From 14a4962ab06743b36481aca9481758a3dd92b035 Mon Sep 17 00:00:00 2001
From: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>
Date: Tue, 13 Jun 2006 17:02:28 +0000
Subject: -r 1026:1032
 https://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21/openvpn

Changes:
1. Updated makefile.w32-vc to include lladdr.*, updated
linkage libraries.
2. Modified lladdr.c to be compiled under visual C.
3. Added retry counter to PKCS#11 PIN hook.
4. Modified PKCS#11 PIN retry loop to return correct error
code when PIN is incorrect.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1038 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 lladdr.c        |  3 +-
 makefile.w32-vc |  4 ++-
 pkcs11-helper.c | 89 +++++++++++++++++++++++++++++++++++++++++----------------
 pkcs11-helper.h |  6 ++--
 pkcs11.c        |  6 +++-
 5 files changed, 79 insertions(+), 29 deletions(-)

diff --git a/lladdr.c b/lladdr.c
index d6fb0a6..1f02ba4 100644
--- a/lladdr.c
+++ b/lladdr.c
@@ -16,6 +16,7 @@ int set_lladdr(const char *ifname, const char *lladdr,
 		const struct env_set *es)
 {
   char cmd[256];
+  int r;
 
   if (!ifname || !lladdr)
     return -1;
@@ -51,7 +52,7 @@ int set_lladdr(const char *ifname, const char *lladdr,
       return -1;
 #endif
 
-  int r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address.");
+  r = system_check (cmd, es, M_WARN, "ERROR: Unable to set link layer address.");
   if (r)
     msg (M_INFO, "TUN/TAP link layer address set to %s", lladdr);
   return r;
diff --git a/makefile.w32-vc b/makefile.w32-vc
index f92dbb3..d3dac0b 100644
--- a/makefile.w32-vc
+++ b/makefile.w32-vc
@@ -24,7 +24,7 @@ LZO = \src\lzo-1.08.vc
 
 INCLUDE_DIRS = -I$(OPENSSL)/include -I$(LZO)/include
 
-LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib gdi32.lib advapi32.lib wininet.lib
+LIBS = lzo.lib ws2_32.lib crypt32.lib iphlpapi.lib winmm.lib user32.lib advapi32.lib wininet.lib
 
 LIB_DIRS = -LIBPATH:$(OPENSSL)\out -LIBPATH:$(LZO)
 
@@ -108,6 +108,7 @@ HEADERS = \
 	syshead.h \
         thread.h \
 	tun.h \
+	lladdr.h \
 	win32.h
 
 OBJS =  base64.obj \
@@ -160,6 +161,7 @@ OBJS =  base64.obj \
 	status.obj \
 	thread.obj \
 	tun.obj \
+	lladdr.obj \
 	win32.obj
 
 dynamic : $(OBJS)
diff --git a/pkcs11-helper.c b/pkcs11-helper.c
index c6ef79d..99a67e2 100644
--- a/pkcs11-helper.c
+++ b/pkcs11-helper.c
@@ -56,6 +56,15 @@
  *
  */
 
+/*
+ * Changelog
+ *
+ * 2006.05.14
+ * 	- (alonbl) First stable release.
+ * 	- (alonbl) Release 01.00.
+ *
+ */
+
 #include "pkcs11-helper-config.h"
 
 #if defined(ENABLE_PKCS11H_HELPER)
@@ -268,7 +277,7 @@ struct pkcs11h_data_s {
 	} hooks;
 
 	PKCS11H_BOOL fProtectedAuthentication;
-	int nMaxLoginRetries;
+	unsigned nMaxLoginRetries;
 
 #if defined(ENABLE_PKCS11H_THREADING)
 	pkcs11h_mutex_t mutexGlobal;
@@ -517,7 +526,8 @@ static
 PKCS11H_BOOL
 _pkcs11h_hooks_default_token_prompt (
 	IN const void * pData,
-	IN const pkcs11h_token_id_t token
+	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry
 );
 
 static
@@ -525,6 +535,7 @@ PKCS11H_BOOL
 _pkcs11h_hooks_default_pin_prompt (
 	IN const void * pData,
 	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry,
 	OUT char * const szPIN,
 	IN const size_t nMaxPIN
 );
@@ -1189,7 +1200,7 @@ pkcs11h_setPINCachePeriod (
 
