Imported Upstream version 2.3_rc1

author: Alberto Gonzalez Iniesta <agi@inittab.org> 2012-11-05 16:28:09 +0100
committer: Alberto Gonzalez Iniesta <agi@inittab.org> 2012-11-05 16:28:09 +0100
commit: 8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch)
tree: 566d0620eb693320cb121dfd93a5675fa704a30b /pkcs11.c
parent: 349cfa7acb95abe865209a28e417ec74b56f9bba (diff)
1 files changed, 0 insertions, 990 deletions
diff --git a/pkcs11.c b/pkcs11.c
deleted file mode 100644
index 9cf18e5..0000000
--- a/pkcs11.c
+++ /dev/null
@@ -1,990 +0,0 @@
-/*
- *  OpenVPN -- An application to securely tunnel IP networks
- *             over a single TCP/UDP port, with support for SSL/TLS-based
- *             session authentication and key exchange,
- *             packet encryption, packet authentication, and
- *             packet compression.
- *
- *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2
- *  as published by the Free Software Foundation.
- *
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *
- *  You should have received a copy of the GNU General Public License
- *  along with this program (see the file COPYING included with this
- *  distribution); if not, write to the Free Software Foundation, Inc.,
- *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-
-#include "syshead.h"
-
-#if defined(ENABLE_PKCS11)
-
-#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
-#include <pkcs11-helper-1.0/pkcs11h-openssl.h>
-#include "basic.h"
-#include "error.h"
-#include "manage.h"
-#include "base64.h"
-#include "pkcs11.h"
-#include "misc.h"
-#include "otime.h"
-
-static
-time_t
-__mytime (void) {
-	return openvpn_time (NULL);
-}
-
-#if !defined(_WIN32)
-static
-int
-__mygettimeofday (struct timeval *tv) {
-	return gettimeofday (tv, NULL);
-}
-#endif
-
-static
-void
-__mysleep (const unsigned long usec) {
-#if defined(_WIN32)
-	Sleep (usec/1000);
-#else
-	usleep (usec);
-#endif
-}
-
-
-static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
-	malloc,
-	free,
-	__mytime,
-	__mysleep,
-#if defined(_WIN32)
-	NULL
-#else
-	__mygettimeofday
-#endif
-};
-
-static
-unsigned
-_pkcs11_msg_pkcs112openvpn (
-	const unsigned flags
-) {
-	unsigned openvpn_flags;
-
-	switch (flags) {
-		case PKCS11H_LOG_DEBUG2:
-			openvpn_flags = D_PKCS11_DEBUG;
-		break;
-		case PKCS11H_LOG_DEBUG1:
-			openvpn_flags = D_SHOW_PKCS11;
-		break;
-		case PKCS11H_LOG_INFO:
-			openvpn_flags = M_INFO;
-		break;
-		case PKCS11H_LOG_WARN:
-			openvpn_flags = M_WARN;
-		break;
-		case PKCS11H_LOG_ERROR:
-			openvpn_flags = M_FATAL;
-		break;
-		default:
-			openvpn_flags = M_FATAL;
-		break;
-	}
-
-#if defined(ENABLE_PKCS11_FORCE_DEBUG)
-	openvpn_flags=M_INFO;
-#endif
-
-	return openvpn_flags;
-}
-
-static
-unsigned
-_pkcs11_msg_openvpn2pkcs11 (
-	const unsigned flags
-) {
-	unsigned pkcs11_flags;
-
-	if ((flags & D_PKCS11_DEBUG) != 0) {
-		pkcs11_flags = PKCS11H_LOG_DEBUG2;
-	}
-	else if ((flags & D_SHOW_PKCS11) != 0) {
-		pkcs11_flags = PKCS11H_LOG_DEBUG1;
-	}
-	else if ((flags & M_INFO) != 0) {
-		pkcs11_flags = PKCS11H_LOG_INFO;
-	}
-	else if ((flags & M_WARN) != 0) {
-		pkcs11_flags = PKCS11H_LOG_WARN;
-	}
-	else if ((flags & M_FATAL) != 0) {
-		pkcs11_flags = PKCS11H_LOG_ERROR;
-	}
-	else {
-		pkcs11_flags = PKCS11H_LOG_ERROR;
-	}
-
