dropbear: sk-ecdsa.c comparison

comparison sk-ecdsa.c @ 1928:333688ec53d0

Handle ecdsa-sk flags, reject no-touch For the time being Dropbear will only allow SK auth with default parameters, user-presence needs to be set. In future handling of authorized_keys option "no-touch-required" can be added. This code would also be refactored to share between ecdsa and ed25519 once I get hardware/emulation to test ed25519.

author	Matt Johnston <matt@ucc.asn.au>
date	Wed, 30 Mar 2022 21:06:15 +0800
parents	35d504d59c05
children

comparison

equal deleted inserted replaced

-:dc615fdb7c06
+:333688ec53d0
 #include "dbutil.h"
 #include "ecc.h"
 #include "ecdsa.h"
 #include "sk-ecdsa.h"
+#include "ssh.h"
 int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
 	hash_state hs;
 	unsigned char subhash[SHA256_HASH_SIZE];
 	buffer *sk_buffer = NULL, *sig_buffer = NULL;
 	ret = buf_ecdsa_verify(sig_buffer, key, sk_buffer);
 	buf_free(sk_buffer);
 	buf_free(sig_buffer);
+	/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
+	if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
+		if (ret == DROPBEAR_SUCCESS) {
+			dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
+		}
+		ret = DROPBEAR_FAILURE;
+	}
 	TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
 	return ret;
 }
 #endif /* DROPBEAR_SK_ECDSA */

Mercurial > dropbear

comparison sk-ecdsa.c @ 1928:333688ec53d0