diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-08-27 01:06:18 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-08-27 11:28:36 +1000 |
| commit | 9b8ad93824c682ce841f53f3b5762cef4e7cc4dc (patch) | |
| tree | d4523956d4623b19bf5904d1b92afeb2307f69d3 /sshkey.h | |
| parent | 1196d7f49d4fbc90f37e550de3056561613b0960 (diff) | |
upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
Diffstat (limited to 'sshkey.h')
| -rw-r--r-- | sshkey.h | 11 |
1 files changed, 6 insertions, 5 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: sshkey.h,v 1.45 2020/04/08 00:08:46 djm Exp $ */ | 1 | /* $OpenBSD: sshkey.h,v 1.46 2020/08/27 01:06:19 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. |
| @@ -200,12 +200,13 @@ size_t sshkey_format_cert_validity(const struct sshkey_cert *, | |||
| 200 | int sshkey_check_cert_sigtype(const struct sshkey *, const char *); | 200 | int sshkey_check_cert_sigtype(const struct sshkey *, const char *); |
| 201 | 201 | ||
| 202 | int sshkey_certify(struct sshkey *, struct sshkey *, | 202 | int sshkey_certify(struct sshkey *, struct sshkey *, |
| 203 | const char *, const char *); | 203 | const char *, const char *, const char *); |
| 204 | /* Variant allowing use of a custom signature function (e.g. for ssh-agent) */ | 204 | /* Variant allowing use of a custom signature function (e.g. for ssh-agent) */ |
| 205 | typedef int sshkey_certify_signer(struct sshkey *, u_char **, size_t *, | 205 | typedef int sshkey_certify_signer(struct sshkey *, u_char **, size_t *, |
| 206 | const u_char *, size_t, const char *, const char *, u_int, void *); | 206 | const u_char *, size_t, const char *, const char *, const char *, |
| 207 | u_int, void *); | ||
| 207 | int sshkey_certify_custom(struct sshkey *, struct sshkey *, const char *, | 208 | int sshkey_certify_custom(struct sshkey *, struct sshkey *, const char *, |
| 208 | const char *, sshkey_certify_signer *, void *); | 209 | const char *, const char *, sshkey_certify_signer *, void *); |
| 209 | 210 | ||
| 210 | int sshkey_ecdsa_nid_from_name(const char *); | 211 | int sshkey_ecdsa_nid_from_name(const char *); |
| 211 | int sshkey_curve_name_to_nid(const char *); | 212 | int sshkey_curve_name_to_nid(const char *); |
| @@ -234,7 +235,7 @@ int sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *); | |||
| 234 | int sshkey_putb_plain(const struct sshkey *, struct sshbuf *); | 235 | int sshkey_putb_plain(const struct sshkey *, struct sshbuf *); |
| 235 | 236 | ||
| 236 | int sshkey_sign(struct sshkey *, u_char **, size_t *, | 237 | int sshkey_sign(struct sshkey *, u_char **, size_t *, |
| 237 | const u_char *, size_t, const char *, const char *, u_int); | 238 | const u_char *, size_t, const char *, const char *, const char *, u_int); |
| 238 | int sshkey_verify(const struct sshkey *, const u_char *, size_t, | 239 | int sshkey_verify(const struct sshkey *, const u_char *, size_t, |
| 239 | const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); | 240 | const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); |
| 240 | int sshkey_check_sigtype(const u_char *, size_t, const char *); | 241 | int sshkey_check_sigtype(const u_char *, size_t, const char *); |