OpenVPN
pkcs11.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #if defined(ENABLE_PKCS11)
31 
32 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
33 #include "basic.h"
34 #include "error.h"
35 #include "manage.h"
36 #include "base64.h"
37 #include "pkcs11.h"
38 #include "misc.h"
39 #include "otime.h"
40 #include "console.h"
41 #include "pkcs11_backend.h"
42 
43 static
44 time_t
45 __mytime(void)
46 {
47  return openvpn_time(NULL);
48 }
49 
50 #if !defined(_WIN32)
51 static
52 int
53 __mygettimeofday(struct timeval *tv)
54 {
55  return gettimeofday(tv, NULL);
56 }
57 #endif
58 
59 static
60 void
61 __mysleep(const unsigned long usec)
62 {
63 #if defined(_WIN32)
64  Sleep(usec/1000);
65 #else
66  usleep(usec);
67 #endif
68 }
69 
70 
71 static pkcs11h_engine_system_t s_pkcs11h_sys_engine = {
72  malloc,
73  free,
74  __mytime,
75  __mysleep,
76 #if defined(_WIN32)
77  NULL
78 #else
79  __mygettimeofday
80 #endif
81 };
82 
83 static
84 unsigned
85 _pkcs11_msg_pkcs112openvpn(
86  const unsigned flags
87  )
88 {
89  unsigned openvpn_flags;
90 
91  switch (flags)
92  {
93  case PKCS11H_LOG_DEBUG2:
94  openvpn_flags = D_PKCS11_DEBUG;
95  break;
96 
97  case PKCS11H_LOG_DEBUG1:
98  openvpn_flags = D_SHOW_PKCS11;
99  break;
100 
101  case PKCS11H_LOG_INFO:
102  openvpn_flags = M_INFO;
103  break;
104 
105  case PKCS11H_LOG_WARN:
106  openvpn_flags = M_WARN;
107  break;
108 
109  case PKCS11H_LOG_ERROR:
110  openvpn_flags = M_FATAL;
111  break;
112 
113  default:
114  openvpn_flags = M_FATAL;
115  break;
116  }
117 
118 #if defined(ENABLE_PKCS11_FORCE_DEBUG)
119  openvpn_flags = M_INFO;
120 #endif
121 
122  return openvpn_flags;
123 }
124 
125 static
126 unsigned
127 _pkcs11_msg_openvpn2pkcs11(
128  const unsigned flags
129  )
130 {
131  unsigned pkcs11_flags;
132 
133  if ((flags & D_PKCS11_DEBUG) != 0)
134  {
135  pkcs11_flags = PKCS11H_LOG_DEBUG2;
136  }
137  else if ((flags & D_SHOW_PKCS11) != 0)
138  {
139  pkcs11_flags = PKCS11H_LOG_DEBUG1;
140  }
141  else if ((flags & M_INFO) != 0)
142  {
143  pkcs11_flags = PKCS11H_LOG_INFO;
144  }
145  else if ((flags & M_WARN) != 0)
146  {
147  pkcs11_flags = PKCS11H_LOG_WARN;
148  }
149  else if ((flags & M_FATAL) != 0)
150  {
151  pkcs11_flags = PKCS11H_LOG_ERROR;
152  }
153  else
154  {
155  pkcs11_flags = PKCS11H_LOG_ERROR;
156  }
157 
158 #if defined(ENABLE_PKCS11_FORCE_DEBUG)
159  pkcs11_flags = PKCS11H_LOG_DEBUG2;
160 #endif
161 
162  return pkcs11_flags;
163 }
164 
165 static
166 void
167 _pkcs11_openvpn_log(
168  void *const global_data,
169  unsigned flags,
170  const char *const szFormat,
171  va_list args
172  )
173 {
174  char Buffer[10*1024];
175 
176  (void)global_data;
177 
178  vsnprintf(Buffer, sizeof(Buffer), szFormat, args);
179  Buffer[sizeof(Buffer)-1] = 0;
180 
181  msg(_pkcs11_msg_pkcs112openvpn(flags), "%s", Buffer);
182 }
183 
184 static
185 PKCS11H_BOOL
186 _pkcs11_openvpn_token_prompt(
187  void *const global_data,
188  void *const user_data,
189  const pkcs11h_token_id_t token,
190  const unsigned retry
191  )
192 {
193  struct user_pass token_resp;
194 
195  (void)global_data;
196  (void)user_data;
197  (void)retry;
198 
199  ASSERT(token!=NULL);
200 
201  CLEAR(token_resp);
202  token_resp.defined = false;
203  token_resp.nocache = true;
204  snprintf(
205  token_resp.username,
206  sizeof(token_resp.username),
207  "Please insert %s token",
208  token->label
209  );
210 
211  if (
212  !get_user_pass(
213  &token_resp,
214  NULL,
215  "token-insertion-request",
