Attachment #1488 for bug #1371

View | Details | Raw Unified | Return to bug 1371 | Differences between

and this patch




	/* NOTREACHED */
	return 0;
}

#ifdef ENABLE_PKCS11

int
ssh_pkcs11_add_provider(AuthenticationConnection *auth,
	const pkcs11_provider *const provider)
{
	Buffer msg;
	int type;

	buffer_init(&msg);
	buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
	buffer_put_cstring(&msg, provider->provider);
	buffer_put_int(&msg, (unsigned)provider->protected_authentication);
	buffer_put_int(&msg, provider->private_mode);
	buffer_put_int(&msg, (unsigned)provider->cert_is_private);

	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		buffer_free(&msg);
		return 0;
	}
	type = buffer_get_char(&msg);
	buffer_free(&msg);
	return decode_reply(type);
}

int
ssh_pkcs11_id(AuthenticationConnection *auth, const pkcs11_id *const id, int remove)
{
	Buffer msg;
	int type;

	buffer_init(&msg);
	buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
	buffer_put_cstring(&msg, id->id);
	buffer_put_int(&msg, (unsigned)id->pin_cache_period);
	buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);

	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		buffer_free(&msg);
		return 0;
	}
	type = buffer_get_char(&msg);
	buffer_free(&msg);
	return decode_reply(type);
}

#endif /* ENABLE_PKCS11 */

Lines 16-21 Link Here

(-)ssh/authfd.h (+12 lines)
16	#ifndef AUTHFD_H	16	#ifndef AUTHFD_H
17	#define AUTHFD_H	17	#define AUTHFD_H
18		18
		19	#include "pkcs11.h"
		20
19	/* Messages for the authentication agent connection. */	21	/* Messages for the authentication agent connection. */
20	#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1	22	#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
21	#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2	23	#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
Lines 49-54 Link Here
49	#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25	51	#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
50	#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26	52	#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
51		53
		54	#define SSH_AGENTC_PKCS11_ADD_PROVIDER 27
		55	#define SSH_AGENTC_PKCS11_ADD_ID 28
		56	#define SSH_AGENTC_PKCS11_REMOVE_ID 29
		57
52	#define SSH_AGENT_CONSTRAIN_LIFETIME 1	58	#define SSH_AGENT_CONSTRAIN_LIFETIME 1
53	#define SSH_AGENT_CONSTRAIN_CONFIRM 2	59	#define SSH_AGENT_CONSTRAIN_CONFIRM 2
54		60
Lines 92-95 int Link Here
92	ssh_agent_sign(AuthenticationConnection , Key , u_char *, u_int , u_char *,	98	ssh_agent_sign(AuthenticationConnection , Key , u_char *, u_int , u_char *,
93	u_int);	99	u_int);
94		100
		101	#ifdef ENABLE_PKCS11
		102	int ssh_pkcs11_add_provider(AuthenticationConnection *,
		103	const pkcs11_provider *const);
		104	int ssh_pkcs11_id(AuthenticationConnection , const pkcs11_id const, int remove);
		105	#endif /* ENABLE_PKCS11 */
		106
95	#endif /* AUTHFD_H */	107	#endif /* AUTHFD_H */




/*
 * Copyright(c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifdef ENABLE_PKCS11

#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <errno.h>
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#include <pkcs11-helper-1.0/pkcs11h-openssl.h>
#include "openssl/pem.h"
#include "misc.h"
#include "buffer.h"
#include "xmalloc.h"
#include "log.h"
#include "pkcs11.h"

static char *
ssh_from_x509(X509 *);

static time_t
mytime(void)
{
	return time(NULL);
}

static void
mysleep(const unsigned long usec)
{
	usleep((unsigned)usec);
}

static int
mygettimeofday(struct timeval *tv)
{
	return gettimeofday(tv, NULL);
}

static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
	xmalloc,
	xfree,
	mytime,
	mysleep,
	mygettimeofday
};

static LogLevel
pkcs11_msg_pkcs112openssh(const unsigned flags)
{
	LogLevel openssh_flags;

	switch (flags) {
	case PKCS11H_LOG_DEBUG2:
		openssh_flags = SYSLOG_LEVEL_DEBUG3;
		break;
	case PKCS11H_LOG_DEBUG1:
		openssh_flags = SYSLOG_LEVEL_DEBUG2;
		break;
	case PKCS11H_LOG_INFO:
		openssh_flags = SYSLOG_LEVEL_INFO;
		break;
	case PKCS11H_LOG_WARN:
		openssh_flags = SYSLOG_LEVEL_ERROR;
		break;
	case PKCS11H_LOG_ERROR:
		openssh_flags = SYSLOG_LEVEL_FATAL;
		break;
	default:
		openssh_flags = SYSLOG_LEVEL_FATAL;
		break;
	}

	return openssh_flags;
}

static unsigned
pkcs11_msg_openssh2pkcs11(const LogLevel flags)
{
	unsigned pkcs11_flags;

	switch (flags) {
	case SYSLOG_LEVEL_DEBUG3:
		pkcs11_flags = PKCS11H_LOG_DEBUG2;
		break;
	case SYSLOG_LEVEL_DEBUG2:
		pkcs11_flags = PKCS11H_LOG_DEBUG1;
		break;
	case SYSLOG_LEVEL_INFO:
		pkcs11_flags = PKCS11H_LOG_INFO;
		break;
	case SYSLOG_LEVEL_ERROR:
		pkcs11_flags = PKCS11H_LOG_WARN;
		break;
	case SYSLOG_LEVEL_FATAL:
		pkcs11_flags = PKCS11H_LOG_ERROR;
		break;
	default:
		pkcs11_flags = PKCS11H_LOG_ERROR;
		break;
	}

	return pkcs11_flags;
}

/* ARGSUSED */
static void
pkcs11_openssh_log(void *const global_data, unsigned flags,
	const char *const format, va_list args)
{
	do_log(pkcs11_msg_pkcs112openssh(flags), format, args);
}

/* ARGSUSED */
static PKCS11H_BOOL
pkcs11_ssh_token_prompt(void *const global_data,
	void *const user_data,
	const pkcs11h_token_id_t token, IN const unsigned retry)
{
	return ask_permission("Please insert token '%s'", token->display);
}

/* ARGSUSED */
static PKCS11H_BOOL
_pkcs11_ssh_pin_prompt(void *const global_data,
	void *const user_data, const pkcs11h_token_id_t token,
	const unsigned retry, char *const pin, const size_t pin_max)
{
	char prompt[1024];
	char *passphrase = NULL;
	PKCS11H_BOOL ret = FALSE;

	if (snprintf(prompt, sizeof(prompt), "Please enter PIN for token '%s': ",
		token->display) < 0)
		goto cleanup;

	passphrase = read_passphrase(prompt, RP_ALLOW_EOF);

	if (passphrase == NULL || strlen(passphrase) == 0 ||
		strlen(passphrase) > pin_max-1)
		goto cleanup;
	
	strlcpy(pin, passphrase, pin_max);
	bzero(passphrase, strlen(passphrase));

	ret = TRUE;

cleanup:

	if (passphrase != NULL)
		xfree(passphrase);

	return ret;
}

static int
pkcs11_convert_to_ssh_key(const pkcs11h_certificate_id_t certificate_id, Key **const key,
	char **const comment, const int pin_cache_period)
{
	pkcs11h_certificate_t certificate = NULL;
	pkcs11h_certificate_id_t certificate_id_new = NULL;
	pkcs11h_openssl_session_t openssl_session = NULL;
	Key *internal_key = NULL;
	char *internal_comment = NULL;
	RSA *rsa = NULL;
	size_t temp;
	CK_RV rv = CKR_OK;

