summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--configure.ac1
-rw-r--r--ssh-pkcs11-client.c10
-rw-r--r--ssh-pkcs11.c10
3 files changed, 20 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index 0509c306d..a5974e372 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2973,6 +2973,7 @@ if test "x$openssl" = "xyes" ; then
2973 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ 2973 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2974 test x$enable_nistp521 = x1; then 2974 test x$enable_nistp521 = x1; then
2975 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) 2975 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2976 AC_CHECK_FUNCS([EC_KEY_METHOD_new])
2976 fi 2977 fi
2977 if test x$enable_nistp256 = x1; then 2978 if test x$enable_nistp256 = x1; then
2978 AC_DEFINE([OPENSSL_HAS_NISTP256], [1], 2979 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
index 6cecf4863..5ba33332a 100644
--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
@@ -163,6 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
163 return (ret); 163 return (ret);
164} 164}
165 165
166#ifdef HAVE_EC_KEY_METHOD_NEW
166static ECDSA_SIG * 167static ECDSA_SIG *
167ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, 168ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
168 const BIGNUM *rp, EC_KEY *ec) 169 const BIGNUM *rp, EC_KEY *ec)
@@ -219,9 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
219 sshbuf_free(msg); 220 sshbuf_free(msg);
220 return (ret); 221 return (ret);
221} 222}
223#endif /* HAVE_EC_KEY_METHOD_NEW */
222 224
223static RSA_METHOD *helper_rsa; 225static RSA_METHOD *helper_rsa;
226#ifdef HAVE_EC_KEY_METHOD_NEW
224static EC_KEY_METHOD *helper_ecdsa; 227static EC_KEY_METHOD *helper_ecdsa;
228#endif /* HAVE_EC_KEY_METHOD_NEW */
225 229
226/* redirect private key crypto operations to the ssh-pkcs11-helper */ 230/* redirect private key crypto operations to the ssh-pkcs11-helper */
227static void 231static void
@@ -229,8 +233,10 @@ wrap_key(struct sshkey *k)
229{ 233{
230 if (k->type == KEY_RSA) 234 if (k->type == KEY_RSA)
231 RSA_set_method(k->rsa, helper_rsa); 235 RSA_set_method(k->rsa, helper_rsa);
236#ifdef HAVE_EC_KEY_METHOD_NEW
232 else if (k->type == KEY_ECDSA) 237 else if (k->type == KEY_ECDSA)
233 EC_KEY_set_method(k->ecdsa, helper_ecdsa); 238 EC_KEY_set_method(k->ecdsa, helper_ecdsa);
239#endif /* HAVE_EC_KEY_METHOD_NEW */
234 else 240 else
235 fatal("%s: unknown key type", __func__); 241 fatal("%s: unknown key type", __func__);
236} 242}
@@ -238,9 +244,10 @@ wrap_key(struct sshkey *k)
238static int 244static int
239pkcs11_start_helper_methods(void) 245pkcs11_start_helper_methods(void)
240{ 246{
241 if (helper_ecdsa != NULL) 247 if (helper_rsa != NULL)
242 return (0); 248 return (0);
243 249
250#ifdef HAVE_EC_KEY_METHOD_NEW
244 int (*orig_sign)(int, const unsigned char *, int, unsigned char *, 251 int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
245 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; 252 unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
246 if (helper_ecdsa != NULL) 253 if (helper_ecdsa != NULL)
@@ -250,6 +257,7 @@ pkcs11_start_helper_methods(void)
250 return (-1); 257 return (-1);
251 EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); 258 EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
252 EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); 259 EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
260#endif /* HAVE_EC_KEY_METHOD_NEW */
253 261
254 if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) 262 if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
255 fatal("%s: RSA_meth_dup failed", __func__); 263 fatal("%s: RSA_meth_dup failed", __func__);
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index b49034952..2b65010ce 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -409,6 +409,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
409 return (0); 409 return (0);
410} 410}
411 411
412#ifdef HAVE_EC_KEY_METHOD_NEW
412/* openssl callback doing the actual signing operation */ 413/* openssl callback doing the actual signing operation */
413static ECDSA_SIG * 414static ECDSA_SIG *
414ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, 415ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
@@ -512,6 +513,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
512 513
513 return (0); 514 return (0);
514} 515}
516#endif /* HAVE_EC_KEY_METHOD_NEW */
515 517
516/* remove trailing spaces */ 518/* remove trailing spaces */
517static void 519static void
@@ -582,6 +584,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
582 return (0); 584 return (0);
583} 585}
584 586
587#ifdef HAVE_EC_KEY_METHOD_NEW
585static struct sshkey * 588static struct sshkey *
586pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, 589pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
587 CK_OBJECT_HANDLE *obj) 590 CK_OBJECT_HANDLE *obj)
@@ -704,6 +707,7 @@ fail:
704 707
705 return (key); 708 return (key);
706} 709}
710#endif /* HAVE_EC_KEY_METHOD_NEW */
707 711
708static struct sshkey * 712static struct sshkey *
709pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, 713pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -808,7 +812,9 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
808 EC_KEY *ec = NULL; 812 EC_KEY *ec = NULL;
809 struct sshkey *key = NULL; 813 struct sshkey *key = NULL;
810 int i; 814 int i;
815#ifdef HAVE_EC_KEY_METHOD_NEW
811 int nid; 816 int nid;
817#endif
812 const u_char *cp; 818 const u_char *cp;
813 819
814 memset(&cert_attr, 0, sizeof(cert_attr)); 820 memset(&cert_attr, 0, sizeof(cert_attr));
@@ -890,6 +896,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
890 key->type = KEY_RSA; 896 key->type = KEY_RSA;
891 key->flags |= SSHKEY_FLAG_EXT; 897 key->flags |= SSHKEY_FLAG_EXT;
892 rsa = NULL; /* now owned by key */ 898 rsa = NULL; /* now owned by key */
899#ifdef HAVE_EC_KEY_METHOD_NEW
893 } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { 900 } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
894 if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { 901 if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
895 error("invalid x509; no ec key"); 902 error("invalid x509; no ec key");
@@ -920,6 +927,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
920 key->type = KEY_ECDSA; 927 key->type = KEY_ECDSA;
921 key->flags |= SSHKEY_FLAG_EXT; 928 key->flags |= SSHKEY_FLAG_EXT;
922 ec = NULL; /* now owned by key */ 929 ec = NULL; /* now owned by key */
930#endif /* HAVE_EC_KEY_METHOD_NEW */
923 } else 931 } else
924 error("unknown certificate key type"); 932 error("unknown certificate key type");
925 933
@@ -1103,9 +1111,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
1103 case CKK_RSA: 1111 case CKK_RSA:
1104 key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); 1112 key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
1105 break; 1113 break;
1114#ifdef HAVE_EC_KEY_METHOD_NEW
1106 case CKK_ECDSA: 1115 case CKK_ECDSA:
1107 key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); 1116 key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
1108 break; 1117 break;
1118#endif /* HAVE_EC_KEY_METHOD_NEW */
1109 default: 1119 default:
1110 /* XXX print key type? */ 1120 /* XXX print key type? */
1111 error("skipping unsupported key type"); 1121 error("skipping unsupported key type");