auth-u2f.o \

	case SSH_AUTH_FAIL_U2F:

	else if (strcmp(method, "u2f") == 0)

		return SSH_AUTH_FAIL_U2F;

		{SSH_AUTH_FAIL_U2F,		"AUTH_FAIL_U2F"},

	SSH_AUTH_FAIL_U2F,

/*

 * Copyright (c) 2014 Google Inc.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 *

 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,

 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY

 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 */

#include "includes.h"

#ifdef U2F

#include <ctype.h>

#include <openssl/x509.h>

#include <openssl/err.h>

#include <u2f-host.h>

#include <fcntl.h>

#include "key.h"

#include "hostfile.h"

#include "auth.h"

#include "auth-options.h"

#include "ssh.h"

#include "ssh2.h"

#include "log.h"

#include "dispatch.h"

#include "misc.h"

#include "servconf.h"

#include "packet.h"

#include "digest.h"

#include "xmalloc.h"

#include "monitor_wrap.h"

#include "u2f.h"

// Evaluates to the maximum size that base64-encoding 'size' bytes can have,

// including one byte for a trailing NULL byte.

#define BASE64_ENCODED_SIZE(size) (((size)+2)/3)*4 + 1

// Evaluates to the maximum size that base64-decoding 'size' bytes can have.

#define BASE64_DECODED_SIZE(size) ((size) * 3/4)

extern ServerOptions options;

static void input_userauth_u2f_auth_response(int, u_int32_t, void *);

static void input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt);

static const int u2f_challenge_len = 32;

// We set the application id to the fixed identifier “openssh”. Theoretically,

// it should be an HTTPS URL, listing further origins that are acceptable.

// However, since the SSH client cannot fetch such a URL anyway, we don’t

// bother setting the appid to anything meaningful.

//

// In case we need to do that in the future, we can easily make the appid a

// configuration option.

static const char *appid = "openssh";

void u2f_sha256(u_char *dest, const u_char *src, size_t srclen) {

	struct ssh_digest_ctx *ctx = ssh_digest_start(SSH_DIGEST_SHA256);

	ssh_digest_update(ctx, src, srclen);

	ssh_digest_final(ctx, dest, ssh_digest_bytes(SSH_DIGEST_SHA256));

}

/* We can get away without a JSON parser because all values in the JSON

 * messages used in U2F are (websafe) base64 encoded, therefore we don’t need

 * to care about escaping at all. We can just look for the starting double

 * quote and take everything until the next double quote.

 */

static char *

extract_json_string(const char *json, const char *key)

{

	char *quotedkey;

	char *keypos;

	char *value;

	char *end;

	int quotedkeylen;

	quotedkeylen = xasprintf(&quotedkey, "\"%s\"", key);

	keypos = strstr(json, quotedkey);

	free(quotedkey);

	if (keypos == NULL)

		return NULL;

	keypos += quotedkeylen;

	if (*keypos == ':')

		keypos++;

	while (*keypos != '\0' && isspace(*keypos))

		keypos++;

	if (*keypos != '"')

		return NULL;

	keypos++;

	value = xstrdup(keypos);

	if ((end = strchr(value, '"')) == NULL) {

		free(value);

		return NULL;

	}

	*end = '\0';

	return value;

}

static int

urlsafe_base64_decode(const char *base64, u_char *buffer, size_t bufferlen)

{

	// U2F uses urlsafe base64, which replaces + with - and / with _, so we

	// need to revert that before base64 decoding.

	char *replaced;

	char *pos;

	int ret;

	replaced = xstrdup(base64);

	while ((pos = strchr(replaced, '-')) != NULL)

		*pos = '+';

	while ((pos = strchr(replaced, '_')) != NULL)

		*pos = '/';

	ret = b64_pton(replaced, buffer, bufferlen);

	free(replaced);

	return ret;

}

static int

urlsafe_base64_encode(u_char const *src, size_t srclength, char *target, size_t targsize)

{

	char *pos;

	int len;

	if ((len = b64_ntop(src, srclength, target, targsize)) == -1)

		return -1;

	while ((pos = strchr(target, '+')) != NULL)

		*pos = '-';

	while ((pos = strchr(target, '/')) != NULL)

		*pos = '_';

	return len;

}

static Key*

read_keyfile(FILE *fp, char *filename, struct passwd *pw, u_long *linenum)

{

	char line[SSH_MAX_PUBKEY_BYTES];

	Key *found = NULL;

	while (read_keyfile_line(fp, filename, line, sizeof(line), linenum) != -1) {

		char *cp;

		if (found != NULL)

			key_free(found);

		found = key_new(KEY_U2F);

		auth_clear_options();

		/* Skip leading whitespace, empty and comment lines. */

		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)

			;

		if (!*cp || *cp == '\n' || *cp == '#')

			continue;

		if (key_read(found, &cp) != 1) {

			continue;

		}

		if (found->type == KEY_U2F) {

			// TODO: calculate and display a fingerprint of the key handle and pubkey?

			debug("ssh-u2f key found: file %s, line %lu", filename, *linenum);

			return found;

		}

	}

	return NULL;

}

/*

 * Read a key from the key files.

