openssh-8.1p1-1 + 0.10.3-8

This commit is contained in:
Jakub Jelen 2019-10-09 10:24:21 +02:00
parent 5eb2d51328
commit 36fef5669a
20 changed files with 258 additions and 828 deletions

2
.gitignore vendored
View File

@ -36,3 +36,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-7.9p1.tar.gz.asc
/openssh-8.0p1.tar.gz
/openssh-8.0p1.tar.gz.asc
/openssh-8.1p1.tar.gz
/openssh-8.1p1.tar.gz.asc

View File

@ -210,8 +210,8 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]);
- log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);

View File

@ -10,5 +10,5 @@
+ }
omode = mode;
mode |= S_IWUSR;
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
--

View File

@ -28,14 +28,15 @@ diff --git a/auth.h b/auth.h
index f9d191c..c432d2f 100644
--- a/auth.h
+++ b/auth.h
@@ -222,5 +222,7 @@ int sys_auth_passwd(Authctxt *, const char *);
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ char **k5login_directory);
#endif
#endif
#endif /* AUTH_H */
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a7c0c5f..df8cc9a 100644
--- a/gss-serv-krb5.c

View File

@ -48,5 +48,5 @@ Author: Harald Freudenberger <freude@de.ibm.com>
+#endif
}
(void) closedir(dirp);
} else
return;

View File

@ -14,7 +14,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
+ if (len <= 0)
+ return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0)
if (sock == -1)
error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;

View File

@ -59,7 +59,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
ssh_gai_strerror(gaierr));
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ X11_PORT_MIN + display_number, strerror(errno));
@ -197,7 +197,7 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
+.Cm X11MaxDisplays ,
.Cm X11Forwarding
and
.Cm X11UseLocalHost .
.Cm X11UseLocalhost .
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
X11 forwarding.
This prevents sshd from interfering with real X11 servers.

View File

@ -69,29 +69,6 @@ index 6e7de31..e86aa2c 100644
SC_ALLOW(__NR_getrandom),
#endif
-- 1.9.1
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
sandbox-seccomp-filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e86aa2c..98062f1 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
#endif
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
/*
--
1.9.1
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
@ -107,40 +84,3 @@ diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-se
SC_ALLOW(__NR_getrandom),
#endif
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.ibm.com>
Date: Fri, 24 May 2019 10:11:15 +0200
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
to the sandbox seccomp filter rules.
Now the ibmca openssl engine provides elliptic curve cryptography support with the
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
device driver and so there is a need to enable this on the openssl sandbox.
Code is s390 specific and has been tested, verified and reviewed.
Please note that I am also the originator of the previous changes in that area.
I posted these changes to Eduardo and he forwarded the patches to the openssl
community.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
sandbox-seccomp-filter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 5edbc6946..56eb9317f 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
/* Allow ioctls for EP11 crypto card on s390 */
SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
#endif
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
/*

View File

@ -941,8 +941,8 @@ diff -up openssh/kex.c.audit openssh/kex.c
return SSH_ERR_NO_CIPHER_ALG_MATCH;
+ }
if ((enc->cipher = cipher_by_name(name)) == NULL) {
error("%s: unsupported cipher %s", __func__, name);
free(name);
return SSH_ERR_INTERNAL_ERROR;
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
{
char *name = match_list(client, server, NULL);
@ -955,8 +955,8 @@ diff -up openssh/kex.c.audit openssh/kex.c
return SSH_ERR_NO_MAC_ALG_MATCH;
+ }
if (mac_setup(mac, name) < 0) {
error("%s: unsupported MAC %s", __func__, name);
free(name);
return SSH_ERR_INTERNAL_ERROR;
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
}
@ -1659,9 +1659,9 @@ diff -up openssh/packet.c.audit openssh/packet.c
#include "xmalloc.h"
+#include "audit.h"
#include "crc32.h"
#include "compat.h"
#include "ssh2.h"
#include "cipher.h"
@@ -510,6 +511,13 @@ ssh_packet_get_connection_out(struct ssh
return ssh->state->connection_out;
}
@ -2309,8 +2309,8 @@ diff -up openssh/sshkey.h.audit openssh/sshkey.h
--- openssh/sshkey.h.audit 2019-04-03 17:02:20.657885510 +0200
+++ openssh/sshkey.h 2019-04-03 17:02:20.718886088 +0200
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *);
+int sshkey_is_private(const struct sshkey *);
int sshkey_is_cert(const struct sshkey *);

View File

@ -152,9 +152,9 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o sshsig.o
- $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o sshsig.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o uidswap.o compat.o
- $(LD) -o $@ ssh-keysign.o readconf.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -169,8 +169,8 @@ diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@ -229,7 +229,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \
HOSTKEY_ECDSA_METHODS \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
@ -526,13 +526,13 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "crypto_api.h"
@@ -57,6 +58,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "sshkey-xmss.h"
#include "match.h"
+#include "log.h"
#include "xmss_fast.h"
#ifdef WITH_XMSS
#include "sshkey-xmss.h"
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
@ -546,9 +546,9 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
if (*bitsp > maxbits)
fatal("key bits exceeds maximum %d", maxbits);
#endif
}
#ifdef WITH_OPENSSL
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");

View File

@ -336,14 +336,15 @@ index 29491df9..fdab5040 100644
#endif
struct sshbuf *loginmsg;
@@ -243,6 +244,6 @@ int sys_auth_passwd(struct ssh *, const char *);
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif
#endif /* AUTH_H */
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100

View File

@ -141,7 +141,7 @@ diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
char *compound;
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200

View File

@ -1,31 +0,0 @@
From 2317ce4b0ed7d8c4b0c684e2d47bff5006bd1178 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 14 Jun 2019 03:51:47 +0000
Subject: [PATCH] upstream: process agent requests for RSA certificate private
keys using
correct signature algorithm when requested. Patch from Jakub Jelen in bz3016
ok dtucker markus
OpenBSD-Commit-ID: 61f86efbeb4a1857a3e91298c1ccc6cf49b79624
---
ssh-agent.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index 034f31387..4669b679c 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -269,6 +269,11 @@ agent_decode_alg(struct sshkey *key, u_int flags)
return "rsa-sha2-256";
else if (flags & SSH_AGENT_RSA_SHA2_512)
return "rsa-sha2-512";
+ } else if (key->type == KEY_RSA_CERT) {
+ if (flags & SSH_AGENT_RSA_SHA2_256)
+ return "rsa-sha2-256-cert-v01@openssh.com";
+ else if (flags & SSH_AGENT_RSA_SHA2_512)
+ return "rsa-sha2-512-cert-v01@openssh.com";
}
return NULL;
}

View File

@ -32,9 +32,9 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
@@ -1123,16 +1123,10 @@ If the specified value begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
from the default set instead of replacing them.
.Sq ^
character, then the specified methods will be placed at the head of the
default set.
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
@ -72,9 +72,9 @@ diff -up openssh-8.0p1/ssh_config.5.crypto-policies openssh-8.0p1/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
@@ -1361,17 +1351,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
.Sq ^
character, then the specified key types will be placed at the head of the
default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
@ -187,9 +187,9 @@ diff -up openssh-8.0p1/sshd_config.5.crypto-policies openssh-8.0p1/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
@@ -1455,17 +1440,10 @@ If the specified value begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
from the default set instead of replacing them.
.Sq ^
character, then the specified key types will be placed at the head of the
default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,

