diff options
author | markus@openbsd.org <markus@openbsd.org> | 2019-11-12 19:31:18 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-13 08:49:52 +1100 |
commit | fe05a36dc0ea884c8c2395d53d804fe4f4202b26 (patch) | |
tree | f2497141020c6991fd5d538b6e1f88f1213219d4 | |
parent | e03a29e6554cd0c9cdbac0dae53dd79e6eb4ea47 (diff) |
upstream: implement sshsk_ed25519_inner_sig(); ok djm
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
-rw-r--r-- | ssh-sk.c | 59 | ||||
-rw-r--r-- | ssh-sk.h | 4 | ||||
-rw-r--r-- | sshkey.c | 7 |
3 files changed, 61 insertions, 9 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-sk.c,v 1.4 2019/11/12 19:30:50 markus Exp $ */ | 1 | /* $OpenBSD: ssh-sk.c,v 1.5 2019/11/12 19:31:18 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -330,8 +330,37 @@ sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | |||
330 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); | 330 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); |
331 | fprintf(stderr, "%s: sig_s:\n", __func__); | 331 | fprintf(stderr, "%s: sig_s:\n", __func__); |
332 | sshbuf_dump_data(resp->sig_s, resp->sig_s_len, stderr); | 332 | sshbuf_dump_data(resp->sig_s, resp->sig_s_len, stderr); |
333 | fprintf(stderr, "%s: sig_flags = 0x%02x, sig_counter = %u\n", | 333 | #endif |
334 | __func__, resp->flags, resp->counter); | 334 | *retp = inner_sig; |
335 | inner_sig = NULL; | ||
336 | r = 0; | ||
337 | out: | ||
338 | sshbuf_free(inner_sig); | ||
339 | return r; | ||
340 | } | ||
341 | |||
342 | static int | ||
343 | sshsk_ed25519_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | ||
344 | { | ||
345 | struct sshbuf *inner_sig = NULL; | ||
346 | int r = SSH_ERR_INTERNAL_ERROR; | ||
347 | |||
348 | *retp = NULL; | ||
349 | if ((inner_sig = sshbuf_new()) == NULL) { | ||
350 | r = SSH_ERR_ALLOC_FAIL; | ||
351 | goto out; | ||
352 | } | ||
353 | /* Prepare inner signature object */ | ||
354 | if ((r = sshbuf_put_string(inner_sig, | ||
355 | resp->sig_r, resp->sig_r_len)) != 0 || | ||
356 | (r = sshbuf_put_u8(inner_sig, resp->flags)) != 0 || | ||
357 | (r = sshbuf_put_u32(inner_sig, resp->counter)) != 0) { | ||
358 | debug("%s: buffer error: %s", __func__, ssh_err(r)); | ||
359 | goto out; | ||
360 | } | ||
361 | #ifdef DEBUG_SK | ||
362 | fprintf(stderr, "%s: sig_r:\n", __func__); | ||
363 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); | ||
335 | #endif | 364 | #endif |
336 | *retp = inner_sig; | 365 | *retp = inner_sig; |
337 | inner_sig = NULL; | 366 | inner_sig = NULL; |
@@ -348,6 +377,7 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
348 | { | 377 | { |
349 | struct sshsk_provider *skp = NULL; | 378 | struct sshsk_provider *skp = NULL; |
350 | int r = SSH_ERR_INTERNAL_ERROR; | 379 | int r = SSH_ERR_INTERNAL_ERROR; |
380 | int type; | ||
351 | struct sk_sign_response *resp = NULL; | 381 | struct sk_sign_response *resp = NULL; |
352 | struct sshbuf *inner_sig = NULL, *sig = NULL; | 382 | struct sshbuf *inner_sig = NULL, *sig = NULL; |
353 | uint8_t message[32]; | 383 | uint8_t message[32]; |
@@ -356,8 +386,15 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
356 | *sigp = NULL; | 386 | *sigp = NULL; |
357 | if (lenp != NULL) | 387 | if (lenp != NULL) |
358 | *lenp = 0; | 388 | *lenp = 0; |
389 | type = sshkey_type_plain(key->type); | ||
390 | switch (type) { | ||
391 | case KEY_ECDSA_SK: | ||
392 | case KEY_ED25519_SK: | ||
393 | break; | ||
394 | default: | ||
395 | return SSH_ERR_INVALID_ARGUMENT; | ||
396 | } | ||
