Mercurial > dropbear
annotate sk-ecdsa.c @ 1931:b366dfaeae68
Write CHANGES since last release
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 23:18:00 +0800 |
parents | 333688ec53d0 |
children |
rev | line source |
---|---|
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
1 #include "includes.h" |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
2 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
3 #if DROPBEAR_SK_ECDSA |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
4 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
5 #include "dbutil.h" |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
6 #include "ecc.h" |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
7 #include "ecdsa.h" |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
8 #include "sk-ecdsa.h" |
1928
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
9 #include "ssh.h" |
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
10 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
11 int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) { |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
12 hash_state hs; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
13 unsigned char subhash[SHA256_HASH_SIZE]; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
14 buffer *sk_buffer = NULL, *sig_buffer = NULL; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
15 unsigned char flags; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
16 unsigned int counter; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
17 int ret; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
18 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
19 TRACE(("buf_sk_ecdsa_verify")) |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
20 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
21 /* from https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f */ |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
22 /* ecdsa signature to verify (r, s) */ |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
23 sig_buffer = buf_getbuf(buf); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
24 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
25 flags = buf_getbyte (buf); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
26 counter = buf_getint (buf); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
27 /* create the message to be signed */ |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
28 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
29 sha256_init (&hs); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
30 sha256_process (&hs, app, applen); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
31 sha256_done (&hs, subhash); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
32 buf_putbytes (sk_buffer, subhash, sizeof (subhash)); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
33 buf_putbyte (sk_buffer, flags); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
34 buf_putint (sk_buffer, counter); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
35 sha256_init (&hs); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
36 sha256_process (&hs, data_buf->data, data_buf->len); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
37 sha256_done (&hs, subhash); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
38 buf_putbytes (sk_buffer, subhash, sizeof (subhash)); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
39 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
40 ret = buf_ecdsa_verify(sig_buffer, key, sk_buffer); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
41 buf_free(sk_buffer); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
42 buf_free(sig_buffer); |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
43 |
1928
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
44 /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
45 if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
46 if (ret == DROPBEAR_SUCCESS) { |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
47 dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
48 } |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
49 ret = DROPBEAR_FAILURE; |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
50 } |
333688ec53d0
Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents:
1855
diff
changeset
|
51 |
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
52 TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret)) |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
53 return ret; |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
54 } |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
55 |
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff
changeset
|
56 #endif /* DROPBEAR_SK_ECDSA */ |