View File

@ -17,7 +17,7 @@ index 6f001bb3..c31821ac 100644
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
sftp-server.o sftp-common.o sftp-realpath.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/auth.c b/auth.c
index 332b6220..7664aaac 100644
@ -60,7 +60,7 @@ index 332b6220..7664aaac 100644
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) < 0) {
- (struct sockaddr *)&from, &fromlen) == -1) {
- debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- }
@ -279,7 +279,7 @@ index f71a0856..404731d2 100644
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ (struct sockaddr *)&from, &fromlen) == -1) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
@ -1258,18 +1258,6 @@ index ab3a15f0..6ce56e92 100644
}
/* Privileged */
diff --git a/hmac.c b/hmac.c
index 1c879640..a29f32c5 100644
--- a/hmac.c
+++ b/hmac.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdlib.h>
#include "sshbuf.h"
#include "digest.h"
diff --git a/kex.c b/kex.c
index 34808b5c..a2a4794e 100644
--- a/kex.c
@ -1293,7 +1281,7 @@ index 34808b5c..a2a4794e 100644
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = {
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, -1, -1, -1},
{ NULL, 0, -1, -1},
};
+static const struct kexalg gss_kexalgs[] = {
+#ifdef GSSAPI
@ -1306,7 +1294,7 @@ index 34808b5c..a2a4794e 100644
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+ { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif
+ { NULL, -1, -1, -1 },
+ { NULL, 0, -1, -1 },
+};
-char *
@ -2585,18 +2573,6 @@ index 00000000..60bc02de
+ return r;
+}
+#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */
diff --git a/mac.c b/mac.c
index 51dc11d7..3d11eba6 100644
--- a/mac.c
+++ b/mac.c
@@ -29,6 +29,7 @@
#include <string.h>
#include <stdio.h>
+#include <stdlib.h>
#include "digest.h"
#include "hmac.h"
diff --git a/monitor.c b/monitor.c
index 60e52944..669cdb4a 100644
--- a/monitor.c

View File

@ -1,324 +0,0 @@
From eb0d8e708a1f958aecd2d6e2ff2450af488d4c2a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 15 Jul 2019 13:16:29 +0000
Subject: [PATCH] upstream: support PKCS8 as an optional format for storage of
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.
The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).
adapted from patch by Jakub Jelen via bz3013; ok markus
OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
---
authfile.c | 6 ++--
ssh-keygen.1 | 9 +++---
ssh-keygen.c | 25 +++++++++--------
sshkey.c | 78 +++++++++++++++++++++++++++++++++++++---------------
sshkey.h | 11 ++++++--
5 files changed, 87 insertions(+), 42 deletions(-)
diff --git a/authfile.c b/authfile.c
index 2166c1689..851c1a8a1 100644
--- a/authfile.c
+++ b/authfile.c
@@ -74,7 +74,7 @@ sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
int
sshkey_save_private(struct sshkey *key, const char *filename,
const char *passphrase, const char *comment,
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
{
struct sshbuf *keyblob = NULL;
int r;
@@ -82,7 +82,7 @@ sshkey_save_private(struct sshkey *key, const char *filename,
if ((keyblob = sshbuf_new()) == NULL)
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
- force_new_format, new_format_cipher, new_format_rounds)) != 0)
+ format, openssh_format_cipher, openssh_format_rounds)) != 0)
goto out;
if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
goto out;
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index f42127c60..8184a1797 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -419,11 +419,12 @@ The supported key formats are:
.Dq RFC4716
(RFC 4716/SSH2 public or private key),
.Dq PKCS8
-(PEM PKCS8 public key)
+(PKCS8 public or private key)
or
.Dq PEM
(PEM public key).
-The default conversion format is
+By default OpenSSH will write newly-generated private keys in its own
+format, but when converting public keys for export the default format is
.Dq RFC4716 .
Setting a format of
.Dq PEM
diff --git a/ssh-keygen.c b/ssh-keygen.c
index b019a02ff..5dcad1f61 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -147,11 +147,11 @@ static char *key_type_name = NULL;
/* Load key from this PKCS#11 provider */
static char *pkcs11provider = NULL;
-/* Use new OpenSSH private key format when writing SSH2 keys instead of PEM */
-static int use_new_format = 1;
+/* Format for writing private keys */
+static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
/* Cipher for new-format private keys */
-static char *new_format_cipher = NULL;
+static char *openssh_format_cipher = NULL;
/*
* Number of KDF rounds to derive new format keys /
@@ -1048,7 +1048,8 @@ do_gen_all_hostkeys(struct passwd *pw)
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
hostname);
if ((r = sshkey_save_private(private, prv_tmp, "",
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
+ comment, private_key_format, openssh_format_cipher,
+ rounds)) != 0) {
error("Saving key \"%s\" failed: %s",
prv_tmp, ssh_err(r));
goto failnext;
@@ -1391,7 +1392,7 @@ do_change_passphrase(struct passwd *pw)
/* Save the file using the new passphrase. */
if ((r = sshkey_save_private(private, identity_file, passphrase1,
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
error("Saving key \"%s\" failed: %s.",
identity_file, ssh_err(r));
explicit_bzero(passphrase1, strlen(passphrase1));
@@ -1480,7 +1481,7 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
}
if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
- !use_new_format) {
+ private_key_format != SSHKEY_PRIVATE_OPENSSH) {
error("Comments are only supported for keys stored in "
"the new format (-o).");
explicit_bzero(passphrase, strlen(passphrase));
@@ -1514,7 +1515,8 @@ do_change_comment(struct passwd *pw, const char *identity_comment)
/* Save the file using the new passphrase. */
if ((r = sshkey_save_private(private, identity_file, passphrase,
- new_comment, use_new_format, new_format_cipher, rounds)) != 0) {
+ new_comment, private_key_format, openssh_format_cipher,
+ rounds)) != 0) {
error("Saving key \"%s\" failed: %s",
identity_file, ssh_err(r));
explicit_bzero(passphrase, strlen(passphrase));
@@ -2525,11 +2527,12 @@ main(int argc, char **argv)
}
if (strcasecmp(optarg, "PKCS8") == 0) {
convert_format = FMT_PKCS8;
+ private_key_format = SSHKEY_PRIVATE_PKCS8;
break;
}
if (strcasecmp(optarg, "PEM") == 0) {
convert_format = FMT_PEM;
- use_new_format = 0;
+ private_key_format = SSHKEY_PRIVATE_PEM;
break;
}
fatal("Unsupported conversion format \"%s\"", optarg);
@@ -2567,7 +2570,7 @@ main(int argc, char **argv)
add_cert_option(optarg);
break;
case 'Z':
- new_format_cipher = optarg;
+ openssh_format_cipher = optarg;
break;
case 'C':
identity_comment = optarg;
@@ -2912,7 +2915,7 @@ main(int argc, char **argv)
/* Save the key with the given passphrase and comment. */
if ((r = sshkey_save_private(private, identity_file, passphrase1,
- comment, use_new_format, new_format_cipher, rounds)) != 0) {
+ comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
error("Saving key \"%s\" failed: %s",
identity_file, ssh_err(r));
explicit_bzero(passphrase1, strlen(passphrase1));
diff --git a/sshkey.c b/sshkey.c
index 6b5ff0485..a0cea9257 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -3975,10 +3975,10 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
#ifdef WITH_OPENSSL
-/* convert SSH v2 key in OpenSSL PEM format */
+/* convert SSH v2 key to PEM or PKCS#8 format */
static int
-sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
- const char *_passphrase, const char *comment)
+sshkey_private_to_blob_pem_pkcs8(struct sshkey *key, struct sshbuf *blob,
+ int format, const char *_passphrase, const char *comment)
{
int success, r;
int blen, len = strlen(_passphrase);
@@ -3988,26 +3988,46 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
char *bptr;
BIO *bio = NULL;
+ EVP_PKEY *pkey = NULL;
if (len > 0 && len <= 4)
return SSH_ERR_PASSPHRASE_TOO_SHORT;
- if ((bio = BIO_new(BIO_s_mem())) == NULL)
- return SSH_ERR_ALLOC_FAIL;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
switch (key->type) {
case KEY_DSA:
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
- cipher, passphrase, len, NULL, NULL);
+ if (format == SSHKEY_PRIVATE_PEM) {
+ success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
+ cipher, passphrase, len, NULL, NULL);
+ } else {
+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
+ }
break;
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
- cipher, passphrase, len, NULL, NULL);
+ if (format == SSHKEY_PRIVATE_PEM) {
+ success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
+ cipher, passphrase, len, NULL, NULL);
+ } else {
+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
+ }
break;
#endif
case KEY_RSA:
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
- cipher, passphrase, len, NULL, NULL);
+ if (format == SSHKEY_PRIVATE_PEM) {
+ success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
+ cipher, passphrase, len, NULL, NULL);
+ } else {
+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
+ }
break;
default:
success = 0;
@@ -4023,6 +4040,13 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ if (format == SSHKEY_PRIVATE_PKCS8) {
+ if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
+ passphrase, len, NULL, NULL)) == 0) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ }
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
@@ -4035,6 +4059,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
goto out;
r = 0;
out:
+ EVP_PKEY_free(pkey);
BIO_free(bio);
return r;
}
@@ -4046,29 +4071,38 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *buf,
int
sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
const char *passphrase, const char *comment,
- int force_new_format, const char *new_format_cipher, int new_format_rounds)
+ int format, const char *openssh_format_cipher, int openssh_format_rounds)
{
switch (key->type) {
#ifdef WITH_OPENSSL
case KEY_DSA:
case KEY_ECDSA:
case KEY_RSA:
- if (force_new_format) {
- return sshkey_private_to_blob2(key, blob, passphrase,
- comment, new_format_cipher, new_format_rounds);
- }
- return sshkey_private_pem_to_blob(key, blob,
- passphrase, comment);
+ break; /* see below */
#endif /* WITH_OPENSSL */
case KEY_ED25519:
#ifdef WITH_XMSS
case KEY_XMSS:
#endif /* WITH_XMSS */
return sshkey_private_to_blob2(key, blob, passphrase,
- comment, new_format_cipher, new_format_rounds);
+ comment, openssh_format_cipher, openssh_format_rounds);
default:
return SSH_ERR_KEY_TYPE_UNKNOWN;
}
+
+#ifdef WITH_OPENSSL
+ switch (format) {
+ case SSHKEY_PRIVATE_OPENSSH:
+ return sshkey_private_to_blob2(key, blob, passphrase,
+ comment, openssh_format_cipher, openssh_format_rounds);
+ case SSHKEY_PRIVATE_PEM:
+ case SSHKEY_PRIVATE_PKCS8:
+ return sshkey_private_to_blob_pem_pkcs8(key, blob,
+ format, passphrase, comment);
+ default:
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+#endif /* WITH_OPENSSL */
}
diff --git a/sshkey.h b/sshkey.h
index 41d159a1b..d30a69cc9 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -88,6 +88,13 @@ enum sshkey_serialize_rep {
SSHKEY_SERIALIZE_INFO = 254,
};
+/* Private key disk formats */
+enum sshkey_private_format {
+ SSHKEY_PRIVATE_OPENSSH = 0,
+ SSHKEY_PRIVATE_PEM = 1,
+ SSHKEY_PRIVATE_PKCS8 = 2,
+};
+
/* key is stored in external hardware */
#define SSHKEY_FLAG_EXT 0x0001
@@ -221,7 +228,7 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **keyp);
/* private key file format parsing and serialisation */
int sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
const char *passphrase, const char *comment,
- int force_new_format, const char *new_format_cipher, int new_format_rounds);
+ int format, const char *openssh_format_cipher, int openssh_format_rounds);
int sshkey_parse_private_fileblob(struct sshbuf *buffer,
const char *passphrase, struct sshkey **keyp, char **commentp);
int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,

