|
 |
ec52761 |
diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c
|
|
|
ec52761 |
--- openssh-5.1p1/key.c.nss-keys 2008-07-11 09:35:09.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/key.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
ec52761 |
@@ -96,6 +96,54 @@ key_new(int type)
|
|
|
c9833c9 |
return k;
|
|
|
c3274cc |
}
|
|
|
c3274cc |
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+Key *
|
|
|
c9833c9 |
+key_new_nss(int type)
|
|
|
c3274cc |
+{
|
|
|
c9833c9 |
+ Key *k = key_new(type);
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ k->nss = xcalloc(1, sizeof(*k->nss));
|
|
|
c9833c9 |
+ k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS;
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ return k;
|
|
|
c9833c9 |
+}
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+Key *
|
|
|
c9833c9 |
+key_new_nss_copy(int type, const Key *c)
|
|
|
c9833c9 |
+{
|
|
|
c9833c9 |
+ Key *k = key_new_nss(type);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ switch (k->type) {
|
|
|
c9833c9 |
+ case KEY_RSA:
|
|
|
c9833c9 |
+ if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) ||
|
|
|
c9833c9 |
+ (BN_copy(k->rsa->e, c->rsa->e) == NULL))
|
|
|
c9833c9 |
+ fatal("key_new_nss_copy: BN_copy failed");
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ case KEY_DSA:
|
|
|
c9833c9 |
+ if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) ||
|
|
|
c9833c9 |
+ (BN_copy(k->dsa->q, c->dsa->q) == NULL) ||
|
|
|
c9833c9 |
+ (BN_copy(k->dsa->g, c->dsa->g) == NULL) ||
|
|
|
c9833c9 |
+ (BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL))
|
|
|
c9833c9 |
+ fatal("key_new_nss_copy: BN_copy failed");
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk);
|
|
|
c9833c9 |
+ if (k->nss->privk == NULL)
|
|
|
c9833c9 |
+ fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed");
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk);
|
|
|
c9833c9 |
+ if (k->nss->pubk == NULL)
|
|
|
c9833c9 |
+ fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed");
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if (c->nss->privk->wincx)
|
|
|
c9833c9 |
+ k->nss->privk->wincx = xstrdup(c->nss->privk->wincx);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ return k;
|
|
|
c9833c9 |
+}
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
Key *
|
|
|
c9833c9 |
key_new_private(int type)
|
|
|
c9833c9 |
{
|
|
|
ec52761 |
@@ -151,6 +199,19 @@ key_free(Key *k)
|
|
|
c9833c9 |
fatal("key_free: bad key type %d", k->type);
|
|
|
c9833c9 |
break;
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ if (k->flags & KEY_FLAG_NSS) {
|
|
|
8b8c4dc |
+ if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {
|
|
|
c9833c9 |
+ memset(k->nss->privk->wincx, 0,
|
|
|
c9833c9 |
+ strlen(k->nss->privk->wincx));
|
|
|
c9833c9 |
+ xfree(k->nss->privk->wincx);
|
|
|
c9833c9 |
+ k->nss->privk->wincx = NULL;
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+ SECKEY_DestroyPrivateKey(k->nss->privk);
|
|
|
c9833c9 |
+ SECKEY_DestroyPublicKey(k->nss->pubk);
|
|
|
c9833c9 |
+ xfree(k->nss);
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
xfree(k);
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh-dss.c.nss-keys 2006-11-07 13:14:42.000000000 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh-dss.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -39,6 +39,10 @@
|
|
|
c9833c9 |
#include "log.h"
|
|
|
c9833c9 |
#include "key.h"
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+#include <cryptohi.h>
|
|
|
c9833c9 |
+#endif
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
#define INTBLOB_LEN 20
|
|
|
c9833c9 |
#define SIGBLOB_LEN (2*INTBLOB_LEN)
|
|
|
c9833c9 |
|
|
|
c9833c9 |
@@ -57,6 +61,34 @@ ssh_dss_sign(const Key *key, u_char **si
|
|
|
c9833c9 |
error("ssh_dss_sign: no DSA key");
|
|
|
c9833c9 |
return -1;
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ if (key->flags & KEY_FLAG_NSS) {
|
|
|
c9833c9 |
+ SECItem sigitem;
|
|
|
c9833c9 |
+ SECItem *rawsig;
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ memset(&sigitem, 0, sizeof(sigitem));
|
|
|
c9833c9 |
+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
|
|
|
c9833c9 |
+ SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) != SECSuccess) {
|
|
|
c9833c9 |
+ error("ssh_dss_sign: sign failed");
|
|
|
c9833c9 |
+ return -1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if ((rawsig=DSAU_DecodeDerSig(&sigitem)) == NULL) {
|
|
|
c9833c9 |
+ error("ssh_dss_sign: der decode failed");
|
|
|
c9833c9 |
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
|
|
|
c9833c9 |
+ return -1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
|
|
|
c9833c9 |
+ if (rawsig->len != SIGBLOB_LEN) {
|
|
|
c9833c9 |
+ error("ssh_dss_sign: unsupported signature length %d",
|
|
|
c9833c9 |
+ rawsig->len);
|
|
|
c9833c9 |
+ SECITEM_ZfreeItem(rawsig, PR_TRUE);
|
|
|
c9833c9 |
+ return -1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ memcpy(sigblob, rawsig->data, SIGBLOB_LEN);
|
|
|
c9833c9 |
+ SECITEM_ZfreeItem(rawsig, PR_TRUE);
|
|
|
c9833c9 |
+ } else {
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
EVP_DigestInit(&md, evp_md);
|
|
|
c9833c9 |
EVP_DigestUpdate(&md, data, datalen);
|
|
|
c9833c9 |
EVP_DigestFinal(&md, digest, &dlen);
|
|
|
c9833c9 |
@@ -80,7 +112,9 @@ ssh_dss_sign(const Key *key, u_char **si
|
|
|
c9833c9 |
BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
|
|
|
c9833c9 |
BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
|
|
|
c9833c9 |
DSA_SIG_free(sig);
|
|
|
c9833c9 |
-
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
if (datafellows & SSH_BUG_SIGBLOB) {
|
|
|
c9833c9 |
if (lenp != NULL)
|
|
|
c9833c9 |
*lenp = SIGBLOB_LEN;
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh-agent.c.nss-keys 2008-07-04 15:10:49.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh-agent.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
ec52761 |
@@ -80,6 +80,10 @@
|
|
|
c9833c9 |
#include "scard.h"
|
|
|
c9833c9 |
#endif
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+#include "nsskeys.h"
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
#if defined(HAVE_SYS_PRCTL_H)
|
|
|
c9833c9 |
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
|
|
|
c9833c9 |
#endif
|
|
|
ec52761 |
@@ -714,6 +718,114 @@ send:
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
#endif /* SMARTCARD */
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+static void
|
|
|
c9833c9 |
+process_add_nss_key (SocketEntry *e)
|
|
|
c9833c9 |
+{
|
|
|
c9833c9 |
+ char *tokenname = NULL, *keyname = NULL, *password = NULL;
|
|
|
c9833c9 |
+ int i, version, success = 0, death = 0, confirm = 0;
|
|
|
c9833c9 |
+ Key **keys, *k;
|
|
|
c9833c9 |
+ Identity *id;
|
|
|
c9833c9 |
+ Idtab *tab;
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ tokenname = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+ keyname = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+ password = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ while (buffer_len(&e->request)) {
|
|
|
c9833c9 |
+ switch (buffer_get_char(&e->request)) {
|
|
|
c9833c9 |
+ case SSH_AGENT_CONSTRAIN_LIFETIME:
|
|
|
c9833c9 |
+ death = time(NULL) + buffer_get_int(&e->request);
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ case SSH_AGENT_CONSTRAIN_CONFIRM:
|
|
|
c9833c9 |
+ confirm = 1;
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ default:
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ if (lifetime && !death)
