xref: /freebsd/crypto/openssh/regress/misc/sk-dummy/sk-dummy.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*
2  * Copyright (c) 2019 Markus Friedl
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "includes.h"
18 
19 #ifdef HAVE_STDINT_H
20 #include <stdint.h>
21 #endif
22 #include <stdlib.h>
23 #include <string.h>
24 #include <stdio.h>
25 #include <stddef.h>
26 #include <stdarg.h>
27 #ifdef HAVE_SHA2_H
28 #include <sha2.h>
29 #endif
30 
31 #include "crypto_api.h"
32 #include "sk-api.h"
33 
34 #if defined(WITH_OPENSSL) && !defined(OPENSSL_HAS_ECC)
35 # undef WITH_OPENSSL
36 #endif
37 
38 #ifdef WITH_OPENSSL
39 /* We don't use sha2 from OpenSSL and they can conflict with system sha2.h */
40 #define OPENSSL_NO_SHA
41 #define USE_LIBC_SHA2	/* NetBSD 9 */
42 #include <openssl/opensslv.h>
43 #include <openssl/crypto.h>
44 #include <openssl/evp.h>
45 #include <openssl/bn.h>
46 #include <openssl/ec.h>
47 #include <openssl/ecdsa.h>
48 #include <openssl/pem.h>
49 
50 /* Compatibility with OpenSSH 1.0.x */
51 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
52 #define ECDSA_SIG_get0(sig, pr, ps) \
53 	do { \
54 		(*pr) = sig->r; \
55 		(*ps) = sig->s; \
56 	} while (0)
57 #endif
58 #endif /* WITH_OPENSSL */
59 
60 /* #define SK_DEBUG 1 */
61 
62 #if SSH_SK_VERSION_MAJOR != 0x000a0000
63 # error SK API has changed, sk-dummy.c needs an update
64 #endif
65 
66 #ifdef SK_DUMMY_INTEGRATE
67 # define sk_api_version		ssh_sk_api_version
68 # define sk_enroll		ssh_sk_enroll
69 # define sk_sign		ssh_sk_sign
70 # define sk_load_resident_keys	ssh_sk_load_resident_keys
71 #endif /* !SK_STANDALONE */
72 
73 static void skdebug(const char *func, const char *fmt, ...)
74     __attribute__((__format__ (printf, 2, 3)));
75 
76 static void
77 skdebug(const char *func, const char *fmt, ...)
78 {
79 #if defined(SK_DEBUG)
80 	va_list ap;
81 
82 	va_start(ap, fmt);
83 	fprintf(stderr, "sk-dummy %s: ", func);
84 	vfprintf(stderr, fmt, ap);
85 	fputc('\n', stderr);
86 	va_end(ap);
87 #else
88 	(void)func; /* XXX */
89 	(void)fmt; /* XXX */
90 #endif
91 }
92 
93 uint32_t
94 sk_api_version(void)
95 {
96 	return SSH_SK_VERSION_MAJOR;
97 }
98 
99 static int
100 pack_key_ecdsa(struct sk_enroll_response *response)
101 {
102 #ifdef OPENSSL_HAS_ECC
103 	EC_KEY *key = NULL;
104 	const EC_GROUP *g;
105 	const EC_POINT *q;
106 	int ret = -1;
107 	long privlen;
108 	BIO *bio = NULL;
109 	char *privptr;
110 
111 	response->public_key = NULL;
112 	response->public_key_len = 0;
113 	response->key_handle = NULL;
114 	response->key_handle_len = 0;
115 
116 	if ((key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {
117 		skdebug(__func__, "EC_KEY_new_by_curve_name");
118 		goto out;
119 	}
120 	if (EC_KEY_generate_key(key) != 1) {
121 		skdebug(__func__, "EC_KEY_generate_key");
122 		goto out;
123 	}
124 	EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);
125 	if ((bio = BIO_new(BIO_s_mem())) == NULL ||
126 	    (g = EC_KEY_get0_group(key)) == NULL ||
127 	    (q = EC_KEY_get0_public_key(key)) == NULL) {
128 		skdebug(__func__, "couldn't get key parameters");
129 		goto out;
130 	}
131 	response->public_key_len = EC_POINT_point2oct(g, q,
132 	    POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
133 	if (response->public_key_len == 0 || response->public_key_len > 2048) {
