mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-08 20:26:31 +00:00
f374ba41f5
Release notes are available at https://www.openssh.com/txt/release-9.2 OpenSSH 9.2 contains fixes for two security problems and a memory safety problem. The memory safety problem is not believed to be exploitable. These fixes have already been committed to OpenSSH 9.1 in FreeBSD. Some other notable items from the release notes: * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. * sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. * sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. * sshd(8): add a -V (version) option to sshd like the ssh client has. * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. * ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 * ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 MFC after: 1 week Sponsored by: The FreeBSD Foundation
1114 lines
30 KiB
C
1114 lines
30 KiB
C
/* $OpenBSD: sshkey-xmss.c,v 1.12 2022/10/28 00:39:29 djm Exp $ */
|
|
/*
|
|
* Copyright (c) 2017 Markus Friedl. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#ifdef WITH_XMSS
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/uio.h>
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
#ifdef HAVE_SYS_FILE_H
|
|
# include <sys/file.h>
|
|
#endif
|
|
|
|
#include "ssh2.h"
|
|
#include "ssherr.h"
|
|
#include "sshbuf.h"
|
|
#include "cipher.h"
|
|
#include "sshkey.h"
|
|
#include "sshkey-xmss.h"
|
|
#include "atomicio.h"
|
|
#include "log.h"
|
|
|
|
#include "xmss_fast.h"
|
|
|
|
/* opaque internal XMSS state */
|
|
#define XMSS_MAGIC "xmss-state-v1"
|
|
#define XMSS_CIPHERNAME "aes256-gcm@openssh.com"
|
|
struct ssh_xmss_state {
|
|
xmss_params params;
|
|
u_int32_t n, w, h, k;
|
|
|
|
bds_state bds;
|
|
u_char *stack;
|
|
u_int32_t stackoffset;
|
|
u_char *stacklevels;
|
|
u_char *auth;
|
|
u_char *keep;
|
|
u_char *th_nodes;
|
|
u_char *retain;
|
|
treehash_inst *treehash;
|
|
|
|
u_int32_t idx; /* state read from file */
|
|
u_int32_t maxidx; /* restricted # of signatures */
|
|
int have_state; /* .state file exists */
|
|
int lockfd; /* locked in sshkey_xmss_get_state() */
|
|
u_char allow_update; /* allow sshkey_xmss_update_state() */
|
|
char *enc_ciphername;/* encrypt state with cipher */
|
|
u_char *enc_keyiv; /* encrypt state with key */
|
|
u_int32_t enc_keyiv_len; /* length of enc_keyiv */
|
|
};
|
|
|
|
int sshkey_xmss_init_bds_state(struct sshkey *);
|
|
int sshkey_xmss_init_enc_key(struct sshkey *, const char *);
|
|
void sshkey_xmss_free_bds(struct sshkey *);
|
|
int sshkey_xmss_get_state_from_file(struct sshkey *, const char *,
|
|
int *, int);
|
|
int sshkey_xmss_encrypt_state(const struct sshkey *, struct sshbuf *,
|
|
struct sshbuf **);
|
|
int sshkey_xmss_decrypt_state(const struct sshkey *, struct sshbuf *,
|
|
struct sshbuf **);
|
|
int sshkey_xmss_serialize_enc_key(const struct sshkey *, struct sshbuf *);
|
|
int sshkey_xmss_deserialize_enc_key(struct sshkey *, struct sshbuf *);
|
|
|
|
#define PRINT(...) do { if (printerror) sshlog(__FILE__, __func__, __LINE__, \
|
|
0, SYSLOG_LEVEL_ERROR, NULL, __VA_ARGS__); } while (0)
|
|
|
|
int
|
|
sshkey_xmss_init(struct sshkey *key, const char *name)
|
|
{
|
|
struct ssh_xmss_state *state;
|
|
|
|
if (key->xmss_state != NULL)
|
|
return SSH_ERR_INVALID_FORMAT;
|
|
if (name == NULL)
|
|
return SSH_ERR_INVALID_FORMAT;
|
|
state = calloc(sizeof(struct ssh_xmss_state), 1);
|
|
if (state == NULL)
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
if (strcmp(name, XMSS_SHA2_256_W16_H10_NAME) == 0) {
|
|
state->n = 32;
|
|
state->w = 16;
|
|
state->h = 10;
|
|
} else if (strcmp(name, XMSS_SHA2_256_W16_H16_NAME) == 0) {
|
|
state->n = 32;
|
|
state->w = 16;
|
|
state->h = 16;
|
|
} else if (strcmp(name, XMSS_SHA2_256_W16_H20_NAME) == 0) {
|
|
state->n = 32;
|
|
state->w = 16;
|
|
state->h = 20;
|
|
} else {
|
|
free(state);
|
|
return SSH_ERR_KEY_TYPE_UNKNOWN;
|
|
}
|
|
if ((key->xmss_name = strdup(name)) == NULL) {
|
|
free(state);
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
}
|
|
state->k = 2; /* XXX hardcoded */
|
|
state->lockfd = -1;
|
|
if (xmss_set_params(&state->params, state->n, state->h, state->w,
|
|
state->k) != 0) {
|
|
free(state);
|
|
return SSH_ERR_INVALID_FORMAT;
|
|
}
|
|
key->xmss_state = state;
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
