/* Public key blob as used by Pageant: exponent before modulus. */ unsigned char *rsa_public_blob(struct RSAKey *key, int *len) { int length, pos; unsigned char *ret; length = (ssh1_bignum_length(key->modulus) + ssh1_bignum_length(key->exponent) + 4); ret = snewn(length, unsigned char); PUT_32BIT(ret, bignum_bitcount(key->modulus)); pos = 4; pos += ssh1_write_bignum(ret + pos, key->exponent); pos += ssh1_write_bignum(ret + pos, key->modulus); *len = length; return ret; }
/* * DH stage 1: invent a number x between 1 and q, and compute e = * g^x mod p. Return e. * * If `nbits' is greater than zero, it is used as an upper limit * for the number of bits in x. This is safe provided that (a) you * use twice as many bits in x as the number of bits you expect to * use in your session key, and (b) the DH group is a safe prime * (which SSH demands that it must be). * * P. C. van Oorschot, M. J. Wiener * "On Diffie-Hellman Key Agreement with Short Exponents". * Advances in Cryptology: Proceedings of Eurocrypt '96 * Springer-Verlag, May 1996. */ Bignum dh_create_e(void *handle, int nbits) { struct dh_ctx *ctx = (struct dh_ctx *)handle; int i; int nbytes; unsigned char *buf; nbytes = ssh1_bignum_length(ctx->qmask); buf = snewn(nbytes, unsigned char); do { /* * Create a potential x, by ANDing a string of random bytes * with qmask. */ if (ctx->x) freebn(ctx->x); if (nbits == 0 || nbits > bignum_bitcount(ctx->qmask)) { ssh1_write_bignum(buf, ctx->qmask); for (i = 2; i < nbytes; i++) buf[i] &= random_byte(); ssh1_read_bignum(buf, nbytes, &ctx->x); /* can't fail */ } else { int b, nb; ctx->x = bn_power_2(nbits); b = nb = 0; for (i = 0; i < nbits; i++) { if (nb == 0) { nb = 8; b = random_byte(); } bignum_set_bit(ctx->x, i, b & 1); b >>= 1; nb--; } } } while (bignum_cmp(ctx->x, One) <= 0 || bignum_cmp(ctx->x, ctx->q) >= 0); sfree(buf); /* * Done. Now compute e = g^x mod p. */ ctx->e = modpow(ctx->g, ctx->x, ctx->p); return ctx->e; }
/* * Save an RSA key file. Return nonzero on success. */ int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase) { unsigned char buf[16384]; unsigned char keybuf[16]; struct MD5Context md5c; unsigned char *p, *estart; FILE *fp; /* * Write the initial signature. */ p = buf; memcpy(p, rsa_signature, sizeof(rsa_signature)); p += sizeof(rsa_signature); /* * One byte giving encryption type, and one reserved (zero) * uint32. */ *p++ = (passphrase ? SSH_CIPHER_3DES : 0); PUT_32BIT(p, 0); p += 4; /* * An ordinary SSH-1 public key consists of: a uint32 * containing the bit count, then two bignums containing the * modulus and exponent respectively. */ PUT_32BIT(p, bignum_bitcount(key->modulus)); p += 4; p += ssh1_write_bignum(p, key->modulus); p += ssh1_write_bignum(p, key->exponent); /* * A string containing the comment field. */ if (key->comment) { PUT_32BIT(p, strlen(key->comment)); p += 4; memcpy(p, key->comment, strlen(key->comment)); p += strlen(key->comment); } else { PUT_32BIT(p, 0); p += 4; } /* * The encrypted portion starts here. */ estart = p; /* * Two bytes, then the same two bytes repeated. */ *p++ = random_byte(); *p++ = random_byte(); p[0] = p[-2]; p[1] = p[-1]; p += 2; /* * Four more bignums: the decryption exponent, then iqmp, then * q, then p. */ p += ssh1_write_bignum(p, key->private_exponent); p += ssh1_write_bignum(p, key->iqmp); p += ssh1_write_bignum(p, key->q); p += ssh1_write_bignum(p, key->p); /* * Now write zeros until the encrypted portion is a multiple of * 8 bytes. */ while ((p - estart) % 8) *p++ = '\0'; /* * Now encrypt the encrypted portion. */ if (passphrase) { MD5Init(&md5c); MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase)); MD5Final(keybuf, &md5c); des3_encrypt_pubkey(keybuf, estart, p - estart); smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */ } /* * Done. Write the result to the file. */ fp = f_open(filename, "wb", TRUE); if (fp) { int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf)); if (fclose(fp)) ret = 0; return ret; } else return 0; }