remove a bunch of ENABLE_SK #ifdefs
authorDamien Miller <djm@mindrot.org>
Fri, 13 Dec 2019 22:21:46 +0000 (09:21 +1100)
committerDamien Miller <djm@mindrot.org>
Fri, 13 Dec 2019 22:21:46 +0000 (09:21 +1100)
The ssh-sk-helper client API gives us a nice place to disable
security key support when it wasn't enabled at compile time,
so we don't need to check everywhere.

Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.

ssh-ecdsa-sk.c
ssh-keygen.c
ssh-sk-client.c
sshkey.c

index 40f0dc8c05de31350aa18e9f567ac5b7534faf30..7a2355c1afc6bdfb6af2182198f8a351c0016039 100644 (file)
@@ -29,8 +29,6 @@
 
 #include "includes.h"
 
-#ifdef ENABLE_SK
-
 #include <sys/types.h>
 
 #include <openssl/bn.h>
@@ -203,4 +201,3 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
        free(ktype);
        return ret;
 }
-#endif /* ENABLE_SK */
index e90b85ffa3eb86f58a3d49d0ef957224812d3b85..24e246c0b7a550db73b62016a69cd1f8a7809e59 100644 (file)
@@ -3303,9 +3303,6 @@ main(int argc, char **argv)
        switch (type) {
        case KEY_ECDSA_SK:
        case KEY_ED25519_SK:
-#ifndef ENABLE_SK
-               fatal("Security key support was disabled at compile time");
-#else /* ENABLE_SK */
                if (!quiet) {
                        printf("You may need to touch your security key "
                            "to authorize key generation.\n");
@@ -3316,7 +3313,6 @@ main(int argc, char **argv)
                    sk_flags, NULL, &private, NULL) != 0)
                        exit(1); /* error message already printed */
                break;
-#endif /* ENABLE_SK */
        default:
                if ((r = sshkey_generate(type, bits, &private)) != 0)
                        fatal("sshkey_generate failed");
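Review bot: With the compile-time fatal() removed from the KEY_ECDSA_SK/KEY_ED25519_SK case, the comment on `exit(1); /* error message already printed */` is no longer true in a build without ENABLE_SK: the stub this commit adds to sshsk_enroll in ssh-sk-client.c returns SSH_ERR_KEY_TYPE_UNKNOWN before any error() call, so ssh-keygen now exits 1 silently where it used to say "Security key support was disabled at compile time". The call whose argument list ends at `sk_flags, NULL, &private, NULL) != 0)` is presumably sshsk_enroll; its name is above the hunk, so I cannot confirm it. I would capture the return code, which `r` (used by the sshkey_generate branch below) already allows, `if ((r = sshsk_enroll(..., sk_flags, NULL, &private, NULL)) != 0)` followed by `fatal("Key enrollment failed: %s", ssh_err(r));`, so that this and any other non-logging failure of the enrollment path is reported. The enclosing main() starts and ends outside the hunk.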
index 92ac0e7e1dd6ad56017e2ae7c9efee87042a8d43..8a7ac97c423f5aa2de027d62ccabaf1a5126ff3b 100644 (file)
@@ -198,6 +198,10 @@ sshsk_sign(const char *provider, struct sshkey *key,
        *sigp = NULL;
        *lenp = 0;
 
+#ifndef ENABLE_SK
+       return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
        if ((kbuf = sshbuf_new()) == NULL ||
            (req = sshbuf_new()) == NULL) {
                r = SSH_ERR_ALLOC_FAIL;
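Review bot: The new `#ifndef ENABLE_SK` stub returns SSH_ERR_KEY_TYPE_UNKNOWN without logging, so a user of an ssh built without security-key support who signs with an sk key gets a generic "unknown key type" failure instead of the specific "disabled at compile time" diagnostic that ssh-keygen used to print. The placement is otherwise sound: *sigp and *lenp are cleared on the two lines above and nothing has been allocated yet, so the early return leaks nothing. I would log before returning, `error("%s: security key support was disabled at compile time", __func__);`, assuming log.h's error() is in scope in this file as it is elsewhere in the tree. If this tree's ssherr.h provides SSH_ERR_FEATURE_UNSUPPORTED, that would also describe the failure more honestly than an unknown key type, unless the intent is for callers to treat sk keys as unrecognised in such builds. The rest of sshsk_sign lies outside the hunk.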
@@ -266,6 +270,10 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
        if (attest != NULL)
                sshbuf_reset(attest);
 
+#ifndef ENABLE_SK
+       return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
        if (type < 0)
                return SSH_ERR_INVALID_ARGUMENT;
 
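Review bot: The stub in sshsk_enroll carries no comment, and a reader meeting SSH_ERR_KEY_TYPE_UNKNOWN for a well-formed key type will not guess that the commit deliberately centralised the no-ENABLE_SK failure here so that ssh-keygen and sshkey.c need no #ifdefs of their own; I would add above the `#ifndef`: `/* Without ENABLE_SK there is no ssh-sk-helper to drive; fail here so callers need no compile-time checks. */`. The stub sits after `sshbuf_reset(attest)` but the top of the function is outside the hunk, so I cannot see whether `*keyp` is cleared before this point the way attest is; if it is not, callers in a no-SK build get an error with an untouched output pointer, which is worth confirming. The rest of sshsk_enroll, including its argument validation after `type < 0`, lies outside the hunk.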
index 674303c37e152a367021dbb3292d978950f9fe04..3bab2e893ad0baaf2fec275982df20b20431a1ea 100644 (file)
--- a/sshkey.c
+++ b/sshkey.c
@@ -2760,7 +2760,6 @@ sshkey_sign(struct sshkey *key,
        case KEY_ED25519_CERT:
                r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
                break;
-#ifdef ENABLE_SK
        case KEY_ED25519_SK:
        case KEY_ED25519_SK_CERT:
        case KEY_ECDSA_SK_CERT:
@@ -2768,7 +2767,6 @@ sshkey_sign(struct sshkey *key,
                r = sshsk_sign(sk_provider, key, sigp, lenp, data,
                    datalen, compat);
                break;
-#endif /* ENABLE_SK */
 #ifdef WITH_XMSS
        case KEY_XMSS:
        case KEY_XMSS_CERT:
@@ -2807,12 +2805,10 @@ sshkey_verify(const struct sshkey *key,
        case KEY_ECDSA_CERT:
        case KEY_ECDSA:
                return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
-#  ifdef ENABLE_SK
        case KEY_ECDSA_SK_CERT:
        case KEY_ECDSA_SK:
                return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
                    compat, detailsp);
-#  endif /* ENABLE_SK */
 # endif /* OPENSSL_HAS_ECC */
        case KEY_RSA_CERT:
        case KEY_RSA: