[openssh-commits] [openssh] 05/05: upstream: revert unconditional forced login implemented in r1.41 of

git+noreply at mindrot.org git+noreply at mindrot.org
Tue Oct 1 20:24:48 AEST 2019


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 084682786d9275552ee93857cb36e43c446ce92c
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Tue Oct 1 10:22:53 2019 +0000

    upstream: revert unconditional forced login implemented in r1.41 of
    
    ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
    token returns no objects and this is less disruptive for users of tokens
    directly in ssh (rather than via ssh-agent) and in ssh-keygen
    
    bz3006, patch from Jakub Jelen; ok markus
    
    OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
---
 ssh-pkcs11.c | 31 +++++--------------------------
 1 file changed, 5 insertions(+), 26 deletions(-)

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index d4053ea8..09f1ea34 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
 	CK_FUNCTION_LIST	*f;
 	CK_RV			rv;
 	CK_SESSION_HANDLE	session;
-	int			login_required, have_pinpad, ret;
-	char			prompt[1024], *xpin = NULL;
+	int			login_required, ret;
 
 	f = p->function_list;
 	si = &p->slotinfo[slotidx];
 
-	have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH;
 	login_required = si->token.flags & CKF_LOGIN_REQUIRED;
 
 	/* fail early before opening session */
-	if (login_required && !have_pinpad && !pkcs11_interactive &&
+	if (login_required && !pkcs11_interactive &&
 	    (pin == NULL || strlen(pin) == 0)) {
 		error("pin required");
 		return (-SSH_PKCS11_ERR_PIN_REQUIRED);
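Review bot: With `have_pinpad` removed from the "fail early" guard, a login-required token that sets CKF_PROTECTED_AUTHENTICATION_PATH (PIN entered on the reader keypad) is now rejected with -SSH_PKCS11_ERR_PIN_REQUIRED whenever the caller is non-interactive and passes no PIN, although such a token never needs a PIN string. If keypad tokens are meant to keep working from non-interactive callers, the exemption could stay in this one condition: `if (login_required && !(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !pkcs11_interactive &&`. If the rejection is intended, the comment should say so, e.g. `/* fail early before opening session; keypad (protected-path) tokens need an interactive caller */`. Whether a later login path handles the keypad case cannot be seen here, as the body of pkcs11_open_session starts and ends outside the hunk.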
@@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
 		error("C_OpenSession failed: %lu", rv);
 		return (-1);
 	}
-	if (login_required) {
-		if (have_pinpad && (pin == NULL || strlen(pin) == 0)) {
-			/* defer PIN entry to the reader keypad */
-			rv = f->C_Login(session, CKU_USER, NULL_PTR, 0);
-		} else {
-			if (pkcs11_interactive) {
-				snprintf(prompt, sizeof(prompt),
-				    "Enter PIN for '%s': ", si->token.label);
-				if ((xpin = read_passphrase(prompt,
-				    RP_ALLOW_EOF)) == NULL) {
-					debug("%s: no pin specified",
-					    __func__);
-					return (-SSH_PKCS11_ERR_PIN_REQUIRED);
-				}
-				pin = xpin;
-			}
-			rv = f->C_Login(session, CKU_USER,
-			    (u_char *)pin, strlen(pin));
-			if (xpin != NULL)
-				freezero(xpin, strlen(xpin));
-		}
+	if (login_required && pin != NULL && strlen(pin) != 0) {
+		rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
 		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			error("C_Login failed: %lu", rv);
 			ret = (rv == CKR_PIN_LOCKED) ?
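Review bot: When the token requires login but `pin` is NULL or empty, the new `if (login_required && pin != NULL && strlen(pin) != 0)` skips C_Login and the function continues with an unauthenticated session, and nothing at this site says that is deliberate. The commit message points to a fallback login added in r1.45 for tokens that return no objects, but that code is outside this hunk. A comment above the `if` would make the contract explicit: `/* no PIN supplied: leave the session unauthenticated; login is retried later if the token exposes no objects */`. `user` is passed to C_Login without a visible declaration (presumably a parameter on the truncated signature line), and the C_Login error branch runs past the last line shown, so whether the opened session is closed on failure cannot be confirmed from here.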
