Mercurial > dropbear
comparison sk-ed25519.c @ 1855:35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
* Implement server-side support for sk-ecdsa U2F-backed keys
* Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys
* Fix one more potential out-of-bounds read
* Check if nistp256 curve is used in sk-ecdsa-sha2- key
It's the only allowed curve per PROTOCOL.u2f specification
* Implement server-side support for sk-ed25519 FIDO2-backed keys
* Keys with type sk-* make no sense as host keys, so they should be
disabled
* fix typo
* Make sk-ecdsa call buf_ecdsa_verify
This reduces code duplication, the SK code just handles the
different message format.
* Reduce sk specific code
The application id can be stored in signkey, then we don't need
to call sk-specific functions from svr-authpubkey
* Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled
* Proper cleanup of sk_app
Co-authored-by: Matt Johnston <[email protected]>
| author | egor-duda <egor-duda@users.noreply.github.com> |
|---|---|
| date | Sat, 22 Jan 2022 16:53:04 +0300 |
| parents | |
| children | 333688ec53d0 |
comparison
equal
deleted
inserted
replaced
| 1854:cba37fe1ddc8 | 1855:35d504d59c05 |
|---|---|
| 1 #include "includes.h" | |
| 2 | |
| 3 #if DROPBEAR_SK_ED25519 | |
| 4 | |
| 5 #include "dbutil.h" | |
| 6 #include "buffer.h" | |
| 7 #include "curve25519.h" | |
| 8 #include "ed25519.h" | |
| 9 | |
| 10 int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { | |
| 11 | |
| 12 int ret = DROPBEAR_FAILURE; | |
| 13 unsigned char *s; | |
| 14 unsigned long slen; | |
| 15 hash_state hs; | |
| 16 unsigned char hash[SHA256_HASH_SIZE]; | |
| 17 buffer *sk_buffer = NULL; | |
| 18 unsigned char flags; | |
| 19 unsigned int counter; | |
| 20 | |
| 21 TRACE(("enter buf_sk_ed25519_verify")) | |
| 22 dropbear_assert(key != NULL); | |
| 23 | |
| 24 slen = buf_getint(buf); | |
| 25 if (slen != 64 || buf->len - buf->pos < slen) { | |
| 26 TRACE(("leave buf_sk_ed25519_verify: bad size")) | |
| 27 goto out; | |
| 28 } | |
| 29 s = buf_getptr(buf, slen); | |
| 30 buf_incrpos(buf, slen); | |
| 31 | |
| 32 flags = buf_getbyte (buf); | |
| 33 counter = buf_getint (buf); | |
| 34 sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); | |
| 35 sha256_init (&hs); | |
| 36 sha256_process (&hs, app, applen); | |
| 37 sha256_done (&hs, hash); | |
| 38 buf_putbytes (sk_buffer, hash, sizeof (hash)); | |
| 39 buf_putbyte (sk_buffer, flags); | |
| 40 buf_putint (sk_buffer, counter); | |
| 41 sha256_init (&hs); | |
| 42 sha256_process (&hs, data_buf->data, data_buf->len); | |
| 43 sha256_done (&hs, hash); | |
| 44 buf_putbytes (sk_buffer, hash, sizeof (hash)); | |
| 45 | |
| 46 if (dropbear_ed25519_verify(sk_buffer->data, sk_buffer->len, | |
| 47 s, slen, key->pub) == 0) { | |
| 48 /* signature is valid */ | |
| 49 TRACE(("leave buf_sk_ed25519_verify: success!")) | |
| 50 ret = DROPBEAR_SUCCESS; | |
| 51 } | |
| 52 | |
| 53 out: | |
| 54 if (sk_buffer) { | |
| 55 buf_free(sk_buffer); | |
| 56 } | |
| 57 TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) | |
| 58 return ret; | |
| 59 } | |
| 60 | |
| 61 #endif /* DROPBEAR_SK_ED25519 */ |