summaryrefslogtreecommitdiffstats
path: root/sk-usbhid.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: changes to support FIDO attestationdjm@openbsd.org2020-01-291-0/+1
| | | | | | | | | | | | | | | Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
* upstream: improve the error message for u2f enrollment errors bydjm@openbsd.org2020-01-261-72/+27
| | | | | | | | | | | | | making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
* upstream: missing else in check_enroll_options()djm@openbsd.org2020-01-061-1/+1
| | | | OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4
* upstream: fix error messagedjm@openbsd.org2020-01-061-2/+1
| | | | OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505
* upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org2020-01-061-42/+152
| | | | | | | | | | | | | | | | | | | | for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
* upstream: translate and return error codes; retry on bad PINdjm@openbsd.org2019-12-301-17/+32
| | | | | | | | | | | | Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
* upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org2019-12-301-5/+5
| | | | | | | | | | | | | Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
* upstream: resident keys support in SK APIdjm@openbsd.org2019-12-301-6/+232
| | | | | | | | | | | | Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys. Implement support for this in the usbhid middleware. feedback and ok markus@ OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
* upstream: basic support for generating FIDO2 resident keysdjm@openbsd.org2019-12-301-2/+8
| | | | | | | | | "ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
* upstream: add the missing WITH_OPENSSL ifdefs after the ED25519-SKnaddy@openbsd.org2019-11-191-0/+12
| | | | | | addition; ok djm@ OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474
* upstream: fix typos in sk_enrollmarkus@openbsd.org2019-11-161-5/+5
| | | | OpenBSD-Commit-ID: faa9bf779e008b3e64e2eb1344d9b7d83b3c4487
* upstream: remove most uses of BN_CTXdjm@openbsd.org2019-11-161-8/+7
| | | | | | | We weren't following the rules re BN_CTX_start/BN_CTX_end and the places we were using it didn't benefit from its use anyway. ok dtucker@ OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a
* upstream: rewrite c99-ismderaadt@openbsd.org2019-11-151-2/+2
| | | | OpenBSD-Commit-ID: d0c70cca29cfa7e6d9f7ec1d6d5dabea112499b3
* upstream: U2F tokens may return FIDO_ERR_USER_PRESENCE_REQUIRED whendjm@openbsd.org2019-11-151-0/+4
| | | | | | | probed to see if they own a key handle. Handle this case so the find_device() look can work for them. Reported by Michael Forney OpenBSD-Commit-ID: 2ccd5b30a6ddfe4dba228b7159bf168601bd9166
* upstream: correct function name in debug messagedjm@openbsd.org2019-11-151-1/+1
| | | | OpenBSD-Commit-ID: 2482c99d2ce448f39282493050f8a01e3ffc39ab
* upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org2019-11-141-0/+697
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069