Line | Source | Count |
1 | | - |
2 | | - |
3 | | - |
4 | | - |
5 | | - |
6 | | - |
7 | | - |
8 | | - |
9 | | - |
10 | | - |
11 | | - |
12 | | - |
13 | | - |
14 | | - |
15 | | - |
16 | | - |
17 | | - |
18 | #include "includes.h" | - |
19 | | - |
20 | #ifdef ENABLE_PKCS11 | - |
21 | | - |
22 | #include <sys/types.h> | - |
23 | #ifdef HAVE_SYS_TIME_H | - |
24 | # include <sys/time.h> | - |
25 | #endif | - |
26 | #include <stdarg.h> | - |
27 | #include <stdio.h> | - |
28 | | - |
29 | #include <string.h> | - |
30 | #include <dlfcn.h> | - |
31 | | - |
32 | #include "openbsd-compat/sys-queue.h" | - |
33 | #include "openbsd-compat/openssl-compat.h" | - |
34 | | - |
35 | #include <openssl/x509.h> | - |
36 | | - |
37 | #define CRYPTOKI_COMPAT | - |
38 | #include "pkcs11.h" | - |
39 | | - |
40 | #include "log.h" | - |
41 | #include "misc.h" | - |
42 | #include "sshkey.h" | - |
43 | #include "ssh-pkcs11.h" | - |
44 | #include "xmalloc.h" | - |
45 | | - |
46 | struct pkcs11_slotinfo { | - |
47 | CK_TOKEN_INFO token; | - |
48 | CK_SESSION_HANDLE session; | - |
49 | int logged_in; | - |
50 | }; | - |
51 | | - |
52 | struct pkcs11_provider { | - |
53 | char *name; | - |
54 | void *handle; | - |
55 | CK_FUNCTION_LIST *function_list; | - |
56 | CK_INFO info; | - |
57 | CK_ULONG nslots; | - |
58 | CK_SLOT_ID *slotlist; | - |
59 | struct pkcs11_slotinfo *slotinfo; | - |
60 | int valid; | - |
61 | int refcount; | - |
62 | TAILQ_ENTRY(pkcs11_provider) next; | - |
63 | }; | - |
64 | | - |
65 | TAILQ_HEAD(, pkcs11_provider) pkcs11_providers; | - |
66 | | - |
67 | struct pkcs11_key { | - |
68 | struct pkcs11_provider *provider; | - |
69 | CK_ULONG slotidx; | - |
70 | int (*orig_finish)(RSA *rsa); | - |
71 | RSA_METHOD *rsa_method; | - |
72 | char *keyid; | - |
73 | int keyid_len; | - |
74 | }; | - |
75 | | - |
76 | int pkcs11_interactive = 0; | - |
77 | | - |
78 | int | - |
79 | pkcs11_init(int interactive) | - |
80 | { | - |
81 | pkcs11_interactive = interactive; | - |
82 | TAILQ_INIT(&pkcs11_providers); | - |
83 | return (0); never executed: return (0); | 0 |
84 | } | - |
85 | | - |
86 | | - |
87 | | - |
88 | | - |
89 | | - |
90 | | - |
91 | | - |
92 | static void | - |
93 | pkcs11_provider_finalize(struct pkcs11_provider *p) | - |
94 | { | - |
95 | CK_RV rv; | - |
96 | CK_ULONG i; | - |
97 | | - |
98 | debug("pkcs11_provider_finalize: %p refcount %d valid %d", | - |
99 | p, p->refcount, p->valid); | - |
100 | if (!p->valid)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
101 | return; never executed: return; | 0 |
102 | for (i = 0; i < p->nslots; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
103 | if (p->slotinfo[i].session &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
104 | (rv = p->function_list->C_CloseSession(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
105 | p->slotinfo[i].session)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
106 | error("C_CloseSession failed: %lu", rv); never executed: error("C_CloseSession failed: %lu", rv); | 0 |
107 | } never executed: end of block | 0 |
108 | if ((rv = p->function_list->C_Finalize(NULL)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
109 | error("C_Finalize failed: %lu", rv); never executed: error("C_Finalize failed: %lu", rv); | 0 |
110 | p->valid = 0; | - |
111 | p->function_list = NULL; | - |
112 | dlclose(p->handle); | - |
113 | } never executed: end of block | 0 |
114 | | - |
115 | | - |
116 | | - |
117 | | - |
118 | | - |
119 | static void | - |
120 | pkcs11_provider_unref(struct pkcs11_provider *p) | - |
121 | { | - |
122 | debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); | - |
123 | if (--p->refcount <= 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
124 | if (p->valid)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
125 | error("pkcs11_provider_unref: %p still valid", p); never executed: error("pkcs11_provider_unref: %p still valid", p); | 0 |
126 | free(p->slotlist); | - |
127 | free(p->slotinfo); | - |
