From: djm@openbsd.org <djm@openbsd.org>
Date: Mon, 30 Dec 2019 09:19:52 +0000 (+0000)
Subject: upstream: basic support for generating FIDO2 resident keys
X-Git-Tag: V_8_2_P1~168
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4532bd01d57ee13c3ca881eceac1bf9da96a4d7e;p=thirdparty%2Fopenssh-portable.git

upstream: basic support for generating FIDO2 resident keys

"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.

feedback and ok markus@

OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
---

diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f
index 61b70d6ef..93601159c 100644
--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -235,6 +235,8 @@ The middleware library need only expose a handful of functions:
 
 	/* Flags */
 	#define SSH_SK_USER_PRESENCE_REQD	0x01
+	#define SSH_SK_USER_VERIFICATION_REQD	0x04
+	#define SSH_SK_RESIDENT_KEY		0x20
 
 	/* Algs */
 	#define SSH_SK_ECDSA                   0x00
diff --git a/sk-api.h b/sk-api.h
index 5ada30a3d..5947e0ed7 100644
--- a/sk-api.h
+++ b/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */
+/* $OpenBSD: sk-api.h,v 1.3 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -25,6 +25,8 @@
 
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD	0x01
+#define SSH_SK_USER_VERIFICATION_REQD	0x04
+#define SSH_SK_RESIDENT_KEY		0x20
 
 /* Algs */
 #define SSH_SK_ECDSA			0x00
diff --git a/sk-usbhid.c b/sk-usbhid.c
index 594f5d890..61b52bbb9 100644
--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -56,7 +56,9 @@
 #define SK_VERSION_MAJOR	0x00020000 /* current API version */
 
 /* Flags */
-#define SK_USER_PRESENCE_REQD	0x01
+#define SK_USER_PRESENCE_REQD		0x01
+#define SK_USER_VERIFICATION_REQD	0x04
+#define SK_RESIDENT_KEY			0x20
 
 /* Algs */
 #define	SK_ECDSA		0x00
@@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 	int r;
 	char *device = NULL;
 
-	(void)flags; /* XXX; unused */
 #ifdef SK_DEBUG
 	fido_init(FIDO_DEBUG);
 #endif
@@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 		    fido_strerr(r));
 		goto out;
 	}
+	if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+	    FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
+		skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
+		goto out;
+	}
 	if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
 	    "openssh", "openssh", NULL)) != FIDO_OK) {
 		skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 447810fb1..48342c09d 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.377 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3135,6 +3135,8 @@ main(int argc, char **argv)
 				fatal("Missing security key flags");
 			if (strcasecmp(optarg, "no-touch-required") == 0)
 				sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+			else if (strcasecmp(optarg, "resident") == 0)
+				sk_flags |= SSH_SK_RESIDENT_KEY;
 			else {
 				ull = strtoull(optarg, &ep, 0);
 				if (*ep != '\0')