1 files changed, 238 insertions, 0 deletions
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
new file mode 100644
index 000000000..650c37342
--- /dev/null
+++ b/ssh-pkcs11-client.c
@@ -0,0 +1,238 @@
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
+/*
+ * Copyright (c) 2010 Markus Friedl.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "includes.h"
+#ifdef ENABLE_PKCS11
+#include <sys/types.h>
+#ifdef HAVE_SYS_TIME_H
+# include <sys/time.h>
+#endif
+#include <sys/socket.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include "pathnames.h"
+#include "xmalloc.h"
+#include "buffer.h"
+#include "log.h"
+#include "misc.h"
+#include "key.h"
+#include "authfd.h"
+#include "atomicio.h"
+#include "ssh-pkcs11.h"
+/* borrows code from sftp-server and ssh-agent */
+int fd = -1;
+pid_t pid = -1;
+static void
+send_msg(Buffer *m)
+{
+        u_char buf[4];
+        int mlen = buffer_len(m);
+        put_u32(buf, mlen);
+        if (atomicio(vwrite, fd, buf, 4) != 4 ||
+            atomicio(vwrite, fd, buffer_ptr(m),
+            buffer_len(m)) != buffer_len(m))
+                error("write to helper failed");
+        buffer_consume(m, mlen);
+}
+static int
+recv_msg(Buffer *m)
+{
+        u_int l, len;
+        u_char buf[1024];
+        if ((len = atomicio(read, fd, buf, 4)) != 4) {
+                error("read from helper failed: %u", len);
+                return (0); /* XXX */
+        }
+        len = get_u32(buf);
+        if (len > 256 * 1024)
+                fatal("response too long: %u", len);
+        /* read len bytes into m */
+        buffer_clear(m);
+        while (len > 0) {
+                l = len;
+                if (l > sizeof(buf))
+                        l = sizeof(buf);
+                if (atomicio(read, fd, buf, l) != l) {
+                        error("response from helper failed.");
+                        return (0); /* XXX */
+                }
+                buffer_append(m, buf, l);
+                len -= l;
+        }
+        return (buffer_get_char(m));
+}
+int
+pkcs11_init(int interactive)
+{
+        return (0);
+}
+void
+pkcs11_terminate(void)
+{
+        close(fd);
+}
+static int
+pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
+    int padding)
+{
+        Key key;
+        u_char *blob, *signature = NULL;
+        u_int blen, slen = 0;
+        int ret = -1;
+        Buffer msg;
+        if (padding != RSA_PKCS1_PADDING)
+                return (-1);
+        key.type = KEY_RSA;
+        key.rsa = rsa;
+        if (key_to_blob(&key, &blob, &blen) == 0)
+                return -1;
+        buffer_init(&msg);
+        buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
+        buffer_put_string(&msg, blob, blen);
+        buffer_put_string(&msg, from, flen);
+        buffer_put_int(&msg, 0);
+        xfree(blob);
+        send_msg(&msg);
+        if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
+                signature = buffer_get_string(&msg, &slen);
+                if (slen <= (u_int)RSA_size(rsa)) {
+                        memcpy(to, signature, slen);
+                        ret = slen;
+                }
+                xfree(signature);
+        }
+        return (ret);
+}
+/* redirect the private key encrypt operation to the ssh-pkcs11-helper */
+static int
+wrap_key(RSA *rsa)
+{
+        static RSA_METHOD helper_rsa;
+        memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
+        helper_rsa.name = "ssh-pkcs11-helper";
+        helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
+        RSA_set_method(rsa, &helper_rsa);
+        return (0);
+}
+static int
+pkcs11_start_helper(void)
+{
+        int pair[2];
+        if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
+                error("socketpair: %s", strerror(errno));
+                return (-1);
+        }
+        if ((pid = fork()) == -1) {
+                error("fork: %s", strerror(errno));