|
|
|
c9833c9 |
+ death = time(NULL) + lifetime;
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ keys = nss_get_keys(tokenname, keyname, password);
|
|
|
c9833c9 |
+ /* password is owned by keys[0] now */
|
|
|
c9833c9 |
+ xfree(tokenname);
|
|
|
c9833c9 |
+ xfree(keyname);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if (keys == NULL) {
|
|
|
c9833c9 |
+ memset(password, 0, strlen(password));
|
|
|
c9833c9 |
+ xfree(password);
|
|
|
c9833c9 |
+ error("nss_get_keys failed");
|
|
|
c9833c9 |
+ goto send;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ for (i = 0; keys[i] != NULL; i++) {
|
|
|
c9833c9 |
+ k = keys[i];
|
|
|
c9833c9 |
+ version = k->type == KEY_RSA1 ? 1 : 2;
|
|
|
c9833c9 |
+ tab = idtab_lookup(version);
|
|
|
c9833c9 |
+ if (lookup_identity(k, version) == NULL) {
|
|
|
c9833c9 |
+ id = xmalloc(sizeof(Identity));
|
|
|
c9833c9 |
+ id->key = k;
|
|
|
c9833c9 |
+ id->comment = nss_get_key_label(k);
|
|
|
c9833c9 |
+ id->death = death;
|
|
|
c9833c9 |
+ id->confirm = confirm;
|
|
|
c9833c9 |
+ TAILQ_INSERT_TAIL(&tab->idlist, id, next);
|
|
|
c9833c9 |
+ tab->nentries++;
|
|
|
c9833c9 |
+ success = 1;
|
|
|
c9833c9 |
+ } else {
|
|
|
c9833c9 |
+ key_free(k);
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ keys[i] = NULL;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ xfree(keys);
|
|
|
c9833c9 |
+send:
|
|
|
c9833c9 |
+ buffer_put_int(&e->output, 1);
|
|
|
c9833c9 |
+ buffer_put_char(&e->output,
|
|
|
c9833c9 |
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+static void
|
|
|
c9833c9 |
+process_remove_nss_key(SocketEntry *e)
|
|
|
c9833c9 |
+{
|
|
|
c9833c9 |
+ char *tokenname = NULL, *keyname = NULL, *password = NULL;
|
|
|
c9833c9 |
+ int i, version, success = 0;
|
|
|
c9833c9 |
+ Key **keys, *k = NULL;
|
|
|
c9833c9 |
+ Identity *id;
|
|
|
c9833c9 |
+ Idtab *tab;
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ tokenname = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+ keyname = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+ password = buffer_get_string(&e->request, NULL);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ keys = nss_get_keys(tokenname, keyname, password);
|
|
|
c9833c9 |
+ xfree(tokenname);
|
|
|
c9833c9 |
+ xfree(keyname);
|
|
|
c9833c9 |
+ xfree(password);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if (keys == NULL || keys[0] == NULL) {
|
|
|
c9833c9 |
+ error("nss_get_keys failed");
|
|
|
c9833c9 |
+ goto send;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ for (i = 0; keys[i] != NULL; i++) {
|
|
|
c9833c9 |
+ k = keys[i];
|
|
|
c9833c9 |
+ version = k->type == KEY_RSA1 ? 1 : 2;
|
|
|
c9833c9 |
+ if ((id = lookup_identity(k, version)) != NULL) {
|
|
|
c9833c9 |
+ tab = idtab_lookup(version);
|
|
|
c9833c9 |
+ TAILQ_REMOVE(&tab->idlist, id, next);
|
|
|
c9833c9 |
+ tab->nentries--;
|
|
|
c9833c9 |
+ free_identity(id);
|
|
|
c9833c9 |
+ success = 1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ key_free(k);
|
|
|
c9833c9 |
+ keys[i] = NULL;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ xfree(keys);
|
|
|
c9833c9 |
+send:
|
|
|
c9833c9 |
+ buffer_put_int(&e->output, 1);
|
|
|
c9833c9 |
+ buffer_put_char(&e->output,
|
|
|
c9833c9 |
+ success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
|
|
|
c9833c9 |
+}
|
|
|
c9833c9 |
+#endif /* HAVE_LIBNSS */
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
/* dispatch incoming messages */
|
|
|
c9833c9 |
|
|
|
c9833c9 |
static void
|
|
|
ec52761 |
@@ -806,6 +918,15 @@ process_message(SocketEntry *e)
|
|
|
c9833c9 |
process_remove_smartcard_key(e);
|
|
|
c9833c9 |
break;
|
|
|
c9833c9 |
#endif /* SMARTCARD */
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ case SSH_AGENTC_ADD_NSS_KEY:
|
|
|
c9833c9 |
+ case SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED:
|
|
|
c9833c9 |
+ process_add_nss_key(e);
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+ case SSH_AGENTC_REMOVE_NSS_KEY:
|
|
|
c9833c9 |
+ process_remove_nss_key(e);
|
|
|
c9833c9 |
+ break;
|
|
|
c9833c9 |
+#endif /* SMARTCARD */
|
|
|
c9833c9 |
default:
|
|
|
c9833c9 |
/* Unknown message. Respond with failure. */
|
|
|
c9833c9 |
error("Unknown message %d", type);
|
|
|
ec52761 |
diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h
|
|
|
ec52761 |
--- openssh-5.1p1/authfd.h.nss-keys 2006-08-05 04:39:39.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/authfd.h 2008-11-18 19:11:41.000000000 +0100
|
|
|
c3274cc |
@@ -49,6 +49,12 @@
|
|
|
c3274cc |
#define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
|
|
|
c3274cc |
#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
|
|
|
c3274cc |
|
|
|
c3274cc |
+/* nss */
|
|
|
c3274cc |
+#define SSH_AGENTC_ADD_NSS_KEY 30
|
|
|
c3274cc |
+#define SSH_AGENTC_REMOVE_NSS_KEY 31
|
|
|
c3274cc |
+#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED 32
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+
|
|
|
c3274cc |
#define SSH_AGENT_CONSTRAIN_LIFETIME 1
|
|
|
c3274cc |
#define SSH_AGENT_CONSTRAIN_CONFIRM 2
|
|
|
c3274cc |
|
|
|
c3274cc |
@@ -83,6 +89,8 @@ int ssh_remove_all_identities(Authentic
|
|
|
c3274cc |
int ssh_lock_agent(AuthenticationConnection *, int, const char *);
|
|
|
c3274cc |
int ssh_update_card(AuthenticationConnection *, int, const char *,
|
|
|
c3274cc |
const char *, u_int, u_int);
|
|
|
c3274cc |
+int ssh_update_nss_key(AuthenticationConnection *, int, const char *,
|
|
|
c3274cc |
+ const char *, const char *, u_int, u_int);
|
|
|
c3274cc |
|
|
|
c3274cc |
int
|
|
|
c3274cc |
ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
|
|
|
ec52761 |
diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac
|
|
|
9e5c6ec |
--- openssh-5.1p1/configure.ac.nss-keys 2008-11-18 19:11:41.000000000 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/configure.ac 2008-11-18 19:12:38.000000000 +0100
|
|
|
9e5c6ec |
@@ -3436,6 +3436,20 @@ AC_ARG_WITH(kerberos5,
|
|
|
9e5c6ec |
]
|
|
|
c9833c9 |
)
|
|
|
c3274cc |
|
|
|
c3274cc |
+# Check whether user wants NSS support
|
|
|
c3274cc |
+LIBNSS_MSG="no"
|
|
|
c3274cc |
+AC_ARG_WITH(nss,
|
|
|
c3274cc |
+ [ --with-nss Enable NSS support],
|
|
|
c3274cc |
+ [ if test "x$withval" != "xno" ; then
|
|
|
c3274cc |
+ AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
|
|
|
c3274cc |
+ LIBNSS_MSG="yes"
|
|
|
c3274cc |
+ CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
|
|
|
0092bbd |
+ AC_CHECK_HEADERS(pk11pub.h)
|
|
|
c9833c9 |
+ LIBS="$LIBS -lnss3"
|
|
|
c3274cc |
+ fi
|
|
|
c3274cc |
+ ])
|
|
|
c3274cc |
+AC_SUBST(LIBNSS)
|
|
|
c3274cc |
+
|
|
|
9e5c6ec |
# Looking for programs, paths and files
|
|
|
9e5c6ec |
|
|
|
9e5c6ec |
PRIVSEP_PATH=/var/empty
|
|
|
9e5c6ec |
@@ -4163,6 +4177,7 @@ echo " TCP Wrappers support
|
|
|
9e5c6ec |
echo " MD5 password support: $MD5_MSG"
|
|
|
9e5c6ec |
echo " libedit support: $LIBEDIT_MSG"
|
|
|
9e5c6ec |
echo " Solaris process contract support: $SPC_MSG"
|
|
|
c3274cc |
+echo " NSS support: $LIBNSS_MSG"
|
|
|
9e5c6ec |
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
|
|
9e5c6ec |
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
|
|
9e5c6ec |
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
|
ec52761 |
diff -up /dev/null openssh-5.1p1/README.nss
|
|
|
9e5c6ec |
--- /dev/null 2008-11-17 17:51:52.160001870 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/README.nss 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -0,0 +1,36 @@
|
|
|
c9833c9 |
+How to use NSS tokens with OpenSSH?
