author | markus@openbsd.org <markus@openbsd.org> | 2019-11-12 20:32:30 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-11-12 22:49:59 +0100 |
commit | fd1a3b5e38721b1d69aae2d9de1a1d9155dfa5c7 (patch) | |
tree | d476e8a0e827faa17ae0f8d036102c5810c28f35 /PROTOCOL.u2f | |
parent | upstream: implement sshsk_ed25519_assemble(); ok djm (diff) | |
upstream: update sk-api to version 2 for ed25519 support; ok djm
OpenBSD-Commit-ID: 77aa4d5b6ab17987d8a600907b49573940a0044a
Diffstat (limited to 'PROTOCOL.u2f')
-rw-r--r-- | PROTOCOL.u2f | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index a587480be..bd60f9fac 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -138,7 +138,7 @@ The signature returned from U2F hardware takes the following format: For use in the SSH protocol, we wish to avoid server-side parsing of ASN.1 format data in the pre-authentication attack surface. Therefore, the signature format used on the wire in SSH2_USERAUTH_REQUEST packets will -be reformatted slightly: +be reformatted slightly and the ecdsa_signature_blob value has the encoding: mpint r mpint s @@ -184,6 +184,10 @@ The middleware library need only expose a handful of functions: /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 + /* Algs */ + #define SSH_SK_ECDSA 0x00 + #define SSH_SK_ED25519 0x01 + struct sk_enroll_response { uint8_t *public_key; size_t public_key_len; @@ -208,12 +212,12 @@ The middleware library need only expose a handful of functions: uint32_t sk_api_version(void); /* Enroll a U2F key (private key generation) */ - int sk_enroll(const uint8_t *challenge, size_t challenge_len, + int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, struct sk_enroll_response **enroll_response); /* Sign a challenge */ - int sk_sign(const uint8_t *message, size_t message_len, + int sk_sign(int alg, const uint8_t *message, size_t message_len, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, struct sk_sign_response **sign_response); |
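Review bot: in the first hunk (@@ -138,7 +138,7 @@) the rewritten sentence names only ecdsa_signature_blob with its `mpint r` / `mpint s` encoding, while this commit adds SSH_SK_ED25519 to the API, and the visible text gives no wire encoding for an Ed25519 signature. Suggest adding the Ed25519 signature format next to the ECDSA one, or a sentence saying where in the file it is specified. The new sentence would also read more clearly as two: "be reformatted slightly. The ecdsa_signature_blob value has the encoding:".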
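Review bot: in the second hunk (@@ -184,6 +184,10 @@) SSH_SK_ECDSA is defined as 0x00, so an `alg` argument that a caller leaves zero-initialised cannot be told apart from an explicit ECDSA request. Suggest either documenting that 0 is the intended default or starting the numbering at 1 so that an unset value can be rejected. The `/* Algs */` comment should also say that these are the values accepted by the `alg` parameter of sk_enroll() and sk_sign(), since nothing in the block ties them to those functions.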
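Review bot: in the third hunk (@@ -208,12 +212,12 @@) the new leading `int alg` parameter changes the signatures of sk_enroll() and sk_sign(), which breaks middleware built against the previous prototypes, yet the visible text does not state which value sk_api_version() must return for these signatures. Suggest documenting the required version next to `uint32_t sk_api_version(void);`. The text should also specify what the middleware returns when `alg` is a value it does not support, and `alg` could use a fixed-width type to match `uint8_t flags` rather than `int`.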