summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--monitor.c4
-rw-r--r--monitor_wrap.c4
-rw-r--r--myproposal.h40
-rw-r--r--readconf.c4
-rw-r--r--servconf.c18
-rw-r--r--servconf.h3
-rw-r--r--sshd.c42
7 files changed, 67 insertions, 48 deletions
diff --git a/monitor.c b/monitor.c
index 64eca98d6..6ee44204c 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor.c,v 1.205 2019/11/25 10:23:36 djm Exp $ */ 1/* $OpenBSD: monitor.c,v 1.206 2019/12/15 18:57:30 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -679,7 +679,7 @@ mm_answer_sign(struct ssh *ssh, int sock, struct sshbuf *m)
679 679
680 if ((key = get_hostkey_by_index(keyid)) != NULL) { 680 if ((key = get_hostkey_by_index(keyid)) != NULL) {
681 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, 681 if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg,
682 NULL, compat)) != 0) 682 options.sk_provider, compat)) != 0)
683 fatal("%s: sshkey_sign failed: %s", 683 fatal("%s: sshkey_sign failed: %s",
684 __func__, ssh_err(r)); 684 __func__, ssh_err(r));
685 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && 685 } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL &&
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 06599e3b1..001a8fa1c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: monitor_wrap.c,v 1.116 2019/11/25 00:51:37 djm Exp $ */ 1/* $OpenBSD: monitor_wrap.c,v 1.117 2019/12/15 18:57:30 djm Exp $ */
2/* 2/*
3 * Copyright 2002 Niels Provos <provos@citi.umich.edu> 3 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4 * Copyright 2002 Markus Friedl <markus@openbsd.org> 4 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -224,8 +224,6 @@ mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
224 int r; 224 int r;
225 225
226 debug3("%s entering", __func__); 226 debug3("%s entering", __func__);
227 if (sk_provider != NULL)
228 fatal("%s: sk_provider != NULL", __func__);
229 if ((m = sshbuf_new()) == NULL) 227 if ((m = sshbuf_new()) == NULL)
230 fatal("%s: sshbuf_new failed", __func__); 228 fatal("%s: sshbuf_new failed", __func__);
231 if ((r = sshbuf_put_u32(m, ndx)) != 0 || 229 if ((r = sshbuf_put_u32(m, ndx)) != 0 ||
diff --git a/myproposal.h b/myproposal.h
index b393db8b0..6688c3066 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: myproposal.h,v 1.62 2019/12/10 22:43:19 djm Exp $ */ 1/* $OpenBSD: myproposal.h,v 1.63 2019/12/15 18:57:30 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -39,32 +39,30 @@
39# define HOSTKEY_ECDSA_CERT_METHODS \ 39# define HOSTKEY_ECDSA_CERT_METHODS \
40 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ 40 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
41 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ 41 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
42 "ecdsa-sha2-nistp521-cert-v01@openssh.com," 42 "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
43 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
43# define HOSTKEY_ECDSA_METHODS \ 44# define HOSTKEY_ECDSA_METHODS \
44 "ecdsa-sha2-nistp256," \ 45 "ecdsa-sha2-nistp256," \
45 "ecdsa-sha2-nistp384," \ 46 "ecdsa-sha2-nistp384," \
46 "ecdsa-sha2-nistp521," 47 "ecdsa-sha2-nistp521," \
48 "sk-ecdsa-sha2-nistp256@openssh.com,"
47# else /* OPENSSL_HAS_NISTP521 */ 49# else /* OPENSSL_HAS_NISTP521 */
48# define KEX_ECDH_METHODS \ 50# define KEX_ECDH_METHODS \
49 "ecdh-sha2-nistp256," \ 51 "ecdh-sha2-nistp256," \
50 "ecdh-sha2-nistp384," 52 "ecdh-sha2-nistp384,"
