diff options
Diffstat (limited to 'sshkey.c')
| -rw-r--r-- | sshkey.c | 26 |
1 files changed, 16 insertions, 10 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshkey.c,v 1.108 2020/04/11 10:16:11 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.111 2020/08/27 01:06:19 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
| @@ -132,6 +132,8 @@ static const struct keytype keytypes[] = { | |||
| 132 | # endif /* OPENSSL_HAS_NISTP521 */ | 132 | # endif /* OPENSSL_HAS_NISTP521 */ |
| 133 | { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, | 133 | { "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, |
| 134 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, | 134 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 0 }, |
| 135 | { "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL, | ||
| 136 | KEY_ECDSA_SK, NID_X9_62_prime256v1, 0, 1 }, | ||
| 135 | # endif /* OPENSSL_HAS_ECC */ | 137 | # endif /* OPENSSL_HAS_ECC */ |
| 136 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, | 138 | { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL, |
| 137 | KEY_RSA_CERT, 0, 1, 0 }, | 139 | KEY_RSA_CERT, 0, 1, 0 }, |
| @@ -2725,7 +2727,7 @@ int | |||
| 2725 | sshkey_sign(struct sshkey *key, | 2727 | sshkey_sign(struct sshkey *key, |
| 2726 | u_char **sigp, size_t *lenp, | 2728 | u_char **sigp, size_t *lenp, |
| 2727 | const u_char *data, size_t datalen, | 2729 | const u_char *data, size_t datalen, |
| 2728 | const char *alg, const char *sk_provider, u_int compat) | 2730 | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
| 2729 | { | 2731 | { |
| 2730 | int was_shielded = sshkey_is_shielded(key); | 2732 | int was_shielded = sshkey_is_shielded(key); |
| 2731 | int r2, r = SSH_ERR_INTERNAL_ERROR; | 2733 | int r2, r = SSH_ERR_INTERNAL_ERROR; |
| @@ -2764,7 +2766,7 @@ sshkey_sign(struct sshkey *key, | |||
| 2764 | case KEY_ECDSA_SK_CERT: | 2766 | case KEY_ECDSA_SK_CERT: |
| 2765 | case KEY_ECDSA_SK: | 2767 | case KEY_ECDSA_SK: |
| 2766 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, | 2768 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
| 2767 | datalen, compat, /* XXX PIN */ NULL); | 2769 | datalen, compat, sk_pin); |
| 2768 | break; | 2770 | break; |
| 2769 | #ifdef WITH_XMSS | 2771 | #ifdef WITH_XMSS |
| 2770 | case KEY_XMSS: | 2772 | case KEY_XMSS: |
| @@ -2886,7 +2888,8 @@ sshkey_drop_cert(struct sshkey *k) | |||
| 2886 | /* Sign a certified key, (re-)generating the signed certblob. */ | 2888 | /* Sign a certified key, (re-)generating the signed certblob. */ |
| 2887 | int | 2889 | int |
| 2888 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | 2890 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
| 2889 | const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx) | 2891 | const char *sk_provider, const char *sk_pin, |
| 2892 | sshkey_certify_signer *signer, void *signer_ctx) | ||
| 2890 | { | 2893 | { |
| 2891 | struct sshbuf *principals = NULL; | 2894 | struct sshbuf *principals = NULL; |
| 2892 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; | 2895 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; |
| @@ -3024,7 +3027,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
| 3024 | 3027 | ||
| 3025 | /* Sign the whole mess */ | 3028 | /* Sign the whole mess */ |
| 3026 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 3029 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
| 3027 | sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0) | 3030 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
| 3028 | goto out; | 3031 | goto out; |
| 3029 | /* Check and update signature_type against what was actually used */ | 3032 | /* Check and update signature_type against what was actually used */ |
| 3030 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) | 3033 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
| @@ -3054,19 +3057,20 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
| 3054 | static int | 3057 | static int |
| 3055 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, | 3058 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
| 3056 | const u_char *data, size_t datalen, | 3059 | const u_char *data, size_t datalen, |
| 3057 | const char *alg, const char *sk_provider, u_int compat, void *ctx) | 3060 | const char *alg, const char *sk_provider, const char *sk_pin, |
| 3061 | u_int compat, void *ctx) | ||
| 3058 | { | 3062 | { |
| 3059 | if (ctx != NULL) | 3063 | if (ctx != NULL) |
| 3060 | return SSH_ERR_INVALID_ARGUMENT; | 3064 | return SSH_ERR_INVALID_ARGUMENT; |
| 3061 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, | 3065 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
| 3062 | sk_provider, compat); | 3066 | sk_provider, sk_pin, compat); |
| 3063 | } | 3067 | } |
| 3064 | 3068 | ||
| 3065 | int | 3069 | int |
| 3066 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, | 3070 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
| 3067 | const char *sk_provider) | 3071 | const char *sk_provider, const char *sk_pin) |
| 3068 | { | 3072 | { |
| 3069 | return sshkey_certify_custom(k, ca, alg, sk_provider, | 3073 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
| 3070 | default_key_sign, NULL); | 3074 | default_key_sign, NULL); |
| 3071 | } | 3075 | } |
| 3072 | 3076 | ||
| @@ -3598,10 +3602,12 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) | |||
| 3598 | case KEY_XMSS: | 3602 | case KEY_XMSS: |
| 3599 | case KEY_XMSS_CERT: | 3603 | case KEY_XMSS_CERT: |
| 3600 | if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || | 3604 | if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL)) != 0 || |
| 3601 | (r = sshkey_xmss_init(k, xmss_name)) != 0 || | ||
| 3602 | (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || | 3605 | (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || |
| 3603 | (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) | 3606 | (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) |
| 3604 | goto out; | 3607 | goto out; |
| 3608 | if (type == KEY_XMSS && | ||
| 3609 | (r = sshkey_xmss_init(k, xmss_name)) != 0) | ||
| 3610 | goto out; | ||
| 3605 | if (pklen != sshkey_xmss_pklen(k) || | 3611 | if (pklen != sshkey_xmss_pklen(k) || |
| 3606 | sklen != sshkey_xmss_sklen(k)) { | 3612 | sklen != sshkey_xmss_sklen(k)) { |
| 3607 | r = SSH_ERR_INVALID_FORMAT; | 3613 | r = SSH_ERR_INVALID_FORMAT; |