summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--scard.c56
2 files changed, 39 insertions, 22 deletions
diff --git a/ChangeLog b/ChangeLog
index 526edb96b..bd1f8688c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,9 @@
16 - stevesk@cvs.openbsd.org 2002/03/24 17:53:16 16 - stevesk@cvs.openbsd.org 2002/03/24 17:53:16
17 [monitor_fdpass.c] 17 [monitor_fdpass.c]
18 minor cleanup and more error checking; ok markus@ 18 minor cleanup and more error checking; ok markus@
19 - markus@cvs.openbsd.org 2002/03/24 18:05:29
20 [scard.c]
21 we need to figure out AUT0 for sc_private_encrypt, too
19 22
2020020324 2320020324
21 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure 24 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@@ -8030,4 +8033,4 @@
8030 - Wrote replacements for strlcpy and mkdtemp 8033 - Wrote replacements for strlcpy and mkdtemp
8031 - Released 1.0pre1 8034 - Released 1.0pre1
8032 8035
8033$Id: ChangeLog,v 1.1982 2002/03/26 02:36:29 mouring Exp $ 8036$Id: ChangeLog,v 1.1983 2002/03/26 02:44:44 mouring Exp $
diff --git a/scard.c b/scard.c
index a8ee2fe6d..9b2d77602 100644
--- a/scard.c
+++ b/scard.c
@@ -24,7 +24,7 @@
24 24
25#include "includes.h" 25#include "includes.h"
26#ifdef SMARTCARD 26#ifdef SMARTCARD
27RCSID("$OpenBSD: scard.c,v 1.22 2002/03/21 21:54:34 rees Exp $"); 27RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");
28 28
29#include <openssl/engine.h> 29#include <openssl/engine.h>
30#include <openssl/evp.h> 30#include <openssl/evp.h>
@@ -192,6 +192,32 @@ err:
192 return status; 192 return status;
193} 193}
194 194
195static int
196try_AUT0(void)
197{
198 u_char aut0[EVP_MAX_MD_SIZE];
199
200 /* permission denied; try PIN if provided */
201 if (sc_pin && strlen(sc_pin) > 0) {
202 sc_mk_digest(sc_pin, aut0);
203 if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
204 error("smartcard passphrase incorrect");
205 return (-1);
206 }
207 } else {
208 /* try default AUT0 key */
209 if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
210 /* default AUT0 key failed; prompt for passphrase */
211 if (get_AUT0(aut0) < 0 ||
212 cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
213 error("smartcard passphrase incorrect");
214 return (-1);
215 }
216 }
217 }
218 return (0);
219}
220
195/* private key operations */ 221/* private key operations */
196 222
197static int 223static int
@@ -199,7 +225,6 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
199 int padding) 225 int padding)
200{ 226{
201 u_char *padded = NULL; 227 u_char *padded = NULL;
202 u_char aut0[EVP_MAX_MD_SIZE];
203 int sw, len, olen, status = -1; 228 int sw, len, olen, status = -1;
204 229
205 debug("sc_private_decrypt called"); 230 debug("sc_private_decrypt called");
@@ -219,24 +244,8 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
219 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); 244 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
220 245
221 if (sw == 0x6982) { 246 if (sw == 0x6982) {
222 /* permission denied; try PIN if provided */ 247 if (try_AUT0() < 0)
223 if (sc_pin && strlen(sc_pin) > 0) { 248 goto err;
224 sc_mk_digest(sc_pin, aut0);
225 if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
226 error("smartcard passphrase incorrect");
227 goto err;
228 }
229 } else {
230 /* try default AUT0 key */
231 if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
232 /* default AUT0 key failed; prompt for passphrase */
233 if (get_AUT0(aut0) < 0 ||
234 cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
235 error("smartcard passphrase incorrect");
236 goto err;
237 }
238 }
239 }
240 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); 249 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
241 } 250 }
242 if (!sectok_swOK(sw)) { 251 if (!sectok_swOK(sw)) {
@@ -278,8 +287,13 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
278 goto err; 287 goto err;
279 } 288 }
280 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw); 289 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
290 if (sw == 0x6982) {
291 if (try_AUT0() < 0)
292 goto err;
293 sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
294 }
281 if (!sectok_swOK(sw)) { 295 if (!sectok_swOK(sw)) {
282 error("sc_private_decrypt: INS_DECRYPT failed: %s", 296 error("sc_private_encrypt: INS_DECRYPT failed: %s",
283 sectok_get_sw(sw)); 297 sectok_get_sw(sw));
284 goto err; 298 goto err;
285 } 299 }