1 /* $OpenBSD: ssh-rsa.c,v 1.58 2015/12/11 04:21:12 mmcc Exp $ */ 2 /* 3 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "includes.h" 19 20 #ifdef WITH_OPENSSL 21 22 #include <sys/types.h> 23 24 #include <openssl/evp.h> 25 #include <openssl/err.h> 26 27 #include <stdarg.h> 28 #include <string.h> 29 30 #include "sshbuf.h" 31 #include "compat.h" 32 #include "ssherr.h" 33 #define SSHKEY_INTERNAL 34 #include "sshkey.h" 35 #include "digest.h" 36 37 static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *); 38 39 static const char * 40 rsa_hash_alg_ident(int hash_alg) 41 { 42 switch (hash_alg) { 43 case SSH_DIGEST_SHA1: 44 return "ssh-rsa"; 45 case SSH_DIGEST_SHA256: 46 return "rsa-sha2-256"; 47 case SSH_DIGEST_SHA512: 48 return "rsa-sha2-512"; 49 } 50 return NULL; 51 } 52 53 static int 54 rsa_hash_alg_from_ident(const char *ident) 55 { 56 if (strcmp(ident, "ssh-rsa") == 0) 57 return SSH_DIGEST_SHA1; 58 if (strcmp(ident, "rsa-sha2-256") == 0) 59 return SSH_DIGEST_SHA256; 60 if (strcmp(ident, "rsa-sha2-512") == 0) 61 return SSH_DIGEST_SHA512; 62 return -1; 63 } 64 65 static int 66 rsa_hash_alg_nid(int type) 67 { 68 switch (type) { 69 case SSH_DIGEST_SHA1: 70 return NID_sha1; 71 case SSH_DIGEST_SHA256: 72 return NID_sha256; 73 case SSH_DIGEST_SHA512: 74 return NID_sha512; 75 default: 76 return -1; 77 } 78 } 79 80 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ 81 int 82 ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 83 const u_char *data, size_t datalen, const char *alg_ident) 84 { 85 u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; 86 size_t slen; 87 u_int dlen, len; 88 int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR; 89 struct sshbuf *b = NULL; 90 91 if (lenp != NULL) 92 *lenp = 0; 93 if (sigp != NULL) 94 *sigp = NULL; 95 96 if (alg_ident == NULL || strlen(alg_ident) == 0 || 97 strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0) 98 hash_alg = SSH_DIGEST_SHA1; 99 else 100 hash_alg = rsa_hash_alg_from_ident(alg_ident); 101 if (key == NULL || key->rsa == NULL || hash_alg == -1 || 102 sshkey_type_plain(key->type) != KEY_RSA || 103 BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 104 return SSH_ERR_INVALID_ARGUMENT; 105 slen = RSA_size(key->rsa); 106 if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) 107 return SSH_ERR_INVALID_ARGUMENT; 108 109 /* hash the data */ 110 nid = rsa_hash_alg_nid(hash_alg); 111 if ((dlen = ssh_digest_bytes(hash_alg)) == 0) 112 return SSH_ERR_INTERNAL_ERROR; 113 if ((ret = ssh_digest_memory(hash_alg, data, datalen, 114 digest, sizeof(digest))) != 0) 115 goto out; 116 117 if ((sig = malloc(slen)) == NULL) { 118 ret = SSH_ERR_ALLOC_FAIL; 119 goto out; 120 } 121 122 if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) { 123 ret = SSH_ERR_LIBCRYPTO_ERROR; 124 goto out; 125 } 126 if (len < slen) { 127 size_t diff = slen - len; 128 memmove(sig + diff, sig, len); 129 explicit_bzero(sig, diff); 130 } else if (len > slen) { 131 ret = SSH_ERR_INTERNAL_ERROR; 132 goto out; 133 } 134 /* encode signature */ 135 if ((b = sshbuf_new()) == NULL) { 136 ret = SSH_ERR_ALLOC_FAIL; 137 goto out; 138 } 139 if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 || 140 (ret = sshbuf_put_string(b, sig, slen)) != 0) 141 goto out; 142 len = sshbuf_len(b); 143 if (sigp != NULL) { 144 if ((*sigp = malloc(len)) == NULL) { 145 ret = SSH_ERR_ALLOC_FAIL; 146 goto out; 147 } 148 memcpy(*sigp, sshbuf_ptr(b), len); 149 } 150 if (lenp != NULL) 151 *lenp = len; 152 ret = 0; 153 out: 154 explicit_bzero(digest, sizeof(digest)); 155 if (sig != NULL) { 156 explicit_bzero(sig, slen); 157 free(sig); 158 } 159 sshbuf_free(b); 160 return ret; 161 } 162 163 int 164 ssh_rsa_verify(const struct sshkey *key, 165 const u_char *sig, size_t siglen, const u_char *data, size_t datalen) 166 { 167 char *ktype = NULL; 168 int hash_alg, ret = SSH_ERR_INTERNAL_ERROR; 169 size_t len, diff, modlen, dlen; 170 struct sshbuf *b = NULL; 171 u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL; 172 173 if (key == NULL || key->rsa == NULL || 174 sshkey_type_plain(key->type) != KEY_RSA || 175 BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) 176 return SSH_ERR_INVALID_ARGUMENT; 177 178 if ((b = sshbuf_from(sig, siglen)) == NULL) 179 return SSH_ERR_ALLOC_FAIL; 180 if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { 181 ret = SSH_ERR_INVALID_FORMAT; 182 goto out; 183 } 184 if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) { 185 ret = SSH_ERR_KEY_TYPE_MISMATCH; 186 goto out; 187 } 188 if (sshbuf_get_string(b, &sigblob, &len) != 0) { 189 ret = SSH_ERR_INVALID_FORMAT; 190 goto out; 191 } 192 if (sshbuf_len(b) != 0) { 193 ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; 