[openssh-commits] [openssh] 02/02: upstream: unbreak WITH_OPENSSL=no builds, also allowing ed25519
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Jul 30 14:41:49 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit dc630e6d81be8aa495254839731e4f3521cf9e31
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Wed Jul 30 04:27:42 2025 +0000
upstream: unbreak WITH_OPENSSL=no builds, also allowing ed25519
keys to be used via PKCS#11 when OpenSSH is built without libcrypto.
OpenBSD-Commit-ID: ecf26fdf7591bf2c98bac5136fbc36e0b59c3fc2
---
configure.ac | 3 ---
ssh-pkcs11-helper.c | 2 +-
ssh-pkcs11.c | 31 +++++++++++++++++++------------
ssh-pkcs11.h | 6 +-----
4 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9bc664172..460ebd3b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3322,9 +3322,6 @@ AC_CHECK_DECL([OPENSSL_IS_AWSLC],
[],
[#include <openssl/base.h>]
)
-if test "x$openssl" != "xyes" ; then
- enable_pkcs11="disabled; missing libcrypto"
-fi
if test "x$ac_cv_func_dlopen" != "xyes" ; then
enable_pkcs11="disabled; missing dlopen(3)"
enable_sk="disabled; missing dlopen(3)"
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index 2d818b897..32111fef6 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.28 2025/07/24 05:44:55 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.29 2025/07/30 04:27:42 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 18e6c1ff7..5b0ce304e 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.68 2025/07/30 04:19:17 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.69 2025/07/30 04:27:42 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -35,9 +35,11 @@
#include "openbsd-compat/sys-queue.h"
#include "openbsd-compat/openssl-compat.h"
+#ifdef WITH_OPENSSL
#include <openssl/ecdsa.h>
#include <openssl/x509.h>
#include <openssl/err.h>
+#endif
#define CRYPTOKI_COMPAT
#include "pkcs11.h"
@@ -1085,6 +1087,7 @@ fail:
}
return key;
}
+#endif /* WITH_OPENSSL */
static struct sshkey *
pkcs11_fetch_ed25519_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1195,6 +1198,7 @@ pkcs11_fetch_ed25519_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
return key;
}
+#ifdef WITH_OPENSSL
static int
pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_OBJECT_HANDLE *obj, struct sshkey **keyp, char **labelp)
@@ -1397,17 +1401,6 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
*labelp = subject;
return 0;
}
-
-#if 0
-static int
-have_rsa_key(const RSA *rsa)
-{
- const BIGNUM *rsa_n, *rsa_e;
-
- RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL);
- return rsa_n != NULL && rsa_e != NULL;
-}
-#endif
#endif /* WITH_OPENSSL */
static void
@@ -1426,6 +1419,7 @@ note_key(struct pkcs11_provider *p, CK_ULONG slotidx, const char *context,
free(fp);
}
+#ifdef WITH_OPENSSL /* libcrypto needed for certificate parsing */
/*
* lookup certificates for token in slot identified by slotidx,
* add 'wrapped' public keys to the 'keysp' array and increment nkeys.
@@ -1530,6 +1524,7 @@ fail:
return (ret);
}
+#endif /* WITH_OPENSSL */
/*
* lookup public keys for token in slot identified by slotidx,
@@ -1597,6 +1592,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
label[key_attr[1].ulValueLen] = '\0';
switch (ck_key_type) {
+#ifdef WITH_OPENSSL
case CKK_RSA:
key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
break;
@@ -1605,6 +1601,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
break;
#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
case CKK_EC_EDWARDS:
key = pkcs11_fetch_ed25519_pubkey(p, slotidx, &obj);
break;
@@ -1967,7 +1964,9 @@ pkcs11_register_provider(char *provider_id, char *pin,
keyp == NULL)
continue;
pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys);
+#ifdef WITH_OPENSSL
pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys);
+#endif
if (nkeys == 0 && !p->slotinfo[i].logged_in &&
pkcs11_interactive) {
/*
@@ -1980,7 +1979,9 @@ pkcs11_register_provider(char *provider_id, char *pin,
continue;
}
pkcs11_fetch_keys(p, i, keyp, labelsp, &nkeys);
+#ifdef WITH_OPENSSL
pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys);
+#endif
}
}
@@ -2073,6 +2074,7 @@ pkcs11_sign(struct sshkey *key,
switch (key->type) {
case KEY_RSA:
case KEY_RSA_CERT:
+#ifdef WITH_OPENSSL
return pkcs11_sign_rsa(key, sigp, lenp, data, datalen,
alg, sk_provider, sk_pin, compat);
#ifdef OPENSSL_HAS_ECC
@@ -2081,6 +2083,7 @@ pkcs11_sign(struct sshkey *key,
return pkcs11_sign_ecdsa(key, sigp, lenp, data, datalen,
alg, sk_provider, sk_pin, compat);
#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
case KEY_ED25519:
case KEY_ED25519_CERT:
return pkcs11_sign_ed25519(key, sigp, lenp, data, datalen,
@@ -2240,12 +2243,16 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
key_type = -1;
}
switch (key_type) {
+#ifdef WITH_OPENSSL
case CKK_RSA:
k = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
break;
+#ifdef OPENSSL_HAS_ECC
case CKK_ECDSA:
k = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
break;
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
case CKK_EC_EDWARDS:
k = pkcs11_fetch_ed25519_pubkey(p, slotidx, &obj);
break;
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
index f3a03b6fa..d86c506c1 100644
--- a/ssh-pkcs11.h
+++ b/ssh-pkcs11.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.h,v 1.8 2025/07/24 05:44:55 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.h,v 1.9 2025/07/30 04:27:42 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@@ -45,7 +45,3 @@ struct sshkey *
/* Only available in ssh-pkcs11-client.c */
int pkcs11_make_cert(const struct sshkey *,
const struct sshkey *, struct sshkey **);
-
-#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
-#undef ENABLE_PKCS11
-#endif
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list