC 4253:
 237      * it uses a string "ssh-dss", followed by a 40-byte string
 238      * containing two 160-bit integers end-to-end. Commercial SSH
 239      * can't be bothered with the header bit, and considers a DSA
 240      * signature blob to be _just_ the 40-byte string containing
 241      * the two 160-bit integers. We tell them apart by measuring
 242      * the length: length 40 means the commercial-SSH bug, anything
 243      * else is assumed to be RFC-compliant.
 244      */
 245     if (siglen != 40) {                /* bug not present; read admin fields */
 246         getstring(&sig, &siglen, &p, &slen);
 247         if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 248             return 0;
 249         }
 250         sig += 4, siglen -= 4;         /* skip yet another length field */
 251     }
 252     r = get160(&sig, &siglen);
 253     s = get160(&sig, &siglen);
 254     if (!r || !s)
 255         return 0;
 256
 257     /*
 258      * Step 1. w <- s^-1 mod q.
 259      */
 260     w = modinv(s, dss->q);
 261
 262     /*
 263      * Step 2. u1 <- SHA(message) * w mod q.
 264      */
 265     SHA_Simple(data, datalen, (unsigned char *)hash);
 266     p = hash;
 267     slen = 20;
 268     sha = get160(&p, &slen);
 269     u1 = modmul(sha, w, dss->q);
 270
 271     /*
 272      * Step 3. u2 <- r * w mod q.
 273      */
 274     u2 = modmul(r, w, dss->q);
 275
 276     /*
 277      * Step 4. v <- (g^u1 * y^u2 mod p) mod q.
 278      */
 279     gu1p = modpow(dss->g, u1, dss->p);
 280     yu2p = modpow(dss->y, u2, dss->p);
 281     gu1yu2p = modmul(gu1p, yu2p, dss->p);
 282     v = modmul(gu1yu2p, One, dss->q);
 283
 284     /*
 285      * Step 5. v should now be equal to r.
 286      */
 287
 288     ret = !bignum_cmp(v, r);
 289
 290     freebn(w);
 291     freebn(sha);
 292     freebn(gu1p);
 293     freebn(yu2p);
 294     freebn(gu1yu2p);
 295     freebn(v);
 296     freebn(r);
 297     freebn(s);
 298
 299     return ret;
 300 }
 301
 302 static unsigned char *dss_public_blob(void *key, int *len)
 303 {
 304     struct dss_key *dss = (struct dss_key *) key;
 305     int plen, qlen, glen, ylen, bloblen;
 306     int i;
 307     unsigned char *blob, *p;
 308
 309     plen = (bignum_bitcount(dss->p) + 8) / 8;
 310     qlen = (bignum_bitcount(dss->q) + 8) / 8;
 311     glen = (bignum_bitcount(dss->g) + 8) / 8;
 312     ylen = (bignum_bitcount(dss->y) + 8) / 8;
 313
 314     /*
 315      * string "ssh-dss", mpint p, mpint q, mpint g, mpint y. Total
 316      * 27 + sum of lengths. (five length fields, 20+7=27).
 317      */
 318     bloblen = 27 + plen + qlen + glen + ylen;
 319     blob = snewn(bloblen, unsigned char);
 320     p = blob;
 321     PUT_32BIT(p, 7);
 322     p += 4;
 323     memcpy(p, "ssh-dss", 7);
 324     p += 7;
 325     PUT_32BIT(p, plen);
 326     p += 4;
 327     for (i = plen; i--;)
 328         *p++ = bignum_byte(dss->p, i);
 329     PUT_32BIT(p, qlen);
 330     p += 4;
 331     for (i = qlen; i--;)
 332         *p++ = bignum_byte(dss->q, i);
 333     PUT_32BIT(p, glen);
 334     p += 4;
 335     for (i = glen; i--;)
 336         *p++ = bignum_byte(dss->g, i);
 337     PUT_32BIT(p, ylen);
 338     p += 4;
 339     for (i = ylen; i--;)
 340         *p++ = bignum_byte(dss->y, i);
 341     assert(p == blob + bloblen);
 342     *len = bloblen;
 343     return blob;
 344 }
 345
 346 static unsigned char *dss_private_blob(void *key, int *len)
 347 {
 348     struct dss_key *dss = (struct dss_key *) key;
 349     int xlen, bloblen;
 350     int i;
 351     unsigned char *blob, *p;
 352
 353     xlen = (bignum_bitcount(dss->x) + 8) / 8;
 354
 355     /*
 356      * mpint x, string[20] the SHA of p||q||g. Total 4 + xlen.
