pkcs11: Add support for 'serial' in PKCS#11 URI
The patch was updated by the upstream MR https://github.com/openssh/openssh-portable/pull/406 by npocs@redhat.com
This commit is contained in:
parent
c7af8ecb76
commit
d77b1b790a
@ -68,7 +68,7 @@ diff -up openssh-8.7p1/configure.ac.pkcs11-uri openssh-8.7p1/configure.ac
|
||||
diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
|
||||
--- openssh-8.7p1/Makefile.in.pkcs11-uri 2021-08-30 13:07:43.571699324 +0200
|
||||
+++ openssh-8.7p1/Makefile.in 2021-08-30 13:07:43.663700096 +0200
|
||||
@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
@@ -105,7 +105,7 @@
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
|
||||
ssh-ed25519-sk.o ssh-rsa.o dh.o \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
@ -103,7 +103,7 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
|
||||
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
||||
[ -f `pwd`/regress/Makefile ] || \
|
||||
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||
@@ -677,6 +682,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT
|
||||
@@ -685,6 +690,16 @@
|
||||
regress/unittests/test_helper/libtest_helper.a \
|
||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(TESTLIBS)
|
||||
|
||||
@ -534,7 +534,7 @@ diff -up openssh-8.7p1/regress/unittests/Makefile.pkcs11-uri openssh-8.7p1/regre
|
||||
diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c
|
||||
--- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri 2021-08-30 13:07:43.664700104 +0200
|
||||
+++ openssh-8.7p1/regress/unittests/pkcs11/tests.c 2021-08-30 13:07:43.664700104 +0200
|
||||
@@ -0,0 +1,337 @@
|
||||
@@ -0,0 +1,346 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2017 Red Hat
|
||||
+ *
|
||||
@ -563,7 +563,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+#include "sshbuf.h"
|
||||
+#include "ssh-pkcs11-uri.h"
|
||||
+
|
||||
+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
|
||||
+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
|
||||
+
|
||||
+/* prototypes are not public -- specify them here internally for tests */
|
||||
+struct sshbuf *percent_encode(const char *, size_t, char *);
|
||||
@ -596,6 +596,10 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+ ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);
|
||||
+ else /* both should be null */
|
||||
+ ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);
|
||||
+ if (b->serial != NULL)
|
||||
+ ASSERT_STRING_EQ(a->serial, b->serial);
|
||||
+ else /* both should be null */
|
||||
+ ASSERT_PTR_EQ(a->serial, b->serial);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
@ -630,7 +634,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+
|
||||
+struct pkcs11_uri *
|
||||
+compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,
|
||||
+ char *manuf, char *module_path, char *object, char *pin)
|
||||
+ char *manuf, char *serial, char *module_path, char *object, char *pin)
|
||||
+{
|
||||
+ struct pkcs11_uri *uri = pkcs11_uri_init();
|
||||
+ if (id_len > 0) {
|
||||
@ -641,6 +645,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+ uri->token = token;
|
||||
+ uri->lib_manuf = lib_manuf;
|
||||
+ uri->manuf = manuf;
|
||||
+ uri->serial = serial;
|
||||
+ uri->object = object;
|
||||
+ uri->pin = pin;
|
||||
+ return uri;
|
||||
@ -651,47 +656,49 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+{
|
||||
+ /* path arguments */
|
||||
+ check_parse("pkcs11:id=%01",
|
||||
+ compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:id=%00%01",
|
||||
+ compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:token=SSH%20Keys",
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:library-manufacturer=OpenSC",
|
||||
+ compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:manufacturer=piv_II",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:serial=IamSerial",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, "IamSerial", NULL, NULL, NULL));
|
||||
+ check_parse("pkcs11:object=SIGN%20Key",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
|
||||
+ /* query arguments */
