diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:06:18 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (patch) | |
| tree | d4523956d4623b19bf5904d1b92afeb2307f69d3 /sshkey.c | |
| parent | 1196d7f49d4fbc90f37e550de3056561613b0960 (diff) | |
upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
Diffstat (limited to 'sshkey.c')
| -rw-r--r-- | sshkey.c | 20 |
1 files changed, 11 insertions, 9 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshkey.c,v 1.110 2020/06/24 15:07:33 markus Exp $ */ | 1 | /* $OpenBSD: sshkey.c,v 1.111 2020/08/27 01:06:19 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. | 4 | * Copyright (c) 2008 Alexander von Gernler. All rights reserved. |
| @@ -2727,7 +2727,7 @@ int | |||
| 2727 | sshkey_sign(struct sshkey *key, | 2727 | sshkey_sign(struct sshkey *key, |
| 2728 | u_char **sigp, size_t *lenp, | 2728 | u_char **sigp, size_t *lenp, |
| 2729 | const u_char *data, size_t datalen, | 2729 | const u_char *data, size_t datalen, |
| 2730 | const char *alg, const char *sk_provider, u_int compat) | 2730 | const char *alg, const char *sk_provider, const char *sk_pin, u_int compat) |
| 2731 | { | 2731 | { |
| 2732 | int was_shielded = sshkey_is_shielded(key); | 2732 | int was_shielded = sshkey_is_shielded(key); |
| 2733 | int r2, r = SSH_ERR_INTERNAL_ERROR; | 2733 | int r2, r = SSH_ERR_INTERNAL_ERROR; |
| @@ -2766,7 +2766,7 @@ sshkey_sign(struct sshkey *key, | |||
| 2766 | case KEY_ECDSA_SK_CERT: | 2766 | case KEY_ECDSA_SK_CERT: |
| 2767 | case KEY_ECDSA_SK: | 2767 | case KEY_ECDSA_SK: |
| 2768 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, | 2768 | r = sshsk_sign(sk_provider, key, sigp, lenp, data, |
| 2769 | datalen, compat, /* XXX PIN */ NULL); | 2769 | datalen, compat, sk_pin); |
| 2770 | break; | 2770 | break; |
| 2771 | #ifdef WITH_XMSS | 2771 | #ifdef WITH_XMSS |
| 2772 | case KEY_XMSS: | 2772 | case KEY_XMSS: |
| @@ -2888,7 +2888,8 @@ sshkey_drop_cert(struct sshkey *k) | |||
| 2888 | /* Sign a certified key, (re-)generating the signed certblob. */ | 2888 | /* Sign a certified key, (re-)generating the signed certblob. */ |
| 2889 | int | 2889 | int |
| 2890 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | 2890 | sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, |
| 2891 | const char *sk_provider, sshkey_certify_signer *signer, void *signer_ctx) | 2891 | const char *sk_provider, const char *sk_pin, |
| 2892 | sshkey_certify_signer *signer, void *signer_ctx) | ||
| 2892 | { | 2893 | { |
| 2893 | struct sshbuf *principals = NULL; | 2894 | struct sshbuf *principals = NULL; |
| 2894 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; | 2895 | u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32]; |
| @@ -3026,7 +3027,7 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
| 3026 | 3027 | ||
| 3027 | /* Sign the whole mess */ | 3028 | /* Sign the whole mess */ |
| 3028 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), | 3029 | if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert), |
| 3029 | sshbuf_len(cert), alg, sk_provider, 0, signer_ctx)) != 0) | 3030 | sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0) |
| 3030 | goto out; | 3031 | goto out; |
| 3031 | /* Check and update signature_type against what was actually used */ | 3032 | /* Check and update signature_type against what was actually used */ |
| 3032 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) | 3033 | if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0) |
| @@ -3056,19 +3057,20 @@ sshkey_certify_custom(struct sshkey *k, struct sshkey *ca, const char *alg, | |||
| 3056 | static int | 3057 | static int |
| 3057 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, | 3058 | default_key_sign(struct sshkey *key, u_char **sigp, size_t *lenp, |
| 3058 | const u_char *data, size_t datalen, | 3059 | const u_char *data, size_t datalen, |
| 3059 | const char *alg, const char *sk_provider, u_int compat, void *ctx) | 3060 | const char *alg, const char *sk_provider, const char *sk_pin, |
| 3061 | u_int compat, void *ctx) | ||
| 3060 | { | 3062 | { |
| 3061 | if (ctx != NULL) | 3063 | if (ctx != NULL) |
| 3062 | return SSH_ERR_INVALID_ARGUMENT; | 3064 | return SSH_ERR_INVALID_ARGUMENT; |
| 3063 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, | 3065 | return sshkey_sign(key, sigp, lenp, data, datalen, alg, |
| 3064 | sk_provider, compat); | 3066 | sk_provider, sk_pin, compat); |
| 3065 | } | 3067 | } |
| 3066 | 3068 | ||
| 3067 | int | 3069 | int |
| 3068 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, | 3070 | sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, |
| 3069 | const char *sk_provider) | 3071 | const char *sk_provider, const char *sk_pin) |
| 3070 | { | 3072 | { |
| 3071 | return sshkey_certify_custom(k, ca, alg, sk_provider, | 3073 | return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin, |
| 3072 | default_key_sign, NULL); | 3074 | default_key_sign, NULL); |
| 3073 | } | 3075 | } |
| 3074 | 3076 | ||