[sgt/putty] / sshrsa.c

/*
 * RSA implementation just sufficient for ssh client-side
 * initialisation step
 *
 * Rewritten for more speed by Joris van Rantwijk, Jun 1999.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>

#include "ssh.h"
#include "misc.h"

#define GET_32BIT(cp) \
    (((unsigned long)(unsigned char)(cp)[0] << 24) | \
    ((unsigned long)(unsigned char)(cp)[1] << 16) | \
    ((unsigned long)(unsigned char)(cp)[2] << 8) | \
    ((unsigned long)(unsigned char)(cp)[3]))

#define PUT_32BIT(cp, value) { \
    (cp)[0] = (unsigned char)((value) >> 24); \
    (cp)[1] = (unsigned char)((value) >> 16); \
    (cp)[2] = (unsigned char)((value) >> 8); \
    (cp)[3] = (unsigned char)(value); }

int makekey(unsigned char *data, struct RSAKey *result,
	    unsigned char **keystr, int order)
{
    unsigned char *p = data;
    int i;

    if (result) {
	result->bits = 0;
	for (i = 0; i < 4; i++)
	    result->bits = (result->bits << 8) + *p++;
    } else
	p += 4;

    /*
     * order=0 means exponent then modulus (the keys sent by the
     * server). order=1 means modulus then exponent (the keys
     * stored in a keyfile).
     */

    if (order == 0)
	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
    if (result)
	result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
    if (keystr)
	*keystr = p + 2;
    p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
    if (order == 1)
	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);

    return p - data;
}

int makeprivate(unsigned char *data, struct RSAKey *result)
{
    return ssh1_read_bignum(data, &result->private_exponent);
}

void rsaencrypt(unsigned char *data, int length, struct RSAKey *key)
{
    Bignum b1, b2;
    int i;
    unsigned char *p;

    memmove(data + key->bytes - length, data, length);
    data[0] = 0;
    data[1] = 2;

    for (i = 2; i < key->bytes - length - 1; i++) {
	do {
	    data[i] = random_byte();
	} while (data[i] == 0);
    }
    data[key->bytes - length - 1] = 0;

    b1 = bignum_from_bytes(data, key->bytes);

    b2 = modpow(b1, key->exponent, key->modulus);

    p = data;
    for (i = key->bytes; i--;) {
	*p++ = bignum_byte(b2, i);
    }

    freebn(b1);
    freebn(b2);
}

Bignum rsadecrypt(Bignum input, struct RSAKey *key)
{
    Bignum ret;
    ret = modpow(input, key->private_exponent, key->modulus);
    return ret;
}

int rsastr_len(struct RSAKey *key)
{
    Bignum md, ex;
    int mdlen, exlen;

    md = key->modulus;
    ex = key->exponent;
    mdlen = (bignum_bitcount(md) + 15) / 16;
    exlen = (bignum_bitcount(ex) + 15) / 16;
    return 4 * (mdlen + exlen) + 20;
}

void rsastr_fmt(char *str, struct RSAKey *key)
{
    Bignum md, ex;
    int len = 0, i, nibbles;
    static const char hex[] = "0123456789abcdef";

    md = key->modulus;
    ex = key->exponent;

    len += sprintf(str + len, "0x");

    nibbles = (3 + bignum_bitcount(ex)) / 4;
    if (nibbles < 1)
	nibbles = 1;
    for (i = nibbles; i--;)
	str[len++] = hex[(bignum_byte(ex, i / 2) >> (4 * (i % 2))) & 0xF];

    len += sprintf(str + len, ",0x");

    nibbles = (3 + bignum_bitcount(md)) / 4;
    if (nibbles < 1)
	nibbles = 1;
    for (i = nibbles; i--;)
	str[len++] = hex[(bignum_byte(md, i / 2) >> (4 * (i % 2))) & 0xF];

    str[len] = '\0';
}

/*
 * Generate a fingerprint string for the key. Compatible with the
 * OpenSSH fingerprint code.
 */
void rsa_fingerprint(char *str, int len, struct RSAKey *key)
{
    struct MD5Context md5c;
    unsigned char digest[16];
    char buffer[16 * 3 + 40];
    int numlen, slen, i;

    MD5Init(&md5c);
    numlen = ssh1_bignum_length(key->modulus) - 2;
    for (i = numlen; i--;) {
	unsigned char c = bignum_byte(key->modulus, i);
	MD5Update(&md5c, &c, 1);
    }
    numlen = ssh1_bignum_length(key->exponent) - 2;
    for (i = numlen; i--;) {
	unsigned char c = bignum_byte(key->exponent, i);
	MD5Update(&md5c, &c, 1);
    }
    MD5Final(digest, &md5c);

    sprintf(buffer, "%d ", bignum_bitcount(key->modulus));
    for (i = 0; i < 16; i++)
	sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
		digest[i]);
    strncpy(str, buffer, len);
    str[len - 1] = '\0';
    slen = strlen(str);
    if (key->comment && slen < len - 1) {
	str[slen] = ' ';
	strncpy(str + slen + 1, key->comment, len - slen - 1);
	str[len - 1] = '\0';
    }
}

/*
 * Verify that the public data in an RSA key matches the private
 * data. We also check the private data itself: we ensure that p >
 * q and that iqmp really is the inverse of q mod p.
 */
int rsa_verify(struct RSAKey *key)
{
    Bignum n, ed, pm1, qm1;
    int cmp;

    /* n must equal pq. */
    n = bigmul(key->p, key->q);
    cmp = bignum_cmp(n, key->modulus);
    freebn(n);
    if (cmp != 0)
	return 0;

    /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
    pm1 = copybn(key->p);
    decbn(pm1);
    ed = modmul(key->exponent, key->private_exponent, pm1);
    cmp = bignum_cmp(ed, One);
    sfree(ed);
    if (cmp != 0)
	return 0;

    qm1 = copybn(key->q);
    decbn(qm1);
    ed = modmul(key->exponent, key->private_exponent, qm1);
    cmp = bignum_cmp(ed, One);
    sfree(ed);
    if (cmp != 0)
	return 0;

