Overview
| Comment: | Added support for supplying a command to provide a PIN via standard output |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | protected-auth-path |
| Files: | files | file ages | folders |
| SHA1: |
b6a0e30bff76eec5f60582aa5d99c6ad |
| User & Date: | rkeene on 2013-08-14 03:48:01 |
| Other Links: | branch diff | manifest | tags |
Context
|
2013-08-14
| ||
| 03:55 | Updated to allow the Protected Authentication Path to be set only if an X server display is available check-in: b6ea2dbe0a user: rkeene tags: protected-auth-path | |
| 03:48 | Added support for supplying a command to provide a PIN via standard output check-in: b6a0e30bff user: rkeene tags: protected-auth-path | |
| 03:01 | Made test driver aware of PKCS#11 protected authentication path flag check-in: 06eb7a2600 user: rkeene tags: protected-auth-path | |
Changes
Modified cackey.c from [8554f45411] to [1675cfdb33].
| ︙ | ︙ | |||
865 866 867 868 869 870 871 872 873 874 875 876 877 878 |
static int cackey_biglock_init = 0;
CK_C_INITIALIZE_ARGS cackey_args;
/** Extra certificates to include in token **/
struct cackey_pcsc_identity extra_certs[] = {
#include "cackey_builtin_certs.h"
};
/* PCSC Global Handles */
static LPSCARDCONTEXT cackey_pcsc_handle = NULL;
static unsigned long cackey_getversion(void) {
static unsigned long retval = 255;
unsigned long major = 0;
| > > > > > > > > > | 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 |
static int cackey_biglock_init = 0;
CK_C_INITIALIZE_ARGS cackey_args;
/** Extra certificates to include in token **/
struct cackey_pcsc_identity extra_certs[] = {
#include "cackey_builtin_certs.h"
};
/* Protected Authentication Path command */
#ifdef CACKEY_PIN_COMMAND_DEFAULT
# define CACKEY_PIN_COMMAND_DEFAULT_XSTR(str) CACKEY_PIN_COMMAND_DEFAULT_STR(str)
# define CACKEY_PIN_COMMAND_DEFAULT_STR(str) #str
static char *cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_DEFAULT);
#else
static char *cackey_pin_command = NULL;
#endif
/* PCSC Global Handles */
static LPSCARDCONTEXT cackey_pcsc_handle = NULL;
static unsigned long cackey_getversion(void) {
static unsigned long retval = 255;
unsigned long major = 0;
|
| ︙ | ︙ | |||
3046 3047 3048 3049 3050 3051 3052 3053 3054 3055 3056 3057 3058 3059 |
/* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
if (pin_len >= 8) {
memcpy(cac_pin, pin, 8);
} else {
memcpy(cac_pin, pin, pin_len);
}
/* PIV authentication uses a "key_reference" of 0x80 */
pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
if (num_certs > 0 && pcsc_identities != NULL) {
switch (pcsc_identities[0].id_type) {
case CACKEY_ID_TYPE_PIV:
CACKEY_DEBUG_PRINTF("We recently had a PIV card, so we will attempt to authenticate using the PIV Application key reference");
| > > > > > > > | 3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 |
/* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
if (pin_len >= 8) {
memcpy(cac_pin, pin, 8);
} else {
memcpy(cac_pin, pin, pin_len);
}
/* Reject PINs which are too short */
if (pin_len < 5) {
CACKEY_DEBUG_PRINTF("Rejecting PIN which is too short (length = %lu, must be atleast 5)", pin_len);
return(CACKEY_PCSC_E_BADPIN);
}
/* PIV authentication uses a "key_reference" of 0x80 */
pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
if (num_certs > 0 && pcsc_identities != NULL) {
switch (pcsc_identities[0].id_type) {
case CACKEY_ID_TYPE_PIV:
