Bugzilla – Attachment 1495 Details for
Bug 1371
Add PKCS#11 (Smartcards) support into OpenSSH
[patch]
2009_all_pkcs11-agent.patch
2009_all_pkcs11-agent.patch (text/plain), 10.51 KB, created by
Alon Bar-Lev
on 2008-04-26 22:40:34 AEST
Description:
2009_all_pkcs11-agent.patch
Filename:
MIME Type:
Creator:
Alon Bar-Lev
Created:
2008-04-26 22:40:34 AEST
Size:
10.51 KB
patch
obsolete
>[PATCH] PKCS#11 support in agent
>
>Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
>
>---
>
>diff -urNp ssh/authfd.c ssh.new/authfd.c
>--- ssh/authfd.c 2006-08-03 06:34:41.000000000 +0300
>+++ ssh.new/authfd.c 2008-04-26 12:32:56.000000000 +0300
>@@ -667,3 +667,51 @@ decode_reply(int type)
> /* NOTREACHED */
> return 0;
> }
>+
>+#ifdef ENABLE_PKCS11
>+
>+int
>+ssh_pkcs11_add_provider(AuthenticationConnection *auth,
>+ const pkcs11_provider *const provider)
>+{
>+ Buffer msg;
>+ int type;
>+
>+ buffer_init(&msg);
>+ buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
>+ buffer_put_cstring(&msg, provider->provider);
>+ buffer_put_int(&msg, (unsigned)provider->protected_authentication);
>+ buffer_put_int(&msg, provider->private_mode);
>+ buffer_put_int(&msg, (unsigned)provider->cert_is_private);
>+
>+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
>+ buffer_free(&msg);
>+ return 0;
>+ }
>+ type = buffer_get_char(&msg);
>+ buffer_free(&msg);
>+ return decode_reply(type);
>+}
>+
>+int
>+ssh_pkcs11_id(AuthenticationConnection *auth, const pkcs11_id *const id, int remove)
>+{
>+ Buffer msg;
>+ int type;
>+
>+ buffer_init(&msg);
>+ buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
>+ buffer_put_cstring(&msg, id->id);
>+ buffer_put_int(&msg, (unsigned)id->pin_cache_period);
>+ buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
>+
>+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
>+ buffer_free(&msg);
>+ return 0;
>+ }
>+ type = buffer_get_char(&msg);
>+ buffer_free(&msg);
>+ return decode_reply(type);
>+}
>+
>+#endif /* ENABLE_PKCS11 */
>diff -urNp ssh/authfd.h ssh.new/authfd.h
>--- ssh/authfd.h 2006-08-03 06:34:41.000000000 +0300
>+++ ssh.new/authfd.h 2008-04-26 12:32:56.000000000 +0300
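Review bot: `ssh_pkcs11_id` encodes a NULL `cert_file` as the empty string on the wire, but nothing in the new client code states that "" means "no certificate file", and the agent side of this patch copies the received string verbatim with `strdup`, so the receiver ends up holding "" where the sender had NULL. Suggest documenting the convention above the function, `/* cert_file == NULL is sent as ""; the agent must treat "" as "no fallback PEM file" */`, and confirming that `pkcs11_get_key` (not in this patch) actually treats "" that way. Minor: `provider->private_mode` is the only field put on the wire without the `(unsigned)` cast its two neighbours use; `buffer_put_int(&msg, (unsigned)provider->private_mode);` keeps the three calls uniform. `decode_reply`, whose result both functions pass through, is defined outside the hunk.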
>@@ -16,6 +16,8 @@
> #ifndef AUTHFD_H
> #define AUTHFD_H
>
>+#include "pkcs11.h"
>+
> /* Messages for the authentication agent connection. */
> #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
> #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
>@@ -49,6 +51,10 @@
> #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
> #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
>
>+#define SSH_AGENTC_PKCS11_ADD_PROVIDER 27
>+#define SSH_AGENTC_PKCS11_ADD_ID 28
>+#define SSH_AGENTC_PKCS11_REMOVE_ID 29
>+
> #define SSH_AGENT_CONSTRAIN_LIFETIME 1
> #define SSH_AGENT_CONSTRAIN_CONFIRM 2
>
>@@ -92,4 +98,10 @@ int
> ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
> u_int);
>
>+#ifdef ENABLE_PKCS11
>+int ssh_pkcs11_add_provider(AuthenticationConnection *,
>+ const pkcs11_provider *const);
>+int ssh_pkcs11_id(AuthenticationConnection *, const pkcs11_id *const, int remove);
>+#endif /* ENABLE_PKCS11 */
>+
> #endif /* AUTHFD_H */
>diff -urNp ssh/ssh-add.c ssh.new/ssh-add.c
>--- ssh/ssh-add.c 2007-09-09 14:38:01.000000000 +0300
>+++ ssh.new/ssh-add.c 2008-04-26 12:32:56.000000000 +0300
>@@ -53,6 +53,7 @@
> #include "rsa.h"
> #include "log.h"
> #include "key.h"
>+#include "pkcs11.h"
> #include "buffer.h"
> #include "authfd.h"
> #include "authfile.h"
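Review bot: The new `#include "pkcs11.h"` in authfd.h is unconditional while every use of the pkcs11 types in this header sits under `#ifdef ENABLE_PKCS11`, so a build with the feature disabled still requires pkcs11.h to exist and compile for every file that includes authfd.h. Wrapping the include the same way, `#ifdef ENABLE_PKCS11` / `#include "pkcs11.h"` / `#endif`, confines the dependency to the configured-in case. The three new message numbers 27–29 follow directly on from 26; a one-line comment saying whether they are a local allocation or an assignment agreed with the protocol maintainers would save the next reader from having to check for a collision.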
>@@ -316,6 +317,18 @@ usage(void)
> fprintf(stderr, " -X Unlock agent.\n");
> fprintf(stderr, " -t life Set lifetime (in seconds) when adding identities.\n");
> fprintf(stderr, " -c Require confirmation to sign using identities\n");
>+#ifdef ENABLE_PKCS11
>+ fprintf(stderr, " -K provider Add PKCS#11 provider, format:\n");
>+ fprintf(stderr, " lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
>+ fprintf(stderr, " prot_auth - 1 to allow protected mode authentication.\n");
>+ fprintf(stderr, " private_mode - Private key mode, see man page.\n");
>+ fprintf(stderr, " cert_is_private - 1 if login is required to access certificates.\n");
>+ fprintf(stderr, " -I Add PKCS#11 id, remainging arguments:\n");
>+ fprintf(stderr, " pkcs11_id [session_cache [cert_file]]\n");
>+ fprintf(stderr, " pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
>+ fprintf(stderr, " session_cache - Session cache timeout in seconds -1 for infinite.\n");
>+ fprintf(stderr, " cert_file - Specify PEM file to load if token is unavailable.\n");
>+#endif
> #ifdef SMARTCARD
> fprintf(stderr, " -s reader Add key in smartcard reader.\n");
> fprintf(stderr, " -e reader Remove key in smartcard reader.\n");
>@@ -330,6 +343,10 @@ main(int argc, char **argv)
> AuthenticationConnection *ac = NULL;
> char *sc_reader_id = NULL;
> int i, ch, deleting = 0, ret = 0;
>+#ifdef ENABLE_PKCS11
>+ pkcs11_provider *pkcs11_provider = NULL;
>+ int doing_pkcs11 = 0;
>+#endif /* ENABLE_PKCS11 */
>
> /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
> sanitise_stdfd();
>@@ -343,7 +360,7 @@ main(int argc, char **argv)
> "Could not open a connection to your authentication agent.\n");
> exit(2);
> }
>- while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
>+ while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
> switch (ch) {
> case 'l':
> case 'L':
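Review bot: The `-I` help line `" -I Add PKCS#11 id, remainging arguments:\n"` misspells "remaining", and neither it nor the `-K` text says how an identity is removed, although the handler later in this file passes `deleting` (set by `-d`) to `ssh_pkcs11_id`, so `-d -I pkcs11_id` is the removal form. Suggest `" -I Add PKCS#11 id (with -d: remove it), remaining arguments:\n"`. The `-K` line could likewise say that the provider is loaded by the agent process, since that is where the path is opened. usage() and main() both continue outside this hunk.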
>@@ -379,6 +396,18 @@ main(int argc, char **argv)
> goto done;
> }
> break;
>+#ifdef ENABLE_PKCS11
>+ case 'K':
>+ if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
>+ fprintf(stderr, "Cannot parse PKCS#11 provider\n");
>+ ret = 1;
>+ goto done;
>+ }
>+ break;
>+ case 'I':
>+ doing_pkcs11 = 1;
>+ break;
>+#endif /* ENABLE_PKCS11 */
> default:
> usage();
> ret = 1;
>@@ -387,6 +416,50 @@ main(int argc, char **argv)
> }
> argc -= optind;
> argv += optind;
>+
>+#ifdef ENABLE_PKCS11
>+ if (pkcs11_provider != NULL) {
>+ if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
>+ fprintf(stderr,
>+ "Cannot add provider '%s'\n", pkcs11_provider->provider);
>+ ret = 1;
>+ goto done;
>+ }
>+ fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
>+ pkcs11_free_provider(pkcs11_provider);
>+ }
>+
>+ if (doing_pkcs11) {
>+ pkcs11_id *pkcs11_id = NULL;
>+ if (argc < 1 || argc > 3) {
>+ fprintf(stderr,
>+ "Invalid PKCS#11 id format\n");
>+ ret = 1;
>+ goto done;
>+ }
>+ if ((pkcs11_id = pkcs11_id_new()) == NULL) {
>+ fprintf(stderr, "Memory allocation error.\n");
>+ ret = 1;
>+ goto done;
>+ }
>+ pkcs11_id->id = argv[0];
>+ if (argc > 1)
>+ pkcs11_id->pin_cache_period = atoi(argv[1]);
>+ if (argc > 2)
>+ pkcs11_id->cert_file = xstrdup(argv[2]);
>+
>+ if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
>+ fprintf(stderr,
>+ "Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
>+ ret = 1;
>+ goto done;
>+ }
>+ pkcs11_id_free(pkcs11_id);
>+ fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
>+ goto done;
>+ }
>+#endif /* ENABLE_PKCS11 */
>+
> if (sc_reader_id != NULL) {
> if (update_card(ac, !deleting, sc_reader_id) == -1)
> ret = 1;
>diff -urNp ssh/ssh-agent.c ssh.new/ssh-agent.c
>--- ssh/ssh-agent.c 2007-09-26 01:48:57.000000000 +0200
>+++ ssh.new/ssh-agent.c 2008-04-26 12:32:56.000000000 +0300
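Review bot: In the `doing_pkcs11` branch `pkcs11_id->id` is pointed straight at `argv[0]` while `cert_file` is given an `xstrdup` copy, so the two members have different ownership when `pkcs11_id_free(pkcs11_id)` runs; if that helper (not visible here) frees its members, as the agent side's use of `strdup` for both fields suggests it expects, freeing `argv[0]` is undefined behaviour. `pkcs11_id->id = xstrdup(argv[0]);` gives both members the same owner. `atoi(argv[1])` silently turns input such as `"abc"` into 0; since the usage text promises `-1` means infinite, parsing with `strtol` and rejecting trailing garbage or `ERANGE` would make a mistyped timeout an error rather than a zero-second cache. The `goto done` exits inside this branch never free `pkcs11_id`, and the provider is freed only on success; harmless at process exit but worth tidying, and `done:` is outside the hunk.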
>@@ -62,6 +62,7 @@
> #include "buffer.h"
> #include "key.h"
> #include "authfd.h"
>+#include "pkcs11.h"
> #include "compat.h"
> #include "log.h"
> #include "misc.h"
>@@ -689,6 +690,121 @@ send:
> }
> #endif /* SMARTCARD */
>
>+#ifdef ENABLE_PKCS11
>+
>+static void
>+process_pkcs11_add_provider (SocketEntry *e)
>+{
>+ pkcs11_provider provider;
>+ int success = 0;
>+
>+ provider.provider = buffer_get_string(&e->request, NULL);
>+ provider.protected_authentication = buffer_get_int(&e->request);
>+ provider.private_mode = (unsigned)buffer_get_int(&e->request);
>+ provider.cert_is_private = buffer_get_int(&e->request);
>+
>+ success = pkcs11_add_provider(&provider);
>+
>+ buffer_put_int(&e->output, 1);
>+ buffer_put_char(&e->output,
>+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+static
>+void
>+process_pkcs11_add_id (SocketEntry *e)
>+{
>+ pkcs11_id *pkcs11_id = NULL;
>+ Key *k = NULL;
>+ char *comment = NULL;
>+ int success = 0;
>+ int version = 2;
>+
>+ pkcs11_id = pkcs11_id_new();
>+ if (pkcs11_id != NULL) {
>+ pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
>+ pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
>+ pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
>+
>+ if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
>+ if (lookup_identity(k, version) == NULL) {
>+ Identity *id = xmalloc(sizeof(Identity));
>+ Idtab *tab = NULL;
>+
>+ id->key = k;
>+ k = NULL;
>+ id->comment = comment;
>+ id->death = 0; /* handled by pkcs#11 helper */
>+ id->confirm = 0;
>+
>+ tab = idtab_lookup(version);
>+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
>+ /* Increment the number of identities. */
>+ tab->nentries++;
>+ success = 1;
>+ }
>+ }
>+ }
>+
>+ if (k != NULL)
>+ key_free(k);
>+
>+ if (pkcs11_id != NULL)
>+ pkcs11_id_free(pkcs11_id);
>+
>+ buffer_put_int(&e->output, 1);
>+ buffer_put_char(&e->output,
>+ success ?
SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+static
>+void
>+process_pkcs11_remove_id (SocketEntry *e)
>+{
>+ Identity *id = NULL;
>+ char *comment = NULL;
>+ pkcs11_id *pkcs11_id = NULL;
>+ Key *k = NULL;
>+ int version = 2;
>+ int success = 0;
>+
>+ pkcs11_id = pkcs11_id_new();
>+ if (pkcs11_id != NULL) {
>+ pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
>+ pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
>+ pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));
>+
>+ if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
>+ id = lookup_identity (k, version);
>+ xfree(comment);
>+ comment = NULL;
>+ }
>+
>+ if (id != NULL) {
>+ Idtab *tab = NULL;
>+
>+ tab = idtab_lookup(version);
>+ TAILQ_REMOVE(&tab->idlist, id, next);
>+ tab->nentries--;
>+ free_identity(id);
>+ id = NULL;
>+ success = 1;
>+ }
>+ }
>+
>+ if (k != NULL)
>+ key_free(k);
>+
>+ if (pkcs11_id != NULL)
>+ pkcs11_id_free(pkcs11_id);
>+
>+ buffer_put_int(&e->output, 1);
>+ buffer_put_char(&e->output,
>+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+#endif /* ENABLE_PKCS11 */
>+
> /* dispatch incoming messages */
>
> static void
>@@ -781,6 +897,18 @@ process_message(SocketEntry *e)
> process_remove_smartcard_key(e);
> break;
> #endif /* SMARTCARD */
>+
>+#ifdef ENABLE_PKCS11
>+ case SSH_AGENTC_PKCS11_ADD_PROVIDER:
>+ process_pkcs11_add_provider(e);
>+ break;
>+ case SSH_AGENTC_PKCS11_ADD_ID:
>+ process_pkcs11_add_id(e);
>+ break;
>+ case SSH_AGENTC_PKCS11_REMOVE_ID:
>+ process_pkcs11_remove_id(e);
>+ break;
>+#endif /* ENABLE_PKCS11 */
> default:
> /* Unknown message. Respond with failure. */
> error("Unknown message %d", type);
>@@ -988,6 +1116,9 @@ static void
> cleanup_handler(int sig)
> {
> cleanup_socket();
>+#ifdef ENABLE_PKCS11
>+ pkcs11_terminate ();
>+#endif /* ENABLE_PKCS11 */
> _exit(2);
> }
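Review bot: `process_pkcs11_add_provider` passes a library path taken verbatim from the agent request to `pkcs11_add_provider`, so any client that can reach the agent socket — including a remote host when agent forwarding is in use — can have the agent load a shared object of the client's choosing into the agent's own process. The request should be refused unless the path lies under a trusted library directory, as sketched below; the same consideration applies to the `cert_file` path accepted by `process_pkcs11_add_id`. Separately, the `buffer_get_string` results are never released: `provider.provider` is not freed at all, and in `process_pkcs11_add_id`/`process_pkcs11_remove_id` each one is immediately copied with an unchecked `strdup`, leaking the original (assigning the `buffer_get_string` result directly, e.g. `pkcs11_id->id = buffer_get_string(&e->request, NULL);`, avoids both the copy and the leak, assuming `pkcs11_id_free` frees its members). The `xfree` in the sketch assumes `pkcs11_add_provider` copies what it keeps; confirm against the helper, which is not in this patch.
```c
/* Directories from which the agent is willing to load a PKCS#11 module.
 * Anything else is refused: the request may come from a forwarded (remote)
 * agent client. Adjust the list to the platform's library layout. */
static const char *const pkcs11_trusted_dirs[] = {
	"/usr/lib/", "/usr/local/lib/", NULL
};

static int
pkcs11_provider_path_allowed(const char *path)
{
	const char *const *dir;

	if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
		return 0;
	for (dir = pkcs11_trusted_dirs; *dir != NULL; dir++)
		if (strncmp(path, *dir, strlen(*dir)) == 0)
			return 1;
	return 0;
}

static void
process_pkcs11_add_provider (SocketEntry *e)
{
	pkcs11_provider provider;
	int success = 0;

	provider.provider = buffer_get_string(&e->request, NULL);
	/* … unchanged: protected_authentication, private_mode, cert_is_private … */

	if (pkcs11_provider_path_allowed(provider.provider))
		success = pkcs11_add_provider(&provider);
	else
		error("refusing to load PKCS#11 provider \"%s\"", provider.provider);

	/* buffer_get_string() allocates; assumes pkcs11_add_provider copies it — TODO confirm */
	xfree(provider.provider);
	/* … unchanged: reply … */
}
```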
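Review bot: `pkcs11_terminate()` is now called from `cleanup_handler`, which is a signal handler (its only other work is `cleanup_socket()` followed by `_exit(2)`), so whatever the PKCS#11 helper does on shutdown — presumably finalising the loaded module, which may take locks or free memory — runs in async-signal context and can deadlock or corrupt state if the signal lands while the agent is inside the same library. Prefer to leave the handler as it was and perform the PKCS#11 shutdown on the ordinary exit paths, or have the handler set a flag that the main loop acts on. If the call must stay here, add a comment above it stating that `pkcs11_terminate` has been verified to be async-signal-safe, so the next reader does not have to rediscover the question.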
>
>@@ -1216,6 +1347,11 @@ main(int ac, char **av)
> }
>
> skip:
>+
>+#ifdef ENABLE_PKCS11
>+ pkcs11_initialize (1, -1);
>+#endif /* ENABLE_PKCS11 */
>+
> new_socket(AUTH_SOCKET, sock);
> if (ac > 0)
> parent_alive_interval = 10;
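Review bot: `pkcs11_initialize (1, -1)` is called with two bare literals and its result is discarded, so a reader of main() cannot tell what `1` and `-1` select or whether initialisation can fail; if it can, the failure will only surface later as an opaque SSH_AGENT_FAILURE from the add-provider handler. Add a comment naming the two parameters, e.g. `/* pkcs11_initialize(<first arg>, <second arg, -1 = ?>) — confirm against pkcs11.h */` with the real meanings filled in, and if the helper returns a status, check it here and report it with `error()` rather than letting it go silent. main() begins and ends outside this hunk.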