git.ipfire.org Git - thirdparty/openssh-portable.git/commit

author	djm@openbsd.org <djm@openbsd.org>
	Thu, 24 Jul 2025 05:44:55 +0000 (05:44 +0000)
committer	Damien Miller <djm@mindrot.org>
	Thu, 24 Jul 2025 23:23:16 +0000 (09:23 +1000)
commit	a8c0e5c871c0c7ee5ae93e353b1499a53c09c71d
tree	58a2f460f7c745b8d8a759130db50abe24371541	tree
parent	259c66aebe4e1f9d60e548f728ff74083bcccddf	commit \| diff

upstream: Help OpenSSH's PKCS#11 support kick its meth habit.

The PKCS#11 code in OpenSSH used the libcrypto public key method API
(e.g. the delightfully named RSA_meth_free()) to delegate signing
operations to external keys. This had one advantage - that it was
basically transparent to callers, but also had a big disadvantage -
that we'd manually have to track the method implementations, their
state and their relationships to the underlying PKCS#11 objects.

This rips this out and replaces it with explicit delegation to
PKCS#11 code for externally hosted keys via the ssh-pkcs11-helper
subprocess. This is very similar to how we handle FIDO keys in
OpenSSH (i.e. via ssh-sk-helper). All we need to track now is a
much simpler mapping of public key -> helper subprocess.

Kicking our libcrypto meth dependency also makes it much easier
to support Ed25519 keys in PKCS#11, which will happen in a subsequent
commit.

feedback / ok tb@

OpenBSD-Commit-ID: a5a1eaf57971cf15e0cdc5a513e313541c8a35f0

.depend		diff \| blob \| blame \| history
Makefile.in		diff \| blob \| blame \| history
ssh-ecdsa.c		diff \| blob \| blame \| history
ssh-pkcs11-client.c		diff \| blob \| blame \| history
ssh-pkcs11-helper.c		diff \| blob \| blame \| history
ssh-pkcs11.c		diff \| blob \| blame \| history
ssh-pkcs11.h		diff \| blob \| blame \| history
ssh-rsa.c		diff \| blob \| blame \| history
ssh-sk-helper.c		diff \| blob \| blame \| history
sshbuf-misc.c		diff \| blob \| blame \| history
sshbuf.h		diff \| blob \| blame \| history
sshkey.c		diff \| blob \| blame \| history
sshkey.h		diff \| blob \| blame \| history