summaryrefslogtreecommitdiffstats
path: root/regress/misc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 11:13:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 11:13:18 +0000
commit9e7e4ab6617fef1d1681fc2d3e02554264ccc954 (patch)
tree336445493163aa0370cb7830d97ebd8819b2e2c5 /regress/misc
parentInitial commit. (diff)
downloadopenssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.tar.xz
openssh-9e7e4ab6617fef1d1681fc2d3e02554264ccc954.zip
Adding upstream version 1:8.4p1.upstream/1%8.4p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'regress/misc')
-rw-r--r--regress/misc/Makefile3
-rw-r--r--regress/misc/fuzz-harness/Makefile38
-rw-r--r--regress/misc/fuzz-harness/README1
-rw-r--r--regress/misc/fuzz-harness/authopt_fuzz.cc33
-rw-r--r--regress/misc/fuzz-harness/privkey_fuzz.cc21
-rw-r--r--regress/misc/fuzz-harness/pubkey_fuzz.cc18
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc62
-rw-r--r--regress/misc/fuzz-harness/ssh-sk-null.cc51
-rw-r--r--regress/misc/fuzz-harness/sshsig_fuzz.cc37
-rw-r--r--regress/misc/fuzz-harness/sshsigopt_fuzz.cc29
-rw-r--r--regress/misc/kexfuzz/Makefile101
-rw-r--r--regress/misc/kexfuzz/README34
-rw-r--r--regress/misc/kexfuzz/kexfuzz.c453
-rw-r--r--regress/misc/sk-dummy/Makefile66
-rw-r--r--regress/misc/sk-dummy/fatal.c20
-rw-r--r--regress/misc/sk-dummy/sk-dummy.c532
16 files changed, 1499 insertions, 0 deletions
diff --git a/regress/misc/Makefile b/regress/misc/Makefile
new file mode 100644
index 0000000..cf95f26
--- /dev/null
+++ b/regress/misc/Makefile
@@ -0,0 +1,3 @@
+SUBDIR= kexfuzz sk-dummy
+
+.include <bsd.subdir.mk>
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
new file mode 100644
index 0000000..64fbdba
--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,38 @@
+# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
+CXX=clang++-6.0
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
+FUZZ_LIBS=-lFuzzer
+
+CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
+LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
+LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
+COMMON_OBJS=ssh-sk-null.o
+
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
+ sshsigopt_fuzz privkey_fuzz
+
+all: $(TARGETS)
+
+.cc.o:
+ $(CXX) $(CXXFLAGS) -c $< -o $@
+
+pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
+
+sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+
+sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+
+privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
+ $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
+
+clean:
+ -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README
new file mode 100644
index 0000000..ae6fbe7
--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
+This directory contains fuzzing harnesses for use with clang's libfuzzer.
diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc
new file mode 100644
index 0000000..a76d5a3
--- /dev/null
+++ b/regress/misc/fuzz-harness/authopt_fuzz.cc
@@ -0,0 +1,33 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern "C" {
+
+#include "auth-options.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ char *cp = (char *)malloc(size + 1);
+ struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new();
+
+ if (cp == NULL || add == NULL)
+ goto out;
+ memcpy(cp, data, size);
+ cp[size] = '\0';
+ if ((opts = sshauthopt_parse(cp, NULL)) == NULL)
+ goto out;
+ if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL)
+ goto out;
+
+ out:
+ free(cp);
+ sshauthopt_free(add);
+ sshauthopt_free(opts);
+ sshauthopt_free(merge);
+ return 0;
+}
+
+} // extern "C"
diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc
new file mode 100644
index 0000000..ff0b0f7
--- /dev/null
+++ b/regress/misc/fuzz-harness/privkey_fuzz.cc
@@ -0,0 +1,21 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+#include "sshbuf.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct sshkey *k = NULL;
+ struct sshbuf *b = sshbuf_from(data, size);
+ int r = sshkey_private_deserialize(b, &k);
+ if (r == 0) sshkey_free(k);
+ sshbuf_free(b);
+ return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc
new file mode 100644
index 0000000..8bbc110
--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct sshkey *k = NULL;
+ int r = sshkey_from_blob(data, size, &k);
+ if (r == 0) sshkey_free(k);
+ return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
new file mode 100644
index 0000000..b32502b
--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -0,0 +1,62 @@
+// cc_fuzz_target test for public key parsing.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+
+static struct sshkey *generate_or_die(int type, unsigned bits) {
+ int r;
+ struct sshkey *ret;
+ if ((r = sshkey_generate(type, bits, &ret)) != 0) {
+ fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
+ abort();
+ }
+ return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+#ifdef WITH_OPENSSL
+ static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
+ static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
+ static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+ static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+ static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+#endif
+ struct sshkey_sig_details *details = NULL;
+ static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
+ static const char *data = "If everyone started announcing his nose had "
+ "run away, I don’t know how it would all end";
+ static const size_t dlen = strlen(data);
+
+#ifdef WITH_OPENSSL
+ sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+ sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ details = NULL;
+#endif
+ sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
+ return 0;
+}
+
+} // extern
diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc
new file mode 100644
index 0000000..199af11
--- /dev/null
+++ b/regress/misc/fuzz-harness/ssh-sk-null.cc
