int
kexgex_hash(
int hash_alg,
const char *client_version_string,
const char *server_version_string,
const u_char *ckexinit, size_t ckexinitlen,
const u_char *skexinit, size_t skexinitlen,
const u_char *serverhostkeyblob, size_t sbloblen,
int min, int wantbits, int max,
const BIGNUM *prime,
const BIGNUM *gen,
const BIGNUM *client_dh_pub,
const BIGNUM *server_dh_pub,
const BIGNUM *shared_secret,
u_char *hash, size_t *hashlen)
{
struct sshbuf *b;
int r;
if (*hashlen < ssh_digest_bytes(SSH_DIGEST_SHA1))
return SSH_ERR_INVALID_ARGUMENT;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
(r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
(r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
(r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
(r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
(min != -1 && (r = sshbuf_put_u32(b, min)) != 0) ||
(r = sshbuf_put_u32(b, wantbits)) != 0 ||
(max != -1 && (r = sshbuf_put_u32(b, max)) != 0) ||
(r = sshbuf_put_bignum2(b, prime)) != 0 ||
(r = sshbuf_put_bignum2(b, gen)) != 0 ||
(r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||
(r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||
(r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
sshbuf_free(b);
return r;
}
#ifdef DEBUG_KEXDH
sshbuf_dump(b, stderr);
#endif
if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
sshbuf_free(b);
return SSH_ERR_LIBCRYPTO_ERROR;
}
sshbuf_free(b);
*hashlen = ssh_digest_bytes(hash_alg);
#ifdef DEBUG_KEXDH
dump_digest("hash", hash, *hashlen);
#endif
return 0;
}
void
kexgex_hash(
int hash_alg,
char *client_version_string,
char *server_version_string,
char *ckexinit, int ckexinitlen,
char *skexinit, int skexinitlen,
u_char *serverhostkeyblob, int sbloblen,
int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
BIGNUM *client_dh_pub,
BIGNUM *server_dh_pub,
BIGNUM *shared_secret,
u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[SSH_DIGEST_MAX_LENGTH];
buffer_init(&b);
buffer_put_cstring(&b, client_version_string);
buffer_put_cstring(&b, server_version_string);
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
buffer_put_int(&b, ckexinitlen+1);
buffer_put_char(&b, SSH2_MSG_KEXINIT);
buffer_append(&b, ckexinit, ckexinitlen);
buffer_put_int(&b, skexinitlen+1);
buffer_put_char(&b, SSH2_MSG_KEXINIT);
buffer_append(&b, skexinit, skexinitlen);
buffer_put_string(&b, serverhostkeyblob, sbloblen);
if (min == -1 || max == -1)
buffer_put_int(&b, wantbits);
else {
buffer_put_int(&b, min);
buffer_put_int(&b, wantbits);
buffer_put_int(&b, max);
}
buffer_put_bignum2(&b, prime);
buffer_put_bignum2(&b, gen);
buffer_put_bignum2(&b, client_dh_pub);
buffer_put_bignum2(&b, server_dh_pub);
buffer_put_bignum2(&b, shared_secret);
#ifdef DEBUG_KEXDH
buffer_dump(&b);
#endif
if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0)
fatal("%s: ssh_digest_buffer failed", __func__);
buffer_free(&b);
#ifdef DEBUG_KEX
dump_digest("hash", digest, ssh_digest_bytes(hash_alg));
#endif
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
int
kex_ecdh_hash(
int hash_alg,
const EC_GROUP *ec_group,
const char *client_version_string,
const char *server_version_string,
const u_char *ckexinit, size_t ckexinitlen,
const u_char *skexinit, size_t skexinitlen,
const u_char *serverhostkeyblob, size_t sbloblen,
const EC_POINT *client_dh_pub,
const EC_POINT *server_dh_pub,
const BIGNUM *shared_secret,
u_char *hash, size_t *hashlen)
{
struct sshbuf *b;
int r;
if (*hashlen < ssh_digest_bytes(hash_alg))
return SSH_ERR_INVALID_ARGUMENT;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
(r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
(r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
(r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
(r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
