CVSROOT: /cvs
Module name: src
Changes by: d...@cvs.openbsd.org 2025/07/23 23:44:55
Modified files:
usr.bin/ssh/sshd: Makefile
usr.bin/ssh/ssh-keysign: Makefile
usr.bin/ssh/ssh-keyscan: Makefile
usr.bin/ssh/ssh-add: Makefile
usr.bin/ssh : sshkey.h sshkey.c sshbuf.h sshbuf-misc.c
ssh-sk-helper.c ssh-rsa.c ssh-pkcs11.h
ssh-pkcs11.c ssh-pkcs11-helper.c
ssh-pkcs11-client.c ssh-ecdsa.c
Log message:
Help OpenSSH's PKCS#11 support kick its meth habit.
The PKCS#11 code in OpenSSH used the libcrypto public key method API
(e.g. the delightfully named RSA_meth_free()) to delegate signing
operations to external keys. This had one advantage - that it was
basically transparent to callers, but also had a big disadvantage -
that we'd manually have to track the method implementations, their
state and their relationships to the underlying PKCS#11 objects.
This rips this out and replaces it with explicit delegation to
PKCS#11 code for externally hosted keys via the ssh-pkcs11-helper
subprocess. This is very similar to how we handle FIDO keys in
OpenSSH (i.e. via ssh-sk-helper). All we need to track now is a
much simpler mapping of public key -> helper subprocess.
Kicking our libcrypto meth dependency also makes it much easier
to support Ed25519 keys in PKCS#11, which will happen in a subsequent
commit.
feedback / ok tb@
