diff --git a/configure.ac b/configure.ac index 7d30cbaa..ef1c60b1 100644 --- a/configure.ac +++ b/configure.ac @@ -300,7 +300,7 @@ AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([ \ errno.h fcntl.h malloc.h stdlib.h \ inttypes.h string.h strings.h \ - sys/time.h unistd.h locale.h getopt.h + sys/time.h unistd.h locale.h getopt.h sys/mman.h ]) dnl Checks for typedefs, structures, and compiler characteristics. diff --git a/etc/opensc.conf.in b/etc/opensc.conf.in index 3eb0899e..a4259812 100644 --- a/etc/opensc.conf.in +++ b/etc/opensc.conf.in @@ -248,14 +248,25 @@ app default { # WARNING: Caching shouldn't be used in setuid root # applications. # Default: false + # use_file_caching = true; + # + # Use PIN caching? + # Default: true + # use_pin_caching = false; + # + # How many times to use a PIN from cache before re-authenticating it? + # Default: 10 + # pin_cache_counter = 3; # - use_caching = true; # Enable pkcs15 emulation. # Default: yes # enable_pkcs15_emulation = no; # # Prefer pkcs15 emulation code before # the normal pkcs15 processing. + # Some cards (like esteid and pteid) work in emu-only mode, + # and do not depend on this option. + # # Default: no # try_emulation_first = yes; # @@ -285,7 +296,7 @@ app default { # so you can turn it off, if it misbehaves. # this option only affects cardos cards right now. # Default: yes - # enable_sign_with_decrypt_workaround = yes; + # enable_sign_with_decrypt_workaround = no; } } @@ -345,19 +356,7 @@ app opensc-pkcs11 { # # Default: true # lock_login = false; - - # Normally, the pkcs11 module will not cache PINs - # presented via C_Login. However, some cards - # may not work properly with OpenSC; for instance - # when you have two keys on your card that get - # stored in two different directories. # - # In this case, you can turn on PIN caching by setting - # cache_pins = true - # - # Default: true - # cache_pins = false; - # Set this value to true if you want to allow off-card # keypair generation (in software on your pc) # diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports index 7276210b..af3d7ade 100644 --- a/src/libopensc/libopensc.exports +++ b/src/libopensc/libopensc.exports @@ -156,6 +156,7 @@ sc_pkcs15_make_absolute_path sc_pkcs15_parse_df sc_pkcs15_parse_tokeninfo sc_pkcs15_parse_unusedspace +sc_pkcs15_pincache_clear sc_pkcs15_print_id sc_pkcs15_read_cached_file sc_pkcs15_read_certificate diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h index 0b91564b..0aab3660 100644 --- a/src/libopensc/opensc.h +++ b/src/libopensc/opensc.h @@ -1144,6 +1144,7 @@ int sc_base64_decode(const char *in, u8 *out, size_t outlen); * @param len length of the memory buffer */ void sc_mem_clear(void *ptr, size_t len); +void *sc_mem_alloc_secure(size_t len); int sc_get_cache_dir(sc_context_t *ctx, char *buf, size_t bufsize); int sc_make_cache_dir(sc_context_t *ctx); diff --git a/src/libopensc/pkcs15-actalis.c b/src/libopensc/pkcs15-actalis.c index db60ce05..83eda5fb 100644 --- a/src/libopensc/pkcs15-actalis.c +++ b/src/libopensc/pkcs15-actalis.c @@ -177,7 +177,7 @@ static int sc_pkcs15emu_actalis_init(sc_pkcs15_card_t * p15card) const char *authPRKEY = "Authentication Key"; /* const char *nonrepPRKEY = "Non repudiation Key"; */ - p15card->opts.use_cache = 1; + p15card->opts.use_file_cache = 1; /* Get Serial number */ sc_format_path("3F0030000001", &path); diff --git a/src/libopensc/pkcs15-infocamere.c b/src/libopensc/pkcs15-infocamere.c index