2 * Dropbear - a SSH2 server
4 * Copyright (c) 2002,2003 Matt Johnston
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
25 /* Perform RSA operations on data, including reading keys, signing and
28 * The format is specified in rfc2437, Applied Cryptography or The Handbook of
29 * Applied Cryptography detail the general algorithm. */
41 static void rsa_pad_em(dropbear_rsa_key
* key
,
42 const unsigned char * data
, unsigned int len
,
45 /* Load a public rsa key from a buffer, initialising the values.
46 * The key will have the same format as buf_put_rsa_key.
47 * These should be freed with rsa_key_free.
48 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
49 int buf_get_rsa_pub_key(buffer
* buf
, dropbear_rsa_key
*key
) {
51 int ret
= DROPBEAR_FAILURE
;
52 TRACE(("enter buf_get_rsa_pub_key"))
53 dropbear_assert(key
!= NULL
);
54 key
->e
= m_malloc(sizeof(mp_int
));
55 key
->n
= m_malloc(sizeof(mp_int
));
56 m_mp_init_multi(key
->e
, key
->n
, NULL
);
61 buf_incrpos(buf
, 4+SSH_SIGNKEY_RSA_LEN
); /* int + "ssh-rsa" */
63 if (buf_getmpint(buf
, key
->e
) == DROPBEAR_FAILURE
64 || buf_getmpint(buf
, key
->n
) == DROPBEAR_FAILURE
) {
65 TRACE(("leave buf_get_rsa_pub_key: failure"))
69 if (mp_count_bits(key
->n
) < MIN_RSA_KEYLEN
) {
70 dropbear_log(LOG_WARNING
, "rsa key too short");
74 TRACE(("leave buf_get_rsa_pub_key: success"))
75 ret
= DROPBEAR_SUCCESS
;
77 if (ret
== DROPBEAR_FAILURE
) {
84 /* Same as buf_get_rsa_pub_key, but reads private bits at the end.
85 * Loads a private rsa key from a buffer
86 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
87 int buf_get_rsa_priv_key(buffer
* buf
, dropbear_rsa_key
*key
) {
88 int ret
= DROPBEAR_FAILURE
;
90 TRACE(("enter buf_get_rsa_priv_key"))
91 dropbear_assert(key
!= NULL
);
93 if (buf_get_rsa_pub_key(buf
, key
) == DROPBEAR_FAILURE
) {
94 TRACE(("leave buf_get_rsa_priv_key: pub: ret == DROPBEAR_FAILURE"))
95 return DROPBEAR_FAILURE
;
102 key
->d
= m_malloc(sizeof(mp_int
));
104 if (buf_getmpint(buf
, key
->d
) == DROPBEAR_FAILURE
) {
105 TRACE(("leave buf_get_rsa_priv_key: d: ret == DROPBEAR_FAILURE"))
109 if (buf
->pos
== buf
->len
) {
110 /* old Dropbear private keys didn't keep p and q, so we will ignore them*/
112 key
->p
= m_malloc(sizeof(mp_int
));
113 key
->q
= m_malloc(sizeof(mp_int
));
114 m_mp_init_multi(key
->p
, key
->q
, NULL
);
116 if (buf_getmpint(buf
, key
->p
) == DROPBEAR_FAILURE
) {
117 TRACE(("leave buf_get_rsa_priv_key: p: ret == DROPBEAR_FAILURE"))
121 if (buf_getmpint(buf
, key
->q
) == DROPBEAR_FAILURE
) {
122 TRACE(("leave buf_get_rsa_priv_key: q: ret == DROPBEAR_FAILURE"))
127 ret
= DROPBEAR_SUCCESS
;
129 if (ret
== DROPBEAR_FAILURE
) {
134 TRACE(("leave buf_get_rsa_priv_key"))
139 /* Clear and free the memory used by a public or private key */
140 void rsa_key_free(dropbear_rsa_key
*key
) {
142 TRACE(("enter rsa_key_free"))
145 TRACE(("leave rsa_key_free: key == NULL"))
169 TRACE(("leave rsa_key_free"))
172 /* Put the public rsa key into the buffer in the required format:
178 void buf_put_rsa_pub_key(buffer
* buf
, dropbear_rsa_key
*key
) {
180 TRACE(("enter buf_put_rsa_pub_key"))
181 dropbear_assert(key
!= NULL
);
183 buf_putstring(buf
, SSH_SIGNKEY_RSA
, SSH_SIGNKEY_RSA_LEN
);
184 buf_putmpint(buf
, key
->e
);
185 buf_putmpint(buf
, key
->n
);
187 TRACE(("leave buf_put_rsa_pub_key"))
191 /* Same as buf_put_rsa_pub_key, but with the private "x" key appended */
192 void buf_put_rsa_priv_key(buffer
* buf
, dropbear_rsa_key
*key
) {
194 TRACE(("enter buf_put_rsa_priv_key"))
196 dropbear_assert(key
!= NULL
);
197 buf_put_rsa_pub_key(buf
, key
);
198 buf_putmpint(buf
, key
->d
);
200 /* new versions have p and q, old versions don't */
202 buf_putmpint(buf
, key
->p
);
205 buf_putmpint(buf
, key
->q
);
209 TRACE(("leave buf_put_rsa_priv_key"))
213 #ifdef DROPBEAR_SIGNKEY_VERIFY
214 /* Verify a signature in buf, made on data by the key given.
