int kexgex_hash( int hash_alg, const char *client_version_string, const char *server_version_string, const u_char *ckexinit, size_t ckexinitlen, const u_char *skexinit, size_t skexinitlen, const u_char *serverhostkeyblob, size_t sbloblen, int min, int wantbits, int max, const BIGNUM *prime, const BIGNUM *gen, const BIGNUM *client_dh_pub, const BIGNUM *server_dh_pub, const BIGNUM *shared_secret, u_char *hash, size_t *hashlen) { struct sshbuf *b; int r; if (*hashlen < ssh_digest_bytes(SSH_DIGEST_SHA1)) return SSH_ERR_INVALID_ARGUMENT; if ((b = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 || (r = sshbuf_put_cstring(b, server_version_string)) != 0 || /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 || (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 || (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 || (min != -1 && (r = sshbuf_put_u32(b, min)) != 0) || (r = sshbuf_put_u32(b, wantbits)) != 0 || (max != -1 && (r = sshbuf_put_u32(b, max)) != 0) || (r = sshbuf_put_bignum2(b, prime)) != 0 || (r = sshbuf_put_bignum2(b, gen)) != 0 || (r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 || (r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 || (r = sshbuf_put_bignum2(b, shared_secret)) != 0) { sshbuf_free(b); return r; } #ifdef DEBUG_KEXDH sshbuf_dump(b, stderr); #endif if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) { sshbuf_free(b); return SSH_ERR_LIBCRYPTO_ERROR; } sshbuf_free(b); *hashlen = ssh_digest_bytes(hash_alg); #ifdef DEBUG_KEXDH dump_digest("hash", hash, *hashlen); #endif return 0; }
void kexgex_hash( int hash_alg, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, char *skexinit, int skexinitlen, u_char *serverhostkeyblob, int sbloblen, int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen, BIGNUM *client_dh_pub, BIGNUM *server_dh_pub, BIGNUM *shared_secret, u_char **hash, u_int *hashlen) { Buffer b; static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); buffer_put_cstring(&b, server_version_string); /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ buffer_put_int(&b, ckexinitlen+1); buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, ckexinit, ckexinitlen); buffer_put_int(&b, skexinitlen+1); buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, skexinit, skexinitlen); buffer_put_string(&b, serverhostkeyblob, sbloblen); if (min == -1 || max == -1) buffer_put_int(&b, wantbits); else { buffer_put_int(&b, min); buffer_put_int(&b, wantbits); buffer_put_int(&b, max); } buffer_put_bignum2(&b, prime); buffer_put_bignum2(&b, gen); buffer_put_bignum2(&b, client_dh_pub); buffer_put_bignum2(&b, server_dh_pub); buffer_put_bignum2(&b, shared_secret); #ifdef DEBUG_KEXDH buffer_dump(&b); #endif if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif *hash = digest; *hashlen = ssh_digest_bytes(hash_alg); }
int kex_ecdh_hash( int hash_alg, const EC_GROUP *ec_group, const char *client_version_string, const char *server_version_string, const u_char *ckexinit, size_t ckexinitlen, const u_char *skexinit, size_t skexinitlen, const u_char *serverhostkeyblob, size_t sbloblen, const EC_POINT *client_dh_pub, const EC_POINT *server_dh_pub, const BIGNUM *shared_secret, u_char *hash, size_t *hashlen) { struct sshbuf *b; int r; if (*hashlen < ssh_digest_bytes(hash_alg)) return SSH_ERR_INVALID_ARGUMENT; if ((b = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 || (r = sshbuf_put_cstring(b, server_version_string)) != 0 || /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 || (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 || (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 || (r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 || (r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 || (r = sshbuf_put_bignum2(b, shared_secret)) != 0) { sshbuf_free(b); return r; } #ifdef DEBUG_KEX sshbuf_dump(b, stderr); #endif if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) { sshbuf_free(b); return SSH_ERR_LIBCRYPTO_ERROR; } sshbuf_free(b); *hashlen = ssh_digest_bytes(hash_alg); #ifdef DEBUG_KEX dump_digest("hash", hash, *hashlen); #endif return 0; }
void derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, u_int8_t cookie[8], u_int8_t id[16]) { u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; int len; struct ssh_digest_ctx *hashctx; if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL) fatal("%s: ssh_digest_start", __func__); len = BN_num_bytes(host_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad host modulus (len %d)", __func__, len); BN_bn2bin(host_modulus, nbuf); if (ssh_digest_update(hashctx, nbuf, len) != 0) fatal("%s: ssh_digest_update failed", __func__); len = BN_num_bytes(server_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) fatal("%s: bad server modulus (len %d)", __func__, len); BN_bn2bin(server_modulus, nbuf); if (ssh_digest_update(hashctx, nbuf, len) != 0 || ssh_digest_update(hashctx, cookie, 8) != 0) fatal("%s: ssh_digest_update failed", __func__); if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) fatal("%s: ssh_digest_final failed", __func__); memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); explicit_bzero(nbuf, sizeof(nbuf)); explicit_bzero(obuf, sizeof(obuf)); }
int derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus, u_int8_t cookie[8], u_int8_t id[16]) { u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH]; struct ssh_digest_ctx *hashctx = NULL; size_t len; int r; len = BN_num_bytes(host_modulus); if (len < (512 / 8) || (u_int)len > sizeof(nbuf)) return SSH_ERR_KEY_BITS_MISMATCH; if (BN_bn2bin(host_modulus, nbuf) <= 0 || (hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || ssh_digest_update(hashctx, nbuf, len) != 0 || ssh_digest_update(hashctx, cookie, 8) != 0 || ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5)); r = 0; out: ssh_digest_free(hashctx); explicit_bzero(nbuf, sizeof(nbuf)); explicit_bzero(obuf, sizeof(obuf)); return r; }
static void roaming_auth_required(void) { u_char digest[SSH_DIGEST_MAX_LENGTH]; Buffer b; u_int64_t chall, oldchall; chall = packet_get_int64(); oldchall = packet_get_int64(); if (oldchall != lastseenchall) { key1 = oldkey1; key2 = oldkey2; } lastseenchall = chall; buffer_init(&b); buffer_put_int64(&b, cookie); buffer_put_int64(&b, chall); if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0) fatal("%s: ssh_digest_buffer failed", __func__); buffer_free(&b); packet_start(SSH2_MSG_KEX_ROAMING_AUTH); packet_put_int64(key1 ^ get_recv_bytes()); packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1)); packet_send(); oldkey1 = key1; oldkey2 = key2; calculate_new_key(&key1, cookie, chall); calculate_new_key(&key2, cookie, chall); debug("Received %llu bytes", (unsigned long long)get_recv_bytes()); debug("Sent roaming_auth packet"); }
void kex_c25519_hash( int hash_alg, char *client_version_string, char *server_version_string, char *ckexinit, int ckexinitlen, char *skexinit, int skexinitlen, u_char *serverhostkeyblob, int sbloblen, const u_char client_dh_pub[CURVE25519_SIZE], const u_char server_dh_pub[CURVE25519_SIZE], const u_char *shared_secret, u_int secretlen, u_char **hash, u_int *hashlen) { Buffer b; static u_char digest[SSH_DIGEST_MAX_LENGTH]; buffer_init(&b); buffer_put_cstring(&b, client_version_string); buffer_put_cstring(&b, server_version_string); /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ buffer_put_int(&b, ckexinitlen+1); buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, ckexinit, ckexinitlen); buffer_put_int(&b, skexinitlen+1); buffer_put_char(&b, SSH2_MSG_KEXINIT); buffer_append(&b, skexinit, skexinitlen); buffer_put_string(&b, serverhostkeyblob, sbloblen); buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE); buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE); buffer_append(&b, shared_secret, secretlen); #ifdef DEBUG_KEX buffer_dump(&b); #endif if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0) fatal("%s: digest_buffer failed", __func__); buffer_free(&b); #ifdef DEBUG_KEX dump_digest("hash", digest, ssh_digest_bytes(hash_alg)); #endif *hash = digest; *hashlen = ssh_digest_bytes(hash_alg); }
int ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp, const u_char *data, u_int datalen) { ECDSA_SIG *sig; int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH]; u_int len, dlen; Buffer b, bb; if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { error("%s: bad hash algorithm %d", __func__, hash_alg); return -1; } if (ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest)) != 0) { error("%s: digest_memory failed", __func__); return -1; } sig = ECDSA_do_sign(digest, dlen, key->ecdsa); explicit_bzero(digest, sizeof(digest)); if (sig == NULL) { error("%s: sign failed", __func__); return -1; } buffer_init(&bb); buffer_put_bignum2(&bb, sig->r); buffer_put_bignum2(&bb, sig->s); ECDSA_SIG_free(sig); buffer_init(&b); buffer_put_cstring(&b, key_ssh_name_plain(key)); buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb)); buffer_free(&bb); len = buffer_len(&b); if (lenp != NULL) *lenp = len; if (sigp != NULL) { *sigp = xmalloc(len); memcpy(*sigp, buffer_ptr(&b), len); } buffer_free(&b); return 0; }
