|
|
|
|
@ -0,0 +1,285 @@
|
|
|
|
|
diff --git a/src/agent.c b/src/agent.c
|
|
|
|
|
index b51dc7e..9a75bf8 100644
|
|
|
|
|
--- a/src/agent.c
|
|
|
|
|
+++ b/src/agent.c
|
|
|
|
|
@@ -846,6 +846,12 @@ learn_status_cb (void *opaque, const char *line)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
+ else if (keywordlen == 6 && !memcmp (keyword, "EXTCAP", keywordlen))
|
|
|
|
|
+ {
|
|
|
|
|
+ /* FIXME: Should we parse the line properly instead of assuming
|
|
|
|
|
+ that the gc capability will always be at the beginning? */
|
|
|
|
|
+ sscanf (line, "gc=%d", &(parm->rng_available));
|
|
|
|
|
+ }
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -1281,6 +1287,28 @@ scute_agent_get_cert (int no, struct cert *cert)
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+gpg_error_t
|
|
|
|
|
+get_challenge_data_cb (void *opaque, const void *line, size_t len)
|
|
|
|
|
+{
|
|
|
|
|
+ memcpy (opaque, line, len);
|
|
|
|
|
+
|
|
|
|
|
+ return 0;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
+gpg_error_t
|
|
|
|
|
+scute_agent_get_random (unsigned char *data, size_t len)
|
|
|
|
|
+{
|
|
|
|
|
+ char command[16];
|
|
|
|
|
+ gpg_error_t err;
|
|
|
|
|
+
|
|
|
|
|
+ snprintf (command, sizeof(command), "SCD RANDOM %lu", len);
|
|
|
|
|
+
|
|
|
|
|
+ err = assuan_transact (agent_ctx, command, get_challenge_data_cb,
|
|
|
|
|
+ data, NULL, NULL, NULL, NULL);
|
|
|
|
|
+
|
|
|
|
|
+ return err;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
�
|
|
|
|
|
void
|
|
|
|
|
scute_agent_finalize (void)
|
|
|
|
|
diff --git a/src/agent.h b/src/agent.h
|
|
|
|
|
index 6ac479f..0d6bb30 100644
|
|
|
|
|
--- a/src/agent.h
|
|
|
|
|
+++ b/src/agent.h
|
|
|
|
|
@@ -73,6 +73,8 @@ struct agent_card_info_s
|
|
|
|
|
char grip1[41];
|
|
|
|
|
char grip2[41];
|
|
|
|
|
char grip3[41];
|
|
|
|
|
+ int rng_available; /* True if the GET CHALLENGE operation
|
|
|
|
|
+ is supported. */
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
�
|
|
|
|
|
@@ -113,4 +115,7 @@ gpg_error_t scute_agent_is_trusted (char *fpr, bool *is_trusted);
|
|
|
|
|
/* Try to get certificate for key numer NO. */
|
|
|
|
|
gpg_error_t scute_agent_get_cert (int no, struct cert *cert);
|
|
|
|
|
|
|
|
|
|
+/* Get random bytes from the card. */
|
|
|
|
|
+gpg_error_t scute_agent_get_random (unsigned char *data, size_t len);
|
|
|
|
|
+
|
|
|
|
|
#endif /* AGENT_H */
|
|
|
|
|
diff --git a/src/p11-generaterandom.c b/src/p11-generaterandom.c
|
|
|
|
|
index f192e9d..e8b20d9 100644
|
|
|
|
|
--- a/src/p11-generaterandom.c
|
|
|
|
|
+++ b/src/p11-generaterandom.c
|
|
|
|
|
@@ -33,14 +33,32 @@
|
|
|
|
|
|
|
|
|
|
#include "cryptoki.h"
|
|
|
|
|
|
|
|
|
|
+#include "locking.h"
|
|
|
|
|
+#include "slots.h"
|
|
|
|
|
+#include "agent.h"
|
|
|
|
|
+#include "error-mapping.h"
|
|
|
|
|
+
|
|
|
|
|
�
|
|
|
|
|
CK_DEFINE_FUNCTION(CK_RV, C_GenerateRandom)
|
|
|
|
|
(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData,
|
|
|
|
|
CK_ULONG ulRandomLen)
|
|
|
|
|
{
|
|
|
|
|
- /* FIXME: Implement me. */
|
|
|
|
|
- (void) hSession;
|
|
|
|
|
- (void) pRandomData;
|
|
|
|
|
- (void) ulRandomLen;
|
|
|
|
|
- return CKR_FUNCTION_NOT_SUPPORTED;
|
|
|
|
|
+ CK_RV err;
|
|
|
|
|
+ slot_iterator_t slot;
|
|
|
|
|
+ session_iterator_t session;
|
|
|
|
|
+
|
|
|
|
|
+ if (pRandomData == NULL_PTR)
|
|
|
|
|
+ return CKR_ARGUMENTS_BAD;
|
|
|
|
|
+
|
|
|
|
|
+ err = scute_global_lock ();
|
|
|
|
|
+ if (err)
|
|
|
|
|
+ return err;
|
|
|
|
|
+
|
|
|
|
|
+ err = slots_lookup_session (hSession, &slot, &session);
|
|
|
|
|
+ if (!err)
|
|
|
|
|
+ err = scute_gpg_err_to_ck (scute_agent_get_random (pRandomData,
|
|
|
|
|
+ ulRandomLen));
|
|
|
|
|
+
|
|
|
|
|
+ scute_global_unlock ();
|
|
|
|
|
+ return err;
|
|
|
|
|
}
|
|
|
|
|
diff --git a/src/p11-gettokeninfo.c b/src/p11-gettokeninfo.c
|
|
|
|
|
index 88d77be..c0a2417 100644
|
|
|
|
|
--- a/src/p11-gettokeninfo.c
|
|
|
|
|
+++ b/src/p11-gettokeninfo.c
|
|
|
|
|
@@ -72,8 +72,11 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo)
|
|
|
|
|
pInfo->flags = CKF_TOKEN_INITIALIZED
|
|
|
|
|
| CKF_PROTECTED_AUTHENTICATION_PATH | CKF_WRITE_PROTECTED
|
|
|
|
|
| CKF_USER_PIN_INITIALIZED;
|
|
|
|
|
- /* FIXME: Support this later: CKF_RNG.
