static void getp(dss_key *key, unsigned int size) { DEF_MP_INT(tempX); DEF_MP_INT(tempC); DEF_MP_INT(tempP); DEF_MP_INT(temp2q); int result; unsigned char *buf; m_mp_init_multi(&tempX, &tempC, &tempP, &temp2q, NULL); /* 2*q */ if (mp_mul_d(key->q, 2, &temp2q) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } buf = (unsigned char*)m_malloc(size); result = 0; do { genrandom(buf, size); buf[0] |= 0x80; /* set the top bit high */ /* X is a random mp_int */ bytes_to_mp(&tempX, buf, size); /* C = X mod 2q */ if (mp_mod(&tempX, &temp2q, &tempC) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } /* P = X - (C - 1) = X - C + 1*/ if (mp_sub(&tempX, &tempC, &tempP) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } if (mp_add_d(&tempP, 1, key->p) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } /* now check for prime, 5 rounds is enough according to HAC */ /* result == 1 => p is prime */ if (mp_prime_is_prime(key->p, 5, &result) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } } while (!result); mp_clear_multi(&tempX, &tempC, &tempP, &temp2q, NULL); m_burn(buf, size); m_free(buf); }
/* mostly taken from libtomcrypt's rsa key generation routine */ dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { dropbear_rsa_key * key; DEF_MP_INT(pminus); DEF_MP_INT(qminus); DEF_MP_INT(lcm); if (size < 512 || size > 4096 || (size % 8 != 0)) { dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a" " multiple of 8"); } key = m_malloc(sizeof(*key)); m_mp_alloc_init_multi(&key->e, &key->n, &key->d, &key->p, &key->q, NULL); m_mp_init_multi(&pminus, &lcm, &qminus, NULL); if (mp_set_int(key->e, RSA_E) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); exit(1); } while (1) { getrsaprime(key->p, &pminus, key->e, size/16); getrsaprime(key->q, &qminus, key->e, size/16); if (mp_mul(key->p, key->q, key->n) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); exit(1); } if ((unsigned int)mp_count_bits(key->n) == size) { break; } } /* lcm(p-1, q-1) */ if (mp_lcm(&pminus, &qminus, &lcm) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); exit(1); } /* de = 1 mod lcm(p-1,q-1) */ /* therefore d = (e^-1) mod lcm(p-1,q-1) */ if (mp_invmod(key->e, &lcm, key->d) != MP_OKAY) { fprintf(stderr, "RSA generation failed\n"); exit(1); } mp_clear_multi(&pminus, &qminus, &lcm, NULL); return key; }
void send_msg_kexdh_init() { cli_ses.dh_e = (mp_int*)m_malloc(sizeof(mp_int)); cli_ses.dh_x = (mp_int*)m_malloc(sizeof(mp_int)); m_mp_init_multi(cli_ses.dh_e, cli_ses.dh_x, NULL); gen_kexdh_vals(cli_ses.dh_e, cli_ses.dh_x); CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT); buf_putmpint(ses.writepayload, cli_ses.dh_e); encrypt_packet(); ses.requirenext = SSH_MSG_KEXDH_REPLY; }
dss_key * gen_dss_priv_key(unsigned int size) { dss_key *key; key = (dss_key*)m_malloc(sizeof(dss_key)); key->p = (mp_int*)m_malloc(sizeof(mp_int)); key->q = (mp_int*)m_malloc(sizeof(mp_int)); key->g = (mp_int*)m_malloc(sizeof(mp_int)); key->y = (mp_int*)m_malloc(sizeof(mp_int)); key->x = (mp_int*)m_malloc(sizeof(mp_int)); m_mp_init_multi(key->p, key->q, key->g, key->y, key->x, NULL); seedrandom(); getq(key); getp(key, size); getg(key); getx(key); gety(key); return key; }
