
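--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -206,6 +206,7 @@ process_sign(void)
 		if ((found = lookup_key(key)) != NULL) {
 #ifdef WITH_OPENSSL
 			int ret;
+			pkcs11_refresh_key(found);
 
 			if (key->type == KEY_RSA) {
 				slen = RSA_size(key->rsa);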
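Review bot: The result of `pkcs11_refresh_key(found)` is dropped, yet the function returns -1 when the provider is gone, the PIN prompt is cancelled or the key is no longer found on the token, so the helper then goes on to sign with a session it has just determined to be stale and the user only sees whatever the later signing callback reports. Suggest `if (pkcs11_refresh_key(found) == -1) error("pkcs11_refresh_key failed for key %p", found);` so the cause is logged, or skipping the signing attempt for this request when the refresh fails. process_sign's body begins and ends outside the hunk.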
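--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -76,6 +76,10 @@ struct pkcs11_key {
 	int			keyid_len;
 };
 
+static int pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, CK_ULONG user);
+static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, struct sshkey ***keysp, char ***labelsp, int *nkeys);
+static int pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key);
+
 int pkcs11_interactive = 0;
 
 #ifdef HAVE_EC_KEY_METHOD_NEW
@@ -417,6 +421,102 @@ pkcs11_get_key(struct pkcs11_key *k11, CK_MECHANISM_TYPE mech_type)
 	return (0);
 }
 
+int pkcs11_key_is_present(struct pkcs11_key *k11)
+{
+	CK_RV			rv;
+	CK_FUNCTION_LIST	*f;
+	CK_SLOT_INFO		info;
+	CK_TOKEN_INFO		tokeninfo;
+	CK_SESSION_HANDLE	session;
+	CK_SESSION_INFO		sessioninfo;
+
+	f = k11->provider->function_list;
+	rv = f->C_GetSlotInfo(k11->slotidx, &info);
+	if (rv != CKR_OK) {
+		/* The cryptoki is not ready to work with this slot */
+		return -1;
+	}
+	if (!(info.flags & CKF_TOKEN_PRESENT)) {
+		return -1;
+	}
+
+	rv = f->C_GetTokenInfo(k11->slotidx, &tokeninfo);
+	if (rv != CKR_OK) {
+		/* The cryptoki is not ready to work with this token */
+		return -1;
+	}
+	/* TODO check if the fields of the tokeninfo match the stored values */
+
+	session = k11->provider->slotinfo[k11->slotidx].session;
+	rv = f->C_GetSessionInfo(session, &sessioninfo);
+	if (rv != CKR_OK) {
+		/* The cryptoki is not ready to work with this session */
+		return -1;
+	}
+	if (sessioninfo.slotID != k11->slotidx) {
+		return -1;
+	}
+	return 0;
+}
+
+static int pkcs11_reload_key(struct sshkey *key, struct pkcs11_key *k11)
+{
+	unsigned char		*pin = NULL;
+	int			r, i;
+	struct sshkey		**keysp = NULL;
+	int			nkeys = 0;
+
+	/* No need to C_CloseSession(): It is already invalidated */
+
+	debug("reading passphrase");
+	pin = read_passphrase("Enter PIN for smart card", RP_USE_ASKPASS);
+	if (!pin)
+		return -1;
+
+	r = pkcs11_open_session(k11->provider, k11->slotidx, pin, CKU_USER);
+
+	explicit_bzero(pin, strlen(pin));
+	free(pin);
+
+	if (r == -1)
+		return -1;
+
+	/* Check that the key we are using is present in the current card */
+	r = pkcs11_fetch_keys(k11->provider, k11->slotidx, &keysp, NULL, &nkeys);
+	if (r < 0)
+		return -1;
+
+	r = -1;
+	if (pkcs11_key_included(&keysp, &nkeys, key) == 1)
+		r = 0;
+
+	/* clean up the keys */
+	for (i = 0; i < nkeys; i++)
+		sshkey_free(keysp[i]);
+	free(keysp);
+	return r;
+}
+
+int pkcs11_refresh_key(struct sshkey *key)
+{
+	struct pkcs11_key	*k11;
+
+	if ((k11 = RSA_get_app_data(key->rsa)) == NULL) {
+		error("RSA_get_app_data failed for rsa %p", key->rsa);
+		return (-1);
+	}
+	if (!k11->provider || !k11->provider->valid) {
+		error("no pkcs11 (valid) provider for rsa %p", key->rsa);
+		return (-1);
+	}
+
+	if (pkcs11_key_is_present(k11) == -1)
+		if (pkcs11_reload_key(key, k11) == -1)
+			return -1;
+
+	return 0;
+}
+
 /* openssl callback doing the actual signing operation */
 static int
 pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,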
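Review bot: pkcs11_refresh_key resolves the pkcs11_key through `RSA_get_app_data(key->rsa)` without checking `key->type`, while the ssh-pkcs11-helper.c hunk calls it before its own `key->type == KEY_RSA` test, so a non-RSA key (this file carries a `HAVE_EC_KEY_METHOD_NEW` block, so ECDSA keys presumably pass through here) reaches it with `key->rsa` presumably NULL and is handed to an RSA accessor. Suggest a guard at the top of the function, `if (key->type != KEY_RSA) { debug("pkcs11_refresh_key: only RSA keys are refreshed"); return 0; }`, or resolving the pkcs11_key from the EC key for that type as well. Two smaller points: pkcs11_key_is_present is only used within this file and is not added to ssh-pkcs11.h, so it should be `static` like pkcs11_reload_key; and `pin` in pkcs11_reload_key is declared `unsigned char *` but is passed to `strlen()` and to pkcs11_open_session's `char *pin` parameter, so `char *pin = NULL;` avoids the sign-conversion warnings.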
(-)a/ssh-pkcs11.h (-1 / +1 lines)
Lines 26-31 int pkcs11_init(int); Link Here
26
void	pkcs11_terminate(void);
26
void	pkcs11_terminate(void);
27
int	pkcs11_add_provider(char *, char *, struct sshkey ***, char ***);
27
int	pkcs11_add_provider(char *, char *, struct sshkey ***, char ***);
28
int	pkcs11_del_provider(char *);
28
int	pkcs11_del_provider(char *);
29
int	pkcs11_refresh_key(struct sshkey *);
29
#ifdef WITH_PKCS11_KEYGEN
30
#ifdef WITH_PKCS11_KEYGEN
30
struct sshkey *
31
struct sshkey *
31
	pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
32
	pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
32
- 
