When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID:
201c46ccdd227cddba3d64e1bdbd082afa956517
-/* $OpenBSD: sk-api.h,v 1.9 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.10 2020/08/27 01:08:19 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
size_t slot;
char *application;
struct sk_enroll_response key;
+ uint8_t flags;
};
struct sk_option {
uint8_t required;
};
-#define SSH_SK_VERSION_MAJOR 0x00050000 /* current API version */
+#define SSH_SK_VERSION_MAJOR 0x00060000 /* current API version */
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
/* Return the version of the middleware API */
}
srk->key.key_handle_len = fido_cred_id_len(cred);
- memcpy(srk->key.key_handle,
- fido_cred_id_ptr(cred),
+ memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
srk->key.key_handle_len);
switch (fido_cred_type(cred)) {
goto out; /* XXX free rk and continue */
}
+ if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
+ srk->flags |= SSH_SK_USER_VERIFICATION_REQD;
+
if ((r = pack_public_key(srk->alg, cred,
&srk->key)) != 0) {
skdebug(__func__, "pack public key failed");
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
default:
continue;
}
- /* XXX where to get flags? */
flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+ if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+ flags |= SSH_SK_USER_VERIFICATION_REQD;
if ((r = sshsk_key_from_response(rks[i]->alg,
rks[i]->application, flags, &rks[i]->key, &key)) != 0)
goto out;
projects / thirdparty / openssh-portable.git / commitdiff
