Bugzilla – Attachment 1600 Details for
Bug 1506
rationalize agent behavior on smartcard removal/reattachment
[patch]
retry smartcard at most once on detached reader, and purge PIN and all H/W keys from agent on failure
retry-scard-after-detach-and-purge-hwkeys-on-failure.patch (text/plain), 2.58 KB, created by
Daniel Kahn Gillmor
on 2009-02-04 05:23:13 AEDT
Description:
retry smartcard at most once on detached reader, and purge PIN and all H/W keys from agent on failure
Filename:
MIME Type:
Creator:
Daniel Kahn Gillmor
Created:
2009-02-04 05:23:13 AEDT
Size:
2.58 KB
patch
obsolete
>diff -ruN openssh-5.1p1/scard-opensc.c openssh-5.1p1.dkg/scard-opensc.c
>--- openssh-5.1p1/scard-opensc.c 2007-03-12 16:35:39.000000000 -0400
>+++ openssh-5.1p1.dkg/scard-opensc.c 2008-08-19 21:35:31.000000000 -0400
>@@ -124,7 +121,9 @@
> struct sc_pkcs15_prkey_info *key;
> struct sc_pkcs15_object *pin_obj;
> struct sc_pkcs15_pin_info *pin;
>+ int detach_retry = 1;
> 
>+ detachretry:
> priv = (struct sc_priv_data *) RSA_get_app_data(rsa);
> if (priv == NULL)
> return -1;
>@@ -162,6 +161,13 @@
> }
> pin = pin_obj->data;
> r = sc_lock(card);
>+ if (r == SC_ERROR_READER_DETACHED && detach_retry) {
>+ /* first retry after a plug fails; we'll try one more time */
>+ debug("Retrying sc_lock() after receiving Error %d (%s)", r, sc_strerror(r));
>+ detach_retry = 0;
>+ sc_close();
>+ goto detachretry;
>+ }
> if (r) {
> error("Unable to lock smartcard: %s", sc_strerror(r));
> goto err;
>@@ -180,6 +186,10 @@
> return 0;
> err:
> sc_close();
>+ if (sc_pin != NULL) {
>+ xfree(sc_pin);
>+ sc_pin = NULL;
>+ }
> return -1;
> }
> 
>diff -ruN openssh-5.1p1/ssh-agent.c openssh-5.1p1.dkg/ssh-agent.c
>--- openssh-5.1p1/ssh-agent.c 2008-07-04 09:10:49.000000000 -0400
>+++ openssh-5.1p1.dkg/ssh-agent.c 2008-08-21 11:49:47.000000000 -0400
>@@ -136,6 +136,11 @@
> /* Default lifetime (0 == forever) */
> static int lifetime = 0;
> 
>+#ifdef SMARTCARD
>+/* forward declaration needed */
>+static void remove_all_smartcard_keys();
>+#endif /* SMARTCARD */
>+
> static void
> close_socket(SocketEntry *e)
> {
>@@ -330,8 +335,14 @@
> key = key_from_blob(blob, blen);
> if (key != NULL) {
> Identity *id = lookup_identity(key, 2);
>- if (id != NULL && (!id->confirm || confirm_key(id) == 0))
>+ if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
> ok = key_sign(id->key, &signature, &slen, data, dlen);
>+#ifdef SMARTCARD
>+ if ((ok != 0) && (id->key->flags &= KEY_FLAG_EXT)) {
>+ remove_all_smartcard_keys();
>+ }
>+#endif /* SMARTCARD */
>+ }
> key_free(key);
> }
> buffer_init(&msg);
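Review bot: The retry on `SC_ERROR_READER_DETACHED` calls `sc_close()` and then jumps back to `detachretry:`, which the first hunk places before the `priv` lookup; the code between that label and `sc_lock()` that reopens the card context is outside this hunk, so the second pass relies on it tolerating a re-run after `sc_close()` has torn the handle down (`card` is stale at that point) — worth confirming. The retry comment reads awkwardly; `/* reader was unplugged: close the card, reopen once and retry the lock */` says what actually happens, and `detach_retry` would benefit from `/* one-shot retry budget for a detached reader */` at its declaration in the first hunk. The enclosing function starts and ends outside this hunk.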
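Review bot: The `err:` path releases the cached PIN with `xfree(sc_pin)` without clearing it first, so the PIN bytes stay in freed heap memory until that memory is reused; a purge whose purpose is to drop the PIN should wipe it, e.g. `memset(sc_pin, 0, strlen(sc_pin));` immediately before the `xfree(sc_pin);`. `sc_pin` is not declared in the hunk, so this assumes it is the file-scope, NUL-terminated PIN buffer the agent caches — verify against its declaration. The enclosing function's start is outside this hunk.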
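Review bot: The forward declaration `static void remove_all_smartcard_keys();` uses empty parentheses, which in C is a non-prototype declaration and leaves the call's arguments unchecked; it should be `static void remove_all_smartcard_keys(void);`, and the definition in the last hunk of ssh-agent.c should use `(void)` as well. The `/* forward declaration needed */` comment says nothing about why; `/* defined below; used by the sign-request handler on a failed hardware-key signature */` would orient a reader.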
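Review bot: The new condition `(id->key->flags &= KEY_FLAG_EXT)` is a compound assignment, not a bitwise test: as a side effect of the check it overwrites the key's flags with only the KEY_FLAG_EXT bit, clearing every other flag, and the same typo appears in `remove_all_smartcard_keys()` in the last hunk. Both places should read `(id->key->flags & KEY_FLAG_EXT)`. When the branch fires, `remove_all_smartcard_keys()` frees the identity `id` points to, so `id` is dangling from that line on; the handler continues past the hunk, so confirm nothing touches `id` afterwards. Dropping every hardware key on any signing failure, not only a reader-detach error, appears to be the intended behaviour per the attachment description, but a comment such as `/* signing with a hardware key failed: assume the card is gone and drop all H/W keys */` would make that deliberate rather than accidental.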
>@@ -675,6 +686,28 @@
> }
> 
> static void
>+remove_all_smartcard_keys()
>+{
>+ /* walk through all stored identities and remove keys on external hardware */
>+ Identity *id, *nxt;
>+ int version;
>+ Idtab *tab;
>+
>+ for (version = 1; version < 3; version++) {
>+ tab = idtab_lookup(version);
>+ for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
>+ nxt = TAILQ_NEXT(id, next);
>+ if (id->key->flags &= KEY_FLAG_EXT) {
>+ debug("Removing hardware key '%s'", id->comment);
>+ TAILQ_REMOVE(&tab->idlist, id, next);
>+ free_identity(id);
>+ tab->nentries--;
>+ }
>+ }
>+ }
>+}
>+
>+static void
> process_remove_smartcard_key(SocketEntry *e)
> {
> char *sc_reader_id = NULL, *pin;
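Review bot: `remove_all_smartcard_keys()` has no header comment stating its contract; the in-body comment describes the walk but not that every identity carrying KEY_FLAG_EXT is freed, which matters because the caller in the sign-request hunk still holds an `Identity *` when it calls this. A header along the lines of `/* Remove and free every KEY_FLAG_EXT identity from both protocol tables; any Identity pointer held by the caller is invalid afterwards. */` would cover it. The `version < 3` bound walks tables 1 and 2 and presumably mirrors the other per-version loops in this file — a short `/* protocol versions 1 and 2 */` would save the reader that lookup.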