- Patches from Stef implementing PKCS11 RNG related functions

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@866 c6295689-39f2-0310-b995-f0e70906c6a9

src/pkcs11/Makefile.mak

@@ -19,7 +19,7 @@ all: install-headers install-headers-dir $(TARGET) $(TARGET2)
 !INCLUDE $(TOPDIR)\win32\Make.rules.mak
 
 $(TARGET): $(OBJECTS)
-	link $(LINKFLAGS) /dll /out:$(TARGET) $(OBJECTS) ..\libopensc\opensc.lib ..\scconf\scconf.lib ..\pkcs15init\pkcs15init.lib winscard.lib
+	link $(LINKFLAGS) /dll /out:$(TARGET) $(OBJECTS) ..\libopensc\opensc.lib ..\scconf\scconf.lib ..\scrandom\scrandom.lib ..\pkcs15init\pkcs15init.lib winscard.lib
 
 $(TARGET2): $(OBJECTS2)
 	lib /nologo /machine:ix86 /out:$(TARGET2) $(OBJECTS2)

src/pkcs11/framework-pkcs15.c

@@ -255,6 +255,8 @@ static void pkcs15_init_slot(struct sc_pkcs15_card *card,
 				| CKF_WRITE_PROTECTED;
 	if (card->card->slot->capabilities & SC_SLOT_CAP_PIN_PAD)
 		slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
+	if (card->card->caps & SC_CARD_CAP_RNG)
+		slot->token_info.flags |= CKF_RNG;
 	slot->fw_data = fw_data = (struct pkcs15_slot_data *) calloc(1, sizeof(*fw_data));
 	fw_data->auth_obj = auth;
 

src/pkcs11/framework-pkcs15init.c

@@ -156,6 +156,8 @@ pkcs15init_initialize(struct sc_pkcs11_card *p11card, void *ptr,
 	for (id = 0; slot_get_slot(id, &slot) == CKR_OK; id++) {
 		if (slot->card == p11card)
 			slot->token_info.flags |= CKF_TOKEN_INITIALIZED;
+		if (slot->card->card->caps & SC_CARD_CAP_RNG)
+			slot->token_info.flags |= CKF_RNG;
 	}
 
 	sc_pkcs15init_unbind(profile);

src/pkcs11/openssl.c

@@ -6,6 +6,7 @@
  */
 
 #include "sc-pkcs11.h"
+#include "opensc/scrandom.h"
 
 #ifdef HAVE_OPENSSL
 #include <openssl/evp.h>
@@ -58,6 +59,9 @@ sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
 	sc_pkcs11_register_mechanism(card, &openssl_ripemd160_mech);
 }
 
+static int rng_seeded = 0; 
+
+
 /*
  * Handle OpenSSL digest functions
  */
@@ -116,4 +120,53 @@ sc_pkcs11_openssl_md_release(sc_pkcs11_operation_t *op)
 	op->priv_data = NULL;
 }
 
+CK_RV
+sc_pkcs11_openssl_add_seed_rand(struct sc_pkcs11_session *session,
+				CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen)
+{
+	if (!(session->slot->card->card->caps & SC_CARD_CAP_RNG))
+		return CKR_RANDOM_NO_RNG;
+
+	if (pSeed == NULL || ulSeedLen == 0)
+		return CKR_OK;
+
+	RAND_seed(pSeed, ulSeedLen);
+
+	return CKR_OK;
+}
+
+CK_RV
+sc_pkcs11_openssl_add_gen_rand(struct sc_pkcs11_session *session,
+				CK_BYTE_PTR RandomData, CK_ULONG ulRandomLen)
+{
+	unsigned char seed[20];
+	int r;
+
+	if (!(session->slot->card->card->caps & SC_CARD_CAP_RNG))
+		return CKR_RANDOM_NO_RNG;
+
+	if (RandomData == NULL || ulRandomLen == 0)
+		return CKR_OK;
+
+	if (scrandom_get_data(seed, 20) == -1) {
+		error(context, "scrandom_get_data() failed\n");
+		return CKR_FUNCTION_FAILED;
+	}
+	RAND_seed(seed, 20);
+
+	if (rng_seeded == 0) {
+		r = sc_get_challenge(session->slot->card->card, seed, 20);
+		if (r != 0) {
+			error(context, "sc_get_challenge() returned %d\n", r);
+			return sc_to_cryptoki_error(r, session->slot->card->reader);
+		}
+		rng_seeded = 1;
+	}
+	RAND_seed(seed, 20);
+
+	r = RAND_bytes(RandomData, ulRandomLen);
+
+	return r == 1 ? CKR_OK : CKR_FUNCTION_FAILED;
+}
+
 #endif

src/pkcs11/pkcs11-object.c

@@ -725,14 +725,36 @@ CK_RV C_SeedRandom(CK_SESSION_HANDLE hSession,  /* the session's handle */
 		   CK_BYTE_PTR       pSeed,     /* the seed material */
 		   CK_ULONG          ulSeedLen) /* count of bytes of seed material */
 {
-        return CKR_FUNCTION_NOT_SUPPORTED;
+#ifdef HAVE_OPENSSL
+	struct sc_pkcs11_session *session;
+	int rv;
+
+	rv = pool_find(&session_pool, hSession, (void**) &session);
+	if (rv != CKR_OK)
+		return rv;
+
+	return sc_pkcs11_openssl_add_seed_rand(session, pSeed, ulSeedLen);
+#else
+	return CKR_FUNCTION_NOT_SUPPORTED;
+#endif
 }
 
