diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2007-04-12 20:41:31 +0000 |
commit | 774a362e87feab25f1be16fbca08269ddc7121a4 (patch) | |
tree | cf71f4e7466468ac3edc2127125f333224a9acfb /src/pluto/smartcard.c | |
parent | c54a140a445bfe7aa66721f68bb0781f26add91c (diff) | |
download | vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.tar.gz vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.zip |
Major new upstream release, just ran svn-upgrade for now (and wrote some
debian/changelong entries).
Diffstat (limited to 'src/pluto/smartcard.c')
-rw-r--r-- | src/pluto/smartcard.c | 1956 |
1 files changed, 1956 insertions, 0 deletions
diff --git a/src/pluto/smartcard.c b/src/pluto/smartcard.c new file mode 100644 index 000000000..744f8a6f3 --- /dev/null +++ b/src/pluto/smartcard.c @@ -0,0 +1,1956 @@ +/* Support of smartcards and cryptotokens + * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen + * Copyright (C) 2004 David Buechi, Michael Meier + * Zuercher Hochschule Winterthur, Switzerland + * + * Copyright (C) 2005 Michael Joosten + * + * Copyright (C) 2005 Andreas Steffen + * Hochschule für Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: smartcard.c,v 1.41 2006/01/04 21:03:52 as Exp $ + */ + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <errno.h> +#include <string.h> +#include <time.h> +#include <dlfcn.h> + +#include <freeswan.h> +#include <ipsec_policy.h> + +#include "constants.h" + +#ifdef SMARTCARD +#include "rsaref/unix.h" +#include "rsaref/pkcs11.h" +#endif + +#include "defs.h" +#include "mp_defs.h" +#include "log.h" +#include "x509.h" +#include "ca.h" +#include "certs.h" +#include "keys.h" +#include "smartcard.h" +#include "whack.h" +#include "fetch.h" + +#define DEFAULT_BASE 16 + +/* chained list of smartcard records */ +static smartcard_t *smartcards = NULL; + +/* number of generated sc objects */ +static int sc_number = 0; + +const smartcard_t empty_sc = { + NULL , /* next */ + 0 , /* last_load */ + { CERT_NONE, {NULL} }, /* last_cert */ + 0 , /* count */ + 0 , /* number */ + 999999 , /* slot */ + NULL , /* id */ + NULL , /* label */ + { NULL, 0 } , /* pin */ + FALSE , /* pinpad */ + FALSE , /* valid */ + FALSE , /* session_opened */ + FALSE , /* logged_in */ + TRUE , /* any_slot */ + 0L , /* session */ +}; + +#ifdef SMARTCARD /* compile with smartcard support */ + +#define SCX_MAGIC 0xd00bed00 + +struct scx_pkcs11_module { + u_int _magic; + void *handle; +}; + +typedef struct scx_pkcs11_module scx_pkcs11_module_t; + +/* PKCS #11 cryptoki context */ +static bool scx_initialized = FALSE; +static scx_pkcs11_module_t *pkcs11_module = NULL_PTR; +static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR; + +/* crytoki v2.11 - return values of PKCS #11 functions*/ + +static const char *const pkcs11_return_name[] = { + "CKR_OK", + "CKR_CANCEL", + "CKR_HOST_MEMORY", + "CKR_SLOT_ID_INVALID", + "CKR_FLAGS_INVALID", + "CKR_GENERAL_ERROR", + "CKR_FUNCTION_FAILED", + "CKR_ARGUMENTS_BAD", + "CKR_NO_EVENT", + "CKR_NEED_TO_CREATE_THREADS", + "CKR_CANT_LOCK" + }; + +static const char *const pkcs11_return_name_10[] = { + "CKR_ATTRIBUTE_READ_ONLY", + "CKR_ATTRIBUTE_SENSITIVE", + "CKR_ATTRIBUTE_TYPE_INVALID", + "CKR_ATTRIBUTE_VALUE_INVALID" + }; + +static const char *const pkcs11_return_name_20[] = { + "CKR_DATA_INVALID", + "CKR_DATA_LEN_RANGE" + }; + +static const char *const pkcs11_return_name_30[] = { + "CKR_DEVICE_ERROR", + "CKR_DEVICE_MEMORY", + "CKR_DEVICE_REMOVED" + }; + +static const char *const pkcs11_return_name_40[] = { + "CKR_ENCRYPTED_DATA_INVALID", + "CKR_ENCRYPTED_DATA_LEN_RANGE" + }; + +static const char *const pkcs11_return_name_50[] = { + "CKR_FUNCTION_CANCELED", + "CKR_FUNCTION_NOT_PARALLEL", + "CKR_0x52_UNDEFINED", + "CKR_0x53_UNDEFINED", + "CKR_FUNCTION_NOT_SUPPORTED" + }; + +static const char *const pkcs11_return_name_60[] = { + "CKR_KEY_HANDLE_INVALID", + "CKR_KEY_SENSITIVE", + "CKR_KEY_SIZE_RANGE", + "CKR_KEY_TYPE_INCONSISTENT", + "CKR_KEY_NOT_NEEDED", + "CKR_KEY_CHANGED", + "CKR_KEY_NEEDED", + "CKR_KEY_INDIGESTIBLE", + "CKR_KEY_FUNCTION_NOT_PERMITTED", + "CKR_KEY_NOT_WRAPPABLE", + "CKR_KEY_UNEXTRACTABLE" + }; + +static const char *const pkcs11_return_name_70[] = { + "CKR_MECHANISM_INVALID", + "CKR_MECHANISM_PARAM_INVALID" + }; + +static const char *const pkcs11_return_name_80[] = { + "CKR_OBJECT_HANDLE_INVALID" + }; + +static const char *const pkcs11_return_name_90[] = { + "CKR_OPERATION_ACTIVE", + "CKR_OPERATION_NOT_INITIALIZED" + }; + +static const char *const pkcs11_return_name_A0[] = { + "CKR_PIN_INCORRECT", + "CKR_PIN_INVALID", + "CKR_PIN_LEN_RANGE", + "CKR_PIN_EXPIRED", + "CKR_PIN_LOCKED" + }; + +static const char *const pkcs11_return_name_B0[] = { + "CKR_SESSION_CLOSED", + "CKR_SESSION_COUNT", + "CKR_0xB2_UNDEFINED", + "CKR_SESSION_HANDLE_INVALID", + "CKR_SESSION_PARALLEL_NOT_SUPPORTED", + "CKR_SESSION_READ_ONLY", + "CKR_SESSION_EXISTS", + "CKR_SESSION_READ_ONLY_EXISTS", + "CKR_SESSION_READ_WRITE_SO_EXISTS" + }; + +static const char *const pkcs11_return_name_C0[] = { + "CKR_SIGNATURE_INVALID", + "CKR_SIGNATURE_LEN_RANGE" + }; + +static const char *const pkcs11_return_name_D0[] = { + "CKR_TEMPLATE_INCOMPLETE", + "CKR_TEMPLATE_INCONSISTENT" + }; + +static const char *const pkcs11_return_name_E0[] = { + "CKR_TOKEN_NOT_PRESENT", + "CKR_TOKEN_NOT_RECOGNIZED", + "CKR_TOKEN_WRITE_PROTECTED" + }; + +static const char *const pkcs11_return_name_F0[] = { + "CKR_UNWRAPPING_KEY_HANDLE_INVALID", + "CKR_UNWRAPPING_KEY_SIZE_RANGE", + "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT" + }; + +static const char *const