128 | free(p); | - |
129 | } never executed: end of block | 0 |
130 | } never executed: end of block | 0 |
131 | | - |
132 | | - |
133 | void | - |
134 | pkcs11_terminate(void) | - |
135 | { | - |
136 | struct pkcs11_provider *p; | - |
137 | | - |
138 | while ((p = TAILQ_FIRST(&pkcs11_providers)) != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
139 | TAILQ_REMOVE(&pkcs11_providers, p, next); never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; TRUE | never evaluated | FALSE | never evaluated |
| 0 |
140 | pkcs11_provider_finalize(p); | - |
141 | pkcs11_provider_unref(p); | - |
142 | } never executed: end of block | 0 |
143 | } never executed: end of block | 0 |
144 | | - |
145 | | - |
146 | static struct pkcs11_provider * | - |
147 | pkcs11_provider_lookup(char *provider_id) | - |
148 | { | - |
149 | struct pkcs11_provider *p; | - |
150 | | - |
151 | TAILQ_FOREACH(p, &pkcs11_providers, next) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
152 | debug("check %p %s", p, p->name); | - |
153 | if (!strcmp(provider_id, p->name)) never executed: __result = (((const unsigned char *) (const char *) ( provider_id ))[3] - __s2[3]); never executed: end of block never executed: end of block never executed: __result = (((const unsigned char *) (const char *) ( p->name ))[3] - __s2[3]); never executed: end of block never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
154 | return (p); never executed: return (p); | 0 |
155 | } never executed: end of block | 0 |
156 | return (NULL); never executed: return ( ((void *)0) ); | 0 |
157 | } | - |
158 | | - |
159 | | - |
160 | int | - |
161 | pkcs11_del_provider(char *provider_id) | - |
162 | { | - |
163 | struct pkcs11_provider *p; | - |
164 | | - |
165 | if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
166 | TAILQ_REMOVE(&pkcs11_providers, p, next); never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; TRUE | never evaluated | FALSE | never evaluated |
| 0 |
167 | pkcs11_provider_finalize(p); | - |
168 | pkcs11_provider_unref(p); | - |
169 | return (0); never executed: return (0); | 0 |
170 | } | - |
171 | return (-1); never executed: return (-1); | 0 |
172 | } | - |
173 | | - |
174 | | - |
175 | static int | - |
176 | pkcs11_rsa_finish(RSA *rsa) | - |
177 | { | - |
178 | struct pkcs11_key *k11; | - |
179 | int rv = -1; | - |
180 | | - |
181 | if ((k11 = RSA_get_app_data(rsa)) != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
182 | if (k11->orig_finish)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
183 | rv = k11->orig_finish(rsa); never executed: rv = k11->orig_finish(rsa); | 0 |
184 | if (k11->provider)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
185 | pkcs11_provider_unref(k11->provider); never executed: pkcs11_provider_unref(k11->provider); | 0 |
186 | RSA_meth_free(k11->rsa_method); | - |
187 | free(k11->keyid); | - |
188 | free(k11); | - |
189 | } never executed: end of block | 0 |
190 | return (rv); never executed: return (rv); | 0 |
191 | } | - |
192 | | - |
193 | | - |
194 | static int | - |
195 | pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr, | - |
196 | CK_ULONG nattr, CK_OBJECT_HANDLE *obj) | - |
197 | { | - |
198 | CK_FUNCTION_LIST *f; | - |
199 | CK_SESSION_HANDLE session; | - |
200 | CK_ULONG nfound = 0; | - |
201 | CK_RV rv; | - |
202 | int ret = -1; | - |
203 | | - |
204 | f = p->function_list; | - |
205 | session = p->slotinfo[slotidx].session; | - |
206 | if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
207 | error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv); | - |
208 | return (-1); never executed: return (-1); | 0 |
209 | } | - |
210 | if ((rv = f->C_FindObjects(session, obj, 1, &nfound)) != CKR_OK ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
211 | nfound != 1) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
212 | debug("C_FindObjects failed (nfound %lu nattr %lu): %lu", | - |
213 | nfound, nattr, rv); | - |
214 | } else never executed: end of block | 0 |
