[openssh-commits] [openssh] 07/08: upstream: preserve verify-required for resident FIDO keys

Thu Aug 27 11:28:49 AEST 2020

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Thu Aug 27 01:08:19 2020 +0000

    upstream: preserve verify-required for resident FIDO keys
    
    When downloading a resident, verify-required key from a FIDO token,
    preserve the verify-required in the private key that is written to
    disk. Previously we weren't doing that because of lack of support
    in the middleware API.
    
    from Pedro Martelletto; ok markus@ and myself
    
    OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
---
 sk-api.h    | 5 +++--
 sk-usbhid.c | 6 ++++--
 ssh-sk.c    | 5 +++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/sk-api.h b/sk-api.h
index 1ecaa353..cc32cd4c 100644
--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.9 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.10 2020/08/27 01:08:19 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -63,6 +63,7 @@ struct sk_resident_key {
 	size_t slot;
 	char *application;
 	struct sk_enroll_response key;
+	uint8_t flags;
 };
 
 struct sk_option {
@@ -71,7 +72,7 @@ struct sk_option {
 	uint8_t required;
 };
 
-#define SSH_SK_VERSION_MAJOR		0x00050000 /* current API version */
+#define SSH_SK_VERSION_MAJOR		0x00060000 /* current API version */
 #define SSH_SK_VERSION_MAJOR_MASK	0xffff0000
 
 /* Return the version of the middleware API */
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 2efb377c..0305683f 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 			}
 
 			srk->key.key_handle_len = fido_cred_id_len(cred);
-			memcpy(srk->key.key_handle,
-			    fido_cred_id_ptr(cred),
+			memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
 			    srk->key.key_handle_len);
 
 			switch (fido_cred_type(cred)) {
@@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 				goto out; /* XXX free rk and continue */
 			}
 
+			if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
+				srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;
+
 			if ((r = pack_public_key(srk->alg, cred,
 			    &srk->key)) != 0) {
 				skdebug(__func__, "pack public key failed");
diff --git a/ssh-sk.c b/ssh-sk.c
index 1afb205f..89478aff 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -769,8 +769,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
 		default:
 			continue;
 		}
-		/* XXX where to get flags? */
 		flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+		if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+			flags |= SSH_SK_USER_VERIFICATION_REQD;
 		if ((r = sshsk_key_from_response(rks[i]->alg,
 		    rks[i]->application, flags, &rks[i]->key, &key)) != 0)
 			goto out;

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
