[openssh-commits] [openssh] 01/01: upstream: Hash challenge supplied by client during FIDO key enrollment

git+noreply at mindrot.org
Mon May 31 16:50:06 AEST 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 59a194825f12fff8a7f75d91bf751ea17645711b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon May 31 06:48:42 2021 +0000

    upstream: Hash challenge supplied by client during FIDO key enrollment
    
    prior to passing it to libfido2, which does expect a hash.
    
    There is no effect for users who are simply generating FIDO keys using
    ssh-keygen - by default we generate a random 256 bit challenge, but
    people building attestation workflows around our tools should now have
    a more consistent experience (esp. fewer failures when they fail to
    guess the magic 32-byte challenge length requirement).
    
    ok markus@
    
    OpenBSD-Commit-ID: b8d5363a6a7ca3b23dc28f3ca69470472959f2b5
---
 sk-usbhid.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/sk-usbhid.c b/sk-usbhid.c
index c85b9857..43898088 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.29 2021/02/18 02:15:07 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.30 2021/05/31 06:48:42 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -669,7 +669,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 {
 	fido_cred_t *cred = NULL;
 	const uint8_t *ptr;
-	uint8_t user_id[32];
+	uint8_t user_id[32], chall_hash[32];
 	struct sk_usbhid *sk = NULL;
 	struct sk_enroll_response *response = NULL;
 	size_t len;
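Review bot: `chall_hash[32]` in `uint8_t user_id[32], chall_hash[32];` hard-codes the SHA-256 digest length as a bare literal; since the hashing call site below already passes `sizeof(chall_hash)` to `sha256_mem()`, consider sizing the buffer with whatever digest-length constant that routine exposes so the two cannot drift apart. No functional concern with the declaration itself.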
@@ -721,8 +721,13 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
 		goto out;
 	}
-	if ((r = fido_cred_set_clientdata_hash(cred, challenge,
-	    challenge_len)) != FIDO_OK) {
+	if (sha256_mem(challenge, challenge_len,
+	    chall_hash, sizeof(chall_hash)) != 0) {
+		skdebug(__func__, "hash challenge failed");
+		goto out;
+	}
+	if ((r = fido_cred_set_clientdata_hash(cred, chall_hash,
+	    sizeof(chall_hash))) != FIDO_OK) {
 		skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
 		    fido_strerr(r));
 		goto out;
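Review bot: the new failure branch after `sha256_mem(challenge, challenge_len, chall_hash, sizeof(chall_hash)) != 0` jumps to `out` without assigning `r`, unlike the neighbouring `fido_cred_set_clientdata_hash` branch; at that point `r` still holds `FIDO_OK` from the preceding `fido_cred_set_type` call, so confirm that the status returned at `out:` is not derived from `r`, otherwise a hashing failure would surface as success. Separately, the diffstat touches only `sk-usbhid.c`: since the value bound into the credential is now SHA-256 of the caller's challenge rather than the raw bytes, the attestation-facing description of the challenge should be updated to say that verifiers reconstruct clientDataHash as SHA-256(challenge).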

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
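The commit message says that attestation workflows built around ssh-keygen must now account for the challenge being hashed before it reaches libfido2. The following is an added example (not OpenSSH or libfido2 code) showing the verifier-side consequence: it reproduces the post-commit clientDataHash, the pre-commit behaviour that only accepted a 32-byte value, and a small helper that tells which of the two semantics an existing attestation was produced under. Assumptions not taken from the page: the attestation signature covers `authenticatorData || clientDataHash` (the CTAP2/WebAuthn makeCredential layout), all function names are mine, and the sample authenticator data and challenge are constructed values, not real attestation output.

```python
import hashlib
import os
from typing import Optional

SHA256_LEN = 32  # libfido2's clientDataHash is exactly one SHA-256 digest


def client_data_hash(challenge: bytes) -> bytes:
    """Post-commit behaviour of sk_enroll(): libfido2 receives
    SHA-256(challenge), so any challenge length is accepted."""
    return hashlib.sha256(challenge).digest()


def legacy_client_data_hash(challenge: bytes) -> bytes:
    """Pre-commit behaviour: the raw challenge was handed to
    fido_cred_set_clientdata_hash(), so it had to be exactly 32 bytes
    or enrollment failed (the 'magic 32-byte' requirement)."""
    if len(challenge) != SHA256_LEN:
        raise ValueError(
            f"libfido2 expects a {SHA256_LEN}-byte clientDataHash, "
            f"got {len(challenge)} bytes")
    return challenge


def attestation_signed_data(authenticator_data: bytes, challenge: bytes,
                            legacy: bool = False) -> bytes:
    """Bytes the authenticator's attestation signature covers.

    Assumption (CTAP2/WebAuthn makeCredential layout, not from the commit):
    the signature is over authenticatorData || clientDataHash, so a verifier
    must reproduce clientDataHash exactly as the enrolling middleware did."""
    if legacy:
        cdh = legacy_client_data_hash(challenge)
    else:
        cdh = client_data_hash(challenge)
    return authenticator_data + cdh


def classify_challenge_binding(authenticator_data: bytes, challenge: bytes,
                               signed_data: bytes) -> Optional[str]:
    """Given the challenge a workflow supplied and the byte string an
    attestation signature was found to verify over, report which middleware
    semantics produced it: 'sha256' (this commit onward), 'raw' (pre-commit,
    only possible for a 32-byte challenge) or None if neither matches.
    Useful when a verifier has to accept enrollments from both old and new
    ssh-keygen builds."""
    if signed_data == authenticator_data + client_data_hash(challenge):
        return "sha256"
    if (len(challenge) == SHA256_LEN
            and signed_data == authenticator_data + challenge):
        return "raw"
    return None


def default_keygen_challenge() -> bytes:
    """ssh-keygen's default per the commit message: a random 256-bit
    challenge.  sk_enroll() hashes this too, so a verifier handed the
    challenge must hash it rather than use it directly as clientDataHash."""
    return os.urandom(SHA256_LEN)


if __name__ == "__main__":
    # Constructed sample values, not real attestation output.
    auth_data = b"\x00" * 37
    challenge = b"enrollment-challenge-from-my-workflow"  # not 32 bytes long
    print("post-commit clientDataHash:", client_data_hash(challenge).hex())
    try:
        legacy_client_data_hash(challenge)
    except ValueError as err:
        print("pre-commit middleware would fail enrollment:", err)
    signed = attestation_signed_data(auth_data, challenge)
    print("binding:", classify_challenge_binding(auth_data, challenge, signed))
```

The practical rule this encodes: after this commit, whatever bytes a workflow passes as the challenge, the value to feed into attestation verification is their SHA-256 digest, and a 32-byte challenge is no longer special.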

