annotate sk-ecdsa.c @ 1861:2b3a8026a6ce
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Sun, 30 Jan 2022 10:14:56 +0800 |
parents | 35d504d59c05 |
children | 333688ec53d0 |
rev | line source |
---|---|
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
1 #include "includes.h" |
2 |
3 #if DROPBEAR_SK_ECDSA |
4 |
5 #include "dbutil.h" |
6 #include "ecc.h" |
7 #include "ecdsa.h" |
8 #include "sk-ecdsa.h" |
9 |
/*
 * Verify a security-key (U2F) backed ECDSA signature.
 *
 * Reads, in order, from buf: the inner ECDSA signature blob, a one-byte
 * flags field and a 32-bit counter. It then rebuilds the message that was
 * signed, as laid out in OpenSSH's PROTOCOL.u2f:
 *
 *     SHA256(app) || flags || counter || SHA256(data_buf)
 *
 * and passes the signature and that message to buf_ecdsa_verify().
 *
 * buf      - signature data; its read position is advanced by this call
 * key      - ECC public key to verify against
 * data_buf - the data that was signed; only ->data and ->len are read
 * app      - application string, applen bytes long
 *
 * Returns whatever buf_ecdsa_verify() returns (presumably
 * DROPBEAR_SUCCESS / DROPBEAR_FAILURE - confirm against ecdsa.c).
 *
 * NOTE(review): flags and counter are bound into the verified message, but
 * no bit of flags is tested here and counter is not compared with any
 * stored value. PROTOCOL.u2f carries the user-presence indication in the
 * flags byte, so a signature produced without a touch would still verify
 * in this function. Confirm whether the caller enforces user presence; if
 * it does not, the check belongs here.
 */
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
	hash_state sha_ctx;
	unsigned char app_digest[SHA256_HASH_SIZE];
	unsigned char data_digest[SHA256_HASH_SIZE];
	buffer *signed_msg = NULL;
	buffer *inner_sig = NULL;
	unsigned char flags;
	unsigned int counter;
	int ret;

	TRACE(("buf_sk_ecdsa_verify"))

	/* Wire layout, see
	 * https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f
	 * The ECDSA signature (r, s) comes first, then flags, then counter. */
	inner_sig = buf_getbuf(buf);
	flags = buf_getbyte(buf);
	counter = buf_getint(buf);

	/* Digest of the application string */
	sha256_init(&sha_ctx);
	sha256_process(&sha_ctx, app, applen);
	sha256_done(&sha_ctx, app_digest);

	/* Digest of the data that was signed */
	sha256_init(&sha_ctx);
	sha256_process(&sha_ctx, data_buf->data, data_buf->len);
	sha256_done(&sha_ctx, data_digest);

	/* Assemble the signed message: two digests, one flags byte and a
	 * four-byte counter, the same total as 2*SHA256_HASH_SIZE+5. */
	signed_msg = buf_new(SHA256_HASH_SIZE + 1 + 4 + SHA256_HASH_SIZE);
	buf_putbytes(signed_msg, app_digest, SHA256_HASH_SIZE);
	buf_putbyte(signed_msg, flags);
	buf_putint(signed_msg, counter);
	buf_putbytes(signed_msg, data_digest, SHA256_HASH_SIZE);

	ret = buf_ecdsa_verify(inner_sig, key, signed_msg);

	/* Both buffers are released here on every path through the function */
	buf_free(signed_msg);
	buf_free(inner_sig);

	TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
	return ret;
}
46 |
47 #endif /* DROPBEAR_SK_ECDSA */ |