/src/openssh/ssh-rsa.c

Source (jump to first uncovered line)
/* $OpenBSD: ssh-rsa.c,v 1.81 2025/07/24 05:44:55 djm Exp $ */
/*
 * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#ifdef WITH_OPENSSL

#include <sys/types.h>

#include <openssl/evp.h>
#include <openssl/err.h>

#include <stdarg.h>
#include <string.h>

#include "sshbuf.h"
#include "ssherr.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "digest.h"
#include "log.h"

#include "openbsd-compat/openssl-compat.h"

static u_int
ssh_rsa_size(const struct sshkey *k)
{
  if (k->pkey == NULL)
    return 0;
  return EVP_PKEY_bits(k->pkey);
}

static int
ssh_rsa_alloc(struct sshkey *k)
{
  if ((k->pkey = EVP_PKEY_new()) == NULL)
    return SSH_ERR_ALLOC_FAIL;
  return 0;
}

static void
ssh_rsa_cleanup(struct sshkey *k)
{
  EVP_PKEY_free(k->pkey);
  k->pkey = NULL;
}

static int
ssh_rsa_equal(const struct sshkey *a, const struct sshkey *b)
{
  if (a->pkey == NULL || b->pkey == NULL)
    return 0;
  return EVP_PKEY_cmp(a->pkey, b->pkey) == 1;
}

static int
ssh_rsa_serialize_public(const struct sshkey *key, struct sshbuf *b,
    enum sshkey_serialize_rep opts)
{
  int r;
  const BIGNUM *rsa_n, *rsa_e;
  const RSA *rsa;

  if (key->pkey == NULL)
    return SSH_ERR_INVALID_ARGUMENT;
  if ((rsa = EVP_PKEY_get0_RSA(key->pkey)) == NULL)
    return SSH_ERR_LIBCRYPTO_ERROR;

  RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
  if ((r = sshbuf_put_bignum2(b, rsa_e)) != 0 ||
      (r = sshbuf_put_bignum2(b, rsa_n)) != 0)
    return r;

  return 0;
}

static int
ssh_rsa_serialize_private(const struct sshkey *key, struct sshbuf *b,
    enum sshkey_serialize_rep opts)
{
  int r;
  const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_iqmp, *rsa_p, *rsa_q;
  const RSA *rsa;

  if ((rsa = EVP_PKEY_get0_RSA(key->pkey)) == NULL)
    return SSH_ERR_LIBCRYPTO_ERROR;
  RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
  RSA_get0_factors(rsa, &rsa_p, &rsa_q);
  RSA_get0_crt_params(rsa, NULL, NULL, &rsa_iqmp);

  if (!sshkey_is_cert(key)) {
    /* Note: can't reuse ssh_rsa_serialize_public: e, n vs. n, e */
    if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 ||
        (r = sshbuf_put_bignum2(b, rsa_e)) != 0)
      return r;
  }
  if ((r = sshbuf_put_bignum2(b, rsa_d)) != 0 ||
      (r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 ||
      (r = sshbuf_put_bignum2(b, rsa_p)) != 0 ||
      (r = sshbuf_put_bignum2(b, rsa_q)) != 0)
    return r;

  return 0;
}

static int
ssh_rsa_generate(struct sshkey *k, int bits)
{
  EVP_PKEY_CTX *ctx = NULL;
  EVP_PKEY *res = NULL;

  int ret = SSH_ERR_INTERNAL_ERROR;

  if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
      bits > SSHBUF_MAX_BIGNUM * 8)
    return SSH_ERR_KEY_LENGTH;

  if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) {
    ret = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if (EVP_PKEY_keygen_init(ctx) <= 0) {
    ret = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0) {
    ret = SSH_ERR_KEY_LENGTH;
    goto out;
  }
  if (EVP_PKEY_keygen(ctx, &res) <= 0 || res == NULL) {
    ret = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  /* success */
  k->pkey = res;
  ret = 0;
 out:
  EVP_PKEY_CTX_free(ctx);
  return ret;
}

static int
ssh_rsa_copy_public(const struct sshkey *from, struct sshkey *to)
{
  const BIGNUM *rsa_n, *rsa_e;
  BIGNUM *rsa_n_dup = NULL, *rsa_e_dup = NULL;
  int r = SSH_ERR_INTERNAL_ERROR;
  const RSA *rsa_from;
  RSA *rsa_to = NULL;

  if ((rsa_from = EVP_PKEY_get0_RSA(from->pkey)) == NULL ||
      (rsa_to = RSA_new()) == NULL)
    return SSH_ERR_LIBCRYPTO_ERROR;

  RSA_get0_key(rsa_from, &rsa_n, &rsa_e, NULL);
  if ((rsa_n_dup = BN_dup(rsa_n)) == NULL ||
      (rsa_e_dup = BN_dup(rsa_e)) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if (!RSA_set0_key(rsa_to, rsa_n_dup, rsa_e_dup, NULL)) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  rsa_n_dup = rsa_e_dup = NULL; /* transferred */

  if (EVP_PKEY_set1_RSA(to->pkey, rsa_to) != 1) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  /* success */
  r = 0;
 out:
  RSA_free(rsa_to);
  BN_clear_free(rsa_n_dup);
  BN_clear_free(rsa_e_dup);
  return r;
}

static int
ssh_rsa_deserialize_public(const char *ktype, struct sshbuf *b,
    struct sshkey *key)
{
  int ret = SSH_ERR_INTERNAL_ERROR;
  BIGNUM *rsa_n = NULL, *rsa_e = NULL;
  RSA *rsa = NULL;

  if ((rsa = RSA_new()) == NULL)
    return SSH_ERR_LIBCRYPTO_ERROR;

  if (sshbuf_get_bignum2(b, &rsa_e) != 0 ||
      sshbuf_get_bignum2(b, &rsa_n) != 0) {
    ret = SSH_ERR_INVALID_FORMAT;
    goto out;
  }
  if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
    ret = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  rsa_n = rsa_e = NULL; /* transferred */
  if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) {
    ret = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  if ((ret = sshkey_check_rsa_length(key, 0)) != 0)
    goto out;
#ifdef DEBUG_PK
  RSA_print_fp(stderr, rsa, 8);
#endif
  /* success */
  ret = 0;
 out:
  RSA_free(rsa);
  BN_clear_free(rsa_n);
  BN_clear_free(rsa_e);
  return ret;
}