    /*
     * Ensure p > q.
     */
    if (bignum_cmp(key->p, key->q) <= 0)
	return 0;

    /*
     * Ensure iqmp * q is congruent to 1, modulo p.
     */
    n = modmul(key->iqmp, key->q, key->p);
    cmp = bignum_cmp(n, One);
    sfree(n);
    if (cmp != 0)
	return 0;

    return 1;
}

/* Public key blob as used by Pageant: exponent before modulus. */
unsigned char *rsa_public_blob(struct RSAKey *key, int *len)
{
    int length, pos;
    unsigned char *ret;

    length = (ssh1_bignum_length(key->modulus) +
	      ssh1_bignum_length(key->exponent) + 4);
    ret = smalloc(length);

    PUT_32BIT(ret, bignum_bitcount(key->modulus));
    pos = 4;
    pos += ssh1_write_bignum(ret + pos, key->exponent);
    pos += ssh1_write_bignum(ret + pos, key->modulus);

    *len = length;
    return ret;
}

/* Given a public blob, determine its length. */
int rsa_public_blob_len(void *data)
{
    unsigned char *p = (unsigned char *)data;
    int ret;

    p += 4;			       /* length word */
    p += ssh1_read_bignum(p, NULL);    /* exponent */
    p += ssh1_read_bignum(p, NULL);    /* modulus */

    return p - (unsigned char *)data;
}

void freersakey(struct RSAKey *key)
{
    if (key->modulus)
	freebn(key->modulus);
    if (key->exponent)
	freebn(key->exponent);
    if (key->private_exponent)
	freebn(key->private_exponent);
    if (key->comment)
	sfree(key->comment);
}

/* ----------------------------------------------------------------------
 * Implementation of the ssh-rsa signing key type. 
 */

static void getstring(char **data, int *datalen, char **p, int *length)
{
    *p = NULL;
    if (*datalen < 4)
	return;
    *length = GET_32BIT(*data);
    *datalen -= 4;
    *data += 4;
    if (*datalen < *length)
	return;
    *p = *data;
    *data += *length;
    *datalen -= *length;
}
static Bignum getmp(char **data, int *datalen)
{
    char *p;
    int length;
    Bignum b;

    getstring(data, datalen, &p, &length);
    if (!p)
	return NULL;
    b = bignum_from_bytes(p, length);
    return b;
}

static void *rsa2_newkey(char *data, int len)
{
    char *p;
    int slen;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa)
	return NULL;
    getstring(&data, &len, &p, &slen);

    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
	sfree(rsa);
	return NULL;
    }
    rsa->exponent = getmp(&data, &len);
    rsa->modulus = getmp(&data, &len);
    rsa->private_exponent = NULL;
    rsa->comment = NULL;

    return rsa;
}

static void rsa2_freekey(void *key)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    freersakey(rsa);
    sfree(rsa);
}

static char *rsa2_fmtkey(void *key)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    char *p;
    int len;

    len = rsastr_len(rsa);
    p = smalloc(len);
    rsastr_fmt(p, rsa);
    return p;
}

static unsigned char *rsa2_public_blob(void *key, int *len)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    int elen, mlen, bloblen;
    int i;
    unsigned char *blob, *p;

    elen = (bignum_bitcount(rsa->exponent) + 8) / 8;
    mlen = (bignum_bitcount(rsa->modulus) + 8) / 8;

    /*
     * string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
     * (three length fields, 12+7=19).
     */
    bloblen = 19 + elen + mlen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, 7);
    p += 4;
    memcpy(p, "ssh-rsa", 7);
    p += 7;
    PUT_32BIT(p, elen);
    p += 4;
    for (i = elen; i--;)
	*p++ = bignum_byte(rsa->exponent, i);
    PUT_32BIT(p, mlen);
    p += 4;
    for (i = mlen; i--;)
	*p++ = bignum_byte(rsa->modulus, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static unsigned char *rsa2_private_blob(void *key, int *len)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    int dlen, plen, qlen, ulen, bloblen;
    int i;
    unsigned char *blob, *p;

    dlen = (bignum_bitcount(rsa->private_exponent) + 8) / 8;
    plen = (bignum_bitcount(rsa->p) + 8) / 8;
    qlen = (bignum_bitcount(rsa->q) + 8) / 8;
    ulen = (bignum_bitcount(rsa->iqmp) + 8) / 8;

    /*
     * mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
     * sum of lengths.
     */
    bloblen = 16 + dlen + plen + qlen + ulen;
    blob = smalloc(bloblen);
    p = blob;
    PUT_32BIT(p, dlen);
    p += 4;
    for (i = dlen; i--;)
	*p++ = bignum_byte(rsa->private_exponent, i);
    PUT_32BIT(p, plen);
    p += 4;
    for (i = plen; i--;)
	*p++ = bignum_byte(rsa->p, i);
    PUT_32BIT(p, qlen);
    p += 4;
    for (i = qlen; i--;)
	*p++ = bignum_byte(rsa->q, i);
    PUT_32BIT(p, ulen);
    p += 4;
    for (i = ulen; i--;)
	*p++ = bignum_byte(rsa->iqmp, i);
    assert(p == blob + bloblen);
    *len = bloblen;
    return blob;
}

static void *rsa2_createkey(unsigned char *pub_blob, int pub_len,
			    unsigned char *priv_blob, int priv_len)
{
    struct RSAKey *rsa;
    char *pb = (char *) priv_blob;

    rsa = rsa2_newkey((char *) pub_blob, pub_len);
    rsa->private_exponent = getmp(&pb, &priv_len);
    rsa->p = getmp(&pb, &priv_len);
    rsa->q = getmp(&pb, &priv_len);
    rsa->iqmp = getmp(&pb, &priv_len);

