diff options
Diffstat (limited to 'regress/misc')
-rw-r--r-- | regress/misc/Makefile | 3 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/Makefile | 38 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/README | 1 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/authopt_fuzz.cc | 33 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/privkey_fuzz.cc | 21 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/pubkey_fuzz.cc | 18 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sig_fuzz.cc | 62 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/ssh-sk-null.cc | 51 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sshsig_fuzz.cc | 37 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sshsigopt_fuzz.cc | 29 | ||||
-rw-r--r-- | regress/misc/kexfuzz/Makefile | 101 | ||||
-rw-r--r-- | regress/misc/kexfuzz/README | 34 | ||||
-rw-r--r-- | regress/misc/kexfuzz/kexfuzz.c | 453 | ||||
-rw-r--r-- | regress/misc/sk-dummy/Makefile | 66 | ||||
-rw-r--r-- | regress/misc/sk-dummy/fatal.c | 20 | ||||
-rw-r--r-- | regress/misc/sk-dummy/sk-dummy.c | 532 |
16 files changed, 1499 insertions, 0 deletions
diff --git a/regress/misc/Makefile b/regress/misc/Makefile new file mode 100644 index 0000000..cf95f26 --- /dev/null +++ b/regress/misc/Makefile @@ -0,0 +1,3 @@ +SUBDIR= kexfuzz sk-dummy + +.include <bsd.subdir.mk> diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile new file mode 100644 index 0000000..64fbdba --- /dev/null +++ b/regress/misc/fuzz-harness/Makefile @@ -0,0 +1,38 @@ +# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. +CXX=clang++-6.0 +FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc +FUZZ_LIBS=-lFuzzer + +CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS) +LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) +LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS) +COMMON_OBJS=ssh-sk-null.o + +TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \ + sshsigopt_fuzz privkey_fuzz + +all: $(TARGETS) + +.cc.o: + $(CXX) $(CXXFLAGS) -c $< -o $@ + +pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +sig_fuzz: sig_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS) + +sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS) + +sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS) + +privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS) + $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS) + +clean: + -rm -f *.o $(TARGETS) diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README new file mode 100644 index 0000000..ae6fbe7 --- /dev/null +++ b/regress/misc/fuzz-harness/README @@ -0,0 +1 @@ +This directory contains fuzzing harnesses for use with clang's libfuzzer. diff --git a/regress/misc/fuzz-harness/authopt_fuzz.cc b/regress/misc/fuzz-harness/authopt_fuzz.cc new file mode 100644 index 0000000..a76d5a3 --- /dev/null +++ b/regress/misc/fuzz-harness/authopt_fuzz.cc @@ -0,0 +1,33 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <stdlib.h> + +extern "C" { + +#include "auth-options.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshauthopt *opts = NULL, *merge = NULL, *add = sshauthopt_new(); + + if (cp == NULL || add == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshauthopt_parse(cp, NULL)) == NULL) + goto out; + if ((merge = sshauthopt_merge(opts, add, NULL)) == NULL) + goto out; + + out: + free(cp); + sshauthopt_free(add); + sshauthopt_free(opts); + sshauthopt_free(merge); + return 0; +} + +} // extern "C" diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc new file mode 100644 index 0000000..ff0b0f7 --- /dev/null +++ b/regress/misc/fuzz-harness/privkey_fuzz.cc @@ -0,0 +1,21 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> + +extern "C" { + +#include "sshkey.h" +#include "sshbuf.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + struct sshkey *k = NULL; + struct sshbuf *b = sshbuf_from(data, size); + int r = sshkey_private_deserialize(b, &k); + if (r == 0) sshkey_free(k); + sshbuf_free(b); + return 0; +} + +} // extern + diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc new file mode 100644 index 0000000..8bbc110 --- /dev/null +++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc @@ -0,0 +1,18 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> + +extern "C" { + +#include "sshkey.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + struct sshkey *k = NULL; + int r = sshkey_from_blob(data, size, &k); + if (r == 0) sshkey_free(k); + return 0; +} + +} // extern + diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc new file mode 100644 index 0000000..b32502b --- /dev/null +++ b/regress/misc/fuzz-harness/sig_fuzz.cc @@ -0,0 +1,62 @@ +// cc_fuzz_target test for public key parsing. + +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" + +static struct sshkey *generate_or_die(int type, unsigned bits) { + int r; + struct sshkey *ret; + if ((r = sshkey_generate(type, bits, &ret)) != 0) { + fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r)); + abort(); + } + return ret; +} + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ +#ifdef WITH_OPENSSL + static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048); + static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024); + static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256); + static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); + static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); +#endif + struct sshkey_sig_details *details = NULL; + static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0); + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + static const size_t dlen = strlen(data); + +#ifdef WITH_OPENSSL + sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; + sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + details = NULL; +#endif + sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); + sshkey_sig_details_free(details); + return 0; +} + +} // extern diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc new file mode 100644 index 0000000..199af11 --- /dev/null +++ b/regress/misc/fuzz-harness/ssh-sk-null.cc @@ -0,0 +1,51 @@ +/* $OpenBSD$ */ +/* + * Copyright (c) 2019 Google LLC + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +extern "C" { + +#include "includes.h" + +#include <sys/types.h> + +#include "ssherr.h" +#include "ssh-sk.h" + +int +sshsk_enroll(int type, const char *provider_path, const char *device, + const char *application, const char *userid, uint8_t flags, + const char *pin, struct sshbuf *challenge_buf, + struct sshkey **keyp, struct sshbuf *attest) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +int +sshsk_sign(const char *provider_path, struct sshkey *key, + u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, + u_int compat, const char *pin) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +int +sshsk_load_resident(const char *provider_path, const char *device, + const char *pin, struct sshkey ***keysp, size_t *nkeysp) +{ + return SSH_ERR_FEATURE_UNSUPPORTED; +} + +}; diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc new file mode 100644 index 0000000..02211a0 --- /dev/null +++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc @@ -0,0 +1,37 @@ +// cc_fuzz_target test for sshsig verification. + +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <stdlib.h> +#include <string.h> + +extern "C" { + +#include "includes.h" +#include "sshkey.h" +#include "ssherr.h" +#include "sshbuf.h" +#include "sshsig.h" +#include "log.h" + +int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) +{ + static const char *data = "If everyone started announcing his nose had " + "run away, I don’t know how it would all end"; + struct sshbuf *signature = sshbuf_from(sig, slen); + struct sshbuf *message = sshbuf_from(data, strlen(data)); + struct sshkey *k = NULL; + struct sshkey_sig_details *details = NULL; + extern char *__progname; + + log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1); + sshsig_verifyb(signature, message, "castle", &k, &details); + sshkey_sig_details_free(details); + sshkey_free(k); + sshbuf_free(signature); + sshbuf_free(message); + return 0; +} + +} // extern diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc new file mode 100644 index 0000000..7424fcb --- /dev/null +++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc @@ -0,0 +1,29 @@ +#include <stddef.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <stdlib.h> + +extern "C" { + +#include "sshsig.h" + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + char *cp = (char *)malloc(size + 1); + struct sshsigopt *opts = NULL; + + if (cp == NULL) + goto out; + memcpy(cp, data, size); + cp[size] = '\0'; + if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL) + goto out; + + out: + free(cp); + sshsigopt_free(opts); + return 0; +} + +} // extern "C" diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile new file mode 100644 index 0000000..ede5e2f --- /dev/null +++ b/regress/misc/kexfuzz/Makefile @@ -0,0 +1,101 @@ +# $OpenBSD: Makefile,v 1.8 2020/04/03 04:07:48 djm Exp $ + +.include <bsd.own.mk> +.include <bsd.obj.mk> + +# XXX detect from ssh binary? +SSH1?= no +OPENSSL?= yes + +PROG= kexfuzz +SRCS= kexfuzz.c + +SSHREL=../../../../../usr.bin/ssh +.PATH: ${.CURDIR}/${SSHREL} +# From usr.bin/ssh +SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c +SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c +SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c +SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c +SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c +SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c +SRCS+=cipher-chachapoly.c chacha.c poly1305.c utf8.c +SRCS+=sshbuf-io.c ssh-ecdsa-sk.c ssh-ed25519-sk.c msg.c ssh-sk-client.c + +SRCS+= kex.c +SRCS+= dh.c +SRCS+= kexdh.c +SRCS+= kexecdh.c +SRCS+= kexgex.c +SRCS+= kexgexc.c +SRCS+= kexgexs.c +SRCS+= kexc25519.c +SRCS+= smult_curve25519_ref.c +SRCS+= kexgen.c +SRCS+= kexsntrup4591761x25519.c +SRCS+= sntrup4591761.c + +SRCS+=digest-openssl.c +#SRCS+=digest-libc.c + +NOMAN= 1 + +.if (${OPENSSL:L} == "yes") +CFLAGS+= -DWITH_OPENSSL +.else +# SSH v.1 requires OpenSSL. +SSH1= no +.endif + +.if (${SSH1:L} == "yes") +CFLAGS+= -DWITH_SSH1 +.endif + +LDADD+= -lfido2 -lcbor -lusbhid +DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID} + +# enable warnings +WARNINGS=Yes + +DEBUG=-g +CFLAGS+= -fstack-protector-all +CDIAGFLAGS= -Wall +CDIAGFLAGS+= -Wextra +CDIAGFLAGS+= -Werror +CDIAGFLAGS+= -Wchar-subscripts +CDIAGFLAGS+= -Wcomment +CDIAGFLAGS+= -Wformat +CDIAGFLAGS+= -Wformat-security +CDIAGFLAGS+= -Wimplicit +CDIAGFLAGS+= -Winline +CDIAGFLAGS+= -Wmissing-declarations +CDIAGFLAGS+= -Wmissing-prototypes +CDIAGFLAGS+= -Wparentheses +CDIAGFLAGS+= -Wpointer-arith +CDIAGFLAGS+= -Wreturn-type +CDIAGFLAGS+= -Wshadow +CDIAGFLAGS+= -Wsign-compare +CDIAGFLAGS+= -Wstrict-aliasing +CDIAGFLAGS+= -Wstrict-prototypes +CDIAGFLAGS+= -Wswitch +CDIAGFLAGS+= -Wtrigraphs +CDIAGFLAGS+= -Wuninitialized +CDIAGFLAGS+= -Wunused +CDIAGFLAGS+= -Wno-unused-parameter +.if ${COMPILER_VERSION:L} != "gcc3" +CDIAGFLAGS+= -Wold-style-definition +.endif + + +CFLAGS+=-I${.CURDIR}/${SSHREL} + +LDADD+= -lutil -lz +DPADD+= ${LIBUTIL} ${LIBZ} + +.if (${OPENSSL:L} == "yes") +LDADD+= -lcrypto +DPADD+= ${LIBCRYPTO} +.endif + +.include <bsd.prog.mk> + diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README new file mode 100644 index 0000000..504c26f --- /dev/null +++ b/regress/misc/kexfuzz/README @@ -0,0 +1,34 @@ +This is a harness to help with fuzzing KEX. + +To use it, you first set it to count packets in each direction: + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c +S2C: 29 +C2S: 31 + +Then get it to record a particular packet (in this case the 4th +packet from client->server): + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ + -d -D C2S -i 3 -f packet_3 + +Fuzz the packet somehow: + +dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example + +Then re-run the key exchange substituting the modified packet in +its original sequence: + +./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \ + -r -D C2S -i 3 -f packet_3 + +A comprehensive KEX fuzz run would fuzz every packet in both +directions for each key exchange type and every hostkey type. +This will take some time. + +Limitations: kexfuzz can't change the ordering of packets at +present. It is limited to replacing individual packets with +fuzzed variants with the same type. It really should allow +insertion, deletion on replacement of packets too. + +$OpenBSD: README,v 1.3 2017/10/20 02:13:41 djm Exp $ diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c new file mode 100644 index 0000000..56697c9 --- /dev/null +++ b/regress/misc/kexfuzz/kexfuzz.c @@ -0,0 +1,453 @@ +/* $OpenBSD: kexfuzz.c,v 1.6 2020/01/26 00:09:50 djm Exp $ */ +/* + * Fuzz harness for KEX code + * + * Placed in the public domain + */ + +#include "includes.h" + +#include <sys/types.h> +#include <sys/param.h> +#include <stdio.h> +#ifdef HAVE_STDINT_H +# include <stdint.h> +#endif +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <fcntl.h> +#ifdef HAVE_ERR_H +# include <err.h> +#endif + +#include "ssherr.h" +#include "ssh_api.h" +#include "sshbuf.h" +#include "packet.h" +#include "myproposal.h" +#include "authfile.h" +#include "log.h" + +void kex_tests(void); +static int do_debug = 0; + +enum direction { S2C, C2S }; + +struct hook_ctx { + struct ssh *client, *server, *server2; + int *c2s, *s2c; + int trigger_direction, packet_index; + const char *dump_path; + struct sshbuf *replace_data; +}; + +static int +packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx) +{ + struct hook_ctx *ctx = (struct hook_ctx *)_ctx; + int mydirection = ssh == ctx->client ? S2C : C2S; + int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s; + FILE *dumpfile; + int r; + + if (do_debug) { + printf("%s packet %d type %u:\n", + mydirection == S2C ? "s2c" : "c2s", + *packet_count, *typep); + sshbuf_dump(packet, stdout); + } + if (mydirection == ctx->trigger_direction && + ctx->packet_index == *packet_count) { + if (ctx->replace_data != NULL) { + sshbuf_reset(packet); + /* Type is first byte of packet */ + if ((r = sshbuf_get_u8(ctx->replace_data, + typep)) != 0 || + (r = sshbuf_putb(packet, ctx->replace_data)) != 0) + return r; + if (do_debug) { + printf("***** replaced packet type %u\n", + *typep); + sshbuf_dump(packet, stdout); + } + } else if (ctx->dump_path != NULL) { + if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL) + err(1, "fopen %s", ctx->dump_path); + /* Write { type, packet } */ + if (fwrite(typep, 1, 1, dumpfile) != 1) + err(1, "fwrite type %s", ctx->dump_path); + if (sshbuf_len(packet) != 0 && + fwrite(sshbuf_ptr(packet), sshbuf_len(packet), + 1, dumpfile) != 1) + err(1, "fwrite body %s", ctx->dump_path); + if (do_debug) { + printf("***** dumped packet type %u len %zu\n", + *typep, sshbuf_len(packet)); + } + fclose(dumpfile); + /* No point in continuing */ + exit(0); + } + } + (*packet_count)++; + return 0; +} + +static int +do_send_and_receive(struct ssh *from, struct ssh *to) +{ + u_char type; + size_t len; + const u_char *buf; + int r; + + for (;;) { + if ((r = ssh_packet_next(from, &type)) != 0) { + fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r)); + return r; + } + + if (type != 0) + return 0; + buf = ssh_output_ptr(from, &len); + if (len == 0) + return 0; + if ((r = ssh_input_append(to, buf, len)) != 0) { + debug("ssh_input_append: %s", ssh_err(r)); + return r; + } + if ((r = ssh_output_consume(from, len)) != 0) { + debug("ssh_output_consume: %s", ssh_err(r)); + return r; + } + } +} + +/* Minimal test_helper.c scaffholding to make this standalone */ +const char *in_test = NULL; +#define TEST_START(a) \ + do { \ + in_test = (a); \ + if (do_debug) \ + fprintf(stderr, "test %s starting\n", in_test); \ + } while (0) +#define TEST_DONE() \ + do { \ + if (do_debug) \ + fprintf(stderr, "test %s done\n", \ + in_test ? in_test : "???"); \ + in_test = NULL; \ + } while(0) +#define ASSERT_INT_EQ(a, b) \ + do { \ + if ((int)(a) != (int)(b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%d) != expected %s (%d)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \ + exit(2); \ + } \ + } while (0) +#define ASSERT_INT_GE(a, b) \ + do { \ + if ((int)(a) < (int)(b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%d) < expected %s (%d)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \ + exit(2); \ + } \ + } while (0) +#define ASSERT_PTR_NE(a, b) \ + do { \ + if ((a) == (b)) { \ + fprintf(stderr, "%s %s:%d " \ + "%s (%p) != expected %s (%p)\n", \ + in_test ? in_test : "(none)", \ + __func__, __LINE__, #a, (a), #b, (b)); \ + exit(2); \ + } \ + } while (0) + + +static void +run_kex(struct ssh *client, struct ssh *server) +{ + int r = 0; + + while (!server->kex->done || !client->kex->done) { + if ((r = do_send_and_receive(server, client)) != 0) { + debug("do_send_and_receive S2C: %s", ssh_err(r)); + break; + } + if ((r = do_send_and_receive(client, server)) != 0) { + debug("do_send_and_receive C2S: %s", ssh_err(r)); + break; + } + } + if (do_debug) + printf("done: %s\n", ssh_err(r)); + ASSERT_INT_EQ(r, 0); + ASSERT_INT_EQ(server->kex->done, 1); + ASSERT_INT_EQ(client->kex->done, 1); +} + +static void +do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, + int direction, int packet_index, + const char *dump_path, struct sshbuf *replace_data) +{ + struct ssh *client = NULL, *server = NULL, *server2 = NULL; + struct sshkey *pubkey = NULL; + struct sshbuf *state; + struct kex_params kex_params; + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *keyname = NULL; + struct hook_ctx hook_ctx; + + TEST_START("sshkey_from_private"); + ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0); + TEST_DONE(); + + TEST_START("ssh_init"); + memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); + if (kex != NULL) + kex_params.proposal[PROPOSAL_KEX_ALGS] = strdup(kex); + keyname = strdup(sshkey_ssh_name(prvkey)); + ASSERT_PTR_NE(keyname, NULL); + kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; + ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); + ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0); + ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); + ASSERT_PTR_NE(client, NULL); + ASSERT_PTR_NE(server, NULL); + ASSERT_PTR_NE(server2, NULL); + TEST_DONE(); + + hook_ctx.c2s = c2s; + hook_ctx.s2c = s2c; + hook_ctx.trigger_direction = direction; + hook_ctx.packet_index = packet_index; + hook_ctx.dump_path = dump_path; + hook_ctx.replace_data = replace_data; + hook_ctx.client = client; + hook_ctx.server = server; + hook_ctx.server2 = server2; + ssh_packet_set_input_hook(client, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx); + + TEST_START("ssh_add_hostkey"); + ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0); + ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0); + TEST_DONE(); + + TEST_START("kex"); + run_kex(client, server); + TEST_DONE(); + + TEST_START("rekeying client"); + ASSERT_INT_EQ(kex_send_kexinit(client), 0); + run_kex(client, server); + TEST_DONE(); + + TEST_START("rekeying server"); + ASSERT_INT_EQ(kex_send_kexinit(server), 0); + run_kex(client, server); + TEST_DONE(); + + TEST_START("ssh_packet_get_state"); + state = sshbuf_new(); + ASSERT_PTR_NE(state, NULL); + ASSERT_INT_EQ(ssh_packet_get_state(server, state), 0); + ASSERT_INT_GE(sshbuf_len(state), 1); + TEST_DONE(); + + TEST_START("ssh_packet_set_state"); + ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0); + kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */ + ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0); + ASSERT_INT_EQ(sshbuf_len(state), 0); + sshbuf_free(state); + ASSERT_PTR_NE(server2->kex, NULL); + /* XXX we need to set the callbacks */ +#ifdef WITH_OPENSSL + server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; + server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; + server2->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server; + server2->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server; + server2->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server; + server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; + server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; +# ifdef OPENSSL_HAS_ECC + server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server; +# endif +#endif + server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; + server2->kex->load_host_public_key = server->kex->load_host_public_key; + server2->kex->load_host_private_key = server->kex->load_host_private_key; + server2->kex->sign = server->kex->sign; + TEST_DONE(); + + TEST_START("rekeying server2"); + ASSERT_INT_EQ(kex_send_kexinit(server2), 0); + run_kex(client, server2); + ASSERT_INT_EQ(kex_send_kexinit(client), 0); + run_kex(client, server2); + TEST_DONE(); + + TEST_START("cleanup"); + sshkey_free(pubkey); + ssh_free(client); + ssh_free(server); + ssh_free(server2); + free(keyname); + TEST_DONE(); +} + +static void +usage(void) +{ + fprintf(stderr, + "Usage: kexfuzz [-hcdrv] [-D direction] [-f data_file]\n" + " [-K kex_alg] [-k private_key] [-i packet_index]\n" + "\n" + "Options:\n" + " -h Display this help\n" + " -c Count packets sent during KEX\n" + " -d Dump mode: record KEX packet to data file\n" + " -r Replace mode: replace packet with data file\n" + " -v Turn on verbose logging\n" + " -D S2C|C2S Packet direction for replacement or dump\n" + " -f data_file Path to data file for replacement or dump\n" + " -K kex_alg Name of KEX algorithm to test (see below)\n" + " -k private_key Path to private key file\n" + " -i packet_index Index of packet to replace or dump (from 0)\n" + "\n" + "Available KEX algorithms: %s\n", kex_alg_list(' ')); +} + +static void +badusage(const char *bad) +{ + fprintf(stderr, "Invalid options\n"); + fprintf(stderr, "%s\n", bad); + usage(); + exit(1); +} + +int +main(int argc, char **argv) +{ + int ch, fd, r; + int count_flag = 0, dump_flag = 0, replace_flag = 0; + int packet_index = -1, direction = -1; + int s2c = 0, c2s = 0; /* packet counts */ + const char *kex = NULL, *kpath = NULL, *data_path = NULL; + struct sshkey *key = NULL; + struct sshbuf *replace_data = NULL; + + setvbuf(stdout, NULL, _IONBF, 0); + while ((ch = getopt(argc, argv, "hcdrvD:f:K:k:i:")) != -1) { + switch (ch) { + case 'h': + usage(); + return 0; + case 'c': + count_flag = 1; + break; + case 'd': + dump_flag = 1; + break; + case 'r': + replace_flag = 1; + break; + case 'v': + do_debug = 1; + break; + + case 'D': + if (strcasecmp(optarg, "s2c") == 0) + direction = S2C; + else if (strcasecmp(optarg, "c2s") == 0) + direction = C2S; + else + badusage("Invalid direction (-D)"); + break; + case 'f': + data_path = optarg; + break; + case 'K': + kex = optarg; + break; + case 'k': + kpath = optarg; + break; + case 'i': + packet_index = atoi(optarg); + if (packet_index < 0) + badusage("Invalid packet index"); + break; + default: + badusage("unsupported flag"); + } + } + argc -= optind; + argv += optind; + + log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO, + SYSLOG_FACILITY_USER, 1); + + /* Must select a single mode */ + if ((count_flag + dump_flag + replace_flag) != 1) + badusage("Must select one mode: -c, -d or -r"); + /* KEX type is mandatory */ + if (kex == NULL || !kex_names_valid(kex) || strchr(kex, ',') != NULL) + badusage("Missing or invalid kex type (-K flag)"); + /* Valid key is mandatory */ + if (kpath == NULL) + badusage("Missing private key (-k flag)"); + if ((fd = open(kpath, O_RDONLY)) == -1) + err(1, "open %s", kpath); + if ((r = sshkey_load_private_type_fd(fd, KEY_UNSPEC, NULL, + &key, NULL)) != 0) + errx(1, "Unable to load key %s: %s", kpath, ssh_err(r)); + close(fd); + /* XXX check that it is a private key */ + /* XXX support certificates */ + if (key == NULL || key->type == KEY_UNSPEC) + badusage("Invalid key file (-k flag)"); + + /* Replace (fuzz) mode */ + if (replace_flag) { + if (packet_index == -1 || direction == -1 || data_path == NULL) + badusage("Replace (-r) mode must specify direction " + "(-D) packet index (-i) and data path (-f)"); + if ((r = sshbuf_load_file(data_path, &replace_data)) != 0) + errx(1, "read %s: %s", data_path, ssh_err(r)); + } + + /* Dump mode */ + if (dump_flag) { + if (packet_index == -1 || direction == -1 || data_path == NULL) + badusage("Dump (-d) mode must specify direction " + "(-D), packet index (-i) and data path (-f)"); + } + + /* Count mode needs no further flags */ + + do_kex_with_key(kex, key, &c2s, &s2c, + direction, packet_index, + dump_flag ? data_path : NULL, + replace_flag ? replace_data : NULL); + sshkey_free(key); + sshbuf_free(replace_data); + + if (count_flag) { + printf("S2C: %d\n", s2c); + printf("C2S: %d\n", c2s); + } + + return 0; +} diff --git a/regress/misc/sk-dummy/Makefile b/regress/misc/sk-dummy/Makefile new file mode 100644 index 0000000..29e313c --- /dev/null +++ b/regress/misc/sk-dummy/Makefile @@ -0,0 +1,66 @@ +# $OpenBSD: Makefile,v 1.2 2019/11/29 00:13:29 djm Exp $ + +.include <bsd.own.mk> +.include <bsd.obj.mk> + +PROG= sk-dummy.so +NOMAN= + +SSHREL=../../../../../usr.bin/ssh +.PATH: ${.CURDIR}/${SSHREL} + +SRCS=sk-dummy.c +# From usr.bin/ssh +SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c +OPENSSL?