Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 44 |
1 files changed, 30 insertions, 14 deletions
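--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -174,6 +174,7 @@ sshsk_free_enroll_response(struct sk_enroll_response *r)
 freezero(r->public_key, r->public_key_len);
 freezero(r->signature, r->signature_len);
 freezero(r->attestation_cert, r->attestation_cert_len);
+freezero(r->authdata, r->authdata_len);
 freezero(r, sizeof(*r));
 }
 
@@ -419,6 +420,31 @@ make_options(const char *device, const char *user_id,
 return ret;
 }
 
+
+static int
+fill_attestation_blob(const struct sk_enroll_response *resp,
+struct sshbuf *attest)
+{
+int r;
+
+if (attest == NULL)
+return 0; /* nothing to do */
+if ((r = sshbuf_put_cstring(attest, "ssh-sk-attest-v01")) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->signature, resp->signature_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->authdata, resp->authdata_len)) != 0 ||
+(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
+error("%s: buffer error: %s", __func__, ssh_err(r));
+return r;
+}
+/* success */
+return 0;
+}
+
 int
 sshsk_enroll(int type, const char *provider_path, const char *device,
 const char *application, const char *userid, uint8_t flags,
@@ -506,19 +532,9 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 goto out;
 
 /* Optionally fill in the attestation information */
-if (attest != NULL) {
-if ((r = sshbuf_put_cstring(attest,
-"ssh-sk-attest-v00")) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->signature, resp->signature_len)) != 0 ||
-(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
-(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
-error("%s: buffer error: %s", __func__, ssh_err(r));
-goto out;
-}
-}
+if ((r = fill_attestation_blob(resp, attest)) != 0)
+goto out;
+
 /* success */
 *keyp = key;
 key = NULL; /* transferred */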
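Review bot: fill_attestation_blob defines a new serialized format (the version string becomes `ssh-sk-attest-v01` and an authdata string is inserted between the signature and the reserved fields), but nothing in the third hunk documents the field order, so a consumer still expecting the v00 layout would read the authdata where it expects the reserved u32. A header comment above the function listing the fields in order — version cstring, attestation_cert string, signature string, authdata string, u32 reserved flags, reserved string — would give anyone verifying an attestation blob a layout to check against, and would make the v00→v01 incompatibility explicit. It would also help to state that `resp` must be non-NULL, since the early return covers only `attest`; the caller in sshsk_enroll appears to guarantee this but does not say so. sshsk_enroll starts and ends outside the fourth hunk.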