 */

Key*

read_user_u2f_key(struct passwd *pw, u_int key_idx)

{

	size_t i;

	// TODO: It might not be safe to pass the key back to the unprivileged

	// process. It probably is, but we should review this.

	// In the first step, we need to go through all u2f keys that we have and

	// collect their key handles.

	for (i = 0; i < options.num_authkeys_files; i++) {

		FILE *fp;

		char *file;

		Key *key = NULL;

		u_long linenum = 0;

		if (strcasecmp(options.authorized_keys_files[i], "none") == 0)

			continue;

		file = expand_authorized_keys(options.authorized_keys_files[i], pw);

		debug("looking for ssh-u2f keys in %s", file);

		if ((fp = fopen(file, "r")) == NULL) {

			free(file);

			continue;

		}

		do

		{

			// TODO: Hackish way to allow getting more than one key

			key_free(key);

			key = read_keyfile(fp, file, pw, &linenum);

		}

		while(key_idx-- > 0);

		fclose(fp);

		free(file);

		if (key != NULL)

			return key;

	}

	return NULL;

}

static int

userauth_u2f_register(Authctxt *authctxt)

{

	u_char random[u2f_challenge_len];

	char challenge[BASE64_ENCODED_SIZE(sizeof(random))];

	char *json;

	arc4random_buf(random, sizeof(random));

	if (urlsafe_base64_encode(random, sizeof(random), challenge, sizeof(challenge)) == -1)

		fatal("urlsafe_base64_encode(arc4random_buf()) failed");

	xasprintf(&json, "{\"challenge\": \"%s\", \"version\": \"U2F_V2\", \"appId\": \"%s\"}",

		challenge, appid);

	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);

	packet_put_cstring(json);

	packet_send();

	free(json);

	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,

		&input_userauth_u2f_register_response);

	authctxt->postponed = 1;

	return 0;

}

static int

userauth_u2f_authenticate(Authctxt *authctxt)

{

	char pubkey[BASE64_ENCODED_SIZE(U2F_PUBKEY_LEN)];

	char *keyhandle;

	char *json;

	Key *key;

	u_char *challenge;

	if ((key = PRIVSEP(read_user_u2f_key(authctxt->pw, authctxt->u2f_attempt))) == NULL) {

		if (authctxt->u2f_attempt == 0) {

			char *reason = "Skipping U2F authentication: no ssh-u2f keys found in the authorized keys file(s).";

			debug("%s", reason);

			auth_debug_add("%s", reason);

			authctxt->postponed = 0;

			return (1);

		} else {

			debug("terminating u2f authentication unsuccessfully, no more keys to try.");

			userauth_finish(authctxt, 0, "u2f", NULL);

			return (0);

		}

	}

	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);

	challenge = xmalloc(u2f_challenge_len);

	arc4random_buf(challenge, u2f_challenge_len);

	free(authctxt->u2f_challenge);

	key_free(authctxt->u2f_key);

	authctxt->u2f_challenge = xmalloc(BASE64_ENCODED_SIZE(u2f_challenge_len));

	authctxt->u2f_key = key;

	if (urlsafe_base64_encode(challenge, u2f_challenge_len,

			authctxt->u2f_challenge, BASE64_ENCODED_SIZE(u2f_challenge_len)) == -1)

		fatal("urlsafe_base64_encode(arc4random_buf()) failed");

	if (urlsafe_base64_encode(key->u2f_pubkey, U2F_PUBKEY_LEN, pubkey, sizeof(pubkey)) == -1)

		fatal("urlsafe_base64_encode(key->u2f_pubkey) failed");

	keyhandle = xmalloc(BASE64_ENCODED_SIZE(key->u2f_key_handle_len));

	if (urlsafe_base64_encode(key->u2f_key_handle, key->u2f_key_handle_len,

				keyhandle, BASE64_ENCODED_SIZE(key->u2f_key_handle_len)) == -1)

		fatal("urlsafe_base64_encode(key->u2f_key_handle) failed");

	xasprintf(&json, "{\"challenge\": \"%s\", \"keyHandle\": \"%s\", \"appId\": \"%s\"}",

		authctxt->u2f_challenge, keyhandle, appid);

	packet_put_cstring(json);

	free(json);

	free(keyhandle);

	free(challenge);

	packet_send();

	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,

		&input_userauth_u2f_auth_response);

	authctxt->postponed = 1;

	return (0);

}

static int

userauth_u2f(Authctxt *authctxt)

{

	int mode = packet_get_int();

	packet_check_eom();

	if (mode == U2F_MODE_REGISTRATION) {

		debug("Starting U2F registration");

		return userauth_u2f_register(authctxt);

