scummvm random work
[patches.git] / openssh-4.4p1pkcs11-0.17.patch
CommitLineData
5e993f12 1diff -urNp openssh-4.4p1/authfd.c openssh-4.4p1+pkcs11-0.17/authfd.c
2--- openssh-4.4p1/authfd.c 2006-09-01 08:38:36.000000000 +0300
3+++ openssh-4.4p1+pkcs11-0.17/authfd.c 2006-10-12 13:59:59.000000000 +0200
4@@ -669,3 +669,79 @@ decode_reply(int type)
5 /* NOTREACHED */
6 return 0;
7 }
8+
9+#ifndef SSH_PKCS11_DISABLED
10+
11+int
12+ssh_pkcs11_add_provider (AuthenticationConnection *auth, const char *provider,
13+ int protected_authentication, const char *sign_mode, int cert_private)
14+{
15+ Buffer msg;
16+ int type;
17+ int code;
18+
19+ code = SSH_AGENTC_PKCS11_ADD_PROVIDER;
20+
21+ buffer_init(&msg);
22+ buffer_put_char(&msg, code);
23+ buffer_put_cstring(&msg, provider);
24+ buffer_put_int(&msg, protected_authentication);
25+ buffer_put_cstring(&msg, sign_mode == NULL ? "auto" : sign_mode);
26+ buffer_put_int(&msg, cert_private);
27+
28+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
29+ buffer_free(&msg);
30+ return 0;
31+ }
32+ type = buffer_get_char(&msg);
33+ buffer_free(&msg);
34+ return decode_reply(type);
35+}
36+
37+int
38+ssh_pkcs11_id (AuthenticationConnection *auth, const pkcs11_identity *id, int remove)
39+{
40+ Buffer msg;
41+ int type;
42+ int code;
43+
44+ code = remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID;
45+
46+ buffer_init(&msg);
47+ buffer_put_char(&msg, code);
48+ buffer_put_cstring(&msg, id->id);
49+ buffer_put_int(&msg, id->pin_cache_period);
50+ buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
51+
52+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
53+ buffer_free(&msg);
54+ return 0;
55+ }
56+ type = buffer_get_char(&msg);
57+ buffer_free(&msg);
58+ return decode_reply(type);
59+}
60+
61+int
62+ssh_pkcs11_set_ask_pin (AuthenticationConnection *auth, const char *pin_prog)
63+{
64+ Buffer msg;
65+ int type;
66+ int code;
67+
68+ code = SSH_AGENTC_PKCS11_SET_ASK_PIN;
69+
70+ buffer_init(&msg);
71+ buffer_put_char(&msg, code);
72+ buffer_put_cstring(&msg, pin_prog);
73+
74+ if (ssh_request_reply(auth, &msg, &msg) == 0) {
75+ buffer_free(&msg);
76+ return 0;
77+ }
78+ type = buffer_get_char(&msg);
79+ buffer_free(&msg);
80+ return decode_reply(type);
81+}
82+
83+#endif /* SSH_PKCS11_DISABLED */
84diff -urNp openssh-4.4p1/authfd.h openssh-4.4p1+pkcs11-0.17/authfd.h
85--- openssh-4.4p1/authfd.h 2006-08-05 05:39:39.000000000 +0300
86+++ openssh-4.4p1+pkcs11-0.17/authfd.h 2006-10-12 13:57:49.000000000 +0200
87@@ -16,6 +16,8 @@
88 #ifndef AUTHFD_H
89 #define AUTHFD_H
90
91+#include "pkcs11.h"
92+
93 /* Messages for the authentication agent connection. */
94 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
95 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
96@@ -49,6 +51,11 @@
97 #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
98 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
99
100+#define SSH_AGENTC_PKCS11_ADD_PROVIDER 27
101+#define SSH_AGENTC_PKCS11_ADD_ID 28
102+#define SSH_AGENTC_PKCS11_REMOVE_ID 29
103+#define SSH_AGENTC_PKCS11_SET_ASK_PIN 30
104+
105 #define SSH_AGENT_CONSTRAIN_LIFETIME 1
106 #define SSH_AGENT_CONSTRAIN_CONFIRM 2
107
108@@ -92,4 +99,11 @@ int
109 ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
110 u_int);
111
112+#ifndef SSH_PKCS11_DISABLED
113+int ssh_pkcs11_add_provider (AuthenticationConnection *, const char *,
114+ int, const char *, int);
115+int ssh_pkcs11_id (AuthenticationConnection *, const pkcs11_identity *, int remove);
116+int ssh_pkcs11_set_ask_pin (AuthenticationConnection *, const char *);
117+#endif /* SSH_PKCS11_DISABLED */
118+
119 #endif /* AUTHFD_H */
120diff -urNp openssh-4.4p1/ChangeLog.pkcs11 openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11
121--- openssh-4.4p1/ChangeLog.pkcs11 1970-01-01 02:00:00.000000000 +0200
122+++ openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11 2006-10-23 17:36:52.000000000 +0200
123@@ -0,0 +1,49 @@
124+20061023
125+ - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
126+ - (alonbl) Release 0.17
127+
128+20061020
129+ - (alonbl) Major modification of ssh-add command-line parameters.
130+ Now, a complete serialized certificate needs to be specified, this
131+ in order to allow people to add id without forcing card to be available.
132+ But to allow complete silent addition a certificate file also needed.
133+ --pkcs11-show-ids is used in order to get a list of resources.
134+ --pkcs11-add-id --pkcs11-id <serialized id> \
135+ [--pkcs11-cert-file <cert_file>]
136+ - (alonbl) PKCS#11 release 0.16
137+
138+20061012
139+ - (alonbl) OpenSC bug workaround.
140+ - (alonbl) PKCS#11 release 0.15
141+
142+20060930
143+ - (alonbl) Some pkcs11-helper updates.
144+ - (alonbl) Rebase against 4.4p1.
145+ - (alonbl) PKCS#11 release 0.14
146+
147+20060709
148+ - (alonbl) PKCS#11 fixed handling multiproviders.
149+ - (alonbl) PKCS#11 release 0.13
150+
151+20060608
152+ - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing
153+ ssh-rsa id.
154+ - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument.
155+ - (alonbl) PKCS#11 release 0.12
156+
157+20060527
158+ - (alonbl) PKCS#11 fix issues with gcc-2
159+ - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version.
160+ - (alonbl) PKCS#11 modified to match X.509-5.4 patch.
161+ - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out
162+ of X.509 certificate.
163+ - (alonbl) PKCS#11 release 0.11
164+
165+20060419
166+ - (alonbl) PKCS#11 fix handling empty attributes.
167+ - (alonbl) PKCS#11 release 0.10
168+
169+20060404
170+ - (alonbl) PKCS#11 code sync.
171+ - (alonbl) PKCS#11 release 0.09
172+
173diff -urNp openssh-4.4p1/config.h.in openssh-4.4p1+pkcs11-0.17/config.h.in
174--- openssh-4.4p1/config.h.in 2006-09-26 14:03:33.000000000 +0300
175+++ openssh-4.4p1+pkcs11-0.17/config.h.in 2006-09-28 16:31:03.000000000 +0300
176@@ -1217,6 +1217,12 @@
177 /* Use audit debugging module */
178 #undef SSH_AUDIT_EVENTS
179
180+/* Define if you don't want use PKCS#11 */
181+#undef SSH_PKCS11_DISABLED
182+
183+/* Define if you don't want use X509 with PKCS#11 */
184+#undef SSH_PKCS11_X509_DISABLED
185+
186 /* non-privileged user for privilege separation */
187 #undef SSH_PRIVSEP_USER
188
189diff -urNp openssh-4.4p1/configure openssh-4.4p1+pkcs11-0.17/configure
190--- openssh-4.4p1/configure 2006-09-26 14:03:41.000000000 +0300
191+++ openssh-4.4p1+pkcs11-0.17/configure 2006-09-28 16:33:53.000000000 +0300
192@@ -1307,6 +1307,7 @@ Optional Features:
193 --disable-libutil disable use of libutil (login() etc.) no
194 --disable-pututline disable use of pututline() etc. (uwtmp) no
195 --disable-pututxline disable use of pututxline() etc. (uwtmpx) no
196+ --disable-pkcs11 Disable PKCS#11 support
197
198 Optional Packages:
199 --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
200@@ -32163,6 +32164,33 @@ if test ! -z "$blibpath" ; then
201 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
202 fi
203
204+ssh_pkcs11="yes"
205+ssh_pkcs11_x509="yes"
206+# Check whether --enable-pkcs11 was given.
207+if test "${enable_pkcs11+set}" = set; then
208+ enableval=$enable_pkcs11;
209+ if test "x$enableval" = "xno"; then
210+ ssh_pkcs11="no"
211+ fi
212+
213+
214+fi
215+
216+if test "x$ssh_pkcs11" = "xno"; then
217+
218+cat >>confdefs.h <<_ACEOF
219+#define SSH_PKCS11_DISABLED 1
220+_ACEOF
221+
222+fi
223+if test "x$ssh_x509" = "x"; then
224+
225+cat >>confdefs.h <<_ACEOF
226+#define SSH_PKCS11_X509_DISABLED 1
227+_ACEOF
228+
229+fi
230+
231 CFLAGS="$CFLAGS $werror_flags"
232
233
234@@ -33415,6 +33443,7 @@ echo " IP address in \$DISPLAY hac
235 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
236 echo " BSD Auth support: $BSD_AUTH_MSG"
237 echo " Random number source: $RAND_MSG"
238+echo " PKCS#11 support: $ssh_pkcs11"
239 if test ! -z "$USE_RAND_HELPER" ; then
240 echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
241 fi
242diff -urNp openssh-4.4p1/configure.ac openssh-4.4p1+pkcs11-0.17/configure.ac
243--- openssh-4.4p1/configure.ac 2006-09-24 22:08:59.000000000 +0300
244+++ openssh-4.4p1+pkcs11-0.17/configure.ac 2006-09-28 08:05:35.000000000 +0300
245@@ -3912,6 +3912,27 @@ if test ! -z "$blibpath" ; then
246 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
247 fi
248
249+ssh_pkcs11="yes"
250+ssh_pkcs11_x509="yes"
251+AC_ARG_ENABLE(pkcs11,
252+ [ --disable-pkcs11 Disable PKCS#11 support],
253+ [
254+ if test "x$enableval" = "xno"; then
255+ ssh_pkcs11="no"
256+ fi
257+ ]
258+)
259+if test "x$ssh_pkcs11" = "xno"; then
260+ AC_DEFINE_UNQUOTED(
261+ SSH_PKCS11_DISABLED, 1,
262+ [Define if you don't want use PKCS#11])
263+fi
264+if test "x$ssh_x509" = "x"; then
265+ AC_DEFINE_UNQUOTED(
266+ SSH_PKCS11_X509_DISABLED, 1,
267+ [Define if you don't want use X509 with PKCS#11])
268+fi
269+
270 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
271 dnl Add now.
272 CFLAGS="$CFLAGS $werror_flags"
273@@ -3973,6 +3994,7 @@ echo " IP address in \$DISPLAY hac
274 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
275 echo " BSD Auth support: $BSD_AUTH_MSG"
276 echo " Random number source: $RAND_MSG"
277+echo " PKCS#11 support: $ssh_pkcs11"
278 if test ! -z "$USE_RAND_HELPER" ; then
279 echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
280 fi
281diff -urNp openssh-4.4p1/cryptoki.h openssh-4.4p1+pkcs11-0.17/cryptoki.h
282--- openssh-4.4p1/cryptoki.h 1970-01-01 02:00:00.000000000 +0200
283+++ openssh-4.4p1+pkcs11-0.17/cryptoki.h 2006-09-28 08:05:35.000000000 +0300
284@@ -0,0 +1,35 @@
285+/* cryptoki.h include file for PKCS #11. */
286+/* $Revision: 1.4 $ */
287+
288+/* License to copy and use this software is granted provided that it is
289+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
290+ * (Cryptoki)" in all material mentioning or referencing this software.
291+
292+ * License is also granted to make and use derivative works provided that
293+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
294+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
295+ * referencing the derived work.
296+
297+ * RSA Security Inc. makes no representations concerning either the
298+ * merchantability of this software or the suitability of this software for
299+ * any particular purpose. It is provided "as is" without express or implied
300+ * warranty of any kind.
301+ */
302+
303+#ifndef ___CRYPTOKI_H_INC___
304+#define ___CRYPTOKI_H_INC___
305+
306+#define CK_PTR *
307+
308+#define CK_DEFINE_FUNCTION(returnType, name) returnType name
309+#define CK_DECLARE_FUNCTION(returnType, name) returnType name
310+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
311+#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
312+
313+#ifndef NULL_PTR
314+#define NULL_PTR 0
315+#endif
316+
317+#include "pkcs11-headers/pkcs11.h"
318+
319+#endif /* ___CRYPTOKI_H_INC___ */
320diff -urNp openssh-4.4p1/cryptoki-win32.h openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h
321--- openssh-4.4p1/cryptoki-win32.h 1970-01-01 02:00:00.000000000 +0200
322+++ openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h 2006-09-28 08:05:35.000000000 +0300
323@@ -0,0 +1,66 @@
324+/* cryptoki.h include file for PKCS #11. */
325+/* $Revision: 1.4 $ */
326+
327+/* License to copy and use this software is granted provided that it is
328+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
329+ * (Cryptoki)" in all material mentioning or referencing this software.
330+
331+ * License is also granted to make and use derivative works provided that
332+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
333+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
334+ * referencing the derived work.
335+
336+ * RSA Security Inc. makes no representations concerning either the
337+ * merchantability of this software or the suitability of this software for
338+ * any particular purpose. It is provided "as is" without express or implied
339+ * warranty of any kind.
340+ */
341+
342+/* This is a sample file containing the top level include directives
343+ * for building Win32 Cryptoki libraries and applications.
344+ */
345+
346+#ifndef ___CRYPTOKI_H_INC___
347+#define ___CRYPTOKI_H_INC___
348+
349+#pragma pack(push, cryptoki, 1)
350+
351+/* Specifies that the function is a DLL entry point. */
352+#define CK_IMPORT_SPEC __declspec(dllimport)
353+
354+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
355+ * not define it in applications.
356+ */
357+#ifdef CRYPTOKI_EXPORTS
358+/* Specified that the function is an exported DLL entry point. */
359+#define CK_EXPORT_SPEC __declspec(dllexport)
360+#else
361+#define CK_EXPORT_SPEC CK_IMPORT_SPEC
362+#endif
363+
364+/* Ensures the calling convention for Win32 builds */
365+#define CK_CALL_SPEC __cdecl
366+
367+#define CK_PTR *
368+
369+#define CK_DEFINE_FUNCTION(returnType, name) \
370+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name
371+
372+#define CK_DECLARE_FUNCTION(returnType, name) \
373+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name
374+
375+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
376+ returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
377+
378+#define CK_CALLBACK_FUNCTION(returnType, name) \
379+ returnType (CK_CALL_SPEC CK_PTR name)
380+
381+#ifndef NULL_PTR
382+#define NULL_PTR 0
383+#endif
384+
385+#include "pkcs11-headers/pkcs11.h"
386+
387+#pragma pack(pop, cryptoki)
388+
389+#endif /* ___CRYPTOKI_H_INC___ */
390diff -urNp openssh-4.4p1/LICENCE openssh-4.4p1+pkcs11-0.17/LICENCE
391--- openssh-4.4p1/LICENCE 2006-08-30 20:24:41.000000000 +0300
392+++ openssh-4.4p1+pkcs11-0.17/LICENCE 2006-09-28 08:05:35.000000000 +0300
393@@ -332,6 +332,9 @@ OpenSSH contains no GPL code.
394 * authorization. *
395 ****************************************************************************/
396
397+ d) PKCS #11: Cryptographic Token Interface Standard
398+
399+ This software uses RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
400
401 ------
402 $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
403diff -urNp openssh-4.4p1/Makefile.in openssh-4.4p1+pkcs11-0.17/Makefile.in
404--- openssh-4.4p1/Makefile.in 2006-09-12 14:54:10.000000000 +0300
405+++ openssh-4.4p1+pkcs11-0.17/Makefile.in 2006-09-28 08:05:35.000000000 +0300
406@@ -66,6 +66,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
407
408 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
409 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
410+ pkcs11.o pkcs11-helper.o \
411 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
412 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
413 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
414diff -urNp openssh-4.4p1/pkcs11.c openssh-4.4p1+pkcs11-0.17/pkcs11.c
415--- openssh-4.4p1/pkcs11.c 1970-01-01 02:00:00.000000000 +0200
416+++ openssh-4.4p1+pkcs11-0.17/pkcs11.c 2006-10-23 17:35:54.000000000 +0200
417@@ -0,0 +1,1139 @@
418+/*
419+ * Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
420+ *
421+ * Redistribution and use in source and binary forms, with or without
422+ * modification, are permitted provided that the following conditions
423+ * are met:
424+ * 1. Redistributions of source code must retain the above copyright
425+ * notice, this list of conditions and the following disclaimer.