View File

@ -1,9 +1,9 @@
diff --git a/Makefile.in b/Makefile.in
index 6f001bb3..c9424f1e 100644
index adb1977e..9b01a017 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -93,7 +93,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
atomicio.o dispatch.o mac.o uuencode.o misc.o utf8.o \
atomicio.o dispatch.o mac.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- ssh-pkcs11.o smult_curve25519_ref.o \
@ -11,7 +11,7 @@ index 6f001bb3..c9424f1e 100644
poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
@@ -250,6 +250,8 @@ clean: regressclean
@@ -255,6 +255,8 @@ clean: regressclean
rm -f regress/unittests/match/test_match$(EXEEXT)
rm -f regress/unittests/utf8/*.o
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
@ -20,7 +20,7 @@ index 6f001bb3..c9424f1e 100644
rm -f regress/misc/kexfuzz/*.o
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
(cd openbsd-compat && $(MAKE) clean)
@@ -280,6 +282,8 @@ distclean: regressclean
@@ -285,6 +287,8 @@ distclean: regressclean
rm -f regress/unittests/match/test_match
rm -f regress/unittests/utf8/*.o
rm -f regress/unittests/utf8/test_utf8
@ -29,7 +29,7 @@ index 6f001bb3..c9424f1e 100644
rm -f regress/misc/kexfuzz/*.o
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
(cd openbsd-compat && $(MAKE) distclean)
@@ -442,6 +446,7 @@ regress-prep:
@@ -447,6 +451,7 @@ regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/kex
$(MKDIR_P) `pwd`/regress/unittests/match
$(MKDIR_P) `pwd`/regress/unittests/utf8
@ -37,7 +37,7 @@ index 6f001bb3..c9424f1e 100644
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
@@ -565,6 +570,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
@@ -570,6 +575,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@ -54,32 +54,19 @@ index 6f001bb3..c9424f1e 100644
MISC_KEX_FUZZ_OBJS=\
regress/misc/kexfuzz/kexfuzz.o
@@ -585,6 +600,7 @@ regress-binaries: regress/modpipe$(EXEEXT) \
@@ -593,6 +608,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
regress/unittests/kex/test_kex$(EXEEXT) \
regress/unittests/match/test_match$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
tests interop-tests t-exec unit: regress-prep regress-binaries $(TARGETS)
diff --git a/authfd.c b/authfd.c
index 95348abf..5383df92 100644
--- a/authfd.c
+++ b/authfd.c
@@ -312,6 +312,8 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
if (idl->comments != NULL)
free(idl->comments[i]);
}
+ free(idl->keys);
+ free(idl->comments);
free(idl);
}
tests: file-tests t-exec interop-tests unit
diff --git a/configure.ac b/configure.ac
index 30be6c18..82459746 100644
index 3e93c027..351f0ba5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1854,12 +1854,14 @@ AC_LINK_IFELSE(
@@ -1861,12 +1861,14 @@ AC_LINK_IFELSE(
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
@ -94,7 +81,7 @@ index 30be6c18..82459746 100644
fi
]
)
@@ -1875,6 +1877,40 @@ if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
@@ -1882,6 +1884,40 @@ if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
)
fi
@ -135,7 +122,7 @@ index 30be6c18..82459746 100644
# IRIX has a const char return value for gai_strerror()
AC_CHECK_FUNCS([gai_strerror], [
AC_DEFINE([HAVE_GAI_STRERROR])
@@ -5256,6 +5292,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
@@ -5229,6 +5265,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -144,24 +131,20 @@ index 30be6c18..82459746 100644
echo ""
diff --git a/regress/Makefile b/regress/Makefile
index 925edf71..94bb25e9 100644
index 34c47e8c..d693aa4a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -109,9 +109,11 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
@@ -115,7 +115,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
modpipe netcat no_identity_config \
pidfile putty.rsa2 ready regress.log \
- remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
+ remote_pid revoked-* rsa rsa-agent rsa-agent.pub \
+ rsa-agent-cert.pub rsa.pub \
rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
+ pkcs11*.crt pkcs11*.key \
+ pkcs11.info rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
pidfile putty.rsa2 ready regress.log remote_pid \
- revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa_ssh2_cr.prv \
+ revoked-* rsa rsa-agent rsa-agent.pub rsa-agent-cert.pub \
+ rsa.pub rsa_ssh2_cr.prv pkcs11*.crt pkcs11*.key pkcs11.info \
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
@@ -231,6 +233,7 @@ unit:
@@ -245,6 +246,7 @@ unit:
V="" ; \
test "x${USE_VALGRIND}" = "x" || \
V=${.CURDIR}/valgrind-unit.sh ; \
@ -170,24 +153,10 @@ index 925edf71..94bb25e9 100644
$$V ${.OBJDIR}/unittests/sshkey/test_sshkey \
-d ${.CURDIR}/unittests/sshkey/testdata ; \
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 5205d906..5ca49be5 100644
index 5205d906..bfbaeb65 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -29,6 +29,13 @@ fi
test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
+# requires ssh-agent built with correct path to ssh-pkcs11-helper
+# otherwise it fails to start the helper
+strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"
+if [ $? -ne 0 ]; then
+ fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"
+fi
+
# setup environment for softhsm2 token
DIR=$OBJ/SOFTHSM
rm -rf $DIR
@@ -113,7 +120,7 @@ else
@@ -113,7 +113,7 @@ else
done
trace "remove pkcs11 keys"
@ -198,10 +167,10 @@ index 5205d906..5ca49be5 100644
fail "ssh-add -e failed: exit code $r"
diff --git a/regress/pkcs11.sh b/regress/pkcs11.sh
new file mode 100644
index 00000000..19fc8169
index 00000000..f2d6c41c
--- /dev/null
+++ b/regress/pkcs11.sh
@@ -0,0 +1,352 @@
@@ -0,0 +1,345 @@
+#
+# Copyright (c) 2017 Red Hat
+#
@ -247,13 +216,6 @@ index 00000000..19fc8169
+
+test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"
+
+# requires ssh-agent built with correct path to ssh-pkcs11-helper
+# otherwise it fails to start the helper
+strings ${TEST_SSH_SSHAGENT} | grep "$TEST_SSH_SSHPKCS11HELPER"
+if [ $? -ne 0 ]; then
+ fatal "Needs to reconfigure with --libexecdir=\`pwd\` or so"
+fi
+
+# setup environment for softhsm token
+DIR=$OBJ/SOFTHSM
+rm -rf $DIR
@ -555,15 +517,15 @@ index 00000000..19fc8169
+ ${SSHAGENT} -k > /dev/null
+fi
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
index e464b085..a0e5a37c 100644
index 4e56e110..2690ebeb 100644
--- a/regress/unittests/Makefile
+++ b/regress/unittests/Makefile
@@ -2,6 +2,6 @@
REGRESS_FAIL_EARLY?= yes
SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
-SUBDIR+=authopt
+SUBDIR+=pkcs11 authopt
-SUBDIR+=authopt misc
+SUBDIR+=authopt misc pkcs11
.include <bsd.subdir.mk>
diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c
@ -910,10 +872,10 @@ index 00000000..b637cb13
+ test_generate_valid();
+}
