-/* $OpenBSD: sk-usbhid.c,v 1.37 2021/12/07 22:06:45 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.38 2022/02/07 01:25:12 djm Exp $ */
/*
* Copyright (c) 2019 Markus Friedl
* Copyright (c) 2020 Pedro Martelletto
#include <stdio.h>
#include <stddef.h>
#include <stdarg.h>
-#include <sha2.h>
#include <time.h>
#ifdef WITH_OPENSSL
return 0;
}
-/* Calculate SHA256(m) */
-static int
-sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
-{
-#ifdef WITH_OPENSSL
- u_int mdlen;
-#else
- SHA2_CTX ctx;
-#endif
-
- if (dlen != 32)
- return -1;
-#ifdef WITH_OPENSSL
- mdlen = dlen;
- if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))
- return -1;
-#else
- SHA256Init(&ctx);
- SHA256Update(&ctx, (const uint8_t *)m, mlen);
- SHA256Final(d, &ctx);
-#endif
- return 0;
-}
-
/* Check if the specified key handle exists on a given sk. */
static int
sk_try(const struct sk_usbhid *sk, const char *application,
const uint8_t *key_handle, size_t key_handle_len)
{
fido_assert_t *assert = NULL;
- /* generate an invalid signature on FIDO2 tokens */
- const char *data = "";
- uint8_t message[32];
int r = FIDO_ERR_INTERNAL;
+ uint8_t message[32];
- if (sha256_mem(data, strlen(data), message, sizeof(message)) != 0) {
- skdebug(__func__, "hash message failed");
- goto out;
- }
+ memset(message, '\0', sizeof(message));
if ((assert = fido_assert_new()) == NULL) {
skdebug(__func__, "fido_assert_new failed");
goto out;
}
- if ((r = fido_assert_set_clientdata_hash(assert, message,
+ /* generate an invalid signature on FIDO2 tokens */
+ if ((r = fido_assert_set_clientdata(assert, message,
sizeof(message))) != FIDO_OK) {
skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
fido_strerr(r));
{
fido_cred_t *cred = NULL;
const uint8_t *ptr;
- uint8_t user_id[32], chall_hash[32];
+ uint8_t user_id[32];
struct sk_usbhid *sk = NULL;
struct sk_enroll_response *response = NULL;
size_t len;
skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
goto out;
}
- if (sha256_mem(challenge, challenge_len,
- chall_hash, sizeof(chall_hash)) != 0) {
- skdebug(__func__, "hash challenge failed");
- goto out;
- }
- if ((r = fido_cred_set_clientdata_hash(cred, chall_hash,
- sizeof(chall_hash))) != FIDO_OK) {
- skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
+ if ((r = fido_cred_set_clientdata(cred,
+ challenge, challenge_len)) != FIDO_OK) {
+ skdebug(__func__, "fido_cred_set_clientdata: %s",
fido_strerr(r));
goto out;
}
char *device = NULL;
struct sk_usbhid *sk = NULL;
struct sk_sign_response *response = NULL;
- uint8_t message[32];
int ret = SSH_SK_ERR_GENERAL, internal_uv;
int r;
*sign_response = NULL;
if (check_sign_load_resident_options(options, &device) != 0)
goto out; /* error already logged */
- /* hash data to be signed before it goes to the security key */
- if ((r = sha256_mem(data, datalen, message, sizeof(message))) != 0) {
- skdebug(__func__, "hash message failed");
- goto out;
- }
if (device != NULL)
sk = sk_open(device);
else if (pin != NULL || (flags & SSH_SK_USER_VERIFICATION_REQD))
skdebug(__func__, "fido_assert_new failed");
goto out;
}
- if ((r = fido_assert_set_clientdata_hash(assert, message,
- sizeof(message))) != FIDO_OK) {
- skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
+ if ((r = fido_assert_set_clientdata(assert,
+ data, datalen)) != FIDO_OK) {
+ skdebug(__func__, "fido_assert_set_clientdata: %s",
fido_strerr(r));
goto out;
}
response = NULL;
ret = 0;
out:
- explicit_bzero(message, sizeof(message));
free(device);
if (response != NULL) {
free(response->sig_r);
projects / openbsd / commitdiff