sshkey_xmss_free_state(struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
sshkey_xmss_free_bds(key);
|
|
if (state) {
|
|
if (state->enc_keyiv) {
|
|
explicit_bzero(state->enc_keyiv, state->enc_keyiv_len);
|
|
free(state->enc_keyiv);
|
|
}
|
|
free(state->enc_ciphername);
|
|
free(state);
|
|
}
|
|
key->xmss_state = NULL;
|
|
}
|
|
|
|
#define SSH_XMSS_K2_MAGIC "k=2"
|
|
#define num_stack(x) ((x->h+1)*(x->n))
|
|
#define num_stacklevels(x) (x->h+1)
|
|
#define num_auth(x) ((x->h)*(x->n))
|
|
#define num_keep(x) ((x->h >> 1)*(x->n))
|
|
#define num_th_nodes(x) ((x->h - x->k)*(x->n))
|
|
#define num_retain(x) (((1ULL << x->k) - x->k - 1) * (x->n))
|
|
#define num_treehash(x) ((x->h) - (x->k))
|
|
|
|
int
|
|
sshkey_xmss_init_bds_state(struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
u_int32_t i;
|
|
|
|
state->stackoffset = 0;
|
|
if ((state->stack = calloc(num_stack(state), 1)) == NULL ||
|
|
(state->stacklevels = calloc(num_stacklevels(state), 1))== NULL ||
|
|
(state->auth = calloc(num_auth(state), 1)) == NULL ||
|
|
(state->keep = calloc(num_keep(state), 1)) == NULL ||
|
|
(state->th_nodes = calloc(num_th_nodes(state), 1)) == NULL ||
|
|
(state->retain = calloc(num_retain(state), 1)) == NULL ||
|
|
(state->treehash = calloc(num_treehash(state),
|
|
sizeof(treehash_inst))) == NULL) {
|
|
sshkey_xmss_free_bds(key);
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
}
|
|
for (i = 0; i < state->h - state->k; i++)
|
|
state->treehash[i].node = &state->th_nodes[state->n*i];
|
|
xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
|
|
state->stacklevels, state->auth, state->keep, state->treehash,
|
|
state->retain, 0);
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
sshkey_xmss_free_bds(struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (state == NULL)
|
|
return;
|
|
free(state->stack);
|
|
free(state->stacklevels);
|
|
free(state->auth);
|
|
free(state->keep);
|
|
free(state->th_nodes);
|
|
free(state->retain);
|
|
free(state->treehash);
|
|
state->stack = NULL;
|
|
state->stacklevels = NULL;
|
|
state->auth = NULL;
|
|
state->keep = NULL;
|
|
state->th_nodes = NULL;
|
|
state->retain = NULL;
|
|
state->treehash = NULL;
|
|
}
|
|
|
|
void *
|
|
sshkey_xmss_params(const struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (state == NULL)
|
|
return NULL;
|
|
return &state->params;
|
|
}
|
|
|
|
void *
|
|
sshkey_xmss_bds_state(const struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (state == NULL)
|
|
return NULL;
|
|
return &state->bds;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_siglen(const struct sshkey *key, size_t *lenp)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (lenp == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_FORMAT;
|
|
*lenp = 4 + state->n +
|
|
state->params.wots_par.keysize +
|
|
state->h * state->n;
|
|
return 0;
|
|
}
|
|
|
|
size_t
|
|
sshkey_xmss_pklen(const struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (state == NULL)
|
|
return 0;
|
|
return state->n * 2;
|
|
}
|
|
|
|
size_t
|
|
sshkey_xmss_sklen(const struct sshkey *key)
|
|
{
|
|
struct ssh_xmss_state *state = key->xmss_state;
|
|
|
|
if (state == NULL)
|
|
return 0;
|
|
return state->n * 4 + 4;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_init_enc_key(struct sshkey *k, const char *ciphername)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
const struct sshcipher *cipher;
|
|
size_t keylen = 0, ivlen = 0;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((cipher = cipher_by_name(ciphername)) == NULL)
|
|
return SSH_ERR_INTERNAL_ERROR;
|
|
if ((state->enc_ciphername = strdup(ciphername)) == NULL)
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
keylen = cipher_keylen(cipher);
|
|
ivlen = cipher_ivlen(cipher);
|
|
state->enc_keyiv_len = keylen + ivlen;
|
|
if ((state->enc_keyiv = calloc(state->enc_keyiv_len, 1)) == NULL) {
|
|
free(state->enc_ciphername);
|
|
state->enc_ciphername = NULL;
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
}
|
|
arc4random_buf(state->enc_keyiv, state->enc_keyiv_len);
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_serialize_enc_key(const struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
int r;
|
|
|
|
if (state == NULL || state->enc_keyiv == NULL ||
|
|