215 | ret = 0; never executed: ret = 0; | 0 |
216 | if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
217 | error("C_FindObjectsFinal failed: %lu", rv); never executed: error("C_FindObjectsFinal failed: %lu", rv); | 0 |
218 | return (ret); never executed: return (ret); | 0 |
219 | } | - |
220 | | - |
221 | | - |
222 | static int | - |
223 | pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | - |
224 | int padding) | - |
225 | { | - |
226 | struct pkcs11_key *k11; | - |
227 | struct pkcs11_slotinfo *si; | - |
228 | CK_FUNCTION_LIST *f; | - |
229 | CK_OBJECT_HANDLE obj; | - |
230 | CK_ULONG tlen = 0; | - |
231 | CK_RV rv; | - |
232 | CK_OBJECT_CLASS private_key_class = CKO_PRIVATE_KEY; | - |
233 | CK_BBOOL true_val = CK_TRUE; | - |
234 | CK_MECHANISM mech = { | - |
235 | CKM_RSA_PKCS, NULL_PTR, 0 | - |
236 | }; | - |
237 | CK_ATTRIBUTE key_filter[] = { | - |
238 | {CKA_CLASS, NULL, sizeof(private_key_class) }, | - |
239 | {CKA_ID, NULL, 0}, | - |
240 | {CKA_SIGN, NULL, sizeof(true_val) } | - |
241 | }; | - |
242 | char *pin = NULL, prompt[1024]; | - |
243 | int rval = -1; | - |
244 | | - |
245 | key_filter[0].pValue = &private_key_class; | - |
246 | key_filter[2].pValue = &true_val; | - |
247 | | - |
248 | if ((k11 = RSA_get_app_data(rsa)) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
249 | error("RSA_get_app_data failed for rsa %p", rsa); | - |
250 | return (-1); never executed: return (-1); | 0 |
251 | } | - |
252 | if (!k11->provider || !k11->provider->valid) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
253 | error("no pkcs11 (valid) provider for rsa %p", rsa); | - |
254 | return (-1); never executed: return (-1); | 0 |
255 | } | - |
256 | f = k11->provider->function_list; | - |
257 | si = &k11->provider->slotinfo[k11->slotidx]; | - |
258 | if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
259 | if (!pkcs11_interactive) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
260 | error("need pin entry%s", (si->token.flags & | - |
261 | CKF_PROTECTED_AUTHENTICATION_PATH) ? | - |
262 | " on reader keypad" : ""); | - |
263 | return (-1); never executed: return (-1); | 0 |
264 | } | - |
265 | if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
266 | verbose("Deferring PIN entry to reader keypad."); never executed: verbose("Deferring PIN entry to reader keypad."); | 0 |
267 | else { | - |
268 | snprintf(prompt, sizeof(prompt), | - |
269 | "Enter PIN for '%s': ", si->token.label); | - |
270 | pin = read_passphrase(prompt, RP_ALLOW_EOF); | - |
271 | if (pin == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
272 | return (-1); never executed: return (-1); | 0 |
273 | } never executed: end of block | 0 |
274 | rv = f->C_Login(si->session, CKU_USER, (u_char *)pin, | - |
275 | (pin != NULL) ? strlen(pin) : 0); | - |
276 | if (pin != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
277 | explicit_bzero(pin, strlen(pin)); | - |
278 | free(pin); | - |
279 | } never executed: end of block | 0 |
280 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
281 | error("C_Login failed: %lu", rv); | - |
282 | return (-1); never executed: return (-1); | 0 |
283 | } | - |
284 | si->logged_in = 1; | - |
285 | } never executed: end of block | 0 |
286 | key_filter[1].pValue = k11->keyid; | - |
287 | key_filter[1].ulValueLen = k11->keyid_len; | - |
288 | | - |
289 | if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&TRUE | never evaluated | FALSE | never evaluated |
| 0 |
290 | pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
291 | error("cannot find private key"); | - |
292 | } else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) { never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
293 | error("C_SignInit failed: %lu", rv); | - |
294 | } else { never executed: end of block | 0 |
295 | | - |
296 | tlen = RSA_size(rsa); | - |
297 | rv = f->C_Sign(si->session, (CK_BYTE *)from, flen, to, &tlen); | - |
298 | if (rv == CKR_OK) TRUE | never evaluated | FALSE | never evaluated |
