static mp_int *ecdsa_signing_exponent_from_data( const struct ec_curve *curve, const struct ecsign_extra *extra, ptrlen data) { /* Hash the data being signed. */ unsigned char hash[MAX_HASH_LEN]; ssh_hash *h = ssh_hash_new(extra->hash); put_datapl(h, data); ssh_hash_final(h, hash); /* * Take the leftmost b bits of the hash of the signed data (where * b is the number of bits in order(G)), interpreted big-endian. */ mp_int *z = mp_from_bytes_be(make_ptrlen(hash, extra->hash->hlen)); size_t zbits = mp_get_nbits(z); size_t nbits = mp_get_nbits(curve->w.G_order); size_t shift = zbits - nbits; /* Bound the shift count below at 0, using bit twiddling to avoid * a conditional branch */ shift &= ~-(shift >> (CHAR_BIT * sizeof(size_t) - 1)); mp_int *toret = mp_rshift_safe(z, shift); mp_free(z); return toret; }
static void oaep_mask(const ssh_hashalg *h, void *seed, int seedlen, void *vdata, int datalen) { unsigned char *data = (unsigned char *)vdata; unsigned count = 0; while (datalen > 0) { int i, max = (datalen > h->hlen ? h->hlen : datalen); ssh_hash *s; unsigned char hash[MAX_HASH_LEN]; assert(h->hlen <= MAX_HASH_LEN); s = ssh_hash_new(h); put_data(s, seed, seedlen); put_uint32(s, count); ssh_hash_final(s, hash); count++; for (i = 0; i < max; i++) data[i] ^= hash[i]; data += max; datalen -= max; } }
/* * Generate a fingerprint string for the key. Compatible with the * OpenSSH fingerprint code. */ char *rsa_ssh1_fingerprint(RSAKey *key) { unsigned char digest[16]; strbuf *out; int i; /* * The hash preimage for SSH-1 key fingerprinting consists of the * modulus and exponent _without_ any preceding length field - * just the minimum number of bytes to represent each integer, * stored big-endian, concatenated with no marker at the division * between them. */ ssh_hash *hash = ssh_hash_new(&ssh_md5); for (size_t i = (mp_get_nbits(key->modulus) + 7) / 8; i-- > 0 ;) put_byte(hash, mp_get_byte(key->modulus, i)); for (size_t i = (mp_get_nbits(key->exponent) + 7) / 8; i-- > 0 ;) put_byte(hash, mp_get_byte(key->exponent, i)); ssh_hash_final(hash, digest); out = strbuf_new(); strbuf_catf(out, "%d ", mp_get_nbits(key->modulus)); for (i = 0; i < 16; i++) strbuf_catf(out, "%s%02x", i ? ":" : "", digest[i]); if (key->comment) strbuf_catf(out, " %s", key->comment); return strbuf_to_str(out); }
static mp_int *eddsa_signing_exponent_from_data( struct eddsa_key *ek, const struct ecsign_extra *extra, ptrlen r_encoded, ptrlen data) { /* Hash (r || public key || message) */ unsigned char hash[MAX_HASH_LEN]; ssh_hash *h = ssh_hash_new(extra->hash); put_datapl(h, r_encoded); put_epoint(h, ek->publicKey, ek->curve, true); /* omit string header */ put_datapl(h, data); ssh_hash_final(h, hash); /* Convert to an integer */ mp_int *toret = mp_from_bytes_le(make_ptrlen(hash, extra->hash->hlen)); smemclr(hash, extra->hash->hlen); return toret; }
void bcrypt_genblock(int counter, const unsigned char hashed_passphrase[64], const unsigned char *salt, int saltbytes, unsigned char output[32]) { unsigned char hashed_salt[64]; /* Hash the input salt with the counter value optionally suffixed * to get our real 32-byte salt */ ssh_hash *h = ssh_hash_new(&ssh_sha512); put_data(h, salt, saltbytes); if (counter) put_uint32(h, counter); ssh_hash_final(h, hashed_salt); bcrypt_hash(hashed_passphrase, 64, hashed_salt, 64, output); smemclr(&hashed_salt, sizeof(hashed_salt)); }
EdwardsPoint *eddsa_public(mp_int *private_key, const ssh_keyalg *alg) { const struct ecsign_extra *extra = (const struct ecsign_extra *)alg->extra; struct ec_curve *curve = extra->curve(); assert(curve->type == EC_EDWARDS); ssh_hash *h = ssh_hash_new(extra->hash); for (size_t i = 0; i < curve->fieldBytes; ++i) put_byte(h, mp_get_byte(private_key, i)); unsigned char hash[MAX_HASH_LEN]; ssh_hash_final(h, hash); mp_int *exponent = eddsa_exponent_from_hash( make_ptrlen(hash, extra->hash->hlen), curve); EdwardsPoint *toret = ecc_edwards_multiply(curve->e.G, exponent); mp_free(exponent); return toret; }
