59 * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
62 struct helper { struct
72 static struct helper **helpers; argument
75 static struct helper *
90 static struct helper *
107 static struct helper *
125 helper_free(struct helper *helper) in helper_free() argument
130 if (helper == NULL) in helper_free()
132 if (helper->path == NULL || helper->ec_meth == NULL || in helper_free()
133 helper->rsa_meth == NULL) in helper_free()
134 fatal_f("inconsistent helper"); in helper_free()
135 debug3_f("free helper for provider %s", helper->path); in helper_free()
137 if (helpers[i] == helper) { in helper_free()
139 fatal_f("helper recorded more than once"); in helper_free()
150 free(helper->path); in helper_free()
152 EC_KEY_METHOD_free(helper->ec_meth); in helper_free()
154 RSA_meth_free(helper->rsa_meth); in helper_free()
155 free(helper); in helper_free()
159 helper_terminate(struct helper *helper) in helper_terminate() argument
161 if (helper == NULL) { in helper_terminate()
163 } else if (helper->fd == -1) { in helper_terminate()
166 debug3_f("terminating helper for %s; " in helper_terminate()
168 helper->path, helper->nrsa, helper->nec); in helper_terminate()
169 close(helper->fd); in helper_terminate()
171 helper->fd = -1; in helper_terminate()
172 helper->pid = -1; in helper_terminate()
175 * Don't delete the helper entry until there are no remaining keys in helper_terminate()
179 if (helper->nrsa == 0 && helper->nec == 0) in helper_terminate()
180 helper_free(helper); in helper_terminate()
196 error("write to helper failed"); in send_msg()
212 error("read from helper failed: %u", len); in recv_msg()
224 error("response from helper failed."); in recv_msg()
260 struct helper *helper; in rsa_encrypt() local
262 if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) in rsa_encrypt()
263 fatal_f("no helper for PKCS11 key"); in rsa_encrypt()
264 debug3_f("signing with PKCS11 provider %s", helper->path); in rsa_encrypt()
286 send_msg(helper->fd, msg); in rsa_encrypt()
289 if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { in rsa_encrypt()
308 struct helper *helper; in rsa_finish() local
310 if ((helper = helper_by_rsa(rsa)) == NULL) in rsa_finish()
311 fatal_f("no helper for PKCS11 key"); in rsa_finish()
312 debug3_f("free PKCS11 RSA key for provider %s", helper->path); in rsa_finish()
313 if (helper->rsa_finish != NULL) in rsa_finish()
314 helper->rsa_finish(rsa); in rsa_finish()
315 if (helper->nrsa == 0) in rsa_finish()
317 helper->nrsa--; in rsa_finish()
319 helper->path, helper->nrsa, helper->nec); in rsa_finish()
320 if (helper->nrsa == 0 && helper->nec == 0) in rsa_finish()
321 helper_terminate(helper); in rsa_finish()
337 struct helper *helper; in ecdsa_do_sign() local
339 if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) in ecdsa_do_sign()
340 fatal_f("no helper for PKCS11 key"); in ecdsa_do_sign()
341 debug3_f("signing with PKCS11 provider %s", helper->path); in ecdsa_do_sign()
369 send_msg(helper->fd, msg); in ecdsa_do_sign()
372 if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { in ecdsa_do_sign()
390 struct helper *helper; in ecdsa_do_finish() local
392 if ((helper = helper_by_ec(ec)) == NULL) in ecdsa_do_finish()
393 fatal_f("no helper for PKCS11 key"); in ecdsa_do_finish()
394 debug3_f("free PKCS11 ECDSA key for provider %s", helper->path); in ecdsa_do_finish()
395 if (helper->ec_finish != NULL) in ecdsa_do_finish()
396 helper->ec_finish(ec); in ecdsa_do_finish()
397 if (helper->nec == 0) in ecdsa_do_finish()
399 helper->nec--; in ecdsa_do_finish()