@@ -0,0 +1,51 @@
+/* $OpenBSD$ */
+/*
+ * Copyright (c) 2019 Google LLC
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+extern "C" {
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include "ssherr.h"
+#include "ssh-sk.h"
+
+int
+sshsk_enroll(int type, const char *provider_path, const char *device,
+ const char *application, const char *userid, uint8_t flags,
+ const char *pin, struct sshbuf *challenge_buf,
+ struct sshkey **keyp, struct sshbuf *attest)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+int
+sshsk_sign(const char *provider_path, struct sshkey *key,
+ u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
+ u_int compat, const char *pin)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+int
+sshsk_load_resident(const char *provider_path, const char *device,
+ const char *pin, struct sshkey ***keysp, size_t *nkeysp)
+{
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+
+};
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
new file mode 100644
index 0000000..02211a0
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -0,0 +1,37 @@
+// cc_fuzz_target test for sshsig verification.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshsig.h"
+#include "log.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+ static const char *data = "If everyone started announcing his nose had "
+ "run away, I don’t know how it would all end";
+ struct sshbuf *signature = sshbuf_from(sig, slen);
+ struct sshbuf *message = sshbuf_from(data, strlen(data));
+ struct sshkey *k = NULL;
+ struct sshkey_sig_details *details = NULL;
+ extern char *__progname;
+
+ log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
+ sshsig_verifyb(signature, message, "castle", &k, &details);
+ sshkey_sig_details_free(details);
+ sshkey_free(k);
+ sshbuf_free(signature);
+ sshbuf_free(message);
+ return 0;
+}
+
+} // extern
diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
new file mode 100644
index 0000000..7424fcb
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
@@ -0,0 +1,29 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+
+extern "C" {
+
+#include "sshsig.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ char *cp = (char *)malloc(size + 1);
+ struct sshsigopt *opts = NULL;
+
+ if (cp == NULL)
+ goto out;
+ memcpy(cp, data, size);
+ cp[size] = '\0';
+ if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL)
+ goto out;
+
+ out:
+ free(cp);
+ sshsigopt_free(opts);
+ return 0;
+}
+
+} // extern "C"
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
new file mode 100644
index 0000000..ede5e2f
--- /dev/null
+++ b/regress/misc/kexfuzz/Makefile
@@ -0,0 +1,101 @@
+# $OpenBSD: Makefile,v 1.8 2020/04/03 04:07:48 djm Exp $
+
+.include <bsd.own.mk>
+.include <bsd.obj.mk>
+
+# XXX detect from ssh binary?
+SSH1?= no
+OPENSSL?= yes
+
+PROG= kexfuzz
+SRCS= kexfuzz.c
+
+SSHREL=../../../../../usr.bin/ssh
+.PATH: ${.CURDIR}/${SSHREL}
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
+SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c utf8.c
+SRCS+=sshbuf-io.c ssh-ecdsa-sk.c ssh-ed25519-sk.c msg.c ssh-sk-client.c
+
+SRCS+= kex.c
+SRCS+= dh.c
+SRCS+= kexdh.c
+SRCS+= kexecdh.c
+SRCS+= kexgex.c
+SRCS+= kexgexc.c
+SRCS+= kexgexs.c
+SRCS+= kexc25519.c
+SRCS+= smult_curve25519_ref.c
+SRCS+= kexgen.c
+SRCS+= kexsntrup4591761x25519.c
+SRCS+= sntrup4591761.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
+NOMAN= 1
+
+.if (${OPENSSL:L} == "yes")
+CFLAGS+= -DWITH_OPENSSL
+.else
+# SSH v.1 requires OpenSSL.
+SSH1= no
+.endif
+
+.if (${SSH1:L} == "yes")
+CFLAGS+= -DWITH_SSH1
+.endif
+
+LDADD+= -lfido2 -lcbor -lusbhid
+DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
+
+# enable warnings
+WARNINGS=Yes
+
+DEBUG=-g
+CFLAGS+= -fstack-protector-all
+CDIAGFLAGS= -Wall
+CDIAGFLAGS+= -Wextra
+CDIAGFLAGS+= -Werror
+CDIAGFLAGS+= -Wchar-subscripts
+CDIAGFLAGS+= -Wcomment
+CDIAGFLAGS+= -Wformat
+CDIAGFLAGS+= -Wformat-security
+CDIAGFLAGS+= -Wimplicit
+CDIAGFLAGS+= -Winline
+CDIAGFLAGS+= -Wmissing-declarations
+CDIAGFLAGS+= -Wmissing-prototypes
+CDIAGFLAGS+= -Wparentheses
+CDIAGFLAGS+= -Wpointer-arith
+CDIAGFLAGS+= -Wreturn-type
+CDIAGFLAGS+= -Wshadow
+CDIAGFLAGS+= -Wsign-compare
+CDIAGFLAGS+= -Wstrict-aliasing
+CDIAGFLAGS+= -Wstrict-prototypes
+CDIAGFLAGS+= -Wswitch
+CDIAGFLAGS+= -Wtrigraphs
+CDIAGFLAGS+= -Wuninitialized
+CDIAGFLAGS+= -Wunused
+CDIAGFLAGS+= -Wno-unused-parameter
+.if ${COMPILER_VERSION:L} != "gcc3"
+CDIAGFLAGS+= -Wold-style-definition
+.endif
+
+
+CFLAGS+=-I${.CURDIR}/${SSHREL}
+
+LDADD+= -lutil -lz
+DPADD+= ${LIBUTIL} ${LIBZ}
+
+.if (${OPENSSL:L} == "yes")
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+.endif
+
+.include <bsd.prog.mk>
+
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README
new file mode 100644
index 0000000..504c26f
--- /dev/null
+++ b/regress/misc/kexfuzz/README
@@ -0,0 +1,34 @@
+This is a harness to help with fuzzing KEX.
+
+To use it, you first set it to count packets in each direction:
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
+S2C: 29
+C2S: 31
+
+Then get it to record a particular packet (in this case the 4th
+packet from client->server):
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
+ -d -D C2S -i 3 -f packet_3
+
+Fuzz the packet somehow:
+
+dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example
+
+Then re-run the key exchange substituting the modified packet in
+its original sequence:
+
+./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
+ -r -D C2S -i 3 -f packet_3
+
+A comprehensive KEX fuzz run would fuzz every packet in both
+directions for each key exchange type and every hostkey type.
+This will take some time.
+
+Limitations: kexfuzz can't change the ordering of packets at
+present. It is limited to replacing individual packets with
+fuzzed variants with the same type. It really should allow
+insertion, deletion on replacement of packets too.
