1,421 authfile.c
View file

Large diffs are not rendered by default.

63 authfile.h
View file
@@ -1,32 +1,51 @@
/* $OpenBSD: authfile.h,v 1.17 2013/12/06 13:34:54 markus Exp $ */
/* $OpenBSD: authfile.h,v 1.18 2014/06/24 01:13:21 djm Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

#ifndef AUTHFILE_H
#define AUTHFILE_H

int key_save_private(Key *, const char *, const char *, const char *,
int, const char *, int);
int key_load_file(int, const char *, Buffer *);
Key *key_load_cert(const char *);
Key *key_load_public(const char *, char **);
Key *key_load_public_type(int, const char *, char **);
Key *key_parse_private(Buffer *, const char *, const char *, char **);
Key *key_load_private(const char *, const char *, char **);
Key *key_load_private_cert(int, const char *, const char *, int *);
Key *key_load_private_type(int, const char *, const char *, char **, int *);
Key *key_load_private_pem(int, int, const char *, char **);
int key_perm_ok(int, const char *);
int key_in_file(Key *, const char *, int);
#ifdef WITH_LEAKMALLOC
#include "leakmalloc.h"
#endif

struct sshbuf;
struct sshkey;

int sshkey_save_private(struct sshkey *, const char *,
const char *, const char *, int, const char *, int);
int sshkey_load_file(int, const char *, struct sshbuf *);
int sshkey_load_cert(const char *, struct sshkey **);
int sshkey_load_public(const char *, struct sshkey **, char **);
int sshkey_load_private(const char *, const char *, struct sshkey **, char **);
int sshkey_load_private_cert(int, const char *, const char *,
struct sshkey **, int *);
int sshkey_load_private_type(int, const char *, const char *,
struct sshkey **, char **, int *);
int sshkey_load_private_pem(int, int, const char *, struct sshkey **, char **);
int sshkey_perm_ok(int, const char *);
int sshkey_in_file(struct sshkey *, const char *, int);

#endif
55 cipher-3des1.c
View file
@@ -29,13 +29,11 @@

#include <openssl/evp.h>

#include <stdarg.h>
#include <string.h>

#include "xmalloc.h"
#include "log.h"

#include "openbsd-compat/openssl-compat.h"
#include "ssherr.h"

/*
* This is used by SSH1:
@@ -57,7 +55,7 @@ struct ssh1_3des_ctx
};

const EVP_CIPHER * evp_ssh1_3des(void);
void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);

static int
ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
@@ -67,11 +65,12 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
u_char *k1, *k2, *k3;

if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xcalloc(1, sizeof(*c));
if ((c = calloc(1, sizeof(*c))) == NULL)
return 0;
EVP_CIPHER_CTX_set_app_data(ctx, c);
}
if (key == NULL)
return (1);
return 1;
if (enc == -1)
enc = ctx->encrypt;
k1 = k2 = k3 = (u_char *) key;
@@ -85,44 +84,29 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
EVP_CIPHER_CTX_init(&c->k1);
EVP_CIPHER_CTX_init(&c->k2);
EVP_CIPHER_CTX_init(&c->k3);
#ifdef SSH_OLD_EVP
EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
#else
if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
explicit_bzero(c, sizeof(*c));
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
return (0);
return 0;
}
#endif
return (1);
return 1;
}

static int
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
LIBCRYPTO_EVP_INL_TYPE len)
ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
{
struct ssh1_3des_ctx *c;

if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
error("ssh1_3des_cbc: no context");
return (0);
}
#ifdef SSH_OLD_EVP
EVP_Cipher(&c->k1, dest, (u_char *)src, len);
EVP_Cipher(&c->k2, dest, dest, len);
EVP_Cipher(&c->k3, dest, dest, len);
#else
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
return 0;
if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
EVP_Cipher(&c->k3, dest, dest, len) == 0)
return (0);
#endif
return (1);
return 0;
return 1;
}

static int
@@ -138,29 +122,28 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL);
}
return (1);
return 1;
}

void
int
ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
{
struct ssh1_3des_ctx *c;

if (len != 24)
fatal("%s: bad 3des iv length: %d", __func__, len);
return SSH_ERR_INVALID_ARGUMENT;
if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
fatal("%s: no 3des context", __func__);
return SSH_ERR_INTERNAL_ERROR;
if (doset) {
debug3("%s: Installed 3DES IV", __func__);
memcpy(c->k1.iv, iv, 8);
memcpy(c->k2.iv, iv + 8, 8);
memcpy(c->k3.iv, iv + 16, 8);
} else {
debug3("%s: Copying 3DES IV", __func__);
memcpy(iv, c->k1.iv, 8);
memcpy(iv + 8, c->k2.iv, 8);
memcpy(iv + 16, c->k3.iv, 8);
}
return 0;
}

const EVP_CIPHER *
@@ -176,8 +159,6 @@ evp_ssh1_3des(void)
ssh1_3des.init = ssh1_3des_init;
ssh1_3des.cleanup = ssh1_3des_cleanup;
ssh1_3des.do_cipher = ssh1_3des_cbc;
#ifndef SSH_OLD_EVP
ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
#endif
return (&ssh1_3des);
return &ssh1_3des;
}
25 cipher-chachapoly.c
View file
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */
/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */

#include "includes.h"

@@ -24,16 +24,18 @@
#include <stdio.h> /* needed for misc.h */

#include "log.h"
#include "misc.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "cipher-chachapoly.h"

void chachapoly_init(struct chachapoly_ctx *ctx,
int chachapoly_init(struct chachapoly_ctx *ctx,
const u_char *key, u_int keylen)
{
if (keylen != (32 + 32)) /* 2 x 256 bit keys */
fatal("%s: invalid keylen %u", __func__, keylen);
return SSH_ERR_INVALID_ARGUMENT;
chacha_keysetup(&ctx->main_ctx, key, 256);
chacha_keysetup(&ctx->header_ctx, key + 32, 256);
return 0;
}

/*
@@ -52,14 +54,14 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
u_char seqbuf[8];
const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
int r = -1;
int r = SSH_ERR_INTERNAL_ERROR;

/*
* Run ChaCha20 once to generate the Poly1305 key. The IV is the
* packet sequence number.
*/
memset(poly_key, 0, sizeof(poly_key));
put_u64(seqbuf, seqnr);
POKE_U64(seqbuf, seqnr);
chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
chacha_encrypt_bytes(&ctx->main_ctx,
poly_key, poly_key, sizeof(poly_key));
@@ -71,8 +73,10 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
const u_char *tag = src + aadlen + len;

poly1305_auth(expected_tag, src, aadlen + len, poly_key);
if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
r = SSH_ERR_MAC_INVALID;
goto out;
}
}
/* Crypt additional data */
if (aadlen) {
@@ -88,7 +92,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
poly_key);
}
r = 0;

out:
explicit_bzero(expected_tag, sizeof(expected_tag));
explicit_bzero(seqbuf, sizeof(seqbuf));
@@ -104,11 +107,11 @@ chachapoly_get_length(struct chachapoly_ctx *ctx,
u_char buf[4], seqbuf[8];

if (len < 4)
return -1; /* Insufficient length */
put_u64(seqbuf, seqnr);
return SSH_ERR_MESSAGE_INCOMPLETE;
POKE_U64(seqbuf, seqnr);
chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
*plenp = get_u32(buf);
*plenp = PEEK_U32(buf);
return 0;
}

4 cipher-chachapoly.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: cipher-chachapoly.h,v 1.3 2014/05/02 03:27:54 djm Exp $ */
/* $OpenBSD: cipher-chachapoly.h,v 1.4 2014/06/24 01:13:21 djm Exp $ */

/*
* Copyright (c) Damien Miller 2013 <djm@mindrot.org>
@@ -28,7 +28,7 @@ struct chachapoly_ctx {
struct chacha_ctx main_ctx, header_ctx;
};

void chachapoly_init(struct chachapoly_ctx *cpctx,
int chachapoly_init(struct chachapoly_ctx *cpctx,
const u_char *key, u_int keylen)
__attribute__((__bounded__(__buffer__, 2, 3)));
int chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr,
363 cipher.c
View file

Large diffs are not rendered by default.

