git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@648 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2005/10/17 16:39:41... | ... |
@@ -3,6 +3,10 @@ Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net> |
3 | 3 |
|
4 | 4 |
$Id$ |
5 | 5 |
|
6 |
+2005.10.xx -- Version 2.1-beta5 |
|
7 |
+ |
|
8 |
+* More PKCS#11 additions/changes (Alon Bar-Lev). |
|
9 |
+ |
|
6 | 10 |
2005.10.17 -- Version 2.1-beta4 |
7 | 11 |
|
8 | 12 |
* Fixed bug introduced in 2.1-beta3 where management |
... | ... |
@@ -25,7 +25,7 @@ dnl Process this file with autoconf to produce a configure script. |
25 | 25 |
|
26 | 26 |
AC_PREREQ(2.50) |
27 | 27 |
|
28 |
-AC_INIT([OpenVPN], [2.1_beta4], [openvpn-users@lists.sourceforge.net], [openvpn]) |
|
28 |
+AC_INIT([OpenVPN], [2.1_beta5], [openvpn-users@lists.sourceforge.net], [openvpn]) |
|
29 | 29 |
AM_CONFIG_HEADER(config.h) |
30 | 30 |
AC_CONFIG_SRCDIR(syshead.h) |
31 | 31 |
|
... | ... |
@@ -111,15 +111,16 @@ context_init_1 (struct context *c) |
111 | 111 |
/* Certificate password input */ |
112 | 112 |
if (c->options.key_pass_file) |
113 | 113 |
pem_password_setup (c->options.key_pass_file); |
114 |
+#endif |
|
114 | 115 |
|
115 | 116 |
#if defined(ENABLE_PKCS11) |
116 | 117 |
{ |
117 | 118 |
int i; |
119 |
+ init_pkcs11 (c->options.pkcs11_pin_cache_period); |
|
118 | 120 |
for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++) |
119 | 121 |
add_pkcs11 (c->options.pkcs11_providers[i], c->options.pkcs11_sign_mode[i]); |
120 | 122 |
} |
121 | 123 |
#endif |
122 |
-#endif |
|
123 | 124 |
|
124 | 125 |
#if P2MP |
125 | 126 |
/* Auth user/pass input */ |
... | ... |
@@ -232,13 +233,11 @@ uninit_static (void) |
232 | 232 |
|
233 | 233 |
#ifdef USE_CRYPTO |
234 | 234 |
free_ssl_lib (); |
235 |
+#endif |
|
235 | 236 |
|
236 |
-#ifdef USE_SSL |
|
237 | 237 |
#ifdef ENABLE_PKCS11 |
238 | 238 |
free_pkcs11 (); |
239 | 239 |
#endif |
240 |
-#endif |
|
241 |
-#endif |
|
242 | 240 |
|
243 | 241 |
#if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL) |
244 | 242 |
show_tls_performance_stats (); |
... | ... |
@@ -375,6 +374,11 @@ possibly_become_daemon (const struct options *options, const bool first_time) |
375 | 375 |
msg (M_ERR, "daemon() failed"); |
376 | 376 |
if (options->log) |
377 | 377 |
set_std_files_to_null (true); |
378 |
+ |
|
379 |
+#if defined(ENABLE_PKCS11) |
|
380 |
+ fork_fix_pkcs11 (); |
|
381 |
+#endif |
|
382 |
+ |
|
378 | 383 |
ret = true; |
379 | 384 |
} |
380 | 385 |
return ret; |
... | ... |
@@ -425,24 +425,6 @@ static const char usage_message[] = |
425 | 425 |
"--key file : Local private key in .pem format.\n" |
426 | 426 |
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" |
427 | 427 |
" and optionally the root CA certificate.\n" |
428 |
-#ifdef ENABLE_PKCS11 |
|
429 |
- "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" |
|
430 |
- "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n" |
|
431 |
- " auto : Try to determind automatically (default).\n" |
|
432 |
- " recover : Use SignRecover.\n" |
|
433 |
- " sign : Use Sign.\n" |
|
434 |
- "--pkcs11-slot-type method : Slot locate method:\n" |
|
435 |
- " id : By slot id (numeric [prov#:]slot#).\n" |
|
436 |
- " name : By slot name.\n" |
|
437 |
- " label : By the card label that resides in slot.\n" |
|
438 |
- "--pkcs11-slot name : The slot name.\n" |
|
439 |
- "--pkcs11-id-type method : Certificate and key locate method:\n" |
|
440 |
- " id : By the object id (hex format).\n" |
|
441 |
- " label : By the object label (string).\n" |
|
442 |
- " subject : By certificate subject (String).\n" |
|
443 |
- "--pkcs11-id name : The object name.\n" |
|
444 |
- "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n" |
|
445 |
-#endif |
|
446 | 428 |
#ifdef WIN32 |
447 | 429 |
"--cryptoapicert select-string : Load the certificate and private key from the\n" |
448 | 430 |
" Windows Certificate System Store.\n" |
... | ... |
@@ -479,7 +461,29 @@ static const char usage_message[] = |
479 | 479 |
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n" |
480 | 480 |
" nsCertType designation t = 'client' | 'server'.\n" |
481 | 481 |
#endif /* USE_SSL */ |
482 |
+#ifdef ENABLE_PKCS11 |
|
482 | 483 |
"\n" |
484 |
+ "PKCS#11 Options:\n" |
|
485 |
+ "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" |
|
486 |
+ "--pkcs11-sign-mode mode ... : PKCS#11 signature method.\n" |
|
487 |
+ " auto : Try to determind automatically (default).\n" |
|
488 |
+ " recover : Use SignRecover.\n" |
|
489 |
+ " sign : Use Sign.\n" |
|
490 |
+ "--pkcs11-slot-type method : Slot locate method:\n" |
|
491 |
+ " id : By slot id (numeric [prov#:]slot#).\n" |
|
492 |
+ " name : By slot name.\n" |
|
493 |
+ " label : By the card label that resides in slot.\n" |
|
494 |
+ "--pkcs11-slot name : The slot name.\n" |
|
495 |
+ "--pkcs11-id-type method : Certificate and key locate method:\n" |
|
496 |
+ " id : By the object id (hex format).\n" |
|
497 |
+ " label : By the object label (string).\n" |
|
498 |
+ " subject : By certificate subject (String).\n" |
|
499 |
+ "--pkcs11-id name : The object name.\n" |
|
500 |
+ "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" |
|
501 |
+ " cache until token removed.\n" |
|
502 |
+ "--pkcs11-protected-authentication : Use PKCS#11 protected authentication path.\n" |
|
503 |
+#endif /* ENABLE_PKCS11 */ |
|
504 |
+ "\n" |
|
483 | 505 |
"SSL Library information:\n" |
484 | 506 |
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n" |
485 | 507 |
"--show-digests : Show message digest algorithms to use with --auth option.\n" |
... | ... |
@@ -554,14 +558,12 @@ static const char usage_message[] = |
554 | 554 |
"--dev tunX|tapX : tun/tap device\n" |
555 | 555 |
"--dev-type dt : Device type. See tunnel options above for details.\n" |
556 | 556 |
#endif |
557 |
-#ifdef USE_SSL |
|
558 | 557 |
#ifdef ENABLE_PKCS11 |
559 | 558 |
"\n" |
560 |
- "PKCS#11 specific:\n" |
|
559 |
+ "PKCS#11 standalone options:\n" |
|
561 | 560 |
"--show-pkcs11-slots provider : Show PKCS#11 provider available slots.\n" |
562 | 561 |
"--show-pkcs11-objects provider slot : Show PKCS#11 token objects.\n" |
563 |
-#endif |
|
564 |
-#endif |
|
562 |
+#endif /* ENABLE_PKCS11 */ |
|
565 | 563 |
; |
566 | 564 |
|
567 | 565 |
#endif /* !ENABLE_SMALL */ |
... | ... |
@@ -646,11 +648,12 @@ init_options (struct options *o) |
646 | 646 |
o->renegotiate_seconds = 3600; |
647 | 647 |
o->handshake_window = 60; |
648 | 648 |
o->transition_window = 3600; |
649 |
-#ifdef ENABLE_PKCS11 |
|
650 |
- o->pkcs11_protected_authentication = false; |
|
651 |
-#endif |
|
652 | 649 |
#endif |
653 | 650 |
#endif |
651 |
+#ifdef ENABLE_PKCS11 |
|
652 |
+ o->pkcs11_pin_cache_period = -1; |
|
653 |
+ o->pkcs11_protected_authentication = false; |
|
654 |
+#endif /* ENABLE_PKCS11 */ |
|
654 | 655 |
} |
655 | 656 |
|
656 | 657 |
void |
... | ... |
@@ -1178,23 +1181,6 @@ show_settings (const struct options *o) |
1178 | 1178 |
SHOW_STR (cert_file); |
1179 | 1179 |
SHOW_STR (priv_key_file); |
1180 | 1180 |
SHOW_STR (pkcs12_file); |
1181 |
-#ifdef ENABLE_PKCS11 |
|
1182 |
- { |
|
1183 |
- int i; |
|
1184 |
- for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++) |
|
1185 |
- SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s"); |
|
1186 |
- } |
|
1187 |
- { |
|
1188 |
- int i; |
|
1189 |
- for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++) |
|
1190 |
- SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s"); |
|
1191 |
- } |
|
1192 |
- SHOW_STR (pkcs11_slot_type); |
|
1193 |
- SHOW_STR (pkcs11_slot); |
|
1194 |
- SHOW_STR (pkcs11_id_type); |
|
1195 |
- SHOW_STR (pkcs11_id); |
|
1196 |
- SHOW_BOOL (pkcs11_protected_authentication); |
|
1197 |
-#endif |
|
1198 | 1181 |
#ifdef WIN32 |
1199 | 1182 |
SHOW_STR (cryptoapi_cert); |
1200 | 1183 |
#endif |
... | ... |
@@ -1220,6 +1206,25 @@ show_settings (const struct options *o) |
1220 | 1220 |
#endif |
1221 | 1221 |
#endif |
1222 | 1222 |
|
1223 |
+#ifdef ENABLE_PKCS11 |
|
1224 |
+ { |
|
1225 |
+ int i; |
|
1226 |
+ for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++) |
|
1227 |
+ SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s"); |
|
1228 |
+ } |
|
1229 |
+ { |
|
1230 |
+ int i; |
|
1231 |
+ for (i=0;i<MAX_PARMS && o->pkcs11_sign_mode[i] != NULL;i++) |
|
1232 |
+ SHOW_PARM (pkcs11_sign_mode, o->pkcs11_sign_mode[i], "%s"); |
|
1233 |
+ } |
|
1234 |
+ SHOW_STR (pkcs11_slot_type); |
|
1235 |
+ SHOW_STR (pkcs11_slot); |
|
1236 |
+ SHOW_STR (pkcs11_id_type); |
|
1237 |
+ SHOW_STR (pkcs11_id); |
|
1238 |
+ SHOW_INT (pkcs11_pin_cache_period); |
|
1239 |
+ SHOW_BOOL (pkcs11_protected_authentication); |
|
1240 |
+#endif /* ENABLE_PKCS11 */ |
|
1241 |
+ |
|
1223 | 1242 |
#if P2MP |
1224 | 1243 |
show_p2mp_parms (o); |
1225 | 1244 |
#endif |
... | ... |
@@ -1702,11 +1707,6 @@ options_postprocess (struct options *options, bool first_time) |
1702 | 1702 |
|
1703 | 1703 |
notnull (options->pkcs11_id, "PKCS#11 id (--pkcs11-id)"); |
1704 | 1704 |
|
1705 |
- if (options->pkcs11_protected_authentication && options->key_pass_file != NULL) |
|
1706 |
- msg(M_USAGE, "Parameter --askpass cannot be used when --pkcs11-protected-authentication is also specified."); |
|
1707 |
- if (!options->pkcs11_protected_authentication && options->key_pass_file == NULL) |
|
1708 |
- msg (M_USAGE, "Please specify one of --askpass or --pkcs11-protected-autentication options."); |
|
1709 |
- |
|
1710 | 1705 |
if (options->cert_file) |
1711 | 1706 |
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified."); |
1712 | 1707 |
if (options->priv_key_file) |
... | ... |
@@ -4733,83 +4733,6 @@ add_option (struct options *options, |
4733 | 4733 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
4734 | 4734 |
options->cert_file = p[1]; |
4735 | 4735 |
} |
4736 |
-#ifdef ENABLE_PKCS11 |
|
4737 |
- else if (streq (p[0], "show-pkcs11-slots") && p[1]) |
|
4738 |
- { |
|
4739 |
- char *module = p[i++]; |
|
4740 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4741 |
- show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module); |
|
4742 |
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
|
4743 |
- } |
|
4744 |
- else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2]) |
|
4745 |
- { |
|
4746 |
- char *provider = p[i++]; |
|
4747 |
- char *slot = p[i++]; |
|
4748 |
- struct gc_arena gc = gc_new (); |
|
4749 |
- struct buffer pass_prompt = alloc_buf_gc (128, &gc); |
|
4750 |
- char pin[256]; |
|
4751 |
- |
|
4752 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4753 |
- |
|
4754 |
- buf_printf (&pass_prompt, "PIN:"); |
|
4755 |
- |
|
4756 |
- if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin))) |
|
4757 |
- msg (M_FATAL, "Cannot read password from stdin"); |
|
4758 |
- |
|
4759 |
- gc_free (&gc); |
|
4760 |
- |
|
4761 |
- show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin); |
|
4762 |
