11 files changed, 731 insertions, 28 deletions
diff --git a/regress/misc/Makefile b/regress/misc/Makefile
index 14c0c279f..cf95f265c 100644
--- a/regress/misc/Makefile
+++ b/regress/misc/Makefile
@@ -1,3 +1,3 @@
-SUBDIR=         kexfuzz
+SUBDIR=         kexfuzz sk-dummy
 .include <bsd.subdir.mk>
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index 85179ac4e..64fbdbab1 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -3,31 +3,36 @@ CXX=clang++-6.0
 FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
 FUZZ_LIBS=-lFuzzer
-CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
+CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
 LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
-LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
+LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
+COMMON_OBJS=ssh-sk-null.o
-TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz
+TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
+        sshsigopt_fuzz privkey_fuzz
 all: $(TARGETS)
 .cc.o:
        $(CXX) $(CXXFLAGS) -c $< -o $@
-pubkey_fuzz: pubkey_fuzz.o
+pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
-        $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS)
+        $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
-sig_fuzz: sig_fuzz.o
+sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
-        $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS)
+        $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
-authopt_fuzz: authopt_fuzz.o
+authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
-        $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)
+        $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
-sshsig_fuzz: sshsig_fuzz.o
+sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
-        $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
+        $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
-sshsigopt_fuzz: sshsigopt_fuzz.o
+sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
-        $(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
+        $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
+privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
+        $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
 clean:
        -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc
new file mode 100644
index 000000000..ff0b0f776
--- /dev/null
+++ b/regress/misc/fuzz-harness/privkey_fuzz.cc
@@ -0,0 +1,21 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+extern "C" {
+#include "sshkey.h"
+#include "sshbuf.h"
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+        struct sshkey *k = NULL;
+        struct sshbuf *b = sshbuf_from(data, size);
+        int r = sshkey_private_deserialize(b, &k);
+        if (r == 0) sshkey_free(k);
+        sshbuf_free(b);
+        return 0;
+}
+} // extern
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index dd1fda091..b32502ba0 100644
--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -31,19 +31,31 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
  static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
  static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
 #endif
+  struct sshkey_sig_details *details = NULL;
  static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
  static const char *data = "If everyone started announcing his nose had "
      "run away, I don’t know how it would all end";
  static const size_t dlen = strlen(data);
 #ifdef WITH_OPENSSL
-  sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
-  sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_sig_details_free(details);
-  sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  details = NULL;
-  sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
