diff options
| author | Colin Watson <cjwatson@debian.org> | 2010-08-23 22:56:08 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2010-08-23 22:56:08 +0100 |
| commit | 31e30b835fd9695d3b6647cab4867001b092e28f (patch) | |
| tree | 138e715c25661825457c7280cd66e3f4853d474c /ssh-pkcs11.c | |
| parent | 78eedc2c60ff4718200f9271d8ee4f437da3a0c5 (diff) | |
| parent | 43094ebf14c9b16f1ea398bc5b65a7335e947288 (diff) | |
merge 5.6p1
Diffstat (limited to 'ssh-pkcs11.c')
| -rw-r--r-- | ssh-pkcs11.c | 53 |
1 files changed, 41 insertions, 12 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index f0192dcf1..286c232c7 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.4 2010/02/24 06:12:53 djm Exp $ */ | 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -187,6 +187,34 @@ pkcs11_rsa_finish(RSA *rsa) | |||
| 187 | return (rv); | 187 | return (rv); |
| 188 | } | 188 | } |
| 189 | 189 | ||
| 190 | /* find a single 'obj' for given attributes */ | ||
| 191 | static int | ||
| 192 | pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr, | ||
| 193 | CK_ULONG nattr, CK_OBJECT_HANDLE *obj) | ||
| 194 | { | ||
| 195 | CK_FUNCTION_LIST *f; | ||
| 196 | CK_SESSION_HANDLE session; | ||
| 197 | CK_ULONG nfound = 0; | ||
| 198 | CK_RV rv; | ||
| 199 | int ret = -1; | ||
| 200 | |||
| 201 | f = p->function_list; | ||
| 202 | session = p->slotinfo[slotidx].session; | ||
| 203 | if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) { | ||
| 204 | error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv); | ||
| 205 | return (-1); | ||
| 206 | } | ||
| 207 | if ((rv = f->C_FindObjects(session, obj, 1, &nfound)) != CKR_OK || | ||
| 208 | nfound != 1) { | ||
| 209 | debug("C_FindObjects failed (nfound %lu nattr %lu): %lu", | ||
| 210 | nfound, nattr, rv); | ||
| 211 | } else | ||
| 212 | ret = 0; | ||
| 213 | if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) | ||
| 214 | error("C_FindObjectsFinal failed: %lu", rv); | ||
| 215 | return (ret); | ||
| 216 | } | ||
| 217 | |||
| 190 | /* openssl callback doing the actual signing operation */ | 218 | /* openssl callback doing the actual signing operation */ |
| 191 | static int | 219 | static int |
| 192 | pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | 220 | pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, |
| @@ -196,7 +224,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | |||
| 196 | struct pkcs11_slotinfo *si; | 224 | struct pkcs11_slotinfo *si; |
| 197 | CK_FUNCTION_LIST *f; | 225 | CK_FUNCTION_LIST *f; |
| 198 | CK_OBJECT_HANDLE obj; | 226 | CK_OBJECT_HANDLE obj; |
| 199 | CK_ULONG tlen = 0, nfound = 0; | 227 | CK_ULONG tlen = 0; |
| 200 | CK_RV rv; | 228 | CK_RV rv; |
| 201 | CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; | 229 | CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; |
| 202 | CK_BBOOL true_val = CK_TRUE; | 230 | CK_BBOOL true_val = CK_TRUE; |
| @@ -247,13 +275,10 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | |||
| 247 | } | 275 | } |
| 248 | key_filter[1].pValue = k11->keyid; | 276 | key_filter[1].pValue = k11->keyid; |
| 249 | key_filter[1].ulValueLen = k11->keyid_len; | 277 | key_filter[1].ulValueLen = k11->keyid_len; |
| 250 | if ((rv = f->C_FindObjectsInit(si->session, key_filter, 3)) != CKR_OK) { | 278 | /* try to find object w/CKA_SIGN first, retry w/o */ |
| 251 | error("C_FindObjectsInit failed: %lu", rv); | 279 | if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 && |
| 252 | return (-1); | 280 | pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) { |
| 253 | } | 281 | error("cannot find private key"); |
| 254 | if ((rv = f->C_FindObjects(si->session, &obj, 1, &nfound)) != CKR_OK || | ||
| 255 | nfound != 1) { | ||
| 256 | error("C_FindObjects failed (%lu nfound): %lu", nfound, rv); | ||
| 257 | } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { | 282 | } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { |
| 258 | error("C_SignInit failed: %lu", rv); | 283 | error("C_SignInit failed: %lu", rv); |
| 259 | } else { | 284 | } else { |
| @@ -265,8 +290,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | |||
| 265 | else | 290 | else |
| 266 | error("C_Sign failed: %lu", rv); | 291 | error("C_Sign failed: %lu", rv); |
| 267 | } | 292 | } |
| 268 | if ((rv = f->C_FindObjectsFinal(si->session)) != CKR_OK) | ||
| 269 | error("C_FindObjectsFinal failed: %lu", rv); | ||
| 270 | return (rval); | 293 | return (rval); |
| 271 | } | 294 | } |
| 272 | 295 | ||
| @@ -410,7 +433,13 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, | |||
| 410 | error("C_GetAttributeValue failed: %lu", rv); | 433 | error("C_GetAttributeValue failed: %lu", rv); |
| 411 | continue; | 434 | continue; |
| 412 | } | 435 | } |
| 413 | /* allocate buffers for attributes, XXX check ulValueLen? */ | 436 | /* check that none of the attributes are zero length */ |
| 437 | if (attribs[0].ulValueLen == 0 || | ||
| 438 | attribs[1].ulValueLen == 0 || | ||
| 439 | attribs[2].ulValueLen == 0) { | ||
| 440 | continue; | ||
| 441 | } | ||
| 442 | /* allocate buffers for attributes */ | ||
| 414 | for (i = 0; i < 3; i++) | 443 | for (i = 0; i < 3; i++) |
| 415 | attribs[i].pValue = xmalloc(attribs[i].ulValueLen); | 444 | attribs[i].pValue = xmalloc(attribs[i].ulValueLen); |
| 416 | /* retrieve ID, modulus and public exponent of RSA key */ | 445 | /* retrieve ID, modulus and public exponent of RSA key */ |