void test_RSA_encryption(){
unsigned char message[129];
strncpy((char*)message,"Hello. This is Timothy.",sizeof(message));
unsigned char ciphertext[129];
unsigned char decrypted[129];
memset(ciphertext,'\0',129);
memset(decrypted,'\0',129);
FILE* fp=fopen("publickey.pem","r");
RSA* pubkey=NULL;
RSA* privkey=NULL;
//Get public key
if((pubkey=PEM_read_RSAPublicKey(fp,&pubkey,NULL,NULL))==NULL){
printf("Error reading public key from file\n");
return;
}
fclose(fp);
printf("Original message: %s\n",message);
int encrypt_len=encrypt_with_public_key(pubkey,message,ciphertext,23);
printf("Encrypted message: %s\n",ciphertext);
privkey=get_private_key();
fp=fopen("privatekeyTEST.pem","w+");
int success=PEM_write_RSAPrivateKey(fp,privkey,NULL,NULL,0,NULL,NULL);
fclose(fp);
if(success!=1){
perror("Issue writing the private key to file: ");
}
decrypt_with_private_key(privkey,ciphertext,decrypted,encrypt_len);
printf("Decrypted message: %s\n",decrypted);
RSA_free(pubkey);
RSA_free(privkey);
}
int sign_value(pkcs11_handle_t *h, cert_object_t *cert, CK_BYTE *data,
CK_ULONG length, CK_BYTE **signature, CK_ULONG *signature_length)
{
int rv;
CK_BYTE hash[15 + SHA_DIGEST_LENGTH] =
"\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14";
CK_MECHANISM mechanism = { 0, NULL, 0 };
if (get_private_key(h, cert) == -1) {
set_error("Couldn't find private key for certificate");
return -1;
}
/* set mechanism */
switch (cert->key_type) {
case CKK_RSA:
mechanism.mechanism = CKM_RSA_PKCS;
break;
default:
set_error("unsupported key type %d", cert->type);
return -1;
}
/* compute hash-value */
SHA1(data, length, &hash[15]);
DBG5("hash[%ld] = [...:%02x:%02x:%02x:...:%02x]", sizeof(hash),
hash[15], hash[16], hash[17], hash[sizeof(hash) - 1]);
/* sign the token */
rv = h->fl->C_SignInit(h->session, &mechanism, cert->private_key);
if (rv != CKR_OK) {
set_error("C_SignInit() failed: 0x%08lX", rv);
return -1;
}
*signature = NULL;
*signature_length = 128;
while (*signature == NULL) {
*signature = malloc(*signature_length);
if (*signature == NULL) {
set_error("not enough free memory available");
return -1;
}
rv = h->fl->C_Sign(h->session, hash, sizeof(hash), *signature, signature_length);
if (rv == CKR_BUFFER_TOO_SMALL) {
/* increase signature length as long as it it to short */
free(*signature);
*signature = NULL;
*signature_length *= 2;
DBG1("increased signature buffer-length to %ld", *signature_length);
} else if (rv != CKR_OK) {
free(*signature);
*signature = NULL;
set_error("C_Sign() failed: 0x%08lX", rv);
return -1;
}
}
DBG5("signature[%ld] = [%02x:%02x:%02x:...:%02x]", *signature_length,
(*signature)[0], (*signature)[1], (*signature)[2], (*signature)[*signature_length - 1]);
return 0;
}
int
main (int argc, char **argv)
{
setprogname (argv[0]);
random_update ();
esign_priv sk = get_private_key();
test_key_sign (sk);
}
void handle_symmetric_key(unsigned char* packet){
struct gyn_header* gyn=(struct gyn_header*)packet;
unsigned char enc_sym_key[129];
unsigned char dec_sym_key[129];
memset(enc_sym_key,'\0',129);
memset(dec_sym_key,'\0',129);
memcpy(enc_sym_key,packet+sizeof(struct gyn_header),gyn->pkt_size-sizeof(struct timeval));
// printf("\t Encrypted symmetric key: ");
// print_aes_key(enc_sym_key,gyn->pkt_size-sizeof(struct timeval));
RSA* privkey=NULL;
privkey=get_private_key();
decrypt_with_private_key(privkey,enc_sym_key,dec_sym_key,gyn->pkt_size-sizeof(struct timeval));
// printf("\tDecrypted symmetric key: ");
// print_aes_key(dec_sym_key,16);
//Create session entry and write to file
struct session_entry sesh_entry;
sesh_entry.host_id=gyn->src;
memcpy(sesh_entry.sym_key,dec_sym_key,16);
memcpy(&sesh_entry.timestamp,packet+sizeof(struct gyn_header)+gyn->pkt_size-sizeof(struct timeval),sizeof(struct timeval));
writeToSessionFile(&sesh_entry);
return;
}
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int i, rv;
const char *user = NULL;
char *password;
unsigned int slot_num = 0;
int is_a_screen_saver = 0;
struct configuration_st *configuration;
int pkcs11_pam_fail = PAM_AUTHINFO_UNAVAIL;
pkcs11_handle_t *ph;
cert_object_t *chosen_cert = NULL;
cert_object_t **cert_list;
int ncert;
unsigned char random_value[128];
unsigned char *signature;
unsigned long signature_length;
/* enough space to hold an issuer DN */
char env_temp[256] = "";
char **issuer, **serial;
const char *login_token_name = NULL;
pam_prompt(pamh, PAM_TEXT_INFO , NULL, _("Smartcard authentication starts"));
