Expand native auth and benchmark gates
This commit is contained in:
+59
-21
@@ -1,6 +1,6 @@
|
||||
use crate::native::{
|
||||
ForwardingRequest, NativeClientHello, NativeServerHello, NativeUserAuth,
|
||||
parse_ssh_ed25519_public_blob, user_auth_transcript,
|
||||
is_supported_user_key_algorithm, parse_ssh_ed25519_public_blob, user_auth_transcript,
|
||||
};
|
||||
use anyhow::{Context, Result, anyhow, bail};
|
||||
use std::io::{Read, Write};
|
||||
@@ -12,12 +12,16 @@ const SSH2_AGENTC_REQUEST_IDENTITIES: u8 = 11;
|
||||
const SSH2_AGENT_IDENTITIES_ANSWER: u8 = 12;
|
||||
const SSH2_AGENTC_SIGN_REQUEST: u8 = 13;
|
||||
const SSH2_AGENT_SIGN_RESPONSE: u8 = 14;
|
||||
const SSH_AGENT_RSA_SHA2_512: u32 = 4;
|
||||
const MAX_AGENT_PACKET: usize = 256 * 1024;
|
||||
|
||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||
pub struct AgentIdentity {
|
||||
pub key_blob: Vec<u8>,
|
||||
pub public_key: [u8; 32],
|
||||
pub public_key_algorithm: String,
|
||||
pub public_key: Vec<u8>,
|
||||
pub sign_algorithm: String,
|
||||
pub sign_flags: u32,
|
||||
pub comment: String,
|
||||
}
|
||||
|
||||
@@ -38,13 +42,13 @@ pub fn sign_user_auth_with_agent_at(
|
||||
) -> Result<NativeUserAuth> {
|
||||
let mut agent = UnixStream::connect(socket_path.as_ref())
|
||||
.with_context(|| format!("connect ssh-agent {}", socket_path.as_ref().display()))?;
|
||||
let identities = request_ed25519_identities(&mut agent)?;
|
||||
let identities = request_supported_identities(&mut agent)?;
|
||||
let identity = identities
|
||||
.first()
|
||||
.ok_or_else(|| anyhow!("ssh-agent has no ssh-ed25519 identities"))?;
|
||||
.ok_or_else(|| anyhow!("ssh-agent has no supported identities"))?;
|
||||
let mut auth = NativeUserAuth {
|
||||
public_key_algorithm: "ssh-ed25519".to_string(),
|
||||
public_key: identity.public_key.to_vec(),
|
||||
public_key_algorithm: identity.sign_algorithm.clone(),
|
||||
public_key: identity.public_key.clone(),
|
||||
signature: Vec::new(),
|
||||
requested_forwardings,
|
||||
};
|
||||
@@ -54,7 +58,7 @@ pub fn sign_user_auth_with_agent_at(
|
||||
Ok(auth)
|
||||
}
|
||||
|
||||
fn request_ed25519_identities(agent: &mut UnixStream) -> Result<Vec<AgentIdentity>> {
|
||||
fn request_supported_identities(agent: &mut UnixStream) -> Result<Vec<AgentIdentity>> {
|
||||
write_agent_packet(agent, &[SSH2_AGENTC_REQUEST_IDENTITIES])?;
|
||||
let payload = read_agent_packet(agent)?;
|
||||
let mut cursor = payload.as_slice();
|
||||
@@ -72,18 +76,49 @@ fn request_ed25519_identities(agent: &mut UnixStream) -> Result<Vec<AgentIdentit
|
||||
for _ in 0..count {
|
||||
let key_blob = read_ssh_string(&mut cursor)?.to_vec();
|
||||
let comment = String::from_utf8_lossy(read_ssh_string(&mut cursor)?).to_string();
|
||||
if let Ok(public_key) = parse_ssh_ed25519_public_blob(&key_blob) {
|
||||
identities.push(AgentIdentity {
|
||||
key_blob,
|
||||
public_key,
|
||||
comment,
|
||||
});
|
||||
if let Some(identity) = supported_identity(key_blob, comment)? {
|
||||
identities.push(identity);
|
||||
}
|
||||
}
|
||||
anyhow::ensure!(cursor.is_empty(), "trailing data in ssh-agent identities");
