summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--scard.c76
-rw-r--r--scard.h7
-rw-r--r--ssh-agent.c98
-rw-r--r--ssh-keygen.c18
-rw-r--r--ssh.c54
6 files changed, 130 insertions, 128 deletions
diff --git a/ChangeLog b/ChangeLog
index 6e63b16d7..079c7bf99 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,9 @@
28 - markus@cvs.openbsd.org 2002/03/25 09:25:06 28 - markus@cvs.openbsd.org 2002/03/25 09:25:06
29 [auth-rh-rsa.c] 29 [auth-rh-rsa.c]
30 rm bogus comment 30 rm bogus comment
31 - markus@cvs.openbsd.org 2002/03/25 17:34:27
32 [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
33 change sc_get_key to sc_get_keys and hide smartcard details in scard.c
31 34
3220020324 3520020324
33 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure 36 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@@ -8042,4 +8045,4 @@
8042 - Wrote replacements for strlcpy and mkdtemp 8045 - Wrote replacements for strlcpy and mkdtemp
8043 - Released 1.0pre1 8046 - Released 1.0pre1
8044 8047
8045$Id: ChangeLog,v 1.1986 2002/03/26 03:08:47 mouring Exp $ 8048$Id: ChangeLog,v 1.1987 2002/03/26 03:17:42 mouring Exp $
diff --git a/scard.c b/scard.c
index 9b2d77602..779106f85 100644
--- a/scard.c
+++ b/scard.c
@@ -24,9 +24,8 @@
24 24
25#include "includes.h" 25#include "includes.h"
26#ifdef SMARTCARD 26#ifdef SMARTCARD
27RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); 27RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $");
28 28
29#include <openssl/engine.h>
30#include <openssl/evp.h> 29#include <openssl/evp.h>
31#include <sectok.h> 30#include <sectok.h>
32 31
@@ -36,13 +35,17 @@ RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
36#include "readpass.h" 35#include "readpass.h"
37#include "scard.h" 36#include "scard.h"
38 37
39#ifdef OPENSSL_VERSION_NUMBER 38#if OPENSSL_VERSION_NUMBER < 0x00907000L
40#if OPENSSL_VERSION_NUMBER >= 0x00907000L 39#define USE_ENGINE
41#define RSA_get_default_openssl_method RSA_get_default_method 40#define RSA_get_default_method RSA_get_default_openssl_method
42#define DSA_get_default_openssl_method DSA_get_default_method 41#else
43#define DH_get_default_openssl_method DH_get_default_method
44#define ENGINE_set_BN_mod_exp(x,y)
45#endif 42#endif
43
44#ifdef USE_ENGINE
45#include <openssl/engine.h>
46#define sc_get_rsa sc_get_engine
47#else
48#define sc_get_rsa sc_get_rsa_method
46#endif 49#endif
47 50
48#define CLA_SSH 0x05 51#define CLA_SSH 0x05
@@ -143,8 +146,7 @@ sc_read_pubkey(Key * k)
143 n = NULL; 146 n = NULL;
144 147
145 if (sc_fd < 0) { 148 if (sc_fd < 0) {
146 status = sc_init(); 149 if (sc_init() < 0)
147 if (status < 0 )
148 goto err; 150 goto err;
149 } 151 }
150 152
@@ -317,18 +319,13 @@ sc_finish(RSA *rsa)
317 return 1; 319 return 1;
318} 320}
319 321
320
321/* engine for overloading private key operations */ 322/* engine for overloading private key operations */
322 323
323static ENGINE *smart_engine = NULL; 324static RSA_METHOD *
324static RSA_METHOD smart_rsa; 325sc_get_rsa_method(void)
325
326ENGINE *
327sc_get_engine(void)
328{ 326{
329 const RSA_METHOD *def; 327 static RSA_METHOD smart_rsa;
330 328 const RSA_METHOD *def = RSA_get_default_method();
331 def = RSA_get_default_openssl_method();
332 329
