- rees@cvs.openbsd.org 2002/03/26 18:46:59

[scard.c]
     try_AUT0 in read_pubkey too, for those paranoid few who want to acl 'sh'

ChangeLog

@@ -11,9 +11,9 @@
    - markus@cvs.openbsd.org 2002/03/26 15:23:40
      [bufaux.c]
      do not talk about packets in bufaux
-   - markus@cvs.openbsd.org 2002/03/26 15:58:46
-     [readpass.c readpass.h sshconnect2.c]
-     client side support for PASSWD_CHANGEREQ
+   - rees@cvs.openbsd.org 2002/03/26 18:46:59
+     [scard.c]
+     try_AUT0 in read_pubkey too, for those paranoid few who want to acl 'sh'
 
 20020325
  - (stevesk) import OpenBSD <sys/tree.h> as "openbsd-compat/tree.h"
@@ -8077,4 +8077,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1996 2002/03/27 17:28:46 mouring Exp $
+$Id: ChangeLog,v 1.1997 2002/03/27 17:33:17 mouring Exp $

scard.c

@@ -24,7 +24,7 @@
 
 #include "includes.h"
 #ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.24 2002/03/25 17:34:27 markus Exp $");
+RCSID("$OpenBSD: scard.c,v 1.25 2002/03/26 18:46:59 rees Exp $");
 
 #include <openssl/evp.h>
 #include <sectok.h>
@@ -65,6 +65,7 @@ static int cla = 0x00;	/* class */
 
 static void sc_mk_digest(const char *pin, u_char *digest);
 static int get_AUT0(u_char *aut0);
+static int try_AUT0(void);
 
 /* interface to libsectok */
 
@@ -164,6 +165,12 @@ sc_read_pubkey(Key * k)
 	n = xmalloc(len);
 	/* get n */
 	sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
+
+	if (sw == 0x6982) {
+		if (try_AUT0() < 0)
+			goto err;
+		sectok_apdu(sc_fd, CLA_SSH, INS_GET_PUBKEY, 0, 0, 0, NULL, len, n, &sw);
+	}
 	if (!sectok_swOK(sw)) {
 		error("could not obtain public key: %s", sectok_get_sw(sw));
 		goto err;
@@ -194,32 +201,6 @@ err:
 	return status;
 }
 
-static int
-try_AUT0(void)
-{
-	u_char aut0[EVP_MAX_MD_SIZE];
-
-	/* permission denied; try PIN if provided */
-	if (sc_pin && strlen(sc_pin) > 0) {
-		sc_mk_digest(sc_pin, aut0);
-		if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-			error("smartcard passphrase incorrect");
-			return (-1);
-		}
-	} else {
-		/* try default AUT0 key */
-		if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
-			/* default AUT0 key failed; prompt for passphrase */
-			if (get_AUT0(aut0) < 0 ||
-			    cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-				error("smartcard passphrase incorrect");
-				return (-1);
-			}
-		}
-	}
-	return (0);
-}
-
 /* private key operations */
 
 static int
@@ -463,6 +444,32 @@ get_AUT0(u_char *aut0)
 	return 0;
 }
 
+static int
+try_AUT0(void)
+{
+	u_char aut0[EVP_MAX_MD_SIZE];
+
+	/* permission denied; try PIN if provided */
+	if (sc_pin && strlen(sc_pin) > 0) {
+		sc_mk_digest(sc_pin, aut0);
+		if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
+			error("smartcard passphrase incorrect");
+			return (-1);
+		}
+	} else {
+		/* try default AUT0 key */
+		if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
+			/* default AUT0 key failed; prompt for passphrase */
+			if (get_AUT0(aut0) < 0 ||
+			    cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
+				error("smartcard passphrase incorrect");
+				return (-1);
+			}
+		}
+	}
+	return (0);
+}
+
 int
 sc_put_key(Key *prv, const char *id)
 {