1/* $NetBSD: ssh-pkcs11-helper.c,v 1.3 2011/05/24 14:27:07 joerg Exp $ */ 2/* $OpenBSD: ssh-pkcs11-helper.c,v 1.3 2010/02/24 06:12:53 djm Exp $ */ 3/* 4 * Copyright (c) 2010 Markus Friedl. All rights reserved. 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18#include "includes.h" 19__RCSID("$NetBSD: ssh-pkcs11-helper.c,v 1.3 2011/05/24 14:27:07 joerg Exp $"); 20 21#include <sys/queue.h> 22#include <sys/types.h> 23#include <sys/time.h> 24#include <sys/param.h> 25 26#include <stdarg.h> 27#include <string.h> 28#include <unistd.h> 29#include <errno.h> 30 31#include "xmalloc.h" 32#include "buffer.h" 33#include "log.h" 34#include "misc.h" 35#include "key.h" 36#include "authfd.h" 37#include "ssh-pkcs11.h" 38 39/* borrows code from sftp-server and ssh-agent */ 40 41struct pkcs11_keyinfo { 42 Key *key; 43 char *providername; 44 TAILQ_ENTRY(pkcs11_keyinfo) next; 45}; 46 47TAILQ_HEAD(, pkcs11_keyinfo) pkcs11_keylist; 48 49#define MAX_MSG_LENGTH 10240 /*XXX*/ 50 51/* helper */ 52#define get_int() buffer_get_int(&iqueue); 53#define get_string(lenp) buffer_get_string(&iqueue, lenp); 54 55/* input and output queue */ 56Buffer iqueue; 57Buffer oqueue; 58 59static void 60add_key(Key *k, char *name) 61{ 62 struct pkcs11_keyinfo *ki; 63 64 ki = xcalloc(1, sizeof(*ki)); 65 ki->providername = xstrdup(name); 66 ki->key = k; 67 TAILQ_INSERT_TAIL(&pkcs11_keylist, ki, next); 68} 69 70static void 71del_keys_by_name(char *name) 72{ 73 struct pkcs11_keyinfo *ki, *nxt; 74 75 for (ki = TAILQ_FIRST(&pkcs11_keylist); ki; ki = nxt) { 76 nxt = TAILQ_NEXT(ki, next); 77 if (!strcmp(ki->providername, name)) { 78 TAILQ_REMOVE(&pkcs11_keylist, ki, next); 79 xfree(ki->providername); 80 key_free(ki->key); 81 free(ki); 82 } 83 } 84} 85 86/* lookup matching 'private' key */ 87static Key * 88lookup_key(Key *k) 89{ 90 struct pkcs11_keyinfo *ki; 91 92 TAILQ_FOREACH(ki, &pkcs11_keylist, next) { 93 debug("check %p %s", ki, ki->providername); 94 if (key_equal(k, ki->key)) 95 return (ki->key); 96 } 97 return (NULL); 98} 99 100static void 101send_msg(Buffer *m) 102{ 103 int mlen = buffer_len(m); 104 105 buffer_put_int(&oqueue, mlen); 106 buffer_append(&oqueue, buffer_ptr(m), mlen); 107 buffer_consume(m, mlen); 108} 109 110static void 111process_add(void) 112{ 113 char *name, *pin; 114 Key **keys; 115 int i, nkeys; 116 u_char *blob; 117 u_int blen; 118 Buffer msg; 119 120 buffer_init(&msg); 121 name = get_string(NULL); 122 pin = get_string(NULL); 123 if ((nkeys = pkcs11_add_provider(name, pin, &keys)) > 0) { 124 buffer_put_char(&msg, SSH2_AGENT_IDENTITIES_ANSWER); 125 buffer_put_int(&msg, nkeys); 126 for (i = 0; i < nkeys; i++) { 127 key_to_blob(keys[i], &blob, &blen); 128 buffer_put_string(&msg, blob, blen); 129 buffer_put_cstring(&msg, name); 130 xfree(blob); 131 add_key(keys[i], name); 132 } 133 xfree(keys); 134 } else { 135 buffer_put_char(&msg, SSH_AGENT_FAILURE); 136 } 137 xfree(pin); 138 xfree(name); 139 send_msg(&msg); 140 buffer_free(&msg); 141} 142 143static void 144process_del(void) 145{ 146 char *name, *pin; 147 Buffer msg; 148 149 buffer_init(&msg); 150 name = get_string(NULL); 151 pin = get_string(NULL); 152 del_keys_by_name(name); 153 if (pkcs11_del_provider(name) == 0) 154 buffer_put_char(&msg, SSH_AGENT_SUCCESS); 155 else 156 buffer_put_char(&msg, SSH_AGENT_FAILURE); 157 xfree(pin); 158 xfree(name); 159 send_msg(&msg); 160 buffer_free(&msg); 161} 162 163static void 164process_sign(void) 165{ 166 u_char *blob, *data, *signature = NULL; 167 u_int blen, dlen, slen = 0; 168 int ok = -1, flags, ret; 169 Key *key, *found; 170 Buffer msg; 171 172 blob = get_string(&blen); 173 data = get_string(&dlen); 174 flags = get_int(); /* XXX ignore */ 175 176 if ((key = key_from_blob(blob, blen)) != NULL) { 177 if ((found = lookup_key(key)) != NULL) { 178 slen = RSA_size(key->rsa); 179 signature = xmalloc(slen); 180 if ((ret = RSA_private_encrypt(dlen, data, signature, 181 found->rsa, RSA_PKCS1_PADDING)) != -1) { 182 slen = ret; 183 ok = 0; 