Files
itgmania212121/extern/crypto/CryptRSA.cpp
T
Jason Felds f941519e87 [sm130futures] Move the crypto stuff over.
This right now isn't used by us, but just in case...
2011-05-04 23:42:14 -04:00

800 lines
19 KiB
C++

/*
* RSA implementation for PuTTY.
*/
#include "global.h"
#include "RageUtil.h"
#include "CryptRSA.h"
#include "CryptSHA.h"
#include "CryptSH512.h"
#include "CryptMD5.h"
#include "CryptRand.h"
#include "CryptPrime.h"
#define GET_32BIT(cp) \
(((unsigned long)(unsigned char)(cp)[0] << 24) | \
((unsigned long)(unsigned char)(cp)[1] << 16) | \
((unsigned long)(unsigned char)(cp)[2] << 8) | \
((unsigned long)(unsigned char)(cp)[3]))
#define PUT_32BIT(cp, value) { \
(cp)[0] = (unsigned char)((value) >> 24); \
(cp)[1] = (unsigned char)((value) >> 16); \
(cp)[2] = (unsigned char)((value) >> 8); \
(cp)[3] = (unsigned char)(value); }
RSAKey::RSAKey()
{
bits = bytes = 0;
modulus = exponent = private_exponent = p = q = iqmp = NULL;
}
RSAKey::~RSAKey()
{
if(p)
freebn(p);
if(q)
freebn(q);
if(modulus)
freebn(modulus);
if(exponent)
freebn(exponent);
if(private_exponent)
freebn(private_exponent);
if(iqmp)
freebn(iqmp);
}
int makekey(unsigned char *data, struct RSAKey *result,
unsigned char **keystr, int order)
{
unsigned char *p = data;
int i;
if (result) {
result->bits = 0;
for (i = 0; i < 4; i++)
result->bits = (result->bits << 8) + *p++;
} else
p += 4;
/*
* order=0 means exponent then modulus (the keys sent by the
* server). order=1 means modulus then exponent (the keys
* stored in a keyfile).
*/
if (order == 0)
p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
if (result)
result->bytes = (((p[0] << 8) + p[1]) + 7) / 8;
if (keystr)
*keystr = p + 2;
p += ssh1_read_bignum(p, result ? &result->modulus : NULL);
if (order == 1)
p += ssh1_read_bignum(p, result ? &result->exponent : NULL);
return p - data;
}
int makeprivate( const unsigned char *data, struct RSAKey *result )
{
return ssh1_read_bignum(data, &result->private_exponent);
}
unsigned char *GetBytes( Bignum bn, int *buflen )
{
int len = bn[0]*BIGNUM_INT_BYTES;
unsigned char *ret = new unsigned char[len];
unsigned char *p = ret;
for( int i = len-1; i >= 0; --i )
*p++ = bignum_byte( bn, i );
return ret;
}
static void sha512_mpint(SHA512_State * s, Bignum b)
{
unsigned char lenbuf[4];
int len;
len = (bignum_bitcount(b) + 8) / 8;
PUT_32BIT(lenbuf, len);
SHA512_Bytes(s, lenbuf, 4);
while (len-- > 0) {
lenbuf[0] = bignum_byte(b, len);
SHA512_Bytes(s, lenbuf, 1);
}
memset(lenbuf, 0, sizeof(lenbuf));
}
/*
* This function is a wrapper on modpow(). It has the same effect
* as modpow(), but employs RSA blinding to protect against timing
* attacks.
*/
static Bignum rsa_privkey_op(Bignum input, const RSAKey *key)
{
Bignum random, random_encrypted, random_inverse;
Bignum input_blinded, ret_blinded;
Bignum ret;
SHA512_State ss;
unsigned char digest512[64];
unsigned digestused = ARRAYLEN(digest512);
int hashseq = 0;
/*
* Start by inventing a random number chosen uniformly from the
* range 2..modulus-1. (We do this by preparing a random number
* of the right length and retrying if it's greater than the
* modulus, to prevent any potential Bleichenbacher-like
* attacks making use of the uneven distribution within the
* range that would arise from just reducing our number mod n.
