X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/b9f6235207d4ba125832640744f7b6caff15d6f8..851a428e76e2ea81cf1594174858f228e9dc7734:/scard.c diff --git a/scard.c b/scard.c index 7bd72d8e..9fd3ca1b 100644 --- a/scard.c +++ b/scard.c @@ -1,3 +1,4 @@ +/* $OpenBSD: scard.c,v 1.36 2006/11/06 21:25:28 markus Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -23,25 +24,33 @@ */ #include "includes.h" -#ifdef SMARTCARD -RCSID("$OpenBSD: scard.c,v 1.20 2002/03/21 16:57:15 markus Exp $"); -#include -#include +#if defined(SMARTCARD) && defined(USE_SECTOK) + +#include + #include +#include +#include +#include + +#include "xmalloc.h" #include "key.h" #include "log.h" -#include "xmalloc.h" +#include "misc.h" #include "scard.h" -#include "readpass.h" - -#ifdef OPENSSL_VERSION_NUMBER -#if OPENSSL_VERSION_NUMBER >= 0x00907000L -#define RSA_get_default_openssl_method RSA_get_default_method -#define DSA_get_default_openssl_method DSA_get_default_method -#define DH_get_default_openssl_method DH_get_default_method -#define ENGINE_set_BN_mod_exp(x,y) + +#if OPENSSL_VERSION_NUMBER < 0x00907000L +#define USE_ENGINE +#define RSA_get_default_method RSA_get_default_openssl_method +#else #endif + +#ifdef USE_ENGINE +#include +#define sc_get_rsa sc_get_engine +#else +#define sc_get_rsa sc_get_rsa_method #endif #define CLA_SSH 0x05 @@ -52,10 +61,17 @@ RCSID("$OpenBSD: scard.c,v 1.20 2002/03/21 16:57:15 markus Exp $"); #define MAX_BUF_SIZE 256 +u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63}; + static int sc_fd = -1; static char *sc_reader_id = NULL; +static char *sc_pin = NULL; static int cla = 0x00; /* class */ +static void sc_mk_digest(const char *pin, u_char *digest); +static int get_AUT0(u_char *aut0); +static int try_AUT0(void); + /* interface to libsectok */ static int @@ -114,7 +130,7 @@ sc_init(void) if (status == SCARD_ERROR_NOCARD) { return SCARD_ERROR_NOCARD; } - if (status < 0 ) { + if (status < 0) { error("sc_open failed"); return status; } @@ -136,8 +152,7 @@ sc_read_pubkey(Key * k) n = NULL; if (sc_fd < 0) { - status = sc_init(); - if (status < 0 ) + if (sc_init() < 0) goto err; } @@ -155,6 +170,12 @@ sc_read_pubkey(Key * k) n = xmalloc(len); /* get n */ sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw); + + if (sw == 0x6982) { + if (try_AUT0() < 0) + goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw); + } if (!sectok_swOK(sw)) { error("could not obtain public key: %s", sectok_get_sw(sw)); goto err; @@ -175,7 +196,7 @@ sc_read_pubkey(Key * k) status = 0; p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); - debug("fingerprint %d %s", key_size(k), p); + debug("fingerprint %u %s", key_size(k), p); xfree(p); err: @@ -199,7 +220,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, olen = len = sw = 0; if (sc_fd < 0) { status = sc_init(); - if (status < 0 ) + if (status < 0) goto err; } if (padding != RSA_PKCS1_PADDING) @@ -208,17 +229,15 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, len = BN_num_bytes(rsa->n); padded = xmalloc(len); - sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, (u_char *)from, - 0, NULL, &sw); - if (!sectok_swOK(sw)) { - error("sc_private_decrypt: INS_DECRYPT failed: %s", - sectok_get_sw(sw)); - goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); + + if (sw == 0x6982) { + if (try_AUT0() < 0) + goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); } - sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL, - len, padded, &sw); if (!sectok_swOK(sw)) { - error("sc_private_decrypt: INS_GET_RESPONSE failed: %s", + error("sc_private_decrypt: INS_DECRYPT failed: %s", sectok_get_sw(sw)); goto err; } @@ -241,7 +260,7 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa, len = sw = 0; if (sc_fd < 0) { status = sc_init(); - if (status < 0 ) + if (status < 0) goto err; } if (padding != RSA_PKCS1_PADDING) @@ -255,16 +274,14 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa, error("RSA_padding_add_PKCS1_type_1 failed"); goto err; } - sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, 0, NULL, &sw); - if (!sectok_swOK(sw)) { - error("sc_private_decrypt: INS_DECRYPT failed: %s", - sectok_get_sw(sw)); - goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw); + if (sw == 0x6982) { + if (try_AUT0() < 0) + goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw); } - sectok_apdu(sc_fd, CLA_SSH, INS_GET_RESPONSE, 0, 0, 0, NULL, - len, to, &sw); if (!sectok_swOK(sw)) { - error("sc_private_decrypt: INS_GET_RESPONSE failed: %s", + error("sc_private_encrypt: INS_DECRYPT failed: %s", sectok_get_sw(sw)); goto err; } @@ -288,18 +305,13 @@ sc_finish(RSA *rsa) return 1; } - /* engine for overloading private key operations */ -static ENGINE *smart_engine = NULL; -static RSA_METHOD smart_rsa; - -ENGINE * -sc_get_engine(void) +static RSA_METHOD * +sc_get_rsa_method(void) { - const RSA_METHOD *def; - - def = RSA_get_default_openssl_method(); + static RSA_METHOD smart_rsa; + const RSA_METHOD *def = RSA_get_default_method(); /* use the OpenSSL version */ memcpy(&smart_rsa, def, sizeof(smart_rsa)); @@ -314,13 +326,22 @@ sc_get_engine(void) orig_finish = def->finish; smart_rsa.finish = sc_finish; + return &smart_rsa; +} + +#ifdef USE_ENGINE +static ENGINE * +sc_get_engine(void) +{ + static ENGINE *smart_engine = NULL; + if ((smart_engine = ENGINE_new()) == NULL) fatal("ENGINE_new failed"); ENGINE_set_id(smart_engine, "sectok"); ENGINE_set_name(smart_engine, "libsectok"); - ENGINE_set_RSA(smart_engine, &smart_rsa); + ENGINE_set_RSA(smart_engine, sc_get_rsa_method()); ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method()); ENGINE_set_DH(smart_engine, DH_get_default_openssl_method()); ENGINE_set_RAND(smart_engine, RAND_SSLeay()); @@ -328,6 +349,7 @@ sc_get_engine(void) return smart_engine; } +#endif void sc_close(void) @@ -338,16 +360,20 @@ sc_close(void) } } -Key * -sc_get_key(const char *id) +Key ** +sc_get_keys(const char *id, const char *pin) { - Key *k; - int status; + Key *k, *n, **keys; + int status, nkeys = 2; if (sc_reader_id != NULL) xfree(sc_reader_id); sc_reader_id = xstrdup(id); + if (sc_pin != NULL) + xfree(sc_pin); + sc_pin = (pin == NULL) ? NULL : xstrdup(pin); + k = key_new(KEY_RSA); if (k == NULL) { return NULL; @@ -357,12 +383,33 @@ sc_get_key(const char *id) key_free(k); return NULL; } - if (status < 0 ) { + if (status < 0) { error("sc_read_pubkey failed"); key_free(k); return NULL; } - return k; + keys = xcalloc((nkeys+1), sizeof(Key *)); + + n = key_new(KEY_RSA1); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("sc_get_keys: BN_copy failed"); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[0] = n; + + n = key_new(KEY_RSA); + if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) || + (BN_copy(n->rsa->e, k->rsa->e) == NULL)) + fatal("sc_get_keys: BN_copy