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+This version of OpenSSH contains experimental support for authentication using
|
|
|
c9833c9 |
+keys stored in tokens stored in NSS database. This for example includes any
|
|
|
c9833c9 |
+PKCS#11 tokens which are installed in your NSS database.
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+As the code is experimental and preliminary only SSH protocol 2 is supported.
|
|
|
c9833c9 |
+The NSS certificate and token databases are looked for in the ~/.ssh
|
|
|
c9833c9 |
+directory or in a directory specified by environment variable NSS_DB_PATH.
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+Common operations:
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+(1) tell the ssh client to use the NSS keys:
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ $ ssh -o 'UseNSS yes' otherhost
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ if you want to use a specific token:
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ $ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+(2) or tell the agent to use the NSS keys:
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ $ ssh-add -n
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if you want to use a specific token:
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ $ ssh-add -n -T 'My PKCS11 Token'
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+(3) extract the public key from token so it can be added to the
|
|
|
c9833c9 |
+server:
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ $ ssh-keygen -n
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if you want to use a specific token and/or key:
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ $ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
|
|
|
ec52761 |
diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c
|
|
|
ec52761 |
--- openssh-5.1p1/authfd.c.nss-keys 2006-09-01 07:38:36.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/authfd.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
|
|
|
c9833c9 |
return decode_reply(type);
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+int
|
|
|
c9833c9 |
+ssh_update_nss_key(AuthenticationConnection *auth, int add,
|
|
|
c9833c9 |
+ const char *tokenname, const char *keyname,
|
|
|
c9833c9 |
+ const char *pass, u_int life, u_int confirm)
|
|
|
c9833c9 |
+{
|
|
|
c9833c9 |
+ Buffer msg;
|
|
|
c9833c9 |
+ int type, constrained = (life || confirm);
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if (add) {
|
|
|
c9833c9 |
+ type = constrained ?
|
|
|
c9833c9 |
+ SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED :
|
|
|
c9833c9 |
+ SSH_AGENTC_ADD_NSS_KEY;
|
|
|
c9833c9 |
+ } else
|
|
|
c9833c9 |
+ type = SSH_AGENTC_REMOVE_NSS_KEY;
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ buffer_init(&msg;;
|
|
|
c9833c9 |
+ buffer_put_char(&msg, type);
|
|
|
c9833c9 |
+ buffer_put_cstring(&msg, tokenname);
|
|
|
c9833c9 |
+ buffer_put_cstring(&msg, keyname);
|
|
|
c9833c9 |
+ buffer_put_cstring(&msg, pass);
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ if (constrained) {
|
|
|
c9833c9 |
+ if (life != 0) {
|
|
|
c9833c9 |
+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
|
|
|
c9833c9 |
+ buffer_put_int(&msg, life);
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+ if (confirm != 0)
|
|
|
c9833c9 |
+ buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
|
|
|
c9833c9 |
+ buffer_free(&msg;;
|
|
|
c9833c9 |
+ return 0;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ type = buffer_get_char(&msg;;
|
|
|
c9833c9 |
+ buffer_free(&msg;;
|
|
|
c9833c9 |
+ return decode_reply(type);
|
|
|
c9833c9 |
+}
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
/*
|
|
|
c9833c9 |
* Removes all identities from the agent. This call is not meant to be used
|
|
|
c9833c9 |
* by normal applications.
|
|
|
ec52761 |
diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h
|
|
|
ec52761 |
--- openssh-5.1p1/readconf.h.nss-keys 2008-06-29 16:04:03.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/readconf.h 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -84,6 +84,8 @@ typedef struct {
|
|
|
c9833c9 |
char *preferred_authentications;
|
|
|
c9833c9 |
char *bind_address; /* local socket address for connection to sshd */
|
|
|
c9833c9 |
char *smartcard_device; /* Smartcard reader device */
|
|
|
c9833c9 |
+ int use_nss; /* Use NSS library for keys */
|
|
|
c9833c9 |
+ char *nss_token; /* Look for NSS keys on token */
|
|
|
c9833c9 |
int verify_host_key_dns; /* Verify host key using DNS */
|
|
|
c3274cc |
|
|
|
c9833c9 |
int num_identity_files; /* Number of files for RSA/DSA identities. */
|
|
|
ec52761 |
diff -up /dev/null openssh-5.1p1/nsskeys.c
|
|
|
9e5c6ec |
--- /dev/null 2008-11-17 17:51:52.160001870 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/nsskeys.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c3274cc |
@@ -0,0 +1,327 @@
|
|
|
c3274cc |
+/*
|
|
|
c3274cc |
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
|
|
|
c3274cc |
+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
|
|
|
c3274cc |
+ *
|
|
|
c3274cc |
+ * Redistribution and use in source and binary forms, with or without
|
|
|
c3274cc |
+ * modification, are permitted provided that the following conditions
|
|
|
c3274cc |
+ * are met:
|
|
|
c3274cc |
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
c3274cc |
+ * notice, this list of conditions and the following disclaimer.
|
|
|
c3274cc |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
c3274cc |
+ * notice, this list of conditions and the following disclaimer in the
|
|
|
c3274cc |
+ * documentation and/or other materials provided with the distribution.