|
||||
+ check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ check_parse("pkcs11:?pin-value=123456",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "123456"));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, "123456"));
|
||||
+
|
||||
+ /* combinations */
|
||||
+ /* ID SHOULD be percent encoded */
|
||||
+ check_parse("pkcs11:token=SSH%20Key;id=0",
|
||||
+ compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_parse(
|
||||
+ "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "CAC",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "CAC", NULL,
|
||||
+ "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ check_parse(
|
||||
+ "pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL,
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL,
|
||||
+ "/usr/lib64/pkcs11/opencryptoki.so", "RSA Key", NULL));
|
||||
+ check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so&pin-value=123456",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
|
||||
+
|
||||
+ /* empty path component matches everything */
|
||||
+ check_parse("pkcs11:", EMPTY_URI);
|
||||
+
|
||||
+ /* empty string is a valid to match against (and different from NULL) */
|
||||
+ check_parse("pkcs11:token=",
|
||||
+ compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ /* Percent character needs to be percent-encoded */
|
||||
+ check_parse("pkcs11:token=%25",
|
||||
+ compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
@ -703,7 +710,7 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+ check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);
|
||||
+ /* Space MUST be percent encoded -- XXX not enforced yet */
|
||||
+ check_parse("pkcs11:token=SSH Keys",
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ /* MUST NOT contain duplicate attributes of the same name */
|
||||
+ check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);
|
||||
+ /* MUST NOT contain duplicate attributes of the same name */
|
||||
@ -734,29 +741,31 @@ diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1
|
||||
+{
|
||||
+ /* path arguments */
|
||||
+ check_gen("pkcs11:id=%01",
|
||||
+ compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_gen("pkcs11:id=%00%01",
|
||||
+ compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ /* library-manufacturer is not implmented now */
|
||||
+ /*check_gen("pkcs11:library-manufacturer=OpenSC",
|
||||
+ compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));*/
|
||||
+ compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));*/
|
||||
+ check_gen("pkcs11:manufacturer=piv_II",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
|
||||
+ check_gen("pkcs11:serial=IamSerial",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, "IamSerial", NULL, NULL, NULL));
|
||||
+ check_gen("pkcs11:object=RSA%20Key",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "RSA Key", NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "RSA Key", NULL));
|
||||
+ /* query arguments */
|
||||
+ check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+
|
||||
+ /* combinations */
|
||||
+ check_gen("pkcs11:id=%02;token=SSH%20Keys",
|
||||
+ compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
|
||||
+ compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
|
||||
+ check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",
|
||||
+ compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ compose_uri("\xEE\x02", 2, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
|
||||
+ check_gen("pkcs11:object=Encryption%20Key;manufacturer=piv_II",
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, "Encryption Key", NULL));
|
||||
+ compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, "Encryption Key", NULL));
|
||||
+
|
||||
+ /* empty path component matches everything */
|
||||
+ check_gen("pkcs11:", EMPTY_URI);
|
||||
@ -1545,7 +1554,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
}
|
||||
|
||||
static RSA_METHOD *rsa_method;
|
||||
@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
|
||||
