From 9ec7dd94c37c434764c34cf58bb7854c873e27c4 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@cvs.openbsd.org>
Date: Mon, 30 Dec 2019 09:19:53 +0000
Subject: basic support for generating FIDO2 resident keys

"ssh-keygen -t ecdsa-sk|ed25519-sk -x resident" will generate a
device-resident key.

feedback and ok markus@
---
 usr.bin/ssh/PROTOCOL.u2f |  2 ++
 usr.bin/ssh/sk-api.h     |  4 +++-
 usr.bin/ssh/sk-usbhid.c  | 10 ++++++++--
 usr.bin/ssh/ssh-keygen.c |  4 +++-
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/usr.bin/ssh/PROTOCOL.u2f b/usr.bin/ssh/PROTOCOL.u2f
index 61b70d6ef2b..93601159c1c 100644
--- a/usr.bin/ssh/PROTOCOL.u2f
+++ b/usr.bin/ssh/PROTOCOL.u2f
@@ -235,6 +235,8 @@ The middleware library need only expose a handful of functions:
 
 	/* Flags */
 	#define SSH_SK_USER_PRESENCE_REQD	0x01
+	#define SSH_SK_USER_VERIFICATION_REQD	0x04
+	#define SSH_SK_RESIDENT_KEY		0x20
 
 	/* Algs */
 	#define SSH_SK_ECDSA                   0x00
diff --git a/usr.bin/ssh/sk-api.h b/usr.bin/ssh/sk-api.h
index 0ceff54232f..88b4ca435de 100644
--- a/usr.bin/ssh/sk-api.h
+++ b/usr.bin/ssh/sk-api.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-api.h,v 1.2 2019/11/12 19:32:30 markus Exp $ */
+/* $OpenBSD: sk-api.h,v 1.3 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -23,6 +23,8 @@
 
 /* Flags */
 #define SSH_SK_USER_PRESENCE_REQD	0x01
+#define SSH_SK_USER_VERIFICATION_REQD	0x04
+#define SSH_SK_RESIDENT_KEY		0x20
 
 /* Algs */
 #define SSH_SK_ECDSA			0x00
diff --git a/usr.bin/ssh/sk-usbhid.c b/usr.bin/ssh/sk-usbhid.c
index 39d25aa8b5d..dfc346a159b 100644
--- a/usr.bin/ssh/sk-usbhid.c
+++ b/usr.bin/ssh/sk-usbhid.c
@@ -52,7 +52,9 @@
 #define SK_VERSION_MAJOR	0x00020000 /* current API version */
 
 /* Flags */
-#define SK_USER_PRESENCE_REQD	0x01
+#define SK_USER_PRESENCE_REQD		0x01
+#define SK_USER_VERIFICATION_REQD	0x04
+#define SK_RESIDENT_KEY			0x20
 
 /* Algs */
 #define	SK_ECDSA		0x00
@@ -406,7 +408,6 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 	int r;
 	char *device = NULL;
 
-	(void)flags; /* XXX; unused */
 #ifdef SK_DEBUG
 	fido_init(FIDO_DEBUG);
 #endif
@@ -448,6 +449,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 		    fido_strerr(r));
 		goto out;
 	}
+	if ((r = fido_cred_set_rk(cred, (flags & SK_RESIDENT_KEY) != 0 ?
+	    FIDO_OPT_TRUE : FIDO_OPT_OMIT)) != FIDO_OK) {
+		skdebug(__func__, "fido_cred_set_rk: %s", fido_strerr(r));
+		goto out;
+	}
 	if ((r = fido_cred_set_user(cred, user_id, sizeof(user_id),
 	    "openssh", "openssh", NULL)) != FIDO_OK) {
 		skdebug(__func__, "fido_cred_set_user: %s", fido_strerr(r));
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 34c65121d5a..eaafbf2b096 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.376 2019/12/30 03:30:09 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.377 2019/12/30 09:19:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3116,6 +3116,8 @@ main(int argc, char **argv)
 				fatal("Missing security key flags");
 			if (strcasecmp(optarg, "no-touch-required") == 0)
 				sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
+			else if (strcasecmp(optarg, "resident") == 0)
+				sk_flags |= SSH_SK_RESIDENT_KEY;
 			else {
 				ull = strtoull(optarg, &ep, 0);
 				if (*ep != '\0')
-- 
cgit v1.2.3