| 0 |
299 | rval = tlen; never executed: rval = tlen; | 0 |
300 | else | - |
301 | error("C_Sign failed: %lu", rv); never executed: error("C_Sign failed: %lu", rv); | 0 |
302 | } | - |
303 | return (rval); never executed: return (rval); | 0 |
304 | } | - |
305 | | - |
306 | static int | - |
307 | pkcs11_rsa_private_decrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | - |
308 | int padding) | - |
309 | { | - |
310 | return (-1); never executed: return (-1); | 0 |
311 | } | - |
312 | | - |
313 | | - |
314 | static int | - |
315 | pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, | - |
316 | CK_ATTRIBUTE *keyid_attrib, RSA *rsa) | - |
317 | { | - |
318 | struct pkcs11_key *k11; | - |
319 | const RSA_METHOD *def = RSA_get_default_method(); | - |
320 | | - |
321 | k11 = xcalloc(1, sizeof(*k11)); | - |
322 | k11->provider = provider; | - |
323 | provider->refcount++; | - |
324 | k11->slotidx = slotidx; | - |
325 | | - |
326 | k11->keyid_len = keyid_attrib->ulValueLen; | - |
327 | if (k11->keyid_len > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
328 | k11->keyid = xmalloc(k11->keyid_len); | - |
329 | memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); | - |
330 | } never executed: end of block | 0 |
331 | k11->rsa_method = RSA_meth_dup(def); | - |
332 | if (k11->rsa_method == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
333 | fatal("%s: RSA_meth_dup failed", __func__); never executed: fatal("%s: RSA_meth_dup failed", __func__); | 0 |
334 | k11->orig_finish = RSA_meth_get_finish(def); | - |
335 | if (!RSA_meth_set1_name(k11->rsa_method, "pkcs11") ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
336 | !RSA_meth_set_priv_enc(k11->rsa_method,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
337 | pkcs11_rsa_private_encrypt) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
338 | !RSA_meth_set_priv_dec(k11->rsa_method,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
339 | pkcs11_rsa_private_decrypt) ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
340 | !RSA_meth_set_finish(k11->rsa_method, pkcs11_rsa_finish))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
341 | fatal("%s: setup pkcs11 method failed", __func__); never executed: fatal("%s: setup pkcs11 method failed", __func__); | 0 |
342 | RSA_set_method(rsa, k11->rsa_method); | - |
343 | RSA_set_app_data(rsa, k11); | - |
344 | return (0); never executed: return (0); | 0 |
345 | } | - |
346 | | - |
347 | | - |
348 | static void | - |
349 | rmspace(u_char *buf, size_t len) | - |
350 | { | - |
351 | size_t i; | - |
352 | | - |
353 | if (!len)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
354 | return; never executed: return; | 0 |
355 | for (i = len - 1; i > 0; i--)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
356 | if (i == len - 1 || buf[i] == ' ')TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
357 | buf[i] = '\0'; never executed: buf[i] = '\0'; | 0 |
358 | else | - |
359 | break; never executed: break; | 0 |
360 | } never executed: end of block | 0 |
361 | | - |
362 | | - |
363 | | - |
364 | | - |
365 | | - |
366 | static int | - |
367 | pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) | - |
368 | { | - |
369 | CK_RV rv; | - |
370 | CK_FUNCTION_LIST *f; | - |
371 | CK_SESSION_HANDLE session; | - |
372 | int login_required; | - |
373 | | - |
374 | f = p->function_list; | - |
375 | login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED; | - |
376 | if (pin && login_required && !strlen(pin)) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
377 | error("pin required"); | - |
378 | return (-1); never executed: return (-1); | 0 |
379 | } | - |
380 | if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION|TRUE | never evaluated | FALSE | never evaluated |
| 0 |
381 | CKF_SERIAL_SESSION, NULL, NULL, &session))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
382 | != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
383 | error("C_OpenSession failed: %lu", rv); | - |