134 		skdebug(__func__, "bad pubkey length %zu",
135 		    response->public_key_len);
136 		goto out;
137 	}
138 	if ((response->public_key = malloc(response->public_key_len)) == NULL) {
139 		skdebug(__func__, "malloc pubkey failed");
140 		goto out;
141 	}
142 	if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
143 	    response->public_key, response->public_key_len, NULL) == 0) {
144 		skdebug(__func__, "EC_POINT_point2oct failed");
145 		goto out;
146 	}
147 	/* Key handle contains PEM encoded private key */
148 	if (!PEM_write_bio_ECPrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) {
149 		skdebug(__func__, "PEM_write_bio_ECPrivateKey failed");
150 		goto out;
151 	}
152 	if ((privlen = BIO_get_mem_data(bio, &privptr)) <= 0) {
153 		skdebug(__func__, "BIO_get_mem_data failed");
154 		goto out;
155 	}
156 	if ((response->key_handle = malloc(privlen)) == NULL) {
157 		skdebug(__func__, "malloc key_handle failed");
158 		goto out;
159 	}
160 	response->key_handle_len = (size_t)privlen;
161 	memcpy(response->key_handle, privptr, response->key_handle_len);
162 	/* success */
163 	ret = 0;
164  out:
165 	if (ret != 0) {
166 		if (response->public_key != NULL) {
167 			memset(response->public_key, 0,
168 			    response->public_key_len);
169 			free(response->public_key);
170 			response->public_key = NULL;
171 		}
172 		if (response->key_handle != NULL) {
173 			memset(response->key_handle, 0,
174 			    response->key_handle_len);
175 			free(response->key_handle);
176 			response->key_handle = NULL;
177 		}
178 	}
179 	BIO_free(bio);
180 	EC_KEY_free(key);
181 	return ret;
182 #else
183 	return -1;
184 #endif
185 }
186 
187 static int
188 pack_key_ed25519(struct sk_enroll_response *response)
189 {
190 	int ret = -1;
191 	u_char pk[crypto_sign_ed25519_PUBLICKEYBYTES];
192 	u_char sk[crypto_sign_ed25519_SECRETKEYBYTES];
193 
194 	response->public_key = NULL;
195 	response->public_key_len = 0;
196 	response->key_handle = NULL;
197 	response->key_handle_len = 0;
198 
199 	memset(pk, 0, sizeof(pk));
200 	memset(sk, 0, sizeof(sk));
201 	crypto_sign_ed25519_keypair(pk, sk);
202 
203 	response->public_key_len = sizeof(pk);
204 	if ((response->public_key = malloc(response->public_key_len)) == NULL) {
205 		skdebug(__func__, "malloc pubkey failed");
206 		goto out;
207 	}
208 	memcpy(response->public_key, pk, sizeof(pk));
209 	/* Key handle contains sk */
210 	response->key_handle_len = sizeof(sk);
211 	if ((response->key_handle = malloc(response->key_handle_len)) == NULL) {
212 		skdebug(__func__, "malloc key_handle failed");
213 		goto out;
214 	}
215 	memcpy(response->key_handle, sk, sizeof(sk));
216 	/* success */
217 	ret = 0;
218  out:
219 	if (ret != 0)
220 		free(response->public_key);
221 	return ret;
222 }
223 
224 static int
225 check_options(struct sk_option **options)
226 {
227 	size_t i;
228 
229 	if (options == NULL)
230 		return 0;
231 	for (i = 0; options[i] != NULL; i++) {
232 		skdebug(__func__, "requested unsupported option %s",
233 		    options[i]->name);
234 		if (options[i]->required) {
235 			skdebug(__func__, "unknown required option");
236 			return -1;
237 		}
238 	}
239 	return 0;
240 }
241 
242 int
243 sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