	} else if (mode == U2F_MODE_AUTHENTICATION) {

		debug("Starting U2F authentication");

		authctxt->u2f_attempt = 0;

		authctxt->u2f_challenge = NULL;

		authctxt->u2f_key = NULL;

		return userauth_u2f_authenticate(authctxt);

	} else {

		error("Unknown U2F mode %d requested by the client.", mode);

		return 0;

	}

}

static void

input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt)

{

#define u2f_bounds_check(necessary_bytes) do { \

	if (restlen < necessary_bytes) { \

		error("U2F response too short: need %d bytes, but only %d remaining", \

			necessary_bytes, restlen); \

		goto out; \

	} \

} while (0)

#define u2f_advance(parsed_bytes) do { \

	int advance = parsed_bytes; \

	walk += advance; \

	restlen -= advance; \

} while (0)

	Authctxt *authctxt = ctxt;

	char *response, *regdata = NULL, *clientdata = NULL;

	u_char *decoded = NULL;

	u_char *walk = NULL;

	u_char *keyhandle = NULL;

	u_char *pubkey = NULL;

	u_char *signature = NULL;

	u_char *dummy = NULL;

	u_char *cdecoded = NULL;

	X509 *x509 = NULL;

	EVP_PKEY *pkey = NULL;

	EVP_MD_CTX mdctx;

	int restlen;

	int khlen;

	int cdecodedlen;

	int err;

	char errorbuf[4096];

	u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];

	authctxt->postponed = 0;

	response = packet_get_string(NULL);

	packet_check_eom();

	if ((regdata = extract_json_string(response, "registrationData")) == NULL) {

		error("U2F Response not JSON, or does not contain \"registrationData\"");

		goto out;

	}

	decoded = xmalloc(BASE64_DECODED_SIZE(strlen(regdata)));

	restlen = urlsafe_base64_decode(regdata, decoded, BASE64_DECODED_SIZE(strlen(regdata)));

	walk = decoded;

	// Header (magic byte)

	u2f_bounds_check(1);

	if (walk[0] != 0x05) {

		error("U2F response does not start with magic byte 0x05");

		goto out;

	}

	u2f_advance(1);

	// Length of the public key

	u2f_bounds_check(U2F_PUBKEY_LEN);

	pubkey = walk;

	u2f_advance(U2F_PUBKEY_LEN);

	// Length of the key handle

	u2f_bounds_check(1);

	khlen = walk[0];

	if (khlen <= 0) {

		error("Invalid key handle length: %d", khlen);

		goto out;

	}

	u2f_advance(1);

	// Key handle

	u2f_bounds_check(khlen);

	keyhandle = walk;

	u2f_advance(khlen);

	// Attestation certificate

	u2f_bounds_check(1);

	signature = walk;

	if ((x509 = d2i_X509(NULL, (const unsigned char **)&signature, restlen)) == NULL) {

		error("U2F response contains an invalid attestation certificate.");

		goto out;

	}

	// U2F dictates that the length of the certificate should be determined by

	// encoding the certificate using DER.

	u2f_advance(i2d_X509(x509, &dummy));

	free(dummy);

	// Ensure we have at least one byte of signature.

	u2f_bounds_check(1);

	if ((clientdata = extract_json_string(response, "clientData")) == NULL) {

		error("U2F response JSON lacks the \"clientData\" key.");

		goto out;

	}

	cdecoded = xmalloc(BASE64_DECODED_SIZE(strlen(clientdata)));

	cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, BASE64_DECODED_SIZE(strlen(clientdata)));

	pkey = X509_get_pubkey(x509);

	if ((err = EVP_VerifyInit(&mdctx, EVP_sha256())) != 1) {

		ERR_error_string(ERR_get_error(), errorbuf);

		fatal("EVP_VerifyInit() failed: %s (reason: %s)",

				errorbuf, ERR_reason_error_string(err));

	}

	EVP_VerifyUpdate(&mdctx, "\0", 1);

	u2f_sha256(digest, appid, strlen(appid));

	EVP_VerifyUpdate(&mdctx, digest, sizeof(digest));

	u2f_sha256(digest, cdecoded, cdecodedlen);

	EVP_VerifyUpdate(&mdctx, digest, sizeof(digest));

	EVP_VerifyUpdate(&mdctx, keyhandle, khlen);

	EVP_VerifyUpdate(&mdctx, pubkey, U2F_PUBKEY_LEN);

	err = EVP_VerifyFinal(&mdctx, walk, restlen, pkey);

	if (err == 0) {

		error("Verifying the U2F registration signature failed: invalid signature");

		goto out;

	} else if (err == -1) {

		long e = ERR_get_error();

		ERR_error_string(e, errorbuf);

		error("Verifying the U2F registration signature failed: %s (raw %lu) (reason: %s)",

				errorbuf, e, ERR_reason_error_string(err));

		goto out;

