- markus@cvs.openbsd.org 2002/03/25 17:34:27

[scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
     change sc_get_key to sc_get_keys and hide smartcard details in scard.c

ChangeLog

@@ -28,6 +28,9 @@
    - markus@cvs.openbsd.org 2002/03/25 09:25:06
      [auth-rh-rsa.c]
      rm bogus comment
+   - markus@cvs.openbsd.org 2002/03/25 17:34:27
+     [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
+     change sc_get_key to sc_get_keys and hide smartcard details in scard.c
 
 20020324
  - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@@ -8042,4 +8045,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1986 2002/03/26 03:08:47 mouring Exp $
+$Id: ChangeLog,v 1.1987 2002/03/26 03:17:42 mouring Exp $

scard.c

@@ -24,9 +24,8 @@
 
 #include "includes.h"
 #ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
+RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $");
 
-#include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <sectok.h>
 
@@ -36,13 +35,17 @@ RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
 #include "readpass.h"
 #include "scard.h"
 
-#ifdef OPENSSL_VERSION_NUMBER
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-#define RSA_get_default_openssl_method RSA_get_default_method
-#define DSA_get_default_openssl_method DSA_get_default_method
-#define DH_get_default_openssl_method DH_get_default_method
-#define ENGINE_set_BN_mod_exp(x,y)
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#define USE_ENGINE
+#define RSA_get_default_method RSA_get_default_openssl_method
+#else
 #endif
+
+#ifdef USE_ENGINE
+#include <openssl/engine.h>
+#define sc_get_rsa sc_get_engine
+#else
+#define sc_get_rsa sc_get_rsa_method
 #endif
 
 #define CLA_SSH 0x05
@@ -143,8 +146,7 @@ sc_read_pubkey(Key * k)
 	n = NULL;
 
 	if (sc_fd < 0) {
-		status = sc_init();
-		if (status < 0 )
+		if (sc_init() < 0)
 			goto err;
 	}
 
@@ -317,18 +319,13 @@ sc_finish(RSA *rsa)
 	return 1;
 }
 
-
 /* engine for overloading private key operations */
 
-static ENGINE *smart_engine = NULL;
-static RSA_METHOD smart_rsa;
-
-ENGINE *
-sc_get_engine(void)
+static RSA_METHOD *
+sc_get_rsa_method(void)
 {
-	const RSA_METHOD *def;
-
-	def = RSA_get_default_openssl_method();
+	static RSA_METHOD smart_rsa;
+	const RSA_METHOD *def = RSA_get_default_method();
 
 	/* use the OpenSSL version */
 	memcpy(&smart_rsa, def, sizeof(smart_rsa));
@@ -343,13 +340,22 @@ sc_get_engine(void)
 	orig_finish		= def->finish;
 	smart_rsa.finish	= sc_finish;
 
+	return &smart_rsa;
+}
+
+#ifdef USE_ENGINE
+static ENGINE *
+sc_get_engine(void)
+{
+	static ENGINE *smart_engine = NULL;
+
 	if ((smart_engine = ENGINE_new()) == NULL)
 		fatal("ENGINE_new failed");
 
 	ENGINE_set_id(smart_engine, "sectok");
 	ENGINE_set_name(smart_engine, "libsectok");
 
-	ENGINE_set_RSA(smart_engine, &smart_rsa);
+	ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
 	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
 	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
 	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
@@ -357,6 +363,7 @@ sc_get_engine(void)
 
 	return smart_engine;
 }
+#endif
 
 void
 sc_close(void)
@@ -367,11 +374,11 @@ sc_close(void)
 	}
 }
 
-Key *
-sc_get_key(const char *id, const char *pin)
+Key **
+sc_get_keys(const char *id, const char *pin)
 {
-	Key *k;
-	int status;
+	Key *k, *n, **keys;
+	int status, nkeys = 2;
 
 	if (sc_reader_id != NULL)
 		xfree(sc_reader_id);
@@ -395,7 +402,26 @@ sc_get_key(const char *id, const char *pin)
 		key_free(k);
 		return NULL;
 	}
-	return k;
+	keys = xmalloc((nkeys+1) * sizeof(Key *));
+
+	n = key_new(KEY_RSA1);
+	BN_copy(n->rsa->n, k->rsa->n);
+	BN_copy(n->rsa->e, k->rsa->e);
+	RSA_set_method(n->rsa, sc_get_rsa());
+	n->flags |= KEY_FLAG_EXT;
+	keys[0] = n;
+
+	n = key_new(KEY_RSA);
+	BN_copy(n->rsa->n, k->rsa->n);
+	BN_copy(n->rsa->e, k->rsa->e);
+	RSA_set_method(n->rsa, sc_get_rsa());
+	n->flags |= KEY_FLAG_EXT;
+	keys[1] = n;
+
+	keys[2] = NULL;
+
+	key_free(k);
+	return keys;
 }
 
