Logo Search packages:      
Sourcecode: strongswan version File versions  Download package

smartcard.c

/* Support of smartcards and cryptotokens
 * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
 * Copyright (C) 2004 David Buechi, Michael Meier
 * Zuercher Hochschule Winterthur, Switzerland
 *
 * Copyright (C) 2005 Michael Joosten
 *
 * Copyright (C) 2005 Andreas Steffen
 * Hochschule für Technik Rapperswil, Switzerland
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * RCSID $Id: smartcard.c,v 1.41 2006/01/04 21:03:52 as Exp $
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <time.h>
#include <dlfcn.h>

#include <freeswan.h>
#include <freeswan/ipsec_policy.h>

#include "constants.h"

#ifdef SMARTCARD
#include "rsaref/unix.h"
#include "rsaref/pkcs11.h"
#endif

#include "defs.h"
#include "mp_defs.h"
#include "log.h"
#include "x509.h"
#include "ca.h"
#include "certs.h"
#include "keys.h"
#include "smartcard.h"
#include "whack.h"
#include "fetch.h"

#define DEFAULT_BASE    16

/* chained list of smartcard records */
static smartcard_t *smartcards   = NULL;

/* number of generated sc objects */
static int sc_number = 0;

const smartcard_t empty_sc = {
      NULL         , /* next */
            0            , /* last_load */
    { CERT_NONE, {NULL} }, /* last_cert */
            0            , /* count */
            0            , /* number */
       999999            , /* slot */
      NULL         , /* id */
      NULL         , /* label */
    { NULL, 0 }          , /* pin */
      FALSE        , /* pinpad */
      FALSE        , /* valid */
      FALSE        , /* session_opened */
      FALSE        , /* logged_in */
      TRUE         , /* any_slot */
          0L             , /* session */
};

#ifdef SMARTCARD  /* compile with smartcard support */

#define SCX_MAGIC 0xd00bed00

struct scx_pkcs11_module {
        u_int _magic;
        void *handle;
};

typedef struct scx_pkcs11_module scx_pkcs11_module_t;

/* PKCS #11 cryptoki context */
static bool scx_initialized = FALSE;
static scx_pkcs11_module_t *pkcs11_module = NULL_PTR;
static CK_FUNCTION_LIST_PTR pkcs11_functions = NULL_PTR;

/* crytoki v2.11 - return values of PKCS #11 functions*/

static const char *const pkcs11_return_name[] = {
      "CKR_OK",
      "CKR_CANCEL",
      "CKR_HOST_MEMORY",
      "CKR_SLOT_ID_INVALID",
      "CKR_FLAGS_INVALID",
      "CKR_GENERAL_ERROR",
      "CKR_FUNCTION_FAILED",
      "CKR_ARGUMENTS_BAD",
      "CKR_NO_EVENT",
      "CKR_NEED_TO_CREATE_THREADS",
      "CKR_CANT_LOCK"
    };

static const char *const pkcs11_return_name_10[] = {
      "CKR_ATTRIBUTE_READ_ONLY",
      "CKR_ATTRIBUTE_SENSITIVE",
      "CKR_ATTRIBUTE_TYPE_INVALID",
      "CKR_ATTRIBUTE_VALUE_INVALID"
    };

static const char *const pkcs11_return_name_20[] = {
      "CKR_DATA_INVALID", 
      "CKR_DATA_LEN_RANGE"
    };

static const char *const pkcs11_return_name_30[] = {
      "CKR_DEVICE_ERROR",
      "CKR_DEVICE_MEMORY",
      "CKR_DEVICE_REMOVED"
    };

static const char *const pkcs11_return_name_40[] = {
      "CKR_ENCRYPTED_DATA_INVALID",
      "CKR_ENCRYPTED_DATA_LEN_RANGE"
    };

static const char *const pkcs11_return_name_50[] = {
      "CKR_FUNCTION_CANCELED",
      "CKR_FUNCTION_NOT_PARALLEL",
      "CKR_0x52_UNDEFINED",
      "CKR_0x53_UNDEFINED",
      "CKR_FUNCTION_NOT_SUPPORTED"
    };

static const char *const pkcs11_return_name_60[] = {
      "CKR_KEY_HANDLE_INVALID",
      "CKR_KEY_SENSITIVE",
      "CKR_KEY_SIZE_RANGE",
      "CKR_KEY_TYPE_INCONSISTENT",
      "CKR_KEY_NOT_NEEDED",
      "CKR_KEY_CHANGED",
      "CKR_KEY_NEEDED",
      "CKR_KEY_INDIGESTIBLE",
      "CKR_KEY_FUNCTION_NOT_PERMITTED",
      "CKR_KEY_NOT_WRAPPABLE",
      "CKR_KEY_UNEXTRACTABLE"
     };

static const char *const pkcs11_return_name_70[] = {
      "CKR_MECHANISM_INVALID",
      "CKR_MECHANISM_PARAM_INVALID"
     };

static const char *const pkcs11_return_name_80[] = {
      "CKR_OBJECT_HANDLE_INVALID"
     };

static const char *const pkcs11_return_name_90[] = {
      "CKR_OPERATION_ACTIVE",
      "CKR_OPERATION_NOT_INITIALIZED"
     };

static const char *const pkcs11_return_name_A0[] = {
      "CKR_PIN_INCORRECT",
      "CKR_PIN_INVALID",
      "CKR_PIN_LEN_RANGE",
      "CKR_PIN_EXPIRED",
      "CKR_PIN_LOCKED"
     };

static const char *const pkcs11_return_name_B0[] = {
      "CKR_SESSION_CLOSED",
      "CKR_SESSION_COUNT",
      "CKR_0xB2_UNDEFINED",
      "CKR_SESSION_HANDLE_INVALID",
      "CKR_SESSION_PARALLEL_NOT_SUPPORTED",
      "CKR_SESSION_READ_ONLY",
      "CKR_SESSION_EXISTS",
      "CKR_SESSION_READ_ONLY_EXISTS",
      "CKR_SESSION_READ_WRITE_SO_EXISTS"
     };

static const char *const pkcs11_return_name_C0[] = {
      "CKR_SIGNATURE_INVALID",
      "CKR_SIGNATURE_LEN_RANGE"
     };

static const char *const pkcs11_return_name_D0[] = {
      "CKR_TEMPLATE_INCOMPLETE",
      "CKR_TEMPLATE_INCONSISTENT"
     };

static const char *const pkcs11_return_name_E0[] = {
      "CKR_TOKEN_NOT_PRESENT",
      "CKR_TOKEN_NOT_RECOGNIZED",
      "CKR_TOKEN_WRITE_PROTECTED"
     };

static const char *const pkcs11_return_name_F0[] = {
      "CKR_UNWRAPPING_KEY_HANDLE_INVALID",
      "CKR_UNWRAPPING_KEY_SIZE_RANGE",
      "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT"
     };

static const char *const pkcs11_return_name_100[] = {
      "CKR_USER_ALREADY_LOGGED_IN",
      "CKR_USER_NOT_LOGGED_IN",
      "CKR_USER_PIN_NOT_INITIALIZED",
      "CKR_USER_TYPE_INVALID",
      "CKR_USER_ANOTHER_ALREADY_LOGGED_IN",
      "CKR_USER_TOO_MANY_TYPES"
     };

