diff --git a/ChangeLog b/ChangeLog index 6e63b16d7..079c7bf99 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ - markus@cvs.openbsd.org 2002/03/25 09:25:06 [auth-rh-rsa.c] rm bogus comment + - markus@cvs.openbsd.org 2002/03/25 17:34:27 + [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c] + change sc_get_key to sc_get_keys and hide smartcard details in scard.c 20020324 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure @@ -8042,4 +8045,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1986 2002/03/26 03:08:47 mouring Exp $ +$Id: ChangeLog,v 1.1987 2002/03/26 03:17:42 mouring Exp $ diff --git a/scard.c b/scard.c index 9b2d77602..779106f85 100644 --- a/scard.c +++ b/scard.c @@ -24,9 +24,8 @@ #include "includes.h" #ifdef SMARTCARD -RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); +RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $"); -#include #include #include @@ -36,13 +35,17 @@ RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); #include "readpass.h" #include "scard.h" -#ifdef OPENSSL_VERSION_NUMBER -#if OPENSSL_VERSION_NUMBER >= 0x00907000L -#define RSA_get_default_openssl_method RSA_get_default_method -#define DSA_get_default_openssl_method DSA_get_default_method -#define DH_get_default_openssl_method DH_get_default_method -#define ENGINE_set_BN_mod_exp(x,y) +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define USE_ENGINE +#define RSA_get_default_method RSA_get_default_openssl_method +#else #endif + +#ifdef USE_ENGINE +#include +#define sc_get_rsa sc_get_engine +#else +#define sc_get_rsa sc_get_rsa_method #endif #define CLA_SSH 0x05 @@ -143,8 +146,7 @@ sc_read_pubkey(Key * k) n = NULL; if (sc_fd < 0) { - status = sc_init(); - if (status < 0 ) + if (sc_init() < 0) goto err; } @@ -317,18 +319,13 @@ sc_finish(RSA *rsa) return 1; } - /* engine for overloading private key operations */ -static ENGINE *smart_engine = NULL; -static RSA_METHOD smart_rsa; - -ENGINE * -sc_get_engine(void) +static RSA_METHOD * +sc_get_rsa_method(void) { - const RSA_METHOD *def; - - def = RSA_get_default_openssl_method(); + static RSA_METHOD smart_rsa; + const RSA_METHOD *def = RSA_get_default_method(); /* use the OpenSSL version */ memcpy(&smart_rsa, def, sizeof(smart_rsa)); @@ -343,13 +340,22 @@ sc_get_engine(void) orig_finish = def->finish; smart_rsa.finish = sc_finish; + return &smart_rsa; +} + +#ifdef USE_ENGINE +static ENGINE * +sc_get_engine(void) +{ + static ENGINE *smart_engine = NULL; + if ((smart_engine = ENGINE_new()) == NULL) fatal("ENGINE_new failed"); ENGINE_set_id(smart_engine, "sectok"); ENGINE_set_name(smart_engine, "libsectok"); - ENGINE_set_RSA(smart_engine, &smart_rsa); + ENGINE_set_RSA(smart_engine, sc_get_rsa_method()); ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); ENGINE_set_RAND(smart_engine, RAND_SSLeay()); @@ -357,6 +363,7 @@ sc_get_engine(void) return smart_engine; } +#endif void sc_close(void) @@ -367,11 +374,11 @@ sc_close(void) } } -Key * -sc_get_key(const char *id, const char *pin) +Key ** +sc_get_keys(const char *id, const char *pin) { - Key *k; - int status; + Key *k, *n, **keys; + int status, nkeys = 2; if (sc_reader_id != NULL) xfree(sc_reader_id); @@ -395,7 +402,26 @@ sc_get_key(const char *id, const char *pin) key_free(k); return NULL; } - return k; + keys = xmalloc((nkeys+1) * sizeof(Key *)); + + n = key_new(KEY_RSA1); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[0] = n; + + n = key_new(KEY_RSA); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[1] = n; + + keys[2] = NULL; + + key_free(k); + return keys; } #define NUM_RSA_KEY_ELEMENTS 5+1 diff --git a/scard.h b/scard.h index 