annotate sk-ed25519.c @ 1938:77bc00dcc19f default tip main master

Bump version to 2022.82
author Matt Johnston <matt@ucc.asn.au>
date Fri, 01 Apr 2022 14:43:27 +0800
parents 333688ec53d0
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
1 #include "includes.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
2
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
3 #if DROPBEAR_SK_ED25519
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
4
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
5 #include "dbutil.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
6 #include "buffer.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
7 #include "curve25519.h"
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
8 #include "ed25519.h"
1928
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
9 #include "ssh.h"
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
10
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
11 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
12
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
13 int ret = DROPBEAR_FAILURE;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
14 unsigned char *s;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
15 unsigned long slen;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
16 hash_state hs;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
17 unsigned char hash[SHA256_HASH_SIZE];
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
18 buffer *sk_buffer = NULL;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
19 unsigned char flags;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
20 unsigned int counter;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
21
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
22 TRACE(("enter buf_sk_ed25519_verify"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
23 dropbear_assert(key != NULL);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
24
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
25 slen = buf_getint(buf);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
26 if (slen != 64 || buf->len - buf->pos < slen) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
27 TRACE(("leave buf_sk_ed25519_verify: bad size"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
28 goto out;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
29 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
30 s = buf_getptr(buf, slen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
31 buf_incrpos(buf, slen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
32
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
33 flags = buf_getbyte (buf);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
34 counter = buf_getint (buf);
1928
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
35 /* create the message to be signed */
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
36 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
37 sha256_init (&hs);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
38 sha256_process (&hs, app, applen);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
39 sha256_done (&hs, hash);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
40 buf_putbytes (sk_buffer, hash, sizeof (hash));
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
41 buf_putbyte (sk_buffer, flags);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
42 buf_putint (sk_buffer, counter);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
43 sha256_init (&hs);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
44 sha256_process (&hs, data_buf->data, data_buf->len);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
45 sha256_done (&hs, hash);
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
46 buf_putbytes (sk_buffer, hash, sizeof (hash));
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
47
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
48 if (dropbear_ed25519_verify(sk_buffer->data, sk_buffer->len,
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
49 s, slen, key->pub) == 0) {
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
50 /* signature is valid */
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
51 TRACE(("leave buf_sk_ed25519_verify: success!"))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
52 ret = DROPBEAR_SUCCESS;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
53 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
54
1928
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
55 /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
56 if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
57 if (ret == DROPBEAR_SUCCESS) {
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
58 dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
59 }
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
60 ret = DROPBEAR_FAILURE;
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
61 }
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
62 out:
1928
333688ec53d0 Handle ecdsa-sk flags, reject no-touch
Matt Johnston <matt@ucc.asn.au>
parents: 1855
diff changeset
63 buf_free(sk_buffer);
1855
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
64 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
65 return ret;
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
66 }
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
67
35d504d59c05 Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
diff changeset
68 #endif /* DROPBEAR_SK_ED25519 */