state->enc_ciphername == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((r = sshbuf_put_cstring(b, state->enc_ciphername)) != 0 ||
|
|
(r = sshbuf_put_string(b, state->enc_keyiv,
|
|
state->enc_keyiv_len)) != 0)
|
|
return r;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_deserialize_enc_key(struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
size_t len;
|
|
int r;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((r = sshbuf_get_cstring(b, &state->enc_ciphername, NULL)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->enc_keyiv, &len)) != 0)
|
|
return r;
|
|
state->enc_keyiv_len = len;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_serialize_pk_info(const struct sshkey *k, struct sshbuf *b,
|
|
enum sshkey_serialize_rep opts)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
u_char have_info = 1;
|
|
u_int32_t idx;
|
|
int r;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (opts != SSHKEY_SERIALIZE_INFO)
|
|
return 0;
|
|
idx = k->xmss_sk ? PEEK_U32(k->xmss_sk) : state->idx;
|
|
if ((r = sshbuf_put_u8(b, have_info)) != 0 ||
|
|
(r = sshbuf_put_u32(b, idx)) != 0 ||
|
|
(r = sshbuf_put_u32(b, state->maxidx)) != 0)
|
|
return r;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_deserialize_pk_info(struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
u_char have_info;
|
|
int r;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
/* optional */
|
|
if (sshbuf_len(b) == 0)
|
|
return 0;
|
|
if ((r = sshbuf_get_u8(b, &have_info)) != 0)
|
|
return r;
|
|
if (have_info != 1)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((r = sshbuf_get_u32(b, &state->idx)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &state->maxidx)) != 0)
|
|
return r;
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_generate_private_key(struct sshkey *k, int bits)
|
|
{
|
|
int r;
|
|
const char *name;
|
|
|
|
if (bits == 10) {
|
|
name = XMSS_SHA2_256_W16_H10_NAME;
|
|
} else if (bits == 16) {
|
|
name = XMSS_SHA2_256_W16_H16_NAME;
|
|
} else if (bits == 20) {
|
|
name = XMSS_SHA2_256_W16_H20_NAME;
|
|
} else {
|
|
name = XMSS_DEFAULT_NAME;
|
|
}
|
|
if ((r = sshkey_xmss_init(k, name)) != 0 ||
|
|
(r = sshkey_xmss_init_bds_state(k)) != 0 ||
|
|
(r = sshkey_xmss_init_enc_key(k, XMSS_CIPHERNAME)) != 0)
|
|
return r;
|
|
if ((k->xmss_pk = malloc(sshkey_xmss_pklen(k))) == NULL ||
|
|
(k->xmss_sk = malloc(sshkey_xmss_sklen(k))) == NULL) {
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
}
|
|
xmss_keypair(k->xmss_pk, k->xmss_sk, sshkey_xmss_bds_state(k),
|
|
sshkey_xmss_params(k));
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_get_state_from_file(struct sshkey *k, const char *filename,
|
|
int *have_file, int printerror)
|
|
{
|
|
struct sshbuf *b = NULL, *enc = NULL;
|
|
int ret = SSH_ERR_SYSTEM_ERROR, r, fd = -1;
|
|
u_int32_t len;
|
|
unsigned char buf[4], *data = NULL;
|
|
|
|
*have_file = 0;
|
|
if ((fd = open(filename, O_RDONLY)) >= 0) {
|
|
*have_file = 1;
|
|
if (atomicio(read, fd, buf, sizeof(buf)) != sizeof(buf)) {
|
|
PRINT("corrupt state file: %s", filename);
|
|
goto done;
|
|
}
|
|
len = PEEK_U32(buf);
|
|
if ((data = calloc(len, 1)) == NULL) {
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto done;
|
|
}
|
|
if (atomicio(read, fd, data, len) != len) {
|
|
PRINT("cannot read blob: %s", filename);
|
|
goto done;
|
|
}
|
|
if ((enc = sshbuf_from(data, len)) == NULL) {
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto done;
|
|
}
|
|
sshkey_xmss_free_bds(k);
|
|
if ((r = sshkey_xmss_decrypt_state(k, enc, &b)) != 0) {
|
|
ret = r;
|
|
goto done;
|
|
}
|
|
if ((r = sshkey_xmss_deserialize_state(k, b)) != 0) {
|
|
ret = r;
|
|
goto done;
|
|
}
|
|
ret = 0;
|
|
}
|
|
done:
|
|
if (fd != -1)
|
|
close(fd);
|
|
free(data);
|
|
sshbuf_free(enc);
|
|
sshbuf_free(b);
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_get_state(const struct sshkey *k, int printerror)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
u_int32_t idx = 0;
|
|
char *filename = NULL;
|
|
char *statefile = NULL, *ostatefile = NULL, *lockfile = NULL;
|
|
int lockfd = -1, have_state = 0, have_ostate, tries = 0;
|
|
int ret = SSH_ERR_INVALID_ARGUMENT, r;
|
|
|
|
if (state == NULL)
|
|
goto done;
|
|
/*
|
|
* If maxidx is set, then we are allowed a limited number
|
|
* of signatures, but don't need to access the disk.