426+ * 2. Redistributions in binary form must reproduce the above copyright
427+ * notice, this list of conditions and the following disclaimer in the
428+ * documentation and/or other materials provided with the distribution.
429+ *
430+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
431+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
432+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
433+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
434+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
435+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
436+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
437+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
438+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
439+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
440+ */
441+
442+/*
443+ * The routines in this file deal with providing private key cryptography
444+ * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
445+ *
446+ */
447+
448+#include "includes.h"
449+#include <sys/wait.h>
450+#include <errno.h>
451+
452+#if !defined(SSH_PKCS11_DISABLED)
453+
454+#include "pkcs11-helper.h"
455+#include "pkcs11.h"
456+#include "openssl/pem.h"
457+#include "misc.h"
458+
459+static
460+char *
461+ssh_from_x509 (X509 *x509);
462+
463+static char *s_szSetPINProg = NULL;
464+
465+static
466+unsigned
467+_pkcs11_msg_pkcs112openssh (
468+ IN const unsigned flags
469+) {
470+ unsigned openssh_flags;
471+
472+ switch (flags) {
473+ case PKCS11H_LOG_DEBUG2:
474+ openssh_flags = SYSLOG_LEVEL_DEBUG3;
475+ break;
476+ case PKCS11H_LOG_DEBUG1:
477+ openssh_flags = SYSLOG_LEVEL_DEBUG2;
478+ break;
479+ case PKCS11H_LOG_INFO:
480+ openssh_flags = SYSLOG_LEVEL_INFO;
481+ break;
482+ case PKCS11H_LOG_WARN:
483+ openssh_flags = SYSLOG_LEVEL_ERROR;
484+ break;
485+ case PKCS11H_LOG_ERROR:
486+ openssh_flags = SYSLOG_LEVEL_FATAL;
487+ break;
488+ default:
489+ openssh_flags = SYSLOG_LEVEL_FATAL;
490+ break;
491+ }
492+
493+ return openssh_flags;
494+}
495+
496+static
497+unsigned
498+_pkcs11_msg_openssh2pkcs11 (
499+ IN const unsigned flags
500+) {
501+ unsigned pkcs11_flags;
502+
503+ switch (flags) {
504+ case SYSLOG_LEVEL_DEBUG3:
505+ pkcs11_flags = PKCS11H_LOG_DEBUG2;
506+ break;
507+ case SYSLOG_LEVEL_DEBUG2:
508+ pkcs11_flags = PKCS11H_LOG_DEBUG1;
509+ break;
510+ case SYSLOG_LEVEL_INFO:
511+ pkcs11_flags = PKCS11H_LOG_INFO;
512+ break;
513+ case SYSLOG_LEVEL_ERROR:
514+ pkcs11_flags = PKCS11H_LOG_WARN;
515+ break;
516+ case SYSLOG_LEVEL_FATAL:
517+ pkcs11_flags = PKCS11H_LOG_ERROR;
518+ break;
519+ default:
520+ pkcs11_flags = PKCS11H_LOG_ERROR;
521+ break;
522+ }
523+
524+ return pkcs11_flags;
525+}
526+
527+static
528+void
529+_pkcs11_openssh_log (
530+ IN void * const pData,
531+ IN unsigned flags,
532+ IN const char * const szFormat,
533+ IN va_list args
534+) {
535+ do_log (_pkcs11_msg_pkcs112openssh (flags), szFormat, args);
536+}
537+
538+static
539+int
540+_pkcs11_ssh_prompt (
541+ IN const char * const szType,
542+ IN const char * const szPrompt,
543+ OUT char * const szInput,
544+ IN const int nMaxInput
545+) {
546+ pid_t pid = -1;
547+ int fds[2] = {-1, -1};
548+ int fOK = TRUE;
549+
550+ /*
551+ * Make sure we don't reuse PIN
552+ */
553+ if (fOK) {
554+ memset (szInput, 0, nMaxInput);
555+ }
556+
557+ if (fOK && s_szSetPINProg == NULL) {
558+ fOK = FALSE;
559+ }
560+
561+ if (fOK && pipe (fds) == -1) {
562+ fOK = FALSE;
563+ }
564+
565+ if (fOK && (pid = fork ()) == -1) {
566+ fOK = FALSE;
567+ }
568+
569+ if (fOK) {
570+ if (pid == 0) {
571+ close (fds[0]);
572+ fds[0] = -1;
573+
574+ if (fOK && dup2 (fds[1], 1) == -1) {
575+ fOK = FALSE;
576+ }
577+ if (fOK) {
578+ close (fds[1]);
579+ fds[1] = -1;
580+ }
581+
582+ if (fOK) {
583+ execl (
584+ s_szSetPINProg,
585+ s_szSetPINProg,
586+ "-t",
587+ szType,
588+ szPrompt,
589+ NULL
590+ );
591+ }
592+
593+ exit (1);
594+ }
595+ else {
596+ int status;
597+ int r = 0;
598+
599+ close (fds[1]);
600+ fds[1] = -1;
601+
602+ if (fOK) {
603+ while (
604+ (r=waitpid (pid, &status, 0)) == 0 ||
605+ (r == -1 && errno == EINTR)
606+ );
607+
608+ if (r == -1) {
609+ fOK = FALSE;
610+ }
611+ }
612+
613+ if (fOK && !WIFEXITED (status)) {
614+ fOK = FALSE;
615+ }
616+
617+ if (fOK && WEXITSTATUS (status) != 0) {
618+ fOK = FALSE;
619+ }
620+
621+ if (fOK) {
622+ if (!strcmp (szType, "password")) {
623+ if ((r = read (fds[0], szInput, nMaxInput)) == -1) {
624+ fOK = FALSE;
625+ r = 0;
626+ }
627+ }
628+ else {
629+ r = 0;
630+ }
631+ szInput[r] = '\0';
632+ }
633+
634+ if (fOK) {
635+ if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\n') {
636+ szInput[strlen (szInput)-1] = '\0';
637+ }
638+ /*
639+ * for DOS compatability
640+ */
641+ if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\r') {
642+ szInput[strlen (szInput)-1] = '\0';
643+ }
644+ }
645+ }
646+ }
647+
648+ if (fds[0] != -1) {
649+ close (fds[0]);
650+ fds[0] = -1;
651+ }
652+
653+ if (fds[1] != -1) {
654+ close (fds[1]);
655+ fds[1] = -1;
656+ }
657+
658+ return fOK;
659+}
660+
661+static
662+void
663+_pkcs11_ssh_print (
664+ IN void * const pData,
665+ IN const char * const szFormat,
666+ IN ...
667+) {
668+ va_list args;
669+
670+ va_start (args, szFormat);
671+ vprintf (szFormat, args);
672+ va_end (args);
673+}
674+
675+static
676+PKCS11H_BOOL
677+_pkcs11_ssh_token_prompt (
678+ IN void * const pData1,
679+ IN void * const pData2,
680+ IN const pkcs11h_token_id_t token,
681+ IN const unsigned retry
682+) {
683+ char szPrompt[1024];
684+ char szPIN[1024];
685+
686+ snprintf (szPrompt, sizeof (szPrompt), "Please insert token '%s' or cancel", token->display);
687+ return _pkcs11_ssh_prompt ("okcancel", szPrompt, szPIN, sizeof (szPIN));
688+}
689+
690+static
691+PKCS11H_BOOL
692+_pkcs11_ssh_pin_prompt (
693+ IN void * const pData1,
694+ IN void * const pData2,
695+ IN const pkcs11h_token_id_t token,
696+ IN const unsigned retry,
697+ OUT char * const szPIN,
698+ IN const size_t nMaxPIN
699+) {
700+ char szPrompt[1024];
701+
702+ snprintf (szPrompt, sizeof (szPrompt), "Please enter PIN for token '%s'", token->display);
703+ return _pkcs11_ssh_prompt ("password", szPrompt, szPIN, nMaxPIN);
704+}
705+
706+static
707+PKCS11H_BOOL
708+_pkcs11_ssh_pin_prompt_cli (
709+ IN void * const pData1,
710+ IN void * const pData2,
711+ IN const pkcs11h_token_id_t token,
712+ IN const unsigned retry,
713+ OUT char * const szPIN,
714+ IN const size_t nMaxPIN
715+) {
716+ char szPrompt[1024];
717+ snprintf (szPrompt, sizeof (szPrompt), "Please enter '%s' PIN or 'cancel': ", token->display);
718+ char *p = getpass (szPrompt);
719+
720+ strncpy (szPIN, p, nMaxPIN);
721+ szPIN[nMaxPIN-1] = '\0';
722+
723+ return strcmp (szPIN, "cancel") != 0;
724+}
725+
726+void
727+_pkcs11_do_log (
728+ IN LogLevel l,
729+ IN const char *f,
730+ IN ...
731+) {
732+ va_list args;
733+ va_start (args, f);
734+ do_log (l, f, args);
735+ va_end (args);
736+}
737+
738+int
739+pkcs11_initialize (
740+ const int fProtectedAuthentication,
741+ const int nPINCachePeriod
742+) {
743+ CK_RV rv = CKR_OK;
744+
745+ debug3 (
746+ "PKCS#11: pkcs11_initialize - entered fProtectedAuthentication=%d, nPINCachePeriod=%d",
747+ fProtectedAuthentication,
748+ nPINCachePeriod
749+ );
750+
751+ if (
752+ rv == CKR_OK &&
753+ (rv = pkcs11h_initialize ()) != CKR_OK
754+ ) {
755+ error ("PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
756+ }
757+
758+ if (
759+ rv == CKR_OK &&
760+ (rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL)) != CKR_OK
761+ ) {
762+ error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
763+ }
764+
765+ /*
766+ * WARNING!!!
767+ * There is no way to get log level,
768+ * so set to minimum.
769+ * After fix in log.c it can be fixed.
770+ */
771+ if (rv == CKR_OK) {
772+ pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
773+ }
774+
775+ if (
776+ rv == CKR_OK &&
777+ (rv = pkcs11h_setTokenPromptHook (_pkcs11_ssh_token_prompt, NULL)) != CKR_OK
778+ ) {
779+ error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
780+ }
781+
782+ if (
783+ rv == CKR_OK &&
784+ (rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt, NULL)) != CKR_OK
785+ ) {
786+ error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
787+ }
788+
789+ if (
790+ rv == CKR_OK &&
791+ (rv = pkcs11h_setProtectedAuthentication (fProtectedAuthentication)) != CKR_OK
792+ ) {
793+ error ("PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
794+ }
795+
796+ if (
797+ rv == CKR_OK &&
798+ (rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK
799+ ) {
800+ error ("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
801+ }
802+
803+ debug3 (
804+ "PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
805+ rv,
806+ pkcs11h_getMessage (rv)
807+ );
808+
809+ return rv == CKR_OK;
810+}
811+
812+void
813+pkcs11_terminate () {
814+ debug3 ("PKCS#11: pkcs11_terminate - entered");
815+
816+ pkcs11h_terminate ();
817+
818+ debug3 ("PKCS#11: pkcs11_terminate - return");
819+}
820+
821+void
822+pkcs11_forkFix () {
823+ pkcs11h_forkFixup ();
824+}
825+
826+int
827+pkcs11_setAskPIN (
828+ const char * const pin_prog
829+) {
830+ if (pin_prog != NULL) {
831+ if (s_szSetPINProg != NULL) {
832+ xfree (s_szSetPINProg);
833+ s_szSetPINProg = NULL;
834+ }
835+
836+ s_szSetPINProg = xstrdup (pin_prog);
837+ }
838+
839+ return 1;
840+}
841+
842+int
843+pkcs11_addProvider (
844+ const char * const provider,
845+ const int fProtectedAuthentication,
846+ const char * const sign_mode,
847+ const int fCertIsPrivate
848+) {
849+ unsigned maskSignMode = 0;
850+ CK_RV rv = CKR_OK;
851+
852+ PKCS11H_ASSERT (provider != NULL);
853+ PKCS11H_ASSERT (sign_mode != NULL);
854+
855+ debug3 (
856+ "PKCS#11: pkcs11_addProvider - entered - provider='%s', fProtectedAuthentication=%d, sign_mode='%s', fCertIsPrivate=%d",
857+ provider,
858+ fProtectedAuthentication ? 1 : 0,
859+ sign_mode == NULL ? "default" : sign_mode,
860+ fCertIsPrivate ? 1 : 0
861+ );
862+
863+ debug (
864+ "PKCS#11: Adding PKCS#11 provider '%s'",
865+ provider
866+ );
867+
868+ if (rv == CKR_OK) {
869+ if (sign_mode == NULL || !strcmp (sign_mode, "auto")) {
870+ maskSignMode = 0;
871+ }
872+ else if (!strcmp (sign_mode, "sign")) {
873+ maskSignMode = PKCS11H_SIGNMODE_MASK_SIGN;
874+ }
875+ else if (!strcmp (sign_mode, "recover")) {
876+ maskSignMode = PKCS11H_SIGNMODE_MASK_RECOVER;
877+ }
878+ else if (!strcmp (sign_mode, "any")) {
879+ maskSignMode = (
880+ PKCS11H_SIGNMODE_MASK_SIGN |
881+ PKCS11H_SIGNMODE_MASK_RECOVER
882+ );
883+ }
884+ else {
885+ error ("PKCS#11: Invalid sign mode '%s'", sign_mode);
886+ rv = CKR_ARGUMENTS_BAD;
887+ }
888+ }
889+
890+ if (
891+ rv == CKR_OK &&
892+ (rv = pkcs11h_addProvider (
893+ provider,
894+ provider,
895+ fProtectedAuthentication,
896+ maskSignMode,
897+ PKCS11H_SLOTEVENT_METHOD_AUTO,
898+ 0,
899+ fCertIsPrivate
900+ )) != CKR_OK
901+ ) {
902+ error ("PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
903+ }
904+
905+ debug3 (
906+ "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
907+ rv,
908+ pkcs11h_getMessage (rv)
909+ );
910+
911+ return rv == CKR_OK;
912+}
913+
914+pkcs11_identity *
915+pkcs11_identity_new () {
916+ pkcs11_identity *id = xmalloc (sizeof (struct pkcs11_identity_s));
917+ if (id != NULL) {
918+ memset (id, 0, sizeof (struct pkcs11_identity_s));
919+ }
920+ return id;
921+}
922+
923+void
924+pkcs11_identity_free (
925+ const pkcs11_identity * const id
926+) {
927+ if (id != NULL) {
928+ xfree ((void *)id);
929+ }
930+}
931+
932+void
933+pkcs11_getKey (
934+ IN const pkcs11_identity * const id,
935+ OUT Key ** const sshkey,
936+ OUT char * const szComment,
937+ IN const int nCommentMax
938+) {
939+ X509 *x509 = NULL;
940+ RSA *rsa = NULL;
941+ pkcs11h_certificate_id_t certificate_id = NULL;
942+ pkcs11h_certificate_t certificate = NULL;
943+ pkcs11h_openssl_session_t openssl_session = NULL;
944+ size_t temp;
945+ CK_RV rv = CKR_OK;
946+
947+ int fOK = TRUE;
948+
949+ debug3 (
950+ "PKCS#11: pkcs11_getKey - entered - id=%p, sshkey=%p, szComment=%p, nCommentMax=%d",
951+ (void *)id,
952+ (void *)sshkey,
953+ (void *)szComment,
954+ nCommentMax
955+ );
956+
957+ PKCS11H_ASSERT (id != NULL);
958+ PKCS11H_ASSERT (sshkey!=NULL);
959+ PKCS11H_ASSERT (szComment!=NULL);
960+
961+ debug3 (
962+ "PKCS#11: pkcs11_getKey - id - id=%s, pin_cache_period=%d, cert_file=%s",
963+ id->id,
964+ id->pin_cache_period,
965+ id->cert_file
966+ );
967+
968+ PKCS11H_ASSERT (id->id);
969+
970+ if (
971+ fOK &&
972+ pkcs11h_certificate_deserializeCertificateId (&certificate_id, id->id)
973+ ) {
974+ fOK = FALSE;
975+ error ("PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
976+ }
977+
978+ if (
979+ fOK &&
980+ id->cert_file != NULL &&
981+ id->cert_file[0] != '\x0'
982+ ) {
983+ X509 *x509 = NULL;
984+ unsigned char *p = NULL;
985+ unsigned char *certificate_blob = NULL;
986+ size_t certificate_blob_size = 0;
987+ FILE *fp = NULL;
988+
989+ if (
990+ fOK &&
991+ (fp = fopen (id->cert_file, "r")) == NULL
992+ ) {
993+ fOK = FALSE;
994+ error ("PKCS#11: Cannot open file '%s'", id->cert_file);
995+ }
996+
997+ if (
998+ fOK &&
999+ !PEM_read_X509 (
1000+ fp,
1001+ &x509,
1002+ NULL,
1003+ 0
1004+ )
1005+ ) {
1006+ x509 = NULL;
1007+ fOK = FALSE;
1008+ error ("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
1009+ }
1010+
1011+ if (
1012+ fOK &&
1013+ (certificate_blob_size = i2d_X509 (x509, NULL)) < 0
1014+ ) {
1015+ fOK = FALSE;
1016+ error ("PKCS#11: Cannot read decode certificate");
1017+ }
1018+
1019+ if (
1020+ fOK &&
1021+ (certificate_blob = (unsigned char *)xmalloc (certificate_blob_size)) == NULL
1022+ ) {
1023+ fOK = FALSE;
1024+ error ("PKCS#11: Cannot allocate memory");
1025+ }
1026+
1027+ /*
1028+ * i2d_X509 increments p!!!