333 /* use the OpenSSL version */ 330 /* use the OpenSSL version */
334 memcpy(&smart_rsa, def, sizeof(smart_rsa)); 331 memcpy(&smart_rsa, def, sizeof(smart_rsa));
@@ -343,13 +340,22 @@ sc_get_engine(void)
343 orig_finish = def->finish; 340 orig_finish = def->finish;
344 smart_rsa.finish = sc_finish; 341 smart_rsa.finish = sc_finish;
345 342
343 return &smart_rsa;
344}
345
346#ifdef USE_ENGINE
347static ENGINE *
348sc_get_engine(void)
349{
350 static ENGINE *smart_engine = NULL;
351
346 if ((smart_engine = ENGINE_new()) == NULL) 352 if ((smart_engine = ENGINE_new()) == NULL)
347 fatal("ENGINE_new failed"); 353 fatal("ENGINE_new failed");
348 354
349 ENGINE_set_id(smart_engine, "sectok"); 355 ENGINE_set_id(smart_engine, "sectok");
350 ENGINE_set_name(smart_engine, "libsectok"); 356 ENGINE_set_name(smart_engine, "libsectok");
351 357
352 ENGINE_set_RSA(smart_engine, &smart_rsa); 358 ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
353 ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); 359 ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
354 ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); 360 ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
355 ENGINE_set_RAND(smart_engine, RAND_SSLeay()); 361 ENGINE_set_RAND(smart_engine, RAND_SSLeay());
@@ -357,6 +363,7 @@ sc_get_engine(void)
357 363
358 return smart_engine; 364 return smart_engine;
359} 365}
366#endif
360 367
361void 368void
362sc_close(void) 369sc_close(void)
@@ -367,11 +374,11 @@ sc_close(void)
367 } 374 }
368} 375}
369 376
370Key * 377Key **
371sc_get_key(const char *id, const char *pin) 378sc_get_keys(const char *id, const char *pin)
372{ 379{
373 Key *k; 380 Key *k, *n, **keys;
374 int status; 381 int status, nkeys = 2;
375 382
376 if (sc_reader_id != NULL) 383 if (sc_reader_id != NULL)
377 xfree(sc_reader_id); 384 xfree(sc_reader_id);
@@ -395,7 +402,26 @@ sc_get_key(const char *id, const char *pin)
395 key_free(k); 402 key_free(k);
396 return NULL; 403 return NULL;
397 } 404 }
398 return k; 405 keys = xmalloc((nkeys+1) * sizeof(Key *));
406
407 n = key_new(KEY_RSA1);
408 BN_copy(n->rsa->n, k->rsa->n);
409 BN_copy(n->rsa->e, k->rsa->e);
410 RSA_set_method(n->rsa, sc_get_rsa());
411 n->flags |= KEY_FLAG_EXT;
412 keys[0] = n;
413
414 n = key_new(KEY_RSA);
415 BN_copy(n->rsa->n, k->rsa->n);
416 BN_copy(n->rsa->e, k->rsa->e);
417 RSA_set_method(n->rsa, sc_get_rsa());
418 n->flags |= KEY_FLAG_EXT;
419 keys[1] = n;
420
421 keys[2] = NULL;
422
423 key_free(k);
424 return keys;
399} 425}
400 426
401#define NUM_RSA_KEY_ELEMENTS 5+1 427#define NUM_RSA_KEY_ELEMENTS 5+1
diff --git a/scard.h b/scard.h
index 465fe274b..c0aa9ed30 100644
--- a/scard.h
+++ b/scard.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $ */ 1/* $OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -24,8 +24,6 @@
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 */ 25 */
26 26
27#include <openssl/engine.h>
28
29#ifndef SCARD_H 27#ifndef SCARD_H
30#define SCARD_H 28#define SCARD_H
31 29
@@ -35,8 +33,7 @@
35#define SCARD_ERROR_NOCARD -2 33#define SCARD_ERROR_NOCARD -2
36#define SCARD_ERROR_APPLET -3 34#define SCARD_ERROR_APPLET -3
37 35
38Key *sc_get_key(const char*, const char*); 36Key **sc_get_keys(const char*, const char*);
