diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:08:19 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
commit | b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch) | |
tree | 8ca219f355befba5bee1188871bd4db46dac1f04 /sk-usbhid.c | |
parent | 642e06d0df983fa2af85126cf4b23440bb2985bf (diff) |
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
Diffstat (limited to 'sk-usbhid.c')
-rw-r--r-- | sk-usbhid.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c index 2efb377c5..0305683fe 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c | |||
@@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin, | |||
1104 | } | 1104 | } |
1105 | 1105 | ||
1106 | srk->key.key_handle_len = fido_cred_id_len(cred); | 1106 | srk->key.key_handle_len = fido_cred_id_len(cred); |
1107 | memcpy(srk->key.key_handle, | 1107 | memcpy(srk->key.key_handle, fido_cred_id_ptr(cred), |
1108 | fido_cred_id_ptr(cred), | ||
1109 | srk->key.key_handle_len); | 1108 | srk->key.key_handle_len); |
1110 | 1109 | ||
1111 | switch (fido_cred_type(cred)) { | 1110 | switch (fido_cred_type(cred)) { |
@@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin, | |||
1121 | goto out; /* XXX free rk and continue */ | 1120 | goto out; /* XXX free rk and continue */ |
1122 | } | 1121 | } |
1123 | 1122 | ||
1123 | if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED) | ||
1124 | srk->flags |= SSH_SK_USER_VERIFICATION_REQD; | ||
1125 | |||
1124 | if ((r = pack_public_key(srk->alg, cred, | 1126 | if ((r = pack_public_key(srk->alg, cred, |
1125 | &srk->key)) != 0) { | 1127 | &srk->key)) != 0) { |
1126 | skdebug(__func__, "pack public key failed"); | 1128 | skdebug(__func__, "pack public key failed"); |