    if (!rsa_verify(rsa)) {
	rsa2_freekey(rsa);
	return NULL;
    }

    return rsa;
}

static void *rsa2_openssh_createkey(unsigned char **blob, int *len)
{
    char **b = (char **) blob;
    struct RSAKey *rsa;

    rsa = smalloc(sizeof(struct RSAKey));
    if (!rsa)
	return NULL;
    rsa->comment = NULL;

    rsa->modulus = getmp(b, len);
    rsa->exponent = getmp(b, len);
    rsa->private_exponent = getmp(b, len);
    rsa->iqmp = getmp(b, len);
    rsa->p = getmp(b, len);
    rsa->q = getmp(b, len);

    if (!rsa->modulus || !rsa->exponent || !rsa->private_exponent ||
	!rsa->iqmp || !rsa->p || !rsa->q) {
	sfree(rsa->modulus);
	sfree(rsa->exponent);
	sfree(rsa->private_exponent);
	sfree(rsa->iqmp);
	sfree(rsa->p);
	sfree(rsa->q);
	sfree(rsa);
	return NULL;
    }

    return rsa;
}

static int rsa2_openssh_fmtkey(void *key, unsigned char *blob, int len)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    int bloblen, i;

    bloblen =
	ssh2_bignum_length(rsa->modulus) +
	ssh2_bignum_length(rsa->exponent) +
	ssh2_bignum_length(rsa->private_exponent) +
	ssh2_bignum_length(rsa->iqmp) +
	ssh2_bignum_length(rsa->p) + ssh2_bignum_length(rsa->q);

    if (bloblen > len)
	return bloblen;

    bloblen = 0;
#define ENC(x) \
    PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
    for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
    ENC(rsa->modulus);
    ENC(rsa->exponent);
    ENC(rsa->private_exponent);
    ENC(rsa->iqmp);
    ENC(rsa->p);
    ENC(rsa->q);

    return bloblen;
}

static char *rsa2_fingerprint(void *key)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    struct MD5Context md5c;
    unsigned char digest[16], lenbuf[4];
    char buffer[16 * 3 + 40];
    char *ret;
    int numlen, i;

    MD5Init(&md5c);
    MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);

#define ADD_BIGNUM(bignum) \
    numlen = (bignum_bitcount(bignum)+8)/8; \
    PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
    for (i = numlen; i-- ;) { \
        unsigned char c = bignum_byte(bignum, i); \
        MD5Update(&md5c, &c, 1); \
    }
    ADD_BIGNUM(rsa->exponent);
    ADD_BIGNUM(rsa->modulus);
#undef ADD_BIGNUM

    MD5Final(digest, &md5c);

    sprintf(buffer, "ssh-rsa %d ", bignum_bitcount(rsa->modulus));
    for (i = 0; i < 16; i++)
	sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
		digest[i]);
    ret = smalloc(strlen(buffer) + 1);
    if (ret)
	strcpy(ret, buffer);
    return ret;
}

/*
 * This is the magic ASN.1/DER prefix that goes in the decoded
 * signature, between the string of FFs and the actual SHA hash
 * value. The meaning of it is:
 * 
 * 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
 * 
 * 30 21 -- a constructed SEQUENCE of length 0x21
 *    30 09 -- a constructed sub-SEQUENCE of length 9
 *       06 05 -- an object identifier, length 5
 *          2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
 *                            (the 1,3 comes from 0x2B = 43 = 40*1+3)
 *       05 00 -- NULL
 *    04 14 -- a primitive OCTET STRING of length 0x14
 *       [0x14 bytes of hash data follows]
 * 
 * The object id in the middle there is listed as `id-sha1' in
 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
 * ASN module for PKCS #1) and its expanded form is as follows:
 * 
 * id-sha1                OBJECT IDENTIFIER ::= {
 *    iso(1) identified-organization(3) oiw(14) secsig(3)
 *    algorithms(2) 26 }
 */
static unsigned char asn1_weird_stuff[] = {
    0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
    0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14,
};

#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )

static int rsa2_verifysig(void *key, char *sig, int siglen,
			  char *data, int datalen)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    Bignum in, out;
    char *p;
    int slen;
    int bytes, i, j, ret;
    unsigned char hash[20];

    getstring(&sig, &siglen, &p, &slen);
    if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
	return 0;
    }
    in = getmp(&sig, &siglen);
    out = modpow(in, rsa->exponent, rsa->modulus);
    freebn(in);

    ret = 1;

    bytes = bignum_bitcount(rsa->modulus) / 8;
    /* Top (partial) byte should be zero. */
    if (bignum_byte(out, bytes - 1) != 0)
	ret = 0;
    /* First whole byte should be 1. */
    if (bignum_byte(out, bytes - 2) != 1)
	ret = 0;
    /* Most of the rest should be FF. */
    for (i = bytes - 3; i >= 20 + ASN1_LEN; i--) {
	if (bignum_byte(out, i) != 0xFF)
	    ret = 0;
    }
    /* Then we expect to see the asn1_weird_stuff. */
    for (i = 20 + ASN1_LEN - 1, j = 0; i >= 20; i--, j++) {
	if (bignum_byte(out, i) != asn1_weird_stuff[j])
	    ret = 0;
    }
    /* Finally, we expect to see the SHA-1 hash of the signed data. */
    SHA_Simple(data, datalen, hash);
    for (i = 19, j = 0; i >= 0; i--, j++) {
	if (bignum_byte(out, i) != hash[j])
	    ret = 0;
    }

    return ret;
}

unsigned char *rsa2_sign(void *key, char *data, int datalen, int *siglen)
{
    struct RSAKey *rsa = (struct RSAKey *) key;
    unsigned char *bytes;
    int nbytes;
    unsigned char hash[20];
    Bignum in, out;
    int i, j;