1029+ */
1030+ p = certificate_blob;
1031+
1032+ if (
1033+ fOK &&
1034+ (certificate_blob_size = i2d_X509 (x509, &p)) < 0
1035+ ) {
1036+ fOK = FALSE;
1037+ error ("PKCS#11: Cannot read decode certificate");
1038+ }
1039+
1040+ if (
1041+ fOK &&
1042+ pkcs11h_certificate_setCertificateIdCertificateBlob (
1043+ certificate_id,
1044+ certificate_blob,
1045+ certificate_blob_size
1046+ ) != CKR_OK
1047+ ) {
1048+ fOK = FALSE;
1049+ error ("PKCS#11: Cannot set certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
1050+ }
1051+
1052+ if (x509 != NULL) {
1053+ X509_free (x509);
1054+ x509 = NULL;
1055+ }
1056+
1057+ if (certificate_blob != NULL) {
1058+ xfree (certificate_blob);
1059+ certificate_blob = NULL;
1060+ }
1061+
1062+ if (fp != NULL) {
1063+ fclose (fp);
1064+ fp = NULL;
1065+ }
1066+ }
1067+
1068+ if (
1069+ fOK &&
1070+ (rv = pkcs11h_certificate_create (
1071+ certificate_id,
1072+ NULL,
1073+ PKCS11H_PROMPT_MASK_ALLOW_ALL,
1074+ id->pin_cache_period,
1075+ &certificate
1076+ )) != CKR_OK
1077+ ) {
1078+ fOK = FALSE;
1079+ error ("PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
1080+ }
1081+
1082+ if (certificate_id != NULL){
1083+ pkcs11h_certificate_freeCertificateId (certificate_id);
1084+ certificate_id = NULL;
1085+ }
1086+
1087+ /*
1088+ * Is called so next certificate_id will
1089+ * contain a proper description
1090+ */
1091+ if (
1092+ fOK &&
1093+ (rv = pkcs11h_certificate_getCertificateBlob (
1094+ certificate,
1095+ NULL,
1096+ &temp
1097+ )) != CKR_OK
1098+ ) {
1099+ fOK = FALSE;
1100+ error ("PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
1101+ }
1102+
1103+ if (
1104+ fOK &&
1105+ (rv = pkcs11h_certificate_getCertificateId (
1106+ certificate,
1107+ &certificate_id
1108+ )) != CKR_OK
1109+ ) {
1110+ fOK = FALSE;
1111+ error ("PKCS#11: Cannot get certificate_id %ld-'%s'", rv, pkcs11h_getMessage (rv));
1112+ }
1113+
1114+ if (fOK) {
1115+ strncpy (szComment, certificate_id->displayName, nCommentMax);
1116+ szComment[nCommentMax - 1] = '\0';
1117+ }
1118+
1119+ if (
1120+ fOK &&
1121+ (openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL
1122+ ) {
1123+ fOK = FALSE;
1124+ error ("PKCS#11: Cannot initialize openssl session");
1125+ }
1126+
1127+ if (fOK) {
1128+ /*
1129+ * will be release by openssl_session
1130+ */
1131+ certificate = NULL;
1132+ }
1133+
1134+ if (
1135+ fOK &&
1136+ (rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL
1137+ ) {
1138+ fOK = FALSE;
1139+ error ("PKCS#11: Unable get rsa object");
1140+ }
1141+
1142+ if (
1143+ fOK &&
1144+ (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
1145+ ) {
1146+ fOK = FALSE;
1147+ error ("PKCS#11: Unable get certificate object");
1148+ }
1149+
1150+ if (fOK) {
1151+ *sshkey = key_new_private (KEY_UNSPEC);
1152+ (*sshkey)->rsa = rsa;
1153+ rsa = NULL;
1154+#if defined(SSH_PKCS11_X509_DISABLED)
1155+ (*sshkey)->type = KEY_RSA;
1156+#else
1157+ (*sshkey)->type = KEY_X509_RSA;
1158+ (*sshkey)->x509 = x509;
1159+ x509 = NULL;
1160+#endif
1161+ }
1162+
1163+ if (x509 != NULL) {
1164+ X509_free (x509);
1165+ x509 = NULL;
1166+ }
1167+
1168+ if (openssl_session != NULL) {
1169+ pkcs11h_openssl_freeSession (openssl_session);
1170+ openssl_session = NULL;
1171+ }
1172+
1173+ if (certificate != NULL) {
1174+ pkcs11h_certificate_freeCertificate (certificate);
1175+ certificate = NULL;
1176+ }
1177+
1178+ if (certificate_id != NULL) {
1179+ pkcs11h_certificate_freeCertificateId (certificate_id);
1180+ certificate_id = NULL;
1181+ }
1182+
1183+ debug3 (
1184+ "PKCS#11: pkcs11_getKey - return fOK=%d, rv=%ld",
1185+ fOK ? 1 : 0,
1186+ rv
1187+ );
1188+}
1189+
1190+void
1191+pkcs11_show_ids (
1192+ const char * const provider,
1193+ int allow_protected_auth,
1194+ int cert_is_private
1195+) {
1196+ pkcs11h_certificate_id_list_t user_certificates = NULL;
1197+ pkcs11h_certificate_id_list_t current = NULL;
1198+ CK_RV rv = CKR_OK;
1199+
1200+ if (rv == CKR_OK) {
1201+ rv = pkcs11h_initialize ();
1202+ }
1203+
1204+ if (rv == CKR_OK) {
1205+ rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL);
1206+ }
1207+
1208+ if (rv == CKR_OK) {
1209+ pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
1210+ }
1211+
1212+ if (rv == CKR_OK) {
1213+ rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt_cli, NULL);
1214+ }
1215+
1216+ if (rv == CKR_OK) {
1217+ rv = pkcs11h_setProtectedAuthentication (TRUE);
1218+ }
1219+
1220+ if (rv == CKR_OK) {
1221+ rv = pkcs11h_addProvider (
1222+ provider,
1223+ provider,
1224+ allow_protected_auth ? TRUE : FALSE,
1225+ 0,
1226+ FALSE,
1227+ 0,
1228+ cert_is_private ? TRUE : FALSE
1229+ );
1230+ }
1231+
1232+ if (rv == CKR_OK) {
1233+ rv = pkcs11h_certificate_enumCertificateIds (
1234+ PKCS11H_ENUM_METHOD_CACHE_EXIST,
1235+ NULL,
1236+ PKCS11H_PROMPT_MASK_ALLOW_ALL,
1237+ NULL,
1238+ &user_certificates
1239+ );
1240+ }
1241+
1242+ for (current = user_certificates; rv == CKR_OK && current != NULL; current = current->next) {
1243+ pkcs11h_certificate_t certificate = NULL;
1244+ X509 *x509 = NULL;
1245+ char dn[1024] = {0};
1246+ char *ser = NULL;
1247+ char *ssh_key = NULL;
1248+ size_t ser_len = 0;
1249+
1250+ if (rv == CKR_OK) {
1251+ rv = pkcs11h_certificate_serializeCertificateId (NULL, &ser_len, current->certificate_id);
1252+ }
1253+
1254+ if (
1255+ rv == CKR_OK &&
1256+ (ser = (char *)xmalloc (ser_len)) == NULL
1257+ ) {
1258+ rv = CKR_HOST_MEMORY;
1259+ }
1260+
1261+ if (rv == CKR_OK) {
1262+ rv = pkcs11h_certificate_serializeCertificateId (ser, &ser_len, current->certificate_id);
1263+ }
1264+
1265+ if (rv == CKR_OK) {
1266+ rv = pkcs11h_certificate_create (
1267+ current->certificate_id,
1268+ NULL,
1269+ PKCS11H_PROMPT_MASK_ALLOW_ALL,
1270+ PKCS11H_PIN_CACHE_INFINITE,
1271+ &certificate
1272+ );
1273+ }
1274+
1275+ if (
1276+ rv == CKR_OK &&
1277+ (x509 = pkcs11h_openssl_getX509 (certificate)) == NULL
1278+ ) {
1279+ rv = CKR_FUNCTION_FAILED;
1280+ }
1281+
1282+ if (rv == CKR_OK) {
1283+ X509_NAME_oneline (
1284+ X509_get_subject_name (x509),
1285+ dn,
1286+ sizeof (dn)
1287+ );
1288+ printf (
1289+ (
1290+ "\n"
1291+ "********************************************\n"
1292+ "IDENTITY:\n"
1293+ " DN: %s\n"
1294+ " Serialized id: %s\n"
1295+ "\n"
1296+ " Certificate:\n"
1297+ ),
1298+ dn,
1299+ ser
1300+ );
1301+ PEM_write_X509 (stdout, x509);
1302+ }
1303+
1304+ if (
1305+ rv == CKR_OK &&
1306+ (ssh_key = ssh_from_x509 (x509)) != NULL
1307+ ) {
1308+ printf (
1309+ (
1310+ "\n"
1311+ " SSH:\n"
1312+ "%s\n"
1313+ ),
1314+ ssh_key
1315+ );
1316+
1317+ xfree (ssh_key);
1318+ }
1319+
1320+ if (x509 != NULL) {
1321+ X509_free (x509);
1322+ x509 = NULL;
1323+ }
1324+
1325+ if (certificate != NULL) {
1326+ pkcs11h_certificate_freeCertificate (certificate);
1327+ certificate = NULL;
1328+ }
1329+
1330+ if (ser != NULL) {
1331+ xfree (ser);
1332+ ser = NULL;
1333+ }
1334+
1335+ /*
1336+ * Ignore error
1337+ */
1338+ if (rv != CKR_OK) {
1339+ error ("PKCS#11: Failed to get id %ld-'%s'", rv, pkcs11h_getMessage (rv));
1340+ rv = CKR_OK;
1341+ }
1342+ }
1343+
1344+ if (user_certificates != NULL) {
1345+ pkcs11h_certificate_freeCertificateIdList (user_certificates);
1346+ user_certificates = NULL;
1347+ }
1348+
1349+ pkcs11h_terminate ();
1350+}
1351+
1352+void
1353+pkcs11_dump_slots (
1354+ const char * const provider
1355+) {
1356+ pkcs11h_standalone_dump_slots (
1357+ _pkcs11_ssh_print,
1358+ NULL,
1359+ provider
1360+ );
1361+}
1362+
1363+void
1364+pkcs11_dump_objects (
1365+ const char * const provider,
1366+ const char * const slot,
1367+ const char * const pin
1368+) {
1369+ pkcs11h_standalone_dump_objects (
1370+ _pkcs11_ssh_print,
1371+ NULL,
1372+ provider,
1373+ slot,
1374+ pin
1375+ );
1376+}
1377+
1378+/*
1379+ * The ssh_from_x509 is dirived of Tatu and Markus work.
1380+ *
1381+ * Copyright (c) 2006 Alon bar-Lev <alon.barlev@gmail.com>. All rights reserved.
1382+ * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1383+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
1384+ */
1385+
1386+#define PUT_32BIT(cp, value) ( \
1387+ (cp)[0] = (value) >> 24, \
1388+ (cp)[1] = (value) >> 16, \
1389+ (cp)[2] = (value) >> 8, \
1390+ (cp)[3] = (value) )
1391+
1392+static
1393+char *
1394+ssh_from_x509 (X509 *x509) {
1395+
1396+ EVP_PKEY *pubkey = NULL;
1397+ BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
1398+ unsigned char *blob = NULL, *buffer = NULL;
1399+ char *ret = NULL;
1400+ int blobsize = 0, retsize = 0;
1401+ int bytes_name = 0, bytes_exponent = 0, bytes_modulus = 0;
1402+ unsigned char *bp;
1403+ char *p;
1404+ int n;
1405+ const char *keyname = NULL;
1406+ int ok = 1;
1407+
1408+ if (ok && (pubkey = X509_get_pubkey (x509)) == NULL) {
1409+ ok = 0;
1410+ }
1411+
1412+ if (ok && (bio64 = BIO_new (BIO_f_base64 ())) == NULL) {
1413+ ok = 0;
1414+ }
1415+
1416+ if (ok && (bio = BIO_new (BIO_s_mem ())) == NULL) {
1417+ ok = 0;
1418+ }
1419+
1420+ if (ok && (bio2 = BIO_push (bio64, bio)) == NULL) {
1421+ ok = 0;
1422+ }
1423+
1424+ if (ok && pubkey->type != EVP_PKEY_RSA) {
1425+ ok = 0;
1426+ }
1427+
1428+ if (ok) {
1429+ keyname = "ssh-rsa";
1430+ }
1431+
1432+ if (ok) {
1433+ bytes_name = strlen (keyname);
1434+ bytes_exponent = BN_num_bytes (pubkey->pkey.rsa->e);
1435+ bytes_modulus = BN_num_bytes (pubkey->pkey.rsa->n);
1436+
1437+ blobsize = (
1438+ 4 + bytes_name +
1439+ 4 + (bytes_exponent + 1) +
1440+ 4 + (bytes_modulus + 1) +
1441+ 1
1442+ );
1443+ }
1444+
1445+ if (ok && (blob = (unsigned char *)xmalloc (blobsize)) == NULL) {
1446+ ok = 0;
1447+ }
1448+
1449+ if (ok && (buffer = (unsigned char *)xmalloc (blobsize)) == NULL) {
1450+ ok = 0;
1451+ }
1452+
1453+ if (ok) {
1454+ bp = blob;
1455+
1456+ PUT_32BIT (bp, bytes_name), bp += 4;
1457+ memcpy (bp, keyname, bytes_name), bp += bytes_name;
1458+
1459+ BN_bn2bin (pubkey->pkey.rsa->e, buffer);
1460+ if (buffer[0] & 0x80) {
1461+ // highest bit set would indicate a negative number.
1462+ // to avoid this, we have to spend an extra byte:
1463+ PUT_32BIT (bp, bytes_exponent+1), bp += 4;
1464+ *(bp++) = 0;
1465+ } else {
1466+ PUT_32BIT (bp, bytes_exponent), bp += 4;
1467+ }
1468+ memcpy (bp, buffer, bytes_exponent), bp += bytes_exponent;
1469+
1470+ BN_bn2bin (pubkey->pkey.rsa->n, buffer);
1471+ if (buffer[0] & 0x80) {
1472+ PUT_32BIT (bp, bytes_modulus+1), bp += 4;
1473+ *(bp++) = 0;
1474+ } else {
1475+ PUT_32BIT( bp, bytes_modulus ), bp += 4;
1476+ }
1477+ memcpy (bp, buffer, bytes_modulus), bp += bytes_modulus;
1478+ }
1479+
1480+
1481+ if (ok && BIO_write (bio2, blob, bp-blob) == -1) {
1482+ ok = 0;
1483+ }
1484+
1485+ if (ok && BIO_flush (bio2) == -1) {
1486+ ok = 0;
1487+ }
1488+
1489+ /*
1490+ * Allocate the newline too... We will remove them later
1491+ * For MS, allocate return as well.
