diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2020-01-25 00:03:36 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2020-01-25 11:35:55 +1100 |
| commit | 89a8d4525e8edd9958ed3df60cf683551142eae0 (patch) | |
| tree | 5251d0355691f30dca76d17724dd0d2123285e6e /ssh-pkcs11-helper.c | |
| parent | a8c05c640873621681ab64d2e47a314592d5efa2 (diff) | |
upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.
based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church
feedback and ok markus@
OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
Diffstat (limited to 'ssh-pkcs11-helper.c')
| -rw-r--r-- | ssh-pkcs11-helper.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 219ce9b5d..17220d624 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-pkcs11-helper.c,v 1.21 2019/09/06 05:23:55 djm Exp $ */ | 1 | /* $OpenBSD: ssh-pkcs11-helper.c,v 1.22 2020/01/25 00:03:36 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -50,7 +50,7 @@ | |||
| 50 | 50 | ||
| 51 | struct pkcs11_keyinfo { | 51 | struct pkcs11_keyinfo { |
| 52 | struct sshkey *key; | 52 | struct sshkey *key; |
| 53 | char *providername; | 53 | char *providername, *label; |
| 54 | TAILQ_ENTRY(pkcs11_keyinfo) next; | 54 | TAILQ_ENTRY(pkcs11_keyinfo) next; |
| 55 | }; | 55 | }; |
| 56 | 56 | ||
| @@ -63,13 +63,14 @@ struct sshbuf *iqueue; | |||
| 63 | struct sshbuf *oqueue; | 63 | struct sshbuf *oqueue; |
| 64 | 64 | ||
| 65 | static void | 65 | static void |
| 66 | add_key(struct sshkey *k, char *name) | 66 | add_key(struct sshkey *k, char *name, char *label) |
| 67 | { | 67 | { |
| 68 | struct pkcs11_keyinfo *ki; | 68 | struct pkcs11_keyinfo *ki; |
| 69 | 69 | ||
| 70 | ki = xcalloc(1, sizeof(*ki)); | 70 | ki = xcalloc(1, sizeof(*ki)); |
| 71 | ki->providername = xstrdup(name); | 71 | ki->providername = xstrdup(name); |
| 72 | ki->key = k; | 72 | ki->key = k; |
| 73 | ki->label = xstrdup(label); | ||
| 73 | TAILQ_INSERT_TAIL(&pkcs11_keylist, ki, next); | 74 | TAILQ_INSERT_TAIL(&pkcs11_keylist, ki, next); |
| 74 | } | 75 | } |
| 75 | 76 | ||
| @@ -83,6 +84,7 @@ del_keys_by_name(char *name) | |||
| 83 | if (!strcmp(ki->providername, name)) { | 84 | if (!strcmp(ki->providername, name)) { |
| 84 | TAILQ_REMOVE(&pkcs11_keylist, ki, next); | 85 | TAILQ_REMOVE(&pkcs11_keylist, ki, next); |
| 85 | free(ki->providername); | 86 | free(ki->providername); |
| 87 | free(ki->label); | ||
| 86 | sshkey_free(ki->key); | 88 | sshkey_free(ki->key); |
| 87 | free(ki); | 89 | free(ki); |
| 88 | } | 90 | } |
| @@ -96,7 +98,7 @@ lookup_key(struct sshkey *k) | |||
| 96 | struct pkcs11_keyinfo *ki; | 98 | struct pkcs11_keyinfo *ki; |
| 97 | 99 | ||
| 98 | TAILQ_FOREACH(ki, &pkcs11_keylist, next) { | 100 | TAILQ_FOREACH(ki, &pkcs11_keylist, next) { |
| 99 | debug("check %p %s", ki, ki->providername); | 101 | debug("check %p %s %s", ki, ki->providername, ki->label); |
| 100 | if (sshkey_equal(k, ki->key)) | 102 | if (sshkey_equal(k, ki->key)) |
| 101 | return (ki->key); | 103 | return (ki->key); |
| 102 | } | 104 | } |
| @@ -121,13 +123,14 @@ process_add(void) | |||
| 121 | u_char *blob; | 123 | u_char *blob; |
| 122 | size_t blen; | 124 | size_t blen; |
| 123 | struct sshbuf *msg; | 125 | struct sshbuf *msg; |
| 126 | char **labels = NULL; | ||
| 124 | 127 | ||
| 125 | if ((msg = sshbuf_new()) == NULL) | 128 | if ((msg = sshbuf_new()) == NULL) |
| 126 | fatal("%s: sshbuf_new failed", __func__); | 129 | fatal("%s: sshbuf_new failed", __func__); |
| 127 | if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || | 130 | if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || |
| 128 | (r = sshbuf_get_cstring(iqueue, &pin, NULL)) != 0) | 131 | (r = sshbuf_get_cstring(iqueue, &pin, NULL)) != 0) |
| 129 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 132 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 130 | if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) { | 133 | if ((nkeys = pkcs11_add_provider(name, pin, &keys, &labels)) > 0) { |
| 131 | if ((r = sshbuf_put_u8(msg, | 134 | if ((r = sshbuf_put_u8(msg, |
| 132 | SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || | 135 | SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || |
| 133 | (r = sshbuf_put_u32(msg, nkeys)) != 0) | 136 | (r = sshbuf_put_u32(msg, nkeys)) != 0) |
| @@ -139,11 +142,12 @@ process_add(void) | |||
| 139 | continue; | 142 | continue; |
| 140 | } | 143 | } |
| 141 | if ((r = sshbuf_put_string(msg, blob, blen)) != 0 || | 144 | if ((r = sshbuf_put_string(msg, blob, blen)) != 0 || |
| 142 | (r = sshbuf_put_cstring(msg, name)) != 0) | 145 | (r = sshbuf_put_cstring(msg, labels[i])) != 0) |
| 143 | fatal("%s: buffer error: %s", | 146 | fatal("%s: buffer error: %s", |
| 144 | __func__, ssh_err(r)); | 147 | __func__, ssh_err(r)); |
| 145 | free(blob); | 148 | free(blob); |
| 146 | add_key(keys[i], name); | 149 | add_key(keys[i], name, labels[i]); |
| 150 | free(labels[i]); | ||
| 147 | } | 151 | } |
| 148 | } else { | 152 | } else { |
| 149 | if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0) | 153 | if ((r = sshbuf_put_u8(msg, SSH_AGENT_FAILURE)) != 0) |
| @@ -151,7 +155,8 @@ process_add(void) | |||
| 151 | if ((r = sshbuf_put_u32(msg, -nkeys)) != 0) | 155 | if ((r = sshbuf_put_u32(msg, -nkeys)) != 0) |
| 152 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | 156 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| 153 | } | 157 | } |
| 154 | free(keys); | 158 | free(labels); |
| 159 | free(keys); /* keys themselves are transferred to pkcs11_keylist */ | ||
| 155 | free(pin); | 160 | free(pin); |
| 156 | free(name); | 161 | free(name); |
| 157 | send_msg(msg); | 162 | send_msg(msg); |