lenbuf[0] = bignum_byte(b, len);
SHA_Bytes(s, lenbuf, 1);
}
- memset(lenbuf, 0, sizeof(lenbuf));
+ smemclr(lenbuf, sizeof(lenbuf));
}
static void sha512_mpint(SHA512_State * s, Bignum b)
lenbuf[0] = bignum_byte(b, len);
SHA512_Bytes(s, lenbuf, 1);
}
- memset(lenbuf, 0, sizeof(lenbuf));
+ smemclr(lenbuf, sizeof(lenbuf));
}
-static void getstring(char **data, int *datalen, char **p, int *length)
+static void getstring(const char **data, int *datalen,
+ const char **p, int *length)
{
*p = NULL;
if (*datalen < 4)
return;
- *length = GET_32BIT(*data);
+ *length = toint(GET_32BIT(*data));
+ if (*length < 0)
+ return;
*datalen -= 4;
*data += 4;
if (*datalen < *length)
*data += *length;
*datalen -= *length;
}
-static Bignum getmp(char **data, int *datalen)
+static Bignum getmp(const char **data, int *datalen)
{
- char *p;
+ const char *p;
int length;
Bignum b;
return NULL;
if (p[0] & 0x80)
return NULL; /* negative mp */
- b = bignum_from_bytes((unsigned char *)p, length);
+ b = bignum_from_bytes((const unsigned char *)p, length);
return b;
}
-static Bignum get160(char **data, int *datalen)
+static Bignum get160(const char **data, int *datalen)
{
Bignum b;
- b = bignum_from_bytes((unsigned char *)*data, 20);
+ if (*datalen < 20)
+ return NULL;
+
+ b = bignum_from_bytes((const unsigned char *)*data, 20);
*data += 20;
*datalen -= 20;
return b;
}
-static void *dss_newkey(char *data, int len)
+static void dss_freekey(void *key); /* forward reference */
+
+static void *dss_newkey(const struct ssh_signkey *self,
+ const char *data, int len)
{
- char *p;
+ const char *p;
int slen;
struct dss_key *dss;
dss = snew(struct dss_key);
- if (!dss)
- return NULL;
getstring(&data, &len, &p, &slen);
#ifdef DEBUG_DSS
}
#endif
- if (!p || memcmp(p, "ssh-dss", 7)) {
+ if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) {
sfree(dss);
return NULL;
}
dss->q = getmp(&data, &len);
dss->g = getmp(&data, &len);
dss->y = getmp(&data, &len);
+ dss->x = NULL;
+
+ if (!dss->p || !dss->q || !dss->g || !dss->y ||
+ !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) {
+ /* Invalid key. */
+ dss_freekey(dss);
+ return NULL;
+ }
return dss;
}
static void dss_freekey(void *key)
{
struct dss_key *dss = (struct dss_key *) key;
- freebn(dss->p);
- freebn(dss->q);
- freebn(dss->g);
- freebn(dss->y);
+ if (dss->p)
+ freebn(dss->p);
+ if (dss->q)
+ freebn(dss->q);
+ if (dss->g)
+ freebn(dss->g);
+ if (dss->y)
+ freebn(dss->y);
+ if (dss->x)
+ freebn(dss->x);
sfree(dss);
}
return p;
}
-static char *dss_fingerprint(void *key)
-{
- struct dss_key *dss = (struct dss_key *) key;
- struct MD5Context md5c;
- unsigned char digest[16], lenbuf[4];
- char buffer[16 * 3 + 40];
- char *ret;
- int numlen, i;
-
- MD5Init(&md5c);
- MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11);
-
-#define ADD_BIGNUM(bignum) \
- numlen = (bignum_bitcount(bignum)+8)/8; \
- PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
- for (i = numlen; i-- ;) { \
- unsigned char c = bignum_byte(bignum, i); \
- MD5Update(&md5c, &c, 1); \
- }
- ADD_BIGNUM(dss->p);
- ADD_BIGNUM(dss->q);
- ADD_BIGNUM(dss->g);
- ADD_BIGNUM(dss->y);
-#undef ADD_BIGNUM
-
- MD5Final(digest, &md5c);
-
- sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p));
- for (i = 0; i < 16; i++)
- sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
- digest[i]);
- ret = snewn(strlen(buffer) + 1, char);
- if (ret)
- strcpy(ret, buffer);
- return ret;
-}
-
-static int dss_verifysig(void *key, char *sig, int siglen,
- char *data, int datalen)
+static int dss_verifysig(void *key, const char *sig, int siglen,
+ const char *data, int datalen)
{
struct dss_key *dss = (struct dss_key *) key;
- char *p;
