Line | Source | Count |
1 | | - |
2 | | - |
3 | | - |
4 | | - |
5 | | - |
6 | | - |
7 | | - |
8 | | - |
9 | | - |
10 | | - |
11 | | - |
12 | | - |
13 | | - |
14 | | - |
15 | | - |
16 | struct pkcs11_slotinfo { | - |
17 | CK_TOKEN_INFO token; | - |
18 | CK_SESSION_HANDLE session; | - |
19 | int logged_in; | - |
20 | }; | - |
21 | | - |
22 | struct pkcs11_provider { | - |
23 | char *name; | - |
24 | void *handle; | - |
25 | CK_FUNCTION_LIST *function_list; | - |
26 | CK_INFO info; | - |
27 | CK_ULONG nslots; | - |
28 | CK_SLOT_ID *slotlist; | - |
29 | struct pkcs11_slotinfo *slotinfo; | - |
30 | int valid; | - |
31 | int refcount; | - |
32 | struct { struct pkcs11_provider *tqe_next; struct pkcs11_provider **tqe_prev; } next; | - |
33 | }; | - |
34 | | - |
35 | struct { struct pkcs11_provider *tqh_first; struct pkcs11_provider **tqh_last; } pkcs11_providers; | - |
36 | | - |
37 | struct pkcs11_key { | - |
38 | struct pkcs11_provider *provider; | - |
39 | CK_ULONG slotidx; | - |
40 | int (*orig_finish)(RSA *rsa); | - |
41 | RSA_METHOD *rsa_method; | - |
42 | char *keyid; | - |
43 | int keyid_len; | - |
44 | }; | - |
45 | | - |
46 | int pkcs11_interactive = 0; | - |
47 | | - |
48 | int | - |
49 | pkcs11_init(int interactive) | - |
50 | { | - |
51 | pkcs11_interactive = interactive; | - |
52 | do { (&pkcs11_providers)->tqh_first = | - |
53 | ((void *)0) | - |
54 | ; (&pkcs11_providers)->tqh_last = &(&pkcs11_providers)->tqh_first; } while (0); | - |
55 | return never executed: return (0); (0);never executed: return (0); | 0 |
56 | } | - |
57 | | - |
58 | | - |
59 | | - |
60 | | - |
61 | | - |
62 | | - |
63 | | - |
64 | static void | - |
65 | pkcs11_provider_finalize(struct pkcs11_provider *p) | - |
66 | { | - |
67 | CK_RV rv; | - |
68 | CK_ULONG i; | - |
69 | | - |
70 | debug("pkcs11_provider_finalize: %p refcount %d valid %d", | - |
71 | p, p->refcount, p->valid); | - |
72 | if (!p->validTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
73 | return; never executed: return; | 0 |
74 | for (i = 0; i < p->nslotsTRUE | never evaluated | FALSE | never evaluated |
; i++) { | 0 |
75 | if (p->slotinfo[i].sessionTRUE | never evaluated | FALSE | never evaluated |
&& | 0 |
76 | (TRUE | never evaluated | FALSE | never evaluated |
rv = p->function_list->C_CloseSession(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
77 | p->slotinfo[i].session)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
78 | error("C_CloseSession failed: %lu", rv); never executed: error("C_CloseSession failed: %lu", rv); | 0 |
79 | } never executed: end of block | 0 |
80 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = p->function_list->C_Finalize(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
81 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
82 | )) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
83 | error("C_Finalize failed: %lu", rv); never executed: error("C_Finalize failed: %lu", rv); | 0 |
84 | p->valid = 0; | - |
85 | p->function_list = | - |
86 | ((void *)0) | - |
87 | ; | - |
88 | dlclose(p->handle); | - |
89 | } never executed: end of block | 0 |
90 | | - |
91 | | - |
92 | | - |
93 | | - |
94 | | - |
95 | static void | - |
96 | pkcs11_provider_unref(struct pkcs11_provider *p) | - |
97 | { | - |
98 | debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); | - |
99 | if (--TRUE | never evaluated | FALSE | never evaluated |
p->refcount <= 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
100 | if (p->validTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
101 | error("pkcs11_provider_unref: %p still valid", p); never executed: error("pkcs11_provider_unref: %p still valid", p); | 0 |
102 | free(p->slotlist); | - |
103 | free(p->slotinfo); | - |
104 | free(p); | - |
105 | } never executed: end of block | 0 |
106 | } never executed: end of block | 0 |
107 | | - |
108 | | - |
109 | void | - |
110 | pkcs11_terminate(void) | - |
111 | { | - |
112 | struct pkcs11_provider *p; | - |
113 | | - |
114 | while ((TRUE | never evaluated | FALSE | never evaluated |
p = ((&pkcs11_providers)->tqh_first)) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
115 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
116 | ) { | - |
117 | do { if (((TRUE | never evaluated | FALSE | never evaluated |
p)->next.tqe_next) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
118 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
119 | ) ( never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev;never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; else (never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; &pkcs11_providers)->tqh_last = (p)->next.tqe_prev;never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; *(p)->next.tqe_prev = (p)->next.tqe_next; ; ; } while (0); | 0 |
120 | pkcs11_provider_finalize(p); | - |
121 | pkcs11_provider_unref(p); | - |
122 | } never executed: end of block | 0 |
123 | } never executed: end of block | 0 |
124 | | - |
125 | | - |
126 | static struct pkcs11_provider * | - |
127 | pkcs11_provider_lookup(char *provider_id) | - |
128 | { | - |
129 | struct pkcs11_provider *p; | - |
130 | | - |
131 | for((p) = ((&pkcs11_providers)->tqh_first); (TRUE | never evaluated | FALSE | never evaluated |
p) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
132 | ((TRUE | never evaluated | FALSE | never evaluated |
TRUE | never evaluated | FALSE | never evaluated |
void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
133 | ; (p) = ((p)->next.tqe_next)) { | - |
134 | debug("check %p %s", p, p->name); | - |
135 | if (!TRUE | never evaluated | FALSE | never evaluated |
| 0 |
136 | __extension__ ({ size_t __s1_len, __s2_len; (__builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
137 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