|
||||
Ok(identities)
|
||||
}
|
||||
|
||||
fn supported_identity(key_blob: Vec<u8>, comment: String) -> Result<Option<AgentIdentity>> {
|
||||
let algorithm = key_blob_algorithm(&key_blob)?;
|
||||
if !is_supported_user_key_algorithm(&algorithm) {
|
||||
return Ok(None);
|
||||
}
|
||||
let identity = match algorithm.as_str() {
|
||||
"ssh-ed25519" => AgentIdentity {
|
||||
public_key_algorithm: algorithm.clone(),
|
||||
public_key: parse_ssh_ed25519_public_blob(&key_blob)?.to_vec(),
|
||||
sign_algorithm: "ssh-ed25519".to_string(),
|
||||
sign_flags: 0,
|
||||
key_blob,
|
||||
comment,
|
||||
},
|
||||
"ecdsa-sha2-nistp256" => AgentIdentity {
|
||||
public_key_algorithm: algorithm.clone(),
|
||||
public_key: key_blob.clone(),
|
||||
sign_algorithm: algorithm,
|
||||
sign_flags: 0,
|
||||
key_blob,
|
||||
comment,
|
||||
},
|
||||
"ssh-rsa" => AgentIdentity {
|
||||
public_key_algorithm: algorithm,
|
||||
public_key: key_blob.clone(),
|
||||
sign_algorithm: "rsa-sha2-512".to_string(),
|
||||
sign_flags: SSH_AGENT_RSA_SHA2_512,
|
||||
key_blob,
|
||||
comment,
|
||||
},
|
||||
_ => return Ok(None),
|
||||
};
|
||||
Ok(Some(identity))
|
||||
}
|
||||
|
||||
fn sign_with_agent(
|
||||
agent: &mut UnixStream,
|
||||
identity: &AgentIdentity,
|
||||
@@ -93,7 +128,7 @@ fn sign_with_agent(
|
||||
request.push(SSH2_AGENTC_SIGN_REQUEST);
|
||||
write_ssh_string(&mut request, &identity.key_blob);
|
||||
write_ssh_string(&mut request, transcript);
|
||||
request.extend_from_slice(&0u32.to_be_bytes());
|
||||
request.extend_from_slice(&identity.sign_flags.to_be_bytes());
|
||||
write_agent_packet(agent, &request)?;
|
||||
|
||||
let payload = read_agent_packet(agent)?;
|
||||
@@ -114,20 +149,17 @@ fn sign_with_agent(
|
||||
|
||||
let mut signature_cursor = signature_blob;
|
||||
let algorithm = read_ssh_string(&mut signature_cursor)?;
|
||||
let algorithm = String::from_utf8_lossy(algorithm);
|
||||
anyhow::ensure!(
|
||||
algorithm == b"ssh-ed25519",
|
||||
"ssh-agent returned unsupported signature algorithm {}",
|
||||
String::from_utf8_lossy(algorithm)
|
||||
algorithm == identity.sign_algorithm,
|
||||
"ssh-agent returned signature algorithm {algorithm}, expected {}",
|
||||
identity.sign_algorithm
|
||||
);
|
||||
let signature = read_ssh_string(&mut signature_cursor)?;
|
||||
anyhow::ensure!(
|
||||
signature_cursor.is_empty(),
|
||||
"trailing data in ssh-agent signature blob"
|
||||
);
|
||||
anyhow::ensure!(
|
||||
signature.len() == 64,
|
||||
"ssh-agent Ed25519 signature was not 64 bytes"
|
||||
);
|
||||
Ok(signature.to_vec())
|
||||
}
|
||||
|
||||
@@ -182,6 +214,12 @@ fn write_ssh_string(out: &mut Vec<u8>, value: &[u8]) {
|
||||
out.extend_from_slice(value);
|
||||
}
|
||||
|
||||
fn key_blob_algorithm(blob: &[u8]) -> Result<String> {
|
||||
let mut cursor = blob;
|
||||
let algorithm = read_ssh_string(&mut cursor)?;
|
||||
Ok(String::from_utf8_lossy(algorithm).to_string())
|
||||
}
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use super::*;
|
||||
|
||||
Reference in New Issue
Block a user