359 | if (provider_path == NULL || | 397 | if (provider_path == NULL || |
360 | sshkey_type_plain(key->type) != KEY_ECDSA_SK || | ||
361 | key->sk_key_handle == NULL || | 398 | key->sk_key_handle == NULL || |
362 | key->sk_application == NULL || *key->sk_application == '\0') { | 399 | key->sk_application == NULL || *key->sk_application == '\0') { |
363 | r = SSH_ERR_INVALID_ARGUMENT; | 400 | r = SSH_ERR_INVALID_ARGUMENT; |
@@ -383,8 +420,16 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
383 | goto out; | 420 | goto out; |
384 | } | 421 | } |
385 | /* Prepare inner signature object */ | 422 | /* Prepare inner signature object */ |
386 | if ((r = sshsk_ecdsa_inner_sig(resp, &inner_sig)) != 0) | 423 | switch (type) { |
387 | goto out; | 424 | case KEY_ECDSA_SK: |
425 | if ((r = sshsk_ecdsa_inner_sig(resp, &inner_sig)) != 0) | ||
426 | goto out; | ||
427 | break; | ||
428 | case KEY_ED25519_SK: | ||
429 | if ((r = sshsk_ed25519_inner_sig(resp, &inner_sig)) != 0) | ||
430 | goto out; | ||
431 | break; | ||
432 | } | ||
388 | /* Assemble outer signature */ | 433 | /* Assemble outer signature */ |
389 | if ((sig = sshbuf_new()) == NULL) { | 434 | if ((sig = sshbuf_new()) == NULL) { |
390 | r = SSH_ERR_ALLOC_FAIL; | 435 | r = SSH_ERR_ALLOC_FAIL; |
@@ -396,6 +441,8 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
396 | goto out; | 441 | goto out; |
397 | } | 442 | } |
398 | #ifdef DEBUG_SK | 443 | #ifdef DEBUG_SK |
444 | fprintf(stderr, "%s: sig_flags = 0x%02x, sig_counter = %u\n", | ||
445 | __func__, resp->flags, resp->counter); | ||
399 | fprintf(stderr, "%s: hashed message:\n", __func__); | 446 | fprintf(stderr, "%s: hashed message:\n", __func__); |
400 | sshbuf_dump_data(message, sizeof(message), stderr); | 447 | sshbuf_dump_data(message, sizeof(message), stderr); |
401 | fprintf(stderr, "%s: inner:\n", __func__); | 448 | fprintf(stderr, "%s: inner:\n", __func__); |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-sk.h,v 1.3 2019/11/12 19:30:50 markus Exp $ */ | 1 | /* $OpenBSD: ssh-sk.h,v 1.4 2019/11/12 19:31:18 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -39,7 +39,7 @@ int sshsk_enroll(const char *provider_path, const char *application, | |||
39 | struct sshbuf *attest); | 39 | struct sshbuf *attest); |
40 | 40 | ||
41 | /* | 41 | /* |
42 | * Calculate an ECDSA_SK signature using the specified key | 42 | * Calculate an ECDSA_SK or ED25519_SK signature using the specified key |
43 | * and provider middleware. | 43 | * and provider middleware. |
44 | * | 44 | * |
45 | * Returns 0 on success or a ssherr.h error code on failure. | 45 | * Returns 0 on success or a ssherr.h error code on failure. |
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sshkey.c,v 1.88 2019/11/12 19:30:50 markus Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.89 2019/11/12 19:31:18 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
@@ -2701,6 +2701,11 @@ sshkey_sign(struct sshkey *key, | |||
2701 | case KEY_ED25519_CERT: | 2701 | case KEY_ED25519_CERT: |
2702 | r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); | 2702 | r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat); |
2703 | break; | 2703 | break; |
2704 | case KEY_ED25519_SK: | ||
2705 | case KEY_ED25519_SK_CERT: | ||
2706 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, datalen, | ||
2707 | compat); | ||
2708 | break; | ||
2704 | #ifdef WITH_XMSS | 2709 | #ifdef WITH_XMSS |
2705 | case KEY_XMSS: | 2710 | case KEY_XMSS: |
2706 | case KEY_XMSS_CERT: | 2711 | case KEY_XMSS_CERT: |