authordjm@openbsd.org <djm@openbsd.org>2020-01-06 02:00:46 +0000
committerDamien Miller <djm@mindrot.org>2020-01-06 13:12:46 +1100
commitc312ca077cd2a6c15545cd6b4d34ee2f69289174 (patch)
treeb8dd974c55dd0de351dfcbfc4f33fddb935a1c12 /ssh-sk-client.c
parent2ab335712d084d9ccaf3f53afc3fa9535329da87 (diff)
upstream: Extends the SK API to accept a set of key/value options
for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields without having to change the API version for each. At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key. These new options may be invoked at key generation time via ssh-keygen -O. This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier. feedback, fixes and ok markus@ OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
Diffstat (limited to 'ssh-sk-client.c')
-rw-r--r--ssh-sk-client.c14
1 files changed, 9 insertions, 5 deletions
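--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk-client.c,v 1.3 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: ssh-sk-client.c,v 1.4 2020/01/06 02:00:46 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -282,8 +282,9 @@ sshsk_sign(const char *provider, struct sshkey *key,
 }
 
 int
-sshsk_enroll(int type, const char *provider_path, const char *application,
- uint8_t flags, const char *pin, struct sshbuf *challenge_buf,
+sshsk_enroll(int type, const char *provider_path, const char *device,
+ const char *application, const char *userid, uint8_t flags,
+ const char *pin, struct sshbuf *challenge_buf,
  struct sshkey **keyp, struct sshbuf *attest)
 {
  int oerrno, r = SSH_ERR_INTERNAL_ERROR;
@@ -311,7 +312,9 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
  if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_ENROLL)) != 0 ||
  (r = sshbuf_put_u32(req, (u_int)type)) != 0 ||
  (r = sshbuf_put_cstring(req, provider_path)) != 0 ||
+ (r = sshbuf_put_cstring(req, device)) != 0 ||
  (r = sshbuf_put_cstring(req, application)) != 0 ||
+ (r = sshbuf_put_cstring(req, userid)) != 0 ||
  (r = sshbuf_put_u8(req, flags)) != 0 ||
  (r = sshbuf_put_cstring(req, pin)) != 0 ||
  (r = sshbuf_put_stringb(req, challenge_buf)) != 0) {
@@ -358,8 +361,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
 }
 
 int
-sshsk_load_resident(const char *provider_path, const char *pin,
- struct sshkey ***keysp, size_t *nkeysp)
+sshsk_load_resident(const char *provider_path, const char *device,
+ const char *pin, struct sshkey ***keysp, size_t *nkeysp)
 {
  int oerrno, r = SSH_ERR_INTERNAL_ERROR;
  struct sshbuf *kbuf = NULL, *req = NULL, *resp = NULL;
@@ -378,6 +381,7 @@ sshsk_load_resident(const char *provider_path, const char *pin,
 
  if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_LOAD_RESIDENT)) != 0 ||
  (r = sshbuf_put_cstring(req, provider_path)) != 0 ||
+ (r = sshbuf_put_cstring(req, device)) != 0 ||
  (r = sshbuf_put_cstring(req, pin)) != 0) {
  error("%s: compose: %s", __func__, ssh_err(r));
  goto out;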
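Review bot: The new `device` and `userid` strings are inserted in the middle of the ENROLL request (ahead of `application` and `flags`) and ahead of `pin` in the LOAD_RESIDENT request, so a helper binary that still parses the previous layout would read the fields shifted, for example taking the device string as the PIN in sshsk_load_resident. This view is limited to ssh-sk-client.c and shows no protocol version change, so it is worth confirming that the helper's version check rejects a mismatched peer instead of misparsing the message. Both new arguments look optional per the commit message; if sshbuf_put_cstring encodes a NULL argument as a zero-length string, the receiver cannot tell "unset" from "empty" and has to map empty back to unset. I would record this above each compose chain with `/* NB. field order and NULL-as-empty encoding must match the helper's request parser */`. Both function bodies continue outside the hunks shown.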