Mercurial > dropbear
changeset 1928:333688ec53d0
Handle ecdsa-sk flags, reject no-touch
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Wed, 30 Mar 2022 21:06:15 +0800 |
parents | dc615fdb7c06 |
children | 315dbcef7293 |
files | sk-ecdsa.c sk-ed25519.c ssh.h |
diffstat | 3 files changed, 24 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/sk-ecdsa.c Wed Mar 30 14:32:49 2022 +0800 +++ b/sk-ecdsa.c Wed Mar 30 21:06:15 2022 +0800 @@ -6,6 +6,7 @@ #include "ecc.h" #include "ecdsa.h" #include "sk-ecdsa.h" +#include "ssh.h" int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) { hash_state hs; @@ -40,6 +41,14 @@ buf_free(sk_buffer); buf_free(sig_buffer); + /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ + if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { + if (ret == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); + } + ret = DROPBEAR_FAILURE; + } + TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret)) return ret; }
--- a/sk-ed25519.c Wed Mar 30 14:32:49 2022 +0800 +++ b/sk-ed25519.c Wed Mar 30 21:06:15 2022 +0800 @@ -6,6 +6,7 @@ #include "buffer.h" #include "curve25519.h" #include "ed25519.h" +#include "ssh.h" int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { @@ -31,6 +32,7 @@ flags = buf_getbyte (buf); counter = buf_getint (buf); + /* create the message to be signed */ sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); sha256_init (&hs); sha256_process (&hs, app, applen); @@ -50,10 +52,15 @@ ret = DROPBEAR_SUCCESS; } + /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ + if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { + if (ret == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); + } + ret = DROPBEAR_FAILURE; + } out: - if (sk_buffer) { - buf_free(sk_buffer); - } + buf_free(sk_buffer); TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) return ret; }
--- a/ssh.h Wed Mar 30 14:32:49 2022 +0800 +++ b/ssh.h Wed Mar 30 21:06:15 2022 +0800 @@ -126,3 +126,8 @@ #define SSH2_AGENT_SIGN_RESPONSE 14 #define SSH2_AGENT_FAILURE 30 + +/* Flags defined by OpenSSH U2F key/signature format */ +#define SSH_SK_USER_PRESENCE_REQD 0x01 +#define SSH_SK_USER_VERIFICATION_REQD 0x04 +#define SSH_SK_RESIDENT_KEY 0x20