diff --git a/ssh-add.c b/ssh-add.c
index ac9c808d..f039e00e 100644
index ebfb8a32..c32d1cb5 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -64,6 +64,7 @@
@@ -66,6 +66,7 @@
#include "misc.h"
#include "ssherr.h"
#include "digest.h"
@ -921,32 +883,55 @@ index ac9c808d..f039e00e 100644
/* argv0 */
extern char *__progname;
@@ -188,6 +189,24 @@ delete_all(int agent_fd, int qflag)
@@ -190,6 +191,32 @@ delete_all(int agent_fd, int qflag)
return ret;
}
+#ifdef ENABLE_PKCS11
+static int update_card(int, int, const char *, int);
+static int update_card(int, int, const char *, int, char *);
+
+int
+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag)
+{
+ char *pin = NULL;
+ struct pkcs11_uri *uri;
+
+ /* dry-run parse to make sure the URI is valid and to report errors */
+ uri = pkcs11_uri_init();
+ if (pkcs11_uri_parse((char *) pkcs11_uri, uri) != 0)
+ fatal("Failed to parse PKCS#11 URI");
+ if (uri->pin != NULL) {
+ pin = strdup(uri->pin);
+ if (pin == NULL) {
+ fatal("Failed to dupplicate string");
+ }
+ /* pin is freed in the update_card() */
+ }
+ pkcs11_uri_cleanup(uri);
+
+ return update_card(agent_fd, adding, pkcs11_uri, qflag);
+ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin);
+}
+#endif
+
static int
add_file(int agent_fd, const char *filename, int key_only, int qflag)
{
@@ -529,6 +548,13 @@ lock_agent(int agent_fd, int lock)
@@ -392,12 +419,11 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
}
static int
-update_card(int agent_fd, int add, const char *id, int qflag)
+update_card(int agent_fd, int add, const char *id, int qflag, char *pin)
{
- char *pin = NULL;
int r, ret = -1;
- if (add) {
+ if (add && pin == NULL) {
if ((pin = read_passphrase("Enter passphrase for PKCS#11: ",
RP_ALLOW_STDIN)) == NULL)
return -1;
@@ -531,6 +557,13 @@ lock_agent(int agent_fd, int lock)
static int
do_file(int agent_fd, int deleting, int key_only, char *file, int qflag)
{
@ -960,11 +945,20 @@ index ac9c808d..f039e00e 100644
if (deleting) {
if (delete_file(agent_fd, file, key_only, qflag) == -1)
return -1;
@@ -709,7 +742,7 @@ main(int argc, char **argv)
}
if (pkcs11provider != NULL) {
if (update_card(agent_fd, !deleting, pkcs11provider,
- qflag) == -1)
+ qflag, NULL) == -1)
ret = 1;
goto done;
}
diff --git a/ssh-agent.c b/ssh-agent.c
index d06ecfd9..9c1b328f 100644
index 9c6680a2..e3336073 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -548,10 +548,72 @@ no_identities(SocketEntry *e)
@@ -556,10 +556,72 @@ no_identities(SocketEntry *e)
}
#ifdef ENABLE_PKCS11
@ -1038,7 +1032,7 @@ index d06ecfd9..9c1b328f 100644
int r, i, count = 0, success = 0, confirm = 0;
u_int seconds;
time_t death = 0;
@@ -587,28 +649,23 @@ process_add_smartcard_key(SocketEntry *e)
@@ -595,28 +657,23 @@ process_add_smartcard_key(SocketEntry *e)
goto send;
}
}
@ -1075,7 +1069,7 @@ index d06ecfd9..9c1b328f 100644
id->death = death;
id->confirm = confirm;
TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
@@ -622,6 +679,7 @@ process_add_smartcard_key(SocketEntry *e)
@@ -630,6 +687,7 @@ process_add_smartcard_key(SocketEntry *e)
send:
free(pin);
free(provider);
@ -1083,7 +1077,7 @@ index d06ecfd9..9c1b328f 100644
free(keys);
send_status(e, success);
}
@@ -629,7 +687,7 @@ send:
@@ -637,7 +695,7 @@ send:
static void
process_remove_smartcard_key(SocketEntry *e)
{
@ -1092,7 +1086,7 @@ index d06ecfd9..9c1b328f 100644
int r, success = 0;
Identity *id, *nxt;
@@ -640,30 +698,29 @@ process_remove_smartcard_key(SocketEntry *e)
@@ -648,30 +706,29 @@ process_remove_smartcard_key(SocketEntry *e)
}
free(pin);
@ -1130,10 +1124,10 @@ index d06ecfd9..9c1b328f 100644
}
#endif /* ENABLE_PKCS11 */
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 3898b281..91c43b14 100644
index e039be30..6770fafb 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -798,6 +798,7 @@ do_download(struct passwd *pw)
@@ -829,6 +829,7 @@ do_download(struct passwd *pw)
free(fp);
} else {
(void) sshkey_write(keys[i], stdout); /* XXX check */
@ -1638,7 +1632,7 @@ index 00000000..942a5a5a
+char *pkcs11_uri_get(struct pkcs11_uri *uri);
+
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 70f06bff..59332945 100644
index 09f1ea34..fceddfe3 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -54,8 +54,8 @@ struct pkcs11_slotinfo {
@ -1900,11 +1894,11 @@ index 70f06bff..59332945 100644
static void
pkcs11_k11_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
@@ -208,6 +347,7 @@ pkcs11_k11_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx,
if (k11->provider)
pkcs11_provider_unref(k11->provider);
free(k11->keyid);
if (k11->provider)
pkcs11_provider_unref(k11->provider);
free(k11->keyid);
+ free(k11->label);
free(k11);
free(k11);
}
@@ -222,8 +362,8 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
@ -1918,18 +1912,40 @@ index 70f06bff..59332945 100644
if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
return (-1);
@@ -252,8 +392,8 @@ pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
@@ -267,7 +407,7 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si,
return (-1); /* bail out */
}
}
- rv = provider->function_list->C_Login(si->session, type, (u_char *)pin,
+ rv = provider->module->function_list->C_Login(si->session, type, (u_char *)pin,
(pin != NULL) ? strlen(pin) : 0);
if (pin != NULL)
freezero(pin, strlen(pin));
@@ -282,13 +422,14 @@ pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si,
static int
pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
{
- if (k11 == NULL || k11->provider == NULL || !k11->provider->valid) {
+ if (k11 == NULL || k11->provider == NULL || !k11->provider->valid ||
+ k11->provider->module == NULL || !k11->provider->module->valid) {
error("no pkcs11 (valid) provider found");
return (-1);
}
- f = k11->provider->function_list;
- si = &k11->provider->slotinfo[k11->slotidx];
+ f = k11->provider->module->function_list;
+ si = &k11->provider->module->slotinfo[k11->slotidx];
return pkcs11_login_slot(k11->provider,
- &k11->provider->slotinfo[k11->slotidx], type);
+ &k11->provider->module->slotinfo[k11->slotidx], type);
}
if (!pkcs11_interactive) {
error("need pin entry%s",
@@ -300,8 +440,8 @@ pkcs11_check_obj_bool_attrib(struct pkcs11_key *k11, CK_OBJECT_HANDLE obj,
@@ -304,13 +445,14 @@ pkcs11_check_obj_bool_attrib(struct pkcs11_key *k11, CK_OBJECT_HANDLE obj,
*val = 0;
- if (!k11->provider || !k11->provider->valid) {
+ if (!k11->provider || !k11->provider->valid ||
+ !k11->provider->module || !k11->provider->module->valid) {
error("no pkcs11 (valid) provider found");
return (-1);
}
@ -1940,13 +1956,13 @@ index 70f06bff..59332945 100644
attr.type = type;
attr.pValue = &flag;
