int
sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp)
{
u_int32_t len;
const u_char *p = sshbuf_ptr(buf), *z;
int r;
if (sshbuf_len(buf) < 4) {
SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
return SSH_ERR_MESSAGE_INCOMPLETE;
}
len = PEEK_U32(p);
if (sshbuf_len(buf) < (size_t)len + 4) {
SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
return SSH_ERR_MESSAGE_INCOMPLETE;
}
/* Allow a \0 only at the end of the string */
if ((z = memchr(p + 4, '\0', len)) != NULL && z < p + 4 + len - 1) {
SSHBUF_DBG(("SSH_ERR_INVALID_FORMAT"));
return SSH_ERR_INVALID_FORMAT;
}
if ((r = sshbuf_consume(buf, 4 + (size_t)len)) < 0)
return -1;
if (valp != NULL) {
if ((*valp = malloc(len + 1)) == NULL) {
SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
return SSH_ERR_ALLOC_FAIL;
}
memcpy(*valp, p + 4, len);
(*valp)[len] = '\0';
}
if (lenp != NULL)
*lenp = (size_t)len;
return 0;
}
int
sshkey_xmss_forward_state(const struct sshkey *k, u_int32_t reserve)
{
struct ssh_xmss_state *state = k->xmss_state;
u_char *sig = NULL;
size_t required_siglen;
unsigned long long smlen;
u_char data;
int ret, r;
if (state == NULL || !state->allow_update)
return SSH_ERR_INVALID_ARGUMENT;
if (reserve == 0)
return SSH_ERR_INVALID_ARGUMENT;
if (state->idx + reserve <= state->idx)
return SSH_ERR_INVALID_ARGUMENT;
if ((r = sshkey_xmss_siglen(k, &required_siglen)) != 0)
return r;
if ((sig = malloc(required_siglen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
while (reserve-- > 0) {
state->idx = PEEK_U32(k->xmss_sk);
smlen = required_siglen;
if ((ret = xmss_sign(k->xmss_sk, sshkey_xmss_bds_state(k),
sig, &smlen, &data, 0, sshkey_xmss_params(k))) != 0) {
r = SSH_ERR_INVALID_ARGUMENT;
break;
}
}
free(sig);
return r;
}
int
sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
size_t *lenp)
{
u_int32_t len;
const u_char *p = sshbuf_ptr(buf);
if (valp != NULL)
*valp = NULL;
if (lenp != NULL)
*lenp = 0;
if (sshbuf_len(buf) < 4) {
SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
return SSH_ERR_MESSAGE_INCOMPLETE;
}
len = PEEK_U32(p);
if (len > SSHBUF_SIZE_MAX - 4) {
SSHBUF_DBG(("SSH_ERR_STRING_TOO_LARGE"));
return SSH_ERR_STRING_TOO_LARGE;
}
if (sshbuf_len(buf) - 4 < len) {
SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
return SSH_ERR_MESSAGE_INCOMPLETE;
}
if (valp != 0)
*valp = p + 4;
if (lenp != NULL)
*lenp = len;
return 0;
}
static int
recv_msg(struct sshbuf *m)
{
u_int l, len;
u_char c, buf[1024];
int r;
if ((len = atomicio(read, fd, buf, 4)) != 4) {
error("read from helper failed: %u", len);
return (0); /* XXX */
}
len = PEEK_U32(buf);
if (len > 256 * 1024)
fatal("response too long: %u", len);
/* read len bytes into m */
sshbuf_reset(m);
while (len > 0) {
l = len;
if (l > sizeof(buf))
l = sizeof(buf);
if (atomicio(read, fd, buf, l) != l) {
error("response from helper failed.");
return (0); /* XXX */
}
if ((r = sshbuf_put(m, buf, l)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
len -= l;
}
if ((r = sshbuf_get_u8(m, &c)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
return c;
}
int
sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp)
{
const u_char *p = sshbuf_ptr(buf);
int r;
if ((r = sshbuf_consume(buf, 4)) < 0)
return r;
if (valp != NULL)
*valp = PEEK_U32(p);
return 0;
}
/* Extract the packet length, including any decryption necessary beforehand */
int
cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
const u_char *cp, u_int len)
{
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
cp, len);
if (len < 4)
return SSH_ERR_MESSAGE_INCOMPLETE;
*plenp = PEEK_U32(cp);
return 0;
}
/* Decrypt and extract the encrypted packet length */
int
chachapoly_get_length(struct chachapoly_ctx *ctx,
u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
{
u_char buf[4], seqbuf[8];
if (len < 4)
return SSH_ERR_MESSAGE_INCOMPLETE;
POKE_U64(seqbuf, seqnr);
chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