244     const char *application, uint8_t flags, const char *pin,
245     struct sk_option **options, struct sk_enroll_response **enroll_response)
246 {
247 	struct sk_enroll_response *response = NULL;
248 	int ret = SSH_SK_ERR_GENERAL;
249 
250 	(void)flags; /* XXX; unused */
251 
252 	if (enroll_response == NULL) {
253 		skdebug(__func__, "enroll_response == NULL");
254 		goto out;
255 	}
256 	*enroll_response = NULL;
257 	if (check_options(options) != 0)
258 		goto out; /* error already logged */
259 	if ((response = calloc(1, sizeof(*response))) == NULL) {
260 		skdebug(__func__, "calloc response failed");
261 		goto out;
262 	}
263 	response->flags = flags;
264 	switch(alg) {
265 	case SSH_SK_ECDSA:
266 		if (pack_key_ecdsa(response) != 0)
267 			goto out;
268 		break;
269 	case SSH_SK_ED25519:
270 		if (pack_key_ed25519(response) != 0)
271 			goto out;
272 		break;
273 	default:
274 		skdebug(__func__, "unsupported key type %d", alg);
275 		return -1;
276 	}
277 	/* Have to return something here */
278 	if ((response->signature = calloc(1, 1)) == NULL) {
279 		skdebug(__func__, "calloc signature failed");
280 		goto out;
281 	}
282 	response->signature_len = 0;
283 
284 	*enroll_response = response;
285 	response = NULL;
286 	ret = 0;
287  out:
288 	if (response != NULL) {
289 		free(response->public_key);
290 		free(response->key_handle);
291 		free(response->signature);
292 		free(response->attestation_cert);
293 		free(response);
294 	}
295 	return ret;
296 }
297 
298 static void
299 dump(const char *preamble, const void *sv, size_t l)
300 {
301 #ifdef SK_DEBUG
302 	const u_char *s = (const u_char *)sv;
303 	size_t i;
304 
305 	fprintf(stderr, "%s (len %zu):\n", preamble, l);
306 	for (i = 0; i < l; i++) {
307 		if (i % 16 == 0)
308 			fprintf(stderr, "%04zu: ", i);
309 		fprintf(stderr, "%02x", s[i]);
310 		if (i % 16 == 15 || i == l - 1)
311 			fprintf(stderr, "\n");
312 	}
313 #endif
314 }
315 
316 static int
317 sig_ecdsa(const uint8_t *message, size_t message_len,
318     const char *application, uint32_t counter, uint8_t flags,
319     const uint8_t *key_handle, size_t key_handle_len,
320     struct sk_sign_response *response)
321 {
322 #ifdef OPENSSL_HAS_ECC
323 	ECDSA_SIG *sig = NULL;
324 	const BIGNUM *sig_r, *sig_s;
325 	int ret = -1;
326 	BIO *bio = NULL;
327 	EVP_PKEY *pk = NULL;
328 	EC_KEY *ec = NULL;
329 	SHA2_CTX ctx;
330 	uint8_t	apphash[SHA256_DIGEST_LENGTH];
331 	uint8_t	sighash[SHA256_DIGEST_LENGTH];
332 	uint8_t countbuf[4];
333 
334 	/* Decode EC_KEY from key handle */
335 	if ((bio = BIO_new(BIO_s_mem())) == NULL ||
336 	    BIO_write(bio, key_handle, key_handle_len) != (int)key_handle_len) {
337 		skdebug(__func__, "BIO setup failed");
338 		goto out;
339 	}
340 	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, "")) == NULL) {
341 		skdebug(__func__, "PEM_read_bio_PrivateKey failed");
342 		goto out;
343 	}
344 	if (EVP_PKEY_base_id(pk) != EVP_PKEY_EC) {
345 		skdebug(__func__, "Not an EC key: %d", EVP_PKEY_base_id(pk));
346 		goto out;
347 	}
348 	if ((ec = EVP_PKEY_get1_EC_KEY(pk)) == NULL) {
349 		skdebug(__func__, "EVP_PKEY_get1_EC_KEY failed");
350 		goto out;
351 	}
352 	/* Expect message to be pre-hashed */
353 	if (message_len != SHA256_DIGEST_LENGTH) {