+
+$OpenBSD: README,v 1.3 2017/10/20 02:13:41 djm Exp $
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
new file mode 100644
index 0000000..56697c9
--- /dev/null
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -0,0 +1,453 @@
+/* $OpenBSD: kexfuzz.c,v 1.6 2020/01/26 00:09:50 djm Exp $ */
+/*
+ * Fuzz harness for KEX code
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#ifdef HAVE_ERR_H
+# include <err.h>
+#endif
+
+#include "ssherr.h"
+#include "ssh_api.h"
+#include "sshbuf.h"
+#include "packet.h"
+#include "myproposal.h"
+#include "authfile.h"
+#include "log.h"
+
+void kex_tests(void);
+static int do_debug = 0;
+
+enum direction { S2C, C2S };
+
+struct hook_ctx {
+ struct ssh *client, *server, *server2;
+ int *c2s, *s2c;
+ int trigger_direction, packet_index;
+ const char *dump_path;
+ struct sshbuf *replace_data;
+};
+
+static int
+packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx)
+{
+ struct hook_ctx *ctx = (struct hook_ctx *)_ctx;
+ int mydirection = ssh == ctx->client ? S2C : C2S;
+ int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s;
+ FILE *dumpfile;
+ int r;
+
+ if (do_debug) {
+ printf("%s packet %d type %u:\n",
+ mydirection == S2C ? "s2c" : "c2s",
+ *packet_count, *typep);
+ sshbuf_dump(packet, stdout);
+ }
+ if (mydirection == ctx->trigger_direction &&
+ ctx->packet_index == *packet_count) {
+ if (ctx->replace_data != NULL) {
+ sshbuf_reset(packet);
+ /* Type is first byte of packet */
+ if ((r = sshbuf_get_u8(ctx->replace_data,
+ typep)) != 0 ||
+ (r = sshbuf_putb(packet, ctx->replace_data)) != 0)
+ return r;
+ if (do_debug) {
+ printf("***** replaced packet type %u\n",
+ *typep);
+ sshbuf_dump(packet, stdout);
+ }
+ } else if (ctx->dump_path != NULL) {
+ if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL)
+ err(1, "fopen %s", ctx->dump_path);
+ /* Write { type, packet } */
+ if (fwrite(typep, 1, 1, dumpfile) != 1)
+ err(1, "fwrite type %s", ctx->dump_path);
+ if (sshbuf_len(packet) != 0 &&
+ fwrite(sshbuf_ptr(packet), sshbuf_len(packet),
+ 1, dumpfile) != 1)
+ err(1, "fwrite body %s", ctx->dump_path);
+ if (do_debug) {
+ printf("***** dumped packet type %u len %zu\n",
+ *typep, sshbuf_len(packet));
+ }
+ fclose(dumpfile);
+ /* No point in continuing */
+ exit(0);
+ }
+ }
+ (*packet_count)++;
+ return 0;
+}
+
+static int
+do_send_and_receive(struct ssh *from, struct ssh *to)
+{
+ u_char type;
+ size_t len;
+ const u_char *buf;
+ int r;
+
+ for (;;) {
+ if ((r = ssh_packet_next(from, &type)) != 0) {
+ fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r));
+ return r;
+ }
+
+ if (type != 0)
+ return 0;
+ buf = ssh_output_ptr(from, &len);
+ if (len == 0)
+ return 0;
+ if ((r = ssh_input_append(to, buf, len)) != 0) {
+ debug("ssh_input_append: %s", ssh_err(r));
+ return r;
+ }
+ if ((r = ssh_output_consume(from, len)) != 0) {
+ debug("ssh_output_consume: %s", ssh_err(r));
+ return r;
+ }
+ }
+}
+
+/* Minimal test_helper.c scaffholding to make this standalone */
+const char *in_test = NULL;
+#define TEST_START(a) \
+ do { \
+ in_test = (a); \
+ if (do_debug) \
+ fprintf(stderr, "test %s starting\n", in_test); \
+ } while (0)
+#define TEST_DONE() \
+ do { \
+ if (do_debug) \
+ fprintf(stderr, "test %s done\n", \
+ in_test ? in_test : "???"); \
+ in_test = NULL; \
+ } while(0)
+#define ASSERT_INT_EQ(a, b) \
+ do { \
+ if ((int)(a) != (int)(b)) { \
+ fprintf(stderr, "%s %s:%d " \
+ "%s (%d) != expected %s (%d)\n", \
+ in_test ? in_test : "(none)", \
+ __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
+ exit(2); \
+ } \
+ } while (0)
+#define ASSERT_INT_GE(a, b) \
+ do { \
+ if ((int)(a) < (int)(b)) { \
+ fprintf(stderr, "%s %s:%d " \
+ "%s (%d) < expected %s (%d)\n", \
+ in_test ? in_test : "(none)", \
+ __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
+ exit(2); \
+ } \
+ } while (0)
+#define ASSERT_PTR_NE(a, b) \
+ do { \
+ if ((a) == (b)) { \
+ fprintf(stderr, "%s %s:%d " \
+ "%s (%p) != expected %s (%p)\n", \
+ in_test ? in_test : "(none)", \
+ __func__, __LINE__, #a, (a), #b, (b)); \
+ exit(2); \
+ } \
+ } while (0)
+
+
+static void
+run_kex(struct ssh *client, struct ssh *server)
+{
+ int r = 0;
+
+ while (!server->kex->done || !client->kex->done) {
+ if ((r = do_send_and_receive(server, client)) != 0) {
+ debug("do_send_and_receive S2C: %s", ssh_err(r));
+ break;
+ }
+ if ((r = do_send_and_receive(client, server)) != 0) {
+ debug("do_send_and_receive C2S: %s", ssh_err(r));
+ break;
+ }
+ }
+ if (do_debug)
+ printf("done: %s\n", ssh_err(r));
+ ASSERT_INT_EQ(r, 0);
+ ASSERT_INT_EQ(server->kex->done, 1);
+ ASSERT_INT_EQ(client->kex->done, 1);
+}
+
+static void
+do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
+ int direction, int packet_index,
+ const char *dump_path, struct sshbuf *replace_data)
+{
+ struct ssh *client = NULL, *server = NULL, *server2 = NULL;
+ struct sshkey *pubkey = NULL;
+ struct sshbuf *state;
+ struct kex_params kex_params;
+ char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ char *keyname = NULL;
