autoconf pieces for U2F support
Mostly following existing logic for PKCS#11 - turning off support when either libcrypto or dlopen(3) are unavailable.
This commit is contained in:
Damien Miller
parent
45f17a159a
commit
764d51e044
57
configure.ac
57
configure.ac
|
|
@ -1878,16 +1878,53 @@ AC_ARG_ENABLE([pkcs11],
|
|||
]
|
||||
)
|
||||
|
||||
# PKCS11 depends on OpenSSL.
|
||||
if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
|
||||
# PKCS#11 support requires dlopen() and co
|
||||
AC_SEARCH_LIBS([dlopen], [dl],
|
||||
AC_CHECK_DECL([RTLD_NOW],
|
||||
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
|
||||
[], [#include <dlfcn.h>]
|
||||
)
|
||||
)
|
||||
disable_sk=
|
||||
AC_ARG_ENABLE([security-key],
|
||||
[ --disable-security-key disable U2F/FIDO support code [no]],
|
||||
[
|
||||
if test "x$enableval" = "xno" ; then
|
||||
disable_sk=1
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
||||
# PKCS11/U2F depend on OpenSSL and dlopen().
|
||||
AC_SEARCH_LIBS([dlopen], [dl])
|
||||
AC_CHECK_FUNCS([dlopen])
|
||||
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
|
||||
|
||||
enable_pkcs11=yes
|
||||
enable_sk=yes
|
||||
if test "x$openssl" != "xyes" ; then
|
||||
enable_pkcs11="disabled; missing libcrypto"
|
||||
enable_sk="disabled; missing libcrypto"
|
||||
fi
|
||||
if test "x$ac_cv_func_dlopen" != "xyes" ; then
|
||||
enable_pkcs11="disabled; missing dlopen(3)"
|
||||
enable_sk="disabled; missing dlopen(3)"
|
||||
fi
|
||||
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
|
||||
enable_pkcs11="disabled; missing RTLD_NOW"
|
||||
enable_sk="disabled; missing RTLD_NOW"
|
||||
fi
|
||||
if test ! -z "$disable_pkcs11" ; then
|
||||
enable_pkcs11="disabled by user"
|
||||
fi
|
||||
if test ! -z "$disable_sk" ; then
|
||||
enable_sk="disabled by user"
|
||||
fi
|
||||
|
||||
AC_MSG_CHECKING([whether to enable PKCS11])
|
||||
if test "x$enable_pkcs11" = "xyes" ; then
|
||||
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
|
||||
fi
|
||||
AC_MSG_RESULT([$enable_pkcs11])
|
||||
|
||||
AC_MSG_CHECKING([whether to enable U2F])
|
||||
if test "x$enable_sk" = "xyes" ; then
|
||||
AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
|
||||
fi
|
||||
AC_MSG_RESULT([$enable_sk])
|
||||
|
||||
# IRIX has a const char return value for gai_strerror()
|
||||
AC_CHECK_FUNCS([gai_strerror], [
|
||||
|
|
@ -5247,6 +5284,8 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
echo " PKCS#11 support: $enable_pkcs11"
|
||||
echo " U2F/FIDO support: $enable_sk"
|
||||
|
||||
echo ""
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,8 @@
|
|||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef ENABLE_SK
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
|
|
@ -178,3 +180,4 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
|
|||
free(ktype);
|
||||
return ret;
|
||||
}
|
||||
#endif /* ENABLE_SK */
|
||||
|
|
|
|||
10
ssh-keygen.c
10
ssh-keygen.c
|
|
@ -2783,7 +2783,6 @@ main(int argc, char **argv)
|
|||
unsigned long long ull, cert_serial = 0;
|
||||
char *identity_comment = NULL, *ca_key_path = NULL;
|
||||
u_int32_t bits = 0;
|
||||
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
|
||||
FILE *f;
|
||||
const char *errstr;
|
||||
int log_level = SYSLOG_LEVEL_INFO;
|
||||
|
|
@ -2796,6 +2795,9 @@ main(int argc, char **argv)
|
|||
unsigned long start_lineno = 0, lines_to_process = 0;
|
||||
BIGNUM *start = NULL;
|
||||
#endif
|
||||
#ifdef ENABLE_SK
|
||||
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
|
||||
#endif
|
||||
|
||||
extern int optind;
|
||||
extern char *optarg;
|
||||
|
|
@ -2991,7 +2993,9 @@ main(int argc, char **argv)
|
|||
"number", optarg);
|
||||
if (ull > 0xff)
|
||||
fatal("Invalid security key flags 0x%llx", ull);
|
||||
#ifdef ENABLE_SK
|
||||
sk_flags = (uint8_t)ull;
|
||||
#endif
|
||||
break;
|
||||
case 'z':
|
||||
errno = 0;
|
||||
|
|
@ -3250,10 +3254,14 @@ main(int argc, char **argv)
|
|||
printf("Generating public/private %s key pair.\n",
|
||||
key_type_name);
|
||||
if (type == KEY_ECDSA_SK) {
|
||||
#ifndef ENABLE_SK
|
||||
fatal("Security key support was disabled at compile time");
|
||||
#else /* ENABLE_SK */
|
||||
if (sshsk_enroll(sk_provider,
|
||||
cert_key_id == NULL ? "ssh:" : cert_key_id,
|
||||
sk_flags, NULL, &private, NULL) != 0)
|
||||
exit(1); /* error message already printed */
|
||||
#endif /* ENABLE_SK */
|
||||
} else if ((r = sshkey_generate(type, bits, &private)) != 0)
|
||||
fatal("sshkey_generate failed");
|
||||
if ((r = sshkey_from_private(private, &public)) != 0)
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@
|
|||
#include "ssherr.h"
|
||||
#include "ssh-sk.h"
|
||||
|
||||
#ifdef ENABLE_SK
|
||||
extern char *__progname;
|
||||
|
||||
int
|
||||
|
|
@ -141,3 +142,13 @@ main(int argc, char **argv)
|
|||
|
||||
return (0);
|
||||
}
|
||||
#else /* ENABLE_SK */
|
||||
#include <stdio.h>
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
fprintf(stderr, "ssh-sk-helper: disabled at compile time\n");
|
||||
return -1;
|
||||
}
|
||||
#endif /* ENABLE_SK */
|
||||
|
|
|
|||
Loading…
Reference in New Issue