384 | return (-1); never executed: return (-1); | 0 |
385 | } | - |
386 | if (login_required && pin) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
387 | rv = f->C_Login(session, CKU_USER, | - |
388 | (u_char *)pin, strlen(pin)); | - |
389 | if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
390 | error("C_Login failed: %lu", rv); | - |
391 | if ((rv = f->C_CloseSession(session)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
392 | error("C_CloseSession failed: %lu", rv); never executed: error("C_CloseSession failed: %lu", rv); | 0 |
393 | return (-1); never executed: return (-1); | 0 |
394 | } | - |
395 | p->slotinfo[slotidx].logged_in = 1; | - |
396 | } never executed: end of block | 0 |
397 | p->slotinfo[slotidx].session = session; | - |
398 | return (0); never executed: return (0); | 0 |
399 | } | - |
400 | | - |
401 | | - |
402 | | - |
403 | | - |
404 | | - |
405 | | - |
406 | static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, | - |
407 | CK_ATTRIBUTE [], CK_ATTRIBUTE [3], struct sshkey ***, int *) | - |
408 | __attribute__((__bounded__(__minbytes__,4, 3 * sizeof(CK_ATTRIBUTE)))); | - |
409 | | - |
410 | static int | - |
411 | pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, | - |
412 | struct sshkey ***keysp, int *nkeys) | - |
413 | { | - |
414 | CK_OBJECT_CLASS pubkey_class = CKO_PUBLIC_KEY; | - |
415 | CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; | - |
416 | CK_ATTRIBUTE pubkey_filter[] = { | - |
417 | { CKA_CLASS, NULL, sizeof(pubkey_class) } | - |
418 | }; | - |
419 | CK_ATTRIBUTE cert_filter[] = { | - |
420 | { CKA_CLASS, NULL, sizeof(cert_class) } | - |
421 | }; | - |
422 | CK_ATTRIBUTE pubkey_attribs[] = { | - |
423 | { CKA_ID, NULL, 0 }, | - |
424 | { CKA_MODULUS, NULL, 0 }, | - |
425 | { CKA_PUBLIC_EXPONENT, NULL, 0 } | - |
426 | }; | - |
427 | CK_ATTRIBUTE cert_attribs[] = { | - |
428 | { CKA_ID, NULL, 0 }, | - |
429 | { CKA_SUBJECT, NULL, 0 }, | - |
430 | { CKA_VALUE, NULL, 0 } | - |
431 | }; | - |
432 | pubkey_filter[0].pValue = &pubkey_class; | - |
433 | cert_filter[0].pValue = &cert_class; | - |
434 | | - |
435 | if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
436 | keysp, nkeys) < 0 ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
437 | pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
438 | keysp, nkeys) < 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
439 | return (-1); never executed: return (-1); | 0 |
440 | return (0); never executed: return (0); | 0 |
441 | } | - |
442 | | - |
443 | static int | - |
444 | pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) | - |
445 | { | - |
446 | int i; | - |
447 | | - |
448 | for (i = 0; i < *nkeys; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
449 | if (sshkey_equal(key, (*keysp)[i]))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
450 | return (1); never executed: return (1); | 0 |
451 | return (0); never executed: return (0); | 0 |
452 | } | - |
453 | | - |
454 | static int | - |
455 | have_rsa_key(const RSA *rsa) | - |
456 | { | - |
457 | const BIGNUM *rsa_n, *rsa_e; | - |
458 | | - |
459 | RSA_get0_key(rsa, &rsa_n, &rsa_e, NULL); | - |
460 | return rsa_n != NULL && rsa_e != NULL; never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
461 | } | - |
462 | | - |
463 | static int | - |
464 | pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, | - |
465 | CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], | - |
466 | struct sshkey ***keysp, int *nkeys) | - |
467 | { | - |
468 | struct sshkey *key; | - |
469 | RSA *rsa; | - |
470 | X509 *x509; | - |
471 | EVP_PKEY *evp; | - |
472 | int i; | - |
473 | const u_char *cp; | - |
474 | CK_RV rv; | - |
475 | CK_OBJECT_HANDLE obj; | - |
476 | CK_ULONG nfound; | - |
477 | CK_SESSION_HANDLE session; | - |
478 | CK_FUNCTION_LIST *f; | - |
479 | | - |
480 | f = p->function_list; | - |
481 | session = p->slotinfo[slotidx].session; | - |
482 | | - |