/* first of all check whether debugging should be enabled */
for (i = 0; i < argc; i++)
if (strcmp("debug", argv[i]) == 0) {
set_debug_level(1);
}
/* call configure routines */
configuration = pk_configure(argc,argv);
if (!configuration ) {
ERR("Error setting configuration parameters");
return PAM_AUTHINFO_UNAVAIL;
}
/* Either slot_description or slot_num, but not both, needs to be used */
if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
ERR("Error setting configuration parameters");
return PAM_AUTHINFO_UNAVAIL;
}
/* fail if we are using a remote server
* local login: DISPLAY=:0
* XDMCP login: DISPLAY=host:0 */
{
char *display = getenv("DISPLAY");
if (display)
{
if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':')
&& (display[0] != '\0')) {
ERR1("Remote login (from %s) is not (yet) supported", display);
pam_syslog(pamh, LOG_ERR,
"Remote login (from %s) is not (yet) supported", display);
return PAM_AUTHINFO_UNAVAIL;
}
}
}
#ifdef ENABLE_NLS
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, "/usr/share/locale");
textdomain(PACKAGE);
#endif
/* init openssl */
rv = crypto_init(&configuration->policy);
if (rv != 0) {
ERR("Failed to initialize crypto");
if (!configuration->quiet)
pam_syslog(pamh,LOG_ERR, "Failed to initialize crypto");
return PAM_AUTHINFO_UNAVAIL;
}
/*
* card_only means:
* 1) always get the userid from the certificate.
* 2) don't prompt for the user name if the card is present.
* 3) if the token is present, then we must use the cardAuth mechanism.
*
* wait_for_card means:
* 1) nothing if card_only isn't set
* 2) if logged in, block in pam conversation until the token used for login
* is inserted
* 3) if not logged in, block until a token that could be used for logging in
* is inserted
* right now, logged in means PKC11_LOGIN_TOKEN_NAME is set,
* but we could something else later (like set some per-user state in
* a pam session module keyed off uid)
*/
if (configuration->card_only) {
char *service;
if (configuration->screen_savers) {
DBG("Is it a screen saver?");
pam_get_item(pamh, PAM_SERVICE, &service);
for (i=0; configuration->screen_savers[i]; i++) {
if (strcmp(configuration->screen_savers[i], service) == 0) {
is_a_screen_saver = 1;
break;
}
}
}
pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
/* look to see if username is already set */
pam_get_item(pamh, PAM_USER, &user);
if (user) {
DBG1("explicit username = [%s]", user);
}
} else {
rv = pam_get_item(pamh, PAM_USER, &user);
if (rv != PAM_SUCCESS || user == NULL || user[0] == '\0') {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your %s or enter your username."),
_(configuration->token_type));
/* get user name */
rv = pam_get_user(pamh, &user, NULL);
if (rv != PAM_SUCCESS) {
pam_syslog(pamh, LOG_ERR,
"pam_get_user() failed %s", pam_strerror(pamh, rv));
return PAM_USER_UNKNOWN;
}
}
DBG1("username = [%s]", user);
}
login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
/* if we are using a screen saver, and we didn't log in using the smart card
* drop to the next pam module. */
if (is_a_screen_saver && !login_token_name) {
return PAM_IGNORE;
}
/* load pkcs #11 module */
DBG("loading pkcs #11 module...");
rv = load_pkcs11_module(configuration->pkcs11_modulepath, &ph);
if (rv != 0) {
ERR2("load_pkcs11_module() failed loading %s: %s",
configuration->pkcs11_modulepath, get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "load_pkcs11_module() failed loading %s: %s",
configuration->pkcs11_modulepath, get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2302: PKCS#11 module failed loading"));
sleep(configuration->err_display_time);
}
return PAM_AUTHINFO_UNAVAIL;
}
/* initialise pkcs #11 module */
DBG("initialising pkcs #11 module...");
rv = init_pkcs11_module(ph,configuration->support_threads);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("init_pkcs11_module() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "init_pkcs11_module() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2304: PKCS#11 module could not be initialized"));
sleep(configuration->err_display_time);
}
return PAM_AUTHINFO_UNAVAIL;
}
/* open pkcs #11 session */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel_and_tokenlabel(ph,
configuration->slot_description, login_token_name, &slot_num);
} else if (configuration->slot_num != -1) {
rv = find_slot_by_number_and_label(ph, configuration->slot_num,
login_token_name, &slot_num);
}