static unsigned char *rsa_pkcs1_signature_string( size_t nbytes, const ssh_hashalg *halg, ptrlen data) { size_t fixed_parts = rsa_pkcs1_length_of_fixed_parts(halg); assert(nbytes >= fixed_parts); size_t padding = nbytes - fixed_parts; ptrlen asn1_prefix = rsa_pkcs1_prefix_for_hash(halg); unsigned char *bytes = snewn(nbytes, unsigned char); bytes[0] = 0; bytes[1] = 1; memset(bytes + 2, 0xFF, padding); memcpy(bytes + 2 + padding, asn1_prefix.ptr, asn1_prefix.len); ssh_hash *h = ssh_hash_new(halg); put_datapl(h, data); ssh_hash_final(h, bytes + 2 + padding + asn1_prefix.len); return bytes; }
static void eddsa_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs) { struct eddsa_key *ek = container_of(key, struct eddsa_key, sshk); const struct ecsign_extra *extra = (const struct ecsign_extra *)ek->sshk.vt->extra; assert(ek->privateKey); /* * EdDSA prescribes a specific method of generating the random * nonce integer for the signature. (A verifier can't tell * whether you followed that method, but it's important to * follow it anyway, because test vectors will want a specific * signature for a given message, and because this preserves * determinism of signatures even if the same signature were * made twice by different software.) */ /* * First, we hash the private key integer (bare, little-endian) * into a hash generating 2*fieldBytes of output. */ unsigned char hash[MAX_HASH_LEN]; ssh_hash *h = ssh_hash_new(extra->hash); for (size_t i = 0; i < ek->curve->fieldBytes; ++i) put_byte(h, mp_get_byte(ek->privateKey, i)); ssh_hash_final(h, hash); /* * The first half of the output hash is converted into an * integer a, by the standard EdDSA transformation. */ mp_int *a = eddsa_exponent_from_hash( make_ptrlen(hash, ek->curve->fieldBytes), ek->curve); /* * The second half of the hash of the private key is hashed again * with the message to be signed, and used as an exponent to * generate the signature point r. */ h = ssh_hash_new(extra->hash); put_data(h, hash + ek->curve->fieldBytes, extra->hash->hlen - ek->curve->fieldBytes); put_datapl(h, data); ssh_hash_final(h, hash); mp_int *log_r_unreduced = mp_from_bytes_le( make_ptrlen(hash, extra->hash->hlen)); mp_int *log_r = mp_mod(log_r_unreduced, ek->curve->e.G_order); mp_free(log_r_unreduced); EdwardsPoint *r = ecc_edwards_multiply(ek->curve->e.G, log_r); /* * Encode r now, because we'll need its encoding for the next * hashing step as well as to write into the actual signature. */ strbuf *r_enc = strbuf_new(); put_epoint(r_enc, r, ek->curve, true); /* omit string header */ ecc_edwards_point_free(r); /* * Compute the hash of (r || public key || message) just as * eddsa_verify does. */ mp_int *H = eddsa_signing_exponent_from_data( ek, extra, ptrlen_from_strbuf(r_enc), data); /* And then s = (log(r) + H*a) mod order(G). */ mp_int *Ha = mp_modmul(H, a, ek->curve->e.G_order); mp_int *s = mp_modadd(log_r, Ha, ek->curve->e.G_order); mp_free(H); mp_free(a); mp_free(Ha); mp_free(log_r); /* Format the output */ put_stringz(bs, ek->sshk.vt->ssh_id); put_uint32(bs, r_enc->len + ek->curve->fieldBytes); put_data(bs, r_enc->u, r_enc->len); strbuf_free(r_enc); for (size_t i = 0; i < ek->curve->fieldBytes; ++i) put_byte(bs, mp_get_byte(s, i)); mp_free(s); }
