diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:06:18 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (patch) | |
| tree | d4523956d4623b19bf5904d1b92afeb2307f69d3 /ssh_api.c | |
| parent | 1196d7f49d4fbc90f37e550de3056561613b0960 (diff) | |
upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
Diffstat (limited to 'ssh_api.c')
| -rw-r--r-- | ssh_api.c | 10 |
1 files changed, 5 insertions, 5 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh_api.c,v 1.20 2020/07/01 16:28:31 markus Exp $ */ | 1 | /* $OpenBSD: ssh_api.c,v 1.21 2020/08/27 01:06:18 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2012 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2012 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -54,7 +54,7 @@ int _ssh_host_key_sign(struct ssh *, struct sshkey *, struct sshkey *, | |||
| 54 | */ | 54 | */ |
| 55 | int use_privsep = 0; | 55 | int use_privsep = 0; |
| 56 | int mm_sshkey_sign(struct sshkey *, u_char **, u_int *, | 56 | int mm_sshkey_sign(struct sshkey *, u_char **, u_int *, |
| 57 | const u_char *, u_int, const char *, const char *, u_int); | 57 | const u_char *, u_int, const char *, const char *, const char *, u_int); |
| 58 | 58 | ||
| 59 | #ifdef WITH_OPENSSL | 59 | #ifdef WITH_OPENSSL |
| 60 | DH *mm_choose_dh(int, int, int); | 60 | DH *mm_choose_dh(int, int, int); |
| @@ -66,8 +66,8 @@ u_int session_id2_len = 0; | |||
| 66 | 66 | ||
| 67 | int | 67 | int |
| 68 | mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp, | 68 | mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp, |
| 69 | const u_char *data, u_int datalen, const char *alg, const char *sk_provider, | 69 | const u_char *data, u_int datalen, const char *alg, |
| 70 | u_int compat) | 70 | const char *sk_provider, const char *sk_pin, u_int compat) |
| 71 | { | 71 | { |
| 72 | return (-1); | 72 | return (-1); |
| 73 | } | 73 | } |
| @@ -567,5 +567,5 @@ _ssh_host_key_sign(struct ssh *ssh, struct sshkey *privkey, | |||
| 567 | const u_char *data, size_t dlen, const char *alg) | 567 | const u_char *data, size_t dlen, const char *alg) |
| 568 | { | 568 | { |
| 569 | return sshkey_sign(privkey, signature, slen, data, dlen, | 569 | return sshkey_sign(privkey, signature, slen, data, dlen, |
| 570 | alg, NULL, ssh->compat); | 570 | alg, NULL, NULL, ssh->compat); |
| 571 | } | 571 | } |