diff options
author | markus@openbsd.org <markus@openbsd.org> | 2019-11-12 19:34:40 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-13 08:54:09 +1100 |
commit | b556cc3cbf0c43f073bb41bba4e92ca709a1ec13 (patch) | |
tree | efe6046187a7bc035e427b99e269e7a88cbac59f /ssh-sk.c | |
parent | 3fcf69ace19e75cf9dcd7206f396adfcb29611a8 (diff) |
upstream: remove extra layer for ed25519 signature; ok djm@
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 65 |
1 files changed, 27 insertions, 38 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-sk.c,v 1.8 2019/11/12 19:34:00 markus Exp $ */ | 1 | /* $OpenBSD: ssh-sk.c,v 1.9 2019/11/12 19:34:40 markus Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -359,12 +359,11 @@ sshsk_enroll(int type, const char *provider_path, const char *application, | |||
359 | } | 359 | } |
360 | 360 | ||
361 | static int | 361 | static int |
362 | sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | 362 | sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) |
363 | { | 363 | { |
364 | struct sshbuf *inner_sig = NULL; | 364 | struct sshbuf *inner_sig = NULL; |
365 | int r = SSH_ERR_INTERNAL_ERROR; | 365 | int r = SSH_ERR_INTERNAL_ERROR; |
366 | 366 | ||
367 | *retp = NULL; | ||
368 | /* Check response validity */ | 367 | /* Check response validity */ |
369 | if (resp->sig_r == NULL || resp->sig_r == NULL) { | 368 | if (resp->sig_r == NULL || resp->sig_r == NULL) { |
370 | error("%s: sk_sign response invalid", __func__); | 369 | error("%s: sk_sign response invalid", __func__); |
@@ -375,7 +374,7 @@ sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | |||
375 | r = SSH_ERR_ALLOC_FAIL; | 374 | r = SSH_ERR_ALLOC_FAIL; |
376 | goto out; | 375 | goto out; |
377 | } | 376 | } |
378 | /* Prepare inner signature object */ | 377 | /* Prepare and append inner signature object */ |
379 | if ((r = sshbuf_put_bignum2_bytes(inner_sig, | 378 | if ((r = sshbuf_put_bignum2_bytes(inner_sig, |
380 | resp->sig_r, resp->sig_r_len)) != 0 || | 379 | resp->sig_r, resp->sig_r_len)) != 0 || |
381 | (r = sshbuf_put_bignum2_bytes(inner_sig, | 380 | (r = sshbuf_put_bignum2_bytes(inner_sig, |
@@ -385,42 +384,39 @@ sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | |||
385 | debug("%s: buffer error: %s", __func__, ssh_err(r)); | 384 | debug("%s: buffer error: %s", __func__, ssh_err(r)); |
386 | goto out; | 385 | goto out; |
387 | } | 386 | } |
387 | if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0) { | ||
388 | debug("%s: buffer error: %s", __func__, ssh_err(r)); | ||
389 | goto out; | ||
390 | } | ||
388 | #ifdef DEBUG_SK | 391 | #ifdef DEBUG_SK |
389 | fprintf(stderr, "%s: sig_r:\n", __func__); | 392 | fprintf(stderr, "%s: sig_r:\n", __func__); |
390 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); | 393 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); |
391 | fprintf(stderr, "%s: sig_s:\n", __func__); | 394 | fprintf(stderr, "%s: sig_s:\n", __func__); |
392 | sshbuf_dump_data(resp->sig_s, resp->sig_s_len, stderr); | 395 | sshbuf_dump_data(resp->sig_s, resp->sig_s_len, stderr); |
396 | fprintf(stderr, "%s: inner:\n", __func__); | ||
397 | sshbuf_dump(inner_sig, stderr); | ||
393 | #endif | 398 | #endif |
394 | *retp = inner_sig; | ||
395 | inner_sig = NULL; | ||
396 | r = 0; | 399 | r = 0; |
397 | out: | 400 | out: |
398 | sshbuf_free(inner_sig); | 401 | sshbuf_free(inner_sig); |
399 | return r; | 402 | return r; |
400 | } | 403 | } |
401 | 404 | ||
402 | static int | 405 | static int |
403 | sshsk_ed25519_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | 406 | sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig) |
404 | { | 407 | { |
405 | struct sshbuf *inner_sig = NULL; | ||
406 | int r = SSH_ERR_INTERNAL_ERROR; | 408 | int r = SSH_ERR_INTERNAL_ERROR; |
407 | 409 | ||
408 | *retp = NULL; | ||
409 | /* Check response validity */ | 410 | /* Check response validity */ |
410 | if (resp->sig_r == NULL) { | 411 | if (resp->sig_r == NULL) { |