138 | ) && __builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
139 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
140 | ) && (__s1_len = __builtin_strlen (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
141 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
142 | ), __s2_len = __builtin_strlen (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
143 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
144 | ), (!((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
145 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
146 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
147 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
148 | ) == 1) || __s1_len >= 4) && (!((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
149 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
150 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
151 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
152 | ) == 1) || __s2_len >= 4)) ? __builtin_strcmp (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
153 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
154 | , TRUE | never evaluated | FALSE | never evaluated |
| 0 |
155 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
156 | ) : (__builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
157 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
158 | ) && ((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
159 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
160 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
161 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
162 | ) == 1) && (__s1_len = __builtin_strlen (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
163 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
164 | ), __s1_len < 4) ? (__builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
165 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
166 | ) && ((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
167 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
168 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
169 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
170 | ) == 1) ? __builtin_strcmp (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
171 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
172 | , TRUE | never evaluated | FALSE | never evaluated |
| 0 |
173 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
174 | ) : (__extension__ ({ const unsigned char *__s2 = (const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
175 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
176 | ); int __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
177 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
178 | ))[0] - __s2[0]); if (__s1_len > 0TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) { __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
179 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
180 | ))[1] - __s2[1]); if (__s1_len > 1TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) { __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
181 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
182 | ))[2] - __s2[2]); if (__s1_len > 2TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) __result = (((const unsigned char *) (const char *) (never executed: __result = (((const unsigned char *) (const char *) ( provider_id ))[3] - __s2[3]); | 0 |
183 | provider_idTRUE | never evaluated | FALSE | never evaluated |
never executed: __result = (((const unsigned char *) (const char *) ( provider_id ))[3] - __s2[3]); | 0 |
184 | ))[3] - __s2[3]); } } __result; }))) : (__builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
185 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
186 | ) && ((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
187 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
188 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
189 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
190 | ) == 1) && (__s2_len = __builtin_strlen (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
191 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
192 | ), __s2_len < 4) ? (__builtin_constant_p (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
193 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
194 | ) && ((size_t)(const void *)((TRUE | never evaluated | FALSE | never evaluated |
| 0 |
195 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
196 | ) + 1) - (size_t)(const void *)(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
197 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
198 | ) == 1) ? __builtin_strcmp (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
199 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
200 | , TRUE | never evaluated | FALSE | never evaluated |
| 0 |
201 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
202 | ) : -(__extension__ ({ const unsigned char *__s2 = (const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
203 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
204 | ); int __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
205 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
206 | ))[0] - __s2[0]); if (__s2_len > 0TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) { __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
207 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
208 | ))[1] - __s2[1]); if (__s2_len > 1TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) { __result = (((const unsigned char *) (const char *) (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
209 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
210 | ))[2] - __s2[2]); if (__s2_len > 2TRUE | never evaluated | FALSE | never evaluated |
&& __result == 0TRUE | never evaluated | FALSE | never evaluated |
