author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:19:52 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 20:57:58 +1100 |
commit | 4532bd01d57ee13c3ca881eceac1bf9da96a4d7e (patch) | |
tree | 8d28ff7b3344eb6db167c609372ad804c05a81fd /sk-usbhid.c | |
parent | 3e60d18fba1b502c21d64fc7e81d80bcd08a2092 (diff) |
upstream: basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.
feedback and ok markus@
OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
Diffstat (limited to 'sk-usbhid.c')
-rw-r--r-- | sk-usbhid.c | 10 |
1 files changed, 8 insertions, 2 deletions
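--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -56,7 +56,9 @@
 #define SK_VERSION_MAJOR 0x00020000 /* current API version */
 
 /* Flags */
 #define SK_USER_PRESENCE_REQD 0x01
+#define SK_USER_VERIFICATION_REQD 0x04
+#define SK_RESIDENT_KEY 0x20
 
 /* Algs */
 #define SK_ECDSA 0x00
@@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 int r;
 char *device = NULL;
 
-(void)flags; /* XXX; unused */
 #ifdef SK_DEBUG
 fido_init(FIDO_DEBUG);
 #endif
@@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 fido_strerr(r));
 goto out;
 }
+if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
+skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
+goto out;
+}
 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
 "openssh", "openssh", NULL)) != FIDO_OK) {
 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));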
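Review bot: The new fido_cred_set_rk call makes the credential discoverable on the token, but nothing in the hunk constrains who may use it: SK_USER_VERIFICATION_REQD is defined next to SK_RESIDENT_KEY yet is not passed through to fido_cred_set_uv, so a resident key is created under the authenticator's default UV policy and, as far as these lines show, anyone holding the token can assert with it (and enumerate it on CTAP2 devices with credential management). At minimum the flag definitions deserve a caveat, e.g. `/* SK_RESIDENT_KEY: credential is stored on the token and usable by anyone holding it unless SK_USER_VERIFICATION_REQD is also enforced */`. A second point concerns the fido_cred_set_user call that follows the new block: it passes a fixed "openssh" name with a user_id declared outside this hunk, and FIDO2 authenticators key resident credentials by (rp_id, user_id), so if user_id is a constant, enrolling a second resident key for the same application will presumably overwrite the first on the device; that should be documented or surfaced to the caller rather than discovered after the fact. sk_enroll begins and ends outside the hunks shown.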