	*key = NULL;
	*comment = NULL;

	debug3("PKCS#11: pkcs11_convert_to_ssh_key - entered - certificate=%p, "
		"key=%p, comment=%p, pin_cache_period=%d", (void *) certificate,
		(void *) key, (void *) comment, pin_cache_period);

	if ((rv = pkcs11h_certificate_create(certificate_id, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, pin_cache_period,
		&certificate)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	/*
	 * New certificate_id is constructed from certificate
	 * blob so that it will contian the proper description.
	 */

	if ((rv = pkcs11h_certificate_getCertificateBlob(certificate,
				NULL, &temp)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate blob %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_certificate_getCertificateId(certificate,
		&certificate_id_new)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate_id %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((internal_comment = xstrdup(certificate_id_new->displayName)) == NULL) {
		error("PKCS#11: Memory allocation error");
		goto cleanup;
	}

	if ((openssl_session =
			pkcs11h_openssl_createSession(certificate)) == NULL) {
		error("PKCS#11: Cannot initialize openssl session");
		goto cleanup;
	}

	/*
	 * will be release by openssl_session
	 */
	certificate = NULL;

	if ((rsa = pkcs11h_openssl_session_getRSA(openssl_session)) == NULL) {
		error("PKCS#11: Unable get rsa object");
		goto cleanup;
	}

	internal_key = key_new_private(KEY_UNSPEC);
	internal_key->flags |= KEY_FLAG_EXT;
	internal_key->rsa = rsa;
	rsa = NULL;
	internal_key->type = KEY_RSA;

	*key = internal_key;
	internal_key = NULL;
	*comment = internal_comment;
	internal_comment = NULL;

cleanup:
	if (internal_key != NULL) {
		key_free(internal_key);
		internal_key = NULL;
	}

	if (internal_comment != NULL) {
		xfree(internal_comment);
		internal_comment = NULL;
	}

	if (rsa != NULL) {
		RSA_free (rsa);
		rsa = NULL;
	}

	if (openssl_session != NULL) {
		pkcs11h_openssl_freeSession(openssl_session);
		openssl_session = NULL;
	}

	if (certificate_id_new != NULL) {
		pkcs11h_certificate_freeCertificateId(certificate_id_new);
		certificate_id_new = NULL;
	}

	if (certificate != NULL) {
		pkcs11h_certificate_freeCertificate(certificate);
		certificate = NULL;
	}

	debug3("PKCS#11: pkcs11_convert_to_ssh_key - return *key=%p", (void *) *key);

	return *key != NULL;
}

int
pkcs11_initialize(const int protected_authentication, const int pin_cache_period)
{
	CK_RV rv = CKR_FUNCTION_FAILED;

	debug3("PKCS#11: pkcs11_initialize - entered protected_authentication=%d, "
		"pin_cache_period=%d", protected_authentication, pin_cache_period);

	if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK) {
		error("PKCS#11: Cannot set system engine %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_initialize()) != CKR_OK) {
		error("PKCS#11: Cannot initialize %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setLogHook(pkcs11_openssh_log, NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	pkcs11h_setLogLevel(pkcs11_msg_openssh2pkcs11(get_log_level ()));

	if ((rv = pkcs11h_setTokenPromptHook(pkcs11_ssh_token_prompt,
		NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setPINPromptHook(_pkcs11_ssh_pin_prompt,
		NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setProtectedAuthentication(protected_authentication)) !=
		CKR_OK) {
		error("PKCS#11: Cannot set protected authentication mode %ld-'%s'",
			rv, pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setPINCachePeriod(pin_cache_period)) != CKR_OK) {
		error("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	rv = CKR_OK;

cleanup:
	debug3("PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
		rv, pkcs11h_getMessage(rv));

	return rv == CKR_OK;
}

void
pkcs11_terminate(void)
{
	debug3("PKCS#11: pkcs11_terminate - entered");

	pkcs11h_terminate();

	debug3("PKCS#11: pkcs11_terminate - return");
}

void
pkcs11_free_provider(pkcs11_provider *const provider) {
	if (provider != NULL) {
		if (provider->provider != NULL)
			xfree(provider->provider);
		xfree(provider);
	}
}

pkcs11_provider *
pkcs11_parse_provider(const char *const info)
{
	pkcs11_provider *provider = NULL;
	pkcs11_provider *ret = NULL;
	char *split[4];
	char *s = NULL;
	char *p;
	int i;

	if (info == NULL)
		goto cleanup;

	if ((provider = (pkcs11_provider *) xmalloc(sizeof(*provider))) == NULL)
		goto cleanup;

	memset(provider, 0, sizeof(*provider));
	memset(split, 0, sizeof(split));

	if ((s=xstrdup(info)) == NULL)
		goto cleanup;

	p = s;
	i=0;
	while(i<4 && p != NULL) {
		char *t;
		if ((t = strchr(p, ':')) != NULL)
			*t = '\x0';
		split[i++] = p;
		if (t != NULL)
			p = t+1;
		else
			p = NULL;
	}

	/*
	 * provider[:protected_authentication[:private_mode[:cert_is_private]]]
	 * string:1|0:hex:1|0
	 */
	if (split[0] != NULL)
		provider->provider = xstrdup(split[0]);
	if (split[1] != NULL)
		provider->protected_authentication = atoi(split[1]) != 0;
	if (split[2] != NULL)
		sscanf(split[2], "%x", &provider->private_mode);
	if (split[3] != NULL)
		provider->cert_is_private = atoi(split[3]) != 0;
	
	if (provider->provider == NULL || strlen(provider->provider) == 0)
		goto cleanup;

	ret = provider;
	provider = NULL;

cleanup:
	if (s != NULL)
		xfree(s);

	if (provider != NULL)
		pkcs11_free_provider(provider);

	return ret;
}

int
pkcs11_add_provider(const pkcs11_provider *const provider)
{
	CK_RV rv = CKR_OK;

	debug3("PKCS#11: pkcs11_add_provider - entered - provider='%s', "
		"protected_authentication=%d, private_mode='%08x', cert_is_private=%d",
		provider->provider, provider->protected_authentication ? 1 : 0,
		provider->private_mode,	provider->cert_is_private ? 1 : 0);

	debug("PKCS#11: Adding PKCS#11 provider '%s'", provider->provider);

	if (rv == CKR_OK &&
		(rv = pkcs11h_addProvider(provider->provider, provider->provider,
			provider->protected_authentication, provider->private_mode,
				PKCS11H_SLOTEVENT_METHOD_AUTO,
				0, provider->cert_is_private)) != CKR_OK) {
		error("PKCS#11: Cannot initialize provider '%s' %ld-'%s'",
			provider->provider, rv, pkcs11h_getMessage(rv));
	}

	debug3("PKCS#11: pkcs11_add_provider - return rv=%ld-'%s'",
		rv, pkcs11h_getMessage(rv));

	return rv == CKR_OK;
}

pkcs11_id *
pkcs11_id_new(void)
{
	pkcs11_id *id = (pkcs11_id *) xmalloc(sizeof(*id));
	if (id != NULL) {
		memset(id, 0, sizeof(*id));
		id->pin_cache_period = PKCS11H_PIN_CACHE_INFINITE;
	}
	return id;
}

