From: djm Date: Thu, 11 Jan 2024 01:45:36 +0000 (+0000) Subject: make DSA key support compile-time optional, defaulting to on X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=52113de99a8171d607363c5c4a599017934bb755;p=openbsd make DSA key support compile-time optional, defaulting to on ok markus@ --- diff --git a/usr.bin/ssh/Makefile.inc b/usr.bin/ssh/Makefile.inc index f5ea22530fa..84487e7c942 100644 --- a/usr.bin/ssh/Makefile.inc +++ b/usr.bin/ssh/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.88 2023/01/15 23:05:32 djm Exp $ +# $OpenBSD: Makefile.inc,v 1.89 2024/01/11 01:45:36 djm Exp $ .include @@ -34,6 +34,7 @@ WARNINGS=yes OPENSSL?= yes ZLIB?= yes +DSAKEY?= yes .if (${OPENSSL:L} == "yes") CFLAGS+= -DWITH_OPENSSL @@ -43,6 +44,10 @@ CFLAGS+= -DWITH_OPENSSL CFLAGS+= -DWITH_ZLIB .endif +.if (${DSAKEY:L} == "yes") +CFLAGS+= -DWITH_DSA +.endif + CFLAGS+= -DENABLE_PKCS11 .ifndef NOPIC CFLAGS+= -DHAVE_DLOPEN @@ -78,10 +83,12 @@ SRCS_KEY+= cipher.c SRCS_KEY+= chacha.c SRCS_KEY+= poly1305.c .if (${OPENSSL:L} == "yes") -SRCS_KEY+= ssh-dss.c SRCS_KEY+= ssh-ecdsa.c SRCS_KEY+= ssh-ecdsa-sk.c SRCS_KEY+= ssh-rsa.c +.if (${DSAKEY:L} == "yes") +SRCS_KEY+= ssh-dss.c +.endif SRCS_KEY+= sshbuf-getput-crypto.c SRCS_KEY+= digest-openssl.c SRCS_KEY+= cipher-chachapoly-libcrypto.c diff --git a/usr.bin/ssh/readconf.c b/usr.bin/ssh/readconf.c index f6dd72511ca..b3c8d626b9b 100644 --- a/usr.bin/ssh/readconf.c +++ b/usr.bin/ssh/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.383 2023/10/12 02:18:18 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.384 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -2686,7 +2686,9 @@ fill_default_options(Options * options) add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_ED25519_SK, 0); add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0); +#ifdef WITH_DSA add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0); +#endif } if (options->escape_char == -1) options->escape_char = '~'; diff --git a/usr.bin/ssh/readconf.h b/usr.bin/ssh/readconf.h index ff7180cd0c6..b18536ab9c7 100644 --- a/usr.bin/ssh/readconf.h +++ b/usr.bin/ssh/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.154 2023/10/12 02:18:18 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.155 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen @@ -87,7 +87,7 @@ typedef struct { char *sk_provider; /* Security key provider */ int verify_host_key_dns; /* Verify host key using DNS */ - int num_identity_files; /* Number of files for RSA/DSA identities. */ + int num_identity_files; /* Number of files for identities. */ char *identity_files[SSH_MAX_IDENTITY_FILES]; int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES]; diff --git a/usr.bin/ssh/ssh-add.c b/usr.bin/ssh/ssh-add.c index a84259164d8..c98442e47c0 100644 --- a/usr.bin/ssh/ssh-add.c +++ b/usr.bin/ssh/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.171 2024/01/08 00:30:39 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.172 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -78,7 +78,9 @@ static char *default_files[] = { _PATH_SSH_CLIENT_ID_ED25519, _PATH_SSH_CLIENT_ID_ED25519_SK, _PATH_SSH_CLIENT_ID_XMSS, +#ifdef WITH_DSA _PATH_SSH_CLIENT_ID_DSA, +#endif NULL }; diff --git a/usr.bin/ssh/ssh-dss.c b/usr.bin/ssh/ssh-dss.c index 2fac7008f55..5c135b30910 100644 --- a/usr.bin/ssh/ssh-dss.c +++ b/usr.bin/ssh/ssh-dss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-dss.c,v 1.49 2023/03/05 05:34:09 dtucker Exp $ */ +/* $OpenBSD: ssh-dss.c,v 1.50 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -36,6 +36,8 @@ #define SSHKEY_INTERNAL #include "sshkey.h" +#ifdef WITH_DSA + #define INTBLOB_LEN 20 #define SIGBLOB_LEN (2*INTBLOB_LEN) @@ -445,3 +447,5 @@ const struct sshkey_impl sshkey_dsa_cert_impl = { /* .keybits = */ 0, /* .funcs = */ &sshkey_dss_funcs, }; + +#endif /* WITH_DSA */ diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 56a11a6dd13..844802650ef 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.471 2023/09/04 10:29:58 job Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.472 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -251,10 +251,12 @@ ask_filename(struct passwd *pw, const char *prompt) name = _PATH_SSH_CLIENT_ID_ED25519; else { switch (sshkey_type_from_name(key_type_name)) { +#ifdef WITH_DSA case KEY_DSA_CERT: case KEY_DSA: name = _PATH_SSH_CLIENT_ID_DSA; break; +#endif case KEY_ECDSA_CERT: case KEY_ECDSA: name = _PATH_SSH_CLIENT_ID_ECDSA; @@ -363,10 +365,12 @@ do_convert_to_pkcs8(struct sshkey *k) if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) fatal("PEM_write_RSA_PUBKEY failed"); break; +#ifdef WITH_DSA case KEY_DSA: if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; +#endif case KEY_ECDSA: if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); @@ -385,10 +389,12 @@ do_convert_to_pem(struct sshkey *k) if (!PEM_write_RSAPublicKey(stdout, k->rsa)) fatal("PEM_write_RSAPublicKey failed"); break; +#ifdef WITH_DSA case KEY_DSA: if (!PEM_write_DSA_PUBKEY(stdout, k->dsa)) fatal("PEM_write_DSA_PUBKEY failed"); break; +#endif case KEY_ECDSA: if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa)) fatal("PEM_write_EC_PUBKEY failed"); @@ -461,8 +467,10 @@ do_convert_private_ssh2(struct sshbuf *b) u_int magic, i1, i2, i3, i4; size_t slen; u_long e; +#ifdef WITH_DSA BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL; BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; +#endif BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL; @@ -490,10 +498,12 @@ do_convert_private_ssh2(struct sshbuf *b) } free(cipher); - if (strstr(type, "dsa")) { - ktype = KEY_DSA; - } else if (strstr(type, "rsa")) { + if (strstr(type, "rsa")) { ktype = KEY_RSA; +#ifdef WITH_DSA + } else if (strstr(type, "dsa")) { + ktype = KEY_DSA; +#endif } else { free(type); return NULL; @@ -503,6 +513,7 @@ do_convert_private_ssh2(struct sshbuf *b) free(type); switch (key->type) { +#ifdef WITH_DSA case KEY_DSA: if ((dsa_p = BN_new()) == NULL || (dsa_q = BN_new()) == NULL || @@ -522,6 +533,7 @@ do_convert_private_ssh2(struct sshbuf *b) fatal_f("DSA_set0_key failed"); dsa_pub_key = dsa_priv_key = NULL; /* transferred */ break; +#endif case KEY_RSA: if ((r = sshbuf_get_u8(b, &e1)) != 0 || (e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) || @@ -685,12 +697,14 @@ do_convert_from_pkcs8(struct sshkey **k, int *private) (*k)->type = KEY_RSA; (*k)->rsa = EVP_PKEY_get1_RSA(pubkey); break; +#ifdef WITH_DSA case EVP_PKEY_DSA: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); (*k)->type = KEY_DSA; (*k)->dsa = EVP_PKEY_get1_DSA(pubkey); break; +#endif case EVP_PKEY_EC: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); @@ -758,10 +772,12 @@ do_convert_from(struct passwd *pw) fprintf(stdout, "\n"); } else { switch (k->type) { +#ifdef WITH_DSA case KEY_DSA: ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL); break; +#endif case KEY_ECDSA: ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL, NULL, 0, NULL, NULL); @@ -3726,9 +3742,11 @@ main(int argc, char **argv) n += do_print_resource_record(pw, _PATH_HOST_RSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); +#ifdef WITH_DSA n += do_print_resource_record(pw, _PATH_HOST_DSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); +#endif n += do_print_resource_record(pw, _PATH_HOST_ECDSA_KEY_FILE, rr_hostname, print_generic, opts, nopts); diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c index b9586e8e4d2..825220fb178 100644 --- a/usr.bin/ssh/ssh-keyscan.c +++ b/usr.bin/ssh/ssh-keyscan.