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
|
4763 |
- } |
|
4764 |
- else if (streq (p[0], "pkcs11-providers") && p[1]) |
|
4765 |
- { |
|
4766 |
- int j; |
|
4767 |
- |
|
4768 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4769 |
- |
|
4770 |
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i) |
|
4771 |
- options->pkcs11_providers[j-1] = p[j]; |
|
4772 |
- } |
|
4773 |
- else if (streq (p[0], "pkcs11-sign-mode") && p[1]) |
|
4774 |
- { |
|
4775 |
- int j; |
|
4776 |
- |
|
4777 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4778 |
- |
|
4779 |
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i) |
|
4780 |
- options->pkcs11_sign_mode[j-1] = p[j]; |
|
4781 |
- } |
|
4782 |
- else if (streq (p[0], "pkcs11-slot-type") && p[1]) |
|
4783 |
- { |
|
4784 |
- ++i; |
|
4785 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4786 |
- options->pkcs11_slot_type = p[1]; |
|
4787 |
- } |
|
4788 |
- else if (streq (p[0], "pkcs11-slot") && p[1]) |
|
4789 |
- { |
|
4790 |
- ++i; |
|
4791 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4792 |
- options->pkcs11_slot = p[1]; |
|
4793 |
- } |
|
4794 |
- else if (streq (p[0], "pkcs11-id-type") && p[1]) |
|
4795 |
- { |
|
4796 |
- ++i; |
|
4797 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4798 |
- options->pkcs11_id_type = p[1]; |
|
4799 |
- } |
|
4800 |
- else if (streq (p[0], "pkcs11-id") && p[1]) |
|
4801 |
- { |
|
4802 |
- ++i; |
|
4803 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4804 |
- options->pkcs11_id = p[1]; |
|
4805 |
- } |
|
4806 |
- else if (streq (p[0], "pkcs11-protected-authentication")) |
|
4807 |
- { |
|
4808 |
- ++i; |
|
4809 |
- VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4810 |
- options->pkcs11_protected_authentication = true; |
|
4811 |
- } |
|
4812 |
-#endif |
|
4813 | 4736 |
#ifdef WIN32 |
4814 | 4737 |
else if (streq (p[0], "cryptoapicert") && p[1]) |
4815 | 4738 |
{ |
... | ... |
@@ -4968,6 +4891,89 @@ add_option (struct options *options, |
4968 | 4968 |
} |
4969 | 4969 |
#endif /* USE_SSL */ |
4970 | 4970 |
#endif /* USE_CRYPTO */ |
4971 |
+#ifdef ENABLE_PKCS11 |
|
4972 |
+ else if (streq (p[0], "show-pkcs11-slots") && p[1]) |
|
4973 |
+ { |
|
4974 |
+ char *module = p[i++]; |
|
4975 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4976 |
+ show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module); |
|
4977 |
+ openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
|
4978 |
+ } |
|
4979 |
+ else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2]) |
|
4980 |
+ { |
|
4981 |
+ char *provider = p[i++]; |
|
4982 |
+ char *slot = p[i++]; |
|
4983 |
+ struct gc_arena gc = gc_new (); |
|
4984 |
+ struct buffer pass_prompt = alloc_buf_gc (128, &gc); |
|
4985 |
+ char pin[256]; |
|
4986 |
+ |
|
4987 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4988 |
+ |
|
4989 |
+ buf_printf (&pass_prompt, "PIN:"); |
|
4990 |
+ |
|
4991 |
+ if (!get_console_input (BSTR (&pass_prompt), false, pin, sizeof (pin))) |
|
4992 |
+ msg (M_FATAL, "Cannot read password from stdin"); |
|
4993 |
+ |
|
4994 |
+ gc_free (&gc); |
|
4995 |
+ |
|
4996 |
+ show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin); |
|
4997 |
+ openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
|
4998 |
+ } |
|
4999 |
+ else if (streq (p[0], "pkcs11-providers") && p[1]) |
|
5000 |
+ { |
|
5001 |
+ int j; |
|
5002 |
+ |
|
5003 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5004 |
+ |
|
5005 |
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i) |
|
5006 |
+ options->pkcs11_providers[j-1] = p[j]; |
|
5007 |
+ } |
|
5008 |
+ else if (streq (p[0], "pkcs11-sign-mode") && p[1]) |
|
5009 |
+ { |
|
5010 |
+ int j; |
|
5011 |
+ |
|
5012 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5013 |
+ |
|
5014 |
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j, ++i) |
|
5015 |
+ options->pkcs11_sign_mode[j-1] = p[j]; |
|
5016 |
+ } |
|
5017 |
+ else if (streq (p[0], "pkcs11-slot-type") && p[1]) |
|
5018 |
+ { |
|
5019 |
+ ++i; |
|
5020 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5021 |
+ options->pkcs11_slot_type = p[1]; |
|
5022 |
+ } |
|
5023 |
+ else if (streq (p[0], "pkcs11-slot") && p[1]) |
|
5024 |
+ { |
|
5025 |
+ ++i; |
|
5026 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5027 |
+ options->pkcs11_slot = p[1]; |
|
5028 |
+ } |
|
5029 |
+ else if (streq (p[0], "pkcs11-id-type") && p[1]) |
|
5030 |
+ { |
|
5031 |
+ ++i; |
|
5032 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5033 |
+ options->pkcs11_id_type = p[1]; |
|
5034 |
+ } |
|
5035 |
+ else if (streq (p[0], "pkcs11-id") && p[1]) |
|
5036 |
+ { |
|
5037 |
+ ++i; |
|
5038 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5039 |
+ options->pkcs11_id = p[1]; |
|
5040 |
+ } |
|
5041 |
+ else if (streq (p[0], "pkcs11-pin-cache") && p[1]) |
|
5042 |
+ { |
|
5043 |
+ ++i; |
|
5044 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5045 |
+ options->pkcs11_pin_cache_period = atoi (p[1]); |
|
5046 |
+ } |
|
5047 |
+ else if (streq (p[0], "pkcs11-protected-authentication")) |
|
5048 |
+ { |
|
5049 |
+ ++i; |
|
5050 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
5051 |
+ options->pkcs11_protected_authentication = true; |
|
5052 |
+ } |
|
5053 |
+#endif |
|
4971 | 5054 |
#ifdef TUNSETPERSIST |
4972 | 5055 |
else if (streq (p[0], "rmtun")) |
4973 | 5056 |
{ |
... | ... |
@@ -58,6 +58,12 @@ |
58 | 58 |
#include "pkcs11.h" |
59 | 59 |
|
60 | 60 |
/*=========================================== |
61 |
+ * MACROS |
|
62 |
+ */ |
|
63 |
+ |
|
64 |
+#define snprintf openvpn_snprintf |
|
65 |
+ |
|
66 |
+/*=========================================== |
|
61 | 67 |
* Constants |
62 | 68 |
*/ |
63 | 69 |
|
... | ... |
@@ -78,6 +84,25 @@ |
78 | 78 |
* Types |
79 | 79 |
*/ |
80 | 80 |
|
81 |
+typedef bool (*pkcs11_hook_card_prompt_t)( |
|
82 |
+ IN const void *pData, |
|
83 |
+ IN const char * const szLabel |
|
84 |
+); |
|
85 |
+ |
|
86 |
+typedef bool (*pkcs11_hook_pin_prompt_t)( |
|
87 |
+ IN const void *pData, |
|
88 |
+ IN const char * const szLabel, |
|
89 |
+ OUT char * const szPIN, |
|
90 |
+ IN const size_t nMaxPIN |
|
91 |
+); |
|
92 |
+ |
|
93 |
+typedef struct pkcs11_hooks_s { |
|
94 |
+ void *card_prompt_data; |
|
95 |
+ void *pin_prompt_data; |
|
96 |
+ pkcs11_hook_card_prompt_t card_prompt; |
|
97 |
+ pkcs11_hook_pin_prompt_t pin_prompt; |
|
98 |
+} *pkcs11_hooks_t; |
|
99 |
+ |
|
81 | 100 |
typedef struct pkcs11_provider_s { |
82 | 101 |
struct pkcs11_provider_s *next; |
83 | 102 |
|
... | ... |
@@ -91,27 +116,39 @@ typedef struct pkcs11_provider_s { |
91 | 91 |
CK_FUNCTION_LIST_PTR f; |
92 | 92 |
bool fShouldFinalize; |
93 | 93 |
char *szSignMode; |
94 |
+ |
|
94 | 95 |
} *pkcs11_provider_t; |
95 | 96 |
|
96 | 97 |
typedef struct pkcs11_session_s { |
97 | 98 |
|
98 | 99 |
pkcs11_provider_t provider; |
99 | 100 |
|
101 |
+ bool fProtectedAuthentication; |
|
102 |
+ |
|
103 |
+ char szLabel[sizeof (((CK_TOKEN_INFO *)NULL)->label)+1]; |
|
104 |
+ CK_CHAR serialNumber[sizeof (((CK_TOKEN_INFO *)NULL)->serialNumber)]; |
|
105 |
+ |
|
100 | 106 |
unsigned char *certificate; |
101 |
- int certificate_size; |
|
107 |
+ size_t certificate_size; |
|
102 | 108 |
unsigned char *certificate_id; |
103 |
- int certificate_id_size; |
|
104 |
- |
|
105 |
- char *szPIN; |
|
106 |
- bool fLoginFailed; |
|
109 |
+ size_t certificate_id_size; |
|
107 | 110 |
|
108 | 111 |
CK_SLOT_ID slot; |
109 | 112 |
bool fKeySignRecover; |
110 | 113 |
|
111 | 114 |
CK_SESSION_HANDLE session; |
112 | 115 |
CK_OBJECT_HANDLE key; |
116 |
+ |
|
117 |
+ time_t timePINExpire; |
|
113 | 118 |
} *pkcs11_session_t; |
114 | 119 |
|
120 |
+typedef struct pkcs11_data_s { |
|
121 |
+ bool fInitialized; |
|
122 |
+ int nPINCachePeriod; |
|
123 |
+ pkcs11_provider_t providers; |
|
124 |
+ pkcs11_hooks_t hooks; |
|
125 |
+} *pkcs11_data_t; |
|
126 |
+ |
|
115 | 127 |
/*=========================================== |
116 | 128 |
* Low level prototypes |
117 | 129 |
*/ |
... | ... |
@@ -121,14 +158,14 @@ void |
121 | 121 |
_fixupFixedString ( |
122 | 122 |
IN const char * const szSource, |
123 | 123 |
OUT char * const szTarget, /* MUST BE >= nLength+1 */ |
124 |
- IN const int nLength /* FIXED STRING LENGTH */ |
|
124 |
+ IN const size_t nLength /* FIXED STRING LENGTH */ |
|
125 | 125 |
); |
126 | 126 |
static |
127 | 127 |
void |
128 | 128 |
_hexToBinary ( |
129 | 129 |
IN const char * const szSource, |
130 | 130 |
OUT unsigned char * const target, |
131 |
- IN OUT int * const target_size |
|
131 |
+ IN OUT size_t * const target_size |
|
132 | 132 |
); |
133 | 133 |
static |
134 | 134 |
CK_RV |
... | ... |
@@ -154,11 +191,21 @@ _pkcs11_getObjectById ( |
154 | 154 |
IN const pkcs11_session_t pkcs11_session, |
155 | 155 |
IN const CK_OBJECT_CLASS class, |
156 | 156 |
IN const unsigned char * const id, |
157 |
- IN const int id_size, |
|
157 |
+ IN const size_t id_size, |
|
158 | 158 |
OUT CK_OBJECT_HANDLE * const handle |
159 | 159 |
); |
160 | 160 |
static |
161 | 161 |
CK_RV |
162 |
+_pkcs11_setSessionTokenInfo ( |
|
163 |
+ IN const pkcs11_session_t pkcs11_session |
|
164 |
+); |
|
165 |
+static |
|
166 |
+CK_RV |
|
167 |
+_pkcs11_resetSlot ( |
|
168 |
+ IN const pkcs11_session_t pkcs11_session |
|
169 |
+); |
|
170 |
+static |
|
171 |
+CK_RV |
|
162 | 172 |
_pkcs11_loadCertificate ( |
163 | 173 |
IN const pkcs11_session_t pkcs11_session, |
164 | 174 |
IN const char * const szIdType, |
... | ... |
@@ -173,15 +220,66 @@ static |
173 | 173 |
bool |
174 | 174 |
_isBetterCertificate ( |
175 | 175 |
IN const unsigned char * const pCurrent, |
176 |
- IN const int nCurrentSize, |
|
176 |
+ IN const size_t nCurrentSize, |
|
177 | 177 |
IN const unsigned char * const pNew, |
178 |
- IN const int nNewSize |
|
178 |
+ IN const size_t nNewSize |
|
179 |
+); |
|
180 |
+static |
|
181 |
+CK_RV |
|
182 |
+_pkcs11_validateSession ( |
|
183 |
+ IN const pkcs11_session_t pkcs11_session |
|
184 |
+); |
|
185 |
+static |
|
186 |
+CK_RV |
|
187 |
+_pkcs11_login ( |
|
188 |
+ IN const pkcs11_session_t pkcs11_session |
|
189 |
+); |
|
190 |
+static |
|
191 |
+CK_RV |
|
192 |
+_pkcs11_logout ( |
|
193 |
+ IN const pkcs11_session_t pkcs11_session |
|
179 | 194 |
); |
180 | 195 |
|
181 | 196 |
/*========================================= |
182 | 197 |
* Simplified functions prototypes |
183 | 198 |
*/ |
184 |
- |
|
199 |
+static |
|
200 |
+bool |
|
201 |
+_pkcs11_hooks_card_prompt_default ( |
|
202 |
+ IN const void *pData, |
|
203 |
+ IN const char * const szLabel |
|
204 |
+); |
|
205 |
+static |
|
206 |
+bool |
|
207 |
+_pkcs11_hooks_pin_prompt_default ( |
|
208 |
+ IN const void *pData, |
|
209 |
+ IN const char * const szLabel, |
|
210 |
+ OUT char * const szPIN, |
|
211 |
+ IN const size_t nMaxPIN |
|
212 |
+); |
|
213 |
+static |
|
214 |
+CK_RV |
|
215 |
+pkcs11_initialize (); |
|
216 |
+static |
|
217 |
