Attachment #3033 for bug #2638




	return (ret);
}

int
pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si,
    int login_type)
{
	CK_RV			rv;
	CK_FUNCTION_LIST	*f;
	char			*pin = NULL, prompt[1024];

	f = p->function_list;

	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
		verbose("Deferring PIN entry to reader keypad.");
	else {
		snprintf(prompt, sizeof(prompt),
		    "Enter PIN for '%s': ", si->token.label);
		pin = read_passphrase(prompt, RP_ALLOW_EOF);
		if (pin == NULL)
			return (-1);	/* bail out */
	}
	/* context specific login */
	rv = f->C_Login(si->session, login_type, (u_char *)pin,
		(pin != NULL) ? strlen(pin) : 0);

	if (pin != NULL) {
		explicit_bzero(pin, strlen(pin));
		free(pin);
	}
	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
		error("C_Login failed: %lu", rv);
		return (-1);
	}
	/* authentication successful */
	return (0);
}

int
pkcs11_always_authenticate(struct pkcs11_provider *p,
    struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj)
{
	CK_RV			rv;
	CK_FUNCTION_LIST	*f;
	CK_BBOOL		always_authenticate = 0;
	CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1};

	f = p->function_list;

	rv = f->C_GetAttributeValue(si->session, obj, &(template), 1);
	if (rv != CKR_OK || always_authenticate == CK_FALSE) {
		/* not needed */
		return (0);
	}

	return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC);
}

/* openssl callback doing the actual signing operation */
static int
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,

		{CKA_ID, NULL, 0},
		{CKA_SIGN, NULL, sizeof(true_val) }
	};
	int			rval = -1, login_performed = 0;
	int			rval = -1;

	key_filter[0].pValue = &private_key_class;
	key_filter[2].pValue = &true_val;

			    " on reader keypad" : "");
			return (-1);
		}

		if (pkcs11_login(k11->provider, si, CKU_USER) < 0)
		else {
			snprintf(prompt, sizeof(prompt),
			    "Enter PIN for '%s': ", si->token.label);
			pin = read_passphrase(prompt, RP_ALLOW_EOF);
			if (pin == NULL)
				return (-1);	/* bail out */
		}
		rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
		    (pin != NULL) ? strlen(pin) : 0);
		if (pin != NULL) {
			explicit_bzero(pin, strlen(pin));
			free(pin);
		}
		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
			error("C_Login failed: %lu", rv);
			return (-1);
		}
		si->logged_in = 1;
		login_performed = 1;
	}
	key_filter[1].pValue = k11->keyid;
	key_filter[1].ulValueLen = k11->keyid_len;

		error("cannot find private key");
	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
		error("C_SignInit failed: %lu", rv);
	} else if (!login_performed &&
	    pkcs11_always_authenticate(k11->provider, si, obj) < 0) {
		error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object");
	} else {
		/* XXX handle CKR_BUFFER_TOO_SMALL */
		tlen = RSA_size(rsa);

Return to bug 2638

Lines 216-221 pkcs11_find(struct pkcs11_provider p, CK_ULONG slotidx, CK_ATTRIBUTE attr, Link Here

