Reuse generic passphrase build part, not a dedicated PIN part
authorMartin Willi <martin@revosec.ch>
Fri, 16 Jul 2010 08:12:22 +0000 (10:12 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 4 Aug 2010 07:26:20 +0000 (09:26 +0200)
src/libcharon/plugins/stroke/stroke_cred.c
src/libstrongswan/credentials/builder.c
src/libstrongswan/credentials/builder.h
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c

index 14f2214..d683afa 100644 (file)
@@ -929,7 +929,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                else if (match("PIN", &token))
                {
                        chunk_t sc = chunk_empty, secret = chunk_empty;
-                       char smartcard[64], keyid[64], pin[64], module[64], *pos;
+                       char smartcard[64], keyid[64], module[64], *pos;
                        private_key_t *key;
                        u_int slot;
                        enum {
@@ -997,8 +997,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
                                goto error;
                        }
-                       snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
-                       pin[sizeof(pin) - 1] = '\0';
 
                        switch (format)
                        {
@@ -1008,20 +1006,20 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                                                        BUILD_PKCS11_SLOT, slot,
                                                                        BUILD_PKCS11_MODULE, module,
                                                                        BUILD_PKCS11_KEYID, keyid,
-                                                                       BUILD_PKCS11_PIN, pin, BUILD_END);
+                                                                       BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                                case SC_FORMAT_SLOT_KEYID:
                                        key = lib->creds->create(lib->creds,
                                                                        CRED_PRIVATE_KEY, KEY_ANY,
                                                                        BUILD_PKCS11_SLOT, slot,
                                                                        BUILD_PKCS11_KEYID, keyid,
-                                                                       BUILD_PKCS11_PIN, pin, BUILD_END);
+                                                                       BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                                case SC_FORMAT_KEYID:
                                        key = lib->creds->create(lib->creds,
                                                                        CRED_PRIVATE_KEY, KEY_ANY,
                                                                        BUILD_PKCS11_KEYID, keyid,
-                                                                       BUILD_PKCS11_PIN, pin, BUILD_END);
+                                                                       BUILD_PASSPHRASE, secret, BUILD_END);
                                        break;
                        }
                        if (key)
@@ -1029,7 +1027,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
                                DBG1(DBG_CFG, "  loaded private key from %.*s", sc.len, sc.ptr);
                                this->private->insert_last(this->private, key);
                        }
-                       memset(pin, 0, sizeof(pin));
                        chunk_clear(&secret);
                }
                else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
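Review bot: With the `memset(pin, 0, sizeof(pin))` gone, `chunk_clear(&secret)` after the `if (key)` block is the only wipe of the PIN left in this function, and it sits on the success path only; the `goto error` taken on a malformed PIN earlier in the same function leaves it to code outside this hunk whether `secret` is cleared there as well, which is worth confirming now that the builder consumers receive the raw chunk. The declared `private_key_t *key;` has no initializer and the `switch (format)` has no `default`, so `if (key)` relies on `format` always matching one of the three cases; a `default: key = NULL; break;` or `private_key_t *key = NULL;` would make that explicit. load_secrets starts and ends outside the hunk.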
index 1fa1377..ab7f2b5 100644 (file)
@@ -48,7 +48,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
        "BUILD_PKCS11_MODULE",
        "BUILD_PKCS11_SLOT",
        "BUILD_PKCS11_KEYID",
-       "BUILD_PKCS11_PIN",
        "BUILD_RSA_MODULUS",
        "BUILD_RSA_PUB_EXP",
        "BUILD_RSA_PRIV_EXP",
index d13ada0..891c178 100644 (file)
@@ -57,7 +57,7 @@ enum builder_part_t {
        BUILD_BLOB_PGP,
        /** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
        BUILD_BLOB_DNSKEY,
-       /** passphrase for e.g. PEM decryption, chunk_t */
+       /** passphrase for e.g. PEM decryption, smartcard unlock, chunk_t */
        BUILD_PASSPHRASE,
        /** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
         *  The callback is invoked until the returned passphrase is accepted, or
@@ -109,8 +109,6 @@ enum builder_part_t {
        BUILD_PKCS11_SLOT,
        /** key ID of a key on a token, null terminated char* */
        BUILD_PKCS11_KEYID,
-       /** pin to access a token, null terminated char* */
-       BUILD_PKCS11_PIN,
        /** modulus (n) of a RSA key, chunk_t */
        BUILD_RSA_MODULUS,
        /** public exponent (e) of a RSA key, chunk_t */
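Review bot: The removed `BUILD_PKCS11_PIN` was documented as a null terminated `char*`, while `BUILD_PASSPHRASE` is a `chunk_t`, so the consumers that now take over the PIN must use `.len` and must not assume a terminator; the updated comment should say so, e.g. `/** passphrase for e.g. PEM decryption or smartcard unlock, chunk_t (not NUL-terminated) */`. Removing an enumerator from the middle of `builder_part_t` also renumbers every later `BUILD_*` value, which is fine in-tree but worth a line in the commit message for out-of-tree plugins built against the old header.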
index b7b6e79..d596fcf 100644 (file)
@@ -451,8 +451,9 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
 {
 #ifndef OPENSSL_NO_ENGINE
        private_openssl_rsa_private_key_t *this;
-       char *keyid = NULL, *pin = NULL, *engine_id = NULL;
-       char keyname[64];
+       char *keyid = NULL, *engine_id = NULL;
+       char keyname[64], pin[32];;
+       chunk_t secret = chunk_empty;
        EVP_PKEY *key;
        ENGINE *engine;
        int slot = -1;
@@ -464,8 +465,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
                        case BUILD_PKCS11_KEYID:
                                keyid = va_arg(args, char*);
                                continue;
-                       case BUILD_PKCS11_PIN:
-                               pin = va_arg(args, char*);
+                       case BUILD_PASSPHRASE:
+                               secret = va_arg(args, chunk_t);
                                continue;
                        case BUILD_PKCS11_SLOT:
                                slot = va_arg(args, int);
@@ -480,7 +481,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
                }
                break;
        }
-       if (!keyid || !pin)
+       if (!keyid || !secret.len || !secret.ptr)
        {
                return NULL;
        }
@@ -493,6 +494,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
        {
                snprintf(keyname, sizeof(keyname), "%d:%s", slot, keyid);
        }
+       snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
 
        if (!engine_id)
        {
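Review bot: The `snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr)` line silently truncates any PIN longer than 31 bytes (the stroke side used to hold 64), so a long PIN would be sent to the engine truncated rather than rejected; guard it with `if (secret.len >= sizeof(pin)) { return NULL; }` before the copy. If `chunk_t.len` is `size_t`, the `%.*s` precision argument also needs an `(int)` cast, since the precision is read as `int`. The stack copy in `pin[32]` is a second plaintext copy of the PIN that the visible lines never clear; the stroke caller's `memset` was dropped in this commit, so this function should wipe `pin` before every return (a plain `memset` before return may be elided by the compiler, use the library's wipe helper if it has one). `char keyname[64], pin[32];;` has a stray second semicolon. openssl_rsa_private_key_connect continues outside the hunk.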
index 576e2af..cce6afb 100644 (file)
@@ -276,10 +276,10 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
 pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 {
        private_pkcs11_private_key_t *this;
-       char *keyid = NULL, *pin = NULL, *module = NULL;
+       char *keyid = NULL, *module = NULL;
        int slot = -1;
        CK_RV rv;
-       chunk_t chunk;
+       chunk_t chunk, pin = chunk_empty;
 
        while (TRUE)
        {
@@ -288,8 +288,8 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                        case BUILD_PKCS11_KEYID:
                                keyid = va_arg(args, char*);
                                continue;
-                       case BUILD_PKCS11_PIN:
-                               pin = va_arg(args, char*);
+                       case BUILD_PASSPHRASE:
+                               pin = va_arg(args, chunk_t);
                                continue;
                        case BUILD_PKCS11_SLOT:
                                slot = va_arg(args, int);
@@ -304,7 +304,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
                }
                break;
        }
-       if (!keyid || !pin || !module || slot == -1)
+       if (!keyid || !pin.ptr || !pin.len || !module || slot == -1)
        {       /* we currently require all parameters, TODO: search for pubkeys */
                return NULL;
        }
@@ -347,7 +347,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
 
        this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
 
-       rv = this->lib->f->C_Login(this->session, CKU_USER, pin, strlen(pin));
+       rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
        if (rv != CKR_OK)
        {
                DBG1(DBG_CFG, "login to '%s':%d failed: %N",