*plenp = PEEK_U32(buf);
return 0;
}
u_int32_t
sshkey_xmss_signatures_left(const struct sshkey *k)
{
struct ssh_xmss_state *state = k->xmss_state;
u_int32_t idx;
if (sshkey_type_plain(k->type) == KEY_XMSS && state &&
state->maxidx) {
idx = k->xmss_sk ? PEEK_U32(k->xmss_sk) : state->idx;
if (idx < state->maxidx)
return state->maxidx - idx;
}
return 0;
}
int
sshkey_xmss_get_state_from_file(struct sshkey *k, const char *filename,
int *have_file, sshkey_printfn *pr)
{
struct sshbuf *b = NULL, *enc = NULL;
int ret = SSH_ERR_SYSTEM_ERROR, r, fd = -1;
u_int32_t len;
unsigned char buf[4], *data = NULL;
*have_file = 0;
if ((fd = open(filename, O_RDONLY)) >= 0) {
*have_file = 1;
if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
PRINT("%s: corrupt state file: %s", __func__, filename);
goto done;
}
len = PEEK_U32(buf);
if ((data = calloc(len, 1)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
if (atomicio(read, fd, data, len) != len) {
PRINT("%s: cannot read blob: %s", __func__, filename);
goto done;
}
if ((enc = sshbuf_from(data, len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
sshkey_xmss_free_bds(k);
if ((r = sshkey_xmss_decrypt_state(k, enc, &b)) != 0) {
ret = r;
goto done;
}
if ((r = sshkey_xmss_deserialize_state(k, b)) != 0) {
ret = r;
goto done;
}
ret = 0;
}
done:
if (fd != -1)
close(fd);
free(data);
sshbuf_free(enc);
sshbuf_free(b);
return ret;
}
static double
user_specific_delay(const char *user)
{
char b[512];
size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
u_char *hash = xmalloc(len);
double delay;
(void)snprintf(b, sizeof b, "%llu%s",
(unsigned long long)options.timing_secret, user);
if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
fatal("%s: ssh_digest_memory", __func__);
/* 0-4.2 ms of delay */
delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
freezero(hash, len);
debug3("%s: user specific delay %0.3lfms", __func__, delay/1000);
return MIN_FAIL_DELAY_SECONDS + delay;
}
int
sshkey_xmss_serialize_pk_info(const struct sshkey *k, struct sshbuf *b,
enum sshkey_serialize_rep opts)
{
struct ssh_xmss_state *state = k->xmss_state;
u_char have_info = 1;
u_int32_t idx;
int r;
if (state == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if (opts != SSHKEY_SERIALIZE_INFO)
return 0;
idx = k->xmss_sk ? PEEK_U32(k->xmss_sk) : state->idx;
if ((r = sshbuf_put_u8(b, have_info)) != 0 ||
(r = sshbuf_put_u32(b, idx)) != 0 ||
(r = sshbuf_put_u32(b, state->maxidx)) != 0)
return r;
return 0;
}
void
sshbuf_misc_tests(void)
{
struct sshbuf *p1;
char tmp[512], *p;
FILE *out;
size_t sz;
TEST_START("sshbuf_dump");
out = tmpfile();
ASSERT_PTR_NE(out, NULL);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), 0);
sshbuf_dump(p1, out);
fflush(out);
rewind(out);
sz = fread(tmp, 1, sizeof(tmp), out);
ASSERT_INT_EQ(ferror(out), 0);
ASSERT_INT_NE(feof(out), 0);
ASSERT_SIZE_T_GT(sz, 0);
tmp[sz] = '\0';
ASSERT_PTR_NE(strstr(tmp, "12 34 56 78"), NULL);
fclose(out);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_dtob16");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), 0);
p = sshbuf_dtob16(p1);
ASSERT_PTR_NE(p, NULL);
ASSERT_STRING_EQ(p, "12345678");
free(p);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_dtob64 len 1");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
p = sshbuf_dtob64(p1);
ASSERT_PTR_NE(p, NULL);
ASSERT_STRING_EQ(p, "EQ==");
free(p);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_dtob64 len 2");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
p = sshbuf_dtob64(p1);
ASSERT_PTR_NE(p, NULL);
ASSERT_STRING_EQ(p, "ESI=");
free(p);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_dtob64 len 3");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x33), 0);
p = sshbuf_dtob64(p1);
ASSERT_PTR_NE(p, NULL);
ASSERT_STRING_EQ(p, "ESIz");
