Mercurial > dropbear

comparison sk-ed25519.c @ 1928:333688ec53d0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Handle ecdsa-sk flags, reject no-touch For the time being Dropbear will only allow SK auth with default parameters, user-presence needs to be set. In future handling of authorized_keys option "no-touch-required" can be added. This code would also be refactored to share between ecdsa and ed25519 once I get hardware/emulation to test ed25519.
author Matt Johnston <matt@ucc.asn.au>
date Wed, 30 Mar 2022 21:06:15 +0800
parents 35d504d59c05
children
comparison
equal deleted inserted replaced
1927:dc615fdb7c06 1928:333688ec53d0
4 4
5 #include "dbutil.h" 5 #include "dbutil.h"
6 #include "buffer.h" 6 #include "buffer.h"
7 #include "curve25519.h" 7 #include "curve25519.h"
8 #include "ed25519.h" 8 #include "ed25519.h"
9 #include "ssh.h"
9 10
10 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { 11 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
11 12
12 int ret = DROPBEAR_FAILURE; 13 int ret = DROPBEAR_FAILURE;
13 unsigned char *s; 14 unsigned char *s;
29 s = buf_getptr(buf, slen); 30 s = buf_getptr(buf, slen);
30 buf_incrpos(buf, slen); 31 buf_incrpos(buf, slen);
31 32
32 flags = buf_getbyte (buf); 33 flags = buf_getbyte (buf);
33 counter = buf_getint (buf); 34 counter = buf_getint (buf);
35 /* create the message to be signed */
34 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); 36 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5);
35 sha256_init (&hs); 37 sha256_init (&hs);
36 sha256_process (&hs, app, applen); 38 sha256_process (&hs, app, applen);
37 sha256_done (&hs, hash); 39 sha256_done (&hs, hash);
38 buf_putbytes (sk_buffer, hash, sizeof (hash)); 40 buf_putbytes (sk_buffer, hash, sizeof (hash));
48 /* signature is valid */ 50 /* signature is valid */
49 TRACE(("leave buf_sk_ed25519_verify: success!")) 51 TRACE(("leave buf_sk_ed25519_verify: success!"))
50 ret = DROPBEAR_SUCCESS; 52 ret = DROPBEAR_SUCCESS;
51 } 53 }
52 54
55 /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
56 if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
57 if (ret == DROPBEAR_SUCCESS) {
58 dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
59 }
60 ret = DROPBEAR_FAILURE;
61 }
53 out: 62 out:
54 if (sk_buffer) { 63 buf_free(sk_buffer);
55 buf_free(sk_buffer);
56 }
57 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) 64 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))
58 return ret; 65 return ret;
59 } 66 }
60 67
61 #endif /* DROPBEAR_SK_ED25519 */ 68 #endif /* DROPBEAR_SK_ED25519 */