diff options
Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 87 |
1 files changed, 42 insertions, 45 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.33 2020/10/18 11:32:02 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -105,11 +105,11 @@ sshsk_open(const char *path) return NULL; } if ((ret = calloc(1, sizeof(*ret))) == NULL) { - error("%s: calloc failed", __func__); + error_f("calloc failed"); return NULL; } if ((ret->path = strdup(path)) == NULL) { - error("%s: strdup failed", __func__); + error_f("strdup failed"); goto fail; } /* Skip the rest if we're using the linked in middleware */ @@ -134,8 +134,8 @@ sshsk_open(const char *path) goto fail; } version = ret->sk_api_version(); - debug("%s: provider %s implements version 0x%08lx", __func__, - ret->path, (u_long)version); + debug_f("provider %s implements version 0x%08lx", ret->path, + (u_long)version); if ((version & SSH_SK_VERSION_MAJOR_MASK) != SSH_SK_VERSION_MAJOR) { error("Provider \"%s\" implements unsupported " "version 0x%08lx (supported: 0x%08lx)", @@ -200,7 +200,7 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) *keyp = NULL; if ((key = sshkey_new(KEY_ECDSA_SK)) == NULL) { - error("%s: sshkey_new failed", __func__); + error_f("sshkey_new failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -208,17 +208,17 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid)) == NULL || (q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL || (b = sshbuf_new()) == NULL) { - error("%s: allocation failed", __func__); + error_f("allocation failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshbuf_put_string(b, resp->public_key, resp->public_key_len)) != 0) { - error("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "sshbuf_put_string"); goto out; } if ((r = sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa))) != 0) { - error("%s: parse key: %s", __func__, ssh_err(r)); + error_fr(r, "parse"); r = SSH_ERR_INVALID_FORMAT; goto out; } @@ -229,7 +229,7 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) } if (EC_KEY_set_public_key(key->ecdsa, q) != 1) { /* XXX assume it is a allocation error */ - error("%s: allocation failed", __func__); + error_f("allocation failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -253,17 +253,17 @@ sshsk_ed25519_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) *keyp = NULL; if (resp->public_key_len != ED25519_PK_SZ) { - error("%s: invalid size: %zu", __func__, resp->public_key_len); + error_f("invalid size: %zu", resp->public_key_len); r = SSH_ERR_INVALID_FORMAT; goto out; } if ((key = sshkey_new(KEY_ED25519_SK)) == NULL) { - error("%s: sshkey_new failed", __func__); + error_f("sshkey_new failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } if ((key->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) { - error("%s: malloc failed", __func__); + error_f("malloc failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -288,7 +288,7 @@ sshsk_key_from_response(int alg, const char *application, uint8_t flags, /* Check response validity */ if (resp->public_key == NULL || resp->key_handle == NULL) { - error("%s: sk_enroll response invalid", __func__); + error_f("sk_enroll response invalid"); r = SSH_ERR_INVALID_FORMAT; goto out; } @@ -304,25 +304,25 @@ sshsk_key_from_response(int alg, const char *application, uint8_t flags, goto out; break; default: - error("%s: unsupported algorithm %d", __func__, alg); + error_f("unsupported algorithm %d", alg); r = SSH_ERR_INVALID_ARGUMENT; goto out; } key->sk_flags = flags; if ((key->sk_key_handle = sshbuf_new()) == NULL || (key->sk_reserved = sshbuf_new()) == NULL) { - error("%s: allocation failed", __func__); + error_f("allocation failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } if ((key->sk_application = strdup(application)) == NULL) { - error("%s: strdup application failed", __func__); + error_f("strdup application failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshbuf_put(key->sk_key_handle, resp->key_handle, resp->key_handle_len)) != 0) { - error("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "put key handle"); goto out; } /* success */ @@ -374,18 +374,18 @@ sshsk_add_option(struct sk_option ***optsp, size_t *noptsp, if ((opts = recallocarray(opts, nopts, nopts + 2, /* extra for NULL */ sizeof(*opts))) == NULL) { - error("%s: array alloc failed", __func__); + error_f("array alloc failed"); return SSH_ERR_ALLOC_FAIL; } *optsp = opts; *noptsp = nopts + 1; if ((opts[nopts] = calloc(1, sizeof(**opts))) == NULL) { - error("%s: alloc failed", __func__); + error_f("alloc failed"); return SSH_ERR_ALLOC_FAIL; } if ((opts[nopts]->name = strdup(name)) == NULL || (opts[nopts]->value = strdup(value)) == NULL) { - error("%s: alloc failed", __func__); + error_f("alloc failed"); return SSH_ERR_ALLOC_FAIL; } opts[nopts]->required = required; @@ -438,7 +438,7 @@ fill_attestation_blob(const struct sk_enroll_response *resp, resp->authdata, resp->authdata_len)) != 0 || (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */ (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) { - error("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "compose"); return r; } /* success */ @@ -461,8 +461,8 @@ sshsk_enroll(int type, const char *provider_path, const char *device, int r = SSH_ERR_INTERNAL_ERROR; int alg; - debug("%s: provider \"%s\", device \"%s\", application \"%s\", " - "userid \"%s\", flags 0x%02x, challenge len %zu%s", __func__, + debug_f("provider \"%s\", device \"%s\", application \"%s\", " + "userid \"%s\", flags 0x%02x, challenge len %zu%s", provider_path, device, application, userid, flags, challenge_buf == NULL ? 