Blame - scard.c - platform/external/openssh

blob: 9b2d77602a7d919267597f740f6d1c5d6cad1009 [file] [log] [blame]

Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	1	/*
				2	* Copyright (c) 2001 Markus Friedl. All rights reserved.
				3	*
				4	* Redistribution and use in source and binary forms, with or without
				5	* modification, are permitted provided that the following conditions
				6	* are met:
				7	* 1. Redistributions of source code must retain the above copyright
				8	* notice, this list of conditions and the following disclaimer.
				9	* 2. Redistributions in binary form must reproduce the above copyright
				10	* notice, this list of conditions and the following disclaimer in the
				11	* documentation and/or other materials provided with the distribution.
				12	*
				13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				23	*/
				24
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	25	#include "includes.h"
Damien Miller	85de580	2001-09-18 14:01:11 +1000	[diff] [blame]	26	#ifdef SMARTCARD
Ben Lindstrom	c2c6cbc	2002-03-26 02:44:44 +0000	[diff] [blame]	27	RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
Ben Lindstrom	818659a	2002-03-22 03:38:35 +0000	[diff] [blame]	28
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	29	#include <openssl/engine.h>
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	30	#include <openssl/evp.h>
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	31	#include <sectok.h>
				32
				33	#include "key.h"
				34	#include "log.h"
				35	#include "xmalloc.h"
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	36	#include "readpass.h"
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	37	#include "scard.h"
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	38
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	39	#ifdef OPENSSL_VERSION_NUMBER
				40	#if OPENSSL_VERSION_NUMBER >= 0x00907000L
				41	#define RSA_get_default_openssl_method RSA_get_default_method
				42	#define DSA_get_default_openssl_method DSA_get_default_method
				43	#define DH_get_default_openssl_method DH_get_default_method
				44	#define ENGINE_set_BN_mod_exp(x,y)
				45	#endif
				46	#endif
				47
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	48	#define CLA_SSH 0x05
				49	#define INS_DECRYPT 0x10
				50	#define INS_GET_KEYLENGTH 0x20
				51	#define INS_GET_PUBKEY 0x30
				52	#define INS_GET_RESPONSE 0xc0
				53
				54	#define MAX_BUF_SIZE 256
				55
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	56	u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63};
				57
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	58	static int sc_fd = -1;
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	59	static char *sc_reader_id = NULL;
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	60	static char *sc_pin = NULL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	61	static int cla = 0x00; /* class */
				62
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	63	static void sc_mk_digest(const char pin, u_char digest);
				64	static int get_AUT0(u_char *aut0);
				65
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	66	/* interface to libsectok */
				67
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	68	static int
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	69	sc_open(void)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	70	{
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	71	int sw;
				72
				73	if (sc_fd >= 0)
				74	return sc_fd;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	75
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	76	sc_fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	77	if (sc_fd < 0) {
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	78	error("sectok_open failed: %s", sectok_get_sw(sw));
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	79	return SCARD_ERROR_FAIL;
				80	}
				81	if (! sectok_cardpresent(sc_fd)) {
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	82	debug("smartcard in reader %s not present, skipping",
				83	sc_reader_id);
Ben Lindstrom	3ab1dfa	2001-08-06 21:33:44 +0000	[diff] [blame]	84	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	85	return SCARD_ERROR_NOCARD;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	86	}
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	87	if (sectok_reset(sc_fd, 0, NULL, &sw) <= 0) {
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	88	error("sectok_reset failed: %s", sectok_get_sw(sw));
				89	sc_fd = -1;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	90	return SCARD_ERROR_FAIL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	91	}
