tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

sync ssh-keysign, ssh-keygen and some dependencies to the
 new buffer/key API; mostly mechanical, ok markus@
This commit is contained in:
djm@openbsd.org 2015-01-15 09:40:00 +00:00 committed by Damien Miller
parent e4ebf55864
commit 1129dcfc5a
13 changed files with 591 additions and 491 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
dns.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */
/* $OpenBSD: dns.c,v 1.33 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -38,7 +38,8 @@
#include <stdlib.h>
#include "xmalloc.h"
#include "key.h"
#include "sshkey.h"
#include "ssherr.h"
#include "dns.h"
#include "log.h"
#include "digest.h"
@ -78,9 +79,9 @@ dns_result_totext(unsigned int res)
*/
static int
dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
u_char **digest, u_int *digest_len, Key *key)
u_char **digest, size_t *digest_len, struct sshkey *key)
{
int success = 0;
int r, success = 0;
int fp_alg = -1;
switch (key->type) {
@ -121,9 +122,10 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
}
if (*algorithm && *digest_type) {
*digest = key_fingerprint_raw(key, fp_alg, digest_len);
if (*digest == NULL)
fatal("dns_read_key: null from key_fingerprint_raw()");
if ((r = sshkey_fingerprint_raw(key, fp_alg, digest,
digest_len)) != 0)
fatal("%s: sshkey_fingerprint_raw: %s", __func__,
ssh_err(r));
success = 1;
} else {
*digest = NULL;
@ -139,7 +141,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
*/
static int
dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
u_char **digest, u_int *digest_len, u_char *rdata, int rdata_len)
u_char **digest, size_t *digest_len, u_char *rdata, int rdata_len)
{
int success = 0;
@ -200,7 +202,7 @@ is_numeric_hostname(const char *hostname)
*/
int
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Key *hostkey, int *flags)
struct sshkey *hostkey, int *flags)
{
u_int counter;
int result;
@ -209,12 +211,12 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
u_int8_t hostkey_algorithm;
u_int8_t hostkey_digest_type = SSHFP_HASH_RESERVED;
u_char *hostkey_digest;
u_int hostkey_digest_len;
size_t hostkey_digest_len;
u_int8_t dnskey_algorithm;
u_int8_t dnskey_digest_type;
u_char *dnskey_digest;
u_int dnskey_digest_len;
size_t dnskey_digest_len;
*flags = 0;
@ -310,13 +312,13 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
* Export the fingerprint of a key as a DNS resource record
*/
int
export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
{
u_int8_t rdata_pubkey_algorithm = 0;
u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
u_int8_t dtype;
u_char *rdata_digest;
u_int i, rdata_digest_len;
size_t i, rdata_digest_len;
int success = 0;
for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
@ -324,7 +326,7 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic)
if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
&rdata_digest, &rdata_digest_len, key)) {
if (generic) {
fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ",
fprintf(f, "%s IN TYPE%d \\# %zu %02x %02x ",
hostname, DNS_RDATATYPE_SSHFP,
2 + rdata_digest_len,
rdata_pubkey_algorithm, rdata_digest_type);

7
dns.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: dns.h,v 1.13 2014/04/20 09:24:26 logan Exp $ */
/* $OpenBSD: dns.h,v 1.14 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -50,7 +50,8 @@ enum sshfp_hashes {
#define DNS_VERIFY_MATCH 0x00000002
#define DNS_VERIFY_SECURE 0x00000004
int verify_host_key_dns(const char *, struct sockaddr *, Key *, int *);
int export_dns_rr(const char *, Key *, FILE *, int);
int verify_host_key_dns(const char *, struct sockaddr *,
struct sshkey *, int *);
int export_dns_rr(const char *, struct sshkey *, FILE *, int);
#endif /* DNS_H */

