git.distorted.org.uk Git - u/mdw/putty/blob - sshdss.c

   1 /*
   2  * Digital Signature Standard implementation for PuTTY.
   3  */
   4
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <assert.h>
   8
   9 #include "ssh.h"
  10 #include "misc.h"
  11
  12 static void sha_mpint(SHA_State * s, Bignum b)
  13 {
  14     unsigned char lenbuf[4];
  15     int len;
  16     len = (bignum_bitcount(b) + 8) / 8;
  17     PUT_32BIT(lenbuf, len);
  18     SHA_Bytes(s, lenbuf, 4);
  19     while (len-- > 0) {
  20         lenbuf[0] = bignum_byte(b, len);
  21         SHA_Bytes(s, lenbuf, 1);
  22     }
  23     smemclr(lenbuf, sizeof(lenbuf));
  24 }
  25
  26 static void sha512_mpint(SHA512_State * s, Bignum b)
  27 {
  28     unsigned char lenbuf[4];
  29     int len;
  30     len = (bignum_bitcount(b) + 8) / 8;
  31     PUT_32BIT(lenbuf, len);
  32     SHA512_Bytes(s, lenbuf, 4);
  33     while (len-- > 0) {
  34         lenbuf[0] = bignum_byte(b, len);
  35         SHA512_Bytes(s, lenbuf, 1);
  36     }
  37     smemclr(lenbuf, sizeof(lenbuf));
  38 }
  39
  40 static void getstring(char **data, int *datalen, char **p, int *length)
  41 {
  42     *p = NULL;
  43     if (*datalen < 4)
  44         return;
  45     *length = toint(GET_32BIT(*data));
  46     if (*length < 0)
  47         return;
  48     *datalen -= 4;
  49     *data += 4;
  50     if (*datalen < *length)
  51         return;
  52     *p = *data;
  53     *data += *length;
  54     *datalen -= *length;
  55 }
  56 static Bignum getmp(char **data, int *datalen)
  57 {
  58     char *p;
  59     int length;
  60     Bignum b;
  61
  62     getstring(data, datalen, &p, &length);
  63     if (!p)
  64         return NULL;
  65     if (p[0] & 0x80)
  66         return NULL;                   /* negative mp */
  67     b = bignum_from_bytes((unsigned char *)p, length);
  68     return b;
  69 }
  70
  71 static Bignum get160(char **data, int *datalen)
  72 {
  73     Bignum b;
  74
  75     b = bignum_from_bytes((unsigned char *)*data, 20);
  76     *data += 20;
  77     *datalen -= 20;
  78
  79     return b;
  80 }
  81
  82 static void *dss_newkey(char *data, int len)
  83 {
  84     char *p;
  85     int slen;
  86     struct dss_key *dss;
  87
  88     dss = snew(struct dss_key);
  89     if (!dss)
  90         return NULL;
  91     getstring(&data, &len, &p, &slen);
  92
  93 #ifdef DEBUG_DSS
  94     {
  95         int i;
  96         printf("key:");
  97         for (i = 0; i < len; i++)
  98             printf("  %02x", (unsigned char) (data[i]));
  99         printf("\n");
 100     }
 101 #endif
 102
 103     if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 104         sfree(dss);
 105         return NULL;
 106     }
 107     dss->p = getmp(&data, &len);
 108     dss->q = getmp(&data, &len);
 109     dss->g = getmp(&data, &len);
 110     dss->y = getmp(&data, &len);
 111
 112     return dss;
 113 }
 114
 115 static void dss_freekey(void *key)
 116 {
 117     struct dss_key *dss = (struct dss_key *) key;
 118     freebn(dss->p);
 119     freebn(dss->q);
 120     freebn(dss->g);
 121     freebn(dss->y);
 122     sfree(dss);
 123 }
 124
 125 static char *dss_fmtkey(void *key)
 126 {
 127     struct dss_key *dss = (struct dss_key *) key;
 128     char *p;
 129     int len, i, pos, nibbles;
 130     static const char hex[] = "0123456789abcdef";
 131     if (!dss->p)
 132         return NULL;
 133     len = 8 + 4 + 1;                   /* 4 x "0x", punctuation, \0 */
 134     len += 4 * (bignum_bitcount(dss->p) + 15) / 16;
 135     len += 4 * (bignum_bitcount(dss->q) + 15) / 16;
 136     len += 4 * (bignum_bitcount(dss->g) + 15) / 16;
 137     len += 4 * (bignum_bitcount(dss->y) + 15) / 16;
 138     p = snewn(len, char);
 139     if (!p)
 140         return NULL;
 141
 142     pos = 0;
 143     pos += sprintf(p + pos, "0x");
 144     nibbles = (3 + bignum_bitcount(dss->p)) / 4;
 145     if (nibbles < 1)
 146         nibbles = 1;
