/*
* data has already been hashed (probably with SHA or SHA-1).
* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
int
DSA_verify(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int siglen, DSA *dsa)
{
DSA_SIG *s;
unsigned char *der = NULL;
const unsigned char *p = sigbuf;
int derlen = -1;
int ret = -1;
s = DSA_SIG_new();
if (s == NULL)
return ret;
if (d2i_DSA_SIG(&s, &p, siglen) == NULL)
goto err;
/* Ensure signature uses DER and doesn't have trailing garbage */
derlen = i2d_DSA_SIG(s, &der);
if (derlen != siglen || memcmp(sigbuf, der, derlen))
goto err;
ret = DSA_do_verify(dgst, dgst_len, s, dsa);
err:
freezero(der, derlen);
DSA_SIG_free(s);
return ret;
}
static int pgpVerifySigDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
uint8_t *hash, size_t hashlen, int hash_algo)
{
int rc, ret;
struct pgpDigSigDSA_s *sig = pgpsig->data;
struct pgpDigKeyDSA_s *key = pgpkey->data;
if (!constructDSASigningKey(key)) {
rc = 1;
goto done;
}
if (!constructDSASignature(sig)) {
rc = 1;
goto done;
}
ret = DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key);
if (ret == 1)
{
/* Success */
rc = 0;
}
else
{
/* Failure */
rc = 1;
}
done:
return rc;
}
static isc_result_t
openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
isc_sha1_t *sha1ctx = dctx->opaque;
dst_key_t *key = dctx->key;
DSA *dsa = key->opaque;
DSA_SIG *dsasig;
int status = 0;
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
unsigned char *cp = sig->base;
isc_sha1_final(sha1ctx, digest);
if (sig->length < 2 * ISC_SHA1_DIGESTLENGTH + 1)
return (DST_R_VERIFYFAILURE);
cp++; /*%< Skip T */
dsasig = DSA_SIG_new();
dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
cp += ISC_SHA1_DIGESTLENGTH;
dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
cp += ISC_SHA1_DIGESTLENGTH;
status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
DSA_SIG_free(dsasig);
if (status <= 0)
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS);
}
int
_libssh2_dsa_sha1_verify(libssh2_dsa_ctx * dsactx,
const unsigned char *sig,
const unsigned char *m, unsigned long m_len)
{
unsigned char hash[SHA_DIGEST_LENGTH];
DSA_SIG * dsasig;
BIGNUM * r;
BIGNUM * s;
int ret = -1;
r = BN_new();
BN_bin2bn(sig, 20, r);
s = BN_new();
BN_bin2bn(sig + 20, 20, s);
dsasig = DSA_SIG_new();
#ifdef HAVE_OPAQUE_STRUCTS
DSA_SIG_set0(dsasig, r, s);
#else
dsasig->r = r;
dsasig->s = s;
#endif
if(!_libssh2_sha1(m, m_len, hash))
/* _libssh2_sha1() succeeded */
ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, dsasig, dsactx);
DSA_SIG_free(dsasig);
return (ret == 1) ? 0 : -1;
}
void sigver()
{
DSA *dsa=NULL;
char buf[1024];
int nmod=0;
unsigned char hash[20];
DSA_SIG *sig=DSA_SIG_new();
while(fgets(buf,sizeof buf,stdin) != NULL)
{
if(!strncmp(buf,"[mod = ",7))
{
nmod=atoi(buf+7);
if(dsa)
DSA_free(dsa);
dsa=DSA_new();
}
else if(!strncmp(buf,"P = ",4))
dsa->p=hex2bn(buf+4);
else if(!strncmp(buf,"Q = ",4))
dsa->q=hex2bn(buf+4);
else if(!strncmp(buf,"G = ",4))
{
dsa->g=hex2bn(buf+4);
printf("[mod = %d]\n\n",nmod);
pbn("P",dsa->p);
pbn("Q",dsa->q);
pbn("G",dsa->g);
putc('\n',stdout);
}
else if(!strncmp(buf,"Msg = ",6))
{
unsigned char msg[1024];
int n;
n=hex2bin(buf+6,msg);
pv("Msg",msg,n);
SHA1(msg,n,hash);
}
else if(!strncmp(buf,"Y = ",4))
dsa->pub_key=hex2bn(buf+4);
else if(!strncmp(buf,"R = ",4))
sig->r=hex2bn(buf+4);
else if(!strncmp(buf,"S = ",4))
{
sig->s=hex2bn(buf+4);
pbn("Y",dsa->pub_key);
pbn("R",sig->r);
pbn("S",sig->s);
printf("Result = %c\n",DSA_do_verify(hash,sizeof hash,sig,dsa)
? 'P' : 'F');
putc('\n',stdout);
}
}
}
/* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int siglen, DSA *dsa)
{
DSA_SIG *s;
/*
rdar://problem/20168109 and others
a binary compat issue with OpenSSL zd from zc
this change seems to be the problem, and is not critical
(for now).
*/
#if 0
const unsigned char *p = sigbuf;
unsigned char *der = NULL;
int derlen = -1;
#endif
int ret=-1;
#ifdef OPENSSL_FIPS
if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
{
DSAerr(DSA_F_DSA_VERIFY, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
return 0;
}
#endif
s = DSA_SIG_new();
if (s == NULL) return(ret);
/*
rdar://problem/20168109 and others
a binary compat issue with OpenSSL zd from zc
this change seems to be the problem, and is not critical
(for now).
