diff options
Diffstat (limited to 'programs/pluto/smartcard.c')
-rw-r--r-- | programs/pluto/smartcard.c | 1956 |
1 files changed, 0 insertions, 1956 deletions
diff --git a/programs/pluto/smartcard.c b/programs/pluto/smartcard.c deleted file mode 100644 index f1994f1cf..000000000 --- a/programs/pluto/smartcard.c +++ /dev/null @@ -1,1956 +0,0 @@ -/* Support of smartcards and cryptotokens - * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen - * Copyright (C) 2004 David Buechi, Michael Meier - * Zuercher Hochschule Winterthur, Switzerland - * - * Copyright (C) 2005 Michael Joosten - * - * Copyright (C) 2005 Andreas Steffen - * Hochschule für Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: smartcard.c,v 1.41 2006/01/04 21:03:52 as Exp $ - */ - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> -#include <errno.h> -#include <string.h> -#include <time.h> -#include <dlfcn.h> - -#include <freeswan.h> -#include <freeswan/ipsec_policy.h> - -#include "constants.h" - -#ifdef SMARTCARD -#include "rsaref/unix.h" -#include "rsaref/pkcs11.h" -#endif - -#include "defs.h" -#include "mp_defs.h" -#include "log.h" -#include "x509.h" -#include "ca.h" -#include "certs.h" -#include "keys.h" -#include "smartcard.h" -#include "whack.h" -#include "fetch.h" - -#define DEFAULT_BASE 16 - -/* chained list of smartcard records */ -static smartcard_t *smartcards = NULL; - -/* number of generated sc objects */ -static int sc_number = 0; - -const smartcard_t empty_sc = { - NULL , /* next */ - 0 , /* last_load */ - { CERT_NONE, {NULL} }, /* last_cert */ - 0 , /* count */ - 0 , /* number */ - 999999 , /* slot */ - NULL , /* id */ - NULL , /* label */ - { NULL, 0 } , /* pin */ - FALSE , /* pinpad */ - FALSE , /* valid */ - FALSE , /* session_opened */ - FALSE , /* logged_in */ - TRUE , /* any_slot */ - 0L , /* session */ -}; - -#ifdef SMARTCARD /* compile with smartcard support */ - -#define SCX_MAGIC 0xd00bed00 - -struct scx_pkcs11_module { - u_int _magic; - void *handle; -}; - -typedef struct scx_pkcs11_module scx_pkcs11_module_t; - -/* PKCS #11 cryptoki context */ -static bool scx_initialized = FALSE; -static scx_pkcs11_module_t *pkcs11_module = NULL_PTR; -static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR; - -/* crytoki v2.11 - return values of PKCS #11 functions*/ - -static const char *const pkcs11_return_name[] = { - "CKR_OK", - "CKR_CANCEL", - "CKR_HOST_MEMORY", - "CKR_SLOT_ID_INVALID", - "CKR_FLAGS_INVALID", - "CKR_GENERAL_ERROR", - "CKR_FUNCTION_FAILED", - "CKR_ARGUMENTS_BAD", - "CKR_NO_EVENT", - "CKR_NEED_TO_CREATE_THREADS", - "CKR_CANT_LOCK" - }; - -static const char *const pkcs11_return_name_10[] = { - "CKR_ATTRIBUTE_READ_ONLY", - "CKR_ATTRIBUTE_SENSITIVE", - "CKR_ATTRIBUTE_TYPE_INVALID", - "CKR_ATTRIBUTE_VALUE_INVALID" - }; - -static const char *const pkcs11_return_name_20[] = { - "CKR_DATA_INVALID", - "CKR_DATA_LEN_RANGE" - }; - -static const char *const pkcs11_return_name_30[] = { - "CKR_DEVICE_ERROR", - "CKR_DEVICE_MEMORY", - "CKR_DEVICE_REMOVED" - }; - -static const char *const pkcs11_return_name_40[] = { - "CKR_ENCRYPTED_DATA_INVALID", - "CKR_ENCRYPTED_DATA_LEN_RANGE" - }; - -static const char *const pkcs11_return_name_50[] = { - "CKR_FUNCTION_CANCELED", - "CKR_FUNCTION_NOT_PARALLEL", - "CKR_0x52_UNDEFINED", - "CKR_0x53_UNDEFINED", - "CKR_FUNCTION_NOT_SUPPORTED" - }; - -static const char *const pkcs11_return_name_60[] = { - "CKR_KEY_HANDLE_INVALID", - "CKR_KEY_SENSITIVE", - "CKR_KEY_SIZE_RANGE", - "CKR_KEY_TYPE_INCONSISTENT", - "CKR_KEY_NOT_NEEDED", - "CKR_KEY_CHANGED", - "CKR_KEY_NEEDED", - "CKR_KEY_INDIGESTIBLE", - "CKR_KEY_FUNCTION_NOT_PERMITTED", - "CKR_KEY_NOT_WRAPPABLE", - "CKR_KEY_UNEXTRACTABLE" - }; - -static const char *const pkcs11_return_name_70[] = { - "CKR_MECHANISM_INVALID", - "CKR_MECHANISM_PARAM_INVALID" - }; - -static const char *const pkcs11_return_name_80[] = { - "CKR_OBJECT_HANDLE_INVALID" - }; - -static const char *const pkcs11_return_name_90[] = { - "CKR_OPERATION_ACTIVE", - "CKR_OPERATION_NOT_INITIALIZED" - }; - -static const char *const pkcs11_return_name_A0[] = { - "CKR_PIN_INCORRECT", - "CKR_PIN_INVALID", - "CKR_PIN_LEN_RANGE", - "CKR_PIN_EXPIRED", - "CKR_PIN_LOCKED" - }; - -static const char *const pkcs11_return_name_B0[] = { - "CKR_SESSION_CLOSED", - "CKR_SESSION_COUNT", - "CKR_0xB2_UNDEFINED", - "CKR_SESSION_HANDLE_INVALID", - "CKR_SESSION_PARALLEL_NOT_SUPPORTED", - "CKR_SESSION_READ_ONLY", - "CKR_SESSION_EXISTS", - "CKR_SESSION_READ_ONLY_EXISTS", - "CKR_SESSION_READ_WRITE_SO_EXISTS" - }; - -static const char *const pkcs11_return_name_C0[] = { - "CKR_SIGNATURE_INVALID", - "CKR_SIGNATURE_LEN_RANGE" - }; - -static const char *const pkcs11_return_name_D0[] = { - "CKR_TEMPLATE_INCOMPLETE", - "CKR_TEMPLATE_INCONSISTENT" - }; - -static const char *const pkcs11_return_name_E0[] = { - "CKR_TOKEN_NOT_PRESENT", - "CKR_TOKEN_NOT_RECOGNIZED", - "CKR_TOKEN_WRITE_PROTECTED" - }; - -static const char *const pkcs11_return_name_F0[] = { - "CKR_UNWRAPPING_KEY_HANDLE_INVALID", - "CKR_UNWRAPPING_KEY_SIZE_RANGE", - "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT" - }; - -static const char *const pkcs11_return_name_100[] = { - "CKR_USER_ALREADY_LOGGED_IN", - "CKR_USER_NOT_LOGGED_IN", - "CKR_USER_PIN_NOT_INITIALIZED", - "CKR_USER_TYPE_INVALID", - "CKR_USER_ANOTHER_ALREADY_LOGGED_IN", - "CKR_USER_TOO_MANY_TYPES" - }; - -static const char *const pkcs11_return_name_110[] = { - "CKR_WRAPPED_KEY_INVALID", - "CKR_0x111_UNDEFINED", - "CKR_WRAPPED_KEY_LEN_RANGE", - "CKR_WRAPPING_KEY_HANDLE_INVALID", - "CKR_WRAPPING_KEY_SIZE_RANGE", - "CKR_WRAPPING_KEY_TYPE_INCONSISTENT" - }; - -static