summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ssh-pkcs11.c45
1 files changed, 29 insertions, 16 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c36d31604..d7b3a65f0 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11.c,v 1.32 2019/01/20 23:05:52 djm Exp $ */ 1/* $OpenBSD: ssh-pkcs11.c,v 1.33 2019/01/20 23:08:24 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * Copyright (c) 2014 Pedro Martelletto. All rights reserved. 4 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -334,8 +334,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
334 CK_RV rv; 334 CK_RV rv;
335 int rval = -1; 335 int rval = -1;
336 336
337 if ((k11 = RSA_get_app_data(rsa)) == NULL) { 337 if ((k11 = RSA_get_ex_data(rsa, 0)) == NULL) {
338 error("RSA_get_app_data failed for rsa %p", rsa); 338 error("RSA_get_ex_data failed for rsa %p", rsa);
339 return (-1); 339 return (-1);
340 } 340 }
341 341
@@ -365,13 +365,35 @@ pkcs11_rsa_private_decrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
365 return (-1); 365 return (-1);
366} 366}
367 367
368static RSA_METHOD *rsa_method;
369
370static int
371pkcs11_rsa_start_wrapper(void)
372{
373 if (rsa_method != NULL)
374 return (0);
375 rsa_method = RSA_meth_dup(RSA_get_default_method());
376 if (rsa_method == NULL)
377 return (-1);
378 if (!RSA_meth_set1_name(rsa_method, "pkcs11") ||
379 !RSA_meth_set_priv_enc(rsa_method, pkcs11_rsa_private_encrypt) ||
380 !RSA_meth_set_priv_dec(rsa_method, pkcs11_rsa_private_decrypt) ||
381 !RSA_meth_set_finish(rsa_method, pkcs11_rsa_finish)) {
382 error("%s: setup pkcs11 method failed", __func__);
383 return (-1);
384 }
385 return (0);
386}
387
368/* redirect private key operations for rsa key to pkcs11 token */ 388/* redirect private key operations for rsa key to pkcs11 token */
369static int 389static int
370pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, 390pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
371 CK_ATTRIBUTE *keyid_attrib, RSA *rsa) 391 CK_ATTRIBUTE *keyid_attrib, RSA *rsa)
372{ 392{
373 struct pkcs11_key *k11; 393 struct pkcs11_key *k11;
374 const RSA_METHOD *def = RSA_get_default_method(); 394
395 if (pkcs11_rsa_start_wrapper() == -1)
396 return (-1);
375 397
376 k11 = xcalloc(1, sizeof(*k11)); 398 k11 = xcalloc(1, sizeof(*k11));
377 k11->provider = provider; 399 k11->provider = provider;
@@ -383,19 +405,10 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
383 k11->keyid = xmalloc(k11->keyid_len); 405 k11->keyid = xmalloc(k11->keyid_len);
384 memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); 406 memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
385 } 407 }
386 k11->rsa_method = RSA_meth_dup(def); 408
387 if (k11->rsa_method == NULL) 409 k11->rsa_method = rsa_method;
388 fatal("%s: RSA_meth_dup failed", __func__);
389 k11->orig_finish = RSA_meth_get_finish(def);
390 if (!RSA_meth_set1_name(k11->rsa_method, "pkcs11") ||
391 !RSA_meth_set_priv_enc(k11->rsa_method,
392 pkcs11_rsa_private_encrypt) ||
393 !RSA_meth_set_priv_dec(k11->rsa_method,
394 pkcs11_rsa_private_decrypt) ||
395 !RSA_meth_set_finish(k11->rsa_method, pkcs11_rsa_finish))
396 fatal("%s: setup pkcs11 method failed", __func__);
397 RSA_set_method(rsa, k11->rsa_method); 410 RSA_set_method(rsa, k11->rsa_method);
398 RSA_set_app_data(rsa, k11); 411 RSA_set_ex_data(rsa, 0, k11);
399 return (0); 412 return (0);
400} 413}
401 414