/* * Verify that the public data in an RSA key matches the private * data. We also check the private data itself: we ensure that p > * q and that iqmp really is the inverse of q mod p. */ bool rsa_verify(RSAKey *key) { mp_int *n, *ed, *pm1, *qm1; unsigned ok = 1; /* Preliminary checks: p,q must actually be nonzero. */ if (mp_eq_integer(key->p, 0) | mp_eq_integer(key->q, 0)) return false; /* n must equal pq. */ n = mp_mul(key->p, key->q); ok &= mp_cmp_eq(n, key->modulus); mp_free(n); /* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */ pm1 = mp_copy(key->p); mp_sub_integer_into(pm1, pm1, 1); ed = mp_modmul(key->exponent, key->private_exponent, pm1); mp_free(pm1); ok &= mp_eq_integer(ed, 1); mp_free(ed); qm1 = mp_copy(key->q); mp_sub_integer_into(qm1, qm1, 1); ed = mp_modmul(key->exponent, key->private_exponent, qm1); mp_free(qm1); ok &= mp_eq_integer(ed, 1); mp_free(ed); /* * Ensure p > q. * * I have seen key blobs in the wild which were generated with * p < q, so instead of rejecting the key in this case we * should instead flip them round into the canonical order of * p > q. This also involves regenerating iqmp. */ mp_int *p_new = mp_max(key->p, key->q); mp_int *q_new = mp_min(key->p, key->q); mp_free(key->p); mp_free(key->q); mp_free(key->iqmp); key->p = p_new; key->q = q_new; key->iqmp = mp_invert(key->q, key->p); return ok; }
static bool ecdsa_verify(ssh_key *key, ptrlen sig, ptrlen data) { struct ecdsa_key *ek = container_of(key, struct ecdsa_key, sshk); const struct ecsign_extra *extra = (const struct ecsign_extra *)ek->sshk.vt->extra; BinarySource src[1]; BinarySource_BARE_INIT_PL(src, sig); /* Check the signature starts with the algorithm name */ if (!ptrlen_eq_string(get_string(src), ek->sshk.vt->ssh_id)) return false; /* Everything else is nested inside a sub-string. Descend into that. */ ptrlen sigstr = get_string(src); if (get_err(src)) return false; BinarySource_BARE_INIT_PL(src, sigstr); /* Extract the signature integers r,s */ mp_int *r = get_mp_ssh2(src); mp_int *s = get_mp_ssh2(src); if (get_err(src)) { mp_free(r); mp_free(s); return false; } /* Basic sanity checks: 0 < r,s < order(G) */ unsigned invalid = 0; invalid |= mp_eq_integer(r, 0); invalid |= mp_eq_integer(s, 0); invalid |= mp_cmp_hs(r, ek->curve->w.G_order); invalid |= mp_cmp_hs(s, ek->curve->w.G_order); /* Get the hash of the signed data, converted to an integer */ mp_int *z = ecdsa_signing_exponent_from_data(ek->curve, extra, data); /* Verify the signature integers against the hash */ mp_int *w = mp_invert(s, ek->curve->w.G_order); mp_int *u1 = mp_modmul(z, w, ek->curve->w.G_order); mp_free(z); mp_int *u2 = mp_modmul(r, w, ek->curve->w.G_order); mp_free(w); WeierstrassPoint *u1G = ecc_weierstrass_multiply(ek->curve->w.G, u1); mp_free(u1); WeierstrassPoint *u2P = ecc_weierstrass_multiply(ek->publicKey, u2); mp_free(u2); WeierstrassPoint *sum = ecc_weierstrass_add_general(u1G, u2P); ecc_weierstrass_point_free(u1G); ecc_weierstrass_point_free(u2P); mp_int *x; ecc_weierstrass_get_affine(sum, &x, NULL); ecc_weierstrass_point_free(sum); mp_divmod_into(x, ek->curve->w.G_order, NULL, x); invalid |= (1 ^ mp_cmp_eq(r, x)); mp_free(x); mp_free(r); mp_free(s); return !invalid; }