diff options
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/PROTOCOL.u2f | 10 | ||||
-rw-r--r-- | usr.bin/ssh/sk-api.h | 12 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-sk.c | 21 |
3 files changed, 29 insertions, 14 deletions
diff --git a/usr.bin/ssh/PROTOCOL.u2f b/usr.bin/ssh/PROTOCOL.u2f index a587480bea5..bd60f9fac5f 100644 --- a/usr.bin/ssh/PROTOCOL.u2f +++ b/usr.bin/ssh/PROTOCOL.u2f @@ -138,7 +138,7 @@ The signature returned from U2F hardware takes the following format: For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 format data in the pre-authentication attack surface. Therefore, the signature format used on the wire in SSH2_USERAUTH_REQUEST packets will -be reformatted slightly: +be reformatted slightly and the ecdsa_signature_blob value has the encoding: mpint r mpint s @@ -184,6 +184,10 @@ The middleware library need only expose a handful of functions: /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 + /* Algs */ + #define SSH_SK_ECDSA 0x00 + #define SSH_SK_ED25519 0x01 + struct sk_enroll_response { uint8_t *public_key; size_t public_key_len; @@ -208,12 +212,12 @@ The middleware library need only expose a handful of functions: uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ - int sk_enroll(const uint8_t *challenge, size_t challenge_len, + int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, struct sk_enroll_response **enroll_response); /* Sign a challenge */ - int sk_sign(const uint8_t *message, size_t message_len, + int sk_sign(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, struct sk_sign_response **sign_response); diff --git a/usr.bin/ssh/sk-api.h b/usr.bin/ssh/sk-api.h index 1de73342543..0ceff54232f 100644 --- a/usr.bin/ssh/sk-api.h +++ b/usr.bin/ssh/sk-api.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sk-api.h,v 1.1 2019/10/31 21:16:20 djm Exp $ */ +/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -24,6 +24,10 @@ /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 +/* Algs */ +#define SSH_SK_ECDSA 0x00 +#define SSH_SK_ED25519 0x01 + struct sk_enroll_response { uint8_t *public_key; size_t public_key_len; @@ -44,19 +48,19 @@ struct sk_sign_response { size_t sig_s_len; }; -#define SSH_SK_VERSION_MAJOR 0x00010000 /* current API version */ +#define SSH_SK_VERSION_MAJOR 0x00020000 /* current API version */ #define SSH_SK_VERSION_MAJOR_MASK 0xffff0000 /* Return the version of the middleware API */ uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ -int sk_enroll(const uint8_t *challenge, size_t challenge_len, +int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, struct sk_enroll_response **enroll_response); /* Sign a challenge */ -int sk_sign(const uint8_t *message, size_t message_len, +int sk_sign(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, struct sk_sign_response **sign_response); diff --git a/usr.bin/ssh/ssh-sk.c b/usr.bin/ssh/ssh-sk.c index 0c75e30c34d..57f049c6bf2 100644 --- a/usr.bin/ssh/ssh-sk.c +++ b/usr.bin/ssh/ssh-sk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk.c,v 1.6 2019/11/12 19:31:45 markus Exp $ */ +/* $OpenBSD: ssh-sk.c,v 1.7 2019/11/12 19:32:30 markus Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -45,12 +45,12 @@ struct sshsk_provider { uint32_t (*sk_api_version)(void); /* Enroll a U2F key (private key generation) */ - int (*sk_enroll)(const uint8_t *challenge, size_t challenge_len, - const char *application, uint8_t flags, + int (*sk_enroll)(int alg, const uint8_t *challenge, + size_t challenge_len, const char *application, uint8_t flags, struct sk_enroll_response **enroll_response); /* Sign a challenge */ - int (*sk_sign)(const uint8_t *message, size_t message_len, + int (*sk_sign)(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, struct sk_sign_response **sign_response); @@ -239,13 +239,17 @@ sshsk_enroll(int type, const char *provider_path, const char *application, size_t challenge_len; struct sk_enroll_response *resp = NULL; int r = SSH_ERR_INTERNAL_ERROR; + int alg; *keyp = NULL; if (attest) sshbuf_reset(attest); switch (type) { case KEY_ECDSA_SK: + alg = SSH_SK_ECDSA; + break; case KEY_ED25519_SK: + alg = SSH_SK_ED25519; break; default: error("%s: unsupported key type", __func__); @@ -283,7 +287,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application, } /* XXX validate flags? */ /* enroll key */ - if ((r = skp->sk_enroll(challenge, challenge_len, application, + if ((r = skp->sk_enroll(alg, challenge, challenge_len, application, flags, &resp)) != 0) { error("Security key provider %s returned failure %d", provider_path, r); @@ -423,7 +427,7 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, { struct sshsk_provider *skp = NULL; int r = SSH_ERR_INTERNAL_ERROR; - int type; + int type, alg; struct sk_sign_response *resp = NULL; struct sshbuf *inner_sig = NULL, *sig = NULL; uint8_t message[32]; @@ -435,7 +439,10 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, type = sshkey_type_plain(key->type); switch (type) { case KEY_ECDSA_SK: + alg = SSH_SK_ECDSA; + break; case KEY_ED25519_SK: + alg = SSH_SK_ED25519; break; default: return SSH_ERR_INVALID_ARGUMENT; @@ -458,7 +465,7 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, r = SSH_ERR_INTERNAL_ERROR; goto out; } - if ((r = skp->sk_sign(message, sizeof(message), + if ((r = skp->sk_sign(alg, message, sizeof(message), key->sk_application, sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle), key->sk_flags, &resp)) != 0) { |