483 | if ((rv = f->C_FindObjectsInit(session, filter, 1)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
484 | error("C_FindObjectsInit failed: %lu", rv); | - |
485 | return (-1); never executed: return (-1); | 0 |
486 | } | - |
487 | while (1) { | - |
488 | | - |
489 | for (i = 0; i < 3; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
490 | attribs[i].pValue = NULL; | - |
491 | attribs[i].ulValueLen = 0; | - |
492 | } never executed: end of block | 0 |
493 | if ((rv = f->C_FindObjects(session, &obj, 1, &nfound)) != CKR_OKTRUE | never evaluated | FALSE | never evaluated |
| 0 |
494 | || nfound == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
495 | break; never executed: break; | 0 |
496 | | - |
497 | if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
498 | != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
499 | error("C_GetAttributeValue failed: %lu", rv); | - |
500 | continue; never executed: continue; | 0 |
501 | } | - |
502 | | - |
503 | | - |
504 | | - |
505 | | - |
506 | | - |
507 | if (attribs[1].ulValueLen == 0 ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
508 | attribs[2].ulValueLen == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
509 | continue; never executed: continue; | 0 |
510 | } | - |
511 | | - |
512 | for (i = 0; i < 3; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
513 | if (attribs[i].ulValueLen > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
514 | attribs[i].pValue = xmalloc( | - |
515 | attribs[i].ulValueLen); | - |
516 | } never executed: end of block | 0 |
517 | } never executed: end of block | 0 |
518 | | - |
519 | | - |
520 | | - |
521 | | - |
522 | | - |
523 | rsa = NULL; | - |
524 | if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
525 | != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
526 | error("C_GetAttributeValue failed: %lu", rv); | - |
527 | } else if (attribs[1].type == CKA_MODULUS ) { never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
528 | if ((rsa = RSA_new()) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
529 | error("RSA_new failed"); | - |
530 | } else { never executed: end of block | 0 |
531 | BIGNUM *rsa_n, *rsa_e; | - |
532 | | - |
533 | rsa_n = BN_bin2bn(attribs[1].pValue, | - |
534 | attribs[1].ulValueLen, NULL); | - |
535 | rsa_e = BN_bin2bn(attribs[2].pValue, | - |
536 | attribs[2].ulValueLen, NULL); | - |
537 | if (rsa_n != NULL && rsa_e != NULL) {TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
538 | if (!RSA_set0_key(rsa,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
539 | rsa_n, rsa_e, NULL))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
540 | fatal("%s: set key", __func__); never executed: fatal("%s: set key", __func__); | 0 |
541 | rsa_n = rsa_e = NULL; | - |
542 | } never executed: end of block | 0 |
543 | BN_free(rsa_n); | - |
544 | BN_free(rsa_e); | - |
545 | } never executed: end of block | 0 |
546 | } else { | - |
547 | cp = attribs[2].pValue; | - |
548 | if ((x509 = X509_new()) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
549 | error("X509_new failed"); | - |
550 | } else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen) never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
551 | == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
552 | error("d2i_X509 failed"); | - |
553 | } else if ((evp = X509_get_pubkey(x509)) == NULL || never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
554 | EVP_PKEY_base_id(evp) != EVP_PKEY_RSA ||TRUE | never evaluated | FALSE | never evaluated |
| 0 |
555 | EVP_PKEY_get0_RSA(evp) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
556 | debug("X509_get_pubkey failed or no rsa"); | - |
557 | } else if ((rsa = RSAPublicKey_dup( never executed: end of block TRUE | never evaluated | FALSE | never evaluated |
| 0 |
558 | EVP_PKEY_get0_RSA(evp))) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
559 | error("RSAPublicKey_dup"); | - |
560 | } never executed: end of block | 0 |
561 | X509_free(x509); | - |
562 | } never executed: end of block | 0 |