CACKEY_DEBUG_PRINTF("We recently had a PIV card, so we will attempt to authenticate using the PIV Application key reference");
|
| ︙ | ︙ | |||
4113 4114 4115 4116 4117 4118 4119 4120 4121 4122 4123 4124 4125 4126 |
CACKEY_DEBUG_PRINTF("Error. Mutex initialization failed.");
return(CKR_CANT_LOCK);
}
cackey_biglock_init = 1;
}
CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
return(CKR_OK);
}
CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) {
| > > > > > | 4129 4130 4131 4132 4133 4134 4135 4136 4137 4138 4139 4140 4141 4142 4143 4144 4145 4146 4147 |
CACKEY_DEBUG_PRINTF("Error. Mutex initialization failed.");
return(CKR_CANT_LOCK);
}
cackey_biglock_init = 1;
}
/* Define a command to prompt user for a PIN */
if (getenv("CACKEY_PIN_COMMAND") != NULL) {
cackey_pin_command = getenv("CACKEY_PIN_COMMAND");
}
CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
return(CKR_OK);
}
CK_DEFINE_FUNCTION(CK_RV, C_Finalize)(CK_VOID_PTR pReserved) {
|
| ︙ | ︙ | |||
4645 4646 4647 4648 4649 4650 4651 4652 4653 4654 4655 4656 4657 4658 | pInfo->hardwareVersion.major = (cackey_getversion() >> 16) & 0xff; pInfo->hardwareVersion.minor = (cackey_getversion() >> 8) & 0xff; pInfo->firmwareVersion.major = 0x00; pInfo->firmwareVersion.minor = 0x00; pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED | cackey_slots[slotID].token_flags; pInfo->ulMaxSessionCount = (sizeof(cackey_sessions) / sizeof(cackey_sessions[0])) - 1; pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxRwSessionCount = 0; pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION; pInfo->ulMaxPinLen = 128; pInfo->ulMinPinLen = 0; | > > > > | 4666 4667 4668 4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 |
pInfo->hardwareVersion.major = (cackey_getversion() >> 16) & 0xff;
pInfo->hardwareVersion.minor = (cackey_getversion() >> 8) & 0xff;
pInfo->firmwareVersion.major = 0x00;
pInfo->firmwareVersion.minor = 0x00;
pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED | cackey_slots[slotID].token_flags;
if (cackey_pin_command != NULL) {
pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
}
pInfo->ulMaxSessionCount = (sizeof(cackey_sessions) / sizeof(cackey_sessions[0])) - 1;
pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
pInfo->ulMaxRwSessionCount = 0;
pInfo->ulRwSessionCount = CK_UNAVAILABLE_INFORMATION;
pInfo->ulMaxPinLen = 128;
pInfo->ulMinPinLen = 0;
|
| ︙ | ︙ | |||
5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 |
CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
return(CKR_FUNCTION_NOT_SUPPORTED);
}
CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
CK_SLOT_ID slotID;
int mutex_retval;
int tries_remaining;
int login_ret;
CACKEY_DEBUG_PRINTF("Called.");
if (!cackey_initialized) {
CACKEY_DEBUG_PRINTF("Error. Not initialized.");
return(CKR_CRYPTOKI_NOT_INITIALIZED);
| > > > | 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 |
CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
return(CKR_FUNCTION_NOT_SUPPORTED);
}
CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
CK_SLOT_ID slotID;
FILE *pinfd;
char *pincmd, pinbuf[64], *fgets_ret;
int mutex_retval;
int tries_remaining;
int login_ret;
int pclose_ret;
CACKEY_DEBUG_PRINTF("Called.");
if (!cackey_initialized) {
CACKEY_DEBUG_PRINTF("Error. Not initialized.");
return(CKR_CRYPTOKI_NOT_INITIALIZED);
|
| ︙ | ︙ | |||
5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175 |
if (cackey_slots[slotID].active == 0) {
CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);
