Red Hat Bugzilla – Attachment 241861 Details for
Bug 356451
allow ssh to easily load nss modules
[patch]
nssmodule.patch
nssmodule.patch (text/plain), 5.44 KB, created by
Pierre Ossman
on 2007-10-29 14:07:34 UTC
Description:
nssmodule.patch
Filename:
MIME Type:
Creator:
Pierre Ossman
Created:
2007-10-29 14:07:34 UTC
Size:
5.44 KB
>Index: ssh.c
>===================================================================
>--- ssh.c (revision 13254)
>+++ ssh.c (revision 13255)
>@@ -1250,7 +1250,8 @@
> #ifdef HAVE_LIBNSS
> if (options.use_nss &&
> options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
>- (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
>+ (keys = nss_get_keys(options.nss_token, NULL, NULL,
>+ options.num_nss_modules, options.nss_modules)) != NULL) {
> int count;
> for (count = 0; keys[count] != NULL; count++) {
> memmove(&options.identity_files[1], &options.identity_files[0],
>Index: ssh.h
>===================================================================
>--- ssh.h (revision 13254)
>+++ ssh.h (revision 13255)
>@@ -28,6 +28,12 @@
> #define SSH_MAX_IDENTITY_FILES 100
>
> /*
>+ * Maximum number of PKCS#11 modules that can be specified in configuration
>+ * files or on the command line.
>+ */
>+#define SSH_MAX_NSS_MODULES 10
>+
>+/*
> * Maximum length of lines in authorized_keys file.
> * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
> * some room for options and comments.
>Index: nsskeys.c
>===================================================================
>--- nsskeys.c (revision 13254)
>+++ nsskeys.c (revision 13255)
>@@ -76,8 +76,11 @@
> dbpath = buf;
> }
>
>- if (NSS_Init(dbpath) != SECSuccess)
>- return -1;
>+ if (NSS_Init(dbpath) != SECSuccess) {
>+ debug("Failed to initialize NSS library. Attempting without DB...");
>+ if (NSS_NoDB_Init(NULL) != SECSuccess)
>+ return -1;
>+ }
>
> if (pwfn == NULL) {
> pwfn = password_cb;
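Review bot: The new last argument in the ssh.c call, `options.nss_modules`, is declared `char *nss_modules[SSH_MAX_NSS_MODULES]` in readconf.h and so decays to `char **`, while the new `nss_get_keys` prototype takes `const char **`. C does not convert between those two implicitly, so this call will likely draw an incompatible-pointer-type warning. Since nss_get_keys only reads the array, declaring the parameter as `char *const *modules` in nsskeys.c and nsskeys.h would accept the array without a cast. The enclosing function starts and ends outside the hunk.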
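Review bot: In the nsskeys.c hunk the fallback to `NSS_NoDB_Init(NULL)` is reported only through `debug()`, so a user whose NSS database could not be opened gets no visible sign that the client is now running without its certificate and key database. The message also says the library failed to initialize, when what failed is `NSS_Init(dbpath)`, i.e. opening the database. I would log this at a level shown by default and word it accordingly, e.g. `logit("Cannot open NSS database, continuing without it");`. The function, presumably nss_init, begins before the hunk.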
>@@ -88,6 +91,25 @@
> return 0;
> }
>
>+int
>+nss_load_module(const char *modpath)
>+{
>+ char spec[MAXPATHLEN + 40];
>+ SECMODModule *module;
>+
>+ debug("loading PKCS#11 module '%s'", modpath);
>+
>+ snprintf(spec, sizeof(spec), "library=\"%s\" name=\"Foobar\"", modpath);
>+ module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE);
>+ if (!module || !module->loaded) {
>+ if (module)
>+ SECMOD_DestroyModule(module);
>+ return -1;
>+ }
>+
>+ return 0;
>+}
>+
> static Key *
> make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
> {
>@@ -281,8 +303,9 @@
>
> Key **
> nss_get_keys(const char *tokenname, const char *keyname,
>- char *password)
>+ char *password, int num_modules, const char **modules)
> {
>+ int i;
> Key **keys;
>
> if (nss_init(NULL) == -1) {
>@@ -290,6 +313,13 @@
> return NULL;
> }
>
>+ for (i = 0;i < num_modules;i++) {
>+ if (nss_load_module(modules[i]) == -1) {
>+ error("Failed to load PKCS#11 module '%s'", modules[i]);
>+ return NULL;
>+ }
>+ }
>+
> keys = nss_find_privkeys(tokenname, keyname, password);
> if (keys == NULL && keyname != NULL) {
> error("Cannot find key in nss, token removed");
>Index: nsskeys.h
>===================================================================
>--- nsskeys.h (revision 13254)
>+++ nsskeys.h (revision 13255)
>@@ -30,7 +30,7 @@
> #include <prtypes.h>
>
> int nss_init(PK11PasswordFunc);
>-Key **nss_get_keys(const char *, const char *, char *);
>+Key **nss_get_keys(const char *, const char *, char *, int , const char **);
> char *nss_get_key_label(Key *);
> /*void sc_close(void);*/
> /*int sc_put_key(Key *, const char *);*/
>Index: readconf.c
>===================================================================
>--- readconf.c (revision 13254)
>+++ readconf.c (revision 13255)
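Review bot: In nss_load_module, `modpath` is pasted into the quoted module spec without a check for `"` and the `snprintf` result is ignored, so a path containing a double quote can add its own parameters to the spec and an over-long path is silently truncated into a different library name. Both cases should be rejected before `SECMOD_LoadUserModule` is called: `if (strchr(modpath, '"') != NULL) return -1;` and `if ((size_t)snprintf(spec, sizeof(spec), …) >= sizeof(spec)) return -1;`. Every module is also registered under the placeholder name "Foobar"; with up to SSH_MAX_NSS_MODULES modules a distinct name per module would be safer, since NSS can look modules up by name (worth confirming how duplicates are treated). As far as this patch shows the function is used only inside nsskeys.c and has no prototype in nsskeys.h, so it could be `static int`.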
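Review bot: The loop added to nss_get_keys returns NULL on the first module that fails to load, so one bad NSSModule entry hides every NSS key, including keys in the NSS database and on modules that loaded successfully before it. Modules loaded earlier in the loop also stay loaded on that error path. If partial availability is acceptable, keeping the `error(...)` line and replacing `return NULL;` with `continue;` would let the remaining key sources work; if failing closed is intended, a comment saying so would help. The function's body continues outside the hunk.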
>@@ -124,7 +124,7 @@
> oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
> oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
> oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
>- oUseNSS, oNSSToken,
>+ oUseNSS, oNSSToken, oNSSModule,
> oClearAllForwardings, oNoHostAuthenticationForLocalhost,
> oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
> oAddressFamily, oGssAuthentication, oGssDelegateCreds,
>@@ -213,9 +213,11 @@
> #ifdef HAVE_LIBNSS
> { "usenss", oUseNSS },
> { "nsstoken", oNSSToken },
>+ { "nssmodule", oNSSModule },
> #else
> { "usenss", oUnsupported },
> { "nsstoken", oNSSToken },
>+ { "nssmodule", oUnsupported },
> #endif
> { "clearallforwardings", oClearAllForwardings },
> { "enablesshkeysign", oEnableSSHKeysign },
>@@ -617,6 +619,20 @@
> charptr = &options->nss_token;
> goto parse_command;
>
>+ case oNSSModule:
>+ arg = strdelim(&s);
>+ if (!arg || *arg == '\0')
>+ fatal("%.200s line %d: Missing argument.", filename, linenum);
>+ if (*activep) {
>+ intptr = &options->num_nss_modules;
>+ if (*intptr >= SSH_MAX_NSS_MODULES)
>+ fatal("%.200s line %d: Too many PKCS#11 modules specified (max %d).",
>+ filename, linenum, SSH_MAX_NSS_MODULES);
>+ charptr = &options->nss_modules[*intptr];
>+ *charptr = xstrdup(arg);
>+ *intptr = *intptr + 1;
>+ }
>+ break;
> case oProxyCommand:
> charptr = &options->proxy_command;
> parse_command:
>@@ -1069,6 +1085,7 @@
> options->smartcard_device = NULL;
> options->use_nss = -1;
> options->nss_token = NULL;
>+ options->num_nss_modules = 0;
> options->enable_ssh_keysign = - 1;
> options->no_host_authentication_for_localhost = - 1;
> options->identities_only = - 1;
>Index: readconf.h
>===================================================================
>--- readconf.h (revision 13254)
>+++ readconf.h (revision 13255)
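Review bot: The `oNSSModule` case stores `arg` unchanged, so a relative path or a bare file name is accepted and later handed to the NSS module loader, which presumably resolves it through the working directory or the library search path. Because the module is code loaded into the ssh client process, I would require an absolute path at parse time, e.g. `if (*arg != '/') fatal("%.200s line %d: NSSModule requires an absolute path.", filename, linenum);`. The bound check against SSH_MAX_NSS_MODULES before the store looks right. The case sits inside a switch whose start and end lie outside the hunk.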
>@@ -86,6 +86,8 @@
> char *smartcard_device; /* Smartcard reader device */
> int use_nss; /* Use NSS library for keys */
> char *nss_token; /* Look for NSS keys on token */
>+ int num_nss_modules; /* Number of PCKS#11 modules. */
>+ char *nss_modules[SSH_MAX_NSS_MODULES];
> int verify_host_key_dns; /* Verify host key using DNS */
>
> int num_identity_files; /* Number of files for RSA/DSA identities. */
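Review bot: The comment on `num_nss_modules` misspells the standard as "PCKS#11", and `nss_modules` is the only field in this stretch without a comment. Suggested wording: `/* Number of PKCS#11 modules. */` on the counter and `/* Paths of PKCS#11 modules to load into NSS */` on the array. It would also help to say that only the first `num_nss_modules` entries are valid, since the initialisation in readconf.c resets the counter but not the array. The struct begins and ends outside the hunk.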
Attachments on
bug 356451
: 241861 |
369436