184 } 185 } 186 key_free(key); 187 } 188 buffer_init(&msg); 189 if (ok == 0) { 190 buffer_put_char(&msg, SSH2_AGENT_SIGN_RESPONSE); 191 buffer_put_string(&msg, signature, slen); 192 } else { 193 buffer_put_char(&msg, SSH_AGENT_FAILURE); 194 } 195 xfree(data); 196 xfree(blob); 197 if (signature != NULL) 198 xfree(signature); 199 send_msg(&msg); 200 buffer_free(&msg); 201} 202 203static void 204process(void) 205{ 206 u_int msg_len; 207 u_int buf_len; 208 u_int consumed; 209 u_int type; 210 u_char *cp; 211 212 buf_len = buffer_len(&iqueue); 213 if (buf_len < 5) 214 return; /* Incomplete message. */ 215 cp = buffer_ptr(&iqueue); 216 msg_len = get_u32(cp); 217 if (msg_len > MAX_MSG_LENGTH) { 218 error("bad message len %d", msg_len); 219 cleanup_exit(11); 220 } 221 if (buf_len < msg_len + 4) 222 return; 223 buffer_consume(&iqueue, 4); 224 buf_len -= 4; 225 type = buffer_get_char(&iqueue); 226 switch (type) { 227 case SSH_AGENTC_ADD_SMARTCARD_KEY: 228 debug("process_add"); 229 process_add(); 230 break; 231 case SSH_AGENTC_REMOVE_SMARTCARD_KEY: 232 debug("process_del"); 233 process_del(); 234 break; 235 case SSH2_AGENTC_SIGN_REQUEST: 236 debug("process_sign"); 237 process_sign(); 238 break; 239 default: 240 error("Unknown message %d", type); 241 break; 242 } 243 /* discard the remaining bytes from the current packet */ 244 if (buf_len < buffer_len(&iqueue)) { 245 error("iqueue grew unexpectedly"); 246 cleanup_exit(255); 247 } 248 consumed = buf_len - buffer_len(&iqueue); 249 if (msg_len < consumed) { 250 error("msg_len %d < consumed %d", msg_len, consumed); 251 cleanup_exit(255); 252 } 253 if (msg_len > consumed) 254 buffer_consume(&iqueue, msg_len - consumed); 255} 256 257void 258cleanup_exit(int i) 259{ 260 /* XXX */ 261 _exit(i); 262} 263 264int 265main(int argc, char **argv) 266{ 267 fd_set *rset, *wset; 268 int in, out, max, log_stderr = 0; 269 ssize_t len, olen, set_size; 270 SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; 271 LogLevel log_level = SYSLOG_LEVEL_ERROR; 272 char buf[4*4096]; 273 extern char *__progname; 274 275 TAILQ_INIT(&pkcs11_keylist); 276 pkcs11_init(0); 277 278 log_init(__progname, log_level, log_facility, log_stderr); 279 280 in = STDIN_FILENO; 281 out = STDOUT_FILENO; 282 283 max = 0; 284 if (in > max) 285 max = in; 286 if (out > max) 287 max = out; 288 289 buffer_init(&iqueue); 290 buffer_init(&oqueue); 291 292 set_size = howmany(max + 1, NFDBITS) * sizeof(fd_mask); 293 rset = (fd_set *)xmalloc(set_size); 294 wset = (fd_set *)xmalloc(set_size); 295 296 for (;;) { 297 memset(rset, 0, set_size); 298 memset(wset, 0, set_size); 299 300 /* 301 * Ensure that we can read a full buffer and handle 302 * the worst-case length packet it can generate, 303 * otherwise apply backpressure by stopping reads. 304 */ 305 if (buffer_check_alloc(&iqueue, sizeof(buf)) && 306 buffer_check_alloc(&oqueue, MAX_MSG_LENGTH)) 307 FD_SET(in, rset); 308 309 olen = buffer_len(&oqueue); 310 if (olen > 0) 311 FD_SET(out, wset); 312 313 if (select(max+1, rset, wset, NULL, NULL) < 0) { 314 if (errno == EINTR) 315 continue; 316 error("select: %s", strerror(errno)); 317 cleanup_exit(2); 318 } 319 320 /* copy stdin to iqueue */ 321 if (FD_ISSET(in, rset)) { 322 len = read(in, buf, sizeof buf); 323 if (len == 0) { 324 debug("read eof"); 325 cleanup_exit(0); 326 } else if (len < 0) { 327 error("read: %s", strerror(errno)); 328 cleanup_exit(1); 329 } else { 330 buffer_append(&iqueue, buf, len); 331 } 332 } 333 /* send oqueue to stdout */ 334 if (FD_ISSET(out, wset)) { 335 len = write(out, buffer_ptr(&oqueue), olen); 336 if (len < 0) { 337 error("write: %s", strerror(errno)); 338 cleanup_exit(1); 339 } else { 340 buffer_consume(&oqueue, len); 341 } 342 } 343 344 /* 345 * Process requests from client if we can fit the results 346 * into the output buffer, otherwise stop processing input 347 * and let the output queue drain. 348 */ 349 if (buffer_check_alloc(&oqueue, MAX_MSG_LENGTH)) 350 process(); 351 } 352} 353