diff sk-ecdsa.c @ 1928:333688ec53d0
Handle ecdsa-sk flags, reject no-touch
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 21:06:15 +0800 |
parents | 35d504d59c05 |
children |
--- a/sk-ecdsa.c Wed Mar 30 14:32:49 2022 +0800
+++ b/sk-ecdsa.c Wed Mar 30 21:06:15 2022 +0800
@@ -6,6 +6,7 @@
 #include "ecc.h"
 #include "ecdsa.h"
 #include "sk-ecdsa.h"
+#include "ssh.h"
 
 int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
 hash_state hs;
@@ -40,6 +41,14 @@
 buf_free(sk_buffer);
 buf_free(sig_buffer);
 
+ /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
+ if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
+ if (ret == DROPBEAR_SUCCESS) {
+ dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
+ }
+ ret = DROPBEAR_FAILURE;
+ }
+
 TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
 return ret;
 }
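Review bot: The user-presence check added before the final TRACE in buf_sk_ecdsa_verify is, as far as this page shows, enforced only in the ECDSA verifier, and the description says the ed25519 code is not yet shared. The sk-ed25519 verify path should be confirmed to carry the same test, otherwise the "reject no-touch" policy would depend on the key type. The inner `if (ret == DROPBEAR_SUCCESS)` also deserves a one-line comment such as `/* flags is only meaningful once the signature verified; log then, but fail in every case */`, since `flags` is presumably part of the signed data assembled earlier in the function, outside this hunk. Naming the key type in the message, `"Rejecting ecdsa-sk signature, user-presence not set"`, would make the warning easier to act on when triaging auth logs.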