From 1f63d3c42be16452c97f44894c80b18dc54f3611 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 27 Aug 2020 01:06:18 +0000
Subject: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@
---
 usr.bin/ssh/ssh_api.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'usr.bin/ssh/ssh_api.c')

diff --git a/usr.bin/ssh/ssh_api.c b/usr.bin/ssh/ssh_api.c
index 68b2c14391e..ef10460d0e1 100644
--- a/usr.bin/ssh/ssh_api.c
+++ b/usr.bin/ssh/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.20 2020/07/01 16:28:31 markus Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.21 2020/08/27 01:06:18 djm Exp $ */
 /*
  * Copyright (c) 2012 Markus Friedl. All rights reserved.
  *
@@ -50,7 +50,7 @@ int _ssh_host_key_sign(struct ssh *, struct sshkey *, struct sshkey *,
  */
 int use_privsep = 0;
 int mm_sshkey_sign(struct sshkey *, u_char **, u_int *,
- const u_char *, u_int, const char *, const char *, u_int);
+ const u_char *, u_int, const char *, const char *, const char *, u_int);
 
 #ifdef WITH_OPENSSL
 DH *mm_choose_dh(int, int, int);
@@ -62,8 +62,8 @@ u_int session_id2_len = 0;
 
 int
 mm_sshkey_sign(struct sshkey *key, u_char **sigp, u_int *lenp,
- const u_char *data, u_int datalen, const char *alg, const char *sk_provider,
- u_int compat)
+ const u_char *data, u_int datalen, const char *alg,
+ const char *sk_provider, const char *sk_pin, u_int compat)
 {
 return (-1);
 }
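Review bot: The stub definition of mm_sshkey_sign in the `@@ -62,8 +62,8 @@` hunk gains `sk_pin` but nothing at the definition says the parameter is ignored along with `sk_provider`, and the unconditional `return (-1)` gives a caller no way to tell "no privsep monitor in this build" from a genuine signing failure. The comment block that closes just before `use_privsep` in the `@@ -50,7 +50,7 @@` hunk presumably covers these stubs, but its body is outside the hunk; if it does not name this one, a line above the definition such as `/* privsep stub for the library build: never signs; alg, sk_provider and sk_pin are unused */` would make the contract explicit. Since `sk_pin` carries a secret, stating at the prototype that the stub neither stores nor logs it documents the expectation any real implementation must keep.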
@@ -561,5 +561,5 @@ _ssh_host_key_sign(struct ssh *ssh, struct sshkey *privkey,
 const u_char *data, size_t dlen, const char *alg)
 {
 return sshkey_sign(privkey, signature, slen, data, dlen,
- alg, NULL, ssh->compat);
+ alg, NULL, NULL, ssh->compat);
 }
--
cgit v1.2.3-59-g8ed1b
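Review bot: `_ssh_host_key_sign` now passes `NULL` for both the provider and the new PIN argument of sshkey_sign, so a host key that needs a security-key provider or user verification cannot be used through this API, and that limitation is not recorded anywhere in the hunk. A comment on the call, `/* no sk_provider/sk_pin: security-key (FIDO) host keys are not supported here */`, would tell the next maintainer this is deliberate rather than an oversight. The argument order is inferred from the parallel change to mm_sshkey_sign earlier in this patch, since sshkey_sign's prototype is not on the page. The function's signature begins before the hunk's first line.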