[secnet] / rsa.c

/*
 * rsa.c: implementation of RSA with PKCS#1 padding
 */
/*
 * This file is Free Software.  It was originally written for secnet.
 *
 * Copyright 1995-2003 Stephen Early
 * Copyright 2002-2014 Ian Jackson
 * Copyright 2001      Simon Tatham
 * Copyright 2013      Mark Wooding
 *
 * You may redistribute secnet as a whole and/or modify it under the
 * terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3, or (at your option) any
 * later version.
 *
 * You may redistribute this file and/or modify it under the terms of
 * the GNU General Public License as published by the Free Software
 * Foundation; either version 2, or (at your option) any later
 * version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this software; if not, see
 * https://www.gnu.org/licenses/gpl.html.
 */


#include <stdio.h>
#include <string.h>
#include <gmp.h>
#include "secnet.h"
#include "util.h"

#define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n"

#define mpp(s,n) do { char *p = mpz_get_str(NULL,16,n); printf("%s 0x%sL\n", s, p); free(p); } while (0)

struct rsapriv {
    closure_t cl;
    struct rsaprivkey_if ops;
    struct cloc loc;
    MP_INT n;
    MP_INT p, dp;
    MP_INT q, dq;
    MP_INT w;
};
struct rsapub {
    closure_t cl;
    struct rsapubkey_if ops;
    struct cloc loc;
    MP_INT e;
    MP_INT n;
};
/* Sign data. NB data must be smaller than modulus */

#define RSA_MAX_MODBYTES 2048
/* The largest modulus I've seen is 15360 bits, which works out at 1920
 * bytes.  Using keys this big is quite implausible, but it doesn't cost us
 * much to support them.
 */

static const char *hexchars="0123456789abcdef";

static void emsa_pkcs1(MP_INT *n, MP_INT *m,
		       const uint8_t *data, int32_t datalen)
{
    char buff[2*RSA_MAX_MODBYTES + 1];
    int msize, i;

    /* RSA PKCS#1 v1.5 signature padding:
     *
     * <------------ msize hex digits ---------->
     *
     * 00 01 ff ff .... ff ff 00 vv vv vv .... vv
     *
     *                           <--- datalen -->
     *                                 bytes
     *                         = datalen*2 hex digits
     *
     * NB that according to PKCS#1 v1.5 we're supposed to include a
     * hash function OID in the data.  We don't do that (because we
     * don't have the hash function OID to hand here), thus violating
     * the spec in a way that affects interop but not security.
     *
     * -iwj 17.9.2002
     */

    msize=mpz_sizeinbase(n, 16);

    if (datalen*2+6>=msize) {
	fatal("rsa_sign: message too big");
    }

    strcpy(buff,"0001");

    for (i=0; i<datalen; i++) {
	buff[msize+(-datalen+i)*2]=hexchars[(data[i]&0xf0)>>4];
	buff[msize+(-datalen+i)*2+1]=hexchars[data[i]&0xf];
    }
    
    buff[msize-datalen*2-2]= '0';
    buff[msize-datalen*2-1]= '0';
 
    for (i=4; i<msize-datalen*2-2; i++)
       buff[i]='f';

    buff[msize]=0;

    mpz_set_str(m, buff, 16);
}

static string_t rsa_sign(void *sst, uint8_t *data, int32_t datalen)
{
    struct rsapriv *st=sst;
    MP_INT a, b, u, v, tmp, tmp2;
    string_t signature;

    mpz_init(&a);
    mpz_init(&b);

    /* Construct the message representative. */
    emsa_pkcs1(&st->n, &a, data, datalen);

    /*
     * Produce an RSA signature (a^d mod n) using the Chinese
     * Remainder Theorem. We compute:
     * 
     *   u = a^dp mod p    (== a^d mod p, since dp == d mod (p-1))
     *   v = a^dq mod q    (== a^d mod q, similarly)
     * 
     * We also know w == iqmp * q, which has the property that w ==
     * 0 mod q and w == 1 mod p. So (1-w) has the reverse property
     * (congruent to 0 mod p and to 1 mod q). Hence we now compute
     * 
     *   b = w * u + (1-w) * v
     *     = w * (u-v) + v
     * 
     * so that b is congruent to a^d both mod p and mod q. Hence b,
     * reduced mod n, is the required signature.
     */
    mpz_init(&tmp);
    mpz_init(&tmp2);
    mpz_init(&u);
    mpz_init(&v);

    mpz_powm(&u, &a, &st->dp, &st->p);
    mpz_powm(&v, &a, &st->dq, &st->q);
    mpz_sub(&tmp, &u, &v);
    mpz_mul(&tmp2, &tmp, &st->w);
    mpz_add(&tmp, &tmp2, &v);
    mpz_mod(&b, &tmp, &st->n);

    mpz_clear(&tmp);
    mpz_clear(&tmp2);
    mpz_clear(&u);
    mpz_clear(&v);

