author | djm@openbsd.org <djm@openbsd.org> | 2019-11-14 21:27:29 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2019-11-15 09:57:30 +1100 |
commit | 6bff9521ab9a9f7396d635755c342b72373bb4f9 (patch) | |
tree | c434974d93c1b918b1a0ae045f421d247f75f391 /ssh-sk.c | |
parent | 4f5e331cb8e11face3025aa6578662dde489c3ad (diff) |
upstream: directly support U2F/FIDO2 security keys in OpenSSH by
linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.
OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
Diffstat (limited to 'ssh-sk.c')
-rw-r--r-- | ssh-sk.c | 21 |
1 files changed, 20 insertions, 1 deletions
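--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.11 2019/11/13 20:25:45 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.12 2019/11/14 21:27:30 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -60,6 +60,15 @@ struct sshsk_provider {
 uint8_t flags, struct sk_sign_response **sign_response);
 };
 
+/* Built-in version */
+int ssh_sk_enroll(int alg, const uint8_t *challenge,
+size_t challenge_len, const char *application, uint8_t flags,
+struct sk_enroll_response **enroll_response);
+int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len,
+const char *application,
+const uint8_t *key_handle, size_t key_handle_len,
+uint8_t flags, struct sk_sign_response **sign_response);
+
 static void
 sshsk_free(struct sshsk_provider *p)
 {
@@ -85,6 +94,16 @@ sshsk_open(const char *path)
 error("%s: strdup failed", __func__);
 goto fail;
 }
+/* Skip the rest if we're using the linked in middleware */
+if (strcasecmp(ret->path, "internal") == 0) {
+#ifdef ENABLE_SK_INTERNAL
+ret->sk_enroll = ssh_sk_enroll;
+ret->sk_sign = ssh_sk_sign;
+#else
+error("internal security key support not enabled");
+#endif
+return ret;
+}
 if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
 error("Security key provider %s dlopen failed: %s",
 path, dlerror());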
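Review bot: In the new `internal` block of sshsk_open, the `#else` branch (build without ENABLE_SK_INTERNAL) logs an error but still falls through to `return ret;`, handing the caller a provider whose `sk_enroll`/`sk_sign` members were never assigned, since the dlopen path that would fill them is skipped. The function already has a `fail` label used two lines earlier for the strdup error, so the branch should read `error("internal security key support not enabled"); goto fail;` so the half-initialised struct is released and the open reports failure instead of succeeding. Whether every caller null-checks those function pointers before calling through them is not visible here, so the crash consequence is an inference, but returning a provider that cannot enroll or sign is wrong either way. Note also that the match is `strcasecmp`, so `Internal` and `INTERNAL` select the built-in backend too; if that is intended, a one-line comment to that effect would spare the next reader the check. sshsk_open both begins and ends outside this hunk.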