conditionalise ECDSA PKCS#11 support
Require EC_KEY_METHOD support in libcrypto, as evidenced by the presence of the EC_KEY_METHOD_new() function.
This commit is contained in:
parent
fcb1b09371
commit
e2cb445d78
|
@ -2973,6 +2973,7 @@ if test "x$openssl" = "xyes" ; then
|
||||||
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
|
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
|
||||||
test x$enable_nistp521 = x1; then
|
test x$enable_nistp521 = x1; then
|
||||||
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
|
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
|
||||||
|
AC_CHECK_FUNCS([EC_KEY_METHOD_new])
|
||||||
fi
|
fi
|
||||||
if test x$enable_nistp256 = x1; then
|
if test x$enable_nistp256 = x1; then
|
||||||
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
|
AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
|
||||||
|
|
|
@ -163,6 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_EC_KEY_METHOD_NEW
|
||||||
static ECDSA_SIG *
|
static ECDSA_SIG *
|
||||||
ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
|
ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
|
||||||
const BIGNUM *rp, EC_KEY *ec)
|
const BIGNUM *rp, EC_KEY *ec)
|
||||||
|
@ -219,9 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
|
||||||
sshbuf_free(msg);
|
sshbuf_free(msg);
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
#endif /* HAVE_EC_KEY_METHOD_NEW */
|
||||||
|
|
||||||
static RSA_METHOD *helper_rsa;
|
static RSA_METHOD *helper_rsa;
|
||||||
|
#ifdef HAVE_EC_KEY_METHOD_NEW
|
||||||
static EC_KEY_METHOD *helper_ecdsa;
|
static EC_KEY_METHOD *helper_ecdsa;
|
||||||
|
#endif /* HAVE_EC_KEY_METHOD_NEW */
|
||||||
|
|
||||||
/* redirect private key crypto operations to the ssh-pkcs11-helper */
|
/* redirect private key crypto operations to the ssh-pkcs11-helper */
|
||||||
static void
|
static void
|
||||||
|
@ -229,8 +233,10 @@ wrap_key(struct sshkey *k)
|
||||||
{
|
{
|
||||||
if (k->type == KEY_RSA)
|
if (k->type == KEY_RSA)
|
||||||
RSA_set_method(k->rsa, helper_rsa);
|
RSA_set_method(k->rsa, helper_rsa);
|
||||||
|
#ifdef HAVE_EC_KEY_METHOD_NEW
|
||||||
else if (k->type == KEY_ECDSA)
|
else if (k->type == KEY_ECDSA)
|
||||||
EC_KEY_set_method(k->ecdsa, helper_ecdsa);
|
EC_KEY_set_method(k->ecdsa, helper_ecdsa);
|
||||||
|
#endif /* HAVE_EC_KEY_METHOD_NEW */
|
||||||
else
|
else
|
||||||
fatal("%s: unknown key type", __func__);
|
fatal("%s: unknown key type", __func__);
|
||||||
}
|
}
|
||||||
|
@ -238,9 +244,10 @@ wrap_key(struct sshkey *k)
|
||||||
static int
|
static int
|
||||||
pkcs11_start_helper_methods(void)
|
pkcs11_start_helper_methods(void)
|
||||||
{
|
{
|
||||||
if (helper_ecdsa != NULL)
|
if (helper_rsa != NULL)
|
||||||
return (0);
|
return (0);
|
||||||
|
|
||||||
|
#ifdef HAVE_EC_KEY_METHOD_NEW
|
||||||
int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
|
int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
|
||||||
unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
|
unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
|
||||||
if (helper_ecdsa != NULL)
|
if (helper_ecdsa != NULL)
|
||||||
|
@ -250,6 +257,7 @@ pkcs11_start_helper_methods(void)
|
||||||
return (-1);
|
return (-1);
|
||||||
EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
|
EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
|
||||||
EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
|
EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
|
||||||
|
#endif /* HAVE_EC_KEY_METHOD_NEW */
|
||||||
|
|
||||||
if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
|
if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
|
||||||
fatal("%s: RSA_meth_dup failed", __func__);
|
fatal("%s: RSA_meth_dup failed", __func__);
|
||||||
|
|
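--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -409,6 +409,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
 return (0);
 }
 
+#ifdef HAVE_EC_KEY_METHOD_NEW
 /* openssl callback doing the actual signing operation */
 static ECDSA_SIG *
 ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
@@ -512,6 +513,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
 
 return (0);
 }
+#endif /* HAVE_EC_KEY_METHOD_NEW */
 
 /* remove trailing spaces */
 static void
@@ -582,6 +584,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
 return (0);
 }
 
+#ifdef HAVE_EC_KEY_METHOD_NEW
 static struct sshkey *
 pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 CK_OBJECT_HANDLE *obj)
@@ -704,6 +707,7 @@ fail:
 
 return (key);
 }
+#endif /* HAVE_EC_KEY_METHOD_NEW */
 
 static struct sshkey *
 pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -808,7 +812,9 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 EC_KEY *ec = NULL;
 struct sshkey *key = NULL;
 int i;
+#ifdef HAVE_EC_KEY_METHOD_NEW
 int nid;
+#endif
 const u_char *cp;
 
 memset(&cert_attr, 0, sizeof(cert_attr));
@@ -890,6 +896,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 key->type = KEY_RSA;
 key->flags |= SSHKEY_FLAG_EXT;
 rsa = NULL; /* now owned by key */
+#ifdef HAVE_EC_KEY_METHOD_NEW
 } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
 if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
 error("invalid x509; no ec key");
@@ -920,6 +927,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
 key->type = KEY_ECDSA;
 key->flags |= SSHKEY_FLAG_EXT;
 ec = NULL; /* now owned by key */
+#endif /* HAVE_EC_KEY_METHOD_NEW */
 } else
 error("unknown certificate key type");
 
@@ -1103,9 +1111,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
 case CKK_RSA:
 key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
 break;
+#ifdef HAVE_EC_KEY_METHOD_NEW
 case CKK_ECDSA:
 key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
 break;
+#endif /* HAVE_EC_KEY_METHOD_NEW */
 default:
 /* XXX print key type? */
 error("skipping unsupported key type");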
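Review bot: In the pkcs11_fetch_x509_pubkey hunk, `EC_KEY *ec = NULL;` stays unconditional while `int nid;` moves under `#ifdef HAVE_EC_KEY_METHOD_NEW`, and the only write to `ec` visible in these hunks (`ec = NULL; /* now owned by key */`) is now compiled out, so a libcrypto without EC_KEY_METHOD_new() will most likely see `ec` as an unused variable — or, if the cleanup path outside the hunk still frees it, a reference whose only guarded writer is gone. If nothing outside the hunk touches it, move `EC_KEY *ec = NULL;` below the `#ifdef HAVE_EC_KEY_METHOD_NEW` that now guards `int nid;`; otherwise put that other use under the same guard. Note that with the EC branch compiled out, an X.509 object carrying an EC key now falls through to `error("unknown certificate key type");`, which is reasonable but worth a one-line comment on the `#endif`. Minor style point: that `#endif` after `int nid;` is the only one in the commit without the `/* HAVE_EC_KEY_METHOD_NEW */` trailer. The function starts and ends outside the hunk.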