diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:19:52 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-12-30 20:57:58 +1100 |
| commit | 4532bd01d57ee13c3ca881eceac1bf9da96a4d7e (patch) | |
| tree | 8d28ff7b3344eb6db167c609372ad804c05a81fd | |
| parent | 3e60d18fba1b502c21d64fc7e81d80bcd08a2092 (diff) | |
upstream: basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.
feedback and ok markus@
OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
| -rw-r--r-- | PROTOCOL.u2f | 2 | ||||
| -rw-r--r-- | sk-api.h | 4 | ||||
| -rw-r--r-- | sk-usbhid.c | 10 | ||||
| -rw-r--r-- | ssh-keygen.c | 4 |
4 files changed, 16 insertions, 4 deletions
diff --git a/PROTOCOL.u2f b/PROTOCOL.u2f index 61b70d6e..93601159 100644 --- a/PROTOCOL.u2f +++ b/PROTOCOL.u2f @@ -235,6 +235,8 @@ The middleware library need only expose a handful of functions: /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 + #define SSH_SK_USER_VERIFICATION_REQD 0x04 + #define SSH_SK_RESIDENT_KEY 0x20 /* Algs */ #define SSH_SK_ECDSA 0x00 @@ -1,4 +1,4 @@ -/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */ +/* $OpenBSD: sk-api.h,v 1.3 2019/12/30 09:19:52 djm Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -25,6 +25,8 @@ /* Flags */ #define SSH_SK_USER_PRESENCE_REQD 0x01 +#define SSH_SK_USER_VERIFICATION_REQD 0x04 +#define SSH_SK_RESIDENT_KEY 0x20 /* Algs */ #define SSH_SK_ECDSA 0x00 diff --git a/sk-usbhid.c b/sk-usbhid.c index 594f5d89..61b52bbb 100644 --- a/sk-usbhid.c +++ b/sk-usbhid.c @@ -56,7 +56,9 @@ #define SK_VERSION_MAJOR 0x00020000 /* current API version */ /* Flags */ -#define SK_USER_PRESENCE_REQD 0x01 +#define SK_USER_PRESENCE_REQD 0x01 +#define SK_USER_VERIFICATION_REQD 0x04 +#define SK_RESIDENT_KEY 0x20 /* Algs */ #define SK_ECDSA 0x00 @@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, int r; char *device = NULL; - (void)flags; /* XXX; unused */ #ifdef SK_DEBUG fido_init(FIDO_DEBUG); #endif @@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, fido_strerr(r)); goto out; } + if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ? + FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) { + skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r)); + goto out; + } if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id), "openssh", "openssh", NULL)) != FIDO_OK) { skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r)); diff --git a/ssh-keygen.c b/ssh-keygen.c index 447810fb..48342c09 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.377 2019/12/30 09:19:52 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -3135,6 +3135,8 @@ main(int argc, char **argv) fatal("Missing security key flags"); if (strcasecmp(optarg, "no-touch-required") == 0) sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; + else if (strcasecmp(optarg, "resident") == 0) + sk_flags |= SSH_SK_RESIDENT_KEY; else { ull = strtoull(optarg, &ep, 0); if (*ep != '\0') |