51# define HOSTKEY_ECDSA_CERT_METHODS \ 53# define HOSTKEY_ECDSA_CERT_METHODS \
52 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ 54 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
53 "ecdsa-sha2-nistp384-cert-v01@openssh.com," 55 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
56 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
54# define HOSTKEY_ECDSA_METHODS \ 57# define HOSTKEY_ECDSA_METHODS \
55 "ecdsa-sha2-nistp256," \ 58 "ecdsa-sha2-nistp256," \
56 "ecdsa-sha2-nistp384," 59 "ecdsa-sha2-nistp384," \
57# endif /* OPENSSL_HAS_NISTP521 */
58# define USERKEY_ECDSA_SK_CERT_METHODS \
59 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
60# define USERKEY_ECDSA_SK_METHODS \
61 "sk-ecdsa-sha2-nistp256@openssh.com," 60 "sk-ecdsa-sha2-nistp256@openssh.com,"
61# endif /* OPENSSL_HAS_NISTP521 */
62#else /* OPENSSL_HAS_ECC */ 62#else /* OPENSSL_HAS_ECC */
63# define KEX_ECDH_METHODS 63# define KEX_ECDH_METHODS
64# define HOSTKEY_ECDSA_CERT_METHODS 64# define HOSTKEY_ECDSA_CERT_METHODS
65# define HOSTKEY_ECDSA_METHODS 65# define HOSTKEY_ECDSA_METHODS
66# define USERKEY_ECDSA_SK_CERT_METHODS
67# define USERKEY_ECDSA_SK_METHODS
68#endif /* OPENSSL_HAS_ECC */ 66#endif /* OPENSSL_HAS_ECC */
69 67
70#ifdef OPENSSL_HAVE_EVPGCM 68#ifdef OPENSSL_HAVE_EVPGCM
@@ -110,11 +108,13 @@
110#define KEX_DEFAULT_PK_ALG \ 108#define KEX_DEFAULT_PK_ALG \
111 HOSTKEY_ECDSA_CERT_METHODS \ 109 HOSTKEY_ECDSA_CERT_METHODS \
112 "ssh-ed25519-cert-v01@openssh.com," \ 110 "ssh-ed25519-cert-v01@openssh.com," \
111 "sk-ssh-ed25519-cert-v01@openssh.com," \
113 "rsa-sha2-512-cert-v01@openssh.com," \ 112 "rsa-sha2-512-cert-v01@openssh.com," \
114 "rsa-sha2-256-cert-v01@openssh.com," \ 113 "rsa-sha2-256-cert-v01@openssh.com," \
115 "ssh-rsa-cert-v01@openssh.com," \ 114 "ssh-rsa-cert-v01@openssh.com," \
116 HOSTKEY_ECDSA_METHODS \ 115 HOSTKEY_ECDSA_METHODS \
117 "ssh-ed25519," \ 116 "ssh-ed25519," \
117 "sk-ssh-ed25519@openssh.com," \
118 "rsa-sha2-512," \ 118 "rsa-sha2-512," \
119 "rsa-sha2-256," \ 119 "rsa-sha2-256," \
120 "ssh-rsa" 120 "ssh-rsa"
@@ -145,29 +145,12 @@
145/* Not a KEX value, but here so all the algorithm defaults are together */ 145/* Not a KEX value, but here so all the algorithm defaults are together */
146#define SSH_ALLOWED_CA_SIGALGS \ 146#define SSH_ALLOWED_CA_SIGALGS \
147 HOSTKEY_ECDSA_METHODS \ 147 HOSTKEY_ECDSA_METHODS \
148 USERKEY_ECDSA_SK_METHODS \
149 "ssh-ed25519," \ 148 "ssh-ed25519," \
150 "sk-ssh-ed25519@openssh.com," \ 149 "sk-ssh-ed25519@openssh.com," \
151 "rsa-sha2-512," \ 150 "rsa-sha2-512," \
152 "rsa-sha2-256," \ 151 "rsa-sha2-256," \
153 "ssh-rsa" 152 "ssh-rsa"
154 153
155#define PUBKEY_DEFAULT_PK_ALG \
156 USERKEY_ECDSA_SK_CERT_METHODS \
157 HOSTKEY_ECDSA_CERT_METHODS \
158 "sk-ssh-ed25519-cert-v01@openssh.com," \
159 "ssh-ed25519-cert-v01@openssh.com," \
160 "rsa-sha2-512-cert-v01@openssh.com," \
161 "rsa-sha2-256-cert-v01@openssh.com," \
162 "ssh-rsa-cert-v01@openssh.com," \
163 USERKEY_ECDSA_SK_METHODS \
164 HOSTKEY_ECDSA_METHODS \
165 "sk-ssh-ed25519@openssh.com," \
166 "ssh-ed25519," \
167 "rsa-sha2-512," \
168 "rsa-sha2-256," \
169 "ssh-rsa"
170
171#else /* WITH_OPENSSL */ 154#else /* WITH_OPENSSL */
172 155
173#define KEX_SERVER_KEX \ 156#define KEX_SERVER_KEX \
@@ -176,7 +159,6 @@
176#define KEX_DEFAULT_PK_ALG \ 159#define KEX_DEFAULT_PK_ALG \
177 "ssh-ed25519-cert-v01@openssh.com," \ 160 "ssh-ed25519-cert-v01@openssh.com," \
178 "ssh-ed25519" 161 "ssh-ed25519"
179#define PUBKEY_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG
180#define KEX_SERVER_ENCRYPT \ 162#define KEX_SERVER_ENCRYPT \
181 "chacha20-poly1305@openssh.com," \ 163 "chacha20-poly1305@openssh.com," \
182 "aes128-ctr,aes192-ctr,aes256-ctr" 164 "aes128-ctr,aes192-ctr,aes256-ctr"
diff --git a/readconf.c b/readconf.c
index c046e4dbf..4ea8ec566 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: readconf.c,v 1.314 2019/11/14 21:27:29 djm Exp $ */ 1/* $OpenBSD: readconf.c,v 1.315 2019/12/15 18:57:30 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2153,7 +2153,7 @@ fill_default_options(Options * options)
2153 ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac); 2153 ASSEMBLE(macs, KEX_CLIENT_MAC, all_mac);
2154 ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex); 2154 ASSEMBLE(kex_algorithms, KEX_CLIENT_KEX, all_kex);
2155 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); 2155 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
2156 ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key); 2156 ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
2157 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); 2157 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
2158#undef ASSEMBLE 2158#undef ASSEMBLE
2159 free(all_cipher); 2159 free(all_cipher);
diff --git a/servconf.c b/servconf.c
index 1f3beab4a..30cd59840 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
1 1
2/* $OpenBSD: servconf.c,v 1.354 2019/11/25 00:52:46 djm Exp $ */ 2/* $OpenBSD: servconf.c,v 1.355 2019/12/15 18:57:30 djm Exp $ */
3/* 3/*
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved 5 * All rights reserved
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions *options)
171 options->authorized_keys_command = NULL; 171 options->authorized_keys_command = NULL;
172 options->authorized_keys_command_user = NULL; 172 options->authorized_keys_command_user = NULL;
173 options->revoked_keys_file = NULL; 173 options->revoked_keys_file = NULL;
174 options->sk_provider = NULL;
174 options->trusted_user_ca_keys = NULL; 175 options->trusted_user_ca_keys = NULL;
175 options->authorized_principals_file = NULL; 176 options->authorized_principals_file = NULL;
176 options->authorized_principals_command = NULL; 177 options->authorized_principals_command = NULL;
@@ -211,7 +212,7 @@ assemble_algorithms(ServerOptions *o)
211 ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); 212 ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
212 ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); 213 ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
213 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); 214 ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
214 ASSEMBLE(pubkey_key_types, PUBKEY_DEFAULT_PK_ALG, all_key); 215 ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
215 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); 216 ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
216#undef ASSEMBLE 217#undef ASSEMBLE
217 free(all_cipher); 218 free(all_cipher);
@@ -428,6 +429,8 @@ fill_default_server_options(ServerOptions *options)
428 options->disable_forwarding = 0; 429 options->disable_forwarding = 0;
429 if (options->expose_userauth_info == -1) 430 if (options->expose_userauth_info == -1)
430 options->expose_userauth_info = 0; 431 options->expose_userauth_info = 0;
432 if (options->sk_provider == NULL)
433 options->sk_provider = xstrdup("internal");
431 434
432 assemble_algorithms(options); 435 assemble_algorithms(options);