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	92	if ((cla = cyberflex_inq_class(sc_fd)) < 0)
				93	cla = 0;
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	94
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	95	debug("sc_open ok %d", sc_fd);
				96	return sc_fd;
				97	}
				98
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	99	static int
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	100	sc_enable_applet(void)
				101	{
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	102	static u_char aid[] = {0xfc, 0x53, 0x73, 0x68, 0x2e, 0x62, 0x69, 0x6e};
				103	int sw = 0;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	104
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	105	/* select applet id */
				106	sectok_apdu(sc_fd, cla, 0xa4, 0x04, 0, sizeof aid, aid, 0, NULL, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	107	if (!sectok_swOK(sw)) {
				108	error("sectok_apdu failed: %s", sectok_get_sw(sw));
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	109	sc_close();
				110	return -1;
				111	}
				112	return 0;
				113	}
				114
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	115	static int
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	116	sc_init(void)
				117	{
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	118	int status;
				119
				120	status = sc_open();
				121	if (status == SCARD_ERROR_NOCARD) {
				122	return SCARD_ERROR_NOCARD;
				123	}
				124	if (status < 0 ) {
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	125	error("sc_open failed");
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	126	return status;
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	127	}
				128	if (sc_enable_applet() < 0) {
				129	error("sc_enable_applet failed");
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	130	return SCARD_ERROR_APPLET;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	131	}
				132	return 0;
				133	}
				134
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	135	static int
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	136	sc_read_pubkey(Key * k)
				137	{
				138	u_char buf[2], *n;
				139	char *p;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	140	int len, sw, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	141
				142	len = sw = 0;
Damien Miller	3ff36d6	2001-09-28 19:51:54 +1000	[diff] [blame]	143	n = NULL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	144
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	145	if (sc_fd < 0) {
				146	status = sc_init();
				147	if (status < 0 )
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	148	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	149	}
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	150
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	151	/* get key size */
				152	sectok_apdu(sc_fd, CLA_SSH, INS_GET_KEYLENGTH, 0, 0, 0, NULL,
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	153	sizeof(buf), buf, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	154	if (!sectok_swOK(sw)) {
				155	error("could not obtain key length: %s", sectok_get_sw(sw));
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	156	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	157	}
				158	len = (buf[0] << 8) \| buf[1];
				159	len /= 8;
				160	debug("INS_GET_KEYLENGTH: len %d sw %s", len, sectok_get_sw(sw));
				161
				162	n = xmalloc(len);
				163	/* get n */
				164	sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
				165	if (!sectok_swOK(sw)) {
				166	error("could not obtain public key: %s", sectok_get_sw(sw));
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	167	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	168	}
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	169
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	170	debug("INS_GET_KEYLENGTH: sw %s", sectok_get_sw(sw));
				171
				172	if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
				173	error("c_read_pubkey: BN_bin2bn failed");
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	174	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	175	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	176
				177	/* currently the java applet just stores 'n' */
				178	if (!BN_set_word(k->rsa->e, 35)) {
				179	error("c_read_pubkey: BN_set_word(e, 35) failed");
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	180	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	181	}
				182
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	183	status = 0;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	184	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