 147     for (i = nibbles; i--;)
 148         p[pos++] =
 149             hex[(bignum_byte(dss->p, i / 2) >> (4 * (i % 2))) & 0xF];
 150     pos += sprintf(p + pos, ",0x");
 151     nibbles = (3 + bignum_bitcount(dss->q)) / 4;
 152     if (nibbles < 1)
 153         nibbles = 1;
 154     for (i = nibbles; i--;)
 155         p[pos++] =
 156             hex[(bignum_byte(dss->q, i / 2) >> (4 * (i % 2))) & 0xF];
 157     pos += sprintf(p + pos, ",0x");
 158     nibbles = (3 + bignum_bitcount(dss->g)) / 4;
 159     if (nibbles < 1)
 160         nibbles = 1;
 161     for (i = nibbles; i--;)
 162         p[pos++] =
 163             hex[(bignum_byte(dss->g, i / 2) >> (4 * (i % 2))) & 0xF];
 164     pos += sprintf(p + pos, ",0x");
 165     nibbles = (3 + bignum_bitcount(dss->y)) / 4;
 166     if (nibbles < 1)
 167         nibbles = 1;
 168     for (i = nibbles; i--;)
 169         p[pos++] =
 170             hex[(bignum_byte(dss->y, i / 2) >> (4 * (i % 2))) & 0xF];
 171     p[pos] = '\0';
 172     return p;
 173 }
 174
 175 static char *dss_fingerprint(void *key)
 176 {
 177     struct dss_key *dss = (struct dss_key *) key;
 178     struct MD5Context md5c;
 179     unsigned char digest[16], lenbuf[4];
 180     char buffer[16 * 3 + 40];
 181     char *ret;
 182     int numlen, i;
 183
 184     MD5Init(&md5c);
 185     MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11);
 186
 187 #define ADD_BIGNUM(bignum) \
 188     numlen = (bignum_bitcount(bignum)+8)/8; \
 189     PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
 190     for (i = numlen; i-- ;) { \
 191         unsigned char c = bignum_byte(bignum, i); \
 192         MD5Update(&md5c, &c, 1); \
 193     }
 194     ADD_BIGNUM(dss->p);
 195     ADD_BIGNUM(dss->q);
 196     ADD_BIGNUM(dss->g);
 197     ADD_BIGNUM(dss->y);
 198 #undef ADD_BIGNUM
 199
 200     MD5Final(digest, &md5c);
 201
 202     sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p));
 203     for (i = 0; i < 16; i++)
 204         sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
 205                 digest[i]);
 206     ret = snewn(strlen(buffer) + 1, char);
 207     if (ret)
 208         strcpy(ret, buffer);
 209     return ret;
 210 }
 211
 212 static int dss_verifysig(void *key, char *sig, int siglen,
 213                          char *data, int datalen)
 214 {
 215     struct dss_key *dss = (struct dss_key *) key;
 216     char *p;
 217     int slen;
 218     char hash[20];
 219     Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v;
 220     int ret;
 221
 222     if (!dss->p)
 223         return 0;
 224
 225 #ifdef DEBUG_DSS
 226     {
 227         int i;
 228         printf("sig:");
 229         for (i = 0; i < siglen; i++)
 230             printf("  %02x", (unsigned char) (sig[i]));
 231         printf("\n");
 232     }
 233 #endif
 234     /*
 235      * Commercial SSH (2.0.13) and OpenSSH disagree over the format
 236      * of a DSA signature. OpenSSH is in line with RFC 4253:
 237      * it uses a string "ssh-dss", followed by a 40-byte string
 238      * containing two 160-bit integers end-to-end. Commercial SSH
 239      * can't be bothered with the header bit, and considers a DSA
 240      * signature blob to be _just_ the 40-byte string containing
 241      * the two 160-bit integers. We tell them apart by measuring
 242      * the length: length 40 means the commercial-SSH bug, anything
 243      * else is assumed to be RFC-compliant.
 244      */
 245     if (siglen != 40) {                /* bug not present; read admin fields */
 246         getstring(&sig, &siglen, &p, &slen);
 247         if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
 248             return 0;
 249         }
 250         sig += 4, siglen -= 4;         /* skip yet another length field */
 251     }
 252     r = get160(&sig, &siglen);
 253     s = get160(&sig, &siglen);
 254     if (!r || !s)
 255         return 0;
 256
 257     /*
 258      * Step 1. w <- s^-1 mod q.
