openssh/openssh-7.7p1-cavstest-kdf.patch

# HG changeset patch
# Parent  1e1d5a2ab8bddfc800f570755f9ea1addcc878c1
CAVS test for KDF implementation in OpenSSH

Index: openssh-8.8p1/Makefile.in
===================================================================
--- openssh-8.8p1.orig/Makefile.in
+++ openssh-8.8p1/Makefile.in
@@ -27,6 +27,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
+CAVSTEST_KDF=$(libexecdir)/cavstest-kdf
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
@@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
 
-TARGETS += cavstest-ctr$(EXEEXT)
+TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
 cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o
 	$(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
 
+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o
+	$(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+
 # test driver for the loginrec code - not built by default
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
@@ -415,6 +419,7 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
+	$(INSTALL) -m 0755 $(STRIP_OPT) cavstest-kdf$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-kdf$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
 	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
 	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
Index: openssh-8.8p1/cavstest-kdf.c
===================================================================
--- /dev/null
+++ openssh-8.8p1/cavstest-kdf.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+
+static int bin_char(unsigned char hex)
+{
+	if (48 <= hex && 57 >= hex)
+		return (hex - 48);
+	if (65 <= hex && 70 >= hex)
+		return (hex - 55);
+	if (97 <= hex && 102 >= hex)
+		return (hex - 87);
+	return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ *	   half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+		    unsigned char *bin, size_t binlen)
+{
+	size_t i = 0;
+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+	for (i = 0; i < chars; i++) {
+		bin[i] = bin_char(hex[(i*2)]) << 4;
+		bin[i] |= bin_char(hex[((i*2)+1)]);
+	}
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+			 unsigned char **bin, size_t *binlen)
+{
+	unsigned char *out = NULL;
+	size_t outlen = 0;
+
+	if (!hexlen)
+		return -EINVAL;
+
+	outlen = (hexlen + 1) / 2;
+
+	out = calloc(1, outlen);
+	if (!out)
+		return -errno;
+
+	hex2bin(hex, hexlen, out, outlen);
+	*bin = out;
+	*binlen = outlen;
+	return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+				 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+				 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+	if (bin < sizeof(hex_char_map_l))
+		return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+	return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ *	   twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+		    char *hex, size_t hexlen, int u)
+{
+	size_t i = 0;
+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+	for (i = 0; i < chars; i++) {
+		hex[(i*2)] = hex_char((bin[i] >> 4), u);
+		hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+	}
+}
+
+struct kdf_cavs {
+	unsigned char *K;
+	size_t Klen;
+	unsigned char *H;
+	size_t Hlen;
+	unsigned char *session_id;
+	size_t session_id_len;
+
+	unsigned int iv_len;
+	unsigned int ek_len;
+	unsigned int ik_len;
+};
+
+#ifdef WITH_OPENSSL
+static int
+kex_derive_keys_bn(struct ssh *ssh, u_char *hash, u_int hashlen,
+    const BIGNUM *secret)
+{
+	struct sshbuf *shared_secret;
+	int r;
+
+	if ((shared_secret = sshbuf_new()) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+	if ((r = sshbuf_put_bignum2(shared_secret, secret)) == 0)
+		r = kex_derive_keys(ssh, hash, hashlen, shared_secret);
+	sshbuf_free(shared_secret);
+	return r;
+}
+#endif
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+	int ret = 0;
+	struct kex kex;
+	BIGNUM *Kbn = NULL;
+	int mode = 0;
+	struct newkeys *keys_client;
+	struct newkeys *keys_server;
+       struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+	char hex[HEXOUTLEN];
+
+	memset(&kex, 0, sizeof(struct kex));
+
+	Kbn = BN_new();
+	BN_bin2bn(test->K, test->Klen, Kbn);
+	if (!Kbn) {
+		printf("cannot convert K into BIGNUM\n");
+		ret = 1;
+		goto out;
+	}
+
+	kex.session_id = sshbuf_new();
+	sshbuf_put(kex.session_id, test->session_id, test->session_id_len);
+
+	/* setup kex */
+
+	/* select the right hash based on struct ssh_digest digests */
+	switch (test->ik_len) {
+		case 20:
+			kex.hash_alg = 2;
+			break;
+		case 32:
+			kex.hash_alg = 3;
+			break;
+		case 48:
