diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-01-20 22:51:37 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-01-21 10:54:37 +1100 |
| commit | 93f02107f44d63a016d8c23ebd2ca9205c495c48 (patch) | |
| tree | 1d8d6ca8e146c9bd325614f33a59adf7199b40c9 /ssh-pkcs11-helper.c | |
| parent | aa22c20e0c36c2fc610cfcc793b0d14079c38814 (diff) | |
upstream: add support for ECDSA keys in PKCS#11 tokens
Work by markus@ and Pedro Martelletto, feedback and ok me@
OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
Diffstat (limited to 'ssh-pkcs11-helper.c')
| -rw-r--r-- | ssh-pkcs11-helper.c | 40 |
1 files changed, 30 insertions, 10 deletions
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 6301033c5..92c6728ba 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-pkcs11-helper.c,v 1.14 2018/01/08 15:18:46 markus Exp $ */ | 1 | /* $OpenBSD: ssh-pkcs11-helper.c,v 1.15 2019/01/20 22:51:37 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -110,7 +110,7 @@ static void | |||
| 110 | process_add(void) | 110 | process_add(void) |
| 111 | { | 111 | { |
| 112 | char *name, *pin; | 112 | char *name, *pin; |
| 113 | struct sshkey **keys; | 113 | struct sshkey **keys = NULL; |
| 114 | int r, i, nkeys; | 114 | int r, i, nkeys; |
| 115 | u_char *blob; | 115 | u_char *blob; |
| 116 | size_t blen; | 116 | size_t blen; |
| @@ -139,11 +139,13 @@ process_add(void) | |||
| 139 | free(blob); | 139 | free(blob); |
| 140 | add_key(keys[i], name); | 140 | add_key(keys[i], name); |
| 141 | } | 141 | } |
| 142 | free(keys); | ||
| 143 | } else { | 142 | } else { |
| 144 | if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0) | 143 | if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0) |
| 145 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 144 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 145 | if ((r = sshbuf_put_u32(msg, -nkeys)) != 0) | ||
| 146 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
| 146 | } | 147 | } |
| 148 | free(keys); | ||
| 147 | free(pin); | 149 | free(pin); |
| 148 | free(name); | 150 | free(name); |
| 149 | send_msg(msg); | 151 | send_msg(msg); |
| @@ -192,15 +194,33 @@ process_sign(void) | |||
| 192 | else { | 194 | else { |
| 193 | if ((found = lookup_key(key)) != NULL) { | 195 | if ((found = lookup_key(key)) != NULL) { |
| 194 | #ifdef WITH_OPENSSL | 196 | #ifdef WITH_OPENSSL |
| 197 | u_int xslen; | ||
| 195 | int ret; | 198 | int ret; |
| 196 | 199 | ||
| 197 | slen = RSA_size(key->rsa); | 200 | if (key->type == KEY_RSA) { |
| 198 | signature = xmalloc(slen); | 201 | slen = RSA_size(key->rsa); |
| 199 | if ((ret = RSA_private_encrypt(dlen, data, signature, | 202 | signature = xmalloc(slen); |
| 200 | found->rsa, RSA_PKCS1_PADDING)) != -1) { | 203 | ret = RSA_private_encrypt(dlen, data, signature, |
| 201 | slen = ret; | 204 | found->rsa, RSA_PKCS1_PADDING); |
| 202 | ok = 0; | 205 | if (ret != -1) { |
| 203 | } | 206 | slen = ret; |
| 207 | ok = 0; | ||
| 208 | } | ||
| 209 | } else if (key->type == KEY_ECDSA) { | ||
| 210 | xslen = ECDSA_size(key->ecdsa); | ||
| 211 | signature = xmalloc(xslen); | ||
| 212 | /* "The parameter type is ignored." */ | ||
| 213 | ret = ECDSA_sign(-1, data, dlen, signature, | ||
| 214 | &xslen, found->ecdsa); | ||
| 215 | if (ret != 0) | ||
| 216 | ok = 0; | ||
| 217 | else | ||
| 218 | error("%s: ECDSA_sign" | ||
| 219 | " returns %d", __func__, ret); | ||
| 220 | slen = xslen; | ||
| 221 | } else | ||
| 222 | error("%s: don't know how to sign with key " | ||
| 223 | "type %d", __func__, (int)key->type); | ||
| 204 | #endif /* WITH_OPENSSL */ | 224 | #endif /* WITH_OPENSSL */ |
| 205 | } | 225 | } |
| 206 | sshkey_free(key); | 226 | sshkey_free(key); |