    signature=write_mpstring(&b);

    mpz_clear(&b);
    mpz_clear(&a);
    return signature;
}

static rsa_checksig_fn rsa_sig_check;
static bool_t rsa_sig_check(void *sst, uint8_t *data, int32_t datalen,
			    cstring_t signature)
{
    struct rsapub *st=sst;
    MP_INT a, b, c;
    bool_t ok;

    mpz_init(&a);
    mpz_init(&b);
    mpz_init(&c);

    emsa_pkcs1(&st->n, &a, data, datalen);

    mpz_set_str(&b, signature, 16);

    mpz_powm(&c, &b, &st->e, &st->n);

    ok=(mpz_cmp(&a, &c)==0);

    mpz_clear(&c);
    mpz_clear(&b);
    mpz_clear(&a);

    return ok;
}

static list_t *rsapub_apply(closure_t *self, struct cloc loc, dict_t *context,
			    list_t *args)
{
    struct rsapub *st;
    item_t *i;
    string_t e,n;

    NEW(st);
    st->cl.description="rsapub";
    st->cl.type=CL_RSAPUBKEY;
    st->cl.apply=NULL;
    st->cl.interface=&st->ops;
    st->ops.st=st;
    st->ops.check=rsa_sig_check;
    st->loc=loc;

    i=list_elem(args,0);
    if (i) {
	if (i->type!=t_string) {
	    cfgfatal(i->loc,"rsa-public","first argument must be a string\n");
	}
	e=i->data.string;
	if (mpz_init_set_str(&st->e,e,10)!=0) {
	    cfgfatal(i->loc,"rsa-public","encryption key \"%s\" is not a "
		     "decimal number string\n",e);
	}
    } else {
	cfgfatal(loc,"rsa-public","you must provide an encryption key\n");
    }
    if (mpz_sizeinbase(&st->e, 256) > RSA_MAX_MODBYTES) {
	cfgfatal(loc, "rsa-public", "implausibly large public exponent\n");
    }
    
    i=list_elem(args,1);
    if (i) {
	if (i->type!=t_string) {
	    cfgfatal(i->loc,"rsa-public","second argument must be a string\n");
	}
	n=i->data.string;
	if (mpz_init_set_str(&st->n,n,10)!=0) {
	    cfgfatal(i->loc,"rsa-public","modulus \"%s\" is not a decimal "
		     "number string\n",n);
	}
    } else {
	cfgfatal(loc,"rsa-public","you must provide a modulus\n");
    }
    if (mpz_sizeinbase(&st->n, 256) > RSA_MAX_MODBYTES) {
	cfgfatal(loc, "rsa-public", "implausibly large modulus\n");
    }
    return new_closure(&st->cl);
}

static uint32_t keyfile_get_int(struct cloc loc, FILE *f)
{
    uint32_t r;
    r=fgetc(f)<<24;
    r|=fgetc(f)<<16;
    r|=fgetc(f)<<8;
    r|=fgetc(f);
    cfgfile_postreadcheck(loc,f);
    return r;
}

static uint16_t keyfile_get_short(struct cloc loc, FILE *f)
{
    uint16_t r;
    r=fgetc(f)<<8;
    r|=fgetc(f);
    cfgfile_postreadcheck(loc,f);
    return r;
}

static list_t *rsapriv_apply(closure_t *self, struct cloc loc, dict_t *context,
			     list_t *args)
{
    struct rsapriv *st;
    FILE *f;
    cstring_t filename;
    item_t *i;
    long length;
    uint8_t *b, *c;
    int cipher_type;
    MP_INT e,d,iqmp,tmp,tmp2,tmp3;
    bool_t valid;

    NEW(st);
    st->cl.description="rsapriv";
    st->cl.type=CL_RSAPRIVKEY;
    st->cl.apply=NULL;
    st->cl.interface=&st->ops;
    st->ops.st=st;
    st->ops.sign=rsa_sign;
    st->loc=loc;

    /* Argument is filename pointing to SSH1 private key file */
    i=list_elem(args,0);
    if (i) {
	if (i->type!=t_string) {
	    cfgfatal(i->loc,"rsa-public","first argument must be a string\n");
	}
	filename=i->data.string;
    } else {
	filename=NULL; /* Make compiler happy */
	cfgfatal(loc,"rsa-private","you must provide a filename\n");
    }

    f=fopen(filename,"rb");
    if (!f) {
	if (just_check_config) {
	    Message(M_WARNING,"rsa-private (%s:%d): cannot open keyfile "
		    "\"%s\"; assuming it's valid while we check the "
		    "rest of the configuration\n",loc.file,loc.line,filename);
	    goto assume_valid;
	} else {
	    fatal_perror("rsa-private (%s:%d): cannot open file \"%s\"",
			 loc.file,loc.line,filename);
	}
    }

