Attachment #1467 for bug #1371

View | Details | Raw Unified | Return to bug 1371 | Differences between

and this patch




	/* NOTREACHED */
	return 0;
}

#ifdef ENABLE_PKCS11

int
ssh_pkcs11_add_provider(AuthenticationConnection *auth,
	const PKCS11Provider *const provider)
{
	Buffer msg;
	int type;

	buffer_init(&msg);
	buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
	buffer_put_cstring(&msg, provider->provider);
	buffer_put_int(&msg, (unsigned)provider->protected_authentication);
	buffer_put_int(&msg, provider->private_mode);
	buffer_put_int(&msg, (unsigned)provider->cert_is_private);

	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		buffer_free(&msg);
		return 0;
	}
	type = buffer_get_char(&msg);
	buffer_free(&msg);
	return decode_reply(type);
}

int
ssh_pkcs11_id(AuthenticationConnection *auth, const PKCS11Id *const id, int remove)
{
	Buffer msg;
	int type;

	buffer_init(&msg);
	buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
	buffer_put_cstring(&msg, id->id);
	buffer_put_int(&msg, (unsigned)id->pin_cache_period);
	buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);

	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		buffer_free(&msg);
		return 0;
	}
	type = buffer_get_char(&msg);
	buffer_free(&msg);
	return decode_reply(type);
}

#endif /* ENABLE_PKCS11 */

Lines 16-21 Link Here

(-)ssh.org/authfd.h (+12 lines)
16	#ifndef AUTHFD_H	16	#ifndef AUTHFD_H
17	#define AUTHFD_H	17	#define AUTHFD_H
18		18
		19	#include "pkcs11.h"
		20
19	/* Messages for the authentication agent connection. */	21	/* Messages for the authentication agent connection. */
20	#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1	22	#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
21	#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2	23	#define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
Lines 49-54 Link Here
49	#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25	51	#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
50	#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26	52	#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
51		53
		54	#define SSH_AGENTC_PKCS11_ADD_PROVIDER 27
		55	#define SSH_AGENTC_PKCS11_ADD_ID 28
		56	#define SSH_AGENTC_PKCS11_REMOVE_ID 29
		57
52	#define SSH_AGENT_CONSTRAIN_LIFETIME 1	58	#define SSH_AGENT_CONSTRAIN_LIFETIME 1
53	#define SSH_AGENT_CONSTRAIN_CONFIRM 2	59	#define SSH_AGENT_CONSTRAIN_CONFIRM 2
54		60
Lines 92-95 int Link Here
92	ssh_agent_sign(AuthenticationConnection , Key , u_char *, u_int , u_char *,	98	ssh_agent_sign(AuthenticationConnection , Key , u_char *, u_int , u_char *,
93	u_int);	99	u_int);
94		100
		101	#ifdef ENABLE_PKCS11
		102	int ssh_pkcs11_add_provider(AuthenticationConnection *,
		103	const PKCS11Provider *const);
		104	int ssh_pkcs11_id(AuthenticationConnection , const PKCS11Id const, int remove);
		105	#endif /* ENABLE_PKCS11 */
		106
95	#endif /* AUTHFD_H */	107	#endif /* AUTHFD_H */




/*
 * Copyright(c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 *
 * The _ssh_from_x509 is dirived of Tatu and Markus work.
 * Copyright(c) 2006 Alon bar-Lev <alon.barlev@gmail.com>.  All rights reserved.
 * Copyright(c) 2000, 2001 Markus Friedl.  All rights reserved.
 * Copyright(c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifdef ENABLE_PKCS11

#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <errno.h>
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#include <pkcs11-helper-1.0/pkcs11h-openssl.h>
#include "openssl/pem.h"
#include "misc.h"
#include "xmalloc.h"
#include "log.h"
#include "pkcs11.h"

static char *
_ssh_from_x509(X509 *);

static time_t
__mytime(void)
{
	return time(NULL);
}

static void
__mysleep(const unsigned long usec)
{
	usleep((unsigned)usec);
}

static int
__mygettimeofday(struct timeval *tv)
{
	return gettimeofday(tv, NULL);
}

static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
	xmalloc,
	xfree,
	__mytime,
	__mysleep,
	__mygettimeofday
};

static LogLevel
_pkcs11_msg_pkcs112openssh(const unsigned flags)
{
	LogLevel openssh_flags;

	switch (flags) {
	case PKCS11H_LOG_DEBUG2:
		openssh_flags = SYSLOG_LEVEL_DEBUG3;
		break;
	case PKCS11H_LOG_DEBUG1:
		openssh_flags = SYSLOG_LEVEL_DEBUG2;
		break;
	case PKCS11H_LOG_INFO:
		openssh_flags = SYSLOG_LEVEL_INFO;
		break;
	case PKCS11H_LOG_WARN:
		openssh_flags = SYSLOG_LEVEL_ERROR;
		break;
	case PKCS11H_LOG_ERROR:
		openssh_flags = SYSLOG_LEVEL_FATAL;
		break;
	default:
		openssh_flags = SYSLOG_LEVEL_FATAL;
		break;
	}

	return openssh_flags;
}

static unsigned
_pkcs11_msg_openssh2pkcs11(const LogLevel flags)
{
	unsigned pkcs11_flags;

	switch (flags) {
	case SYSLOG_LEVEL_DEBUG3:
		pkcs11_flags = PKCS11H_LOG_DEBUG2;
		break;
	case SYSLOG_LEVEL_DEBUG2:
		pkcs11_flags = PKCS11H_LOG_DEBUG1;
		break;
	case SYSLOG_LEVEL_INFO:
		pkcs11_flags = PKCS11H_LOG_INFO;
		break;
	case SYSLOG_LEVEL_ERROR:
		pkcs11_flags = PKCS11H_LOG_WARN;
		break;
	case SYSLOG_LEVEL_FATAL:
		pkcs11_flags = PKCS11H_LOG_ERROR;
		break;
	default:
		pkcs11_flags = PKCS11H_LOG_ERROR;
		break;
	}

	return pkcs11_flags;
}

static void
_pkcs11_openssh_log(void *const global_data, unsigned flags,
	const char *const format, va_list args)
{
	(void) global_data;

	do_log(_pkcs11_msg_pkcs112openssh(flags), format, args);
}

static PKCS11H_BOOL
_pkcs11_ssh_token_prompt(void *const global_data,
	void *const user_data,
	const pkcs11h_token_id_t token, IN const unsigned retry)
{
	(void) global_data;
	(void) user_data;
	(void) retry;

	return ask_permission("Please insert token '%s'", token->display);
}

static PKCS11H_BOOL
_pkcs11_ssh_pin_prompt(void *const global_data,
	void *const user_data, const pkcs11h_token_id_t token,
	const unsigned retry, char *const pin, const size_t pin_max)
{
	char prompt[1024];
	char *passphrase = NULL;
	PKCS11H_BOOL ret = FALSE;

	(void) global_data;
	(void) user_data;
	(void) retry;

	if (snprintf(prompt, sizeof(prompt), "Please enter PIN for token '%s': ",
		token->display) < 0)
		goto cleanup;

	passphrase = read_passphrase(prompt, RP_ALLOW_EOF);

	if (passphrase == NULL || strlen(passphrase) == 0 ||
		strlen(passphrase) > pin_max-1)
		goto cleanup;
	
	strncpy(pin, passphrase, pin_max);

	ret = TRUE;

cleanup:

	if (passphrase != NULL)
		xfree(passphrase);

	return ret;
}

static int
_pkcs11_convert_to_ssh_key(const pkcs11h_certificate_id_t certificate_id, Key **const key,
	char **const comment, const int pin_cache_period)
{
	pkcs11h_certificate_t certificate = NULL;
	pkcs11h_certificate_id_t certificate_id_new = NULL;
	pkcs11h_openssl_session_t openssl_session = NULL;
	Key *internal_key = NULL;
	char *internal_comment = NULL;
	RSA *rsa = NULL;
	size_t temp;
	CK_RV rv = CKR_OK;

