autoconf pieces for U2F support

Mostly following existing logic for PKCS#11 - turning off support
when either libcrypto or dlopen(3) are unavailable.

diff --git a/configure.ac b/configure.ac
index 9b4a7ee62334185d37464bc87775342e7974d1f6..8f007e635ea21a924d79ce300197dff0df5dd54f 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -1878,16 +1878,53 @@ AC_ARG_ENABLE([pkcs11],
        ]
 )
 
-# PKCS11 depends on OpenSSL.
-if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
-       # PKCS#11 support requires dlopen() and co
-       AC_SEARCH_LIBS([dlopen], [dl],
-           AC_CHECK_DECL([RTLD_NOW],
-               AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support]),
-               [], [#include <dlfcn.h>]
-           )
-       )
+disable_sk=
+AC_ARG_ENABLE([security-key],
+       [  --disable-security-key  disable U2F/FIDO support code [no]],
+       [
+               if test "x$enableval" = "xno" ; then
+                       disable_sk=1
+               fi
+       ]
+)
+
+# PKCS11/U2F depend on OpenSSL and dlopen().
+AC_SEARCH_LIBS([dlopen], [dl])
+AC_CHECK_FUNCS([dlopen])
+AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
+
+enable_pkcs11=yes
+enable_sk=yes
+if test "x$openssl" != "xyes" ; then
+       enable_pkcs11="disabled; missing libcrypto"
+       enable_sk="disabled; missing libcrypto"
+fi
+if test "x$ac_cv_func_dlopen" != "xyes" ; then
+       enable_pkcs11="disabled; missing dlopen(3)"
+       enable_sk="disabled; missing dlopen(3)"
+fi
+if test "x$ac_cv_have_decl_RTLD_NOW" != "xyes" ; then
+       enable_pkcs11="disabled; missing RTLD_NOW"
+       enable_sk="disabled; missing RTLD_NOW"
+fi
+if test ! -z "$disable_pkcs11" ; then
+       enable_pkcs11="disabled by user"
+fi
+if test ! -z "$disable_sk" ; then
+       enable_sk="disabled by user"
+fi
+
+AC_MSG_CHECKING([whether to enable PKCS11])
+if test "x$enable_pkcs11" = "xyes" ; then
+       AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])
+fi
+AC_MSG_RESULT([$enable_pkcs11])
+
+AC_MSG_CHECKING([whether to enable U2F])
+if test "x$enable_sk" = "xyes" ; then
+       AC_DEFINE([ENABLE_SK], [], [Enable for U2F/FIDO support])
 fi
+AC_MSG_RESULT([$enable_sk])
 
 # IRIX has a const char return value for gai_strerror()
 AC_CHECK_FUNCS([gai_strerror], [
@@ -5247,6 +5284,8 @@ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
+echo "                   PKCS#11 support: $enable_pkcs11"
+echo "                  U2F/FIDO support: $enable_sk"
 
 echo ""
 

diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c
index 6441cd7fa9b4d0c6f49b8b2f4732f8c4c7019160..3559246578818c5e822831e8c3463580dcc5d70a 100644 (file)
--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -29,6 +29,8 @@
 
 #include "includes.h"
 
+#ifdef ENABLE_SK
+
 #include <sys/types.h>
 
 #include <openssl/bn.h>
@@ -178,3 +180,4 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
        free(ktype);
        return ret;
 }
+#endif /* ENABLE_SK */

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 0d0586576214efa57240d0cec3d2a961261039dc..1d2a93f66d34accf4a96600f044c3bf4265654d7 100644 (file)
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2783,7 +2783,6 @@ main(int argc, char **argv)
        unsigned long long ull, cert_serial = 0;
        char *identity_comment = NULL, *ca_key_path = NULL;
        u_int32_t bits = 0;
-       uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
        FILE *f;
        const char *errstr;
        int log_level = SYSLOG_LEVEL_INFO;
@@ -2796,6 +2795,9 @@ main(int argc, char **argv)
        unsigned long start_lineno = 0, lines_to_process = 0;
        BIGNUM *start = NULL;
 #endif
+#ifdef ENABLE_SK
+       uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
+#endif
 
        extern int optind;
        extern char *optarg;
@@ -2991,7 +2993,9 @@ main(int argc, char **argv)
                                    "number", optarg);
                        if (ull > 0xff)
                                fatal("Invalid security key flags 0x%llx", ull);
+#ifdef ENABLE_SK
                        sk_flags = (uint8_t)ull;
+#endif
                        break;
                case 'z':
                        errno = 0;
@@ -3250,10 +3254,14 @@ main(int argc, char **argv)
                printf("Generating public/private %s key pair.\n",
                    key_type_name);
        if (type == KEY_ECDSA_SK) {
+#ifndef ENABLE_SK
+               fatal("Security key support was disabled at compile time");
+#else /* ENABLE_SK */
                if (sshsk_enroll(sk_provider,
                    cert_key_id == NULL ? "ssh:" : cert_key_id,
                    sk_flags, NULL, &private, NULL) != 0)
                        exit(1); /* error message already printed */
+#endif /* ENABLE_SK */
        } else if ((r = sshkey_generate(type, bits, &private)) != 0)
                fatal("sshkey_generate failed");
        if ((r = sshkey_from_private(private, &public)) != 0)

diff --git a/ssh-sk-helper.c b/ssh-sk-helper.c
index 0a0c92a441298c91a1cf6dbee8c399dd08829523..ced00d955693684bd75aa5504ca53bd3aa9f0755 100644 (file)
--- a/ssh-sk-helper.c
+++ b/ssh-sk-helper.c
@@ -51,6 +51,7 @@
 #include "ssherr.h"
 #include "ssh-sk.h"
 
+#ifdef ENABLE_SK
 extern char *__progname;
 
 int
@@ -141,3 +142,13 @@ main(int argc, char **argv)
 
        return (0);
 }
+#else /* ENABLE_SK */
+#include <stdio.h>
+
+int
+main(int argc, char **argv)
+{
+       fprintf(stderr, "ssh-sk-helper: disabled at compile time\n");
+       return -1;
+}
+#endif /* ENABLE_SK */

diff --git a/ssh-sk.c b/ssh-sk.c
index 7d313f57b5100270cf28546b10a23c689de0d977..122a1e2b742bb52fc5b2e6cd5b3ac83ec34993f7 100644 (file)
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -19,6 +19,8 @@
 
 #include "includes.h"
 
+#ifdef ENABLE_SK
+
 #include <dlfcn.h>
 #include <stddef.h>
 #include <stdint.h>
@@ -375,3 +377,4 @@ sshsk_ecdsa_sign(const char *provider_path, const struct sshkey *key,
        sshbuf_free(inner_sig);
        return r;
 }
+#endif /* ENABLE_SK */