Bugzilla – Attachment 2890 Details for
Bug 2638
Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
[PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
file_2638.txt (text/plain), 3.42 KB, created by
Jakub Jelen
on 2016-11-11 22:09:12 AEDT
(
hide
)
Description:
[PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2016-11-11 22:09:12 AEDT
Size:
3.42 KB
patch
obsolete
>From ca09541b165f00a84236a400dab170d87a0c3ee2 Mon Sep 17 00:00:00 2001 >From: Jakub Jelen <jjelen@redhat.com> >Date: Thu, 13 Oct 2016 10:48:12 +0200 >Subject: [PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the > private objects > > * PKCS#11 does not require PIN for the first private key operation > * ssh process is using only single operation > * The second operation fails, unless reauthenticated before > * ssh-agent process can sign more authentication requests > * ssh-agent can get PIN using SSH_ASKPASS prompt > * we can't read the attribute before we do use the key (private) > * we could cache the attribute by modifying storage structures >--- > ssh-pkcs11.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 48 insertions(+), 1 deletion(-) > >diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c >index 2612444..470fad8 100644 >--- a/ssh-pkcs11.c >+++ b/ssh-pkcs11.c >@@ -252,6 +252,49 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr, > return (ret); > } > >+int >+pkcs11_always_authenticate(struct pkcs11_provider *p, >+ struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj) >+{ >+ CK_RV rv; >+ CK_FUNCTION_LIST *f; >+ CK_SESSION_HANDLE session; >+ CK_BBOOL always_authenticate = 0; >+ CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1}; >+ char *pin = NULL, prompt[1024]; >+ >+ f = p->function_list; >+ session = si->session; >+ rv = f->C_GetAttributeValue(session, obj, &(template), 1); >+ if (rv != CKR_OK || always_authenticate == CK_FALSE) { >+ /* not needed */ >+ return (0); >+ } >+ >+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) >+ verbose("Deferring PIN entry to reader keypad."); >+ else { >+ snprintf(prompt, sizeof(prompt), >+ "Enter PIN for '%s': ", si->token.label); >+ pin = read_passphrase(prompt, RP_ALLOW_EOF); >+ if (pin == NULL) >+ return (-1); /* bail out */ >+ } >+ /* context specific login */ >+ rv = f->C_Login(session, CKU_CONTEXT_SPECIFIC, (u_char *)pin, >+ (pin != NULL) ? strlen(pin) : 0); >+ >+ if (pin != NULL) { >+ explicit_bzero(pin, strlen(pin)); >+ free(pin); >+ } >+ if (rv != CKR_OK) { >+ return (-1); >+ } >+ /* authentication successful */ >+ return (0); >+} >+ > /* openssl callback doing the actual signing operation */ > static int > pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, >@@ -274,7 +317,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, > {CKA_SIGN, NULL, sizeof(true_val) } > }; > char *pin = NULL, prompt[1024]; >- int rval = -1; >+ int rval = -1, login_performed = 0; > > key_filter[0].pValue = &private_key_class; > key_filter[2].pValue = &true_val; >@@ -316,6 +359,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, > return (-1); > } > si->logged_in = 1; >+ login_performed = 1; > } > key_filter[1].pValue = k11->keyid; > key_filter[1].ulValueLen = k11->keyid_len; >@@ -325,6 +369,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, > error("cannot find private key"); > } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { > error("C_SignInit failed: %lu", rv); >+ } else if (!login_performed && >+ pkcs11_always_authenticate(k11->provider, si, obj) < 0) { >+ error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object"); > } else { > /* XXX handle CKR_BUFFER_TOO_SMALL */ > tlen = RSA_size(rsa); >-- >2.7.4
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 2638
:
2890
|
3033
|
3225