pkcs11_return_name_100[] = { + "CKR_USER_ALREADY_LOGGED_IN", + "CKR_USER_NOT_LOGGED_IN", + "CKR_USER_PIN_NOT_INITIALIZED", + "CKR_USER_TYPE_INVALID", + "CKR_USER_ANOTHER_ALREADY_LOGGED_IN", + "CKR_USER_TOO_MANY_TYPES" + }; + +static const char *const pkcs11_return_name_110[] = { + "CKR_WRAPPED_KEY_INVALID", + "CKR_0x111_UNDEFINED", + "CKR_WRAPPED_KEY_LEN_RANGE", + "CKR_WRAPPING_KEY_HANDLE_INVALID", + "CKR_WRAPPING_KEY_SIZE_RANGE", + "CKR_WRAPPING_KEY_TYPE_INCONSISTENT" + }; + +static const char *const pkcs11_return_name_120[] = { + "CKR_RANDOM_SEED_NOT_SUPPORTED", + "CKR_RANDOM_NO_RNG" + }; + +static const char *const pkcs11_return_name_130[] = { + "CKR_DOMAIN_PARAMS_INVALID" + }; + +static const char *const pkcs11_return_name_150[] = { + "CKR_BUFFER_TOO_SMALL" + }; + +static const char *const pkcs11_return_name_160[] = { + "CKR_SAVED_STATE_INVALID" + }; + +static const char *const pkcs11_return_name_170[] = { + "CKR_INFORMATION_SENSITIVE" + }; + +static const char *const pkcs11_return_name_180[] = { + "CKR_STATE_UNSAVEABLE" + }; + +static const char *const pkcs11_return_name_190[] = { + "CKR_CRYPTOKI_NOT_INITIALIZED", + "CKR_CRYPTOKI_ALREADY_INITIALIZED" + }; + +static const char *const pkcs11_return_name_1A0[] = { + "CKR_MUTEX_BAD", + "CKR_MUTEX_NOT_LOCKED" + }; + +static const char *const pkcs11_return_name_200[] = { + "CKR_FUNCTION_REJECTED" + }; + +static const char *const pkcs11_return_name_vendor[] = { + "CKR_VENDOR_DEFINED" + }; + +static enum_names pkcs11_return_names_vendor = + { CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED + , pkcs11_return_name_vendor, NULL }; + +static enum_names pkcs11_return_names_200 = + { CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED + , pkcs11_return_name_200, &pkcs11_return_names_vendor }; + +static enum_names pkcs11_return_names_1A0 = + { CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED + , pkcs11_return_name_1A0, &pkcs11_return_names_200 }; + +static enum_names pkcs11_return_names_190 = + { CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED + , pkcs11_return_name_190, &pkcs11_return_names_1A0 }; + +static enum_names pkcs11_return_names_180 = + { CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE + , pkcs11_return_name_180, &pkcs11_return_names_190 }; + +static enum_names pkcs11_return_names_170 = + { CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE + , pkcs11_return_name_170, &pkcs11_return_names_180 }; + +static enum_names pkcs11_return_names_160 = + { CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID + , pkcs11_return_name_160, &pkcs11_return_names_170 }; + +static enum_names pkcs11_return_names_150 = + { CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL + , pkcs11_return_name_150, &pkcs11_return_names_160 }; + +static enum_names pkcs11_return_names_130 = + { CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID + , pkcs11_return_name_130, &pkcs11_return_names_150 }; + +static enum_names pkcs11_return_names_120 = + { CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG + , pkcs11_return_name_120, &pkcs11_return_names_130 }; + +static enum_names pkcs11_return_names_110 = + { CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT + , pkcs11_return_name_110, &pkcs11_return_names_120 }; + +static enum_names pkcs11_return_names_100 = + { CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES + , pkcs11_return_name_100, &pkcs11_return_names_110 }; + +static enum_names pkcs11_return_names_F0 = + { CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT + , pkcs11_return_name_F0, &pkcs11_return_names_100 }; + +static enum_names pkcs11_return_names_E0 = + { CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED + , pkcs11_return_name_E0, &pkcs11_return_names_F0 }; + +static enum_names pkcs11_return_names_D0 = + { CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT + , pkcs11_return_name_D0,&pkcs11_return_names_E0 }; + +static enum_names pkcs11_return_names_C0 = + { CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE + , pkcs11_return_name_C0, &pkcs11_return_names_D0 }; + +static enum_names pkcs11_return_names_B0 = + { CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS + , pkcs11_return_name_B0, &pkcs11_return_names_C0 }; + +static enum_names pkcs11_return_names_A0 = + { CKR_PIN_INCORRECT, CKR_PIN_LOCKED + , pkcs11_return_name_A0, &pkcs11_return_names_B0 }; + +static enum_names pkcs11_return_names_90 = + { CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED + , pkcs11_return_name_90, &pkcs11_return_names_A0 }; + +static enum_names pkcs11_return_names_80 = + { CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID + , pkcs11_return_name_80, &pkcs11_return_names_90 }; + +static enum_names pkcs11_return_names_70 = + { CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID + , pkcs11_return_name_70, &pkcs11_return_names_80 }; + +static enum_names pkcs11_return_names_60 = + { CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE + , pkcs11_return_name_60, &pkcs11_return_names_70 }; + +static enum_names pkcs11_return_names_50 = + { CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED + , pkcs11_return_name_50, &pkcs11_return_names_60 }; + +static enum_names pkcs11_return_names_40 = + { CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE + , pkcs11_return_name_40, &pkcs11_return_names_50 }; + +static enum_names pkcs11_return_names_30 = + { CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED + , pkcs11_return_name_30, &pkcs11_return_names_40 }; + +static enum_names pkcs11_return_names_20 = + { CKR_DATA_INVALID, CKR_DATA_LEN_RANGE + , pkcs11_return_name_20, &pkcs11_return_names_30 }; + +static enum_names pkcs11_return_names_10 = + { CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID + , pkcs11_return_name_10, &pkcs11_return_names_20}; + +static enum_names pkcs11_return_names = + { CKR_OK, CKR_CANT_LOCK + , pkcs11_return_name, &pkcs11_return_names_10}; + +/* + * Unload a PKCS#11 module. + * The calling application is responsible for cleaning up + * and calling C_Finalize() + */ +static CK_RV +scx_unload_pkcs11_module(scx_pkcs11_module_t *mod) +{ + if (!mod || mod->_magic != SCX_MAGIC) + return CKR_ARGUMENTS_BAD; + + if (dlclose(mod->handle) < 0) + return CKR_FUNCTION_FAILED; + + memset(mod, 0, sizeof(*mod)); + pfree(mod); + return CKR_OK; +} + +static scx_pkcs11_module_t* +scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs) +{ + CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR); + scx_pkcs11_module_t *mod; + void *handle; + int rv; + + if (name == NULL || *name == '\0') + return NULL; + + /* Try to load PKCS#11 library module*/ + handle = dlopen(name, RTLD_NOW); + if (handle == NULL) + return NULL; + + mod = alloc_thing(scx_pkcs11_module_t, "scx_pkcs11_module"); + mod->_magic = SCX_MAGIC; + mod->handle = handle; + + /* Get the list of function pointers */ + c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) + dlsym(mod->handle, "C_GetFunctionList"); + if (!c_get_function_list) + goto failed; + + rv = c_get_function_list(funcs); + if (rv == CKR_OK) + return mod; + +failed: scx_unload_pkcs11_module(mod); + return NULL; +} + +/* + * retrieve a certificate object + */ +static bool +scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object +, smartcard_t *sc, cert_t *cert) +{ + size_t hex_len, label_len; + u_char *hex_id = NULL; + chunk_t blob; + x509cert_t *x509cert; + + CK_ATTRIBUTE attr[] = { + { CKA_ID, NULL_PTR, 0L }, + { CKA_LABEL, NULL_PTR, 0L }, + { CKA_VALUE, NULL_PTR, 0L } + }; + + /* initialize the return argument */ + *cert = empty_cert; + + /* get the length of the attributes first */ + CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3); + if (rv != CKR_OK) + { + plog("couldn't read the attribute sizes: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + pfreeany(sc->label); + + hex_id = alloc_bytes(attr[0].ulValueLen, "hex id"); + hex_len = attr[0].ulValueLen; + sc->label = alloc_bytes(attr[1].ulValueLen + 1, "sc label"); + label_len = attr[1].ulValueLen; + blob.ptr = alloc_bytes(attr[2].ulValueLen, "x509cert blob"); + blob.len = attr[2].ulValueLen; + + attr[0].pValue = hex_id; + attr[1].pValue = sc->label; + attr[2].pValue = blob.ptr; + + /* now get the attributes */ + rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3); + if (rv != CKR_OK) + { + plog("couldn't read the attributes: %s" + , enum_show(&pkcs11_return_names, rv)); + pfree(hex_id); + pfreeany(sc->label); + pfree(blob.ptr); + return FALSE; + } + + pfreeany(sc->id); + + /* convert id from hex to ASCII */ + sc->id = alloc_bytes(2*hex_len + 1, " sc id"); + datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1); + pfree(hex_id); + + /* safeguard in case the label is not null terminated */ + sc->label[label_len] = '\0'; + + /* parse the retrieved cert */ + x509cert = alloc_thing(x509cert_t, "x509cert"); + *x509cert = empty_x509cert; + x509cert->smartcard = TRUE; + + if (!parse_x509cert(blob, 0, x509cert)) + { + plog("failed to load cert from smartcard, error in X.509 certificate"); + free_x509cert(x509cert); + return FALSE; + } + cert->type = CERT_X509_SIGNATURE; + cert->u.x509 = x509cert; + return TRUE; +} + +/* + * search a given slot for PKCS#11 certificate objects + */ +static void +scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) +{ + CK_RV rv; + CK_OBJECT_CLASS class = CKO_CERTIFICATE; + CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }}; + + rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1); + if (rv != CKR_OK) + { + plog("error in C_FindObjectsInit: %s" + , enum_show(&pkcs11_return_names, rv)); + return; + } + + for (;;) + { + CK_OBJECT_HANDLE object; + CK_ULONG obj_count = 0; + err_t ugh; + time_t valid_until; + smartcard_t *sc; + x509cert_t *cert; + + rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count); + if (rv != CKR_OK) + { + plog("error in C_FindObjects: %s" + , enum_show(&pkcs11_return_names, rv)); + break; + } + + /* no objects left */ + if (obj_count == 0) + break; + + /* create and initialize a new smartcard object */ + sc = alloc_thing(smartcard_t, "smartcard"); + *sc = empty_sc; + sc->any_slot = FALSE; + sc->slot = slot; + + if (!scx_find_cert_object(session, object, sc, &sc->last_cert)) + { + scx_free(sc); + continue; + } + DBG(DBG_CONTROL, + DBG_log("found cert in %s with id: %s, label: '%s'" + , scx_print_slot(sc, ""), sc->id, sc->label) + ) + + /* check validity of certificate */ + cert = sc->last_cert.u.x509; + valid_until = cert->notAfter; + ugh = check_validity(cert, &valid_until); + if (ugh != NULL) + { + plog(" %s", ugh); + free_x509cert(cert); + scx_free(sc); + continue; + } + else + { + DBG(DBG_CONTROL, + DBG_log(" certificate is valid") + ) + } + + sc = scx_add(sc); + + /* put end entity and ca certificates into different chains */ + if (cert->isCA) + add_authcert(cert, AUTH_CA); + else + { + add_x509_public_key(cert, valid_until, DAL_LOCAL); + sc->last_cert.u.x509 = add_x509cert(cert); + } + + share_cert(sc->last_cert); + time(&sc->last_load); + } + + rv = pkcs11_functions->C_FindObjectsFinal(session); + if (rv != CKR_OK) + { + plog("error in C_FindObjectsFinal: %s" + , enum_show(&pkcs11_return_names, rv)); + } +} + +/* + * search all slots for PKCS#11 certificate