bool rsa_ssh1_encrypt(unsigned char *data, int length, RSAKey *key) { mp_int *b1, *b2; int i; unsigned char *p; if (key->bytes < length + 4) return false; /* RSA key too short! */ memmove(data + key->bytes - length, data, length); data[0] = 0; data[1] = 2; size_t npad = key->bytes - length - 3; /* * Generate a sequence of nonzero padding bytes. We do this in a * reasonably uniform way and without having to loop round * retrying the random number generation, by first generating an * integer in [0,2^n) for an appropriately large n; then we * repeatedly multiply by 255 to give an integer in [0,255*2^n), * extract the top 8 bits to give an integer in [0,255), and mask * those bits off before multiplying up again for the next digit. * This gives us a sequence of numbers in [0,255), and of course * adding 1 to each of them gives numbers in [1,256) as we wanted. * * (You could imagine this being a sort of fixed-point operation: * given a uniformly random binary _fraction_, multiplying it by k * and subtracting off the integer part will yield you a sequence * of integers each in [0,k). I'm just doing that scaled up by a * power of 2 to avoid the fractions.) */ size_t random_bits = (npad + 16) * 8; mp_int *randval = mp_new(random_bits + 8); mp_int *tmp = mp_random_bits(random_bits); mp_copy_into(randval, tmp); mp_free(tmp); for (i = 2; i < key->bytes - length - 1; i++) { mp_mul_integer_into(randval, randval, 255); uint8_t byte = mp_get_byte(randval, random_bits / 8); assert(byte != 255); data[i] = byte + 1; mp_reduce_mod_2to(randval, random_bits); } mp_free(randval); data[key->bytes - length - 1] = 0; b1 = mp_from_bytes_be(make_ptrlen(data, key->bytes)); b2 = mp_modpow(b1, key->exponent, key->modulus); p = data; for (i = key->bytes; i--;) { *p++ = mp_get_byte(b2, i); } mp_free(b1); mp_free(b2); return true; }
/* * Generate a fingerprint string for the key. Compatible with the * OpenSSH fingerprint code. */ char *rsa_ssh1_fingerprint(RSAKey *key) { unsigned char digest[16]; strbuf *out; int i; /* * The hash preimage for SSH-1 key fingerprinting consists of the * modulus and exponent _without_ any preceding length field - * just the minimum number of bytes to represent each integer, * stored big-endian, concatenated with no marker at the division * between them. */ ssh_hash *hash = ssh_hash_new(&ssh_md5); for (size_t i = (mp_get_nbits(key->modulus) + 7) / 8; i-- > 0 ;) put_byte(hash, mp_get_byte(key->modulus, i)); for (size_t i = (mp_get_nbits(key->exponent) + 7) / 8; i-- > 0 ;) put_byte(hash, mp_get_byte(key->exponent, i)); ssh_hash_final(hash, digest); out = strbuf_new(); strbuf_catf(out, "%d ", mp_get_nbits(key->modulus)); for (i = 0; i < 16; i++) strbuf_catf(out, "%s%02x", i ? ":" : "", digest[i]); if (key->comment) strbuf_catf(out, " %s", key->comment); return strbuf_to_str(out); }
static void rsa2_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs) { RSAKey *rsa = container_of(key, RSAKey, sshk); unsigned char *bytes; size_t nbytes; mp_int *in, *out; const ssh_hashalg *halg; const char *sign_alg_name; halg = rsa2_hash_alg_for_flags(flags, &sign_alg_name); nbytes = (mp_get_nbits(rsa->modulus) + 7) / 8; bytes = rsa_pkcs1_signature_string(nbytes, halg, data); in = mp_from_bytes_be(make_ptrlen(bytes, nbytes)); smemclr(bytes, nbytes); sfree(bytes); out = rsa_privkey_op(in, rsa); mp_free(in); put_stringz(bs, sign_alg_name); nbytes = (mp_get_nbits(out) + 7) / 8; put_uint32(bs, nbytes); for (size_t i = 0; i < nbytes; i++) put_byte(bs, mp_get_byte(out, nbytes - 1 - i)); mp_free(out); }