-#if defined(ENABLE_PKCS11_FORCE_DEBUG)
-	pkcs11_flags = PKCS11H_LOG_DEBUG2;
-#endif
-
-	return pkcs11_flags;
-}
-
-static
-void
-_pkcs11_openvpn_log (
-	void * const global_data,
-	unsigned flags,
-	const char * const szFormat,
-	va_list args
-) {
-	char Buffer[10*1024];
-
-	(void)global_data;
-	
-	vsnprintf (Buffer, sizeof (Buffer), szFormat, args);
-	Buffer[sizeof (Buffer)-1] = 0;
-
-	msg (_pkcs11_msg_pkcs112openvpn (flags), "%s", Buffer);
-}
-
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_token_prompt (
-	void * const global_data,
-	void * const user_data,
-	const pkcs11h_token_id_t token,
-	const unsigned retry
-) {
-	struct user_pass token_resp;
-
-	(void)global_data;
-	(void)user_data;
-	(void)retry;
-
-	ASSERT (token!=NULL);
-
-	CLEAR (token_resp);
-	token_resp.defined = false;
-	token_resp.nocache = true;
-	openvpn_snprintf (
-		token_resp.username,
-		sizeof (token_resp.username),
-		"Please insert %s token",
-		token->label
-	);
-
-	if (
-		!get_user_pass (
-			&token_resp,
-			NULL,
-			"token-insertion-request",
-			GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
-		)
-	) {
-		return false;
-	}
-	else {
-		return strcmp (token_resp.password, "ok") == 0;
-	}
-}
-
-static
-PKCS11H_BOOL
-_pkcs11_openvpn_pin_prompt (
-	void * const global_data,
-	void * const user_data,
-	const pkcs11h_token_id_t token,
-	const unsigned retry,
-	char * const pin,
-	const size_t pin_max
-) {
-	struct user_pass token_pass;
-	char prompt[1024];
-
-	(void)global_data;
-	(void)user_data;
-	(void)retry;
-
-	ASSERT (token!=NULL);
-
-	openvpn_snprintf (prompt, sizeof (prompt), "%s token", token->label);
-
-	token_pass.defined = false;
-	token_pass.nocache = true;
-	
-	if (
-		!get_user_pass (
-			&token_pass,
-			NULL,
-			prompt,
-			GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
-		)
-	) {
-		return false;
-	}
-	else {
-		strncpynt (pin, token_pass.password, pin_max);
-		purge_user_pass (&token_pass, true);
-
-		if (strlen (pin) == 0) {
-			return false;
-		}
-		else {
-			return true;
-		}
-	}
-}
-
-bool
-pkcs11_initialize (
-	const bool protected_auth,
-	const int nPINCachePeriod
-) {
-	CK_RV rv = CKR_FUNCTION_FAILED;
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_initialize - entered"
-	);
-
-	if ((rv = pkcs11h_engine_setSystem (&s_pkcs11h_sys_engine)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_initialize ()) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setLogHook (_pkcs11_openvpn_log, NULL)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	pkcs11h_setLogLevel (_pkcs11_msg_openvpn2pkcs11 (get_debug_level ()));
-
-	if ((rv = pkcs11h_setForkMode (TRUE)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setTokenPromptHook (_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setPINPromptHook (_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setProtectedAuthentication (protected_auth)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set Pcache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	rv = CKR_OK;
-
-cleanup:
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_initialize - return %ld-'%s'",
-		rv,
-		pkcs11h_getMessage (rv)
-	);
-
-	return rv == CKR_OK;
-}
-
-void
-pkcs11_terminate () {
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_terminate - entered"