objects + */ +static void +scx_find_all_cert_objects(void) +{ + CK_RV rv; + CK_SLOT_ID_PTR slots = NULL_PTR; + CK_ULONG slot_count = 0; + CK_ULONG i; + + if (!scx_initialized) + { + plog("pkcs11 module not initialized"); + return; + } + + /* read size, always returns CKR_OK ! */ + rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count); + + /* allocate memory for the slots */ + slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots"); + + rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count); + if (rv != CKR_OK) + { + plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv)); + pfreeany(slots); + return; + } + + /* look in every slot for certificate objects */ + for (i = 0; i < slot_count; i++) + { + CK_SLOT_ID slot = slots[i]; + CK_SLOT_INFO info; + CK_SESSION_HANDLE session; + + rv = pkcs11_functions->C_GetSlotInfo(slot, &info); + + if (rv != CKR_OK) + { + plog("error in C_GetSlotInfo: %s" + , enum_show(&pkcs11_return_names, rv)); + continue; + } + + if (!(info.flags & CKF_TOKEN_PRESENT)) + { + plog("no token present in slot %lu", slot); + continue; + } + + rv = pkcs11_functions->C_OpenSession(slot + , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session); + if (rv != CKR_OK) + { + plog("failed to open a session on slot %lu: %s" + , slot, enum_show(&pkcs11_return_names, rv)); + continue; + } + DBG(DBG_CONTROLMORE, + DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot) + ) + scx_find_cert_objects(slot, session); + + rv = pkcs11_functions->C_CloseSession(session); + if (rv != CKR_OK) + { + plog("error in C_CloseSession: %s" + , enum_show(&pkcs11_return_names, rv)); + } + } + pfreeany(slots); +} +#endif + +/* + * load and initialize PKCS#11 cryptoki module + */ +void +scx_init(const char* module) +{ +#ifdef SMARTCARD + CK_RV rv; + + if (scx_initialized) + { + plog("weird - pkcs11 module seems already to be initialized"); + return; + } + + if (module == NULL) +#ifdef PKCS11_DEFAULT_LIB + module = PKCS11_DEFAULT_LIB; +#else + { + plog("no pkcs11 module defined"); + return; + } +#endif + + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 module '%s' loading...", module) + ) + pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions); + if (pkcs11_module == NULL) + { + plog("failed to load pkcs11 module '%s'", module); + return; + } + + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 module initializing...") + ) + rv = pkcs11_functions->C_Initialize(NULL); + if (rv != CKR_OK) + { + plog("failed to initialize pkcs11 module: %s" + , enum_show(&pkcs11_return_names, rv)); + return; + } + + scx_initialized = TRUE; + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 module loaded and initialized") + ) + + scx_find_all_cert_objects(); +#endif +} + +/* + * finalize and unload PKCS#11 cryptoki module + */ +void +scx_finalize(void) +{ +#ifdef SMARTCARD + while (smartcards != NULL) + { + scx_release(smartcards); + } + + if (pkcs11_functions != NULL_PTR) + { + pkcs11_functions->C_Finalize(NULL_PTR); + pkcs11_functions = NULL_PTR; + } + + if (pkcs11_module != NULL) + { + scx_unload_pkcs11_module(pkcs11_module); + pkcs11_module = NULL; + } + + scx_initialized = FALSE; + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 module finalized and unloaded") + ) +#endif +} + +/* + * does a filename contain the token %smartcard? + */ +bool +scx_on_smartcard(const char *filename) +{ + return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0; +} + +#ifdef SMARTCARD +/* + * find a specific object on the smartcard + */ +static bool +scx_pkcs11_find_object( CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE_PTR object, + CK_OBJECT_CLASS class, + const char* id) +{ + size_t len; + char buf[BUF_LEN]; + CK_RV rv; + CK_ULONG obj_count = 0; + CK_ULONG attr_count = 1; + + CK_ATTRIBUTE attr[] = { + { CKA_CLASS, &class, sizeof(class) }, + { CKA_ID, &buf, 0L } + }; + + if (id != NULL) + { + ttodata(id, strlen(id), 16, buf, BUF_LEN, &len); + attr[1].ulValueLen = len; + attr_count = 2; + } + + /* get info for certificate with id */ + rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count); + if (rv != CKR_OK) + { + plog("error in C_FindObjectsInit: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + rv = pkcs11_functions->C_FindObjects(session, object, 1, &obj_count); + if (rv != CKR_OK) + { + plog("error in C_FindObjects: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + rv = pkcs11_functions->C_FindObjectsFinal(session); + if (rv != CKR_OK) + { + plog("error in C_FindObjectsFinal: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + return (obj_count != 0); +} + +/* + * check if a given certificate object id is found in a slot + */ +static bool +scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot) +{ + CK_SESSION_HANDLE session; + CK_OBJECT_HANDLE object; + CK_SLOT_INFO info; + + CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info); + + if (rv != CKR_OK) + { + plog("error in C_GetSlotInfo: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + if (!(info.flags & CKF_TOKEN_PRESENT)) + { + plog("no token present in slot %lu", slot); + return FALSE; + } + + rv = pkcs11_functions->C_OpenSession(slot + , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session); + if (rv != CKR_OK) + { + plog("failed to open a session on slot %lu: %s" + , slot, enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + DBG(DBG_CONTROLMORE, + DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot) + ) + + /* check if there is a certificate on the card in the specified slot */ + if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id)) + { + sc->slot = slot; + sc->any_slot = FALSE; + sc->session = session; + sc->session_opened = TRUE; + return TRUE; + } + + rv = pkcs11_functions->C_CloseSession(session); + if (rv != CKR_OK) + { + plog("error in C_CloseSession: %s" + , enum_show(&pkcs11_return_names, rv)); + } + return FALSE; +} +#endif + +/* + * Connect to the smart card in the reader and select the correct slot + */ +bool +scx_establish_context(smartcard_t *sc) +{ +#ifdef SMARTCARD + bool id_found = FALSE; + + if (!scx_initialized) + { + plog("pkcs11 module not initialized"); + return FALSE; + } + + if (sc->session_opened) + { + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 session #%ld already open", sc->session) + ) + return TRUE; + } + + if (!sc->any_slot) + id_found = scx_find_cert_id_in_slot(sc, sc->slot); + + if (!id_found) + { + CK_RV rv; + CK_SLOT_ID slot; + CK_SLOT_ID_PTR slots = NULL_PTR; + CK_ULONG slot_count = 0; + CK_ULONG i; + + /* read size, always returns CKR_OK ! */ + rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count); + + /* allocate memory for the slots */ + slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots"); + + rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count); + if (rv != CKR_OK) + { + plog("error in C_GetSlotList: %s" + , enum_show(&pkcs11_return_names, rv)); + pfreeany(slots); + return FALSE; + } + + /* look in every slot for a certificate with a given object ID */ + for (i = 0; i < slot_count; i++) + { + slot = slots[i]; + id_found = scx_find_cert_id_in_slot(sc, slot); + if (id_found) + break; + } + pfreeany(slots) + } + + if (id_found) + { + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("found token with id %s in slot %lu", sc->id, sc->slot); + DBG_log("pkcs11 session #%ld opened", sc->session) + ) + } + else + { + plog(" no certificate with id %s found on smartcard", sc->id); + } + return id_found; +#else + plog("warning: SMARTCARD support is deactivated in pluto/Makefile!"); + return FALSE; +#endif +} + +/* + * log in to a session + */ +bool +scx_login(smartcard_t *sc) +{ +#ifdef SMARTCARD + CK_RV rv; + + if (sc->logged_in) + { + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 session #%ld login already done", sc->session) + ) + return TRUE; + } + + if (sc->pin.ptr == NULL) + { + plog("unable to log in without PIN!"); + return FALSE; + } + + if (!sc->session_opened) + { + plog("session not opened"); + return FALSE; + } + + rv = pkcs11_functions->C_Login(sc->session, CKU_USER + , (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len); + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) + { + plog("unable to login: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 session #%ld login successful", sc->session) + ) + sc->logged_in = TRUE; + return TRUE; +#else + return FALSE; +#endif +} + +#ifdef SMARTCARD +/* + * logout from a session + */ +static void +scx_logout(smartcard_t *sc) +{ + CK_RV rv; + + rv = pkcs11_functions->C_Logout(sc->session); + if (rv != CKR_OK) + plog("error in C_Logout: %s" + , enum_show(&pkcs11_return_names, rv)); + else + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 session #%ld logout", sc->session) + ) + sc->logged_in = FALSE; +} +#endif + + +/* + * Release context and disconnect from card + */ +void +scx_release_context(smartcard_t *sc) +{ +#ifdef SMARTCARD + CK_RV rv; + + if (!scx_initialized) + return; + + if (sc->session_opened) + { + if (sc->logged_in) + scx_logout(sc); + + sc->session_opened = FALSE; + + rv = pkcs11_functions->C_CloseSession(sc->session); + if (rv != CKR_OK) + plog("error in C_CloseSession: %s" + , enum_show(&pkcs11_return_names, rv)); + else + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("pkcs11 session #%ld closed", sc->session) + ) + } +#endif +} + +/* + * Load host certificate from smartcard + */ +bool +scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert +, bool *cached) +{ +#ifdef SMARTCARD /* compile with smartcard support */ + CK_OBJECT_HANDLE object; + + const char *number_slot_id = filename + strlen(SCX_TOKEN); + + smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id)); + + /* return the smartcard object */ + *scp = sc; + + /* is there a cached smartcard certificate? */ + *cached = sc->last_cert.type != CERT_NONE + && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL; + + if (*cached) + { + *cert = sc->last_cert; + plog(" using cached cert from smartcard #%d (%s, id: %s, label: '%s')" + , sc->number + , scx_print_slot(sc, "") + , sc->id + , sc->label); + return TRUE; + } + + if (!scx_establish_context(sc)) + { + scx_release_context(sc); + return FALSE; + } + + /* find the certificate object */ + if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id)) + { + scx_release_context(sc); + return FALSE; + } + + /* retrieve the certificate object */ + if (!scx_find_cert_object(sc->session, object, sc, cert)) + { + scx_release_context(sc); + return FALSE; + } + + if (!pkcs11_keep_state) + scx_release_context(sc); + + plog(" loaded cert from smartcard #%d (%s, id: %s, label: '%s')" + , sc->number + , scx_print_slot(sc, "") + , sc->id + , sc->label); + + return TRUE; +#else + plog(" warning: SMARTCARD support is deactivated in pluto/Makefile!"); + return FALSE; +#endif +} + +/* + * parse slot number and key id + * the following syntax is allowed + * number slot id + * %smartcard 1 - - + * %smartcard#2 2 - - + * %smartcard0 - 0 - + * %smartcard:45 - - 45 + * %smartcard0:45 - 0 45 + */ +smartcard_t* +scx_parse_number_slot_id(const char *number_slot_id) +{ + int len = strlen(number_slot_id); + smartcard_t *sc = alloc_thing(smartcard_t, "smartcard"); + + /* assign