57 cipher.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: cipher.h,v 1.45 2014/04/29 18:01:49 markus Exp $ */
/* $OpenBSD: cipher.h,v 1.46 2014/06/24 01:13:21 djm Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -37,6 +37,7 @@
#ifndef CIPHER_H
#define CIPHER_H

#include <sys/types.h>
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
@@ -61,45 +62,47 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0

typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext;

struct Cipher;
struct CipherContext {
struct sshcipher;
struct sshcipher_ctx {
int plaintext;
int encrypt;
EVP_CIPHER_CTX evp;
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
const Cipher *cipher;
const struct sshcipher *cipher;
};

typedef struct sshcipher Cipher ;
typedef struct sshcipher_ctx CipherContext ;

u_int cipher_mask_ssh1(int);
const Cipher *cipher_by_name(const char *);
const Cipher *cipher_by_number(int);
const struct sshcipher *cipher_by_name(const char *);
const struct sshcipher *cipher_by_number(int);
int cipher_number(const char *);
char *cipher_name(int);
int ciphers_valid(const char *);
char *cipher_alg_list(char, int);
void cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
const u_char *, u_int, int);
int cipher_crypt(CipherContext *, u_int, u_char *, const u_char *,
int cipher_init(struct sshcipher_ctx *, const struct sshcipher *,
const u_char *, u_int, const u_char *, u_int, int);
const char* cipher_warning_message(const struct sshcipher_ctx *);
int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
u_int, u_int, u_int);
int cipher_get_length(CipherContext *, u_int *, u_int,
int cipher_get_length(struct sshcipher_ctx *, u_int *, u_int,
const u_char *, u_int);
void cipher_cleanup(CipherContext *);
void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_seclen(const Cipher *);
u_int cipher_authlen(const Cipher *);
u_int cipher_ivlen(const Cipher *);
u_int cipher_is_cbc(const Cipher *);
int cipher_cleanup(struct sshcipher_ctx *);
int cipher_set_key_string(struct sshcipher_ctx *, const struct sshcipher *,
const char *, int);
u_int cipher_blocksize(const struct sshcipher *);
u_int cipher_keylen(const struct sshcipher *);
u_int cipher_seclen(const struct sshcipher *);
u_int cipher_authlen(const struct sshcipher *);
u_int cipher_ivlen(const struct sshcipher *);
u_int cipher_is_cbc(const struct sshcipher *);

u_int cipher_get_number(const Cipher *);
void cipher_get_keyiv(CipherContext *, u_char *, u_int);
void cipher_set_keyiv(CipherContext *, u_char *);
int cipher_get_keyiv_len(const CipherContext *);
int cipher_get_keycontext(const CipherContext *, u_char *);
void cipher_set_keycontext(CipherContext *, u_char *);
u_int cipher_get_number(const struct sshcipher *);
int cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
int cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
int cipher_get_keyiv_len(const struct sshcipher_ctx *);
int cipher_get_keycontext(const struct sshcipher_ctx *, u_char *);
void cipher_set_keycontext(struct sshcipher_ctx *, const u_char *);
#endif /* CIPHER_H */
27 digest-libc.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: digest-libc.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
* Copyright (c) 2014 Markus Friedl. All rights reserved.
@@ -28,7 +28,8 @@
#include <sha1.h>
#include <sha2.h>

#include "buffer.h"
#include "ssherr.h"
#include "sshbuf.h"
#include "digest.h"

typedef void md_init_fn(void *mdctx);
@@ -164,7 +165,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
const struct ssh_digest *digest = ssh_digest_by_alg(from->alg);

if (digest == NULL || from->alg != to->alg)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
memcpy(to->mdctx, from->mdctx, digest->ctx_len);
return 0;
}
@@ -175,15 +176,15 @@ ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);

if (digest == NULL)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
digest->md_update(ctx->mdctx, m, mlen);
return 0;
}

int
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
{
return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
}

int
@@ -192,11 +193,11 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);

if (digest == NULL)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if (dlen > UINT_MAX)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if (dlen < digest->digest_len) /* No truncation allowed */
return -1;
return SSH_ERR_INVALID_ARGUMENT;
digest->md_final(d, ctx->mdctx);
return 0;
}
@@ -223,16 +224,16 @@ ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
struct ssh_digest_ctx *ctx = ssh_digest_start(alg);

if (ctx == NULL)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if (ssh_digest_update(ctx, m, mlen) != 0 ||
ssh_digest_final(ctx, d, dlen) != 0)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
ssh_digest_free(ctx);
return 0;
}

int
ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
36 digest-openssl.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: digest-openssl.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: digest-openssl.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
*
@@ -26,8 +26,9 @@

#include "openbsd-compat/openssl-compat.h"

#include "buffer.h"
#include "sshbuf.h"
#include "digest.h"
#include "ssherr.h"

struct ssh_digest_ctx {
int alg;
@@ -98,24 +99,26 @@ ssh_digest_start(int alg)
int
ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
{
if (from->alg != to->alg)
return SSH_ERR_INVALID_ARGUMENT;
/* we have bcopy-style order while openssl has memcpy-style */
if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
return -1;
return SSH_ERR_LIBCRYPTO_ERROR;
return 0;
}

int
ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
{
if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
return -1;
return SSH_ERR_LIBCRYPTO_ERROR;
return 0;
}

int
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
{
return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
}

int
@@ -125,13 +128,13 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
u_int l = dlen;

if (dlen > UINT_MAX)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if (dlen < digest->digest_len) /* No truncation allowed */
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1)
return -1;
return SSH_ERR_LIBCRYPTO_ERROR;
if (l != digest->digest_len) /* sanity */
return -1;
return SSH_ERR_INTERNAL_ERROR;
return 0;
}

@@ -149,18 +152,19 @@ int
ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
{
struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
int r;

if (ctx == NULL)
return -1;
if (ssh_digest_update(ctx, m, mlen) != 0 ||
ssh_digest_final(ctx, d, dlen) != 0)
return -1;
return SSH_ERR_INVALID_ARGUMENT;
if ((r = ssh_digest_update(ctx, m, mlen) != 0) ||
(r = ssh_digest_final(ctx, d, dlen) != 0))
return r;
ssh_digest_free(ctx);
return 0;
}

int
ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
7 digest.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: digest.h,v 1.4 2014/05/02 03:27:54 djm Exp $ */
/* $OpenBSD: digest.h,v 1.5 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2013 Damien Miller <djm@mindrot.org>
*
@@ -47,14 +47,15 @@ int ssh_digest_memory(int alg, const void *m, size_t mlen,
u_char *d, size_t dlen)
__attribute__((__bounded__(__buffer__, 2, 3)))
__attribute__((__bounded__(__buffer__, 4, 5)));
int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
int ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
__attribute__((__bounded__(__buffer__, 3, 4)));

/* Update API */
struct ssh_digest_ctx *ssh_digest_start(int alg);
int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
__attribute__((__bounded__(__buffer__, 2, 3)));
int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b);
int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx,
const struct sshbuf *b);
int ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
__attribute__((__bounded__(__buffer__, 2, 3)));
void ssh_digest_free(struct ssh_digest_ctx *ctx);
4 dns.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.30 2014/04/20 09:24:26 logan Exp $ */
/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */

/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -34,6 +34,8 @@
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>

#include "xmalloc.h"
#include "key.h"
2 entropy.c
View file
@@ -43,6 +43,8 @@
#include <openssl/crypto.h>
#include <openssl/err.h>

#include "openbsd-compat/openssl-compat.h"

#include "ssh.h"
#include "misc.h"
#include "xmalloc.h"
5 hmac.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: hmac.h,v 1.8 2014/05/02 03:27:54 djm Exp $ */
/* $OpenBSD: hmac.h,v 1.9 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2014 Markus Friedl. All rights reserved.
*
@@ -21,6 +21,7 @@
/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
size_t ssh_hmac_bytes(int alg);

struct sshbuf;
struct ssh_hmac_ctx;
struct ssh_hmac_ctx *ssh_hmac_start(int alg);

@@ -29,7 +30,7 @@ int ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen)
__attribute__((__bounded__(__buffer__, 2, 3)));
int ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen)
__attribute__((__bounded__(__buffer__, 2, 3)));
int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b);
int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const struct sshbuf *b);
int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
__attribute__((__bounded__(__buffer__, 2, 3)));
void ssh_hmac_free(struct ssh_hmac_ctx *ctx);
3 hostfile.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: hostfile.c,v 1.56 2014/04/29 18:01:49 markus Exp $ */
/* $OpenBSD: hostfile.c,v 1.57 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -47,6 +47,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>

#include "xmalloc.h"
#include "match.h"
2,803 key.c
View file

Large diffs are not rendered by default.