-  sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_sig_details_free(details);
+  details = NULL;
+  sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+  sshkey_sig_details_free(details);
+  details = NULL;
+  sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+  sshkey_sig_details_free(details);
+  details = NULL;
+  sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+  sshkey_sig_details_free(details);
+  details = NULL;
 #endif
-  sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0);
+  sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+  sshkey_sig_details_free(details);
  return 0;
 }
diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc
new file mode 100644
index 000000000..199af1121
--- /dev/null
+++ b/regress/misc/fuzz-harness/ssh-sk-null.cc
@@ -0,0 +1,51 @@
+/* $OpenBSD$ */
+/*
+ * Copyright (c) 2019 Google LLC
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+extern "C" {
+#include "includes.h"
+#include <sys/types.h>
+#include "ssherr.h"
+#include "ssh-sk.h"
+int
+sshsk_enroll(int type, const char *provider_path, const char *device,
+    const char *application, const char *userid, uint8_t flags,
+    const char *pin, struct sshbuf *challenge_buf,
+    struct sshkey **keyp, struct sshbuf *attest)
+{
+        return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+int
+sshsk_sign(const char *provider_path, struct sshkey *key,
+    u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
+    u_int compat, const char *pin)
+{
+        return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+int
+sshsk_load_resident(const char *provider_path, const char *device,
+    const char *pin, struct sshkey ***keysp, size_t *nkeysp)
+{
+        return SSH_ERR_FEATURE_UNSUPPORTED;
+}
+};
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
index fe09ccb87..02211a096 100644
--- a/regress/misc/fuzz-harness/sshsig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -22,10 +22,12 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
  struct sshbuf *signature = sshbuf_from(sig, slen);
  struct sshbuf *message = sshbuf_from(data, strlen(data));
  struct sshkey *k = NULL;
+  struct sshkey_sig_details *details = NULL;
  extern char *__progname;
  log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
-  sshsig_verifyb(signature, message, "castle", &k);
+  sshsig_verifyb(signature, message, "castle", &k, &details);
+  sshkey_sig_details_free(details);
  sshkey_free(k);
  sshbuf_free(signature);
  sshbuf_free(message);
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index 20802cb87..9eb86931c 100644
--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.4 2019/01/21 12:50:12 djm Exp $
+#       $OpenBSD: Makefile,v 1.7 2020/01/26 00:09:50 djm Exp $
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -20,6 +20,7 @@ SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
 SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
 SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
 SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+SRCS+=sshbuf-io.c ssh-ecdsa-sk.c ssh-ed25519-sk.c msg.c ssh-sk-client.c
 SRCS+=  kex.c
 SRCS+=  dh.c
@@ -50,6 +51,9 @@ SSH1=		no
 CFLAGS+=        -DWITH_SSH1
 .endif
+LDADD+= -lfido2 -lcbor -lusbhid
+DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
 # enable warnings
 WARNINGS=Yes
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
index 7051e87b1..56697c918 100644
--- a/regress/misc/kexfuzz/kexfuzz.c
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kexfuzz.c,v 1.5 2019/01/21 12:50:12 djm Exp $ */
+/*      $OpenBSD: kexfuzz.c,v 1.6 2020/01/26 00:09:50 djm Exp $ */
 /*
 * Fuzz harness for KEX code
 *
@@ -424,12 +424,8 @@ main(int argc, char **argv)
                if (packet_index == -1 || direction == -1 || data_path == NULL)