433 436
@@ -447,6 +450,7 @@ fill_default_server_options(ServerOptions *options)
447 CLEAR_ON_NONE(options->banner); 450 CLEAR_ON_NONE(options->banner);
448 CLEAR_ON_NONE(options->trusted_user_ca_keys); 451 CLEAR_ON_NONE(options->trusted_user_ca_keys);
449 CLEAR_ON_NONE(options->revoked_keys_file); 452 CLEAR_ON_NONE(options->revoked_keys_file);
453 CLEAR_ON_NONE(options->sk_provider);
450 CLEAR_ON_NONE(options->authorized_principals_file); 454 CLEAR_ON_NONE(options->authorized_principals_file);
451 CLEAR_ON_NONE(options->adm_forced_command); 455 CLEAR_ON_NONE(options->adm_forced_command);
452 CLEAR_ON_NONE(options->chroot_directory); 456 CLEAR_ON_NONE(options->chroot_directory);
@@ -512,7 +516,7 @@ typedef enum {
512 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, 516 sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
513 sStreamLocalBindMask, sStreamLocalBindUnlink, 517 sStreamLocalBindMask, sStreamLocalBindUnlink,
514 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, 518 sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
515 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, 519 sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
516 sDeprecated, sIgnore, sUnsupported 520 sDeprecated, sIgnore, sUnsupported
517} ServerOpCodes; 521} ServerOpCodes;
518 522
@@ -662,6 +666,7 @@ static struct {
662 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, 666 { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
663 { "rdomain", sRDomain, SSHCFG_ALL }, 667 { "rdomain", sRDomain, SSHCFG_ALL },
664 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, 668 { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
669 { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
665 { NULL, sBadOption, 0 } 670 { NULL, sBadOption, 0 }
666}; 671};
667 672
@@ -2025,6 +2030,10 @@ process_server_config_line(ServerOptions *options, char *line,
2025 charptr = &options->revoked_keys_file; 2030 charptr = &options->revoked_keys_file;
2026 goto parse_filename; 2031 goto parse_filename;
2027 2032
2033 case sSecurityKeyProvider:
2034 charptr = &options->sk_provider;
2035 goto parse_filename;
2036
2028 case sIPQoS: 2037 case sIPQoS:
2029 arg = strdelim(&cp); 2038 arg = strdelim(&cp);
2030 if ((value = parse_ipqos(arg)) == -1) 2039 if ((value = parse_ipqos(arg)) == -1)
@@ -2646,6 +2655,7 @@ dump_config(ServerOptions *o)
2646 dump_cfg_string(sChrootDirectory, o->chroot_directory); 2655 dump_cfg_string(sChrootDirectory, o->chroot_directory);
2647 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); 2656 dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
2648 dump_cfg_string(sRevokedKeys, o->revoked_keys_file); 2657 dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
2658 dump_cfg_string(sSecurityKeyProvider, o->sk_provider);
2649 dump_cfg_string(sAuthorizedPrincipalsFile, 2659 dump_cfg_string(sAuthorizedPrincipalsFile,
2650 o->authorized_principals_file); 2660 o->authorized_principals_file);
2651 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' 2661 dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
@@ -2664,7 +2674,7 @@ dump_config(ServerOptions *o)
2664 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? 2674 dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
2665 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG); 2675 o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
2666 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? 2676 dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