1492+ */
1493+ if (ok) {
1494+ retsize = strlen (keyname) + 1 + (blobsize * 4 / 3) + (blobsize * 2 / 50) + 10 + 1;
1495+ }
1496+
1497+ if (ok && (ret = xmalloc (retsize)) == NULL) {
1498+ ok = 0;
1499+ }
1500+
1501+ if (ok) {
1502+ strcpy (ret, keyname);
1503+ strcat (ret, " ");
1504+ }
1505+
1506+ if (ok && (n = BIO_read (bio, ret + strlen (ret), retsize - strlen (ret) - 1)) == -1) {
1507+ ok = 0;
1508+ }
1509+
1510+ if (ok) {
1511+ ret[strlen (keyname) + 1 + n] = '\x0';
1512+ }
1513+
1514+ if (ok) {
1515+ while ((p = strchr (ret, '\n')) != NULL) {
1516+ memmove (p, p+1, strlen (p)+1);
1517+ }
1518+ while ((p = strchr (ret, '\r')) != NULL) {
1519+ memmove (p, p+1, strlen (p)+1);
1520+ }
1521+
1522+ }
1523+
1524+ if (bio != NULL) {
1525+ BIO_free_all (bio);
1526+ bio = NULL;
1527+ }
1528+
1529+ if (pubkey != NULL) {
1530+ EVP_PKEY_free (pubkey);
1531+ pubkey = NULL;
1532+ }
1533+
1534+ if (buffer != NULL) {
1535+ xfree (buffer);
1536+ buffer = NULL;
1537+ }
1538+
1539+ if (blob != NULL) {
1540+ xfree (blob);
1541+ blob = NULL;
1542+ }
1543+
1544+ if (!ok) {
1545+ if (ret != NULL) {
1546+ xfree (ret);
1547+ ret = NULL;
1548+ }
1549+ }
1550+
1551+ return ret;
1552+}
1553+
1554+#else
1555+static void dummy (void) {}
1556+#endif /* SSH_PKCS11_DISABLED */
1557diff -urNp openssh-4.4p1/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11.h
1558--- openssh-4.4p1/pkcs11.h 1970-01-01 02:00:00.000000000 +0200
1559+++ openssh-4.4p1+pkcs11-0.17/pkcs11.h 2006-10-12 13:55:28.000000000 +0200
1560@@ -0,0 +1,100 @@
1561+/*
1562+ * Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
1563+ *
1564+ * Redistribution and use in source and binary forms, with or without
1565+ * modification, are permitted provided that the following conditions
1566+ * are met:
1567+ * 1. Redistributions of source code must retain the above copyright
1568+ * notice, this list of conditions and the following disclaimer.
1569+ * 2. Redistributions in binary form must reproduce the above copyright
1570+ * notice, this list of conditions and the following disclaimer in the
1571+ * documentation and/or other materials provided with the distribution.
1572+ *
1573+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1574+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1575+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1576+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1577+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1578+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1579+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1580+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1581+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1582+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1583+ */
1584+
1585+#ifndef SSH_PKCS11_H
1586+#define SSH_PKCS11_H
1587+
1588+#if !defined(SSH_PKCS11_DISABLED)
1589+
1590+#include "key.h"
1591+
1592+typedef struct pkcs11_identity_s {
1593+ char *id;
1594+ int pin_cache_period;
1595+ char *cert_file;
1596+} pkcs11_identity;
1597+
1598+int
1599+pkcs11_initialize (
1600+ const int fProtectedAuthentication,
1601+ const int nPINCachePeriod
1602+);
1603+
1604+void
1605+pkcs11_terminate ();
1606+
1607+void
1608+pkcs11_forkFix ();
1609+
1610+int
1611+pkcs11_setAskPIN (
1612+ const char * const pin_prog
1613+);
1614+
1615+int
1616+pkcs11_addProvider (
1617+ const char * const provider,
1618+ const int fProtectedAuthentication,
1619+ const char * const sign_mode,
1620+ const int fCertIsPrivate
1621+);
1622+
1623+pkcs11_identity *
1624+pkcs11_identity_new ();
1625+
1626+void
1627+pkcs11_identity_free (
1628+ const pkcs11_identity * const id
1629+);
1630+
1631+void
1632+pkcs11_getKey (
1633+ const pkcs11_identity * const id,
1634+ Key ** const sshkey,
1635+ char * const szComment,
1636+ const int nCommentMax
1637+);
1638+
1639+void
1640+pkcs11_show_ids (
1641+ const char * const provider,
1642+ int allow_protected_auth,
1643+ int cert_is_private
1644+);
1645+
1646+void
1647+pkcs11_dump_slots (
1648+ const char * const provider
1649+);
1650+
1651+void
1652+pkcs11_dump_objects (
1653+ const char * const provider,
1654+ const char * const slot,
1655+ const char * const pin
1656+);
1657+
1658+#endif /* SSH_PKCS11_DISABLED */
1659+
1660+#endif /* OPENSSH_PKCS11_H */
1661diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11f.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h
1662--- openssh-4.4p1/pkcs11-headers/pkcs11f.h 1970-01-01 02:00:00.000000000 +0200
1663+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h 2006-09-28 08:05:35.000000000 +0300
1664@@ -0,0 +1,912 @@
1665+/* pkcs11f.h include file for PKCS #11. */
1666+/* $Revision: 1.4 $ */
1667+
1668+/* License to copy and use this software is granted provided that it is
1669+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
1670+ * (Cryptoki)" in all material mentioning or referencing this software.
1671+
1672+ * License is also granted to make and use derivative works provided that
1673+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
1674+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
1675+ * referencing the derived work.
1676+
1677+ * RSA Security Inc. makes no representations concerning either the
1678+ * merchantability of this software or the suitability of this software for
1679+ * any particular purpose. It is provided "as is" without express or implied
1680+ * warranty of any kind.
1681+ */
1682+
1683+/* This header file contains pretty much everything about all the */
1684+/* Cryptoki function prototypes. Because this information is */
1685+/* used for more than just declaring function prototypes, the */
1686+/* order of the functions appearing herein is important, and */
1687+/* should not be altered. */
1688+
1689+/* General-purpose */
1690+
1691+/* C_Initialize initializes the Cryptoki library. */
1692+CK_PKCS11_FUNCTION_INFO(C_Initialize)
1693+#ifdef CK_NEED_ARG_LIST
1694+(
1695+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
1696+ * cast to CK_C_INITIALIZE_ARGS_PTR
1697+ * and dereferenced */
1698+);
1699+#endif
1700+
1701+
1702+/* C_Finalize indicates that an application is done with the
1703+ * Cryptoki library. */
1704+CK_PKCS11_FUNCTION_INFO(C_Finalize)
1705+#ifdef CK_NEED_ARG_LIST
1706+(
1707+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
1708+);
1709+#endif
1710+
1711+
1712+/* C_GetInfo returns general information about Cryptoki. */
1713+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
1714+#ifdef CK_NEED_ARG_LIST
1715+(
1716+ CK_INFO_PTR pInfo /* location that receives information */
1717+);
1718+#endif
1719+
1720+
1721+/* C_GetFunctionList returns the function list. */
1722+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
1723+#ifdef CK_NEED_ARG_LIST
1724+(
1725+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
1726+ * function list */
1727+);
1728+#endif
1729+
1730+
1731+
1732+/* Slot and token management */
1733+
1734+/* C_GetSlotList obtains a list of slots in the system. */
1735+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
1736+#ifdef CK_NEED_ARG_LIST
1737+(
1738+ CK_BBOOL tokenPresent, /* only slots with tokens? */
1739+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
1740+ CK_ULONG_PTR pulCount /* receives number of slots */
1741+);
1742+#endif
1743+
1744+
1745+/* C_GetSlotInfo obtains information about a particular slot in
1746+ * the system. */
1747+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
1748+#ifdef CK_NEED_ARG_LIST
1749+(
1750+ CK_SLOT_ID slotID, /* the ID of the slot */
1751+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
1752+);
1753+#endif
1754+
1755+
1756+/* C_GetTokenInfo obtains information about a particular token
1757+ * in the system. */
1758+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
1759+#ifdef CK_NEED_ARG_LIST
1760+(
1761+ CK_SLOT_ID slotID, /* ID of the token's slot */
1762+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
1763+);
1764+#endif
1765+
1766+
1767+/* C_GetMechanismList obtains a list of mechanism types
1768+ * supported by a token. */
1769+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
1770+#ifdef CK_NEED_ARG_LIST
1771+(
1772+ CK_SLOT_ID slotID, /* ID of token's slot */
1773+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
1774+ CK_ULONG_PTR pulCount /* gets # of mechs. */
1775+);
1776+#endif
1777+
1778+
1779+/* C_GetMechanismInfo obtains information about a particular
1780+ * mechanism possibly supported by a token. */
1781+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
1782+#ifdef CK_NEED_ARG_LIST
1783+(
1784+ CK_SLOT_ID slotID, /* ID of the token's slot */
1785+ CK_MECHANISM_TYPE type, /* type of mechanism */
1786+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
1787+);
1788+#endif
1789+
1790+
1791+/* C_InitToken initializes a token. */
1792+CK_PKCS11_FUNCTION_INFO(C_InitToken)
1793+#ifdef CK_NEED_ARG_LIST
1794+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
1795+(
1796+ CK_SLOT_ID slotID, /* ID of the token's slot */
1797+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
1798+ CK_ULONG ulPinLen, /* length in bytes of the PIN */
1799+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
1800+);
1801+#endif
1802+
1803+
1804+/* C_InitPIN initializes the normal user's PIN. */
1805+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
1806+#ifdef CK_NEED_ARG_LIST
1807+(
1808+ CK_SESSION_HANDLE hSession, /* the session's handle */
1809+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
1810+ CK_ULONG ulPinLen /* length in bytes of the PIN */
1811+);
1812+#endif
1813+
1814+
1815+/* C_SetPIN modifies the PIN of the user who is logged in. */
1816+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
1817+#ifdef CK_NEED_ARG_LIST
1818+(
1819+ CK_SESSION_HANDLE hSession, /* the session's handle */
1820+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
1821+ CK_ULONG ulOldLen, /* length of the old PIN */
1822+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
1823+ CK_ULONG ulNewLen /* length of the new PIN */
1824+);
1825+#endif
1826+
1827+
1828+
1829+/* Session management */
1830+
1831+/* C_OpenSession opens a session between an application and a
1832+ * token. */
1833+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
1834+#ifdef CK_NEED_ARG_LIST
1835+(
1836+ CK_SLOT_ID slotID, /* the slot's ID */
1837+ CK_FLAGS flags, /* from CK_SESSION_INFO */
1838+ CK_VOID_PTR pApplication, /* passed to callback */
1839+ CK_NOTIFY Notify, /* callback function */
1840+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
1841+);
1842+#endif
1843+
1844+
1845+/* C_CloseSession closes a session between an application and a
1846+ * token. */
1847+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
1848+#ifdef CK_NEED_ARG_LIST
1849+(
1850+ CK_SESSION_HANDLE hSession /* the session's handle */
1851+);
1852+#endif
1853+
1854+
1855+/* C_CloseAllSessions closes all sessions with a token. */
1856+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
1857+#ifdef CK_NEED_ARG_LIST
1858+(
1859+ CK_SLOT_ID slotID /* the token's slot */
1860+);
1861+#endif
1862+
1863+
1864+/* C_GetSessionInfo obtains information about the session. */
1865+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
1866+#ifdef CK_NEED_ARG_LIST
1867+(
1868+ CK_SESSION_HANDLE hSession, /* the session's handle */
1869+ CK_SESSION_INFO_PTR pInfo /* receives session info */
1870+);
1871+#endif
1872+
1873+
1874+/* C_GetOperationState obtains the state of the cryptographic operation
1875+ * in a session. */
1876+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
1877+#ifdef CK_NEED_ARG_LIST
1878+(
1879+ CK_SESSION_HANDLE hSession, /* session's handle */
1880+ CK_BYTE_PTR pOperationState, /* gets state */
1881+ CK_ULONG_PTR pulOperationStateLen /* gets state length */
1882+);
1883+#endif
1884+
1885+
1886+/* C_SetOperationState restores the state of the cryptographic
1887+ * operation in a session. */
1888+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
1889+#ifdef CK_NEED_ARG_LIST
1890+(
1891+ CK_SESSION_HANDLE hSession, /* session's handle */
1892+ CK_BYTE_PTR pOperationState, /* holds state */
1893+ CK_ULONG ulOperationStateLen, /* holds state length */
1894+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
1895+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
1896+);
1897+#endif
1898+
1899+
1900+/* C_Login logs a user into a token. */
1901+CK_PKCS11_FUNCTION_INFO(C_Login)
1902+#ifdef CK_NEED_ARG_LIST
1903+(
1904+ CK_SESSION_HANDLE hSession, /* the session's handle */
1905+ CK_USER_TYPE userType, /* the user type */
1906+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
1907+ CK_ULONG ulPinLen /* the length of the PIN */
1908+);
1909+#endif
1910+
1911+
1912+/* C_Logout logs a user out from a token. */
1913+CK_PKCS11_FUNCTION_INFO(C_Logout)
1914+#ifdef CK_NEED_ARG_LIST
1915+(
1916+ CK_SESSION_HANDLE hSession /* the session's handle */
1917+);
1918+#endif
1919+
1920+
1921+
1922+/* Object management */
1923+
1924+/* C_CreateObject creates a new object. */
1925+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
1926+#ifdef CK_NEED_ARG_LIST
1927+(
1928+ CK_SESSION_HANDLE hSession, /* the session's handle */
1929+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
1930+ CK_ULONG ulCount, /* attributes in template */
1931+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
1932+);
1933+#endif
1934+
1935+
1936+/* C_CopyObject copies an object, creating a new object for the
1937+ * copy. */
1938+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
1939+#ifdef CK_NEED_ARG_LIST
1940+(
1941+ CK_SESSION_HANDLE hSession, /* the session's handle */
1942+ CK_OBJECT_HANDLE hObject, /* the object's handle */
1943+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
1944+ CK_ULONG ulCount, /* attributes in template */
1945+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
1946+);
1947+#endif
1948+
1949+
1950+/* C_DestroyObject destroys an object. */
1951+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
1952+#ifdef CK_NEED_ARG_LIST
1953+(
1954+ CK_SESSION_HANDLE hSession, /* the session's handle */
1955+ CK_OBJECT_HANDLE hObject /* the object's handle */
1956+);
1957+#endif
1958+
1959+
1960+/* C_GetObjectSize gets the size of an object in bytes. */
1961+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
1962+#ifdef CK_NEED_ARG_LIST
1963+(
1964+ CK_SESSION_HANDLE hSession, /* the session's handle */
1965+ CK_OBJECT_HANDLE hObject, /* the object's handle */
1966+ CK_ULONG_PTR pulSize /* receives size of object */
1967+);
1968+#endif
1969+
1970+
1971+/* C_GetAttributeValue obtains the value of one or more object
1972+ * attributes. */
1973+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
1974+#ifdef CK_NEED_ARG_LIST
1975+(
1976+ CK_SESSION_HANDLE hSession, /* the session's handle */
1977+ CK_OBJECT_HANDLE hObject, /* the object's handle */
1978+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
1979+ CK_ULONG ulCount /* attributes in template */
1980+);
1981+#endif
1982+
1983+
1984+/* C_SetAttributeValue modifies the value of one or more object
1985+ * attributes */
1986+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
1987+#ifdef CK_NEED_ARG_LIST
1988+(
1989+ CK_SESSION_HANDLE hSession, /* the session's handle */
1990+ CK_OBJECT_HANDLE hObject, /* the object's handle */
1991+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
1992+ CK_ULONG ulCount /* attributes in template */
1993+);
1994+#endif
1995+
1996+
1997+/* C_FindObjectsInit initializes a search for token and session
1998+ * objects that match a template. */
1999+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
2000+#ifdef CK_NEED_ARG_LIST
2001+(
2002+ CK_SESSION_HANDLE hSession, /* the session's handle */
2003+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
2004+ CK_ULONG ulCount /* attrs in search template */
2005+);
2006+#endif
2007+
2008+
2009+/* C_FindObjects continues a search for token and session
2010+ * objects that match a template, obtaining additional object
2011+ * handles. */
2012+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
2013+#ifdef CK_NEED_ARG_LIST
2014+(
2015+ CK_SESSION_HANDLE hSession, /* session's handle */
2016+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
2017+ CK_ULONG ulMaxObjectCount, /* max handles to get */
2018+ CK_ULONG_PTR pulObjectCount /* actual # returned */
2019+);
2020+#endif
2021+
2022+
2023+/* C_FindObjectsFinal finishes a search for token and session
2024+ * objects. */
2025+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
2026+#ifdef CK_NEED_ARG_LIST
2027+(
2028+ CK_SESSION_HANDLE hSession /* the session's handle */
2029+);
2030+#endif
2031+
2032+
2033+
2034+/* Encryption and decryption */
2035+
2036+/* C_EncryptInit initializes an encryption operation. */
2037+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
2038+#ifdef CK_NEED_ARG_LIST
2039+(
2040+ CK_SESSION_HANDLE hSession, /* the session's handle */
2041+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
2042+ CK_OBJECT_HANDLE hKey /* handle of encryption key */
2043+);
2044+#endif
2045+
2046+
2047+/* C_Encrypt encrypts single-part data. */
2048+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
2049+#ifdef CK_NEED_ARG_LIST
2050+(
2051+ CK_SESSION_HANDLE hSession, /* session's handle */
2052+ CK_BYTE_PTR pData, /* the plaintext data */
2053+ CK_ULONG ulDataLen, /* bytes of plaintext */
2054+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
2055+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
2056+);
2057+#endif
2058+
2059+
2060+/* C_EncryptUpdate continues a multiple-part encryption
2061+ * operation. */
2062+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
2063+#ifdef CK_NEED_ARG_LIST
2064+(
2065+ CK_SESSION_HANDLE hSession, /* session's handle */
2066+ CK_BYTE_PTR pPart, /* the plaintext data */
2067+ CK_ULONG ulPartLen, /* plaintext data len */