static u_char * derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen, const u_char *shared_secret, u_int slen) { Buffer b; struct ssh_digest_ctx *hashctx; char c = id; u_int have; size_t mdsz; u_char *digest; if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) fatal("bad kex md size %zu", mdsz); digest = xmalloc(roundup(need, mdsz)); buffer_init(&b); buffer_append(&b, shared_secret, slen); /* K1 = HASH(K || H || "A" || session_id) */ if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) fatal("%s: ssh_digest_start failed", __func__); if (ssh_digest_update_buffer(hashctx, &b) != 0 || ssh_digest_update(hashctx, hash, hashlen) != 0 || ssh_digest_update(hashctx, &c, 1) != 0 || ssh_digest_update(hashctx, kex->session_id, kex->session_id_len) != 0) fatal("%s: ssh_digest_update failed", __func__); if (ssh_digest_final(hashctx, digest, mdsz) != 0) fatal("%s: ssh_digest_final failed", __func__); ssh_digest_free(hashctx); /* * expand key: * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) * Key = K1 || K2 || ... || Kn */ for (have = mdsz; need > have; have += mdsz) { if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL) fatal("%s: ssh_digest_start failed", __func__); if (ssh_digest_update_buffer(hashctx, &b) != 0 || ssh_digest_update(hashctx, hash, hashlen) != 0 || ssh_digest_update(hashctx, digest, have) != 0) fatal("%s: ssh_digest_update failed", __func__); if (ssh_digest_final(hashctx, digest + have, mdsz) != 0) fatal("%s: ssh_digest_final failed", __func__); ssh_digest_free(hashctx); } buffer_free(&b); #ifdef DEBUG_KEX fprintf(stderr, "key '%c'== ", c); dump_digest("key", digest, need); #endif return digest; }
static int openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen, u_char *sigbuf, size_t siglen, RSA *rsa) { size_t rsasize = 0, oidlen = 0, hlen = 0; int ret, len, oidmatch, hashmatch; const u_char *oid = NULL; u_char *decrypted = NULL; if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0) return ret; ret = SSH_ERR_INTERNAL_ERROR; hlen = ssh_digest_bytes(hash_alg); if (hashlen != hlen) { ret = SSH_ERR_INVALID_ARGUMENT; goto done; } rsasize = RSA_size(rsa); if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || siglen == 0 || siglen > rsasize) { ret = SSH_ERR_INVALID_ARGUMENT; goto done; } if ((decrypted = malloc(rsasize)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto done; } if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa, RSA_PKCS1_PADDING)) < 0) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto done; } if (len < 0 || (size_t)len != hlen + oidlen) { ret = SSH_ERR_INVALID_FORMAT; goto done; } oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0; hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0; if (!oidmatch || !hashmatch) { ret = SSH_ERR_SIGNATURE_INVALID; goto done; } ret = 0; done: if (decrypted) { explicit_bzero(decrypted, rsasize); free(decrypted); } return ret; }
int kex_dh_hash( const char *client_version_string, const char *server_version_string, const u_char *ckexinit, size_t ckexinitlen, const u_char *skexinit, size_t skexinitlen, const u_char *serverhostkeyblob, size_t sbloblen, const BIGNUM *client_dh_pub, const BIGNUM *server_dh_pub, const BIGNUM *shared_secret, u_char **hash, size_t *hashlen) { struct sshbuf *b; static u_char digest[SSH_DIGEST_MAX_LENGTH]; int r; if ((b = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 || (r = sshbuf_put_cstring(b, server_version_string)) != 0 || /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 || (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 || (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 || (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 || (r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 || (r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 || (r = sshbuf_put_bignum2(b, shared_secret)) != 0) { sshbuf_free(b); return r; } #ifdef DEBUG_KEX sshbuf_dump(b, stderr); #endif if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, digest, sizeof(digest)) != 0) { sshbuf_free(b); return SSH_ERR_LIBCRYPTO_ERROR; } sshbuf_free(b); *hash = digest; *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); #ifdef DEBUG_KEX dump_digest("hash", digest, *hashlen); #endif return 0; }
int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen) { size_t len; len = ssh_digest_bytes(ctx->alg); if (dlen < len || ssh_digest_final(ctx->digest, ctx->buf, len)) return -1; /* switch to octx */ if (ssh_digest_copy_state(ctx->octx, ctx->digest) < 0 || ssh_digest_update(ctx->digest, ctx->buf, len) < 0 || ssh_digest_final(ctx->digest, d, dlen) < 0) return -1; return 0; }
static double user_specific_delay(const char *user) { char b[512]; size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); u_char *hash = xmalloc(len); double delay; (void)snprintf(b, sizeof b, "%llu%s", (unsigned long long)options.timing_secret, user); if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0) fatal("%s: ssh_digest_memory", __func__); /* 0-4.2 ms of delay */ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; freezero(hash, len); debug3("%s: user specific delay %0.3lfms", __func__, delay/1000); return MIN_FAIL_DELAY_SECONDS + delay; }