f9d2a40c..12643141 100644 --- a/src/libopensc/pkcs15-infocamere.c +++ b/src/libopensc/pkcs15-infocamere.c @@ -590,7 +590,7 @@ static int infocamere_1400_init(sc_pkcs15_card_t * p15card) set_security_env = card->ops->set_security_env; card->ops->set_security_env = infocamere_1400_set_sec_env; card->ops->compute_signature = do_sign; - p15card->opts.use_cache = 1; + p15card->opts.use_file_cache = 1; sc_format_path("30000001", &path); diff --git a/src/libopensc/pkcs15-pin.c b/src/libopensc/pkcs15-pin.c index 2b9c629d..5b2b19d3 100644 --- a/src/libopensc/pkcs15-pin.c +++ b/src/libopensc/pkcs15-pin.c @@ -51,6 +51,8 @@ static const struct sc_asn1_entry c_asn1_pin[] = { { NULL, 0, 0, 0, NULL, NULL } }; +static void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_pin_info *pininfo, const u8 *pin, size_t pinlen); + int sc_pkcs15_decode_aodf_entry(struct sc_pkcs15_card *p15card, struct sc_pkcs15_object *obj, const u8 ** buf, size_t *buflen) @@ -198,15 +200,13 @@ int sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, sc_card_t *card; struct sc_pin_cmd_data data; + SC_FUNC_CALLED(p15card->card->ctx, 2); if ((r = _validate_pin(p15card, pin, pinlen)) != SC_SUCCESS) return r; card = p15card->card; r = sc_lock(card); - if (r == SC_ERROR_CARD_RESET || r == SC_ERROR_READER_REATTACHED) { - r = sc_lock(card); - } SC_TEST_RET(card->ctx, r, "sc_lock() failed"); /* the path in the pin object is optional */ if (pin->path.len > 0) { @@ -251,6 +251,8 @@ int sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, } r = sc_pin_cmd(card, &data, &pin->tries_left); + if (r == SC_SUCCESS) + sc_pkcs15_pincache_add(p15card, pin, pincode, pinlen); out: sc_unlock(card); return r; @@ -328,6 +330,8 @@ int sc_pkcs15_change_pin(struct sc_pkcs15_card *p15card, } r = sc_pin_cmd(card, &data, &pin->tries_left); + if (r == SC_SUCCESS) + sc_pkcs15_pincache_add(p15card, pin, newpin, newpinlen); out: sc_unlock(card); @@ -436,6 +440,8 @@ int sc_pkcs15_unblock_pin(struct sc_pkcs15_card *p15card, } r = sc_pin_cmd(card, &data, &pin->tries_left); + if (r == SC_SUCCESS) + sc_pkcs15_pincache_add(p15card, pin, newpin, newpinlen); out: sc_unlock(card); @@ -446,3 +452,94 @@ void sc_pkcs15_free_pin_info(sc_pkcs15_pin_info_t *pin) { free(pin); } + +/* Add a PIN to the PIN cache related to the card. Some operations can trigger re-authentication later. */ +static void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, + struct sc_pkcs15_pin_info *pininfo, + const u8 *pin, size_t pinlen) +{ + int i; + sc_pkcs15_pincache_entry_t *entry; + sc_pkcs15_object_t *obj; + + SC_FUNC_CALLED(p15card->card->ctx, 2); + + if (!p15card->opts.use_pin_cache) + return; + + /* Is it a user consent protecting PIN ? */ + if (sc_pkcs15_find_prkey_by_reference(p15card, NULL, pininfo->reference, &obj) == SC_SUCCESS) { + if (obj->user_consent) { + sc_debug(p15card->card->ctx, "Not caching userconsent related PIN"); + return; + } + } + + for (i=0; ipin_cache[i] == NULL) { + entry = (sc_pkcs15_pincache_entry_t *) sc_mem_alloc_secure(sizeof(sc_pkcs15_pincache_entry_t)); + if (!entry) + return; + memcpy(&entry->id, &pininfo->auth_id, sizeof(sc_pkcs15_id_t)); + memcpy(&entry->pin, pin, pinlen); + entry->len = pinlen; + entry->counter = 0; + p15card->pin_cache[i] = entry; + return; + } else { /* Update the existing PIN */ + sc_pkcs15_pincache_entry_t *entry = p15card->pin_cache[i]; + if (sc_pkcs15_compare_id(&entry->id, &pininfo->auth_id)) { + memcpy(&entry->pin, pin, pinlen); + entry->len = pinlen; + entry->counter = 0; + return; + } + + } + } +} +/* Validate the PIN code associated with an object */ +int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj) +{ + int r, i; + sc_pkcs15_object_t *pin_obj; + sc_pkcs15_pin_info_t *pin_info; + + SC_FUNC_CALLED(p15card->card->ctx, 2); + + if (!p15card->opts.use_pin_cache) + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; + + if (obj->user_consent) + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; + + if (p15card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD) + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; + + r = sc_pkcs15_find_pin_by_auth_id(p15card, &obj->auth_id, &pin_obj); + if (r != SC_SUCCESS) { + sc_debug(p15card->card->ctx, "Could not find pin object for auth_id %s", sc_pkcs15_print_id(&obj->auth_id)); + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; + } + + pin_info = (sc_pkcs15_pin_info_t *) pin_obj->data; + for (i=0; ipin_cache[i] != NULL; i++) { + sc_pkcs15_pincache_entry_t *entry = p15card->pin_cache[i]; + if (sc_pkcs15_compare_id(&entry->id, &obj->auth_id)) { + if (entry->counter >= p15card->opts.pin_cache_counter) { + sc_mem_clear(entry->pin, entry->len); + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; + } + entry->counter++; + return sc_pkcs15_verify_pin(p15card, pin_info, entry->pin, entry->len); + } + } + return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; +} + +void sc_pkcs15_pincache_clear(struct sc_pkcs15_card *p15card) +{ + int i; + for (i=0; ipin_cache[i] != NULL; i++) + sc_mem_clear(p15card->pin_cache[i]->pin, p15card->pin_cache[i]->len); +} \ No newline at end of file diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c index 69246265..cc8eadb9 100644 --- a/src/libopensc/pkcs15-sec.c +++ b/src/libopensc/pkcs15-sec.c @@ -121,6 +121,10 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card, SC_TEST_RET(ctx, r, "sc_set_security_env() failed"); } r = sc_decipher(p15card->card, in, inlen, out, outlen); + if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { + if (sc_pkcs15_pincache_revalidate(p15card, obj) == SC_SUCCESS) + r = sc_decipher(p15card->card, in, inlen, out, outlen); + } sc_unlock(p15card->card); SC_TEST_RET(ctx, r, "sc_decipher() failed"); @@ -268,6 +272,10 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card, } r = sc_compute_signature(p15card->card, tmp, inlen, out, outlen); + if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { + if (sc_pkcs15_pincache_revalidate(p15card, obj) == SC_SUCCESS) + r = sc_compute_signature(p15card->card, tmp, inlen, out, outlen); + } sc_mem_clear(buf, sizeof(buf)); sc_unlock(p15card->card); SC_TEST_RET(ctx, r, "sc_compute_signature() failed"); diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c index 7292893e..9188ec8e 100644 --- a/src/libopensc/pkcs15.c +++ b/src/libopensc/pkcs15.c @@ -416,6 +416,8 @@ struct sc_pkcs15_card * sc_pkcs15_card_new(void) void sc_pkcs15_card_free(struct sc_pkcs15_card *p15card) { + size_t i; + if (p15card == NULL) return; assert(p15card->magic == SC_PKCS15_CARD_MAGIC); @@ -446,11 +448,14 @@ void sc_pkcs15_card_free(struct sc_pkcs15_card *p15card) if (p15card->preferred_language != NULL) free(p15card->preferred_language); if (p15card->seInfo != NULL) { - size_t i; for (i = 0; i < p15card->num_seInfo; i++) free(p15card->seInfo[i]); free(p15card->seInfo); } + for (i=0; ipin_cache[i] != NULL; i++) { + sc_mem_clear(p15card->pin_cache[i]->pin, p15card->pin_cache[i]->len); + free(p15card->pin_cache[i]); + } free(p15card); } @@ -567,8 +572,7 @@ static int sc_pkcs15_bind_internal(sc_pkcs15_card_t *p15card) goto end; if (p15card->file_odf == NULL) { - /* check if an ODF is present; suppress errors as we - * don't know yet whether we have a pkcs15 card */ + /* check if an ODF is present; we don't know yet whether we have a pkcs15 card */ tmppath = p15card->file_app->path; sc_append_path_id(&tmppath, (const u8 *) "\x50\x31", 2); err = sc_select_file(card, &tmppath, &p15card->file_odf); @@ -697,19 +701,21 @@ int sc_pkcs15_bind(sc_card_t *card, p15card = sc_pkcs15_card_new(); if (p15card == NULL) return SC_ERROR_OUT_OF_MEMORY; - p15card->card = card; - for (i = 0; ctx->conf_blocks[i] != NULL; i++) { - blocks = scconf_find_blocks(ctx->conf, ctx->conf_blocks[i], - "framework", "pkcs15"); - if (blocks && blocks[0] != NULL) - conf_block = blocks[0]; - free(blocks); - } + p15card->card = card; + p15card->opts.use_file_cache = 0; + p15card->opts.use_pin_cache = 1; + p15card->opts.pin_cache_counter = 10; + + conf_block = sc_get_conf_block(ctx, "framework", "pkcs15", 1); if (conf_block) { - p15card->opts.use_cache = scconf_get_bool(conf_block, "use_caching", 0); + p15card->opts.use_file_cache = scconf_get_bool(conf_block, "use_file_caching", p15card->opts.use_file_cache); + p15card->opts.use_pin_cache = scconf_get_bool(conf_block, "use_pin_caching", p15card->opts.use_pin_cache); + p15card->opts.pin_cache_counter = scconf_get_bool(conf_block, "pin_cache_counter", p15card->opts.pin_cache_counter); } + sc_debug(ctx, "PKCS#15 options: use_file_cache=%d use_pin_cache=%d pin_cache_counter=%d", + p15card->opts.use_file_cache, p15card->opts.use_pin_cache, p15card->opts.pin_cache_counter); r = sc_lock(card); if (r) { @@ -1676,7 +1682,7 @@ int sc_pkcs15_read_file(struct sc_pkcs15_card *p15card, } r = -1; /* file state: not in cache */ - if (p15card->opts.use_cache) { + if (p15card->opts.use_file_cache) { r = sc_pkcs15_read_cached_file(p15card, in_path, &data, &len); } if (r) { diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h index 757624cf..1ab2c3a6 100644 --- a/src/libopensc/pkcs15.h +++ b/src/libopensc/pkcs15.h @@ -380,6 +380,13 @@ typedef struct { size_t aid_len; } sc_pkcs15_sec_env_info_t; +typedef struct { + sc_pkcs15_id_t id; + u8 pin[SC_MAX_PIN_SIZE]; + size_t len; + int counter; +} sc_pkcs15_pincache_entry_t; + typedef struct { unsigned int version; unsigned int flags; @@ -412,11 +419,14 @@ typedef struct sc_pkcs15_card { int unusedspace_read; struct sc_pkcs15_card_opts { - int use_cache; + int use_file_cache; + int use_pin_cache; + int pin_cache_counter; } opts; sc_pkcs15_sec_env_info_t **seInfo; size_t num_seInfo; + sc_pkcs15_pincache_entry_t *pin_cache[SC_PKCS15_MAX_PINS]; unsigned int magic; @@ -561,6 +571,8 @@ int sc_pkcs15_find_pin_by_reference(struct sc_pkcs15_card *card, struct sc_pkcs15_object **out); int sc_pkcs15_find_so_pin(struct sc_pkcs15_card *card, struct sc_pkcs15_object **out); +int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj); +void sc_pkcs15_pincache_clear(struct sc_pkcs15_card *p15card); int sc_pkcs15_encode_dir(struct sc_context *ctx, struct sc_pkcs15_card *card, diff --git a/src/libopensc/sc.c b/src/libopensc/sc.c index 500a64b3..083ea944 100644 --- a/src/libopensc/sc.c +++ b/src/libopensc/sc.c @@ -26,6 +26,9 @@ #include /* for OPENSSL_cleanse */ #endif +#ifdef HAVE_SYS_MMAN_H +#include +#endif #include "internal.h" #include #include @@ -715,6 +718,24 @@ int _sc_parse_atr(sc_context_t *ctx, sc_slot_info_t *slot) return 0; } +void *sc_mem_alloc_secure(size_t len) +{ + void *pointer; + + pointer = calloc(len, sizeof(unsigned char)); + if (!pointer) + return NULL; +#ifdef HAVE_SYS_MMAN_H + /* TODO Windows support and mprotect too */ + /* Do not swap the memory */ + if (mlock(pointer, len) == -1) { + free(pointer); + return NULL; + } +#endif + return pointer; +} + void sc_mem_clear(void *ptr, size_t len) { #ifdef ENABLE_OPENSSL diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c index 1b6ad9d0..dd31be62 100644 --- a/src/pkcs11/framework-pkcs15.c +++ b/src/pkcs11/framework-pkcs15.c @@ -28,15 +28,8 @@ extern int hack_enabled; -#define MAX_CACHE_PIN 32 struct pkcs15_slot_data { struct sc_pkcs15_object *auth_obj; - int user_consent; - struct { - sc_path_t path; - u8 value[MAX_CACHE_PIN]; - unsigned int len; - } pin[2]; }; #define slot_data(p) ((struct pkcs15_slot_data *) (p)) #define slot_data_auth(p) (slot_data(p)->auth_obj) @@ -148,9 +141,6 @@ static CK_RV get_modulus_bits(struct sc_pkcs15_pubkey *, static CK_RV get_usage_bit(unsigned int usage, CK_ATTRIBUTE_PTR attr); static CK_RV asn1_sequence_wrapper(const u8 *, size_t, CK_ATTRIBUTE_PTR); static CK_RV get_gostr3410_params(const u8 *, size_t, CK_ATTRIBUTE_PTR); -static void cache_pin(void *, int, const sc_path_t *, const void *, size_t); -static int revalidate_pin(struct pkcs15_slot_data *data, - struct sc_pkcs11_session *ses); static int lock_card(struct pkcs15_fw_data *); static int unlock_card(struct pkcs15_fw_data *); static void add_pins_to_keycache(struct sc_pkcs11_card *p11card, @@ -634,11 +624,6 @@ pkcs15_add_object(struct sc_pkcs11_slot *slot, obj->base.flags |= SC_PKCS11_OBJECT_SEEN; obj->refcount++; - if (obj->p15_object && (obj->p15_object->user_consent > 0) ) { - sc_debug(context, "User consent object detected, marking slot as user_consent!\n"); - ((struct pkcs15_slot_data *)slot->fw_data)->user_consent = 1; - } - /* Add related objects * XXX prevent infinite recursion when a card specifies two certificates * referring to each other. @@ -679,7 +664,6 @@ static void pkcs15_init_slot(struct sc_pkcs15_card *card, slot->token_info.flags |= CKF_USER_PIN_INITIALIZED; if (card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD) { slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH; - sc_pkcs11_conf.cache_pins = 0; } if (card->card->caps & SC_CARD_CAP_RNG) slot->token_info.flags |= CKF_RNG; @@ -970,10 +954,6 @@ static CK_RV pkcs15_login(struct sc_pkcs11_card *p11card, rc = sc_pkcs15_verify_pin(card, pin, pPin, ulPinLen); sc_debug(context, "PIN verification returned %d\n", rc); - - if (rc >= 0) - cache_pin(fw_token, userType, &pin->path, pPin, ulPinLen); - return sc_to_cryptoki_error(rc, p11card->reader); } @@ -981,10 +961,8 @@ static CK_RV pkcs15_logout(struct sc_pkcs11_card *p11card, void *fw_token) { struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) p11card->fw_data; int rc = 0; - - cache_pin(fw_token, CKU_SO, NULL, NULL, 0); - cache_pin(fw_token, CKU_USER, NULL, NULL, 0); - + + sc_pkcs15_pincache_clear(fw_data->p15_card); sc_logout(fw_data->p15_card->card); if (sc_pkcs11_conf.lock_login) @@ -1021,9 +999,6 @@ static CK_RV pkcs15_change_pin(struct sc_pkcs11_card *p11card, rc = sc_pkcs15_change_pin(fw_data->p15_card, pin, pOldPin, ulOldLen, pNewPin, ulNewLen); sc_debug(context, "PIN change returned %d\n", rc); - - if (rc >= 