- markus@cvs.openbsd.org 2002/03/25 17:34:27

[scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c] change sc_get_key to sc_get_keys and hide smartcard details in scard.c
2002-03-26 03:17:42 +00:00 · 2002-03-26 03:17:42 +00:00 · 0936a5bb72
parent 5facb2bbc4
commit 0936a5bb72
6 changed files with 130 additions and 128 deletions
--- a/5
+++ b/5
@ -28,6 +28,9 @@
   - markus@cvs.openbsd.org 2002/03/25 09:25:06
     [auth-rh-rsa.c]
     rm bogus comment
   - markus@cvs.openbsd.org 2002/03/25 17:34:27
     [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c]
     change sc_get_key to sc_get_keys and hide smartcard details in scard.c
 20020324
 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@ -8042,4 +8045,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
-$Id: ChangeLog,v 1.1986 2002/03/26 03:08:47 mouring Exp $
+$Id: ChangeLog,v 1.1987 2002/03/26 03:17:42 mouring Exp $
--- a/scard.c
+++ b/scard.c
@ -24,9 +24,8 @@
 #include "includes.h"
 #ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
+RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $");
 #include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <sectok.h>
@ -36,13 +35,17 @@ RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
 #include "readpass.h"
 #include "scard.h"
-#ifdef OPENSSL_VERSION_NUMBER
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+#define USE_ENGINE
-#define RSA_get_default_openssl_method RSA_get_default_method
+#define RSA_get_default_method RSA_get_default_openssl_method
-#define DSA_get_default_openssl_method DSA_get_default_method
+#else
 #define DH_get_default_openssl_method DH_get_default_method
 #define ENGINE_set_BN_mod_exp(x,y)
 #endif
 #ifdef USE_ENGINE
 #include <openssl/engine.h>
 #define sc_get_rsa sc_get_engine
 #else
 #define sc_get_rsa sc_get_rsa_method
 #endif
 #define CLA_SSH 0x05
@ -143,8 +146,7 @@ sc_read_pubkey(Key * k)
 	n = NULL;
 	if (sc_fd < 0) {
-		status = sc_init();
+		if (sc_init() < 0)
 		if (status < 0 )
 			goto err;
 	}
@ -317,18 +319,13 @@ sc_finish(RSA *rsa)
 	return 1;
 }
 /* engine for overloading private key operations */
-static ENGINE *smart_engine = NULL;
+static RSA_METHOD *
-static RSA_METHOD smart_rsa;
+sc_get_rsa_method(void)
 ENGINE *
 sc_get_engine(void)
 {
-	const RSA_METHOD *def;
+	static RSA_METHOD smart_rsa;
-
+	const RSA_METHOD *def = RSA_get_default_method();
 	def = RSA_get_default_openssl_method();
 	/* use the OpenSSL version */
 	memcpy(&smart_rsa, def, sizeof(smart_rsa));
@ -343,13 +340,22 @@ sc_get_engine(void)
 	orig_finish		= def->finish;
 	smart_rsa.finish	= sc_finish;
 	return &smart_rsa;
 }
 #ifdef USE_ENGINE
 static ENGINE *
 sc_get_engine(void)
 {
 	static ENGINE *smart_engine = NULL;
 	if ((smart_engine = ENGINE_new()) == NULL)
 		fatal("ENGINE_new failed");
 	ENGINE_set_id(smart_engine, "sectok");
 	ENGINE_set_name(smart_engine, "libsectok");
-	ENGINE_set_RSA(smart_engine, &smart_rsa);
+	ENGINE_set_RSA(smart_engine, sc_get_rsa_method());
 	ENGINE_set_DSA(smart_engine, DSA_get_default_openssl_method());
 	ENGINE_set_DH(smart_engine, DH_get_default_openssl_method());
 	ENGINE_set_RAND(smart_engine, RAND_SSLeay());
@ -357,6 +363,7 @@ sc_get_engine(void)
 	return smart_engine;
 }
 #endif
 void
 sc_close(void)
@ -367,11 +374,11 @@ sc_close(void)
 	}
 }
-Key *
+Key **
-sc_get_key(const char *id, const char *pin)
+sc_get_keys(const char *id, const char *pin)
 {
-	Key *k;
+	Key *k, *n, **keys;
-	int status;
+	int status, nkeys = 2;
 	if (sc_reader_id != NULL)
 		xfree(sc_reader_id);
@ -395,7 +402,26 @@ sc_get_key(const char *id, const char *pin)
 		key_free(k);
 		return NULL;
 	}
-	return k;
+	keys = xmalloc((nkeys+1) * sizeof(Key *));
 	n = key_new(KEY_RSA1);
 	BN_copy(n->rsa->n, k->rsa->n);
 	BN_copy(n->rsa->e, k->rsa->e);
 	RSA_set_method(n->rsa, sc_get_rsa());
 	n->flags |= KEY_FLAG_EXT;
 	keys[0] = n;
 	n = key_new(KEY_RSA);
 	BN_copy(n->rsa->n, k->rsa->n);