void
pkcs11_id_free(pkcs11_id *const id)
{
	if (id != NULL)
		xfree(id);
}

int
pkcs11_get_key(const pkcs11_id *const id, Key **const key,
	char **const comment)
{
	pkcs11h_certificate_id_t certificate_id = NULL;
	CK_RV rv = CKR_OK;

	debug3("PKCS#11: pkcs11_get_key - entered - id=%p, key=%p, "
		"comment=%p", (const void *) id, (void *) key, (void *) comment);

	debug3("PKCS#11: pkcs11_get_key - id - id=%s, "
		"pin_cache_period=%d, cert_file=%s",
		id->id, id->pin_cache_period, id->cert_file);

	if (pkcs11h_certificate_deserializeCertificateId(&certificate_id, id->id)) {
		error("PKCS#11: Cannot deserialize id %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if (id->cert_file != NULL && id->cert_file[0] != '\x0') {
		X509 *x509 = NULL;
		unsigned char *p = NULL;
		unsigned char *certificate_blob = NULL;
		size_t certificate_blob_size = 0;
		int size;
		FILE *fp = NULL;

		if ((fp = fopen(id->cert_file, "r")) == NULL) {
			error("PKCS#11: Cannot open file '%s'", id->cert_file);
			goto cleanup1;
		}

		if (!PEM_read_X509(fp, &x509, NULL, 0)) {
			x509 = NULL;
			error("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
			goto cleanup1;
		}

		if ((size = i2d_X509(x509, NULL)) < 0) {
			error("PKCS#11: Cannot read decode certificate");
			goto cleanup1;
		}
		certificate_blob_size = (size_t)size;

		if ((certificate_blob =
				(unsigned char *) xmalloc(certificate_blob_size)) == NULL) {
			error("PKCS#11: Cannot allocate memory");
			goto cleanup1;
		}

		/*
		 * i2d_X509 increments p!!!
		 */
		p = certificate_blob;

		if ((size = i2d_X509(x509, &p)) < 0) {
			error("PKCS#11: Cannot read decode certificate");
			goto cleanup1;
		}
		certificate_blob_size = (size_t)size;

		if (pkcs11h_certificate_setCertificateIdCertificateBlob
			(certificate_id, certificate_blob, certificate_blob_size)
			!= CKR_OK) {
			error("PKCS#11: Cannot set certificate blob %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

	cleanup1:
		if (x509 != NULL) {
			X509_free(x509);
			x509 = NULL;
		}

		if (certificate_blob != NULL) {
			xfree(certificate_blob);
			certificate_blob = NULL;
		}

		if (fp != NULL) {
			fclose(fp);
			fp = NULL;
		}
	}

	pkcs11_convert_to_ssh_key(certificate_id, key, comment, id->pin_cache_period);

cleanup:

	if (certificate_id != NULL) {
		pkcs11h_certificate_freeCertificateId(certificate_id);
		certificate_id = NULL;
	}

	debug3("PKCS#11: pkcs11_get_key - return rv=%ld, *key=%p", rv, ( void *) *key);

	return *key != NULL;
}

int
pkcs11_get_keys(Key ***const keys, char ***const comments)
{
#define PKCS11_MAX_KEYS 10
	Key **internal_keys = NULL;
	char **internal_comments = NULL;
	pkcs11h_certificate_id_list_t user_certificates = NULL;
	pkcs11h_certificate_id_list_t current = NULL;
	CK_RV rv = CKR_FUNCTION_FAILED;
	int i;

	debug3("PKCS#11: pkcs11_get_keys - entered - sshkey=%p, "
		"comment=%p",
		(void *) keys, (void *) comments);
	
	*keys = NULL;
	*comments = NULL;
	
	if((internal_keys = (Key **) xcalloc(sizeof(*internal_keys), PKCS11_MAX_KEYS+1)) == NULL) {
		rv = CKR_HOST_MEMORY;
		goto cleanup;
	}

	if((internal_comments = (char **) xcalloc(sizeof(*internal_comments), PKCS11_MAX_KEYS+1)) == NULL) {
		rv = CKR_HOST_MEMORY;
		goto cleanup;
	}

	memset(internal_keys, 0, (PKCS11_MAX_KEYS+1)*sizeof(*internal_keys));
	memset(internal_comments, 0, (PKCS11_MAX_KEYS+1)*sizeof(*internal_comments));

	if ((rv = pkcs11h_certificate_enumCertificateIds(
		PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
		&user_certificates)) != CKR_OK) {
		error("PKCS#11: Cannot enumerate certificates %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	i = 0;
	for (current = user_certificates; current != NULL && i<PKCS11_MAX_KEYS;
		current = current->next) {

		if (pkcs11_convert_to_ssh_key(current->certificate_id, &internal_keys[i],
			&internal_comments[i], PKCS11H_PIN_CACHE_INFINITE)) {
			i++;
		}
	}

	*keys = internal_keys;
	internal_keys = NULL;
	*comments = internal_comments;
	internal_comments = NULL;
	rv = CKR_OK;

cleanup:
	if (user_certificates != NULL) {
		pkcs11h_certificate_freeCertificateIdList(user_certificates);
		user_certificates = NULL;
	}

	if (internal_keys != NULL) {
		Key **t = internal_keys;
		while (*t != NULL) {
			key_free(*t);
			t++;
		}
		xfree(internal_keys);
	}

	if (internal_comments != NULL) {
		char **t = internal_comments;
		while (*t != NULL) {
			xfree(*t);
			t++;
		}
		xfree(internal_comments);
	}

	debug3("PKCS#11: pkcs11_get_keys - return rv=%ld, *keys=%p", rv, (void *) *keys);

	return *keys != NULL;
#undef PKCS11_MAX_KEYS
}

void
pkcs11_show_ids(void)
{
	pkcs11h_certificate_id_list_t user_certificates = NULL;
	pkcs11h_certificate_id_list_t current = NULL;
	CK_RV rv = CKR_FUNCTION_FAILED;

	if ((rv = pkcs11h_certificate_enumCertificateIds(
		PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
		&user_certificates)) != CKR_OK) {
		error("PKCS#11: Cannot enumerate certificates %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	for (current = user_certificates; current != NULL;
		current = current->next) {

		pkcs11h_certificate_t certificate = NULL;
		X509 *x509 = NULL;

		BIO *bio = NULL;
		char dn[1024] = { 0 };
		char serial[1024] = { 0 };
		char *ser = NULL;
		char *ssh_key = NULL;
		size_t ser_len = 0;
		int n;

		if ((rv = pkcs11h_certificate_serializeCertificateId(NULL,
			&ser_len, current->certificate_id)) != CKR_OK) {
			error("PKCS#11: Cannot serialize certificate id "
				"certificates %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((ser = (char *) xmalloc(ser_len)) == NULL) {
			error("PKCS#11: Cannot allocate memory");
			goto cleanup1;
		}

		if ((rv = pkcs11h_certificate_serializeCertificateId(ser,
			&ser_len, current->certificate_id)) != CKR_OK) {
			error("PKCS#11: Cannot serialize certificate "
				"id certificates %ld-'%s'",
				rv, pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((rv = pkcs11h_certificate_create(current->certificate_id,
			NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
			PKCS11H_PIN_CACHE_INFINITE, &certificate)) != CKR_OK) {
			error("PKCS#11: Cannot create certificate %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) {
			error("PKCS#11: Cannot get X509");
			goto cleanup1;
		}

