-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c11
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c12
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c12
5 files changed, 18 insertions, 22 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 14f221431..d683afa8a 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -929,7 +929,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
else if (match("PIN", &token))
{
chunk_t sc = chunk_empty, secret = chunk_empty;
- char smartcard[64], keyid[64], pin[64], module[64], *pos;
+ char smartcard[64], keyid[64], module[64], *pos;
private_key_t *key;
u_int slot;
enum {
@@ -997,8 +997,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
DBG1(DBG_CFG, "line %d: malformed PIN: %s", line_nr, ugh);
goto error;
}
- snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
- pin[sizeof(pin) - 1] = '\0';
switch (format)
{
@@ -1008,20 +1006,20 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
BUILD_PKCS11_SLOT, slot,
BUILD_PKCS11_MODULE, module,
BUILD_PKCS11_KEYID, keyid,
- BUILD_PKCS11_PIN, pin, BUILD_END);
+ BUILD_PASSPHRASE, secret, BUILD_END);
break;
case SC_FORMAT_SLOT_KEYID:
key = lib->creds->create(lib->creds,
CRED_PRIVATE_KEY, KEY_ANY,
BUILD_PKCS11_SLOT, slot,
BUILD_PKCS11_KEYID, keyid,
- BUILD_PKCS11_PIN, pin, BUILD_END);
+ BUILD_PASSPHRASE, secret, BUILD_END);
break;
case SC_FORMAT_KEYID:
key = lib->creds->create(lib->creds,
CRED_PRIVATE_KEY, KEY_ANY,
BUILD_PKCS11_KEYID, keyid,
- BUILD_PKCS11_PIN, pin, BUILD_END);
+ BUILD_PASSPHRASE, secret, BUILD_END);
break;
}
if (key)
@@ -1029,7 +1027,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level,
DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr);
this->private->insert_last(this->private, key);
}
- memset(pin, 0, sizeof(pin));
chunk_clear(&secret);
}
else if ((match("PSK", &token) && (type = SHARED_IKE)) ||
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 1fa1377e9..ab7f2b579 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -48,7 +48,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_PKCS11_MODULE",
"BUILD_PKCS11_SLOT",
"BUILD_PKCS11_KEYID",
- "BUILD_PKCS11_PIN",
"BUILD_RSA_MODULUS",
"BUILD_RSA_PUB_EXP",
"BUILD_RSA_PRIV_EXP",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index d13ada0aa..891c178e0 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -57,7 +57,7 @@ enum builder_part_t {
BUILD_BLOB_PGP,
/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
BUILD_BLOB_DNSKEY,
- /** passphrase for e.g. PEM decryption, chunk_t */
+ /** passphrase for e.g. PEM decryption, smartcard unlock, chunk_t */
BUILD_PASSPHRASE,
/** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
* The callback is invoked until the returned passphrase is accepted, or
@@ -109,8 +109,6 @@ enum builder_part_t {
BUILD_PKCS11_SLOT,
/** key ID of a key on a token, null terminated char* */
BUILD_PKCS11_KEYID,
- /** pin to access a token, null terminated char* */
- BUILD_PKCS11_PIN,
/** modulus (n) of a RSA key, chunk_t */
BUILD_RSA_MODULUS,
/** public exponent (e) of a RSA key, chunk_t */
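Review bot: Removing `BUILD_PKCS11_PIN` from the middle of `enum builder_part_t` renumbers every member after it (`BUILD_RSA_MODULUS` onwards), so any plugin built against the previous header and loaded into the new library would pass misinterpreted builder parts; the in-tree names table in builder.c is updated in step, so the visible code is consistent. If out-of-tree plugins are a supported case, either keep a placeholder in the old slot or say in the commit message that the builder ABI changed. The enum starts and ends outside the hunk.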
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index b7b6e797d..d596fcf6b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -451,8 +451,9 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
{
#ifndef OPENSSL_NO_ENGINE
private_openssl_rsa_private_key_t *this;
- char *keyid = NULL, *pin = NULL, *engine_id = NULL;
- char keyname[64];
+ char *keyid = NULL, *engine_id = NULL;
+ char keyname[64], pin[32];;
+ chunk_t secret = chunk_empty;
EVP_PKEY *key;
ENGINE *engine;
int slot = -1;
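Review bot: The declaration `char keyname[64], pin[32];;` has a stray second semicolon after the new `pin[32]` buffer. The PIN also moves from a caller-owned string into a stack buffer local to this function, and since the body continues outside the hunk I cannot see whether that buffer is wiped after the engine login; it should be cleared on every exit path, e.g. the idiom this commit removes from stroke_cred.c, `memset(pin, 0, sizeof(pin));`, or whatever wipe the project uses that the compiler cannot elide. The rest of `openssl_rsa_private_key_connect` is outside the hunk.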
@@ -464,8 +465,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, char*);
continue;
- case BUILD_PKCS11_PIN:
- pin = va_arg(args, char*);
+ case BUILD_PASSPHRASE:
+ secret = va_arg(args, chunk_t);
continue;
case BUILD_PKCS11_SLOT:
slot = va_arg(args, int);
@@ -480,7 +481,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
}
break;
}
- if (!keyid || !pin)
+ if (!keyid || !secret.len || !secret.ptr)
{
return NULL;
}
@@ -493,6 +494,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
{
snprintf(keyname, sizeof(keyname), "%d:%s", slot, keyid);
}
+ snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
if (!engine_id)
{
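Review bot: The new `snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);` silently truncates the passphrase to 31 bytes, and the stroke buffer it replaces was 64 bytes, so a PIN of 32 to 63 characters that used to reach the engine would now be sent truncated and fail to unlock. Check the result and refuse the key instead: `int n = snprintf(pin, sizeof(pin), "%.*s", (int)secret.len, secret.ptr);` followed by `if (n < 0 || n >= (int)sizeof(pin)) { return NULL; }`, routing through the function's cleanup if anything acquired earlier in the body (outside the hunk) must be released. The `(int)` cast also matters if `chunk_t.len` is not an `int`, since `%.*s` takes an `int` precision from the varargs. The enclosing function continues outside the hunk.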
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index 576e2af82..cce6afbf1 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -276,10 +276,10 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
{
private_pkcs11_private_key_t *this;
- char *keyid = NULL, *pin = NULL, *module = NULL;
+ char *keyid = NULL, *module = NULL;
int slot = -1;
CK_RV rv;
- chunk_t chunk;
+ chunk_t chunk, pin = chunk_empty;
while (TRUE)
{
@@ -288,8 +288,8 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, char*);
continue;
- case BUILD_PKCS11_PIN:
- pin = va_arg(args, char*);
+ case BUILD_PASSPHRASE:
+ pin = va_arg(args, chunk_t);
continue;
case BUILD_PKCS11_SLOT:
slot = va_arg(args, int);
@@ -304,7 +304,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
}
break;
}
- if (!keyid || !pin || !module || slot == -1)
+ if (!keyid || !pin.ptr || !pin.len || !module || slot == -1)
{ /* we currently require all parameters, TODO: search for pubkeys */
return NULL;
}
@@ -347,7 +347,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- rv = this->lib->f->C_Login(this->session, CKU_USER, pin, strlen(pin));
+ rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "login to '%s':%d failed: %N",