	*key = NULL;
	*comment = NULL;

	debug3("PKCS#11: _pkcs11_convert_to_ssh_key - entered - certificate=%p, "
		"key=%p, comment=%p, pin_cache_period=%d", (void *) certificate,
		(void *) key, (void *) comment, pin_cache_period);

	if ((rv = pkcs11h_certificate_create(certificate_id, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, pin_cache_period,
		&certificate)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	/*
	 * New certificate_id is constructed from certificate
	 * blob so that it will contian the proper description.
	 */

	if ((rv = pkcs11h_certificate_getCertificateBlob(certificate,
				NULL, &temp)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate blob %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_certificate_getCertificateId(certificate,
		&certificate_id_new)) != CKR_OK) {
		error("PKCS#11: Cannot get certificate_id %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((internal_comment = xstrdup(certificate_id_new->displayName)) == NULL) {
		error("PKCS#11: Memory allocation error");
		goto cleanup;
	}

	if ((openssl_session =
			pkcs11h_openssl_createSession(certificate)) == NULL) {
		error("PKCS#11: Cannot initialize openssl session");
		goto cleanup;
	}

	/*
	 * will be release by openssl_session
	 */
	certificate = NULL;

	if ((rsa = pkcs11h_openssl_session_getRSA(openssl_session)) == NULL) {
		error("PKCS#11: Unable get rsa object");
		goto cleanup;
	}

	internal_key = key_new_private(KEY_UNSPEC);
	internal_key->flags |= KEY_FLAG_EXT;
	internal_key->rsa = rsa;
	rsa = NULL;
	internal_key->type = KEY_RSA;

	*key = internal_key;
	internal_key = NULL;
	*comment = internal_comment;
	internal_comment = NULL;

cleanup:
	if (internal_key != NULL) {
		key_free(internal_key);
		internal_key = NULL;
	}

	if (internal_comment != NULL) {
		xfree(internal_comment);
		internal_comment = NULL;
	}

	if (rsa != NULL) {
		RSA_free (rsa);
		rsa = NULL;
	}

	if (openssl_session != NULL) {
		pkcs11h_openssl_freeSession(openssl_session);
		openssl_session = NULL;
	}

	if (certificate_id_new != NULL) {
		pkcs11h_certificate_freeCertificateId(certificate_id_new);
		certificate_id_new = NULL;
	}

	if (certificate != NULL) {
		pkcs11h_certificate_freeCertificate(certificate);
		certificate = NULL;
	}

	debug3("PKCS#11: _pkcs11_convert_to_ssh_key - return *key=%p", (void *) *key);

	return *key != NULL;
}

int
pkcs11_initialize(const int protected_authentication, const int pin_cache_period)
{
	CK_RV rv = CKR_FUNCTION_FAILED;

	debug3("PKCS#11: pkcs11_initialize - entered protected_authentication=%d, "
		"pin_cache_period=%d", protected_authentication, pin_cache_period);

	if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK) {
		error("PKCS#11: Cannot set system engine %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_initialize()) != CKR_OK) {
		error("PKCS#11: Cannot initialize %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setLogHook(_pkcs11_openssh_log, NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	pkcs11h_setLogLevel(_pkcs11_msg_openssh2pkcs11(get_log_level ()));

	if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_ssh_token_prompt,
		NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setPINPromptHook(_pkcs11_ssh_pin_prompt,
		NULL)) != CKR_OK) {
		error("PKCS#11: Cannot set hooks %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setProtectedAuthentication(protected_authentication)) !=
		CKR_OK) {
		error("PKCS#11: Cannot set protected authentication mode %ld-'%s'",
			rv, pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if ((rv = pkcs11h_setPINCachePeriod(pin_cache_period)) != CKR_OK) {
		error("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	rv = CKR_OK;

cleanup:
	debug3("PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
		rv, pkcs11h_getMessage(rv));

	return rv == CKR_OK;
}

void
pkcs11_terminate(void)
{
	debug3("PKCS#11: pkcs11_terminate - entered");

	pkcs11h_terminate();

	debug3("PKCS#11: pkcs11_terminate - return");
}

void
pkcs11_free_provider(PKCS11Provider *const provider) {
	if (provider != NULL) {
		if (provider->provider != NULL)
			xfree(provider->provider);
		xfree(provider);
	}
}

PKCS11Provider *
pkcs11_parse_provider(const char *const info)
{
	PKCS11Provider *provider = NULL;
	PKCS11Provider *ret = NULL;
	char *split[4];
	char *s = NULL;
	char *p;
	int i;

	if (info == NULL)
		goto cleanup;

	if ((provider = (PKCS11Provider *) xmalloc(sizeof(*provider))) == NULL)
		goto cleanup;

	memset(provider, 0, sizeof(*provider));
	memset(split, 0, sizeof(split));

	if ((s=xstrdup(info)) == NULL)
		goto cleanup;

	p = s;
	i=0;
	while(i<4 && p != NULL) {
		char *t;
		if ((t = strchr(p, ':')) != NULL)
			*t = '\x0';
		split[i++] = p;
		if (t != NULL)
			p = t+1;
		else
			p = NULL;
	}

	/*
	 * provider[:protected_authentication[:private_mode[:cert_is_private]]]
	 * string:1|0:hex:1|0
	 */
	if (split[0] != NULL)
		provider->provider = xstrdup(split[0]);
	if (split[1] != NULL)
		provider->protected_authentication = atoi(split[1]) != 0;
	if (split[2] != NULL)
		sscanf(split[2], "%x", &provider->private_mode);
	if (split[3] != NULL)
		provider->cert_is_private = atoi(split[3]) != 0;
	
	if (provider->provider == NULL || strlen(provider->provider) == 0)
		goto cleanup;

	ret = provider;
	provider = NULL;

cleanup:
	if (s != NULL)
		xfree(s);

	if (provider != NULL)
		pkcs11_free_provider(provider);

	return ret;
}

int
pkcs11_add_provider(const PKCS11Provider *const provider)
{
	CK_RV rv = CKR_OK;

	debug3("PKCS#11: pkcs11_add_provider - entered - provider='%s', "
		"protected_authentication=%d, private_mode='%08x', cert_is_private=%d",
		provider->provider, provider->protected_authentication ? 1 : 0,
		provider->private_mode,	provider->cert_is_private ? 1 : 0);

	debug("PKCS#11: Adding PKCS#11 provider '%s'", provider->provider);

	if (rv == CKR_OK &&
		(rv = pkcs11h_addProvider(provider->provider, provider->provider,
			provider->protected_authentication, provider->private_mode,
				PKCS11H_SLOTEVENT_METHOD_AUTO,
				0, provider->cert_is_private)) != CKR_OK) {
		error("PKCS#11: Cannot initialize provider '%s' %ld-'%s'",
			provider->provider, rv, pkcs11h_getMessage(rv));
	}

	debug3("PKCS#11: pkcs11_add_provider - return rv=%ld-'%s'",
		rv, pkcs11h_getMessage(rv));

	return rv == CKR_OK;
}

PKCS11Id *
pkcs11_id_new(void)
{
	PKCS11Id *id = (PKCS11Id *) xmalloc(sizeof(*id));
	if (id != NULL) {
		memset(id, 0, sizeof(*id));
		id->pin_cache_period = PKCS11H_PIN_CACHE_INFINITE;
	}
	return id;
}

void
pkcs11_id_free(PKCS11Id *const id)
{
	if (id != NULL)
		xfree(id);
}

int
pkcs11_get_key(const PKCS11Id *const id, Key **const key,
	char **const comment)
{
	pkcs11h_certificate_id_t certificate_id = NULL;
	CK_RV rv = CKR_OK;