(-)a/ssh-pkcs11.c (-20 / +62 lines)
216	return (ret);	216	return (ret);
217	}	217	}
218		218
		219	int
		220	pkcs11_login(struct pkcs11_provider p, struct pkcs11_slotinfo si,
		221	int login_type)
		222	{
		223	CK_RV rv;
		224	CK_FUNCTION_LIST *f;
		225	char *pin = NULL, prompt[1024];
		226
		227	f = p->function_list;
		228
		229	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
		230	verbose("Deferring PIN entry to reader keypad.");
		231	else {
		232	snprintf(prompt, sizeof(prompt),
		233	"Enter PIN for '%s': ", si->token.label);
		234	pin = read_passphrase(prompt, RP_ALLOW_EOF);
		235	if (pin == NULL)
		236	return (-1); /* bail out */
		237	}
		238	/* context specific login */
		239	rv = f->C_Login(si->session, login_type, (u_char *)pin,
		240	(pin != NULL) ? strlen(pin) : 0);
		241
		242	if (pin != NULL) {
		243	explicit_bzero(pin, strlen(pin));
		244	free(pin);
		245	}
		246	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
		247	error("C_Login failed: %lu", rv);
		248	return (-1);
		249	}
		250	/* authentication successful */
		251	return (0);
		252	}
		253
		254	int
		255	pkcs11_always_authenticate(struct pkcs11_provider *p,
		256	struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj)
		257	{
		258	CK_RV rv;
		259	CK_FUNCTION_LIST *f;
		260	CK_BBOOL always_authenticate = 0;
		261	CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1};
		262
		263	f = p->function_list;
		264
		265	rv = f->C_GetAttributeValue(si->session, obj, &(template), 1);
		266	if (rv != CKR_OK \|\| always_authenticate == CK_FALSE) {
		267	/* not needed */
		268	return (0);
		269	}
		270
		271	return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC);
		272	}
		273
219	/* openssl callback doing the actual signing operation */	274	/* openssl callback doing the actual signing operation */
220	static int	275	static int
221	pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa,	276	pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa,
Lines 237-244 pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa, Link Here
237	{CKA_ID, NULL, 0},	292	{CKA_ID, NULL, 0},
238	{CKA_SIGN, NULL, sizeof(true_val) }	293	{CKA_SIGN, NULL, sizeof(true_val) }
239	};	294	};
240	char *pin = NULL, prompt[1024];	295	int rval = -1, login_performed = 0;
241	int rval = -1;
242		296
243	key_filter[0].pValue = &private_key_class;	297	key_filter[0].pValue = &private_key_class;
244	key_filter[2].pValue = &true_val;	298	key_filter[2].pValue = &true_val;
Lines 260-285 pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa, Link Here
260	" on reader keypad" : "");	314	" on reader keypad" : "");
261	return (-1);	315	return (-1);
262	}	316	}
263	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)	317
264	verbose("Deferring PIN entry to reader keypad.");	318	if (pkcs11_login(k11->provider, si, CKU_USER) < 0)
265	else {
266	snprintf(prompt, sizeof(prompt),
267	"Enter PIN for '%s': ", si->token.label);
268	pin = read_passphrase(prompt, RP_ALLOW_EOF);
269	if (pin == NULL)
270	return (-1); /* bail out */
271	}
272	rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
273	(pin != NULL) ? strlen(pin) : 0);
274	if (pin != NULL) {
275	explicit_bzero(pin, strlen(pin));
276	free(pin);
277	}
278	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
279	error("C_Login failed: %lu", rv);
280	return (-1);	319	return (-1);
281	}
282	si->logged_in = 1;	320	si->logged_in = 1;
		321	login_performed = 1;
283	}	322	}
284	key_filter[1].pValue = k11->keyid;	323	key_filter[1].pValue = k11->keyid;
285	key_filter[1].ulValueLen = k11->keyid_len;	324	key_filter[1].ulValueLen = k11->keyid_len;
Lines 289-294 pkcs11_rsa_private_encrypt(int flen, const u_char from, u_char to, RSA *rsa, Link Here
289	error("cannot find private key");	328	error("cannot find private key");
290	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {	329	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
291	error("C_SignInit failed: %lu", rv);	330	error("C_SignInit failed: %lu", rv);
		331	} else if (!login_performed &&
		332	pkcs11_always_authenticate(k11->provider, si, obj) < 0) {
		333	error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object");
292	} else {	334	} else {
293	/* XXX handle CKR_BUFFER_TOO_SMALL */	335	/* XXX handle CKR_BUFFER_TOO_SMALL */
294	tlen = RSA_size(rsa);	336	tlen = RSA_size(rsa);