6277N/AIn-house patch created to clear any merge conflicts from source in archive
6277N/Arepo to build properly on Solaris.
6277N/A #ifdef CACKEY_DEBUG_SEARCH_SPEEDTEST
6277N/A #define CK_DEFINE_FUNCTION(returnType, name) returnType name
6277N/A- * Include these source files in this translation unit so that we can bind to
6277N/A- * functions and not include any symbols in the output shared object.
6277N/A #ifndef CACKEY_CRYPTOKI_VERSION_CODE
6277N/A # define CACKEY_CRYPTOKI_VERSION_CODE 0x021e00
6277N/A #define GSCIS_INSTR_GET_CHALLENGE 0x84
6277N/A #define GSCIS_INSTR_INTERNAL_AUTH 0x88
6277N/A #define GSCIS_INSTR_VERIFY 0x20
6277N/A #define GSCIS_INSTR_CHANGE_REFERENCE 0x24
6277N/A #define GSCIS_INSTR_SIGN 0x2A
6277N/A #define GSCIS_INSTR_GET_PROP 0x56
6277N/A #define GSCIS_INSTR_GET_ACR 0x4C
6277N/A #define GSCIS_TAG_SECURITY_CODE 0x57
6277N/A #define GSCIS_TAG_CARDID_AID 0x58
6277N/A #define NISTSP800_73_3_INSTR_GET_DATA 0xCB
6277N/A #define NISTSP800_73_3_INSTR_GENAUTH 0x87
6277N/A /*** PKI Information - EF 7000 ***/
6277N/A #define GSCIS_TAG_CERTIFICATE 0x70
6277N/A #define GSCIS_TAG_CERT_ISSUE_DATE 0x71
6277N/A #define GSCIS_AID_CCC 0xA0, 0x00, 0x00, 0x01, 0x16, 0xDB, 0x00
6277N/A #define NISTSP800_73_3_PIV_AID 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00
6277N/A #define NISTSP800_73_3_OID_SIGNATURE 0x5F, 0xC1, 0x0A
6277N/A #define NISTSP800_73_3_OID_KEYMGT 0x5F, 0xC1, 0x0B
6277N/A #define NISTSP800_73_3_OID_CARDAUTH 0x5F, 0xC1, 0x01
6277N/A /* Maximum size of data portion of APDUs */
6277N/A /** Do not set this above 250 **/
6277N/A static time_t cackey_debug_start_time = 0;
6277N/A-# define CACKEY_DEBUG_PRINTTIME { if (cackey_debug_start_time == 0) { cackey_debug_start_time = time(NULL); }; fprintf(cackey_debug_fd(), "[%lu]: ", (unsigned long) (time(NULL) - cackey_debug_start_time)); }
6277N/A-# define CACKEY_DEBUG_PRINTTIME /**/
6277N/A-# define CACKEY_DEBUG_PRINTF(x...) { CACKEY_DEBUG_PRINTTIME; fprintf(cackey_debug_fd(), "%s():%i: ", __func__, __LINE__); fprintf(cackey_debug_fd(), x); fprintf(cackey_debug_fd(), "\n"); fflush(cackey_debug_fd()); }
6277N/A-# define CACKEY_DEBUG_PRINTBUF(f, x, y) { unsigned char *TMPBUF; unsigned long idx; TMPBUF = (unsigned char *) (x); CACKEY_DEBUG_PRINTTIME; fprintf(cackey_debug_fd(), "%s():%i: %s (%s/%lu = {%02x", __func__, __LINE__, f, #x, (unsigned long) (y), TMPBUF[0]); for (idx = 1; idx < (y); idx++) { fprintf(cackey_debug_fd(), ", %02x", TMPBUF[idx]); }; fprintf(cackey_debug_fd(), "})\n"); fflush(cackey_debug_fd()); }
6277N/A-# define CACKEY_DEBUG_PERROR(x) { fprintf(cackey_debug_fd(), "%s():%i: ", __func__, __LINE__); CACKEY_DEBUG_PRINTTIME; perror(x); fflush(cackey_debug_fd()); }
6277N/A-# define free(x) { CACKEY_DEBUG_PRINTF("FREE(%p) (%s)", x, #x); free(x); }
6277N/A static unsigned long CACKEY_DEBUG_GETTIME(void) {
6277N/A if (cackey_debug_start_time == 0) {
6277N/A cackey_debug_start_time = time(NULL);
6277N/A fflush(cackey_debug_fd()); \
6277N/A # define CACKEY_DEBUG_PRINTBUF(f, x, y) { \
6277N/A- static char buf_user[4096] = {0}, *buf_user_p, *buf_user_print; \
6277N/A+ static char buf_user[4096] = {0}, *buf_user_p; \
6277N/A unsigned long buf_user_size; \
6277N/A TMPBUF = (unsigned char *) (x); \
6277N/A buf_user_size = sizeof(buf_user); \
6277N/A- for (idx = 0; idx < (y); idx++) { \
6277N/A+ for (idx = 1; idx < (y); idx++) { \
6277N/A if (buf_user_size <= 0) { \
6277N/A buf_user_size -= snprintf_ret; \
6277N/A buf_user[sizeof(buf_user) - 1] = '\0'; \
6277N/A- buf_user_print = buf_user + 2; \
6277N/A- fprintf(cackey_debug_fd(), "[%lu]: %s():%i: %s (%s/%lu = {%s})\n", CACKEY_DEBUG_GETTIME(), __func__, __LINE__, f, #x, (unsigned long) (y), buf_user_print); \
6277N/A+ fprintf(cackey_debug_fd(), "[%lu]: %s():%i: %s (%s/%lu = {%02x%s})\n", CACKEY_DEBUG_GETTIME(), __func__, __LINE__, f, #x, (unsigned long) (y), TMPBUF[0], buf_user); \
6277N/A fflush(cackey_debug_fd()); \
6277N/A # define free(x) { CACKEY_DEBUG_PRINTF("FREE(%p) (%s)", (void *) x, #x); free(x); }
6277N/A static FILE *cackey_debug_fd(void) {
6277N/A #ifdef CACKEY_DEBUG_LOGFILE
6277N/A logfile = CACKEY_DEBUG_LOGFILE;
6277N/A CACKEY_DEBUG_PRINTF("Found log file: %s", logfile);
6277N/A CACKEY_DEBUG_PRINTF("Returning stderr");
6277N/A- CACKEY_DEBUG_PRINTF("Returning %p", fd);
6277N/A CACKEY_DEBUG_PRINTF("Returning %p", (void *) fd);
6277N/A- fprintf(cackey_debug_fd(), "%s():%i: ", func, line);
6277N/A- fprintf(cackey_debug_fd(), "MALLOC() = %p", retval);
6277N/A- fprintf(cackey_debug_fd(), "\n");
6277N/A fprintf(cackey_debug_fd(), "[%lu]: %s():%i: MALLOC() = %p\n", CACKEY_DEBUG_GETTIME(), func, line, retval);
6277N/A retval = realloc(ptr, size);
6277N/A- fprintf(cackey_debug_fd(), "%s():%i: ", func, line);
6277N/A- fprintf(cackey_debug_fd(), "REALLOC(%p) = %p", ptr, retval);
6277N/A- fprintf(cackey_debug_fd(), "\n");
6277N/A fprintf(cackey_debug_fd(), "[%lu]: %s():%i: REALLOC(%p) = %p\n", CACKEY_DEBUG_GETTIME(), func, line, ptr, retval);
6277N/A- fprintf(cackey_debug_fd(), "%s():%i: ", func, line);
6277N/A- fprintf(cackey_debug_fd(), "STRDUP_MALLOC() = %p", retval);
6277N/A- fprintf(cackey_debug_fd(), "\n");
6277N/A fprintf(cackey_debug_fd(), "[%lu]: %s():%i: STRDUP_MALLOC() = %p\n", CACKEY_DEBUG_GETTIME(), func, line, retval);
6277N/A # define CACKEY_DEBUG_PRINTF(x...) /**/
6277N/A # define CACKEY_DEBUG_PRINTBUF(f, x, y) /**/
6277N/A-# define CACKEY_DEBUG_PERROR(x) /**/
6277N/A # define CACKEY_DEBUG_FUNC_TAG_TO_STR(x) "DEBUG_DISABLED"
6277N/A # define CACKEY_DEBUG_FUNC_SCARDERR_TO_STR(x) "DEBUG_DISABLED"
6277N/A # define CACKEY_DEBUG_FUNC_OBJID_TO_STR(x) "DEBUG_DISABLED"
6277N/A # define CACKEY_DEBUG_FUNC_ATTRIBUTE_TO_STR(x) "DEBUG_DISABLED"
6277N/A-struct cackey_pcsc_identity {
6277N/A * Include these source files in this translation unit so that we can bind to
6277N/A * functions and not include any symbols in the output shared object.