static const char *const pkcs11_return_name_110[] = {
      "CKR_WRAPPED_KEY_INVALID",
      "CKR_0x111_UNDEFINED",
      "CKR_WRAPPED_KEY_LEN_RANGE",
      "CKR_WRAPPING_KEY_HANDLE_INVALID",
      "CKR_WRAPPING_KEY_SIZE_RANGE",
      "CKR_WRAPPING_KEY_TYPE_INCONSISTENT"
     };

static const char *const pkcs11_return_name_120[] = {
      "CKR_RANDOM_SEED_NOT_SUPPORTED",
      "CKR_RANDOM_NO_RNG"
     };

static const char *const pkcs11_return_name_130[] = {
      "CKR_DOMAIN_PARAMS_INVALID"
     };

static const char *const pkcs11_return_name_150[] = {
      "CKR_BUFFER_TOO_SMALL"
     };

static const char *const pkcs11_return_name_160[] = {
      "CKR_SAVED_STATE_INVALID"
     };

static const char *const pkcs11_return_name_170[] = {
      "CKR_INFORMATION_SENSITIVE"
     };

static const char *const pkcs11_return_name_180[] = {
      "CKR_STATE_UNSAVEABLE"
     };

static const char *const pkcs11_return_name_190[] = {
      "CKR_CRYPTOKI_NOT_INITIALIZED",
      "CKR_CRYPTOKI_ALREADY_INITIALIZED"
     };

static const char *const pkcs11_return_name_1A0[] = {
      "CKR_MUTEX_BAD",
      "CKR_MUTEX_NOT_LOCKED"
     };

static const char *const pkcs11_return_name_200[] = {
      "CKR_FUNCTION_REJECTED"
     };

static const char *const pkcs11_return_name_vendor[] = {
      "CKR_VENDOR_DEFINED"
     };

static enum_names pkcs11_return_names_vendor =
    { CKR_VENDOR_DEFINED, CKR_VENDOR_DEFINED
      , pkcs11_return_name_vendor, NULL };

static enum_names pkcs11_return_names_200 =
    { CKR_FUNCTION_REJECTED, CKR_FUNCTION_REJECTED
      , pkcs11_return_name_200, &pkcs11_return_names_vendor };

static enum_names pkcs11_return_names_1A0 =
    { CKR_MUTEX_BAD, CKR_MUTEX_NOT_LOCKED
      , pkcs11_return_name_1A0, &pkcs11_return_names_200 };

static enum_names pkcs11_return_names_190 =
    { CKR_CRYPTOKI_NOT_INITIALIZED, CKR_CRYPTOKI_ALREADY_INITIALIZED
      , pkcs11_return_name_190, &pkcs11_return_names_1A0 };

static enum_names pkcs11_return_names_180 =
    { CKR_STATE_UNSAVEABLE, CKR_STATE_UNSAVEABLE
      , pkcs11_return_name_180, &pkcs11_return_names_190 };

static enum_names pkcs11_return_names_170 =
    { CKR_INFORMATION_SENSITIVE, CKR_INFORMATION_SENSITIVE
      , pkcs11_return_name_170, &pkcs11_return_names_180 };

static enum_names pkcs11_return_names_160 =
    { CKR_SAVED_STATE_INVALID, CKR_SAVED_STATE_INVALID
      , pkcs11_return_name_160, &pkcs11_return_names_170 };

static enum_names pkcs11_return_names_150 =
    { CKR_BUFFER_TOO_SMALL, CKR_BUFFER_TOO_SMALL
      , pkcs11_return_name_150, &pkcs11_return_names_160 };

static enum_names pkcs11_return_names_130 =
    { CKR_DOMAIN_PARAMS_INVALID, CKR_DOMAIN_PARAMS_INVALID
      , pkcs11_return_name_130, &pkcs11_return_names_150 };

static enum_names pkcs11_return_names_120 =
    { CKR_RANDOM_SEED_NOT_SUPPORTED, CKR_RANDOM_NO_RNG
      , pkcs11_return_name_120, &pkcs11_return_names_130 };

static enum_names pkcs11_return_names_110 =
    { CKR_WRAPPED_KEY_INVALID, CKR_WRAPPING_KEY_TYPE_INCONSISTENT
      , pkcs11_return_name_110, &pkcs11_return_names_120 };

static enum_names pkcs11_return_names_100 =
    { CKR_USER_ALREADY_LOGGED_IN, CKR_USER_TOO_MANY_TYPES
      , pkcs11_return_name_100, &pkcs11_return_names_110 };

static enum_names pkcs11_return_names_F0 =
    { CKR_UNWRAPPING_KEY_HANDLE_INVALID, CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT
      , pkcs11_return_name_F0, &pkcs11_return_names_100 };

static enum_names pkcs11_return_names_E0 =
    { CKR_TOKEN_NOT_PRESENT, CKR_TOKEN_WRITE_PROTECTED
      , pkcs11_return_name_E0, &pkcs11_return_names_F0 };

static enum_names pkcs11_return_names_D0 =
    { CKR_TEMPLATE_INCOMPLETE, CKR_TEMPLATE_INCONSISTENT
      , pkcs11_return_name_D0,&pkcs11_return_names_E0 };

static enum_names pkcs11_return_names_C0 =
    { CKR_SIGNATURE_INVALID, CKR_SIGNATURE_LEN_RANGE
      , pkcs11_return_name_C0, &pkcs11_return_names_D0 };

static enum_names pkcs11_return_names_B0 =
    { CKR_SESSION_CLOSED, CKR_SESSION_READ_WRITE_SO_EXISTS
      , pkcs11_return_name_B0, &pkcs11_return_names_C0 };

static enum_names pkcs11_return_names_A0 =
    { CKR_PIN_INCORRECT, CKR_PIN_LOCKED
      , pkcs11_return_name_A0, &pkcs11_return_names_B0 };

static enum_names pkcs11_return_names_90 =
    { CKR_OPERATION_ACTIVE, CKR_OPERATION_NOT_INITIALIZED
      , pkcs11_return_name_90, &pkcs11_return_names_A0 };

static enum_names pkcs11_return_names_80 =
    { CKR_OBJECT_HANDLE_INVALID, CKR_OBJECT_HANDLE_INVALID
      , pkcs11_return_name_80, &pkcs11_return_names_90 };

static enum_names pkcs11_return_names_70 =
    { CKR_MECHANISM_INVALID, CKR_MECHANISM_PARAM_INVALID
      , pkcs11_return_name_70, &pkcs11_return_names_80 };

static enum_names pkcs11_return_names_60 =
    { CKR_KEY_HANDLE_INVALID, CKR_KEY_UNEXTRACTABLE
      , pkcs11_return_name_60, &pkcs11_return_names_70 };

static enum_names pkcs11_return_names_50 =
    { CKR_FUNCTION_CANCELED, CKR_FUNCTION_NOT_SUPPORTED
      , pkcs11_return_name_50, &pkcs11_return_names_60 };

static enum_names pkcs11_return_names_40 =
    { CKR_ENCRYPTED_DATA_INVALID, CKR_ENCRYPTED_DATA_LEN_RANGE
      , pkcs11_return_name_40, &pkcs11_return_names_50 };

static enum_names pkcs11_return_names_30 =
    { CKR_DEVICE_ERROR, CKR_DEVICE_REMOVED
      , pkcs11_return_name_30, &pkcs11_return_names_40 };

static enum_names pkcs11_return_names_20 =
    { CKR_DATA_INVALID, CKR_DATA_LEN_RANGE
      , pkcs11_return_name_20, &pkcs11_return_names_30 };

static enum_names pkcs11_return_names_10 =
    { CKR_ATTRIBUTE_READ_ONLY, CKR_ATTRIBUTE_VALUE_INVALID
      , pkcs11_return_name_10, &pkcs11_return_names_20};

static enum_names pkcs11_return_names =
    { CKR_OK, CKR_CANT_LOCK
      , pkcs11_return_name, &pkcs11_return_names_10};