+CK_RV |
|
218 |
+pkcs11_terminate (); |
|
219 |
+static |
|
220 |
+CK_RV |
|
221 |
+pkcs11_setCardPromptHook ( |
|
222 |
+ IN const pkcs11_hook_card_prompt_t hook, |
|
223 |
+ IN void * const pData |
|
224 |
+); |
|
225 |
+static |
|
226 |
+CK_RV |
|
227 |
+pkcs11_setPINPromptHook ( |
|
228 |
+ IN const pkcs11_hook_pin_prompt_t hook, |
|
229 |
+ IN void * const pData |
|
230 |
+); |
|
231 |
+static |
|
232 |
+CK_RV |
|
233 |
+pkcs11_setPINCachePeriod ( |
|
234 |
+ IN const int nPINCachePeriod |
|
235 |
+); |
|
185 | 236 |
static |
186 | 237 |
CK_RV |
187 | 238 |
pkcs11_addProvider ( |
... | ... |
@@ -190,7 +288,7 @@ pkcs11_addProvider ( |
190 | 190 |
); |
191 | 191 |
static |
192 | 192 |
CK_RV |
193 |
-pkcs11_finalize (); |
|
193 |
+pkcs11_forkFixup (); |
|
194 | 194 |
static |
195 | 195 |
CK_RV |
196 | 196 |
pkcs11_createSession ( |
... | ... |
@@ -198,7 +296,6 @@ pkcs11_createSession ( |
198 | 198 |
IN const char * const szSlot, |
199 | 199 |
IN const char * const szIdType, |
200 | 200 |
IN const char * const szId, |
201 |
- IN const char * const szPIN, |
|
202 | 201 |
IN const bool fProtectedAuthentication, |
203 | 202 |
OUT pkcs11_session_t * const pkcs11_session |
204 | 203 |
); |
... | ... |
@@ -209,23 +306,13 @@ pkcs11_freeSession ( |
209 | 209 |
); |
210 | 210 |
static |
211 | 211 |
CK_RV |
212 |
-pkcs11_login ( |
|
213 |
- IN const pkcs11_session_t pkcs11_session |
|
214 |
-); |
|
215 |
-static |
|
216 |
-CK_RV |
|
217 |
-pkcs11_logout ( |
|
218 |
- IN const pkcs11_session_t pkcs11_session |
|
219 |
-); |
|
220 |
-static |
|
221 |
-CK_RV |
|
222 | 212 |
pkcs11_sign ( |
223 | 213 |
IN const pkcs11_session_t pkcs11_session, |
224 | 214 |
IN const CK_MECHANISM_TYPE mech_type, |
225 | 215 |
IN const unsigned char * const source, |
226 |
- IN const int source_size, |
|
216 |
+ IN const size_t source_size, |
|
227 | 217 |
OUT unsigned char * const target, |
228 |
- IN OUT int * const target_size |
|
218 |
+ IN OUT size_t * const target_size |
|
229 | 219 |
); |
230 | 220 |
static |
231 | 221 |
CK_RV |
... | ... |
@@ -233,9 +320,9 @@ pkcs11_signRecover ( |
233 | 233 |
IN const pkcs11_session_t pkcs11_session, |
234 | 234 |
IN const CK_MECHANISM_TYPE mech_type, |
235 | 235 |
IN const unsigned char * const source, |
236 |
- IN const int source_size, |
|
236 |
+ IN const size_t source_size, |
|
237 | 237 |
OUT unsigned char * const target, |
238 |
- IN OUT int * const target_size |
|
238 |
+ IN OUT size_t * const target_size |
|
239 | 239 |
); |
240 | 240 |
static |
241 | 241 |
CK_RV |
... | ... |
@@ -243,16 +330,16 @@ pkcs11_decrypt ( |
243 | 243 |
IN const pkcs11_session_t pkcs11_session, |
244 | 244 |
IN const CK_MECHANISM_TYPE mech_type, |
245 | 245 |
IN const unsigned char * const source, |
246 |
- IN const int source_size, |
|
246 |
+ IN const size_t source_size, |
|
247 | 247 |
OUT unsigned char * const target, |
248 |
- IN OUT int * const target_size |
|
248 |
+ IN OUT size_t * const target_size |
|
249 | 249 |
); |
250 | 250 |
static |
251 | 251 |
CK_RV |
252 | 252 |
pkcs11_getCertificate ( |
253 | 253 |
IN const pkcs11_session_t pkcs11_session, |
254 |
- OUT char * const certificate, |
|
255 |
- IN OUT int * const certificate_size |
|
254 |
+ OUT unsigned char * const certificate, |
|
255 |
+ IN OUT size_t * const certificate_size |
|
256 | 256 |
); |
257 | 257 |
static |
258 | 258 |
char * |
... | ... |
@@ -264,7 +351,7 @@ pkcs11_getMessage ( |
264 | 264 |
* Static data |
265 | 265 |
*/ |
266 | 266 |
|
267 |
-static pkcs11_provider_t pkcs11_provider = NULL; |
|
267 |
+static pkcs11_data_t pkcs11_data = NULL; |
|
268 | 268 |
|
269 | 269 |
/*========================================== |
270 | 270 |
* Internal utility functions |
... | ... |
@@ -275,7 +362,7 @@ void |
275 | 275 |
_fixupFixedString ( |
276 | 276 |
IN const char * const szSource, |
277 | 277 |
OUT char * const szTarget, /* MUST BE >= nLength+1 */ |
278 |
- IN const int nLength /* FIXED STRING LENGTH */ |
|
278 |
+ IN const size_t nLength /* FIXED STRING LENGTH */ |
|
279 | 279 |
) { |
280 | 280 |
char *p; |
281 | 281 |
|
... | ... |
@@ -297,9 +384,9 @@ void |
297 | 297 |
_hexToBinary ( |
298 | 298 |
IN const char * const szSource, |
299 | 299 |
OUT unsigned char * const target, |
300 |
- IN OUT int * const target_size |
|
300 |
+ IN OUT size_t * const target_size |
|
301 | 301 |
) { |
302 |
- int target_max_size; |
|
302 |
+ size_t target_max_size; |
|
303 | 303 |
const char *p; |
304 | 304 |
char buf[3] = {'\0', '\0', '\0'}; |
305 | 305 |
int i = 0; |
... | ... |
@@ -317,7 +404,7 @@ _hexToBinary ( |
317 | 317 |
buf[i%2] = *p; |
318 | 318 |
|
319 | 319 |
if ((i%2) == 1) { |
320 |
- int v; |
|
320 |
+ unsigned v; |
|
321 | 321 |
sscanf (buf, "%x", &v); |
322 | 322 |
target[*target_size] = v & 0xff; |
323 | 323 |
(*target_size)++; |
... | ... |
@@ -333,9 +420,9 @@ static |
333 | 333 |
bool |
334 | 334 |
_isBetterCertificate ( |
335 | 335 |
IN const unsigned char * const pCurrent, |
336 |
- IN const int nCurrentSize, |
|
336 |
+ IN const size_t nCurrentSize, |
|
337 | 337 |
IN const unsigned char * const pNew, |
338 |
- IN const int nNewSize |
|
338 |
+ IN const size_t nNewSize |
|
339 | 339 |
) { |
340 | 340 |
/* |
341 | 341 |
* This function compare the notBefore |
... | ... |
@@ -427,7 +514,7 @@ _pkcs11_getSlotById ( |
427 | 427 |
} |
428 | 428 |
|
429 | 429 |
for ( |
430 |
- i=0, provider=pkcs11_provider; |
|
430 |
+ i=0, provider=pkcs11_data->providers; |
|
431 | 431 |
i < provider_number && provider != NULL; |
432 | 432 |
i++, provider = provider->next |
433 | 433 |
); |
... | ... |
@@ -453,9 +540,6 @@ _pkcs11_getSlotByName ( |
453 | 453 |
IN const pkcs11_session_t pkcs11_session, |
454 | 454 |
IN const char * const szName |
455 | 455 |
) { |
456 |
- CK_SLOT_ID slots[1024]; |
|
457 |
- CK_ULONG slotnum; |
|
458 |
- CK_SLOT_ID s; |
|
459 | 456 |
CK_RV rv; |
460 | 457 |
|
461 | 458 |
pkcs11_provider_t provider; |
... | ... |
@@ -465,13 +549,16 @@ _pkcs11_getSlotByName ( |
465 | 465 |
ASSERT (szName!=NULL); |
466 | 466 |
|
467 | 467 |
for ( |
468 |
- provider = pkcs11_provider; |
|
468 |
+ provider = pkcs11_data->providers; |
|
469 | 469 |
( |
470 | 470 |
provider != NULL && |
471 | 471 |
!fFound |
472 | 472 |
); |
473 | 473 |
provider = provider->next |
474 | 474 |
) { |
475 |
+ CK_SLOT_ID slots[1024]; |
|
476 |
+ CK_ULONG slotnum; |
|
477 |
+ |
|
475 | 478 |
if (!provider->fEnabled) { |
476 | 479 |
continue; |
477 | 480 |
} |
... | ... |
@@ -484,6 +571,8 @@ _pkcs11_getSlotByName ( |
484 | 484 |
&slotnum |
485 | 485 |
)) == CKR_OK |
486 | 486 |
) { |
487 |
+ CK_SLOT_ID s; |
|
488 |
+ |
|
487 | 489 |
for (s=0;!fFound && s<slotnum;s++) { |
488 | 490 |
CK_SLOT_INFO info; |
489 | 491 |
|
... | ... |
@@ -496,7 +585,7 @@ _pkcs11_getSlotByName ( |
496 | 496 |
char szCurrentName[sizeof (info.slotDescription)+1]; |
497 | 497 |
|
498 | 498 |
_fixupFixedString ( |
499 |
- info.slotDescription, |
|
499 |
+ (char *)info.slotDescription, |
|
500 | 500 |
szCurrentName, |
501 | 501 |
sizeof (info.slotDescription) |
502 | 502 |
); |
... | ... |
@@ -520,9 +609,6 @@ _pkcs11_getSlotByLabel ( |
520 | 520 |
IN const pkcs11_session_t pkcs11_session, |
521 | 521 |
IN const char * const szLabel |
522 | 522 |
) { |
523 |
- CK_SLOT_ID slots[1024]; |
|
524 |
- CK_ULONG slotnum; |
|
525 |
- CK_SLOT_ID s; |
|
526 | 523 |
CK_RV rv; |
527 | 524 |
|
528 | 525 |
pkcs11_provider_t provider; |
... | ... |
@@ -532,13 +618,16 @@ _pkcs11_getSlotByLabel ( |
532 | 532 |
ASSERT (szLabel!=NULL); |
533 | 533 |
|
534 | 534 |
for ( |
535 |
- provider = pkcs11_provider; |
|
535 |
+ provider = pkcs11_data->providers; |
|
536 | 536 |
( |
537 | 537 |
provider != NULL && |
538 | 538 |
!fFound |
539 | 539 |
); |
540 | 540 |
provider = provider->next |
541 | 541 |
) { |
542 |
+ CK_SLOT_ID slots[1024]; |
|
543 |
+ CK_ULONG slotnum; |
|
544 |
+ |
|
542 | 545 |
if (!provider->fEnabled) { |
543 | 546 |
continue; |
544 | 547 |
} |
... | ... |
@@ -551,6 +640,8 @@ _pkcs11_getSlotByLabel ( |
551 | 551 |
&slotnum |
552 | 552 |
)) == CKR_OK |
553 | 553 |
) { |
554 |
+ CK_SLOT_ID s; |
|
555 |
+ |
|
554 | 556 |
for (s=0;!fFound && s<slotnum;s++) { |
555 | 557 |
CK_TOKEN_INFO info; |
556 | 558 |
|
... | ... |
@@ -563,7 +654,7 @@ _pkcs11_getSlotByLabel ( |
563 | 563 |
char szCurrentLabel[sizeof (info.label)+1]; |
564 | 564 |
|
565 | 565 |
_fixupFixedString ( |
566 |
- info.label, |
|
566 |
+ (char *)info.label, |
|
567 | 567 |
szCurrentLabel, |
568 | 568 |
sizeof (info.label) |
569 | 569 |
); |
... | ... |
@@ -583,16 +674,105 @@ _pkcs11_getSlotByLabel ( |
583 | 583 |
|
584 | 584 |
static |
585 | 585 |
CK_RV |
586 |
+_pkcs11_setSessionTokenInfo ( |
|
587 |
+ IN const pkcs11_session_t pkcs11_session |
|
588 |
+) { |
|
589 |
+ CK_TOKEN_INFO info; |
|
590 |
+ CK_RV rv; |
|
591 |
+ |
|
592 |
+ ASSERT (pkcs11_session!=NULL); |
|
593 |
+ |
|
594 |
+ if ( |
|
595 |
+ (rv = pkcs11_session->provider->f->C_GetTokenInfo ( |
|
596 |
+ pkcs11_session->slot, |
|
597 |
+ &info |
|
598 |
+ )) == CKR_OK |
|
599 |
+ ) { |
|
600 |
+ _fixupFixedString ( |
|
601 |
+ (char *)info.label, |
|
602 |
+ pkcs11_session->szLabel, |
|
603 |
+ sizeof (info.label) |
|
604 |
+ ); |
|
605 |
+ |
|
606 |
+ memmove ( |
|
607 |
+ pkcs11_session->serialNumber, |
|
608 |
+ info.serialNumber, |
|
609 |
+ sizeof (pkcs11_session->serialNumber) |
|
610 |
+ ); |
|
611 |
+ } |
|
612 |
+ |
|
613 |
+ return rv; |
|
614 |
+} |
|
615 |
+ |
|
616 |
+static |
|
617 |
+CK_RV |
|
618 |
+_pkcs11_resetSlot ( |
|
619 |
+ IN const pkcs11_session_t pkcs11_session |
|
620 |
+) { |
|
621 |
+ CK_SLOT_ID slots[1024]; |
|
622 |
+ CK_ULONG slotnum; |
|
623 |
+ CK_RV rv; |
|
624 |
+ bool fFound = false; |
|
625 |
+ bool fCancel = false; |
|
626 |
+ |
|
627 |
+ ASSERT (pkcs11_session!=NULL); |
|
628 |
+ |
|
629 |
+ do { |
|
630 |
+ slotnum = sizeof (slots) / sizeof (CK_SLOT_ID); |
|
631 |
+ if ( |
|
632 |
+ (rv = pkcs11_session->provider->f->C_GetSlotList ( |
|
633 |
+ TRUE, |
|
634 |
+ slots, |
|
635 |
+ &slotnum |
|
636 |
+ )) == CKR_OK |
|
637 |
+ ) { |
|
638 |
+ CK_SLOT_ID s; |
|
639 |
+ |
|
640 |
+ for (s=0;!fFound && s<slotnum;s++) { |
|
641 |
+ CK_TOKEN_INFO info; |
|
642 |
+ |
|
643 |
+ if ( |
|
644 |
+ (rv = pkcs11_session->provider->f->C_GetTokenInfo ( |
|
645 |
+ slots[s], |
|
646 |
+ &info |
|
647 |
+ )) == CKR_OK |
|
648 |
+ ) { |
|
649 |
+ if ( |
|
650 |
+ !memcmp ( |
|
651 |
+ pkcs11_session->serialNumber, |
|
652 |
+ info.serialNumber, |
|
653 |
+ sizeof (pkcs11_session->serialNumber) |
|
654 |
+ ) |
|
655 |
+ ) { |
|
656 |
+ pkcs11_session->slot = slots[s]; |
|
657 |
+ fFound = true; |
|
658 |
+ } |
|
659 |
+ } |
|
660 |
+ } |
|
661 |
+ } |
|
662 |
+ |
|
663 |
+ if (!fFound) { |
|
664 |
+ fCancel = !pkcs11_data->hooks->card_prompt ( |
|
665 |
+ pkcs11_data->hooks->card_prompt_data, |
|
666 |
+ pkcs11_session->szLabel |
|
667 |
+ ); |
|
668 |
+ } |
