- stevesk@cvs.openbsd.org 2002/08/29 16:02:54

[openssh.git] / ssh-rsa.c

diff --git a/ssh-rsa.c b/ssh-rsa.c
index d6729b045ca1005cb4e3c1e7ba2cab271fb4ceb4..d7b2918f938851f03dbee7f2067ded974a244f1c 100644 (file)
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-rsa.c,v 1.23 2002/07/04 10:41:47 markus Exp $");
+RCSID("$OpenBSD: ssh-rsa.c,v 1.26 2002/08/27 17:13:56 stevesk Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -37,6 +37,8 @@ RCSID("$OpenBSD: ssh-rsa.c,v 1.23 2002/07/04 10:41:47 markus Exp $");
 #include "compat.h"
 #include "ssh.h"
 
+static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *);
+
 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
 int
 ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
@@ -76,7 +78,7 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp,
                return -1;
        }
        if (len < slen) {
-               int diff = slen - len;
+               u_int diff = slen - len;
                debug("slen %u > len %u", slen, len);
                memmove(sig + diff, sig, len);
                memset(sig, 0, diff);
@@ -149,7 +151,7 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
                xfree(sigblob);
                return -1;
        } else if (len < modlen) {
-               int diff = modlen - len;
+               u_int diff = modlen - len;
                debug("ssh_rsa_verify: add padding: modlen %u > len %u",
                    modlen, len);
                sigblob = xrealloc(sigblob, modlen);
@@ -167,15 +169,100 @@ ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen,
        EVP_DigestUpdate(&md, data, datalen);
        EVP_DigestFinal(&md, digest, &dlen);
 
-       ret = RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
+       ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
        memset(digest, 'd', sizeof(digest));
        memset(sigblob, 's', len);
        xfree(sigblob);
-       if (ret == 0) {
-               int ecode = ERR_get_error();
-               error("ssh_rsa_verify: RSA_verify failed: %s",
-                   ERR_error_string(ecode, NULL));
-       }
        debug("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
        return ret;
 }
+
+/*
+ * See:
+ * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
+ * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
+ */
+/*
+ * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
+ *     oiw(14) secsig(3) algorithms(2) 26 }
+ */
+static const u_char id_sha1[] = {
+       0x30, 0x21, /* type Sequence, length 0x21 (33) */
+       0x30, 0x09, /* type Sequence, length 0x09 */
+       0x06, 0x05, /* type OID, length 0x05 */
+       0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
+       0x05, 0x00, /* NULL */
+       0x04, 0x14  /* Octet string, length 0x14 (20), followed by sha1 hash */
+};
+/*
+ * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
+ *     rsadsi(113549) digestAlgorithm(2) 5 }
+ */
+static const u_char id_md5[] = {
+       0x30, 0x20, /* type Sequence, length 0x20 (32) */
+       0x30, 0x0c, /* type Sequence, length 0x09 */
+       0x06, 0x08, /* type OID, length 0x05 */
+       0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
+       0x05, 0x00, /* NULL */
+       0x04, 0x10  /* Octet string, length 0x10 (16), followed by md5 hash */
+};
+
+static int
+openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
+    u_char *sigbuf, u_int siglen, RSA *rsa)
+{
+       u_int ret, rsasize, oidlen = 0, hlen = 0;
+       int len;
+       const u_char *oid = NULL;
+       u_char *decrypted = NULL;
+
+       ret = 0;
+       switch (type) {
+       case NID_sha1:
+               oid = id_sha1;
+               oidlen = sizeof(id_sha1);
+               hlen = 20;
+               break;
+       case NID_md5:
+               oid = id_md5;
+               oidlen = sizeof(id_md5);
+               hlen = 16;
+               break;
+       default:
+               goto done;
+               break;
+       }
+       if (hashlen != hlen) {
+               error("bad hashlen");
+               goto done;
+       }
+       rsasize = RSA_size(rsa);
+       if (siglen == 0 || siglen > rsasize) {
+               error("bad siglen");
+               goto done;
+       }
+       decrypted = xmalloc(rsasize);
+       if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
+           RSA_PKCS1_PADDING)) < 0) {
+               error("RSA_public_decrypt failed: %s",
+                   ERR_error_string(ERR_get_error(), NULL));
+               goto done;
+       }
+       if (len != hlen + oidlen) {
+               error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
+               goto done;
+       }
+       if (memcmp(decrypted, oid, oidlen) != 0) {
+               error("oid mismatch");
+               goto done;
+       }
+       if (memcmp(decrypted + oidlen, hash, hlen) != 0) {
+               error("hash mismatch");
+               goto done;
+       }
+       ret = 1;
+done:
+       if (decrypted)
+               xfree(decrypted);
+       return ret;
+}