upstream: directly support U2F/FIDO2 security keys in OpenSSH by

linking against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for Bluetooth, NFC
and test/debugging.

OpenBSD-Commit-ID: 14446cf170ac0351f0d4792ba0bca53024930069
diff --git a/ssh-sk.c b/ssh-sk.c
index 754577d..591c643 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.11 2019/11/13 20:25:45 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.12 2019/11/14 21:27:30 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -60,6 +60,15 @@
 	    uint8_t flags, struct sk_sign_response **sign_response);
 };
 
+/* Built-in version */
+int ssh_sk_enroll(int alg, const uint8_t *challenge,
+    size_t challenge_len, const char *application, uint8_t flags,
+    struct sk_enroll_response **enroll_response);
+int ssh_sk_sign(int alg, const uint8_t *message, size_t message_len,
+    const char *application,
+    const uint8_t *key_handle, size_t key_handle_len,
+    uint8_t flags, struct sk_sign_response **sign_response);
+
 static void
 sshsk_free(struct sshsk_provider *p)
 {
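Review bot: The `ssh_sk_enroll` and `ssh_sk_sign` prototypes are written out by hand in this file instead of coming from a header shared with their definitions, so a later signature change on the middleware side would not be caught by the compiler here. The definitions are not part of this diff, so that is inferred, but assigning them to the provider's function pointers and calling through a mismatched type would be undefined behaviour. Consider moving both declarations into a header that this file and the middleware include. Failing that, wrap them in `#ifdef ENABLE_SK_INTERNAL` and extend the comment to `/* Built-in version; only referenced when ENABLE_SK_INTERNAL is defined */`.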
@@ -85,6 +94,16 @@
 		error("%s: strdup failed", __func__);
 		goto fail;
 	}
+	/* Skip the rest if we're using the linked in middleware */
+	if (strcasecmp(ret->path, "internal") == 0) {
+#ifdef ENABLE_SK_INTERNAL
+		ret->sk_enroll = ssh_sk_enroll;
+		ret->sk_sign = ssh_sk_sign;
+#else
+		error("internal security key support not enabled");
+#endif
+		return ret;
+	}
 	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
 		error("Security key provider %s dlopen failed: %s",
 		    path, dlerror());
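Review bot: In the `#else` branch the code logs "internal security key support not enabled" and then still falls through to `return ret;`, so a build without ENABLE_SK_INTERNAL returns a provider whose `sk_enroll` and `sk_sign` were never assigned on this path. A caller that treats a non-NULL return as a usable provider would later call through an unset function pointer; whether those members are NULL depends on how `ret` is allocated, which is outside the hunk. Move `return ret;` up into the `#ifdef ENABLE_SK_INTERNAL` branch and end the `#else` branch with `goto fail;`, the same label the strdup failure just above uses. The enclosing function starts and ends outside the hunk.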