X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/d5859615f641e5bbd853cd42aafd4fa577da17eb..32874aeac8dacbca26663777b39a79efc5d8dc4b:/sshdss.c diff --git a/sshdss.c b/sshdss.c index 86a16176..71ad59e1 100644 --- a/sshdss.c +++ b/sshdss.c @@ -1,5 +1,6 @@ #include #include +#include #include "ssh.h" @@ -15,112 +16,155 @@ (cp)[2] = (unsigned char)((value) >> 8); \ (cp)[3] = (unsigned char)(value); } -static void getstring(char **data, int *datalen, char **p, int *length) { +#if 0 +#define DEBUG_DSS +#else +#define diagbn(x,y) +#endif + +static void getstring(char **data, int *datalen, char **p, int *length) +{ *p = NULL; if (*datalen < 4) - return; + return; *length = GET_32BIT(*data); - *datalen -= 4; *data += 4; + *datalen -= 4; + *data += 4; if (*datalen < *length) - return; + return; *p = *data; - *data += *length; *datalen -= *length; + *data += *length; + *datalen -= *length; } -static Bignum getmp(char **data, int *datalen) { +static Bignum getmp(char **data, int *datalen) +{ char *p; - int i, j, length; + int length; Bignum b; getstring(data, datalen, &p, &length); if (!p) - return NULL; + return NULL; if (p[0] & 0x80) - return NULL; /* negative mp */ - b = newbn((length+1)/2); - for (i = 0; i < length; i++) { - j = length - 1 - i; - if (j & 1) - b[j/2+1] |= ((unsigned char)p[i]) << 8; - else - b[j/2+1] |= ((unsigned char)p[i]); - } + return NULL; /* negative mp */ + b = bignum_from_bytes(p, length); return b; } -static Bignum get160(char **data, int *datalen) { - char *p; - int i, j, length; +static Bignum get160(char **data, int *datalen) +{ Bignum b; - p = *data; - *data += 20; *datalen -= 20; - - length = 20; - while (length > 0 && !p[0]) - p++, length--; - b = newbn((length+1)/2); - for (i = 0; i < length; i++) { - j = length - 1 - i; - if (j & 1) - b[j/2+1] |= ((unsigned char)p[i]) << 8; - else - b[j/2+1] |= ((unsigned char)p[i]); - } + b = bignum_from_bytes(*data, 20); + *data += 20; + *datalen -= 20; + return b; } -static Bignum dss_p, dss_q, dss_g, dss_y; +struct dss_key { + Bignum p, q, g, y; +}; -static void dss_setkey(char *data, int len) { +static void *dss_newkey(char *data, int len) +{ char *p; int slen; + struct dss_key *dss; + + dss = smalloc(sizeof(struct dss_key)); + if (!dss) + return NULL; getstring(&data, &len, &p, &slen); + +#ifdef DEBUG_DSS + { + int i; + printf("key:"); + for (i = 0; i < len; i++) + printf(" %02x", (unsigned char) (data[i])); + printf("\n"); + } +#endif + if (!p || memcmp(p, "ssh-dss", 7)) { - dss_p = NULL; - return; + sfree(dss); + return NULL; } - dss_p = getmp(&data, &len); - dss_q = getmp(&data, &len); - dss_g = getmp(&data, &len); - dss_y = getmp(&data, &len); + dss->p = getmp(&data, &len); + dss->q = getmp(&data, &len); + dss->g = getmp(&data, &len); + dss->y = getmp(&data, &len); + + return dss; } -static char *dss_fmtkey(void) { +static void dss_freekey(void *key) +{ + struct dss_key *dss = (struct dss_key *) key; + freebn(dss->p); + freebn(dss->q); + freebn(dss->g); + freebn(dss->y); + sfree(dss); +} + +static char *dss_fmtkey(void *key) +{ + struct