 	BN_copy(n->rsa->e, k->rsa->e);
 	RSA_set_method(n->rsa, sc_get_rsa());
 	n->flags |= KEY_FLAG_EXT;
 	keys[1] = n;
 	keys[2] = NULL;
 	key_free(k);
 	return keys;
 }
 #define NUM_RSA_KEY_ELEMENTS 5+1
--- a/scard.h
+++ b/scard.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: scard.h,v 1.9 2002/03/21 21:54:34 rees Exp $	*/
+/*	$OpenBSD: scard.h,v 1.10 2002/03/25 17:34:27 markus Exp $	*/
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@ -24,8 +24,6 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include <openssl/engine.h>
 #ifndef SCARD_H
 #define SCARD_H
@ -35,8 +33,7 @@
 #define SCARD_ERROR_NOCARD	-2
 #define SCARD_ERROR_APPLET	-3
-Key	*sc_get_key(const char*, const char*);
+Key	**sc_get_keys(const char*, const char*);
 ENGINE	*sc_get_engine(void);
 void	 sc_close(void);
 int	 sc_put_key(Key *, const char*);
--- a/ssh-agent.c
+++ b/ssh-agent.c
@ -34,7 +34,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.84 2002/03/25 17:34:27 markus Exp $");
 #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
 #include <sys/queue.h>
@ -57,7 +57,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.83 2002/03/21 22:44:05 rees Exp $");
 #include "log.h"
 #ifdef SMARTCARD
 #include <openssl/engine.h>
 #include "scard.h"
 #endif
@ -452,50 +451,39 @@ send:
 static void
 process_add_smartcard_key (SocketEntry *e)
 {
 	Identity *id;
 	Idtab *tab;
-	Key *n = NULL, *k = NULL;
+	Key **keys, *k;
 	char *sc_reader_id = NULL, *pin;
-	int success = 0;
+	int i, version, success = 0;
 	sc_reader_id = buffer_get_string(&e->input, NULL);
 	pin = buffer_get_string(&e->input, NULL);
-	k = sc_get_key(sc_reader_id, pin);
+	keys = sc_get_keys(sc_reader_id, pin);
 	xfree(sc_reader_id);
 	xfree(pin);
-	if (k == NULL) {
+	if (keys == NULL || keys[0] == NULL) {
-		error("sc_get_pubkey failed");
+		error("sc_get_keys failed");
 		goto send;
 	}
 	for (i = 0; keys[i] != NULL; i++) {
 		k = keys[i];
 		version = k->type == KEY_RSA1 ? 1 : 2;
 		tab = idtab_lookup(version);
 		if (lookup_identity(k, version) == NULL) {
 			id = xmalloc(sizeof(Identity));
 			id->key = k;
 			id->comment = xstrdup("smartcard key");
 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 			tab->nentries++;
 			success = 1;
-
+		} else {
 	tab = idtab_lookup(1);
 	k->type = KEY_RSA1;
 	if (lookup_identity(k, 1) == NULL) {
 		Identity *id = xmalloc(sizeof(Identity));
 		n = key_new(KEY_RSA1);
 		BN_copy(n->rsa->n, k->rsa->n);
 		BN_copy(n->rsa->e, k->rsa->e);
 		RSA_set_method(n->rsa, sc_get_engine());
 		id->key = n;
 		id->comment = xstrdup("rsa1 smartcard");
 		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 		tab->nentries++;
 	}
 	k->type = KEY_RSA;
 	tab = idtab_lookup(2);
 	if (lookup_identity(k, 2) == NULL) {
 		Identity *id = xmalloc(sizeof(Identity));
 		n = key_new(KEY_RSA);
 		BN_copy(n->rsa->n, k->rsa->n);
 		BN_copy(n->rsa->e, k->rsa->e);
 		RSA_set_method(n->rsa, sc_get_engine());
 		id->key = n;
 		id->comment = xstrdup("rsa smartcard");
 		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 		tab->nentries++;
 	}
 			key_free(k);
 		}
 		keys[i] = NULL;
 	}
 	xfree(keys);
 send:
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
@ -505,41 +493,37 @@ send:
 static void
 process_remove_smartcard_key(SocketEntry *e)
 {
-	Key *k = NULL;
+	Identity *id;
-	int success = 0;
+	Idtab *tab;
 	Key **keys, *k = NULL;
 	char *sc_reader_id = NULL, *pin;
 	int i, version, success = 0;
 	sc_reader_id = buffer_get_string(&e->input, NULL);
 	pin = buffer_get_string(&e->input, NULL);
-	k = sc_get_key(sc_reader_id, pin);
+	keys = sc_get_keys(sc_reader_id, pin);
 	xfree(sc_reader_id);
 	xfree(pin);
-	if (k == NULL) {
+	if (keys == NULL || keys[0] == NULL) {
-		error("sc_get_pubkey failed");
+		error("sc_get_keys failed");
-	} else {
+		goto send;
 		Identity *id;
 		k->type = KEY_RSA1;
 		id = lookup_identity(k, 1);
 		if (id != NULL) {
 			Idtab *tab = idtab_lookup(1);