2667 o->pubkey_key_types : PUBKEY_DEFAULT_PK_ALG); 2677 o->pubkey_key_types : KEX_DEFAULT_PK_ALG);
2668 dump_cfg_string(sRDomain, o->routing_domain); 2678 dump_cfg_string(sRDomain, o->routing_domain);
2669 2679
2670 /* string arguments requiring a lookup */ 2680 /* string arguments requiring a lookup */
diff --git a/servconf.h b/servconf.h
index 9f202260a..6fc1efb2c 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: servconf.h,v 1.141 2019/11/25 00:52:46 djm Exp $ */ 1/* $OpenBSD: servconf.h,v 1.142 2019/12/15 18:57:30 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -215,6 +215,7 @@ typedef struct {
215 int fingerprint_hash; 215 int fingerprint_hash;
216 int expose_userauth_info; 216 int expose_userauth_info;
217 u_int64_t timing_secret; 217 u_int64_t timing_secret;
218 char *sk_provider;
218} ServerOptions; 219} ServerOptions;
219 220
220/* Information about the incoming connection as used by Match */ 221/* Information about the incoming connection as used by Match */
diff --git a/sshd.c b/sshd.c
index 1e4d8a295..0cf13a741 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.541 2019/11/18 16:10:05 naddy Exp $ */ 1/* $OpenBSD: sshd.c,v 1.542 2019/12/15 18:57:30 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -122,6 +122,7 @@
122#include "auth-options.h" 122#include "auth-options.h"
123#include "version.h" 123#include "version.h"
124#include "ssherr.h" 124#include "ssherr.h"
125#include "sk-api.h"
125 126
126/* Re-exec fds */ 127/* Re-exec fds */
127#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) 128#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -632,6 +633,8 @@ list_hostkey_types(void)
632 case KEY_DSA: 633 case KEY_DSA:
633 case KEY_ECDSA: 634 case KEY_ECDSA:
634 case KEY_ED25519: 635 case KEY_ED25519:
636 case KEY_ECDSA_SK:
637 case KEY_ED25519_SK:
635 case KEY_XMSS: 638 case KEY_XMSS:
636 append_hostkey_type(b, sshkey_ssh_name(key)); 639 append_hostkey_type(b, sshkey_ssh_name(key));
637 break; 640 break;
@@ -651,6 +654,8 @@ list_hostkey_types(void)
651 case KEY_DSA_CERT: 654 case KEY_DSA_CERT:
652 case KEY_ECDSA_CERT: 655 case KEY_ECDSA_CERT:
653 case KEY_ED25519_CERT: 656 case KEY_ED25519_CERT:
657 case KEY_ECDSA_SK_CERT:
658 case KEY_ED25519_SK_CERT:
654 case KEY_XMSS_CERT: 659 case KEY_XMSS_CERT:
655 append_hostkey_type(b, sshkey_ssh_name(key)); 660 append_hostkey_type(b, sshkey_ssh_name(key));
656 break; 661 break;
@@ -675,6 +680,8 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
675 case KEY_DSA_CERT: 680 case KEY_DSA_CERT:
676 case KEY_ECDSA_CERT: 681 case KEY_ECDSA_CERT:
677 case KEY_ED25519_CERT: 682 case KEY_ED25519_CERT:
683 case KEY_ECDSA_SK_CERT:
684 case KEY_ED25519_SK_CERT:
678 case KEY_XMSS_CERT: 685 case KEY_XMSS_CERT:
679 key = sensitive_data.host_certificates[i]; 686 key = sensitive_data.host_certificates[i];
680 break; 687 break;
@@ -684,10 +691,20 @@ get_hostkey_by_type(int type, int nid, int need_private, struct ssh *ssh)
684 key = sensitive_data.host_pubkeys[i]; 691 key = sensitive_data.host_pubkeys[i];
685 break; 692 break;
686 } 693 }
687 if (key != NULL && key->type == type && 694 if (key == NULL || key->type != type)
688 (key->type != KEY_ECDSA || key->ecdsa_nid == nid)) 695 continue;
696 switch (type) {
697 case KEY_ECDSA:
698 case KEY_ECDSA_SK:
699 case KEY_ECDSA_CERT:
700 case KEY_ECDSA_SK_CERT:
701 if (key->ecdsa_nid != nid)
702 continue;
703 /* FALLTHROUGH */
704 default:
689 return need_private ? 705 return need_private ?