	}

	{

		/* Send the client a ssh-u2f line to append to the authorized_keys file

		 * (in order to register the security key that was just used). */

		char *authorizedkey;

		char key[U2F_PUBKEY_LEN + khlen];

		char key64[BASE64_ENCODED_SIZE(sizeof(key))];

		memcpy(key, pubkey, U2F_PUBKEY_LEN);

		memcpy(key+U2F_PUBKEY_LEN, keyhandle, khlen);

		if (b64_ntop(key, sizeof(key), key64, sizeof(key64)) == -1)

			fatal("b64_ntop(key)");

		xasprintf(&authorizedkey, "ssh-u2f %s my security key", key64);

		packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);

		packet_put_cstring(authorizedkey);

		packet_send();

		free(authorizedkey);

		dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);

	}

out:

	free(regdata);

	free(clientdata);

	free(decoded);

	free(cdecoded);

	if (x509 != NULL)

		X509_free(x509);

	if (pkey != NULL)

		EVP_PKEY_free(pkey);

	userauth_finish(authctxt, 0, "u2f", NULL);

#undef u2f_bounds_check

#undef u2f_advance

}

int

verify_u2f_user(Key *key, u_char *dgst, size_t dgstlen, u_char *sig, size_t siglen)

{

	char errorbuf[4096];

	int ret = 0;

	EC_KEY *ec;

	u_char *p;

	/* To save bytes, the (common) public key prefix is not included in U2F

	 * messages itself. */

#define PREFIX_LEN 26

#define TOTAL_LEN U2F_PUBKEY_LEN + PREFIX_LEN

	u_char user_pubkey[TOTAL_LEN] =

		"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a"

		"\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00";

	memcpy(user_pubkey+PREFIX_LEN, key->u2f_pubkey, U2F_PUBKEY_LEN);

	p = user_pubkey;

	if ((ec = d2i_EC_PUBKEY(NULL, (const unsigned char **)&p, TOTAL_LEN)) == NULL) {

		ERR_error_string(ERR_get_error(), errorbuf);

		error("Verifying U2F authentication signature failed: "

				"d2i_EC_PUBKEY() failed: %s (reason: %s)",

				errorbuf, ERR_reason_error_string(ERR_get_error()));

		return 0;

	}

	if ((ret = ECDSA_verify(0, dgst, dgstlen, sig, siglen, ec)) == -1) {

		ERR_error_string(ERR_get_error(), errorbuf);

		error("Verifying U2F authentication signature failed: "

				"ECDSA_verify() failed: %s (reason: %s)",

				errorbuf, ERR_reason_error_string(ERR_get_error()));

		goto out;

	}

	debug("U2F authentication signature verified: %s.", (ret == 1 ? "valid" : "invalid"));

out:

	EC_KEY_free(ec);

	return (ret == 1);

#undef TOTAL_LEN

#undef PREFIX_LEN

}

static void

input_userauth_u2f_auth_response(int type, u_int32_t seq, void *ctxt)

{

	int authenticated = 0;

	Authctxt *authctxt = ctxt;

	u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];

	char *sig = NULL;

	char *clientdata = NULL;

	u_char *decoded = NULL;

	int decodedlen;

	u_char *cdecoded = NULL;

	int cdecodedlen;

	char *received_challenge = NULL;

	char *resp = packet_get_string(NULL);

	packet_check_eom();

	if ((sig = extract_json_string(resp, "signatureData")) == NULL) {

		error("U2F Response not JSON, or does not contain \"signatureData\"");

		goto out;

	}

	if (*sig == '\0') {

		error("U2F authentication failed: empty signature. "

				"Probably the key is not registered (i.e. the configured "

				"key handle/pubkey do not exist on the security key you are using)");

		goto out;

	}

	decoded = xmalloc(BASE64_DECODED_SIZE(strlen(sig)));

	decodedlen = urlsafe_base64_decode(sig, decoded, BASE64_DECODED_SIZE(strlen(sig)));

	// Ensure that the user presence byte, the counter and at least one byte of

	// signature are present.

	if (decodedlen <= (int)(sizeof(u_char) + sizeof(u_int32_t))) {

		error("Decoded U2F signature too short (%d bytes, expected more than %d bytes)",

				decodedlen, (int)(sizeof(u_char) + sizeof(u_int32_t)));

		goto out;

	}

	if ((decoded[0] & 0x01) != 0x01) {

		error("No user presence detected. Please touch your security key upon "

				"being prompted when retrying.");

		goto out;

	}

	u_int32_t counter = ntohl(*((u_int32_t*)(decoded + sizeof(u_char))));

	// XXX: Ideally, we would verify that this counter never decreases to

	// detect cloned security keys. However, since OpenSSH never writes any

	// data to disk, we cannot keep track of the counter.

