libpivy: add useful support functions

arekinath · Jun 27, 2023 · 12f970b · 12f970b
1 parent 23fb104
commit 12f970b
Show file tree

Hide file tree

Showing 10 changed files with 524 additions and 265 deletions.
diff --git a/Makefile b/Makefile
@@ -358,10 +358,15 @@ pivy-tool: $(PIVTOOL_OBJS) $(LIBSSH) $(LIBCRYPTO)
 LIBPIVY_SOURCES=		\
 	$(PIV_COMMON_SOURCES)	\
 	$(PIV_CERT_SOURCES)	\
+	$(EBOX_COMMON_SOURCES)	\
+	$(SSS_SOURCES)		\
+	piv-ca.c		\
 	cleanup-exit.c
 LIBPIVY_HEADERS=		\
 	$(PIV_COMMON_HEADERS)	\
-	$(PIV_CERT_HEADERS)
+	$(PIV_CERT_HEADERS)	\
+	$(EBOX_COMMON_HEADERS)	\
+	$(PIV_CA_HEADERS)
 ifeq (yes, $(HAVE_JSONC))
 	LIBPIVY_SOURCES+=	piv-ca.c
 	LIBPIVY_HEADERS+=	$(PIV_CA_HEADERS)
@@ -370,6 +375,7 @@ LIBPIVY_OBJS=		$(LIBPIVY_SOURCES:%.c=%.o)
 LIBPIVY_CFLAGS=		$(PCSC_CFLAGS) \
 			$(CRYPTO_CFLAGS) \
 			$(ZLIB_CFLAGS) \
+			$(JSONC_CFLAGS) \
 			$(SYSTEM_CFLAGS) \
 			$(SECURITY_CFLAGS) \
 			$(CONFIG_CFLAGS) \
@@ -383,11 +389,8 @@ LIBPIVY_LDFLAGS=	$(SYSTEM_LDFLAGS) \
 LIBPIVY_LIBS=		$(CRYPTO_LIBS) \
 			$(PCSC_LIBS) \
 			$(ZLIB_LIBS) \
+			$(JSONC_LIBS) \
 			$(SYSTEM_LIBS)
-ifeq (yes, $(HAVE_JSONC))
-	LIBPIVY_CFLAGS+= $(JSONC_CFLAGS)
-	LIBPIVY_LIBS+=	$(JSONC_LIBS)
-endif
 
 libpivy.so.1 :		CFLAGS=		$(LIBPIVY_CFLAGS)
 libpivy.so.1 :		LIBS+=		$(LIBPIVY_LIBS)

diff --git a/bunyan.c b/bunyan.c
@@ -49,6 +49,13 @@ static const char *bunyan_name = NULL;
  * portable to lots of other operating systems.
  */
 
+static void
+bunyan_default_printer(enum bunyan_log_level lvl, const char *msg)
+{
+	fprintf(stderr, "%s", msg);
+}
+
+static bunyan_printer_t bunyan_printer = bunyan_default_printer;
 static char *bunyan_buf = NULL;
 static size_t bunyan_buf_sz = 0;
 
@@ -92,6 +99,13 @@ bunyan_set_level(enum bunyan_log_level level)
 	bunyan_min_level = level;
 }
 
+void
+bunyan_set_printer(bunyan_printer_t printer, boolean_t omit_timestamp)
+{
+	bunyan_printer = printer;
+	bunyan_omit_timestamp = omit_timestamp;
+}
+
 enum bunyan_log_level
 bunyan_get_level(void)
 {
@@ -414,25 +428,27 @@ bunyan_log(enum bunyan_log_level level, const char *msg, ...)
 		printf_buf("[%s] ", time);
 	}
 
-	switch (level) {
-	case BNY_TRACE:
-		printf_buf("TRACE: ");
-		break;
-	case BNY_DEBUG:
-		printf_buf("DEBUG: ");
-		break;
-	case BNY_INFO:
-		printf_buf("INFO: ");
-		break;
-	case BNY_WARN:
-		printf_buf("WARN: ");
-		break;
-	case BNY_ERROR:
-		printf_buf("ERROR: ");
-		break;
-	case BNY_FATAL:
-		printf_buf("FATAL: ");
-		break;
+	if (bunyan_printer == bunyan_default_printer) {
+		switch (level) {
+		case BNY_TRACE:
+			printf_buf("TRACE: ");
+			break;
+		case BNY_DEBUG:
+			printf_buf("DEBUG: ");
+			break;
+		case BNY_INFO:
+			printf_buf("INFO: ");
+			break;
+		case BNY_WARN:
+			printf_buf("WARN: ");
+			break;
+		case BNY_ERROR:
+			printf_buf("ERROR: ");
+			break;
+		case BNY_FATAL:
+			printf_buf("FATAL: ");
+			break;
+		}
 	}
 
