summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/PROTOCOL.u2f10
-rw-r--r--usr.bin/ssh/sk-api.h12
-rw-r--r--usr.bin/ssh/ssh-sk.c21
3 files changed, 29 insertions, 14 deletions
diff --git a/usr.bin/ssh/PROTOCOL.u2f b/usr.bin/ssh/PROTOCOL.u2f
index a587480bea5..bd60f9fac5f 100644
--- a/usr.bin/ssh/PROTOCOL.u2f
+++ b/usr.bin/ssh/PROTOCOL.u2f
@@ -138,7 +138,7 @@ The signature returned from U2F hardware takes the following format:
For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1
format data in the pre-authentication attack surface. Therefore, the
signature format used on the wire in SSH2_USERAUTH_REQUEST packets will
-be reformatted slightly:
+be reformatted slightly and the ecdsa_signature_blob value has the encoding:
mpint r
mpint s
@@ -184,6 +184,10 @@ The middleware library need only expose a handful of functions:
/* Flags */
#define SSH_SK_USER_PRESENCE_REQD 0x01
+ /* Algs */
+ #define SSH_SK_ECDSA 0x00
+ #define SSH_SK_ED25519 0x01
+
struct sk_enroll_response {
uint8_t *public_key;
size_t public_key_len;
@@ -208,12 +212,12 @@ The middleware library need only expose a handful of functions:
uint32_t sk_api_version(void);
/* Enroll a U2F key (private key generation) */
- int sk_enroll(const uint8_t *challenge, size_t challenge_len,
+ int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
const char *application, uint8_t flags,
struct sk_enroll_response **enroll_response);
/* Sign a challenge */
- int sk_sign(const uint8_t *message, size_t message_len,
+ int sk_sign(int alg, const uint8_t *message, size_t message_len,
const char *application,
const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, struct sk_sign_response **sign_response);
diff --git a/usr.bin/ssh/sk-api.h b/usr.bin/ssh/sk-api.h
index 1de73342543..0ceff54232f 100644
--- a/usr.bin/ssh/sk-api.h
+++ b/usr.bin/ssh/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.1 2019/10/31 21:16:20 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -24,6 +24,10 @@
/* Flags */
#define SSH_SK_USER_PRESENCE_REQD 0x01
+/* Algs */
+#define SSH_SK_ECDSA 0x00
+#define SSH_SK_ED25519 0x01
+
struct sk_enroll_response {
uint8_t *public_key;
size_t public_key_len;
@@ -44,19 +48,19 @@ struct sk_sign_response {
size_t sig_s_len;
};
-#define SSH_SK_VERSION_MAJOR 0x00010000 /* current API version */
+#define SSH_SK_VERSION_MAJOR 0x00020000 /* current API version */
#define SSH_SK_VERSION_MAJOR_MASK 0xffff0000
/* Return the version of the middleware API */
uint32_t sk_api_version(void);
/* Enroll a U2F key (private key generation) */
-int sk_enroll(const uint8_t *challenge, size_t challenge_len,
+int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
const char *application, uint8_t flags,
struct sk_enroll_response **enroll_response);
/* Sign a challenge */
-int sk_sign(const uint8_t *message, size_t message_len,
+int sk_sign(int alg, const uint8_t *message, size_t message_len,
const char *application, const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, struct sk_sign_response **sign_response);
diff --git a/usr.bin/ssh/ssh-sk.c b/usr.bin/ssh/ssh-sk.c
index 0c75e30c34d..57f049c6bf2 100644
--- a/usr.bin/ssh/ssh-sk.c
+++ b/usr.bin/ssh/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.6 2019/11/12 19:31:45 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.7 2019/11/12 19:32:30 markus Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
@@ -45,12 +45,12 @@ struct sshsk_provider {
uint32_t (*sk_api_version)(void);
/* Enroll a U2F key (private key generation) */
- int (*sk_enroll)(const uint8_t *challenge, size_t challenge_len,
- const char *application, uint8_t flags,
+ int (*sk_enroll)(int alg, const uint8_t *challenge,
+ size_t challenge_len, const char *application, uint8_t flags,
struct sk_enroll_response **enroll_response);
/* Sign a challenge */
- int (*sk_sign)(const uint8_t *message, size_t message_len,
+ int (*sk_sign)(int alg, const uint8_t *message, size_t message_len,
const char *application,
const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, struct sk_sign_response **sign_response);
@@ -239,13 +239,17 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
size_t challenge_len;
struct sk_enroll_response *resp = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
+ int alg;
*keyp = NULL;
if (attest)
sshbuf_reset(attest);
switch (type) {
case KEY_ECDSA_SK:
+ alg = SSH_SK_ECDSA;
+ break;
case KEY_ED25519_SK:
+ alg = SSH_SK_ED25519;
break;
default:
error("%s: unsupported key type", __func__);
@@ -283,7 +287,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
}
/* XXX validate flags? */
/* enroll key */
- if ((r = skp->sk_enroll(challenge, challenge_len, application,
+ if ((r = skp->sk_enroll(alg, challenge, challenge_len, application,
flags, &resp)) != 0) {
error("Security key provider %s returned failure %d",
provider_path, r);
@@ -423,7 +427,7 @@ sshsk_sign(const char *provider_path, const struct sshkey *key,
{
struct sshsk_provider *skp = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
- int type;
+ int type, alg;
struct sk_sign_response *resp = NULL;
struct sshbuf *inner_sig = NULL, *sig = NULL;
uint8_t message[32];
@@ -435,7 +439,10 @@ sshsk_sign(const char *provider_path, const struct sshkey *key,
type = sshkey_type_plain(key->type);
switch (type) {
case KEY_ECDSA_SK:
+ alg = SSH_SK_ECDSA;
+ break;
case KEY_ED25519_SK:
+ alg = SSH_SK_ED25519;
break;
default:
return SSH_ERR_INVALID_ARGUMENT;
@@ -458,7 +465,7 @@ sshsk_sign(const char *provider_path, const struct sshkey *key,
r = SSH_ERR_INTERNAL_ERROR;
goto out;
}
- if ((r = skp->sk_sign(message, sizeof(message),
+ if ((r = skp->sk_sign(alg, message, sizeof(message),
key->sk_application,
sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle),
key->sk_flags, &resp)) != 0) {