2068+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2069+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
2070+);
2071+#endif
2072+
2073+
2074+/* C_EncryptFinal finishes a multiple-part encryption
2075+ * operation. */
2076+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
2077+#ifdef CK_NEED_ARG_LIST
2078+(
2079+ CK_SESSION_HANDLE hSession, /* session handle */
2080+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
2081+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
2082+);
2083+#endif
2084+
2085+
2086+/* C_DecryptInit initializes a decryption operation. */
2087+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
2088+#ifdef CK_NEED_ARG_LIST
2089+(
2090+ CK_SESSION_HANDLE hSession, /* the session's handle */
2091+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
2092+ CK_OBJECT_HANDLE hKey /* handle of decryption key */
2093+);
2094+#endif
2095+
2096+
2097+/* C_Decrypt decrypts encrypted data in a single part. */
2098+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
2099+#ifdef CK_NEED_ARG_LIST
2100+(
2101+ CK_SESSION_HANDLE hSession, /* session's handle */
2102+ CK_BYTE_PTR pEncryptedData, /* ciphertext */
2103+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
2104+ CK_BYTE_PTR pData, /* gets plaintext */
2105+ CK_ULONG_PTR pulDataLen /* gets p-text size */
2106+);
2107+#endif
2108+
2109+
2110+/* C_DecryptUpdate continues a multiple-part decryption
2111+ * operation. */
2112+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
2113+#ifdef CK_NEED_ARG_LIST
2114+(
2115+ CK_SESSION_HANDLE hSession, /* session's handle */
2116+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
2117+ CK_ULONG ulEncryptedPartLen, /* input length */
2118+ CK_BYTE_PTR pPart, /* gets plaintext */
2119+ CK_ULONG_PTR pulPartLen /* p-text size */
2120+);
2121+#endif
2122+
2123+
2124+/* C_DecryptFinal finishes a multiple-part decryption
2125+ * operation. */
2126+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
2127+#ifdef CK_NEED_ARG_LIST
2128+(
2129+ CK_SESSION_HANDLE hSession, /* the session's handle */
2130+ CK_BYTE_PTR pLastPart, /* gets plaintext */
2131+ CK_ULONG_PTR pulLastPartLen /* p-text size */
2132+);
2133+#endif
2134+
2135+
2136+
2137+/* Message digesting */
2138+
2139+/* C_DigestInit initializes a message-digesting operation. */
2140+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
2141+#ifdef CK_NEED_ARG_LIST
2142+(
2143+ CK_SESSION_HANDLE hSession, /* the session's handle */
2144+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
2145+);
2146+#endif
2147+
2148+
2149+/* C_Digest digests data in a single part. */
2150+CK_PKCS11_FUNCTION_INFO(C_Digest)
2151+#ifdef CK_NEED_ARG_LIST
2152+(
2153+ CK_SESSION_HANDLE hSession, /* the session's handle */
2154+ CK_BYTE_PTR pData, /* data to be digested */
2155+ CK_ULONG ulDataLen, /* bytes of data to digest */
2156+ CK_BYTE_PTR pDigest, /* gets the message digest */
2157+ CK_ULONG_PTR pulDigestLen /* gets digest length */
2158+);
2159+#endif
2160+
2161+
2162+/* C_DigestUpdate continues a multiple-part message-digesting
2163+ * operation. */
2164+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
2165+#ifdef CK_NEED_ARG_LIST
2166+(
2167+ CK_SESSION_HANDLE hSession, /* the session's handle */
2168+ CK_BYTE_PTR pPart, /* data to be digested */
2169+ CK_ULONG ulPartLen /* bytes of data to be digested */
2170+);
2171+#endif
2172+
2173+
2174+/* C_DigestKey continues a multi-part message-digesting
2175+ * operation, by digesting the value of a secret key as part of
2176+ * the data already digested. */
2177+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
2178+#ifdef CK_NEED_ARG_LIST
2179+(
2180+ CK_SESSION_HANDLE hSession, /* the session's handle */
2181+ CK_OBJECT_HANDLE hKey /* secret key to digest */
2182+);
2183+#endif
2184+
2185+
2186+/* C_DigestFinal finishes a multiple-part message-digesting
2187+ * operation. */
2188+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
2189+#ifdef CK_NEED_ARG_LIST
2190+(
2191+ CK_SESSION_HANDLE hSession, /* the session's handle */
2192+ CK_BYTE_PTR pDigest, /* gets the message digest */
2193+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
2194+);
2195+#endif
2196+
2197+
2198+
2199+/* Signing and MACing */
2200+
2201+/* C_SignInit initializes a signature (private key encryption)
2202+ * operation, where the signature is (will be) an appendix to
2203+ * the data, and plaintext cannot be recovered from the
2204+ *signature. */
2205+CK_PKCS11_FUNCTION_INFO(C_SignInit)
2206+#ifdef CK_NEED_ARG_LIST
2207+(
2208+ CK_SESSION_HANDLE hSession, /* the session's handle */
2209+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
2210+ CK_OBJECT_HANDLE hKey /* handle of signature key */
2211+);
2212+#endif
2213+
2214+
2215+/* C_Sign signs (encrypts with private key) data in a single
2216+ * part, where the signature is (will be) an appendix to the
2217+ * data, and plaintext cannot be recovered from the signature. */
2218+CK_PKCS11_FUNCTION_INFO(C_Sign)
2219+#ifdef CK_NEED_ARG_LIST
2220+(
2221+ CK_SESSION_HANDLE hSession, /* the session's handle */
2222+ CK_BYTE_PTR pData, /* the data to sign */
2223+ CK_ULONG ulDataLen, /* count of bytes to sign */
2224+ CK_BYTE_PTR pSignature, /* gets the signature */
2225+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
2226+);
2227+#endif
2228+
2229+
2230+/* C_SignUpdate continues a multiple-part signature operation,
2231+ * where the signature is (will be) an appendix to the data,
2232+ * and plaintext cannot be recovered from the signature. */
2233+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
2234+#ifdef CK_NEED_ARG_LIST
2235+(
2236+ CK_SESSION_HANDLE hSession, /* the session's handle */
2237+ CK_BYTE_PTR pPart, /* the data to sign */
2238+ CK_ULONG ulPartLen /* count of bytes to sign */
2239+);
2240+#endif
2241+
2242+
2243+/* C_SignFinal finishes a multiple-part signature operation,
2244+ * returning the signature. */
2245+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
2246+#ifdef CK_NEED_ARG_LIST
2247+(
2248+ CK_SESSION_HANDLE hSession, /* the session's handle */
2249+ CK_BYTE_PTR pSignature, /* gets the signature */
2250+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
2251+);
2252+#endif
2253+
2254+
2255+/* C_SignRecoverInit initializes a signature operation, where
2256+ * the data can be recovered from the signature. */
2257+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
2258+#ifdef CK_NEED_ARG_LIST
2259+(
2260+ CK_SESSION_HANDLE hSession, /* the session's handle */
2261+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
2262+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
2263+);
2264+#endif
2265+
2266+
2267+/* C_SignRecover signs data in a single operation, where the
2268+ * data can be recovered from the signature. */
2269+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
2270+#ifdef CK_NEED_ARG_LIST
2271+(
2272+ CK_SESSION_HANDLE hSession, /* the session's handle */
2273+ CK_BYTE_PTR pData, /* the data to sign */
2274+ CK_ULONG ulDataLen, /* count of bytes to sign */
2275+ CK_BYTE_PTR pSignature, /* gets the signature */
2276+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
2277+);
2278+#endif
2279+
2280+
2281+
2282+/* Verifying signatures and MACs */
2283+
2284+/* C_VerifyInit initializes a verification operation, where the
2285+ * signature is an appendix to the data, and plaintext cannot
2286+ * cannot be recovered from the signature (e.g. DSA). */
2287+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
2288+#ifdef CK_NEED_ARG_LIST
2289+(
2290+ CK_SESSION_HANDLE hSession, /* the session's handle */
2291+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
2292+ CK_OBJECT_HANDLE hKey /* verification key */
2293+);
2294+#endif
2295+
2296+
2297+/* C_Verify verifies a signature in a single-part operation,
2298+ * where the signature is an appendix to the data, and plaintext
2299+ * cannot be recovered from the signature. */
2300+CK_PKCS11_FUNCTION_INFO(C_Verify)
2301+#ifdef CK_NEED_ARG_LIST
2302+(
2303+ CK_SESSION_HANDLE hSession, /* the session's handle */
2304+ CK_BYTE_PTR pData, /* signed data */
2305+ CK_ULONG ulDataLen, /* length of signed data */
2306+ CK_BYTE_PTR pSignature, /* signature */
2307+ CK_ULONG ulSignatureLen /* signature length*/
2308+);
2309+#endif
2310+
2311+
2312+/* C_VerifyUpdate continues a multiple-part verification
2313+ * operation, where the signature is an appendix to the data,
2314+ * and plaintext cannot be recovered from the signature. */
2315+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
2316+#ifdef CK_NEED_ARG_LIST
2317+(
2318+ CK_SESSION_HANDLE hSession, /* the session's handle */
2319+ CK_BYTE_PTR pPart, /* signed data */
2320+ CK_ULONG ulPartLen /* length of signed data */
2321+);
2322+#endif
2323+
2324+
2325+/* C_VerifyFinal finishes a multiple-part verification
2326+ * operation, checking the signature. */
2327+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
2328+#ifdef CK_NEED_ARG_LIST
2329+(
2330+ CK_SESSION_HANDLE hSession, /* the session's handle */
2331+ CK_BYTE_PTR pSignature, /* signature to verify */
2332+ CK_ULONG ulSignatureLen /* signature length */
2333+);
2334+#endif
2335+
2336+
2337+/* C_VerifyRecoverInit initializes a signature verification
2338+ * operation, where the data is recovered from the signature. */
2339+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
2340+#ifdef CK_NEED_ARG_LIST
2341+(
2342+ CK_SESSION_HANDLE hSession, /* the session's handle */
2343+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
2344+ CK_OBJECT_HANDLE hKey /* verification key */
2345+);
2346+#endif
2347+
2348+
2349+/* C_VerifyRecover verifies a signature in a single-part
2350+ * operation, where the data is recovered from the signature. */
2351+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
2352+#ifdef CK_NEED_ARG_LIST
2353+(
2354+ CK_SESSION_HANDLE hSession, /* the session's handle */
2355+ CK_BYTE_PTR pSignature, /* signature to verify */
2356+ CK_ULONG ulSignatureLen, /* signature length */
2357+ CK_BYTE_PTR pData, /* gets signed data */
2358+ CK_ULONG_PTR pulDataLen /* gets signed data len */
2359+);
2360+#endif
2361+
2362+
2363+
2364+/* Dual-function cryptographic operations */
2365+
2366+/* C_DigestEncryptUpdate continues a multiple-part digesting
2367+ * and encryption operation. */
2368+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
2369+#ifdef CK_NEED_ARG_LIST
2370+(
2371+ CK_SESSION_HANDLE hSession, /* session's handle */
2372+ CK_BYTE_PTR pPart, /* the plaintext data */
2373+ CK_ULONG ulPartLen, /* plaintext length */
2374+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2375+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
2376+);
2377+#endif
2378+
2379+
2380+/* C_DecryptDigestUpdate continues a multiple-part decryption and
2381+ * digesting operation. */
2382+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
2383+#ifdef CK_NEED_ARG_LIST
2384+(
2385+ CK_SESSION_HANDLE hSession, /* session's handle */
2386+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
2387+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
2388+ CK_BYTE_PTR pPart, /* gets plaintext */
2389+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
2390+);
2391+#endif
2392+
2393+
2394+/* C_SignEncryptUpdate continues a multiple-part signing and
2395+ * encryption operation. */
2396+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
2397+#ifdef CK_NEED_ARG_LIST
2398+(
2399+ CK_SESSION_HANDLE hSession, /* session's handle */
2400+ CK_BYTE_PTR pPart, /* the plaintext data */
2401+ CK_ULONG ulPartLen, /* plaintext length */
2402+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2403+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
2404+);
2405+#endif
2406+
2407+
2408+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
2409+ * verify operation. */
2410+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
2411+#ifdef CK_NEED_ARG_LIST
2412+(
2413+ CK_SESSION_HANDLE hSession, /* session's handle */
2414+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
2415+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
2416+ CK_BYTE_PTR pPart, /* gets plaintext */
2417+ CK_ULONG_PTR pulPartLen /* gets p-text length */
2418+);
2419+#endif
2420+
2421+
2422+
2423+/* Key management */
2424+
2425+/* C_GenerateKey generates a secret key, creating a new key
2426+ * object. */
2427+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
2428+#ifdef CK_NEED_ARG_LIST
2429+(
2430+ CK_SESSION_HANDLE hSession, /* the session's handle */
2431+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
2432+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
2433+ CK_ULONG ulCount, /* # of attrs in template */
2434+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
2435+);
2436+#endif
2437+
2438+
2439+/* C_GenerateKeyPair generates a public-key/private-key pair,
2440+ * creating new key objects. */
2441+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
2442+#ifdef CK_NEED_ARG_LIST
2443+(
2444+ CK_SESSION_HANDLE hSession, /* session
2445+ * handle */
2446+ CK_MECHANISM_PTR pMechanism, /* key-gen
2447+ * mech. */
2448+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
2449+ * for pub.
2450+ * key */
2451+ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
2452+ * attrs. */
2453+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
2454+ * for priv.
2455+ * key */
2456+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
2457+ * attrs. */
2458+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
2459+ * key
2460+ * handle */
2461+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
2462+ * priv. key
2463+ * handle */
2464+);
2465+#endif
2466+
2467+
2468+/* C_WrapKey wraps (i.e., encrypts) a key. */
2469+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
2470+#ifdef CK_NEED_ARG_LIST
2471+(
2472+ CK_SESSION_HANDLE hSession, /* the session's handle */
2473+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
2474+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
2475+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
2476+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
2477+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
2478+);
2479+#endif
2480+
2481+
2482+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
2483+ * key object. */
2484+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
2485+#ifdef CK_NEED_ARG_LIST
2486+(
2487+ CK_SESSION_HANDLE hSession, /* session's handle */
2488+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
2489+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
2490+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
2491+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
2492+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
2493+ CK_ULONG ulAttributeCount, /* template length */
2494+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
2495+);
2496+#endif
2497+
2498+
2499+/* C_DeriveKey derives a key from a base key, creating a new key
2500+ * object. */
2501+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
2502+#ifdef CK_NEED_ARG_LIST
2503+(
2504+ CK_SESSION_HANDLE hSession, /* session's handle */
2505+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
2506+ CK_OBJECT_HANDLE hBaseKey, /* base key */
2507+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
2508+ CK_ULONG ulAttributeCount, /* template length */
2509+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
2510+);
2511+#endif
2512+
2513+
2514+
2515+/* Random number generation */
2516+
2517+/* C_SeedRandom mixes additional seed material into the token's
2518+ * random number generator. */
2519+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
2520+#ifdef CK_NEED_ARG_LIST
2521+(
2522+ CK_SESSION_HANDLE hSession, /* the session's handle */
2523+ CK_BYTE_PTR pSeed, /* the seed material */
2524+ CK_ULONG ulSeedLen /* length of seed material */
2525+);
2526+#endif
2527+
2528+
2529+/* C_GenerateRandom generates random data. */
2530+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
2531+#ifdef CK_NEED_ARG_LIST
2532+(
2533+ CK_SESSION_HANDLE hSession, /* the session's handle */
2534+ CK_BYTE_PTR RandomData, /* receives the random data */
2535+ CK_ULONG ulRandomLen /* # of bytes to generate */
2536+);
2537+#endif
2538+
2539+
2540+
2541+/* Parallel function management */
2542+
2543+/* C_GetFunctionStatus is a legacy function; it obtains an
2544+ * updated status of a function running in parallel with an
2545+ * application. */
2546+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
2547+#ifdef CK_NEED_ARG_LIST
2548+(
2549+ CK_SESSION_HANDLE hSession /* the session's handle */
2550+);
2551+#endif
2552+
2553+
2554+/* C_CancelFunction is a legacy function; it cancels a function
2555+ * running in parallel. */
2556+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
2557+#ifdef CK_NEED_ARG_LIST
2558+(
2559+ CK_SESSION_HANDLE hSession /* the session's handle */
2560+);
2561+#endif
2562+
2563+
2564+
2565+/* Functions added in for Cryptoki Version 2.01 or later */
2566+
2567+/* C_WaitForSlotEvent waits for a slot event (token insertion,
2568+ * removal, etc.) to occur. */
2569+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
2570+#ifdef CK_NEED_ARG_LIST
2571+(
2572+ CK_FLAGS flags, /* blocking/nonblocking flag */
2573+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
2574+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
2575+);
2576+#endif
2577diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h
2578--- openssh-4.4p1/pkcs11-headers/pkcs11.h 1970-01-01 02:00:00.000000000 +0200
2579+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h 2006-09-28 08:05:35.000000000 +0300
2580@@ -0,0 +1,299 @@
2581+/* pkcs11.h include file for PKCS #11. */
2582+/* $Revision: 1.4 $ */
2583+
2584+/* License to copy and use this software is granted provided that it is
2585+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
2586+ * (Cryptoki)" in all material mentioning or referencing this software.