		X509_NAME_oneline(X509_get_subject_name(x509), dn, sizeof(dn));

		if ((bio = BIO_new(BIO_s_mem())) == NULL) {
			error("PKCS#11: Cannot create BIO");
			goto cleanup1;
		}

		i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509));
		n = BIO_read(bio, serial, sizeof(serial) - 1);
		if (n < 0)
			serial[0] = '\x0';
		else
			serial[n] = 0;

		printf(("\n"
				"********************************************\n"
				"IDENTITY:\n"
				"       DN:             %s\n"
				"       Serial:         %s\n"
				"       Serialized id:  %s\n"
				"\n" "       Certificate:\n"), dn, serial, ser);
		PEM_write_X509(stdout, x509);

		if ((ssh_key = ssh_from_x509(x509)) != NULL) {
			printf(("\n" "        SSH:\n" "%s\n"), ssh_key);

			xfree(ssh_key);
		}

	cleanup1:
		if (x509 != NULL) {
			X509_free(x509);
			x509 = NULL;
		}

		if (bio != NULL) {
			BIO_free_all(bio);
			bio = NULL;
		}

		if (certificate != NULL) {
			pkcs11h_certificate_freeCertificate(certificate);
			certificate = NULL;
		}

		if (ser != NULL) {
			xfree(ser);
			ser = NULL;
		}
	}

cleanup:
	if (user_certificates != NULL) {
		pkcs11h_certificate_freeCertificateIdList(user_certificates);
		user_certificates = NULL;
	}
}

static char *
ssh_from_x509(X509 * x509)
{
	Buffer b;
	EVP_PKEY *pubkey = NULL;
	BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
	char *ret = NULL;
	size_t retsize = 0;
	char *p;
	int n;
	const char *keyname = "ssh-rsa";
	int ok = 0;

	buffer_init(&b);

	if ((pubkey = X509_get_pubkey(x509)) == NULL)
		goto cleanup;

	if ((bio64 = BIO_new(BIO_f_base64())) == NULL)
		goto cleanup;

	if ((bio = BIO_new(BIO_s_mem())) == NULL)
		goto cleanup;

	if ((bio2 = BIO_push(bio64, bio)) == NULL)
		goto cleanup;

	if (pubkey->type != EVP_PKEY_RSA)
		goto cleanup;

	buffer_put_cstring(&b, keyname);
	buffer_put_bignum2(&b, pubkey->pkey.rsa->e);
	buffer_put_bignum2(&b, pubkey->pkey.rsa->n);

	if (BIO_write(bio2, buffer_ptr(&b), buffer_len(&b)) == -1)
		goto cleanup;
	if (BIO_flush(bio2) == -1)
		goto cleanup;
	if ((n = BIO_read(bio, NULL, 10*1024)) == -1)
		goto cleanup;
	retsize = n+1+strlen(keyname)+1;	/* including null terminate and keyname prefix */
	if ((ret = (char *) xmalloc(retsize)) == NULL)
		goto cleanup;
	snprintf (ret, retsize, "%s ", keyname);
	if ((n = BIO_read(bio, ret+strlen(ret), n)) == -1)
		goto cleanup;
	ret[retsize-1] = '\0';

	while ((p = strchr(ret, '\n')) != NULL)
		memmove(p, p + 1, strlen(p));
	while ((p = strchr(ret, '\r')) != NULL)
		memmove(p, p + 1, strlen(p));

	ok = 1;

cleanup:
	if (bio != NULL) {
		BIO_free_all(bio);
		bio = NULL;
	}

	if (pubkey != NULL) {
		EVP_PKEY_free(pubkey);
		pubkey = NULL;
	}

	buffer_free(&b);

	if (!ok) {
		if (ret != NULL) {
			xfree(ret);
			ret = NULL;
		}
	}

	return ret;
}

#endif /* ENABLE_PKCS11 */




/*
 * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SSH_PKCS11_H
#define SSH_PKCS11_H

#ifdef ENABLE_PKCS11

#include "key.h"

typedef struct {
	char *provider;
	int protected_authentication;
	unsigned private_mode;
	int cert_is_private;
} pkcs11_provider;

typedef struct {
	char *id;
	int pin_cache_period;
	char *cert_file;
} pkcs11_id;

int
pkcs11_initialize(const int, const int);

void
pkcs11_terminate(void);

void
pkcs11_free_provider(pkcs11_provider *const);

pkcs11_provider *
pkcs11_parse_provider(const char *const);

int
pkcs11_add_provider(const pkcs11_provider *const);

pkcs11_id *
pkcs11_id_new(void);

void
pkcs11_id_free(pkcs11_id *const);

int
pkcs11_get_key(const pkcs11_id *const, Key **const, char **const);

int
pkcs11_get_keys(Key ***const, char ***const);

void
pkcs11_show_ids(void);

#endif /* ENABLE_PKCS11 */

#endif /* OPENSSH_PKCS11_H */




#include "rsa.h"
#include "log.h"
#include "key.h"
#include "pkcs11.h"
#include "buffer.h"
#include "authfd.h"
#include "authfile.h"

	fprintf(stderr, "  -X          Unlock agent.\n");
	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
#ifdef ENABLE_PKCS11
	fprintf(stderr, "  -K provider Add PKCS#11 provider, format:\n");
	fprintf(stderr, "              lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
	fprintf(stderr, "              prot_auth - 1 to allow protected mode authentication.\n");
	fprintf(stderr, "              private_mode - Private key mode, see man page.\n");
	fprintf(stderr, "              cert_is_private - 1 if login is required to access certificates.\n");
	fprintf(stderr, "  -I          Add PKCS#11 id, remainging arguments:\n");
	fprintf(stderr, "              pkcs11_id [session_cache [cert_file]]\n");
	fprintf(stderr, "              pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
	fprintf(stderr, "              session_cache - Session cache timeout in seconds -1 for infinite.\n");
	fprintf(stderr, "              cert_file - Specify PEM file to load if token is unavailable.\n");
#endif
#ifdef SMARTCARD
	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");

	AuthenticationConnection *ac = NULL;
	char *sc_reader_id = NULL;
	int i, ch, deleting = 0, ret = 0;
#ifdef ENABLE_PKCS11
	pkcs11_provider *pkcs11_provider = NULL;
	int doing_pkcs11 = 0;
#endif /* ENABLE_PKCS11 */

	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
	sanitise_stdfd();

		    "Could not open a connection to your authentication agent.\n");
		exit(2);
	}
	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
		switch (ch) {
		case 'l':
		case 'L':

				goto done;
			}
			break;
#ifdef ENABLE_PKCS11
		case 'K':
			if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
				fprintf(stderr, "Cannot parse PKCS#11 provider\n");
				ret = 1;
				goto done;
			}
			break;
		case 'I':
			doing_pkcs11 = 1;
			break;
#endif /* ENABLE_PKCS11 */
		default:
			usage();
			ret = 1;

	}
	argc -= optind;
	argv += optind;