(r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 ||
(r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 ||
(r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
sshbuf_free(b);
return r;
}
#ifdef DEBUG_KEX
sshbuf_dump(b, stderr);
#endif
if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {
sshbuf_free(b);
return SSH_ERR_LIBCRYPTO_ERROR;
}
sshbuf_free(b);
*hashlen = ssh_digest_bytes(hash_alg);
#ifdef DEBUG_KEX
dump_digest("hash", hash, *hashlen);
#endif
return 0;
}
void
derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
u_int8_t cookie[8], u_int8_t id[16])
{
u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
int len;
struct ssh_digest_ctx *hashctx;
if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL)
fatal("%s: ssh_digest_start", __func__);
len = BN_num_bytes(host_modulus);
if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad host modulus (len %d)", __func__, len);
BN_bn2bin(host_modulus, nbuf);
if (ssh_digest_update(hashctx, nbuf, len) != 0)
fatal("%s: ssh_digest_update failed", __func__);
len = BN_num_bytes(server_modulus);
if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
fatal("%s: bad server modulus (len %d)", __func__, len);
BN_bn2bin(server_modulus, nbuf);
if (ssh_digest_update(hashctx, nbuf, len) != 0 ||
ssh_digest_update(hashctx, cookie, 8) != 0)
fatal("%s: ssh_digest_update failed", __func__);
if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0)
fatal("%s: ssh_digest_final failed", __func__);
memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
explicit_bzero(nbuf, sizeof(nbuf));
explicit_bzero(obuf, sizeof(obuf));
}
int
derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
u_int8_t cookie[8], u_int8_t id[16])
{
u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];
struct ssh_digest_ctx *hashctx = NULL;
size_t len;
int r;
len = BN_num_bytes(host_modulus);
if (len < (512 / 8) || (u_int)len > sizeof(nbuf))
return SSH_ERR_KEY_BITS_MISMATCH;
if (BN_bn2bin(host_modulus, nbuf) <= 0 ||
(hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
ssh_digest_update(hashctx, nbuf, len) != 0 ||
ssh_digest_update(hashctx, cookie, 8) != 0 ||
ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
r = 0;
out:
ssh_digest_free(hashctx);
explicit_bzero(nbuf, sizeof(nbuf));
explicit_bzero(obuf, sizeof(obuf));
return r;
}
static void
roaming_auth_required(void)
{
u_char digest[SSH_DIGEST_MAX_LENGTH];
Buffer b;
u_int64_t chall, oldchall;
chall = packet_get_int64();
oldchall = packet_get_int64();
if (oldchall != lastseenchall) {
key1 = oldkey1;
key2 = oldkey2;
}
lastseenchall = chall;
buffer_init(&b);
buffer_put_int64(&b, cookie);
buffer_put_int64(&b, chall);
if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0)
fatal("%s: ssh_digest_buffer failed", __func__);
buffer_free(&b);
packet_start(SSH2_MSG_KEX_ROAMING_AUTH);
packet_put_int64(key1 ^ get_recv_bytes());
packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1));
packet_send();
oldkey1 = key1;
oldkey2 = key2;
calculate_new_key(&key1, cookie, chall);
calculate_new_key(&key2, cookie, chall);
debug("Received %llu bytes", (unsigned long long)get_recv_bytes());
debug("Sent roaming_auth packet");
}
void
kex_c25519_hash(
int hash_alg,
char *client_version_string,
char *server_version_string,
char *ckexinit, int ckexinitlen,
char *skexinit, int skexinitlen,
u_char *serverhostkeyblob, int sbloblen,
const u_char client_dh_pub[CURVE25519_SIZE],
const u_char server_dh_pub[CURVE25519_SIZE],
const u_char *shared_secret, u_int secretlen,
u_char **hash, u_int *hashlen)
{
Buffer b;
static u_char digest[SSH_DIGEST_MAX_LENGTH];
buffer_init(&b);
buffer_put_cstring(&b, client_version_string);
buffer_put_cstring(&b, server_version_string);
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
buffer_put_int(&b, ckexinitlen+1);
buffer_put_char(&b, SSH2_MSG_KEXINIT);