free(p);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_dtob64 len 8191");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_reserve(p1, 8192, NULL), 0);
bzero(sshbuf_mutable_ptr(p1), 8192);
p = sshbuf_dtob64(p1);
ASSERT_PTR_NE(p, NULL);
ASSERT_SIZE_T_EQ(strlen(p), ((8191 + 2) / 3) * 4);
free(p);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_b64tod len 1");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A=="), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
ASSERT_U8_EQ(*sshbuf_ptr(p1), 0xd0);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_b64tod len 2");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A8="), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), 0xd00f);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_b64tod len 4");
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A/QDw=="), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), 0xd00fd00f);
sshbuf_free(p1);
TEST_DONE();
}
void
sshbuf_getput_crypto_tests(void)
{
struct sshbuf *p1;
const u_char *d;
size_t s;
BIGNUM *bn, *bn2, *bn_x, *bn_y;
/* This one has num_bits != num_bytes * 8 to test bignum1 encoding */
const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10";
/* This one has MSB set to test bignum2 encoding negative-avoidance */
const char *hexbn2 = "f0e0d0c0b0a0908070605040302010007fff11";
u_char expbn1[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
};
u_char expbn2[] = {
0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
0x7f, 0xff, 0x11
};
int ec256_nid = NID_X9_62_prime256v1;
char *ec256_x = "0C828004839D0106AA59575216191357"
"34B451459DADB586677EF9DF55784999";
char *ec256_y = "4D196B50F0B4E94B3C73E3A9D4CD9DF2"
"C8F9A35E42BDD047550F69D80EC23CD4";
u_char expec256[] = {
0x04,
0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4
};
EC_KEY *eck;
EC_POINT *ecp;
int r;
#define MKBN(b, bnn) \
do { \
bnn = NULL; \
ASSERT_INT_GT(BN_hex2bn(&bnn, b), 0); \
} while (0)
TEST_START("sshbuf_put_bignum1");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 2);
ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn1, sizeof(expbn1));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 limited");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
r = sshbuf_put_bignum1(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 2);
ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn2, sizeof(expbn2));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum1 bn2 limited");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
r = sshbuf_put_bignum1(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 4);
ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn));
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 4, expbn1, sizeof(expbn1));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 limited");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 3), 0);
r = sshbuf_put_bignum2(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4 + 1); /* MSB */
ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn) + 1);
ASSERT_U8_EQ(*(sshbuf_ptr(p1) + 4), 0x00);
ASSERT_MEM_EQ(sshbuf_ptr(p1) + 5, expbn2, sizeof(expbn2));
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_bignum2 bn2 limited");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn2) + 3), 0);
r = sshbuf_put_bignum2(p1, bn);
ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
BN_free(bn);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 truncated");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 giant");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xffff), 0);
ASSERT_INT_EQ(sshbuf_reserve(p1, (0xffff + 7) / 8, NULL), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum1 bn2 truncated");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
bn2 = BN_new();
r = sshbuf_get_bignum1(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + sizeof(expbn1));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 truncated");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 3);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 giant");