) __result = (((const unsigned char *) (const char *) (never executed: __result = (((const unsigned char *) (const char *) ( p->name ))[3] - __s2[3]); | 0 |
211 | p->nameTRUE | never evaluated | FALSE | never evaluated |
never executed: __result = (((const unsigned char *) (const char *) ( p->name ))[3] - __s2[3]); | 0 |
212 | ))[3] - __s2[3]); } } __result; }))) : __builtin_strcmp (TRUE | never evaluated | FALSE | never evaluated |
| 0 |
213 | provider_idTRUE | never evaluated | FALSE | never evaluated |
| 0 |
214 | , TRUE | never evaluated | FALSE | never evaluated |
| 0 |
215 | p->nameTRUE | never evaluated | FALSE | never evaluated |
| 0 |
216 | )))); })TRUE | never evaluated | FALSE | never evaluated |
| 0 |
217 | ) | - |
218 | return never executed: return (p); (p);never executed: return (p); | 0 |
219 | } never executed: end of block | 0 |
220 | return never executed: return ( ((void *)0) ); (never executed: return ( ((void *)0) ); | 0 |
221 | ((void *)0) never executed: return ( ((void *)0) ); | 0 |
222 | ); never executed: return ( ((void *)0) ); | 0 |
223 | } | - |
224 | | - |
225 | | - |
226 | int | - |
227 | pkcs11_del_provider(char *provider_id) | - |
228 | { | - |
229 | struct pkcs11_provider *p; | - |
230 | | - |
231 | if ((TRUE | never evaluated | FALSE | never evaluated |
p = pkcs11_provider_lookup(provider_id)) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
232 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
233 | ) { | - |
234 | do { if (((TRUE | never evaluated | FALSE | never evaluated |
p)->next.tqe_next) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
235 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
236 | ) ( never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev;never executed: (p)->next.tqe_next->next.tqe_prev = (p)->next.tqe_prev; else (never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; &pkcs11_providers)->tqh_last = (p)->next.tqe_prev;never executed: (&pkcs11_providers)->tqh_last = (p)->next.tqe_prev; *(p)->next.tqe_prev = (p)->next.tqe_next; ; ; } while (0); | 0 |
237 | pkcs11_provider_finalize(p); | - |
238 | pkcs11_provider_unref(p); | - |
239 | return never executed: return (0); (0);never executed: return (0); | 0 |
240 | } | - |
241 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
242 | } | - |
243 | | - |
244 | | - |
245 | static int | - |
246 | pkcs11_rsa_finish(RSA *rsa) | - |
247 | { | - |
248 | struct pkcs11_key *k11; | - |
249 | int rv = -1; | - |
250 | | - |
251 | if ((TRUE | never evaluated | FALSE | never evaluated |
k11 = TRUE | never evaluated | FALSE | never evaluated |
| 0 |
252 | RSA_get_ex_data(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
253 | rsaTRUE | never evaluated | FALSE | never evaluated |
| 0 |
254 | ,0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
255 | ) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
256 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
257 | ) { | - |
258 | if (k11->orig_finishTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
259 | rv = k11->orig_finish(rsa); never executed: rv = k11->orig_finish(rsa); | 0 |
260 | if (k11->providerTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
261 | pkcs11_provider_unref(k11->provider); never executed: pkcs11_provider_unref(k11->provider); | 0 |
262 | RSA_meth_free(k11->rsa_method); | - |
263 | free(k11->keyid); | - |
264 | free(k11); | - |
265 | } never executed: end of block | 0 |
266 | return never executed: return (rv); (rv);never executed: return (rv); | 0 |
267 | } | - |
268 | | - |
269 | | - |
270 | static int | - |
271 | pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr, | - |
272 | CK_ULONG nattr, CK_OBJECT_HANDLE *obj) | - |
273 | { | - |
274 | CK_FUNCTION_LIST *f; | - |
275 | CK_SESSION_HANDLE session; | - |
276 | CK_ULONG nfound = 0; | - |
277 | CK_RV rv; | - |
278 | int ret = -1; | - |
279 | | - |
280 | f = p->function_list; | - |
281 | session = p->slotinfo[slotidx].session; | - |
282 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjectsInit(session, attr, nattr)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
283 | error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv); | - |
284 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
285 | } | - |
286 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjects(session, obj, 1, &nfound)) != (0)TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
287 | nfound != 1TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
288 | debug("C_FindObjects failed (nfound %lu nattr %lu): %lu", | - |
289 | nfound, nattr, rv); | - |
290 | } never executed: end of block else | 0 |
291 | ret = 0; never executed: ret = 0; | 0 |
292 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjectsFinal(session)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
293 | error("C_FindObjectsFinal failed: %lu", rv); never executed: error("C_FindObjectsFinal failed: %lu", rv); | 0 |
294 | return never executed: return (ret); (ret);never executed: return (ret); | 0 |
295 | } | - |
296 | | - |
297 | | - |
298 | static int | - |
299 | pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | - |
300 | int padding) | - |
301 | { | - |
302 | struct pkcs11_key *k11; | - |
303 | struct pkcs11_slotinfo *si; | - |
304 | CK_FUNCTION_LIST *f; | - |
305 | CK_OBJECT_HANDLE obj; | - |
306 | CK_ULONG tlen = 0; | - |
307 | CK_RV rv; | - |
308 | CK_OBJECT_CLASS private_key_class = (3); | - |
309 | CK_BBOOL true_val = 1; | - |
310 | CK_MECHANISM mech = { | - |
311 | (1), | - |
312 | ((void *)0) | - |
313 | , 0 | - |
314 | }; | - |
315 | CK_ATTRIBUTE key_filter[] = { | - |
316 | {(0), | - |
317 | ((void *)0) | - |
318 | , sizeof(private_key_class) }, | - |
319 | {(0x102), | - |
320 | ((void *)0) | - |
321 | , 0}, | - |
322 | {(0x108), | - |