216  GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK|GET_USER_PASS_NOFATAL
217  )
218  )
219  {
220  return false;
221  }
222  else
223  {
224  return strcmp(token_resp.password, "ok") == 0;
225  }
226 }
227 
228 static
229 PKCS11H_BOOL
230 _pkcs11_openvpn_pin_prompt(
231  void *const global_data,
232  void *const user_data,
233  const pkcs11h_token_id_t token,
234  const unsigned retry,
235  char *const pin,
236  const size_t pin_max
237  )
238 {
239  struct user_pass token_pass;
240  char prompt[1024];
241  CLEAR(token_pass);
242 
243  (void)global_data;
244  (void)user_data;
245  (void)retry;
246 
247  ASSERT(token!=NULL);
248 
249  snprintf(prompt, sizeof(prompt), "%s token", token->label);
250 
251  token_pass.defined = false;
252  token_pass.nocache = true;
253 
254  if (
255  !get_user_pass(
256  &token_pass,
257  NULL,
258  prompt,
259  GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
260  )
261  )
262  {
263  return false;
264  }
265  else
266  {
267  strncpynt(pin, token_pass.password, pin_max);
268  purge_user_pass(&token_pass, true);
269 
270  if (strlen(pin) == 0)
271  {
272  return false;
273  }
274  else
275  {
276  return true;
277  }
278  }
279 }
280 
281 bool
282 pkcs11_initialize(
283  const bool protected_auth,
284  const int nPINCachePeriod
285  )
286 {
287  CK_RV rv = CKR_FUNCTION_FAILED;
288 
289  dmsg(
290  D_PKCS11_DEBUG,
291  "PKCS#11: pkcs11_initialize - entered"
292  );
293 
294  if ((rv = pkcs11h_engine_setSystem(&s_pkcs11h_sys_engine)) != CKR_OK)
295  {
296  msg(M_FATAL, "PKCS#11: Cannot initialize system engine %ld-'%s'", rv, pkcs11h_getMessage(rv));
297  goto cleanup;
298  }
299 
300  if ((rv = pkcs11h_initialize()) != CKR_OK)
301  {
302  msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
303  goto cleanup;
304  }
305 
306  if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
307  {
308  msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
309  goto cleanup;
310  }
311 
312  pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
313 
314  if ((rv = pkcs11h_setForkMode(FALSE)) != CKR_OK)
315  {
316  msg(M_FATAL, "PKCS#11: Cannot set fork mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
317  goto cleanup;
318  }
319 
320  if ((rv = pkcs11h_setTokenPromptHook(_pkcs11_openvpn_token_prompt, NULL)) != CKR_OK)
321  {
322  msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
323  goto cleanup;
324  }
325 
326  if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
327  {
328  msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
329  goto cleanup;
330  }
331 
332  if ((rv = pkcs11h_setProtectedAuthentication(protected_auth)) != CKR_OK)
333  {
334  msg(M_FATAL, "PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage(rv));
335  goto cleanup;
336  }
337 
338  if ((rv = pkcs11h_setPINCachePeriod(nPINCachePeriod)) != CKR_OK)
339  {
340  msg(M_FATAL, "PKCS#11: Cannot set Pcache period %ld-'%s'", rv, pkcs11h_getMessage(rv));
341  goto cleanup;
342  }
343 
344  rv = CKR_OK;
345 
346 cleanup:
347  dmsg(
348  D_PKCS11_DEBUG,
349  "PKCS#11: pkcs11_initialize - return %ld-'%s'",
350  rv,
351  pkcs11h_getMessage(rv)
352  );
353 
354  return rv == CKR_OK;
355 }
356 
357 void
358 pkcs11_terminate(void)
359 {
360  dmsg(
361  D_PKCS11_DEBUG,
362  "PKCS#11: pkcs11_terminate - entered"
363  );
364 
365  pkcs11h_terminate();
366 
367  dmsg(
368  D_PKCS11_DEBUG,
369  "PKCS#11: pkcs11_terminate - return"
370  );
371 }
372 
373 bool
374 pkcs11_addProvider(
375  const char *const provider,
