From 14a4962ab06743b36481aca9481758a3dd92b035 Mon Sep 17 00:00:00 2001 From: james Date: Tue, 13 Jun 2006 17:02:28 +0000 Subject: -r 1026:1032 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn Changes: 1. Updated makefile.w32-vc to include lladdr.*, updated linkage libraries. 2. Modified lladdr.c to be compiled under visual C. 3. Added retry counter to PKCS#11 PIN hook. 4. Modified PKCS#11 PIN retry loop to return correct error code when PIN is incorrect. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1038 e7ae566f-a301-0410-adde-c780ea21d3b5 --- lladdr.c | 3 +- makefile.w32-vc | 4 ++- pkcs11-helper.c | 89 +++++++++++++++++++++++++++++++++++++++++---------------- pkcs11-helper.h | 6 ++-- pkcs11.c | 6 +++- 5 files changed, 79 insertions(+), 29 deletions(-) diff --git a/lladdr.c b/lladdr.c index d6fb0a6..1f02ba4 100644 --- a/lladdr.c +++ b/lladdr.c @@ -16,6 +16,7 @@ int set_lladdr(const char *ifname, const char *lladdr, const struct env_set *es) { char cmd[256]; + int r; if (!ifname || !lladdr) return -1; @@ -51,7 +52,7 @@ int set_lladdr(const char *ifname, const char *lladdr, return -1; #endif - int r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address."); + r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address."); if (r) msg (M_INFO, "TUN/TAP link layer address set to %s", lladdr); return r; diff --git a/makefile.w32-vc b/makefile.w32-vc index f92dbb3..d3dac0b 100644 --- a/makefile.w32-vc +++ b/makefile.w32-vc @@ -24,7 +24,7 @@ LZO = \src\lzo-1.08.vc INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include -LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib gdi32.lib advapi32.lib wininet.lib +LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO) @@ -108,6 +108,7 @@ HEADERS = \ syshead.h \ thread.h \ tun.h \ + lladdr.h \ win32.h OBJS = base64.obj \ @@ -160,6 +161,7 @@ OBJS = base64.obj \ status.obj \ thread.obj \ tun.obj \ + lladdr.obj \ win32.obj dynamic : $(OBJS) diff --git a/pkcs11-helper.c b/pkcs11-helper.c index c6ef79d..99a67e2 100644 --- a/pkcs11-helper.c +++ b/pkcs11-helper.c @@ -56,6 +56,15 @@ * */ +/* + * Changelog + * + * 2006.05.14 + * - (alonbl) First stable release. + * - (alonbl) Release 01.00. + * + */ + #include "pkcs11-helper-config.h" #if defined(ENABLE_PKCS11H_HELPER) @@ -268,7 +277,7 @@ struct pkcs11h_data_s { } hooks; PKCS11H_BOOL fProtectedAuthentication; - int nMaxLoginRetries; + unsigned nMaxLoginRetries; #if defined(ENABLE_PKCS11H_THREADING) pkcs11h_mutex_t mutexGlobal; @@ -517,7 +526,8 @@ static PKCS11H_BOOL _pkcs11h_hooks_default_token_prompt ( IN const void * pData, - IN const pkcs11h_token_id_t token + IN const pkcs11h_token_id_t token, + IN const unsigned retry ); static @@ -525,6 +535,7 @@ PKCS11H_BOOL _pkcs11h_hooks_default_pin_prompt ( IN const void * pData, IN const pkcs11h_token_id_t token, + IN const unsigned retry, OUT char * const szPIN, IN const size_t nMaxPIN ); @@ -1189,7 +1200,7 @@ pkcs11h_setPINCachePeriod ( CK_RV pkcs11h_setMaxLoginRetries ( - IN const int nMaxLoginRetries + IN const unsigned nMaxLoginRetries ) { PKCS11H_ASSERT (s_pkcs11h_data!=NULL); PKCS11H_ASSERT (s_pkcs11h_data->fInitialized); @@ -2974,6 +2985,8 @@ _pkcs11h_resetSession ( CK_RV rv = CKR_OK; + unsigned nRetry = 0; + PKCS11H_ASSERT (session!=NULL); PKCS11H_ASSERT (p_slot!=NULL); @@ -3147,7 +3160,8 @@ _pkcs11h_resetSession ( if ( !s_pkcs11h_data->hooks.token_prompt ( s_pkcs11h_data->hooks.token_prompt_data, - session->token_id + session->token_id, + nRetry++ ) ) { rv = CKR_CANCEL; @@ -3387,7 +3401,7 @@ _pkcs11h_login ( ) ) { PKCS11H_BOOL fSuccessLogin = FALSE; - int nRetryCount = 0; + unsigned nRetryCount = 0; if ((maskPrompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT) == 0) { rv = CKR_USER_NOT_LOGGED_IN; @@ -3401,7 +3415,7 @@ _pkcs11h_login ( while ( rv == CKR_OK && !fSuccessLogin && - nRetryCount++ < s_pkcs11h_data->nMaxLoginRetries + nRetryCount < s_pkcs11h_data->nMaxLoginRetries ) { CK_UTF8CHAR_PTR utfPIN = NULL; CK_ULONG lPINLength = 0; @@ -3425,6 +3439,7 @@ _pkcs11h_login ( !s_pkcs11h_data->hooks.pin_prompt ( s_pkcs11h_data->hooks.pin_prompt_data, session->token_id, + nRetryCount, szPIN, sizeof (szPIN) ) @@ -3441,17 +3456,18 @@ _pkcs11h_login ( "PKCS#11: pin_prompt hook return rv=%ld", rv ); - } - if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) { - session->timePINExpire = 0; - } - else { - session->timePINExpire = ( - PKCS11H_TIME (NULL) + - (time_t)session->nPINCachePeriod - ); + if (rv == CKR_OK) { + if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) { + session->timePINExpire = 0; + } + else { + session->timePINExpire = ( + PKCS11H_TIME (NULL) + + (time_t)session->nPINCachePeriod + ); + } } if ( @@ -3486,6 +3502,15 @@ _pkcs11h_login ( */ rv = CKR_OK; } + + nRetryCount++; + } + + /* + * Retry limit + */ + if (!fSuccessLogin && rv == CKR_OK) { + rv = CKR_PIN_INCORRECT; } } @@ -3579,11 +3604,13 @@ static PKCS11H_BOOL _pkcs11h_hooks_default_token_prompt ( IN const void * pData, - IN const pkcs11h_token_id_t token + IN const pkcs11h_token_id_t token, + IN const unsigned retry ) { PKCS11H_ASSERT (token!