@@ -332,13 +472,14 @@ pkcs11_get_key(struct pkcs11_key *k11, CK_MECHANISM_TYPE mech_type)
@@ -341,13 +483,14 @@ pkcs11_get_key(struct pkcs11_key *k11, CK_MECHANISM_TYPE mech_type)
int always_auth = 0;
int did_login = 0;
- if (!k11->provider || !k11->provider->valid) {
+ if (!k11->provider || !k11->provider->valid || !k11->provider->module
+ || !k11->provider->module->valid) {
+ if (!k11->provider || !k11->provider->valid ||
+ !k11->provider->module || !k11->provider->module->valid) {
error("no pkcs11 (valid) provider found");
return (-1);
}
@ -1958,7 +1974,7 @@ index 70f06bff..59332945 100644
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
if (pkcs11_login(k11, CKU_USER) < 0) {
@@ -415,8 +556,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
@@ -424,8 +567,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
return (-1);
}
@ -1969,7 +1985,7 @@ index 70f06bff..59332945 100644
tlen = RSA_size(rsa);
/* XXX handle CKR_BUFFER_TOO_SMALL */
@@ -460,7 +601,7 @@ pkcs11_rsa_start_wrapper(void)
@@ -469,7 +612,7 @@ pkcs11_rsa_start_wrapper(void)
/* redirect private key operations for rsa key to pkcs11 token */
static int
pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
@ -1978,7 +1994,7 @@ index 70f06bff..59332945 100644
{
struct pkcs11_key *k11;
@@ -478,6 +619,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
@@ -487,6 +630,12 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
}
@ -1991,7 +2007,7 @@ index 70f06bff..59332945 100644
RSA_set_method(rsa, rsa_method);
RSA_set_ex_data(rsa, rsa_idx, k11);
return (0);
@@ -508,8 +655,8 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
@@ -517,8 +666,8 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
return (NULL);
}
@ -2002,7 +2018,7 @@ index 70f06bff..59332945 100644
siglen = ECDSA_size(ec);
sig = xmalloc(siglen);
@@ -574,7 +721,7 @@ pkcs11_ecdsa_start_wrapper(void)
@@ -583,7 +732,7 @@ pkcs11_ecdsa_start_wrapper(void)
static int
pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
@ -2011,7 +2027,7 @@ index 70f06bff..59332945 100644
{
struct pkcs11_key *k11;
@@ -590,6 +737,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
@@ -599,6 +748,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
@ -2024,26 +2040,18 @@ index 70f06bff..59332945 100644
EC_KEY_set_method(ec, ec_key_method);
EC_KEY_set_ex_data(ec, ec_key_idx, k11);
@@ -624,47 +777,26 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
CK_FUNCTION_LIST *f;
CK_RV rv;
@@ -635,8 +790,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
CK_SESSION_HANDLE session;
- int login_required, have_pinpad, ret;
- char prompt[1024], *xpin = NULL;
+ int login_required, ret;
int login_required, ret;
- f = p->function_list;
- si = &p->slotinfo[slotidx];
+ f = p->module->function_list;
+ si = &p->module->slotinfo[slotidx];
- have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH;
login_required = si->token.flags & CKF_LOGIN_REQUIRED;
/* fail early before opening session */
- if (login_required && !have_pinpad && !pkcs11_interactive &&
+ if (login_required && !pkcs11_interactive &&
(pin == NULL || strlen(pin) == 0)) {
@@ -646,9 +801,9 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
error("pin required");
return (-SSH_PKCS11_ERR_PIN_REQUIRED);
}
@ -2054,33 +2062,8 @@ index 70f06bff..59332945 100644
+ error("C_OpenSession failed for slot %lu: %lu", slotidx, rv);
return (-1);
}
- if (login_required) {
- if (have_pinpad && (pin == NULL || strlen(pin) == 0)) {
- /* defer PIN entry to the reader keypad */
- rv = f->C_Login(session, CKU_USER, NULL_PTR, 0);
- } else {
- if (pkcs11_interactive) {
- snprintf(prompt, sizeof(prompt),
- "Enter PIN for '%s': ", si->token.label);
- if ((xpin = read_passphrase(prompt,
- RP_ALLOW_EOF)) == NULL) {
- debug("%s: no pin specified",
- __func__);
- return (-SSH_PKCS11_ERR_PIN_REQUIRED);
- }
- pin = xpin;
- }
- rv = f->C_Login(session, CKU_USER,
- (u_char *)pin, strlen(pin));
- if (xpin != NULL)
- freezero(xpin, strlen(xpin));
- }
+ if (login_required && pin != NULL && strlen(pin) != 0) {
+ rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
error("C_Login failed: %lu", rv);
ret = (rv == CKR_PIN_LOCKED) ?
@@ -696,7 +828,8 @@ static struct sshkey *
if (login_required && pin != NULL && strlen(pin) != 0) {
@@ -684,7 +839,8 @@ static struct sshkey *
pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_OBJECT_HANDLE *obj)
{
@ -2090,7 +2073,7 @@ index 70f06bff..59332945 100644
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
@@ -710,14 +843,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -698,14 +854,15 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
memset(&key_attr, 0, sizeof(key_attr));
key_attr[0].type = CKA_ID;
@ -2111,13 +2094,12 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
return (NULL);
@@ -730,19 +863,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
* ensure that none of the others are zero length.
@@ -717,18 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
* XXX assumes CKA_ID is always first.
*/
- if (key_attr[1].ulValueLen == 0 ||
if (key_attr[1].ulValueLen == 0 ||
- key_attr[2].ulValueLen == 0) {
+ if (key_attr[2].ulValueLen == 0 ||
+ key_attr[2].ulValueLen == 0 ||
+ key_attr[3].ulValueLen == 0) {
error("invalid attribute length");
return (NULL);
@ -2135,7 +2117,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
goto fail;
@@ -752,8 +887,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -740,8 +898,8 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2146,7 +2128,7 @@ index 70f06bff..59332945 100644
if (group == NULL) {
ossl_error("d2i_ECPKParameters failed");
goto fail;
@@ -764,13 +899,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -752,13 +910,13 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2163,7 +2145,7 @@ index 70f06bff..59332945 100644
if (octet == NULL) {
ossl_error("d2i_ASN1_OCTET_STRING failed");
goto fail;
@@ -787,7 +922,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -775,7 +933,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2172,7 +2154,7 @@ index 70f06bff..59332945 100644
goto fail;
key = sshkey_new(KEY_UNSPEC);
@@ -803,7 +938,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -791,7 +949,7 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
ec = NULL; /* now owned by key */
fail:
@ -2181,7 +2163,7 @@ index 70f06bff..59332945 100644
free(key_attr[i].pValue);
if (ec)
EC_KEY_free(ec);
@@ -820,7 +955,8 @@ static struct sshkey *
@@ -808,7 +966,8 @@ static struct sshkey *
pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_OBJECT_HANDLE *obj)
{
@ -2191,7 +2173,7 @@ index 70f06bff..59332945 100644
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