cackey_mutex_unlock(cackey_biglock);
return(CKR_GENERAL_ERROR);
}
login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
if (login_ret != CACKEY_PCSC_S_OK) {
cackey_mutex_unlock(cackey_biglock);
if (login_ret == CACKEY_PCSC_E_LOCKED) {
CACKEY_DEBUG_PRINTF("Error. Token is locked.");
| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207 5208 5209 5210 5211 5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235 5236 5237 5238 5239 5240 5241 5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 |
if (cackey_slots[slotID].active == 0) {
CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);
cackey_mutex_unlock(cackey_biglock);
return(CKR_GENERAL_ERROR);
}
pincmd = cackey_pin_command;
if (pincmd != NULL) {
CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", pincmd);
if (pPin != NULL) {
CACKEY_DEBUG_PRINTF("Error. Protected authentication path in effect and PIN provided !?");
cackey_mutex_unlock(cackey_biglock);
return(CKR_GENERAL_ERROR);
}
pinfd = popen(pincmd, "r");
if (pinfd == NULL) {
CACKEY_DEBUG_PRINTF("Error. %s: Unable to run", pincmd);
cackey_mutex_unlock(cackey_biglock);
return(CKR_PIN_INCORRECT);
}
fgets_ret = fgets(pinbuf, sizeof(pinbuf), pinfd);
if (fgets_ret == NULL) {
pinbuf[0] = '\0';
}
pclose_ret = pclose(pinfd);
if (pclose_ret != 0) {
CACKEY_DEBUG_PRINTF("Error. %s: exited with non-zero status of %i", pincmd, pclose_ret);
cackey_mutex_unlock(cackey_biglock);
return(CKR_PIN_INCORRECT);
}
if (strlen(pinbuf) < 1) {
CACKEY_DEBUG_PRINTF("Error. %s: returned no data", pincmd);
cackey_mutex_unlock(cackey_biglock);
return(CKR_PIN_INCORRECT);
}
if (pinbuf[strlen(pinbuf) - 1] == '\n') {
pinbuf[strlen(pinbuf) - 1] = '\0';
}
pPin = (CK_UTF8CHAR_PTR) pinbuf;
ulPinLen = strlen(pinbuf);
}
login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
if (login_ret != CACKEY_PCSC_S_OK) {
cackey_mutex_unlock(cackey_biglock);
if (login_ret == CACKEY_PCSC_E_LOCKED) {
CACKEY_DEBUG_PRINTF("Error. Token is locked.");
|
| ︙ | ︙ |
Modified configure.ac from [9a7cfcd810] to [0e5526103b].
| ︙ | ︙ | |||
149 150 151 152 153 154 155 156 157 158 159 160 161 162 |
], [
dodcertsonhwslots=no
])
if ! test "${dodcertsonhwslots}" = 'no'; then
AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots])
fi
dnl Set version script, to limit the scope of symbols
DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
DC_SYNC_RPATH
| > > > > > > > > > > > | 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 |
], [
dodcertsonhwslots=no
])
if ! test "${dodcertsonhwslots}" = 'no'; then
AC_DEFINE(CACKEY_CARD_SLOT_INCLUDE_EXTRA_CERTS, [1], [Specify that DoD certificates should be made available on hardware token slots])
fi
dnl Option to hard-code a command to run to request a PIN (enabling protected authentication path)
AC_ARG_WITH(pin-command, AC_HELP_STRING([--with-pin-command=<command>], [Specify a command to run to request a PIN from the user. The user may override this with the CACKEY_PIN_COMMAND environment variable.]), [
pincommand="${withval}"
], [
pincommand="no"
])
if ! test "${pincommand}" = 'no'; then
AC_DEFINE_UNQUOTED(CACKEY_PIN_COMMAND_DEFAULT, [$pincommand], [Command to run to prompt user for PIN])
fi
dnl Set version script, to limit the scope of symbols
DC_SETVERSIONSCRIPT(libcackey.vers, libcackey.syms)
dnl Upate LDFLAGS to include setting the run-time linker path to the same as our compile-time linker
DC_SYNC_RPATH
|
| ︙ | ︙ |