static int
ssh_rsa_deserialize_private(const char *ktype, struct sshbuf *b,
    struct sshkey *key)
{
  int r;
  BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
  BIGNUM *rsa_iqmp = NULL, *rsa_p = NULL, *rsa_q = NULL;
  BIGNUM *rsa_dmp1 = NULL, *rsa_dmq1 = NULL;
  RSA *rsa = NULL;

  if (sshkey_is_cert(key)) {
    /* sshkey_private_deserialize already has pubkey from cert */
    if ((rsa = EVP_PKEY_get1_RSA(key->pkey)) == NULL) {
      r = SSH_ERR_LIBCRYPTO_ERROR;
      goto out;
    }
  } else {
    if ((rsa = RSA_new()) == NULL) {
      r = SSH_ERR_LIBCRYPTO_ERROR;
      goto out;
    }
    /* Note: can't reuse ssh_rsa_deserialize_public: e,n vs. n,e */
    if ((r = sshbuf_get_bignum2(b, &rsa_n)) != 0 ||
        (r = sshbuf_get_bignum2(b, &rsa_e)) != 0)
      goto out;
    if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
      r = SSH_ERR_LIBCRYPTO_ERROR;
      goto out;
    }
    rsa_n = rsa_e = NULL; /* transferred */
  }
  if ((r = sshbuf_get_bignum2(b, &rsa_d)) != 0 ||
      (r = sshbuf_get_bignum2(b, &rsa_iqmp)) != 0 ||
      (r = sshbuf_get_bignum2(b, &rsa_p)) != 0 ||
      (r = sshbuf_get_bignum2(b, &rsa_q)) != 0)
    goto out;
  if ((r = ssh_rsa_complete_crt_parameters(rsa_d, rsa_p, rsa_q,
      rsa_iqmp, &rsa_dmp1, &rsa_dmq1)) != 0)
    goto out;
  if (!RSA_set0_key(rsa, NULL, NULL, rsa_d)) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  rsa_d = NULL; /* transferred */
  if (!RSA_set0_factors(rsa, rsa_p, rsa_q)) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  rsa_p = rsa_q = NULL; /* transferred */
  if (!RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL;
  if (RSA_blinding_on(rsa, NULL) != 1) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  if ((r = sshkey_check_rsa_length(key, 0)) != 0)
    goto out;
  /* success */
  r = 0;
 out:
  RSA_free(rsa);
  BN_clear_free(rsa_n);
  BN_clear_free(rsa_e);
  BN_clear_free(rsa_d);
  BN_clear_free(rsa_p);
  BN_clear_free(rsa_q);
  BN_clear_free(rsa_iqmp);
  BN_clear_free(rsa_dmp1);
  BN_clear_free(rsa_dmq1);
  return r;
}

const char *
ssh_rsa_hash_alg_ident(int hash_alg)
{
  switch (hash_alg) {
  case SSH_DIGEST_SHA1:
    return "ssh-rsa";
  case SSH_DIGEST_SHA256:
    return "rsa-sha2-256";
  case SSH_DIGEST_SHA512:
    return "rsa-sha2-512";
  }
  return NULL;
}

/*
 * Returns the hash algorithm ID for a given algorithm identifier as used
 * inside the signature blob,
 */
static int
rsa_hash_id_from_ident(const char *ident)
{
  if (strcmp(ident, "ssh-rsa") == 0)
    return SSH_DIGEST_SHA1;
  if (strcmp(ident, "rsa-sha2-256") == 0)
    return SSH_DIGEST_SHA256;
  if (strcmp(ident, "rsa-sha2-512") == 0)
    return SSH_DIGEST_SHA512;
  return -1;
}

/*
 * Return the hash algorithm ID for the specified key name. This includes
 * all the cases of rsa_hash_id_from_ident() but also the certificate key
 * types.
 */
int
ssh_rsa_hash_id_from_keyname(const char *alg)
{
  int r;

  if ((r = rsa_hash_id_from_ident(alg)) != -1)
    return r;
  if (strcmp(alg, "ssh-rsa-cert-v01@openssh.com") == 0)
    return SSH_DIGEST_SHA1;
  if (strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
    return SSH_DIGEST_SHA256;
  if (strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
    return SSH_DIGEST_SHA512;
  return -1;
}

int
ssh_rsa_complete_crt_parameters(const BIGNUM *rsa_d, const BIGNUM *rsa_p,
    const BIGNUM *rsa_q, const BIGNUM *rsa_iqmp, BIGNUM **rsa_dmp1,
    BIGNUM **rsa_dmq1)
{
  BIGNUM *aux = NULL, *d_consttime = NULL;
  BN_CTX *ctx = NULL;
  int r;

  *rsa_dmq1 = *rsa_dmp1 = NULL;
  if ((ctx = BN_CTX_new()) == NULL)
    return SSH_ERR_ALLOC_FAIL;
  if ((aux = BN_new()) == NULL ||
      (*rsa_dmq1 = BN_new()) == NULL ||
      (*rsa_dmp1 = BN_new()) == NULL)
    return SSH_ERR_ALLOC_FAIL;
  if ((d_consttime = BN_dup(rsa_d)) == NULL) {
    r = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  BN_set_flags(aux, BN_FLG_CONSTTIME);
  BN_set_flags(d_consttime, BN_FLG_CONSTTIME);

  if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) ||
      (BN_mod(*rsa_dmq1, d_consttime, aux, ctx) == 0) ||
      (BN_sub(aux, rsa_p, BN_value_one()) == 0) ||
      (BN_mod(*rsa_dmp1, d_consttime, aux, ctx) == 0)) {
    r = SSH_ERR_LIBCRYPTO_ERROR;
    goto out;
  }
  /* success */
  r = 0;
 out:
  BN_clear_free(aux);
  BN_clear_free(d_consttime);
  BN_CTX_free(ctx);
  return r;
}

