Mercurial > dropbear
comparison signkey.h @ 1855:35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
* Implement server-side support for sk-ecdsa U2F-backed keys
* Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys
* Fix one more potential out-of-bounds read
* Check if nistp256 curve is used in sk-ecdsa-sha2- key
It's the only allowed curve per PROTOCOL.u2f specification
* Implement server-side support for sk-ed25519 FIDO2-backed keys
* Keys with type sk-* make no sense as host keys, so they should be
disabled
* fix typo
* Make sk-ecdsa call buf_ecdsa_verify
This reduces code duplication, the SK code just handles the
different message format.
* Reduce sk specific code
The application id can be stored in signkey, then we don't need
to call sk-specific functions from svr-authpubkey
* Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled
* Proper cleanup of sk_app
Co-authored-by: Matt Johnston <[email protected]>
| author | egor-duda <egor-duda@users.noreply.github.com> |
|---|---|
| date | Sat, 22 Jan 2022 16:53:04 +0300 |
| parents | d5cdc60db08e |
| children |
comparison
equal
deleted
inserted
replaced
| 1854:cba37fe1ddc8 | 1855:35d504d59c05 |
|---|---|
| 42 #endif | 42 #endif |
| 43 #if DROPBEAR_ECDSA | 43 #if DROPBEAR_ECDSA |
| 44 DROPBEAR_SIGNKEY_ECDSA_NISTP256, | 44 DROPBEAR_SIGNKEY_ECDSA_NISTP256, |
| 45 DROPBEAR_SIGNKEY_ECDSA_NISTP384, | 45 DROPBEAR_SIGNKEY_ECDSA_NISTP384, |
| 46 DROPBEAR_SIGNKEY_ECDSA_NISTP521, | 46 DROPBEAR_SIGNKEY_ECDSA_NISTP521, |
| 47 #if DROPBEAR_SK_ECDSA | |
| 48 DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256, | |
| 49 #endif /* DROPBEAR_SK_ECDSA */ | |
| 47 #endif /* DROPBEAR_ECDSA */ | 50 #endif /* DROPBEAR_ECDSA */ |
| 48 #if DROPBEAR_ED25519 | 51 #if DROPBEAR_ED25519 |
| 49 DROPBEAR_SIGNKEY_ED25519, | 52 DROPBEAR_SIGNKEY_ED25519, |
| 53 #if DROPBEAR_SK_ED25519 | |
| 54 DROPBEAR_SIGNKEY_SK_ED25519, | |
| 55 #endif | |
| 50 #endif | 56 #endif |
| 51 DROPBEAR_SIGNKEY_NUM_NAMED, | 57 DROPBEAR_SIGNKEY_NUM_NAMED, |
| 52 DROPBEAR_SIGNKEY_ECDSA_KEYGEN = 70, /* just "ecdsa" for keygen */ | 58 DROPBEAR_SIGNKEY_ECDSA_KEYGEN = 70, /* just "ecdsa" for keygen */ |
| 53 DROPBEAR_SIGNKEY_ANY = 80, | 59 DROPBEAR_SIGNKEY_ANY = 80, |
| 54 DROPBEAR_SIGNKEY_NONE = 90, | 60 DROPBEAR_SIGNKEY_NONE = 90, |
| 61 #endif | 67 #endif |
| 62 #if DROPBEAR_ECDSA | 68 #if DROPBEAR_ECDSA |
| 63 DROPBEAR_SIGNATURE_ECDSA_NISTP256 = DROPBEAR_SIGNKEY_ECDSA_NISTP256, | 69 DROPBEAR_SIGNATURE_ECDSA_NISTP256 = DROPBEAR_SIGNKEY_ECDSA_NISTP256, |
| 64 DROPBEAR_SIGNATURE_ECDSA_NISTP384 = DROPBEAR_SIGNKEY_ECDSA_NISTP384, | 70 DROPBEAR_SIGNATURE_ECDSA_NISTP384 = DROPBEAR_SIGNKEY_ECDSA_NISTP384, |
| 65 DROPBEAR_SIGNATURE_ECDSA_NISTP521 = DROPBEAR_SIGNKEY_ECDSA_NISTP521, | 71 DROPBEAR_SIGNATURE_ECDSA_NISTP521 = DROPBEAR_SIGNKEY_ECDSA_NISTP521, |
| 72 #if DROPBEAR_SK_ECDSA | |
