summaryrefslogtreecommitdiff
path: root/ssh-pkcs11.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2015-05-27 05:15:02 +0000
committerDamien Miller <djm@mindrot.org>2015-05-27 15:16:59 +1000
commita71ba58adf34e599f30cdda6e9b93ae6e3937eea (patch)
tree2f74e8db69612748b82f88bb2728ae4853e34349 /ssh-pkcs11.c
parentb282fec1aa05246ed3482270eb70fc3ec5f39a00 (diff)
upstream commit
support PKCS#11 devices with external PIN entry devices bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
Diffstat (limited to 'ssh-pkcs11.c')
-rw-r--r--ssh-pkcs11.c32
1 files changed, 20 insertions, 12 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index f4971ad8a..e074175bb 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-pkcs11.c,v 1.18 2015/04/24 01:36:01 deraadt Exp $ */ 1/* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2010 Markus Friedl. All rights reserved. 3 * Copyright (c) 2010 Markus Friedl. All rights reserved.
4 * 4 *
@@ -237,7 +237,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
237 {CKA_ID, NULL, 0}, 237 {CKA_ID, NULL, 0},
238 {CKA_SIGN, NULL, sizeof(true_val) } 238 {CKA_SIGN, NULL, sizeof(true_val) }
239 }; 239 };
240 char *pin, prompt[1024]; 240 char *pin = NULL, prompt[1024];
241 int rval = -1; 241 int rval = -1;
242 242
243 key_filter[0].pValue = &private_key_class; 243 key_filter[0].pValue = &private_key_class;
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
255 si = &k11->provider->slotinfo[k11->slotidx]; 255 si = &k11->provider->slotinfo[k11->slotidx];
256 if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { 256 if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
257 if (!pkcs11_interactive) { 257 if (!pkcs11_interactive) {
258 error("need pin"); 258 error("need pin entry%s", (si->token.flags &
259 CKF_PROTECTED_AUTHENTICATION_PATH) ?
260 " on reader keypad" : "");
259 return (-1); 261 return (-1);
260 } 262 }
261 snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", 263 if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
262 si->token.label); 264 verbose("Deferring PIN entry to reader keypad.");
263 pin = read_passphrase(prompt, RP_ALLOW_EOF); 265 else {
264 if (pin == NULL) 266 snprintf(prompt, sizeof(prompt),
265 return (-1); /* bail out */ 267 "Enter PIN for '%s': ", si->token.label);
266 rv = f->C_Login(si->session, CKU_USER, 268 pin = read_passphrase(prompt, RP_ALLOW_EOF);
267 (u_char *)pin, strlen(pin)); 269 if (pin == NULL)
268 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { 270 return (-1); /* bail out */
271 }
272 rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
273 (pin != NULL) ? strlen(pin) : 0);
274 if (pin != NULL) {
275 explicit_bzero(pin, strlen(pin));
269 free(pin); 276 free(pin);
277 }
278 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
270 error("C_Login failed: %lu", rv); 279 error("C_Login failed: %lu", rv);
271 return (-1); 280 return (-1);
272 } 281 }
273 free(pin);
274 si->logged_in = 1; 282 si->logged_in = 1;
275 } 283 }
276 key_filter[1].pValue = k11->keyid; 284 key_filter[1].pValue = k11->keyid;
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-03 10:56:44 +0000