upstream: make DSA key support compile-time optional, defaulting to

on

ok markus@

OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
This commit is contained in:
djm@openbsd.org 2024-01-11 01:45:36 +00:00 committed by Damien Miller
parent afcc9028bf
commit 4e838120a7
No known key found for this signature in database
11 changed files with 69 additions and 16 deletions

View File

@ -2067,6 +2067,18 @@ AC_ARG_WITH([security-key-builtin],
[ enable_sk_internal=$withval ]
)
disable_ecdsa=
AC_ARG_ENABLE([dsa-keys],
[ --disable-dsa-keys disable DSA key support [no]],
[
if test "x$enableval" = "xno" ; then
disable_ecdsa=1
fi
]
)
test -z "$disable_ecdsa" &&
AC_DEFINE([WITH_DSA], [1], [Define if to enable DSA keys.])
AC_SEARCH_LIBS([dlopen], [dl])
AC_CHECK_FUNCS([dlopen])
AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.383 2023/10/12 02:18:18 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.384 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2711,7 +2711,9 @@ fill_default_options(Options * options)
add_identity_file(options, "~/",
_PATH_SSH_CLIENT_ID_ED25519_SK, 0);
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0);
#ifdef WITH_DSA
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
#endif
}
if (options->escape_char == -1)
options->escape_char = '~';

View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.154 2023/10/12 02:18:18 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.155 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -87,7 +87,7 @@ typedef struct {
char *sk_provider; /* Security key provider */
int verify_host_key_dns; /* Verify host key using DNS */
int num_identity_files; /* Number of files for RSA/DSA identities. */
int num_identity_files; /* Number of files for identities. */
char *identity_files[SSH_MAX_IDENTITY_FILES];
int identity_file_userprovided[SSH_MAX_IDENTITY_FILES];
struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-add.c,v 1.171 2024/01/08 00:30:39 djm Exp $ */
/* $OpenBSD: ssh-add.c,v 1.172 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -85,7 +85,9 @@ static char *default_files[] = {
_PATH_SSH_CLIENT_ID_ED25519,
_PATH_SSH_CLIENT_ID_ED25519_SK,
_PATH_SSH_CLIENT_ID_XMSS,
#ifdef WITH_DSA
_PATH_SSH_CLIENT_ID_DSA,
#endif
NULL
};

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-dss.c,v 1.49 2023/03/05 05:34:09 dtucker Exp $ */
/* $OpenBSD: ssh-dss.c,v 1.50 2024/01/11 01:45:36 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,7 +25,7 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#if defined(WITH_OPENSSL) && defined(WITH_DSA)
#include <sys/types.h>
@ -453,4 +453,5 @@ const struct sshkey_impl sshkey_dsa_cert_impl = {
/* .keybits = */ 0,
/* .funcs = */ &sshkey_dss_funcs,
};
#endif /* WITH_OPENSSL */
#endif /* WITH_OPENSSL && WITH_DSA */

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keygen.c,v 1.471 2023/09/04 10:29:58 job Exp $ */
/* $OpenBSD: ssh-keygen.c,v 1.472 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -262,10 +262,12 @@ ask_filename(struct passwd *pw, const char *prompt)
name = _PATH_SSH_CLIENT_ID_ED25519;
else {
switch (sshkey_type_from_name(key_type_name)) {
#ifdef WITH_DSA
case KEY_DSA_CERT:
case KEY_DSA:
name = _PATH_SSH_CLIENT_ID_DSA;
break;
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA_CERT:
case KEY_ECDSA:
@ -376,10 +378,12 @@ do_convert_to_pkcs8(struct sshkey *k)
if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))
fatal("PEM_write_RSA_PUBKEY failed");
break;
#ifdef WITH_DSA
case KEY_DSA:
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
fatal("PEM_write_DSA_PUBKEY failed");
break;
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
@ -400,10 +404,12 @@ do_convert_to_pem(struct sshkey *k)
if (!PEM_write_RSAPublicKey(stdout, k->rsa))
fatal("PEM_write_RSAPublicKey failed");
break;
#ifdef WITH_DSA
case KEY_DSA:
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
fatal("PEM_write_DSA_PUBKEY failed");
break;
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
@ -478,8 +484,10 @@ do_convert_private_ssh2(struct sshbuf *b)
u_int magic, i1, i2, i3, i4;
size_t slen;
u_long e;
#ifdef WITH_DSA
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
#endif
BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL;
@ -507,10 +515,12 @@ do_convert_private_ssh2(struct sshbuf *b)
}
free(cipher);
if (strstr(type, "dsa")) {
ktype = KEY_DSA;
} else if (strstr(type, "rsa")) {
if (strstr(type, "rsa")) {
ktype = KEY_RSA;
#ifdef WITH_DSA
} else if (strstr(type, "dsa")) {
ktype = KEY_DSA;
#endif
} else {
free(type);
return NULL;
@ -520,6 +530,7 @@ do_convert_private_ssh2(struct sshbuf *b)
free(type);
switch (key->type) {
#ifdef WITH_DSA
case KEY_DSA:
if ((dsa_p = BN_new()) == NULL ||
(dsa_q = BN_new()) == NULL ||
@ -539,6 +550,7 @@ do_convert_private_ssh2(struct sshbuf *b)
fatal_f("DSA_set0_key failed");
dsa_pub_key = dsa_priv_key = NULL; /* transferred */
break;
#endif
case KEY_RSA:
if ((r = sshbuf_get_u8(b, &e1)) != 0 ||
(e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) ||
@ -702,12 +714,14 @@ do_convert_from_pkcs8(struct sshkey **k, int *private)
(*k)->type = KEY_RSA;
(*k)->rsa = EVP_PKEY_get1_RSA(pubkey);
break;
#ifdef WITH_DSA
case EVP_PKEY_DSA:
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
fatal("sshkey_new failed");
(*k)->type = KEY_DSA;
(*k)->dsa = EVP_PKEY_get1_DSA(pubkey);
break;
#endif
#ifdef OPENSSL_HAS_ECC
case EVP_PKEY_EC:
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
@ -777,10 +791,12 @@ do_convert_from(struct passwd *pw)
fprintf(stdout, "\n");
} else {
switch (k->type) {
#ifdef WITH_DSA
case KEY_DSA:
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
NULL, 0, NULL, NULL);
break;
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL,
@ -3752,9 +3768,11 @@ main(int argc, char **argv)
n += do_print_resource_record(pw,
_PATH_HOST_RSA_KEY_FILE, rr_hostname,
print_generic, opts, nopts);
#ifdef WITH_DSA
n += do_print_resource_record(pw,
_PATH_HOST_DSA_KEY_FILE, rr_hostname,
print_generic, opts, nopts);
#endif
n += do_print_resource_record(pw,
_PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
print_generic, opts, nopts);