|
669 |
+ } while (!fFound && !fCancel); |
|
670 |
+ |
|
671 |
+ return fFound ? CKR_OK : CKR_SLOT_ID_INVALID; |
|
672 |
+} |
|
673 |
+ |
|
674 |
+static |
|
675 |
+CK_RV |
|
586 | 676 |
_pkcs11_getObjectById ( |
587 | 677 |
IN const pkcs11_session_t pkcs11_session, |
588 | 678 |
IN const CK_OBJECT_CLASS class, |
589 | 679 |
IN const unsigned char * const id, |
590 |
- IN const int id_size, |
|
680 |
+ IN const size_t id_size, |
|
591 | 681 |
OUT CK_OBJECT_HANDLE * const handle |
592 | 682 |
) { |
593 | 683 |
CK_ULONG count; |
594 |
- bool fFound = false; |
|
595 |
- CK_RV rv; |
|
684 |
+ CK_RV rv = CKR_OK; |
|
596 | 685 |
|
597 | 686 |
CK_ATTRIBUTE filter[] = { |
598 | 687 |
{CKA_CLASS, (void *)&class, sizeof (class)}, |
... | ... |
@@ -603,34 +783,35 @@ _pkcs11_getObjectById ( |
603 | 603 |
ASSERT (id!=NULL); |
604 | 604 |
ASSERT (handle!=NULL); |
605 | 605 |
|
606 |
- if ( |
|
607 |
- (rv = pkcs11_session->provider->f->C_FindObjectsInit ( |
|
606 |
+ if (rv == CKR_OK) { |
|
607 |
+ rv = pkcs11_session->provider->f->C_FindObjectsInit ( |
|
608 | 608 |
pkcs11_session->session, |
609 | 609 |
filter, |
610 | 610 |
sizeof (filter) / sizeof (CK_ATTRIBUTE) |
611 |
- )) != CKR_OK |
|
612 |
- ) { |
|
613 |
- return rv; |
|
611 |
+ ); |
|
614 | 612 |
} |
615 | 613 |
|
616 |
- if ( |
|
617 |
- (rv = pkcs11_session->provider->f->C_FindObjects ( |
|
614 |
+ if (rv == CKR_OK) { |
|
615 |
+ rv = pkcs11_session->provider->f->C_FindObjects ( |
|
618 | 616 |
pkcs11_session->session, |
619 | 617 |
handle, |
620 | 618 |
1, |
621 | 619 |
&count |
622 |
- )) == CKR_OK |
|
620 |
+ ); |
|
621 |
+ } |
|
622 |
+ |
|
623 |
+ if ( |
|
624 |
+ rv == CKR_OK && |
|
625 |
+ count == 0 |
|
623 | 626 |
) { |
624 |
- if (count > 0) { |
|
625 |
- fFound = true; |
|
626 |
- } |
|
627 |
+ rv = CKR_FUNCTION_REJECTED; |
|
627 | 628 |
} |
628 | 629 |
|
629 | 630 |
pkcs11_session->provider->f->C_FindObjectsFinal ( |
630 | 631 |
pkcs11_session->session |
631 | 632 |
); |
632 | 633 |
|
633 |
- return fFound ? CKR_OK : CKR_FUNCTION_REJECTED; |
|
634 |
+ return rv; |
|
634 | 635 |
} |
635 | 636 |
|
636 | 637 |
static |
... | ... |
@@ -674,7 +855,7 @@ _pkcs11_loadCertificate ( |
674 | 674 |
); |
675 | 675 |
} |
676 | 676 |
else if (!strcmp (szIdType, "id")) { |
677 |
- int s = sizeof (cert_filter_by); |
|
677 |
+ size_t s = sizeof (cert_filter_by); |
|
678 | 678 |
|
679 | 679 |
cert_filter[1].type = CKA_ID; |
680 | 680 |
_hexToBinary ( |
... | ... |
@@ -876,11 +1057,303 @@ _pkcs11_loadKeyProperties ( |
876 | 876 |
return CKR_OK; |
877 | 877 |
} |
878 | 878 |
|
879 |
+static |
|
880 |
+CK_RV |
|
881 |
+_pkcs11_validateSession ( |
|
882 |
+ IN const pkcs11_session_t pkcs11_session |
|
883 |
+) { |
|
884 |
+ if ( |
|
885 |
+ pkcs11_session->timePINExpire != (time_t)0 && |
|
886 |
+ pkcs11_session->timePINExpire < time (NULL) |
|
887 |
+ ) { |
|
888 |
+ _pkcs11_logout (pkcs11_session); |
|
889 |
+ } |
|
890 |
+ return CKR_OK; |
|
891 |
+} |
|
892 |
+ |
|
893 |
+static |
|
894 |
+CK_RV |
|
895 |
+_pkcs11_login ( |
|
896 |
+ IN const pkcs11_session_t pkcs11_session |
|
897 |
+) { |
|
898 |
+ CK_RV rv = CKR_OK; |
|
899 |
+ |
|
900 |
+ |
|
901 |
+ ASSERT (pkcs11_session!=NULL); |
|
902 |
+ |
|
903 |
+ _pkcs11_logout (pkcs11_session); |
|
904 |
+ |
|
905 |
+ if (rv == CKR_OK) { |
|
906 |
+ rv = _pkcs11_resetSlot (pkcs11_session); |
|
907 |
+ } |
|
908 |
+ |
|
909 |
+ if (rv == CKR_OK) { |
|
910 |
+ rv = pkcs11_session->provider->f->C_OpenSession ( |
|
911 |
+ pkcs11_session->slot, |
|
912 |
+ CKF_SERIAL_SESSION, |
|
913 |
+ NULL_PTR, |
|
914 |
+ NULL_PTR, |
|
915 |
+ &pkcs11_session->session |
|
916 |
+ ); |
|
917 |
+ } |
|
918 |
+ |
|
919 |
+ if (rv == CKR_OK) { |
|
920 |
+ int nRetryCount = 0; |
|
921 |
+ do { |
|
922 |
+ CK_UTF8CHAR_PTR utfPIN = NULL; |
|
923 |
+ CK_ULONG lPINLength = 0; |
|
924 |
+ char szPIN[1024]; |
|
925 |
+ |
|
926 |
+ /* |
|
927 |
+ * Assume OK for next iteration |
|
928 |
+ */ |
|
929 |
+ rv = CKR_OK; |
|
930 |
+ |
|
931 |
+ if ( |
|
932 |
+ rv == CKR_OK && |
|
933 |
+ !pkcs11_session->fProtectedAuthentication |
|
934 |
+ ) { |
|
935 |
+ if ( |
|
936 |
+ !pkcs11_data->hooks->pin_prompt ( |
|
937 |
+ pkcs11_data->hooks->pin_prompt_data, |
|
938 |
+ pkcs11_session->szLabel, |
|
939 |
+ szPIN, |
|
940 |
+ sizeof (szPIN) |
|
941 |
+ ) |
|
942 |
+ ) { |
|
943 |
+ rv = CKR_FUNCTION_FAILED; |
|
944 |
+ } |
|
945 |
+ else { |
|
946 |
+ utfPIN = (CK_UTF8CHAR_PTR)szPIN; |
|
947 |
+ lPINLength = strlen (szPIN); |
|
948 |
+ } |
|
949 |
+ } |
|
950 |
+ |
|
951 |
+ if (pkcs11_data->nPINCachePeriod == -1) { |
|
952 |
+ pkcs11_session->timePINExpire = 0; |
|
953 |
+ } |
|
954 |
+ else { |
|
955 |
+ pkcs11_session->timePINExpire = ( |
|
956 |
+ time (NULL) + |
|
957 |
+ (time_t)pkcs11_data->nPINCachePeriod |
|
958 |
+ ); |
|
959 |
+ } |
|
960 |
+ if ( |
|
961 |
+ rv == CKR_OK && |
|
962 |
+ (rv = pkcs11_session->provider->f->C_Login ( |
|
963 |
+ pkcs11_session->session, |
|
964 |
+ CKU_USER, |
|
965 |
+ utfPIN, |
|
966 |
+ lPINLength |
|
967 |
+ )) != CKR_OK |
|
968 |
+ ) { |
|
969 |
+ if (rv == CKR_USER_ALREADY_LOGGED_IN) { |
|
970 |
+ rv = CKR_OK; |
|
971 |
+ } |
|
972 |
+ } |
|
973 |
+ |
|
974 |
+ /* |
|
975 |
+ * Clean PIN buffer |
|
976 |
+ */ |
|
977 |
+ memset (szPIN, 0, sizeof (szPIN)); |
|
978 |
+ } while ( |
|
979 |
+ ++nRetryCount < 3 && |
|
980 |
+ ( |
|
981 |
+ rv == CKR_PIN_INCORRECT || |
|
982 |
+ rv == CKR_PIN_INVALID |
|
983 |
+ ) |
|
984 |
+ ); |
|
985 |
+ } |
|
986 |
+ |
|
987 |
+ if ( |
|
988 |
+ rv == CKR_OK && |
|
989 |
+ pkcs11_session->certificate_id != NULL |
|
990 |
+ ) { |
|
991 |
+ rv = _pkcs11_getObjectById ( |
|
992 |
+ pkcs11_session, |
|
993 |
+ CKO_PRIVATE_KEY, |
|
994 |
+ pkcs11_session->certificate_id, |
|
995 |
+ pkcs11_session->certificate_id_size, |
|
996 |
+ &pkcs11_session->key |
|
997 |
+ ); |
|
998 |
+ } |
|
999 |
+ |
|
1000 |
+ return rv; |
|
1001 |
+} |
|
1002 |
+ |
|
1003 |
+static |
|
1004 |
+CK_RV |
|
1005 |
+_pkcs11_logout ( |
|
1006 |
+ IN const pkcs11_session_t pkcs11_session |
|
1007 |
+) { |
|
1008 |
+ ASSERT (pkcs11_session!=NULL); |
|
1009 |
+ |
|
1010 |
+ if (pkcs11_session->session != (CK_SESSION_HANDLE)-1) { |
|
1011 |
+ pkcs11_session->provider->f->C_Logout (pkcs11_session->session); |
|
1012 |
+ pkcs11_session->provider->f->C_CloseSession (pkcs11_session->session); |
|
1013 |
+ pkcs11_session->key = (CK_OBJECT_HANDLE)-1; |
|
1014 |
+ pkcs11_session->session = (CK_SESSION_HANDLE)-1; |
|
1015 |
+ } |
|
1016 |
+ |
|
1017 |
+ return CKR_OK; |
|
1018 |
+} |
|
1019 |
+ |
|
1020 |
+ |
|
879 | 1021 |
/*======================================= |
880 | 1022 |
* Simplified PKCS#11 functions |
881 | 1023 |
*/ |
882 | 1024 |
|
883 | 1025 |
static |
1026 |
+bool |
|
1027 |
+_pkcs11_hooks_card_prompt_default ( |
|
1028 |
+ IN const void * pData, |
|
1029 |
+ IN const char * const szLabel |
|
1030 |
+) { |
|
1031 |
+ return false; |
|
1032 |
+} |
|
1033 |
+ |
|
1034 |
+static |
|
1035 |
+bool |
|
1036 |
+_pkcs11_hooks_pin_prompt_default ( |
|
1037 |
+ IN const void * pData, |
|
1038 |
+ IN const char * const szLabel, |
|
1039 |
+ OUT char * const szPIN, |
|
1040 |
+ IN const size_t nMaxPIN |
|
1041 |
+) { |
|
1042 |
+ return false; |
|
1043 |
+} |
|
1044 |
+ |
|
1045 |
+static |
|
1046 |
+CK_RV |
|
1047 |
+pkcs11_initialize () { |
|
1048 |
+ |
|
1049 |
+ pkcs11_terminate (); |
|
1050 |
+ |
|
1051 |
+ pkcs11_data = (pkcs11_data_t)malloc (sizeof (struct pkcs11_data_s)); |
|
1052 |
+ if (pkcs11_data == NULL) { |
|
1053 |
+ return CKR_HOST_MEMORY; |
|
1054 |
+ } |
|
1055 |
+ |
|
1056 |
+ memset (pkcs11_data, 0, sizeof (struct pkcs11_data_s)); |
|
1057 |
+ |
|
1058 |
+ pkcs11_data->nPINCachePeriod = -1; |
|
1059 |
+ |
|
1060 |
+ pkcs11_data->hooks = (pkcs11_hooks_t)malloc (sizeof (struct pkcs11_hooks_s)); |
|
1061 |
+ if (pkcs11_data->hooks == NULL) { |
|
1062 |
+ return CKR_HOST_MEMORY; |
|
1063 |
+ } |
|
1064 |
+ |
|
1065 |
+ memset (pkcs11_data->hooks, 0, sizeof (struct pkcs11_hooks_s)); |
|
1066 |
+ |
|
1067 |
+ pkcs11_data->fInitialized = true; |
|
1068 |
+ |
|
1069 |
+ pkcs11_setCardPromptHook (_pkcs11_hooks_card_prompt_default, NULL); |
|
1070 |
+ pkcs11_setPINPromptHook (_pkcs11_hooks_pin_prompt_default, NULL); |
|
1071 |
+ |
|
1072 |
+ return CKR_OK; |
|
1073 |
+} |
|
1074 |
+ |
|
1075 |
+static |
|
1076 |
+CK_RV |
|
1077 |
+pkcs11_terminate () { |
|
1078 |
+ |
|
1079 |
+ if (pkcs11_data != NULL) { |
|
1080 |
+ pkcs11_provider_t last = NULL; |
|
1081 |
+ |
|
1082 |
+ for ( |
|
1083 |
+ ; |
|
1084 |
+ pkcs11_data->providers != NULL; |
|
1085 |
+ pkcs11_data->providers = pkcs11_data->providers->next |
|
1086 |
+ ) { |
|
1087 |
+ if (last != NULL) { |
|
1088 |
+ free (last); |
|
1089 |
+ } |
|
1090 |
+ last = pkcs11_data->providers; |
|
1091 |
+ |
|
1092 |
+ if (pkcs11_data->providers->szSignMode != NULL) { |
|
1093 |
+ free (pkcs11_data->providers->szSignMode); |
|
1094 |
+ pkcs11_data->providers->szSignMode = NULL; |
|
1095 |
+ } |
|
1096 |
+ |
|
1097 |
+ if (pkcs11_data->providers->fShouldFinalize) { |
|
1098 |
+ pkcs11_data->providers->f->C_Finalize (NULL); |
|
1099 |
+ pkcs11_data->providers->fShouldFinalize = false; |
|
1100 |
+ } |
|
1101 |
+ |
|
1102 |
+ if (pkcs11_data->providers->f != NULL) { |
|
1103 |
+ pkcs11_data->providers->f = NULL; |
|
1104 |
+ } |
|
1105 |
+ |
|
1106 |
+ if (pkcs11_data->providers->hLibrary != NULL) { |
|
1107 |
+#if defined(WIN32) |
|
1108 |
+ FreeLibrary (pkcs11_data->providers->hLibrary); |
|
1109 |
+#else |
|
1110 |
+ dlclose (pkcs11_data->providers->hLibrary); |
|
1111 |
+#endif |
|
1112 |
+ pkcs11_data->providers->hLibrary = NULL; |
|
1113 |
+ } |
|
1114 |
+ } |
|
1115 |
+ |
|
1116 |
+ if (last != NULL) { |
|
1117 |
+ free (last); |
|
1118 |
+ } |
|
1119 |
+ |
|
1120 |
+ if (pkcs11_data->hooks != NULL) { |
|
1121 |
+ free (pkcs11_data->hooks); |
|
1122 |
+ pkcs11_data->hooks = NULL; |
|
1123 |
+ } |
|
1124 |
+ |
|
1125 |
+ free (pkcs11_data); |
|
1126 |
+ pkcs11_data = NULL; |
|
1127 |
+ } |
|
1128 |
+ |
|
1129 |
+ return CKR_OK; |
|
1130 |
+} |
|
1131 |
+ |
|
1132 |
+static |
|
1133 |
+CK_RV |
|
1134 |
+pkcs11_setPINPromptHook ( |
|
1135 |
+ IN const pkcs11_hook_pin_prompt_t hook, |
|
1136 |
+ IN void * const pData |
|
1137 |
+) { |
|
1138 |
+ ASSERT (pkcs11_data!=NULL); |
|
1139 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1140 |
+ |
|
1141 |
+ pkcs11_data->hooks->pin_prompt = hook; |
|
1142 |
+ pkcs11_data->hooks->pin_prompt_data = pData; |
|
1143 |
+ |
|
1144 |
+ return CKR_OK; |
|
1145 |
+} |
|
1146 |
+ |
|
1147 |
+static |
|
1148 |
+CK_RV |
|
1149 |
+pkcs11_setCardPromptHook ( |
|
1150 |
+ IN const pkcs11_hook_card_prompt_t hook, |
|
1151 |
+ IN void * const pData |
|
1152 |
+) { |
|
1153 |
+ ASSERT (pkcs11_data!=NULL); |
|
1154 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1155 |
+ |
|
1156 |
+ pkcs11_data->hooks->card_prompt = hook; |
|