2587+
2588+ * License is also granted to make and use derivative works provided that
2589+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
2590+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
2591+ * referencing the derived work.
2592+
2593+ * RSA Security Inc. makes no representations concerning either the
2594+ * merchantability of this software or the suitability of this software for
2595+ * any particular purpose. It is provided "as is" without express or implied
2596+ * warranty of any kind.
2597+ */
2598+
2599+#ifndef _PKCS11_H_
2600+#define _PKCS11_H_ 1
2601+
2602+#ifdef __cplusplus
2603+extern "C" {
2604+#endif
2605+
2606+/* Before including this file (pkcs11.h) (or pkcs11t.h by
2607+ * itself), 6 platform-specific macros must be defined. These
2608+ * macros are described below, and typical definitions for them
2609+ * are also given. Be advised that these definitions can depend
2610+ * on both the platform and the compiler used (and possibly also
2611+ * on whether a Cryptoki library is linked statically or
2612+ * dynamically).
2613+ *
2614+ * In addition to defining these 6 macros, the packing convention
2615+ * for Cryptoki structures should be set. The Cryptoki
2616+ * convention on packing is that structures should be 1-byte
2617+ * aligned.
2618+ *
2619+ * If you're using Microsoft Developer Studio 5.0 to produce
2620+ * Win32 stuff, this might be done by using the following
2621+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
2622+ *
2623+ * #pragma pack(push, cryptoki, 1)
2624+ *
2625+ * and using the following preprocessor directive after including
2626+ * pkcs11.h or pkcs11t.h:
2627+ *
2628+ * #pragma pack(pop, cryptoki)
2629+ *
2630+ * If you're using an earlier version of Microsoft Developer
2631+ * Studio to produce Win16 stuff, this might be done by using
2632+ * the following preprocessor directive before including
2633+ * pkcs11.h or pkcs11t.h:
2634+ *
2635+ * #pragma pack(1)
2636+ *
2637+ * In a UNIX environment, you're on your own for this. You might
2638+ * not need to do (or be able to do!) anything.
2639+ *
2640+ *
2641+ * Now for the macros:
2642+ *
2643+ *
2644+ * 1. CK_PTR: The indirection string for making a pointer to an
2645+ * object. It can be used like this:
2646+ *
2647+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
2648+ *
2649+ * If you're using Microsoft Developer Studio 5.0 to produce
2650+ * Win32 stuff, it might be defined by:
2651+ *
2652+ * #define CK_PTR *
2653+ *
2654+ * If you're using an earlier version of Microsoft Developer
2655+ * Studio to produce Win16 stuff, it might be defined by:
2656+ *
2657+ * #define CK_PTR far *
2658+ *
2659+ * In a typical UNIX environment, it might be defined by:
2660+ *
2661+ * #define CK_PTR *
2662+ *
2663+ *
2664+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
2665+ * an exportable Cryptoki library function definition out of a
2666+ * return type and a function name. It should be used in the
2667+ * following fashion to define the exposed Cryptoki functions in
2668+ * a Cryptoki library:
2669+ *
2670+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
2671+ * CK_VOID_PTR pReserved
2672+ * )
2673+ * {
2674+ * ...
2675+ * }
2676+ *
2677+ * If you're using Microsoft Developer Studio 5.0 to define a
2678+ * function in a Win32 Cryptoki .dll, it might be defined by:
2679+ *
2680+ * #define CK_DEFINE_FUNCTION(returnType, name) \
2681+ * returnType __declspec(dllexport) name
2682+ *
2683+ * If you're using an earlier version of Microsoft Developer
2684+ * Studio to define a function in a Win16 Cryptoki .dll, it
2685+ * might be defined by:
2686+ *
2687+ * #define CK_DEFINE_FUNCTION(returnType, name) \
2688+ * returnType __export _far _pascal name
2689+ *
2690+ * In a UNIX environment, it might be defined by:
2691+ *
2692+ * #define CK_DEFINE_FUNCTION(returnType, name) \
2693+ * returnType name
2694+ *
2695+ *
2696+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
2697+ * an importable Cryptoki library function declaration out of a
2698+ * return type and a function name. It should be used in the
2699+ * following fashion:
2700+ *
2701+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
2702+ * CK_VOID_PTR pReserved
2703+ * );
2704+ *
2705+ * If you're using Microsoft Developer Studio 5.0 to declare a
2706+ * function in a Win32 Cryptoki .dll, it might be defined by:
2707+ *
2708+ * #define CK_DECLARE_FUNCTION(returnType, name) \
2709+ * returnType __declspec(dllimport) name
2710+ *
2711+ * If you're using an earlier version of Microsoft Developer
2712+ * Studio to declare a function in a Win16 Cryptoki .dll, it
2713+ * might be defined by:
2714+ *
2715+ * #define CK_DECLARE_FUNCTION(returnType, name) \
2716+ * returnType __export _far _pascal name
2717+ *
2718+ * In a UNIX environment, it might be defined by:
2719+ *
2720+ * #define CK_DECLARE_FUNCTION(returnType, name) \
2721+ * returnType name
2722+ *
2723+ *
2724+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
2725+ * which makes a Cryptoki API function pointer declaration or
2726+ * function pointer type declaration out of a return type and a
2727+ * function name. It should be used in the following fashion:
2728+ *
2729+ * // Define funcPtr to be a pointer to a Cryptoki API function
2730+ * // taking arguments args and returning CK_RV.
2731+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
2732+ *
2733+ * or
2734+ *
2735+ * // Define funcPtrType to be the type of a pointer to a
2736+ * // Cryptoki API function taking arguments args and returning
2737+ * // CK_RV, and then define funcPtr to be a variable of type
2738+ * // funcPtrType.
2739+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
2740+ * funcPtrType funcPtr;
2741+ *
2742+ * If you're using Microsoft Developer Studio 5.0 to access
2743+ * functions in a Win32 Cryptoki .dll, in might be defined by:
2744+ *
2745+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2746+ * returnType __declspec(dllimport) (* name)
2747+ *
2748+ * If you're using an earlier version of Microsoft Developer
2749+ * Studio to access functions in a Win16 Cryptoki .dll, it might
2750+ * be defined by:
2751+ *
2752+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2753+ * returnType __export _far _pascal (* name)
2754+ *
2755+ * In a UNIX environment, it might be defined by:
2756+ *
2757+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2758+ * returnType (* name)
2759+ *
2760+ *
2761+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
2762+ * a function pointer type for an application callback out of
2763+ * a return type for the callback and a name for the callback.
2764+ * It should be used in the following fashion:
2765+ *
2766+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
2767+ *
2768+ * to declare a function pointer, myCallback, to a callback
2769+ * which takes arguments args and returns a CK_RV. It can also
2770+ * be used like this:
2771+ *
2772+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
2773+ * myCallbackType myCallback;
2774+ *
2775+ * If you're using Microsoft Developer Studio 5.0 to do Win32
2776+ * Cryptoki development, it might be defined by:
2777+ *
2778+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
2779+ * returnType (* name)
2780+ *
2781+ * If you're using an earlier version of Microsoft Developer
2782+ * Studio to do Win16 development, it might be defined by:
2783+ *
2784+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
2785+ * returnType _far _pascal (* name)
2786+ *
2787+ * In a UNIX environment, it might be defined by:
2788+ *
2789+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
2790+ * returnType (* name)
2791+ *
2792+ *
2793+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
2794+ *
2795+ * In any ANSI/ISO C environment (and in many others as well),
2796+ * this should best be defined by
2797+ *
2798+ * #ifndef NULL_PTR
2799+ * #define NULL_PTR 0
2800+ * #endif
2801+ */
2802+
2803+
2804+/* All the various Cryptoki types and #define'd values are in the
2805+ * file pkcs11t.h. */
2806+#include "pkcs11t.h"
2807+
2808+#define __PASTE(x,y) x##y
2809+
2810+
2811+/* ==============================================================
2812+ * Define the "extern" form of all the entry points.
2813+ * ==============================================================
2814+ */
2815+
2816+#define CK_NEED_ARG_LIST 1
2817+#define CK_PKCS11_FUNCTION_INFO(name) \
2818+ extern CK_DECLARE_FUNCTION(CK_RV, name)
2819+
2820+/* pkcs11f.h has all the information about the Cryptoki
2821+ * function prototypes. */
2822+#include "pkcs11f.h"
2823+
2824+#undef CK_NEED_ARG_LIST
2825+#undef CK_PKCS11_FUNCTION_INFO
2826+
2827+
2828+/* ==============================================================
2829+ * Define the typedef form of all the entry points. That is, for
2830+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
2831+ * a pointer to that kind of function.
2832+ * ==============================================================
2833+ */
2834+
2835+#define CK_NEED_ARG_LIST 1
2836+#define CK_PKCS11_FUNCTION_INFO(name) \
2837+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
2838+
2839+/* pkcs11f.h has all the information about the Cryptoki
2840+ * function prototypes. */
2841+#include "pkcs11f.h"
2842+
2843+#undef CK_NEED_ARG_LIST
2844+#undef CK_PKCS11_FUNCTION_INFO
2845+
2846+
2847+/* ==============================================================
2848+ * Define structed vector of entry points. A CK_FUNCTION_LIST
2849+ * contains a CK_VERSION indicating a library's Cryptoki version
2850+ * and then a whole slew of function pointers to the routines in
2851+ * the library. This type was declared, but not defined, in
2852+ * pkcs11t.h.
2853+ * ==============================================================
2854+ */
2855+
2856+#define CK_PKCS11_FUNCTION_INFO(name) \
2857+ __PASTE(CK_,name) name;
2858+
2859+struct CK_FUNCTION_LIST {
2860+
2861+ CK_VERSION version; /* Cryptoki version */
2862+
2863+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
2864+/* pkcs11f.h has all the information about the Cryptoki
2865+ * function prototypes. */
2866+#include "pkcs11f.h"
2867+
2868+};
2869+
2870+#undef CK_PKCS11_FUNCTION_INFO
2871+
2872+
2873+#undef __PASTE
2874+
2875+#ifdef __cplusplus
2876+}
2877+#endif
2878+
2879+#endif
2880diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11t.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h
2881--- openssh-4.4p1/pkcs11-headers/pkcs11t.h 1970-01-01 02:00:00.000000000 +0200
2882+++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h 2006-09-28 08:05:35.000000000 +0300
2883@@ -0,0 +1,1685 @@
2884+/* pkcs11t.h include file for PKCS #11. */
2885+/* $Revision: 1.6 $ */
2886+
2887+/* License to copy and use this software is granted provided that it is
2888+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
2889+ * (Cryptoki)" in all material mentioning or referencing this software.
2890+
2891+ * License is also granted to make and use derivative works provided that
2892+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
2893+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
2894+ * referencing the derived work.
2895+
2896+ * RSA Security Inc. makes no representations concerning either the
2897+ * merchantability of this software or the suitability of this software for
2898+ * any particular purpose. It is provided "as is" without express or implied
2899+ * warranty of any kind.
2900+ */
2901+
2902+/* See top of pkcs11.h for information about the macros that
2903+ * must be defined and the structure-packing conventions that
2904+ * must be set before including this file. */
2905+
2906+#ifndef _PKCS11T_H_
2907+#define _PKCS11T_H_ 1
2908+
2909+#define CK_TRUE 1
2910+#define CK_FALSE 0
2911+
2912+#ifndef CK_DISABLE_TRUE_FALSE
2913+#ifndef FALSE
2914+#define FALSE CK_FALSE
2915+#endif
2916+
2917+#ifndef TRUE
2918+#define TRUE CK_TRUE
2919+#endif
2920+#endif
2921+
2922+/* an unsigned 8-bit value */
2923+typedef unsigned char CK_BYTE;
2924+
2925+/* an unsigned 8-bit character */
2926+typedef CK_BYTE CK_CHAR;
2927+
2928+/* an 8-bit UTF-8 character */
2929+typedef CK_BYTE CK_UTF8CHAR;
2930+
2931+/* a BYTE-sized Boolean flag */
2932+typedef CK_BYTE CK_BBOOL;
2933+
2934+/* an unsigned value, at least 32 bits long */
2935+typedef unsigned long int CK_ULONG;
2936+
2937+/* a signed value, the same size as a CK_ULONG */
2938+/* CK_LONG is new for v2.0 */
2939+typedef long int CK_LONG;
2940+
2941+/* at least 32 bits; each bit is a Boolean flag */
2942+typedef CK_ULONG CK_FLAGS;
2943+
2944+
2945+/* some special values for certain CK_ULONG variables */
2946+#define CK_UNAVAILABLE_INFORMATION (~0UL)
2947+#define CK_EFFECTIVELY_INFINITE 0
2948+
2949+
2950+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
2951+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
2952+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
2953+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
2954+typedef void CK_PTR CK_VOID_PTR;
2955+
2956+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
2957+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
2958+
2959+
2960+/* The following value is always invalid if used as a session */
2961+/* handle or object handle */
2962+#define CK_INVALID_HANDLE 0
2963+
2964+
2965+typedef struct CK_VERSION {
2966+ CK_BYTE major; /* integer portion of version number */
2967+ CK_BYTE minor; /* 1/100ths portion of version number */
2968+} CK_VERSION;
2969+
2970+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
2971+
2972+
2973+typedef struct CK_INFO {
2974+ /* manufacturerID and libraryDecription have been changed from
2975+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
2976+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
2977+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
2978+ CK_FLAGS flags; /* must be zero */
2979+
2980+ /* libraryDescription and libraryVersion are new for v2.0 */
2981+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
2982+ CK_VERSION libraryVersion; /* version of library */
2983+} CK_INFO;
2984+
2985+typedef CK_INFO CK_PTR CK_INFO_PTR;
2986+
2987+
2988+/* CK_NOTIFICATION enumerates the types of notifications that
2989+ * Cryptoki provides to an application */
2990+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
2991+ * for v2.0 */
2992+typedef CK_ULONG CK_NOTIFICATION;
2993+#define CKN_SURRENDER 0
2994+
2995+
2996+typedef CK_ULONG CK_SLOT_ID;
2997+
2998+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
2999+
3000+
3001+/* CK_SLOT_INFO provides information about a slot */
3002+typedef struct CK_SLOT_INFO {
3003+ /* slotDescription and manufacturerID have been changed from
3004+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
3005+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
3006+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
3007+ CK_FLAGS flags;
3008+
3009+ /* hardwareVersion and firmwareVersion are new for v2.0 */
3010+ CK_VERSION hardwareVersion; /* version of hardware */
3011+ CK_VERSION firmwareVersion; /* version of firmware */
3012+} CK_SLOT_INFO;
3013+
3014+/* flags: bit flags that provide capabilities of the slot
3015+ * Bit Flag Mask Meaning
3016+ */
3017+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
3018+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
3019+#define CKF_HW_SLOT 0x00000004 /* hardware slot */
3020+
3021+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
3022+
3023+
3024+/* CK_TOKEN_INFO provides information about a token */
3025+typedef struct CK_TOKEN_INFO {
3026+ /* label, manufacturerID, and model have been changed from
3027+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
3028+ CK_UTF8CHAR label[32]; /* blank padded */
3029+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
3030+ CK_UTF8CHAR model[16]; /* blank padded */
3031+ CK_CHAR serialNumber[16]; /* blank padded */
3032+ CK_FLAGS flags; /* see below */
3033+
3034+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
3035+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
3036+ * changed from CK_USHORT to CK_ULONG for v2.0 */
3037+ CK_ULONG ulMaxSessionCount; /* max open sessions */
3038+ CK_ULONG ulSessionCount; /* sess. now open */
3039+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
3040+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
3041+ CK_ULONG ulMaxPinLen; /* in bytes */
3042+ CK_ULONG ulMinPinLen; /* in bytes */
3043+ CK_ULONG ulTotalPublicMemory; /* in bytes */
3044+ CK_ULONG ulFreePublicMemory; /* in bytes */
3045+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
3046+ CK_ULONG ulFreePrivateMemory; /* in bytes */
3047+
3048+ /* hardwareVersion, firmwareVersion, and time are new for
3049+ * v2.0 */
3050+ CK_VERSION hardwareVersion; /* version of hardware */
3051+ CK_VERSION firmwareVersion; /* version of firmware */
3052+ CK_CHAR utcTime[16]; /* time */
3053+} CK_TOKEN_INFO;
3054+
3055+/* The flags parameter is defined as follows:
3056+ * Bit Flag Mask Meaning
3057+ */
3058+#define CKF_RNG 0x00000001 /* has random #
3059+ * generator */
3060+#define CKF_WRITE_PROTECTED 0x00000002 /* token is
3061+ * write-
3062+ * protected */
3063+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
3064+ * login */
3065+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
3066+ * PIN is set */
3067+
3068+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
3069+ * that means that *every* time the state of cryptographic
3070+ * operations of a session is successfully saved, all keys
3071+ * needed to continue those operations are stored in the state */
3072+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
3073+
3074+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
3075+ * that the token has some sort of clock. The time on that
3076+ * clock is returned in the token info structure */
3077+#define CKF_CLOCK_ON_TOKEN 0x00000040
3078+
3079+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
3080+ * set, that means that there is some way for the user to login
3081+ * without sending a PIN through the Cryptoki library itself */
3082+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
3083+
3084+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
3085+ * that means that a single session with the token can perform
3086+ * dual simultaneous cryptographic operations (digest and
3087+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
3088+ * and sign) */
3089+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
3090+
3091+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
3092+ * token has been initialized using C_InitializeToken or an
3093+ * equivalent mechanism outside the scope of PKCS #11.