* There are timing implications to the potential retries, of
* course, but all they tell you is the modulus, which you
* already knew.)
*
* To preserve determinism and avoid Pageant needing to share
* the random number pool, we actually generate this `random'
* number by hashing stuff with the private key.
*/
while (1) {
int bits, byte, bitsleft, v;
random = copybn(key->modulus);
/*
* Find the topmost set bit. (This function will return its
* index plus one.) Then we'll set all bits from that one
* downwards randomly.
*/
bits = bignum_bitcount(random);
byte = 0;
bitsleft = 0;
while (bits--) {
if (bitsleft <= 0) {
bitsleft = 8;
/*
* Conceptually the following few lines are equivalent to
* byte = random_byte();
*/
if (digestused >= ARRAYLEN(digest512)) {
unsigned char seqbuf[4];
PUT_32BIT(seqbuf, hashseq);
SHA512_Init(&ss);
SHA512_Bytes(&ss, "RSA deterministic blinding", 26);
SHA512_Bytes(&ss, seqbuf, sizeof(seqbuf));
sha512_mpint(&ss, key->private_exponent);
SHA512_Final(&ss, digest512);
hashseq++;
/*
* Now hash that digest plus the signature
* input.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
sha512_mpint(&ss, input);
SHA512_Final(&ss, digest512);
digestused = 0;
}
byte = digest512[digestused++];
}
v = byte & 1;
byte >>= 1;
bitsleft--;
bignum_set_bit(random, bits, v);
}
/*
* Now check that this number is strictly greater than
* zero, and strictly less than modulus.
*/
if (bignum_cmp(random, Zero) <= 0 ||
bignum_cmp(random, key->modulus) >= 0) {
freebn(random);
continue;
} else {
break;
}
}
/*
* RSA blinding relies on the fact that (xy)^d mod n is equal
* to (x^d mod n) * (y^d mod n) mod n. We invent a random pair
* y and y^d; then we multiply x by y, raise to the power d mod
* n as usual, and divide by y^d to recover x^d. Thus an
* attacker can't correlate the timing of the modpow with the
* input, because they don't know anything about the number
* that was input to the actual modpow.
*
* The clever bit is that we don't have to do a huge modpow to
* get y and y^d; we will use the number we just invented as
* _y^d_, and use the _public_ exponent to compute (y^d)^e = y
* from it, which is much faster to do.
*/
random_encrypted = modpow(random, key->exponent, key->modulus);
random_inverse = modinv(random, key->modulus);
input_blinded = modmul(input, random_encrypted, key->modulus);
ret_blinded = modpow(input_blinded, key->private_exponent, key->modulus);
ret = modmul(ret_blinded, random_inverse, key->modulus);
freebn(ret_blinded);
freebn(input_blinded);
freebn(random_inverse);
freebn(random_encrypted);
freebn(random);
return ret;
}
bool RSAKey::Encrypt( RString &buf ) const
{
Bignum bn = bignum_from_bytes( (unsigned char *) buf.data(), buf.size() );
Bignum encrypted_bn = Encrypt( bn );
delete [] bn;
int len;
unsigned char *bytes = bignum_to_buffer( encrypted_bn, &len );
buf = RString( (const char *) bytes, len );
delete [] encrypted_bn;
return true;
}
bool RSAKey::Decrypt( RString &buf ) const
{
Bignum bn = bignum_from_buffer( (unsigned char *) buf.data(), buf.size() );
if( bn == NULL )