/*
 * Unload a PKCS#11 module.
 * The calling application is responsible for cleaning up
 * and calling C_Finalize()
 */
static CK_RV
scx_unload_pkcs11_module(scx_pkcs11_module_t *mod)
{
    if (!mod || mod->_magic != SCX_MAGIC)
      return CKR_ARGUMENTS_BAD;

    if (dlclose(mod->handle) < 0)
      return CKR_FUNCTION_FAILED;

    memset(mod, 0, sizeof(*mod));
    pfree(mod);
    return CKR_OK;
}

static scx_pkcs11_module_t*
scx_load_pkcs11_module(const char *name, CK_FUNCTION_LIST_PTR_PTR funcs)
{
    CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR);
    scx_pkcs11_module_t *mod;
    void *handle;
    int rv;

    if (name == NULL || *name == '\0')
      return NULL;

    /* Try to load PKCS#11 library module*/
    handle = dlopen(name, RTLD_NOW);
    if (handle == NULL)
      return NULL;

    mod = alloc_thing(scx_pkcs11_module_t, "scx_pkcs11_module");
    mod->_magic = SCX_MAGIC;
    mod->handle = handle;

   /* Get the list of function pointers */
    c_get_function_list = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR))
          dlsym(mod->handle, "C_GetFunctionList");
    if (!c_get_function_list)
      goto failed;

    rv = c_get_function_list(funcs);
    if (rv == CKR_OK)
      return mod;

failed: scx_unload_pkcs11_module(mod);
      return NULL;
}

/*
 * retrieve a certificate object
 */
static bool
scx_find_cert_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object
, smartcard_t *sc, cert_t *cert)
{
    size_t hex_len, label_len;
    u_char *hex_id = NULL;
    chunk_t blob;
    x509cert_t *x509cert;

    CK_ATTRIBUTE attr[] = {
      { CKA_ID,    NULL_PTR, 0L },
      { CKA_LABEL, NULL_PTR, 0L },
      { CKA_VALUE, NULL_PTR, 0L }
    };

    /* initialize the return argument */
    *cert = empty_cert;

    /* get the length of the attributes first */
    CK_RV rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
    if (rv != CKR_OK)
    {
      plog("couldn't read the attribute sizes: %s"
          , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    pfreeany(sc->label);

    hex_id    = alloc_bytes(attr[0].ulValueLen, "hex id");
    hex_len   = attr[0].ulValueLen;
    sc->label = alloc_bytes(attr[1].ulValueLen + 1, "sc label");
    label_len = attr[1].ulValueLen;
    blob.ptr  = alloc_bytes(attr[2].ulValueLen, "x509cert blob");
    blob.len  = attr[2].ulValueLen;

    attr[0].pValue = hex_id;
    attr[1].pValue = sc->label;
    attr[2].pValue = blob.ptr;

    /* now get the attributes */
    rv = pkcs11_functions->C_GetAttributeValue(session, object, attr, 3);
    if (rv != CKR_OK)
    {
      plog("couldn't read the attributes: %s"
          , enum_show(&pkcs11_return_names, rv));
      pfree(hex_id);
      pfreeany(sc->label);
      pfree(blob.ptr);
      return FALSE;
    }

    pfreeany(sc->id);

    /* convert id from hex to ASCII */
    sc->id = alloc_bytes(2*hex_len + 1, " sc id");
    datatot(hex_id, hex_len, 16, sc->id, 2*hex_len + 1);
    pfree(hex_id);

    /* safeguard in case the label is not null terminated */
    sc->label[label_len] = '\0';

    /* parse the retrieved cert */
    x509cert = alloc_thing(x509cert_t, "x509cert");
    *x509cert = empty_x509cert;
    x509cert->smartcard = TRUE;

    if (!parse_x509cert(blob, 0, x509cert))
    {
      plog("failed to load cert from smartcard, error in X.509 certificate");
      free_x509cert(x509cert);
      return FALSE;
    }
    cert->type = CERT_X509_SIGNATURE;
    cert->u.x509 = x509cert;
    return TRUE;
}

/*
 * search a given slot for PKCS#11 certificate objects
 */
static void
scx_find_cert_objects(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
{
    CK_RV rv;
    CK_OBJECT_CLASS class = CKO_CERTIFICATE;
    CK_ATTRIBUTE attr[] = {{ CKA_CLASS, &class, sizeof(class) }};

    rv = pkcs11_functions->C_FindObjectsInit(session, attr, 1);
    if (rv != CKR_OK)
    {
      plog("error in C_FindObjectsInit: %s"
          , enum_show(&pkcs11_return_names, rv));
      return;
    }

    for (;;)
    {
      CK_OBJECT_HANDLE object;
      CK_ULONG obj_count = 0;
      err_t ugh;
      time_t valid_until;
      smartcard_t *sc;
      x509cert_t *cert;

      rv = pkcs11_functions->C_FindObjects(session, &object, 1, &obj_count);
      if (rv != CKR_OK)
      {
          plog("error in C_FindObjects: %s"
            , enum_show(&pkcs11_return_names, rv));
          break;
      }

      /* no objects left */
      if (obj_count == 0)
          break;

      /* create and initialize a new smartcard object */
      sc  = alloc_thing(smartcard_t, "smartcard");
      *sc = empty_sc;
      sc->any_slot = FALSE;
      sc->slot  = slot;

        if (!scx_find_cert_object(session, object, sc, &sc->last_cert))
      {
          scx_free(sc);
          continue;
      }
      DBG(DBG_CONTROL,
          DBG_log("found cert in %s with id: %s, label: '%s'"
            , scx_print_slot(sc, ""), sc->id, sc->label)
      )

      /* check validity of certificate */
      cert = sc->last_cert.u.x509;
      valid_until = cert->notAfter;
      ugh = check_validity(cert, &valid_until);
      if (ugh != NULL)
      {
          plog("  %s", ugh);
          free_x509cert(cert);
          scx_free(sc);
          continue;
      }
      else
      {
          DBG(DBG_CONTROL,
            DBG_log("  certificate is valid")
          )
      }

      sc = scx_add(sc);