|
|
|
c3274cc |
+ *
|
|
|
c3274cc |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
c3274cc |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
c3274cc |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
c3274cc |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
c3274cc |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
c3274cc |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
c3274cc |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
c3274cc |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
c3274cc |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
c3274cc |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
c3274cc |
+ */
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include "includes.h"
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include <sys/types.h>
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include <stdarg.h>
|
|
|
c3274cc |
+#include <string.h>
|
|
|
c3274cc |
+#include <unistd.h>
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include <openssl/evp.h>
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include <nss.h>
|
|
|
c3274cc |
+#include <keyhi.h>
|
|
|
c3274cc |
+#include <pk11pub.h>
|
|
|
c3274cc |
+#include <cert.h>
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#include "xmalloc.h"
|
|
|
c3274cc |
+#include "key.h"
|
|
|
c3274cc |
+#include "log.h"
|
|
|
c3274cc |
+#include "misc.h"
|
|
|
c3274cc |
+#include "nsskeys.h"
|
|
|
c3274cc |
+#include "pathnames.h"
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static char *
|
|
|
c3274cc |
+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ char *password = arg;
|
|
|
c3274cc |
+ if (retry || password == NULL)
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return PL_strdup(password);
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+int
|
|
|
c3274cc |
+nss_init(PK11PasswordFunc pwfn)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ char *dbpath;
|
|
|
c3274cc |
+ char buf[MAXPATHLEN];
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (NSS_IsInitialized())
|
|
|
c3274cc |
+ return 0;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if ((dbpath=getenv("NSS_DB_PATH")) == NULL) {
|
|
|
c3274cc |
+ struct passwd *pw;
|
|
|
c3274cc |
+ if ((pw = getpwuid(getuid())) == NULL ||
|
|
|
c3274cc |
+ pw->pw_dir == NULL) {
|
|
|
c3274cc |
+ return -1;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
|
|
|
c3274cc |
+ _PATH_SSH_USER_DIR);
|
|
|
c3274cc |
+ dbpath = buf;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (NSS_Init(dbpath) != SECSuccess)
|
|
|
c3274cc |
+ return -1;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (pwfn == NULL) {
|
|
|
c3274cc |
+ pwfn = password_cb;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ PK11_SetPasswordFunc(pwfn);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return 0;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static Key *
|
|
|
c3274cc |
+make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ Key *k;
|
|
|
c3274cc |
+ switch (SECKEY_GetPrivateKeyType(privk)) {
|
|
|
c3274cc |
+ case rsaKey:
|
|
|
c3274cc |
+ k = key_new_nss(KEY_RSA);
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
+ case dsaKey:
|
|
|
c3274cc |
+ k = key_new_nss(KEY_DSA);
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
+ default:
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ k->nss->pubk = SECKEY_ConvertToPublicKey(privk);
|
|
|
c3274cc |
+ if (k->nss->pubk != NULL) {
|
|
|
c3274cc |
+ k->nss->privk = SECKEY_CopyPrivateKey(privk);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ if (k->nss->privk != NULL) {
|
|
|
c3274cc |
+ if (password != NULL) {
|
|
|
c3274cc |
+ k->nss->privk->wincx = xstrdup(password);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ return k;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ key_free(k);
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static Key **
|
|
|
c3274cc |
+add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ if (*allocated < *i + 2) {
|
|
|
c3274cc |
+ *allocated += 16;
|
|
|
c3274cc |
+ keys = xrealloc(keys, *allocated, sizeof(k));
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ keys[*i] = k;
|
|
|
c3274cc |
+ (*i)++;
|
|
|
c3274cc |
+ keys[*i] = NULL;
|
|
|
c3274cc |
+ return keys;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static int
|
|
|
c3274cc |
+nss_convert_pubkey(Key *k)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ u_char *n;
|
|
|
c3274cc |
+ unsigned int len;
|
|
|
c3274cc |
+ char *p;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ switch (k->type) {
|
|
|
c3274cc |
+ case KEY_RSA:
|
|
|
c3274cc |
+ n = k->nss->pubk->u.rsa.modulus.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.rsa.modulus.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ n = k->nss->pubk->u.rsa.publicExponent.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.rsa.publicExponent.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->rsa->e) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
+ case KEY_DSA:
|
|
|
c3274cc |
+ n = k->nss->pubk->u.dsa.params.prime.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.dsa.params.prime.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->dsa->p) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ n = k->nss->pubk->u.dsa.params.subPrime.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.dsa.params.subPrime.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->dsa->q) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ n = k->nss->pubk->u.dsa.params.base.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.dsa.params.base.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->dsa->g) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ n = k->nss->pubk->u.dsa.publicValue.data;
|
|
|
c3274cc |
+ len = k->nss->pubk->u.dsa.publicValue.len;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) {
|
|
|
c3274cc |
+ fatal("nss_convert_pubkey: BN_bin2bn failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
|
|
|
c3274cc |
+ debug("fingerprint %u %s", key_size(k), p);
|
|
|
c3274cc |
+ xfree(p);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return 0;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static Key **
|
|
|
c3274cc |
+nss_find_privkeys(const char *tokenname, const char *keyname,
|
|
|
c3274cc |
+ char *password)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ Key *k = NULL;
|
|
|
c3274cc |
+ Key **keys = NULL;
|
|
|
c3274cc |
+ PK11SlotList *slots;
|
|
|
c3274cc |
+ PK11SlotListElement *sle;
|
|
|
c3274cc |
+ size_t allocated = 0;
|
|
|
c3274cc |
+ size_t i = 0;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) {
|
|
|
c3274cc |
+ if (tokenname == NULL) {
|
|
|
c3274cc |
+ debug("No NSS token found");
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+ debug("NSS token not found: %s", tokenname);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ for (sle = slots->head; sle; sle = sle->next) {
|
|
|
c3274cc |
+ SECKEYPrivateKeyList *list;
|
|
|
c3274cc |
+ SECKEYPrivateKeyListNode *node;
|
|
|
c3274cc |
+ char *tmppass = password;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (PK11_NeedLogin(sle->slot)) {
|
|
|
c3274cc |
+ if (password == NULL) {
|
|
|
c3274cc |
+ char *prompt;
|
|
|
c3274cc |
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
|
|
|
c3274cc |
+ PK11_GetTokenName(sle->slot)) < 0)
|
|
|
c3274cc |
+ fatal("password_cb: asprintf failed");
|
|
|
c3274cc |
+ tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ debug("Looking for: %s:%s", tokenname, keyname);
|
|
|
c3274cc |