@@ -831,14 +967,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -819,14 +978,15 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
memset(&key_attr, 0, sizeof(key_attr));
key_attr[0].type = CKA_ID;
@ -2212,13 +2194,12 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
return (NULL);
@@ -850,19 +987,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
* ensure that none of the others are zero length.
@@ -838,18 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
* XXX assumes CKA_ID is always first.
*/
- if (key_attr[1].ulValueLen == 0 ||
if (key_attr[1].ulValueLen == 0 ||
- key_attr[2].ulValueLen == 0) {
+ if (key_attr[2].ulValueLen == 0 ||
+ key_attr[2].ulValueLen == 0 ||
+ key_attr[3].ulValueLen == 0) {
error("invalid attribute length");
return (NULL);
@ -2236,7 +2217,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
goto fail;
@@ -873,8 +1011,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -861,8 +1022,8 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2247,7 +2228,7 @@ index 70f06bff..59332945 100644
if (rsa_n == NULL || rsa_e == NULL) {
error("BN_bin2bn failed");
goto fail;
@@ -883,7 +1021,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
fatal("%s: set key", __func__);
rsa_n = rsa_e = NULL; /* transferred */
@ -2256,7 +2237,7 @@ index 70f06bff..59332945 100644
goto fail;
key = sshkey_new(KEY_UNSPEC);
@@ -898,7 +1036,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -886,7 +1047,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
rsa = NULL; /* now owned by key */
fail:
@ -2265,7 +2246,7 @@ index 70f06bff..59332945 100644
free(key_attr[i].pValue);
RSA_free(rsa);
@@ -909,7 +1047,8 @@ static struct sshkey *
@@ -897,7 +1058,8 @@ static struct sshkey *
pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
CK_OBJECT_HANDLE *obj)
{
@ -2275,7 +2256,7 @@ index 70f06bff..59332945 100644
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
@@ -926,14 +1065,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -916,14 +1078,15 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
memset(&cert_attr, 0, sizeof(cert_attr));
cert_attr[0].type = CKA_ID;
@ -2296,7 +2277,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
return (NULL);
@@ -945,18 +1085,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -935,18 +1098,19 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
* XXX assumes CKA_ID is always first.
*/
if (cert_attr[1].ulValueLen == 0 ||
@ -2319,7 +2300,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
goto fail;
@@ -968,8 +1109,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -958,8 +1122,8 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2330,7 +2311,7 @@ index 70f06bff..59332945 100644
error("d2i_x509 failed");
goto fail;
}
@@ -990,7 +1131,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -980,7 +1144,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2339,7 +2320,7 @@ index 70f06bff..59332945 100644
goto fail;
key = sshkey_new(KEY_UNSPEC);
@@ -1020,7 +1161,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1010,7 +1174,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
goto fail;
}
@ -2348,7 +2329,7 @@ index 70f06bff..59332945 100644
goto fail;
key = sshkey_new(KEY_UNSPEC);
@@ -1039,7 +1180,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1029,7 +1193,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
error("unknown certificate key type");
fail:
@ -2357,7 +2338,7 @@ index 70f06bff..59332945 100644
free(cert_attr[i].pValue);
X509_free(x509);
RSA_free(rsa);
@@ -1066,11 +1207,12 @@ have_rsa_key(const RSA *rsa)
@@ -1058,11 +1222,12 @@ have_rsa_key(const RSA *rsa)
*/
static int
pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
@ -2372,7 +2353,7 @@ index 70f06bff..59332945 100644
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
@@ -1086,10 +1228,23 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1078,10 +1243,23 @@ pkcs11_fetch_certs(struct pkcs11_provider *p, CK_ULONG slotidx,
key_attr[0].pValue = &key_class;
key_attr[0].ulValueLen = sizeof(key_class);
@ -2399,7 +2380,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_FindObjectsInit failed: %lu", rv);
goto fail;
@@ -1163,11 +1318,12 @@ fail:
@@ -1155,11 +1333,12 @@ fail:
*/
static int
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
@ -2414,7 +2395,7 @@ index 70f06bff..59332945 100644
CK_SESSION_HANDLE session;
CK_FUNCTION_LIST *f = NULL;
CK_RV rv;
@@ -1183,10 +1339,23 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1175,10 +1354,23 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
key_attr[0].pValue = &key_class;
key_attr[0].ulValueLen = sizeof(key_class);
@ -2441,7 +2422,7 @@ index 70f06bff..59332945 100644
if (rv != CKR_OK) {
error("C_FindObjectsInit failed: %lu", rv);
goto fail;
@@ -1443,15 +1612,10 @@ pkcs11_ecdsa_generate_private_key(struct pkcs11_provider *p, CK_ULONG slotidx,
@@ -1435,15 +1627,10 @@ pkcs11_ecdsa_generate_private_key(struct pkcs11_provider *p, CK_ULONG slotidx,
}
#endif /* WITH_PKCS11_KEYGEN */
@ -2459,7 +2440,7 @@ index 70f06bff..59332945 100644
int ret = -1;
struct pkcs11_provider *p = NULL;
void *handle = NULL;
@@ -1460,148 +1624,285 @@ pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp,
@@ -1452,161 +1639,298 @@ pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp,
CK_FUNCTION_LIST *f = NULL;
CK_TOKEN_INFO *token;
CK_ULONG i;
@ -2547,17 +2528,17 @@ index 70f06bff..59332945 100644
error("C_GetInfo for provider %s failed: %lu",
- provider_id, rv);
+ provider_module, rv);
goto fail;
}
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ goto fail;
+ }
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
+ if (uri->lib_manuf != NULL &&
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
+ debug("%s: Skipping provider %s not matching library_manufacturer",
+ __func__, m->info.manufacturerID);
+ goto fail;
+ }
goto fail;
}
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
" libraryDescription <%s> libraryVersion %d.%d",
@ -2583,7 +2564,7 @@ index 70f06bff..59332945 100644
}
- if (p->nslots == 0) {
+ if (m->nslots == 0) {
error("%s: provider %s returned no slots", __func__,
debug("%s: provider %s returned no slots", __func__,
- provider_id);
+ provider_module);
ret = -SSH_PKCS11_ERR_NO_SLOTS;
@ -2720,26 +2701,43 @@ index 70f06bff..59332945 100644
+ * open session if not yet openend, login with pin and
+ * retrieve public keys (if keyp is provided)
*/
- if ((ret = pkcs11_open_session(p, i, pin, user)) == 0) {
+ if (p->module->slotinfo[i].session != 0 ||
+ (ret = pkcs11_open_session(p, i, pin, user)) == 0) {
if (keyp == NULL)
- if ((ret = pkcs11_open_session(p, i, pin, user)) != 0 ||
+ if ((p->module->slotinfo[i].session != 0 ||