    SHA_Simple(data, datalen, hash);

    nbytes = (bignum_bitcount(rsa->modulus) - 1) / 8;
    bytes = smalloc(nbytes);

    bytes[0] = 1;
    for (i = 1; i < nbytes - 20 - ASN1_LEN; i++)
	bytes[i] = 0xFF;
    for (i = nbytes - 20 - ASN1_LEN, j = 0; i < nbytes - 20; i++, j++)
	bytes[i] = asn1_weird_stuff[j];
    for (i = nbytes - 20, j = 0; i < nbytes; i++, j++)
	bytes[i] = hash[j];

    in = bignum_from_bytes(bytes, nbytes);
    sfree(bytes);

    out = modpow(in, rsa->private_exponent, rsa->modulus);
    freebn(in);

    nbytes = (bignum_bitcount(out) + 7) / 8;
    bytes = smalloc(4 + 7 + 4 + nbytes);
    PUT_32BIT(bytes, 7);
    memcpy(bytes + 4, "ssh-rsa", 7);
    PUT_32BIT(bytes + 4 + 7, nbytes);
    for (i = 0; i < nbytes; i++)
	bytes[4 + 7 + 4 + i] = bignum_byte(out, nbytes - 1 - i);
    freebn(out);

    *siglen = 4 + 7 + 4 + nbytes;
    return bytes;
}

const struct ssh_signkey ssh_rsa = {
    rsa2_newkey,
    rsa2_freekey,
    rsa2_fmtkey,
    rsa2_public_blob,
    rsa2_private_blob,
    rsa2_createkey,
    rsa2_openssh_createkey,
    rsa2_openssh_fmtkey,
    rsa2_fingerprint,
    rsa2_verifysig,
    rsa2_sign,
    "ssh-rsa",
    "rsa2"
};
Commit	Line	Data
374330e2	1	/*
	2	* RSA implementation just sufficient for ssh client-side
	3	* initialisation step
4644b0ce	4	*
4644b0ce	5	* Rewritten for more speed by Joris van Rantwijk, Jun 1999.
374330e2	6	*/
374330e2	7
374330e2	8	#include <stdio.h>
	9	#include <stdlib.h>
	10	#include <string.h>
65a22376	11	#include <assert.h>
374330e2	12
e5574168	13	#include "ssh.h"
8365990c	14	#include "misc.h"
374330e2	15
3f2d010c	16	#define GET_32BIT(cp) \
	17	(((unsigned long)(unsigned char)(cp)[0] << 24) \| \
	18	((unsigned long)(unsigned char)(cp)[1] << 16) \| \
	19	((unsigned long)(unsigned char)(cp)[2] << 8) \| \
	20	((unsigned long)(unsigned char)(cp)[3]))
	21
	22	#define PUT_32BIT(cp, value) { \
	23	(cp)[0] = (unsigned char)((value) >> 24); \
	24	(cp)[1] = (unsigned char)((value) >> 16); \
	25	(cp)[2] = (unsigned char)((value) >> 8); \
	26	(cp)[3] = (unsigned char)(value); }
1c2a93c4	27
374330e2	28	int makekey(unsigned char data, struct RSAKey result,
32874aea	29	unsigned char **keystr, int order)
32874aea	30	{
374330e2	31	unsigned char *p = data;
7cca0d81	32	int i;
374330e2	33
a52f067e	34	if (result) {
32874aea	35	result->bits = 0;
	36	for (i = 0; i < 4; i++)
	37	result->bits = (result->bits << 8) + *p++;
a52f067e	38	} else
32874aea	39	p += 4;
374330e2	40
7cca0d81	41	/*
	42	* order=0 means exponent then modulus (the keys sent by the
	43	* server). order=1 means modulus then exponent (the keys
	44	* stored in a keyfile).
	45	*/
374330e2	46
7cca0d81	47	if (order == 0)
32874aea	48	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
a52f067e	49	if (result)
32874aea	50	result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
	51	if (keystr)
	52	*keystr = p + 2;
a52f067e	53	p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
7cca0d81	54	if (order == 1)
32874aea	55	p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
374330e2	56
	57	return p - data;
	58	}
	59
32874aea	60	int makeprivate(unsigned char data, struct RSAKey result)
32874aea	61	{
7cca0d81	62	return ssh1_read_bignum(data, &result->private_exponent);
	63	}
	64
32874aea	65	void rsaencrypt(unsigned char data, int length, struct RSAKey key)
32874aea	66	{
374330e2	67	Bignum b1, b2;
3709bfe9	68	int i;
374330e2	69	unsigned char *p;
374330e2	70
32874aea	71	memmove(data + key->bytes - length, data, length);
374330e2	72	data[0] = 0;
	73	data[1] = 2;
	74
32874aea	75	for (i = 2; i < key->bytes - length - 1; i++) {
374330e2	76	do {
	77	data[i] = random_byte();
	78	} while (data[i] == 0);
	79	}
32874aea	80	data[key->bytes - length - 1] = 0;
374330e2	81
3709bfe9	82	b1 = bignum_from_bytes(data, key->bytes);
374330e2	83
59600f67	84	b2 = modpow(b1, key->exponent, key->modulus);
374330e2	85
374330e2	86	p = data;
32874aea	87	for (i = key->bytes; i--;) {
32874aea	88	*p++ = bignum_byte(b2, i);
374330e2	89	}
	90
	91	freebn(b1);
	92	freebn(b2);
	93	}
	94
32874aea	95	Bignum rsadecrypt(Bignum input, struct RSAKey *key)
32874aea	96	{
7cca0d81	97	Bignum ret;
59600f67	98	ret = modpow(input, key->private_exponent, key->modulus);
7cca0d81	99	return ret;
	100	}
	101
32874aea	102	int rsastr_len(struct RSAKey *key)
