authorRené Mayrhofer <rene@mayrhofer.eu.org>2011-03-05 09:29:19 +0100
committerRené Mayrhofer <rene@mayrhofer.eu.org>2011-03-05 09:29:19 +0100
commit365e71f706b40c32173fa06c6feaac48c1527520 (patch)
tree54fa72a914d18c9430eaa54f3de4a2d4419198af /src/libstrongswan/plugins/pkcs11
parent5d7669b7b3563c50b3c86903e0a49373d597b8a0 (diff)
parent568905f488e63e28778f87ac0e38d845f45bae79 (diff)
Fixed merge; not sure why this didn't happen automatically — maybe a leftover from the svn->git conversion
Diffstat (limited to 'src/libstrongswan/plugins/pkcs11')
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in9
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_creds.c46
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.c93
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.h34
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_manager.c7
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c19
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c30
7 files changed, 238 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index c27310910..8d6bad565 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -223,9 +223,13 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+<<<<<<< HEAD
ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
ipsecuid = @ipsecuid@
+=======
+ipsecgroup = @ipsecgroup@
+>>>>>>> upstream/4.5.1
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
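Review bot: The `<<<<<<< HEAD`, `=======` and `>>>>>>> upstream/4.5.1` lines at the top of this hunk are committed as part of Makefile.in, so make rejects the file and the build fails before anything else in this commit matters. Makefile.in is generated by automake; the resolution should come from re-running autoreconf on the merged configure input rather than hand-picking lines. The two sides also disagree on which substitutions exist (HEAD carries `ipsecgid`/`ipsecuid`, upstream only `ipsecgroup`), which suggests the configure scripts themselves have not been merged yet — worth confirming before regenerating.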
@@ -264,6 +268,11 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
+<<<<<<< HEAD
+=======
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+>>>>>>> upstream/4.5.1
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
index 1b1448c6a..6783699e5 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -55,6 +55,7 @@ struct private_pkcs11_creds_t {
* Find certificates, optionally trusted
*/
static void find_certificates(private_pkcs11_creds_t *this,
+<<<<<<< HEAD
CK_SESSION_HANDLE session, CK_BBOOL trusted)
{
CK_OBJECT_CLASS class = CKO_CERTIFICATE;
@@ -63,11 +64,25 @@ static void find_certificates(private_pkcs11_creds_t *this,
{CKA_CLASS, &class, sizeof(class)},
{CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
{CKA_TRUSTED, &trusted, sizeof(trusted)},
+=======
+ CK_SESSION_HANDLE session)
+{
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_BBOOL trusted = TRUE;
+ CK_ATTRIBUTE tmpl[] = {
+ {CKA_CLASS, &class, sizeof(class)},
+ {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+>>>>>>> upstream/4.5.1
};
CK_OBJECT_HANDLE object;
CK_ATTRIBUTE attr[] = {
{CKA_VALUE, NULL, 0},
{CKA_LABEL, NULL, 0},
+<<<<<<< HEAD
+=======
+ {CKA_TRUSTED, &trusted, sizeof(trusted)}
+>>>>>>> upstream/4.5.1
};
enumerator_t *enumerator;
linked_list_t *raw;
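Review bot: The conflict markers inside the `tmpl[]` initializer (`+<<<<<<< HEAD` at the top of the hunk through `+>>>>>>> upstream/4.5.1`) are committed verbatim, so this file no longer compiles; a merge that leaves `<<<<<<<` in C source is not resolved. The two sides are not a superset of each other: HEAD filters the search template on `CKA_TRUSTED`, while upstream drops it from `tmpl[]` and instead reads it back per object through `attr[]`, so the resolution has to pick one model consistently across every hunk of `find_certificates()` rather than keep both arrays. Since the later hunks already follow the upstream `entry->trusted` shape, the HEAD lines in this hunk should go.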
@@ -75,11 +90,27 @@ static void find_certificates(private_pkcs11_creds_t *this,
struct {
chunk_t value;
chunk_t label;
+<<<<<<< HEAD
} *entry;
raw = linked_list_create();
enumerator = this->lib->create_object_enumerator(this->lib,
session, tmpl, countof(tmpl), attr, countof(attr));
+=======
+ bool trusted;
+ } *entry;
+ int count = countof(attr);
+
+ /* store result in a temporary list, avoid recursive operation */
+ raw = linked_list_create();
+ /* do not use trusted argument if not supported */
+ if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS))
+ {
+ count--;
+ }
+ enumerator = this->lib->create_object_enumerator(this->lib,
+ session, tmpl, countof(tmpl), attr, count);
+>>>>>>> upstream/4.5.1
while (enumerator->enumerate(enumerator, &object))
{
entry = malloc(sizeof(*entry));
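Review bot: With the upstream side, a library reporting a cryptoki version below 2.20 gets `CKA_TRUSTED` dropped from the query (`count--`) while `trusted` keeps the initial `TRUE` it was declared with in the previous hunk, so every certificate on such a token is later pushed into `this->trusted` as well as `this->untrusted`, silently turning any cert on an old-API token into a trust anchor. If that fallback is intended it should be stated where the attribute is dropped, e.g. `/* library predates CKA_TRUSTED: every certificate is treated as trusted */` together with a `DBG1(DBG_CFG, ...)` line so an operator can see it; the fail-closed alternative is to start from `trusted = FALSE` and only promote certificates the token marks. `trusted` is also a single stack variable shared by all iterations, so if the enumerator leaves the buffer untouched for an object where the attribute is unavailable (cannot tell from this page) the previous object's value carries over — resetting it before each `enumerate()` would make that deterministic.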
@@ -87,6 +118,10 @@ static void find_certificates(private_pkcs11_creds_t *this,
chunk_create(attr[0].pValue, attr[0].ulValueLen));
entry->label = chunk_clone(
chunk_create(attr[1].pValue, attr[1].ulValueLen));
+<<<<<<< HEAD
+=======
+ entry->trusted = trusted;
+>>>>>>> upstream/4.5.1
raw->insert_last(raw, entry);
}
enumerator->destroy(enumerator);
@@ -99,10 +134,17 @@ static void find_certificates(private_pkcs11_creds_t *this,
if (cert)
{
DBG1(DBG_CFG, " loaded %strusted cert '%.*s'",
+<<<<<<< HEAD
trusted ? "" : "un", entry->label.len, entry->label.ptr);
/* trusted certificates are also returned as untrusted */
this->untrusted->insert_last(this->untrusted, cert);
if (trusted)
+=======
+ entry->trusted ? "" : "un", entry->label.len, entry->label.ptr);
+ /* trusted certificates are also returned as untrusted */
+ this->untrusted->insert_last(this->untrusted, cert);
+ if (entry->trusted)
+>>>>>>> upstream/4.5.1
{
this->trusted->insert_last(this->trusted, cert->get_ref(cert));
}
@@ -135,8 +177,12 @@ static bool load_certificates(private_pkcs11_creds_t *this)
return FALSE;
}
+<<<<<<< HEAD
find_certificates(this, session, CK_TRUE);
find_certificates(this, session, CK_FALSE);
+=======
+ find_certificates(this, session);
+>>>>>>> upstream/4.5.1
this->lib->f->C_CloseSession(session);
return TRUE;
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 9fb1b7769..6d819da34 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -466,6 +466,14 @@ struct private_pkcs11_library_t {
* Name as passed to the constructor
*/
char *name;
+<<<<<<< HEAD
+=======
+
+ /**
+ * Supported feature set
+ */
+ pkcs11_feature_t features;
+>>>>>>> upstream/4.5.1
};
METHOD(pkcs11_library_t, get_name, char*,
@@ -474,6 +482,15 @@ METHOD(pkcs11_library_t, get_name, char*,
return this->name;
}
+<<<<<<< HEAD
+=======
+METHOD(pkcs11_library_t, get_features, pkcs11_feature_t,
+ private_pkcs11_library_t *this)
+{
+ return this->features;
+}
+
+>>>>>>> upstream/4.5.1
/**
* Object enumerator
*/
@@ -766,19 +783,58 @@ static CK_RV UnlockMutex(CK_VOID_PTR data)
}
/**
+<<<<<<< HEAD
* Initialize a PKCS#11 library
*/
static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+=======
+ * Check if the library has at least a given cryptoki version
+ */
+static bool has_version(CK_INFO *info, int major, int minor)
+{
+ return info->cryptokiVersion.major > major ||
+ (info->cryptokiVersion.major == major &&
+ info->cryptokiVersion.minor >= minor);
+}
+
+/**
+ * Check for optional PKCS#11 library functionality
+ */
+static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
+{
+ if (has_version(info, 2, 20))
+ {
+ this->features |= PKCS11_TRUSTED_CERTS;
+ this->features |= PKCS11_ALWAYS_AUTH_KEYS;
+ }
+}
+
+/**
+ * Initialize a PKCS#11 library
+ */
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file,
+ bool os_locking)
+>>>>>>> upstream/4.5.1
{
CK_C_GetFunctionList pC_GetFunctionList;
CK_INFO info;
CK_RV rv;
+<<<<<<< HEAD
CK_C_INITIALIZE_ARGS args = {
+=======
+ static CK_C_INITIALIZE_ARGS args = {
+>>>>>>> upstream/4.5.1
.CreateMutex = CreateMutex,
.DestroyMutex = DestroyMutex,
.LockMutex = LockMutex,
.UnlockMutex = UnlockMutex,
};
+<<<<<<< HEAD
+=======
+ static CK_C_INITIALIZE_ARGS args_os = {
+ .flags = CKF_OS_LOCKING_OK,
+ };
+>>>>>>> upstream/4.5.1
pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList");
if (!pC_GetFunctionList)
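Review bot: `check_features()` grants `PKCS11_TRUSTED_CERTS` and `PKCS11_ALWAYS_AUTH_KEYS` purely from `info->cryptokiVersion`, i.e. the API version the library claims, not whether a token actually exposes `CKA_TRUSTED` or `CKA_ALWAYS_AUTHENTICATE`; a 2.20 library may still reject those attributes per object, and an older library that happens to support them is written off. That deserves a comment on the function: `/* inferred from the reported cryptoki version only; a token may still reject these attributes */`. Separately, both the HEAD and the upstream `initialize()` signatures sit between the conflict markers at the top of the hunk, so the file does not compile until one is removed.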
@@ -793,6 +849,7 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
name, ck_rv_names, rv);
return FALSE;
}
+<<<<<<< HEAD
rv = this->public.f->C_Initialize(&args);
if (rv == CKR_CANT_LOCK)
@@ -801,6 +858,21 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
args.flags = CKF_OS_LOCKING_OK;
rv = this->public.f->C_Initialize(&args);
}
+=======
+ if (os_locking)
+ {
+ rv = CKR_CANT_LOCK;
+ }
+ else
+ {
+ rv = this->public.f->C_Initialize(&args);
+ }
+ if (rv == CKR_CANT_LOCK)
+ { /* fallback to OS locking */
+ os_locking = TRUE;
+ rv = this->public.f->C_Initialize(&args_os);
+ }
+>>>>>>> upstream/4.5.1
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "C_Initialize() error for '%s': %N",
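Review bot: Seeding `rv = CKR_CANT_LOCK` to force the fallback branch when `os_locking` is set reuses an error code as control flow, which makes the forced-OS-locking case read like a failure and is easy to misread on the next edit; the two paths are clearer written out. The HEAD block right above (the `C_Initialize(&args)` / `args.flags = CKF_OS_LOCKING_OK` retry) must also be removed rather than left next to the upstream block, otherwise `C_Initialize()` is called twice and the second call fails as already initialized. `initialize()` continues outside this hunk.
```c
/* … unchanged: C_GetFunctionList() lookup … */
if (!os_locking)
{
	rv = this->public.f->C_Initialize(&args);
	if (rv == CKR_CANT_LOCK)
	{	/* library can't use our mutex callbacks, retry with OS locking */
		os_locking = TRUE;
	}
}
if (os_locking)
{
	rv = this->public.f->C_Initialize(&args_os);
}
/* … unchanged: rv != CKR_OK error reporting … */
```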
@@ -826,23 +898,40 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
DBG1(DBG_CFG, " %s: %s v%d.%d",
info.manufacturerID, info.libraryDescription,
info.libraryVersion.major, info.libraryVersion.minor);
+<<<<<<< HEAD
if (args.flags & CKF_OS_LOCKING_OK)
{
DBG1(DBG_CFG, " uses OS locking functions");
}
+=======
+ if (os_locking)
+ {
+ DBG1(DBG_CFG, " uses OS locking functions");
+ }
+
+ check_features(this, &info);
+>>>>>>> upstream/4.5.1
return TRUE;
}
/**
* See header
*/
+<<<<<<< HEAD
pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+=======
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
+>>>>>>> upstream/4.5.1
{
private_pkcs11_library_t *this;
INIT(this,
.public = {
.get_name = _get_name,
+<<<<<<< HEAD
+=======
+ .get_features = _get_features,
+>>>>>>> upstream/4.5.1
.create_object_enumerator = _create_object_enumerator,
.create_mechanism_enumerator = _create_mechanism_enumerator,
.destroy = _destroy,
@@ -858,7 +947,11 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file)
return NULL;
}
+<<<<<<< HEAD
if (!initialize(this, name, file))
+=======
+ if (!initialize(this, name, file, os_locking))
+>>>>>>> upstream/4.5.1
{
dlclose(this->handle);
free(this);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 1457d24d4..384258089 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -21,6 +21,10 @@
#ifndef PKCS11_LIBRARY_H_
#define PKCS11_LIBRARY_H_
+<<<<<<< HEAD
+=======
+typedef enum pkcs11_feature_t pkcs11_feature_t;
+>>>>>>> upstream/4.5.1
typedef struct pkcs11_library_t pkcs11_library_t;
#include "pkcs11.h"
@@ -29,6 +33,19 @@ typedef struct pkcs11_library_t pkcs11_library_t;
#include <utils/enumerator.h>
/**
+<<<<<<< HEAD
+=======
+ * Optional PKCS#11 features some libraries support, some not
+ */
+enum pkcs11_feature_t {
+ /** CKA_TRUSTED attribute supported for certificate objects */
+ PKCS11_TRUSTED_CERTS = (1<<0),
+ /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+ PKCS11_ALWAYS_AUTH_KEYS = (1<<1),
+};
+
+/**
+>>>>>>> upstream/4.5.1
* A loaded and initialized PKCS#11 library.
*/
struct pkcs11_library_t {
@@ -46,6 +63,16 @@ struct pkcs11_library_t {
char* (*get_name)(pkcs11_library_t *this);
/**
+<<<<<<< HEAD
+=======
+ * Get the feature set supported by this library.
+ *
+ * @return ORed set of features supported
+ */
+ pkcs11_feature_t (*get_features)(pkcs11_library_t *this);
+
+ /**
+>>>>>>> upstream/4.5.1
* Create an enumerator over CK_OBJECT_HANDLE using a search template.
*
* An optional attribute array is automatically filled in with the
@@ -103,8 +130,15 @@ void pkcs11_library_trim(char *str, int len);
*
* @param name an arbitrary name, for debugging
* @param file pkcs11 library file to dlopen()
+<<<<<<< HEAD
* @return library abstraction
*/
pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+=======
+ * @param os_lock enforce OS Locking for this library
+ * @return library abstraction
+ */
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock);
+>>>>>>> upstream/4.5.1
#endif /** PKCS11_LIBRARY_H_ @}*/
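Review bot: The new prototype names and documents the third parameter as `os_lock`, while the definition in pkcs11_library.c (`pkcs11_library_create(char *name, char *file, bool os_locking)`) and the manager's settings key call it `os_locking`; keeping one name avoids a mismatch between the Doxygen `@param` and the implementation. Suggest `@param os_locking enforce OS locking for this library` and `bool os_locking` in the prototype. The conflict markers around the two prototypes also need resolving, as the header currently declares the function twice with different arities.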
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 0c27600a6..b7ca3538c 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -373,7 +373,14 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
free(entry);
continue;
}
+<<<<<<< HEAD
entry->lib = pkcs11_library_create(module, entry->path);
+=======
+ entry->lib = pkcs11_library_create(module, entry->path,
+ lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.modules.%s.os_locking",
+ FALSE, module));
+>>>>>>> upstream/4.5.1
if (!entry->lib)
{
free(entry);
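Review bot: If the markers are merely stripped, both assignments to `entry->lib` remain: the first library object is overwritten by the second and leaked, and the module is initialised twice. Only the upstream three-line call should survive. The new knob is read from `libstrongswan.plugins.pkcs11.modules.<name>.os_locking` with default `FALSE`; a short comment above the call, `/* per-module override: request CKF_OS_LOCKING_OK instead of our mutex callbacks */`, would make the setting discoverable from the code.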
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index ace405c23..b02873870 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -26,6 +26,11 @@
#include "pkcs11_public_key.h"
#include "pkcs11_hasher.h"
+<<<<<<< HEAD
+=======
+static const char *plugin_name = "pkcs11";
+
+>>>>>>> upstream/4.5.1
typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
/**
@@ -146,6 +151,7 @@ plugin_t *pkcs11_plugin_create()
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
{
+<<<<<<< HEAD
lib->crypto->add_hasher(lib->crypto, HASH_MD2,
(hasher_constructor_t)pkcs11_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_MD5,
@@ -157,6 +163,19 @@ plugin_t *pkcs11_plugin_create()
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
(hasher_constructor_t)pkcs11_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA512,
+=======
+ lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name,
+ (hasher_constructor_t)pkcs11_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name,
+ (hasher_constructor_t)pkcs11_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name,
+ (hasher_constructor_t)pkcs11_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name,
+ (hasher_constructor_t)pkcs11_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name,
+ (hasher_constructor_t)pkcs11_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name,
+>>>>>>> upstream/4.5.1
(hasher_constructor_t)pkcs11_hasher_create);
}
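Review bot: The HEAD block between the markers keeps the old two-argument `add_hasher()` calls while upstream passes the extra `plugin_name` argument, so the resolution must drop the HEAD block entirely rather than merge it. Note that the shared trailing line `(hasher_constructor_t)pkcs11_hasher_create);` after `>>>>>>>` is the tail of the last upstream call, so removing the HEAD block leaves the `HASH_SHA512` registration intact. As committed the file does not compile. `pkcs11_plugin_create()` continues outside this hunk.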
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cabca3f54..6d2c93c98 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,6 +401,7 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
};
CK_OBJECT_HANDLE object;
CK_KEY_TYPE type;
+<<<<<<< HEAD
CK_BBOOL reauth;
CK_ATTRIBUTE attr[] = {
{CKA_KEY_TYPE, &type, sizeof(type)},
@@ -413,18 +414,47 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
enumerator = this->lib->create_object_enumerator(this->lib,
this->session, tmpl, countof(tmpl), attr, countof(attr));
+=======
+ CK_BBOOL reauth = FALSE;
+ CK_ATTRIBUTE attr[] = {
+ {CKA_KEY_TYPE, &type, sizeof(type)},
+ {CKA_MODULUS, NULL, 0},
+ {CKA_PUBLIC_EXPONENT, NULL, 0},
+ {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},
+ };
+ enumerator_t *enumerator;
+ chunk_t modulus, pubexp;
+ int count = countof(attr);
+
+ /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+ if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+ {
+ count--;
+ }
+ enumerator = this->lib->create_object_enumerator(this->lib,
+ this->session, tmpl, countof(tmpl), attr, count);
+>>>>>>> upstream/4.5.1
if (enumerator->enumerate(enumerator, &object))
{
switch (type)
{
case CKK_RSA:
+<<<<<<< HEAD
if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1)
+=======
+ if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1)
+>>>>>>> upstream/4.5.1
{
DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed");
break;
}
+<<<<<<< HEAD
modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen);
pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen);
+=======
+ modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen);
+ pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen);
+>>>>>>> upstream/4.5.1
this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
KEY_RSA, BUILD_RSA_MODULUS, modulus,
BUILD_RSA_PUB_EXP, pubexp, BUILD_END);
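Review bot: The `attr[]` indices differ between the two sides (HEAD reads modulus/exponent from `attr[2]`/`attr[3]`, upstream from `attr[1]`/`attr[2]`) because the array layouts in the declaration above differ; if the markers are stripped without choosing consistently, the RSA modulus would be read from the wrong slot. Resolve to the upstream layout throughout, which also matches `CKA_ALWAYS_AUTHENTICATE` being the optional last entry trimmed by `count--`. If the bundled pkcs11.h defines the sentinel, the named constant reads better than `== -1` on a `CK_ULONG`: `if (attr[1].ulValueLen == CK_UNAVAILABLE_INFORMATION || attr[2].ulValueLen == CK_UNAVAILABLE_INFORMATION)`. The `reauth = FALSE` default when the feature is absent appears to be the safe direction, since a key that does require re-authentication should then fail to sign rather than be used without it — confirm against the sign path, which is outside this hunk.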