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
static int
ssh_rsa_sign(struct sshkey *key,
    u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen,
    const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
{
  u_char *sig = NULL;
  size_t diff, len = 0;
  int slen = 0;
  int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;

  if (lenp != NULL)
    *lenp = 0;
  if (sigp != NULL)
    *sigp = NULL;

  if (alg == NULL || strlen(alg) == 0)
    hash_alg = SSH_DIGEST_SHA1;
  else
    hash_alg = ssh_rsa_hash_id_from_keyname(alg);

  if (key == NULL || key->pkey == NULL || hash_alg == -1 ||
      sshkey_type_plain(key->type) != KEY_RSA)
    return SSH_ERR_INVALID_ARGUMENT;
  slen = EVP_PKEY_size(key->pkey);
  if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
    return SSH_ERR_INVALID_ARGUMENT;
  if (EVP_PKEY_bits(key->pkey) < SSH_RSA_MINIMUM_MODULUS_SIZE)
    return SSH_ERR_KEY_LENGTH;

  if ((ret = sshkey_pkey_digest_sign(key->pkey, hash_alg, &sig, &len,
      data, datalen)) < 0)
    goto out;
  if (len < (size_t)slen) {
    diff = slen - len;
    memmove(sig + diff, sig, len);
    explicit_bzero(sig, diff);
  } else if (len > (size_t)slen) {
    ret = SSH_ERR_INTERNAL_ERROR;
    goto out;
  }
  if ((ret = ssh_rsa_encode_store_sig(hash_alg, sig, slen,
      sigp, lenp)) != 0)
    goto out;

  /* success */
  ret = 0;
 out:
  freezero(sig, slen);
  return ret;
}

int
ssh_rsa_encode_store_sig(int hash_alg, const u_char *sig, size_t slen,
    u_char **sigp, size_t *lenp)
{
  struct sshbuf *b = NULL;
  int ret = SSH_ERR_INTERNAL_ERROR;
  size_t len;

  if (lenp != NULL)
    *lenp = 0;
  if (sigp != NULL)
    *sigp = NULL;

  /* Encode signature */
  if ((b = sshbuf_new()) == NULL) {
    ret = SSH_ERR_ALLOC_FAIL;
    goto out;
  }
  if ((ret = sshbuf_put_cstring(b,
      ssh_rsa_hash_alg_ident(hash_alg))) != 0 ||
      (ret = sshbuf_put_string(b, sig, slen)) != 0)
    goto out;
  len = sshbuf_len(b);

  /* Store signature */
  if (sigp != NULL) {
    if ((*sigp = malloc(len)) == NULL) {
      ret = SSH_ERR_ALLOC_FAIL;
      goto out;
    }
    memcpy(*sigp, sshbuf_ptr(b), len);
  }
  if (lenp != NULL)
    *lenp = len;
  ret = 0;
 out:
  sshbuf_free(b);
  return ret;
}

static int
ssh_rsa_verify(const struct sshkey *key,
    const u_char *sig, size_t siglen,
    const u_char *data, size_t dlen, const char *alg, u_int compat,
    struct sshkey_sig_details **detailsp)
{
  char *sigtype = NULL;
  int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
  size_t len = 0, diff, modlen, rsasize;
  struct sshbuf *b = NULL;
  u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;

  if (key == NULL || key->pkey == NULL ||
      sshkey_type_plain(key->type) != KEY_RSA ||
      sig == NULL || siglen == 0)
    return SSH_ERR_INVALID_ARGUMENT;
  if (EVP_PKEY_bits(key->pkey) < SSH_RSA_MINIMUM_MODULUS_SIZE)
    return SSH_ERR_KEY_LENGTH;

  if ((b = sshbuf_from(sig, siglen)) == NULL)
    return SSH_ERR_ALLOC_FAIL;
  if (sshbuf_get_cstring(b, &sigtype, NULL) != 0) {
    ret = SSH_ERR_INVALID_FORMAT;
    goto out;
  }
  if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
    ret = SSH_ERR_KEY_TYPE_MISMATCH;
    goto out;
  }
  /*
   * Allow ssh-rsa-cert-v01 certs to generate SHA2 signatures for
   * legacy reasons, but otherwise the signature type should match.
   */
  if (alg != NULL && strcmp(alg, "ssh-rsa-cert-v01@openssh.com") != 0) {
    if ((want_alg = ssh_rsa_hash_id_from_keyname(alg)) == -1) {
      ret = SSH_ERR_INVALID_ARGUMENT;
      goto out;
    }
    if (hash_alg != want_alg) {
      ret = SSH_ERR_SIGNATURE_INVALID;
      goto out;
    }
  }
  if (sshbuf_get_string(b, &sigblob, &len) != 0) {
    ret = SSH_ERR_INVALID_FORMAT;
    goto out;
  }
  if (sshbuf_len(b) != 0) {
    ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
    goto out;
  }
  /* RSA_verify expects a signature of RSA_size */
  modlen = EVP_PKEY_size(key->pkey);
  if (len > modlen) {
    ret = SSH_ERR_KEY_BITS_MISMATCH;
    goto out;
  } else if (len < modlen) {
    diff = modlen - len;
    osigblob = sigblob;
    if ((sigblob = realloc(sigblob, modlen)) == NULL) {
      sigblob = osigblob; /* put it back for clear/free */
      ret = SSH_ERR_ALLOC_FAIL;
      goto out;
    }
    memmove(sigblob + diff, sigblob, len);
    explicit_bzero(sigblob, diff);
    len = modlen;
  }

  rsasize = EVP_PKEY_size(key->pkey);
  if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
      len == 0 || len > rsasize) {
    ret = SSH_ERR_INVALID_ARGUMENT;
    goto out;
  }
  ret = sshkey_pkey_digest_verify(key->pkey, hash_alg, data, dlen,
      sigblob, len);

 out:
  freezero(sigblob, len);
  free(sigtype);
  sshbuf_free(b);
  explicit_bzero(digest, sizeof(digest));
  return ret;
}

static const struct sshkey_impl_funcs sshkey_rsa_funcs = {
  /* .size = */   ssh_rsa_size,
  /* .alloc = */    ssh_rsa_alloc,
  /* .cleanup = */  ssh_rsa_cleanup,
  /* .equal = */    ssh_rsa_equal,
  /* .ssh_serialize_public = */ ssh_rsa_serialize_public,
  /* .ssh_deserialize_public = */ ssh_rsa_deserialize_public,
  /* .ssh_serialize_private = */ ssh_rsa_serialize_private,
  /* .ssh_deserialize_private = */ ssh_rsa_deserialize_private,
  /* .generate = */ ssh_rsa_generate,
  /* .copy_public = */  ssh_rsa_copy_public,
  /* .sign = */   ssh_rsa_sign,
  /* .verify = */   ssh_rsa_verify,
};

const struct sshkey_impl sshkey_rsa_impl = {
  /* .name = */   "ssh-rsa",
  /* .shortname = */  "RSA",
  /* .sigalg = */   NULL,
  /* .type = */   KEY_RSA,
  /* .nid = */    0,
  /* .cert = */   0,
  /* .sigonly = */  0,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};

const struct sshkey_impl sshkey_rsa_cert_impl = {
  /* .name = */   "ssh-rsa-cert-v01@openssh.com",
  /* .shortname = */  "RSA-CERT",
  /* .sigalg = */   NULL,
  /* .type = */   KEY_RSA_CERT,
  /* .nid = */    0,
  /* .cert = */   1,
  /* .sigonly = */  0,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};