-	);
-
-	pkcs11h_terminate ();
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_terminate - return"
-	);
-}
-
-void
-pkcs11_forkFixup () {
-	pkcs11h_forkFixup ();
-}
-
-bool
-pkcs11_addProvider (
-	const char * const provider,
-	const bool protected_auth,
-	const unsigned private_mode,
-	const bool cert_private
-) {
-	CK_RV rv = CKR_OK;
-
-	ASSERT (provider!=NULL);
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
-		provider,
-		private_mode
-	);
-
-	msg (
-		M_INFO,
-		"PKCS#11: Adding PKCS#11 provider '%s'",
-		provider
-	);
-
-	if (
-		(rv = pkcs11h_addProvider (
-			provider,
-			provider,
-			protected_auth,
-			private_mode,
-			PKCS11H_SLOTEVENT_METHOD_AUTO,
-			0,
-			cert_private
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
-	}
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
-		rv,
-		pkcs11h_getMessage (rv)
-	);
-
-	return rv == CKR_OK;
-}
-
-int
-pkcs11_logout() {
-	return pkcs11h_logout () == CKR_OK;
-}
-
-int
-pkcs11_management_id_count () {
-	pkcs11h_certificate_id_list_t id_list = NULL;
-	pkcs11h_certificate_id_list_t t = NULL;
-	CK_RV rv = CKR_OK;
-	int count = 0;
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_management_id_count - entered"
-	);
-
-	if (
-		(rv = pkcs11h_certificate_enumCertificateIds (
-			PKCS11H_ENUM_METHOD_CACHE_EXIST,
-			NULL,
-			PKCS11H_PROMPT_MASK_ALLOW_ALL,
-			NULL,
-			&id_list
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	for (count = 0, t = id_list; t != NULL; t = t->next) {
-		count++;
-	}
-
-cleanup:
-
-	if (id_list != NULL) {
-		pkcs11h_certificate_freeCertificateIdList (id_list);
-		id_list = NULL;
-	}
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_management_id_count - return count=%d",
-		count
-	);
-
-	return count;
-}
-
-bool
-pkcs11_management_id_get (
-	const int index,
-	char ** id,
-	char **base64
-) {
-	pkcs11h_certificate_id_list_t id_list = NULL;
-	pkcs11h_certificate_id_list_t entry = NULL;
-#if 0 /* certificate_id seems to be unused -- JY */
-	pkcs11h_certificate_id_t certificate_id = NULL;
-#endif
-	pkcs11h_certificate_t certificate = NULL;
-	CK_RV rv = CKR_OK;
-	unsigned char *certificate_blob = NULL;
-	size_t certificate_blob_size = 0;
-	size_t max;
-	char *internal_id = NULL;
-	char *internal_base64 = NULL;
-	int count = 0;
-	bool success = false;
-
-	ASSERT (id!=NULL);
-	ASSERT (base64!=NULL);
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_management_id_get - entered index=%d",
-		index
-	);
-
-	*id = NULL;
-	*base64 = NULL;
-
-	if (
-		(rv = pkcs11h_certificate_enumCertificateIds (
-			PKCS11H_ENUM_METHOD_CACHE_EXIST,
-			NULL,
-			PKCS11H_PROMPT_MASK_ALLOW_ALL,
-			NULL,
-			&id_list
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	entry = id_list;
-	count = 0;
-	while (entry != NULL && count != index) {
-		count++;
-		entry = entry->next;
-	}
-
-	if (entry == NULL) {
-		dmsg (
-			D_PKCS11_DEBUG,
-			"PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
-			index
-		);
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_serializeCertificateId (
-			NULL,
-			&max,
-			entry->certificate_id
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((internal_id = (char *)malloc (max)) == NULL) {
-		msg (M_FATAL, "PKCS#11: Cannot allocate memory");