buffer_append(&b, ckexinit, ckexinitlen);
buffer_put_int(&b, skexinitlen+1);
buffer_put_char(&b, SSH2_MSG_KEXINIT);
buffer_append(&b, skexinit, skexinitlen);
buffer_put_string(&b, serverhostkeyblob, sbloblen);
buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE);
buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE);
buffer_append(&b, shared_secret, secretlen);
#ifdef DEBUG_KEX
buffer_dump(&b);
#endif
if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0)
fatal("%s: digest_buffer failed", __func__);
buffer_free(&b);
#ifdef DEBUG_KEX
dump_digest("hash", digest, ssh_digest_bytes(hash_alg));
#endif
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
int
ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
{
ECDSA_SIG *sig;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH];
u_int len, dlen;
Buffer b, bb;
if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
key->ecdsa == NULL) {
error("%s: no ECDSA key", __func__);
return -1;
}
hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
}
sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
explicit_bzero(digest, sizeof(digest));
if (sig == NULL) {
error("%s: sign failed", __func__);
return -1;
}
buffer_init(&bb);
buffer_put_bignum2(&bb, sig->r);
buffer_put_bignum2(&bb, sig->s);
ECDSA_SIG_free(sig);
buffer_init(&b);
buffer_put_cstring(&b, key_ssh_name_plain(key));
buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb));
buffer_free(&bb);
len = buffer_len(&b);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
}
buffer_free(&b);
return 0;
}
static u_char *
derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
const u_char *shared_secret, u_int slen)
{
Buffer b;
struct ssh_digest_ctx *hashctx;
char c = id;
u_int have;
size_t mdsz;
u_char *digest;
if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
fatal("bad kex md size %zu", mdsz);
digest = xmalloc(roundup(need, mdsz));
buffer_init(&b);
buffer_append(&b, shared_secret, slen);
/* K1 = HASH(K || H || "A" || session_id) */
if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL)
fatal("%s: ssh_digest_start failed", __func__);
if (ssh_digest_update_buffer(hashctx, &b) != 0 ||
ssh_digest_update(hashctx, hash, hashlen) != 0 ||
ssh_digest_update(hashctx, &c, 1) != 0 ||
ssh_digest_update(hashctx, kex->session_id,
kex->session_id_len) != 0)
fatal("%s: ssh_digest_update failed", __func__);
if (ssh_digest_final(hashctx, digest, mdsz) != 0)
fatal("%s: ssh_digest_final failed", __func__);
ssh_digest_free(hashctx);
/*
* expand key:
* Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
* Key = K1 || K2 || ... || Kn
*/
for (have = mdsz; need > have; have += mdsz) {
if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL)
fatal("%s: ssh_digest_start failed", __func__);
if (ssh_digest_update_buffer(hashctx, &b) != 0 ||
ssh_digest_update(hashctx, hash, hashlen) != 0 ||
ssh_digest_update(hashctx, digest, have) != 0)
fatal("%s: ssh_digest_update failed", __func__);
if (ssh_digest_final(hashctx, digest + have, mdsz) != 0)
fatal("%s: ssh_digest_final failed", __func__);
ssh_digest_free(hashctx);
}
buffer_free(&b);
#ifdef DEBUG_KEX
fprintf(stderr, "key '%c'== ", c);
dump_digest("key", digest, need);
#endif
return digest;
}
static int
openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
u_char *sigbuf, size_t siglen, RSA *rsa)
{
size_t rsasize = 0, oidlen = 0, hlen = 0;
int ret, len, oidmatch, hashmatch;
const u_char *oid = NULL;
u_char *decrypted = NULL;
if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
return ret;
ret = SSH_ERR_INTERNAL_ERROR;
hlen = ssh_digest_bytes(hash_alg);
if (hashlen != hlen) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
rsasize = RSA_size(rsa);
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
siglen == 0 || siglen > rsasize) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