                        badusage("Replace (-r) mode must specify direction "
                            "(-D) packet index (-i) and data path (-f)");
-                if ((fd = open(data_path, O_RDONLY)) == -1)
+                if ((r = sshbuf_load_file(data_path, &replace_data)) != 0)
-                        err(1, "open %s", data_path);
-                replace_data = sshbuf_new();
-                if ((r = sshkey_load_file(fd, replace_data)) != 0)
                        errx(1, "read %s: %s", data_path, ssh_err(r));
-                close(fd);
        }
        /* Dump mode */
diff --git a/regress/misc/sk-dummy/Makefile b/regress/misc/sk-dummy/Makefile
new file mode 100644
index 000000000..29e313c82
--- /dev/null
+++ b/regress/misc/sk-dummy/Makefile
@@ -0,0 +1,66 @@
+#       $OpenBSD: Makefile,v 1.2 2019/11/29 00:13:29 djm Exp $
+.include <bsd.own.mk>
+.include <bsd.obj.mk>
+PROG=   sk-dummy.so
+NOMAN=
+SSHREL=../../../../../usr.bin/ssh
+.PATH: ${.CURDIR}/${SSHREL}
+SRCS=sk-dummy.c
+# From usr.bin/ssh
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+OPENSSL?=       yes
+CFLAGS+=        -fPIC
+.if (${OPENSSL:L} == "yes")
+CFLAGS+=        -DWITH_OPENSSL
+.endif
+# enable warnings
+WARNINGS=Yes
+DEBUG=-g
+CFLAGS+=        -fstack-protector-all
+CDIAGFLAGS=     -Wall
+CDIAGFLAGS+=    -Wextra
+CDIAGFLAGS+=    -Werror
+CDIAGFLAGS+=    -Wchar-subscripts
+CDIAGFLAGS+=    -Wcomment
+CDIAGFLAGS+=    -Wformat
+CDIAGFLAGS+=    -Wformat-security
+CDIAGFLAGS+=    -Wimplicit
+CDIAGFLAGS+=    -Winline
+CDIAGFLAGS+=    -Wmissing-declarations
+CDIAGFLAGS+=    -Wmissing-prototypes
+CDIAGFLAGS+=    -Wparentheses
+CDIAGFLAGS+=    -Wpointer-arith
+CDIAGFLAGS+=    -Wreturn-type
+CDIAGFLAGS+=    -Wshadow
+CDIAGFLAGS+=    -Wsign-compare
+CDIAGFLAGS+=    -Wstrict-aliasing
+CDIAGFLAGS+=    -Wstrict-prototypes
+CDIAGFLAGS+=    -Wswitch
+CDIAGFLAGS+=    -Wtrigraphs
+CDIAGFLAGS+=    -Wuninitialized
+CDIAGFLAGS+=    -Wunused
+CDIAGFLAGS+=    -Wno-unused-parameter
+.if ${COMPILER_VERSION:L} != "gcc3"
+CDIAGFLAGS+=    -Wold-style-definition
+.endif
+CFLAGS+=-I${.CURDIR}/${SSHREL}
+.if (${OPENSSL:L} == "yes")
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
+.endif
+$(PROG): $(OBJS)
+        $(CC) $(LDFLAGS) -shared -o $@ $(OBJS) $(LDADD)
+.include <bsd.prog.mk>
diff --git a/regress/misc/sk-dummy/fatal.c b/regress/misc/sk-dummy/fatal.c
new file mode 100644
index 000000000..7cdc74b97
--- /dev/null
+++ b/regress/misc/sk-dummy/fatal.c
@@ -0,0 +1,20 @@
+/* public domain */
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <unistd.h>
+void fatal(char *fmt, ...);
+void
+fatal(char *fmt, ...)
+{
+        va_list ap;
+        va_start(ap, fmt);
+        vfprintf(stderr, fmt, ap);
+        va_end(ap);
+        fputc('\n', stderr);
+        _exit(1);
+}
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
new file mode 100644
index 000000000..dca158ded
--- /dev/null
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -0,0 +1,526 @@
+/*
+ * Copyright (c) 2019 Markus Friedl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include "crypto_api.h"
+#include "sk-api.h"
+#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/pem.h>
+/* #define SK_DEBUG 1 */
+/* Compatibility with OpenSSH 1.0.x */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#define ECDSA_SIG_get0(sig, pr, ps) \
+        do { \
+                (*pr) = sig->r; \
+                (*ps) = sig->s; \
+        } while (0)
+#endif
+#if SSH_SK_VERSION_MAJOR != 0x00040000
+# error SK API has changed, sk-dummy.c needs an update
+#endif
+static void skdebug(const char *func, const char *fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)));
+static void
+skdebug(const char *func, const char *fmt, ...)