 CK_RV
 pkcs11h_setMaxLoginRetries (
-	IN const int nMaxLoginRetries
+	IN const unsigned nMaxLoginRetries
 ) {
 	PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 	PKCS11H_ASSERT (s_pkcs11h_data->fInitialized);
@@ -2974,6 +2985,8 @@ _pkcs11h_resetSession (
 
 	CK_RV rv = CKR_OK;
 
+	unsigned nRetry = 0;
+
 	PKCS11H_ASSERT (session!=NULL);
 	PKCS11H_ASSERT (p_slot!=NULL);
 
@@ -3147,7 +3160,8 @@ _pkcs11h_resetSession (
 				if (
 					!s_pkcs11h_data->hooks.token_prompt (
 						s_pkcs11h_data->hooks.token_prompt_data,
-						session->token_id
+						session->token_id,
+						nRetry++
 					)
 				) {
 					rv = CKR_CANCEL;
@@ -3387,7 +3401,7 @@ _pkcs11h_login (
 		)
 	) {
 		PKCS11H_BOOL fSuccessLogin = FALSE;
-		int nRetryCount = 0;
+		unsigned nRetryCount = 0;
 
 		if ((maskPrompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT) == 0) {
 			rv = CKR_USER_NOT_LOGGED_IN;
@@ -3401,7 +3415,7 @@ _pkcs11h_login (
 		while (
 			rv == CKR_OK &&
 			!fSuccessLogin &&
-			nRetryCount++ < s_pkcs11h_data->nMaxLoginRetries 
+			nRetryCount < s_pkcs11h_data->nMaxLoginRetries 
 		) {
 			CK_UTF8CHAR_PTR utfPIN = NULL;
 			CK_ULONG lPINLength = 0;
@@ -3425,6 +3439,7 @@ _pkcs11h_login (
 					!s_pkcs11h_data->hooks.pin_prompt (
 						s_pkcs11h_data->hooks.pin_prompt_data,
 						session->token_id,
+						nRetryCount,
 						szPIN,
 						sizeof (szPIN)
 					)
@@ -3441,17 +3456,18 @@ _pkcs11h_login (
 					"PKCS#11: pin_prompt hook return rv=%ld",
 					rv
 				);
-
 			}
 
-			if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) {
-				session->timePINExpire = 0;
-			}
-			else {
-				session->timePINExpire = (
-					PKCS11H_TIME (NULL) +
-					(time_t)session->nPINCachePeriod
-				);
+			if (rv == CKR_OK) {
+				if (session->nPINCachePeriod == PKCS11H_PIN_CACHE_INFINITE) {
+					session->timePINExpire = 0;
+				}
+				else {
+					session->timePINExpire = (
+						PKCS11H_TIME (NULL) +
+						(time_t)session->nPINCachePeriod
+					);
+				}
 			}
 
 			if (
@@ -3486,6 +3502,15 @@ _pkcs11h_login (
 				 */
 				rv = CKR_OK;
 			}
+
+			nRetryCount++;
+		}
+
+		/*
+		 * Retry limit
+		 */
+		if (!fSuccessLogin && rv == CKR_OK) {
+			rv = CKR_PIN_INCORRECT;
 		}
 	}
 
@@ -3579,11 +3604,13 @@ static
 PKCS11H_BOOL
 _pkcs11h_hooks_default_token_prompt (
 	IN const void * pData,
-	IN const pkcs11h_token_id_t token
+	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry
 ) {
 	PKCS11H_ASSERT (token!=NULL);
 
 	(void)pData;
+	(void)retry;
 
 	PKCS11H_DEBUG (
 		PKCS11H_LOG_DEBUG2,
@@ -3600,12 +3627,14 @@ PKCS11H_BOOL
 _pkcs11h_hooks_default_pin_prompt (
 	IN const void * pData,
 	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry,
 	OUT char * const szPIN,
 	IN const size_t nMaxPIN
 ) {
 	PKCS11H_ASSERT (token!=NULL);
 
 	(void)pData;
+	(void)retry;
 	(void)szPIN;
 	(void)nMaxPIN;
 
@@ -5034,7 +5063,7 @@ _pkcs11h_certificate_private_op (
 
 	PKCS11H_DEBUG (
 		PKCS11H_LOG_DEBUG2,
-		"PKCS#11: pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p",
+		"PKCS#11: _pkcs11h_certificate_private_op entry certificate=%p, op=%d, mech_type=%ld, source=%p, source_size=%u, target=%p, p_target_size=%p",
 		(void *)certificate,
 		op,
 		mech_type,
@@ -5181,7 +5210,7 @@ _pkcs11h_certificate_private_op (
 
