overload key signing function for opensc tokens...
Danny De Cock
godot at ulyssis.org
Tue Apr 8 09:08:39 EST 2003
hi,
last year in november, I posted the diffs attached to this mail. the
diffs refer to openssh-3.5p1, and work well in combination with
openssl-0.9.7a, zlib-1.1.4, and the cvs-source for opensc. I have not yet
inspected the new openssh release, but I do not expect significant issues
when applying the same patches intelligently.
I changed scard.h, scard-opensc.c, sshconnect2.c, ssh-rsa.c and the
Makefile (which was produced by `./configure --with-opensc=/usr/local
--with-ssl-dir=/usr/local/ssl`), as you may see in the attachment.
the stuff works well given gemplus gpk 8k and gpk 16k cards. I have not
tested any other cards.
I do not claim that the changes I applied are clean (cfr. sshconnect2.c),
but they do what I expect them to do, and as far as I am concerned, the
patch can be considered stable.
in order not to interfere with the original openssh-3.5p1, all my changes
follow this structure:
#if defined(SMARTCARD) && defined(USE_OPENSC)
my code
#else
original code
#endif
feel free to produce comments, danny.
On Mon, 7 Apr 2003, Markus Friedl wrote:
> On Mon, Apr 07, 2003 at 12:25:12PM -0500, Kevin Stefanik wrote:
> > My best guess... openssl immediately uses the engine if RSA_FLAG_SIGN_VER flag
> > is set - it doesn't check if there is an engine defined. In this case, in
> > my debugging, rsa.engine is 0x0 and the ENGINE_get_RSA() called from
> > RSA_sign call doesn't verify it before referencing an element of the
> > structure, so it segfaults.
> >
> > Would a cleaner patch be to use the sc_get_engine() and assign an engine?
> > That doesn't seem to be happening in sc_read_pubkey at the moment. In fact,
> > I can't see that sc_get_engine is called anywhere. I'm currently using
> > 0.9.7a, so shouldn't USE_ENGINE be undefined? What if there's no USE_ENGINE?
> USE_ENGINE is for the 0.9.6-engine interface.
>
> in 0.9.7 the engine interface was removed.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
--
-----------------------------------------------------------------------------
To be intoxicated is to feel sophisticated but not be able to say it.
-----------------------------------------------------------------------------
Mail : Danny.DeCock at esat.kuleuven.ac.be
WWW : http://ace.ulyssis.org/~godot godot at advalvas.be
-------------- next part --------------
===================== scard.h =====================
--- scard.h Thu Nov 14 22:52:17 2002
+++ original/openssh-3.5p1/scard.h Thu Jul 4 02:14:18 2002
@@ -37,8 +37,4 @@
void sc_close(void);
int sc_put_key(Key *, const char *);
-#if defined(SMARTCARD) && defined(USE_OPENSC)
-int sc_sign(int type, u_char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-#endif
-
#endif
===================== scard-opensc.c =====================
--- scard-opensc.c Thu Nov 14 23:51:06 2002
+++ original/openssh-3.5p1/scard-opensc.c Tue Apr 23 14:48:46 2002
@@ -185,99 +185,10 @@
return -1;
}
-#if defined(SMARTCARD) && defined(USE_OPENSC)
-char *
-get_pin (struct sc_pkcs15_object *obj)
-{
- char buf[80];
- char *pincode;
- struct sc_pkcs15_pin_info *pinfo = (struct sc_pkcs15_pin_info *) obj->data;
-
- sprintf (buf, "Enter PIN [%s]: ", obj->label);
- while (1)
- {
- pincode = getpass (buf);
- if (strlen (pincode) == 0)
- return NULL;
- if (strlen (pincode) < pinfo->min_length ||
- strlen (pincode) > pinfo->stored_length)
- continue;
- return pincode;
- }
-}
-#endif
-
-int
+static int
sc_sign(int type, u_char *m, unsigned int m_len,
unsigned char *sigret, unsigned int *siglen, RSA *rsa)
{
-#if defined(SMARTCARD) && defined(USE_OPENSC)
- struct sc_pkcs15_object *key_obj;
- int r;
- struct sc_pkcs15_id id;
- struct sc_pkcs15_object *objs[32];
- struct sc_pkcs15_object *key;
- unsigned long flags = 0;
- char *pincode;
- struct sc_pkcs15_object *pin;
-
- r = sc_lock (card);
- if (r)
- {
- error ("Unable to lock smartcard: %s", sc_strerror (r));
- goto err;
- }
- r = sc_pkcs15_get_objects (p15card, SC_PKCS15_TYPE_PRKEY, objs, 32);
- if (r<0)
- {
- debug ("Unable to retrieve private keys: %s\n",
- sc_strerror (r));
- return -1;
- }
- key = objs[0];
- if (key->auth_id.len)
- {
- r = sc_pkcs15_find_pin_by_auth_id (p15card, &key->auth_id, &pin);
- if (r)
- {
- debug ("Unable to find PIN code for private key: %s\n",
- sc_strerror (r));
- return -1;
- }
- pincode = get_pin (pin);
- if (pincode == NULL)
- {
- return -1;
- }
- r =
- sc_pkcs15_verify_pin (p15card,
- (struct sc_pkcs15_pin_info *) pin->data,
- (const u8 *) pincode, strlen (pincode));
- if (r)
- {
- debug ("PIN code verification failed: %s\n",
- sc_strerror (r));
- return -1;
- }
- free (pincode);
- debug ("PIN code correct.\n");
- }
-// /* FIXME: check 'type' and modify flags accordingly */
- flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1;
- r = sc_pkcs15_compute_signature (p15card, key, flags,
- m, m_len, sigret, RSA_size (rsa));
- if (r < 0)
- {
- error ("sc_pkcs15_compute_signature() failed: %s", sc_strerror (r));
- goto err;
- }
- sc_unlock (card);
- *siglen = r;
- return 1;
-err:
- sc_close ();
- return 0;
-#else
struct sc_pkcs15_object *key_obj;
int r;
unsigned long flags = 0;
@@ -301,7 +212,6 @@
err:
sc_close();
return 0;
-#endif
}
static int
===================== sshconnect2.c =====================
--- sshconnect2.c Thu Nov 14 22:35:18 2002
+++ original/openssh-3.5p1/sshconnect2.c Thu Oct 3 07:45:55 2002
@@ -167,12 +167,6 @@
int *batch_flag; /* flag in option struct that disables method */
};
-#if defined(SMARTCARD) && defined(USE_OPENSC)
-static int
-key_sign_cb(Authctxt *authctxt, Key *key, u_char **sigp, u_int *lenp,
- u_char *data, u_int datalen);
-#endif
-
void input_userauth_success(int, u_int32_t, void *);
void input_userauth_failure(int, u_int32_t, void *);
void input_userauth_banner(int, u_int32_t, void *);
@@ -602,11 +596,7 @@
buffer_put_string(&b, blob, bloblen);
/* generate signature */
-#if defined(SMARTCARD) && defined(USE_OPENSC)
- ret = (key_sign_cb)(authctxt, k, &signature, &slen,
-#else
ret = (*sign_callback)(authctxt, k, &signature, &slen,
-#endif
buffer_ptr(&b), buffer_len(&b));
if (ret == -1) {
xfree(blob);
===================== ssh-rsa.c =====================
--- ssh-rsa.c Thu Nov 14 22:35:21 2002
+++ original/openssh-3.5p1/ssh-rsa.c Wed Sep 4 08:39:49 2002
@@ -37,10 +37,6 @@
#include "compat.h"
#include "ssh.h"
-#if defined(SMARTCARD) && defined(USE_OPENSC)
-#include "scard.h"
-#endif
-
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int , RSA *);
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
@@ -71,11 +67,7 @@
slen = RSA_size(key->rsa);
sig = xmalloc(slen);
-#if defined(SMARTCARD) && defined(USE_OPENSC)
- ok = sc_sign(nid, digest, dlen, sig, &len, key->rsa);
-#else
ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
-#endif
memset(digest, 'd', sizeof(digest));
if (ok != 1) {
===================== Makefile =====================
--- Makefile Thu Nov 14 22:35:17 2002
+++ original/openssh-3.5p1/Makefile Thu Nov 14 22:37:12 2002
@@ -62,8 +62,7 @@
LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o msg.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o scard-opensc.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o monitor_wrap.o monitor_fdpass.o
-#SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-SSHOBJS= scard-opensc.o ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
+SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
More information about the openssh-unix-dev
mailing list