				185	debug("fingerprint %d %s", key_size(k), p);
				186	xfree(p);
				187
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	188	err:
				189	if (n != NULL)
				190	xfree(n);
				191	sc_close();
				192	return status;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	193	}
				194
Ben Lindstrom	c2c6cbc	2002-03-26 02:44:44 +0000	[diff] [blame]	195	static int
				196	try_AUT0(void)
				197	{
				198	u_char aut0[EVP_MAX_MD_SIZE];
				199
				200	/* permission denied; try PIN if provided */
				201	if (sc_pin && strlen(sc_pin) > 0) {
				202	sc_mk_digest(sc_pin, aut0);
				203	if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
				204	error("smartcard passphrase incorrect");
				205	return (-1);
				206	}
				207	} else {
				208	/* try default AUT0 key */
				209	if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
				210	/* default AUT0 key failed; prompt for passphrase */
				211	if (get_AUT0(aut0) < 0 \|\|
				212	cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
				213	error("smartcard passphrase incorrect");
				214	return (-1);
				215	}
				216	}
				217	}
				218	return (0);
				219	}
				220
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	221	/* private key operations */
				222
				223	static int
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	224	sc_private_decrypt(int flen, u_char from, u_char to, RSA *rsa,
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	225	int padding)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	226	{
				227	u_char *padded = NULL;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	228	int sw, len, olen, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	229
				230	debug("sc_private_decrypt called");
				231
				232	olen = len = sw = 0;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	233	if (sc_fd < 0) {
				234	status = sc_init();
				235	if (status < 0 )
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	236	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	237	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	238	if (padding != RSA_PKCS1_PADDING)
				239	goto err;
				240
				241	len = BN_num_bytes(rsa->n);
				242	padded = xmalloc(len);
				243
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	244	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
				245
				246	if (sw == 0x6982) {
Ben Lindstrom	c2c6cbc	2002-03-26 02:44:44 +0000	[diff] [blame]	247	if (try_AUT0() < 0)
				248	goto err;
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	249	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
				250	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	251	if (!sectok_swOK(sw)) {
				252	error("sc_private_decrypt: INS_DECRYPT failed: %s",
				253	sectok_get_sw(sw));
				254	goto err;
				255	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	256	olen = RSA_padding_check_PKCS1_type_2(to, len, padded + 1, len - 1,
				257	len);
				258	err:
				259	if (padded)
				260	xfree(padded);
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	261	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	262	return (olen >= 0 ? olen : status);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	263	}
				264
				265	static int
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	266	sc_private_encrypt(int flen, u_char from, u_char to, RSA *rsa,
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	267	int padding)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	268	{
				269	u_char *padded = NULL;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	270	int sw, len, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	271
				272	len = sw = 0;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	273	if (sc_fd < 0) {
				274	status = sc_init();
				275	if (status < 0 )
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	276	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	277	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	278	if (padding != RSA_PKCS1_PADDING)
				279	goto err;
				280
				281	debug("sc_private_encrypt called");
				282	len = BN_num_bytes(rsa->n);
				283	padded = xmalloc(len);
				284
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	285	if (RSA_padding_add_PKCS1_type_1(padded, len, (u_char *)from, flen) <= 0) {
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	286	error("RSA_padding_add_PKCS1_type_1 failed");
				287	goto err;
				288	}
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	289	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
Ben Lindstrom	c2c6cbc	2002-03-26 02:44:44 +0000	[diff] [blame]	290	if (sw == 0x6982) {
				291	if (try_AUT0() < 0)