#ifdef ENABLE_PKCS11
	if (pkcs11_provider != NULL) {
		if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
			fprintf(stderr,
				"Cannot add provider '%s'\n", pkcs11_provider->provider);
			ret = 1;
			goto done;
		}
		fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
		pkcs11_free_provider(pkcs11_provider);
	}

	if (doing_pkcs11) {
		pkcs11_id *pkcs11_id = NULL;
		if (argc < 1 || argc > 3) {
			fprintf(stderr,
				"Invalid PKCS#11 id format\n");
			ret = 1;
			goto done;
		}
		if ((pkcs11_id = pkcs11_id_new()) == NULL) {
			fprintf(stderr, "Memory allocation error.\n");
			ret = 1;
			goto done;
		}
		pkcs11_id->id = argv[0];
		if (argc > 1)
			pkcs11_id->pin_cache_period = atoi(argv[1]);
		if (argc > 2)
			pkcs11_id->cert_file = xstrdup(argv[2]);

		if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
			fprintf(stderr,
				"Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
			ret = 1;
			goto done;
		}
		pkcs11_id_free(pkcs11_id);
		fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
		goto done;
	}
#endif /* ENABLE_PKCS11 */

	if (sc_reader_id != NULL) {
		if (update_card(ac, !deleting, sc_reader_id) == -1)
			ret = 1;




#include "buffer.h"
#include "key.h"
#include "authfd.h"
#include "pkcs11.h"
#include "compat.h"
#include "log.h"
#include "misc.h"

}
#endif /* SMARTCARD */

#ifdef ENABLE_PKCS11

static void
process_pkcs11_add_provider (SocketEntry *e)
{
	pkcs11_provider provider;
	int success = 0;

	provider.provider = buffer_get_string(&e->request, NULL);
	provider.protected_authentication = buffer_get_int(&e->request);
	provider.private_mode = (unsigned)buffer_get_int(&e->request);
	provider.cert_is_private = buffer_get_int(&e->request);

	success = pkcs11_add_provider(&provider);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

static
void
process_pkcs11_add_id (SocketEntry *e)
{
	pkcs11_id *pkcs11_id = NULL;
	Key *k = NULL;
	char *comment = NULL;
	int success = 0;
	int version = 2;

	pkcs11_id = pkcs11_id_new();
	if (pkcs11_id != NULL) {
		pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));

		if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
			if (lookup_identity(k, version) == NULL) {
				Identity *id = xmalloc(sizeof(Identity));
				Idtab *tab = NULL;
	
				id->key = k;
				k = NULL;
				id->comment = comment;
				id->death = 0;		/* handled by pkcs#11 helper */
				id->confirm = 0;
	
				tab = idtab_lookup(version);
				TAILQ_INSERT_TAIL(&tab->idlist, id, next);
				/* Increment the number of identities. */
				tab->nentries++;
				success = 1;
			}
		}
	}

	if (k != NULL)
		key_free(k);

	if (pkcs11_id != NULL)
		pkcs11_id_free(pkcs11_id);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

static
void
process_pkcs11_remove_id (SocketEntry *e)
{
	Identity *id = NULL;
	char *comment = NULL;
	pkcs11_id *pkcs11_id = NULL;
	Key *k = NULL;
	int version = 2;
	int success = 0;

	pkcs11_id = pkcs11_id_new();
	if (pkcs11_id != NULL) {
		pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));

		if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
			id = lookup_identity (k, version);
			xfree(comment);
			comment = NULL;
		}

		if (id != NULL) {
			Idtab *tab = NULL;

			tab = idtab_lookup(version);
			TAILQ_REMOVE(&tab->idlist, id, next);
			tab->nentries--;
			free_identity(id);
			id = NULL;
			success = 1;
		}
	}

	if (k != NULL)
		key_free(k);

	if (pkcs11_id != NULL)
		pkcs11_id_free(pkcs11_id);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

#endif /* ENABLE_PKCS11 */

/* dispatch incoming messages */

static void

		process_remove_smartcard_key(e);
		break;
#endif /* SMARTCARD */

#ifdef ENABLE_PKCS11
	case SSH_AGENTC_PKCS11_ADD_PROVIDER:
		process_pkcs11_add_provider(e);
		break;
	case SSH_AGENTC_PKCS11_ADD_ID:
		process_pkcs11_add_id(e);
		break;
	case SSH_AGENTC_PKCS11_REMOVE_ID:
		process_pkcs11_remove_id(e);
		break;
#endif /* ENABLE_PKCS11 */
	default:
		/* Unknown message.  Respond with failure. */
		error("Unknown message %d", type);

cleanup_handler(int sig)
{
	cleanup_socket();
#ifdef ENABLE_PKCS11
	pkcs11_terminate ();
#endif /* ENABLE_PKCS11 */
	_exit(2);
}


	}

skip:

#ifdef ENABLE_PKCS11
	pkcs11_initialize (1, -1);
#endif /* ENABLE_PKCS11 */

	new_socket(AUTH_SOCKET, sock);
	if (ac > 0)
		parent_alive_interval = 10;

