Attachment 1495 Details for Bug 1371 – 2009_all_pkcs11-agent.patch

[patch] 2009_all_pkcs11-agent.patch

2009_all_pkcs11-agent.patch (text/plain), 10.51 KB, created by Alon Bar-Lev on 2008-04-26 22:40:34 AEST

(hide)

Description:

Filename:

MIME Type:

Creator: Alon Bar-Lev

Created: 2008-04-26 22:40:34 AEST

Size: 10.51 KB

patch

obsolete

>[PATCH] PKCS#11 support in agent
>
>Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
>
>---
>
>diff -urNp ssh/authfd.c ssh.new/authfd.c
>--- ssh/authfd.c	2006-08-03 06:34:41.000000000 +0300
>+++ ssh.new/authfd.c	2008-04-26 12:32:56.000000000 +0300
>@@ -667,3 +667,51 @@ decode_reply(int type)
> 	/* NOTREACHED */
> 	return 0;
> }
>+
>+#ifdef ENABLE_PKCS11
>+
>+int
>+ssh_pkcs11_add_provider(AuthenticationConnection *auth,
>+	const pkcs11_provider *const provider)
>+{
>+	Buffer msg;
>+	int type;
>+
>+	buffer_init(&msg);
>+	buffer_put_char(&msg, SSH_AGENTC_PKCS11_ADD_PROVIDER);
>+	buffer_put_cstring(&msg, provider->provider);
>+	buffer_put_int(&msg, (unsigned)provider->protected_authentication);
>+	buffer_put_int(&msg, provider->private_mode);
>+	buffer_put_int(&msg, (unsigned)provider->cert_is_private);
>+
>+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
>+		buffer_free(&msg);
>+		return 0;
>+	}
>+	type = buffer_get_char(&msg);
>+	buffer_free(&msg);
>+	return decode_reply(type);
>+}
>+
>+int
>+ssh_pkcs11_id(AuthenticationConnection *auth, const pkcs11_id *const id, int remove)
>+{
>+	Buffer msg;
>+	int type;
>+
>+	buffer_init(&msg);
>+	buffer_put_char(&msg, remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID);
>+	buffer_put_cstring(&msg, id->id);
>+	buffer_put_int(&msg, (unsigned)id->pin_cache_period);
>+	buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
>+
>+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
>+		buffer_free(&msg);
>+		return 0;
>+	}
>+	type = buffer_get_char(&msg);
>+	buffer_free(&msg);
>+	return decode_reply(type);
>+}
>+
>+#endif /* ENABLE_PKCS11 */
>diff -urNp ssh/authfd.h ssh.new/authfd.h
>--- ssh/authfd.h	2006-08-03 06:34:41.000000000 +0300
>+++ ssh.new/authfd.h	2008-04-26 12:32:56.000000000 +0300
>@@ -16,6 +16,8 @@
> #ifndef AUTHFD_H
> #define AUTHFD_H
> 
>+#include "pkcs11.h"
>+
> /* Messages for the authentication agent connection. */
> #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
> #define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
>@@ -49,6 +51,10 @@
> #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
> #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
> 
>+#define SSH_AGENTC_PKCS11_ADD_PROVIDER		27
>+#define SSH_AGENTC_PKCS11_ADD_ID		28
>+#define SSH_AGENTC_PKCS11_REMOVE_ID		29
>+
> #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
> #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
> 
>@@ -92,4 +98,10 @@ int
> ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
>     u_int);
> 
>+#ifdef ENABLE_PKCS11
>+int	ssh_pkcs11_add_provider(AuthenticationConnection *, 
>+    const pkcs11_provider *const);
>+int	ssh_pkcs11_id(AuthenticationConnection *, const pkcs11_id *const, int remove);
>+#endif /* ENABLE_PKCS11 */
>+
> #endif				/* AUTHFD_H */
>diff -urNp ssh/ssh-add.c ssh.new/ssh-add.c
>--- ssh/ssh-add.c	2007-09-09 14:38:01.000000000 +0300
>+++ ssh.new/ssh-add.c	2008-04-26 12:32:56.000000000 +0300
>@@ -53,6 +53,7 @@
> #include "rsa.h"
> #include "log.h"
> #include "key.h"
>+#include "pkcs11.h"
> #include "buffer.h"
> #include "authfd.h"
> #include "authfile.h"
>@@ -316,6 +317,18 @@ usage(void)
> 	fprintf(stderr, "  -X          Unlock agent.\n");
> 	fprintf(stderr, "  -t life     Set lifetime (in seconds) when adding identities.\n");
> 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
>+#ifdef ENABLE_PKCS11
>+	fprintf(stderr, "  -K provider Add PKCS#11 provider, format:\n");
>+	fprintf(stderr, "              lib[:prot_auth[:private_mode[:cert_is_private]]]\n");