323 | ((void *)0) | - |
324 | , sizeof(true_val) } | - |
325 | }; | - |
326 | char *pin = | - |
327 | ((void *)0) | - |
328 | , prompt[1024]; | - |
329 | int rval = -1; | - |
330 | | - |
331 | key_filter[0].pValue = &private_key_class; | - |
332 | key_filter[2].pValue = &true_val; | - |
333 | | - |
334 | if ((TRUE | never evaluated | FALSE | never evaluated |
k11 = TRUE | never evaluated | FALSE | never evaluated |
| 0 |
335 | RSA_get_ex_data(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
336 | rsaTRUE | never evaluated | FALSE | never evaluated |
| 0 |
337 | ,0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
338 | ) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
339 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
340 | ) { | - |
341 | error("RSA_get_app_data failed for rsa %p", rsa); | - |
342 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
343 | } | - |
344 | if (!k11->providerTRUE | never evaluated | FALSE | never evaluated |
|| !k11->provider->validTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
345 | error("no pkcs11 (valid) provider for rsa %p", rsa); | - |
346 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
347 | } | - |
348 | f = k11->provider->function_list; | - |
349 | si = &k11->provider->slotinfo[k11->slotidx]; | - |
350 | if ((TRUE | never evaluated | FALSE | never evaluated |
si->token.flags & (1 << 2))TRUE | never evaluated | FALSE | never evaluated |
&& !si->logged_inTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
351 | if (!pkcs11_interactiveTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
352 | error("need pin entry%s", (si->token.flags & | - |
353 | (1 << 8)) ? | - |
354 | " on reader keypad" : ""); | - |
355 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
356 | } | - |
357 | if (si->token.flags & (1 << 8)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
358 | verbose("Deferring PIN entry to reader keypad."); never executed: verbose("Deferring PIN entry to reader keypad."); | 0 |
359 | else { | - |
360 | snprintf(prompt, sizeof(prompt), | - |
361 | "Enter PIN for '%s': ", si->token.label); | - |
362 | pin = read_passphrase(prompt, 0x0004); | - |
363 | if (pin == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
364 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
365 | ) | - |
366 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
367 | } never executed: end of block | 0 |
368 | rv = f->C_Login(si->session, (1), (u_char *)pin, | - |
369 | (pin != | - |
370 | ((void *)0) | - |
371 | ) ? strlen(pin) : 0); | - |
372 | if (pin != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
373 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
374 | ) { | - |
375 | explicit_bzero(pin, strlen(pin)); | - |
376 | free(pin); | - |
377 | } never executed: end of block | 0 |
378 | if (rv != (0)TRUE | never evaluated | FALSE | never evaluated |
&& rv != (0x100)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
379 | error("C_Login failed: %lu", rv); | - |
380 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
381 | } | - |
382 | si->logged_in = 1; | - |
383 | } never executed: end of block | 0 |
384 | key_filter[1].pValue = k11->keyid; | - |
385 | key_filter[1].ulValueLen = k11->keyid_len; | - |
386 | | - |
387 | if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0TRUE | never evaluated | FALSE | never evaluated |
&& | 0 |
388 | pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
389 | error("cannot find private key"); | - |
390 | } never executed: end of block else if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_SignInit(si->session, &mech, obj)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
391 | error("C_SignInit failed: %lu", rv); | - |
392 | } never executed: end of block else { | 0 |
393 | | - |
394 | tlen = RSA_size(rsa); | - |
395 | rv = f->C_Sign(si->session, (CK_BYTE *)from, flen, to, &tlen); | - |
396 | if (rv == (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
397 | rval = tlen; never executed: rval = tlen; | 0 |
398 | else | - |
399 | error("C_Sign failed: %lu", rv); never executed: error("C_Sign failed: %lu", rv); | 0 |
400 | } | - |
401 | return never executed: return (rval); (rval);never executed: return (rval); | 0 |
402 | } | - |
403 | | - |
404 | static int | - |
405 | pkcs11_rsa_private_decrypt(int flen, const u_char *from, u_char *to, RSA *rsa, | - |
406 | int padding) | - |
407 | { | - |
408 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
409 | } | - |
410 | | - |
411 | | - |
412 | static int | - |
413 | pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, | - |
414 | CK_ATTRIBUTE *keyid_attrib, RSA *rsa) | - |
415 | { | - |
416 | struct pkcs11_key *k11; | - |
417 | const RSA_METHOD *def = RSA_get_default_method(); | - |
418 | | - |
419 | k11 = xcalloc(1, sizeof(*k11)); | - |
420 | k11->provider = provider; | - |
421 | provider->refcount++; | - |
422 | k11->slotidx = slotidx; | - |
423 | | - |
424 | k11->keyid_len = keyid_attrib->ulValueLen; | - |
425 | if (k11->keyid_len > 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
426 | k11->keyid = xmalloc(k11->keyid_len); | - |
427 | memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); | - |
428 | } never executed: end of block | 0 |
429 | k11->rsa_method = RSA_meth_dup(def); | - |
430 | if (k11->rsa_method == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
431 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
432 | ) | - |
433 | fatal("%s: RSA_meth_dup failed", __func__); never executed: fatal("%s: RSA_meth_dup failed", __func__); | 0 |
434 | k11->orig_finish = RSA_meth_get_finish(def); | - |
435 | if (!RSA_meth_set1_name(k11->rsa_method, "pkcs11")TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
436 | !RSA_meth_set_priv_enc(k11->rsa_method,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