 			TAILQ_REMOVE(&tab->idlist, id, next);
 			free_identity(id);
 			tab->nentries--;
 			success = 1;
 	}
-		k->type = KEY_RSA;
+	for (i = 0; keys[i] != NULL; i++) {
-		id = lookup_identity(k, 2);
+		k = keys[i];
-		if (id != NULL) {
+		version = k->type == KEY_RSA1 ? 1 : 2;
-			Idtab *tab = idtab_lookup(2);
+		if ((id = lookup_identity(k, version)) != NULL) {
 			tab = idtab_lookup(version);
                        TAILQ_REMOVE(&tab->idlist, id, next);
 			free_identity(id);
 			tab->nentries--;
 			free_identity(id);
 			success = 1;
 		}
 		key_free(k);
 		keys[i] = NULL;
 	}
-
+	xfree(keys);
 send:
 	buffer_put_int(&e->output, 1);
 	buffer_put_char(&e->output,
 	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.96 2002/03/21 21:54:34 rees Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.97 2002/03/25 17:34:27 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@ -416,14 +416,18 @@ do_upload(struct passwd *pw, const char *sc_reader_id)
 static void
 do_download(struct passwd *pw, const char *sc_reader_id)
 {
-	Key *pub = NULL;
+	Key **keys = NULL;
 	int i;
-	pub = sc_get_key(sc_reader_id, NULL);
+	keys = sc_get_keys(sc_reader_id, NULL);
-	if (pub == NULL)
+	if (keys == NULL)
 		fatal("cannot read public key from smartcard");
-	key_write(pub, stdout);
+	for (i = 0; keys[i]; i++) {
-	key_free(pub);
+		key_write(keys[i], stdout);
 		key_free(keys[i]);
 		fprintf(stdout, "\n");
 	}
 	xfree(keys);
 	exit(0);
 }
 #endif /* SMARTCARD */
--- a/ssh.c
+++ b/ssh.c
@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.167 2002/03/25 17:34:27 markus Exp $");
 #include <openssl/evp.h>
 #include <openssl/err.h>
@ -70,7 +70,6 @@ RCSID("$OpenBSD: ssh.c,v 1.166 2002/03/21 22:44:05 rees Exp $");
 #include "sshtty.h"
 #ifdef SMARTCARD
 #include <openssl/engine.h>
 #include "scard.h"
 #endif
@ -1187,40 +1186,29 @@ static void
 load_public_identity_files(void)
 {
 	char *filename;
 	Key *public;
 	int i = 0;
-
+	Key *public;
 #ifdef SMARTCARD
 	Key **keys;
 	if (options.smartcard_device != NULL &&
-	    options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES &&
+	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
-	    (public = sc_get_key(options.smartcard_device, NULL)) != NULL ) {
+	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
-		Key *new;
+		int count = 0;
-
+		for (i = 0; keys[i] != NULL; i++) {
-		if (options.num_identity_files + 2 > SSH_MAX_IDENTITY_FILES)
+			count++;
-			options.num_identity_files = SSH_MAX_IDENTITY_FILES - 2;
+			if (options.num_identity_files + 1 > SSH_MAX_IDENTITY_FILES)
-		memmove(&options.identity_files[2], &options.identity_files[0],
+				options.num_identity_files = SSH_MAX_IDENTITY_FILES - 1;
-		    sizeof(char *) * options.num_identity_files);
+			memmove(&options.identity_files[1], &options.identity_files[0],
-		options.num_identity_files += 2;
+			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
-		i = 2;
+			memmove(&options.identity_keys[1], &options.identity_keys[0],
-
+			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
-		/* XXX ssh1 vs ssh2 */
+			options.num_identity_files++;
-		new = key_new(KEY_RSA);
+			options.identity_keys[0] = keys[i];
-		new->flags = KEY_FLAG_EXT;
+			options.identity_files[0] = xstrdup("smartcard key");;
-		BN_copy(new->rsa->n, public->rsa->n);
+		}
-		BN_copy(new->rsa->e, public->rsa->e);
+		i = count;
-		RSA_set_method(new->rsa, sc_get_engine());
+		xfree(keys);
 		options.identity_keys[0] = new;
 		options.identity_files[0] = xstrdup("smartcard rsa key");;
 		new = key_new(KEY_RSA1);
 		new->flags = KEY_FLAG_EXT;
 		BN_copy(new->rsa->n, public->rsa->n);
 		BN_copy(new->rsa->e, public->rsa->e);
 		RSA_set_method(new->rsa, sc_get_engine());
 		options.identity_keys[1] = new;
 		options.identity_files[1] = xstrdup("smartcard rsa1 key");
 		key_free(public);
 	}
 #endif /* SMARTCARD */
 	for (; i < options.num_identity_files; i++) {