*/
#if 0
if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
/* Ensure signature uses DER and doesn't have trailing garbage */
derlen = i2d_DSA_SIG(s, &der);
if (derlen != siglen || memcmp(sigbuf, der, derlen))
goto err;
#else
if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
#endif
ret=DSA_do_verify(dgst,dgst_len,s,dsa);
err:
/*
more from rdar://problem/20168109 and others
*/
#if 0
if (derlen > 0)
{
OPENSSL_cleanse(der, derlen);
OPENSSL_free(der);
}
#endif
DSA_SIG_free(s);
return(ret);
}
// Verification functions
bool OSSLDSA::verify(PublicKey* publicKey, const ByteString& originalData,
const ByteString& signature, const AsymMech::Type mechanism,
const void* param /* = NULL */, const size_t paramLen /* = 0 */)
{
if (mechanism == AsymMech::DSA)
{
// Separate implementation for DSA verification without hash computation
// Check if the private key is the right type
if (!publicKey->isOfType(OSSLDSAPublicKey::type))
{
ERROR_MSG("Invalid key type supplied");
return false;
}
// Perform the verify operation
OSSLDSAPublicKey* pk = (OSSLDSAPublicKey*) publicKey;
unsigned int sigLen = pk->getOutputLength();
if (signature.size() != sigLen)
return false;
DSA_SIG* sig = DSA_SIG_new();
if (sig == NULL)
return false;
const unsigned char *s = signature.const_byte_str();
sig->r = BN_bin2bn(s, sigLen / 2, NULL);
sig->s = BN_bin2bn(s + sigLen / 2, sigLen / 2, NULL);
if (sig->r == NULL || sig->s == NULL)
{
DSA_SIG_free(sig);
return false;
}
int dLen = originalData.size();
int ret = DSA_do_verify(originalData.const_byte_str(), dLen, sig, pk->getOSSLKey());
if (ret != 1)
{
if (ret < 0)
ERROR_MSG("DSA verify failed (0x%08X)", ERR_get_error());
DSA_SIG_free(sig);
return false;
}
DSA_SIG_free(sig);
return true;
}
else
{
// Call the generic function
return AsymmetricAlgorithm::verify(publicKey, originalData, signature, mechanism, param, paramLen);
}
}
bool OSSLDSA::verifyFinal(const ByteString& signature)
{
// Save necessary state before calling super class verifyFinal
OSSLDSAPublicKey* pk = (OSSLDSAPublicKey*) currentPublicKey;
if (!AsymmetricAlgorithm::verifyFinal(signature))
{
return false;
}
ByteString hash;
bool bFirstResult = pCurrentHash->hashFinal(hash);
delete pCurrentHash;
pCurrentHash = NULL;
if (!bFirstResult)
{
return false;
}
// Perform the verify operation
unsigned int sigLen = pk->getOutputLength();
if (signature.size() != sigLen)
return false;
DSA_SIG* sig = DSA_SIG_new();
if (sig == NULL)
return false;
const unsigned char *s = signature.const_byte_str();
sig->r = BN_bin2bn(s, sigLen / 2, NULL);
sig->s = BN_bin2bn(s + sigLen / 2, sigLen / 2, NULL);
if (sig->r == NULL || sig->s == NULL)
{
DSA_SIG_free(sig);
return false;
}
int ret = DSA_do_verify(&hash[0], hash.size(), sig, pk->getOSSLKey());
if (ret != 1)
{
if (ret < 0)
ERROR_MSG("DSA verify failed (0x%08X)", ERR_get_error());
DSA_SIG_free(sig);
return false;
}
DSA_SIG_free(sig);
return true;
}
/* returns
* 1: correct signature
* 0: incorrect signature
* -1: error
*/
int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int siglen, DSA *dsa)
{
DSA_SIG *s;
int ret=-1;
s = DSA_SIG_new();
if (s == NULL) return(ret);
if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
ret=DSA_do_verify(dgst,dgst_len,s,dsa);
err:
DSA_SIG_free(s);
return(ret);
}
ops_boolean_t ops_dsa_verify(const unsigned char *hash,size_t hash_length,
const ops_dsa_signature_t *sig,
const ops_dsa_public_key_t *dsa)
{
DSA_SIG *osig;
DSA *odsa;
int ret;
osig=DSA_SIG_new();
osig->r=sig->r;
osig->s=sig->s;
odsa=DSA_new();
odsa->p=dsa->p;
odsa->q=dsa->q;
odsa->g=dsa->g;
odsa->pub_key=dsa->y;
if (debug)
{
fprintf(stderr,"hash passed in:\n");
unsigned i;
for (i=0; i<hash_length; i++)
{
fprintf(stderr,"%02x ", hash[i]);
}
fprintf(stderr,"\n");
}
//printf("hash_length=%ld\n", hash_length);
//printf("Q=%d\n", BN_num_bytes(odsa->q));
unsigned int qlen=BN_num_bytes(odsa->q);
if (qlen < hash_length)
hash_length=qlen;
// ret=DSA_do_verify(hash,hash_length,osig,odsa);
ret=DSA_do_verify(hash,hash_length,osig,odsa);
if (debug)
{
fprintf(stderr,"ret=%d\n",ret);
}
assert(ret >= 0);
odsa->p=odsa->q=odsa->g=odsa->pub_key=NULL;
DSA_free(odsa);
osig->r=osig->s=NULL;
DSA_SIG_free(osig);
return ret != 0;
}
int HsOpenSSL_dsa_verify(DSA *dsa, const unsigned char *ddata, int dlen,
const BIGNUM *r, const BIGNUM *s) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
DSA_SIG* sig = DSA_SIG_new();
DSA_SIG_set0(sig, BN_dup(r), BN_dup(s));
int res = DSA_do_verify(ddata, dlen, sig, dsa);
DSA_SIG_free(sig);
return res;
#else
DSA_SIG sig;
sig.r = (BIGNUM *)r;
sig.s = (BIGNUM *)s;
return dsa->meth->dsa_do_verify(ddata, dlen, &sig, dsa);
#endif
}
unsigned
__ops_dsa_verify(const uint8_t *hash, size_t hash_length,
const __ops_dsa_sig_t *sig,
const __ops_dsa_pubkey_t *dsa)
{
unsigned qlen;
DSA_SIG *osig;
DSA *odsa;
int ret;
osig = DSA_SIG_new();
osig->r = sig->r;
osig->s = sig->s;
odsa = DSA_new();
odsa->p = dsa->p;
odsa->q = dsa->q;
odsa->g = dsa->g;
odsa->pub_key = dsa->y;
if (__ops_get_debug_level(__FILE__)) {
hexdump(stderr, "input hash", hash, hash_length);
(void) fprintf(stderr, "Q=%d\n", BN_num_bytes(odsa->q));
}
if ((qlen = (unsigned)BN_num_bytes(odsa->q)) < hash_length) {
hash_length = qlen;
}
ret = DSA_do_verify(hash, (int)hash_length, osig, odsa);
if (__ops_get_debug_level(__FILE__)) {
(void) fprintf(stderr, "ret=%d\n", ret);
}
if (ret < 0) {
(void) fprintf(stderr, "__ops_dsa_verify: DSA verification\n");
return 0;
}
odsa->p = odsa->q = odsa->g = odsa->pub_key = NULL;
DSA_free(odsa);
osig->r = osig->s = NULL;
DSA_SIG_free(osig);
return (unsigned)ret;
}
/* verify */
void DSASigner::verify(
const void *data,
size_t dataLen,
const void *sig,
size_t sigLen)
{
bool throwSigVerify = false;
DSA_SIG *dsaSig = NULL;
CSSM_RETURN crtn = CSSM_OK;
int irtn;
if(mDsaKey == NULL) {
CssmError::throwMe(CSSMERR_CSP_INTERNAL_ERROR);
}
if(mDsaKey->pub_key == NULL) {
CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_CLASS);
}
/* incoming sig is DER encoded....decode into internal format */
dsaSig = DSA_SIG_new();
crtn = DSASigDecode(dsaSig, sig, sigLen);
if(crtn) {
goto abort;
}
irtn = DSA_do_verify((unsigned char *)data, dataLen, dsaSig, mDsaKey);
if(irtn != 1) {
throwSigVerify = true;
}
abort:
if(dsaSig != NULL) {
DSA_SIG_free(dsaSig);
}
if(throwSigVerify) {
clearOpensslErrors();
CssmError::throwMe(CSSMERR_CSP_VERIFY_FAILED);
}
else if(crtn) {
CssmError::throwMe(crtn);
}
}
static int
xmlSecOpenSSLDsaSha1EvpVerify(int type ATTRIBUTE_UNUSED,
const unsigned char *dgst, unsigned int dgst_len,
const unsigned char *sigbuf, unsigned int siglen,
void *dsa) {
DSA_SIG *s;
int ret = -1;
s = DSA_SIG_new();
if (s == NULL) {
return(ret);
}
if(siglen != XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
NULL,
XMLSEC_ERRORS_R_INVALID_SIZE,
"invalid length %d (%d expected)",
siglen, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE);
goto err;
}
s->r = BN_bin2bn(sigbuf, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2, NULL);
s->s = BN_bin2bn(sigbuf + (XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2),
XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2, NULL);
if((s->r == NULL) || (s->s == NULL)) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"BN_bin2bn",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto err;
}
ret = DSA_do_verify(dgst, dgst_len, s, dsa);
err:
DSA_SIG_free(s);
return(ret);
}
int
_libssh2_dsa_sha1_verify(libssh2_dsa_ctx * dsactx,
const unsigned char *sig,
const unsigned char *m, unsigned long m_len)
{
unsigned char hash[SHA_DIGEST_LENGTH];
DSA_SIG dsasig;
int ret;
dsasig.r = BN_new();
BN_bin2bn(sig, 20, dsasig.r);
dsasig.s = BN_new();
BN_bin2bn(sig + 20, 20, dsasig.s);
libssh2_sha1(m, m_len, hash);
ret = DSA_do_verify(hash, SHA_DIGEST_LENGTH, &dsasig, dsactx);
BN_clear_free(dsasig.s);
BN_clear_free(dsasig.r);
return (ret == 1) ? 0 : -1;
}
bool
dsa160_key::verify(byte_array const& digest, byte_array const& signature) const
{
assert(type() != invalid);
assert(digest.size() == SHA256_DIGEST_LENGTH);
// The version of DSA currently implemented by OpenSSL only supports digests up to 160 bits.
int digest_size = 160/8;
DSA_SIG *sig = DSA_SIG_new();
if (!sig)
return false;
byte_array_iwrap<flurry::iarchive> read(signature);
read.archive() >> sig->r >> sig->s; // @todo Check if there's more data in the signature, fail.
int rc = DSA_do_verify((const unsigned char*)digest.const_data(), digest_size, sig, dsa_);
DSA_SIG_free(sig);
return rc == 1;
}
/** Add a DSA key to the tspc key file
*
* @param dsa the DSA param pointer filled with our key info
* @param host the hostname of the corresponding broker
* @param filename the keyfile to use
*
* @return 0 if error
* 1 if ok
*
*/
int
add_dsakey_to_keyfile(DSA *dsa, char *host, char *filename, tBoolean autoaccept)
{
FILE *fp = NULL;
Buffer buf;
char *str = NULL;
int ret = 0;
switch (is_dsakey_in_keyfile(dsa, host, filename)) {
case 0:
Display(LOG_LEVEL_3, ELInfo, TSP_AUTH_PASSDSS_STRING, GOGO_STR_ERR_IN_KEY_VERIF);
Display(LOG_LEVEL_3, ELWarning, TSP_AUTH_PASSDSS_STRING, GOGO_STR_SERVER_KEY_REJECTED);
break;
case 1: /* not in, we add and continue */
#if defined(WIN32) && !defined(WINCE)
// When running as a service we can't ask user
// permission. Compromise and accept the key auto
//
if (!IsService && !autoaccept)
{
#else
if (!autoaccept)
{
#endif
if (!ask(GOGO_STR_UNKNOWN_HOST_ADD_KEY, host))
{
Display(LOG_LEVEL_3, ELWarning, TSP_AUTH_PASSDSS_STRING, GOGO_STR_SERVER_KEY_REJECTED_USER);
break;
}
}
else
Display(LOG_LEVEL_1, ELWarning, TSP_AUTH_PASSDSS_STRING, GOGO_STR_WARN_SERVER_KEY_AUTO_ADDED);
Display(LOG_LEVEL_2, ELInfo, TSP_AUTH_PASSDSS_STRING, GOGO_STR_SERVER_KEY_ACCEPTED_ADDED);
buffer_init(&buf);
if (buf.buf == NULL)
break;
buffer_put_cstring(&buf, "ssh-dss");
buffer_put_bignum(&buf, dsa->p);
buffer_put_bignum(&buf, dsa->q);
buffer_put_bignum(&buf, dsa->g);
buffer_put_bignum(&buf, dsa->pub_key);
if ( (str = pal_malloc(2 * buffer_len(&buf))) == NULL)
break;
if ( (base64encode(str, buffer_ptr(&buf), (int) buffer_len(&buf))) < 1)
break;
fp = fopen(filename, "a");
if (fp) {
fprintf(fp, "%s ssh-dss %s\n", host, str);
fclose(fp);
ret = 1;
}
buffer_free(&buf);
pal_free(str);
break;
case 2: /* in and matching correctly, hurray */
Display(LOG_LEVEL_2, ELInfo, TSP_AUTH_PASSDSS_STRING, GOGO_STR_MATCHING_KEY_FOUND_USED);
ret = 1;
break;
case 3: /* in and NOT matching correctly */
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_WARN_STORED_LOCAL_KEY_NO_MATCH, filename, host);
Display(LOG_LEVEL_3, ELWarning, TSP_AUTH_PASSDSS_STRING, GOGO_STR_SERVER_KEY_REJECTED);
ret = 0;
break;
}
return ret;
}
/**
* Authenticate to the Migration Broker using PASSDSS-3DES-1
*
* Buf_H will contain the data used to validate the server
* signature. The data is a concatenation of the following parameters,
* in that order:
* azname,authname,DH_public_key,pklength,"ssh-dss",p,q,g,z,Y,ssecmask,sbuflen,dh_K
*
* @param socket
* @param user
* @param passwd
* @param host
* @param nt
*
* @return
*
* @todo DH public key validation (RFC2631, 2.1.5)
* @todo Local storage for server public keys
*
*/
gogoc_status AuthPASSDSS_3DES_1(pal_socket_t socket, net_tools_t *nt, tConf *conf, tBrokerList **broker_list)
{
DH *dh = NULL; /**< client DH key used to exchange key with server */
DSA *dsa = NULL; /**< Remote server DSA key public information */
DSA_SIG *sig = NULL; /**< DSA signature */
char authenticate[] = "AUTHENTICATE PASSDSS-3DES-1\r\n";
char *BufferIn = NULL;
char *BufferOut = NULL;
char *BufferPtr = NULL;
Buffer BufH; /**< Buffer to hold data used for signature. */
Buffer BufSpace; /**< Space to hold data before/after base64 conversion */
Buffer *Buf_H = &BufH;
Buffer *Buf_Space = &BufSpace;
BIO *bio_rw = NULL; /**< Memory buffer bio */