return false;
Bignum decrypted_bn = Decrypt( bn );
delete [] bn;
int len;
unsigned char *bytes = bignum_to_bytes( decrypted_bn, &len );
buf = RString( (const char *) bytes, len );
delete [] decrypted_bn;
return true;
}
Bignum RSAKey::Encrypt(const Bignum input) const
{
return modpow( input, this->exponent, this->modulus );
}
Bignum RSAKey::Decrypt(const Bignum input) const
{
return rsa_privkey_op(input, this);
}
int RSAKey::StrLen() const
{
Bignum md, ex;
int mdlen, exlen;
md = this->modulus;
ex = this->exponent;
mdlen = (bignum_bitcount(md) + 15) / 16;
exlen = (bignum_bitcount(ex) + 15) / 16;
return 4 * (mdlen + exlen) + 20;
}
void RSAKey::StrFmt( char *str ) const
{
int len = 0, i, nibbles;
static const char hex[] = "0123456789abcdef";
len += sprintf(str + len, "0x");
nibbles = (3 + bignum_bitcount(this->exponent)) / 4;
if (nibbles < 1)
nibbles = 1;
for (i = nibbles; i--;)
str[len++] = hex[(bignum_byte(this->exponent, i / 2) >> (4 * (i % 2))) & 0xF];
len += sprintf(str + len, ",0x");
nibbles = (3 + bignum_bitcount(this->modulus)) / 4;
if (nibbles < 1)
nibbles = 1;
for (i = nibbles; i--;)
str[len++] = hex[(bignum_byte(this->modulus, i / 2) >> (4 * (i % 2))) & 0xF];
str[len] = '\0';
}
/*
* Generate a fingerprint string for the key. Compatible with the
* OpenSSH fingerprint code.
*/
void RSAKey::Fingerprint( char *str, int len ) const
{
struct MD5Context md5c;
unsigned char digest[16];
char buffer[16 * 3 + 40];
int numlen, slen, i;
MD5Init(&md5c);
numlen = ssh1_bignum_length(this->modulus) - 2;
for (i = numlen; i--;) {
unsigned char c = bignum_byte(this->modulus, i);
MD5Update(&md5c, &c, 1);
}
numlen = ssh1_bignum_length(this->exponent) - 2;
for (i = numlen; i--;) {
unsigned char c = bignum_byte(this->exponent, i);
MD5Update(&md5c, &c, 1);
}
MD5Final(digest, &md5c);
sprintf(buffer, "%d ", bignum_bitcount(this->modulus));
for (i = 0; i < 16; i++)
sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
digest[i]);
strncpy(str, buffer, len);
str[len - 1] = '\0';
slen = strlen(str);
if (!this->comment.empty() && slen < len - 1)
{
str[slen] = ' ';
strncpy(str + slen + 1, this->comment, len - slen - 1);
str[len - 1] = '\0';
}
}
/*
* Verify that the public data in an RSA key matches the private
* data. We also check the private data itself: we ensure that p >
* q and that iqmp really is the inverse of q mod p.
*/
bool RSAKey::Check() const
{
Bignum n, ed, pm1, qm1;
int cmp;
/* n must equal pq. */
n = bigmul(this->p, this->q);
cmp = bignum_cmp(n, this->modulus);
freebn(n);
if (cmp != 0)
return 0;
/* e * d must be congruent to 1, modulo (p-1) and modulo (q-1). */
pm1 = copybn(this->p);
decbn(pm1);
ed = modmul(this->exponent, this->private_exponent, pm1);
cmp = bignum_cmp(ed, One);
delete [] ed;
if (cmp != 0)
return 0;
qm1 = copybn(this->q);
decbn(qm1);
ed = modmul(this->exponent, this->private_exponent, qm1);
cmp = bignum_cmp(ed, One);
delete [] ed;
if (cmp != 0)
return 0;
/*
* Ensure p > q.
*/
if (bignum_cmp(this->p, this->q) <= 0)
return 0;
/*
* Ensure iqmp * q is congruent to 1, modulo p.