    /* Check that the ID string is correct */
    length=strlen(AUTHFILE_ID_STRING)+1;
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1 || memcmp(b,AUTHFILE_ID_STRING,length)!=0) {
	cfgfatal_maybefile(f,loc,"rsa-private","failed to read magic ID"
			   " string from SSH1 private keyfile \"%s\"\n",
			   filename);
    }
    free(b);

    cipher_type=fgetc(f);
    keyfile_get_int(loc,f); /* "Reserved data" */
    if (cipher_type != 0) {
	cfgfatal(loc,"rsa-private","we don't support encrypted keyfiles\n");
    }

    /* Read the public key */
    keyfile_get_int(loc,f); /* Not sure what this is */
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausible length %ld for modulus\n",
		 length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f) != 1) {
	cfgfatal_maybefile(f,loc,"rsa-private","error reading modulus\n");
    }
    mpz_init(&st->n);
    read_mpbin(&st->n,b,length);
    free(b);
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausible length %ld for e\n",length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private","error reading e\n");
    }
    mpz_init(&e);
    read_mpbin(&e,b,length);
    free(b);
    
    length=keyfile_get_int(loc,f);
    if (length>1024) {
	cfgfatal(loc,"rsa-private","implausibly long (%ld) key comment\n",
		 length);
    }
    c=safe_malloc(length+1,"rsapriv_apply");
    if (fread(c,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private","error reading key comment\n");
    }
    c[length]=0;

    /* Check that the next two pairs of characters are identical - the
       keyfile is not encrypted, so they should be */

    if (keyfile_get_short(loc,f) != keyfile_get_short(loc,f)) {
	cfgfatal(loc,"rsa-private","corrupt keyfile\n");
    }

    /* Read d */
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausibly long (%ld) decryption key\n",
		 length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private",
			   "error reading decryption key\n");
    }
    mpz_init(&d);
    read_mpbin(&d,b,length);
    free(b);
    /* Read iqmp (inverse of q mod p) */
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausibly long (%ld)"
		 " iqmp auxiliary value\n", length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private",
			   "error reading decryption key\n");
    }
    mpz_init(&iqmp);
    read_mpbin(&iqmp,b,length);
    free(b);
    /* Read q (the smaller of the two primes) */
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausibly long (%ld) q value\n",
		 length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private",
			   "error reading q value\n");
    }
    mpz_init(&st->q);
    read_mpbin(&st->q,b,length);
    free(b);
    /* Read p (the larger of the two primes) */
    length=(keyfile_get_short(loc,f)+7)/8;
    if (length>RSA_MAX_MODBYTES) {
	cfgfatal(loc,"rsa-private","implausibly long (%ld) p value\n",
		 length);
    }
    b=safe_malloc(length,"rsapriv_apply");
    if (fread(b,length,1,f)!=1) {
	cfgfatal_maybefile(f,loc,"rsa-private",
			   "error reading p value\n");
    }
    mpz_init(&st->p);
    read_mpbin(&st->p,b,length);
    free(b);
    
    if (fclose(f)!=0) {
	fatal_perror("rsa-private (%s:%d): fclose",loc.file,loc.line);
    }

    /*
     * Now verify the validity of the key, and set up the auxiliary
     * values for fast CRT signing.
     */
    valid=False;
    i=list_elem(args,1);
    mpz_init(&tmp);
    mpz_init(&tmp2);
    mpz_init(&tmp3);
    if (i && i->type==t_bool && i->data.bool==False) {
	Message(M_INFO,"rsa-private (%s:%d): skipping RSA key validity "
		"check\n",loc.file,loc.line);
    } else {
	/* Verify that p*q is equal to n. */
	mpz_mul(&tmp, &st->p, &st->q);
	if (mpz_cmp(&tmp, &st->n) != 0)
	    goto done_checks;

	/*
	 * Verify that d*e is congruent to 1 mod (p-1), and mod
	 * (q-1). This is equivalent to it being congruent to 1 mod
	 * lambda(n) = lcm(p-1,q-1).  The usual `textbook' condition,
	 * that d e == 1 (mod (p-1)(q-1)) is sufficient, but not
	 * actually necessary.
	 */
	mpz_mul(&tmp, &d, &e);
	mpz_sub_ui(&tmp2, &st->p, 1);
	mpz_mod(&tmp3, &tmp, &tmp2);
	if (mpz_cmp_si(&tmp3, 1) != 0)
	    goto done_checks;
	mpz_sub_ui(&tmp2, &st->q, 1);
	mpz_mod(&tmp3, &tmp, &tmp2);
	if (mpz_cmp_si(&tmp3, 1) != 0)
	    goto done_checks;

	/* Verify that q*iqmp is congruent to 1 mod p. */
	mpz_mul(&tmp, &st->q, &iqmp);
	mpz_mod(&tmp2, &tmp, &st->p);
	if (mpz_cmp_si(&tmp2, 1) != 0)
	    goto done_checks;
    }
    /* Now we know the key is valid (or we don't care). */
    valid = True;
    
