自学教程：C++ ssh_digest_bytes函数代码示例

intkexgex_hash(    int hash_alg,    const char *client_version_string,    const char *server_version_string,    const u_char *ckexinit, size_t ckexinitlen,    const u_char *skexinit, size_t skexinitlen,    const u_char *serverhostkeyblob, size_t sbloblen,    int min, int wantbits, int max,    const BIGNUM *prime,    const BIGNUM *gen,    const BIGNUM *client_dh_pub,    const BIGNUM *server_dh_pub,    const BIGNUM *shared_secret,    u_char *hash, size_t *hashlen){	struct sshbuf *b;	int r;	if (*hashlen < ssh_digest_bytes(SSH_DIGEST_SHA1))		return SSH_ERR_INVALID_ARGUMENT;	if ((b = sshbuf_new()) == NULL)		return SSH_ERR_ALLOC_FAIL;	if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||	    (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||	    /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */	    (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||	    (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||	    (min != -1 && (r = sshbuf_put_u32(b, min)) != 0) ||	    (r = sshbuf_put_u32(b, wantbits)) != 0 ||	    (max != -1 && (r = sshbuf_put_u32(b, max)) != 0) ||	    (r = sshbuf_put_bignum2(b, prime)) != 0 ||	    (r = sshbuf_put_bignum2(b, gen)) != 0 ||	    (r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||	    (r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||	    (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {		sshbuf_free(b);		return r;	}#ifdef DEBUG_KEXDH	sshbuf_dump(b, stderr);#endif	if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {		sshbuf_free(b);		return SSH_ERR_LIBCRYPTO_ERROR;	}	sshbuf_free(b);	*hashlen = ssh_digest_bytes(hash_alg);#ifdef DEBUG_KEXDH	dump_digest("hash", hash, *hashlen);#endif	return 0;}

voidkexgex_hash(    int hash_alg,    char *client_version_string,    char *server_version_string,    char *ckexinit, int ckexinitlen,    char *skexinit, int skexinitlen,    u_char *serverhostkeyblob, int sbloblen,    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,    BIGNUM *client_dh_pub,    BIGNUM *server_dh_pub,    BIGNUM *shared_secret,    u_char **hash, u_int *hashlen){	Buffer b;	static u_char digest[SSH_DIGEST_MAX_LENGTH];	buffer_init(&b);	buffer_put_cstring(&b, client_version_string);	buffer_put_cstring(&b, server_version_string);	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */	buffer_put_int(&b, ckexinitlen+1);	buffer_put_char(&b, SSH2_MSG_KEXINIT);	buffer_append(&b, ckexinit, ckexinitlen);	buffer_put_int(&b, skexinitlen+1);	buffer_put_char(&b, SSH2_MSG_KEXINIT);	buffer_append(&b, skexinit, skexinitlen);	buffer_put_string(&b, serverhostkeyblob, sbloblen);	if (min == -1 || max == -1)		buffer_put_int(&b, wantbits);	else {		buffer_put_int(&b, min);		buffer_put_int(&b, wantbits);		buffer_put_int(&b, max);	}	buffer_put_bignum2(&b, prime);	buffer_put_bignum2(&b, gen);	buffer_put_bignum2(&b, client_dh_pub);	buffer_put_bignum2(&b, server_dh_pub);	buffer_put_bignum2(&b, shared_secret);#ifdef DEBUG_KEXDH	buffer_dump(&b);#endif	if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0)		fatal("%s: ssh_digest_buffer failed", __func__);	buffer_free(&b);#ifdef DEBUG_KEX	dump_digest("hash", digest, ssh_digest_bytes(hash_alg));#endif	*hash = digest;	*hashlen = ssh_digest_bytes(hash_alg);}

intkex_ecdh_hash(    int hash_alg,    const EC_GROUP *ec_group,    const char *client_version_string,    const char *server_version_string,    const u_char *ckexinit, size_t ckexinitlen,    const u_char *skexinit, size_t skexinitlen,    const u_char *serverhostkeyblob, size_t sbloblen,    const EC_POINT *client_dh_pub,    const EC_POINT *server_dh_pub,    const BIGNUM *shared_secret,    u_char *hash, size_t *hashlen){	struct sshbuf *b;	int r;	if (*hashlen < ssh_digest_bytes(hash_alg))		return SSH_ERR_INVALID_ARGUMENT;	if ((b = sshbuf_new()) == NULL)		return SSH_ERR_ALLOC_FAIL;	if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||	    (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||	    /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */	    (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||	    (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||	    (r = sshbuf_put_ec(b, client_dh_pub, ec_group)) != 0 ||	    (r = sshbuf_put_ec(b, server_dh_pub, ec_group)) != 0 ||	    (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {		sshbuf_free(b);		return r;	}#ifdef DEBUG_KEX	sshbuf_dump(b, stderr);#endif	if (ssh_digest_buffer(hash_alg, b, hash, *hashlen) != 0) {		sshbuf_free(b);		return SSH_ERR_LIBCRYPTO_ERROR;	}	sshbuf_free(b);	*hashlen = ssh_digest_bytes(hash_alg);#ifdef DEBUG_KEX	dump_digest("hash", hash, *hashlen);#endif	return 0;}

