diff options
-rw-r--r-- | usr.bin/ssh/scard.c | 76 | ||||
-rw-r--r-- | usr.bin/ssh/scard.h | 7 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-agent.c | 98 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 18 | ||||
-rw-r--r-- | usr.bin/ssh/ssh.c | 54 |
5 files changed, 126 insertions, 127 deletions
diff --git a/usr.bin/ssh/scard.c b/usr.bin/ssh/scard.c index 819807a0970..4e312732838 100644 --- a/usr.bin/ssh/scard.c +++ b/usr.bin/ssh/scard.c @@ -24,9 +24,8 @@ #ifdef SMARTCARD #include "includes.h" -RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); +RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $"); -#include <openssl/engine.h> #include <openssl/evp.h> #include <sectok.h> @@ -36,13 +35,17 @@ RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); #include "readpass.h" #include "scard.h" -#ifdef OPENSSL_VERSION_NUMBER -#if OPENSSL_VERSION_NUMBER >= 0x00907000L -#define RSA_get_default_openssl_method RSA_get_default_method -#define DSA_get_default_openssl_method DSA_get_default_method -#define DH_get_default_openssl_method DH_get_default_method -#define ENGINE_set_BN_mod_exp(x,y) +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define USE_ENGINE +#define RSA_get_default_method RSA_get_default_openssl_method +#else #endif + +#ifdef USE_ENGINE +#include <openssl/engine.h> +#define sc_get_rsa sc_get_engine +#else +#define sc_get_rsa sc_get_rsa_method #endif #define CLA_SSH 0x05 @@ -143,8 +146,7 @@ sc_read_pubkey(Key * k) n = NULL; if (sc_fd < 0) { - status = sc_init(); - if (status < 0 ) + if (sc_init() < 0) goto err; } @@ -317,18 +319,13 @@ sc_finish(RSA *rsa) return 1; } - /* engine for overloading private key operations */ -static ENGINE *smart_engine = NULL; -static RSA_METHOD smart_rsa; - -ENGINE * -sc_get_engine(void) +static RSA_METHOD * +sc_get_rsa_method(void) { - const RSA_METHOD *def; - - def = RSA_get_default_openssl_method(); + static RSA_METHOD smart_rsa; + const RSA_METHOD *def = RSA_get_default_method(); /* use the OpenSSL version */ memcpy(&smart_rsa, def, sizeof(smart_rsa)); @@ -343,13 +340,22 @@ sc_get_engine(void) orig_finish = def->finish; smart_rsa.finish = sc_finish; + return &smart_rsa; +} + +#ifdef USE_ENGINE +static ENGINE * +sc_get_engine(void) +{ + static ENGINE *smart_engine = NULL; + if ((smart_engine = ENGINE_new()) == NULL) fatal("ENGINE_new failed"); ENGINE_set_id(smart_engine, "sectok"); ENGINE_set_name(smart_engine, "libsectok"); - ENGINE_set_RSA(smart_engine, &smart_rsa); + ENGINE_set_RSA(smart_engine, sc_get_rsa_method()); ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); ENGINE_set_RAND(smart_engine, RAND_SSLeay()); @@ -357,6 +363,7 @@ sc_get_engine(void) return smart_engine; } +#endif void sc_close(void) @@ -367,11 +374,11 @@ sc_close(void) } } -Key * -sc_get_key(const char *id, const char *pin) +Key ** +sc_get_keys(const char *id, const char *pin) { - Key *k; - int status; + Key *k, *n, **keys; + int status, nkeys = 2; if (sc_reader_id != NULL) xfree(sc_reader_id); @@ -395,7 +402,26 @@ sc_get_key(const char *id, const char *pin) key_free(k); return NULL; } - return k; + keys = xmalloc((nkeys+1) * sizeof(Key *)); + + n = key_new(KEY_RSA1); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[0] = n; + + n = key_new(KEY_RSA); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[1] = n; + + keys[2] = NULL; + + key_free(k); + return keys; } #define NUM_RSA_KEY_ELEMENTS 5+1 diff --git a/usr.bin/ssh/scard.h b/usr.bin/ssh/scard.h index 465fe274bd4..c0aa9ed30c2 100644 --- a/usr.bin/ssh/scard.h +++ b/usr.bin/ssh/scard.h @@ -1,4 +1,4 @@ -/* $OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $ */ +/* $OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -24,8 +24,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include <openssl/engine.h> - #ifndef SCARD_H #define SCARD_H @@ -35,8 +33,7 @@ #define SCARD_ERROR_NOCARD -2 #define SCARD_ERROR_APPLET -3 -Key *sc_get_key(const char*, const char*); -ENGINE *sc_get_engine(void); +Key **sc_get_keys(const char*, const char*); void sc_close(void); int sc_put_key(Key *, const char*); diff --git a/usr.bin/ssh/ssh-agent.c b/usr.bin/ssh/ssh-agent.c index 5851b63619a..e44ac8f6005 100644 --- a/usr.bin/ssh/ssh-agent.c +++ b/usr.bin/ssh/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include <sys/queue.h> -RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $"); #include <openssl/evp.h> #include <openssl/md5.h> @@ -52,7 +52,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $"); #include "log.h" #ifdef SMARTCARD -#include <openssl/engine.h> #include "scard.h" #endif @@ -443,50 +442,39 @@ send: static void process_add_smartcard_key (SocketEntry *e) { + Identity *id; Idtab *tab; - Key *n = NULL, *k = NULL; + Key **keys, *k; char *sc_reader_id = NULL, *pin; - int success = 0; + int i, version, success = 0; sc_reader_id = buffer_get_string(&e->input, NULL); pin = buffer_get_string(&e->input, NULL); - k = sc_get_key(sc_reader_id, pin); + keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); - if (k == NULL) { - error("sc_get_pubkey failed"); + if (keys == NULL || keys[0] == NULL) { + error("sc_get_keys failed"); goto send; } - success = 1; - - tab = idtab_lookup(1); - k->type = KEY_RSA1; - if (lookup_identity(k, 1) == NULL) { - Identity *id = xmalloc(sizeof(Identity)); - n = key_new(KEY_RSA1); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); - RSA_set_method(n->rsa, sc_get_engine()); - id->key = n; - id->comment = xstrdup("rsa1 smartcard"); - TAILQ_INSERT_TAIL(&tab->idlist, id, next); - tab->nentries++; - } - k->type = KEY_RSA; - tab = idtab_lookup(2); - if (lookup_identity(k, 2) == NULL) { - Identity *id = xmalloc(sizeof(Identity)); - n = key_new(KEY_RSA); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); - RSA_set_method(n->rsa, sc_get_engine()); - id->key = n; - id->comment = xstrdup("rsa smartcard"); - TAILQ_INSERT_TAIL(&tab->idlist, id, next); - tab->nentries++; + for (i = 0; keys[i] != NULL; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 1 : 2; + tab = idtab_lookup(version); + if (lookup_identity(k, version) == NULL) { + id = xmalloc(sizeof(Identity)); + id->key = k; + id->comment = xstrdup("smartcard key"); + TAILQ_INSERT_TAIL(&tab->idlist, id, next); + tab->nentries++; + success = 1; + } else { + key_free(k); + } + keys[i] = NULL; } - key_free(k); + xfree(keys); send: buffer_put_int(&e->output, 1); buffer_put_char(&e->output, @@ -496,41 +484,37 @@ send: static void process_remove_smartcard_key(SocketEntry *e) { - Key *k = NULL; - int success = 0; + Identity *id; + Idtab *tab; + Key **keys, *k = NULL; char *sc_reader_id = NULL, *pin; + int i, version, success = 0; sc_reader_id = buffer_get_string(&e->input, NULL); pin = buffer_get_string(&e->input, NULL); - k = sc_get_key(sc_reader_id, pin); + keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); - if (k == NULL) { - error("sc_get_pubkey failed"); - } else { - Identity *id; - k->type = KEY_RSA1; - id = lookup_identity(k, 1); - if (id != NULL) { - Idtab *tab = idtab_lookup(1); - TAILQ_REMOVE(&tab->idlist, id, next); - free_identity(id); + if (keys == NULL || keys[0] == NULL) { + error("sc_get_keys failed"); + goto send; + } + for (i = 0; keys[i] != NULL; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 