Repost; updated for HEAD and tested on ubuntu as well.

Dw.

Folks,

Find below a minor patch that allows the use of smartcards in readers that have
their own PIN entry keypad (Secure PIN Entry, signalled by the token's
CKF_PROTECTED_AUTHENTICATION_PATH flag), such as the SPR332 and most German
medical chipcard devices.

Tested on Solaris, FreeBSD, Linux and MacOSX against various cards and drivers.

I've left the pkcs11_interactive check in place. Arguably, with some Secure PIN
readers it would be better to apply that check only just before the keyboard
PIN prompt, since some secure PIN keypads work in ways that are reasonably
suited to unattended operation. But I thought it better to wait until an actual
use case warrants this and/or a dedicated flag/argument to control it.

Thanks,

Dw.

Index: ssh-pkcs11.c
===================================================================
RCS file: /cvs/openssh/ssh-pkcs11.c,v
retrieving revision 1.15
diff -u -w -r1.15 ssh-pkcs11.c
--- ssh-pkcs11.c        20 Apr 2014 03:21:23 -0000      1.15
+++ ssh-pkcs11.c        12 May 2014 12:34:25 -0000
@@ -255,21 +255,29 @@
        si = &k11->provider->slotinfo[k11->slotidx];
        if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
                if (!pkcs11_interactive) {
-                       error("need pin");
+                       error("need pin entry%s", 
+                               (si->token.flags & 
CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : "");
                        return (-1);
                }
+               if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
+                       verbose("Deferring PIN entry to keypad of chipcard 
reader.");
+                       pin = NULL;
+               } else {
                snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
                    si->token.label);
                pin = read_passphrase(prompt, RP_ALLOW_EOF);
                if (pin == NULL)
                        return (-1);    /* bail out */
-               if ((rv = f->C_Login(si->session, CKU_USER,
-                   (u_char *)pin, strlen(pin))) != CKR_OK) {
-                       free(pin);
+               };
+               if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? 
strlen(pin): 0))
+                   != CKR_OK) {
+                       if (pin)
+                               xfree(pin);
                        error("C_Login failed: %lu", rv);
                        return (-1);
                }
-               free(pin);
+               if (pin) 
+                       xfree(pin);
                si->logged_in = 1;
        }
        key_filter[1].pValue = k11->keyid;
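Review bot: The cleanup on the new side calls `xfree(pin)` where the removed lines called `free(pin)`, so the patch introduces a helper the surrounding file no longer appears to use; if `xfree` has been dropped from this tree the hunk will not build, and since `free(NULL)` is a no-op the `if (pin)` guards add nothing either way. More importantly, the keyboard-entered PIN returned by `read_passphrase()` is released while the buffer still holds the secret; both free sites should wipe it first, e.g. `if (pin != NULL) { explicit_bzero(pin, strlen(pin)); free(pin); }` (or whatever secure-erase helper this tree provides), so the PIN does not linger on the heap of a long-lived agent. The dropped `(u_char *)` cast on the `C_Login` argument will also reintroduce a pointer-sign warning, because `CK_UTF8CHAR_PTR` is unsigned. The stray `};` after the else block and the unindented else body (possibly hidden by `diff -w`) are worth tidying before this is committed. The enclosing function starts and ends outside the hunk.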
