oasis

commit: b45c19b8f6802a82335790d0d7b973dae769e422
parent ff10d722b657d1ad3ec85d7fe125a53c8d36f085
Author: Michael Forney <mforney@mforney.org>
Date:   Thu, 14 Nov 2019 01:42:22 -0800

openssh, libfido2: Update to latest git

This enables support for ed25519-sk keys.

Support for building in sk provider is now in upstream openssh.

Diffstat:
M
pkg/libfido2/gen.lua
10
+++++-----
M
pkg/libfido2/ver
2
+-
M
pkg/openssh/README.md
6
++++--
M
pkg/openssh/config.h
1
+
M
pkg/openssh/gen.lua
10
++++++----
D
pkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch
64
----------------------------------------------------------------
M
pkg/openssh/ver
2
+-

7 files changed, 18 insertions(+), 77 deletions(-)
diff --git a/pkg/libfido2/gen.lua b/pkg/libfido2/gen.lua
@@ -7,6 +7,11 @@ cflags{
 	'-I pkg/openbsd/include',
 }
 
+pkg.hdrs = copy('$outdir/include', '$srcdir/src', {
+	'fido.h',
+	'fido/err.h',
+	'fido/param.h',
+})
 pkg.deps = {
 	'pkg/libcbor/headers',
 	'pkg/libressl/headers',
@@ -43,9 +48,4 @@ lib('libfido2.a', [[
 	$builddir/pkg/libcbor/libcbor.a
 ]])
 
-lib('libsk-libfido2.a', {
-	'tools/sk-libfido2.c',
-	'libfido2.a.d',
-})
-
 fetch 'git'
diff --git a/pkg/libfido2/ver b/pkg/libfido2/ver
@@ -1 +1 @@
-1.2.0-55-g6a628b3 r0
+1.2.0-74-g1209917 r0
diff --git a/pkg/openssh/README.md b/pkg/openssh/README.md
@@ -4,10 +4,12 @@
 Generated with
 
 	./configure \
+		--disable-pkcs11 \
 		--disable-wtmp \
+		--enable-security-key \
 		--without-pie \
-		CPPFLAGS='-I/src/oasis/out/pkg/zlib/include' \
-		LDFLAGS='-L/src/oasis/out/pkg/libressl -L/src/oasis/out/pkg/openbsd -L/src/oasis/out/pkg/zlib' \
+		CPPFLAGS='-I/src/oasis/pkg/openbsd/include -I/src/oasis/out/pkg/libfido2/include -I/src/oasis/out/pkg/zlib/include' \
+		LDFLAGS='-L/src/oasis/out/pkg/libressl -L/src/oasis/out/pkg/openbsd -L/src/oasis/out/pkg/libfido2 -L/src/oasis/out/pkg/libcbor -L/src/oasis/out/pkg/zlib' \
 		LIBS='-lcrypto -lbsd'
 
 Several changes were made:
diff --git a/pkg/openssh/config.h b/pkg/openssh/config.h
@@ -55,6 +55,7 @@
 #define DISABLE_WTMPX 1
 /* #undef ENABLE_PKCS11 */
 #define ENABLE_SK /**/
+#define ENABLE_SK_INTERNAL /**/
 /* #undef FFLUSH_NULL_BUG */
 /* #undef FILESYSTEM_NO_BACKSLASH */
 /* #undef FSID_HAS_VAL */
diff --git a/pkg/openssh/gen.lua b/pkg/openssh/gen.lua
@@ -10,12 +10,14 @@ cflags{
 	'-I $dir',
 	'-I $srcdir',
 	'-I pkg/openbsd/include',
+	'-I $builddir/pkg/libfido2/include',
 	'-I $builddir/pkg/libressl/include',
 	'-I $builddir/pkg/zlib/include',
 	'-idirafter $srcdir/openbsd-compat',
 }
 
