-/* $OpenBSD: authfd.c,v 1.118 2019/10/31 21:19:14 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.119 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#endif
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
case KEY_XMSS:
case KEY_XMSS_CERT:
type = constrained ?
-/* $OpenBSD: myproposal.h,v 1.60 2019/11/01 02:32:05 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.61 2019/11/12 19:33:08 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "sk-ssh-ed25519-cert-v01@openssh.com," \
"ssh-ed25519-cert-v01@openssh.com," \
"rsa-sha2-512-cert-v01@openssh.com," \
"rsa-sha2-256-cert-v01@openssh.com," \
"ecdsa-sha2-nistp256," \
"ecdsa-sha2-nistp384," \
"ecdsa-sha2-nistp521," \
+ "sk-ssh-ed25519@openssh.com," \
"ssh-ed25519," \
"rsa-sha2-512," \
"rsa-sha2-256," \
-/* $OpenBSD: pathnames.h,v 1.30 2019/10/31 21:22:01 djm Exp $ */
+/* $OpenBSD: pathnames.h,v 1.31 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"
#define _PATH_SSH_CLIENT_ID_XMSS _PATH_SSH_USER_DIR "/id_xmss"
#define _PATH_SSH_CLIENT_ID_ECDSA_SK _PATH_SSH_USER_DIR "/id_ecdsa_sk"
+#define _PATH_SSH_CLIENT_ID_ED25519_SK _PATH_SSH_USER_DIR "/id_ed25519_sk"
/*
* Configuration file in user's home directory. This file need not be
-/* $OpenBSD: readconf.c,v 1.310 2019/10/31 21:18:28 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.311 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#endif
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ED25519, 0);
+ add_identity_file(options, "~/",
+ _PATH_SSH_CLIENT_ID_ED25519_SK, 0);
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0);
}
if (options->escape_char == -1)
-/* $OpenBSD: ssh-add.c,v 1.143 2019/10/31 21:19:56 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.144 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
#endif
#endif /* WITH_OPENSSL */
_PATH_SSH_CLIENT_ID_ED25519,
+ _PATH_SSH_CLIENT_ID_ED25519_SK,
_PATH_SSH_CLIENT_ID_XMSS,
NULL
};
ssh_free_identitylist(idlist);
}
- if (sshkey_type_plain(private->type) != KEY_ECDSA_SK)
+ if (!sshkey_is_sk(private))
skprovider = NULL; /* Don't send constraint for other keys */
else if (skprovider == NULL) {
fprintf(stderr, "Cannot load security key %s without "
-/* $OpenBSD: ssh-agent.c,v 1.239 2019/10/31 21:23:19 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.240 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
}
}
if (sk_provider != NULL) {
- if (sshkey_type_plain(k->type) != KEY_ECDSA_SK) {
+ if (!sshkey_is_sk(k)) {
error("Cannot add provider: %s is not a security key",
sshkey_type(k));
free(sk_provider);
-/* $OpenBSD: ssh-keygen.c,v 1.361 2019/11/08 03:54:02 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.362 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
case KEY_ED25519_CERT:
name = _PATH_SSH_CLIENT_ID_ED25519;
break;
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
+ name = _PATH_SSH_CLIENT_ID_ED25519_SK;
+ break;
case KEY_XMSS:
case KEY_XMSS_CERT:
name = _PATH_SSH_CLIENT_ID_XMSS;
printf("Generating public/private %s key pair.\n",
key_type_name);
if (type == KEY_ECDSA_SK) {
+ switch (type) {
+ case KEY_ECDSA_SK:
+ case KEY_ED25519_SK:
#ifndef ENABLE_SK
fatal("Security key support was disabled at compile time");
#else /* ENABLE_SK */
- if (sshsk_enroll(sk_provider,
- cert_key_id == NULL ? "ssh:" : cert_key_id,
- sk_flags, NULL, &private, NULL) != 0)
- exit(1); /* error message already printed */
+ if (sshsk_enroll(type, sk_provider,
+ cert_key_id == NULL ? "ssh:" : cert_key_id,
+ sk_flags, NULL, &private, NULL) != 0)
+ exit(1); /* error message already printed */