376  const bool protected_auth,
377  const unsigned private_mode,
378  const bool cert_private
379  )
380 {
381  CK_RV rv = CKR_OK;
382 
383  ASSERT(provider!=NULL);
384 
385  dmsg(
386  D_PKCS11_DEBUG,
387  "PKCS#11: pkcs11_addProvider - entered - provider='%s', private_mode=%08x",
388  provider,
389  private_mode
390  );
391 
392  msg(
393  M_INFO,
394  "PKCS#11: Adding PKCS#11 provider '%s'",
395  provider
396  );
397 
398 #if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0))
399  if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK)
400  {
401  msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
402  }
403  else
404  {
405  PKCS11H_BOOL allow_protected_auth = protected_auth;
406  PKCS11H_BOOL cert_is_private = cert_private;
407 
408  rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOCATION, provider, strlen(provider) + 1);
409 
410  if (rv == CKR_OK)
411  {
412  rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_ALLOW_PROTECTED_AUTH, &allow_protected_auth, sizeof(allow_protected_auth));
413  }
414  if (rv == CKR_OK)
415  {
416  rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_MASK_PRIVATE_MODE, &private_mode, sizeof(private_mode));
417  }
418  if (rv == CKR_OK)
419  {
420  rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_CERT_IS_PRIVATE, &cert_is_private, sizeof(cert_is_private));
421  }
422 #if defined(WIN32) && defined(PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS)
423  if (rv == CKR_OK && platform_absolute_pathname(provider))
424  {
425  unsigned loader_flags = LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR;
426  rv = pkcs11h_setProviderProperty(provider, PKCS11H_PROVIDER_PROPERTY_LOADER_FLAGS, &loader_flags, sizeof(loader_flags));
427  }
428 #endif
429 
430  if (rv != CKR_OK || (rv = pkcs11h_initializeProvider(provider)) != CKR_OK)
431  {
432  msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
433  pkcs11h_removeProvider(provider);
434  }
435  }
436 #else /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
437  if (
438  (rv = pkcs11h_addProvider(
439  provider,
440  provider,
441  protected_auth,
442  private_mode,
443  PKCS11H_SLOTEVENT_METHOD_AUTO,
444  0,
445  cert_private
446  )) != CKR_OK
447  )
448  {
449  msg(M_WARN, "PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage(rv));
450  }
451 #endif /* if PKCS11H_VERSION >= ((1<<16) | (28<<8) | (0<<0)) */
452 
453  dmsg(
454  D_PKCS11_DEBUG,
455  "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
456  rv,
457  pkcs11h_getMessage(rv)
458  );
459 
460  return rv == CKR_OK;
461 }
462 
463 int
464 pkcs11_logout(void)
465 {
466  return pkcs11h_logout() == CKR_OK;
467 }
468 
469 int
470 pkcs11_management_id_count(void)
471 {
472  pkcs11h_certificate_id_list_t id_list = NULL;
473  pkcs11h_certificate_id_list_t t = NULL;
474  CK_RV rv = CKR_OK;
475  int count = 0;
476 
477  dmsg(
478  D_PKCS11_DEBUG,
479  "PKCS#11: pkcs11_management_id_count - entered"
480  );
481 
482  if (
483  (rv = pkcs11h_certificate_enumCertificateIds(
484  PKCS11H_ENUM_METHOD_CACHE_EXIST,
485  NULL,
486  PKCS11H_PROMPT_MASK_ALLOW_ALL,
487  NULL,
488  &id_list
489  )) != CKR_OK
490  )
491  {
492  msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
493  goto cleanup;
494  }
495 
496  for (count = 0, t = id_list; t != NULL; t = t->next)
497  {
498  count++;
499  }
500 
501 cleanup:
502 
503  pkcs11h_certificate_freeCertificateIdList(id_list);
504  id_list = NULL;
505 
506  dmsg(
507  D_PKCS11_DEBUG,
508  "PKCS#11: pkcs11_management_id_count - return count=%d",