BIO *b64= NULL; /**< Base64 bio */
BIO *cipher = NULL; /**< Symmetric crypto bio */
BIGNUM *server_pubkey = NULL; /**< received server public DH key */
BIGNUM *dh_K = NULL; /**< DH computed shared secret */
u_char hash[20]; /**< SHA1 hash */
u_char enc_key[24]; /**< encryption key (3des) */
u_char enc_iv[8]; /**< initialization vector (3des) */
u_char int_key[20]; /**< cs integrity key */
u_char tmphash[40]; /**< temporary hash storage */
u_char hmac[EVP_MAX_MD_SIZE]; /**< HMAC for integrity of sent data (step L) */
int pklength = 0; /**< length of SSH-style DSA server public key */
int ssecmask = 0; /**< SASL security layers offered */
int sbuflen = 0; /**< maximum server security layer block size */
char *s = NULL;
u_char num[3]; /**< Array to manupulate 3 octet number (sbuflen) */
/* Temporary variables */
int buflen, readlen, keysize, siglength;
gogoc_status status = STATUS_SUCCESS_INIT;
sint32_t tsp_status;
/* From draft-newman-sasl-passdss-01. "This group was taken from the
* ISAKMP/Oakley specification, and was originally generated by
* Richard Schroeppel at the University of Arizona. Properties of
* this prime are described in [Orm96]"
*/
/* RFC2409, DH group 2 (second Oakley group) */
static char *dh_group2=
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE65381"
"FFFFFFFF" "FFFFFFFF";
static unsigned char dh_g[]={
0x02,
};
/* Initialize Diffie Hellman variables */
if ((dh = DH_new()) == NULL || (server_pubkey = BN_new()) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Convert dh_group2 and dh_g to BIGNUM type */
BN_hex2bn(&dh->p, dh_group2);
dh->g = BN_bin2bn(dh_g,sizeof(dh_g),NULL);
if ((dh->p == NULL) || (dh->g == NULL))
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_INITIALIZATION_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
if ((dh_K = BN_new()) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Reserve storage for DSA key */
if ((dsa = DSA_new()) == NULL || (dsa->p = BN_new()) == NULL ||
(dsa->q = BN_new()) == NULL || (dsa->g = BN_new()) == NULL ||
(dsa->pub_key = BN_new()) == NULL || (dsa->priv_key = BN_new()) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Allocate memory for DSA signature */
if ((sig = DSA_SIG_new()) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Initialize data buffers */
BufferIn = calloc(1, TSP_AUTH_PASSDSS_BUFFERSIZE);
BufferOut = calloc(1, TSP_AUTH_PASSDSS_BUFFERSIZE);
if ((BufferIn == NULL) || (BufferOut == NULL))
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
buffer_init(Buf_Space);
buffer_init(Buf_H);
if (Buf_Space->buf == NULL || Buf_H->buf == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Create a read/write memory BIO. Memory is segment is
* created and resized as needed. When BIO is destroyed, the
* memory is freed. */
bio_rw = BIO_new(BIO_s_mem());
/* Create a base64 BIO filter */
b64 = BIO_new(BIO_f_base64());
if ((bio_rw == NULL) || (b64 == NULL))
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/*
Compute the Diffie-Hellman public value "X" as follows. If
X has a value of 0, repeat.
x
X = g mod n
where g = dh_g = 2
n = dh_group2
x = DH secret key
X = DH public key
*/
if (DH_generate_key(dh) == 0)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_DH_GEN_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
/* Validate DH public key (RFC2631, 2.1.5) */
/* Send message with SASL mechanism identifier */
if ( nt->netsend(socket, authenticate, sizeof(authenticate)) == -1 )
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_NET_FAIL_W_SOCKET);
status = make_status(CTX_TSPAUTHENTICATION, ERR_SOCKET_IO);
goto error;
}
/* First PASSDSS message from client to server:
string azname ; the user name to login as, may be empty if
same as authentication name
string authname ; the authentication name
mpint X ; Diffie-Hellman parameter X
*/
/* azname is empty. Just insert a string length zero */
buffer_put_int(Buf_Space, 0);
/* authname */
buffer_put_cstring(Buf_Space, conf->userid);
/* DH public key */
buffer_put_bignum(Buf_Space, dh->pub_key);
/* At this point, save the buffer into Buf_H. Used later for
* signature verification. */
buffer_append(Buf_H, buffer_ptr(Buf_Space), buffer_len(Buf_Space));
/* Push base64 filter */
BIO_push(b64, bio_rw);
/* no newline */
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
/* Write Buffer content into bio_rw. Buffer will be base64
* encoded. */
BIO_write(b64, buffer_ptr(Buf_Space), (int) buffer_len(Buf_Space));
BIO_flush(b64);
/* Get pointer to the result */
buflen = BIO_get_mem_data(bio_rw, &BufferPtr);
// Send data to server, save response in BufferIn.
if((readlen = nt->netsendrecv(socket,
BufferPtr, buflen,
BufferIn, TSP_AUTH_PASSDSS_BUFFERSIZE)) == -1)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_NET_FAIL_RW_SOCKET);
status = make_status(CTX_TSPAUTHENTICATION, ERR_SOCKET_IO);
goto error;
}
/* remove base64 filter */
BIO_pop(bio_rw);
buffer_clear(Buf_Space);
buflen = 0;
/* Decode response (base64) and extract server response
*
* The response format is as follows:
uint32 pklength ; length of SSH-style DSA server public key
(number of bytes up to y, inclusively)
string "ssh-dss" ; constant string "ssh-dss" (lower case)
mpint p ; DSA public key parameters
mpint q
mpint g
mpint z (y in draft)
mpint Y ; Diffie-Hellman parameter Y
OCTET ssecmask ; SASL security layers offered
3 OCTET sbuflen ; maximum server security layer block size
uint32 siglength ; length of SSH-style dss signature
(number of bytes up to s inclusively)
string "ssh-dss" ; constant string "ssh-dss" (lower case)
mpint r ; DSA signature parameters
mpint s
*/
buflen = base64decode(BufferOut, BufferIn);
buffer_append(Buf_Space, BufferOut, buflen);
/* Get pklength */
pklength = buffer_get_int(Buf_Space);
/* Assuming that
* p, g, and y are 512 bits,
* q is 160 bits,
* "ssh-dss" is 7 bytes
* pklength should be at least 240 bytes.
*/
if (pklength < 240)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_RCVD_DATA_INVALID);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
/* Make a copy of (pklength|"ssh-dss"|p|q|g|z) in Buf_H */
/* Add pklength */
buffer_put_int(Buf_H, pklength);
/* Add "ssh-dss"|p|q|g|z */
buffer_append(Buf_H, buffer_ptr(Buf_Space), pklength);
/* Get "ssh-dss" string */
s = buffer_get_string(Buf_Space, (unsigned int*)&buflen);
pal_free(s); s = NULL;
/* Get p */
buffer_get_bignum(Buf_Space, dsa->p);
/* Get q */
buffer_get_bignum(Buf_Space, dsa->q);
/* Get g */
buffer_get_bignum(Buf_Space, dsa->g);
/* Get z (pub_key) */
buffer_get_bignum(Buf_Space, dsa->pub_key);
/* Get DH public key */
buffer_get_bignum(Buf_Space, server_pubkey);
/* Copy in Buf_H for signature verification later */
buffer_put_bignum(Buf_H, server_pubkey);
/* Buffer now points at ssecmask (1 octet), followed by
* sbuflen (3 octets). Make a copy of these 4 octets in Buf_H
* now, then extract these values. */
buffer_append(Buf_H, buffer_ptr(Buf_Space), 4);
/* Get ssecmask */
ssecmask = buffer_get_octet(Buf_Space);
/* Get sbuflen
* Big endian binary unsigned integer */
buffer_get(Buf_Space, (char *)num, 3);
sbuflen = (((u_long)(u_char)(num)[0] << 16) |
((u_long)(u_char)(num)[1] << 8) |
((u_long)(u_char)(num)[2]));
/* DSS signature */
/* Get siglength */
siglength = buffer_get_int(Buf_Space);
/* r and s are 20 bytes each, encoded as mpint (2*24)
* "ssh-dss" is 7 bytes + int32 siglength should be >= 59
* octets (mpint may have leading zero byte)
*/
if (siglength < 59)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_RCVD_DATA_INVALID);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
/* Get "ssh-dss" string */
s = buffer_get_string(Buf_Space, (unsigned int*)&buflen);
pal_free(s); s = NULL;
/* Get DSA signature r and s*/
if ((sig->r= BN_new()) == NULL || (sig->s = BN_new()) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
/* Get r */
buffer_get_bignum(Buf_Space, sig->r);
/* Get s */
buffer_get_bignum(Buf_Space, sig->s);
/* Validate server DH public key (RFC2631, 2.1.5) */
{
if( !add_dsakey_to_keyfile(dsa, conf->server, TSPC_DSA_KEYFILE, conf->no_questions) )
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_KEY_VERIF_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
}
/* Verify that DSA public key belongs to server */
/* Compute DH shared secret */
if ((s = calloc(1, DH_size(dh))) == NULL)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_GEN_MALLOC_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_MEMORY_STARVATION);
goto error;
}
if( (keysize = DH_compute_key((unsigned char*)s, server_pubkey, dh)) < 0 )
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_DH_SHARED_COMPUTE_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
}
BN_bin2bn((const unsigned char*)s, keysize, dh_K);
memset(s, 0, keysize);
pal_free(s);
s = NULL;
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_DH_SHARED_KEY, BN_bn2hex(dh_K));
/* Append dh_K in to complete the buffer. Use Buffer to hold
* result to keep Bf_H intact, since to will be used (without
* dh_K) to compute HMAC for packet integrity. */
buffer_clear(Buf_Space);
buffer_append(Buf_Space, buffer_ptr(Buf_H), buffer_len(Buf_H));
buffer_put_bignum(Buf_Space, dh_K);
/* Compute SHA1 hash of Buffer */
SHA1(buffer_ptr(Buf_Space), buffer_len(Buf_Space), hash);
/* Debug information available at level 4 */
{
BIGNUM *h;
h = BN_bin2bn(hash, 20, NULL);
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_SIGNED_HASH, BN_bn2hex(h));
BN_free(h);
}
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_DSA_SIGN_R, BN_bn2hex(sig->r));
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_DSA_SIGN_S, BN_bn2hex(sig->s));
// Verify that the DSS signature is a signature of hash.
switch( DSA_do_verify(hash, sizeof(hash), sig, dsa) )
{
case 0:
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_BAD_SIG_FROM_SERVER);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
break; /* NOTREACHED */
case 1: /* correct signature */
break;
default: /* -1 on error */
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, GOGO_STR_SIG_VERIF_ERROR);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
break; /* NOTREACHED */
}
/* Step I: Compute 3DES key and iv */
/*
cs-encryption-iv = SHA1( K || "A" || H )
sc-encryption-iv = SHA1( K || "B" || H )
cs-encryption-key-1 = SHA1( K || "C" || H )
cs-encryption-key-2 = SHA1( K || cs-encryption-key-1 )
cs-encryption-key = cs-encryption-key-1 || cs-encryption-key-2
sc-encryption-key-1 = SHA1( K || "D" || H )
sc-encryption-key-2 = SHA1( K || sc-encryption-key-1 )
sc-encryption-key = sc-encryption-key-1 || sc-encryption-key-2
cs-integrity-key = SHA1( K || "E" || H )
sc-integrity-key = SHA1( K || "F" || H )
K is dh_k in mpint format (string)
H is hash
*/
/* Since we won't support SASL security layers, we need to
* compute the following only:
* cs-encryption-iv
* cs-encryption-key
* cs-integrity-key
*/
buffer_clear(Buf_Space);
buffer_put_bignum(Buf_Space, dh_K);
buffer_put_octet(Buf_Space,'A');
buffer_append(Buf_Space, hash, 20);
SHA1(buffer_ptr(Buf_Space), buffer_len(Buf_Space), tmphash);
/* Use first 8 octets as iv */
memcpy(enc_iv, tmphash, 8);
buffer_clear(Buf_Space);
buffer_put_bignum(Buf_Space, dh_K);
buffer_put_octet(Buf_Space,'E');
buffer_append(Buf_Space, hash, 20);
SHA1(buffer_ptr(Buf_Space), buffer_len(Buf_Space), int_key);
buffer_clear(Buf_Space);
buffer_put_bignum(Buf_Space, dh_K);
buffer_put_octet(Buf_Space,'C');
buffer_append(Buf_Space, hash, 20);
SHA1(buffer_ptr(Buf_Space), buffer_len(Buf_Space), tmphash);
buffer_clear(Buf_Space);
buffer_put_bignum(Buf_Space, dh_K);
buffer_append(Buf_Space, tmphash, 20);
SHA1(buffer_ptr(Buf_Space), buffer_len(Buf_Space), tmphash+20);
/* Use first 24 octets as key */
memcpy(enc_key, tmphash, 24);
{
BIGNUM *enc, *i, *iv;
enc = BN_bin2bn(enc_key, 24, NULL);
iv = BN_bin2bn(enc_iv, 8, NULL);
i = BN_bin2bn(int_key, 20, NULL);
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_PASSDS_ENC_KEY, BN_bn2hex(enc));
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_PASSDS_IV, BN_bn2hex(iv));
Display(LOG_LEVEL_3, ELDebug, TSP_AUTH_PASSDSS_STRING,
GOGO_STR_PASSDS_INTEG_KEY, BN_bn2hex(i));
BN_free(enc);
BN_free(i);
BN_free(iv);
}
/*
(J) Create a buffer beginning with a bit mask for the
selected security layer (it MUST be one offered from server)
followed by three octets representing the maximum
cipher-text buffer size (at least 32) the client can accept
in network byte order. This is followed by a string
containing the passphrase.
