1 /* $NetBSD: ssh-xmss.c,v 1.5 2022/10/05 22:39:36 christos Exp $ */ 2 /* $OpenBSD: ssh-xmss.c,v 1.5 2022/04/20 15:59:18 millert Exp $*/ 3 4 /* 5 * Copyright (c) 2017 Stefan-Lukas Gazdag. 6 * Copyright (c) 2017 Markus Friedl. 7 * 8 * Permission to use, copy, modify, and distribute this software for any 9 * purpose with or without fee is hereby granted, provided that the above 10 * copyright notice and this permission notice appear in all copies. 11 * 12 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 13 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 14 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 15 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 16 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 */ 20 #include "includes.h" 21 __RCSID("$NetBSD: ssh-xmss.c,v 1.5 2022/10/05 22:39:36 christos Exp $"); 22 #define SSHKEY_INTERNAL 23 #include <sys/types.h> 24 #include <limits.h> 25 26 #include <stdlib.h> 27 #include <string.h> 28 #include <stdarg.h> 29 #include <stdint.h> 30 #include <unistd.h> 31 32 #include "log.h" 33 #include "sshbuf.h" 34 #include "sshkey.h" 35 #include "sshkey-xmss.h" 36 #include "ssherr.h" 37 #include "ssh.h" 38 39 #include "xmss_fast.h" 40 41 int 42 ssh_xmss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp, 43 const u_char *data, size_t datalen, u_int compat) 44 { 45 u_char *sig = NULL; 46 size_t slen = 0, len = 0, required_siglen; 47 unsigned long long smlen; 48 int r, ret; 49 struct sshbuf *b = NULL; 50 51 if (lenp != NULL) 52 *lenp = 0; 53 if (sigp != NULL) 54 *sigp = NULL; 55 56 if (key == NULL || 57 sshkey_type_plain(key->type) != KEY_XMSS || 58 key->xmss_sk == NULL || 59 sshkey_xmss_params(key) == NULL) 60 return SSH_ERR_INVALID_ARGUMENT; 61 if ((r = sshkey_xmss_siglen(key, &required_siglen)) != 0) 62 return r; 63 if (datalen >= INT_MAX - required_siglen) 64 return SSH_ERR_INVALID_ARGUMENT; 65 smlen = slen = datalen + required_siglen; 66 if ((sig = malloc(slen)) == NULL) 67 return SSH_ERR_ALLOC_FAIL; 68 if ((r = sshkey_xmss_get_state(key, 1)) != 0) 69 goto out; 70 if ((ret = xmss_sign(key->xmss_sk, sshkey_xmss_bds_state(key), sig, &smlen, 71 data, datalen, sshkey_xmss_params(key))) != 0 || smlen <= datalen) { 72 r = SSH_ERR_INVALID_ARGUMENT; /* XXX better error? */ 73 goto out; 74 } 75 /* encode signature */ 76 if ((b = sshbuf_new()) == NULL) { 77 r = SSH_ERR_ALLOC_FAIL; 78 goto out; 79 } 80 if ((r = sshbuf_put_cstring(b, "ssh-xmss@openssh.com")) != 0 || 81 (r = sshbuf_put_string(b, sig, smlen - datalen)) != 0) 82 goto out; 83 len = sshbuf_len(b); 84 if (sigp != NULL) { 85 if ((*sigp = malloc(len)) == NULL) { 86 r = SSH_ERR_ALLOC_FAIL; 87 goto out; 88 } 89 memcpy(*sigp, sshbuf_ptr(b), len); 90 } 91 if (lenp != NULL) 92 *lenp = len; 93 /* success */ 94 r = 0; 95 out: 96 if ((ret = sshkey_xmss_update_state(key, 1)) != 0) { 97 /* discard signature since we cannot update the state */ 98 if (r == 0 && sigp != NULL && *sigp != NULL) { 99 explicit_bzero(*sigp, len); 100 free(*sigp); 101 } 102 if (sigp != NULL) 103 *sigp = NULL; 104 if (lenp != NULL) 105 *lenp = 0; 106 r = ret; 107 } 108 sshbuf_free(b); 109 if (sig != NULL) 110 freezero(sig, slen); 111 112 return r; 113 } 114 115 int 116 ssh_xmss_verify(const struct sshkey *key, 117 const u_char *signature, size_t signaturelen, 118 const u_char *data, size_t datalen, u_int compat) 119 { 120 struct sshbuf *b = NULL; 121 char *ktype = NULL; 122 const u_char *sigblob; 123 u_char *sm = NULL, *m = NULL; 124 size_t len, required_siglen; 125 unsigned long long smlen = 0, mlen = 0; 126 int r, ret; 127 128 if (key == NULL || 129 sshkey_type_plain(key->type) != KEY_XMSS || 130 key->xmss_pk == NULL || 131 sshkey_xmss_params(key) == NULL || 132 signature == NULL || signaturelen == 0) 133 return SSH_ERR_INVALID_ARGUMENT; 134 if ((r = sshkey_xmss_siglen(key, &required_siglen)) != 0) 135 return r; 136 if (datalen >= INT_MAX - required_siglen) 137 return SSH_ERR_INVALID_ARGUMENT; 138 139 if ((b = sshbuf_from(signature, signaturelen)) == NULL) 140 return SSH_ERR_ALLOC_FAIL; 141 if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 || 142 (r = sshbuf_get_string_direct(b, &sigblob, &len)) != 0) 143 goto out; 144 if (strcmp("ssh-xmss@openssh.com", ktype) != 0) { 145 r = SSH_ERR_KEY_TYPE_MISMATCH; 146 goto out; 147 } 148 if (sshbuf_len(b) != 0) { 149 r = SSH_ERR_UNEXPECTED_TRAILING_DATA; 150 goto out; 151 } 152 if (len != required_siglen) { 153 r = SSH_ERR_INVALID_FORMAT; 154 goto out; 155 } 156 if (datalen >= SIZE_MAX - len) { 157 r = SSH_ERR_INVALID_ARGUMENT; 158 goto out; 159 } 160 smlen = len + datalen; 161 mlen = smlen; 162 if ((sm = malloc(smlen)) == NULL || (m = malloc(mlen)) == NULL) { 163 r = SSH_ERR_ALLOC_FAIL; 164 goto out; 165 } 166 memcpy(sm, sigblob, len); 167 memcpy(sm+len, data, datalen); 168 if ((ret = xmss_sign_open(m, &mlen, sm, smlen, 169 key->xmss_pk, sshkey_xmss_params(key))) != 0) { 170 debug2_f("xmss_sign_open failed: %d", ret); 171 } 172 if (ret != 0 || mlen != datalen) { 173 r = SSH_ERR_SIGNATURE_INVALID; 174 goto out; 175 } 176 /* XXX compare 'm' and 'data' ? */ 177 /* success */ 178 r = 0; 179 out: 180 if (sm != NULL) 181 freezero(sm, smlen); 182 if (m != NULL) 183 freezero(m, smlen); 184 sshbuf_free(b); 185 free(ktype); 186 return r; 187 } 188