/* * Caclulate a new key after a reconnect */ void calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { u_char hash[SSH_DIGEST_MAX_LENGTH]; Buffer b; buffer_init(&b); buffer_put_int64(&b, *key); buffer_put_int64(&b, cookie); buffer_put_int64(&b, challenge); if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0) fatal("%s: digest_buffer failed", __func__); buffer_clear(&b); buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1)); *key = buffer_get_int64(&b); buffer_free(&b); }
/* * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success, * with digest via 'digestp' (caller to free) and length via 'lenp'. * Returns -1 on failure. */ int hash_buffer(const u_char *buf, u_int len, int hash_alg, u_char **digestp, u_int *lenp) { u_char digest[SSH_DIGEST_MAX_LENGTH]; u_int digest_len = ssh_digest_bytes(hash_alg); if (digest_len == 0) { error("%s: invalid hash", __func__); return -1; } if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) { error("%s: digest_memory failed", __func__); return -1; } *digestp = xmalloc(digest_len); *lenp = digest_len; memcpy(*digestp, digest, *lenp); bzero(digest, sizeof(digest)); digest_len = 0; return 0; }
char * host_hash(const char *host, const char *name_from_hostfile, u_int src_len) { struct ssh_hmac_ctx *ctx; u_char salt[256], result[256]; char uu_salt[512], uu_result[512]; static char encoded[1024]; u_int i, len; len = ssh_digest_bytes(SSH_DIGEST_SHA1); if (name_from_hostfile == NULL) { /* Create new salt */ for (i = 0; i < len; i++) salt[i] = arc4random(); } else { /* Extract salt from known host entry */ if (extract_salt(name_from_hostfile, src_len, salt, sizeof(salt)) == -1) return (NULL); } if ((ctx = ssh_hmac_start(SSH_DIGEST_SHA1)) == NULL || ssh_hmac_init(ctx, salt, len) < 0 || ssh_hmac_update(ctx, host, strlen(host)) < 0 || ssh_hmac_final(ctx, result, sizeof(result))) fatal("%s: ssh_hmac failed", __func__); ssh_hmac_free(ctx); if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 || __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1) fatal("%s: __b64_ntop failed", __func__); snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt, HASH_DELIM, uu_result); return (encoded); }
/* * Caclulate a new key after a reconnect */ void calculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge) { u_char hash[SSH_DIGEST_MAX_LENGTH]; struct sshbuf *b; int r; if ((b = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); if ((r = sshbuf_put_u64(b, *key)) != 0 || (r = sshbuf_put_u64(b, cookie)) != 0 || (r = sshbuf_put_u64(b, challenge)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, hash, sizeof(hash)) != 0) fatal("%s: digest_buffer failed", __func__); sshbuf_reset(b); if ((r = sshbuf_put(b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1))) != 0 || (r = sshbuf_get_u64(b, key)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); sshbuf_free(b); }
static void input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt) { #define u2f_bounds_check(necessary_bytes) do { \ if (restlen < necessary_bytes) { \ logit("U2F response too short: need %d bytes, but only %d remaining", \ necessary_bytes, restlen); \ goto out; \ } \ } while (0) #define u2f_advance(parsed_bytes) do { \ int advance = parsed_bytes; \ walk += advance; \ restlen -= advance; \ } while (0) Authctxt *authctxt = ctxt; char *response, *regdata, *clientdata; u_char *decoded = NULL; u_char *walk = NULL; u_char *keyhandle = NULL; u_char *pubkey = NULL; u_char *signature = NULL; u_char *dummy = NULL; u_char *cdecoded = NULL; X509 *x509; EVP_MD_CTX mdctx; int restlen; int khlen; int cdecodedlen; int err; char errorbuf[4096]; u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)]; authctxt->postponed = 0; response = packet_get_string(NULL); packet_check_eom(); if ((regdata = extract_json_string(response, "registrationData")) == NULL) { logit("Response not JSON, or does not contain \"registrationData\""); goto out; } decoded = xmalloc(strlen(regdata) * 3 / 4); restlen = urlsafe_base64_decode(regdata, decoded, strlen(regdata) * 3 / 4); walk = decoded; // Header (magic byte) u2f_bounds_check(1); if (walk[0] != 0x05) { logit("U2F response does not start with magic byte 0x05"); goto out; } u2f_advance(1); // Length of the public key u2f_bounds_check(u2f_pubkey_len); pubkey = walk; u2f_advance(u2f_pubkey_len); // Length of the key handle u2f_bounds_check(1); khlen = walk[0]; u2f_advance(1); // Key handle u2f_bounds_check(khlen); keyhandle = walk; u2f_advance(khlen); // Attestation certificate u2f_bounds_check(1); signature = walk; if ((x509 = d2i_X509(NULL, &signature, restlen)) == NULL) { logit("U2F response contains an invalid attestation certificate."); goto out; } // U2F dictates that the length of the certificate should be determined by // encoding the certificate using DER. u2f_advance(i2d_X509(x509, &dummy)); free(dummy); // Ensure we have at least one byte of signature. u2f_bounds_check(1); if ((clientdata = extract_json_string(response, "clientData")) == NULL) { logit("U2F response JSON lacks the \"clientData\" key."); goto out; } cdecoded = xmalloc(strlen(clientdata) * 3 / 4); cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4); EVP_PKEY *pkey = X509_get_pubkey(x509); if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) { ERR_error_string(ERR_get_error(), errorbuf); fatal("EVP_VerifyInit() failed: %s (reason: %s)", errorbuf, ERR_reason_error_string(err)); } EVP_VerifyUpdate(&mdctx, "\0", 1); u2f_sha256(digest, appid, strlen(appid)); EVP_VerifyUpdate(&mdctx, digest, sizeof(digest)); u2f_sha256(digest, cdecoded, cdecodedlen); EVP_VerifyUpdate(&mdctx, digest, sizeof(digest)); EVP_VerifyUpdate(&mdctx, keyhandle, khlen); EVP_VerifyUpdate(&mdctx, pubkey, u2f_pubkey_len); if ((err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey)) == -1) { ERR_error_string(ERR_get_error(), errorbuf); logit("Verifying the U2F registration signature failed: %s (reason: %s)", errorbuf, ERR_reason_error_string(err)); goto out; } EVP_PKEY_free(pkey); { char *authorizedkey; char key[u2f_pubkey_len + khlen]; char key64[((sizeof(key)+2)/3)*4 + 1]; memcpy(key, pubkey, u2f_pubkey_len); memcpy(key+u2f_pubkey_len, keyhandle, khlen); if (b64_ntop(key, sizeof(key), key64, sizeof(key64)) == -1) fatal("b64_ntop()"); xasprintf(&authorizedkey, "ssh-u2f %s", key64); packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); packet_put_cstring(authorizedkey); packet_send(); free(authorizedkey); dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); } out: free(decoded); userauth_finish(authctxt, 0, "u2f", NULL); return; #undef u2f_bounds_check #undef u2f_advance }
void u2f_sha256(u_char *dest, u_char *src, size_t srclen) { struct ssh_digest_ctx *ctx = ssh_digest_start(SSH_DIGEST_SHA256); ssh_digest_update(ctx, src, srclen); ssh_digest_final(ctx, dest, ssh_digest_bytes(SSH_DIGEST_SHA256)); }
static int derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen, const u_char *shared_secret, u_int slen, u_char **keyp) { struct kex *kex = ssh->kex; struct sshbuf *b = NULL; struct ssh_digest_ctx *hashctx = NULL; char c = id; u_int have; size_t mdsz; u_char *digest; int r; if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0) return SSH_ERR_INVALID_ARGUMENT; if ((digest = calloc(1, roundup(need, mdsz))) == NULL || (b = sshbuf_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshbuf_put(b, shared_secret, slen)) < 0) goto out; /* K1 = HASH(K || H || "A" || session_id) */ if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || ssh_digest_update_buffer(hashctx, b) != 0 || ssh_digest_update(hashctx, hash, hashlen) != 0 || ssh_digest_update(hashctx, &c, 1) != 0 || ssh_digest_update(hashctx, kex->session_id, kex->session_id_len) != 0 || ssh_digest_final(hashctx, digest, mdsz) != 0) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } ssh_digest_free(hashctx); hashctx = NULL; /* * expand key: * Kn = HASH(K || H || K1 || K2 || ... || Kn-1) * Key = K1 || K2 || ... || Kn */ for (have = mdsz; need > have; have += mdsz) { if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL || ssh_digest_update_buffer(hashctx, b) != 0 || ssh_digest_update(hashctx, hash, hashlen) != 0 || ssh_digest_update(hashctx, digest, have) != 0 || ssh_digest_final(hashctx, digest + have, mdsz) != 0) { r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } ssh_digest_free(hashctx); hashctx = NULL; } #ifdef DEBUG_KEX fprintf(stderr, "key '%c'== ", c); dump_digest("key", digest, need); #endif *keyp = digest; digest = NULL; r = 0; out: if (digest) free(digest); if (b) sshbuf_free(b); ssh_digest_free(hashctx); return r; }
int ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat) { DSA_SIG *sig = NULL; u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); struct sshbuf *b = NULL; int ret = SSH_ERR_INVALID_ARGUMENT; if (lenp != NULL) *lenp = 0; if (sigp != NULL) *sigp = NULL; if (key == NULL || key->dsa == NULL || sshkey_type_plain(key->type) != KEY_DSA) return SSH_ERR_INVALID_ARGUMENT; if (dlen == 0) return SSH_ERR_INTERNAL_ERROR; if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, digest, sizeof(digest))) != 0) goto out; if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } rlen = BN_num_bytes(sig->r); slen = BN_num_bytes(sig->s); if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) { ret = SSH_ERR_INTERNAL_ERROR; goto out; } explicit_bzero(sigblob, SIGBLOB_LEN); BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen); BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen); if (compat & SSH_BUG_SIGBLOB) { if (sigp != NULL) { if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(*sigp, sigblob, SIGBLOB_LEN); } if (lenp != NULL) *lenp = SIGBLOB_LEN; ret = 0; } else { /* ietf-drafts */ if ((b = sshbuf_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 || (ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0) goto out; len = sshbuf_len(b); if (sigp != NULL) { if ((*sigp = malloc(len)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(*sigp, sshbuf_ptr(b), len); } if (lenp != NULL) *lenp = len; ret = 0; } out: explicit_bzero(digest, sizeof(digest)); if (sig != NULL) DSA_SIG_free(sig); sshbuf_free(b); return ret; }
