[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. 

PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today.

Dw.


commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
Author: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Date:   Tue Mar 17 13:41:31 2015 +0100

    Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c3a112f..b053332 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin%s", 
+				(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) 
+					? " entry on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+			verbose("Deferring PIN entry to keypad of chipcard reader.");
+			pin = NULL;
+		} else {
+			snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
+				si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);    /* bail out */
+               };
+
 		rv = f->C_Login(si->session, CKU_USER,
 		    (u_char *)pin, pin ? strlen(pin) : 0);
 		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
-			free(pin);
+			if (pin) free(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
+		if (pin) free(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux