authordjm@openbsd.org <djm@openbsd.org>2020-09-09 03:08:01 +0000
committerDamien Miller <djm@mindrot.org>2020-09-09 13:11:34 +1000
commitc76773524179cb654ff838dd43ba1ddb155bafaa (patch)
tree0e3079b760a58a670a5a5bbdca0e8eb184e34173 /ssh-keygen.c
parentc1c44eeecddf093a7983bd91e70b446de789b363 (diff)
downloadopenssh-git-c76773524179cb654ff838dd43ba1ddb155bafaa.tar.gz
upstream: when writing an attestation blob for a FIDO key, record all
the data needed to verify the attestation. Previously we were missing the "authenticator data" that is included in the signature. Spotted by Ian Haken; feedback from Pedro Martelletto and Ian Haken; ok markus@. OpenBSD-Commit-ID: 8439896e63792b2db99c6065dd9a45eabbdb7e0a
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c44
1 files changed, 27 insertions, 17 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 64cee4de..a12b79a5 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.419 2020/08/27 09:46:04 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.420 2020/09/09 03:08:01 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3072,6 +3072,27 @@ do_download_sk(const char *skprovider, const char *device)
}
static void
+save_attestation(struct sshbuf *attest, const char *path)
+{
+ mode_t omask;
+ int r;
+
+ if (path == NULL)
+ return; /* nothing to do */
+ if (attest == NULL || sshbuf_len(attest) == 0)
+ fatal("Enrollment did not return attestation data");
+ omask = umask(077);
+ r = sshbuf_write_file(path, attest);
+ umask(omask);
+ if (r != 0)
+ fatal("Unable to write attestation data \"%s\": %s", path,
+ ssh_err(r));
+ if (!quiet)
+ printf("Your FIDO attestation certificate has been saved in "
+ "%s\n", path);
+}
+
+static void
usage(void)
{
fprintf(stderr,
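Review bot: The new save_attestation() has no header comment, and its contract (fatal() on a missing or empty blob, fatal() on write failure, and the temporary umask(077) so the file is created owner-readable only) is worth stating since it is now the only place the attestation blob reaches disk; a comment above the definition such as `/* Write the attestation blob (now including authenticator data) to path, created with a 077 umask; fatal()s on empty data or write error. */` would do. Note that the umask only governs a newly created file: if sshbuf_write_file() truncates an existing file at path, that file presumably keeps its previous mode (its behaviour is not visible in this hunk — confirm). The user-facing message still says "attestation certificate" while the commit description records a fuller attestation blob, so `"Your FIDO attestation data has been saved in %s\n"` would match what is actually written. usage(), whose first lines close this hunk, continues outside it.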
@@ -3137,7 +3158,7 @@ main(int argc, char **argv)
unsigned long long cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL;
- char *sk_attestaion_path = NULL;
+ char *sk_attestation_path = NULL;
struct sshbuf *challenge = NULL, *attest = NULL;
size_t i, nopts = 0;
u_int32_t bits = 0;
@@ -3593,7 +3614,7 @@ main(int argc, char **argv)
}
} else if (strncasecmp(opts[i],
"write-attestation=", 18) == 0) {
- sk_attestaion_path = opts[i] + 18;
+ sk_attestation_path = opts[i] + 18;
} else if (strncasecmp(opts[i],
"application=", 12) == 0) {
sk_application = xstrdup(opts[i] + 12);
@@ -3715,20 +3736,9 @@ main(int argc, char **argv)
free(fp);
}
- if (sk_attestaion_path != NULL) {
- if (attest == NULL || sshbuf_len(attest) == 0) {
- fatal("Enrollment did not return attestation "
- "certificate");
- }
- if ((r = sshbuf_write_file(sk_attestaion_path, attest)) != 0) {
- fatal("Unable to write attestation certificate "
- "\"%s\": %s", sk_attestaion_path, ssh_err(r));
- }
- if (!quiet) {
- printf("Your FIDO attestation certificate has been "
- "saved in %s\n", sk_attestaion_path);
- }
- }
+ if (sk_attestation_path != NULL)
+ save_attestation(attest, sk_attestation_path);
+
sshbuf_free(attest);
sshkey_free(public);