74
hostfile.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: hostfile.c,v 1.58 2014/10/20 03:43:01 djm Exp $ */
/* $OpenBSD: hostfile.c,v 1.59 2015/01/15 09:40:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -51,10 +51,11 @@
#include "xmalloc.h"
#include "match.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "log.h"
#include "misc.h"
#include "ssherr.h"
#include "digest.h"
#include "hmac.h"
@ -155,15 +156,16 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
*/
int
hostfile_read_key(char **cpp, int *bitsp, Key *ret)
hostfile_read_key(char **cpp, u_int *bitsp, struct sshkey *ret)
{
char *cp;
int r;
/* Skip leading whitespace. */
for (cp = *cpp; *cp == ' ' || *cp == '\t'; cp++)
;
if (key_read(ret, &cp) != 1)
if ((r = sshkey_read(ret, &cp)) != 0)
return 0;
/* Skip trailing whitespace. */
@ -172,15 +174,13 @@ hostfile_read_key(char **cpp, int *bitsp, Key *ret)
/* Return results. */
*cpp = cp;
if (bitsp != NULL) {
if ((*bitsp = key_size(ret)) <= 0)
return 0;
}
if (bitsp != NULL)
*bitsp = sshkey_size(ret);
return 1;
}
static int
hostfile_check_key(int bits, const Key *key, const char *host,
hostfile_check_key(int bits, const struct sshkey *key, const char *host,
const char *filename, u_long linenum)
{
#ifdef WITH_SSH1
@ -249,8 +249,8 @@ load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
u_long linenum = 0, num_loaded = 0;
char *cp, *cp2, *hashed_host;
HostkeyMarker marker;
Key *key;
int kbits;
struct sshkey *key;
u_int kbits;
if ((f = fopen(path, "r")) == NULL)
return;
@ -296,13 +296,19 @@ load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
* Extract the key from the line. This will skip any leading
* whitespace. Ignore badly formatted lines.
*/
key = key_new(KEY_UNSPEC);
if ((key = sshkey_new(KEY_UNSPEC)) == NULL) {
error("%s: sshkey_new failed", __func__);
break;
}
if (!hostfile_read_key(&cp, &kbits, key)) {
key_free(key);
sshkey_free(key);
#ifdef WITH_SSH1
key = key_new(KEY_RSA1);
if ((key = sshkey_new(KEY_RSA1)) == NULL) {
error("%s: sshkey_new failed", __func__);
break;
}
if (!hostfile_read_key(&cp, &kbits, key)) {
key_free(key);
sshkey_free(key);
continue;
}
#else
@ -315,7 +321,7 @@ load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
debug3("%s: found %skey type %s in file %s:%lu", __func__,
marker == MRK_NONE ? "" :
(marker == MRK_CA ? "ca " : "revoked "),
key_type(key), path, linenum);
sshkey_type(key), path, linenum);
hostkeys->entries = xrealloc(hostkeys->entries,
hostkeys->num_entries + 1, sizeof(*hostkeys->entries));
hostkeys->entries[hostkeys->num_entries].host = xstrdup(host);
@ -339,7 +345,7 @@ free_hostkeys(struct hostkeys *hostkeys)
for (i = 0; i < hostkeys->num_entries; i++) {
free(hostkeys->entries[i].host);
free(hostkeys->entries[i].file);
key_free(hostkeys->entries[i].key);
sshkey_free(hostkeys->entries[i].key);
explicit_bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
}
free(hostkeys->entries);
@ -348,18 +354,18 @@ free_hostkeys(struct hostkeys *hostkeys)
}
static int
check_key_not_revoked(struct hostkeys *hostkeys, Key *k)
check_key_not_revoked(struct hostkeys *hostkeys, struct sshkey *k)
{
int is_cert = key_is_cert(k);
int is_cert = sshkey_is_cert(k);
u_int i;
for (i = 0; i < hostkeys->num_entries; i++) {
if (hostkeys->entries[i].marker != MRK_REVOKE)
continue;
if (key_equal_public(k, hostkeys->entries[i].key))
if (sshkey_equal_public(k, hostkeys->entries[i].key))
return -1;
if (is_cert &&
key_equal_public(k->cert->signature_key,
sshkey_equal_public(k->cert->signature_key,
hostkeys->entries[i].key))
return -1;
}
@ -383,11 +389,11 @@ check_key_not_revoked(struct hostkeys *hostkeys, Key *k)
*/
static HostStatus
check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
Key *k, int keytype, const struct hostkey_entry **found)
struct sshkey *k, int keytype, const struct hostkey_entry **found)
{
u_int i;
HostStatus end_return = HOST_NEW;
int want_cert = key_is_cert(k);
int want_cert = sshkey_is_cert(k);
HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE;
int proto = (k ? k->type : keytype) == KEY_RSA1 ? 1 : 2;
@ -411,7 +417,7 @@ check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
break;
}
if (want_cert) {
if (key_equal_public(k->cert->signature_key,
if (sshkey_equal_public(k->cert->signature_key,
hostkeys->entries[i].key)) {
/* A matching CA exists */
end_return = HOST_OK;
@ -420,7 +426,7 @@ check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
break;
}
} else {
if (key_equal(k, hostkeys->entries[i].key)) {
if (sshkey_equal(k, hostkeys->entries[i].key)) {
end_return = HOST_OK;
if (found != NULL)
*found = hostkeys->entries + i;
@ -441,7 +447,7 @@ check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
}
HostStatus
check_key_in_hostkeys(struct hostkeys *hostkeys, Key *key,
check_key_in_hostkeys(struct hostkeys *hostkeys, struct sshkey *key,
const struct hostkey_entry **found)
{
if (key == NULL)
@ -463,11 +469,11 @@ lookup_key_in_hostkeys_by_type(struct hostkeys *hostkeys, int keytype,
*/
int
add_host_to_hostfile(const char *filename, const char *host, const Key *key,
int store_hash)
add_host_to_hostfile(const char *filename, const char *host,
const struct sshkey *key, int store_hash)
{
FILE *f;
int success = 0;
int r, success = 0;
char *hashed_host = NULL;
if (key == NULL)
@ -485,12 +491,12 @@ add_host_to_hostfile(const char *filename, const char *host, const Key *key,
}
fprintf(f, "%s ", store_hash ? hashed_host : host);
if (key_write(key, f)) {
if ((r = sshkey_write(key, f)) != 0) {
error("%s: saving key in %s failed: %s",
__func__, filename, ssh_err(r));
} else
success = 1;
} else {
error("add_host_to_hostfile: saving key in %s failed", filename);
}
fprintf(f, "\n");
fputs("\n", f);
fclose(f);
return success;
}