voidderive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,    u_int8_t cookie[8], u_int8_t id[16]){	u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];	int len;	struct ssh_digest_ctx *hashctx;	if ((hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL)		fatal("%s: ssh_digest_start", __func__);	len = BN_num_bytes(host_modulus);	if (len < (512 / 8) || (u_int)len > sizeof(nbuf))		fatal("%s: bad host modulus (len %d)", __func__, len);	BN_bn2bin(host_modulus, nbuf);	if (ssh_digest_update(hashctx, nbuf, len) != 0)		fatal("%s: ssh_digest_update failed", __func__);	len = BN_num_bytes(server_modulus);	if (len < (512 / 8) || (u_int)len > sizeof(nbuf))		fatal("%s: bad server modulus (len %d)", __func__, len);	BN_bn2bin(server_modulus, nbuf);	if (ssh_digest_update(hashctx, nbuf, len) != 0 ||	    ssh_digest_update(hashctx, cookie, 8) != 0)		fatal("%s: ssh_digest_update failed", __func__);	if (ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0)		fatal("%s: ssh_digest_final failed", __func__);	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));	explicit_bzero(nbuf, sizeof(nbuf));	explicit_bzero(obuf, sizeof(obuf));}

intderive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,    u_int8_t cookie[8], u_int8_t id[16]){	u_int8_t nbuf[2048], obuf[SSH_DIGEST_MAX_LENGTH];	struct ssh_digest_ctx *hashctx = NULL;	size_t len;	int r;	len = BN_num_bytes(host_modulus);	if (len < (512 / 8) || (u_int)len > sizeof(nbuf))		return SSH_ERR_KEY_BITS_MISMATCH;	if (BN_bn2bin(host_modulus, nbuf) <= 0 ||	    (hashctx = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||	    ssh_digest_update(hashctx, nbuf, len) != 0 ||	    ssh_digest_update(hashctx, cookie, 8) != 0 ||	    ssh_digest_final(hashctx, obuf, sizeof(obuf)) != 0) {		r = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));	r = 0; out:	ssh_digest_free(hashctx);	explicit_bzero(nbuf, sizeof(nbuf));	explicit_bzero(obuf, sizeof(obuf));	return r;}

static voidroaming_auth_required(void){	u_char digest[SSH_DIGEST_MAX_LENGTH];	Buffer b;	u_int64_t chall, oldchall;	chall = packet_get_int64();	oldchall = packet_get_int64();	if (oldchall != lastseenchall) {		key1 = oldkey1;		key2 = oldkey2;	}	lastseenchall = chall;	buffer_init(&b);	buffer_put_int64(&b, cookie);	buffer_put_int64(&b, chall);	if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, digest, sizeof(digest)) != 0)		fatal("%s: ssh_digest_buffer failed", __func__);	buffer_free(&b);	packet_start(SSH2_MSG_KEX_ROAMING_AUTH);	packet_put_int64(key1 ^ get_recv_bytes());	packet_put_raw(digest, ssh_digest_bytes(SSH_DIGEST_SHA1));	packet_send();	oldkey1 = key1;	oldkey2 = key2;	calculate_new_key(&key1, cookie, chall);	calculate_new_key(&key2, cookie, chall);	debug("Received %llu bytes", (unsigned long long)get_recv_bytes());	debug("Sent roaming_auth packet");}

voidkex_c25519_hash(    int hash_alg,    char *client_version_string,    char *server_version_string,    char *ckexinit, int ckexinitlen,    char *skexinit, int skexinitlen,    u_char *serverhostkeyblob, int sbloblen,    const u_char client_dh_pub[CURVE25519_SIZE],    const u_char server_dh_pub[CURVE25519_SIZE],    const u_char *shared_secret, u_int secretlen,    u_char **hash, u_int *hashlen){	Buffer b;	static u_char digest[SSH_DIGEST_MAX_LENGTH];	buffer_init(&b);	buffer_put_cstring(&b, client_version_string);	buffer_put_cstring(&b, server_version_string);	/* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */	buffer_put_int(&b, ckexinitlen+1);	buffer_put_char(&b, SSH2_MSG_KEXINIT);	buffer_append(&b, ckexinit, ckexinitlen);	buffer_put_int(&b, skexinitlen+1);	buffer_put_char(&b, SSH2_MSG_KEXINIT);	buffer_append(&b, skexinit, skexinitlen);	buffer_put_string(&b, serverhostkeyblob, sbloblen);	buffer_put_string(&b, client_dh_pub, CURVE25519_SIZE);	buffer_put_string(&b, server_dh_pub, CURVE25519_SIZE);	buffer_append(&b, shared_secret, secretlen);#ifdef DEBUG_KEX	buffer_dump(&b);#endif	if (ssh_digest_buffer(hash_alg, &b, digest, sizeof(digest)) != 0)		fatal("%s: digest_buffer failed", __func__);	buffer_free(&b);#ifdef DEBUG_KEX	dump_digest("hash", digest, ssh_digest_bytes(hash_alg));#endif	*hash = digest;	*hashlen = ssh_digest_bytes(hash_alg);}

intssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,    const u_char *data, u_int datalen){	ECDSA_SIG *sig;	int hash_alg;	u_char digest[SSH_DIGEST_MAX_LENGTH];	u_int len, dlen;	Buffer b, bb;	if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||	    key->ecdsa == NULL) {		error("%s: no ECDSA key", __func__);		return -1;	}	hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);	if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {		error("%s: bad hash algorithm %d", __func__, hash_alg);		return -1;	}	if (ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest)) != 0) {		error("%s: digest_memory failed", __func__);		return -1;	}	sig = ECDSA_do_sign(digest, dlen, key->ecdsa);	explicit_bzero(digest, sizeof(digest));	if (sig == NULL) {		error("%s: sign failed", __func__);		return -1;	}	buffer_init(&bb);	buffer_put_bignum2(&bb, sig->r);	buffer_put_bignum2(&bb, sig->s);	ECDSA_SIG_free(sig);	buffer_init(&b);	buffer_put_cstring(&b, key_ssh_name_plain(key));	buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb));	buffer_free(&bb);	len = buffer_len(&b);	if (lenp != NULL)		*lenp = len;	if (sigp != NULL) {		*sigp = xmalloc(len);		memcpy(*sigp, buffer_ptr(&b), len);	}	buffer_free(&b);	return 0;}