6277N/A struct cackey_pcsc_identity {
6277N/A cackey_pcsc_id_type id_type;
6277N/A unsigned char *certificate;
6277N/A unsigned int cached_certs_count;
6277N/A struct cackey_pcsc_identity *cached_certs;
6277N/A CACKEY_PCSC_E_NEEDLOGIN = -4,
6277N/A CACKEY_PCSC_E_TOKENABSENT = -6,
6277N/A struct cackey_tlv_cardurl {
6277N/A-#define CACKEY_MACRO_DEFAULT_XSTR(str) CACKEY_MACRO_DEFAULT_STR(str)
6277N/A-#define CACKEY_MACRO_DEFAULT_STR(str) #str
6277N/A /* Protected Authentication Path command */
6277N/A+#define CACKEY_PIN_COMMAND_DEFAULT_XSTR(str) CACKEY_PIN_COMMAND_DEFAULT_STR(str)
6277N/A+#define CACKEY_PIN_COMMAND_DEFAULT_STR(str) #str
6277N/A static char *cackey_pin_command = NULL;
6277N/A-/* Reader Exclusion or Include-only */
6277N/A-static char *cackey_readers_include_only = NULL;
6277N/A-static char *cackey_readers_exclude = NULL;
6277N/A static LPSCARDCONTEXT cackey_pcsc_handle = NULL;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A for (idx = 0; idx < (sizeof(cackey_slots) / sizeof(cackey_slots[0])); idx++) {
6277N/A if (cackey_slots[idx].internal) {
6277N/A if (cackey_slots[idx].pcsc_card_connected) {
6277N/A CACKEY_DEBUG_PRINTF("SCardDisconnect(%lu) called", (unsigned long) idx);
6277N/A slot->pcsc_card_connected = 0;
6277N/A- slot->token_flags = CKF_LOGIN_REQUIRED;
6277N/A if (cackey_pin_command == NULL) {
6277N/A slot->token_flags = CKF_LOGIN_REQUIRED;
6277N/A CACKEY_DEBUG_PRINTF("Returning.");
6277N/A- * LONG cackey_reconnect_card(struct cackey_slot *slot, DWORD default_protocol, LPDWORD selected_protocol);
6277N/A * LONG cackey_reconnect_card(struct cackey_slot *slot, DWORD default_protocol);
6277N/A * Protocol to attempt first
6277N/A- * LPDWORD selected_protocol
6277N/A * The return value from SCardReconnect()
6277N/A-static LONG cackey_reconnect_card(struct cackey_slot *slot, DWORD default_protocol, LPDWORD selected_protocol) {
6277N/A- scard_conn_ret = SCardReconnect(slot->pcsc_card, SCARD_SHARE_SHARED, default_protocol, SCARD_RESET_CARD, selected_protocol);
6277N/A- if (scard_conn_ret == SCARD_E_PROTO_MISMATCH) {
6277N/A- CACKEY_DEBUG_PRINTF("SCardReconnect() returned SCARD_E_PROTO_MISMATCH, trying with just T=0")
6277N/A- scard_conn_ret = SCardReconnect(slot->pcsc_card, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0, SCARD_RESET_CARD, selected_protocol);
6277N/A- if (scard_conn_ret == SCARD_E_PROTO_MISMATCH) {
6277N/A- CACKEY_DEBUG_PRINTF("SCardReconnect() returned SCARD_E_PROTO_MISMATCH, trying with just T=1")
6277N/A- scard_conn_ret = SCardReconnect(slot->pcsc_card, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1, SCARD_RESET_CARD, selected_protocol);
6277N/A static LONG cackey_reconnect_card(struct cackey_slot *slot, DWORD default_protocol) {
6277N/A slot->protocol = selected_protocol;
6277N/A /* Connect to reader, if needed */
6277N/A if (!slot->pcsc_card_connected) {
6277N/A- CACKEY_DEBUG_PRINTF("SCardConnect(%s) called", slot->pcsc_reader);
6277N/A CACKEY_DEBUG_PRINTF("SCardConnect(%s) called for slot %p", slot->pcsc_reader, slot);
6277N/A scard_conn_ret = SCardConnect(*cackey_pcsc_handle, slot->pcsc_reader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &slot->pcsc_card, &protocol);
6277N/A if (scard_conn_ret == SCARD_E_PROTO_MISMATCH) {
6277N/A- scard_conn_ret = cackey_reconnect_card(slot, protocol, &protocol);
6277N/A scard_conn_ret = cackey_reconnect_card(slot, protocol);
6277N/A if (scard_conn_ret != SCARD_S_SUCCESS) {
6277N/A CACKEY_DEBUG_PRINTF("Returning in success");
6277N/A * CACKEY_PCSC_E_GENERIC On error
6277N/A * CACKEY_PCSC_E_TOKENABSENT If the sending failed because the token is
6277N/A- * CACKEY_PCSC_E_RETRY If something that looks retry'able went
6277N/A- * wrong -- try the whole transaction over
6277N/A * This function will connect to the
PC/SC Connection Manager via
6277N/A-static cackey_ret cackey_send_apdu(struct cackey_slot *slot, unsigned char class, unsigned char instruction, unsigned char p1, unsigned char p2, unsigned char lc, unsigned char *data, unsigned char le, uint16_t *respcode, unsigned char *respdata, size_t *respdata_len) {
6277N/A- uint8_t major_rc, minor_rc;
6277N/A- size_t bytes_to_copy, tmp_respdata_len;
6277N/A- LPCSCARD_IO_REQUEST pioSendPci;
6277N/A static cackey_ret cackey_send_apdu(struct cackey_slot *slot, unsigned char class, unsigned char instruction, unsigned char p1, unsigned char p2, unsigned int lc, unsigned char *data, unsigned int le, uint16_t *respcode, unsigned char *respdata, size_t *respdata_len) {
6277N/A uint8_t major_rc, minor_rc;
6277N/A size_t bytes_to_copy, tmp_respdata_len;
6277N/A LPCSCARD_IO_REQUEST pioSendPci;
6277N/A LONG scard_xmit_ret, scard_reconn_ret;
6277N/A BYTE xmit_buf[1024], recv_buf[1024];
6277N/A /* Determine which protocol to send using */
6277N/A CACKEY_DEBUG_PRINTF("Protocol to send datagram is T=0");
6277N/A CACKEY_DEBUG_PRINTF("Protocol to send datagram is T=1");
6277N/A- xmit_buf[xmit_len++] = lc;
6277N/A CACKEY_DEBUG_PRINTF("CAUTION! Using an Lc greater than 255 is untested. Lc = %u", lc);
6277N/A for (idx = 0; idx < lc; idx++) {
6277N/A xmit_buf[xmit_len++] = data[idx];
6277N/A- xmit_buf[xmit_len++] = le;
6277N/A CACKEY_DEBUG_PRINTF("CAUTION! Using an Le greater than 256 is untested. Le = %u", le);
6277N/A /* Begin Smartcard Transaction */
6277N/A cackey_begin_transaction(slot);
6277N/A- if (class == GSCIS_CLASS_ISO7816 && instruction == GSCIS_INSTR_VERIFY && p1 == 0x00 && p2 == 0x00) {
6277N/A if (class == GSCIS_CLASS_ISO7816 && (instruction == GSCIS_INSTR_VERIFY || instruction == GSCIS_INSTR_CHANGE_REFERENCE) && p1 == 0x00) {
6277N/A CACKEY_DEBUG_PRINTF("Sending APDU: <<censored>>");
6277N/A CACKEY_DEBUG_PRINTBUF("Sending APDU:", xmit_buf, xmit_len);
6277N/A /* Begin Smartcard Transaction */