mp_int *ssh_rsakex_decrypt( RSAKey *rsa, const ssh_hashalg *h, ptrlen ciphertext) { mp_int *b1, *b2; int outlen, i; unsigned char *out; unsigned char labelhash[64]; ssh_hash *hash; BinarySource src[1]; const int HLEN = h->hlen; /* * Decryption side of the RSA key exchange operation. */ /* The length of the encrypted data should be exactly the length * in octets of the RSA modulus.. */ outlen = (7 + mp_get_nbits(rsa->modulus)) / 8; if (ciphertext.len != outlen) return NULL; /* Do the RSA decryption, and extract the result into a byte array. */ b1 = mp_from_bytes_be(ciphertext); b2 = rsa_privkey_op(b1, rsa); out = snewn(outlen, unsigned char); for (i = 0; i < outlen; i++) out[i] = mp_get_byte(b2, outlen-1-i); mp_free(b1); mp_free(b2); /* Do the OAEP masking operations, in the reverse order from encryption */ oaep_mask(h, out+HLEN+1, outlen-HLEN-1, out+1, HLEN); oaep_mask(h, out+1, HLEN, out+HLEN+1, outlen-HLEN-1); /* Check the leading byte is zero. */ if (out[0] != 0) { sfree(out); return NULL; } /* Check the label hash at position 1+HLEN */ assert(HLEN <= lenof(labelhash)); hash = ssh_hash_new(h); ssh_hash_final(hash, labelhash); if (memcmp(out + HLEN + 1, labelhash, HLEN)) { sfree(out); return NULL; } /* Expect zero bytes followed by a 1 byte */ for (i = 1 + 2 * HLEN; i < outlen; i++) { if (out[i] == 1) { i++; /* skip over the 1 byte */ break; } else if (out[i] != 1) { sfree(out); return NULL; } } /* And what's left is the input message data, which should be * encoded as an ordinary SSH-2 mpint. */ BinarySource_BARE_INIT(src, out + i, outlen - i); b1 = get_mp_ssh2(src); sfree(out); if (get_err(src) || get_avail(src) != 0) { mp_free(b1); return NULL; } /* Success! */ return b1; }
strbuf *ssh_rsakex_encrypt(RSAKey *rsa, const ssh_hashalg *h, ptrlen in) { mp_int *b1, *b2; int k, i; char *p; const int HLEN = h->hlen; /* * Here we encrypt using RSAES-OAEP. Essentially this means: * * - we have a SHA-based `mask generation function' which * creates a pseudo-random stream of mask data * deterministically from an input chunk of data. * * - we have a random chunk of data called a seed. * * - we use the seed to generate a mask which we XOR with our * plaintext. * * - then we use _the masked plaintext_ to generate a mask * which we XOR with the seed. * * - then we concatenate the masked seed and the masked * plaintext, and RSA-encrypt that lot. * * The result is that the data input to the encryption function * is random-looking and (hopefully) contains no exploitable * structure such as PKCS1-v1_5 does. * * For a precise specification, see RFC 3447, section 7.1.1. * Some of the variable names below are derived from that, so * it'd probably help to read it anyway. */ /* k denotes the length in octets of the RSA modulus. */ k = (7 + mp_get_nbits(rsa->modulus)) / 8; /* The length of the input data must be at most k - 2hLen - 2. */ assert(in.len > 0 && in.len <= k - 2*HLEN - 2); /* The length of the output data wants to be precisely k. */ strbuf *toret = strbuf_new_nm(); int outlen = k; unsigned char *out = strbuf_append(toret, outlen); /* * Now perform EME-OAEP encoding. First set up all the unmasked * output data. */ /* Leading byte zero. */ out[0] = 0; /* At position 1, the seed: HLEN bytes of random data. */ random_read(out + 1, HLEN); /* At position 1+HLEN, the data block DB, consisting of: */ /* The hash of the label (we only support an empty label here) */ { ssh_hash *s = ssh_hash_new(h); ssh_hash_final(s, out + HLEN + 1); } /* A bunch of zero octets */ memset(out + 2*HLEN + 1, 0, outlen - (2*HLEN + 1)); /* A single 1 octet, followed by the input message data. */ out[outlen - in.len - 1] = 1; memcpy(out + outlen - in.len, in.ptr, in.len); /* * Now use the seed data to mask the block DB. */ oaep_mask(h, out+1, HLEN, out+HLEN+1, outlen-HLEN-1); /* * And now use the masked DB to mask the seed itself. */ oaep_mask(h, out+HLEN+1, outlen-HLEN-1, out+1, HLEN); /* * Now `out' contains precisely the data we want to * RSA-encrypt. */ b1 = mp_from_bytes_be(make_ptrlen(out, outlen)); b2 = mp_modpow(b1, rsa->exponent, rsa->modulus); p = (char *)out; for (i = outlen; i--;) { *p++ = mp_get_byte(b2, i); } mp_free(b1); mp_free(b2); /* * And we're done. */ return toret; }