401 helper->path, helper->nrsa, helper->nec); in ecdsa_do_finish()
402 if (helper->nrsa == 0 && helper->nec == 0) in ecdsa_do_finish()
403 helper_terminate(helper); in ecdsa_do_finish()
407 /* redirect private key crypto operations to the ssh-pkcs11-helper */
409 wrap_key(struct helper *helper, struct sshkey *k) in wrap_key() argument
411 debug3_f("wrap %s for provider %s", sshkey_type(k), helper->path); in wrap_key()
413 RSA_set_method(k->rsa, helper->rsa_meth); in wrap_key()
414 if (helper->nrsa++ >= INT_MAX) in wrap_key()
418 EC_KEY_set_method(k->ecdsa, helper->ec_meth); in wrap_key()
419 if (helper->nec++ >= INT_MAX) in wrap_key()
426 helper->path, helper->nrsa, helper->nec); in wrap_key()
437 struct helper *helper = NULL; in pkcs11_make_cert() local
452 if ((helper = helper_by_rsa(priv->rsa)) == NULL || in pkcs11_make_cert()
453 helper->fd == -1) in pkcs11_make_cert()
454 fatal_f("no helper for PKCS11 RSA key"); in pkcs11_make_cert()
457 RSA_set_method(ret->rsa, helper->rsa_meth); in pkcs11_make_cert()
458 if (helper->nrsa++ >= INT_MAX) in pkcs11_make_cert()
462 if ((helper = helper_by_ec(priv->ecdsa)) == NULL || in pkcs11_make_cert()
463 helper->fd == -1) in pkcs11_make_cert()
464 fatal_f("no helper for PKCS11 EC key"); in pkcs11_make_cert()
467 EC_KEY_set_method(ret->ecdsa, helper->ec_meth); in pkcs11_make_cert()
468 if (helper->nec++ >= INT_MAX) in pkcs11_make_cert()
479 helper->path, helper->nrsa, helper->nec); in pkcs11_make_cert()
486 pkcs11_start_helper_methods(struct helper *helper) in pkcs11_start_helper_methods() argument
503 EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, in pkcs11_start_helper_methods()
511 helper->rsa_finish = RSA_meth_get_finish(rsa_meth); in pkcs11_start_helper_methods()
512 if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || in pkcs11_start_helper_methods()
517 helper->ec_meth = ec_meth; in pkcs11_start_helper_methods()
518 helper->rsa_meth = rsa_meth; in pkcs11_start_helper_methods()
522 static struct helper *
527 struct helper *helper; in pkcs11_start_helper() local
532 debug3_f("start helper for %s", path); in pkcs11_start_helper()
537 helper = xcalloc(1, sizeof(*helper)); in pkcs11_start_helper()
538 if (pkcs11_start_helper_methods(helper) == -1) { in pkcs11_start_helper()
547 RSA_meth_free(helper->rsa_meth); in pkcs11_start_helper()
549 EC_KEY_METHOD_free(helper->ec_meth); in pkcs11_start_helper()
551 free(helper); in pkcs11_start_helper()
573 helper->fd = pair[0]; in pkcs11_start_helper()
574 helper->path = xstrdup(path); in pkcs11_start_helper()
575 helper->pid = pid; in pkcs11_start_helper()
576 debug3_f("helper %zu for \"%s\" on fd %d pid %ld", nhelpers, in pkcs11_start_helper()
577 helper->path, helper->fd, (long)helper->pid); in pkcs11_start_helper()
580 helpers[nhelpers++] = helper; in pkcs11_start_helper()
581 return helper; in pkcs11_start_helper()
595 struct helper *helper; in pkcs11_add_provider() local
597 if ((helper = helper_by_provider(name)) == NULL && in pkcs11_add_provider()
598 (helper = pkcs11_start_helper(name)) == NULL) in pkcs11_add_provider()
607 send_msg(helper->fd, msg); in pkcs11_add_provider()
610 type = recv_msg(helper->fd, msg); in pkcs11_add_provider()
624 wrap_key(helper, k); in pkcs11_add_provider()
645 struct helper *helper; in pkcs11_del_provider() local
648 * ssh-agent deletes keys before calling this, so the helper entry in pkcs11_del_provider()
652 if ((helper = helper_by_provider(name)) != NULL) in pkcs11_del_provider()
653 helper_terminate(helper); in pkcs11_del_provider()