32874aea	103	{
374330e2	104	Bignum md, ex;
3709bfe9	105	int mdlen, exlen;
374330e2	106
	107	md = key->modulus;
	108	ex = key->exponent;
32874aea	109	mdlen = (bignum_bitcount(md) + 15) / 16;
	110	exlen = (bignum_bitcount(ex) + 15) / 16;
	111	return 4 * (mdlen + exlen) + 20;
374330e2	112	}
374330e2	113
32874aea	114	void rsastr_fmt(char str, struct RSAKey key)
32874aea	115	{
374330e2	116	Bignum md, ex;
d5859615	117	int len = 0, i, nibbles;
d5859615	118	static const char hex[] = "0123456789abcdef";
374330e2	119
	120	md = key->modulus;
	121	ex = key->exponent;
	122
32874aea	123	len += sprintf(str + len, "0x");
d5859615	124
32874aea	125	nibbles = (3 + bignum_bitcount(ex)) / 4;
	126	if (nibbles < 1)
	127	nibbles = 1;
	128	for (i = nibbles; i--;)
	129	str[len++] = hex[(bignum_byte(ex, i / 2) >> (4 * (i % 2))) & 0xF];
d5859615	130
32874aea	131	len += sprintf(str + len, ",0x");
d5859615	132
32874aea	133	nibbles = (3 + bignum_bitcount(md)) / 4;
	134	if (nibbles < 1)
	135	nibbles = 1;
	136	for (i = nibbles; i--;)
	137	str[len++] = hex[(bignum_byte(md, i / 2) >> (4 * (i % 2))) & 0xF];
d5859615	138
374330e2	139	str[len] = '\0';
	140	}
	141
1c2a93c4	142	/*
	143	* Generate a fingerprint string for the key. Compatible with the
	144	* OpenSSH fingerprint code.
	145	*/
32874aea	146	void rsa_fingerprint(char str, int len, struct RSAKey key)
32874aea	147	{
1c2a93c4	148	struct MD5Context md5c;
1c2a93c4	149	unsigned char digest[16];
32874aea	150	char buffer[16 * 3 + 40];
1c2a93c4	151	int numlen, slen, i;
	152
	153	MD5Init(&md5c);
	154	numlen = ssh1_bignum_length(key->modulus) - 2;
32874aea	155	for (i = numlen; i--;) {
	156	unsigned char c = bignum_byte(key->modulus, i);
	157	MD5Update(&md5c, &c, 1);
1c2a93c4	158	}
1c2a93c4	159	numlen = ssh1_bignum_length(key->exponent) - 2;
32874aea	160	for (i = numlen; i--;) {
	161	unsigned char c = bignum_byte(key->exponent, i);
	162	MD5Update(&md5c, &c, 1);
1c2a93c4	163	}
	164	MD5Final(digest, &md5c);
	165
ddecd643	166	sprintf(buffer, "%d ", bignum_bitcount(key->modulus));
1c2a93c4	167	for (i = 0; i < 16; i++)
32874aea	168	sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
	169	digest[i]);
	170	strncpy(str, buffer, len);
	171	str[len - 1] = '\0';
1c2a93c4	172	slen = strlen(str);
32874aea	173	if (key->comment && slen < len - 1) {
	174	str[slen] = ' ';
	175	strncpy(str + slen + 1, key->comment, len - slen - 1);
	176	str[len - 1] = '\0';
1c2a93c4	177	}
	178	}
	179
98f022f5	180	/*
98f022f5	181	* Verify that the public data in an RSA key matches the private
60fe6ff7	182	* data. We also check the private data itself: we ensure that p >
60fe6ff7	183	* q and that iqmp really is the inverse of q mod p.
98f022f5	184	*/
32874aea	185	int rsa_verify(struct RSAKey *key)
32874aea	186	{
60fe6ff7	187	Bignum n, ed, pm1, qm1;
98f022f5	188	int cmp;
	189
	190	/* n must equal pq. */
	191	n = bigmul(key->p, key->q);
	192	cmp = bignum_cmp(n, key->modulus);
	193	freebn(n);
	194	if (cmp != 0)
	195	return 0;
	196
60fe6ff7	197	/* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
98f022f5	198	pm1 = copybn(key->p);
98f022f5	199	decbn(pm1);
60fe6ff7	200	ed = modmul(key->exponent, key->private_exponent, pm1);
	201	cmp = bignum_cmp(ed, One);
	202	sfree(ed);
	203	if (cmp != 0)
	204	return 0;
	205
98f022f5	206	qm1 = copybn(key->q);
98f022f5	207	decbn(qm1);
60fe6ff7	208	ed = modmul(key->exponent, key->private_exponent, qm1);
98f022f5	209	cmp = bignum_cmp(ed, One);
	210	sfree(ed);
	211	if (cmp != 0)
	212	return 0;
014970c8	213
60fe6ff7	214	/*
	215	* Ensure p > q.
	216	*/
	217	if (bignum_cmp(key->p, key->q) <= 0)
32874aea	218	return 0;
60fe6ff7	219
	220	/*
	221	* Ensure iqmp * q is congruent to 1, modulo p.
	222	*/
	223	n = modmul(key->iqmp, key->q, key->p);
	224	cmp = bignum_cmp(n, One);
	225	sfree(n);
	226	if (cmp != 0)
32874aea	227	return 0;
60fe6ff7	228
014970c8	229	return 1;
98f022f5	230	}
98f022f5	231
3f2d010c	232	/* Public key blob as used by Pageant: exponent before modulus. */
	233	unsigned char rsa_public_blob(struct RSAKey key, int *len)
	234	{
	235	int length, pos;
	236	unsigned char *ret;
	237
	238	length = (ssh1_bignum_length(key->modulus) +
	239	ssh1_bignum_length(key->exponent) + 4);
	240	ret = smalloc(length);
	241
	242	PUT_32BIT(ret, bignum_bitcount(key->modulus));
	243	pos = 4;