| 73 DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256 = DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256, | |
| 74 #endif /* DROPBEAR_SK_ECDSA */ | |
| 66 #endif /* DROPBEAR_ECDSA */ | 75 #endif /* DROPBEAR_ECDSA */ |
| 67 #if DROPBEAR_ED25519 | 76 #if DROPBEAR_ED25519 |
| 68 DROPBEAR_SIGNATURE_ED25519 = DROPBEAR_SIGNKEY_ED25519, | 77 DROPBEAR_SIGNATURE_ED25519 = DROPBEAR_SIGNKEY_ED25519, |
| 78 #if DROPBEAR_SK_ED25519 | |
| 79 DROPBEAR_SIGNATURE_SK_ED25519 = DROPBEAR_SIGNKEY_SK_ED25519, | |
| 80 #endif | |
| 69 #endif | 81 #endif |
| 70 #if DROPBEAR_RSA_SHA1 | 82 #if DROPBEAR_RSA_SHA1 |
| 71 DROPBEAR_SIGNATURE_RSA_SHA1 = 100, /* ssh-rsa signature (sha1) */ | 83 DROPBEAR_SIGNATURE_RSA_SHA1 = 100, /* ssh-rsa signature (sha1) */ |
| 72 #endif | 84 #endif |
| 73 #if DROPBEAR_RSA_SHA256 | 85 #if DROPBEAR_RSA_SHA256 |
| 108 #endif | 120 #endif |
| 109 #endif | 121 #endif |
| 110 #if DROPBEAR_ED25519 | 122 #if DROPBEAR_ED25519 |
| 111 struct dropbear_ED25519_Key * ed25519key; | 123 struct dropbear_ED25519_Key * ed25519key; |
| 112 #endif | 124 #endif |
| 125 | |
| 126 #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519 | |
| 127 /* application ID for U2F/FIDO key types, a malloced string */ | |
| 128 char * sk_app; | |
| 129 unsigned int sk_applen; | |
| 130 #endif | |
| 113 }; | 131 }; |
| 114 | 132 |
| 115 typedef struct SIGN_key sign_key; | 133 typedef struct SIGN_key sign_key; |
| 116 | 134 |
| 117 sign_key * new_sign_key(void); | 135 sign_key * new_sign_key(void); |
| 128 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type); | 146 void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type); |
| 129 void sign_key_free(sign_key *key); | 147 void sign_key_free(sign_key *key); |
| 130 void buf_put_sign(buffer* buf, sign_key *key, enum signature_type sigtype, const buffer *data_buf); | 148 void buf_put_sign(buffer* buf, sign_key *key, enum signature_type sigtype, const buffer *data_buf); |
| 131 #if DROPBEAR_SIGNKEY_VERIFY | 149 #if DROPBEAR_SIGNKEY_VERIFY |
| 132 int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, const buffer *data_buf); | 150 int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, const buffer *data_buf); |
| 151 int sk_buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, const buffer *data_buf, char* app, unsigned int applen); | |
| 133 char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen); | 152 char * sign_key_fingerprint(const unsigned char* keyblob, unsigned int keybloblen); |
| 134 #endif | 153 #endif |
| 135 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, | 154 int cmp_base64_key(const unsigned char* keyblob, unsigned int keybloblen, |
| 136 const unsigned char* algoname, unsigned int algolen, | 155 const unsigned char* algoname, unsigned int algolen, |
| 137 const buffer * line, char ** fingerprint); | 156 const buffer * line, char ** fingerprint); |