 259      */
 260     w = modinv(s, dss->q);
 261
 262     /*
 263      * Step 2. u1 <- SHA(message) * w mod q.
 264      */
 265     SHA_Simple(data, datalen, (unsigned char *)hash);
 266     p = hash;
 267     slen = 20;
 268     sha = get160(&p, &slen);
 269     u1 = modmul(sha, w, dss->q);
 270
 271     /*
 272      * Step 3. u2 <- r * w mod q.
 273      */
 274     u2 = modmul(r, w, dss->q);
 275
 276     /*
 277      * Step 4. v <- (g^u1 * y^u2 mod p) mod q.
 278      */
 279     gu1p = modpow(dss->g, u1, dss->p);
 280     yu2p = modpow(dss->y, u2, dss->p);
 281     gu1yu2p = modmul(gu1p, yu2p, dss->p);
 282     v = modmul(gu1yu2p, One, dss->q);
 283
 284     /*
 285      * Step 5. v should now be equal to r.
 286      */
 287
 288     ret = !bignum_cmp(v, r);
 289
 290     freebn(w);
 291     freebn(sha);
 292     freebn(u1);
 293     freebn(u2);
 294     freebn(gu1p);
 295     freebn(yu2p);
 296     freebn(gu1yu2p);
 297     freebn(v);
 298     freebn(r);
 299     freebn(s);
 300
 301     return ret;
 302 }
 303
 304 static unsigned char *dss_public_blob(void *key, int *len)
 305 {
 306     struct dss_key *dss = (struct dss_key *) key;
 307     int plen, qlen, glen, ylen, bloblen;
 308     int i;
 309     unsigned char *blob, *p;
 310
 311     plen = (bignum_bitcount(dss->p) + 8) / 8;
 312     qlen = (bignum_bitcount(dss->q) + 8) / 8;
 313     glen = (bignum_bitcount(dss->g) + 8) / 8;
 314     ylen = (bignum_bitcount(dss->y) + 8) / 8;
 315
 316     /*
 317      * string "ssh-dss", mpint p, mpint q, mpint g, mpint y. Total
 318      * 27 + sum of lengths. (five length fields, 20+7=27).
 319      */
 320     bloblen = 27 + plen + qlen + glen + ylen;
 321     blob = snewn(bloblen, unsigned char);
 322     p = blob;
 323     PUT_32BIT(p, 7);
 324     p += 4;
 325     memcpy(p, "ssh-dss", 7);
 326     p += 7;
 327     PUT_32BIT(p, plen);
 328     p += 4;
 329     for (i = plen; i--;)
 330         *p++ = bignum_byte(dss->p, i);
 331     PUT_32BIT(p, qlen);
 332     p += 4;
 333     for (i = qlen; i--;)
 334         *p++ = bignum_byte(dss->q, i);
 335     PUT_32BIT(p, glen);
 336     p += 4;
 337     for (i = glen; i--;)
 338         *p++ = bignum_byte(dss->g, i);
 339     PUT_32BIT(p, ylen);
 340     p += 4;
 341     for (i = ylen; i--;)
 342         *p++ = bignum_byte(dss->y, i);
 343     assert(p == blob + bloblen);
 344     *len = bloblen;
 345     return blob;
 346 }
 347
 348 static unsigned char *dss_private_blob(void *key, int *len)
 349 {
 350     struct dss_key *dss = (struct dss_key *) key;
 351     int xlen, bloblen;
 352     int i;
 353     unsigned char *blob, *p;
 354
 355     xlen = (bignum_bitcount(dss->x) + 8) / 8;
 356
 357     /*
 358      * mpint x, string[20] the SHA of p||q||g. Total 4 + xlen.
 359      */
 360     bloblen = 4 + xlen;
 361     blob = snewn(bloblen, unsigned char);
 362     p = blob;
 363     PUT_32BIT(p, xlen);
 364     p += 4;
 365     for (i = xlen; i--;)
 366         *p++ = bignum_byte(dss->x, i);
 367     assert(p == blob + bloblen);
 368     *len = bloblen;
 369     return blob;
 370 }
 371
 372 static void *dss_createkey(unsigned char *pub_blob, int pub_len,
 373                            unsigned char *priv_blob, int priv_len)
 374 {
 375     struct dss_key *dss;
 376     char *pb = (char *) priv_blob;
 377     char *hash;
 378     int hashlen;
 379     SHA_State s;
 380     unsigned char digest[20];
 381     Bignum ytest;
 382
 383     dss = dss_newkey((char *) pub_blob, pub_len);
 384     dss->x = getmp(&pb, &priv_len);
 385
 386     /*
 387      * Check the obsolete hash in the old DSS key format.