509  count
510  );
511 
512  return count;
513 }
514 
515 bool
516 pkcs11_management_id_get(
517  const int index,
518  char **id,
519  char **base64
520  )
521 {
522  pkcs11h_certificate_id_list_t id_list = NULL;
523  pkcs11h_certificate_id_list_t entry = NULL;
524 #if 0 /* certificate_id seems to be unused -- JY */
525  pkcs11h_certificate_id_t certificate_id = NULL;
526 #endif
527  pkcs11h_certificate_t certificate = NULL;
528  CK_RV rv = CKR_OK;
529  unsigned char *certificate_blob = NULL;
530  size_t certificate_blob_size = 0;
531  size_t max;
532  char *internal_id = NULL;
533  char *internal_base64 = NULL;
534  int count = 0;
535  bool success = false;
536 
537  ASSERT(id!=NULL);
538  ASSERT(base64!=NULL);
539 
540  dmsg(
541  D_PKCS11_DEBUG,
542  "PKCS#11: pkcs11_management_id_get - entered index=%d",
543  index
544  );
545 
546  *id = NULL;
547  *base64 = NULL;
548 
549  if (
550  (rv = pkcs11h_certificate_enumCertificateIds(
551  PKCS11H_ENUM_METHOD_CACHE_EXIST,
552  NULL,
553  PKCS11H_PROMPT_MASK_ALLOW_ALL,
554  NULL,
555  &id_list
556  )) != CKR_OK
557  )
558  {
559  msg(M_WARN, "PKCS#11: Cannot get certificate list %ld-'%s'", rv, pkcs11h_getMessage(rv));
560  goto cleanup;
561  }
562 
563  entry = id_list;
564  count = 0;
565  while (entry != NULL && count != index)
566  {
567  count++;
568  entry = entry->next;
569  }
570 
571  if (entry == NULL)
572  {
573  dmsg(
574  D_PKCS11_DEBUG,
575  "PKCS#11: pkcs11_management_id_get - no certificate at index=%d",
576  index
577  );
578  goto cleanup;
579  }
580 
581  if (
582  (rv = pkcs11h_certificate_serializeCertificateId(
583  NULL,
584  &max,
585  entry->certificate_id
586  )) != CKR_OK
587  )
588  {
589  msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
590  goto cleanup;
591  }
592 
593  if ((internal_id = (char *)malloc(max)) == NULL)
594  {
595  msg(M_FATAL, "PKCS#11: Cannot allocate memory");
596  goto cleanup;
597  }
598 
599  if (
600  (rv = pkcs11h_certificate_serializeCertificateId(
601  internal_id,
602  &max,
603  entry->certificate_id
604  )) != CKR_OK
605  )
606  {
607  msg(M_WARN, "PKCS#11: Cannot serialize certificate id %ld-'%s'", rv, pkcs11h_getMessage(rv));
608  goto cleanup;
609  }
610 
611  if (
612  (rv = pkcs11h_certificate_create(
613  entry->certificate_id,
614  NULL,
615  PKCS11H_PROMPT_MASK_ALLOW_ALL,
616  PKCS11H_PIN_CACHE_INFINITE,
617  &certificate
618  )) != CKR_OK
619  )
620  {
621  msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
622  goto cleanup;
623  }
624 
625  if (
626  (rv = pkcs11h_certificate_getCertificateBlob(
627  certificate,
628  NULL,
629  &certificate_blob_size
630  )) != CKR_OK
631  )
632  {
633  msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
634  goto cleanup;
635  }
636 
637  if ((certificate_blob = (unsigned char *)malloc(certificate_blob_size)) == NULL)
638  {
639  msg(M_FATAL, "PKCS#11: Cannot allocate memory");
640  goto cleanup;
641  }
642 
643  if (
644  (rv = pkcs11h_certificate_getCertificateBlob(
645  certificate,
646  certificate_blob,
647  &certificate_blob_size
648  )) != CKR_OK
649  )
650  {
651  msg(M_WARN, "PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage(rv));
652  goto cleanup;
653  }
654 
655  if (openvpn_base64_encode(certificate_blob, certificate_blob_size, &internal_base64) == -1)
656  {
657  msg(M_WARN, "PKCS#11: Cannot encode certificate");
658  goto cleanup;
659  }
660 
661  *id = internal_id;
662  internal_id = NULL;
663  *base64 = internal_base64;