*/
n = modmul(this->iqmp, this->q, this->p);
cmp = bignum_cmp(n, One);
delete [] n;
if (cmp != 0)
return 0;
return 1;
}
/* ----------------------------------------------------------------------
* Implementation of the ssh-rsa signing key type.
*/
static void getstring(const char **data, int *datalen, const char **p, int *length)
{
*p = NULL;
if (*datalen < 4)
return;
*length = GET_32BIT(*data);
*datalen -= 4;
*data += 4;
if (*datalen < *length)
return;
*p = *data;
*data += *length;
*datalen -= *length;
}
static Bignum getmp(const char **data, int *datalen)
{
const char *p;
int length;
Bignum b;
getstring(data, datalen, &p, &length);
if (!p)
return NULL;
b = bignum_from_bytes((unsigned char *)p, length);
return b;
}
bool RSAKey::LoadFromPublicBlob( const RString &str )
{
int len = str.size();
const char *data = str.data();
const char *p;
int slen;
getstring(&data, &len, &p, &slen);
if (!p || slen != 7 || memcmp(p, "ssh-rsa", 7)) {
return false;
}
struct RSAKey *rsa = new RSAKey;
rsa->exponent = getmp(&data, &len);
rsa->modulus = getmp(&data, &len);
rsa->private_exponent = NULL;
return true;
}
char *RSAKey::FmtKey() const
{
int len = this->StrLen();
char *p = new char[len];
StrFmt( p );
return p;
}
void RSAKey::PublicBlob( RString &out ) const
{
int elen, mlen, bloblen;
int i;
unsigned char *blob, *p;
elen = (bignum_bitcount(this->exponent) + 8) / 8;
mlen = (bignum_bitcount(this->modulus) + 8) / 8;
/*
* string "ssh-rsa", mpint exp, mpint mod. Total 19+elen+mlen.
* (three length fields, 12+7=19).
*/
bloblen = 19 + elen + mlen;
blob = new unsigned char[bloblen];
p = blob;
PUT_32BIT(p, 7);
p += 4;
memcpy(p, "ssh-rsa", 7);
p += 7;
PUT_32BIT(p, elen);
p += 4;
for (i = elen; i--;)
*p++ = bignum_byte(this->exponent, i);
PUT_32BIT(p, mlen);
p += 4;
for (i = mlen; i--;)
*p++ = bignum_byte(this->modulus, i);
ASSERT(p == blob + bloblen);
out = RString( (const char *) blob, bloblen );
}
void RSAKey::PrivateBlob( RString &out ) const
{
int i;
unsigned char *blob, *p;
int elen = (bignum_bitcount(this->exponent) + 8) / 8;
int mlen = (bignum_bitcount(this->modulus) + 8) / 8;
int dlen = (bignum_bitcount(this->private_exponent) + 8) / 8;
int plen = (bignum_bitcount(this->p) + 8) / 8;
int qlen = (bignum_bitcount(this->q) + 8) / 8;
int ulen = (bignum_bitcount(this->iqmp) + 8) / 8;
/*
* mpint exp, mpint mod, mpint private_exp, mpint p, mpint q, mpint iqmp. Total 24 +
* sum of lengths.
