[pkg-opensc-commit] [opensc] 166/295: pkcs11-tool: always authenticate when pinpad is in use
Eric Dorland
eric at moszumanska.debian.org
Sat Jun 24 21:11:28 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository opensc.
commit 423375c6f85853d359d502a28e676a09e33a0ac1
Author: Nuno Goncalves <nunojpg at gmail.com>
Date: Thu Jan 26 14:42:30 2017 +0100
pkcs11-tool: always authenticate when pinpad is in use
Authentication might not be required (from pkcs11 side) when
pin cache is used. This can't happen if a pinpad is used.
We were already checking for CKA_ALWAYS_AUTHENTICATE (user_consent),
now also check for CKF_PROTECTED_AUTHENTICATION_PATH (pinpad).
Also encapsulate logic in a function and provide additional checks for
redundant authentication attempts.
Signed-off-by: Nuno Goncalves <nunojpg at gmail.com>
---
src/tools/pkcs11-tool.c | 39 +++++++++++++++++++++++++++++++--------
1 file changed, 31 insertions(+), 8 deletions(-)
diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 8dbcfba..931f083 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -365,6 +365,7 @@ static void show_token(CK_SLOT_ID);
static void list_mechs(CK_SLOT_ID);
static void list_objects(CK_SESSION_HANDLE, CK_OBJECT_CLASS);
static int login(CK_SESSION_HANDLE, int);
+static void authenticate_if_required(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
static void init_token(CK_SLOT_ID);
static void init_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
static int change_pin(CK_SLOT_ID, CK_SESSION_HANDLE);
@@ -2882,6 +2883,32 @@ VARATTR_METHOD(GOSTR3410_PARAMS, unsigned char);
VARATTR_METHOD(EC_POINT, unsigned char);
VARATTR_METHOD(EC_PARAMS, unsigned char);
+static void authenticate_if_required(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privKeyObject){
+ CK_SESSION_INFO sessionInfo;
+ CK_TOKEN_INFO info;
+ CK_RV rv;
+
+ rv = p11->C_GetSessionInfo(session, &sessionInfo);
+ if (rv != CKR_OK)
+ p11_fatal("C_OpenSession", rv);
+
+ switch(sessionInfo.state){
+ case CKS_RW_USER_FUNCTIONS: //logged in, not need to continue.
+ util_warn("authentication was requested, but was already logged in");
+ return;
+ case CKS_RW_PUBLIC_SESSION:
+ break;
+ default:
+ util_fatal("unexpected state");
+ }
+
+ get_token_info(opt_slot, &info);
+ if (!(info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) && !getALWAYS_AUTHENTICATE(session, privKeyObject))
+ return;
+
+ login(session,CKU_CONTEXT_SPECIFIC);
+}
+
static void list_objects(CK_SESSION_HANDLE sess, CK_OBJECT_CLASS object_class)
{
CK_OBJECT_HANDLE object;
@@ -4022,8 +4049,7 @@ static int sign_verify_openssl(CK_SESSION_HANDLE session,
if (rv != CKR_OK)
p11_fatal("C_SignInit", rv);
- if (getALWAYS_AUTHENTICATE(session, privKeyObject))
- login(session,CKU_CONTEXT_SPECIFIC);
+ authenticate_if_required(session, privKeyObject);
printf(" %s: ", p11_mechanism_to_name(ck_mech->mechanism));
sigLen1 = sizeof(sig1);
@@ -4219,8 +4245,7 @@ static int test_signature(CK_SESSION_HANDLE sess)
rv = p11->C_SignInit(sess, &ck_mech, privKeyObject);
if (rv != CKR_OK)
p11_fatal("C_SignInit", rv);
- if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
- login(sess,CKU_CONTEXT_SPECIFIC);
+ authenticate_if_required(sess, privKeyObject);
sigLen2 = sizeof(sig2);
rv = p11->C_Sign(sess, data, dataLen, sig2, &sigLen2);
@@ -4258,8 +4283,7 @@ static int test_signature(CK_SESSION_HANDLE sess)
printf(" ERR: C_Sign() didn't return CKR_OK for a NULL output buf, but %s (0x%0x)\n",
CKR2Str(rv), (int) rv);
}
- if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
- login(sess,CKU_CONTEXT_SPECIFIC);
+ authenticate_if_required(sess, privKeyObject);
rv = p11->C_Sign(sess, data, dataLen, sig2, &sigLen2);
if (rv == CKR_OPERATION_NOT_INITIALIZED) {
@@ -4395,8 +4419,7 @@ static int sign_verify(CK_SESSION_HANDLE session,
}
printf(" %s: ", p11_mechanism_to_name(*mech_type));
- if (getALWAYS_AUTHENTICATE(session, priv_key))
- login(session,CKU_CONTEXT_SPECIFIC);
+ authenticate_if_required(session, priv_key);
signat_len = sizeof(signat);
rv = p11->C_Sign(session, datas[j], data_lens[j], signat, &signat_len);
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git
More information about the pkg-opensc-commit
mailing list