static u_char *derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,    const u_char *shared_secret, u_int slen){	Buffer b;	struct ssh_digest_ctx *hashctx;	char c = id;	u_int have;	size_t mdsz;	u_char *digest;	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)		fatal("bad kex md size %zu", mdsz);	digest = xmalloc(roundup(need, mdsz));	buffer_init(&b);	buffer_append(&b, shared_secret, slen);	/* K1 = HASH(K || H || "A" || session_id) */	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL)		fatal("%s: ssh_digest_start failed", __func__);	if (ssh_digest_update_buffer(hashctx, &b) != 0 ||	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||	    ssh_digest_update(hashctx, &c, 1) != 0 ||	    ssh_digest_update(hashctx, kex->session_id,	    kex->session_id_len) != 0)		fatal("%s: ssh_digest_update failed", __func__);	if (ssh_digest_final(hashctx, digest, mdsz) != 0)		fatal("%s: ssh_digest_final failed", __func__);	ssh_digest_free(hashctx);	/*	 * expand key:	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)	 * Key = K1 || K2 || ... || Kn	 */	for (have = mdsz; need > have; have += mdsz) {		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL)			fatal("%s: ssh_digest_start failed", __func__);		if (ssh_digest_update_buffer(hashctx, &b) != 0 ||		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||		    ssh_digest_update(hashctx, digest, have) != 0)			fatal("%s: ssh_digest_update failed", __func__);		if (ssh_digest_final(hashctx, digest + have, mdsz) != 0)			fatal("%s: ssh_digest_final failed", __func__);		ssh_digest_free(hashctx);	}	buffer_free(&b);#ifdef DEBUG_KEX	fprintf(stderr, "key '%c'== ", c);	dump_digest("key", digest, need);#endif	return digest;}

static intopenssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,    u_char *sigbuf, size_t siglen, RSA *rsa){	size_t rsasize = 0, oidlen = 0, hlen = 0;	int ret, len, oidmatch, hashmatch;	const u_char *oid = NULL;	u_char *decrypted = NULL;	if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)		return ret;	ret = SSH_ERR_INTERNAL_ERROR;	hlen = ssh_digest_bytes(hash_alg);	if (hashlen != hlen) {		ret = SSH_ERR_INVALID_ARGUMENT;		goto done;	}	rsasize = RSA_size(rsa);	if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||	    siglen == 0 || siglen > rsasize) {		ret = SSH_ERR_INVALID_ARGUMENT;		goto done;	}	if ((decrypted = malloc(rsasize)) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto done;	}	if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,	    RSA_PKCS1_PADDING)) < 0) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto done;	}	if (len < 0 || (size_t)len != hlen + oidlen) {		ret = SSH_ERR_INVALID_FORMAT;		goto done;	}	oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;	hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;	if (!oidmatch || !hashmatch) {		ret = SSH_ERR_SIGNATURE_INVALID;		goto done;	}	ret = 0;done:	if (decrypted) {		explicit_bzero(decrypted, rsasize);		free(decrypted);	}	return ret;}

intkex_dh_hash(    const char *client_version_string,    const char *server_version_string,    const u_char *ckexinit, size_t ckexinitlen,    const u_char *skexinit, size_t skexinitlen,    const u_char *serverhostkeyblob, size_t sbloblen,    const BIGNUM *client_dh_pub,    const BIGNUM *server_dh_pub,    const BIGNUM *shared_secret,    u_char **hash, size_t *hashlen){	struct sshbuf *b;	static u_char digest[SSH_DIGEST_MAX_LENGTH];	int r;	if ((b = sshbuf_new()) == NULL)		return SSH_ERR_ALLOC_FAIL;	if ((r = sshbuf_put_cstring(b, client_version_string)) != 0 ||	    (r = sshbuf_put_cstring(b, server_version_string)) != 0 ||	    /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */	    (r = sshbuf_put_u32(b, ckexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, ckexinit, ckexinitlen)) != 0 ||	    (r = sshbuf_put_u32(b, skexinitlen+1)) != 0 ||	    (r = sshbuf_put_u8(b, SSH2_MSG_KEXINIT)) != 0 ||	    (r = sshbuf_put(b, skexinit, skexinitlen)) != 0 ||	    (r = sshbuf_put_string(b, serverhostkeyblob, sbloblen)) != 0 ||	    (r = sshbuf_put_bignum2(b, client_dh_pub)) != 0 ||	    (r = sshbuf_put_bignum2(b, server_dh_pub)) != 0 ||	    (r = sshbuf_put_bignum2(b, shared_secret)) != 0) {		sshbuf_free(b);		return r;	}#ifdef DEBUG_KEX	sshbuf_dump(b, stderr);#endif	if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, digest, sizeof(digest)) != 0) {		sshbuf_free(b);		return SSH_ERR_LIBCRYPTO_ERROR;	}	sshbuf_free(b);	*hash = digest;	*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);#ifdef DEBUG_KEX	dump_digest("hash", digest, *hashlen);#endif	return 0;}

intssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen){	size_t len;	len = ssh_digest_bytes(ctx->alg);	if (dlen < len ||	    ssh_digest_final(ctx->digest, ctx->buf, len))		return -1;	/* switch to octx */	if (ssh_digest_copy_state(ctx->octx, ctx->digest) < 0 ||	    ssh_digest_update(ctx->digest, ctx->buf, len) < 0 ||	    ssh_digest_final(ctx->digest, d, dlen) < 0)		return -1;	return 0;}

static doubleuser_specific_delay(const char *user){	char b[512];	size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);	u_char *hash = xmalloc(len);	double delay;	(void)snprintf(b, sizeof b, "%llu%s",	     (unsigned long long)options.timing_secret, user);	if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)		fatal("%s: ssh_digest_memory", __func__);	/* 0-4.2 ms of delay */	delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;	freezero(hash, len);	debug3("%s: user specific delay %0.3lfms", __func__, delay/1000);	return MIN_FAIL_DELAY_SECONDS + delay;}