6277N/A cackey_end_transaction(slot);
6277N/A cackey_reconnect_card(slot, slot->protocol);
6277N/A return(CACKEY_PCSC_E_RETRY);
6277N/A if (scard_xmit_ret == SCARD_W_RESET_CARD) {
6277N/A CACKEY_DEBUG_PRINTF("Reset required, please hold...");
6277N/A- scard_reconn_ret = cackey_reconnect_card(slot, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &protocol);
6277N/A- if (scard_reconn_ret == SCARD_S_SUCCESS) {
6277N/A- slot->protocol = protocol;
6277N/A scard_reconn_ret = cackey_reconnect_card(slot, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1);
6277N/A if (scard_reconn_ret == SCARD_S_SUCCESS) {
6277N/A /* End Smartcard Transaction */
6277N/A cackey_end_transaction(slot);
6277N/A return(CACKEY_PCSC_E_GENERIC);
6277N/A- /* Supply an invalid response code */
6277N/A- return(CACKEY_PCSC_E_NODATA);
6277N/A /* Determine result code */
6277N/A return(CACKEY_PCSC_E_GENERIC);
6277N/A static unsigned char *cackey_read_bertlv_tag(unsigned char *buffer, size_t *buffer_len_p, unsigned char tag, unsigned char *outbuffer, size_t *outbuffer_len_p) {
6277N/A size_t outbuffer_len, buffer_len;
6277N/A * ssize_t cackey_read_buffer(struct cackey_slot *slot, unsigned char *buffer, size_t count, unsigned char t_or_v, size_t initial_offset);
6277N/A static struct cackey_pcsc_identity *cackey_copy_certs(struct cackey_pcsc_identity *dest, struct cackey_pcsc_identity *start, size_t count) {
6277N/A static struct cackey_pcsc_identity *cackey_read_certs(struct cackey_slot *slot, struct cackey_pcsc_identity *certs, unsigned long *count) {
6277N/A struct cackey_pcsc_identity *curr_id;
6277N/A struct cackey_tlv_entity *ccc_tlv, *ccc_curr, *app_tlv, *app_curr;
6277N/A- unsigned char ccc_aid[] = {GSCIS_AID_CCC};
6277N/A- unsigned char curr_aid[7];
6277N/A- cackey_ret transaction_ret;
6277N/A unsigned char ccc_aid[] = {GSCIS_AID_CCC}, piv_aid[] = {NISTSP800_73_3_PIV_AID};
6277N/A unsigned char *piv_oid, piv_oid_pivauth[] = {NISTSP800_73_3_OID_PIVAUTH}, piv_oid_signature[] = {NISTSP800_73_3_OID_SIGNATURE}, piv_oid_keymgt[] = {NISTSP800_73_3_OID_KEYMGT};
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A /* Begin a SmartCard transaction */
6277N/A transaction_ret = cackey_begin_transaction(slot);
6277N/A if (transaction_ret != CACKEY_PCSC_S_OK) {
6277N/A certs = malloc(sizeof(*certs) * 5);
6277N/A /* Select the CCC Applet */
6277N/A send_ret = cackey_select_applet(slot, ccc_aid, sizeof(ccc_aid));
6277N/A if (send_ret != CACKEY_PCSC_S_OK) {
6277N/A- CACKEY_DEBUG_PRINTF("Unable to select CCC Applet, returning in failure");
6277N/A- /* Terminate SmartCard Transaction */
6277N/A- cackey_end_transaction(slot);
6277N/A- /* Read all the applets from the CCC's TLV */
6277N/A- ccc_tlv = cackey_read_tlv(slot);
6277N/A- /* Look for CARDURLs that coorespond to PKI applets */
6277N/A- for (ccc_curr = ccc_tlv; ccc_curr; ccc_curr = ccc_curr->_next) {
6277N/A- CACKEY_DEBUG_PRINTF("Found tag: %s ... ", CACKEY_DEBUG_FUNC_TAG_TO_STR(ccc_curr->tag));
6277N/A- if (ccc_curr->tag != GSCIS_TAG_CARDURL) {
6277N/A- CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CARDURLs)");
6277N/A- if ((ccc_curr->value_cardurl->apptype & CACKEY_TLV_APP_PKI) != CACKEY_TLV_APP_PKI) {
6277N/A- CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about PKI applets, this applet supports: %s/%02x)", CACKEY_DEBUG_FUNC_APPTYPE_TO_STR(ccc_curr->value_cardurl->apptype), (unsigned int) ccc_curr->value_cardurl->apptype);
6277N/A- CACKEY_DEBUG_PRINTBUF("RID:", ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid));
6277N/A- CACKEY_DEBUG_PRINTF("AppID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->appid), (unsigned long) ccc_curr->value_cardurl->appid);
6277N/A- CACKEY_DEBUG_PRINTF("ObjectID = %s/%04lx", CACKEY_DEBUG_FUNC_OBJID_TO_STR(ccc_curr->value_cardurl->objectid), (unsigned long) ccc_curr->value_cardurl->objectid);
6277N/A- memcpy(curr_aid, ccc_curr->value_cardurl->rid, sizeof(ccc_curr->value_cardurl->rid));
6277N/A- curr_aid[sizeof(curr_aid) - 2] = (ccc_curr->value_cardurl->appid >> 8) & 0xff;
6277N/A- curr_aid[sizeof(curr_aid) - 1] = ccc_curr->value_cardurl->appid & 0xff;
6277N/A- /* Select found applet ... */
6277N/A- select_ret = cackey_select_applet(slot, curr_aid, sizeof(curr_aid));
6277N/A- if (select_ret != CACKEY_PCSC_S_OK) {
6277N/A- CACKEY_DEBUG_PRINTF("Failed to select applet, skipping processing of this object");
6277N/A- /* ... and object (file) */
6277N/A- select_ret = cackey_select_file(slot, ccc_curr->value_cardurl->objectid);
6277N/A- if (select_ret != CACKEY_PCSC_S_OK) {
6277N/A- CACKEY_DEBUG_PRINTF("Failed to select file, skipping processing of this object");
6277N/A- /* Process this file's TLV looking for certificates */
6277N/A- app_tlv = cackey_read_tlv(slot);
6277N/A- for (app_curr = app_tlv; app_curr; app_curr = app_curr->_next) {
6277N/A- CACKEY_DEBUG_PRINTF("Found tag: %s", CACKEY_DEBUG_FUNC_TAG_TO_STR(app_curr->tag));
6277N/A- if (app_curr->tag != GSCIS_TAG_CERTIFICATE) {
6277N/A- CACKEY_DEBUG_PRINTF(" ... skipping it (we only care about CERTIFICATEs)");
6277N/A- /* Select the CCC Applet */
6277N/A- send_ret = cackey_select_applet(slot, ccc_aid, sizeof(ccc_aid));
6277N/A- if (send_ret != CACKEY_PCSC_S_OK) {
6277N/A send_ret = cackey_select_applet(slot, piv_aid, sizeof(piv_aid));
6277N/A if (send_ret == CACKEY_PCSC_S_OK) {
6277N/A /* Terminate SmartCard Transaction */
6277N/A cackey_end_transaction(slot);
6277N/A- certs = malloc(sizeof(*certs) * 5);
6277N/A for (idx = 0; idx < 3; idx++) {
6277N/A curr_id->certificate = NULL;
6277N/A- memcpy(curr_id->applet, curr_aid, sizeof(curr_id->applet));
6277N/A- curr_id->file = ccc_curr->value_cardurl->objectid;
6277N/A- CACKEY_DEBUG_PRINTF("Filling curr_id->applet (%p) with %lu bytes:", curr_id->applet, (unsigned long) sizeof(curr_id->applet));