|
|
* Otherwise we need to deal with the on-disk state.
|
|
*/
|
|
if (state->maxidx) {
|
|
/* xmss_sk always contains the current state */
|
|
idx = PEEK_U32(k->xmss_sk);
|
|
if (idx < state->maxidx) {
|
|
state->allow_update = 1;
|
|
return 0;
|
|
}
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
}
|
|
if ((filename = k->xmss_filename) == NULL)
|
|
goto done;
|
|
if (asprintf(&lockfile, "%s.lock", filename) == -1 ||
|
|
asprintf(&statefile, "%s.state", filename) == -1 ||
|
|
asprintf(&ostatefile, "%s.ostate", filename) == -1) {
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto done;
|
|
}
|
|
if ((lockfd = open(lockfile, O_CREAT|O_RDONLY, 0600)) == -1) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("cannot open/create: %s", lockfile);
|
|
goto done;
|
|
}
|
|
while (flock(lockfd, LOCK_EX|LOCK_NB) == -1) {
|
|
if (errno != EWOULDBLOCK) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("cannot lock: %s", lockfile);
|
|
goto done;
|
|
}
|
|
if (++tries > 10) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("giving up on: %s", lockfile);
|
|
goto done;
|
|
}
|
|
usleep(1000*100*tries);
|
|
}
|
|
/* XXX no longer const */
|
|
if ((r = sshkey_xmss_get_state_from_file((struct sshkey *)k,
|
|
statefile, &have_state, printerror)) != 0) {
|
|
if ((r = sshkey_xmss_get_state_from_file((struct sshkey *)k,
|
|
ostatefile, &have_ostate, printerror)) == 0) {
|
|
state->allow_update = 1;
|
|
r = sshkey_xmss_forward_state(k, 1);
|
|
state->idx = PEEK_U32(k->xmss_sk);
|
|
state->allow_update = 0;
|
|
}
|
|
}
|
|
if (!have_state && !have_ostate) {
|
|
/* check that bds state is initialized */
|
|
if (state->bds.auth == NULL)
|
|
goto done;
|
|
PRINT("start from scratch idx 0: %u", state->idx);
|
|
} else if (r != 0) {
|
|
ret = r;
|
|
goto done;
|
|
}
|
|
if (state->idx + 1 < state->idx) {
|
|
PRINT("state wrap: %u", state->idx);
|
|
goto done;
|
|
}
|
|
state->have_state = have_state;
|
|
state->lockfd = lockfd;
|
|
state->allow_update = 1;
|
|
lockfd = -1;
|
|
ret = 0;
|
|
done:
|
|
if (lockfd != -1)
|
|
close(lockfd);
|
|
free(lockfile);
|
|
free(statefile);
|
|
free(ostatefile);
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_forward_state(const struct sshkey *k, u_int32_t reserve)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
u_char *sig = NULL;
|
|
size_t required_siglen;
|
|
unsigned long long smlen;
|
|
u_char data;
|
|
int ret, r;
|
|
|
|
if (state == NULL || !state->allow_update)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (reserve == 0)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (state->idx + reserve <= state->idx)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((r = sshkey_xmss_siglen(k, &required_siglen)) != 0)
|
|
return r;
|
|
if ((sig = malloc(required_siglen)) == NULL)
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
while (reserve-- > 0) {
|
|
state->idx = PEEK_U32(k->xmss_sk);
|
|
smlen = required_siglen;
|
|
if ((ret = xmss_sign(k->xmss_sk, sshkey_xmss_bds_state(k),
|
|
sig, &smlen, &data, 0, sshkey_xmss_params(k))) != 0) {
|
|
r = SSH_ERR_INVALID_ARGUMENT;
|
|
break;
|
|
}
|
|
}
|
|
free(sig);
|
|
return r;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_update_state(const struct sshkey *k, int printerror)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
struct sshbuf *b = NULL, *enc = NULL;
|
|
u_int32_t idx = 0;
|
|
unsigned char buf[4];
|
|
char *filename = NULL;
|
|
char *statefile = NULL, *ostatefile = NULL, *nstatefile = NULL;
|
|
int fd = -1;
|
|
int ret = SSH_ERR_INVALID_ARGUMENT;
|
|
|
|
if (state == NULL || !state->allow_update)
|
|
return ret;
|
|
if (state->maxidx) {
|
|
/* no update since the number of signatures is limited */
|
|
ret = 0;
|
|
goto done;
|
|
}
|
|
idx = PEEK_U32(k->xmss_sk);
|
|
if (idx == state->idx) {
|
|
/* no signature happened, no need to update */
|
|
ret = 0;
|
|
goto done;
|
|
} else if (idx != state->idx + 1) {
|
|
PRINT("more than one signature happened: idx %u state %u",