0) - cache_pin(fw_token, CKU_USER, &pin->path, pNewPin, ulNewLen); return sc_to_cryptoki_error(rc, p11card->reader); } @@ -1069,9 +1044,6 @@ static CK_RV pkcs15_init_pin(struct sc_pkcs11_card *p11card, pkcs15_init_slot(fw_data->p15_card, slot, auth_obj); pin_info = (sc_pkcs15_pin_info_t *) auth_obj->data; - - cache_pin(slot->fw_data, CKU_USER, &pin_info->path, pPin, ulPinLen); - return CKR_OK; } @@ -2219,15 +2191,6 @@ static CK_RV pkcs15_prkey_sign(struct sc_pkcs11_session *ses, void *obj, pSignature, *pulDataLen); - /* Do we have to try a re-login and then try to sign again? */ - if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { - rv = revalidate_pin(data, ses); - if (rv == 0) - rv = sc_pkcs15_compute_signature(fw_data->p15_card, - prkey->prv_p15obj, flags, pData, ulDataLen, - pSignature, *pulDataLen); - } - sc_unlock(ses->slot->card->card); sc_debug(context, "Sign complete. Result %d.\n", rv); @@ -2294,14 +2257,6 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *ses, void *obj, flags, pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted)); - /* Do we have to try a re-login and then try to decrypt again? */ - if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { - rv = revalidate_pin(data, ses); - if (rv == 0) - rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, - flags, pEncryptedData, ulEncryptedDataLen, - decrypted, sizeof(decrypted)); - } sc_unlock(ses->slot->card->card); sc_debug(context, "Key unwrap/decryption complete. Result %d.\n", rv); @@ -2557,13 +2512,6 @@ static int pkcs15_dobj_get_value(struct sc_pkcs11_session *session, rv = sc_pkcs15_read_data_object(fw_data->p15_card, dobj->info, out_data); - /* Do we have to try a re-login and then try to sign again? */ - if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { - rv = revalidate_pin(data, session); - if (rv == 0) - rv = sc_pkcs15_read_data_object(fw_data->p15_card, dobj->info, out_data); - } - sc_unlock(card); if (rv < 0) return sc_to_cryptoki_error(rv, reader); @@ -2684,13 +2632,6 @@ static CK_RV pkcs15_dobj_destroy(struct sc_pkcs11_session *session, void *object /* Delete object in smartcard */ rv = sc_pkcs15init_delete_object(fw_data->p15_card, profile, obj->base.p15_object); - /* Do we have to try a re-login and then try to delete again? */ - if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) { - rv = revalidate_pin(data, session); - if (rv == 0) - rv = sc_pkcs15init_delete_object(fw_data->p15_card, profile, obj->base.p15_object); - } - sc_pkcs15init_unbind(profile); sc_unlock(card->card); @@ -2870,64 +2811,6 @@ asn1_sequence_wrapper(const u8 *data, size_t len, CK_ATTRIBUTE_PTR attr) return CKR_OK; } -static void -cache_pin(void *p, int user, const sc_path_t *path, const void *pin, size_t len) -{ - struct pkcs15_slot_data *data = (struct pkcs15_slot_data *) p; - -#ifdef USE_PKCS15_INIT - if (len == 0) { - sc_keycache_forget_key(path, SC_AC_SYMBOLIC, - user? SC_PKCS15INIT_USER_PIN : SC_PKCS15INIT_SO_PIN); - } -#endif - - if ((user != CKU_SO && user != CKU_USER) || !sc_pkcs11_conf.cache_pins) - return; - /* Don't cache pins related to user_consent objects/slots */ - if (data->user_consent) - return; - - memset(&data->pin[user], 0, sizeof(data->pin[user])); - if (len && len <= MAX_CACHE_PIN) { - memcpy(data->pin[user].value, pin, len); - data->pin[user].len = len; - if (path) - data->pin[user].path = *path; - } -} - -/* TODO: GUI must indicate pinpad revalidation instead of a plain error.