/* * Caclulate a new key after a reconnect */voidcalculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge){    u_char hash[SSH_DIGEST_MAX_LENGTH];    Buffer b;    buffer_init(&b);    buffer_put_int64(&b, *key);    buffer_put_int64(&b, cookie);    buffer_put_int64(&b, challenge);    if (ssh_digest_buffer(SSH_DIGEST_SHA1, &b, hash, sizeof(hash)) != 0)        fatal("%s: digest_buffer failed", __func__);    buffer_clear(&b);    buffer_append(&b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1));    *key = buffer_get_int64(&b);    buffer_free(&b);}

/* * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success, * with digest via 'digestp' (caller to free) and length via 'lenp'. * Returns -1 on failure. */inthash_buffer(const u_char *buf, u_int len, int hash_alg,    u_char **digestp, u_int *lenp){	u_char digest[SSH_DIGEST_MAX_LENGTH];	u_int digest_len = ssh_digest_bytes(hash_alg);	if (digest_len == 0) {		error("%s: invalid hash", __func__);		return -1;	}	if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) {		error("%s: digest_memory failed", __func__);		return -1;	}	*digestp = xmalloc(digest_len);	*lenp = digest_len;	memcpy(*digestp, digest, *lenp);	bzero(digest, sizeof(digest));	digest_len = 0;	return 0;}

char *host_hash(const char *host, const char *name_from_hostfile, u_int src_len){	struct ssh_hmac_ctx *ctx;	u_char salt[256], result[256];	char uu_salt[512], uu_result[512];	static char encoded[1024];	u_int i, len;	len = ssh_digest_bytes(SSH_DIGEST_SHA1);	if (name_from_hostfile == NULL) {		/* Create new salt */		for (i = 0; i < len; i++)			salt[i] = arc4random();	} else {		/* Extract salt from known host entry */		if (extract_salt(name_from_hostfile, src_len, salt,		    sizeof(salt)) == -1)			return (NULL);	}	if ((ctx = ssh_hmac_start(SSH_DIGEST_SHA1)) == NULL ||	    ssh_hmac_init(ctx, salt, len) < 0 ||	    ssh_hmac_update(ctx, host, strlen(host)) < 0 ||	    ssh_hmac_final(ctx, result, sizeof(result)))		fatal("%s: ssh_hmac failed", __func__);	ssh_hmac_free(ctx);	if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||	    __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)		fatal("%s: __b64_ntop failed", __func__);	snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,	    HASH_DELIM, uu_result);	return (encoded);}

/* * Caclulate a new key after a reconnect */voidcalculate_new_key(u_int64_t *key, u_int64_t cookie, u_int64_t challenge){	u_char hash[SSH_DIGEST_MAX_LENGTH];	struct sshbuf *b;	int r;	if ((b = sshbuf_new()) == NULL)		fatal("%s: sshbuf_new failed", __func__);	if ((r = sshbuf_put_u64(b, *key)) != 0 ||	    (r = sshbuf_put_u64(b, cookie)) != 0 ||	    (r = sshbuf_put_u64(b, challenge)) != 0)		fatal("%s: buffer error: %s", __func__, ssh_err(r));	if (ssh_digest_buffer(SSH_DIGEST_SHA1, b, hash, sizeof(hash)) != 0)		fatal("%s: digest_buffer failed", __func__);	sshbuf_reset(b);	if ((r = sshbuf_put(b, hash, ssh_digest_bytes(SSH_DIGEST_SHA1))) != 0 ||	    (r = sshbuf_get_u64(b, key)) != 0)		fatal("%s: buffer error: %s", __func__, ssh_err(r));	sshbuf_free(b);}

static voidinput_userauth_u2f_register_response(int type, u_int32_t seq, void *ctxt){#define u2f_bounds_check(necessary_bytes) do { /	if (restlen < necessary_bytes) { /		logit("U2F response too short: need %d bytes, but only %d remaining", /			necessary_bytes, restlen); /		goto out; /	} /} while (0)#define u2f_advance(parsed_bytes) do { /	int advance = parsed_bytes; /	walk += advance; /	restlen -= advance; /} while (0)    Authctxt *authctxt = ctxt;	char *response, *regdata, *clientdata;	u_char *decoded = NULL;	u_char *walk = NULL;	u_char *keyhandle = NULL;	u_char *pubkey = NULL;	u_char *signature = NULL;	u_char *dummy = NULL;	u_char *cdecoded = NULL;	X509 *x509;	EVP_MD_CTX mdctx;	int restlen;	int khlen;	int cdecodedlen;	int err;	char errorbuf[4096];	u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];	authctxt->postponed = 0;	response = packet_get_string(NULL);	packet_check_eom();	if ((regdata = extract_json_string(response, "registrationData")) == NULL) {		logit("Response not JSON, or does not contain /"registrationData/"");		goto out;	}	decoded = xmalloc(strlen(regdata) * 3 / 4);	restlen = urlsafe_base64_decode(regdata, decoded, strlen(regdata) * 3 / 4);	walk = decoded;	// Header (magic byte)	u2f_bounds_check(1);	if (walk[0] != 0x05) {		logit("U2F response does not start with magic byte 0x05");		goto out;	}	u2f_advance(1);	// Length of the public key	u2f_bounds_check(u2f_pubkey_len);	pubkey = walk;	u2f_advance(u2f_pubkey_len);	// Length of the key handle	u2f_bounds_check(1);	khlen = walk[0];	u2f_advance(1);	// Key handle	u2f_bounds_check(khlen);	keyhandle = walk;	u2f_advance(khlen);	// Attestation certificate	u2f_bounds_check(1);	signature = walk;	if ((x509 = d2i_X509(NULL, &signature, restlen)) == NULL) {		logit("U2F response contains an invalid attestation certificate.");		goto out;	}	// U2F dictates that the length of the certificate should be determined by	// encoding the certificate using DER.	u2f_advance(i2d_X509(x509, &dummy));	free(dummy);	// Ensure we have at least one byte of signature.	u2f_bounds_check(1);	if ((clientdata = extract_json_string(response, "clientData")) == NULL) {		logit("U2F response JSON lacks the /"clientData/" key.");		goto out;	}	cdecoded = xmalloc(strlen(clientdata) * 3 / 4);	cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4);	EVP_PKEY *pkey = X509_get_pubkey(x509);	if ((err = EVP_VerifyInit(&mdctx, EVP_ecdsa())) != 1) {		ERR_error_string(ERR_get_error(), errorbuf);		fatal("EVP_VerifyInit() failed: %s (reason: %s)",				errorbuf, ERR_reason_error_string(err));//.........这里部分代码省略.........