 #define NUM_RSA_KEY_ELEMENTS 5+1

scard.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $	*/
+/*	$OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -24,8 +24,6 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#include <openssl/engine.h>
-
 #ifndef SCARD_H
 #define SCARD_H
 
@@ -35,8 +33,7 @@
 #define SCARD_ERROR_NOCARD	-2
 #define SCARD_ERROR_APPLET	-3
 
-Key	*sc_get_key(const char*, const char*);
-ENGINE	*sc_get_engine(void);
+Key	**sc_get_keys(const char*, const char*);
 void	 sc_close(void);
 int	 sc_put_key(Key *, const char*);
 

ssh-agent.c

@@ -34,7 +34,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $");
 
 #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
 #include <sys/queue.h>
@@ -57,7 +57,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
 #include "log.h"
 
 #ifdef SMARTCARD
-#include <openssl/engine.h>
 #include "scard.h"
 #endif
 
@@ -452,50 +451,39 @@ send:
 static void
 process_add_smartcard_key (SocketEntry *e)
 {
+	Identity *id;
 	Idtab *tab;
-	Key *n = NULL, *k = NULL;
+	Key **keys, *k;
 	char *sc_reader_id = NULL, *pin;
-	int success = 0;
+	int i, version, success = 0;
 
 	sc_reader_id = buffer_get_string(&e->input, NULL);
 	pin = buffer_get_string(&e->input, NULL);
-	k = sc_get_key(sc_reader_id, pin);
+	keys = sc_get_keys(sc_reader_id, pin);
 	xfree(sc_reader_id);
 	xfree(pin);
 
-	if (k == NULL) {
-		error("sc_get_pubkey failed");
+	if (keys == NULL || keys[0] == NULL) {
+		error("sc_get_keys failed");
 		goto send;
 	}
-	success = 1;
-
-	tab = idtab_lookup(1);
-	k->type = KEY_RSA1;
-	if (lookup_identity(k, 1) == NULL) {
-		Identity *id = xmalloc(sizeof(Identity));
-		n = key_new(KEY_RSA1);
-		BN_copy(n->rsa->n, k->rsa->n);
-		BN_copy(n->rsa->e, k->rsa->e);
-		RSA_set_method(n->rsa, sc_get_engine());
-		id->key = n;
-		id->comment = xstrdup("rsa1 smartcard");
-		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-		tab->nentries++;
+	for (i = 0; keys[i] != NULL; i++) {
+		k = keys[i];
+		version = k->type == KEY_RSA1 ? 1 : 2;
+		tab = idtab_lookup(version);
+		if (lookup_identity(k, version) == NULL) {
+			id = xmalloc(sizeof(Identity));
+			id->key = k;
+			id->comment = xstrdup("smartcard key");
+			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+			tab->nentries++;
+			success = 1;
+		} else {
+			key_free(k);
+		}
+		keys[i] = NULL;
 	}
-	k->type = KEY_RSA;
-	tab = idtab_lookup(2);
-	if (lookup_identity(k, 2) == NULL) {
-		Identity *id = xmalloc(sizeof(Identity));
-		n = key_new(KEY_RSA);
-		BN_copy(n->rsa->n, k->rsa->n);
-		BN_copy(n->rsa->e, k->rsa->e);
-		RSA_set_method(n->rsa, sc_get_engine());
-		id->key = n;
-		id->comment = xstrdup("rsa smartcard");
-		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-		tab->nentries++;
-	}
-	key_free(k);
+	xfree(keys);
 send:
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
@@ -505,41 +493,37 @@ send:
 static void
 process_remove_smartcard_key(SocketEntry *e)
 {
-	Key *k = NULL;
-	int success = 0;
+	Identity *id;
+	Idtab *tab;
+	Key **keys, *k = NULL;
 	char *sc_reader_id = NULL, *pin;
+	int i, version, success = 0;
 
 	sc_reader_id = buffer_get_string(&e->input, NULL);
 	pin = buffer_get_string(&e->input, NULL);
-	k = sc_get_key(sc_reader_id, pin);
+	keys = sc_get_keys(sc_reader_id, pin);
 	xfree(sc_reader_id);
 	xfree(pin);
 