11
hostfile.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: hostfile.h,v 1.20 2013/07/12 00:19:58 djm Exp $ */
/* $OpenBSD: hostfile.h,v 1.21 2015/01/15 09:40:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -26,7 +26,7 @@ struct hostkey_entry {
char *host;
char *file;
u_long line;
Key *key;
struct sshkey *key;
HostkeyMarker marker;
};
struct hostkeys;
@ -35,13 +35,14 @@ struct hostkeys *init_hostkeys(void);
void load_hostkeys(struct hostkeys *, const char *, const char *);
void free_hostkeys(struct hostkeys *);
HostStatus check_key_in_hostkeys(struct hostkeys *, Key *,
HostStatus check_key_in_hostkeys(struct hostkeys *, struct sshkey *,
const struct hostkey_entry **);
int lookup_key_in_hostkeys_by_type(struct hostkeys *, int,
const struct hostkey_entry **);
int hostfile_read_key(char **, int *, Key *);
int add_host_to_hostfile(const char *, const char *, const Key *, int);
int hostfile_read_key(char **, u_int *, struct sshkey *);
int add_host_to_hostfile(const char *, const char *,
const struct sshkey *, int);
#define HASH_MAGIC "|1|"
#define HASH_DELIM '|'

4
kex.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kex.h,v 1.65 2015/01/13 19:31:40 markus Exp $ */
/* $OpenBSD: kex.h,v 1.66 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@ -27,6 +27,8 @@
#define KEX_H
#include "mac.h"
#include "buffer.h" /* XXX for typedef */
#include "key.h" /* XXX for typedef */
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <openssl/ec.h>

