- markus@cvs.openbsd.org 2002/03/25 17:34:27
[scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
change sc_get_key to sc_get_keys and hide smartcard details in scard.c
diff --git a/ChangeLog b/ChangeLog
index 6e63b16..079c7bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,9 @@
- markus@cvs.openbsd.org 2002/03/25 09:25:06
[auth-rh-rsa.c]
rm bogus comment
+ - markus@cvs.openbsd.org 2002/03/25 17:34:27
+ [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
+ change sc_get_key to sc_get_keys and hide smartcard details in scard.c
20020324
- (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@@ -8042,4 +8045,4 @@
- Wrote replacements for strlcpy and mkdtemp
- Released 1.0pre1
-$Id: ChangeLog,v 1.1986 2002/03/26 03:08:47 mouring Exp $
+$Id: ChangeLog,v 1.1987 2002/03/26 03:17:42 mouring Exp $
diff --git a/scard.c b/scard.c
index 9b2d776..779106f 100644
--- a/scard.c
+++ b/scard.c
@@ -24,9 +24,8 @@
#include "includes.h"
#ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
+RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $");
-#include <openssl/engine.h>
#include <openssl/evp.h>
#include <sectok.h>
@@ -36,13 +35,17 @@
#include "readpass.h"
#include "scard.h"
-#ifdef OPENSSL_VERSION_NUMBER
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-#define RSA_get_default_openssl_method RSA_get_default_method
-#define DSA_get_default_openssl_method DSA_get_default_method
-#define DH_get_default_openssl_method DH_get_default_method
-#define ENGINE_set_BN_mod_exp(x,y)
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#define USE_ENGINE
+#define RSA_get_default_method RSA_get_default_openssl_method
+#else
#endif
+
+#ifdef USE_ENGINE
+#include <openssl/engine.h>
+#define sc_get_rsa sc_get_engine
+#else
+#define sc_get_rsa sc_get_rsa_method
#endif
#define CLA_SSH 0x05
@@ -143,8 +146,7 @@
n = NULL;
if (sc_fd < 0) {
- status = sc_init();
- if (status < 0 )
+ if (sc_init() < 0)
goto err;
}
@@ -317,18 +319,13 @@
return 1;
}
-
/* engine for overloading private key operations */
-static ENGINE *smart_engine = NULL;
-static RSA_METHOD smart_rsa;
-
-ENGINE *
-sc_get_engine(void)
+static RSA_METHOD *
+sc_get_rsa_method(void)
{
- const RSA_METHOD *def;
-
- def = RSA_get_default_openssl_method();
+ static RSA_METHOD smart_rsa;
+ const RSA_METHOD *def = RSA_get_default_method();
/* use the OpenSSL version */
memcpy(&smart_rsa, def, sizeof(smart_rsa));
@@ -343,13 +340,22 @@
orig_finish = def->finish;
smart_rsa.finish = sc_finish;
+ return &smart_rsa;
+}
+
+#ifdef USE_ENGINE
+static ENGINE *
+sc_get_engine(void)
+{
+ static ENGINE *smart_engine = NULL;
+
if ((smart_engine = ENGINE_new()) == NULL)
fatal("ENGINE_new failed");
ENGINE_set_id(smart_engine, "sectok");
ENGINE_set_name(smart_engine, "libsectok");
- ENGINE_set_RSA(smart_engine, &smart_rsa);
+ ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
ENGINE_set_RAND(smart_engine, RAND_SSLeay());
@@ -357,6 +363,7 @@
return smart_engine;
}
+#endif
void
sc_close(void)
@@ -367,11 +374,11 @@
}
}
-Key *
-sc_get_key(const char *id, const char *pin)
+Key **
+sc_get_keys(const char *id, const char *pin)
{
- Key *k;
- int status;
+ Key *k, *n, **keys;
+ int status, nkeys = 2;
if (sc_reader_id != NULL)
xfree(sc_reader_id);
@@ -395,7 +402,26 @@
key_free(k);
return NULL;
}
- return k;
+ keys = xmalloc((nkeys+1) * sizeof(Key *));
+
+ n = key_new(KEY_RSA1);
+ BN_copy(n->rsa->n, k->rsa->n);
+ BN_copy(n->rsa->e, k->rsa->e);
+ RSA_set_method(n->rsa, sc_get_rsa());
+ n->flags |= KEY_FLAG_EXT;
+ keys[0] = n;
+
+ n = key_new(KEY_RSA);
+ BN_copy(n->rsa->n, k->rsa->n);
+ BN_copy(n->rsa->e, k->rsa->e);