int ssh_dss_verify(const struct sshkey *key, const u_char *signature, size_t signaturelen, const u_char *data, size_t datalen, u_int compat) { DSA_SIG *sig = NULL; u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL; size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1); int ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL; char *ktype = NULL; if (key == NULL || key->dsa == NULL || sshkey_type_plain(key->type) != KEY_DSA) return SSH_ERR_INVALID_ARGUMENT; if (dlen == 0) return SSH_ERR_INTERNAL_ERROR; /* fetch signature */ if (compat & SSH_BUG_SIGBLOB) { if ((sigblob = malloc(signaturelen)) == NULL) return SSH_ERR_ALLOC_FAIL; memcpy(sigblob, signature, signaturelen); len = signaturelen; } else { /* ietf-drafts */ if ((b = sshbuf_from(signature, signaturelen)) == NULL) return SSH_ERR_ALLOC_FAIL; if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || sshbuf_get_string(b, &sigblob, &len) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } if (strcmp("ssh-dss", ktype) != 0) { ret = SSH_ERR_KEY_TYPE_MISMATCH; goto out; } if (sshbuf_len(b) != 0) { ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; } } if (len != SIGBLOB_LEN) { ret = SSH_ERR_INVALID_FORMAT; goto out; } /* parse signature */ if ((sig = DSA_SIG_new()) == NULL || (sig->r = BN_new()) == NULL || (sig->s = BN_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) || (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } /* sha1 the data */ if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, digest, sizeof(digest))) != 0) goto out; switch (DSA_do_verify(digest, dlen, sig, key->dsa)) { case 1: ret = 0; break; case 0: ret = SSH_ERR_SIGNATURE_INVALID; goto out; default: ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } out: explicit_bzero(digest, sizeof(digest)); if (sig != NULL) DSA_SIG_free(sig); sshbuf_free(b); free(ktype); if (sigblob != NULL) { explicit_bzero(sigblob, len); free(sigblob); } return ret; }
/* ARGSUSED */ int ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat) { ECDSA_SIG *sig = NULL; int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH]; size_t len, dlen; struct sshbuf *b = NULL, *bb = NULL; int ret = SSH_ERR_INTERNAL_ERROR; if (lenp != NULL) *lenp = 0; if (sigp != NULL) *sigp = NULL; if (key == NULL || key->ecdsa == NULL || sshkey_type_plain(key->type) != KEY_ECDSA) return SSH_ERR_INVALID_ARGUMENT; if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || (dlen = ssh_digest_bytes(hash_alg)) == 0) return SSH_ERR_INTERNAL_ERROR; if ((ret = ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest))) != 0) goto out; if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 || (ret = sshbuf_put_bignum2(bb, sig->s)) != 0) goto out; if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 || (ret = sshbuf_put_stringb(b, bb)) != 0) goto out; len = sshbuf_len(b); if (sigp != NULL) { if ((*sigp = malloc(len)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(*sigp, sshbuf_ptr(b), len); } if (lenp != NULL) *lenp = len; ret = 0; out: explicit_bzero(digest, sizeof(digest)); if (b != NULL) sshbuf_free(b); if (bb != NULL) sshbuf_free(bb); if (sig != NULL) ECDSA_SIG_free(sig); return ret; }
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, const char *alg_ident) { u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; size_t slen; u_int dlen, len; int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL; if (lenp != NULL) *lenp = 0; if (sigp != NULL) *sigp = NULL; if (alg_ident == NULL || strlen(alg_ident) == 0 || strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0) hash_alg = SSH_DIGEST_SHA1; else hash_alg = rsa_hash_alg_from_ident(alg_ident); if (key == NULL || key->rsa == NULL || hash_alg == -1 || sshkey_type_plain(key->type) != KEY_RSA || BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) return SSH_ERR_INVALID_ARGUMENT; slen = RSA_size(key->rsa); if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) return SSH_ERR_INVALID_ARGUMENT; /* hash the data */ nid = rsa_hash_alg_nid(hash_alg); if ((dlen = ssh_digest_bytes(hash_alg)) == 0) return SSH_ERR_INTERNAL_ERROR; if ((ret = ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest))) != 0) goto out; if ((sig = malloc(slen)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } if (len < slen) { size_t diff = slen - len; memmove(sig + diff, sig, len); explicit_bzero(sig, diff); } else if (len > slen) { ret = SSH_ERR_INTERNAL_ERROR; goto out; } /* encode signature */ if ((b = sshbuf_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 || (ret = sshbuf_put_string(b, sig, slen)) != 0) goto out; len = sshbuf_len(b); if (sigp != NULL) { if ((*sigp = malloc(len)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(*sigp, sshbuf_ptr(b), len); } if (lenp != NULL) *lenp = len; ret = 0; out: explicit_bzero(digest, sizeof(digest)); if (sig != NULL) { explicit_bzero(sig, slen); free(sig); } sshbuf_free(b); return ret; }