215 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
216 int buf_rsa_verify(buffer
* buf
, dropbear_rsa_key
*key
, const unsigned char* data
,
221 DEF_MP_INT(rsa_mdash
);
223 int ret
= DROPBEAR_FAILURE
;
225 TRACE(("enter buf_rsa_verify"))
227 dropbear_assert(key
!= NULL
);
229 m_mp_init_multi(&rsa_mdash
, &rsa_s
, &rsa_em
, NULL
);
231 slen
= buf_getint(buf
);
232 if (slen
!= (unsigned int)mp_unsigned_bin_size(key
->n
)) {
237 if (mp_read_unsigned_bin(&rsa_s
, buf_getptr(buf
, buf
->len
- buf
->pos
),
238 buf
->len
- buf
->pos
) != MP_OKAY
) {
239 TRACE(("failed reading rsa_s"))
243 /* check that s <= n-1 */
244 if (mp_cmp(&rsa_s
, key
->n
) != MP_LT
) {
249 /* create the magic PKCS padded value */
250 rsa_pad_em(key
, data
, len
, &rsa_em
);
252 if (mp_exptmod(&rsa_s
, key
->e
, key
->n
, &rsa_mdash
) != MP_OKAY
) {
253 TRACE(("failed exptmod rsa_s"))
257 if (mp_cmp(&rsa_em
, &rsa_mdash
) == MP_EQ
) {
258 /* signature is valid */
260 ret
= DROPBEAR_SUCCESS
;
264 mp_clear_multi(&rsa_mdash
, &rsa_s
, &rsa_em
, NULL
);
265 TRACE(("leave buf_rsa_verify: ret %d", ret
))
269 #endif /* DROPBEAR_SIGNKEY_VERIFY */
271 /* Sign the data presented with key, writing the signature contents
273 void buf_put_rsa_sign(buffer
* buf
, dropbear_rsa_key
*key
, const unsigned char* data
,
276 unsigned int nsize
, ssize
;
279 DEF_MP_INT(rsa_tmp1
);
280 DEF_MP_INT(rsa_tmp2
);
281 DEF_MP_INT(rsa_tmp3
);
283 TRACE(("enter buf_put_rsa_sign"))
284 dropbear_assert(key
!= NULL
);
286 m_mp_init_multi(&rsa_s
, &rsa_tmp1
, &rsa_tmp2
, &rsa_tmp3
, NULL
);
288 rsa_pad_em(key
, data
, len
, &rsa_tmp1
);
290 /* the actual signing of the padded data */
294 /* With blinding, s = (r^(-1))((em)*r^e)^d mod n */
296 /* generate the r blinding value */
298 gen_random_mpint(key
->n
, &rsa_tmp2
);
301 /* em' = em * r^e mod n */
303 /* rsa_s used as a temp var*/
304 if (mp_exptmod(&rsa_tmp2
, key
->e
, key
->n
, &rsa_s
) != MP_OKAY
) {
305 dropbear_exit("rsa error");
307 if (mp_invmod(&rsa_tmp2
, key
->n
, &rsa_tmp3
) != MP_OKAY
) {
308 dropbear_exit("rsa error");
310 if (mp_mulmod(&rsa_tmp1
, &rsa_s
, key
->n
, &rsa_tmp2
) != MP_OKAY
) {
311 dropbear_exit("rsa error");
314 /* rsa_tmp2 is em' */
315 /* s' = (em')^d mod n */
316 if (mp_exptmod(&rsa_tmp2
, key
->d
, key
->n
, &rsa_tmp1
) != MP_OKAY
) {
317 dropbear_exit("rsa error");
321 /* rsa_tmp3 is r^(-1) mod n */
322 /* s = (s')r^(-1) mod n */
323 if (mp_mulmod(&rsa_tmp1
, &rsa_tmp3
, key
->n
, &rsa_s
) != MP_OKAY
) {
324 dropbear_exit("rsa error");
331 if (mp_exptmod(&rsa_tmp1
, key
->d
, key
->n
, &rsa_s
