

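--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -779,7 +779,7 @@ do_download(struct passwd *pw)
 	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
 	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
 
-	pkcs11_init(0);
+	pkcs11_init(1);
 	nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
 	if (nkeys <= 0)
 		fatal("cannot read public key from pkcs11");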
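--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -216,6 +216,41 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
 	return (ret);
 }
 
+static int
+pkcs11_do_login(CK_FUNCTION_LIST *f, struct pkcs11_slotinfo *si)
+{
+	char			*pin = NULL, prompt[1024];
+	CK_RV			rv;
+
+	if (!pkcs11_interactive) {
+		error("need pin entry%s", (si->token.flags &
+		    CKF_PROTECTED_AUTHENTICATION_PATH) ?
+		    " on reader keypad" : "");
+		return (-1);
+	}
+	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+		verbose("Deferring PIN entry to reader keypad.");
+	else {
+		snprintf(prompt, sizeof(prompt),
+		    "Enter PIN for '%s': ", si->token.label);
+		pin = read_passphrase(prompt, RP_ALLOW_EOF);
+		if (pin == NULL)
+			return (-1);	/* bail out */
+	}
+	rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
+	    (pin != NULL) ? strlen(pin) : 0);
+	if (pin != NULL) {
+		explicit_bzero(pin, strlen(pin));
+		free(pin);
+	}
+	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
+		error("C_Login failed: %lu", rv);
+		return (-1);
+	}
+	si->logged_in = 1;
+	return 0;
+}
+
 /* openssl callback doing the actual signing operation */
 static int
 pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
@@ -237,7 +272,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 		{CKA_ID, NULL, 0},
 		{CKA_SIGN, NULL, sizeof(true_val) }
 	};
-	char			*pin = NULL, prompt[1024];
 	int			rval = -1;
 
 	key_filter[0].pValue = &private_key_class;
@@ -254,32 +288,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 	f = k11->provider->function_list;
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
-		if (!pkcs11_interactive) {
-			error("need pin entry%s", (si->token.flags &
-			    CKF_PROTECTED_AUTHENTICATION_PATH) ?
-			    " on reader keypad" : "");
+		if (pkcs11_do_login(f, si) != 0)
 			return (-1);
-		}
-		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
-			verbose("Deferring PIN entry to reader keypad.");
-		else {
-			snprintf(prompt, sizeof(prompt),
-			    "Enter PIN for '%s': ", si->token.label);
-			pin = read_passphrase(prompt, RP_ALLOW_EOF);
-			if (pin == NULL)
-				return (-1);	/* bail out */
-		}
-		rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
-		    (pin != NULL) ? strlen(pin) : 0);
-		if (pin != NULL) {
-			explicit_bzero(pin, strlen(pin));
-			free(pin);
-		}
-		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
-			error("C_Login failed: %lu", rv);
-			return (-1);
-		}
-		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
 	key_filter[1].ulValueLen = k11->keyid_len;
@@ -375,16 +385,22 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
 		error("C_OpenSession failed: %lu", rv);
 		return (-1);
 	}
-	if (login_required && pin) {
-		rv = f->C_Login(session, CKU_USER,
-		    (u_char *)pin, strlen(pin));
-		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
-			error("C_Login failed: %lu", rv);
-			if ((rv = f->C_CloseSession(session)) != CKR_OK)
-				error("C_CloseSession failed: %lu", rv);
-			return (-1);
+	if (login_required) {
+		if (pin) {
+			rv = f->C_Login(session, CKU_USER,
+				(u_char *)pin, strlen(pin));
+			if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
+				error("C_Login failed: %lu", rv);
+				if ((rv = f->C_CloseSession(session)) != CKR_OK)
+					error("C_CloseSession failed: %lu", rv);
+				return (-1);
+			}
+			p->slotinfo[slotidx].logged_in = 1;
+		} else if (pkcs11_interactive) {
+			p->slotinfo[slotidx].session = session;
+			if (pkcs11_do_login(f, &(p->slotinfo[slotidx])) != 0)
+				return (0); // do not treat failed login as fatal
 		}
-		p->slotinfo[slotidx].logged_in = 1;
 	}
 	p->slotinfo[slotidx].session = session;
 	return (0);
@@ -404,10 +420,14 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
     struct sshkey ***keysp, int *nkeys)
 {
 	CK_OBJECT_CLASS	pubkey_class = CKO_PUBLIC_KEY;
+	CK_OBJECT_CLASS	private_class = CKO_PRIVATE_KEY;
 	CK_OBJECT_CLASS	cert_class = CKO_CERTIFICATE;
 	CK_ATTRIBUTE		pubkey_filter[] = {
 		{ CKA_CLASS, NULL, sizeof(pubkey_class) }
 	};
+	CK_ATTRIBUTE		private_filter[] = {
+		{ CKA_CLASS, NULL, sizeof(private_class) }
+	};
 	CK_ATTRIBUTE		cert_filter[] = {
 		{ CKA_CLASS, NULL, sizeof(cert_class) }
 	};
@@ -416,17 +436,25 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
 		{ CKA_MODULUS, NULL, 0 },
 		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
 	};
+	CK_ATTRIBUTE		*private_attribs = {
+		{ CKA_ID, NULL, 0 },
+		{ CKA_MODULUS, NULL, 0 },
+		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
+	};
 	CK_ATTRIBUTE		cert_attribs[] = {
 		{ CKA_ID, NULL, 0 },
 		{ CKA_SUBJECT, NULL, 0 },
 		{ CKA_VALUE, NULL, 0 }
 	};
 	pubkey_filter[0].pValue = &pubkey_class;
+	private_filter[0].pValue = &private_class;
 	cert_filter[0].pValue = &cert_class;
 
 	if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,
 	    keysp, nkeys) < 0 ||
 	    pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,
+	    keysp, nkeys) < 0 ||
+	    pkcs11_fetch_keys_filter(p, slotidx, private_filter, private_attribs,
 	    keysp, nkeys) < 0)
 		return (-1);
 	return (0);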
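Review bot: In the last hunk of pkcs11_fetch_keys, `CK_ATTRIBUTE		*private_attribs = {` declares a single pointer but initialises it with a brace list of three CK_ATTRIBUTE aggregates, which does not compile as the array the third pkcs11_fetch_keys_filter call passes; it should be declared `CK_ATTRIBUTE		private_attribs[] = {` exactly like pubkey_attribs and cert_attribs above it. In pkcs11_open_session the interactive branch keeps the session open and returns 0 when pkcs11_do_login fails, while the explicit-PIN branch closes the session and returns -1; that asymmetry appears intended per the comment, but `// do not treat failed login as fatal` should be a `/* */` comment and pkcs11_do_login's `return 0;` should be `return (0);` to match the rest of the file. Whether CKO_PRIVATE_KEY objects are enumerable by C_FindObjects before C_Login is token-dependent, so the new private_filter pass presumably only yields keys when the slot was logged in by pkcs11_open_session first; a one-line comment at that call site stating this would help the next reader.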
