upstream: preserve verify-required for resident FIDO keys

When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API. from Pedro Martelletto; ok markus@ and myself OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
author: djm@openbsd.org <djm@openbsd.org> 2020-08-27 01:08:19 +0000
committer: Damien Miller <djm@mindrot.org> 2020-08-27 11:28:36 +1000
commit: b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch)
tree: 8ca219f355befba5bee1188871bd4db46dac1f04 /sk-usbhid.c
parent: 642e06d0df983fa2af85126cf4b23440bb2985bf (diff)
download: openssh-git-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 2efb377c..0305683f 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 			}
 
 			srk->key.key_handle_len = fido_cred_id_len(cred);
-			memcpy(srk->key.key_handle,
-			    fido_cred_id_ptr(cred),
+			memcpy(srk->key.key_handle, fido_cred_id_ptr(cred),
 			    srk->key.key_handle_len);
 
 			switch (fido_cred_type(cred)) {
@@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin,
 				goto out; /* XXX free rk and continue */
 			}
 
+			if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED)
+				srk->flags |=  SSH_SK_USER_VERIFICATION_REQD;
+
 			if ((r = pack_public_key(srk->alg, cred,
 			    &srk->key)) != 0) {
 				skdebug(__func__, "pack public key failed");
author	djm@openbsd.org <djm@openbsd.org>	2020-08-27 01:08:19 +0000
committer	Damien Miller <djm@mindrot.org>	2020-08-27 11:28:36 +1000
commit	b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch)
tree	8ca219f355befba5bee1188871bd4db46dac1f04 /sk-usbhid.c
parent	642e06d0df983fa2af85126cf4b23440bb2985bf (diff)
download	openssh-git-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.tar.gz