From 9ab929ca2d820520327b41929372bcb9e261534c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 20 Jul 2022 03:29:14 +0000
Subject: upstream: when enrolling a resident key on a security token, check if a credential with matching application and user ID strings already exists. if so, prompt the user for confirmation before overwriting the credential. patch from Pedro Martelletto via GHPR329 NB. cranks SSH_SK_VERSION_MAJOR, so any third-party FIDO middleware implementations will need to adjust
OpenBSD-Commit-ID: e45e9f1bf2b2f32d9850669e7a8dbd64acc5fca4
---
 sk-api.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'sk-api.h')
diff --git a/sk-api.h b/sk-api.h
index 34e110b4..08f567a9 100644
--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.14 2021/11/02 22:56:40 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.15 2022/07/20 03:29:14 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -26,6 +26,7 @@
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD 0x01
 #define SSH_SK_USER_VERIFICATION_REQD 0x04
+#define SSH_SK_FORCE_OPERATION 0x10
 #define SSH_SK_RESIDENT_KEY 0x20
 /* Algs */
@@ -37,6 +38,7 @@
 #define SSH_SK_ERR_UNSUPPORTED -2
 #define SSH_SK_ERR_PIN_REQUIRED -3
 #define SSH_SK_ERR_DEVICE_NOT_FOUND -4
+#define SSH_SK_ERR_CREDENTIAL_EXISTS -5
 struct sk_enroll_response {
 uint8_t flags;
@@ -77,7 +79,7 @@ struct sk_option {
 uint8_t required;
 };
-#define SSH_SK_VERSION_MAJOR 0x00090000 /* current API version */
+#define SSH_SK_VERSION_MAJOR 0x000a0000 /* current API version */
 #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
 /* Return the version of the middleware API */
-- cgit v1.2.1
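Review bot: The new `SSH_SK_FORCE_OPERATION` flag (hunk `@@ -26,6 +26,7 @@`) and the new `SSH_SK_ERR_CREDENTIAL_EXISTS` code (hunk `@@ -37,6 +38,7 @@`) are added without comments, so the header does not state the overwrite contract that third-party middleware now has to implement. Going by the commit message, enrolling a resident key is presumably meant to fail with the new error when a credential with the same application and user ID already exists, unless the caller sets the force flag. I would document that next to the defines, for example `/* enroll: replace an existing resident credential with matching application and user ID */` on the flag and `/* matching resident credential exists; caller may retry with SSH_SK_FORCE_OPERATION */` on the error code. Overwriting discards the credential already on the token, so the comment should also say the flag is only to be set after the user has confirmed.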