|
|
|
|
|
- FIXME: CKF_USER_PIN_INITIALIZED only if PIN is not default pin?
|
|
|
|
|
+
|
|
|
|
|
+ if (slot_token_has_rng (slot))
|
|
|
|
|
+ pInfo->flags |= CKF_RNG;
|
|
|
|
|
+
|
|
|
|
|
+ /* FIXME: CKF_USER_PIN_INITIALIZED only if PIN is not default pin?
|
|
|
|
|
FIXME: CKF_LOGIN_REQUIRED needed? We could implement login via
|
|
|
|
|
the "SCD CHECKPIN" command. I am not sure how this mixes with
|
|
|
|
|
CKF_PROTECTED_AUTHENTICATION_PATH.
|
|
|
|
|
diff --git a/src/slots.c b/src/slots.c
|
|
|
|
|
index 136d64e..810be0b 100644
|
|
|
|
|
--- a/src/slots.c
|
|
|
|
|
+++ b/src/slots.c
|
|
|
|
|
@@ -657,6 +657,15 @@ slot_get_id (slot_iterator_t slot)
|
|
|
|
|
return slot;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
+/* Return true if the token supports the GET CHALLENGE operation. */
|
|
|
|
|
+bool
|
|
|
|
|
+slot_token_has_rng (slot_iterator_t id)
|
|
|
|
|
+{
|
|
|
|
|
+ struct slot *slot = scute_table_data (slots, id);
|
|
|
|
|
+
|
|
|
|
|
+ return slot->info.rng_available;
|
|
|
|
|
+}
|
|
|
|
|
+
|
|
|
|
|
�
|
|
|
|
|
/* Mechanism management. */
|
|
|
|
|
|
|
|
|
|
diff --git a/src/slots.h b/src/slots.h
|
|
|
|
|
index e36be27..3624c55 100644
|
|
|
|
|
--- a/src/slots.h
|
|
|
|
|
+++ b/src/slots.h
|
|
|
|
|
@@ -116,6 +116,9 @@ void slot_token_pincount (slot_iterator_t id, int *max, int *len);
|
|
|
|
|
/* Return the ID of slot SLOT. */
|
|
|
|
|
CK_SLOT_ID slot_get_id (slot_iterator_t slot);
|
|
|
|
|
|
|
|
|
|
+/* Return true if the token supports the GET CHALLENGE operation. */
|
|
|
|
|
+bool slot_token_has_rng (slot_iterator_t id);
|
|
|
|
|
+
|
|
|
|
|
�
|
|
|
|
|
/* Begin iterating over the list of mechanisms. If succeeds, will be
|
|
|
|
|
followed up by a slot_iterate_end. */
|
|
|
|
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
|
|
index 644eeb0..6c19071 100644
|
|
|
|
|
--- a/tests/Makefile.am
|
|
|
|
|
+++ b/tests/Makefile.am
|
|
|
|
|
@@ -33,7 +33,7 @@ noinst_HEADERS = t-support.h
|
|
|
|
|
TESTS = t-link t-getfunctionlist t-initialize t-getinfo t-getslotlist \
|
|
|
|
|
t-getslotinfo t-gettokeninfo t-getmechanismlist t-getmechanisminfo \
|
|
|
|
|
t-opensession t-closeallsessions t-getsessioninfo \
|
|
|
|
|
- t-findobjects t-getattribute t-auth
|
|
|
|
|
+ t-findobjects t-getattribute t-auth t-generaterandom
|
|
|
|
|
|
|
|
|
|
noinst_PROGRAMS = $(TESTS)
|
|
|
|
|
|
|
|
|
|
diff --git a/tests/t-generaterandom.c b/tests/t-generaterandom.c
|
|
|
|
|
new file mode 100644
|
|
|
|
|
index 0000000..675138d
|
|
|
|
|
--- /dev/null
|
|
|
|
|
+++ b/tests/t-generaterandom.c
|
|
|
|
|
@@ -0,0 +1,105 @@
|
|
|
|
|
+/* t-generaterandom.c - Regression test.
