Bugzilla – Attachment 3196 Details for
Bug 2890
ssh-agent should not fail after removing and inserting smart card
[patch]
proposed patch
openssh_agent.patch (text/plain), 4.50 KB, created by
Jakub Jelen
on 2018-10-26 22:24:27 AEDT
Description:
proposed patch
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2018-10-26 22:24:27 AEDT
Size:
4.50 KB
patch
obsolete
>From bc521231c9e466ddacebdb5c7bfe0e82c309a2ed Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 25 Oct 2018 17:25:27 +0200
>Subject: [PATCH] pkcs11: Detect the card removal from pkcs11-helper and prompt
> for a new PIN
>
>This introduces a check in pkcs11-helper verifying the smart card is ready
>to sign data (was not removed since last invocation). If it was, the new
>code tries to ask a user for the PIN (using askpass program if defined)
>and reauthenticate the card, rather than fail hard.
>
>Signed-off: Jakub Jelen <jjelen@redhat.com
>Pair-programmed-with: Nikos Mavrogiannopoulos <nmav@redhat.com>
>---
> ssh-pkcs11-helper.c | 1 +
> ssh-pkcs11.c | 99 +++++++++++++++++++++++++++++++++++++++++++++
> ssh-pkcs11.h | 1 +
> 3 files changed, 101 insertions(+)
>
>diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
>index 6301033c..5bf22c7a 100644
>--- a/ssh-pkcs11-helper.c
>+++ b/ssh-pkcs11-helper.c
>@@ -194,6 +194,7 @@ process_sign(void)
> #ifdef WITH_OPENSSL
> int ret;
>
>+ pkcs11_refresh_key(found);
> slen = RSA_size(key->rsa);
> signature = xmalloc(slen);
> if ((ret = RSA_private_encrypt(dlen, data, signature,
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index b6575ea6..767d05a4 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -73,6 +73,10 @@ struct pkcs11_key {
> int keyid_len;
> };
>
>+static int pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin);
>+static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, struct sshkey ***keysp, int *nkeys);
>+static int pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key);
>+
> int pkcs11_interactive = 0;
>
> int
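Review bot: The result of `pkcs11_refresh_key(found)` in process_sign (ssh-pkcs11-helper.c) is discarded, so when the token is absent, the PIN prompt is cancelled, or the re-inserted card does not hold the key, the code still goes on to `RSA_size(key->rsa)` and `RSA_private_encrypt`. The call should gate the signing attempt, for example `if (pkcs11_refresh_key(found) == 0) {` around it, with the function's existing failure reply used otherwise. process_sign starts and ends outside the hunk, so whether `found` has already been checked for NULL and how a failure is reported to the client are not visible here.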
>@@ -272,6 +276,101 @@ pkcs11_always_authenticate(struct pkcs11_provider *p,
> return pkcs11_login(p, si, CKU_CONTEXT_SPECIFIC);
> }
>
>+int pkcs11_key_is_present(struct pkcs11_key *k11)
>+{
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ CK_SLOT_INFO info;
>+ CK_TOKEN_INFO tokeninfo;
>+ CK_SESSION_HANDLE session;
>+ CK_SESSION_INFO sessioninfo;
>+
>+ f = k11->provider->function_list;
>+ rv = f->C_GetSlotInfo(k11->slotidx, &info);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this slot */
>+ return -1;
>+ }
>+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
>+ return -1;
>+ }
>+
>+ rv = f->C_GetTokenInfo(k11->slotidx, &tokeninfo);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this token */
>+ return -1;
>+ }
>+ /* TODO check if the fields of the tokeninfo match the stored values */
>+
>+ session = k11->provider->slotinfo[k11->slotidx].session;
>+ rv = f->C_GetSessionInfo(session, &sessioninfo);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this session */
>+ return -1;
>+ }
>+ if (sessioninfo.slotID != k11->slotidx) {
>+ return -1;
>+ }
>+ return 0;
>+}
>+
>+static int pkcs11_reload_key(struct sshkey *key, struct pkcs11_key *k11)
>+{
>+ unsigned char *pin = NULL;
>+ int r, i;
>+ struct sshkey **keysp = NULL;
>+ int nkeys = 0;
>+
>+ /* No need to C_CloseSession(): It is already invalidated */
>+
>+ pin = read_passphrase("Enter PIN for smart card", RP_USE_ASKPASS);
>+ if (!pin)
>+ return -1;
>+
>+ r = pkcs11_open_session(k11->provider, k11->slotidx, pin);
>+
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+
>+ if (r == -1)
>+ return -1;
>+
>+ /* Check that the key we are using is present in the current card */
>+ r = pkcs11_fetch_keys(k11->provider, k11->slotidx, &keysp, &nkeys);
>+ if (r < 0)
>+ return -1;
>+
>+ r = -1;
>+ if (pkcs11_key_included(&keysp, &nkeys, key) == 1)
>+ r = 0;
>+
>+ /* clean up the keys */
>+ for (i = 0; i < nkeys; i++)
>+ sshkey_free(keysp[i]);
>+ free(keysp);
>+ return r;
>+}
>+
>+int pkcs11_refresh_key(struct sshkey *key)
>+{
>+ struct pkcs11_key *k11;
>+
>+ if ((k11 = RSA_get_app_data(key->rsa)) == NULL) {
>+ error("RSA_get_app_data failed for rsa %p", key->rsa);
>+ return (-1);
>+ }
>+ if (!k11->provider || !k11->provider->valid) {
>+ error("no pkcs11 (valid) provider for rsa %p", key->rsa);
>+ return (-1);
>+ }
>+
>+ if (pkcs11_key_is_present(k11) == -1)
>+ if (pkcs11_reload_key(key, k11) == -1)
>+ return -1;
>+
>+ return 0;
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
>index 0ced74f2..df2609a4 100644
>--- a/ssh-pkcs11.h
>+++ b/ssh-pkcs11.h
>@@ -18,6 +18,7 @@ int pkcs11_init(int);
> void pkcs11_terminate(void);
> int pkcs11_add_provider(char *, char *, struct sshkey ***);
> int pkcs11_del_provider(char *);
>+int pkcs11_refresh_key(struct sshkey *);
>
> #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
> #undef ENABLE_PKCS11
>--
>2.17.2
>
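Review bot: In `pkcs11_reload_key` (ssh-pkcs11.c) the PIN is handed to `pkcs11_open_session` before anything confirms that the token now in the slot is the one that held the key; the only identity check, `pkcs11_key_included`, runs afterwards, and `pkcs11_key_is_present` leaves the token-info comparison as a TODO. If `pkcs11_open_session` logs in with that PIN (its body is not in the hunk), a different card receives the user's PIN and may count a failed attempt, so the stored token fields should be compared before prompting, and the prompt text should name the token or provider. `pkcs11_key_is_present` also passes `k11->slotidx` to `C_GetSlotInfo` and `C_GetTokenInfo` and compares it with `sessioninfo.slotID`, while the same value indexes `slotinfo[]`; if it is an index rather than a `CK_SLOT_ID`, it needs translating through the provider's slot list first. Smaller points: `pin` should be declared `char *pin` to match `strlen` and the `char *pin` prototype, and `pkcs11_key_is_present` should be `static` since ssh-pkcs11.h does not declare it.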