 	printf_buf("%s", msg);
@@ -531,5 +547,5 @@ bunyan_log(enum bunyan_log_level level, const char *msg, ...)
 	if (level < bunyan_min_level) {
 		return;
 	}
-	fprintf(stderr, "%s", bunyan_buf);
+	(*bunyan_printer)(level, bunyan_buf);
 }
diff --git a/bunyan.h b/bunyan.h
@@ -35,6 +35,8 @@ enum bunyan_arg_type {
 void bunyan_init(void);
 void bunyan_unshare(void);
 void bunyan_set_name(const char *name);
+typedef void (*bunyan_printer_t)(enum bunyan_log_level, const char *);
+void bunyan_set_printer(bunyan_printer_t printer, boolean_t omit_timestamp);
 void bunyan_set_level(enum bunyan_log_level level);
 enum bunyan_log_level bunyan_get_level(void);
 void bunyan_log(enum bunyan_log_level level, const char *msg, ...);

diff --git a/ebox-cmd.c b/ebox-cmd.c
@@ -248,15 +248,11 @@ assert_pin(struct piv_token *pk, struct piv_slot *slot, const char *partname,
 errf_t *
 local_unlock_agent(struct piv_ecdh_box *box)
 {
-	struct piv_ecdh_box *rebox = NULL;
-	struct sshkey *pubkey, *temp = NULL, *temppub = NULL;
+	struct sshkey *pubkey;
 	errf_t *err;
 	int rc;
 	uint i;
-	uint8_t code;
 	struct ssh_identitylist *idl = NULL;
-	struct sshbuf *req = NULL, *buf = NULL, *boxbuf = NULL, *reply = NULL;
-	struct sshbuf *datab = NULL;
 	boolean_t found = B_FALSE;
 
 	if (ebox_authfd == -1 &&
@@ -285,115 +281,17 @@ local_unlock_agent(struct piv_ecdh_box *box)
 		goto out;
 	}
 
-	rc = sshkey_generate(KEY_ECDSA, sshkey_size(pubkey), &temp);
-	if (rc) {
-		err = ssherrf("sshkey_generate", rc);
-		goto out;
-	}
-	if ((rc = sshkey_demote(temp, &temppub))) {
-		err = ssherrf("sshkey_demote", rc);
-		goto out;
-	}
-
-	req = sshbuf_new();
-	reply = sshbuf_new();
-	buf = sshbuf_new();
-	boxbuf = sshbuf_new();
-	if (req == NULL || reply == NULL || buf == NULL || boxbuf == NULL) {
-		err = ERRF_NOMEM;
-		goto out;
-	}
-
-	if ((rc = sshbuf_put_u8(req, SSH_AGENTC_EXTENSION))) {
-		err = ssherrf("sshbuf_put_u8", rc);
-		goto out;
-	}
-	if ((rc = sshbuf_put_cstring(req, "[email protected]"))) {
-		err = ssherrf("sshbuf_put_cstring", rc);
-		goto out;
-	}
-
-	if ((err = sshbuf_put_piv_box(boxbuf, box)))
-		goto out;
-	if ((rc = sshbuf_put_stringb(buf, boxbuf))) {
-		err = ssherrf("sshbuf_put_stringb", rc);
-		goto out;
-	}
-	if ((rc = sshbuf_put_u32(buf, 0)) ||
-	    (rc = sshbuf_put_u8(buf, 0))) {
-		err = ssherrf("sshbuf_put_u32", rc);
-		goto out;
-	}
-	sshbuf_reset(boxbuf);
-	if ((rc = sshkey_putb(temppub, boxbuf))) {
-		err = ssherrf("sshkey_putb", rc);
-		goto out;
-	}
-	if ((rc = sshbuf_put_stringb(buf, boxbuf))) {
-		err = ssherrf("sshbuf_put_stringb", rc);
-		goto out;
-	}
-	if ((rc = sshbuf_put_u32(buf, 0))) {
-		err = ssherrf("sshbuf_put_u32", rc);
-		goto out;
-	}
-
-	if ((rc = sshbuf_put_stringb(req, buf))) {
-		err = ssherrf("sshbuf_put_stringb", rc);
-		goto out;
-	}
-
 	if (!ebox_batch) {
 		fprintf(stderr, "Using key '%s' in ssh-agent...\n",
 		    idl->comments[i]);
 	}
-	rc = ssh_request_reply(ebox_authfd, req, reply);
-	if (rc) {
-		err = ssherrf("ssh_request_reply", rc);
-		goto out;
-	}
-
-	if ((rc = sshbuf_get_u8(reply, &code))) {
-		err = ssherrf("sshbuf_get_u8", rc);
-		goto out;
-	}
-	if (code != SSH_AGENT_SUCCESS) {
-		err = errf("SSHAgentError", NULL, "SSH agent returned "
-		    "message code %d to rebox request", (int)code);
-		goto out;
-	}
-	sshbuf_reset(boxbuf);
-	if ((rc = sshbuf_get_stringb(reply, boxbuf))) {
-		err = ssherrf("sshbuf_get_stringb", rc);
-		goto out;
-	}
 
