| author | 2019-12-13 19:09:10 +0000 | |
|---|---|---|
| committer | 2019-12-13 19:09:10 +0000 | |
| commit | 4852100a8107fd6df1ba08ea17696d3c031d25a2 (patch) | |
| tree | cc7e417615db584e67c9b8e6fa35a2269ffac8c1 | |
| parent | occuring -> occurring (diff) | |
| download | wireguard-openbsd-4852100a8107fd6df1ba08ea17696d3c031d25a2.tar.xz wireguard-openbsd-4852100a8107fd6df1ba08ea17696d3c031d25a2.zip | |
use ssh-sk-helper for all security key signing operations
This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*
requested by, feedback and ok markus@
| -rw-r--r-- | usr.bin/ssh/Makefile.inc | 9 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-add/Makefile | 6 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-agent.c | 160 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-agent/Makefile | 8 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-keygen/Makefile | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-keyscan/Makefile | 7 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-keysign/Makefile | 9 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-pkcs11-helper/Makefile | 7 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-sk-helper/Makefile | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-sk.c | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh-sk.h | 7 | ||||
| -rw-r--r-- | usr.bin/ssh/ssh/Makefile | 10 | ||||
| -rw-r--r-- | usr.bin/ssh/sshd/Makefile | 10 | ||||
| -rw-r--r-- | usr.bin/ssh/sshkey.c | 13 | ||||
| -rw-r--r-- | usr.bin/ssh/sshkey.h | 5 |
15 files changed, 63 insertions, 200 deletions
diff --git a/usr.bin/ssh/Makefile.inc b/usr.bin/ssh/Makefile.inc
index 7c8e4fe7b27..63877868418 100644
--- a/usr.bin/ssh/Makefile.inc
+++ b/usr.bin/ssh/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.79 2019/11/18 16:08:57 naddy Exp $
+# $OpenBSD: Makefile.inc,v 1.80 2019/12/13 19:09:10 djm Exp $
 .include <bsd.own.mk>
@@ -71,8 +71,6 @@ SRCS_KEY+= cipher.c
 SRCS_KEY+= cipher-chachapoly.c
 SRCS_KEY+= chacha.c
 SRCS_KEY+= poly1305.c
-SRCS_KEY+= ssh-sk.c
-SRCS_KEY+= sk-usbhid.c
 .if (${OPENSSL:L} == "yes")
 SRCS_KEY+= ssh-dss.c
 SRCS_KEY+= ssh-ecdsa.c
@@ -127,6 +125,11 @@ SRCS_PKCS11_CLIENT+=
 SRCS_MODULI+=
 .endif
+SRCS_SK= ssh-sk.c
+SRCS_SK+= sk-usbhid.c
+SRCS_SK_CLIENT= ssh-sk-client.c
+SRCS_SK_CLIENT+= msg.c
 WITH_XMSS?= no
 .if (${WITH_XMSS:L} == "yes")
 CFLAGS+= -DWITH_XMSS
diff --git a/usr.bin/ssh/ssh-add/Makefile b/usr.bin/ssh/ssh-add/Makefile
index 2899d41ac4a..4b10a2e8be0 100644
--- a/usr.bin/ssh/ssh-add/Makefile
+++ b/usr.bin/ssh/ssh-add/Makefile
@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.28 2019/11/14 21:27:30 djm Exp $
+# $OpenBSD: Makefile,v 1.29 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-add.c
 SRCS+= atomicio.c authfd.c cleanup.c fatal.c readpass.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
+SRCS+= ${SRCS_SK_CLIENT}
 PROG= ssh-add
@@ -14,6 +15,3 @@ BINDIR= /usr/bin
 LDADD+= -lcrypto -lutil
 DPADD+= ${LIBCRYPTO} ${LIBUTIL}
-
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c
index 9263f39fe5c..f9a2908a82a 100644
--- a/usr.bin/ssh/ssh-agent.c
+++ b/usr.bin/ssh/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.250 2019/11/19 16:02:32 jmc Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.251 2019/12/13 19:09:10 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -76,7 +76,7 @@
 #include "ssherr.h"
 #include "pathnames.h"
 #include "ssh-pkcs11.h"
-#include "ssh-sk.h"
+#include "sk-api.h"
 #ifndef DEFAULT_PROVIDER_WHITELIST
 # define DEFAULT_PROVIDER_WHITELIST "/usr/lib*/*,/usr/local/lib*/*"
@@ -268,130 +268,6 @@ agent_decode_alg(struct sshkey *key, u_int flags)
 return NULL;
 }
-static int
-provider_sign(const char *provider, struct sshkey *key,
- u_char **sigp, size_t *lenp,
- const u_char *data, size_t datalen,
- const char *alg, u_int compat)
-{
- int status, pair[2], r = SSH_ERR_INTERNAL_ERROR;
- pid_t pid;
- char *helper, *verbosity = NULL, *fp = NULL;
- struct sshbuf *kbuf, *req, *resp;
- u_char version;
- struct notifier_ctx *notifier = NULL;
-
- debug3("%s: start for provider %s", __func__, provider);
-
- *sigp = NULL;
- *lenp = 0;
-
- helper = getenv("SSH_SK_HELPER");
- if (helper == NULL || strlen(helper) == 0)
- helper = _PATH_SSH_SK_HELPER;
- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1)
- verbosity = "-vvv";
-
- /* Start helper */
- if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
- error("socketpair: %s", strerror(errno));
- return SSH_ERR_SYSTEM_ERROR;
- }
- if ((pid = fork()) == -1) {
- error("fork: %s", strerror(errno));
- close(pair[0]);
- close(pair[1]);
- return SSH_ERR_SYSTEM_ERROR;
- }
- if (pid == 0) {
- if ((dup2(pair[1], STDIN_FILENO) == -1) ||
- (dup2(pair[1], STDOUT_FILENO) == -1))
- fatal("%s: dup2: %s", __func__, ssh_err(r));
- close(pair[0]);
- close(pair[1]);
- closefrom(STDERR_FILENO + 1);
- debug("%s: starting %s %s", __func__, helper,
- verbosity == NULL ? "" : verbosity);
- execlp(helper, helper, verbosity, (char *)NULL);
- fatal("%s: execlp: %s", __func__, strerror(errno));
- }
- close(pair[1]);
-
- if ((kbuf = sshbuf_new()) == NULL ||
- (req = sshbuf_new()) == NULL ||
- (resp = sshbuf_new()) == NULL)
- fatal("%s: sshbuf_new failed", __func__);
-
- if ((r = sshkey_private_serialize(key, kbuf)) != 0 ||
- (r = sshbuf_put_stringb(req, kbuf)) != 0 ||
- (r = sshbuf_put_cstring(req, provider)) != 0 ||
- (r = sshbuf_put_string(req, data, datalen)) != 0 ||
- (r = sshbuf_put_u32(req, compat)) != 0)
- fatal("%s: compose: %s", __func__, ssh_err(r));
-
- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
- SSH_FP_DEFAULT)) == NULL)
- fatal("%s: sshkey_fingerprint failed", __func__);
- notifier = notify_start(0,
- "Confirm user presence for key %s %s", sshkey_type(key), fp);
-
- if ((r = ssh_msg_send(pair[0], SSH_SK_HELPER_VERSION, req)) != 0) {
- error("%s: send: %s", __func__, ssh_err(r));
- goto out;
- }
- if ((r = ssh_msg_recv(pair[0], resp)) != 0) {
- error("%s: receive: %s", __func__, ssh_err(r));
- goto out;
- }
- if ((r = sshbuf_get_u8(resp, &version)) != 0) {
- error("%s: parse version: %s", __func__, ssh_err(r));
- goto out;
- }
- if (version != SSH_SK_HELPER_VERSION) {
- error("%s: unsupported version: got %u, expected %u",
- __func__, version, SSH_SK_HELPER_VERSION);
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if ((r = sshbuf_get_string(resp, sigp, lenp)) != 0) {
- error("%s: parse signature: %s", __func__, ssh_err(r));
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- if (sshbuf_len(resp) != 0) {
- error("%s: trailing data in response", __func__);
- r = SSH_ERR_INVALID_FORMAT;
- goto out;
- }
- /* success */
- r = 0;
- out:
- while (waitpid(pid, &status, 0) == -1) {
- if (errno != EINTR)
- fatal("%s: waitpid: %s", __func__, ssh_err(r));
- }
- notify_complete(notifier);
- if (!WIFEXITED(status)) {
- error("%s: helper %s exited abnormally", __func__, helper);
- if (r == 0)
- r = SSH_ERR_SYSTEM_ERROR;
- } else if (WEXITSTATUS(status) != 0) {
- error("%s: helper %s exited with non-zero exit status",
- __func__, helper);
- if (r == 0)
- r = SSH_ERR_SYSTEM_ERROR;
- }
- if (r != 0) {
- freezero(*sigp, *lenp);
- *sigp = NULL;
- *lenp = 0;
- }
- sshbuf_free(kbuf);
- sshbuf_free(req);
- sshbuf_free(resp);
- return r;
-}
-
 /* ssh2 only */
 static void
 process_sign_request2(SocketEntry *e)
@@ -401,9 +277,11 @@ process_sign_request2(SocketEntry *e)
 size_t dlen, slen = 0;
 u_int compat = 0, flags;
 int r, ok = -1;
+ char *fp = NULL;
 struct sshbuf *msg;
 struct sshkey *key = NULL;
 struct identity *id;
+ struct notifier_ctx *notifier = NULL;
 if ((msg = sshbuf_new()) == NULL)
 fatal("%s: sshbuf_new failed", __func__);
@@ -422,25 +300,27 @@ process_sign_request2(SocketEntry *e)
 verbose("%s: user refused key", __func__);
 goto send;
 }
- if (id->sk_provider != NULL) {
- if ((r = provider_sign(id->sk_provider, id->key, &signature,
- &slen, data, dlen, agent_decode_alg(key, flags),
- compat)) != 0) {
- error("%s: sign: %s", __func__, ssh_err(r));
- goto send;
- }
- } else {
- if ((r = sshkey_sign(id->key, &signature, &slen,
- data, dlen, agent_decode_alg(key, flags),
- NULL, compat)) != 0) {
- error("%s: sshkey_sign: %s", __func__, ssh_err(r));
- goto send;
- }
+ if (sshkey_is_sk(id->key) &&
+ (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
+ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal("%s: fingerprint failed", __func__);
+ notifier = notify_start(0,
+ "Confirm user presence for key %s %s",
+ sshkey_type(id->key), fp);
+ }
+ if ((r = sshkey_sign(id->key, &signature, &slen,
+ data, dlen, agent_decode_alg(key, flags),
+ id->sk_provider, compat)) != 0) {
+ error("%s: sshkey_sign: %s", __func__, ssh_err(r));
+ goto send;
 }
 /* Success */
 ok = 0;
 send:
+ notify_complete(notifier);
 sshkey_free(key);
+ free(fp);
 if (ok == 0) {
 if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 ||
 (r = sshbuf_put_string(msg, signature, slen)) != 0)
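Review bot: In the new user-presence branch of process_sign_request2 the fingerprint is computed from `key` (the public key parsed out of the request) while the type string printed beside it comes from `id->key`; presumably both name the same identity once the lookup has matched, so the output is identical, but the mix reads as if two different keys were involved. Using the identity consistently, `if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,`, also matches the removed provider_sign, which fingerprinted the key it was asked to sign. process_sign_request2 begins and ends outside this hunk, so the lookup that binds id to key is not visible here.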
diff --git a/usr.bin/ssh/ssh-agent/Makefile b/usr.bin/ssh/ssh-agent/Makefile
index 7317a79b211..0103b7a01fd 100644
--- a/usr.bin/ssh/ssh-agent/Makefile
+++ b/usr.bin/ssh/ssh-agent/Makefile
@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.35 2019/11/14 21:27:30 djm Exp $
+# $OpenBSD: Makefile,v 1.36 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-agent.c ${SRCS_PKCS11_CLIENT}
-SRCS+= atomicio.c compat.c fatal.c readpass.c msg.c
+SRCS+= atomicio.c compat.c fatal.c readpass.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL}
+SRCS+= ${SRCS_SK_CLIENT}
 PROG= ssh-agent
 BINOWN= root
@@ -17,6 +18,3 @@ BINDIR= /usr/bin
 LDADD+= -lcrypto -lutil
 DPADD+= ${LIBCRYPTO} ${LIBUTIL}
-
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
diff --git a/usr.bin/ssh/ssh-keygen/Makefile b/usr.bin/ssh/ssh-keygen/Makefile
index 7bf2cd3d132..0a63651e260 100644
--- a/usr.bin/ssh/ssh-keygen/Makefile
+++ b/usr.bin/ssh/ssh-keygen/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.35 2019/11/14 21:27:30 djm Exp $
+# $OpenBSD: Makefile,v 1.36 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
@@ -6,7 +6,7 @@ SRCS= ssh-keygen.c ${SRCS_MODULI}
 SRCS+= atomicio.c authfd.c cleanup.c dns.c fatal.c hmac.c hostfile.c \
 readpass.c utf8.c sshsig.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_UTL} \
- ${SRCS_PKCS11}
+ ${SRCS_PKCS11} ${SRCS_SK}
 PROG= ssh-keygen
diff --git a/usr.bin/ssh/ssh-keyscan/Makefile b/usr.bin/ssh/ssh-keyscan/Makefile
index 9550b3da819..db192787b2d 100644
--- a/usr.bin/ssh/ssh-keyscan/Makefile
+++ b/usr.bin/ssh/ssh-keyscan/Makefile
@@ -1,20 +1,17 @@
-# $OpenBSD: Makefile,v 1.14 2019/11/14 21:27:30 djm Exp $
+# $OpenBSD: Makefile,v 1.15 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-keyscan.c
 SRCS+= atomicio.c cleanup.c compat.c hostfile.c ssh_api.c dns.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXC} ${SRCS_KEXS} ${SRCS_KEY} \
- ${SRCS_PKT} ${SRCS_UTL}
+ ${SRCS_PKT} ${SRCS_UTL} ${SRCS_SK_CLIENT}
 PROG= ssh-keyscan
 BINDIR= /usr/bin
 .include <bsd.prog.mk>
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
-
 LDADD+= -lcrypto -lz -lutil
 DPADD+= ${LIBCRYPTO} ${LIBZ} ${LIBUTIL}
diff --git a/usr.bin/ssh/ssh-keysign/Makefile b/usr.bin/ssh/ssh-keysign/Makefile
index 15460055ff0..e3eaa153a73 100644
--- a/usr.bin/ssh/ssh-keysign/Makefile
+++ b/usr.bin/ssh/ssh-keysign/Makefile
@@ -1,12 +1,12 @@
-# $OpenBSD: Makefile,v 1.17 2019/11/14 21:27:31 djm Exp $
+# $OpenBSD: Makefile,v 1.18 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-keysign.c readconf.c compat.c
-SRCS+= atomicio.c cleanup.c fatal.c msg.c
+SRCS+= atomicio.c cleanup.c fatal.c
 SRCS+= uidswap.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEY} ${SRCS_KEYP} ${SRCS_KRL} ${SRCS_PKT} \
- ${SRCS_UTL}
+ ${SRCS_UTL} ${SRCS_SK_CLIENT}
 PROG= ssh-keysign
 BINOWN= root
 BINMODE=4555
@@ -16,8 +16,5 @@ MAN= ssh-keysign.8
 .include <bsd.prog.mk>
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
-
 LDADD+= -lcrypto -lutil -lz
 DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
diff --git a/usr.bin/ssh/ssh-pkcs11-helper/Makefile b/usr.bin/ssh/ssh-pkcs11-helper/Makefile
index c625766642f..267e1febaaa 100644
--- a/usr.bin/ssh/ssh-pkcs11-helper/Makefile
+++ b/usr.bin/ssh/ssh-pkcs11-helper/Makefile
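Review bot: ssh-keysign is installed setuid (`BINMODE=4555` two lines above the change) and now links `${SRCS_SK_CLIENT}`; the provider_sign code this commit removes from ssh-agent.c chose the helper via `getenv("SSH_SK_HELPER")` before falling back to _PATH_SSH_SK_HELPER, and if ssh-sk-client.c (not in this diff) carries that lookup over, a setuid program would exec a path supplied by its caller's environment. The usual guard is to honour the override only when `!issetugid()`, or to state in ssh-sk-client.c that setuid callers never reach the helper because the keys they sign with are never security keys. Whichever holds, the reason ssh-keysign is safe with this source list deserves a comment next to the `${SRCS_UTL} ${SRCS_SK_CLIENT}` line or in the client itself.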
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.10 2019/11/14 21:27:31 djm Exp $
+# $OpenBSD: Makefile,v 1.11 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-pkcs11-helper.c ${SRCS_PKCS11}
 SRCS+= atomicio.c compat.c fatal.c readpass.c
-SRCS+= ${SRCS_KEY} ${SRCS_UTL} ${SRCS_BASE}
+SRCS+= ${SRCS_KEY} ${SRCS_UTL} ${SRCS_BASE} ${SRCS_SK_CLIENT}
 PROG= ssh-pkcs11-helper
@@ -13,8 +13,5 @@ MAN= ssh-pkcs11-helper.8
 .include <bsd.prog.mk>
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
-
 LDADD+= -lcrypto -lutil
 DPADD+= ${LIBCRYPTO} ${LIBUTIL}
diff --git a/usr.bin/ssh/ssh-sk-helper/Makefile b/usr.bin/ssh/ssh-sk-helper/Makefile
index 300f743fb56..b5d74134a88 100644
--- a/usr.bin/ssh/ssh-sk-helper/Makefile
+++ b/usr.bin/ssh/ssh-sk-helper/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.4 2019/11/14 21:27:31 djm Exp $
+# $OpenBSD: Makefile,v 1.5 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh-sk-helper.c
 SRCS+= atomicio.c fatal.c cleanup.c msg.c
-SRCS+= ${SRCS_KEY} ${SRCS_UTL} ${SRCS_BASE}
+SRCS+= ${SRCS_KEY} ${SRCS_UTL} ${SRCS_BASE} ${SRCS_SK}
 PROG= ssh-sk-helper
diff --git a/usr.bin/ssh/ssh-sk.c b/usr.bin/ssh/ssh-sk.c
index 861a3151bca..d5903216b2e 100644
--- a/usr.bin/ssh/ssh-sk.c
+++ b/usr.bin/ssh/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.17 2019/11/27 22:32:11 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.18 2019/12/13 19:09:10 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -456,7 +456,7 @@ sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig)
 }
 int
-sshsk_sign(const char *provider_path, const struct sshkey *key,
+sshsk_sign(const char *provider_path, struct sshkey *key,
 u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
 u_int compat)
 {
diff --git a/usr.bin/ssh/ssh-sk.h b/usr.bin/ssh/ssh-sk.h
index bb593160a0b..4d667884ec2 100644
--- a/usr.bin/ssh/ssh-sk.h
+++ b/usr.bin/ssh/ssh-sk.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.h,v 1.5 2019/11/12 19:31:45 markus Exp $ */
+/* $OpenBSD: ssh-sk.h,v 1.6 2019/12/13 19:09:10 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -21,9 +21,6 @@
 struct sshbuf;
 struct sshkey;
-/* Version of protocol between ssh-agent and ssh-sk-helper */
-#define SSH_SK_HELPER_VERSION 1
-
 /*
  * Enroll (generate) a new security-key hosted private key of given type
  * via the specified provider middleware.
@@ -44,7 +41,7 @@ int sshsk_enroll(int type, const char *provider_path, const char *application,
 *
 * Returns 0 on success or a ssherr.h error code on failure.
 */
-int sshsk_sign(const char *provider_path, const struct sshkey *key,
+int sshsk_sign(const char *provider_path, struct sshkey *key,
 u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
 u_int compat);
diff --git a/usr.bin/ssh/ssh/Makefile b/usr.bin/ssh/ssh/Makefile
index 71de598a528..218c6bc4cc3 100644
--- a/usr.bin/ssh/ssh/Makefile
+++ b/usr.bin/ssh/ssh/Makefile
@@ -1,12 +1,13 @@
-# $OpenBSD: Makefile,v 1.78 2019/11/14 21:27:30 djm Exp $
+# $OpenBSD: Makefile,v 1.79 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
 SRCS= ssh.c readconf.c clientloop.c sshtty.c sshconnect.c sshconnect2.c mux.c
 SRCS+= atomicio.c authfd.c compat.c dns.c fatal.c \
- hostfile.c msg.c readpass.c utf8.c
+ hostfile.c readpass.c utf8.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXC} ${SRCS_KEY} ${SRCS_KEYP} \
- ${SRCS_KRL} ${SRCS_PROT} ${SRCS_PKT} ${SRCS_UTL} ${SRCS_PKCS11}
+ ${SRCS_KRL} ${SRCS_PROT} ${SRCS_PKT} ${SRCS_UTL} ${SRCS_PKCS11} \
+ ${SRCS_SK_CLIENT}
 PROG= ssh
@@ -34,8 +35,5 @@ LDADD+= -lcrypto
 DPADD+= ${LIBCRYPTO}
 .endif
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
-
 LDADD+= -lutil -lz
 DPADD+= ${LIBUTIL} ${LIBZ}
diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile
index f38e860fd98..d8336250ee7 100644
--- a/usr.bin/ssh/sshd/Makefile
+++ b/usr.bin/ssh/sshd/Makefile
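Review bot: `sshsk_sign` loses the `const` on its `key` parameter here and at the definition in ssh-sk.c, but the comment block above the prototype is unchanged and gives no reason, so a caller holding a `const struct sshkey *` sees an API break with no explanation. The provider_sign code removed from ssh-agent.c handed the key to `sshkey_private_serialize(key, kbuf)`, which the new client presumably does as well and which takes a non-const key; if that is the reason, record it in the header, e.g. ` * 'key' is not const because the helper client serialises it with sshkey_private_serialize().`, so a later cleanup does not reintroduce the qualifier. The comment block this would extend begins before the hunk.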
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.101 2019/11/14 21:27:31 djm Exp $
+# $OpenBSD: Makefile,v 1.102 2019/12/13 19:09:10 djm Exp $
 .PATH: ${.CURDIR}/..
@@ -8,9 +8,10 @@ SRCS= sshd.c auth-rhosts.c auth-passwd.c sshpty.c sshlogin.c servconf.c \
 auth2-none.c auth2-passwd.c auth2-pubkey.c monitor.c monitor_wrap.c \
 sftp-server.c sftp-common.c sftp-realpath.c sandbox-pledge.c
 SRCS+= atomicio.c authfd.c compat.c dns.c fatal.c \
- hostfile.c msg.c readpass.c utf8.c uidswap.c
+ hostfile.c readpass.c utf8.c uidswap.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXS} ${SRCS_KEY} ${SRCS_KEYP} \
- ${SRCS_KRL} ${SRCS_PROT} ${SRCS_PKT} ${SRCS_UTL} ${SRCS_PKCS11}
+ ${SRCS_KRL} ${SRCS_PROT} ${SRCS_PKT} ${SRCS_UTL} ${SRCS_PKCS11} \
+ ${SRCS_SK_CLIENT}
 PROG= sshd
 BINDIR= /usr/sbin
@@ -38,8 +39,5 @@ LDADD+= -lcrypto
 DPADD+= ${LIBCRYPTO}
 .endif
-LDADD+= -lfido2 -lcbor -lusbhid
-DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
-
 LDADD+= -lutil -lz
 DPADD+= ${LIBUTIL} ${LIBZ}
diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c
index 3e4f1e87c20..69238a9e18c 100644
--- a/usr.bin/ssh/sshkey.c
+++ b/usr.bin/ssh/sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.96 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.97 2019/12/13 19:09:10 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -2704,11 +2704,6 @@ sshkey_sign(struct sshkey *key,
 case KEY_ECDSA:
 r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
 break;
- case KEY_ECDSA_SK_CERT:
- case KEY_ECDSA_SK:
- r = sshsk_sign(sk_provider, key, sigp, lenp, data, datalen,
- compat);
- break;
 case KEY_RSA_CERT:
 case KEY_RSA:
 r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
@@ -2720,8 +2715,10 @@ sshkey_sign(struct sshkey *key,
 break;
 case KEY_ED25519_SK:
 case KEY_ED25519_SK_CERT:
- r = sshsk_sign(sk_provider, key, sigp, lenp, data, datalen,
- compat);
+ case KEY_ECDSA_SK_CERT:
+ case KEY_ECDSA_SK:
+ r = sshsk_sign(sk_provider, key, sigp, lenp, data,
+ datalen, compat);
 break;
 #ifdef WITH_XMSS
 case KEY_XMSS:
diff --git a/usr.bin/ssh/sshkey.h b/usr.bin/ssh/sshkey.h
index b6d3b6769c7..b07cf159f9f 100644
--- a/usr.bin/ssh/sshkey.h
+++ b/usr.bin/ssh/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.40 2019/11/25 00:51:37 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.41 2019/12/13 19:09:10 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -45,6 +45,9 @@
 #define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
 #define SSH_KEY_MAX_SIGN_DATA_SIZE (1 << 20)
+/* Version of protocol expected from ssh-sk-helper */
+#define SSH_SK_HELPER_VERSION 1
+
 struct sshbuf;
 /* Key types */