				292	goto err;
				293	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
				294	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	295	if (!sectok_swOK(sw)) {
Ben Lindstrom	c2c6cbc	2002-03-26 02:44:44 +0000	[diff] [blame]	296	error("sc_private_encrypt: INS_DECRYPT failed: %s",
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	297	sectok_get_sw(sw));
				298	goto err;
				299	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	300	err:
				301	if (padded)
				302	xfree(padded);
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	303	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	304	return (len >= 0 ? len : status);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	305	}
				306
Ben Lindstrom	a6c8a8d	2001-08-06 21:42:00 +0000	[diff] [blame]	307	/* called on free */
				308
				309	static int (orig_finish)(RSA rsa) = NULL;
				310
				311	static int
				312	sc_finish(RSA *rsa)
				313	{
				314	if (orig_finish)
				315	orig_finish(rsa);
				316	sc_close();
				317	return 1;
				318	}
				319
				320
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	321	/* engine for overloading private key operations */
				322
				323	static ENGINE *smart_engine = NULL;
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	324	static RSA_METHOD smart_rsa;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	325
				326	ENGINE *
				327	sc_get_engine(void)
				328	{
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	329	const RSA_METHOD *def;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	330
				331	def = RSA_get_default_openssl_method();
				332
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	333	/* use the OpenSSL version */
				334	memcpy(&smart_rsa, def, sizeof(smart_rsa));
				335
				336	smart_rsa.name = "sectok";
				337
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	338	/* overload */
				339	smart_rsa.rsa_priv_enc = sc_private_encrypt;
				340	smart_rsa.rsa_priv_dec = sc_private_decrypt;
				341
Ben Lindstrom	a6c8a8d	2001-08-06 21:42:00 +0000	[diff] [blame]	342	/* save original */
				343	orig_finish = def->finish;
				344	smart_rsa.finish = sc_finish;
				345
Damien Miller	da75516	2002-01-22 23:09:22 +1100	[diff] [blame]	346	if ((smart_engine = ENGINE_new()) == NULL)
				347	fatal("ENGINE_new failed");
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	348
				349	ENGINE_set_id(smart_engine, "sectok");
				350	ENGINE_set_name(smart_engine, "libsectok");
Ben Lindstrom	0b675b1	2002-03-22 03:28:11 +0000	[diff] [blame]	351
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	352	ENGINE_set_RSA(smart_engine, &smart_rsa);
				353	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
				354	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
				355	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
				356	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
				357
				358	return smart_engine;
				359	}
				360
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	361	void
				362	sc_close(void)
				363	{
				364	if (sc_fd >= 0) {
				365	sectok_close(sc_fd);
				366	sc_fd = -1;
				367	}
				368	}
				369
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	370	Key *
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	371	sc_get_key(const char id, const char pin)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	372	{
				373	Key *k;
Ben Lindstrom	94baf30	2001-08-06 21:25:38 +0000	[diff] [blame]	374	int status;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	375
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	376	if (sc_reader_id != NULL)
				377	xfree(sc_reader_id);
				378	sc_reader_id = xstrdup(id);
				379
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	380	if (sc_pin != NULL)
				381	xfree(sc_pin);
				382	sc_pin = (pin == NULL) ? NULL : xstrdup(pin);
				383
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	384	k = key_new(KEY_RSA);
				385	if (k == NULL) {
				386	return NULL;
				387	}
Ben Lindstrom	94baf30	2001-08-06 21:25:38 +0000	[diff] [blame]	388	status = sc_read_pubkey(k);
				389	if (status == SCARD_ERROR_NOCARD) {
				390	key_free(k);
				391	return NULL;
				392	}
				393	if (status < 0 ) {
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	394	error("sc_read_pubkey failed");
				395	key_free(k);
				396	return NULL;
				397	}
				398	return k;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	399	}
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	400
				401	#define NUM_RSA_KEY_ELEMENTS 5+1
				402	#define COPY_RSA_KEY(x, i) \
				403	do { \
				404	len = BN_num_bytes(prv->rsa->x); \
				405	elements[i] = xmalloc(len); \
