From c2c6cbc527d86eff97f5f2897f16b5100b340d13 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 26 Mar 2002 02:44:44 +0000 Subject: - markus@cvs.openbsd.org 2002/03/24 18:05:29 [scard.c] we need to figure out AUT0 for sc_private_encrypt, too --- ChangeLog | 5 ++++- scard.c | 56 +++++++++++++++++++++++++++++++++++--------------------- 2 files changed, 39 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index 526edb96b..bd1f8688c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - stevesk@cvs.openbsd.org 2002/03/24 17:53:16 [monitor_fdpass.c] minor cleanup and more error checking; ok markus@ + - markus@cvs.openbsd.org 2002/03/24 18:05:29 + [scard.c] + we need to figure out AUT0 for sc_private_encrypt, too 20020324 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure @@ -8030,4 +8033,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1982 2002/03/26 02:36:29 mouring Exp $ +$Id: ChangeLog,v 1.1983 2002/03/26 02:44:44 mouring Exp $ diff --git a/scard.c b/scard.c index a8ee2fe6d..9b2d77602 100644 --- a/scard.c +++ b/scard.c @@ -24,7 +24,7 @@ #include "includes.h" #ifdef SMARTCARD -RCSID("$OpenBSD: scard.c,v 1.22 2002/03/21 21:54:34 rees Exp $"); +RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $"); #include #include @@ -192,6 +192,32 @@ err: return status; } +static int +try_AUT0(void) +{ + u_char aut0[EVP_MAX_MD_SIZE]; + + /* permission denied; try PIN if provided */ + if (sc_pin && strlen(sc_pin) > 0) { + sc_mk_digest(sc_pin, aut0); + if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } else { + /* try default AUT0 key */ + if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) { + /* default AUT0 key failed; prompt for passphrase */ + if (get_AUT0(aut0) < 0 || + cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { + error("smartcard passphrase incorrect"); + return (-1); + } + } + } + return (0); +} + /* private key operations */ static int @@ -199,7 +225,6 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, int padding) { u_char *padded = NULL; - u_char aut0[EVP_MAX_MD_SIZE]; int sw, len, olen, status = -1; debug("sc_private_decrypt called"); @@ -219,24 +244,8 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); if (sw == 0x6982) { - /* permission denied; try PIN if provided */ - if (sc_pin && strlen(sc_pin) > 0) { - sc_mk_digest(sc_pin, aut0); - if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { - error("smartcard passphrase incorrect"); - goto err; - } - } else { - /* try default AUT0 key */ - if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) { - /* default AUT0 key failed; prompt for passphrase */ - if (get_AUT0(aut0) < 0 || - cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) { - error("smartcard passphrase incorrect"); - goto err; - } - } - } + if (try_AUT0() < 0) + goto err; sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw); } if (!sectok_swOK(sw)) { @@ -278,8 +287,13 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa, goto err; } sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw); + if (sw == 0x6982) { + if (try_AUT0() < 0) + goto err; + sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw); + } if (!sectok_swOK(sw)) { - error("sc_private_decrypt: INS_DECRYPT failed: %s", + error("sc_private_encrypt: INS_DECRYPT failed: %s", sectok_get_sw(sw)); goto err; } -- cgit v1.2.3