	debug3("PKCS#11: pkcs11_get_key - entered - id=%p, key=%p, "
		"comment=%p", (const void *) id, (void *) key, (void *) comment);

	debug3("PKCS#11: pkcs11_get_key - id - id=%s, "
		"pin_cache_period=%d, cert_file=%s",
		id->id, id->pin_cache_period, id->cert_file);

	if (pkcs11h_certificate_deserializeCertificateId(&certificate_id, id->id)) {
		error("PKCS#11: Cannot deserialize id %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	if (id->cert_file != NULL && id->cert_file[0] != '\x0') {
		X509 *x509 = NULL;
		unsigned char *p = NULL;
		unsigned char *certificate_blob = NULL;
		size_t certificate_blob_size = 0;
		int size;
		FILE *fp = NULL;

		if ((fp = fopen(id->cert_file, "r")) == NULL) {
			error("PKCS#11: Cannot open file '%s'", id->cert_file);
			goto cleanup1;
		}

		if (!PEM_read_X509(fp, &x509, NULL, 0)) {
			x509 = NULL;
			error("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
			goto cleanup1;
		}

		if ((size = i2d_X509(x509, NULL)) < 0) {
			error("PKCS#11: Cannot read decode certificate");
			goto cleanup1;
		}
		certificate_blob_size = (size_t)size;

		if ((certificate_blob =
				(unsigned char *) xmalloc(certificate_blob_size)) == NULL) {
			error("PKCS#11: Cannot allocate memory");
			goto cleanup1;
		}

		/*
		 * i2d_X509 increments p!!!
		 */
		p = certificate_blob;

		if ((size = i2d_X509(x509, &p)) < 0) {
			error("PKCS#11: Cannot read decode certificate");
			goto cleanup1;
		}
		certificate_blob_size = (size_t)size;

		if (pkcs11h_certificate_setCertificateIdCertificateBlob
			(certificate_id, certificate_blob, certificate_blob_size)
			!= CKR_OK) {
			error("PKCS#11: Cannot set certificate blob %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

	cleanup1:
		if (x509 != NULL) {
			X509_free(x509);
			x509 = NULL;
		}

		if (certificate_blob != NULL) {
			xfree(certificate_blob);
			certificate_blob = NULL;
		}

		if (fp != NULL) {
			fclose(fp);
			fp = NULL;
		}
	}

	_pkcs11_convert_to_ssh_key(certificate_id, key, comment, id->pin_cache_period);

cleanup:

	if (certificate_id != NULL) {
		pkcs11h_certificate_freeCertificateId(certificate_id);
		certificate_id = NULL;
	}

	debug3("PKCS#11: pkcs11_get_key - return rv=%ld, *key=%p", rv, ( void *) *key);

	return *key != NULL;
}

int
pkcs11_get_keys(Key ***const keys, char ***const comments)
{
#define PKCS11_MAX_KEYS 10
	Key **internal_keys = NULL;
	char **internal_comments = NULL;
	pkcs11h_certificate_id_list_t user_certificates = NULL;
	pkcs11h_certificate_id_list_t current = NULL;
	CK_RV rv = CKR_FUNCTION_FAILED;
	int i;

	debug3("PKCS#11: pkcs11_get_keys - entered - sshkey=%p, "
		"comment=%p",
		(void *) keys, (void *) comments);
	
	*keys = NULL;
	*comments = NULL;
	
	if((internal_keys = xmalloc((PKCS11_MAX_KEYS+1)*sizeof(*internal_keys))) == NULL) {
		rv = CKR_HOST_MEMORY;
		goto cleanup;
	}

	if((internal_comments = xmalloc((PKCS11_MAX_KEYS+1)*sizeof(*internal_comments))) == NULL) {
		rv = CKR_HOST_MEMORY;
		goto cleanup;
	}

	memset(internal_keys, 0, (PKCS11_MAX_KEYS+1)*sizeof(*internal_keys));
	memset(internal_comments, 0, (PKCS11_MAX_KEYS+1)*sizeof(*internal_comments));

	if ((rv = pkcs11h_certificate_enumCertificateIds(
		PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
		&user_certificates)) != CKR_OK) {
		error("PKCS#11: Cannot enumerate certificates %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	i = 0;
	for (current = user_certificates; current != NULL && i<PKCS11_MAX_KEYS;
		current = current->next) {

		if (_pkcs11_convert_to_ssh_key(current->certificate_id, &internal_keys[i],
			&internal_comments[i], PKCS11H_PIN_CACHE_INFINITE)) {
			i++;
		}
	}

	*keys = internal_keys;
	internal_keys = NULL;
	*comments = internal_comments;
	internal_comments = NULL;
	rv = CKR_OK;

cleanup:
	if (user_certificates != NULL) {
		pkcs11h_certificate_freeCertificateIdList(user_certificates);
		user_certificates = NULL;
	}

	if (internal_keys != NULL) {
		Key **t = internal_keys;
		while (*t != NULL) {
			key_free(*t);
			t++;
		}
		xfree(internal_keys);
	}

	if (internal_comments != NULL) {
		char **t = internal_comments;
		while (*t != NULL) {
			xfree(*t);
			t++;
		}
		xfree(internal_comments);
	}

	debug3("PKCS#11: pkcs11_get_keys - return rv=%ld, *keys=%p", rv, (void *) *keys);

	return *keys != NULL;
#undef PKCS11_MAX_KEYS
}

void
pkcs11_show_ids(void)
{
	pkcs11h_certificate_id_list_t user_certificates = NULL;
	pkcs11h_certificate_id_list_t current = NULL;
	CK_RV rv = CKR_FUNCTION_FAILED;

	if ((rv = pkcs11h_certificate_enumCertificateIds(
		PKCS11H_ENUM_METHOD_CACHE_EXIST, NULL,
		PKCS11H_PROMPT_MASK_ALLOW_ALL, NULL,
		&user_certificates)) != CKR_OK) {
		error("PKCS#11: Cannot enumerate certificates %ld-'%s'", rv,
			pkcs11h_getMessage(rv));
		goto cleanup;
	}

	for (current = user_certificates; current != NULL;
		current = current->next) {

		pkcs11h_certificate_t certificate = NULL;
		X509 *x509 = NULL;

		BIO *bio = NULL;
		char dn[1024] = { 0 };
		char serial[1024] = { 0 };
		char *ser = NULL;
		char *ssh_key = NULL;
		size_t ser_len = 0;
		int n;

		if ((rv = pkcs11h_certificate_serializeCertificateId(NULL,
			&ser_len, current->certificate_id)) != CKR_OK) {
			error("PKCS#11: Cannot serialize certificate id "
				"certificates %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((ser = (char *) xmalloc(ser_len)) == NULL) {
			error("PKCS#11: Cannot allocate memory");
			goto cleanup1;
		}

		if ((rv = pkcs11h_certificate_serializeCertificateId(ser,
			&ser_len, current->certificate_id)) != CKR_OK) {
			error("PKCS#11: Cannot serialize certificate "
				"id certificates %ld-'%s'",
				rv, pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((rv = pkcs11h_certificate_create(current->certificate_id,
			NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
			PKCS11H_PIN_CACHE_INFINITE, &certificate)) != CKR_OK) {
			error("PKCS#11: Cannot create certificate %ld-'%s'", rv,
				pkcs11h_getMessage(rv));
			goto cleanup1;
		}

		if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL) {
			error("PKCS#11: Cannot get X509");
			goto cleanup1;
		}

