upstream: directly support U2F/FIDO2 security keys in OpenSSH by

linking against the (previously external) USB HID middleware. The dlopen() capability still exists for alternate middlewares, e.g. for Bluetooth, NFC and test/debugging. OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
author: djm@openbsd.org <djm@openbsd.org> 2019-11-14 21:27:29 +0000
committer: Damien Miller <djm@mindrot.org> 2019-11-15 09:57:30 +1100
commit: 6bff9521ab9a9f7396d635755c342b72373bb4f9 (patch)
tree: c434974d93c1b918b1a0ae045f421d247f75f391 /ssh-sk.c
parent: 4f5e331cb8e11face3025aa6578662dde489c3ad (diff)
1 files changed, 20 insertions, 1 deletions
diff --git a/ssh-sk.c b/ssh-sk.c
index 754577d9d..591c643d4 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.11 2019/11/13 20:25:45 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.12 2019/11/14 21:27:30 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -60,6 +60,15 @@ struct sshsk_provider {
            uint8_t flags, struct sk_sign_response **sign_response);
 };
+/* Built-in version */
+int ssh_sk_enroll(int alg, const uint8_t *challenge,
+    size_t challenge_len, const char *application, uint8_t flags,
+    struct sk_enroll_response **enroll_response);
+int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len,
+    const char *application,
+    const uint8_t *key_handle, size_t key_handle_len,
+    uint8_t flags, struct sk_sign_response **sign_response);
 static void
 sshsk_free(struct sshsk_provider *p)
 {
@@ -85,6 +94,16 @@ sshsk_open(const char *path)
                error("%s: strdup failed", __func__);
                goto fail;
        }
+        /* Skip the rest if we're using the linked in middleware */
+        if (strcasecmp(ret->path, "internal") == 0) {
+#ifdef ENABLE_SK_INTERNAL
+                ret->sk_enroll = ssh_sk_enroll;
+                ret->sk_sign = ssh_sk_sign;
+#else
+                error("internal security key support not enabled");
+#endif
+                return ret;
+        }
        if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
                error("Security key provider %s dlopen failed: %s",
                    path, dlerror());
author	djm@openbsd.org <djm@openbsd.org>	2019-11-14 21:27:29 +0000
committer	Damien Miller <djm@mindrot.org>	2019-11-15 09:57:30 +1100
commit	6bff9521ab9a9f7396d635755c342b72373bb4f9 (patch)
tree	c434974d93c1b918b1a0ae045f421d247f75f391 /ssh-sk.c
parent	4f5e331cb8e11face3025aa6578662dde489c3ad (diff)

diff --git a/ssh-sk.c b/ssh-sk.c index 754577d9d..591c643d4 100644 --- a/ssh-sk.c +++ b/ssh-sk.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssh-sk.c,v 1.11 2019/11/13 20:25:45 markus Exp $ */	1	/* $OpenBSD: ssh-sk.c,v 1.12 2019/11/14 21:27:30 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2019 Google LLC	3	* Copyright (c) 2019 Google LLC
4	*	4	*
@@ -60,6 +60,15 @@ struct sshsk_provider {
60	uint8_t flags, struct sk_sign_response **sign_response);	60	uint8_t flags, struct sk_sign_response **sign_response);
61	};	61	};
62		62
		63	/* Built-in version */
		64	int ssh_sk_enroll(int alg, const uint8_t *challenge,
		65	size_t challenge_len, const char *application, uint8_t flags,
		66	struct sk_enroll_response **enroll_response);
		67	int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len,
		68	const char *application,
		69	const uint8_t *key_handle, size_t key_handle_len,
		70	uint8_t flags, struct sk_sign_response **sign_response);
		71
63	static void	72	static void
64	sshsk_free(struct sshsk_provider *p)	73	sshsk_free(struct sshsk_provider *p)
65	{	74	{
@@ -85,6 +94,16 @@ sshsk_open(const char *path)
85	error("%s: strdup failed", __func__);	94	error("%s: strdup failed", __func__);
86	goto fail;	95	goto fail;
87	}	96	}
		97	/* Skip the rest if we're using the linked in middleware */
		98	if (strcasecmp(ret->path, "internal") == 0) {
		99	#ifdef ENABLE_SK_INTERNAL
		100	ret->sk_enroll = ssh_sk_enroll;
		101	ret->sk_sign = ssh_sk_sign;
		102	#else
		103	error("internal security key support not enabled");
		104	#endif
		105	return ret;
		106	}
88	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {	107	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
89	error("Security key provider %s dlopen failed: %s",	108	error("Security key provider %s dlopen failed: %s",
90	path, dlerror());	109	path, dlerror());