if (rv != 0) {
ERR("no suitable token available");
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "no suitable token available");
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2306: No suitable token available"));
sleep(configuration->err_display_time);
}
if (!configuration->card_only) {
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
}
/* we must have a smart card, either because we've configured it as such,
* or because we used one to log in */
if (login_token_name || configuration->wait_for_card) {
if (login_token_name) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your smart card called \"%.32s\"."),
login_token_name);
} else {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your smart card."));
}
if (configuration->slot_description != NULL) {
rv = wait_for_token_by_slotlabel(ph, configuration->slot_description,
login_token_name, &slot_num);
} else if (configuration->slot_num != -1) {
rv = wait_for_token(ph, configuration->slot_num,
login_token_name, &slot_num);
}
if (rv != 0) {
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
} else if (user) {
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2308: No smartcard found"));
sleep(configuration->err_display_time);
}
/* we have a user and no smart card, go to the next pam module */
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
} else {
/* we haven't prompted for the user yet, get the user and see if
* the smart card has been inserted in the mean time */
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Please insert your %s or enter your username."),
_(configuration->token_type));
rv = pam_get_user(pamh, &user, NULL);
/* check one last time for the smart card before bouncing to the next
* module */
if (configuration->slot_description != NULL) {
rv = find_slot_by_slotlabel(ph, configuration->slot_description,
&slot_num);
} else if (configuration->slot_num != -1) {
rv = find_slot_by_number(ph, configuration->slot_num, &slot_num);
}
if (rv != 0) {
/* user gave us a user id and no smart card go to next module */
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2310: No smartcard found"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return PAM_AUTHINFO_UNAVAIL;
}
}
} else {
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("%s found."), _(configuration->token_type));
}
rv = open_pkcs11_session(ph, slot_num);
if (rv != 0) {
ERR1("open_pkcs11_session() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "open_pkcs11_session() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2312: open PKCS#11 session failed"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
rv = get_slot_login_required(ph);
if (rv == -1) {
ERR1("get_slot_login_required() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "get_slot_login_required() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2314: Slot login failed"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
return pkcs11_pam_fail;
} else if (rv) {
/* get password */
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Welcome %.32s!"), get_slot_tokenlabel(ph));
/* no CKF_PROTECTED_AUTHENTICATION_PATH */
rv = get_slot_protected_authentication_path(ph);
if ((-1 == rv) || (0 == rv))
{
char password_prompt[128];
snprintf(password_prompt, sizeof(password_prompt), _("%s PIN: "), _(configuration->token_type));
if (configuration->use_first_pass) {
rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0);
} else if (configuration->try_first_pass) {
rv = pam_get_pwd(pamh, &password, password_prompt, PAM_AUTHTOK,
PAM_AUTHTOK);
} else {
rv = pam_get_pwd(pamh, &password, password_prompt, 0, PAM_AUTHTOK);
}
if (rv != PAM_SUCCESS) {
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2316: password could not be read"));
sleep(configuration->err_display_time);
}
release_pkcs11_module(ph);
pam_syslog(pamh, LOG_ERR,
"pam_get_pwd() failed: %s", pam_strerror(pamh, rv));
return pkcs11_pam_fail;
}
#ifdef DEBUG_SHOW_PASSWORD
DBG1("password = [%s]", password);
#endif
/* check password length */
if (!configuration->nullok && strlen(password) == 0) {
release_pkcs11_module(ph);
memset(password, 0, strlen(password));
free(password);
pam_syslog(pamh, LOG_ERR,
"password length is zero but the 'nullok' argument was not defined.");
if (!configuration->quiet) {
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2318: Empty smartcard PIN not allowed."));
sleep(configuration->err_display_time);
}
return PAM_AUTH_ERR;
}
}