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_serializeCertificateId (
-			internal_id,
-			&max,
-			entry->certificate_id
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_create (
-			entry->certificate_id,
-			NULL,
-			PKCS11H_PROMPT_MASK_ALLOW_ALL,
-			PKCS11H_PIN_CACHE_INFINITE,
-			&certificate
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_getCertificateBlob (
-			certificate,
-			NULL,
-			&certificate_blob_size
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((certificate_blob = (unsigned char *)malloc (certificate_blob_size)) == NULL) {
-		msg (M_FATAL, "PKCS#11: Cannot allocate memory");
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_getCertificateBlob (
-			certificate,
-			certificate_blob,
-			&certificate_blob_size
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if (base64_encode (certificate_blob, certificate_blob_size, &internal_base64) == -1) {
-		msg (M_WARN, "PKCS#11: Cannot encode certificate");
-		goto cleanup;
-	}
-
-	*id = internal_id;
-	internal_id = NULL;
-	*base64 = internal_base64;
-	internal_base64 = NULL;
-	success = true;
-	
-cleanup:
-
-	if (id_list != NULL) {
-		pkcs11h_certificate_freeCertificateIdList (id_list);
-		id_list = NULL;
-	}
-
-	if (internal_id != NULL) {
-		free (internal_id);
-		internal_id = NULL;
-	}
-
-	if (internal_base64 != NULL) {
-		free (internal_base64);
-		internal_base64 = NULL;
-	}
-
-	if (certificate_blob != NULL) {
-		free (certificate_blob);
-		certificate_blob = NULL;
-	}
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
-		success ? 1 : 0,
-		*id
-	);
-
-	return success;
-}
-
-int
-SSL_CTX_use_pkcs11 (
-	SSL_CTX * const ssl_ctx,
-	bool pkcs11_id_management,
-	const char * const pkcs11_id
-) {
-	X509 *x509 = NULL;
-	RSA *rsa = NULL;
-	pkcs11h_certificate_id_t certificate_id = NULL;
-	pkcs11h_certificate_t certificate = NULL;
-	pkcs11h_openssl_session_t openssl_session = NULL;
-	CK_RV rv = CKR_OK;
-
-	bool ok = false;
-
-	ASSERT (ssl_ctx!=NULL);
-	ASSERT (pkcs11_id_management || pkcs11_id!=NULL);
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: SSL_CTX_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
-		(void *)ssl_ctx,
-		pkcs11_id_management ? 1 : 0,
-		pkcs11_id
-	);
-
-	if (pkcs11_id_management) {
-		struct user_pass id_resp;
-
-		CLEAR (id_resp);
-
-		id_resp.defined = false;
-		id_resp.nocache = true;
-		openvpn_snprintf (
-			id_resp.username,
-			sizeof (id_resp.username),
-			"Please specify PKCS#11 id to use"
-		);
-
-		if (
-			!get_user_pass (
-				&id_resp,
-				NULL,
-				"pkcs11-id-request",
-				GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
-			)
-		) {
-			goto cleanup;
-		}
-
-		if (
-			(rv = pkcs11h_certificate_deserializeCertificateId (
-				&certificate_id,
-				id_resp.password
-			)) != CKR_OK
-		) {
-			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup;
-		}
-	}
-	else {
-		if (
-			(rv = pkcs11h_certificate_deserializeCertificateId (
-				&certificate_id,
-				pkcs11_id
-			)) != CKR_OK
-		) {
-			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup;
-		}
-	}
-
-	if (
-		(rv = pkcs11h_certificate_create (
-			certificate_id,
-			NULL,
-			PKCS11H_PROMPT_MASK_ALLOW_ALL,
-			PKCS11H_PIN_CACHE_INFINITE,
-			&certificate
-		)) != CKR_OK
-	) {
-		msg (M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL	) {