Lines 84-89 Link Here

(-)ssh/ssh.c (-1 / +61 lines)
84	#include "readconf.h"	84	#include "readconf.h"
85	#include "sshconnect.h"	85	#include "sshconnect.h"
86	#include "misc.h"	86	#include "misc.h"
		87	#include "pkcs11.h"
87	#include "kex.h"	88	#include "kex.h"
88	#include "mac.h"	89	#include "mac.h"
89	#include "sshpty.h"	90	#include "sshpty.h"
Lines 171-176 static u_int mux_command = 0; Link Here
171	volatile sig_atomic_t control_client_terminate = 0;	172	volatile sig_atomic_t control_client_terminate = 0;
172	u_int control_server_pid = 0;	173	u_int control_server_pid = 0;
173		174
		175	#ifdef ENABLE_PKCS11
		176	/* For PKCS#11 */
		177	static pkcs11_provider *use_pkcs11_provider = NULL;
		178	#endif
		179
174	/* Prints a help message to the user. This function never returns. */	180	/* Prints a help message to the user. This function never returns. */
175		181
176	static void	182	static void
Lines 183-188 usage(void) Link Here
183	" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"	189	" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
184	" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"	190	" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
185	" [-w local_tun[:remote_tun]] [user@]hostname [command]\n"	191	" [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
		192	#ifdef ENABLE_PKCS11
		193	" [-# use_pkcs11_provider_info]\n"
		194	#endif
186	);	195	);
187	exit(255);	196	exit(255);
188	}	197	}
Lines 259-266 main(int ac, char **av) Link Here
259		268
260	again:	269	again:
261	while ((opt = getopt(ac, av,	270	while ((opt = getopt(ac, av,
262	"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {	271	"#:1246ab:c:e:fgi:k:l:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
263	switch (opt) {	272	switch (opt) {
		273	#ifdef ENABLE_PKCS11
		274	case '#':
		275	if ((use_pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
		276	fprintf(stderr, "Cannot parse PKCS#11 provider information.\n");
		277	exit(255);
		278	}
		279	break;
		280	#endif
264	case '1':	281	case '1':
265	options.protocol = SSH_PROTO_1;	282	options.protocol = SSH_PROTO_1;
266	break;	283	break;
Lines 673-678 main(int ac, char **av) Link Here
673		690
674	timeout_ms = options.connection_timeout * 1000;	691	timeout_ms = options.connection_timeout * 1000;
675		692
		693	#ifdef ENABLE_PKCS11
		694	if (use_pkcs11_provider != NULL) {
		695	if (!pkcs11_initialize (1, -1))
		696	fatal("Cannot initialize PKCS#11 interface.\n");
		697	if (!pkcs11_add_provider(use_pkcs11_provider))
		698	fatal("Cannot add PKCS#11 provider '%s'.\n",
		699	use_pkcs11_provider->provider);
		700	}
		701	#endif
		702
676	/* Open a connection to the remote host. */	703	/* Open a connection to the remote host. */
677	if (ssh_connect(host, &hostaddr, options.port,	704	if (ssh_connect(host, &hostaddr, options.port,
678	options.address_family, options.connection_attempts, &timeout_ms,	705	options.address_family, options.connection_attempts, &timeout_ms,
Lines 798-803 main(int ac, char **av) Link Here
798	if (proxy_command_pid > 1)	825	if (proxy_command_pid > 1)
799	kill(proxy_command_pid, SIGHUP);	826	kill(proxy_command_pid, SIGHUP);
800		827
		828	#ifdef ENABLE_PKCS11
		829	if (use_pkcs11_provider != NULL) {
		830	pkcs11_terminate();
		831	pkcs11_free_provider(use_pkcs11_provider);
		832	use_pkcs11_provider = NULL;
		833	}
		834	#endif
		835
801	return exit_status;	836	return exit_status;
802	}	837	}
803		838
Lines 1238-1243 load_public_identity_files(void) Link Here
1238	xfree(keys);	1273	xfree(keys);
1239	}	1274	}
1240	#endif /* SMARTCARD */	1275	#endif /* SMARTCARD */
		1276	#ifdef ENABLE_PKCS11
		1277	if (use_pkcs11_provider != NULL) {
		1278	Key **keys = NULL;
		1279	char **comments = NULL;
		1280
		1281	if (pkcs11_get_keys(&keys, &comments)) {
		1282	int count = 0;
		1283	while (options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
		1284	keys[count] != NULL) {
		1285	memmove(&options.identity_files[1], &options.identity_files[0],
		1286	sizeof(char ) (SSH_MAX_IDENTITY_FILES - 1));
		1287	memmove(&options.identity_keys[1], &options.identity_keys[0],
		1288	sizeof(Key ) (SSH_MAX_IDENTITY_FILES - 1));
		1289	options.num_identity_files++;
		1290	options.identity_keys[0] = keys[count];
		1291	options.identity_files[0] = comments[count];
		1292	count++;
		1293	}
		1294	i += count;
		1295	xfree(keys);
		1296	xfree(comments);
		1297	}
		1298
		1299	}
		1300	#endif
1241	if ((pw = getpwuid(original_real_uid)) == NULL)	1301	if ((pw = getpwuid(original_real_uid)) == NULL)
1242	fatal("load_public_identity_files: getpwuid failed");	1302	fatal("load_public_identity_files: getpwuid failed");
1243	pwname = xstrdup(pw->pw_name);	1303	pwname = xstrdup(pw->pw_name);

Lines 35-40 Link Here

(-)ssh/ssh-keygen.c (-1 / +28 lines)
35	#include "uuencode.h"	35	#include "uuencode.h"
36	#include "buffer.h"	36	#include "buffer.h"
37	#include "pathnames.h"	37	#include "pathnames.h"
		38	#include "pkcs11.h"
38	#include "log.h"	39	#include "log.h"
39	#include "misc.h"	40	#include "misc.h"
40	#include "match.h"	41	#include "match.h"
Lines 1014-1019 usage(void) Link Here
1014	fprintf(stderr, " -g Use generic DNS resource record format.\n");	1015	fprintf(stderr, " -g Use generic DNS resource record format.\n");
1015	fprintf(stderr, " -H Hash names in known_hosts file.\n");	1016	fprintf(stderr, " -H Hash names in known_hosts file.\n");
1016	fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");	1017	fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");
		1018	#ifdef ENABLE_PKCS11
		1019	fprintf(stderr, " -K provider Show PKCS#11 provider ids, format:\n");
		1020	fprintf(stderr, " lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
		1021	fprintf(stderr, " prot_auth - 1 to allow protected mode authentication.\n");
		1022	fprintf(stderr, " private_mode - Private key mode, see man page.\n");
		1023	fprintf(stderr, " cert_is_private - 1 if login is required to access certificates.\n");
		1024	#endif /* ENABLE_PKCS11 */
1017	fprintf(stderr, " -l Show fingerprint of key file.\n");	1025	fprintf(stderr, " -l Show fingerprint of key file.\n");
1018	fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");	1026	fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
1019	fprintf(stderr, " -N phrase Provide new passphrase.\n");	1027	fprintf(stderr, " -N phrase Provide new passphrase.\n");
Lines 1054-1059 main(int argc, char **argv) Link Here
1054	BIGNUM *start = NULL;	1062	BIGNUM *start = NULL;
1055	FILE *f;	1063	FILE *f;
1056	const char *errstr;	1064	const char *errstr;
		1065	#ifdef ENABLE_PKCS11
		1066	pkcs11_provider *pkcs11_provider = NULL;
		1067	#endif /* ENABLE_PKCS11 */
1057		1068
1058	extern int optind;	1069	extern int optind;
1059	extern char *optarg;	1070	extern char *optarg;
Lines 1076-1082 main(int argc, char **argv) Link Here
1076	}	1087	}
1077		1088
1078	while ((opt = getopt(argc, argv,	1089	while ((opt = getopt(argc, argv,
1079	"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {	1090	"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:K:")) != -1) {
1080	switch (opt) {	1091	switch (opt) {
1081	case 'b':	1092	case 'b':
1082	bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);	1093	bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
Lines 1201-1206 main(int argc, char **argv) Link Here
1201	if (BN_hex2bn(&start, optarg) == 0)	1212	if (BN_hex2bn(&start, optarg) == 0)
1202	fatal("Invalid start point.");	1213	fatal("Invalid start point.");
1203	break;	1214	break;
		1215	#ifdef ENABLE_PKCS11
		1216	case 'K':
		1217	if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL)
		1218	fatal("Cannot parse PKCS#11 provider.");
		1219	break;
		1220	#endif /* ENABLE_PKCS11 */
1204	case '?':	1221	case '?':
1205	default:	1222	default:
1206	usage();	1223	usage();
Lines 1255-1260 main(int argc, char **argv) Link Here
1255	exit(0);	1272	exit(0);
1256	}	1273	}
1257	}	1274	}
		1275	#ifdef ENABLE_PKCS11
		1276	if (pkcs11_provider != NULL) {
		1277	pkcs11_initialize(1, -1);
		1278	pkcs11_add_provider(pkcs11_provider);
		1279	pkcs11_show_ids();
		1280	pkcs11_terminate();
		1281	pkcs11_free_provider(pkcs11_provider);
		1282	return (0);
		1283	}
		1284	#endif /* ENABLE_PKCS11 */
1258	if (reader_id != NULL) {	1285	if (reader_id != NULL) {
1259	#ifdef SMARTCARD	1286	#ifdef SMARTCARD
1260	if (download)	1287	if (download)

