tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream: revert unconditional forced login implemented in r1.41 of 

ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
token returns no objects and this is less disruptive for users of tokens
directly in ssh (rather than via ssh-agent) and in ssh-keygen

bz3006, patch from Jakub Jelen; ok markus

OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
This commit is contained in:
djm@openbsd.org 2019-10-01 10:22:53 +00:00 committed by Damien Miller
parent 6c91d42cce
commit 084682786d
1 changed files with 5 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
ssh-pkcs11.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */ /* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */
/* /*
* Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2010 Markus Friedl. All rights reserved.
* Copyright (c) 2014 Pedro Martelletto. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
CK_FUNCTION_LIST *f; CK_FUNCTION_LIST *f;
CK_RV rv; CK_RV rv;
CK_SESSION_HANDLE session; CK_SESSION_HANDLE session;
int login_required, have_pinpad, ret; int login_required, ret;
char prompt[1024], *xpin = NULL;
f = p->function_list; f = p->function_list;
si = &p->slotinfo[slotidx]; si = &p->slotinfo[slotidx];
have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH;
login_required = si->token.flags & CKF_LOGIN_REQUIRED; login_required = si->token.flags & CKF_LOGIN_REQUIRED;
/* fail early before opening session */ /* fail early before opening session */
if (login_required && !have_pinpad && !pkcs11_interactive && if (login_required && !pkcs11_interactive &&
(pin == NULL || strlen(pin) == 0)) { (pin == NULL || strlen(pin) == 0)) {
error("pin required"); error("pin required");
return (-SSH_PKCS11_ERR_PIN_REQUIRED); return (-SSH_PKCS11_ERR_PIN_REQUIRED);
@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
error("C_OpenSession failed: %lu", rv); error("C_OpenSession failed: %lu", rv);
return (-1); return (-1);
} }
if (login_required) { if (login_required && pin != NULL && strlen(pin) != 0) {
if (have_pinpad && (pin == NULL || strlen(pin) == 0)) { rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
/* defer PIN entry to the reader keypad */
rv = f->C_Login(session, CKU_USER, NULL_PTR, 0);
} else {
if (pkcs11_interactive) {
snprintf(prompt, sizeof(prompt),
"Enter PIN for '%s': ", si->token.label);
if ((xpin = read_passphrase(prompt,
RP_ALLOW_EOF)) == NULL) {
debug("%s: no pin specified",
__func__);
return (-SSH_PKCS11_ERR_PIN_REQUIRED);
}
pin = xpin;
}
rv = f->C_Login(session, CKU_USER,
(u_char *)pin, strlen(pin));
if (xpin != NULL)
freezero(xpin, strlen(xpin));
}
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
error("C_Login failed: %lu", rv); error("C_Login failed: %lu", rv);
ret = (rv == CKR_PIN_LOCKED) ? ret = (rv == CKR_PIN_LOCKED) ?