	debug("usage counter = %d\n", counter);

	struct ssh_digest_ctx *sha256ctx = ssh_digest_start(SSH_DIGEST_SHA256);

	u2f_sha256(digest, appid, strlen(appid));

	ssh_digest_update(sha256ctx, digest, sizeof(digest));

	ssh_digest_update(sha256ctx, decoded, sizeof(u_char));

	ssh_digest_update(sha256ctx, decoded+1, 4 * sizeof(u_char));

	if ((clientdata = extract_json_string(resp, "clientData")) == NULL) {

		error("U2F response JSON lacks the \"clientData\" key.");

		goto out;

	}

	cdecoded = xcalloc(1, BASE64_DECODED_SIZE(strlen(clientdata))+1);

	cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, BASE64_DECODED_SIZE(strlen(clientdata)));

	// XXX: We intentionally do not verify the "origin" field because that

	// would always require end-to-end connectivity, i.e. both server and

	// client need to share the understanding of the server’s hostname. As an

	// example, if the client connects to the server as ssh-gateway.example.net

	// (which could be a CNAME pointing to fra01.example.net), but the server

	// has the hostname fra01.example.net, this would break.

	if ((received_challenge = extract_json_string(cdecoded, "challenge")) == NULL) {

		error("U2F response clientData lacks the \"challenge\" key.");

		goto out;

	}

	if (strcmp(received_challenge, authctxt->u2f_challenge) != 0) {

		error("U2F response challenge bytes differ from what was sent. Man in the middle?");

		free(received_challenge);

		goto out;

	}

	free(received_challenge);

	u2f_sha256(digest, cdecoded, cdecodedlen);

	ssh_digest_update(sha256ctx, digest, sizeof(digest));

	ssh_digest_final(sha256ctx, digest, sizeof(digest));

	authenticated = PRIVSEP(verify_u2f_user(

		authctxt->u2f_key, digest, sizeof(digest), decoded+5, decodedlen-5));

	authctxt->postponed = 0;

	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);

out:

	free(sig);

	free(clientdata);

	free(decoded);

	free(cdecoded);

	authctxt->u2f_attempt++;

	if (authenticated) {

		userauth_finish(authctxt, 1, "u2f", NULL);

	} else {

		// Try again, perhaps there are more keys to use.

		userauth_u2f_authenticate(authctxt);

	}

}

Authmethod method_u2f = {

	"u2f",

	userauth_u2f,

	&options.u2f_authentication

};

#endif /* U2F */

#ifdef U2F

	Key         *u2f_key;

	char        *u2f_challenge;

	int          u2f_attempt;

#endif

#ifdef U2F

Key	 *read_user_u2f_key(struct passwd *, u_int);

int	 verify_u2f_user(Key *, u_char *, size_t, u_char *, size_t);

#endif

#ifdef U2F

extern Authmethod method_u2f;

#endif

#ifdef U2F

	&method_u2f,

#endif

/* Enable U2F support (using libu2f-host) */

#undef U2F

/* Enable large inode numbers on Mac OS X 10.5.  */

#ifndef _DARWIN_USE_64_BIT_INODE

# define _DARWIN_USE_64_BIT_INODE 1

#endif

# Check whether user wants u2f support (using libu2f-host)

U2F_MSG="no"

AC_ARG_WITH([u2f],

	[  --with-u2f[[=PATH]]   Enable U2F support (using libu2f-host)],

	[ if test "x$withval" != "xno" ; then

		if test "x$withval" = "xyes" ; then

			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])

			if test "x$PKGCONFIG" != "xno"; then

				AC_MSG_CHECKING([if $PKGCONFIG knows about u2f-host])

			 	if "$PKGCONFIG" u2f-host; then

					AC_MSG_RESULT([yes])

					use_pkgconfig_for_libu2fhost=yes

				else

					AC_MSG_RESULT([no])

				fi

			fi

		else

			CPPFLAGS="$CPPFLAGS -I${withval}/include"

			if test -n "${need_dash_r}"; then

				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"

			else

				LDFLAGS="-L${withval}/lib ${LDFLAGS}"

			fi

		fi

		if test "x$use_pkgconfig_for_libu2fhost" = "xyes"; then

			LIBU2FHOST=`$PKGCONFIG --libs u2f-host`

			CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags u2f-host`"

		else

			LIBU2FHOST="-lu2f-host"

		fi

		LIBS="$LIBS $LIBU2FHOST"

		AC_CHECK_LIB([u2f-host], [u2fh_global_init],

			[ AC_DEFINE([U2F], [1], [Enable U2F support (using libu2f-host)])

			  U2F_MSG="yes"

			  AC_SUBST([LIBU2FHOST])

			],

			[ AC_MSG_ERROR([libu2f-host not found]) ],

			[ $LIBS ]

		)

		AC_MSG_CHECKING([if libu2f-host version is compatible])

		AC_COMPILE_IFELSE(

		    [AC_LANG_PROGRAM([[ #include <u2f-host.h> ]],

		    [[

	u2fh_global_init(0);

	exit(0);

		    ]])],

		    [ AC_MSG_RESULT([yes]) ],

		    [ AC_MSG_RESULT([no])

		      AC_MSG_ERROR([u2f-host version is not compatible]) ]

		)

	fi ]

)

echo "                       U2F support: $U2F_MSG"

 * Copyright 2014 Google Inc.

