From 7ea845e48df6d34a333ebbe79380cba0938d02a5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Feb 2010 09:21:02 +1100 Subject: - markus@cvs.openbsd.org 2010/02/08 10:50:20 [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev ` --- ssh-pkcs11.c | 544 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 544 insertions(+) create mode 100644 ssh-pkcs11.c (limited to 'ssh-pkcs11.c') diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c new file mode 100644 index 000000000..f82454329 --- /dev/null +++ b/ssh-pkcs11.c @@ -0,0 +1,544 @@ +/* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include + +#include +#include + +#define CRYPTOKI_COMPAT +#include "pkcs11.h" + +#include "log.h" +#include "misc.h" +#include "key.h" +#include "ssh-pkcs11.h" +#include "xmalloc.h" + +struct pkcs11_slotinfo { + CK_TOKEN_INFO token; + CK_SESSION_HANDLE session; + int logged_in; +}; + +struct pkcs11_provider { + char *name; + void *handle; + CK_FUNCTION_LIST *function_list; + CK_INFO info; + CK_ULONG nslots; + CK_SLOT_ID *slotlist; + struct pkcs11_slotinfo *slotinfo; + int valid; + int refcount; + TAILQ_ENTRY(pkcs11_provider) next; +}; + +TAILQ_HEAD(, pkcs11_provider) pkcs11_providers; + +struct pkcs11_key { + struct pkcs11_provider *provider; + CK_ULONG slotidx; + int (*orig_finish)(RSA *rsa); + RSA_METHOD rsa_method; + char *keyid; + int keyid_len; +}; + +int pkcs11_interactive = 0; + +int +pkcs11_init(int interactive) +{ + pkcs11_interactive = interactive; + TAILQ_INIT(&pkcs11_providers); + return (0); +} + +/* + * finalize a provider shared libarary, it's no longer usable. + * however, there might still be keys referencing this provider, + * so the actuall freeing of memory is handled by pkcs11_provider_unref(). + * this is called when a provider gets unregistered. + */ +static void +pkcs11_provider_finalize(struct pkcs11_provider *p) +{ + CK_RV rv; + CK_ULONG i; + + debug("pkcs11_provider_finalize: %p refcount %d valid %d", + p, p->refcount, p->valid); + if (!p->valid) + return; + for (i = 0; i < p->nslots; i++) { + if (p->slotinfo[i].session && + (rv = p->function_list->C_CloseSession( + p->slotinfo[i].session)) != CKR_OK) + error("C_CloseSession failed: %lu", rv); + } + if ((rv = p->function_list->C_Finalize(NULL)) != CKR_OK) + error("C_Finalize failed: %lu", rv); + p->valid = 0; + p->function_list = NULL; + dlclose(p->handle); +} + +/* + * remove a reference to the provider. + * called when a key gets destroyed or when the provider is unregistered. + */ +static void +pkcs11_provider_unref(struct pkcs11_provider *p) +{ + debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); + if (--p->refcount <= 0) { + if (p->valid) + error("pkcs11_provider_unref: %p still valid", p); + xfree(p->slotlist); + xfree(p->slotinfo); + xfree(p); + } +} + +/* unregister all providers, keys might still point to the providers */ +void +pkcs11_terminate(void) +{ + struct pkcs11_provider *p; + + while ((p = TAILQ_FIRST(&pkcs11_providers)) != NULL) { + TAILQ_REMOVE(&pkcs11_providers, p, next); + pkcs11_provider_finalize(p); + pkcs11_provider_unref(p); + } +} + +/* lookup provider by name */ +static struct pkcs11_provider * +pkcs11_provider_lookup(char *provider_id) +{ + struct pkcs11_provider *p; + + TAILQ_FOREACH(p, &pkcs11_providers, next) { + debug("check %p %s", p, p->name); + if (!strcmp(provider_id, p->name)) + return (p); + } + return (NULL); +} + +/* unregister provider by name */ +int +pkcs11_del_provider(char *provider_id) +{ + struct pkcs11_provider *p; + + if ((p = pkcs11_provider_lookup(provider_id)) != NULL) { + TAILQ_REMOVE(&pkcs11_providers, p, next); + pkcs11_provider_finalize(p); + pkcs11_provider_unref(p); + return (0); + } + return (-1); +} + +/* openssl callback for freeing an RSA key */ +static int +pkcs11_rsa_finish(RSA *rsa) +{ + struct pkcs11_key *k11; + int rv = -1; + + if ((k11 = RSA_get_app_data(rsa)) != NULL) { + if (k11->orig_finish) + rv = k11->orig_finish(rsa); + if (k11->provider) + pkcs11_provider_unref(k11->provider); + if (k11->keyid) + xfree(k11->keyid); + xfree(k11); + } + return (rv); +} + +/* openssl callback doing the actual signing operation */ +static int +pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, + int padding) +{ + struct pkcs11_key *k11; + struct pkcs11_slotinfo *si; + CK_FUNCTION_LIST *f; + CK_OBJECT_HANDLE obj; + CK_ULONG tlen = 0, nfound = 0; + CK_RV rv; + CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; + CK_BBOOL true = CK_TRUE; + CK_MECHANISM mech = { + CKM_RSA_PKCS, NULL_PTR, 0 + }; + CK_ATTRIBUTE key_filter[] = { + {CKA_CLASS, &private_key_class, sizeof(private_key_class) }, + {CKA_ID, NULL, 0}, + {CKA_SIGN, &true, sizeof(true) } + }; + char *pin, prompt[1024]; + int rval = -1; + + if ((k11 = RSA_get_app_data(rsa)) == NULL) { + error("RSA_get_app_data failed for rsa %p", rsa); + return (-1); + } + if (!k11->provider || !k11->provider->valid) { + error("no pkcs11 (valid) provider for rsa %p", rsa); + return (-1); + } + f = k11->provider->function_list; + si = &k11->provider->slotinfo[k11->slotidx]; + if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { + if (!pkcs11_interactive) { + error("need pin"); + return (-1); + } + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", + si->token.label); + pin = read_passphrase(prompt, RP_ALLOW_EOF); + if (pin == NULL) + return (-1); /* bail out */ + if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin))) + != CKR_OK) { + xfree(pin); + error("C_Login failed: %lu", rv); + return (-1); + } + xfree(pin); + si->logged_in = 1; + } + key_filter[1].pValue = k11->keyid; + key_filter[1].ulValueLen = k11->keyid_len; + if ((rv = f->C_FindObjectsInit(si->session, key_filter, 3)) != CKR_OK) { + error("C_FindObjectsInit failed: %lu", rv); + return (-1); + } + if ((rv = f->C_FindObjects(si->session, &obj, 1, &nfound)) != CKR_OK || + nfound != 1) { + error("C_FindObjects failed (%lu nfound): %lu", nfound, rv); + } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { + error("C_SignInit failed: %lu", rv); + } else { + /* XXX handle CKR_BUFFER_TOO_SMALL */ + tlen = RSA_size(rsa); + rv = f->C_Sign(si->session, (CK_BYTE *)from, flen, to, &tlen); + if (rv == CKR_OK) + rval = tlen; + else + error("C_Sign failed: %lu", rv); + } + if ((rv = f->C_FindObjectsFinal(si->session)) != CKR_OK) + error("C_FindObjectsFinal failed: %lu", rv); + return (rval); +} + +static int +pkcs11_rsa_private_decrypt(int flen, const u_char *from, u_char *to, RSA *rsa, + int padding) +{ + return (-1); +} + +/* redirect private key operations for rsa key to pkcs11 token */ +static int +pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, + CK_ATTRIBUTE *keyid_attrib, RSA *rsa) +{ + struct pkcs11_key *k11; + const RSA_METHOD *def = RSA_get_default_method(); + + k11 = xcalloc(1, sizeof(*k11)); + k11->provider = provider; + provider->refcount++; /* provider referenced by RSA key */ + k11->slotidx = slotidx; + /* identify key object on smartcard */ + k11->keyid_len = keyid_attrib->ulValueLen; + k11->keyid = xmalloc(k11->keyid_len); + memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); + k11->orig_finish = def->finish; + memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method)); + k11->rsa_method.name = "pkcs11"; + k11->rsa_method.rsa_priv_enc = pkcs11_rsa_private_encrypt; + k11->rsa_method.rsa_priv_dec = pkcs11_rsa_private_decrypt; + k11->rsa_method.finish = pkcs11_rsa_finish; + RSA_set_method(rsa, &k11->rsa_method); + RSA_set_app_data(rsa, k11); + return (0); +} + +/* remove trailing spaces */ +static void +rmspace(char *buf, size_t len) +{ + size_t i; + + if (!len) + return; + for (i = len - 1; i > 0; i--) + if (i == len - 1 || buf[i] == ' ') + buf[i] = '\0'; + else + break; +} + +/* + * open a pkcs11 session and login if required. + * if pin == NULL we delay login until key use + */ +static int +pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) +{ + CK_RV rv; + CK_FUNCTION_LIST *f; + CK_SESSION_HANDLE session; + int login_required; + + f = p->function_list; + login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED; + if (pin && login_required && !strlen(pin)) { + error("pin required"); + return (-1); + } + if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION| + CKF_SERIAL_SESSION, NULL, NULL, &session)) + != CKR_OK) { + error("C_OpenSession failed: %lu", rv); + return (-1); + } + if (login_required && pin) { + if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin))) + != CKR_OK) { + error("C_Login failed: %lu", rv); + if ((rv = f->C_CloseSession(session)) != CKR_OK) + error("C_CloseSession failed: %lu", rv); + return (-1); + } + p->slotinfo[slotidx].logged_in = 1; + } + p->slotinfo[slotidx].session = session; + return (0); +} + +/* + * lookup public keys for token in slot identified by slotidx, + * add 'wrapped' public keys to the 'keysp' array and increment nkeys. + * keysp points to an (possibly empty) array with *nkeys keys. + */ +static int +pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, + int *nkeys) +{ + Key *key; + RSA *rsa; + int i; + CK_RV rv; + CK_OBJECT_HANDLE obj; + CK_ULONG nfound; + CK_SESSION_HANDLE session; + CK_FUNCTION_LIST *f; + CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; + CK_ATTRIBUTE pubkey_filter[] = { + { CKA_CLASS, &pubkey_class, sizeof(pubkey_class) } + }; + CK_ATTRIBUTE attribs[] = { + { CKA_ID, NULL, 0 }, + { CKA_MODULUS, NULL, 0 }, + { CKA_PUBLIC_EXPONENT, NULL, 0 } + }; + + f = p->function_list; + session = p->slotinfo[slotidx].session; + /* setup a filter the looks for public keys */ + if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) { + error("C_FindObjectsInit failed: %lu", rv); + return (-1); + } + while (1) { + /* XXX 3 attributes in attribs[] */ + for (i = 0; i < 3; i++) { + attribs[i].pValue = NULL; + attribs[i].ulValueLen = 0; + } + if ((rv = f->C_FindObjects(session, &obj, 1, &nfound)) != CKR_OK + || nfound == 0) + break; + /* found a key, so figure out size of the attributes */ + if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) + != CKR_OK) { + error("C_GetAttributeValue failed: %lu", rv); + continue; + } + /* allocate buffers for attributes, XXX check ulValueLen? */ + for (i = 0; i < 3; i++) + attribs[i].pValue = xmalloc(attribs[i].ulValueLen); + /* retrieve ID, modulus and public exponent of RSA key */ + if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3)) + != CKR_OK) { + error("C_GetAttributeValue failed: %lu", rv); + } else if ((rsa = RSA_new()) == NULL) { + error("RSA_new failed"); + } else { + rsa->n = BN_bin2bn(attribs[1].pValue, + attribs[1].ulValueLen, NULL); + rsa->e = BN_bin2bn(attribs[2].pValue, + attribs[2].ulValueLen, NULL); + if (rsa->n && rsa->e && + pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) { + key = key_new(KEY_UNSPEC); + key->rsa = rsa; + key->type = KEY_RSA; + key->flags |= KEY_FLAG_EXT; + /* expand key array and add key */ + *keysp = xrealloc(*keysp, *nkeys + 1, + sizeof(Key *)); + (*keysp)[*nkeys] = key; + *nkeys = *nkeys + 1; + debug("have %d keys", *nkeys); + } else { + RSA_free(rsa); + } + } + for (i = 0; i < 3; i++) + xfree(attribs[i].pValue); + } + if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK) + error("C_FindObjectsFinal failed: %lu", rv); + return (0); +} + +/* register a new provider, fails if provider already exists */ +int +pkcs11_add_provider(char *provider_id, char *pin, Key ***keyp) +{ + int nkeys, need_finalize = 0; + struct pkcs11_provider *p = NULL; + void *handle = NULL; + CK_RV (*getfunctionlist)(CK_FUNCTION_LIST **); + CK_RV rv; + CK_FUNCTION_LIST *f = NULL; + CK_TOKEN_INFO *token; + CK_ULONG i; + + *keyp = NULL; + if (pkcs11_provider_lookup(provider_id) != NULL) { + error("provider already registered: %s", provider_id); + goto fail; + } + /* open shared pkcs11-libarary */ + if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) { + error("dlopen %s failed: %s", provider_id, dlerror()); + goto fail; + } + if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { + error("dlsym(C_GetFunctionList) failed: %s", dlerror()); + goto fail; + } + p = xcalloc(1, sizeof(*p)); + p->name = xstrdup(provider_id); + p->handle = handle; + /* setup the pkcs11 callbacks */ + if ((rv = (*getfunctionlist)(&f)) != CKR_OK) { + error("C_GetFunctionList failed: %lu", rv); + goto fail; + } + p->function_list = f; + if ((rv = f->C_Initialize(NULL)) != CKR_OK) { + error("C_Initialize failed: %lu", rv); + goto fail; + } + need_finalize = 1; + if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) { + error("C_GetInfo failed: %lu", rv); + goto fail; + } + rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); + rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); + debug("manufacturerID <%s> cryptokiVersion %d.%d" + " libraryDescription <%s> libraryVersion %d.%d", + p->info.manufacturerID, + p->info.cryptokiVersion.major, + p->info.cryptokiVersion.minor, + p->info.libraryDescription, + p->info.libraryVersion.major, + p->info.libraryVersion.minor); + if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) { + error("C_GetSlotList failed: %lu", rv); + goto fail; + } + if (p->nslots == 0) { + error("no slots"); + goto fail; + } + p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID)); + if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots)) + != CKR_OK) { + error("C_GetSlotList failed: %lu", rv); + goto fail; + } + p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo)); + p->valid = 1; + nkeys = 0; + for (i = 0; i < p->nslots; i++) { + token = &p->slotinfo[i].token; + if ((rv = f->C_GetTokenInfo(p->slotlist[i], token)) + != CKR_OK) { + error("C_GetTokenInfo failed: %lu", rv); + continue; + } + rmspace(token->label, sizeof(token->label)); + rmspace(token->manufacturerID, sizeof(token->manufacturerID)); + rmspace(token->model, sizeof(token->model)); + rmspace(token->serialNumber, sizeof(token->serialNumber)); + debug("label <%s> manufacturerID <%s> model <%s> serial <%s>" + " flags 0x%lx", + token->label, token->manufacturerID, token->model, + token->serialNumber, token->flags); + /* open session, login with pin and retrieve public keys */ + if (pkcs11_open_session(p, i, pin) == 0) + pkcs11_fetch_keys(p, i, keyp, &nkeys); + } + if (nkeys > 0) { + TAILQ_INSERT_TAIL(&pkcs11_providers, p, next); + p->refcount++; /* add to provider list */ + return (nkeys); + } + error("no keys"); + /* don't add the provider, since it does not have any keys */ +fail: + if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK) + error("C_Finalize failed: %lu", rv); + if (p) { + if (p->slotlist) + xfree(p->slotlist); + if (p->slotinfo) + xfree(p->slotinfo); + xfree(p); + } + if (handle) + dlclose(handle); + return (-1); +} -- cgit v1.2.3 From 8ad0fbd98e5ffd98c25f88881981336508ae90d7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Feb 2010 09:49:06 +1100 Subject: - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] Make it compile on OSX --- ChangeLog | 2 ++ ssh-pkcs11-client.c | 6 +++++- ssh-pkcs11-helper.c | 9 +++++++-- ssh-pkcs11.c | 12 +++++++++--- 4 files changed, 23 insertions(+), 6 deletions(-) (limited to 'ssh-pkcs11.c') diff --git a/ChangeLog b/ChangeLog index ce4ef1343..f56dad3ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,8 @@ - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c] [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] Remove obsolete smartcard support + - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] + Make it compile on OSX 20100210 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 6ffdd9364..d376153fa 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -14,8 +14,12 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include "includes.h" + #include -#include +#ifdef HAVE_SYS_TIME_H +# include +#endif #include #include diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index f9962709b..464209641 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -14,9 +14,14 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include +#include "includes.h" + #include -#include +#ifdef HAVE_SYS_TIME_H +# include +#endif + +#include "openbsd-compat/sys-queue.h" #include #include diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index f82454329..2f6c9cec8 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -14,14 +14,20 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include "includes.h" + #include -#include +#ifdef HAVE_SYS_TIME_H +# include +#endif #include #include #include #include +#include "openbsd-compat/sys-queue.h" + #define CRYPTOKI_COMPAT #include "pkcs11.h" @@ -190,14 +196,14 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, CK_ULONG tlen = 0, nfound = 0; CK_RV rv; CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; - CK_BBOOL true = CK_TRUE; + CK_BBOOL true_val = CK_TRUE; CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; CK_ATTRIBUTE key_filter[] = { {CKA_CLASS, &private_key_class, sizeof(private_key_class) }, {CKA_ID, NULL, 0}, - {CKA_SIGN, &true, sizeof(true) } + {CKA_SIGN, &true_val, sizeof(true_val) } }; char *pin, prompt[1024]; int rval = -1; -- cgit v1.2.3 From dfa4156dbd4aa45464b2ea6b867bcaa483bed134 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 12 Feb 2010 10:06:28 +1100 Subject: - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] Use ssh_get_progname to fill __progname --- ChangeLog | 2 ++ ssh-pkcs11-client.c | 4 ++++ ssh-pkcs11-helper.c | 15 +++++++++++++++ ssh-pkcs11.c | 4 ++++ 4 files changed, 25 insertions(+) (limited to 'ssh-pkcs11.c') diff --git a/ChangeLog b/ChangeLog index f56dad3ca..c5dc75262 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,8 @@ Remove obsolete smartcard support - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] Make it compile on OSX + - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] + Use ssh_get_progname to fill __progname 20100210 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index d376153fa..37050e04d 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -16,6 +16,8 @@ #include "includes.h" +#ifdef ENABLE_PKCS11 + #include #ifdef HAVE_SYS_TIME_H # include @@ -231,3 +233,5 @@ pkcs11_del_provider(char *name) buffer_free(&msg); return (ret); } + +#endif /* ENABLE_PKCS11 */ diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 464209641..3b44f7c30 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -16,6 +16,8 @@ #include "includes.h" +#ifdef ENABLE_PKCS11 + #include #ifdef HAVE_SYS_TIME_H # include @@ -277,6 +279,8 @@ main(int argc, char **argv) extern char *optarg; extern char *__progname; + __progname = ssh_get_progname(argv[0]); + log_init(__progname, log_level, log_facility, log_stderr); in = STDIN_FILENO; @@ -352,3 +356,14 @@ main(int argc, char **argv) process(); } } +#else /* ENABLE_PKCS11 */ +int +main(int argc, char **argv) +{ + extern char *__progname; + + __progname = ssh_get_progname(argv[0]); + log_init(__progname, SYSLOG_LEVEL_ERROR, SYSLOG_FACILITY_AUTH, 0); + fatal("PKCS#11 support disabled at compile time"); +} +#endif /* ENABLE_PKCS11 */ diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 2f6c9cec8..821e9f840 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -16,6 +16,8 @@ #include "includes.h" +#ifdef ENABLE_PKCS11 + #include #ifdef HAVE_SYS_TIME_H # include @@ -548,3 +550,5 @@ fail: dlclose(handle); return (-1); } + +#endif /* ENABLE_PKCS11 */ -- cgit v1.2.3 From 05abd2c96876b959f4a2f71671652064fcedda0d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 24 Feb 2010 17:16:08 +1100 Subject: - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable --- ChangeLog | 4 ++++ pkcs11.h | 1 + ssh-pkcs11-client.c | 1 + ssh-pkcs11-helper.c | 1 + ssh-pkcs11.c | 1 + ssh-pkcs11.h | 1 + 6 files changed, 9 insertions(+) (limited to 'ssh-pkcs11.c') diff --git a/ChangeLog b/ChangeLog index 83259b5fd..ac08efa4b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20100224 + - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] + [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable + 20100212 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2010/02/02 22:49:34 diff --git a/pkcs11.h b/pkcs11.h index 223f20ff3..2cde5b3f4 100644 --- a/pkcs11.h +++ b/pkcs11.h @@ -1,3 +1,4 @@ +/* $OpenBSD: pkcs11.h,v 1.2 2010/02/24 06:12:53 djm Exp $ */ /* pkcs11.h Copyright 2006, 2007 g10 Code GmbH Copyright 2006 Andreas Jellinghaus diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 37050e04d..650c37342 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -1,3 +1,4 @@ +/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index 3b44f7c30..1684ab0c2 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -1,3 +1,4 @@ +/* $OpenBSD: ssh-pkcs11-helper.c,v 1.3 2010/02/24 06:12:53 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 821e9f840..7536f92a6 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,3 +1,4 @@ +/* $OpenBSD: ssh-pkcs11.c,v 1.4 2010/02/24 06:12:53 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h index fae41a7b5..59f456adf 100644 --- a/ssh-pkcs11.h +++ b/ssh-pkcs11.h @@ -1,3 +1,4 @@ +/* $OpenBSD: ssh-pkcs11.h,v 1.2 2010/02/24 06:12:53 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * -- cgit v1.2.3 From 179eee081a560f3e10506ae3a2facdc1c766f0f6 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 4 Mar 2010 12:48:05 -0800 Subject: - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older compilers. OK djm@ --- ChangeLog | 2 ++ ssh-pkcs11.c | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'ssh-pkcs11.c') diff --git a/ChangeLog b/ChangeLog index 3f0ba4237..254575307 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ - djm@cvs.openbsd.org 2010/03/04 20:35:08 [ssh-keygen.1 ssh-keygen.c] Add a -L flag to print the contents of a certificate; ok markus@ + - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older + compilers. OK djm@ 20100304 - (djm) [ssh-keygen.c] Use correct local variable, instead of diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 7536f92a6..f0192dcf1 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -204,13 +204,18 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, CKM_RSA_PKCS, NULL_PTR, 0 }; CK_ATTRIBUTE key_filter[] = { - {CKA_CLASS, &private_key_class, sizeof(private_key_class) }, + {CKA_CLASS, NULL, sizeof(private_key_class) }, {CKA_ID, NULL, 0}, - {CKA_SIGN, &true_val, sizeof(true_val) } + {CKA_SIGN, NULL, sizeof(true_val) } }; char *pin, prompt[1024]; int rval = -1; + /* some compilers complain about non-constant initializer so we + use NULL in CK_ATTRIBUTE above and set the values here */ + key_filter[0].pValue = &private_key_class; + key_filter[2].pValue = &true_val; + if ((k11 = RSA_get_app_data(rsa)) == NULL) { error("RSA_get_app_data failed for rsa %p", rsa); return (-1); @@ -371,7 +376,7 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, CK_FUNCTION_LIST *f; CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; CK_ATTRIBUTE pubkey_filter[] = { - { CKA_CLASS, &pubkey_class, sizeof(pubkey_class) } + { CKA_CLASS, NULL, sizeof(pubkey_class) } }; CK_ATTRIBUTE attribs[] = { { CKA_ID, NULL, 0 }, @@ -379,6 +384,10 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp, { CKA_PUBLIC_EXPONENT, NULL, 0 } }; + /* some compilers complain about non-constant initializer so we + use NULL in CK_ATTRIBUTE above and set the value here */ + pubkey_filter[0].pValue = &pubkey_class; + f = p->function_list; session = p->slotinfo[slotidx].session; /* setup a filter the looks for public keys */ -- cgit v1.2.3