180 lines
6 KiB
Diff
180 lines
6 KiB
Diff
commit 23d3b46546f5f6d74a2a99f4c902e52206822f96
|
|
Author: Jeremy Stott <jeremy@stott.co.nz>
|
|
Date: Sat Oct 19 12:10:52 2024 +1300
|
|
|
|
Add make target for standalone sk-libfido2
|
|
|
|
Add a Makefile target for sk-libfido2, the standalone fido2 security
|
|
key shared library, suitable for use with the SecurityKeyProvider
|
|
option.
|
|
|
|
Add a new configure option `--with-security-key-standalone` that
|
|
optionally sets the shared library target sk-libfido2$(SHLIBEXT), and
|
|
adds it to $(TARGETS).
|
|
|
|
misc.h is required when SK_STANDALONE is defined, because of the use
|
|
of `monotime_tv` in `sk_select_by_touch`.
|
|
|
|
Sets the shared library extension for sk-libfido2 is by setting
|
|
`SHLIBEXT` depending on the platform in configure.ac.
|
|
|
|
Add the shared library to the CI builds in the `sk` target config to
|
|
make sure it can compile under the same conditions as
|
|
`--with-security-key-builtin`.
|
|
|
|
Add a libssh-pic.a static library that compiles with `-fPIC` reusing
|
|
.c.lo method in sk-dummy.so for use in the shared library sk-libfido2.
|
|
|
|
Note, a separate static library libssh-pic.a is needed, since defining
|
|
-DSK_STANDALONE excludes some symbols needed in sshkey.lo.
|
|
|
|
diff --git a/.github/configs b/.github/configs
|
|
index 4f47f820b..da6d46d86 100755
|
|
--- a/.github/configs
|
|
+++ b/.github/configs
|
|
@@ -181,7 +181,7 @@ case "$config" in
|
|
CONFIGFLAGS="--with-selinux"
|
|
;;
|
|
sk)
|
|
- CONFIGFLAGS="--with-security-key-builtin"
|
|
+ CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
|
|
;;
|
|
without-openssl)
|
|
LIBCRYPTOFLAGS="--without-openssl"
|
|
diff --git a/.gitignore b/.gitignore
|
|
index 41d505c46..333c7cd3c 100644
|
|
--- a/.gitignore
|
|
+++ b/.gitignore
|
|
@@ -12,6 +12,8 @@ survey.sh
|
|
**/*.o
|
|
**/*.lo
|
|
**/*.so
|
|
+**/*.dylib
|
|
+**/*.dll
|
|
**/*.out
|
|
**/*.a
|
|
**/*.un~
|
|
diff --git a/Makefile.in b/Makefile.in
|
|
index 4243006b0..9450e9991 100644
|
|
--- a/Makefile.in
|
|
+++ b/Makefile.in
|
|
@@ -32,6 +32,7 @@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
STRIP_OPT=@STRIP_OPT@
|
|
TEST_SHELL=@TEST_SHELL@
|
|
BUILDDIR=@abs_top_builddir@
|
|
+SK_STANDALONE=@SK_STANDALONE@
|
|
|
|
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
|
|
-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
|
|
@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@
|
|
|
|
.SUFFIXES: .lo
|
|
|
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
|
|
|
|
XMSS_OBJS=\
|
|
ssh-xmss.o \
|
|
@@ -254,6 +255,16 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
|
|
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
|
|
$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
|
|
|
|
+# compile libssh objects with -fPIC for use in the sk_libfido2 shared library
|
|
+LIBSSH_PIC_OBJS=$(LIBSSH_OBJS:.o=.lo)
|
|
+libssh-pic.a: $(LIBSSH_PIC_OBJS)
|
|
+ $(AR) rv $@ $(LIBSSH_PIC_OBJS)
|
|
+ $(RANLIB) $@
|
|
+
|
|
+$(SK_STANDALONE): sk-usbhid.c $(LIBCOMPAT) libssh-pic.a
|
|
+ $(CC) -o $@ -shared $(CFLAGS_NOPIE) $(CPPFLAGS) -DSK_STANDALONE $(PICFLAG) sk-usbhid.c \
|
|
+ libssh-pic.a $(LDFLAGS_NOPIE) -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
|
|
+
|
|
$(MANPAGES): $(MANPAGES_IN)
|
|
if test "$(MANTYPE)" = "cat"; then \
|
|
manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
|
|
@@ -313,7 +324,7 @@ distclean: regressclean
|
|
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
|
|
rm -f *.out core opensshd.init openssh.xml
|
|
rm -f Makefile buildpkg.sh config.h config.status
|
|
- rm -f survey.sh openbsd-compat/regress/Makefile *~
|
|
+ rm -f survey.sh openbsd-compat/regress/Makefile *~
|
|
rm -rf autom4te.cache
|
|
rm -f regress/check-perm
|
|
rm -f regress/mkdtemp
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 9053a9a2b..1e8432bd6 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -619,6 +619,9 @@ SPP_MSG="no"