		X509_NAME_oneline(X509_get_subject_name(x509), dn, sizeof(dn));

		if ((bio = BIO_new(BIO_s_mem())) == NULL) {
			error("PKCS#11: Cannot create BIO");
			goto cleanup1;
		}

		i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509));
		n = BIO_read(bio, serial, sizeof(serial) - 1);
		if (n < 0)
			serial[0] = '\x0';
		else
			serial[n] = 0;

		printf(("\n"
				"********************************************\n"
				"IDENTITY:\n"
				"       DN:             %s\n"
				"       Serial:         %s\n"
				"       Serialized id:  %s\n"
				"\n" "       Certificate:\n"), dn, serial, ser);
		PEM_write_X509(stdout, x509);

		if ((ssh_key = _ssh_from_x509(x509)) != NULL) {
			printf(("\n" "        SSH:\n" "%s\n"), ssh_key);

			xfree(ssh_key);
		}

	cleanup1:
		if (x509 != NULL) {
			X509_free(x509);
			x509 = NULL;
		}

		if (bio != NULL) {
			BIO_free_all(bio);
			bio = NULL;
		}

		if (certificate != NULL) {
			pkcs11h_certificate_freeCertificate(certificate);
			certificate = NULL;
		}

		if (ser != NULL) {
			xfree(ser);
			ser = NULL;
		}
	}

cleanup:
	if (user_certificates != NULL) {
		pkcs11h_certificate_freeCertificateIdList(user_certificates);
		user_certificates = NULL;
	}
}

static char *
_ssh_from_x509(X509 * x509)
{
#define PUT_32BIT(cp, value) ( \
	(cp)[0] = (unsigned char)((value) >> 24), \
	(cp)[1] = (unsigned char)((value) >> 16), \
	(cp)[2] = (unsigned char)((value) >> 8), \
	(cp)[3] = (unsigned char)((value) >> 0) )

	EVP_PKEY *pubkey = NULL;
	BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
	unsigned char *blob = NULL, *buffer = NULL;
	char *ret = NULL;
	size_t blobsize = 0, retsize = 0;
	size_t bytes_name = 0, bytes_exponent = 0, bytes_modulus = 0;
	unsigned char *bp;
	char *p;
	int n;
	const char *keyname = NULL;
	int ok = 0;

	if ((pubkey = X509_get_pubkey(x509)) == NULL)
		goto cleanup;

	if ((bio64 = BIO_new(BIO_f_base64())) == NULL)
		goto cleanup;

	if ((bio = BIO_new(BIO_s_mem())) == NULL)
		goto cleanup;

	if ((bio2 = BIO_push(bio64, bio)) == NULL)
		goto cleanup;

	if (pubkey->type != EVP_PKEY_RSA)
		goto cleanup;

	keyname = "ssh-rsa";

	bytes_name = strlen(keyname);
	bytes_exponent = (size_t)BN_num_bytes(pubkey->pkey.rsa->e);
	bytes_modulus = (size_t)BN_num_bytes(pubkey->pkey.rsa->n);

	blobsize = (4 + bytes_name + 4 + ((unsigned)bytes_exponent + 1) + 4 +
		((unsigned)bytes_modulus + 1) + 1);

	if ((blob = (unsigned char *) xmalloc(blobsize)) == NULL)
		goto cleanup;

	if ((buffer = (unsigned char *) xmalloc(blobsize)) == NULL)
		goto cleanup;

	bp = blob;

	PUT_32BIT(bp, bytes_name), bp += 4;
	memcpy(bp, keyname, bytes_name), bp += (ssize_t)bytes_name;

	BN_bn2bin(pubkey->pkey.rsa->e, buffer);
	if (buffer[0] & 0x80) {
		// highest bit set would indicate a negative number.
		// to avoid this, we have to spend an extra byte:
		PUT_32BIT(bp, bytes_exponent + 1), bp += 4;
		*(bp++) = 0;
	} else
		PUT_32BIT(bp, bytes_exponent), bp += 4;

	memcpy(bp, buffer, bytes_exponent), bp += (ssize_t)bytes_exponent;

	BN_bn2bin(pubkey->pkey.rsa->n, buffer);
	if (buffer[0] & 0x80) {
		PUT_32BIT(bp, bytes_modulus + 1), bp += 4;
		*(bp++) = 0;
	} else
		PUT_32BIT(bp, bytes_modulus), bp += 4;

	memcpy(bp, buffer, bytes_modulus), bp += (ssize_t)bytes_modulus;

	if (BIO_write(bio2, blob, (int)(bp - blob)) == -1)
		goto cleanup;

	if (BIO_flush(bio2) == -1)
		goto cleanup;

	/*
	 * Allocate the newline too... We will remove them later
	 * For MS, allocate return as well.
	 */
	retsize = strlen(keyname) + 1 + (blobsize * 4 / 3) + (blobsize * 2 / 50) +
		10 + 1;

	if ((ret = (char *) xmalloc(retsize)) == NULL)
		goto cleanup;

	if (snprintf(ret, retsize, "%s ", keyname) < 0)
		goto cleanup;

	if ((n = BIO_read(bio, ret + (ssize_t)strlen(ret),
		(int)(retsize - strlen(ret) - 1))) == -1)
		goto cleanup;

	ret[(int)strlen(keyname) + 1 + n] = '\x0';

	while ((p = strchr(ret, '\n')) != NULL)
		memmove(p, p + 1, strlen(p) + 1);
	while ((p = strchr(ret, '\r')) != NULL)
		memmove(p, p + 1, strlen(p) + 1);

	ok = 1;

cleanup:
	if (bio != NULL) {
		BIO_free_all(bio);
		bio = NULL;
	}

	if (pubkey != NULL) {
		EVP_PKEY_free(pubkey);
		pubkey = NULL;
	}

	if (buffer != NULL) {
		xfree(buffer);
		buffer = NULL;
	}

	if (blob != NULL) {
		xfree(blob);
		blob = NULL;
	}

	if (!ok) {
		if (ret != NULL) {
			xfree(ret);
			ret = NULL;
		}
	}

	return ret;

#undef PUT_32BIT
}

#endif /* ENABLE_PKCS11 */




/*
 * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef SSH_PKCS11_H
#define SSH_PKCS11_H

#ifdef ENABLE_PKCS11

#include "key.h"

typedef struct {
	char *provider;
	int protected_authentication;
	unsigned private_mode;
	int cert_is_private;
} PKCS11Provider;

typedef struct {
	char *id;
	int pin_cache_period;
	char *cert_file;
}	PKCS11Id;

int
pkcs11_initialize(const int, const int);

void
pkcs11_terminate(void);

void
pkcs11_free_provider(PKCS11Provider *const);

PKCS11Provider *
pkcs11_parse_provider(const char *const);

int
pkcs11_add_provider(const PKCS11Provider *const);

PKCS11Id *
pkcs11_id_new(void);

void
pkcs11_id_free(PKCS11Id *const);

int
pkcs11_get_key(const PKCS11Id *const, Key **const, char **const);

int
pkcs11_get_keys(Key ***const, char ***const);

void
pkcs11_show_ids(void);

#endif /* ENABLE_PKCS11 */

#endif /* OPENSSH_PKCS11_H */




#include "rsa.h"
#include "log.h"
#include "key.h"
#include "pkcs11.h"
#include "buffer.h"
#include "authfd.h"
#include "authfile.h"

	fprintf(stderr, "  -X          Unlock agent.\n");
	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
#ifdef ENABLE_PKCS11
	fprintf(stderr, "  -K provider Add PKCS#11 provider, format:\n");
	fprintf(stderr, "              lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
	fprintf(stderr, "              prot_auth - 1 to allow protected mode authentication.\n");
	fprintf(stderr, "              private_mode - Private key mode, see man page.\n");
	fprintf(stderr, "              cert_is_private - 1 if login is required to access certificates.\n");
	fprintf(stderr, "  -I          Add PKCS#11 id, remainging arguments:\n");
	fprintf(stderr, "              pkcs11_id [session_cache [cert_file]]\n");
	fprintf(stderr, "              pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
	fprintf(stderr, "              session_cache - Session cache timeout in seconds -1 for infinite.\n");
	fprintf(stderr, "              cert_file - Specify PEM file to load if token is unavailable.\n");
#endif
#ifdef SMARTCARD
	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");