*/
buffer_clear(Buf_Space);
buffer_put_octet(Buf_Space, ssecmask);
buffer_put_octet(Buf_Space, 0);
buffer_put_octet(Buf_Space, 0);
buffer_put_octet(Buf_Space, 0); /**< @bug must be at least 32 */
buffer_put_cstring(Buf_Space, conf->passwd);
/*
(K) Create a buffer containing items (1) through (7)
immediately followed by the first four octets of (J).
*/
buffer_append(Buf_H, buffer_ptr(Buf_Space), 4);
/*
(L) Compute HMAC-SHA-1 with (K) as the data and the
cs-integrity- key from step (I) as the key. This produces a
20 octet result.
*/
HMAC(EVP_sha1(), int_key, sizeof(int_key),
buffer_ptr(Buf_H), buffer_len(Buf_H), hmac, (unsigned int*)&keysize);
/*
(M) Create a buffer containing (J) followed by (L) followed
by an arbitrary number of zero octets as necessary to reach
the block size of DES and conceal the passphrase length from
an eavesdropper.
*/
buffer_append(Buf_Space, hmac, keysize);
/*
(N) Apply the triple-DES algorithm to (M) with the first 8
octets of cs-encryption-iv from step (I) as the
initialization vector and the first 24 octets of
cs-encryption-key as the key.
*/
/*
Padding is automatically done. From OpenSSL EVP_EncryptInit(3):
EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
encryption operations are padded using standard block padding and the
padding is checked and removed when decrypting.
*/
/*
Create BIO filter to encrypt using 3des + convert to
base64. Result is written in memory BIO.
*/
/* Erase BIO and buffer memory */
BIO_reset(bio_rw);
memset(BufferOut, 0, TSP_AUTH_PASSDSS_BUFFERSIZE);
memset(BufferIn, 0, TSP_AUTH_PASSDSS_BUFFERSIZE);
buflen = 0;
/* Create cipher BIO */
cipher = BIO_new(BIO_f_cipher());
BIO_set_cipher(cipher, EVP_des_ede3_cbc(), enc_key, enc_iv, 1);
/* Assemble filters as cipher->b64->bio_rw */
BIO_push(cipher, b64);
BIO_push(b64, bio_rw);
/* Write Buffer content into bio_rw */
BIO_write(cipher, buffer_ptr(Buf_Space), (int) buffer_len(Buf_Space));
BIO_flush(cipher);
/* Get pointer to the result. */
buflen = BIO_get_mem_data(bio_rw, &BufferPtr);
/* wipe encryption material */
memset(enc_key, 0, sizeof(enc_key));
memset(enc_iv, 0, sizeof(enc_iv));
/* Send data to server, save response in BufferIn */
if( (readlen = nt->netsendrecv(socket, BufferPtr, buflen,
BufferIn, TSP_AUTH_PASSDSS_BUFFERSIZE)) == -1)
{
Display(LOG_LEVEL_1, ELError, TSP_AUTH_PASSDSS_STRING, STR_NET_FAIL_RW_SOCKET);
status = make_status(CTX_TSPAUTHENTICATION, ERR_SOCKET_IO);
goto error;
}
tsp_status = tspGetStatusCode(BufferIn);
// Check if the reply status indicated a broker redirection.
if( tspIsRedirectStatus(tsp_status) )
{
if( tspHandleRedirect(BufferIn, conf, broker_list) == TSP_REDIRECT_OK )
{
status = make_status(CTX_TSPAUTHENTICATION, EVNT_BROKER_REDIRECTION);
}
else
{
// Redirect error.
status = make_status(CTX_TSPAUTHENTICATION, ERR_BROKER_REDIRECTION);
}
goto error;
}
// Check if authentication was successful.
switch( tsp_status )
{
case TSP_PROTOCOL_SUCCESS:
break;
case TSP_PROTOCOL_AUTH_FAILED:
Display(LOG_LEVEL_1, ELError, "AuthPASSDSS_3DES_1", STR_TSP_AUTH_FAILED_USER, conf->userid);
status = make_status(CTX_TSPAUTHENTICATION, ERR_AUTHENTICATION_FAILURE);
goto error;
default:
Display(LOG_LEVEL_1, ELError, "AuthPASSDSS_3DES_1", STR_TSP_UNKNOWN_ERR_AUTH_FAILED, tspGetTspStatusStr(tsp_status));
status = make_status(CTX_TSPAUTHENTICATION, ERR_TSP_GENERIC_ERROR);
goto error;
}
status = STATUS_SUCCESS_INIT;
error:
/* Free storage for DSA key */
if (dsa != NULL) DSA_free(dsa); /* Also frees BIGNUMs inside struct */
/* DSA signature */
if (sig != NULL) DSA_SIG_free(sig);
/* Free Diffie Hellman variables */
if (dh != NULL) DH_free(dh); /* Also frees BIGNUMs inside struct */
if (server_pubkey != NULL) BN_free(server_pubkey);
if (dh_K != NULL) BN_free(dh_K);
/* Buffers */
if (Buf_Space->buf != NULL) buffer_free(Buf_Space);
if (Buf_H->buf != NULL) buffer_free(Buf_H);
/* malloc'ed space*/
if (BufferIn != NULL) pal_free(BufferIn);
if (BufferOut != NULL) pal_free(BufferOut);
/* BIOs */
if (cipher != NULL) BIO_vfree(cipher);
if (b64 != NULL) BIO_vfree(b64);
if (bio_rw != NULL) BIO_vfree(bio_rw);
/* strings buffers */
if (s != NULL) pal_free(s);
return status;
}
int ssh_dss_verify(DSA *key,
u_char *signature, u_int signaturelen,
u_char *data, u_int datalen)
{
DSA_SIG *sig;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
unsigned char digest[EVP_MAX_MD_SIZE], *sigblob;
unsigned int len, dlen;
int ret;
char *ptr;
OpenSSL_add_all_digests();
if (key == NULL) {
return -2;
}
ptr = signature;
// step1
if (signaturelen == 0x28) {
// workaround for SSH-2.0-2.0* and SSH-2.0-2.1* (2006.11.18 maya)
ptr -= 4;
}
else {
len = get_uint32_MSBfirst(ptr);
ptr += 4;
if (strncmp("ssh-dss", ptr, len) != 0) {
return -3;
}
ptr += len;
}
// step2
len = get_uint32_MSBfirst(ptr);
ptr += 4;
sigblob = ptr;
ptr += len;
if (len != SIGBLOB_LEN) {
return -4;
}
/* parse signature */
if ((sig = DSA_SIG_new()) == NULL)
return -5;
if ((sig->r = BN_new()) == NULL)
return -6;
if ((sig->s = BN_new()) == NULL)
return -7;
BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
/* sha1 the data */
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
ret = DSA_do_verify(digest, dlen, sig, key);
memset(digest, 'd', sizeof(digest));
DSA_SIG_free(sig);
return ret;
}
int
ssh_dss_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
DSA_SIG *sig = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen == 0)
return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
if (compat & SSH_BUG_SIGBLOB) {
if ((sigblob = malloc(signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
memcpy(sigblob, signature, signaturelen);
