From nobody Thu Feb 10 00:15:07 2022
Date: Thu, 10 Feb 2022 00:15:07 GMT
Message-Id: <202202100015.21A0F7JO071097@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: a613d68fff9a - stable/13 - ssh: enable FIDO/U2F keys
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: a613d68fff9af03730e1c18438f85d80649547e4

The branch stable/13 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=a613d68fff9af03730e1c18438f85d80649547e4

commit a613d68fff9af03730e1c18438f85d80649547e4
Author:     Ed Maste
AuthorDate: 2021-10-07 03:31:17 +0000
Commit:     Ed Maste
CommitDate: 2022-02-10 00:03:21 +0000

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "ecdsa-sk" and "ed25519-sk", along with corresponding
certificate types.

ssh-keygen(1) may be used to generate a FIDO token-backed key, after
which they may be used much like any other key type supported by
OpenSSH, so long as the hardware token is attached when the keys are
used. FIDO tokens also generally require the user explicitly authorise
operations by touching or tapping them.

Generating a FIDO key requires the token be attached, and will usually
require the user tap the token to confirm the operation:

  $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  Generating public/private ecdsa-sk key pair.
  You may need to touch your security key to authorize key generation.
  Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
  Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

This will yield a public and private key-pair. The private key file
should be useless to an attacker who does not have access to the
physical token. After generation, this key may be used like any other
supported key in OpenSSH and may be listed in authorized_keys, added to
ssh-agent(1), etc. The only additional stipulation is that the FIDO
token that the key belongs to must be attached when the key is used.
To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509 (cherry picked from commit e9a994639b2af232f994ba2ad23ca45a17718d2b) --- crypto/openssh/ssh_namespace.h | 12 ++++++++++++ secure/libexec/Makefile | 2 +- secure/libexec/ssh-sk-helper/Makefile | 16 ++++++++++++++++ secure/ssh.mk | 6 ++++++ tools/build/mk/OptionalObsoleteFiles.inc | 2 ++ 5 files changed, 37 insertions(+), 1 deletion(-) diff --git a/crypto/openssh/ssh_namespace.h b/crypto/openssh/ssh_namespace.h index 2c2060567460..94a391ee5f45 100644 --- a/crypto/openssh/ssh_namespace.h +++ b/crypto/openssh/ssh_namespace.h @@ -87,6 +87,10 @@ #define chacha_encrypt_bytes Fssh_chacha_encrypt_bytes #define chacha_ivsetup Fssh_chacha_ivsetup #define chacha_keysetup Fssh_chacha_keysetup +#define chachapoly_crypt Fssh_chachapoly_crypt +#define chachapoly_free Fssh_chachapoly_free +#define chachapoly_get_length Fssh_chachapoly_get_length +#define chachapoly_new Fssh_chachapoly_new #define chan_ibuf_empty Fssh_chan_ibuf_empty #define chan_is_dead Fssh_chan_is_dead #define chan_mark_dead Fssh_chan_mark_dead @@ -553,8 +557,10 @@ #define ssh_dss_sign Fssh_ssh_dss_sign #define ssh_dss_verify Fssh_ssh_dss_verify #define ssh_ecdsa_sign Fssh_ssh_ecdsa_sign +#define ssh_ecdsa_sk_verify Fssh_ssh_ecdsa_sk_verify #define ssh_ecdsa_verify Fssh_ssh_ecdsa_verify #define ssh_ed25519_sign Fssh_ssh_ed25519_sign +#define ssh_ed25519_sk_verify Fssh_ssh_ed25519_sk_verify #define ssh_ed25519_verify Fssh_ssh_ed25519_verify #define ssh_err Fssh_ssh_err #define ssh_fetch_identitylist Fssh_ssh_fetch_identitylist 
@@ -871,6 +877,12 @@ #define sshpkt_start Fssh_sshpkt_start #define sshpkt_vfatal Fssh_sshpkt_vfatal #define sshsigdie Fssh_sshsigdie +#define sshsk_add_option Fssh_sshsk_add_option +#define sshsk_enroll Fssh_sshsk_enroll +#define sshsk_key_from_response Fssh_sshsk_key_from_response +#define sshsk_load_resident Fssh_sshsk_load_resident +#define sshsk_open Fssh_sshsk_open +#define sshsk_sign Fssh_sshsk_sign #define start_progress_meter Fssh_start_progress_meter #define stdfd_devnull Fssh_stdfd_devnull #define stop_progress_meter Fssh_stop_progress_meter diff --git a/secure/libexec/Makefile b/secure/libexec/Makefile index 3438b412d5da..f07454db3643 100644 --- a/secure/libexec/Makefile +++ b/secure/libexec/Makefile @@ -4,7 +4,7 @@ SUBDIR= .if ${MK_OPENSSH} != "no" -SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper +SUBDIR+=sftp-server ssh-keysign ssh-pkcs11-helper ssh-sk-helper .endif SUBDIR.${MK_TESTS}+= tests diff --git a/secure/libexec/ssh-sk-helper/Makefile b/secure/libexec/ssh-sk-helper/Makefile new file mode 100644 index 000000000000..622b0ac682bd --- /dev/null +++ b/secure/libexec/ssh-sk-helper/Makefile @@ -0,0 +1,16 @@ +.include +.include "${SRCTOP}/secure/ssh.mk" + +PROG= ssh-sk-helper +SRCS= ssh-sk-helper.c ssh-sk.c sk-usbhid.c +MAN= ssh-sk-helper.8 +CFLAGS+=-I${SRCTOP}/contrib/libfido2/src + +LIBADD= ssh crypto z +.if ${MK_USB} != "no" +LIBADD+= fido2 cbor +.endif + +.include + +.PATH: ${SSHDIR} diff --git a/secure/ssh.mk b/secure/ssh.mk index 4ab8cd399ae8..822946253263 100644 --- a/secure/ssh.mk +++ b/secure/ssh.mk @@ -1,6 +1,12 @@ # Common Make variables for OpenSSH +.include + SSHDIR= ${SRCTOP}/crypto/openssh CFLAGS+= -I${SSHDIR} -include ssh_namespace.h SRCS+= ssh_namespace.h + +.if ${MK_USB} != "no" +CFLAGS+= -DENABLE_SK_INTERNAL=1 +.endif diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 972a58a330dc..21336b55fb89 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc 
+++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -7220,6 +7220,7 @@ OLD_FILES+=usr/lib32/libprivatessh_p.a OLD_FILES+=usr/libexec/sftp-server OLD_FILES+=usr/libexec/ssh-keysign OLD_FILES+=usr/libexec/ssh-pkcs11-helper +OLD_FILES+=usr/libexec/ssh-sk-helper OLD_FILES+=usr/sbin/sshd OLD_FILES+=usr/share/man/man1/scp.1.gz OLD_FILES+=usr/share/man/man1/sftp.1.gz @@ -7236,6 +7237,7 @@ OLD_FILES+=usr/share/man/man8/pam_ssh.8.gz OLD_FILES+=usr/share/man/man8/sftp-server.8.gz OLD_FILES+=usr/share/man/man8/ssh-keysign.8.gz OLD_FILES+=usr/share/man/man8/ssh-pkcs11-helper.8.gz +OLD_FILES+=usr/share/man/man8/ssh-sk-helper.8.gz OLD_FILES+=usr/share/man/man8/sshd.8.gz .endif
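Review bot: In the secure/libexec/Makefile hunk, ssh-sk-helper is added to SUBDIR whenever MK_OPENSSH is enabled, including WITHOUT_USB builds, where the ssh.mk and ssh-sk-helper/Makefile hunks never set ENABLE_SK_INTERNAL or link fido2/cbor; that matches the commit message, but it installs a helper with no internal provider compiled in, so a sentence in the commit message or the release note saying that WITHOUT_USB ships a helper that cannot reach a token would save users a confusing failure later.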
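Review bot: In the new secure/libexec/ssh-sk-helper/Makefile, both `.include` directives appear with no file name in this rendering, so please confirm the archived patch names the intended makefiles; separately, `CFLAGS+=-I${SRCTOP}/contrib/libfido2/src` is unconditional while `LIBADD+= fido2 cbor` sits under `.if ${MK_USB} != "no"`, so moving the include path into the same conditional keeps WITHOUT_USB builds from referencing contrib/libfido2 at all, and a one-line comment noting that sk-usbhid.c is expected to compile to an empty object when ENABLE_SK_INTERNAL is unset would help the next reader of SRCS.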
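Review bot: In the secure/ssh.mk hunk, `-DENABLE_SK_INTERNAL=1` is added to the shared CFLAGS, so it reaches every OpenSSH program and library built under secure/, not only ssh-sk-helper; if the intent is for ssh, ssh-agent and ssh-keygen to see the define as well, a short comment above the `.if ${MK_USB} != "no"` block saying so would stop a later cleanup from scoping it down to the helper's own Makefile.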
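The commit message says the new "sk" key types can be listed in authorized_keys like any other key. As an added example (my code, not from the FreeBSD commit or OpenSSH), the audit below decodes each authorized_keys key blob using the layout OpenSSH documents in PROTOCOL.u2f, flags whether an entry is hardware-backed, checks that the declared type matches the type embedded in the blob, and recovers the FIDO application string; the sample lines are constructed, and the EC point in them is a placeholder rather than a real curve point.

```python
# Added example (not from the FreeBSD commit or OpenSSH): audit authorized_keys
# lines for FIDO-backed "sk-" keys. Per OpenSSH PROTOCOL.u2f the public key blob
# is SSH wire strings: type, [curve], public point/key, application.
import base64
import struct

SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}


def _read_string(blob: bytes, off: int):
    """Read one SSH wire 'string' (uint32 big-endian length prefix)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n


def parse_sk_key(line: str) -> dict:
    """Classify one authorized_keys line; for sk- keys, check that the embedded
    type matches the declared one and recover the application string."""
    fields = line.split()
    # Options (e.g. no-touch-required) may precede the key type field.
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    ktype = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded.decode() != ktype:
        raise ValueError(f"declared type {ktype} != embedded {embedded.decode()}")
    info = {"type": ktype, "hardware_backed": ktype in SK_TYPES, "application": None}
    if ktype in SK_TYPES:
        if ktype.startswith("sk-ecdsa"):
            _curve, off = _read_string(blob, off)  # "nistp256"
        _pub, off = _read_string(blob, off)        # EC point or Ed25519 key
        app, off = _read_string(blob, off)
        info["application"] = app.decode()         # normally "ssh:"
    return info


def _wire(*parts: bytes) -> bytes:
    """Encode byte strings as concatenated SSH wire strings (builds the samples)."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


# Constructed sample lines (placeholder EC point: 0x04 + 64 bytes, not a real
# curve point; the parser does not validate points).
SAMPLE_SK = "sk-ecdsa-sha2-nistp256@openssh.com " + base64.b64encode(_wire(
    b"sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + b"\x11" * 64, b"ssh:"
)).decode() + " alice@laptop"
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(_wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3")).decode() + " legacy"
```

Running `parse_sk_key` over every line of a real authorized_keys file gives a quick inventory of which entries are token-backed and which are plain software keys.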