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keyscan.c,v 1.154 2023/12/20 00:06:25 jsg Exp $ */
/* $OpenBSD: ssh-keyscan.c,v 1.155 2024/01/11 01:45:36 djm Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@ -791,9 +791,11 @@ main(int argc, char **argv)
int type = sshkey_type_from_name(tname);
switch (type) {
#ifdef WITH_DSA
case KEY_DSA:
get_keytypes |= KT_DSA;
break;
#endif
case KEY_ECDSA:
get_keytypes |= KT_ECDSA;
break;

View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keysign.c,v 1.71 2022/08/01 11:09:26 djm Exp $ */
/* $OpenBSD: ssh-keysign.c,v 1.72 2024/01/11 01:45:36 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@ -197,7 +197,9 @@ main(int argc, char **argv)
i = 0;
/* XXX This really needs to read sshd_config for the paths */
#ifdef WITH_DSA
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
#endif
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
key_fd[i++] = open(_PATH_HOST_XMSS_KEY_FILE, O_RDONLY);

6
ssh.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
/* $OpenBSD: ssh.c,v 1.600 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1687,11 +1687,15 @@ main(int ac, char **av)
L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 0);
L_CERT(_PATH_HOST_ED25519_KEY_FILE, 1);
L_CERT(_PATH_HOST_RSA_KEY_FILE, 2);
#ifdef WITH_DSA
L_CERT(_PATH_HOST_DSA_KEY_FILE, 3);
#endif
L_PUBKEY(_PATH_HOST_ECDSA_KEY_FILE, 4);
L_PUBKEY(_PATH_HOST_ED25519_KEY_FILE, 5);
L_PUBKEY(_PATH_HOST_RSA_KEY_FILE, 6);
#ifdef WITH_DSA
L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 7);
#endif
L_CERT(_PATH_HOST_XMSS_KEY_FILE, 8);
L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9);
if (loaded == 0)

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshconnect.c,v 1.365 2023/11/20 02:50:00 djm Exp $ */
/* $OpenBSD: sshconnect.c,v 1.366 2024/01/11 01:45:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1595,7 +1595,9 @@ show_other_keys(struct hostkeys *hostkeys, struct sshkey *key)
{
int type[] = {
KEY_RSA,
#ifdef WITH_DSA
KEY_DSA,
#endif
KEY_ECDSA,
KEY_ED25519,
KEY_XMSS,

View File

@ -1,4 +1,4 @@
/* $OpenBSD: sshkey.c,v 1.141 2023/12/20 00:06:25 jsg Exp $ */
/* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@ -121,8 +121,10 @@ extern const struct sshkey_impl sshkey_rsa_sha256_impl;
extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl;
extern const struct sshkey_impl sshkey_rsa_sha512_impl;
extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
# ifdef WITH_DSA
extern const struct sshkey_impl sshkey_dss_impl;
extern const struct sshkey_impl sshkey_dsa_cert_impl;
# endif
#endif /* WITH_OPENSSL */
#ifdef WITH_XMSS
extern const struct sshkey_impl sshkey_xmss_impl;
@ -152,8 +154,10 @@ const struct sshkey_impl * const keyimpls[] = {
&sshkey_ecdsa_sk_webauthn_impl,
# endif /* ENABLE_SK */
# endif /* OPENSSL_HAS_ECC */
# ifdef WITH_DSA
&sshkey_dss_impl,
&sshkey_dsa_cert_impl,
# endif
&sshkey_rsa_impl,
&sshkey_rsa_cert_impl,
&sshkey_rsa_sha256_impl,
@ -3230,6 +3234,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
goto out;
switch (key->type) {
#ifdef WITH_DSA
case KEY_DSA:
if (format == SSHKEY_PRIVATE_PEM) {
success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
@ -3238,6 +3243,7 @@ sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *buf,
success = EVP_PKEY_set1_DSA(pkey, key->dsa);
}
break;
#endif
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
if (format == SSHKEY_PRIVATE_PEM) {
@ -3466,6 +3472,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
}
if ((r = sshkey_check_rsa_length(prv, 0)) != 0)
goto out;
#ifdef WITH_DSA
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
(type == KEY_UNSPEC || type == KEY_DSA)) {
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
@ -3477,6 +3484,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
#ifdef DEBUG_PK
DSA_print_fp(stderr, prv->dsa, 8);
#endif
#endif
#ifdef OPENSSL_HAS_ECC
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
(type == KEY_UNSPEC || type == KEY_ECDSA)) {