len = signaturelen;
} else {
/* ietf-drafts */
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (strcmp("ssh-dss", ktype) != 0) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
}
if (len != SIGBLOB_LEN) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* parse signature */
if ((sig = DSA_SIG_new()) == NULL ||
(sig->r = BN_new()) == NULL ||
(sig->s = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
/* sha1 the data */
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
sshbuf_free(b);
free(ktype);
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
}
return ret;
}
int sig_verify(ssh_session session, ssh_public_key pubkey,
SIGNATURE *signature, unsigned char *digest, int size) {
#ifdef HAVE_LIBGCRYPT
gcry_error_t valid = 0;
gcry_sexp_t gcryhash;
#elif defined HAVE_LIBCRYPTO
int valid = 0;
#endif
unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
sha1(digest, size, hash + 1);
#ifdef DEBUG_CRYPTO
ssh_print_hexa("Hash to be verified with dsa", hash + 1, SHA_DIGEST_LEN);
#endif
switch(pubkey->type) {
case SSH_KEYTYPE_DSS:
#ifdef HAVE_LIBGCRYPT
valid = gcry_sexp_build(&gcryhash, NULL, "%b", SHA_DIGEST_LEN + 1, hash);
if (valid != 0) {
ssh_set_error(session, SSH_FATAL,
"RSA error: %s", gcry_strerror(valid));
return -1;
}
valid = gcry_pk_verify(signature->dsa_sign, gcryhash, pubkey->dsa_pub);
gcry_sexp_release(gcryhash);
if (valid == 0) {
return 0;
}
if (gcry_err_code(valid) != GPG_ERR_BAD_SIGNATURE) {
ssh_set_error(session, SSH_FATAL,
"DSA error: %s", gcry_strerror(valid));
return -1;
}
#elif defined HAVE_LIBCRYPTO
valid = DSA_do_verify(hash + 1, SHA_DIGEST_LEN, signature->dsa_sign,
pubkey->dsa_pub);
if (valid == 1) {
return 0;
}
if (valid == -1) {
ssh_set_error(session, SSH_FATAL,
"DSA error: %s", ERR_error_string(ERR_get_error(), NULL));
return -1;
}
#endif
ssh_set_error(session, SSH_FATAL, "Invalid DSA signature");
return -1;
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
#ifdef HAVE_LIBGCRYPT
valid = gcry_sexp_build(&gcryhash, NULL,
"(data(flags pkcs1)(hash sha1 %b))", SHA_DIGEST_LEN, hash + 1);
if (valid != 0) {
ssh_set_error(session, SSH_FATAL,
"RSA error: %s", gcry_strerror(valid));
return -1;
}
valid = gcry_pk_verify(signature->rsa_sign,gcryhash,pubkey->rsa_pub);
gcry_sexp_release(gcryhash);
if (valid == 0) {
return 0;
}
if (gcry_err_code(valid) != GPG_ERR_BAD_SIGNATURE) {
ssh_set_error(session, SSH_FATAL,
"RSA error: %s", gcry_strerror(valid));
return -1;
}
#elif defined HAVE_LIBCRYPTO
valid = RSA_verify(NID_sha1, hash + 1, SHA_DIGEST_LEN,
signature->rsa_sign->string, ssh_string_len(signature->rsa_sign),
pubkey->rsa_pub);
if (valid == 1) {
return 0;
}
if (valid == -1) {
ssh_set_error(session, SSH_FATAL,
"RSA error: %s", ERR_error_string(ERR_get_error(), NULL));
return -1;
}
#endif
ssh_set_error(session, SSH_FATAL, "Invalid RSA signature");
return -1;
default:
ssh_set_error(session, SSH_FATAL, "Unknown public key type");
return -1;
}
return -1;
}
bool OpenSSLCryptoKeyDSA::verifyBase64Signature(unsigned char * hashBuf,
unsigned int hashLen,
char * base64Signature,
unsigned int sigLen) {
// Use the currently loaded key to validate the Base64 encoded signature
if (mp_dsaKey == NULL) {
throw XSECCryptoException(XSECCryptoException::DSAError,
"OpenSSL:DSA - Attempt to validate signature with empty key");
}
unsigned char sigVal[512];
int sigValLen;
int err;
/*
BIO * b64 = BIO_new(BIO_f_base64());
BIO * bmem = BIO_new(BIO_s_mem());
BIO_set_mem_eof_return(bmem, 0);
b64 = BIO_push(b64, bmem);
// Translate signature from Base64
BIO_write(bmem, base64Signature, sigLen);
sigValLen = BIO_read(b64, sigVal, 512);
*/
EVP_ENCODE_CTX m_dctx;
int rc;
EVP_DecodeInit(&m_dctx);
rc = EVP_DecodeUpdate(&m_dctx,
sigVal,
&sigValLen,
(unsigned char *) base64Signature,
sigLen);
if (rc < 0) {
throw XSECCryptoException(XSECCryptoException::DSAError,
"OpenSSL:DSA - Error during Base64 Decode");
}
int t = 0;
EVP_DecodeFinal(&m_dctx, &sigVal[sigValLen], &t);
sigValLen += t;
if (sigValLen != 40) {
throw XSECCryptoException(XSECCryptoException::DSAError,
"OpenSSL:DSA - Signature Length incorrect");
}
// Translate to BNs and thence to DSA_SIG
BIGNUM * R = BN_bin2bn(sigVal, 20, NULL);
BIGNUM * S = BN_bin2bn(&sigVal[20], 20, NULL);
DSA_SIG * dsa_sig = DSA_SIG_new();
dsa_sig->r = BN_dup(R);
dsa_sig->s = BN_dup(S);
unsigned char sigValTranslatedBuf[256];
unsigned char * sigValTranslated = sigValTranslatedBuf;
int sigValTranslatedLen;
sigValTranslatedLen = i2d_DSA_SIG(dsa_sig, &sigValTranslated);
// Now we have a signature and a key - lets check
err = DSA_do_verify(hashBuf, hashLen, dsa_sig, mp_dsaKey);
DSA_SIG_free(dsa_sig);
if (err < 0) {
throw XSECCryptoException(XSECCryptoException::DSAError,
"OpenSSL:DSA - Error validating signature");
}
return (err == 1);
}
int
ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
{
DSA_SIG *sig;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
u_char digest[EVP_MAX_MD_SIZE], *sigblob;
u_int len, dlen;
int rlen, ret;
Buffer b;
if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA &&
key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00)) {
error("ssh_dss_verify: no DSA key");
return -1;
}
/* fetch signature */
if (datafellows & SSH_BUG_SIGBLOB) {
sigblob = xmalloc(signaturelen);
memcpy(sigblob, signature, signaturelen);
len = signaturelen;
} else {
/* ietf-drafts */
char *ktype;
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_cstring(&b, NULL);
if (strcmp("ssh-dss", ktype) != 0) {
error("ssh_dss_verify: cannot handle type %s", ktype);
buffer_free(&b);
xfree(ktype);
return -1;
}
xfree(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("ssh_dss_verify: "
