[patch] Supporting smartcard readers with PIN entry keypads (updated against -HEAD)

Dirk-Willem van Gulik dirkx at webweaving.org
Mon May 12 22:38:10 EST 2014 

Repost; updated for HEAD and tested on ubuntu as well.

Dw.

Folks,

Find below a minor patch to allow the use of smartcards in readers that have their own
PIN entry keypads (Secure PIN entry) such as the SPR332 and most german/medical
chipcard devices.

Tested on Solaris, FreeBSD, Linux and MacOSX against various cards and drivers.

I’ve left the pkcs11_interactive check in place. Arguably - with some Secure PIN readers
it may be better to move this just in front of the keyboard entry ONLY; as there are some
secure PIN keypads that use means which are somewhat suitable to unattended 
operation. But I thought it better to let this wait until an actual use case warrants this
and/or the need for a special flag/argument to control such.

Thanks,

Dw.

Index: ssh-pkcs11.c
===================================================================
RCS file: /cvs/openssh/ssh-pkcs11.c,v
retrieving revision 1.15
diff -u -w -r1.15 ssh-pkcs11.c
--- ssh-pkcs11.c	20 Apr 2014 03:21:23 -0000	1.15
+++ ssh-pkcs11.c	12 May 2014 12:34:25 -0000
@@ -255,21 +255,29 @@
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+ 			error("need pin entry%s", 
+ 				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
 			return (-1);
 		}
+ 		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+ 			verbose("Deferring PIN entry to keypad of chipcard reader.");
+ 			pin = NULL;
+ 		} else {
 		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
 		    si->token.label);
 		pin = read_passphrase(prompt, RP_ALLOW_EOF);
 		if (pin == NULL)
 			return (-1);	/* bail out */
-		if ((rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin))) != CKR_OK) {
-			free(pin);
+ 		};
+ 		if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0))
+  		    != CKR_OK) {
+ 			if (pin)
+ 				xfree(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
+ 		if (pin) 
+ 			xfree(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;

More information about the openssh-unix-dev mailing list