 	PKCS11H_DEBUG (
 		PKCS11H_LOG_DEBUG2,
-		"PKCS#11: pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d",
+		"PKCS#11: _pkcs11h_certificate_private_op return rv=%ld-'%s', *p_target_size=%d",
 		rv,
 		pkcs11h_getMessage (rv),
 		*p_target_size
@@ -5532,7 +5561,7 @@ pkcs11h_certificate_signAny (
 		}
 	}
 
-	if (!fSigned) {
+	if (rv == CKR_OK && !fSigned) {
 		rv = CKR_FUNCTION_FAILED;
 	}
 	
@@ -6313,6 +6342,8 @@ pkcs11h_locate_token (
 	
 	CK_RV rv = CKR_OK;
 
+	unsigned nRetry = 0;
+
 	PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 	PKCS11H_ASSERT (s_pkcs11h_data->fInitialized);
 	PKCS11H_ASSERT (szSlotType!=NULL);
@@ -6403,7 +6434,8 @@ pkcs11h_locate_token (
 			if (
 				!s_pkcs11h_data->hooks.token_prompt (
 					s_pkcs11h_data->hooks.token_prompt_data,
-					dummy_token_id
+					dummy_token_id,
+					nRetry++
 				)
 			) {
 				rv = CKR_CANCEL;
@@ -9297,11 +9329,20 @@ PKCS11H_BOOL
 _pkcs11h_standalone_dump_objects_pin_prompt (
 	IN const void *pData,
 	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry,
 	OUT char * const szPIN,
 	IN const size_t nMaxPIN
 ) {
-	strncpy (szPIN, (char *)pData, nMaxPIN);
-	return TRUE;
+	/*
+	 * Don't lock card
+	 */
+	if (retry == 0) {
+		strncpy (szPIN, (char *)pData, nMaxPIN);
+		return TRUE;
+	}
+	else {
+		return FALSE;
+	}
 }
 
 void
@@ -9686,8 +9727,8 @@ pkcs11h_standalone_dump_objects (
 					CK_BBOOL sign_recover = CK_FALSE;
 					CK_BBOOL sign = CK_FALSE;
 					CK_ATTRIBUTE attrs_key[] = {
-						{CKA_SIGN, &sign_recover, sizeof (sign_recover)},
-						{CKA_SIGN_RECOVER, &sign, sizeof (sign)}
+						{CKA_SIGN, &sign, sizeof (sign)},
+						{CKA_SIGN_RECOVER, &sign_recover, sizeof (sign_recover)}
 					};
 					CK_ATTRIBUTE attrs_key_common[] = {
 						{CKA_ID, NULL, 0},
diff --git a/pkcs11-helper.h b/pkcs11-helper.h
index e2cef6d..f6eb967 100644
--- a/pkcs11-helper.h
+++ b/pkcs11-helper.h
@@ -151,12 +151,14 @@ typedef void (*pkcs11h_hook_slotevent_t)(
 
 typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)(
 	IN const void *pData,
-	IN const pkcs11h_token_id_t token
+	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry
 );
 
 typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)(
 	IN const void *pData,
 	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry,
 	OUT char * const szPIN,
 	IN const size_t nMaxPIN
 );
@@ -357,7 +359,7 @@ pkcs11h_setPINCachePeriod (
  */
 CK_RV
 pkcs11h_setMaxLoginRetries (
-	IN const int nMaxLoginRetries
+	IN const unsigned nMaxLoginRetries
 );
 
 /*
diff --git a/pkcs11.c b/pkcs11.c
index 3b136c5..9f30407 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -149,10 +149,12 @@ static
 bool
 _pkcs11_openvpn_token_prompt (
 	IN const void *pData,
-	IN const pkcs11h_token_id_t token
+	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry
 ) {
 	static struct user_pass token_resp;
 
+	(void)retry;
 	ASSERT (token!=NULL);
 
 	CLEAR (token_resp);
@@ -179,12 +181,14 @@ bool
 _pkcs11_openvpn_pin_prompt (
 	IN const void *pData,
 	IN const pkcs11h_token_id_t token,
+	IN const unsigned retry,
 	OUT char * const szPIN,
 	IN const size_t nMaxPIN
 ) {
 	static struct user_pass token_pass;
 	char szPrompt[1024];
 
+	(void)retry;
 	ASSERT (token!=NULL);
 
 	openvpn_snprintf (szPrompt, sizeof (szPrompt), "%s token", token->label);
-- 
cgit