upstream: preserve verify-required for resident FIDO keys
authordjm@openbsd.org <djm@openbsd.org>
Thu, 27 Aug 2020 01:08:19 +0000 (01:08 +0000)
committerDamien Miller <djm@mindrot.org>
Thu, 27 Aug 2020 01:28:36 +0000 (11:28 +1000)
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required flag in the private key that is written to
disk. Previously we weren't doing that because the middleware API had
no way to report it.

from Pedro Martelletto; ok markus@ and myself

OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517

sk-api.h
sk-usbhid.c
ssh-sk.c

index 1ecaa353730c485b96e0723630c7ee976b587c8b..cc32cd4cceb2714648429c0c905b8338160eaf26 100644 (file)
--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.9 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.10 2020/08/27 01:08:19 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -63,6 +63,7 @@ struct sk_resident_key {
        size_t slot;
        char *application;
        struct sk_enroll_response key;
+       uint8_t flags;
 };
 
 struct sk_option {
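Review bot: The new `flags` member of struct sk_resident_key has no comment saying which bit values it carries, and this header is the middleware contract (the major API version is bumped for it), so its meaning should be spelled out: `uint8_t flags; /* SSH_SK_* flags for this key, e.g. SSH_SK_USER_VERIFICATION_REQD */`. Since the middleware fills these records, stating that unused bits must be zero would make the contract explicit for callers that OR bits into the field. The remainder of the struct is outside the hunk.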
@@ -71,7 +72,7 @@ struct sk_option {
        uint8_t required;
 };
 
-#define SSH_SK_VERSION_MAJOR           0x00050000 /* current API version */
+#define SSH_SK_VERSION_MAJOR           0x00060000 /* current API version */
 #define SSH_SK_VERSION_MAJOR_MASK      0xffff0000
 
 /* Return the version of the middleware API */
index 2efb377c51c01626ec31f290a35fc92ed4c8a3c6..0305683febc7916ec0bb4bcc333e9dee955c9017 100644 (file)
@@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin,
                        }
 
                        srk->key.key_handle_len = fido_cred_id_len(cred);
-                       memcpy(srk->key.key_handle,
-                           fido_cred_id_ptr(cred),
+                       memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
                            srk->key.key_handle_len);
 
                        switch (fido_cred_type(cred)) {
@@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin,
                                goto out; /* XXX free rk and continue */
                        }
 
+                       if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
+                               srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;
+
                        if ((r = pack_public_key(srk->alg, cred,
                            &srk->key)) != 0) {
                                skdebug(__func__, "pack public key failed");
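Review bot: `srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;` ORs into a field that is never explicitly cleared within the hunk, so it is correct only if the allocation of srk (earlier in read_rks, outside this hunk) zero-fills the record; otherwise an indeterminate bit pattern ends up in the flags later written to the private key, so please confirm the allocation is calloc-style or add `srk->flags = 0;` where the record is set up. The double space after `|=` is a style nit: `srk->flags |= SSH_SK_USER_VERIFICATION_REQD;`. fido_cred_prot() is a relatively recent libfido2 API; if this portable tree is expected to build against older releases, a configure-time guard around the check would be needed. read_rks continues outside the hunk.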
index 1afb205f86b09ac31c1b6a5ff276da2e9fd95657..89478aff005c2b5be9b222e5cc514e13c8165478 100644 (file)
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -769,8 +769,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
                default:
                        continue;
                }
-               /* XXX where to get flags? */
                flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+               if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+                       flags |= SSH_SK_USER_VERIFICATION_REQD;
                if ((r = sshsk_key_from_response(rks[i]->alg,
                    rks[i]->application, flags, &rks[i]->key, &key)) != 0)
                        goto out;
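Review bot: Only the user-verification bit is copied from the middleware's record while every other bit in `rks[i]->flags` is dropped; that looks deliberate, so a one-line comment would stop a future reader from "fixing" it by copying the whole field: `/* only carry over verify-required from the resident key record */`. The doubled parentheses in `if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))` are a style nit; `if (rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD)` reads the same. sshsk_load_resident begins and ends outside the hunk.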