|
|
idx, state->idx);
|
|
goto done;
|
|
}
|
|
state->idx = idx;
|
|
if ((filename = k->xmss_filename) == NULL)
|
|
goto done;
|
|
if (asprintf(&statefile, "%s.state", filename) == -1 ||
|
|
asprintf(&ostatefile, "%s.ostate", filename) == -1 ||
|
|
asprintf(&nstatefile, "%s.nstate", filename) == -1) {
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto done;
|
|
}
|
|
unlink(nstatefile);
|
|
if ((b = sshbuf_new()) == NULL) {
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto done;
|
|
}
|
|
if ((ret = sshkey_xmss_serialize_state(k, b)) != 0) {
|
|
PRINT("SERLIALIZE FAILED: %d", ret);
|
|
goto done;
|
|
}
|
|
if ((ret = sshkey_xmss_encrypt_state(k, b, &enc)) != 0) {
|
|
PRINT("ENCRYPT FAILED: %d", ret);
|
|
goto done;
|
|
}
|
|
if ((fd = open(nstatefile, O_CREAT|O_WRONLY|O_EXCL, 0600)) == -1) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("open new state file: %s", nstatefile);
|
|
goto done;
|
|
}
|
|
POKE_U32(buf, sshbuf_len(enc));
|
|
if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("write new state file hdr: %s", nstatefile);
|
|
close(fd);
|
|
goto done;
|
|
}
|
|
if (atomicio(vwrite, fd, sshbuf_mutable_ptr(enc), sshbuf_len(enc)) !=
|
|
sshbuf_len(enc)) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("write new state file data: %s", nstatefile);
|
|
close(fd);
|
|
goto done;
|
|
}
|
|
if (fsync(fd) == -1) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("sync new state file: %s", nstatefile);
|
|
close(fd);
|
|
goto done;
|
|
}
|
|
if (close(fd) == -1) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("close new state file: %s", nstatefile);
|
|
goto done;
|
|
}
|
|
if (state->have_state) {
|
|
unlink(ostatefile);
|
|
if (link(statefile, ostatefile)) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("backup state %s to %s", statefile, ostatefile);
|
|
goto done;
|
|
}
|
|
}
|
|
if (rename(nstatefile, statefile) == -1) {
|
|
ret = SSH_ERR_SYSTEM_ERROR;
|
|
PRINT("rename %s to %s", nstatefile, statefile);
|
|
goto done;
|
|
}
|
|
ret = 0;
|
|
done:
|
|
if (state->lockfd != -1) {
|
|
close(state->lockfd);
|
|
state->lockfd = -1;
|
|
}
|
|
if (nstatefile)
|
|
unlink(nstatefile);
|
|
free(statefile);
|
|
free(ostatefile);
|
|
free(nstatefile);
|
|
sshbuf_free(b);
|
|
sshbuf_free(enc);
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_serialize_state(const struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
treehash_inst *th;
|
|
u_int32_t i, node;
|
|
int r;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (state->stack == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
state->stackoffset = state->bds.stackoffset; /* copy back */
|
|
if ((r = sshbuf_put_cstring(b, SSH_XMSS_K2_MAGIC)) != 0 ||
|
|
(r = sshbuf_put_u32(b, state->idx)) != 0 ||
|
|
(r = sshbuf_put_string(b, state->stack, num_stack(state))) != 0 ||
|
|
(r = sshbuf_put_u32(b, state->stackoffset)) != 0 ||
|
|
(r = sshbuf_put_string(b, state->stacklevels, num_stacklevels(state))) != 0 ||
|
|
(r = sshbuf_put_string(b, state->auth, num_auth(state))) != 0 ||
|
|
(r = sshbuf_put_string(b, state->keep, num_keep(state))) != 0 ||
|
|
(r = sshbuf_put_string(b, state->th_nodes, num_th_nodes(state))) != 0 ||
|
|
(r = sshbuf_put_string(b, state->retain, num_retain(state))) != 0 ||
|
|
(r = sshbuf_put_u32(b, num_treehash(state))) != 0)
|
|
return r;
|
|
for (i = 0; i < num_treehash(state); i++) {
|
|
th = &state->treehash[i];
|
|
node = th->node - state->th_nodes;
|
|
if ((r = sshbuf_put_u32(b, th->h)) != 0 ||
|
|
(r = sshbuf_put_u32(b, th->next_idx)) != 0 ||
|
|
(r = sshbuf_put_u32(b, th->stackusage)) != 0 ||
|
|
(r = sshbuf_put_u8(b, th->completed)) != 0 ||
|
|
(r = sshbuf_put_u32(b, node)) != 0)
|
|
return r;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_serialize_state_opt(const struct sshkey *k, struct sshbuf *b,
|
|
enum sshkey_serialize_rep opts)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
int r = SSH_ERR_INVALID_ARGUMENT;