else
{
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
_("Enter your %s PIN on the pinpad"), _(configuration->token_type));
/* use pin pad */
password = NULL;
}
/* call pkcs#11 login to ensure that the user is the real owner of the card
* we need to do thise before get_certificate_list because some tokens
* can not read their certificates until the token is authenticated */
rv = pkcs11_login(ph, password);
/* erase and free in-memory password data asap */
if (password)
{
memset(password, 0, strlen(password));
free(password);
}
if (rv != 0) {
ERR1("open_pkcs11_login() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2320: Wrong smartcard PIN"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
}
cert_list = get_certificate_list(ph, &ncert);
if (rv<0) {
ERR1("get_certificate_list() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "get_certificate_list() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2322: No certificate found"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* load mapper modules */
load_mappers(configuration->ctx);
/* find a valid and matching certificates */
for (i = 0; i < ncert; i++) {
X509 *x509 = (X509 *)get_X509_certificate(cert_list[i]);
if (!x509 ) continue; /* sanity check */
DBG1("verifying the certificate #%d", i + 1);
if (!configuration->quiet) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("verifying certificate"));
}
/* verify certificate (date, signature, CRL, ...) */
rv = verify_certificate(x509,&configuration->policy);
if (rv < 0) {
ERR1("verify_certificate() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"verify_certificate() failed: %s", get_error());
switch (rv) {
case -2: // X509_V_ERR_CERT_HAS_EXPIRED:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2324: Certificate has expired"));
break;
case -3: // X509_V_ERR_CERT_NOT_YET_VALID:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2326: Certificate not yet valid"));
break;
case -4: // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2328: Certificate signature invalid"));
break;
default:
pam_prompt(pamh, PAM_ERROR_MSG , NULL,
_("Error 2330: Certificate invalid"));
break;
}
sleep(configuration->err_display_time);
}
continue; /* try next certificate */
} else if (rv != 1) {
ERR1("verify_certificate() failed: %s", get_error());
continue; /* try next certificate */
}
/* CA and CRL verified, now check/find user */
if ( is_spaced_str(user) ) {
/*
if provided user is null or empty extract and set user
name from certificate
*/
DBG("Empty login: try to deduce from certificate");
user=find_user(x509);
if (!user) {
ERR2("find_user() failed: %s on cert #%d", get_error(),i+1);
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR,
"find_user() failed: %s on cert #%d",get_error(),i+1);
continue; /* try on next certificate */
} else {
DBG1("certificate is valid and matches user %s",user);
/* try to set up PAM user entry with evaluated value */
rv = pam_set_item(pamh, PAM_USER,(const void *)user);
if (rv != PAM_SUCCESS) {
ERR1("pam_set_item() failed %s", pam_strerror(pamh, rv));
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"pam_set_item() failed %s", pam_strerror(pamh, rv));
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2332: setting PAM userentry failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
chosen_cert = cert_list[i];
break; /* end loop, as find user success */
}
} else {
/* User provided:
check whether the certificate matches the user */
rv = match_user(x509, user);
if (rv < 0) { /* match error; abort and return */
ERR1("match_user() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "match_user() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2334: No matching user"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
} else if (rv == 0) { /* match didn't success */
DBG("certificate is valid but does not match the user");
continue; /* try next certificate */
} else { /* match success */
DBG("certificate is valid and matches the user");
chosen_cert = cert_list[i];
break;
}
} /* if is_spaced string */
} /* for (i=0; i<ncerts; i++) */
/* now myCert points to our found certificate or null if no user found */
if (!chosen_cert) {
ERR("no valid certificate which meets all requirements found");
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR,
"no valid certificate which meets all requirements found");