    /*
     * Now we compute auxiliary values dp, dq and w to allow us
     * to use the CRT optimisation when signing.
     * 
     *   dp == d mod (p-1)      so that a^dp == a^d mod p, for all a
     *   dq == d mod (q-1)      similarly mod q
     *   w == iqmp * q          so that w == 0 mod q, and w == 1 mod p
     */
    mpz_init(&st->dp);
    mpz_init(&st->dq);
    mpz_init(&st->w);
    mpz_sub_ui(&tmp, &st->p, 1);
    mpz_mod(&st->dp, &d, &tmp);
    mpz_sub_ui(&tmp, &st->q, 1);
    mpz_mod(&st->dq, &d, &tmp);
    mpz_mul(&st->w, &iqmp, &st->q);
    
done_checks:
    if (!valid) {
	cfgfatal(loc,"rsa-private","file \"%s\" does not contain a "
		 "valid RSA key!\n",filename);
    }
    mpz_clear(&tmp);
    mpz_clear(&tmp2);
    mpz_clear(&tmp3);

    free(c);
    mpz_clear(&e);
    mpz_clear(&d);
    mpz_clear(&iqmp);

assume_valid:
    return new_closure(&st->cl);
}

void rsa_module(dict_t *dict)
{
    add_closure(dict,"rsa-private",rsapriv_apply);
    add_closure(dict,"rsa-public",rsapub_apply);
}
Commit	Line	Data
c215a4bc IJ	1	/*
	2	* rsa.c: implementation of RSA with PKCS#1 padding
	3	*/
	4	/*
	5	* This file is Free Software. It was originally written for secnet.
	6	*
	7	* Copyright 1995-2003 Stephen Early
	8	* Copyright 2002-2014 Ian Jackson
	9	* Copyright 2001 Simon Tatham
	10	* Copyright 2013 Mark Wooding
	11	*
	12	* You may redistribute secnet as a whole and/or modify it under the
	13	* terms of the GNU General Public License as published by the Free
	14	* Software Foundation; either version 3, or (at your option) any
	15	* later version.
	16	*
	17	* You may redistribute this file and/or modify it under the terms of
	18	* the GNU General Public License as published by the Free Software
	19	* Foundation; either version 2, or (at your option) any later
	20	* version.
	21	*
	22	* This software is distributed in the hope that it will be useful,
	23	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	24	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	25	* GNU General Public License for more details.
	26	*
	27	* You should have received a copy of the GNU General Public License
	28	* along with this software; if not, see
	29	* https://www.gnu.org/licenses/gpl.html.
	30	*/
3b83c932	31
fe5e9cc4	32
2fe58dfd	33	#include <stdio.h>
3b83c932	34	#include <string.h>
2fe58dfd SE	35	#include <gmp.h>
	36	#include "secnet.h"
	37	#include "util.h"
	38
	39	#define AUTHFILE_ID_STRING "SSH PRIVATE KEY FILE FORMAT 1.1\n"
	40
fe5e9cc4 SE	41	#define mpp(s,n) do { char *p = mpz_get_str(NULL,16,n); printf("%s 0x%sL\n", s, p); free(p); } while (0)
fe5e9cc4 SE	42
2fe58dfd SE	43	struct rsapriv {
	44	closure_t cl;
	45	struct rsaprivkey_if ops;
	46	struct cloc loc;
2fe58dfd	47	MP_INT n;
fe5e9cc4 SE	48	MP_INT p, dp;
	49	MP_INT q, dq;
	50	MP_INT w;
2fe58dfd SE	51	};
	52	struct rsapub {
	53	closure_t cl;
	54	struct rsapubkey_if ops;
	55	struct cloc loc;
	56	MP_INT e;
	57	MP_INT n;
	58	};
	59	/* Sign data. NB data must be smaller than modulus */
	60
9941ae2e MW	61	#define RSA_MAX_MODBYTES 2048
	62	/* The largest modulus I've seen is 15360 bits, which works out at 1920
	63	* bytes. Using keys this big is quite implausible, but it doesn't cost us
	64	* much to support them.
	65	*/
	66
fe5e9cc4	67	static const char *hexchars="0123456789abcdef";
2fe58dfd	68
2cd2cf05 MW	69	static void emsa_pkcs1(MP_INT n, MP_INT m,
2cd2cf05 MW	70	const uint8_t *data, int32_t datalen)
2fe58dfd	71	{
9941ae2e	72	char buff[2*RSA_MAX_MODBYTES + 1];
