Attachment 2890 Details for Bug 2638 – [PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

[patch] [PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects

file_2638.txt (text/plain), 3.42 KB, created by Jakub Jelen on 2016-11-11 22:09:12 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Jakub Jelen

Created: 2016-11-11 22:09:12 AEDT

Size: 3.42 KB

patch

obsolete

>From ca09541b165f00a84236a400dab170d87a0c3ee2 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 13 Oct 2016 10:48:12 +0200
>Subject: [PATCH] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the
> private objects
>
> * PKCS#11 does not require PIN for the first private key operation
>   * ssh  process is using only single operation
> * The second operation fails, unless reauthenticated before
>   * ssh-agent  process can sign more authentication requests
>   * ssh-agent  can get PIN using SSH_ASKPASS prompt
> * we can't read the attribute before we do use the key (private)
>   * we could cache the attribute by modifying storage structures
>---
> ssh-pkcs11.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 2612444..470fad8 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -252,6 +252,49 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> 	return (ret);
> }
> 
>+int
>+pkcs11_always_authenticate(struct pkcs11_provider *p,
>+    struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj)
>+{
>+	CK_RV			rv;
>+	CK_FUNCTION_LIST	*f;
>+	CK_SESSION_HANDLE	session;
>+	CK_BBOOL		always_authenticate = 0;
>+	CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1};
>+	char			*pin = NULL, prompt[1024];
>+
>+	f = p->function_list;
>+	session = si->session;
>+	rv = f->C_GetAttributeValue(session, obj, &(template), 1);
>+	if (rv != CKR_OK || always_authenticate == CK_FALSE) {
>+		/* not needed */
>+		return (0);
>+	}
>+
>+	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+		verbose("Deferring PIN entry to reader keypad.");
>+	else {
>+		snprintf(prompt, sizeof(prompt),
>+		    "Enter PIN for '%s': ", si->token.label);
>+		pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+		if (pin == NULL)
>+			return (-1);	/* bail out */
>+	}
>+	/* context specific login */
>+	rv = f->C_Login(session, CKU_CONTEXT_SPECIFIC, (u_char *)pin,
>+		(pin != NULL) ? strlen(pin) : 0);
>+
>+	if (pin != NULL) {
>+		explicit_bzero(pin, strlen(pin));
>+		free(pin);
>+	}
>+	if (rv != CKR_OK) {
>+		return (-1);
>+	}
>+	/* authentication successful */
>+	return (0);
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>@@ -274,7 +317,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> 		{CKA_SIGN, NULL, sizeof(true_val) }
> 	};
> 	char			*pin = NULL, prompt[1024];
>-	int			rval = -1;
>+	int			rval = -1, login_performed = 0;
> 
> 	key_filter[0].pValue = &private_key_class;
> 	key_filter[2].pValue = &true_val;
>@@ -316,6 +359,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> 			return (-1);
> 		}
> 		si->logged_in = 1;
>+		login_performed = 1;
> 	}
> 	key_filter[1].pValue = k11->keyid;
> 	key_filter[1].ulValueLen = k11->keyid_len;
>@@ -325,6 +369,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> 		error("cannot find private key");
> 	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
> 		error("C_SignInit failed: %lu", rv);
>+	} else if (!login_performed &&
>+	    pkcs11_always_authenticate(k11->provider, si, obj) < 0) {
>+		error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object");
> 	} else {
> 		/* XXX handle CKR_BUFFER_TOO_SMALL */
> 		tlen = RSA_size(rsa);
>-- 
>2.7.4

Actions: View | Diff

Attachments on bug 2638: 2890 | 3033 | 3225