      /* put end entity and ca certificates into different chains */
      if (cert->isCA)
          add_authcert(cert, AUTH_CA);
      else
      {
          add_x509_public_key(cert, valid_until, DAL_LOCAL);
            sc->last_cert.u.x509 = add_x509cert(cert);
      }

      share_cert(sc->last_cert);
      time(&sc->last_load);
    }

    rv = pkcs11_functions->C_FindObjectsFinal(session);
    if (rv != CKR_OK)
    {
      plog("error in C_FindObjectsFinal: %s"
              , enum_show(&pkcs11_return_names, rv));
    }
}

/*
 * search all slots for PKCS#11 certificate objects
 */
static void
scx_find_all_cert_objects(void)
{
    CK_RV rv;
    CK_SLOT_ID_PTR slots = NULL_PTR;
    CK_ULONG slot_count = 0;
    CK_ULONG i;

    if (!scx_initialized)
    {
      plog("pkcs11 module not initialized");
      return;
    }

    /* read size, always returns CKR_OK ! */
    rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);

    /* allocate memory for the slots */
    slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");

    rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
    if (rv != CKR_OK)
    {
      plog("error in C_GetSlotList: %s", enum_show(&pkcs11_return_names, rv));
      pfreeany(slots);
      return;
    }

    /* look in every slot for certificate objects */
    for (i = 0; i < slot_count; i++)
    {
      CK_SLOT_ID slot = slots[i];
      CK_SLOT_INFO info;
      CK_SESSION_HANDLE session;

      rv = pkcs11_functions->C_GetSlotInfo(slot, &info);

      if (rv != CKR_OK)
      {
          plog("error in C_GetSlotInfo: %s"
            , enum_show(&pkcs11_return_names, rv));
          continue;
      }
      
      if (!(info.flags & CKF_TOKEN_PRESENT))
      {
          plog("no token present in slot %lu", slot);
          continue;
      }

      rv = pkcs11_functions->C_OpenSession(slot
            , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
      if (rv != CKR_OK)
      {
          plog("failed to open a session on slot %lu: %s"
            , slot, enum_show(&pkcs11_return_names, rv));
          continue;
      }
      DBG(DBG_CONTROLMORE,
          DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
      )
      scx_find_cert_objects(slot, session);

      rv = pkcs11_functions->C_CloseSession(session);
      if (rv != CKR_OK)
      {
          plog("error in C_CloseSession: %s"
            , enum_show(&pkcs11_return_names, rv));
      }
    }
    pfreeany(slots);
}
#endif

/*
 * load and initialize PKCS#11 cryptoki module 
 */
void
scx_init(const char* module)
{
#ifdef SMARTCARD
    CK_RV rv;

    if (scx_initialized)
    {
      plog("weird - pkcs11 module seems already to be initialized");
      return;
    }

    if (module == NULL)
#ifdef PKCS11_DEFAULT_LIB
      module = PKCS11_DEFAULT_LIB;
#else
    {
      plog("no pkcs11 module defined");
      return;
    }
#endif

    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("pkcs11 module '%s' loading...", module)
    )
    pkcs11_module = scx_load_pkcs11_module(module, &pkcs11_functions);
    if (pkcs11_module == NULL)
    {
       plog("failed to load pkcs11 module '%s'", module);
       return;
    }

    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("pkcs11 module initializing...")
    )   
    rv = pkcs11_functions->C_Initialize(NULL);
    if (rv != CKR_OK)
    {
      plog("failed to initialize pkcs11 module: %s"
          , enum_show(&pkcs11_return_names, rv));
      return;
    }

    scx_initialized = TRUE;
    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("pkcs11 module loaded and initialized")
    )

    scx_find_all_cert_objects();
#endif
}

/*
 * finalize and unload PKCS#11 cryptoki module 
 */
void
scx_finalize(void)
{
#ifdef SMARTCARD
    while (smartcards != NULL)
    {
      scx_release(smartcards);
    }

    if (pkcs11_functions != NULL_PTR)
    {
      pkcs11_functions->C_Finalize(NULL_PTR);
      pkcs11_functions = NULL_PTR;
    }

    if (pkcs11_module != NULL)
    {
      scx_unload_pkcs11_module(pkcs11_module);
      pkcs11_module = NULL;
    }

    scx_initialized = FALSE;
    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("pkcs11 module finalized and unloaded")
    )
#endif
}

/*
 * does a filename contain the token %smartcard?
 */
bool
scx_on_smartcard(const char *filename)
{
    return strncmp(filename, SCX_TOKEN, strlen(SCX_TOKEN)) == 0;
}

#ifdef SMARTCARD
/*
 * find a specific object on the smartcard 
 */
static bool
scx_pkcs11_find_object( CK_SESSION_HANDLE session, 
                  CK_OBJECT_HANDLE_PTR object, 
                  CK_OBJECT_CLASS class, 
                  const char* id)
{
    size_t len;
    char buf[BUF_LEN];
    CK_RV rv;
    CK_ULONG obj_count = 0;
    CK_ULONG attr_count = 1;

    CK_ATTRIBUTE attr[] = {
      { CKA_CLASS, &class, sizeof(class) },
      { CKA_ID, &buf, 0L }
    };

    if (id != NULL)
    {
      ttodata(id, strlen(id), 16, buf, BUF_LEN, &len);
      attr[1].ulValueLen = len;
      attr_count = 2;
    }

    /* get info for certificate with id */
    rv = pkcs11_functions->C_FindObjectsInit(session, attr, attr_count);
    if (rv != CKR_OK)
    {
      plog("error in C_FindObjectsInit: %s"
              , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    rv = pkcs11_functions->C_FindObjects(session, object, 1,  &obj_count);
    if (rv != CKR_OK)
    {
      plog("error in C_FindObjects: %s"
              , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    rv = pkcs11_functions->C_FindObjectsFinal(session);
    if (rv != CKR_OK)
    {
      plog("error in C_FindObjectsFinal: %s"
              , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    return (obj_count != 0);
}

/*
 * check if a given certificate object id is found in a slot
 */
static bool
scx_find_cert_id_in_slot(smartcard_t *sc, CK_SLOT_ID slot)
{
    CK_SESSION_HANDLE session;
    CK_OBJECT_HANDLE object;
    CK_SLOT_INFO info;

    CK_RV rv = pkcs11_functions->C_GetSlotInfo(slot, &info);

    if (rv != CKR_OK)
    {
      plog("error in C_GetSlotInfo: %s"
          , enum_show(&pkcs11_return_names, rv));
       return FALSE;
    }
      
    if (!(info.flags & CKF_TOKEN_PRESENT))
    {
      plog("no token present in slot %lu", slot);
      return FALSE;
    }

    rv = pkcs11_functions->C_OpenSession(slot
            , CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &session);
    if (rv != CKR_OK)
    {
      plog("failed to open a session on slot %lu: %s"
          , slot, enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }
    DBG(DBG_CONTROLMORE,
      DBG_log("pkcs11 session #%ld for searching slot %lu", session, slot)
    )

    /* check if there is a certificate on the card in the specified slot */
    if (scx_pkcs11_find_object(session, &object, CKO_CERTIFICATE, sc->id))
    {
      sc->slot = slot;
      sc->any_slot = FALSE;
      sc->session = session;
      sc->session_opened = TRUE;
      return TRUE;
    }
      
    rv = pkcs11_functions->C_CloseSession(session);
    if (rv != CKR_OK)
    {
      plog("error in C_CloseSession: %s"
            , enum_show(&pkcs11_return_names, rv));
    }
    return FALSE;
}
#endif