25
msg.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: msg.c,v 1.15 2006/08/03 03:34:42 deraadt Exp $ */
/* $OpenBSD: msg.c,v 1.16 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@ -34,17 +34,18 @@
#include <unistd.h>
#include <stdarg.h>
#include "buffer.h"
#include "sshbuf.h"
#include "ssherr.h"
#include "log.h"
#include "atomicio.h"
#include "msg.h"
#include "misc.h"
int
ssh_msg_send(int fd, u_char type, Buffer *m)
ssh_msg_send(int fd, u_char type, struct sshbuf *m)
{
u_char buf[5];
u_int mlen = buffer_len(m);
u_int mlen = sshbuf_len(m);
debug3("ssh_msg_send: type %u", (unsigned int)type & 0xff);
@ -54,7 +55,7 @@ ssh_msg_send(int fd, u_char type, Buffer *m)
error("ssh_msg_send: write");
return (-1);
}
if (atomicio(vwrite, fd, buffer_ptr(m), mlen) != mlen) {
if (atomicio(vwrite, fd, (u_char *)sshbuf_ptr(m), mlen) != mlen) {
error("ssh_msg_send: write");
return (-1);
}
@ -62,10 +63,11 @@ ssh_msg_send(int fd, u_char type, Buffer *m)
}
int
ssh_msg_recv(int fd, Buffer *m)
ssh_msg_recv(int fd, struct sshbuf *m)
{
u_char buf[4];
u_char buf[4], *p;
u_int msg_len;
int r;
debug3("ssh_msg_recv entering");
@ -79,9 +81,12 @@ ssh_msg_recv(int fd, Buffer *m)
error("ssh_msg_recv: read: bad msg_len %u", msg_len);
return (-1);
}
buffer_clear(m);
buffer_append_space(m, msg_len);
if (atomicio(read, fd, buffer_ptr(m), msg_len) != msg_len) {
sshbuf_reset(m);
if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) {
error("%s: buffer error: %s", __func__, ssh_err(r));
return -1;
}
if (atomicio(read, fd, p, msg_len) != msg_len) {
error("ssh_msg_recv: read: %s", strerror(errno));
return (-1);
}

7
msg.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: msg.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
/* $OpenBSD: msg.h,v 1.5 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@ -25,7 +25,8 @@
#ifndef SSH_MSG_H
#define SSH_MSG_H
int ssh_msg_send(int, u_char, Buffer *);
int ssh_msg_recv(int, Buffer *);
struct sshbuf;
int ssh_msg_send(int, u_char, struct sshbuf *);
int ssh_msg_recv(int, struct sshbuf *);
#endif

5
readconf.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.c,v 1.226 2015/01/13 07:39:19 djm Exp $ */
/* $OpenBSD: readconf.c,v 1.227 2015/01/15 09:40:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -51,11 +51,10 @@
#include "cipher.h"
#include "pathnames.h"
#include "log.h"
#include "key.h"
#include "sshkey.h"
#include "misc.h"
#include "readconf.h"
#include "match.h"
#include "buffer.h"
#include "kex.h"
#include "mac.h"
#include "uidswap.h"

4
readconf.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: readconf.h,v 1.105 2014/12/21 22:27:56 djm Exp $ */
/* $OpenBSD: readconf.h,v 1.106 2015/01/15 09:40:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -93,7 +93,7 @@ typedef struct {
int num_identity_files; /* Number of files for RSA/DSA identities. */
char *identity_files[SSH_MAX_IDENTITY_FILES];
int identity_file_userprovided[SSH_MAX_IDENTITY_FILES];
Key *identity_keys[SSH_MAX_IDENTITY_FILES];
struct sshkey *identity_keys[SSH_MAX_IDENTITY_FILES];
/* Local TCP/IP forward requests. */
int num_local_forwards;