const char *const pkcs11_return_name_120[] = { - "CKR_RANDOM_SEED_NOT_SUPPORTED", - "CKR_RANDOM_NO_RNG" - }; - -static const char *const pkcs11_return_name_130[] = { - "CKR_DOMAIN_PARAMS_INVALID" - }; - -static const char *const pkcs11_return_name_150[] = { - "CKR_BUFFER_TOO_SMALL" - }; - -static const char *const pkcs11_return_name_160[] = { - "CKR_SAVED_STATE_INVALID" - }; - -static const char *const pkcs11_return_name_170[] = { - "CKR_INFORMATION_SENSITIVE" - }; - -static const char *const pkcs11_return_name_180[] = { - "CKR_STATE_UNSAVEABLE" - }; - -static const char *const pkcs11_return_name_190[] = { - "CKR_CRYPTOKI_NOT_INITIALIZED", - "CKR_CRYPTOKI_ALREADY_INITIALIZED" - }; - -static const char *const pkcs11_return_name_1A0[] = { - "CKR_MUTEX_BAD", - "CKR_MUTEX_NOT_LOCKED" - }; - -static const char *const pkcs11_return_name_200[] = { - "CKR_FUNCTION_REJECTED" - }; - -static const char *const pkcs11_return_name_vendor[] = { - "CKR_VENDOR_DEFINED" - }; - -static enum_names pkcs11_return_names_vendor = - { CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED - , pkcs11_return_name_vendor, NULL }; - -static enum_names pkcs11_return_names_200 = - { CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED - , pkcs11_return_name_200, &pkcs11_return_names_vendor }; - -static enum_names pkcs11_return_names_1A0 = - { CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED - , pkcs11_return_name_1A0, &pkcs11_return_names_200 }; - -static enum_names pkcs11_return_names_190 = - { CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED - , pkcs11_return_name_190, &pkcs11_return_names_1A0 }; - -static enum_names pkcs11_return_names_180 = - { CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE - , pkcs11_return_name_180, &pkcs11_return_names_190 }; - -static enum_names pkcs11_return_names_170 = - { CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE - , pkcs11_return_name_170, &pkcs11_return_names_180 }; - -static enum_names pkcs11_return_names_160 = - { CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID - , pkcs11_return_name_160, &pkcs11_return_names_170 }; - -static enum_names pkcs11_return_names_150 = - { CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL - , pkcs11_return_name_150, &pkcs11_return_names_160 }; - -static enum_names pkcs11_return_names_130 = - { CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID - , pkcs11_return_name_130, &pkcs11_return_names_150 }; - -static enum_names pkcs11_return_names_120 = - { CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG - , pkcs11_return_name_120, &pkcs11_return_names_130 }; - -static enum_names pkcs11_return_names_110 = - { CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT - , pkcs11_return_name_110, &pkcs11_return_names_120 }; - -static enum_names pkcs11_return_names_100 = - { CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES - , pkcs11_return_name_100, &pkcs11_return_names_110 }; - -static enum_names pkcs11_return_names_F0 = - { CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT - , pkcs11_return_name_F0, &pkcs11_return_names_100 }; - -static enum_names pkcs11_return_names_E0 = - { CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED - , pkcs11_return_name_E0, &pkcs11_return_names_F0 }; - -static enum_names pkcs11_return_names_D0 = - { CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT - , pkcs11_return_name_D0,&pkcs11_return_names_E0 }; - -static enum_names pkcs11_return_names_C0 = - { CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE - , pkcs11_return_name_C0, &pkcs11_return_names_D0 }; - -static enum_names pkcs11_return_names_B0 = - { CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS - , pkcs11_return_name_B0, &pkcs11_return_names_C0 }; - -static enum_names pkcs11_return_names_A0 = - { CKR_PIN_INCORRECT, CKR_PIN_LOCKED - , pkcs11_return_name_A0, &pkcs11_return_names_B0 }; - -static enum_names pkcs11_return_names_90 = - { CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED - , pkcs11_return_name_90, &pkcs11_return_names_A0 }; - -static enum_names pkcs11_return_names_80 = - { CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID - , pkcs11_return_name_80, &pkcs11_return_names_90 }; - -static enum_names pkcs11_return_names_70 = - { CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID - , pkcs11_return_name_70, &pkcs11_return_names_80 }; - -static enum_names pkcs11_return_names_60 = - { CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE - , pkcs11_return_name_60, &pkcs11_return_names_70 }; - -static enum_names pkcs11_return_names_50 = - { CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED - , pkcs11_return_name_50, &pkcs11_return_names_60 }; - -static enum_names pkcs11_return_names_40 = - { CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE - , pkcs11_return_name_40, &pkcs11_return_names_50 }; - -static enum_names pkcs11_return_names_30 = - { CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED - , pkcs11_return_name_30, &pkcs11_return_names_40 }; - -static enum_names pkcs11_return_names_20 = - { CKR_DATA_INVALID, CKR_DATA_LEN_RANGE - , pkcs11_return_name_20, &pkcs11_return_names_30 }; - -static enum_names pkcs11_return_names_10 = - { CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID - , pkcs11_return_name_10, &pkcs11_return_names_20}; - -static enum_names pkcs11_return_names = - { CKR_OK, CKR_CANT_LOCK - , pkcs11_return_name, &pkcs11_return_names_10}; - -/* - * Unload a PKCS#11 module. - * The