/* SHA2 signature algorithms */

const struct sshkey_impl sshkey_rsa_sha256_impl = {
  /* .name = */   "rsa-sha2-256",
  /* .shortname = */  "RSA",
  /* .sigalg = */   NULL,
  /* .type = */   KEY_RSA,
  /* .nid = */    0,
  /* .cert = */   0,
  /* .sigonly = */  1,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};

const struct sshkey_impl sshkey_rsa_sha512_impl = {
  /* .name = */   "rsa-sha2-512",
  /* .shortname = */  "RSA",
  /* .sigalg = */   NULL,
  /* .type = */   KEY_RSA,
  /* .nid = */    0,
  /* .cert = */   0,
  /* .sigonly = */  1,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};

const struct sshkey_impl sshkey_rsa_sha256_cert_impl = {
  /* .name = */   "rsa-sha2-256-cert-v01@openssh.com",
  /* .shortname = */  "RSA-CERT",
  /* .sigalg = */   "rsa-sha2-256",
  /* .type = */   KEY_RSA_CERT,
  /* .nid = */    0,
  /* .cert = */   1,
  /* .sigonly = */  1,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};

const struct sshkey_impl sshkey_rsa_sha512_cert_impl = {
  /* .name = */   "rsa-sha2-512-cert-v01@openssh.com",
  /* .shortname = */  "RSA-CERT",
  /* .sigalg = */   "rsa-sha2-512",
  /* .type = */   KEY_RSA_CERT,
  /* .nid = */    0,
  /* .cert = */   1,
  /* .sigonly = */  1,
  /* .keybits = */  0,
  /* .funcs = */    &sshkey_rsa_funcs,
};
#endif /* WITH_OPENSSL */