*/
int bloblen = 24 + elen + mlen + dlen + plen + qlen + ulen;
blob = new unsigned char[bloblen];
p = blob;
PUT_32BIT(p, elen);
p += 4;
for (i = elen; i--;)
*p++ = bignum_byte(this->exponent, i);
PUT_32BIT(p, mlen);
p += 4;
for (i = mlen; i--;)
*p++ = bignum_byte(this->modulus, i);
PUT_32BIT(p, dlen);
p += 4;
for (i = dlen; i--;)
*p++ = bignum_byte(this->private_exponent, i);
PUT_32BIT(p, plen);
p += 4;
for (i = plen; i--;)
*p++ = bignum_byte(this->p, i);
PUT_32BIT(p, qlen);
p += 4;
for (i = qlen; i--;)
*p++ = bignum_byte(this->q, i);
PUT_32BIT(p, ulen);
p += 4;
for (i = ulen; i--;)
*p++ = bignum_byte(this->iqmp, i);
ASSERT(p == blob + bloblen);
out = RString( (const char *) blob, bloblen );
}
bool RSAKey::LoadFromPrivateBlob( const RString &str )
{
int len = str.size();
const char *data = str.data();
this->exponent = getmp(&data, &len);
this->modulus = getmp(&data, &len);
this->private_exponent = getmp(&data, &len);
this->p = getmp(&data, &len);
this->q = getmp(&data, &len);
this->iqmp = getmp(&data, &len);
if (!this->Check())
return false;
return true;
}
/* static struct RSAKey *rsa2_openssh_createkey(unsigned char **blob, int *len)
{
const char **b = (const char **) blob;
struct RSAKey *rsa = new RSAKey;
rsa->comment = NULL;
rsa->modulus = getmp(b, len);
rsa->exponent = getmp(b, len);
rsa->private_exponent = getmp(b, len);
rsa->iqmp = getmp(b, len);
rsa->p = getmp(b, len);
rsa->q = getmp(b, len);
if (!rsa->modulus || !rsa->exponent || !rsa->private_exponent ||
!rsa->iqmp || !rsa->p || !rsa->q)
{
delete rsa;
return NULL;
}
return rsa;
}
static int rsa2_openssh_fmtkey( struct RSAKey *rsa, unsigned char *blob, int len )
{
int bloblen =
ssh2_bignum_length(rsa->modulus) +
ssh2_bignum_length(rsa->exponent) +
ssh2_bignum_length(rsa->private_exponent) +
ssh2_bignum_length(rsa->iqmp) +
ssh2_bignum_length(rsa->p) + ssh2_bignum_length(rsa->q);
if (bloblen > len)
return bloblen;
bloblen = 0;
#define ENC(x) \
PUT_32BIT(blob+bloblen, ssh2_bignum_length((x))-4); bloblen += 4; \
for (i = ssh2_bignum_length((x))-4; i-- ;) blob[bloblen++]=bignum_byte((x),i);
int i;
ENC(rsa->modulus);
ENC(rsa->exponent);
ENC(rsa->private_exponent);
ENC(rsa->iqmp);
ENC(rsa->p);
ENC(rsa->q);
return bloblen;
}
*/
int rsa2_pubkey_bits( const RString &blob )
{
RSAKey rsa;
if( !rsa.LoadFromPublicBlob( blob ) )
return 0;
return bignum_bitcount(rsa.modulus);
}
char *rsa2_fingerprint( struct RSAKey *rsa )
{
struct MD5Context md5c;
unsigned char digest[16], lenbuf[4];
char buffer[16 * 3 + 40];
char *ret;
int numlen, i;
MD5Init(&md5c);
MD5Update(&md5c, (unsigned char *)"\0\0\0\7ssh-rsa", 11);
#define ADD_BIGNUM(bignum) \
numlen = (bignum_bitcount(bignum)+8)/8; \
PUT_32BIT(lenbuf, numlen); MD5Update(&md5c, lenbuf, 4); \
for (i = numlen; i-- ;) { \
unsigned char c = bignum_byte(bignum, i); \
MD5Update(&md5c, &c, 1); \
}
ADD_BIGNUM(rsa->exponent);
ADD_BIGNUM(rsa->modulus);
#undef ADD_BIGNUM
MD5Final(digest, &md5c);
sprintf(buffer, "ssh-rsa %d ", bignum_bitcount(rsa->modulus));
for (i = 0; i < 16; i++)
sprintf(buffer + strlen(buffer), "%s%02x", i ? ":" : "",
digest[i]);
ret = new char[strlen(buffer) + 1];
if (ret)
strcpy(ret, buffer);
return ret;
}
bool RSAKey::Verify( const RString &data, const RString &sig ) const
{
Bignum in, out;
int bytes, i, j;
unsigned char hash[20];