/*
 * Connect to the smart card in the reader and select the correct slot
 */
bool
scx_establish_context(smartcard_t *sc)
{
#ifdef SMARTCARD
    bool id_found = FALSE;

    if (!scx_initialized)
    {
      plog("pkcs11 module not initialized");
      return FALSE;
    }

    if (sc->session_opened)
    {
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log("pkcs11 session #%ld already open", sc->session)
      )
      return TRUE;
    }

    if (!sc->any_slot)
      id_found = scx_find_cert_id_in_slot(sc, sc->slot);

    if (!id_found)
    {
      CK_RV rv;
      CK_SLOT_ID slot;
      CK_SLOT_ID_PTR slots = NULL_PTR;
      CK_ULONG slot_count = 0;
      CK_ULONG i;

      /* read size, always returns CKR_OK ! */
      rv = pkcs11_functions->C_GetSlotList(FALSE, NULL_PTR, &slot_count);

      /* allocate memory for the slots */
      slots = (CK_SLOT_ID *)alloc_bytes(slot_count * sizeof(CK_SLOT_ID), "slots");

      rv = pkcs11_functions->C_GetSlotList(FALSE, slots, &slot_count);
      if (rv != CKR_OK)
      {
          plog("error in C_GetSlotList: %s"
            , enum_show(&pkcs11_return_names, rv));
          pfreeany(slots);
          return FALSE;
        }

        /* look in every slot for a certificate with a given object ID */
      for (i = 0; i < slot_count; i++)
      {
          slot = slots[i];
          id_found = scx_find_cert_id_in_slot(sc, slot);
          if (id_found)
              break;
        }
      pfreeany(slots)
    }

    if (id_found)
    {
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log("found token with id %s in slot %lu", sc->id, sc->slot);
          DBG_log("pkcs11 session #%ld opened", sc->session)
      )
    }
    else
    {
      plog("  no certificate with id %s found on smartcard", sc->id);
    }
    return id_found;
#else
    plog("warning: SMARTCARD support is deactivated in pluto/Makefile!");
    return FALSE;
#endif
}

/*
 * log in to a session
 */
bool
scx_login(smartcard_t *sc)
{
#ifdef SMARTCARD
    CK_RV rv;

    if (sc->logged_in)
    {
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log("pkcs11 session #%ld login already done", sc->session)
      )
      return TRUE;
    }
      
    if (sc->pin.ptr == NULL)
    {
      plog("unable to log in without PIN!");
      return FALSE;
    }

    if (!sc->session_opened)
    {
      plog("session not opened");
      return FALSE;
    }

    rv = pkcs11_functions->C_Login(sc->session, CKU_USER 
                        , (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
    if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
    {
      plog("unable to login: %s"
          , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }
    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("pkcs11 session #%ld login successful", sc->session)
    )
    sc->logged_in = TRUE;
    return TRUE;
#else
   return FALSE;
#endif
}

#ifdef SMARTCARD
/*
 * logout from a session
 */
static void
scx_logout(smartcard_t *sc)
{
    CK_RV rv;
    
    rv = pkcs11_functions->C_Logout(sc->session);
    if (rv != CKR_OK)
      plog("error in C_Logout: %s"
          , enum_show(&pkcs11_return_names, rv));
    else
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log("pkcs11 session #%ld logout", sc->session)
      )
    sc->logged_in = FALSE;
}
#endif


/*
 * Release context and disconnect from card
 */
void
scx_release_context(smartcard_t *sc)
{
#ifdef SMARTCARD
    CK_RV rv;

    if (!scx_initialized)
      return;

    if (sc->session_opened)
    {
      if (sc->logged_in)
          scx_logout(sc);

      sc->session_opened = FALSE;
      
      rv = pkcs11_functions->C_CloseSession(sc->session);
      if (rv != CKR_OK)
          plog("error in C_CloseSession: %s"
            , enum_show(&pkcs11_return_names, rv));
      else
          DBG(DBG_CONTROL | DBG_CRYPT,
            DBG_log("pkcs11 session #%ld closed", sc->session)
          )
    }
#endif
}

/*
 * Load host certificate from smartcard
 */
bool
scx_load_cert(const char *filename, smartcard_t **scp, cert_t *cert
, bool *cached)
{
#ifdef SMARTCARD  /* compile with smartcard support */
    CK_OBJECT_HANDLE object;

    const char *number_slot_id = filename + strlen(SCX_TOKEN);

    smartcard_t *sc = scx_add(scx_parse_number_slot_id(number_slot_id));

    /* return the smartcard object */
    *scp = sc;

    /* is there a cached smartcard certificate? */
    *cached = sc->last_cert.type != CERT_NONE
            && (time(NULL) - sc->last_load) < SCX_CERT_CACHE_INTERVAL;

    if (*cached)
    {
      *cert = sc->last_cert;
      plog("  using cached cert from smartcard #%d (%s, id: %s, label: '%s')"
            , sc->number
            , scx_print_slot(sc, "")
            , sc->id
            , sc->label);
      return TRUE;
    }

    if (!scx_establish_context(sc))
    {
      scx_release_context(sc);
      return FALSE;
    }

    /* find the certificate object */
    if (!scx_pkcs11_find_object(sc->session, &object, CKO_CERTIFICATE, sc->id))
    {
      scx_release_context(sc);
      return FALSE;
    }

    /* retrieve the certificate object */
    if (!scx_find_cert_object(sc->session, object, sc, cert))
    {
      scx_release_context(sc);
      return FALSE;
    }

    if (!pkcs11_keep_state)
      scx_release_context(sc);

    plog("  loaded cert from smartcard #%d (%s, id: %s, label: '%s')"
      , sc->number
      , scx_print_slot(sc, "")
      , sc->id
      , sc->label);

    return TRUE;
#else
    plog("  warning: SMARTCARD support is deactivated in pluto/Makefile!");
    return FALSE;
#endif
}

/*
 * parse slot number and key id
 * the following syntax is allowed
 *               number   slot   id
 * %smartcard      1       -     -
 * %smartcard#2    2       -     -
 * %smartcard0     -       0     -
 * %smartcard:45   -       -     45
 * %smartcard0:45  -       0     45
 */
smartcard_t*
scx_parse_number_slot_id(const char *number_slot_id)
{
    int len = strlen(number_slot_id);
    smartcard_t *sc = alloc_thing(smartcard_t, "smartcard");