if ((decrypted = malloc(rsasize)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
RSA_PKCS1_PADDING)) < 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto done;
}
if (len < 0 || (size_t)len != hlen + oidlen) {
ret = SSH_ERR_INVALID_FORMAT;
goto done;
}
oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
if (!oidmatch || !hashmatch) {
ret = SSH_ERR_SIGNATURE_INVALID;
goto done;
}
ret = 0;
done:
if (decrypted) {
explicit_bzero(decrypted, rsasize);
free(decrypted);
}
return ret;
}
int
kex_dh_hash(
const char *client_version_string,
const char *server_version_string,
const u_char *ckexinit, size_t ckexinitlen,
const u_char *skexinit, size_t skexinitlen,
const u_char *serverhostkeyblob, size_t sbloblen,
const BIGNUM *client_dh_pub,
const BIGNUM *server_dh_pub,
const BIGNUM *shared_secret,
u_char **hash, size_t *hashlen)
{
struct sshbuf *b;
static u_char digest[SSH_DIGEST_MAX_LENGTH];
int r;
if ((b = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||
(r = sshbuf_put_cstring(b, server_version_string)) != 0 ||
/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */
(r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||
(r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||
(r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||
(r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||
(r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||
(r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||
(r = sshbuf_put_bignum2(b, shared_secret)) != 0) {
sshbuf_free(b);
return r;
}
#ifdef DEBUG_KEX
sshbuf_dump(b, stderr);
#endif
if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, digest, sizeof(digest)) != 0) {
sshbuf_free(b);
return SSH_ERR_LIBCRYPTO_ERROR;
}
sshbuf_free(b);
*hash = digest;
*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
#ifdef DEBUG_KEX
dump_digest("hash", digest, *hashlen);
#endif
return 0;
}
int
ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
{
size_t len;
len = ssh_digest_bytes(ctx->alg);
if (dlen < len ||
ssh_digest_final(ctx->digest, ctx->buf, len))
return -1;
/* switch to octx */
if (ssh_digest_copy_state(ctx->octx, ctx->digest) < 0 ||
ssh_digest_update(ctx->digest, ctx->buf, len) < 0 ||
ssh_digest_final(ctx->digest, d, dlen) < 0)
return -1;
return 0;
}
static double
user_specific_delay(const char *user)
{
char b[512];
size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
u_char *hash = xmalloc(len);
double delay;
(void)snprintf(b, sizeof b, "%llu%s",
(unsigned long long)options.timing_secret, user);
if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
fatal("%s: ssh_digest_memory", __func__);
/* 0-4.2 ms of delay */
delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
freezero(hash, len);
debug3("%s: user specific delay %0.3lfms", __func__, delay/1000);
return MIN_FAIL_DELAY_SECONDS + delay;
}
/*
* Caclulate a new key after a reconnect
*/
void
calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
{
u_char hash[SSH_DIGEST_MAX_LENGTH];
Buffer b;
buffer_init(&b);
buffer_put_int64(&b, *key);
buffer_put_int64(&b, cookie);
buffer_put_int64(&b, challenge);
if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0)
fatal("%s: digest_buffer failed", __func__);
buffer_clear(&b);
buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
*key = buffer_get_int64(&b);
buffer_free(&b);
}
/*
* Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
* with digest via 'digestp' (caller to free) and length via 'lenp'.
* Returns -1 on failure.
*/
int
hash_buffer(const u_char *buf, u_int len, int hash_alg,
u_char **digestp, u_int *lenp)
{
u_char digest[SSH_DIGEST_MAX_LENGTH];
u_int digest_len = ssh_digest_bytes(hash_alg);
if (digest_len == 0) {
error("%s: invalid hash", __func__);
return -1;
}
if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
}
