Blame - scard.c - platform/external/openssh

blob: e8319314c681b7d861613ced29ba133fa8126484 [file] [log] [blame]

Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	1	/*
				2	* Copyright (c) 2001 Markus Friedl. All rights reserved.
				3	*
				4	* Redistribution and use in source and binary forms, with or without
				5	* modification, are permitted provided that the following conditions
				6	* are met:
				7	* 1. Redistributions of source code must retain the above copyright
				8	* notice, this list of conditions and the following disclaimer.
				9	* 2. Redistributions in binary form must reproduce the above copyright
				10	* notice, this list of conditions and the following disclaimer in the
				11	* documentation and/or other materials provided with the distribution.
				12	*
				13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
				23	*/
				24
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	25	#include "includes.h"
Damien Miller	85de580	2001-09-18 14:01:11 +1000	[diff] [blame]	26	#ifdef SMARTCARD
Damien Miller	da75516	2002-01-22 23:09:22 +1100	[diff] [blame^]	27	RCSID("$OpenBSD: scard.c,v 1.17 2001/12/27 18:22:16 markus Exp $");
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	28
				29	#include <openssl/engine.h>
				30	#include <sectok.h>
				31
				32	#include "key.h"
				33	#include "log.h"
				34	#include "xmalloc.h"
				35	#include "scard.h"
				36
				37	#define CLA_SSH 0x05
				38	#define INS_DECRYPT 0x10
				39	#define INS_GET_KEYLENGTH 0x20
				40	#define INS_GET_PUBKEY 0x30
				41	#define INS_GET_RESPONSE 0xc0
				42
				43	#define MAX_BUF_SIZE 256
				44
				45	static int sc_fd = -1;
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	46	static char *sc_reader_id = NULL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	47	static int cla = 0x00; /* class */
				48
				49	/* interface to libsectok */
				50
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	51	static int
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	52	sc_open(void)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	53	{
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	54	int sw;
				55
				56	if (sc_fd >= 0)
				57	return sc_fd;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	58
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	59	sc_fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	60	if (sc_fd < 0) {
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	61	error("sectok_open failed: %s", sectok_get_sw(sw));
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	62	return SCARD_ERROR_FAIL;
				63	}
				64	if (! sectok_cardpresent(sc_fd)) {
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	65	debug("smartcard in reader %s not present, skipping",
				66	sc_reader_id);
Ben Lindstrom	3ab1dfa	2001-08-06 21:33:44 +0000	[diff] [blame]	67	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	68	return SCARD_ERROR_NOCARD;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	69	}
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	70	if (sectok_reset(sc_fd, 0, NULL, &sw) <= 0) {
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	71	error("sectok_reset failed: %s", sectok_get_sw(sw));
				72	sc_fd = -1;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	73	return SCARD_ERROR_FAIL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	74	}
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	75	if ((cla = cyberflex_inq_class(sc_fd)) < 0)
				76	cla = 0;
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	77
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	78	debug("sc_open ok %d", sc_fd);
				79	return sc_fd;
				80	}
				81
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	82	static int
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	83	sc_enable_applet(void)
				84	{
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	85	static u_char aid[] = {0xfc, 0x53, 0x73, 0x68, 0x2e, 0x62, 0x69, 0x6e};
				86	int sw = 0;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	87
Ben Lindstrom	60df8e4	2001-08-06 21:10:52 +0000	[diff] [blame]	88	/* select applet id */
				89	sectok_apdu(sc_fd, cla, 0xa4, 0x04, 0, sizeof aid, aid, 0, NULL, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	90	if (!sectok_swOK(sw)) {
				91	error("sectok_apdu failed: %s", sectok_get_sw(sw));
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	92	sc_close();
				93	return -1;
				94	}
				95	return 0;
				96	}
				97
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	98	static int
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	99	sc_init(void)
				100	{
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	101	int status;
				102
				103	status = sc_open();
				104	if (status == SCARD_ERROR_NOCARD) {
				105	return SCARD_ERROR_NOCARD;
				106	}
				107	if (status < 0 ) {
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	108	error("sc_open failed");
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	109	return status;
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	110	}
				111	if (sc_enable_applet() < 0) {
				112	error("sc_enable_applet failed");
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	113	return SCARD_ERROR_APPLET;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	114	}
