author | djm@openbsd.org <djm@openbsd.org> | 2019-01-20 22:51:37 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-01-21 10:54:37 +1100 |
commit | 93f02107f44d63a016d8c23ebd2ca9205c495c48 (patch) | |
tree | 1d8d6ca8e146c9bd325614f33a59adf7199b40c9 /ssh-pkcs11-helper.c | |
parent | aa22c20e0c36c2fc610cfcc793b0d14079c38814 (diff) |
upstream: add support for ECDSA keys in PKCS#11 tokens
Work by markus@ and Pedro Martelletto, feedback and ok me@
OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
Diffstat (limited to 'ssh-pkcs11-helper.c')
-rw-r--r-- | ssh-pkcs11-helper.c | 40 |
1 files changed, 30 insertions, 10 deletions
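--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.14 2018/01/08 15:18:46 markus Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.15 2019/01/20 22:51:37 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl. All rights reserved.
  *
@@ -110,7 +110,7 @@ static void
 process_add(void)
 {
 char *name, *pin;
-struct sshkey **keys;
+struct sshkey **keys = NULL;
 int r, i, nkeys;
 u_char *blob;
 size_t blen;
@@ -139,11 +139,13 @@ process_add(void)
 free(blob);
 add_key(keys[i], name);
 }
-free(keys);
 } else {
 if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
+if ((r = sshbuf_put_u32(msg, -nkeys)) != 0)
+fatal("%s: buffer error: %s", __func__, ssh_err(r));
 }
+free(keys);
 free(pin);
 free(name);
 send_msg(msg);
@@ -192,15 +194,33 @@ process_sign(void)
 else {
 if ((found = lookup_key(key)) != NULL) {
 #ifdef WITH_OPENSSL
+u_int xslen;
 int ret;
 
-slen = RSA_size(key->rsa);
-signature = xmalloc(slen);
-if ((ret = RSA_private_encrypt(dlen, data, signature,
-found->rsa, RSA_PKCS1_PADDING)) != -1) {
-slen = ret;
-ok = 0;
-}
+if (key->type == KEY_RSA) {
+slen = RSA_size(key->rsa);
+signature = xmalloc(slen);
+ret = RSA_private_encrypt(dlen, data, signature,
+found->rsa, RSA_PKCS1_PADDING);
+if (ret != -1) {
+slen = ret;
+ok = 0;
+}
+} else if (key->type == KEY_ECDSA) {
+xslen = ECDSA_size(key->ecdsa);
+signature = xmalloc(xslen);
+/* "The parameter type is ignored." */
+ret = ECDSA_sign(-1, data, dlen, signature,
+&xslen, found->ecdsa);
+if (ret != 0)
+ok = 0;
+else
+error("%s: ECDSA_sign"
+" returns %d", __func__, ret);
+slen = xslen;
+} else
+error("%s: don't know how to sign with key "
+"type %d", __func__, (int)key->type);
 #endif /* WITH_OPENSSL */
 }
 sshkey_free(key);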
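Review bot: The comment `/* "The parameter type is ignored." */` above the `ECDSA_sign(-1, ...)` call in the new KEY_ECDSA branch is an unattributed quotation and does not say what it refers to; I would replace it with `/* ECDSA_sign(3) ignores its first ("type") argument, so -1 is passed to make that explicit */`. The same call hands `dlen` to ECDSA_sign's `int dgstlen` parameter (as the RSA path already does for RSA_private_encrypt's `int flen`); `dlen` is declared outside the hunk, and if it is a `size_t` a guard such as `if (dlen > INT_MAX) fatal(...)` before dispatching on key type would make the narrowing explicit rather than implicit. On the ECDSA failure path `slen = xslen;` is still executed after ECDSA_sign returned 0, which appears harmless only because `ok` stays non-zero — worth confirming that the reply code after the hunk really does not send `signature`/`slen` when `ok != 0`. Both the buffer sizing (`ECDSA_size(key->ecdsa)`) and the signing (`found->ecdsa`) use different key objects, mirroring the RSA branch; a one-line comment noting that `key` and `found` carry the same public key would save the next reader a trip to lookup_key(). process_sign() starts and ends outside this hunk.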