Coverage Report

Created: 2025-08-26 06:33

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: ssh-rsa.c,v 1.81 2025/07/24 05:44:55 djm Exp $ */
2		/*
3		* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
4		*
5		* Permission to use, copy, modify, and distribute this software for any
6		* purpose with or without fee is hereby granted, provided that the above
7		* copyright notice and this permission notice appear in all copies.
8		*
9		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		*/
17
18		#include "includes.h"
19
20		#ifdef WITH_OPENSSL
21
22		#include <sys/types.h>
23
24		#include <openssl/evp.h>
25		#include <openssl/err.h>
26
27		#include <stdarg.h>
28		#include <string.h>
29
30		#include "sshbuf.h"
31		#include "ssherr.h"
32		#define SSHKEY_INTERNAL
33		#include "sshkey.h"
34		#include "digest.h"
35		#include "log.h"
36
37		#include "openbsd-compat/openssl-compat.h"
38
39		static u_int
40		ssh_rsa_size(const struct sshkey *k)
41	0	{
42	0	if (k->pkey == NULL)
43	0	return 0;
44	0	return EVP_PKEY_bits(k->pkey);
45	0	}
46
47		static int
48		ssh_rsa_alloc(struct sshkey *k)
49	4.37k	{
50	4.37k	if ((k->pkey = EVP_PKEY_new()) == NULL)
51	0	return SSH_ERR_ALLOC_FAIL;
52	4.37k	return 0;
53	4.37k	}
54
55		static void
56		ssh_rsa_cleanup(struct sshkey *k)
57	4.37k	{
58	4.37k	EVP_PKEY_free(k->pkey);
59	4.37k	k->pkey = NULL;
60	4.37k	}
61
62		static int
63		ssh_rsa_equal(const struct sshkey a, const struct sshkey b)
64	1.74k	{
65	1.74k	if (a->pkey == NULL \|\| b->pkey == NULL)
66	0	return 0;
67	1.74k	return EVP_PKEY_cmp(a->pkey, b->pkey) == 1;
68	1.74k	}
69
70		static int
71		ssh_rsa_serialize_public(const struct sshkey key, struct sshbuf b,
72		enum sshkey_serialize_rep opts)
73	6	{
74	6	int r;
75	6	const BIGNUM rsa_n, rsa_e;
76	6	const RSA *rsa;
77
78	6	if (key->pkey == NULL)
79	0	return SSH_ERR_INVALID_ARGUMENT;
80	6	if ((rsa = EVP_PKEY_get0_RSA(key->pkey)) == NULL)
81	0	return SSH_ERR_LIBCRYPTO_ERROR;
82
83	6	RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
84	6	if ((r = sshbuf_put_bignum2(b, rsa_e)) != 0 \|\|
85	6	(r = sshbuf_put_bignum2(b, rsa_n)) != 0)
86	0	return r;
87
88	6	return 0;
89	6	}
90
91		static int
92		ssh_rsa_serialize_private(const struct sshkey key, struct sshbuf b,
93		enum sshkey_serialize_rep opts)
94	0	{
95	0	int r;
96	0	const BIGNUM rsa_n, rsa_e, rsa_d, rsa_iqmp, rsa_p, rsa_q;
97	0	const RSA *rsa;
98
99	0	if ((rsa = EVP_PKEY_get0_RSA(key->pkey)) == NULL)
100	0	return SSH_ERR_LIBCRYPTO_ERROR;
101	0	RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
102	0	RSA_get0_factors(rsa, &rsa_p, &rsa_q);
103	0	RSA_get0_crt_params(rsa, NULL, NULL, &rsa_iqmp);
104
105	0	if (!sshkey_is_cert(key)) {
106		/* Note: can't reuse ssh_rsa_serialize_public: e, n vs. n, e */
107	0	if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 \|\|
108	0	(r = sshbuf_put_bignum2(b, rsa_e)) != 0)
109	0	return r;
110	0	}
111	0	if ((r = sshbuf_put_bignum2(b, rsa_d)) != 0 \|\|
112	0	(r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 \|\|
113	0	(r = sshbuf_put_bignum2(b, rsa_p)) != 0 \|\|
114	0	(r = sshbuf_put_bignum2(b, rsa_q)) != 0)
115	0	return r;
116
117	0	return 0;
118	0	}
119
120		static int
121		ssh_rsa_generate(struct sshkey *k, int bits)
122	0	{
123	0	EVP_PKEY_CTX *ctx = NULL;
124	0	EVP_PKEY *res = NULL;
125
126	0	int ret = SSH_ERR_INTERNAL_ERROR;
127
128	0	if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE \|\|
129	0	bits > SSHBUF_MAX_BIGNUM * 8)
130	0	return SSH_ERR_KEY_LENGTH;
131
132	0	if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) {
133	0	ret = SSH_ERR_ALLOC_FAIL;
134	0	goto out;
135	0	}
136	0	if (EVP_PKEY_keygen_init(ctx) <= 0) {
137	0	ret = SSH_ERR_LIBCRYPTO_ERROR;
138	0	goto out;
139	0	}
140	0	if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) <= 0) {
141	0	ret = SSH_ERR_KEY_LENGTH;
142	0	goto out;
143	0	}
144	0	if (EVP_PKEY_keygen(ctx, &res) <= 0 \|\| res == NULL) {
145	0	ret = SSH_ERR_LIBCRYPTO_ERROR;
146	0	goto out;
147	0	}
148		/* success */
149	0	k->pkey = res;
150	0	ret = 0;
151	0	out:
152	0	EVP_PKEY_CTX_free(ctx);
153	0	return ret;
154	0	}
155
156		static int
157		ssh_rsa_copy_public(const struct sshkey from, struct sshkey to)
158	0	{
159	0	const BIGNUM rsa_n, rsa_e;
160	0	BIGNUM rsa_n_dup = NULL, rsa_e_dup = NULL;
161	0	int r = SSH_ERR_INTERNAL_ERROR;
162	0	const RSA *rsa_from;
163	0	RSA *rsa_to = NULL;
164
165	0	if ((rsa_from = EVP_PKEY_get0_RSA(from->pkey)) == NULL \|\|
166	0	(rsa_to = RSA_new()) == NULL)
167	0	return SSH_ERR_LIBCRYPTO_ERROR;
168
169	0	RSA_get0_key(rsa_from, &rsa_n, &rsa_e, NULL);
170	0	if ((rsa_n_dup = BN_dup(rsa_n)) == NULL \|\|
171	0	(rsa_e_dup = BN_dup(rsa_e)) == NULL) {
172	0	r = SSH_ERR_ALLOC_FAIL;
173	0	goto out;
174	0	}
175	0	if (!RSA_set0_key(rsa_to, rsa_n_dup, rsa_e_dup, NULL)) {
176	0	r = SSH_ERR_LIBCRYPTO_ERROR;
177	0	goto out;
178	0	}
179	0	rsa_n_dup = rsa_e_dup = NULL; /* transferred */
180
181	0	if (EVP_PKEY_set1_RSA(to->pkey, rsa_to) != 1) {