-	if ((err = sshbuf_get_piv_box(boxbuf, &rebox)))
-		goto out;
-
-	if ((err = piv_box_open_offline(temp, rebox)))
-		goto out;
-
-	if ((err = piv_box_take_datab(rebox, &datab)))
-		goto out;
-
-	if ((err = piv_box_set_datab(box, datab)))
-		goto out;
-
-	err = ERRF_OK;
+	err = piv_box_open_agent(ebox_authfd, box);
+	if (err)
+		warnfx(err, "Failed to use key from ssh-agent");
 
 out:
-	sshbuf_free(req);
-	sshbuf_free(reply);
-	sshbuf_free(buf);
-	sshbuf_free(boxbuf);
-	sshbuf_free(datab);
-
-	sshkey_free(temp);
-	sshkey_free(temppub);
-
 	ssh_free_identitylist(idl);
-	piv_box_free(rebox);
 	return (err);
 }
 

diff --git a/libpivy.version b/libpivy.version
@@ -46,6 +46,7 @@ CODEABI_1.0 {
         piv_box_new;
         piv_box_nonce_size;
         piv_box_open;
+        piv_box_open_agent;
         piv_box_open_offline;
         piv_box_pubkey;
         piv_box_seal;
@@ -471,6 +472,7 @@ CODEABI_1.0 {
         bunyan_pop;
         bunyan_set_level;
         bunyan_set_name;
+        bunyan_set_printer;
         bunyan_unshare;
 
         /*
@@ -689,5 +691,23 @@ CODEABI_1.0 {
         tlv_write_byte;
         tlv_write_u16;
         tlv_write_u8to32;
+
+        /*
+         * selected LibreSSL bits
+         */
+        X509_CRL_free;
+        X509_CRL_from_der;
+        X509_CRL_new;
+        X509_CRL_to_der;
+        X509_free;
+        X509_from_der;
+        X509_new;
+        X509_REQ_free;
+        X509_REQ_from_der;
+        X509_REQ_new;
+        X509_REQ_to_der;
+        X509_to_der;
+
+
     local: *;
 };
diff --git a/piv-ca.c b/piv-ca.c
@@ -1519,6 +1519,40 @@ write_uri_array(json_object *array, struct ca_uri *head)
 	return (ERRF_OK);
 }
 
+const char *
+ca_get_ebox_tpl(struct ca *ca, enum ca_ebox_type type)
+{
+	struct ca_ebox_tpl **ptr;
+	switch (type) {
+	case CA_EBOX_PIN:
+	case CA_EBOX_OLD_PIN:
+		ptr = &ca->ca_pin_tpl;
+		break;
+	case CA_EBOX_PUK:
+		ptr = &ca->ca_puk_tpl;
+		break;
+	case CA_EBOX_KEY_BACKUP:
+		ptr = &ca->ca_backup_tpl;
+		break;
+	case CA_EBOX_ADMIN_KEY:
+		ptr = &ca->ca_admin_tpl;
+		break;
+	}
+	if (*ptr == NULL)
+		return (NULL);
+	return ((*ptr)->cet_name);
+}
+
+struct ebox_tpl *
+ca_get_ebox_tpl_name(struct ca *ca, const char *name)
+{
+	struct ca_ebox_tpl *cet;
+	cet = get_ebox_tpl(&ca->ca_ebox_tpls, name, 0);
+	if (cet == NULL)
+		return (NULL);
+	return (cet->cet_tpl);
+}
+
 errf_t *
 ca_set_ebox_tpl(struct ca *ca, enum ca_ebox_type type, const char *tplname)
 {