upstream: basic support for generating FIDO2 resident keys

"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.

feedback and ok markus@

OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 61b70d6ef2b271a7690405e2b33265ffd2b32379..93601159c1c79bd68bb1230686d010fd10c0eeb7 100644 (file)
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -235,6 +235,8 @@ The middleware library need only expose a handful of functions:
 
        /* Flags */
        #define SSH_SK_USER_PRESENCE_REQD       0x01
+       #define SSH_SK_USER_VERIFICATION_REQD   0x04
+       #define SSH_SK_RESIDENT_KEY             0x20
 
        /* Algs */
        #define SSH_SK_ECDSA                   0x00

diff --git a/sk-api.h b/sk-api.h
index 5ada30a3d748b86195eaecd6f0c1ca33247cefd2..5947e0ed7a97231fe7d888caa61fbaee17af9f5d 100644 (file)
--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */
+/* $OpenBSD: sk-api.h,v 1.3 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -25,6 +25,8 @@
 
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD      0x01
+#define SSH_SK_USER_VERIFICATION_REQD  0x04
+#define SSH_SK_RESIDENT_KEY            0x20
 
 /* Algs */
 #define SSH_SK_ECDSA                   0x00

diff --git a/sk-usbhid.c b/sk-usbhid.c
index 594f5d8907febb51f5561e0fbff340f53a2517b5..61b52bbb9b6e80cbf2e5076b6737089897e396b1 100644 (file)
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -56,7 +56,9 @@
 #define SK_VERSION_MAJOR       0x00020000 /* current API version */
 
 /* Flags */
-#define SK_USER_PRESENCE_REQD  0x01
+#define SK_USER_PRESENCE_REQD          0x01
+#define SK_USER_VERIFICATION_REQD      0x04
+#define SK_RESIDENT_KEY                        0x20
 
 /* Algs */
 #define        SK_ECDSA                0x00
@@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
        int r;
        char *device = NULL;
 
-       (void)flags; /* XXX; unused */
 #ifdef SK_DEBUG
        fido_init(FIDO_DEBUG);
 #endif
@@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
                    fido_strerr(r));
                goto out;
        }
+       if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+           FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
+               skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
+               goto out;
+       }
        if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
            "openssh", "openssh", NULL)) != FIDO_OK) {
                skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 447810fb16bc0bd3c272c3a12c850c9e027e1488..48342c09d3e9961d76dd26a8dbcfd3de6c98a95a 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.377 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3135,6 +3135,8 @@ main(int argc, char **argv)
                                fatal("Missing security key flags");
                        if (strcasecmp(optarg, "no-touch-required") == 0)
                                sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+                       else if (strcasecmp(optarg, "resident") == 0)
+                               sk_flags |= SSH_SK_RESIDENT_KEY;
                        else {
                                ull = strtoull(optarg, &ep, 0);
                                if (*ep != '\0')