+ (ret = pkcs11_open_session(p, i, pin, user)) != 0) && /* ??? */
keyp == NULL)
continue;
- pkcs11_fetch_keys(p, i, keyp, &nkeys);
- pkcs11_fetch_certs(p, i, keyp, &nkeys);
- if (nkeys == 0 && !p->slotinfo[i].logged_in &&
+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri);
+ if (nkeys == 0 && !p->module->slotinfo[i].logged_in &&
pkcs11_interactive) {
/*
* Some tokens require login before they will
* expose keys.
*/
- if (pkcs11_login_slot(p, &p->slotinfo[i],
+ if (pkcs11_login_slot(p, &p->module->slotinfo[i],
CKU_USER) < 0) {
error("login failed");
continue;
}
- pkcs11_fetch_keys(p, i, keyp, &nkeys);
- pkcs11_fetch_certs(p, i, keyp, &nkeys);
+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri);
+ if (nkeys == 0 && uri->object != NULL) {
+ debug3("%s: No keys found. Retrying without label (%s) ",
+ __func__, token->label);
+ /* Try once more without the label filter */
+ char *label = uri->object;
+ uri->object = NULL; /* XXX clone uri? */
+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri);
+ uri->object = label;
+ }
}
+ if (nkeys == 0 && uri->object != NULL) {
+ debug3("%s: No keys found. Retrying without label (%s) ",
+ __func__, uri->object);
+ /* Try once more without the label filter */
+ char *label = uri->object;
+ uri->object = NULL; /* XXX clone uri? */
+ pkcs11_fetch_keys(p, i, keyp, &nkeys, uri);
+ pkcs11_fetch_certs(p, i, keyp, &nkeys, uri);
+ uri->object = label;
+ }
+ pin = NULL; /* Will be cleaned up with URI */
}
@ -2816,7 +2814,7 @@ index 70f06bff..59332945 100644
/* no keys found or some other error, de-register provider */
if (nkeys <= 0 && p != NULL) {
@@ -1611,7 +1912,36 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
@@ -1616,7 +1940,36 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
}
if (nkeys == 0)
debug("%s: provider %s returned no keys", __func__,
@ -2854,7 +2852,7 @@ index 70f06bff..59332945 100644
return (nkeys);
}
@@ -1633,8 +1963,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label,
@@ -1638,8 +1991,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label,
if ((p = pkcs11_provider_lookup(provider_id)) != NULL)
debug("%s: provider \"%s\" available", __func__, provider_id);
@ -2864,7 +2862,7 @@ index 70f06bff..59332945 100644
debug("%s: could not register provider %s", __func__,
provider_id);
goto out;
@@ -1705,8 +2034,7 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
@@ -1710,8 +2062,7 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
debug("%s: using provider \"%s\"", __func__, provider_id);
@ -2894,7 +2892,7 @@ index b9038450..5a855338 100644
struct sshkey *
pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
diff --git a/ssh.c b/ssh.c
index 91e7c351..47f4f299 100644
index ee51823c..2268755b 100644
--- a/ssh.c
+++ b/ssh.c
@@ -772,6 +772,14 @@ main(int ac, char **av)
@ -2910,9 +2908,9 @@ index 91e7c351..47f4f299 100644
+ }
+#endif
p = tilde_expand_filename(optarg, getuid());
if (stat(p, &st) < 0)
if (stat(p, &st) == -1)
fprintf(stderr, "Warning: Identity file %s "
@@ -1521,6 +1529,7 @@ main(int ac, char **av)
@@ -1524,6 +1532,7 @@ main(int ac, char **av)
free(options.certificate_files[i]);
options.certificate_files[i] = NULL;
}
@ -2920,7 +2918,7 @@ index 91e7c351..47f4f299 100644
skip_connect:
exit_status = ssh_session2(ssh, pw);
@@ -1994,6 +2003,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
@@ -1997,6 +2006,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
options.escape_char : SSH_ESCAPECHAR_NONE, id);
}
@ -2966,7 +2964,7 @@ index 91e7c351..47f4f299 100644
/* Loads all IdentityFile and CertificateFile keys */
static void
load_public_identity_files(struct passwd *pw)
@@ -2008,10 +2056,6 @@ load_public_identity_files(struct passwd *pw)
@@ -2011,10 +2059,6 @@ load_public_identity_files(struct passwd *pw)
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
int certificate_file_userprovided[SSH_MAX_CERTIFICATE_FILES];
@ -2977,7 +2975,7 @@ index 91e7c351..47f4f299 100644
n_ids = n_certs = 0;
memset(identity_files, 0, sizeof(identity_files));
@@ -2024,32 +2068,46 @@ load_public_identity_files(struct passwd *pw)
@@ -2027,32 +2071,46 @@ load_public_identity_files(struct passwd *pw)
sizeof(certificate_file_userprovided));
#ifdef ENABLE_PKCS11
@ -3043,10 +3041,10 @@ index 91e7c351..47f4f299 100644
"u", pw->pw_name, "l", thishost, "h", host,
"r", options.user, (char *)NULL);
diff --git a/ssh_config.5 b/ssh_config.5
index 41262963..a211034e 100644
index 02a87892..41acfa33 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -952,6 +952,21 @@ may also be used in conjunction with
@@ -964,6 +964,21 @@ may also be used in conjunction with
.Cm CertificateFile
in order to provide any certificate also needed for authentication with
the identity.
@ -3068,69 +3066,3 @@ index 41262963..a211034e 100644
.It Cm IgnoreUnknown
Specifies a pattern-list of unknown options to be ignored if they are
encountered in configuration parsing.
commit 1efe98998408593861fdcd4da392dd10820f0fde
Author: Jakub Jelen <jjelen@redhat.com>
Date: Wed Jun 12 14:30:30 2019 +0200
Allow to specify the pin also for the ssh-add
diff --git a/ssh-add.c b/ssh-add.c
index f039e00e..adc4e5c9 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -190,20 +190,28 @@ delete_all(int agent_fd, int qflag)
}
#ifdef ENABLE_PKCS11
-static int update_card(int, int, const char *, int);
+static int update_card(int, int, const char *, int, char *);
int
update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag)
{
+ char *pin = NULL;
struct pkcs11_uri *uri;
/* dry-run parse to make sure the URI is valid and to report errors */
uri = pkcs11_uri_init();
if (pkcs11_uri_parse((char *) pkcs11_uri, uri) != 0)
fatal("Failed to parse PKCS#11 URI");
+ if (uri->pin != NULL) {
+ pin = strdup(uri->pin);
+ if (pin == NULL) {
+ fatal("Failed to dupplicate string");
+ }
+ /* pin is freed in the update_card() */
+ }
pkcs11_uri_cleanup(uri);
- return update_card(agent_fd, adding, pkcs11_uri, qflag);
+ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin);
}
#endif
@@ -409,12 +417,11 @@ add_file(int agent_fd, const char *filename, int key_only, int qflag)
}
static int
-update_card(int agent_fd, int add, const char *id, int qflag)
+update_card(int agent_fd, int add, const char *id, int qflag, char *pin)
{
- char *pin = NULL;
int r, ret = -1;
- if (add) {
+ if (add && pin == NULL) {
if ((pin = read_passphrase("Enter passphrase for PKCS#11: ",
RP_ALLOW_STDIN)) == NULL)
return -1;
@@ -734,7 +741,7 @@ main(int argc, char **argv)
}
if (pkcs11provider != NULL) {
if (update_card(agent_fd, !deleting, pkcs11provider,
- qflag) == -1)
+ qflag, NULL) == -1)
ret = 1;
goto done;
}

