-rw-r--r-- | sk-usbhid.c | 12 | ||||
-rw-r--r-- | ssh-sk.c | 16 |
2 files changed, 27 insertions, 1 deletions
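--- a/sk-usbhid.c
+++ b/sk-usbhid.c
@@ -25,11 +25,13 @@
 #include <stddef.h>
 #include <stdarg.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
+#endif /* WITH_OPENSSL */
 
 #include <fido.h>
 
@@ -271,6 +273,7 @@ find_device(const uint8_t *message, size_t message_len, const char *application,
 return dev;
 }
 
+#ifdef WITH_OPENSSL
 /*
 * The key returned via fido_cred_pubkey_ptr() is in affine coordinates,
 * but the API expects a SEC1 octet string.
@@ -343,6 +346,7 @@ pack_public_key_ecdsa(fido_cred_t *cred, struct sk_enroll_response *response)
 BN_clear_free(y);
 return ret;
 }
+#endif /* WITH_OPENSSL */
 
 static int
 pack_public_key_ed25519(fido_cred_t *cred, struct sk_enroll_response *response)
@@ -379,8 +383,10 @@ static int
 pack_public_key(int alg, fido_cred_t *cred, struct sk_enroll_response *response)
 {
 switch(alg) {
+#ifdef WITH_OPENSSL
 case SK_ECDSA:
 return pack_public_key_ecdsa(cred, response);
+#endif /* WITH_OPENSSL */
 case SK_ED25519:
 return pack_public_key_ed25519(cred, response);
 default:
@@ -414,9 +420,11 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 }
 *enroll_response = NULL;
 switch(alg) {
+#ifdef WITH_OPENSSL
 case SK_ECDSA:
 cose_alg = COSE_ES256;
 break;
+#endif /* WITH_OPENSSL */
 case SK_ED25519:
 cose_alg = COSE_EDDSA;
 break;
@@ -536,6 +544,7 @@ sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
 return ret;
 }
 
+#ifdef WITH_OPENSSL
 static int
 pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
 {
@@ -572,6 +581,7 @@ pack_sig_ecdsa(fido_assert_t *assert, struct sk_sign_response *response)
 }
 return ret;
 }
+#endif /* WITH_OPENSSL */
 
 static int
 pack_sig_ed25519(fido_assert_t *assert, struct sk_sign_response *response)
@@ -605,8 +615,10 @@ static int
 pack_sig(int alg, fido_assert_t *assert, struct sk_sign_response *response)
 {
 switch(alg) {
+#ifdef WITH_OPENSSL
 case SK_ECDSA:
 return pack_sig_ecdsa(assert, response);
+#endif /* WITH_OPENSSL */
 case SK_ED25519:
 return pack_sig_ed25519(assert, response);
 default: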
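Review bot: In a build without WITH_OPENSSL an SK_ECDSA request now reaches the `default:` label of pack_public_key, pack_sig and sk_enroll, so a caller asking for an ecdsa-sk key is reported exactly like an unknown algorithm; each of those `default:` branches lies outside its hunk, so I cannot tell whether the message distinguishes the two. A comment at the guard would make the intent visible to the next reader, e.g. above `default:` in each switch: `/* SK_ECDSA lands here when built without OpenSSL */`. If the default branch's error text does not already say that ECDSA support was compiled out, consider having it do so, since an otherwise-valid key type silently failing is hard to diagnose from a user report. The ssh-sk.c hunks for sshsk_enroll and sshsk_sign guard KEY_ECDSA_SK the same way and would benefit from the same comment. The bodies of pack_public_key, sk_enroll and pack_sig continue past the end of their hunks.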
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-sk.c,v 1.14 2019/11/16 23:17:20 djm Exp $ */ | 1 | /* $OpenBSD: ssh-sk.c,v 1.15 2019/11/18 16:08:57 naddy Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2019 Google LLC | 3 | * Copyright (c) 2019 Google LLC |
4 | * | 4 | * |
@@ -27,8 +27,10 @@ | |||
27 | #include <string.h> | 27 | #include <string.h> |
28 | #include <stdio.h> | 28 | #include <stdio.h> |
29 | 29 | ||
30 | #ifdef WITH_OPENSSL | ||
30 | #include <openssl/objects.h> | 31 | #include <openssl/objects.h> |
31 | #include <openssl/ec.h> | 32 | #include <openssl/ec.h> |
33 | #endif /* WITH_OPENSSL */ | ||
32 | 34 | ||
33 | #include "log.h" | 35 | #include "log.h" |
34 | #include "misc.h" | 36 | #include "misc.h" |
@@ -163,6 +165,7 @@ sshsk_free_sign_response(struct sk_sign_response *r) | |||
163 | freezero(r, sizeof(*r)); | 165 | freezero(r, sizeof(*r)); |
164 | }; | 166 | }; |
165 | 167 | ||
168 | #ifdef WITH_OPENSSL | ||
166 | /* Assemble key from response */ | 169 | /* Assemble key from response */ |
167 | static int | 170 | static int |
168 | sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) | 171 | sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) |
@@ -217,6 +220,7 @@ sshsk_ecdsa_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) | |||
217 | sshbuf_free(b); | 220 | sshbuf_free(b); |
218 | return r; | 221 | return r; |
219 | } | 222 | } |
223 | #endif /* WITH_OPENSSL */ | ||
220 | 224 | ||
221 | static int | 225 | static int |
222 | sshsk_ed25519_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) | 226 | sshsk_ed25519_assemble(struct sk_enroll_response *resp, struct sshkey **keyp) |
@@ -272,9 +276,11 @@ sshsk_enroll(int type, const char *provider_path, const char *application, | |||
272 | if (attest) | 276 | if (attest) |
273 | sshbuf_reset(attest); | 277 | sshbuf_reset(attest); |
274 | switch (type) { | 278 | switch (type) { |
279 | #ifdef WITH_OPENSSL | ||
275 | case KEY_ECDSA_SK: | 280 | case KEY_ECDSA_SK: |
276 | alg = SSH_SK_ECDSA; | 281 | alg = SSH_SK_ECDSA; |
277 | break; | 282 | break; |
283 | #endif /* WITH_OPENSSL */ | ||
278 | case KEY_ED25519_SK: | 284 | case KEY_ED25519_SK: |
279 | alg = SSH_SK_ED25519; | 285 | alg = SSH_SK_ED25519; |
280 | break; | 286 | break; |
@@ -330,10 +336,12 @@ sshsk_enroll(int type, const char *provider_path, const char *application, | |||
330 | goto out; | 336 | goto out; |
331 | } | 337 | } |
332 | switch (type) { | 338 | switch (type) { |
339 | #ifdef WITH_OPENSSL | ||
333 | case KEY_ECDSA_SK: | 340 | case KEY_ECDSA_SK: |
334 | if ((r = sshsk_ecdsa_assemble(resp, &key)) != 0) | 341 | if ((r = sshsk_ecdsa_assemble(resp, &key)) != 0) |
335 | goto out; | 342 | goto out; |
336 | break; | 343 | break; |
344 | #endif /* WITH_OPENSSL */ | ||
337 | case KEY_ED25519_SK: | 345 | case KEY_ED25519_SK: |
338 | if ((r = sshsk_ed25519_assemble(resp, &key)) != 0) | 346 | if ((r = sshsk_ed25519_assemble(resp, &key)) != 0) |
339 | goto out; | 347 | goto out; |
@@ -382,6 +390,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application, | |||
382 | return r; | 390 | return r; |
383 | } | 391 | } |
384 | 392 | ||
393 | #ifdef WITH_OPENSSL | ||
385 | static int | 394 | static int |
386 | sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) | 395 | sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) |
387 | { | 396 | { |
@@ -425,6 +434,7 @@ sshsk_ecdsa_sig(struct sk_sign_response *resp, struct sshbuf *sig) | |||
425 | sshbuf_free(inner_sig); | 434 | sshbuf_free(inner_sig); |
426 | return r; | 435 | return r; |
427 | } | 436 | } |
437 | #endif /* WITH_OPENSSL */ | ||
428 | 438 | ||
429 | static int | 439 | static int |
430 | sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig) | 440 | sshsk_ed25519_sig(struct sk_sign_response *resp, struct sshbuf *sig) |
@@ -474,9 +484,11 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
474 | *lenp = 0; | 484 | *lenp = 0; |
475 | type = sshkey_type_plain(key->type); | 485 | type = sshkey_type_plain(key->type); |
476 | switch (type) { | 486 | switch (type) { |
487 | #ifdef WITH_OPENSSL | ||
477 | case KEY_ECDSA_SK: | 488 | case KEY_ECDSA_SK: |
478 | alg = SSH_SK_ECDSA; | 489 | alg = SSH_SK_ECDSA; |
479 | break; | 490 | break; |
491 | #endif /* WITH_OPENSSL */ | ||
480 | case KEY_ED25519_SK: | 492 | case KEY_ED25519_SK: |
481 | alg = SSH_SK_ED25519; | 493 | alg = SSH_SK_ED25519; |
482 | break; | 494 | break; |
@@ -518,10 +530,12 @@ sshsk_sign(const char *provider_path, const struct sshkey *key, | |||
518 | goto out; | 530 | goto out; |
519 | } | 531 | } |
520 | switch (type) { | 532 | switch (type) { |
533 | #ifdef WITH_OPENSSL | ||
521 | case KEY_ECDSA_SK: | 534 | case KEY_ECDSA_SK: |
522 | if ((r = sshsk_ecdsa_sig(resp, sig)) != 0) | 535 | if ((r = sshsk_ecdsa_sig(resp, sig)) != 0) |
523 | goto out; | 536 | goto out; |
524 | break; | 537 | break; |
538 | #endif /* WITH_OPENSSL */ | ||
525 | case KEY_ED25519_SK: | 539 | case KEY_ED25519_SK: |
526 | if ((r = sshsk_ed25519_sig(resp, sig)) != 0) | 540 | if ((r = sshsk_ed25519_sig(resp, sig)) != 0) |
527 | goto out; | 541 | goto out; |