664  internal_base64 = NULL;
665  success = true;
666 
667 cleanup:
668 
669  pkcs11h_certificate_freeCertificateIdList(id_list);
670  id_list = NULL;
671 
672  free(internal_id);
673  internal_id = NULL;
674 
675  free(internal_base64);
676  internal_base64 = NULL;
677 
678  free(certificate_blob);
679  certificate_blob = NULL;
680 
681  dmsg(
682  D_PKCS11_DEBUG,
683  "PKCS#11: pkcs11_management_id_get - return success=%d, id='%s'",
684  success ? 1 : 0,
685  *id
686  );
687 
688  return success;
689 }
690 
691 int
692 tls_ctx_use_pkcs11(
693  struct tls_root_ctx *const ssl_ctx,
694  bool pkcs11_id_management,
695  const char *const pkcs11_id
696  )
697 {
698  pkcs11h_certificate_id_t certificate_id = NULL;
699  pkcs11h_certificate_t certificate = NULL;
700  CK_RV rv = CKR_OK;
701 
702  bool ok = false;
703 
704  ASSERT(ssl_ctx!=NULL);
705  ASSERT(pkcs11_id_management || pkcs11_id!=NULL);
706 
707  dmsg(
708  D_PKCS11_DEBUG,
709  "PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=%p, pkcs11_id_management=%d, pkcs11_id='%s'",
710  (void *)ssl_ctx,
711  pkcs11_id_management ? 1 : 0,
712  pkcs11_id
713  );
714 
715  if (pkcs11_id_management)
716  {
717  struct user_pass id_resp;
718 
719  CLEAR(id_resp);
720 
721  id_resp.defined = false;
722  id_resp.nocache = true;
723  snprintf(
724  id_resp.username,
725  sizeof(id_resp.username),
726  "Please specify PKCS#11 id to use"
727  );
728 
729  if (
730  !get_user_pass(
731  &id_resp,
732  NULL,
733  "pkcs11-id-request",
734  GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL
735  )
736  )
737  {
738  goto cleanup;
739  }
740 
741  if (
742  (rv = pkcs11h_certificate_deserializeCertificateId(
743  &certificate_id,
744  id_resp.password
745  )) != CKR_OK
746  )
747  {
748  msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
749  goto cleanup;
750  }
751  }
752  else
753  {
754  if (
755  (rv = pkcs11h_certificate_deserializeCertificateId(
756  &certificate_id,
757  pkcs11_id
758  )) != CKR_OK
759  )
760  {
761  msg(M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage(rv));
762  goto cleanup;
763  }
764  }
765 
766  if (
767  (rv = pkcs11h_certificate_create(
768  certificate_id,
769  NULL,
770  PKCS11H_PROMPT_MASK_ALLOW_ALL,
771  PKCS11H_PIN_CACHE_INFINITE,
772  &certificate
773  )) != CKR_OK
774  )
775  {
776  msg(M_WARN, "PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
777  goto cleanup;
778  }
779 
780  if (
781  (pkcs11_init_tls_session(
782  certificate,
783  ssl_ctx
784  ))
785  )
786  {
787  /* Handled by SSL context free */
788  certificate = NULL;
789  goto cleanup;
790  }
791 
792  /* Handled by SSL context free */
793  certificate = NULL;
794  ok = true;
795 
796 cleanup:
797  if (certificate != NULL)
798  {
799  pkcs11h_certificate_freeCertificate(certificate);
800  certificate = NULL;
801  }
802 
803  if (certificate_id != NULL)
804  {
805  pkcs11h_certificate_freeCertificateId(certificate_id);
806  certificate_id = NULL;
807  }
808 
809  dmsg(
810  D_PKCS11_DEBUG,
811  "PKCS#11: tls_ctx_use_pkcs11 - return ok=%d, rv=%ld",
812  ok ? 1 : 0,
813  rv
814  );
815 
816  return ok ? 1 : 0;
817 }
818 
819 static
820 PKCS11H_BOOL
821 _pkcs11_openvpn_show_pkcs11_ids_pin_prompt(
822  void *const global_data,
823  void *const user_data,
824  const pkcs11h_token_id_t token,
825  const unsigned retry,
826  char *const pin,
827  const size_t pin_max
828  )
829 {
830  struct gc_arena gc = gc_new();
831  struct buffer pass_prompt = alloc_buf_gc(128, &gc);
832 