View File

@ -1,61 +0,0 @@
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index 59f1ff63..dd48a482 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -51,6 +51,18 @@ badserver_4)
echo "C755 2 file"
echo "X"
;;
+badserver_5)
+ echo "D0555 0 "
+ echo "X"
+ ;;
+badserver_6)
+ echo "D0555 0 ."
+ echo "X"
+ ;;
+badserver_7)
+ echo "C0755 2 extrafile"
+ echo "X"
+ ;;
*)
set -- $arg
shift
diff --git a/regress/scp.sh b/regress/scp.sh
index 57cc7706..104c89e1 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -25,6 +25,7 @@ export SCP # used in scp-ssh-wrapper.scp
scpclean() {
rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
mkdir ${DIR} ${DIR2}
+ chmod 755 ${DIR} ${DIR2}
}
verbose "$tid: simple copy local file to local file"
@@ -101,7 +102,7 @@ if [ ! -z "$SUDO" ]; then
$SUDO rm ${DIR2}/copy
fi
-for i in 0 1 2 3 4; do
+for i in 0 1 2 3 4 5 6 7; do
verbose "$tid: disallow bad server #$i"
SCPTESTMODE=badserver_$i
export DIR SCPTESTMODE
@@ -113,6 +114,15 @@ for i in 0 1 2 3 4; do
scpclean
$SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
+
+ scpclean
+ $SCP -pr $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+ [ ! -w ${DIR2} ] && fail "allows target root attribute change"
+
+ scpclean
+ $SCP $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+ [ -e ${DIR2}/extrafile ] && fail "allows extranous object creation"
+ rm -f ${DIR2}/extrafile
done
verbose "$tid: detect non-directory target"

View File

@ -65,15 +65,15 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.0p1
%global openssh_rel 8
%global openssh_ver 8.1p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 7
%global pam_ssh_agent_rel 8
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -196,6 +196,7 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch
# PKCS#11 URIs (upstream #2817, 2nd iteration)
# git diff upstream/master > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch
@ -203,19 +204,12 @@ Patch953: openssh-7.8p1-scp-ipv6.patch
# - do not return 0 if the write fails (full disk)
# - shellcheck reports (upstream #2902)
Patch958: openssh-7.9p1-ssh-copy-id.patch
# Verify the SCP vulnerabilities are fixed in the package testsuite
# https://bugzilla.mindrot.org/show_bug.cgi?id=3007
Patch961: openssh-8.0p1-scp-tests.patch
# Mention crypto-policies in manual pages (#1668325)
Patch962: openssh-8.0p1-crypto-policies.patch
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
Patch963: openssh-8.0p1-openssl-evp.patch
# Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch
# Use new OpenSSL for PEM export to avoid MD5 dependency (#1712436)
Patch965: openssh-8.0p1-openssl-pem.patch
# Properly encode SHA2 certificate types in ssh-agent
Patch966: openssh-8.0p1-agent-certs-sha2.patch
License: BSD
Requires: /sbin/nologin
@ -413,12 +407,9 @@ popd
%patch951 -p1 -b .pkcs11-uri
%patch953 -p1 -b .scp-ipv6
%patch958 -p1 -b .ssh-copy-id
%patch961 -p1 -b .scp-tests
%patch962 -p1 -b .crypto-policies
%patch963 -p1 -b .openssl-evp
%patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .openssl-pem
%patch966 -p1 -b .agent-cert-sha2
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
@ -721,6 +712,9 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Wed Oct 09 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-1 + 0.10.3-8
- New upstream release (#1759750)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.0p1-8.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.0p1.tar.gz) = e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
SHA512 (openssh-8.0p1.tar.gz.asc) = fe9e7383d9467e869762864f2b719165d9a3f2c5316c07067df1d45fc7819bd2cb8ef758454865595688804a4c160dd3d3aaee4c5f887859555d2c7bb8c4592b
SHA512 (openssh-8.1p1.tar.gz) = b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
SHA512 (openssh-8.1p1.tar.gz.asc) = f36458ef8822376a5b305cfbc971f5d2db8bf2f48fea9a957e02ef2fc27a48bacb59495587fee81fa2d89bca6250a8fb407e1f5a7dae7ceb361ab332c0771344
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66