6277N/A- CACKEY_DEBUG_PRINTBUF("VAL:", curr_id->applet, sizeof(curr_id->applet));
6277N/A- curr_id->certificate_len = app_curr->length;
6277N/A- curr_id->certificate = malloc(curr_id->certificate_len);
6277N/A- memcpy(curr_id->certificate, app_curr->value, curr_id->certificate_len);
6277N/A- certs = realloc(certs, sizeof(*certs) * (*count));
6277N/A if (curr_id->certificate_len > 4) {
6277N/A if (memcmp(curr_id->certificate, "\x1f\x8b\x08\x00", 4) == 0) {
6277N/A- certs = realloc(certs, sizeof(*certs) * (*count));
6277N/A certs = realloc(certs, sizeof(*certs) * (*count));
6277N/A slot->cached_certs = cackey_copy_certs(NULL, certs, *count);
6277N/A slot->cached_certs_count = *count;
6277N/A /* Terminate SmartCard Transaction */
6277N/A cackey_end_transaction(slot);
6277N/A static ssize_t cackey_signdecrypt(struct cackey_slot *slot, struct cackey_identity *identity, unsigned char *buf, size_t buflen, unsigned char *outbuf, size_t outbuflen, int padInput, int unpadOutput) {
6277N/A- unsigned char *tmpbuf, *tmpbuf_s, *outbuf_s;
6277N/A- unsigned char bytes_to_send, p1;
6277N/A cackey_pcsc_id_type id_type;
6277N/A unsigned char dyn_auth_template[10], *dyn_auth_tmpbuf;
6277N/A unsigned char *tmpbuf, *tmpbuf_s, *outbuf_s, *outbuf_p;
6277N/A unsigned char bytes_to_send, p1, class;
6277N/A ssize_t retval = 0, unpadoffset;
6277N/A- size_t tmpbuflen, padlen, tmpoutbuflen;
6277N/A size_t tmpbuflen, padlen, tmpoutbuflen, outbuf_len;
6277N/A id_type = identity->pcsc_identity->id_type;
6277N/A if (id_type == CACKEY_ID_TYPE_CERT_ONLY) {
6277N/A CACKEY_DEBUG_PRINTF("Error. identity->pcsc_identity is CACKEY_ID_TYPE_CERT_ONLY, which cannot be used for
sign/decrypt");
6277N/A /* Determine identity Key size */
6277N/A if (identity->pcsc_identity->keysize < 0) {
6277N/A identity->pcsc_identity->keysize = x509_to_keysize(identity->pcsc_identity->certificate, identity->pcsc_identity->certificate_len);
6277N/A if (identity->pcsc_identity->keysize > 0) {
6277N/A if (buflen != identity->pcsc_identity->keysize) {
6277N/A if (buflen > (identity->pcsc_identity->keysize + 3)) {
6277N/A- if (buflen > (identity->pcsc_identity->keysize - 3)) {
6277N/A padlen = tmpbuflen - buflen - 3;
6277N/A- CACKEY_DEBUG_PRINTF("Need to pad the buffer with %llu bytes (tmpbuflen = %llu, buflen = %llu)", (unsigned long long) padlen, (unsigned long long) tmpbuflen, (unsigned long long) buflen);
6277N/A /* RSA PKCS#1 EMSA-PKCS1-v1_5 Padding */
6277N/A cackey_begin_transaction(slot);
6277N/A /* Select correct applet */
6277N/A- CACKEY_DEBUG_PRINTF("Selecting applet found at %p ...", identity->pcsc_identity->applet);
6277N/A- cackey_select_applet(slot, identity->pcsc_identity->applet, sizeof(identity->pcsc_identity->applet));
6277N/A- cackey_select_file(slot, identity->pcsc_identity->file);
6277N/A case CACKEY_ID_TYPE_CERT_ONLY:
6277N/A- bytes_to_send = tmpbuflen;
6277N/A- send_ret = cackey_send_apdu(slot, GSCIS_CLASS_GLOBAL_PLATFORM, GSCIS_INSTR_SIGNDECRYPT, p1, 0x00, bytes_to_send, tmpbuf, le, &respcode, outbuf, &tmpoutbuflen);
6277N/A- if (send_ret != CACKEY_PCSC_S_OK) {
6277N/A- CACKEY_DEBUG_PRINTF("ADPU Sending Failed -- returning in error.");
6277N/A if (tmpbuflen > CACKEY_APDU_MTU) {
6277N/A if (send_ret != CACKEY_PCSC_S_OK) {
6277N/A cackey_end_transaction(slot);
6277N/A- CACKEY_DEBUG_PRINTF("Security status not satisified. Returning NEEDLOGIN");
6277N/A- cackey_mark_slot_reset(slot);
6277N/A if (send_ret == CACKEY_PCSC_E_RETRY) {
6277N/A CACKEY_DEBUG_PRINTF("ADPU Sending Failed -- retrying.");
6277N/A cackey_mark_slot_reset(slot);
6277N/A slot->token_flags = CKF_LOGIN_REQUIRED;
6277N/A return(CACKEY_PCSC_E_NEEDLOGIN);
6277N/A CACKEY_DEBUG_PRINTF("Token absent. Returning TOKENABSENT");
6277N/A cackey_mark_slot_reset(slot);
6277N/A- slot->token_flags = CKF_LOGIN_REQUIRED;
6277N/A return(CACKEY_PCSC_E_TOKENABSENT);
6277N/A- CACKEY_DEBUG_PRINTF("Something went wrong during signing, resetting the slot and hoping for the best.");
6277N/A- cackey_mark_slot_reset(slot);
6277N/A- return(CACKEY_PCSC_E_GENERIC);
6277N/A /* We must remove the "7C" tag to get to the signature */
6277N/A-static cackey_ret cackey_login(struct cackey_slot *slot, unsigned char *pin, unsigned long pin_len, int *tries_remaining_p) {
6277N/A- unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
6277N/A- /* Indicate that we do not know about how many tries are remaining */
6277N/A- /* Apparently, CAC PINs are *EXACTLY* 8 bytes long -- pad with 0xFF if too short */
6277N/A- memcpy(cac_pin, pin, pin_len);
6277N/A- send_ret = cackey_send_apdu(slot, GSCIS_CLASS_ISO7816, GSCIS_INSTR_VERIFY, 0x00, 0x00, sizeof(cac_pin), cac_pin, 0x00, &response_code, NULL, NULL);
6277N/A- if (send_ret != CACKEY_PCSC_S_OK) {
6277N/A- if ((response_code & 0x63C0) == 0x63C0) {
6277N/A- tries_remaining = (response_code & 0xF);
6277N/A- CACKEY_DEBUG_PRINTF("PIN Verification failed, %i tries remaining", tries_remaining);
6277N/A- *tries_remaining_p = tries_remaining;
6277N/A- return(CACKEY_PCSC_E_BADPIN);
6277N/A- if (response_code == 0x6983) {
6277N/A- CACKEY_DEBUG_PRINTF("PIN Verification failed, device is locked");
6277N/A- return(CACKEY_PCSC_E_LOCKED);
6277N/A- return(CACKEY_PCSC_E_GENERIC);
6277N/A- CACKEY_DEBUG_PRINTF("PIN Verification succeeded");
6277N/A-static cackey_ret cackey_token_present(struct cackey_slot *slot) {
6277N/A- cackey_ret pcsc_connect_ret;
6277N/A- DWORD reader_len, state, protocol, atr_len;
6277N/A static cackey_ret cackey_token_present(struct cackey_slot *slot) {
6277N/A cackey_ret pcsc_connect_ret;
6277N/A DWORD reader_len = 0, state = 0, protocol = 0, atr_len;
6277N/A LONG status_ret, scard_reconn_ret;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A CACKEY_DEBUG_PRINTF("Returning token present (internal token)");
