[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path

Dirk-Willem van Gulik dirkx at webweaving.org
Wed Mar 18 19:32:15 AEDT 2015


Ok - put a pointer in 2185 which was the most out of date of the two; and updated 2240 with the more recent patch that has the casting right and the newer check on Already Logged in that 2185 missed.

Dw.

> On 18 Mar 2015, at 08:18, Damien Miller <djm at mindrot.org> wrote:
> 
> There is at least one patch in bugzilla for this. I haven't looked at
> it because I'm not very experienced with PKCS#11 and lack the hardware,
> but you might want to take a look and attach your patch to (one of) the
> existing bugs:
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=2185
> https://bugzilla.mindrot.org/show_bug.cgi?id=2240
> 
> On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote:
> 
>> Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).
>> 
>> PKCS#11 allows for enforcing this in hardware. The patch below allows SSH to make use of this; against head/master as of today.
>> 
>> Dw.
>> 
>> 
>> commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
>> Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
>> Date:   Tue Mar 17 13:41:31 2015 +0100
>> 
>>    Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
>> 
>> diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>> index c3a112f..b053332 100644
>> --- a/ssh-pkcs11.c
>> +++ b/ssh-pkcs11.c
>> @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
>> 	si = &k11->provider->slotinfo[k11->slotidx];
>> 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>> 		if (!pkcs11_interactive) {
>> -			error("need pin");
>> +			error("need pin%s", 
>> +				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
>> +					? " entry on reader keypad" : "");
>> 			return (-1);
>> 		}
>> -		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
>> -		    si->token.label);
>> -		pin = read_passphrase(prompt, RP_ALLOW_EOF);
>> -		if (pin == NULL)
>> -			return (-1);	/* bail out */
>> +		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
>> +			verbose("Deferring PIN entry to keypad of chipcard reader.");
>> +			pin = NULL;
>> +		} else {
>> +			snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
>> +				si->token.label);
>> +			pin = read_passphrase(prompt, RP_ALLOW_EOF);
>> +			if (pin == NULL)
>> +				return (-1);    /* bail out */
>> +               };
>> +
>> 		rv = f->C_Login(si->session, CKU_USER,
>> 		    (u_char *)pin, pin ? strlen(pin) : 0);
>> 		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
>> -			free(pin);
>> +			if (pin) free(pin);
>> 			error("C_Login failed: %lu", rv);
>> 			return (-1);
>> 		}
>> -		free(pin);
>> +		if (pin) free(pin);
>> 		si->logged_in = 1;
>> 	}
>> 	key_filter[1].pValue = k11->keyid;
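Review bot: The `};` on the line before `rv = f->C_Login(si->session, CKU_USER,` has a stray semicolon and is indented with spaces while every surrounding line uses tabs; it should be a bare `}` aligned with the `if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {` it closes. The two `if (pin) free(pin);` replacements are unnecessary: `free(NULL)` is defined as a no-op in C, and the unchanged context already passes `pin ? strlen(pin) : 0` to C_Login, so the original unconditional `free(pin)` lines can stay and the diff shrinks. The new `error("need pin%s", ` and `(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ` lines carry trailing whitespace. One question on the `!pkcs11_interactive` early return: with the protected-authentication-path flag set no terminal prompt is needed, so the commit message should state whether the non-interactive case is meant to keep failing with "need pin entry on reader keypad" or could proceed to C_Login with a NULL PIN as the interactive branch now does.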
>> 
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>> 