+ struct hook_ctx hook_ctx;
+
+ TEST_START("sshkey_from_private");
+ ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0);
+ TEST_DONE();
+
+ TEST_START("ssh_init");
+ memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
+ if (kex != NULL)
+ kex_params.proposal[PROPOSAL_KEX_ALGS] = strdup(kex);
+ keyname = strdup(sshkey_ssh_name(prvkey));
+ ASSERT_PTR_NE(keyname, NULL);
+ kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
+ ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
+ ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
+ ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0);
+ ASSERT_PTR_NE(client, NULL);
+ ASSERT_PTR_NE(server, NULL);
+ ASSERT_PTR_NE(server2, NULL);
+ TEST_DONE();
+
+ hook_ctx.c2s = c2s;
+ hook_ctx.s2c = s2c;
+ hook_ctx.trigger_direction = direction;
+ hook_ctx.packet_index = packet_index;
+ hook_ctx.dump_path = dump_path;
+ hook_ctx.replace_data = replace_data;
+ hook_ctx.client = client;
+ hook_ctx.server = server;
+ hook_ctx.server2 = server2;
+ ssh_packet_set_input_hook(client, packet_hook, &hook_ctx);
+ ssh_packet_set_input_hook(server, packet_hook, &hook_ctx);
+ ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx);
+
+ TEST_START("ssh_add_hostkey");
+ ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0);
+ ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0);
+ TEST_DONE();
+
+ TEST_START("kex");
+ run_kex(client, server);
+ TEST_DONE();
+
+ TEST_START("rekeying client");
+ ASSERT_INT_EQ(kex_send_kexinit(client), 0);
+ run_kex(client, server);
+ TEST_DONE();
+
+ TEST_START("rekeying server");
+ ASSERT_INT_EQ(kex_send_kexinit(server), 0);
+ run_kex(client, server);
+ TEST_DONE();
+
+ TEST_START("ssh_packet_get_state");
+ state = sshbuf_new();
+ ASSERT_PTR_NE(state, NULL);
+ ASSERT_INT_EQ(ssh_packet_get_state(server, state), 0);
+ ASSERT_INT_GE(sshbuf_len(state), 1);
+ TEST_DONE();
+
+ TEST_START("ssh_packet_set_state");
+ ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0);
+ kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */
+ ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0);
+ ASSERT_INT_EQ(sshbuf_len(state), 0);
+ sshbuf_free(state);
+ ASSERT_PTR_NE(server2->kex, NULL);
+ /* XXX we need to set the callbacks */
+#ifdef WITH_OPENSSL
+ server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server;
+ server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server;
+ server2->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server;
+ server2->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server;
+ server2->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server;
+ server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
+ server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+# ifdef OPENSSL_HAS_ECC
+ server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
+# endif
+#endif
+ server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
+ server2->kex->load_host_public_key = server->kex->load_host_public_key;
+ server2->kex->load_host_private_key = server->kex->load_host_private_key;
+ server2->kex->sign = server->kex->sign;
+ TEST_DONE();
+
+ TEST_START("rekeying server2");
+ ASSERT_INT_EQ(kex_send_kexinit(server2), 0);
+ run_kex(client, server2);
+ ASSERT_INT_EQ(kex_send_kexinit(client), 0);
+ run_kex(client, server2);
+ TEST_DONE();
+
+ TEST_START("cleanup");
+ sshkey_free(pubkey);
+ ssh_free(client);
+ ssh_free(server);
+ ssh_free(server2);
+ free(keyname);
+ TEST_DONE();
+}
+
+static void
+usage(void)
+{
+ fprintf(stderr,
+ "Usage: kexfuzz [-hcdrv] [-D direction] [-f data_file]\n"
+ " [-K kex_alg] [-k private_key] [-i packet_index]\n"
+ "\n"
+ "Options:\n"
+ " -h Display this help\n"
+ " -c Count packets sent during KEX\n"
+ " -d Dump mode: record KEX packet to data file\n"
+ " -r Replace mode: replace packet with data file\n"
+ " -v Turn on verbose logging\n"
+ " -D S2C|C2S Packet direction for replacement or dump\n"
+ " -f data_file Path to data file for replacement or dump\n"
+ " -K kex_alg Name of KEX algorithm to test (see below)\n"
+ " -k private_key Path to private key file\n"
+ " -i packet_index Index of packet to replace or dump (from 0)\n"
+ "\n"
+ "Available KEX algorithms: %s\n", kex_alg_list(' '));
+}
+
+static void
+badusage(const char *bad)
+{
+ fprintf(stderr, "Invalid options\n");
+ fprintf(stderr, "%s\n", bad);
+ usage();
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ int ch, fd, r;
+ int count_flag = 0, dump_flag = 0, replace_flag = 0;
+ int packet_index = -1, direction = -1;
+ int s2c = 0, c2s = 0; /* packet counts */
+ const char *kex = NULL, *kpath = NULL, *data_path = NULL;
+ struct sshkey *key = NULL;
+ struct sshbuf *replace_data = NULL;
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+ while ((ch = getopt(argc, argv, "hcdrvD:f:K:k:i:")) != -1) {
+ switch (ch) {
+ case 'h':
+ usage();
+ return 0;
+ case 'c':
+ count_flag = 1;
+ break;
+ case 'd':
+ dump_flag = 1;
+ break;
+ case 'r':
+ replace_flag = 1;
+ break;
+ case 'v':
+ do_debug = 1;
+ break;
+
+ case 'D':
