1 files changed, 32 insertions, 15 deletions
diff --git a/ssh-sk.c b/ssh-sk.c
index 1afb205f8..1455df635 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -174,6 +174,7 @@ sshsk_free_enroll_response(struct sk_enroll_response *r)
        freezero(r->public_key, r->public_key_len);
        freezero(r->signature, r->signature_len);
        freezero(r->attestation_cert, r->attestation_cert_len);
+        freezero(r->authdata, r->authdata_len);
        freezero(r, sizeof(*r));
 }
@@ -419,6 +420,31 @@ make_options(const char *device, const char *user_id,
        return ret;
 }
+static int
+fill_attestation_blob(const struct sk_enroll_response *resp,
+    struct sshbuf *attest)
+{
+        int r;
+        if (attest == NULL)
+                return 0; /* nothing to do */
+        if ((r = sshbuf_put_cstring(attest, "ssh-sk-attest-v01")) != 0 ||
+            (r = sshbuf_put_string(attest,
+            resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
+            (r = sshbuf_put_string(attest,
+            resp->signature, resp->signature_len)) != 0 ||
+            (r = sshbuf_put_string(attest,
+            resp->authdata, resp->authdata_len)) != 0 ||
+            (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+            (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
+                error("%s: buffer error: %s", __func__, ssh_err(r));
+                return r;
+        }
+        /* success */
+        return 0;
+}
 int
 sshsk_enroll(int type, const char *provider_path, const char *device,
    const char *application, const char *userid, uint8_t flags,
@@ -506,19 +532,9 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
                goto out;
        /* Optionally fill in the attestation information */
-        if (attest != NULL) {
+        if ((r = fill_attestation_blob(resp, attest)) != 0)
-                if ((r = sshbuf_put_cstring(attest,
+                goto out;
-                    "ssh-sk-attest-v00")) != 0 ||
-                    (r = sshbuf_put_string(attest,
-                    resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
-                    (r = sshbuf_put_string(attest,
-                    resp->signature, resp->signature_len)) != 0 ||
-                    (r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
-                    (r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
-                        error("%s: buffer error: %s", __func__, ssh_err(r));
-                        goto out;
-                }
-        }
        /* success */
        *keyp = key;
        key = NULL; /* transferred */
@@ -769,8 +785,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
                default:
                        continue;
                }
-                /* XXX where to get flags? */
                flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+                if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+                        flags |= SSH_SK_USER_VERIFICATION_REQD;
                if ((r = sshsk_key_from_response(rks[i]->alg,
                    rks[i]->application, flags, &rks[i]->key, &key)) != 0)
                        goto out;

diff --git a/ssh-sk.c b/ssh-sk.c index 1afb205f8..1455df635 100644 --- a/ssh-sk.c +++ b/ssh-sk.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */	1	/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Google LLC	3	* Copyright (c) 2019 Google LLC
4	*	4	*
@@ -174,6 +174,7 @@ sshsk_free_enroll_response(struct sk_enroll_response *r)
174	freezero(r->public_key, r->public_key_len);	174	freezero(r->public_key, r->public_key_len);
175	freezero(r->signature, r->signature_len);	175	freezero(r->signature, r->signature_len);
176	freezero(r->attestation_cert, r->attestation_cert_len);	176	freezero(r->attestation_cert, r->attestation_cert_len);
		177	freezero(r->authdata, r->authdata_len);
177	freezero(r, sizeof(*r));	178	freezero(r, sizeof(*r));
178	}	179	}
179		180
@@ -419,6 +420,31 @@ make_options(const char device, const char user_id,
419	return ret;	420	return ret;
420	}	421	}
421		422
		423
		424	static int
		425	fill_attestation_blob(const struct sk_enroll_response *resp,
		426	struct sshbuf *attest)
		427	{
		428	int r;
		429
		430	if (attest == NULL)
		431	return 0; /* nothing to do */
		432	if ((r = sshbuf_put_cstring(attest, "ssh-sk-attest-v01")) != 0 \|\|
		433	(r = sshbuf_put_string(attest,
		434	resp->attestation_cert, resp->attestation_cert_len)) != 0 \|\|
		435	(r = sshbuf_put_string(attest,
		436	resp->signature, resp->signature_len)) != 0 \|\|
		437	(r = sshbuf_put_string(attest,
		438	resp->authdata, resp->authdata_len)) != 0 \|\|
		439	(r = sshbuf_put_u32(attest, 0)) != 0 \|\| /* resvd flags */
		440	(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
		441	error("%s: buffer error: %s", __func__, ssh_err(r));
		442	return r;
		443	}
		444	/* success */
		445	return 0;
		446	}
		447
422	int	448	int
423	sshsk_enroll(int type, const char provider_path, const char device,	449	sshsk_enroll(int type, const char provider_path, const char device,
424	const char application, const char userid, uint8_t flags,	450	const char application, const char userid, uint8_t flags,
@@ -506,19 +532,9 @@ sshsk_enroll(int type, const char provider_path, const char device,
506	goto out;	532	goto out;
507		533
508	/* Optionally fill in the attestation information */	534	/* Optionally fill in the attestation information */
509	if (attest != NULL) {	535	if ((r = fill_attestation_blob(resp, attest)) != 0)
510	if ((r = sshbuf_put_cstring(attest,	536	goto out;
511	"ssh-sk-attest-v00")) != 0 \|\|	537
512	(r = sshbuf_put_string(attest,
513	resp->attestation_cert, resp->attestation_cert_len)) != 0 \|\|
514	(r = sshbuf_put_string(attest,
515	resp->signature, resp->signature_len)) != 0 \|\|
516	(r = sshbuf_put_u32(attest, 0)) != 0 \|\| /* resvd flags */
517	(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
518	error("%s: buffer error: %s", __func__, ssh_err(r));
519	goto out;
520	}
521	}
522	/* success */	538	/* success */
523	*keyp = key;	539	*keyp = key;
524	key = NULL; /* transferred */	540	key = NULL; /* transferred */
@@ -769,8 +785,9 @@ sshsk_load_resident(const char provider_path, const char device,
769	default:	785	default:
770	continue;	786	continue;
771	}	787	}
772	/* XXX where to get flags? */
773	flags = SSH_SK_USER_PRESENCE_REQD\|SSH_SK_RESIDENT_KEY;	788	flags = SSH_SK_USER_PRESENCE_REQD\|SSH_SK_RESIDENT_KEY;
		789	if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
		790	flags \|= SSH_SK_USER_VERIFICATION_REQD;
774	if ((r = sshsk_key_from_response(rks[i]->alg,	791	if ((r = sshsk_key_from_response(rks[i]->alg,
775	rks[i]->application, flags, &rks[i]->key, &key)) != 0)	792	rks[i]->application, flags, &rks[i]->key, &key)) != 0)
776	goto out;	793	goto out;