|
|
u_char have_stack, have_filename, have_enc;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((r = sshbuf_put_u8(b, opts)) != 0)
|
|
return r;
|
|
switch (opts) {
|
|
case SSHKEY_SERIALIZE_STATE:
|
|
r = sshkey_xmss_serialize_state(k, b);
|
|
break;
|
|
case SSHKEY_SERIALIZE_FULL:
|
|
if ((r = sshkey_xmss_serialize_enc_key(k, b)) != 0)
|
|
return r;
|
|
r = sshkey_xmss_serialize_state(k, b);
|
|
break;
|
|
case SSHKEY_SERIALIZE_SHIELD:
|
|
/* all of stack/filename/enc are optional */
|
|
have_stack = state->stack != NULL;
|
|
if ((r = sshbuf_put_u8(b, have_stack)) != 0)
|
|
return r;
|
|
if (have_stack) {
|
|
state->idx = PEEK_U32(k->xmss_sk); /* update */
|
|
if ((r = sshkey_xmss_serialize_state(k, b)) != 0)
|
|
return r;
|
|
}
|
|
have_filename = k->xmss_filename != NULL;
|
|
if ((r = sshbuf_put_u8(b, have_filename)) != 0)
|
|
return r;
|
|
if (have_filename &&
|
|
(r = sshbuf_put_cstring(b, k->xmss_filename)) != 0)
|
|
return r;
|
|
have_enc = state->enc_keyiv != NULL;
|
|
if ((r = sshbuf_put_u8(b, have_enc)) != 0)
|
|
return r;
|
|
if (have_enc &&
|
|
(r = sshkey_xmss_serialize_enc_key(k, b)) != 0)
|
|
return r;
|
|
if ((r = sshbuf_put_u32(b, state->maxidx)) != 0 ||
|
|
(r = sshbuf_put_u8(b, state->allow_update)) != 0)
|
|
return r;
|
|
break;
|
|
case SSHKEY_SERIALIZE_DEFAULT:
|
|
r = 0;
|
|
break;
|
|
default:
|
|
r = SSH_ERR_INVALID_ARGUMENT;
|
|
break;
|
|
}
|
|
return r;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_deserialize_state(struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
treehash_inst *th;
|
|
u_int32_t i, lh, node;
|
|
size_t ls, lsl, la, lk, ln, lr;
|
|
char *magic;
|
|
int r = SSH_ERR_INTERNAL_ERROR;
|
|
|
|
if (state == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (k->xmss_sk == NULL)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if ((state->treehash = calloc(num_treehash(state),
|
|
sizeof(treehash_inst))) == NULL)
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
if ((r = sshbuf_get_cstring(b, &magic, NULL)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &state->idx)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->stack, &ls)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &state->stackoffset)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->stacklevels, &lsl)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->auth, &la)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->keep, &lk)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->th_nodes, &ln)) != 0 ||
|
|
(r = sshbuf_get_string(b, &state->retain, &lr)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &lh)) != 0)
|
|
goto out;
|
|
if (strcmp(magic, SSH_XMSS_K2_MAGIC) != 0) {
|
|
r = SSH_ERR_INVALID_ARGUMENT;
|
|
goto out;
|
|
}
|
|
/* XXX check stackoffset */
|
|
if (ls != num_stack(state) ||
|
|
lsl != num_stacklevels(state) ||
|
|
la != num_auth(state) ||
|
|
lk != num_keep(state) ||
|
|
ln != num_th_nodes(state) ||
|
|
lr != num_retain(state) ||
|
|
lh != num_treehash(state)) {
|
|
r = SSH_ERR_INVALID_ARGUMENT;
|
|
goto out;
|
|
}
|
|
for (i = 0; i < num_treehash(state); i++) {
|
|
th = &state->treehash[i];
|
|
if ((r = sshbuf_get_u32(b, &th->h)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &th->next_idx)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &th->stackusage)) != 0 ||
|
|
(r = sshbuf_get_u8(b, &th->completed)) != 0 ||
|
|
(r = sshbuf_get_u32(b, &node)) != 0)
|
|
goto out;
|
|
if (node < num_th_nodes(state))
|
|
th->node = &state->th_nodes[node];
|
|
}
|
|
POKE_U32(k->xmss_sk, state->idx);
|
|
xmss_set_bds_state(&state->bds, state->stack, state->stackoffset,
|
|
state->stacklevels, state->auth, state->keep, state->treehash,
|
|
state->retain, 0);
|
|
/* success */
|
|
r = 0;
|
|
out:
|
|
free(magic);
|
|
return r;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_deserialize_state_opt(struct sshkey *k, struct sshbuf *b)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
enum sshkey_serialize_rep opts;