MKBN(hexbn1, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, 65536), 0);
ASSERT_INT_EQ(sshbuf_reserve(p1, 65536, NULL), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 65536 + 4);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0); /* MSB */
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + 1 + sizeof(expbn2));
ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
bn2 = BN_new();
ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
ASSERT_BIGNUM_EQ(bn, bn2);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2 truncated");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 1 + 4 - 1);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_get_bignum2 bn2 negative");
MKBN(hexbn2, bn);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
bn2 = BN_new();
r = sshbuf_get_bignum2(p1, bn2);
ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_IS_NEGATIVE);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4);
BN_free(bn);
BN_free(bn2);
sshbuf_free(p1);
TEST_DONE();
TEST_START("sshbuf_put_ec");
eck = EC_KEY_new_by_curve_name(ec256_nid);
ASSERT_PTR_NE(eck, NULL);
ecp = EC_POINT_new(EC_KEY_get0_group(eck));
ASSERT_PTR_NE(ecp, NULL);
MKBN(ec256_x, bn_x);
MKBN(ec256_y, bn_y);
ASSERT_INT_EQ(EC_POINT_set_affine_coordinates_GFp(
EC_KEY_get0_group(eck), ecp, bn_x, bn_y, NULL), 1);
ASSERT_INT_EQ(EC_KEY_set_public_key(eck, ecp), 1);
EC_POINT_free(ecp);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_eckey(p1, eck), 0);
ASSERT_INT_EQ(sshbuf_get_string_direct(p1, &d, &s), 0);
ASSERT_SIZE_T_EQ(s, sizeof(expec256));
ASSERT_MEM_EQ(d, expec256, sizeof(expec256));
sshbuf_free(p1);
EC_KEY_free(eck);
TEST_DONE();
TEST_START("sshbuf_get_ec");
eck = EC_KEY_new_by_curve_name(ec256_nid);
ASSERT_PTR_NE(eck, NULL);
p1 = sshbuf_new();
ASSERT_PTR_NE(p1, NULL);
ASSERT_INT_EQ(sshbuf_put_string(p1, expec256, sizeof(expec256)), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expec256) + 4);
ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
ASSERT_INT_EQ(sshbuf_get_eckey(p1, eck), 0);
bn_x = BN_new();
bn_y = BN_new();
ASSERT_PTR_NE(bn_x, NULL);
ASSERT_PTR_NE(bn_y, NULL);
ASSERT_INT_EQ(EC_POINT_get_affine_coordinates_GFp(
EC_KEY_get0_group(eck), EC_KEY_get0_public_key(eck),
bn_x, bn_y, NULL), 1);
MKBN(ec256_x, bn);
MKBN(ec256_y, bn2);
ASSERT_INT_EQ(BN_cmp(bn_x, bn), 0);
ASSERT_INT_EQ(BN_cmp(bn_y, bn2), 0);
ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
sshbuf_free(p1);
EC_KEY_free(eck);
BN_free(bn_x);
BN_free(bn_y);
BN_free(bn);
BN_free(bn2);
TEST_DONE();
}
int
sshkey_xmss_update_state(const struct sshkey *k, sshkey_printfn *pr)
{
struct ssh_xmss_state *state = k->xmss_state;
struct sshbuf *b = NULL, *enc = NULL;
u_int32_t idx = 0;
unsigned char buf[4];
char *filename = NULL;
char *statefile = NULL, *ostatefile = NULL, *nstatefile = NULL;
int fd = -1;
int ret = SSH_ERR_INVALID_ARGUMENT;
if (state == NULL || !state->allow_update)
return ret;
if (state->maxidx) {
/* no update since the number of signatures is limited */
ret = 0;
goto done;
}
idx = PEEK_U32(k->xmss_sk);
if (idx == state->idx) {
/* no signature happened, no need to update */
ret = 0;
goto done;
} else if (idx != state->idx + 1) {
PRINT("%s: more than one signature happened: idx %u state %u",
__func__, idx, state->idx);
goto done;
}
state->idx = idx;
if ((filename = k->xmss_filename) == NULL)
goto done;
if (asprintf(&statefile, "%s.state", filename) < 0 ||
asprintf(&ostatefile, "%s.ostate", filename) < 0 ||
asprintf(&nstatefile, "%s.nstate", filename) < 0) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
unlink(nstatefile);
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
if ((ret = sshkey_xmss_serialize_state(k, b)) != 0) {
PRINT("%s: SERLIALIZE FAILED: %d", __func__, ret);
goto done;
}
