Bugzilla – Attachment 3033 Details for
Bug 2638
Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
[patch]
patch sharing the login code
file_2638.txt (text/plain), 3.61 KB, created by
Jakub Jelen
on 2017-08-11 20:36:57 AEST
Description:
patch sharing the login code
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2017-08-11 20:36:57 AEST
Size:
3.61 KB
patch
obsolete
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 22252700..a99d3388 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -216,6 +216,61 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> return (ret);
> }
> 
>+int
>+pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si,
>+ int login_type)
>+{
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ char *pin = NULL, prompt[1024];
>+
>+ f = p->function_list;
>+
>+ if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+ verbose("Deferring PIN entry to reader keypad.");
>+ else {
>+ snprintf(prompt, sizeof(prompt),
>+ "Enter PIN for '%s': ", si->token.label);
>+ pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+ if (pin == NULL)
>+ return (-1); /* bail out */
>+ }
>+ /* context specific login */
>+ rv = f->C_Login(si->session, login_type, (u_char *)pin,
>+ (pin != NULL) ? strlen(pin) : 0);
>+
>+ if (pin != NULL) {
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+ }
>+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+ error("C_Login failed: %lu", rv);
>+ return (-1);
>+ }
>+ /* authentication successful */
>+ return (0);
>+}
>+
>+int
>+pkcs11_always_authenticate(struct pkcs11_provider *p,
>+ struct pkcs11_slotinfo *si, CK_OBJECT_HANDLE obj)
>+{
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ CK_BBOOL always_authenticate = 0;
>+ CK_ATTRIBUTE template = { CKA_ALWAYS_AUTHENTICATE, &always_authenticate, 1};
>+
>+ f = p->function_list;
>+
>+ rv = f->C_GetAttributeValue(si->session, obj, &(template), 1);
>+ if (rv != CKR_OK || always_authenticate == CK_FALSE) {
>+ /* not needed */
>+ return (0);
>+ }
>+
>+ return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC);
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, 
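Review bot: Both new helpers are given external linkage while the rest of this file's functions are `static` (the `static int pkcs11_rsa_private_encrypt` at the end of the hunk is one example), so they should be declared `static int pkcs11_login(...)` and `static int pkcs11_always_authenticate(...)` to keep them out of the global namespace. The `/* context specific login */` comment in pkcs11_login is misleading now that the same function performs the CKU_USER login too; something like `/* login_type is CKU_USER for the initial login or CKU_CONTEXT_SPECIFIC for a per-use re-authentication */` would describe the actual contract. With both paths sharing the identical "Enter PIN for '%s': " prompt, a user of an always-authenticate key sees two indistinguishable PIN prompts in a row; the CKU_CONTEXT_SPECIFIC case deserves a prompt that says it is a re-authentication for the key. In pkcs11_always_authenticate, any C_GetAttributeValue failure is silently mapped to "not needed", which is reasonable for pre-v2.20 tokens that answer CKR_ATTRIBUTE_TYPE_INVALID, but other errors should at least be logged with `debug("C_GetAttributeValue(CKA_ALWAYS_AUTHENTICATE) failed: %lu", rv);` so a later CKR_USER_NOT_LOGGED_IN from C_Sign can be diagnosed.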
>@@ -237,8 +292,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> {CKA_ID, NULL, 0},
> {CKA_SIGN, NULL, sizeof(true_val) }
> };
>- char *pin = NULL, prompt[1024];
>- int rval = -1;
>+ int rval = -1, login_performed = 0;
> 
> key_filter[0].pValue = &private_key_class;
> key_filter[2].pValue = &true_val;
>@@ -260,26 +314,11 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> " on reader keypad" : "");
> return (-1);
> }
>- if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>- verbose("Deferring PIN entry to reader keypad.");
>- else {
>- snprintf(prompt, sizeof(prompt),
>- "Enter PIN for '%s': ", si->token.label);
>- pin = read_passphrase(prompt, RP_ALLOW_EOF);
>- if (pin == NULL)
>- return (-1); /* bail out */
>- }
>- rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>- (pin != NULL) ? strlen(pin) : 0);
>- if (pin != NULL) {
>- explicit_bzero(pin, strlen(pin));
>- free(pin);
>- }
>- if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>- error("C_Login failed: %lu", rv);
>+
>+ if (pkcs11_login(k11->provider, si, CKU_USER) < 0)
> return (-1);
>- }
> si->logged_in = 1;
>+ login_performed = 1;
> }
> key_filter[1].pValue = k11->keyid;
> key_filter[1].ulValueLen = k11->keyid_len;
>@@ -289,6 +328,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> error("cannot find private key");
> } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
> error("C_SignInit failed: %lu", rv);
>+ } else if (!login_performed &&
>+ pkcs11_always_authenticate(k11->provider, si, obj) < 0) {
>+ error("Failed to re-authenticate to access ALWAYS_AUTHENTICATE object");
> } else {
> /* XXX handle CKR_BUFFER_TOO_SMALL */
> tlen = RSA_size(rsa);
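Review bot: The `login_performed = 1;` set right after the CKU_USER login is later used to skip the context-specific login entirely, which assumes a token accepts the first signature with a CKA_ALWAYS_AUTHENTICATE key on the strength of the user login that just happened. PKCS#11 v2.20 describes the CKU_CONTEXT_SPECIFIC login as something the application performs after C_SignInit for each use of such a key, so whether the fresh user login is enough presumably depends on the provider and card; if the shortcut is kept, it should say why it is believed safe, e.g. `/* a CKU_USER login in this same call is taken to satisfy CKA_ALWAYS_AUTHENTICATE for the signature that follows; tokens that insist on a context-specific login per operation would need this check dropped */`. The enclosing pkcs11_rsa_private_encrypt starts before this hunk and ends after it.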
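Review bot: When pkcs11_always_authenticate fails in the new `else if` branch (a mistyped PIN being the common case), the signing operation that C_SignInit just started on `si->session` is never terminated, because no C_Sign follows; providers that enforce a single active operation per session may then answer the next C_SignInit with CKR_OPERATION_ACTIVE, leaving the key unusable in this agent until the session is reopened. The pre-existing error paths did not have this problem since C_Sign itself terminates the operation on failure, so this is a new failure mode introduced between C_SignInit and C_Sign. It would be worth either clearing the pending operation on this path (for example by closing and reopening the session, or by a deliberate C_Sign call whose failure terminates the operation) or at least documenting the limitation with `/* NOTE: the C_SignInit operation remains active on the session after a failed re-authentication */`. The enclosing pkcs11_rsa_private_encrypt continues past the end of this hunk.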