|
|
u_char have_state, have_stack, have_filename, have_enc;
|
|
int r;
|
|
|
|
if ((r = sshbuf_get_u8(b, &have_state)) != 0)
|
|
return r;
|
|
|
|
opts = have_state;
|
|
switch (opts) {
|
|
case SSHKEY_SERIALIZE_DEFAULT:
|
|
r = 0;
|
|
break;
|
|
case SSHKEY_SERIALIZE_SHIELD:
|
|
if ((r = sshbuf_get_u8(b, &have_stack)) != 0)
|
|
return r;
|
|
if (have_stack &&
|
|
(r = sshkey_xmss_deserialize_state(k, b)) != 0)
|
|
return r;
|
|
if ((r = sshbuf_get_u8(b, &have_filename)) != 0)
|
|
return r;
|
|
if (have_filename &&
|
|
(r = sshbuf_get_cstring(b, &k->xmss_filename, NULL)) != 0)
|
|
return r;
|
|
if ((r = sshbuf_get_u8(b, &have_enc)) != 0)
|
|
return r;
|
|
if (have_enc &&
|
|
(r = sshkey_xmss_deserialize_enc_key(k, b)) != 0)
|
|
return r;
|
|
if ((r = sshbuf_get_u32(b, &state->maxidx)) != 0 ||
|
|
(r = sshbuf_get_u8(b, &state->allow_update)) != 0)
|
|
return r;
|
|
break;
|
|
case SSHKEY_SERIALIZE_STATE:
|
|
if ((r = sshkey_xmss_deserialize_state(k, b)) != 0)
|
|
return r;
|
|
break;
|
|
case SSHKEY_SERIALIZE_FULL:
|
|
if ((r = sshkey_xmss_deserialize_enc_key(k, b)) != 0 ||
|
|
(r = sshkey_xmss_deserialize_state(k, b)) != 0)
|
|
return r;
|
|
break;
|
|
default:
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
break;
|
|
}
|
|
return r;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_encrypt_state(const struct sshkey *k, struct sshbuf *b,
|
|
struct sshbuf **retp)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
struct sshbuf *encrypted = NULL, *encoded = NULL, *padded = NULL;
|
|
struct sshcipher_ctx *ciphercontext = NULL;
|
|
const struct sshcipher *cipher;
|
|
u_char *cp, *key, *iv = NULL;
|
|
size_t i, keylen, ivlen, blocksize, authlen, encrypted_len, aadlen;
|
|
int r = SSH_ERR_INTERNAL_ERROR;
|
|
|
|
if (retp != NULL)
|
|
*retp = NULL;
|
|
if (state == NULL ||
|
|
state->enc_keyiv == NULL ||
|
|
state->enc_ciphername == NULL)
|
|
return SSH_ERR_INTERNAL_ERROR;
|
|
if ((cipher = cipher_by_name(state->enc_ciphername)) == NULL) {
|
|
r = SSH_ERR_INTERNAL_ERROR;
|
|
goto out;
|
|
}
|
|
blocksize = cipher_blocksize(cipher);
|
|
keylen = cipher_keylen(cipher);
|
|
ivlen = cipher_ivlen(cipher);
|
|
authlen = cipher_authlen(cipher);
|
|
if (state->enc_keyiv_len != keylen + ivlen) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
key = state->enc_keyiv;
|
|
if ((encrypted = sshbuf_new()) == NULL ||
|
|
(encoded = sshbuf_new()) == NULL ||
|
|
(padded = sshbuf_new()) == NULL ||
|
|
(iv = malloc(ivlen)) == NULL) {
|
|
r = SSH_ERR_ALLOC_FAIL;
|
|
goto out;
|
|
}
|
|
|
|
/* replace first 4 bytes of IV with index to ensure uniqueness */
|
|
memcpy(iv, key + keylen, ivlen);
|
|
POKE_U32(iv, state->idx);
|
|
|
|
if ((r = sshbuf_put(encoded, XMSS_MAGIC, sizeof(XMSS_MAGIC))) != 0 ||
|
|
(r = sshbuf_put_u32(encoded, state->idx)) != 0)
|
|
goto out;
|
|
|
|
/* padded state will be encrypted */
|
|
if ((r = sshbuf_putb(padded, b)) != 0)
|
|
goto out;
|
|
i = 0;
|
|
while (sshbuf_len(padded) % blocksize) {
|
|
if ((r = sshbuf_put_u8(padded, ++i & 0xff)) != 0)
|
|
goto out;
|
|
}
|
|
encrypted_len = sshbuf_len(padded);
|
|
|
|
/* header including the length of state is used as AAD */
|
|
if ((r = sshbuf_put_u32(encoded, encrypted_len)) != 0)
|
|
goto out;
|
|
aadlen = sshbuf_len(encoded);
|
|
|
|
/* concat header and state */
|
|
if ((r = sshbuf_putb(encoded, padded)) != 0)
|
|
goto out;
|
|
|
|
/* reserve space for encryption of encoded data plus auth tag */
|
|
/* encrypt at offset addlen */
|
|
if ((r = sshbuf_reserve(encrypted,
|
|
encrypted_len + aadlen + authlen, &cp)) != 0 ||
|
|
(r = cipher_init(&ciphercontext, cipher, key, keylen,
|
|
iv, ivlen, 1)) != 0 ||
|
|
(r = cipher_crypt(ciphercontext, 0, cp, sshbuf_ptr(encoded),
|
|
encrypted_len, aadlen, authlen)) != 0)
|
|
goto out;
|
|
|
|
/* success */
|
|
r = 0;
|
|
out:
|
|
if (retp != NULL) {
|
|
*retp = encrypted;
|
|
encrypted = NULL;
|
|
}
|
|
sshbuf_free(padded);
|
|
sshbuf_free(encoded);
|
|
