Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh-pkcs11.c,v
rcsdiff: /ftp/cvs/cvsroot/src/crypto/external/bsd/openssh/dist/ssh-pkcs11.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.7
retrieving revision 1.8
diff -u -p -r1.7 -r1.8
--- src/crypto/external/bsd/openssh/dist/ssh-pkcs11.c	2015/04/03 23:58:19	1.7
+++ src/crypto/external/bsd/openssh/dist/ssh-pkcs11.c	2015/07/03 01:00:00	1.8
@@ -1,5 +1,5 @@
-/*	$NetBSD: ssh-pkcs11.c,v 1.7 2015/04/03 23:58:19 christos Exp $	*/
-/* $OpenBSD: ssh-pkcs11.c,v 1.17 2015/02/03 08:07:20 deraadt Exp $ */
+/*	$NetBSD: ssh-pkcs11.c,v 1.8 2015/07/03 01:00:00 christos Exp $	*/
+/* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 #include "includes.h"
-__RCSID("$NetBSD: ssh-pkcs11.c,v 1.7 2015/04/03 23:58:19 christos Exp $");
+__RCSID("$NetBSD: ssh-pkcs11.c,v 1.8 2015/07/03 01:00:00 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/queue.h>
@@ -236,7 +236,7 @@ pkcs11_rsa_private_encrypt(int flen, con
 		{CKA_ID, NULL, 0},
 		{CKA_SIGN, &true_val, sizeof(true_val) }
 	};
-	char			*pin, prompt[1024];
+	char			*pin = NULL, prompt[1024];
 	int			rval = -1;
 
 	if ((k11 = RSA_get_app_data(rsa)) == NULL) {
@@ -251,22 +251,30 @@ pkcs11_rsa_private_encrypt(int flen, con
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin entry%s", (si->token.flags &
+			    CKF_PROTECTED_AUTHENTICATION_PATH) ?
+			    " on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
-		rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin));
-		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+			verbose("Deferring PIN entry to reader keypad.");
+		else {
+			snprintf(prompt, sizeof(prompt),
+			    "Enter PIN for '%s': ", si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);	/* bail out */
+		}
+		rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
+		    (pin != NULL) ? strlen(pin) : 0);
+		if (pin != NULL) {
+			explicit_bzero(pin, strlen(pin));
 			free(pin);
+		}
+		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
@@ -521,7 +529,7 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
 				sshkey_free(key);
 			} else {
 				/* expand key array and add key */
-				*keysp = xrealloc(*keysp, *nkeys + 1,
+				*keysp = xreallocarray(*keysp, *nkeys + 1,
 				    sizeof(struct sshkey *));
 				(*keysp)[*nkeys] = key;
 				*nkeys = *nkeys + 1;