tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-26 15:24:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

autoconf pieces for U2F support

Browse Source 
Mostly following existing logic for PKCS#11 - turning off support
when either libcrypto or dlopen(3) are unavailable.
This commit is contained in:
Damien Miller 2019-11-01 13:34:49 +11:00
parent 45f17a159a
commit 764d51e044
5 changed files with 74 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
configure.ac
View File

@ -1878,16 +1878,53 @@ AC_ARG_ENABLE([pkcs11],
] ]
) )
# PKCS11 depends on OpenSSL. disable_sk=
if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then AC_ARG_ENABLE([security-key],
# PKCS#11 support requires dlopen() and co [ --disable-security-key disable U2F/FIDO support code [no]],
AC_SEARCH_LIBS([dlopen], [dl], [
AC_CHECK_DECL([RTLD_NOW], if test "x$enableval" = "xno" ; then
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]), disable_sk=1
[], [#include <dlfcn.h>] fi
) ]
) )
# PKCS11/U2F depend on OpenSSL and dlopen().
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
enable_pkcs11=yes
enable_sk=yes
if test "x$openssl" != "xyes" ; then
enable_pkcs11="disabled; missing libcrypto"
enable_sk="disabled; missing libcrypto"
fi fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
enable_pkcs11="disabled; missing dlopen(3)"
enable_sk="disabled; missing dlopen(3)"
fi
if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
enable_pkcs11="disabled; missing RTLD_NOW"
enable_sk="disabled; missing RTLD_NOW"
fi
if test ! -z "$disable_pkcs11" ; then
enable_pkcs11="disabled by user"
fi
if test ! -z "$disable_sk" ; then
enable_sk="disabled by user"
fi
AC_MSG_CHECKING([whether to enable PKCS11])
if test "x$enable_pkcs11" = "xyes" ; then
AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
fi
AC_MSG_RESULT([$enable_pkcs11])
AC_MSG_CHECKING([whether to enable U2F])
if test "x$enable_sk" = "xyes" ; then
AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
fi
AC_MSG_RESULT([$enable_sk])
# IRIX has a const char return value for gai_strerror() # IRIX has a const char return value for gai_strerror()
AC_CHECK_FUNCS([gai_strerror], [ AC_CHECK_FUNCS([gai_strerror], [
@ -5247,6 +5284,8 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
echo " PKCS#11 support: $enable_pkcs11"
echo " U2F/FIDO support: $enable_sk"
echo "" echo ""

3
ssh-ecdsa-sk.c
View File

@ -29,6 +29,8 @@
#include "includes.h" #include "includes.h"
#ifdef ENABLE_SK
#include <sys/types.h> #include <sys/types.h>
#include <openssl/bn.h> #include <openssl/bn.h>
@ -178,3 +180,4 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
free(ktype); free(ktype);
return ret; return ret;
} }
#endif /* ENABLE_SK */

10
ssh-keygen.c
View File

@ -2783,7 +2783,6 @@ main(int argc, char **argv)
unsigned long long ull, cert_serial = 0; unsigned long long ull, cert_serial = 0;
char *identity_comment = NULL, *ca_key_path = NULL; char *identity_comment = NULL, *ca_key_path = NULL;
u_int32_t bits = 0; u_int32_t bits = 0;
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
FILE *f; FILE *f;
const char *errstr; const char *errstr;
int log_level = SYSLOG_LEVEL_INFO; int log_level = SYSLOG_LEVEL_INFO;
@ -2796,6 +2795,9 @@ main(int argc, char **argv)
unsigned long start_lineno = 0, lines_to_process = 0; unsigned long start_lineno = 0, lines_to_process = 0;
BIGNUM *start = NULL; BIGNUM *start = NULL;
#endif #endif
#ifdef ENABLE_SK
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
#endif
extern int optind; extern int optind;
extern char *optarg; extern char *optarg;
@ -2991,7 +2993,9 @@ main(int argc, char **argv)
"number", optarg); "number", optarg);
if (ull > 0xff) if (ull > 0xff)
fatal("Invalid security key flags 0x%llx", ull); fatal("Invalid security key flags 0x%llx", ull);
#ifdef ENABLE_SK
sk_flags = (uint8_t)ull; sk_flags = (uint8_t)ull;
#endif
break; break;
case 'z': case 'z':
errno = 0; errno = 0;
@ -3250,10 +3254,14 @@ main(int argc, char **argv)
printf("Generating public/private %s key pair.\n", printf("Generating public/private %s key pair.\n",
key_type_name); key_type_name);
if (type == KEY_ECDSA_SK) { if (type == KEY_ECDSA_SK) {
#ifndef ENABLE_SK
fatal("Security key support was disabled at compile time");
#else /* ENABLE_SK */
if (sshsk_enroll(sk_provider, if (sshsk_enroll(sk_provider,
cert_key_id == NULL ? "ssh:" : cert_key_id, cert_key_id == NULL ? "ssh:" : cert_key_id,
sk_flags, NULL, &private, NULL) != 0) sk_flags, NULL, &private, NULL) != 0)
exit(1); /* error message already printed */ exit(1); /* error message already printed */
#endif /* ENABLE_SK */
} else if ((r = sshkey_generate(type, bits, &private)) != 0) } else if ((r = sshkey_generate(type, bits, &private)) != 0)
fatal("sshkey_generate failed"); fatal("sshkey_generate failed");
if ((r = sshkey_from_private(private, &public)) != 0) if ((r = sshkey_from_private(private, &public)) != 0)

11
ssh-sk-helper.c
View File

@ -51,6 +51,7 @@
#include "ssherr.h" #include "ssherr.h"
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef ENABLE_SK
extern char *__progname; extern char *__progname;
int int
@ -141,3 +142,13 @@ main(int argc, char **argv)
return (0); return (0);
} }
#else /* ENABLE_SK */
#include <stdio.h>
int
main(int argc, char **argv)
{
fprintf(stderr, "ssh-sk-helper: disabled at compile time\n");
return -1;
}
#endif /* ENABLE_SK */

3
ssh-sk.c
View File

@ -19,6 +19,8 @@
#include "includes.h" #include "includes.h"
#ifdef ENABLE_SK
#include <dlfcn.h> #include <dlfcn.h>
#include <stddef.h> #include <stddef.h>
#include <stdint.h> #include <stdint.h>
@ -375,3 +377,4 @@ sshsk_ecdsa_sign(const char *provider_path, const struct sshkey *key,
sshbuf_free(inner_sig); sshbuf_free(inner_sig);
return r; return r;
} }
#endif /* ENABLE_SK */