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2336: No matching certificate found"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* if signature check is enforced, generate random data, sign and verify */
if (configuration->policy.signature_policy) {
pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Checking signature"));
#ifdef notdef
rv = get_private_key(ph);
if (rv != 0) {
ERR1("get_private_key() failed: %s", get_error());
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR,
"get_private_key() failed: %s", get_error());
goto auth_failed_nopw;
}
#endif
/* read random value */
rv = get_random_value(random_value, sizeof(random_value));
if (rv != 0) {
ERR1("get_random_value() failed: %s", get_error());
if (!configuration->quiet){
pam_syslog(pamh, LOG_ERR, "get_random_value() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2338: Getting random value failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* sign random value */
signature = NULL;
rv = sign_value(ph, chosen_cert, random_value, sizeof(random_value),
&signature, &signature_length);
if (rv != 0) {
ERR1("sign_value() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "sign_value() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2340: Signing failed"));
sleep(configuration->err_display_time);
}
goto auth_failed_nopw;
}
/* verify the signature */
DBG("verifying signature...");
rv = verify_signature((X509 *)get_X509_certificate(chosen_cert),
random_value, sizeof(random_value), signature, signature_length);
if (signature != NULL) {
free(signature);
}
if (rv != 0) {
close_pkcs11_session(ph);
release_pkcs11_module(ph);
ERR1("verify_signature() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "verify_signature() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, _("Error 2342: Verifying signature failed"));
sleep(configuration->err_display_time);
}
return PAM_AUTH_ERR;
}
} else {
DBG("Skipping signature check");
}
/*
* fill in the environment variables.
*/
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_TOKEN_NAME=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_TOKEN_NAME=")),
get_slot_tokenlabel(ph));
rv = pam_putenv(pamh, env_temp);
if (rv != PAM_SUCCESS) {
ERR1("could not put token name in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put token name in environment: %s",
pam_strerror(pamh, rv));
}
issuer = cert_info((X509 *)get_X509_certificate(chosen_cert), CERT_ISSUER,
ALGORITHM_NULL);
if (issuer) {
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_CERT_ISSUER=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_ISSUER=")),
issuer[0]);
rv = pam_putenv(pamh, env_temp);
} else {
ERR("couldn't get certificate issuer.");
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "couldn't get certificate issuer.");
}
if (rv != PAM_SUCCESS) {
ERR1("could not put cert issuer in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put cert issuer in environment: %s",
pam_strerror(pamh, rv));
}
serial = cert_info((X509 *)get_X509_certificate(chosen_cert), CERT_SERIAL,
ALGORITHM_NULL);
if (serial) {
snprintf(env_temp, sizeof(env_temp) - 1,
"PKCS11_LOGIN_CERT_SERIAL=%.*s",
(int)((sizeof(env_temp) - 1) - strlen("PKCS11_LOGIN_CERT_SERIAL=")),
serial[0]);
rv = pam_putenv(pamh, env_temp);
} else {
ERR("couldn't get certificate serial number.");
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "couldn't get certificate serial number.");
}
if (rv != PAM_SUCCESS) {
ERR1("could not put cert serial in environment: %s",
pam_strerror(pamh, rv));
if (!configuration->quiet)
pam_syslog(pamh, LOG_ERR, "could not put cert serial in environment: %s",
pam_strerror(pamh, rv));
}
/* unload mapper modules */
unload_mappers();
/* close pkcs #11 session */
rv = close_pkcs11_session(ph);
if (rv != 0) {
release_pkcs11_module(ph);
ERR1("close_pkcs11_session() failed: %s", get_error());
if (!configuration->quiet) {
pam_syslog(pamh, LOG_ERR, "close_pkcs11_module() failed: %s", get_error());
pam_prompt(pamh, PAM_ERROR_MSG , NULL, ("Error 2344: Closing PKCS#11 session failed"));
sleep(configuration->err_display_time);
}
return pkcs11_pam_fail;
}
/* release pkcs #11 module */
DBG("releasing pkcs #11 module...");
release_pkcs11_module(ph);
DBG("authentication succeeded");
return PAM_SUCCESS;
/* quick and dirty fail exit point */
memset(password, 0, strlen(password));
free(password); /* erase and free in-memory password data */
auth_failed_nopw:
unload_mappers();
close_pkcs11_session(ph);
release_pkcs11_module(ph);
return pkcs11_pam_fail;
}