6277N/A return(CACKEY_PCSC_S_TOKENPRESENT);
6277N/A pcsc_connect_ret = cackey_connect_card(slot);
6277N/A if (pcsc_connect_ret != CACKEY_PCSC_S_OK) {
6277N/A CACKEY_DEBUG_PRINTF("Unable to connect to card, returning token absent");
6277N/A return(CACKEY_PCSC_E_TOKENABSENT);
6277N/A CACKEY_DEBUG_PRINTF("Calling SCardStatus() to determine card status");
6277N/A status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len);
6277N/A return(CACKEY_PCSC_E_TOKENABSENT);
6277N/A CACKEY_DEBUG_PRINTF("Calling SCardStatus() again");
6277N/A status_ret = SCardStatus(slot->pcsc_card, NULL, &reader_len, &state, &protocol, atr, &atr_len);
6277N/A if (status_ret == SCARD_W_RESET_CARD) {
6277N/A CACKEY_DEBUG_PRINTF("Reset required, please hold...");
6277N/A- scard_reconn_ret = cackey_reconnect_card(slot, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, &protocol);
6277N/A- if (scard_reconn_ret == SCARD_S_SUCCESS) {
6277N/A- slot->protocol = protocol;
6277N/A scard_reconn_ret = cackey_reconnect_card(slot, SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1);
6277N/A if (scard_reconn_ret == SCARD_S_SUCCESS) {
6277N/A /* Re-establish transaction, if it was present */
6277N/A if (slot->transaction_depth > 0) {
6277N/A-static ssize_t cackey_pcsc_identity_to_label(struct cackey_pcsc_identity *identity, unsigned char *label_buf, unsigned long label_buf_len) {
6277N/A- unsigned long certificate_len;
6277N/A static cackey_ret cackey_set_pin(struct cackey_slot *slot, unsigned char *old_pin, unsigned long old_pin_len, unsigned char *pin, unsigned long pin_len) {
6277N/A struct cackey_pcsc_identity *pcsc_identities;
6277N/A unsigned char cac_pin[8] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
6277N/A CACKEY_DEBUG_PRINTF("PIN Change succeeded");
6277N/A- /* Disable a warning, since this is only used in debug mode */
6277N/A- tries_remaining = tries_remaining;
6277N/A if (response_code == 0x6d00) {
6277N/A+ if (have_piv == 1 && retries > 0) {
6277N/A CACKEY_DEBUG_PRINTF("Got ISO 7816 Response \"6D 00\" in response to a VERIFY request.");
6277N/A- CACKEY_DEBUG_PRINTF("We did not expect this because it is not mentioned in NIST SP 800-73-3 Part 2 Section 3.2.1 or GSC-IS v2.1");
6277N/A+ CACKEY_DEBUG_PRINTF("We did not expect this because it is not mentioned in NIST SP 800-73-3 Part 2 Section 3.2.1");
6277N/A CACKEY_DEBUG_PRINTF("We are going to try to reset the card and select the applet again.");
6277N/A cackey_mark_slot_reset(slot);
6277N/A static ssize_t cackey_pcsc_identity_to_label(struct cackey_pcsc_identity *identity, unsigned char *label_buf, unsigned long label_buf_len) {
6277N/A unsigned long certificate_len;
6277N/A CACKEY_DEBUG_PRINTF("Requesting attribute CKA_LABEL (0x%08lx) ...", (unsigned long) curr_attr_type);
6277N/A- ulValueLen = snprintf((char *) ucTmpBuf, sizeof(ucTmpBuf), "Identity #%lu", (unsigned long) identity_num);
6277N/A- if (ulValueLen >= sizeof(ucTmpBuf)) {
6277N/A if (identity->id_type == CACKEY_ID_TYPE_PIV) {
6277N/A ulValueLen = strlen(pValue);
6277N/A CACKEY_DEBUG_PRINTF(" ... returning (%p/%lu)", pValue, (unsigned long) ulValueLen);
6277N/A- CACKEY_DEBUG_PRINTF("Returning %lu objects (%p).", numattrs, retval);
6277N/A CACKEY_DEBUG_PRINTF("Returning %lu objects (%p).", numattrs, (void *) retval);
6277N/A static unsigned long cackey_read_dod_identities(struct cackey_identity *identities, unsigned long num_dod_certs) {
6277N/A unsigned long cert_idx, id_idx = 0;
6277N/A static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) {
6277N/A struct cackey_pcsc_identity *pcsc_identities;
6277N/A struct cackey_identity *identities;
6277N/A unsigned long num_ids, id_idx, curr_id_type;
6277N/A- unsigned long num_certs, num_extra_certs, cert_idx;
6277N/A- int include_extra_certs = 1;
6277N/A- CACKEY_DEBUG_PRINTF("Called.");
6277N/A- if (getenv("CACKEY_NO_EXTRA_CERTS") != NULL) {
6277N/A- CACKEY_DEBUG_PRINTF("Asked not to include extra (DoD) certificates");
6277N/A- if (include_extra_certs) {
6277N/A- num_extra_certs = sizeof(extra_certs) / sizeof(extra_certs[0]);
6277N/A- CACKEY_DEBUG_PRINTF("Including %i DoD Certificates as objects on this token", num_extra_certs);
6277N/A- CACKEY_DEBUG_PRINTF("Error. ids_found is NULL");
6277N/A unsigned long num_certs, num_dod_certs, cert_idx;
6277N/A int include_extra_certs = 0, include_dod_certs;
6277N/A pcsc_identities = cackey_read_certs(slot, NULL, &num_certs);
6277N/A if (pcsc_identities != NULL) {
6277N/A /* Convert number of Certs to number of objects */
6277N/A num_ids = (CKO_PRIVATE_KEY - CKO_CERTIFICATE + 1) * num_certs;
6277N/A- num_ids += num_extra_certs * 3;
6277N/A num_ids += cackey_read_dod_identities(NULL, num_dod_certs);
6277N/A identities = malloc(num_ids * sizeof(*identities));
6277N/A- cackey_free_certs(pcsc_identities, num_certs, 1);
6277N/A- /* Add DoD Certificates and Netscape Trust Objects */
6277N/A- for (cert_idx = 0; cert_idx < num_extra_certs; cert_idx++) {
6277N/A- identities[id_idx].pcsc_identity = NULL;
6277N/A- identities[id_idx].attributes = cackey_get_attributes(CKO_CERTIFICATE, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
6277N/A- identities[id_idx].pcsc_identity = NULL;
6277N/A- identities[id_idx].attributes = cackey_get_attributes(CKO_PUBLIC_KEY, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
6277N/A- identities[id_idx].pcsc_identity = NULL;
6277N/A- identities[id_idx].attributes = cackey_get_attributes(CKO_NETSCAPE_TRUST, &extra_certs[cert_idx], 0xf000 | cert_idx, &identities[id_idx].attributes_count);
6277N/A CACKEY_DEBUG_PRINTF("Including US Government Certificates on hardware slot");
6277N/A-CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) {
6277N/A- CK_C_INITIALIZE_ARGS CK_PTR args;
6277N/A static cackey_ret cackey_get_pin(char *pinbuf) {
