author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:19:52 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-12-30 20:57:58 +1100 |
commit | 4532bd01d57ee13c3ca881eceac1bf9da96a4d7e (patch) | |
tree | 8d28ff7b3344eb6db167c609372ad804c05a81fd | |
parent | 3e60d18fba1b502c21d64fc7e81d80bcd08a2092 (diff) |
upstream: basic support for generating FIDO2 resident keys
"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.
feedback and ok markus@
OpenBSD-Commit-ID: 8e1b3c56a4b11d85047bd6c6c705b7eef4d58431
-rw-r--r-- | PROTOCOL.u2f | 2 | ||||
-rw-r--r-- | sk-api.h | 4 | ||||
-rw-r--r-- | sk-usbhid.c | 10 | ||||
-rw-r--r-- | ssh-keygen.c | 4 |
4 files changed, 16 insertions, 4 deletions
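--- a/PROTOCOL.u2f
+++ b/PROTOCOL.u2f
@@ -235,6 +235,8 @@ The middleware library need only expose a handful of functions:
 
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD 0x01
+#define SSH_SK_USER_VERIFICATION_REQD 0x04
+#define SSH_SK_RESIDENT_KEY 0x20
 
 /* Algs */
 #define SSH_SK_ECDSA 0x00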
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */ | 1 | /* $OpenBSD: sk-api.h,v 1.3 2019/12/30 09:19:52 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | /* Flags */ | 26 | /* Flags */ |
27 | #define SSH_SK_USER_PRESENCE_REQD 0x01 | 27 | #define SSH_SK_USER_PRESENCE_REQD 0x01 |
28 | #define SSH_SK_USER_VERIFICATION_REQD 0x04 | ||
29 | #define SSH_SK_RESIDENT_KEY 0x20 | ||
28 | 30 | ||
29 | /* Algs */ | 31 | /* Algs */ |
30 | #define SSH_SK_ECDSA 0x00 | 32 | #define SSH_SK_ECDSA 0x00 |
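Review bot: SSH_SK_USER_VERIFICATION_REQD is introduced without a consumer: ssh-keygen.c in this commit only ever sets SSH_SK_RESIDENT_KEY, and sk-usbhid.c's sk_enroll tests only the resident bit, so a caller passing 0x04 gets a credential enrolled without user verification and no error. Marking the value as reserved, `#define SSH_SK_USER_VERIFICATION_REQD 0x04 /* reserved; not yet honoured by sk_enroll() */`, keeps callers from relying on it until a fido_cred_set_uv() path exists. The same bit values are repeated verbatim in PROTOCOL.u2f and as SK_* in sk-usbhid.c, and nothing visible here checks that the three copies stay identical, so the flag block would benefit from a `/* must match PROTOCOL.u2f and SK_* in sk-usbhid.c */` comment. The sk-api.h file header line is not in this excerpt.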
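--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -56,7 +56,9 @@
 #define SK_VERSION_MAJOR 0x00020000 /* current API version */
 
 /* Flags */
 #define SK_USER_PRESENCE_REQD 0x01
+#define SK_USER_VERIFICATION_REQD 0x04
+#define SK_RESIDENT_KEY 0x20
 
 /* Algs */
 #define SK_ECDSA 0x00
@@ -410,7 +412,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 int r;
 char *device = NULL;
 
-(void)flags; /* XXX; unused */
 #ifdef SK_DEBUG
 fido_init(FIDO_DEBUG);
 #endif
@@ -452,6 +453,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 fido_strerr(r));
 goto out;
 }
+if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
+skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
+goto out;
+}
 if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
 "openssh", "openssh", NULL)) != FIDO_OK) {
 skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));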
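Review bot: fido_cred_set_rk is the only place sk_enroll reads `flags` now that `(void)flags` is gone, so every other bit — including the SK_USER_VERIFICATION_REQD just defined in the first hunk — is silently ignored rather than rejected or logged. A `skdebug(__func__, "ignoring unsupported flags 0x%x", (unsigned)(flags & ~SK_RESIDENT_KEY));` before the fido_cred_set_rk call would at least make such a mismatch visible in debug output; whether SK_USER_PRESENCE_REQD is meant to be honoured during enrollment cannot be told from the hunk. Passing FIDO_OPT_OMIT rather than FIDO_OPT_FALSE when the flag is clear leaves the rk decision to the authenticator's default, which deserves a one-line comment so a later reader does not "fix" it. sk_enroll's signature and the rest of its body lie outside the hunk.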
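--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.377 2019/12/30 09:19:52 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3135,6 +3135,8 @@ main(int argc, char **argv)
 fatal("Missing security key flags");
 if (strcasecmp(optarg, "no-touch-required") == 0)
 sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+else if (strcasecmp(optarg, "resident") == 0)
+sk_flags |= SSH_SK_RESIDENT_KEY;
 else {
 ull = strtoull(optarg, &ep, 0);
 if (*ep != '\0')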
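Review bot: The `resident` keyword is accepted with no indication of what it trades away: a resident credential is discoverable on the authenticator itself, so possession of the token (and its PIN, where one is set) is enough to use the key without the private key file that a non-resident key requires. Neither the usage text nor ssh-keygen.1 is among the four files in this diffstat; if they are not updated elsewhere, the `-x` description should state that `resident` stores the key on the device and what that means when the token is lost. The numeric fallback on the next line still lets a user set any bit, including the 0x04 this commit defines but does not implement, so a flag value reaching sk_enroll is not necessarily one ssh-keygen understands. This branch is inside main(), which begins and ends outside the hunk.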