diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-05-27 05:15:02 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-05-27 15:16:59 +1000 |
| commit | a71ba58adf34e599f30cdda6e9b93ae6e3937eea (patch) | |
| tree | 2f74e8db69612748b82f88bb2728ae4853e34349 | |
| parent | b282fec1aa05246ed3482270eb70fc3ec5f39a00 (diff) | |
upstream commit
support PKCS#11 devices with external PIN entry devices
bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
| -rw-r--r-- | ssh-pkcs11.c | 32 |
1 files changed, 20 insertions, 12 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index f4971ad8a..e074175bb 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.18 2015/04/24 01:36:01 deraadt Exp $ */ | 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -237,7 +237,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | |||
| 237 | {CKA_ID, NULL, 0}, | 237 | {CKA_ID, NULL, 0}, |
| 238 | {CKA_SIGN, NULL, sizeof(true_val) } | 238 | {CKA_SIGN, NULL, sizeof(true_val) } |
| 239 | }; | 239 | }; |
| 240 | char *pin, prompt[1024]; | 240 | char *pin = NULL, prompt[1024]; |
| 241 | int rval = -1; | 241 | int rval = -1; |
| 242 | 242 | ||
| 243 | key_filter[0].pValue = &private_key_class; | 243 | key_filter[0].pValue = &private_key_class; |
| @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | |||
| 255 | si = &k11->provider->slotinfo[k11->slotidx]; | 255 | si = &k11->provider->slotinfo[k11->slotidx]; |
| 256 | if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { | 256 | if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { |
| 257 | if (!pkcs11_interactive) { | 257 | if (!pkcs11_interactive) { |
| 258 | error("need pin"); | 258 | error("need pin entry%s", (si->token.flags & |
| 259 | CKF_PROTECTED_AUTHENTICATION_PATH) ? | ||
| 260 | " on reader keypad" : ""); | ||
| 259 | return (-1); | 261 | return (-1); |
| 260 | } | 262 | } |
| 261 | snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", | 263 | if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) |
| 262 | si->token.label); | 264 | verbose("Deferring PIN entry to reader keypad."); |
| 263 | pin = read_passphrase(prompt, RP_ALLOW_EOF); | 265 | else { |
| 264 | if (pin == NULL) | 266 | snprintf(prompt, sizeof(prompt), |
| 265 | return (-1); /* bail out */ | 267 | "Enter PIN for '%s': ", si->token.label); |
| 266 | rv = f->C_Login(si->session, CKU_USER, | 268 | pin = read_passphrase(prompt, RP_ALLOW_EOF); |
| 267 | (u_char *)pin, strlen(pin)); | 269 | if (pin == NULL) |
| 268 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { | 270 | return (-1); /* bail out */ |
| 271 | } | ||
| 272 | rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, | ||
| 273 | (pin != NULL) ? strlen(pin) : 0); | ||
| 274 | if (pin != NULL) { | ||
| 275 | explicit_bzero(pin, strlen(pin)); | ||
| 269 | free(pin); | 276 | free(pin); |
| 277 | } | ||
| 278 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { | ||
| 270 | error("C_Login failed: %lu", rv); | 279 | error("C_Login failed: %lu", rv); |
| 271 | return (-1); | 280 | return (-1); |
| 272 | } | 281 | } |
| 273 | free(pin); | ||
| 274 | si->logged_in = 1; | 282 | si->logged_in = 1; |
| 275 | } | 283 | } |
| 276 | key_filter[1].pValue = k11->keyid; | 284 | key_filter[1].pValue = k11->keyid; |