437 | pkcs11_rsa_private_encrypt)TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
438 | !RSA_meth_set_priv_dec(k11->rsa_method,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
439 | pkcs11_rsa_private_decrypt)TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
440 | !RSA_meth_set_finish(k11->rsa_method, pkcs11_rsa_finish)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
441 | fatal("%s: setup pkcs11 method failed", __func__); never executed: fatal("%s: setup pkcs11 method failed", __func__); | 0 |
442 | RSA_set_method(rsa, k11->rsa_method); | - |
443 | | - |
444 | RSA_set_ex_data( | - |
445 | rsa | - |
446 | ,0, | - |
447 | k11 | - |
448 | ) | - |
449 | ; | - |
450 | return never executed: return (0); (0);never executed: return (0); | 0 |
451 | } | - |
452 | | - |
453 | | - |
454 | static void | - |
455 | rmspace(u_char *buf, size_t len) | - |
456 | { | - |
457 | size_t i; | - |
458 | | - |
459 | if (!lenTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
460 | return; never executed: return; | 0 |
461 | for (i = len - 1; i > 0TRUE | never evaluated | FALSE | never evaluated |
; i--) | 0 |
462 | if (i == len - 1TRUE | never evaluated | FALSE | never evaluated |
|| buf[i] == ' 'TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
463 | buf[i] = '\0'; never executed: buf[i] = '\0'; | 0 |
464 | else | - |
465 | break; never executed: break; | 0 |
466 | } never executed: end of block | 0 |
467 | | - |
468 | | - |
469 | | - |
470 | | - |
471 | | - |
472 | static int | - |
473 | pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) | - |
474 | { | - |
475 | CK_RV rv; | - |
476 | CK_FUNCTION_LIST *f; | - |
477 | CK_SESSION_HANDLE session; | - |
478 | int login_required; | - |
479 | | - |
480 | f = p->function_list; | - |
481 | login_required = p->slotinfo[slotidx].token.flags & (1 << 2); | - |
482 | if (pinTRUE | never evaluated | FALSE | never evaluated |
&& login_requiredTRUE | never evaluated | FALSE | never evaluated |
&& !strlen(pin)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
483 | error("pin required"); | - |
484 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
485 | } | - |
486 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_OpenSession(p->slotlist[slotidx], (1 << 1)|TRUE | never evaluated | FALSE | never evaluated |
| 0 |
487 | (1 << 2), TRUE | never evaluated | FALSE | never evaluated |
| 0 |
488 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
489 | , TRUE | never evaluated | FALSE | never evaluated |
| 0 |
490 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
491 | , &session))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
492 | != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
493 | error("C_OpenSession failed: %lu", rv); | - |
494 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
495 | } | - |
496 | if (login_requiredTRUE | never evaluated | FALSE | never evaluated |
&& pinTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
497 | rv = f->C_Login(session, (1), | - |
498 | (u_char *)pin, strlen(pin)); | - |
499 | if (rv != (0)TRUE | never evaluated | FALSE | never evaluated |
&& rv != (0x100)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
500 | error("C_Login failed: %lu", rv); | - |
501 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_CloseSession(session)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
502 | error("C_CloseSession failed: %lu", rv); never executed: error("C_CloseSession failed: %lu", rv); | 0 |
503 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
504 | } | - |
505 | p->slotinfo[slotidx].logged_in = 1; | - |
506 | } never executed: end of block | 0 |
507 | p->slotinfo[slotidx].session = session; | - |
508 | return never executed: return (0); (0);never executed: return (0); | 0 |
509 | } | - |
510 | | - |
511 | | - |
512 | | - |
513 | | - |
514 | | - |
515 | | - |
516 | static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG, | - |
517 | CK_ATTRIBUTE [], CK_ATTRIBUTE [3], struct sshkey ***, int *) | - |
518 | __attribute__(()); | - |
519 | | - |
520 | static int | - |
521 | pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, | - |
522 | struct sshkey ***keysp, int *nkeys) | - |
523 | { | - |
524 | CK_OBJECT_CLASS pubkey_class = (2); | - |
525 | CK_OBJECT_CLASS cert_class = (1); | - |
526 | CK_ATTRIBUTE pubkey_filter[] = { | - |
527 | { (0), | - |
528 | ((void *)0) | - |
529 | , sizeof(pubkey_class) } | - |
530 | }; | - |
531 | CK_ATTRIBUTE cert_filter[] = { | - |
532 | { (0), | - |
533 | ((void *)0) | - |
534 | , sizeof(cert_class) } | - |
535 | }; | - |
536 | CK_ATTRIBUTE pubkey_attribs[] = { | - |
537 | { (0x102), | - |
538 | ((void *)0) | - |
539 | , 0 }, | - |
540 | { (0x120), | - |
541 | ((void *)0) | - |
542 | , 0 }, | - |
543 | { (0x122), | - |
544 | ((void *)0) | - |
545 | , 0 } | - |
546 | }; | - |
547 | CK_ATTRIBUTE cert_attribs[] = { | - |
548 | { (0x102), | - |
549 | ((void *)0) | - |
550 | , 0 }, | - |
551 | { (0x101), | - |
552 | ((void *)0) | - |
553 | , 0 }, | - |
554 | { (0x11), | - |
555 | ((void *)0) | - |
556 | , 0 } | - |
557 | }; | - |
558 | pubkey_filter[0].pValue = &pubkey_class; | - |
559 | cert_filter[0].pValue = &cert_class; | - |
560 | | - |
561 | if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, pubkey_attribs,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
562 | keysp, nkeys) < 0TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
563 | pkcs11_fetch_keys_filter(p, slotidx, cert_filter, cert_attribs,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
564 | keysp, nkeys) < 0TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
565 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
566 | return never executed: return (0); (0);never executed: return (0); | 0 |