failed"); + RSA_set_method(n->rsa, sc_get_rsa()); + n->flags |= KEY_FLAG_EXT; + keys[1] = n; + + keys[2] = NULL; + + key_free(k); + return keys; } #define NUM_RSA_KEY_ELEMENTS 5+1 @@ -375,30 +422,66 @@ sc_get_key(const char *id) goto done; \ } while (0) -static int -get_AUT0(char *aut0) +static void +sc_mk_digest(const char *pin, u_char *digest) { const EVP_MD *evp_md = EVP_sha1(); EVP_MD_CTX md; + + EVP_DigestInit(&md, evp_md); + EVP_DigestUpdate(&md, pin, strlen(pin)); + EVP_DigestFinal(&md, digest, NULL); +} + +static int +get_AUT0(u_char *aut0) +{ char *pass; pass = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN); if (pass == NULL) return -1; - EVP_DigestInit(&md, evp_md); - EVP_DigestUpdate(&md, pass, strlen(pass)); - EVP_DigestFinal(&md, aut0, NULL); + if (!strcmp(pass, "-")) { + memcpy(aut0, DEFAUT0, sizeof DEFAUT0); + return 0; + } + sc_mk_digest(pass, aut0); memset(pass, 0, strlen(pass)); xfree(pass); return 0; } +static int +try_AUT0(void) +{ + u_char aut0[EVP_MAX_MD_SIZE]; + + /* permission denied; try PIN if provided */ + if (sc_pin && strlen(sc_pin) > 0) { + sc_mk_digest(sc_pin, aut0); + if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } else { + /* try default AUT0 key */ + if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) { + /* default AUT0 key failed; prompt for passphrase */ + if (get_AUT0(aut0) < 0 || + cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } + } + return (0); +} + int sc_put_key(Key *prv, const char *id) { u_char *elements[NUM_RSA_KEY_ELEMENTS]; u_char key_fid[2]; - u_char DEFAUT0[] = {0xad, 0x9f, 0x61, 0xfe, 0xfa, 0x20, 0xce, 0x63}; u_char AUT0[EVP_MAX_MD_SIZE]; int len, status = -1, i, fd = -1, ret; int sw = 0, cla = 0x00; @@ -413,14 +496,13 @@ sc_put_key(Key *prv, const char *id) COPY_RSA_KEY(dmp1, 4); COPY_RSA_KEY(n, 5); len = BN_num_bytes(prv->rsa->n); - fd = sectok_friendly_open(sc_reader_id, STONOWAIT, &sw); + fd = sectok_friendly_open(id, STONOWAIT, &sw); if (fd < 0) { error("sectok_open failed: %s", sectok_get_sw(sw)); goto done; } if (! sectok_cardpresent(fd)) { - error("smartcard in reader %s not present", - sc_reader_id); + error("smartcard in reader %s not present", id); goto done; } ret = sectok_reset(fd, 0, NULL, &sw); @@ -436,10 +518,12 @@ sc_put_key(Key *prv, const char *id) if (cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) { if (get_AUT0(AUT0) < 0 || cyberflex_verify_AUT0(fd, cla, AUT0, sizeof(DEFAUT0)) < 0) { - error("cyberflex_verify_AUT0 failed"); + memset(AUT0, 0, sizeof(DEFAUT0)); + error("smartcard passphrase incorrect"); goto done; } } + memset(AUT0, 0, sizeof(DEFAUT0)); key_fid[0] = 0x00; key_fid[1] = 0x12; if (cyberflex_load_rsa_priv(fd, cla, key_fid, 5, 8*len, elements, @@ -449,7 +533,7 @@ sc_put_key(Key *prv, const char *id) } if (!sectok_swOK(sw)) goto done; - log("cyberflex_load_rsa_priv done"); + logit("cyberflex_load_rsa_priv done"); key_fid[0] = 0x73; key_fid[1] = 0x68; if (cyberflex_load_rsa_pub(fd, cla, key_fid, len, elements[5], @@ -459,7 +543,7 @@ sc_put_key(Key *prv, const char *id) } if (!sectok_swOK(sw)) goto done; - log("cyberflex_load_rsa_pub done"); + logit("cyberflex_load_rsa_pub done"); status = 0; done: @@ -477,4 +561,11 @@ done: sectok_close(fd); return (status); } -#endif /* SMARTCARD */ + +char * +sc_get_key_label(Key *key) +{ + return xstrdup("smartcard key"); +} + +#endif /* SMARTCARD && USE_SECTOK */