+ RSA_set_method(n->rsa, sc_get_rsa());
+ n->flags |= KEY_FLAG_EXT;
+ keys[1] = n;
+
+ keys[2] = NULL;
+
+ key_free(k);
+ return keys;
}
#define NUM_RSA_KEY_ELEMENTS 5+1
diff --git a/scard.h b/scard.h
index 465fe27..c0aa9ed 100644
--- a/scard.h
+++ b/scard.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $ */
+/* $OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -24,8 +24,6 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-#include <openssl/engine.h>
-
#ifndef SCARD_H
#define SCARD_H
@@ -35,8 +33,7 @@
#define SCARD_ERROR_NOCARD -2
#define SCARD_ERROR_APPLET -3
-Key *sc_get_key(const char*, const char*);
-ENGINE *sc_get_engine(void);
+Key **sc_get_keys(const char*, const char*);
void sc_close(void);
int sc_put_key(Key *, const char*);
diff --git a/ssh-agent.c b/ssh-agent.c
index 1874eb1..f8183b4 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -34,7 +34,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $");
#if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
#include <sys/queue.h>
@@ -57,7 +57,6 @@
#include "log.h"
#ifdef SMARTCARD
-#include <openssl/engine.h>
#include "scard.h"
#endif
@@ -452,50 +451,39 @@
static void
process_add_smartcard_key (SocketEntry *e)
{
+ Identity *id;
Idtab *tab;
- Key *n = NULL, *k = NULL;
+ Key **keys, *k;
char *sc_reader_id = NULL, *pin;
- int success = 0;
+ int i, version, success = 0;
sc_reader_id = buffer_get_string(&e->input, NULL);
pin = buffer_get_string(&e->input, NULL);
- k = sc_get_key(sc_reader_id, pin);
+ keys = sc_get_keys(sc_reader_id, pin);
xfree(sc_reader_id);
xfree(pin);
- if (k == NULL) {
- error("sc_get_pubkey failed");
+ if (keys == NULL || keys[0] == NULL) {
+ error("sc_get_keys failed");
goto send;
}
- success = 1;
-
- tab = idtab_lookup(1);
- k->type = KEY_RSA1;
- if (lookup_identity(k, 1) == NULL) {
- Identity *id = xmalloc(sizeof(Identity));
- n = key_new(KEY_RSA1);
- BN_copy(n->rsa->n, k->rsa->n);
- BN_copy(n->rsa->e, k->rsa->e);
- RSA_set_method(n->rsa, sc_get_engine());
- id->key = n;
- id->comment = xstrdup("rsa1 smartcard");
- TAILQ_INSERT_TAIL(&tab->idlist, id, next);
- tab->nentries++;
+ for (i = 0; keys[i] != NULL; i++) {
+ k = keys[i];
+ version = k->type == KEY_RSA1 ? 1 : 2;
+ tab = idtab_lookup(version);
+ if (lookup_identity(k, version) == NULL) {
+ id = xmalloc(sizeof(Identity));
+ id->key = k;
+ id->comment = xstrdup("smartcard key");
+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+ tab->nentries++;
+ success = 1;
+ } else {
+ key_free(k);
+ }
+ keys[i] = NULL;
}
- k->type = KEY_RSA;
- tab = idtab_lookup(2);
- if (lookup_identity(k, 2) == NULL) {
- Identity *id = xmalloc(sizeof(Identity));
- n = key_new(KEY_RSA);
- BN_copy(n->rsa->n, k->rsa->n);
- BN_copy(n->rsa->e, k->rsa->e);
- RSA_set_method(n->rsa, sc_get_engine());
- id->key = n;
- id->comment = xstrdup("rsa smartcard");
- TAILQ_INSERT_TAIL(&tab->idlist, id, next);
- tab->nentries++;
- }
- key_free(k);
+ xfree(keys);
send:
buffer_put_int(&e->output, 1);
buffer_put_char(&e->output,
@@ -505,41 +493,37 @@
static void
process_remove_smartcard_key(SocketEntry *e)
{
- Key *k = NULL;
- int success = 0;
+ Identity *id;
+ Idtab *tab;
+ Key **keys, *k = NULL;
char *sc_reader_id = NULL, *pin;
+ int i, version, success = 0;
sc_reader_id = buffer_get_string(&e->input, NULL);
pin = buffer_get_string(&e->input, NULL);
- k = sc_get_key(sc_reader_id, pin);
+ keys = sc_get_keys(sc_reader_id, pin);
xfree(sc_reader_id);
xfree(pin);
- if (k == NULL) {
- error("sc_get_pubkey failed");
- } else {
- Identity *id;
- k->type = KEY_RSA1;
- id = lookup_identity(k, 1);
- if (id != NULL) {
- Idtab *tab = idtab_lookup(1);