*digestp = xmalloc(digest_len);
*lenp = digest_len;
memcpy(*digestp, digest, *lenp);
bzero(digest, sizeof(digest));
digest_len = 0;
return 0;
}
char *
host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
{
struct ssh_hmac_ctx *ctx;
u_char salt[256], result[256];
char uu_salt[512], uu_result[512];
static char encoded[1024];
u_int i, len;
len = ssh_digest_bytes(SSH_DIGEST_SHA1);
if (name_from_hostfile == NULL) {
/* Create new salt */
for (i = 0; i < len; i++)
salt[i] = arc4random();
} else {
/* Extract salt from known host entry */
if (extract_salt(name_from_hostfile, src_len, salt,
sizeof(salt)) == -1)
return (NULL);
}
if ((ctx = ssh_hmac_start(SSH_DIGEST_SHA1)) == NULL ||
ssh_hmac_init(ctx, salt, len) < 0 ||
ssh_hmac_update(ctx, host, strlen(host)) < 0 ||
ssh_hmac_final(ctx, result, sizeof(result)))
fatal("%s: ssh_hmac failed", __func__);
ssh_hmac_free(ctx);
if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
__b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
fatal("%s: __b64_ntop failed", __func__);
snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
HASH_DELIM, uu_result);
return (encoded);
}
/*
* Caclulate a new key after a reconnect
*/
void
calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge)
{
u_char hash[SSH_DIGEST_MAX_LENGTH];
struct sshbuf *b;
int r;
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_u64(b, *key)) != 0 ||
(r = sshbuf_put_u64(b, cookie)) != 0 ||
(r = sshbuf_put_u64(b, challenge)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, hash, sizeof(hash)) != 0)
fatal("%s: digest_buffer failed", __func__);
sshbuf_reset(b);
if ((r = sshbuf_put(b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1))) != 0 ||
(r = sshbuf_get_u64(b, key)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
sshbuf_free(b);
}
static void
input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt)
{
#define u2f_bounds_check(necessary_bytes) do { \
if (restlen < necessary_bytes) { \
logit("U2F response too short: need %d bytes, but only %d remaining", \
necessary_bytes, restlen); \
goto out; \
} \
} while (0)
#define u2f_advance(parsed_bytes) do { \
int advance = parsed_bytes; \
walk += advance; \
restlen -= advance; \
} while (0)
Authctxt *authctxt = ctxt;
char *response, *regdata, *clientdata;
u_char *decoded = NULL;
u_char *walk = NULL;
u_char *keyhandle = NULL;
u_char *pubkey = NULL;
u_char *signature = NULL;
u_char *dummy = NULL;
u_char *cdecoded = NULL;
X509 *x509;
EVP_MD_CTX mdctx;
int restlen;
int khlen;
int cdecodedlen;
int err;
char errorbuf[4096];
u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];
authctxt->postponed = 0;
response = packet_get_string(NULL);
packet_check_eom();
if ((regdata = extract_json_string(response, "registrationData")) == NULL) {
logit("Response not JSON, or does not contain \"registrationData\"");
goto out;
}
decoded = xmalloc(strlen(regdata) * 3 / 4);
restlen = urlsafe_base64_decode(regdata, decoded, strlen(regdata) * 3 / 4);
walk = decoded;
// Header (magic byte)
u2f_bounds_check(1);
if (walk[0] != 0x05) {
logit("U2F response does not start with magic byte 0x05");
goto out;
}
u2f_advance(1);
// Length of the public key
u2f_bounds_check(u2f_pubkey_len);
pubkey = walk;
u2f_advance(u2f_pubkey_len);
// Length of the key handle
u2f_bounds_check(1);
khlen = walk[0];
u2f_advance(1);
// Key handle
u2f_bounds_check(khlen);
keyhandle = walk;
u2f_advance(khlen);
// Attestation certificate
u2f_bounds_check(1);
signature = walk;
if ((x509 = d2i_X509(NULL, &signature, restlen)) == NULL) {
logit("U2F response contains an invalid attestation certificate.");
goto out;
}
// U2F dictates that the length of the certificate should be determined by
// encoding the certificate using DER.
u2f_advance(i2d_X509(x509, &dummy));
free(dummy);
// Ensure we have at least one byte of signature.