354 		skdebug(__func__, "bad message len %zu", message_len);
355 		goto out;
356 	}
357 	/* Prepare data to be signed */
358 	dump("message", message, message_len);
359 	SHA256Init(&ctx);
360 	SHA256Update(&ctx, (const u_char *)application, strlen(application));
361 	SHA256Final(apphash, &ctx);
362 	dump("apphash", apphash, sizeof(apphash));
363 	countbuf[0] = (counter >> 24) & 0xff;
364 	countbuf[1] = (counter >> 16) & 0xff;
365 	countbuf[2] = (counter >> 8) & 0xff;
366 	countbuf[3] = counter & 0xff;
367 	dump("countbuf", countbuf, sizeof(countbuf));
368 	dump("flags", &flags, sizeof(flags));
369 	SHA256Init(&ctx);
370 	SHA256Update(&ctx, apphash, sizeof(apphash));
371 	SHA256Update(&ctx, &flags, sizeof(flags));
372 	SHA256Update(&ctx, countbuf, sizeof(countbuf));
373 	SHA256Update(&ctx, message, message_len);
374 	SHA256Final(sighash, &ctx);
375 	dump("sighash", sighash, sizeof(sighash));
376 	/* create and encode signature */
377 	if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) {
378 		skdebug(__func__, "ECDSA_do_sign failed");
379 		goto out;
380 	}
381 	ECDSA_SIG_get0(sig, &sig_r, &sig_s);
382 	response->sig_r_len = BN_num_bytes(sig_r);
383 	response->sig_s_len = BN_num_bytes(sig_s);
384 	if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
385 	    (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
386 		skdebug(__func__, "calloc signature failed");
387 		goto out;
388 	}
389 	BN_bn2bin(sig_r, response->sig_r);
390 	BN_bn2bin(sig_s, response->sig_s);
391 	ret = 0;
392  out:
393 	explicit_bzero(&ctx, sizeof(ctx));
394 	explicit_bzero(&apphash, sizeof(apphash));
395 	explicit_bzero(&sighash, sizeof(sighash));
396 	ECDSA_SIG_free(sig);
397 	if (ret != 0) {
398 		free(response->sig_r);
399 		free(response->sig_s);
400 		response->sig_r = NULL;
401 		response->sig_s = NULL;
402 	}
403 	BIO_free(bio);
404 	EC_KEY_free(ec);
405 	EVP_PKEY_free(pk);
406 	return ret;
407 #else
408 	return -1;
409 #endif
410 }
411 
412 static int
413 sig_ed25519(const uint8_t *message, size_t message_len,
414     const char *application, uint32_t counter, uint8_t flags,
415     const uint8_t *key_handle, size_t key_handle_len,
416     struct sk_sign_response *response)
417 {
418 	size_t o;
419 	int ret = -1;
420 	SHA2_CTX ctx;
421 	uint8_t	apphash[SHA256_DIGEST_LENGTH];
422 	uint8_t signbuf[sizeof(apphash) + sizeof(flags) +
423 	    sizeof(counter) + SHA256_DIGEST_LENGTH];
424 	uint8_t sig[crypto_sign_ed25519_BYTES + sizeof(signbuf)];
425 	unsigned long long smlen;
426 
427 	if (key_handle_len != crypto_sign_ed25519_SECRETKEYBYTES) {
428 		skdebug(__func__, "bad key handle length %zu", key_handle_len);
429 		goto out;
430 	}
431 	/* Expect message to be pre-hashed */
432 	if (message_len != SHA256_DIGEST_LENGTH) {
433 		skdebug(__func__, "bad message len %zu", message_len);
434 		goto out;
435 	}
436 	/* Prepare data to be signed */
437 	dump("message", message, message_len);
438 	SHA256Init(&ctx);
439 	SHA256Update(&ctx, (const u_char *)application, strlen(application));
440 	SHA256Final(apphash, &ctx);
441 	dump("apphash", apphash, sizeof(apphash));
442 
443 	memcpy(signbuf, apphash, sizeof(apphash));
444 	o = sizeof(apphash);
445 	signbuf[o++] = flags;
446 	signbuf[o++] = (counter >> 24) & 0xff;
447 	signbuf[o++] = (counter >> 16) & 0xff;