3094+ * Calling C_InitializeToken when this flag is set will cause
3095+ * the token to be reinitialized. */
3096+#define CKF_TOKEN_INITIALIZED 0x00000400
3097+
3098+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
3099+ * true, the token supports secondary authentication for
3100+ * private key objects. This flag is deprecated in v2.11 and
3101+ onwards. */
3102+#define CKF_SECONDARY_AUTHENTICATION 0x00000800
3103+
3104+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
3105+ * incorrect user login PIN has been entered at least once
3106+ * since the last successful authentication. */
3107+#define CKF_USER_PIN_COUNT_LOW 0x00010000
3108+
3109+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
3110+ * supplying an incorrect user PIN will it to become locked. */
3111+#define CKF_USER_PIN_FINAL_TRY 0x00020000
3112+
3113+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
3114+ * user PIN has been locked. User login to the token is not
3115+ * possible. */
3116+#define CKF_USER_PIN_LOCKED 0x00040000
3117+
3118+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
3119+ * the user PIN value is the default value set by token
3120+ * initialization or manufacturing, or the PIN has been
3121+ * expired by the card. */
3122+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
3123+
3124+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
3125+ * incorrect SO login PIN has been entered at least once since
3126+ * the last successful authentication. */
3127+#define CKF_SO_PIN_COUNT_LOW 0x00100000
3128+
3129+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
3130+ * supplying an incorrect SO PIN will it to become locked. */
3131+#define CKF_SO_PIN_FINAL_TRY 0x00200000
3132+
3133+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
3134+ * PIN has been locked. SO login to the token is not possible.
3135+ */
3136+#define CKF_SO_PIN_LOCKED 0x00400000
3137+
3138+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
3139+ * the SO PIN value is the default value set by token
3140+ * initialization or manufacturing, or the PIN has been
3141+ * expired by the card. */
3142+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
3143+
3144+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
3145+
3146+
3147+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
3148+ * identifies a session */
3149+typedef CK_ULONG CK_SESSION_HANDLE;
3150+
3151+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
3152+
3153+
3154+/* CK_USER_TYPE enumerates the types of Cryptoki users */
3155+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
3156+ * v2.0 */
3157+typedef CK_ULONG CK_USER_TYPE;
3158+/* Security Officer */
3159+#define CKU_SO 0
3160+/* Normal user */
3161+#define CKU_USER 1
3162+/* Context specific (added in v2.20) */
3163+#define CKU_CONTEXT_SPECIFIC 2
3164+
3165+/* CK_STATE enumerates the session states */
3166+/* CK_STATE has been changed from an enum to a CK_ULONG for
3167+ * v2.0 */
3168+typedef CK_ULONG CK_STATE;
3169+#define CKS_RO_PUBLIC_SESSION 0
3170+#define CKS_RO_USER_FUNCTIONS 1
3171+#define CKS_RW_PUBLIC_SESSION 2
3172+#define CKS_RW_USER_FUNCTIONS 3
3173+#define CKS_RW_SO_FUNCTIONS 4
3174+
3175+
3176+/* CK_SESSION_INFO provides information about a session */
3177+typedef struct CK_SESSION_INFO {
3178+ CK_SLOT_ID slotID;
3179+ CK_STATE state;
3180+ CK_FLAGS flags; /* see below */
3181+
3182+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
3183+ * v2.0 */
3184+ CK_ULONG ulDeviceError; /* device-dependent error code */
3185+} CK_SESSION_INFO;
3186+
3187+/* The flags are defined in the following table:
3188+ * Bit Flag Mask Meaning
3189+ */
3190+#define CKF_RW_SESSION 0x00000002 /* session is r/w */
3191+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
3192+
3193+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
3194+
3195+
3196+/* CK_OBJECT_HANDLE is a token-specific identifier for an
3197+ * object */
3198+typedef CK_ULONG CK_OBJECT_HANDLE;
3199+
3200+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
3201+
3202+
3203+/* CK_OBJECT_CLASS is a value that identifies the classes (or
3204+ * types) of objects that Cryptoki recognizes. It is defined
3205+ * as follows: */
3206+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
3207+ * v2.0 */
3208+typedef CK_ULONG CK_OBJECT_CLASS;
3209+
3210+/* The following classes of objects are defined: */
3211+/* CKO_HW_FEATURE is new for v2.10 */
3212+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
3213+/* CKO_MECHANISM is new for v2.20 */
3214+#define CKO_DATA 0x00000000
3215+#define CKO_CERTIFICATE 0x00000001
3216+#define CKO_PUBLIC_KEY 0x00000002
3217+#define CKO_PRIVATE_KEY 0x00000003
3218+#define CKO_SECRET_KEY 0x00000004
3219+#define CKO_HW_FEATURE 0x00000005
3220+#define CKO_DOMAIN_PARAMETERS 0x00000006
3221+#define CKO_MECHANISM 0x00000007
3222+#define CKO_VENDOR_DEFINED 0x80000000
3223+
3224+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
3225+
3226+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
3227+ * value that identifies the hardware feature type of an object
3228+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
3229+typedef CK_ULONG CK_HW_FEATURE_TYPE;
3230+
3231+/* The following hardware feature types are defined */
3232+/* CKH_USER_INTERFACE is new for v2.20 */
3233+#define CKH_MONOTONIC_COUNTER 0x00000001
3234+#define CKH_CLOCK 0x00000002
3235+#define CKH_USER_INTERFACE 0x00000003
3236+#define CKH_VENDOR_DEFINED 0x80000000
3237+
3238+/* CK_KEY_TYPE is a value that identifies a key type */
3239+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
3240+typedef CK_ULONG CK_KEY_TYPE;
3241+
3242+/* the following key types are defined: */
3243+#define CKK_RSA 0x00000000
3244+#define CKK_DSA 0x00000001
3245+#define CKK_DH 0x00000002
3246+
3247+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
3248+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
3249+#define CKK_ECDSA 0x00000003
3250+#define CKK_EC 0x00000003
3251+#define CKK_X9_42_DH 0x00000004
3252+#define CKK_KEA 0x00000005
3253+
3254+#define CKK_GENERIC_SECRET 0x00000010
3255+#define CKK_RC2 0x00000011
3256+#define CKK_RC4 0x00000012
3257+#define CKK_DES 0x00000013
3258+#define CKK_DES2 0x00000014
3259+#define CKK_DES3 0x00000015
3260+
3261+/* all these key types are new for v2.0 */
3262+#define CKK_CAST 0x00000016
3263+#define CKK_CAST3 0x00000017
3264+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
3265+#define CKK_CAST5 0x00000018
3266+#define CKK_CAST128 0x00000018
3267+#define CKK_RC5 0x00000019
3268+#define CKK_IDEA 0x0000001A
3269+#define CKK_SKIPJACK 0x0000001B
3270+#define CKK_BATON 0x0000001C
3271+#define CKK_JUNIPER 0x0000001D
3272+#define CKK_CDMF 0x0000001E
3273+#define CKK_AES 0x0000001F
3274+
3275+/* BlowFish and TwoFish are new for v2.20 */
3276+#define CKK_BLOWFISH 0x00000020
3277+#define CKK_TWOFISH 0x00000021
3278+
3279+#define CKK_VENDOR_DEFINED 0x80000000
3280+
3281+
3282+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
3283+ * type */
3284+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
3285+ * for v2.0 */
3286+typedef CK_ULONG CK_CERTIFICATE_TYPE;
3287+
3288+/* The following certificate types are defined: */
3289+/* CKC_X_509_ATTR_CERT is new for v2.10 */
3290+/* CKC_WTLS is new for v2.20 */
3291+#define CKC_X_509 0x00000000
3292+#define CKC_X_509_ATTR_CERT 0x00000001
3293+#define CKC_WTLS 0x00000002
3294+#define CKC_VENDOR_DEFINED 0x80000000
3295+
3296+
3297+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
3298+ * type */
3299+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
3300+ * v2.0 */
3301+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
3302+
3303+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
3304+ consists of an array of values. */
3305+#define CKF_ARRAY_ATTRIBUTE 0x40000000
3306+
3307+/* The following attribute types are defined: */
3308+#define CKA_CLASS 0x00000000
3309+#define CKA_TOKEN 0x00000001
3310+#define CKA_PRIVATE 0x00000002
3311+#define CKA_LABEL 0x00000003
3312+#define CKA_APPLICATION 0x00000010
3313+#define CKA_VALUE 0x00000011
3314+
3315+/* CKA_OBJECT_ID is new for v2.10 */
3316+#define CKA_OBJECT_ID 0x00000012
3317+
3318+#define CKA_CERTIFICATE_TYPE 0x00000080
3319+#define CKA_ISSUER 0x00000081
3320+#define CKA_SERIAL_NUMBER 0x00000082
3321+
3322+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
3323+ * for v2.10 */
3324+#define CKA_AC_ISSUER 0x00000083
3325+#define CKA_OWNER 0x00000084
3326+#define CKA_ATTR_TYPES 0x00000085
3327+
3328+/* CKA_TRUSTED is new for v2.11 */
3329+#define CKA_TRUSTED 0x00000086
3330+
3331+/* CKA_CERTIFICATE_CATEGORY ...
3332+ * CKA_CHECK_VALUE are new for v2.20 */
3333+#define CKA_CERTIFICATE_CATEGORY 0x00000087
3334+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
3335+#define CKA_URL 0x00000089
3336+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
3337+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
3338+#define CKA_CHECK_VALUE 0x00000090
3339+
3340+#define CKA_KEY_TYPE 0x00000100
3341+#define CKA_SUBJECT 0x00000101
3342+#define CKA_ID 0x00000102
3343+#define CKA_SENSITIVE 0x00000103
3344+#define CKA_ENCRYPT 0x00000104
3345+#define CKA_DECRYPT 0x00000105
3346+#define CKA_WRAP 0x00000106
3347+#define CKA_UNWRAP 0x00000107
3348+#define CKA_SIGN 0x00000108
3349+#define CKA_SIGN_RECOVER 0x00000109
3350+#define CKA_VERIFY 0x0000010A
3351+#define CKA_VERIFY_RECOVER 0x0000010B
3352+#define CKA_DERIVE 0x0000010C
3353+#define CKA_START_DATE 0x00000110
3354+#define CKA_END_DATE 0x00000111
3355+#define CKA_MODULUS 0x00000120
3356+#define CKA_MODULUS_BITS 0x00000121
3357+#define CKA_PUBLIC_EXPONENT 0x00000122
3358+#define CKA_PRIVATE_EXPONENT 0x00000123
3359+#define CKA_PRIME_1 0x00000124
3360+#define CKA_PRIME_2 0x00000125
3361+#define CKA_EXPONENT_1 0x00000126
3362+#define CKA_EXPONENT_2 0x00000127
3363+#define CKA_COEFFICIENT 0x00000128
3364+#define CKA_PRIME 0x00000130
3365+#define CKA_SUBPRIME 0x00000131
3366+#define CKA_BASE 0x00000132
3367+
3368+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
3369+#define CKA_PRIME_BITS 0x00000133
3370+#define CKA_SUBPRIME_BITS 0x00000134
3371+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
3372+/* (To retain backwards-compatibility) */
3373+
3374+#define CKA_VALUE_BITS 0x00000160
3375+#define CKA_VALUE_LEN 0x00000161
3376+
3377+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
3378+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
3379+ * and CKA_EC_POINT are new for v2.0 */
3380+#define CKA_EXTRACTABLE 0x00000162
3381+#define CKA_LOCAL 0x00000163
3382+#define CKA_NEVER_EXTRACTABLE 0x00000164
3383+#define CKA_ALWAYS_SENSITIVE 0x00000165
3384+
3385+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
3386+#define CKA_KEY_GEN_MECHANISM 0x00000166
3387+
3388+#define CKA_MODIFIABLE 0x00000170
3389+
3390+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
3391+ * CKA_EC_PARAMS is preferred. */
3392+#define CKA_ECDSA_PARAMS 0x00000180
3393+#define CKA_EC_PARAMS 0x00000180
3394+
3395+#define CKA_EC_POINT 0x00000181
3396+
3397+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
3398+ * are new for v2.10. Deprecated in v2.11 and onwards. */
3399+#define CKA_SECONDARY_AUTH 0x00000200
3400+#define CKA_AUTH_PIN_FLAGS 0x00000201
3401+
3402+/* CKA_ALWAYS_AUTHENTICATE ...