	AuthenticationConnection *ac = NULL;
	char *sc_reader_id = NULL;
	int i, ch, deleting = 0, ret = 0;
#ifdef ENABLE_PKCS11
	PKCS11Provider *pkcs11_provider = NULL;
	int doing_pkcs11 = 0;
#endif /* ENABLE_PKCS11 */

	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
	sanitise_stdfd();

		    "Could not open a connection to your authentication agent.\n");
		exit(2);
	}
	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
		switch (ch) {
		case 'l':
		case 'L':

				goto done;
			}
			break;
#ifdef ENABLE_PKCS11
		case 'K':
			if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
				fprintf(stderr, "Cannot parse PKCS#11 provider\n");
				ret = 1;
				goto done;
			}
			break;
		case 'I':
			doing_pkcs11 = 1;
			break;
#endif /* ENABLE_PKCS11 */
		default:
			usage();
			ret = 1;

	}
	argc -= optind;
	argv += optind;

#ifdef ENABLE_PKCS11
	if (pkcs11_provider != NULL) {
		if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
			fprintf(stderr,
				"Cannot add provider '%s'\n", pkcs11_provider->provider);
			ret = 1;
			goto done;
		}
		fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
		pkcs11_free_provider(pkcs11_provider);
	}

	if (doing_pkcs11) {
		PKCS11Id *pkcs11_id = NULL;
		if (argc < 1 || argc > 3) {
			fprintf(stderr,
				"Invalid PKCS#11 id format\n");
			ret = 1;
			goto done;
		}
		if ((pkcs11_id = pkcs11_id_new()) == NULL) {
			fprintf(stderr, "Memory allocation error.\n");
			ret = 1;
			goto done;
		}
		pkcs11_id->id = argv[0];
		if (argc > 1)
			pkcs11_id->pin_cache_period = atoi(argv[1]);
		if (argc > 2)
			pkcs11_id->cert_file = xstrdup(argv[2]);

		if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
			fprintf(stderr,
				"Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
			ret = 1;
			goto done;
		}
		pkcs11_id_free(pkcs11_id);
		fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
		goto done;
	}
#endif /* ENABLE_PKCS11 */

	if (sc_reader_id != NULL) {
		if (update_card(ac, !deleting, sc_reader_id) == -1)
			ret = 1;




#include "buffer.h"
#include "key.h"
#include "authfd.h"
#include "pkcs11.h"
#include "compat.h"
#include "log.h"
#include "misc.h"

}
#endif /* SMARTCARD */

#ifdef ENABLE_PKCS11

static void
process_pkcs11_add_provider (SocketEntry *e)
{
	PKCS11Provider provider;
	int success = 0;

	provider.provider = buffer_get_string(&e->request, NULL);
	provider.protected_authentication = buffer_get_int(&e->request);
	provider.private_mode = (unsigned)buffer_get_int(&e->request);
	provider.cert_is_private = buffer_get_int(&e->request);

	success = pkcs11_add_provider(&provider);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

static
void
process_pkcs11_add_id (SocketEntry *e)
{
	PKCS11Id *pkcs11_id = NULL;
	Key *k = NULL;
	char *comment = NULL;
	int success = 0;
	int version = 2;

	pkcs11_id = pkcs11_id_new();
	if (pkcs11_id != NULL) {
		pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));

		if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
			if (lookup_identity(k, version) == NULL) {
				Identity *id = xmalloc(sizeof(Identity));
				Idtab *tab = NULL;
	
				id->key = k;
				k = NULL;
				id->comment = comment;
				id->death = 0;		/* handled by pkcs#11 helper */
				id->confirm = 0;
	
				tab = idtab_lookup(version);
				TAILQ_INSERT_TAIL(&tab->idlist, id, next);
				/* Increment the number of identities. */
				tab->nentries++;
				success = 1;
			}
		}
	}

	if (k != NULL)
		key_free(k);

	if (pkcs11_id != NULL)
		pkcs11_id_free(pkcs11_id);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

static
void
process_pkcs11_remove_id (SocketEntry *e)
{
	Identity *id = NULL;
	char *comment = NULL;
	PKCS11Id *pkcs11_id = NULL;
	Key *k = NULL;
	int version = 2;
	int success = 0;

	pkcs11_id = pkcs11_id_new();
	if (pkcs11_id != NULL) {
		pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));

		if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
			id = lookup_identity (k, version);
			xfree(comment);
			comment = NULL;
		}

		if (id != NULL) {
			Idtab *tab = NULL;

			tab = idtab_lookup(version);
			TAILQ_REMOVE(&tab->idlist, id, next);
			tab->nentries--;
			free_identity(id);
			id = NULL;
			success = 1;
		}
	}

	if (k != NULL)
		key_free(k);

	if (pkcs11_id != NULL)
		pkcs11_id_free(pkcs11_id);

	buffer_put_int(&e->output, 1);
	buffer_put_char(&e->output,
	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
}

#endif /* ENABLE_PKCS11 */

/* dispatch incoming messages */

static void

		process_remove_smartcard_key(e);
		break;
#endif /* SMARTCARD */

#ifdef ENABLE_PKCS11
	case SSH_AGENTC_PKCS11_ADD_PROVIDER:
		process_pkcs11_add_provider(e);
		break;
	case SSH_AGENTC_PKCS11_ADD_ID:
		process_pkcs11_add_id(e);
		break;
	case SSH_AGENTC_PKCS11_REMOVE_ID:
		process_pkcs11_remove_id(e);
		break;
#endif /* ENABLE_PKCS11 */
	default:
		/* Unknown message.  Respond with failure. */
		error("Unknown message %d", type);

cleanup_handler(int sig)
{
	cleanup_socket();
#ifdef ENABLE_PKCS11
	pkcs11_terminate ();
#endif /* ENABLE_PKCS11 */
	_exit(2);
}


	}

skip:

#ifdef ENABLE_PKCS11
	pkcs11_initialize (1, -1);
#endif /* ENABLE_PKCS11 */

	new_socket(AUTH_SOCKET, sock);
	if (ac > 0)
		parent_alive_interval = 10;

