Do not query for CKA_ALWAYS_AUTHENTICATE if PKCS#11 Cryptoki version < 2.20

diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index e5af0c2..6f79268 100644 (file)
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -794,6 +794,7 @@ static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
        if (has_version(info, 2, 20))
        {
                this->features |= PKCS11_TRUSTED_CERTS;
        if (has_version(info, 2, 20))
        {
                this->features |= PKCS11_TRUSTED_CERTS;

+               this->features |= PKCS11_ALWAYS_AUTH_KEYS;

        }
 }
 
        }
 }
 

diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 33e5f97..abe0234 100644 (file)
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -35,6 +35,8 @@ typedef struct pkcs11_library_t pkcs11_library_t;
 enum pkcs11_feature_t {
        /** CKA_TRUSTED attribute supported for certificate objects */
        PKCS11_TRUSTED_CERTS = (1<<0),
 enum pkcs11_feature_t {
        /** CKA_TRUSTED attribute supported for certificate objects */
        PKCS11_TRUSTED_CERTS = (1<<0),

+       /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */
+       PKCS11_ALWAYS_AUTH_KEYS = (1<<1),

 };
 
 /**
 };
 
 /**

diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index cabca3f..1977204 100644 (file)
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -401,18 +401,24 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
        };
        CK_OBJECT_HANDLE object;
        CK_KEY_TYPE type;
        };
        CK_OBJECT_HANDLE object;
        CK_KEY_TYPE type;

-       CK_BBOOL reauth;
+       CK_BBOOL reauth = FALSE;

        CK_ATTRIBUTE attr[] = {
                {CKA_KEY_TYPE, &type, sizeof(type)},
        CK_ATTRIBUTE attr[] = {
                {CKA_KEY_TYPE, &type, sizeof(type)},

-               {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},

                {CKA_MODULUS, NULL, 0},
                {CKA_PUBLIC_EXPONENT, NULL, 0},
                {CKA_MODULUS, NULL, 0},
                {CKA_PUBLIC_EXPONENT, NULL, 0},

+               {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)},

        };
        enumerator_t *enumerator;
        chunk_t modulus, pubexp;
        };
        enumerator_t *enumerator;
        chunk_t modulus, pubexp;

+       int count = countof(attr);

 
 

+       /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */
+       if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS))
+       {
+               count--;
+       }

        enumerator = this->lib->create_object_enumerator(this->lib,
        enumerator = this->lib->create_object_enumerator(this->lib,

-                                               this->session, tmpl, countof(tmpl), attr, countof(attr));
+                                                       this->session, tmpl, countof(tmpl), attr, count);

        if (enumerator->enumerate(enumerator, &object))
        {
                switch (type)
        if (enumerator->enumerate(enumerator, &object))
        {
                switch (type)