ssh-dss.c revision 126274 
1/*
2 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
26RCSID("$OpenBSD: ssh-dss.c,v 1.19 2003/11/10 16:23:41 jakob Exp $");
27
28#include <openssl/bn.h>
29#include <openssl/evp.h>
30
31#include "xmalloc.h"
32#include "buffer.h"
33#include "bufaux.h"
34#include "compat.h"
35#include "log.h"
36#include "key.h"
37
38#define INTBLOB_LEN	20
39#define SIGBLOB_LEN	(2*INTBLOB_LEN)
40
41int
42ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
43    const u_char *data, u_int datalen)
44{
45	DSA_SIG *sig;
46	const EVP_MD *evp_md = EVP_sha1();
47	EVP_MD_CTX md;
48	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
49	u_int rlen, slen, len, dlen;
50	Buffer b;
51
52	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
53		error("ssh_dss_sign: no DSA key");
54		return -1;
55	}
56	EVP_DigestInit(&md, evp_md);
57	EVP_DigestUpdate(&md, data, datalen);
58	EVP_DigestFinal(&md, digest, &dlen);
59
60	sig = DSA_do_sign(digest, dlen, key->dsa);
61	memset(digest, 'd', sizeof(digest));
62
63	if (sig == NULL) {
64		error("ssh_dss_sign: sign failed");
65		return -1;
66	}
67
68	rlen = BN_num_bytes(sig->r);
69	slen = BN_num_bytes(sig->s);
70	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
71		error("bad sig size %u %u", rlen, slen);
72		DSA_SIG_free(sig);
73		return -1;
74	}
75	memset(sigblob, 0, SIGBLOB_LEN);
76	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
77	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
78	DSA_SIG_free(sig);
79
80	if (datafellows & SSH_BUG_SIGBLOB) {
81		if (lenp != NULL)
82			*lenp = SIGBLOB_LEN;
83		if (sigp != NULL) {
84			*sigp = xmalloc(SIGBLOB_LEN);
85			memcpy(*sigp, sigblob, SIGBLOB_LEN);
86		}
87	} else {
88		/* ietf-drafts */
89		buffer_init(&b);
90		buffer_put_cstring(&b, "ssh-dss");
91		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
92		len = buffer_len(&b);
93		if (lenp != NULL)
94			*lenp = len;
95		if (sigp != NULL) {
96			*sigp = xmalloc(len);
97			memcpy(*sigp, buffer_ptr(&b), len);
98		}
99		buffer_free(&b);
100	}
101	return 0;
102}
103int
104ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
105    const u_char *data, u_int datalen)
106{
107	DSA_SIG *sig;
108	const EVP_MD *evp_md = EVP_sha1();
109	EVP_MD_CTX md;
110	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
111	u_int len, dlen;
112	int rlen, ret;
113	Buffer b;
114
115	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
116		error("ssh_dss_verify: no DSA key");
117		return -1;
118	}
119
120	/* fetch signature */
121	if (datafellows & SSH_BUG_SIGBLOB) {
122		sigblob = xmalloc(signaturelen);
123		memcpy(sigblob, signature, signaturelen);
124		len = signaturelen;
125	} else {
126		/* ietf-drafts */
127		char *ktype;
128		buffer_init(&b);
129		buffer_append(&b, signature, signaturelen);
130		ktype = buffer_get_string(&b, NULL);
131		if (strcmp("ssh-dss", ktype) != 0) {
132			error("ssh_dss_verify: cannot handle type %s", ktype);
133			buffer_free(&b);
134			xfree(ktype);
135			return -1;
136		}
137		xfree(ktype);
138		sigblob = buffer_get_string(&b, &len);
139		rlen = buffer_len(&b);
140		buffer_free(&b);
141		if (rlen != 0) {
142			error("ssh_dss_verify: "
143			    "remaining bytes in signature %d", rlen);
144			xfree(sigblob);
145			return -1;
146		}
147	}
148
149	if (len != SIGBLOB_LEN) {
150		fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
151	}
152
153	/* parse signature */
154	if ((sig = DSA_SIG_new()) == NULL)
155		fatal("ssh_dss_verify: DSA_SIG_new failed");
156	if ((sig->r = BN_new()) == NULL)
157		fatal("ssh_dss_verify: BN_new failed");
158	if ((sig->s = BN_new()) == NULL)
159		fatal("ssh_dss_verify: BN_new failed");
160	BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
161	BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
162
163	/* clean up */
164	memset(sigblob, 0, len);
165	xfree(sigblob);
166
167	/* sha1 the data */
168	EVP_DigestInit(&md, evp_md);
169	EVP_DigestUpdate(&md, data, datalen);
170	EVP_DigestFinal(&md, digest, &dlen);
171
172	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
173	memset(digest, 'd', sizeof(digest));
174
175	DSA_SIG_free(sig);
176
177	debug("ssh_dss_verify: signature %s",
178	    ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
179	return ret;
180}
181