Diffstat (limited to 'sk-usbhid.c')
-rw-r--r-- | sk-usbhid.c | 37 |
1 files changed, 34 insertions, 3 deletions
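--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -24,6 +24,9 @@
 #include <stdio.h>
 #include <stddef.h>
 #include <stdarg.h>
+#ifdef HAVE_SHA2_H
+#include <sha2.h>
+#endif
 
 #ifdef WITH_OPENSSL
 #include <openssl/opensslv.h>
@@ -31,6 +34,7 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
+#include <openssl/evp.h>
 #endif /* WITH_OPENSSL */
 
 #include <fido.h>
@@ -710,8 +714,28 @@ check_sign_load_resident_options(struct sk_option **options, char **devicep)
 return 0;
 }
 
+/* Calculate SHA256(m) */
+static int
+sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
+{
+#ifdef WITH_OPENSSL
+u_int mdlen;
+#endif
+
+if (dlen != 32)
+return -1;
+#ifdef WITH_OPENSSL
+mdlen = dlen;
+if (!EVP_Digest(m, mlen, d, &mdlen, EVP_sha256(), NULL))
+return -1;
+#else
+SHA256Data(m, mlen, d);
+#endif
+return 0;
+}
+
 int
-sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
+sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
 const char *application,
 const uint8_t *key_handle, size_t key_handle_len,
 uint8_t flags, const char *pin, struct sk_option **options,
@@ -721,6 +745,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
 char *device = NULL;
 fido_dev_t *dev = NULL;
 struct sk_sign_response *response = NULL;
+uint8_t message[32];
 int ret = SSH_SK_ERR_GENERAL;
 int r;
 
@@ -735,7 +760,12 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
 *sign_response = NULL;
 if (check_sign_load_resident_options(options, &device) != 0)
 goto out; /* error already logged */
-if ((dev = find_device(device, message, message_len,
+/* hash data to be signed before it goes to the security key */
+if ((r = sha256_mem(data, datalen, message, sizeof(message))) != 0) {
+skdebug(__func__, "hash message failed");
+goto out;
+}
+if ((dev = find_device(device, message, sizeof(message),
 application, key_handle, key_handle_len)) == NULL) {
 skdebug(__func__, "couldn't find device for key handle");
 goto out;
@@ -745,7 +775,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
 goto out;
 }
 if ((r = fido_assert_set_clientdata_hash(assert, message,
-message_len)) != FIDO_OK) {
+sizeof(message))) != FIDO_OK) {
 skdebug(__func__, "fido_assert_set_clientdata_hash: %s",
 fido_strerr(r));
 goto out;
@@ -783,6 +813,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
 response = NULL;
 ret = 0;
 out:
+explicit_bzero(message, sizeof(message));
 free(device);
 if (response != NULL) {
 free(response->sig_r);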
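Review bot: In the non-OpenSSL branch of sha256_mem(), `SHA256Data(m, mlen, d)` does not look right for a 32-byte output buffer. In the OpenBSD-style sha2.h API that helper writes the digest as a NUL-terminated hex string (SHA256_DIGEST_STRING_LENGTH bytes), not 32 raw bytes. If that is the API picked up here, the call would write past `message[32]` in sk_sign() and the authenticator would be handed something other than SHA256(data). The raw digest needs the context form, `SHA256Init(&ctx); SHA256Update(&ctx, m, mlen); SHA256Final(d, &ctx);`, with an `SHA2_CTX ctx;` declared under an `#else` beside `mdlen`. The body of sk_sign() continues outside the hunks shown, so how `data` is used later in the function cannot be checked from here.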