Changes In Branch protected-auth-path Through [27d18fd03a] Excluding Merge-Ins
This is equivalent to a diff from 8a76f09a85 to 27d18fd03a
|
2013-09-14
| ||
| 04:11 | Merged in changes from piv check-in: 5f8f3e59a7 user: rkeene tags: protected-auth-path | |
|
2013-08-19
| ||
| 03:19 | Fixed memory leak when checking PIV certificates check-in: 182c88b988 user: rkeene tags: piv | |
|
2013-08-18
| ||
| 06:53 | First work towards implementing C_WaitForSlotEvent check-in: 4d4946cc1f user: rkeene tags: wait-for-slot-event | |
|
2013-08-14
| ||
| 06:29 | Updated to not dead-lock when prompting for PIN during a signing operation check-in: 27d18fd03a user: rkeene tags: protected-auth-path | |
| 05:53 | If using Protected Authentication Path, don't set the LOGIN_REQUIRED flag check-in: 14d49a499f user: rkeene tags: protected-auth-path | |
| 04:54 | Added support for enabling the PROTECTED_AUTHENTICATION_PATH flag for the token if a command to provide the PIN is configured check-in: 8a76f09a85 user: rkeene tags: piv | |
| 04:49 | Merged trunk check-in: 2e12e46ded user: rkeene tags: piv | |
| 04:22 | Merged in updates check-in: 5469f9a4d0 user: rkeene tags: protected-auth-path | |
Modified cackey.c from [ce38432e82] to [37c3fd69d4].
| ︙ | ︙ | |||
1114 1115 1116 1117 1118 1119 1120 |
if (slot->pcsc_card_connected) {
SCardDisconnect(slot->pcsc_card, SCARD_LEAVE_CARD);
}
slot->slot_reset = 1;
slot->pcsc_card_connected = 0;
| > | > > > | 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 |
if (slot->pcsc_card_connected) {
SCardDisconnect(slot->pcsc_card, SCARD_LEAVE_CARD);
}
slot->slot_reset = 1;
slot->pcsc_card_connected = 0;
if (cackey_pin_command == NULL) {
slot->token_flags = CKF_LOGIN_REQUIRED;
} else {
slot->token_flags = 0;
}
CACKEY_DEBUG_PRINTF("Returning.");
return;
}
/*
|
| ︙ | ︙ | |||
2866 2867 2868 2869 2870 2871 2872 | free(tmpbuf_s); } } /* End transaction */ cackey_end_transaction(slot); | | < | 2870 2871 2872 2873 2874 2875 2876 2877 2878 2879 2880 2881 2882 2883 2884 2885 2886 2887 |
free(tmpbuf_s);
}
}
/* End transaction */
cackey_end_transaction(slot);
if (respcode == 0x6982 || respcode == 0x6e00) {
CACKEY_DEBUG_PRINTF("Security status not satisified. Returning NEEDLOGIN");
cackey_mark_slot_reset(slot);
return(CACKEY_PCSC_E_NEEDLOGIN);
}
if (send_ret == CACKEY_PCSC_E_TOKENABSENT) {
CACKEY_DEBUG_PRINTF("Token absent. Returning TOKENABSENT");
|
| ︙ | ︙ | |||
4418 4419 4420 4421 4422 4423 4424 |
if (slot_reset) {
cackey_slots[currslot].active = 1;
cackey_slots[currslot].internal = 0;
cackey_slots[currslot].pcsc_reader = strdup(pcsc_readers);
cackey_slots[currslot].pcsc_card_connected = 0;
cackey_slots[currslot].transaction_depth = 0;
cackey_slots[currslot].transaction_need_hw_lock = 0;
| > | > > > | 4421 4422 4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435 4436 4437 4438 4439 |
if (slot_reset) {
cackey_slots[currslot].active = 1;
cackey_slots[currslot].internal = 0;
cackey_slots[currslot].pcsc_reader = strdup(pcsc_readers);
cackey_slots[currslot].pcsc_card_connected = 0;
cackey_slots[currslot].transaction_depth = 0;
cackey_slots[currslot].transaction_need_hw_lock = 0;
if (cackey_pin_command == NULL) {
cackey_slots[currslot].token_flags = CKF_LOGIN_REQUIRED;
} else {
cackey_slots[currslot].token_flags = 0;
}
cackey_slots[currslot].label = NULL;
cackey_mark_slot_reset(&cackey_slots[currslot]);
}
} else {
/* Artificially increase the number of active slots by what will become active */
slot_count++;
|
| ︙ | ︙ | |||
5163 5164 5165 5166 5167 5168 5169 |
}
CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
return(CKR_FUNCTION_NOT_SUPPORTED);
}
| | | 5170 5171 5172 5173 5174 5175 5176 5177 5178 5179 5180 5181 5182 5183 5184 |
}
CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
return(CKR_FUNCTION_NOT_SUPPORTED);
}
