Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 47 |
1 files changed, 32 insertions, 15 deletions
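--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.32 2020/09/09 03:08:02 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -174,6 +174,7 @@ sshsk_free_enroll_response(struct sk_enroll_response *r)
 freezero(r->public_key, r->public_key_len);
 freezero(r->signature, r->signature_len);
 freezero(r->attestation_cert, r->attestation_cert_len);
+freezero(r->authdata, r->authdata_len);
 freezero(r, sizeof(*r));
 }
 
@@ -419,6 +420,31 @@ make_options(const char *device, const char *user_id,
 return ret;
 }
 
+
+static int
+fill_attestation_blob(const struct sk_enroll_response *resp,
+struct sshbuf *attest)
+{
+int r;
+
+if (attest == NULL)
+return 0; /* nothing to do */
+if ((r = sshbuf_put_cstring(attest, "ssh-sk-attest-v01")) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->signature, resp->signature_len)) != 0 ||
+(r = sshbuf_put_string(attest,
+resp->authdata, resp->authdata_len)) != 0 ||
+(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
+(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
+error("%s: buffer error: %s", __func__, ssh_err(r));
+return r;
+}
+/* success */
+return 0;
+}
+
 int
 sshsk_enroll(int type, const char *provider_path, const char *device,
 const char *application, const char *userid, uint8_t flags,
@@ -506,19 +532,9 @@ sshsk_enroll(int type, const char *provider_path, const char *device,
 goto out;
 
 /* Optionally fill in the attestation information */
-if (attest != NULL) {
-if ((r = sshbuf_put_cstring(attest,
-"ssh-sk-attest-v00")) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->attestation_cert, resp->attestation_cert_len)) != 0 ||
-(r = sshbuf_put_string(attest,
-resp->signature, resp->signature_len)) != 0 ||
-(r = sshbuf_put_u32(attest, 0)) != 0 || /* resvd flags */
-(r = sshbuf_put_string(attest, NULL, 0)) != 0 /* resvd */) {
-error("%s: buffer error: %s", __func__, ssh_err(r));
-goto out;
-}
-}
+if ((r = fill_attestation_blob(resp, attest)) != 0)
+goto out;
+
 /* success */
 *keyp = key;
 key = NULL; /* transferred */
@@ -769,8 +785,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
 default:
 continue;
 }
-/* XXX where to get flags? */
 flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+flags |= SSH_SK_USER_VERIFICATION_REQD;
 if ((r = sshsk_key_from_response(rks[i]->alg,
 rks[i]->application, flags, &rks[i]->key, &key)) != 0)
 goto out;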
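Review bot: fill_attestation_blob() in the third hunk serializes resp->authdata into the new ssh-sk-attest-v01 blob without checking that the provider actually supplied it, so a provider that leaves authdata NULL/0 still yields a syntactically valid v01 attestation that can never be verified (the FIDO attestation signature covers the authenticator data). Since carrying authdata is the whole point of the v00 to v01 bump, I would reject the empty case before writing anything: `if (resp->authdata == NULL || resp->authdata_len == 0) {` / `error("%s: provider returned no authenticator data", __func__);` / `return SSH_ERR_INVALID_FORMAT; }` (or whichever ssherr code this file already uses for malformed provider output). If older middleware that predates the authdata field must keep enrolling, a debug() plus a comment on the empty-string fallback is the minimum, so a reader does not mistake the empty field for a bug in the verifier. The attestation_cert field has the same gap, but that predates this change.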