				115	return 0;
				116	}
				117
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	118	static int
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	119	sc_read_pubkey(Key * k)
				120	{
				121	u_char buf[2], *n;
				122	char *p;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	123	int len, sw, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	124
				125	len = sw = 0;
Damien Miller	3ff36d6	2001-09-28 19:51:54 +1000	[diff] [blame]	126	n = NULL;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	127
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	128	if (sc_fd < 0) {
				129	status = sc_init();
				130	if (status < 0 )
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	131	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	132	}
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	133
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	134	/* get key size */
				135	sectok_apdu(sc_fd, CLA_SSH, INS_GET_KEYLENGTH, 0, 0, 0, NULL,
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	136	sizeof(buf), buf, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	137	if (!sectok_swOK(sw)) {
				138	error("could not obtain key length: %s", sectok_get_sw(sw));
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	139	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	140	}
				141	len = (buf[0] << 8) \| buf[1];
				142	len /= 8;
				143	debug("INS_GET_KEYLENGTH: len %d sw %s", len, sectok_get_sw(sw));
				144
				145	n = xmalloc(len);
				146	/* get n */
				147	sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
				148	if (!sectok_swOK(sw)) {
				149	error("could not obtain public key: %s", sectok_get_sw(sw));
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	150	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	151	}
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	152
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	153	debug("INS_GET_KEYLENGTH: sw %s", sectok_get_sw(sw));
				154
				155	if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
				156	error("c_read_pubkey: BN_bin2bn failed");
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	157	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	158	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	159
				160	/* currently the java applet just stores 'n' */
				161	if (!BN_set_word(k->rsa->e, 35)) {
				162	error("c_read_pubkey: BN_set_word(e, 35) failed");
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	163	goto err;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	164	}
				165
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	166	status = 0;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	167	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
				168	debug("fingerprint %d %s", key_size(k), p);
				169	xfree(p);
				170
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	171	err:
				172	if (n != NULL)
				173	xfree(n);
				174	sc_close();
				175	return status;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	176	}
				177
				178	/* private key operations */
				179
				180	static int
				181	sc_private_decrypt(int flen, u_char from, u_char to, RSA *rsa, int padding)
				182	{
				183	u_char *padded = NULL;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	184	int sw, len, olen, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	185
				186	debug("sc_private_decrypt called");
				187
				188	olen = len = sw = 0;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	189	if (sc_fd < 0) {
				190	status = sc_init();
				191	if (status < 0 )
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	192	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	193	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	194	if (padding != RSA_PKCS1_PADDING)
				195	goto err;
				196
				197	len = BN_num_bytes(rsa->n);
				198	padded = xmalloc(len);
				199
				200	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, 0, NULL, &sw);
				201	if (!sectok_swOK(sw)) {
				202	error("sc_private_decrypt: INS_DECRYPT failed: %s",
				203	sectok_get_sw(sw));
				204	goto err;
				205	}
				206	sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL,
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	207	len, padded, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	208	if (!sectok_swOK(sw)) {
				209	error("sc_private_decrypt: INS_GET_RESPONSE failed: %s",
				210	sectok_get_sw(sw));
				211	goto err;
				212	}
				213	olen = RSA_padding_check_PKCS1_type_2(to, len, padded + 1, len - 1,
				214	len);
				215	err:
				216	if (padded)
				217	xfree(padded);
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	218	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	219	return (olen >= 0 ? olen : status);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	220	}
				221
				222	static int
				223	sc_private_encrypt(int flen, u_char from, u_char to, RSA *rsa, int padding)
				224	{
				225	u_char *padded = NULL;
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	226	int sw, len, status = -1;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	227
				228	len = sw = 0;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	229	if (sc_fd < 0) {
				230	status = sc_init();
