[pkg-opensc-commit] [engine-pkcs11] 122/152: Decouple loging into the token
Eric Dorland
eric at moszumanska.debian.org
Mon Oct 19 03:11:24 UTC 2015
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository engine-pkcs11.
commit d00be94b277d4257795401bcec31fb0915216bfb
Author: Petr Písař <petr.pisar at atlas.cz>
Date: Wed Aug 21 18:03:25 2013 +0200
Decouple loging into the token
---
src/engine_pkcs11.c | 99 +++++++++++++++++++++++++++++++----------------------
1 file changed, 58 insertions(+), 41 deletions(-)
diff --git a/src/engine_pkcs11.c b/src/engine_pkcs11.c
index d4efe74..78063c3 100644
--- a/src/engine_pkcs11.c
+++ b/src/engine_pkcs11.c
@@ -39,6 +39,7 @@
#endif
#define fail(msg) { fprintf(stderr,msg); return NULL;}
+#define fail0(msg) { fprintf(stderr,msg); return 0;}
/** The maximum length of an internally-allocated PIN */
#define MAX_PIN_LENGTH 32
@@ -725,6 +726,61 @@ int load_cert_ctrl(ENGINE * e, void *p)
return 1;
}
+/*
+ * Log-into the token if necesary.
+ *
+ * @slot is PKCS11 slot to log in
+ * @tok is PKCS11 token to log in (??? could be derived as @slot->token)
+ * @ui_method is OpenSSL user inteface which is used to ask for a password
+ * @callback_data are application data to the user interface
+ * @return 1 on success, 0 on error.
+ */
+static int pkcs11_login(PKCS11_SLOT *slot, PKCS11_TOKEN *tok, UI_METHOD *ui_method, void *callback_data)
+{
+ if (tok->loginRequired) {
+ /* If the token has a secure login (i.e., an external keypad),
+ then use a NULL pin. Otherwise, check if a PIN exists. If
+ not, allocate and obtain a new PIN. */
+ if (tok->secureLogin) {
+ /* Free the PIN if it has already been
+ assigned (i.e, cached by get_pin) */
+ zero_pin();
+ } else if (pin == NULL) {
+ pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char));
+ pin_length = MAX_PIN_LENGTH;
+ if (pin == NULL) {
+ fail0("Could not allocate memory for PIN");
+ }
+ if (!get_pin(ui_method, callback_data) ) {
+ zero_pin();
+ fail0("No pin code was entered");
+ }
+ }
+
+ /* Now login in with the (possibly NULL) pin */
+ if (PKCS11_login(slot, 0, pin)) {
+ /* Login failed, so free the PIN if present */
+ zero_pin();
+ fail0("Login failed\n");
+ }
+ /* Login successful, PIN retained in case further logins are
+ required. This will occur on subsequent calls to the
+ pkcs11_load_key function. Subsequent login calls should be
+ relatively fast (the token should maintain its own login
+ state), although there may still be a slight performance
+ penalty. We could maintain state noting that successful
+ login has been performed, but this state may not be updated
+ if the token is removed and reinserted between calls. It
+ seems safer to retain the PIN and peform a login on each
+ call to pkcs11_load_key, even if this may not be strictly
+ necessary. */
+ /* TODO when does PIN get freed after successful login? */
+ /* TODO confirm that multiple login attempts do not introduce
+ significant performance penalties */
+ }
+ return 1;
+}
+
static EVP_PKEY *pkcs11_load_key(ENGINE * e, const char *s_slot_key_id,
UI_METHOD * ui_method, void *callback_data,
int isPrivate)
@@ -913,47 +969,8 @@ static EVP_PKEY *pkcs11_load_key(ENGINE * e, const char *s_slot_key_id,
}
/* Perform login to the token if required */
- if (tok->loginRequired) {
- /* If the token has a secure login (i.e., an external keypad),
- then use a NULL pin. Otherwise, check if a PIN exists. If
- not, allocate and obtain a new PIN. */
- if (tok->secureLogin) {
- /* Free the PIN if it has already been
- assigned (i.e, cached by get_pin) */
- zero_pin();
- } else if (pin == NULL) {
- pin = (char *)calloc(MAX_PIN_LENGTH, sizeof(char));
- pin_length = MAX_PIN_LENGTH;
- if (pin == NULL) {
- fail("Could not allocate memory for PIN");
- }
- if (!get_pin(ui_method, callback_data) ) {
- zero_pin();
- fail("No pin code was entered");
- }
- }
-
- /* Now login in with the (possibly NULL) pin */
- if (PKCS11_login(slot, 0, pin)) {
- /* Login failed, so free the PIN if present */
- zero_pin();
- fail("Login failed\n");
- }
- /* Login successful, PIN retained in case further logins are
- required. This will occur on subsequent calls to the
- pkcs11_load_key function. Subsequent login calls should be
- relatively fast (the token should maintain its own login
- state), although there may still be a slight performance
- penalty. We could maintain state noting that successful
- login has been performed, but this state may not be updated
- if the token is removed and reinserted between calls. It
- seems safer to retain the PIN and peform a login on each
- call to pkcs11_load_key, even if this may not be strictly
- necessary. */
- /* TODO when does PIN get freed after successful login? */
- /* TODO confirm that multiple login attempts do not introduce
- significant performance penalties */
-
+ if (!pkcs11_login(slot, tok, ui_method, callback_data)) {
+ return NULL;
}
/* Make sure there is at least one private key on the token */
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/engine-pkcs11.git
More information about the pkg-opensc-commit
mailing list