Attachment 3130 Details for Bug 2430 – Try to login, if the first attempt does not return any keys

[patch] Try to login, if the first attempt does not return any keys

openssh_private.patch (text/plain), 3.21 KB, created by Jakub Jelen on 2018-02-27 03:28:36 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Jakub Jelen

Created: 2018-02-27 03:28:36 AEDT

Size: 3.21 KB

patch

obsolete

>commit f6470692700506f78349fcb08ba036ebb310ab8d
>Author: Jakub Jelen <jjelen@redhat.com>
>Date:   Mon Feb 26 15:38:48 2018 +0100
>
>    Try to login, if there are no keys returned without it
>
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 3977393c..7eb0bac2 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -216,6 +216,40 @@ pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
> 	return (ret);
> }
> 
>+int
>+pkcs11_login(struct pkcs11_provider *p, struct pkcs11_slotinfo *si,
>+    int login_type)
>+{
>+	CK_RV			rv;
>+	CK_FUNCTION_LIST	*f;
>+	char			*pin = NULL, prompt[1024];
>+
>+	f = p->function_list;
>+
>+	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>+		verbose("Deferring PIN entry to reader keypad.");
>+	else {
>+		snprintf(prompt, sizeof(prompt),
>+		    "Enter PIN for '%s': ", si->token.label);
>+		pin = read_passphrase(prompt, RP_ALLOW_EOF);
>+		if (pin == NULL)
>+			return (-1);	/* bail out */
>+	}
>+	rv = f->C_Login(si->session, login_type, (u_char *)pin,
>+		(pin != NULL) ? strlen(pin) : 0);
>+
>+	if (pin != NULL) {
>+		explicit_bzero(pin, strlen(pin));
>+		free(pin);
>+	}
>+	if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>+		error("C_Login failed: %lu", rv);
>+		return (-1);
>+	}
>+	/* authentication successful */
>+	return (0);
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>@@ -237,7 +271,6 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> 		{CKA_ID, NULL, 0},
> 		{CKA_SIGN, NULL, sizeof(true_val) }
> 	};
>-	char			*pin = NULL, prompt[1024];
> 	int			rval = -1;
> 
> 	key_filter[0].pValue = &private_key_class;
>@@ -260,25 +293,8 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> 			    " on reader keypad" : "");
> 			return (-1);
> 		}
>-		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
>-			verbose("Deferring PIN entry to reader keypad.");
>-		else {
>-			snprintf(prompt, sizeof(prompt),
>-			    "Enter PIN for '%s': ", si->token.label);
>-			pin = read_passphrase(prompt, RP_ALLOW_EOF);
>-			if (pin == NULL)
>-				return (-1);	/* bail out */
>-		}
>-		rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
>-		    (pin != NULL) ? strlen(pin) : 0);
>-		if (pin != NULL) {
>-			explicit_bzero(pin, strlen(pin));
>-			free(pin);
>-		}
>-		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>-			error("C_Login failed: %lu", rv);
>+		if (pkcs11_login(k11->provider, si, CKU_USER) < 0)
> 			return (-1);
>-		}
> 		si->logged_in = 1;
> 	}
> 	key_filter[1].pValue = k11->keyid;
>@@ -689,8 +705,15 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp)
> 		    token->label, token->manufacturerID, token->model,
> 		    token->serialNumber, token->flags);
> 		/* open session, login with pin and retrieve public keys */
>-		if (pkcs11_open_session(p, i, pin) == 0)
>+		if (pkcs11_open_session(p, i, pin) == 0) {
> 			pkcs11_fetch_keys(p, i, keyp, &nkeys);
>+			/* if we don't get any keys try to prompt for PIN */
>+			if (nkeys == 0 && pin == NULL &&
>+			    pkcs11_login(p, &p->slotinfo[i], CKU_USER) == 0) {
>+				pkcs11_fetch_keys(p, i, keyp, &nkeys);
>+				p->slotinfo[i].logged_in = 1;
>+			}
>+		}
> 	}
> 	if (nkeys > 0) {
> 		TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);

Actions: View | Diff

Attachments on bug 2430: 3130 | 3133 | 3279