1157 |
+ pkcs11_data->hooks->card_prompt_data = pData; |
|
1158 |
+ |
|
1159 |
+ return CKR_OK; |
|
1160 |
+} |
|
1161 |
+ |
|
1162 |
+static |
|
1163 |
+CK_RV |
|
1164 |
+pkcs11_setPINCachePeriod ( |
|
1165 |
+ IN const int nPINCachePeriod |
|
1166 |
+) { |
|
1167 |
+ ASSERT (pkcs11_data!=NULL); |
|
1168 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1169 |
+ |
|
1170 |
+ pkcs11_data->nPINCachePeriod = nPINCachePeriod; |
|
1171 |
+ |
|
1172 |
+ return CKR_OK; |
|
1173 |
+} |
|
1174 |
+ |
|
1175 |
+static |
|
884 | 1176 |
CK_RV |
885 | 1177 |
pkcs11_addProvider ( |
886 | 1178 |
IN const char * const szProvider, |
... | ... |
@@ -890,6 +1363,8 @@ pkcs11_addProvider ( |
890 | 890 |
CK_C_GetFunctionList gfl = NULL; |
891 | 891 |
CK_RV rv = CKR_OK; |
892 | 892 |
|
893 |
+ ASSERT (pkcs11_data!=NULL); |
|
894 |
+ ASSERT (pkcs11_data->fInitialized); |
|
893 | 895 |
ASSERT (szProvider!=NULL); |
894 | 896 |
|
895 | 897 |
if ( |
... | ... |
@@ -930,10 +1405,18 @@ pkcs11_addProvider ( |
930 | 930 |
"C_GetFunctionList" |
931 | 931 |
); |
932 | 932 |
#else |
933 |
- gfl = (CK_C_GetFunctionList)dlsym ( |
|
933 |
+ /* |
|
934 |
+ * Make compiler happy! |
|
935 |
+ */ |
|
936 |
+ void *p = dlsym ( |
|
934 | 937 |
provider->hLibrary, |
935 | 938 |
"C_GetFunctionList" |
936 | 939 |
); |
940 |
+ memmove ( |
|
941 |
+ &gfl, |
|
942 |
+ &p, |
|
943 |
+ sizeof (void *) |
|
944 |
+ ); |
|
937 | 945 |
#endif |
938 | 946 |
if (gfl == NULL) { |
939 | 947 |
rv = CKR_FUNCTION_FAILED; |
... | ... |
@@ -960,14 +1443,14 @@ pkcs11_addProvider ( |
960 | 960 |
} |
961 | 961 |
|
962 | 962 |
if (provider != NULL) { |
963 |
- if (pkcs11_provider == NULL) { |
|
964 |
- pkcs11_provider = provider; |
|
963 |
+ if (pkcs11_data->providers == NULL) { |
|
964 |
+ pkcs11_data->providers = provider; |
|
965 | 965 |
} |
966 | 966 |
else { |
967 | 967 |
pkcs11_provider_t last = NULL; |
968 | 968 |
|
969 | 969 |
for ( |
970 |
- last = pkcs11_provider; |
|
970 |
+ last = pkcs11_data->providers; |
|
971 | 971 |
last->next != NULL; |
972 | 972 |
last = last->next |
973 | 973 |
); |
... | ... |
@@ -977,54 +1460,29 @@ pkcs11_addProvider ( |
977 | 977 |
|
978 | 978 |
return rv; |
979 | 979 |
} |
980 |
- |
|
980 |
+ |
|
981 | 981 |
static |
982 | 982 |
CK_RV |
983 |
-pkcs11_finalize () { |
|
984 |
- |
|
985 |
- pkcs11_provider_t last = NULL; |
|
983 |
+pkcs11_forkFixup () { |
|
984 |
+ |
|
985 |
+ pkcs11_provider_t current; |
|
986 |
+ |
|
987 |
+ ASSERT (pkcs11_data!=NULL); |
|
988 |
+ ASSERT (pkcs11_data->fInitialized); |
|
986 | 989 |
|
987 | 990 |
for ( |
988 |
- ; |
|
989 |
- pkcs11_provider != NULL; |
|
990 |
- pkcs11_provider = pkcs11_provider->next |
|
991 |
+ current = pkcs11_data->providers; |
|
992 |
+ current != NULL; |
|
993 |
+ current = current->next |
|
991 | 994 |
) { |
992 |
- if (last != NULL) { |
|
993 |
- free (last); |
|
994 |
- } |
|
995 |
- last = pkcs11_provider; |
|
996 |
- |
|
997 |
- if (pkcs11_provider->szSignMode != NULL) { |
|
998 |
- free (pkcs11_provider->szSignMode); |
|
999 |
- pkcs11_provider->szSignMode = NULL; |
|
1000 |
- } |
|
1001 |
- |
|
1002 |
- if (pkcs11_provider->fShouldFinalize) { |
|
1003 |
- pkcs11_provider->f->C_Finalize (NULL); |
|
1004 |
- pkcs11_provider->fShouldFinalize = false; |
|
1005 |
- } |
|
1006 |
- |
|
1007 |
- if (pkcs11_provider->f != NULL) { |
|
1008 |
- pkcs11_provider->f = NULL; |
|
995 |
+ if (current->fEnabled) { |
|
996 |
+ current->f->C_Initialize (NULL); |
|
1009 | 997 |
} |
1010 |
- |
|
1011 |
- if (pkcs11_provider->hLibrary != NULL) { |
|
1012 |
-#if defined(WIN32) |
|
1013 |
- FreeLibrary (pkcs11_provider->hLibrary); |
|
1014 |
-#else |
|
1015 |
- dlclose (pkcs11_provider->hLibrary); |
|
1016 |
-#endif |
|
1017 |
- pkcs11_provider->hLibrary = NULL; |
|
1018 |
- } |
|
1019 |
- } |
|
1020 |
- |
|
1021 |
- if (last != NULL) { |
|
1022 |
- free (last); |
|
1023 | 998 |
} |
1024 | 999 |
|
1025 | 1000 |
return CKR_OK; |
1026 | 1001 |
} |
1027 |
- |
|
1002 |
+ |
|
1028 | 1003 |
static |
1029 | 1004 |
CK_RV |
1030 | 1005 |
pkcs11_createSession ( |
... | ... |
@@ -1032,18 +1490,18 @@ pkcs11_createSession ( |
1032 | 1032 |
IN const char * const szSlot, |
1033 | 1033 |
IN const char * const szIdType, |
1034 | 1034 |
IN const char * const szId, |
1035 |
- IN const char * const szPIN, |
|
1036 | 1035 |
IN const bool fProtectedAuthentication, |
1037 | 1036 |
OUT pkcs11_session_t * const p_pkcs11_session |
1038 | 1037 |
) { |
1039 | 1038 |
pkcs11_session_t pkcs11_session; |
1040 | 1039 |
CK_RV rv = CKR_OK; |
1041 | 1040 |
|
1041 |
+ ASSERT (pkcs11_data!=NULL); |
|
1042 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1042 | 1043 |
ASSERT (szSlotType!=NULL); |
1043 | 1044 |
ASSERT (szSlot!=NULL); |
1044 | 1045 |
ASSERT (szIdType!=NULL); |
1045 | 1046 |
ASSERT (szId!=NULL); |
1046 |
- ASSERT (szPIN!=NULL); |
|
1047 | 1047 |
ASSERT (p_pkcs11_session!=NULL); |
1048 | 1048 |
|
1049 | 1049 |
if ( |
... | ... |
@@ -1058,36 +1516,46 @@ pkcs11_createSession ( |
1058 | 1058 |
memset (pkcs11_session, 0, sizeof (struct pkcs11_session_s)); |
1059 | 1059 |
} |
1060 | 1060 |
|
1061 |
- if ( |
|
1062 |
- rv == CKR_OK && |
|
1063 |
- !fProtectedAuthentication |
|
1064 |
- ) { |
|
1065 |
- if ((pkcs11_session->szPIN = strdup (szPIN)) == NULL) { |
|
1066 |
- rv = CKR_HOST_MEMORY; |
|
1067 |
- } |
|
1068 |
- } |
|
1069 |
- |
|
1070 | 1061 |
if (rv == CKR_OK) { |
1071 |
- pkcs11_session->fLoginFailed = false; |
|
1072 | 1062 |
pkcs11_session->key = (CK_OBJECT_HANDLE)-1; |
1073 | 1063 |
pkcs11_session->session = (CK_SESSION_HANDLE)-1; |
1064 |
+ pkcs11_session->fProtectedAuthentication = fProtectedAuthentication; |
|
1065 |
+ } |
|
1074 | 1066 |
|
1075 |
- if (!strcmp (szSlotType, "id")) { |
|
1076 |
- rv = _pkcs11_getSlotById (pkcs11_session, szSlot); |
|
1077 |
- } |
|
1078 |
- else if (!strcmp (szSlotType, "name")) { |
|
1079 |
- rv = _pkcs11_getSlotByName (pkcs11_session, szSlot); |
|
1080 |
- } |
|
1081 |
- else if (!strcmp (szSlotType, "label")) { |
|
1082 |
- rv = _pkcs11_getSlotByLabel (pkcs11_session, szSlot); |
|
1083 |
- } |
|
1084 |
- else { |
|
1085 |
- rv = CKR_ARGUMENTS_BAD; |
|
1086 |
- } |
|
1067 |
+ if (rv == CKR_OK) { |
|
1068 |
+ bool fCancel = false; |
|
1069 |
+ |
|
1070 |
+ do { |
|
1071 |
+ if (!strcmp (szSlotType, "id")) { |
|
1072 |
+ rv = _pkcs11_getSlotById (pkcs11_session, szSlot); |
|
1073 |
+ } |
|
1074 |
+ else if (!strcmp (szSlotType, "name")) { |
|
1075 |
+ rv = _pkcs11_getSlotByName (pkcs11_session, szSlot); |
|
1076 |
+ } |
|
1077 |
+ else if (!strcmp (szSlotType, "label")) { |
|
1078 |
+ rv = _pkcs11_getSlotByLabel (pkcs11_session, szSlot); |
|
1079 |
+ } |
|
1080 |
+ else { |
|
1081 |
+ rv = CKR_ARGUMENTS_BAD; |
|
1082 |
+ } |
|
1083 |
+ |
|
1084 |
+ if (rv == CKR_SLOT_ID_INVALID) { |
|
1085 |
+ char szLabel[1024]; |
|
1086 |
+ snprintf (szLabel, sizeof (szLabel), "SLOT(%s=%s)", szSlotType, szSlot); |
|
1087 |
+ fCancel = !pkcs11_data->hooks->card_prompt ( |
|
1088 |
+ pkcs11_data->hooks->card_prompt_data, |
|
1089 |
+ szLabel |
|
1090 |
+ ); |
|
1091 |
+ } |
|
1092 |
+ } while (rv == CKR_SLOT_ID_INVALID && !fCancel); |
|
1093 |
+ } |
|
1094 |
+ |
|
1095 |
+ if (rv == CKR_OK) { |
|
1096 |
+ rv = _pkcs11_setSessionTokenInfo (pkcs11_session); |
|
1087 | 1097 |
} |
1088 | 1098 |
|
1089 | 1099 |
if (rv == CKR_OK) { |
1090 |
- rv = pkcs11_login ( |
|
1100 |
+ rv = _pkcs11_login ( |
|
1091 | 1101 |
pkcs11_session |
1092 | 1102 |
); |
1093 | 1103 |
} |
... | ... |
@@ -1106,88 +1574,10 @@ pkcs11_createSession ( |
1106 | 1106 |
); |
1107 | 1107 |
} |
1108 | 1108 |
|
1109 |
- pkcs11_logout ( |
|
1110 |
- pkcs11_session |
|
1111 |
- ); |
|
1112 |
- |
|
1113 |
- return rv; |
|
1114 |
-} |
|
1115 |
- |
|
1116 |
-CK_RV |
|
1117 |
-pkcs11_freeSession ( |
|
1118 |
- IN const pkcs11_session_t pkcs11_session |
|
1119 |
-) { |
|
1120 |
- if (pkcs11_session != NULL) { |
|
1121 |
- pkcs11_logout (pkcs11_session); |
|
1122 |
- |
|
1123 |
- if (pkcs11_session->szPIN != NULL) { |
|
1124 |
- free (pkcs11_session->szPIN); |
|
1125 |
- } |
|
1126 |
- if (pkcs11_session->certificate != NULL) { |
|
1127 |
- free (pkcs11_session->certificate); |
|
1128 |
- } |
|
1129 |
- if (pkcs11_session->certificate_id != NULL) { |
|
1130 |
- free (pkcs11_session->certificate_id); |
|
1131 |
- } |
|
1132 |
- |
|
1133 |
- free (pkcs11_session); |
|
1134 |
- } |
|
1135 |
- |
|
1136 |
- return CKR_OK; |
|
1137 |
-} |
|
1138 |
- |
|
1139 |
-static |
|
1140 |
-CK_RV |
|
1141 |
-pkcs11_login ( |
|
1142 |
- IN const pkcs11_session_t pkcs11_session |
|
1143 |
-) { |
|
1144 |
- CK_RV rv = CKR_OK; |
|
1145 |
- |
|
1146 |
- ASSERT (pkcs11_session!=NULL); |
|
1147 |
- |
|
1148 |
- pkcs11_logout (pkcs11_session); |
|
1149 |
- |
|
1150 |
- if (rv == CKR_OK) { |
|
1151 |
- rv = pkcs11_session->provider->f->C_OpenSession ( |
|
1152 |
- pkcs11_session->slot, |
|
1153 |
- CKF_SERIAL_SESSION, |
|
1154 |
- NULL_PTR, |
|
1155 |
- NULL_PTR, |
|
1156 |
- &pkcs11_session->session |
|
1157 |
- ); |
|
1158 |
- } |
|
1159 |
- |
|
1160 | 1109 |
/* |
1161 |
- * Do not lock the token |
|
1110 |
+ * Complete missing login process |
|
1162 | 1111 |
*/ |
1163 |
- if ( |
|
1164 |
- rv == CKR_OK && |
|
1165 |
- pkcs11_session->fLoginFailed |
|
1166 |
- ) { |
|
1167 |
- rv = CKR_PIN_INVALID; |
|
1168 |
- } |
|
1169 |
- |
|
1170 |
- if ( |
|
1171 |
- rv == CKR_OK && |
|
1172 |
- (rv = pkcs11_session->provider->f->C_Login ( |
|
1173 |
- pkcs11_session->session, |
|
1174 |
- CKU_USER, |
|
1175 |
- pkcs11_session->szPIN, |
|
1176 |
- pkcs11_session->szPIN == NULL ? 0 : (CK_ULONG)strlen (pkcs11_session->szPIN) |
|
1177 |
- )) != CKR_OK |
|
1178 |
- ) { |
|
1179 |
- if (rv == CKR_USER_ALREADY_LOGGED_IN) { |
|
1180 |
- rv = CKR_OK; |
|
1181 |
- } |
|
1182 |
- else { |
|
1183 |
- pkcs11_session->fLoginFailed = true; |
|
1184 |
- } |
|
1185 |
- } |
|
1186 |
- |
|
1187 |
- if ( |
|
1188 |
- rv == CKR_OK && |
|
1189 |
- pkcs11_session->certificate_id != NULL |
|
1190 |
- ) { |
|
1112 |
+ if (rv == CKR_OK) { |
|
1191 | 1113 |
rv = _pkcs11_getObjectById ( |
1192 | 1114 |
pkcs11_session, |
1193 | 1115 |
CKO_PRIVATE_KEY, |
... | ... |
@@ -1197,25 +1587,27 @@ pkcs11_login ( |
1197 | 1197 |
); |
1198 | 1198 |
} |
1199 | 1199 |
|
1200 |
- if (rv != CKR_OK) { |
|
1201 |
- pkcs11_logout (pkcs11_session); |
|
1202 |
- } |
|
1203 |
- |
|
1204 | 1200 |
return rv; |
1205 | 1201 |
} |
1206 | 1202 |
|
1207 |
-static |
|
1208 | 1203 |
CK_RV |
1209 |
-pkcs11_logout ( |
|
1204 |
+pkcs11_freeSession ( |
|
1210 | 1205 |
IN const pkcs11_session_t pkcs11_session |
1211 | 1206 |
) { |
1212 |
- ASSERT (pkcs11_session!=NULL); |
|
1207 |
+ ASSERT (pkcs11_data!=NULL); |
|
1208 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1213 | 1209 |
|
1214 |
- if (pkcs11_session->session != (CK_SESSION_HANDLE)-1) { |
|
1215 |
- pkcs11_session->provider->f->C_Logout (pkcs11_session->session); |
|