187 key.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */
/* $OpenBSD: key.h,v 1.42 2014/06/24 01:13:21 djm Exp $ */

/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -26,141 +26,86 @@
#ifndef KEY_H
#define KEY_H

#include "buffer.h"
#include <openssl/rsa.h>
#include <openssl/dsa.h>
#ifdef OPENSSL_HAS_ECC
#include <openssl/ec.h>
#include "sshkey.h"

typedef struct sshkey Key;

#define types sshkey_types
#define fp_type sshkey_fp_type
#define fp_rep sshkey_fp_rep

#ifndef SSH_KEY_NO_DEFINE
#define key_new sshkey_new
#define key_free sshkey_free
#define key_equal_public sshkey_equal_public
#define key_equal sshkey_equal
#define key_fingerprint sshkey_fingerprint
#define key_type sshkey_type
#define key_cert_type sshkey_cert_type
#define key_ssh_name sshkey_ssh_name
#define key_ssh_name_plain sshkey_ssh_name_plain
#define key_type_from_name sshkey_type_from_name
#define key_ecdsa_nid_from_name sshkey_ecdsa_nid_from_name
#define key_type_is_cert sshkey_type_is_cert
#define key_size sshkey_size
#define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
#define key_names_valid2 sshkey_names_valid2
#define key_is_cert sshkey_is_cert
#define key_type_plain sshkey_type_plain
#define key_cert_is_legacy sshkey_cert_is_legacy
#define key_curve_name_to_nid sshkey_curve_name_to_nid
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
#define key_curve_nid_to_name sshkey_curve_nid_to_name
#define key_ec_nid_to_hash_alg sshkey_ec_nid_to_hash_alg
#define key_dump_ec_point sshkey_dump_ec_point
#define key_dump_ec_key sshkey_dump_ec_key
#define key_fingerprint sshkey_fingerprint
#endif

typedef struct Key Key;
enum types {
KEY_RSA1,
KEY_RSA,
KEY_DSA,
KEY_ECDSA,
KEY_ED25519,
KEY_RSA_CERT,
KEY_DSA_CERT,
KEY_ECDSA_CERT,
KEY_ED25519_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
KEY_UNSPEC
};
enum fp_type {
SSH_FP_SHA1,
SSH_FP_MD5,
SSH_FP_SHA256
};
enum fp_rep {
SSH_FP_HEX,
SSH_FP_BUBBLEBABBLE,
SSH_FP_RANDOMART
};

/* key is stored in external hardware */
#define KEY_FLAG_EXT 0x0001

#define CERT_MAX_PRINCIPALS 256
struct KeyCert {
Buffer certblob; /* Kept around for use on wire */
u_int type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
u_int64_t serial;
char *key_id;
u_int nprincipals;
char **principals;
u_int64_t valid_after, valid_before;
Buffer critical;
Buffer extensions;
Key *signature_key;
};

struct Key {
int type;
int flags;
RSA *rsa;
DSA *dsa;
int ecdsa_nid; /* NID of curve */
#ifdef OPENSSL_HAS_ECC
EC_KEY *ecdsa;
#else
void *ecdsa;
#endif
struct KeyCert *cert;
u_char *ed25519_sk;
u_char *ed25519_pk;
};

#define ED25519_SK_SZ crypto_sign_ed25519_SECRETKEYBYTES
#define ED25519_PK_SZ crypto_sign_ed25519_PUBLICKEYBYTES

Key *key_new(int);
void key_add_private(Key *);
Key *key_new_private(int);
void key_free(Key *);
Key *key_demote(const Key *);
int key_equal_public(const Key *, const Key *);
int key_equal(const Key *, const Key *);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
int key_read(Key *, char **);
u_int key_size(const Key *);
void key_add_private(Key *);
Key *key_new_private(int);
void key_free(Key *);
Key *key_demote(const Key *);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
int key_write(const Key *, FILE *);
int key_read(Key *, char **);

Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
int key_type_from_name(char *);
int key_is_cert(const Key *);
int key_type_is_cert(int);
int key_type_plain(int);
int key_to_certified(Key *, int);
int key_drop_cert(Key *);
int key_certify(Key *, Key *);
void key_cert_copy(const Key *, struct Key *);
void key_cert_copy(const Key *, Key *);
int key_cert_check_authority(const Key *, int, int, const char *,
const char **);
int key_cert_is_legacy(const Key *);
char *key_alg_list(int, int);

int key_ecdsa_nid_from_name(const char *);
int key_curve_name_to_nid(const char *);
const char *key_curve_nid_to_name(int);
u_int key_curve_nid_to_bits(int);
int key_ecdsa_bits_to_nid(int);
#ifdef OPENSSL_HAS_ECC
int key_ecdsa_key_to_nid(EC_KEY *);
int key_ec_nid_to_hash_alg(int nid);
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
int key_ec_validate_private(const EC_KEY *);
#endif
char *key_alg_list(int, int);
#ifdef WITH_OPENSSL
int key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
int key_ec_validate_private(const EC_KEY *);
#endif /* WITH_OPENSSL */

Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);
const char *key_ssh_name(const Key *);
const char *key_ssh_name_plain(const Key *);
int key_names_valid2(const char *);
Key *key_from_blob(const u_char *, u_int);
int key_to_blob(const Key *, u_char **, u_int *);

int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);

int ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
int ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
int ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
int ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);

#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
void key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
void key_dump_ec_key(const EC_KEY *);
#endif

void key_private_serialize(const Key *, Buffer *);
Key *key_private_deserialize(Buffer *);
void key_private_serialize(const Key *, struct sshbuf *);
Key *key_private_deserialize(struct sshbuf *);

/* authfile.c */
int key_save_private(Key *, const char *, const char *, const char *,
int, const char *, int);
int key_load_file(int, const char *, struct sshbuf *);
Key *key_load_cert(const char *);
Key *key_load_public(const char *, char **);
Key *key_load_private(const char *, const char *, char **);
Key *key_load_private_cert(int, const char *, const char *, int *);
Key *key_load_private_type(int, const char *, const char *, char **, int *);
Key *key_load_private_pem(int, int, const char *, char **);
int key_perm_ok(int, const char *);
int key_in_file(Key *, const char *, int);

#endif
8 krl.c
View file
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

/* $OpenBSD: krl.c,v 1.16 2014/06/24 00:52:02 djm Exp $ */
/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */

#include "includes.h"

@@ -366,7 +366,7 @@ plain_key_blob(const Key *key, u_char **blob, u_int *blen)
}
r = key_to_blob(kcopy, blob, blen);
free(kcopy);
return r == 0 ? -1 : 0;
return r;
}

/* Revoke a key blob. Ownership of blob is transferred to the tree */
@@ -394,7 +394,7 @@ ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
u_int len;

debug3("%s: revoke type %s", __func__, key_type(key));
if (plain_key_blob(key, &blob, &len) != 0)
if (plain_key_blob(key, &blob, &len) < 0)
return -1;
return revoke_blob(&krl->revoked_keys, blob, len);
}
@@ -1130,7 +1130,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)

/* Next, explicit keys */
memset(&rb, 0, sizeof(rb));
if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
if (plain_key_blob(key, &rb.blob, &rb.len) < 0)
return -1;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
5 monitor.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: monitor.c,v 1.133 2014/05/03 17:20:34 markus Exp $ */
/* $OpenBSD: monitor.c,v 1.134 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,9 +40,10 @@
#endif
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
#include <unistd.h>
#ifdef HAVE_POLL_H
#include <poll.h>
141 openbsd-compat/openssl-compat.c
View file
@@ -1,4 +1,4 @@
/* $Id: openssl-compat.c,v 1.18 2014/06/17 13:06:08 dtucker Exp $ */
/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */

/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,6 +16,7 @@
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/

#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
#include "includes.h"

#include <stdarg.h>
@@ -26,13 +27,8 @@
# include <openssl/conf.h>
#endif

#ifndef HAVE_RSA_GET_DEFAULT_METHOD
# include <openssl/rsa.h>
#endif

#include "log.h"

#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
#include "openssl-compat.h"

/*
@@ -70,139 +66,6 @@ ssh_compatible_openssl(long headerver, long libver)
return 0;
}

#ifdef SSH_OLD_EVP
int
ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
unsigned char *key, unsigned char *iv, int enc)
{
EVP_CipherInit(evp, type, key, iv, enc);
return 1;
}

int
ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
{
EVP_Cipher(evp, dst, src, len);
return 1;
}

int
ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
{
EVP_CIPHER_CTX_cleanup(evp);
return 1;
}
#endif

#ifndef HAVE_EVP_DIGESTINIT_EX
int
EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
{
if (engine != NULL)
fatal("%s: ENGINE is not supported", __func__);
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
EVP_DigestInit(ctx, md);
return 1;
# else
return EVP_DigestInit(ctx, md);
# endif
}
#endif

#ifndef HAVE_EVP_DIGESTFINAL_EX
int
EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
{
# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
EVP_DigestFinal(ctx, md, s);
return 1;
# else
return EVP_DigestFinal(ctx, md, s);
# endif
}
#endif

#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
int
ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
{
EVP_DigestUpdate(ctx, d, cnt);
return 1;
}
#endif

#ifndef HAVE_EVP_MD_CTX_COPY_EX
int
EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
{
return EVP_MD_CTX_copy(out, in);
}
#endif

#ifndef HAVE_BN_IS_PRIME_EX
int
BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
{
if (cb != NULL)
fatal("%s: callback args not supported", __func__);
return BN_is_prime(p, nchecks, NULL, ctx, NULL);
}
#endif

