overload key signing function for opensc tokens...
Kevin Stefanik
kstef at mtppi.org
Wed Apr 9 01:03:12 EST 2003
Thanks, Danny. I had used some of your code and I think alot of this made it
into the official version (at least it did the Mandrake sources) - I tried
patching a few days back, but it wasn't clean. But using your sc_sign
instead of RSA_sign eliminated the key specific overloading and effectively
_required_ hardware tokens instead of making them just possible. But it was
only needed due to a bug in openssl that's been fixed (untested) as of
today's CVS. Now, the sc_sign is put in the smartcard key's meth->
structure and called for signing.
The get_pin part of your code didn't seem to be in the official sources,
though, and I've had problems getting it to work. It seems to close the
STDIN_FILENO file handle and when ssh goes to open a session
(ssh_session2_open), the dup() fails. I've tried using the ssh
read_passphrase instead of get_pass, but the same thing happens.
Any idea what that would happen?
Cheers,
Kevin
On Monday 07 April 2003 07:08 pm, Danny De Cock wrote:
> hi,
>
> last year in november, I posted the diffs attached to this mail. the
> diffs refer to openssh-3.5p1, and work well in combination with
> openssl-0.9.7a, zlib-1.1.4, and the cvs-source for opensc. I have not yet
> inspected the new openssh release, but I do not expect significant issues
> when applying the same patches intelligently.
>
> I changed scard.h, scard-opensc.c, sshconnect2.c, ssh-rsa.c and the
> Makefile (which was produced by `./configure --with-opensc=/usr/local
> --with-ssl-dir=/usr/local/ssl`), as you may see in the attachment.
>
> the stuff works well given gemplus gpk 8k and gpk 16k cards. I have not
> tested any other cards.
>
> I do not claim that the changes I applied are clean (cfr. sshconnect2.c),
> but they do what I expect them to do, and as far as I am concerned, the
> patch can be considered stable.
>
> in order not to interfere with the original openssh-3.5p1, all my changes
> follow this structure:
>
> #if defined(SMARTCARD) && defined(USE_OPENSC)
> my code
> #else
> original code
> #endif
>
> feel free to produce comments, danny.
>
> On Mon, 7 Apr 2003, Markus Friedl wrote:
> > On Mon, Apr 07, 2003 at 12:25:12PM -0500, Kevin Stefanik wrote:
> > > My best guess... openssl immediately uses the engine if
> > > RSA_FLAG_SIGN_VER flag is set - it doesn't check if there is an engine
> > > defined. In this case, in my debugging, rsa.engine is 0x0 and the
> > > ENGINE_get_RSA() called from RSA_sign call doesn't verify it before
> > > referencing an element of the structure, so it segfaults.
> > >
> > > Would a cleaner patch be to use the sc_get_engine() and assign an
> > > engine? That doesn't seem to be happening in sc_read_pubkey at the
> > > moment. In fact, I can't see that sc_get_engine is called anywhere.
> > > I'm currently using 0.9.7a, so shouldn't USE_ENGINE be undefined? What
> > > if there's no USE_ENGINE?
> >
> > USE_ENGINE is for the 0.9.6-engine interface.
> >
> > in 0.9.7 the engine interface was removed.
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list