1216 |
- pkcs11_session->provider->f->C_CloseSession (pkcs11_session->session); |
|
1217 |
- pkcs11_session->key = (CK_OBJECT_HANDLE)-1; |
|
1218 |
- pkcs11_session->session = (CK_SESSION_HANDLE)-1; |
|
1210 |
+ if (pkcs11_session != NULL) { |
|
1211 |
+ _pkcs11_logout (pkcs11_session); |
|
1212 |
+ |
|
1213 |
+ if (pkcs11_session->certificate != NULL) { |
|
1214 |
+ free (pkcs11_session->certificate); |
|
1215 |
+ } |
|
1216 |
+ if (pkcs11_session->certificate_id != NULL) { |
|
1217 |
+ free (pkcs11_session->certificate_id); |
|
1218 |
+ } |
|
1219 |
+ |
|
1220 |
+ free (pkcs11_session); |
|
1219 | 1221 |
} |
1220 | 1222 |
|
1221 | 1223 |
return CKR_OK; |
... | ... |
@@ -1227,40 +1619,55 @@ pkcs11_sign ( |
1227 | 1227 |
IN const pkcs11_session_t pkcs11_session, |
1228 | 1228 |
IN const CK_MECHANISM_TYPE mech_type, |
1229 | 1229 |
IN const unsigned char * const source, |
1230 |
- IN const int source_size, |
|
1230 |
+ IN const size_t source_size, |
|
1231 | 1231 |
OUT unsigned char * const target, |
1232 |
- IN OUT int * const target_size |
|
1232 |
+ IN OUT size_t * const target_size |
|
1233 | 1233 |
) { |
1234 | 1234 |
CK_MECHANISM mech = { |
1235 | 1235 |
mech_type, NULL, 0 |
1236 | 1236 |
}; |
1237 |
- CK_ULONG size; |
|
1238 |
- CK_RV rv; |
|
1237 |
+ CK_RV rv = CKR_OK; |
|
1238 |
+ bool fLogonRetry = false; |
|
1239 |
+ bool fOpSuccess = false; |
|
1239 | 1240 |
|
1241 |
+ ASSERT (pkcs11_data!=NULL); |
|
1242 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1240 | 1243 |
ASSERT (pkcs11_session!=NULL); |
1241 | 1244 |
ASSERT (source!=NULL); |
1242 | 1245 |
ASSERT (target_size!=NULL); |
1243 | 1246 |
|
1244 |
- if ( |
|
1245 |
- (rv = pkcs11_session->provider->f->C_SignInit ( |
|
1247 |
+ rv = _pkcs11_validateSession (pkcs11_session); |
|
1248 |
+ |
|
1249 |
+ while (rv == CKR_OK && !fOpSuccess) { |
|
1250 |
+ rv = pkcs11_session->provider->f->C_SignInit ( |
|
1246 | 1251 |
pkcs11_session->session, |
1247 | 1252 |
&mech, |
1248 | 1253 |
pkcs11_session->key |
1249 |
- )) != CKR_OK |
|
1250 |
- ) { |
|
1251 |
- return rv; |
|
1254 |
+ ); |
|
1255 |
+ |
|
1256 |
+ if (rv == CKR_OK) { |
|
1257 |
+ fOpSuccess = true; |
|
1258 |
+ } |
|
1259 |
+ else { |
|
1260 |
+ if (!fLogonRetry) { |
|
1261 |
+ fLogonRetry = true; |
|
1262 |
+ rv = _pkcs11_login (pkcs11_session); |
|
1263 |
+ } |
|
1264 |
+ } |
|
1252 | 1265 |
} |
1253 | 1266 |
|
1254 |
- size = *target_size; |
|
1255 |
- rv = pkcs11_session->provider->f->C_Sign ( |
|
1256 |
- pkcs11_session->session, |
|
1257 |
- (CK_BYTE_PTR)source, |
|
1258 |
- source_size, |
|
1259 |
- (CK_BYTE_PTR)target, |
|
1260 |
- &size |
|
1261 |
- ); |
|
1267 |
+ if (rv == CKR_OK) { |
|
1268 |
+ CK_ULONG size = *target_size; |
|
1269 |
+ rv = pkcs11_session->provider->f->C_Sign ( |
|
1270 |
+ pkcs11_session->session, |
|
1271 |
+ (CK_BYTE_PTR)source, |
|
1272 |
+ source_size, |
|
1273 |
+ (CK_BYTE_PTR)target, |
|
1274 |
+ &size |
|
1275 |
+ ); |
|
1262 | 1276 |
|
1263 |
- *target_size = (int)size; |
|
1277 |
+ *target_size = (int)size; |
|
1278 |
+ } |
|
1264 | 1279 |
|
1265 | 1280 |
return rv; |
1266 | 1281 |
} |
... | ... |
@@ -1271,40 +1678,55 @@ pkcs11_signRecover ( |
1271 | 1271 |
IN const pkcs11_session_t pkcs11_session, |
1272 | 1272 |
IN const CK_MECHANISM_TYPE mech_type, |
1273 | 1273 |
IN const unsigned char * const source, |
1274 |
- IN const int source_size, |
|
1274 |
+ IN const size_t source_size, |
|
1275 | 1275 |
OUT unsigned char * const target, |
1276 |
- IN OUT int * const target_size |
|
1276 |
+ IN OUT size_t * const target_size |
|
1277 | 1277 |
) { |
1278 | 1278 |
CK_MECHANISM mech = { |
1279 | 1279 |
mech_type, NULL, 0 |
1280 | 1280 |
}; |
1281 |
- CK_ULONG size; |
|
1282 |
- CK_RV rv; |
|
1281 |
+ CK_RV rv = CKR_OK; |
|
1282 |
+ bool fLogonRetry = false; |
|
1283 |
+ bool fOpSuccess = false; |
|
1283 | 1284 |
|
1285 |
+ ASSERT (pkcs11_data!=NULL); |
|
1286 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1284 | 1287 |
ASSERT (pkcs11_session!=NULL); |
1285 | 1288 |
ASSERT (source!=NULL); |
1286 | 1289 |
ASSERT (target_size!=NULL); |
1287 | 1290 |
|
1288 |
- if ( |
|
1289 |
- (rv = pkcs11_session->provider->f->C_SignRecoverInit ( |
|
1291 |
+ rv = _pkcs11_validateSession (pkcs11_session); |
|
1292 |
+ |
|
1293 |
+ while (rv == CKR_OK && !fOpSuccess) { |
|
1294 |
+ rv = pkcs11_session->provider->f->C_SignRecoverInit ( |
|
1290 | 1295 |
pkcs11_session->session, |
1291 | 1296 |
&mech, |
1292 | 1297 |
pkcs11_session->key |
1293 |
- )) != CKR_OK |
|
1294 |
- ) { |
|
1295 |
- return rv; |
|
1298 |
+ ); |
|
1299 |
+ |
|
1300 |
+ if (rv == CKR_OK) { |
|
1301 |
+ fOpSuccess = true; |
|
1302 |
+ } |
|
1303 |
+ else { |
|
1304 |
+ if (!fLogonRetry) { |
|
1305 |
+ fLogonRetry = true; |
|
1306 |
+ rv = _pkcs11_login (pkcs11_session); |
|
1307 |
+ } |
|
1308 |
+ } |
|
1296 | 1309 |
} |
1297 | 1310 |
|
1298 |
- size = *target_size; |
|
1299 |
- rv = pkcs11_session->provider->f->C_SignRecover ( |
|
1300 |
- pkcs11_session->session, |
|
1301 |
- (CK_BYTE_PTR)source, |
|
1302 |
- source_size, |
|
1303 |
- (CK_BYTE_PTR)target, |
|
1304 |
- &size |
|
1305 |
- ); |
|
1311 |
+ if (rv == CKR_OK) { |
|
1312 |
+ CK_ULONG size = *target_size; |
|
1313 |
+ rv = pkcs11_session->provider->f->C_SignRecover ( |
|
1314 |
+ pkcs11_session->session, |
|
1315 |
+ (CK_BYTE_PTR)source, |
|
1316 |
+ source_size, |
|
1317 |
+ (CK_BYTE_PTR)target, |
|
1318 |
+ &size |
|
1319 |
+ ); |
|
1306 | 1320 |
|
1307 |
- *target_size = (int)size; |
|
1321 |
+ *target_size = (int)size; |
|
1322 |
+ } |
|
1308 | 1323 |
|
1309 | 1324 |
return rv; |
1310 | 1325 |
} |
... | ... |
@@ -1315,40 +1737,56 @@ pkcs11_decrypt ( |
1315 | 1315 |
IN const pkcs11_session_t pkcs11_session, |
1316 | 1316 |
IN const CK_MECHANISM_TYPE mech_type, |
1317 | 1317 |
IN const unsigned char * const source, |
1318 |
- IN const int source_size, |
|
1318 |
+ IN const size_t source_size, |
|
1319 | 1319 |
OUT unsigned char * const target, |
1320 |
- IN OUT int * const target_size |
|
1320 |
+ IN OUT size_t * const target_size |
|
1321 | 1321 |
) { |
1322 | 1322 |
CK_MECHANISM mech = { |
1323 | 1323 |
mech_type, NULL, 0 |
1324 | 1324 |
}; |
1325 | 1325 |
CK_ULONG size; |
1326 |
- CK_RV rv; |
|
1326 |
+ CK_RV rv = CKR_OK; |
|
1327 |
+ bool fLogonRetry = false; |
|
1328 |
+ bool fOpSuccess = false; |
|
1327 | 1329 |
|
1330 |
+ ASSERT (pkcs11_data!=NULL); |
|
1331 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1328 | 1332 |
ASSERT (pkcs11_session!=NULL); |
1329 | 1333 |
ASSERT (source!=NULL); |
1330 | 1334 |
ASSERT (target_size!=NULL); |
1331 | 1335 |
|
1332 |
- if ( |
|
1333 |
- (rv = pkcs11_session->provider->f->C_DecryptInit ( |
|
1336 |
+ rv = _pkcs11_validateSession (pkcs11_session); |
|
1337 |
+ |
|
1338 |
+ while (rv == CKR_OK && !fOpSuccess) { |
|
1339 |
+ rv = pkcs11_session->provider->f->C_DecryptInit ( |
|
1334 | 1340 |
pkcs11_session->session, |
1335 | 1341 |
&mech, |
1336 | 1342 |
pkcs11_session->key |
1337 |
- )) != CKR_OK |
|
1338 |
- ) { |
|
1339 |
- return rv; |
|
1343 |
+ ); |
|
1344 |
+ |
|
1345 |
+ if (rv == CKR_OK) { |
|
1346 |
+ fOpSuccess = true; |
|
1347 |
+ } |
|
1348 |
+ else { |
|
1349 |
+ if (!fLogonRetry) { |
|
1350 |
+ fLogonRetry = true; |
|
1351 |
+ rv = _pkcs11_login (pkcs11_session); |
|
1352 |
+ } |
|
1353 |
+ } |
|
1340 | 1354 |
} |
1341 | 1355 |
|
1342 |
- size = *target_size; |
|
1343 |
- rv = pkcs11_session->provider->f->C_Decrypt ( |
|
1344 |
- pkcs11_session->session, |
|
1345 |
- (CK_BYTE_PTR)source, |
|
1346 |
- source_size, |
|
1347 |
- (CK_BYTE_PTR)target, |
|
1348 |
- &size |
|
1349 |
- ); |
|
1356 |
+ if (rv == CKR_OK) { |
|
1357 |
+ size = *target_size; |
|
1358 |
+ rv = pkcs11_session->provider->f->C_Decrypt ( |
|
1359 |
+ pkcs11_session->session, |
|
1360 |
+ (CK_BYTE_PTR)source, |
|
1361 |
+ source_size, |
|
1362 |
+ (CK_BYTE_PTR)target, |
|
1363 |
+ &size |
|
1364 |
+ ); |
|
1350 | 1365 |
|
1351 |
- *target_size = (int)size; |
|
1366 |
+ *target_size = (int)size; |
|
1367 |
+ } |
|
1352 | 1368 |
|
1353 | 1369 |
return rv; |
1354 | 1370 |
} |
... | ... |
@@ -1357,9 +1795,11 @@ static |
1357 | 1357 |
CK_RV |
1358 | 1358 |
pkcs11_getCertificate ( |
1359 | 1359 |
IN const pkcs11_session_t pkcs11_session, |
1360 |
- OUT char * const certificate, |
|
1361 |
- IN OUT int * const certificate_size |
|
1360 |
+ OUT unsigned char * const certificate, |
|
1361 |
+ IN OUT size_t * const certificate_size |
|
1362 | 1362 |
) { |
1363 |
+ ASSERT (pkcs11_data!=NULL); |
|
1364 |
+ ASSERT (pkcs11_data->fInitialized); |
|
1363 | 1365 |
ASSERT (certificate_size!=NULL); |
1364 | 1366 |
|
1365 | 1367 |
*certificate_size = pkcs11_session->certificate_size; |
... | ... |
@@ -1474,10 +1914,11 @@ pkcs11_getMessage ( |
1474 | 1474 |
} |
1475 | 1475 |
|
1476 | 1476 |
/*========================================== |
1477 |
- * openvpn interface |
|
1477 |
+ * openssl interface |
|
1478 | 1478 |
*/ |
1479 | 1479 |
|
1480 | 1480 |
typedef struct openssl_session_s { |
1481 |
+ RSA_METHOD smart_rsa; |
|
1481 | 1482 |
int (*orig_finish)(RSA *rsa); |
1482 | 1483 |
pkcs11_session_t pkcs11_session; |
1483 | 1484 |
} *openssl_session_t; |
... | ... |
@@ -1525,7 +1966,7 @@ openssl_pkcs11_priv_dec ( |
1525 | 1525 |
flen, |
1526 | 1526 |
from, |
1527 | 1527 |
to, |
1528 |
- rsa, |
|
1528 |
+ (void *)rsa, |
|
1529 | 1529 |
padding |
1530 | 1530 |
); |
1531 | 1531 |
|
... | ... |
@@ -1543,27 +1984,18 @@ openssl_pkcs11_priv_dec ( |
1543 | 1543 |
|
1544 | 1544 |
if ( |
1545 | 1545 |
rv == CKR_OK && |
1546 |
- (rv = pkcs11_login (pkcs11_session)) != CKR_OK |
|
1547 |
- ) { |
|
1548 |
- msg (M_WARN, "PKCS#11: Cannot login to token %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1549 |
- } |
|
1550 |
- |
|
1551 |
- if ( |
|
1552 |
- rv == CKR_OK && |
|
1553 | 1546 |
(rv = pkcs11_decrypt ( |
1554 | 1547 |
pkcs11_session, |
1555 | 1548 |
CKM_RSA_PKCS, |
1556 | 1549 |
from, |
1557 | 1550 |
flen, |
1558 | 1551 |
to, |
1559 |
- &flen |
|
1552 |
+ (size_t *)&flen |
|
1560 | 1553 |
)) != CKR_OK |
1561 | 1554 |
) { |
1562 | 1555 |
msg (M_WARN, "PKCS#11: Cannot decrypt using private key %ld:'%s'", rv, pkcs11_getMessage (rv)); |
1563 | 1556 |
} |
1564 | 1557 |
|
1565 |
- pkcs11_logout (pkcs11_session); |
|
1566 |
- |
|
1567 | 1558 |
msg ( |
1568 | 1559 |
D_PKCS11_DEBUG, |
1569 | 1560 |
"PKCS#11: openssl_pkcs11_priv_dec - return rv=%ld", |
... | ... |
@@ -1593,8 +2025,8 @@ openssl_pkcs11_sign ( |
1593 | 1593 |
m, |
1594 | 1594 |
m_len, |
1595 | 1595 |
sigret, |
1596 |
- siglen, |
|
1597 |
- rsa |
|
1596 |
+ (void *)siglen, |
|
1597 |
+ (void *)rsa |
|
1598 | 1598 |
); |
1599 | 1599 |
|
1600 | 1600 |
ASSERT (m!=NULL); |
... | ... |
@@ -1607,46 +2039,35 @@ openssl_pkcs11_sign ( |
1607 | 1607 |
|
1608 | 1608 |
*siglen = RSA_size(rsa); |
1609 | 1609 |
|
1610 |
- if ( |
|
1611 |
- rv == CKR_OK && |
|
1612 |