void u2f_sha256(u_char *dest, u_char *src, size_t srclen) {	struct ssh_digest_ctx *ctx = ssh_digest_start(SSH_DIGEST_SHA256);	ssh_digest_update(ctx, src, srclen);	ssh_digest_final(ctx, dest, ssh_digest_bytes(SSH_DIGEST_SHA256));}

static intderive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,    const u_char *shared_secret, u_int slen, u_char **keyp){	struct kex *kex = ssh->kex;	struct sshbuf *b = NULL;	struct ssh_digest_ctx *hashctx = NULL;	char c = id;	u_int have;	size_t mdsz;	u_char *digest;	int r;	if ((mdsz = ssh_digest_bytes(kex->hash_alg)) == 0)		return SSH_ERR_INVALID_ARGUMENT;	if ((digest = calloc(1, roundup(need, mdsz))) == NULL ||	    (b = sshbuf_new()) == NULL) {		r = SSH_ERR_ALLOC_FAIL;		goto out;	}	if ((r = sshbuf_put(b, shared_secret, slen)) < 0)		goto out;	/* K1 = HASH(K || H || "A" || session_id) */	if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||	    ssh_digest_update_buffer(hashctx, b) != 0 ||	    ssh_digest_update(hashctx, hash, hashlen) != 0 ||	    ssh_digest_update(hashctx, &c, 1) != 0 ||	    ssh_digest_update(hashctx, kex->session_id,	    kex->session_id_len) != 0 ||	    ssh_digest_final(hashctx, digest, mdsz) != 0) {		r = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	ssh_digest_free(hashctx);	hashctx = NULL;	/*	 * expand key:	 * Kn = HASH(K || H || K1 || K2 || ... || Kn-1)	 * Key = K1 || K2 || ... || Kn	 */	for (have = mdsz; need > have; have += mdsz) {		if ((hashctx = ssh_digest_start(kex->hash_alg)) == NULL ||		    ssh_digest_update_buffer(hashctx, b) != 0 ||		    ssh_digest_update(hashctx, hash, hashlen) != 0 ||		    ssh_digest_update(hashctx, digest, have) != 0 ||		    ssh_digest_final(hashctx, digest + have, mdsz) != 0) {			r = SSH_ERR_LIBCRYPTO_ERROR;			goto out;		}		ssh_digest_free(hashctx);		hashctx = NULL;	}#ifdef DEBUG_KEX	fprintf(stderr, "key '%c'== ", c);	dump_digest("key", digest, need);#endif	*keyp = digest;	digest = NULL;	r = 0; out:	if (digest)		free(digest);	if (b)		sshbuf_free(b);	ssh_digest_free(hashctx);	return r;}

intssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,    const u_char *data, size_t datalen, u_int compat){	DSA_SIG *sig = NULL;	u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];	size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);	struct sshbuf *b = NULL;	int ret = SSH_ERR_INVALID_ARGUMENT;	if (lenp != NULL)		*lenp = 0;	if (sigp != NULL)		*sigp = NULL;	if (key == NULL || key->dsa == NULL ||	    sshkey_type_plain(key->type) != KEY_DSA)		return SSH_ERR_INVALID_ARGUMENT;	if (dlen == 0)		return SSH_ERR_INTERNAL_ERROR;	if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	rlen = BN_num_bytes(sig->r);	slen = BN_num_bytes(sig->s);	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {		ret = SSH_ERR_INTERNAL_ERROR;		goto out;	}	explicit_bzero(sigblob, SIGBLOB_LEN);	BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);	BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen);	if (compat & SSH_BUG_SIGBLOB) {		if (sigp != NULL) {			if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) {				ret = SSH_ERR_ALLOC_FAIL;				goto out;			}			memcpy(*sigp, sigblob, SIGBLOB_LEN);		}		if (lenp != NULL)			*lenp = SIGBLOB_LEN;		ret = 0;	} else {		/* ietf-drafts */		if ((b = sshbuf_new()) == NULL) {			ret = SSH_ERR_ALLOC_FAIL;			goto out;		}		if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 ||		    (ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0)			goto out;		len = sshbuf_len(b);		if (sigp != NULL) {			if ((*sigp = malloc(len)) == NULL) {				ret = SSH_ERR_ALLOC_FAIL;				goto out;			}			memcpy(*sigp, sshbuf_ptr(b), len);		}		if (lenp != NULL)			*lenp = len;		ret = 0;	} out:	explicit_bzero(digest, sizeof(digest));	if (sig != NULL)		DSA_SIG_free(sig);	sshbuf_free(b);	return ret;}

