[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
Damien Miller
djm at mindrot.org
Wed Mar 18 18:18:00 AEDT 2015
There is at least one patch in bugzilla for this. I haven't looked at
it because I'm not very experienced with PKCS#11 and lack the hardware,
but you might want to take a look and attach your patch to (one of) the
existing bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2185
https://bugzilla.mindrot.org/show_bug.cgi?id=2240
On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote:
> Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).
>
> PKCS#11 allows for enforcing this in hardware. The patch below allows SSH to make use of this; it is against head/master as of today.
>
> Dw.
>
>
> commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
> Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
> Date: Tue Mar 17 13:41:31 2015 +0100
>
> Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
>
> diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
> index c3a112f..b053332 100644
> --- a/ssh-pkcs11.c
> +++ b/ssh-pkcs11.c
> @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
> si = &k11->provider->slotinfo[k11->slotidx];
> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> if (!pkcs11_interactive) {
> - error("need pin");
> + error("need pin%s",
> + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
> + ? " entry on reader keypad" : "");
> return (-1);
> }
> - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
> - si->token.label);
> - pin = read_passphrase(prompt, RP_ALLOW_EOF);
> - if (pin == NULL)
> - return (-1); /* bail out */
> + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
> + verbose("Deferring PIN entry to keypad of chipcard reader.");
> + pin = NULL;
> + } else {
> + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
> + si->token.label);
> + pin = read_passphrase(prompt, RP_ALLOW_EOF);
> + if (pin == NULL)
> + return (-1); /* bail out */
> + };
> +
> rv = f->C_Login(si->session, CKU_USER,
> (u_char *)pin, pin ? strlen(pin) : 0);
> if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
> - free(pin);
> + if (pin) free(pin);
> error("C_Login failed: %lu", rv);
> return (-1);
> }
> - free(pin);
> + if (pin) free(pin);
> si->logged_in = 1;
> }
> key_filter[1].pValue = k11->keyid;
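Review bot: the `+ };` line closing the new else block leaves a stray empty statement after the brace; drop the semicolon so it reads `}`. The two `- free(pin);` / `+ if (pin) free(pin);` replacements are unnecessary, since free(NULL) is a defined no-op in C, so the original `free(pin)` calls can stay as they are and the diff shrinks to the prompt-or-defer change. Also worth a look: a token with CKF_PROTECTED_AUTHENTICATION_PATH still fails with "need pin entry on reader keypad" when !pkcs11_interactive, although no terminal prompt is needed in that case; moving the protected-path check ahead of the interactive check would let such tokens log in non-interactively and make the amended error string unnecessary.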
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
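As an added example that is not part of this thread or of OpenSSH, the following C program shows the client-side decision the patch is about: a token whose flags include CKF_PROTECTED_AUTHENTICATION_PATH takes the PIN from the reader's own keypad, and the client signals that by calling C_Login with a NULL PIN of length 0, so the PIN never passes through the process. The flag and return-code constants are the PKCS#11 ones; the token structure, fake_C_Login, choose_pin_source and client_login are constructed for the example, and the choice to let keypad tokens proceed without a terminal is the example's own design, not the patch's.

```c
/* Added example, not OpenSSH code: how a PKCS#11 client decides where the user
 * PIN comes from, and what it passes to C_Login.  Flag and return-code values
 * are those of the PKCS#11 v2.x header; the token and its C_Login below are a
 * constructed stand-in used only to exercise the decision logic. */
#include <stddef.h>
#include <string.h>

typedef unsigned long CK_FLAGS;
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_USER_TYPE;

#define CKF_LOGIN_REQUIRED                 0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH  0x00000100UL
#define CKU_USER                           1UL
#define CKR_OK                             0x00000000UL
#define CKR_ARGUMENTS_BAD                  0x00000007UL
#define CKR_PIN_INCORRECT                  0x000000A0UL
#define CKR_USER_ALREADY_LOGGED_IN         0x00000100UL

enum pin_source {
    PIN_NOT_NEEDED,    /* no login required, or session already logged in */
    PIN_FROM_KEYPAD,   /* C_Login gets NULL/0; the reader collects the PIN */
    PIN_FROM_TERMINAL, /* the process prompts and hands the PIN to C_Login */
    PIN_UNAVAILABLE    /* no terminal to prompt on and no keypad: give up */
};

/* Decision a client makes before C_Login.  The keypad case is checked before
 * the interactive flag because a protected path needs no terminal prompt
 * (that ordering is this example's choice). */
enum pin_source choose_pin_source(CK_FLAGS token_flags, int logged_in, int interactive)
{
    if (!(token_flags & CKF_LOGIN_REQUIRED) || logged_in)
        return PIN_NOT_NEEDED;
    if (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return PIN_FROM_KEYPAD;
    if (!interactive)
        return PIN_UNAVAILABLE;
    return PIN_FROM_TERMINAL;
}

/* Constructed token: the PIN it accepts, and what a keypad-equipped reader
 * would collect from the user when the path is protected. */
struct fake_token {
    CK_FLAGS flags;
    const char *correct_pin;
    const char *keypad_input;  /* used only when the path is protected */
    int logged_in;
};

/* Stand-in for the provider's C_Login.  With a protected authentication path
 * the caller must not supply a PIN (NULL, length 0) and the token reads it
 * from the keypad; otherwise the caller must supply it.  That rule belongs to
 * this constructed token and mirrors the convention the patch relies on. */
CK_RV fake_C_Login(struct fake_token *t, CK_USER_TYPE user,
                   const unsigned char *pin, CK_ULONG pin_len)
{
    if (user != CKU_USER)
        return CKR_ARGUMENTS_BAD;
    if (t->logged_in)
        return CKR_USER_ALREADY_LOGGED_IN;
    if (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
        if (pin != NULL || pin_len != 0)
            return CKR_ARGUMENTS_BAD;  /* the PIN must stay on the reader */
        if (strcmp(t->keypad_input, t->correct_pin) != 0)
            return CKR_PIN_INCORRECT;
    } else {
        if (pin == NULL)
            return CKR_ARGUMENTS_BAD;
        if (pin_len != strlen(t->correct_pin) ||
            memcmp(pin, t->correct_pin, pin_len) != 0)
            return CKR_PIN_INCORRECT;
    }
    t->logged_in = 1;
    return CKR_OK;
}

/* Client side.  terminal_pin is what a prompt would have returned (NULL when
 * the caller has no terminal).  Returns 0 on success, -1 on failure. */
int client_login(struct fake_token *t, int interactive, const char *terminal_pin)
{
    CK_RV rv;
    switch (choose_pin_source(t->flags, t->logged_in, interactive)) {
    case PIN_NOT_NEEDED:
        return 0;
    case PIN_UNAVAILABLE:
        return -1;
    case PIN_FROM_KEYPAD:
        rv = fake_C_Login(t, CKU_USER, NULL, 0);  /* nothing to free later */
        break;
    case PIN_FROM_TERMINAL:
    default:
        if (terminal_pin == NULL)
            return -1;
        rv = fake_C_Login(t, CKU_USER, (const unsigned char *)terminal_pin,
                          strlen(terminal_pin));
        break;
    }
    return (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : -1;
}
```

The point the keypad branch makes is that the client has no PIN buffer at all in that case, which is why the login code in the patch ends up with a NULL pin and why the NULL checks around free() are moot.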