1 : 2; + if ((id = lookup_identity(k, version)) != NULL) { + tab = idtab_lookup(version); + TAILQ_REMOVE(&tab->idlist, id, next); tab->nentries--; - success = 1; - } - k->type = KEY_RSA; - id = lookup_identity(k, 2); - if (id != NULL) { - Idtab *tab = idtab_lookup(2); - TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); - tab->nentries--; success = 1; } key_free(k); + keys[i] = NULL; } - + xfree(keys); +send: buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index a0f0c9a7fb1..f2b73ade3a6 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $"); #include <openssl/evp.h> #include <openssl/pem.h> @@ -412,14 +412,18 @@ do_upload(struct passwd *pw, const char *sc_reader_id) static void do_download(struct passwd *pw, const char *sc_reader_id) { - Key *pub = NULL; + Key **keys = NULL; + int i; - pub = sc_get_key(sc_reader_id, NULL); - if (pub == NULL) + keys = sc_get_keys(sc_reader_id, NULL); + if (keys == NULL) fatal("cannot read public key from smartcard"); - key_write(pub, stdout); - key_free(pub); - fprintf(stdout, "\n"); + for (i = 0; keys[i]; i++) { + key_write(keys[i], stdout); + key_free(keys[i]); + fprintf(stdout, "\n"); + } + xfree(keys); exit(0); } #endif /* SMARTCARD */ diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index f5eeeb9b9b9..ad72bd1ac2c 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $"); #include <openssl/evp.h> #include <openssl/err.h> @@ -70,7 +70,6 @@ RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $"); #include "sshtty.h" #ifdef SMARTCARD -#include <openssl/engine.h> #include "scard.h" #endif @@ -1167,40 +1166,29 @@ static void load_public_identity_files(void) { char *filename; - Key *public; int i = 0; - + Key *public; #ifdef SMARTCARD + Key **keys; + if (options.smartcard_device != NULL && - options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES && - (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) { - Key *new; - - if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES) - options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2; - memmove(&options.identity_files[2], &options.identity_files[0], - sizeof(char *) * options.num_identity_files); - options.num_identity_files += 2; - i = 2; - - /* XXX ssh1 vs ssh2 */ - new = key_new(KEY_RSA); - new->flags = KEY_FLAG_EXT; - BN_copy(new->rsa->n, public->rsa->n); - BN_copy(new->rsa->e, public->rsa->e); - RSA_set_method(new->rsa, sc_get_engine()); - options.identity_keys[0] = new; - options.identity_files[0] = xstrdup("smartcard rsa key");; - - new = key_new(KEY_RSA1); - new->flags = KEY_FLAG_EXT; - BN_copy(new->rsa->n, public->rsa->n); - BN_copy(new->rsa->e, public->rsa->e); - RSA_set_method(new->rsa, sc_get_engine()); - options.identity_keys[1] = new; - options.identity_files[1] = xstrdup("smartcard rsa1 key"); - - key_free(public); + options.num_identity_files < SSH_MAX_IDENTITY_FILES && + (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { + int count = 0; + for (i = 0; keys[i] != NULL; i++) { + count++; + if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES) + options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1; + memmove(&options.identity_files[1], &options.identity_files[0], + sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); + memmove(&options.identity_keys[1], &options.identity_keys[0], + sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); + options.num_identity_files++; + options.identity_keys[0] = keys[i]; + options.identity_files[0] = xstrdup("smartcard key");; + } + i = count; + xfree(keys); } #endif /* SMARTCARD */ for (; i < options.num_identity_files; i++) { |