scummvm random work
[patches.git] / openssh-4.4p1pkcs11-0.17.patch
1 diff -urNp openssh-4.4p1/authfd.c openssh-4.4p1+pkcs11-0.17/authfd.c
2 --- openssh-4.4p1/authfd.c 2006-09-01 08:38:36.000000000 +0300
3 +++ openssh-4.4p1+pkcs11-0.17/authfd.c 2006-10-12 13:59:59.000000000 +0200
4 @@ -669,3 +669,79 @@ decode_reply(int type)
5 /* NOTREACHED */
6 return 0;
7 }
8 +
9 +#ifndef SSH_PKCS11_DISABLED
10 +
11 +int
12 +ssh_pkcs11_add_provider (AuthenticationConnection *auth, const char *provider,
13 + int protected_authentication, const char *sign_mode, int cert_private)
14 +{
15 + Buffer msg;
16 + int type;
17 + int code;
18 +
19 + code = SSH_AGENTC_PKCS11_ADD_PROVIDER;
20 +
21 + buffer_init(&msg);
22 + buffer_put_char(&msg, code);
23 + buffer_put_cstring(&msg, provider);
24 + buffer_put_int(&msg, protected_authentication);
25 + buffer_put_cstring(&msg, sign_mode == NULL ? "auto" : sign_mode);
26 + buffer_put_int(&msg, cert_private);
27 +
28 + if (ssh_request_reply(auth, &msg, &msg) == 0) {
29 + buffer_free(&msg);
30 + return 0;
31 + }
32 + type = buffer_get_char(&msg);
33 + buffer_free(&msg);
34 + return decode_reply(type);
35 +}
36 +
37 +int
38 +ssh_pkcs11_id (AuthenticationConnection *auth, const pkcs11_identity *id, int remove)
39 +{
40 + Buffer msg;
41 + int type;
42 + int code;
43 +
44 + code = remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID;
45 +
46 + buffer_init(&msg);
47 + buffer_put_char(&msg, code);
48 + buffer_put_cstring(&msg, id->id);
49 + buffer_put_int(&msg, id->pin_cache_period);
50 + buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
51 +
52 + if (ssh_request_reply(auth, &msg, &msg) == 0) {
53 + buffer_free(&msg);
54 + return 0;
55 + }
56 + type = buffer_get_char(&msg);
57 + buffer_free(&msg);
58 + return decode_reply(type);
59 +}
60 +
61 +int
62 +ssh_pkcs11_set_ask_pin (AuthenticationConnection *auth, const char *pin_prog)
63 +{
64 + Buffer msg;
65 + int type;
66 + int code;
67 +
68 + code = SSH_AGENTC_PKCS11_SET_ASK_PIN;
69 +
70 + buffer_init(&msg);
71 + buffer_put_char(&msg, code);
72 + buffer_put_cstring(&msg, pin_prog);
73 +
74 + if (ssh_request_reply(auth, &msg, &msg) == 0) {
75 + buffer_free(&msg);
76 + return 0;
77 + }
78 + type = buffer_get_char(&msg);
79 + buffer_free(&msg);
80 + return decode_reply(type);
81 +}
82 +
83 +#endif /* SSH_PKCS11_DISABLED */
84 diff -urNp openssh-4.4p1/authfd.h openssh-4.4p1+pkcs11-0.17/authfd.h
85 --- openssh-4.4p1/authfd.h 2006-08-05 05:39:39.000000000 +0300
86 +++ openssh-4.4p1+pkcs11-0.17/authfd.h 2006-10-12 13:57:49.000000000 +0200
87 @@ -16,6 +16,8 @@
88 #ifndef AUTHFD_H
89 #define AUTHFD_H
90
91 +#include "pkcs11.h"
92 +
93 /* Messages for the authentication agent connection. */
94 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
95 #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
96 @@ -49,6 +51,11 @@
97 #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
98 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
99
100 +#define SSH_AGENTC_PKCS11_ADD_PROVIDER 27
101 +#define SSH_AGENTC_PKCS11_ADD_ID 28
102 +#define SSH_AGENTC_PKCS11_REMOVE_ID 29
103 +#define SSH_AGENTC_PKCS11_SET_ASK_PIN 30
104 +
105 #define SSH_AGENT_CONSTRAIN_LIFETIME 1
106 #define SSH_AGENT_CONSTRAIN_CONFIRM 2
107
108 @@ -92,4 +99,11 @@ int
109 ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
110 u_int);
111
112 +#ifndef SSH_PKCS11_DISABLED
113 +int ssh_pkcs11_add_provider (AuthenticationConnection *, const char *,
114 + int, const char *, int);
115 +int ssh_pkcs11_id (AuthenticationConnection *, const pkcs11_identity *, int remove);
116 +int ssh_pkcs11_set_ask_pin (AuthenticationConnection *, const char *);
117 +#endif /* SSH_PKCS11_DISABLED */
118 +
119 #endif /* AUTHFD_H */
120 diff -urNp openssh-4.4p1/ChangeLog.pkcs11 openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11
121 --- openssh-4.4p1/ChangeLog.pkcs11 1970-01-01 02:00:00.000000000 +0200
122 +++ openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11 2006-10-23 17:36:52.000000000 +0200
123 @@ -0,0 +1,49 @@
124 +20061023
125 + - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
126 + - (alonbl) Release 0.17
127 +
128 +20061020
129 + - (alonbl) Major modification of ssh-add command-line parameters.
130 + Now, a complete serialized certificate needs to be specified, this
131 + in order to allow people to add id without forcing card to be available.
132 + But to allow complete silent addition a certificate file also needed.
133 + --pkcs11-show-ids is used in order to get a list of resources.
134 + --pkcs11-add-id --pkcs11-id <serialized id> \
135 + [--pkcs11-cert-file <cert_file>]
136 + - (alonbl) PKCS#11 release 0.16
137 +
138 +20061012
139 + - (alonbl) OpenSC bug workaround.
140 + - (alonbl) PKCS#11 release 0.15
141 +
142 +20060930
143 + - (alonbl) Some pkcs11-helper updates.
144 + - (alonbl) Rebase against 4.4p1.
145 + - (alonbl) PKCS#11 release 0.14
146 +
147 +20060709
148 + - (alonbl) PKCS#11 fixed handling multiproviders.
149 + - (alonbl) PKCS#11 release 0.13
150 +
151 +20060608
152 + - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing
153 + ssh-rsa id.
154 + - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument.
155 + - (alonbl) PKCS#11 release 0.12
156 +
157 +20060527
158 + - (alonbl) PKCS#11 fix issues with gcc-2
159 + - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version.
160 + - (alonbl) PKCS#11 modified to match X.509-5.4 patch.
161 + - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out
162 + of X.509 certificate.
163 + - (alonbl) PKCS#11 release 0.11
164 +
165 +20060419
166 + - (alonbl) PKCS#11 fix handling empty attributes.
167 + - (alonbl) PKCS#11 release 0.10
168 +
169 +20060404
170 + - (alonbl) PKCS#11 code sync.
171 + - (alonbl) PKCS#11 release 0.09
172 +
173 diff -urNp openssh-4.4p1/config.h.in openssh-4.4p1+pkcs11-0.17/config.h.in
174 --- openssh-4.4p1/config.h.in 2006-09-26 14:03:33.000000000 +0300
175 +++ openssh-4.4p1+pkcs11-0.17/config.h.in 2006-09-28 16:31:03.000000000 +0300
176 @@ -1217,6 +1217,12 @@
177 /* Use audit debugging module */
178 #undef SSH_AUDIT_EVENTS
179
180 +/* Define if you don't want use PKCS#11 */
181 +#undef SSH_PKCS11_DISABLED
182 +
183 +/* Define if you don't want use X509 with PKCS#11 */
184 +#undef SSH_PKCS11_X509_DISABLED
185 +
186 /* non-privileged user for privilege separation */
187 #undef SSH_PRIVSEP_USER
188
189 diff -urNp openssh-4.4p1/configure openssh-4.4p1+pkcs11-0.17/configure
190 --- openssh-4.4p1/configure 2006-09-26 14:03:41.000000000 +0300
191 +++ openssh-4.4p1+pkcs11-0.17/configure 2006-09-28 16:33:53.000000000 +0300
192 @@ -1307,6 +1307,7 @@ Optional Features:
193 --disable-libutil disable use of libutil (login() etc.) no
194 --disable-pututline disable use of pututline() etc. (uwtmp) no
195 --disable-pututxline disable use of pututxline() etc. (uwtmpx) no
196 + --disable-pkcs11 Disable PKCS#11 support
197
198 Optional Packages:
199 --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
200 @@ -32163,6 +32164,33 @@ if test ! -z "$blibpath" ; then
201 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
202 fi
203
204 +ssh_pkcs11="yes"
205 +ssh_pkcs11_x509="yes"
206 +# Check whether --enable-pkcs11 was given.
207 +if test "${enable_pkcs11+set}" = set; then
208 + enableval=$enable_pkcs11;
209 + if test "x$enableval" = "xno"; then
210 + ssh_pkcs11="no"
211 + fi
212 +
213 +
214 +fi
215 +
216 +if test "x$ssh_pkcs11" = "xno"; then
217 +
218 +cat >>confdefs.h <<_ACEOF
219 +#define SSH_PKCS11_DISABLED 1
220 +_ACEOF
221 +
222 +fi
223 +if test "x$ssh_x509" = "x"; then
224 +
225 +cat >>confdefs.h <<_ACEOF
226 +#define SSH_PKCS11_X509_DISABLED 1
227 +_ACEOF
228 +
229 +fi
230 +
231 CFLAGS="$CFLAGS $werror_flags"
232
233
234 @@ -33415,6 +33443,7 @@ echo " IP address in \$DISPLAY hac
235 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
236 echo " BSD Auth support: $BSD_AUTH_MSG"
237 echo " Random number source: $RAND_MSG"
238 +echo " PKCS#11 support: $ssh_pkcs11"
239 if test ! -z "$USE_RAND_HELPER" ; then
240 echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
241 fi
242 diff -urNp openssh-4.4p1/configure.ac openssh-4.4p1+pkcs11-0.17/configure.ac
243 --- openssh-4.4p1/configure.ac 2006-09-24 22:08:59.000000000 +0300
244 +++ openssh-4.4p1+pkcs11-0.17/configure.ac 2006-09-28 08:05:35.000000000 +0300
245 @@ -3912,6 +3912,27 @@ if test ! -z "$blibpath" ; then
246 AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
247 fi
248
249 +ssh_pkcs11="yes"
250 +ssh_pkcs11_x509="yes"
251 +AC_ARG_ENABLE(pkcs11,
252 + [ --disable-pkcs11 Disable PKCS#11 support],
253 + [
254 + if test "x$enableval" = "xno"; then
255 + ssh_pkcs11="no"
256 + fi
257 + ]
258 +)
259 +if test "x$ssh_pkcs11" = "xno"; then
260 + AC_DEFINE_UNQUOTED(
261 + SSH_PKCS11_DISABLED, 1,
262 + [Define if you don't want use PKCS#11])
263 +fi
264 +if test "x$ssh_x509" = "x"; then
265 + AC_DEFINE_UNQUOTED(
266 + SSH_PKCS11_X509_DISABLED, 1,
267 + [Define if you don't want use X509 with PKCS#11])
268 +fi
269 +
270 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
271 dnl Add now.
272 CFLAGS="$CFLAGS $werror_flags"
273 @@ -3973,6 +3994,7 @@ echo " IP address in \$DISPLAY hac
274 echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
275 echo " BSD Auth support: $BSD_AUTH_MSG"
276 echo " Random number source: $RAND_MSG"
277 +echo " PKCS#11 support: $ssh_pkcs11"
278 if test ! -z "$USE_RAND_HELPER" ; then
279 echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
280 fi
281 diff -urNp openssh-4.4p1/cryptoki.h openssh-4.4p1+pkcs11-0.17/cryptoki.h
282 --- openssh-4.4p1/cryptoki.h 1970-01-01 02:00:00.000000000 +0200
283 +++ openssh-4.4p1+pkcs11-0.17/cryptoki.h 2006-09-28 08:05:35.000000000 +0300
284 @@ -0,0 +1,35 @@
285 +/* cryptoki.h include file for PKCS #11. */
286 +/* $Revision: 1.4 $ */
287 +
288 +/* License to copy and use this software is granted provided that it is
289 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
290 + * (Cryptoki)" in all material mentioning or referencing this software.
