From 5b2db3b2319518edb2b2deb8cd8f2a4eaa810b48 Mon Sep 17 00:00:00 2001
From: Per Nilsson
Date: Tue, 12 Mar 2024 18:55:34 +0100
Subject: [PATCH] Avoid getting metadata in auth-verifyresponse
---
 lib/internal.h | 4 ++--
 lib/tests/api.c | 5 +++--
 lib/ykpiv.c | 24 +++++++++---------------
 3 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/lib/internal.h b/lib/internal.h
index 9da4719c..55c14ad8 100644
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -212,8 +212,8 @@ ykpiv_rc _ykpiv_transfer_data(
 int *sw);
 /* authentication functions not ready for public api */
-ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, uint8_t *challenge, unsigned long *challenge_len);
-ykpiv_rc ykpiv_auth_verifyresponse(ykpiv_state *state, uint8_t *response, unsigned long response_len);
+ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, ykpiv_metadata *metadata, uint8_t *challenge, unsigned long *challenge_len);
+ykpiv_rc ykpiv_auth_verifyresponse(ykpiv_state *state, ykpiv_metadata *metadata, uint8_t *response, unsigned long response_len);
 ykpiv_rc ykpiv_auth_deauthenticate(ykpiv_state *state);
 typedef enum _setting_source_t {
diff --git a/lib/tests/api.c b/lib/tests/api.c
index fb7c1a87..8919f4f9 100644
--- a/lib/tests/api.c
+++ b/lib/tests/api.c
@@ -691,7 +691,8 @@ static void test_authenticate_helper(bool full) {
 // Test external auth
 data_len = sizeof(data);
- res = ykpiv_auth_getchallenge(g_state, data, &data_len);
+ ykpiv_metadata metadata = {0};
+ res = ykpiv_auth_getchallenge(g_state, &metadata, data, &data_len);
 ck_assert_int_eq(res, YKPIV_OK);
 crc = cipher_import_key(YKPIV_ALGO_3DES, key, key_len, &cipher);
@@ -703,7 +704,7 @@ static void test_authenticate_helper(bool full) {
 crc = cipher_destroy_key(cipher);
 ck_assert_int_eq(crc, CIPHER_OK);
- res = ykpiv_auth_verifyresponse(g_state, data, data_len);
+ res = ykpiv_auth_verifyresponse(g_state, &metadata, data, data_len);
 ck_assert_int_eq(res, YKPIV_OK);
 // Metadata support implies AES support for YKPIV_KEY_CARDMGM
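Review bot: The new `metadata` parameter of `ykpiv_auth_verifyresponse` is only read (lib/ykpiv.c uses just `metadata->algorithm` for P1), so the prototype should take `const ykpiv_metadata *metadata` to make the in/out direction of the two functions visible. The declarations also gain a pairing contract that nothing documents; a comment above them such as `/* metadata is filled in by ykpiv_auth_getchallenge and must be passed unchanged to ykpiv_auth_verifyresponse */` would state it. The `const` change needs the same edit in the definition in lib/ykpiv.c.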
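Review bot: The updated calls in `test_authenticate_helper` cover only the success path with a zero-initialised `ykpiv_metadata`, so the new `NULL == metadata` guards in both functions are never exercised. Adding `ck_assert_int_eq(ykpiv_auth_getchallenge(g_state, NULL, data, &data_len), YKPIV_ARGUMENT_ERROR);` ahead of the real call, and the matching assertion for `ykpiv_auth_verifyresponse`, would pin that behaviour; both guards return before a transaction is opened, so the card state used by the rest of the test should be unaffected. The test function starts and ends outside these hunks.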
diff --git a/lib/ykpiv.c b/lib/ykpiv.c
index ca5ca142..88d550e8 100644
--- a/lib/ykpiv.c
+++ b/lib/ykpiv.c
@@ -2105,22 +2105,24 @@ ykpiv_rc ykpiv_get_metadata(ykpiv_state *state, const unsigned char key, unsigne
 return res;
 }
-ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, uint8_t *challenge, unsigned long *challenge_len) {
+ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, ykpiv_metadata *metadata, uint8_t *challenge, unsigned long *challenge_len) {
 ykpiv_rc res;
 if (NULL == state) return YKPIV_ARGUMENT_ERROR;
+ if (NULL == metadata) return YKPIV_ARGUMENT_ERROR;
 if (NULL == challenge) return YKPIV_ARGUMENT_ERROR;
 if (NULL == challenge_len) return YKPIV_ARGUMENT_ERROR;
 if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
 if (YKPIV_OK != (res = _ykpiv_ensure_application_selected(state))) goto Cleanup;
- ykpiv_metadata metadata = {YKPIV_ALGO_3DES};
+ metadata->algorithm = YKPIV_ALGO_3DES;
+ unsigned char data[256] = {0};
 unsigned long recv_len = sizeof(data);
 res = _ykpiv_get_metadata(state, YKPIV_KEY_CARDMGM, data, &recv_len);
 if (res == YKPIV_OK) {
- res = ykpiv_util_parse_metadata(data, recv_len, &metadata);
+ res = ykpiv_util_parse_metadata(data, recv_len, metadata);
 if (res != YKPIV_OK) {
 goto Cleanup;
 }
@@ -2129,7 +2131,7 @@ ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, uint8_t *challenge, unsigne
 /* get a challenge from the card */
 APDU apdu = {0};
 apdu.st.ins = YKPIV_INS_AUTHENTICATE;
- apdu.st.p1 = metadata.algorithm;
+ apdu.st.p1 = metadata->algorithm;
 apdu.st.p2 = YKPIV_KEY_CARDMGM; /* management key */
 apdu.st.lc = 0x04;
 apdu.st.data[0] = 0x7c;
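Review bot: Only `metadata->algorithm` is assigned before the card is queried, so when `_ykpiv_get_metadata` does not return `YKPIV_OK` (the 3DES fallback path) every other field of the caller's struct keeps whatever it held. The removed local was initialised with `{YKPIV_ALGO_3DES}`, which zeroed the remaining members. Resetting the whole out-parameter keeps that behaviour, for example `*metadata = (ykpiv_metadata){YKPIV_ALGO_3DES};` in place of the single-field assignment (assuming `algorithm` is the first member, as the removed initializer implies). The `goto Cleanup` taken when `_ykpiv_ensure_application_selected` fails leaves the struct untouched as well, which deserves a line in the function's comment. The function body continues past the end of these hunks.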
@@ -2160,31 +2162,24 @@ ykpiv_rc ykpiv_auth_getchallenge(ykpiv_state *state, uint8_t *challenge, unsigne
 return res;
 }
-ykpiv_rc ykpiv_auth_verifyresponse(ykpiv_state *state, uint8_t *response, unsigned long response_len) {
+ykpiv_rc ykpiv_auth_verifyresponse(ykpiv_state *state, ykpiv_metadata *metadata, uint8_t *response, unsigned long response_len) {
 ykpiv_rc res;
 if (NULL == state) return YKPIV_ARGUMENT_ERROR;
+ if (NULL == metadata) return YKPIV_ARGUMENT_ERROR;
 if (NULL == response) return YKPIV_ARGUMENT_ERROR;
 if (16 < response_len) return YKPIV_ARGUMENT_ERROR;
 if (YKPIV_OK != (res = _ykpiv_begin_transaction(state))) return res;
 /* note: do not select the applet here, as it resets the challenge state */
- ykpiv_metadata metadata = {YKPIV_ALGO_3DES};
 unsigned char data[256] = {0};
 unsigned long recv_len = sizeof(data);
- res = _ykpiv_get_metadata(state, YKPIV_KEY_CARDMGM, data, &recv_len);
- if (res == YKPIV_OK) {
- res = ykpiv_util_parse_metadata(data, recv_len, &metadata);
- if (res != YKPIV_OK) {
- goto Cleanup;
- }
- }
 /* send the response to the card. */
 APDU apdu = {0};
 apdu.st.ins = YKPIV_INS_AUTHENTICATE;
- apdu.st.p1 = metadata.algorithm;
+ apdu.st.p1 = metadata->algorithm;
 apdu.st.p2 = YKPIV_KEY_CARDMGM; /* management key */
 unsigned char *dataptr = apdu.st.data;
 *dataptr++ = 0x7c;
@@ -2195,7 +2190,6 @@ ykpiv_rc ykpiv_auth_verifyresponse(ykpiv_state *state, uint8_t *response, unsign
 dataptr += response_len;
 apdu.st.lc = (unsigned char)(dataptr - apdu.st.data);
 int sw = 0;
- recv_len = sizeof(data);
 if ((res = _ykpiv_send_apdu(state, &apdu, data, &recv_len, &sw)) != YKPIV_OK) {
 goto Cleanup;
 }
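Review bot: `apdu.st.p1` is now taken from a caller-supplied struct rather than from metadata the card reported, and nothing in `ykpiv_auth_verifyresponse` checks that value. A stale or uninitialised `ykpiv_metadata` would put an arbitrary algorithm byte into the AUTHENTICATE command. The card should reject that, but a guard next to the NULL checks would make the misuse fail locally, before a transaction is opened: return `YKPIV_ARGUMENT_ERROR` unless `metadata->algorithm` is `YKPIV_ALGO_3DES` or one of the AES management-key algorithms. The existing `16 < response_len` bound could then be tightened per algorithm (presumably 8 bytes for 3DES and 16 for AES; confirm against the cipher block sizes). The function body continues outside the hunks shown.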