182	0	r = SSH_ERR_LIBCRYPTO_ERROR;
183	0	goto out;
184	0	}
185		/* success */
186	0	r = 0;
187	0	out:
188	0	RSA_free(rsa_to);
189	0	BN_clear_free(rsa_n_dup);
190	0	BN_clear_free(rsa_e_dup);
191	0	return r;
192	0	}
193
194		static int
195		ssh_rsa_deserialize_public(const char ktype, struct sshbuf b,
196		struct sshkey *key)
197	2.62k	{
198	2.62k	int ret = SSH_ERR_INTERNAL_ERROR;
199	2.62k	BIGNUM rsa_n = NULL, rsa_e = NULL;
200	2.62k	RSA *rsa = NULL;
201
202	2.62k	if ((rsa = RSA_new()) == NULL)
203	0	return SSH_ERR_LIBCRYPTO_ERROR;
204
205	2.62k	if (sshbuf_get_bignum2(b, &rsa_e) != 0 \|\|
206	2.62k	sshbuf_get_bignum2(b, &rsa_n) != 0) {
207	0	ret = SSH_ERR_INVALID_FORMAT;
208	0	goto out;
209	0	}
210	2.62k	if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
211	0	ret = SSH_ERR_LIBCRYPTO_ERROR;
212	0	goto out;
213	0	}
214	2.62k	rsa_n = rsa_e = NULL; /* transferred */
215	2.62k	if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) {
216	0	ret = SSH_ERR_LIBCRYPTO_ERROR;
217	0	goto out;
218	0	}
219	2.62k	if ((ret = sshkey_check_rsa_length(key, 0)) != 0)
220	0	goto out;
221		#ifdef DEBUG_PK
222		RSA_print_fp(stderr, rsa, 8);
223		#endif
224		/* success */
225	2.62k	ret = 0;
226	2.62k	out:
227	2.62k	RSA_free(rsa);
228	2.62k	BN_clear_free(rsa_n);
229	2.62k	BN_clear_free(rsa_e);
230	2.62k	return ret;
231	2.62k	}
232
233		static int
234		ssh_rsa_deserialize_private(const char ktype, struct sshbuf b,
235		struct sshkey *key)
236	1.74k	{
237	1.74k	int r;
238	1.74k	BIGNUM rsa_n = NULL, rsa_e = NULL, *rsa_d = NULL;
239	1.74k	BIGNUM rsa_iqmp = NULL, rsa_p = NULL, *rsa_q = NULL;
240	1.74k	BIGNUM rsa_dmp1 = NULL, rsa_dmq1 = NULL;
241	1.74k	RSA *rsa = NULL;
242
243	1.74k	if (sshkey_is_cert(key)) {
244		/* sshkey_private_deserialize already has pubkey from cert */
245	0	if ((rsa = EVP_PKEY_get1_RSA(key->pkey)) == NULL) {
246	0	r = SSH_ERR_LIBCRYPTO_ERROR;
247	0	goto out;
248	0	}
249	1.74k	} else {
250	1.74k	if ((rsa = RSA_new()) == NULL) {
251	0	r = SSH_ERR_LIBCRYPTO_ERROR;
252	0	goto out;
253	0	}
254		/* Note: can't reuse ssh_rsa_deserialize_public: e,n vs. n,e */
255	1.74k	if ((r = sshbuf_get_bignum2(b, &rsa_n)) != 0 \|\|
256	1.74k	(r = sshbuf_get_bignum2(b, &rsa_e)) != 0)
257	0	goto out;
258	1.74k	if (!RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) {
259	0	r = SSH_ERR_LIBCRYPTO_ERROR;
260	0	goto out;
261	0	}
262	1.74k	rsa_n = rsa_e = NULL; /* transferred */
263	1.74k	}
264	1.74k	if ((r = sshbuf_get_bignum2(b, &rsa_d)) != 0 \|\|
265	1.74k	(r = sshbuf_get_bignum2(b, &rsa_iqmp)) != 0 \|\|
266	1.74k	(r = sshbuf_get_bignum2(b, &rsa_p)) != 0 \|\|
267	1.74k	(r = sshbuf_get_bignum2(b, &rsa_q)) != 0)
268	0	goto out;
269	1.74k	if ((r = ssh_rsa_complete_crt_parameters(rsa_d, rsa_p, rsa_q,
270	1.74k	rsa_iqmp, &rsa_dmp1, &rsa_dmq1)) != 0)
271	0	goto out;
272	1.74k	if (!RSA_set0_key(rsa, NULL, NULL, rsa_d)) {
273	0	r = SSH_ERR_LIBCRYPTO_ERROR;
274	0	goto out;
275	0	}
276	1.74k	rsa_d = NULL; /* transferred */
277	1.74k	if (!RSA_set0_factors(rsa, rsa_p, rsa_q)) {
278	0	r = SSH_ERR_LIBCRYPTO_ERROR;
279	0	goto out;
280	0	}
281	1.74k	rsa_p = rsa_q = NULL; /* transferred */
282	1.74k	if (!RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp)) {
283	0	r = SSH_ERR_LIBCRYPTO_ERROR;
284	0	goto out;
285	0	}
286	1.74k	rsa_dmp1 = rsa_dmq1 = rsa_iqmp = NULL;
287	1.74k	if (RSA_blinding_on(rsa, NULL) != 1) {
288	0	r = SSH_ERR_LIBCRYPTO_ERROR;
289	0	goto out;
290	0	}
291	1.74k	if (EVP_PKEY_set1_RSA(key->pkey, rsa) != 1) {
292	0	r = SSH_ERR_LIBCRYPTO_ERROR;
293	0	goto out;
294	0	}
295	1.74k	if ((r = sshkey_check_rsa_length(key, 0)) != 0)
296	0	goto out;
297		/* success */
298	1.74k	r = 0;
299	1.74k	out:
300	1.74k	RSA_free(rsa);
301	1.74k	BN_clear_free(rsa_n);
302	1.74k	BN_clear_free(rsa_e);
303	1.74k	BN_clear_free(rsa_d);
304	1.74k	BN_clear_free(rsa_p);
305	1.74k	BN_clear_free(rsa_q);
306	1.74k	BN_clear_free(rsa_iqmp);
307	1.74k	BN_clear_free(rsa_dmp1);
308	1.74k	BN_clear_free(rsa_dmq1);
309	1.74k	return r;
310	1.74k	}
311
312		const char *
313		ssh_rsa_hash_alg_ident(int hash_alg)
314	0	{
315	0	switch (hash_alg) {
316	0	case SSH_DIGEST_SHA1:
317	0	return "ssh-rsa";
318	0	case SSH_DIGEST_SHA256:
319	0	return "rsa-sha2-256";
320	0	case SSH_DIGEST_SHA512:
321	0	return "rsa-sha2-512";
322	0	}
323	0	return NULL;
324	0	}
325
326		/*
327		* Returns the hash algorithm ID for a given algorithm identifier as used
328		* inside the signature blob,
329		*/
330		static int
331		rsa_hash_id_from_ident(const char *ident)
332	0	{
333	0	if (strcmp(ident, "ssh-rsa") == 0)
334	0	return SSH_DIGEST_SHA1;
335	0	if (strcmp(ident, "rsa-sha2-256") == 0)
336	0	return SSH_DIGEST_SHA256;
337	0	if (strcmp(ident, "rsa-sha2-512") == 0)
338	0	return SSH_DIGEST_SHA512;
339	0	return -1;
340	0	}
341
342		/*
343		* Return the hash algorithm ID for the specified key name. This includes
344		* all the cases of rsa_hash_id_from_ident() but also the certificate key
