aboutsummaryrefslogtreecommitdiff
path: root/contrib/libfido2/src/cred.c
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/libfido2/src/cred.c')
-rw-r--r--contrib/libfido2/src/cred.c45
1 files changed, 37 insertions, 8 deletions
diff --git a/contrib/libfido2/src/cred.c b/contrib/libfido2/src/cred.c
index 6da502c8d90a..4a7a7257c985 100644
--- a/contrib/libfido2/src/cred.c
+++ b/contrib/libfido2/src/cred.c
@@ -1,7 +1,8 @@
/*
- * Copyright (c) 2018-2021 Yubico AB. All rights reserved.
+ * Copyright (c) 2018-2022 Yubico AB. All rights reserved.
* Use of this source code is governed by a BSD-style
* license that can be found in the LICENSE file.
+ * SPDX-License-Identifier: BSD-2-Clause
*/
#include <openssl/sha.h>
@@ -251,7 +252,7 @@ get_signed_hash_u2f(fido_blob_t *dgst, const unsigned char *rp_id,
EVP_MD_CTX *ctx = NULL;
int ok = -1;
- if (dgst->len != SHA256_DIGEST_LENGTH ||
+ if (dgst->len < SHA256_DIGEST_LENGTH ||
(md = EVP_sha256()) == NULL ||
(ctx = EVP_MD_CTX_new()) == NULL ||
EVP_DigestInit_ex(ctx, md, NULL) != 1 ||
@@ -266,6 +267,7 @@ get_signed_hash_u2f(fido_blob_t *dgst, const unsigned char *rp_id,
fido_log_debug("%s: sha256", __func__);
goto fail;
}
+ dgst->len = SHA256_DIGEST_LENGTH;
ok = 0;
fail:
@@ -302,6 +304,9 @@ verify_attstmt(const fido_blob_t *dgst, const fido_attstmt_t *attstmt)
case COSE_ES256:
ok = es256_verify_sig(dgst, pkey, &attstmt->sig);
break;
+ case COSE_ES384:
+ ok = es384_verify_sig(dgst, pkey, &attstmt->sig);
+ break;
case COSE_RS256:
ok = rs256_verify_sig(dgst, pkey, &attstmt->sig);
break;
@@ -327,8 +332,9 @@ fail:
int
fido_cred_verify(const fido_cred_t *cred)
{
- unsigned char buf[SHA256_DIGEST_LENGTH];
+ unsigned char buf[1024]; /* XXX */
fido_blob_t dgst;
+ int cose_alg;
int r;
dgst.ptr = buf;
@@ -368,8 +374,11 @@ fido_cred_verify(const fido_cred_t *cred)
goto out;
}
+ if ((cose_alg = cred->attstmt.alg) == COSE_UNSPEC)
+ cose_alg = COSE_ES256; /* backwards compat */
+
if (!strcmp(cred->fmt, "packed")) {
- if (fido_get_signed_hash(COSE_ES256, &dgst, &cred->cdh,
+ if (fido_get_signed_hash(cose_alg, &dgst, &cred->cdh,
&cred->authdata_cbor) < 0) {
fido_log_debug("%s: fido_get_signed_hash", __func__);
r = FIDO_ERR_INTERNAL;
@@ -480,6 +489,10 @@ fido_cred_verify_self(const fido_cred_t *cred)
ok = es256_pk_verify_sig(&dgst, &cred->attcred.pubkey.es256,
&cred->attstmt.sig);
break;
+ case COSE_ES384:
+ ok = es384_pk_verify_sig(&dgst, &cred->attcred.pubkey.es384,
+ &cred->attstmt.sig);
+ break;
case COSE_RS256:
ok = rs256_pk_verify_sig(&dgst, &cred->attcred.pubkey.rs256,
&cred->attstmt.sig);
@@ -549,11 +562,10 @@ fido_cred_reset_tx(fido_cred_t *cred)
free(cred->user.icon);
free(cred->user.name);
free(cred->user.display_name);
- fido_free_blob_array(&cred->excl);
+ fido_cred_empty_exclude_list(cred);
memset(&cred->rp, 0, sizeof(cred->rp));
memset(&cred->user, 0, sizeof(cred->user));
- memset(&cred->excl, 0, sizeof(cred->excl));
memset(&cred->ext, 0, sizeof(cred->ext));
cred->type = 0;
@@ -753,6 +765,15 @@ fido_cred_exclude(fido_cred_t *cred, const unsigned char *id_ptr, size_t id_len)
}
int
+fido_cred_empty_exclude_list(fido_cred_t *cred)
+{
+ fido_free_blob_array(&cred->excl);
+ memset(&cred->excl, 0, sizeof(cred->excl));
+
+ return (FIDO_OK);
+}
+
+int
fido_cred_set_clientdata(fido_cred_t *cred, const unsigned char *data,
size_t data_len)
{
@@ -965,8 +986,10 @@ fido_cred_set_fmt(fido_cred_t *cred, const char *fmt)
int
fido_cred_set_type(fido_cred_t *cred, int cose_alg)
{
- if ((cose_alg != COSE_ES256 && cose_alg != COSE_RS256 &&
- cose_alg != COSE_EDDSA) || cred->type != 0)
+ if (cred->type != 0)
+ return (FIDO_ERR_INVALID_ARGUMENT);
+ if (cose_alg != COSE_ES256 && cose_alg != COSE_ES384 &&
+ cose_alg != COSE_RS256 && cose_alg != COSE_EDDSA)
return (FIDO_ERR_INVALID_ARGUMENT);
cred->type = cose_alg;
@@ -1073,6 +1096,9 @@ fido_cred_pubkey_ptr(const fido_cred_t *cred)
case COSE_ES256:
ptr = &cred->attcred.pubkey.es256;
break;
+ case COSE_ES384:
+ ptr = &cred->attcred.pubkey.es384;
+ break;
case COSE_RS256:
ptr = &cred->attcred.pubkey.rs256;
break;
@@ -1096,6 +1122,9 @@ fido_cred_pubkey_len(const fido_cred_t *cred)
case COSE_ES256:
len = sizeof(cred->attcred.pubkey.es256);
break;
+ case COSE_ES384:
+ len = sizeof(cred->attcred.pubkey.es384);
+ break;
case COSE_RS256:
len = sizeof(cred->attcred.pubkey.rs256);
break;
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-01 16:35:34 +0000