sshbuf_free(encrypted);
|
|
cipher_free(ciphercontext);
|
|
free(iv);
|
|
return r;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
|
|
struct sshbuf **retp)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
struct sshbuf *copy = NULL, *decrypted = NULL;
|
|
struct sshcipher_ctx *ciphercontext = NULL;
|
|
const struct sshcipher *cipher = NULL;
|
|
u_char *key, *iv = NULL, *dp;
|
|
size_t keylen, ivlen, authlen, aadlen;
|
|
u_int blocksize, encrypted_len, index;
|
|
int r = SSH_ERR_INTERNAL_ERROR;
|
|
|
|
if (retp != NULL)
|
|
*retp = NULL;
|
|
if (state == NULL ||
|
|
state->enc_keyiv == NULL ||
|
|
state->enc_ciphername == NULL)
|
|
return SSH_ERR_INTERNAL_ERROR;
|
|
if ((cipher = cipher_by_name(state->enc_ciphername)) == NULL) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
blocksize = cipher_blocksize(cipher);
|
|
keylen = cipher_keylen(cipher);
|
|
ivlen = cipher_ivlen(cipher);
|
|
authlen = cipher_authlen(cipher);
|
|
if (state->enc_keyiv_len != keylen + ivlen) {
|
|
r = SSH_ERR_INTERNAL_ERROR;
|
|
goto out;
|
|
}
|
|
key = state->enc_keyiv;
|
|
|
|
if ((copy = sshbuf_fromb(encoded)) == NULL ||
|
|
(decrypted = sshbuf_new()) == NULL ||
|
|
(iv = malloc(ivlen)) == NULL) {
|
|
r = SSH_ERR_ALLOC_FAIL;
|
|
goto out;
|
|
}
|
|
|
|
/* check magic */
|
|
if (sshbuf_len(encoded) < sizeof(XMSS_MAGIC) ||
|
|
memcmp(sshbuf_ptr(encoded), XMSS_MAGIC, sizeof(XMSS_MAGIC))) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
/* parse public portion */
|
|
if ((r = sshbuf_consume(encoded, sizeof(XMSS_MAGIC))) != 0 ||
|
|
(r = sshbuf_get_u32(encoded, &index)) != 0 ||
|
|
(r = sshbuf_get_u32(encoded, &encrypted_len)) != 0)
|
|
goto out;
|
|
|
|
/* check size of encrypted key blob */
|
|
if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
/* check that an appropriate amount of auth data is present */
|
|
if (sshbuf_len(encoded) < authlen ||
|
|
sshbuf_len(encoded) - authlen < encrypted_len) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
|
|
aadlen = sshbuf_len(copy) - sshbuf_len(encoded);
|
|
|
|
/* replace first 4 bytes of IV with index to ensure uniqueness */
|
|
memcpy(iv, key + keylen, ivlen);
|
|
POKE_U32(iv, index);
|
|
|
|
/* decrypt private state of key */
|
|
if ((r = sshbuf_reserve(decrypted, aadlen + encrypted_len, &dp)) != 0 ||
|
|
(r = cipher_init(&ciphercontext, cipher, key, keylen,
|
|
iv, ivlen, 0)) != 0 ||
|
|
(r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(copy),
|
|
encrypted_len, aadlen, authlen)) != 0)
|
|
goto out;
|
|
|
|
/* there should be no trailing data */
|
|
if ((r = sshbuf_consume(encoded, encrypted_len + authlen)) != 0)
|
|
goto out;
|
|
if (sshbuf_len(encoded) != 0) {
|
|
r = SSH_ERR_INVALID_FORMAT;
|
|
goto out;
|
|
}
|
|
|
|
/* remove AAD */
|
|
if ((r = sshbuf_consume(decrypted, aadlen)) != 0)
|
|
goto out;
|
|
/* XXX encrypted includes unchecked padding */
|
|
|
|
/* success */
|
|
r = 0;
|
|
if (retp != NULL) {
|
|
*retp = decrypted;
|
|
decrypted = NULL;
|
|
}
|
|
out:
|
|
cipher_free(ciphercontext);
|
|
sshbuf_free(copy);
|
|
sshbuf_free(decrypted);
|
|
free(iv);
|
|
return r;
|
|
}
|
|
|
|
u_int32_t
|
|
sshkey_xmss_signatures_left(const struct sshkey *k)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
u_int32_t idx;
|
|
|
|
if (sshkey_type_plain(k->type) == KEY_XMSS && state &&
|
|
state->maxidx) {
|
|
idx = k->xmss_sk ? PEEK_U32(k->xmss_sk) : state->idx;
|
|
if (idx < state->maxidx)
|
|
return state->maxidx - idx;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
int
|
|
sshkey_xmss_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
|
|
{
|
|
struct ssh_xmss_state *state = k->xmss_state;
|
|
|
|
if (sshkey_type_plain(k->type) != KEY_XMSS)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
if (maxsign == 0)
|
|
return 0;
|
|
if (state->idx + maxsign < state->idx)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
state->maxidx = state->idx + maxsign;
|
|
return 0;
|
|
}
|
|
#endif /* WITH_XMSS */
|