-		msg (M_WARN, "PKCS#11: Cannot initialize openssl session");
-		goto cleanup;
-	}
-
-	/*
-	 * Will be released by openssl_session
-	 */
-	certificate = NULL;
-
-	if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
-		msg (M_WARN, "PKCS#11: Unable get rsa object");
-		goto cleanup;
-	}
-
-	if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
-		msg (M_WARN, "PKCS#11: Unable get certificate object");
-		goto cleanup;
-	}
-
-	if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
-		msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
-		goto cleanup;
-	}
-
-	if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
-		msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
-		goto cleanup;
-	}
-
-	ok = true;
-
-cleanup:
-	/*
-	 * openssl objects have reference
-	 * count, so release them
-	 */
-
-	if (x509 != NULL) {
-		X509_free (x509);
-		x509 = NULL;
-	}
-
-	if (rsa != NULL) {
-		RSA_free (rsa);
-		rsa = NULL;
-	}
-
-	if (certificate != NULL) {
-		pkcs11h_certificate_freeCertificate (certificate);
-		certificate = NULL;
-	}
-
-	if (certificate_id != NULL) {
-		pkcs11h_certificate_freeCertificateId (certificate_id);
-		certificate_id = NULL;
-	}
-	
-	if (openssl_session != NULL) {
-		pkcs11h_openssl_freeSession (openssl_session);
-		openssl_session = NULL;
-	}
-
-	dmsg (
-		D_PKCS11_DEBUG,
-		"PKCS#11: SSL_CTX_use_pkcs11 - return ok=%d, rv=%ld",
-		ok ? 1 : 0,
-		rv
-	);
-
-	return ok ? 1 : 0;
-}
-
-static
-bool
-_pkcs11_openvpn_show_pkcs11_ids_pin_prompt (
-	void * const global_data,
-	void * const user_data,
-	const pkcs11h_token_id_t token,
-	const unsigned retry,
-	char * const pin,
-	const size_t pin_max
-) {
-	struct gc_arena gc = gc_new ();
-	struct buffer pass_prompt = alloc_buf_gc (128, &gc);
-
-	(void)global_data;
-	(void)user_data;
-	(void)retry;
-
-	ASSERT (token!=NULL);
-
-	buf_printf (&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
-
-	if (!get_console_input (BSTR (&pass_prompt), false, pin, pin_max)) {
-		msg (M_FATAL, "Cannot read password from stdin");
-	}
-
-	gc_free (&gc);
-
-	if (!strcmp (pin, "cancel")) {
-		return FALSE;
-	}
-	else {
-		return TRUE;
-	}
-}
-
-void
-show_pkcs11_ids (
-	const char * const provider,
-	bool cert_private
-) {
-	pkcs11h_certificate_id_list_t user_certificates = NULL;
-	pkcs11h_certificate_id_list_t current = NULL;
-	CK_RV rv = CKR_FUNCTION_FAILED;
-
-	if ((rv = pkcs11h_initialize ()) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setLogHook (_pkcs11_openvpn_log, NULL)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	pkcs11h_setLogLevel (_pkcs11_msg_openvpn2pkcs11 (get_debug_level ()));
-
-	if ((rv = pkcs11h_setProtectedAuthentication (TRUE)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if ((rv = pkcs11h_setPINPromptHook (_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK) {
-		msg (M_FATAL, "PKCS#11: Cannot set PIN hook %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_addProvider (
-			provider,
-			provider,
-			TRUE,
-			0,
-			FALSE,
-			0,
-			cert_private ? TRUE : FALSE
-		)) != CKR_OK
-	) {
-		msg (M_FATAL, "PKCS#11: Cannot add provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	if (
-		(rv = pkcs11h_certificate_enumCertificateIds (
-			PKCS11H_ENUM_METHOD_CACHE_EXIST,
-			NULL,
