Skip to content

Commit

Permalink
YubiHSM Auth: Add YubiKey firmware version check before getting devic…
Browse files Browse the repository at this point in the history
…e challenge
  • Loading branch information
aveenismail committed Sep 5, 2024
1 parent bf1bf0d commit 1cdd461
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 11 deletions.
21 changes: 18 additions & 3 deletions src/commands.c
Original file line number Diff line number Diff line change
Expand Up @@ -1857,9 +1857,24 @@ int yh_com_open_yksession(yubihsm_context *ctx, Argument *argv,
uint8_t host_challenge[YH_EC_P256_PUBKEY_LEN] = {0};
size_t host_challenge_len = sizeof(host_challenge);

ykhsmauthrc = ykhsmauth_get_challenge_ex(ctx->state, argv[1].s,
argv[2].x, argv[2].len,
host_challenge, &host_challenge_len);
uint8_t major = 0, minor = 0, patch = 0;
ykhsmauthrc = ykhsmauth_get_version_ex(ctx->state, &major, &minor, &patch);
if (ykhsmauthrc != YKHSMAUTHR_SUCCESS) {
fprintf(stderr, "Failed to get YubiKey firmware version: %s\n",
ykhsmauth_strerror(ykhsmauthrc));
ykhsmauth_disconnect(ctx->state);
return -1;
}

if (major > 5 || (major == 5 && minor > 7) ||
(major == 5 && minor == 7 && patch >= 1)) {
ykhsmauthrc =
ykhsmauth_get_challenge_ex(ctx->state, argv[1].s, argv[2].x, argv[2].len,
host_challenge, &host_challenge_len);
} else {
ykhsmauthrc = ykhsmauth_get_challenge(ctx->state, argv[1].s, host_challenge,
&host_challenge_len);
}
if (ykhsmauthrc != YKHSMAUTHR_SUCCESS) {
fprintf(stderr, "Failed to get host challenge from the YubiKey: %s\n",
ykhsmauth_strerror(ykhsmauthrc));
Expand Down
31 changes: 23 additions & 8 deletions ykhsmauth/ykhsmauth.c
Original file line number Diff line number Diff line change
Expand Up @@ -296,9 +296,9 @@ ykhsmauth_rc ykhsmauth_list_readers(ykhsmauth_state *state, char *readers,
return YKHSMAUTHR_SUCCESS;
}

ykhsmauth_rc ykhsmauth_get_version(ykhsmauth_state *state, char *version,
size_t len) {
if (state == NULL || version == NULL) {
ykhsmauth_rc ykhsmauth_get_version_ex(ykhsmauth_state *state, uint8_t *major,
uint8_t *minor, uint8_t *patch) {
if (state == NULL || major == NULL || minor == NULL || patch == NULL) {
return YKHSMAUTHR_INVALID_PARAMS;
}

Expand All @@ -307,22 +307,37 @@ ykhsmauth_rc ykhsmauth_get_version(ykhsmauth_state *state, char *version,
DWORD recv_len = sizeof(data);
uint16_t sw = 0;
ykhsmauth_rc res;

if ((res = send_data(state, &apdu, data, &recv_len, &sw)) !=
YKHSMAUTHR_SUCCESS) {
return res;
} else if (sw == SW_SUCCESS && recv_len == 3) {
int result = snprintf(version, len, "%d.%d.%d", data[0], data[1], data[2]);
*major = data[0];
*minor = data[1];
*patch = data[2];
return YKHSMAUTHR_SUCCESS;
} else {
return translate_error(sw, NULL);
}
}

ykhsmauth_rc ykhsmauth_get_version(ykhsmauth_state *state, char *version,
size_t len) {
if (version == NULL) {
return YKHSMAUTHR_INVALID_PARAMS;
}

uint8_t v[3] = {0};
ykhsmauth_rc res = ykhsmauth_get_version_ex(state, &v[0], &v[1], &v[2]);
if(res == YKHSMAUTHR_SUCCESS) {
int result = snprintf(version, len, "%d.%d.%d", v[0], v[1], v[2]);
if (result < 0) {
if (state->verbose) {
fprintf(stderr, "Version buffer too small\n");
}
return YKHSMAUTHR_GENERIC_ERROR;
}
return YKHSMAUTHR_SUCCESS;
} else {
return translate_error(sw, NULL);
}
return res;
}

ykhsmauth_rc ykhsmauth_put(ykhsmauth_state *state, const uint8_t *mgmkey,
Expand Down
3 changes: 3 additions & 0 deletions ykhsmauth/ykhsmauth.h
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,9 @@ ykhsmauth_rc ykhsmauth_list_readers(ykhsmauth_state *state, char *readers,
size_t *len);
ykhsmauth_rc ykhsmauth_disconnect(ykhsmauth_state *state);

ykhsmauth_rc ykhsmauth_get_version_ex(ykhsmauth_state *state, uint8_t *major,
uint8_t *minor, uint8_t *patch);

ykhsmauth_rc ykhsmauth_get_version(ykhsmauth_state *state, char *version,
size_t len);

Expand Down

0 comments on commit 1cdd461

Please sign in to comment.