
c6a39e37ba4a42721594e0a907fe016f8e2198a8 — Armin Preiml 3 months ago 9140636 0.24.0 master
harden against "compromise via lattices"
1 files changed, 21 insertions(+), 2 deletions(-)

M format/ssh/sign.ha
M format/ssh/sign.ha => format/ssh/sign.ha +21 -2
@@ 1,5 1,8 @@
use crypto::ed25519;
use io;
use memio;
use os;
use bytes;

// Signs a message using the provided key, writing the message signature in the
// SSH format to the provided sink.


@@ 7,8 10,24 @@ export fn sign(
	sink: io::handle,
	key: *key,
	msg: []u8,
) (void | io::error) = {
	key.vtable.sign(key, sink, msg)?;
) (void | error) = {
	static let sigbuf: [os::BUFSZ]u8 = [0...];
	let memsink = memio::fixed(sigbuf);

	key.vtable.sign(key, &memsink, msg)?;

	// Natural occuring computational errors during the signature generation
	// can lead to a complete compromise. Therefore to work around this 
	// issue the signature will be verified before writing it to 'sink'.
	//
	// See "Passive SSH Key Compromise via Lattices" 
	// https://eprint.iacr.org/2023/1711
	let sig = memio::buffer(&memsink);
	defer bytes::zero(sig);
	io::seek(&memsink, io::whence::SET, 0)!;
	verify(&memsink, key, msg)?;

	io::writeall(sink, sig)?;
};

// Reads an SSH wire signature from the provided I/O handle and verifies that it
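Review bot: The zeroing `defer bytes::zero(sig);` is registered only after `key.vtable.sign(key, &memsink, msg)?;` has succeeded, so when that call fails partway whatever it already wrote into `sigbuf` is left in place, and because the buffer is `static` it persists until the next call. Registering the defer on the whole buffer directly after `let memsink = memio::fixed(sigbuf);`, as `defer bytes::zero(sigbuf);`, also covers that early-return path (the slice returned by `memio::buffer` appears to alias `sigbuf`, so the later `defer bytes::zero(sig);` could then be dropped). The `static` buffer additionally makes `sign` non-reentrant, which deserves a one-line comment if callers can ever overlap. The doc comment above (`// Signs a message using the provided key, ...`) should also state that the signature is verified against the key before it is written and that a failed check is reported through the new `(void | error)` return type; the `export fn sign(` line itself appears only in the hunk header, outside the hunk lines, and `occuring` in the new comment should read `occurring`.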