39ENGINE *sc_get_engine(void);
40void sc_close(void); 37void sc_close(void);
41int sc_put_key(Key *, const char*); 38int sc_put_key(Key *, const char*);
42 39
diff --git a/ssh-agent.c b/ssh-agent.c
index 1874eb152..f8183b400 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -34,7 +34,7 @@
34 */ 34 */
35 35
36#include "includes.h" 36#include "includes.h"
37RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $"); 37RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $");
38 38
39#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) 39#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
40#include <sys/queue.h> 40#include <sys/queue.h>
@@ -57,7 +57,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
57#include "log.h" 57#include "log.h"
58 58
59#ifdef SMARTCARD 59#ifdef SMARTCARD
60#include <openssl/engine.h>
61#include "scard.h" 60#include "scard.h"
62#endif 61#endif
63 62
@@ -452,50 +451,39 @@ send:
452static void 451static void
453process_add_smartcard_key (SocketEntry *e) 452process_add_smartcard_key (SocketEntry *e)
454{ 453{
454 Identity *id;
455 Idtab *tab; 455 Idtab *tab;
456 Key *n = NULL, *k = NULL; 456 Key **keys, *k;
457 char *sc_reader_id = NULL, *pin; 457 char *sc_reader_id = NULL, *pin;
458 int success = 0; 458 int i, version, success = 0;
459 459
460 sc_reader_id = buffer_get_string(&e->input, NULL); 460 sc_reader_id = buffer_get_string(&e->input, NULL);
461 pin = buffer_get_string(&e->input, NULL); 461 pin = buffer_get_string(&e->input, NULL);
462 k = sc_get_key(sc_reader_id, pin); 462 keys = sc_get_keys(sc_reader_id, pin);
463 xfree(sc_reader_id); 463 xfree(sc_reader_id);
464 xfree(pin); 464 xfree(pin);
465 465
466 if (k == NULL) { 466 if (keys == NULL || keys[0] == NULL) {
467 error("sc_get_pubkey failed"); 467 error("sc_get_keys failed");
468 goto send; 468 goto send;
469 } 469 }
470 success = 1; 470 for (i = 0; keys[i] != NULL; i++) {
471 471 k = keys[i];
472 tab = idtab_lookup(1); 472 version = k->type == KEY_RSA1 ? 1 : 2;
473 k->type = KEY_RSA1; 473 tab = idtab_lookup(version);
474 if (lookup_identity(k, 1) == NULL) { 474 if (lookup_identity(k, version) == NULL) {
475 Identity *id = xmalloc(sizeof(Identity)); 475 id = xmalloc(sizeof(Identity));
476 n = key_new(KEY_RSA1); 476 id->key = k;
477 BN_copy(n->rsa->n, k->rsa->n); 477 id->comment = xstrdup("smartcard key");
478 BN_copy(n->rsa->e, k->rsa->e); 478 TAILQ_INSERT_TAIL(&tab->idlist, id, next);
479 RSA_set_method(n->rsa, sc_get_engine()); 479 tab->nentries++;
480 id->key = n; 480 success = 1;
481 id->comment = xstrdup("rsa1 smartcard"); 481 } else {
482 TAILQ_INSERT_TAIL(&tab->idlist, id, next); 482 key_free(k);
483 tab->nentries++; 483 }
484 } 484 keys[i] = NULL;
485 k->type = KEY_RSA;
486 tab = idtab_lookup(2);
487 if (lookup_identity(k, 2) == NULL) {
488 Identity *id = xmalloc(sizeof(Identity));
489 n = key_new(KEY_RSA);
490 BN_copy(n->rsa->n, k->rsa->n);
491 BN_copy(n->rsa->e, k->rsa->e);
492 RSA_set_method(n->rsa, sc_get_engine());
493 id->key = n;
494 id->comment = xstrdup("rsa smartcard");
495 TAILQ_INSERT_TAIL(&tab->idlist, id, next);
496 tab->nentries++;
497 } 485 }
498 key_free(k); 486 xfree(keys);
499send: 487send:
500 buffer_put_int(&e->output, 1); 488 buffer_put_int(&e->output, 1);