= yes + +CFLAGS+= -fPIC + +.if (${OPENSSL:L} == "yes") +CFLAGS+= -DWITH_OPENSSL +.endif + +# enable warnings +WARNINGS=Yes + +DEBUG=-g +CFLAGS+= -fstack-protector-all +CDIAGFLAGS= -Wall +CDIAGFLAGS+= -Wextra +CDIAGFLAGS+= -Werror +CDIAGFLAGS+= -Wchar-subscripts +CDIAGFLAGS+= -Wcomment +CDIAGFLAGS+= -Wformat +CDIAGFLAGS+= -Wformat-security +CDIAGFLAGS+= -Wimplicit +CDIAGFLAGS+= -Winline +CDIAGFLAGS+= -Wmissing-declarations +CDIAGFLAGS+= -Wmissing-prototypes +CDIAGFLAGS+= -Wparentheses +CDIAGFLAGS+= -Wpointer-arith +CDIAGFLAGS+= -Wreturn-type +CDIAGFLAGS+= -Wshadow +CDIAGFLAGS+= -Wsign-compare +CDIAGFLAGS+= -Wstrict-aliasing +CDIAGFLAGS+= -Wstrict-prototypes +CDIAGFLAGS+= -Wswitch +CDIAGFLAGS+= -Wtrigraphs +CDIAGFLAGS+= -Wuninitialized +CDIAGFLAGS+= -Wunused +CDIAGFLAGS+= -Wno-unused-parameter +.if ${COMPILER_VERSION:L} != "gcc3" +CDIAGFLAGS+= -Wold-style-definition +.endif + +CFLAGS+=-I${.CURDIR}/${SSHREL} + +.if (${OPENSSL:L} == "yes") +LDADD+= -lcrypto +DPADD+= ${LIBCRYPTO} +.endif + +$(PROG): $(OBJS) + $(CC) $(LDFLAGS) -shared -o $@ $(OBJS) $(LDADD) + +.include <bsd.prog.mk> + diff --git a/regress/misc/sk-dummy/fatal.c b/regress/misc/sk-dummy/fatal.c new file mode 100644 index 0000000..7cdc74b --- /dev/null +++ b/regress/misc/sk-dummy/fatal.c @@ -0,0 +1,20 @@ +/* public domain */ + +#include <stdlib.h> +#include <stdio.h> +#include <stdarg.h> +#include <unistd.h> + +void fatal(char *fmt, ...); + +void +fatal(char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + vfprintf(stderr, fmt, ap); + va_end(ap); + fputc('\n', stderr); + _exit(1); +} diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c new file mode 100644 index 0000000..bf1feec --- /dev/null +++ b/regress/misc/sk-dummy/sk-dummy.c @@ -0,0 +1,532 @@ +/* + * Copyright (c) 2019 Markus Friedl + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif +#include <stdlib.h> +#include <string.h> +#include <stdio.h> +#include <stddef.h> +#include <stdarg.h> + +#include "crypto_api.h" +#include "sk-api.h" + +#include <openssl/opensslv.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/bn.h> +#include <openssl/ec.h> +#include <openssl/ecdsa.h> +#include <openssl/pem.h> + +/* #define SK_DEBUG 1 */ + +/* Compatibility with OpenSSH 1.0.x */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +#define ECDSA_SIG_get0(sig, pr, ps) \ + do { \ + (*pr) = sig->r; \ + (*ps) = sig->s; \ + } while (0) +#endif + +#if SSH_SK_VERSION_MAJOR != 0x00070000 +# error SK API has changed, sk-dummy.c needs an update +#endif + +static void skdebug(const char *func, const char *fmt, ...) + __attribute__((__format__ (printf, 2, 3))); + +static void +skdebug(const char *func, const char *fmt, ...) +{ +#if defined(SK_DEBUG) + va_list ap; + + va_start(ap, fmt); + fprintf(stderr, "sk-dummy %s: ", func); + vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + va_end(ap); +#else + (void)func; /* XXX */ + (void)fmt; /* XXX */ +#endif +} + +uint32_t +sk_api_version(void) +{ + return SSH_SK_VERSION_MAJOR; +} + +static int +pack_key_ecdsa(struct sk_enroll_response *response) +{ +#ifdef OPENSSL_HAS_ECC + EC_KEY *key = NULL; + const EC_GROUP *g; + const EC_POINT *q; + int ret = -1; + long privlen; + BIO *bio = NULL; + char *privptr; + + response->public_key = NULL; + response->public_key_len = 0; + response->key_handle = NULL; + response->key_handle_len = 0; + + if ((key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) { + skdebug(__func__, "EC_KEY_new_by_curve_name"); + goto out; + } + if (EC_KEY_generate_key(key) != 1) { + skdebug(__func__, "EC_KEY_generate_key"); + goto out; + } + EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE); + if ((bio = BIO_new(BIO_s_mem())) == NULL || + (g = EC_KEY_get0_group(key)) == NULL || + (q = EC_KEY_get0_public_key(key)) == NULL) { + skdebug(__func__, "couldn't get key parameters"); + goto out; + } + response->public_key_len = EC_POINT_point2oct(g, q, + POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); + if (response->public_key_len == 0 || response->public_key_len > 2048) { + skdebug(__func__, "bad pubkey length %zu", + response->public_key_len); + goto out; + } + if ((response->public_key = malloc(response->public_key_len)) == NULL) { + skdebug(__func__, "malloc pubkey failed"); + goto out; + } + if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED, + response->public_key, response->public_key_len, NULL) == 0) { + skdebug(__func__, "EC_POINT_point2oct failed"); + goto out; + } + /* Key handle contains PEM encoded private key */ + if (!PEM_write_bio_ECPrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) { + skdebug(__func__, "PEM_write_bio_ECPrivateKey failed"); + goto out; + } + if ((privlen = BIO_get_mem_data(bio, &privptr)) <= 0) { + skdebug(__func__, "BIO_get_mem_data failed"); + goto out; + } + if ((response->key_handle = malloc(privlen)) == NULL) { + skdebug(__func__, "malloc key_handle failed"); + goto out; + } + response->key_handle_len = (size_t)privlen; + memcpy(response->key_handle, privptr, response->key_handle_len); + /* success */ + ret = 0; + out: + if (ret != 0) { + if (response->public_key != NULL) { + memset(response->public_key, 0, + response->public_key_len); + free(response->public_key); + response->public_key = NULL; + } + if (response->key_handle != NULL) { + memset(response->key_handle, 0, + response->key_handle_len); + free(response->key_handle); + response->key_handle = NULL; + } + } + BIO_free(bio); + EC_KEY_free(key); + return ret; +#else + return -1; +#endif +} + +static int +pack_key_ed25519(struct sk_enroll_response *response) +{ + int ret = -1; + u_char pk[crypto_sign_ed25519_PUBLICKEYBYTES]; + u_char sk[crypto_sign_ed25519_SECRETKEYBYTES]; + + response->public_key = NULL; + response->public_key_len = 0; + response->key_handle = NULL; + response->key_handle_len = 0; + + memset(pk, 0, sizeof(pk)); + memset(sk, 0, sizeof(sk)); + crypto_sign_ed25519_keypair(pk, sk); + + response->public_key_len = sizeof(pk); + if ((response->public_key = malloc(response->public_key_len)) == NULL) { + skdebug(__func__, "malloc pubkey failed"); + goto out; + } + memcpy(response->public_key, pk, sizeof(pk)); + /* Key handle contains sk */ + response->key_handle_len = sizeof(sk); + if ((response->key_handle = malloc(response->key_handle_len)) == NULL) { + skdebug(__func__, "malloc key_handle failed"); + goto out; + } + memcpy(response->key_handle, sk, sizeof(sk)); + /* success */ + ret = 0; + out: + if (ret != 0) + free(response->public_key); + return ret; +} + +static int +check_options(struct sk_option **options) +{ + size_t i; + + if (options == NULL) + return 0; + for (i = 0; options[i] != NULL; i++) { + skdebug(__func__, "requested unsupported option %s", + options[i]->name); + if (options[i]->required) { + skdebug(__func__, "unknown required option"); + return -1; + } + } + return 0; +} + +int +sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len, + const char *application, uint8_t flags, const char *pin, + struct sk_option **options, struct sk_enroll_response **enroll_response) +{ + struct sk_enroll_response *response = NULL; + int ret = SSH_SK_ERR_GENERAL; + + (void)flags; /* XXX; unused */ + + if (enroll_response == NULL) { + skdebug(__func__, "enroll_response == NULL"); + goto out; + } + *enroll_response = NULL; + if (check_options(options) != 0) + goto out; /* error already logged */ + if ((response = calloc(1, sizeof(*response))) == NULL) { + skdebug(__func__, "calloc response failed"); + goto out; + } + switch(alg) { + case SSH_SK_ECDSA: + if (pack_key_ecdsa(response) != 0) + goto out; + break; + case SSH_SK_ED25519: + if (pack_key_ed25519(response) != 0) + goto out; + break; + default: + skdebug(__func__, "unsupported key type %d", alg); + return -1; + } + /* Have to return something here */ + if ((response->signature = calloc(1, 1)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + response->signature_len = 0; + + *enroll_response = response; + response = NULL; + ret = 0; + out: + if (response != NULL) { + free(response->public_key); + free(response->key_handle); + free(response->signature); + free(response->attestation_cert); + free(response); + } + return ret; +} + +static void +dump(const char *preamble, const void *sv, size_t l) +{ +#ifdef SK_DEBUG + const u_char *s = (const u_char *)sv; + size_t i; + + fprintf(stderr, "%s (len %zu):\n", preamble, l); + for (i = 0; i < l; i++) { + if (i % 16 == 0) + fprintf(stderr, "%04zu: ", i); + fprintf(stderr, "%02x", s[i]); + if (i % 16 == 15 || i == l - 1) + fprintf(stderr, "\n"); + } +#endif +} + +static int +sig_ecdsa(const uint8_t *message, size_t message_len, + const char *application, uint32_t counter, uint8_t flags, + const uint8_t *key_handle, size_t key_handle_len, + struct sk_sign_response *response) +{ +#ifdef OPENSSL_HAS_ECC + ECDSA_SIG *sig = NULL; + const BIGNUM *sig_r, *sig_s; + int ret = -1; + BIO *bio = NULL; + EVP_PKEY *pk = NULL; + EC_KEY *ec = NULL; + SHA256_CTX ctx; + uint8_t apphash[SHA256_DIGEST_LENGTH]; + uint8_t sighash[SHA256_DIGEST_LENGTH]; + uint8_t countbuf[4]; + + /* Decode EC_KEY from key handle */ + if ((bio = BIO_new(BIO_s_mem())) == NULL || + BIO_write(bio, key_handle, key_handle_len) != (int)key_handle_len) { + skdebug(__func__, "BIO setup failed"); + goto out; + } + if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, "")) == NULL) { + skdebug(__func__, "PEM_read_bio_PrivateKey failed"); + goto out; + } + if (EVP_PKEY_base_id(pk) != EVP_PKEY_EC) { + skdebug(__func__, "Not an EC key: %d", EVP_PKEY_base_id(pk)); + goto out; + } + if ((ec = EVP_PKEY_get1_EC_KEY(pk)) == NULL) { + skdebug(__func__, "EVP_PKEY_get1_EC_KEY failed"); + goto out; + } + /* Expect message to be pre-hashed */ + if (message_len != SHA256_DIGEST_LENGTH) { + skdebug(__func__, "bad message len %zu", message_len); + goto out; + } + /* Prepare data to be signed */ + dump("message", message, message_len); + SHA256_Init(&ctx); + SHA256_Update(&ctx, application, strlen(application)); + SHA256_Final(apphash, &ctx); + dump("apphash", apphash, sizeof(apphash)); + countbuf[0] = (counter >> 24) & 0xff; + countbuf[1] = (counter >> 16) & 0xff; + countbuf[2] = (counter >> 8) & 0xff; + countbuf[3] = counter & 0xff; + dump("countbuf", countbuf, sizeof(countbuf)); + dump("flags", &flags, sizeof(flags)); + SHA256_Init(&ctx); + SHA256_Update(&ctx, apphash, sizeof(apphash)); + SHA256_Update(&ctx, &flags, sizeof(flags)); + SHA256_Update(&ctx, countbuf, sizeof(countbuf)); + SHA256_Update(&ctx, message, message_len); + SHA256_Final(sighash, &ctx); + dump("sighash", sighash, sizeof(sighash)); + /* create