ssh: generate SK config file using private cbor and fido2 libs

Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and
pass -I paths to libcbor and libfido2's contrib src location.

MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D34440
Ed Maste 2022-03-01 16:39:16 -05:00
parent e36c256040
commit 73104d5838
2 changed files with 22 additions and 6 deletions


@ -3263,16 +3263,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
LIBFIDO2=`$PKGCONFIG --libs libfido2` LIBFIDO2=`$PKGCONFIG --libs libfido2`
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
else else
LIBFIDO2="-lfido2 -lcbor" LIBFIDO2="-lprivatefido2 -lprivatecbor"
fi fi
OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'` OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
AC_CHECK_LIB([fido2], [fido_init], AC_CHECK_LIB([privatefido2], [fido_init],
[ [
AC_SUBST([LIBFIDO2]) AC_SUBST([LIBFIDO2])
AC_DEFINE([ENABLE_SK_INTERNAL], [], AC_DEFINE([ENABLE_SK_INTERNAL], [],
[Enable for built-in U2F/FIDO support]) [Enable for built-in U2F/FIDO support])
enable_sk="built-in" enable_sk="built-in"
], [ AC_MSG_ERROR([no usable libfido2 found]) ], ], [ AC_MSG_ERROR([no usable libprivatefido2 found]) ],
[ $OTHERLIBS ] [ $OTHERLIBS ]
) )
saved_LIBS="$LIBS" saved_LIBS="$LIBS"
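Review bot: The unchanged `OTHERLIBS` line still runs `sed 's/-lfido2//'`, which no longer matches once the fallback sets `LIBFIDO2="-lprivatefido2 -lprivatecbor"`. As a result `$OTHERLIBS`, passed as the extra libraries to `AC_CHECK_LIB([privatefido2], ...)`, now carries `-lprivatefido2` itself rather than only its dependencies. The link test should still pass, but the line no longer does what it was written for; `sed 's/-lprivatefido2//'` restores the intent. The pkg-config branch above it (its condition is outside the hunk) still takes flags from whatever `libfido2` pkg-config reports while the check is hard-wired to `privatefido2`, so the flags used and the library tested can disagree on a host with a separately installed libfido2. A short comment that this local patch expects the fallback branch would make that explicit.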


@ -12,7 +12,6 @@ configure_args="
--with-libedit --with-libedit
--with-ssl-engine --with-ssl-engine
--without-xauth --without-xauth
--without-security-key-builtin
" "
set -e set -e
@ -34,11 +33,28 @@ sh configure $configure_args --with-kerberos5=/usr
mv config.log config.log.kerberos5 mv config.log config.log.kerberos5
mv config.h config.h.kerberos5 mv config.h config.h.kerberos5
# Generate config.h without krb5 # Generate config.h with built-in security key support
sh configure $configure_args --without-kerberos5 #
# We install libcbor and libfido2 as PRIVATELIB, so the headers are not
# available for configure - add their paths via CFLAGS as a slight hack.
# configure.ac is also patched to specify -lprivatecbor and -lprivatefido2
# rather than -lcbor and -lfido2.
export CFLAGS="-I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src"
sh configure $configure_args --with-security-key-builtin
unset CFLAGS
mv config.log config.log.sk-builtin
mv config.h config.h.sk-builtin
# Generate config.h without krb5 or SK support
sh configure $configure_args --without-kerberos5 --without-security-key-builtin
# Extract the difference # Extract the difference
echo '/* $Free''BSD$ */' > krb5_config.h echo '/* $Free''BSD$ */' > krb5_config.h
diff -u config.h.kerberos5 config.h | diff -u config.h.kerberos5 config.h |
sed -n '/^-#define/s/^-//p' | sed -n '/^-#define/s/^-//p' |
grep -Ff /dev/stdin config.h.kerberos5 >> krb5_config.h grep -Ff /dev/stdin config.h.kerberos5 >> krb5_config.h
# Extract the difference - SK
diff -u config.h.sk-builtin config.h |
sed -n '/^-#define/s/^-//p' |
grep -Ff /dev/stdin config.h.sk-builtin > sk_config.h
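Review bot: The `export CFLAGS=...` / `unset CFLAGS` pair around the security-key run discards any CFLAGS the caller had set. The final `--without-kerberos5 --without-security-key-builtin` run, whose config.h is the baseline for both diffs, can therefore see a different environment from the kerberos5 run earlier in the script. Scoping the variable to the one command avoids that and makes the `unset` unnecessary: `CFLAGS="$CFLAGS -I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src" sh configure $configure_args --with-security-key-builtin`. `$openssh` is set outside the lines shown, so it is worth confirming it is always non-empty here; otherwise the `-I` paths resolve relative to `/`. Separately, `sk_config.h` is written with `>` and no `$FreeBSD$` header line, unlike `krb5_config.h`; if that is deliberate, a one-line comment saying so would help.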