upstream: preserve verify-required for resident FIDO keys

When downloading a resident, verify-required key from a FIDO token, preserve the verify-required in the private key that is written to disk. Previously we weren't doing that because of lack of support in the middleware API. from Pedro Martelletto; ok markus@ and myself OpenBSD-Commit-ID: 201c46ccdd227cddba3d64e1bdbd082afa956517
author: djm@openbsd.org <djm@openbsd.org> 2020-08-27 03:08:19 +0200
committer: Damien Miller <djm@mindrot.org> 2020-08-27 03:28:36 +0200
commit: b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch)
tree: 8ca219f355befba5bee1188871bd4db46dac1f04 /ssh-sk.c
parent: upstream: major rework of FIDO token selection logic (diff)
download: openssh-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.tar.xz
openssh-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.zip
1 files changed, 3 insertions, 2 deletions
diff --git a/ssh-sk.c b/ssh-sk.c
index 1afb205f8..89478aff0 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.31 2020/08/27 01:08:19 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -769,8 +769,9 @@ sshsk_load_resident(const char *provider_path, const char *device,
 		default:
 			continue;
 		}
-		/* XXX where to get flags? */
 		flags = SSH_SK_USER_PRESENCE_REQD|SSH_SK_RESIDENT_KEY;
+		if ((rks[i]->flags & SSH_SK_USER_VERIFICATION_REQD))
+			flags |= SSH_SK_USER_VERIFICATION_REQD;
 		if ((r = sshsk_key_from_response(rks[i]->alg,
 		    rks[i]->application, flags, &rks[i]->key, &key)) != 0)
 			goto out;
author	djm@openbsd.org <djm@openbsd.org>	2020-08-27 03:08:19 +0200
committer	Damien Miller <djm@mindrot.org>	2020-08-27 03:28:36 +0200
commit	b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0 (patch)
tree	8ca219f355befba5bee1188871bd4db46dac1f04 /ssh-sk.c
parent	upstream: major rework of FIDO token selection logic (diff)
download	openssh-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.tar.xz openssh-b649b3daa6d4b8ebe1bd6de69b3db5d2c03c9af0.zip