567 | } | - |
568 | | - |
569 | static int | - |
570 | pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) | - |
571 | { | - |
572 | int i; | - |
573 | | - |
574 | for (i = 0; i < *nkeysTRUE | never evaluated | FALSE | never evaluated |
; i++) | 0 |
575 | if (sshkey_equal(key, (*keysp)[i])TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
576 | return never executed: return (1); (1);never executed: return (1); | 0 |
577 | return never executed: return (0); (0);never executed: return (0); | 0 |
578 | } | - |
579 | | - |
580 | static int | - |
581 | have_rsa_key(const RSA *rsa) | - |
582 | { | - |
583 | const BIGNUM *rsa_n, *rsa_e; | - |
584 | | - |
585 | RSA_get0_key(rsa, &rsa_n, &rsa_e, | - |
586 | ((void *)0) | - |
587 | ); | - |
588 | return never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; rsa_n != TRUE | never evaluated | FALSE | never evaluated |
never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; | 0 |
589 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; | 0 |
590 | && rsa_e != TRUE | never evaluated | FALSE | never evaluated |
never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; | 0 |
591 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; | 0 |
592 | ; never executed: return rsa_n != ((void *)0) && rsa_e != ((void *)0) ; | 0 |
593 | } | - |
594 | | - |
595 | static int | - |
596 | pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx, | - |
597 | CK_ATTRIBUTE filter[], CK_ATTRIBUTE attribs[3], | - |
598 | struct sshkey ***keysp, int *nkeys) | - |
599 | { | - |
600 | struct sshkey *key; | - |
601 | RSA *rsa; | - |
602 | X509 *x509; | - |
603 | EVP_PKEY *evp; | - |
604 | int i; | - |
605 | const u_char *cp; | - |
606 | CK_RV rv; | - |
607 | CK_OBJECT_HANDLE obj; | - |
608 | CK_ULONG nfound; | - |
609 | CK_SESSION_HANDLE session; | - |
610 | CK_FUNCTION_LIST *f; | - |
611 | | - |
612 | f = p->function_list; | - |
613 | session = p->slotinfo[slotidx].session; | - |
614 | | - |
615 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjectsInit(session, filter, 1)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
616 | error("C_FindObjectsInit failed: %lu", rv); | - |
617 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
618 | } | - |
619 | while (1) { | - |
620 | | - |
621 | for (i = 0; i < 3TRUE | never evaluated | FALSE | never evaluated |
; i++) { | 0 |
622 | attribs[i].pValue = | - |
623 | ((void *)0) | - |
624 | ; | - |
625 | attribs[i].ulValueLen = 0; | - |
626 | } never executed: end of block | 0 |
627 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjects(session, &obj, 1, &nfound)) != (0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
628 | || nfound == 0TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
629 | break; never executed: break; | 0 |
630 | | - |
631 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetAttributeValue(session, obj, attribs, 3))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
632 | != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
633 | error("C_GetAttributeValue failed: %lu", rv); | - |
634 | continue; never executed: continue; | 0 |
635 | } | - |
636 | | - |
637 | | - |
638 | | - |
639 | | - |
640 | | - |
641 | if (attribs[1].ulValueLen == 0TRUE | never evaluated | FALSE | never evaluated |
|| | 0 |
642 | attribs[2].ulValueLen == 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
643 | continue; never executed: continue; | 0 |
644 | } | - |
645 | | - |
646 | for (i = 0; i < 3TRUE | never evaluated | FALSE | never evaluated |
; i++) { | 0 |
647 | if (attribs[i].ulValueLen > 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
648 | attribs[i].pValue = xmalloc( | - |
649 | attribs[i].ulValueLen); | - |
650 | } never executed: end of block | 0 |
651 | } never executed: end of block | 0 |
652 | | - |
653 | | - |
654 | | - |
655 | | - |
656 | | - |
657 | rsa = | - |
658 | ((void *)0) | - |
659 | ; | - |
660 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetAttributeValue(session, obj, attribs, 3))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
661 | != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
662 | error("C_GetAttributeValue failed: %lu", rv); | - |
663 | } never executed: end of block else if (attribs[1].type == (0x120)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
664 | if ((TRUE | never evaluated | FALSE | never evaluated |
rsa = RSA_new()) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
665 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
666 | ) { | - |
667 | error("RSA_new failed"); | - |
668 | } never executed: end of block else { | 0 |
669 | BIGNUM *rsa_n, *rsa_e; | - |
670 | | - |
671 | rsa_n = BN_bin2bn(attribs[1].pValue, | - |
672 | attribs[1].ulValueLen, | - |
673 | ((void *)0) | - |
674 | ); | - |
675 | rsa_e = BN_bin2bn(attribs[2].pValue, | - |
676 | attribs[2].ulValueLen, | - |
677 | ((void *)0) | - |
678 | ); | - |
679 | if (rsa_n != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
680 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
681 | && rsa_e != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
682 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
683 | ) { | - |
684 | if (!RSA_set0_key(rsa,TRUE | never evaluated | FALSE | never evaluated |
| 0 |
685 | rsa_n, rsa_e, TRUE | never evaluated | FALSE | never evaluated |
| 0 |
686 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
687 | )TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
688 | fatal("%s: set key", __func__); never executed: fatal("%s: set key", __func__); | 0 |
689 | rsa_n = rsa_e = | - |
690 | ((void *)0) | - |
691 | ; | - |
692 | } never executed: end of block | 0 |
693 | BN_free(rsa_n); | - |
694 | BN_free(rsa_e); | - |
695 | } never executed: end of block | 0 |
696 | } else { | - |
697 | cp = attribs[2].pValue; | - |
