[openssh-commits] [openssh] 01/01: remove a bunch of ENABLE_SK #ifdefs

git+noreply at mindrot.org git+noreply at mindrot.org
Sat Dec 14 09:24:27 AEDT 2019


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 9244990ecdcfa36bb9371058111685b05f201c1e
Author: Damien Miller <djm at mindrot.org>
Date:   Sat Dec 14 09:21:46 2019 +1100

    remove a bunch of ENABLE_SK #ifdefs
    
    The ssh-sk-helper client API gives us a nice place to disable
    security key support when it wasn't enabled at compile time,
    so we don't need to check everywhere.
    
    Also, verification of security key signatures can remain enabled
    all the time - it has no additional dependencies. So sshd can
    accept security key pubkeys in authorized_keys, etc regardless of
    the host's support for dlopen, etc.
---
 ssh-ecdsa-sk.c  | 3 ---
 ssh-keygen.c    | 4 ----
 ssh-sk-client.c | 8 ++++++++
 sshkey.c        | 4 ----
 4 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/ssh-ecdsa-sk.c b/ssh-ecdsa-sk.c
index 40f0dc8c..7a2355c1 100644
--- a/ssh-ecdsa-sk.c
+++ b/ssh-ecdsa-sk.c
@@ -29,8 +29,6 @@
 
 #include "includes.h"
 
-#ifdef ENABLE_SK
-
 #include <sys/types.h>
 
 #include <openssl/bn.h>
@@ -203,4 +201,3 @@ ssh_ecdsa_sk_verify(const struct sshkey *key,
 	free(ktype);
 	return ret;
 }
-#endif /* ENABLE_SK */
diff --git a/ssh-keygen.c b/ssh-keygen.c
index e90b85ff..24e246c0 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -3303,9 +3303,6 @@ main(int argc, char **argv)
 	switch (type) {
 	case KEY_ECDSA_SK:
 	case KEY_ED25519_SK:
-#ifndef ENABLE_SK
-		fatal("Security key support was disabled at compile time");
-#else /* ENABLE_SK */
 		if (!quiet) {
 			printf("You may need to touch your security key "
 			    "to authorize key generation.\n");
@@ -3316,7 +3313,6 @@ main(int argc, char **argv)
  		    sk_flags, NULL, &private, NULL) != 0)
  			exit(1); /* error message already printed */
 		break;
-#endif /* ENABLE_SK */
 	default:
 		if ((r = sshkey_generate(type, bits, &private)) != 0)
 			fatal("sshkey_generate failed");
diff --git a/ssh-sk-client.c b/ssh-sk-client.c
index 92ac0e7e..8a7ac97c 100644
--- a/ssh-sk-client.c
+++ b/ssh-sk-client.c
@@ -198,6 +198,10 @@ sshsk_sign(const char *provider, struct sshkey *key,
 	*sigp = NULL;
 	*lenp = 0;
 
+#ifndef ENABLE_SK
+	return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
 	if ((kbuf = sshbuf_new()) == NULL ||
 	    (req = sshbuf_new()) == NULL) {
 		r = SSH_ERR_ALLOC_FAIL;
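Review bot: The stub added to sshsk_sign returns `SSH_ERR_KEY_TYPE_UNKNOWN`, which tells the caller the key type is unrecognised even though this same commit keeps verification of these key types compiled in (see the sshkey_verify hunk). A code such as `SSH_ERR_FEATURE_UNSUPPORTED` would describe a signer disabled at compile time more accurately, and would stop an operator reading the logs from suspecting a malformed or tampered key; the identical stub in sshsk_enroll has the same issue. Since everything after the `#endif` becomes dead code when ENABLE_SK is undefined, I would also add a comment at the stub, `/* Security key support disabled at compile time; verification remains available */`. The function body starts and ends outside this hunk.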
@@ -266,6 +270,10 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
 	if (attest != NULL)
 		sshbuf_reset(attest);
 
+#ifndef ENABLE_SK
+	return SSH_ERR_KEY_TYPE_UNKNOWN;
+#endif
+
 	if (type < 0)
 		return SSH_ERR_INVALID_ARGUMENT;
 
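Review bot: With ENABLE_SK undefined, this early return in sshsk_enroll emits no diagnostic, while the ssh-keygen.c hunk of this commit removes `fatal("Security key support was disabled at compile time")` and keeps a caller that exits with `/* error message already printed */`. If that caller is sshsk_enroll (the call name is outside the visible hunk), the user is prompted to touch the security key and then gets exit status 1 with no explanation. I would report the reason at the stub, e.g. `error("Security key support was disabled at compile time");` before the return, assuming the logging header is available in this file, or have ssh-keygen print `ssh_err(r)` when the call fails. Placing the stub after the output parameters are cleared is correct; the rest of the function lies outside the hunk.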
diff --git a/sshkey.c b/sshkey.c
index 674303c3..3bab2e89 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -2760,7 +2760,6 @@ sshkey_sign(struct sshkey *key,
 	case KEY_ED25519_CERT:
 		r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
 		break;
-#ifdef ENABLE_SK
 	case KEY_ED25519_SK:
 	case KEY_ED25519_SK_CERT:
 	case KEY_ECDSA_SK_CERT:
@@ -2768,7 +2767,6 @@ sshkey_sign(struct sshkey *key,
 		r = sshsk_sign(sk_provider, key, sigp, lenp, data,
 		    datalen, compat);
 		break;
-#endif /* ENABLE_SK */
 #ifdef WITH_XMSS
 	case KEY_XMSS:
 	case KEY_XMSS_CERT:
@@ -2807,12 +2805,10 @@ sshkey_verify(const struct sshkey *key,
 	case KEY_ECDSA_CERT:
 	case KEY_ECDSA:
 		return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
-#  ifdef ENABLE_SK
 	case KEY_ECDSA_SK_CERT:
 	case KEY_ECDSA_SK:
 		return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
 		    compat, detailsp);
-#  endif /* ENABLE_SK */
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA_CERT:
 	case KEY_RSA:

-- 