diff options
author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:08:19 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
commit | b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch) | |
tree | 8ca219f355befba5bee1188871bd4db46dac1f04 /sk-usbhid.c | |
parent | 642e06d0df983fa2af85126cf4b23440bb2985bf (diff) | |
download | openssh-git-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.tar.gz |
upstream: preserve verify-required for resident FIDO keys
When downloading a resident, verify-required key from a FIDO token,
preserve the verify-required in the private key that is written to
disk. Previously we weren't doing that because of lack of support
in the middleware API.
from Pedro Martelletto; ok markus@ and myself
OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
Diffstat (limited to 'sk-usbhid.c')
-rw-r--r-- | sk-usbhid.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c index 2efb377c..0305683f 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -1104,8 +1104,7 @@ read_rks(struct sk_usbhid *sk, const char *pin, } srk->key.key_handle_len = fido_cred_id_len(cred); - memcpy(srk->key.key_handle, - fido_cred_id_ptr(cred), + memcpy(srk->key.key_handle, fido_cred_id_ptr(cred), srk->key.key_handle_len); switch (fido_cred_type(cred)) { @@ -1121,6 +1120,9 @@ read_rks(struct sk_usbhid *sk, const char *pin, goto out; /* XXX free rk and continue */ } + if (fido_cred_prot(cred) == FIDO_CRED_PROT_UV_REQUIRED) + srk->flags |= SSH_SK_USER_VERIFICATION_REQD; + if ((r = pack_public_key(srk->alg, cred, &srk->key)) != 0) { skdebug(__func__, "pack public key failed"); |