291 +
292 + * License is also granted to make and use derivative works provided that
293 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
294 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
295 + * referencing the derived work.
296 +
297 + * RSA Security Inc. makes no representations concerning either the
298 + * merchantability of this software or the suitability of this software for
299 + * any particular purpose. It is provided "as is" without express or implied
300 + * warranty of any kind.
301 + */
302 +
303 +#ifndef ___CRYPTOKI_H_INC___
304 +#define ___CRYPTOKI_H_INC___
305 +
306 +#define CK_PTR *
307 +
308 +#define CK_DEFINE_FUNCTION(returnType, name) returnType name
309 +#define CK_DECLARE_FUNCTION(returnType, name) returnType name
310 +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
311 +#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
312 +
313 +#ifndef NULL_PTR
314 +#define NULL_PTR 0
315 +#endif
316 +
317 +#include "pkcs11-headers/pkcs11.h"
318 +
319 +#endif /* ___CRYPTOKI_H_INC___ */
320 diff -urNp openssh-4.4p1/cryptoki-win32.h openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h
321 --- openssh-4.4p1/cryptoki-win32.h 1970-01-01 02:00:00.000000000 +0200
322 +++ openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h 2006-09-28 08:05:35.000000000 +0300
323 @@ -0,0 +1,66 @@
324 +/* cryptoki.h include file for PKCS #11. */
325 +/* $Revision: 1.4 $ */
326 +
327 +/* License to copy and use this software is granted provided that it is
328 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
329 + * (Cryptoki)" in all material mentioning or referencing this software.
330 +
331 + * License is also granted to make and use derivative works provided that
332 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
333 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
334 + * referencing the derived work.
335 +
336 + * RSA Security Inc. makes no representations concerning either the
337 + * merchantability of this software or the suitability of this software for
338 + * any particular purpose. It is provided "as is" without express or implied
339 + * warranty of any kind.
340 + */
341 +
342 +/* This is a sample file containing the top level include directives
343 + * for building Win32 Cryptoki libraries and applications.
344 + */
345 +
346 +#ifndef ___CRYPTOKI_H_INC___
347 +#define ___CRYPTOKI_H_INC___
348 +
349 +#pragma pack(push, cryptoki, 1)
350 +
351 +/* Specifies that the function is a DLL entry point. */
352 +#define CK_IMPORT_SPEC __declspec(dllimport)
353 +
354 +/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
355 + * not define it in applications.
356 + */
357 +#ifdef CRYPTOKI_EXPORTS
358 +/* Specified that the function is an exported DLL entry point. */
359 +#define CK_EXPORT_SPEC __declspec(dllexport)
360 +#else
361 +#define CK_EXPORT_SPEC CK_IMPORT_SPEC
362 +#endif
363 +
364 +/* Ensures the calling convention for Win32 builds */
365 +#define CK_CALL_SPEC __cdecl
366 +
367 +#define CK_PTR *
368 +
369 +#define CK_DEFINE_FUNCTION(returnType, name) \
370 + returnType CK_EXPORT_SPEC CK_CALL_SPEC name
371 +
372 +#define CK_DECLARE_FUNCTION(returnType, name) \
373 + returnType CK_EXPORT_SPEC CK_CALL_SPEC name
374 +
375 +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
376 + returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
377 +
378 +#define CK_CALLBACK_FUNCTION(returnType, name) \
379 + returnType (CK_CALL_SPEC CK_PTR name)
380 +
381 +#ifndef NULL_PTR
382 +#define NULL_PTR 0
383 +#endif
384 +
385 +#include "pkcs11-headers/pkcs11.h"
386 +
387 +#pragma pack(pop, cryptoki)
388 +
389 +#endif /* ___CRYPTOKI_H_INC___ */
390 diff -urNp openssh-4.4p1/LICENCE openssh-4.4p1+pkcs11-0.17/LICENCE
391 --- openssh-4.4p1/LICENCE 2006-08-30 20:24:41.000000000 +0300
392 +++ openssh-4.4p1+pkcs11-0.17/LICENCE 2006-09-28 08:05:35.000000000 +0300
393 @@ -332,6 +332,9 @@ OpenSSH contains no GPL code.
394 * authorization. *
395 ****************************************************************************/
396
397 + d) PKCS #11: Cryptographic Token Interface Standard
398 +
399 + This software uses RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
400
401 ------
402 $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
403 diff -urNp openssh-4.4p1/Makefile.in openssh-4.4p1+pkcs11-0.17/Makefile.in
404 --- openssh-4.4p1/Makefile.in 2006-09-12 14:54:10.000000000 +0300
405 +++ openssh-4.4p1+pkcs11-0.17/Makefile.in 2006-09-28 08:05:35.000000000 +0300
406 @@ -66,6 +66,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
407
408 LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
409 canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
410 + pkcs11.o pkcs11-helper.o \
411 cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
412 compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
413 log.o match.o md-sha256.o moduli.o nchan.o packet.o \
414 diff -urNp openssh-4.4p1/pkcs11.c openssh-4.4p1+pkcs11-0.17/pkcs11.c
415 --- openssh-4.4p1/pkcs11.c 1970-01-01 02:00:00.000000000 +0200
416 +++ openssh-4.4p1+pkcs11-0.17/pkcs11.c 2006-10-23 17:35:54.000000000 +0200
417 @@ -0,0 +1,1139 @@
418 +/*
419 + * Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
420 + *
421 + * Redistribution and use in source and binary forms, with or without
422 + * modification, are permitted provided that the following conditions
423 + * are met:
424 + * 1. Redistributions of source code must retain the above copyright
425 + * notice, this list of conditions and the following disclaimer.
426 + * 2. Redistributions in binary form must reproduce the above copyright
427 + * notice, this list of conditions and the following disclaimer in the
428 + * documentation and/or other materials provided with the distribution.
429 + *
430 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
431 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
432 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
433 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
434 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
435 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
436 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
437 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
438 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
439 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
440 + */
441 +
442 +/*
443 + * The routines in this file deal with providing private key cryptography
444 + * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
445 + *
446 + */
447 +
448 +#include "includes.h"
449 +#include <sys/wait.h>
450 +#include <errno.h>
451 +
452 +#if !defined(SSH_PKCS11_DISABLED)
453 +
454 +#include "pkcs11-helper.h"
455 +#include "pkcs11.h"
456 +#include "openssl/pem.h"
457 +#include "misc.h"
458 +
459 +static
460 +char *
461 +ssh_from_x509 (X509 *x509);
462 +
463 +static char *s_szSetPINProg = NULL;
464 +
465 +static
466 +unsigned
467 +_pkcs11_msg_pkcs112openssh (
468 + IN const unsigned flags
469 +) {
470 + unsigned openssh_flags;
471 +
472 + switch (flags) {
473 + case PKCS11H_LOG_DEBUG2:
474 + openssh_flags = SYSLOG_LEVEL_DEBUG3;
475 + break;
476 + case PKCS11H_LOG_DEBUG1:
477 + openssh_flags = SYSLOG_LEVEL_DEBUG2;
478 + break;
479 + case PKCS11H_LOG_INFO:
480 + openssh_flags = SYSLOG_LEVEL_INFO;
481 + break;
482 + case PKCS11H_LOG_WARN:
483 + openssh_flags = SYSLOG_LEVEL_ERROR;
484 + break;
485 + case PKCS11H_LOG_ERROR:
486 + openssh_flags = SYSLOG_LEVEL_FATAL;
487 + break;
488 + default:
489 + openssh_flags = SYSLOG_LEVEL_FATAL;
490 + break;
491 + }
492 +
493 + return openssh_flags;
494 +}
495 +
496 +static
497 +unsigned
498 +_pkcs11_msg_openssh2pkcs11 (
499 + IN const unsigned flags
500 +) {
501 + unsigned pkcs11_flags;
502 +
503 + switch (flags) {
504 + case SYSLOG_LEVEL_DEBUG3:
505 + pkcs11_flags = PKCS11H_LOG_DEBUG2;
506 + break;
507 + case SYSLOG_LEVEL_DEBUG2:
508 + pkcs11_flags = PKCS11H_LOG_DEBUG1;
509 + break;
510 + case SYSLOG_LEVEL_INFO:
511 + pkcs11_flags = PKCS11H_LOG_INFO;
512 + break;
513 + case SYSLOG_LEVEL_ERROR:
514 + pkcs11_flags = PKCS11H_LOG_WARN;
515 + break;
516 + case SYSLOG_LEVEL_FATAL:
517 + pkcs11_flags = PKCS11H_LOG_ERROR;
518 + break;
519 + default:
520 + pkcs11_flags = PKCS11H_LOG_ERROR;
521 + break;
522 + }
523 +
524 + return pkcs11_flags;
525 +}
526 +
527 +static
528 +void
529 +_pkcs11_openssh_log (
530 + IN void * const pData,
531 + IN unsigned flags,
532 + IN const char * const szFormat,
533 + IN va_list args
534 +) {
535 + do_log (_pkcs11_msg_pkcs112openssh (flags), szFormat, args);
536 +}
537 +
538 +static
539 +int
540 +_pkcs11_ssh_prompt (
541 + IN const char * const szType,
542 + IN const char * const szPrompt,
543 + OUT char * const szInput,
544 + IN const int nMaxInput
545 +) {
546 + pid_t pid = -1;
547 + int fds[2] = {-1, -1};
548 + int fOK = TRUE;
549 +
550 + /*
551 + * Make sure we don't reuse PIN
552 + */
553 + if (fOK) {
554 + memset (szInput, 0, nMaxInput);
555 + }
556 +
557 + if (fOK && s_szSetPINProg == NULL) {
558 + fOK = FALSE;
559 + }
560 +
561 + if (fOK && pipe (fds) == -1) {
562 + fOK = FALSE;
563 + }
564 +
565 + if (fOK && (pid = fork ()) == -1) {
566 + fOK = FALSE;
567 + }
568 +
569 + if (fOK) {
570 + if (pid == 0) {
571 + close (fds[0]);
572 + fds[0] = -1;
573 +
574 + if (fOK && dup2 (fds[1], 1) == -1) {
575 + fOK = FALSE;
576 + }
577 + if (fOK) {
578 + close (fds[1]);
579 + fds[1] = -1;
580 + }
581 +
582 + if (fOK) {
583 + execl (
584 + s_szSetPINProg,
585 + s_szSetPINProg,
586 + "-t",
587 + szType,
588 + szPrompt,
589 + NULL
590 + );
591 + }
592 +
593 + exit (1);
594 + }
595 + else {
596 + int status;
597 + int r = 0;
598 +
599 + close (fds[1]);
600 + fds[1] = -1;
601 +
602 + if (fOK) {
603 + while (
604 + (r=waitpid (pid, &status, 0)) == 0 ||
605 + (r == -1 && errno == EINTR)
606 + );
607 +
608 + if (r == -1) {
609 + fOK = FALSE;
610 + }
611 + }
612 +
613 + if (fOK && !WIFEXITED (status)) {
614 + fOK = FALSE;
615 + }
616 +
617 + if (fOK && WEXITSTATUS (status) != 0) {
618 + fOK = FALSE;
619 + }
620 +
621 + if (fOK) {
622 + if (!strcmp (szType, "password")) {
623 + if ((r = read (fds[0], szInput, nMaxInput)) == -1) {
624 + fOK = FALSE;
625 + r = 0;
626 + }
627 + }
628 + else {
629 + r = 0;
630 + }
631 + szInput[r] = '\0';
632 + }
633 +
634 + if (fOK) {
635 + if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\n') {
636 + szInput[strlen (szInput)-1] = '\0';
637 + }
638 + /*
639 + * for DOS compatability
640 + */
641 + if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\r') {
642 + szInput[strlen (szInput)-1] = '\0';
643 + }
644 + }
645 + }
646 + }
647 +
648 + if (fds[0] != -1) {
649 + close (fds[0]);
650 + fds[0] = -1;
651 + }
652 +
653 + if (fds[1] != -1) {
654 + close (fds[1]);
655 + fds[1] = -1;
656 + }
657 +
658 + return fOK;
659 +}
660 +
661 +static
662 +void
663 +_pkcs11_ssh_print (
664 + IN void * const pData,
665 + IN const char * const szFormat,
666 + IN ...
