X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=sshdss.c;h=20a5e7fa61247742a8d961a2858c213a74dbbbb1;hb=510f49e405e71ba5c97875e7a019364e1ef5fac9;hp=41974c2353be18669bd371b5930d31b58608e1b7;hpb=6eec320f0b3606f17f06a290acdbb8f84afdff00;p=PuTTY.git
diff --git a/sshdss.c b/sshdss.c
index 41974c23..20a5e7fa 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -1,3 +1,7 @@ +/* + * Digital Signature Standard implementation for PuTTY. + */ + #include #include #include
@@ -16,7 +20,7 @@ static void sha_mpint(SHA_State * s, Bignum b) lenbuf[0] = bignum_byte(b, len); SHA_Bytes(s, lenbuf, 1); } - memset(lenbuf, 0, sizeof(lenbuf)); + smemclr(lenbuf, sizeof(lenbuf)); } static void sha512_mpint(SHA512_State * s, Bignum b)
@@ -30,15 +34,18 @@ static void sha512_mpint(SHA512_State * s, Bignum b) lenbuf[0] = bignum_byte(b, len); SHA512_Bytes(s, lenbuf, 1); } - memset(lenbuf, 0, sizeof(lenbuf)); + smemclr(lenbuf, sizeof(lenbuf)); } -static void getstring(char **data, int *datalen, char **p, int *length) +static void getstring(const char **data, int *datalen, + const char **p, int *length) { *p = NULL; if (*datalen < 4) return; - *length = GET_32BIT(*data); + *length = toint(GET_32BIT(*data)); + if (*length < 0) + return; *datalen -= 4; *data += 4; if (*datalen < *length)
@@ -47,9 +54,9 @@ static void getstring(char **data, int *datalen, char **p, int *length) *data += *length; *datalen -= *length; } -static Bignum getmp(char **data, int *datalen) +static Bignum getmp(const char **data, int *datalen) { - char *p; + const char *p; int length; Bignum b;
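Review bot: getstring has no comment stating its failure contract, and the new `*length < 0` early return in the third hunk adds another way to come back with `*p` still NULL. On the `*datalen < 4` path `*length` is never written, and on the new path it holds a negative value, so `*p` is the only reliable success signal. I would put `/* On failure *p is NULL and *length is not meaningful; test *p before using *length. */` above the definition. The function's tail is in the following hunk and the line that sets `*p` on success is not shown.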
@@ -58,30 +65,34 @@ static Bignum getmp(char **data, int *datalen) return NULL; if (p[0] & 0x80) return NULL; /* negative mp */ - b = bignum_from_bytes((unsigned char *)p, length); + b = bignum_from_bytes((const unsigned char *)p, length); return b; } -static Bignum get160(char **data, int *datalen) +static Bignum get160(const char **data, int *datalen) { Bignum b; - b = bignum_from_bytes((unsigned char *)*data, 20); + if (*datalen < 20) + return NULL; + + b = bignum_from_bytes((const unsigned char *)*data, 20); *data += 20; *datalen -= 20; return b; } -static void *dss_newkey(char *data, int len) +static void dss_freekey(void *key); /* forward reference */ + +static void *dss_newkey(const struct ssh_signkey *self, + const char *data, int len) { - char *p; + const char *p; int slen; struct dss_key *dss; dss = snew(struct dss_key); - if (!dss) - return NULL; getstring(&data, &len, &p, &slen); #ifdef DEBUG_DSS
@@ -94,7 +105,7 @@ static void *dss_newkey(char *data, int len) } #endif - if (!p || memcmp(p, "ssh-dss", 7)) { + if (!p || slen != 7 || memcmp(p, "ssh-dss", 7)) { sfree(dss); return NULL; }
@@ -102,6 +113,14 @@ static void *dss_newkey(char *data, int len) dss->q = getmp(&data, &len); dss->g = getmp(&data, &len); dss->y = getmp(&data, &len); + dss->x = NULL; + + if (!dss->p || !dss->q || !dss->g || !dss->y || + !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) { + /* Invalid key. */ + dss_freekey(dss); + return NULL; + } return dss; }
@@ -109,10 +128,16 @@ static void *dss_newkey(char *data, int len) static void dss_freekey(void *key) { struct dss_key *dss = (struct dss_key *) key; - freebn(dss->p); - freebn(dss->q); - freebn(dss->g); - freebn(dss->y); + if (dss->p) + freebn(dss->p); + if (dss->q) + freebn(dss->q); + if (dss->g) + freebn(dss->g); + if (dss->y) + freebn(dss->y); + if (dss->x) + freebn(dss->x); sfree(dss); }
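Review bot: In getmp (first hunk) `p[0] & 0x80` is evaluated without first checking that `length` is non-zero. getstring's bound check `*datalen < *length` accepts a zero-length string, so for an empty mpint `p` points just past the field, and when that field is the last one in the blob the read lands past the end of the caller's buffer. Guarding the sign test as `if (length > 0 && (p[0] & 0x80))` keeps the read inside the data. The call that fills `p` and `length` sits between the hunks and is not visible, so this assumes it is the getstring call.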
@@ -166,48 +191,11 @@ static char *dss_fmtkey(void *key) return p; } -static char *dss_fingerprint(void *key) +static int dss_verifysig(void *key, const char *sig, int siglen, + const char *data, int datalen) { struct dss_key *dss = (struct dss_key *) key; - struct MD5Context md5c; - unsigned char digest[16], lenbuf[4]; - char buffer[16 * 3 + 40]; - char *ret; - int numlen, i; - - MD5Init(&md5c); - MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-dss", 11); - -#define ADD_BIGNUM(bignum) \ - numlen = (bignum_bitcount(bignum)+8)/8; \ - PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \ - for (i = numlen; i-- ;) { \ - unsigned char c = bignum_byte(bignum, i); \ - MD5Update(&md5c, &c, 1); \ - } - ADD_BIGNUM(dss->p); - ADD_BIGNUM(dss->q); - ADD_BIGNUM(dss->g); - ADD_BIGNUM(dss->y); -#undef ADD_BIGNUM - - MD5Final(digest, &md5c); - - sprintf(buffer, "ssh-dss %d ", bignum_bitcount(dss->p)); - for (i = 0; i < 16; i++) - sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "", - digest[i]); - ret = snewn(strlen(buffer) + 1, char); - if (ret) - strcpy(ret, buffer); - return ret; -} - -static int dss_verifysig(void *key, char *sig, int siglen, - char *data, int datalen) -{ - struct dss_key *dss = (struct dss_key *) key; - char *p; + const char *p; int slen; char hash[20]; Bignum r, s, w, gu1p, yu2p, gu1yu2p, u1, u2, sha, v; 
@@ -227,14 +215,14 @@ static int dss_verifysig(void *key, char *sig, int siglen, #endif /* * Commercial SSH (2.0.13) and OpenSSH disagree over the format - * of a DSA signature. OpenSSH is in line with the IETF drafts: + * of a DSA signature. OpenSSH is in line with RFC 4253: * it uses a string "ssh-dss", followed by a 40-byte string * containing two 160-bit integers end-to-end. Commercial SSH * can't be bothered with the header bit, and considers a DSA * signature blob to be _just_ the 40-byte string containing * the two 160-bit integers. We tell them apart by measuring * the length: length 40 means the commercial-SSH bug, anything - * else is assumed to be IETF-compliant. + * else is assumed to be RFC-compliant. */ if (siglen != 40) { /* bug not present; read admin fields */ getstring(&sig, &siglen, &p, &slen);
@@ -245,13 +233,29 @@ static int dss_verifysig(void *key, char *sig, int siglen, } r = get160(&sig, &siglen); s = get160(&sig, &siglen); - if (!r || !s) + if (!r || !s) { + if (r) + freebn(r); + if (s) + freebn(s); return 0; + } + + if (!bignum_cmp(s, Zero)) { + freebn(r); + freebn(s); + return 0; + } /* * Step 1. w <- s^-1 mod q. */ w = modinv(s, dss->q); + if (!w) { + freebn(r); + freebn(s); + return 0; + } /* * Step 2. u1 <- SHA(message) * w mod q.
@@ -283,6 +287,8 @@ static int dss_verifysig(void *key, char *sig, int siglen, freebn(w); freebn(sha); + freebn(u1); + freebn(u2); freebn(gu1p); freebn(yu2p); freebn(gu1yu2p);
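Review bot: The guard added in the second hunk of dss_verifysig rejects only `s == 0`; `r` is never compared with zero and neither value is compared with `dss->q`, whereas DSA verification is defined only for 0 < r < q and 0 < s < q. The later `!w` test catches an `s` with no inverse but not one that is merely out of range. I would widen the condition to `if (!bignum_cmp(r, Zero) || !bignum_cmp(s, Zero) || bignum_cmp(r, dss->q) >= 0 || bignum_cmp(s, dss->q) >= 0) {` with the same cleanup body. This assumes bignum_cmp returns a signed ordering; the visible code only uses it for equality, so confirm before relying on `>= 0`.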
@@ -361,19 +367,26 @@ static unsigned char *dss_private_blob(void *key, int *len) return blob; } -static void *dss_createkey(unsigned char *pub_blob, int pub_len, - unsigned char *priv_blob, int priv_len) +static void *dss_createkey(const struct ssh_signkey *self, + const unsigned char *pub_blob, int pub_len, + const unsigned char *priv_blob, int priv_len) { struct dss_key *dss; - char *pb = (char *) priv_blob; - char *hash; + const char *pb = (const char *) priv_blob; + const char *hash; int hashlen; SHA_State s; unsigned char digest[20]; Bignum ytest; - dss = dss_newkey((char *) pub_blob, pub_len); + dss = dss_newkey(self, (char *) pub_blob, pub_len); + if (!dss) + return NULL; dss->x = getmp(&pb, &priv_len); + if (!dss->x) { + dss_freekey(dss); + return NULL; + } /* * Check the obsolete hash in the old DSS key format.
@@ -398,6 +411,7 @@ static void *dss_createkey(unsigned char *pub_blob, int pub_len, ytest = modpow(dss->g, dss->x, dss->p); if (0 != bignum_cmp(ytest, dss->y)) { dss_freekey(dss); + freebn(ytest); return NULL; } freebn(ytest);
@@ -405,14 +419,13 @@ static void *dss_createkey(unsigned char *pub_blob, int pub_len, return dss; } -static void *dss_openssh_createkey(unsigned char **blob, int *len) +static void *dss_openssh_createkey(const struct ssh_signkey *self, + const unsigned char **blob, int *len) { - char **b = (char **) blob; + const char **b = (const char **) blob; struct dss_key *dss; dss = snew(struct dss_key); - if (!dss) - return NULL; dss->p = getmp(b, len); dss->q = getmp(b, len);
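Review bot: The new call in dss_createkey (first hunk) casts `pub_blob` with `(char *)`, which silently drops the `const` the commit has just added to that parameter, only for dss_newkey to take a `const char *` anyway. Writing it as `dss = dss_newkey(self, (const char *) pub_blob, pub_len);` matches the cast used in dss_pubkey_bits and keeps the const-correctness the rest of the change establishes. The function body continues past the end of this hunk.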
@@ -420,14 +433,11 @@ static void *dss_openssh_createkey(unsigned char **blob, int *len) dss->y = getmp(b, len); dss->x = getmp(b, len); - if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x) { - sfree(dss->p); - sfree(dss->q); - sfree(dss->g); - sfree(dss->y); - sfree(dss->x); - sfree(dss); - return NULL; + if (!dss->p || !dss->q || !dss->g || !dss->y || !dss->x || + !bignum_cmp(dss->q, Zero) || !bignum_cmp(dss->p, Zero)) { + /* Invalid key. */ + dss_freekey(dss); + return NULL; } return dss;
@@ -461,19 +471,23 @@ static int dss_openssh_fmtkey(void *key, unsigned char *blob, int len) return bloblen; } -static int dss_pubkey_bits(void *blob, int len) +static int dss_pubkey_bits(const struct ssh_signkey *self, + const void *blob, int len) { struct dss_key *dss; int ret; - dss = dss_newkey((char *) blob, len); + dss = dss_newkey(self, (const char *) blob, len); + if (!dss) + return -1; ret = bignum_bitcount(dss->p); dss_freekey(dss); return ret; } -static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) +Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key, + unsigned char *digest, int digest_len) { /* * The basic DSS signing algorithm is:
@@ -546,21 +560,16 @@ static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) * Computer Security Group for helping to argue out all the * fine details. */ - struct dss_key *dss = (struct dss_key *) key; SHA512_State ss; - unsigned char digest[20], digest512[64]; - Bignum proto_k, k, gkp, hash, kinv, hxr, r, s; - unsigned char *bytes; - int nbytes, i; - - SHA_Simple(data, datalen, digest); + unsigned char digest512[64]; + Bignum proto_k, k; /* * Hash some identifying text plus x. */ SHA512_Init(&ss); - SHA512_Bytes(&ss, "DSA deterministic k generator", 30); - sha512_mpint(&ss, dss->x); + SHA512_Bytes(&ss, id_string, strlen(id_string) + 1); + sha512_mpint(&ss, private_key); SHA512_Final(&ss, digest512); /*
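Review bot: dss_openssh_createkey (first hunk) accepts a private exponent without checking that it matches the public value, while dss_createkey recomputes `modpow(dss->g, dss->x, dss->p)` and rejects the key when it differs from `dss->y`. A key file whose `x` and `y` disagree therefore loads through this path, and the mismatch only surfaces later as signatures that fail to verify. I would add the same consistency check after the NULL/zero test, freeing `ytest` on both outcomes. The function opens in the previous hunk and its closing brace is outside this one.
```c
    Bignum ytest;
    /* … unchanged: snew() and the five getmp() calls … */
    /* … unchanged: NULL / zero checks on p, q, g, y, x … */

    /* Reject a private exponent that does not match the public value. */
    ytest = modpow(dss->g, dss->x, dss->p);
    if (0 != bignum_cmp(ytest, dss->y)) {
        freebn(ytest);
        dss_freekey(dss);
        return NULL;
    }
    freebn(ytest);
```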
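Review bot: dss_gen_k is declared in the second hunk as returning `Bignum *`, but its body in the following hunks ends with `return k;` where `k` is declared as `Bignum`, and dss_sign stores the result in a `Bignum k`. Unless `Bignum` is a type for which the extra level of indirection is harmless, that is a pointer-type mismatch the compiler will at best warn about; the signature should start `Bignum dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,`. The function is also non-static and no prototype for it appears in this diff, so a matching declaration in a shared header would be needed for any other caller.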
@@ -568,19 +577,50 @@ static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) */ SHA512_Init(&ss); SHA512_Bytes(&ss, digest512, sizeof(digest512)); - SHA512_Bytes(&ss, digest, sizeof(digest)); - SHA512_Final(&ss, digest512); + SHA512_Bytes(&ss, digest, digest_len); + + while (1) { + SHA512_State ss2 = ss; /* structure copy */ + SHA512_Final(&ss2, digest512); + + smemclr(&ss2, sizeof(ss2)); + + /* + * Now convert the result into a bignum, and reduce it mod q. + */ + proto_k = bignum_from_bytes(digest512, 64); + k = bigmod(proto_k, modulus); + freebn(proto_k); + + if (bignum_cmp(k, One) != 0 && bignum_cmp(k, Zero) != 0) { + smemclr(&ss, sizeof(ss)); + smemclr(digest512, sizeof(digest512)); + return k; + } + + /* Very unlikely we get here, but if so, k was unsuitable. */ + freebn(k); + /* Perturb the hash to think of a different k. */ + SHA512_Bytes(&ss, "x", 1); + /* Go round and try again. */ + } +} - memset(&ss, 0, sizeof(ss)); +static unsigned char *dss_sign(void *key, const char *data, int datalen, + int *siglen) +{ + struct dss_key *dss = (struct dss_key *) key; + Bignum k, gkp, hash, kinv, hxr, r, s; + unsigned char digest[20]; + unsigned char *bytes; + int nbytes, i; - /* - * Now convert the result into a bignum, and reduce it mod q. - */ - proto_k = bignum_from_bytes(digest512, 64); - k = bigmod(proto_k, dss->q); - freebn(proto_k); + SHA_Simple(data, datalen, digest); - memset(digest512, 0, sizeof(digest512)); + k = dss_gen_k("DSA deterministic k generator", dss->q, dss->x, + digest, sizeof(digest)); + kinv = modinv(k, dss->q); /* k^-1 mod q */ + assert(kinv); /* * Now we have k, so just go ahead and compute the signature. 
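Review bot: `assert(kinv);` in dss_sign is the only guard on the result of `modinv(k, dss->q)`, and it disappears when the file is built with NDEBUG, after which a NULL `kinv` would reach `modmul`. dss_gen_k guarantees that k is neither 0 nor 1, but the key-loading code validates `q` only as non-zero, so a malformed key with a non-prime `q` could still leave k without an inverse. Handling it explicitly, e.g. `if (!kinv) { freebn(k); return NULL; }`, avoids both the abort and the dereference, provided callers of the sign method accept a NULL return, which is not visible here. dss_gen_k's body starts in the previous hunk and dss_sign continues in the next one.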
@@ -590,11 +630,11 @@ static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen) freebn(gkp); hash = bignum_from_bytes(digest, 20); - kinv = modinv(k, dss->q); /* k^-1 mod q */ hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */ s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */ freebn(hxr); freebn(kinv); + freebn(k); freebn(hash); /*
@@ -630,10 +670,11 @@ const struct ssh_signkey ssh_dss = { dss_createkey, dss_openssh_createkey, dss_openssh_fmtkey, + 5 /* p,q,g,y,x */, dss_pubkey_bits, - dss_fingerprint, dss_verifysig, dss_sign, "ssh-dss", - "dss" + "dss", + NULL, };