|
|
|
|
|
+ Copyright (C) 2016 g10 Code GmbH
|
|
|
|
|
+
|
|
|
|
|
+ This file is part of Scute.
|
|
|
|
|
+
|
|
|
|
|
+ Scute is free software; you can redistribute it and/or modify it
|
|
|
|
|
+ under the terms of the GNU General Public License as published by
|
|
|
|
|
+ the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
+ (at your option) any later version.
|
|
|
|
|
+
|
|
|
|
|
+ Scute is distributed in the hope that it will be useful, but
|
|
|
|
|
+ WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
+ General Public License for more details.
|
|
|
|
|
+
|
|
|
|
|
+ You should have received a copy of the GNU General Public License
|
|
|
|
|
+ along with Scute; if not, write to the Free Software Foundation,
|
|
|
|
|
+ Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
|
|
|
+
|
|
|
|
|
+ In addition, as a special exception, g10 Code GmbH gives permission
|
|
|
|
|
+ to link this library: with the Mozilla Foundation's code for
|
|
|
|
|
+ Mozilla (or with modified versions of it that use the same license
|
|
|
|
|
+ as the "Mozilla" code), and distribute the linked executables. You
|
|
|
|
|
+ must obey the GNU General Public License in all respects for all of
|
|
|
|
|
+ the code used other than "Mozilla". If you modify this file, you
|
|
|
|
|
+ may extend this exception to your version of the file, but you are
|
|
|
|
|
+ not obligated to do so. If you do not wish to do so, delete this
|
|
|
|
|
+ exception statement from your version. */
|
|
|
|
|
+
|
|
|
|
|
+#include <stdio.h>
|
|
|
|
|
+#include <stdbool.h>
|
|
|
|
|
+
|
|
|
|
|
+#include "t-support.h"
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+int
|
|
|
|
|
+main (int argc, char *argv[])
|
|
|
|
|
+{
|
|
|
|
|
+ CK_RV err;
|
|
|
|
|
+ CK_SLOT_ID_PTR slots;
|
|
|
|
|
+ CK_ULONG slots_count;
|
|
|
|
|
+ unsigned int i;
|
|
|
|
|
+
|
|
|
|
|
+ (void) argc;
|
|
|
|
|
+ (void) argv;
|
|
|
|
|
+
|
|
|
|
|
+ init_cryptoki ();
|
|
|
|
|
+
|
|
|
|
|
+ err = C_GetSlotList (true, NULL, &slots_count);
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+
|
|
|
|
|
+ if (slots_count == 0)
|
|
|
|
|
+ {
|
|
|
|
|
+ printf ("Skipping test because no token is present.\n");
|
|
|
|
|
+ return 77;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ printf ("Number of slots with tokens: %lu\n", slots_count);
|
|
|
|
|
+ slots = malloc (sizeof (CK_SLOT_ID) * slots_count);
|
|
|
|
|
+ if (!slots)
|
|
|
|
|
+ fail_if_err (CKR_HOST_MEMORY);
|
|
|
|
|
+
|
|
|
|
|
+ err = C_GetSlotList (true, slots, &slots_count);
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+
|
|
|
|
|
+ for (i = 0; i < slots_count; i++)
|
|
|
|
|
+ {
|
|
|
|
|
+ CK_TOKEN_INFO info;
|
|
|
|
|
+
|
|
|
|
|
+ printf ("%2i. Slot ID %lu\n", i, slots[i]);
|
|
|
|
|
+
|
|
|
|
|
+ err = C_GetTokenInfo (slots[i], &info);
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+
|
|
|
|
|
+ if ((info.flags & CKF_RNG) > 0)
|
|
|
|
|
+ {
|
|
|
|
|
+ CK_SESSION_HANDLE session;
|
|
|
|
|
+ unsigned char buffer[16];
|
|
|
|
|
+ unsigned int j;
|
|
|
|
|
+
|
|
|
|
|
+ printf(" RNG available\n");
|
|
|
|
|
+
|
|
|
|
|
+ err = C_OpenSession (slots[i], CKF_SERIAL_SESSION, NULL, NULL,
|
|
|
|
|
+ &session);
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+
|
|
|
|
|
+ printf (" Session ID: %lu\n", session);
|
|
|
|
|
+
|
|
|
|
|
+ err = C_GenerateRandom (session, buffer, sizeof(buffer));
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+
|
|
|
|
|
+ printf (" Random bytes: 0x");
|
|
|
|
|
+ for (j = 0; j < sizeof(buffer); j++)
|
|
|
|
|
+ printf ("%02x", buffer[j]);
|
|
|
|
|
+ printf ("\n");
|
|
|
|
|
+
|
|
|
|
|
+ err = C_CloseSession (session);
|
|
|
|
|
+ fail_if_err (err);
|
|
|
|
|
+ }
|
|
|
|
|
+ else
|
|
|
|
|
+ printf (" No RNG available on token\n");
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ return 0;
|
|
|
|
|
+}
|