6277N/A uint32_t idx, highest_slot;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A cackey_slots[idx].slot_reset = 0;
6277N/A cackey_slots[idx].token_flags = 0;
6277N/A cackey_slots[idx].label = NULL;
6277N/A cackey_slots[idx].internal = 0;
6277N/A cackey_slots[highest_slot].label = (unsigned char *) "US Government Certificates";
6277N/A cackey_slots[highest_slot].pcsc_reader = "CACKey";
6277N/A cackey_slots[highest_slot].token_flags = 0;
6277N/A /* Define a command to prompt user for a PIN */
6277N/A #ifdef CACKEY_PIN_COMMAND_DEFAULT
6277N/A- cackey_pin_command = strdup(CACKEY_MACRO_DEFAULT_XSTR(CACKEY_PIN_COMMAND_DEFAULT));
6277N/A+ cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_DEFAULT);
6277N/A #ifdef CACKEY_PIN_COMMAND_XONLY_DEFAULT
6277N/A if (getenv("DISPLAY") != NULL) {
6277N/A- cackey_pin_command = strdup(CACKEY_MACRO_DEFAULT_XSTR(CACKEY_PIN_COMMAND_XONLY_DEFAULT));
6277N/A+ cackey_pin_command = CACKEY_PIN_COMMAND_DEFAULT_XSTR(CACKEY_PIN_COMMAND_XONLY_DEFAULT);
6277N/A if (getenv("CACKEY_PIN_COMMAND") != NULL) {
6277N/A- cackey_pin_command = strdup(getenv("CACKEY_PIN_COMMAND"));
6277N/A+ cackey_pin_command = getenv("CACKEY_PIN_COMMAND");
6277N/A if (getenv("CACKEY_PIN_COMMAND_XONLY") != NULL && getenv("DISPLAY") != NULL) {
6277N/A- cackey_pin_command = strdup(getenv("CACKEY_PIN_COMMAND_XONLY"));
6277N/A+ cackey_pin_command = getenv("CACKEY_PIN_COMMAND_XONLY");
6277N/A-#ifdef CACKEY_READERS_INCLUDE_ONLY_DEFAULT
6277N/A- cackey_readers_include_only = strdup(CACKEY_MACRO_DEFAULT_XSTR(CACKEY_READERS_INCLUDE_ONLY_DEFAULT));
6277N/A-#ifdef CACKEY_READERS_EXCLUDE_DEFAULT
6277N/A- cackey_readers_exclude = strdup(CACKEY_MACRO_DEFAULT_XSTR(CACKEY_READERS_EXCLUDE_DEFAULT));
6277N/A- if (getenv("CACKEY_READERS_INCLUDE_ONLY") != NULL) {
6277N/A- cackey_readers_include_only = strdup(getenv("CACKEY_READERS_INCLUDE_ONLY"));
6277N/A- if (cackey_readers_include_only[0] == '\0') {
6277N/A- free(cackey_readers_include_only);
6277N/A- cackey_readers_include_only = NULL;
6277N/A- if (getenv("CACKEY_READERS_EXCLUDE") != NULL) {
6277N/A- cackey_readers_exclude = strdup(getenv("CACKEY_READERS_EXCLUDE"));
6277N/A- if (cackey_readers_exclude[0] == '\0') {
6277N/A- free(cackey_readers_exclude);
6277N/A- cackey_readers_exclude = NULL;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
6277N/A- cackey_slots_disconnect_all();
6277N/A- for (idx = 0; idx < (sizeof(cackey_slots) / sizeof(cackey_slots[0])); idx++) {
6277N/A- if (cackey_slots[idx].pcsc_reader) {
6277N/A- free(cackey_slots[idx].pcsc_reader);
6277N/A cackey_slots_disconnect_all();
6277N/A for (idx = 0; idx < (sizeof(cackey_slots) / sizeof(cackey_slots[0])); idx++) {
6277N/A- if (cackey_pin_command != NULL) {
6277N/A- cackey_pin_command = NULL;
6277N/A- if (cackey_readers_include_only != NULL) {
6277N/A- free(cackey_readers_include_only);
6277N/A- cackey_readers_include_only = NULL;
6277N/A- if (cackey_readers_exclude != NULL) {
6277N/A- free(cackey_readers_exclude);
6277N/A- cackey_readers_exclude = NULL;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
6277N/A * Process list of readers, and create mapping between reader name and slot ID
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
6277N/A- CK_ULONG count, slot_count = 0, currslot;
6277N/A- char *pcsc_readers, *pcsc_readers_s, *pcsc_readers_e;
6277N/A- LONG scard_listreaders_ret;
6277N/A CK_ULONG count, slot_count = 0, currslot, slot_idx;
6277N/A char *pcsc_readers, *pcsc_readers_s, *pcsc_readers_e;
6277N/A- char *reader_check_pattern;
6277N/A LONG scard_listreaders_ret;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A- CACKEY_DEBUG_PRINTF("Purging all slot information.");
6277N/A- /* Only update the list of slots if we are actually being supply the slot information */
6277N/A- cackey_slots_disconnect_all();
6277N/A- for (currslot = 0; currslot < (sizeof(cackey_slots) / sizeof(cackey_slots[0])); currslot++) {
6277N/A- if (cackey_slots[currslot].pcsc_reader) {
6277N/A- free(cackey_slots[currslot].pcsc_reader);
6277N/A- cackey_slots[currslot].pcsc_reader = NULL;
6277N/A- if (cackey_slots[currslot].label) {
6277N/A- free(cackey_slots[currslot].label);
6277N/A- cackey_slots[currslot].label = NULL;
6277N/A- cackey_slots[currslot].active = 0;
6277N/A /* Determine list of readers */
6277N/A pcsc_connect_ret = cackey_pcsc_connect();
6277N/A if (pcsc_connect_ret != CACKEY_PCSC_S_OK) {
6277N/A CACKEY_DEBUG_PRINTF("Connection to
PC/SC failed, assuming no slots");
6277N/A /* Start with Slot ID 1, to avoid a bug in GDM on RHEL */
6277N/A- while (pcsc_readers < pcsc_readers_e) {
6277N/A while (pcsc_readers < pcsc_readers_e) {
6277N/A /* Find next available slot */
6277N/A curr_reader_len = strlen(pcsc_readers);
6277N/A if ((pcsc_readers + curr_reader_len) > pcsc_readers_e) {
6277N/A- CACKEY_DEBUG_PRINTF("Found reader: %s", pcsc_readers);
6277N/A- /* Only update the list of slots if we are actually being asked supply the slot information */
6277N/A- cackey_slots[currslot].active = 1;
6277N/A- cackey_slots[currslot].pcsc_reader = strdup(pcsc_readers);
6277N/A- cackey_slots[currslot].pcsc_card_connected = 0;
6277N/A- cackey_slots[currslot].transaction_depth = 0;
6277N/A- cackey_slots[currslot].transaction_need_hw_lock = 0;
6277N/A- cackey_slots[currslot].slot_reset = 1;
6277N/A- cackey_slots[currslot].token_flags = CKF_LOGIN_REQUIRED;
6277N/A- cackey_slots[currslot].label = NULL;
6277N/A- cackey_mark_slot_reset(&cackey_slots[currslot]);
6277N/A CACKEY_DEBUG_PRINTF("Found reader: %s (currslot = %lu)", pcsc_readers, (unsigned long) currslot);
6277N/A- if (cackey_readers_include_only != NULL) {
6277N/A- CACKEY_DEBUG_PRINTF("Asked to include only readers matching: %s", cackey_readers_include_only);