 357      */
 358     bloblen = 4 + xlen;
 359     blob = snewn(bloblen, unsigned char);
 360     p = blob;
 361     PUT_32BIT(p, xlen);
 362     p += 4;
 363     for (i = xlen; i--;)
 364         *p++ = bignum_byte(dss->x, i);
 365     assert(p == blob + bloblen);
 366     *len = bloblen;
 367     return blob;
 368 }
 369
 370 static void *dss_createkey(unsigned char *pub_blob, int pub_len,
 371                            unsigned char *priv_blob, int priv_len)
 372 {
 373     struct dss_key *dss;
 374     char *pb = (char *) priv_blob;
 375     char *hash;
 376     int hashlen;
 377     SHA_State s;
 378     unsigned char digest[20];
 379     Bignum ytest;
 380
 381     dss = dss_newkey((char *) pub_blob, pub_len);
 382     dss->x = getmp(&pb, &priv_len);
 383
 384     /*
 385      * Check the obsolete hash in the old DSS key format.
 386      */
 387     hashlen = -1;
 388     getstring(&pb, &priv_len, &hash, &hashlen);
 389     if (hashlen == 20) {
 390         SHA_Init(&s);
 391         sha_mpint(&s, dss->p);
 392         sha_mpint(&s, dss->q);
 393         sha_mpint(&s, dss->g);
 394         SHA_Final(&s, digest);
 395         if (0 != memcmp(hash, digest, 20)) {
 396             dss_freekey(dss);
 397             return NULL;
 398         }
 399     }
 400
 401     /*
 402      * Now ensure g^x mod p really is y.
 403      */
 404     ytest = modpow(dss->g, dss->x, dss->p);
 405     if (0 != bignum_cmp(ytest, dss->y)) {
 406         dss_freekey(dss);
 407         return NULL;
 408     }
 409     freebn(ytest);
 410
 411     return dss;
 412 }
 413
 414 static void *dss_openssh_createkey(unsigned char **blob, int *len)
 415 {
 416     char **b = (char **) blob;
 417     struct dss_key *dss;
 418
 419     dss = snew(struct dss_key);
 420     if (!dss)
 421         return NULL;
 422
 423     dss->p = getmp(b, len);
 424     dss->q = getmp(b, len);
 425     dss->g = getmp(b, len);
 426     dss->y = getmp(b, len);
 427     dss->x = getmp(b, len);
 428
 429     if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) {
 430         sfree(dss->p);
 431         sfree(dss->q);
 432         sfree(dss->g);
 433         sfree(dss->y);
 434         sfree(dss->x);
 435         sfree(dss);
 436         return NULL;
 437     }
 438
 439     return dss;
 440 }
 441
 442 static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len)
 443 {
 444     struct dss_key *dss = (struct dss_key *) key;
 445     int bloblen, i;
 446
 447     bloblen =
 448         ssh2_bignum_length(dss->p) +
 449         ssh2_bignum_length(dss->q) +
 450         ssh2_bignum_length(dss->g) +
 451         ssh2_bignum_length(dss->y) +
 452         ssh2_bignum_length(dss->x);
 453
 454     if (bloblen > len)
 455         return bloblen;
 456
 457     bloblen = 0;
 458 #define ENC(x) \
 459     PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
 460     for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
 461     ENC(dss->p);
 462     ENC(dss->q);
 463     ENC(dss->g);
 464     ENC(dss->y);
 465     ENC(dss->x);
 466
 467     return bloblen;
 468 }
 469
 470 static int dss_pubkey_bits(void *blob, int len)
 471 {
 472     struct dss_key *dss;
 473     int ret;
 474
 475     dss = dss_newkey((char *) blob, len);
 476     ret = bignum_bitcount(dss->p);
 477     dss_freekey(dss);
 478
 479     return ret;
 480 }
 481
 482 static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
 483 {
 484     /*
 485      * The basic DSS signing algorithm is:
 486      *
 487      *  - invent a random k between 1 and q-1 (exclusive).
 488      *  - Compute r = (g^k mod p) mod q.
 489      *  - Compute s = k^-1 * (hash + x*r) mod q.
 490      *
 491      * This has the dangerous properties that:
 492      *
 493      *  - if an attacker in possession of the public key _and_ the
 494      *    signature (for example, the host you just authenticated
 495      *    to) can guess your k, he can reverse the computation of s
 496      *    and work out x = r^-1 * (s*k - hash) mod q. That is, he
 497      *    can deduce the private half of your key, and masquerade
 498      *    as you for as long as the key is still valid.
 499      *
 500      *  - since r is a function purely of k and the public key, if
 501      *    the attacker only has a _range of possibilities_ for k
 502      *    it's easy for him to work through them all and check each
 503      *    one against r; he'll never be unsure of whether he's got
 504      *    the right one.
 505      *
 506      *  - if you ever sign two different hashes with the same k, it
 507      *    will be immediately obvious because the two signatures
 508      *    will have the same r, and moreover an attacker in
 509      *    possession of both signatures (and the public key of
 510      *    course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
 511      *    and from there deduce x as before.
 512      *
 513      *  - the Bleichenbacher attack on DSA makes use of methods of
 514      *    generating k which are significantly non-uniformly
 515      *    distributed; in particular, generating a 160-bit random
 516      *    number and reducing it mod q is right out.
 517      *
 518      * For this reason we must be pretty careful about how we
 519      * generate our k. Since this code runs on Windows, with no
 520      * particularly good system entropy sources, we can't trust our
 521      * RNG itself to produce properly unpredictable data. Hence, we
 522      * use a totally different scheme instead.
 523      *
 524      * What we do is to take a SHA-512 (_big_) hash of the private
 525      * key x, and then feed this into another SHA-512 hash that
 526      * also includes the message hash being signed. That is:
 527      *
 528      *   proto_k = SHA512 ( SHA512(x) || SHA160(message) )
 529      *
 530      * This number is 512 bits long, so reducing it mod q won't be
 531      * noticeably non-uniform. So
 532      *
 533      *   k = proto_k mod q
 534      *
 535      * This has the interesting property that it's _deterministic_:
 536      * signing the same hash twice with the same key yields the
 537      * same signature.
 538      *
 539      * Despite this determinism, it's still not predictable to an
 540      * attacker, because in order to repeat the SHA-512
 541      * construction that created it, the attacker would have to
 542      * know the private key value x - and by assumption he doesn't,
 543      * because if he knew that he wouldn't be attacking k!
 544      *
 545      * (This trick doesn't, _per se_, protect against reuse of k.
 546      * Reuse of k is left to chance; all it does is prevent
 547      * _excessively high_ chances of reuse of k due to entropy
 548      * problems.)
 549      *
 550      * Thanks to Colin Plumb for the general idea of using x to
 551      * ensure k is hard to guess, and to the Cambridge University
 552      * Computer Security Group for helping to argue out all the
 553      * fine details.
 554      */
 555     struct dss_key *dss = (struct dss_key *) key;
 556     SHA512_State ss;
 557     unsigned char digest[20], digest512[64];
 558     Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
 559     unsigned char *bytes;
 560     int nbytes, i;
 561
 562     SHA_Simple(data, datalen, digest);
 563
 564     /*
 565      * Hash some identifying text plus x.
 566      */
 567     SHA512_Init(&ss);
 568     SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
 569     sha512_mpint(&ss, dss->x);
 570     SHA512_Final(&ss, digest512);
 571
 572     /*
 573      * Now hash that digest plus the message hash.
 574      */
 575     SHA512_Init(&ss);
 576     SHA512_Bytes(&ss, digest512, sizeof(digest512));
 577     SHA512_Bytes(&ss, digest, sizeof(digest));
 578     SHA512_Final(&ss, digest512);
 579
 580     smemclr(&ss, sizeof(ss));
 581
 582     /*
 583      * Now convert the result into a bignum, and reduce it mod q.
 584      */
 585     proto_k = bignum_from_bytes(digest512, 64);
 586     k = bigmod(proto_k, dss->q);
 587     freebn(proto_k);
 588
 589     smemclr(digest512, sizeof(digest512));
 590
 591     /*
 592      * Now we have k, so just go ahead and compute the signature.
 593      */
 594     gkp = modpow(dss->g, k, dss->p);   /* g^k mod p */
 595     r = bigmod(gkp, dss->q);           /* r = (g^k mod p) mod q */
 596     freebn(gkp);
 597
 598     hash = bignum_from_bytes(digest, 20);
 599     kinv = modinv(k, dss->q);          /* k^-1 mod q */
 600     hxr = bigmuladd(dss->x, r, hash);  /* hash + x*r */
 601     s = modmul(kinv, hxr, dss->q);     /* s = k^-1 * (hash + x*r) mod q */
 602     freebn(hxr);
 603     freebn(kinv);
 604     freebn(hash);
 605
 606     /*
 607      * Signature blob is
 608      *
 609      *   string  "ssh-dss"
 610      *   string  two 20-byte numbers r and s, end to end
 611      *
 612      * i.e. 4+7 + 4+40 bytes.
 613      */
 614     nbytes = 4 + 7 + 4 + 40;
 615     bytes = snewn(nbytes, unsigned char);
 616     PUT_32BIT(bytes, 7);
 617     memcpy(bytes + 4, "ssh-dss", 7);
 618     PUT_32BIT(bytes + 4 + 7, 40);
 619     for (i = 0; i < 20; i++) {
 620         bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i);
 621         bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i);
 622     }
 623     freebn(r);
 624     freebn(s);
 625
 626     *siglen = nbytes;
 627     return bytes;
 628 }
 629
 630 const struct ssh_signkey ssh_dss = {
 631     dss_newkey,
 632     dss_freekey,
 633     dss_fmtkey,
 634     dss_public_blob,
 635     dss_private_blob,
 636     dss_createkey,
 637     dss_openssh_createkey,
 638     dss_openssh_fmtkey,
 639     dss_pubkey_bits,
 640     dss_fingerprint,
 641     dss_verifysig,
 642     dss_sign,
 643     "ssh-dss",
 644     "dss"
 645 };