345		* types.
346		*/
347		int
348		ssh_rsa_hash_id_from_keyname(const char *alg)
349	0	{
350	0	int r;
351
352	0	if ((r = rsa_hash_id_from_ident(alg)) != -1)
353	0	return r;
354	0	if (strcmp(alg, "ssh-rsa-cert-v01@openssh.com") == 0)
355	0	return SSH_DIGEST_SHA1;
356	0	if (strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
357	0	return SSH_DIGEST_SHA256;
358	0	if (strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
359	0	return SSH_DIGEST_SHA512;
360	0	return -1;
361	0	}
362
363		int
364		ssh_rsa_complete_crt_parameters(const BIGNUM rsa_d, const BIGNUM rsa_p,
365		const BIGNUM rsa_q, const BIGNUM rsa_iqmp, BIGNUM **rsa_dmp1,
366		BIGNUM **rsa_dmq1)
367	1.74k	{
368	1.74k	BIGNUM aux = NULL, d_consttime = NULL;
369	1.74k	BN_CTX *ctx = NULL;
370	1.74k	int r;
371
372	1.74k	rsa_dmq1 = rsa_dmp1 = NULL;
373	1.74k	if ((ctx = BN_CTX_new()) == NULL)
374	0	return SSH_ERR_ALLOC_FAIL;
375	1.74k	if ((aux = BN_new()) == NULL \|\|
376	1.74k	(*rsa_dmq1 = BN_new()) == NULL \|\|
377	1.74k	(*rsa_dmp1 = BN_new()) == NULL)
378	0	return SSH_ERR_ALLOC_FAIL;
379	1.74k	if ((d_consttime = BN_dup(rsa_d)) == NULL) {
380	0	r = SSH_ERR_ALLOC_FAIL;
381	0	goto out;
382	0	}
383	1.74k	BN_set_flags(aux, BN_FLG_CONSTTIME);
384	1.74k	BN_set_flags(d_consttime, BN_FLG_CONSTTIME);
385
386	1.74k	if ((BN_sub(aux, rsa_q, BN_value_one()) == 0) \|\|
387	1.74k	(BN_mod(*rsa_dmq1, d_consttime, aux, ctx) == 0) \|\|
388	1.74k	(BN_sub(aux, rsa_p, BN_value_one()) == 0) \|\|
389	1.74k	(BN_mod(*rsa_dmp1, d_consttime, aux, ctx) == 0)) {
390	0	r = SSH_ERR_LIBCRYPTO_ERROR;
391	0	goto out;
392	0	}
393		/* success */
394	1.74k	r = 0;
395	1.74k	out:
396	1.74k	BN_clear_free(aux);
397	1.74k	BN_clear_free(d_consttime);
398	1.74k	BN_CTX_free(ctx);
399	1.74k	return r;
400	1.74k	}
401
402		/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
403		static int
404		ssh_rsa_sign(struct sshkey *key,
405		u_char *sigp, size_t lenp,
406		const u_char *data, size_t datalen,
407		const char alg, const char sk_provider, const char *sk_pin, u_int compat)
408	0	{
409	0	u_char *sig = NULL;
410	0	size_t diff, len = 0;
411	0	int slen = 0;
412	0	int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
413
414	0	if (lenp != NULL)
415	0	*lenp = 0;
416	0	if (sigp != NULL)
417	0	*sigp = NULL;
418
419	0	if (alg == NULL \|\| strlen(alg) == 0)
420	0	hash_alg = SSH_DIGEST_SHA1;
421	0	else
422	0	hash_alg = ssh_rsa_hash_id_from_keyname(alg);
423
424	0	if (key == NULL \|\| key->pkey == NULL \|\| hash_alg == -1 \|\|
425	0	sshkey_type_plain(key->type) != KEY_RSA)
426	0	return SSH_ERR_INVALID_ARGUMENT;
427	0	slen = EVP_PKEY_size(key->pkey);
428	0	if (slen <= 0 \|\| slen > SSHBUF_MAX_BIGNUM)
429	0	return SSH_ERR_INVALID_ARGUMENT;
430	0	if (EVP_PKEY_bits(key->pkey) < SSH_RSA_MINIMUM_MODULUS_SIZE)
431	0	return SSH_ERR_KEY_LENGTH;
432
433	0	if ((ret = sshkey_pkey_digest_sign(key->pkey, hash_alg, &sig, &len,
434	0	data, datalen)) < 0)
435	0	goto out;
436	0	if (len < (size_t)slen) {
437	0	diff = slen - len;
438	0	memmove(sig + diff, sig, len);
439	0	explicit_bzero(sig, diff);
440	0	} else if (len > (size_t)slen) {
441	0	ret = SSH_ERR_INTERNAL_ERROR;
442	0	goto out;
443	0	}
444	0	if ((ret = ssh_rsa_encode_store_sig(hash_alg, sig, slen,
445	0	sigp, lenp)) != 0)
446	0	goto out;
447
448		/* success */
449	0	ret = 0;
450	0	out:
451	0	freezero(sig, slen);
452	0	return ret;
453	0	}
454
455		int
456		ssh_rsa_encode_store_sig(int hash_alg, const u_char *sig, size_t slen,
457		u_char *sigp, size_t lenp)
458	0	{
459	0	struct sshbuf *b = NULL;
460	0	int ret = SSH_ERR_INTERNAL_ERROR;
461	0	size_t len;
462
463	0	if (lenp != NULL)
464	0	*lenp = 0;
465	0	if (sigp != NULL)
466	0	*sigp = NULL;
467
468		/* Encode signature */
469	0	if ((b = sshbuf_new()) == NULL) {
470	0	ret = SSH_ERR_ALLOC_FAIL;
471	0	goto out;
472	0	}
473	0	if ((ret = sshbuf_put_cstring(b,
474	0	ssh_rsa_hash_alg_ident(hash_alg))) != 0 \|\|
475	0	(ret = sshbuf_put_string(b, sig, slen)) != 0)
476	0	goto out;
477	0	len = sshbuf_len(b);
478
479		/* Store signature */
480	0	if (sigp != NULL) {
481	0	if ((*sigp = malloc(len)) == NULL) {
482	0	ret = SSH_ERR_ALLOC_FAIL;
483	0	goto out;
484	0	}
485	0	memcpy(*sigp, sshbuf_ptr(b), len);
486	0	}
487	0	if (lenp != NULL)
488	0	*lenp = len;
489	0	ret = 0;
490	0	out:
491	0	sshbuf_free(b);
492	0	return ret;
493	0	}
494
495		static int
496		ssh_rsa_verify(const struct sshkey *key,
497		const u_char *sig, size_t siglen,
498		const u_char data, size_t dlen, const char alg, u_int compat,
499		struct sshkey_sig_details **detailsp)
500	0	{
501	0	char *sigtype = NULL;
502	0	int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
503	0	size_t len = 0, diff, modlen, rsasize;
504	0	struct sshbuf *b = NULL;
505	0	u_char digest[SSH_DIGEST_MAX_LENGTH], osigblob, sigblob = NULL;
506
507	0	if (key == NULL \|\| key->pkey == NULL \|\|
508	0	sshkey_type_plain(key->type) != KEY_RSA \|\|
509	0	sig == NULL \|\| siglen == 0)
