Overview
Comment: | If using Protected Authentication Path, don't set the LOGIN_REQUIRED flag |
---|---|
SHA1: |
14d49a499f03dab3d093bf3ef298f633 |
User & Date: | rkeene on 2013-08-14 05:53:05 |
Context
2013-08-14
| ||
06:29 | Updated to not dead-lock when prompting for PIN during a signing operation check-in: 27d18fd03a user: rkeene tags: protected-auth-path | |
05:53 | If using Protected Authentication Path, don't set the LOGIN_REQUIRED flag check-in: 14d49a499f user: rkeene tags: protected-auth-path | |
04:54 | Added support for enabling the PROTECTED_AUTHENTICATION_PATH flag for the token if a command to provide the PIN is configured check-in: 8a76f09a85 user: rkeene tags: piv | |
04:22 | Merged in updates check-in: 5469f9a4d0 user: rkeene tags: protected-auth-path | |
Changes
Modified cackey.c from [745d36081e] to [345685b667].
︙ | ︙ | |||
1114 1115 1116 1117 1118 1119 1120 | if (slot->pcsc_card_connected) { SCardDisconnect(slot->pcsc_card, SCARD_LEAVE_CARD); } slot->slot_reset = 1; slot->pcsc_card_connected = 0; | > | > > > | 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 | if (slot->pcsc_card_connected) { SCardDisconnect(slot->pcsc_card, SCARD_LEAVE_CARD); } slot->slot_reset = 1; slot->pcsc_card_connected = 0; if (cackey_pin_command == NULL) { slot->token_flags = CKF_LOGIN_REQUIRED; } else { slot->token_flags = 0; } CACKEY_DEBUG_PRINTF("Returning."); return; } /* |
︙ | ︙ | |||
2870 2871 2872 2873 2874 2875 2876 | /* End transaction */ cackey_end_transaction(slot); if (respcode == 0x6982) { CACKEY_DEBUG_PRINTF("Security status not satisified. Returning NEEDLOGIN"); cackey_mark_slot_reset(slot); | < | 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 | /* End transaction */ cackey_end_transaction(slot); if (respcode == 0x6982) { CACKEY_DEBUG_PRINTF("Security status not satisified. Returning NEEDLOGIN"); cackey_mark_slot_reset(slot); return(CACKEY_PCSC_E_NEEDLOGIN); } if (send_ret == CACKEY_PCSC_E_TOKENABSENT) { CACKEY_DEBUG_PRINTF("Token absent. Returning TOKENABSENT"); |
︙ | ︙ | |||
3969 3970 3971 3972 3973 3974 3975 | } static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) { struct cackey_pcsc_identity *pcsc_identities; struct cackey_identity *identities; unsigned long num_ids, id_idx, curr_id_type; unsigned long num_certs, num_dod_certs, cert_idx; | | | 3972 3973 3974 3975 3976 3977 3978 3979 3980 3981 3982 3983 3984 3985 3986 | } static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) { struct cackey_pcsc_identity *pcsc_identities; struct cackey_identity *identities; unsigned long num_ids, id_idx, curr_id_type; unsigned long num_certs, num_dod_certs, cert_idx; int include_extra_certs = 0, include_dod_certs; CACKEY_DEBUG_PRINTF("Called."); if (ids_found == NULL) { CACKEY_DEBUG_PRINTF("Error. ids_found is NULL"); return(NULL); |
︙ | ︙ | |||
3991 3992 3993 3994 3995 3996 3997 3998 | include_extra_certs = 1; } if (getenv("CACKEY_NO_DOD_CERTS_ON_HW_SLOTS") != NULL) { include_extra_certs = 0; } if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) { | > > > > > > > | > > > > > > > | 3994 3995 3996 3997 3998 3999 4000 4001 4002 4003 4004 4005 4006 4007 4008 4009 4010 4011 4012 4013 4014 4015 4016 4017 4018 4019 4020 4021 4022 4023 4024 4025 | include_extra_certs = 1; } if (getenv("CACKEY_NO_DOD_CERTS_ON_HW_SLOTS") != NULL) { include_extra_certs = 0; } #ifdef CACKEY_NO_EXTRA_CERTS if (getenv("CACKEY_EXTRA_CERTS") != NULL) { include_dod_certs = 1; } else { include_dod_certs = 0; } #else if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) { include_dod_certs = 0; } else { include_dod_certs = 1; } #endif if (include_dod_certs) { num_dod_certs = sizeof(extra_certs) / sizeof(extra_certs[0]); } else { num_dod_certs = 0; } if (slot->internal) { num_ids = cackey_read_dod_identities(NULL, num_dod_certs); if (num_ids != 0) { identities = malloc(num_ids * sizeof(*identities)); |
︙ | ︙ | |||
4404 4405 4406 4407 4408 4409 4410 | if (slot_reset) { cackey_slots[currslot].active = 1; cackey_slots[currslot].internal = 0; cackey_slots[currslot].pcsc_reader = strdup(pcsc_readers); cackey_slots[currslot].pcsc_card_connected = 0; cackey_slots[currslot].transaction_depth = 0; cackey_slots[currslot].transaction_need_hw_lock = 0; | > | > > > | 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437 4438 4439 | if (slot_reset) { cackey_slots[currslot].active = 1; cackey_slots[currslot].internal = 0; cackey_slots[currslot].pcsc_reader = strdup(pcsc_readers); cackey_slots[currslot].pcsc_card_connected = 0; cackey_slots[currslot].transaction_depth = 0; cackey_slots[currslot].transaction_need_hw_lock = 0; if (cackey_pin_command == NULL) { cackey_slots[currslot].token_flags = CKF_LOGIN_REQUIRED; } else { cackey_slots[currslot].token_flags = 0; } cackey_slots[currslot].label = NULL; cackey_mark_slot_reset(&cackey_slots[currslot]); } } else { /* Artificially increase the number of active slots by what will become active */ slot_count++; |
︙ | ︙ | |||
5359 5360 5361 5362 5363 5364 5365 | cackey_mutex_unlock(cackey_biglock); return(CKR_GENERAL_ERROR); } cackey_sessions[hSession].state = CKS_RO_PUBLIC_SESSION; | > > | > > > | 5380 5381 5382 5383 5384 5385 5386 5387 5388 5389 5390 5391 5392 5393 5394 5395 5396 5397 5398 5399 | cackey_mutex_unlock(cackey_biglock); return(CKR_GENERAL_ERROR); } cackey_sessions[hSession].state = CKS_RO_PUBLIC_SESSION; if (cackey_pin_command == NULL) { cackey_slots[slotID].token_flags = CKF_LOGIN_REQUIRED; } else { cackey_slots[slotID].token_flags = 0; } mutex_retval = cackey_mutex_unlock(cackey_biglock); if (mutex_retval != 0) { CACKEY_DEBUG_PRINTF("Error. Unlocking failed."); return(CKR_GENERAL_ERROR); } |
︙ | ︙ | |||
6283 6284 6285 6286 6287 6288 6289 6290 6291 6292 6293 6294 6295 6296 | return(CKR_GENERAL_ERROR); } switch (cackey_sessions[hSession].decrypt_mechanism) { case CKM_RSA_PKCS: /* Ask card to decrypt */ buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1); if (buflen < 0) { /* Decryption failed. */ if (buflen == CACKEY_PCSC_E_NEEDLOGIN) { retval = CKR_USER_NOT_LOGGED_IN; } else if (buflen == CACKEY_PCSC_E_TOKENABSENT) { retval = CKR_DEVICE_REMOVED; | > > > > > > | 6309 6310 6311 6312 6313 6314 6315 6316 6317 6318 6319 6320 6321 6322 6323 6324 6325 6326 6327 6328 | return(CKR_GENERAL_ERROR); } switch (cackey_sessions[hSession].decrypt_mechanism) { case CKM_RSA_PKCS: /* Ask card to decrypt */ buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1); if (buflen == CACKEY_PCSC_E_NEEDLOGIN && cackey_pin_command != NULL) { if (C_Login(hSession, CKU_USER, NULL, 0) == CKR_OK) { buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1); } } if (buflen < 0) { /* Decryption failed. */ if (buflen == CACKEY_PCSC_E_NEEDLOGIN) { retval = CKR_USER_NOT_LOGGED_IN; } else if (buflen == CACKEY_PCSC_E_TOKENABSENT) { retval = CKR_DEVICE_REMOVED; |
︙ | ︙ | |||
6794 6795 6796 6797 6798 6799 6800 6801 6802 6803 6804 6805 6806 6807 | } switch (cackey_sessions[hSession].sign_mechanism) { case CKM_RSA_PKCS: /* Ask card to sign */ CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", (void *) cackey_sessions[hSession].sign_identity, (unsigned long) hSession); sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0); if (sigbuflen < 0) { /* Signing failed. */ if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN) { retval = CKR_USER_NOT_LOGGED_IN; } else if (sigbuflen == CACKEY_PCSC_E_TOKENABSENT) { retval = CKR_DEVICE_REMOVED; | > > > > > > | 6826 6827 6828 6829 6830 6831 6832 6833 6834 6835 6836 6837 6838 6839 6840 6841 6842 6843 6844 6845 | } switch (cackey_sessions[hSession].sign_mechanism) { case CKM_RSA_PKCS: /* Ask card to sign */ CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", (void *) cackey_sessions[hSession].sign_identity, (unsigned long) hSession); sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0); if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN && cackey_pin_command != NULL) { if (C_Login(hSession, CKU_USER, NULL, 0) == CKR_OK) { sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0); } } if (sigbuflen < 0) { /* Signing failed. */ if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN) { retval = CKR_USER_NOT_LOGGED_IN; } else if (sigbuflen == CACKEY_PCSC_E_TOKENABSENT) { retval = CKR_DEVICE_REMOVED; |
︙ | ︙ |
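Review bot: The result of `C_Login(hSession, CKU_USER, NULL, 0)` in the two new retry blocks (after the first `cackey_signdecrypt` call in the `CKM_RSA_PKCS` case of both the decrypt and the sign hunk) is only compared with `CKR_OK` and then dropped. A cancelled prompt, a wrong PIN or a locked PIN therefore falls through to the existing `CACKEY_PCSC_E_NEEDLOGIN` branch and reaches the application as `CKR_USER_NOT_LOGGED_IN`. With `token_flags` now set to `0` whenever `cackey_pin_command` is configured, the caller cannot tell a bad PIN from a missing login, and if it simply repeats the operation each repeat presumably runs the PIN command again, which could use up the card's PIN retry counter. I would keep the code, e.g. `login_ret = C_Login(hSession, CKU_USER, NULL, 0);`, and on anything other than `CKR_OK` hand `login_ret` back through `retval` instead of the generic mapping. Both enclosing functions start and end outside the hunks, so it is not visible whether `cackey_biglock` is held when `C_Login` is entered; that should be confirmed, since the next check-in in the timeline mentions a dead-lock when prompting during signing.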
Modified configure.ac from [34fbe03317] to [8333de68f9].
︙ | ︙ | |||
149 150 151 152 153 154 155 156 157 158 159 160 161 162 | ], [ dodcertsonhwslots=no ]) if ! test "${dodcertsonhwslots}" = 'no'; then AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots]) fi dnl Option to hard-code a command to run to request a PIN (enabling protected authentication path) AC_ARG_WITH(pin-command, AC_HELP_STRING([--with-pin-command=<command>], [Specify a command to run to request a PIN from the user. The user may override this with the CACKEY_PIN_COMMAND environment variable.]), [ pincommand="${withval}" ], [ pincommand="no" ]) | > > > > > > > > > > > | 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 | ], [ dodcertsonhwslots=no ]) if ! test "${dodcertsonhwslots}" = 'no'; then AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots]) fi dnl Option to disable DoD certs entirely AC_ARG_ENABLE(dod-certs, AC_HELP_STRING([--disable-dod-certs], [Disable including DoD certs entirely. The user may override this with the CACKEY_EXTRA_CERTS environment variable.]), [ dodcerts=$enableval ], [ dodcerts=yes ]) if test "${dodcerts}" = 'no'; then AC_DEFINE(CACKEY_NO_EXTRA_CERTS, [1], [Specify that DoD certificates should not be made available]) fi dnl Option to hard-code a command to run to request a PIN (enabling protected authentication path) AC_ARG_WITH(pin-command, AC_HELP_STRING([--with-pin-command=<command>], [Specify a command to run to request a PIN from the user. The user may override this with the CACKEY_PIN_COMMAND environment variable.]), [ pincommand="${withval}" ], [ pincommand="no" ]) |
︙ | ︙ |
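Review bot: The help string for `--disable-dod-certs` promises to disable the certificates "entirely", which is stronger than what the build does. The same string says `CACKEY_EXTRA_CERTS` overrides it, and the cackey.c change in this check-in still takes `sizeof(extra_certs)` outside the `#ifdef`, so the certificate data stays compiled in and any process environment can switch it back on. Someone building with this option to keep those certificates off a deployment should be told that it only changes the default; I would word it as `[Do not expose the built-in DoD certs unless the CACKEY_EXTRA_CERTS environment variable is set]` and adjust the `AC_DEFINE` description to match. As a smaller style point, `dodcerts=$enableval` is unquoted while the neighbouring option uses `pincommand="${withval}"`; `dodcerts="${enableval}"` would be consistent.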