in = bignum_from_bytes( (const unsigned char *) sig.data(), sig.size() );
/* Base (in) must be smaller than the modulus. */
if( bignum_cmp(in, this->modulus) >= 0 )
{
freebn(in);
return false;
}
out = modpow(in, this->exponent, this->modulus);
freebn(in);
bool ret = true;
bytes = (bignum_bitcount(this->modulus)+7) / 8;
/* Top (partial) byte should be zero. */
if (bignum_byte(out, bytes - 1) != 0)
ret = 0;
/* First whole byte should be 1. */
if (bignum_byte(out, bytes - 2) != 1)
ret = 0;
/* Most of the rest should be FF. */
for (i = bytes - 3; i >= 20; i--) {
if (bignum_byte(out, i) != 0xFF)
ret = 0;
}
/* Finally, we expect to see the SHA-1 hash of the signed data. */
SHA_Simple( data.data(), data.size(), hash );
for (i = 19, j = 0; i >= 0; i--, j++) {
if (bignum_byte(out, i) != hash[j])
ret = false;
}
freebn(out);
return ret;
}
void RSAKey::Sign( const RString &data, RString &out ) const
{
Bignum in;
{
unsigned char hash[20];
SHA_Simple(data.data(), data.size(), hash);
int nbytes = (bignum_bitcount(this->modulus) - 1) / 8;
unsigned char *bytes = new unsigned char[nbytes];
memset( bytes, 0xFF, nbytes );
bytes[0] = 1;
memcpy( bytes + nbytes - 20, hash, 20 );
in = bignum_from_bytes(bytes, nbytes);
delete [] bytes;
}
Bignum outnum = rsa_privkey_op(in, this);
delete [] in;
int siglen;
unsigned char *bytes = bignum_to_bytes( outnum, &siglen );
delete [] outnum;
out = RString( (const char *) bytes, siglen );
delete [] bytes;
}
#define RSA_EXPONENT 37 /* we like this prime */
int RSAKey::Generate( int bits )
{
Bignum pm1, qm1, phi_n;
/*
* We don't generate e; we just use a standard one always.
*/
this->exponent = bignum_from_long(RSA_EXPONENT);
/*
* Generate p and q: primes with combined length `bits', not
* congruent to 1 modulo e. (Strictly speaking, we wanted (p-1)
* and e to be coprime, and (q-1) and e to be coprime, but in
* general that's slightly more fiddly to arrange. By choosing
* a prime e, we can simplify the criterion.)
*/
this->p = primegen(bits / 2, RSA_EXPONENT, 1, NULL, 1);
this->q = primegen(bits - bits / 2, RSA_EXPONENT, 1, NULL, 2);
/*
* Ensure p > q, by swapping them if not.
*/
if (bignum_cmp(this->p, this->q) < 0)
swap( p, q );
/*
* Now we have p, q and e. All we need to do now is work out
* the other helpful quantities: n=pq, d=e^-1 mod (p-1)(q-1),
* and (q^-1 mod p).
*/
this->modulus = bigmul(this->p, this->q);
pm1 = copybn(this->p);
decbn(pm1);
qm1 = copybn(this->q);
decbn(qm1);
phi_n = bigmul(pm1, qm1);
freebn(pm1);
freebn(qm1);
this->private_exponent = modinv(this->exponent, phi_n);
this->iqmp = modinv(this->q, this->p);
/*
* Clean up temporary numbers.
*/
freebn(phi_n);
return 1;
}
/*
* PuTTY is copyright 1997-2001 Simon Tatham.
*
* Portions copyright Robert de Bath, Joris van Rantwijk, Delian
* Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry,
* Justin Bradford, and CORE SDI S.A.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation files
* (the "Software"), to deal in the Software without restriction,
* including without limitation the rights to use, copy, modify, merge,
* publish, distribute, sublicense, and/or sell copies of the Software,
* and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE
* FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
* CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/