Ok - put a pointer in 2185 which was the most out of date of the two; and updated 2240 with the more recent patch that has the casting right and the newer check on Already Logged in that 2185 missed. Dw. > On 18 Mar 2015, at 08:18, Damien Miller <djm@xxxxxxxxxxx> wrote: > > There is at least one patch in bugzilla for this. I haven't looked at > it because I'm not very experienced with PKCS#11 and lack the hardware, > but you might want to take a look and attach your patch to (one of) the > existing bugs: > > https://bugzilla.mindrot.org/show_bug.cgi?id=2185 > https://bugzilla.mindrot.org/show_bug.cgi?id=2240 > > On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote: > >> Some smartcard readers have keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary. >> >> PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today. >> >> Dw. >> >> >> commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a >> Author: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx> >> Date: Tue Mar 17 13:41:31 2015 +0100 >> >> Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH) >> >> diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c >> index c3a112f..b053332 100644 >> --- a/ssh-pkcs11.c >> +++ b/ssh-pkcs11.c >> @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, >> si = &k11->provider->slotinfo[k11->slotidx]; >> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { >> if (!pkcs11_interactive) { >> - error("need pin"); >> + error("need pin%s", >> + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) >> + ? " entry on reader keypad" : ""); >> return (-1); >> } >> - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", >> - si->token.label); >> - pin = read_passphrase(prompt, RP_ALLOW_EOF); >> - if (pin == NULL) >> - return (-1); /* bail out */ >> + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { >> + verbose("Deferring PIN entry to keypad of chipcard reader."); >> + pin = NULL; >> + } else { >> + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", >> + si->token.label); >> + pin = read_passphrase(prompt, RP_ALLOW_EOF); >> + if (pin == NULL) >> + return (-1); /* bail out */ >> + }; >> + >> rv = f->C_Login(si->session, CKU_USER, >> (u_char *)pin, pin ? strlen(pin) : 0); >> if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { >> - free(pin); >> + if (pin) free(pin); >> error("C_Login failed: %lu", rv); >> return (-1); >> } >> - free(pin); >> + if (pin) free(pin); >> si->logged_in = 1; >> } >> key_filter[1].pValue = k11->keyid; >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev@xxxxxxxxxxx >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