2fe58dfd	73	int msize, i;
2fe58dfd	74
3b83c932 SE	75	/* RSA PKCS#1 v1.5 signature padding:
	76	*
	77	* <------------ msize hex digits ---------->
	78	*
	79	* 00 01 ff ff .... ff ff 00 vv vv vv .... vv
	80	*
	81	* <--- datalen -->
	82	* bytes
	83	* = datalen*2 hex digits
	84	*
	85	* NB that according to PKCS#1 v1.5 we're supposed to include a
	86	* hash function OID in the data. We don't do that (because we
	87	* don't have the hash function OID to hand here), thus violating
	88	* the spec in a way that affects interop but not security.
	89	*
	90	* -iwj 17.9.2002
	91	*/
	92
2cd2cf05	93	msize=mpz_sizeinbase(n, 16);
2fe58dfd	94
3b83c932	95	if (datalen*2+6>=msize) {
4f5e39ec	96	fatal("rsa_sign: message too big");
3454dce4 SE	97	}
3454dce4 SE	98
2fe58dfd SE	99	strcpy(buff,"0001");
	100
	101	for (i=0; i<datalen; i++) {
3b83c932 SE	102	buff[msize+(-datalen+i)*2]=hexchars[(data[i]&0xf0)>>4];
3b83c932 SE	103	buff[msize+(-datalen+i)*2+1]=hexchars[data[i]&0xf];
2fe58dfd	104	}
3454dce4	105
3b83c932 SE	106	buff[msize-datalen*2-2]= '0';
	107	buff[msize-datalen*2-1]= '0';
	108
	109	for (i=4; i<msize-datalen*2-2; i++)
	110	buff[i]='f';
2fe58dfd SE	111
	112	buff[msize]=0;
	113
2cd2cf05 MW	114	mpz_set_str(m, buff, 16);
	115	}
	116
	117	static string_t rsa_sign(void sst, uint8_t data, int32_t datalen)
	118	{
	119	struct rsapriv *st=sst;
	120	MP_INT a, b, u, v, tmp, tmp2;
	121	string_t signature;
	122
	123	mpz_init(&a);
	124	mpz_init(&b);
	125
	126	/* Construct the message representative. */
	127	emsa_pkcs1(&st->n, &a, data, datalen);
2fe58dfd	128
fe5e9cc4 SE	129	/*
	130	* Produce an RSA signature (a^d mod n) using the Chinese
	131	* Remainder Theorem. We compute:
	132	*
	133	* u = a^dp mod p (== a^d mod p, since dp == d mod (p-1))
	134	* v = a^dq mod q (== a^d mod q, similarly)
	135	*
	136	* We also know w == iqmp * q, which has the property that w ==
	137	* 0 mod q and w == 1 mod p. So (1-w) has the reverse property
	138	* (congruent to 0 mod p and to 1 mod q). Hence we now compute
	139	*
	140	* b = w * u + (1-w) * v
	141	* = w * (u-v) + v
	142	*
	143	* so that b is congruent to a^d both mod p and mod q. Hence b,
	144	* reduced mod n, is the required signature.
	145	*/
	146	mpz_init(&tmp);
	147	mpz_init(&tmp2);
	148	mpz_init(&u);
	149	mpz_init(&v);
	150
	151	mpz_powm(&u, &a, &st->dp, &st->p);
	152	mpz_powm(&v, &a, &st->dq, &st->q);
	153	mpz_sub(&tmp, &u, &v);
	154	mpz_mul(&tmp2, &tmp, &st->w);
	155	mpz_add(&tmp, &tmp2, &v);
	156	mpz_mod(&b, &tmp, &st->n);
	157
	158	mpz_clear(&tmp);
	159	mpz_clear(&tmp2);
	160	mpz_clear(&u);
	161	mpz_clear(&v);
2fe58dfd SE	162
	163	signature=write_mpstring(&b);
	164
	165	mpz_clear(&b);
	166	mpz_clear(&a);
	167	return signature;
	168	}
	169
fe5e9cc4	170	static rsa_checksig_fn rsa_sig_check;
1caa23ff	171	static bool_t rsa_sig_check(void sst, uint8_t data, int32_t datalen,
fe5e9cc4	172	cstring_t signature)
2fe58dfd SE	173	{
	174	struct rsapub *st=sst;
	175	MP_INT a, b, c;
2fe58dfd SE	176	bool_t ok;
	177
	178	mpz_init(&a);
	179	mpz_init(&b);
	180	mpz_init(&c);
	181
2cd2cf05	182	emsa_pkcs1(&st->n, &a, data, datalen);
2fe58dfd SE	183
	184	mpz_set_str(&b, signature, 16);
	185
	186	mpz_powm(&c, &b, &st->e, &st->n);
	187
	188	ok=(mpz_cmp(&a, &c)==0);
	189
	190	mpz_clear(&c);
	191	mpz_clear(&b);
	192	mpz_clear(&a);
	193
	194	return ok;
	195	}
	196
	197	static list_t rsapub_apply(closure_t self, struct cloc loc, dict_t *context,
	198	list_t *args)
	199	{
	200	struct rsapub *st;
	201	item_t *i;
