Dirk-Willem van Gulik
2014-May-12 12:38 UTC
[patch] Supporting smartcard readers with PIN entry keypads (updated against -HEAD)
Repost; updated for HEAD and tested on ubuntu as well. Dw. Folks, Find below a minor patch to allow the use of smartcards in readers that have their own PIN entry keypads (Secure PIN entry) such as the SPR332 and most german/medical chipcard devices. Tested on Solaris, FreeBSD, Linux and MacOSX against various cards and drivers. I?ve left the pkcs11_interactive check in place. Arguably - with some Secure PIN readers it may be better to move this just in front of the keyboard entry ONLY; as there are some secure PIN keypads that use means which are somewhat suitable to unattended operation. But I thought it better to let this wait until an actual use case warrants this and/or the need for a special flag/argument to control such. Thanks, Dw. Index: ssh-pkcs11.c ==================================================================RCS file: /cvs/openssh/ssh-pkcs11.c,v retrieving revision 1.15 diff -u -w -r1.15 ssh-pkcs11.c --- ssh-pkcs11.c 20 Apr 2014 03:21:23 -0000 1.15 +++ ssh-pkcs11.c 12 May 2014 12:34:25 -0000 @@ -255,21 +255,29 @@ si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin entry%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? " on reader keypad" : ""); return (-1); } + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin = NULL; + } else { snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", si->token.label); pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { - free(pin); + }; + if ((rv = f->C_Login(si->session, CKU_USER, pin, pin ? strlen(pin): 0)) + != CKR_OK) { + if (pin) + xfree(pin); error("C_Login failed: %lu", rv); return (-1); } - free(pin); + if (pin) + xfree(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid;
Possibly Parallel Threads
- Supporting smartcard readers with PIN entry keypads
- [patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
- [Bug 2240] New: Secure PIN entry for smartcards through the keypad on the reader (patch)
- Wanted: smartcard with ECDSA support
- Call for testing: OpenSSH 6.7