#ifndef HAVE_RSA_GENERATE_KEY_EX
int
RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb)
{
RSA *new_rsa, tmp_rsa;
unsigned long e;

if (cb != NULL)
fatal("%s: callback args not supported", __func__);
e = BN_get_word(bn_e);
if (e == 0xffffffffL)
fatal("%s: value of e too large", __func__);
new_rsa = RSA_generate_key(bits, e, NULL, NULL);
if (new_rsa == NULL)
return 0;
/* swap rsa/new_rsa then free new_rsa */
tmp_rsa = *rsa;
*rsa = *new_rsa;
*new_rsa = tmp_rsa;
RSA_free(new_rsa);
return 1;
}
#endif

#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
int
DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed,
int seed_len, int *counter_ret, unsigned long *h_ret, void *cb)
{
DSA *new_dsa, tmp_dsa;

if (cb != NULL)
fatal("%s: callback args not supported", __func__);
new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len,
counter_ret, h_ret, NULL, NULL);
if (new_dsa == NULL)
return 0;
/* swap dsa/new_dsa then free new_dsa */
tmp_dsa = *dsa;
*dsa = *new_dsa;
*new_dsa = tmp_dsa;
DSA_free(new_dsa);
return 1;
}
#endif

#ifndef HAVE_RSA_GET_DEFAULT_METHOD
RSA_METHOD *
RSA_get_default_method(void)
{
return RSA_PKCS1_SSLeay();
}
#endif

#ifdef USE_OPENSSL_ENGINE
void
ssh_OpenSSL_add_all_algorithms(void)
118 openbsd-compat/openssl-compat.h
View file
@@ -1,4 +1,4 @@
/* $Id: openssl-compat.h,v 1.27 2014/06/17 13:06:08 dtucker Exp $ */
/* $Id: openssl-compat.h,v 1.28 2014/07/02 05:28:07 djm Exp $ */

/*
* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,22 +24,8 @@

int ssh_compatible_openssl(long, long);

/* Only in 0.9.8 */
#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
#endif
#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
#endif

/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
# define OPENSSL_free(x) Free(x)
#endif

#if OPENSSL_VERSION_NUMBER < 0x00906000L
# define SSH_OLD_EVP
# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
#error OpenSSL 0.9.8f or greater is required
#endif

#if OPENSSL_VERSION_NUMBER < 0x10000001L
@@ -48,31 +34,6 @@ int ssh_compatible_openssl(long, long);
# define LIBCRYPTO_EVP_INL_TYPE size_t
#endif

#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
# define USE_BUILTIN_RIJNDAEL
#endif

#ifdef USE_BUILTIN_RIJNDAEL
# include "rijndael.h"
# define AES_KEY rijndael_ctx
# define AES_BLOCK_SIZE 16
# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
# define EVP_aes_128_cbc evp_rijndael
# define EVP_aes_192_cbc evp_rijndael
# define EVP_aes_256_cbc evp_rijndael
const EVP_CIPHER *evp_rijndael(void);
void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
#endif

#ifndef OPENSSL_HAVE_EVPCTR
#define EVP_aes_128_ctr evp_aes_128_ctr
#define EVP_aes_192_ctr evp_aes_128_ctr
#define EVP_aes_256_ctr evp_aes_128_ctr
const EVP_CIPHER *evp_aes_128_ctr(void);
void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
#endif

/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
# define EVP_CTRL_GCM_SET_IV_FIXED -1
@@ -90,95 +51,24 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
# endif
#endif

#if OPENSSL_VERSION_NUMBER < 0x00907000L
#define EVP_X_STATE(evp) &(evp).c
#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
#else
#define EVP_X_STATE(evp) (evp).cipher_data
#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
#endif

/* OpenSSL 0.9.8e returns cipher key len not context key len */
#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
#endif

#ifndef HAVE_RSA_GET_DEFAULT_METHOD
RSA_METHOD *RSA_get_default_method(void);
#endif

/*
* We overload some of the OpenSSL crypto functions with ssh_* equivalents
* which cater for older and/or less featureful OpenSSL version.
* to automatically handle OpenSSL engine initialisation.
*
* In order for the compat library to call the real functions, it must
* define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
* implement the ssh_* equivalents.
*/
#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS

# ifdef SSH_OLD_EVP
# ifdef EVP_Cipher
# undef EVP_Cipher
# endif
# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
# endif /* SSH_OLD_EVP */

# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c))
# endif

# ifdef USE_OPENSSL_ENGINE
# ifdef OpenSSL_add_all_algorithms
# undef OpenSSL_add_all_algorithms
# endif
# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms()
# endif

# ifndef HAVE_BN_IS_PRIME_EX
int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *);
# endif

# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *,
unsigned long *, void *);
# endif

# ifndef HAVE_RSA_GENERATE_KEY_EX
int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *);
# endif

# ifndef HAVE_EVP_DIGESTINIT_EX
int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
# endif

# ifndef HAVE_EVP_DISESTFINAL_EX
int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
# endif

# ifndef EVP_MD_CTX_COPY_EX
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
# endif

int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
unsigned char *, int);
int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
void ssh_OpenSSL_add_all_algorithms(void);

# ifndef HAVE_HMAC_CTX_INIT
# define HMAC_CTX_init(a)
# endif

# ifndef HAVE_EVP_MD_CTX_INIT
# define EVP_MD_CTX_init(a)
# endif

# ifndef HAVE_EVP_MD_CTX_CLEANUP
# define EVP_MD_CTX_cleanup(a)
# endif

#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */

38 packet.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: packet.c,v 1.196 2014/05/03 17:20:34 markus Exp $ */
/* $OpenBSD: packet.c,v 1.197 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -78,6 +78,7 @@
#include "canohost.h"
#include "misc.h"
#include "ssh.h"
#include "ssherr.h"
#include "roaming.h"

#ifdef PACKET_DEBUG
@@ -222,17 +223,19 @@ void
packet_set_connection(int fd_in, int fd_out)
{
const Cipher *none = cipher_by_name("none");
int r;

if (none == NULL)
fatal("packet_set_connection: cannot load cipher 'none'");
if (active_state == NULL)
active_state = alloc_session_state();
active_state->connection_in = fd_in;
active_state->connection_out = fd_out;
cipher_init(&active_state->send_context, none, (const u_char *)"",
0, NULL, 0, CIPHER_ENCRYPT);
cipher_init(&active_state->receive_context, none, (const u_char *)"",
0, NULL, 0, CIPHER_DECRYPT);
if ((r = cipher_init(&active_state->send_context, none,
(const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
(r = cipher_init(&active_state->receive_context, none,
(const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0)
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL;
if (!active_state->initialized) {
active_state->initialized = 1;
@@ -329,13 +332,15 @@ void
packet_get_keyiv(int mode, u_char *iv, u_int len)
{
CipherContext *cc;
int r;

if (mode == MODE_OUT)
cc = &active_state->send_context;
else
cc = &active_state->receive_context;

cipher_get_keyiv(cc, iv, len);
if ((r = cipher_get_keyiv(cc, iv, len)) != 0)
fatal("%s: cipher_get_keyiv: %s", __func__, ssh_err(r));
}

int
@@ -381,13 +386,15 @@ void
packet_set_iv(int mode, u_char *dat)
{
CipherContext *cc;
int r;

if (mode == MODE_OUT)
cc = &active_state->send_context;
else
cc = &active_state->receive_context;

cipher_set_keyiv(cc, dat);
if ((r = cipher_set_keyiv(cc, dat)) != 0)
fatal("%s: cipher_set_keyiv: %s", __func__, ssh_err(r));
}

int
@@ -552,6 +559,7 @@ void
packet_set_encryption_key(const u_char *key, u_int keylen, int number)
{
const Cipher *cipher = cipher_by_number(number);
int r;

if (cipher == NULL)
fatal("packet_set_encryption_key: unknown cipher number %d", number);
@@ -561,10 +569,11 @@ packet_set_encryption_key(const u_char *key, u_int keylen, int number)
fatal("packet_set_encryption_key: keylen too big: %d", keylen);
memcpy(active_state->ssh1_key, key, keylen);
active_state->ssh1_keylen = keylen;
cipher_init(&active_state->send_context, cipher, key, keylen, NULL,
0, CIPHER_ENCRYPT);
cipher_init(&active_state->receive_context, cipher, key, keylen, NULL,
0, CIPHER_DECRYPT);
if ((r = cipher_init(&active_state->send_context, cipher,
key, keylen, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
(r = cipher_init(&active_state->receive_context, cipher,
key, keylen, NULL, 0, CIPHER_DECRYPT)) != 0)
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
}

u_int
@@ -744,7 +753,7 @@ set_newkeys(int mode)
Comp *comp;
CipherContext *cc;
u_int64_t *max_blocks;
int crypt_type;
int r, crypt_type;

debug2("set_newkeys: mode %d", mode);

