#define SSH_SK_ERR_GENERAL -1
#define SSH_SK_ERR_UNSUPPORTED -2
#define SSH_SK_ERR_PIN_REQUIRED -3
+ #define SSH_SK_ERR_DEVICE_NOT_FOUND -4
struct sk_enroll_response {
uint8_t *public_key;
-/* $OpenBSD: sk-api.h,v 1.7 2020/01/06 02:00:46 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.8 2020/01/25 23:13:09 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
#define SSH_SK_ERR_GENERAL -1
#define SSH_SK_ERR_UNSUPPORTED -2
#define SSH_SK_ERR_PIN_REQUIRED -3
+#define SSH_SK_ERR_DEVICE_NOT_FOUND -4
struct sk_enroll_response {
uint8_t *public_key;
#include <fido/credman.h>
#ifndef SK_STANDALONE
-#include "log.h"
-#include "xmalloc.h"
-#endif
+# include "log.h"
+# include "xmalloc.h"
+/*
+ * If building as part of OpenSSH, then rename exported functions.
+ * This must be done before including sk-api.h.
+ */
+# define sk_api_version ssh_sk_api_version
+# define sk_enroll ssh_sk_enroll
+# define sk_sign ssh_sk_sign
+# define sk_load_resident_keys ssh_sk_load_resident_keys
+#endif /* !SK_STANDALONE */
+
+#include "sk-api.h"
/* #define SK_DEBUG 1 */
} while (0)
#endif
-#define SK_VERSION_MAJOR 0x00040000 /* current API version */
-
-/* Flags */
-#define SK_USER_PRESENCE_REQD 0x01
-#define SK_USER_VERIFICATION_REQD 0x04
-#define SK_RESIDENT_KEY 0x20
-
-/* Algs */
-#define SK_ECDSA 0x00
-#define SK_ED25519 0x01
-
-/* Error codes */
-#define SSH_SK_ERR_GENERAL -1
-#define SSH_SK_ERR_UNSUPPORTED -2
-#define SSH_SK_ERR_PIN_REQUIRED -3
-
-struct sk_enroll_response {
- uint8_t *public_key;
- size_t public_key_len;
- uint8_t *key_handle;
- size_t key_handle_len;
- uint8_t *signature;
- size_t signature_len;
- uint8_t *attestation_cert;
- size_t attestation_cert_len;
-};
-
-struct sk_sign_response {
- uint8_t flags;
- uint32_t counter;
- uint8_t *sig_r;
- size_t sig_r_len;
- uint8_t *sig_s;
- size_t sig_s_len;
-};
-
-struct sk_resident_key {
- uint32_t alg;
- size_t slot;
- char *application;
- struct sk_enroll_response key;
-};
-
-struct sk_option {
- char *name;
- char *value;
- uint8_t required;
-};
-
-/* If building as part of OpenSSH, then rename exported functions */
-#if !defined(SK_STANDALONE)
-#define sk_api_version ssh_sk_api_version
-#define sk_enroll ssh_sk_enroll
-#define sk_sign ssh_sk_sign
-#define sk_load_resident_keys ssh_sk_load_resident_keys
-#endif
-
/* Return the version of the middleware API */
uint32_t sk_api_version(void);
uint32_t
sk_api_version(void)
{
- return SK_VERSION_MAJOR;
+ return SSH_SK_VERSION_MAJOR;
}
/* Select the first identified FIDO device attached to the system */
{
switch(alg) {
#ifdef WITH_OPENSSL
- case SK_ECDSA:
+ case SSH_SK_ECDSA:
return pack_public_key_ecdsa(cred, response);
#endif /* WITH_OPENSSL */
- case SK_ED25519:
+ case SSH_SK_ED25519:
return pack_public_key_ed25519(cred, response);
default:
return -1;
{
switch (fidoerr) {
case FIDO_ERR_UNSUPPORTED_OPTION:
+ case FIDO_ERR_UNSUPPORTED_ALGORITHM:
return SSH_SK_ERR_UNSUPPORTED;
case FIDO_ERR_PIN_REQUIRED:
case FIDO_ERR_PIN_INVALID:
*enroll_response = NULL;
switch(alg) {
#ifdef WITH_OPENSSL
- case SK_ECDSA:
+ case SSH_SK_ECDSA:
cose_alg = COSE_ES256;
break;
#endif /* WITH_OPENSSL */
- case SK_ED25519:
+ case SSH_SK_ED25519:
cose_alg = COSE_EDDSA;
break;
default:
goto out;
}
if (device == NULL && (device = pick_first_device()) == NULL) {
+ ret = SSH_SK_ERR_DEVICE_NOT_FOUND;
skdebug(__func__, "pick_first_device failed");
goto out;
}
fido_strerr(r));
goto out;
}
- if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+ if ((r = fido_cred_set_rk(cred, (flags & SSH_SK_RESIDENT_KEY) != 0 ?
FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
goto out;
{
switch(alg) {
#ifdef WITH_OPENSSL
- case SK_ECDSA:
+ case SSH_SK_ECDSA:
return pack_sig_ecdsa(assert, response);
#endif /* WITH_OPENSSL */
- case SK_ED25519:
+ case SSH_SK_ED25519:
return pack_sig_ed25519(assert, response);
default:
return -1;
goto out;
}
if ((r = fido_assert_set_up(assert,
- (flags & SK_USER_PRESENCE_REQD) ?
+ (flags & SSH_SK_USER_PRESENCE_REQD) ?
FIDO_OPT_TRUE : FIDO_OPT_FALSE)) != FIDO_OK) {
skdebug(__func__, "fido_assert_set_up: %s", fido_strerr(r));
goto out;
switch (fido_cred_type(cred)) {
case COSE_ES256:
- srk->alg = SK_ECDSA;
+ srk->alg = SSH_SK_ECDSA;
break;
case COSE_EDDSA:
- srk->alg = SK_ED25519;
+ srk->alg = SSH_SK_ED25519;
break;
default:
skdebug(__func__, "unsupported key type %d",
fido_cred_type(cred));
- goto out;
+ goto out; /* XXX free rk and continue */
}
if ((r = pack_public_key(srk->alg, cred,
-/* $OpenBSD: ssh-keygen.c,v 1.393 2020/01/25 23:02:13 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.394 2020/01/25 23:13:09 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
if (r == 0)
break;
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
- exit(1); /* error message already printed */
+ fatal("Key enrollment failed: %s", ssh_err(r));
if (passphrase != NULL)
freezero(passphrase, strlen(passphrase));
passphrase = read_passphrase("Enter PIN for security "
-/* $OpenBSD: ssh-sk-helper.c,v 1.8 2020/01/10 23:43:26 djm Exp $ */
+/* $OpenBSD: ssh-sk-helper.c,v 1.9 2020/01/25 23:13:09 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
va_start(ap, fmt);
xvasprintf(&msg, fmt, ap);
va_end(ap);
- error("%s: %s", __progname, msg);
+ debug("%s: %s", __progname, msg);
free(msg);
if (r >= 0)
-/* $OpenBSD: ssh-sk.c,v 1.24 2020/01/06 02:00:47 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.25 2020/01/25 23:13:09 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
return SSH_ERR_FEATURE_UNSUPPORTED;
case SSH_SK_ERR_PIN_REQUIRED:
return SSH_ERR_KEY_WRONG_PASSPHRASE;
+ case SSH_SK_ERR_DEVICE_NOT_FOUND:
+ return SSH_ERR_DEVICE_NOT_FOUND;
case SSH_SK_ERR_GENERAL:
default:
return SSH_ERR_INVALID_FORMAT;
/* enroll key */
if ((r = skp->sk_enroll(alg, challenge, challenge_len, application,
flags, pin, opts, &resp)) != 0) {
- error("Security key provider \"%s\" returned failure %d",
+ debug("%s: provider \"%s\" returned failure %d", __func__,
provider_path, r);
r = skerr_to_ssherr(r);
goto out;
-/* $OpenBSD: ssherr.c,v 1.9 2019/12/30 09:24:45 djm Exp $ */
+/* $OpenBSD: ssherr.c,v 1.10 2020/01/25 23:13:09 djm Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
return "signature algorithm not supported";
case SSH_ERR_FEATURE_UNSUPPORTED:
return "requested feature not supported";
+ case SSH_ERR_DEVICE_NOT_FOUND:
+ return "device not found";
default:
return "unknown error";
}
-/* $OpenBSD: ssherr.h,v 1.7 2019/12/30 09:24:45 djm Exp $ */
+/* $OpenBSD: ssherr.h,v 1.8 2020/01/25 23:13:09 djm Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
#define SSH_ERR_NUMBER_TOO_LARGE -57
#define SSH_ERR_SIGN_ALG_UNSUPPORTED -58
#define SSH_ERR_FEATURE_UNSUPPORTED -59
+#define SSH_ERR_DEVICE_NOT_FOUND -60
/* Translate a numeric error code to a human-readable error string */
const char *ssh_err(int n);
projects / thirdparty / openssh-portable.git / commitdiff