+ if (strcasecmp(optarg, "s2c") == 0)
+ direction = S2C;
+ else if (strcasecmp(optarg, "c2s") == 0)
+ direction = C2S;
+ else
+ badusage("Invalid direction (-D)");
+ break;
+ case 'f':
+ data_path = optarg;
+ break;
+ case 'K':
+ kex = optarg;
+ break;
+ case 'k':
+ kpath = optarg;
+ break;
+ case 'i':
+ packet_index = atoi(optarg);
+ if (packet_index < 0)
+ badusage("Invalid packet index");
+ break;
+ default:
+ badusage("unsupported flag");
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO,
+ SYSLOG_FACILITY_USER, 1);
+
+ /* Must select a single mode */
+ if ((count_flag + dump_flag + replace_flag) != 1)
+ badusage("Must select one mode: -c, -d or -r");
+ /* KEX type is mandatory */
+ if (kex == NULL || !kex_names_valid(kex) || strchr(kex, ',') != NULL)
+ badusage("Missing or invalid kex type (-K flag)");
+ /* Valid key is mandatory */
+ if (kpath == NULL)
+ badusage("Missing private key (-k flag)");
+ if ((fd = open(kpath, O_RDONLY)) == -1)
+ err(1, "open %s", kpath);
+ if ((r = sshkey_load_private_type_fd(fd, KEY_UNSPEC, NULL,
+ &key, NULL)) != 0)
+ errx(1, "Unable to load key %s: %s", kpath, ssh_err(r));
+ close(fd);
+ /* XXX check that it is a private key */
+ /* XXX support certificates */
+ if (key == NULL || key->type == KEY_UNSPEC)
+ badusage("Invalid key file (-k flag)");
+
+ /* Replace (fuzz) mode */
+ if (replace_flag) {
+ if (packet_index == -1 || direction == -1 || data_path == NULL)
+ badusage("Replace (-r) mode must specify direction "
+ "(-D) packet index (-i) and data path (-f)");
+ if ((r = sshbuf_load_file(data_path, &replace_data)) != 0)
+ errx(1, "read %s: %s", data_path, ssh_err(r));
+ }
+
+ /* Dump mode */
+ if (dump_flag) {
+ if (packet_index == -1 || direction == -1 || data_path == NULL)
+ badusage("Dump (-d) mode must specify direction "
+ "(-D), packet index (-i) and data path (-f)");
+ }
+
+ /* Count mode needs no further flags */
+
+ do_kex_with_key(kex, key, &c2s, &s2c,
+ direction, packet_index,
+ dump_flag ? data_path : NULL,
+ replace_flag ? replace_data : NULL);
+ sshkey_free(key);
+ sshbuf_free(replace_data);
+
+ if (count_flag) {
+ printf("S2C: %d\n", s2c);
+ printf("C2S: %d\n", c2s);
+ }
+
+ return 0;
+}
diff --git a/regress/misc/sk-dummy/Makefile b/regress/misc/sk-dummy/Makefile
new file mode 100644
index 0000000..29e313c
--- /dev/null
+++ b/regress/misc/sk-dummy/Makefile
@@ -0,0 +1,66 @@
+# $OpenBSD: Makefile,v 1.2 2019/11/29 00:13:29 djm Exp $
+
+.include <bsd.own.mk>
+.include <bsd.obj.mk>
+
+PROG= sk-dummy.so
+NOMAN=
+
+SSHREL=../../../../../usr.bin/ssh
+.PATH: ${.CURDIR}/${SSHREL}
+
+SRCS=sk-dummy.c
+# From usr.bin/ssh
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+OPENSSL?= yes
+
+CFLAGS+= -fPIC
+
+.if (${OPENSSL:L} == "yes")
+CFLAGS+= -DWITH_OPENSSL
+.endif
+
+# enable warnings
+WARNINGS=Yes
+
+DEBUG=-g
+CFLAGS+= -fstack-protector-all
+CDIAGFLAGS= -Wall
+CDIAGFLAGS+= -Wextra
+CDIAGFLAGS+= -Werror
+CDIAGFLAGS+= -Wchar-subscripts
+CDIAGFLAGS+= -Wcomment
+CDIAGFLAGS+= -Wformat
+CDIAGFLAGS+= -Wformat-security
+CDIAGFLAGS+= -Wimplicit
+CDIAGFLAGS+= -Winline
+CDIAGFLAGS+= -Wmissing-declarations
+CDIAGFLAGS+= -Wmissing-prototypes
+CDIAGFLAGS+= -Wparentheses
+CDIAGFLAGS+= -Wpointer-arith
+CDIAGFLAGS+= -Wreturn-type
+CDIAGFLAGS+= -Wshadow
+CDIAGFLAGS+= -Wsign-compare
+CDIAGFLAGS+= -Wstrict-aliasing
+CDIAGFLAGS+= -Wstrict-prototypes
+CDIAGFLAGS+= -Wswitch
+CDIAGFLAGS+= -Wtrigraphs
+CDIAGFLAGS+= -Wuninitialized
+CDIAGFLAGS+= -Wunused
+CDIAGFLAGS+= -Wno-unused-parameter
+.if ${COMPILER_VERSION:L} != "gcc3"
+CDIAGFLAGS+= -Wold-style-definition
+.endif
+
+CFLAGS+=-I${.CURDIR}/${SSHREL}
+
+.if (${OPENSSL:L} == "yes")
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+.endif
+
+$(PROG): $(OBJS)
+ $(CC) $(LDFLAGS) -shared -o $@ $(OBJS) $(LDADD)
+
+.include <bsd.prog.mk>
+
diff --git a/regress/misc/sk-dummy/fatal.c b/regress/misc/sk-dummy/fatal.c
new file mode 100644
index 0000000..7cdc74b
--- /dev/null
+++ b/regress/misc/sk-dummy/fatal.c
@@ -0,0 +1,20 @@
+/* public domain */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <unistd.h>
+
+void fatal(char *fmt, ...);
+
+void
+fatal(char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputc('\n', stderr);
+ _exit(1);
+}
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
new file mode 100644
index 0000000..bf1feec
--- /dev/null
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -0,0 +1,532 @@
+/*
+ * Copyright (c) 2019 Markus Friedl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stddef.h>
+#include <stdarg.h>
+
+#include "crypto_api.h"
+#include "sk-api.h"
+
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/pem.h>
+
+/* #define SK_DEBUG 1 */
+
+/* Compatibility with OpenSSH 1.0.x */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define ECDSA_SIG_get0(sig, pr, ps) \
+ do { \
+ (*pr) = sig->r; \
+ (*ps) = sig->s; \
+ } while (0)
+#endif
+
+#if SSH_SK_VERSION_MAJOR != 0x00070000
+# error SK API has changed, sk-dummy.c needs an update
+#endif
+
+static void skdebug(const char *func, const char *fmt, ...)
