Commit Graph

13 Commits

Author SHA1 Message Date
djm@openbsd.org
37f2da069c upstream: some clarifying comments
OpenBSD-Commit-ID: 5268479000fd97bfa30ab819f3517139daa054a2
2020-06-26 15:18:07 +10:00
djm@openbsd.org
bb52e70fa5 upstream: Add support for FIDO webauthn (verification only).
webauthn is a standard for using FIDO keys in web browsers. webauthn
signatures are a slightly different format to plain FIDO signatures - this
support allows verification of these. Feedback and ok markus@

OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
2020-06-22 16:27:27 +10:00
djm@openbsd.org
64bc121097 upstream: refactor ECDSA-SK verification a little ahead of adding
support for FIDO webauthn signature verification support; ok markus@

OpenBSD-Commit-ID: c9f478fd8e0c1bd17e511ce8694f010d8e32043e
2020-06-22 16:11:14 +10:00
Ruben Kerkhof
0488dc2d30 Fix building without openssl.
This fixes the following when there are no openssl headers on the system:
ssh-ecdsa-sk.c:34:10: fatal error: 'openssl/bn.h' file not found
2020-01-20 21:14:46 +11:00
Darren Tucker
fff8ff6dd5 Put SK ECDSA bits inside ifdef OPENSSL_HAS_ECC.
Fixes build when linking against OpenSSLs built with no-ec.
2019-12-15 18:27:02 +11:00
Damien Miller
9244990ecd remove a bunch of ENABLE_SK #ifdefs
The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.

Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.
2019-12-14 09:21:46 +11:00
djm@openbsd.org
e0d38ae9bc upstream: more debugging; behind DEBUG_SK
OpenBSD-Commit-ID: a978896227118557505999ddefc1f4c839818b60
2019-11-27 10:44:29 +11:00
djm@openbsd.org
b7e74ea072 upstream: Add new structure for signature options
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-25 12:23:33 +11:00
djm@openbsd.org
d2b0f88178 upstream: memleak in error path
OpenBSD-Commit-ID: 93488431bf02dde85a854429362695d2d43d9112
2019-11-25 12:22:43 +11:00
Darren Tucker
2f95d43dc2 Include openssl compat header.
Fixes warning for ECDSA_SIG_set0 on OpenSSL versions prior to 1.1.
2019-11-20 16:34:11 +11:00
djm@openbsd.org
a70d92f236 upstream: adjust on-wire signature encoding for ecdsa-sk keys to
better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne

NB. if you are depending on security keys (already?) then make sure you
update both your clients and servers.

OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
2019-11-20 09:27:29 +11:00
Damien Miller
764d51e044 autoconf pieces for U2F support
Mostly following existing logic for PKCS#11 - turning off support
when either libcrypto or dlopen(3) are unavailable.
2019-11-01 13:35:34 +11:00
djm@openbsd.org
02bb0768a9 upstream: Initial infrastructure for U2F/FIDO support
Key library support: including allocation, marshalling public/private
keys and certificates, signature validation.

feedback & ok markus@

OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
2019-11-01 09:46:08 +11:00