@@ -195,6 +286,56 @@ static EC_KEY_METHOD *ec_key_method;
|
||||
static int ec_key_idx = 0;
|
||||
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
|
||||
|
||||
@ -1587,6 +1596,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
+ uri.module_path = k11->provider->module->module_path;
|
||||
+ uri.lib_manuf = k11->provider->module->info.manufacturerID;
|
||||
+ uri.manuf = k11->provider->module->slotinfo[k11->slotidx].token.manufacturerID;
|
||||
+ uri.serial = k11->provider->module->slotinfo[k11->slotidx].token.serialNumber;
|
||||
+
|
||||
+ p = pkcs11_uri_get(&uri);
|
||||
+ /* do not cleanup -- we do not allocate here, only reference */
|
||||
@ -1620,9 +1630,12 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
|
||||
error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
|
||||
return (-1);
|
||||
@@ -262,12 +403,12 @@ pkcs11_login_slot(struct pkcs11_provider
|
||||
@@ -260,14 +403,14 @@ pkcs11_login_slot(struct pkcs11_provider
|
||||
if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
|
||||
verbose("Deferring PIN entry to reader keypad.");
|
||||
else {
|
||||
snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
|
||||
- snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
|
||||
+ snprintf(prompt, sizeof(prompt), "Enter PIN for '%.32s': ",
|
||||
si->token.label);
|
||||
- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
|
||||
+ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
|
||||
@ -1754,6 +1767,27 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
EC_KEY_set_method(ec, ec_key_method);
|
||||
EC_KEY_set_ex_data(ec, ec_key_idx, k11);
|
||||
|
||||
@@ -622,7 +779,8 @@
|
||||
}
|
||||
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
|
||||
|
||||
-/* remove trailing spaces */
|
||||
+/* remove trailing spaces. Note, that this does NOT guarantee the buffer
|
||||
+ * will be null terminated if there are no trailing spaces! */
|
||||
static void
|
||||
rmspace(u_char *buf, size_t len)
|
||||
{
|
||||
@@ -630,8 +788,8 @@
|
||||
|
||||
if (!len)
|
||||
return;
|
||||
- for (i = len - 1; i > 0; i--)
|
||||
- if (i == len - 1 || buf[i] == ' ')
|
||||
+ for (i = len - 1; i > 0; i--)
|
||||
+ if (buf[i] == ' ')
|
||||
buf[i] = '\0';
|
||||
else
|
||||
break;
|
||||
@@ -650,8 +806,8 @@ pkcs11_open_session(struct pkcs11_provid
|
||||
CK_SESSION_HANDLE session;
|
||||
int login_required, ret;
|
||||
@ -2157,7 +2191,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
int ret = -1;
|
||||
struct pkcs11_provider *p = NULL;
|
||||
void *handle = NULL;
|
||||
@@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_
|
||||
@@ -1517,164 +1702,305 @@
|
||||
CK_FUNCTION_LIST *f = NULL;
|
||||
CK_TOKEN_INFO *token;
|
||||
CK_ULONG i;
|
||||
@ -2243,20 +2277,12 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
error("C_GetInfo for provider %s failed: %lu",
|
||||
- provider_id, rv);
|
||||
+ provider_module, rv);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
||||
+ if (uri->lib_manuf != NULL &&
|
||||
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
||||
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
||||
+ m->info.manufacturerID);
|
||||
goto fail;
|
||||
}
|
||||
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
|
||||
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
|
||||
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
||||
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
|
||||
" libraryDescription <%s> libraryVersion %d.%d",
|
||||
- debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
|
||||
- " libraryDescription <%s> libraryVersion %d.%d",
|
||||
- provider_id,
|
||||
- p->info.manufacturerID,
|
||||
- p->info.cryptokiVersion.major,
|
||||
@ -2265,6 +2291,16 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
- p->info.libraryVersion.major,
|
||||
- p->info.libraryVersion.minor);
|
||||
- if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) {
|
||||
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
||||
+ if (uri->lib_manuf != NULL &&
|
||||
+ strncmp(uri->lib_manuf, m->info.manufacturerID, 32)) {
