
(-)a/ssh-pkcs11.c (-10 / +32 lines)
Lines 231-251 pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr, Link Here
231
}
231
}
232
232
233
static int
233
static int
234
pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
234
pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si,
235
    CK_USER_TYPE type)
235
{
236
{
236
	struct pkcs11_slotinfo	*si;
237
	CK_FUNCTION_LIST	*f;
238
	char			*pin = NULL, prompt[1024];
237
	char			*pin = NULL, prompt[1024];
239
	CK_RV			 rv;
238
	CK_RV			 rv;
240
239
241
	if (!k11->provider || !k11->provider->valid) {
240
	if (provider == NULL || si == NULL || !provider->valid) {
242
		error("no pkcs11 (valid) provider found");
241
		error("no pkcs11 (valid) provider found");
243
		return (-1);
242
		return (-1);
244
	}
243
	}
245
244
246
	f = k11->provider->function_list;
247
	si = &k11->provider->slotinfo[k11->slotidx];
248
249
	if (!pkcs11_interactive) {
245
	if (!pkcs11_interactive) {
250
		error("need pin entry%s",
246
		error("need pin entry%s",
251
		    (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ?
247
		    (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ?
Lines 262-268 pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type) Link Here
262
			return (-1);	/* bail out */
258
			return (-1);	/* bail out */
263
		}
259
		}
264
	}
260
	}
265
	rv = f->C_Login(si->session, type, (u_char *)pin,
261
	rv = provider->function_list->C_Login(si->session, type, (u_char *)pin,
266
	    (pin != NULL) ? strlen(pin) : 0);
262
	    (pin != NULL) ? strlen(pin) : 0);
267
	if (pin != NULL)
263
	if (pin != NULL)
268
		freezero(pin, strlen(pin));
264
		freezero(pin, strlen(pin));
Lines 274-279 pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type) Link Here
274
	return (0);
270
	return (0);
275
}
271
}
276
272
273
static int
274
pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
275
{
276
	if (k11 == NULL || k11->provider == NULL || !k11->provider->valid) {
277
		error("no pkcs11 (valid) provider found");
278
		return (-1);
279
	}
280
281
	return pkcs11_login_slot(k11->provider,
282
	    &k11->provider->slotinfo[k11->slotidx], type);
283
}
284
285
277
static int
286
static int
278
pkcs11_check_obj_bool_attrib(struct pkcs11_key *k11, CK_OBJECT_HANDLE obj,
287
pkcs11_check_obj_bool_attrib(struct pkcs11_key *k11, CK_OBJECT_HANDLE obj,
279
    CK_ATTRIBUTE_TYPE type, int *val)
288
    CK_ATTRIBUTE_TYPE type, int *val)
Lines 1540-1548 pkcs11_register_provider(char *provider_id, char *pin, struct sshkey ***keyp, Link Here
1540
		 * open session, login with pin and retrieve public
1549
		 * open session, login with pin and retrieve public
1541
		 * keys (if keyp is provided)
1550
		 * keys (if keyp is provided)
1542
		 */
1551
		 */
1543
		if ((ret = pkcs11_open_session(p, i, pin, user)) == 0) {
1552
		if ((ret = pkcs11_open_session(p, i, pin, user)) != 0 ||
1544
			if (keyp == NULL)
1553
		    keyp == NULL)
1554
			continue;
1555
		pkcs11_fetch_keys(p, i, keyp, &nkeys);
1556
		pkcs11_fetch_certs(p, i, keyp, &nkeys);
1557
		if (nkeys == 0 && !p->slotinfo[i].logged_in &&
1558
		    pkcs11_interactive) {
1559
			/*
1560
			 * Some tokens require login before they will
1561
			 * expose keys.
1562
			 */
1563
			if (pkcs11_login_slot(p, &p->slotinfo[i],
1564
			    CKU_USER) < 0) {
1565
				error("login failed");
1545
				continue;
1566
				continue;
1567
			}
1546
			pkcs11_fetch_keys(p, i, keyp, &nkeys);
1568
			pkcs11_fetch_keys(p, i, keyp, &nkeys);
1547
			pkcs11_fetch_certs(p, i, keyp, &nkeys);
1569
			pkcs11_fetch_certs(p, i, keyp, &nkeys);
1548
		}
1570
		}
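Review bot: In the pkcs11_register_provider hunk, the retry condition `nkeys == 0` appears to test a running total rather than this slot's result, since the same `&nkeys` is passed for every `i`. Once an earlier slot has produced a key, a later token that hides its objects until login would never reach `pkcs11_login_slot`. Save the count in a local before the first `pkcs11_fetch_keys` call and test `nkeys == saved && !p->slotinfo[i].logged_in && pkcs11_interactive` instead. As written, the PIN prompt also fires for a token that is simply empty, and a wrong PIN entered there counts against the token's retry limit; consider also requiring `p->slotinfo[i].token.flags & CKF_LOGIN_REQUIRED` if the affected tokens set that flag. The slot loop and the declaration of `nkeys` are outside the hunk, so confirm the cumulative-count reading there.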
