1/* $OpenBSD: ssh-rsa.c,v 1.45 2010/08/31 09:58:37 djm Exp $ */ 2/* 3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include "includes.h" 19 20#include <sys/types.h> 21 22#ifdef __APPLE_CRYPTO__ 23#include "ossl-evp.h" 24#include "ossl-err.h" 25#else 26#include <openssl/evp.h> 27#include <openssl/err.h> 28#endif 29 30#include <stdarg.h> 31#include <string.h> 32 33#include "xmalloc.h" 34#include "log.h" 35#include "buffer.h" 36#include "key.h" 37#include "compat.h" 38#include "misc.h" 39#include "ssh.h" 40 41static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); 42 43/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ 44int 45ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, 46 const u_char *data, u_int datalen) 47{ 48 const EVP_MD *evp_md; 49 EVP_MD_CTX md; 50 u_char digest[EVP_MAX_MD_SIZE], *sig; 51 u_int slen, dlen, len; 52 int ok, nid; 53 Buffer b; 54 55 if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && 56 key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { 57 error("ssh_rsa_sign: no RSA key"); 58 return -1; 59 } 60 nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; 61 if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { 62 error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid); 63 return -1; 64 } 65 EVP_DigestInit(&md, evp_md); 66 EVP_DigestUpdate(&md, data, datalen); 67 EVP_DigestFinal(&md, digest, &dlen); 68 69 slen = RSA_size(key->rsa); 70 sig = xmalloc(slen); 71 72 ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa); 73 memset(digest, 'd', sizeof(digest)); 74 75 if (ok != 1) { 76 int ecode = ERR_get_error(); 77 78 error("ssh_rsa_sign: RSA_sign failed: %s", 79 ERR_error_string(ecode, NULL)); 80 xfree(sig); 81 return -1; 82 } 83 if (len < slen) { 84 u_int diff = slen - len; 85 debug("slen %u > len %u", slen, len); 86 memmove(sig + diff, sig, len); 87 memset(sig, 0, diff); 88 } else if (len > slen) { 89 error("ssh_rsa_sign: slen %u slen2 %u", slen, len); 90 xfree(sig); 91 return -1; 92 } 93 /* encode signature */ 94 buffer_init(&b); 95 buffer_put_cstring(&b, "ssh-rsa"); 96 buffer_put_string(&b, sig, slen); 97 len = buffer_len(&b); 98 if (lenp != NULL) 99 *lenp = len; 100 if (sigp != NULL) { 101 *sigp = xmalloc(len); 102 memcpy(*sigp, buffer_ptr(&b), len); 103 } 104 buffer_free(&b); 105 memset(sig, 's', slen); 106 xfree(sig); 107 108 return 0; 109} 110 111int 112ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, 113 const u_char *data, u_int datalen) 114{ 115 Buffer b; 116 const EVP_MD *evp_md; 117 EVP_MD_CTX md; 118 char *ktype; 119 u_char digest[EVP_MAX_MD_SIZE], *sigblob; 120 u_int len, dlen, modlen; 121 int rlen, ret, nid; 122 123 if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA && 124 key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) { 125 error("ssh_rsa_verify: no RSA key"); 126 return -1; 127 } 128 if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { 129 error("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits", 130 BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); 131 return -1; 132 } 133 buffer_init(&b); 134 buffer_append(&b, signature, signaturelen); 135 ktype = buffer_get_cstring(&b, NULL); 136 if (strcmp("ssh-rsa", ktype) != 0) { 137 error("ssh_rsa_verify: cannot handle type %s", ktype); 138 buffer_free(&b); 139 xfree(ktype); 140 return -1; 141 } 142 xfree(ktype); 143 sigblob = buffer_get_string(&b, &len); 144 rlen = buffer_len(&b); 145 buffer_free(&b); 146 if (rlen != 0) { 147 error("ssh_rsa_verify: remaining bytes in signature %d", rlen); 148 xfree(sigblob); 149 return -1; 150 } 151 /* RSA_verify expects a signature of RSA_size */ 152 modlen = RSA_size(key->rsa); 153 if (len > modlen) { 154 error("ssh_rsa_verify: len %u > modlen %u", len, modlen); 155 xfree(sigblob); 156 return -1; 157 } else if (len < modlen) { 158 u_int diff = modlen - len; 159 debug("ssh_rsa_verify: add padding: modlen %u > len %u", 160 modlen, len); 161 sigblob = xrealloc(sigblob, 1, modlen); 162 memmove(sigblob + diff, sigblob, len); 163 memset(sigblob, 0, diff); 164 len = modlen; 165 } 166 nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1; 167 if ((evp_md = EVP_get_digestbynid(nid)) == NULL) { 168 error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid); 169 xfree(sigblob); 170 return -1; 171 } 172 EVP_DigestInit(&md, evp_md); 173 EVP_DigestUpdate(&md, data, datalen); 174 EVP_DigestFinal(&md, digest, &dlen); 175 176 ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa); 177 memset(digest, 'd', sizeof(digest)); 178 memset(sigblob, 's', len); 179 xfree(sigblob); 180 debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : ""); 181 return ret; 182} 183 184/* 185 * See: 186 * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/ 187 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn 188 */ 189/* 190 * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 191 * oiw(14) secsig(3) algorithms(2) 26 } 192 */ 193static const u_char id_sha1[] = { 194 0x30, 0x21, /* type Sequence, length 0x21 (33) */ 195 0x30, 0x09, /* type Sequence, length 0x09 */ 196 0x06, 0x05, /* type OID, length 0x05 */ 197 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */ 198 0x05, 0x00, /* NULL */ 199 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ 200}; 201/* 202 * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 203 * rsadsi(113549) digestAlgorithm(2) 5 } 204 */ 205static const u_char id_md5[] = { 206 0x30, 0x20, /* type Sequence, length 0x20 (32) */ 207 0x30, 0x0c, /* type Sequence, length 0x09 */ 208 0x06, 0x08, /* type OID, length 0x05 */ 209 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */ 210 0x05, 0x00, /* NULL */ 211 0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */ 212}; 213 214static int 215openssh_RSA_verify(int type, u_char *hash, u_int hashlen, 216 u_char *sigbuf, u_int siglen, RSA *rsa) 217{ 218 u_int ret, rsasize, oidlen = 0, hlen = 0; 219 int len, oidmatch, hashmatch; 220 const u_char *oid = NULL; 221 u_char *decrypted = NULL; 222 223 ret = 0; 224 switch (type) { 225 case NID_sha1: 226 oid = id_sha1; 227 oidlen = sizeof(id_sha1); 228 hlen = 20; 229 break; 230 case NID_md5: 231 oid = id_md5; 232 oidlen = sizeof(id_md5); 233 hlen = 16; 234 break; 235 default: 236 goto done; 237 } 238 if (hashlen != hlen) { 239 error("bad hashlen"); 240 goto done; 241 } 242 rsasize = RSA_size(rsa); 243 if (siglen == 0 || siglen > rsasize) { 244 error("bad siglen"); 245 goto done; 246 } 247 decrypted = xmalloc(rsasize); 248 if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa, 249 RSA_PKCS1_PADDING)) < 0) { 250 error("RSA_public_decrypt failed: %s", 251 ERR_error_string(ERR_get_error(), NULL)); 252 goto done; 253 } 254 if (len < 0 || (u_int)len != hlen + oidlen) { 255 error("bad decrypted len: %d != %d + %d", len, hlen, oidlen); 256 goto done; 257 } 258 oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; 259 hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; 260 if (!oidmatch) { 261 error("oid mismatch"); 262 goto done; 263 } 264 if (!hashmatch) { 265 error("hash mismatch"); 266 goto done; 267 } 268 ret = 1; 269done: 270 if (decrypted) 271 xfree(decrypted); 272 return ret; 273} 274