author | djm@openbsd.org <djm@openbsd.org> | 2019-10-01 10:22:53 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2019-10-01 20:24:07 +1000 |
commit | 084682786d9275552ee93857cb36e43c446ce92c (patch) | |
tree | b098c741f906f4cfed42ff989113168520aa855a | |
parent | 6c91d42cce3f055917dc3fd2c305dfc5b3b584b3 (diff) |
upstream: revert unconditional forced login implemented in r1.41 of
ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
token returns no objects and this is less disruptive for users of tokens
directly in ssh (rather than via ssh-agent) and in ssh-keygen
bz3006, patch from Jakub Jelen; ok markus
OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
-rw-r--r-- | ssh-pkcs11.c | 31 |
1 files changed, 5 insertions, 26 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index d4053ea8..09f1ea34 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.46 2019/10/01 10:22:53 djm Exp $ */
 /*
 * Copyright (c) 2010 Markus Friedl. All rights reserved.
 * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -633,17 +633,15 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
 CK_FUNCTION_LIST *f;
 CK_RV rv;
 CK_SESSION_HANDLE session;
- int login_required, have_pinpad, ret;
- char prompt[1024], *xpin = NULL;
+ int login_required, ret;
 f = p->function_list;
 si = &p->slotinfo[slotidx];
- have_pinpad = si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH;
 login_required = si->token.flags & CKF_LOGIN_REQUIRED;
 /* fail early before opening session */
- if (login_required && !have_pinpad && !pkcs11_interactive &&
+ if (login_required && !pkcs11_interactive &&
 (pin == NULL || strlen(pin) == 0)) {
 error("pin required");
 return (-SSH_PKCS11_ERR_PIN_REQUIRED);
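Review bot: The early-fail check in the second hunk no longer exempts tokens that advertise CKF_PROTECTED_AUTHENTICATION_PATH, so with `pkcs11_interactive` unset and a NULL or empty PIN such a token now returns -SSH_PKCS11_ERR_PIN_REQUIRED before C_OpenSession is attempted, whereas the removed `have_pinpad` path deferred PIN entry to the reader keypad. If the intent is that the r1.45 forced-login fallback mentioned in the commit message handles keypad tokens, that fallback presumably needs the session this function opens, so the check should keep skipping them: `if (login_required && !pkcs11_interactive && !(si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && (pin == NULL || strlen(pin) == 0)) {`. Either way the comment `/* fail early before opening session */` should now say what is rejected here, e.g. `/* fail early: non-interactive login with no PIN cannot succeed */`. pkcs11_open_session starts and ends outside this hunk.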
@@ -653,27 +651,8 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin,
 error("C_OpenSession failed: %lu", rv);
 return (-1);
 }
- if (login_required) {
- if (have_pinpad && (pin == NULL || strlen(pin) == 0)) {
- /* defer PIN entry to the reader keypad */
- rv = f->C_Login(session, CKU_USER, NULL_PTR, 0);
- } else {
- if (pkcs11_interactive) {
- snprintf(prompt, sizeof(prompt),
- "Enter PIN for '%s': ", si->token.label);
- if ((xpin = read_passphrase(prompt,
- RP_ALLOW_EOF)) == NULL) {
- debug("%s: no pin specified",
- __func__);
- return (-SSH_PKCS11_ERR_PIN_REQUIRED);
- }
- pin = xpin;
- }
- rv = f->C_Login(session, CKU_USER,
- (u_char *)pin, strlen(pin));
- if (xpin != NULL)
- freezero(xpin, strlen(xpin));
- }
+ if (login_required && pin != NULL && strlen(pin) != 0) {
+ rv = f->C_Login(session, user, (u_char *)pin, strlen(pin));
 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 error("C_Login failed: %lu", rv);
 ret = (rv == CKR_PIN_LOCKED) ? |
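Review bot: The new `if (login_required && pin != NULL && strlen(pin) != 0)` silently leaves the session unauthenticated when the token requires a login but no PIN was supplied, and nothing at this site explains why that is acceptable; the commit message does (the r1.45 fallback logs in later when the token returns no objects), but a reader of the function will not see it. Add a comment above the new condition, e.g. `/* Log in now only when a PIN was supplied; otherwise leave the session unauthenticated and rely on the later forced-login fallback. */`. As a minor point of style, `strlen(pin)` is now evaluated twice on consecutive lines and could be hoisted into a `size_t pinlen`. The function, including the `user` parameter the new C_Login call passes, continues outside this hunk.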