667 +) {
668 + va_list args;
669 +
670 + va_start (args, szFormat);
671 + vprintf (szFormat, args);
672 + va_end (args);
673 +}
674 +
675 +static
676 +PKCS11H_BOOL
677 +_pkcs11_ssh_token_prompt (
678 + IN void * const pData1,
679 + IN void * const pData2,
680 + IN const pkcs11h_token_id_t token,
681 + IN const unsigned retry
682 +) {
683 + char szPrompt[1024];
684 + char szPIN[1024];
685 +
686 + snprintf (szPrompt, sizeof (szPrompt), "Please insert token '%s' or cancel", token->display);
687 + return _pkcs11_ssh_prompt ("okcancel", szPrompt, szPIN, sizeof (szPIN));
688 +}
689 +
690 +static
691 +PKCS11H_BOOL
692 +_pkcs11_ssh_pin_prompt (
693 + IN void * const pData1,
694 + IN void * const pData2,
695 + IN const pkcs11h_token_id_t token,
696 + IN const unsigned retry,
697 + OUT char * const szPIN,
698 + IN const size_t nMaxPIN
699 +) {
700 + char szPrompt[1024];
701 +
702 + snprintf (szPrompt, sizeof (szPrompt), "Please enter PIN for token '%s'", token->display);
703 + return _pkcs11_ssh_prompt ("password", szPrompt, szPIN, nMaxPIN);
704 +}
705 +
706 +static
707 +PKCS11H_BOOL
708 +_pkcs11_ssh_pin_prompt_cli (
709 + IN void * const pData1,
710 + IN void * const pData2,
711 + IN const pkcs11h_token_id_t token,
712 + IN const unsigned retry,
713 + OUT char * const szPIN,
714 + IN const size_t nMaxPIN
715 +) {
716 + char szPrompt[1024];
717 + snprintf (szPrompt, sizeof (szPrompt), "Please enter '%s' PIN or 'cancel': ", token->display);
718 + char *p = getpass (szPrompt);
719 +
720 + strncpy (szPIN, p, nMaxPIN);
721 + szPIN[nMaxPIN-1] = '\0';
722 +
723 + return strcmp (szPIN, "cancel") != 0;
724 +}
725 +
726 +void
727 +_pkcs11_do_log (
728 + IN LogLevel l,
729 + IN const char *f,
730 + IN ...
731 +) {
732 + va_list args;
733 + va_start (args, f);
734 + do_log (l, f, args);
735 + va_end (args);
736 +}
737 +
738 +int
739 +pkcs11_initialize (
740 + const int fProtectedAuthentication,
741 + const int nPINCachePeriod
742 +) {
743 + CK_RV rv = CKR_OK;
744 +
745 + debug3 (
746 + "PKCS#11: pkcs11_initialize - entered fProtectedAuthentication=%d, nPINCachePeriod=%d",
747 + fProtectedAuthentication,
748 + nPINCachePeriod
749 + );
750 +
751 + if (
752 + rv == CKR_OK &&
753 + (rv = pkcs11h_initialize ()) != CKR_OK
754 + ) {
755 + error ("PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
756 + }
757 +
758 + if (
759 + rv == CKR_OK &&
760 + (rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL)) != CKR_OK
761 + ) {
762 + error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
763 + }
764 +
765 + /*
766 + * WARNING!!!
767 + * There is no way to get log level,
768 + * so set to minimum.
769 + * After fix in log.c it can be fixed.
770 + */
771 + if (rv == CKR_OK) {
772 + pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
773 + }
774 +
775 + if (
776 + rv == CKR_OK &&
777 + (rv = pkcs11h_setTokenPromptHook (_pkcs11_ssh_token_prompt, NULL)) != CKR_OK
778 + ) {
779 + error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
780 + }
781 +
782 + if (
783 + rv == CKR_OK &&
784 + (rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt, NULL)) != CKR_OK
785 + ) {
786 + error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
787 + }
788 +
789 + if (
790 + rv == CKR_OK &&
791 + (rv = pkcs11h_setProtectedAuthentication (fProtectedAuthentication)) != CKR_OK
792 + ) {
793 + error ("PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
794 + }
795 +
796 + if (
797 + rv == CKR_OK &&
798 + (rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK
799 + ) {
800 + error ("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
801 + }
802 +
803 + debug3 (
804 + "PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
805 + rv,
806 + pkcs11h_getMessage (rv)
807 + );
808 +
809 + return rv == CKR_OK;
810 +}
811 +
812 +void
813 +pkcs11_terminate () {
814 + debug3 ("PKCS#11: pkcs11_terminate - entered");
815 +
816 + pkcs11h_terminate ();
817 +
818 + debug3 ("PKCS#11: pkcs11_terminate - return");
819 +}
820 +
821 +void
822 +pkcs11_forkFix () {
823 + pkcs11h_forkFixup ();
824 +}
825 +
826 +int
827 +pkcs11_setAskPIN (
828 + const char * const pin_prog
829 +) {
830 + if (pin_prog != NULL) {
831 + if (s_szSetPINProg != NULL) {
832 + xfree (s_szSetPINProg);
833 + s_szSetPINProg = NULL;
834 + }
835 +
836 + s_szSetPINProg = xstrdup (pin_prog);
837 + }
838 +
839 + return 1;
840 +}
841 +
842 +int
843 +pkcs11_addProvider (
844 + const char * const provider,
845 + const int fProtectedAuthentication,
846 + const char * const sign_mode,
847 + const int fCertIsPrivate
848 +) {
849 + unsigned maskSignMode = 0;
850 + CK_RV rv = CKR_OK;
851 +
852 + PKCS11H_ASSERT (provider != NULL);
853 + PKCS11H_ASSERT (sign_mode != NULL);
854 +
855 + debug3 (
856 + "PKCS#11: pkcs11_addProvider - entered - provider='%s', fProtectedAuthentication=%d, sign_mode='%s', fCertIsPrivate=%d",
857 + provider,
858 + fProtectedAuthentication ? 1 : 0,
859 + sign_mode == NULL ? "default" : sign_mode,
860 + fCertIsPrivate ? 1 : 0
861 + );
862 +
863 + debug (
864 + "PKCS#11: Adding PKCS#11 provider '%s'",
865 + provider
866 + );
867 +
868 + if (rv == CKR_OK) {
869 + if (sign_mode == NULL || !strcmp (sign_mode, "auto")) {
870 + maskSignMode = 0;
871 + }
872 + else if (!strcmp (sign_mode, "sign")) {
873 + maskSignMode = PKCS11H_SIGNMODE_MASK_SIGN;
874 + }
875 + else if (!strcmp (sign_mode, "recover")) {
876 + maskSignMode = PKCS11H_SIGNMODE_MASK_RECOVER;
877 + }
878 + else if (!strcmp (sign_mode, "any")) {
879 + maskSignMode = (
880 + PKCS11H_SIGNMODE_MASK_SIGN |
881 + PKCS11H_SIGNMODE_MASK_RECOVER
882 + );
883 + }
884 + else {
885 + error ("PKCS#11: Invalid sign mode '%s'", sign_mode);
886 + rv = CKR_ARGUMENTS_BAD;
887 + }
888 + }
889 +
890 + if (
891 + rv == CKR_OK &&
892 + (rv = pkcs11h_addProvider (
893 + provider,
894 + provider,
895 + fProtectedAuthentication,
896 + maskSignMode,
897 + PKCS11H_SLOTEVENT_METHOD_AUTO,
898 + 0,
899 + fCertIsPrivate
900 + )) != CKR_OK
901 + ) {
902 + error ("PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
903 + }
904 +
905 + debug3 (
906 + "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
907 + rv,
908 + pkcs11h_getMessage (rv)
909 + );
910 +
911 + return rv == CKR_OK;
912 +}
913 +
914 +pkcs11_identity *
915 +pkcs11_identity_new () {
916 + pkcs11_identity *id = xmalloc (sizeof (struct pkcs11_identity_s));
917 + if (id != NULL) {
918 + memset (id, 0, sizeof (struct pkcs11_identity_s));
919 + }
920 + return id;
921 +}
922 +
923 +void
924 +pkcs11_identity_free (
925 + const pkcs11_identity * const id
926 +) {
927 + if (id != NULL) {
928 + xfree ((void *)id);
929 + }
930 +}
931 +
932 +void
933 +pkcs11_getKey (
934 + IN const pkcs11_identity * const id,
935 + OUT Key ** const sshkey,
936 + OUT char * const szComment,
937 + IN const int nCommentMax
938 +) {
939 + X509 *x509 = NULL;
940 + RSA *rsa = NULL;
941 + pkcs11h_certificate_id_t certificate_id = NULL;
942 + pkcs11h_certificate_t certificate = NULL;
943 + pkcs11h_openssl_session_t openssl_session = NULL;
944 + size_t temp;
945 + CK_RV rv = CKR_OK;
946 +
947 + int fOK = TRUE;
948 +
949 + debug3 (
950 + "PKCS#11: pkcs11_getKey - entered - id=%p, sshkey=%p, szComment=%p, nCommentMax=%d",
951 + (void *)id,
952 + (void *)sshkey,
953 + (void *)szComment,
954 + nCommentMax
955 + );
956 +
957 + PKCS11H_ASSERT (id != NULL);
958 + PKCS11H_ASSERT (sshkey!=NULL);
959 + PKCS11H_ASSERT (szComment!=NULL);
960 +
961 + debug3 (
962 + "PKCS#11: pkcs11_getKey - id - id=%s, pin_cache_period=%d, cert_file=%s",
963 + id->id,
964 + id->pin_cache_period,
965 + id->cert_file
966 + );
967 +
968 + PKCS11H_ASSERT (id->id);
969 +
970 + if (
971 + fOK &&
972 + pkcs11h_certificate_deserializeCertificateId (&certificate_id, id->id)
973 + ) {
974 + fOK = FALSE;
975 + error ("PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
976 + }
977 +
978 + if (
979 + fOK &&
980 + id->cert_file != NULL &&
981 + id->cert_file[0] != '\x0'
982 + ) {
983 + X509 *x509 = NULL;
984 + unsigned char *p = NULL;
985 + unsigned char *certificate_blob = NULL;
986 + size_t certificate_blob_size = 0;
987 + FILE *fp = NULL;
988 +
989 + if (
990 + fOK &&
991 + (fp = fopen (id->cert_file, "r")) == NULL
992 + ) {
993 + fOK = FALSE;
994 + error ("PKCS#11: Cannot open file '%s'", id->cert_file);
995 + }
996 +
997 + if (
998 + fOK &&
999 + !PEM_read_X509 (
1000 + fp,
1001 + &x509,
1002 + NULL,
1003 + 0
1004 + )
1005 + ) {
1006 + x509 = NULL;
1007 + fOK = FALSE;
1008 + error ("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
1009 + }
1010 +
1011 + if (
1012 + fOK &&
1013 + (certificate_blob_size = i2d_X509 (x509, NULL)) < 0
1014 + ) {
1015 + fOK = FALSE;
1016 + error ("PKCS#11: Cannot read decode certificate");
1017 + }
1018 +
1019 + if (
1020 + fOK &&
1021 + (certificate_blob = (unsigned char *)xmalloc (certificate_blob_size)) == NULL
1022 + ) {
1023 + fOK = FALSE;
1024 + error ("PKCS#11: Cannot allocate memory");
1025 + }
1026 +
1027 + /*
1028 + * i2d_X509 increments p!!!