u2f_bounds_check(1);
if ((clientdata = extract_json_string(response, "clientData")) == NULL) {
logit("U2F response JSON lacks the \"clientData\" key.");
goto out;
}
cdecoded = xmalloc(strlen(clientdata) * 3 / 4);
cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4);
EVP_PKEY *pkey = X509_get_pubkey(x509);
if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {
ERR_error_string(ERR_get_error(), errorbuf);
fatal("EVP_VerifyInit() failed: %s (reason: %s)",
errorbuf, ERR_reason_error_string(err));
}
EVP_VerifyUpdate(&mdctx, "\0", 1);
u2f_sha256(digest, appid, strlen(appid));
EVP_VerifyUpdate(&mdctx, digest, sizeof(digest));
u2f_sha256(digest, cdecoded, cdecodedlen);
EVP_VerifyUpdate(&mdctx, digest, sizeof(digest));
EVP_VerifyUpdate(&mdctx, keyhandle, khlen);
EVP_VerifyUpdate(&mdctx, pubkey, u2f_pubkey_len);
if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) {
ERR_error_string(ERR_get_error(), errorbuf);
logit("Verifying the U2F registration signature failed: %s (reason: %s)",
errorbuf, ERR_reason_error_string(err));
goto out;
}
EVP_PKEY_free(pkey);
{
char *authorizedkey;
char key[u2f_pubkey_len + khlen];
char key64[((sizeof(key)+2)/3)*4 + 1];
memcpy(key, pubkey, u2f_pubkey_len);
memcpy(key+u2f_pubkey_len, keyhandle, khlen);
if (b64_ntop(key, sizeof(key), key64, sizeof(key64)) == -1)
fatal("b64_ntop()");
xasprintf(&authorizedkey, "ssh-u2f %s", key64);
packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
packet_put_cstring(authorizedkey);
packet_send();
free(authorizedkey);
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
}
out:
free(decoded);
userauth_finish(authctxt, 0, "u2f", NULL);
return;
#undef u2f_bounds_check
#undef u2f_advance
}
void u2f_sha256(u_char *dest, u_char *src, size_t srclen) {
struct ssh_digest_ctx *ctx = ssh_digest_start(SSH_DIGEST_SHA256);
ssh_digest_update(ctx, src, srclen);
ssh_digest_final(ctx, dest, ssh_digest_bytes(SSH_DIGEST_SHA256));
}
static int
derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
const u_char *shared_secret, u_int slen, u_char **keyp)
{
struct kex *kex = ssh->kex;
struct sshbuf *b = NULL;
struct ssh_digest_ctx *hashctx = NULL;
char c = id;
u_int have;
size_t mdsz;
u_char *digest;
int r;
if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)
return SSH_ERR_INVALID_ARGUMENT;
if ((digest = calloc(1, roundup(need, mdsz))) == NULL ||
(b = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_put(b, shared_secret, slen)) < 0)
goto out;
/* K1 = HASH(K || H || "A" || session_id) */
if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
ssh_digest_update_buffer(hashctx, b) != 0 ||
ssh_digest_update(hashctx, hash, hashlen) != 0 ||
ssh_digest_update(hashctx, &c, 1) != 0 ||
ssh_digest_update(hashctx, kex->session_id,
kex->session_id_len) != 0 ||
ssh_digest_final(hashctx, digest, mdsz) != 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
ssh_digest_free(hashctx);
hashctx = NULL;
/*
* expand key:
* Kn = HASH(K || H || K1 || K2 || ... || Kn-1)
* Key = K1 || K2 || ... || Kn
*/
for (have = mdsz; need > have; have += mdsz) {
if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||
ssh_digest_update_buffer(hashctx, b) != 0 ||
ssh_digest_update(hashctx, hash, hashlen) != 0 ||
ssh_digest_update(hashctx, digest, have) != 0 ||
ssh_digest_final(hashctx, digest + have, mdsz) != 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
ssh_digest_free(hashctx);
hashctx = NULL;
}
#ifdef DEBUG_KEX
fprintf(stderr, "key '%c'== ", c);
dump_digest("key", digest, need);
#endif
*keyp = digest;
digest = NULL;
r = 0;
out:
if (digest)
free(digest);
if (b)
sshbuf_free(b);
ssh_digest_free(hashctx);
return r;
}
int
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
DSA_SIG *sig = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
struct sshbuf *b = NULL;
int ret = SSH_ERR_INVALID_ARGUMENT;
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
rlen = BN_num_bytes(sig->r);
slen = BN_num_bytes(sig->s);
if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
explicit_bzero(sigblob, SIGBLOB_LEN);
BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen);
if (compat & SSH_BUG_SIGBLOB) {
if (sigp != NULL) {
if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sigblob, SIGBLOB_LEN);
}
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
ret = 0;
} else {
/* ietf-drafts */
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 ||
(ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
ret = 0;
}
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
sshbuf_free(b);
return ret;
}
int
ssh_dss_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
DSA_SIG *sig = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen == 0)
return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
if (compat & SSH_BUG_SIGBLOB) {
if ((sigblob = malloc(signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
memcpy(sigblob, signature, signaturelen);
len = signaturelen;
} else {
/* ietf-drafts */
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (strcmp("ssh-dss", ktype) != 0) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
}
if (len != SIGBLOB_LEN) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
/* parse signature */
if ((sig = DSA_SIG_new()) == NULL ||
(sig->r = BN_new()) == NULL ||
(sig->s = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
/* sha1 the data */
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
sshbuf_free(b);
free(ktype);