+ const char *p;
int slen;
char hash[20];
Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v;
#endif
/*
* Commercial SSH (2.0.13) and OpenSSH disagree over the format
- * of a DSA signature. OpenSSH is in line with the IETF drafts:
+ * of a DSA signature. OpenSSH is in line with RFC 4253:
* it uses a string "ssh-dss", followed by a 40-byte string
* containing two 160-bit integers end-to-end. Commercial SSH
* can't be bothered with the header bit, and considers a DSA
* signature blob to be _just_ the 40-byte string containing
* the two 160-bit integers. We tell them apart by measuring
* the length: length 40 means the commercial-SSH bug, anything
- * else is assumed to be IETF-compliant.
+ * else is assumed to be RFC-compliant.
*/
if (siglen != 40) { /* bug not present; read admin fields */
getstring(&sig, &siglen, &p, &slen);
}
r = get160(&sig, &siglen);
s = get160(&sig, &siglen);
- if (!r || !s)
+ if (!r || !s) {
+ if (r)
+ freebn(r);
+ if (s)
+ freebn(s);
return 0;
+ }
+
+ if (!bignum_cmp(s, Zero)) {
+ freebn(r);
+ freebn(s);
+ return 0;
+ }
/*
* Step 1. w <- s^-1 mod q.
*/
w = modinv(s, dss->q);
+ if (!w) {
+ freebn(r);
+ freebn(s);
+ return 0;
+ }
/*
* Step 2. u1 <- SHA(message) * w mod q.
freebn(w);
freebn(sha);
+ freebn(u1);
+ freebn(u2);
freebn(gu1p);
freebn(yu2p);
freebn(gu1yu2p);
return blob;
}
-static void *dss_createkey(unsigned char *pub_blob, int pub_len,
- unsigned char *priv_blob, int priv_len)
+static void *dss_createkey(const struct ssh_signkey *self,
+ const unsigned char *pub_blob, int pub_len,
+ const unsigned char *priv_blob, int priv_len)
{
struct dss_key *dss;
- char *pb = (char *) priv_blob;
- char *hash;
+ const char *pb = (const char *) priv_blob;
+ const char *hash;
int hashlen;
SHA_State s;
unsigned char digest[20];
Bignum ytest;
- dss = dss_newkey((char *) pub_blob, pub_len);
+ dss = dss_newkey(self, (char *) pub_blob, pub_len);
+ if (!dss)
+ return NULL;
dss->x = getmp(&pb, &priv_len);
+ if (!dss->x) {
+ dss_freekey(dss);
+ return NULL;
+ }
/*
* Check the obsolete hash in the old DSS key format.
ytest = modpow(dss->g, dss->x, dss->p);
if (0 != bignum_cmp(ytest, dss->y)) {
dss_freekey(dss);
+ freebn(ytest);
return NULL;
}
freebn(ytest);
return dss;
}
-static void *dss_openssh_createkey(unsigned char **blob, int *len)
+static void *dss_openssh_createkey(const struct ssh_signkey *self,
+ const unsigned char **blob, int *len)
{
- char **b = (char **) blob;
+ const char **b = (const char **) blob;
struct dss_key *dss;
dss = snew(struct dss_key);
- if (!dss)
- return NULL;
dss->p = getmp(b, len);
dss->q = getmp(b, len);
dss->y = getmp(b, len);
dss->x = getmp(b, len);
- if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) {
- sfree(dss->p);
- sfree(dss->q);
- sfree(dss->g);
- sfree(dss->y);
- sfree(dss->x);
- sfree(dss);
- return NULL;
+ if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x ||
+ !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) {
+ /* Invalid key. */
+ dss_freekey(dss);
+ return NULL;
}
return dss;
return bloblen;
}
-static int dss_pubkey_bits(void *blob, int len)
+static int dss_pubkey_bits(const struct ssh_signkey *self,
+ const void *blob, int len)
{
struct dss_key *dss;
int ret;
- dss = dss_newkey((char *) blob, len);
+ dss = dss_newkey(self, (const char *) blob, len);
+ if (!dss)
+ return -1;
ret = bignum_bitcount(dss->p);
dss_freekey(dss);
return ret;
}
-static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
+Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,
+ unsigned char *digest, int digest_len)
{
/*
* The basic DSS signing algorithm is:
* Computer Security Group for helping to argue out all the
* fine details.