1029 + */
1030 + p = certificate_blob;
1031 +
1032 + if (
1033 + fOK &&
1034 + (certificate_blob_size = i2d_X509 (x509, &p)) < 0
1035 + ) {
1036 + fOK = FALSE;
1037 + error ("PKCS#11: Cannot read decode certificate");
1038 + }
1039 +
1040 + if (
1041 + fOK &&
1042 + pkcs11h_certificate_setCertificateIdCertificateBlob (
1043 + certificate_id,
1044 + certificate_blob,
1045 + certificate_blob_size
1046 + ) != CKR_OK
1047 + ) {
1048 + fOK = FALSE;
1049 + error ("PKCS#11: Cannot set certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
1050 + }
1051 +
1052 + if (x509 != NULL) {
1053 + X509_free (x509);
1054 + x509 = NULL;
1055 + }
1056 +
1057 + if (certificate_blob != NULL) {
1058 + xfree (certificate_blob);
1059 + certificate_blob = NULL;
1060 + }
1061 +
1062 + if (fp != NULL) {
1063 + fclose (fp);
1064 + fp = NULL;
1065 + }
1066 + }
1067 +
1068 + if (
1069 + fOK &&
1070 + (rv = pkcs11h_certificate_create (
1071 + certificate_id,
1072 + NULL,
1073 + PKCS11H_PROMPT_MASK_ALLOW_ALL,
1074 + id->pin_cache_period,
1075 + &certificate
1076 + )) != CKR_OK
1077 + ) {
1078 + fOK = FALSE;
1079 + error ("PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
1080 + }
1081 +
1082 + if (certificate_id != NULL){
1083 + pkcs11h_certificate_freeCertificateId (certificate_id);
1084 + certificate_id = NULL;
1085 + }
1086 +
1087 + /*
1088 + * Is called so next certificate_id will
1089 + * contain a proper description
1090 + */
1091 + if (
1092 + fOK &&
1093 + (rv = pkcs11h_certificate_getCertificateBlob (
1094 + certificate,
1095 + NULL,
1096 + &temp
1097 + )) != CKR_OK
1098 + ) {
1099 + fOK = FALSE;
1100 + error ("PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
1101 + }
1102 +
1103 + if (
1104 + fOK &&
1105 + (rv = pkcs11h_certificate_getCertificateId (
1106 + certificate,
1107 + &certificate_id
1108 + )) != CKR_OK
1109 + ) {
1110 + fOK = FALSE;
1111 + error ("PKCS#11: Cannot get certificate_id %ld-'%s'", rv, pkcs11h_getMessage (rv));
1112 + }
1113 +
1114 + if (fOK) {
1115 + strncpy (szComment, certificate_id->displayName, nCommentMax);
1116 + szComment[nCommentMax - 1] = '\0';
1117 + }
1118 +
1119 + if (
1120 + fOK &&
1121 + (openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL
1122 + ) {
1123 + fOK = FALSE;
1124 + error ("PKCS#11: Cannot initialize openssl session");
1125 + }
1126 +
1127 + if (fOK) {
1128 + /*
1129 + * will be release by openssl_session
1130 + */
1131 + certificate = NULL;
1132 + }
1133 +
1134 + if (
1135 + fOK &&
1136 + (rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL
1137 + ) {
1138 + fOK = FALSE;
1139 + error ("PKCS#11: Unable get rsa object");
1140 + }
1141 +
1142 + if (
1143 + fOK &&
1144 + (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
1145 + ) {
1146 + fOK = FALSE;
1147 + error ("PKCS#11: Unable get certificate object");
1148 + }
1149 +
1150 + if (fOK) {
1151 + *sshkey = key_new_private (KEY_UNSPEC);
1152 + (*sshkey)->rsa = rsa;
1153 + rsa = NULL;
1154 +#if defined(SSH_PKCS11_X509_DISABLED)
1155 + (*sshkey)->type = KEY_RSA;
1156 +#else
1157 + (*sshkey)->type = KEY_X509_RSA;
1158 + (*sshkey)->x509 = x509;
1159 + x509 = NULL;
1160 +#endif
1161 + }
1162 +
1163 + if (x509 != NULL) {
1164 + X509_free (x509);
1165 + x509 = NULL;
1166 + }
1167 +
1168 + if (openssl_session != NULL) {
1169 + pkcs11h_openssl_freeSession (openssl_session);
1170 + openssl_session = NULL;
1171 + }
1172 +
1173 + if (certificate != NULL) {
1174 + pkcs11h_certificate_freeCertificate (certificate);
1175 + certificate = NULL;
1176 + }
1177 +
1178 + if (certificate_id != NULL) {
1179 + pkcs11h_certificate_freeCertificateId (certificate_id);
1180 + certificate_id = NULL;
1181 + }
1182 +
1183 + debug3 (
1184 + "PKCS#11: pkcs11_getKey - return fOK=%d, rv=%ld",
1185 + fOK ? 1 : 0,
1186 + rv
1187 + );
1188 +}
1189 +
1190 +void
1191 +pkcs11_show_ids (
1192 + const char * const provider,
1193 + int allow_protected_auth,
1194 + int cert_is_private
1195 +) {
1196 + pkcs11h_certificate_id_list_t user_certificates = NULL;
1197 + pkcs11h_certificate_id_list_t current = NULL;
1198 + CK_RV rv = CKR_OK;
1199 +
1200 + if (rv == CKR_OK) {
1201 + rv = pkcs11h_initialize ();
1202 + }
1203 +
1204 + if (rv == CKR_OK) {
1205 + rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL);
1206 + }
1207 +
1208 + if (rv == CKR_OK) {
1209 + pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
1210 + }
1211 +
1212 + if (rv == CKR_OK) {
1213 + rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt_cli, NULL);
1214 + }
1215 +
1216 + if (rv == CKR_OK) {
1217 + rv = pkcs11h_setProtectedAuthentication (TRUE);
1218 + }
1219 +
1220 + if (rv == CKR_OK) {
1221 + rv = pkcs11h_addProvider (
1222 + provider,
1223 + provider,
1224 + allow_protected_auth ? TRUE : FALSE,
1225 + 0,
1226 + FALSE,
1227 + 0,
1228 + cert_is_private ? TRUE : FALSE
1229 + );
1230 + }
1231 +
1232 + if (rv == CKR_OK) {
1233 + rv = pkcs11h_certificate_enumCertificateIds (
1234 + PKCS11H_ENUM_METHOD_CACHE_EXIST,
1235 + NULL,
1236 + PKCS11H_PROMPT_MASK_ALLOW_ALL,
1237 + NULL,
1238 + &user_certificates
1239 + );
1240 + }
1241 +
1242 + for (current = user_certificates; rv == CKR_OK && current != NULL; current = current->next) {
1243 + pkcs11h_certificate_t certificate = NULL;
1244 + X509 *x509 = NULL;
1245 + char dn[1024] = {0};
1246 + char *ser = NULL;
1247 + char *ssh_key = NULL;
1248 + size_t ser_len = 0;
1249 +
1250 + if (rv == CKR_OK) {
1251 + rv = pkcs11h_certificate_serializeCertificateId (NULL, &ser_len, current->certificate_id);
1252 + }
1253 +
1254 + if (
1255 + rv == CKR_OK &&
1256 + (ser = (char *)xmalloc (ser_len)) == NULL
1257 + ) {
1258 + rv = CKR_HOST_MEMORY;
1259 + }
1260 +
1261 + if (rv == CKR_OK) {
1262 + rv = pkcs11h_certificate_serializeCertificateId (ser, &ser_len, current->certificate_id);
1263 + }
1264 +
1265 + if (rv == CKR_OK) {
1266 + rv = pkcs11h_certificate_create (
1267 + current->certificate_id,
1268 + NULL,
1269 + PKCS11H_PROMPT_MASK_ALLOW_ALL,
1270 + PKCS11H_PIN_CACHE_INFINITE,
1271 + &certificate
1272 + );
1273 + }
1274 +
1275 + if (
1276 + rv == CKR_OK &&
1277 + (x509 = pkcs11h_openssl_getX509 (certificate)) == NULL
1278 + ) {
1279 + rv = CKR_FUNCTION_FAILED;
1280 + }
1281 +
1282 + if (rv == CKR_OK) {
1283 + X509_NAME_oneline (
1284 + X509_get_subject_name (x509),
1285 + dn,
1286 + sizeof (dn)
1287 + );
1288 + printf (
1289 + (
1290 + "\n"
1291 + "********************************************\n"
1292 + "IDENTITY:\n"
1293 + " DN: %s\n"
1294 + " Serialized id: %s\n"
1295 + "\n"
1296 + " Certificate:\n"
1297 + ),
1298 + dn,
1299 + ser
1300 + );
1301 + PEM_write_X509 (stdout, x509);
1302 + }
1303 +
1304 + if (
1305 + rv == CKR_OK &&
1306 + (ssh_key = ssh_from_x509 (x509)) != NULL
1307 + ) {
1308 + printf (
1309 + (
1310 + "\n"
1311 + " SSH:\n"
1312 + "%s\n"
1313 + ),
1314 + ssh_key
1315 + );
1316 +
1317 + xfree (ssh_key);
1318 + }
1319 +
1320 + if (x509 != NULL) {
1321 + X509_free (x509);
1322 + x509 = NULL;
1323 + }
1324 +
1325 + if (certificate != NULL) {
1326 + pkcs11h_certificate_freeCertificate (certificate);
1327 + certificate = NULL;
1328 + }
1329 +
1330 + if (ser != NULL) {
1331 + xfree (ser);
1332 + ser = NULL;
1333 + }
1334 +
1335 + /*
1336 + * Ignore error
1337 + */
1338 + if (rv != CKR_OK) {
1339 + error ("PKCS#11: Failed to get id %ld-'%s'", rv, pkcs11h_getMessage (rv));
1340 + rv = CKR_OK;
1341 + }
1342 + }
1343 +
1344 + if (user_certificates != NULL) {
1345 + pkcs11h_certificate_freeCertificateIdList (user_certificates);
1346 + user_certificates = NULL;
1347 + }
1348 +
1349 + pkcs11h_terminate ();
1350 +}
1351 +
1352 +void
1353 +pkcs11_dump_slots (
1354 + const char * const provider
1355 +) {
1356 + pkcs11h_standalone_dump_slots (
1357 + _pkcs11_ssh_print,
1358 + NULL,
1359 + provider
1360 + );
1361 +}
1362 +
1363 +void
1364 +pkcs11_dump_objects (
1365 + const char * const provider,
1366 + const char * const slot,
1367 + const char * const pin
1368 +) {
1369 + pkcs11h_standalone_dump_objects (
1370 + _pkcs11_ssh_print,
1371 + NULL,
1372 + provider,
1373 + slot,
1374 + pin
1375 + );
1376 +}
1377 +
1378 +/*
1379 + * The ssh_from_x509 is dirived of Tatu and Markus work.
1380 + *
1381 + * Copyright (c) 2006 Alon bar-Lev <alon.barlev@gmail.com>. All rights reserved.
1382 + * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
1383 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
1384 + */
1385 +
1386 +#define PUT_32BIT(cp, value) ( \
1387 + (cp)[0] = (value) >> 24, \
1388 + (cp)[1] = (value) >> 16, \
1389 + (cp)[2] = (value) >> 8, \
1390 + (cp)[3] = (value) )
1391 +
1392 +static
1393 +char *
1394 +ssh_from_x509 (X509 *x509) {
1395 +
1396 + EVP_PKEY *pubkey = NULL;
1397 + BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
1398 + unsigned char *blob = NULL, *buffer = NULL;
1399 + char *ret = NULL;
1400 + int blobsize = 0, retsize = 0;
1401 + int bytes_name = 0, bytes_exponent = 0, bytes_modulus = 0;
1402 + unsigned char *bp;
1403 + char *p;
1404 + int n;
1405 + const char *keyname = NULL;
1406 + int ok = 1;
1407 +
1408 + if (ok && (pubkey = X509_get_pubkey (x509)) == NULL) {
1409 + ok = 0;
1410 + }
1411 +
1412 + if (ok && (bio64 = BIO_new (BIO_f_base64 ())) == NULL) {
1413 + ok = 0;
1414 + }
1415 +
1416 + if (ok && (bio = BIO_new (BIO_s_mem ())) == NULL) {
1417 + ok = 0;
1418 + }
1419 +
1420 + if (ok && (bio2 = BIO_push (bio64, bio)) == NULL) {
1421 + ok = 0;
1422 + }
1423 +
1424 + if (ok && pubkey->type != EVP_PKEY_RSA) {
1425 + ok = 0;
1426 + }
1427 +
1428 + if (ok) {
1429 + keyname = "ssh-rsa";
1430 + }
1431 +
1432 + if (ok) {
1433 + bytes_name = strlen (keyname);
1434 + bytes_exponent = BN_num_bytes (pubkey->pkey.rsa->e);
1435 + bytes_modulus = BN_num_bytes (pubkey->pkey.rsa->n);
1436 +
1437 + blobsize = (
1438 + 4 + bytes_name +
1439 + 4 + (bytes_exponent + 1) +
1440 + 4 + (bytes_modulus + 1) +
1441 + 1
1442 + );
1443 + }
1444 +
1445 + if (ok && (blob = (unsigned char *)xmalloc (blobsize)) == NULL) {
1446 + ok = 0;
1447 + }
1448 +
1449 + if (ok && (buffer = (unsigned char *)xmalloc (blobsize)) == NULL) {
1450 + ok = 0;
1451 + }
1452 +
1453 + if (ok) {
1454 + bp = blob;
1455 +
1456 + PUT_32BIT (bp, bytes_name), bp += 4;
1457 + memcpy (bp, keyname, bytes_name), bp += bytes_name;
1458 +
1459 + BN_bn2bin (pubkey->pkey.rsa->e, buffer);
1460 + if (buffer[0] & 0x80) {
1461 + // highest bit set would indicate a negative number.
