X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/5c72ca6161da0e7976245222c412d62ebae2e386..HEAD:/sshdss.c diff --git a/sshdss.c b/sshdss.c index b2179a83..84fcdac7 100644 --- a/sshdss.c +++ b/sshdss.c @@ -1,3 +1,7 @@ +/* + * Digital Signature Standard implementation for PuTTY. + */ + #include #include #include @@ -5,21 +9,8 @@ #include "ssh.h" #include "misc.h" -#define GET_32BIT(cp) \ - (((unsigned long)(unsigned char)(cp)[0] << 24) | \ - ((unsigned long)(unsigned char)(cp)[1] << 16) | \ - ((unsigned long)(unsigned char)(cp)[2] << 8) | \ - ((unsigned long)(unsigned char)(cp)[3])) - -#define PUT_32BIT(cp, value) { \ - (cp)[0] = (unsigned char)((value) >> 24); \ - (cp)[1] = (unsigned char)((value) >> 16); \ - (cp)[2] = (unsigned char)((value) >> 8); \ - (cp)[3] = (unsigned char)(value); } - static void sha_mpint(SHA_State * s, Bignum b) { - unsigned char *p; unsigned char lenbuf[4]; int len; len = (bignum_bitcount(b) + 8) / 8; @@ -29,12 +20,11 @@ static void sha_mpint(SHA_State * s, Bignum b) lenbuf[0] = bignum_byte(b, len); SHA_Bytes(s, lenbuf, 1); } - memset(lenbuf, 0, sizeof(lenbuf)); + smemclr(lenbuf, sizeof(lenbuf)); } static void sha512_mpint(SHA512_State * s, Bignum b) { - unsigned char *p; unsigned char lenbuf[4]; int len; len = (bignum_bitcount(b) + 8) / 8; @@ -44,7 +34,7 @@ static void sha512_mpint(SHA512_State * s, Bignum b) lenbuf[0] = bignum_byte(b, len); SHA512_Bytes(s, lenbuf, 1); } - memset(lenbuf, 0, sizeof(lenbuf)); + smemclr(lenbuf, sizeof(lenbuf)); } static void getstring(char **data, int *datalen, char **p, int *length) @@ -52,7 +42,9 @@ static void getstring(char **data, int *datalen, char **p, int *length) *p = NULL; if (*datalen < 4) return; - *length = GET_32BIT(*data); + *length = toint(GET_32BIT(*data)); + if (*length < 0) + return; *datalen -= 4; *data += 4; if (*datalen < *length) @@ -72,7 +64,7 @@ static Bignum getmp(char **data, int *datalen) return NULL; if (p[0] & 0x80) return NULL; /* negative mp */ - b = bignum_from_bytes(p, length); + b = bignum_from_bytes((unsigned char *)p, length); return b; } @@ -80,22 +72,25 @@ static Bignum get160(char **data, int *datalen) { Bignum b; - b = bignum_from_bytes(*data, 20); + if (*datalen < 20) + return NULL; + + b = bignum_from_bytes((unsigned char *)*data, 20); *data += 20; *datalen -= 20; return b; } +static void dss_freekey(void *key); /* forward reference */ + static void *dss_newkey(char *data, int len) { char *p; int slen; struct dss_key *dss; - dss = smalloc(sizeof(struct dss_key)); - if (!dss) - return NULL; + dss = snew(struct dss_key); getstring(&data, &len, &p, &slen); #ifdef DEBUG_DSS @@ -108,7 +103,7 @@ static void *dss_newkey(char *data, int len) } #endif - if (!p || memcmp(p, "ssh-dss", 7)) { + if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) { sfree(dss); return NULL; } @@ -116,6 +111,14 @@ static void *dss_newkey(char *data, int len) dss->q = getmp(&data, &len); dss->g = getmp(&data, &len); dss->y = getmp(&data, &len); + dss->x = NULL; + + if (!dss->p || !dss->q || !dss->g || !dss->y || + !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) { + /* Invalid key. */ + dss_freekey(dss); + return NULL; + } return dss; } @@ -123,10 +126,16 @@ static void *dss_newkey(char *data, int len) static void dss_freekey(void *key) { struct dss_key *dss = (struct dss_key *) key; - freebn(dss->p); - freebn(dss->q); - freebn(dss->g); - freebn(dss->y); + if (dss->p) + freebn(dss->p); + if (dss->q) + freebn(dss->q); + if (dss->g) + freebn(dss->g); + if (dss->y) + freebn(dss->y); + if (dss->x) + freebn(dss->x); sfree(dss); } @@ -143,7 +152,7 @@ static char *dss_fmtkey(void *key) len += 4 * (bignum_bitcount(dss->q) + 15) / 16; len += 4 * (bignum_bitcount(dss->g) + 15) / 16; len += 4 * (bignum_bitcount(dss->y) + 15) / 16; - p = smalloc(len); + p = snewn(len, char); if (!p) return NULL; @@ -190,7 +199,7 @@ static char *dss_fingerprint(void *key) int numlen, i; MD5Init(&md5c); - MD5Update(&md5c, "\0\0\0\7ssh-dss", 11); + MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11); #define ADD_BIGNUM(bignum) \ numlen = (bignum_bitcount(bignum)+8)/8; \ @@ -211,7 +220,7 @@ static char *dss_fingerprint(void *key) for (i = 0; i < 16; i++) sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "", digest[i]); - ret = smalloc(strlen(buffer) + 1); + ret = snewn(strlen(buffer) + 1, char); if (ret) strcpy(ret, buffer); return ret; @@ -241,14 +250,14 @@ static int dss_verifysig(void *key, char *sig, int siglen, #endif /* * Commercial SSH (2.0.13) and OpenSSH disagree over the format - * of a DSA signature. OpenSSH is in line with the IETF drafts: + * of a DSA signature. OpenSSH is in line with RFC 4253: * it uses a string "ssh-dss", followed by a 40-byte string * containing two 160-bit integers end-to-end. Commercial SSH * can't be bothered with the header bit, and considers a DSA * signature blob to be _just_ the 40-byte string containing * the two 160-bit integers. We tell them apart by measuring * the length: length 40 means the commercial-SSH bug, anything - * else is assumed to be IETF-compliant. + * else is assumed to be RFC-compliant. */ if (siglen != 40) { /* bug not present; read admin fields */ getstring(&sig, &siglen, &p, &slen); @@ -259,18 +268,34 @@ static int dss_verifysig(void *key, char *sig, int siglen, } r = get160(&sig, &siglen); s = get160(&sig, &siglen); - if (!r || !s) + if (!r || !s) { + if (r) + freebn(r); + if (s) + freebn(s); return 0; + } + + if (!bignum_cmp(s, Zero)) { + freebn(r); + freebn(s); + return 0; + } /* * Step 1. w <- s^-1 mod q. */ w = modinv(s, dss->q); + if (!w) { + freebn(r); + freebn(s); + return 0; + } /* * Step 2. u1 <- SHA(message) * w mod q. */ - SHA_Simple(data, datalen, hash); + SHA_Simple(data, datalen, (unsigned char *)hash); p = hash; slen = 20; sha = get160(&p, &slen); @@ -297,6 +322,8 @@ static int dss_verifysig(void *key, char *sig, int siglen, freebn(w); freebn(sha); + freebn(u1); + freebn(u2); freebn(gu1p); freebn(yu2p); freebn(gu1yu2p); @@ -324,7 +351,7 @@ static unsigned char *dss_public_blob(void *key, int *len) * 27 + sum of lengths. (five length fields, 20+7=27). */ bloblen = 27 + plen + qlen + glen + ylen; - blob = smalloc(bloblen); + blob = snewn(bloblen, unsigned char); p = blob; PUT_32BIT(p, 7); p += 4; @@ -357,31 +384,19 @@ static unsigned char *dss_private_blob(void *key, int *len) int xlen, bloblen; int i; unsigned char *blob, *p; - SHA_State s; - unsigned char digest[20]; xlen = (bignum_bitcount(dss->x) + 8) / 8; /* - * mpint x, string[20] the SHA of p||q||g. Total 28 + xlen. - * (two length fields and twenty bytes, 20+8=28). + * mpint x, string[20] the SHA of p||q||g. Total 4 + xlen. */ - bloblen = 28 + xlen; - blob = smalloc(bloblen); + bloblen = 4 + xlen; + blob = snewn(bloblen, unsigned char); p = blob; PUT_32BIT(p, xlen); p += 4; for (i = xlen; i--;) *p++ = bignum_byte(dss->x, i); - PUT_32BIT(p, 20); - SHA_Init(&s); - sha_mpint(&s, dss->p); - sha_mpint(&s, dss->q); - sha_mpint(&s, dss->g); - SHA_Final(&s, digest); - p += 4; - for (i = 0; i < 20; i++) - *p++ = digest[i]; assert(p == blob + bloblen); *len = bloblen; return blob; @@ -399,25 +414,29 @@ static void *dss_createkey(unsigned char *pub_blob, int pub_len, Bignum ytest; dss = dss_newkey((char *) pub_blob, pub_len); + if (!dss) + return NULL; dss->x = getmp(&pb, &priv_len); - getstring(&pb, &priv_len, &hash, &hashlen); + if (!dss->x) { + dss_freekey(dss); + return NULL; + } /* - * Verify details of the key. First check that the hash is - * indeed a hash of p||q||g. + * Check the obsolete hash in the old DSS key format. */ - if (hashlen != 20) { - dss_freekey(dss); - return NULL; - } - SHA_Init(&s); - sha_mpint(&s, dss->p); - sha_mpint(&s, dss->q); - sha_mpint(&s, dss->g); - SHA_Final(&s, digest); - if (0 != memcmp(hash, digest, 20)) { - dss_freekey(dss); - return NULL; + hashlen = -1; + getstring(&pb, &priv_len, &hash, &hashlen); + if (hashlen == 20) { + SHA_Init(&s); + sha_mpint(&s, dss->p); + sha_mpint(&s, dss->q); + sha_mpint(&s, dss->g); + SHA_Final(&s, digest); + if (0 != memcmp(hash, digest, 20)) { + dss_freekey(dss); + return NULL; + } } /* @@ -426,6 +445,7 @@ static void *dss_createkey(unsigned char *pub_blob, int pub_len, ytest = modpow(dss->g, dss->x, dss->p); if (0 != bignum_cmp(ytest, dss->y)) { dss_freekey(dss); + freebn(ytest); return NULL; } freebn(ytest); @@ -438,9 +458,7 @@ static void *dss_openssh_createkey(unsigned char **blob, int *len) char **b = (char **) blob; struct dss_key *dss; - dss = smalloc(sizeof(struct dss_key)); - if (!dss) - return NULL; + dss = snew(struct dss_key); dss->p = getmp(b, len); dss->q = getmp(b, len); @@ -448,14 +466,11 @@ static void *dss_openssh_createkey(unsigned char **blob, int *len) dss->y = getmp(b, len); dss->x = getmp(b, len); - if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) { - sfree(dss->p); - sfree(dss->q); - sfree(dss->g); - sfree(dss->y); - sfree(dss->x); - sfree(dss); - return NULL; + if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x || + !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) { + /* Invalid key. */ + dss_freekey(dss); + return NULL; } return dss; @@ -489,7 +504,21 @@ static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len) return bloblen; } -unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) +static int dss_pubkey_bits(void *blob, int len) +{ + struct dss_key *dss; + int ret; + + dss = dss_newkey((char *) blob, len); + if (!dss) + return -1; + ret = bignum_bitcount(dss->p); + dss_freekey(dss); + + return ret; +} + +static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) { /* * The basic DSS signing algorithm is: @@ -546,9 +575,16 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) * signing the same hash twice with the same key yields the * same signature. * - * (It doesn't, _per se_, protect against reuse of k. Reuse of - * k is left to chance; all it does is prevent _excessively - * high_ chances of reuse of k due to entropy problems.) + * Despite this determinism, it's still not predictable to an + * attacker, because in order to repeat the SHA-512 + * construction that created it, the attacker would have to + * know the private key value x - and by assumption he doesn't, + * because if he knew that he wouldn't be attacking k! + * + * (This trick doesn't, _per se_, protect against reuse of k. + * Reuse of k is left to chance; all it does is prevent + * _excessively high_ chances of reuse of k due to entropy + * problems.) * * Thanks to Colin Plumb for the general idea of using x to * ensure k is hard to guess, and to the Cambridge University @@ -578,18 +614,34 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) SHA512_Init(&ss); SHA512_Bytes(&ss, digest512, sizeof(digest512)); SHA512_Bytes(&ss, digest, sizeof(digest)); - SHA512_Final(&ss, digest512); - memset(&ss, 0, sizeof(ss)); + while (1) { + SHA512_State ss2 = ss; /* structure copy */ + SHA512_Final(&ss2, digest512); + + smemclr(&ss2, sizeof(ss2)); + + /* + * Now convert the result into a bignum, and reduce it mod q. + */ + proto_k = bignum_from_bytes(digest512, 64); + k = bigmod(proto_k, dss->q); + freebn(proto_k); + kinv = modinv(k, dss->q); /* k^-1 mod q */ + if (!kinv) { /* very unlikely */ + freebn(k); + /* Perturb the hash to think of a different k. */ + SHA512_Bytes(&ss, "x", 1); + /* Go round and try again. */ + continue; + } + + break; + } - /* - * Now convert the result into a bignum, and reduce it mod q. - */ - proto_k = bignum_from_bytes(digest512, 64); - k = bigmod(proto_k, dss->q); - freebn(proto_k); + smemclr(&ss, sizeof(ss)); - memset(digest512, 0, sizeof(digest512)); + smemclr(digest512, sizeof(digest512)); /* * Now we have k, so just go ahead and compute the signature. @@ -599,11 +651,11 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) freebn(gkp); hash = bignum_from_bytes(digest, 20); - kinv = modinv(k, dss->q); /* k^-1 mod q */ hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */ s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */ freebn(hxr); freebn(kinv); + freebn(k); freebn(hash); /* @@ -615,7 +667,7 @@ unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) * i.e. 4+7 + 4+40 bytes. */ nbytes = 4 + 7 + 4 + 40; - bytes = smalloc(nbytes); + bytes = snewn(nbytes, unsigned char); PUT_32BIT(bytes, 7); memcpy(bytes + 4, "ssh-dss", 7); PUT_32BIT(bytes + 4 + 7, 40); @@ -639,6 +691,7 @@ const struct ssh_signkey ssh_dss = { dss_createkey, dss_openssh_createkey, dss_openssh_fmtkey, + dss_pubkey_bits, dss_fingerprint, dss_verifysig, dss_sign,