501 buffer_put_char(&e->output, 489 buffer_put_char(&e->output,
@@ -505,41 +493,37 @@ send:
505static void 493static void
506process_remove_smartcard_key(SocketEntry *e) 494process_remove_smartcard_key(SocketEntry *e)
507{ 495{
508 Key *k = NULL; 496 Identity *id;
509 int success = 0; 497 Idtab *tab;
498 Key **keys, *k = NULL;
510 char *sc_reader_id = NULL, *pin; 499 char *sc_reader_id = NULL, *pin;
500 int i, version, success = 0;
511 501
512 sc_reader_id = buffer_get_string(&e->input, NULL); 502 sc_reader_id = buffer_get_string(&e->input, NULL);
513 pin = buffer_get_string(&e->input, NULL); 503 pin = buffer_get_string(&e->input, NULL);
514 k = sc_get_key(sc_reader_id, pin); 504 keys = sc_get_keys(sc_reader_id, pin);
515 xfree(sc_reader_id); 505 xfree(sc_reader_id);
516 xfree(pin); 506 xfree(pin);
517 507
518 if (k == NULL) { 508 if (keys == NULL || keys[0] == NULL) {
519 error("sc_get_pubkey failed"); 509 error("sc_get_keys failed");
520 } else { 510 goto send;
521 Identity *id; 511 }
522 k->type = KEY_RSA1; 512 for (i = 0; keys[i] != NULL; i++) {
523 id = lookup_identity(k, 1); 513 k = keys[i];
524 if (id != NULL) { 514 version = k->type == KEY_RSA1 ? 1 : 2;
525 Idtab *tab = idtab_lookup(1); 515 if ((id = lookup_identity(k, version)) != NULL) {
526 TAILQ_REMOVE(&tab->idlist, id, next); 516 tab = idtab_lookup(version);
527 free_identity(id); 517 TAILQ_REMOVE(&tab->idlist, id, next);
528 tab->nentries--; 518 tab->nentries--;
529 success = 1;
530 }
531 k->type = KEY_RSA;
532 id = lookup_identity(k, 2);
533 if (id != NULL) {
534 Idtab *tab = idtab_lookup(2);
535 TAILQ_REMOVE(&tab->idlist, id, next);
536 free_identity(id); 519 free_identity(id);
537 tab->nentries--;
538 success = 1; 520 success = 1;
539 } 521 }
540 key_free(k); 522 key_free(k);
523 keys[i] = NULL;
541 } 524 }
542 525 xfree(keys);
526send:
543 buffer_put_int(&e->output, 1); 527 buffer_put_int(&e->output, 1);
544 buffer_put_char(&e->output, 528 buffer_put_char(&e->output,
545 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); 529 success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7d3629365..1a8a73129 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
12 */ 12 */
13 13
14#include "includes.h" 14#include "includes.h"
15RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $"); 15RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $");
16 16
17#include <openssl/evp.h> 17#include <openssl/evp.h>
18#include <openssl/pem.h> 18#include <openssl/pem.h>
@@ -416,14 +416,18 @@ do_upload(struct passwd *pw, const char *sc_reader_id)
416static void 416static void
417do_download(struct passwd *pw, const char *sc_reader_id) 417do_download(struct passwd *pw, const char *sc_reader_id)
418{ 418{
419 Key *pub = NULL; 419 Key **keys = NULL;
420 int i;
420 421
421 pub = sc_get_key(sc_reader_id, NULL); 422 keys = sc_get_keys(sc_reader_id, NULL);
422 if (pub == NULL) 423 if (keys == NULL)
423 fatal("cannot read public key from smartcard"); 424 fatal("cannot read public key from smartcard");
424 key_write(pub, stdout); 425 for (i = 0; keys[i]; i++) {
425 key_free(pub); 426 key_write(keys[i], stdout);
426 fprintf(stdout, "\n"); 427 key_free(keys[i]);
428 fprintf(stdout, "\n");