1462 + // to avoid this, we have to spend an extra byte:
1463 + PUT_32BIT (bp, bytes_exponent+1), bp += 4;
1464 + *(bp++) = 0;
1465 + } else {
1466 + PUT_32BIT (bp, bytes_exponent), bp += 4;
1467 + }
1468 + memcpy (bp, buffer, bytes_exponent), bp += bytes_exponent;
1469 +
1470 + BN_bn2bin (pubkey->pkey.rsa->n, buffer);
1471 + if (buffer[0] & 0x80) {
1472 + PUT_32BIT (bp, bytes_modulus+1), bp += 4;
1473 + *(bp++) = 0;
1474 + } else {
1475 + PUT_32BIT( bp, bytes_modulus ), bp += 4;
1476 + }
1477 + memcpy (bp, buffer, bytes_modulus), bp += bytes_modulus;
1478 + }
1479 +
1480 +
1481 + if (ok && BIO_write (bio2, blob, bp-blob) == -1) {
1482 + ok = 0;
1483 + }
1484 +
1485 + if (ok && BIO_flush (bio2) == -1) {
1486 + ok = 0;
1487 + }
1488 +
1489 + /*
1490 + * Allocate the newline too... We will remove them later
1491 + * For MS, allocate return as well.
1492 + */
1493 + if (ok) {
1494 + retsize = strlen (keyname) + 1 + (blobsize * 4 / 3) + (blobsize * 2 / 50) + 10 + 1;
1495 + }
1496 +
1497 + if (ok && (ret = xmalloc (retsize)) == NULL) {
1498 + ok = 0;
1499 + }
1500 +
1501 + if (ok) {
1502 + strcpy (ret, keyname);
1503 + strcat (ret, " ");
1504 + }
1505 +
1506 + if (ok && (n = BIO_read (bio, ret + strlen (ret), retsize - strlen (ret) - 1)) == -1) {
1507 + ok = 0;
1508 + }
1509 +
1510 + if (ok) {
1511 + ret[strlen (keyname) + 1 + n] = '\x0';
1512 + }
1513 +
1514 + if (ok) {
1515 + while ((p = strchr (ret, '\n')) != NULL) {
1516 + memmove (p, p+1, strlen (p)+1);
1517 + }
1518 + while ((p = strchr (ret, '\r')) != NULL) {
1519 + memmove (p, p+1, strlen (p)+1);
1520 + }
1521 +
1522 + }
1523 +
1524 + if (bio != NULL) {
1525 + BIO_free_all (bio);
1526 + bio = NULL;
1527 + }
1528 +
1529 + if (pubkey != NULL) {
1530 + EVP_PKEY_free (pubkey);
1531 + pubkey = NULL;
1532 + }
1533 +
1534 + if (buffer != NULL) {
1535 + xfree (buffer);
1536 + buffer = NULL;
1537 + }
1538 +
1539 + if (blob != NULL) {
1540 + xfree (blob);
1541 + blob = NULL;
1542 + }
1543 +
1544 + if (!ok) {
1545 + if (ret != NULL) {
1546 + xfree (ret);
1547 + ret = NULL;
1548 + }
1549 + }
1550 +
1551 + return ret;
1552 +}
1553 +
1554 +#else
1555 +static void dummy (void) {}
1556 +#endif /* SSH_PKCS11_DISABLED */
1557 diff -urNp openssh-4.4p1/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11.h
1558 --- openssh-4.4p1/pkcs11.h 1970-01-01 02:00:00.000000000 +0200
1559 +++ openssh-4.4p1+pkcs11-0.17/pkcs11.h 2006-10-12 13:55:28.000000000 +0200
1560 @@ -0,0 +1,100 @@
1561 +/*
1562 + * Copyright (c) 2005-2006 Alon Bar-Lev. All rights reserved.
1563 + *
1564 + * Redistribution and use in source and binary forms, with or without
1565 + * modification, are permitted provided that the following conditions
1566 + * are met:
1567 + * 1. Redistributions of source code must retain the above copyright
1568 + * notice, this list of conditions and the following disclaimer.
1569 + * 2. Redistributions in binary form must reproduce the above copyright
1570 + * notice, this list of conditions and the following disclaimer in the
1571 + * documentation and/or other materials provided with the distribution.
1572 + *
1573 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1574 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1575 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1576 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1577 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1578 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
1579 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
1580 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
1581 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
1582 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1583 + */
1584 +
1585 +#ifndef SSH_PKCS11_H
1586 +#define SSH_PKCS11_H
1587 +
1588 +#if !defined(SSH_PKCS11_DISABLED)
1589 +
1590 +#include "key.h"
1591 +
1592 +typedef struct pkcs11_identity_s {
1593 + char *id;
1594 + int pin_cache_period;
1595 + char *cert_file;
1596 +} pkcs11_identity;
1597 +
1598 +int
1599 +pkcs11_initialize (
1600 + const int fProtectedAuthentication,
1601 + const int nPINCachePeriod
1602 +);
1603 +
1604 +void
1605 +pkcs11_terminate ();
1606 +
1607 +void
1608 +pkcs11_forkFix ();
1609 +
1610 +int
1611 +pkcs11_setAskPIN (
1612 + const char * const pin_prog
1613 +);
1614 +
1615 +int
1616 +pkcs11_addProvider (
1617 + const char * const provider,
1618 + const int fProtectedAuthentication,
1619 + const char * const sign_mode,
1620 + const int fCertIsPrivate
1621 +);
1622 +
1623 +pkcs11_identity *
1624 +pkcs11_identity_new ();
1625 +
1626 +void
1627 +pkcs11_identity_free (
1628 + const pkcs11_identity * const id
1629 +);
1630 +
1631 +void
1632 +pkcs11_getKey (
1633 + const pkcs11_identity * const id,
1634 + Key ** const sshkey,
1635 + char * const szComment,
1636 + const int nCommentMax
1637 +);
1638 +
1639 +void
1640 +pkcs11_show_ids (
1641 + const char * const provider,
1642 + int allow_protected_auth,
1643 + int cert_is_private
1644 +);
1645 +
1646 +void
1647 +pkcs11_dump_slots (
1648 + const char * const provider
1649 +);
1650 +
1651 +void
1652 +pkcs11_dump_objects (
1653 + const char * const provider,
1654 + const char * const slot,
1655 + const char * const pin
1656 +);
1657 +
1658 +#endif /* SSH_PKCS11_DISABLED */
1659 +
1660 +#endif /* OPENSSH_PKCS11_H */
1661 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11f.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h
1662 --- openssh-4.4p1/pkcs11-headers/pkcs11f.h 1970-01-01 02:00:00.000000000 +0200
1663 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h 2006-09-28 08:05:35.000000000 +0300
1664 @@ -0,0 +1,912 @@
1665 +/* pkcs11f.h include file for PKCS #11. */
1666 +/* $Revision: 1.4 $ */
1667 +
1668 +/* License to copy and use this software is granted provided that it is
1669 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
1670 + * (Cryptoki)" in all material mentioning or referencing this software.
1671 +
1672 + * License is also granted to make and use derivative works provided that
1673 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
1674 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
1675 + * referencing the derived work.
1676 +
1677 + * RSA Security Inc. makes no representations concerning either the
1678 + * merchantability of this software or the suitability of this software for
1679 + * any particular purpose. It is provided "as is" without express or implied
1680 + * warranty of any kind.
1681 + */
1682 +
1683 +/* This header file contains pretty much everything about all the */
1684 +/* Cryptoki function prototypes. Because this information is */
1685 +/* used for more than just declaring function prototypes, the */
1686 +/* order of the functions appearing herein is important, and */
1687 +/* should not be altered. */
1688 +
1689 +/* General-purpose */
1690 +
1691 +/* C_Initialize initializes the Cryptoki library. */
1692 +CK_PKCS11_FUNCTION_INFO(C_Initialize)
1693 +#ifdef CK_NEED_ARG_LIST
1694 +(
1695 + CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
1696 + * cast to CK_C_INITIALIZE_ARGS_PTR
1697 + * and dereferenced */
1698 +);
1699 +#endif
1700 +
1701 +
1702 +/* C_Finalize indicates that an application is done with the
1703 + * Cryptoki library. */
1704 +CK_PKCS11_FUNCTION_INFO(C_Finalize)
1705 +#ifdef CK_NEED_ARG_LIST
1706 +(
1707 + CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
1708 +);
1709 +#endif
1710 +
1711 +
1712 +/* C_GetInfo returns general information about Cryptoki. */
1713 +CK_PKCS11_FUNCTION_INFO(C_GetInfo)
1714 +#ifdef CK_NEED_ARG_LIST
1715 +(
1716 + CK_INFO_PTR pInfo /* location that receives information */
1717 +);
1718 +#endif
1719 +
1720 +
1721 +/* C_GetFunctionList returns the function list. */
1722 +CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
1723 +#ifdef CK_NEED_ARG_LIST
1724 +(
1725 + CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
1726 + * function list */
1727 +);
1728 +#endif
1729 +
1730 +
1731 +
1732 +/* Slot and token management */
1733 +
1734 +/* C_GetSlotList obtains a list of slots in the system. */
1735 +CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
1736 +#ifdef CK_NEED_ARG_LIST
1737 +(
1738 + CK_BBOOL tokenPresent, /* only slots with tokens? */
1739 + CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
1740 + CK_ULONG_PTR pulCount /* receives number of slots */
1741 +);
1742 +#endif
1743 +
1744 +
1745 +/* C_GetSlotInfo obtains information about a particular slot in
1746 + * the system. */
1747 +CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
1748 +#ifdef CK_NEED_ARG_LIST
1749 +(
1750 + CK_SLOT_ID slotID, /* the ID of the slot */
1751 + CK_SLOT_INFO_PTR pInfo /* receives the slot information */
1752 +);
1753 +#endif
1754 +
1755 +
1756 +/* C_GetTokenInfo obtains information about a particular token
1757 + * in the system. */
1758 +CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
1759 +#ifdef CK_NEED_ARG_LIST
1760 +(
1761 + CK_SLOT_ID slotID, /* ID of the token's slot */
1762 + CK_TOKEN_INFO_PTR pInfo /* receives the token information */
1763 +);
1764 +#endif
1765 +
1766 +
1767 +/* C_GetMechanismList obtains a list of mechanism types
1768 + * supported by a token. */
1769 +CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
1770 +#ifdef CK_NEED_ARG_LIST
1771 +(
1772 + CK_SLOT_ID slotID, /* ID of token's slot */
1773 + CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
1774 + CK_ULONG_PTR pulCount /* gets # of mechs. */
1775 +);
1776 +#endif
1777 +
1778 +
1779 +/* C_GetMechanismInfo obtains information about a particular
1780 + * mechanism possibly supported by a token. */
1781 +CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
1782 +#ifdef CK_NEED_ARG_LIST
1783 +(
1784 + CK_SLOT_ID slotID, /* ID of the token's slot */
1785 + CK_MECHANISM_TYPE type, /* type of mechanism */
1786 + CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
1787 +);
1788 +#endif
1789 +
1790 +
1791 +/* C_InitToken initializes a token. */
1792 +CK_PKCS11_FUNCTION_INFO(C_InitToken)
1793 +#ifdef CK_NEED_ARG_LIST
1794 +/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
1795 +(
1796 + CK_SLOT_ID slotID, /* ID of the token's slot */
1797 + CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
1798 + CK_ULONG ulPinLen, /* length in bytes of the PIN */
1799 + CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
1800 +);
1801 +#endif
1802 +
1803 +
1804 +/* C_InitPIN initializes the normal user's PIN. */
1805 +CK_PKCS11_FUNCTION_INFO(C_InitPIN)
1806 +#ifdef CK_NEED_ARG_LIST
1807 +(
1808 + CK_SESSION_HANDLE hSession, /* the session's handle */
1809 + CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
1810 + CK_ULONG ulPinLen /* length in bytes of the PIN */
1811 +);
1812 +#endif
1813 +
1814 +
1815 +/* C_SetPIN modifies the PIN of the user who is logged in. */
1816 +CK_PKCS11_FUNCTION_INFO(C_SetPIN)
1817 +#ifdef CK_NEED_ARG_LIST
1818 +(
1819 + CK_SESSION_HANDLE hSession, /* the session's handle */