calling application is responsible for cleaning up - * and calling C_Finalize() - */ -static CK_RV -scx_unload_pkcs11_module(scx_pkcs11_module_t *mod) -{ - if (!mod || mod->_magic != SCX_MAGIC) - return CKR_ARGUMENTS_BAD; - - if (dlclose(mod->handle) < 0) - return CKR_FUNCTION_FAILED; - - memset(mod, 0, sizeof(*mod)); - pfree(mod); - return CKR_OK; -} - -static scx_pkcs11_module_t* -scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs) -{ - CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR); - scx_pkcs11_module_t *mod; - void *handle; - int rv; - - if (name == NULL || *name == '\0') - return NULL; - - /* Try to load PKCS#11 library module*/ - handle = dlopen(name, RTLD_NOW); - if (handle == NULL) - return NULL; - - mod = alloc_thing(scx_pkcs11_module_t, "scx_pkcs11_module"); - mod->_magic = SCX_MAGIC; - mod->handle = handle; - - /* Get the list of function pointers */ - c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) - dlsym(mod->handle, "C_GetFunctionList"); - if (!c_get_function_list) - goto failed; - - rv = c_get_function_list(funcs); - if (rv == CKR_OK) - return mod; - -failed: scx_unload_pkcs11_module(mod); - return NULL; -} - -/* - * retrieve a certificate object - */ -static bool -scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object -, smartcard_t *sc, cert_t *cert) -{ - size_t hex_len, label_len; - u_char *hex_id = NULL; - chunk_t blob; - x509cert_t *x509cert; - - CK_ATTRIBUTE attr[] = { - { CKA_ID, NULL_PTR, 0L }, - { CKA_LABEL, NULL_PTR, 0L }, - { CKA_VALUE, NULL_PTR, 0L } - }; - - /* initialize the return argument */ - *cert = empty_cert; - - /* get the length of the attributes first */ - CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3); - if (rv != CKR_OK) - { - plog("couldn't read the attribute sizes: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - pfreeany(sc->label); - - hex_id = alloc_bytes(attr[0].ulValueLen, "hex id"); - hex_len = attr[0].ulValueLen; - sc->label = alloc_bytes(attr[1].ulValueLen + 1, "sc label"); - label_len = attr[1].ulValueLen; - blob.ptr = alloc_bytes(attr[2].ulValueLen, "x509cert blob"); - blob.len = attr[2].ulValueLen; - - attr[0].pValue = hex_id; - attr[1].pValue = sc->label; - attr[2].pValue = blob.ptr; - - /* now get the attributes */ - rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3); - if (rv != CKR_OK) - { - plog("couldn't read the attributes: %s" - , enum_show(&pkcs11_return_names, rv)); - pfree(hex_id); - pfreeany(sc->label); - pfree(blob.ptr); - return FALSE; - } - - pfreeany(sc->id); - - /* convert id from hex to ASCII */ - sc->id = alloc_bytes(2*hex_len + 1, " sc id"); - datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1); - pfree(hex_id); - - /* safeguard in case the label is not null terminated */ - sc->label[label_len] = '\0'; - - /* parse the retrieved cert */ - x509cert = alloc_thing(x509cert_t, "x509cert"); - *x509cert = empty_x509cert; - x509cert->smartcard = TRUE; - - if (!parse_x509cert(blob, 0, x509cert)) - { - plog("failed to load cert from smartcard, error in X.509 certificate"); - free_x509cert(x509cert); - return FALSE; - } - cert->type = CERT_X509_SIGNATURE; - cert->u.x509 = x509cert; - return TRUE; -} - -/* - * search a given slot for PKCS#11 certificate objects - */ -static void -scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session) -{ - CK_RV rv; - CK_OBJECT_CLASS class = CKO_CERTIFICATE; - CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }}; - - rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1); - if (rv != CKR_OK) - { - plog("error in C_FindObjectsInit: %s" - , enum_show(&pkcs11_return_names, rv)); - return; - } - - for (;;) - { - CK_OBJECT_HANDLE object; - CK_ULONG obj_count = 0; - err_t ugh; - time_t valid_until; - smartcard_t *sc; - x509cert_t *cert; - - rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count); - if (rv != CKR_OK) - { - plog("error in C_FindObjects: %s" - , enum_show(&pkcs11_return_names, rv)); - break; - } - - /* no objects left */ - if (obj_count == 0) - break; - - /* create and initialize a new smartcard object */ - sc = alloc_thing(smartcard_t, "smartcard"); - *sc = empty_sc; - sc->any_slot = FALSE; - sc->slot = slot; - - if (!scx_find_cert_object(session, object, sc, &sc->last_cert)) - { - scx_free(sc); - continue; - } - DBG(DBG_CONTROL, - DBG_log("found cert in %s with id: %s, label: '%s'" - , scx_print_slot(sc, ""), sc->id, sc->label) - ) - - /* check validity of certificate */ - cert = sc->last_cert.u.x509; - valid_until = cert->notAfter; - ugh = check_validity(cert, &valid_until); - if (ugh != NULL) - { - plog(" %s", ugh); - free_x509cert(cert); - scx_free(sc); - continue; - } - else - { - DBG(DBG_CONTROL, - DBG_log(" certificate is valid") - ) - } - - sc = scx_add(sc); - - /* put end entity and ca certificates into different chains */ - if (cert->isCA) - add_authcert(cert, AUTH_CA); - else - { - add_x509_public_key(cert, valid_until, DAL_LOCAL); - sc->last_cert.u.x509 = add_x509cert(cert); - } - - share_cert(sc->last_cert); - time(&sc->last_load); - } - - rv = pkcs11_functions->C_FindObjectsFinal(session); - if (rv != CKR_OK) - { - plog("error in C_FindObjectsFinal: %s" - , enum_show(&pkcs11_return_names, rv)); - } -} - -/* - * search all slots for PKCS#11 certificate objects - */ -static void -scx_find_all_cert_objects(void) -{ - CK_RV rv; - CK_SLOT_ID_PTR slots = NULL_PTR; - CK_ULONG slot_count = 0; - CK_ULONG i; - - if (!scx_initialized) - { - plog("pkcs11 module not initialized"); - return; - } - - /* read size, always returns CKR_OK ! */ - rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count); - - /* allocate memory for the slots */ - slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots"); - - rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count); - if (rv != CKR_OK) - { - plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv)); - pfreeany(slots); - return; - } - - /* look in every slot for certificate objects */ - for (i = 0; i < slot_count; i++) - { - CK_SLOT_ID slot = slots[i]; - CK_SLOT_INFO info; - CK_SESSION_HANDLE session; - - rv = pkcs11_functions->C_GetSlotInfo(slot, &info); - - if (rv != CKR_OK) - { - plog("error in C_GetSlotInfo: %s" - , enum_show(&pkcs11_return_names, rv)); - continue; - } - - if (!(info.flags & CKF_TOKEN_PRESENT)) - { - plog("no token present in slot %lu", slot); - continue; - } - - rv = pkcs11_functions->C_OpenSession(slot - , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session); - if (rv != CKR_OK) - { - plog("failed to open a session on slot %lu: %s" - , slot, enum_show(&pkcs11_return_names, rv)); - continue; - } - DBG(DBG_CONTROLMORE, - DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot) - ) - scx_find_cert_objects(slot, session); - - rv = pkcs11_functions->C_CloseSession(session); - if (rv != CKR_OK) - { - plog("error in C_CloseSession: %s" - , enum_show(&pkcs11_return_names, rv)); - } - } - pfreeany(slots); -} -#endif - -/* - * load and initialize PKCS#11 cryptoki module - */ -void -scx_init(const char* module) -{ -#ifdef SMARTCARD - CK_RV rv; - - if (scx_initialized) - { - plog("weird - pkcs11 module seems already to be initialized"); - return; - } - - if (module == NULL) -#ifdef PKCS11_DEFAULT_LIB - module = PKCS11_DEFAULT_LIB; -#else - { - plog("no pkcs11 module defined"); - return; - } -#endif - - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 module '%s' loading...", module) - ) - pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions); - if (pkcs11_module == NULL) - { - plog("failed to load pkcs11 module '%s'", module); - return; - } - - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 module initializing...") - ) - rv = pkcs11_functions->C_Initialize(NULL); - if (rv != CKR_OK) - { - plog("failed to initialize pkcs11 module: %s" - , enum_show(&pkcs11_return_names, rv)); - return; - } - - scx_initialized = TRUE; - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 module loaded and initialized") - ) - - scx_find_all_cert_objects(); -#endif -} - -/* - * finalize and unload PKCS#11 cryptoki module - */ -void -scx_finalize(void) -{ -#ifdef SMARTCARD - while (smartcards != NULL) - { - scx_release(smartcards); - } - - if (pkcs11_functions != NULL_PTR) - { - pkcs11_functions->C_Finalize(NULL_PTR); - pkcs11_functions = NULL_PTR; - } - - if (pkcs11_module != NULL) - { - scx_unload_pkcs11_module(pkcs11_module); - pkcs11_module = NULL; - } - - scx_initialized = FALSE; - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 module finalized and unloaded") - ) -#endif -} - -/* - * does a filename contain the token %smartcard? - */ -bool -scx_on_smartcard(const char *filename) -{ - return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0; -} - -#ifdef SMARTCARD -/* - * find a specific object on the smartcard - */ -static bool -scx_pkcs11_find_object( CK_SESSION_HANDLE session, - CK_OBJECT_HANDLE_PTR object, - CK_OBJECT_CLASS class, - const char* id) -{ - size_t len; - char buf[BUF_LEN]; - CK_RV rv; - CK_ULONG obj_count = 0; - CK_ULONG attr_count = 1; - - CK_ATTRIBUTE attr[] = { - { CKA_CLASS, &class, sizeof(class) }, - { CKA_ID, &buf, 0L } - }; - - if (id != NULL) - { - ttodata(id, strlen(id), 16, buf, BUF_LEN, &len); - attr[1].ulValueLen = len; - attr_count = 2; - } - - /* get info for certificate with id */ - rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count); - if (rv != CKR_OK) - { - plog("error in C_FindObjectsInit: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - rv = pkcs11_functions->C_FindObjects(session, object, 1, &obj_count); - if (rv != CKR_OK) - { - plog("error in C_FindObjects: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - rv = pkcs11_functions->C_FindObjectsFinal(session); - if (rv != CKR_OK) - { - plog("error in C_FindObjectsFinal: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - return (obj_count != 0); -} - -/* - * check if a given certificate object id is found in a slot - */ -static bool -scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot) -{ - CK_SESSION_HANDLE session; - CK_OBJECT_HANDLE object; - CK_SLOT_INFO info; - - CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info); - - if (rv != CKR_OK) - { - plog("error in C_GetSlotInfo: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - if (!(info.flags & CKF_TOKEN_PRESENT)) - { - plog("no token present in slot %lu", slot); - return FALSE; - } - - rv = pkcs11_functions->C_OpenSession(slot - , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session); - if (rv != CKR_OK) - { - plog("failed to open a session on slot %lu: %s" - , slot, enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - DBG(DBG_CONTROLMORE, - DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot) - ) - - /* check if there is a certificate on the card in the specified slot */ - if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id)) - { - sc->slot = slot; - sc->any_slot = FALSE; - sc->session = session; - sc->session_opened = TRUE; - return TRUE; - } - - rv = pkcs11_functions->C_CloseSession(session); - if (rv != CKR_OK) - { - plog("error in C_CloseSession: %s" - , enum_show(&pkcs11_return_names, rv)); - } - return FALSE; -} -#endif - -/* - * Connect to the smart card in the reader and select the correct slot - */ -bool -scx_establish_context(smartcard_t *sc) -{ -#ifdef SMARTCARD - bool id_found = FALSE; - - if (!scx_initialized) - { - plog("pkcs11 module not initialized"); - return FALSE; - } - - if (sc->session_opened) - { - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 session #%ld already open", sc->session) - ) - return TRUE; - } - - if (!sc->any_slot) - id_found = scx_find_cert_id_in_slot(sc, sc->slot); - - if (!id_found) - { - CK_RV rv; - CK_SLOT_ID slot; - CK_SLOT_ID_PTR slots = NULL_PTR; - CK_ULONG slot_count = 0; - CK_ULONG i; - - /* read size, always returns CKR_OK ! */ - rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count); - - /* allocate memory for the slots */ - slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots"); - - rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count); - if (rv != CKR_OK) - { - plog("error in C_GetSlotList: %s" - , enum_show(&pkcs11_return_names, rv)); - pfreeany(slots); - return FALSE; - } - - /* look in every slot for a certificate with a given object ID */ - for (i = 0; i < slot_count; i++) - { - slot = slots[i]; - id_found = scx_find_cert_id_in_slot(sc, slot); - if (id_found) - break; - } - pfreeany(slots) - } - - if (id_found) - { - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("found token with id %s in slot %lu", sc->id, sc->slot); - DBG_log("pkcs11 session #%ld opened", sc->session) - ) - } - else - { - plog(" no certificate with id %s found on smartcard", sc->id); - } - return id_found; -#else - plog("warning: SMARTCARD support is deactivated in pluto/Makefile!"); - return FALSE; -#endif -} - -/* - * log in to a session - */ -bool -scx_login(smartcard_t *sc) -{ -#ifdef SMARTCARD - CK_RV rv; - - if (sc->logged_in) - { - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 session #%ld login already done", sc->session) - ) - return TRUE; - } - - if (sc->pin.ptr == NULL) - { - plog("unable to log in without PIN!"); - return FALSE; - } - - if (!sc->session_opened) - { - plog("session not opened"); - return FALSE; - } - - rv = pkcs11_functions->C_Login(sc->session, CKU_USER - , (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len); - if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) - { - plog("unable to login: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 session #%ld login successful", sc->session) - ) - sc->logged_in = TRUE; - return TRUE; -#else - return FALSE; -#endif -} - -#ifdef SMARTCARD -/* - * logout from a session - */ -static void -scx_logout(smartcard_t *sc) -{ - CK_RV rv; - - rv = pkcs11_functions->C_Logout(sc->session); - if (rv != CKR_OK) - plog("error in C_Logout: %s" - , enum_show(&pkcs11_return_names, rv)); - else - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 session #%ld logout", sc->session) - ) - sc->logged_in = FALSE; -} -#endif - - -/* - * Release context and disconnect from card - */ -void -scx_release_context(smartcard_t *sc) -{ -#ifdef SMARTCARD - CK_RV rv; - - if (!scx_initialized) - return; - - if (sc->session_opened) - { - if (sc->logged_in) - scx_logout(sc); - - sc->session_opened = FALSE; - - rv = pkcs11_functions->C_CloseSession(sc->session); - if (rv != CKR_OK) - plog("error in C_CloseSession: %s" - , enum_show(&pkcs11_return_names, rv)); - else - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("pkcs11 session #%ld closed", sc->session) - ) - } -#endif -} - -/* - * Load host certificate from smartcard - */ -bool -scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert -, bool *cached) -{ -#ifdef SMARTCARD /* compile with smartcard support */ - CK_OBJECT_HANDLE object; - - const char *number_slot_id = filename + strlen(SCX_TOKEN); - - smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id)); - - /* return the smartcard object */ - *scp = sc; - - /* is there a cached smartcard certificate? */ - *cached = sc->last_cert.type != CERT_NONE - && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL; - - if (*cached) - { - *cert = sc->last_cert; - plog(" using cached cert from smartcard #%d (%s, id: %s, label: '%s')" - , sc->number - , scx_print_slot(sc, "") - , sc->id - , sc->label); - return TRUE; - } - - if (!scx_establish_context(sc)) - { - scx_release_context(sc); - return FALSE; - } - - /* find the certificate object */ - if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id)) - { - scx_release_context(sc); - return FALSE; - } - - /* retrieve the certificate object */ - if (!scx_find_cert_object(sc->session, object, sc, cert)) - { - scx_release_context(sc); - return FALSE; - } - - if (!pkcs11_keep_state) - scx_release_context(sc); - - plog(" loaded cert from smartcard #%d (%s, id: %s, label: '%s')" - , sc->number - , scx_print_slot(sc, "") - , sc->id - , sc->label); - - return TRUE; -#else - plog(" warning: SMARTCARD support is deactivated in pluto/Makefile!"); - return FALSE; -#endif -} - -/* - * parse slot number and key id - * the following syntax is allowed - * number slot id - * %smartcard 1 - - - * %smartcard#2 2 - - - * %smartcard0 - 0 - - * %smartcard:45 - - 45 - * %smartcard0:45 - 0 45 - */ -smartcard_t* -scx_parse_number_slot_id(const char *number_slot_id) -{ - int len = strlen(number_slot_id); - smartcard_t *sc = alloc_thing(smartcard_t, "smartcard"); - - /* assign default values */ - *sc = empty_sc; - - if (len == 0) /* default: use certificate #1 */ - { - sc->number = 1; - } - else if (*number_slot_id == '#') /* #number scheme */ - { - err_t ugh; - unsigned long ul; - - ugh = atoul(number_slot_id+1, len-1 , 10, &ul); - if (ugh == NULL) - sc->number = (int)ul; - else - plog("error parsing smartcard number: %s", ugh); - } - else /* slot:id scheme */ - { - int slot_len = len; - char *p = strchr(number_slot_id, ':'); - - if (p != NULL) - { - int id_len = len - (p + 1 - number_slot_id); - slot_len -= (1 + id_len); - - if (id_len > 0) /* we have an id */ - sc->id = p + 1; - } - if (slot_len > 0) /* we have a slot */ - { - err_t ugh = NULL; - unsigned long ul; - - ugh = atoul(number_slot_id, slot_len, 10, &ul); - if (ugh == NULL) - { - sc->slot = ul; - sc->any_slot = FALSE; - } - else - plog("error parsing smartcard slot number: %s", ugh); - } - } - /* unshare the id string */ - sc->id = clone_str(sc->id, "key id"); - return sc; -} - -/* - * Verify pin on card - */ -bool -scx_verify_pin(smartcard_t *sc) -{ -#ifdef SMARTCARD - CK_RV rv; - - if (!sc->pinpad) - sc->valid = FALSE; - - if (sc->pin.ptr == NULL) - { - plog("unable to verify without PIN"); - return FALSE; - } - - /* establish context */ - if (!scx_establish_context(sc)) - { - scx_release_context(sc); - return FALSE; - } - - rv = pkcs11_functions->C_Login(sc->session, CKU_USER, - (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len); - if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) - { - sc->valid = TRUE; - sc->logged_in = TRUE; - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log((rv == CKR_OK) - ? "PIN code correct" - : "already logged in, no PIN entry required"); - DBG_log("pkcs11 session #%ld login successful", sc->session) - ) - } - else - { - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("PIN code incorrect") - ) - } - if (!pkcs11_keep_state) - scx_release_context(sc); -#else - sc->valid = FALSE; -#endif - return sc->valid; -} - -/* - * Sign hash on smartcard - */ -bool -scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen -, u_char *out, size_t outlen) -{ -#ifdef SMARTCARD - CK_RV rv; - CK_OBJECT_HANDLE object; - CK_ULONG siglen = (CK_ULONG)outlen; - CK_BBOOL sign_flag, decrypt_flag; - CK_ATTRIBUTE attr[] = { - { CKA_SIGN, &sign_flag, sizeof(sign_flag) }, - { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) } - }; - - if (!sc->logged_in) - return FALSE; - - if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) - { - plog("unable to find private key with id '%s'", sc->id); - return FALSE; - } - - rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2); - if (rv != CKR_OK) - { - plog("couldn't read the private key attributes: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - DBG(DBG_CONTROL, - DBG_log("RSA key flags: sign = %s, decrypt = %s" - , (sign_flag)? "true":"false" - , (decrypt_flag)? "true":"false") - ) - - if (sign_flag) - { - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; - - rv = pkcs11_functions->C_SignInit(sc->session, &mech, object); - if (rv != CKR_OK) - { - plog("error in C_SignInit: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen - , out, &siglen); - if (rv != CKR_OK) - { - plog("error in C_Sign: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - } - else if (decrypt_flag) - { - CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 }; - size_t padlen; - u_char *p = out ; - - /* PKCS#1 v1.5 8.1 encryption-block formatting */ - *p++ = 0x00; - *p++ = 0x01; /* BT (block type) 01 */ - padlen = outlen - 3 - inlen; - memset(p, 0xFF, padlen); - p += padlen; - *p++ = 0x00; - memcpy(p, in, inlen); - - rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object); - if (rv != CKR_OK) - { - plog("error in C_DecryptInit: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen - , out, &siglen); - if (rv != CKR_OK) - { - plog("error in C_Decrypt: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - } - else - { - plog("private key has neither sign nor decrypt flag set"); - return FALSE; - } - - if (siglen > (CK_ULONG)outlen) - { - plog("signature length (%lu) larger than allocated buffer (%d)" - , siglen, (int)outlen); - return FALSE; - } - return TRUE; -#else - return FALSE; -#endif -} - -/* - * encrypt data block with an RSA public key - */ -bool -scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen -, u_char *out, size_t *outlen) -{ -#ifdef SMARTCARD - CK_RV rv; - CK_OBJECT_HANDLE object; - CK_ULONG len = (CK_ULONG)(*outlen); - CK_BBOOL encrypt_flag; - CK_ATTRIBUTE attr[] = { - { CKA_MODULUS, NULL_PTR, 0L }, - { CKA_PUBLIC_EXPONENT, NULL_PTR, 0L }, - { CKA_ENCRYPT, &encrypt_flag, sizeof(encrypt_flag) } - }; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; - - if (!scx_establish_context(sc)) - { - scx_release_context(sc); - return FALSE; - } - - if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id)) - { - plog("unable to find public key with id '%s'", sc->id); - return FALSE; - } - - rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3); - if (rv != CKR_OK) - { - plog("couldn't read the public key attributes: %s" - , enum_show(&pkcs11_return_names, rv)); - scx_release_context(sc); - return FALSE; - } - - if (!encrypt_flag) - { - plog("public key cannot be used for encryption"); - scx_release_context(sc); - return FALSE; - } - - /* there must be enough space left for the PKCS#1 v1.5 padding */ - if (inlen > attr[0].ulValueLen - 11) - { - plog("smartcard input data length (%d) exceeds maximum of %lu bytes" - , (int)inlen, attr[0].ulValueLen - 11); - if (!pkcs11_keep_state) - scx_release_context(sc); - return FALSE; - } - - rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object); - - if (rv != CKR_OK) - { - if (rv == CKR_FUNCTION_NOT_SUPPORTED) - { - RSA_public_key_t rsa; - chunk_t plain_text = {in, inlen}; - chunk_t cipher_text; - - DBG(DBG_CONTROL, - DBG_log("doing RSA encryption in software") - ) - attr[0].pValue = alloc_bytes(attr[0].ulValueLen, "modulus"); - attr[1].pValue = alloc_bytes(attr[1].ulValueLen, "exponent"); - - rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2); - if (rv != CKR_OK) - { - plog("couldn't read modulus and public exponent: %s" - , enum_show(&pkcs11_return_names, rv)); - pfree(attr[0].pValue); - pfree(attr[1].pValue); - scx_release_context(sc); - return FALSE; - } - rsa.k = attr[0].ulValueLen; - n_to_mpz(&rsa.n, attr[0].pValue, attr[0].ulValueLen); - n_to_mpz(&rsa.e, attr[1].pValue, attr[1].ulValueLen); - pfree(attr[0].pValue); - pfree(attr[1].pValue); - - cipher_text = RSA_encrypt(&rsa, plain_text); - free_RSA_public_content(&rsa); - if (cipher_text.ptr == NULL) - { - plog("smartcard input data length is too large"); - if (!pkcs11_keep_state) - scx_release_context(sc); - return FALSE; - } - - memcpy(out, cipher_text.ptr, cipher_text.len); - *outlen = cipher_text.len; - freeanychunk(cipher_text); - if (!pkcs11_keep_state) - scx_release_context(sc); - return TRUE; - } - else - { - plog("error in C_EncryptInit: %s" - , enum_show(&pkcs11_return_names, rv)); - scx_release_context(sc); - return FALSE; - } - } - - DBG(DBG_CONTROL, - DBG_log("doing RSA encryption on smartcard") - ) - rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen - , out, &len); - if (rv != CKR_OK) - { - plog("error in C_Encrypt: %s" - , enum_show(&pkcs11_return_names, rv)); - scx_release_context(sc); - return FALSE; - } - if (!pkcs11_keep_state) - scx_release_context(sc); - - *outlen = (size_t)len; - return TRUE; -#else - return FALSE; -#endif -} -/* - * decrypt a data block with an RSA private key - */ -bool -scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen -, u_char *out, size_t *outlen) -{ -#ifdef SMARTCARD - CK_RV rv; - CK_OBJECT_HANDLE object; - CK_ULONG len = (CK_ULONG)(*outlen); - CK_BBOOL decrypt_flag; - CK_ATTRIBUTE attr[] = { - { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) } - }; - CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 }; - - if (!scx_establish_context(sc) || !scx_login(sc)) - { - scx_release_context(sc); - return FALSE; - } - - if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) - { - plog("unable to find private key with id '%s'", sc->id); - return FALSE; - } - - rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1); - if (rv != CKR_OK) - { - plog("couldn't read the private key attributes: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - if (!decrypt_flag) - { - plog("private key cannot be used for decryption"); - scx_release_context(sc); - return FALSE; - } - - DBG(DBG_CONTROL, - DBG_log("doing RSA decryption on smartcard") - ) - rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object); - if (rv != CKR_OK) - { - plog("error in C_DecryptInit: %s" - , enum_show(&pkcs11_return_names, rv)); - scx_release_context(sc); - return FALSE; - } - - rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen - , out, &len); - if (rv != CKR_OK) - { - plog("error in C_Decrypt: %s" - , enum_show(&pkcs11_return_names, rv)); - scx_release_context(sc); - return FALSE; - } - if (!pkcs11_keep_state) - scx_release_context(sc); - - *outlen = (size_t)len; - return TRUE; -#else - return FALSE; -#endif -} - -/* receive an encrypted data block via whack, - * decrypt it using a private RSA key and - * return the decrypted data block via whack - */ -bool -scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op -, const char* keyid, int whackfd) -{ - char inbuf[RSA_MAX_OCTETS]; - char outbuf[2*RSA_MAX_OCTETS + 1]; - size_t outlen = sizeof(inbuf); - size_t inlen; - smartcard_t *sc,*sc_new; - - const char *number_slot_id = ""; - - err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen); - - /* no prefix - use default base */ - if (ugh != NULL && inbase == 0) - ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen); - - if (ugh != NULL) - { - plog("format error in smartcard input data: %s", ugh); - return FALSE; - } - - if (keyid != NULL) - { - number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0) - ? keyid + strlen(SCX_TOKEN) : keyid; - } - - sc_new = scx_parse_number_slot_id(number_slot_id); - sc = scx_add(sc_new); - if (sc == sc_new) - scx_share(sc); - - DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW, - DBG_dump("smartcard input data:\n", inbuf, inlen) - ) - - if (op == SC_OP_DECRYPT) - { - if (!sc->valid && whackfd != NULL_FD) - scx_get_pin(sc, whackfd); - - if (!sc->valid) - { - loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN"); - return FALSE; - } - } - - DBG(DBG_CONTROL | DBG_CRYPT, - DBG_log("using RSA key from smartcard (slot: %d, id: %s)" - , (int)sc->slot, sc->id) - ) - - switch (op) - { - case SC_OP_ENCRYPT: - if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen)) - return FALSE; - break; - case SC_OP_DECRYPT: - if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen)) - return FALSE; - break; - default: - break; - } - - DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW, - DBG_dump("smartcard output data:\n", inbuf, outlen) - ) - - if (outbase == 0) /* use default base */ - outbase = DEFAULT_BASE; - - if (outbase == 256) /* ascii plain text */ - whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf); - else - { - outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf)); - if (outlen == 0) - { - plog("error in output