-			PKCS11H_PROMPT_MASK_ALLOW_ALL,
-			NULL,
-			&user_certificates
-		)) != CKR_OK
-	) {
-		msg (M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage (rv));
-		goto cleanup;
-	}
-
-	msg (
-		M_INFO|M_NOPREFIX|M_NOLF,
-		(
-			"\n"
-			"The following objects are available for use.\n"
-			"Each object shown below may be used as parameter to\n"
-			"--pkcs11-id option please remember to use single quote mark.\n"
-		)
-	);
-	for (current = user_certificates;current != NULL; current = current->next) {
-		pkcs11h_certificate_t certificate = NULL;
-		X509 *x509 = NULL;
-		BIO *bio = NULL;
-		char dn[1024] = {0};
-		char serial[1024] = {0};
-		char *ser = NULL;
-		size_t ser_len = 0;
-		int n;
-
-		if (
-			(rv = pkcs11h_certificate_serializeCertificateId (
-				NULL,
-				&ser_len,
-				current->certificate_id
-			)) != CKR_OK
-		) {
-			msg (M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup1;
-		}
-
-		if (
-			rv == CKR_OK &&
-			(ser = (char *)malloc (ser_len)) == NULL
-		) {
-			msg (M_FATAL, "PKCS#11: Cannot allocate memory");
-			goto cleanup1;
-		}
-
-		if (
-			(rv = pkcs11h_certificate_serializeCertificateId (
-				ser,
-				&ser_len,
-				current->certificate_id
-			)) != CKR_OK
-		) {
-			msg (M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup1;
-		}
-
-		if (
-			(rv = pkcs11h_certificate_create (
-				current->certificate_id,
-				NULL,
-				PKCS11H_PROMPT_MASK_ALLOW_ALL,
-				PKCS11H_PIN_CACHE_INFINITE,
-				&certificate
-			))
-		) {
-			msg (M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup1;
-		}
-
-		if ((x509 = pkcs11h_openssl_getX509 (certificate)) == NULL) {
-			msg (M_FATAL, "PKCS#11: Cannot get X509");
-			goto cleanup1;
-		}
-
-		X509_NAME_oneline (
-			X509_get_subject_name (x509),
-			dn,
-			sizeof (dn)
-		);
-
-		if ((bio = BIO_new (BIO_s_mem ())) == NULL) {
-			msg (M_FATAL, "PKCS#11: Cannot create BIO");
-			goto cleanup1;
-		}
-
-		i2a_ASN1_INTEGER(bio, X509_get_serialNumber (x509));
-		n = BIO_read (bio, serial, sizeof (serial)-1);
-		if (n<0) {
-			serial[0] = '\x0';
-		}
-		else {
-			serial[n] = 0;
-		}
-
-		msg (
-			M_INFO|M_NOPREFIX|M_NOLF,
-			(
-				"\n"
-				"Certificate\n"
-				"       DN:             %s\n"
-				"       Serial:         %s\n"
-				"       Serialized id:  %s\n"
-			),
-			dn,
-			serial,
-			ser
-		);
-
-	cleanup1:
-		if (x509 != NULL) {
-			X509_free (x509);
-			x509 = NULL;
-		}
-
-		if (certificate != NULL) {
-			pkcs11h_certificate_freeCertificate (certificate);
-			certificate = NULL;
-		}
-
-		if (ser != NULL) {
-			free (ser);
-			ser = NULL;
-		}
-	}
-
-cleanup:
-	if (user_certificates != NULL) {
-		pkcs11h_certificate_freeCertificateIdList (user_certificates);
-		user_certificates = NULL;
-	}
-
-	pkcs11h_terminate ();
-}
-
-#else
-#ifdef _MSC_VER  /* Dummy function needed to avoid empty file compiler warning in Microsoft VC */
-static void dummy (void) {}
-#endif
-#endif /* ENABLE_PKCS11 */
author	Alberto Gonzalez Iniesta <agi@inittab.org>	2012-11-05 16:28:09 +0100
committer	Alberto Gonzalez Iniesta <agi@inittab.org>	2012-11-05 16:28:09 +0100
commit	8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (patch)
tree	566d0620eb693320cb121dfd93a5675fa704a30b /pkcs11.c
parent	349cfa7acb95abe865209a28e417ec74b56f9bba (diff)