Lines 84-89 Link Here

(-)ssh.org/ssh.c (-1 / +61 lines)
84	#include "readconf.h"	84	#include "readconf.h"
85	#include "sshconnect.h"	85	#include "sshconnect.h"
86	#include "misc.h"	86	#include "misc.h"
		87	#include "pkcs11.h"
87	#include "kex.h"	88	#include "kex.h"
88	#include "mac.h"	89	#include "mac.h"
89	#include "sshpty.h"	90	#include "sshpty.h"
Lines 171-176 static u_int mux_command = 0; Link Here
171	volatile sig_atomic_t control_client_terminate = 0;	172	volatile sig_atomic_t control_client_terminate = 0;
172	u_int control_server_pid = 0;	173	u_int control_server_pid = 0;
173		174
		175	#ifdef ENABLE_PKCS11
		176	/* For PKCS#11 */
		177	static PKCS11Provider *pkcs11_provider = NULL;
		178	#endif
		179
174	/* Prints a help message to the user. This function never returns. */	180	/* Prints a help message to the user. This function never returns. */
175		181
176	static void	182	static void
Lines 183-188 usage(void) Link Here
183	" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"	189	" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
184	" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"	190	" [-R [bind_address:]port:host:hostport] [-S ctl_path]\n"
185	" [-w local_tun[:remote_tun]] [user@]hostname [command]\n"	191	" [-w local_tun[:remote_tun]] [user@]hostname [command]\n"
		192	#ifdef ENABLE_PKCS11
		193	" [-# pkcs11_provider_info]\n"
		194	#endif
186	);	195	);
187	exit(255);	196	exit(255);
188	}	197	}
Lines 259-266 main(int ac, char **av) Link Here
259		268
260	again:	269	again:
261	while ((opt = getopt(ac, av,	270	while ((opt = getopt(ac, av,
262	"1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {	271	"#:1246ab:c:e:fgi:k:l:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
263	switch (opt) {	272	switch (opt) {
		273	#ifdef ENABLE_PKCS11
		274	case '#':
		275	if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
		276	fprintf(stderr, "Cannot parse PKCS#11 provider information.\n");
		277	exit(255);
		278	}
		279	break;
		280	#endif
264	case '1':	281	case '1':
265	options.protocol = SSH_PROTO_1;	282	options.protocol = SSH_PROTO_1;
266	break;	283	break;
Lines 666-671 main(int ac, char **av) Link Here
666	if (options.control_path != NULL)	683	if (options.control_path != NULL)
667	control_client(options.control_path);	684	control_client(options.control_path);
668		685
		686	#ifdef ENABLE_PKCS11
		687	if (pkcs11_provider != NULL) {
		688	if (!pkcs11_initialize (1, -1))
		689	fatal("Cannot initialize PKCS#11 interface.\n");
		690	if (!pkcs11_add_provider(pkcs11_provider))
		691	fatal("Cannot add PKCS#11 provider '%s'.\n",
		692	pkcs11_provider->provider);
		693	}
		694	#endif
		695
669	/* Open a connection to the remote host. */	696	/* Open a connection to the remote host. */
670	if (ssh_connect(host, &hostaddr, options.port,	697	if (ssh_connect(host, &hostaddr, options.port,
671	options.address_family, options.connection_attempts,	698	options.address_family, options.connection_attempts,
Lines 786-791 main(int ac, char **av) Link Here
786	if (proxy_command_pid > 1)	813	if (proxy_command_pid > 1)
787	kill(proxy_command_pid, SIGHUP);	814	kill(proxy_command_pid, SIGHUP);
788		815
		816	#ifdef ENABLE_PKCS11
		817	if (pkcs11_provider != NULL) {
		818	pkcs11_terminate();
		819	pkcs11_free_provider(pkcs11_provider);
		820	pkcs11_provider = NULL;
		821	}
		822	#endif
		823
789	return exit_status;	824	return exit_status;
790	}	825	}
791		826
Lines 1220-1225 load_public_identity_files(void) Link Here
1220	xfree(keys);	1255	xfree(keys);
1221	}	1256	}
1222	#endif /* SMARTCARD */	1257	#endif /* SMARTCARD */
		1258	#ifdef ENABLE_PKCS11
		1259	if (pkcs11_provider != NULL) {
		1260	Key **keys = NULL;
		1261	char **comments = NULL;
		1262
		1263	if (pkcs11_get_keys(&keys, &comments)) {
		1264	int count = 0;
		1265	while (options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
		1266	keys[count] != NULL) {
		1267	memmove(&options.identity_files[1], &options.identity_files[0],
		1268	sizeof(char ) (SSH_MAX_IDENTITY_FILES - 1));
		1269	memmove(&options.identity_keys[1], &options.identity_keys[0],
		1270	sizeof(Key ) (SSH_MAX_IDENTITY_FILES - 1));
		1271	options.num_identity_files++;
		1272	options.identity_keys[0] = keys[count];
		1273	options.identity_files[0] = comments[count];
		1274	count++;
		1275	}
		1276	i += count;
		1277	xfree(keys);
		1278	xfree(comments);
		1279	}
		1280
		1281	}
		1282	#endif
1223	if ((pw = getpwuid(original_real_uid)) == NULL)	1283	if ((pw = getpwuid(original_real_uid)) == NULL)
1224	fatal("load_public_identity_files: getpwuid failed");	1284	fatal("load_public_identity_files: getpwuid failed");
1225	if (gethostname(thishost, sizeof(thishost)) == -1)	1285	if (gethostname(thishost, sizeof(thishost)) == -1)

Lines 35-40 Link Here

(-)ssh.org/ssh-keygen.c (-1 / +28 lines)
35	#include "uuencode.h"	35	#include "uuencode.h"
36	#include "buffer.h"	36	#include "buffer.h"
37	#include "pathnames.h"	37	#include "pathnames.h"
		38	#include "pkcs11.h"
38	#include "log.h"	39	#include "log.h"
39	#include "misc.h"	40	#include "misc.h"
40	#include "match.h"	41	#include "match.h"
Lines 1016-1021 usage(void) Link Here
1016	fprintf(stderr, " -g Use generic DNS resource record format.\n");	1017	fprintf(stderr, " -g Use generic DNS resource record format.\n");
1017	fprintf(stderr, " -H Hash names in known_hosts file.\n");	1018	fprintf(stderr, " -H Hash names in known_hosts file.\n");
1018	fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");	1019	fprintf(stderr, " -i Convert RFC 4716 to OpenSSH key file.\n");
		1020	#ifdef ENABLE_PKCS11
		1021	fprintf(stderr, " -K provider Show PKCS#11 provider ids, format:\n");
		1022	fprintf(stderr, " lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
		1023	fprintf(stderr, " prot_auth - 1 to allow protected mode authentication.\n");
		1024	fprintf(stderr, " private_mode - Private key mode, see man page.\n");
		1025	fprintf(stderr, " cert_is_private - 1 if login is required to access certificates.\n");
		1026	#endif /* ENABLE_PKCS11 */
1019	fprintf(stderr, " -l Show fingerprint of key file.\n");	1027	fprintf(stderr, " -l Show fingerprint of key file.\n");
1020	fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");	1028	fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
1021	fprintf(stderr, " -N phrase Provide new passphrase.\n");	1029	fprintf(stderr, " -N phrase Provide new passphrase.\n");
Lines 1056-1061 main(int argc, char **argv) Link Here
1056	BIGNUM *start = NULL;	1064	BIGNUM *start = NULL;
1057	FILE *f;	1065	FILE *f;
1058	const char *errstr;	1066	const char *errstr;
		1067	#ifdef ENABLE_PKCS11
		1068	PKCS11Provider *pkcs11_provider = NULL;
		1069	#endif /* ENABLE_PKCS11 */
1059		1070
1060	extern int optind;	1071	extern int optind;
1061	extern char *optarg;	1072	extern char *optarg;
Lines 1078-1084 main(int argc, char **argv) Link Here
1078	}	1089	}
1079		1090
1080	while ((opt = getopt(argc, argv,	1091	while ((opt = getopt(argc, argv,
1081	"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {	1092	"degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:K:")) != -1) {
1082	switch (opt) {	1093	switch (opt) {
1083	case 'b':	1094	case 'b':
1084	bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);	1095	bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
Lines 1203-1208 main(int argc, char **argv) Link Here
1203	if (BN_hex2bn(&start, optarg) == 0)	1214	if (BN_hex2bn(&start, optarg) == 0)
1204	fatal("Invalid start point.");	1215	fatal("Invalid start point.");
1205	break;	1216	break;
		1217	#ifdef ENABLE_PKCS11
		1218	case 'K':
		1219	if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL)
		1220	fatal("Cannot parse PKCS#11 provider.");
		1221	break;
		1222	#endif /* ENABLE_PKCS11 */
1206	case '?':	1223	case '?':
1207	default:	1224	default:
1208	usage();	1225	usage();
Lines 1257-1262 main(int argc, char **argv) Link Here
1257	exit(0);	1274	exit(0);
1258	}	1275	}
1259	}	1276	}
		1277	#ifdef ENABLE_PKCS11
		1278	if (pkcs11_provider != NULL) {
		1279	pkcs11_initialize(1, -1);
		1280	pkcs11_add_provider(pkcs11_provider);
		1281	pkcs11_show_ids();
		1282	pkcs11_terminate();
		1283	pkcs11_free_provider(pkcs11_provider);
		1284	return (0);
		1285	}
		1286	#endif /* ENABLE_PKCS11 */
1260	if (reader_id != NULL) {	1287	if (reader_id != NULL) {
1261	#ifdef SMARTCARD	1288	#ifdef SMARTCARD
1262	if (download)	1289	if (download)

