summaryrefslogtreecommitdiff
path: root/sk-usbhid.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2019-12-30 09:19:52 +0000
committerDamien Miller <djm@mindrot.org>2019-12-30 20:57:58 +1100
commit4532bd01d57ee13c3ca881eceac1bf9da96a4d7e (patch)
tree8d28ff7b3344eb6db167c609372ad804c05a81fd /sk-usbhid.c
parent3e60d18fba1b502c21d64fc7e81d80bcd08a2092 (diff)
upstream: basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
Diffstat (limited to 'sk-usbhid.c')
-rw-r--r--sk-usbhid.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 594f5d890..61b52bbb9 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -56,7 +56,9 @@
56#define SK_VERSION_MAJOR 0x00020000 /* current API version */ 56#define SK_VERSION_MAJOR 0x00020000 /* current API version */
57 57
58/* Flags */ 58/* Flags */
59#define SK_USER_PRESENCE_REQD 0x01 59#define SK_USER_PRESENCE_REQD 0x01
60#define SK_USER_VERIFICATION_REQD 0x04
61#define SK_RESIDENT_KEY 0x20
60 62
61/* Algs */ 63/* Algs */
62#define SK_ECDSA 0x00 64#define SK_ECDSA 0x00
@@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
410 int r; 412 int r;
411 char *device = NULL; 413 char *device = NULL;
412 414
413 (void)flags; /* XXX; unused */
414#ifdef SK_DEBUG 415#ifdef SK_DEBUG
415 fido_init(FIDO_DEBUG); 416 fido_init(FIDO_DEBUG);
416#endif 417#endif
@@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
452 fido_strerr(r)); 453 fido_strerr(r));
453 goto out; 454 goto out;
454 } 455 }
456 if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
457 FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
458 skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
459 goto out;
460 }
455 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id), 461 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
456 "openssh", "openssh", NULL)) != FIDO_OK) { 462 "openssh", "openssh", NULL)) != FIDO_OK) {
457 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r)); 463 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));