- markus@cvs.openbsd.org 2002/03/24 18:05:29

[scard.c] we need to figure out AUT0 for sc_private_encrypt, too
2002-03-26 02:44:44 +00:00 · 2002-03-26 02:44:44 +00:00 · c2c6cbc527
parent 31ee7aeb15
commit c2c6cbc527
2 changed files with 39 additions and 22 deletions
--- a/5
+++ b/5
@ -16,6 +16,9 @@
   - stevesk@cvs.openbsd.org 2002/03/24 17:53:16
     [monitor_fdpass.c]
     minor cleanup and more error checking; ok markus@
+   - markus@cvs.openbsd.org 2002/03/24 18:05:29
+     [scard.c]
+     we need to figure out AUT0 for sc_private_encrypt, too

 20020324
 - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure
@ -8030,4 +8033,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1

-$Id: ChangeLog,v 1.1982 2002/03/26 02:36:29 mouring Exp $
+$Id: ChangeLog,v 1.1983 2002/03/26 02:44:44 mouring Exp $
--- a/scard.c
+++ b/scard.c
@ -24,7 +24,7 @@

 #include "includes.h"
 #ifdef SMARTCARD
-RCSID("$OpenBSD: scard.c,v 1.22 2002/03/21 21:54:34 rees Exp $");
+RCSID("$OpenBSD: scard.c,v 1.23 2002/03/24 18:05:29 markus Exp $");

 #include <openssl/engine.h>
 #include <openssl/evp.h>
@ -192,6 +192,32 @@ err:
 	return status;
 }

+static int
+try_AUT0(void)
+{
+	u_char aut0[EVP_MAX_MD_SIZE];
+
+	/* permission denied; try PIN if provided */
+	if (sc_pin && strlen(sc_pin) > 0) {
+		sc_mk_digest(sc_pin, aut0);
+		if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
+			error("smartcard passphrase incorrect");
+			return (-1);
+		}
+	} else {
+		/* try default AUT0 key */
+		if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
+			/* default AUT0 key failed; prompt for passphrase */
+			if (get_AUT0(aut0) < 0 ||
+			    cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
+				error("smartcard passphrase incorrect");
+				return (-1);
+			}
+		}
+	}
+	return (0);
+}
+
 /* private key operations */

 static int
@ -199,7 +225,6 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
    int padding)
 {
 	u_char *padded = NULL;
-	u_char aut0[EVP_MAX_MD_SIZE];
 	int sw, len, olen, status = -1;

 	debug("sc_private_decrypt called");
@ -219,24 +244,8 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa,
 	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);

 	if (sw == 0x6982) {
-		/* permission denied; try PIN if provided */
-		if (sc_pin && strlen(sc_pin) > 0) {
-			sc_mk_digest(sc_pin, aut0);
-			if (cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-				error("smartcard passphrase incorrect");
-				goto err;
-			}
-		} else {
-			/* try default AUT0 key */
-			if (cyberflex_verify_AUT0(sc_fd, cla, DEFAUT0, 8) < 0) {
-				/* default AUT0 key failed; prompt for passphrase */
-				if (get_AUT0(aut0) < 0 ||
-				    cyberflex_verify_AUT0(sc_fd, cla, aut0, 8) < 0) {
-					error("smartcard passphrase incorrect");
-					goto err;
-				}
-			}
-		}
+		if (try_AUT0() < 0)
+			goto err;
 		sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, from, len, padded, &sw);
 	}
 	if (!sectok_swOK(sw)) {
@ -278,8 +287,13 @@ sc_private_encrypt(int flen, u_char *from, u_char *to, RSA *rsa,
 		goto err;
 	}
 	sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
+	if (sw == 0x6982) {
+		if (try_AUT0() < 0)
+			goto err;
+		sectok_apdu(sc_fd, CLA_SSH, INS_DECRYPT, 0, 0, len, padded, len, to, &sw);
+	}
 	if (!sectok_swOK(sw)) {
-		error("sc_private_decrypt: INS_DECRYPT failed: %s",
+		error("sc_private_encrypt: INS_DECRYPT failed: %s",
 		    sectok_get_sw(sw));
 		goto err;
 	}