+                return (-1);
+        } else if (pid == 0) {
+                if ((dup2(pair[1], STDIN_FILENO) == -1) ||
+                    (dup2(pair[1], STDOUT_FILENO) == -1)) {
+                        fprintf(stderr, "dup2: %s\n", strerror(errno));
+                        _exit(1);
+                }
+                close(pair[0]);
+                close(pair[1]);
+                execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER,
+                    (char *) 0);
+                fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER,
+                    strerror(errno));
+                _exit(1);
+        }
+        close(pair[1]);
+        fd = pair[0];
+        return (0);
+}
+int
+pkcs11_add_provider(char *name, char *pin, Key ***keysp)
+{
+        Key *k;
+        int i, nkeys;
+        u_char *blob;
+        u_int blen;
+        Buffer msg;
+        if (fd < 0 && pkcs11_start_helper() < 0)
+                return (-1);
+        buffer_init(&msg);
+        buffer_put_char(&msg, SSH_AGENTC_ADD_SMARTCARD_KEY);
+        buffer_put_cstring(&msg, name);
+        buffer_put_cstring(&msg, pin);
+        send_msg(&msg);
+        buffer_clear(&msg);
+        if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
+                nkeys = buffer_get_int(&msg);
+                *keysp = xcalloc(nkeys, sizeof(Key *));
+                for (i = 0; i < nkeys; i++) {
+                        blob = buffer_get_string(&msg, &blen);
+                        xfree(buffer_get_string(&msg, NULL));
+                        k = key_from_blob(blob, blen);
+                        wrap_key(k->rsa);
+                        (*keysp)[i] = k;
+                        xfree(blob);
+                }
+        } else {
+                nkeys = -1;
+        }
+        buffer_free(&msg);
+        return (nkeys);
+}
+int
+pkcs11_del_provider(char *name)
+{
+        int ret = -1;
+        Buffer msg;
+        buffer_init(&msg);
+        buffer_put_char(&msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY);
+        buffer_put_cstring(&msg, name);
+        buffer_put_cstring(&msg, "");
+        send_msg(&msg);
+        buffer_clear(&msg);
+        if (recv_msg(&msg) == SSH_AGENT_SUCCESS)
+                ret = 0;
+        buffer_free(&msg);
+        return (ret);
+}
+#endif /* ENABLE_PKCS11 */

diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c new file mode 100644 index 000000000..650c37342 --- /dev/null +++ b/ssh-pkcs11-client.c
@@ -0,0 +1,238 @@
	1	/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
	2	/*
	3	* Copyright (c) 2010 Markus Friedl. All rights reserved.
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include "includes.h"
	19
	20	#ifdef ENABLE_PKCS11
	21
	22	#include <sys/types.h>
	23	#ifdef HAVE_SYS_TIME_H
	24	# include <sys/time.h>
	25	#endif
	26	#include <sys/socket.h>
	27
	28	#include <stdarg.h>
	29	#include <string.h>
	30	#include <unistd.h>
	31	#include <errno.h>
	32
	33	#include "pathnames.h"
	34	#include "xmalloc.h"
	35	#include "buffer.h"
	36	#include "log.h"
	37	#include "misc.h"
	38	#include "key.h"
	39	#include "authfd.h"
	40	#include "atomicio.h"
	41	#include "ssh-pkcs11.h"
	42
	43	/* borrows code from sftp-server and ssh-agent */
	44
	45	int fd = -1;
	46	pid_t pid = -1;
	47
	48	static void
	49	send_msg(Buffer *m)
	50	{
	51	u_char buf[4];
	52	int mlen = buffer_len(m);
	53
	54	put_u32(buf, mlen);
	55	if (atomicio(vwrite, fd, buf, 4) != 4 \|\|
	56	atomicio(vwrite, fd, buffer_ptr(m),
	57	buffer_len(m)) != buffer_len(m))
	58	error("write to helper failed");
	59	buffer_consume(m, mlen);
	60	}
	61
	62	static int
	63	recv_msg(Buffer *m)
	64	{
	65	u_int l, len;
	66	u_char buf[1024];
	67
	68	if ((len = atomicio(read, fd, buf, 4)) != 4) {
	69	error("read from helper failed: %u", len);
	70	return (0); /* XXX */
	71	}
	72	len = get_u32(buf);
	73	if (len > 256 * 1024)
	74	fatal("response too long: %u", len);
	75	/* read len bytes into m */