Return to bug 1371

Lines 667-669 decode_reply(int type) Link Here

(-)ssh.org/authfd.c (+48 lines)
667	/* NOTREACHED */	667	/* NOTREACHED */
668	return 0;	668	return 0;
669	}	669	}
		670
		671	#ifdef ENABLE_PKCS11
		672
		673	int
		674	ssh_pkcs11_add_provider(AuthenticationConnection *auth,
		675	const PKCS11Provider *const provider)
		676	{
		677	Buffer msg;
		678	int type;
		679
		680	buffer_init(&msg);
		681	buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
		682	buffer_put_cstring(&msg, provider->provider);
		683	buffer_put_int(&msg, (unsigned)provider->protected_authentication);
		684	buffer_put_int(&msg, provider->private_mode);
		685	buffer_put_int(&msg, (unsigned)provider->cert_is_private);
		686
		687	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		688	buffer_free(&msg);
		689	return 0;
		690	}
		691	type = buffer_get_char(&msg);
		692	buffer_free(&msg);
		693	return decode_reply(type);
		694	}
		695
		696	int
		697	ssh_pkcs11_id(AuthenticationConnection auth, const PKCS11Id const id, int remove)
		698	{
		699	Buffer msg;
		700	int type;
		701
		702	buffer_init(&msg);
		703	buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
		704	buffer_put_cstring(&msg, id->id);
		705	buffer_put_int(&msg, (unsigned)id->pin_cache_period);
		706	buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
		707
		708	if (ssh_request_reply(auth, &msg, &msg) == 0) {
		709	buffer_free(&msg);
		710	return 0;
		711	}
		712	type = buffer_get_char(&msg);
		713	buffer_free(&msg);
		714	return decode_reply(type);
		715	}
		716
		717	#endif /* ENABLE_PKCS11 */

Line 0 Link Here

(-)ssh.org/pkcs11.h (+77 lines)
		1	/*
		2	* Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
		3	*
		4	* Redistribution and use in source and binary forms, with or without
		5	* modification, are permitted provided that the following conditions
		6	* are met:
		7	* 1. Redistributions of source code must retain the above copyright
		8	* notice, this list of conditions and the following disclaimer.
		9	* 2. Redistributions in binary form must reproduce the above copyright
		10	* notice, this list of conditions and the following disclaimer in the
		11	* documentation and/or other materials provided with the distribution.
		12	*
		13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
		14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
		15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
		16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
		17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
		18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
		19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
		20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
		21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
		22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
		23	*/
		24
		25	#ifndef SSH_PKCS11_H
		26	#define SSH_PKCS11_H
		27
		28	#ifdef ENABLE_PKCS11
		29
		30	#include "key.h"
		31
		32	typedef struct {
		33	char *provider;
		34	int protected_authentication;
		35	unsigned private_mode;
		36	int cert_is_private;
		37	} PKCS11Provider;
		38
		39	typedef struct {
		40	char *id;
		41	int pin_cache_period;
		42	char *cert_file;
		43	} PKCS11Id;
		44
		45	int
		46	pkcs11_initialize(const int, const int);
		47
		48	void
		49	pkcs11_terminate(void);
		50
		51	void
		52	pkcs11_free_provider(PKCS11Provider *const);
		53
		54	PKCS11Provider *
		55	pkcs11_parse_provider(const char *const);
		56
		57	int
		58	pkcs11_add_provider(const PKCS11Provider *const);
		59
		60	PKCS11Id *
		61	pkcs11_id_new(void);
		62
		63	void
		64	pkcs11_id_free(PKCS11Id *const);
65
66	int
67	pkcs11_get_key(const PKCS11Id const, Key const, char *const);
68
69	int
70	pkcs11_get_keys(Key *const, char *const);
71
72	void
73	pkcs11_show_ids(void);
74
75	#endif /* ENABLE_PKCS11 */
76
77	#endif /* OPENSSH_PKCS11_H */

Lines 53-58 Link Here

(-)ssh.org/ssh-add.c (-1 / +74 lines)
53	#include "rsa.h"	53	#include "rsa.h"
54	#include "log.h"	54	#include "log.h"
55	#include "key.h"	55	#include "key.h"
		56	#include "pkcs11.h"
56	#include "buffer.h"	57	#include "buffer.h"
57	#include "authfd.h"	58	#include "authfd.h"
58	#include "authfile.h"	59	#include "authfile.h"
Lines 316-321 usage(void) Link Here
316	fprintf(stderr, " -X Unlock agent.\n");	317	fprintf(stderr, " -X Unlock agent.\n");
317	fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");	318	fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
318	fprintf(stderr, " -c Require confirmation to sign using identities\n");	319	fprintf(stderr, " -c Require confirmation to sign using identities\n");
		320	#ifdef ENABLE_PKCS11
		321	fprintf(stderr, " -K provider Add PKCS#11 provider, format:\n");
		322	fprintf(stderr, " lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
		323	fprintf(stderr, " prot_auth - 1 to allow protected mode authentication.\n");
		324	fprintf(stderr, " private_mode - Private key mode, see man page.\n");
		325	fprintf(stderr, " cert_is_private - 1 if login is required to access certificates.\n");
		326	fprintf(stderr, " -I Add PKCS#11 id, remainging arguments:\n");
		327	fprintf(stderr, " pkcs11_id [session_cache [cert_file]]\n");
		328	fprintf(stderr, " pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
		329	fprintf(stderr, " session_cache - Session cache timeout in seconds -1 for infinite.\n");
		330	fprintf(stderr, " cert_file - Specify PEM file to load if token is unavailable.\n");
		331	#endif
319	#ifdef SMARTCARD	332	#ifdef SMARTCARD
320	fprintf(stderr, " -s reader Add key in smartcard reader.\n");	333	fprintf(stderr, " -s reader Add key in smartcard reader.\n");
321	fprintf(stderr, " -e reader Remove key in smartcard reader.\n");	334	fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
Lines 330-335 main(int argc, char **argv) Link Here
330	AuthenticationConnection *ac = NULL;	343	AuthenticationConnection *ac = NULL;
331	char *sc_reader_id = NULL;	344	char *sc_reader_id = NULL;
332	int i, ch, deleting = 0, ret = 0;	345	int i, ch, deleting = 0, ret = 0;
		346	#ifdef ENABLE_PKCS11
		347	PKCS11Provider *pkcs11_provider = NULL;
		348	int doing_pkcs11 = 0;
		349	#endif /* ENABLE_PKCS11 */
333		350
334	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */	351	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
335	sanitise_stdfd();	352	sanitise_stdfd();
Lines 343-349 main(int argc, char **argv) Link Here
343	"Could not open a connection to your authentication agent.\n");	360	"Could not open a connection to your authentication agent.\n");
344	exit(2);	361	exit(2);
345	}	362	}
346	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {	363	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
347	switch (ch) {	364	switch (ch) {
348	case 'l':	365	case 'l':
349	case 'L':	366	case 'L':
Lines 379-384 main(int argc, char **argv) Link Here
379	goto done;	396	goto done;
380	}	397	}
381	break;	398	break;
		399	#ifdef ENABLE_PKCS11
		400	case 'K':
		401	if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
		402	fprintf(stderr, "Cannot parse PKCS#11 provider\n");
		403	ret = 1;
		404	goto done;
		405	}
		406	break;
		407	case 'I':
		408	doing_pkcs11 = 1;
		409	break;
		410	#endif /* ENABLE_PKCS11 */
382	default:	411	default:
383	usage();	412	usage();
384	ret = 1;	413	ret = 1;
Lines 387-392 main(int argc, char **argv) Link Here
387	}	416	}
388	argc -= optind;	417	argc -= optind;
389	argv += optind;	418	argv += optind;
		419
		420	#ifdef ENABLE_PKCS11
		421	if (pkcs11_provider != NULL) {
		422	if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
		423	fprintf(stderr,
		424	"Cannot add provider '%s'\n", pkcs11_provider->provider);
		425	ret = 1;
		426	goto done;
		427	}
		428	fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
		429	pkcs11_free_provider(pkcs11_provider);
		430	}
		431
		432	if (doing_pkcs11) {
		433	PKCS11Id *pkcs11_id = NULL;
		434	if (argc < 1 \|\| argc > 3) {
		435	fprintf(stderr,
		436	"Invalid PKCS#11 id format\n");
		437	ret = 1;
		438	goto done;
		439	}
		440	if ((pkcs11_id = pkcs11_id_new()) == NULL) {
		441	fprintf(stderr, "Memory allocation error.\n");
		442	ret = 1;
		443	goto done;
		444	}
		445	pkcs11_id->id = argv[0];
		446	if (argc > 1)
		447	pkcs11_id->pin_cache_period = atoi(argv[1]);
		448	if (argc > 2)
		449	pkcs11_id->cert_file = xstrdup(argv[2]);
		450
		451	if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
		452	fprintf(stderr,
		453	"Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
		454	ret = 1;
		455	goto done;
		456	}
		457	pkcs11_id_free(pkcs11_id);
		458	fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
		459	goto done;
		460	}
		461	#endif /* ENABLE_PKCS11 */
		462
390	if (sc_reader_id != NULL) {	463	if (sc_reader_id != NULL) {
391	if (update_card(ac, !deleting, sc_reader_id) == -1)	464	if (update_card(ac, !deleting, sc_reader_id) == -1)
392	ret = 1;	465	ret = 1;