690 sensitive_data.host_keys[i] : key; 706 sensitive_data.host_keys[i] : key;
707 }
691 } 708 }
692 return NULL; 709 return NULL;
693} 710}
@@ -1723,7 +1740,14 @@ main(int ac, char **av)
1723 &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR) 1740 &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
1724 do_log2(ll, "Unable to load host key \"%s\": %s", 1741 do_log2(ll, "Unable to load host key \"%s\": %s",
1725 options.host_key_files[i], ssh_err(r)); 1742 options.host_key_files[i], ssh_err(r));
1726 if (r == 0 && (r = sshkey_shield_private(key)) != 0) { 1743 if (sshkey_is_sk(key) &&
1744 key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
1745 debug("host key %s requires user presence, ignoring",
1746 options.host_key_files[i]);
1747 key->sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
1748 }
1749 if (r == 0 && key != NULL &&
1750 (r = sshkey_shield_private(key)) != 0) {
1727 do_log2(ll, "Unable to shield host key \"%s\": %s", 1751 do_log2(ll, "Unable to shield host key \"%s\": %s",
1728 options.host_key_files[i], ssh_err(r)); 1752 options.host_key_files[i], ssh_err(r));
1729 sshkey_free(key); 1753 sshkey_free(key);
@@ -1760,6 +1784,8 @@ main(int ac, char **av)
1760 case KEY_DSA: 1784 case KEY_DSA:
1761 case KEY_ECDSA: 1785 case KEY_ECDSA:
1762 case KEY_ED25519: 1786 case KEY_ED25519:
1787 case KEY_ECDSA_SK:
1788 case KEY_ED25519_SK:
1763 case KEY_XMSS: 1789 case KEY_XMSS:
1764 if (have_agent || key != NULL) 1790 if (have_agent || key != NULL)
1765 sensitive_data.have_ssh2_key = 1; 1791 sensitive_data.have_ssh2_key = 1;
@@ -2212,17 +2238,19 @@ sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey,
2212 if (use_privsep) { 2238 if (use_privsep) {
2213 if (privkey) { 2239 if (privkey) {
2214 if (mm_sshkey_sign(ssh, privkey, signature, slenp, 2240 if (mm_sshkey_sign(ssh, privkey, signature, slenp,
2215 data, dlen, alg, NULL, ssh->compat) < 0) 2241 data, dlen, alg, options.sk_provider,
2242 ssh->compat) < 0)
2216 fatal("%s: privkey sign failed", __func__); 2243 fatal("%s: privkey sign failed", __func__);
2217 } else { 2244 } else {
2218 if (mm_sshkey_sign(ssh, pubkey, signature, slenp, 2245 if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
2219 data, dlen, alg, NULL, ssh->compat) < 0) 2246 data, dlen, alg, options.sk_provider,
2247 ssh->compat) < 0)
2220 fatal("%s: pubkey sign failed", __func__); 2248 fatal("%s: pubkey sign failed", __func__);
2221 } 2249 }
2222 } else { 2250 } else {
2223 if (privkey) { 2251 if (privkey) {
2224 if (sshkey_sign(privkey, signature, slenp, data, dlen, 2252 if (sshkey_sign(privkey, signature, slenp, data, dlen,
2225 alg, NULL, ssh->compat) < 0) 2253 alg, options.sk_provider, ssh->compat) < 0)
2226 fatal("%s: privkey sign failed", __func__); 2254 fatal("%s: privkey sign failed", __func__);
2227 } else { 2255 } else {
2228 if ((r = ssh_agent_sign(auth_sock, pubkey, 2256 if ((r = ssh_agent_sign(auth_sock, pubkey,