diff --git a/sk-ecdsa.c b/sk-ecdsa.c index 2d4a0ff..bd4d353 100644 --- a/sk-ecdsa.c +++ b/sk-ecdsa.c @@ -6,6 +6,7 @@ #include "ecc.h" #include "ecdsa.h" #include "sk-ecdsa.h" +#include "ssh.h" int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) { hash_state hs; @@ -40,6 +41,14 @@ int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, buf_free(sk_buffer); buf_free(sig_buffer); + /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ + if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { + if (ret == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); + } + ret = DROPBEAR_FAILURE; + } + TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret)) return ret; } diff --git a/sk-ed25519.c b/sk-ed25519.c index 9da9606..902a5e6 100644 --- a/sk-ed25519.c +++ b/sk-ed25519.c @@ -6,6 +6,7 @@ #include "buffer.h" #include "curve25519.h" #include "ed25519.h" +#include "ssh.h" int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { @@ -31,6 +32,7 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu flags = buf_getbyte (buf); counter = buf_getint (buf); + /* create the message to be signed */ sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); sha256_init (&hs); sha256_process (&hs, app, applen); @@ -50,10 +52,15 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu ret = DROPBEAR_SUCCESS; } -out: - if (sk_buffer) { - buf_free(sk_buffer); + /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */ + if (!(flags & SSH_SK_USER_PRESENCE_REQD)) { + if (ret == DROPBEAR_SUCCESS) { + dropbear_log(LOG_WARNING, "Rejecting, user-presence not set"); + } + ret = DROPBEAR_FAILURE; } +out: + buf_free(sk_buffer); TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) return ret; } diff --git a/ssh.h b/ssh.h index ee4a960..1b4fec6 100644 --- a/ssh.h +++ b/ssh.h @@ -126,3 +126,8 @@ #define SSH2_AGENT_SIGN_RESPONSE 14 #define SSH2_AGENT_FAILURE 30 + +/* Flags defined by OpenSSH U2F key/signature format */ +#define SSH_SK_USER_PRESENCE_REQD 0x01 +#define SSH_SK_USER_VERIFICATION_REQD 0x04 +#define SSH_SK_RESIDENT_KEY 0x20