+ list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
|
|
|
c3274cc |
+ tmppass);
|
|
|
c3274cc |
+ if (list == NULL && keyname != NULL) {
|
|
|
c3274cc |
+ char *fooname;
|
|
|
c3274cc |
+ /* NSS bug workaround */
|
|
|
c3274cc |
+ if (asprintf(&fooname, "%s~", keyname) < 0) {
|
|
|
c3274cc |
+ error("nss_find_privkey: asprintf failed");
|
|
|
c3274cc |
+ PK11_FreeSlotList(slots);
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ list = PK11_ListPrivKeysInSlot(sle->slot, fooname,
|
|
|
c3274cc |
+ tmppass);
|
|
|
c3274cc |
+ free(fooname);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ if (list == NULL && keyname != NULL) {
|
|
|
c3274cc |
+ CERTCertificate *cert;
|
|
|
c3274cc |
+ SECKEYPrivateKey *privk;
|
|
|
c3274cc |
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(),
|
|
|
c3274cc |
+ (char *)keyname);
|
|
|
c3274cc |
+ if (cert == NULL)
|
|
|
c3274cc |
+ goto cleanup;
|
|
|
c3274cc |
+ privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass);
|
|
|
c3274cc |
+ CERT_DestroyCertificate(cert);
|
|
|
c3274cc |
+ if (privk == NULL)
|
|
|
c3274cc |
+ goto cleanup;
|
|
|
c3274cc |
+ if ((k=make_key_from_privkey(privk, tmppass)) != NULL) {
|
|
|
c3274cc |
+ nss_convert_pubkey(k);
|
|
|
c3274cc |
+ keys = add_key_to_list(k, keys, &i, &allocated);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ SECKEY_DestroyPrivateKey(privk);
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+ if (list == NULL)
|
|
|
c3274cc |
+ goto cleanup;
|
|
|
c3274cc |
+ for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
|
|
|
c3274cc |
+ node=PRIVKEY_LIST_NEXT(node))
|
|
|
c3274cc |
+ if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) {
|
|
|
c3274cc |
+ nss_convert_pubkey(k);
|
|
|
c3274cc |
+ keys = add_key_to_list(k, keys, &i, &allocated);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ SECKEY_DestroyPrivateKeyList(list);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+cleanup:
|
|
|
c3274cc |
+ if (password == NULL && tmppass != NULL) {
|
|
|
c3274cc |
+ memset(tmppass, 0, strlen(tmppass));
|
|
|
c3274cc |
+ xfree(tmppass);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ PK11_FreeSlotList(slots);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return keys;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+Key **
|
|
|
c3274cc |
+nss_get_keys(const char *tokenname, const char *keyname,
|
|
|
c3274cc |
+ char *password)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ Key **keys;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (nss_init(NULL) == -1) {
|
|
|
c3274cc |
+ error("Failed to initialize NSS library");
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ keys = nss_find_privkeys(tokenname, keyname, password);
|
|
|
c3274cc |
+ if (keys == NULL && keyname != NULL) {
|
|
|
c3274cc |
+ error("Cannot find key in nss, token removed");
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+#if 0
|
|
|
c3274cc |
+ keys = xcalloc(3, sizeof(Key *));
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (k->type == KEY_RSA) {
|
|
|
c3274cc |
+ n = key_new_nss_copy(KEY_RSA1, k);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ keys[0] = n;
|
|
|
c3274cc |
+ keys[1] = k;
|
|
|
c3274cc |
+ keys[2] = NULL;
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+ keys[0] = k;
|
|
|
c3274cc |
+ keys[1] = NULL;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+ return keys;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+char *
|
|
|
c3274cc |
+nss_get_key_label(Key *key)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ char *label, *nickname;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ nickname = PK11_GetPrivateKeyNickname(key->nss->privk);
|
|
|
c3274cc |
+ label = xstrdup(nickname);
|
|
|
c3274cc |
+ PORT_Free(nickname);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return label;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#endif /* HAVE_LIBNSS */
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh.c.nss-keys 2008-07-04 04:53:50.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -104,6 +104,9 @@
|
|
|
c9833c9 |
#ifdef SMARTCARD
|
|
|
c9833c9 |
#include "scard.h"
|
|
|
c9833c9 |
#endif
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+#include "nsskeys.h"
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
|
|
|
c9833c9 |
extern char *__progname;
|
|
|
c9833c9 |
|
|
|
ec52761 |
@@ -1235,9 +1238,11 @@ load_public_identity_files(void)
|
|
|
c9833c9 |
int i = 0;
|
|
|
c9833c9 |
Key *public;
|
|
|
c9833c9 |
struct passwd *pw;
|
|
|
c9833c9 |
-#ifdef SMARTCARD
|
|
|
c9833c9 |
+#if defined(SMARTCARD) || defined(HAVE_LIBNSS)
|
|
|
c9833c9 |
Key **keys;
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+#ifdef SMARTCARD
|
|
|
c9833c9 |
if (options.smartcard_device != NULL &&
|
|
|
c9833c9 |
options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
|
|
|
c9833c9 |
(keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
|
|
|
ec52761 |
@@ -1260,6 +1265,27 @@ load_public_identity_files(void)
|
|
|
c9833c9 |
xfree(keys);
|
|
|
c9833c9 |
}
|
|
|
c9833c9 |
#endif /* SMARTCARD */
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ if (options.use_nss &&
|
|
|
c9833c9 |
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
|
|
|
c9833c9 |
+ (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
|
|
|
c9833c9 |
+ int count;
|
|
|
c9833c9 |
+ for (count = 0; keys[count] != NULL; count++) {
|
|
|
c9833c9 |
+ memmove(&options.identity_files[1], &options.identity_files[0],
|
|
|
c9833c9 |
+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
|
|
|
c9833c9 |
+ memmove(&options.identity_keys[1], &options.identity_keys[0],
|
|
|
c9833c9 |
+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
|
|
|
c9833c9 |
+ options.num_identity_files++;
|
|
|
c9833c9 |
+ options.identity_keys[0] = keys[count];
|
|
|
c9833c9 |
+ options.identity_files[0] = nss_get_key_label(keys[count]);
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
|
|
|
c9833c9 |
+ options.num_identity_files = SSH_MAX_IDENTITY_FILES;
|
|
|
c9833c9 |
+ i += count;
|
|
|
c9833c9 |
+ xfree(keys);
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+#endif /* HAVE_LIBNSS */
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
if ((pw = getpwuid(original_real_uid)) == NULL)
|
|
|
c9833c9 |
fatal("load_public_identity_files: getpwuid failed");
|
|
|
ec52761 |
pwname = xstrdup(pw->pw_name);
|
|
|
ec52761 |
diff -up /dev/null openssh-5.1p1/nsskeys.h
|
|
|
9e5c6ec |
--- /dev/null 2008-11-17 17:51:52.160001870 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/nsskeys.h 2008-11-18 19:11:41.000000000 +0100
|
|
|
c3274cc |
@@ -0,0 +1,39 @@
|
|
|
c3274cc |
+/*
|
|
|
c3274cc |
+ * Copyright (c) 2001 Markus Friedl. All rights reserved.
|
|
|
c3274cc |
+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
|
|
|
c3274cc |
+ *
|
|
|
c3274cc |
+ * Redistribution and use in source and binary forms, with or without
|
|
|
c3274cc |
+ * modification, are permitted provided that the following conditions
|
|
|
c3274cc |
+ * are met:
|
|
|
c3274cc |
+ * 1. Redistributions of source code must retain the above copyright
|
|
|
c3274cc |
+ * notice, this list of conditions and the following disclaimer.
|
|
|
c3274cc |
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
|
c3274cc |
+ * notice, this list of conditions and the following disclaimer in the
|
|
|
c3274cc |
+ * documentation and/or other materials provided with the distribution.
|
|
|
c3274cc |
+ *
|
|
|
c3274cc |
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
c3274cc |
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
c3274cc |