Lines 62-67 Link Here

(-)ssh.org/ssh-agent.c (+136 lines)
62	#include "buffer.h"	62	#include "buffer.h"
63	#include "key.h"	63	#include "key.h"
64	#include "authfd.h"	64	#include "authfd.h"
		65	#include "pkcs11.h"
65	#include "compat.h"	66	#include "compat.h"
66	#include "log.h"	67	#include "log.h"
67	#include "misc.h"	68	#include "misc.h"
Lines 688-693 send: Link Here
688	}	689	}
689	#endif /* SMARTCARD */	690	#endif /* SMARTCARD */
690		691
		692	#ifdef ENABLE_PKCS11
		693
		694	static void
		695	process_pkcs11_add_provider (SocketEntry *e)
		696	{
		697	PKCS11Provider provider;
		698	int success = 0;
		699
		700	provider.provider = buffer_get_string(&e->request, NULL);
		701	provider.protected_authentication = buffer_get_int(&e->request);
		702	provider.private_mode = (unsigned)buffer_get_int(&e->request);
		703	provider.cert_is_private = buffer_get_int(&e->request);
		704
		705	success = pkcs11_add_provider(&provider);
		706
		707	buffer_put_int(&e->output, 1);
		708	buffer_put_char(&e->output,
		709	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
		710	}
		711
		712	static
		713	void
		714	process_pkcs11_add_id (SocketEntry *e)
		715	{
		716	PKCS11Id *pkcs11_id = NULL;
		717	Key *k = NULL;
		718	char *comment = NULL;
		719	int success = 0;
		720	int version = 2;
		721
		722	pkcs11_id = pkcs11_id_new();
		723	if (pkcs11_id != NULL) {
		724	pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
		725	pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
		726	pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
		727
		728	if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
		729	if (lookup_identity(k, version) == NULL) {
		730	Identity *id = xmalloc(sizeof(Identity));
		731	Idtab *tab = NULL;
		732
		733	id->key = k;
		734	k = NULL;
		735	id->comment = comment;
		736	id->death = 0; /* handled by pkcs#11 helper */
		737	id->confirm = 0;
		738
		739	tab = idtab_lookup(version);
		740	TAILQ_INSERT_TAIL(&tab->idlist, id, next);
		741	/* Increment the number of identities. */
		742	tab->nentries++;
		743	success = 1;
		744	}
		745	}
		746	}
		747
		748	if (k != NULL)
		749	key_free(k);
		750
		751	if (pkcs11_id != NULL)
		752	pkcs11_id_free(pkcs11_id);
		753
		754	buffer_put_int(&e->output, 1);
		755	buffer_put_char(&e->output,
756	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
757	}
758
759	static
760	void
761	process_pkcs11_remove_id (SocketEntry *e)
762	{
763	Identity *id = NULL;
764	char *comment = NULL;
765	PKCS11Id *pkcs11_id = NULL;
766	Key *k = NULL;
767	int version = 2;
768	int success = 0;
769
770	pkcs11_id = pkcs11_id_new();
771	if (pkcs11_id != NULL) {
772	pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
773	pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
774	pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));
775
776	if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
777	id = lookup_identity (k, version);
778	xfree(comment);
779	comment = NULL;
780	}
781
782	if (id != NULL) {
783	Idtab *tab = NULL;
784
785	tab = idtab_lookup(version);
786	TAILQ_REMOVE(&tab->idlist, id, next);
787	tab->nentries--;
788	free_identity(id);
789	id = NULL;
790	success = 1;
791	}
792	}
793
794	if (k != NULL)
795	key_free(k);
796
797	if (pkcs11_id != NULL)
798	pkcs11_id_free(pkcs11_id);
799
800	buffer_put_int(&e->output, 1);
801	buffer_put_char(&e->output,
802	success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
803	}
804
805	#endif /* ENABLE_PKCS11 */
806
691	/* dispatch incoming messages */	807	/* dispatch incoming messages */
692		808
693	static void	809	static void
Lines 780-785 process_message(SocketEntry *e) Link Here
780	process_remove_smartcard_key(e);	896	process_remove_smartcard_key(e);
781	break;	897	break;
782	#endif /* SMARTCARD */	898	#endif /* SMARTCARD */
		899
		900	#ifdef ENABLE_PKCS11
		901	case SSH_AGENTC_PKCS11_ADD_PROVIDER:
		902	process_pkcs11_add_provider(e);
		903	break;
		904	case SSH_AGENTC_PKCS11_ADD_ID:
		905	process_pkcs11_add_id(e);
		906	break;
		907	case SSH_AGENTC_PKCS11_REMOVE_ID:
		908	process_pkcs11_remove_id(e);
		909	break;
		910	#endif /* ENABLE_PKCS11 */
783	default:	911	default:
784	/* Unknown message. Respond with failure. */	912	/* Unknown message. Respond with failure. */
785	error("Unknown message %d", type);	913	error("Unknown message %d", type);
Lines 987-992 static void Link Here
987	cleanup_handler(int sig)	1115	cleanup_handler(int sig)
988	{	1116	{
989	cleanup_socket();	1117	cleanup_socket();
		1118	#ifdef ENABLE_PKCS11
		1119	pkcs11_terminate ();
		1120	#endif /* ENABLE_PKCS11 */
990	_exit(2);	1121	_exit(2);
991	}	1122	}
992		1123
Lines 1215-1220 main(int ac, char **av) Link Here
1215	}	1346	}
1216		1347
1217	skip:	1348	skip:
		1349
		1350	#ifdef ENABLE_PKCS11
		1351	pkcs11_initialize (1, -1);
		1352	#endif /* ENABLE_PKCS11 */
		1353
1218	new_socket(AUTH_SOCKET, sock);	1354	new_socket(AUTH_SOCKET, sock);
1219	if (ac > 0)	1355	if (ac > 0)
1220	parent_alive_interval = 10;	1356	parent_alive_interval = 10;