platform_external_openssh/sk-usbhid.c, branch master

wrap sha2.h inclusion in #ifdef HAVE_SHA2_H

2020-05-01T03:29:16+00:00

upstream: when signing a challenge using a FIDO toke, perform the

2020-05-01T03:13:29+00:00

hashing in the middleware layer rather than in ssh code. This allows
middlewares that call APIs that perform the hashing implicitly (including
Microsoft's AFAIK). ok markus@

OpenBSD-Commit-ID: c9fc8630aba26c75d5016884932f08a5a237f37d

upstream: changes to support FIDO attestation

2020-01-29T07:52:55+00:00

Allow writing to disk the attestation certificate that is generated by
the FIDO token at key enrollment time. These certificates may be used
by an out-of-band workflow to prove that a particular key is held in
trustworthy hardware.

Allow passing in a challenge that will be sent to the card during
key enrollment. These are needed to build an attestation workflow
that resists replay attacks.

ok markus@

OpenBSD-Commit-ID: 457dc3c3d689ba39eed328f0817ed9b91a5f78f6

upstream: improve the error message for u2f enrollment errors by

2020-01-25T23:18:42+00:00

making ssh-keygen be solely responsible for printing the error message and
convertint some more common error responses from the middleware to a useful
ssherr.h status code. more detail remains visible via -v of course.

also remove indepedent copy of sk-api.h declarations in sk-usbhid.c
and just include it.

feedback & ok markus@

OpenBSD-Commit-ID: a4a8ffa870d9a3e0cfd76544bcdeef5c9fb1f1bb

upstream: missing else in check_enroll_options()

2020-01-06T02:40:28+00:00

OpenBSD-Commit-ID: e058fb918fda56ddbbf0bee910101004cec421d4

upstream: fix error message

2020-01-06T02:25:26+00:00

OpenBSD-Commit-ID: 1eb52025658eb78ea6223181e552862198d3d505

upstream: Extends the SK API to accept a set of key/value options

2020-01-06T02:12:46+00:00

for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields for without having to change
the API version for each.

At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O

This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.

feedback, fixes and ok markus@

OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc

upstream: translate and return error codes; retry on bad PIN

2019-12-30T10:01:51+00:00

Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.

Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.

feedback and ok markus@

OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620

upstream: SK API and sk-helper error/PIN passing

2019-12-30T09:59:33+00:00

Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.

Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.

feedback and ok markus@

OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71

upstream: resident keys support in SK API

2019-12-30T09:58:19+00:00

Adds a sk_load_resident_keys() function to the security key
API that accepts a security key provider and a PIN and returns
a list of keys.

Implement support for this in the usbhid middleware.

feedback and ok markus@

OpenBSD-Commit-ID: 67e984e4e87f4999ce447a6178c4249a9174eff0