465fe274b..c0aa9ed30 100644 --- a/scard.h +++ b/scard.h @@ -1,4 +1,4 @@ -/* $OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $ */ +/* $OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. @@ -24,8 +24,6 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include - #ifndef SCARD_H #define SCARD_H @@ -35,8 +33,7 @@ #define SCARD_ERROR_NOCARD -2 #define SCARD_ERROR_APPLET -3 -Key *sc_get_key(const char*, const char*); -ENGINE *sc_get_engine(void); +Key **sc_get_keys(const char*, const char*); void sc_close(void); int sc_put_key(Key *, const char*); diff --git a/ssh-agent.c b/ssh-agent.c index 1874eb152..f8183b400 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -34,7 +34,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $"); #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H) #include @@ -57,7 +57,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $"); #include "log.h" #ifdef SMARTCARD -#include #include "scard.h" #endif @@ -452,50 +451,39 @@ send: static void process_add_smartcard_key (SocketEntry *e) { + Identity *id; Idtab *tab; - Key *n = NULL, *k = NULL; + Key **keys, *k; char *sc_reader_id = NULL, *pin; - int success = 0; + int i, version, success = 0; sc_reader_id = buffer_get_string(&e->input, NULL); pin = buffer_get_string(&e->input, NULL); - k = sc_get_key(sc_reader_id, pin); + keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); - if (k == NULL) { - error("sc_get_pubkey failed"); + if (keys == NULL || keys[0] == NULL) { + error("sc_get_keys failed"); goto send; } - success = 1; - - tab = idtab_lookup(1); - k->type = KEY_RSA1; - if (lookup_identity(k, 1) == NULL) { - Identity *id = xmalloc(sizeof(Identity)); - n = key_new(KEY_RSA1); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); - RSA_set_method(n->rsa, sc_get_engine()); - id->key = n; - id->comment = xstrdup("rsa1 smartcard"); - TAILQ_INSERT_TAIL(&tab->idlist, id, next); - tab->nentries++; + for (i = 0; keys[i] != NULL; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 1 : 2; + tab = idtab_lookup(version); + if (lookup_identity(k, version) == NULL) { + id = xmalloc(sizeof(Identity)); + id->key = k; + id->comment = xstrdup("smartcard key"); + TAILQ_INSERT_TAIL(&tab->idlist, id, next); + tab->nentries++; + success = 1; + } else { + key_free(k); + } + keys[i] = NULL; } - k->type = KEY_RSA; - tab = idtab_lookup(2); - if (lookup_identity(k, 2) == NULL) { - Identity *id = xmalloc(sizeof(Identity)); - n = key_new(KEY_RSA); - BN_copy(n->rsa->n, k->rsa->n); - BN_copy(n->rsa->e, k->rsa->e); - RSA_set_method(n->rsa, sc_get_engine()); - id->key = n; - id->comment = xstrdup("rsa smartcard"); - TAILQ_INSERT_TAIL(&tab->idlist, id, next); - tab->nentries++; - } - key_free(k); + xfree(keys); send: buffer_put_int(&e->output, 1); buffer_put_char(&e->output, @@ -505,41 +493,37 @@ send: static void process_remove_smartcard_key(SocketEntry *e) { - Key *k = NULL; - int success = 0; + Identity *id; + Idtab *tab; + Key **keys, *k = NULL; char *sc_reader_id = NULL, *pin; + int i, version, success = 0; sc_reader_id = buffer_get_string(&e->input, NULL); pin = buffer_get_string(&e->input, NULL); - k = sc_get_key(sc_reader_id, pin); + keys = sc_get_keys(sc_reader_id, pin); xfree(sc_reader_id); xfree(pin); - if (k == NULL) { - error("sc_get_pubkey failed"); - } else { - Identity *id; - k->type = KEY_RSA1; - id = lookup_identity(k, 1); - if (id != NULL) { - Idtab *tab = idtab_lookup(1); - TAILQ_REMOVE(&tab->idlist, id, next); - free_identity(id); + if (keys == NULL || keys[0] == NULL) { + error("sc_get_keys failed"); + goto send; + } + for (i = 0; keys[i] != NULL; i++) { + k = keys[i]; + version = k->type == KEY_RSA1 ? 