>+	fprintf(stderr, "              prot_auth - 1 to allow protected mode authentication.\n");
>+	fprintf(stderr, "              private_mode - Private key mode, see man page.\n");
>+	fprintf(stderr, "              cert_is_private - 1 if login is required to access certificates.\n");
>+	fprintf(stderr, "  -I          Add PKCS#11 id, remainging arguments:\n");
>+	fprintf(stderr, "              pkcs11_id [session_cache [cert_file]]\n");
>+	fprintf(stderr, "              pkcs11_id - Serialized id, get from ssh-keygen -K.\n");
>+	fprintf(stderr, "              session_cache - Session cache timeout in seconds -1 for infinite.\n");
>+	fprintf(stderr, "              cert_file - Specify PEM file to load if token is unavailable.\n");
>+#endif
> #ifdef SMARTCARD
> 	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
> 	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
>@@ -330,6 +343,10 @@ main(int argc, char **argv)
> 	AuthenticationConnection *ac = NULL;
> 	char *sc_reader_id = NULL;
> 	int i, ch, deleting = 0, ret = 0;
>+#ifdef ENABLE_PKCS11
>+	pkcs11_provider *pkcs11_provider = NULL;
>+	int doing_pkcs11 = 0;
>+#endif /* ENABLE_PKCS11 */
> 
> 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
> 	sanitise_stdfd();
>@@ -343,7 +360,7 @@ main(int argc, char **argv)
> 		    "Could not open a connection to your authentication agent.\n");
> 		exit(2);
> 	}
>-	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
>+	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:K:I")) != -1) {
> 		switch (ch) {
> 		case 'l':
> 		case 'L':
>@@ -379,6 +396,18 @@ main(int argc, char **argv)
> 				goto done;
> 			}
> 			break;
>+#ifdef ENABLE_PKCS11
>+		case 'K':
>+			if ((pkcs11_provider = pkcs11_parse_provider(optarg)) == NULL) {
>+				fprintf(stderr, "Cannot parse PKCS#11 provider\n");
>+				ret = 1;
>+				goto done;
>+			}
>+			break;
>+		case 'I':
>+			doing_pkcs11 = 1;
>+			break;
>+#endif /* ENABLE_PKCS11 */
> 		default:
> 			usage();
> 			ret = 1;
>@@ -387,6 +416,50 @@ main(int argc, char **argv)
> 	}
> 	argc -= optind;
> 	argv += optind;
>+
>+#ifdef ENABLE_PKCS11
>+	if (pkcs11_provider != NULL) {
>+		if (!ssh_pkcs11_add_provider(ac, pkcs11_provider)) {
>+			fprintf(stderr,
>+				"Cannot add provider '%s'\n", pkcs11_provider->provider);
>+			ret = 1;
>+			goto done;
>+		}
>+		fprintf(stderr, "Provider '%s' added successfully.\n", pkcs11_provider->provider);
>+		pkcs11_free_provider(pkcs11_provider);
>+	}
>+
>+	if (doing_pkcs11) {
>+		pkcs11_id *pkcs11_id = NULL;
>+		if (argc < 1 || argc > 3) {
>+			fprintf(stderr,
>+				"Invalid PKCS#11 id format\n");
>+			ret = 1;
>+			goto done;
>+		}
>+		if ((pkcs11_id = pkcs11_id_new()) == NULL) {
>+			fprintf(stderr, "Memory allocation error.\n");
>+			ret = 1;
>+			goto done;
>+		}
>+		pkcs11_id->id = argv[0];
>+		if (argc > 1)
>+			pkcs11_id->pin_cache_period = atoi(argv[1]);
>+		if (argc > 2)
>+			pkcs11_id->cert_file = xstrdup(argv[2]);
>+
>+		if (!ssh_pkcs11_id(ac, pkcs11_id, deleting)) {
>+			fprintf(stderr,
>+				"Cannot %s id '%s'\n", deleting ? "remove" : "add", pkcs11_id->id);
>+			ret = 1;
>+			goto done;
>+		}
>+		pkcs11_id_free(pkcs11_id);
>+		fprintf(stderr, "Identity %s successfully.\n", deleting ? "removed" : "added");
>+		goto done;
>+	}
>+#endif /* ENABLE_PKCS11 */
>+
> 	if (sc_reader_id != NULL) {
> 		if (update_card(ac, !deleting, sc_reader_id) == -1)
> 			ret = 1;
>diff -urNp ssh/ssh-agent.c ssh.new/ssh-agent.c
>--- ssh/ssh-agent.c	2007-09-26 01:48:57.000000000 +0200
>+++ ssh.new/ssh-agent.c	2008-04-26 12:32:56.000000000 +0300
>@@ -62,6 +62,7 @@
> #include "buffer.h"
> #include "key.h"
> #include "authfd.h"
>+#include "pkcs11.h"
> #include "compat.h"
> #include "log.h"
> #include "misc.h"
>@@ -689,6 +690,121 @@ send:
> }
> #endif /* SMARTCARD */
> 
>+#ifdef ENABLE_PKCS11
>+
>+static void
>+process_pkcs11_add_provider (SocketEntry *e)
>+{
>+	pkcs11_provider provider;
>+	int success = 0;
>+