*/ -static int -revalidate_pin(struct pkcs15_slot_data *data, struct sc_pkcs11_session *ses) -{ - int rv; - u8 value[MAX_CACHE_PIN]; - - sc_debug(context, "PIN revalidation\n"); - - if (!sc_pkcs11_conf.cache_pins - && !(ses->slot->token_info.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) - return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; - - if (sc_pkcs11_conf.cache_pins && data->user_consent) - return SC_ERROR_SECURITY_STATUS_NOT_SATISFIED; - - if (ses->slot->token_info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) { - rv = pkcs15_login(ses->slot->card, ses->slot->fw_data, CKU_USER, NULL, 0); - } - else { - memcpy(value, data->pin[CKU_USER].value, data->pin[CKU_USER].len); - rv = pkcs15_login(ses->slot->card, ses->slot->fw_data, CKU_USER, - value, data->pin[CKU_USER].len); - } - - if (rv != CKR_OK) - sc_debug(context, "Re-login failed: 0x%0x (%d)\n", rv, rv); - - return rv; -} - static int register_gost_mechanisms(struct sc_pkcs11_card *p11card, int flags) { CK_MECHANISM_INFO mech_info; @@ -3085,6 +2968,7 @@ static int register_mechanisms(struct sc_pkcs11_card *p11card) return rc; #endif } + return CKR_OK; } @@ -3116,7 +3000,8 @@ static void add_pins_to_keycache(struct sc_pkcs11_card *p11card, struct sc_pkcs11_slot *slot) { -#ifdef USE_PKCS15_INIT +#if 0 +//#ifdef USE_PKCS15_INIT struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) p11card->fw_data; struct sc_pkcs15_card *p15card = fw_data->p15_card; struct pkcs15_slot_data *p15_data = slot_data(slot->fw_data); diff --git a/src/pkcs11/misc.c b/src/pkcs11/misc.c index 69c2136b..d208b8f8 100644 --- a/src/pkcs11/misc.c +++ b/src/pkcs11/misc.c @@ -322,8 +322,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t *ctx) conf->max_virtual_slots = 16; conf->slots_per_card = 4; conf->hide_empty_tokens = 1; - conf->lock_login = 1; - conf->cache_pins = 1; + conf->lock_login = 0; conf->soft_keygen_allowed = 0; @@ -339,6 +338,7 @@ void load_pkcs11_parameters(struct sc_pkcs11_config *conf, sc_context_t *ctx) conf->slots_per_card = scconf_get_int(conf_block, "slots_per_card", conf->slots_per_card); conf->hide_empty_tokens = scconf_get_bool(conf_block, "hide_empty_tokens", conf->hide_empty_tokens); conf->lock_login = scconf_get_bool(conf_block, "lock_login", conf->lock_login); - conf->cache_pins = scconf_get_bool(conf_block, "cache_pins", conf->cache_pins); conf->soft_keygen_allowed = scconf_get_bool(conf_block, "soft_keygen_allowed", conf->soft_keygen_allowed); + sc_debug(ctx, "PKCS#11 options: plug_and_play=%d max_virtual_slots=%d slots_per_card=%d hide_empty_tokens=%d lock_login=%d", + conf->plug_and_play, conf->max_virtual_slots, conf->slots_per_card, conf->hide_empty_tokens, conf->lock_login); } diff --git a/src/pkcs11/sc-pkcs11.h b/src/pkcs11/sc-pkcs11.h index d511808e..2b85bec6 100644 --- a/src/pkcs11/sc-pkcs11.h +++ b/src/pkcs11/sc-pkcs11.h @@ -92,7 +92,6 @@ struct sc_pkcs11_config { unsigned int slots_per_card; unsigned char hide_empty_tokens; unsigned char lock_login; - unsigned char cache_pins; unsigned char soft_keygen_allowed; }; diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c index f0de198d..431c8d50 100644 --- a/src/tools/pkcs15-tool.c +++ b/src/tools/pkcs15-tool.c @@ -1541,7 +1541,7 @@ int main(int argc, char * const argv[]) goto end; } if (opt_no_cache) - p15card->opts.use_cache = 0; + p15card->opts.use_file_cache = 0; if (verbose) fprintf(stderr, "Found %s!\n", p15card->label); if (do_learn_card) {