Dirk-Willem van Gulik
2015-Mar-17 12:55 UTC
[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).

PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today.

Dw.

commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
Date: Tue Mar 17 13:41:31 2015 +0100

Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c3a112f..b053332 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, si = &k11->provider->slotinfo[k11->slotidx]; if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { if (!pkcs11_interactive) { - error("need pin"); + error("need pin%s", + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? " entry on reader keypad" : ""); return (-1); } - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", - si->token.label); - pin = read_passphrase(prompt, RP_ALLOW_EOF); - if (pin == NULL) - return (-1); /* bail out */ + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { + verbose("Deferring PIN entry to keypad of chipcard reader."); + pin = NULL; + } else { + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", + si->token.label); + pin = read_passphrase(prompt, RP_ALLOW_EOF); + if (pin == NULL) + return (-1); /* bail out */ + }; + rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, pin ? strlen(pin) : 0); if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { - free(pin); + if (pin) free(pin); error("C_Login failed: %lu", rv); return (-1); } - free(pin); + if (pin) free(pin); si->logged_in = 1; } key_filter[1].pValue = k11->keyid;
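Review bot: in the protected-path branch of this hunk the only signal to the user is verbose("Deferring PIN entry to keypad of chipcard reader."), which is silent unless ssh runs with -v, while the C_Login that follows blocks until the PIN is typed on the reader; emit that message at normal log level (or reuse the "Enter PIN for '%s'" prompt text pointed at the keypad) so the apparent hang is explained. Related: the `!pkcs11_interactive` test still rejects a protected-path token with `error("need pin%s", ... " entry on reader keypad")` even though no terminal prompt is needed in that case; either let that case fall through to C_Login with a NULL PIN or say in the commit message why an interactive caller is still required. Two small cleanups: the `+ };` closing the else block is an empty statement, and both `if (pin) free(pin);` can stay plain `free(pin);` since free(NULL) is a no-op.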
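The protected-authentication-path handling described above, as an added example in C that is not part of the patch or of OpenSSH: it drives C_Login the way the thread describes (pPin NULL and ulPinLen 0 when the token sets CKF_PROTECTED_AUTHENTICATION_PATH, a host-side prompt otherwise) and goes a little beyond the patch by refusing to prompt when the token reports CKF_USER_PIN_LOCKED, warning on CKF_USER_PIN_FINAL_TRY, and wiping the PIN buffer before freeing it. The CK_* constants are the values from the PKCS#11 v2.x header; `struct token`, `token_login`, `run_scenario`, the two prompt callbacks and the recording `mock_C_Login` are stand-ins invented for this example so that it runs without a reader or a cryptoki library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_FLAGS;
typedef unsigned char CK_BYTE;

/* Values from the PKCS#11 v2.x header (CK_TOKEN_INFO.flags, user type, return codes). */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKF_USER_PIN_FINAL_TRY            0x00020000UL
#define CKF_USER_PIN_LOCKED               0x00040000UL
#define CKU_USER                          1UL
#define CKR_OK                            0x00000000UL
#define CKR_PIN_INCORRECT                 0x000000A0UL
#define CKR_USER_ALREADY_LOGGED_IN        0x00000100UL

/* Hypothetical stand-in for CK_TOKEN_INFO plus the client's own login state. */
struct token {
    const char *label;
    CK_FLAGS flags;
    int logged_in;
};

/* Obtains a PIN from the user; returns a malloc'd string or NULL on EOF/decline. */
typedef char *(*pin_prompt_fn)(const char *label);

/* Mock provider: records how C_Login was invoked so the logic is checkable without hardware. */
static struct {
    int calls;
    int saw_null_pin;
    CK_ULONG pin_len;
    CK_RV rv;            /* value the mock returns */
} mock_login;

static CK_RV mock_C_Login(CK_ULONG session, CK_ULONG user, CK_BYTE *pin, CK_ULONG pin_len)
{
    (void)session; (void)user;
    mock_login.calls++;
    mock_login.saw_null_pin = (pin == NULL);
    mock_login.pin_len = pin_len;
    return mock_login.rv;
}

/* Zero a PIN buffer before freeing it; volatile keeps the stores from being optimised away. */
static void wipe(char *p, size_t n)
{
    volatile char *v = (volatile char *)p;
    while (n--) *v++ = 0;
}

/* Log in to the token if it requires it. Returns 0 on success, -1 on failure.
 * On a protected authentication path the reader collects the PIN itself, so
 * C_Login gets pPin = NULL, ulPinLen = 0 and the PIN never exists in host
 * memory. Otherwise the PIN is prompted for, handed to the provider, wiped
 * and freed. Like the thread's patch, a non-interactive caller is refused. */
static int token_login(struct token *t, int interactive, pin_prompt_fn prompt)
{
    char *pin = NULL;
    size_t pin_len = 0;
    CK_RV rv;

    if (!(t->flags & CKF_LOGIN_REQUIRED) || t->logged_in)
        return 0;
    if (!interactive) {
        fprintf(stderr, "need pin%s\n", (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH)
            ? " entry on reader keypad" : "");
        return -1;
    }
    if (t->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
        /* Say so at normal log level: C_Login is about to block on the keypad. */
        fprintf(stderr, "Enter PIN for '%s' on the reader keypad\n", t->label);
    } else {
        /* Do not silently burn the last retry of a locked or nearly locked PIN. */
        if (t->flags & CKF_USER_PIN_LOCKED) {
            fprintf(stderr, "user PIN on '%s' is locked\n", t->label);
            return -1;
        }
        if (t->flags & CKF_USER_PIN_FINAL_TRY)
            fprintf(stderr, "warning: final PIN attempt on '%s'\n", t->label);
        if ((pin = prompt(t->label)) == NULL)
            return -1;
        pin_len = strlen(pin);
    }

    rv = mock_C_Login(0, CKU_USER, (CK_BYTE *)pin, pin_len);
    if (pin != NULL) {
        wipe(pin, pin_len);
        free(pin);
    }
    if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
        fprintf(stderr, "C_Login failed: 0x%lx\n", rv);
        return -1;
    }
    t->logged_in = 1;
    return 0;
}

/* Constructed prompt callbacks standing in for a terminal read. */
static char *fixed_pin_prompt(const char *label)
{
    char *p = malloc(5);
    (void)label;
    if (p) memcpy(p, "1234", 5);
    return p;
}
static char *declined_prompt(const char *label) { (void)label; return NULL; }

/* Run one scenario on a fresh token; afterwards mock_login shows what the provider saw. */
static int run_scenario(CK_FLAGS flags, int interactive, pin_prompt_fn prompt, CK_RV simulated_rv)
{
    struct token t = { "demo token", flags, 0 };
    memset(&mock_login, 0, sizeof(mock_login));
    mock_login.rv = simulated_rv;
    return token_login(&t, interactive, prompt);
}

int main(void)
{
    int r = run_scenario(CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH, 1, declined_prompt, CKR_OK);
    printf("keypad path: rc=%d null_pin=%d len=%lu\n", r, mock_login.saw_null_pin, mock_login.pin_len);
    r = run_scenario(CKF_LOGIN_REQUIRED, 1, fixed_pin_prompt, CKR_OK);
    printf("host prompt: rc=%d null_pin=%d len=%lu\n", r, mock_login.saw_null_pin, mock_login.pin_len);
    return 0;
}
```

The keypad scenario passes `declined_prompt` on purpose: a correct implementation must never call the host-side prompt when the token advertises a protected path, and the mock lets you verify that the provider received a NULL PIN of length zero rather than an empty string.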
Damien Miller
2015-Mar-18 07:18 UTC
[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
There is at least one patch in bugzilla for this. I haven't looked at it because I'm not very experienced with PKCS#11 and lack the hardware, but you might want to take a look and attach your patch to (one of) the existing bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2185
https://bugzilla.mindrot.org/show_bug.cgi?id=2240

On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote:

> Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).
>
> PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today.
>
> Dw.
>
>
> commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
> Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
> Date: Tue Mar 17 13:41:31 2015 +0100
>
> Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
>
> diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
> index c3a112f..b053332 100644
> --- a/ssh-pkcs11.c
> +++ b/ssh-pkcs11.c
> @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, > si = &k11->provider->slotinfo[k11->slotidx]; > if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { > if (!pkcs11_interactive) { > - error("need pin"); > + error("need pin%s", > + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) > + ? " entry on reader keypad" : ""); > return (-1); > } > - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", > - si->token.label); > - pin = read_passphrase(prompt, RP_ALLOW_EOF); > - if (pin == NULL) > - return (-1); /* bail out */ > + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { > + verbose("Deferring PIN entry to keypad of chipcard reader."); > + pin = NULL; > + } else { > + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", > + si->token.label); > + pin = read_passphrase(prompt, RP_ALLOW_EOF); > + if (pin == NULL) > + return (-1); /* bail out */ > + }; > + > rv = f->C_Login(si->session, CKU_USER, > (u_char *)pin, pin ? strlen(pin) : 0); > if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { > - free(pin); > + if (pin) free(pin); > error("C_Login failed: %lu", rv); > return (-1); > } > - free(pin); > + if (pin) free(pin); > si->logged_in = 1; > } > key_filter[1].pValue = k11->keyid; > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
Dirk-Willem van Gulik
2015-Mar-18 08:32 UTC
[patch] Updated patch for pkcs#11 smartcard readers that have a protected PIN path
Ok - put a pointer in 2185 which was the most out of date of the two; and updated 2240 with the more recent patch that has the casting right and the newer check on Already Logged in that 2185 missed.

Dw.

> On 18 Mar 2015, at 08:18, Damien Miller <djm at mindrot.org> wrote:
>
> There is at least one patch in bugzilla for this. I haven't looked at
> it because I'm not very experienced with PKCS#11 and lack the hardware,
> but you might want to take a look and attach your patch to (one of) the
> existing bugs:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2185
> https://bugzilla.mindrot.org/show_bug.cgi?id=2240
>
> On Tue, 17 Mar 2015, Dirk-Willem van Gulik wrote:
>
>> Some smartcard readers have a keypad to enter the PIN securely (i.e. such that it cannot be intercepted by a rogue (ssh) binary).
>>
>> PKCS#11 allows for enforcing this in hardware. Below patch allows for SSH to make use of this; against head/master as of today.
>>
>> Dw.
>>
>>
>> commit 7f0250a8ae6c639a19d4e1e24fc112d5e2e1249a
>> Author: Dirk-Willem van Gulik <dirkx at webweaving.org>
>> Date: Tue Mar 17 13:41:31 2015 +0100
>>
>> Ensuring support for PINs that can only be entered on a secure keypad (CKF_PROTECTED_AUTHENTICATION_PATH)
>>
>> diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
>> index c3a112f..b053332 100644
>> --- a/ssh-pkcs11.c
>> +++ b/ssh-pkcs11.c
>> @@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, >> si = &k11->provider->slotinfo[k11->slotidx]; >> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) { >> if (!pkcs11_interactive) { >> - error("need pin"); >> + error("need pin%s", >> + (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) >> + ? " entry on reader keypad" : ""); >> return (-1); >> } >> - snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", >> - si->token.label); >> - pin = read_passphrase(prompt, RP_ALLOW_EOF); >> - if (pin == NULL) >> - return (-1); /* bail out */ >> + if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { >> + verbose("Deferring PIN entry to keypad of chipcard reader."); >> + pin = NULL; >> + } else { >> + snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ", >> + si->token.label); >> + pin = read_passphrase(prompt, RP_ALLOW_EOF); >> + if (pin == NULL) >> + return (-1); /* bail out */ >> + }; >> + >> rv = f->C_Login(si->session, CKU_USER, >> (u_char *)pin, pin ? strlen(pin) : 0); >> if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { >> - free(pin); >> + if (pin) free(pin); >> error("C_Login failed: %lu", rv); >> return (-1); >> } >> - free(pin); >> + if (pin) free(pin); >> si->logged_in = 1; >> } >> key_filter[1].pValue = k11->keyid; >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> >