698 | if ((TRUE | never evaluated | FALSE | never evaluated |
x509 = X509_new()) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
699 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
700 | ) { | - |
701 | error("X509_new failed"); | - |
702 | } never executed: end of block else if (d2i_X509(&x509, &cp, attribs[2].ulValueLen)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
703 | == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
704 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
705 | ) { | - |
706 | error("d2i_X509 failed"); | - |
707 | } never executed: end of block else if ((TRUE | never evaluated | FALSE | never evaluated |
evp = X509_get_pubkey(x509)) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
708 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
709 | || | - |
710 | EVP_PKEY_base_id(evp) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
711 | 6TRUE | never evaluated | FALSE | never evaluated |
| 0 |
712 | || | - |
713 | EVP_PKEY_get0_RSA(evp) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
714 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
715 | ) { | - |
716 | debug("X509_get_pubkey failed or no rsa"); | - |
717 | } never executed: end of block else if ((TRUE | never evaluated | FALSE | never evaluated |
rsa = RSAPublicKey_dup(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
718 | EVP_PKEY_get0_RSA(evp))) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
719 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
720 | ) { | - |
721 | error("RSAPublicKey_dup"); | - |
722 | } never executed: end of block | 0 |
723 | X509_free(x509); | - |
724 | } never executed: end of block | 0 |
725 | if (rsaTRUE | never evaluated | FALSE | never evaluated |
&& have_rsa_key(rsa)TRUE | never evaluated | FALSE | never evaluated |
&& | 0 |
726 | pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
727 | if ((TRUE | never evaluated | FALSE | never evaluated |
key = sshkey_new(KEY_UNSPEC)) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
728 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
729 | ) | - |
730 | fatal("sshkey_new failed"); never executed: fatal("sshkey_new failed"); | 0 |
731 | key->rsa = rsa; | - |
732 | key->type = KEY_RSA; | - |
733 | key->flags |= 0x0001; | - |
734 | if (pkcs11_key_included(keysp, nkeys, key)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
735 | sshkey_free(key); | - |
736 | } never executed: end of block else { | 0 |
737 | | - |
738 | *keysp = xrecallocarray(*keysp, *nkeys, | - |
739 | *nkeys + 1, sizeof(struct sshkey *)); | - |
740 | (*keysp)[*nkeys] = key; | - |
741 | *nkeys = *nkeys + 1; | - |
742 | debug("have %d keys", *nkeys); | - |
743 | } never executed: end of block | 0 |
744 | } else if (rsaTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
745 | RSA_free(rsa); | - |
746 | } never executed: end of block | 0 |
747 | for (i = 0; i < 3TRUE | never evaluated | FALSE | never evaluated |
; i++) | 0 |
748 | free(attribs[i].pValue); never executed: free(attribs[i].pValue); | 0 |
749 | } never executed: end of block | 0 |
750 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_FindObjectsFinal(session)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
751 | error("C_FindObjectsFinal failed: %lu", rv); never executed: error("C_FindObjectsFinal failed: %lu", rv); | 0 |
752 | return never executed: return (0); (0);never executed: return (0); | 0 |
753 | } | - |
754 | | - |
755 | | - |
756 | int | - |
757 | pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp) | - |
758 | { | - |
759 | int nkeys, need_finalize = 0; | - |
760 | struct pkcs11_provider *p = | - |
761 | ((void *)0) | - |
762 | ; | - |
763 | void *handle = | - |
764 | ((void *)0) | - |
765 | ; | - |
766 | CK_RV (*getfunctionlist)(CK_FUNCTION_LIST **); | - |
767 | CK_RV rv; | - |
768 | CK_FUNCTION_LIST *f = | - |
769 | ((void *)0) | - |
770 | ; | - |
771 | CK_TOKEN_INFO *token; | - |
772 | CK_ULONG i; | - |
773 | | - |
774 | *keyp = | - |
775 | ((void *)0) | - |
776 | ; | - |
777 | if (pkcs11_provider_lookup(provider_id) != TRUE | never evaluated | FALSE | never evaluated |
| 0 |
778 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
779 | ) { | - |
780 | debug("%s: provider already registered: %s", | - |
781 | __func__, provider_id); | - |
782 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
783 | } | - |
784 | | - |
785 | if ((TRUE | never evaluated | FALSE | never evaluated |
handle = dlopen(provider_id, TRUE | never evaluated | FALSE | never evaluated |
| 0 |
786 | 0x00002TRUE | never evaluated | FALSE | never evaluated |
| 0 |
787 | )) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
788 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
789 | ) { | - |
790 | error("dlopen %s failed: %s", provider_id, dlerror()); | - |
791 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
792 | } | - |
793 | if ((TRUE | never evaluated | FALSE | never evaluated |
getfunctionlist = dlsym(handle, "C_GetFunctionList")) == TRUE | never evaluated | FALSE | never evaluated |
| 0 |
794 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
795 | ) { | - |
796 | error("dlsym(C_GetFunctionList) failed: %s", dlerror()); | - |
797 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
798 | } | - |
799 | p = xcalloc(1, sizeof(*p)); | - |
800 | p->name = xstrdup(provider_id); | - |
801 | p->handle = handle; | - |
802 | | - |
803 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = (*getfunctionlist)(&f)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
804 | error("C_GetFunctionList for provider %s failed: %lu", | - |
805 | provider_id, rv); | - |
806 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
807 | } | - |
808 | p->function_list = f; | - |
