comparison rsa.c @ 1674:ba6fc7afe1c5

use sigtype where appropriate
author Matt Johnston <matt@ucc.asn.au>
date Mon, 06 Apr 2020 23:18:26 +0800
parents bb8eaa26bc93
children ae41624c2198
comparison
equal deleted inserted replaced
1668:49cb3cf4bd6f 1674:ba6fc7afe1c5
33 #include "bignum.h" 33 #include "bignum.h"
34 #include "rsa.h" 34 #include "rsa.h"
35 #include "buffer.h" 35 #include "buffer.h"
36 #include "ssh.h" 36 #include "ssh.h"
37 #include "dbrandom.h" 37 #include "dbrandom.h"
38 #include "signkey.h"
38 39
39 #if DROPBEAR_RSA 40 #if DROPBEAR_RSA
40 41
42 #if !(DROPBEAR_RSA_SHA1 || DROPBEAR_RSA_SHA256)
43 #error Somehow RSA was enabled with neither DROPBEAR_RSA_SHA1 nor DROPBEAR_RSA_SHA256
44 #endif
45
41 static void rsa_pad_em(const dropbear_rsa_key * key, 46 static void rsa_pad_em(const dropbear_rsa_key * key,
42 const buffer *data_buf, mp_int * rsa_em); 47 const buffer *data_buf, mp_int * rsa_em, enum signkey_type sigtype);
43 48
44 /* Load a public rsa key from a buffer, initialising the values. 49 /* Load a public rsa key from a buffer, initialising the values.
45 * The key will have the same format as buf_put_rsa_key. 50 * The key will have the same format as buf_put_rsa_key.
46 * These should be freed with rsa_key_free. 51 * These should be freed with rsa_key_free.
47 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ 52 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
189 } 194 }
190 195
191 #if DROPBEAR_SIGNKEY_VERIFY 196 #if DROPBEAR_SIGNKEY_VERIFY
192 /* Verify a signature in buf, made on data by the key given. 197 /* Verify a signature in buf, made on data by the key given.
193 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ 198 * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
194 int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key, const buffer *data_buf) { 199 int buf_rsa_verify(buffer * buf, const dropbear_rsa_key *key,
200 enum signkey_type sigtype, const buffer *data_buf) {
195 unsigned int slen; 201 unsigned int slen;
196 DEF_MP_INT(rsa_s); 202 DEF_MP_INT(rsa_s);
197 DEF_MP_INT(rsa_mdash); 203 DEF_MP_INT(rsa_mdash);
198 DEF_MP_INT(rsa_em); 204 DEF_MP_INT(rsa_em);
199 int ret = DROPBEAR_FAILURE; 205 int ret = DROPBEAR_FAILURE;
221 TRACE(("s > n-1")) 227 TRACE(("s > n-1"))
222 goto out; 228 goto out;
223 } 229 }
224 230
225 /* create the magic PKCS padded value */ 231 /* create the magic PKCS padded value */
226 rsa_pad_em(key, data_buf, &rsa_em); 232 rsa_pad_em(key, data_buf, &rsa_em, sigtype);
227 233
228 if (mp_exptmod(&rsa_s, key->e, key->n, &rsa_mdash) != MP_OKAY) { 234 if (mp_exptmod(&rsa_s, key->e, key->n, &rsa_mdash) != MP_OKAY) {
229 TRACE(("failed exptmod rsa_s")) 235 TRACE(("failed exptmod rsa_s"))
230 goto out; 236 goto out;
231 } 237 }
244 250
245 #endif /* DROPBEAR_SIGNKEY_VERIFY */ 251 #endif /* DROPBEAR_SIGNKEY_VERIFY */
246 252
247 /* Sign the data presented with key, writing the signature contents 253 /* Sign the data presented with key, writing the signature contents
248 * to the buffer */ 254 * to the buffer */
249 void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key, const buffer *data_buf) { 255 void buf_put_rsa_sign(buffer* buf, const dropbear_rsa_key *key,
250 unsigned int nsize, ssize; 256 enum signkey_type sigtype, const buffer *data_buf) {
257 const char *name = NULL;
258 unsigned int nsize, ssize, namelen = 0;
251 unsigned int i; 259 unsigned int i;
252 DEF_MP_INT(rsa_s); 260 DEF_MP_INT(rsa_s);
253 DEF_MP_INT(rsa_tmp1); 261 DEF_MP_INT(rsa_tmp1);
254 DEF_MP_INT(rsa_tmp2); 262 DEF_MP_INT(rsa_tmp2);
255 DEF_MP_INT(rsa_tmp3); 263 DEF_MP_INT(rsa_tmp3);
257 TRACE(("enter buf_put_rsa_sign")) 265 TRACE(("enter buf_put_rsa_sign"))
258 dropbear_assert(key != NULL); 266 dropbear_assert(key != NULL);
259 267
260 m_mp_init_multi(&rsa_s, &rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL); 268 m_mp_init_multi(&rsa_s, &rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
261 269
262 rsa_pad_em(key, data_buf, &rsa_tmp1); 270 rsa_pad_em(key, data_buf, &rsa_tmp1, sigtype);
263 271
264 /* the actual signing of the padded data */ 272 /* the actual signing of the padded data */
265 273
266 #if DROPBEAR_RSA_BLINDING 274 #if DROPBEAR_RSA_BLINDING
267 275
309 #endif /* DROPBEAR_RSA_BLINDING */ 317 #endif /* DROPBEAR_RSA_BLINDING */
310 318
311 mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL); 319 mp_clear_multi(&rsa_tmp1, &rsa_tmp2, &rsa_tmp3, NULL);
312 320
313 /* create the signature to return */ 321 /* create the signature to return */
314 buf_putstring(buf, SSH_SIGNKEY_RSA, SSH_SIGNKEY_RSA_LEN); 322 name = signature_name_from_type(sigtype, &namelen);
323 buf_putstring(buf, name, namelen);
315 324
316 nsize = mp_unsigned_bin_size(key->n); 325 nsize = mp_unsigned_bin_size(key->n);
317 326
318 /* string rsa_signature_blob length */ 327 /* string rsa_signature_blob length */
319 buf_putint(buf, nsize); 328 buf_putint(buf, nsize);
338 347
339 348
340 TRACE(("leave buf_put_rsa_sign")) 349 TRACE(("leave buf_put_rsa_sign"))
341 } 350 }
342 351
343 /* Creates the message value as expected by PKCS, see rfc2437 etc */ 352 /* Creates the message value as expected by PKCS,
344 /* format to be padded to is: 353 see rfc8017 section 9.2 */
345 * EM = 01 | FF* | 00 | prefix | hash
346 *
347 * where FF is repeated enough times to make EM one byte
348 * shorter than the size of key->n
349 *
350 * prefix is the ASN1 designator prefix,
351 * hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
352 *
353 * rsa_em must be a pointer to an initialised mp_int.