 CK_RV C_GenerateRandom(CK_SESSION_HANDLE hSession,    /* the session's handle */
 		       CK_BYTE_PTR       RandomData,  /* receives the random data */
 		       CK_ULONG          ulRandomLen) /* number of bytes to be generated */
 {
-        return CKR_FUNCTION_NOT_SUPPORTED;
+#ifdef HAVE_OPENSSL
+	struct sc_pkcs11_session *session;
+	int rv;
+
+	rv = pool_find(&session_pool, hSession, (void**) &session);
+	if (rv != CKR_OK)
+		return rv;
+
+	return sc_pkcs11_openssl_add_gen_rand(session, RandomData, ulRandomLen);
+#else
+	return CKR_FUNCTION_NOT_SUPPORTED;
+#endif
 }
 
 CK_RV C_GetFunctionStatus(CK_SESSION_HANDLE hSession) /* the session's handle */

src/pkcs11/sc-pkcs11.h

@@ -357,6 +357,12 @@ CK_RV sc_pkcs11_register_sign_and_hash_mechanism(struct sc_pkcs11_card *,
 				CK_MECHANISM_TYPE, CK_MECHANISM_TYPE,
 				sc_pkcs11_mechanism_type_t *);
 
+#ifdef HAVE_OPENSSL
+/* Random generation functions */
+CK_RV sc_pkcs11_openssl_add_seed_rand(struct sc_pkcs11_session *, CK_BYTE_PTR, CK_ULONG);
+CK_RV sc_pkcs11_openssl_add_gen_rand(struct sc_pkcs11_session *, CK_BYTE_PTR, CK_ULONG);
+#endif
+
 /* Load configuration defaults */
 void load_pkcs11_parameters(struct sc_pkcs11_config *, struct sc_context *);
 

src/scrandom/Makefile.mak

@@ -9,7 +9,7 @@ OBJECTS = scrandom.obj
 all: install-headers $(TARGET)
 
 $(TARGET): $(OBJECTS)
-	lib /nologo /machine:ix86 /out:$(TARGET) $(OBJECTS)
+	lib /nologo /machine:ix86 /out:$(TARGET) $(OBJECTS) advapi32.lib
 
 !INCLUDE $(TOPDIR)\win32\Make.rules.mak
 

src/tools/pkcs11-tool.c

@@ -111,7 +111,7 @@ struct mech_info {
 
 static void		show_cryptoki_info(void);
 static void		list_slots(void);
-static void		show_slot(CK_SLOT_ID);
+static void		show_token(CK_SLOT_ID);
 static void		list_mechs(CK_SLOT_ID);
 static void		list_objects(CK_SESSION_HANDLE);
 static void		show_object(CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
@@ -393,12 +393,13 @@ list_slots(void)
 						info.firmwareVersion.minor);
 			printf("  flags:         %s\n", p11_slot_info_flags(info.flags));
 		}
-		show_slot(p11_slots[n]);
+		if (info.flags & CKF_TOKEN_PRESENT)
+			show_token(p11_slots[n]);
 	}
 }
 
 void
-show_slot(CK_SLOT_ID slot)
+show_token(CK_SLOT_ID slot)
 {
 	CK_TOKEN_INFO	info;
 
@@ -1239,11 +1240,71 @@ test_signature(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 	return errors;
 }
 
+static int
+test_random(CK_SESSION_HANDLE session)
+{
+	CK_BYTE buf1[100], buf2[100];
+	CK_BYTE seed1[100];
+	CK_RV rv;
+	int errors = 0;
+
+	printf("C_SeedRandom() and C_GenerateRandom():\n");
+
+	rv = p11->C_SeedRandom(session, seed1, 10);
+	if (rv == CKR_RANDOM_NO_RNG) {
+		printf("  not implemented\n");
+		return 0;
+	}
+	if (rv == CKR_RANDOM_SEED_NOT_SUPPORTED) {
+		printf("  seeding (C_SeedRandom) not supported\n");
+		return 0;
+	}
+	if (rv != CKR_OK) {
+		printf("  ERR: C_SeedRandom returned %s (0x%0x)\n", CKR2Str(rv), rv);
+		return 1;
+	}
+
+	rv = p11->C_GenerateRandom(session, buf1, 10);
+	if (rv != CKR_OK) {
+		printf("  ERR: C_GenerateRandom returned %s (0x%0x)\n", CKR2Str(rv), rv);
+		return 1;
+	}
+
+	rv = p11->C_GenerateRandom(session, buf1, 100);
+	if (rv != CKR_OK) {
+		printf("  ERR: C_GenerateRandom returned %s (0x%0x)\n", CKR2Str(rv), rv);
+		return 1;
+	}
+
+	rv = p11->C_GenerateRandom(session, buf1, 0);
+	if (rv != CKR_OK) {
+		printf("  ERR: C_GenerateRandom(,,0) returned %s (0x%0x)\n", CKR2Str(rv), rv);
+		return 1;
+	}
+
+	rv = p11->C_GenerateRandom(session, NULL, 100);
+	if (rv != CKR_OK) {
+		printf("  ERR: C_GenerateRandom(,NULL,) returned %s (0x%0x)\n", CKR2Str(rv), rv);
+		return 1;
+	}
+
+	if (memcmp(buf1, buf2, 100) == 0) {
+		printf("  ERR: C_GenerateRandom returned twice the same value!!!\n");
+		errors++;
+	}
+
+	printf("  seems to be OK\n");
+
+	return 0;
+}
+
 static int
 p11_test(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
 {
        int errors = 0;
 
+       errors += test_random(session);
+
        errors += test_digest(slot);
 
        errors += test_signature(slot, session);