833  (void)global_data;
834  (void)user_data;
835  (void)retry;
836 
837  ASSERT(token!=NULL);
838 
839  buf_printf(&pass_prompt, "Please enter '%s' token PIN or 'cancel': ", token->display);
840  if (!query_user_SINGLE(BSTR(&pass_prompt), BLEN(&pass_prompt),
841  pin, pin_max, false))
842  {
843  msg(M_FATAL, "Could not retrieve the PIN");
844  }
845 
846  gc_free(&gc);
847 
848  if (!strcmp(pin, "cancel"))
849  {
850  return FALSE;
851  }
852  else
853  {
854  return TRUE;
855  }
856 }
857 
858 void
859 show_pkcs11_ids(
860  const char *const provider,
861  bool cert_private
862  )
863 {
864  struct gc_arena gc = gc_new();
865  pkcs11h_certificate_id_list_t user_certificates = NULL;
866  pkcs11h_certificate_id_list_t current = NULL;
867  CK_RV rv = CKR_FUNCTION_FAILED;
868 
869  if ((rv = pkcs11h_initialize()) != CKR_OK)
870  {
871  msg(M_FATAL, "PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage(rv));
872  goto cleanup;
873  }
874 
875  if ((rv = pkcs11h_setLogHook(_pkcs11_openvpn_log, NULL)) != CKR_OK)
876  {
877  msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
878  goto cleanup;
879  }
880 
881  pkcs11h_setLogLevel(_pkcs11_msg_openvpn2pkcs11(get_debug_level()));
882 
883  if ((rv = pkcs11h_setProtectedAuthentication(TRUE)) != CKR_OK)
884  {
885  msg(M_FATAL, "PKCS#11: Cannot set protected authentication %ld-'%s'", rv, pkcs11h_getMessage(rv));
886  goto cleanup;
887  }
888 
889  if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_show_pkcs11_ids_pin_prompt, NULL)) != CKR_OK)
890  {
891  msg(M_FATAL, "PKCS#11: Cannot set PIN hook %ld-'%s'", rv, pkcs11h_getMessage(rv));
892  goto cleanup;
893  }
894 
895  if (!pkcs11_addProvider(provider, TRUE, 0, cert_private ? TRUE : FALSE))
896  {
897  msg(M_FATAL, "Failed to add PKCS#11 provider '%s", provider);
898  goto cleanup;
899  }
900 
901  if (
902  (rv = pkcs11h_certificate_enumCertificateIds(
903  PKCS11H_ENUM_METHOD_CACHE_EXIST,
904  NULL,
905  PKCS11H_PROMPT_MASK_ALLOW_ALL,
906  NULL,
907  &user_certificates
908  )) != CKR_OK
909  )
910  {
911  msg(M_FATAL, "PKCS#11: Cannot enumerate certificates %ld-'%s'", rv, pkcs11h_getMessage(rv));
912  goto cleanup;
913  }
914 
915  msg(
916  M_INFO|M_NOPREFIX|M_NOLF,
917  (
918  "\n"
919  "The following objects are available for use.\n"
920  "Each object shown below may be used as parameter to\n"
921  "--pkcs11-id option please remember to use single quote mark.\n"
922  )
923  );
924  for (current = user_certificates; current != NULL; current = current->next)
925  {
926  pkcs11h_certificate_t certificate = NULL;
927  char *dn = NULL;
928  char serial[1024] = {0};
929  char *ser = NULL;
930  size_t ser_len = 0;
931 
932  if (
933  (rv = pkcs11h_certificate_serializeCertificateId(
934  NULL,
935  &ser_len,
936  current->certificate_id
937  )) != CKR_OK
938  )
939  {
940  msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
941  goto cleanup1;
942  }
943 
944  if (
945  rv == CKR_OK
946  && (ser = (char *)malloc(ser_len)) == NULL
947  )
948  {
949  msg(M_FATAL, "PKCS#11: Cannot allocate memory");
950  goto cleanup1;
951  }
952 
953  if (
954  (rv = pkcs11h_certificate_serializeCertificateId(
955  ser,
956  &ser_len,
957  current->certificate_id
958  )) != CKR_OK
959  )
960  {
961  msg(M_FATAL, "PKCS#11: Cannot serialize certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
962  goto cleanup1;
963  }
964 
965  if (
966  (rv = pkcs11h_certificate_create(
967  current->certificate_id,
968  NULL,
969  PKCS11H_PROMPT_MASK_ALLOW_ALL,