6277N/A- reader_check_pattern = cackey_readers_include_only;
6277N/A- } else if (cackey_readers_exclude != NULL) {
6277N/A- CACKEY_DEBUG_PRINTF("Asked to exclude readers matching: %s", cackey_readers_exclude);
6277N/A- reader_check_pattern = cackey_readers_exclude;
6277N/A- reader_check_pattern = NULL;
6277N/A- if (reader_check_pattern != NULL) {
6277N/A- if (strstr(pcsc_readers, reader_check_pattern) != NULL) {
6277N/A- CACKEY_DEBUG_PRINTF("This reader matched the pattern.");
6277N/A- include_reader = !include_reader;
6277N/A- if (include_reader != 1) {
6277N/A- CACKEY_DEBUG_PRINTF("Skipping this reader.");
6277N/A- pcsc_readers += curr_reader_len + 1;
6277N/A /* Only update the list of slots if we are actually being asked supply the slot information */
6277N/A pcsc_readers += curr_reader_len + 1;
6277N/A- /* Start with Slot ID 1, to avoid a bug in GDM on RHEL */
6277N/A- /* Start with Slot ID 1, to avoid a bug in GDM on RHEL */
6277N/A- slot_count = currslot - 1;
6277N/A for (currslot = 0; currslot < (sizeof(cackey_slots) / sizeof(cackey_slots[0])); currslot++) {
6277N/A if (cackey_slots[currslot].active) {
6277N/A CACKEY_DEBUG_PRINTF("Found active slot %lu, reader = %s", (unsigned long) currslot, cackey_slots[currslot].pcsc_reader);
6277N/A CACKEY_DEBUG_PRINTF("Second call to SCardListReaders failed, return %s/%li", CACKEY_DEBUG_FUNC_SCARDERR_TO_STR(scard_listreaders_ret), (long) scard_listreaders_ret);
6277N/A CACKEY_DEBUG_PRINTF("Error. User allocated %lu entries, but we have %lu entries.", count, slot_count);
6277N/A- return(CKR_BUFFER_TOO_SMALL);
6277N/A- for (currslot = 0; currslot < slot_count; currslot++) {
6277N/A- /* Start with Slot ID 1, to avoid a bug in GDM on RHEL */
6277N/A- pSlotList[currslot] = currslot + 1;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_BUFFER_TOO_SMALL");
6277N/A return(CKR_BUFFER_TOO_SMALL);
6277N/A CACKEY_DEBUG_PRINTF("Error. Unlocking failed.");
6277N/A return(CKR_SLOT_ID_INVALID);
6277N/A- pInfo->flags = CKF_REMOVABLE_DEVICE | CKF_HW_SLOT;
6277N/A pInfo->flags = CKF_HW_SLOT;
6277N/A if (!cackey_slots[slotID].internal) {
6277N/A pInfo->flags |= CKF_REMOVABLE_DEVICE;
6277N/A if (cackey_token_present(&cackey_slots[slotID]) == CACKEY_PCSC_S_TOKENPRESENT) {
6277N/A pInfo->flags |= CKF_TOKEN_PRESENT;
6277N/A pInfo->flags = CKF_WRITE_PROTECTED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED | cackey_slots[slotID].token_flags;
6277N/A if (cackey_pin_command != NULL) {
6277N/A pInfo->flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
6277N/A pInfo->ulMaxSessionCount = (sizeof(cackey_sessions) / sizeof(cackey_sessions[0])) - 1;
6277N/A pInfo->ulSessionCount = CK_UNAVAILABLE_INFORMATION;
6277N/A pInfo->ulMaxRwSessionCount = 0;
6277N/A return(CKR_TOKEN_WRITE_PROTECTED);
6277N/A-/* We don't support this method. */
6277N/A-CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) {
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_SetPIN)(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) {
6277N/A char oldpinbuf[64], newpinbuf[64];
6277N/A cackey_ret set_pin_ret, get_pin_ret;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A return(CKR_CRYPTOKI_NOT_INITIALIZED);
6277N/A- CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED);
6277N/A- return(CKR_FUNCTION_NOT_SUPPORTED);
6277N/A mutex_retval = cackey_mutex_lock(cackey_biglock);
6277N/A CACKEY_DEBUG_PRINTF("Error. Locking failed.");
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication, CK_NOTIFY notify, CK_SESSION_HANDLE_PTR phSession) {
6277N/A return(CKR_FUNCTION_NOT_SUPPORTED);
6277N/A-CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
6277N/A CK_DEFINE_FUNCTION(CK_RV, _C_LoginMutexArg)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, int lock_mutex) {
6277N/A return(CKR_USER_TYPE_INVALID);
6277N/A- mutex_retval = cackey_mutex_lock(cackey_biglock);
6277N/A- CACKEY_DEBUG_PRINTF("Error. Locking failed.");
6277N/A- return(CKR_GENERAL_ERROR);
6277N/A- if (!cackey_sessions[hSession].active) {
6277N/A- cackey_mutex_unlock(cackey_biglock);
6277N/A mutex_retval = cackey_mutex_lock(cackey_biglock);
6277N/A cackey_mutex_unlock(cackey_biglock);
6277N/A CACKEY_DEBUG_PRINTF("Error. Session not active.");
6277N/A if (slotID < 0 || slotID >= (sizeof(cackey_slots) / sizeof(cackey_slots[0]))) {
6277N/A CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), outside of valid range", slotID);
6277N/A cackey_mutex_unlock(cackey_biglock);
6277N/A if (cackey_slots[slotID].active == 0) {
6277N/A CACKEY_DEBUG_PRINTF("Error. Invalid slot requested (%lu), slot not currently active", slotID);
6277N/A- cackey_mutex_unlock(cackey_biglock);
6277N/A cackey_mutex_unlock(cackey_biglock);
6277N/A- login_ret = cackey_login(&cackey_slots[slotID], pPin, ulPinLen, &tries_remaining);
6277N/A- if (login_ret != CACKEY_PCSC_S_OK) {
6277N/A- cackey_mutex_unlock(cackey_biglock);
6277N/A if (cackey_pin_command != NULL) {
6277N/A CACKEY_DEBUG_PRINTF("Protected authentication path in effect and PIN provided !?");
6277N/A cackey_mutex_unlock(cackey_biglock);
6277N/A if (login_ret == CACKEY_PCSC_E_LOCKED) {
6277N/A CACKEY_DEBUG_PRINTF("Error. Token is locked.");
6277N/A cackey_slots[slotID].token_flags |= CKF_USER_PIN_LOCKED;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_PIN_LOCKED (%i)", (int) CKR_PIN_LOCKED);
6277N/A } else if (login_ret == CACKEY_PCSC_E_BADPIN) {
6277N/A CACKEY_DEBUG_PRINTF("Error. Invalid PIN.");
6277N/A cackey_slots[slotID].token_flags |= CKF_USER_PIN_FINAL_TRY;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_PIN_INCORRECT (%i)", (int) CKR_PIN_INCORRECT);
6277N/A cackey_sessions[hSession].state = CKS_RO_USER_FUNCTIONS;
6277N/A- mutex_retval = cackey_mutex_unlock(cackey_biglock);
6277N/A- CACKEY_DEBUG_PRINTF("Error. Unlocking failed.");