	202	string_t e,n;
	203
b7886fd4	204	NEW(st);
2fe58dfd SE	205	st->cl.description="rsapub";
	206	st->cl.type=CL_RSAPUBKEY;
	207	st->cl.apply=NULL;
	208	st->cl.interface=&st->ops;
	209	st->ops.st=st;
	210	st->ops.check=rsa_sig_check;
	211	st->loc=loc;
	212
	213	i=list_elem(args,0);
	214	if (i) {
	215	if (i->type!=t_string) {
39a6b1e2	216	cfgfatal(i->loc,"rsa-public","first argument must be a string\n");
2fe58dfd SE	217	}
	218	e=i->data.string;
	219	if (mpz_init_set_str(&st->e,e,10)!=0) {
	220	cfgfatal(i->loc,"rsa-public","encryption key \"%s\" is not a "
	221	"decimal number string\n",e);
	222	}
	223	} else {
	224	cfgfatal(loc,"rsa-public","you must provide an encryption key\n");
	225	}
f15aefe4 MW	226	if (mpz_sizeinbase(&st->e, 256) > RSA_MAX_MODBYTES) {
	227	cfgfatal(loc, "rsa-public", "implausibly large public exponent\n");
	228	}
2fe58dfd SE	229
	230	i=list_elem(args,1);
	231	if (i) {
	232	if (i->type!=t_string) {
39a6b1e2	233	cfgfatal(i->loc,"rsa-public","second argument must be a string\n");
2fe58dfd SE	234	}
	235	n=i->data.string;
	236	if (mpz_init_set_str(&st->n,n,10)!=0) {
	237	cfgfatal(i->loc,"rsa-public","modulus \"%s\" is not a decimal "
	238	"number string\n",n);
	239	}
	240	} else {
	241	cfgfatal(loc,"rsa-public","you must provide a modulus\n");
	242	}
f15aefe4 MW	243	if (mpz_sizeinbase(&st->n, 256) > RSA_MAX_MODBYTES) {
	244	cfgfatal(loc, "rsa-public", "implausibly large modulus\n");
	245	}
2fe58dfd SE	246	return new_closure(&st->cl);
	247	}
	248
4f5e39ec	249	static uint32_t keyfile_get_int(struct cloc loc, FILE *f)
2fe58dfd SE	250	{
	251	uint32_t r;
	252	r=fgetc(f)<<24;
	253	r\|=fgetc(f)<<16;
	254	r\|=fgetc(f)<<8;
	255	r\|=fgetc(f);
4f5e39ec	256	cfgfile_postreadcheck(loc,f);
2fe58dfd SE	257	return r;
	258	}
	259
4f5e39ec	260	static uint16_t keyfile_get_short(struct cloc loc, FILE *f)
2fe58dfd SE	261	{
	262	uint16_t r;
	263	r=fgetc(f)<<8;
	264	r\|=fgetc(f);
4f5e39ec	265	cfgfile_postreadcheck(loc,f);
2fe58dfd SE	266	return r;
	267	}
	268
	269	static list_t rsapriv_apply(closure_t self, struct cloc loc, dict_t *context,
	270	list_t *args)
	271	{
	272	struct rsapriv *st;
	273	FILE *f;
fe5e9cc4	274	cstring_t filename;
2fe58dfd SE	275	item_t *i;
	276	long length;
	277	uint8_t b, c;
	278	int cipher_type;
fe5e9cc4	279	MP_INT e,d,iqmp,tmp,tmp2,tmp3;
3b83c932	280	bool_t valid;
2fe58dfd	281
b7886fd4	282	NEW(st);
2fe58dfd SE	283	st->cl.description="rsapriv";
	284	st->cl.type=CL_RSAPRIVKEY;
	285	st->cl.apply=NULL;
	286	st->cl.interface=&st->ops;
	287	st->ops.st=st;
	288	st->ops.sign=rsa_sign;
	289	st->loc=loc;
	290
	291	/* Argument is filename pointing to SSH1 private key file */
	292	i=list_elem(args,0);
	293	if (i) {
	294	if (i->type!=t_string) {
39a6b1e2	295	cfgfatal(i->loc,"rsa-public","first argument must be a string\n");
2fe58dfd SE	296	}
	297	filename=i->data.string;
	298	} else {
fe5e9cc4	299	filename=NULL; /* Make compiler happy */
2fe58dfd SE	300	cfgfatal(loc,"rsa-private","you must provide a filename\n");
	301	}
	302
	303	f=fopen(filename,"rb");
	304	if (!f) {
baa06aeb SE	305	if (just_check_config) {
	306	Message(M_WARNING,"rsa-private (%s:%d): cannot open keyfile "
	307	"\"%s\"; assuming it's valid while we check the "
	308	"rest of the configuration\n",loc.file,loc.line,filename);
	309	goto assume_valid;
	310	} else {
	311	fatal_perror("rsa-private (%s:%d): cannot open file \"%s\"",
	312	loc.file,loc.line,filename);
	313	}
2fe58dfd SE	314	}
	315
	316	/* Check that the ID string is correct */