+ __attribute__((__format__ (printf, 2, 3)));
+
+static void
+skdebug(const char *func, const char *fmt, ...)
+{
+#if defined(SK_DEBUG)
+ va_list ap;
+
+ va_start(ap, fmt);
+ fprintf(stderr, "sk-dummy %s: ", func);
+ vfprintf(stderr, fmt, ap);
+ fputc('\n', stderr);
+ va_end(ap);
+#else
+ (void)func; /* XXX */
+ (void)fmt; /* XXX */
+#endif
+}
+
+uint32_t
+sk_api_version(void)
+{
+ return SSH_SK_VERSION_MAJOR;
+}
+
+static int
+pack_key_ecdsa(struct sk_enroll_response *response)
+{
+#ifdef OPENSSL_HAS_ECC
+ EC_KEY *key = NULL;
+ const EC_GROUP *g;
+ const EC_POINT *q;
+ int ret = -1;
+ long privlen;
+ BIO *bio = NULL;
+ char *privptr;
+
+ response->public_key = NULL;
+ response->public_key_len = 0;
+ response->key_handle = NULL;
+ response->key_handle_len = 0;
+
+ if ((key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {
+ skdebug(__func__, "EC_KEY_new_by_curve_name");
+ goto out;
+ }
+ if (EC_KEY_generate_key(key) != 1) {
+ skdebug(__func__, "EC_KEY_generate_key");
+ goto out;
+ }
+ EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);
+ if ((bio = BIO_new(BIO_s_mem())) == NULL ||
+ (g = EC_KEY_get0_group(key)) == NULL ||
+ (q = EC_KEY_get0_public_key(key)) == NULL) {
+ skdebug(__func__, "couldn't get key parameters");
+ goto out;
+ }
+ response->public_key_len = EC_POINT_point2oct(g, q,
+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
+ if (response->public_key_len == 0 || response->public_key_len > 2048) {
+ skdebug(__func__, "bad pubkey length %zu",
+ response->public_key_len);
+ goto out;
+ }
+ if ((response->public_key = malloc(response->public_key_len)) == NULL) {
+ skdebug(__func__, "malloc pubkey failed");
+ goto out;
+ }
+ if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
+ response->public_key, response->public_key_len, NULL) == 0) {
+ skdebug(__func__, "EC_POINT_point2oct failed");
+ goto out;
+ }
+ /* Key handle contains PEM encoded private key */
+ if (!PEM_write_bio_ECPrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) {
+ skdebug(__func__, "PEM_write_bio_ECPrivateKey failed");
+ goto out;
+ }
+ if ((privlen = BIO_get_mem_data(bio, &privptr)) <= 0) {
+ skdebug(__func__, "BIO_get_mem_data failed");
+ goto out;
+ }
+ if ((response->key_handle = malloc(privlen)) == NULL) {
+ skdebug(__func__, "malloc key_handle failed");
+ goto out;
+ }
+ response->key_handle_len = (size_t)privlen;
+ memcpy(response->key_handle, privptr, response->key_handle_len);
+ /* success */
+ ret = 0;
+ out:
+ if (ret != 0) {
+ if (response->public_key != NULL) {
+ memset(response->public_key, 0,
+ response->public_key_len);
+ free(response->public_key);
+ response->public_key = NULL;
+ }
+ if (response->key_handle != NULL) {
+ memset(response->key_handle, 0,
+ response->key_handle_len);
+ free(response->key_handle);
+ response->key_handle = NULL;
+ }
+ }
+ BIO_free(bio);
+ EC_KEY_free(key);
+ return ret;
+#else
+ return -1;
+#endif
+}
+
+static int
+pack_key_ed25519(struct sk_enroll_response *response)
+{
+ int ret = -1;
+ u_char pk[crypto_sign_ed25519_PUBLICKEYBYTES];
+ u_char sk[crypto_sign_ed25519_SECRETKEYBYTES];
+
+ response->public_key = NULL;
+ response->public_key_len = 0;
+ response->key_handle = NULL;
+ response->key_handle_len = 0;
+
+ memset(pk, 0, sizeof(pk));
+ memset(sk, 0, sizeof(sk));
+ crypto_sign_ed25519_keypair(pk, sk);
+
+ response->public_key_len = sizeof(pk);
+ if ((response->public_key = malloc(response->public_key_len)) == NULL) {
+ skdebug(__func__, "malloc pubkey failed");
+ goto out;
+ }
+ memcpy(response->public_key, pk, sizeof(pk));
+ /* Key handle contains sk */
+ response->key_handle_len = sizeof(sk);
+ if ((response->key_handle = malloc(response->key_handle_len)) == NULL) {
+ skdebug(__func__, "malloc key_handle failed");
+ goto out;
+ }
+ memcpy(response->key_handle, sk, sizeof(sk));
+ /* success */
+ ret = 0;
+ out:
+ if (ret != 0)
+ free(response->public_key);
+ return ret;
+}
+
+static int
+check_options(struct sk_option **options)
+{
+ size_t i;
+
+ if (options == NULL)
+ return 0;
+ for (i = 0; options[i] != NULL; i++) {
+ skdebug(__func__, "requested unsupported option %s",
+ options[i]->name);
+ if (options[i]->required) {
+ skdebug(__func__, "unknown required option");
+ return -1;
+ }
+ }
+ return 0;
+}
+
+int
+sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
+ const char *application, uint8_t flags, const char *pin,