    /* assign default values */
    *sc = empty_sc;

    if (len == 0)             /* default: use certificate #1 */
    {
      sc->number = 1;   
    }
    else if (*number_slot_id == '#')      /* #number scheme */
    {
      err_t ugh;
      unsigned long ul;

      ugh = atoul(number_slot_id+1, len-1 , 10, &ul);
      if (ugh == NULL)
          sc->number = (int)ul;
      else
          plog("error parsing smartcard number: %s", ugh);
    }
    else                      /* slot:id scheme */
    {
      int slot_len = len;
      char *p = strchr(number_slot_id, ':');

      if (p != NULL)
      {
          int id_len = len - (p + 1 - number_slot_id);
          slot_len -= (1 + id_len);

          if (id_len > 0)           /* we have an id */
            sc->id = p + 1;
      }
      if (slot_len > 0)       /* we have a slot */
      {
          err_t ugh = NULL;
          unsigned long ul;

          ugh = atoul(number_slot_id, slot_len, 10, &ul);
          if (ugh == NULL)
          {
            sc->slot = ul;
                sc->any_slot = FALSE;
          }
          else
            plog("error parsing smartcard slot number: %s", ugh);
      }
    }
    /* unshare the id string */
    sc->id = clone_str(sc->id, "key id");
    return sc;
}

/*
 * Verify pin on card
 */
bool
scx_verify_pin(smartcard_t *sc)
{
#ifdef SMARTCARD
    CK_RV rv;
    
    if (!sc->pinpad)
      sc->valid = FALSE;

    if (sc->pin.ptr == NULL)
    {
      plog("unable to verify without PIN");
      return FALSE;
    }

    /* establish context */
    if (!scx_establish_context(sc))
    {
      scx_release_context(sc);
      return FALSE;
    }

    rv = pkcs11_functions->C_Login(sc->session, CKU_USER,
                        (CK_UTF8CHAR *) sc->pin.ptr, sc->pin.len);
    if (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN)
    {
      sc->valid = TRUE;
      sc->logged_in = TRUE;
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log((rv == CKR_OK)
            ? "PIN code correct"
            : "already logged in, no PIN entry required");
          DBG_log("pkcs11 session #%ld login successful", sc->session)
        )
    }
    else
    {
      DBG(DBG_CONTROL | DBG_CRYPT,
          DBG_log("PIN code incorrect")
        )
    }
    if (!pkcs11_keep_state)
      scx_release_context(sc);
#else
    sc->valid = FALSE;
#endif
    return sc->valid;
}

/*
 * Sign hash on smartcard
 */
bool
scx_sign_hash(smartcard_t *sc, const u_char *in, size_t inlen
, u_char *out, size_t outlen)
{
#ifdef SMARTCARD
    CK_RV rv;
    CK_OBJECT_HANDLE object;
    CK_ULONG siglen = (CK_ULONG)outlen;
    CK_BBOOL sign_flag, decrypt_flag;
    CK_ATTRIBUTE attr[] = {
      { CKA_SIGN,    &sign_flag,    sizeof(sign_flag) },
      { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
    };

    if (!sc->logged_in)
      return FALSE;

    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
    {
      plog("unable to find private key with id '%s'", sc->id);
      return FALSE;
    }

    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
    if (rv != CKR_OK)
    {
      plog("couldn't read the private key attributes: %s"
          , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }
    DBG(DBG_CONTROL,
      DBG_log("RSA key flags: sign = %s, decrypt = %s"
          , (sign_flag)?    "true":"false"
          , (decrypt_flag)? "true":"false")
    )

    if (sign_flag)
    {
      CK_MECHANISM mech  = { CKM_RSA_PKCS, NULL_PTR, 0 };

      rv = pkcs11_functions->C_SignInit(sc->session, &mech, object);
      if (rv != CKR_OK)
      {
          plog("error in C_SignInit: %s"
            , enum_show(&pkcs11_return_names, rv));
          return FALSE;
      }

      rv = pkcs11_functions->C_Sign(sc->session, (CK_BYTE_PTR)in, inlen
            , out, &siglen);
      if (rv != CKR_OK)
      {
          plog("error in C_Sign: %s"
            , enum_show(&pkcs11_return_names, rv));
          return FALSE;
      }
    }
    else if (decrypt_flag)
    {
      CK_MECHANISM mech = { CKM_RSA_X_509, NULL_PTR, 0 };
      size_t padlen;
      u_char *p = out ;

      /* PKCS#1 v1.5 8.1 encryption-block formatting */
      *p++ = 0x00;
      *p++ = 0x01;      /* BT (block type) 01 */
      padlen = outlen - 3 - inlen;
      memset(p, 0xFF, padlen);
      p += padlen;
      *p++ = 0x00;
      memcpy(p, in, inlen);

      rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
      if (rv != CKR_OK)
      {
          plog("error in C_DecryptInit: %s"
              , enum_show(&pkcs11_return_names, rv));
          return FALSE;
        }

        rv = pkcs11_functions->C_Decrypt(sc->session, out, outlen
            , out, &siglen);
      if (rv != CKR_OK)
        {
          plog("error in C_Decrypt: %s"
              , enum_show(&pkcs11_return_names, rv));
          return FALSE;
        }
    }
    else
    {
      plog("private key has neither sign nor decrypt flag set");
      return FALSE;
    }

    if (siglen > (CK_ULONG)outlen)
    {
      plog("signature length (%lu) larger than allocated buffer (%d)"
          , siglen, (int)outlen);
      return FALSE;
    }
    return TRUE;
#else
    return FALSE;
#endif
}

/* 
 * encrypt data block with an RSA public key
 */
bool
scx_encrypt(smartcard_t *sc, const u_char *in, size_t inlen
, u_char *out, size_t *outlen)
{
#ifdef SMARTCARD
    CK_RV rv;
    CK_OBJECT_HANDLE object;
    CK_ULONG len = (CK_ULONG)(*outlen);
    CK_BBOOL encrypt_flag;
    CK_ATTRIBUTE attr[] = {
      { CKA_MODULUS,         NULL_PTR, 0L },
      { CKA_PUBLIC_EXPONENT, NULL_PTR, 0L },
      { CKA_ENCRYPT,         &encrypt_flag, sizeof(encrypt_flag) }
    };
    CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };

    if (!scx_establish_context(sc))
    {
      scx_release_context(sc);
          return FALSE;
    }

    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PUBLIC_KEY, sc->id))
    {
      plog("unable to find public key with id '%s'", sc->id);
      return FALSE;
    }

    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 3);
    if (rv != CKR_OK)
    {
      plog("couldn't read the public key attributes: %s"
          , enum_show(&pkcs11_return_names, rv));
      scx_release_context(sc);
      return FALSE;
    }

    if (!encrypt_flag)
    {
      plog("public key cannot be used for encryption");
      scx_release_context(sc);
      return FALSE;
    }
      
    /* there must be enough space left for the PKCS#1 v1.5 padding */
    if (inlen > attr[0].ulValueLen - 11)
    {
      plog("smartcard input data length (%d) exceeds maximum of %lu bytes"
            , (int)inlen, attr[0].ulValueLen - 11);
      if (!pkcs11_keep_state)
          scx_release_context(sc);
      return FALSE;
    }

    rv = pkcs11_functions->C_EncryptInit(sc->session, &mech, object);

    if (rv != CKR_OK)
    {
      if (rv == CKR_FUNCTION_NOT_SUPPORTED)
      {
          RSA_public_key_t rsa;
          chunk_t plain_text = {in, inlen};
          chunk_t cipher_text; 