intssh_dss_verify(const struct sshkey *key,    const u_char *signature, size_t signaturelen,    const u_char *data, size_t datalen, u_int compat){	DSA_SIG *sig = NULL;	u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;	size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);	int ret = SSH_ERR_INTERNAL_ERROR;	struct sshbuf *b = NULL;	char *ktype = NULL;	if (key == NULL || key->dsa == NULL ||	    sshkey_type_plain(key->type) != KEY_DSA)		return SSH_ERR_INVALID_ARGUMENT;	if (dlen == 0)		return SSH_ERR_INTERNAL_ERROR;	/* fetch signature */	if (compat & SSH_BUG_SIGBLOB) {		if ((sigblob = malloc(signaturelen)) == NULL)			return SSH_ERR_ALLOC_FAIL;		memcpy(sigblob, signature, signaturelen);		len = signaturelen;	} else {		/* ietf-drafts */		if ((b = sshbuf_from(signature, signaturelen)) == NULL)			return SSH_ERR_ALLOC_FAIL;		if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||		    sshbuf_get_string(b, &sigblob, &len) != 0) {			ret = SSH_ERR_INVALID_FORMAT;			goto out;		}		if (strcmp("ssh-dss", ktype) != 0) {			ret = SSH_ERR_KEY_TYPE_MISMATCH;			goto out;		}		if (sshbuf_len(b) != 0) {			ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;			goto out;		}	}	if (len != SIGBLOB_LEN) {		ret = SSH_ERR_INVALID_FORMAT;		goto out;	}	/* parse signature */	if ((sig = DSA_SIG_new()) == NULL ||	    (sig->r = BN_new()) == NULL ||	    (sig->s = BN_new()) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	/* sha1 the data */	if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {	case 1:		ret = 0;		break;	case 0:		ret = SSH_ERR_SIGNATURE_INVALID;		goto out;	default:		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	} out:	explicit_bzero(digest, sizeof(digest));	if (sig != NULL)		DSA_SIG_free(sig);	sshbuf_free(b);	free(ktype);	if (sigblob != NULL) {		explicit_bzero(sigblob, len);		free(sigblob);	}	return ret;}

/* ARGSUSED */intssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,    const u_char *data, size_t datalen, u_int compat){	ECDSA_SIG *sig = NULL;	int hash_alg;	u_char digest[SSH_DIGEST_MAX_LENGTH];	size_t len, dlen;	struct sshbuf *b = NULL, *bb = NULL;	int ret = SSH_ERR_INTERNAL_ERROR;	if (lenp != NULL)		*lenp = 0;	if (sigp != NULL)		*sigp = NULL;	if (key == NULL || key->ecdsa == NULL ||	    sshkey_type_plain(key->type) != KEY_ECDSA)		return SSH_ERR_INVALID_ARGUMENT;	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||	    (dlen = ssh_digest_bytes(hash_alg)) == 0)		return SSH_ERR_INTERNAL_ERROR;	if ((ret = ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||	    (ret = sshbuf_put_bignum2(bb, sig->s)) != 0)		goto out;	if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||	    (ret = sshbuf_put_stringb(b, bb)) != 0)		goto out;	len = sshbuf_len(b);	if (sigp != NULL) {		if ((*sigp = malloc(len)) == NULL) {			ret = SSH_ERR_ALLOC_FAIL;			goto out;		}		memcpy(*sigp, sshbuf_ptr(b), len);	}	if (lenp != NULL)		*lenp = len;	ret = 0; out:	explicit_bzero(digest, sizeof(digest));	if (b != NULL)		sshbuf_free(b);	if (bb != NULL)		sshbuf_free(bb);	if (sig != NULL)		ECDSA_SIG_free(sig);	return ret;}

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */intssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,    const u_char *data, size_t datalen, const char *alg_ident){	u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;	size_t slen;	u_int dlen, len;	int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;	struct sshbuf *b = NULL;	if (lenp != NULL)		*lenp = 0;	if (sigp != NULL)		*sigp = NULL;	if (alg_ident == NULL || strlen(alg_ident) == 0 ||	    strncmp(alg_ident, "ssh-rsa-cert", strlen("ssh-rsa-cert")) == 0)		hash_alg = SSH_DIGEST_SHA1;	else		hash_alg = rsa_hash_alg_from_ident(alg_ident);	if (key == NULL || key->rsa == NULL || hash_alg == -1 ||	    sshkey_type_plain(key->type) != KEY_RSA ||	    BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)		return SSH_ERR_INVALID_ARGUMENT;	slen = RSA_size(key->rsa);	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)		return SSH_ERR_INVALID_ARGUMENT;	/* hash the data */	nid = rsa_hash_alg_nid(hash_alg);	if ((dlen = ssh_digest_bytes(hash_alg)) == 0)		return SSH_ERR_INTERNAL_ERROR;	if ((ret = ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	if ((sig = malloc(slen)) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	if (len < slen) {		size_t diff = slen - len;		memmove(sig + diff, sig, len);		explicit_bzero(sig, diff);	} else if (len > slen) {		ret = SSH_ERR_INTERNAL_ERROR;		goto out;	}	/* encode signature */	if ((b = sshbuf_new()) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if ((ret = sshbuf_put_cstring(b, rsa_hash_alg_ident(hash_alg))) != 0 ||	    (ret = sshbuf_put_string(b, sig, slen)) != 0)		goto out;	len = sshbuf_len(b);	if (sigp != NULL) {		if ((*sigp = malloc(len)) == NULL) {			ret = SSH_ERR_ALLOC_FAIL;			goto out;		}		memcpy(*sigp, sshbuf_ptr(b), len);	}	if (lenp != NULL)		*lenp = len;	ret = 0; out:	explicit_bzero(digest, sizeof(digest));	if (sig != NULL) {		explicit_bzero(sig, slen);		free(sig);	}	sshbuf_free(b);	return ret;}

