Mercurial > dropbear
comparison sk-ed25519.c @ 1928:333688ec53d0
Handle ecdsa-sk flags, reject no-touch
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 21:06:15 +0800 |
parents | 35d504d59c05 |
children |
comparison
equal
deleted
inserted
replaced
1927:dc615fdb7c06 | 1928:333688ec53d0 |
---|---|
4 | 4 |
5 #include "dbutil.h" | 5 #include "dbutil.h" |
6 #include "buffer.h" | 6 #include "buffer.h" |
7 #include "curve25519.h" | 7 #include "curve25519.h" |
8 #include "ed25519.h" | 8 #include "ed25519.h" |
9 #include "ssh.h" | |
9 | 10 |
10 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { | 11 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { |
11 | 12 |
12 int ret = DROPBEAR_FAILURE; | 13 int ret = DROPBEAR_FAILURE; |
13 unsigned char *s; | 14 unsigned char *s; |
29 s = buf_getptr(buf, slen); | 30 s = buf_getptr(buf, slen); |
30 buf_incrpos(buf, slen); | 31 buf_incrpos(buf, slen); |
31 | 32 |
32 flags = buf_getbyte (buf); | 33 flags = buf_getbyte (buf); |
33 counter = buf_getint (buf); | 34 counter = buf_getint (buf); |
35 /* create the message to be signed */ | |
34 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); | 36 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); |
35 sha256_init (&hs); | 37 sha256_init (&hs); |
36 sha256_process (&hs, app, applen); | 38 sha256_process (&hs, app, applen); |
37 sha256_done (&hs, hash); | 39 sha256_done (&hs, hash); |
38 buf_putbytes (sk_buffer, hash, sizeof (hash)); | 40 buf_putbytes (sk_buffer, hash, sizeof (hash)); |
48 /* signature is valid */ | 50 /* signature is valid */ |
49 TRACE(("leave buf_sk_ed25519_verify: success!")) | 51 TRACE(("leave buf_sk_ed25519_verify: success!")) |
50 ret = DROPBEAR_SUCCESS; | 52 ret = DROPBEAR_SUCCESS; |
51 } | 53 } |
52 | 54 |
55 /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ | |
56 if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { | |
57 if (ret == DROPBEAR_SUCCESS) { | |
58 dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); | |
59 } | |
60 ret = DROPBEAR_FAILURE; | |
61 } | |
53 out: | 62 out: |
54 if (sk_buffer) { | 63 buf_free(sk_buffer); |
55 buf_free(sk_buffer); | |
56 } | |
57 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) | 64 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) |
58 return ret; | 65 return ret; |
59 } | 66 } |
60 | 67 |
61 #endif /* DROPBEAR_SK_ED25519 */ | 68 #endif /* DROPBEAR_SK_ED25519 */ |