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
c3274cc |
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
c3274cc |
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
c3274cc |
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
c3274cc |
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
c3274cc |
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
c3274cc |
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
c3274cc |
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
c3274cc |
+ */
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#ifndef NSSKEYS_H
|
|
|
c3274cc |
+#define NSSKEYS_H
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+#include <pk11func.h>
|
|
|
c3274cc |
+#include <prtypes.h>
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+int nss_init(PK11PasswordFunc);
|
|
|
c3274cc |
+Key **nss_get_keys(const char *, const char *, char *);
|
|
|
c3274cc |
+char *nss_get_key_label(Key *);
|
|
|
c3274cc |
+/*void sc_close(void);*/
|
|
|
c3274cc |
+/*int sc_put_key(Key *, const char *);*/
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+#endif
|
|
|
ec52761 |
diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in
|
|
|
ec52761 |
--- openssh-5.1p1/Makefile.in.nss-keys 2008-07-08 16:21:12.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/Makefile.in 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
|
|
c9833c9 |
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
|
|
c9833c9 |
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
|
|
|
c9833c9 |
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
|
|
|
c9833c9 |
- entropy.o scard-opensc.o gss-genr.o umac.o
|
|
|
c9833c9 |
+ entropy.o scard-opensc.o gss-genr.o umac.o nsskeys.o
|
|
|
c3274cc |
|
|
|
c9833c9 |
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
|
|
ec52761 |
sshconnect.o sshconnect1.o sshconnect2.o mux.o
|
|
|
ec52761 |
diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h
|
|
|
ec52761 |
--- openssh-5.1p1/key.h.nss-keys 2008-06-12 20:40:35.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/key.h 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -29,11 +29,17 @@
|
|
|
c9833c9 |
#include <openssl/rsa.h>
|
|
|
c9833c9 |
#include <openssl/dsa.h>
|
|
|
c9833c9 |
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+#include <nss.h>
|
|
|
c9833c9 |
+#include <keyhi.h>
|
|
|
c9833c9 |
+#endif
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
typedef struct Key Key;
|
|
|
c9833c9 |
enum types {
|
|
|
c9833c9 |
KEY_RSA1,
|
|
|
c9833c9 |
KEY_RSA,
|
|
|
c9833c9 |
KEY_DSA,
|
|
|
c9833c9 |
+ KEY_NSS,
|
|
|
c9833c9 |
KEY_UNSPEC
|
|
|
c9833c9 |
};
|
|
|
c9833c9 |
enum fp_type {
|
|
|
ec52761 |
@@ -48,16 +54,30 @@ enum fp_rep {
|
|
|
c9833c9 |
|
|
|
c9833c9 |
/* key is stored in external hardware */
|
|
|
c9833c9 |
#define KEY_FLAG_EXT 0x0001
|
|
|
c9833c9 |
+#define KEY_FLAG_NSS 0x0002
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+typedef struct NSSKey NSSKey;
|
|
|
c9833c9 |
+struct NSSKey {
|
|
|
c9833c9 |
+ SECKEYPrivateKey *privk;
|
|
|
c9833c9 |
+ SECKEYPublicKey *pubk;
|
|
|
c9833c9 |
+};
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
|
|
|
c9833c9 |
struct Key {
|
|
|
c9833c9 |
int type;
|
|
|
c9833c9 |
int flags;
|
|
|
c9833c9 |
RSA *rsa;
|
|
|
c9833c9 |
DSA *dsa;
|
|
|
c9833c9 |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ NSSKey *nss;
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
};
|
|
|
c9833c9 |
|
|
|
c9833c9 |
Key *key_new(int);
|
|
|
c9833c9 |
Key *key_new_private(int);
|
|
|
c9833c9 |
+Key *key_new_nss(int);
|
|
|
c9833c9 |
+Key *key_new_nss_copy(int, const Key *);
|
|
|
c9833c9 |
void key_free(Key *);
|
|
|
c9833c9 |
Key *key_demote(const Key *);
|
|
|
c9833c9 |
int key_equal(const Key *, const Key *);
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh-add.c.nss-keys 2008-02-28 09:13:52.000000000 +0100
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh-add.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
ec52761 |
@@ -44,6 +44,14 @@
|
|
|
c3274cc |
#include <openssl/evp.h>
|
|
|
ec52761 |
#include "openbsd-compat/openssl-compat.h"
|
|
|
c3274cc |
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+#include <nss.h>
|
|
|
c3274cc |
+#include <secmod.h>
|
|
|
c3274cc |
+#include <pk11pub.h>
|
|
|
c3274cc |
+#include <keyhi.h>
|
|
|
c3274cc |
+#include <cert.h>
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+
|
|
|
c3274cc |
#include <fcntl.h>
|
|
|
c3274cc |
#include <pwd.h>
|
|
|
c3274cc |
#include <stdarg.h>
|
|
|
ec52761 |
@@ -57,6 +65,7 @@
|
|
|
c3274cc |
#include "rsa.h"
|
|
|
c3274cc |
#include "log.h"
|
|
|
c3274cc |
#include "key.h"
|
|
|
c3274cc |
+#include "nsskeys.h"
|
|
|
c3274cc |
#include "buffer.h"
|
|
|
c3274cc |
#include "authfd.h"
|
|
|
c3274cc |
#include "authfile.h"
|
|
|
ec52761 |
@@ -307,6 +316,117 @@ do_file(AuthenticationConnection *ac, in
|
|
|
c3274cc |
return 0;
|
|
|
c3274cc |
}
|
|
|
c3274cc |
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+static char *
|
|
|
c3274cc |
+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ char **passcache = arg;
|
|
|
c3274cc |
+ char *password, *p2 = NULL;
|
|
|
c3274cc |
+ char *prompt;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (retry)
|
|
|
c3274cc |
+ return NULL;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (asprintf(&prompt, "Enter passphrase for token %s: ",
|
|
|
c3274cc |
+ PK11_GetTokenName(slot)) < 0)
|
|
|
c3274cc |
+ fatal("password_cb: asprintf failed");
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ password = read_passphrase(prompt, RP_ALLOW_STDIN);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (password != NULL && (p2=PL_strdup(password)) == NULL) {
|
|
|
c3274cc |
+ memset(password, 0, strlen(password));
|
|
|
c3274cc |
+ fatal("password_cb: PL_strdup failed");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (passcache != NULL) {
|
|
|
c3274cc |
+ if (*passcache != NULL) {
|
|
|
c3274cc |
+ memset(*passcache, 0, strlen(*passcache));
|
|
|
c3274cc |
+ xfree(*passcache);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ *passcache = password;
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+ memset(password, 0, strlen(password));
|
|
|
c3274cc |
+ xfree(password);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return p2;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+static int
|
|
|
c3274cc |
+add_slot_keys(AuthenticationConnection *ac, PK11SlotInfo *slot, int add)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ SECKEYPrivateKeyList *list;
|
|
|
c3274cc |
+ SECKEYPrivateKeyListNode *node;
|
|
|
c3274cc |
+ char *passcache = NULL;
|
|
|
c3274cc |
+ char *tokenname;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ int count = 0;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (PK11_NeedLogin(slot))
|
|
|
c3274cc |
+ PK11_Authenticate(slot, PR_TRUE, &passcache);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if ((list=PK11_ListPrivKeysInSlot(slot, NULL, NULL)) == NULL) {
|
|
|
c3274cc |
+ return 0;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ tokenname = PK11_GetTokenName(slot);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
|
|
|
c3274cc |
+ node=PRIVKEY_LIST_NEXT(node)) {
|
|
|
c3274cc |
+ char *keyname;
|
|
|
c3274cc |
+ SECKEYPublicKey *pub;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ keyname = PK11_GetPrivateKeyNickname(node->key);
|
|
|
c3274cc |
+ if (keyname == NULL || *keyname == '\0') {
|
|
|
c3274cc |
+ /* no nickname to refer to */
|
|
|
c3274cc |
+ CERTCertificate *cert;
|
|
|
c3274cc |
+ char *kn;
|
|
|
c3274cc |