>+	provider.provider = buffer_get_string(&e->request, NULL);
>+	provider.protected_authentication = buffer_get_int(&e->request);
>+	provider.private_mode = (unsigned)buffer_get_int(&e->request);
>+	provider.cert_is_private = buffer_get_int(&e->request);
>+
>+	success = pkcs11_add_provider(&provider);
>+
>+	buffer_put_int(&e->output, 1);
>+	buffer_put_char(&e->output,
>+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+static
>+void
>+process_pkcs11_add_id (SocketEntry *e)
>+{
>+	pkcs11_id *pkcs11_id = NULL;
>+	Key *k = NULL;
>+	char *comment = NULL;
>+	int success = 0;
>+	int version = 2;
>+
>+	pkcs11_id = pkcs11_id_new();
>+	if (pkcs11_id != NULL) {
>+		pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
>+		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
>+		pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
>+
>+		if (pkcs11_get_key (pkcs11_id, &k, &comment)) {
>+			if (lookup_identity(k, version) == NULL) {
>+				Identity *id = xmalloc(sizeof(Identity));
>+				Idtab *tab = NULL;
>+	
>+				id->key = k;
>+				k = NULL;
>+				id->comment = comment;
>+				id->death = 0;		/* handled by pkcs#11 helper */
>+				id->confirm = 0;
>+	
>+				tab = idtab_lookup(version);
>+				TAILQ_INSERT_TAIL(&tab->idlist, id, next);
>+				/* Increment the number of identities. */
>+				tab->nentries++;
>+				success = 1;
>+			}
>+		}
>+	}
>+
>+	if (k != NULL)
>+		key_free(k);
>+
>+	if (pkcs11_id != NULL)
>+		pkcs11_id_free(pkcs11_id);
>+
>+	buffer_put_int(&e->output, 1);
>+	buffer_put_char(&e->output,
>+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+static
>+void
>+process_pkcs11_remove_id (SocketEntry *e)
>+{
>+	Identity *id = NULL;
>+	char *comment = NULL;
>+	pkcs11_id *pkcs11_id = NULL;
>+	Key *k = NULL;
>+	int version = 2;
>+	int success = 0;
>+
>+	pkcs11_id = pkcs11_id_new();
>+	if (pkcs11_id != NULL) {
>+		pkcs11_id->id = strdup(buffer_get_string(&e->request, NULL));
>+		pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
>+		pkcs11_id->cert_file = strdup(buffer_get_string(&e->request, NULL));
>+
>+		if (pkcs11_get_key(pkcs11_id, &k, &comment)) {
>+			id = lookup_identity (k, version);
>+			xfree(comment);
>+			comment = NULL;
>+		}
>+
>+		if (id != NULL) {
>+			Idtab *tab = NULL;
>+
>+			tab = idtab_lookup(version);
>+			TAILQ_REMOVE(&tab->idlist, id, next);
>+			tab->nentries--;
>+			free_identity(id);
>+			id = NULL;
>+			success = 1;
>+		}
>+	}
>+
>+	if (k != NULL)
>+		key_free(k);
>+
>+	if (pkcs11_id != NULL)
>+		pkcs11_id_free(pkcs11_id);
>+
>+	buffer_put_int(&e->output, 1);
>+	buffer_put_char(&e->output,
>+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
>+}
>+
>+#endif /* ENABLE_PKCS11 */
>+
> /* dispatch incoming messages */
> 
> static void
>@@ -781,6 +897,18 @@ process_message(SocketEntry *e)
> 		process_remove_smartcard_key(e);
> 		break;
> #endif /* SMARTCARD */
>+
>+#ifdef ENABLE_PKCS11
>+	case SSH_AGENTC_PKCS11_ADD_PROVIDER:
>+		process_pkcs11_add_provider(e);
>+		break;
>+	case SSH_AGENTC_PKCS11_ADD_ID:
>+		process_pkcs11_add_id(e);
>+		break;
>+	case SSH_AGENTC_PKCS11_REMOVE_ID:
>+		process_pkcs11_remove_id(e);
>+		break;
>+#endif /* ENABLE_PKCS11 */
> 	default:
> 		/* Unknown message.  Respond with failure. */
> 		error("Unknown message %d", type);
>@@ -988,6 +1116,9 @@ static void
> cleanup_handler(int sig)
> {
> 	cleanup_socket();
>+#ifdef ENABLE_PKCS11
>+	pkcs11_terminate ();
>+#endif /* ENABLE_PKCS11 */
> 	_exit(2);
> }
> 
>@@ -1216,6 +1347,11 @@ main(int ac, char **av)
> 	}
> 
> skip:
>+
>+#ifdef ENABLE_PKCS11
>+	pkcs11_initialize (1, -1);
>+#endif /* ENABLE_PKCS11 */
>+
> 	new_socket(AUTH_SOCKET, sock);
> 	if (ac > 0)
> 		parent_alive_interval = 10;

Actions: View | Diff

Attachments on bug 1371: 1444 | 1463 | 1464 | 1465 | 1466 | 1467 | 1468 | 1469 | 1470 | 1471 | 1477 | 1478 | 1484 | 1485 | 1486 | 1487 | 1488 | 1489 | 1490 | 1491 | 1492 | 1493 | 1494 | 1495 | 1496 | 1497 | 1547 | 1557 | 1558