510	0	return SSH_ERR_INVALID_ARGUMENT;
511	0	if (EVP_PKEY_bits(key->pkey) < SSH_RSA_MINIMUM_MODULUS_SIZE)
512	0	return SSH_ERR_KEY_LENGTH;
513
514	0	if ((b = sshbuf_from(sig, siglen)) == NULL)
515	0	return SSH_ERR_ALLOC_FAIL;
516	0	if (sshbuf_get_cstring(b, &sigtype, NULL) != 0) {
517	0	ret = SSH_ERR_INVALID_FORMAT;
518	0	goto out;
519	0	}
520	0	if ((hash_alg = rsa_hash_id_from_ident(sigtype)) == -1) {
521	0	ret = SSH_ERR_KEY_TYPE_MISMATCH;
522	0	goto out;
523	0	}
524		/*
525		* Allow ssh-rsa-cert-v01 certs to generate SHA2 signatures for
526		* legacy reasons, but otherwise the signature type should match.
527		*/
528	0	if (alg != NULL && strcmp(alg, "ssh-rsa-cert-v01@openssh.com") != 0) {
529	0	if ((want_alg = ssh_rsa_hash_id_from_keyname(alg)) == -1) {
530	0	ret = SSH_ERR_INVALID_ARGUMENT;
531	0	goto out;
532	0	}
533	0	if (hash_alg != want_alg) {
534	0	ret = SSH_ERR_SIGNATURE_INVALID;
535	0	goto out;
536	0	}
537	0	}
538	0	if (sshbuf_get_string(b, &sigblob, &len) != 0) {
539	0	ret = SSH_ERR_INVALID_FORMAT;
540	0	goto out;
541	0	}
542	0	if (sshbuf_len(b) != 0) {
543	0	ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
544	0	goto out;
545	0	}
546		/* RSA_verify expects a signature of RSA_size */
547	0	modlen = EVP_PKEY_size(key->pkey);
548	0	if (len > modlen) {
549	0	ret = SSH_ERR_KEY_BITS_MISMATCH;
550	0	goto out;
551	0	} else if (len < modlen) {
552	0	diff = modlen - len;
553	0	osigblob = sigblob;
554	0	if ((sigblob = realloc(sigblob, modlen)) == NULL) {
555	0	sigblob = osigblob; /* put it back for clear/free */
556	0	ret = SSH_ERR_ALLOC_FAIL;
557	0	goto out;
558	0	}
559	0	memmove(sigblob + diff, sigblob, len);
560	0	explicit_bzero(sigblob, diff);
561	0	len = modlen;
562	0	}
563
564	0	rsasize = EVP_PKEY_size(key->pkey);
565	0	if (rsasize <= 0 \|\| rsasize > SSHBUF_MAX_BIGNUM \|\|
566	0	len == 0 \|\| len > rsasize) {
567	0	ret = SSH_ERR_INVALID_ARGUMENT;
568	0	goto out;
569	0	}
570	0	ret = sshkey_pkey_digest_verify(key->pkey, hash_alg, data, dlen,
571	0	sigblob, len);
572
573	0	out:
574	0	freezero(sigblob, len);
575	0	free(sigtype);
576	0	sshbuf_free(b);
577	0	explicit_bzero(digest, sizeof(digest));
578	0	return ret;
579	0	}
580
581		static const struct sshkey_impl_funcs sshkey_rsa_funcs = {
582		/* .size = */ ssh_rsa_size,
583		/* .alloc = */ ssh_rsa_alloc,
584		/* .cleanup = */ ssh_rsa_cleanup,
585		/* .equal = */ ssh_rsa_equal,
586		/* .ssh_serialize_public = */ ssh_rsa_serialize_public,
587		/* .ssh_deserialize_public = */ ssh_rsa_deserialize_public,
588		/* .ssh_serialize_private = */ ssh_rsa_serialize_private,
589		/* .ssh_deserialize_private = */ ssh_rsa_deserialize_private,
590		/* .generate = */ ssh_rsa_generate,
591		/* .copy_public = */ ssh_rsa_copy_public,
592		/* .sign = */ ssh_rsa_sign,
593		/* .verify = */ ssh_rsa_verify,
594		};
595
596		const struct sshkey_impl sshkey_rsa_impl = {
597		/* .name = */ "ssh-rsa",
598		/* .shortname = */ "RSA",
599		/* .sigalg = */ NULL,
600		/* .type = */ KEY_RSA,
601		/* .nid = */ 0,
602		/* .cert = */ 0,
603		/* .sigonly = */ 0,
604		/* .keybits = */ 0,
605		/* .funcs = */ &sshkey_rsa_funcs,
606		};
607
608		const struct sshkey_impl sshkey_rsa_cert_impl = {
609		/* .name = */ "ssh-rsa-cert-v01@openssh.com",
610		/* .shortname = */ "RSA-CERT",
611		/* .sigalg = */ NULL,
612		/* .type = */ KEY_RSA_CERT,
613		/* .nid = */ 0,
614		/* .cert = */ 1,
615		/* .sigonly = */ 0,
616		/* .keybits = */ 0,
617		/* .funcs = */ &sshkey_rsa_funcs,
618		};
619
620		/* SHA2 signature algorithms */
621
622		const struct sshkey_impl sshkey_rsa_sha256_impl = {
623		/* .name = */ "rsa-sha2-256",
624		/* .shortname = */ "RSA",
625		/* .sigalg = */ NULL,
626		/* .type = */ KEY_RSA,
627		/* .nid = */ 0,
628		/* .cert = */ 0,
629		/* .sigonly = */ 1,
630		/* .keybits = */ 0,
631		/* .funcs = */ &sshkey_rsa_funcs,
632		};
633
634		const struct sshkey_impl sshkey_rsa_sha512_impl = {
635		/* .name = */ "rsa-sha2-512",
636		/* .shortname = */ "RSA",
637		/* .sigalg = */ NULL,
638		/* .type = */ KEY_RSA,
639		/* .nid = */ 0,
640		/* .cert = */ 0,
641		/* .sigonly = */ 1,
642		/* .keybits = */ 0,
643		/* .funcs = */ &sshkey_rsa_funcs,
644		};
645
646		const struct sshkey_impl sshkey_rsa_sha256_cert_impl = {
647		/* .name = */ "rsa-sha2-256-cert-v01@openssh.com",
648		/* .shortname = */ "RSA-CERT",
649		/* .sigalg = */ "rsa-sha2-256",
650		/* .type = */ KEY_RSA_CERT,
651		/* .nid = */ 0,
652		/* .cert = */ 1,
653		/* .sigonly = */ 1,
654		/* .keybits = */ 0,
655		/* .funcs = */ &sshkey_rsa_funcs,
656		};
657
658		const struct sshkey_impl sshkey_rsa_sha512_cert_impl = {
659		/* .name = */ "rsa-sha2-512-cert-v01@openssh.com",
660		/* .shortname = */ "RSA-CERT",
661		/* .sigalg = */ "rsa-sha2-512",
662		/* .type = */ KEY_RSA_CERT,
663		/* .nid = */ 0,
664		/* .cert = */ 1,
665		/* .sigonly = */ 1,
666		/* .keybits = */ 0,
667		/* .funcs = */ &sshkey_rsa_funcs,
668		};
669		#endif /* WITH_OPENSSL */