#ifdef U2F

int mm_answer_read_user_u2f_key(int, Buffer *);

int mm_answer_verify_u2f_user(int, Buffer *);

#endif

#ifdef U2F

    {MONITOR_REQ_READUSERU2FKEY, MON_AUTH, mm_answer_read_user_u2f_key},

    {MONITOR_REQ_VERIFYU2FUSER, MON_AUTH, mm_answer_verify_u2f_user},

#endif

	case SSH_AUTH_FAIL_U2F:

#ifdef U2F

int

mm_answer_read_user_u2f_key(int sock, Buffer *m)

{

	int authenticated = 0;

	Key *key;

	u_int key_idx;

	u_char *blob = NULL;

	u_int blen = 0;

	key_idx = buffer_get_int(m);

	buffer_clear(m);

	key = read_user_u2f_key(authctxt->pw, key_idx);

	buffer_put_int(m, key == NULL ? 1 : 0);

	if (key != NULL)

	{

		if (key_to_blob(key, &blob, &blen) == 0)

			fatal("%s: key_to_blob failed", __func__);

		buffer_put_string(m, blob, blen);

		debug3("%s: sending key", __func__);

	} else {

		debug3("%s: no key to send", __func__);

		if (key_idx == 0) {

			auth_method = "u2f";

			authenticated = 1;

		}

	}

	mm_request_send(sock, MONITOR_ANS_READUSERU2FKEY, m);

	return authenticated;

}

int

mm_answer_verify_u2f_user(int sock, Buffer *m)

{

	int authenticated = 0;

	Key *key;

	u_char *blob, *dgst, *sig;

	u_int bloblen, dgstlen, siglen;

	blob = buffer_get_string(m, &bloblen);

	key = key_from_blob(blob, bloblen);

	dgst = buffer_get_string(m, &dgstlen);

	sig = buffer_get_string(m, &siglen);

	buffer_clear(m);

	authenticated = verify_u2f_user(key, dgst, dgstlen, sig, siglen);

	buffer_put_int(m, authenticated);

	auth_method = "u2f";

	mm_request_send(sock, MONITOR_ANS_VERIFYU2FUSER, m);

	key_free(key);

	return authenticated;

}

#endif /* U2F */

	MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,

	MONITOR_REQ_VERIFYU2FUSER = 54, MONITOR_ANS_VERIFYU2FUSER = 55,

 * Copyright 2014 Google Inc.

#ifdef U2F

Key *

mm_read_user_u2f_key(struct passwd *pw, u_int key_idx)

{

	Buffer m;

	Key *key = NULL;

	u_char *blob;

	u_int blen;

	u_int is_null;

	debug3("%s entering", __func__);

	buffer_init(&m);

	buffer_put_int(&m, key_idx);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_READUSERU2FKEY, &m);

	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_READUSERU2FKEY, &m);

	is_null = buffer_get_int(&m);

	if (is_null == 0) {

		blob = buffer_get_string(&m, &blen);

		if ((key = key_from_blob(blob, blen)) == NULL)

			fatal("%s: key_from_blob failed", __func__);

		free(blob);

	}

	buffer_free(&m);

	return key;

}

int

mm_verify_u2f_user(Key *key, u_char * dgst, size_t dgstlen, u_char * sig, size_t siglen)

{

	int authenticated = 0;

	Buffer m;

	u_char *blob;

	u_int blen;

	debug3("%s entering", __func__);

	if (key_to_blob(key, &blob, &blen) == 0)

		fatal("%s: key_to_blob failed", __func__);

	buffer_init(&m);

	buffer_put_string(&m, blob, blen);

	free(blob);

	buffer_put_string(&m, dgst, dgstlen);

	buffer_put_string(&m, sig, siglen);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_VERIFYU2FUSER, &m);

	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_VERIFYU2FUSER, &m);

	authenticated = buffer_get_int(&m);

	buffer_free(&m);

	return authenticated;

}

#endif /* U2F */

#ifdef U2F

Key *mm_read_user_u2f_key(struct passwd *, u_int);

int mm_verify_u2f_user(Key *, u_char *, size_t, u_char *, size_t);

#endif

	oU2fMode,

#ifdef U2F

	{ "u2fmode", oU2fMode },

#else

	{ "u2fmode", oUnsupported },

#endif

	case oU2fMode:

		charptr = &options->u2f_mode;

		goto parse_string;

	options->u2f_mode = NULL;

	int     u2f_authentication;

	char    *u2f_mode; /* mode (registration or authentication) for U2F auth. */

	options->u2f_authentication = -1;

	// U2F authentication is disabled by default. On its own, it does not

	// provide adequate security, and it should be used as a second factor in

	// combination with publickey, for example.