+ cert = PK11_GetCertFromPrivateKey(node->key);
|
|
|
c3274cc |
+ if (cert == NULL)
|
|
|
c3274cc |
+ continue;
|
|
|
c3274cc |
+ kn = strchr(cert->nickname, ':');
|
|
|
c3274cc |
+ if (kn == NULL)
|
|
|
c3274cc |
+ kn = cert->nickname;
|
|
|
c3274cc |
+ else
|
|
|
c3274cc |
+ kn++;
|
|
|
c3274cc |
+ keyname = PORT_Strdup(kn);
|
|
|
c3274cc |
+ CERT_DestroyCertificate(cert);
|
|
|
c3274cc |
+ if (keyname == NULL)
|
|
|
c3274cc |
+ continue;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ pub = SECKEY_ConvertToPublicKey(node->key);
|
|
|
c3274cc |
+ if (pub == NULL) {
|
|
|
c3274cc |
+ fprintf(stderr, "No public key for: %s:%s\n",
|
|
|
c3274cc |
+ tokenname, keyname);
|
|
|
c3274cc |
+ continue; /* not possible to obtain public key */
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ SECKEY_DestroyPublicKey(pub);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (ssh_update_nss_key(ac, add, tokenname, keyname,
|
|
|
c3274cc |
+ passcache?passcache:"", lifetime, confirm)) {
|
|
|
c3274cc |
+ fprintf(stderr, "Key %s: %s:%s\n",
|
|
|
c3274cc |
+ add?"added":"removed", tokenname, keyname);
|
|
|
c3274cc |
+ count++;
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+ fprintf(stderr, "Could not %s key: %s:%s\n",
|
|
|
c3274cc |
+ add?"add":"remove", tokenname, keyname);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ PORT_Free(keyname);
|
|
|
c3274cc |
+ count++;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (passcache != NULL) {
|
|
|
c3274cc |
+ memset(passcache, 0, strlen(passcache));
|
|
|
c3274cc |
+ xfree(passcache);
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ SECKEY_DestroyPrivateKeyList(list);
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ return count;
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+
|
|
|
c3274cc |
static void
|
|
|
c3274cc |
usage(void)
|
|
|
c3274cc |
{
|
|
|
ec52761 |
@@ -334,6 +454,10 @@ main(int argc, char **argv)
|
|
|
c3274cc |
AuthenticationConnection *ac = NULL;
|
|
|
c3274cc |
char *sc_reader_id = NULL;
|
|
|
c3274cc |
int i, ch, deleting = 0, ret = 0;
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ char *token_id = NULL;
|
|
|
c3274cc |
+ int use_nss = 0;
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
|
|
|
c3274cc |
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
|
|
c3274cc |
sanitise_stdfd();
|
|
|
ec52761 |
@@ -351,7 +475,7 @@ main(int argc, char **argv)
|
|
|
c3274cc |
"Could not open a connection to your authentication agent.\n");
|
|
|
c3274cc |
exit(2);
|
|
|
c3274cc |
}
|
|
|
c3274cc |
- while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
|
|
|
c3274cc |
+ while ((ch = getopt(argc, argv, "lLcdDnxXe:s:t:T:")) != -1) {
|
|
|
c3274cc |
switch (ch) {
|
|
|
c3274cc |
case 'l':
|
|
|
c3274cc |
case 'L':
|
|
|
ec52761 |
@@ -373,6 +497,11 @@ main(int argc, char **argv)
|
|
|
c3274cc |
if (delete_all(ac) == -1)
|
|
|
c3274cc |
ret = 1;
|
|
|
c3274cc |
goto done;
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ case 'n':
|
|
|
c3274cc |
+ use_nss = 1;
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
case 's':
|
|
|
c3274cc |
sc_reader_id = optarg;
|
|
|
c3274cc |
break;
|
|
|
ec52761 |
@@ -387,6 +516,11 @@ main(int argc, char **argv)
|
|
|
c3274cc |
goto done;
|
|
|
c3274cc |
}
|
|
|
c3274cc |
break;
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ case 'T':
|
|
|
c9833c9 |
+ token_id = optarg;
|
|
|
c9833c9 |
+ break;
|
|
|
c3274cc |
+#endif
|
|
|
c9833c9 |
default:
|
|
|
c9833c9 |
usage();
|
|
|
c9833c9 |
ret = 1;
|
|
|
ec52761 |
@@ -400,6 +534,40 @@ main(int argc, char **argv)
|
|
|
c9833c9 |
ret = 1;
|
|
|
c9833c9 |
goto done;
|
|
|
c3274cc |
}
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ if (use_nss) {
|
|
|
c9833c9 |
+ PK11SlotList *slots;
|
|
|
c9833c9 |
+ PK11SlotListElement *sle;
|
|
|
c9833c9 |
+ int count = 0;
|
|
|
c9833c9 |
+ if (nss_init(password_cb) == -1) {
|
|
|
c9833c9 |
+ fprintf(stderr, "Failed to initialize NSS library\n");
|
|
|
c9833c9 |
+ ret = 1;
|
|
|
c9833c9 |
+ goto done;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ if ((slots=PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE,
|
|
|
c9833c9 |
+ NULL)) == NULL) {
|
|
|
c9833c9 |
+ fprintf(stderr, "No tokens found\n");
|
|
|
c9833c9 |
+ ret = 1;
|
|
|
c9833c9 |
+ goto nss_done;
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ for (sle = slots->head; sle; sle = sle->next) {
|
|
|
c9833c9 |
+ int rv;
|
|
|
c9833c9 |
+ if ((rv=add_slot_keys(ac, sle->slot, !deleting)) == -1) {
|
|
|
c9833c9 |
+ ret = 1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ count += rv;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+ if (count == 0) {
|
|
|
c9833c9 |
+ ret = 1;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+nss_done:
|
|
|
c9833c9 |
+ NSS_Shutdown();
|
|
|
c9833c9 |
+ clear_pass();
|
|
|
c9833c9 |
+ goto done;
|
|
|
c9833c9 |
+ }
|
|
|
c9833c9 |
+#endif
|
|
|
c9833c9 |
if (argc == 0) {
|
|
|
c9833c9 |
char buf[MAXPATHLEN];
|
|
|
c9833c9 |
struct passwd *pw;
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh-rsa.c.nss-keys 2006-09-01 07:38:37.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh-rsa.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -32,6 +32,10 @@
|
|
|
c9833c9 |
#include "compat.h"
|
|
|
c9833c9 |
#include "ssh.h"
|
|
|
c3274cc |
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+#include <cryptohi.h>
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
|
|
|
c3274cc |
|
|
|
c9833c9 |
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
|
|
|
c9833c9 |
@@ -50,6 +54,38 @@ ssh_rsa_sign(const Key *key, u_char **si
|
|
|
c9833c9 |
error("ssh_rsa_sign: no RSA key");
|
|
|
c3274cc |
return -1;
|
|
|
c3274cc |
}
|
|
|
c9833c9 |
+
|
|
|
c9833c9 |
+ slen = RSA_size(key->rsa);
|
|
|
c9833c9 |
+ sig = xmalloc(slen);
|
|
|
c9833c9 |
+
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ if (key->flags & KEY_FLAG_NSS) {
|
|
|
c3274cc |
+ SECItem sigitem;
|
|
|
c9833c9 |
+ SECOidTag alg;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ memset(&sigitem, 0, sizeof(sigitem));
|
|
|
c9833c9 |
+ alg = (datafellows & SSH_BUG_RSASIGMD5) ?
|
|
|
c9833c9 |
+ SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION :
|
|
|
c9833c9 |
+ SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
|
|
|
c9833c9 |
+
|
|
|
c3274cc |
+ if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
|
|
|
c9833c9 |
+ alg) != SECSuccess) {
|
|
|
c9833c9 |
+ error("ssh_rsa_sign: sign failed");
|
|
|
c3274cc |
+ return -1;
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+ if (sigitem.len > slen) {
|
|
|
c9833c9 |
+ error("ssh_rsa_sign: slen %u slen2 %u", slen, sigitem.len);
|
|
|
c9833c9 |
+ xfree(sig);
|
|
|
c3274cc |
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
|
|
|
c3274cc |
+ return -1;
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+ if (sigitem.len < slen) {
|
|
|
c9833c9 |
+ memset(sig, 0, slen - sigitem.len);
|
|
|
c3274cc |
+ }
|
|
|
c9833c9 |
+ memcpy(sig+slen-sigitem.len, sigitem.data, sigitem.len);
|
|
|
c9833c9 |
+ SECITEM_ZfreeItem(&sigitem, PR_FALSE);
|
|
|
c3274cc |
+ } else {
|
|
|
c3274cc |
+#endif
|
|
|
c9833c9 |
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
|
|
|
c9833c9 |
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
|
|
|
c9833c9 |
error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
|
|
|
c9833c9 |
@@ -59,9 +95,6 @@ ssh_rsa_sign(const Key *key, u_char **si
|
|
|
c3274cc |
EVP_DigestUpdate(&md, data, datalen);
|
|
|
c3274cc |
EVP_DigestFinal(&md, digest, &dlen);
|
|
|
c9833c9 |
|
|
|
c9833c9 |
- slen = RSA_size(key->rsa);
