Support for sk-ecdsa-sha2-nistp256 and sk-ssh-ed25519 keys, FIDO (#698)

Notes: Add support for sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key exchange for FIDO auth using the OpenSSL backend. Stub API for other backends. Credit: Michael Buckley
2025-08-07 08:02:56 +03:00 · 2022-09-29 09:05:34 -07:00
parent ef292424bb
commit ed439a29bb
16 changed files with 1380 additions and 29 deletions
--- a/include/libssh2.h
+++ b/include/libssh2.h
@@ -283,6 +283,15 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
    unsigned int length;
 } LIBSSH2_USERAUTH_KBDINT_RESPONSE;

+typedef struct _LIBSSH2_SK_SIG_INFO {
+    uint8_t flags;
+    uint32_t counter;
+    unsigned char *sig_r;
+    size_t sig_r_len;
+    unsigned char *sig_s;
+    size_t sig_s_len;
+} LIBSSH2_SK_SIG_INFO;
+
 /* 'publickey' authentication callback */
 #define LIBSSH2_USERAUTH_PUBLICKEY_SIGN_FUNC(name) \
  int name(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, \
@@ -295,6 +304,17 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
            const LIBSSH2_USERAUTH_KBDINT_PROMPT *prompts,              \
            LIBSSH2_USERAUTH_KBDINT_RESPONSE *responses, void **abstract)

+/* SK authentication callback */
+#define LIBSSH2_USERAUTH_SK_SIGN_FUNC(name) \
+int name(LIBSSH2_SESSION *session, LIBSSH2_SK_SIG_INFO *sig_info, \
+const unsigned char *data, size_t data_len, int algorithm, uint8_t flags, \
+const char *application, const unsigned char *key_handle, size_t handle_len, \
+void **abstract)
+
+/* Flags for SK authentication */
+#define LIBSSH2_SK_PRESENCE_REQUIRED     0x01
+#define LIBSSH2_SK_VERIFICATION_REQUIRED 0x04
+
 /* Callbacks for special SSH packets */
 #define LIBSSH2_IGNORE_FUNC(name) \
 void name(LIBSSH2_SESSION *session, const char *message, int message_len, \
@@ -368,6 +388,25 @@ typedef struct _LIBSSH2_LISTENER                    LIBSSH2_LISTENER;
 typedef struct _LIBSSH2_KNOWNHOSTS                  LIBSSH2_KNOWNHOSTS;
 typedef struct _LIBSSH2_AGENT                       LIBSSH2_AGENT;

+/* SK signature callback */
+typedef struct _LIBSSH2_PRIVKEY_SK {
+    int algorithm;
+    uint8_t flags;
+    const char *application;
+    const unsigned char *key_handle;
+    size_t handle_len;
+    LIBSSH2_USERAUTH_SK_SIGN_FUNC((*sign_callback));
+    void **orig_abstract;
+} LIBSSH2_PRIVKEY_SK;
+
+int
+libssh2_sign_sk(LIBSSH2_SESSION *session,
+                unsigned char **sig,
+                size_t *sig_len,
+                const unsigned char *data,
+                size_t data_len,
+                void **abstract);
+
 typedef struct _LIBSSH2_POLLFD {
    unsigned char type; /* LIBSSH2_POLLFD_* below */

@@ -711,6 +750,17 @@ libssh2_userauth_keyboard_interactive_ex(LIBSSH2_SESSION* session,
                                             (unsigned int)strlen(username), \
                                             (response_callback))

+LIBSSH2_API int
+libssh2_userauth_publickey_sk(LIBSSH2_SESSION *session,
+                              const char *username,
+                              size_t username_len,
+                              const char *privatekeydata,
+                              size_t privatekeydata_len,
+                              const char *passphrase,
+                              LIBSSH2_USERAUTH_SK_SIGN_FUNC
+                              ((*sign_callback)),
+                              void **abstract);
+
 LIBSSH2_API int libssh2_poll(LIBSSH2_POLLFD *fds, unsigned int nfds,
                             long timeout);