				231	if (status < 0 )
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	232	goto err;
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	233	}
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	234	if (padding != RSA_PKCS1_PADDING)
				235	goto err;
				236
				237	debug("sc_private_encrypt called");
				238	len = BN_num_bytes(rsa->n);
				239	padded = xmalloc(len);
				240
				241	if (RSA_padding_add_PKCS1_type_1(padded, len, from, flen) <= 0) {
				242	error("RSA_padding_add_PKCS1_type_1 failed");
				243	goto err;
				244	}
				245	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, 0, NULL, &sw);
				246	if (!sectok_swOK(sw)) {
				247	error("sc_private_decrypt: INS_DECRYPT failed: %s",
				248	sectok_get_sw(sw));
				249	goto err;
				250	}
				251	sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL,
Damien Miller	9f0f5c6	2001-12-21 14:45:46 +1100	[diff] [blame]	252	len, to, &sw);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	253	if (!sectok_swOK(sw)) {
				254	error("sc_private_decrypt: INS_GET_RESPONSE failed: %s",
				255	sectok_get_sw(sw));
				256	goto err;
				257	}
				258	err:
				259	if (padded)
				260	xfree(padded);
Ben Lindstrom	a2fec90	2001-09-18 05:45:44 +0000	[diff] [blame]	261	sc_close();
Ben Lindstrom	30b00be	2001-08-06 21:22:10 +0000	[diff] [blame]	262	return (len >= 0 ? len : status);
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	263	}
				264
Ben Lindstrom	a6c8a8d	2001-08-06 21:42:00 +0000	[diff] [blame]	265	/* called on free */
				266
				267	static int (orig_finish)(RSA rsa) = NULL;
				268
				269	static int
				270	sc_finish(RSA *rsa)
				271	{
				272	if (orig_finish)
				273	orig_finish(rsa);
				274	sc_close();
				275	return 1;
				276	}
				277
				278
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	279	/* engine for overloading private key operations */
				280
				281	static ENGINE *smart_engine = NULL;
				282	static RSA_METHOD smart_rsa =
				283	{
				284	"sectok",
				285	NULL,
				286	NULL,
				287	NULL,
				288	NULL,
				289	NULL,
				290	NULL,
				291	NULL,
				292	NULL,
				293	0,
				294	NULL,
				295	};
				296
				297	ENGINE *
				298	sc_get_engine(void)
				299	{
				300	RSA_METHOD *def;
				301
				302	def = RSA_get_default_openssl_method();
				303
				304	/* overload */
				305	smart_rsa.rsa_priv_enc = sc_private_encrypt;
				306	smart_rsa.rsa_priv_dec = sc_private_decrypt;
				307
Ben Lindstrom	a6c8a8d	2001-08-06 21:42:00 +0000	[diff] [blame]	308	/* save original */
				309	orig_finish = def->finish;
				310	smart_rsa.finish = sc_finish;
				311
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	312	/* just use the OpenSSL version */
				313	smart_rsa.rsa_pub_enc = def->rsa_pub_enc;
				314	smart_rsa.rsa_pub_dec = def->rsa_pub_dec;
				315	smart_rsa.rsa_mod_exp = def->rsa_mod_exp;
				316	smart_rsa.bn_mod_exp = def->bn_mod_exp;
				317	smart_rsa.init = def->init;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	318	smart_rsa.flags = def->flags;
				319	smart_rsa.app_data = def->app_data;
				320	smart_rsa.rsa_sign = def->rsa_sign;
				321	smart_rsa.rsa_verify = def->rsa_verify;
				322
Damien Miller	da75516	2002-01-22 23:09:22 +1100	[diff] [blame^]	323	if ((smart_engine = ENGINE_new()) == NULL)
				324	fatal("ENGINE_new failed");
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	325
				326	ENGINE_set_id(smart_engine, "sectok");
				327	ENGINE_set_name(smart_engine, "libsectok");
				328	ENGINE_set_RSA(smart_engine, &smart_rsa);
				329	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
				330	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
				331	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
				332	ENGINE_set_BN_mod_exp(smart_engine, BN_mod_exp);
				333
				334	return smart_engine;
				335	}
				336
Damien Miller	694be4b	2001-07-14 12:13:26 +1000	[diff] [blame]	337	void
				338	sc_close(void)
				339	{
				340	if (sc_fd >= 0) {
				341	sectok_close(sc_fd);
				342	sc_fd = -1;
				343	}
				344	}
				345
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	346	Key *
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	347	sc_get_key(const char *id)
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	348	{
				349	Key *k;
Ben Lindstrom	94baf30	2001-08-06 21:25:38 +0000	[diff] [blame]	350	int status;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	351
Ben Lindstrom	f7db3bb	2001-08-06 21:35:51 +0000	[diff] [blame]	352	if (sc_reader_id != NULL)
				353	xfree(sc_reader_id);
				354	sc_reader_id = xstrdup(id);
				355
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	356	k = key_new(KEY_RSA);
				357	if (k == NULL) {
				358	return NULL;
				359	}
Ben Lindstrom	94baf30	2001-08-06 21:25:38 +0000	[diff] [blame]	360	status = sc_read_pubkey(k);
				361	if (status == SCARD_ERROR_NOCARD) {
				362	key_free(k);
				363	return NULL;
				364	}
				365	if (status < 0 ) {
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	366	error("sc_read_pubkey failed");
				367	key_free(k);
				368	return NULL;
				369	}
				370	return k;
Ben Lindstrom	3133dbb	2001-07-04 05:35:00 +0000	[diff] [blame]	371	}
Ben Lindstrom	bcc1808	2001-08-06 21:59:25 +0000	[diff] [blame]	372	#endif /* SMARTCARD */