 pkg.deps = {
+	'pkg/libfido2/headers',
 	'pkg/libressl/headers',
 	'pkg/zlib/headers',
 }
@@ -69,19 +71,19 @@ lib('libssh.a', [[
 	readpass.c ttymodes.c xmalloc.c addrmatch.c
 	atomicio.c dispatch.c mac.c misc.c utf8.c
 	monitor_fdpass.c rijndael.c ssh-dss.c ssh-ecdsa.c ssh-ecdsa-sk.c
-	ssh-rsa.c dh.c
+	ssh-ed25519-sk.c ssh-rsa.c dh.c
 	msg.c progressmeter.c dns.c entropy.c gss-genr.c umac.c umac128.c
 	ssh-pkcs11.c smult_curve25519_ref.c
 	poly1305.c chacha.c cipher-chachapoly.c
-	ssh-ed25519.c ssh-sk.c digest-openssl.c digest-libc.c hmac.c
-	sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c
+	ssh-ed25519.c ssh-sk.c sk-usbhid.c digest-openssl.c digest-libc.c
+	hmac.c sc25519.c ge25519.c fe25519.c ed25519.c verify.c hash.c
 	kex.c kexdh.c kexgex.c kexecdh.c kexc25519.c
 	kexgexc.c kexgexs.c
 	sntrup4591761.c kexsntrup4591761x25519.c kexgen.c
 	sftp-realpath.c platform-pledge.c platform-tracing.c platform-misc.c
 	libopenbsd-compat.a
 	$builddir/pkg/(libressl/libcrypto.a.d zlib/libz.a)
-	$builddir/pkg/(libfido2/libsk-libfido2.a.d)
+	$builddir/pkg/(libfido2/libfido2.a.d)
 ]])
 
 exe('ssh', [[
diff --git a/pkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch b/pkg/openssh/patch/0002-Allow-security-key-provider-to-be-built-in.patch
@@ -1,64 +0,0 @@
-From fc95498df16315eac1ebe62db51ea33b96ce6b52 Mon Sep 17 00:00:00 2001
-From: Michael Forney <mforney@mforney.org>
-Date: Sun, 3 Nov 2019 11:24:13 -0800
-Subject: [PATCH] Allow security key provider to be built-in
-
----
- ssh-sk.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/ssh-sk.c b/ssh-sk.c
-index 122a1e2b..ca16a187 100644
---- a/ssh-sk.c
-+++ b/ssh-sk.c
-@@ -84,16 +84,22 @@ sshsk_open(const char *path)
- 		error("%s: strdup failed", __func__);
- 		goto fail;
- 	}
--	if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
--		error("Security key provider %s dlopen failed: %s",
--		    path, dlerror());
--		goto fail;
--	}
--	if ((ret->sk_api_version = dlsym(ret->dlhandle,
--	    "sk_api_version")) == NULL) {
--		error("Security key provider %s dlsym(sk_api_version) "
--		    "failed: %s", path, dlerror());
--		goto fail;
-+	if (strcmp(path, "builtin") == 0) {
-+		ret->sk_api_version = sk_api_version;
-+		ret->sk_enroll = sk_enroll;
-+		ret->sk_sign = sk_sign;
-+	} else {
-+		if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
-+			error("Security key provider %s dlopen failed: %s",
-+			    path, dlerror());
-+			goto fail;
-+		}
-+		if ((ret->sk_api_version = dlsym(ret->dlhandle,
-+		    "sk_api_version")) == NULL) {
-+			error("Security key provider %s dlsym(sk_api_version) "
-+			    "failed: %s", path, dlerror());
-+			goto fail;
-+		}
- 	}
- 	version = ret->sk_api_version();
- 	debug("%s: provider %s implements version 0x%08lx", __func__,
-@@ -104,12 +110,12 @@ sshsk_open(const char *path)
- 		    (u_long)SSH_SK_VERSION_MAJOR);
- 		goto fail;
- 	}
--	if ((ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
-+	if (ret->dlhandle && (ret->sk_enroll = dlsym(ret->dlhandle, "sk_enroll")) == NULL) {
- 		error("Security key  provider %s dlsym(sk_enroll) "
- 		    "failed: %s", path, dlerror());
- 		goto fail;
- 	}
--	if ((ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
-+	if (ret->dlhandle && (ret->sk_sign = dlsym(ret->dlhandle, "sk_sign")) == NULL) {
- 		error("Security key provider %s dlsym(sk_sign) failed: %s",
- 		    path, dlerror());
- 		goto fail;
--- 
-2.23.0
-
diff --git a/pkg/openssh/ver b/pkg/openssh/ver
@@ -1 +1 @@
-8.1p1-60-gb236b27d r0
+8.1p1-117-gc63fba5e r0