	if (options->u2f_authentication == -1)

		options->u2f_authentication = 0;

	sU2FAuthentication,

#ifdef U2F

	{ "u2fauthentication", sU2FAuthentication, SSHCFG_ALL },

#else

	{ "u2fauthentication", sUnsupported, SSHCFG_ALL },

#endif

	case sU2FAuthentication:

		intptr = &options->u2f_authentication;

		goto parse_flag;

	M_CP_INTOPT(u2f_authentication);

#ifdef U2F

	dump_cfg_fmtint(sU2FAuthentication, o->u2f_authentication);

#endif

	int     u2f_authentication;

.It U2FMode

#ifdef U2F

#include <u2f-host.h>

#endif

	SSL_load_error_strings();

#endif

#ifdef U2F

	if (u2fh_global_init(0) != U2FH_OK)

		fatal("u2fh_global_init() failed");

.It Cm U2FMode

Specifies which mode the U2F authentication method should use. Can be either

.Dq authentication

or

.Dq registration .

The default is

.Dq authentication .

 * Copyright (c) 2014 Google Inc.  All rights reserved.

#include <time.h>

#ifdef U2F

#include <u2f-host.h>

#endif

#include "u2f.h"

	char *host_port;

#ifdef U2F

int userauth_u2f(Authctxt *authctxt);

void input_userauth_u2f_authenticate(int type, u_int32_t seq, void *ctxt);

void input_userauth_u2f_register(int type, u_int32_t seq, void *ctxt);

void input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt);

#endif

	// U2F needs to be the first authentication method, so that we use it once

	// the server allows it. This enables server configurations containing e.g.:

	// AuthenticationMethods password,u2f pubkey,u2f

#ifdef U2F

    {"u2f",

        userauth_u2f,

        NULL,

        &options.u2f_authentication,

        NULL},

#endif

	get_hostfile_hostname_ipaddr(host, NULL, port, &authctxt.host_port, NULL);

#ifdef U2F

int

userauth_u2f(Authctxt *authctxt)

{

	// first step: we dont send anything, but install a custom dispatcher.

	debug("sshconnect2:userauth_u2f");

	// For U2F_MODE_REGISTRATION, this code path will return 0, meaning the

	// authentication method will not be retried. If we did not do that, we

	// would loop endlessly.

	if (authctxt->info_req_seen) {

		dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);

		return 0;

	}

	packet_start(SSH2_MSG_USERAUTH_REQUEST);

	packet_put_cstring(authctxt->server_user);

	packet_put_cstring(authctxt->service);

	packet_put_cstring(authctxt->method->name);

	if (options.u2f_mode == NULL || strcasecmp(options.u2f_mode, "authentication") == 0) {

		packet_put_int(U2F_MODE_AUTHENTICATION);

		dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_u2f_authenticate);

	} else if (options.u2f_mode != NULL && strcasecmp(options.u2f_mode, "registration") == 0) {

		packet_put_int(U2F_MODE_REGISTRATION);

		dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_u2f_register);

	} else {

		fatal("Invalid U2F mode (\"%s\"), expected \"authentication\" or \"registration\".",

				options.u2f_mode);

	}

	packet_send();

	return 1;

}

static void

wait_for_u2f_devices(u2fh_devs *devs)

{

	time_t looking;

	int attempts = 0;

	u2fh_rc rc;

	// The U2F implementation considerations recommend 3 seconds as the time a

	// client implementation should grant for security keys to respond. We wait

	// 3 times that for the user to insert a security key (and it being

	// detected).

	looking = monotime();

	do {

		if ((rc = u2fh_devs_discover(devs, NULL)) != U2FH_OK && attempts++ == 0)

			error("Please insert and touch your U2F security key.");

		if (rc != U2FH_OK)

			usleep(50);

	} while (rc != U2FH_OK && (monotime() - looking) <= 9);

	if (rc != U2FH_OK)

		fatal("No U2F devices found (%s). Did you plug in your U2F security key?",

				u2fh_strerror(rc));

	if (attempts == 0)

		error("Please touch your U2F security key now.");

}

void

input_userauth_u2f_register(int type, u_int32_t seq, void *ctxt)

{

	Authctxt *authctxt = ctxt;

	char *challenge, *response;

	u2fh_devs *devs = NULL;

	u2fh_rc rc;

	const char *origin = authctxt->host_port;

	if (authctxt == NULL)

		fatal("input_userauth_u2f_register: no authentication context");

	authctxt->info_req_seen = 1;

	challenge = packet_get_string(NULL);

	packet_check_eom();

	if ((rc = u2fh_devs_init(&devs)) != U2FH_OK)

		fatal("u2fh_devs_init() failed: %s", u2fh_strerror(rc));

	wait_for_u2f_devices(devs);

	if ((rc = u2fh_register(devs, challenge, origin, &response, U2FH_REQUEST_USER_PRESENCE)) != U2FH_OK)

		fatal("u2fh_register() failed: %s", u2fh_strerror(rc));

	u2fh_devs_done(devs);