	317	length=strlen(AUTHFILE_ID_STRING)+1;
	318	b=safe_malloc(length,"rsapriv_apply");
	319	if (fread(b,length,1,f)!=1 \|\| memcmp(b,AUTHFILE_ID_STRING,length)!=0) {
4f5e39ec SE	320	cfgfatal_maybefile(f,loc,"rsa-private","failed to read magic ID"
	321	" string from SSH1 private keyfile \"%s\"\n",
	322	filename);
2fe58dfd SE	323	}
	324	free(b);
	325
	326	cipher_type=fgetc(f);
4f5e39ec	327	keyfile_get_int(loc,f); /* "Reserved data" */
2fe58dfd SE	328	if (cipher_type != 0) {
	329	cfgfatal(loc,"rsa-private","we don't support encrypted keyfiles\n");
	330	}
	331
	332	/* Read the public key */
4f5e39ec SE	333	keyfile_get_int(loc,f); /* Not sure what this is */
4f5e39ec SE	334	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	335	if (length>RSA_MAX_MODBYTES) {
2fe58dfd SE	336	cfgfatal(loc,"rsa-private","implausible length %ld for modulus\n",
	337	length);
	338	}
	339	b=safe_malloc(length,"rsapriv_apply");
	340	if (fread(b,length,1,f) != 1) {
39a6b1e2	341	cfgfatal_maybefile(f,loc,"rsa-private","error reading modulus\n");
2fe58dfd SE	342	}
	343	mpz_init(&st->n);
	344	read_mpbin(&st->n,b,length);
	345	free(b);
4f5e39ec	346	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	347	if (length>RSA_MAX_MODBYTES) {
2fe58dfd SE	348	cfgfatal(loc,"rsa-private","implausible length %ld for e\n",length);
	349	}
	350	b=safe_malloc(length,"rsapriv_apply");
	351	if (fread(b,length,1,f)!=1) {
4f5e39ec	352	cfgfatal_maybefile(f,loc,"rsa-private","error reading e\n");
2fe58dfd SE	353	}
	354	mpz_init(&e);
	355	read_mpbin(&e,b,length);
	356	free(b);
	357
4f5e39ec	358	length=keyfile_get_int(loc,f);
2fe58dfd SE	359	if (length>1024) {
	360	cfgfatal(loc,"rsa-private","implausibly long (%ld) key comment\n",
	361	length);
	362	}
	363	c=safe_malloc(length+1,"rsapriv_apply");
	364	if (fread(c,length,1,f)!=1) {
4f5e39ec	365	cfgfatal_maybefile(f,loc,"rsa-private","error reading key comment\n");
2fe58dfd SE	366	}
	367	c[length]=0;
	368
	369	/* Check that the next two pairs of characters are identical - the
	370	keyfile is not encrypted, so they should be */
4f5e39ec SE	371
4f5e39ec SE	372	if (keyfile_get_short(loc,f) != keyfile_get_short(loc,f)) {
2fe58dfd SE	373	cfgfatal(loc,"rsa-private","corrupt keyfile\n");
	374	}
	375
	376	/* Read d */
4f5e39ec	377	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	378	if (length>RSA_MAX_MODBYTES) {
2fe58dfd SE	379	cfgfatal(loc,"rsa-private","implausibly long (%ld) decryption key\n",
	380	length);
	381	}
	382	b=safe_malloc(length,"rsapriv_apply");
	383	if (fread(b,length,1,f)!=1) {
4f5e39ec SE	384	cfgfatal_maybefile(f,loc,"rsa-private",
4f5e39ec SE	385	"error reading decryption key\n");
2fe58dfd	386	}
fe5e9cc4 SE	387	mpz_init(&d);
	388	read_mpbin(&d,b,length);
	389	free(b);
	390	/* Read iqmp (inverse of q mod p) */
	391	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	392	if (length>RSA_MAX_MODBYTES) {
fe5e9cc4 SE	393	cfgfatal(loc,"rsa-private","implausibly long (%ld)"
	394	" iqmp auxiliary value\n", length);
	395	}
	396	b=safe_malloc(length,"rsapriv_apply");
	397	if (fread(b,length,1,f)!=1) {
	398	cfgfatal_maybefile(f,loc,"rsa-private",
	399	"error reading decryption key\n");
	400	}
	401	mpz_init(&iqmp);
	402	read_mpbin(&iqmp,b,length);
	403	free(b);
	404	/* Read q (the smaller of the two primes) */
	405	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	406	if (length>RSA_MAX_MODBYTES) {
fe5e9cc4 SE	407	cfgfatal(loc,"rsa-private","implausibly long (%ld) q value\n",
	408	length);
	409	}