+ struct sk_option **options, struct sk_enroll_response **enroll_response)
+{
+ struct sk_enroll_response *response = NULL;
+ int ret = SSH_SK_ERR_GENERAL;
+
+ (void)flags; /* XXX; unused */
+
+ if (enroll_response == NULL) {
+ skdebug(__func__, "enroll_response == NULL");
+ goto out;
+ }
+ *enroll_response = NULL;
+ if (check_options(options) != 0)
+ goto out; /* error already logged */
+ if ((response = calloc(1, sizeof(*response))) == NULL) {
+ skdebug(__func__, "calloc response failed");
+ goto out;
+ }
+ switch(alg) {
+ case SSH_SK_ECDSA:
+ if (pack_key_ecdsa(response) != 0)
+ goto out;
+ break;
+ case SSH_SK_ED25519:
+ if (pack_key_ed25519(response) != 0)
+ goto out;
+ break;
+ default:
+ skdebug(__func__, "unsupported key type %d", alg);
+ return -1;
+ }
+ /* Have to return something here */
+ if ((response->signature = calloc(1, 1)) == NULL) {
+ skdebug(__func__, "calloc signature failed");
+ goto out;
+ }
+ response->signature_len = 0;
+
+ *enroll_response = response;
+ response = NULL;
+ ret = 0;
+ out:
+ if (response != NULL) {
+ free(response->public_key);
+ free(response->key_handle);
+ free(response->signature);
+ free(response->attestation_cert);
+ free(response);
+ }
+ return ret;
+}
+
+static void
+dump(const char *preamble, const void *sv, size_t l)
+{
+#ifdef SK_DEBUG
+ const u_char *s = (const u_char *)sv;
+ size_t i;
+
+ fprintf(stderr, "%s (len %zu):\n", preamble, l);
+ for (i = 0; i < l; i++) {
+ if (i % 16 == 0)
+ fprintf(stderr, "%04zu: ", i);
+ fprintf(stderr, "%02x", s[i]);
+ if (i % 16 == 15 || i == l - 1)
+ fprintf(stderr, "\n");
+ }
+#endif
+}
+
+static int
+sig_ecdsa(const uint8_t *message, size_t message_len,
+ const char *application, uint32_t counter, uint8_t flags,
+ const uint8_t *key_handle, size_t key_handle_len,
+ struct sk_sign_response *response)
+{
+#ifdef OPENSSL_HAS_ECC
+ ECDSA_SIG *sig = NULL;
+ const BIGNUM *sig_r, *sig_s;
+ int ret = -1;
+ BIO *bio = NULL;
+ EVP_PKEY *pk = NULL;
+ EC_KEY *ec = NULL;
+ SHA256_CTX ctx;
+ uint8_t apphash[SHA256_DIGEST_LENGTH];
+ uint8_t sighash[SHA256_DIGEST_LENGTH];
+ uint8_t countbuf[4];
+
+ /* Decode EC_KEY from key handle */
+ if ((bio = BIO_new(BIO_s_mem())) == NULL ||
+ BIO_write(bio, key_handle, key_handle_len) != (int)key_handle_len) {
+ skdebug(__func__, "BIO setup failed");
+ goto out;
+ }
+ if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, "")) == NULL) {
+ skdebug(__func__, "PEM_read_bio_PrivateKey failed");
+ goto out;
+ }
+ if (EVP_PKEY_base_id(pk) != EVP_PKEY_EC) {
+ skdebug(__func__, "Not an EC key: %d", EVP_PKEY_base_id(pk));
+ goto out;
+ }
+ if ((ec = EVP_PKEY_get1_EC_KEY(pk)) == NULL) {
+ skdebug(__func__, "EVP_PKEY_get1_EC_KEY failed");
+ goto out;
+ }
+ /* Expect message to be pre-hashed */
+ if (message_len != SHA256_DIGEST_LENGTH) {
+ skdebug(__func__, "bad message len %zu", message_len);
+ goto out;
+ }
+ /* Prepare data to be signed */
+ dump("message", message, message_len);
+ SHA256_Init(&ctx);
+ SHA256_Update(&ctx, application, strlen(application));
+ SHA256_Final(apphash, &ctx);
+ dump("apphash", apphash, sizeof(apphash));
+ countbuf[0] = (counter >> 24) & 0xff;
+ countbuf[1] = (counter >> 16) & 0xff;
+ countbuf[2] = (counter >> 8) & 0xff;
+ countbuf[3] = counter & 0xff;
+ dump("countbuf", countbuf, sizeof(countbuf));
+ dump("flags", &flags, sizeof(flags));
+ SHA256_Init(&ctx);
+ SHA256_Update(&ctx, apphash, sizeof(apphash));
+ SHA256_Update(&ctx, &flags, sizeof(flags));
+ SHA256_Update(&ctx, countbuf, sizeof(countbuf));
+ SHA256_Update(&ctx, message, message_len);
+ SHA256_Final(sighash, &ctx);
+ dump("sighash", sighash, sizeof(sighash));
+ /* create and encode signature */
+ if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) {
+ skdebug(__func__, "ECDSA_do_sign failed");
+ goto out;
+ }
+ ECDSA_SIG_get0(sig, &sig_r, &sig_s);
+ response->sig_r_len = BN_num_bytes(sig_r);
+ response->sig_s_len = BN_num_bytes(sig_s);
+ if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
+ (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
+ skdebug(__func__, "calloc signature failed");
+ goto out;
+ }
+ BN_bn2bin(sig_r, response->sig_r);
+ BN_bn2bin(sig_s, response->sig_s);
+ ret = 0;
+ out:
+ explicit_bzero(&ctx, sizeof(ctx));
+ explicit_bzero(&apphash, sizeof(apphash));
+ explicit_bzero(&sighash, sizeof(sighash));
