Menu
▾
▴
[Opensc-devel] Fwd: [Bug 2240] Secure PIN entry for smartcards through the keypad on the reader (patch)
|
From: Dirk-Willem v. G. <di...@we...> - 2015-05-27 07:13:37
|
For those caring about PIN pad readers and OpenSSH; one less patch to apply once ssh 6.9 makes it into the various distributions. Dw. > Begin forwarded message: > > From: bug...@mi... > Subject: [Bug 2240] Secure PIN entry for smartcards through the keypad on the reader (patch) > Date: 27 May 2015 07:44:08 CEST > To: di...@we... > > https://bugzilla.mindrot.org/show_bug.cgi?id=2240 > > Damien Miller <dj...@mi...> changed: > > What |Removed |Added > ---------------------------------------------------------------------------- > Resolution|--- |FIXED > Status|NEW |RESOLVED > > --- Comment #5 from Damien Miller <dj...@mi...> --- > This has been committed and will be in openssh-6.9. The final patch is: > > https://anongit.mindrot.org/openssh.git/patch/?id=a71ba58adf34e599f30cdda6e9b93ae6e3937eea > > -- > You are receiving this mail because: > You reported the bug. > From a71ba58adf34e599f30cdda6e9b93ae6e3937eea Mon Sep 17 00:00:00 2001 From: "dj...@op..." <dj...@op...> Date: Wed, 27 May 2015 05:15:02 +0000 Subject: upstream commit support PKCS#11 devices with external PIN entry devices bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d --- ssh-pkcs11.c | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index f4971ad..e074175 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.18 2015/04/24 01:36:01 deraadt Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * @@ -237,7 +237,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, {CKA_ID, NULL, 0}, {CKA_SIGN, NULL, sizeof(true_val) } }; - char *pin, prompt[1024]; + char *pin = NULL, prompt[1024]; int rval = -1; key_filter[0].pValue = &private_key_class; @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", (si->token.flags & + CKF_PROTECTED_AUTHENTICATION_PATH) ? + " on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ - rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin)); - if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + verbose("Deferring PIN entry to reader keypad."); + else { + snprintf(prompt, sizeof(prompt), + "Enter PIN for '%s': ", si->token.label); + pin = read_passphrase(prompt, RP_ALLOW_EOF); + if (pin == NULL) + return (-1); /* bail out */ + } + rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, + (pin != NULL) ? strlen(pin) : 0); + if (pin != NULL) { + explicit_bzero(pin, strlen(pin)); free(pin); + } + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { error("C_Login failed: %lu", rv); return (-1); } - free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid; -- cgit v0.11.2 |