970  PKCS11H_PIN_CACHE_INFINITE,
971  &certificate
972  ))
973  )
974  {
975  msg(M_FATAL, "PKCS#11: Cannot create certificate %ld-'%s'", rv, pkcs11h_getMessage(rv));
976  goto cleanup1;
977  }
978 
979  if (
980  (dn = pkcs11_certificate_dn(
981  certificate,
982  &gc
983  )) == NULL
984  )
985  {
986  goto cleanup1;
987  }
988 
989  if (
990  (pkcs11_certificate_serial(
991  certificate,
992  serial,
993  sizeof(serial)
994  ))
995  )
996  {
997  goto cleanup1;
998  }
999 
1000  msg(
1001  M_INFO|M_NOPREFIX|M_NOLF,
1002  (
1003  "\n"
1004  "Certificate\n"
1005  " DN: %s\n"
1006  " Serial: %s\n"
1007  " Serialized id: %s\n"
1008  ),
1009  dn,
1010  serial,
1011  ser
1012  );
1013 
1014 cleanup1:
1015 
1016  if (certificate != NULL)
1017  {
1018  pkcs11h_certificate_freeCertificate(certificate);
1019  certificate = NULL;
1020  }
1021 
1022  free(ser);
1023  ser = NULL;
1024  }
1025 
1026 cleanup:
1027  pkcs11h_certificate_freeCertificateIdList(user_certificates);
1028  user_certificates = NULL;
1029 
1030  pkcs11h_terminate();
1031  gc_free(&gc);
1032 }
1033 #endif /* ENABLE_PKCS11 */
M_INFO
#define M_INFO
Definition: errlevel.h:55
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
M_FATAL
#define M_FATAL
Definition: error.h:89
manage.h
BSTR
#define BSTR(buf)
Definition: buffer.h:129
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_base64_encode
int openvpn_base64_encode(const void *data, int size, char **str)
Definition: base64.c:52
D_SHOW_PKCS11
#define D_SHOW_PKCS11
Definition: errlevel.h:141
dmsg
#define dmsg(flags,...)
Definition: error.h:148
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
console.h
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:109
CLEAR
#define CLEAR(x)
Definition: basic.h:33
query_user_SINGLE
static bool query_user_SINGLE(char *prompt, size_t prompt_len, char *resp, size_t resp_len, bool echo)
A plain "make Gert happy" wrapper.
Definition: console.h:122
ASSERT
#define ASSERT(x)
Definition: error.h:195
BLEN
#define BLEN(buf)
Definition: buffer.h:127
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:485
platform_absolute_pathname
bool platform_absolute_pathname(const char *pathname)
Return true if pathname is absolute.
Definition: platform.c:641
misc.h
get_debug_level
int get_debug_level(void)
Definition: error.c:137
M_WARN
#define M_WARN
Definition: error.h:91
GET_USER_PASS_NOFATAL
#define GET_USER_PASS_NOFATAL
Definition: misc.h:113
pkcs11_backend.h
base64.h
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition: misc.h:150
D_PKCS11_DEBUG
#define D_PKCS11_DEBUG
Definition: errlevel.h:174
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
syshead.h
pkcs11.h
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
openvpn_time
static time_t openvpn_time(time_t *t)
Definition: otime.h:90
otime.h
tls_root_ctx
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:107
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:111
GET_USER_PASS_NEED_OK
#define GET_USER_PASS_NEED_OK
Definition: misc.h:112
config.h
M_NOLF
#define M_NOLF
Definition: error.h:101
user_pass
Definition: misc.h:56
GET_USER_PASS_NEED_STR
#define GET_USER_PASS_NEED_STR
Definition: misc.h:114
msg
#define msg(flags,...)
Definition: error.h:144
pkcs11_id_management
static bool pkcs11_id_management
Definition: test_pkcs11.c:136
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
gc
struct gc_arena gc
Definition: test_ssl.c:155
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:290
Generated by   doxygen 1.8.17