	76	buffer_clear(m);
	77	while (len > 0) {
	78	l = len;
	79	if (l > sizeof(buf))
	80	l = sizeof(buf);
	81	if (atomicio(read, fd, buf, l) != l) {
	82	error("response from helper failed.");
	83	return (0); /* XXX */
	84	}
	85	buffer_append(m, buf, l);
	86	len -= l;
	87	}
	88	return (buffer_get_char(m));
	89	}
	90
	91	int
	92	pkcs11_init(int interactive)
	93	{
	94	return (0);
	95	}
	96
	97	void
	98	pkcs11_terminate(void)
	99	{
	100	close(fd);
	101	}
	102
	103	static int
	104	pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa,
	105	int padding)
	106	{
	107	Key key;
	108	u_char blob, signature = NULL;
	109	u_int blen, slen = 0;
	110	int ret = -1;
	111	Buffer msg;
	112
	113	if (padding != RSA_PKCS1_PADDING)
	114	return (-1);
	115	key.type = KEY_RSA;
	116	key.rsa = rsa;
	117	if (key_to_blob(&key, &blob, &blen) == 0)
	118	return -1;
	119	buffer_init(&msg);
	120	buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
	121	buffer_put_string(&msg, blob, blen);
	122	buffer_put_string(&msg, from, flen);
	123	buffer_put_int(&msg, 0);
	124	xfree(blob);
	125	send_msg(&msg);
	126
	127	if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
	128	signature = buffer_get_string(&msg, &slen);
	129	if (slen <= (u_int)RSA_size(rsa)) {
	130	memcpy(to, signature, slen);
	131	ret = slen;
	132	}
	133	xfree(signature);
	134	}
	135	return (ret);
	136	}
	137
	138	/* redirect the private key encrypt operation to the ssh-pkcs11-helper */
	139	static int
	140	wrap_key(RSA *rsa)
	141	{
	142	static RSA_METHOD helper_rsa;
	143
	144	memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
	145	helper_rsa.name = "ssh-pkcs11-helper";
	146	helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
	147	RSA_set_method(rsa, &helper_rsa);
	148	return (0);
	149	}
	150
	151	static int
	152	pkcs11_start_helper(void)
	153	{
	154	int pair[2];
	155
	156	if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
	157	error("socketpair: %s", strerror(errno));
	158	return (-1);
	159	}
	160	if ((pid = fork()) == -1) {
	161	error("fork: %s", strerror(errno));
	162	return (-1);
	163	} else if (pid == 0) {
	164	if ((dup2(pair[1], STDIN_FILENO) == -1) \|\|
	165	(dup2(pair[1], STDOUT_FILENO) == -1)) {
	166	fprintf(stderr, "dup2: %s\n", strerror(errno));
	167	_exit(1);
	168	}
	169	close(pair[0]);
	170	close(pair[1]);
	171	execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER,
	172	(char *) 0);
	173	fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER,
	174	strerror(errno));
	175	_exit(1);
	176	}
	177	close(pair[1]);
	178	fd = pair[0];
	179	return (0);
	180	}
	181
	182	int
	183	pkcs11_add_provider(char name, char pin, Key ***keysp)
	184	{
	185	Key *k;
	186	int i, nkeys;
	187	u_char *blob;
	188	u_int blen;
	189	Buffer msg;
	190
	191	if (fd < 0 && pkcs11_start_helper() < 0)
	192	return (-1);
	193
	194	buffer_init(&msg);
	195	buffer_put_char(&msg, SSH_AGENTC_ADD_SMARTCARD_KEY);
	196	buffer_put_cstring(&msg, name);
	197	buffer_put_cstring(&msg, pin);
	198	send_msg(&msg);
	199	buffer_clear(&msg);
	200
	201	if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
	202	nkeys = buffer_get_int(&msg);
	203	keysp = xcalloc(nkeys, sizeof(Key ));
	204	for (i = 0; i < nkeys; i++) {
	205	blob = buffer_get_string(&msg, &blen);
	206	xfree(buffer_get_string(&msg, NULL));
	207	k = key_from_blob(blob, blen);
	208	wrap_key(k->rsa);
	209	(*keysp)[i] = k;
	210	xfree(blob);
	211	}
	212	} else {
	213	nkeys = -1;
	214	}
	215	buffer_free(&msg);
	216	return (nkeys);
	217	}
	218
	219	int
	220	pkcs11_del_provider(char *name)
	221	{
	222	int ret = -1;
	223	Buffer msg;
	224
	225	buffer_init(&msg);
	226	buffer_put_char(&msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY);
	227	buffer_put_cstring(&msg, name);
	228	buffer_put_cstring(&msg, "");
	229	send_msg(&msg);
	230	buffer_clear(&msg);
	231
	232	if (recv_msg(&msg) == SSH_AGENT_SUCCESS)
	233	ret = 0;
	234	buffer_free(&msg);
	235	return (ret);
	236	}
	237
	238	#endif /* ENABLE_PKCS11 */