+			kex.hash_alg = 4;
+			break;
+		case 64:
+			kex.hash_alg = 5;
+			break;
+		default:
+			printf("Wrong hash type %u\n", test->ik_len);
+			ret = 1;
+			goto out;
+	}
+
+	/* implement choose_enc */
+	for (mode = 0; mode < 2; mode++) {
+		kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+		if (!kex.newkeys[mode]) {
+			printf("allocation of newkeys failed\n");
+			ret = 1;
+			goto out;
+		}
+		kex.newkeys[mode]->enc.iv_len = test->iv_len;
+		kex.newkeys[mode]->enc.key_len = test->ek_len;
+		kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+		kex.newkeys[mode]->mac.key_len = test->ik_len;
+	}
+
+	/* implement kex_choose_conf */
+	kex.we_need = kex.newkeys[0]->enc.key_len;
+	if (kex.we_need < kex.newkeys[0]->enc.block_size)
+		kex.we_need = kex.newkeys[0]->enc.block_size;
+	if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+		kex.we_need = kex.newkeys[0]->enc.iv_len;
+	if (kex.we_need < kex.newkeys[0]->mac.key_len)
+		kex.we_need = kex.newkeys[0]->mac.key_len;
+
+	/* MODE_OUT (1) -> server to client
+	 * MODE_IN (0) -> client to server */
+	kex.server = 1;
+
+	/* do it */
+       if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+	   printf("Allocation error\n");
+	   goto out;
+	}
+ 	ssh->kex = &kex;
+	kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
+
+	keys_client = kex.newkeys[0];
+	keys_server = kex.newkeys[1];
+
+	/* get data */
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_client->enc.iv, (size_t)keys_client->enc.iv_len,
+		hex, HEXOUTLEN, 0);
+	printf("Initial IV (client to server) = %s\n", hex);
+
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_server->enc.iv, (size_t)keys_server->enc.iv_len,
+		hex, HEXOUTLEN, 0);
+	printf("Initial IV (server to client) = %s\n", hex);
+
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_client->enc.key, (size_t)keys_client->enc.key_len,
+		hex, HEXOUTLEN, 0);
+	printf("Encryption key (client to server) = %s\n", hex);
+	
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_server->enc.key, (size_t)keys_server->enc.key_len,
+		hex, HEXOUTLEN, 0);
+	printf("Encryption key (server to client) = %s\n", hex);
+
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_client->mac.key, (size_t)keys_client->mac.key_len,
+		hex, HEXOUTLEN, 0);
+	printf("Integrity key (client to server) = %s\n", hex);
+	
+	memset(hex, 0, HEXOUTLEN);
+	bin2hex(keys_server->mac.key, (size_t)keys_server->mac.key_len,
+		hex, HEXOUTLEN, 0);
+	printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+	if (Kbn)
+		BN_free(Kbn);
+	if (ssh)
+		ssh_packet_close(ssh);
+	if (kex.newkeys[0])
+		free(kex.newkeys[0]);
+	if (kex.newkeys[1])
+		free(kex.newkeys[1]);
+	return ret;
+}
+
+static void usage(void)
+{
+	fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "\t-K\tShared secret string\n");
+	fprintf(stderr, "\t-H\tHash string\n");
+	fprintf(stderr, "\t-s\tSession ID string\n");
+	fprintf(stderr, "\t-i\tIV length to be generated\n");
+	fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+	fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Expected result for example:
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+	struct kdf_cavs test;
+	int ret = 1;
+	int opt = 0;
+
+	memset(&test, 0, sizeof(struct kdf_cavs));
+	while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+	{
+		size_t len = 0;
+		switch(opt)
+		{
+			/*
+			 * CAVS K is MPINT
+			 * we want a hex (i.e. the caller must ensure the
+			 * following transformations already happened):
+			 * 	1. cut off first four bytes
+			 * 	2. if most significant bit of value is
+			 *	   1, prepend 0 byte
+			 */
+			case 'K':
+				len = strlen(optarg);
+				ret = hex2bin_alloc(optarg, len,
+						    &test.K, &test.Klen);
+				if (ret)
+					goto out;
+				break;
+			case 'H':
+				len = strlen(optarg);
+				ret = hex2bin_alloc(optarg, len,
+						    &test.H, &test.Hlen);
+				if (ret)
+					goto out;
+				break;
+			case 's':
+				len = strlen(optarg);
+				ret = hex2bin_alloc(optarg, len,
+						    &test.session_id,
+						    &test.session_id_len);
+				if (ret)
+					goto out;
+				break;
+			case 'i':
+				test.iv_len = strtoul(optarg, NULL, 10);
+				break;
+			case 'e':
+				test.ek_len = strtoul(optarg, NULL, 10);
+				break;
+			case 'm':
+				test.ik_len = strtoul(optarg, NULL, 10);
+				break;
+			default:
+				usage();
+				goto out;
+		}
+	}
+
+	ret = sshkdf_cavs(&test);
+
+out:
+	if (test.session_id)
+		free(test.session_id);
+	if (test.K)
+		free(test.K);
+	if (test.H)
+		free(test.H);
+	return ret;
+
+}