- (rv = pkcs11_login (pkcs11_session)) != CKR_OK |
|
1613 |
- ) { |
|
1614 |
- msg (M_WARN, "PKCS#11: Cannot login to token %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1615 |
- } |
|
1616 |
- |
|
1617 |
- if (rv == CKR_OK) { |
|
1618 |
- if (pkcs11_session->fKeySignRecover) { |
|
1619 |
- if ( |
|
1620 |
- (rv = pkcs11_signRecover ( |
|
1621 |
- pkcs11_session, |
|
1622 |
- CKM_RSA_PKCS, |
|
1623 |
- m, |
|
1624 |
- m_len, |
|
1625 |
- sigret, |
|
1626 |
- siglen |
|
1627 |
- )) != CKR_OK |
|
1628 |
- ) { |
|
1629 |
- msg (M_WARN, "PKCS#11: Cannot perform signature-recover %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1630 |
- } |
|
1610 |
+ if (pkcs11_session->fKeySignRecover) { |
|
1611 |
+ if ( |
|
1612 |
+ (rv = pkcs11_signRecover ( |
|
1613 |
+ pkcs11_session, |
|
1614 |
+ CKM_RSA_PKCS, |
|
1615 |
+ m, |
|
1616 |
+ m_len, |
|
1617 |
+ sigret, |
|
1618 |
+ siglen |
|
1619 |
+ )) != CKR_OK |
|
1620 |
+ ) { |
|
1621 |
+ msg (M_WARN, "PKCS#11: Cannot perform signature-recover %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1631 | 1622 |
} |
1632 |
- else { |
|
1633 |
- if ( |
|
1634 |
- (rv = pkcs11_sign ( |
|
1635 |
- pkcs11_session, |
|
1636 |
- CKM_RSA_PKCS, |
|
1637 |
- m, |
|
1638 |
- m_len, |
|
1639 |
- sigret, |
|
1640 |
- siglen |
|
1641 |
- )) != CKR_OK |
|
1642 |
- ) { |
|
1643 |
- msg (M_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1644 |
- } |
|
1623 |
+ } |
|
1624 |
+ else { |
|
1625 |
+ if ( |
|
1626 |
+ (rv = pkcs11_sign ( |
|
1627 |
+ pkcs11_session, |
|
1628 |
+ CKM_RSA_PKCS, |
|
1629 |
+ m, |
|
1630 |
+ m_len, |
|
1631 |
+ sigret, |
|
1632 |
+ siglen |
|
1633 |
+ )) != CKR_OK |
|
1634 |
+ ) { |
|
1635 |
+ msg (M_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11_getMessage (rv)); |
|
1645 | 1636 |
} |
1646 | 1637 |
} |
1647 | 1638 |
|
1648 |
- pkcs11_logout (pkcs11_session); |
|
1649 |
- |
|
1650 | 1639 |
msg ( |
1651 | 1640 |
D_PKCS11_DEBUG, |
1652 | 1641 |
"PKCS#11: openssl_pkcs11_priv_sign - return rv=%ld", |
... | ... |
@@ -1664,8 +2085,8 @@ openssl_pkcs11_finish(RSA *rsa) { |
1664 | 1664 |
|
1665 | 1665 |
msg ( |
1666 | 1666 |
D_PKCS11_DEBUG, |
1667 |
- "PKCS#11: openssl_pkcs11_finish - entered - rsa=%p", |
|
1668 |
- rsa |
|
1667 |
+ "PKCS#11: openssl_pkcs11_finish - entered rsa=%p", |
|
1668 |
+ (void *)rsa |
|
1669 | 1669 |
); |
1670 | 1670 |
|
1671 | 1671 |
openssl_session = (openssl_session_t)RSA_get_app_data (rsa); |
... | ... |
@@ -1703,27 +2124,37 @@ openssl_pkcs11_finish(RSA *rsa) { |
1703 | 1703 |
return 1; |
1704 | 1704 |
} |
1705 | 1705 |
|
1706 |
-static RSA_METHOD * |
|
1707 |
-openssl_pkcs11_get_rsa_method(RSA *rsa) |
|
1706 |
+void |
|
1707 |
+openssl_pkcs11_set_rsa(const openssl_session_t openssl_session, RSA *rsa) |
|
1708 | 1708 |
{ |
1709 |
- static RSA_METHOD smart_rsa; |
|
1710 | 1709 |
const RSA_METHOD *def = RSA_get_default_method(); |
1711 | 1710 |
|
1712 |
- ASSERT (rsa); |
|
1711 |
+ ASSERT (openssl_session!=NULL); |
|
1712 |
+ ASSERT (rsa!=NULL); |
|
1713 |
+ |
|
1714 |
+ memmove (&openssl_session->smart_rsa, def, sizeof(RSA_METHOD)); |
|
1713 | 1715 |
|
1714 |
- /* use the OpenSSL version */ |
|
1715 |
- memmove (&smart_rsa, def, sizeof(smart_rsa)); |
|
1716 |
+ openssl_session->orig_finish = def->finish; |
|
1716 | 1717 |
|
1717 |
- /* save original */ |
|
1718 |
- ((openssl_session_t)RSA_get_app_data (rsa))->orig_finish = def->finish; |
|
1718 |
+ openssl_session->smart_rsa.name = "pkcs11"; |
|
1719 |
+ openssl_session->smart_rsa.rsa_priv_enc = openssl_pkcs11_priv_enc; |
|
1720 |
+ openssl_session->smart_rsa.rsa_priv_dec = openssl_pkcs11_priv_dec; |
|
1721 |
+ openssl_session->smart_rsa.rsa_sign = openssl_pkcs11_sign; |
|
1722 |
+ openssl_session->smart_rsa.finish = openssl_pkcs11_finish; |
|
1723 |
+ openssl_session->smart_rsa.flags = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY; |
|
1719 | 1724 |
|
1720 |
- smart_rsa.name = "pkcs11"; |
|
1721 |
- smart_rsa.rsa_priv_enc = openssl_pkcs11_priv_enc; |
|
1722 |
- smart_rsa.rsa_priv_dec = openssl_pkcs11_priv_dec; |
|
1723 |
- smart_rsa.rsa_sign = openssl_pkcs11_sign; |
|
1724 |
- smart_rsa.finish = openssl_pkcs11_finish; |
|
1725 |
- smart_rsa.flags = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY; |
|
1726 |
- return &smart_rsa; |
|
1725 |
+ RSA_set_method (rsa, &openssl_session->smart_rsa); |
|
1726 |
+ RSA_set_app_data (rsa, openssl_session); |
|
1727 |
+ |
|
1728 |
+#ifdef BROKEN_OPENSSL_ENGINE |
|
1729 |
+ if (fOK) { |
|
1730 |
+ if (!rsa->engine) |
|
1731 |
+ rsa->engine = ENGINE_get_default_RSA(); |
|
1732 |
+ |
|
1733 |
+ ENGINE_set_RSA(ENGINE_get_default_RSA(), openssl_session->smart_rsa); |
|
1734 |
+ msg(M_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled"); |
|
1735 |
+ } |
|
1736 |
+#endif |
|
1727 | 1737 |
} |
1728 | 1738 |
|
1729 | 1739 |
|
... | ... |
@@ -1737,6 +2168,150 @@ static void broken_openssl_init() |
1737 | 1737 |
} |
1738 | 1738 |
#endif |
1739 | 1739 |
|
1740 |
+/*========================================== |
|
1741 |
+ * openvpn interface |
|
1742 |
+ */ |
|
1743 |
+ |
|
1744 |
+static |
|
1745 |
+bool |
|
1746 |
+_openvpn_pkcs11_card_prompt ( |
|
1747 |
+ IN const void *pData, |
|
1748 |
+ IN const char * const szLabel |
|
1749 |
+) { |
|
1750 |
+ static struct user_pass token_pass; |
|
1751 |
+ char szPrompt[1024]; |
|
1752 |
+ char szTemp[1024]; |
|
1753 |
+ |
|
1754 |
+ ASSERT (szLabel!=NULL); |
|
1755 |
+ |
|
1756 |
+ openvpn_snprintf (szPrompt, sizeof (szPrompt), "INSERT"); |
|
1757 |
+ |
|
1758 |
+ token_pass.defined = false; |
|
1759 |
+ token_pass.nocache = true; |
|
1760 |
+ get_user_pass (&token_pass, NULL, true, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE); |
|
1761 |
+ strncpynt (szTemp, token_pass.password, sizeof (szTemp)); |
|
1762 |
+ purge_user_pass (&token_pass, true); |
|
1763 |
+ |
|
1764 |
+ if (strlen (szTemp) == 0) { |
|
1765 |
+ return false; |
|
1766 |
+ } |
|
1767 |
+ else { |
|
1768 |
+ return true; |
|
1769 |
+ } |
|
1770 |
+} |
|
1771 |
+ |
|
1772 |
+static |
|
1773 |
+bool |
|
1774 |
+_openvpn_pkcs11_pin_prompt ( |
|
1775 |
+ IN const void *pData, |
|
1776 |
+ IN const char * const szLabel, |
|
1777 |
+ OUT char * const szPIN, |
|
1778 |
+ IN const size_t nMaxPIN |
|
1779 |
+) { |
|
1780 |
+ static struct user_pass token_pass; |
|
1781 |
+ char szPrompt[1024]; |
|
1782 |
+ |
|
1783 |
+ ASSERT (szLabel!=NULL); |
|
1784 |
+ |
|
1785 |
+ openvpn_snprintf (szPrompt, sizeof (szPrompt), "%s token", szLabel); |
|
1786 |
+ |
|
1787 |
+ token_pass.defined = false; |
|
1788 |
+ token_pass.nocache = true; |
|
1789 |
+ get_user_pass (&token_pass, NULL, true, szPrompt, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE); |
|
1790 |
+ strncpynt (szPIN, token_pass.password, nMaxPIN); |
|
1791 |
+ purge_user_pass (&token_pass, true); |
|
1792 |
+ |
|
1793 |
+ if (strlen (szPIN) == 0) { |
|
1794 |
+ return false; |
|
1795 |
+ } |
|
1796 |
+ else { |
|
1797 |
+ return true; |
|
1798 |
+ } |
|
1799 |
+} |
|
1800 |
+ |
|
1801 |
+void |
|
1802 |
+init_pkcs11 ( |
|
1803 |
+ const int nPINCachePeriod |
|
1804 |
+) { |
|
1805 |
+ CK_RV rv; |
|
1806 |
+ |
|
1807 |
+ msg ( |
|
1808 |
+ D_PKCS11_DEBUG, |
|
1809 |
+ "PKCS#11: init_pkcs11 - entered" |
|
1810 |
+ ); |
|
1811 |
+ |
|
1812 |
+ if ((rv = pkcs11_initialize ()) != CKR_OK) { |
|
1813 |
+ msg (M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
1814 |
+ } |
|
1815 |
+/*Until REQUEST/REPLY interface. |
|
1816 |
+ if ((rv = pkcs11_setCardPromptHook (_openvpn_pkcs11_card_prompt, NULL)) != CKR_OK) { |
|
1817 |
+ msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
1818 |
+ } |
|
1819 |
+*/ |
|
1820 |
+ if ((rv = pkcs11_setPINPromptHook (_openvpn_pkcs11_pin_prompt, NULL)) != CKR_OK) { |
|
1821 |
+ msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
1822 |
+ } |
|
1823 |
+ |
|
1824 |
+ if ((rv = pkcs11_setPINCachePeriod (nPINCachePeriod)) != CKR_OK) { |
|
1825 |
+ msg (M_FATAL, "PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
1826 |
+ } |
|
1827 |
+ |
|
1828 |
+ msg ( |
|
1829 |
+ D_PKCS11_DEBUG, |
|
1830 |
+ "PKCS#11: init_pkcs11 - return" |
|
1831 |
+ ); |
|
1832 |
+} |
|
1833 |
+ |
|
1834 |
+void |
|
1835 |
+free_pkcs11 () { |
|
1836 |
+ msg ( |
|
1837 |
+ D_PKCS11_DEBUG, |
|
1838 |
+ "PKCS#11: free_pkcs11 - entered" |
|
1839 |
+ ); |
|
1840 |
+ |
|
1841 |
+ pkcs11_terminate (); |
|
1842 |
+ |
|
1843 |
+ msg ( |
|
1844 |
+ D_PKCS11_DEBUG, |
|
1845 |
+ "PKCS#11: free_pkcs11 - return" |
|
1846 |
+ ); |
|
1847 |
+} |
|
1848 |
+ |
|
1849 |
+void |
|
1850 |
+fork_fix_pkcs11 () { |
|
1851 |
+ pkcs11_forkFixup (); |
|
1852 |
+} |
|
1853 |
+ |
|
1854 |
+void |
|
1855 |
+add_pkcs11 ( |
|
1856 |
+ IN const char * const provider, |
|
1857 |
+ IN const char * const sign_mode |
|
1858 |
+) { |
|
1859 |
+ CK_RV rv; |
|
1860 |
+ |
|
1861 |
+ msg ( |
|
1862 |
+ D_PKCS11_DEBUG, |
|
1863 |
+ "PKCS#11: add_pkcs11 - entered - provider='%s', sign_mode='%s'", |
|
1864 |
+ provider, |
|
1865 |
+ sign_mode == NULL ? "default" : sign_mode |
|
1866 |
+ ); |
|
1867 |
+ |
|
1868 |
+ msg ( |
|
1869 |
+ M_INFO, |
|
1870 |
+ "PKCS#11: Adding PKCS#11 provider '%s'", |
|
1871 |
+ provider |
|
1872 |
+ ); |
|
1873 |
+ |
|
1874 |
+ if ((rv = pkcs11_addProvider (provider, sign_mode)) != CKR_OK) { |
|
1875 |
+ msg (M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11_getMessage (rv)); |
|
1876 |
+ } |
|
1877 |
+ |
|
1878 |
+ msg ( |
|
1879 |
+ D_PKCS11_DEBUG, |
|
1880 |
+ "PKCS#11: add_pkcs11 - return" |
|
1881 |
+ ); |
|
1882 |
+} |
|
1883 |
+ |
|
1740 | 1884 |
int |
1741 | 1885 |
SSL_CTX_use_pkcs11 ( |
1742 | 1886 |
IN OUT SSL_CTX * const ssl_ctx, |
... | ... |
@@ -1744,7 +2319,6 @@ SSL_CTX_use_pkcs11 ( |
1744 | 1744 |
IN const char * const pkcs11_slot, |
1745 | 1745 |
IN const char * const pkcs11_id_type, |
1746 | 1746 |
IN const char * const pkcs11_id, |
1747 |
- IN const char * const pin, |
|
1748 | 1747 |
IN const bool pkcs11_protected_authentication |
1749 | 1748 |
) { |
1750 | 1749 |
X509 *x509 = NULL; |
... | ... |
@@ -1755,14 +2329,14 @@ SSL_CTX_use_pkcs11 ( |
1755 | 1755 |
CK_RV rv = CKR_OK; |
1756 | 1756 |
|
1757 | 1757 |
unsigned char certificate[10*1024]; |
1758 |
- int certificate_size; |
|
1758 |
+ size_t certificate_size; |
|
1759 | 1759 |
unsigned char *p; |
1760 | 1760 |
bool fOK = true; |
1761 | 1761 |
|
1762 | 1762 |
msg ( |
1763 | 1763 |
D_PKCS11_DEBUG, |
1764 | 1764 |
"PKCS#11: SSL_CTX_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_slot_type='%s', pkcs11_slot='%s', pkcs11_id_type='%s', pkcs11_id='%s', pkcs11_protected_authentication=%d", |
1765 |
- ssl_ctx, |
|
1765 |
+ (void *)ssl_ctx, |
|
1766 | 1766 |
pkcs11_slot_type, |
1767 | 1767 |
pkcs11_slot, |
1768 | 1768 |
pkcs11_id_type, |
... | ... |
@@ -1775,9 +2349,6 @@ SSL_CTX_use_pkcs11 ( |
1775 | 1775 |
ASSERT (pkcs11_slot!=NULL); |
1776 | 1776 |
ASSERT (pkcs11_id_type!=NULL); |
1777 | 1777 |
