author | djm@openbsd.org <djm@openbsd.org> | 2020-09-09 03:08:01 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-09-09 13:11:34 +1000 |
commit | c76773524179cb654ff838dd43ba1ddb155bafaa (patch) | |
tree | 0e3079b760a58a670a5a5bbdca0e8eb184e34173 /ssh-sk.c | |
parent | c1c44eeecddf093a7983bd91e70b446de789b363 (diff) |
upstream: when writing an attestation blob for a FIDO key, record all
the data needed to verify the attestation. Previously we were missing the
"authenticator data" that is included in the signature.
spotted by Ian Haken
feedback Pedro Martelletto and Ian Haken; ok markus@
OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 44 |
1 files changed, 30 insertions, 14 deletions
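--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -174,6 +174,7 @@ sshsk_free_enroll_response(struct sk_enroll_response *r)
 freezero(r->public_key, r->public_key_len);
 freezero(r->signature, r->signature_len);
 freezero(r->attestation_cert, r->attestation_cert_len);
+freezero(r->authdata, r->authdata_len);
 freezero(r, sizeof(*r));
 }
 
@@ -419,6 +420,31 @@ make_options(const char *device, const char *user_id,
 return ret;
 }
 
+
+static int
+fill_attestation_blob(const struct sk_enroll_response *resp,
+struct sshbuf *attest)
+{
+int r;
+
+if (attest == NULL)
+return 0; /* nothing to do */
+if ((r = sshbuf_put_cstring(attest, "ssh-sk-attest-v01")) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->signature, resp->signature_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->authdata, resp->authdata_len)) != 0 ||
+(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
+error("%s: buffer error: %s", __func__, ssh_err(r));
+return r;
+}
+/* success */
+return 0;
+}
+
 int
 sshsk_enroll(int type, const char *provider_path, const char *device,
 const char *application, const char *userid, uint8_t flags,
@@ -506,19 +532,9 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 goto out;
 
 /* Optionally fill in the attestation information */
-if (attest != NULL) {
-if ((r = sshbuf_put_cstring(attest,
-"ssh-sk-attest-v00")) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->signature, resp->signature_len)) != 0 ||
-(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
-(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
-error("%s: buffer error: %s", __func__, ssh_err(r));
-goto out;
-}
-}
+if ((r = fill_attestation_blob(resp, attest)) != 0)
+goto out;
+
 /* success */
 *keyp = key;
 key = NULL; /* transferred */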
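Review bot: fill_attestation_blob carries no comment saying what the blob is for or what a verifier needs alongside it; the new function records the attestation certificate, the signature, the authenticator data and two reserved fields, but not the challenge the signature covers and not the enrolled public key, so the blob is not self-contained and the caller has to retain the challenge (presumably the one handed to sshsk_enroll, whose parameter list continues outside the hunk) to check it later. A header comment such as `/* Serialise the enrollment attestation ("ssh-sk-attest-v01": cert, signature, authdata, reserved) so a verifier that also holds the original challenge can check the authenticator's signature over authdata. */` would pin that contract where the version string is defined. The bump from "ssh-sk-attest-v00" to "ssh-sk-attest-v01" means any consumer or documentation of the old layout needs a matching update; the diffstat is limited to ssh-sk.c, so that cannot be confirmed from this page. The authdata/authdata_len members freed in sshsk_free_enroll_response are new to the provider-side structure, whose declaration and the code that fills them are also outside this diff; a provider that leaves them unset would still serialise cleanly here (sshbuf_put_string with NULL and length 0 is accepted, as the reserved field shows), leaving the version marker as the verifier's only hint that authdata may be empty.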