CK_DEFINE_FUNCTION(CK_RV, _C_LoginMutexArg)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, int lock_mutex) {
CK_SLOT_ID slotID;
FILE *pinfd;
char *pincmd, pinbuf[64], *fgets_ret;
int mutex_retval;
int tries_remaining;
int login_ret;
int pclose_ret;
|
| ︙ | ︙ | |||
5192 5193 5194 5195 5196 5197 5198 |
if (userType != CKU_USER) {
CACKEY_DEBUG_PRINTF("Error. We only support USER mode, asked for %lu mode.", (unsigned long) userType)
return(CKR_USER_TYPE_INVALID);
}
| > | | | | > > | > > > > > > | > > | > > | > > | > > | > | 5199 5200 5201 5202 5203 5204 5205 5206 5207 5208 5209 5210 5211 5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235 5236 5237 5238 5239 5240 5241 5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291 5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316 5317 |
if (userType != CKU_USER) {
CACKEY_DEBUG_PRINTF("Error. We only support USER mode, asked for %lu mode.", (unsigned long) userType)
return(CKR_USER_TYPE_INVALID);
}
if (lock_mutex) {
mutex_retval = cackey_mutex_lock(cackey_biglock);
if (mutex_retval != 0) {
CACKEY_DEBUG_PRINTF("Error. Locking failed.");
return(CKR_GENERAL_ERROR);
}
}
if (!cackey_sessions[hSession].active) {
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
CACKEY_DEBUG_PRINTF("Error. Session not active.");
return(CKR_SESSION_HANDLE_INVALID);
}
slotID = cackey_sessions[hSession].slotID;
if (slotID < 0 || slotID >= (sizeof(cackey_slots) / sizeof(cackey_slots[0]))) {
CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), outside of valid range", slotID);
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
return(CKR_GENERAL_ERROR);
}
if (cackey_slots[slotID].active == 0) {
CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
return(CKR_GENERAL_ERROR);
}
pincmd = cackey_pin_command;
if (pincmd != NULL) {
CACKEY_DEBUG_PRINTF("CACKEY_PIN_COMMAND = %s", pincmd);
if (pPin != NULL) {
CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?");
}
pinfd = popen(pincmd, "r");
if (pinfd == NULL) {
CACKEY_DEBUG_PRINTF("Error. %s: Unable to run", pincmd);
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
return(CKR_PIN_INCORRECT);
}
fgets_ret = fgets(pinbuf, sizeof(pinbuf), pinfd);
if (fgets_ret == NULL) {
pinbuf[0] = '\0';
}
pclose_ret = pclose(pinfd);
if (pclose_ret != 0) {
CACKEY_DEBUG_PRINTF("Error. %s: exited with non-zero status of %i", pincmd, pclose_ret);
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
return(CKR_PIN_INCORRECT);
}
if (strlen(pinbuf) < 1) {
CACKEY_DEBUG_PRINTF("Error. %s: returned no data", pincmd);
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
return(CKR_PIN_INCORRECT);
}
if (pinbuf[strlen(pinbuf) - 1] == '\n') {
pinbuf[strlen(pinbuf) - 1] = '\0';
}
pPin = (CK_UTF8CHAR_PTR) pinbuf;
ulPinLen = strlen(pinbuf);
}
login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
if (login_ret != CACKEY_PCSC_S_OK) {
if (lock_mutex) {
cackey_mutex_unlock(cackey_biglock);
}
if (login_ret == CACKEY_PCSC_E_LOCKED) {
CACKEY_DEBUG_PRINTF("Error. Token is locked.");
cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED;
CACKEY_DEBUG_PRINTF("Returning CKR_PIN_LOCKED (%i)", (int) CKR_PIN_LOCKED);
|
| ︙ | ︙ | |||
5311 5312 5313 5314 5315 5316 5317 | return(CKR_GENERAL_ERROR); } cackey_slots[slotID].token_flags &= ~(CKF_USER_PIN_LOCKED | CKF_USER_PIN_COUNT_LOW | CKF_LOGIN_REQUIRED | CKF_USER_PIN_FINAL_TRY); cackey_sessions[hSession].state = CKS_RO_USER_FUNCTIONS; | > | | | | > > > > > | 5336 5337 5338 5339 5340 5341 5342 5343 5344 5345 5346 5347 5348 5349 5350 5351 5352 5353 5354 5355 5356 5357 5358 5359 5360 5361 5362 5363 5364 5365 5366 |
return(CKR_GENERAL_ERROR);
}
cackey_slots[slotID].token_flags &= ~(CKF_USER_PIN_LOCKED | CKF_USER_PIN_COUNT_LOW | CKF_LOGIN_REQUIRED | CKF_USER_PIN_FINAL_TRY);
cackey_sessions[hSession].state = CKS_RO_USER_FUNCTIONS;
if (lock_mutex) {
