Mercurial > dropbear
diff sk-ed25519.c @ 1928:333688ec53d0
Handle ecdsa-sk flags, reject no-touch
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 21:06:15 +0800 |
parents | 35d504d59c05 |
children |
line wrap: on
line diff
--- a/sk-ed25519.c Wed Mar 30 14:32:49 2022 +0800 +++ b/sk-ed25519.c Wed Mar 30 21:06:15 2022 +0800 @@ -6,6 +6,7 @@ #include "buffer.h" #include "curve25519.h" #include "ed25519.h" +#include "ssh.h" int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { @@ -31,6 +32,7 @@ flags = buf_getbyte (buf); counter = buf_getint (buf); + /* create the message to be signed */ sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); sha256_init (&hs); sha256_process (&hs, app, applen); @@ -50,10 +52,15 @@ ret = DROPBEAR_SUCCESS; } + /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ + if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { + if (ret == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); + } + ret = DROPBEAR_FAILURE; + } out: - if (sk_buffer) { - buf_free(sk_buffer); - } + buf_free(sk_buffer); TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) return ret; }