1 /* $OpenBSD: ssh-rsa.c,v 1.79 2023/03/05 05:34:09 dtucker Exp $ */
37 #include "openbsd-compat/openssl-compat.h"
46 	if (key->rsa == NULL)  in ssh_rsa_size()
48 	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);  in ssh_rsa_size()
55 	if ((k->rsa = RSA_new()) == NULL)  in ssh_rsa_alloc()
63 	RSA_free(k->rsa);  in ssh_rsa_cleanup()
64 	k->rsa = NULL;  in ssh_rsa_cleanup()
73 	if (a->rsa == NULL || b->rsa == NULL)  in ssh_rsa_equal()
75 	RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL);  in ssh_rsa_equal()
76 	RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL);  in ssh_rsa_equal()
92 	int r;  in ssh_rsa_serialize_public()  local
95 	if (key->rsa == NULL)  in ssh_rsa_serialize_public()
97 	RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL);  in ssh_rsa_serialize_public()
98 	if ((r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||  in ssh_rsa_serialize_public()
99 	    (r = sshbuf_put_bignum2(b, rsa_n)) != 0)  in ssh_rsa_serialize_public()
100 		return r;  in ssh_rsa_serialize_public()
109 	int r;  in ssh_rsa_serialize_private()  local
112 	RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);  in ssh_rsa_serialize_private()
113 	RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);  in ssh_rsa_serialize_private()
114 	RSA_get0_crt_params(key->rsa, NULL, NULL, &rsa_iqmp);  in ssh_rsa_serialize_private()
118 		if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||  in ssh_rsa_serialize_private()
119 		    (r = sshbuf_put_bignum2(b, rsa_e)) != 0)  in ssh_rsa_serialize_private()
120 			return r;  in ssh_rsa_serialize_private()
122 	if ((r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||  in ssh_rsa_serialize_private()
123 	    (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||  in ssh_rsa_serialize_private()
124 	    (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||  in ssh_rsa_serialize_private()
125 	    (r = sshbuf_put_bignum2(b, rsa_q)) != 0)  in ssh_rsa_serialize_private()
126 		return r;  in ssh_rsa_serialize_private()
150 	k->rsa = private;  in ssh_rsa_generate()
164 	int r = SSH_ERR_INTERNAL_ERROR;  in ssh_rsa_copy_public()  local
166 	RSA_get0_key(from->rsa, &rsa_n, &rsa_e, NULL);  in ssh_rsa_copy_public()
169 		r = SSH_ERR_ALLOC_FAIL;  in ssh_rsa_copy_public()
172 	if (!RSA_set0_key(to->rsa, rsa_n_dup, rsa_e_dup, NULL)) {  in ssh_rsa_copy_public()
173 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_copy_public()
178 	r = 0;  in ssh_rsa_copy_public()
182 	return r;  in ssh_rsa_copy_public()
197 	if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {  in ssh_rsa_deserialize_public()
205 	RSA_print_fp(stderr, key->rsa, 8);  in ssh_rsa_deserialize_public()
219 	int r;  in ssh_rsa_deserialize_private()  local
225 		if ((r = sshbuf_get_bignum2(b, &rsa_n)) != 0 ||  in ssh_rsa_deserialize_private()
226 		    (r = sshbuf_get_bignum2(b, &rsa_e)) != 0)  in ssh_rsa_deserialize_private()
228 		if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL)) {  in ssh_rsa_deserialize_private()
229 			r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_deserialize_private()
234 	if ((r = sshbuf_get_bignum2(b, &rsa_d)) != 0 ||  in ssh_rsa_deserialize_private()
235 	    (r = sshbuf_get_bignum2(b, &rsa_iqmp)) != 0 ||  in ssh_rsa_deserialize_private()
236 	    (r = sshbuf_get_bignum2(b, &rsa_p)) != 0 ||  in ssh_rsa_deserialize_private()
237 	    (r = sshbuf_get_bignum2(b, &rsa_q)) != 0)  in ssh_rsa_deserialize_private()
239 	if (!RSA_set0_key(key->rsa, NULL, NULL, rsa_d)) {  in ssh_rsa_deserialize_private()
240 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_deserialize_private()
244 	if (!RSA_set0_factors(key->rsa, rsa_p, rsa_q)) {  in ssh_rsa_deserialize_private()
245 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_deserialize_private()
249 	if ((r = sshkey_check_rsa_length(key, 0)) != 0)  in ssh_rsa_deserialize_private()
251 	if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0)  in ssh_rsa_deserialize_private()
253 	if (RSA_blinding_on(key->rsa, NULL) != 1) {  in ssh_rsa_deserialize_private()
254 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_deserialize_private()
