crypto/openssh/ssh-pkcs11-client.c

   1 /* $OpenBSD: ssh-pkcs11-client.c,v 1.2 2010/02/24 06:12:53 djm Exp $ */
   2 /*
   3  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 #include "includes.h"
  19
  20 #ifdef ENABLE_PKCS11
  21
  22 #include <sys/types.h>
  23 #ifdef HAVE_SYS_TIME_H
  24 # include <sys/time.h>
  25 #endif
  26 #include <sys/socket.h>
  27
  28 #include <stdarg.h>
  29 #include <string.h>
  30 #include <unistd.h>
  31 #include <errno.h>
  32
  33 #include "pathnames.h"
  34 #include "xmalloc.h"
  35 #include "buffer.h"
  36 #include "log.h"
  37 #include "misc.h"
  38 #include "key.h"
  39 #include "authfd.h"
  40 #include "atomicio.h"
  41 #include "ssh-pkcs11.h"
  42
  43 /* borrows code from sftp-server and ssh-agent */
  44
  45 int fd = -1;
  46 pid_t pid = -1;
  47
  48 static void
  49 send_msg(Buffer *m)
  50 {
  51         u_char buf[4];
  52         int mlen = buffer_len(m);
  53
  54         put_u32(buf, mlen);
  55         if (atomicio(vwrite, fd, buf, 4) != 4 ||
  56             atomicio(vwrite, fd, buffer_ptr(m),
  57             buffer_len(m)) != buffer_len(m))
  58                 error("write to helper failed");
  59         buffer_consume(m, mlen);
  60 }
  61
  62 static int
  63 recv_msg(Buffer *m)
  64 {
  65         u_int l, len;
  66         u_char buf[1024];
  67
  68         if ((len = atomicio(read, fd, buf, 4)) != 4) {
  69                 error("read from helper failed: %u", len);
  70                 return (0); /* XXX */
  71         }
  72         len = get_u32(buf);
  73         if (len > 256 * 1024)
  74                 fatal("response too long: %u", len);
  75         /* read len bytes into m */
  76         buffer_clear(m);
  77         while (len > 0) {
  78                 l = len;
  79                 if (l > sizeof(buf))
  80                         l = sizeof(buf);
  81                 if (atomicio(read, fd, buf, l) != l) {
  82                         error("response from helper failed.");
  83                         return (0); /* XXX */
  84                 }
  85                 buffer_append(m, buf, l);
  86                 len -= l;
  87         }
  88         return (buffer_get_char(m));
  89 }
  90
  91 int
  92 pkcs11_init(int interactive)
  93 {
  94         return (0);
  95 }
  96
  97 void
  98 pkcs11_terminate(void)
  99 {
 100         close(fd);
 101 }
 102
 103 static int
 104 pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 105     int padding)
 106 {
 107         Key key;
 108         u_char *blob, *signature = NULL;
 109         u_int blen, slen = 0;
 110         int ret = -1;
 111         Buffer msg;
 112
 113         if (padding != RSA_PKCS1_PADDING)
 114                 return (-1);
 115         key.type = KEY_RSA;
 116         key.rsa = rsa;
 117         if (key_to_blob(&key, &blob, &blen) == 0)
 118                 return -1;
 119         buffer_init(&msg);
 120         buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST);
 121         buffer_put_string(&msg, blob, blen);
 122         buffer_put_string(&msg, from, flen);
 123         buffer_put_int(&msg, 0);
 124         xfree(blob);
 125         send_msg(&msg);
 126
 127         if (recv_msg(&msg) == SSH2_AGENT_SIGN_RESPONSE) {
 128                 signature = buffer_get_string(&msg, &slen);
 129                 if (slen <= (u_int)RSA_size(rsa)) {
 130                         memcpy(to, signature, slen);
 131                         ret = slen;
 132                 }
 133                 xfree(signature);
 134         }
 135         return (ret);
 136 }
 137
 138 /* redirect the private key encrypt operation to the ssh-pkcs11-helper */
 139 static int
 140 wrap_key(RSA *rsa)
 141 {
 142         static RSA_METHOD helper_rsa;
 143
 144         memcpy(&helper_rsa, RSA_get_default_method(), sizeof(helper_rsa));
 145         helper_rsa.name = "ssh-pkcs11-helper";
 146         helper_rsa.rsa_priv_enc = pkcs11_rsa_private_encrypt;
 147         RSA_set_method(rsa, &helper_rsa);
 148         return (0);
 149 }
 150
 151 static int
 152 pkcs11_start_helper(void)
 153 {
 154         int pair[2];
 155
 156         if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) {
 157                 error("socketpair: %s", strerror(errno));
 158                 return (-1);
 159         }
 160         if ((pid = fork()) == -1) {
 161                 error("fork: %s", strerror(errno));
 162                 return (-1);
 163         } else if (pid == 0) {
 164                 if ((dup2(pair[1], STDIN_FILENO) == -1) ||
 165                     (dup2(pair[1], STDOUT_FILENO) == -1)) {
 166                         fprintf(stderr, "dup2: %s\n", strerror(errno));
 167                         _exit(1);
 168                 }
 169                 close(pair[0]);
 170                 close(pair[1]);
 171                 execlp(_PATH_SSH_PKCS11_HELPER, _PATH_SSH_PKCS11_HELPER,
 172                     (char *) 0);
 173                 fprintf(stderr, "exec: %s: %s\n", _PATH_SSH_PKCS11_HELPER,
 174                     strerror(errno));
 175                 _exit(1);
 176         }
 177         close(pair[1]);
 178         fd = pair[0];
 179         return (0);
 180 }
 181
 182 int
 183 pkcs11_add_provider(char *name, char *pin, Key ***keysp)
 184 {
 185         Key *k;
 186         int i, nkeys;
 187         u_char *blob;
 188         u_int blen;
 189         Buffer msg;
 190
 191         if (fd < 0 && pkcs11_start_helper() < 0)
 192                 return (-1);
 193
 194         buffer_init(&msg);
 195         buffer_put_char(&msg, SSH_AGENTC_ADD_SMARTCARD_KEY);
 196         buffer_put_cstring(&msg, name);
 197         buffer_put_cstring(&msg, pin);
 198         send_msg(&msg);
 199         buffer_clear(&msg);
 200
 201         if (recv_msg(&msg) == SSH2_AGENT_IDENTITIES_ANSWER) {
 202                 nkeys = buffer_get_int(&msg);
 203                 *keysp = xcalloc(nkeys, sizeof(Key *));
 204                 for (i = 0; i < nkeys; i++) {
 205                         blob = buffer_get_string(&msg, &blen);
 206                         xfree(buffer_get_string(&msg, NULL));
 207                         k = key_from_blob(blob, blen);
 208                         wrap_key(k->rsa);
 209                         (*keysp)[i] = k;
 210                         xfree(blob);
 211                 }
 212         } else {
 213                 nkeys = -1;
 214         }
 215         buffer_free(&msg);
 216         return (nkeys);
 217 }
 218
 219 int
 220 pkcs11_del_provider(char *name)
 221 {
 222         int ret = -1;
 223         Buffer msg;
 224
 225         buffer_init(&msg);
 226         buffer_put_char(&msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY);
 227         buffer_put_cstring(&msg, name);
 228         buffer_put_cstring(&msg, "");
 229         send_msg(&msg);
 230         buffer_clear(&msg);
 231
 232         if (recv_msg(&msg) == SSH_AGENT_SUCCESS)
 233                 ret = 0;
 234         buffer_free(&msg);
 235         return (ret);
 236 }
 237
 238 #endif /* ENABLE_PKCS11 */