intssh_rsa_verify(const struct sshkey *key,    const u_char *sig, size_t siglen, const u_char *data, size_t datalen){	char *ktype = NULL;	int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;	size_t len, diff, modlen, dlen;	struct sshbuf *b = NULL;	u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;	if (key == NULL || key->rsa == NULL ||	    sshkey_type_plain(key->type) != KEY_RSA ||	    BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE ||	    sig == NULL || siglen == 0)		return SSH_ERR_INVALID_ARGUMENT;	if ((b = sshbuf_from(sig, siglen)) == NULL)		return SSH_ERR_ALLOC_FAIL;	if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {		ret = SSH_ERR_INVALID_FORMAT;		goto out;	}	if ((hash_alg = rsa_hash_alg_from_ident(ktype)) == -1) {		ret = SSH_ERR_KEY_TYPE_MISMATCH;		goto out;	}	if (sshbuf_get_string(b, &sigblob, &len) != 0) {		ret = SSH_ERR_INVALID_FORMAT;		goto out;	}	if (sshbuf_len(b) != 0) {		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;		goto out;	}	/* RSA_verify expects a signature of RSA_size */	modlen = RSA_size(key->rsa);	if (len > modlen) {		ret = SSH_ERR_KEY_BITS_MISMATCH;		goto out;	} else if (len < modlen) {		diff = modlen - len;		osigblob = sigblob;		if ((sigblob = realloc(sigblob, modlen)) == NULL) {			sigblob = osigblob; /* put it back for clear/free */			ret = SSH_ERR_ALLOC_FAIL;			goto out;		}		memmove(sigblob + diff, sigblob, len);		explicit_bzero(sigblob, diff);		len = modlen;	}	if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {		ret = SSH_ERR_INTERNAL_ERROR;		goto out;	}	if ((ret = ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,	    key->rsa); out:	if (sigblob != NULL) {		explicit_bzero(sigblob, len);		free(sigblob);	}	free(ktype);	sshbuf_free(b);	explicit_bzero(digest, sizeof(digest));	return ret;}

size_tssh_hmac_bytes(int alg){	return ssh_digest_bytes(alg);}

/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */intssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,    const u_char *data, size_t datalen, u_int compat){	int hash_alg;	u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;	size_t slen;	u_int dlen, len;	int nid, ret = SSH_ERR_INTERNAL_ERROR;	struct sshbuf *b = NULL;	if (lenp != NULL)		*lenp = 0;	if (sigp != NULL)		*sigp = NULL;	if (key == NULL || key->rsa == NULL ||	    sshkey_type_plain(key->type) != KEY_RSA)		return SSH_ERR_INVALID_ARGUMENT;	slen = RSA_size(key->rsa);	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)		return SSH_ERR_INVALID_ARGUMENT;	/* hash the data */	hash_alg = SSH_DIGEST_SHA1;	nid = NID_sha1;	if ((dlen = ssh_digest_bytes(hash_alg)) == 0)		return SSH_ERR_INTERNAL_ERROR;	if ((ret = ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	if ((sig = malloc(slen)) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	}	if (len < slen) {		size_t diff = slen - len;		memmove(sig + diff, sig, len);		explicit_bzero(sig, diff);	} else if (len > slen) {		ret = SSH_ERR_INTERNAL_ERROR;		goto out;	}	/* encode signature */	if ((b = sshbuf_new()) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 ||	    (ret = sshbuf_put_string(b, sig, slen)) != 0)		goto out;	len = sshbuf_len(b);	if (sigp != NULL) {		if ((*sigp = malloc(len)) == NULL) {			ret = SSH_ERR_ALLOC_FAIL;			goto out;		}		memcpy(*sigp, sshbuf_ptr(b), len);	}	if (lenp != NULL)		*lenp = len;	ret = 0; out:	explicit_bzero(digest, sizeof(digest));	if (sig != NULL) {		explicit_bzero(sig, slen);		free(sig);	}	if (b != NULL)		sshbuf_free(b);	return ret;}

