src - OpenBSD base system

diff options


context:
space:
mode:

author	Damien Miller <djm@cvs.openbsd.org>	2022-02-07 01:25:13 +0000
committer	Damien Miller <djm@cvs.openbsd.org>	2022-02-07 01:25:13 +0000
commit	65f65b3370184247c52c7b198d62e4005cc19a17 (patch)
tree	f60a10efc2f0c063e9ef7bdd9c17e475403f9461 /usr.bin
parent	3d833436e3d62723e7c71bde000b1ad55aaa3f85 (diff)

use libfido2 1.8.0+ fido_assert_set_clientdata() instead of manually

hashing data outselves. Saves a fair bit of code and makes life easier for some -portable platforms.

Diffstat (limited to 'usr.bin')

-rw-r--r--

usr.bin/ssh/sk-usbhid.c

1 files changed, 12 insertions, 53 deletions

diff --git a/usr.bin/ssh/sk-usbhid.c b/usr.bin/ssh/sk-usbhid.c
index 6d629da7792..795a21d827d 100644
--- a/usr.bin/ssh/sk-usbhid.c
+++ b/usr.bin/ssh/sk-usbhid.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: sk-usbhid.c,v 1.37 2021/12/07 22:06:45 djm Exp $ */

+/* $OpenBSD: sk-usbhid.c,v 1.38 2022/02/07 01:25:12 djm Exp $ */

@@ -22,7 +22,6 @@

#include <stdio.h>

#include <stddef.h>

#include <stdarg.h>

-#include <sha2.h>

#include <time.h>

#ifdef WITH_OPENSSL

@@ -274,50 +273,22 @@ sk_touch_poll(struct sk_usbhid **skv, size_t nsk, int *touch, size_t *idx)

return 0;

}

-/* Calculate SHA256(m) */

-static int

-sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)

-#ifdef WITH_OPENSSL

- u_int mdlen;

-#else

- SHA2_CTX ctx;

-#endif

- if (dlen != 32)

- return -1;

-#ifdef WITH_OPENSSL

- mdlen = dlen;

- if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))

- return -1;

-#else

- SHA256Init(&ctx);

- SHA256Update(&ctx, (const uint8_t *)m, mlen);

- SHA256Final(d, &ctx);

-#endif

- return 0;

/* Check if the specified key handle exists on a given sk. */

static int

sk_try(const struct sk_usbhid *sk, const char *application,

const uint8_t *key_handle, size_t key_handle_len)

{

fido_assert_t *assert = NULL;

- /* generate an invalid signature on FIDO2 tokens */

- const char *data = "";

- uint8_t message[32];

int r = FIDO_ERR_INTERNAL;

+ uint8_t message[32];

- if (sha256_mem(data, strlen(data), message, sizeof(message)) != 0) {

- skdebug(__func__, "hash message failed");

- goto out;

- }

+ memset(message, '\0', sizeof(message));

if ((assert = fido_assert_new()) == NULL) {

skdebug(__func__, "fido_assert_new failed");

goto out;

}

- if ((r = fido_assert_set_clientdata_hash(assert, message,

+ /* generate an invalid signature on FIDO2 tokens */

+ if ((r = fido_assert_set_clientdata(assert, message,

sizeof(message))) != FIDO_OK) {

skdebug(__func__, "fido_assert_set_clientdata_hash: %s",

fido_strerr(r));

@@ -687,7 +658,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,

{

fido_cred_t *cred = NULL;

const uint8_t *ptr;

- uint8_t user_id[32], chall_hash[32];

+ uint8_t user_id[32];

struct sk_usbhid *sk = NULL;

struct sk_enroll_response *response = NULL;

size_t len;

@@ -741,14 +712,9 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,

skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));

goto out;

}

- if (sha256_mem(challenge, challenge_len,

- chall_hash, sizeof(chall_hash)) != 0) {

- skdebug(__func__, "hash challenge failed");

- goto out;

- }

- if ((r = fido_cred_set_clientdata_hash(cred, chall_hash,

- sizeof(chall_hash))) != FIDO_OK) {

- skdebug(__func__, "fido_cred_set_clientdata_hash: %s",

+ if ((r = fido_cred_set_clientdata(cred,

+ challenge, challenge_len)) != FIDO_OK) {

+ skdebug(__func__, "fido_cred_set_clientdata: %s",

fido_strerr(r));

goto out;

}

@@ -998,7 +964,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,

char *device = NULL;

struct sk_usbhid *sk = NULL;

struct sk_sign_response *response = NULL;

- uint8_t message[32];

int ret = SSH_SK_ERR_GENERAL, internal_uv;

int r;

@@ -1011,11 +976,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,

*sign_response = NULL;

if (check_sign_load_resident_options(options, &device) != 0)

goto out; /* error already logged */

- /* hash data to be signed before it goes to the security key */

- if ((r = sha256_mem(data, datalen, message, sizeof(message))) != 0) {

- skdebug(__func__, "hash message failed");

- goto out;

- }

if (device != NULL)

sk = sk_open(device);

else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))

@@ -1031,9 +991,9 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,

skdebug(__func__, "fido_assert_new failed");

goto out;

}

- if ((r = fido_assert_set_clientdata_hash(assert, message,

- sizeof(message))) != FIDO_OK) {

- skdebug(__func__, "fido_assert_set_clientdata_hash: %s",

+ if ((r = fido_assert_set_clientdata(assert,

+ data, datalen)) != FIDO_OK) {

+ skdebug(__func__, "fido_assert_set_clientdata: %s",

fido_strerr(r));

goto out;

}

@@ -1086,7 +1046,6 @@ sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,

response = NULL;

ret = 0;

out:

- explicit_bzero(message, sizeof(message));

free(device);

if (response != NULL) {

free(response->sig_r);