From 613f887d5f28a140ef8531ea63eec22fa675abe6 Mon Sep 17 00:00:00 2001
From: Sebastian Kinne
Date: Mon, 16 Dec 2019 17:55:54 -0800
Subject: [PATCH] pki: add sha256 helper function
This commit adds a sha256 helper function which is a prerequisite to having security key backed SSH keys.
Change-Id: I1c4409da49856687e25d2f31ffc2292a7e2fde85
Signed-off-by: Sebastian Kinne
---
 include/libssh/pki_priv.h | 4 ++++
 src/pki_crypto.c | 11 +++++++++++
 src/pki_gcrypt.c | 20 ++++++++++++++++++++
 src/pki_mbedcrypto.c | 14 ++++++++++++++
 4 files changed, 49 insertions(+)
diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h
index 71418fdc3..3a18d811a 100644
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -165,4 +165,8 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey,
 /* URI Function */
 int pki_uri_import(const char *uri_name, ssh_key *key, enum ssh_key_e key_type);
+/* SHA256 Helper */
+unsigned char *pki_sha256(const unsigned char *data, size_t data_len,
+ uint8_t *digest, size_t digest_len);
+
 #endif /* PKI_PRIV_H_ */
diff --git a/src/pki_crypto.c b/src/pki_crypto.c
index 7e10d8c64..cb02283bb 100644
--- a/src/pki_crypto.c
+++ b/src/pki_crypto.c
@@ -36,6 +36,8 @@
 #include
 #include
 #include
+#include
+#include
 #include "libcrypto-compat.h"
 #ifdef HAVE_OPENSSL_EC_H
@@ -2657,4 +2659,13 @@ fail:
 return SSH_ERROR;
 }
+unsigned char *pki_sha256(const unsigned char *data, size_t data_len,
+ uint8_t *digest, size_t digest_len) {
+ if (digest_len < 32) {
+ return NULL;
+ }
+
+ return SHA256(data, data_len, digest);
+}
+
 #endif /* _PKI_CRYPTO_H */
diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 5470ce85f..8e9d514f2 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
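Review bot: The `/* SHA256 Helper */` comment above the new `pki_sha256` prototype in include/libssh/pki_priv.h leaves the contract unstated, although all three backends in this patch enforce the same one. Callers cannot tell from the header that `digest_len` is a capacity that must be at least 32 bytes, or that NULL is the failure value. I would replace it with `/* Writes the 32-byte SHA-256 of data into digest; digest_len is the buffer capacity and must be >= 32. Returns digest, or NULL on error. */`.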
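Review bot: In src/pki_crypto.c, `pki_sha256` validates `digest_len` but never `digest`, and OpenSSL's `SHA256()` is documented to write into an internal static array when its output pointer is NULL. A caller passing `digest == NULL` with `digest_len >= 32` would therefore get a pointer to shared, non-thread-safe storage in this backend. The gcrypt and mbedcrypto versions later in the patch appear to write through the NULL pointer in the same case. Rejecting it up front keeps the backends consistent: `if (digest == NULL || digest_len < SHA256_DIGEST_LENGTH) return NULL;`. That also replaces the bare `32`, which is repeated in the pki_gcrypt.c and pki_mbedcrypto.c hunks; libssh's own `SHA256_DIGEST_LEN` would serve there if it is in scope.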
@@ -2468,4 +2468,24 @@ int pki_uri_import(const char *uri_name, ssh_key *key, enum ssh_key_e key_type)
 "gcrypt does not support PKCS #11");
 return SSH_ERROR;
 }
+
+unsigned char *pki_sha256(const unsigned char *data, size_t data_len,
+ uint8_t *digest, size_t digest_len) {
+ gcry_md_hd_t hd;
+
+ if (digest_len < 32) {
+ return NULL;
+ }
+
+ gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_SECURE);
+ if (hd == NULL) {
+ return NULL;
+ }
+
+ gcry_md_write(hd, data, data_len);
+ memcpy(digest, gcry_md_read(hd, GCRY_MD_SHA256), 32);
+
+ return digest;
+}
+
 #endif /* HAVE_LIBGCRYPT */
diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c
index b0fd82ef3..7c239296d 100644
--- a/src/pki_mbedcrypto.c
+++ b/src/pki_mbedcrypto.c
@@ -25,6 +25,7 @@
 #ifdef HAVE_LIBMBEDCRYPTO
 #include
+#include
 #include
 #include "libssh/priv.h"
@@ -1601,4 +1602,17 @@ int pki_uri_import(const char *uri_name, ssh_key *key, enum ssh_key_e key_type)
 "mbedcrypto does not support PKCS #11");
 return SSH_ERROR;
 }
+
+unsigned char *pki_sha256(const unsigned char *data, size_t data_len,
+ uint8_t *digest, size_t digest_len) {
+ if (digest_len < 32) {
+ return NULL;
+ }
+
+ if (mbedtls_sha256_ret(data, data_len, digest, 0) != 0) {
+ return NULL;
+ }
+
+ return digest;
+}
 #endif /* HAVE_LIBMBEDCRYPTO */
-- GitLab
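Review bot: The digest handle opened in pki_gcrypt.c's `pki_sha256` is never released, because the function returns `digest` without calling `gcry_md_close(hd)`. As the handle is created with `GCRY_MD_FLAG_SECURE`, every call leaves a context allocated from libgcrypt's limited secure-memory pool, so repeated hashing can exhaust it. The result of `gcry_md_open` is also discarded while `hd` starts uninitialised; checking the returned error code is the documented pattern: `if (gcry_md_open(&hd, GCRY_MD_SHA256, GCRY_MD_FLAG_SECURE) != 0) return NULL;`, with `gcry_md_close(hd);` added before `return digest;`. If the secure flag is not needed for this input, the one-shot `gcry_md_hash_buffer(GCRY_MD_SHA256, digest, data, data_len);` removes the handle and the unchecked `gcry_md_read` result altogether.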
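Review bot: The trailing `0` in `mbedtls_sha256_ret(data, data_len, digest, 0)` in pki_mbedcrypto.c is the SHA-224/SHA-256 selector, and nothing at the call site says so. A mistaken `1` there would silently produce a 28-byte SHA-224 digest in a buffer the caller treats as 32 bytes. A short comment such as `/* is224 = 0: compute SHA-256, not SHA-224 */` would make the intent reviewable. As far as I know the `_ret` variant exists only in the Mbed TLS 2.7+ 2.x series, so it is worth confirming that the build's minimum supported Mbed TLS version provides it.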