upstream: remove extra layer for ed25519 signature; ok djm@
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
This commit is contained in:
markus@openbsd.org
Damien Miller
parent
3fcf69ace1
commit
b556cc3cbf
|
|
@ -148,6 +148,14 @@ be reformatted slightly and the ecdsa_signature_blob value has the encoding:
|
|||
Where 'r' and 's' are extracted by the client or token middleware from the
|
||||
ecdsa_signature field returned from the hardware.
|
||||
|
||||
For Ed25519 keys the signature is encoded as:
|
||||
|
||||
string "sk-ssh-ed25519@openssh.com"
|
||||
string signature
|
||||
byte flags
|
||||
uint32 counter
|
||||
|
||||
|
||||
ssh-agent protocol extensions
|
||||
-----------------------------
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-ed25519-sk.c,v 1.1 2019/11/12 19:29:24 markus Exp $ */
|
||||
/* $OpenBSD: ssh-ed25519-sk.c,v 1.2 2019/11/12 19:34:40 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Markus Friedl. All rights reserved.
|
||||
*
|
||||
|
|
@ -36,7 +36,6 @@ ssh_ed25519_sk_verify(const struct sshkey *key,
|
|||
const u_char *data, size_t datalen, u_int compat)
|
||||
{
|
||||
struct sshbuf *b = NULL;
|
||||
struct sshbuf *sigbuf = NULL;
|
||||
struct sshbuf *encoded = NULL;
|
||||
char *ktype = NULL;
|
||||
const u_char *sigblob;
|
||||
|
|
@ -60,10 +59,9 @@ ssh_ed25519_sk_verify(const struct sshkey *key,
|
|||
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
|
||||
sshbuf_froms(b, &sigbuf) != 0 ||
|
||||
sshbuf_get_string_direct(sigbuf, &sigblob, &len) != 0 ||
|
||||
sshbuf_get_u8(sigbuf, &sig_flags) != 0 ||
|
||||
sshbuf_get_u32(sigbuf, &sig_counter) != 0) {
|
||||
sshbuf_get_string_direct(b, &sigblob, &len) != 0 ||
|
||||
sshbuf_get_u8(b, &sig_flags) != 0 ||
|
||||
sshbuf_get_u32(b, &sig_counter) != 0) {
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
}
|
||||
|
|
@ -123,7 +121,6 @@ ssh_ed25519_sk_verify(const struct sshkey *key,
|
|||
free(m);
|
||||
}
|
||||
sshbuf_free(b);
|
||||
sshbuf_free(sigbuf);
|
||||
sshbuf_free(encoded);
|
||||
free(ktype);
|
||||
return r;
|
||||
|
|
|
|||
67
ssh-sk.c
67
ssh-sk.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-sk.c,v 1.8 2019/11/12 19:34:00 markus Exp $ */
|
||||
/* $OpenBSD: ssh-sk.c,v 1.9 2019/11/12 19:34:40 markus Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Google LLC
|
||||
*
|
||||
|
|
@ -359,12 +359,11 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
|
|||
}
|
||||
|
||||
static int
|
||||
sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp)
|
||||
sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig)
|
||||
{
|
||||
struct sshbuf *inner_sig = NULL;
|
||||
int r = SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
*retp = NULL;
|
||||
/* Check response validity */
|
||||
if (resp->sig_r == NULL || resp->sig_r == NULL) {
|
||||
error("%s: sk_sign response invalid", __func__);
|
||||
|
|
@ -375,7 +374,7 @@ sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp)
|
|||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
/* Prepare inner signature object */
|
||||
/* Prepare and append inner signature object */
|
||||
if ((r = sshbuf_put_bignum2_bytes(inner_sig,
|
||||
resp->sig_r, resp->sig_r_len)) != 0 ||
|
||||
(r = sshbuf_put_bignum2_bytes(inner_sig,
|
||||
|
|
@ -385,42 +384,39 @@ sshsk_ecdsa_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp)
|
|||
debug("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0) {
|
||||
debug("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
#ifdef DEBUG_SK
|
||||
fprintf(stderr, "%s: sig_r:\n", __func__);
|
||||
sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr);
|
||||
fprintf(stderr, "%s: sig_s:\n", __func__);
|
||||
sshbuf_dump_data(resp->sig_s, resp->sig_s_len, stderr);
|
||||
fprintf(stderr, "%s: inner:\n", __func__);
|
||||
sshbuf_dump(inner_sig, stderr);
|
||||
#endif
|
||||
*retp = inner_sig;
|
||||
inner_sig = NULL;
|
||||
r = 0;
|
||||
out:
|
||||
out:
|
||||
sshbuf_free(inner_sig);
|
||||
return r;
|
||||
}
|
||||
|
||||
static int
|
||||
sshsk_ed25519_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp)
|
||||
sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig)
|
||||
{
|
||||
struct sshbuf *inner_sig = NULL;
|
||||
int r = SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
*retp = NULL;
|
||||
/* Check response validity */
|
||||
if (resp->sig_r == NULL) {
|
||||
error("%s: sk_sign response invalid", __func__);
|
||||
r = SSH_ERR_INVALID_FORMAT;
|
||||
goto out;
|
||||
}
|
||||
if ((inner_sig = sshbuf_new()) == NULL) {
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
/* Prepare inner signature object */
|
||||
if ((r = sshbuf_put_string(inner_sig,
|
||||
if ((r = sshbuf_put_string(sig,
|
||||
resp->sig_r, resp->sig_r_len)) != 0 ||
|
||||
(r = sshbuf_put_u8(inner_sig, resp->flags)) != 0 ||
|
||||
(r = sshbuf_put_u32(inner_sig, resp->counter)) != 0) {
|
||||
(r = sshbuf_put_u8(sig, resp->flags)) != 0 ||
|
||||
(r = sshbuf_put_u32(sig, resp->counter)) != 0) {
|
||||
debug("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
|
|
@ -428,12 +424,9 @@ sshsk_ed25519_inner_sig(struct sk_sign_response *resp, struct sshbuf **retp)
|
|||
fprintf(stderr, "%s: sig_r:\n", __func__);
|
||||
sshbuf_dump_data(resp->sig_r, resp->sig_r_len, stderr);
|
||||
#endif
|
||||
*retp = inner_sig;
|
||||
inner_sig = NULL;
|
||||
r = 0;
|
||||
out:
|
||||
sshbuf_free(inner_sig);
|
||||
return r;
|
||||
out:
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
|
|
@ -488,34 +481,30 @@ sshsk_sign(const char *provider_path, const struct sshkey *key,
|
|||
debug("%s: sk_sign failed with code %d", __func__, r);
|
||||
goto out;
|
||||
}
|
||||
/* Prepare inner signature object */
|
||||
switch (type) {
|
||||
case KEY_ECDSA_SK:
|
||||
if ((r = sshsk_ecdsa_inner_sig(resp, &inner_sig)) != 0)
|
||||
goto out;
|
||||
break;
|
||||
case KEY_ED25519_SK:
|
||||
if ((r = sshsk_ed25519_inner_sig(resp, &inner_sig)) != 0)
|
||||
goto out;
|
||||
break;
|
||||
}
|
||||
/* Assemble outer signature */
|
||||
/* Assemble signature */
|
||||
if ((sig = sshbuf_new()) == NULL) {
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
if ((r = sshbuf_put_cstring(sig, sshkey_ssh_name_plain(key))) != 0 ||
|
||||
(r = sshbuf_put_stringb(sig, inner_sig)) != 0) {
|
||||
if ((r = sshbuf_put_cstring(sig, sshkey_ssh_name_plain(key))) != 0) {
|
||||
debug("%s: buffer error (outer): %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
switch (type) {
|
||||
case KEY_ECDSA_SK:
|
||||
if ((r = sshsk_ecdsa_sig(resp, sig)) != 0)
|
||||
goto out;
|
||||
break;
|
||||
case KEY_ED25519_SK:
|
||||
if ((r = sshsk_ed25519_sig(resp, sig)) != 0)
|
||||
goto out;
|
||||
break;
|
||||
}
|
||||
#ifdef DEBUG_SK
|
||||
fprintf(stderr, "%s: sig_flags = 0x%02x, sig_counter = %u\n",
|
||||
__func__, resp->flags, resp->counter);
|
||||
fprintf(stderr, "%s: hashed message:\n", __func__);
|
||||
sshbuf_dump_data(message, sizeof(message), stderr);
|
||||
fprintf(stderr, "%s: inner:\n", __func__);
|
||||
sshbuf_dump(inner_sig, stderr);
|
||||
fprintf(stderr, "%s: sigbuf:\n", __func__);
|
||||
sshbuf_dump(sig, stderr);
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Reference in New Issue