@@ -786,8 +795,9 @@ set_newkeys(int mode)
if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
mac->enabled = 1;
DBG(debug("cipher_init_context: %d", mode));
cipher_init(cc, enc->cipher, enc->key, enc->key_len,
enc->iv, enc->iv_len, crypt_type);
if ((r = cipher_init(cc, enc->cipher, enc->key, enc->key_len,
enc->iv, enc->iv_len, crypt_type)) != 0)
fatal("%s: cipher_init: %s", __func__, ssh_err(r));
/* Deleting the keys does not gain extra security */
/* explicit_bzero(enc->iv, enc->block_size);
explicit_bzero(enc->key, enc->key_len);
113 rsa.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: rsa.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: rsa.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -67,85 +67,122 @@
#include <stdarg.h>
#include <string.h>

#include "xmalloc.h"
#include "rsa.h"
#include "log.h"
#include "ssherr.h"

void
int
rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
{
u_char *inbuf, *outbuf;
int len, ilen, olen;
u_char *inbuf = NULL, *outbuf = NULL;
int len, ilen, olen, r = SSH_ERR_INTERNAL_ERROR;

if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
fatal("rsa_public_encrypt() exponent too small or not odd");
return SSH_ERR_INVALID_ARGUMENT;

olen = BN_num_bytes(key->n);
outbuf = xmalloc(olen);
if ((outbuf = malloc(olen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}

ilen = BN_num_bytes(in);
inbuf = xmalloc(ilen);
if ((inbuf = malloc(ilen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
BN_bn2bin(in, inbuf);

if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key,
RSA_PKCS1_PADDING)) <= 0)
fatal("rsa_public_encrypt() failed");
RSA_PKCS1_PADDING)) <= 0) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

if (BN_bin2bn(outbuf, len, out) == NULL)
fatal("rsa_public_encrypt: BN_bin2bn failed");
if (BN_bin2bn(outbuf, len, out) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
r = 0;

explicit_bzero(outbuf, olen);
explicit_bzero(inbuf, ilen);
free(outbuf);
free(inbuf);
out:
if (outbuf != NULL) {
explicit_bzero(outbuf, olen);
free(outbuf);
}
if (inbuf != NULL) {
explicit_bzero(inbuf, ilen);
free(inbuf);
}
return r;
}

int
rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
{
u_char *inbuf, *outbuf;
int len, ilen, olen;
u_char *inbuf = NULL, *outbuf = NULL;
int len, ilen, olen, r = SSH_ERR_INTERNAL_ERROR;

olen = BN_num_bytes(key->n);
outbuf = xmalloc(olen);
if ((outbuf = malloc(olen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}

ilen = BN_num_bytes(in);
inbuf = xmalloc(ilen);
if ((inbuf = malloc(ilen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
BN_bn2bin(in, inbuf);

if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
RSA_PKCS1_PADDING)) <= 0) {
error("rsa_private_decrypt() failed");
} else {
if (BN_bin2bn(outbuf, len, out) == NULL)
fatal("rsa_private_decrypt: BN_bin2bn failed");
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
} else if (BN_bin2bn(outbuf, len, out) == NULL) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
r = 0;
out:
if (outbuf != NULL) {
explicit_bzero(outbuf, olen);
free(outbuf);
}
if (inbuf != NULL) {
explicit_bzero(inbuf, ilen);
free(inbuf);
}
explicit_bzero(outbuf, olen);
explicit_bzero(inbuf, ilen);
free(outbuf);
free(inbuf);
return len;
return r;
}

/* calculate p-1 and q-1 */
void
int
rsa_generate_additional_parameters(RSA *rsa)
{
BIGNUM *aux;
BN_CTX *ctx;
BIGNUM *aux = NULL;
BN_CTX *ctx = NULL;
int r;

if ((aux = BN_new()) == NULL)
fatal("rsa_generate_additional_parameters: BN_new failed");
if ((ctx = BN_CTX_new()) == NULL)
fatal("rsa_generate_additional_parameters: BN_CTX_new failed");
return SSH_ERR_ALLOC_FAIL;
if ((aux = BN_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}

if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) ||
(BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) ||
(BN_sub(aux, rsa->p, BN_value_one()) == 0) ||
(BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0))
fatal("rsa_generate_additional_parameters: BN_sub/mod failed");

(BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) {
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
r = 0;
out:
BN_clear_free(aux);
BN_CTX_free(ctx);
return r;
}

6 rsa.h
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: rsa.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
/* $OpenBSD: rsa.h,v 1.17 2014/06/24 01:13:21 djm Exp $ */

/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,8 +19,8 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>

void rsa_public_encrypt(BIGNUM *, BIGNUM *, RSA *);
int rsa_public_encrypt(BIGNUM *, BIGNUM *, RSA *);
int rsa_private_decrypt(BIGNUM *, BIGNUM *, RSA *);
void rsa_generate_additional_parameters(RSA *);
int rsa_generate_additional_parameters(RSA *);

#endif /* RSA_H */
24 ssh-add.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-add.c,v 1.109 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: ssh-add.c,v 1.110 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -62,6 +62,7 @@
#include "authfile.h"
#include "pathnames.h"
#include "misc.h"
#include "ssherr.h"

/* argv0 */
extern char *__progname;
@@ -170,7 +171,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
Key *private, *cert;
char *comment = NULL;
char msg[1024], *certpath = NULL;
int fd, perms_ok, ret = -1;
int r, fd, perms_ok, ret = -1;
Buffer keyblob;

if (strcmp(filename, "-") == 0) {
@@ -201,12 +202,18 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
close(fd);

/* At first, try empty passphrase */
private = key_parse_private(&keyblob, filename, "", &comment);
if ((r = sshkey_parse_private_fileblob(&keyblob, filename, "",
&private, &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE)
fatal("Cannot parse %s: %s", filename, ssh_err(r));
if (comment == NULL)
comment = xstrdup(filename);
/* try last */
if (private == NULL && pass != NULL)
private = key_parse_private(&keyblob, filename, pass, NULL);
if (private == NULL && pass != NULL) {
if ((r = sshkey_parse_private_fileblob(&keyblob, filename, pass,
&private, &comment)) != 0 &&
r != SSH_ERR_KEY_WRONG_PASSPHRASE)
fatal("Cannot parse %s: %s", filename, ssh_err(r));
}
if (private == NULL) {
/* clear passphrase since it did not work */
clear_pass();
@@ -220,8 +227,11 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
buffer_free(&keyblob);
return -1;
}
private = key_parse_private(&keyblob, filename, pass,
&comment);
if ((r = sshkey_parse_private_fileblob(&keyblob,
filename, pass, &private, &comment)) != 0 &&
r != SSH_ERR_KEY_WRONG_PASSPHRASE)
fatal("Cannot parse %s: %s",
filename, ssh_err(r));
if (private != NULL)
break;
clear_pass();
24 ssh-agent.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-agent.c,v 1.185 2014/04/29 18:01:49 markus Exp $ */
/* $OpenBSD: ssh-agent.c,v 1.186 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -278,7 +278,7 @@ process_authentication_challenge1(SocketEntry *e)
if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
Key *private = id->key;
/* Decrypt the challenge using the private key. */
if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
if (rsa_private_decrypt(challenge, challenge, private->rsa) != 0)
goto failure;

/* The response is MD5 of decrypted challenge plus session id. */
@@ -365,12 +365,16 @@ process_sign_request2(SocketEntry *e)
static void
process_remove_identity(SocketEntry *e, int version)
{
u_int blen, bits;
u_int blen;
int success = 0;
Key *key = NULL;
u_char *blob;
#ifdef WITH_SSH1
u_int bits;
#endif /* WITH_SSH1 */

switch (version) {
#ifdef WITH_SSH1
case 1:
key = key_new(KEY_RSA1);
bits = buffer_get_int(&e->request);
@@ -381,6 +385,7 @@ process_remove_identity(SocketEntry *e, int version)
logit("Warning: identity keysize mismatch: actual %u, announced %u",
key_size(key), bits);
break;
#endif /* WITH_SSH1 */
case 2:
blob = buffer_get_string(&e->request, &blen);
key = key_from_blob(blob, blen);
@@ -477,6 +482,7 @@ process_add_identity(SocketEntry *e, int version)
Key *k = NULL;

switch (version) {
#ifdef WITH_SSH1
case 1:
k = key_new_private(KEY_RSA1);
(void) buffer_get_int(&e->request); /* ignored */
@@ -490,7 +496,9 @@ process_add_identity(SocketEntry *e, int version)
buffer_get_bignum(&e->request, k->rsa->p); /* q */