1820 + CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
1821 + CK_ULONG ulOldLen, /* length of the old PIN */
1822 + CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
1823 + CK_ULONG ulNewLen /* length of the new PIN */
1824 +);
1825 +#endif
1826 +
1827 +
1828 +
1829 +/* Session management */
1830 +
1831 +/* C_OpenSession opens a session between an application and a
1832 + * token. */
1833 +CK_PKCS11_FUNCTION_INFO(C_OpenSession)
1834 +#ifdef CK_NEED_ARG_LIST
1835 +(
1836 + CK_SLOT_ID slotID, /* the slot's ID */
1837 + CK_FLAGS flags, /* from CK_SESSION_INFO */
1838 + CK_VOID_PTR pApplication, /* passed to callback */
1839 + CK_NOTIFY Notify, /* callback function */
1840 + CK_SESSION_HANDLE_PTR phSession /* gets session handle */
1841 +);
1842 +#endif
1843 +
1844 +
1845 +/* C_CloseSession closes a session between an application and a
1846 + * token. */
1847 +CK_PKCS11_FUNCTION_INFO(C_CloseSession)
1848 +#ifdef CK_NEED_ARG_LIST
1849 +(
1850 + CK_SESSION_HANDLE hSession /* the session's handle */
1851 +);
1852 +#endif
1853 +
1854 +
1855 +/* C_CloseAllSessions closes all sessions with a token. */
1856 +CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
1857 +#ifdef CK_NEED_ARG_LIST
1858 +(
1859 + CK_SLOT_ID slotID /* the token's slot */
1860 +);
1861 +#endif
1862 +
1863 +
1864 +/* C_GetSessionInfo obtains information about the session. */
1865 +CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
1866 +#ifdef CK_NEED_ARG_LIST
1867 +(
1868 + CK_SESSION_HANDLE hSession, /* the session's handle */
1869 + CK_SESSION_INFO_PTR pInfo /* receives session info */
1870 +);
1871 +#endif
1872 +
1873 +
1874 +/* C_GetOperationState obtains the state of the cryptographic operation
1875 + * in a session. */
1876 +CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
1877 +#ifdef CK_NEED_ARG_LIST
1878 +(
1879 + CK_SESSION_HANDLE hSession, /* session's handle */
1880 + CK_BYTE_PTR pOperationState, /* gets state */
1881 + CK_ULONG_PTR pulOperationStateLen /* gets state length */
1882 +);
1883 +#endif
1884 +
1885 +
1886 +/* C_SetOperationState restores the state of the cryptographic
1887 + * operation in a session. */
1888 +CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
1889 +#ifdef CK_NEED_ARG_LIST
1890 +(
1891 + CK_SESSION_HANDLE hSession, /* session's handle */
1892 + CK_BYTE_PTR pOperationState, /* holds state */
1893 + CK_ULONG ulOperationStateLen, /* holds state length */
1894 + CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
1895 + CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
1896 +);
1897 +#endif
1898 +
1899 +
1900 +/* C_Login logs a user into a token. */
1901 +CK_PKCS11_FUNCTION_INFO(C_Login)
1902 +#ifdef CK_NEED_ARG_LIST
1903 +(
1904 + CK_SESSION_HANDLE hSession, /* the session's handle */
1905 + CK_USER_TYPE userType, /* the user type */
1906 + CK_UTF8CHAR_PTR pPin, /* the user's PIN */
1907 + CK_ULONG ulPinLen /* the length of the PIN */
1908 +);
1909 +#endif
1910 +
1911 +
1912 +/* C_Logout logs a user out from a token. */
1913 +CK_PKCS11_FUNCTION_INFO(C_Logout)
1914 +#ifdef CK_NEED_ARG_LIST
1915 +(
1916 + CK_SESSION_HANDLE hSession /* the session's handle */
1917 +);
1918 +#endif
1919 +
1920 +
1921 +
1922 +/* Object management */
1923 +
1924 +/* C_CreateObject creates a new object. */
1925 +CK_PKCS11_FUNCTION_INFO(C_CreateObject)
1926 +#ifdef CK_NEED_ARG_LIST
1927 +(
1928 + CK_SESSION_HANDLE hSession, /* the session's handle */
1929 + CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
1930 + CK_ULONG ulCount, /* attributes in template */
1931 + CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
1932 +);
1933 +#endif
1934 +
1935 +
1936 +/* C_CopyObject copies an object, creating a new object for the
1937 + * copy. */
1938 +CK_PKCS11_FUNCTION_INFO(C_CopyObject)
1939 +#ifdef CK_NEED_ARG_LIST
1940 +(
1941 + CK_SESSION_HANDLE hSession, /* the session's handle */
1942 + CK_OBJECT_HANDLE hObject, /* the object's handle */
1943 + CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
1944 + CK_ULONG ulCount, /* attributes in template */
1945 + CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
1946 +);
1947 +#endif
1948 +
1949 +
1950 +/* C_DestroyObject destroys an object. */
1951 +CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
1952 +#ifdef CK_NEED_ARG_LIST
1953 +(
1954 + CK_SESSION_HANDLE hSession, /* the session's handle */
1955 + CK_OBJECT_HANDLE hObject /* the object's handle */
1956 +);
1957 +#endif
1958 +
1959 +
1960 +/* C_GetObjectSize gets the size of an object in bytes. */
1961 +CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
1962 +#ifdef CK_NEED_ARG_LIST
1963 +(
1964 + CK_SESSION_HANDLE hSession, /* the session's handle */
1965 + CK_OBJECT_HANDLE hObject, /* the object's handle */
1966 + CK_ULONG_PTR pulSize /* receives size of object */
1967 +);
1968 +#endif
1969 +
1970 +
1971 +/* C_GetAttributeValue obtains the value of one or more object
1972 + * attributes. */
1973 +CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
1974 +#ifdef CK_NEED_ARG_LIST
1975 +(
1976 + CK_SESSION_HANDLE hSession, /* the session's handle */
1977 + CK_OBJECT_HANDLE hObject, /* the object's handle */
1978 + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
1979 + CK_ULONG ulCount /* attributes in template */
1980 +);
1981 +#endif
1982 +
1983 +
1984 +/* C_SetAttributeValue modifies the value of one or more object
1985 + * attributes */
1986 +CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
1987 +#ifdef CK_NEED_ARG_LIST
1988 +(
1989 + CK_SESSION_HANDLE hSession, /* the session's handle */
1990 + CK_OBJECT_HANDLE hObject, /* the object's handle */
1991 + CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
1992 + CK_ULONG ulCount /* attributes in template */
1993 +);
1994 +#endif
1995 +
1996 +
1997 +/* C_FindObjectsInit initializes a search for token and session
1998 + * objects that match a template. */
1999 +CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
2000 +#ifdef CK_NEED_ARG_LIST
2001 +(
2002 + CK_SESSION_HANDLE hSession, /* the session's handle */
2003 + CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
2004 + CK_ULONG ulCount /* attrs in search template */
2005 +);
2006 +#endif
2007 +
2008 +
2009 +/* C_FindObjects continues a search for token and session
2010 + * objects that match a template, obtaining additional object
2011 + * handles. */
2012 +CK_PKCS11_FUNCTION_INFO(C_FindObjects)
2013 +#ifdef CK_NEED_ARG_LIST
2014 +(
2015 + CK_SESSION_HANDLE hSession, /* session's handle */
2016 + CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
2017 + CK_ULONG ulMaxObjectCount, /* max handles to get */
2018 + CK_ULONG_PTR pulObjectCount /* actual # returned */
2019 +);
2020 +#endif
2021 +
2022 +
2023 +/* C_FindObjectsFinal finishes a search for token and session
2024 + * objects. */
2025 +CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
2026 +#ifdef CK_NEED_ARG_LIST
2027 +(
2028 + CK_SESSION_HANDLE hSession /* the session's handle */
2029 +);
2030 +#endif
2031 +
2032 +
2033 +
2034 +/* Encryption and decryption */
2035 +
2036 +/* C_EncryptInit initializes an encryption operation. */
2037 +CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
2038 +#ifdef CK_NEED_ARG_LIST
2039 +(
2040 + CK_SESSION_HANDLE hSession, /* the session's handle */
2041 + CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
2042 + CK_OBJECT_HANDLE hKey /* handle of encryption key */
2043 +);
2044 +#endif
2045 +
2046 +
2047 +/* C_Encrypt encrypts single-part data. */
2048 +CK_PKCS11_FUNCTION_INFO(C_Encrypt)
2049 +#ifdef CK_NEED_ARG_LIST
2050 +(
2051 + CK_SESSION_HANDLE hSession, /* session's handle */
2052 + CK_BYTE_PTR pData, /* the plaintext data */
2053 + CK_ULONG ulDataLen, /* bytes of plaintext */
2054 + CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
2055 + CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
2056 +);
2057 +#endif
2058 +
2059 +
2060 +/* C_EncryptUpdate continues a multiple-part encryption
2061 + * operation. */
2062 +CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
2063 +#ifdef CK_NEED_ARG_LIST
2064 +(
2065 + CK_SESSION_HANDLE hSession, /* session's handle */
2066 + CK_BYTE_PTR pPart, /* the plaintext data */
2067 + CK_ULONG ulPartLen, /* plaintext data len */
2068 + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2069 + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
2070 +);
2071 +#endif
2072 +
2073 +
2074 +/* C_EncryptFinal finishes a multiple-part encryption
2075 + * operation. */
2076 +CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
2077 +#ifdef CK_NEED_ARG_LIST
2078 +(
2079 + CK_SESSION_HANDLE hSession, /* session handle */
2080 + CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
2081 + CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
2082 +);
2083 +#endif
2084 +
2085 +
2086 +/* C_DecryptInit initializes a decryption operation. */
2087 +CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
2088 +#ifdef CK_NEED_ARG_LIST
2089 +(
2090 + CK_SESSION_HANDLE hSession, /* the session's handle */
2091 + CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
2092 + CK_OBJECT_HANDLE hKey /* handle of decryption key */
2093 +);
2094 +#endif
2095 +
2096 +
2097 +/* C_Decrypt decrypts encrypted data in a single part. */
2098 +CK_PKCS11_FUNCTION_INFO(C_Decrypt)
2099 +#ifdef CK_NEED_ARG_LIST
2100 +(
2101 + CK_SESSION_HANDLE hSession, /* session's handle */
2102 + CK_BYTE_PTR pEncryptedData, /* ciphertext */
2103 + CK_ULONG ulEncryptedDataLen, /* ciphertext length */
2104 + CK_BYTE_PTR pData, /* gets plaintext */
2105 + CK_ULONG_PTR pulDataLen /* gets p-text size */
2106 +);
2107 +#endif
2108 +
2109 +
2110 +/* C_DecryptUpdate continues a multiple-part decryption
2111 + * operation. */
2112 +CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
2113 +#ifdef CK_NEED_ARG_LIST
2114 +(
2115 + CK_SESSION_HANDLE hSession, /* session's handle */
2116 + CK_BYTE_PTR pEncryptedPart, /* encrypted data */
2117 + CK_ULONG ulEncryptedPartLen, /* input length */
2118 + CK_BYTE_PTR pPart, /* gets plaintext */
2119 + CK_ULONG_PTR pulPartLen /* p-text size */
2120 +);
2121 +#endif
2122 +
2123 +
2124 +/* C_DecryptFinal finishes a multiple-part decryption
2125 + * operation. */
2126 +CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
2127 +#ifdef CK_NEED_ARG_LIST
2128 +(
2129 + CK_SESSION_HANDLE hSession, /* the session's handle */
2130 + CK_BYTE_PTR pLastPart, /* gets plaintext */
2131 + CK_ULONG_PTR pulLastPartLen /* p-text size */
2132 +);
2133 +#endif
2134 +
2135 +
2136 +
2137 +/* Message digesting */
2138 +
2139 +/* C_DigestInit initializes a message-digesting operation. */
2140 +CK_PKCS11_FUNCTION_INFO(C_DigestInit)
2141 +#ifdef CK_NEED_ARG_LIST
2142 +(
2143 + CK_SESSION_HANDLE hSession, /* the session's handle */
2144 + CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
2145 +);
2146 +#endif
2147 +
2148 +
2149 +/* C_Digest digests data in a single part. */
2150 +CK_PKCS11_FUNCTION_INFO(C_Digest)
2151 +#ifdef CK_NEED_ARG_LIST
