1d059297112922cabb0c674840589be8db821fd9aAdam Langley/* $OpenBSD: ssh-dss.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */ 2bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman/* 3bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * Copyright (c) 2000 Markus Friedl. All rights reserved. 4bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * 5bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * Redistribution and use in source and binary forms, with or without 6bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * modification, are permitted provided that the following conditions 7bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * are met: 8bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * 1. Redistributions of source code must retain the above copyright 9bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * notice, this list of conditions and the following disclaimer. 10bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * 2. Redistributions in binary form must reproduce the above copyright 11bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * notice, this list of conditions and the following disclaimer in the 12bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * documentation and/or other materials provided with the distribution. 13bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * 14bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman */ 25bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 26bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include "includes.h" 27bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 28d059297112922cabb0c674840589be8db821fd9aAdam Langley#ifdef WITH_OPENSSL 29d059297112922cabb0c674840589be8db821fd9aAdam Langley 30bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include <sys/types.h> 31bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 32bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include <openssl/bn.h> 33d059297112922cabb0c674840589be8db821fd9aAdam Langley#include <openssl/dsa.h> 34bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include <openssl/evp.h> 35bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 36bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include <stdarg.h> 37bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include <string.h> 38bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 39d059297112922cabb0c674840589be8db821fd9aAdam Langley#include "sshbuf.h" 40bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#include "compat.h" 41d059297112922cabb0c674840589be8db821fd9aAdam Langley#include "ssherr.h" 42d059297112922cabb0c674840589be8db821fd9aAdam Langley#include "digest.h" 43d059297112922cabb0c674840589be8db821fd9aAdam Langley#define SSHKEY_INTERNAL 44d059297112922cabb0c674840589be8db821fd9aAdam Langley#include "sshkey.h" 45bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 46bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#define INTBLOB_LEN 20 47bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman#define SIGBLOB_LEN (2*INTBLOB_LEN) 48bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 49bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanint 50d059297112922cabb0c674840589be8db821fd9aAdam Langleyssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 51d059297112922cabb0c674840589be8db821fd9aAdam Langley const u_char *data, size_t datalen, u_int compat) 52bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman{ 53d059297112922cabb0c674840589be8db821fd9aAdam Langley DSA_SIG *sig = NULL; 54d059297112922cabb0c674840589be8db821fd9aAdam Langley u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; 55d059297112922cabb0c674840589be8db821fd9aAdam Langley size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); 56d059297112922cabb0c674840589be8db821fd9aAdam Langley struct sshbuf *b = NULL; 57d059297112922cabb0c674840589be8db821fd9aAdam Langley int ret = SSH_ERR_INVALID_ARGUMENT; 58d059297112922cabb0c674840589be8db821fd9aAdam Langley 59d059297112922cabb0c674840589be8db821fd9aAdam Langley if (lenp != NULL) 60d059297112922cabb0c674840589be8db821fd9aAdam Langley *lenp = 0; 61d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sigp != NULL) 62d059297112922cabb0c674840589be8db821fd9aAdam Langley *sigp = NULL; 63d059297112922cabb0c674840589be8db821fd9aAdam Langley 64d059297112922cabb0c674840589be8db821fd9aAdam Langley if (key == NULL || key->dsa == NULL || 65d059297112922cabb0c674840589be8db821fd9aAdam Langley sshkey_type_plain(key->type) != KEY_DSA) 66d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_INVALID_ARGUMENT; 67d059297112922cabb0c674840589be8db821fd9aAdam Langley if (dlen == 0) 68d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_INTERNAL_ERROR; 69d059297112922cabb0c674840589be8db821fd9aAdam Langley 70d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, 71d059297112922cabb0c674840589be8db821fd9aAdam Langley digest, sizeof(digest))) != 0) 72d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 73d059297112922cabb0c674840589be8db821fd9aAdam Langley 74d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) { 75d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_LIBCRYPTO_ERROR; 76d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 77bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 78bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 79bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman rlen = BN_num_bytes(sig->r); 80bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman slen = BN_num_bytes(sig->s); 81bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) { 82d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_INTERNAL_ERROR; 83d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 84bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 85d059297112922cabb0c674840589be8db821fd9aAdam Langley explicit_bzero(sigblob, SIGBLOB_LEN); 86d059297112922cabb0c674840589be8db821fd9aAdam Langley BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen); 87d059297112922cabb0c674840589be8db821fd9aAdam Langley BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen); 88bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 89d059297112922cabb0c674840589be8db821fd9aAdam Langley if (compat & SSH_BUG_SIGBLOB) { 90bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if (sigp != NULL) { 91d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) { 92d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_ALLOC_FAIL; 93d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 94d059297112922cabb0c674840589be8db821fd9aAdam Langley } 95bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman memcpy(*sigp, sigblob, SIGBLOB_LEN); 96bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 97d059297112922cabb0c674840589be8db821fd9aAdam Langley if (lenp != NULL) 98d059297112922cabb0c674840589be8db821fd9aAdam Langley *lenp = SIGBLOB_LEN; 99d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = 0; 100bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } else { 101bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /* ietf-drafts */ 102d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((b = sshbuf_new()) == NULL) { 103d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_ALLOC_FAIL; 104d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 105d059297112922cabb0c674840589be8db821fd9aAdam Langley } 106d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 || 107d059297112922cabb0c674840589be8db821fd9aAdam Langley (ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0) 108d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 109d059297112922cabb0c674840589be8db821fd9aAdam Langley len = sshbuf_len(b); 110bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if (sigp != NULL) { 111d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((*sigp = malloc(len)) == NULL) { 112d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_ALLOC_FAIL; 113d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 114d059297112922cabb0c674840589be8db821fd9aAdam Langley } 115d059297112922cabb0c674840589be8db821fd9aAdam Langley memcpy(*sigp, sshbuf_ptr(b), len); 116bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 117d059297112922cabb0c674840589be8db821fd9aAdam Langley if (lenp != NULL) 118d059297112922cabb0c674840589be8db821fd9aAdam Langley *lenp = len; 119d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = 0; 120bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 121d059297112922cabb0c674840589be8db821fd9aAdam Langley out: 122d059297112922cabb0c674840589be8db821fd9aAdam Langley explicit_bzero(digest, sizeof(digest)); 123d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sig != NULL) 124d059297112922cabb0c674840589be8db821fd9aAdam Langley DSA_SIG_free(sig); 125d059297112922cabb0c674840589be8db821fd9aAdam Langley if (b != NULL) 126d059297112922cabb0c674840589be8db821fd9aAdam Langley sshbuf_free(b); 127d059297112922cabb0c674840589be8db821fd9aAdam Langley return ret; 128bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} 129d059297112922cabb0c674840589be8db821fd9aAdam Langley 130bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartmanint 131d059297112922cabb0c674840589be8db821fd9aAdam Langleyssh_dss_verify(const struct sshkey *key, 132d059297112922cabb0c674840589be8db821fd9aAdam Langley const u_char *signature, size_t signaturelen, 133d059297112922cabb0c674840589be8db821fd9aAdam Langley const u_char *data, size_t datalen, u_int compat) 134bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman{ 135d059297112922cabb0c674840589be8db821fd9aAdam Langley DSA_SIG *sig = NULL; 136d059297112922cabb0c674840589be8db821fd9aAdam Langley u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL; 137d059297112922cabb0c674840589be8db821fd9aAdam Langley size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); 138d059297112922cabb0c674840589be8db821fd9aAdam Langley int ret = SSH_ERR_INTERNAL_ERROR; 139d059297112922cabb0c674840589be8db821fd9aAdam Langley struct sshbuf *b = NULL; 140d059297112922cabb0c674840589be8db821fd9aAdam Langley char *ktype = NULL; 141d059297112922cabb0c674840589be8db821fd9aAdam Langley 142d059297112922cabb0c674840589be8db821fd9aAdam Langley if (key == NULL || key->dsa == NULL || 143d059297112922cabb0c674840589be8db821fd9aAdam Langley sshkey_type_plain(key->type) != KEY_DSA) 144d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_INVALID_ARGUMENT; 145d059297112922cabb0c674840589be8db821fd9aAdam Langley if (dlen == 0) 146d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_INTERNAL_ERROR; 147bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 148bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /* fetch signature */ 149d059297112922cabb0c674840589be8db821fd9aAdam Langley if (compat & SSH_BUG_SIGBLOB) { 150d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((sigblob = malloc(signaturelen)) == NULL) 151d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_ALLOC_FAIL; 152bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman memcpy(sigblob, signature, signaturelen); 153bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman len = signaturelen; 154bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } else { 155bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /* ietf-drafts */ 156d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((b = sshbuf_from(signature, signaturelen)) == NULL) 157d059297112922cabb0c674840589be8db821fd9aAdam Langley return SSH_ERR_ALLOC_FAIL; 158d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || 159d059297112922cabb0c674840589be8db821fd9aAdam Langley sshbuf_get_string(b, &sigblob, &len) != 0) { 160d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_INVALID_FORMAT; 161d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 162d059297112922cabb0c674840589be8db821fd9aAdam Langley } 163bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if (strcmp("ssh-dss", ktype) != 0) { 164d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_KEY_TYPE_MISMATCH; 165d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 166bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 167d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sshbuf_len(b) != 0) { 168d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 169d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 170bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 171bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 172bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 173bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if (len != SIGBLOB_LEN) { 174d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_INVALID_FORMAT; 175d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 176bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman } 177bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 178bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /* parse signature */ 179d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((sig = DSA_SIG_new()) == NULL || 180d059297112922cabb0c674840589be8db821fd9aAdam Langley (sig->r = BN_new()) == NULL || 181d059297112922cabb0c674840589be8db821fd9aAdam Langley (sig->s = BN_new()) == NULL) { 182d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_ALLOC_FAIL; 183d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 184d059297112922cabb0c674840589be8db821fd9aAdam Langley } 185bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || 186d059297112922cabb0c674840589be8db821fd9aAdam Langley (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) { 187d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_LIBCRYPTO_ERROR; 188d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 189d059297112922cabb0c674840589be8db821fd9aAdam Langley } 190bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 191bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman /* sha1 the data */ 192d059297112922cabb0c674840589be8db821fd9aAdam Langley if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, 193d059297112922cabb0c674840589be8db821fd9aAdam Langley digest, sizeof(digest))) != 0) 194d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 195d059297112922cabb0c674840589be8db821fd9aAdam Langley 196d059297112922cabb0c674840589be8db821fd9aAdam Langley switch (DSA_do_verify(digest, dlen, sig, key->dsa)) { 197d059297112922cabb0c674840589be8db821fd9aAdam Langley case 1: 198d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = 0; 199d059297112922cabb0c674840589be8db821fd9aAdam Langley break; 200d059297112922cabb0c674840589be8db821fd9aAdam Langley case 0: 201d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_SIGNATURE_INVALID; 202d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 203d059297112922cabb0c674840589be8db821fd9aAdam Langley default: 204d059297112922cabb0c674840589be8db821fd9aAdam Langley ret = SSH_ERR_LIBCRYPTO_ERROR; 205d059297112922cabb0c674840589be8db821fd9aAdam Langley goto out; 206d059297112922cabb0c674840589be8db821fd9aAdam Langley } 207bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman 208d059297112922cabb0c674840589be8db821fd9aAdam Langley out: 209d059297112922cabb0c674840589be8db821fd9aAdam Langley explicit_bzero(digest, sizeof(digest)); 210d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sig != NULL) 211d059297112922cabb0c674840589be8db821fd9aAdam Langley DSA_SIG_free(sig); 212d059297112922cabb0c674840589be8db821fd9aAdam Langley if (b != NULL) 213d059297112922cabb0c674840589be8db821fd9aAdam Langley sshbuf_free(b); 214d059297112922cabb0c674840589be8db821fd9aAdam Langley if (ktype != NULL) 215d059297112922cabb0c674840589be8db821fd9aAdam Langley free(ktype); 216d059297112922cabb0c674840589be8db821fd9aAdam Langley if (sigblob != NULL) { 217d059297112922cabb0c674840589be8db821fd9aAdam Langley explicit_bzero(sigblob, len); 218d059297112922cabb0c674840589be8db821fd9aAdam Langley free(sigblob); 219d059297112922cabb0c674840589be8db821fd9aAdam Langley } 220bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman return ret; 221bd77cf78387b72b7b3ea870459077672bf75c3b5Greg Hartman} 222d059297112922cabb0c674840589be8db821fd9aAdam Langley#endif /* WITH_OPENSSL */ 223