767
ssh-keygen.c
View File

File diff suppressed because it is too large Load Diff

120
ssh-keysign.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keysign.c,v 1.45 2015/01/08 10:14:08 djm Exp $ */
/* $OpenBSD: ssh-keysign.c,v 1.46 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2002 Markus Friedl. All rights reserved.
*
@ -43,11 +43,11 @@
#include "xmalloc.h"
#include "log.h"
#include "key.h"
#include "sshkey.h"
#include "ssh.h"
#include "ssh2.h"
#include "misc.h"
#include "buffer.h"
#include "sshbuf.h"
#include "authfile.h"
#include "msg.h"
#include "canohost.h"
@ -63,64 +63,73 @@ uid_t original_real_uid;
extern char *__progname;
static int
valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
u_int datalen)
valid_request(struct passwd *pw, char *host, struct sshkey **ret,
u_char *data, size_t datalen)
{
Buffer b;
Key *key = NULL;
u_char *pkblob;
u_int blen, len;
char *pkalg, *p;
int pktype, fail;
struct sshbuf *b;
struct sshkey *key = NULL;
u_char type, *pkblob;
char *p;
size_t blen, len;
char *pkalg, *luser;
int r, pktype, fail;
if (ret != NULL)
*ret = NULL;
fail = 0;
buffer_init(&b);
buffer_append(&b, data, datalen);
if ((b = sshbuf_from(data, datalen)) == NULL)
fatal("%s: sshbuf_from failed", __func__);
/* session id, currently limited to SHA1 (20 bytes) or SHA256 (32) */
p = buffer_get_string(&b, &len);
if ((r = sshbuf_get_string(b, NULL, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (len != 20 && len != 32)
fail++;
free(p);
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
if ((r = sshbuf_get_u8(b, &type)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (type != SSH2_MSG_USERAUTH_REQUEST)
fail++;
/* server user */
buffer_skip_string(&b);
if ((r = sshbuf_skip_string(b)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* service */
p = buffer_get_string(&b, NULL);
if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (strcmp("ssh-connection", p) != 0)
fail++;
free(p);
/* method */
p = buffer_get_string(&b, NULL);
if ((r = sshbuf_get_cstring(b, &p, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (strcmp("hostbased", p) != 0)
fail++;
free(p);
/* pubkey */
pkalg = buffer_get_string(&b, NULL);
pkblob = buffer_get_string(&b, &blen);
if ((r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 ||
(r = sshbuf_get_string(b, &pkblob, &blen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
pktype = key_type_from_name(pkalg);
pktype = sshkey_type_from_name(pkalg);
if (pktype == KEY_UNSPEC)
fail++;
else if ((key = key_from_blob(pkblob, blen)) == NULL)
else if ((r = sshkey_from_blob(pkblob, blen, &key)) != 0) {
error("%s: bad key blob: %s", __func__, ssh_err(r));
fail++;
else if (key->type != pktype)
} else if (key->type != pktype)
fail++;
free(pkalg);
free(pkblob);
/* client host name, handle trailing dot */
p = buffer_get_string(&b, &len);
debug2("valid_request: check expect chost %s got %s", host, p);
if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
debug2("%s: check expect chost %s got %s", __func__, host, p);
if (strlen(host) != len - 1)
fail++;
else if (p[len - 1] != '.')
@ -130,21 +139,22 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
free(p);
/* local user */
p = buffer_get_string(&b, NULL);
if ((r = sshbuf_get_cstring(b, &luser, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (strcmp(pw->pw_name, p) != 0)
if (strcmp(pw->pw_name, luser) != 0)
fail++;
free(p);
free(luser);
/* end of message */
if (buffer_len(&b) != 0)
if (sshbuf_len(b) != 0)
fail++;
buffer_free(&b);
sshbuf_free(b);
debug3("valid_request: fail %d", fail);
debug3("%s: fail %d", __func__, fail);
if (fail && key != NULL)
key_free(key);
sshkey_free(key);
else
*ret = key;
@ -154,15 +164,15 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data,
int
main(int argc, char **argv)
{
Buffer b;
struct sshbuf *b;
Options options;
#define NUM_KEYTYPES 4
Key *keys[NUM_KEYTYPES], *key = NULL;
struct sshkey *keys[NUM_KEYTYPES], *key = NULL;
struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data;
u_char *signature, *data, rver;
char *host, *fp;
u_int slen, dlen;
size_t slen, dlen;
#ifdef WITH_OPENSSL
u_int32_t rnd[256];
#endif
@ -232,18 +242,23 @@ main(int argc, char **argv)
if (!found)
fatal("no hostkey found");
buffer_init(&b);
if (ssh_msg_recv(STDIN_FILENO, &b) < 0)
if ((b = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if (ssh_msg_recv(STDIN_FILENO, b) < 0)
fatal("ssh_msg_recv failed");
if (buffer_get_char(&b) != version)
fatal("bad version");
fd = buffer_get_int(&b);
if ((fd == STDIN_FILENO) || (fd == STDOUT_FILENO))
if ((r = sshbuf_get_u8(b, &rver)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (rver != version)
fatal("bad version: received %d, expected %d", rver, version);
if ((r = sshbuf_get_u32(b, (u_int *)&fd)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (fd < 0 || fd == STDIN_FILENO || fd == STDOUT_FILENO)
fatal("bad fd");
if ((host = get_local_name(fd)) == NULL)
fatal("cannot get local name for fd");
data = buffer_get_string(&b, &dlen);
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (valid_request(pw, host, &key, data, dlen) < 0)
fatal("not a valid request");
free(host);
@ -251,26 +266,27 @@ main(int argc, char **argv)
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {
if (keys[i] != NULL &&
key_equal_public(key, keys[i])) {
sshkey_equal_public(key, keys[i])) {
found = 1;
break;
}
}
if (!found) {
fp = key_fingerprint(key, options.fingerprint_hash,
fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT);
fatal("no matching hostkey found for key %s %s",
key_type(key), fp);
sshkey_type(key), fp ? fp : "");
}
if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
fatal("key_sign failed");
if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, 0)) != 0)
fatal("sshkey_sign failed: %s", ssh_err(r));
free(data);
/* send reply */
buffer_clear(&b);
buffer_put_string(&b, signature, slen);
if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1)
sshbuf_reset(b);
if ((r = sshbuf_put_string(b, signature, slen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (ssh_msg_send(STDOUT_FILENO, version, b) == -1)
fatal("ssh_msg_send failed");
return (0);