Return to bug 1371

Lines 667-669 decode_reply(int type) Link Here

(-)ssh/authfd.c (+48 lines)
667	/* NOTREACHED */	667	/* NOTREACHED */
668	return 0;	668	return 0;
669	}	669	}
		670
		671	#ifdef ENABLE_PKCS11
		672
		673	int
		674	ssh_pkcs11_add_provider(AuthenticationConnection *auth,
		675	const pkcs11_provider *const provider)
		676	{
		677	Buffer msg;
		678	int type;
		679
		680	buffer_init(&msg);
		681	buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
		682	buffer_put_cstring(&msg, provider->provider);
		683	buffer_put_int(&msg, (unsigned)provider->protected_authentication);
		684	buffer_put_int(&msg, provider->private_mode);
		685	buffer_put_int(&msg, (unsigned)provider->cert_is_private);
		686
		687	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		688	buffer_free(&msg);
		689	return 0;
		690	}
		691	type = buffer_get_char(&msg);
		692	buffer_free(&msg);
		693	return decode_reply(type);
		694	}
		695
		696	int
		697	ssh_pkcs11_id(AuthenticationConnection auth, const pkcs11_id const id, int remove)
		698	{
		699	Buffer msg;
		700	int type;
		701
		702	buffer_init(&msg);
		703	buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
		704	buffer_put_cstring(&msg, id->id);
		705	buffer_put_int(&msg, (unsigned)id->pin_cache_period);
		706	buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
		707
		708	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		709	buffer_free(&msg);
		710	return 0;
		711	}
		712	type = buffer_get_char(&msg);
		713	buffer_free(&msg);
		714	return decode_reply(type);
		715	}
		716
		717	#endif /* ENABLE_PKCS11 */

Line 0 Link Here

(-)ssh/pkcs11.h (+77 lines)
		1	/*
		2	* Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
		3	*
		4	* Redistribution and use in source and binary forms, with or without
		5	* modification, are permitted provided that the following conditions
		6	* are met:
		7	* 1. Redistributions of source code must retain the above copyright
		8	* notice, this list of conditions and the following disclaimer.
		9	* 2. Redistributions in binary form must reproduce the above copyright
		10	* notice, this list of conditions and the following disclaimer in the
		11	* documentation and/or other materials provided with the distribution.
		12	*
		13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		23	*/
		24
		25	#ifndef SSH_PKCS11_H
		26	#define SSH_PKCS11_H
		27
		28	#ifdef ENABLE_PKCS11
		29
		30	#include "key.h"
		31
		32	typedef struct {
		33	char *provider;
		34	int protected_authentication;
		35	unsigned private_mode;
		36	int cert_is_private;
		37	} pkcs11_provider;
		38
		39	typedef struct {
		40	char *id;
		41	int pin_cache_period;
		42	char *cert_file;
		43	} pkcs11_id;
		44
		45	int
		46	pkcs11_initialize(const int, const int);
		47
		48	void
		49	pkcs11_terminate(void);
		50
		51	void
		52	pkcs11_free_provider(pkcs11_provider *const);
		53
		54	pkcs11_provider *
		55	pkcs11_parse_provider(const char *const);
		56
		57	int
		58	pkcs11_add_provider(const pkcs11_provider *const);
		59
		60	pkcs11_id *
		61	pkcs11_id_new(void);
		62
		63	void
		64	pkcs11_id_free(pkcs11_id *const);
65
66	int
67	pkcs11_get_key(const pkcs11_id const, Key const, char *const);
68
69	int
70	pkcs11_get_keys(Key *const, char *const);
71
72	void
73	pkcs11_show_ids(void);
74
75	#endif /* ENABLE_PKCS11 */
76
77	#endif /* OPENSSH_PKCS11_H */

Lines 53-58 Link Here

(-)ssh/ssh-add.c (-1 / +74 lines)
53	#include "rsa.h"	53	#include "rsa.h"
54	#include "log.h"	54	#include "log.h"
55	#include "key.h"	55	#include "key.h"
		56	#include "pkcs11.h"
56	#include "buffer.h"	57	#include "buffer.h"
57	#include "authfd.h"	58	#include "authfd.h"
58	#include "authfile.h"	59	#include "authfile.h"
Lines 316-321 usage(void) Link Here
316	fprintf(stderr, " -X Unlock agent.\n");	317	fprintf(stderr, " -X Unlock agent.\n");
317	fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");	318	fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
318	fprintf(stderr, " -c Require confirmation to sign using identities\n");	319	fprintf(stderr, " -c Require confirmation to sign using identities\n");
		320	#ifdef ENABLE_PKCS11
		321	fprintf(stderr, " -K provider Add PKCS#11 provider, format:\n");
		322	fprintf(stderr, " lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
		323	fprintf(stderr, " prot_auth - 1 to allow protected mode authentication.\n");
		324	fprintf(stderr, " private_mode - Private key mode, see man page.\n");
		325	fprintf(stderr, " cert_is_private - 1 if login is required to access certificates.\n");
		326	fprintf(stderr, " -I Add PKCS#11 id, remainging arguments:\n");
		327	fprintf(stderr, " pkcs11_id [session_cache [cert_file]]\n");
		328	fprintf(stderr, " pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
		329	fprintf(stderr, " session_cache - Session cache timeout in seconds -1 for infinite.\n");
		330	fprintf(stderr, " cert_file - Specify PEM file to load if token is unavailable.\n");
		331	#endif
319	#ifdef SMARTCARD	332	#ifdef SMARTCARD
320	fprintf(stderr, " -s reader Add key in smartcard reader.\n");	333	fprintf(stderr, " -s reader Add key in smartcard reader.\n");
321	fprintf(stderr, " -e reader Remove key in smartcard reader.\n");	334	fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
Lines 330-335 main(int argc, char **argv) Link Here
330	AuthenticationConnection *ac = NULL;	343	AuthenticationConnection *ac = NULL;
331	char *sc_reader_id = NULL;	344	char *sc_reader_id = NULL;
332	int i, ch, deleting = 0, ret = 0;	345	int i, ch, deleting = 0, ret = 0;
		346	#ifdef ENABLE_PKCS11
		347	pkcs11_provider *pkcs11_provider = NULL;
		348	int doing_pkcs11 = 0;
		349	#endif /* ENABLE_PKCS11 */
333		350
334	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */	351	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
335	sanitise_stdfd();	352	sanitise_stdfd();
Lines 343-349 main(int argc, char **argv) Link Here
343	"Could not open a connection to your authentication agent.\n");	360	"Could not open a connection to your authentication agent.\n");
344	exit(2);	361	exit(2);
345	}	362	}
346	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {	363	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
347	switch (ch) {	364	switch (ch) {
348	case 'l':	365	case 'l':
349	case 'L':	366	case 'L':
Lines 379-384 main(int argc, char **argv) Link Here
379	goto done;	396	goto done;
380	}	397	}
381	break;	398	break;
		399	#ifdef ENABLE_PKCS11
		400	case 'K':
		401	if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
		402	fprintf(stderr, "Cannot parse PKCS#11 provider\n");
		403	ret = 1;
		404	goto done;
		405	}
		406	break;
		407	case 'I':
		408	doing_pkcs11 = 1;
		409	break;
		410	#endif /* ENABLE_PKCS11 */
382	default:	411	default:
383	usage();	412	usage();
384	ret = 1;	413	ret = 1;
Lines 387-392 main(int argc, char **argv) Link Here
387	}	416	}
388	argc -= optind;	417	argc -= optind;
389	argv += optind;	418	argv += optind;
		419
		420	#ifdef ENABLE_PKCS11
		421	if (pkcs11_provider != NULL) {
		422	if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
		423	fprintf(stderr,
		424	"Cannot add provider '%s'\n", pkcs11_provider->provider);
		425	ret = 1;
		426	goto done;
		427	}
		428	fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
		429	pkcs11_free_provider(pkcs11_provider);
		430	}
		431
		432	if (doing_pkcs11) {
		433	pkcs11_id *pkcs11_id = NULL;
		434	if (argc < 1 \|\| argc > 3) {
		435	fprintf(stderr,
		436	"Invalid PKCS#11 id format\n");
		437	ret = 1;
		438	goto done;
		439	}
		440	if ((pkcs11_id = pkcs11_id_new()) == NULL) {
		441	fprintf(stderr, "Memory allocation error.\n");
		442	ret = 1;
		443	goto done;
		444	}
		445	pkcs11_id->id = argv[0];
		446	if (argc > 1)
		447	pkcs11_id->pin_cache_period = atoi(argv[1]);
		448	if (argc > 2)
		449	pkcs11_id->cert_file = xstrdup(argv[2]);
		450
		451	if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
		452	fprintf(stderr,
		453	"Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
		454	ret = 1;
		455	goto done;
		456	}
		457	pkcs11_id_free(pkcs11_id);
		458	fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
		459	goto done;
		460	}
		461	#endif /* ENABLE_PKCS11 */
		462
390	if (sc_reader_id != NULL) {	463	if (sc_reader_id != NULL) {
391	if (update_card(ac, !deleting, sc_reader_id) == -1)	464	if (update_card(ac, !deleting, sc_reader_id) == -1)
392	ret = 1;	465	ret = 1;