6277N/A- return(CKR_GENERAL_ERROR);
6277N/A mutex_retval = cackey_mutex_unlock(cackey_biglock);
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
6277N/A return(_C_LoginMutexArg(hSession, userType, pPin, ulPinLen, 1));
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_Logout)(CK_SESSION_HANDLE hSession) {
6277N/A cackey_sessions[hSession].state = CKS_RO_PUBLIC_SESSION;
6277N/A- cackey_slots[slotID].token_flags = CKF_LOGIN_REQUIRED;
6277N/A if (cackey_pin_command == NULL) {
6277N/A cackey_slots[slotID].token_flags = CKF_LOGIN_REQUIRED;
6277N/A cackey_slots[slotID].token_flags = 0;
6277N/A mutex_retval = cackey_mutex_unlock(cackey_biglock);
6277N/A CK_ULONG curr_id_idx, curr_out_id_idx, curr_attr_idx, sess_attr_idx;
6277N/A CK_ULONG matched_count, prev_matched_count;
6277N/A #ifdef CACKEY_DEBUG_SEARCH_SPEEDTEST
6277N/A uint64_t start_int, end_int;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A return(CKR_OPERATION_NOT_INITIALIZED);
6277N/A #ifdef CACKEY_DEBUG_SEARCH_SPEEDTEST
6277N/A gettimeofday(&start, NULL);
6277N/A for (curr_id_idx = cackey_sessions[hSession].search_curr_id; curr_id_idx < cackey_sessions[hSession].identities_count && ulMaxObjectCount; curr_id_idx++) {
6277N/A curr_id = &cackey_sessions[hSession].identities[curr_id_idx];
6277N/A cackey_sessions[hSession].search_curr_id = curr_id_idx;
6277N/A *pulObjectCount = curr_out_id_idx;
6277N/A #ifdef CACKEY_DEBUG_SEARCH_SPEEDTEST
6277N/A fprintf(stderr, "Search took %lu microseconds\n", (unsigned long) (end_int - start_int));
6277N/A mutex_retval = cackey_mutex_unlock(cackey_biglock);
6277N/A CACKEY_DEBUG_PRINTF("Error. Unlocking failed.");
6277N/A buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1);
6277N/A if (buflen == CACKEY_PCSC_E_NEEDLOGIN && cackey_pin_command != NULL) {
6277N/A if (_C_LoginMutexArg(hSession, CKU_USER, NULL, 0, 0) == CKR_OK) {
6277N/A buflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].decrypt_identity, pEncryptedPart, ulEncryptedPartLen, buf, sizeof(buf), 0, 1);
6277N/A if (buflen == CACKEY_PCSC_E_NEEDLOGIN) {
6277N/A } else if (buflen == CACKEY_PCSC_E_TOKENABSENT) {
6277N/A retval = CKR_DEVICE_REMOVED;
6277N/A CACKEY_DEBUG_PRINTF("Failed to send APDU, error = %li", (long int) buflen);
6277N/A retval = CKR_GENERAL_ERROR;
6277N/A } else if (((unsigned long) buflen) > *pulPartLen && pPart) {
6277N/A cackey_sessions[hSession].sign_bufused = 0;
6277N/A cackey_sessions[hSession].sign_buf = malloc(sizeof(*cackey_sessions[hSession].sign_buf) * cackey_sessions[hSession].sign_buflen);
6277N/A- CACKEY_DEBUG_PRINTF("Session %lu sign_identity is %p (identity #%lu)", (unsigned long) hSession, &cackey_sessions[hSession].identities[hKey], (unsigned long) hKey);
6277N/A CACKEY_DEBUG_PRINTF("Session %lu sign_identity is %p (identity #%lu)", (unsigned long) hSession, (void *) &cackey_sessions[hSession].identities[hKey], (unsigned long) hKey);
6277N/A cackey_sessions[hSession].sign_identity = &cackey_sessions[hSession].identities[hKey];
6277N/A mutex_retval = cackey_mutex_unlock(cackey_biglock);
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_SignUpdate)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) {
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A switch (cackey_sessions[hSession].sign_mechanism) {
6277N/A if ((cackey_sessions[hSession].sign_bufused + ulPartLen) > cackey_sessions[hSession].sign_buflen) {
6277N/A- for (resizeRetry = 0; resizeRetry < 11; resizeRetry++) {
6277N/A- if ((cackey_sessions[hSession].sign_bufused + ulPartLen) > cackey_sessions[hSession].sign_buflen) {
6277N/A- CACKEY_DEBUG_PRINTF("Resizing signing buffer (try #%i of 10 -- 11th is fatal)", resizeRetry);
6277N/A- free(cackey_sessions[hSession].sign_buf);
6277N/A- cackey_sessions[hSession].sign_buflen = 0;
6277N/A- cackey_sessions[hSession].sign_buf = NULL;
6277N/A cackey_sessions[hSession].sign_buflen *= 2;
6277N/A cackey_sessions[hSession].sign_buf = realloc(cackey_sessions[hSession].sign_buf, sizeof(*cackey_sessions[hSession].sign_buf) * cackey_sessions[hSession].sign_buflen);
6277N/A- if (cackey_sessions[hSession].sign_buf == NULL) {
6277N/A- cackey_mutex_unlock(cackey_biglock);
6277N/A- CACKEY_DEBUG_PRINTF("Error. Signing buffer is NULL.");
6277N/A- return(CKR_GENERAL_ERROR);
6277N/A memcpy(cackey_sessions[hSession].sign_buf + cackey_sessions[hSession].sign_bufused, pPart, ulPartLen);
6277N/A cackey_sessions[hSession].sign_bufused += ulPartLen;
6277N/A switch (cackey_sessions[hSession].sign_mechanism) {
6277N/A- CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", cackey_sessions[hSession].sign_identity, (unsigned long) hSession);
6277N/A- sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0);
6277N/A CACKEY_DEBUG_PRINTF("Asking to sign from identity %p in session %lu", (void *) cackey_sessions[hSession].sign_identity, (unsigned long) hSession);
6277N/A sigbuflen = cackey_signdecrypt(&cackey_slots[slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_bufused, sigbuf, sizeof(sigbuf), 1, 0);
6277N/A if (sigbuflen == CACKEY_PCSC_E_NEEDLOGIN) {
6277N/A CK_DEFINE_FUNCTION(CK_RV, C_GetFunctionList)(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) {
6277N/A- static CK_FUNCTION_LIST_PTR spFunctionList = NULL;
6277N/A CK_FUNCTION_LIST_PTR pFunctionList;
6277N/A CACKEY_DEBUG_PRINTF("Called.");
6277N/A- if (spFunctionList != NULL) {
6277N/A- *ppFunctionList = spFunctionList;
6277N/A- CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);
6277N/A pFunctionList = malloc(sizeof(*pFunctionList));
6277N/A pFunctionList->C_CancelFunction = C_CancelFunction;
6277N/A pFunctionList->C_GetFunctionList = C_GetFunctionList;
6277N/A- spFunctionList = pFunctionList;
6277N/A *ppFunctionList = pFunctionList;
6277N/A CACKEY_DEBUG_PRINTF("Returning CKR_OK (%i)", CKR_OK);