author | djm@openbsd.org <djm@openbsd.org> | 2021-11-02 22:56:40 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2021-11-03 10:07:23 +1100 |
commit | f3c34df860c4c1ebddacb973954e58167d9dbade (patch) | |
tree | 3d09525139df4ea6022637b15c18fa4cc9aeb985 /sk-api.h | |
parent | 0328a081f38c09d2d4d650e94461a47fb5eef536 (diff) | |
download | openssh-git-f3c34df860c4c1ebddacb973954e58167d9dbade.tar.gz |
upstream: Better handle FIDO keys on tokens that provide user
verification (UV) on the device itself, including biometric keys.
Query the token during key creation to determine whether it supports
on-token UV and, if so, clear the SSH_SK_USER_VERIFICATION_REQD flag
in the key so that ssh(1) doesn't automatically prompt for PIN later.
When making signatures with the key, query the token's capabilities
again and check whether the token is able (right now) to perform user-
verification without a PIN. If it is then the PIN prompt is bypassed
and user verification delegated to the token. If not (e.g. the token
is biometric capable, but no biometrics are enrolled), then fall back
to user verification via the usual PIN prompt.
Work by Pedro Martelletto; ok myself and markus@
NB. cranks SSH_SK_VERSION_MAJOR
OpenBSD-Commit-ID: e318a8c258d9833a0b7eb0236cdb68b5143b2f27
Diffstat (limited to 'sk-api.h')
-rw-r--r-- | sk-api.h | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sk-api.h,v 1.13 2021/10/28 02:54:18 djm Exp $ */ +/* $OpenBSD: sk-api.h,v 1.14 2021/11/02 22:56:40 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -39,6 +39,7 @@ #define SSH_SK_ERR_DEVICE_NOT_FOUND -4 struct sk_enroll_response { + uint8_t flags; uint8_t *public_key; size_t public_key_len; uint8_t *key_handle; @@ -76,7 +77,7 @@ struct sk_option { uint8_t required; }; -#define SSH_SK_VERSION_MAJOR 0x00080000 /* current API version */ +#define SSH_SK_VERSION_MAJOR 0x00090000 /* current API version */ #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 /* Return the version of the middleware API */ |
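Review bot: the new `uint8_t flags;` member at the top of `struct sk_enroll_response` (second hunk) has no comment saying which bits it may carry or what a zero value means. Going by the commit message, this is where the result of the on-token UV query is reflected, i.e. whether SSH_SK_USER_VERIFICATION_REQD stays set in the key; please state that in the header, since third-party middleware authors implement against this file. Also note that the member is inserted ahead of `public_key`, so the offset of every later member moves: a provider built against the old layout has to be rejected by the version check rather than loaded, which makes this hunk safe only together with the SSH_SK_VERSION_MAJOR bump in the same commit.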
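Review bot: the SSH_SK_VERSION_MAJOR bump from 0x00080000 to 0x00090000 (third hunk) keeps the generic comment "current API version" and the header records nowhere what changed between the two versions. Suggest a short note beside the define, or in a comment on `struct sk_enroll_response`, that this version adds the `flags` member, so a middleware maintainer who hits a version mismatch can see what to update without reading the commit log.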