aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2006-06-13 17:02:28 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2006-06-13 17:02:28 +0000
commit14a4962ab06743b36481aca9481758a3dd92b035 (patch)
tree18e18f55f585a6d7b4a089b9eded04debb8e1c3e
parentAdded optional minimum-number-of-bytes (diff)
downloadopenvpn-14a4962ab06743b36481aca9481758a3dd92b035.tar.xz
-r 1026:1032
https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn Changes: 1. Updated makefile.w32-vc to include lladdr.*, updated linkage libraries. 2. Modified lladdr.c to be compiled under visual C. 3. Added retry counter to PKCS#11 PIN hook. 4. Modified PKCS#11 PIN retry loop to return correct error code when PIN is incorrect. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1038 e7ae566f-a301-0410-adde-c780ea21d3b5
-rw-r--r--lladdr.c3
-rw-r--r--makefile.w32-vc4
-rw-r--r--pkcs11-helper.c89
-rw-r--r--pkcs11-helper.h6
-rw-r--r--pkcs11.c6
5 files changed, 79 insertions, 29 deletions
diff --git a/lladdr.c b/lladdr.c
index d6fb0a6..1f02ba4 100644
--- a/lladdr.c
+++ b/lladdr.c
@@ -16,6 +16,7 @@ int set_lladdr(const char *ifname, const char *lladdr,
const struct env_set *es)
{
char cmd[256];
+ int r;
if (!ifname || !lladdr)
return -1;
@@ -51,7 +52,7 @@ int set_lladdr(const char *ifname, const char *lladdr,
return -1;
#endif
- int r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address.");
+ r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address.");
if (r)
msg (M_INFO, "TUN/TAP link layer address set to %s", lladdr);
return r;
diff --git a/makefile.w32-vc b/makefile.w32-vc
index f92dbb3..d3dac0b 100644
--- a/makefile.w32-vc
+++ b/makefile.w32-vc
@@ -24,7 +24,7 @@ LZO = \src\lzo-1.08.vc
INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include
-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib gdi32.lib advapi32.lib wininet.lib
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib
LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO)
@@ -108,6 +108,7 @@ HEADERS = \
syshead.h \
thread.h \
tun.h \
+ lladdr.h \
win32.h
OBJS = base64.obj \
@@ -160,6 +161,7 @@ OBJS = base64.obj \
status.obj \
thread.obj \
tun.obj \
+ lladdr.obj \
win32.obj
dynamic : $(OBJS)
diff --git a/pkcs11-helper.c b/pkcs11-helper.c
index c6ef79d..99a67e2 100644
--- a/pkcs11-helper.c
+++ b/pkcs11-helper.c
@@ -56,6 +56,15 @@
*
*/
+/*
+ * Changelog
+ *
+ * 2006.05.14
+ * - (alonbl) First stable release.
+ * - (alonbl) Release 01.00.