-	if (k == NULL) {
-		error("sc_get_pubkey failed");
-	} else {
-		Identity *id;
-		k->type = KEY_RSA1;
-		id = lookup_identity(k, 1);
-		if (id != NULL) {
-			Idtab *tab = idtab_lookup(1);
-			TAILQ_REMOVE(&tab->idlist, id, next);
-			free_identity(id);
+	if (keys == NULL || keys[0] == NULL) {
+		error("sc_get_keys failed");
+		goto send;
+	}
+	for (i = 0; keys[i] != NULL; i++) {
+		k = keys[i];
+		version = k->type == KEY_RSA1 ? 1 : 2;
+		if ((id = lookup_identity(k, version)) != NULL) {
+			tab = idtab_lookup(version);
+                        TAILQ_REMOVE(&tab->idlist, id, next);
 			tab->nentries--;
-			success = 1;
-		}
-		k->type = KEY_RSA;
-		id = lookup_identity(k, 2);
-		if (id != NULL) {
-			Idtab *tab = idtab_lookup(2);
-			TAILQ_REMOVE(&tab->idlist, id, next);
 			free_identity(id);
-			tab->nentries--;
 			success = 1;
 		}
 		key_free(k);
+		keys[i] = NULL;
 	}
-
+	xfree(keys);
+send:
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
 	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);

ssh-keygen.c

@@ -12,7 +12,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -416,14 +416,18 @@ do_upload(struct passwd *pw, const char *sc_reader_id)
 static void
 do_download(struct passwd *pw, const char *sc_reader_id)
 {
-	Key *pub = NULL;
+	Key **keys = NULL;
+	int i;
 
-	pub = sc_get_key(sc_reader_id, NULL);
-	if (pub == NULL)
+	keys = sc_get_keys(sc_reader_id, NULL);
+	if (keys == NULL)
 		fatal("cannot read public key from smartcard");
-	key_write(pub, stdout);
-	key_free(pub);
-	fprintf(stdout, "\n");
+	for (i = 0; keys[i]; i++) {
+		key_write(keys[i], stdout);
+		key_free(keys[i]);
+		fprintf(stdout, "\n");
+	}
+	xfree(keys);
 	exit(0);
 }
 #endif /* SMARTCARD */

ssh.c

@@ -39,7 +39,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -70,7 +70,6 @@ RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
 #include "sshtty.h"
 
 #ifdef SMARTCARD
-#include <openssl/engine.h>
 #include "scard.h"
 #endif
 
@@ -1187,40 +1186,29 @@ static void
 load_public_identity_files(void)
 {
 	char *filename;
-	Key *public;
 	int i = 0;
-
+	Key *public;
 #ifdef SMARTCARD
+	Key **keys;
+
 	if (options.smartcard_device != NULL &&
-	    options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES &&
-	    (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) {
-		Key *new;
-
-		if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES)
-			options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2;
-		memmove(&options.identity_files[2], &options.identity_files[0],
-		    sizeof(char *) * options.num_identity_files);
-		options.num_identity_files += 2;
-		i = 2;
-
-		/* XXX ssh1 vs ssh2 */
-		new = key_new(KEY_RSA);
-		new->flags = KEY_FLAG_EXT;
-		BN_copy(new->rsa->n, public->rsa->n);
-		BN_copy(new->rsa->e, public->rsa->e);
-		RSA_set_method(new->rsa, sc_get_engine());
-		options.identity_keys[0] = new;
-		options.identity_files[0] = xstrdup("smartcard rsa key");;
-
-		new = key_new(KEY_RSA1);
-		new->flags = KEY_FLAG_EXT;
-		BN_copy(new->rsa->n, public->rsa->n);
-		BN_copy(new->rsa->e, public->rsa->e);
-		RSA_set_method(new->rsa, sc_get_engine());
-		options.identity_keys[1] = new;
-		options.identity_files[1] = xstrdup("smartcard rsa1 key");
-
-		key_free(public);
+	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
+		int count = 0;
+		for (i = 0; keys[i] != NULL; i++) {
+			count++;
+			if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES)
+				options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1;
+			memmove(&options.identity_files[1], &options.identity_files[0],
+			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
+			memmove(&options.identity_keys[1], &options.identity_keys[0],
+			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
+			options.num_identity_files++;
+			options.identity_keys[0] = keys[i];
+			options.identity_files[0] = xstrdup("smartcard key");;
+		}
+		i = count;
+		xfree(keys);
 	}
 #endif /* SMARTCARD */
 	for (; i < options.num_identity_files; i++) {