*/
- struct dss_key *dss = (struct dss_key *) key;
SHA512_State ss;
- unsigned char digest[20], digest512[64];
- Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
- unsigned char *bytes;
- int nbytes, i;
-
- SHA_Simple(data, datalen, digest);
+ unsigned char digest512[64];
+ Bignum proto_k, k;
/*
* Hash some identifying text plus x.
*/
SHA512_Init(&ss);
- SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
- sha512_mpint(&ss, dss->x);
+ SHA512_Bytes(&ss, id_string, strlen(id_string) + 1);
+ sha512_mpint(&ss, private_key);
SHA512_Final(&ss, digest512);
/*
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
- SHA512_Bytes(&ss, digest, sizeof(digest));
- SHA512_Final(&ss, digest512);
+ SHA512_Bytes(&ss, digest, digest_len);
+
+ while (1) {
+ SHA512_State ss2 = ss; /* structure copy */
+ SHA512_Final(&ss2, digest512);
+
+ smemclr(&ss2, sizeof(ss2));
+
+ /*
+ * Now convert the result into a bignum, and reduce it mod q.
+ */
+ proto_k = bignum_from_bytes(digest512, 64);
+ k = bigmod(proto_k, modulus);
+ freebn(proto_k);
+
+ if (bignum_cmp(k, One) != 0 && bignum_cmp(k, Zero) != 0) {
+ smemclr(&ss, sizeof(ss));
+ smemclr(digest512, sizeof(digest512));
+ return k;
+ }
+
+ /* Very unlikely we get here, but if so, k was unsuitable. */
+ freebn(k);
+ /* Perturb the hash to think of a different k. */
+ SHA512_Bytes(&ss, "x", 1);
+ /* Go round and try again. */
+ }
+}
- memset(&ss, 0, sizeof(ss));
+static unsigned char *dss_sign(void *key, const char *data, int datalen,
+ int *siglen)
+{
+ struct dss_key *dss = (struct dss_key *) key;
+ Bignum k, gkp, hash, kinv, hxr, r, s;
+ unsigned char digest[20];
+ unsigned char *bytes;
+ int nbytes, i;
- /*
- * Now convert the result into a bignum, and reduce it mod q.
- */
- proto_k = bignum_from_bytes(digest512, 64);
- k = bigmod(proto_k, dss->q);
- freebn(proto_k);
+ SHA_Simple(data, datalen, digest);
- memset(digest512, 0, sizeof(digest512));
+ k = dss_gen_k("DSA deterministic k generator", dss->q, dss->x,
+ digest, sizeof(digest));
+ kinv = modinv(k, dss->q); /* k^-1 mod q */
+ assert(kinv);
/*
* Now we have k, so just go ahead and compute the signature.
freebn(gkp);
hash = bignum_from_bytes(digest, 20);
- kinv = modinv(k, dss->q); /* k^-1 mod q */
hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */
s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
freebn(hxr);
freebn(kinv);
+ freebn(k);
freebn(hash);
/*
dss_createkey,
dss_openssh_createkey,
dss_openssh_fmtkey,
+ 5 /* p,q,g,y,x */,
dss_pubkey_bits,
- dss_fingerprint,
dss_verifysig,
dss_sign,
"ssh-dss",
- "dss"
+ "dss",
+ NULL,
};