// TODO: can we send multiple authrequests at the same time, so that we don’t// need multiple round-trips but still support multiple security keysstatic voidinput_userauth_u2f_info_response(int type, u_int32_t seq, void *ctxt){	int authenticated = 0;    Authctxt *authctxt = ctxt;	u_char digest[ssh_digest_bytes(SSH_DIGEST_SHA256)];    debug("input_userauth_u2f_info_response/n");    u_int len;	char *clientdata;	u_char *cdecoded;	int cdecodedlen;    char *resp = packet_get_string(&len);    debug("u2f resp len (server): %d/n", len);    debug("u2f resp (server): %s/n", resp);    packet_check_eom();	char *sig = extract_json_string(resp, "signatureData");	if (sig == NULL)		fatal("could not extract signature");	// TODO: free sig	debug("signature is *%s*", sig);	if (*sig == '/0')		fatal("u2f authentication failed: empty signature. Probably the key is not registered (i.e. your key handle/pubkey do not exist on the key you are using)");	// TODO: is there a macro for this size?	u_char decoded[strlen(sig) * 3 / 4];	int decodedlen = urlsafe_base64_decode(sig, decoded, sizeof(decoded));	// Ensure that the user presence byte, the counter and at least one byte of	// signature are present.	if (decodedlen <= (sizeof(u_char) + sizeof(u_int32_t)))		fatal("decoded signature too short");	if ((decoded[0] & 0x01) != 0x01)		fatal("user presence bit not set");	u_int32_t counter = ntohl(*((u_int32_t*)&decoded[1]));	debug("usage counter = %d/n", counter);	struct sha_digest_ctx *sha256ctx = ssh_digest_start(SSH_DIGEST_SHA256);	u2f_sha256(digest, appid, strlen(appid));	ssh_digest_update(sha256ctx, digest, sizeof(digest));	ssh_digest_update(sha256ctx, decoded, sizeof(u_char));	ssh_digest_update(sha256ctx, decoded+1, 4 * sizeof(u_char));	if ((clientdata = extract_json_string(resp, "clientData")) == NULL) {		fatal("U2F response JSON lacks the /"clientData/" key.");	}	cdecoded = xmalloc(strlen(clientdata) * 3 / 4);	cdecodedlen = urlsafe_base64_decode(clientdata, cdecoded, strlen(clientdata) * 3 / 4);	u2f_sha256(digest, cdecoded, cdecodedlen);	ssh_digest_update(sha256ctx, digest, sizeof(digest));	ssh_digest_final(sha256ctx, digest, sizeof(digest));	debug("hashed sig");	authenticated = PRIVSEP(verify_u2f_user(		authctxt->u2f_key, digest, sizeof(digest), decoded+5, decodedlen-5));	authctxt->postponed = 0;	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);	userauth_finish(authctxt, authenticated, "u2f", NULL);}

intssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,    const u_char *data, u_int datalen){	ECDSA_SIG *sig;	int hash_alg;	u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;	u_int len, dlen;	int rlen, ret;	Buffer b, bb;	char *ktype;	if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||	    key->ecdsa == NULL) {		error("%s: no ECDSA key", __func__);		return -1;	}	/* fetch signature */	buffer_init(&b);	buffer_append(&b, signature, signaturelen);	ktype = buffer_get_string(&b, NULL);	if (strcmp(key_ssh_name_plain(key), ktype) != 0) {		error("%s: cannot handle type %s", __func__, ktype);		buffer_free(&b);		free(ktype);		return -1;	}	free(ktype);	sigblob = buffer_get_string(&b, &len);	rlen = buffer_len(&b);	buffer_free(&b);	if (rlen != 0) {		error("%s: remaining bytes in signature %d", __func__, rlen);		free(sigblob);		return -1;	}	/* parse signature */	if ((sig = ECDSA_SIG_new()) == NULL)		fatal("%s: ECDSA_SIG_new failed", __func__);	buffer_init(&bb);	buffer_append(&bb, sigblob, len);	buffer_get_bignum2(&bb, sig->r);	buffer_get_bignum2(&bb, sig->s);	if (buffer_len(&bb) != 0)		fatal("%s: remaining bytes in inner sigblob", __func__);	buffer_free(&bb);	/* clean up */	explicit_bzero(sigblob, len);	free(sigblob);	/* hash the data */	hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);	if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {		error("%s: bad hash algorithm %d", __func__, hash_alg);		return -1;	}	if (ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest)) != 0) {		error("%s: digest_memory failed", __func__);		return -1;	}	ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);	explicit_bzero(digest, sizeof(digest));	ECDSA_SIG_free(sig);	debug("%s: signature %s", __func__,	    ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");	return ret;}

/* ARGSUSED */intssh_ecdsa_verify(const struct sshkey *key,    const u_char *signature, size_t signaturelen,    const u_char *data, size_t datalen, u_int compat){	ECDSA_SIG *sig = NULL;	int hash_alg;	u_char digest[SSH_DIGEST_MAX_LENGTH];	size_t dlen;	int ret = SSH_ERR_INTERNAL_ERROR;	struct sshbuf *b = NULL, *sigbuf = NULL;	char *ktype = NULL;	if (key == NULL || key->ecdsa == NULL ||	    sshkey_type_plain(key->type) != KEY_ECDSA)		return SSH_ERR_INVALID_ARGUMENT;	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||	    (dlen = ssh_digest_bytes(hash_alg)) == 0)		return SSH_ERR_INTERNAL_ERROR;	/* fetch signature */	if ((b = sshbuf_from(signature, signaturelen)) == NULL)		return SSH_ERR_ALLOC_FAIL;	if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||	    sshbuf_froms(b, &sigbuf) != 0) {		ret = SSH_ERR_INVALID_FORMAT;		goto out;	}	if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {		ret = SSH_ERR_KEY_TYPE_MISMATCH;		goto out;	}	if (sshbuf_len(b) != 0) {		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;		goto out;	}	/* parse signature */	if ((sig = ECDSA_SIG_new()) == NULL) {		ret = SSH_ERR_ALLOC_FAIL;		goto out;	}	if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||	    sshbuf_get_bignum2(sigbuf, sig->s) != 0) {		ret = SSH_ERR_INVALID_FORMAT;		goto out;	}	if (sshbuf_len(sigbuf) != 0) {		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;		goto out;	}	if ((ret = ssh_digest_memory(hash_alg, data, datalen,	    digest, sizeof(digest))) != 0)		goto out;	switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {	case 1:		ret = 0;		break;	case 0:		ret = SSH_ERR_SIGNATURE_INVALID;		goto out;	default:		ret = SSH_ERR_LIBCRYPTO_ERROR;		goto out;	} out:	explicit_bzero(digest, sizeof(digest));	if (sigbuf != NULL)		sshbuf_free(sigbuf);	if (b != NULL)		sshbuf_free(b);	if (sig != NULL)		ECDSA_SIG_free(sig);	free(ktype);	return ret;}