ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-01-31 10:57:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Handle ecdsa-sk flags, reject no-touch

Browse Source 
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
This commit is contained in:
Matt Johnston 2022-03-30 21:06:15 +08:00
parent ecc85f91e6
commit 9007a80616
3 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sk-ecdsa.c
View File

@ -6,6 +6,7 @@
#include "ecc.h" #include "ecc.h"
#include "ecdsa.h" #include "ecdsa.h"
#include "sk-ecdsa.h" #include "sk-ecdsa.h"
#include "ssh.h"
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) { int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
hash_state hs; hash_state hs;
@ -40,6 +41,14 @@ int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
buf_free(sk_buffer); buf_free(sk_buffer);
buf_free(sig_buffer); buf_free(sig_buffer);
/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
}
ret = DROPBEAR_FAILURE;
}
TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret)) TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
return ret; return ret;
} }

13
sk-ed25519.c
View File

@ -6,6 +6,7 @@
#include "buffer.h" #include "buffer.h"
#include "curve25519.h" #include "curve25519.h"
#include "ed25519.h" #include "ed25519.h"
#include "ssh.h"
int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) { int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
@ -31,6 +32,7 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu
flags = buf_getbyte (buf); flags = buf_getbyte (buf);
counter = buf_getint (buf); counter = buf_getint (buf);
/* create the message to be signed */
sk_buffer = buf_new (2*SHA256_HASH_SIZE+5); sk_buffer = buf_new (2*SHA256_HASH_SIZE+5);
sha256_init (&hs); sha256_init (&hs);
sha256_process (&hs, app, applen); sha256_process (&hs, app, applen);
@ -50,10 +52,15 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu
ret = DROPBEAR_SUCCESS; ret = DROPBEAR_SUCCESS;
} }
out: /* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
if (sk_buffer) { if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
buf_free(sk_buffer); if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
}
ret = DROPBEAR_FAILURE;
} }
out:
buf_free(sk_buffer);
TRACE(("leave buf_sk_ed25519_verify: ret %d", ret)) TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))
return ret; return ret;
} }

5
ssh.h
View File

@ -126,3 +126,8 @@
#define SSH2_AGENT_SIGN_RESPONSE 14 #define SSH2_AGENT_SIGN_RESPONSE 14
#define SSH2_AGENT_FAILURE 30 #define SSH2_AGENT_FAILURE 30
/* Flags defined by OpenSSH U2F key/signature format */
#define SSH_SK_USER_PRESENCE_REQD 0x01
#define SSH_SK_USER_VERIFICATION_REQD 0x04
#define SSH_SK_RESIDENT_KEY 0x20