static void getg(dss_key * key) { DEF_MP_INT(div); DEF_MP_INT(h); DEF_MP_INT(val); m_mp_init_multi(&div, &h, &val, NULL); /* get div=(p-1)/q */ if (mp_sub_d(key->p, 1, &val) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } if (mp_div(&val, key->q, &div, NULL) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } /* initialise h=1 */ mp_set(&h, 1); do { /* now keep going with g=h^div mod p, until g > 1 */ if (mp_exptmod(&h, &div, key->p, key->g) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } if (mp_add_d(&h, 1, &h) != MP_OKAY) { fprintf(stderr, "dss key generation failed\n"); exit(1); } } while (mp_cmp_d(key->g, 1) != MP_GT); mp_clear_multi(&div, &h, &val, NULL); }
/* Generate our side of the diffie-hellman key exchange value (dh_f), and * calculate the session key using the diffie-hellman algorithm. Following * that, the session hash is calculated, and signed with RSA or DSS. The * result is sent to the client. * * See the ietf-secsh-transport draft, section 6, for details */ static void send_msg_kexdh_reply(mp_int *dh_e) { mp_int dh_p, dh_q, dh_g, dh_y, dh_f; unsigned char randbuf[DH_P_LEN]; int dh_q_len; hash_state hs; TRACE(("enter send_msg_kexdh_reply")); assert(ses.kexstate.recvkexinit); m_mp_init_multi(&dh_g, &dh_p, &dh_q, &dh_y, &dh_f, NULL); /* read the prime and generator*/ if (mp_read_unsigned_bin(&dh_p, (unsigned char*)dh_p_val, DH_P_LEN) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } if (mp_set_int(&dh_g, dh_g_val) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } /* calculate q = (p-1)/2 */ if (mp_sub_d(&dh_p, 1, &dh_y) != MP_OKAY) { /*dh_y is just a temp var here*/ dropbear_exit("Diffie-Hellman error"); } if (mp_div_2(&dh_y, &dh_q) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } dh_q_len = mp_unsigned_bin_size(&dh_q); /* calculate our random value dh_y */ do { assert((unsigned int)dh_q_len <= sizeof(randbuf)); genrandom(randbuf, dh_q_len); if (mp_read_unsigned_bin(&dh_y, randbuf, dh_q_len) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } } while (mp_cmp(&dh_y, &dh_q) == MP_GT || mp_cmp_d(&dh_y, 0) != MP_GT); /* f = g^y mod p */ if (mp_exptmod(&dh_g, &dh_y, &dh_p, &dh_f) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } mp_clear(&dh_g); /* K = e^y mod p */ ses.dh_K = (mp_int*)m_malloc(sizeof(mp_int)); m_mp_init(ses.dh_K); if (mp_exptmod(dh_e, &dh_y, &dh_p, ses.dh_K) != MP_OKAY) { dropbear_exit("Diffie-Hellman error"); } /* clear no longer needed vars */ mp_clear_multi(&dh_y, &dh_p, &dh_q, NULL); /* Create the remainder of the hash buffer, to generate the exchange hash */ /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, ses.opts->hostkey, ses.newkeys->algo_hostkey); /* e, exchange value sent by the client */ buf_putmpint(ses.kexhashbuf, dh_e); /* f, exchange value sent by the server */ buf_putmpint(ses.kexhashbuf, &dh_f); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); /* calculate the hash H to sign */ sha1_init(&hs); buf_setpos(ses.kexhashbuf, 0); sha1_process(&hs, buf_getptr(ses.kexhashbuf, ses.kexhashbuf->len), ses.kexhashbuf->len); sha1_done(&hs, ses.hash); buf_free(ses.kexhashbuf); ses.kexhashbuf = NULL; /* first time around, we set the session_id to H */ if (ses.session_id == NULL) { /* create the session_id, this never needs freeing */ ses.session_id = (unsigned char*)m_malloc(SHA1_HASH_SIZE); memcpy(ses.session_id, ses.hash, SHA1_HASH_SIZE); } /* we can start creating the kexdh_reply packet */ CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_REPLY); buf_put_pub_key(ses.writepayload, ses.opts->hostkey, ses.newkeys->algo_hostkey); /* put f */ buf_putmpint(ses.writepayload, &dh_f); mp_clear(&dh_f); /* calc the signature */ buf_put_sign(ses.writepayload, ses.opts->hostkey, ses.newkeys->algo_hostkey, ses.hash, SHA1_HASH_SIZE); /* the SSH_MSG_KEXDH_REPLY is done */ encrypt_packet(); TRACE(("leave send_msg_kexdh_reply")); }