From c312ca077cd2a6c15545cd6b4d34ee2f69289174 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 6 Jan 2020 02:00:46 +0000
Subject: upstream: Extends the SK API to accept a set of key/value options for all operations. These are intended to future-proof the API a little by making it easier to specify additional fields for without having to change the API version for each.

At present, only two options are defined: one to explicitly specify the device for an operation (rather than accepting the middleware's autoselection) and another to specify the FIDO2 username that may be used when generating a resident key.

These new options may be invoked at key generation time via ssh-keygen -O

This also implements a suggestion from Markus to avoid "int" in favour of uint32_t for the algorithm argument in the API, to make implementation of ssh-sk-client/helper a little easier.

feedback, fixes and ok markus@

OpenBSD-Commit-ID: 973ce11704609022ab36abbdeb6bc23c8001eabc
---
 ssh-sk.h | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'ssh-sk.h')

diff --git a/ssh-sk.h b/ssh-sk.h
index 348759a98..ea9ff6e1a 100644
--- a/ssh-sk.h
+++ b/ssh-sk.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.h,v 1.8 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: ssh-sk.h,v 1.9 2020/01/06 02:00:47 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -20,9 +20,10 @@ struct sshbuf;
 
 struct sshbuf;
 struct sshkey;
+struct sk_option;
 
 /* Version of protocol expected from ssh-sk-helper */
-#define SSH_SK_HELPER_VERSION 3
+#define SSH_SK_HELPER_VERSION 4
 
 /* ssh-sk-helper messages */
 #define SSH_SK_HELPER_ERROR 0 /* Only valid H->C */
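Review bot: The bump of `SSH_SK_HELPER_VERSION` to 4 in the second hunk is the only thing that keeps an ssh-sk-client from talking to a helper built for the old message layout, yet the comment above it still reads just `/* Version of protocol expected from ssh-sk-helper */` and says nothing about why it changed or what a mismatch must do. I would extend it to `/* Version of protocol expected from ssh-sk-helper; bump whenever the C<->H message encoding changes (4: key/value options, uint32_t alg). A helper reporting any other version must be refused. */`, assuming ssh-sk-client.c really does refuse on mismatch rather than fall through, which this header alone cannot show. The new `struct sk_option;` forward declaration is also bare: none of the prototypes visible in this diff take it, so a one-line comment naming its defining header (presumably the SK provider API header) and the prototype that consumes it would tell a reader why it is here. The `#define` list this hunk touches continues past the hunk.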
@@ -40,8 +41,9 @@ struct sshkey;
  * If successful and the attest_data buffer is not NULL then attestation
  * information is placed there.
  */
-int sshsk_enroll(int type, const char *provider_path, const char *application,
-    uint8_t flags, const char *pin, struct sshbuf *challenge_buf,
+int sshsk_enroll(int type, const char *provider_path, const char *device,
+    const char *application, const char *userid, uint8_t flags,
+    const char *pin, struct sshbuf *challenge_buf,
     struct sshkey **keyp, struct sshbuf *attest);
 
 /*
@@ -60,8 +62,8 @@ int sshsk_sign(const char *provider_path, struct sshkey *key,
  *
  * Returns 0 on success or a ssherr.h error code on failure.
  */
-int sshsk_load_resident(const char *provider_path, const char *pin,
-    struct sshkey ***keysp, size_t *nkeysp);
+int sshsk_load_resident(const char *provider_path, const char *device,
+    const char *pin, struct sshkey ***keysp, size_t *nkeysp);
 
 #endif /* _SSH_SK_H */
 
-- 
cgit v1.2.3
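Review bot: `sshsk_enroll` now takes five consecutive `const char *` arguments (`provider_path`, `device`, `application`, `userid`, `pin`), and the two new ones are inserted in the middle of the list, so a caller that transposes `device` and `application`, or `userid` and `pin`, still compiles and could end up presenting the PIN to the token as the FIDO2 user name. The visible part of the block comment above the prototype describes neither new parameter (the comment begins before the hunk, so they may be covered higher up) and still calls the last argument `attest_data` although the parameter is named `attest`. I would add ` * "device" optionally names the token to use; NULL lets the middleware choose.` and ` * "userid" is the FIDO2 user name recorded when a resident key is generated.` to that comment, and state explicitly whether NULL is accepted for `userid` — the commit message only says it "may be used", so I am inferring that NULL defers to the helper's default. Given the commit's stated goal of not changing the API for every new field, carrying these through the new `struct sk_option` array instead of positional strings would also spare callers the next signature change.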
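Review bot: `sshsk_load_resident` gains `device` between `provider_path` and `pin`, but the visible part of its comment (which starts before the hunk) does not say what NULL means for an enumeration: whether the middleware's autoselection then picks a single token, so resident keys on a second attached token are silently never listed, or whether all devices are walked. Since this function is what `ssh-keygen -K`-style recovery relies on, that distinction matters to the user, and I would state it next to the existing `Returns 0 on success` line, e.g. ` * "device" restricts the search to one token; NULL lets the middleware select a device.` — I am inferring the single-token behaviour from the commit message's description of autoselection, so confirm against ssh-sk.c. It would also help to note that `device` is passed to the provider as an opaque path string and is not validated here, if that is indeed the case.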