+{
+#if defined(SK_DEBUG)
+        va_list ap;
+        va_start(ap, fmt);
+        fprintf(stderr, "sk-dummy %s: ", func);
+        vfprintf(stderr, fmt, ap);
+        fputc('\n', stderr);
+        va_end(ap);
+#else
+        (void)func; /* XXX */
+        (void)fmt; /* XXX */
+#endif
+}
+uint32_t
+sk_api_version(void)
+{
+        return SSH_SK_VERSION_MAJOR;
+}
+static int
+pack_key_ecdsa(struct sk_enroll_response *response)
+{
+#ifdef OPENSSL_HAS_ECC
+        EC_KEY *key = NULL;
+        const EC_GROUP *g;
+        const EC_POINT *q;
+        int ret = -1;
+        long privlen;
+        BIO *bio = NULL;
+        char *privptr;
+        response->public_key = NULL;
+        response->public_key_len = 0;
+        response->key_handle = NULL;
+        response->key_handle_len = 0;
+        if ((key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {
+                skdebug(__func__, "EC_KEY_new_by_curve_name");
+                goto out;
+        }
+        if (EC_KEY_generate_key(key) != 1) {
+                skdebug(__func__, "EC_KEY_generate_key");
+                goto out;
+        }
+        EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);
+        if ((bio = BIO_new(BIO_s_mem())) == NULL ||
+            (g = EC_KEY_get0_group(key)) == NULL ||
+            (q = EC_KEY_get0_public_key(key)) == NULL) {
+                skdebug(__func__, "couldn't get key parameters");
+                goto out;
+        }
+        response->public_key_len = EC_POINT_point2oct(g, q,
+            POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
+        if (response->public_key_len == 0 || response->public_key_len > 2048) {
+                skdebug(__func__, "bad pubkey length %zu",
+                    response->public_key_len);
+                goto out;
+        }
+        if ((response->public_key = malloc(response->public_key_len)) == NULL) {
+                skdebug(__func__, "malloc pubkey failed");
+                goto out;
+        }
+        if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
+            response->public_key, response->public_key_len, NULL) == 0) {
+                skdebug(__func__, "EC_POINT_point2oct failed");
+                goto out;
+        }
+        /* Key handle contains PEM encoded private key */
+        if (!PEM_write_bio_ECPrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) {
+                skdebug(__func__, "PEM_write_bio_ECPrivateKey failed");
+                goto out;
+        }
+        if ((privlen = BIO_get_mem_data(bio, &privptr)) <= 0) {
+                skdebug(__func__, "BIO_get_mem_data failed");
+                goto out;
+        }
+        if ((response->key_handle = malloc(privlen)) == NULL) {
+                skdebug(__func__, "malloc key_handle failed");
+                goto out;
+        }
+        response->key_handle_len = (size_t)privlen;
+        memcpy(response->key_handle, privptr, response->key_handle_len);
+        /* success */
+        ret = 0;
+ out:
+        if (ret != 0) {
+                if (response->public_key != NULL) {
+                        memset(response->public_key, 0,
+                            response->public_key_len);
+                        free(response->public_key);
+                        response->public_key = NULL;
+                }
+                if (response->key_handle != NULL) {
+                        memset(response->key_handle, 0,
+                            response->key_handle_len);
+                        free(response->key_handle);
+                        response->key_handle = NULL;
+                }
+        }
+        BIO_free(bio);
+        EC_KEY_free(key);
+        return ret;
+#else
+        return -1;
+#endif
+}
+static int
+pack_key_ed25519(struct sk_enroll_response *response)
+{
+        int ret = -1;
+        u_char pk[crypto_sign_ed25519_PUBLICKEYBYTES];
+        u_char sk[crypto_sign_ed25519_SECRETKEYBYTES];
+        response->public_key = NULL;
+        response->public_key_len = 0;
+        response->key_handle = NULL;
+        response->key_handle_len = 0;
+        memset(pk, 0, sizeof(pk));