|
|
|
c9833c9 |
- sig = xmalloc(slen);
|
|
|
c3274cc |
-
|
|
|
c9833c9 |
ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
|
|
|
c9833c9 |
memset(digest, 'd', sizeof(digest));
|
|
|
c9833c9 |
|
|
|
c9833c9 |
@@ -83,6 +116,9 @@ ssh_rsa_sign(const Key *key, u_char **si
|
|
|
c9833c9 |
xfree(sig);
|
|
|
c9833c9 |
return -1;
|
|
|
c9833c9 |
}
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+#endif
|
|
|
c9833c9 |
/* encode signature */
|
|
|
c9833c9 |
buffer_init(&b);
|
|
|
c9833c9 |
buffer_put_cstring(&b, "ssh-rsa");
|
|
|
ec52761 |
diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c
|
|
|
ec52761 |
--- openssh-5.1p1/ssh-keygen.c.nss-keys 2008-07-14 03:28:29.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/ssh-keygen.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
ec52761 |
@@ -53,6 +53,11 @@
|
|
|
c3274cc |
#include "scard.h"
|
|
|
c3274cc |
#endif
|
|
|
c3274cc |
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+#include <nss.h>
|
|
|
c3274cc |
+#include "nsskeys.h"
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+
|
|
|
c3274cc |
/* Number of bits in the RSA/DSA key. This value can be set on the command line. */
|
|
|
c3274cc |
#define DEFAULT_BITS 2048
|
|
|
c3274cc |
#define DEFAULT_BITS_DSA 1024
|
|
|
ec52761 |
@@ -501,6 +506,26 @@ do_download(struct passwd *pw, const cha
|
|
|
c3274cc |
}
|
|
|
c3274cc |
#endif /* SMARTCARD */
|
|
|
c3274cc |
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+static void
|
|
|
c3274cc |
+do_nss_download(struct passwd *pw, const char *tokenname, const char *keyname)
|
|
|
c3274cc |
+{
|
|
|
c3274cc |
+ Key **keys = NULL;
|
|
|
c3274cc |
+ int i;
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ keys = nss_get_keys(tokenname, keyname, NULL);
|
|
|
c3274cc |
+ if (keys == NULL)
|
|
|
c3274cc |
+ fatal("cannot find public key in NSS");
|
|
|
c3274cc |
+ for (i = 0; keys[i]; i++) {
|
|
|
c3274cc |
+ key_write(keys[i], stdout);
|
|
|
c3274cc |
+ key_free(keys[i]);
|
|
|
c3274cc |
+ fprintf(stdout, "\n");
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
+ xfree(keys);
|
|
|
c3274cc |
+ exit(0);
|
|
|
c3274cc |
+}
|
|
|
c3274cc |
+#endif /* HAVE_LIBNSS */
|
|
|
c3274cc |
+
|
|
|
c3274cc |
static void
|
|
|
c3274cc |
do_fingerprint(struct passwd *pw)
|
|
|
c3274cc |
{
|
|
|
ec52761 |
@@ -1083,7 +1108,8 @@ main(int argc, char **argv)
|
|
|
c3274cc |
Key *private, *public;
|
|
|
c3274cc |
struct passwd *pw;
|
|
|
c3274cc |
struct stat st;
|
|
|
c3274cc |
- int opt, type, fd, download = 0;
|
|
|
c3274cc |
+ int opt, type, fd, download = 1;
|
|
|
c3274cc |
+ int use_nss = 0;
|
|
|
c3274cc |
u_int32_t memory = 0, generator_wanted = 0, trials = 100;
|
|
|
c3274cc |
int do_gen_candidates = 0, do_screen_candidates = 0;
|
|
|
ec52761 |
BIGNUM *start = NULL;
|
|
|
ec52761 |
@@ -1116,7 +1142,7 @@ main(int argc, char **argv)
|
|
|
c3274cc |
}
|
|
|
c3274cc |
|
|
|
c9833c9 |
while ((opt = getopt(argc, argv,
|
|
|
c3274cc |
- "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
|
|
|
c3274cc |
+ "degiqpclnBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
|
|
|
c3274cc |
switch (opt) {
|
|
|
c3274cc |
case 'b':
|
|
|
c3274cc |
bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
|
|
|
ec52761 |
@@ -1156,6 +1182,10 @@ main(int argc, char **argv)
|
|
|
c3274cc |
case 'g':
|
|
|
c3274cc |
print_generic = 1;
|
|
|
c3274cc |
break;
|
|
|
c3274cc |
+ case 'n':
|
|
|
c3274cc |
+ use_nss = 1;
|
|
|
c3274cc |
+ download = 1;
|
|
|
c3274cc |
+ break;
|
|
|
c3274cc |
case 'P':
|
|
|
c3274cc |
identity_passphrase = optarg;
|
|
|
c3274cc |
break;
|
|
|
ec52761 |
@@ -1187,10 +1217,10 @@ main(int argc, char **argv)
|
|
|
c3274cc |
case 't':
|
|
|
c3274cc |
key_type_name = optarg;
|
|
|
c3274cc |
break;
|
|
|
c3274cc |
- case 'D':
|
|
|
c3274cc |
- download = 1;
|
|
|
c3274cc |
- /*FALLTHROUGH*/
|
|
|
c3274cc |
case 'U':
|
|
|
c3274cc |
+ download = 0;
|
|
|
c3274cc |
+ /*FALLTHROUGH*/
|
|
|
c3274cc |
+ case 'D':
|
|
|
c3274cc |
reader_id = optarg;
|
|
|
c3274cc |
break;
|
|
|
c3274cc |
case 'v':
|
|
|
ec52761 |
@@ -1299,6 +1329,17 @@ main(int argc, char **argv)
|
|
|
c3274cc |
exit(0);
|
|
|
c3274cc |
}
|
|
|
c3274cc |
}
|
|
|
c3274cc |
+
|
|
|
c3274cc |
+ if (use_nss) {
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c3274cc |
+ if (download)
|
|
|
c3274cc |
+ do_nss_download(pw, reader_id, identity_file);
|
|
|
c3274cc |
+ else
|
|
|
c3274cc |
+ fatal("no support for NSS key upload.");
|
|
|
c3274cc |
+#else
|
|
|
c3274cc |
+ fatal("no support for NSS keys.");
|
|
|
c3274cc |
+#endif
|
|
|
c3274cc |
+ }
|
|
|
c3274cc |
if (reader_id != NULL) {
|
|
|
c3274cc |
#ifdef SMARTCARD
|
|
|
c3274cc |
if (download)
|
|
|
ec52761 |
diff -up openssh-5.1p1/readconf.c.nss-keys openssh-5.1p1/readconf.c
|
|
|
ec52761 |
--- openssh-5.1p1/readconf.c.nss-keys 2008-06-29 16:04:03.000000000 +0200
|
|
|
9e5c6ec |
+++ openssh-5.1p1/readconf.c 2008-11-18 19:11:41.000000000 +0100
|
|
|
c9833c9 |
@@ -124,6 +124,7 @@ typedef enum {
|
|
|
c9833c9 |
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
|
|
|
c9833c9 |
oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
|
|
|
c9833c9 |
oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
|
|
|
c9833c9 |
+ oUseNSS, oNSSToken,
|
|
|
c9833c9 |
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
|
|
c9833c9 |
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
|
c9833c9 |
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
|
ec52761 |
@@ -210,6 +211,13 @@ static struct {
|
|
|
c9833c9 |
#else
|
|
|
c9833c9 |
{ "smartcarddevice", oUnsupported },
|
|
|
c9833c9 |
#endif
|
|
|
c3274cc |
+#ifdef HAVE_LIBNSS
|
|
|
c9833c9 |
+ { "usenss", oUseNSS },
|
|
|
c9833c9 |
+ { "nsstoken", oNSSToken },
|
|
|
c9833c9 |
+#else
|
|
|
c9833c9 |
+ { "usenss", oUnsupported },
|
|
|
c9833c9 |
+ { "nsstoken", oNSSToken },
|
|
|
c3274cc |
+#endif
|
|
|
c9833c9 |
{ "clearallforwardings", oClearAllForwardings },
|
|
|
c9833c9 |
{ "enablesshkeysign", oEnableSSHKeysign },
|
|
|
c9833c9 |
{ "verifyhostkeydns", oVerifyHostKeyDNS },
|
|
|
ec52761 |
@@ -603,6 +611,14 @@ parse_string:
|
|
|
c9833c9 |
charptr = &options->smartcard_device;
|
|
|
c9833c9 |
goto parse_string;
|
|
|
c3274cc |
|
|
|
c9833c9 |
+ case oUseNSS:
|
|
|
c9833c9 |
+ intptr = &options->use_nss;
|
|
|
c9833c9 |
+ goto parse_flag;
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
+ case oNSSToken:
|
|
|
c9833c9 |
+ charptr = &options->nss_token;
|
|
|
c9833c9 |
+ goto parse_command;
|
|
|
c3274cc |
+
|
|
|
c9833c9 |
case oProxyCommand:
|
|
|
c9833c9 |
charptr = &options->proxy_command;
|
|
|
c9833c9 |
parse_command:
|
|
|
ec52761 |
@@ -1055,6 +1071,8 @@ initialize_options(Options * options)
|
|
|
c9833c9 |
options->preferred_authentications = NULL;
|
|
|
c9833c9 |
options->bind_address = NULL;
|
|
|
c9833c9 |
options->smartcard_device = NULL;
|
|
|
c9833c9 |
+ options->use_nss = -1;
|
|
|
c9833c9 |
+ options->nss_token = NULL;
|
|
|
c9833c9 |
options->enable_ssh_keysign = - 1;
|
|
|
c9833c9 |
options->no_host_authentication_for_localhost = - 1;
|
|
|
c9833c9 |
options->identities_only = - 1;
|
|
|
ec52761 |
@@ -1184,6 +1202,8 @@ fill_default_options(Options * options)
|
|
|
c9833c9 |
options->no_host_authentication_for_localhost = 0;
|
|
|
c9833c9 |
if (options->identities_only == -1)
|
|
|
c9833c9 |
options->identities_only = 0;
|
|
|
c9833c9 |
+ if (options->use_nss == -1)
|
|
|
c9833c9 |
+ options->use_nss = 0;
|
|
|
c9833c9 |
if (options->enable_ssh_keysign == -1)
|
|
|
c9833c9 |
options->enable_ssh_keysign = 0;
|
|
|
c9833c9 |
if (options->rekey_limit == -1)
|