411 | error("%s: sk_sign response invalid", __func__); | 412 | error("%s: sk_sign response invalid", __func__); |
412 | r = SSH_ERR_INVALID_FORMAT; | 413 | r = SSH_ERR_INVALID_FORMAT; |
413 | goto out; | 414 | goto out; |
414 | } | 415 | } |
415 | if ((inner_sig = sshbuf_new()) == NULL) { | 416 | if ((r = sshbuf_put_string(sig, |
416 | r = SSH_ERR_ALLOC_FAIL; | ||
417 | goto out; | ||
418 | } | ||
419 | /* Prepare inner signature object */ | ||
420 | if ((r = sshbuf_put_string(inner_sig, | ||
421 | resp->sig_r, resp->sig_r_len)) != 0 || | 417 | resp->sig_r, resp->sig_r_len)) != 0 || |
422 | (r = sshbuf_put_u8(inner_sig, resp->flags)) != 0 || | 418 | (r = sshbuf_put_u8(sig, resp->flags)) != 0 || |
423 | (r = sshbuf_put_u32(inner_sig, resp->counter)) != 0) { | 419 | (r = sshbuf_put_u32(sig, resp->counter)) != 0) { |
424 | debug("%s: buffer error: %s", __func__, ssh_err(r)); | 420 | debug("%s: buffer error: %s", __func__, ssh_err(r)); |
425 | goto out; | 421 | goto out; |
426 | } | 422 | } |
@@ -428,12 +424,9 @@ sshsk_ed25519_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp) | |||
428 | fprintf(stderr, "%s: sig_r:\n", __func__); | 424 | fprintf(stderr, "%s: sig_r:\n", __func__); |
429 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); | 425 | sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr); |
430 | #endif | 426 | #endif |
431 | *retp = inner_sig; | ||
432 | inner_sig = NULL; | ||
433 | r = 0; | 427 | r = 0; |
434 | out: | 428 | out: |
435 | sshbuf_free(inner_sig); | 429 | return 0; |
436 | return r; | ||
437 | } | 430 | } |
438 | 431 | ||
439 | int | 432 | int |
@@ -488,34 +481,30 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
488 | debug("%s: sk_sign failed with code %d", __func__, r); | 481 | debug("%s: sk_sign failed with code %d", __func__, r); |
489 | goto out; | 482 | goto out; |
490 | } | 483 | } |
491 | /* Prepare inner signature object */ | 484 | /* Assemble signature */ |
485 | if ((sig = sshbuf_new()) == NULL) { | ||
486 | r = SSH_ERR_ALLOC_FAIL; | ||
487 | goto out; | ||
488 | } | ||
489 | if ((r = sshbuf_put_cstring(sig, sshkey_ssh_name_plain(key))) != 0) { | ||
490 | debug("%s: buffer error (outer): %s", __func__, ssh_err(r)); | ||
491 | goto out; | ||
492 | } | ||
492 | switch (type) { | 493 | switch (type) { |
493 | case KEY_ECDSA_SK: | 494 | case KEY_ECDSA_SK: |
494 | if ((r = sshsk_ecdsa_inner_sig(resp, &inner_sig)) != 0) | 495 | if ((r = sshsk_ecdsa_sig(resp, sig)) != 0) |
495 | goto out; | 496 | goto out; |
496 | break; | 497 | break; |
497 | case KEY_ED25519_SK: | 498 | case KEY_ED25519_SK: |
498 | if ((r = sshsk_ed25519_inner_sig(resp, &inner_sig)) != 0) | 499 | if ((r = sshsk_ed25519_sig(resp, sig)) != 0) |
499 | goto out; | 500 | goto out; |
500 | break; | 501 | break; |
501 | } | 502 | } |
502 | /* Assemble outer signature */ | ||
503 | if ((sig = sshbuf_new()) == NULL) { | ||
504 | r = SSH_ERR_ALLOC_FAIL; | ||
505 | goto out; | ||
506 | } | ||
507 | if ((r = sshbuf_put_cstring(sig, sshkey_ssh_name_plain(key))) != 0 || | ||
508 | (r = sshbuf_put_stringb(sig, inner_sig)) != 0) { | ||
509 | debug("%s: buffer error (outer): %s", __func__, ssh_err(r)); | ||
510 | goto out; | ||
511 | } | ||
512 | #ifdef DEBUG_SK | 503 | #ifdef DEBUG_SK |
513 | fprintf(stderr, "%s: sig_flags = 0x%02x, sig_counter = %u\n", | 504 | fprintf(stderr, "%s: sig_flags = 0x%02x, sig_counter = %u\n", |
514 | __func__, resp->flags, resp->counter); | 505 | __func__, resp->flags, resp->counter); |
515 | fprintf(stderr, "%s: hashed message:\n", __func__); | 506 | fprintf(stderr, "%s: hashed message:\n", __func__); |
516 | sshbuf_dump_data(message, sizeof(message), stderr); | 507 | sshbuf_dump_data(message, sizeof(message), stderr); |
517 | fprintf(stderr, "%s: inner:\n", __func__); | ||
518 | sshbuf_dump(inner_sig, stderr); | ||
519 | fprintf(stderr, "%s: sigbuf:\n", __func__); | 508 | fprintf(stderr, "%s: sigbuf:\n", __func__); |
520 | sshbuf_dump(sig, stderr); | 509 | sshbuf_dump(sig, stderr); |
521 | #endif | 510 | #endif |