	410	b=safe_malloc(length,"rsapriv_apply");
	411	if (fread(b,length,1,f)!=1) {
	412	cfgfatal_maybefile(f,loc,"rsa-private",
	413	"error reading q value\n");
	414	}
	415	mpz_init(&st->q);
	416	read_mpbin(&st->q,b,length);
	417	free(b);
	418	/* Read p (the larger of the two primes) */
	419	length=(keyfile_get_short(loc,f)+7)/8;
9941ae2e	420	if (length>RSA_MAX_MODBYTES) {
fe5e9cc4 SE	421	cfgfatal(loc,"rsa-private","implausibly long (%ld) p value\n",
	422	length);
	423	}
	424	b=safe_malloc(length,"rsapriv_apply");
	425	if (fread(b,length,1,f)!=1) {
	426	cfgfatal_maybefile(f,loc,"rsa-private",
	427	"error reading p value\n");
	428	}
	429	mpz_init(&st->p);
	430	read_mpbin(&st->p,b,length);
2fe58dfd SE	431	free(b);
	432
	433	if (fclose(f)!=0) {
	434	fatal_perror("rsa-private (%s:%d): fclose",loc.file,loc.line);
	435	}
	436
fe5e9cc4 SE	437	/*
	438	* Now verify the validity of the key, and set up the auxiliary
	439	* values for fast CRT signing.
	440	*/
3b83c932	441	valid=False;
70dc107b	442	i=list_elem(args,1);
3b83c932 SE	443	mpz_init(&tmp);
	444	mpz_init(&tmp2);
	445	mpz_init(&tmp3);
70dc107b SE	446	if (i && i->type==t_bool && i->data.bool==False) {
	447	Message(M_INFO,"rsa-private (%s:%d): skipping RSA key validity "
	448	"check\n",loc.file,loc.line);
	449	} else {
fe5e9cc4 SE	450	/* Verify that pq is equal to n. /
	451	mpz_mul(&tmp, &st->p, &st->q);
	452	if (mpz_cmp(&tmp, &st->n) != 0)
	453	goto done_checks;
	454
	455	/*
	456	* Verify that d*e is congruent to 1 mod (p-1), and mod
	457	* (q-1). This is equivalent to it being congruent to 1 mod
104e8e74 MW	458	* lambda(n) = lcm(p-1,q-1). The usual `textbook' condition,
	459	* that d e == 1 (mod (p-1)(q-1)) is sufficient, but not
	460	* actually necessary.
fe5e9cc4 SE	461	*/
	462	mpz_mul(&tmp, &d, &e);
	463	mpz_sub_ui(&tmp2, &st->p, 1);
	464	mpz_mod(&tmp3, &tmp, &tmp2);
	465	if (mpz_cmp_si(&tmp3, 1) != 0)
	466	goto done_checks;
	467	mpz_sub_ui(&tmp2, &st->q, 1);
	468	mpz_mod(&tmp3, &tmp, &tmp2);
	469	if (mpz_cmp_si(&tmp3, 1) != 0)
	470	goto done_checks;
	471
	472	/* Verify that qiqmp is congruent to 1 mod p. /
	473	mpz_mul(&tmp, &st->q, &iqmp);
	474	mpz_mod(&tmp2, &tmp, &st->p);
	475	if (mpz_cmp_si(&tmp2, 1) != 0)
	476	goto done_checks;
2fe58dfd	477	}
3b83c932 SE	478	/* Now we know the key is valid (or we don't care). */
	479	valid = True;
	480
	481	/*
	482	* Now we compute auxiliary values dp, dq and w to allow us
	483	* to use the CRT optimisation when signing.
	484	*
	485	* dp == d mod (p-1) so that a^dp == a^d mod p, for all a
	486	* dq == d mod (q-1) similarly mod q
	487	* w == iqmp * q so that w == 0 mod q, and w == 1 mod p
	488	*/
	489	mpz_init(&st->dp);
	490	mpz_init(&st->dq);
	491	mpz_init(&st->w);
	492	mpz_sub_ui(&tmp, &st->p, 1);
	493	mpz_mod(&st->dp, &d, &tmp);
	494	mpz_sub_ui(&tmp, &st->q, 1);
	495	mpz_mod(&st->dq, &d, &tmp);
	496	mpz_mul(&st->w, &iqmp, &st->q);
	497
	498	done_checks:
	499	if (!valid) {
	500	cfgfatal(loc,"rsa-private","file \"%s\" does not contain a "
	501	"valid RSA key!\n",filename);
	502	}
	503	mpz_clear(&tmp);
	504	mpz_clear(&tmp2);
	505	mpz_clear(&tmp3);
2fe58dfd SE	506
	507	free(c);
	508	mpz_clear(&e);
fe5e9cc4 SE	509	mpz_clear(&d);
fe5e9cc4 SE	510	mpz_clear(&iqmp);
2fe58dfd	511
baa06aeb	512	assume_valid:
2fe58dfd SE	513	return new_closure(&st->cl);
	514	}
	515
2fe58dfd SE	516	void rsa_module(dict_t *dict)
	517	{
	518	add_closure(dict,"rsa-private",rsapriv_apply);
	519	add_closure(dict,"rsa-public",rsapub_apply);
	520	}