563 | if (rsa && have_rsa_key(rsa) &&TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
564 | pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
565 | if ((key = sshkey_new(KEY_UNSPEC)) == NULL)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
566 | fatal("sshkey_new failed"); never executed: fatal("sshkey_new failed"); | 0 |
567 | key->rsa = rsa; | - |
568 | key->type = KEY_RSA; | - |
569 | key->flags |= SSHKEY_FLAG_EXT; | - |
570 | if (pkcs11_key_included(keysp, nkeys, key)) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
571 | sshkey_free(key); | - |
572 | } else { never executed: end of block | 0 |
573 | | - |
574 | *keysp = xrecallocarray(*keysp, *nkeys, | - |
575 | *nkeys + 1, sizeof(struct sshkey *)); | - |
576 | (*keysp)[*nkeys] = key; | - |
577 | *nkeys = *nkeys + 1; | - |
578 | debug("have %d keys", *nkeys); | - |
579 | } never executed: end of block | 0 |
580 | } else if (rsa) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
581 | RSA_free(rsa); | - |
582 | } never executed: end of block | 0 |
583 | for (i = 0; i < 3; i++)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
584 | free(attribs[i].pValue); never executed: free(attribs[i].pValue); | 0 |
585 | } never executed: end of block | 0 |
586 | if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
587 | error("C_FindObjectsFinal failed: %lu", rv); never executed: error("C_FindObjectsFinal failed: %lu", rv); | 0 |
588 | return (0); never executed: return (0); | 0 |
589 | } | - |
590 | | - |
591 | | - |
592 | int | - |
593 | pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) | - |
594 | { | - |
595 | int nkeys, need_finalize = 0; | - |
596 | struct pkcs11_provider *p = NULL; | - |
597 | void *handle = NULL; | - |
598 | CK_RV (*getfunctionlist)(CK_FUNCTION_LIST **); | - |
599 | CK_RV rv; | - |
600 | CK_FUNCTION_LIST *f = NULL; | - |
601 | CK_TOKEN_INFO *token; | - |
602 | CK_ULONG i; | - |
603 | | - |
604 | *keyp = NULL; | - |
605 | if (pkcs11_provider_lookup(provider_id) != NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
606 | debug("%s: provider already registered: %s", | - |
607 | __func__, provider_id); | - |
608 | goto fail; never executed: goto fail; | 0 |
609 | } | - |
610 | | - |
611 | if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
612 | error("dlopen %s failed: %s", provider_id, dlerror()); | - |
613 | goto fail; never executed: goto fail; | 0 |
614 | } | - |
615 | if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
616 | error("dlsym(C_GetFunctionList) failed: %s", dlerror()); | - |
617 | goto fail; never executed: goto fail; | 0 |
618 | } | - |
619 | p = xcalloc(1, sizeof(*p)); | - |
620 | p->name = xstrdup(provider_id); | - |
621 | p->handle = handle; | - |
622 | | - |
623 | if ((rv = (*getfunctionlist)(&f)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
624 | error("C_GetFunctionList for provider %s failed: %lu", | - |
625 | provider_id, rv); | - |
626 | goto fail; never executed: goto fail; | 0 |
627 | } | - |
628 | p->function_list = f; | - |
629 | if ((rv = f->C_Initialize(NULL)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
630 | error("C_Initialize for provider %s failed: %lu", | - |
631 | provider_id, rv); | - |
632 | goto fail; never executed: goto fail; | 0 |
633 | } | - |
634 | need_finalize = 1; | - |
635 | if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
636 | error("C_GetInfo for provider %s failed: %lu", | - |
637 | provider_id, rv); | - |
638 | goto fail; never executed: goto fail; | 0 |
639 | } | - |
640 | rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); | - |
641 | rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); | - |
642 | debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" | - |
643 | " libraryDescription <%s> libraryVersion %d.%d", | - |
644 | provider_id, | - |
645 | p->info.manufacturerID, | - |
646 | p->info.cryptokiVersion.major, | - |
647 | p->info.cryptokiVersion.minor, | - |
648 | p->info.libraryDescription, | - |
