aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan')
-rw-r--r--src/libstrongswan/credentials/builder.c1
-rw-r--r--src/libstrongswan/credentials/builder.h4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c12
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c12
4 files changed, 14 insertions, 15 deletions
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index 1fa1377e9..ab7f2b579 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -48,7 +48,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
"BUILD_PKCS11_MODULE",
"BUILD_PKCS11_SLOT",
"BUILD_PKCS11_KEYID",
- "BUILD_PKCS11_PIN",
"BUILD_RSA_MODULUS",
"BUILD_RSA_PUB_EXP",
"BUILD_RSA_PRIV_EXP",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index d13ada0aa..891c178e0 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -57,7 +57,7 @@ enum builder_part_t {
BUILD_BLOB_PGP,
/** DNS public key blob (RFC 4034, RSA specifc RFC 3110), chunk_t */
BUILD_BLOB_DNSKEY,
- /** passphrase for e.g. PEM decryption, chunk_t */
+ /** passphrase for e.g. PEM decryption, smartcard unlock, chunk_t */
BUILD_PASSPHRASE,
/** passphrase callback, chunk_t(*fn)(void *user, int try), void *user.
* The callback is invoked until the returned passphrase is accepted, or
@@ -109,8 +109,6 @@ enum builder_part_t {
BUILD_PKCS11_SLOT,
/** key ID of a key on a token, null terminated char* */
BUILD_PKCS11_KEYID,
- /** pin to access a token, null terminated char* */
- BUILD_PKCS11_PIN,
/** modulus (n) of a RSA key, chunk_t */
BUILD_RSA_MODULUS,
/** public exponent (e) of a RSA key, chunk_t */
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index b7b6e797d..d596fcf6b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -451,8 +451,9 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
{
#ifndef OPENSSL_NO_ENGINE
private_openssl_rsa_private_key_t *this;
- char *keyid = NULL, *pin = NULL, *engine_id = NULL;
- char keyname[64];
+ char *keyid = NULL, *engine_id = NULL;
+ char keyname[64], pin[32];;
+ chunk_t secret = chunk_empty;
EVP_PKEY *key;
ENGINE *engine;
int slot = -1;
@@ -464,8 +465,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, char*);
continue;
- case BUILD_PKCS11_PIN:
- pin = va_arg(args, char*);
+ case BUILD_PASSPHRASE:
+ secret = va_arg(args, chunk_t);
continue;
case BUILD_PKCS11_SLOT:
slot = va_arg(args, int);
@@ -480,7 +481,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
}
break;
}
- if (!keyid || !pin)
+ if (!keyid || !secret.len || !secret.ptr)
{
return NULL;
}
@@ -493,6 +494,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
{
snprintf(keyname, sizeof(keyname), "%d:%s", slot, keyid);
}
+ snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
if (!engine_id)
{
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index 576e2af82..cce6afbf1 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -276,10 +276,10 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid)
pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
{
private_pkcs11_private_key_t *this;
- char *keyid = NULL, *pin = NULL, *module = NULL;
+ char *keyid = NULL, *module = NULL;
int slot = -1;
CK_RV rv;
- chunk_t chunk;
+ chunk_t chunk, pin = chunk_empty;
while (TRUE)
{
@@ -288,8 +288,8 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
case BUILD_PKCS11_KEYID:
keyid = va_arg(args, char*);
continue;
- case BUILD_PKCS11_PIN:
- pin = va_arg(args, char*);
+ case BUILD_PASSPHRASE:
+ pin = va_arg(args, chunk_t);
continue;
case BUILD_PKCS11_SLOT:
slot = va_arg(args, int);
@@ -304,7 +304,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
}
break;
}
- if (!keyid || !pin || !module || slot == -1)
+ if (!keyid || !pin.ptr || !pin.len || !module || slot == -1)
{ /* we currently require all parameters, TODO: search for pubkeys */
return NULL;
}
@@ -347,7 +347,7 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args)
this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- rv = this->lib->f->C_Login(this->session, CKU_USER, pin, strlen(pin));
+ rv = this->lib->f->C_Login(this->session, CKU_USER, pin.ptr, pin.len);
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "login to '%s':%d failed: %N",
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-24 12:12:30 +0000