and encode signature */ + if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) { + skdebug(__func__, "ECDSA_do_sign failed"); + goto out; + } + ECDSA_SIG_get0(sig, &sig_r, &sig_s); + response->sig_r_len = BN_num_bytes(sig_r); + response->sig_s_len = BN_num_bytes(sig_s); + if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL || + (response->sig_s = calloc(1, response->sig_s_len)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + BN_bn2bin(sig_r, response->sig_r); + BN_bn2bin(sig_s, response->sig_s); + ret = 0; + out: + explicit_bzero(&ctx, sizeof(ctx)); + explicit_bzero(&apphash, sizeof(apphash)); + explicit_bzero(&sighash, sizeof(sighash)); + ECDSA_SIG_free(sig); + if (ret != 0) { + free(response->sig_r); + free(response->sig_s); + response->sig_r = NULL; + response->sig_s = NULL; + } + BIO_free(bio); + EC_KEY_free(ec); + EVP_PKEY_free(pk); + return ret; +#else + return -1; +#endif +} + +static int +sig_ed25519(const uint8_t *message, size_t message_len, + const char *application, uint32_t counter, uint8_t flags, + const uint8_t *key_handle, size_t key_handle_len, + struct sk_sign_response *response) +{ + size_t o; + int ret = -1; + SHA256_CTX ctx; + uint8_t apphash[SHA256_DIGEST_LENGTH]; + uint8_t signbuf[sizeof(apphash) + sizeof(flags) + + sizeof(counter) + SHA256_DIGEST_LENGTH]; + uint8_t sig[crypto_sign_ed25519_BYTES + sizeof(signbuf)]; + unsigned long long smlen; + + if (key_handle_len != crypto_sign_ed25519_SECRETKEYBYTES) { + skdebug(__func__, "bad key handle length %zu", key_handle_len); + goto out; + } + /* Expect message to be pre-hashed */ + if (message_len != SHA256_DIGEST_LENGTH) { + skdebug(__func__, "bad message len %zu", message_len); + goto out; + } + /* Prepare data to be signed */ + dump("message", message, message_len); + SHA256_Init(&ctx); + SHA256_Update(&ctx, application, strlen(application)); + SHA256_Final(apphash, &ctx); + dump("apphash", apphash, sizeof(apphash)); + + memcpy(signbuf, apphash, sizeof(apphash)); + o = sizeof(apphash); + signbuf[o++] = flags; + signbuf[o++] = (counter >> 24) & 0xff; + signbuf[o++] = (counter >> 16) & 0xff; + signbuf[o++] = (counter >> 8) & 0xff; + signbuf[o++] = counter & 0xff; + memcpy(signbuf + o, message, message_len); + o += message_len; + if (o != sizeof(signbuf)) { + skdebug(__func__, "bad sign buf len %zu, expected %zu", + o, sizeof(signbuf)); + goto out; + } + dump("signbuf", signbuf, sizeof(signbuf)); + /* create and encode signature */ + smlen = sizeof(signbuf); + if (crypto_sign_ed25519(sig, &smlen, signbuf, sizeof(signbuf), + key_handle) != 0) { + skdebug(__func__, "crypto_sign_ed25519 failed"); + goto out; + } + if (smlen <= sizeof(signbuf)) { + skdebug(__func__, "bad sign smlen %llu, expected min %zu", + smlen, sizeof(signbuf) + 1); + goto out; + } + response->sig_r_len = (size_t)(smlen - sizeof(signbuf)); + if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) { + skdebug(__func__, "calloc signature failed"); + goto out; + } + memcpy(response->sig_r, sig, response->sig_r_len); + dump("sig_r", response->sig_r, response->sig_r_len); + ret = 0; + out: + explicit_bzero(&ctx, sizeof(ctx)); + explicit_bzero(&apphash, sizeof(apphash)); + explicit_bzero(&signbuf, sizeof(signbuf)); + explicit_bzero(&sig, sizeof(sig)); + if (ret != 0) { + free(response->sig_r); + response->sig_r = NULL; + } + return ret; +} + +int +sk_sign(uint32_t alg, const uint8_t *data, size_t datalen, + const char *application, const uint8_t *key_handle, size_t key_handle_len, + uint8_t flags, const char *pin, struct sk_option **options, + struct sk_sign_response **sign_response) +{ + struct sk_sign_response *response = NULL; + int ret = SSH_SK_ERR_GENERAL; + SHA256_CTX ctx; + uint8_t message[32]; + + if (sign_response == NULL) { + skdebug(__func__, "sign_response == NULL"); + goto out; + } + *sign_response = NULL; + if (check_options(options) != 0) + goto out; /* error already logged */ + if ((response = calloc(1, sizeof(*response))) == NULL) { + skdebug(__func__, "calloc response failed"); + goto out; + } + SHA256_Init(&ctx); + SHA256_Update(&ctx, data, datalen); + SHA256_Final(message, &ctx); + response->flags = flags; + response->counter = 0x12345678; + switch(alg) { + case SSH_SK_ECDSA: + if (sig_ecdsa(message, sizeof(message), application, + response->counter, flags, key_handle, key_handle_len, + response) != 0) + goto out; + break; + case SSH_SK_ED25519: + if (sig_ed25519(message, sizeof(message), application, + response->counter, flags, key_handle, key_handle_len, + response) != 0) + goto out; + break; + default: + skdebug(__func__, "unsupported key type %d", alg); + return -1; + } + *sign_response = response; + response = NULL; + ret = 0; + out: + explicit_bzero(message, sizeof(message)); + if (response != NULL) { + free(response->sig_r); + free(response->sig_s); + free(response); + } + return ret; +} + +int +sk_load_resident_keys(const char *pin, struct sk_option **options, + struct sk_resident_key ***rks, size_t *nrks) +{ + return SSH_SK_ERR_UNSUPPORTED; +} |