author | djm@openbsd.org <djm@openbsd.org> | 2020-01-06 02:00:46 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2020-01-06 13:12:46 +1100 |
commit | c312ca077cd2a6c15545cd6b4d34ee2f69289174 (patch) | |
tree | b8dd974c55dd0de351dfcbfc4f33fddb935a1c12 /ssh-sk-client.c | |
parent | 2ab335712d084d9ccaf3f53afc3fa9535329da87 (diff) |
upstream: Extends the SK API to accept a set of key/value options
for all operations. These are intended to future-proof the API a little by
making it easier to specify additional fields without having to change
the API version for each.
At present, only two options are defined: one to explicitly specify
the device for an operation (rather than accepting the middleware's
autoselection) and another to specify the FIDO2 username that may
be used when generating a resident key. These new options may be
invoked at key generation time via ssh-keygen -O
This also implements a suggestion from Markus to avoid "int" in favour
of uint32_t for the algorithm argument in the API, to make implementation
of ssh-sk-client/helper a little easier.
feedback, fixes and ok markus@
OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
Diffstat (limited to 'ssh-sk-client.c')
-rw-r--r-- | ssh-sk-client.c | 14 |
1 files changed, 9 insertions, 5 deletions
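--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk-client.c,v 1.3 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: ssh-sk-client.c,v 1.4 2020/01/06 02:00:46 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -282,8 +282,9 @@ sshsk_sign(const char *provider, struct sshkey *key,
 }
 
 int
-sshsk_enroll(int type, const char *provider_path, const char *application,
-    uint8_t flags, const char *pin, struct sshbuf *challenge_buf,
+sshsk_enroll(int type, const char *provider_path, const char *device,
+    const char *application, const char *userid, uint8_t flags,
+    const char *pin, struct sshbuf *challenge_buf,
     struct sshkey **keyp, struct sshbuf *attest)
 {
 	int oerrno, r = SSH_ERR_INTERNAL_ERROR;
@@ -311,7 +312,9 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
 	if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_ENROLL)) != 0 ||
 	    (r = sshbuf_put_u32(req, (u_int)type)) != 0 ||
 	    (r = sshbuf_put_cstring(req, provider_path)) != 0 ||
+	    (r = sshbuf_put_cstring(req, device)) != 0 ||
 	    (r = sshbuf_put_cstring(req, application)) != 0 ||
+	    (r = sshbuf_put_cstring(req, userid)) != 0 ||
 	    (r = sshbuf_put_u8(req, flags)) != 0 ||
 	    (r = sshbuf_put_cstring(req, pin)) != 0 ||
 	    (r = sshbuf_put_stringb(req, challenge_buf)) != 0) {
@@ -358,8 +361,8 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
 }
 
 int
-sshsk_load_resident(const char *provider_path, const char *pin,
-    struct sshkey ***keysp, size_t *nkeysp)
+sshsk_load_resident(const char *provider_path, const char *device,
+    const char *pin, struct sshkey ***keysp, size_t *nkeysp)
 {
 	int oerrno, r = SSH_ERR_INTERNAL_ERROR;
 	struct sshbuf *kbuf = NULL, *req = NULL, *resp = NULL;
@@ -378,6 +381,7 @@ sshsk_load_resident(const char *provider_path, const char *pin,
 
 	if ((r = sshbuf_put_u32(req, SSH_SK_HELPER_LOAD_RESIDENT)) != 0 ||
 	    (r = sshbuf_put_cstring(req, provider_path)) != 0 ||
+	    (r = sshbuf_put_cstring(req, device)) != 0 ||
 	    (r = sshbuf_put_cstring(req, pin)) != 0) {
 		error("%s: compose: %s", __func__, ssh_err(r));
 		goto out;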
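Review bot: The new `device` and `userid` arguments are marshalled to the helper with sshbuf_put_cstring without any note on what a NULL argument means on the wire; sshbuf_put_cstring sends a NULL pointer as a zero-length string, so the helper side cannot tell "no device given, let the middleware autoselect" apart from an explicitly empty device path, and the same holds for `userid` in the sshsk_enroll compose block and for `device` in the sshsk_load_resident one. That contract should be written down where the request is composed, e.g. `/* device and userid may be NULL (autoselect / no user); both are sent as empty strings and ssh-sk-helper maps "" back to NULL */`, so a future change to the helper's decoding does not silently turn autoselect into a lookup for a device named "". The same wire format is presumably read by ssh-sk-helper, which is not in this diff, so the mapping there should be confirmed rather than assumed. Both sshsk_enroll and sshsk_load_resident continue beyond their hunks.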