diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:08:19 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch) | |
| tree | 8ca219f355befba5bee1188871bd4db46dac1f04 /sk-usbhid.c | |
| parent | 642e06d0df983fa2af85126cf4b23440bb2985bf (diff) | |
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
Diffstat (limited to 'sk-usbhid.c')
| -rw-r--r-- | sk-usbhid.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c index 2efb377c5..0305683fe 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c | |||
| @@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin, | |||
| 1104 | } | 1104 | } |
| 1105 | 1105 | ||
| 1106 | srk->key.key_handle_len = fido_cred_id_len(cred); | 1106 | srk->key.key_handle_len = fido_cred_id_len(cred); |
| 1107 | memcpy(srk->key.key_handle, | 1107 | memcpy(srk->key.key_handle, fido_cred_id_ptr(cred), |
| 1108 | fido_cred_id_ptr(cred), | ||
| 1109 | srk->key.key_handle_len); | 1108 | srk->key.key_handle_len); |
| 1110 | 1109 | ||
| 1111 | switch (fido_cred_type(cred)) { | 1110 | switch (fido_cred_type(cred)) { |
| @@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin, | |||
| 1121 | goto out; /* XXX free rk and continue */ | 1120 | goto out; /* XXX free rk and continue */ |
| 1122 | } | 1121 | } |
| 1123 | 1122 | ||
| 1123 | if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED) | ||
| 1124 | srk->flags |= SSH_SK_USER_VERIFICATION_REQD; | ||
| 1125 | |||
| 1124 | if ((r = pack_public_key(srk->alg, cred, | 1126 | if ((r = pack_public_key(srk->alg, cred, |
| 1125 | &srk->key)) != 0) { | 1127 | &srk->key)) != 0) { |
| 1126 | skdebug(__func__, "pack public key failed"); | 1128 | skdebug(__func__, "pack public key failed"); |