From 02f4c3ff52f99b0e57145294932eecbdb587dc1f Mon Sep 17 00:00:00 2001
From: Ben Homer <bmhomer13@gmail.com>
Date: Jan 08 2025 13:42:18 +0000
Subject: Allow sk webauthn signatures to be determined based on structure


---

diff --git a/fb87_sk_ecdsa_webauthn.patch b/fb87_sk_ecdsa_webauthn.patch
new file mode 100644
index 0000000..8bbc7a4
--- /dev/null
+++ b/fb87_sk_ecdsa_webauthn.patch
@@ -0,0 +1,30 @@
+Index: openssh-8.7p1/ssh-ecdsa-sk.c
+===================================================================
+--- openssh-8.7p1.orig/ssh-ecdsa-sk.c
++++ openssh-8.7p1/ssh-ecdsa-sk.c
+@@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey
+ 		ret = SSH_ERR_INVALID_FORMAT;
+ 		goto out;
+ 	}
+-	if (is_webauthn) {
+-		if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
+-		    sshbuf_froms(b, &webauthn_wrapper) != 0 ||
+-		    sshbuf_froms(b, &webauthn_exts) != 0) {
+-			ret = SSH_ERR_INVALID_FORMAT;
+-			goto out;
+-		}
+-	}
++	if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
++            sshbuf_froms(b, &webauthn_wrapper) != 0 ||
++            sshbuf_froms(b, &webauthn_exts) != 0) {
++                if (is_webauthn) {
++		    ret = SSH_ERR_INVALID_FORMAT;
++		    goto out;
++                }
++        } else {
++            // webauthn signature detected based on structure
++            is_webauthn = 1;
++        }
+ 	if (sshbuf_len(b) != 0) {
+ 		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+ 		goto out;
diff --git a/openssh.spec b/openssh.spec
index 28ec48a..4445d01 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -52,7 +52,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
 %global openssh_rel 43
-%global hyperscale_rel 2
+%global hyperscale_rel 3
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -329,6 +329,8 @@ Patch2018: fb87_pass_principals_to_child.patch
 # Log extra authentication information to the auth_info structured
 # logging field, and add tests for pubkey and cert auth.
 Patch2019: fb87_log_auth_info.patch
+# Detect webauthn-sk-ecdsa signatures based on signature format.
+Patch2020: fb87_sk_ecdsa_webauthn.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -567,6 +569,7 @@ popd
 %patch2017 -p1 -b .log_accept_env
 %patch2018 -p1 -b .pass_principals_to_child
 %patch2019 -p1 -b .log_auth_info
+%patch2020 -p1 -b .sk_ecdsa_webauthn
 %endif
 
 %if 0%{?facebook} && 0%{?use_quilt}
@@ -860,6 +863,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Dec 19 2024 Ben Homer <bmhomer13@gmail.com> - 8.7p1-43.3 + 0.10.4-5.3
+- Allow webauthn-sk-ecdsa signatures to be detected based on format
+
 * Wed Jul 10 2024 Raymond Colebaugh <raymondcolebaugh@gmail.com> - 8.7p1-43.2 + 0.10.4-5.43.2
 - Reenable keyperm patch in facebook builds