/* Generate additional parameters */
rsa_generate_additional_parameters(k->rsa);
if (rsa_generate_additional_parameters(k->rsa) != 0)
fatal("%s: rsa_generate_additional_parameters "
"error", __func__);

/* enable blinding */
if (RSA_blinding_on(k->rsa, NULL) != 1) {
@@ -499,6 +507,7 @@ process_add_identity(SocketEntry *e, int version)
goto send;
}
break;
#endif /* WITH_SSH1 */
case 2:
k = key_private_deserialize(&e->request);
if (k == NULL) {
@@ -507,11 +516,10 @@ process_add_identity(SocketEntry *e, int version)
}
break;
}
comment = buffer_get_string(&e->request, NULL);
if (k == NULL) {
free(comment);
if (k == NULL)
goto send;
}
comment = buffer_get_string(&e->request, NULL);

while (buffer_len(&e->request)) {
switch ((type = buffer_get_char(&e->request))) {
case SSH_AGENT_CONSTRAIN_LIFETIME:
237 ssh-dss.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-dss.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: ssh-dss.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -33,157 +33,186 @@
#include <stdarg.h>
#include <string.h>

#include "xmalloc.h"
#include "buffer.h"
#include "sshbuf.h"
#include "compat.h"
#include "log.h"
#include "key.h"
#include "ssherr.h"
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"

#define INTBLOB_LEN 20
#define SIGBLOB_LEN (2*INTBLOB_LEN)

int
ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
DSA_SIG *sig;
DSA_SIG *sig = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
u_int rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
Buffer b;

if (key == NULL || key_type_plain(key->type) != KEY_DSA ||
key->dsa == NULL) {
error("%s: no DSA key", __func__);
return -1;
}

if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: ssh_digest_memory failed", __func__);
return -1;
}

sig = DSA_do_sign(digest, dlen, key->dsa);
explicit_bzero(digest, sizeof(digest));

if (sig == NULL) {
error("ssh_dss_sign: sign failed");
return -1;
size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
struct sshbuf *b = NULL;
int ret = SSH_ERR_INVALID_ARGUMENT;

if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;

if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen == 0)
return SSH_ERR_INTERNAL_ERROR;

if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

rlen = BN_num_bytes(sig->r);
slen = BN_num_bytes(sig->s);
if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
error("bad sig size %u %u", rlen, slen);
DSA_SIG_free(sig);
return -1;
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
explicit_bzero(sigblob, SIGBLOB_LEN);
BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
DSA_SIG_free(sig);
BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen);

if (datafellows & SSH_BUG_SIGBLOB) {
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
if (compat & SSH_BUG_SIGBLOB) {
if (sigp != NULL) {
*sigp = xmalloc(SIGBLOB_LEN);
if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sigblob, SIGBLOB_LEN);
}
if (lenp != NULL)
*lenp = SIGBLOB_LEN;
ret = 0;
} else {
/* ietf-drafts */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-dss");
buffer_put_string(&b, sigblob, SIGBLOB_LEN);
len = buffer_len(&b);
if (lenp != NULL)
*lenp = len;
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 ||
(ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
buffer_free(&b);
if (lenp != NULL)
*lenp = len;
ret = 0;
}
return 0;
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL)
DSA_SIG_free(sig);
if (b != NULL)
sshbuf_free(b);
return ret;
}

int
ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
ssh_dss_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
DSA_SIG *sig;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
u_int len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
int rlen, ret;
Buffer b;

if (key == NULL || key_type_plain(key->type) != KEY_DSA ||
key->dsa == NULL) {
error("%s: no DSA key", __func__);
return -1;
}
DSA_SIG *sig = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;

if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
if (dlen == 0)
return SSH_ERR_INTERNAL_ERROR;

/* fetch signature */
if (datafellows & SSH_BUG_SIGBLOB) {
sigblob = xmalloc(signaturelen);
if (compat & SSH_BUG_SIGBLOB) {
if ((sigblob = malloc(signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
memcpy(sigblob, signature, signaturelen);
len = signaturelen;
} else {
/* ietf-drafts */
char *ktype;
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_cstring(&b, NULL);
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (strcmp("ssh-dss", ktype) != 0) {
error("%s: cannot handle type %s", __func__, ktype);
buffer_free(&b);
free(ktype);
return -1;
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d",
__func__, rlen);
free(sigblob);
return -1;
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
}

if (len != SIGBLOB_LEN) {
fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}

/* parse signature */
if ((sig = DSA_SIG_new()) == NULL)
fatal("%s: DSA_SIG_new failed", __func__);
if ((sig->r = BN_new()) == NULL)
fatal("%s: BN_new failed", __func__);
if ((sig->s = BN_new()) == NULL)
fatal("ssh_dss_verify: BN_new failed");
if ((sig = DSA_SIG_new()) == NULL ||
(sig->r = BN_new()) == NULL ||
(sig->s = BN_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
fatal("%s: BN_bin2bn failed", __func__);

/* clean up */
explicit_bzero(sigblob, len);
free(sigblob);
(BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

/* sha1 the data */
if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

ret = DSA_do_verify(digest, dlen, sig, key->dsa);
out:
explicit_bzero(digest, sizeof(digest));

DSA_SIG_free(sig);

debug("%s: signature %s", __func__,
ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
if (sig != NULL)
DSA_SIG_free(sig);
if (b != NULL)
sshbuf_free(b);
if (ktype != NULL)
free(ktype);
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
}
return ret;
}
232 ssh-ecdsa.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-ecdsa.c,v 1.10 2014/02/03 23:28:00 djm Exp $ */
/* $OpenBSD: ssh-ecdsa.c,v 1.11 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2010 Damien Miller. All rights reserved.
@@ -37,141 +37,155 @@

#include <string.h>

#include "xmalloc.h"
#include "buffer.h"
#include "compat.h"
#include "log.h"
#include "key.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"

/* ARGSUSED */
int
ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
ECDSA_SIG *sig;
ECDSA_SIG *sig = NULL;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH];
u_int len, dlen;
Buffer b, bb;
size_t len, dlen;
struct sshbuf *b = NULL, *bb = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;

if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
key->ecdsa == NULL) {
error("%s: no ECDSA key", __func__);
return -1;
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;

if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;

if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
(dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}

sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
explicit_bzero(digest, sizeof(digest));

if (sig == NULL) {
error("%s: sign failed", __func__);
return -1;
if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
(ret = sshbuf_put_bignum2(bb, sig->s)) != 0)
goto out;
if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
(ret = sshbuf_put_stringb(b, bb)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}

buffer_init(&bb);
buffer_put_bignum2(&bb, sig->r);
buffer_put_bignum2(&bb, sig->s);
ECDSA_SIG_free(sig);

buffer_init(&b);
buffer_put_cstring(&b, key_ssh_name_plain(key));
buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb));
buffer_free(&bb);
len = buffer_len(&b);
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
}
buffer_free(&b);

return 0;
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
if (b != NULL)
sshbuf_free(b);
if (bb != NULL)
sshbuf_free(bb);
if (sig != NULL)
ECDSA_SIG_free(sig);
return ret;
}

/* ARGSUSED */
int
ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
ssh_ecdsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
ECDSA_SIG *sig;
ECDSA_SIG *sig = NULL;
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
u_int len, dlen;
int rlen, ret;
Buffer b, bb;
char *ktype;

if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
key->ecdsa == NULL) {
error("%s: no ECDSA key", __func__);
return -1;
}
u_char digest[SSH_DIGEST_MAX_LENGTH];
size_t dlen;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL, *sigbuf = NULL;
char *ktype = NULL;

if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;

if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
(dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;

/* fetch signature */
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_string(&b, NULL);
if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
error("%s: cannot handle type %s", __func__, ktype);
buffer_free(&b);
free(ktype);
return -1;
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
sshbuf_froms(b, &sigbuf) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
free(sigblob);
return -1;
if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}

/* parse signature */
if ((sig = ECDSA_SIG_new()) == NULL)
fatal("%s: ECDSA_SIG_new failed", __func__);

buffer_init(&bb);
buffer_append(&bb, sigblob, len);
buffer_get_bignum2(&bb, sig->r);
buffer_get_bignum2(&bb, sig->s);
if (buffer_len(&bb) != 0)
fatal("%s: remaining bytes in inner sigblob", __func__);
buffer_free(&bb);

/* clean up */
explicit_bzero(sigblob, len);
free(sigblob);

/* hash the data */
hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
if ((sig = ECDSA_SIG_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
sshbuf_get_bignum2(sigbuf, sig->s) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (sshbuf_len(sigbuf) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: digest_memory failed", __func__);
return -1;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
case 1:
ret = 0;
break;
case 0:
ret = SSH_ERR_SIGNATURE_INVALID;
goto out;
default:
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}

ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
out:
explicit_bzero(digest, sizeof(digest));

ECDSA_SIG_free(sig);

debug("%s: signature %s", __func__,
ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
if (sigbuf != NULL)
sshbuf_free(sigbuf);
if (b != NULL)
sshbuf_free(b);
if (sig != NULL)
ECDSA_SIG_free(sig);
free(ktype);
return ret;
}

183 ssh-ed25519.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-ed25519.c,v 1.3 2014/02/23 20:03:42 djm Exp $ */
/* $OpenBSD: ssh-ed25519.c,v 1.4 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2013 Markus Friedl <markus@openbsd.org>
*
@@ -18,132 +18,149 @@
#include "includes.h"

#include <sys/types.h>
#include <limits.h>

#include "crypto_api.h"

#include <limits.h>
#include <string.h>
#include <stdarg.h>

#include "xmalloc.h"
#include "log.h"
#include "buffer.h"
#include "key.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "ssherr.h"
#include "ssh.h"

int
ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
u_char *sig;
u_int slen, len;
u_char *sig = NULL;
size_t slen = 0, len;
unsigned long long smlen;
int ret;
Buffer b;
int r, ret;
struct sshbuf *b = NULL;

if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
key->ed25519_sk == NULL) {
error("%s: no ED25519 key", __func__);
return -1;
}
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;

if (datalen >= UINT_MAX - crypto_sign_ed25519_BYTES) {
error("%s: datalen %u too long", __func__, datalen);
return -1;
}
if (key == NULL ||
sshkey_type_plain(key->type) != KEY_ED25519 ||
key->ed25519_sk == NULL ||
datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
return SSH_ERR_INVALID_ARGUMENT;
smlen = slen = datalen + crypto_sign_ed25519_BYTES;
sig = xmalloc(slen);
if ((sig = malloc(slen)) == NULL)
return SSH_ERR_ALLOC_FAIL;

if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen,
key->ed25519_sk)) != 0 || smlen <= datalen) {
error("%s: crypto_sign_ed25519 failed: %d", __func__, ret);
free(sig);
return -1;
r = SSH_ERR_INVALID_ARGUMENT; /* XXX better error? */
goto out;
}
/* encode signature */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-ed25519");
buffer_put_string(&b, sig, smlen - datalen);
len = buffer_len(&b);
if ((b = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((r = sshbuf_put_cstring(b, "ssh-ed25519")) != 0 ||
(r = sshbuf_put_string(b, sig, smlen - datalen)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
/* success */
r = 0;
out:
sshbuf_free(b);
if (sig != NULL) {
explicit_bzero(sig, slen);
free(sig);
}
buffer_free(&b);
explicit_bzero(sig, slen);
free(sig);

return 0;
return r;
}

int
ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
ssh_ed25519_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
Buffer b;
char *ktype;
u_char *sigblob, *sm, *m;
u_int len;
unsigned long long smlen, mlen;
int rlen, ret;
struct sshbuf *b = NULL;
char *ktype = NULL;
const u_char *sigblob;
u_char *sm = NULL, *m = NULL;
size_t len;
unsigned long long smlen = 0, mlen = 0;
int r, ret;

if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
key->ed25519_pk == NULL) {
error("%s: no ED25519 key", __func__);
return -1;
}
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_cstring(&b, NULL);
if (key == NULL ||
sshkey_type_plain(key->type) != KEY_ED25519 ||
key->ed25519_pk == NULL ||
datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
return SSH_ERR_INVALID_ARGUMENT;

if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 ||
(r = sshbuf_get_string_direct(b, &sigblob, &len)) != 0)
goto out;
if (strcmp("ssh-ed25519", ktype) != 0) {
error("%s: cannot handle type %s", __func__, ktype);
buffer_free(&b);
free(ktype);
return -1;
r = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
free(sigblob);
return -1;
if (sshbuf_len(b) != 0) {
r = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
if (len > crypto_sign_ed25519_BYTES) {
error("%s: len %u > crypto_sign_ed25519_BYTES %u", __func__,
len, crypto_sign_ed25519_BYTES);
free(sigblob);
return -1;
r = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (datalen >= SIZE_MAX - len)
return SSH_ERR_INVALID_ARGUMENT;
smlen = len + datalen;
sm = xmalloc(smlen);
mlen = smlen;
if ((sm = malloc(smlen)) == NULL || (m = xmalloc(mlen)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(sm, sigblob, len);
memcpy(sm+len, data, datalen);
mlen = smlen;
m = xmalloc(mlen);
if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen,
key->ed25519_pk)) != 0) {
debug2("%s: crypto_sign_ed25519_open failed: %d",
__func__, ret);
}
if (ret == 0 && mlen != datalen) {
debug2("%s: crypto_sign_ed25519_open "
"mlen != datalen (%llu != %u)", __func__, mlen, datalen);
ret = -1;
if (ret != 0 || mlen != datalen) {
r = SSH_ERR_SIGNATURE_INVALID;
goto out;
}
/* XXX compare 'm' and 'data' ? */

explicit_bzero(sigblob, len);
explicit_bzero(sm, smlen);
explicit_bzero(m, smlen); /* NB. mlen may be invalid if ret != 0 */
free(sigblob);
free(sm);
free(m);
debug("%s: signature %scorrect", __func__, (ret != 0) ? "in" : "");

/* translate return code carefully */
return (ret == 0) ? 1 : -1;
/* success */
r = 0;
out:
if (sm != NULL) {
explicit_bzero(sm, smlen);
free(sm);
}
if (m != NULL) {
explicit_bzero(m, smlen); /* NB mlen may be invalid if r != 0 */
free(m);
}
sshbuf_free(b);
free(ktype);
return r;
}

20 ssh-keygen.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.246 2014/04/29 18:01:49 markus Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.247 2014/06/24 01:13:21 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -482,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
buffer_get_bignum_bits(&b, key->rsa->iqmp);
buffer_get_bignum_bits(&b, key->rsa->q);
buffer_get_bignum_bits(&b, key->rsa->p);
rsa_generate_additional_parameters(key->rsa);
if (rsa_generate_additional_parameters(key->rsa) != 0)
fatal("%s: rsa_generate_additional_parameters "
"error", __func__);
break;
}
rlen = buffer_len(&b);
@@ -1637,12 +1639,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
public->cert->valid_after = cert_valid_from;
public->cert->valid_before = cert_valid_to;
if (v00) {
prepare_options_buf(&public->cert->critical,
prepare_options_buf(public->cert->critical,
OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
} else {
prepare_options_buf(&public->cert->critical,
prepare_options_buf(public->cert->critical,
OPTIONS_CRITICAL);
prepare_options_buf(&public->cert->extensions,
prepare_options_buf(public->cert->extensions,
OPTIONS_EXTENSIONS);
}
public->cert->signature_key = key_from_private(ca);
@@ -1913,19 +1915,19 @@ do_show_cert(struct passwd *pw)
printf("\n");
}
printf(" Critical Options: ");
if (buffer_len(&key->cert->critical) == 0)
if (buffer_len(key->cert->critical) == 0)
printf("(none)\n");
else {
printf("\n");
show_options(&key->cert->critical, v00, 1);
show_options(key->cert->critical, v00, 1);
}
if (!v00) {
printf(" Extensions: ");
if (buffer_len(&key->cert->extensions) == 0)
if (buffer_len(key->cert->extensions) == 0)
printf("(none)\n");
else {
printf("\n");
show_options(&key->cert->extensions, v00, 0);
show_options(key->cert->extensions, v00, 0);
}
}
exit(0);
4 ssh-pkcs11-client.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */
/* $OpenBSD: ssh-pkcs11-client.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -30,6 +30,8 @@
#include <unistd.h>
#include <errno.h>

#include <openssl/rsa.h>

#include "pathnames.h"
#include "xmalloc.h"
#include "buffer.h"
8 ssh-pkcs11-helper.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11-helper.c,v 1.7 2013/12/02 02:56:17 djm Exp $ */
/* $OpenBSD: ssh-pkcs11-helper.c,v 1.8 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -169,7 +169,7 @@ process_sign(void)
{
u_char *blob, *data, *signature = NULL;
u_int blen, dlen, slen = 0;
int ok = -1, ret;
int ok = -1;
Key *key, *found;
Buffer msg;