649 | p->info.libraryVersion.major, | - |
650 | p->info.libraryVersion.minor); | - |
651 | if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
652 | error("C_GetSlotList failed: %lu", rv); | - |
653 | goto fail; never executed: goto fail; | 0 |
654 | } | - |
655 | if (p->nslots == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
656 | debug("%s: provider %s returned no slots", __func__, | - |
657 | provider_id); | - |
658 | goto fail; never executed: goto fail; | 0 |
659 | } | - |
660 | p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID)); | - |
661 | if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
662 | != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
663 | error("C_GetSlotList for provider %s failed: %lu", | - |
664 | provider_id, rv); | - |
665 | goto fail; never executed: goto fail; | 0 |
666 | } | - |
667 | p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo)); | - |
668 | p->valid = 1; | - |
669 | nkeys = 0; | - |
670 | for (i = 0; i < p->nslots; i++) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
671 | token = &p->slotinfo[i].token; | - |
672 | if ((rv = f->C_GetTokenInfo(p->slotlist[i], token))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
673 | != CKR_OK) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
674 | error("C_GetTokenInfo for provider %s slot %lu " | - |
675 | "failed: %lu", provider_id, (unsigned long)i, rv); | - |
676 | continue; never executed: continue; | 0 |
677 | } | - |
678 | if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
679 | debug2("%s: ignoring uninitialised token in " | - |
680 | "provider %s slot %lu", __func__, | - |
681 | provider_id, (unsigned long)i); | - |
682 | continue; never executed: continue; | 0 |
683 | } | - |
684 | rmspace(token->label, sizeof(token->label)); | - |
685 | rmspace(token->manufacturerID, sizeof(token->manufacturerID)); | - |
686 | rmspace(token->model, sizeof(token->model)); | - |
687 | rmspace(token->serialNumber, sizeof(token->serialNumber)); | - |
688 | debug("provider %s slot %lu: label <%s> manufacturerID <%s> " | - |
689 | "model <%s> serial <%s> flags 0x%lx", | - |
690 | provider_id, (unsigned long)i, | - |
691 | token->label, token->manufacturerID, token->model, | - |
692 | token->serialNumber, token->flags); | - |
693 | | - |
694 | if (pkcs11_open_session(p, i, pin) == 0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
695 | pkcs11_fetch_keys(p, i, keyp, &nkeys); never executed: pkcs11_fetch_keys(p, i, keyp, &nkeys); | 0 |
696 | } never executed: end of block | 0 |
697 | if (nkeys > 0) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
698 | TAILQ_INSERT_TAIL(&pkcs11_providers, p, next); | - |
699 | p->refcount++; | - |
700 | return (nkeys); never executed: return (nkeys); | 0 |
701 | } | - |
702 | debug("%s: provider %s returned no keys", __func__, provider_id); | - |
703 | | - |
704 | fail: code before this statement never executed: fail: | 0 |
705 | if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
| 0 |
706 | error("C_Finalize for provider %s failed: %lu", never executed: error("C_Finalize for provider %s failed: %lu", provider_id, rv); | 0 |
707 | provider_id, rv); never executed: error("C_Finalize for provider %s failed: %lu", provider_id, rv); | 0 |
708 | if (p) {TRUE | never evaluated | FALSE | never evaluated |
| 0 |
709 | free(p->slotlist); | - |
710 | free(p->slotinfo); | - |
711 | free(p); | - |
712 | } never executed: end of block | 0 |
713 | if (handle)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
714 | dlclose(handle); never executed: dlclose(handle); | 0 |
715 | return (-1); never executed: return (-1); | 0 |
716 | } | - |
717 | | - |
718 | #else | - |
719 | | - |
720 | int | - |
721 | pkcs11_init(int interactive) | - |
722 | { | - |
723 | return (0); | - |
724 | } | - |
725 | | - |
726 | void | - |
727 | pkcs11_terminate(void) | - |
728 | { | - |
729 | return; | - |
730 | } | - |
731 | | - |
732 | #endif /* ENABLE_PKCS11 */ | - |
| | |