Blame - ssh-pkcs11-client.c - platform/external/openssh

blob: 650c37342791e79292ef5cc79e7a2354ec277f7c [file] [log] [blame]

Damien Miller	05abd2c	2010-02-24 17:16:08 +1100	[diff] [blame]	1	/* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
Damien Miller	7ea845e	2010-02-12 09:21:02 +1100	[diff] [blame]	2	/*
				3	* Copyright (c) 2010 Markus Friedl. All rights reserved.
				4	*
				5	* Permission to use, copy, modify, and distribute this software for any
				6	* purpose with or without fee is hereby granted, provided that the above
				7	* copyright notice and this permission notice appear in all copies.
				8	*
				9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
				12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
				14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
				15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
				16	*/
				17
Damien Miller	8ad0fbd	2010-02-12 09:49:06 +1100	[diff] [blame]	18	#include "includes.h"
				19
Damien Miller	dfa4156	2010-02-12 10:06:28 +1100	[diff] [blame]	20	#ifdef ENABLE_PKCS11
				21
Damien Miller	7ea845e	2010-02-12 09:21:02 +1100	[diff] [blame]	22	#include <sys/types.h>
Damien Miller	8ad0fbd	2010-02-12 09:49:06 +1100	[diff] [blame]	23	#ifdef HAVE_SYS_TIME_H
				24	# include <sys/time.h>
				25	#endif
Damien Miller	7ea845e	2010-02-12 09:21:02 +1100	[diff] [blame]	26	#include <sys/socket.h>
				27
				28	#include <stdarg.h>
				29	#include <string.h>
				30	#include <unistd.h>
				31	#include <errno.h>
				32
				33	#include "pathnames.h"
				34	#include "xmalloc.h"
				35	#include "buffer.h"
				36	#include "log.h"
				37	#include "misc.h"
				38	#include "key.h"
				39	#include "authfd.h"
				40	#include "atomicio.h"
				41	#include "ssh-pkcs11.h"
				42
				43	/* borrows code from sftp-server and ssh-agent */
				44
				45	int fd = -1;
				46	pid_t pid = -1;
				47
				48	static void
				49	send_msg(Buffer *m)
				50	{
				51	u_char buf[4];
				52	int mlen = buffer_len(m);
				53
				54	put_u32(buf, mlen);
				55	if (atomicio(vwrite, fd, buf, 4) != 4 \|\|
				56	atomicio(vwrite, fd, buffer_ptr(m),
				57	buffer_len(m)) != buffer_len(m))
				58	error("write to helper failed");
				59	buffer_consume(m, mlen);
				60	}
				61
				62	static int
				63	recv_msg(Buffer *m)
				64	{
				65	u_int l, len;
				66	u_char buf[1024];
				67
				68	if ((len = atomicio(read, fd, buf, 4)) != 4) {
				69	error("read from helper failed: %u", len);
				70	return (0); /* XXX */
				71	}
				72	len = get_u32(buf);
				73	if (len > 256 * 1024)
				74	fatal("response too long: %u", len);
				75	/* read len bytes into m */
				76	buffer_clear(m);
				77	while (len > 0) {
				78	l = len;
				79	if (l > sizeof(buf))
				80	l = sizeof(buf);
				81	if (atomicio(read, fd, buf, l) != l) {
				82	error("response from helper failed.");
				83	return (0); /* XXX */
				84	}
				85	buffer_append(m, buf, l);
				86	len -= l;
				87	}
				88	return (buffer_get_char(m));
				89	}
				90
				91	int
				92	pkcs11_init(int interactive)
				93	{
				94	return (0);
				95	}
				96
				97	void
				98	pkcs11_terminate(void)
				99	{
				100	close(fd);
				101	}
				102
				103	static int
				104	pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa,
				105	int padding)
				106	{
				107	Key key;
				108	u_char blob, signature = NULL;
				109	u_int blen, slen = 0;
				110	int ret = -1;
				111	Buffer msg;
				112
				113	if (padding != RSA_PKCS1_PADDING)
				114	return (-1);
				115	key.type = KEY_RSA;
				116	key.rsa = rsa;
				117	if (key_to_blob(&key, &blob, &blen) == 0)