dss_key *dss = (struct dss_key *) key; char *p; int len, i, pos, nibbles; static const char hex[] = "0123456789abcdef"; - if (!dss_p) - return NULL; - len = 8 + 4 + 1; /* 4 x "0x", punctuation, \0 */ - len += 4 * (dss_p[0] + dss_q[0] + dss_g[0] + dss_y[0]); /* digits */ - p = malloc(len); - if (!p) return NULL; + if (!dss->p) + return NULL; + len = 8 + 4 + 1; /* 4 x "0x", punctuation, \0 */ + len += 4 * (bignum_bitcount(dss->p) + 15) / 16; + len += 4 * (bignum_bitcount(dss->q) + 15) / 16; + len += 4 * (bignum_bitcount(dss->g) + 15) / 16; + len += 4 * (bignum_bitcount(dss->y) + 15) / 16; + p = smalloc(len); + if (!p) + return NULL; pos = 0; - pos += sprintf(p+pos, "0x"); - nibbles = (3 + ssh1_bignum_bitcount(dss_p))/4; if (nibbles<1) nibbles=1; - for (i=nibbles; i-- ;) - p[pos++] = hex[(bignum_byte(dss_p, i/2) >> (4*(i%2))) & 0xF]; - pos += sprintf(p+pos, "0x"); - nibbles = (3 + ssh1_bignum_bitcount(dss_q))/4; if (nibbles<1) nibbles=1; - for (i=nibbles; i-- ;) - p[pos++] = hex[(bignum_byte(dss_q, i/2) >> (4*(i%2))) & 0xF]; - pos += sprintf(p+pos, "0x"); - nibbles = (3 + ssh1_bignum_bitcount(dss_g))/4; if (nibbles<1) nibbles=1; - for (i=nibbles; i-- ;) - p[pos++] = hex[(bignum_byte(dss_g, i/2) >> (4*(i%2))) & 0xF]; - pos += sprintf(p+pos, "0x"); - nibbles = (3 + ssh1_bignum_bitcount(dss_y))/4; if (nibbles<1) nibbles=1; - for (i=nibbles; i-- ;) - p[pos++] = hex[(bignum_byte(dss_y, i/2) >> (4*(i%2))) & 0xF]; + pos += sprintf(p + pos, "0x"); + nibbles = (3 + bignum_bitcount(dss->p)) / 4; + if (nibbles < 1) + nibbles = 1; + for (i = nibbles; i--;) + p[pos++] = + hex[(bignum_byte(dss->p, i / 2) >> (4 * (i % 2))) & 0xF]; + pos += sprintf(p + pos, ",0x"); + nibbles = (3 + bignum_bitcount(dss->q)) / 4; + if (nibbles < 1) + nibbles = 1; + for (i = nibbles; i--;) + p[pos++] = + hex[(bignum_byte(dss->q, i / 2) >> (4 * (i % 2))) & 0xF]; + pos += sprintf(p + pos, ",0x"); + nibbles = (3 + bignum_bitcount(dss->g)) / 4; + if (nibbles < 1) + nibbles = 1; + for (i = nibbles; i--;) + p[pos++] = + hex[(bignum_byte(dss->g, i / 2) >> (4 * (i % 2))) & 0xF]; + pos += sprintf(p + pos, ",0x"); + nibbles = (3 + bignum_bitcount(dss->y)) / 4; + if (nibbles < 1) + nibbles = 1; + for (i = nibbles; i--;) + p[pos++] = + hex[(bignum_byte(dss->y, i / 2) >> (4 * (i % 2))) & 0xF]; p[pos] = '\0'; return p; } -static char *dss_fingerprint(void) { +static char *dss_fingerprint(void *key) +{ + struct dss_key *dss = (struct dss_key *) key; struct MD5Context md5c; unsigned char digest[16], lenbuf[4]; - char buffer[16*3+40]; + char buffer[16 * 3 + 40]; char *ret; int numlen, i; @@ -128,103 +172,128 @@ static char *dss_fingerprint(void) { MD5Update(&md5c, "\0\0\0\7ssh-dss", 11); #define ADD_BIGNUM(bignum) \ - numlen = (ssh1_bignum_bitcount(bignum)+8)/8; \ + numlen = (bignum_bitcount(bignum)+8)/8; \ PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \ for (i = numlen; i-- ;) { \ unsigned char c = bignum_byte(bignum, i); \ MD5Update(&md5c, &c, 1); \ } - ADD_BIGNUM(dss_p); - ADD_BIGNUM(dss_q); - ADD_BIGNUM(dss_g); - ADD_BIGNUM(dss_y); + ADD_BIGNUM(dss->p); + ADD_BIGNUM(dss->q); + ADD_BIGNUM(dss->g); + ADD_BIGNUM(dss->y); #undef