diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-04-28 04:02:29 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-05-01 13:13:29 +1000 |
commit | 59d2de956ed29aa5565ed5e5947a7abdb27ac013 (patch) | |
tree | 983def72c15590c50a0319c8048b9a7d56961edf /ssh-sk.c | |
parent | c9d10dbc0ccfb1c7568bbb784f7aeb7a0b5ded12 (diff) |
upstream: when signing a challenge using a FIDO toke, perform the
hashing in the middleware layer rather than in ssh code. This allows
middlewares that call APIs that perform the hashing implicitly (including
Microsoft's AFAIK). ok markus@
OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 14 |
1 files changed, 2 insertions, 12 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-sk.c,v 1.29 2020/03/06 18:25:48 markus Exp $ */ | 1 | /* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -615,7 +615,6 @@ sshsk_sign(const char *provider_path, struct sshkey *key, | |||
615 | int type, alg; | 615 | int type, alg; |
616 | struct sk_sign_response *resp = NULL; | 616 | struct sk_sign_response *resp = NULL; |
617 | struct sshbuf *inner_sig = NULL, *sig = NULL; | 617 | struct sshbuf *inner_sig = NULL, *sig = NULL; |
618 | uint8_t message[32]; | ||
619 | struct sk_option **opts = NULL; | 618 | struct sk_option **opts = NULL; |
620 | 619 | ||
621 | debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__, | 620 | debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__, |
@@ -650,15 +649,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key, | |||
650 | goto out; | 649 | goto out; |
651 | } | 650 | } |
652 | 651 | ||
653 | /* hash data to be signed before it goes to the security key */ | 652 | if ((r = skp->sk_sign(alg, data, datalen, key->sk_application, |
654 | if ((r = ssh_digest_memory(SSH_DIGEST_SHA256, data, datalen, | ||
655 | message, sizeof(message))) != 0) { | ||
656 | error("%s: hash application failed: %s", __func__, ssh_err(r)); | ||
657 | r = SSH_ERR_INTERNAL_ERROR; | ||
658 | goto out; | ||
659 | } | ||
660 | if ((r = skp->sk_sign(alg, message, sizeof(message), | ||
661 | key->sk_application, | ||
662 | sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), | 653 | sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), |
663 | key->sk_flags, pin, opts, &resp)) != 0) { | 654 | key->sk_flags, pin, opts, &resp)) != 0) { |
664 | debug("%s: sk_sign failed with code %d", __func__, r); | 655 | debug("%s: sk_sign failed with code %d", __func__, r); |
@@ -707,7 +698,6 @@ sshsk_sign(const char *provider_path, struct sshkey *key, | |||
707 | r = 0; | 698 | r = 0; |
708 | out: | 699 | out: |
709 | sshsk_free_options(opts); | 700 | sshsk_free_options(opts); |
710 | explicit_bzero(message, sizeof(message)); | ||
711 | sshsk_free(skp); | 701 | sshsk_free(skp); |
712 | sshsk_free_sign_response(resp); | 702 | sshsk_free_sign_response(resp); |
713 | sshbuf_free(sig); | 703 | sshbuf_free(sig); |