===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-pkcs11.c,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- src/usr.bin/ssh/ssh-pkcs11.c	2019/09/02 00:19:25	1.44
+++ src/usr.bin/ssh/ssh-pkcs11.c	2019/09/05 10:05:51	1.45
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.44 2019/09/02 00:19:25 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.45 2019/09/05 10:05:51 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
@@ -231,21 +231,17 @@
 }
 
 static int
-pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
+pkcs11_login_slot(struct pkcs11_provider *provider, struct pkcs11_slotinfo *si,
+    CK_USER_TYPE type)
 {
-	struct pkcs11_slotinfo	*si;
-	CK_FUNCTION_LIST	*f;
 	char			*pin = NULL, prompt[1024];
 	CK_RV			 rv;
 
-	if (!k11->provider || !k11->provider->valid) {
+	if (provider == NULL || si == NULL || !provider->valid) {
 		error("no pkcs11 (valid) provider found");
 		return (-1);
 	}
 
-	f = k11->provider->function_list;
-	si = &k11->provider->slotinfo[k11->slotidx];
-
 	if (!pkcs11_interactive) {
 		error("need pin entry%s",
 		    (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ?
@@ -262,7 +258,7 @@
 			return (-1);	/* bail out */
 		}
 	}
-	rv = f->C_Login(si->session, type, (u_char *)pin,
+	rv = provider->function_list->C_Login(si->session, type, (u_char *)pin,
 	    (pin != NULL) ? strlen(pin) : 0);
 	if (pin != NULL)
 		freezero(pin, strlen(pin));
@@ -275,6 +271,19 @@
 }
 
 static int
+pkcs11_login(struct pkcs11_key *k11, CK_USER_TYPE type)
+{
+	if (k11 == NULL || k11->provider == NULL || !k11->provider->valid) {
+		error("no pkcs11 (valid) provider found");
+		return (-1);
+	}
+
+	return pkcs11_login_slot(k11->provider,
+	    &k11->provider->slotinfo[k11->slotidx], type);
+}
+
+
+static int
 pkcs11_check_obj_bool_attrib(struct pkcs11_key *k11, CK_OBJECT_HANDLE obj,
     CK_ATTRIBUTE_TYPE type, int *val)
 {
@@ -1540,9 +1549,22 @@
 		 * open session, login with pin and retrieve public
 		 * keys (if keyp is provided)
 		 */
-		if ((ret = pkcs11_open_session(p, i, pin, user)) == 0) {
-			if (keyp == NULL)
+		if ((ret = pkcs11_open_session(p, i, pin, user)) != 0 ||
+		    keyp == NULL)
+			continue;
+		pkcs11_fetch_keys(p, i, keyp, &nkeys);
+		pkcs11_fetch_certs(p, i, keyp, &nkeys);
+		if (nkeys == 0 && !p->slotinfo[i].logged_in &&
+		    pkcs11_interactive) {
+			/*
+			 * Some tokens require login before they will
+			 * expose keys.
+			 */
+			if (pkcs11_login_slot(p, &p->slotinfo[i],
+			    CKU_USER) < 0) {
+				error("login failed");
 				continue;
+			}
 			pkcs11_fetch_keys(p, i, keyp, &nkeys);
 			pkcs11_fetch_certs(p, i, keyp, &nkeys);
 		}