	244	pos += ssh1_write_bignum(ret + pos, key->exponent);
	245	pos += ssh1_write_bignum(ret + pos, key->modulus);
	246
	247	*len = length;
	248	return ret;
	249	}
	250
	251	/* Given a public blob, determine its length. */
	252	int rsa_public_blob_len(void *data)
	253	{
	254	unsigned char p = (unsigned char )data;
	255	int ret;
	256
	257	p += 4; /* length word */
	258	p += ssh1_read_bignum(p, NULL); /* exponent */
	259	p += ssh1_read_bignum(p, NULL); /* modulus */
	260
	261	return p - (unsigned char *)data;
	262	}
	263
32874aea	264	void freersakey(struct RSAKey *key)
	265	{
	266	if (key->modulus)
	267	freebn(key->modulus);
	268	if (key->exponent)
	269	freebn(key->exponent);
	270	if (key->private_exponent)
	271	freebn(key->private_exponent);
	272	if (key->comment)
	273	sfree(key->comment);
5c58ad2d	274	}
85cc02bb	275
	276	/* ----------------------------------------------------------------------
	277	* Implementation of the ssh-rsa signing key type.
	278	*/
	279
32874aea	280	static void getstring(char *data, int datalen, char *p, int length)
32874aea	281	{
85cc02bb	282	*p = NULL;
85cc02bb	283	if (*datalen < 4)
32874aea	284	return;
85cc02bb	285	length = GET_32BIT(data);
32874aea	286	*datalen -= 4;
32874aea	287	*data += 4;
85cc02bb	288	if (datalen < length)
32874aea	289	return;
85cc02bb	290	p = data;
32874aea	291	data += length;
32874aea	292	datalen -= length;
85cc02bb	293	}
32874aea	294	static Bignum getmp(char *data, int datalen)
32874aea	295	{
85cc02bb	296	char *p;
	297	int length;
	298	Bignum b;
	299
	300	getstring(data, datalen, &p, &length);
	301	if (!p)
32874aea	302	return NULL;
85cc02bb	303	b = bignum_from_bytes(p, length);
	304	return b;
	305	}
	306
32874aea	307	static void rsa2_newkey(char data, int len)
32874aea	308	{
85cc02bb	309	char *p;
	310	int slen;
	311	struct RSAKey *rsa;
	312
	313	rsa = smalloc(sizeof(struct RSAKey));
32874aea	314	if (!rsa)
32874aea	315	return NULL;
85cc02bb	316	getstring(&data, &len, &p, &slen);
85cc02bb	317
45cebe79	318	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
85cc02bb	319	sfree(rsa);
	320	return NULL;
	321	}
	322	rsa->exponent = getmp(&data, &len);
	323	rsa->modulus = getmp(&data, &len);
	324	rsa->private_exponent = NULL;
	325	rsa->comment = NULL;
	326
	327	return rsa;
	328	}
	329
32874aea	330	static void rsa2_freekey(void *key)
	331	{
	332	struct RSAKey rsa = (struct RSAKey ) key;
85cc02bb	333	freersakey(rsa);
	334	sfree(rsa);
	335	}
	336
32874aea	337	static char rsa2_fmtkey(void key)
	338	{
	339	struct RSAKey rsa = (struct RSAKey ) key;
85cc02bb	340	char *p;
85cc02bb	341	int len;
32874aea	342
85cc02bb	343	len = rsastr_len(rsa);
85cc02bb	344	p = smalloc(len);
32874aea	345	rsastr_fmt(p, rsa);
85cc02bb	346	return p;
	347	}
	348
32874aea	349	static unsigned char rsa2_public_blob(void key, int *len)
	350	{
	351	struct RSAKey rsa = (struct RSAKey ) key;
65a22376	352	int elen, mlen, bloblen;
	353	int i;
	354	unsigned char blob, p;
	355
32874aea	356	elen = (bignum_bitcount(rsa->exponent) + 8) / 8;
32874aea	357	mlen = (bignum_bitcount(rsa->modulus) + 8) / 8;
65a22376	358
	359	/*
	360	* string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
	361	* (three length fields, 12+7=19).
	362	*/
32874aea	363	bloblen = 19 + elen + mlen;
65a22376	364	blob = smalloc(bloblen);
65a22376	365	p = blob;
32874aea	366	PUT_32BIT(p, 7);
	367	p += 4;
	368	memcpy(p, "ssh-rsa", 7);
	369	p += 7;
	370	PUT_32BIT(p, elen);
	371	p += 4;
	372	for (i = elen; i--;)
	373	*p++ = bignum_byte(rsa->exponent, i);
	374	PUT_32BIT(p, mlen);
	375	p += 4;
	376	for (i = mlen; i--;)
	377	*p++ = bignum_byte(rsa->modulus, i);
65a22376	378	assert(p == blob + bloblen);
	379	*len = bloblen;
	380	return blob;
	381	}
	382
32874aea	383	static unsigned char rsa2_private_blob(void key, int *len)
	384	{
	385	struct RSAKey rsa = (struct RSAKey ) key;
65a22376	386	int dlen, plen, qlen, ulen, bloblen;
	387	int i;
	388	unsigned char blob, p;
	389
32874aea	390	dlen = (bignum_bitcount(rsa->private_exponent) + 8) / 8;
	391	plen = (bignum_bitcount(rsa->p) + 8) / 8;
	392	qlen = (bignum_bitcount(rsa->q) + 8) / 8;
	393	ulen = (bignum_bitcount(rsa->iqmp) + 8) / 8;
65a22376	394
	395	/*
	396	* mpint private_exp, mpint p, mpint q, mpint iqmp. Total 16 +
	397	* sum of lengths.
	398	*/
32874aea	399	bloblen = 16 + dlen + plen + qlen + ulen;