          DBG(DBG_CONTROL,
            DBG_log("doing RSA encryption in software")
          )
          attr[0].pValue = alloc_bytes(attr[0].ulValueLen, "modulus");
          attr[1].pValue = alloc_bytes(attr[1].ulValueLen, "exponent");

          rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 2);
          if (rv != CKR_OK)
          {
            plog("couldn't read modulus and public exponent: %s"
                , enum_show(&pkcs11_return_names, rv));
            pfree(attr[0].pValue);
            pfree(attr[1].pValue);
            scx_release_context(sc);
            return FALSE;
          }
          rsa.k = attr[0].ulValueLen;
          n_to_mpz(&rsa.n, attr[0].pValue, attr[0].ulValueLen);
          n_to_mpz(&rsa.e, attr[1].pValue, attr[1].ulValueLen);
          pfree(attr[0].pValue);
          pfree(attr[1].pValue);

          cipher_text = RSA_encrypt(&rsa, plain_text);
          free_RSA_public_content(&rsa);
          if (cipher_text.ptr == NULL)
          {
            plog("smartcard input data length is too large");
            if (!pkcs11_keep_state)
                scx_release_context(sc);
              return FALSE;
          }

          memcpy(out, cipher_text.ptr, cipher_text.len);
          *outlen = cipher_text.len;
          freeanychunk(cipher_text);
          if (!pkcs11_keep_state)
            scx_release_context(sc);
          return TRUE;
      }
      else
      {
          plog("error in C_EncryptInit: %s"
            , enum_show(&pkcs11_return_names, rv));
          scx_release_context(sc);
          return FALSE;
      }
    }

    DBG(DBG_CONTROL,
      DBG_log("doing RSA encryption on smartcard")
    )
    rv = pkcs11_functions->C_Encrypt(sc->session, in, inlen
            , out, &len);
    if (rv != CKR_OK)
    {
      plog("error in C_Encrypt: %s"
          , enum_show(&pkcs11_return_names, rv));
      scx_release_context(sc);
      return FALSE;
    }
    if (!pkcs11_keep_state)
      scx_release_context(sc);

    *outlen = (size_t)len;
    return TRUE;
#else
    return FALSE;
#endif
}
/* 
 * decrypt a data block with an RSA private key
 */
bool
scx_decrypt(smartcard_t *sc, const u_char *in, size_t inlen
, u_char *out, size_t *outlen)
{
#ifdef SMARTCARD
    CK_RV rv;
    CK_OBJECT_HANDLE object;
    CK_ULONG len = (CK_ULONG)(*outlen);
    CK_BBOOL decrypt_flag;
    CK_ATTRIBUTE attr[] = {
      { CKA_DECRYPT, &decrypt_flag, sizeof(decrypt_flag) }
    };
    CK_MECHANISM mech = { CKM_RSA_PKCS, NULL_PTR, 0 };

    if (!scx_establish_context(sc) || !scx_login(sc))
    {
      scx_release_context(sc);
          return FALSE;
    }

    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
    {
      plog("unable to find private key with id '%s'", sc->id);
      return FALSE;
    }

    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object, attr, 1);
    if (rv != CKR_OK)
    {
      plog("couldn't read the private key attributes: %s"
          , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    if (!decrypt_flag)
    {
      plog("private key cannot be used for decryption");
      scx_release_context(sc);
      return FALSE;
    }
      
    DBG(DBG_CONTROL,
      DBG_log("doing RSA decryption on smartcard")
    )
    rv = pkcs11_functions->C_DecryptInit(sc->session, &mech, object);
    if (rv != CKR_OK)
    {
      plog("error in C_DecryptInit: %s"
          , enum_show(&pkcs11_return_names, rv));
      scx_release_context(sc);
      return FALSE;
    }

    rv = pkcs11_functions->C_Decrypt(sc->session, in, inlen
            , out, &len);
    if (rv != CKR_OK)
    {
      plog("error in C_Decrypt: %s"
          , enum_show(&pkcs11_return_names, rv));
      scx_release_context(sc);
      return FALSE;
    }
    if (!pkcs11_keep_state)
      scx_release_context(sc);

    *outlen = (size_t)len;
    return TRUE;
#else
    return FALSE;
#endif
}

/* receive an encrypted data block via whack,
 * decrypt it using a private RSA key and
 * return the decrypted data block via whack
 */
bool
scx_op_via_whack(const char* msg, int inbase, int outbase, sc_op_t op
, const char* keyid, int whackfd)
{
    char inbuf[RSA_MAX_OCTETS];
    char outbuf[2*RSA_MAX_OCTETS + 1];
    size_t outlen = sizeof(inbuf);
    size_t inlen;
    smartcard_t *sc,*sc_new;

    const char *number_slot_id = "";

    err_t ugh = ttodata(msg, 0, inbase, inbuf, sizeof(inbuf), &inlen);

    /* no prefix - use default base */
    if (ugh != NULL  && inbase == 0)
       ugh = ttodata(msg, 0, DEFAULT_BASE, inbuf, sizeof(inbuf), &inlen);

    if (ugh != NULL)
    {
      plog("format error in smartcard input data: %s", ugh);
      return FALSE;
    }

    if (keyid != NULL)
    {
      number_slot_id = (strncmp(keyid, SCX_TOKEN, strlen(SCX_TOKEN)) == 0)
                   ? keyid + strlen(SCX_TOKEN) : keyid;
    }

    sc_new = scx_parse_number_slot_id(number_slot_id);
    sc = scx_add(sc_new);
    if (sc == sc_new)
      scx_share(sc);

    DBG((op == SC_OP_ENCRYPT)? DBG_PRIVATE:DBG_RAW,
      DBG_dump("smartcard input data:\n", inbuf, inlen)
    )

    if (op == SC_OP_DECRYPT)
    {
      if (!sc->valid && whackfd != NULL_FD)
          scx_get_pin(sc, whackfd);

      if (!sc->valid)
      {
          loglog(RC_NOVALIDPIN, "cannot decrypt without valid PIN");
          return FALSE;
        }
    }

    DBG(DBG_CONTROL | DBG_CRYPT,
      DBG_log("using RSA key from smartcard (slot: %d, id: %s)"
          , (int)sc->slot, sc->id)
    )

    switch (op)
    {
    case SC_OP_ENCRYPT:
      if (!scx_encrypt(sc, inbuf, inlen, inbuf, &outlen))
          return FALSE;
      break;
    case SC_OP_DECRYPT:
      if (!scx_decrypt(sc, inbuf, inlen, inbuf, &outlen))
          return FALSE;
      break;
    default:
      break;
    }

    DBG((op == SC_OP_DECRYPT)? DBG_PRIVATE:DBG_RAW,
      DBG_dump("smartcard output data:\n", inbuf, outlen)
    )

    if (outbase == 0)  /* use default base */ 
      outbase = DEFAULT_BASE;

    if (outbase == 256) /* ascii plain text */
      whack_log(RC_COMMENT, "%.*s", (int)outlen, inbuf);
    else
    {
      outlen = datatot(inbuf, outlen, outbase, outbuf, sizeof(outbuf));
      if (outlen == 0)
      {
          plog("error in output format conversion");
          return FALSE;
      }
      whack_log(RC_COMMENT, "%s", outbuf);
    }
    return TRUE;
}

 /*
 * get length of RSA key in bytes
 */
size_t
scx_get_keylength(smartcard_t *sc)
{
#ifdef SMARTCARD
    CK_RV rv;
    CK_OBJECT_HANDLE object;
    CK_ATTRIBUTE attr[] = {{ CKA_MODULUS, NULL_PTR, 0}};

    if (!sc->logged_in)
      return FALSE;

    if (!scx_pkcs11_find_object(sc->session, &object, CKO_PRIVATE_KEY, sc->id))
    {
      plog("unable to find private key with id '%s'", sc->id);
      return FALSE;
    }

    /* get the length of the private key */
    rv = pkcs11_functions->C_GetAttributeValue(sc->session, object
            , (CK_ATTRIBUTE_PTR)&attr, 1);
    if (rv != CKR_OK)
    {
      plog("failed to get key length: %s"
          , enum_show(&pkcs11_return_names, rv));
      return FALSE;
    }

    return attr[0].ulValueLen;      /*Return key length in bytes */
#else
    return 0;
#endif
}

/*
 * prompt for pin and verify it
 */
bool
scx_get_pin(smartcard_t *sc, int whackfd)
{
#ifdef SMARTCARD
    char pin[BUF_LEN];
    int i, n;

    whack_log(RC_ENTERSECRET, "need PIN for #%d (%s, id: %s, label: '%s')"
      , sc->number, scx_print_slot(sc, ""), sc->id, sc->label);

    for (i = 0; i < SCX_MAX_PIN_TRIALS; i++)
    {
      if (i > 0)
          whack_log(RC_ENTERSECRET, "invalid PIN, please try again");

      n = read(whackfd, pin, BUF_LEN);

      if (n == -1)
      {
          whack_log(RC_LOG_SERIOUS, "read(whackfd) failed");
          return FALSE;
      }

      if (strlen(pin) == 0)
      {
          whack_log(RC_LOG_SERIOUS, "no PIN entered, aborted");
          return FALSE;
      }

      sc->pin.ptr = pin;
      sc->pin.len = strlen(pin);

      /* verify the pin */
      if (scx_verify_pin(sc))
      {
          clonetochunk(sc->pin, pin, strlen(pin), "pin");
          break;
      }

      /* wrong pin - we try another round */
      sc->pin = empty_chunk;
    }

    if (sc->valid)
      whack_log(RC_SUCCESS, "valid PIN");
    else
      whack_log(RC_LOG_SERIOUS, "invalid PIN, too many trials");
#else
    sc->valid = FALSE;
    whack_log(RC_LOG_SERIOUS, "SMARTCARD support is deactivated in pluto/Makefile!");
#endif
    return sc->valid;
}


/*
 * free the pin code
 */
void
scx_free_pin(chunk_t *pin)
{
    if (pin->ptr != NULL)
    {
      /* clear pin field in memory */
      memset(pin->ptr, '\0', pin->len);
      pfree(pin->ptr);
      *pin = empty_chunk;
    }
}

/*
 * frees a smartcard record
 */
void
scx_free(smartcard_t *sc)
{
    if (sc != NULL)
    {
      scx_release_context(sc);
      pfreeany(sc->id);
      pfreeany(sc->label);
      scx_free_pin(&sc->pin);
      pfree(sc);
    }
}

/*  release of a smartcard record decreases the count by one
 "  the record is freed when the counter reaches zero
 */
void
scx_release(smartcard_t *sc)
{
    if (sc != NULL && --sc->count == 0)
    {
      smartcard_t **pp = &smartcards;
      while (*pp != sc)
          pp = &(*pp)->next;
        *pp = sc->next;
      release_cert(sc->last_cert);
      scx_free(sc);
    }
}

/*
 *  compare two smartcard records by comparing their slots and ids
 */
static bool
scx_same(smartcard_t *a, smartcard_t *b)
{
    if  (a->number && b->number)
    {
      /* same number */
      return a->number == b->number;
    }
    else
    {
      /* same id and/or same slot */
        return (!a->id || (b->id && streq(a->id, b->id)))
          && (a->any_slot || b->any_slot || a->slot == b->slot);
    }
}

/*  for each link pointing to the smartcard record
 "  increase the count by one
 */
void
scx_share(smartcard_t *sc)
{
    if (sc != NULL)
      sc->count++;
}

/*
 *  adds a smartcard record to the chained list
 */
smartcard_t*
scx_add(smartcard_t *smartcard)
{
    smartcard_t *sc = smartcards;
    smartcard_t **psc = &smartcards;

    while (sc != NULL)
    {
      if (scx_same(smartcard, sc)) /* already in chain, free smartcard record */
      {
          scx_free(smartcard);
          return sc;
      }
        psc = &sc->next;
      sc = sc->next;
    }

    /* insert new smartcard record at the end of the chain */
    *psc = smartcard;
    smartcard->number = ++sc_number;
    smartcard->count = 1;
    DBG(DBG_CONTROL | DBG_PARSING,
      DBG_log("  smartcard #%d added", sc_number)
    )
    return smartcard;
}

/*
 * get the smartcard that belongs to an X.509 certificate
 */
smartcard_t*
scx_get(x509cert_t *cert)
{
    smartcard_t *sc = smartcards;

    while (sc != NULL)
    {
      if (sc->last_cert.u.x509 == cert)
          return sc;
      sc = sc->next;
    }
    return NULL;
}

/*
 * prints either the slot number or 'any slot'
 */
char *
scx_print_slot(smartcard_t *sc, const char *whitespace)
{
    char *buf = temporary_cyclic_buffer();

    if (sc->any_slot)
      snprintf(buf, BUF_LEN, "any slot");
    else
      snprintf(buf, BUF_LEN, "slot: %s%lu", whitespace, sc->slot);
    return buf;
}

/*
 *  list all smartcard info records in a chained list
 */
void
scx_list(bool utc)
{
    smartcard_t *sc = smartcards;

    if (sc != NULL)
    {
      whack_log(RC_COMMENT, " ");
      whack_log(RC_COMMENT, "List of Smartcard Objects:");
      whack_log(RC_COMMENT, " ");
    }

    while (sc != NULL)
    {
      whack_log(RC_COMMENT, "%s, #%d, count: %d"
          , timetoa(&sc->last_load, utc)
          , sc->number
          , sc->count);
      whack_log(RC_COMMENT, "       %s, session %s, logged %s, has %s"
          , scx_print_slot(sc, "    ")
          , sc->session_opened? "opened" : "closed"
          , sc->logged_in? "in" : "out"
          , sc->pinpad? "pin pad" 
            : ((sc->pin.ptr == NULL)? "no pin"
                : sc->valid? "valid pin" : "invalid pin"));
      if (sc->id != NULL)
          whack_log(RC_COMMENT, "       id:       %s", sc->id);
      if (sc->label != NULL)
          whack_log(RC_COMMENT, "       label:   '%s'", sc->label);
      if (sc->last_cert.type == CERT_X509_SIGNATURE)
      {
          char buf[BUF_LEN];

          dntoa(buf, BUF_LEN, sc->last_cert.u.x509->subject);
          whack_log(RC_COMMENT, "       subject: '%s'", buf);
      }
      sc = sc->next;
    }
}

Generated by  Doxygen 1.6.0   Back to index