429 }
430 xfree(keys);
427 exit(0); 431 exit(0);
428} 432}
429#endif /* SMARTCARD */ 433#endif /* SMARTCARD */
diff --git a/ssh.c b/ssh.c
index ae2e85480..dd926b7e7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
39 */ 39 */
40 40
41#include "includes.h" 41#include "includes.h"
42RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $"); 42RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $");
43 43
44#include <openssl/evp.h> 44#include <openssl/evp.h>
45#include <openssl/err.h> 45#include <openssl/err.h>
@@ -70,7 +70,6 @@ RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
70#include "sshtty.h" 70#include "sshtty.h"
71 71
72#ifdef SMARTCARD 72#ifdef SMARTCARD
73#include <openssl/engine.h>
74#include "scard.h" 73#include "scard.h"
75#endif 74#endif
76 75
@@ -1187,40 +1186,29 @@ static void
1187load_public_identity_files(void) 1186load_public_identity_files(void)
1188{ 1187{
1189 char *filename; 1188 char *filename;
1190 Key *public;
1191 int i = 0; 1189 int i = 0;
1192 1190 Key *public;
1193#ifdef SMARTCARD 1191#ifdef SMARTCARD
1192 Key **keys;
1193
1194 if (options.smartcard_device != NULL && 1194 if (options.smartcard_device != NULL &&
1195 options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES && 1195 options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
1196 (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) { 1196 (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
1197 Key *new; 1197 int count = 0;
1198 1198 for (i = 0; keys[i] != NULL; i++) {
1199 if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES) 1199 count++;
1200 options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2; 1200 if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES)
1201 memmove(&options.identity_files[2], &options.identity_files[0], 1201 options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1;
1202 sizeof(char *) * options.num_identity_files); 1202 memmove(&options.identity_files[1], &options.identity_files[0],
1203 options.num_identity_files += 2; 1203 sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
1204 i = 2; 1204 memmove(&options.identity_keys[1], &options.identity_keys[0],
1205 1205 sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
1206 /* XXX ssh1 vs ssh2 */ 1206 options.num_identity_files++;
1207 new = key_new(KEY_RSA); 1207 options.identity_keys[0] = keys[i];
1208 new->flags = KEY_FLAG_EXT; 1208 options.identity_files[0] = xstrdup("smartcard key");;
1209 BN_copy(new->rsa->n, public->rsa->n); 1209 }
1210 BN_copy(new->rsa->e, public->rsa->e); 1210 i = count;
1211 RSA_set_method(new->rsa, sc_get_engine()); 1211 xfree(keys);
1212 options.identity_keys[0] = new;
1213 options.identity_files[0] = xstrdup("smartcard rsa key");;
1214
1215 new = key_new(KEY_RSA1);
1216 new->flags = KEY_FLAG_EXT;
1217 BN_copy(new->rsa->n, public->rsa->n);
1218 BN_copy(new->rsa->e, public->rsa->e);
1219 RSA_set_method(new->rsa, sc_get_engine());
1220 options.identity_keys[1] = new;
1221 options.identity_files[1] = xstrdup("smartcard rsa1 key");
1222
1223 key_free(public);
1224 } 1212 }
1225#endif /* SMARTCARD */ 1213#endif /* SMARTCARD */
1226 for (; i < options.num_identity_files; i++) { 1214 for (; i < options.num_identity_files; i++) {