65a22376	400	blob = smalloc(bloblen);
65a22376	401	p = blob;
32874aea	402	PUT_32BIT(p, dlen);
	403	p += 4;
	404	for (i = dlen; i--;)
	405	*p++ = bignum_byte(rsa->private_exponent, i);
	406	PUT_32BIT(p, plen);
	407	p += 4;
	408	for (i = plen; i--;)
	409	*p++ = bignum_byte(rsa->p, i);
	410	PUT_32BIT(p, qlen);
	411	p += 4;
	412	for (i = qlen; i--;)
	413	*p++ = bignum_byte(rsa->q, i);
	414	PUT_32BIT(p, ulen);
	415	p += 4;
	416	for (i = ulen; i--;)
	417	*p++ = bignum_byte(rsa->iqmp, i);
65a22376	418	assert(p == blob + bloblen);
	419	*len = bloblen;
	420	return blob;
	421	}
	422
	423	static void rsa2_createkey(unsigned char pub_blob, int pub_len,
32874aea	424	unsigned char *priv_blob, int priv_len)
32874aea	425	{
65a22376	426	struct RSAKey *rsa;
32874aea	427	char pb = (char ) priv_blob;
	428
	429	rsa = rsa2_newkey((char *) pub_blob, pub_len);
65a22376	430	rsa->private_exponent = getmp(&pb, &priv_len);
	431	rsa->p = getmp(&pb, &priv_len);
	432	rsa->q = getmp(&pb, &priv_len);
	433	rsa->iqmp = getmp(&pb, &priv_len);
	434
98f022f5	435	if (!rsa_verify(rsa)) {
	436	rsa2_freekey(rsa);
	437	return NULL;
	438	}
	439
65a22376	440	return rsa;
	441	}
	442
32874aea	443	static void rsa2_openssh_createkey(unsigned char blob, int len)
	444	{
	445	char b = (char ) blob;
45cebe79	446	struct RSAKey *rsa;
45cebe79	447
45cebe79	448	rsa = smalloc(sizeof(struct RSAKey));
32874aea	449	if (!rsa)
32874aea	450	return NULL;
45cebe79	451	rsa->comment = NULL;
	452
	453	rsa->modulus = getmp(b, len);
	454	rsa->exponent = getmp(b, len);
	455	rsa->private_exponent = getmp(b, len);
	456	rsa->iqmp = getmp(b, len);
	457	rsa->p = getmp(b, len);
	458	rsa->q = getmp(b, len);
	459
	460	if (!rsa->modulus \|\| !rsa->exponent \|\| !rsa->private_exponent \|\|
	461	!rsa->iqmp \|\| !rsa->p \|\| !rsa->q) {
	462	sfree(rsa->modulus);
	463	sfree(rsa->exponent);
	464	sfree(rsa->private_exponent);
	465	sfree(rsa->iqmp);
	466	sfree(rsa->p);
	467	sfree(rsa->q);
	468	sfree(rsa);
	469	return NULL;
	470	}
	471
	472	return rsa;
	473	}
	474
32874aea	475	static int rsa2_openssh_fmtkey(void key, unsigned char blob, int len)
	476	{
	477	struct RSAKey rsa = (struct RSAKey ) key;
ddecd643	478	int bloblen, i;
	479
	480	bloblen =
	481	ssh2_bignum_length(rsa->modulus) +
	482	ssh2_bignum_length(rsa->exponent) +
	483	ssh2_bignum_length(rsa->private_exponent) +
	484	ssh2_bignum_length(rsa->iqmp) +
32874aea	485	ssh2_bignum_length(rsa->p) + ssh2_bignum_length(rsa->q);
ddecd643	486
	487	if (bloblen > len)
	488	return bloblen;
	489
	490	bloblen = 0;
	491	#define ENC(x) \
	492	PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
	493	for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
	494	ENC(rsa->modulus);
	495	ENC(rsa->exponent);
	496	ENC(rsa->private_exponent);
	497	ENC(rsa->iqmp);
	498	ENC(rsa->p);
	499	ENC(rsa->q);
	500
	501	return bloblen;
	502	}
	503
32874aea	504	static char rsa2_fingerprint(void key)
	505	{
	506	struct RSAKey rsa = (struct RSAKey ) key;
85cc02bb	507	struct MD5Context md5c;
85cc02bb	508	unsigned char digest[16], lenbuf[4];
32874aea	509	char buffer[16 * 3 + 40];
85cc02bb	510	char *ret;
	511	int numlen, i;
	512
	513	MD5Init(&md5c);
	514	MD5Update(&md5c, "\0\0\0\7ssh-rsa", 11);
	515
	516	#define ADD_BIGNUM(bignum) \
ddecd643	517	numlen = (bignum_bitcount(bignum)+8)/8; \
85cc02bb	518	PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
	519	for (i = numlen; i-- ;) { \
	520	unsigned char c = bignum_byte(bignum, i); \
	521	MD5Update(&md5c, &c, 1); \
	522	}
	523	ADD_BIGNUM(rsa->exponent);
	524	ADD_BIGNUM(rsa->modulus);
	525	#undef ADD_BIGNUM
	526
	527	MD5Final(digest, &md5c);
	528
ddecd643	529	sprintf(buffer, "ssh-rsa %d ", bignum_bitcount(rsa->modulus));
85cc02bb	530	for (i = 0; i < 16; i++)
32874aea	531	sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
	532	digest[i]);
	533	ret = smalloc(strlen(buffer) + 1);
85cc02bb	534	if (ret)
32874aea	535	strcpy(ret, buffer);
85cc02bb	536	return ret;
	537	}
	538
	539	/*
	540	* This is the magic ASN.1/DER prefix that goes in the decoded
	541	* signature, between the string of FFs and the actual SHA hash
96a73db9	542	* value. The meaning of it is:
85cc02bb	543	*
	544	* 00 -- this marks the end of the FFs; not part of the ASN.1 bit itself
	545	*
	546	* 30 21 -- a constructed SEQUENCE of length 0x21
