git: 73104d583850 - main - ssh: generate SK config file using private cbor and fido2 libs
Date: Sun, 06 Mar 2022 00:57:55 UTC
The branch main has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=73104d583850f7447ae1fe70c59a42e69d9d407c commit 73104d583850f7447ae1fe70c59a42e69d9d407c Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2022-03-01 21:39:16 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-03-06 00:57:22 +0000 ssh: generate SK config file using private cbor and fido2 libs Specify -lprivatecbor and -lprivatefido2 in OpenSSH's configure.ac, and pass -I paths to libcbor and libfido2's contrib src location. MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D34440
---
 crypto/openssh/configure.ac | 6 +++---
 crypto/openssh/freebsd-configure.sh | 22 +++++++++++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 428f3ff55a87..28a64d8f07db 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -3263,16 +3263,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" = "xyes" ; then
 LIBFIDO2=`$PKGCONFIG --libs libfido2`
 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
 else
- LIBFIDO2="-lfido2 -lcbor"
+ LIBFIDO2="-lprivatefido2 -lprivatecbor"
 fi
 OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
- AC_CHECK_LIB([fido2], [fido_init],
+ AC_CHECK_LIB([privatefido2], [fido_init],
 [
 AC_SUBST([LIBFIDO2])
 AC_DEFINE([ENABLE_SK_INTERNAL], [],
 [Enable for built-in U2F/FIDO support])
 enable_sk="built-in"
- ], [ AC_MSG_ERROR([no usable libfido2 found]) ],
+ ], [ AC_MSG_ERROR([no usable libprivatefido2 found]) ],
 [ $OTHERLIBS ]
 )
 saved_LIBS="$LIBS"
diff --git a/crypto/openssh/freebsd-configure.sh b/crypto/openssh/freebsd-configure.sh
index 4d405a0ffacb..3cde318ade58 100755
--- a/crypto/openssh/freebsd-configure.sh
+++ b/crypto/openssh/freebsd-configure.sh
@@ -12,7 +12,6 @@ configure_args="
 --with-libedit
 --with-ssl-engine
 --without-xauth
- --without-security-key-builtin
 "
 set -e
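Review bot: In the configure.ac hunk, the unchanged `OTHERLIBS` line still strips `-lfido2`, a string that no longer occurs in the new fallback value `-lprivatefido2 -lprivatecbor`, so `$OTHERLIBS` keeps the whole `LIBFIDO2` string and the library under test reaches `AC_CHECK_LIB` a second time as an "other" library. Changing the sed expression to `s/-lprivatefido2//` keeps the probe equivalent to what it was before the rename. Separately, `AC_CHECK_LIB([privatefido2], ...)` is now unconditional while the pkg-config branch in the context lines still fills `LIBFIDO2` and `CPPFLAGS` from a system `libfido2`; if pkg-config finds a separately installed copy, headers and library could come from different builds, so it may be worth forcing the private branch. The enclosing `if` starts outside the hunk, so the pkg-config condition is inferred from the visible context only.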
@@ -34,11 +33,28 @@ sh configure $configure_args --with-kerberos5=/usr
 mv config.log config.log.kerberos5
 mv config.h config.h.kerberos5
-# Generate config.h without krb5
-sh configure $configure_args --without-kerberos5
+# Generate config.h with built-in security key support
+#
+# We install libcbor and libfido2 as PRIVATELIB, so the headers are not
+# available for configure - add their paths via CFLAGS as a slight hack.
+# configure.ac is also patched to specify -lprivatecbor and -lprivatefido2
+# rather than -lcbor and -lfido2.
+export CFLAGS="-I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src"
+sh configure $configure_args --with-security-key-builtin
+unset CFLAGS
+mv config.log config.log.sk-builtin
+mv config.h config.h.sk-builtin
+
+# Generate config.h without krb5 or SK support
+sh configure $configure_args --without-kerberos5 --without-security-key-builtin
 # Extract the difference
 echo '/* $Free''BSD$ */' > krb5_config.h
 diff -u config.h.kerberos5 config.h |
 sed -n '/^-#define/s/^-//p' |
 grep -Ff /dev/stdin config.h.kerberos5 >> krb5_config.h
+
+# Extract the difference - SK
+diff -u config.h.sk-builtin config.h |
+ sed -n '/^-#define/s/^-//p' |
+ grep -Ff /dev/stdin config.h.sk-builtin > sk_config.h
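Review bot: `export CFLAGS=...` followed by `unset CFLAGS` replaces and then discards any CFLAGS the caller had exported, so the kerberos5, security-key and baseline configure runs can each see a different compiler environment, and the extracted `#define` differences may reflect that rather than the option under test. Scoping the variable to the single invocation avoids it: `CFLAGS="$CFLAGS -I$openssh/../../contrib/libcbor/src -I$openssh/../../contrib/libfido2/src" sh configure $configure_args --with-security-key-builtin`. The kerberos5 run shown in the hunk header now passes no security-key option and relies on configure's default being off; adding `--without-security-key-builtin` there too would keep SK defines out of krb5_config.h if that default ever changes. `$openssh` is defined outside the hunk, so the resolved include paths cannot be checked from here.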