258 	r = 0;  in ssh_rsa_deserialize_private()
266 	return r;  in ssh_rsa_deserialize_private()
274 		return "ssh-rsa";  in rsa_hash_alg_ident()
276 		return "rsa-sha2-256";  in rsa_hash_alg_ident()
278 		return "rsa-sha2-512";  in rsa_hash_alg_ident()
290 	if (strcmp(ident, "ssh-rsa") == 0)  in rsa_hash_id_from_ident()
292 	if (strcmp(ident, "rsa-sha2-256") == 0)  in rsa_hash_id_from_ident()
294 	if (strcmp(ident, "rsa-sha2-512") == 0)  in rsa_hash_id_from_ident()
296 	return -1;  in rsa_hash_id_from_ident()
307 	int r;  in rsa_hash_id_from_keyname()  local
309 	if ((r = rsa_hash_id_from_ident(alg)) != -1)  in rsa_hash_id_from_keyname()
310 		return r;  in rsa_hash_id_from_keyname()
311 	if (strcmp(alg, "ssh-rsa-cert-v01@openssh.com") == 0)  in rsa_hash_id_from_keyname()
313 	if (strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)  in rsa_hash_id_from_keyname()
315 	if (strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)  in rsa_hash_id_from_keyname()
317 	return -1;  in rsa_hash_id_from_keyname()
331 		return -1;  in rsa_hash_alg_nid()
342 	int r;  in ssh_rsa_complete_crt_parameters()  local
344 	if (key == NULL || key->rsa == NULL ||  in ssh_rsa_complete_crt_parameters()
345 	    sshkey_type_plain(key->type) != KEY_RSA)  in ssh_rsa_complete_crt_parameters()
348 	RSA_get0_key(key->rsa, NULL, NULL, &rsa_d);  in ssh_rsa_complete_crt_parameters()
349 	RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);  in ssh_rsa_complete_crt_parameters()
359 		r = SSH_ERR_ALLOC_FAIL;  in ssh_rsa_complete_crt_parameters()
369 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_complete_crt_parameters()
372 	if (!RSA_set0_crt_params(key->rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {  in ssh_rsa_complete_crt_parameters()
373 		r = SSH_ERR_LIBCRYPTO_ERROR;  in ssh_rsa_complete_crt_parameters()
378 	r = 0;  in ssh_rsa_complete_crt_parameters()
386 	return r;  in ssh_rsa_complete_crt_parameters()
389 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
412 	if (key == NULL || key->rsa == NULL || hash_alg == -1 ||  in ssh_rsa_sign()
413 	    sshkey_type_plain(key->type) != KEY_RSA)  in ssh_rsa_sign()
415 	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);  in ssh_rsa_sign()
418 	slen = RSA_size(key->rsa);  in ssh_rsa_sign()
435 	if (RSA_sign(nid, digest, hlen, sig, &len, key->rsa) != 1) {  in ssh_rsa_sign()
440 		size_t diff = slen - len;  in ssh_rsa_sign()
486 	if (key == NULL || key->rsa == NULL ||  in ssh_rsa_verify()
487 	    sshkey_type_plain(key->type) != KEY_RSA ||  in ssh_rsa_verify()
490 	RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);  in ssh_rsa_verify()
500 	if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {  in ssh_rsa_verify()
505 	 * Allow ssh-rsa-cert-v01 certs to generate SHA2 signatures for  in ssh_rsa_verify()
508 	if (alg != NULL && strcmp(alg, "ssh-rsa-cert-v01@openssh.com") != 0) {  in ssh_rsa_verify()
509 		if ((want_alg = rsa_hash_id_from_keyname(alg)) == -1) {  in ssh_rsa_verify()
527 	modlen = RSA_size(key->rsa);  in ssh_rsa_verify()
532 		diff = modlen - len;  in ssh_rsa_verify()
552 	    key->rsa);  in ssh_rsa_verify()
563  * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
564  * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
568  * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
575 	0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
582  * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
584  *      id-sha256(1) }
590 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
597  * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
599  *      id-sha256(3) }
605 	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
696 	/* .name = */		"ssh-rsa",
708 	/* .name = */		"ssh-rsa-cert-v01@openssh.com",
709 	/* .shortname = */	"RSA-CERT",
722 	/* .name = */		"rsa-sha2-256",
734 	/* .name = */		"rsa-sha2-512",
746 	/* .name = */		"rsa-sha2-256-cert-v01@openssh.com",
747 	/* .shortname = */	"RSA-CERT",
748 	/* .sigalg = */		"rsa-sha2-256",
758 	/* .name = */		"rsa-sha2-512-cert-v01@openssh.com",
759 	/* .shortname = */	"RSA-CERT",
760 	/* .sigalg = */		"rsa-sha2-512",