2152 +(
2153 + CK_SESSION_HANDLE hSession, /* the session's handle */
2154 + CK_BYTE_PTR pData, /* data to be digested */
2155 + CK_ULONG ulDataLen, /* bytes of data to digest */
2156 + CK_BYTE_PTR pDigest, /* gets the message digest */
2157 + CK_ULONG_PTR pulDigestLen /* gets digest length */
2158 +);
2159 +#endif
2160 +
2161 +
2162 +/* C_DigestUpdate continues a multiple-part message-digesting
2163 + * operation. */
2164 +CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
2165 +#ifdef CK_NEED_ARG_LIST
2166 +(
2167 + CK_SESSION_HANDLE hSession, /* the session's handle */
2168 + CK_BYTE_PTR pPart, /* data to be digested */
2169 + CK_ULONG ulPartLen /* bytes of data to be digested */
2170 +);
2171 +#endif
2172 +
2173 +
2174 +/* C_DigestKey continues a multi-part message-digesting
2175 + * operation, by digesting the value of a secret key as part of
2176 + * the data already digested. */
2177 +CK_PKCS11_FUNCTION_INFO(C_DigestKey)
2178 +#ifdef CK_NEED_ARG_LIST
2179 +(
2180 + CK_SESSION_HANDLE hSession, /* the session's handle */
2181 + CK_OBJECT_HANDLE hKey /* secret key to digest */
2182 +);
2183 +#endif
2184 +
2185 +
2186 +/* C_DigestFinal finishes a multiple-part message-digesting
2187 + * operation. */
2188 +CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
2189 +#ifdef CK_NEED_ARG_LIST
2190 +(
2191 + CK_SESSION_HANDLE hSession, /* the session's handle */
2192 + CK_BYTE_PTR pDigest, /* gets the message digest */
2193 + CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
2194 +);
2195 +#endif
2196 +
2197 +
2198 +
2199 +/* Signing and MACing */
2200 +
2201 +/* C_SignInit initializes a signature (private key encryption)
2202 + * operation, where the signature is (will be) an appendix to
2203 + * the data, and plaintext cannot be recovered from the
2204 + *signature. */
2205 +CK_PKCS11_FUNCTION_INFO(C_SignInit)
2206 +#ifdef CK_NEED_ARG_LIST
2207 +(
2208 + CK_SESSION_HANDLE hSession, /* the session's handle */
2209 + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
2210 + CK_OBJECT_HANDLE hKey /* handle of signature key */
2211 +);
2212 +#endif
2213 +
2214 +
2215 +/* C_Sign signs (encrypts with private key) data in a single
2216 + * part, where the signature is (will be) an appendix to the
2217 + * data, and plaintext cannot be recovered from the signature. */
2218 +CK_PKCS11_FUNCTION_INFO(C_Sign)
2219 +#ifdef CK_NEED_ARG_LIST
2220 +(
2221 + CK_SESSION_HANDLE hSession, /* the session's handle */
2222 + CK_BYTE_PTR pData, /* the data to sign */
2223 + CK_ULONG ulDataLen, /* count of bytes to sign */
2224 + CK_BYTE_PTR pSignature, /* gets the signature */
2225 + CK_ULONG_PTR pulSignatureLen /* gets signature length */
2226 +);
2227 +#endif
2228 +
2229 +
2230 +/* C_SignUpdate continues a multiple-part signature operation,
2231 + * where the signature is (will be) an appendix to the data,
2232 + * and plaintext cannot be recovered from the signature. */
2233 +CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
2234 +#ifdef CK_NEED_ARG_LIST
2235 +(
2236 + CK_SESSION_HANDLE hSession, /* the session's handle */
2237 + CK_BYTE_PTR pPart, /* the data to sign */
2238 + CK_ULONG ulPartLen /* count of bytes to sign */
2239 +);
2240 +#endif
2241 +
2242 +
2243 +/* C_SignFinal finishes a multiple-part signature operation,
2244 + * returning the signature. */
2245 +CK_PKCS11_FUNCTION_INFO(C_SignFinal)
2246 +#ifdef CK_NEED_ARG_LIST
2247 +(
2248 + CK_SESSION_HANDLE hSession, /* the session's handle */
2249 + CK_BYTE_PTR pSignature, /* gets the signature */
2250 + CK_ULONG_PTR pulSignatureLen /* gets signature length */
2251 +);
2252 +#endif
2253 +
2254 +
2255 +/* C_SignRecoverInit initializes a signature operation, where
2256 + * the data can be recovered from the signature. */
2257 +CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
2258 +#ifdef CK_NEED_ARG_LIST
2259 +(
2260 + CK_SESSION_HANDLE hSession, /* the session's handle */
2261 + CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
2262 + CK_OBJECT_HANDLE hKey /* handle of the signature key */
2263 +);
2264 +#endif
2265 +
2266 +
2267 +/* C_SignRecover signs data in a single operation, where the
2268 + * data can be recovered from the signature. */
2269 +CK_PKCS11_FUNCTION_INFO(C_SignRecover)
2270 +#ifdef CK_NEED_ARG_LIST
2271 +(
2272 + CK_SESSION_HANDLE hSession, /* the session's handle */
2273 + CK_BYTE_PTR pData, /* the data to sign */
2274 + CK_ULONG ulDataLen, /* count of bytes to sign */
2275 + CK_BYTE_PTR pSignature, /* gets the signature */
2276 + CK_ULONG_PTR pulSignatureLen /* gets signature length */
2277 +);
2278 +#endif
2279 +
2280 +
2281 +
2282 +/* Verifying signatures and MACs */
2283 +
2284 +/* C_VerifyInit initializes a verification operation, where the
2285 + * signature is an appendix to the data, and plaintext cannot
2286 + * cannot be recovered from the signature (e.g. DSA). */
2287 +CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
2288 +#ifdef CK_NEED_ARG_LIST
2289 +(
2290 + CK_SESSION_HANDLE hSession, /* the session's handle */
2291 + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
2292 + CK_OBJECT_HANDLE hKey /* verification key */
2293 +);
2294 +#endif
2295 +
2296 +
2297 +/* C_Verify verifies a signature in a single-part operation,
2298 + * where the signature is an appendix to the data, and plaintext
2299 + * cannot be recovered from the signature. */
2300 +CK_PKCS11_FUNCTION_INFO(C_Verify)
2301 +#ifdef CK_NEED_ARG_LIST
2302 +(
2303 + CK_SESSION_HANDLE hSession, /* the session's handle */
2304 + CK_BYTE_PTR pData, /* signed data */
2305 + CK_ULONG ulDataLen, /* length of signed data */
2306 + CK_BYTE_PTR pSignature, /* signature */
2307 + CK_ULONG ulSignatureLen /* signature length*/
2308 +);
2309 +#endif
2310 +
2311 +
2312 +/* C_VerifyUpdate continues a multiple-part verification
2313 + * operation, where the signature is an appendix to the data,
2314 + * and plaintext cannot be recovered from the signature. */
2315 +CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
2316 +#ifdef CK_NEED_ARG_LIST
2317 +(
2318 + CK_SESSION_HANDLE hSession, /* the session's handle */
2319 + CK_BYTE_PTR pPart, /* signed data */
2320 + CK_ULONG ulPartLen /* length of signed data */
2321 +);
2322 +#endif
2323 +
2324 +
2325 +/* C_VerifyFinal finishes a multiple-part verification
2326 + * operation, checking the signature. */
2327 +CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
2328 +#ifdef CK_NEED_ARG_LIST
2329 +(
2330 + CK_SESSION_HANDLE hSession, /* the session's handle */
2331 + CK_BYTE_PTR pSignature, /* signature to verify */
2332 + CK_ULONG ulSignatureLen /* signature length */
2333 +);
2334 +#endif
2335 +
2336 +
2337 +/* C_VerifyRecoverInit initializes a signature verification
2338 + * operation, where the data is recovered from the signature. */
2339 +CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
2340 +#ifdef CK_NEED_ARG_LIST
2341 +(
2342 + CK_SESSION_HANDLE hSession, /* the session's handle */
2343 + CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
2344 + CK_OBJECT_HANDLE hKey /* verification key */
2345 +);
2346 +#endif
2347 +
2348 +
2349 +/* C_VerifyRecover verifies a signature in a single-part
2350 + * operation, where the data is recovered from the signature. */
2351 +CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
2352 +#ifdef CK_NEED_ARG_LIST
2353 +(
2354 + CK_SESSION_HANDLE hSession, /* the session's handle */
2355 + CK_BYTE_PTR pSignature, /* signature to verify */
2356 + CK_ULONG ulSignatureLen, /* signature length */
2357 + CK_BYTE_PTR pData, /* gets signed data */
2358 + CK_ULONG_PTR pulDataLen /* gets signed data len */
2359 +);
2360 +#endif
2361 +
2362 +
2363 +
2364 +/* Dual-function cryptographic operations */
2365 +
2366 +/* C_DigestEncryptUpdate continues a multiple-part digesting
2367 + * and encryption operation. */
2368 +CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
2369 +#ifdef CK_NEED_ARG_LIST
2370 +(
2371 + CK_SESSION_HANDLE hSession, /* session's handle */
2372 + CK_BYTE_PTR pPart, /* the plaintext data */
2373 + CK_ULONG ulPartLen, /* plaintext length */
2374 + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2375 + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
2376 +);
2377 +#endif
2378 +
2379 +
2380 +/* C_DecryptDigestUpdate continues a multiple-part decryption and
2381 + * digesting operation. */
2382 +CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
2383 +#ifdef CK_NEED_ARG_LIST
2384 +(
2385 + CK_SESSION_HANDLE hSession, /* session's handle */
2386 + CK_BYTE_PTR pEncryptedPart, /* ciphertext */
2387 + CK_ULONG ulEncryptedPartLen, /* ciphertext length */
2388 + CK_BYTE_PTR pPart, /* gets plaintext */
2389 + CK_ULONG_PTR pulPartLen /* gets plaintext len */
2390 +);
2391 +#endif
2392 +
2393 +
2394 +/* C_SignEncryptUpdate continues a multiple-part signing and
2395 + * encryption operation. */
2396 +CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
2397 +#ifdef CK_NEED_ARG_LIST
2398 +(
2399 + CK_SESSION_HANDLE hSession, /* session's handle */
2400 + CK_BYTE_PTR pPart, /* the plaintext data */
2401 + CK_ULONG ulPartLen, /* plaintext length */
2402 + CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
2403 + CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
2404 +);
2405 +#endif
2406 +
2407 +
2408 +/* C_DecryptVerifyUpdate continues a multiple-part decryption and
2409 + * verify operation. */
2410 +CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
2411 +#ifdef CK_NEED_ARG_LIST
2412 +(
2413 + CK_SESSION_HANDLE hSession, /* session's handle */
2414 + CK_BYTE_PTR pEncryptedPart, /* ciphertext */
2415 + CK_ULONG ulEncryptedPartLen, /* ciphertext length */
2416 + CK_BYTE_PTR pPart, /* gets plaintext */
2417 + CK_ULONG_PTR pulPartLen /* gets p-text length */
2418 +);
2419 +#endif
2420 +
2421 +
2422 +
2423 +/* Key management */
2424 +
2425 +/* C_GenerateKey generates a secret key, creating a new key
2426 + * object. */
2427 +CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
2428 +#ifdef CK_NEED_ARG_LIST
2429 +(
2430 + CK_SESSION_HANDLE hSession, /* the session's handle */
2431 + CK_MECHANISM_PTR pMechanism, /* key generation mech. */
2432 + CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
2433 + CK_ULONG ulCount, /* # of attrs in template */
2434 + CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
2435 +);
2436 +#endif
2437 +
2438 +
2439 +/* C_GenerateKeyPair generates a public-key/private-key pair,
2440 + * creating new key objects. */
2441 +CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
2442 +#ifdef CK_NEED_ARG_LIST
2443 +(
2444 + CK_SESSION_HANDLE hSession, /* session
2445 + * handle */
2446 + CK_MECHANISM_PTR pMechanism, /* key-gen
2447 + * mech. */
2448 + CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
2449 + * for pub.
2450 + * key */
2451 + CK_ULONG ulPublicKeyAttributeCount, /* # pub.
2452 + * attrs. */
2453 + CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
2454 + * for priv.