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
}
return ret;
}
/* ARGSUSED */
int
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
ECDSA_SIG *sig = NULL;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH];
size_t len, dlen;
struct sshbuf *b = NULL, *bb = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;
if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;
if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
(dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
(ret = sshbuf_put_bignum2(bb, sig->s)) != 0)
goto out;
if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
(ret = sshbuf_put_stringb(b, bb)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
if (b != NULL)
sshbuf_free(b);
if (bb != NULL)
sshbuf_free(bb);
if (sig != NULL)
ECDSA_SIG_free(sig);
return ret;
}
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, const char *alg_ident)
{
u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
size_t slen;
u_int dlen, len;
int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;
if (alg_ident == NULL || strlen(alg_ident) == 0 ||
strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0)
hash_alg = SSH_DIGEST_SHA1;
else
hash_alg = rsa_hash_alg_from_ident(alg_ident);
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
sshkey_type_plain(key->type) != KEY_RSA ||
BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_INVALID_ARGUMENT;
slen = RSA_size(key->rsa);
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
return SSH_ERR_INVALID_ARGUMENT;
/* hash the data */
nid = rsa_hash_alg_nid(hash_alg);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
if ((sig = malloc(slen)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (len < slen) {
size_t diff = slen - len;
memmove(sig + diff, sig, len);
explicit_bzero(sig, diff);
} else if (len > slen) {
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
/* encode signature */
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 ||
(ret = sshbuf_put_string(b, sig, slen)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL) {
explicit_bzero(sig, slen);
free(sig);
}
sshbuf_free(b);
return ret;
}
int
ssh_rsa_verify(const struct sshkey *key,
const u_char *sig, size_t siglen, const u_char *data, size_t datalen)
{
char *ktype = NULL;
int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
size_t len, diff, modlen, dlen;
struct sshbuf *b = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
if (key == NULL || key->rsa == NULL ||
sshkey_type_plain(key->type) != KEY_RSA ||
BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE ||
sig == NULL || siglen == 0)
return SSH_ERR_INVALID_ARGUMENT;
if ((b = sshbuf_from(sig, siglen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
/* RSA_verify expects a signature of RSA_size */
modlen = RSA_size(key->rsa);
if (len > modlen) {
ret = SSH_ERR_KEY_BITS_MISMATCH;
goto out;
} else if (len < modlen) {
diff = modlen - len;
osigblob = sigblob;
if ((sigblob = realloc(sigblob, modlen)) == NULL) {
sigblob = osigblob; /* put it back for clear/free */
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memmove(sigblob + diff, sigblob, len);
explicit_bzero(sigblob, diff);
len = modlen;
}
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
key->rsa);
out:
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
}
free(ktype);
sshbuf_free(b);
explicit_bzero(digest, sizeof(digest));
return ret;
}
size_t
ssh_hmac_bytes(int alg)
{
return ssh_digest_bytes(alg);
}
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
size_t slen;
u_int dlen, len;
int nid, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;
if (key == NULL || key->rsa == NULL ||
sshkey_type_plain(key->type) != KEY_RSA)
return SSH_ERR_INVALID_ARGUMENT;
slen = RSA_size(key->rsa);
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
return SSH_ERR_INVALID_ARGUMENT;
/* hash the data */
hash_alg = SSH_DIGEST_SHA1;
nid = NID_sha1;
if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
if ((sig = malloc(slen)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (len < slen) {
size_t diff = slen - len;
memmove(sig + diff, sig, len);
explicit_bzero(sig, diff);
} else if (len > slen) {
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
/* encode signature */
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 ||
(ret = sshbuf_put_string(b, sig, slen)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL) {
explicit_bzero(sig, slen);
free(sig);
}
if (b != NULL)
sshbuf_free(b);
return ret;
}
// TODO: can we send multiple authrequests at the same time, so that we don’t
// need multiple round-trips but still support multiple security keys
static void
input_userauth_u2f_info_response(int type, u_int32_t seq, void *ctxt)
{
int authenticated = 0;
Authctxt *authctxt = ctxt;
u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];
debug("input_userauth_u2f_info_response\n");
u_int len;
char *clientdata;
u_char *cdecoded;
int cdecodedlen;
char *resp = packet_get_string(&len);
debug("u2f resp len (server): %d\n", len);
debug("u2f resp (server): %s\n", resp);
packet_check_eom();
char *sig = extract_json_string(resp, "signatureData");
if (sig == NULL)
fatal("could not extract signature");
// TODO: free sig
debug("signature is *%s*", sig);
if (*sig == '\0')
fatal("u2f authentication failed: empty signature. Probably the key is not registered (i.e. your key handle/pubkey do not exist on the key you are using)");
// TODO: is there a macro for this size?