0 : sshbuf_len(challenge_buf), (pin != NULL && *pin != '\0') ? " with-pin" : ""); @@ -484,22 +484,22 @@ sshsk_enroll(int type, const char *provider_path, const char *device, alg = SSH_SK_ED25519; break; default: - error("%s: unsupported key type", __func__); + error_f("unsupported key type"); r = SSH_ERR_INVALID_ARGUMENT; goto out; } if (provider_path == NULL) { - error("%s: missing provider", __func__); + error_f("missing provider"); r = SSH_ERR_INVALID_ARGUMENT; goto out; } if (application == NULL || *application == '\0') { - error("%s: missing application", __func__); + error_f("missing application"); r = SSH_ERR_INVALID_ARGUMENT; goto out; } if (challenge_buf == NULL) { - debug("%s: using random challenge", __func__); + debug_f("using random challenge"); arc4random_buf(randchall, sizeof(randchall)); challenge = randchall; challenge_len = sizeof(randchall); @@ -510,8 +510,7 @@ sshsk_enroll(int type, const char *provider_path, const char *device, } else { challenge = sshbuf_ptr(challenge_buf); challenge_len = sshbuf_len(challenge_buf); - debug3("%s: using explicit challenge len=%zd", - __func__, challenge_len); + debug3_f("using explicit challenge len=%zd", challenge_len); } if ((skp = sshsk_open(provider_path)) == NULL) { r = SSH_ERR_INVALID_FORMAT; /* XXX sshsk_open return code? */ @@ -521,8 +520,7 @@ sshsk_enroll(int type, const char *provider_path, const char *device, /* enroll key */ if ((r = skp->sk_enroll(alg, challenge, challenge_len, application, flags, pin, opts, &resp)) != 0) { - debug("%s: provider \"%s\" returned failure %d", __func__, - provider_path, r); + debug_f("provider \"%s\" failure %d", provider_path, r); r = skerr_to_ssherr(r); goto out; } @@ -557,7 +555,7 @@ sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) /* Check response validity */ if (resp->sig_r == NULL || resp->sig_s == NULL) { - error("%s: sk_sign response invalid", __func__); + error_f("sk_sign response invalid"); r = SSH_ERR_INVALID_FORMAT; goto out; } @@ -570,13 +568,13 @@ sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) resp->sig_r, resp->sig_r_len)) != 0 || (r = sshbuf_put_bignum2_bytes(inner_sig, resp->sig_s, resp->sig_s_len)) != 0) { - debug("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "compose inner"); goto out; } if ((r = sshbuf_put_stringb(sig, inner_sig)) != 0 || (r = sshbuf_put_u8(sig, resp->flags)) != 0 || (r = sshbuf_put_u32(sig, resp->counter)) != 0) { - debug("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "compose"); goto out; } #ifdef DEBUG_SK @@ -601,7 +599,7 @@ sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig) /* Check response validity */ if (resp->sig_r == NULL) { - error("%s: sk_sign response invalid", __func__); + error_f("sk_sign response invalid"); r = SSH_ERR_INVALID_FORMAT; goto out; } @@ -609,7 +607,7 @@ sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig) resp->sig_r, resp->sig_r_len)) != 0 || (r = sshbuf_put_u8(sig, resp->flags)) != 0 || (r = sshbuf_put_u32(sig, resp->counter)) != 0) { - debug("%s: buffer error: %s", __func__, ssh_err(r)); + error_fr(r, "compose"); goto out; } #ifdef DEBUG_SK @@ -633,7 +631,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, struct sshbuf *inner_sig = NULL, *sig = NULL; struct sk_option **opts = NULL; - debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__, + debug_f("provider \"%s\", key %s, flags 0x%02x%s", provider_path, sshkey_type(key), key->sk_flags, (pin != NULL && *pin != '\0') ? " with-pin" : ""); @@ -668,7 +666,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, if ((r = skp->sk_sign(alg, data, datalen, key->sk_application, sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), key->sk_flags, pin, opts, &resp)) != 0) { - debug("%s: sk_sign failed with code %d", __func__, r); + debug_f("sk_sign failed with code %d", r); r = skerr_to_ssherr(r); goto out; } @@ -678,7 +676,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, goto out; } if ((r = sshbuf_put_cstring(sig, sshkey_ssh_name_plain(key))) != 0) { - debug("%s: buffer error (outer): %s", __func__, ssh_err(r)); + error_fr(r, "compose outer"); goto out; } switch (type) { @@ -752,7 +750,7 @@ sshsk_load_resident(const char *provider_path, const char *device, uint8_t flags; struct sk_option **opts = NULL; - debug("%s: provider \"%s\"%s", __func__, provider_path, + debug_f("provider \"%s\"%s", provider_path, (pin != NULL && *pin != '\0') ? ", have-pin": ""); if (keysp == NULL || nkeysp == NULL) @@ -772,9 +770,8 @@ sshsk_load_resident(const char *provider_path, const char *device, goto out; } for (i = 0; i < nrks; i++) { - debug3("%s: rk %zu: slot = %zu, alg = %d, application = \"%s\"", - __func__, i, rks[i]->slot, rks[i]->alg, - rks[i]->application); + debug3_f("rk %zu: slot = %zu, alg = %d, application = \"%s\"", + i, rks[i]->slot, rks[i]->alg, rks[i]->application); /* XXX need better filter here */ if (strncmp(rks[i]->application, "ssh:", 4) != 0) continue; @@ -793,7 +790,7 @@ sshsk_load_resident(const char *provider_path, const char *device, goto out; if ((tmp = recallocarray(keys, nkeys, nkeys + 1, sizeof(*tmp))) == NULL) { - error("%s: recallocarray failed", __func__); + error_f("recallocarray failed"); r = SSH_ERR_ALLOC_FAIL; goto out; } |