diff options
author | djm@openbsd.org <djm@openbsd.org> | 2018-09-13 02:08:33 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-09-13 12:12:33 +1000 |
commit | 482d23bcacdd3664f21cc82a5135f66fc598275f (patch) | |
tree | 362f697a94da0a765d1dabcfbf33370b2a4df121 /ssh-pkcs11.c | |
parent | d70d061828730a56636ab6f1f24fe4a8ccefcfc1 (diff) |
upstream: hold our collective noses and use the openssl-1.1.x API in
OpenSSH; feedback and ok tb@ jsing@ markus@
OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
Diffstat (limited to 'ssh-pkcs11.c')
-rw-r--r-- | ssh-pkcs11.c | 55 |
1 files changed, 40 insertions, 15 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 65a7b5897..c35f9415f 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c | |||
@@ -67,7 +67,7 @@ struct pkcs11_key { | |||
67 | struct pkcs11_provider *provider; | 67 | struct pkcs11_provider *provider; |
68 | CK_ULONG slotidx; | 68 | CK_ULONG slotidx; |
69 | int (*orig_finish)(RSA *rsa); | 69 | int (*orig_finish)(RSA *rsa); |
70 | RSA_METHOD rsa_method; | 70 | RSA_METHOD *rsa_method; |
71 | char *keyid; | 71 | char *keyid; |
72 | int keyid_len; | 72 | int keyid_len; |
73 | }; | 73 | }; |
@@ -182,6 +182,7 @@ pkcs11_rsa_finish(RSA *rsa) | |||
182 | rv = k11->orig_finish(rsa); | 182 | rv = k11->orig_finish(rsa); |
183 | if (k11->provider) | 183 | if (k11->provider) |
184 | pkcs11_provider_unref(k11->provider); | 184 | pkcs11_provider_unref(k11->provider); |
185 | RSA_meth_free(k11->rsa_method); | ||
185 | free(k11->keyid); | 186 | free(k11->keyid); |
186 | free(k11); | 187 | free(k11); |
187 | } | 188 | } |
@@ -326,13 +327,18 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, | |||
326 | k11->keyid = xmalloc(k11->keyid_len); | 327 | k11->keyid = xmalloc(k11->keyid_len); |
327 | memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); | 328 | memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); |
328 | } | 329 | } |
329 | k11->orig_finish = def->finish; | 330 | k11->rsa_method = RSA_meth_dup(def); |
330 | memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method)); | 331 | if (k11->rsa_method == NULL) |
331 | k11->rsa_method.name = "pkcs11"; | 332 | fatal("%s: RSA_meth_dup failed", __func__); |
332 | k11->rsa_method.rsa_priv_enc = pkcs11_rsa_private_encrypt; | 333 | k11->orig_finish = RSA_meth_get_finish(def); |
333 | k11->rsa_method.rsa_priv_dec = pkcs11_rsa_private_decrypt; | 334 | if (!RSA_meth_set1_name(k11->rsa_method, "pkcs11") || |
334 | k11->rsa_method.finish = pkcs11_rsa_finish; | 335 | !RSA_meth_set_priv_enc(k11->rsa_method, |
335 | RSA_set_method(rsa, &k11->rsa_method); | 336 | pkcs11_rsa_private_encrypt) || |
337 | !RSA_meth_set_priv_dec(k11->rsa_method, | ||
338 | pkcs11_rsa_private_decrypt) || | ||
339 | !RSA_meth_set_finish(k11->rsa_method, pkcs11_rsa_finish)) | ||
340 | fatal("%s: setup pkcs11 method failed", __func__); | ||
341 | RSA_set_method(rsa, k11->rsa_method); | ||
336 | RSA_set_app_data(rsa, k11); | 342 | RSA_set_app_data(rsa, k11); |
337 | return (0); | 343 | return (0); |
338 | } | 344 | } |
@@ -445,6 +451,15 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) | |||
445 | } | 451 | } |
446 | 452 | ||
447 | static int | 453 | static int |
454 | have_rsa_key(const RSA *rsa) | ||
455 | { | ||
456 | const BIGNUM *rsa_n, *rsa_e; | ||
457 | |||
458 | RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL); | ||
459 | return rsa_n != NULL && rsa_e != NULL; | ||
460 | } | ||
461 | |||
462 | static int | ||
448 | pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, | 463 | pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, |
449 | CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], | 464 | CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], |
450 | struct sshkey ***keysp, int *nkeys) | 465 | struct sshkey ***keysp, int *nkeys) |
@@ -512,10 +527,20 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, | |||
512 | if ((rsa = RSA_new()) == NULL) { | 527 | if ((rsa = RSA_new()) == NULL) { |
513 | error("RSA_new failed"); | 528 | error("RSA_new failed"); |
514 | } else { | 529 | } else { |
515 | rsa->n = BN_bin2bn(attribs[1].pValue, | 530 | BIGNUM *rsa_n, *rsa_e; |
531 | |||
532 | rsa_n = BN_bin2bn(attribs[1].pValue, | ||
516 | attribs[1].ulValueLen, NULL); | 533 | attribs[1].ulValueLen, NULL); |
517 | rsa->e = BN_bin2bn(attribs[2].pValue, | 534 | rsa_e = BN_bin2bn(attribs[2].pValue, |
518 | attribs[2].ulValueLen, NULL); | 535 | attribs[2].ulValueLen, NULL); |
536 | if (rsa_n != NULL && rsa_e != NULL) { | ||
537 | if (!RSA_set0_key(rsa, | ||
538 | rsa_n, rsa_e, NULL)) | ||
539 | fatal("%s: set key", __func__); | ||
540 | rsa_n = rsa_e = NULL; /* transferred */ | ||
541 | } | ||
542 | BN_free(rsa_n); | ||
543 | BN_free(rsa_e); | ||
519 | } | 544 | } |
520 | } else { | 545 | } else { |
521 | cp = attribs[2].pValue; | 546 | cp = attribs[2].pValue; |
@@ -525,16 +550,16 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, | |||
525 | == NULL) { | 550 | == NULL) { |
526 | error("d2i_X509 failed"); | 551 | error("d2i_X509 failed"); |
527 | } else if ((evp = X509_get_pubkey(x509)) == NULL || | 552 | } else if ((evp = X509_get_pubkey(x509)) == NULL || |
528 | evp->type != EVP_PKEY_RSA || | 553 | EVP_PKEY_base_id(evp) != EVP_PKEY_RSA || |
529 | evp->pkey.rsa == NULL) { | 554 | EVP_PKEY_get0_RSA(evp) == NULL) { |
530 | debug("X509_get_pubkey failed or no rsa"); | 555 | debug("X509_get_pubkey failed or no rsa"); |
531 | } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) | 556 | } else if ((rsa = RSAPublicKey_dup( |
532 | == NULL) { | 557 | EVP_PKEY_get0_RSA(evp))) == NULL) { |
533 | error("RSAPublicKey_dup"); | 558 | error("RSAPublicKey_dup"); |
534 | } | 559 | } |
535 | X509_free(x509); | 560 | X509_free(x509); |
536 | } | 561 | } |
537 | if (rsa && rsa->n && rsa->e && | 562 | if (rsa && have_rsa_key(rsa) && |
538 | pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { | 563 | pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { |
539 | if ((key = sshkey_new(KEY_UNSPEC)) == NULL) | 564 | if ((key = sshkey_new(KEY_UNSPEC)) == NULL) |
540 | fatal("sshkey_new failed"); | 565 | fatal("sshkey_new failed"); |