format conversion"); - return FALSE; - } - whack_log(RC_COMMENT, "%s", outbuf); - } - return TRUE; -} - - /* - * get length of RSA key in bytes - */ -size_t -scx_get_keylength(smartcard_t *sc) -{ -#ifdef SMARTCARD - CK_RV rv; - CK_OBJECT_HANDLE object; - CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}}; - - if (!sc->logged_in) - return FALSE; - - if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id)) - { - plog("unable to find private key with id '%s'", sc->id); - return FALSE; - } - - /* get the length of the private key */ - rv = pkcs11_functions->C_GetAttributeValue(sc->session, object - , (CK_ATTRIBUTE_PTR)&attr, 1); - if (rv != CKR_OK) - { - plog("failed to get key length: %s" - , enum_show(&pkcs11_return_names, rv)); - return FALSE; - } - - return attr[0].ulValueLen; /*Return key length in bytes */ -#else - return 0; -#endif -} - -/* - * prompt for pin and verify it - */ -bool -scx_get_pin(smartcard_t *sc, int whackfd) -{ -#ifdef SMARTCARD - char pin[BUF_LEN]; - int i, n; - - whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')" - , sc->number, scx_print_slot(sc, ""), sc->id, sc->label); - - for (i = 0; i < SCX_MAX_PIN_TRIALS; i++) - { - if (i > 0) - whack_log(RC_ENTERSECRET, "invalid PIN, please try again"); - - n = read(whackfd, pin, BUF_LEN); - - if (n == -1) - { - whack_log(RC_LOG_SERIOUS, "read(whackfd) failed"); - return FALSE; - } - - if (strlen(pin) == 0) - { - whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted"); - return FALSE; - } - - sc->pin.ptr = pin; - sc->pin.len = strlen(pin); - - /* verify the pin */ - if (scx_verify_pin(sc)) - { - clonetochunk(sc->pin, pin, strlen(pin), "pin"); - break; - } - - /* wrong pin - we try another round */ - sc->pin = empty_chunk; - } - - if (sc->valid) - whack_log(RC_SUCCESS, "valid PIN"); - else - whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials"); -#else - sc->valid = FALSE; - whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!"); -#endif - return sc->valid; -} - - -/* - * free the pin code - */ -void -scx_free_pin(chunk_t *pin) -{ - if (pin->ptr != NULL) - { - /* clear pin field in memory */ - memset(pin->ptr, '\0', pin->len); - pfree(pin->ptr); - *pin = empty_chunk; - } -} - -/* - * frees a smartcard record - */ -void -scx_free(smartcard_t *sc) -{ - if (sc != NULL) - { - scx_release_context(sc); - pfreeany(sc->id); - pfreeany(sc->label); - scx_free_pin(&sc->pin); - pfree(sc); - } -} - -/* release of a smartcard record decreases the count by one - " the record is freed when the counter reaches zero - */ -void -scx_release(smartcard_t *sc) -{ - if (sc != NULL && --sc->count == 0) - { - smartcard_t **pp = &smartcards; - while (*pp != sc) - pp = &(*pp)->next; - *pp = sc->next; - release_cert(sc->last_cert); - scx_free(sc); - } -} - -/* - * compare two smartcard records by comparing their slots and ids - */ -static bool -scx_same(smartcard_t *a, smartcard_t *b) -{ - if (a->number && b->number) - { - /* same number */ - return a->number == b->number; - } - else - { - /* same id and/or same slot */ - return (!a->id || (b->id && streq(a->id, b->id))) - && (a->any_slot || b->any_slot || a->slot == b->slot); - } -} - -/* for each link pointing to the smartcard record - " increase the count by one - */ -void -scx_share(smartcard_t *sc) -{ - if (sc != NULL) - sc->count++; -} - -/* - * adds a smartcard record to the chained list - */ -smartcard_t* -scx_add(smartcard_t *smartcard) -{ - smartcard_t *sc = smartcards; - smartcard_t **psc = &smartcards; - - while (sc != NULL) - { - if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */ - { - scx_free(smartcard); - return sc; - } - psc = &sc->next; - sc = sc->next; - } - - /* insert new smartcard record at the end of the chain */ - *psc = smartcard; - smartcard->number = ++sc_number; - smartcard->count = 1; - DBG(DBG_CONTROL | DBG_PARSING, - DBG_log(" smartcard #%d added", sc_number) - ) - return smartcard; -} - -/* - * get the smartcard that belongs to an X.509 certificate - */ -smartcard_t* -scx_get(x509cert_t *cert) -{ - smartcard_t *sc = smartcards; - - while (sc != NULL) - { - if (sc->last_cert.u.x509 == cert) - return sc; - sc = sc->next; - } - return NULL; -} - -/* - * prints either the slot number or 'any slot' - */ -char * -scx_print_slot(smartcard_t *sc, const char *whitespace) -{ - char *buf = temporary_cyclic_buffer(); - - if (sc->any_slot) - snprintf(buf, BUF_LEN, "any slot"); - else - snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot); - return buf; -} - -/* - * list all smartcard info records in a chained list - */ -void -scx_list(bool utc) -{ - smartcard_t *sc = smartcards; - - if (sc != NULL) - { - whack_log(RC_COMMENT, " "); - whack_log(RC_COMMENT, "List of Smartcard Objects:"); - whack_log(RC_COMMENT, " "); - } - - while (sc != NULL) - { - whack_log(RC_COMMENT, "%s, #%d, count: %d" - , timetoa(&sc->last_load, utc) - , sc->number - , sc->count); - whack_log(RC_COMMENT, " %s, session %s, logged %s, has %s" - , scx_print_slot(sc, " ") - , sc->session_opened? "opened" : "closed" - , sc->logged_in? "in" : "out" - , sc->pinpad? "pin pad" - : ((sc->pin.ptr == NULL)? "no pin" - : sc->valid? "valid pin" : "invalid pin")); - if (sc->id != NULL) - whack_log(RC_COMMENT, " id: %s", sc->id); - if (sc->label != NULL) - whack_log(RC_COMMENT, " label: '%s'", sc->label); - if (sc->last_cert.type == CERT_X509_SIGNATURE) - { - char buf[BUF_LEN]; - - dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject); - whack_log(RC_COMMENT, " subject: '%s'", buf); - } - sc = sc->next; - } -} |