				406	debug("#bytes %d", len); \
				407	if (BN_bn2bin(prv->rsa->x, elements[i]) < 0) \
				408	goto done; \
				409	} while (0)
				410
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	411	static void
				412	sc_mk_digest(const char pin, u_char digest)
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	413	{
				414	const EVP_MD *evp_md = EVP_sha1();
				415	EVP_MD_CTX md;
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	416
				417	EVP_DigestInit(&md, evp_md);
				418	EVP_DigestUpdate(&md, pin, strlen(pin));
				419	EVP_DigestFinal(&md, digest, NULL);
				420	}
				421
				422	static int
				423	get_AUT0(u_char *aut0)
				424	{
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	425	char *pass;
				426
				427	pass = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
				428	if (pass == NULL)
				429	return -1;
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	430	if (!strcmp(pass, "-")) {
				431	memcpy(aut0, DEFAUT0, sizeof DEFAUT0);
				432	return 0;
				433	}
				434	sc_mk_digest(pass, aut0);
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	435	memset(pass, 0, strlen(pass));
				436	xfree(pass);
				437	return 0;
				438	}
				439
				440	int
				441	sc_put_key(Key prv, const char id)
				442	{
				443	u_char *elements[NUM_RSA_KEY_ELEMENTS];
				444	u_char key_fid[2];
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	445	u_char AUT0[EVP_MAX_MD_SIZE];
				446	int len, status = -1, i, fd = -1, ret;
				447	int sw = 0, cla = 0x00;
				448
				449	for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
				450	elements[i] = NULL;
				451
				452	COPY_RSA_KEY(q, 0);
				453	COPY_RSA_KEY(p, 1);
				454	COPY_RSA_KEY(iqmp, 2);
				455	COPY_RSA_KEY(dmq1, 3);
				456	COPY_RSA_KEY(dmp1, 4);
				457	COPY_RSA_KEY(n, 5);
				458	len = BN_num_bytes(prv->rsa->n);
Ben Lindstrom	818659a	2002-03-22 03:38:35 +0000	[diff] [blame]	459	fd = sectok_friendly_open(id, STONOWAIT, &sw);
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	460	if (fd < 0) {
				461	error("sectok_open failed: %s", sectok_get_sw(sw));
				462	goto done;
				463	}
				464	if (! sectok_cardpresent(fd)) {
Ben Lindstrom	818659a	2002-03-22 03:38:35 +0000	[diff] [blame]	465	error("smartcard in reader %s not present", id);
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	466	goto done;
				467	}
				468	ret = sectok_reset(fd, 0, NULL, &sw);
				469	if (ret <= 0) {
				470	error("sectok_reset failed: %s", sectok_get_sw(sw));
				471	goto done;
				472	}
				473	if ((cla = cyberflex_inq_class(fd)) < 0) {
				474	error("cyberflex_inq_class failed");
				475	goto done;
				476	}
				477	memcpy(AUT0, DEFAUT0, sizeof(DEFAUT0));
				478	if (cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
				479	if (get_AUT0(AUT0) < 0 \|\|
				480	cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) {
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	481	memset(AUT0, 0, sizeof(DEFAUT0));
				482	error("smartcard passphrase incorrect");
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	483	goto done;
				484	}
				485	}
Ben Lindstrom	266ec63	2002-03-22 03:47:38 +0000	[diff] [blame]	486	memset(AUT0, 0, sizeof(DEFAUT0));
Ben Lindstrom	70e3ad8	2002-03-22 03:33:43 +0000	[diff] [blame]	487	key_fid[0] = 0x00;
				488	key_fid[1] = 0x12;
				489	if (cyberflex_load_rsa_priv(fd, cla, key_fid, 5, 8*len, elements,
				490	&sw) < 0) {
				491	error("cyberflex_load_rsa_priv failed: %s", sectok_get_sw(sw));
				492	goto done;
				493	}
				494	if (!sectok_swOK(sw))
				495	goto done;
				496	log("cyberflex_load_rsa_priv done");
				497	key_fid[0] = 0x73;
				498	key_fid[1] = 0x68;
				499	if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5],
				500	&sw) < 0) {
				501	error("cyberflex_load_rsa_pub failed: %s", sectok_get_sw(sw));
				502	goto done;
				503	}
				504	if (!sectok_swOK(sw))
				505	goto done;
				506	log("cyberflex_load_rsa_pub done");
				507	status = 0;
				508
				509	done:
				510	memset(elements[0], '\0', BN_num_bytes(prv->rsa->q));
				511	memset(elements[1], '\0', BN_num_bytes(prv->rsa->p));
				512	memset(elements[2], '\0', BN_num_bytes(prv->rsa->iqmp));
				513	memset(elements[3], '\0', BN_num_bytes(prv->rsa->dmq1));
				514	memset(elements[4], '\0', BN_num_bytes(prv->rsa->dmp1));
				515	memset(elements[5], '\0', BN_num_bytes(prv->rsa->n));
				516
				517	for (i = 0; i < NUM_RSA_KEY_ELEMENTS; i++)
				518	if (elements[i])
				519	xfree(elements[i]);
				520	if (fd != -1)
				521	sectok_close(fd);
				522	return (status);
				523	}
Ben Lindstrom	bcc1808	2001-08-06 21:59:25 +0000	[diff] [blame]	524	#endif /* SMARTCARD */