u_char decoded[strlen(sig) * 3 / 4];
int decodedlen = urlsafe_base64_decode(sig, decoded, sizeof(decoded));
// Ensure that the user presence byte, the counter and at least one byte of
// signature are present.
if (decodedlen <= (sizeof(u_char) + sizeof(u_int32_t)))
fatal("decoded signature too short");
if ((decoded[0] & 0x01) != 0x01)
fatal("user presence bit not set");
u_int32_t counter = ntohl(*((u_int32_t*)&decoded[1]));
debug("usage counter = %d\n", counter);
struct sha_digest_ctx *sha256ctx = ssh_digest_start(SSH_DIGEST_SHA256);
u2f_sha256(digest, appid, strlen(appid));
ssh_digest_update(sha256ctx, digest, sizeof(digest));
ssh_digest_update(sha256ctx, decoded, sizeof(u_char));
ssh_digest_update(sha256ctx, decoded+1, 4 * sizeof(u_char));
if ((clientdata = extract_json_string(resp, "clientData")) == NULL) {
fatal("U2F response JSON lacks the \"clientData\" key.");
}
cdecoded = xmalloc(strlen(clientdata) * 3 / 4);
cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4);
u2f_sha256(digest, cdecoded, cdecodedlen);
ssh_digest_update(sha256ctx, digest, sizeof(digest));
ssh_digest_final(sha256ctx, digest, sizeof(digest));
debug("hashed sig");
authenticated = PRIVSEP(verify_u2f_user(
authctxt->u2f_key, digest, sizeof(digest), decoded+5, decodedlen-5));
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
userauth_finish(authctxt, authenticated, "u2f", NULL);
}
int
ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
{
ECDSA_SIG *sig;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
u_int len, dlen;
int rlen, ret;
Buffer b, bb;
char *ktype;
if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
key->ecdsa == NULL) {
error("%s: no ECDSA key", __func__);
return -1;
}
/* fetch signature */
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_string(&b, NULL);
if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
error("%s: cannot handle type %s", __func__, ktype);
buffer_free(&b);
free(ktype);
return -1;
}
free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
free(sigblob);
return -1;
}
/* parse signature */
if ((sig = ECDSA_SIG_new()) == NULL)
fatal("%s: ECDSA_SIG_new failed", __func__);
buffer_init(&bb);
buffer_append(&bb, sigblob, len);
buffer_get_bignum2(&bb, sig->r);
buffer_get_bignum2(&bb, sig->s);
if (buffer_len(&bb) != 0)
fatal("%s: remaining bytes in inner sigblob", __func__);
buffer_free(&bb);
/* clean up */
explicit_bzero(sigblob, len);
free(sigblob);
/* hash the data */
hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
}
ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
explicit_bzero(digest, sizeof(digest));
ECDSA_SIG_free(sig);
debug("%s: signature %s", __func__,
ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
return ret;
}
/* ARGSUSED */
int
ssh_ecdsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
ECDSA_SIG *sig = NULL;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH];
size_t dlen;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL, *sigbuf = NULL;
char *ktype = NULL;
if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;
if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
(dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_froms(b, &sigbuf) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
/* parse signature */
if ((sig = ECDSA_SIG_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
sshbuf_get_bignum2(sigbuf, sig->s) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (sshbuf_len(sigbuf) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;
switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
out:
explicit_bzero(digest, sizeof(digest));
if (sigbuf != NULL)
sshbuf_free(sigbuf);
if (b != NULL)
sshbuf_free(b);
if (sig != NULL)
ECDSA_SIG_free(sig);
free(ktype);
return ret;
}