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keyscan.c,v 1.154 2023/12/20 00:06:25 jsg Exp $ */ +/* $OpenBSD: ssh-keyscan.c,v 1.155 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright 1995, 1996 by David Mazieres . * @@ -763,9 +763,11 @@ main(int argc, char **argv) int type = sshkey_type_from_name(tname); switch (type) { +#ifdef WITH_DSA case KEY_DSA: get_keytypes |= KT_DSA; break; +#endif case KEY_ECDSA: get_keytypes |= KT_ECDSA; break; diff --git a/usr.bin/ssh/ssh-keysign.c b/usr.bin/ssh/ssh-keysign.c index dc358785ede..8f36d9f16dd 100644 --- a/usr.bin/ssh/ssh-keysign.c +++ b/usr.bin/ssh/ssh-keysign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keysign.c,v 1.71 2022/08/01 11:09:26 djm Exp $ */ +/* $OpenBSD: ssh-keysign.c,v 1.72 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -192,7 +192,9 @@ main(int argc, char **argv) i = 0; /* XXX This really needs to read sshd_config for the paths */ +#ifdef WITH_DSA key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY); +#endif key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY); key_fd[i++] = open(_PATH_HOST_XMSS_KEY_FILE, O_RDONLY); diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index e6b1241ff7b..65fb522d597 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.600 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1666,11 +1666,15 @@ main(int ac, char **av) L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 0); L_CERT(_PATH_HOST_ED25519_KEY_FILE, 1); L_CERT(_PATH_HOST_RSA_KEY_FILE, 2); +#ifdef WITH_DSA L_CERT(_PATH_HOST_DSA_KEY_FILE, 3); +#endif L_PUBKEY(_PATH_HOST_ECDSA_KEY_FILE, 4); L_PUBKEY(_PATH_HOST_ED25519_KEY_FILE, 5); L_PUBKEY(_PATH_HOST_RSA_KEY_FILE, 6); +#ifdef WITH_DSA L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 7); +#endif L_CERT(_PATH_HOST_XMSS_KEY_FILE, 8); L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9); if (loaded == 0) diff --git a/usr.bin/ssh/sshconnect.c b/usr.bin/ssh/sshconnect.c index c8ee995b3cf..850372cba0d 100644 --- a/usr.bin/ssh/sshconnect.c +++ b/usr.bin/ssh/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.365 2023/11/20 02:50:00 djm Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.366 2024/01/11 01:45:36 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1557,7 +1557,9 @@ show_other_keys(struct hostkeys *hostkeys, struct sshkey *key) { int type[] = { KEY_RSA, +#ifdef WITH_DSA KEY_DSA, +#endif KEY_ECDSA, KEY_ED25519, KEY_XMSS, diff --git a/usr.bin/ssh/sshkey.c b/usr.bin/ssh/sshkey.c index 22e6ad1e032..5203cc66356 100644 --- a/usr.bin/ssh/sshkey.c +++ b/usr.bin/ssh/sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.141 2023/12/20 00:06:25 jsg Exp $ */ +/* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -108,8 +108,10 @@ extern const struct sshkey_impl sshkey_rsa_sha256_impl; extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl; extern const struct sshkey_impl sshkey_rsa_sha512_impl; extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl; +# ifdef WITH_DSA extern const struct sshkey_impl sshkey_dss_impl; extern const struct sshkey_impl sshkey_dsa_cert_impl; +# endif #endif /* WITH_OPENSSL */ #ifdef WITH_XMSS extern const struct sshkey_impl sshkey_xmss_impl; @@ -131,8 +133,10 @@ const struct sshkey_impl * const keyimpls[] = { &sshkey_ecdsa_sk_impl, &sshkey_ecdsa_sk_cert_impl, &sshkey_ecdsa_sk_webauthn_impl, +# ifdef WITH_DSA &sshkey_dss_impl, &sshkey_dsa_cert_impl, +# endif &sshkey_rsa_impl, &sshkey_rsa_cert_impl, &sshkey_rsa_sha256_impl, @@ -3197,6 +3201,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, goto out; switch (key->type) { +#ifdef WITH_DSA case KEY_DSA: if (format == SSHKEY_PRIVATE_PEM) { success = PEM_write_bio_DSAPrivateKey(bio, key->dsa, @@ -3205,6 +3210,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf, success = EVP_PKEY_set1_DSA(pkey, key->dsa); } break; +#endif case KEY_ECDSA: if (format == SSHKEY_PRIVATE_PEM) { success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa, @@ -3411,6 +3417,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, } if ((r = sshkey_check_rsa_length(prv, 0)) != 0) goto out; +#ifdef WITH_DSA } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && (type == KEY_UNSPEC || type == KEY_DSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { @@ -3421,6 +3428,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, prv->type = KEY_DSA; #ifdef DEBUG_PK DSA_print_fp(stderr, prv->dsa, 8); +#endif #endif } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC && (type == KEY_UNSPEC || type == KEY_ECDSA)) {