mutex_retval = cackey_mutex_unlock(cackey_biglock);
if (mutex_retval != 0) {
CACKEY_DEBUG_PRINTF("Error. Unlocking failed.");
return(CKR_GENERAL_ERROR);
}
}
CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
return(CKR_OK);
}
CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
return(_C_LoginMutexArg(hSession, userType, pPin, ulPinLen, 1));
}
CK_DEFINE_FUNCTION(CK_RV, C_Logout)(CK_SESSION_HANDLE hSession) {
CK_SLOT_ID slotID;
int mutex_retval;
CACKEY_DEBUG_PRINTF("Called.");
|
| ︙ | ︙ | |||
5373 5374 5375 5376 5377 5378 5379 | cackey_mutex_unlock(cackey_biglock); return(CKR_GENERAL_ERROR); } cackey_sessions[hSession].state = CKS_RO_PUBLIC_SESSION; | > > | > > > | 5404 5405 5406 5407 5408 5409 5410 5411 5412 5413 5414 5415 5416 5417 5418 5419 5420 5421 5422 5423 |
cackey_mutex_unlock(cackey_biglock);
return(CKR_GENERAL_ERROR);
}
cackey_sessions[hSession].state = CKS_RO_PUBLIC_SESSION;
if (cackey_pin_command == NULL) {
cackey_slots[slotID].token_flags = CKF_LOGIN_REQUIRED;
} else {
cackey_slots[slotID].token_flags = 0;
}
mutex_retval = cackey_mutex_unlock(cackey_biglock);
if (mutex_retval != 0) {
CACKEY_DEBUG_PRINTF("Error. Unlocking failed.");
return(CKR_GENERAL_ERROR);
}
|
| ︙ | ︙ | |||
6297 6298 6299 6300 6301 6302 6303 6304 6305 6306 6307 6308 6309 6310 |
return(CKR_GENERAL_ERROR);
}
switch (cackey_sessions[hSession].decrypt_mechanism) {
case CKM_RSA_PKCS:
/* Ask card to decrypt */
buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1);
if (buflen < 0) {
/* Decryption failed. */
if (buflen == CACKEY_PCSC_E_NEEDLOGIN) {
retval = CKR_USER_NOT_LOGGED_IN;
} else if (buflen == CACKEY_PCSC_E_TOKENABSENT) {
retval = CKR_DEVICE_REMOVED;
| > > > > > > | 6333 6334 6335 6336 6337 6338 6339 6340 6341 6342 6343 6344 6345 6346 6347 6348 6349 6350 6351 6352 |
return(CKR_GENERAL_ERROR);
}
switch (cackey_sessions[hSession].decrypt_mechanism) {
case CKM_RSA_PKCS:
/* Ask card to decrypt */
buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1);
if (buflen == CACKEY_PCSC_E_NEEDLOGIN && cackey_pin_command != NULL) {
if (_C_LoginMutexArg(hSession, CKU_USER, NULL, 0, 0) == CKR_OK) {
buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1);
}
}
if (buflen < 0) {
/* Decryption failed. */
if (buflen == CACKEY_PCSC_E_NEEDLOGIN) {
retval = CKR_USER_NOT_LOGGED_IN;
} else if (buflen == CACKEY_PCSC_E_TOKENABSENT) {
retval = CKR_DEVICE_REMOVED;
|
| ︙ | ︙ | |||
6808 6809 6810 6811 6812 6813 6814 6815 6816 6817 6818 6819 6820 6821 |
}
switch (cackey_sessions[hSession].sign_mechanism) {
case CKM_RSA_PKCS:
/* Ask card to sign */
CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", (void *) cackey_sessions[hSession].sign_identity, (unsigned long) hSession);
sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0);
if (sigbuflen < 0) {
/* Signing failed. */
if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN) {
retval = CKR_USER_NOT_LOGGED_IN;
} else if (sigbuflen == CACKEY_PCSC_E_TOKENABSENT) {
retval = CKR_DEVICE_REMOVED;
| > > > > > > | 6850 6851 6852 6853 6854 6855 6856 6857 6858 6859 6860 6861 6862 6863 6864 6865 6866 6867 6868 6869 |
}
switch (cackey_sessions[hSession].sign_mechanism) {
case CKM_RSA_PKCS:
/* Ask card to sign */
CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", (void *) cackey_sessions[hSession].sign_identity, (unsigned long) hSession);
sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0);
if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN && cackey_pin_command != NULL) {
if (_C_LoginMutexArg(hSession, CKU_USER, NULL, 0, 0) == CKR_OK) {
sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0);
}
}
if (sigbuflen < 0) {
/* Signing failed. */
if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN) {
retval = CKR_USER_NOT_LOGGED_IN;
} else if (sigbuflen == CACKEY_PCSC_E_TOKENABSENT) {
retval = CKR_DEVICE_REMOVED;
|
| ︙ | ︙ |