+ *
+ */
+
#include "pkcs11-helper-config.h"
#if defined(ENABLE_PKCS11H_HELPER)
@@ -268,7 +277,7 @@ struct pkcs11h_data_s {
} hooks;
PKCS11H_BOOL fProtectedAuthentication;
- int nMaxLoginRetries;
+ unsigned nMaxLoginRetries;
#if defined(ENABLE_PKCS11H_THREADING)
pkcs11h_mutex_t mutexGlobal;
@@ -517,7 +526,8 @@ static
PKCS11H_BOOL
_pkcs11h_hooks_default_token_prompt (
IN const void * pData,
- IN const pkcs11h_token_id_t token
+ IN const pkcs11h_token_id_t token,
+ IN const unsigned retry
);
static
@@ -525,6 +535,7 @@ PKCS11H_BOOL
_pkcs11h_hooks_default_pin_prompt (
IN const void * pData,
IN const pkcs11h_token_id_t token,
+ IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
);
@@ -1189,7 +1200,7 @@ pkcs11h_setPINCachePeriod (
CK_RV
pkcs11h_setMaxLoginRetries (
- IN const int nMaxLoginRetries
+ IN const unsigned nMaxLoginRetries
) {
PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
PKCS11H_ASSERT (s_pkcs11h_data->fInitialized);
@@ -2974,6 +2985,8 @@ _pkcs11h_resetSession (
CK_RV rv = CKR_OK;
+ unsigned nRetry = 0;
+
PKCS11H_ASSERT (session!=NULL);
PKCS11H_ASSERT (p_slot!=NULL);
@@ -3147,7 +3160,8 @@ _pkcs11h_resetSession (
if (
!s_pkcs11h_data->hooks.token_prompt (
s_pkcs11h_data->hooks.token_prompt_data,
- session->token_id
+ session->token_id,
+ nRetry++
)
) {
rv = CKR_CANCEL;
@@ -3387,7 +3401,7 @@ _pkcs11h_login (
)
) {
PKCS11H_BOOL fSuccessLogin = FALSE;
- int nRetryCount = 0;
+ unsigned nRetryCount = 0;
if ((maskPrompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT) == 0) {
rv = CKR_USER_NOT_LOGGED_IN;
@@ -3401,7 +3415,7 @@ _pkcs11h_login (
while (
rv == CKR_OK &&
!fSuccessLogin &&
- nRetryCount++ < s_pkcs11h_data->nMaxLoginRetries
+ nRetryCount < s_pkcs11h_data->nMaxLoginRetries
) {
CK_UTF8CHAR_PTR utfPIN = NULL;
CK_ULONG lPINLength = 0;
@@ -3425,6 +3439,7 @@ _pkcs11h_login (
!s_pkcs11h_data->hooks.pin_prompt (
s_pkcs11h_data->hooks.pin_prompt_data,
session->token_id,
+ nRetryCount,
szPIN,
sizeof (szPIN)
)
@@ -3441,17 +3456,18 @@ _pkcs11h_login (
"PKCS#11: pin_prompt hook return rv=%ld",
rv
);
-
}
- if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) {
- session->timePINExpire = 0;
- }
- else {
- session->timePINExpire = (
- PKCS11H_TIME (NULL) +
- (time_t)session->nPINCachePeriod
- );
+ if (rv == CKR_OK) {
+ if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) {
+ session->timePINExpire = 0;
+ }
+ else {
+ session->timePINExpire = (
+ PKCS11H_TIME (NULL) +
+ (time_t)session->nPINCachePeriod
+ );
+ }
}
if (
@@ -3486,6 +3502,15 @@ _pkcs11h_login (
*/
rv = CKR_OK;
}
+
+ nRetryCount++;
+ }
+
+ /*
+ * Retry limit
+ */
+ if (!fSuccessLogin && rv == CKR_OK) {
+ rv = CKR_PIN_INCORRECT;
}
}
@@ -3579,11 +3604,13 @@ static
PKCS11H_BOOL
_pkcs11h_hooks_default_token_prompt (
IN const void * pData,
- IN const pkcs11h_token_id_t token
+ IN const pkcs11h_token_id_t token,
+ IN const unsigned retry
) {
PKCS11H_ASSERT (token!=NULL);
(void)pData;
+ (void)retry;
PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
@@ -3600,12 +3627,14 @@ PKCS11H_BOOL
_pkcs11h_hooks_default_pin_prompt (
IN const void * pData,
IN const pkcs11h_token_id_t token,
+ IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
) {
PKCS11H_ASSERT (token!=NULL);
(void)pData;
+ (void)retry;
(void)szPIN;
(void)nMaxPIN;
@@ -5034,7 +5063,7 @@ _pkcs11h_certificate_private_op (
PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p",
+ "PKCS#11: _pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p",
(void *)certificate,
op,
mech_type,
@@ -5181,7 +5210,7 @@ _pkcs11h_certificate_private_op (
PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
- "PKCS#11: pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d",
+ "PKCS#11: _pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d",
rv,
pkcs11h_getMessage (rv),
*p_target_size
@@ -5532,7 +5561,7 @@ pkcs11h_certificate_signAny (
}
}
- if (!fSigned) {
+ if (rv == CKR_OK && !fSigned) {
rv = CKR_FUNCTION_FAILED;
}
@@ -6313,6 +6342,8 @@ pkcs11h_locate_token (
CK_RV rv = CKR_OK;
+ unsigned nRetry = 0;
+
PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
PKCS11H_ASSERT (s_pkcs11h_data->fInitialized);
PKCS11H_ASSERT (szSlotType!=NULL);
@@ -6403,7 +6434,8 @@ pkcs11h_locate_token (
if (
!s_pkcs11h_data->hooks.token_prompt (
s_pkcs11h_data->hooks.token_prompt_data,
- dummy_token_id
+ dummy_token_id,
+ nRetry++
)
) {
rv = CKR_CANCEL;
@@ -9297,11 +9329,20 @@ PKCS11H_BOOL
_pkcs11h_standalone_dump_objects_pin_prompt (
IN const void *pData,
IN const pkcs11h_token_id_t token,
+ IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
) {
- strncpy (szPIN, (char *)pData, nMaxPIN);
- return TRUE;
+ /*
+ * Don't lock card
+ */
+ if (retry == 0) {
+ strncpy (szPIN, (char *)pData, nMaxPIN);
+ return TRUE;
+ }
+ else {
+ return FALSE;
+ }
}
void
@@ -9686,8 +9727,8 @@ pkcs11h_standalone_dump_objects (
CK_BBOOL sign_recover = CK_FALSE;
CK_BBOOL sign = CK_FALSE;
CK_ATTRIBUTE attrs_key[] = {
- {CKA_SIGN, &sign_recover, sizeof (sign_recover)},
- {CKA_SIGN_RECOVER, &sign, sizeof (sign)}
+ {CKA_SIGN, &sign, sizeof (sign)},
+ {CKA_SIGN_RECOVER, &sign_recover, sizeof (sign_recover)}
};
CK_ATTRIBUTE attrs_key_common[] = {
{CKA_ID, NULL, 0},
diff --git a/pkcs11-helper.h b/pkcs11-helper.h
index e2cef6d..f6eb967 100644
--- a/pkcs11-helper.h
+++ b/pkcs11-helper.h
@@ -151,12 +151,14 @@ typedef void (*pkcs11h_hook_slotevent_t)(
typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)(
IN const void *pData,
- IN const pkcs11h_token_id_t token
+ IN const pkcs11h_token_id_t token,
+ IN const unsigned retry
);
typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)(
IN const void *pData,
IN const pkcs11h_token_id_t token,
+ IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
);
@@ -357,7 +359,7 @@ pkcs11h_setPINCachePeriod (
*/
CK_RV
pkcs11h_setMaxLoginRetries (
- IN const int nMaxLoginRetries
+ IN const unsigned nMaxLoginRetries
);
/*
diff --git a/pkcs11.c b/pkcs11.c
index 3b136c5..9f30407 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -149,10 +149,12 @@ static
bool
_pkcs11_openvpn_token_prompt (
IN const void *pData,
- IN const pkcs11h_token_id_t token
+ IN const pkcs11h_token_id_t token,
+ IN const unsigned retry
) {
static struct user_pass token_resp;
+ (void)retry;
ASSERT (token!=NULL);
CLEAR (token_resp);
@@ -179,12 +181,14 @@ bool
_pkcs11_openvpn_pin_prompt (
IN const void *pData,
IN const pkcs11h_token_id_t token,
+ IN const unsigned retry,
OUT char * const szPIN,
IN const size_t nMaxPIN
) {
static struct user_pass token_pass;
char szPrompt[1024];
+ (void)retry;
ASSERT (token!=NULL);
openvpn_snprintf (szPrompt, sizeof (szPrompt), "%s token", token->label);