+        memset(sk, 0, sizeof(sk));
+        crypto_sign_ed25519_keypair(pk, sk);
+        response->public_key_len = sizeof(pk);
+        if ((response->public_key = malloc(response->public_key_len)) == NULL) {
+                skdebug(__func__, "malloc pubkey failed");
+                goto out;
+        }
+        memcpy(response->public_key, pk, sizeof(pk));
+        /* Key handle contains sk */
+        response->key_handle_len = sizeof(sk);
+        if ((response->key_handle = malloc(response->key_handle_len)) == NULL) {
+                skdebug(__func__, "malloc key_handle failed");
+                goto out;
+        }
+        memcpy(response->key_handle, sk, sizeof(sk));
+        /* success */
+        ret = 0;
+ out:
+        if (ret != 0)
+                free(response->public_key);
+        return ret;
+}
+static int
+check_options(struct sk_option **options)
+{
+        size_t i;
+        if (options == NULL)
+                return 0;
+        for (i = 0; options[i] != NULL; i++) {
+                skdebug(__func__, "requested unsupported option %s",
+                    options[i]->name);
+                if (options[i]->required) {
+                        skdebug(__func__, "unknown required option");
+                        return -1;
+                }
+        }
+        return 0;
+}
+int
+sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
+    const char *application, uint8_t flags, const char *pin,
+    struct sk_option **options, struct sk_enroll_response **enroll_response)
+{
+        struct sk_enroll_response *response = NULL;
+        int ret = SSH_SK_ERR_GENERAL;
+        (void)flags; /* XXX; unused */
+        if (enroll_response == NULL) {
+                skdebug(__func__, "enroll_response == NULL");
+                goto out;
+        }
+        *enroll_response = NULL;
+        if (check_options(options) != 0)
+                goto out; /* error already logged */
+        if ((response = calloc(1, sizeof(*response))) == NULL) {
+                skdebug(__func__, "calloc response failed");
+                goto out;
+        }
+        switch(alg) {
+        case SSH_SK_ECDSA:
+                if (pack_key_ecdsa(response) != 0)
+                        goto out;
+                break;
+        case SSH_SK_ED25519:
+                if (pack_key_ed25519(response) != 0)
+                        goto out;
+                break;
+        default:
+                skdebug(__func__, "unsupported key type %d", alg);
+                return -1;
+        }
+        /* Have to return something here */
+        if ((response->signature = calloc(1, 1)) == NULL) {
+                skdebug(__func__, "calloc signature failed");
+                goto out;
+        }
+        response->signature_len = 0;
+        *enroll_response = response;
+        response = NULL;
+        ret = 0;
+ out:
+        if (response != NULL) {
+                free(response->public_key);
+                free(response->key_handle);
+                free(response->signature);
+                free(response->attestation_cert);
+                free(response);
+        }
+        return ret;
+}
+static void
+dump(const char *preamble, const void *sv, size_t l)
+{
+#ifdef SK_DEBUG
+        const u_char *s = (const u_char *)sv;
+        size_t i;
+        fprintf(stderr, "%s (len %zu):\n", preamble, l);
+        for (i = 0; i < l; i++) {
+                if (i % 16 == 0)
+                        fprintf(stderr, "%04zu: ", i);
+                fprintf(stderr, "%02x", s[i]);
+                if (i % 16 == 15 || i == l - 1)
+                        fprintf(stderr, "\n");
+        }
+#endif
+}
+static int
+sig_ecdsa(const uint8_t *message, size_t message_len,
+    const char *application, uint32_t counter, uint8_t flags,
+    const uint8_t *key_handle, size_t key_handle_len,
+    struct sk_sign_response *response)
+{
+#ifdef OPENSSL_HAS_ECC
+        ECDSA_SIG *sig = NULL;
+        const BIGNUM *sig_r, *sig_s;
+        int ret = -1;
+        BIO *bio = NULL;
+        EVP_PKEY *pk = NULL;
+        EC_KEY *ec = NULL;
+        SHA256_CTX ctx;
