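Lines matching full:helper (non-contiguous search hits, not a complete listing: each entry starts with its line number in the source file and, where shown, ends with the enclosing function)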
59 * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
62 struct helper { struct
72 static struct helper **helpers; argument
75 static struct helper *
90 static struct helper *
107 static struct helper *
125 helper_free(struct helper *helper) in helper_free() argument
130 if (helper == NULL) in helper_free()
132 if (helper->path == NULL || helper->ec_meth == NULL || in helper_free()
133 helper->rsa_meth == NULL) in helper_free()
134 fatal_f("inconsistent helper"); in helper_free()
135 debug3_f("free helper for provider %s", helper->path); in helper_free()
137 if (helpers[i] == helper) { in helper_free()
139 fatal_f("helper recorded more than once"); in helper_free()
150 free(helper->path); in helper_free()
152 EC_KEY_METHOD_free(helper->ec_meth); in helper_free()
154 RSA_meth_free(helper->rsa_meth); in helper_free()
155 free(helper); in helper_free()
159 helper_terminate(struct helper *helper) in helper_terminate() argument
161 if (helper == NULL) { in helper_terminate()
163 } else if (helper->fd == -1) { in helper_terminate()
166 debug3_f("terminating helper for %s; " in helper_terminate()
168 helper->path, helper->nrsa, helper->nec); in helper_terminate()
169 close(helper->fd); in helper_terminate()
171 helper->fd = -1; in helper_terminate()
172 helper->pid = -1; in helper_terminate()
175 * Don't delete the helper entry until there are no remaining keys in helper_terminate()
179 if (helper->nrsa == 0 && helper->nec == 0) in helper_terminate()
180 helper_free(helper); in helper_terminate()
196 error("write to helper failed"); in send_msg()
212 error("read from helper failed: %u", len); in recv_msg()
224 error("response from helper failed."); in recv_msg()
260 struct helper *helper; in rsa_encrypt() local
262 if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) in rsa_encrypt()
263 fatal_f("no helper for PKCS11 key"); in rsa_encrypt()
264 debug3_f("signing with PKCS11 provider %s", helper->path); in rsa_encrypt()
289 send_msg(helper->fd, msg); in rsa_encrypt()
292 if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { in rsa_encrypt()
311 struct helper *helper; in rsa_finish() local
313 if ((helper = helper_by_rsa(rsa)) == NULL) in rsa_finish()
314 fatal_f("no helper for PKCS11 key"); in rsa_finish()
315 debug3_f("free PKCS11 RSA key for provider %s", helper->path); in rsa_finish()
316 if (helper->rsa_finish != NULL) in rsa_finish()
317 helper->rsa_finish(rsa); in rsa_finish()
318 if (helper->nrsa == 0) in rsa_finish()
320 helper->nrsa--; in rsa_finish()
322 helper->path, helper->nrsa, helper->nec); in rsa_finish()
323 if (helper->nrsa == 0 && helper->nec == 0) in rsa_finish()
324 helper_terminate(helper); in rsa_finish()
340 struct helper *helper; in ecdsa_do_sign() local
342 if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) in ecdsa_do_sign()
343 fatal_f("no helper for PKCS11 key"); in ecdsa_do_sign()
344 debug3_f("signing with PKCS11 provider %s", helper->path); in ecdsa_do_sign()
373 send_msg(helper->fd, msg); in ecdsa_do_sign()
376 if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { in ecdsa_do_sign()
394 struct helper *helper; in ecdsa_do_finish() local
396 if ((helper = helper_by_ec(ec)) == NULL) in ecdsa_do_finish()
397 fatal_f("no helper for PKCS11 key"); in ecdsa_do_finish()
398 debug3_f("free PKCS11 ECDSA key for provider %s", helper->path); in ecdsa_do_finish()
399 if (helper->ec_finish != NULL) in ecdsa_do_finish()
400 helper->ec_finish(ec); in ecdsa_do_finish()
401 if (helper->nec == 0) in ecdsa_do_finish()
403 helper->nec--; in ecdsa_do_finish()
405 helper->path, helper->nrsa, helper->nec); in ecdsa_do_finish()
406 if (helper->nrsa == 0 && helper->nec == 0) in ecdsa_do_finish()
407 helper_terminate(helper); in ecdsa_do_finish()
411 /* redirect private key crypto operations to the ssh-pkcs11-helper */
413 wrap_key(struct helper *helper, struct sshkey *k) in wrap_key() argument
418 debug3_f("wrap %s for provider %s", sshkey_type(k), helper->path); in wrap_key()
422 if (RSA_set_method(rsa, helper->rsa_meth) != 1) in wrap_key()
424 if (helper->nrsa++ >= INT_MAX) in wrap_key()
433 if (EC_KEY_set_method(ecdsa, helper->ec_meth) != 1) in wrap_key()
435 if (helper->nec++ >= INT_MAX) in wrap_key()
445 helper->path, helper->nrsa, helper->nec); in wrap_key()
456 struct helper *helper = NULL; in pkcs11_make_cert() local
477 if ((helper = helper_by_rsa(rsa_priv)) == NULL || in pkcs11_make_cert()
478 helper->fd == -1) in pkcs11_make_cert()
479 fatal_f("no helper for PKCS11 RSA key"); in pkcs11_make_cert()
484 if (RSA_set_method(rsa_cert, helper->rsa_meth) != 1) in pkcs11_make_cert()
486 if (helper->nrsa++ >= INT_MAX) in pkcs11_make_cert()
496 if ((helper = helper_by_ec(ec_priv)) == NULL || in pkcs11_make_cert()
497 helper->fd == -1) in pkcs11_make_cert()
498 fatal_f("no helper for PKCS11 EC key"); in pkcs11_make_cert()
503 if (EC_KEY_set_method(ec_cert, helper->ec_meth) != 1) in pkcs11_make_cert()
505 if (helper->nec++ >= INT_MAX) in pkcs11_make_cert()
520 helper->path, helper->nrsa, helper->nec); in pkcs11_make_cert()
527 pkcs11_start_helper_methods(struct helper *helper) in pkcs11_start_helper_methods() argument
544 EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, in pkcs11_start_helper_methods()
552 helper->rsa_finish = RSA_meth_get_finish(rsa_meth); in pkcs11_start_helper_methods()
553 if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || in pkcs11_start_helper_methods()
558 helper->ec_meth = ec_meth; in pkcs11_start_helper_methods()
559 helper->rsa_meth = rsa_meth; in pkcs11_start_helper_methods()
563 static struct helper *
568 struct helper *helper; in pkcs11_start_helper() local
573 debug3_f("start helper for %s", path); in pkcs11_start_helper()
578 helper = xcalloc(1, sizeof(*helper)); in pkcs11_start_helper()
579 if (pkcs11_start_helper_methods(helper) == -1) { in pkcs11_start_helper()
588 RSA_meth_free(helper->rsa_meth); in pkcs11_start_helper()
590 EC_KEY_METHOD_free(helper->ec_meth); in pkcs11_start_helper()
592 free(helper); in pkcs11_start_helper()
614 helper->fd = pair[0]; in pkcs11_start_helper()
615 helper->path = xstrdup(path); in pkcs11_start_helper()
616 helper->pid = pid; in pkcs11_start_helper()
617 debug3_f("helper %zu for \"%s\" on fd %d pid %ld", nhelpers, in pkcs11_start_helper()
618 helper->path, helper->fd, (long)helper->pid); in pkcs11_start_helper()
621 helpers[nhelpers++] = helper; in pkcs11_start_helper()
622 return helper; in pkcs11_start_helper()
636 struct helper *helper; in pkcs11_add_provider() local
638 if ((helper = helper_by_provider(name)) == NULL && in pkcs11_add_provider()
639 (helper = pkcs11_start_helper(name)) == NULL) in pkcs11_add_provider()
648 send_msg(helper->fd, msg); in pkcs11_add_provider()
651 type = recv_msg(helper->fd, msg); in pkcs11_add_provider()
665 wrap_key(helper, k); in pkcs11_add_provider()
686 struct helper *helper; in pkcs11_del_provider() local
689 * ssh-agent deletes keys before calling this, so the helper entry in pkcs11_del_provider()
693 if ((helper = helper_by_provider(name)) != NULL) in pkcs11_del_provider()
694 helper_terminate(helper); in pkcs11_del_provider()