summaryrefslogtreecommitdiff
path: root/sk-usbhid.c
AgeCommit message (Collapse)Author
2020-05-27upstream: we are still aiming for pre-C99 ...deraadt@openbsd.org
OpenBSD-Commit-ID: a240fc9cbe60bc4e6c3d24d022eb4ab01fe1cb38
2020-05-27upstream: Enable credProtect extension when generating a residentdjm@openbsd.org
key. The FIDO 2.1 Client to Authenticator Protocol introduced a "credProtect" feature to better protect resident keys. This option allows (amone other possibilities) requiring a PIN prior to all operations that may retrieve the key handle. Patch by Pedro Martelletto; ok djm and markus OpenBSD-Commit-ID: 013bc06a577dcaa66be3913b7f183eb8cad87e73
2020-05-27upstream: always call fido_init(); previous behaviour only calleddjm@openbsd.org
fido_init() when SK_DEBUG was defined. Harmless with current libfido2, but this isn't guaranteed in the future. OpenBSD-Commit-ID: c7ea20ff2bcd98dd12015d748d3672d4f01f0864
2020-05-01wrap sha2.h inclusion in #ifdef HAVE_SHA2_HDamien Miller
2020-05-01upstream: when signing a challenge using a FIDO toke, perform thedjm@openbsd.org
hashing in the middleware layer rather than in ssh code. This allows middlewares that call APIs that perform the hashing implicitly (including Microsoft's AFAIK). ok markus@ OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d
2020-01-29upstream: changes to support FIDO attestationdjm@openbsd.org
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-26upstream: improve the error message for u2f enrollment errors bydjm@openbsd.org
making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-06upstream: missing else in check_enroll_options()djm@openbsd.org
OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4
2020-01-06upstream: fix error messagedjm@openbsd.org
OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505
2020-01-06upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org
for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2019-12-30upstream: translate and return error codes; retry on bad PINdjm@openbsd.org
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-30upstream: resident keys support in SK APIdjm@openbsd.org
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys. Implement support for this in the usbhid middleware. feedback and ok markus@ OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
2019-12-30upstream: basic support for generating FIDO2 resident keysdjm@openbsd.org
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a device-resident key. feedback and ok markus@ OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
2019-11-20upstream: add the missing WITH_OPENSSL ifdefs after the ED25519-SKnaddy@openbsd.org
addition; ok djm@ OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474
2019-11-17upstream: fix typos in sk_enrollmarkus@openbsd.org
OpenBSD-Commit-ID: faa9bf779e008b3e64e2eb1344d9b7d83b3c4487
2019-11-17upstream: remove most uses of BN_CTXdjm@openbsd.org
We weren't following the rules re BN_CTX_start/BN_CTX_end and the places we were using it didn't benefit from its use anyway. ok dtucker@ OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a
2019-11-15upstream: rewrite c99-ismderaadt@openbsd.org
OpenBSD-Commit-ID: d0c70cca29cfa7e6d9f7ec1d6d5dabea112499b3
2019-11-15upstream: U2F tokens may return FIDO_ERR_USER_PRESENCE_REQUIRED whendjm@openbsd.org
probed to see if they own a key handle. Handle this case so the find_device() look can work for them. Reported by Michael Forney OpenBSD-Commit-ID: 2ccd5b30a6ddfe4dba228b7159bf168601bd9166
2019-11-15upstream: correct function name in debug messagedjm@openbsd.org
OpenBSD-Commit-ID: 2482c99d2ce448f39282493050f8a01e3ffc39ab
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069