summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c')
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c217
1 files changed, 170 insertions, 47 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 7b537cfa7..183fce53a 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2011 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
@@ -19,12 +22,15 @@
#include <debug.h>
#include <utils/linked_list.h>
#include <threading/mutex.h>
+#include <threading/rwlock.h>
#include "pkcs11_manager.h"
#include "pkcs11_creds.h"
#include "pkcs11_private_key.h"
#include "pkcs11_public_key.h"
#include "pkcs11_hasher.h"
+#include "pkcs11_rng.h"
+#include "pkcs11_dh.h"
typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
@@ -52,6 +58,16 @@ struct private_pkcs11_plugin_t {
* mutex to lock list
*/
mutex_t *mutex;
+
+ /**
+ * TRUE if events from tokens are to be handled
+ */
+ bool handle_events;
+
+ /**
+ * Lock for the above flag
+ */
+ rwlock_t *handle_events_lock;
};
/**
@@ -61,9 +77,10 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
CK_SLOT_ID slot, bool add)
{
enumerator_t *enumerator;
- pkcs11_creds_t *creds, *found = NULL;;
+ pkcs11_creds_t *creds, *found = NULL;
- if (add)
+ this->handle_events_lock->read_lock(this->handle_events_lock);
+ if (add && this->handle_events)
{
creds = pkcs11_creds_create(p11, slot);
if (creds)
@@ -74,7 +91,7 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
lib->credmgr->add_set(lib->credmgr, &creds->set);
}
}
- else
+ else if (this->handle_events)
{
this->mutex->lock(this->mutex);
enumerator = this->creds->create_enumerator(this->creds);
@@ -99,6 +116,7 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
}
}
+ this->handle_events_lock->unlock(this->handle_events_lock);
}
METHOD(plugin_t, get_name, char*,
@@ -107,23 +125,158 @@ METHOD(plugin_t, get_name, char*,
return "pkcs11";
}
-METHOD(plugin_t, destroy, void,
- private_pkcs11_plugin_t *this)
+/**
+ * Load/unload certificates from tokens.
+ */
+static bool handle_certs(private_pkcs11_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *data)
{
- pkcs11_creds_t *creds;
+ this->handle_events_lock->write_lock(this->handle_events_lock);
+ this->handle_events = reg;
+ this->handle_events_lock->unlock(this->handle_events_lock);
+
+ if (reg)
+ {
+ enumerator_t *enumerator;
+ pkcs11_library_t *p11;
+ CK_SLOT_ID slot;
+
+ enumerator = this->manager->create_token_enumerator(this->manager);
+ while (enumerator->enumerate(enumerator, &p11, &slot))
+ {
+ token_event_cb(this, p11, slot, TRUE);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ pkcs11_creds_t *creds;
- lib->creds->remove_builder(lib->creds,
- (builder_function_t)pkcs11_private_key_connect);
- while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+ while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ }
+ }
+ return TRUE;
+}
+/**
+ * Add a set of features
+ */
+static inline void add_features(plugin_feature_t *f, plugin_feature_t *n,
+ int count, int *pos)
+{
+ int i;
+ for (i = 0; i < count; i++)
{
- lib->credmgr->remove_set(lib->credmgr, &creds->set);
- creds->destroy(creds);
+ f[(*pos)++] = n[i];
}
- lib->crypto->remove_hasher(lib->crypto,
- (hasher_constructor_t)pkcs11_hasher_create);
- this->creds->destroy(this->creds);
+}
+
+METHOD(plugin_t, get_features, int,
+ private_pkcs11_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f_hash[] = {
+ PLUGIN_REGISTER(HASHER, pkcs11_hasher_create),
+ PLUGIN_PROVIDE(HASHER, HASH_MD2),
+ PLUGIN_PROVIDE(HASHER, HASH_MD5),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA1),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA256),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(HASHER, HASH_SHA512),
+ };
+ static plugin_feature_t f_dh[] = {
+ PLUGIN_REGISTER(DH, pkcs11_dh_create),
+ PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+ PLUGIN_PROVIDE(DH, MODP_2048_224),
+ PLUGIN_PROVIDE(DH, MODP_2048_256),
+ PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+ PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+ PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+ PLUGIN_PROVIDE(DH, MODP_6144_BIT),
+ PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+ PLUGIN_PROVIDE(DH, MODP_1024_160),