	547	* 30 09 -- a constructed sub-SEQUENCE of length 9
	548	* 06 05 -- an object identifier, length 5
96a73db9	549	* 2B 0E 03 02 1A -- object id { 1 3 14 3 2 26 }
96a73db9	550	* (the 1,3 comes from 0x2B = 43 = 40*1+3)
85cc02bb	551	* 05 00 -- NULL
	552	* 04 14 -- a primitive OCTET STRING of length 0x14
	553	* [0x14 bytes of hash data follows]
96a73db9	554	*
	555	* The object id in the middle there is listed as `id-sha1' in
	556	* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2.asn (the
	557	* ASN module for PKCS #1) and its expanded form is as follows:
	558	*
	559	* id-sha1 OBJECT IDENTIFIER ::= {
	560	* iso(1) identified-organization(3) oiw(14) secsig(3)
	561	* algorithms(2) 26 }
85cc02bb	562	*/
85cc02bb	563	static unsigned char asn1_weird_stuff[] = {
32874aea	564	0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B,
32874aea	565	0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14,
85cc02bb	566	};
85cc02bb	567
d8770b12	568	#define ASN1_LEN ( (int) sizeof(asn1_weird_stuff) )
d8770b12	569
85cc02bb	570	static int rsa2_verifysig(void key, char sig, int siglen,
32874aea	571	char *data, int datalen)
	572	{
	573	struct RSAKey rsa = (struct RSAKey ) key;
85cc02bb	574	Bignum in, out;
	575	char *p;
	576	int slen;
	577	int bytes, i, j, ret;
	578	unsigned char hash[20];
	579
	580	getstring(&sig, &siglen, &p, &slen);
	581	if (!p \|\| slen != 7 \|\| memcmp(p, "ssh-rsa", 7)) {
32874aea	582	return 0;
85cc02bb	583	}
	584	in = getmp(&sig, &siglen);
	585	out = modpow(in, rsa->exponent, rsa->modulus);
	586	freebn(in);
	587
	588	ret = 1;
	589
ddecd643	590	bytes = bignum_bitcount(rsa->modulus) / 8;
85cc02bb	591	/* Top (partial) byte should be zero. */
32874aea	592	if (bignum_byte(out, bytes - 1) != 0)
32874aea	593	ret = 0;
85cc02bb	594	/* First whole byte should be 1. */
32874aea	595	if (bignum_byte(out, bytes - 2) != 1)
32874aea	596	ret = 0;
85cc02bb	597	/* Most of the rest should be FF. */
32874aea	598	for (i = bytes - 3; i >= 20 + ASN1_LEN; i--) {
	599	if (bignum_byte(out, i) != 0xFF)
	600	ret = 0;
85cc02bb	601	}
85cc02bb	602	/* Then we expect to see the asn1_weird_stuff. */
32874aea	603	for (i = 20 + ASN1_LEN - 1, j = 0; i >= 20; i--, j++) {
	604	if (bignum_byte(out, i) != asn1_weird_stuff[j])
	605	ret = 0;
85cc02bb	606	}
	607	/* Finally, we expect to see the SHA-1 hash of the signed data. */
	608	SHA_Simple(data, datalen, hash);
32874aea	609	for (i = 19, j = 0; i >= 0; i--, j++) {
	610	if (bignum_byte(out, i) != hash[j])
	611	ret = 0;
85cc02bb	612	}
	613
	614	return ret;
	615	}
	616
32874aea	617	unsigned char rsa2_sign(void key, char data, int datalen, int siglen)
	618	{
	619	struct RSAKey rsa = (struct RSAKey ) key;
65a22376	620	unsigned char *bytes;
	621	int nbytes;
	622	unsigned char hash[20];
	623	Bignum in, out;
	624	int i, j;
	625
	626	SHA_Simple(data, datalen, hash);
	627
32874aea	628	nbytes = (bignum_bitcount(rsa->modulus) - 1) / 8;
65a22376	629	bytes = smalloc(nbytes);
	630
	631	bytes[0] = 1;
32874aea	632	for (i = 1; i < nbytes - 20 - ASN1_LEN; i++)
65a22376	633	bytes[i] = 0xFF;
32874aea	634	for (i = nbytes - 20 - ASN1_LEN, j = 0; i < nbytes - 20; i++, j++)
65a22376	635	bytes[i] = asn1_weird_stuff[j];
32874aea	636	for (i = nbytes - 20, j = 0; i < nbytes; i++, j++)
65a22376	637	bytes[i] = hash[j];
	638
	639	in = bignum_from_bytes(bytes, nbytes);
	640	sfree(bytes);
	641
	642	out = modpow(in, rsa->private_exponent, rsa->modulus);
	643	freebn(in);
	644
32874aea	645	nbytes = (bignum_bitcount(out) + 7) / 8;
32874aea	646	bytes = smalloc(4 + 7 + 4 + nbytes);
65a22376	647	PUT_32BIT(bytes, 7);
32874aea	648	memcpy(bytes + 4, "ssh-rsa", 7);
32874aea	649	PUT_32BIT(bytes + 4 + 7, nbytes);
65a22376	650	for (i = 0; i < nbytes; i++)
32874aea	651	bytes[4 + 7 + 4 + i] = bignum_byte(out, nbytes - 1 - i);
65a22376	652	freebn(out);
65a22376	653
32874aea	654	*siglen = 4 + 7 + 4 + nbytes;
65a22376	655	return bytes;
85cc02bb	656	}
85cc02bb	657
65a22376	658	const struct ssh_signkey ssh_rsa = {
85cc02bb	659	rsa2_newkey,
	660	rsa2_freekey,
	661	rsa2_fmtkey,
65a22376	662	rsa2_public_blob,
	663	rsa2_private_blob,
	664	rsa2_createkey,
45cebe79	665	rsa2_openssh_createkey,
ddecd643	666	rsa2_openssh_fmtkey,
85cc02bb	667	rsa2_fingerprint,
	668	rsa2_verifysig,
	669	rsa2_sign,
	670	"ssh-rsa",
	671	"rsa2"
	672	};