[openssh-commits] [openssh] 03/03: upstream: use libfido2 1.8.0+ fido_assert_set_clientdata() instead
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Feb 7 12:35:55 AEDT 2022
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit d6b5aa08fdcf9b527f8b8f932432941d5b76b7ab
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Feb 7 01:25:12 2022 +0000
upstream: use libfido2 1.8.0+ fido_assert_set_clientdata() instead
of manually hashing data outselves. Saves a fair bit of code and makes life
easier for some -portable platforms.
OpenBSD-Commit-ID: 351dfaaa5ab1ee928c0e623041fca28078cff0e0
---
configure.ac | 1 +
sk-usbhid.c | 61 ++++++++++++++++++++++++++++++++----------------------------
2 files changed, 34 insertions(+), 28 deletions(-)
diff --git a/configure.ac b/configure.ac
index eb265143..f2a4aa12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3232,6 +3232,7 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
AC_CHECK_FUNCS([ \
fido_cred_prot \
fido_cred_set_prot \
+ fido_cred_set_clientdata \
fido_dev_get_touch_begin \
fido_dev_get_touch_status \
fido_dev_supports_cred_prot \
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 7e4d1d55..d01dd292 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.37 2021/12/07 22:06:45 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.38 2022/02/07 01:25:12 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl
* Copyright (c) 2020 Pedro Martelletto
@@ -312,6 +312,7 @@ sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx)
return 0;
}
+#ifndef HAVE_FIDO_CRED_SET_CLIENTDATA
/* Calculate SHA256(m) */
static int
sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
@@ -336,26 +337,42 @@ sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
return 0;
}
+int
+fido_cred_set_clientdata(fido_cred_t *cred, const u_char *ptr, size_t len)
+{
+ uint8_t d[32];
+ int r;
+
+ if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
+ skdebug(__func__, "hash challenge failed");
+ return FIDO_ERR_INTERNAL;
+ }
+ r = fido_cred_set_clientdata_hash(cred, d, sizeof(d));
+ explicit_bzero(d, sizeof(d));
+ if (r != FIDO_OK) {
+ skdebug(__func__, "fido_cred_set_clientdata_hash failed: %s",
+ fido_strerr(r));
+ }
+ return r;
+}
+#endif /* HAVE_FIDO_CRED_SET_CLIENTDATA */
+
/* Check if the specified key handle exists on a given sk. */
static int
sk_try(const struct sk_usbhid *sk, const char *application,
const uint8_t *key_handle, size_t key_handle_len)
{
fido_assert_t *assert = NULL;
- /* generate an invalid signature on FIDO2 tokens */
- const char *data = "";
- uint8_t message[32];
int r = FIDO_ERR_INTERNAL;
+ uint8_t message[32];
- if (sha256_mem(data, strlen(data), message, sizeof(message)) != 0) {
- skdebug(__func__, "hash message failed");
- goto out;
- }
+ memset(message, '\0', sizeof(message));
if ((assert = fido_assert_new()) == NULL) {
skdebug(__func__, "fido_assert_new failed");
goto out;
}
- if ((r = fido_assert_set_clientdata_hash(assert, message,
+ /* generate an invalid signature on FIDO2 tokens */
+ if ((r = fido_assert_set_clientdata(assert, message,
sizeof(message))) != FIDO_OK) {
skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
fido_strerr(r));
@@ -730,7 +747,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
{
fido_cred_t *cred = NULL;
const uint8_t *ptr;
- uint8_t user_id[32], chall_hash[32];
+ uint8_t user_id[32];
struct sk_usbhid *sk = NULL;
struct sk_enroll_response *response = NULL;
size_t len;
@@ -784,14 +801,9 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
goto out;
}
- if (sha256_mem(challenge, challenge_len,
- chall_hash, sizeof(chall_hash)) != 0) {
- skdebug(__func__, "hash challenge failed");
- goto out;
- }
- if ((r = fido_cred_set_clientdata_hash(cred, chall_hash,
- sizeof(chall_hash))) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
+ if ((r = fido_cred_set_clientdata(cred,
+ challenge, challenge_len)) != FIDO_OK) {
+ skdebug(__func__, "fido_cred_set_clientdata: %s",
fido_strerr(r));
goto out;
}
@@ -1048,7 +1060,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
char *device = NULL;
struct sk_usbhid *sk = NULL;
struct sk_sign_response *response = NULL;
- uint8_t message[32];
int ret = SSH_SK_ERR_GENERAL, internal_uv;
int r;
@@ -1061,11 +1072,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
*sign_response = NULL;
if (check_sign_load_resident_options(options, &device) != 0)
goto out; /* error already logged */
- /* hash data to be signed before it goes to the security key */
- if ((r = sha256_mem(data, datalen, message, sizeof(message))) != 0) {
- skdebug(__func__, "hash message failed");
- goto out;
- }
if (device != NULL)
sk = sk_open(device);
else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))
@@ -1081,9 +1087,9 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
skdebug(__func__, "fido_assert_new failed");
goto out;
}
- if ((r = fido_assert_set_clientdata_hash(assert, message,
- sizeof(message))) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
+ if ((r = fido_assert_set_clientdata(assert,
+ data, datalen)) != FIDO_OK) {
+ skdebug(__func__, "fido_assert_set_clientdata: %s",
fido_strerr(r));
goto out;
}
@@ -1136,7 +1142,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
response = NULL;
ret = 0;
out:
- explicit_bzero(message, sizeof(message));
free(device);
if (response != NULL) {
free(response->sig_r);
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list