+ PLUGIN_PROVIDE(DH, MODP_768_BIT),
+ PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+ };
+ static plugin_feature_t f_ecdh[] = {
+ PLUGIN_REGISTER(DH, pkcs11_dh_create),
+ PLUGIN_PROVIDE(DH, ECP_192_BIT),
+ PLUGIN_PROVIDE(DH, ECP_224_BIT),
+ PLUGIN_PROVIDE(DH, ECP_256_BIT),
+ PLUGIN_PROVIDE(DH, ECP_384_BIT),
+ PLUGIN_PROVIDE(DH, ECP_521_BIT),
+ };
+ static plugin_feature_t f_rng[] = {
+ PLUGIN_REGISTER(RNG, pkcs11_rng_create),
+ PLUGIN_PROVIDE(RNG, RNG_STRONG),
+ PLUGIN_PROVIDE(RNG, RNG_TRUE),
+ };
+ static plugin_feature_t f_privkey[] = {
+ PLUGIN_REGISTER(PRIVKEY, pkcs11_private_key_connect, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+ };
+ static plugin_feature_t f_pubkey[] = {
+ PLUGIN_REGISTER(PUBKEY, pkcs11_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ECDSA),
+ };
+ static plugin_feature_t f_manager[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)handle_certs, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "pkcs11-certs"),
+ PLUGIN_DEPENDS(CERT_DECODE, CERT_X509),
+ };
+ static plugin_feature_t f[countof(f_hash) + countof(f_dh) + countof(f_rng) +
+ countof(f_ecdh) + countof(f_privkey) +
+ countof(f_pubkey) + countof(f_manager)] = {};
+ static int count = 0;
+
+ if (!count)
+ { /* initialize only once */
+ bool use_ecc = lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.use_ecc", FALSE);
+ add_features(f, f_manager, countof(f_manager), &count);
+ /* private key handling for EC keys is not disabled by use_ecc */
+ add_features(f, f_privkey, countof(f_privkey), &count);
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
+ {
+ add_features(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
+ &count);
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+ {
+ add_features(f, f_hash, countof(f_hash), &count);
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.use_rng", FALSE))
+ {
+ add_features(f, f_rng, countof(f_rng), &count);
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.use_dh", FALSE))
+ {
+ add_features(f, f_dh, countof(f_dh), &count);
+ if (use_ecc)
+ {
+ add_features(f, f_ecdh, countof(f_ecdh), &count);
+ }
+ }
+ }
+ *features = f;
+ return count;
+}
+
+METHOD(plugin_t, destroy, void,
+ private_pkcs11_plugin_t *this)
+{
+ lib->set(lib, "pkcs11-manager", NULL);
this->manager->destroy(this->manager);
+ this->creds->destroy(this->creds);
this->mutex->destroy(this->mutex);
+ this->handle_events_lock->destroy(this->handle_events_lock);
free(this);
}
@@ -133,52 +286,22 @@ METHOD(plugin_t, destroy, void,
plugin_t *pkcs11_plugin_create()
{
private_pkcs11_plugin_t *this;
- enumerator_t *enumerator;
- pkcs11_library_t *p11;
- CK_SLOT_ID slot;
INIT(this,
.public = {
.plugin = {
.get_name = _get_name,
- .reload = (void*)return_false,
+ .get_features = _get_features,
.destroy = _destroy,
},
},
.creds = linked_list_create(),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .handle_events_lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
);
this->manager = pkcs11_manager_create((void*)token_event_cb, this);
-
- if (lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.pkcs11.use_hasher", FALSE))
- {
- lib->crypto->add_hasher(lib->crypto, HASH_MD2, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_MD5, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA1, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA256, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA384, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- lib->crypto->add_hasher(lib->crypto, HASH_SHA512, get_name(this),
- (hasher_constructor_t)pkcs11_hasher_create);
- }
-
- lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE,
- (builder_function_t)pkcs11_private_key_connect);
- lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, TRUE,
- (builder_function_t)pkcs11_public_key_load);
-
- enumerator = this->manager->create_token_enumerator(this->manager);
- while (enumerator->enumerate(enumerator, &p11, &slot))
- {
- token_event_cb(this, p11, slot, TRUE);
- }
- enumerator->destroy(enumerator);
+ lib->set(lib, "pkcs11-manager", this->manager);
return &this->public.plugin;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 10:25:35 +0000