Bugzilla – Attachment 3369 Details for
Bug 2890
ssh-agent should not fail after removing and inserting smart card
[patch]
updated patch, March 2020
updated-patch-march-2020 (text/plain), 4.63 KB, created by
Jacob Hoffman-Andrews
on 2020-03-18 14:12:01 AEDT
Description:
updated patch, March 2020
Filename:
MIME Type:
Creator:
Jacob Hoffman-Andrews
Created:
2020-03-18 14:12:01 AEDT
Size:
4.63 KB
patch
obsolete
>From 16f960d82ee16a8f706fdaf3d2c0f11cf1406810 Mon Sep 17 00:00:00 2001
>From: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
>Date: Tue, 17 Mar 2020 20:01:49 -0700
>Subject: [PATCH 2/2] This introduces a check in pkcs11-helper verifying the
> smart card is ready to sign data (was not removed since last invocation). If
> it was, the new code tries to ask a user for the PIN (using askpass program
> if defined) and reauthenticate the card, rather than fail hard.
>
>Originally by Jakub Jelen <jjelen@redhat.com> and
>Nikos Mavrogiannopoulos <nmav@redhat.com>. Brought up to date as of
>2020-03-17 by Jacob Hoffman-Andrews <jsha@letsencrypt.org>.
>---
> ssh-pkcs11-helper.c | 1 +
> ssh-pkcs11.c | 100 ++++++++++++++++++++++++++++++++++++++++++++
> ssh-pkcs11.h | 1 +
> 3 files changed, 102 insertions(+)
>
>diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
>index 5706c4a9..d237547f 100644
>--- a/ssh-pkcs11-helper.c
>+++ b/ssh-pkcs11-helper.c
>@@ -206,6 +206,7 @@ process_sign(void)
> if ((found = lookup_key(key)) != NULL) {
> #ifdef WITH_OPENSSL
> int ret;
>+ pkcs11_refresh_key(found);
>
> if (key->type == KEY_RSA) {
> slen = RSA_size(key->rsa);
>diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>index 20739a01..e494a4aa 100644
>--- a/ssh-pkcs11.c
>+++ b/ssh-pkcs11.c
>@@ -76,6 +76,10 @@ struct pkcs11_key {
> int keyid_len;
> };
>
>+static int pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin, CK_ULONG user);
>+static int pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, struct sshkey ***keysp, char ***labelsp, int *nkeys);
>+static int pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key);
>+
> int pkcs11_interactive = 0;
>
> #ifdef HAVE_EC_KEY_METHOD_NEW
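Review bot: The return value of `pkcs11_refresh_key(found);` in process_sign is discarded, so a failed refresh (no PIN obtained, session not reopened, key no longer on the card) still falls through to the `key->type == KEY_RSA` signing path and presumably fails there with a less specific error; the call should be checked, e.g. `if (pkcs11_refresh_key(found) != 0)` followed by the function's existing failure exit, which lies outside this hunk. The call is also made before the key-type test, while pkcs11_refresh_key in the ssh-pkcs11.c hunk reads `key->rsa` unconditionally via RSA_get_app_data; given the EC support this file has (HAVE_EC_KEY_METHOD_NEW), an EC key's `rsa` member is presumably NULL, so the refresh should either be dispatched on `key->type` or moved inside the RSA branch. The same point applies to the pkcs11_refresh_key definition in the ssh-pkcs11.c hunk.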
>@@ -417,6 +421,102 @@ pkcs11_get_key(struct pkcs11_key *k11, CK_MECHANISM_TYPE mech_type)
> return (0);
> }
>
>+int pkcs11_key_is_present(struct pkcs11_key *k11)
>+{
>+ CK_RV rv;
>+ CK_FUNCTION_LIST *f;
>+ CK_SLOT_INFO info;
>+ CK_TOKEN_INFO tokeninfo;
>+ CK_SESSION_HANDLE session;
>+ CK_SESSION_INFO sessioninfo;
>+
>+ f = k11->provider->function_list;
>+ rv = f->C_GetSlotInfo(k11->slotidx, &info);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this slot */
>+ return -1;
>+ }
>+ if (!(info.flags & CKF_TOKEN_PRESENT)) {
>+ return -1;
>+ }
>+
>+ rv = f->C_GetTokenInfo(k11->slotidx, &tokeninfo);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this token */
>+ return -1;
>+ }
>+ /* TODO check if the fields of the tokeninfo match the stored values */
>+
>+ session = k11->provider->slotinfo[k11->slotidx].session;
>+ rv = f->C_GetSessionInfo(session, &sessioninfo);
>+ if (rv != CKR_OK) {
>+ /* The cryptoki is not ready to work with this session */
>+ return -1;
>+ }
>+ if (sessioninfo.slotID != k11->slotidx) {
>+ return -1;
>+ }
>+ return 0;
>+}
>+
>+static int pkcs11_reload_key(struct sshkey *key, struct pkcs11_key *k11)
>+{
>+ unsigned char *pin = NULL;
>+ int r, i;
>+ struct sshkey **keysp = NULL;
>+ int nkeys = 0;
>+
>+ /* No need to C_CloseSession(): It is already invalidated */
>+
>+ debug("reading passphrase");
>+ pin = read_passphrase("Enter PIN for smart card", RP_USE_ASKPASS);
>+ if (!pin)
>+ return -1;
>+
>+ r = pkcs11_open_session(k11->provider, k11->slotidx, pin, CKU_USER);
>+
>+ explicit_bzero(pin, strlen(pin));
>+ free(pin);
>+
>+ if (r == -1)
>+ return -1;
>+
>+ /* Check that the key we are using is present in the current card */
>+ r = pkcs11_fetch_keys(k11->provider, k11->slotidx, &keysp, NULL, &nkeys);
>+ if (r < 0)
>+ return -1;
>+
>+ r = -1;
>+ if (pkcs11_key_included(&keysp, &nkeys, key) == 1)
>+ r = 0;
>+
>+ /* clean up the keys */
>+ for (i = 0; i < nkeys; i++)
>+ sshkey_free(keysp[i]);
>+ free(keysp);
>+
>+ return r;
>+}
>+
>+int pkcs11_refresh_key(struct sshkey *key)
>+{
>+ struct pkcs11_key *k11;
>+
>+ if ((k11 = RSA_get_app_data(key->rsa)) == NULL) {
>+ error("RSA_get_app_data failed for rsa %p", key->rsa);
>+ return (-1);
>+ }
>+ if (!k11->provider || !k11->provider->valid) {
>+ error("no pkcs11 (valid) provider for rsa %p", key->rsa);
>+ return (-1);
>+ }
>+
>+ if (pkcs11_key_is_present(k11) == -1)
>+ if (pkcs11_reload_key(key, k11) == -1)
>+ return -1;
>+
>+ return 0;
>+}
>+
> /* openssl callback doing the actual signing operation */
> static int
> pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
>index 81f1d7c5..b3cf4b76 100644
>--- a/ssh-pkcs11.h
>+++ b/ssh-pkcs11.h
>@@ -26,6 +26,7 @@ int pkcs11_init(int);
> void pkcs11_terminate(void);
> int pkcs11_add_provider(char *, char *, struct sshkey ***, char ***);
> int pkcs11_del_provider(char *);
>+int pkcs11_refresh_key(struct sshkey *);
> #ifdef WITH_PKCS11_KEYGEN
> struct sshkey *
> pkcs11_gakp(char *, char *, unsigned int, char *, unsigned int,
>-- 
>2.20.1
>
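Review bot: pkcs11_key_is_present returns -1 from four distinct conditions (C_GetSlotInfo failure, CKF_TOKEN_PRESENT clear, C_GetTokenInfo failure, C_GetSessionInfo failure or slotID mismatch) without logging any of them, so when the caller then prompts the user for a PIN there is no record of whether the card was actually removed or the provider merely errored; a `debug("C_GetSlotInfo failed: %lu", rv);` before the first `return -1;`, and the equivalent for C_GetTokenInfo and C_GetSessionInfo, would make the reload path diagnosable. In pkcs11_reload_key, `pin` is declared `unsigned char *` but is assigned from read_passphrase, passed to `strlen` and passed to pkcs11_open_session's `char *pin` parameter (see the forward declaration in the earlier hunk); `char *pin = NULL;` matches all three uses and avoids the sign-mismatch warnings. On the path where `pkcs11_key_included(&keysp, &nkeys, key)` does not return 1, the session that pkcs11_open_session has just opened and logged in to is left open while -1 is returned, and the remaining TODO means a different token in the same slot whose session handle the provider still accepts would not trigger the reload at all; both deserve at least a comment at the `r = -1;` line, since the check's security rests on the key lookup in the reload path rather than on the presence test.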