From b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 27 Aug 2020 01:08:19 +0000
Subject: upstream: preserve verify-required for resident FIDO keys

When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.

from Pedro Martelletto; ok markus@ and myself

OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
---
 sk-usbhid.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'sk-usbhid.c')

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 2efb377c5..0305683fe 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 			}
 
 			srk->key.key_handle_len = fido_cred_id_len(cred);
-			memcpy(srk->key.key_handle,
-			    fido_cred_id_ptr(cred),
+			memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
 			    srk->key.key_handle_len);
 
 			switch (fido_cred_type(cred)) {
@@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 				goto out; /* XXX free rk and continue */
 			}
 
+			if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
+				srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;
+
 			if ((r = pack_public_key(srk->alg, cred,
 			    &srk->key)) != 0) {
 				skdebug(__func__, "pack public key failed");
-- 
cgit v1.2.3