"remaining bytes in signature %d", rlen);
xfree(sigblob);
return -1;
}
}
if (len != SIGBLOB_LEN) {
fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
}
/* parse signature */
if ((sig = DSA_SIG_new()) == NULL)
fatal("ssh_dss_verify: DSA_SIG_new failed");
if ((sig->r = BN_new()) == NULL)
fatal("ssh_dss_verify: BN_new failed");
if ((sig->s = BN_new()) == NULL)
fatal("ssh_dss_verify: BN_new failed");
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
fatal("ssh_dss_verify: BN_bin2bn failed");
/* clean up */
memset(sigblob, 0, len);
xfree(sigblob);
/* sha1 the data */
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
ret = DSA_do_verify(digest, dlen, sig, key->dsa);
memset(digest, 'd', sizeof(digest));
DSA_SIG_free(sig);
debug("ssh_dss_verify: signature %s",
ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
return ret;
}
int
ssh_dss_verify(const struct sshkey *key,
const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen, u_int compat)
{
DSA_SIG *sig = NULL;
const EVP_MD *evp_md = EVP_sha1();
EVP_MD_CTX md;
u_char digest[EVP_MAX_MD_SIZE], *sigblob = NULL;
size_t len;
u_int dlen;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;
if (key == NULL || key->dsa == NULL || (key->type != KEY_DSA &&
key->type != KEY_DSA_CERT && key->type != KEY_DSA_CERT_V00))
return SSH_ERR_INVALID_ARGUMENT;
/* fetch signature */
if (compat & SSH_BUG_SIGBLOB) {
if ((sigblob = malloc(signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
memcpy(sigblob, signature, signaturelen);
len = signaturelen;
} else {
/* ietf-drafts */
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((ret = sshbuf_put(b, signature, signaturelen)) != 0)
goto out;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (strcmp("ssh-dss", ktype) != 0) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
}
if (len != SIGBLOB_LEN) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* parse signature */
if ((sig = DSA_SIG_new()) == NULL ||
(sig->r = BN_new()) == NULL ||
(sig->s = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
/* sha1 the data */
if (EVP_DigestInit(&md, evp_md) != 1 ||
EVP_DigestUpdate(&md, data, datalen) != 1 ||
EVP_DigestFinal(&md, digest, &dlen) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
out:
bzero(digest, sizeof(digest));
bzero(&md, sizeof(md));
if (sig != NULL)
DSA_SIG_free(sig);
if (b != NULL)
sshbuf_free(b);
if (ktype != NULL)
free(ktype);
if (sigblob != NULL) {
memset(sigblob, 0, len);
free(sigblob);
}
return ret;
}
ops_boolean_t ops_dsa_verify(const unsigned char *hash,size_t hash_length,
const ops_dsa_signature_t *sig,
const ops_dsa_public_key_t *dsa)
{
DSA_SIG *osig;
DSA *odsa;
int ret;
osig=DSA_SIG_new();
osig->r=sig->r;
osig->s=sig->s;
if(BN_num_bits(dsa->q) != 160)
{
if(!already_said)
{
fprintf(stderr,"(WW) ops_dsa_verify: openssl does only supports 'q' of 160 bits. Current is %d bits.\n",BN_num_bits(dsa->q)) ;
already_said=ops_true ;
}
osig->r=osig->s=NULL;
DSA_SIG_free(osig);
return ops_false ;
}
odsa=DSA_new();
odsa->p=dsa->p;
odsa->q=dsa->q;
odsa->g=dsa->g;
odsa->pub_key=dsa->y;
if (debug)
{
fprintf(stderr,"hash passed in:\n");
unsigned i;
for (i=0; i<hash_length; i++)
{
fprintf(stderr,"%02x ", hash[i]);
}
fprintf(stderr,"\n");
}
//printf("hash_length=%ld\n", hash_length);
//printf("Q=%d\n", BN_num_bytes(odsa->q));
unsigned int qlen=BN_num_bytes(odsa->q);
if (qlen < hash_length)
hash_length=qlen;
// ret=DSA_do_verify(hash,hash_length,osig,odsa);
ret=DSA_do_verify(hash,hash_length,osig,odsa);
if (debug)
{
fprintf(stderr,"ret=%d\n",ret);
}
if(ret < 0)
{
ERR_load_crypto_strings() ;
unsigned long err = 0 ;
while((err = ERR_get_error()) > 0)
fprintf(stderr,"DSA_do_verify(): ERR = %ld. lib error:\"%s\", func_error:\"%s\", reason:\"%s\"\n",err,ERR_lib_error_string(err),ERR_func_error_string(err),ERR_reason_error_string(err)) ;
//assert(ret >= 0);
return ops_false ;
}
odsa->p=odsa->q=odsa->g=odsa->pub_key=NULL;
DSA_free(odsa);
osig->r=osig->s=NULL;
DSA_SIG_free(osig);
return ret != 0;
}
static isc_result_t
openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
dst_key_t *key = dctx->key;
DSA *dsa = key->keydata.dsa;
int status = 0;
unsigned char *cp = sig->base;
DSA_SIG *dsasig;
#if USE_EVP
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
#if 0
EVP_PKEY *pkey;
unsigned char *sigbuf;
#endif
unsigned int siglen;
#else
isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
#endif
unsigned char digest[ISC_SHA1_DIGESTLENGTH];
#if USE_EVP
#if 1
/* Only use EVP for the digest */
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
return (ISC_R_FAILURE);
}
#endif
#else
isc_sha1_final(sha1ctx, digest);
#endif
if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
return (DST_R_VERIFYFAILURE);
}
cp++; /*%< Skip T */
dsasig = DSA_SIG_new();
if (dsasig == NULL)
return (ISC_R_NOMEMORY);
dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
cp += ISC_SHA1_DIGESTLENGTH;
dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
#if 0
pkey = EVP_PKEY_new();
if (pkey == NULL)
return (ISC_R_NOMEMORY);
if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
EVP_PKEY_free(pkey);
return (ISC_R_FAILURE);
}
/* Convert to Dss-Sig-Value (RFC2459). */
sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
if (sigbuf == NULL) {
EVP_PKEY_free(pkey);
return (ISC_R_NOMEMORY);
}
siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
EVP_PKEY_free(pkey);
free(sigbuf);
#else
status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
#endif
DSA_SIG_free(dsasig);
if (status != 1)
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
return (ISC_R_SUCCESS);
}