int ssh_rsa_verify(const struct sshkey *key, const u_char *sig, size_t siglen, const u_char *data, size_t datalen) { char *ktype = NULL; int hash_alg, ret = SSH_ERR_INTERNAL_ERROR; size_t len, diff, modlen, dlen; struct sshbuf *b = NULL; u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL; if (key == NULL || key->rsa == NULL || sshkey_type_plain(key->type) != KEY_RSA || BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE || sig == NULL || siglen == 0) return SSH_ERR_INVALID_ARGUMENT; if ((b = sshbuf_from(sig, siglen)) == NULL) return SSH_ERR_ALLOC_FAIL; if (sshbuf_get_cstring(b, &ktype, NULL) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) { ret = SSH_ERR_KEY_TYPE_MISMATCH; goto out; } if (sshbuf_get_string(b, &sigblob, &len) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } if (sshbuf_len(b) != 0) { ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; } /* RSA_verify expects a signature of RSA_size */ modlen = RSA_size(key->rsa); if (len > modlen) { ret = SSH_ERR_KEY_BITS_MISMATCH; goto out; } else if (len < modlen) { diff = modlen - len; osigblob = sigblob; if ((sigblob = realloc(sigblob, modlen)) == NULL) { sigblob = osigblob; /* put it back for clear/free */ ret = SSH_ERR_ALLOC_FAIL; goto out; } memmove(sigblob + diff, sigblob, len); explicit_bzero(sigblob, diff); len = modlen; } if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { ret = SSH_ERR_INTERNAL_ERROR; goto out; } if ((ret = ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest))) != 0) goto out; ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len, key->rsa); out: if (sigblob != NULL) { explicit_bzero(sigblob, len); free(sigblob); } free(ktype); sshbuf_free(b); explicit_bzero(digest, sizeof(digest)); return ret; }
size_t ssh_hmac_bytes(int alg) { return ssh_digest_bytes(alg); }
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, u_int compat) { int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL; size_t slen; u_int dlen, len; int nid, ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL; if (lenp != NULL) *lenp = 0; if (sigp != NULL) *sigp = NULL; if (key == NULL || key->rsa == NULL || sshkey_type_plain(key->type) != KEY_RSA) return SSH_ERR_INVALID_ARGUMENT; slen = RSA_size(key->rsa); if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) return SSH_ERR_INVALID_ARGUMENT; /* hash the data */ hash_alg = SSH_DIGEST_SHA1; nid = NID_sha1; if ((dlen = ssh_digest_bytes(hash_alg)) == 0) return SSH_ERR_INTERNAL_ERROR; if ((ret = ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest))) != 0) goto out; if ((sig = malloc(slen)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) { ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } if (len < slen) { size_t diff = slen - len; memmove(sig + diff, sig, len); explicit_bzero(sig, diff); } else if (len > slen) { ret = SSH_ERR_INTERNAL_ERROR; goto out; } /* encode signature */ if ((b = sshbuf_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 || (ret = sshbuf_put_string(b, sig, slen)) != 0) goto out; len = sshbuf_len(b); if (sigp != NULL) { if ((*sigp = malloc(len)) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } memcpy(*sigp, sshbuf_ptr(b), len); } if (lenp != NULL) *lenp = len; ret = 0; out: explicit_bzero(digest, sizeof(digest)); if (sig != NULL) { explicit_bzero(sig, slen); free(sig); } if (b != NULL) sshbuf_free(b); return ret; }
// TODO: can we send multiple authrequests at the same time, so that we don’t // need multiple round-trips but still support multiple security keys static void input_userauth_u2f_info_response(int type, u_int32_t seq, void *ctxt) { int authenticated = 0; Authctxt *authctxt = ctxt; u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)]; debug("input_userauth_u2f_info_response\n"); u_int len; char *clientdata; u_char *cdecoded; int cdecodedlen; char *resp = packet_get_string(&len); debug("u2f resp len (server): %d\n", len); debug("u2f resp (server): %s\n", resp); packet_check_eom(); char *sig = extract_json_string(resp, "signatureData"); if (sig == NULL) fatal("could not extract signature"); // TODO: free sig debug("signature is *%s*", sig); if (*sig == '\0') fatal("u2f authentication failed: empty signature. Probably the key is not registered (i.e. your key handle/pubkey do not exist on the key you are using)"); // TODO: is there a macro for this size? u_char decoded[strlen(sig) * 3 / 4]; int decodedlen = urlsafe_base64_decode(sig, decoded, sizeof(decoded)); // Ensure that the user presence byte, the counter and at least one byte of // signature are present. if (decodedlen <= (sizeof(u_char) + sizeof(u_int32_t))) fatal("decoded signature too short"); if ((decoded[0] & 0x01) != 0x01) fatal("user presence bit not set"); u_int32_t counter = ntohl(*((u_int32_t*)&decoded[1])); debug("usage counter = %d\n", counter); struct sha_digest_ctx *sha256ctx = ssh_digest_start(SSH_DIGEST_SHA256); u2f_sha256(digest, appid, strlen(appid)); ssh_digest_update(sha256ctx, digest, sizeof(digest)); ssh_digest_update(sha256ctx, decoded, sizeof(u_char)); ssh_digest_update(sha256ctx, decoded+1, 4 * sizeof(u_char)); if ((clientdata = extract_json_string(resp, "clientData")) == NULL) { fatal("U2F response JSON lacks the \"clientData\" key."); } cdecoded = xmalloc(strlen(clientdata) * 3 / 4); cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4); u2f_sha256(digest, cdecoded, cdecodedlen); ssh_digest_update(sha256ctx, digest, sizeof(digest)); ssh_digest_final(sha256ctx, digest, sizeof(digest)); debug("hashed sig"); authenticated = PRIVSEP(verify_u2f_user( authctxt->u2f_key, digest, sizeof(digest), decoded+5, decodedlen-5)); authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); userauth_finish(authctxt, authenticated, "u2f", NULL); }
int ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen) { ECDSA_SIG *sig; int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob; u_int len, dlen; int rlen, ret; Buffer b, bb; char *ktype; if (key == NULL || key_type_plain(key->type) != KEY_ECDSA || key->ecdsa == NULL) { error("%s: no ECDSA key", __func__); return -1; } /* fetch signature */ buffer_init(&b); buffer_append(&b, signature, signaturelen); ktype = buffer_get_string(&b, NULL); if (strcmp(key_ssh_name_plain(key), ktype) != 0) { error("%s: cannot handle type %s", __func__, ktype); buffer_free(&b); free(ktype); return -1; } free(ktype); sigblob = buffer_get_string(&b, &len); rlen = buffer_len(&b); buffer_free(&b); if (rlen != 0) { error("%s: remaining bytes in signature %d", __func__, rlen); free(sigblob); return -1; } /* parse signature */ if ((sig = ECDSA_SIG_new()) == NULL) fatal("%s: ECDSA_SIG_new failed", __func__); buffer_init(&bb); buffer_append(&bb, sigblob, len); buffer_get_bignum2(&bb, sig->r); buffer_get_bignum2(&bb, sig->s); if (buffer_len(&bb) != 0) fatal("%s: remaining bytes in inner sigblob", __func__); buffer_free(&bb); /* clean up */ explicit_bzero(sigblob, len); free(sigblob); /* hash the data */ hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid); if ((dlen = ssh_digest_bytes(hash_alg)) == 0) { error("%s: bad hash algorithm %d", __func__, hash_alg); return -1; } if (ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest)) != 0) { error("%s: digest_memory failed", __func__); return -1; } ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa); explicit_bzero(digest, sizeof(digest)); ECDSA_SIG_free(sig); debug("%s: signature %s", __func__, ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error"); return ret; }
/* ARGSUSED */ int ssh_ecdsa_verify(const struct sshkey *key, const u_char *signature, size_t signaturelen, const u_char *data, size_t datalen, u_int compat) { ECDSA_SIG *sig = NULL; int hash_alg; u_char digest[SSH_DIGEST_MAX_LENGTH]; size_t dlen; int ret = SSH_ERR_INTERNAL_ERROR; struct sshbuf *b = NULL, *sigbuf = NULL; char *ktype = NULL; if (key == NULL || key->ecdsa == NULL || sshkey_type_plain(key->type) != KEY_ECDSA) return SSH_ERR_INVALID_ARGUMENT; if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 || (dlen = ssh_digest_bytes(hash_alg)) == 0) return SSH_ERR_INTERNAL_ERROR; /* fetch signature */ if ((b = sshbuf_from(signature, signaturelen)) == NULL) return SSH_ERR_ALLOC_FAIL; if (sshbuf_get_cstring(b, &ktype, NULL) != 0 || sshbuf_froms(b, &sigbuf) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) { ret = SSH_ERR_KEY_TYPE_MISMATCH; goto out; } if (sshbuf_len(b) != 0) { ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; } /* parse signature */ if ((sig = ECDSA_SIG_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; } if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 || sshbuf_get_bignum2(sigbuf, sig->s) != 0) { ret = SSH_ERR_INVALID_FORMAT; goto out; } if (sshbuf_len(sigbuf) != 0) { ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; } if ((ret = ssh_digest_memory(hash_alg, data, datalen, digest, sizeof(digest))) != 0) goto out; switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) { case 1: ret = 0; break; case 0: ret = SSH_ERR_SIGNATURE_INVALID; goto out; default: ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } out: explicit_bzero(digest, sizeof(digest)); if (sigbuf != NULL) sshbuf_free(sigbuf); if (b != NULL) sshbuf_free(b); if (sig != NULL) ECDSA_SIG_free(sig); free(ktype); return ret; }