bool rsa_ssh1_decrypt_pkcs1(mp_int *input, RSAKey *key, strbuf *outbuf) { strbuf *data = strbuf_new_nm(); bool success = false; BinarySource src[1]; { mp_int *b = rsa_ssh1_decrypt(input, key); for (size_t i = (mp_get_nbits(key->modulus) + 7) / 8; i-- > 0 ;) { put_byte(data, mp_get_byte(b, i)); } mp_free(b); } BinarySource_BARE_INIT(src, data->u, data->len); /* Check PKCS#1 formatting prefix */ if (get_byte(src) != 0) goto out; if (get_byte(src) != 2) goto out; while (1) { unsigned char byte = get_byte(src); if (get_err(src)) goto out; if (byte == 0) break; } /* Everything else is the payload */ success = true; put_data(outbuf, get_ptr(src), get_avail(src)); out: strbuf_free(data); return success; }
static void BinarySink_put_mp_le_unsigned(BinarySink *bs, mp_int *x) { size_t bytes = (mp_get_nbits(x) + 7) / 8; put_uint32(bs, bytes); for (size_t i = 0; i < bytes; ++i) put_byte(bs, mp_get_byte(x, i)); }
static void BinarySink_put_wpoint( BinarySink *bs, WeierstrassPoint *point, const struct ec_curve *curve, bool bare) { strbuf *sb; BinarySink *bs_inner; if (!bare) { /* * Encapsulate the raw data inside an outermost string layer. */ sb = strbuf_new(); bs_inner = BinarySink_UPCAST(sb); } else { /* * Just write the data directly to the output. */ bs_inner = bs; } if (ecc_weierstrass_is_identity(point)) { put_byte(bs_inner, 0); } else { mp_int *x, *y; ecc_weierstrass_get_affine(point, &x, &y); /* * For ECDSA, we only ever output uncompressed points. */ put_byte(bs_inner, 0x04); for (size_t i = curve->fieldBytes; i--;) put_byte(bs_inner, mp_get_byte(x, i)); for (size_t i = curve->fieldBytes; i--;) put_byte(bs_inner, mp_get_byte(y, i)); mp_free(x); mp_free(y); } if (!bare) put_stringsb(bs, sb); }
static void BinarySink_put_epoint( BinarySink *bs, EdwardsPoint *point, const struct ec_curve *curve, bool bare) { mp_int *x, *y; ecc_edwards_get_affine(point, &x, &y); assert(curve->fieldBytes >= 2); /* * EdDSA requires point compression. We store a single integer, * with bytes in little-endian order, which mostly contains y but * in which the topmost bit is the low bit of x. */ if (!bare) put_uint32(bs, curve->fieldBytes); /* string length field */ for (size_t i = 0; i < curve->fieldBytes - 1; i++) put_byte(bs, mp_get_byte(y, i)); put_byte(bs, (mp_get_byte(y, curve->fieldBytes - 1) & 0x7F) | (mp_get_bit(x, 0) << 7)); mp_free(x); mp_free(y); }
static bool rsa2_verify(ssh_key *key, ptrlen sig, ptrlen data) { RSAKey *rsa = container_of(key, RSAKey, sshk); BinarySource src[1]; ptrlen type, in_pl; mp_int *in, *out; /* If we need to support variable flags on verify, this is where they go */ const ssh_hashalg *halg = rsa2_hash_alg_for_flags(0, NULL); /* Start by making sure the key is even long enough to encode a * signature. If not, everything fails to verify. */ size_t nbytes = (mp_get_nbits(rsa->modulus) + 7) / 8; if (nbytes < rsa_pkcs1_length_of_fixed_parts(halg)) return false; BinarySource_BARE_INIT_PL(src, sig); type = get_string(src); /* * RFC 4253 section 6.6: the signature integer in an ssh-rsa * signature is 'without lengths or padding'. That is, we _don't_ * expect the usual leading zero byte if the topmost bit of the * first byte is set. (However, because of the possibility of * BUG_SSH2_RSA_PADDING at the other end, we tolerate it if it's * there.) So we can't use get_mp_ssh2, which enforces that * leading-byte scheme; instead we use get_string and * mp_from_bytes_be, which will tolerate anything. */ in_pl = get_string(src); if (get_err(src) || !ptrlen_eq_string(type, "ssh-rsa")) return false; in = mp_from_bytes_be(in_pl); out = mp_modpow(in, rsa->exponent, rsa->modulus); mp_free(in); unsigned diff = 0; unsigned char *bytes = rsa_pkcs1_signature_string(nbytes, halg, data); for (size_t i = 0; i < nbytes; i++) diff |= bytes[nbytes-1 - i] ^ mp_get_byte(out, i); smemclr(bytes, nbytes); sfree(bytes); mp_free(out); return diff == 0; }
EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg) { const struct ecsign_extra *extra = (const struct ecsign_extra *)alg->extra; struct ec_curve *curve = extra->curve(); assert(curve->type == EC_EDWARDS); ssh_hash *h = ssh_hash_new(extra->hash); for (size_t i = 0; i < curve->fieldBytes; ++i) put_byte(h, mp_get_byte(private_key, i)); unsigned char hash[MAX_HASH_LEN]; ssh_hash_final(h, hash); mp_int *exponent = eddsa_exponent_from_hash( make_ptrlen(hash, extra->hash->hlen), curve); EdwardsPoint *toret = ecc_edwards_multiply(curve->e.G, exponent); mp_free(exponent); return toret; }
static void eddsa_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs) { struct eddsa_key *ek = container_of(key, struct eddsa_key, sshk); const struct ecsign_extra *extra = (const struct ecsign_extra *)ek->sshk.vt->extra; assert(ek->privateKey); /* * EdDSA prescribes a specific method of generating the random * nonce integer for the signature. (A verifier can't tell * whether you followed that method, but it's important to * follow it anyway, because test vectors will want a specific * signature for a given message, and because this preserves * determinism of signatures even if the same signature were * made twice by different software.) */ /* * First, we hash the private key integer (bare, little-endian) * into a hash generating 2*fieldBytes of output. */ unsigned char hash[MAX_HASH_LEN]; ssh_hash *h = ssh_hash_new(extra->hash); for (size_t i = 0; i < ek->curve->fieldBytes; ++i) put_byte(h, mp_get_byte(ek->privateKey, i)); ssh_hash_final(h, hash); /* * The first half of the output hash is converted into an * integer a, by the standard EdDSA transformation. */ mp_int *a = eddsa_exponent_from_hash( make_ptrlen(hash, ek->curve->fieldBytes), ek->curve); /* * The second half of the hash of the private key is hashed again * with the message to be signed, and used as an exponent to * generate the signature point r. */ h = ssh_hash_new(extra->hash); put_data(h, hash + ek->curve->fieldBytes, extra->hash->hlen - ek->curve->fieldBytes); put_datapl(h, data); ssh_hash_final(h, hash); mp_int *log_r_unreduced = mp_from_bytes_le( make_ptrlen(hash, extra->hash->hlen)); mp_int *log_r = mp_mod(log_r_unreduced, ek->curve->e.G_order); mp_free(log_r_unreduced); EdwardsPoint *r = ecc_edwards_multiply(ek->curve->e.G, log_r); /* * Encode r now, because we'll need its encoding for the next * hashing step as well as to write into the actual signature. */ strbuf *r_enc = strbuf_new(); put_epoint(r_enc, r, ek->curve, true); /* omit string header */ ecc_edwards_point_free(r); /* * Compute the hash of (r || public key || message) just as * eddsa_verify does. */ mp_int *H = eddsa_signing_exponent_from_data( ek, extra, ptrlen_from_strbuf(r_enc), data); /* And then s = (log(r) + H*a) mod order(G). */ mp_int *Ha = mp_modmul(H, a, ek->curve->e.G_order); mp_int *s = mp_modadd(log_r, Ha, ek->curve->e.G_order); mp_free(H); mp_free(a); mp_free(Ha); mp_free(log_r); /* Format the output */ put_stringz(bs, ek->sshk.vt->ssh_id); put_uint32(bs, r_enc->len + ek->curve->fieldBytes); put_data(bs, r_enc->u, r_enc->len); strbuf_free(r_enc); for (size_t i = 0; i < ek->curve->fieldBytes; ++i) put_byte(bs, mp_get_byte(s, i)); mp_free(s); }