				118	return -1;
				119	buffer_init(&msg);
				120	buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
				121	buffer_put_string(&msg, blob, blen);
				122	buffer_put_string(&msg, from, flen);
				123	buffer_put_int(&msg, 0);
				124	xfree(blob);
				125	send_msg(&msg);
				126
				127	if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
				128	signature = buffer_get_string(&msg, &slen);
				129	if (slen <= (u_int)RSA_size(rsa)) {
				130	memcpy(to, signature, slen);
				131	ret = slen;
				132	}
				133	xfree(signature);
				134	}
				135	return (ret);
				136	}
				137
				138	/* redirect the private key encrypt operation to the ssh-pkcs11-helper */
				139	static int
				140	wrap_key(RSA *rsa)
				141	{
				142	static RSA_METHOD helper_rsa;
				143
				144	memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
				145	helper_rsa.name = "ssh-pkcs11-helper";
				146	helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
				147	RSA_set_method(rsa, &helper_rsa);
				148	return (0);
				149	}
				150
				151	static int
				152	pkcs11_start_helper(void)
				153	{
				154	int pair[2];
				155
				156	if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
				157	error("socketpair: %s", strerror(errno));
				158	return (-1);
				159	}
				160	if ((pid = fork()) == -1) {
				161	error("fork: %s", strerror(errno));
				162	return (-1);
				163	} else if (pid == 0) {
				164	if ((dup2(pair[1], STDIN_FILENO) == -1) \|\|
				165	(dup2(pair[1], STDOUT_FILENO) == -1)) {
				166	fprintf(stderr, "dup2: %s\n", strerror(errno));
				167	_exit(1);
				168	}
				169	close(pair[0]);
				170	close(pair[1]);
				171	execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER,
				172	(char *) 0);
				173	fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER,
				174	strerror(errno));
				175	_exit(1);
				176	}
				177	close(pair[1]);
				178	fd = pair[0];
				179	return (0);
				180	}
				181
				182	int
				183	pkcs11_add_provider(char name, char pin, Key ***keysp)
				184	{
				185	Key *k;
				186	int i, nkeys;
				187	u_char *blob;
				188	u_int blen;
				189	Buffer msg;
				190
				191	if (fd < 0 && pkcs11_start_helper() < 0)
				192	return (-1);
				193
				194	buffer_init(&msg);
				195	buffer_put_char(&msg, SSH_AGENTC_ADD_SMARTCARD_KEY);
				196	buffer_put_cstring(&msg, name);
				197	buffer_put_cstring(&msg, pin);
				198	send_msg(&msg);
				199	buffer_clear(&msg);
				200
				201	if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
				202	nkeys = buffer_get_int(&msg);
				203	keysp = xcalloc(nkeys, sizeof(Key ));
				204	for (i = 0; i < nkeys; i++) {
				205	blob = buffer_get_string(&msg, &blen);
				206	xfree(buffer_get_string(&msg, NULL));
				207	k = key_from_blob(blob, blen);
				208	wrap_key(k->rsa);
				209	(*keysp)[i] = k;
				210	xfree(blob);
				211	}
				212	} else {
				213	nkeys = -1;
				214	}
				215	buffer_free(&msg);
				216	return (nkeys);
				217	}
				218
				219	int
				220	pkcs11_del_provider(char *name)
				221	{
				222	int ret = -1;
				223	Buffer msg;
				224
				225	buffer_init(&msg);
				226	buffer_put_char(&msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY);
				227	buffer_put_cstring(&msg, name);
				228	buffer_put_cstring(&msg, "");
				229	send_msg(&msg);
				230	buffer_clear(&msg);
				231
				232	if (recv_msg(&msg) == SSH_AGENT_SUCCESS)
				233	ret = 0;
				234	buffer_free(&msg);
				235	return (ret);
				236	}
Damien Miller	dfa4156	2010-02-12 10:06:28 +1100	[diff] [blame]	237
				238	#endif /* ENABLE_PKCS11 */