194 goto out; 195 } 196 /* RSA_verify expects a signature of RSA_size */ 197 modlen = RSA_size(key->rsa); 198 if (len > modlen) { 199 ret = SSH_ERR_KEY_BITS_MISMATCH; 200 goto out; 201 } else if (len < modlen) { 202 diff = modlen - len; 203 osigblob = sigblob; 204 if ((sigblob = realloc(sigblob, modlen)) == NULL) { 205 sigblob = osigblob; /* put it back for clear/free */ 206 ret = SSH_ERR_ALLOC_FAIL; 207 goto out; 208 } 209 memmove(sigblob + diff, sigblob, len); 210 explicit_bzero(sigblob, diff); 211 len = modlen; 212 } 213 if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { 214 ret = SSH_ERR_INTERNAL_ERROR; 215 goto out; 216 } 217 if ((ret = ssh_digest_memory(hash_alg, data, datalen, 218 digest, sizeof(digest))) != 0) 219 goto out; 220 221 ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len, 222 key->rsa); 223 out: 224 if (sigblob != NULL) { 225 explicit_bzero(sigblob, len); 226 free(sigblob); 227 } 228 free(ktype); 229 sshbuf_free(b); 230 explicit_bzero(digest, sizeof(digest)); 231 return ret; 232 } 233 234 /* 235 * See: 236 * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/ 237 * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn 238 */ 239 240 /* 241 * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) 242 * oiw(14) secsig(3) algorithms(2) 26 } 243 */ 244 static const u_char id_sha1[] = { 245 0x30, 0x21, /* type Sequence, length 0x21 (33) */ 246 0x30, 0x09, /* type Sequence, length 0x09 */ 247 0x06, 0x05, /* type OID, length 0x05 */ 248 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */ 249 0x05, 0x00, /* NULL */ 250 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */ 251 }; 252 253 /* 254 * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html 255 * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) 256 * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) 257 * id-sha256(1) } 258 */ 259 static const u_char id_sha256[] = { 260 0x30, 0x31, /* type Sequence, length 0x31 (49) */ 261 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ 262 0x06, 0x09, /* type OID, length 0x09 */ 263 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */ 264 0x05, 0x00, /* NULL */ 265 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */ 266 }; 267 268 /* 269 * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html 270 * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) 271 * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) 272 * id-sha256(3) } 273 */ 274 static const u_char id_sha512[] = { 275 0x30, 0x51, /* type Sequence, length 0x51 (81) */ 276 0x30, 0x0d, /* type Sequence, length 0x0d (13) */ 277 0x06, 0x09, /* type OID, length 0x09 */ 278 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */ 279 0x05, 0x00, /* NULL */ 280 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */ 281 }; 282 283 static int 284 rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp) 285 { 286 switch (hash_alg) { 287 case SSH_DIGEST_SHA1: 288 *oidp = id_sha1; 289 *oidlenp = sizeof(id_sha1); 290 break; 291 case SSH_DIGEST_SHA256: 292 *oidp = id_sha256; 293 *oidlenp = sizeof(id_sha256); 294 break; 295 case SSH_DIGEST_SHA512: 296 *oidp = id_sha512; 297 *oidlenp = sizeof(id_sha512); 298 break; 299 default: 300 return SSH_ERR_INVALID_ARGUMENT; 301 } 302 return 0; 303 } 304 305 static int 306 openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen, 307 u_char *sigbuf, size_t siglen, RSA *rsa) 308 { 309 size_t rsasize = 0, oidlen = 0, hlen = 0; 310 int ret, len, oidmatch, hashmatch; 311 const u_char *oid = NULL; 312 u_char *decrypted = NULL; 313 314 if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0) 315 return ret; 316 ret = SSH_ERR_INTERNAL_ERROR; 317 hlen = ssh_digest_bytes(hash_alg); 318 if (hashlen != hlen) { 319 ret = SSH_ERR_INVALID_ARGUMENT; 320 goto done; 321 } 322 rsasize = RSA_size(rsa); 323 if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || 324 siglen == 0 || siglen > rsasize) { 325 ret = SSH_ERR_INVALID_ARGUMENT; 326 goto done; 327 } 328 if ((decrypted = malloc(rsasize)) == NULL) { 329 ret = SSH_ERR_ALLOC_FAIL; 330 goto done; 331 } 332 if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa, 333 RSA_PKCS1_PADDING)) < 0) { 334 ret = SSH_ERR_LIBCRYPTO_ERROR; 335 goto done; 336 } 337 if (len < 0 || (size_t)len != hlen + oidlen) { 338 ret = SSH_ERR_INVALID_FORMAT; 339 goto done; 340 } 341 oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; 342 hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; 343 if (!oidmatch || !hashmatch) { 344 ret = SSH_ERR_SIGNATURE_INVALID; 345 goto done; 346 } 347 ret = 0; 348 done: 349 if (decrypted) { 350 explicit_bzero(decrypted, rsasize); 351 free(decrypted); 352 } 353 return ret; 354 } 355 #endif /* WITH_OPENSSL */ 356