+        uint8_t apphash[SHA256_DIGEST_LENGTH];
+        uint8_t sighash[SHA256_DIGEST_LENGTH];
+        uint8_t countbuf[4];
+        /* Decode EC_KEY from key handle */
+        if ((bio = BIO_new(BIO_s_mem())) == NULL ||
+            BIO_write(bio, key_handle, key_handle_len) != (int)key_handle_len) {
+                skdebug(__func__, "BIO setup failed");
+                goto out;
+        }
+        if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, "")) == NULL) {
+                skdebug(__func__, "PEM_read_bio_PrivateKey failed");
+                goto out;
+        }
+        if (EVP_PKEY_base_id(pk) != EVP_PKEY_EC) {
+                skdebug(__func__, "Not an EC key: %d", EVP_PKEY_base_id(pk));
+                goto out;
+        }
+        if ((ec = EVP_PKEY_get1_EC_KEY(pk)) == NULL) {
+                skdebug(__func__, "EVP_PKEY_get1_EC_KEY failed");
+                goto out;
+        }
+        /* Expect message to be pre-hashed */
+        if (message_len != SHA256_DIGEST_LENGTH) {
+                skdebug(__func__, "bad message len %zu", message_len);
+                goto out;
+        }
+        /* Prepare data to be signed */
+        dump("message", message, message_len);
+        SHA256_Init(&ctx);
+        SHA256_Update(&ctx, application, strlen(application));
+        SHA256_Final(apphash, &ctx);
+        dump("apphash", apphash, sizeof(apphash));
+        countbuf[0] = (counter >> 24) & 0xff;
+        countbuf[1] = (counter >> 16) & 0xff;
+        countbuf[2] = (counter >> 8) & 0xff;
+        countbuf[3] = counter & 0xff;
+        dump("countbuf", countbuf, sizeof(countbuf));
+        dump("flags", &flags, sizeof(flags));
+        SHA256_Init(&ctx);
+        SHA256_Update(&ctx, apphash, sizeof(apphash));
+        SHA256_Update(&ctx, &flags, sizeof(flags));
+        SHA256_Update(&ctx, countbuf, sizeof(countbuf));
+        SHA256_Update(&ctx, message, message_len);
+        SHA256_Final(sighash, &ctx);
+        dump("sighash", sighash, sizeof(sighash));
+        /* create and encode signature */
+        if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) {
+                skdebug(__func__, "ECDSA_do_sign failed");
+                goto out;
+        }
+        ECDSA_SIG_get0(sig, &sig_r, &sig_s);
+        response->sig_r_len = BN_num_bytes(sig_r);
+        response->sig_s_len = BN_num_bytes(sig_s);
+        if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
+            (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
+                skdebug(__func__, "calloc signature failed");
+                goto out;
+        }
+        BN_bn2bin(sig_r, response->sig_r);
+        BN_bn2bin(sig_s, response->sig_s);
+        ret = 0;
+ out:
+        explicit_bzero(&ctx, sizeof(ctx));
+        explicit_bzero(&apphash, sizeof(apphash));
+        explicit_bzero(&sighash, sizeof(sighash));
+        ECDSA_SIG_free(sig);
+        if (ret != 0) {
+                free(response->sig_r);
+                free(response->sig_s);
+                response->sig_r = NULL;
+                response->sig_s = NULL;
+        }
+        BIO_free(bio);
+        EC_KEY_free(ec);
+        EVP_PKEY_free(pk);
+        return ret;
+#else
+        return -1;
+#endif
+}
+static int
+sig_ed25519(const uint8_t *message, size_t message_len,
+    const char *application, uint32_t counter, uint8_t flags,
+    const uint8_t *key_handle, size_t key_handle_len,
+    struct sk_sign_response *response)
+{
+        size_t o;
+        int ret = -1;
+        SHA256_CTX ctx;
+        uint8_t apphash[SHA256_DIGEST_LENGTH];
+        uint8_t signbuf[sizeof(apphash) + sizeof(flags) +
+            sizeof(counter) + SHA256_DIGEST_LENGTH];
+        uint8_t sig[crypto_sign_ed25519_BYTES + sizeof(signbuf)];
+        unsigned long long smlen;
+        if (key_handle_len != crypto_sign_ed25519_SECRETKEYBYTES) {
+                skdebug(__func__, "bad key handle length %zu", key_handle_len);
+                goto out;
+        }
+        /* Expect message to be pre-hashed */
+        if (message_len != SHA256_DIGEST_LENGTH) {
+                skdebug(__func__, "bad message len %zu", message_len);
