CK_RV
init_token_data(TSS_HCONTEXT hContext, TOKEN_DATA *td) {
CK_RV rc;
(void) memset((char *)td, 0, sizeof (nv_token_data));
//
// the normal USER pin is not set when the token is initialized
//
(void) memcpy(td->user_pin_sha, "00000000000000000000",
SHA1_DIGEST_LENGTH);
(void) memcpy(td->so_pin_sha, default_so_pin_sha,
SHA1_DIGEST_LENGTH);
(void) memset(user_pin_md5, 0x0, MD5_DIGEST_LENGTH);
(void) memcpy(so_pin_md5, default_so_pin_md5, MD5_DIGEST_LENGTH);
(void) memcpy(td->next_token_object_name, "00000000", 8);
td->tweak_vector.allow_key_mods = TRUE;
init_token_info(td);
rc = token_get_tpm_info(hContext, td);
if (rc != CKR_OK)
return (rc);
rc = save_token_data(td);
return (rc);
}
CK_RV init_token_data(CK_SLOT_ID slot_id)
{
CK_RV rc;
memset((char *)nv_token_data, 0, sizeof(nv_token_data));
// the normal USER pin is not set when the token is initialized
//
memcpy(nv_token_data->user_pin_sha, "00000000000000000000",
SHA1_HASH_SIZE);
memcpy(nv_token_data->so_pin_sha, default_so_pin_sha, SHA1_HASH_SIZE);
memset(user_pin_md5, 0x0, MD5_HASH_SIZE);
memcpy(so_pin_md5, default_so_pin_md5, MD5_HASH_SIZE);
memcpy(nv_token_data->next_token_object_name, "00000000", 8);
// generate the master key used for signing the Operation State information
// `
memset(nv_token_data->token_info.label, ' ',
sizeof(nv_token_data->token_info.label));
memcpy(nv_token_data->token_info.label, label, strlen((char *)label));
nv_token_data->tweak_vector.allow_weak_des = TRUE;
nv_token_data->tweak_vector.check_des_parity = FALSE;
nv_token_data->tweak_vector.allow_key_mods = TRUE;
nv_token_data->tweak_vector.netscape_mods = TRUE;
init_tokenInfo();
if (token_specific.t_init_token_data) {
rc = token_specific.t_init_token_data(slot_id);
if (rc != CKR_OK)
return rc;
} else {
//
// FIXME: erase the token object index file (and all token objects)
//
rc = generate_master_key(master_key);
if (rc != CKR_OK) {
TRACE_DEVEL("generate_master_key failed.\n");
return CKR_FUNCTION_FAILED;
}
rc = save_masterkey_so();
if (rc != CKR_OK) {
TRACE_DEVEL("save_masterkey_so failed.\n");
return rc;
}
}
rc = save_token_data(slot_id);
return rc;
}
CK_RV
init_token_data( void )
{
CK_RV rc;
memset( (char *)nv_token_data, 0, sizeof(nv_token_data) );
// the normal USER pin is not set when the token is initialized
//
memcpy( nv_token_data->user_pin_sha, "00000000000000000000", SHA1_HASH_SIZE );
memcpy( nv_token_data->so_pin_sha, default_so_pin_sha, SHA1_HASH_SIZE );
memset( user_pin_md5, 0x0, MD5_HASH_SIZE );
memcpy( so_pin_md5, default_so_pin_md5, MD5_HASH_SIZE );
memcpy( nv_token_data->next_token_object_name, "00000000", 8 );
// generate the master key used for signing the Operation State information
// `
memset( nv_token_data->token_info.label, ' ', sizeof(nv_token_data->token_info.label) );
memcpy( nv_token_data->token_info.label, label, strlen((char *)label) );
nv_token_data->tweak_vector.allow_weak_des = TRUE;
nv_token_data->tweak_vector.check_des_parity = FALSE;
nv_token_data->tweak_vector.allow_key_mods = TRUE;
nv_token_data->tweak_vector.netscape_mods = TRUE;
init_tokenInfo();
//
// FIXME: erase the token object index file (and all token objects)
//
#if 0
rc = rng_generate( master_key, 3 * DES_KEY_SIZE );
if (rc != CKR_OK){
OCK_LOG_ERR(ERR_FUNCTION_FAILED);
return CKR_FUNCTION_FAILED;
}
rc = save_masterkey_so();
if (rc != CKR_OK){
OCK_LOG_ERR(ERR_FUNCTION_FAILED);
return CKR_FUNCTION_FAILED;
}
#endif
rc = save_token_data();
if (rc != CKR_OK)
OCK_LOG_ERR(ERR_FUNCTION_FAILED);
return rc;
}
CK_RV
SC_Login(ST_SESSION_HANDLE sSession,
CK_USER_TYPE userType,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen)
{
SESSION * sess = NULL;
CK_FLAGS * flags = NULL, flagcheck, flagmask;
CK_RV rc = CKR_OK;
SESS_SET
// In v2.11, logins should be exclusive, since token
// specific flags may need to be set for a bad login. - KEY
rc = pthread_mutex_lock(&login_mutex);
if (rc != CKR_OK) {
return (CKR_FUNCTION_FAILED);
}
if (st_Initialized() == FALSE) {
rc = CKR_CRYPTOKI_NOT_INITIALIZED;
goto done;
}
sess = session_mgr_find(hSession);
if (! sess) {
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