|
|
# the --with-solaris-privs option and --with-sandbox=solaris).
|
|
SOLARIS_PRIVS="no"
|
|
|
|
+# Default shared library extension
|
|
+SHLIBEXT=".so"
|
|
+
|
|
# Check for some target-specific stuff
|
|
case "$host" in
|
|
*-*-aix*)
|
|
@@ -737,6 +740,7 @@ case "$host" in
|
|
# Cygwin defines optargs, optargs as declspec(dllimport) for historical
|
|
# reasons which cause compile warnings, so we disable those warnings.
|
|
OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
|
|
+ SHLIBEXT=".dll"
|
|
;;
|
|
*-*-dgux*)
|
|
AC_DEFINE([IP_TOS_IS_BROKEN], [1],
|
|
@@ -796,6 +800,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
|
# cf. Apple bug 3710161 (not public, but searchable)
|
|
AC_DEFINE([BROKEN_POLL], [1],
|
|
[System poll(2) implementation is broken])
|
|
+ SHLIBEXT=".dylib"
|
|
;;
|
|
*-*-dragonfly*)
|
|
SSHDLIBS="$SSHDLIBS"
|
|
@@ -2084,6 +2089,12 @@ AC_ARG_WITH([security-key-builtin],
|
|
[ enable_sk_internal=$withval ]
|
|
)
|
|
|
|
+enable_sk_standalone=
|
|
+AC_ARG_WITH([security-key-standalone],
|
|
+ [ --with-security-key-standalone build standalone sk-libfido2 SecurityKeyProvider],
|
|
+ [ enable_sk_standalone=$withval ]
|
|
+)
|
|
+
|
|
enable_dsa=
|
|
AC_ARG_ENABLE([dsa-keys],
|
|
[ --enable-dsa-keys enable DSA key support [no]],
|
|
@@ -3321,6 +3332,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
|
|
fi
|
|
fi
|
|
|
|
+# Check for standalone SecurityKeyProvider
|
|
+AC_MSG_CHECKING([whether to build standlone sk-libfido2])
|
|
+if test "x$enable_sk_standalone" = "xyes" ; then
|
|
+ AC_MSG_RESULT([yes])
|
|
+ AC_SUBST([SK_STANDALONE], [sk-libfido2$SHLIBEXT])
|
|
+else
|
|
+ AC_MSG_RESULT([no])
|
|
+ AC_SUBST([SK_STANDALONE], [""])
|
|
+fi
|
|
+
|
|
AC_CHECK_FUNCS([ \
|
|
arc4random \
|
|
arc4random_buf \
|
|
diff --git a/sk-usbhid.c b/sk-usbhid.c
|
|
index 812b28d83..36f089a57 100644
|
|
--- a/sk-usbhid.c
|
|
+++ b/sk-usbhid.c
|
|
@@ -77,10 +77,11 @@
|
|
#define FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID 0
|
|
#endif
|
|
|
|
+# include "misc.h"
|
|
+
|
|
#ifndef SK_STANDALONE
|
|
# include "log.h"
|
|
# include "xmalloc.h"
|
|
-# include "misc.h"
|
|
/*
|
|
* If building as part of OpenSSH, then rename exported functions.
|
|
* This must be done before including sk-api.h.
|