448 	signbuf[o++] = (counter >> 8) & 0xff;
449 	signbuf[o++] = counter & 0xff;
450 	memcpy(signbuf + o, message, message_len);
451 	o += message_len;
452 	if (o != sizeof(signbuf)) {
453 		skdebug(__func__, "bad sign buf len %zu, expected %zu",
454 		    o, sizeof(signbuf));
455 		goto out;
456 	}
457 	dump("signbuf", signbuf, sizeof(signbuf));
458 	/* create and encode signature */
459 	smlen = sizeof(signbuf);
460 	if (crypto_sign_ed25519(sig, &smlen, signbuf, sizeof(signbuf),
461 	    key_handle) != 0) {
462 		skdebug(__func__, "crypto_sign_ed25519 failed");
463 		goto out;
464 	}
465 	if (smlen <= sizeof(signbuf)) {
466 		skdebug(__func__, "bad sign smlen %llu, expected min %zu",
467 		    smlen, sizeof(signbuf) + 1);
468 		goto out;
469 	}
470 	response->sig_r_len = (size_t)(smlen - sizeof(signbuf));
471 	if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
472 		skdebug(__func__, "calloc signature failed");
473 		goto out;
474 	}
475 	memcpy(response->sig_r, sig, response->sig_r_len);
476 	dump("sig_r", response->sig_r, response->sig_r_len);
477 	ret = 0;
478  out:
479 	explicit_bzero(&ctx, sizeof(ctx));
480 	explicit_bzero(&apphash, sizeof(apphash));
481 	explicit_bzero(&signbuf, sizeof(signbuf));
482 	explicit_bzero(&sig, sizeof(sig));
483 	if (ret != 0) {
484 		free(response->sig_r);
485 		response->sig_r = NULL;
486 	}
487 	return ret;
488 }
489 
490 int
491 sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
492     const char *application, const uint8_t *key_handle, size_t key_handle_len,
493     uint8_t flags, const char *pin, struct sk_option **options,
494     struct sk_sign_response **sign_response)
495 {
496 	struct sk_sign_response *response = NULL;
497 	int ret = SSH_SK_ERR_GENERAL;
498 	SHA2_CTX ctx;
499 	uint8_t message[32];
500 
501 	if (sign_response == NULL) {
502 		skdebug(__func__, "sign_response == NULL");
503 		goto out;
504 	}
505 	*sign_response = NULL;
506 	if (check_options(options) != 0)
507 		goto out; /* error already logged */
508 	if ((response = calloc(1, sizeof(*response))) == NULL) {
509 		skdebug(__func__, "calloc response failed");
510 		goto out;
511 	}
512 	SHA256Init(&ctx);
513 	SHA256Update(&ctx, data, datalen);
514 	SHA256Final(message, &ctx);
515 	response->flags = flags;
516 	response->counter = 0x12345678;
517 	switch(alg) {
518 	case SSH_SK_ECDSA:
519 		if (sig_ecdsa(message, sizeof(message), application,
520 		    response->counter, flags, key_handle, key_handle_len,
521 		    response) != 0)
522 			goto out;
523 		break;
524 	case SSH_SK_ED25519:
525 		if (sig_ed25519(message, sizeof(message), application,
526 		    response->counter, flags, key_handle, key_handle_len,
527 		    response) != 0)
528 			goto out;
529 		break;
530 	default:
531 		skdebug(__func__, "unsupported key type %d", alg);
532 		return -1;
533 	}
534 	*sign_response = response;
535 	response = NULL;
536 	ret = 0;
537  out:
538 	explicit_bzero(message, sizeof(message));
539 	if (response != NULL) {
540 		free(response->sig_r);
541 		free(response->sig_s);
542 		free(response);
543 	}
544 	return ret;
545 }
546 
547 int
548 sk_load_resident_keys(const char *pin, struct sk_option **options,
549     struct sk_resident_key ***rks, size_t *nrks)
550 {
551 	return SSH_SK_ERR_UNSUPPORTED;
552 }
553