upstream: update sk-api to version 2 for ed25519 support; ok djm

OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a

1 files changed, 7 insertions, 3 deletions

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index a587480be..bd60f9fac 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -138,7 +138,7 @@ The signature returned from U2F hardware takes the following format:
 For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1
 format data in the pre-authentication attack surface. Therefore, the
 signature format used on the wire in SSH2_USERAUTH_REQUEST packets will
-be reformatted slightly:
+be reformatted slightly and the ecdsa_signature_blob value has the encoding:
 
         mpint           r
         mpint           s
@@ -184,6 +184,10 @@ The middleware library need only expose a handful of functions:
         /* Flags */
         #define SSH_SK_USER_PRESENCE_REQD       0x01
 
+        /* Algs */
+        #define SSH_SK_ECDSA                   0x00
+        #define SSH_SK_ED25519                 0x01
+
         struct sk_enroll_response {
                 uint8_t *public_key;
                 size_t public_key_len;
@@ -208,12 +212,12 @@ The middleware library need only expose a handful of functions:
         uint32_t sk_api_version(void);
 
         /* Enroll a U2F key (private key generation) */
-        int sk_enroll(const uint8_t *challenge, size_t challenge_len,
+        int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
             const char *application, uint8_t flags,
             struct sk_enroll_response **enroll_response);
 
         /* Sign a challenge */
-        int sk_sign(const uint8_t *message, size_t message_len,
+        int sk_sign(int alg, const uint8_t *message, size_t message_len,
             const char *application,
             const uint8_t *key_handle, size_t key_handle_len,
             uint8_t flags, struct sk_sign_response **sign_response);