tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-27 15:54:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream commit

Browse Source 
support PKCS#11 devices with external PIN entry devices
 bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@

Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
This commit is contained in:
djm@openbsd.org 2015-05-27 05:15:02 +00:00 committed by Damien Miller
parent b282fec1aa
commit a71ba58adf
1 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
ssh-pkcs11.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssh-pkcs11.c,v 1.18 2015/04/24 01:36:01 deraadt Exp $ */ /* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */
/* /*
* Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2010 Markus Friedl. All rights reserved.
* *
@ -237,7 +237,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
{CKA_ID, NULL, 0}, {CKA_ID, NULL, 0},
{CKA_SIGN, NULL, sizeof(true_val) } {CKA_SIGN, NULL, sizeof(true_val) }
}; };
char *pin, prompt[1024]; char *pin = NULL, prompt[1024];
int rval = -1; int rval = -1;
key_filter[0].pValue = &private_key_class; key_filter[0].pValue = &private_key_class;
@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
si = &k11->provider->slotinfo[k11->slotidx]; si = &k11->provider->slotinfo[k11->slotidx];
if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
if (!pkcs11_interactive) { if (!pkcs11_interactive) {
error("need pin"); error("need pin entry%s", (si->token.flags &
CKF_PROTECTED_AUTHENTICATION_PATH) ?
" on reader keypad" : "");
return (-1); return (-1);
} }
snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
si->token.label); verbose("Deferring PIN entry to reader keypad.");
else {
snprintf(prompt, sizeof(prompt),
"Enter PIN for '%s': ", si->token.label);
pin = read_passphrase(prompt, RP_ALLOW_EOF); pin = read_passphrase(prompt, RP_ALLOW_EOF);
if (pin == NULL) if (pin == NULL)
return (-1); /* bail out */ return (-1); /* bail out */
rv = f->C_Login(si->session, CKU_USER, }
(u_char *)pin, strlen(pin)); rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { (pin != NULL) ? strlen(pin) : 0);
if (pin != NULL) {
explicit_bzero(pin, strlen(pin));
free(pin); free(pin);
}
if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
error("C_Login failed: %lu", rv); error("C_Login failed: %lu", rv);
return (-1); return (-1);
} }
free(pin);
si->logged_in = 1; si->logged_in = 1;
} }
key_filter[1].pValue = k11->keyid; key_filter[1].pValue = k11->keyid;