1 : 2; + if ((id = lookup_identity(k, version)) != NULL) { + tab = idtab_lookup(version); + TAILQ_REMOVE(&tab->idlist, id, next); tab->nentries--; - success = 1; - } - k->type = KEY_RSA; - id = lookup_identity(k, 2); - if (id != NULL) { - Idtab *tab = idtab_lookup(2); - TAILQ_REMOVE(&tab->idlist, id, next); free_identity(id); - tab->nentries--; success = 1; } key_free(k); + keys[i] = NULL; } - + xfree(keys); +send: buffer_put_int(&e->output, 1); buffer_put_char(&e->output, success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE); diff --git a/ssh-keygen.c b/ssh-keygen.c index 7d3629365..1a8a73129 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $"); #include #include @@ -416,14 +416,18 @@ do_upload(struct passwd *pw, const char *sc_reader_id) static void do_download(struct passwd *pw, const char *sc_reader_id) { - Key *pub = NULL; + Key **keys = NULL; + int i; - pub = sc_get_key(sc_reader_id, NULL); - if (pub == NULL) + keys = sc_get_keys(sc_reader_id, NULL); + if (keys == NULL) fatal("cannot read public key from smartcard"); - key_write(pub, stdout); - key_free(pub); - fprintf(stdout, "\n"); + for (i = 0; keys[i]; i++) { + key_write(keys[i], stdout); + key_free(keys[i]); + fprintf(stdout, "\n"); + } + xfree(keys); exit(0); } #endif /* SMARTCARD */ diff --git a/ssh.c b/ssh.c index ae2e85480..dd926b7e7 100644 --- a/ssh.c +++ b/ssh.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $"); #include #include @@ -70,7 +70,6 @@ RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $"); #include "sshtty.h" #ifdef SMARTCARD -#include #include "scard.h" #endif @@ -1187,40 +1186,29 @@ static void load_public_identity_files(void) { char *filename; - Key *public; int i = 0; - + Key *public; #ifdef SMARTCARD + Key **keys; + if (options.smartcard_device != NULL && - options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES && - (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) { - Key *new; - - if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES) - options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2; - memmove(&options.identity_files[2], &options.identity_files[0], - sizeof(char *) * options.num_identity_files); - options.num_identity_files += 2; - i = 2; - - /* XXX ssh1 vs ssh2 */ - new = key_new(KEY_RSA); - new->flags = KEY_FLAG_EXT; - BN_copy(new->rsa->n, public->rsa->n); - BN_copy(new->rsa->e, public->rsa->e); - RSA_set_method(new->rsa, sc_get_engine()); - options.identity_keys[0] = new; - options.identity_files[0] = xstrdup("smartcard rsa key");; - - new = key_new(KEY_RSA1); - new->flags = KEY_FLAG_EXT; - BN_copy(new->rsa->n, public->rsa->n); - BN_copy(new->rsa->e, public->rsa->e); - RSA_set_method(new->rsa, sc_get_engine()); - options.identity_keys[1] = new; - options.identity_files[1] = xstrdup("smartcard rsa1 key"); - - key_free(public); + options.num_identity_files < SSH_MAX_IDENTITY_FILES && + (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { + int count = 0; + for (i = 0; keys[i] != NULL; i++) { + count++; + if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES) + options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1; + memmove(&options.identity_files[1], &options.identity_files[0], + sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1)); + memmove(&options.identity_keys[1], &options.identity_keys[0], + sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1)); + options.num_identity_files++; + options.identity_keys[0] = keys[i]; + options.identity_files[0] = xstrdup("smartcard key");; + } + i = count; + xfree(keys); } #endif /* SMARTCARD */ for (; i < options.num_identity_files; i++) {