 388      */
 389     hashlen = -1;
 390     getstring(&pb, &priv_len, &hash, &hashlen);
 391     if (hashlen == 20) {
 392         SHA_Init(&s);
 393         sha_mpint(&s, dss->p);
 394         sha_mpint(&s, dss->q);
 395         sha_mpint(&s, dss->g);
 396         SHA_Final(&s, digest);
 397         if (0 != memcmp(hash, digest, 20)) {
 398             dss_freekey(dss);
 399             return NULL;
 400         }
 401     }
 402
 403     /*
 404      * Now ensure g^x mod p really is y.
 405      */
 406     ytest = modpow(dss->g, dss->x, dss->p);
 407     if (0 != bignum_cmp(ytest, dss->y)) {
 408         dss_freekey(dss);
 409         freebn(ytest);
 410         return NULL;
 411     }
 412     freebn(ytest);
 413
 414     return dss;
 415 }
 416
 417 static void *dss_openssh_createkey(unsigned char **blob, int *len)
 418 {
 419     char **b = (char **) blob;
 420     struct dss_key *dss;
 421
 422     dss = snew(struct dss_key);
 423     if (!dss)
 424         return NULL;
 425
 426     dss->p = getmp(b, len);
 427     dss->q = getmp(b, len);
 428     dss->g = getmp(b, len);
 429     dss->y = getmp(b, len);
 430     dss->x = getmp(b, len);
 431
 432     if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) {
 433         sfree(dss->p);
 434         sfree(dss->q);
 435         sfree(dss->g);
 436         sfree(dss->y);
 437         sfree(dss->x);
 438         sfree(dss);
 439         return NULL;
 440     }
 441
 442     return dss;
 443 }
 444
 445 static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len)
 446 {
 447     struct dss_key *dss = (struct dss_key *) key;
 448     int bloblen, i;
 449
 450     bloblen =
 451         ssh2_bignum_length(dss->p) +
 452         ssh2_bignum_length(dss->q) +
 453         ssh2_bignum_length(dss->g) +
 454         ssh2_bignum_length(dss->y) +
 455         ssh2_bignum_length(dss->x);
 456
 457     if (bloblen > len)
 458         return bloblen;
 459
 460     bloblen = 0;
 461 #define ENC(x) \
 462     PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
 463     for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
 464     ENC(dss->p);
 465     ENC(dss->q);
 466     ENC(dss->g);
 467     ENC(dss->y);
 468     ENC(dss->x);
 469
 470     return bloblen;
 471 }
 472
 473 static int dss_pubkey_bits(void *blob, int len)
 474 {
 475     struct dss_key *dss;
 476     int ret;
 477
 478     dss = dss_newkey((char *) blob, len);
 479     ret = bignum_bitcount(dss->p);
 480     dss_freekey(dss);
 481
 482     return ret;
 483 }
 484
 485 static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
 486 {
 487     /*
 488      * The basic DSS signing algorithm is:
 489      *
 490      *  - invent a random k between 1 and q-1 (exclusive).
 491      *  - Compute r = (g^k mod p) mod q.
 492      *  - Compute s = k^-1 * (hash + x*r) mod q.
 493      *
 494      * This has the dangerous properties that:
 495      *
 496      *  - if an attacker in possession of the public key _and_ the
 497      *    signature (for example, the host you just authenticated
 498      *    to) can guess your k, he can reverse the computation of s
 499      *    and work out x = r^-1 * (s*k - hash) mod q. That is, he
 500      *    can deduce the private half of your key, and masquerade
 501      *    as you for as long as the key is still valid.
 502      *
 503      *  - since r is a function purely of k and the public key, if
 504      *    the attacker only has a _range of possibilities_ for k
 505      *    it's easy for him to work through them all and check each
 506      *    one against r; he'll never be unsure of whether he's got
 507      *    the right one.
 508      *
 509      *  - if you ever sign two different hashes with the same k, it
 510      *    will be immediately obvious because the two signatures
 511      *    will have the same r, and moreover an attacker in
 512      *    possession of both signatures (and the public key of
 513      *    course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
 514      *    and from there deduce x as before.
 515      *
 516      *  - the Bleichenbacher attack on DSA makes use of methods of
 517      *    generating k which are significantly non-uniformly
 518      *    distributed; in particular, generating a 160-bit random
 519      *    number and reducing it mod q is right out.
 520      *
 521      * For this reason we must be pretty careful about how we
 522      * generate our k. Since this code runs on Windows, with no
 523      * particularly good system entropy sources, we can't trust our
 524      * RNG itself to produce properly unpredictable data. Hence, we
 525      * use a totally different scheme instead.
