History log of /openssh-portable/ssh-sk.c (Results 1 - 25 of 31)
Revision Date Author Comments
# 1b378c0d 06-Mar-2020 markus@openbsd.org

upstream: return correct error in sshsk_ed25519_sig; ok djm

OpenBSD-Commit-ID: 52bf733df220303c260fee4f165ec64b4a977625


# dd992520 27-Feb-2020 djm@openbsd.org

upstream: better error message when trying to use a FIDO key

function and SecurityKeyProvider is empty

OpenBSD-Commit-ID: e56602c2ee8c82f835d30e4dc8ee2e4a7896be24


Revision tags: V_8_2_P1
# a47f6a6c 06-Feb-2020 naddy@openbsd.org

upstream: Replace "security key" with "authenticator" in program

messages.

This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".

ok djm@

OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e


# 24c0f752 28-Jan-2020 djm@openbsd.org

upstream: changes to support FIDO attestation

Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.

Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.

ok markus@

OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6


# 59d01f1d 25-Jan-2020 djm@openbsd.org

upstream: improve the error message for u2f enrollment errors by

making ssh-keygen be solely responsible for printing the error message and
converting some more common error responses from the middleware to a useful
ssherr.h status code. more detail remains visible via -v of course.

also remove independent copy of sk-api.h declarations in sk-usbhid.c
and just include it.

feedback & ok markus@

OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb


# 429170f2 13-Jan-2020 Darren Tucker

Wrap stdint.h inside HAVE_STDINT_H.


# c312ca07 05-Jan-2020 djm@openbsd.org

upstream: Extends the SK API to accept a set of key/value options

for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields without having to change
the API version for each.

At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O

This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.

feedback, fixes and ok markus@

OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc


# 43ce9642 30-Dec-2019 djm@openbsd.org

upstream: translate and return error codes; retry on bad PIN

Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.

Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.

feedback and ok markus@

OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620


# d4335967 30-Dec-2019 djm@openbsd.org

upstream: improve some error messages; ok markus@

OpenBSD-Commit-ID: 4ccd8ddabb8df4f995107dd3b7ea58220e93cb81


# c54cd189 30-Dec-2019 djm@openbsd.org

upstream: SK API and sk-helper error/PIN passing

Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.

Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.

feedback and ok markus@

OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71


# 14cea36d 30-Dec-2019 djm@openbsd.org

upstream: resident keys support in SK API

Adds a sk_load_resident_keys() function to the security key
API that accepts a security key provider and a PIN and returns
a list of keys.

Implement support for this in the usbhid middleware.

feedback and ok markus@

OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0


# 2fe05fcb 30-Dec-2019 djm@openbsd.org

upstream: Factor out parsing of struct sk_enroll_response

We'll reuse this for extracting resident keys from a device.

feedback and ok markus@

OpenBSD-Commit-ID: 9bc1efd9c6897eac4df0983746cf6578c1542273


# b52ec0ba 13-Dec-2019 djm@openbsd.org

upstream: use ssh-sk-helper for all security key signing operations

This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*

requested by, feedback and ok markus@

OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f


# d8b2838c 27-Nov-2019 djm@openbsd.org

upstream: remove stray semicolon after closing brace of function;

from Michael Forney

OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7


# a70d92f2 19-Nov-2019 djm@openbsd.org

upstream: adjust on-wire signature encoding for ecdsa-sk keys to

better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne

NB. if you are depending on security keys (already?) then make sure you
update both your clients and servers.

OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679


# 723a5369 18-Nov-2019 naddy@openbsd.org

upstream: add the missing WITH_OPENSSL ifdefs after the ED25519-SK

addition; ok djm@

OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474


# 9a1225e8 16-Nov-2019 djm@openbsd.org

upstream: tweak debug message

OpenBSD-Commit-ID: 2bf336d3be0b7e3dd97920d7e7471146a281d2b9


# 4103a3ec 16-Nov-2019 djm@openbsd.org

upstream: a little debug() in the security key interface

OpenBSD-Commit-ID: 4c70300609a5c8b19707207bb7ad4109e963b0e8


# 6bff9521 14-Nov-2019 djm@openbsd.org

upstream: directly support U2F/FIDO2 security keys in OpenSSH by

linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069


# dffd02e2 13-Nov-2019 markus@openbsd.org

upstream: fix check for sig_s; noted by qsa at qualys.com

OpenBSD-Commit-ID: 34198084e4afb424a859f52c04bb2c9668a52867


# fccff339 12-Nov-2019 djm@openbsd.org

upstream: allow an empty attestation certificate returned by a

security key enrollment - these are possible for tokens that only offer self-
attestation. This also needs support from the middleware.

ok markus@

OpenBSD-Commit-ID: 135eeeb937088ef6830a25ca0bbe678dfd2c57cc


# b556cc3c 12-Nov-2019 markus@openbsd.org

upstream: remove extra layer for ed25519 signature; ok djm@

OpenBSD-Commit-ID: 7672d9d0278b4bf656a12d3aab0c0bfe92a8ae47


# 3fcf69ac 12-Nov-2019 markus@openbsd.org

upstream: check sig_r and sig_s for ssh-sk keys; ok djm

OpenBSD-Commit-ID: 1a1e6a85b5f465d447a3800f739e35c5b74e0abc


# fd1a3b5e 12-Nov-2019 markus@openbsd.org

upstream: update sk-api to version 2 for ed25519 support; ok djm

OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a


# 7c32b51e 12-Nov-2019 markus@openbsd.org

upstream: implement sshsk_ed25519_assemble(); ok djm

OpenBSD-Commit-ID: af9ec838b9bc643786310b5caefc4ca4754e68c6