ADD_BIGNUM MD5Final(digest, &md5c); - sprintf(buffer, "%d ", ssh1_bignum_bitcount(dss_p)); + sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p)); for (i = 0; i < 16; i++) - sprintf(buffer+strlen(buffer), "%s%02x", i?":":"", digest[i]); - ret = malloc(strlen(buffer)+1); + sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "", + digest[i]); + ret = smalloc(strlen(buffer) + 1); if (ret) - strcpy(ret, buffer); + strcpy(ret, buffer); return ret; } -static int dss_verifysig(char *sig, int siglen, char *data, int datalen) { +static int dss_verifysig(void *key, char *sig, int siglen, + char *data, int datalen) +{ + struct dss_key *dss = (struct dss_key *) key; char *p; - int i, slen; + int slen; char hash[20]; - Bignum qm2, r, s, w, i1, i2, i3, u1, u2, sha, v; + Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v; int ret; - if (!dss_p) - return 0; + if (!dss->p) + return 0; - getstring(&sig, &siglen, &p, &slen); - if (!p || memcmp(p, "ssh-dss", 7)) { - return 0; +#ifdef DEBUG_DSS + { + int i; + printf("sig:"); + for (i = 0; i < siglen; i++) + printf(" %02x", (unsigned char) (sig[i])); + printf("\n"); + } +#endif + /* + * Commercial SSH (2.0.13) and OpenSSH disagree over the format + * of a DSA signature. OpenSSH is in line with the IETF drafts: + * it uses a string "ssh-dss", followed by a 40-byte string + * containing two 160-bit integers end-to-end. Commercial SSH + * can't be bothered with the header bit, and considers a DSA + * signature blob to be _just_ the 40-byte string containing + * the two 160-bit integers. We tell them apart by measuring + * the length: length 40 means the commercial-SSH bug, anything + * else is assumed to be IETF-compliant. + */ + if (siglen != 40) { /* bug not present; read admin fields */ + getstring(&sig, &siglen, &p, &slen); + if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) { + return 0; + } + sig += 4, siglen -= 4; /* skip yet another length field */ } - sig += 4, siglen -= 4; /* skip yet another length field */ + diagbn("p=", dss->p); + diagbn("q=", dss->q); + diagbn("g=", dss->g); + diagbn("y=", dss->y); r = get160(&sig, &siglen); + diagbn("r=", r); s = get160(&sig, &siglen); + diagbn("s=", s); if (!r || !s) - return 0; + return 0; /* * Step 1. w <- s^-1 mod q. */ - w = newbn(dss_q[0]); - qm2 = copybn(dss_q); - decbn(qm2); decbn(qm2); - /* Now qm2 is q-2, and by Fermat's Little Theorem, s^qm2 == s^-1 (mod q). - * This is a silly way to do it; may fix it later. */ - modpow(s, qm2, dss_q, w); + w = modinv(s, dss->q); + diagbn("w=", w); /* * Step 2. u1 <- SHA(message) * w mod q. */ - u1 = newbn(dss_q[0]); SHA_Simple(data, datalen, hash); - p = hash; slen = 20; sha = get160(&p, &slen); - modmul(sha, w, dss_q, u1); + p = hash; + slen = 20; + sha = get160(&p, &slen); + diagbn("sha=", sha); + u1 = modmul(sha, w, dss->q); + diagbn("u1=", u1); /* * Step 3. u2 <- r * w mod q. */ - u2 = newbn(dss_q[0]); - modmul(r, w, dss_q, u2); + u2 = modmul(r, w, dss->q); + diagbn("u2=", u2); /* * Step 4. v <- (g^u1 * y^u2 mod p) mod q. */ - i1 = newbn(dss_p[0]); - i2 = newbn(dss_p[0]); - i3 = newbn(dss_p[0]); - v = newbn(dss_q[0]); - modpow(dss_g, u1, dss_p, i1); - modpow(dss_y, u2, dss_p, i2); - modmul(i1, i2, dss_p, i3); - modmul(i3, One, dss_q, v); + gu1p = modpow(dss->g, u1, dss->p); + diagbn("gu1p=", gu1p); + yu2p = modpow(dss->y, u2, dss->p); + diagbn("yu2p=", yu2p); + gu1yu2p = modmul(gu1p, yu2p, dss->p); + diagbn("gu1yu2p=", gu1yu2p); + v = modmul(gu1yu2p, One, dss->q); + diagbn("gu1yu2q=v=", v); + diagbn("r=", r); /* * Step 5. v should now be equal to r. */ - ret = 1; - for (i = 1; i <= v[0] || i <= r[0]; i++) { - if ((i > v[0] && r[i] != 0) || - (i > r[0] && v[i] != 0) || - (i <= v[0] && i <= r[0] && r[i] != v[i])) - ret = 0; - } + ret = !bignum_cmp(v, r); freebn(w); - freebn(qm2); freebn(sha); - freebn(i1); - freebn(i2); - freebn(i3); + freebn(gu1p); + freebn(yu2p); + freebn(gu1yu2p); freebn(v); freebn(r); freebn(s); @@ -232,11 +301,88 @@ static int dss_verifysig(char *sig, int siglen, char *data, int datalen) { return ret; } -struct ssh_hostkey ssh_dss = { - dss_setkey, +static unsigned char *dss_public_blob(void *key, int *len) +{ + struct dss_key *dss = (struct dss_key *) key; + int plen, qlen, glen, ylen, bloblen; + int i; + unsigned char *blob, *p; + + plen = (bignum_bitcount(dss->p) + 8) / 8; + qlen = (bignum_bitcount(dss->q) + 8) / 8; + glen = (bignum_bitcount(dss->g) + 8) / 8; + ylen = (bignum_bitcount(dss->y) + 8) / 8; + + /* + * string "ssh-dss", mpint p, mpint q, mpint g, mpint y. Total + * 27 + sum of lengths. (five length fields, 20+7=27). + */ + bloblen = 27 + plen + qlen + glen + ylen; + blob = smalloc(bloblen); + p = blob; + PUT_32BIT(p, 7); + p += 4; + memcpy(p, "ssh-dss", 7); + p += 7; + PUT_32BIT(p, plen); + p += 4; + for (i = plen; i--;) + *p++ = bignum_byte(dss->p, i); + PUT_32BIT(p, qlen); + p += 4; + for (i = qlen; i--;) + *p++ = bignum_byte(dss->q, i); + PUT_32BIT(p, glen); + p += 4; + for (i = glen; i--;) + *p++ = bignum_byte(dss->g, i); + PUT_32BIT(p, ylen); + p += 4; + for (i = ylen; i--;) + *p++ = bignum_byte(dss->y, i); + assert(p == blob + bloblen); + *len = bloblen; + return blob; +} + +static unsigned char *dss_private_blob(void *key, int *len) +{ + return NULL; /* can't handle DSS private keys */ +} + +static void *dss_createkey(unsigned char *pub_blob, int pub_len, + unsigned char *priv_blob, int priv_len) +{ + return NULL; /* can't handle DSS private keys */ +} + +static void *dss_openssh_createkey(unsigned char **blob, int *len) +{ + return NULL; /* can't handle DSS private keys */ +} + +static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len) +{ + return -1; /* can't handle DSS private keys */ +} + +unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) +{ + return NULL; /* can't handle DSS private keys */ +} + +const struct ssh_signkey ssh_dss = { + dss_newkey, + dss_freekey, dss_fmtkey, + dss_public_blob, + dss_private_blob, + dss_createkey, + dss_openssh_createkey, + dss_openssh_fmtkey, dss_fingerprint, dss_verifysig, + dss_sign, "ssh-dss", "dss" };