809 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_Initialize(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
810 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
811 | )) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
812 | error("C_Initialize for provider %s failed: %lu", | - |
813 | provider_id, rv); | - |
814 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
815 | } | - |
816 | need_finalize = 1; | - |
817 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetInfo(&p->info)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
818 | error("C_GetInfo for provider %s failed: %lu", | - |
819 | provider_id, rv); | - |
820 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
821 | } | - |
822 | rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); | - |
823 | rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); | - |
824 | debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" | - |
825 | " libraryDescription <%s> libraryVersion %d.%d", | - |
826 | provider_id, | - |
827 | p->info.manufacturerID, | - |
828 | p->info.cryptokiVersion.major, | - |
829 | p->info.cryptokiVersion.minor, | - |
830 | p->info.libraryDescription, | - |
831 | p->info.libraryVersion.major, | - |
832 | p->info.libraryVersion.minor); | - |
833 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetSlotList(1, TRUE | never evaluated | FALSE | never evaluated |
| 0 |
834 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
835 | , &p->nslots)) != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
836 | error("C_GetSlotList failed: %lu", rv); | - |
837 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
838 | } | - |
839 | if (p->nslots == 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
840 | debug("%s: provider %s returned no slots", __func__, | - |
841 | provider_id); | - |
842 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
843 | } | - |
844 | p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID)); | - |
845 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetSlotList(1, p->slotlist, &p->nslots))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
846 | != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
847 | error("C_GetSlotList for provider %s failed: %lu", | - |
848 | provider_id, rv); | - |
849 | goto never executed: goto fail; fail;never executed: goto fail; | 0 |
850 | } | - |
851 | p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo)); | - |
852 | p->valid = 1; | - |
853 | nkeys = 0; | - |
854 | for (i = 0; i < p->nslotsTRUE | never evaluated | FALSE | never evaluated |
; i++) { | 0 |
855 | token = &p->slotinfo[i].token; | - |
856 | if ((TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_GetTokenInfo(p->slotlist[i], token))TRUE | never evaluated | FALSE | never evaluated |
| 0 |
857 | != (0)TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
858 | error("C_GetTokenInfo for provider %s slot %lu " | - |
859 | "failed: %lu", provider_id, (unsigned long)i, rv); | - |
860 | continue; never executed: continue; | 0 |
861 | } | - |
862 | if ((TRUE | never evaluated | FALSE | never evaluated |
token->flags & (1 << 10)) == 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
863 | debug2("%s: ignoring uninitialised token in " | - |
864 | "provider %s slot %lu", __func__, | - |
865 | provider_id, (unsigned long)i); | - |
866 | continue; never executed: continue; | 0 |
867 | } | - |
868 | rmspace(token->label, sizeof(token->label)); | - |
869 | rmspace(token->manufacturerID, sizeof(token->manufacturerID)); | - |
870 | rmspace(token->model, sizeof(token->model)); | - |
871 | rmspace(token->serialNumber, sizeof(token->serialNumber)); | - |
872 | debug("provider %s slot %lu: label <%s> manufacturerID <%s> " | - |
873 | "model <%s> serial <%s> flags 0x%lx", | - |
874 | provider_id, (unsigned long)i, | - |
875 | token->label, token->manufacturerID, token->model, | - |
876 | token->serialNumber, token->flags); | - |
877 | | - |
878 | if (pkcs11_open_session(p, i, pin) == 0TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
879 | pkcs11_fetch_keys(p, i, keyp, &nkeys); never executed: pkcs11_fetch_keys(p, i, keyp, &nkeys); | 0 |
880 | } never executed: end of block | 0 |
881 | if (nkeys > 0TRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
882 | do { (p)->next.tqe_next = | - |
883 | ((void *)0) | - |
884 | ; (p)->next.tqe_prev = (&pkcs11_providers)->tqh_last; *(&pkcs11_providers)->tqh_last = (p); (&pkcs11_providers)->tqh_last = &(p)->next.tqe_next; } while (0); | - |
885 | p->refcount++; | - |
886 | return never executed: return (nkeys); (nkeys);never executed: return (nkeys); | 0 |
887 | } | - |
888 | debug("%s: provider %s returned no keys", __func__, provider_id); | - |
889 | | - |
890 | fail: code before this statement never executed: fail: | 0 |
891 | if (need_finalizeTRUE | never evaluated | FALSE | never evaluated |
&& (TRUE | never evaluated | FALSE | never evaluated |
rv = f->C_Finalize(TRUE | never evaluated | FALSE | never evaluated |
| 0 |
892 | ((void *)0)TRUE | never evaluated | FALSE | never evaluated |
| 0 |
893 | )) != (0)TRUE | never evaluated | FALSE | never evaluated |
) | 0 |
894 | error("C_Finalize for provider %s failed: %lu", never executed: error("C_Finalize for provider %s failed: %lu", provider_id, rv); | 0 |
895 | provider_id, rv); never executed: error("C_Finalize for provider %s failed: %lu", provider_id, rv); | 0 |
896 | if (pTRUE | never evaluated | FALSE | never evaluated |
) { | 0 |
897 | free(p->slotlist); | - |
898 | free(p->slotinfo); | - |
899 | free(p); | - |
900 | } never executed: end of block | 0 |
901 | if (handleTRUE | never evaluated | FALSE | never evaluated |
) | 0 |
902 | dlclose(handle); never executed: dlclose(handle); | 0 |
903 | return never executed: return (-1); (-1);never executed: return (-1); | 0 |
904 | } | - |
| | |