354 */
355 static void rsa_pad_em(const dropbear_rsa_key * key, 354 static void rsa_pad_em(const dropbear_rsa_key * key,
356 const buffer *data_buf, mp_int * rsa_em) { 355 const buffer *data_buf, mp_int * rsa_em, enum signkey_type sigtype) {
357 356 /* EM = 0x00 || 0x01 || PS || 0x00 || T
358 /* ASN1 designator (including the 0x00 preceding) */ 357 PS is padding of 0xff to make EM the size of key->n
359 const unsigned char rsa_asn1_magic[] = 358
360 {0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 359 T is the DER encoding of the hash alg (sha1 or sha256)
360 */
361
362 /* From rfc8017 page 46 */
363 #if DROPBEAR_RSA_SHA1
364 const unsigned char T_sha1[] =
365 {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b,
361 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; 366 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14};
362 const unsigned int RSA_ASN1_MAGIC_LEN = 16; 367 #endif
363 368 #if DROPBEAR_RSA_SHA256
369 const unsigned char T_sha256[] =
370 {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
371 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
372 #endif
373
374 int Tlen = 0;
375 const unsigned char *T = NULL;
376 const struct ltc_hash_descriptor *hash_desc = NULL;
364 buffer * rsa_EM = NULL; 377 buffer * rsa_EM = NULL;
365 hash_state hs; 378 hash_state hs;
366 unsigned int nsize; 379 unsigned int nsize;
367 380
368 dropbear_assert(key != NULL); 381 switch (sigtype) {
382 #if DROPBEAR_RSA_SHA1
383 case DROPBEAR_SIGNKEY_RSA:
384 Tlen = sizeof(T_sha1);
385 T = T_sha1;
386 hash_desc = &sha1_desc;
387 break;
388 #endif
389 #if DROPBEAR_RSA_SHA256
390 case DROPBEAR_SIGNKEY_RSA_SHA256:
391 Tlen = sizeof(T_sha256);
392 T = T_sha256;
393 hash_desc = &sha256_desc;
394 break;
395 #endif
396 default:
397 assert(0);
398 }
399
369 nsize = mp_unsigned_bin_size(key->n); 400 nsize = mp_unsigned_bin_size(key->n);
370 401
371 rsa_EM = buf_new(nsize-1); 402 rsa_EM = buf_new(nsize);
372 /* type byte */ 403 /* type byte */
404 buf_putbyte(rsa_EM, 0x00);
373 buf_putbyte(rsa_EM, 0x01); 405 buf_putbyte(rsa_EM, 0x01);
374 /* Padding with 0xFF bytes */ 406 /* Padding with PS 0xFF bytes */
375 while(rsa_EM->pos != rsa_EM->size - RSA_ASN1_MAGIC_LEN - SHA1_HASH_SIZE) { 407 while(rsa_EM->pos != rsa_EM->size - (1 + Tlen + hash_desc->hashsize)) {
376 buf_putbyte(rsa_EM, 0xff); 408 buf_putbyte(rsa_EM, 0xff);
377 } 409 }
410 buf_putbyte(rsa_EM, 0x00);
378 /* Magic ASN1 stuff */ 411 /* Magic ASN1 stuff */
379 memcpy(buf_getwriteptr(rsa_EM, RSA_ASN1_MAGIC_LEN), 412 buf_putbytes(rsa_EM, T, Tlen);
380 rsa_asn1_magic, RSA_ASN1_MAGIC_LEN);
381 buf_incrwritepos(rsa_EM, RSA_ASN1_MAGIC_LEN);
382 413
383 /* The hash of the data */ 414 /* The hash of the data */
384 sha1_init(&hs); 415 hash_desc->init(&hs);
385 sha1_process(&hs, data_buf->data, data_buf->len); 416 hash_desc->process(&hs, data_buf->data, data_buf->len);
386 sha1_done(&hs, buf_getwriteptr(rsa_EM, SHA1_HASH_SIZE)); 417 hash_desc->done(&hs, buf_getwriteptr(rsa_EM, hash_desc->hashsize));
387 buf_incrwritepos(rsa_EM, SHA1_HASH_SIZE); 418 buf_incrwritepos(rsa_EM, hash_desc->hashsize);
388 419
389 dropbear_assert(rsa_EM->pos == rsa_EM->size); 420 dropbear_assert(rsa_EM->pos == rsa_EM->size);
390 421
391 /* Create the mp_int from the encoded bytes */ 422 /* Create the mp_int from the encoded bytes */
392 buf_setpos(rsa_EM, 0); 423 buf_setpos(rsa_EM, 0);