+ break;
#endif /* ENABLE_SK */
- } else if ((r = sshkey_generate(type, bits, &private)) != 0)
- fatal("sshkey_generate failed");
+ default:
+ if ((r = sshkey_generate(type, bits, &private)) != 0)
+ fatal("sshkey_generate failed");
+ break;
+ }
if ((r = sshkey_from_private(private, &public)) != 0)
fatal("sshkey_from_private failed: %s\n", ssh_err(r));
-/* $OpenBSD: ssh-sk-helper.c,v 1.2 2019/11/12 19:30:50 markus Exp $ */
+/* $OpenBSD: ssh-sk-helper.c,v 1.3 2019/11/12 19:33:08 markus Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
if ((r = sshbuf_froms(req, &kbuf)) != 0 ||
(r = sshkey_private_deserialize(kbuf, &key)) != 0)
fatal("Unable to parse key: %s", ssh_err(r));
- if (sshkey_type_plain(key->type) != KEY_ECDSA_SK)
+ if (!sshkey_is_sk(key))
fatal("Unsupported key type %s", sshkey_ssh_name(key));
if ((r = sshbuf_get_cstring(req, &provider, NULL)) != 0 ||
-/* $OpenBSD: sshconnect.c,v 1.321 2019/10/31 21:20:38 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.322 2019/11/12 19:33:08 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
close(auth_sock);
return;
}
- if (sshkey_type_plain(private->type) == KEY_ECDSA_SK)
+ if (sshkey_is_sk(private))
skprovider = options.sk_provider;
if ((r = ssh_add_identity_constrained(auth_sock, private, comment, 0,
(options.add_keys_to_agent == 3), 0, skprovider)) == 0)
-/* $OpenBSD: sshconnect2.c,v 1.310 2019/10/31 21:23:19 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.311 2019/11/12 19:33:08 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
if (id->key) {
if ((id->key->flags & SSHKEY_FLAG_EXT) != 0)
note = " token";
- else if (sshkey_type_plain(id->key->type) == KEY_ECDSA_SK)
+ else if (sshkey_is_sk(id->key))
note = " security-key";
}
xasprintf(&ret, "%s %s%s%s%s%s%s",
quit = 1;
break;
}
- if (private != NULL &&
- sshkey_type_plain(private->type) == KEY_ECDSA_SK &&
+ if (private != NULL && sshkey_is_sk(private) &&
options.sk_provider == NULL) {
debug("key \"%s\" is a security key, but no "
"provider specified", id->filename);
options.identity_files[i]);
continue;
}
- if (key && sshkey_type_plain(key->type) == KEY_ECDSA_SK &&
- options.sk_provider == NULL) {
+ if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
debug("%s: ignoring security key %s as no "
"SecurityKeyProvider has been specified",
__func__, options.identity_files[i]);
options.identity_files[i]);
continue;
}
- if (key && sshkey_type_plain(key->type) == KEY_ECDSA_SK &&
- options.sk_provider == NULL) {
+ if (key && sshkey_is_sk(key) && options.sk_provider == NULL) {
debug("%s: ignoring security key certificate %s as no "
"SecurityKeyProvider has been specified",
__func__, options.identity_files[i]);
-/* $OpenBSD: sshkey.c,v 1.89 2019/11/12 19:31:18 markus Exp $ */
+/* $OpenBSD: sshkey.c,v 1.90 2019/11/12 19:33:08 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
{ "ssh-ed25519", "ED25519", NULL, KEY_ED25519, 0, 0, 0 },
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL,
KEY_ED25519_CERT, 0, 1, 0 },
+ { "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL,
+ KEY_ED25519_SK, 0, 0, 0 },
+ { "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL,
+ KEY_ED25519_SK_CERT, 0, 1, 0 },
#ifdef WITH_XMSS
{ "ssh-xmss@openssh.com", "XMSS", NULL, KEY_XMSS, 0, 0, 0 },
{ "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL,
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
case KEY_XMSS:
case KEY_XMSS_CERT:
return 256; /* XXX */
case KEY_ECDSA:
case KEY_ECDSA_SK:
case KEY_ED25519:
+ case KEY_ED25519_SK:
case KEY_XMSS:
return 1;
default:
return sshkey_type_is_cert(k->type);
}
+int
+sshkey_is_sk(const struct sshkey *k)
+{
+ if (k == NULL)
+ return 0;
+ switch (sshkey_type_plain(k->type)) {
+ case KEY_ECDSA_SK:
+ case KEY_ED25519_SK:
+ return 1;
+ default:
+ return 0;
+ }
+}
+
/* Return the cert-less equivalent to a certified key type */
int
sshkey_type_plain(int type)
return KEY_ECDSA_SK;
case KEY_ED25519_CERT:
return KEY_ED25519;
+ case KEY_ED25519_SK_CERT:
+ return KEY_ED25519_SK;
case KEY_XMSS_CERT:
return KEY_XMSS;
default:
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
case KEY_XMSS:
case KEY_XMSS_CERT:
/* no need to prealloc */
break;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
+ free(k->sk_application);
+ sshbuf_free(k->sk_key_handle);
+ sshbuf_free(k->sk_reserved);
+ /* FALLTHROUGH */
case KEY_ED25519:
case KEY_ED25519_CERT:
freezero(k->ed25519_pk, ED25519_PK_SZ);
return 1;
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
+ if (a->sk_application == NULL || b->sk_application == NULL)
+ return 0;
+ if (strcmp(a->sk_application, b->sk_application) != 0)
+ return 0;
+ /* FALLTHROUGH */
case KEY_ED25519:
case KEY_ED25519_CERT:
return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
break;
#endif /* WITH_OPENSSL */
case KEY_ED25519:
+ case KEY_ED25519_SK:
if (key->ed25519_pk == NULL)
return SSH_ERR_INVALID_ARGUMENT;
if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
(ret = sshbuf_put_string(b,
key->ed25519_pk, ED25519_PK_SZ)) != 0)
return ret;
+ if (type == KEY_ED25519_SK) {
+ if ((ret = sshbuf_put_cstring(b,
+ key->sk_application)) != 0)
+ return ret;
+ }
break;
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_ECDSA:
case KEY_ECDSA_SK:
case KEY_ED25519:
+ case KEY_ED25519_SK:
case KEY_DSA_CERT:
case KEY_ECDSA_CERT:
case KEY_ECDSA_SK_CERT:
case KEY_RSA_CERT:
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
#ifdef WITH_XMSS
case KEY_XMSS:
case KEY_XMSS_CERT:
/* XXX */
#endif
break;
+ case KEY_ED25519_SK:
+ freezero(ret->ed25519_pk, ED25519_PK_SZ);
+ ret->ed25519_pk = k->ed25519_pk;
+ ret->sk_application = k->sk_application;
+ k->ed25519_pk = NULL;
+ k->sk_application = NULL;
+ break;
#ifdef WITH_XMSS
case KEY_XMSS:
free(ret->xmss_pk);
#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK:
+ case KEY_ED25519_SK_CERT:
if (k->ed25519_pk != NULL) {
if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
}
memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
}
+ if (k->type != KEY_ED25519_SK &&
+ k->type != KEY_ED25519_SK_CERT)
+ break;
+ /* Append security-key application string */
+ if ((n->sk_application = strdup(k->sk_application)) == NULL)
+ goto out;
break;
#ifdef WITH_XMSS
case KEY_XMSS:
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
case KEY_ED25519_CERT:
+ case KEY_ED25519_SK_CERT:
/* Skip nonce */
if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
ret = SSH_ERR_INVALID_FORMAT;
}
/* FALLTHROUGH */
case KEY_ED25519:
+ case KEY_ED25519_SK:
if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
goto out;
if (len != ED25519_PK_SZ) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
+ if (type == KEY_ED25519_SK || type == KEY_ED25519_SK_CERT) {
+ /* Parse additional security-key application string */
+ if (sshbuf_get_cstring(b, &key->sk_application,
+ NULL) != 0) {
+ ret = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+#ifdef DEBUG_PK
+ fprintf(stderr, "App: %s\n", key->sk_application);
+#endif
+ }
key->ed25519_pk = pk;
pk = NULL;
break;
newtype = KEY_ECDSA_SK_CERT;
break;
#endif /* WITH_OPENSSL */
+ case KEY_ED25519_SK:
+ newtype = KEY_ED25519_SK_CERT;
