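--- a/authfd.c
+++ b/authfd.c
@@ -121,7 +121,7 @@ ssh_get_authentication_socket(int *fdp)
 }
 
 /* Communicate with agent: send request and read reply */
-static int
+int
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 {
 	int r;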
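--- a/authfd.h
+++ b/authfd.h
@@ -42,6 +42,7 @@ int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
 int	ssh_agent_sign(int sock, struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
 	    const u_char *data, size_t datalen, u_int compat);
+int	ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply);
 
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1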
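Review bot: The new `ssh_request_reply()` prototype exports a formerly file-private helper without documenting its contract, and the new caller in ssh-keygen.c (`ssh_request_reply(agent_fd, msg, msg)`) relies on `request` and `reply` being allowed to be the same buffer. A comment above the declaration should state that, e.g. `/* Send request to the agent on sock and read the reply into reply (reply may alias request); returns 0 on success, non-zero on error. */` — the return convention is inferred from how do_agent_sign tests the result, so confirm it against the implementation. The function body itself is outside the authfd.c hunk.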
(-)a/ssh-keygen.c (-13 / +96 lines)
Lines 57-62 Link Here
57
#include "atomicio.h"
57
#include "atomicio.h"
58
#include "krl.h"
58
#include "krl.h"
59
#include "digest.h"
59
#include "digest.h"
60
#include "authfd.h"
60
61
61
#ifdef WITH_OPENSSL
62
#ifdef WITH_OPENSSL
62
# define DEFAULT_KEY_TYPE_NAME "rsa"
63
# define DEFAULT_KEY_TYPE_NAME "rsa"
Lines 1566-1590 load_pkcs11_key(char *path) Link Here
1566
#endif /* ENABLE_PKCS11 */
1567
#endif /* ENABLE_PKCS11 */
1567
}
1568
}
1568
1569
1570
static int
1571
do_agent_sign(int agent_fd, struct sshkey *k, struct sshkey *ca_pk,
1572
	u_char *ca_blob, size_t ca_len)
1573
{
1574
	u_char type;
1575
	u_char *sig;
1576
	size_t slen;
1577
	struct sshbuf *msg, *cert_blob;
1578
	u_int flags = 0;
1579
	int ret = 0, r = 0;
1580
1581
	cert_blob = k->cert->certblob; /* for readability */
1582
	if ((msg = sshbuf_new()) == NULL)
1583
		fatal("%s: sshbuf_new failed", __func__);
1584
	if ((r = sshkey_cert_prepare_sign(k, ca_pk)) != 0) {
1585
		ret = -1;
1586
	}
1587
	
1588
	if (ret == 0) {
1589
		if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
1590
			(r = sshbuf_put_string(msg, ca_blob, ca_len)) != 0 ||
1591
			(r = sshbuf_put_string(msg, sshbuf_ptr(cert_blob),
1592
			sshbuf_len(cert_blob))) != 0 ||
1593
			(r = sshbuf_put_u32(msg, flags)) != 0)
1594
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
1595
		if ((r = ssh_request_reply(agent_fd, msg, msg)) != 0)
1596
			ret = -1;
1597
		else if ((r = sshbuf_get_u8(msg, &type)) != 0)
1598
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
1599
		else if ((type == SSH_AGENT_FAILURE) ||
1600
				 (type == SSH2_AGENT_FAILURE))
1601
			ret = -1;
1602
		else if ((r = sshbuf_get_string(msg, &sig, &slen)) != 0 ||
1603
				 (r = sshbuf_put_string(cert_blob, sig, slen)) != 0)
1604
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
1605
		else
1606
			free(sig);
1607
	}
1608
	
1609
	sshbuf_free(msg);
1610
	return ret;
1611
}
1612
1569
static void
1613
static void
1570
do_ca_sign(struct passwd *pw, int argc, char **argv)
1614
do_ca_sign(struct passwd *pw, int argc, char **argv)
1571
{
1615
{
1572
	int r, i, fd;
1616
	int r, i, fd, agent_fd;
1573
	u_int n;
1617
	u_int n;
1574
	struct sshkey *ca, *public;
1618
	struct sshkey *ca, *ca_pk, *public;
1575
	char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
1619
	char *otmp, *tmp, *cp, *out, *comment, **plist = NULL;
1576
	FILE *f;
1620
	FILE *f;
1621
	u_char *ca_blob;
1622
	size_t ca_len;
1623
	/* flag indicating whether to try the ssh-agent to sign certificates */
1624
	int try_agent = 0;
1577
1625
1578
#ifdef ENABLE_PKCS11
1626
#ifdef ENABLE_PKCS11
1579
	pkcs11_init(1);
1627
	pkcs11_init(1);
1580
#endif
1628
#endif
1629
	
1630
	/* load pubkey of CA first (ca_blob), if it works, try getting agent socket */
1581
	tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1631
	tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1582
	if (pkcs11provider != NULL) {
1632
	if ((r = sshkey_load_public(tmp, &ca_pk, NULL)) == 0 &&
1583
		if ((ca = load_pkcs11_key(tmp)) == NULL)
1633
	    (r = sshkey_to_blob(ca_pk, &ca_blob, &ca_len)) == 0) {
1584
			fatal("No PKCS#11 key matching %s found", ca_key_path);
1634
		switch (r = ssh_get_authentication_socket(&agent_fd)) {
1585
	} else
1635
		case SSH_ERR_SUCCESS:
1586
		ca = load_identity(tmp);
1636
			try_agent = 1;
1587
	free(tmp);
1637
			ca = NULL;
1638
			break;
1639
		case SSH_ERR_AGENT_NOT_PRESENT:
1640
			debug("Couldn't open connection to agent");
1641
			break;
1642
		default:
1643
			debug("Error connecting to agent");
1644
			break;
1645
		}
1646
	}
1647
	
1648
	if (!try_agent) {
1649
		if (pkcs11provider != NULL) {
1650
			if ((ca = load_pkcs11_key(tmp)) == NULL)
1651
				fatal("No PKCS#11 key matching %s found", ca_key_path);
1652
		} else
1653
			ca = load_identity(tmp);
1654
		free(tmp);
1655
	}
1588
1656
1589
	for (i = 0; i < argc; i++) {
1657
	for (i = 0; i < argc; i++) {
1590
		/* Split list of principals */
1658
		/* Split list of principals */
Lines 1623-1635 do_ca_sign(struct passwd *pw, int argc, char **argv) Link Here
1623
		prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
1691
		prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
1624
		prepare_options_buf(public->cert->extensions,
1692
		prepare_options_buf(public->cert->extensions,
1625
		    OPTIONS_EXTENSIONS);
1693
		    OPTIONS_EXTENSIONS);
1626
		if ((r = sshkey_from_private(ca,
1627
		    &public->cert->signature_key)) != 0)
1628
			fatal("key_from_private (ca key): %s", ssh_err(r));
1629
1694
1630
		if (sshkey_certify(public, ca) != 0)
1695
		if (try_agent &&
1631
			fatal("Couldn't not certify key %s", tmp);
1696
			(r = do_agent_sign(agent_fd, public, ca_pk, ca_blob, ca_len)) != 0) {
1697
			try_agent = 0;
1698
			otmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1699
			if (pkcs11provider != NULL) {
1700
				if ((ca = load_pkcs11_key(otmp)) == NULL)
1701
					fatal("No PKCS#11 key matching %s found", ca_key_path);
1702
			} else
1703
				ca = load_identity(otmp);
1704
			free(otmp);
1705
		}
1632
1706
1707
		if (!try_agent) {
1708
			if ((r = sshkey_from_private(ca,
1709
			    &public->cert->signature_key)) != 0)
1710
				fatal("key_from_private (ca key): %s", ssh_err(r));
1711
	
1712
			if (sshkey_certify(public, ca) != 0)
1713
				fatal("Couldn't not certify key %s", tmp);
1714
		}
1715
	
1633
		if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
1716
		if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
1634
			*cp = '\0';
1717
			*cp = '\0';
1635
		xasprintf(&out, "%s-cert.pub", tmp);
1718
		xasprintf(&out, "%s-cert.pub", tmp);
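Review bot: In the first hunk `tmp` from `tilde_expand_filename()` is freed only inside `if (!try_agent)`, so the agent path leaks it, and `ca_pk`/`ca_blob` obtained from `sshkey_load_public()`/`sshkey_to_blob()` are never released (nor is `ca_pk` when `sshkey_to_blob()` fails); `free(tmp)` belongs outside the conditional and the CA objects should be freed at the end of do_ca_sign, whose tail is outside the hunks. The CA-private-key loading sequence is now duplicated, once in the `if (!try_agent)` block of the first hunk and again in the agent-fallback of the second hunk, so a small static helper removes both copies and the `otmp` re-expansion. The `default:` arm of the agent switch also discards the error code; `debug("Error connecting to agent: %s", ssh_err(r));` keeps it, and in do_agent_sign a failed `sshkey_cert_prepare_sign()` is equally silent, where `debug("%s: %s", __func__, ssh_err(r));` would explain why the fallback happened. The `r` assigned from `do_agent_sign()` in the second hunk is never read.
```c
/* Load the CA private key named by ca_key_path (PKCS#11 or file); fatal()s on failure. */
static struct sshkey *
load_ca_key(struct passwd *pw)
{
	struct sshkey *ca;
	char *path = tilde_expand_filename(ca_key_path, pw->pw_uid);

	if (pkcs11provider != NULL) {
		if ((ca = load_pkcs11_key(path)) == NULL)
			fatal("No PKCS#11 key matching %s found", ca_key_path);
	} else
		ca = load_identity(path);
	free(path);
	return ca;
}

/* … unchanged: do_agent_sign … */

	/* do_ca_sign, after the agent-socket switch (first hunk) */
	free(tmp);
	if (!try_agent)
		ca = load_ca_key(pw);

	/* … unchanged: principal parsing, certificate options … */

		/* per-key loop, agent fallback (second hunk) */
		if (try_agent &&
		    do_agent_sign(agent_fd, public, ca_pk, ca_blob, ca_len) != 0) {
			try_agent = 0;
			ca = load_ca_key(pw);
		}
```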
(-)a/sshkey.c (-9 / +27 lines)
Lines 2370-2382 sshkey_drop_cert(struct sshkey *k) Link Here
2370
	return 0;
2370
	return 0;
2371
}
2371
}
2372
2372
2373
/* Sign a certified key, (re-)generating the signed certblob. */
2373
/* Prepare a certificate blob for CA signing. */
2374
int
2374
int
2375
sshkey_certify(struct sshkey *k, struct sshkey *ca)
2375
sshkey_cert_prepare_sign(struct sshkey *k, struct sshkey *ca) {
2376
{
2377
	struct sshbuf *principals = NULL;
2376
	struct sshbuf *principals = NULL;
2378
	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
2377
	u_char *ca_blob = NULL, nonce[32];
2379
	size_t i, ca_len, sig_len;
2378
	size_t i, ca_len;
2380
	int ret = SSH_ERR_INTERNAL_ERROR;
2379
	int ret = SSH_ERR_INTERNAL_ERROR;
2381
	struct sshbuf *cert;
2380
	struct sshbuf *cert;
2382
2381
Lines 2459-2465 sshkey_certify(struct sshkey *k, struct sshkey *ca) Link Here
2459
	    (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2458
	    (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2460
	    (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2459
	    (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2461
		goto out;
2460
		goto out;
2461
	ret = 0;
2462
 out:
2463
	if (ret != 0)
2464
		sshbuf_reset(cert);
2465
	if (ca_blob != NULL)
2466
		free(ca_blob);
2467
	if (principals != NULL)
2468
		sshbuf_free(principals);
2469
	return ret;
2470
}
2462
2471
2472
/* Sign a certified key, (re-)generating the signed certblob. */
2473
int
2474
sshkey_certify(struct sshkey *k, struct sshkey *ca)
2475
{
2476
	u_char *sig_blob = NULL;
2477
	size_t sig_len;
2478
	int ret = SSH_ERR_INTERNAL_ERROR;
2479
	struct sshbuf *cert;
2480
  
2481
	cert = k->cert->certblob; /* for readability */
2482
	if ((ret = sshkey_cert_prepare_sign(k, ca)) != 0)
2483
		goto out;
2484
	
2463
	/* Sign the whole mess */
2485
	/* Sign the whole mess */
2464
	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2486
	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2465
	    sshbuf_len(cert), 0)) != 0)
2487
	    sshbuf_len(cert), 0)) != 0)
Lines 2474-2483 sshkey_certify(struct sshkey *k, struct sshkey *ca) Link Here
2474
		sshbuf_reset(cert);
2496
		sshbuf_reset(cert);
2475
	if (sig_blob != NULL)
2497
	if (sig_blob != NULL)
2476
		free(sig_blob);
2498
		free(sig_blob);
2477
	if (ca_blob != NULL)
2478
		free(ca_blob);
2479
	if (principals != NULL)
2480
		sshbuf_free(principals);
2481
	return ret;
2499
	return ret;
2482
}
2500
}
2483
2501
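Review bot: The header comment on the new `sshkey_cert_prepare_sign()` does not say what state it leaves behind, which matters now that it is exported and `do_agent_sign()` in ssh-keygen.c depends on it: the unsigned certificate body is left in `k->cert->certblob` for the caller to complete by appending the signature as a string, and `certblob` is reset on error (the `out:` path of the first hunk). I would replace the one-liner with `/* Build the unsigned certificate body of k into k->cert->certblob, naming ca as the signing key. The caller must append the signature string; on error certblob is reset. */`. The opening brace of that function sits on the signature line, unlike the other definitions in this file, and the new `sshkey_certify()` body contains whitespace-only lines (two spaces after `struct sshbuf *cert;`, a lone tab after `goto out;`) that should be empty. Whether `sshkey_cert_prepare_sign()` resets `certblob` before building, as the former single function presumably did, is not visible in the hunk; if it does not, a fallback that calls `sshkey_certify()` after an agent attempt that failed past the prepare step would append to a partially built buffer.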
(-)a/sshkey.h (-1 / +1 lines)
Lines 137-142 int sshkey_type_is_cert(int); Link Here
137
int	 sshkey_type_plain(int);
137
int	 sshkey_type_plain(int);
138
int	 sshkey_to_certified(struct sshkey *);
138
int	 sshkey_to_certified(struct sshkey *);
139
int	 sshkey_drop_cert(struct sshkey *);
139
int	 sshkey_drop_cert(struct sshkey *);
140
int	 sshkey_cert_prepare_sign(struct sshkey *, struct sshkey *);
140
int	 sshkey_certify(struct sshkey *, struct sshkey *);
141
int	 sshkey_certify(struct sshkey *, struct sshkey *);
141
int	 sshkey_cert_copy(const struct sshkey *, struct sshkey *);
142
int	 sshkey_cert_copy(const struct sshkey *, struct sshkey *);
142
int	 sshkey_cert_check_authority(const struct sshkey *, int, int,
143
int	 sshkey_cert_check_authority(const struct sshkey *, int, int,
143
- 