if ((ret = sshkey_xmss_encrypt_state(k, b, &enc)) != 0) {
PRINT("%s: ENCRYPT FAILED: %d", __func__, ret);
goto done;
}
if ((fd = open(nstatefile, O_CREAT|O_WRONLY|O_EXCL, 0600)) < 0) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: open new state file: %s", __func__, nstatefile);
goto done;
}
POKE_U32(buf, sshbuf_len(enc));
if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: write new state file hdr: %s", __func__, nstatefile);
close(fd);
goto done;
}
if (atomicio(vwrite, fd, sshbuf_mutable_ptr(enc), sshbuf_len(enc)) !=
sshbuf_len(enc)) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: write new state file data: %s", __func__, nstatefile);
close(fd);
goto done;
}
if (fsync(fd) < 0) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: sync new state file: %s", __func__, nstatefile);
close(fd);
goto done;
}
if (close(fd) < 0) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: close new state file: %s", __func__, nstatefile);
goto done;
}
if (state->have_state) {
unlink(ostatefile);
if (link(statefile, ostatefile)) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: backup state %s to %s", __func__, statefile,
ostatefile);
goto done;
}
}
if (rename(nstatefile, statefile) < 0) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: rename %s to %s", __func__, nstatefile, statefile);
goto done;
}
ret = 0;
done:
if (state->lockfd != -1) {
close(state->lockfd);
state->lockfd = -1;
}
if (nstatefile)
unlink(nstatefile);
free(statefile);
free(ostatefile);
free(nstatefile);
sshbuf_free(b);
sshbuf_free(enc);
return ret;
}
int
sshkey_xmss_get_state(const struct sshkey *k, sshkey_printfn *pr)
{
struct ssh_xmss_state *state = k->xmss_state;
u_int32_t idx = 0;
char *filename = NULL;
char *statefile = NULL, *ostatefile = NULL, *lockfile = NULL;
int lockfd = -1, have_state = 0, have_ostate, tries = 0;
int ret = SSH_ERR_INVALID_ARGUMENT, r;
if (state == NULL)
goto done;
/*
* If maxidx is set, then we are allowed a limited number
* of signatures, but don't need to access the disk.
* Otherwise we need to deal with the on-disk state.
*/
if (state->maxidx) {
/* xmss_sk always contains the current state */
idx = PEEK_U32(k->xmss_sk);
if (idx < state->maxidx) {
state->allow_update = 1;
return 0;
}
return SSH_ERR_INVALID_ARGUMENT;
}
if ((filename = k->xmss_filename) == NULL)
goto done;
if (asprintf(&lockfile, "%s.lock", filename) < 0 ||
asprintf(&statefile, "%s.state", filename) < 0 ||
asprintf(&ostatefile, "%s.ostate", filename) < 0) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
if ((lockfd = open(lockfile, O_CREAT|O_RDONLY, 0600)) < 0) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: cannot open/create: %s", __func__, lockfile);
goto done;
}
while (flock(lockfd, LOCK_EX|LOCK_NB) < 0) {
if (errno != EWOULDBLOCK) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: cannot lock: %s", __func__, lockfile);
goto done;
}
if (++tries > 10) {
ret = SSH_ERR_SYSTEM_ERROR;
PRINT("%s: giving up on: %s", __func__, lockfile);
goto done;
}
usleep(1000*100*tries);
}
/* XXX no longer const */
if ((r = sshkey_xmss_get_state_from_file(__UNCONST(k),
statefile, &have_state, pr)) != 0) {
if ((r = sshkey_xmss_get_state_from_file(__UNCONST(k),
ostatefile, &have_ostate, pr)) == 0) {
state->allow_update = 1;
r = sshkey_xmss_forward_state(k, 1);
state->idx = PEEK_U32(k->xmss_sk);
state->allow_update = 0;
}
}
if (!have_state && !have_ostate) {
/* check that bds state is initialized */
if (state->bds.auth == NULL)
goto done;
PRINT("%s: start from scratch idx 0: %u", __func__, state->idx);
} else if (r != 0) {
ret = r;
goto done;
}
if (state->idx + 1 < state->idx) {
PRINT("%s: state wrap: %u", __func__, state->idx);
goto done;
}
state->have_state = have_state;
state->lockfd = lockfd;
state->allow_update = 1;
lockfd = -1;
ret = 0;
done:
if (lockfd != -1)
close(lockfd);
free(lockfile);
free(statefile);
free(ostatefile);
return ret;
}