flags = &nv_token_data->token_info.flags;
if (pPin == NULL) {
set_login_flags(userType, flags);
rc = CKR_ARGUMENTS_BAD;
goto done;
}
if (ulPinLen < MIN_PIN_LEN || ulPinLen > MAX_PIN_LEN) {
set_login_flags(userType, flags);
rc = CKR_PIN_LEN_RANGE;
goto done;
}
/*
* PKCS #11 v2.01 requires that all sessions have the same login status:
* --> all sessions are public, all are SO or all are USER
*/
if (userType == CKU_USER) {
if (session_mgr_so_session_exists()) {
rc = CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
}
if (session_mgr_user_session_exists()) {
rc = CKR_USER_ALREADY_LOGGED_IN;
}
} else if (userType == CKU_SO) {
if (session_mgr_user_session_exists()) {
rc = CKR_USER_ANOTHER_ALREADY_LOGGED_IN;
}
if (session_mgr_so_session_exists()) {
rc = CKR_USER_ALREADY_LOGGED_IN;
}
if (session_mgr_readonly_exists()) {
rc = CKR_SESSION_READ_ONLY_EXISTS;
}
} else {
rc = CKR_USER_TYPE_INVALID;
}
if (rc != CKR_OK)
goto done;
if (userType == CKU_USER) {
flagcheck = CKF_USER_PIN_LOCKED;
flagmask = (CKF_USER_PIN_LOCKED | CKF_USER_PIN_FINAL_TRY |
CKF_USER_PIN_COUNT_LOW);
} else {
flagcheck = CKF_SO_PIN_LOCKED;
flagmask = (CKF_SO_PIN_LOCKED |
CKF_SO_PIN_FINAL_TRY |
CKF_SO_PIN_COUNT_LOW);
}
if (*flags & flagcheck) {
rc = CKR_PIN_LOCKED;
goto done;
}
/* call the pluggable login function here */
rc = token_specific.t_login(sess->hContext, userType, pPin, ulPinLen);
if (rc == CKR_OK) {
*flags &= ~(flagmask);
} else if (rc == CKR_PIN_INCORRECT) {
set_login_flags(userType, flags);
goto done;
} else {
goto done;
}
rc = session_mgr_login_all(userType);
done:
if (rc == CKR_OK)
rc = save_token_data(nv_token_data);
(void) pthread_mutex_unlock(&login_mutex);
return (rc);
}
CK_RV
SC_InitPIN(
ST_SESSION_HANDLE sSession,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen)
{
SESSION * sess = NULL;
CK_RV rc = CKR_OK;
CK_FLAGS * flags = NULL;
SESS_SET
if (st_Initialized() == FALSE) {
rc = CKR_CRYPTOKI_NOT_INITIALIZED;
goto done;
}
if (! pPin) {
rc = CKR_ARGUMENTS_BAD;
goto done;
}
sess = session_mgr_find(hSession);
if (! sess) {
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
if (pin_locked(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
rc = CKR_PIN_LOCKED;
goto done;
}
if (sess->session_info.state != CKS_RW_SO_FUNCTIONS) {
rc = CKR_USER_NOT_LOGGED_IN;
goto done;
}
rc = token_specific.t_init_pin(sess->hContext, pPin, ulPinLen);
if (rc == CKR_OK) {
flags = &nv_token_data->token_info.flags;
*flags &= ~(CKF_USER_PIN_LOCKED |
CKF_USER_PIN_FINAL_TRY |
CKF_USER_PIN_COUNT_LOW);
rc = save_token_data(nv_token_data);
if (rc != CKR_OK) {
goto done;
}
}
done:
if (debugfile) {
stlogit2(debugfile, "% - 25s: session = %08x\n",
"C_InitPin", rc, hSession);
}
return (rc);
}
/*ARGSUSED*/
CK_RV
SC_InitToken(
CK_SLOT_ID sid,
CK_CHAR_PTR pPin,
CK_ULONG ulPinLen,
CK_CHAR_PTR pLabel)
{
CK_RV rc = CKR_OK;
CK_BYTE hash_sha[SHA1_DIGEST_LENGTH];
TOKEN_DATA newtoken;
TSS_HCONTEXT hContext = 0;
if (st_Initialized() == FALSE) {
rc = CKR_CRYPTOKI_NOT_INITIALIZED;
goto done;
}
if (sid != TPM_SLOTID) {
rc = CKR_SLOT_ID_INVALID;
goto done;
}
if (! pPin || ! pLabel) {
rc = CKR_ARGUMENTS_BAD;
goto done;
}
if (open_tss_context(&hContext)) {
rc = CKR_FUNCTION_FAILED;
goto done;
}
rc = load_token_data(hContext, &newtoken);
if (rc != CKR_OK) {
goto done;
}
if (newtoken.token_info.flags & CKF_SO_PIN_LOCKED) {
rc = CKR_PIN_LOCKED;
goto done;
}
rc = token_specific.t_verify_so_pin(hContext, pPin, ulPinLen);
if (rc != CKR_OK) {
rc = CKR_PIN_INCORRECT;
goto done;
}
/*
* Before we reconstruct all the data, we should delete the
* token objects from the filesystem.
*
* Construct a string to delete the token objects.
*/
(void) object_mgr_destroy_token_objects(hContext);
(void) init_token_data(hContext, &newtoken);
(void) init_slot_info(&newtoken);
/* change the label */
(void) strncpy((char *)newtoken.token_info.label, (char *)pLabel,
sizeof (newtoken.token_info.label));
(void) memcpy(newtoken.so_pin_sha, hash_sha,
SHA1_DIGEST_LENGTH);
newtoken.token_info.flags |= CKF_TOKEN_INITIALIZED;
rc = save_token_data(&newtoken);
done:
if (hContext)
(void) Tspi_Context_Close(hContext);
return (rc);
}