+ break;
case KEY_ED25519:
newtype = KEY_ED25519_CERT;
break;
ED25519_SK_SZ)) != 0)
goto out;
break;
+ case KEY_ED25519_SK:
+ if ((r = sshbuf_put_string(b, key->ed25519_pk,
+ ED25519_PK_SZ)) != 0 ||
+ (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
+ (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
+ (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
+ (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
+ goto out;
+ break;
+ case KEY_ED25519_SK_CERT:
+ if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
+ r = SSH_ERR_INVALID_ARGUMENT;
+ goto out;
+ }
+ if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
+ (r = sshbuf_put_string(b, key->ed25519_pk,
+ ED25519_PK_SZ)) != 0 ||
+ (r = sshbuf_put_cstring(b, key->sk_application)) != 0 ||
+ (r = sshbuf_put_u8(b, key->sk_flags)) != 0 ||
+ (r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 ||
+ (r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
+ goto out;
+ break;
#ifdef WITH_XMSS
case KEY_XMSS:
if (key->xmss_name == NULL) {
k->ed25519_sk = ed25519_sk;
ed25519_pk = ed25519_sk = NULL; /* transferred */
break;
+ case KEY_ED25519_SK:
+ if ((k = sshkey_new(type)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
+ goto out;
+ if (pklen != ED25519_PK_SZ) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ if ((k->sk_key_handle = sshbuf_new()) == NULL ||
+ (k->sk_reserved = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_get_cstring(buf, &k->sk_application,
+ NULL)) != 0 ||
+ (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
+ (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
+ (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
+ goto out;
+ k->ed25519_pk = ed25519_pk;
+ ed25519_pk = NULL;
+ break;
+ case KEY_ED25519_SK_CERT:
+ if ((r = sshkey_froms(buf, &k)) != 0 ||
+ (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
+ goto out;
+ if (k->type != type) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ if (pklen != ED25519_PK_SZ) {
+ r = SSH_ERR_INVALID_FORMAT;
+ goto out;
+ }
+ if ((k->sk_key_handle = sshbuf_new()) == NULL ||
+ (k->sk_reserved = sshbuf_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ if ((r = sshbuf_get_cstring(buf, &k->sk_application,
+ NULL)) != 0 ||
+ (r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 ||
+ (r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 ||
+ (r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
+ goto out;
+ k->ed25519_pk = ed25519_pk;
+ ed25519_pk = NULL; /* transferred */
+ break;
#ifdef WITH_XMSS
case KEY_XMSS:
if ((k = sshkey_new(type)) == NULL) {
break; /* see below */
#endif /* WITH_OPENSSL */
case KEY_ED25519:
+ case KEY_ED25519_SK:
#ifdef WITH_XMSS
case KEY_XMSS:
#endif /* WITH_XMSS */
-/* $OpenBSD: sshkey.h,v 1.37 2019/11/12 19:29:25 markus Exp $ */
+/* $OpenBSD: sshkey.h,v 1.38 2019/11/12 19:33:08 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
/* KEY_ECDSA and KEY_ECDSA_SK */
int ecdsa_nid; /* NID of curve */
EC_KEY *ecdsa;
- /* KEY_ED25519 */
+ /* KEY_ED25519 and KEY_ED25519_SK */
u_char *ed25519_sk;
u_char *ed25519_pk;
/* KEY_XMSS */
void *xmss_state; /* depends on xmss_name, opaque */
u_char *xmss_sk;
u_char *xmss_pk;
- /* KEY_ECDSA_SK */
+ /* KEY_ECDSA_SK and KEY_ED25519_SK */
char *sk_application;
uint8_t sk_flags;
struct sshbuf *sk_key_handle;
int sshkey_type_from_name(const char *);
int sshkey_is_cert(const struct sshkey *);
+int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
int sshkey_to_certified(struct sshkey *);
projects / thirdparty / openssh-portable.git / commitdiff
