diff options
| -rw-r--r-- | ssh-pkcs11.c | 31 |
1 files changed, 5 insertions, 26 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index d4053ea82..09f1ea347 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */ | 1 | /* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2010 Markus Friedl. All rights reserved. |
| 4 | * Copyright (c) 2014 Pedro Martelletto. All rights reserved. | 4 | * Copyright (c) 2014 Pedro Martelletto. All rights reserved. |
| @@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, | |||
| 633 | CK_FUNCTION_LIST *f; | 633 | CK_FUNCTION_LIST *f; |
| 634 | CK_RV rv; | 634 | CK_RV rv; |
| 635 | CK_SESSION_HANDLE session; | 635 | CK_SESSION_HANDLE session; |
| 636 | int login_required, have_pinpad, ret; | 636 | int login_required, ret; |
| 637 | char prompt[1024], *xpin = NULL; | ||
| 638 | 637 | ||
| 639 | f = p->function_list; | 638 | f = p->function_list; |
| 640 | si = &p->slotinfo[slotidx]; | 639 | si = &p->slotinfo[slotidx]; |
| 641 | 640 | ||
| 642 | have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH; | ||
| 643 | login_required = si->token.flags & CKF_LOGIN_REQUIRED; | 641 | login_required = si->token.flags & CKF_LOGIN_REQUIRED; |
| 644 | 642 | ||
| 645 | /* fail early before opening session */ | 643 | /* fail early before opening session */ |
| 646 | if (login_required && !have_pinpad && !pkcs11_interactive && | 644 | if (login_required && !pkcs11_interactive && |
| 647 | (pin == NULL || strlen(pin) == 0)) { | 645 | (pin == NULL || strlen(pin) == 0)) { |
| 648 | error("pin required"); | 646 | error("pin required"); |
| 649 | return (-SSH_PKCS11_ERR_PIN_REQUIRED); | 647 | return (-SSH_PKCS11_ERR_PIN_REQUIRED); |
| @@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, | |||
| 653 | error("C_OpenSession failed: %lu", rv); | 651 | error("C_OpenSession failed: %lu", rv); |
| 654 | return (-1); | 652 | return (-1); |
| 655 | } | 653 | } |
| 656 | if (login_required) { | 654 | if (login_required && pin != NULL && strlen(pin) != 0) { |
| 657 | if (have_pinpad && (pin == NULL || strlen(pin) == 0)) { | 655 | rv = f->C_Login(session, user, (u_char *)pin, strlen(pin)); |
| 658 | /* defer PIN entry to the reader keypad */ | ||
| 659 | rv = f->C_Login(session, CKU_USER, NULL_PTR, 0); | ||
| 660 | } else { | ||
| 661 | if (pkcs11_interactive) { | ||
| 662 | snprintf(prompt, sizeof(prompt), | ||
| 663 | "Enter PIN for '%s': ", si->token.label); | ||
| 664 | if ((xpin = read_passphrase(prompt, | ||
| 665 | RP_ALLOW_EOF)) == NULL) { | ||
| 666 | debug("%s: no pin specified", | ||
| 667 | __func__); | ||
| 668 | return (-SSH_PKCS11_ERR_PIN_REQUIRED); | ||
| 669 | } | ||
| 670 | pin = xpin; | ||
| 671 | } | ||
| 672 | rv = f->C_Login(session, CKU_USER, | ||
| 673 | (u_char *)pin, strlen(pin)); | ||
| 674 | if (xpin != NULL) | ||
| 675 | freezero(xpin, strlen(xpin)); | ||
| 676 | } | ||
| 677 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { | 656 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { |
| 678 | error("C_Login failed: %lu", rv); | 657 | error("C_Login failed: %lu", rv); |
| 679 | ret = (rv == CKR_PIN_LOCKED) ? | 658 | ret = (rv == CKR_PIN_LOCKED) ? |