authormarkus <markus@openbsd.org>2001-06-26 20:14:10 +0000
committermarkus <markus@openbsd.org>2001-06-26 20:14:10 +0000
commit477b4babd1b41419bfd349aa200918e3d2563a79 (patch)
treef5f6d63cdaeccdcccc260ffdc430dc600531ef6d
parentregen (diff)
add smartcard support to the client, too (now you can use both
the agent and the client).
-rw-r--r--usr.bin/ssh/key.c3
-rw-r--r--usr.bin/ssh/key.h9
-rw-r--r--usr.bin/ssh/scard.c8
-rw-r--r--usr.bin/ssh/ssh.c49
-rw-r--r--usr.bin/ssh/ssh/Makefile4
-rw-r--r--usr.bin/ssh/sshconnect1.c35
-rw-r--r--usr.bin/ssh/sshconnect2.c7
7 files changed, 86 insertions, 29 deletions
diff --git a/usr.bin/ssh/key.c b/usr.bin/ssh/key.c
index 2000c2755b5..0ddd3d9d476 100644
--- a/usr.bin/ssh/key.c
+++ b/usr.bin/ssh/key.c
@@ -32,7 +32,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.28 2001/06/25 08:25:37 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.29 2001/06/26 20:14:10 markus Exp $");
#include <openssl/evp.h>
@@ -54,6 +54,7 @@ key_new(int type)
DSA *dsa;
k = xmalloc(sizeof(*k));
k->type = type;
+ k->flags = 0;
k->dsa = NULL;
k->rsa = NULL;
switch (k->type) {
diff --git a/usr.bin/ssh/key.h b/usr.bin/ssh/key.h
index 562834c9895..2b4fbce046f 100644
--- a/usr.bin/ssh/key.h
+++ b/usr.bin/ssh/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.15 2001/06/26 17:27:23 markus Exp $ */
+/* $OpenBSD: key.h,v 1.16 2001/06/26 20:14:10 markus Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -44,8 +44,13 @@ enum fp_rep {
SSH_FP_HEX,
SSH_FP_BUBBLEBABBLE
};
+
+/* key is stored in external hardware */
+#define KEY_FLAG_EXT 0x0001
+
struct Key {
- int type;
+ int type;
+ int flags;
RSA *rsa;
DSA *dsa;
};
diff --git a/usr.bin/ssh/scard.c b/usr.bin/ssh/scard.c
index 1e09fc14c77..9078789ed9d 100644
--- a/usr.bin/ssh/scard.c
+++ b/usr.bin/ssh/scard.c
@@ -24,7 +24,7 @@
#ifdef SMARTCARD
#include "includes.h"
-RCSID("$OpenBSD: scard.c,v 1.2 2001/06/26 06:32:59 itojun Exp $");
+RCSID("$OpenBSD: scard.c,v 1.3 2001/06/26 20:14:10 markus Exp $");
#include <openssl/engine.h>
#include <sectok.h>
@@ -162,7 +162,7 @@ sc_read_pubkey(Key * k)
return rv;
}
len = (buf[0] << 8) | buf[1];
- error("len %d r1 %d r2 %d", len, r1, r2);
+ debug("INS_GET_KEYLENGTH: len %d r1 %d r2 %d", len, r1, r2);
len /= 8;
/* get n */
@@ -171,7 +171,7 @@ sc_read_pubkey(Key * k)
error("could not obtain public key");
return rv;
}
- debug("len %d r1 %d r2 %d", len, r1, r2);
+ debug("INS_GET_PUBKEY: len %d r1 %d r2 %d", len, r1, r2);
BN_bin2bn(buf, len, k->rsa->n);
/* currently the java applet just stores 'n' */
@@ -240,7 +240,7 @@ sc_private_encrypt(int flen, unsigned char *from,
if (padding != RSA_PKCS1_PADDING)
goto err;
- error("sc_private_encrypt called");
+ debug("sc_private_encrypt called");
num = BN_num_bytes(rsa->n);
padded = xmalloc(num);
i = RSA_padding_add_PKCS1_type_1(padded, num, from, flen);
diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c
index c6f32ccf3a6..1b7c639bd40 100644
--- a/usr.bin/ssh/ssh.c
+++ b/usr.bin/ssh/ssh.c
@@ -39,7 +39,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.126 2001/06/23 15:12:21 itojun Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.127 2001/06/26 20:14:11 markus Exp $");
#include <openssl/evp.h>
#include <openssl/err.h>
@@ -69,6 +69,11 @@ RCSID("$OpenBSD: ssh.c,v 1.126 2001/06/23 15:12:21 itojun Exp $");
#include "mac.h"
#include "sshtty.h"
+#ifdef SMARTCARD
+#include <openssl/engine.h>
+#include "scard.h"
+#endif
+
extern char *__progname;
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
@@ -138,6 +143,11 @@ Buffer command;
/* Should we execute a command or invoke a subsystem? */
int subsystem_flag = 0;
+#ifdef SMARTCARD
+/* Smartcard reader id */
+int sc_reader_num = -1;
+#endif
+
/* Prints a help message to the user. This function never returns. */
static void
@@ -307,7 +317,7 @@ main(int ac, char **av)
opt = av[optind][1];
if (!opt)
usage();
- if (strchr("eilcmpbLRDo", opt)) { /* options with arguments */
+ if (strchr("eilcmpbILRDo", opt)) { /* options with arguments */
optarg = av[optind] + 2;
if (strcmp(optarg, "") == 0) {
if (optind >= ac - 1)
@@ -374,6 +384,13 @@ main(int ac, char **av)
SSH_MAX_IDENTITY_FILES);
options.identity_files[options.num_identity_files++] = xstrdup(optarg);
break;
+ case 'I':
+#ifdef SMARTCARD
+ sc_reader_num = atoi(optarg);
+#else
+ fprintf(stderr, "no support for smartcards.\n");
+#endif
+ break;
case 't':
if (tty_flag)
force_tty_flag = 1;
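Review bot: The new `case 'I'` parses the reader number with `atoi(optarg)`, which returns 0 for non-numeric input and reports neither overflow nor trailing garbage, so a mistyped argument silently selects reader 0; parse with `strtol` and an end-pointer check and call `usage()` when the argument is not a plain non-negative integer. The `#else` branch prints "no support for smartcards." but then reaches `break` and the client carries on without the identity the user asked for, so a `fatal()`/`exit(1)` there would be more honest than a warning. main() starts and ends outside the hunk.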
@@ -1119,4 +1136,32 @@ load_public_identity_files(void)
options.identity_files[i] = filename;
options.identity_keys[i] = public;
}
+#ifdef SMARTCARD
+ if (sc_reader_num != -1 &&
+ options.num_identity_files + 1 < SSH_MAX_IDENTITY_FILES &&
+ (public = sc_get_key(sc_reader_num)) != NULL ) {
+ Key *new;
+
+ /* XXX ssh1 vs ssh2 */
+ new = key_new(KEY_RSA);
+ new->flags = KEY_FLAG_EXT;
+ BN_copy(new->rsa->n, public->rsa->n);
+ BN_copy(new->rsa->e, public->rsa->e);
+ RSA_set_method(new->rsa, sc_get_engine());
+ i = options.num_identity_files++;
+ options.identity_keys[i] = new;
+ options.identity_files[i] = xstrdup("smartcard rsa key");;
+
+ new = key_new(KEY_RSA1);
+ new->flags = KEY_FLAG_EXT;
+ BN_copy(new->rsa->n, public->rsa->n);
+ BN_copy(new->rsa->e, public->rsa->e);
+ RSA_set_method(new->rsa, sc_get_engine());
+ i = options.num_identity_files++;
+ options.identity_keys[i] = new;
+ options.identity_files[i] = xstrdup("smartcard rsa1 key");;
+
+ key_free(public);
+ }
+#endif
}
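Review bot: When `-I` was given but `sc_get_key()` returns NULL, or the two extra identity slots would exceed SSH_MAX_IDENTITY_FILES, the smartcard identity is dropped silently because all three conditions are folded into one `if`; splitting them so the failure path can report, e.g. `else if (sc_reader_num != -1) error("could not load smartcard key from reader %d", sc_reader_num);`, would make a misconfigured reader visible instead of falling back to file keys with no diagnostic. The lines `xstrdup("smartcard rsa key");;` and `xstrdup("smartcard rsa1 key");;` carry a stray second semicolon. The RSA and RSA1 blocks differ only in key type and label and could be one small static helper taking `(type, name)`. load_public_identity_files starts outside the hunk.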
diff --git a/usr.bin/ssh/ssh/Makefile b/usr.bin/ssh/ssh/Makefile
index 21170eb5c12..86e008f9079 100644
--- a/usr.bin/ssh/ssh/Makefile
+++ b/usr.bin/ssh/ssh/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.32 2001/06/26 17:52:41 dugsong Exp $
+# $OpenBSD: Makefile,v 1.33 2001/06/26 20:14:12 markus Exp $
.PATH: ${.CURDIR}/..
@@ -38,3 +38,5 @@ DPADD+= ${LIBKRB5} ${LIBASN1}
LDADD+= -lcrypto -lz
DPADD+= ${LIBCRYPTO} ${LIBZ}
+
+#LDADD+= -lsectok
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 09203d71496..166fdc17fe8 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.37 2001/06/26 16:15:24 dugsong Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.38 2001/06/26 20:14:11 markus Exp $");
#include <openssl/bn.h>
#include <openssl/evp.h>
@@ -205,20 +205,17 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
* the user using it.
*/
static int
-try_rsa_authentication(const char *authfile)
+try_rsa_authentication(int idx)
{
BIGNUM *challenge;
Key *public, *private;
- char buf[300], *passphrase, *comment;
+ char buf[300], *passphrase, *comment, *authfile;
int i, type, quit, plen, clen;
- /* Try to load identification for the authentication key. */
- /* XXKEYLOAD */
- public = key_load_public_type(KEY_RSA1, authfile, &comment);
- if (public == NULL) {
- /* Could not load it. Fail. */
- return 0;
- }
+ public = options.identity_keys[idx];
+ authfile = options.identity_files[idx];
+ comment = xstrdup(authfile);
+
debug("Trying RSA authentication with key '%.100s'", comment);
/* Tell the server that we are willing to authenticate using this key. */
@@ -227,9 +224,6 @@ try_rsa_authentication(const char *authfile)
packet_send();
packet_write_wait();
- /* We no longer need the public key. */
- key_free(public);
-
/* Wait for server's response. */
type = packet_read(&plen);
@@ -255,10 +249,14 @@ try_rsa_authentication(const char *authfile)
debug("Received RSA challenge from server.");
/*
- * Load the private key. Try first with empty passphrase; if it
+ * If the key is not stored in external hardware, we have to
+ * load the private key. Try first with empty passphrase; if it
* fails, ask for a passphrase.
*/
- private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
+ if (public->flags && KEY_FLAG_EXT)
+ private = public;
+ else
+ private = key_load_private_type(KEY_RSA1, authfile, "", NULL);
if (private == NULL && !options.batch_mode) {
snprintf(buf, sizeof(buf),
"Enter passphrase for RSA key '%.100s': ", comment);
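Review bot: `if (public->flags && KEY_FLAG_EXT)` uses logical `&&` where a bit test is intended; because KEY_FLAG_EXT is nonzero the condition is true for any nonzero `flags`, which happens to coincide today because KEY_FLAG_EXT is the only flag defined, but it will misclassify a file-backed key as hardware-backed as soon as another flag bit is added. The same function tests the flag correctly further down with `private->flags & KEY_FLAG_EXT`, so this line should read `if (public->flags & KEY_FLAG_EXT)`. try_rsa_authentication starts and ends outside the hunk.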
@@ -302,8 +300,9 @@ try_rsa_authentication(const char *authfile)
/* Compute and send a response to the challenge. */
respond_to_rsa_challenge(challenge, private->rsa);
- /* Destroy the private key. */
- key_free(private);
+ /* Destroy the private key unless it in external hardware. */
+ if (!(private->flags & KEY_FLAG_EXT))
+ key_free(private);
/* We no longer need the challenge. */
BN_clear_free(challenge);
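Review bot: The new comment `/* Destroy the private key unless it in external hardware. */` is missing a verb and does not say why freeing is skipped; suggest `/* Destroy the private key unless it lives in external hardware: then private == public, which is owned by options.identity_keys. */`, which matches the assignments `public = options.identity_keys[idx]` and `private = public` earlier in this function.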
@@ -1218,7 +1217,7 @@ ssh_userauth1(const char *local_user, const char *server_user, char *host,
for (i = 0; i < options.num_identity_files; i++)
if (options.identity_keys[i] != NULL &&
options.identity_keys[i]->type == KEY_RSA1 &&
- try_rsa_authentication(options.identity_files[i]))
+ try_rsa_authentication(i))
goto success;
}
/* Try challenge response authentication if the server supports it. */
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 258ee483463..2e2452801c6 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.79 2001/06/25 20:26:37 stevesk Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.80 2001/06/26 20:14:11 markus Exp $");
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -640,6 +640,11 @@ identity_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, int *lenp,
idx = authctxt->last_key_hint;
if (idx < 0)
return -1;
+
+ /* private key is stored in external hardware */
+ if (options.identity_keys[idx]->flags & KEY_FLAG_EXT)
+ return key_sign(options.identity_keys[idx], sigp, lenp, data, datalen);
+
private = load_identity_file(options.identity_files[idx]);
if (private == NULL)
return -1;
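Review bot: `options.identity_keys[idx]->flags` is dereferenced without a NULL check, while the ssh.c hunk in this commit stores whatever the public-key load returned into `options.identity_keys[i]` and the ssh1 loop in sshconnect1.c explicitly guards with `options.identity_keys[i] != NULL`. Unless the caller that sets `last_key_hint` already excludes NULL entries (not visible here), the new condition should be `if (options.identity_keys[idx] != NULL && (options.identity_keys[idx]->flags & KEY_FLAG_EXT))`. identity_sign_cb starts and ends outside the hunk.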