default values */ + *sc = empty_sc; + + if (len == 0) /* default: use certificate #1 */ + { + sc->number = 1; + } + else if (*number_slot_id == '#') /* #number scheme */ + { + err_t ugh; + unsigned long ul; + + ugh = atoul(number_slot_id+1, len-1 , 10, &ul); + if (ugh == NULL) + sc->number = (int)ul; + else + plog("error parsing smartcard number: %s", ugh); + } + else /* slot:id scheme */ + { + int slot_len = len; + char *p = strchr(number_slot_id, ':'); + + if (p != NULL) + { + int id_len = len - (p + 1 - number_slot_id); + slot_len -= (1 + id_len); + + if (id_len > 0) /* we have an id */ + sc->id = p + 1; + } + if (slot_len > 0) /* we have a slot */ + { + err_t ugh = NULL; + unsigned long ul; + + ugh = atoul(number_slot_id, slot_len, 10, &ul); + if (ugh == NULL) + { + sc->slot = ul; + sc->any_slot = FALSE; + } + else + plog("error parsing smartcard slot number: %s", ugh); + } + } + /* unshare the id string */ + sc->id = clone_str(sc->id, "key id"); + return sc; +} + +/* + * Verify pin on card + */ +bool +scx_verify_pin(smartcard_t *sc) +{ +#ifdef SMARTCARD + CK_RV rv; + + if (!sc->pinpad) + sc->valid = FALSE; + + if (sc->pin.ptr == NULL) + { + plog("unable to verify without PIN"); + return FALSE; + } + + /* establish context */ + if (!scx_establish_context(sc)) + { + scx_release_context(sc); + return FALSE; + } + + rv = pkcs11_functions->C_Login(sc->session, CKU_USER, + (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len); + if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) + { + sc->valid = TRUE; + sc->logged_in = TRUE; + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log((rv == CKR_OK) + ? "PIN code correct" + : "already logged in, no PIN entry required"); + DBG_log("pkcs11 session #%ld login successful", sc->session) + ) + } + else + { + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("PIN code incorrect") + ) + } + if (!pkcs11_keep_state) + scx_release_context(sc); +#else + sc->valid = FALSE; +#endif + return sc->valid; +} + +/* + * Sign hash on smartcard + */ +bool +scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen +, u_char *out, size_t outlen) +{ +#ifdef SMARTCARD + CK_RV rv; + CK_OBJECT_HANDLE object; + CK_ULONG siglen = (CK_ULONG)outlen; + CK_BBOOL sign_flag, decrypt_flag; + CK_ATTRIBUTE attr[] = { + { CKA_SIGN, &sign_flag, sizeof(sign_flag) }, + { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) } + }; + + if (!sc->logged_in) + return FALSE; + + if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) + { + plog("unable to find private key with id '%s'", sc->id); + return FALSE; + } + + rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2); + if (rv != CKR_OK) + { + plog("couldn't read the private key attributes: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + DBG(DBG_CONTROL, + DBG_log("RSA key flags: sign = %s, decrypt = %s" + , (sign_flag)? "true":"false" + , (decrypt_flag)? "true":"false") + ) + + if (sign_flag) + { + CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; + + rv = pkcs11_functions->C_SignInit(sc->session, &mech, object); + if (rv != CKR_OK) + { + plog("error in C_SignInit: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen + , out, &siglen); + if (rv != CKR_OK) + { + plog("error in C_Sign: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + } + else if (decrypt_flag) + { + CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 }; + size_t padlen; + u_char *p = out ; + + /* PKCS#1 v1.5 8.1 encryption-block formatting */ + *p++ = 0x00; + *p++ = 0x01; /* BT (block type) 01 */ + padlen = outlen - 3 - inlen; + memset(p, 0xFF, padlen); + p += padlen; + *p++ = 0x00; + memcpy(p, in, inlen); + + rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object); + if (rv != CKR_OK) + { + plog("error in C_DecryptInit: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen + , out, &siglen); + if (rv != CKR_OK) + { + plog("error in C_Decrypt: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + } + else + { + plog("private key has neither sign nor decrypt flag set"); + return FALSE; + } + + if (siglen > (CK_ULONG)outlen) + { + plog("signature length (%lu) larger than allocated buffer (%d)" + , siglen, (int)outlen); + return FALSE; + } + return TRUE; +#else + return FALSE; +#endif +} + +/* + * encrypt data block with an RSA public key + */ +bool +scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen +, u_char *out, size_t *outlen) +{ +#ifdef SMARTCARD + CK_RV rv; + CK_OBJECT_HANDLE object; + CK_ULONG len = (CK_ULONG)(*outlen); + CK_BBOOL encrypt_flag; + CK_ATTRIBUTE attr[] = { + { CKA_MODULUS, NULL_PTR, 0L }, + { CKA_PUBLIC_EXPONENT, NULL_PTR, 0L }, + { CKA_ENCRYPT, &encrypt_flag, sizeof(encrypt_flag) } + }; + CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; + + if (!scx_establish_context(sc)) + { + scx_release_context(sc); + return FALSE; + } + + if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id)) + { + plog("unable to find public key with id '%s'", sc->id); + return FALSE; + } + + rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3); + if (rv != CKR_OK) + { + plog("couldn't read the public key attributes: %s" + , enum_show(&pkcs11_return_names, rv)); + scx_release_context(sc); + return FALSE; + } + + if (!encrypt_flag) + { + plog("public key cannot be used for encryption"); + scx_release_context(sc); + return FALSE; + } + + /* there must be enough space left for the PKCS#1 v1.5 padding */ + if (inlen > attr[0].ulValueLen - 11) + { + plog("smartcard input data length (%d) exceeds maximum of %lu bytes" + , (int)inlen, attr[0].ulValueLen - 11); + if (!pkcs11_keep_state) + scx_release_context(sc); + return