X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/9fc0407d54be6819b44de1140d9f0184bc2dee3f..c9ecc3c71562790fd69d7d595322e9eca55b875b:/scard.c diff --git a/scard.c b/scard.c index 9b2d7760..b3d25058 100644 --- a/scard.c +++ b/scard.c @@ -23,26 +23,29 @@ */ #include "includes.h" -#ifdef SMARTCARD -RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); +#if defined(SMARTCARD) && defined(USE_SECTOK) +RCSID("$OpenBSD: scard.c,v 1.29 2004/05/08 00:21:31 djm Exp $"); -#include #include #include #include "key.h" #include "log.h" #include "xmalloc.h" -#include "readpass.h" +#include "misc.h" #include "scard.h" -#ifdef OPENSSL_VERSION_NUMBER -#if OPENSSL_VERSION_NUMBER >= 0x00907000L -#define RSA_get_default_openssl_method RSA_get_default_method -#define DSA_get_default_openssl_method DSA_get_default_method -#define DH_get_default_openssl_method DH_get_default_method -#define ENGINE_set_BN_mod_exp(x,y) +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define USE_ENGINE +#define RSA_get_default_method RSA_get_default_openssl_method +#else #endif + +#ifdef USE_ENGINE +#include +#define sc_get_rsa sc_get_engine +#else +#define sc_get_rsa sc_get_rsa_method #endif #define CLA_SSH 0x05 @@ -62,6 +65,7 @@ static int cla = 0x00; /* class */ static void sc_mk_digest(const char *pin, u_char *digest); static int get_AUT0(u_char *aut0); +static int try_AUT0(void); /* interface to libsectok */ @@ -143,8 +147,7 @@ sc_read_pubkey(Key * k) n = NULL; if (sc_fd < 0) { - status = sc_init(); - if (status < 0 ) + if (sc_init() < 0) goto err; } @@ -162,6 +165,12 @@ sc_read_pubkey(Key * k) n = xmalloc(len); /* get n */ sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw); + + if (sw == 0x6982) { + if (try_AUT0() < 0) + goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw); + } if (!sectok_swOK(sw)) { error("could not obtain public key: %s", sectok_get_sw(sw)); goto err; @@ -182,7 +191,7 @@ sc_read_pubkey(Key * k) status = 0; p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); - debug("fingerprint %d %s", key_size(k), p); + debug("fingerprint %u %s", key_size(k), p); xfree(p); err: @@ -192,32 +201,6 @@ err: return status; } -static int -try_AUT0(void) -{ - u_char aut0[EVP_MAX_MD_SIZE]; - - /* permission denied; try PIN if provided */ - if (sc_pin && strlen(sc_pin) > 0) { - sc_mk_digest(sc_pin, aut0); - if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { - error("smartcard passphrase incorrect"); - return (-1); - } - } else { - /* try default AUT0 key */ - if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) { - /* default AUT0 key failed; prompt for passphrase */ - if (get_AUT0(aut0) < 0 || - cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { - error("smartcard passphrase incorrect"); - return (-1); - } - } - } - return (0); -} - /* private key operations */ static int @@ -317,18 +300,13 @@ sc_finish(RSA *rsa) return 1; } - /* engine for overloading private key operations */ -static ENGINE *smart_engine = NULL; -static RSA_METHOD smart_rsa; - -ENGINE * -sc_get_engine(void) +static RSA_METHOD * +sc_get_rsa_method(void) { - const RSA_METHOD *def; - - def = RSA_get_default_openssl_method(); + static RSA_METHOD smart_rsa; + const RSA_METHOD *def = RSA_get_default_method(); /* use the OpenSSL version */ memcpy(&smart_rsa, def, sizeof(smart_rsa)); @@ -343,13 +321,22 @@ sc_get_engine(void) orig_finish = def->finish; smart_rsa.finish = sc_finish; + return &smart_rsa; +} + +#ifdef USE_ENGINE +static ENGINE * +sc_get_engine(void) +{ + static ENGINE *smart_engine = NULL; + if ((smart_engine = ENGINE_new()) == NULL) fatal("ENGINE_new failed"); ENGINE_set_id(smart_engine, "sectok"); ENGINE_set_name(smart_engine, "libsectok"); - ENGINE_set_RSA(smart_engine, &smart_rsa); + ENGINE_set_RSA(smart_engine, sc_get_rsa_method()); ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); ENGINE_set_RAND(smart_engine, RAND_SSLeay()); @@ -357,6 +344,7 @@ sc_get_engine(void) return smart_engine; } +#endif void sc_close(void) @@ -367,11 +355,11 @@ sc_close(void) } } -Key * -sc_get_key(const char *id, const char *pin) +Key ** +sc_get_keys(const char *id, const char *pin) { - Key *k; - int status; + Key *k, *n, **keys; + int status, nkeys = 2; if (sc_reader_id != NULL) xfree(sc_reader_id); @@ -395,7 +383,26 @@ sc_get_key(const char *id, const char *pin) key_free(k); return NULL; } - return k; + keys = xmalloc((nkeys+1) * sizeof(Key *)); + + n = key_new(KEY_RSA1); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[0] = n; + + n = key_new(KEY_RSA); + BN_copy(n->rsa->n, k->rsa->n); + BN_copy(n->rsa->e, k->rsa->e); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[1] = n; + + keys[2] = NULL; + + key_free(k); + return keys; } #define NUM_RSA_KEY_ELEMENTS 5+1 @@ -437,6 +444,32 @@ get_AUT0(u_char *aut0) return 0; } +static int +try_AUT0(void) +{ + u_char aut0[EVP_MAX_MD_SIZE]; + + /* permission denied; try PIN if provided */ + if (sc_pin && strlen(sc_pin) > 0) { + sc_mk_digest(sc_pin, aut0); + if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } else { + /* try default AUT0 key */ + if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) { + /* default AUT0 key failed; prompt for passphrase */ + if (get_AUT0(aut0) < 0 || + cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } + } + return (0); +} + int sc_put_key(Key *prv, const char *id) { @@ -493,7 +526,7 @@ sc_put_key(Key *prv, const char *id) } if (!sectok_swOK(sw)) goto done; - log("cyberflex_load_rsa_priv done"); + logit("cyberflex_load_rsa_priv done"); key_fid[0] = 0x73; key_fid[1] = 0x68; if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5], @@ -503,7 +536,7 @@ sc_put_key(Key *prv, const char *id) } if (!sectok_swOK(sw)) goto done; - log("cyberflex_load_rsa_pub done"); + logit("cyberflex_load_rsa_pub done"); status = 0; done: @@ -521,4 +554,11 @@ done: sectok_close(fd); return (status); } -#endif /* SMARTCARD */ + +char * +sc_get_key_label(Key *key) +{ + return xstrdup("smartcard key"); +} + +#endif /* SMARTCARD && USE_SECTOK */