24
ssh-pkcs11.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: ssh-pkcs11.c,v 1.15 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@ -38,7 +38,7 @@
#include "log.h"
#include "misc.h"
#include "key.h"
#include "sshkey.h"
#include "ssh-pkcs11.h"
#include "xmalloc.h"
@ -385,12 +385,12 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
* keysp points to an (possibly empty) array with *nkeys keys.
*/
static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,
CK_ATTRIBUTE [], CK_ATTRIBUTE [3], Key ***, int *)
CK_ATTRIBUTE [], CK_ATTRIBUTE [3], struct sshkey ***, int *)
__attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE))));
static int
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
Key ***keysp, int *nkeys)
struct sshkey ***keysp, int *nkeys)
{
CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY;
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
@ -422,12 +422,12 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
}
static int
pkcs11_key_included(Key ***keysp, int *nkeys, Key *key)
pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
{
int i;
for (i = 0; i < *nkeys; i++)
if (key_equal(key, (*keysp)[i]))
if (sshkey_equal(key, (*keysp)[i]))
return (1);
return (0);
}
@ -435,9 +435,9 @@ pkcs11_key_included(Key ***keysp, int *nkeys, Key *key)
static int
pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3],
Key ***keysp, int *nkeys)
struct sshkey ***keysp, int *nkeys)
{
Key *key;
struct sshkey *key;
RSA *rsa;
X509 *x509;
EVP_PKEY *evp;
@ -517,16 +517,16 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
}
if (rsa && rsa->n && rsa->e &&
pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
key = key_new(KEY_UNSPEC);
key = sshkey_new(KEY_UNSPEC);
key->rsa = rsa;
key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT;
if (pkcs11_key_included(keysp, nkeys, key)) {
key_free(key);
sshkey_free(key);
} else {
/* expand key array and add key */
*keysp = xrealloc(*keysp, *nkeys + 1,
sizeof(Key *));
sizeof(struct sshkey *));
(*keysp)[*nkeys] = key;
*nkeys = *nkeys + 1;
debug("have %d keys", *nkeys);
@ -544,7 +544,7 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
/* register a new provider, fails if provider already exists */
int
pkcs11_add_provider(char *provider_id, char *pin, Key ***keyp)
pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
{
int nkeys, need_finalize = 0;
struct pkcs11_provider *p = NULL;

4
ssh-pkcs11.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11.h,v 1.3 2014/04/29 18:01:49 markus Exp $ */
/* $OpenBSD: ssh-pkcs11.h,v 1.4 2015/01/15 09:40:00 djm Exp $ */
/*
* Copyright (c) 2010 Markus Friedl. All rights reserved.
*
@ -16,7 +16,7 @@
*/
int pkcs11_init(int);
void pkcs11_terminate(void);
int pkcs11_add_provider(char *, char *, Key ***);
int pkcs11_add_provider(char *, char *, struct sshkey ***);
int pkcs11_del_provider(char *);
#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)