3403+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
3404+#define CKA_ALWAYS_AUTHENTICATE 0x00000202
3405+
3406+#define CKA_WRAP_WITH_TRUSTED 0x00000210
3407+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
3408+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
3409+
3410+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
3411+ * are new for v2.10 */
3412+#define CKA_HW_FEATURE_TYPE 0x00000300
3413+#define CKA_RESET_ON_INIT 0x00000301
3414+#define CKA_HAS_RESET 0x00000302
3415+
3416+/* The following attributes are new for v2.20 */
3417+#define CKA_PIXEL_X 0x00000400
3418+#define CKA_PIXEL_Y 0x00000401
3419+#define CKA_RESOLUTION 0x00000402
3420+#define CKA_CHAR_ROWS 0x00000403
3421+#define CKA_CHAR_COLUMNS 0x00000404
3422+#define CKA_COLOR 0x00000405
3423+#define CKA_BITS_PER_PIXEL 0x00000406
3424+#define CKA_CHAR_SETS 0x00000480
3425+#define CKA_ENCODING_METHODS 0x00000481
3426+#define CKA_MIME_TYPES 0x00000482
3427+#define CKA_MECHANISM_TYPE 0x00000500
3428+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
3429+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
3430+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
3431+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
3432+
3433+#define CKA_VENDOR_DEFINED 0x80000000
3434+
3435+
3436+/* CK_ATTRIBUTE is a structure that includes the type, length
3437+ * and value of an attribute */
3438+typedef struct CK_ATTRIBUTE {
3439+ CK_ATTRIBUTE_TYPE type;
3440+ CK_VOID_PTR pValue;
3441+
3442+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
3443+ CK_ULONG ulValueLen; /* in bytes */
3444+} CK_ATTRIBUTE;
3445+
3446+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
3447+
3448+
3449+/* CK_DATE is a structure that defines a date */
3450+typedef struct CK_DATE{
3451+ CK_CHAR year[4]; /* the year ("1900" - "9999") */
3452+ CK_CHAR month[2]; /* the month ("01" - "12") */
3453+ CK_CHAR day[2]; /* the day ("01" - "31") */
3454+} CK_DATE;
3455+
3456+
3457+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
3458+ * type */
3459+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
3460+ * v2.0 */
3461+typedef CK_ULONG CK_MECHANISM_TYPE;
3462+
3463+/* the following mechanism types are defined: */
3464+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
3465+#define CKM_RSA_PKCS 0x00000001
3466+#define CKM_RSA_9796 0x00000002
3467+#define CKM_RSA_X_509 0x00000003
3468+
3469+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
3470+ * are new for v2.0. They are mechanisms which hash and sign */
3471+#define CKM_MD2_RSA_PKCS 0x00000004
3472+#define CKM_MD5_RSA_PKCS 0x00000005
3473+#define CKM_SHA1_RSA_PKCS 0x00000006
3474+
3475+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
3476+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
3477+#define CKM_RIPEMD128_RSA_PKCS 0x00000007
3478+#define CKM_RIPEMD160_RSA_PKCS 0x00000008
3479+#define CKM_RSA_PKCS_OAEP 0x00000009
3480+
3481+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
3482+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
3483+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
3484+#define CKM_RSA_X9_31 0x0000000B
3485+#define CKM_SHA1_RSA_X9_31 0x0000000C
3486+#define CKM_RSA_PKCS_PSS 0x0000000D
3487+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
3488+
3489+#define CKM_DSA_KEY_PAIR_GEN 0x00000010
3490+#define CKM_DSA 0x00000011
3491+#define CKM_DSA_SHA1 0x00000012
3492+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
3493+#define CKM_DH_PKCS_DERIVE 0x00000021
3494+
3495+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
3496+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
3497+ * v2.11 */
3498+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
3499+#define CKM_X9_42_DH_DERIVE 0x00000031
3500+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
3501+#define CKM_X9_42_MQV_DERIVE 0x00000033
3502+
3503+/* CKM_SHA256/384/512 are new for v2.20 */
3504+#define CKM_SHA256_RSA_PKCS 0x00000040
3505+#define CKM_SHA384_RSA_PKCS 0x00000041
3506+#define CKM_SHA512_RSA_PKCS 0x00000042
3507+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
3508+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
3509+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
3510+
3511+#define CKM_RC2_KEY_GEN 0x00000100
3512+#define CKM_RC2_ECB 0x00000101
3513+#define CKM_RC2_CBC 0x00000102
3514+#define CKM_RC2_MAC 0x00000103
3515+
3516+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
3517+#define CKM_RC2_MAC_GENERAL 0x00000104
3518+#define CKM_RC2_CBC_PAD 0x00000105
3519+
3520+#define CKM_RC4_KEY_GEN 0x00000110
3521+#define CKM_RC4 0x00000111
3522+#define CKM_DES_KEY_GEN 0x00000120
3523+#define CKM_DES_ECB 0x00000121
3524+#define CKM_DES_CBC 0x00000122
3525+#define CKM_DES_MAC 0x00000123
3526+
3527+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
3528+#define CKM_DES_MAC_GENERAL 0x00000124
3529+#define CKM_DES_CBC_PAD 0x00000125
3530+
3531+#define CKM_DES2_KEY_GEN 0x00000130
3532+#define CKM_DES3_KEY_GEN 0x00000131
3533+#define CKM_DES3_ECB 0x00000132
3534+#define CKM_DES3_CBC 0x00000133
3535+#define CKM_DES3_MAC 0x00000134
3536+
3537+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
3538+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
3539+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
3540+#define CKM_DES3_MAC_GENERAL 0x00000135
3541+#define CKM_DES3_CBC_PAD 0x00000136
3542+#define CKM_CDMF_KEY_GEN 0x00000140
3543+#define CKM_CDMF_ECB 0x00000141
3544+#define CKM_CDMF_CBC 0x00000142
3545+#define CKM_CDMF_MAC 0x00000143
3546+#define CKM_CDMF_MAC_GENERAL 0x00000144
3547+#define CKM_CDMF_CBC_PAD 0x00000145
3548+
3549+/* the following four DES mechanisms are new for v2.20 */
3550+#define CKM_DES_OFB64 0x00000150
3551+#define CKM_DES_OFB8 0x00000151
3552+#define CKM_DES_CFB64 0x00000152
3553+#define CKM_DES_CFB8 0x00000153
3554+
3555+#define CKM_MD2 0x00000200
3556+
3557+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
3558+#define CKM_MD2_HMAC 0x00000201
3559+#define CKM_MD2_HMAC_GENERAL 0x00000202
3560+
3561+#define CKM_MD5 0x00000210
3562+
3563+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
3564+#define CKM_MD5_HMAC 0x00000211
3565+#define CKM_MD5_HMAC_GENERAL 0x00000212
3566+
3567+#define CKM_SHA_1 0x00000220
3568+
3569+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
3570+#define CKM_SHA_1_HMAC 0x00000221
3571+#define CKM_SHA_1_HMAC_GENERAL 0x00000222
3572+
3573+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
3574+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
3575+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
3576+#define CKM_RIPEMD128 0x00000230
3577+#define CKM_RIPEMD128_HMAC 0x00000231
3578+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
3579+#define CKM_RIPEMD160 0x00000240
3580+#define CKM_RIPEMD160_HMAC 0x00000241
3581+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
3582+
3583+/* CKM_SHA256/384/512 are new for v2.20 */
3584+#define CKM_SHA256 0x00000250
3585+#define CKM_SHA256_HMAC 0x00000251
3586+#define CKM_SHA256_HMAC_GENERAL 0x00000252
3587+#define CKM_SHA384 0x00000260
3588+#define CKM_SHA384_HMAC 0x00000261
3589+#define CKM_SHA384_HMAC_GENERAL 0x00000262
3590+#define CKM_SHA512 0x00000270
3591+#define CKM_SHA512_HMAC 0x00000271
3592+#define CKM_SHA512_HMAC_GENERAL 0x00000272
3593+
3594+/* All of the following mechanisms are new for v2.0 */
3595+/* Note that CAST128 and CAST5 are the same algorithm */
3596+#define CKM_CAST_KEY_GEN 0x00000300
3597+#define CKM_CAST_ECB 0x00000301
3598+#define CKM_CAST_CBC 0x00000302
3599+#define CKM_CAST_MAC 0x00000303
3600+#define CKM_CAST_MAC_GENERAL 0x00000304
3601+#define CKM_CAST_CBC_PAD 0x00000305
3602+#define CKM_CAST3_KEY_GEN 0x00000310
3603+#define CKM_CAST3_ECB 0x00000311
3604+#define CKM_CAST3_CBC 0x00000312
3605+#define CKM_CAST3_MAC 0x00000313
3606+#define CKM_CAST3_MAC_GENERAL 0x00000314
3607+#define CKM_CAST3_CBC_PAD 0x00000315
3608+#define CKM_CAST5_KEY_GEN 0x00000320
3609+#define CKM_CAST128_KEY_GEN 0x00000320
3610+#define CKM_CAST5_ECB 0x00000321
3611+#define CKM_CAST128_ECB 0x00000321
3612+#define CKM_CAST5_CBC 0x00000322
3613+#define CKM_CAST128_CBC 0x00000322
3614+#define CKM_CAST5_MAC 0x00000323
3615+#define CKM_CAST128_MAC 0x00000323
3616+#define CKM_CAST5_MAC_GENERAL 0x00000324
3617+#define CKM_CAST128_MAC_GENERAL 0x00000324
3618+#define CKM_CAST5_CBC_PAD 0x00000325
3619+#define CKM_CAST128_CBC_PAD 0x00000325
3620+#define CKM_RC5_KEY_GEN 0x00000330
3621+#define CKM_RC5_ECB 0x00000331
3622+#define CKM_RC5_CBC 0x00000332
3623+#define CKM_RC5_MAC 0x00000333
3624+#define CKM_RC5_MAC_GENERAL 0x00000334
3625+#define CKM_RC5_CBC_PAD 0x00000335
3626+#define CKM_IDEA_KEY_GEN 0x00000340
3627+#define CKM_IDEA_ECB 0x00000341
3628+#define CKM_IDEA_CBC 0x00000342
3629+#define CKM_IDEA_MAC 0x00000343
3630+#define CKM_IDEA_MAC_GENERAL 0x00000344
3631+#define CKM_IDEA_CBC_PAD 0x00000345
3632+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
3633+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
3634+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
3635+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
3636+#define CKM_XOR_BASE_AND_DATA 0x00000364
3637+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
3638+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
3639+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
3640+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
3641+
3642+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
3643+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
3644+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
3645+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
3646+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
3647+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
3648+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
3649+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
3650+
3651+/* CKM_TLS_PRF is new for v2.20 */
3652+#define CKM_TLS_PRF 0x00000378
3653+
3654+#define CKM_SSL3_MD5_MAC 0x00000380
3655+#define CKM_SSL3_SHA1_MAC 0x00000381
3656+#define CKM_MD5_KEY_DERIVATION 0x00000390
3657+#define CKM_MD2_KEY_DERIVATION 0x00000391
3658+#define CKM_SHA1_KEY_DERIVATION 0x00000392
3659+
3660+/* CKM_SHA256/384/512 are new for v2.20 */
3661+#define CKM_SHA256_KEY_DERIVATION 0x00000393
3662+#define CKM_SHA384_KEY_DERIVATION 0x00000394
3663+#define CKM_SHA512_KEY_DERIVATION 0x00000395
3664+
3665+#define CKM_PBE_MD2_DES_CBC 0x000003A0
3666+#define CKM_PBE_MD5_DES_CBC 0x000003A1
3667+#define CKM_PBE_MD5_CAST_CBC 0x000003A2
3668+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
3669+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
3670+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
3671+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
3672+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
3673+#define CKM_PBE_SHA1_RC4_128 0x000003A6
3674+#define CKM_PBE_SHA1_RC4_40 0x000003A7
3675+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
3676+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
3677+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
3678+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
3679+
3680+/* CKM_PKCS5_PBKD2 is new for v2.10 */
3681+#define CKM_PKCS5_PBKD2 0x000003B0
3682+
3683+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
3684+
3685+/* WTLS mechanisms are new for v2.20 */
3686+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
3687+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
3688+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
3689+#define CKM_WTLS_PRF 0x000003D3
3690+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
3691+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
3692+
3693+#define CKM_KEY_WRAP_LYNKS 0x00000400
3694+#define CKM_KEY_WRAP_SET_OAEP 0x00000401
3695+
3696+/* CKM_CMS_SIG is new for v2.20 */
3697+#define CKM_CMS_SIG 0x00000500
3698+
3699+/* Fortezza mechanisms */
3700+#define CKM_SKIPJACK_KEY_GEN 0x00001000
3701+#define CKM_SKIPJACK_ECB64 0x00001001
3702+#define CKM_SKIPJACK_CBC64 0x00001002
3703+#define CKM_SKIPJACK_OFB64 0x00001003
3704+#define CKM_SKIPJACK_CFB64 0x00001004
3705+#define CKM_SKIPJACK_CFB32 0x00001005
3706+#define CKM_SKIPJACK_CFB16 0x00001006
3707+#define CKM_SKIPJACK_CFB8 0x00001007
3708+#define CKM_SKIPJACK_WRAP 0x00001008
3709+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
3710+#define CKM_SKIPJACK_RELAYX 0x0000100a
3711+#define CKM_KEA_KEY_PAIR_GEN 0x00001010
3712+#define CKM_KEA_KEY_DERIVE 0x00001011
3713+#define CKM_FORTEZZA_TIMESTAMP 0x00001020
3714+#define CKM_BATON_KEY_GEN 0x00001030
3715+#define CKM_BATON_ECB128 0x00001031
3716+#define CKM_BATON_ECB96 0x00001032
3717+#define CKM_BATON_CBC128 0x00001033
3718+#define CKM_BATON_COUNTER 0x00001034
3719+#define CKM_BATON_SHUFFLE 0x00001035
3720+#define CKM_BATON_WRAP 0x00001036
3721+
3722+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
3723+ * CKM_EC_KEY_PAIR_GEN is preferred */
3724+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
3725+#define CKM_EC_KEY_PAIR_GEN 0x00001040
3726+
3727+#define CKM_ECDSA 0x00001041
3728+#define CKM_ECDSA_SHA1 0x00001042
3729+
3730+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
3731+ * are new for v2.11 */
3732+#define CKM_ECDH1_DERIVE 0x00001050
3733+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
3734+#define CKM_ECMQV_DERIVE 0x00001052
3735+
3736+#define CKM_JUNIPER_KEY_GEN 0x00001060
3737+#define CKM_JUNIPER_ECB128 0x00001061
3738+#define CKM_JUNIPER_CBC128 0x00001062
3739+#define CKM_JUNIPER_COUNTER 0x00001063
3740+#define CKM_JUNIPER_SHUFFLE 0x00001064
3741+#define CKM_JUNIPER_WRAP 0x00001065
3742+#define CKM_FASTHASH 0x00001070
3743+
3744+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
3745+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
3746+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
3747+ * new for v2.11 */
3748+#define CKM_AES_KEY_GEN 0x00001080
3749+#define CKM_AES_ECB 0x00001081
3750+#define CKM_AES_CBC 0x00001082
3751+#define CKM_AES_MAC 0x00001083
3752+#define CKM_AES_MAC_GENERAL 0x00001084
3753+#define CKM_AES_CBC_PAD 0x00001085
3754+
3755+/* BlowFish and TwoFish are new for v2.20 */
3756+#define CKM_BLOWFISH_KEY_GEN 0x00001090
3757+#define CKM_BLOWFISH_CBC 0x00001091
3758+#define CKM_TWOFISH_KEY_GEN 0x00001092
3759+#define CKM_TWOFISH_CBC 0x00001093
3760+
3761+
3762+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
3763+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
3764+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
3765+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
3766+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
3767+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
3768+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
3769+
3770+#define CKM_DSA_PARAMETER_GEN 0x00002000
3771+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
3772+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
3773+
3774+#define CKM_VENDOR_DEFINED 0x80000000
3775+
3776+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
3777+
3778+
3779+/* CK_MECHANISM is a structure that specifies a particular
3780+ * mechanism */
3781+typedef struct CK_MECHANISM {
3782+ CK_MECHANISM_TYPE mechanism;
3783+ CK_VOID_PTR pParameter;
3784+
3785+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
3786+ * v2.0 */
3787+ CK_ULONG ulParameterLen; /* in bytes */
3788+} CK_MECHANISM;
3789+
3790+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
3791+
3792+
3793+/* CK_MECHANISM_INFO provides information about a particular
3794+ * mechanism */
3795+typedef struct CK_MECHANISM_INFO {
3796+ CK_ULONG ulMinKeySize;
3797+ CK_ULONG ulMaxKeySize;
3798+ CK_FLAGS flags;
3799+} CK_MECHANISM_INFO;
3800+
3801+/* The flags are defined as follows:
3802+ * Bit Flag Mask Meaning */
3803+#define CKF_HW 0x00000001 /* performed by HW */
3804+
3805+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
3806+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
3807+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
3808+ * and CKF_DERIVE are new for v2.0. They specify whether or not
3809+ * a mechanism can be used for a particular task */
3810+#define CKF_ENCRYPT 0x00000100
3811+#define CKF_DECRYPT 0x00000200
3812+#define CKF_DIGEST 0x00000400
3813+#define CKF_SIGN 0x00000800
3814+#define CKF_SIGN_RECOVER 0x00001000
3815+#define CKF_VERIFY 0x00002000
3816+#define CKF_VERIFY_RECOVER 0x00004000
3817+#define CKF_GENERATE 0x00008000
3818+#define CKF_GENERATE_KEY_PAIR 0x00010000
3819+#define CKF_WRAP 0x00020000
3820+#define CKF_UNWRAP 0x00040000
3821+#define CKF_DERIVE 0x00080000
3822+
3823+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
3824+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
3825+ * describe a token's EC capabilities not available in mechanism
3826+ * information. */
3827+#define CKF_EC_F_P 0x00100000
3828+#define CKF_EC_F_2M 0x00200000
3829+#define CKF_EC_ECPARAMETERS 0x00400000
3830+#define CKF_EC_NAMEDCURVE 0x00800000
3831+#define CKF_EC_UNCOMPRESS 0x01000000
3832+#define CKF_EC_COMPRESS 0x02000000
3833+
3834+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
3835+
3836+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
3837+
3838+
3839+/* CK_RV is a value that identifies the return value of a
3840+ * Cryptoki function */
3841+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
3842+typedef CK_ULONG CK_RV;
3843+
3844+#define CKR_OK 0x00000000
3845+#define CKR_CANCEL 0x00000001