|
||||
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
||||
+ m->info.manufacturerID);
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
||||
+ debug("provider %s: manufacturerID <%.32s> cryptokiVersion %d.%d"
|
||||
+ " libraryDescription <%.32s> libraryVersion %d.%d",
|
||||
+ provider_module,
|
||||
+ m->info.manufacturerID,
|
||||
+ m->info.cryptokiVersion.major,
|
||||
@ -2321,6 +2357,9 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
rmspace(token->manufacturerID, sizeof(token->manufacturerID));
|
||||
rmspace(token->model, sizeof(token->model));
|
||||
rmspace(token->serialNumber, sizeof(token->serialNumber));
|
||||
- debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
|
||||
- "model <%s> serial <%s> flags 0x%lx",
|
||||
- provider_id, (unsigned long)i,
|
||||
+ }
|
||||
+ m->module_path = provider_module;
|
||||
+ provider_module = NULL;
|
||||
@ -2389,22 +2428,28 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (uri->token != NULL &&
|
||||
+ strcmp(token->label, uri->token) != 0) {
|
||||
+ debug2_f("ignoring token not matching label (%s) "
|
||||
+ strncmp(token->label, uri->token, 32) != 0) {
|
||||
+ debug2_f("ignoring token not matching label (%.32s) "
|
||||
+ "specified by PKCS#11 URI in slot %lu",
|
||||
+ token->label, (unsigned long)i);
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (uri->manuf != NULL &&
|
||||
+ strcmp(token->manufacturerID, uri->manuf) != 0) {
|
||||
+ strncmp(token->manufacturerID, uri->manuf, 32) != 0) {
|
||||
+ debug2_f("ignoring token not matching requrested "
|
||||
+ "manufacturerID (%s) specified by PKCS#11 URI in "
|
||||
+ "manufacturerID (%.32s) specified by PKCS#11 URI in "
|
||||
+ "slot %lu", token->manufacturerID, (unsigned long)i);
|
||||
+ continue;
|
||||
+ }
|
||||
debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
|
||||
"model <%s> serial <%s> flags 0x%lx",
|
||||
- provider_id, (unsigned long)i,
|
||||
+ if (uri->serial != NULL &&
|
||||
+ strncmp(token->serialNumber, uri->serial, 16) != 0) {
|
||||
+ debug2_f("ignoring token not matching requrested "
|
||||
+ "serialNumber (%s) specified by PKCS#11 URI in "
|
||||
+ "slot %lu", token->serialNumber, (unsigned long)i);
|
||||
+ continue;
|
||||
+ }
|
||||
+ debug("provider %s slot %lu: label <%.32s> manufacturerID <%.32s> "
|
||||
+ "model <%.16s> serial <%.16s> flags 0x%lx",
|
||||
+ provider_uri, (unsigned long)i,
|
||||
token->label, token->manufacturerID, token->model,
|
||||
token->serialNumber, token->flags);
|
||||
@ -2443,7 +2488,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
||||
+ }
|
||||
+ if (nkeys == 0 && uri->object != NULL) {
|
||||
+ debug3_f("No keys found. Retrying without label (%s) ",
|
||||
+ debug3_f("No keys found. Retrying without label (%.32s) ",
|
||||
+ uri->object);
|
||||
+ /* Try once more without the label filter */
|
||||
+ char *label = uri->object;
|
||||
@ -2531,7 +2576,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
|
||||
|
||||
/* no keys found or some other error, de-register provider */
|
||||
if (nkeys <= 0 && p != NULL) {
|
||||
@@ -1683,7 +2002,37 @@ pkcs11_add_provider(char *provider_id, c
|
||||
@@ -1684,7 +2012,37 @@ pkcs11_add_provider(char *provider_id, c
|
||||
pkcs11_provider_unref(p);
|
||||
}
|
||||
if (nkeys == 0)
|
||||
@ -2591,7 +2636,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11.h
|
||||
diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c
|
||||
--- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200
|
||||
+++ openssh-8.7p1/ssh-pkcs11-uri.c 2021-08-30 13:07:43.667700130 +0200
|
||||
@@ -0,0 +1,419 @@
|
||||
@@ -0,0 +1,437 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2017 Red Hat
|
||||
+ *
|
||||
@ -2634,13 +2679,14 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+#define PKCS11_URI_OBJECT "object"
|
||||
+#define PKCS11_URI_LIB_MANUF "library-manufacturer"
|
||||
+#define PKCS11_URI_MANUF "manufacturer"
|
||||
+#define PKCS11_URI_SERIAL "serial"
|
||||
+#define PKCS11_URI_MODULE_PATH "module-path"
|
||||