- TAILQ_REMOVE(&tab->idlist, id, next);
- free_identity(id);
+ if (keys == NULL || keys[0] == NULL) {
+ error("sc_get_keys failed");
+ goto send;
+ }
+ for (i = 0; keys[i] != NULL; i++) {
+ k = keys[i];
+ version = k->type == KEY_RSA1 ? 1 : 2;
+ if ((id = lookup_identity(k, version)) != NULL) {
+ tab = idtab_lookup(version);
+ TAILQ_REMOVE(&tab->idlist, id, next);
tab->nentries--;
- success = 1;
- }
- k->type = KEY_RSA;
- id = lookup_identity(k, 2);
- if (id != NULL) {
- Idtab *tab = idtab_lookup(2);
- TAILQ_REMOVE(&tab->idlist, id, next);
free_identity(id);
- tab->nentries--;
success = 1;
}
key_free(k);
+ keys[i] = NULL;
}
-
+ xfree(keys);
+send:
buffer_put_int(&e->output, 1);
buffer_put_char(&e->output,
success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 7d36293..1a8a731 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $");
#include <openssl/evp.h>
#include <openssl/pem.h>
@@ -416,14 +416,18 @@
static void
do_download(struct passwd *pw, const char *sc_reader_id)
{
- Key *pub = NULL;
+ Key **keys = NULL;
+ int i;
- pub = sc_get_key(sc_reader_id, NULL);
- if (pub == NULL)
+ keys = sc_get_keys(sc_reader_id, NULL);
+ if (keys == NULL)
fatal("cannot read public key from smartcard");
- key_write(pub, stdout);
- key_free(pub);
- fprintf(stdout, "\n");
+ for (i = 0; keys[i]; i++) {
+ key_write(keys[i], stdout);
+ key_free(keys[i]);
+ fprintf(stdout, "\n");
+ }
+ xfree(keys);
exit(0);
}
#endif /* SMARTCARD */
diff --git a/ssh.c b/ssh.c
index ae2e854..dd926b7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -70,7 +70,6 @@
#include "sshtty.h"
#ifdef SMARTCARD
-#include <openssl/engine.h>
#include "scard.h"
#endif
@@ -1187,40 +1186,29 @@
load_public_identity_files(void)
{
char *filename;
- Key *public;
int i = 0;
-
+ Key *public;
#ifdef SMARTCARD
+ Key **keys;
+
if (options.smartcard_device != NULL &&
- options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES &&
- (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) {
- Key *new;
-
- if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES)
- options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2;
- memmove(&options.identity_files[2], &options.identity_files[0],
- sizeof(char *) * options.num_identity_files);
- options.num_identity_files += 2;
- i = 2;
-
- /* XXX ssh1 vs ssh2 */
- new = key_new(KEY_RSA);
- new->flags = KEY_FLAG_EXT;
- BN_copy(new->rsa->n, public->rsa->n);
- BN_copy(new->rsa->e, public->rsa->e);
- RSA_set_method(new->rsa, sc_get_engine());
- options.identity_keys[0] = new;
- options.identity_files[0] = xstrdup("smartcard rsa key");;
-
- new = key_new(KEY_RSA1);
- new->flags = KEY_FLAG_EXT;
- BN_copy(new->rsa->n, public->rsa->n);
- BN_copy(new->rsa->e, public->rsa->e);
- RSA_set_method(new->rsa, sc_get_engine());
- options.identity_keys[1] = new;
- options.identity_files[1] = xstrdup("smartcard rsa1 key");
-
- key_free(public);
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
+ int count = 0;
+ for (i = 0; keys[i] != NULL; i++) {
+ count++;
+ if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES)
+ options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1;
+ memmove(&options.identity_files[1], &options.identity_files[0],
+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
+ memmove(&options.identity_keys[1], &options.identity_keys[0],
+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
+ options.num_identity_files++;
+ options.identity_keys[0] = keys[i];
+ options.identity_files[0] = xstrdup("smartcard key");;
+ }
+ i = count;
+ xfree(keys);
}
#endif /* SMARTCARD */
for (; i < options.num_identity_files; i++) {