зеркало из https://github.com/Azure/sonic-openssh.git
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API. from Pedro Martelletto; ok markus@ and myself OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
This commit is contained in:
djm@openbsd.org
Damien Miller
Родитель
642e06d0df
Коммит
b649b3daa6
5
sk-api.h
5
sk-api.h
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: sk-api.h,v 1.9 2020/04/28 04:02:29 djm Exp $ */
|
||||
/* $OpenBSD: sk-api.h,v 1.10 2020/08/27 01:08:19 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Google LLC
|
||||
*
|
||||
|
|
@ -63,6 +63,7 @@ struct sk_resident_key {
|
|||
size_t slot;
|
||||
char *application;
|
||||
struct sk_enroll_response key;
|
||||
uint8_t flags;
|
||||
};
|
||||
|
||||
struct sk_option {
|
||||
|
|
@ -71,7 +72,7 @@ struct sk_option {
|
|||
uint8_t required;
|
||||
};
|
||||
|
||||
#define SSH_SK_VERSION_MAJOR 0x00050000 /* current API version */
|
||||
#define SSH_SK_VERSION_MAJOR 0x00060000 /* current API version */
|
||||
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
|
||||
|
||||
/* Return the version of the middleware API */
|
||||
|
|
|
|||
|
|
@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin,
|
|||
}
|
||||
|
||||
srk->key.key_handle_len = fido_cred_id_len(cred);
|
||||
memcpy(srk->key.key_handle,
|
||||
fido_cred_id_ptr(cred),
|
||||
memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
|
||||
srk->key.key_handle_len);
|
||||
|
||||
switch (fido_cred_type(cred)) {
|
||||
|
|
@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin,
|
|||
goto out; /* XXX free rk and continue */
|
||||
}
|
||||
|
||||
if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
|
||||
srk->flags |= SSH_SK_USER_VERIFICATION_REQD;
|
||||
|
||||
if ((r = pack_public_key(srk->alg, cred,
|
||||
&srk->key)) != 0) {
|
||||
skdebug(__func__, "pack public key failed");
|
||||
|
|
|
|||
5
ssh-sk.c
5
ssh-sk.c
|
|
@ -1,4 +1,4 @@
|
|||
/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
|
||||
/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2019 Google LLC
|
||||
*
|
||||
|
|
@ -769,8 +769,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
|
|||
default:
|
||||
continue;
|
||||
}
|
||||
/* XXX where to get flags? */
|
||||
flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
|
||||
if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
|
||||
flags |= SSH_SK_USER_VERIFICATION_REQD;
|
||||
if ((r = sshsk_key_from_response(rks[i]->alg,
|
||||
rks[i]->application, flags, &rks[i]->key, &key)) != 0)
|
||||
goto out;
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче