upstream: revert unconditional forced login implemented in r1.41 of

ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the token returns no objects and this is less disruptive for users of tokens directly in ssh (rather than via ssh-agent) and in ssh-keygen bz3006, patch from Jakub Jelen; ok markus OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
author: djm@openbsd.org <djm@openbsd.org> 2019-10-01 10:22:53 +0000
committer: Damien Miller <djm@mindrot.org> 2019-10-01 20:24:07 +1000
commit: 084682786d9275552ee93857cb36e43c446ce92c (patch)
tree: b098c741f906f4cfed42ff989113168520aa855a /ssh-pkcs11.c
parent: 6c91d42cce3f055917dc3fd2c305dfc5b3b584b3 (diff)
1 files changed, 5 insertions, 26 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index d4053ea82..09f1ea347 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl.  All rights reserved.
 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
        CK_FUNCTION_LIST        *f;
        CK_RV                   rv;
        CK_SESSION_HANDLE       session;
-        int                     login_required, have_pinpad, ret;
+        int                     login_required, ret;
-        char                    prompt[1024], *xpin = NULL;
        f = p->function_list;
        si = &p->slotinfo[slotidx];
-        have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH;
        login_required = si->token.flags & CKF_LOGIN_REQUIRED;
        /* fail early before opening session */
-        if (login_required && !have_pinpad && !pkcs11_interactive &&
+        if (login_required && !pkcs11_interactive &&
            (pin == NULL || strlen(pin) == 0)) {
                error("pin required");
                return (-SSH_PKCS11_ERR_PIN_REQUIRED);
@@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
                error("C_OpenSession failed: %lu", rv);
                return (-1);
        }
-        if (login_required) {
+        if (login_required && pin != NULL && strlen(pin) != 0) {
-                if (have_pinpad && (pin == NULL || strlen(pin) == 0)) {
+                rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
-                        /* defer PIN entry to the reader keypad */
-                        rv = f->C_Login(session, CKU_USER, NULL_PTR, 0);
-                } else {
-                        if (pkcs11_interactive) {
-                                snprintf(prompt, sizeof(prompt),
-                                    "Enter PIN for '%s': ", si->token.label);
-                                if ((xpin = read_passphrase(prompt,
-                                    RP_ALLOW_EOF)) == NULL) {
-                                        debug("%s: no pin specified",
-                                            __func__);
-                                        return (-SSH_PKCS11_ERR_PIN_REQUIRED);
-                                }
-                                pin = xpin;
-                        }
-                        rv = f->C_Login(session, CKU_USER,
-                            (u_char *)pin, strlen(pin));
-                        if (xpin != NULL)
-                                freezero(xpin, strlen(xpin));
-                }
                if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
                        error("C_Login failed: %lu", rv);
                        ret = (rv == CKR_PIN_LOCKED) ?
author	djm@openbsd.org <djm@openbsd.org>	2019-10-01 10:22:53 +0000
committer	Damien Miller <djm@mindrot.org>	2019-10-01 20:24:07 +1000
commit	084682786d9275552ee93857cb36e43c446ce92c (patch)
tree	b098c741f906f4cfed42ff989113168520aa855a /ssh-pkcs11.c
parent	6c91d42cce3f055917dc3fd2c305dfc5b3b584b3 (diff)