Lines 62-67 Link Here

(-)ssh/ssh-agent.c (+136 lines)
62	#include "buffer.h"	62	#include "buffer.h"
63	#include "key.h"	63	#include "key.h"
64	#include "authfd.h"	64	#include "authfd.h"
		65	#include "pkcs11.h"
65	#include "compat.h"	66	#include "compat.h"
66	#include "log.h"	67	#include "log.h"
67	#include "misc.h"	68	#include "misc.h"
Lines 689-694 send: Link Here
689	}	690	}
690	#endif /* SMARTCARD */	691	#endif /* SMARTCARD */
691		692
		693	#ifdef ENABLE_PKCS11
		694
		695	static void
		696	process_pkcs11_add_provider (SocketEntry *e)
		697	{
		698	pkcs11_provider provider;
		699	int success = 0;
		700
		701	provider.provider = buffer_get_string(&e->request, NULL);
		702	provider.protected_authentication = buffer_get_int(&e->request);
		703	provider.private_mode = (unsigned)buffer_get_int(&e->request);
		704	provider.cert_is_private = buffer_get_int(&e->request);
		705
		706	success = pkcs11_add_provider(&provider);
		707
		708	buffer_put_int(&e->output, 1);
		709	buffer_put_char(&e->output,
		710	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
		711	}
		712
		713	static
		714	void
		715	process_pkcs11_add_id (SocketEntry *e)
		716	{
		717	pkcs11_id *pkcs11_id = NULL;
		718	Key *k = NULL;
		719	char *comment = NULL;
		720	int success = 0;
		721	int version = 2;
		722
		723	pkcs11_id = pkcs11_id_new();
		724	if (pkcs11_id != NULL) {
		725	pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
		726	pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		727	pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
		728
		729	if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
		730	if (lookup_identity(k, version) == NULL) {
		731	Identity *id = xmalloc(sizeof(Identity));
		732	Idtab *tab = NULL;
		733
		734	id->key = k;
		735	k = NULL;
		736	id->comment = comment;
		737	id->death = 0; /* handled by pkcs#11 helper */
		738	id->confirm = 0;
		739
		740	tab = idtab_lookup(version);
		741	TAILQ_INSERT_TAIL(&tab->idlist, id, next);
		742	/* Increment the number of identities. */
		743	tab->nentries++;
		744	success = 1;
		745	}
		746	}
		747	}
		748
		749	if (k != NULL)
		750	key_free(k);
		751
		752	if (pkcs11_id != NULL)
		753	pkcs11_id_free(pkcs11_id);
		754
		755	buffer_put_int(&e->output, 1);
		756	buffer_put_char(&e->output,
757	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
758	}
759
760	static
761	void
762	process_pkcs11_remove_id (SocketEntry *e)
763	{
764	Identity *id = NULL;
765	char *comment = NULL;
766	pkcs11_id *pkcs11_id = NULL;
767	Key *k = NULL;
768	int version = 2;
769	int success = 0;
770
771	pkcs11_id = pkcs11_id_new();
772	if (pkcs11_id != NULL) {
773	pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
774	pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
775	pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));
776
777	if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
778	id = lookup_identity (k, version);
779	xfree(comment);
780	comment = NULL;
781	}
782
783	if (id != NULL) {
784	Idtab *tab = NULL;
785
786	tab = idtab_lookup(version);
787	TAILQ_REMOVE(&tab->idlist, id, next);
788	tab->nentries--;
789	free_identity(id);
790	id = NULL;
791	success = 1;
792	}
793	}
794
795	if (k != NULL)
796	key_free(k);
797
798	if (pkcs11_id != NULL)
799	pkcs11_id_free(pkcs11_id);
800
801	buffer_put_int(&e->output, 1);
802	buffer_put_char(&e->output,
803	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
804	}
805
806	#endif /* ENABLE_PKCS11 */
807
692	/* dispatch incoming messages */	808	/* dispatch incoming messages */
693		809
694	static void	810	static void
Lines 781-786 process_message(SocketEntry *e) Link Here
781	process_remove_smartcard_key(e);	897	process_remove_smartcard_key(e);
782	break;	898	break;
783	#endif /* SMARTCARD */	899	#endif /* SMARTCARD */
		900
		901	#ifdef ENABLE_PKCS11
		902	case SSH_AGENTC_PKCS11_ADD_PROVIDER:
		903	process_pkcs11_add_provider(e);
		904	break;
		905	case SSH_AGENTC_PKCS11_ADD_ID:
		906	process_pkcs11_add_id(e);
		907	break;
		908	case SSH_AGENTC_PKCS11_REMOVE_ID:
		909	process_pkcs11_remove_id(e);
		910	break;
		911	#endif /* ENABLE_PKCS11 */
784	default:	912	default:
785	/* Unknown message. Respond with failure. */	913	/* Unknown message. Respond with failure. */
786	error("Unknown message %d", type);	914	error("Unknown message %d", type);
Lines 988-993 static void Link Here
988	cleanup_handler(int sig)	1116	cleanup_handler(int sig)
989	{	1117	{
990	cleanup_socket();	1118	cleanup_socket();
		1119	#ifdef ENABLE_PKCS11
		1120	pkcs11_terminate ();
		1121	#endif /* ENABLE_PKCS11 */
991	_exit(2);	1122	_exit(2);
992	}	1123	}
993		1124
Lines 1216-1221 main(int ac, char **av) Link Here
1216	}	1347	}
1217		1348
1218	skip:	1349	skip:
		1350
		1351	#ifdef ENABLE_PKCS11
		1352	pkcs11_initialize (1, -1);
		1353	#endif /* ENABLE_PKCS11 */
		1354
1219	new_socket(AUTH_SOCKET, sock);	1355	new_socket(AUTH_SOCKET, sock);
1220	if (ac > 0)	1356	if (ac > 0)
1221	parent_alive_interval = 10;	1357	parent_alive_interval = 10;