+                goto out;
+        }
+        /* Prepare data to be signed */
+        dump("message", message, message_len);
+        SHA256_Init(&ctx);
+        SHA256_Update(&ctx, application, strlen(application));
+        SHA256_Final(apphash, &ctx);
+        dump("apphash", apphash, sizeof(apphash));
+        memcpy(signbuf, apphash, sizeof(apphash));
+        o = sizeof(apphash);
+        signbuf[o++] = flags;
+        signbuf[o++] = (counter >> 24) & 0xff;
+        signbuf[o++] = (counter >> 16) & 0xff;
+        signbuf[o++] = (counter >> 8) & 0xff;
+        signbuf[o++] = counter & 0xff;
+        memcpy(signbuf + o, message, message_len);
+        o += message_len;
+        if (o != sizeof(signbuf)) {
+                skdebug(__func__, "bad sign buf len %zu, expected %zu",
+                    o, sizeof(signbuf));
+                goto out;
+        }
+        dump("signbuf", signbuf, sizeof(signbuf));
+        /* create and encode signature */
+        smlen = sizeof(signbuf);
+        if (crypto_sign_ed25519(sig, &smlen, signbuf, sizeof(signbuf),
+            key_handle) != 0) {
+                skdebug(__func__, "crypto_sign_ed25519 failed");
+                goto out;
+        }
+        if (smlen <= sizeof(signbuf)) {
+                skdebug(__func__, "bad sign smlen %llu, expected min %zu",
+                    smlen, sizeof(signbuf) + 1);
+                goto out;
+        }
+        response->sig_r_len = (size_t)(smlen - sizeof(signbuf));
+        if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
+                skdebug(__func__, "calloc signature failed");
+                goto out;
+        }
+        memcpy(response->sig_r, sig, response->sig_r_len);
+        dump("sig_r", response->sig_r, response->sig_r_len);
+        ret = 0;
+ out:
+        explicit_bzero(&ctx, sizeof(ctx));
+        explicit_bzero(&apphash, sizeof(apphash));
+        explicit_bzero(&signbuf, sizeof(signbuf));
+        explicit_bzero(&sig, sizeof(sig));
+        if (ret != 0) {
+                free(response->sig_r);
+                response->sig_r = NULL;
+        }
+        return ret;
+}
+int
+sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
+    const char *application, const uint8_t *key_handle, size_t key_handle_len,
+    uint8_t flags, const char *pin, struct sk_option **options,
+    struct sk_sign_response **sign_response)
+{
+        struct sk_sign_response *response = NULL;
+        int ret = SSH_SK_ERR_GENERAL;
+        if (sign_response == NULL) {
+                skdebug(__func__, "sign_response == NULL");
+                goto out;
+        }
+        *sign_response = NULL;
+        if (check_options(options) != 0)
+                goto out; /* error already logged */
+        if ((response = calloc(1, sizeof(*response))) == NULL) {
+                skdebug(__func__, "calloc response failed");
+                goto out;
+        }
+        response->flags = flags;
+        response->counter = 0x12345678;
+        switch(alg) {
+        case SSH_SK_ECDSA:
+                if (sig_ecdsa(message, message_len, application,
+                    response->counter, flags, key_handle, key_handle_len,
+                    response) != 0)
+                        goto out;
+                break;
+        case SSH_SK_ED25519:
+                if (sig_ed25519(message, message_len, application,
+                    response->counter, flags, key_handle, key_handle_len,
+                    response) != 0)
+                        goto out;
+                break;
+        default:
+                skdebug(__func__, "unsupported key type %d", alg);
+                return -1;
+        }
+        *sign_response = response;
+        response = NULL;
+        ret = 0;
+ out:
+        if (response != NULL) {
+                free(response->sig_r);
+                free(response->sig_s);
+                free(response);
+        }
+        return ret;
+}
+int
+sk_load_resident_keys(const char *pin, struct sk_option **options,
+    struct sk_resident_key ***rks, size_t *nrks)
+{
+        return SSH_SK_ERR_UNSUPPORTED;
+}