@@ -179,13 +179,17 @@ process_sign(void)

if ((key = key_from_blob(blob, blen)) != NULL) {
if ((found = lookup_key(key)) != NULL) {
#ifdef WITH_OPENSSL
int ret;

slen = RSA_size(key->rsa);
signature = xmalloc(slen);
if ((ret = RSA_private_encrypt(dlen, data, signature,
found->rsa, RSA_PKCS1_PADDING)) != -1) {
slen = ret;
ok = 0;
}
#endif /* WITH_OPENSSL */
}
key_free(key);
}
4 ssh-pkcs11.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11.c,v 1.13 2014/05/02 03:27:54 djm Exp $ */
/* $OpenBSD: ssh-pkcs11.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -520,7 +520,7 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
key = key_new(KEY_UNSPEC);
key->rsa = rsa;
key->type = KEY_RSA;
key->flags |= KEY_FLAG_EXT;
key->flags |= SSHKEY_FLAG_EXT;
if (pkcs11_key_included(keysp, nkeys, key)) {
key_free(key);
} else {
260 ssh-rsa.c
View file
@@ -1,4 +1,4 @@
/* $OpenBSD: ssh-rsa.c,v 1.51 2014/02/02 03:44:31 djm Exp $ */
/* $OpenBSD: ssh-rsa.c,v 1.52 2014/06/24 01:13:21 djm Exp $ */
/*
* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
*
@@ -25,163 +25,167 @@
#include <stdarg.h>
#include <string.h>

#include "xmalloc.h"
#include "log.h"
#include "buffer.h"
#include "key.h"
#include "sshbuf.h"
#include "compat.h"
#include "misc.h"
#include "ssh.h"
#include "ssherr.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "digest.h"

static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
int hash_alg;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sig;
u_int slen, dlen, len;
int ok, nid;
Buffer b;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
size_t slen;
u_int dlen, len;
int nid, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;

if (key == NULL || key_type_plain(key->type) != KEY_RSA ||
key->rsa == NULL) {
error("%s: no RSA key", __func__);
return -1;
}
if (lenp != NULL)
*lenp = 0;
if (sigp != NULL)
*sigp = NULL;

if (key == NULL || key->rsa == NULL ||
sshkey_type_plain(key->type) != KEY_RSA)
return SSH_ERR_INVALID_ARGUMENT;
slen = RSA_size(key->rsa);
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
return SSH_ERR_INVALID_ARGUMENT;

/* hash the data */
hash_alg = SSH_DIGEST_SHA1;
nid = NID_sha1;
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: ssh_digest_memory failed", __func__);
return -1;
}

slen = RSA_size(key->rsa);
sig = xmalloc(slen);

ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
explicit_bzero(digest, sizeof(digest));
if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
return SSH_ERR_INTERNAL_ERROR;
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

if (ok != 1) {
int ecode = ERR_get_error();
if ((sig = malloc(slen)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}

error("%s: RSA_sign failed: %s", __func__,
ERR_error_string(ecode, NULL));
free(sig);
return -1;
if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
if (len < slen) {
u_int diff = slen - len;
debug("slen %u > len %u", slen, len);
size_t diff = slen - len;
memmove(sig + diff, sig, len);
explicit_bzero(sig, diff);
} else if (len > slen) {
error("%s: slen %u slen2 %u", __func__, slen, len);
free(sig);
return -1;
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
/* encode signature */
buffer_init(&b);
buffer_put_cstring(&b, "ssh-rsa");
buffer_put_string(&b, sig, slen);
len = buffer_len(&b);
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 ||
(ret = sshbuf_put_string(b, sig, slen)) != 0)
goto out;
len = sshbuf_len(b);
if (sigp != NULL) {
if ((*sigp = malloc(len)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memcpy(*sigp, sshbuf_ptr(b), len);
}
if (lenp != NULL)
*lenp = len;
if (sigp != NULL) {
*sigp = xmalloc(len);
memcpy(*sigp, buffer_ptr(&b), len);
ret = 0;
out:
explicit_bzero(digest, sizeof(digest));
if (sig != NULL) {
explicit_bzero(sig, slen);
free(sig);
}
buffer_free(&b);
explicit_bzero(sig, slen);
free(sig);

if (b != NULL)
sshbuf_free(b);
return 0;
}

int
ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
const u_char *data, u_int datalen)
ssh_rsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
Buffer b;
int hash_alg;
char *ktype;
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
u_int len, dlen, modlen;
int rlen, ret;
char *ktype = NULL;
int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
size_t len, diff, modlen, dlen;
struct sshbuf *b = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;

if (key == NULL || key_type_plain(key->type) != KEY_RSA ||
key->rsa == NULL) {
error("%s: no RSA key", __func__);
return -1;
}
if (key == NULL || key->rsa == NULL ||
sshkey_type_plain(key->type) != KEY_RSA ||
BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_INVALID_ARGUMENT;

if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
error("%s: RSA modulus too small: %d < minimum %d bits",
__func__, BN_num_bits(key->rsa->n),
SSH_RSA_MINIMUM_MODULUS_SIZE);
return -1;
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
return SSH_ERR_ALLOC_FAIL;
if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
buffer_init(&b);
buffer_append(&b, signature, signaturelen);
ktype = buffer_get_cstring(&b, NULL);
if (strcmp("ssh-rsa", ktype) != 0) {
error("%s: cannot handle type %s", __func__, ktype);
buffer_free(&b);
free(ktype);
return -1;
ret = SSH_ERR_KEY_TYPE_MISMATCH;
goto out;
}
free(ktype);
sigblob = buffer_get_string(&b, &len);
rlen = buffer_len(&b);
buffer_free(&b);
if (rlen != 0) {
error("%s: remaining bytes in signature %d", __func__, rlen);
free(sigblob);
return -1;
if (sshbuf_get_string(b, &sigblob, &len) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
goto out;
}
if (sshbuf_len(b) != 0) {
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
}
/* RSA_verify expects a signature of RSA_size */
modlen = RSA_size(key->rsa);
if (len > modlen) {
error("%s: len %u > modlen %u", __func__, len, modlen);
free(sigblob);
return -1;
ret = SSH_ERR_KEY_BITS_MISMATCH;
goto out;
} else if (len < modlen) {
u_int diff = modlen - len;
debug("%s: add padding: modlen %u > len %u", __func__,
modlen, len);
sigblob = xrealloc(sigblob, 1, modlen);
diff = modlen - len;
osigblob = sigblob;
if ((sigblob = realloc(sigblob, modlen)) == NULL) {
sigblob = osigblob; /* put it back for clear/free */
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
memmove(sigblob + diff, sigblob, len);
explicit_bzero(sigblob, diff);
len = modlen;
}
/* hash the data */
hash_alg = SSH_DIGEST_SHA1;
if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
error("%s: bad hash algorithm %d", __func__, hash_alg);
return -1;
}
if (ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest)) != 0) {
error("%s: ssh_digest_memory failed", __func__);
return -1;
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
if ((ret = ssh_digest_memory(hash_alg, data, datalen,
digest, sizeof(digest))) != 0)
goto out;

ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
key->rsa);
out:
if (sigblob != NULL) {
explicit_bzero(sigblob, len);
free(sigblob);
}
if (ktype != NULL)
free(ktype);
if (b != NULL)
sshbuf_free(b);
explicit_bzero(digest, sizeof(digest));
explicit_bzero(sigblob, len);
free(sigblob);
debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : "");
return ret;
}

@@ -204,15 +208,15 @@ static const u_char id_sha1[] = {
};

static int
openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen,
u_char *sigbuf, u_int siglen, RSA *rsa)
openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
u_char *sigbuf, size_t siglen, RSA *rsa)
{
u_int ret, rsasize, oidlen = 0, hlen = 0;
size_t ret, rsasize = 0, oidlen = 0, hlen = 0;
int len, oidmatch, hashmatch;
const u_char *oid = NULL;
u_char *decrypted = NULL;

ret = 0;
ret = SSH_ERR_INTERNAL_ERROR;
switch (hash_alg) {
case SSH_DIGEST_SHA1:
oid = id_sha1;
@@ -223,37 +227,39 @@ openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen,
goto done;
}
if (hashlen != hlen) {
error("bad hashlen");
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
rsasize = RSA_size(rsa);
if (siglen == 0 || siglen > rsasize) {
error("bad siglen");
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
siglen == 0 || siglen > rsasize) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
if ((decrypted = malloc(rsasize)) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto done;
}
decrypted = xmalloc(rsasize);
if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
RSA_PKCS1_PADDING)) < 0) {
error("RSA_public_decrypt failed: %s",
ERR_error_string(ERR_get_error(), NULL));
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto done;
}
if (len < 0 || (u_int)len != hlen + oidlen) {
error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
if (len < 0 || (size_t)len != hlen + oidlen) {
ret = SSH_ERR_INVALID_FORMAT;
goto done;
}
oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
if (!oidmatch) {
error("oid mismatch");
goto done;
}
if (!hashmatch) {
error("hash mismatch");
if (!oidmatch || !hashmatch) {
ret = SSH_ERR_SIGNATURE_INVALID;
goto done;
}
ret = 1;
ret = 0;
done:
free(decrypted);
if (decrypted) {
explicit_bzero(decrypted, rsasize);
free(decrypted);
}
return ret;
}