=NULL); (void)pData; + (void)retry; PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, @@ -3600,12 +3627,14 @@ PKCS11H_BOOL _pkcs11h_hooks_default_pin_prompt ( IN const void * pData, IN const pkcs11h_token_id_t token, + IN const unsigned retry, OUT char * const szPIN, IN const size_t nMaxPIN ) { PKCS11H_ASSERT (token!=NULL); (void)pData; + (void)retry; (void)szPIN; (void)nMaxPIN; @@ -5034,7 +5063,7 @@ _pkcs11h_certificate_private_op ( PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, - "PKCS#11: pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p", + "PKCS#11: _pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p", (void *)certificate, op, mech_type, @@ -5181,7 +5210,7 @@ _pkcs11h_certificate_private_op ( PKCS11H_DEBUG ( PKCS11H_LOG_DEBUG2, - "PKCS#11: pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d", + "PKCS#11: _pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d", rv, pkcs11h_getMessage (rv), *p_target_size @@ -5532,7 +5561,7 @@ pkcs11h_certificate_signAny ( } } - if (!fSigned) { + if (rv == CKR_OK && !fSigned) { rv = CKR_FUNCTION_FAILED; } @@ -6313,6 +6342,8 @@ pkcs11h_locate_token ( CK_RV rv = CKR_OK; + unsigned nRetry = 0; + PKCS11H_ASSERT (s_pkcs11h_data!=NULL); PKCS11H_ASSERT (s_pkcs11h_data->fInitialized); PKCS11H_ASSERT (szSlotType!=NULL); @@ -6403,7 +6434,8 @@ pkcs11h_locate_token ( if ( !s_pkcs11h_data->hooks.token_prompt ( s_pkcs11h_data->hooks.token_prompt_data, - dummy_token_id + dummy_token_id, + nRetry++ ) ) { rv = CKR_CANCEL; @@ -9297,11 +9329,20 @@ PKCS11H_BOOL _pkcs11h_standalone_dump_objects_pin_prompt ( IN const void *pData, IN const pkcs11h_token_id_t token, + IN const unsigned retry, OUT char * const szPIN, IN const size_t nMaxPIN ) { - strncpy (szPIN, (char *)pData, nMaxPIN); - return TRUE; + /* + * Don't lock card + */ + if (retry == 0) { + strncpy (szPIN, (char *)pData, nMaxPIN); + return TRUE; + } + else { + return FALSE; + } } void @@ -9686,8 +9727,8 @@ pkcs11h_standalone_dump_objects ( CK_BBOOL sign_recover = CK_FALSE; CK_BBOOL sign = CK_FALSE; CK_ATTRIBUTE attrs_key[] = { - {CKA_SIGN, &sign_recover, sizeof (sign_recover)}, - {CKA_SIGN_RECOVER, &sign, sizeof (sign)} + {CKA_SIGN, &sign, sizeof (sign)}, + {CKA_SIGN_RECOVER, &sign_recover, sizeof (sign_recover)} }; CK_ATTRIBUTE attrs_key_common[] = { {CKA_ID, NULL, 0}, diff --git a/pkcs11-helper.h b/pkcs11-helper.h index e2cef6d..f6eb967 100644 --- a/pkcs11-helper.h +++ b/pkcs11-helper.h @@ -151,12 +151,14 @@ typedef void (*pkcs11h_hook_slotevent_t)( typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)( IN const void *pData, - IN const pkcs11h_token_id_t token + IN const pkcs11h_token_id_t token, + IN const unsigned retry ); typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)( IN const void *pData, IN const pkcs11h_token_id_t token, + IN const unsigned retry, OUT char * const szPIN, IN const size_t nMaxPIN ); @@ -357,7 +359,7 @@ pkcs11h_setPINCachePeriod ( */ CK_RV pkcs11h_setMaxLoginRetries ( - IN const int nMaxLoginRetries + IN const unsigned nMaxLoginRetries ); /* diff --git a/pkcs11.c b/pkcs11.c index 3b136c5..9f30407 100644 --- a/pkcs11.c +++ b/pkcs11.c @@ -149,10 +149,12 @@ static bool _pkcs11_openvpn_token_prompt ( IN const void *pData, - IN const pkcs11h_token_id_t token + IN const pkcs11h_token_id_t token, + IN const unsigned retry ) { static struct user_pass token_resp; + (void)retry; ASSERT (token!=NULL); CLEAR (token_resp); @@ -179,12 +181,14 @@ bool _pkcs11_openvpn_pin_prompt ( IN const void *pData, IN const pkcs11h_token_id_t token, + IN const unsigned retry, OUT char * const szPIN, IN const size_t nMaxPIN ) { static struct user_pass token_pass; char szPrompt[1024]; + (void)retry; ASSERT (token!=NULL); openvpn_snprintf (szPrompt, sizeof (szPrompt), "%s token", token->label); -- cgit v1.2.3