Mercurial > dropbear

annotate sk-ed25519.c @ 1902:4a6725ac957c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Revert "Don't include sk keys at all in KEX list" This reverts git commit f972813ecdc7bb981d25b5a63638bd158f1c8e72. The sk algorithms need to remain in the sigalgs list so that they are included in the server-sig-algs ext-info message sent by the server. RFC8308 for server-sig-algs requires that all algorithms are listed (though OpenSSH client 8.4p1 tested doesn't require that)
author Matt Johnston <matt@ucc.asn.au>
date Thu, 24 Mar 2022 13:42:08 +0800
parents 35d504d59c05
children 333688ec53d0
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
1 #include "includes.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
2
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
3 #if DROPBEAR_SK_ED25519
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
4
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
5 #include "dbutil.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
6 #include "buffer.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
7 #include "curve25519.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
8 #include "ed25519.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
9
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
10 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
11
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
12 int ret = DROPBEAR_FAILURE;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
13 unsigned char *s;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
14 unsigned long slen;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
15 hash_state hs;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
16 unsigned char hash[SHA256_HASH_SIZE];
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
17 buffer *sk_buffer = NULL;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
18 unsigned char flags;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
19 unsigned int counter;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
20
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
21 TRACE(("enter buf_sk_ed25519_verify"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
22 dropbear_assert(key != NULL);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
23
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
24 slen = buf_getint(buf);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
25 if (slen != 64 || buf->len - buf->pos < slen) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
26 TRACE(("leave buf_sk_ed25519_verify: bad size"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
27 goto out;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
28 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
29 s = buf_getptr(buf, slen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
30 buf_incrpos(buf, slen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
31
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
32 flags = buf_getbyte (buf);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
33 counter = buf_getint (buf);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
34 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
35 sha256_init (&hs);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
36 sha256_process (&hs, app, applen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
37 sha256_done (&hs, hash);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
38 buf_putbytes (sk_buffer, hash, sizeof (hash));
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
39 buf_putbyte (sk_buffer, flags);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
40 buf_putint (sk_buffer, counter);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
41 sha256_init (&hs);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
42 sha256_process (&hs, data_buf->data, data_buf->len);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
43 sha256_done (&hs, hash);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
44 buf_putbytes (sk_buffer, hash, sizeof (hash));
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
45
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
46 if (dropbear_ed25519_verify(sk_buffer->data, sk_buffer->len,
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
47 s, slen, key->pub) == 0) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
48 /* signature is valid */
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
49 TRACE(("leave buf_sk_ed25519_verify: success!"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
50 ret = DROPBEAR_SUCCESS;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
51 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
52
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
53 out:
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
54 if (sk_buffer) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
55 buf_free(sk_buffer);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
56 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
57 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
58 return ret;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
59 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
60
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
61 #endif /* DROPBEAR_SK_ED25519 */