summaryrefslogtreecommitdiff
path: root/ssh-sk.c
AgeCommit message (Collapse)Author
2020-01-29upstream: changes to support FIDO attestationdjm@openbsd.org
Allow writing to disk the attestation certificate that is generated by the FIDO token at key enrollment time. These certificates may be used by an out-of-band workflow to prove that a particular key is held in trustworthy hardware. Allow passing in a challenge that will be sent to the card during key enrollment. These are needed to build an attestation workflow that resists replay attacks. ok markus@ OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6
2020-01-26upstream: improve the error message for u2f enrollment errors bydjm@openbsd.org
making ssh-keygen be solely responsible for printing the error message and convertint some more common error responses from the middleware to a useful ssherr.h status code. more detail remains visible via -v of course. also remove indepedent copy of sk-api.h declarations in sk-usbhid.c and just include it. feedback & ok markus@ OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb
2020-01-14Wrap stdint.h inside HAVE_STDINT_H.Darren Tucker
2020-01-06upstream: Extends the SK API to accept a set of key/value optionsdjm@openbsd.org
for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
2019-12-30upstream: translate and return error codes; retry on bad PINdjm@openbsd.org
Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
2019-12-30upstream: improve some error messages; ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81
2019-12-30upstream: SK API and sk-helper error/PIN passingdjm@openbsd.org
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-30upstream: resident keys support in SK APIdjm@openbsd.org
Adds a sk_load_resident_keys() function to the security key API that accepts a security key provider and a PIN and returns a list of keys. Implement support for this in the usbhid middleware. feedback and ok markus@ OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0
2019-12-30upstream: Factor out parsing of struct sk_enroll_responsedjm@openbsd.org
We'll reuse this for extracting resident keys from a device. feedback and ok markus@ OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273
2019-12-14upstream: use ssh-sk-helper for all security key signing operationsdjm@openbsd.org
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-11-28upstream: remove stray semicolon after closing brace of function;djm@openbsd.org
from Michael Forney OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
2019-11-20upstream: adjust on-wire signature encoding for ecdsa-sk keys todjm@openbsd.org
better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne NB. if you are depending on security keys (already?) then make sure you update both your clients and servers. OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
2019-11-20upstream: add the missing WITH_OPENSSL ifdefs after the ED25519-SKnaddy@openbsd.org
addition; ok djm@ OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474
2019-11-18upstream: tweak debug messagedjm@openbsd.org
OpenBSD-Commit-ID: 2bf336d3be0b7e3dd97920d7e7471146a281d2b9
2019-11-17upstream: a little debug() in the security key interfacedjm@openbsd.org
OpenBSD-Commit-ID: 4c70300609a5c8b19707207bb7ad4109e963b0e8
2019-11-15upstream: directly support U2F/FIDO2 security keys in OpenSSH bydjm@openbsd.org
linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
2019-11-15upstream: fix check for sig_s; noted by qsa at qualys.commarkus@openbsd.org
OpenBSD-Commit-ID: 34198084e4afb424a859f52c04bb2c9668a52867
2019-11-13upstream: allow an empty attestation certificate returned by adjm@openbsd.org
security key enrollment - these are possible for tokens that only offer self- attestation. This also needs support from the middleware. ok markus@ OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc
2019-11-13upstream: remove extra layer for ed25519 signature; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47
2019-11-13upstream: check sig_r and sig_s for ssh-sk keys; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1a1e6a85b5f465d447a3800f739e35c5b74e0abc
2019-11-13upstream: update sk-api to version 2 for ed25519 support; ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
2019-11-13upstream: implement sshsk_ed25519_assemble(); ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: af9ec838b9bc643786310b5caefc4ca4754e68c6
2019-11-13upstream: implement sshsk_ed25519_inner_sig(); ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
2019-11-13upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok djmmarkus@openbsd.org
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
2019-11-13upstream: factor out sshsk_ecdsa_inner_sig(); ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 07e41997b542f670a15d7e2807143fe01efef584
2019-11-13upstream: factor out sshsk_ecdsa_assemble(); ok djm@markus@openbsd.org
OpenBSD-Commit-ID: 2313761a3a84ccfe032874d638d3c363e0f14026
2019-11-01autoconf pieces for U2F supportDamien Miller
Mostly following existing logic for PKCS#11 - turning off support when either libcrypto or dlopen(3) are unavailable.
2019-11-01upstream: U2F/FIDO middleware interfacedjm@openbsd.org
Supports enrolling (generating) keys and signatures. feedback & ok markus@ OpenBSD-Commit-ID: 73d1dd5939454f9c7bd840f48236cba41e8ad592