Add make target for standalone sk-libfido2

Add a Makefile target for sk-libfido2, the standalone fido2 security key shared library, suitable for use with the SecurityKeyProvider option. Add a new configure option `--with-security-key-standalone` that optionally sets the shared library target sk-libfido2$(SHLIBEXT), and adds it to $(TARGETS). misc.h is required when SK_STANDALONE is defined, because of the use of `monotime_tv` in `sk_select_by_touch`. Sets the shared library extension for sk-libfido2 is by setting `SHLIBEXT` depending on the platform in configure.ac. Add the shared library to the CI builds in the `sk` target config to make sure it can compile under the same conditions as `--with-security-key-builtin`. Add a libssh-pic.a static library that compiles with `-fPIC` reusing .c.lo method in sk-dummy.so for use in the shared library sk-libfido2. Note, a separate static library libssh-pic.a is needed, since defining -DSK_STANDALONE excludes some symbols needed in sshkey.lo.
openssh · Nov 28, 2024 · ca0697a · ca0697a
1 parent 74d7084
commit ca0697a
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 3 deletions.
diff --git a/.github/configs b/.github/configs
@@ -181,7 +181,7 @@ case "$config" in
 	CONFIGFLAGS="--with-selinux"
 	;;
     sk)
-	CONFIGFLAGS="--with-security-key-builtin"
+	CONFIGFLAGS="--with-security-key-builtin --with-security-key-standalone"
         ;;
     without-openssl)
 	LIBCRYPTOFLAGS="--without-openssl"

diff --git a/.gitignore b/.gitignore
@@ -12,6 +12,8 @@ survey.sh
 **/*.o
 **/*.lo
 **/*.so
+**/*.dylib
+**/*.dll
 **/*.out
 **/*.a
 **/*.un~

diff --git a/Makefile.in b/Makefile.in
@@ -33,6 +33,7 @@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
 TEST_SHELL=@TEST_SHELL@
 BUILDDIR=@abs_top_builddir@
+SK_STANDALONE=@SK_STANDALONE@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
@@ -73,7 +74,7 @@ MKDIR_P=@MKDIR_P@
 
 .SUFFIXES: .lo
 
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) sshd-auth$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) $(SK_STANDALONE)
 
 XMSS_OBJS=\
 	ssh-xmss.o \
@@ -272,6 +273,16 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
 logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
 	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
 
+# compile libssh objects with -fPIC for use in the sk_libfido2 shared library
+LIBSSH_PIC_OBJS=$(LIBSSH_OBJS:.o=.lo)
+libssh-pic.a: $(LIBSSH_PIC_OBJS)
+	$(AR) rv $@ $(LIBSSH_PIC_OBJS)
+	$(RANLIB) $@
+
+$(SK_STANDALONE): sk-usbhid.c $(LIBCOMPAT) libssh-pic.a
+	$(CC) -o $@ -shared $(CFLAGS_NOPIE) $(CPPFLAGS) -DSK_STANDALONE $(PICFLAG) sk-usbhid.c \
+	libssh-pic.a $(LDFLAGS_NOPIE) -lopenbsd-compat $(LIBS) $(LIBFIDO2) $(CHANNELLIBS)
+
 $(MANPAGES): $(MANPAGES_IN)
 	if test "$(MANTYPE)" = "cat"; then \
 		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \

diff --git a/configure.ac b/configure.ac
@@ -614,6 +614,9 @@ SPP_MSG="no"
 # the --with-solaris-privs option and --with-sandbox=solaris).
 SOLARIS_PRIVS="no"
 
+# Default shared library extension
+SHLIBEXT=".so"
+
 # Check for some target-specific stuff
 case "$host" in
 *-*-aix*)
@@ -732,6 +735,7 @@ case "$host" in
 	# Cygwin defines optargs, optargs as declspec(dllimport) for historical
 	# reasons which cause compile warnings, so we disable those warnings.
 	OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
+	SHLIBEXT=".dll"
 	;;
 *-*-dgux*)
 	AC_DEFINE([IP_TOS_IS_BROKEN], [1],
@@ -791,6 +795,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	# cf. Apple bug 3710161 (not public, but searchable)
 	AC_DEFINE([BROKEN_POLL], [1],
 	    [System poll(2) implementation is broken])
+	SHLIBEXT=".dylib"
 	;;
 *-*-dragonfly*)
 	SSHDLIBS="$SSHDLIBS"
@@ -2079,6 +2084,12 @@ AC_ARG_WITH([security-key-builtin],
 	[ enable_sk_internal=$withval ]
 )
 
+enable_sk_standalone=
+AC_ARG_WITH([security-key-standalone],
+	[  --with-security-key-standalone build standalone sk-libfido2 SecurityKeyProvider],
+	[ enable_sk_standalone=$withval ]
+)
+
 enable_dsa=
 AC_ARG_ENABLE([dsa-keys],
 	[  --enable-dsa-keys       enable DSA key support [no]],
@@ -3316,6 +3327,16 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
 	fi
 fi
 
+# Check for standalone SecurityKeyProvider
+AC_MSG_CHECKING([whether to build standlone sk-libfido2])
+if test "x$enable_sk_standalone" = "xyes" ; then
+	AC_MSG_RESULT([yes])
+	AC_SUBST([SK_STANDALONE], [sk-libfido2$SHLIBEXT])
+else
+	AC_MSG_RESULT([no])
+	AC_SUBST([SK_STANDALONE], [""])
+fi
+
 AC_CHECK_FUNCS([ \
 	arc4random \
 	arc4random_buf \

diff --git a/sk-usbhid.c b/sk-usbhid.c
@@ -77,10 +77,11 @@
 #define FIDO_CRED_PROT_UV_OPTIONAL_WITH_ID 0
 #endif
 
+# include "misc.h"
+
 #ifndef SK_STANDALONE
 # include "log.h"
 # include "xmalloc.h"
-# include "misc.h"
 /*
  * If building as part of OpenSSH, then rename exported functions.
  * This must be done before including sk-api.h.