FALSE; + } + + rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object); + + if (rv != CKR_OK) + { + if (rv == CKR_FUNCTION_NOT_SUPPORTED) + { + RSA_public_key_t rsa; + chunk_t plain_text = {in, inlen}; + chunk_t cipher_text; + + DBG(DBG_CONTROL, + DBG_log("doing RSA encryption in software") + ) + attr[0].pValue = alloc_bytes(attr[0].ulValueLen, "modulus"); + attr[1].pValue = alloc_bytes(attr[1].ulValueLen, "exponent"); + + rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2); + if (rv != CKR_OK) + { + plog("couldn't read modulus and public exponent: %s" + , enum_show(&pkcs11_return_names, rv)); + pfree(attr[0].pValue); + pfree(attr[1].pValue); + scx_release_context(sc); + return FALSE; + } + rsa.k = attr[0].ulValueLen; + n_to_mpz(&rsa.n, attr[0].pValue, attr[0].ulValueLen); + n_to_mpz(&rsa.e, attr[1].pValue, attr[1].ulValueLen); + pfree(attr[0].pValue); + pfree(attr[1].pValue); + + cipher_text = RSA_encrypt(&rsa, plain_text); + free_RSA_public_content(&rsa); + if (cipher_text.ptr == NULL) + { + plog("smartcard input data length is too large"); + if (!pkcs11_keep_state) + scx_release_context(sc); + return FALSE; + } + + memcpy(out, cipher_text.ptr, cipher_text.len); + *outlen = cipher_text.len; + freeanychunk(cipher_text); + if (!pkcs11_keep_state) + scx_release_context(sc); + return TRUE; + } + else + { + plog("error in C_EncryptInit: %s" + , enum_show(&pkcs11_return_names, rv)); + scx_release_context(sc); + return FALSE; + } + } + + DBG(DBG_CONTROL, + DBG_log("doing RSA encryption on smartcard") + ) + rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen + , out, &len); + if (rv != CKR_OK) + { + plog("error in C_Encrypt: %s" + , enum_show(&pkcs11_return_names, rv)); + scx_release_context(sc); + return FALSE; + } + if (!pkcs11_keep_state) + scx_release_context(sc); + + *outlen = (size_t)len; + return TRUE; +#else + return FALSE; +#endif +} +/* + * decrypt a data block with an RSA private key + */ +bool +scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen +, u_char *out, size_t *outlen) +{ +#ifdef SMARTCARD + CK_RV rv; + CK_OBJECT_HANDLE object; + CK_ULONG len = (CK_ULONG)(*outlen); + CK_BBOOL decrypt_flag; + CK_ATTRIBUTE attr[] = { + { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) } + }; + CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; + + if (!scx_establish_context(sc) || !scx_login(sc)) + { + scx_release_context(sc); + return FALSE; + } + + if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) + { + plog("unable to find private key with id '%s'", sc->id); + return FALSE; + } + + rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1); + if (rv != CKR_OK) + { + plog("couldn't read the private key attributes: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + if (!decrypt_flag) + { + plog("private key cannot be used for decryption"); + scx_release_context(sc); + return FALSE; + } + + DBG(DBG_CONTROL, + DBG_log("doing RSA decryption on smartcard") + ) + rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object); + if (rv != CKR_OK) + { + plog("error in C_DecryptInit: %s" + , enum_show(&pkcs11_return_names, rv)); + scx_release_context(sc); + return FALSE; + } + + rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen + , out, &len); + if (rv != CKR_OK) + { + plog("error in C_Decrypt: %s" + , enum_show(&pkcs11_return_names, rv)); + scx_release_context(sc); + return FALSE; + } + if (!pkcs11_keep_state) + scx_release_context(sc); + + *outlen = (size_t)len; + return TRUE; +#else + return FALSE; +#endif +} + +/* receive an encrypted data block via whack, + * decrypt it using a private RSA key and + * return the decrypted data block via whack + */ +bool +scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op +, const char* keyid, int whackfd) +{ + char inbuf[RSA_MAX_OCTETS]; + char outbuf[2*RSA_MAX_OCTETS + 1]; + size_t outlen = sizeof(inbuf); + size_t inlen; + smartcard_t *sc,*sc_new; + + const char *number_slot_id = ""; + + err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen); + + /* no prefix - use default base */ + if (ugh != NULL && inbase == 0) + ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen); + + if (ugh != NULL) + { + plog("format error in smartcard input data: %s", ugh); + return FALSE; + } + + if (keyid != NULL) + { + number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0) + ? keyid + strlen(SCX_TOKEN) : keyid; + } + + sc_new = scx_parse_number_slot_id(number_slot_id); + sc = scx_add(sc_new); + if (sc == sc_new) + scx_share(sc); + + DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW, + DBG_dump("smartcard input data:\n", inbuf, inlen) + ) + + if (op == SC_OP_DECRYPT) + { + if (!sc->valid && whackfd != NULL_FD) + scx_get_pin(sc, whackfd); + + if (!sc->valid) + { + loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN"); + return FALSE; + } + } + + DBG(DBG_CONTROL | DBG_CRYPT, + DBG_log("using RSA key from smartcard (slot: %d, id: %s)" + , (int)sc->slot, sc->id) + ) + + switch (op) + { + case SC_OP_ENCRYPT: + if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen)) + return FALSE; + break; + case SC_OP_DECRYPT: + if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen)) + return FALSE; + break; + default: + break; + } + + DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW, + DBG_dump("smartcard output data:\n", inbuf, outlen) + ) + + if (outbase == 0) /* use default base */ + outbase = DEFAULT_BASE; + + if (outbase == 256) /* ascii plain text */ + whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf); + else + { + outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf)); + if (outlen == 0) + { + plog("error in output format conversion"); + return FALSE; + } + whack_log(RC_COMMENT, "%s", outbuf); + } + return TRUE; +} + + /* + * get length of RSA key in bytes + */ +size_t +scx_get_keylength(smartcard_t *sc) +{ +#ifdef SMARTCARD + CK_RV rv; + CK_OBJECT_HANDLE object; + CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}}; + + if (!sc->logged_in) + return FALSE; + + if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) + { + plog("unable to find private key with id '%s'", sc->id); + return FALSE; + } + + /* get the length of the private key */ + rv = pkcs11_functions->C_GetAttributeValue(sc->session, object + , (CK_ATTRIBUTE_PTR)&attr, 1); + if (rv != CKR_OK) + { + plog("failed to get key length: %s" + , enum_show(&pkcs11_return_names, rv)); + return FALSE; + } + + return attr[0].ulValueLen; /*Return key length in bytes */ +#else + return 0; +#endif +} + +/* + * prompt for pin and verify it + */ +bool +scx_get_pin(smartcard_t *sc, int whackfd) +{ +#ifdef SMARTCARD + char pin[BUF_LEN]; + int i, n; + + whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')" + , sc->number, scx_print_slot(sc, ""), sc->id, sc->label); + + for (i = 0; i < SCX_MAX_PIN_TRIALS; i++) + { + if (i > 0) + whack_log(RC_ENTERSECRET, "invalid PIN, please try again"); + + n = read(whackfd, pin, BUF_LEN); + + if (n == -1) + { + whack_log(RC_LOG_SERIOUS, "read(whackfd) failed"); + return FALSE; + } + + if (strlen(pin) == 0) + { + whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted"); + return FALSE; + } + + sc->pin.ptr = pin; + sc->pin.len = strlen(pin); + + /* verify the pin */ + if (scx_verify_pin(sc)) + { + clonetochunk(sc->pin, pin, strlen(pin), "pin"); + break; + } + + /* wrong pin - we try another round */ + sc->pin = empty_chunk; + } + + if (sc->valid) + whack_log(RC_SUCCESS, "valid PIN"); + else + whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials"); +#else + sc->valid = FALSE; + whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!"); +#endif + return sc->valid; +} + + +/* + * free the pin code + */ +void +scx_free_pin(chunk_t *pin) +{ + if (pin->ptr != NULL) + { + /* clear pin field in memory */ + memset(pin->ptr, '\0', pin->len); + pfree(pin->ptr); + *pin = empty_chunk; + } +} + +/* + * frees a smartcard record + */ +void +scx_free(smartcard_t *sc) +{ + if (sc != NULL) + { + scx_release_context(sc); + pfreeany(sc->id); + pfreeany(sc->label); + scx_free_pin(&sc->pin); + pfree(sc); + } +} + +/* release of a smartcard record decreases the count by one + " the record is freed when the counter reaches zero + */ +void +scx_release(smartcard_t *sc) +{ + if (sc != NULL && --sc->count == 0) + { + smartcard_t **pp = &smartcards; + while (*pp != sc) + pp = &(*pp)->next; + *pp = sc->next; + release_cert(sc->last_cert); + scx_free(sc); + } +} + +/* + * compare two smartcard records by comparing their slots and ids + */ +static bool +scx_same(smartcard_t *a, smartcard_t *b) +{ + if (a->number && b->number) + { + /* same number */ + return a->number == b->number; + } + else + { + /* same id and/or same slot */ + return (!a->id || (b->id && streq(a->id, b->id))) + && (a->any_slot || b->any_slot || a->slot == b->slot); + } +} + +/* for each link pointing to the smartcard record + " increase the count by one + */ +void +scx_share(smartcard_t *sc) +{ + if (sc != NULL) + sc->count++; +} + +/* + * adds a smartcard record to the chained list + */ +smartcard_t* +scx_add(smartcard_t *smartcard) +{ + smartcard_t *sc = smartcards; + smartcard_t **psc = &smartcards; + + while (sc != NULL) + { + if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */ + { + scx_free(smartcard); + return sc; + } + psc = &sc->next; + sc = sc->next; + } + + /* insert new smartcard record at the end of the chain */ + *psc = smartcard; + smartcard->number = ++sc_number; + smartcard->count = 1; + DBG(DBG_CONTROL | DBG_PARSING, + DBG_log(" smartcard #%d added", sc_number) + ) + return smartcard; +} + +/* + * get the smartcard that belongs to an X.509 certificate + */ +smartcard_t* +scx_get(x509cert_t *cert) +{ + smartcard_t *sc = smartcards; + + while (sc != NULL) + { + if (sc->last_cert.u.x509 == cert) + return sc; + sc = sc->next; + } + return NULL; +} + +/* + * prints either the slot number or 'any slot' + */ +char * +scx_print_slot(smartcard_t *sc, const char *whitespace) +{ + char *buf = temporary_cyclic_buffer(); + + if (sc->any_slot) + snprintf(buf, BUF_LEN, "any slot"); + else + snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot); + return buf; +} + +/* + * list all smartcard info records in a chained list + */ +void +scx_list(bool utc) +{ + smartcard_t *sc = smartcards; + + if (sc != NULL) + { + whack_log(RC_COMMENT, " "); + whack_log(RC_COMMENT, "List of Smartcard Objects:"); + whack_log(RC_COMMENT, " "); + } + + while (sc != NULL) + { + whack_log(RC_COMMENT, "%s, #%d, count: %d" + , timetoa(&sc->last_load, utc) + , sc->number + , sc->count); + whack_log(RC_COMMENT, " %s, session %s, logged %s, has %s" + , scx_print_slot(sc, " ") + , sc->session_opened? "opened" : "closed" + , sc->logged_in? "in" : "out" + , sc->pinpad? "pin pad" + : ((sc->pin.ptr == NULL)? "no pin" + : sc->valid? "valid pin" : "invalid pin")); + if (sc->id != NULL) + whack_log(RC_COMMENT, " id: %s", sc->id); + if (sc->label != NULL) + whack_log(RC_COMMENT, " label: '%s'", sc->label); + if (sc->last_cert.type == CERT_X509_SIGNATURE) + { + char buf[BUF_LEN]; + + dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject); + whack_log(RC_COMMENT, " subject: '%s'", buf); + } + sc = sc->next; + } +} |