) != MP_OKAY
) {
332 dropbear_exit("rsa error");
335 #endif /* RSA_BLINDING */
337 mp_clear_multi(&rsa_tmp1
, &rsa_tmp2
, &rsa_tmp3
, NULL
);
339 /* create the signature to return */
340 buf_putstring(buf
, SSH_SIGNKEY_RSA
, SSH_SIGNKEY_RSA_LEN
);
342 nsize
= mp_unsigned_bin_size(key
->n
);
344 /* string rsa_signature_blob length */
345 buf_putint(buf
, nsize
);
346 /* pad out s to same length as n */
347 ssize
= mp_unsigned_bin_size(&rsa_s
);
348 dropbear_assert(ssize
<= nsize
);
349 for (i
= 0; i
< nsize
-ssize
; i
++) {
350 buf_putbyte(buf
, 0x00);
353 if (mp_to_unsigned_bin(&rsa_s
, buf_getwriteptr(buf
, ssize
)) != MP_OKAY
) {
354 dropbear_exit("rsa error");
356 buf_incrwritepos(buf
, ssize
);
359 #if defined(DEBUG_RSA) && defined(DEBUG_TRACE)
360 printhex("RSA sig", buf
->data
, buf
->len
);
364 TRACE(("leave buf_put_rsa_sign"))
367 /* Creates the message value as expected by PKCS, see rfc2437 etc */
368 /* format to be padded to is:
369 * EM = 01 | FF* | 00 | prefix | hash
371 * where FF is repeated enough times to make EM one byte
372 * shorter than the size of key->n
374 * prefix is the ASN1 designator prefix,
375 * hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
377 * rsa_em must be a pointer to an initialised mp_int.
379 static void rsa_pad_em(dropbear_rsa_key
* key
,
380 const unsigned char * data
, unsigned int len
,
383 /* ASN1 designator (including the 0x00 preceding) */
384 const unsigned char rsa_asn1_magic
[] =
385 {0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
386 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
387 const unsigned int RSA_ASN1_MAGIC_LEN
= 16;
389 buffer
* rsa_EM
= NULL
;
393 dropbear_assert(key
!= NULL
);
394 dropbear_assert(data
!= NULL
);
395 nsize
= mp_unsigned_bin_size(key
->n
);
397 rsa_EM
= buf_new(nsize
-1);
399 buf_putbyte(rsa_EM
, 0x01);
400 /* Padding with 0xFF bytes */
401 while(rsa_EM
->pos
!= rsa_EM
->size
- RSA_ASN1_MAGIC_LEN
- SHA1_HASH_SIZE
) {
402 buf_putbyte(rsa_EM
, 0xff);
404 /* Magic ASN1 stuff */
405 memcpy(buf_getwriteptr(rsa_EM
, RSA_ASN1_MAGIC_LEN
),
406 rsa_asn1_magic
, RSA_ASN1_MAGIC_LEN
);
407 buf_incrwritepos(rsa_EM
, RSA_ASN1_MAGIC_LEN
);
409 /* The hash of the data */
411 sha1_process(&hs
, data
, len
);
412 sha1_done(&hs
, buf_getwriteptr(rsa_EM
, SHA1_HASH_SIZE
));
413 buf_incrwritepos(rsa_EM
, SHA1_HASH_SIZE
);
415 dropbear_assert(rsa_EM
->pos
== rsa_EM
->size
);
417 /* Create the mp_int from the encoded bytes */
418 buf_setpos(rsa_EM
, 0);
419 bytes_to_mp(rsa_em
, buf_getptr(rsa_EM
, rsa_EM
->size
),
424 #endif /* DROPBEAR_RSA */