+#define PKCS11_URI_PIN_VALUE "pin-value"
|
||||
+
|
||||
+/* Keyword tokens. */
|
||||
+typedef enum {
|
||||
+ pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pModulePath,
|
||||
+ pPinValue, pBadOption
|
||||
+ pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pSerial,
|
||||
+ pModulePath, pPinValue, pBadOption
|
||||
+} pkcs11uriOpCodes;
|
||||
+
|
||||
+/* Textual representation of the tokens. */
|
||||
@ -2653,6 +2699,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+ { PKCS11_URI_OBJECT, pObject },
|
||||
+ { PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
|
||||
+ { PKCS11_URI_MANUF, pManufacturer },
|
||||
+ { PKCS11_URI_SERIAL, pSerial },
|
||||
+ { PKCS11_URI_MODULE_PATH, pModulePath },
|
||||
+ { PKCS11_URI_PIN_VALUE, pPinValue },
|
||||
+ { NULL, pBadOption }
|
||||
@ -2811,6 +2858,16 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /* Write serial */
|
||||
+ if (uri->serial) {
|
||||
+ struct sshbuf *serial = percent_encode(uri->serial,
|
||||
+ strlen(uri->serial), PKCS11_URI_WHITELIST);
|
||||
+ path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
|
||||
+ PKCS11_URI_SERIAL, serial);
|
||||
+ if (path == NULL)
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /* Write module_path */
|
||||
+ if (uri->module_path) {
|
||||
+ struct sshbuf *module = percent_encode(uri->module_path,
|
||||
@ -2853,6 +2910,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+ free(pkcs11->object);
|
||||
+ free(pkcs11->lib_manuf);
|
||||
+ free(pkcs11->manuf);
|
||||
+ free(pkcs11->serial);
|
||||
+ if (pkcs11->pin)
|
||||
+ freezero(pkcs11->pin, strlen(pkcs11->pin));
|
||||
+ free(pkcs11);
|
||||
@ -2948,6 +3006,11 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+ charptr = &pkcs11->manuf;
|
||||
+ goto parse_string;
|
||||
+
|
||||
+ case pSerial:
|
||||
+ /* CK_TOKEN_INFO -> serialNumber */
|
||||
+ charptr = &pkcs11->serial;
|
||||
+ goto parse_string;
|
||||
+
|
||||
+ case pLibraryManufacturer:
|
||||
+ /* CK_INFO -> manufacturerID */
|
||||
+ charptr = &pkcs11->lib_manuf;
|
||||
@ -3014,7 +3077,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h
|
||||
--- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri 2021-08-30 13:07:43.667700130 +0200
|
||||
+++ openssh-8.7p1/ssh-pkcs11-uri.h 2021-08-30 13:07:43.667700130 +0200
|
||||
@@ -0,0 +1,42 @@
|
||||
@@ -0,0 +1,43 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2017 Red Hat
|
||||
+ *
|
||||
@ -3046,6 +3109,7 @@ diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.
|
||||
+ char *object;
|
||||
+ char *lib_manuf;
|
||||
+ char *manuf;
|
||||
+ char *serial;
|
||||
+ /* query */
|
||||
+ char *module_path;
|
||||
+ char *pin; /* Only parsed, but not printed */
|
||||
|
@ -710,9 +710,9 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* remove trailing spaces */
|
||||
/* remove trailing spaces. Note, that this does NOT guarantee the buffer
|
||||
* will be null terminated if there are no trailing spaces! */
|
||||
static void
|
||||
rmspace(u_char *buf, size_t len)
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
|
||||
--- openssh-9.3p1/ssh-pkcs11-client.c 2023-06-06 15:53:36.591443976 +0200
|
||||
+++ openssh-9.3p1-patched/ssh-pkcs11-client.c 2023-06-06 15:52:25.626551768 +0200
|
||||
|
@ -47,7 +47,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 9.3p1
|
||||
%global openssh_rel 8
|
||||
%global openssh_rel 9
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 9
|
||||
|
||||
@ -741,6 +741,11 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Aug 03 2023 Norbert Pocs <npocs@redhat.com> - 9.3p1-9
|
||||
- pkcs11: Add support for 'serial' in PKCS#11 URI
|
||||
- Apply the upstream MR related to the previous pkcs11 issue
|
||||
- https://github.com/openssh/openssh-portable/pull/406
|
||||
|
||||
* Thu Aug 03 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.3p1-8
|
||||
- Split including crypto-policies to a separate config (rhbz#1970566)
|
||||
- Disable forking of ssh-agent on startup (rhbz#2148555)
|
||||
|
Loading…
Reference in New Issue
Block a user