	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);

	packet_put_cstring(response);

	packet_send();

	free(response);

	dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, NULL);

	dispatch_set(SSH2_MSG_USERAUTH_INFO_REQUEST, &input_userauth_u2f_register_response);

}

void

input_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt)

{

	char *response = packet_get_string(NULL);

	printf("%s\n", response);

	fflush(stdout);

}

void

input_userauth_u2f_authenticate(int type, u_int32_t seq, void *ctxt)

{

	Authctxt *authctxt = ctxt;

	char *challenge, *response;

	u2fh_devs *devs = NULL;

	u2fh_rc rc;

	const char *origin = authctxt->host_port;

	if (authctxt == NULL)

		fatal("input_userauth_u2f_authenticate: no authentication context");

	authctxt->info_req_seen = 1;

	challenge = packet_get_string(NULL);

	packet_check_eom();

	debug("Starting U2F authentication for origin \"%s\".", origin);

	if ((rc = u2fh_devs_init(&devs)) != U2FH_OK)

		fatal("u2fh_devs_init() failed: %s", u2fh_strerror(rc));

	wait_for_u2f_devices(devs);

	// TODO: refactor with input_userauth_u2f_register(), the following line is the only one that is different :)

	if ((rc = u2fh_authenticate(devs, challenge, origin, &response, U2FH_REQUEST_USER_PRESENCE)) != U2FH_OK)

		fatal("u2fh_authenticate() failed: %s", u2fh_strerror(rc));

	u2fh_devs_done(devs);

	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);

	packet_put_cstring(response);

	packet_send();

	free(response);

	// We intentionally do not set SSH2_MSG_USERAUTH_INFO_REQUEST to NULL,

	// because the server might send us more challenges (in case more than one

	// U2F security key is in the authorized_keys).

}

#endif /* U2F */

	SSL_load_error_strings();

.It Cm U2FAuthentication

Specifies whether user authentication based on U2F (Universal Second Factor) is allowed. The default is

.Dq no .

Note that U2F authentication should never be used alone, so specify for example:

.Bd -literal -offset indent

U2FAuthentication yes

AuthenticationMethods pubkey,u2f

.Ed

.Pp

That way, pubkey authentication will be performed and U2F will be required

after pubkey authentication was successful. In case the user in question does

not have any ssh-u2f lines in their authorized_keys file, the u2f

authentication method will just return success.

.Pp

In order to register a U2F security key, enable this option as outlined above.

Then, run

.Dq ssh -o U2FMode=registration server.example.net

in order to obtain a ssh-u2f line which you can then append to your

authorized_keys.

 * Copyright (c) 2014 Google Inc.  All rights reserved.

#include "key.h"

#include "hostfile.h"

#include "auth.h"

#include "u2f.h"

	{ "ssh-u2f", "U2F", KEY_U2F, 0, 0 },

	case KEY_U2F:

		break;

#ifdef U2F

	case KEY_U2F:

		if (key->u2f_pubkey == NULL)

			return SSH_ERR_INVALID_ARGUMENT;

		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||

		    (ret = sshbuf_put_string(b, key->u2f_pubkey, U2F_PUBKEY_LEN)) != 0 ||

		    (ret = sshbuf_put_string(b,

				key->u2f_key_handle, key->u2f_key_handle_len)) != 0)

			return ret;

		break;

#endif

	case KEY_U2F:

#ifdef U2F

		space = strchr(cp, ' ');

		if (space == NULL)

			return SSH_ERR_INVALID_FORMAT;

		*space = '\0';

		type = sshkey_type_from_name(cp);

		if (type == KEY_UNSPEC)

			return SSH_ERR_INVALID_FORMAT;

		cp = space+1;

		if (*cp == '\0')

			return SSH_ERR_INVALID_FORMAT;

		if (ret->type == KEY_UNSPEC) {

			ret->type = type;

		} else if (ret->type != type)

			return SSH_ERR_KEY_TYPE_MISMATCH;

		cp = space+1;

		/* trim comment */

		space = strchr(cp, ' ');

		if (space)

			*space = '\0';

		blob = sshbuf_new();

		if ((r = sshbuf_b64tod(blob, cp)) != 0) {

			sshbuf_free(blob);

			return r;

		}

		// TODO: why do we _need_ to use malloc here? xmalloc gives memory that crashes!

		ret->u2f_pubkey = malloc(U2F_PUBKEY_LEN);

		memcpy(ret->u2f_pubkey, sshbuf_ptr(blob), U2F_PUBKEY_LEN);

		ret->u2f_key_handle_len = sshbuf_len(blob) - U2F_PUBKEY_LEN;

		ret->u2f_key_handle = malloc(ret->u2f_key_handle_len);

		memcpy(ret->u2f_key_handle, sshbuf_ptr(blob) + U2F_PUBKEY_LEN, ret->u2f_key_handle_len);