author | djm@openbsd.org <djm@openbsd.org> | 2020-09-09 03:08:01 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-09-09 13:11:34 +1000 |
commit | c76773524179cb654ff838dd43ba1ddb155bafaa (patch) | |
tree | 0e3079b760a58a670a5a5bbdca0e8eb184e34173 /sk-usbhid.c | |
parent | c1c44eeecddf093a7983bd91e70b446de789b363 (diff) |
upstream: when writing an attestation blob for a FIDO key, record all
the data needed to verify the attestation. Previously we were missing the
"authenticator data" that is included in the signature.
spotted by Ian Haken
feedback Pedro Martelletto and Ian Haken; ok markus@
OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
Diffstat (limited to 'sk-usbhid.c')
-rw-r--r-- | sk-usbhid.c | 13 |
1 files changed, 12 insertions, 1 deletions
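--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.25 2020/08/31 00:17:41 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.26 2020/09/09 03:08:01 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -822,6 +822,16 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		memcpy(response->attestation_cert, ptr, len);
 		response->attestation_cert_len = len;
 	}
+	if ((ptr = fido_cred_authdata_ptr(cred)) != NULL) {
+		len = fido_cred_authdata_len(cred);
+		debug3("%s: authdata len=%zu", __func__, len);
+		if ((response->authdata = calloc(1, len)) == NULL) {
+			skdebug(__func__, "calloc authdata failed");
+			goto out;
+		}
+		memcpy(response->authdata, ptr, len);
+		response->authdata_len = len;
+	}
 	*enroll_response = response;
 	response = NULL;
 	ret = 0;
@@ -832,6 +842,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		free(response->key_handle);
 		free(response->signature);
 		free(response->attestation_cert);
+		free(response->authdata);
 		free(response);
 	}
 	sk_close(sk);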
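Review bot: In the new authdata block of the second hunk, `len` from fido_cred_authdata_len(cred) is passed to `calloc(1, len)` without a zero check; `calloc(1, 0)` is implementation-defined, so an empty authdata would be reported as "calloc authdata failed" on platforms that return NULL and stored as a zero-byte buffer with authdata_len 0 on the others. Since the commit message says the attestation signature covers the authenticator data, an empty value cannot be used for verification anyway, so I would decide explicitly before allocating, e.g. `if (len == 0) { skdebug(__func__, "empty authdata"); goto out; }` (or skip the copy the way the NULL-pointer case already does — whichever matches how the attestation_cert block just above, outside the hunk, handles its length). A one-line comment on the block would also help later readers, e.g. `/* authenticator data is signed by the attestation key; verifiers need it alongside the cert */`. sk_enroll begins and ends outside this hunk, so the surrounding error handling was not reviewed here.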