tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

conditionalise ECDSA PKCS#11 support 

Require EC_KEY_METHOD support in libcrypto, evidenced by presence
of EC_KEY_METHOD_new() function.
This commit is contained in:
Damien Miller 2019-01-21 11:32:28 +11:00
parent fcb1b09371
commit e2cb445d78
3 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
configure.ac
View File

@ -2973,6 +2973,7 @@ if test "x$openssl" = "xyes" ; then
if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
test x$enable_nistp521 = x1; then test x$enable_nistp521 = x1; then
AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
AC_CHECK_FUNCS([EC_KEY_METHOD_new])
fi fi
if test x$enable_nistp256 = x1; then if test x$enable_nistp256 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP256], [1], AC_DEFINE([OPENSSL_HAS_NISTP256], [1],

10
ssh-pkcs11-client.c
View File

@ -163,6 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
return (ret); return (ret);
} }
#ifdef HAVE_EC_KEY_METHOD_NEW
static ECDSA_SIG * static ECDSA_SIG *
ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
const BIGNUM *rp, EC_KEY *ec) const BIGNUM *rp, EC_KEY *ec)
@ -219,9 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
sshbuf_free(msg); sshbuf_free(msg);
return (ret); return (ret);
} }
#endif /* HAVE_EC_KEY_METHOD_NEW */
static RSA_METHOD *helper_rsa; static RSA_METHOD *helper_rsa;
#ifdef HAVE_EC_KEY_METHOD_NEW
static EC_KEY_METHOD *helper_ecdsa; static EC_KEY_METHOD *helper_ecdsa;
#endif /* HAVE_EC_KEY_METHOD_NEW */
/* redirect private key crypto operations to the ssh-pkcs11-helper */ /* redirect private key crypto operations to the ssh-pkcs11-helper */
static void static void
@ -229,8 +233,10 @@ wrap_key(struct sshkey *k)
{ {
if (k->type == KEY_RSA) if (k->type == KEY_RSA)
RSA_set_method(k->rsa, helper_rsa); RSA_set_method(k->rsa, helper_rsa);
#ifdef HAVE_EC_KEY_METHOD_NEW
else if (k->type == KEY_ECDSA) else if (k->type == KEY_ECDSA)
EC_KEY_set_method(k->ecdsa, helper_ecdsa); EC_KEY_set_method(k->ecdsa, helper_ecdsa);
#endif /* HAVE_EC_KEY_METHOD_NEW */
else else
fatal("%s: unknown key type", __func__); fatal("%s: unknown key type", __func__);
} }
@ -238,9 +244,10 @@ wrap_key(struct sshkey *k)
static int static int
pkcs11_start_helper_methods(void) pkcs11_start_helper_methods(void)
{ {
if (helper_ecdsa != NULL) if (helper_rsa != NULL)
return (0); return (0);
#ifdef HAVE_EC_KEY_METHOD_NEW
int (*orig_sign)(int, const unsigned char *, int, unsigned char *, int (*orig_sign)(int, const unsigned char *, int, unsigned char *,
unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL;
if (helper_ecdsa != NULL) if (helper_ecdsa != NULL)
@ -250,6 +257,7 @@ pkcs11_start_helper_methods(void)
return (-1); return (-1);
EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL);
EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign);
#endif /* HAVE_EC_KEY_METHOD_NEW */
if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL)
fatal("%s: RSA_meth_dup failed", __func__); fatal("%s: RSA_meth_dup failed", __func__);

10
ssh-pkcs11.c
View File

@ -409,6 +409,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
return (0); return (0);
} }
#ifdef HAVE_EC_KEY_METHOD_NEW
/* openssl callback doing the actual signing operation */ /* openssl callback doing the actual signing operation */
static ECDSA_SIG * static ECDSA_SIG *
ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
@ -512,6 +513,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
return (0); return (0);
} }
#endif /* HAVE_EC_KEY_METHOD_NEW */
/* remove trailing spaces */ /* remove trailing spaces */
static void static void
@ -582,6 +584,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key)
return (0); return (0);
} }
#ifdef HAVE_EC_KEY_METHOD_NEW
static struct sshkey * static struct sshkey *
pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_OBJECT_HANDLE *obj) CK_OBJECT_HANDLE *obj)
@ -704,6 +707,7 @@ fail:
return (key); return (key);
} }
#endif /* HAVE_EC_KEY_METHOD_NEW */
static struct sshkey * static struct sshkey *
pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@ -808,7 +812,9 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
EC_KEY *ec = NULL; EC_KEY *ec = NULL;
struct sshkey *key = NULL; struct sshkey *key = NULL;
int i; int i;
#ifdef HAVE_EC_KEY_METHOD_NEW
int nid; int nid;
#endif
const u_char *cp; const u_char *cp;
memset(&cert_attr, 0, sizeof(cert_attr)); memset(&cert_attr, 0, sizeof(cert_attr));
@ -890,6 +896,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
key->type = KEY_RSA; key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT; key->flags |= SSHKEY_FLAG_EXT;
rsa = NULL; /* now owned by key */ rsa = NULL; /* now owned by key */
#ifdef HAVE_EC_KEY_METHOD_NEW
} else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) {
if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { if (EVP_PKEY_get0_EC_KEY(evp) == NULL) {
error("invalid x509; no ec key"); error("invalid x509; no ec key");
@ -920,6 +927,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
key->type = KEY_ECDSA; key->type = KEY_ECDSA;
key->flags |= SSHKEY_FLAG_EXT; key->flags |= SSHKEY_FLAG_EXT;
ec = NULL; /* now owned by key */ ec = NULL; /* now owned by key */
#endif /* HAVE_EC_KEY_METHOD_NEW */
} else } else
error("unknown certificate key type"); error("unknown certificate key type");
@ -1103,9 +1111,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
case CKK_RSA: case CKK_RSA:
key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj);
break; break;
#ifdef HAVE_EC_KEY_METHOD_NEW
case CKK_ECDSA: case CKK_ECDSA:
key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj);
break; break;
#endif /* HAVE_EC_KEY_METHOD_NEW */
default: default:
/* XXX print key type? */ /* XXX print key type? */
error("skipping unsupported key type"); error("skipping unsupported key type");