mp_int *ssh_rsakex_decrypt( RSAKey *rsa, const ssh_hashalg *h, ptrlen ciphertext) { mp_int *b1, *b2; int outlen, i; unsigned char *out; unsigned char labelhash[64]; ssh_hash *hash; BinarySource src[1]; const int HLEN = h->hlen; /* * Decryption side of the RSA key exchange operation. */ /* The length of the encrypted data should be exactly the length * in octets of the RSA modulus.. */ outlen = (7 + mp_get_nbits(rsa->modulus)) / 8; if (ciphertext.len != outlen) return NULL; /* Do the RSA decryption, and extract the result into a byte array. */ b1 = mp_from_bytes_be(ciphertext); b2 = rsa_privkey_op(b1, rsa); out = snewn(outlen, unsigned char); for (i = 0; i < outlen; i++) out[i] = mp_get_byte(b2, outlen-1-i); mp_free(b1); mp_free(b2); /* Do the OAEP masking operations, in the reverse order from encryption */ oaep_mask(h, out+HLEN+1, outlen-HLEN-1, out+1, HLEN); oaep_mask(h, out+1, HLEN, out+HLEN+1, outlen-HLEN-1); /* Check the leading byte is zero. */ if (out[0] != 0) { sfree(out); return NULL; } /* Check the label hash at position 1+HLEN */ assert(HLEN <= lenof(labelhash)); hash = ssh_hash_new(h); ssh_hash_final(hash, labelhash); if (memcmp(out + HLEN + 1, labelhash, HLEN)) { sfree(out); return NULL; } /* Expect zero bytes followed by a 1 byte */ for (i = 1 + 2 * HLEN; i < outlen; i++) { if (out[i] == 1) { i++; /* skip over the 1 byte */ break; } else if (out[i] != 1) { sfree(out); return NULL; } } /* And what's left is the input message data, which should be * encoded as an ordinary SSH-2 mpint. */ BinarySource_BARE_INIT(src, out + i, outlen - i); b1 = get_mp_ssh2(src); sfree(out); if (get_err(src) || get_avail(src) != 0) { mp_free(b1); return NULL; } /* Success! */ return b1; }
strbuf *ssh_rsakex_encrypt(RSAKey *rsa, const ssh_hashalg *h, ptrlen in) { mp_int *b1, *b2; int k, i; char *p; const int HLEN = h->hlen; /* * Here we encrypt using RSAES-OAEP. Essentially this means: * * - we have a SHA-based `mask generation function' which * creates a pseudo-random stream of mask data * deterministically from an input chunk of data. * * - we have a random chunk of data called a seed. * * - we use the seed to generate a mask which we XOR with our * plaintext. * * - then we use _the masked plaintext_ to generate a mask * which we XOR with the seed. * * - then we concatenate the masked seed and the masked * plaintext, and RSA-encrypt that lot. * * The result is that the data input to the encryption function * is random-looking and (hopefully) contains no exploitable * structure such as PKCS1-v1_5 does. * * For a precise specification, see RFC 3447, section 7.1.1. * Some of the variable names below are derived from that, so * it'd probably help to read it anyway. */ /* k denotes the length in octets of the RSA modulus. */ k = (7 + mp_get_nbits(rsa->modulus)) / 8; /* The length of the input data must be at most k - 2hLen - 2. */ assert(in.len > 0 && in.len <= k - 2*HLEN - 2); /* The length of the output data wants to be precisely k. */ strbuf *toret = strbuf_new_nm(); int outlen = k; unsigned char *out = strbuf_append(toret, outlen); /* * Now perform EME-OAEP encoding. First set up all the unmasked * output data. */ /* Leading byte zero. */ out[0] = 0; /* At position 1, the seed: HLEN bytes of random data. */ random_read(out + 1, HLEN); /* At position 1+HLEN, the data block DB, consisting of: */ /* The hash of the label (we only support an empty label here) */ { ssh_hash *s = ssh_hash_new(h); ssh_hash_final(s, out + HLEN + 1); } /* A bunch of zero octets */ memset(out + 2*HLEN + 1, 0, outlen - (2*HLEN + 1)); /* A single 1 octet, followed by the input message data. */ out[outlen - in.len - 1] = 1; memcpy(out + outlen - in.len, in.ptr, in.len); /* * Now use the seed data to mask the block DB. */ oaep_mask(h, out+1, HLEN, out+HLEN+1, outlen-HLEN-1); /* * And now use the masked DB to mask the seed itself. */ oaep_mask(h, out+HLEN+1, outlen-HLEN-1, out+1, HLEN); /* * Now `out' contains precisely the data we want to * RSA-encrypt. */ b1 = mp_from_bytes_be(make_ptrlen(out, outlen)); b2 = mp_modpow(b1, rsa->exponent, rsa->modulus); p = (char *)out; for (i = outlen; i--;) { *p++ = mp_get_byte(b2, i); } mp_free(b1); mp_free(b2); /* * And we're done. */ return toret; }