 526      *
 527      * What we do is to take a SHA-512 (_big_) hash of the private
 528      * key x, and then feed this into another SHA-512 hash that
 529      * also includes the message hash being signed. That is:
 530      *
 531      *   proto_k = SHA512 ( SHA512(x) || SHA160(message) )
 532      *
 533      * This number is 512 bits long, so reducing it mod q won't be
 534      * noticeably non-uniform. So
 535      *
 536      *   k = proto_k mod q
 537      *
 538      * This has the interesting property that it's _deterministic_:
 539      * signing the same hash twice with the same key yields the
 540      * same signature.
 541      *
 542      * Despite this determinism, it's still not predictable to an
 543      * attacker, because in order to repeat the SHA-512
 544      * construction that created it, the attacker would have to
 545      * know the private key value x - and by assumption he doesn't,
 546      * because if he knew that he wouldn't be attacking k!
 547      *
 548      * (This trick doesn't, _per se_, protect against reuse of k.
 549      * Reuse of k is left to chance; all it does is prevent
 550      * _excessively high_ chances of reuse of k due to entropy
 551      * problems.)
 552      *
 553      * Thanks to Colin Plumb for the general idea of using x to
 554      * ensure k is hard to guess, and to the Cambridge University
 555      * Computer Security Group for helping to argue out all the
 556      * fine details.
 557      */
 558     struct dss_key *dss = (struct dss_key *) key;
 559     SHA512_State ss;
 560     unsigned char digest[20], digest512[64];
 561     Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
 562     unsigned char *bytes;
 563     int nbytes, i;
 564
 565     SHA_Simple(data, datalen, digest);
 566
 567     /*
 568      * Hash some identifying text plus x.
 569      */
 570     SHA512_Init(&ss);
 571     SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
 572     sha512_mpint(&ss, dss->x);
 573     SHA512_Final(&ss, digest512);
 574
 575     /*
 576      * Now hash that digest plus the message hash.
 577      */
 578     SHA512_Init(&ss);
 579     SHA512_Bytes(&ss, digest512, sizeof(digest512));
 580     SHA512_Bytes(&ss, digest, sizeof(digest));
 581     SHA512_Final(&ss, digest512);
 582
 583     smemclr(&ss, sizeof(ss));
 584
 585     /*
 586      * Now convert the result into a bignum, and reduce it mod q.
 587      */
 588     proto_k = bignum_from_bytes(digest512, 64);
 589     k = bigmod(proto_k, dss->q);
 590     freebn(proto_k);
 591
 592     smemclr(digest512, sizeof(digest512));
 593
 594     /*
 595      * Now we have k, so just go ahead and compute the signature.
 596      */
 597     gkp = modpow(dss->g, k, dss->p);   /* g^k mod p */
 598     r = bigmod(gkp, dss->q);           /* r = (g^k mod p) mod q */
 599     freebn(gkp);
 600
 601     hash = bignum_from_bytes(digest, 20);
 602     kinv = modinv(k, dss->q);          /* k^-1 mod q */
 603     hxr = bigmuladd(dss->x, r, hash);  /* hash + x*r */
 604     s = modmul(kinv, hxr, dss->q);     /* s = k^-1 * (hash + x*r) mod q */
 605     freebn(hxr);
 606     freebn(kinv);
 607     freebn(hash);
 608
 609     /*
 610      * Signature blob is
 611      *
 612      *   string  "ssh-dss"
 613      *   string  two 20-byte numbers r and s, end to end
 614      *
 615      * i.e. 4+7 + 4+40 bytes.
 616      */
 617     nbytes = 4 + 7 + 4 + 40;
 618     bytes = snewn(nbytes, unsigned char);
 619     PUT_32BIT(bytes, 7);
 620     memcpy(bytes + 4, "ssh-dss", 7);
 621     PUT_32BIT(bytes + 4 + 7, 40);
 622     for (i = 0; i < 20; i++) {
 623         bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i);
 624         bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i);
 625     }
 626     freebn(r);
 627     freebn(s);
 628
 629     *siglen = nbytes;
 630     return bytes;
 631 }
 632
 633 const struct ssh_signkey ssh_dss = {
 634     dss_newkey,
 635     dss_freekey,
 636     dss_fmtkey,
 637     dss_public_blob,
 638     dss_private_blob,
 639     dss_createkey,
 640     dss_openssh_createkey,
 641     dss_openssh_fmtkey,
 642     dss_pubkey_bits,
 643     dss_fingerprint,
 644     dss_verifysig,
 645     dss_sign,
 646     "ssh-dss",
 647     "dss"
 648 };