From ebf6e184470ac8adcc90d7589f13a1fcd2a80066 Mon Sep 17 00:00:00 2001
From: Ben Homer <bmhomer13@gmail.com>
Date: Feb 06 2025 19:24:17 +0000
Subject: Merge webauthn patch to c10s-sig-hyperscale


---

diff --git a/fb87_sk_ecdsa_webauthn.patch b/fb87_sk_ecdsa_webauthn.patch
new file mode 100644
index 0000000..8bbc7a4
--- /dev/null
+++ b/fb87_sk_ecdsa_webauthn.patch
@@ -0,0 +1,30 @@
+Index: openssh-8.7p1/ssh-ecdsa-sk.c
+===================================================================
+--- openssh-8.7p1.orig/ssh-ecdsa-sk.c
++++ openssh-8.7p1/ssh-ecdsa-sk.c
+@@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey
+ 		ret = SSH_ERR_INVALID_FORMAT;
+ 		goto out;
+ 	}
+-	if (is_webauthn) {
+-		if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
+-		    sshbuf_froms(b, &webauthn_wrapper) != 0 ||
+-		    sshbuf_froms(b, &webauthn_exts) != 0) {
+-			ret = SSH_ERR_INVALID_FORMAT;
+-			goto out;
+-		}
+-	}
++	if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
++            sshbuf_froms(b, &webauthn_wrapper) != 0 ||
++            sshbuf_froms(b, &webauthn_exts) != 0) {
++                if (is_webauthn) {
++		    ret = SSH_ERR_INVALID_FORMAT;
++		    goto out;
++                }
++        } else {
++            // webauthn signature detected based on structure
++            is_webauthn = 1;
++        }
+ 	if (sshbuf_len(b) != 0) {
+ 		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+ 		goto out;
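Review bot: The fallback on the new lines leaves `b` partially consumed when the signature is not declared webauthn: if `sshbuf_get_cstring` succeeds but one of the `sshbuf_froms` calls fails, the origin string has already been removed from `b`, so a plain sk-ecdsa signature carrying one stray trailing string passes the `sshbuf_len(b) != 0` check below and is verified as if it were canonical. The parse should be all-or-nothing: any trailing bytes must form a complete webauthn wrapper or be rejected, independent of the declared type, which also keeps the trailing-data check meaningful. The structural detection itself still routes into the webauthn hashing path, so the point to record near `is_webauthn = 1` is why a signature labelled sk-ecdsa is allowed to carry webauthn fields, rather than the bare `// webauthn signature detected based on structure`. The new lines also mix space and tab indentation and use a `//` comment, which the surrounding OpenSSH code does not. ssh_ecdsa_sk_verify starts and ends outside the hunk.
```c
	/* … unchanged: earlier field parsing … */
	if (sshbuf_len(b) != 0) {
		/*
		 * Trailing bytes are accepted only as a complete webauthn
		 * wrapper (origin, wrapper, exts), whatever signature type
		 * the blob declared; a partial match must not leave b
		 * half-consumed and fall through to the plain path.
		 */
		if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 ||
		    sshbuf_froms(b, &webauthn_wrapper) != 0 ||
		    sshbuf_froms(b, &webauthn_exts) != 0) {
			ret = SSH_ERR_INVALID_FORMAT;
			goto out;
		}
		is_webauthn = 1;
	} else if (is_webauthn) {
		/* declared webauthn, but the wrapper fields are missing */
		ret = SSH_ERR_INVALID_FORMAT;
		goto out;
	}
	/* … unchanged: trailing-data check and verification … */
```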
diff --git a/openssh.spec b/openssh.spec
index 1900eaf..528ef72 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -44,7 +44,7 @@
 
 %global openssh_ver 9.9p1
 %global openssh_rel 4
-%global hyperscale_rel 1
+%global hyperscale_rel 2
 
 
 Summary: An open source implementation of SSH protocol version 2
@@ -236,6 +236,8 @@ Patch2018: fb87_pass_principals_to_child.patch
 # Log extra authentication information to the auth_info structured
 # logging field, and add tests for pubkey and cert auth.
 Patch2019: fb87_log_auth_info.patch
+# Detect webauthn-sk-ecdsa signatures based on signature format.
+Patch2020: fb87_sk_ecdsa_webauthn.patch
 
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -434,6 +436,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 2017 -p1 -b .log_accept_env
 %patch -P 2018 -p1 -b .pass_principals_to_child
 %patch -P 2019 -p1 -b .log_auth_info
+%patch -P 2020 -p1 -b .sk_ecdsa_webauthn
 %endif
 
 %if 0%{?facebook} && 0%{?use_quilt}
@@ -717,6 +720,9 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 
 %changelog
+* Thu Dec 19 2024 Ben Homer <bmhomer13@gmail.com> 9.9p1-4.2
+-  Allow webauthn-sk-ecdsa signatures to be detected based on format
+
 * Fri Nov 22 2024 Vishal Mishra <vishalmishra@meta.com> 9.9p1-4.1
 - Merge fb patches to c10s to create c10s-sig-hyperscale