+ ECDSA_SIG_free(sig);
+ if (ret != 0) {
+ free(response->sig_r);
+ free(response->sig_s);
+ response->sig_r = NULL;
+ response->sig_s = NULL;
+ }
+ BIO_free(bio);
+ EC_KEY_free(ec);
+ EVP_PKEY_free(pk);
+ return ret;
+#else
+ return -1;
+#endif
+}
+
+static int
+sig_ed25519(const uint8_t *message, size_t message_len,
+ const char *application, uint32_t counter, uint8_t flags,
+ const uint8_t *key_handle, size_t key_handle_len,
+ struct sk_sign_response *response)
+{
+ size_t o;
+ int ret = -1;
+ SHA256_CTX ctx;
+ uint8_t apphash[SHA256_DIGEST_LENGTH];
+ uint8_t signbuf[sizeof(apphash) + sizeof(flags) +
+ sizeof(counter) + SHA256_DIGEST_LENGTH];
+ uint8_t sig[crypto_sign_ed25519_BYTES + sizeof(signbuf)];
+ unsigned long long smlen;
+
+ if (key_handle_len != crypto_sign_ed25519_SECRETKEYBYTES) {
+ skdebug(__func__, "bad key handle length %zu", key_handle_len);
+ goto out;
+ }
+ /* Expect message to be pre-hashed */
+ if (message_len != SHA256_DIGEST_LENGTH) {
+ skdebug(__func__, "bad message len %zu", message_len);
+ goto out;
+ }
+ /* Prepare data to be signed */
+ dump("message", message, message_len);
+ SHA256_Init(&ctx);
+ SHA256_Update(&ctx, application, strlen(application));
+ SHA256_Final(apphash, &ctx);
+ dump("apphash", apphash, sizeof(apphash));
+
+ memcpy(signbuf, apphash, sizeof(apphash));
+ o = sizeof(apphash);
+ signbuf[o++] = flags;
+ signbuf[o++] = (counter >> 24) & 0xff;
+ signbuf[o++] = (counter >> 16) & 0xff;
+ signbuf[o++] = (counter >> 8) & 0xff;
+ signbuf[o++] = counter & 0xff;
+ memcpy(signbuf + o, message, message_len);
+ o += message_len;
+ if (o != sizeof(signbuf)) {
+ skdebug(__func__, "bad sign buf len %zu, expected %zu",
+ o, sizeof(signbuf));
+ goto out;
+ }
+ dump("signbuf", signbuf, sizeof(signbuf));
+ /* create and encode signature */
+ smlen = sizeof(signbuf);
+ if (crypto_sign_ed25519(sig, &smlen, signbuf, sizeof(signbuf),
+ key_handle) != 0) {
+ skdebug(__func__, "crypto_sign_ed25519 failed");
+ goto out;
+ }
+ if (smlen <= sizeof(signbuf)) {
+ skdebug(__func__, "bad sign smlen %llu, expected min %zu",
+ smlen, sizeof(signbuf) + 1);
+ goto out;
+ }
+ response->sig_r_len = (size_t)(smlen - sizeof(signbuf));
+ if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
+ skdebug(__func__, "calloc signature failed");
+ goto out;
+ }
+ memcpy(response->sig_r, sig, response->sig_r_len);
+ dump("sig_r", response->sig_r, response->sig_r_len);
+ ret = 0;
+ out:
+ explicit_bzero(&ctx, sizeof(ctx));
+ explicit_bzero(&apphash, sizeof(apphash));
+ explicit_bzero(&signbuf, sizeof(signbuf));
+ explicit_bzero(&sig, sizeof(sig));
+ if (ret != 0) {
+ free(response->sig_r);
+ response->sig_r = NULL;
+ }
+ return ret;
+}
+
+int
+sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
+ const char *application, const uint8_t *key_handle, size_t key_handle_len,
+ uint8_t flags, const char *pin, struct sk_option **options,
+ struct sk_sign_response **sign_response)
+{
+ struct sk_sign_response *response = NULL;
+ int ret = SSH_SK_ERR_GENERAL;
+ SHA256_CTX ctx;
+ uint8_t message[32];
+
+ if (sign_response == NULL) {
+ skdebug(__func__, "sign_response == NULL");
+ goto out;
+ }
+ *sign_response = NULL;
+ if (check_options(options) != 0)
+ goto out; /* error already logged */
+ if ((response = calloc(1, sizeof(*response))) == NULL) {
+ skdebug(__func__, "calloc response failed");
+ goto out;
+ }
+ SHA256_Init(&ctx);
+ SHA256_Update(&ctx, data, datalen);
+ SHA256_Final(message, &ctx);
+ response->flags = flags;
+ response->counter = 0x12345678;
+ switch(alg) {
+ case SSH_SK_ECDSA:
+ if (sig_ecdsa(message, sizeof(message), application,
+ response->counter, flags, key_handle, key_handle_len,
+ response) != 0)
+ goto out;
+ break;
+ case SSH_SK_ED25519:
+ if (sig_ed25519(message, sizeof(message), application,
+ response->counter, flags, key_handle, key_handle_len,
+ response) != 0)
+ goto out;
+ break;
+ default:
+ skdebug(__func__, "unsupported key type %d", alg);
+ return -1;
+ }
+ *sign_response = response;
+ response = NULL;
+ ret = 0;
+ out:
+ explicit_bzero(message, sizeof(message));
+ if (response != NULL) {
+ free(response->sig_r);
+ free(response->sig_s);
+ free(response);
+ }
+ return ret;
+}
+
+int
+sk_load_resident_keys(const char *pin, struct sk_option **options,
+ struct sk_resident_key ***rks, size_t *nrks)
+{
+ return SSH_SK_ERR_UNSUPPORTED;
+}