ASSERT (pkcs11_id!=NULL); |
1778 |
- if (!pkcs11_protected_authentication) { |
|
1779 |
- ASSERT (pin!=NULL); |
|
1780 |
- } |
|
1781 | 1778 |
|
1782 | 1779 |
if ( |
1783 | 1780 |
fOK && |
... | ... |
@@ -1798,7 +2369,6 @@ SSL_CTX_use_pkcs11 ( |
1798 | 1798 |
pkcs11_slot, |
1799 | 1799 |
pkcs11_id_type, |
1800 | 1800 |
pkcs11_id, |
1801 |
- pin, |
|
1802 | 1801 |
pkcs11_protected_authentication, |
1803 | 1802 |
&openssl_session->pkcs11_session |
1804 | 1803 |
)) != CKR_OK |
... | ... |
@@ -1862,23 +2432,12 @@ SSL_CTX_use_pkcs11 ( |
1862 | 1862 |
} |
1863 | 1863 |
|
1864 | 1864 |
if (fOK) { |
1865 |
- RSA_set_app_data (rsa, openssl_session); |
|
1866 |
- RSA_set_method (rsa, openssl_pkcs11_get_rsa_method (rsa)); |
|
1865 |
+ openssl_pkcs11_set_rsa (openssl_session, rsa); |
|
1867 | 1866 |
rsa->flags |= RSA_FLAG_SIGN_VER; |
1868 | 1867 |
|
1869 | 1868 |
/* it will be freed when rsa usage count will be zero */ |
1870 | 1869 |
fShouldFreeOpenSSLSession = false; |
1871 | 1870 |
} |
1872 |
- |
|
1873 |
-#ifdef BROKEN_OPENSSL_ENGINE |
|
1874 |
- if (fOK) { |
|
1875 |
- if (!rsa->engine) |
|
1876 |
- rsa->engine = ENGINE_get_default_RSA(); |
|
1877 |
- |
|
1878 |
- ENGINE_set_RSA(ENGINE_get_default_RSA(), openssl_pkcs11_get_rsa_method(rsa)); |
|
1879 |
- msg(M_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled"); |
|
1880 |
- } |
|
1881 |
-#endif |
|
1882 | 1871 |
|
1883 | 1872 |
if ( |
1884 | 1873 |
fOK && |
... | ... |
@@ -1936,51 +2495,6 @@ SSL_CTX_use_pkcs11 ( |
1936 | 1936 |
} |
1937 | 1937 |
|
1938 | 1938 |
void |
1939 |
-add_pkcs11 ( |
|
1940 |
- IN const char * const provider, |
|
1941 |
- IN const char * const sign_mode |
|
1942 |
-) { |
|
1943 |
- CK_RV rv; |
|
1944 |
- |
|
1945 |
- msg ( |
|
1946 |
- D_PKCS11_DEBUG, |
|
1947 |
- "PKCS#11: add_pkcs11 - entered - provider='%s', sign_mode='%s'", |
|
1948 |
- provider, |
|
1949 |
- sign_mode == NULL ? "default" : sign_mode |
|
1950 |
- ); |
|
1951 |
- |
|
1952 |
- msg ( |
|
1953 |
- M_INFO, |
|
1954 |
- "PKCS#11: Adding PKCS#11 provider '%s'", |
|
1955 |
- provider |
|
1956 |
- ); |
|
1957 |
- |
|
1958 |
- if ((rv = pkcs11_addProvider (provider, sign_mode)) != CKR_OK) { |
|
1959 |
- msg (M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11_getMessage (rv)); |
|
1960 |
- } |
|
1961 |
- |
|
1962 |
- msg ( |
|
1963 |
- D_PKCS11_DEBUG, |
|
1964 |
- "PKCS#11: add_pkcs11 - return" |
|
1965 |
- ); |
|
1966 |
-} |
|
1967 |
- |
|
1968 |
-void |
|
1969 |
-free_pkcs11 () { |
|
1970 |
- msg ( |
|
1971 |
- D_PKCS11_DEBUG, |
|
1972 |
- "PKCS#11: free_pkcs11 - entered" |
|
1973 |
- ); |
|
1974 |
- |
|
1975 |
- pkcs11_finalize (); |
|
1976 |
- |
|
1977 |
- msg ( |
|
1978 |
- D_PKCS11_DEBUG, |
|
1979 |
- "PKCS#11: free_pkcs11 - return" |
|
1980 |
- ); |
|
1981 |
-} |
|
1982 |
- |
|
1983 |
-void |
|
1984 | 1939 |
show_pkcs11_slots ( |
1985 | 1940 |
IN const int msglev, |
1986 | 1941 |
IN const int warnlev, |
... | ... |
@@ -1992,14 +2506,30 @@ show_pkcs11_slots ( |
1992 | 1992 |
CK_SLOT_ID s; |
1993 | 1993 |
CK_RV rv; |
1994 | 1994 |
|
1995 |
+ pkcs11_provider_t pkcs11_provider; |
|
1996 |
+ |
|
1995 | 1997 |
ASSERT (provider!=NULL); |
1996 | 1998 |
|
1997 | 1999 |
if ( |
2000 |
+ (rv = pkcs11_initialize ()) != CKR_OK |
|
2001 |
+ ) { |
|
2002 |
+ msg (M_FATAL, "PKCS#11: Cannot initialize interface %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
2003 |
+ } |
|
2004 |
+ |
|
2005 |
+ if ( |
|
1998 | 2006 |
(rv = pkcs11_addProvider (provider, NULL)) != CKR_OK |
1999 | 2007 |
) { |
2000 | 2008 |
msg (M_FATAL, "PKCS#11: Cannot initialize provider %ld-'%s'", rv, pkcs11_getMessage (rv)); |
2001 | 2009 |
} |
2002 | 2010 |
|
2011 |
+ /* |
|
2012 |
+ * our provider is head |
|
2013 |
+ */ |
|
2014 |
+ pkcs11_provider = pkcs11_data->providers; |
|
2015 |
+ if (pkcs11_provider == NULL || !pkcs11_provider->fEnabled) { |
|
2016 |
+ msg (M_FATAL, "PKCS#11: Cannot get provider %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
2017 |
+ } |
|
2018 |
+ |
|
2003 | 2019 |
if ( |
2004 | 2020 |
(rv = pkcs11_provider->f->C_GetInfo (&info)) != CKR_OK |
2005 | 2021 |
) { |
... | ... |
@@ -2009,7 +2539,7 @@ show_pkcs11_slots ( |
2009 | 2009 |
char szManufacturerID[sizeof (info.manufacturerID)+1]; |
2010 | 2010 |
|
2011 | 2011 |
_fixupFixedString ( |
2012 |
- info.manufacturerID, |
|
2012 |
+ (char *)info.manufacturerID, |
|
2013 | 2013 |
szManufacturerID, |
2014 | 2014 |
sizeof (info.manufacturerID) |
2015 | 2015 |
); |
... | ... |
@@ -2062,7 +2592,7 @@ show_pkcs11_slots ( |
2062 | 2062 |
char szCurrentName[sizeof (info.slotDescription)+1]; |
2063 | 2063 |
|
2064 | 2064 |
_fixupFixedString ( |
2065 |
- info.slotDescription, |
|
2065 |
+ (char *)info.slotDescription, |
|
2066 | 2066 |
szCurrentName, |
2067 | 2067 |
sizeof (info.slotDescription) |
2068 | 2068 |
); |
... | ... |
@@ -2072,7 +2602,19 @@ show_pkcs11_slots ( |
2072 | 2072 |
} |
2073 | 2073 |
} |
2074 | 2074 |
|
2075 |
- pkcs11_finalize (); |
|
2075 |
+ pkcs11_terminate (); |
|
2076 |
+} |
|
2077 |
+ |
|
2078 |
+static |
|
2079 |
+bool |
|
2080 |
+_show_pkcs11_objects_pin_prompt ( |
|
2081 |
+ IN const void *pData, |
|
2082 |
+ IN const char * const szLabel, |
|
2083 |
+ OUT char * const szPIN, |
|
2084 |
+ IN const size_t nMaxPIN |
|
2085 |
+) { |
|
2086 |
+ strncpy (szPIN, (char *)pData, nMaxPIN); |
|
2087 |
+ return true; |
|
2076 | 2088 |
} |
2077 | 2089 |
|
2078 | 2090 |
void |
... | ... |
@@ -2090,6 +2632,8 @@ show_pkcs11_objects ( |
2090 | 2090 |
CK_SLOT_ID s; |
2091 | 2091 |
CK_RV rv; |
2092 | 2092 |
|
2093 |
+ pkcs11_provider_t pkcs11_provider; |
|
2094 |
+ |
|
2093 | 2095 |
ASSERT (provider!=NULL); |
2094 | 2096 |
ASSERT (slot!=NULL); |
2095 | 2097 |
ASSERT (pin!=NULL); |
... | ... |
@@ -2097,11 +2641,31 @@ show_pkcs11_objects ( |
2097 | 2097 |
s = atoi (slot); |
2098 | 2098 |
|
2099 | 2099 |
if ( |
2100 |
+ (rv = pkcs11_initialize ()) != CKR_OK |
|
2101 |
+ ) { |
|
2102 |
+ msg (M_FATAL, "PKCS#11: Cannot initialize interface %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
2103 |
+ } |
|
2104 |
+ |
|
2105 |
+ if ( |
|
2106 |
+ (rv = pkcs11_setPINPromptHook (_show_pkcs11_objects_pin_prompt, (void *)pin)) != CKR_OK |
|
2107 |
+ ) { |
|
2108 |
+ msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
2109 |
+ } |
|
2110 |
+ |
|
2111 |
+ if ( |
|
2100 | 2112 |
(rv = pkcs11_addProvider (provider, NULL)) != CKR_OK |
2101 | 2113 |
) { |
2102 | 2114 |
msg (M_FATAL, "PKCS#11: Cannot initialize provider %ld-'%s'", rv, pkcs11_getMessage (rv)); |
2103 | 2115 |
} |
2104 | 2116 |
|
2117 |
+ /* |
|
2118 |
+ * our provider is head |
|
2119 |
+ */ |
|
2120 |
+ pkcs11_provider = pkcs11_data->providers; |
|
2121 |
+ if (pkcs11_provider == NULL || !pkcs11_provider->fEnabled) { |
|
2122 |
+ msg (M_FATAL, "PKCS#11: Cannot get provider %ld-'%s'", rv, pkcs11_getMessage (rv)); |
|
2123 |
+ } |
|
2124 |
+ |
|
2105 | 2125 |
if ( |
2106 | 2126 |
(rv = pkcs11_provider->f->C_GetTokenInfo ( |
2107 | 2127 |
s, |
... | ... |
@@ -2117,22 +2681,22 @@ show_pkcs11_objects ( |
2117 | 2117 |
char szSerialNumber[sizeof (info.serialNumber)+1]; |
2118 | 2118 |
|
2119 | 2119 |
_fixupFixedString ( |
2120 |
- info.label, |
|
2120 |
+ (char *)info.label, |
|
2121 | 2121 |
szLabel, |
2122 | 2122 |
sizeof (info.label) |
2123 | 2123 |
); |
2124 | 2124 |
_fixupFixedString ( |
2125 |
- info.manufacturerID, |
|
2125 |
+ (char *)info.manufacturerID, |
|
2126 | 2126 |
szManufacturerID, |
2127 | 2127 |
sizeof (info.manufacturerID) |
2128 | 2128 |
); |
2129 | 2129 |
_fixupFixedString ( |
2130 |
- info.model, |
|
2130 |
+ (char *)info.model, |
|
2131 | 2131 |
szModel, |
2132 | 2132 |
sizeof (info.model) |
2133 | 2133 |
); |
2134 | 2134 |
_fixupFixedString ( |
2135 |
- info.serialNumber, |
|
2135 |
+ (char *)info.serialNumber, |
|
2136 | 2136 |
szSerialNumber, |
2137 | 2137 |
sizeof (info.serialNumber) |
2138 | 2138 |
); |
... | ... |
@@ -2385,9 +2949,9 @@ show_pkcs11_objects ( |
2385 | 2385 |
pkcs11_provider->f->C_FindObjectsFinal (session); |
2386 | 2386 |
pkcs11_provider->f->C_Logout (session); |
2387 | 2387 |
pkcs11_provider->f->C_CloseSession (session); |
2388 |
- pkcs11_finalize (); |
|
2388 |
+ pkcs11_terminate (); |
|
2389 | 2389 |
} |
2390 | 2390 |
|
2391 | 2391 |
#else |
2392 | 2392 |
static void dummy (void) {} |
2393 |
-#endif /* USE_OPENSC && USE_SSL && USE_CRYPTO */ |
|
2393 |
+#endif /* ENABLE_PKCS11 */ |
... | ... |
@@ -29,6 +29,23 @@ |
29 | 29 |
|
30 | 30 |
#include <openssl/ssl.h> |
31 | 31 |
|
32 |
+void |
|
33 |
+init_pkcs11 ( |
|
34 |
+ const int nPINCachePeriod |
|
35 |
+); |
|
36 |
+ |
|
37 |
+void |
|
38 |
+free_pkcs11 (); |
|
39 |
+ |
|
40 |
+void |
|
41 |
+fork_fix_pkcs11 (); |
|
42 |
+ |
|
43 |
+void |
|
44 |
+add_pkcs11 ( |
|
45 |
+ const char * const provider, |
|
46 |
+ const char * const sign_mode |
|
47 |
+); |
|
48 |
+ |
|
32 | 49 |
int |
33 | 50 |
SSL_CTX_use_pkcs11 ( |
34 | 51 |
SSL_CTX * const ssl_ctx, |
... | ... |
@@ -36,20 +53,10 @@ SSL_CTX_use_pkcs11 ( |
36 | 36 |
const char * const pkcs11_slot, |
37 | 37 |
const char * const pkcs11_id_type, |
38 | 38 |
const char * const pkcs11_id, |
39 |
- const char * const pin, |
|
40 | 39 |
const bool pkcs11_protected_authentication |
41 | 40 |
); |
42 | 41 |
|
43 | 42 |
void |
44 |
-add_pkcs11 ( |
|
45 |
- const char * const provider, |
|
46 |
- const char * const sign_mode |
|
47 |
-); |
|
48 |
- |
|
49 |
-void |
|
50 |
-free_pkcs11 (); |
|
51 |
- |
|
52 |
-void |
|
53 | 43 |
show_pkcs11_slots ( |
54 | 44 |
const int msglev, |
55 | 45 |
const int warnlev, |
... | ... |
@@ -65,6 +72,6 @@ show_pkcs11_objects ( |
65 | 65 |
const char * const pin |
66 | 66 |
); |
67 | 67 |
|
68 |
-#endif |
|
68 |
+#endif /* ENABLE_PKCS11 */ |
|
69 | 69 |
|
70 |
-#endif |
|
70 |
+#endif /* OPENVPN_PKCS11_H */ |
... | ... |
@@ -854,17 +854,8 @@ init_ssl (const struct options *options) |
854 | 854 |
#ifdef ENABLE_PKCS11 |
855 | 855 |
if (options->pkcs11_providers[0]) |
856 | 856 |
{ |
857 |
- char password[256]; |
|
858 |
- password[0] = '\0'; |
|
859 |
- if ( |
|
860 |
- !options->pkcs11_protected_authentication && |
|
861 |
- options->key_pass_file |
|
862 |
- ) { |
|
863 |
- pem_password_callback (password, sizeof(password) - 1, 0, NULL); |
|
864 |
- } |
|
865 |
- |
|
866 | 857 |
/* Load Certificate and Private Key */ |
867 |
- if (!SSL_CTX_use_pkcs11 (ctx, options->pkcs11_slot_type, options->pkcs11_slot, options->pkcs11_id_type, options->pkcs11_id, password, options->pkcs11_protected_authentication)) |
|
858 |
+ if (!SSL_CTX_use_pkcs11 (ctx, options->pkcs11_slot_type, options->pkcs11_slot, options->pkcs11_id_type, options->pkcs11_id, options->pkcs11_protected_authentication)) |
|
868 | 859 |
msg (M_SSLERR, "Cannot load certificate \"%s:%s\" from slot \"%s:%s\" using PKCS#11 interface", |
869 | 860 |
options->pkcs11_id_type, options->pkcs11_id, options->pkcs11_slot_type, options->pkcs11_slot); |
870 | 861 |
} |