1 /*
2 * Copyright (c) 2000 Markus Friedl. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25 #include "includes.h"
26 RCSID("$OpenBSD: ssh-dss.c,v 1.17 2002/07/04 10:41:47 markus Exp $");
27
28 #pragma ident "%Z%%M% %I% %E% SMI"
29
30 #include <openssl/opensslconf.h>
31 #include <openssl/bn.h>
32 #include <openssl/evp.h>
33
34 #include "xmalloc.h"
35 #include "buffer.h"
36 #include "bufaux.h"
37 #include "compat.h"
38 #include "log.h"
39 #include "key.h"
40 #include "ssh-dss.h"
41
42 #define INTBLOB_LEN 20
43 #define SIGBLOB_LEN (2*INTBLOB_LEN)
44
45 int
46 ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp,
47 u_char *data, u_int datalen)
48 {
49 DSA_SIG *sig;
50 const EVP_MD *evp_md = EVP_sha1();
51 EVP_MD_CTX md;
52 u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
53 u_int rlen, slen, len, dlen;
54 Buffer b;
55
56 if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
57 error("ssh_dss_sign: no DSA key");
58 return -1;
59 }
60 EVP_DigestInit(&md, evp_md);
61 EVP_DigestUpdate(&md, data, datalen);
62 EVP_DigestFinal(&md, digest, &dlen);
63
64 sig = DSA_do_sign(digest, dlen, key->dsa);
65 memset(digest, 'd', sizeof(digest));
66
67 if (sig == NULL) {
68 error("ssh_dss_sign: sign failed");
69 return -1;
70 }
71
72 rlen = BN_num_bytes(sig->r);
73 slen = BN_num_bytes(sig->s);
74 if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
75 error("bad sig size %u %u", rlen, slen);
76 DSA_SIG_free(sig);
77 return -1;
78 }
79 memset(sigblob, 0, SIGBLOB_LEN);
80 BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
81 BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
82 DSA_SIG_free(sig);
83
84 if (datafellows & SSH_BUG_SIGBLOB) {
85 if (lenp != NULL)
86 *lenp = SIGBLOB_LEN;
87 if (sigp != NULL) {
88 *sigp = xmalloc(SIGBLOB_LEN);
89 memcpy(*sigp, sigblob, SIGBLOB_LEN);
90 }
91 } else {
92 /* ietf-drafts */
93 buffer_init(&b);
94 buffer_put_cstring(&b, "ssh-dss");
95 buffer_put_string(&b, sigblob, SIGBLOB_LEN);
96 len = buffer_len(&b);
97 if (lenp != NULL)
98 *lenp = len;
99 if (sigp != NULL) {
100 *sigp = xmalloc(len);
101 memcpy(*sigp, buffer_ptr(&b), len);
102 }
103 buffer_free(&b);
104 }
105 return 0;
106 }
107 int
108 ssh_dss_verify(Key *key, u_char *signature, u_int signaturelen,
109 u_char *data, u_int datalen)
110 {
111 DSA_SIG *sig;
112 const EVP_MD *evp_md = EVP_sha1();
113 EVP_MD_CTX md;
114 u_char digest[EVP_MAX_MD_SIZE], *sigblob;
115 u_int len, dlen;
116 int rlen, ret;
117 Buffer b;
118
119 if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
120 error("ssh_dss_verify: no DSA key");
121 return -1;
122 }
123
124 /* fetch signature */
125 if (datafellows & SSH_BUG_SIGBLOB) {
126 sigblob = signature;
127 len = signaturelen;
128 } else {
129 /* ietf-drafts */
130 char *ktype;
131 buffer_init(&b);
132 buffer_append(&b, signature, signaturelen);
133 ktype = buffer_get_string(&b, NULL);
134 if (strcmp("ssh-dss", ktype) != 0) {
135 error("ssh_dss_verify: cannot handle type %s", ktype);
136 buffer_free(&b);
137 xfree(ktype);
138 return -1;
139 }
140 xfree(ktype);
141 sigblob = buffer_get_string(&b, &len);
142 rlen = buffer_len(&b);
143 buffer_free(&b);
144 if (rlen != 0) {
145 error("ssh_dss_verify: "
146 "remaining bytes in signature %d", rlen);
147 xfree(sigblob);
148 return -1;
149 }
150 }
151
152 if (len != SIGBLOB_LEN) {
153 fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
154 }
155
156 /* parse signature */
157 if ((sig = DSA_SIG_new()) == NULL)
158 fatal("ssh_dss_verify: DSA_SIG_new failed");
159 if ((sig->r = BN_new()) == NULL)
160 fatal("ssh_dss_verify: BN_new failed");
161 if ((sig->s = BN_new()) == NULL)
162 fatal("ssh_dss_verify: BN_new failed");
163 BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
164 BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
165
166 if (!(datafellows & SSH_BUG_SIGBLOB)) {
167 memset(sigblob, 0, len);
168 xfree(sigblob);
169 }
170
171 /* sha1 the data */
172 EVP_DigestInit(&md, evp_md);
173 EVP_DigestUpdate(&md, data, datalen);
174 EVP_DigestFinal(&md, digest, &dlen);
175
176 ret = DSA_do_verify(digest, dlen, sig, key->dsa);
177 memset(digest, 'd', sizeof(digest));
178
179 DSA_SIG_free(sig);
180
181 debug("ssh_dss_verify: signature %s",
182 ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
183 return ret;
184 }