2455 + * key */
2456 + CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
2457 + * attrs. */
2458 + CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
2459 + * key
2460 + * handle */
2461 + CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
2462 + * priv. key
2463 + * handle */
2464 +);
2465 +#endif
2466 +
2467 +
2468 +/* C_WrapKey wraps (i.e., encrypts) a key. */
2469 +CK_PKCS11_FUNCTION_INFO(C_WrapKey)
2470 +#ifdef CK_NEED_ARG_LIST
2471 +(
2472 + CK_SESSION_HANDLE hSession, /* the session's handle */
2473 + CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
2474 + CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
2475 + CK_OBJECT_HANDLE hKey, /* key to be wrapped */
2476 + CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
2477 + CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
2478 +);
2479 +#endif
2480 +
2481 +
2482 +/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
2483 + * key object. */
2484 +CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
2485 +#ifdef CK_NEED_ARG_LIST
2486 +(
2487 + CK_SESSION_HANDLE hSession, /* session's handle */
2488 + CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
2489 + CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
2490 + CK_BYTE_PTR pWrappedKey, /* the wrapped key */
2491 + CK_ULONG ulWrappedKeyLen, /* wrapped key len */
2492 + CK_ATTRIBUTE_PTR pTemplate, /* new key template */
2493 + CK_ULONG ulAttributeCount, /* template length */
2494 + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
2495 +);
2496 +#endif
2497 +
2498 +
2499 +/* C_DeriveKey derives a key from a base key, creating a new key
2500 + * object. */
2501 +CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
2502 +#ifdef CK_NEED_ARG_LIST
2503 +(
2504 + CK_SESSION_HANDLE hSession, /* session's handle */
2505 + CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
2506 + CK_OBJECT_HANDLE hBaseKey, /* base key */
2507 + CK_ATTRIBUTE_PTR pTemplate, /* new key template */
2508 + CK_ULONG ulAttributeCount, /* template length */
2509 + CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
2510 +);
2511 +#endif
2512 +
2513 +
2514 +
2515 +/* Random number generation */
2516 +
2517 +/* C_SeedRandom mixes additional seed material into the token's
2518 + * random number generator. */
2519 +CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
2520 +#ifdef CK_NEED_ARG_LIST
2521 +(
2522 + CK_SESSION_HANDLE hSession, /* the session's handle */
2523 + CK_BYTE_PTR pSeed, /* the seed material */
2524 + CK_ULONG ulSeedLen /* length of seed material */
2525 +);
2526 +#endif
2527 +
2528 +
2529 +/* C_GenerateRandom generates random data. */
2530 +CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
2531 +#ifdef CK_NEED_ARG_LIST
2532 +(
2533 + CK_SESSION_HANDLE hSession, /* the session's handle */
2534 + CK_BYTE_PTR RandomData, /* receives the random data */
2535 + CK_ULONG ulRandomLen /* # of bytes to generate */
2536 +);
2537 +#endif
2538 +
2539 +
2540 +
2541 +/* Parallel function management */
2542 +
2543 +/* C_GetFunctionStatus is a legacy function; it obtains an
2544 + * updated status of a function running in parallel with an
2545 + * application. */
2546 +CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
2547 +#ifdef CK_NEED_ARG_LIST
2548 +(
2549 + CK_SESSION_HANDLE hSession /* the session's handle */
2550 +);
2551 +#endif
2552 +
2553 +
2554 +/* C_CancelFunction is a legacy function; it cancels a function
2555 + * running in parallel. */
2556 +CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
2557 +#ifdef CK_NEED_ARG_LIST
2558 +(
2559 + CK_SESSION_HANDLE hSession /* the session's handle */
2560 +);
2561 +#endif
2562 +
2563 +
2564 +
2565 +/* Functions added in for Cryptoki Version 2.01 or later */
2566 +
2567 +/* C_WaitForSlotEvent waits for a slot event (token insertion,
2568 + * removal, etc.) to occur. */
2569 +CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
2570 +#ifdef CK_NEED_ARG_LIST
2571 +(
2572 + CK_FLAGS flags, /* blocking/nonblocking flag */
2573 + CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
2574 + CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
2575 +);
2576 +#endif
2577 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h
2578 --- openssh-4.4p1/pkcs11-headers/pkcs11.h 1970-01-01 02:00:00.000000000 +0200
2579 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h 2006-09-28 08:05:35.000000000 +0300
2580 @@ -0,0 +1,299 @@
2581 +/* pkcs11.h include file for PKCS #11. */
2582 +/* $Revision: 1.4 $ */
2583 +
2584 +/* License to copy and use this software is granted provided that it is
2585 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
2586 + * (Cryptoki)" in all material mentioning or referencing this software.
2587 +
2588 + * License is also granted to make and use derivative works provided that
2589 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
2590 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
2591 + * referencing the derived work.
2592 +
2593 + * RSA Security Inc. makes no representations concerning either the
2594 + * merchantability of this software or the suitability of this software for
2595 + * any particular purpose. It is provided "as is" without express or implied
2596 + * warranty of any kind.
2597 + */
2598 +
2599 +#ifndef _PKCS11_H_
2600 +#define _PKCS11_H_ 1
2601 +
2602 +#ifdef __cplusplus
2603 +extern "C" {
2604 +#endif
2605 +
2606 +/* Before including this file (pkcs11.h) (or pkcs11t.h by
2607 + * itself), 6 platform-specific macros must be defined. These
2608 + * macros are described below, and typical definitions for them
2609 + * are also given. Be advised that these definitions can depend
2610 + * on both the platform and the compiler used (and possibly also
2611 + * on whether a Cryptoki library is linked statically or
2612 + * dynamically).
2613 + *
2614 + * In addition to defining these 6 macros, the packing convention
2615 + * for Cryptoki structures should be set. The Cryptoki
2616 + * convention on packing is that structures should be 1-byte
2617 + * aligned.
2618 + *
2619 + * If you're using Microsoft Developer Studio 5.0 to produce
2620 + * Win32 stuff, this might be done by using the following
2621 + * preprocessor directive before including pkcs11.h or pkcs11t.h:
2622 + *
2623 + * #pragma pack(push, cryptoki, 1)
2624 + *
2625 + * and using the following preprocessor directive after including
2626 + * pkcs11.h or pkcs11t.h:
2627 + *
2628 + * #pragma pack(pop, cryptoki)
2629 + *
2630 + * If you're using an earlier version of Microsoft Developer
2631 + * Studio to produce Win16 stuff, this might be done by using
2632 + * the following preprocessor directive before including
2633 + * pkcs11.h or pkcs11t.h:
2634 + *
2635 + * #pragma pack(1)
2636 + *
2637 + * In a UNIX environment, you're on your own for this. You might
2638 + * not need to do (or be able to do!) anything.
2639 + *
2640 + *
2641 + * Now for the macros:
2642 + *
2643 + *
2644 + * 1. CK_PTR: The indirection string for making a pointer to an
2645 + * object. It can be used like this:
2646 + *
2647 + * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
2648 + *
2649 + * If you're using Microsoft Developer Studio 5.0 to produce
2650 + * Win32 stuff, it might be defined by:
2651 + *
2652 + * #define CK_PTR *
2653 + *
2654 + * If you're using an earlier version of Microsoft Developer
2655 + * Studio to produce Win16 stuff, it might be defined by:
2656 + *
2657 + * #define CK_PTR far *
2658 + *
2659 + * In a typical UNIX environment, it might be defined by:
2660 + *
2661 + * #define CK_PTR *
2662 + *
2663 + *
2664 + * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
2665 + * an exportable Cryptoki library function definition out of a
2666 + * return type and a function name. It should be used in the
2667 + * following fashion to define the exposed Cryptoki functions in
2668 + * a Cryptoki library:
2669 + *
2670 + * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
2671 + * CK_VOID_PTR pReserved
2672 + * )
2673 + * {
2674 + * ...
2675 + * }
2676 + *
2677 + * If you're using Microsoft Developer Studio 5.0 to define a
2678 + * function in a Win32 Cryptoki .dll, it might be defined by:
2679 + *
2680 + * #define CK_DEFINE_FUNCTION(returnType, name) \
2681 + * returnType __declspec(dllexport) name
2682 + *
2683 + * If you're using an earlier version of Microsoft Developer
2684 + * Studio to define a function in a Win16 Cryptoki .dll, it
2685 + * might be defined by:
2686 + *
2687 + * #define CK_DEFINE_FUNCTION(returnType, name) \
2688 + * returnType __export _far _pascal name
2689 + *
2690 + * In a UNIX environment, it might be defined by:
2691 + *
2692 + * #define CK_DEFINE_FUNCTION(returnType, name) \
2693 + * returnType name
2694 + *
2695 + *
2696 + * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
2697 + * an importable Cryptoki library function declaration out of a
2698 + * return type and a function name. It should be used in the
2699 + * following fashion:
2700 + *
2701 + * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
2702 + * CK_VOID_PTR pReserved
2703 + * );
2704 + *
2705 + * If you're using Microsoft Developer Studio 5.0 to declare a
2706 + * function in a Win32 Cryptoki .dll, it might be defined by:
2707 + *
2708 + * #define CK_DECLARE_FUNCTION(returnType, name) \
2709 + * returnType __declspec(dllimport) name
2710 + *
2711 + * If you're using an earlier version of Microsoft Developer
2712 + * Studio to declare a function in a Win16 Cryptoki .dll, it
2713 + * might be defined by:
2714 + *
2715 + * #define CK_DECLARE_FUNCTION(returnType, name) \
2716 + * returnType __export _far _pascal name
2717 + *
2718 + * In a UNIX environment, it might be defined by:
2719 + *
2720 + * #define CK_DECLARE_FUNCTION(returnType, name) \
2721 + * returnType name
2722 + *
2723 + *
2724 + * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
2725 + * which makes a Cryptoki API function pointer declaration or
2726 + * function pointer type declaration out of a return type and a
2727 + * function name. It should be used in the following fashion:
2728 + *
2729 + * // Define funcPtr to be a pointer to a Cryptoki API function
2730 + * // taking arguments args and returning CK_RV.
2731 + * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
2732 + *
2733 + * or
2734 + *
2735 + * // Define funcPtrType to be the type of a pointer to a
2736 + * // Cryptoki API function taking arguments args and returning
2737 + * // CK_RV, and then define funcPtr to be a variable of type
2738 + * // funcPtrType.
2739 + * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
2740 + * funcPtrType funcPtr;
2741 + *
2742 + * If you're using Microsoft Developer Studio 5.0 to access
2743 + * functions in a Win32 Cryptoki .dll, in might be defined by:
2744 + *
2745 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2746 + * returnType __declspec(dllimport) (* name)
2747 + *
2748 + * If you're using an earlier version of Microsoft Developer
2749 + * Studio to access functions in a Win16 Cryptoki .dll, it might
2750 + * be defined by:
2751 + *
2752 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2753 + * returnType __export _far _pascal (* name)
2754 + *
2755 + * In a UNIX environment, it might be defined by:
2756 + *
2757 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
2758 + * returnType (* name)
2759 + *
2760 + *
2761 + * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
2762 + * a function pointer type for an application callback out of
2763 + * a return type for the callback and a name for the callback.
2764 + * It should be used in the following fashion:
2765 + *
2766 + * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
2767 + *
2768 + * to declare a function pointer, myCallback, to a callback
2769 + * which takes arguments args and returns a CK_RV. It can also
2770 + * be used like this:
2771 + *
2772 + * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
2773 + * myCallbackType myCallback;
2774 + *
2775 + * If you're using Microsoft Developer Studio 5.0 to do Win32
2776 + * Cryptoki development, it might be defined by:
2777 + *
2778 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
2779 + * returnType (* name)
2780 + *
2781 + * If you're using an earlier version of Microsoft Developer
2782 + * Studio to do Win16 development, it might be defined by:
2783 + *
2784 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
2785 + * returnType _far _pascal (* name)
2786 + *
2787 + * In a UNIX environment, it might be defined by:
2788 + *
2789 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
2790 + * returnType (* name)
2791 + *
2792 + *
2793 + * 6. NULL_PTR: This macro is the value of a NULL pointer.
2794 + *
2795 + * In any ANSI/ISO C environment (and in many others as well),
2796 + * this should best be defined by
2797 + *
2798 + * #ifndef NULL_PTR
2799 + * #define NULL_PTR 0
2800 + * #endif
2801 + */
2802 +
2803 +
2804 +/* All the various Cryptoki types and #define'd values are in the
2805 + * file pkcs11t.h. */
2806 +#include "pkcs11t.h"
2807 +
2808 +#define __PASTE(x,y) x##y
2809 +
2810 +
2811 +/* ==============================================================
2812 + * Define the "extern" form of all the entry points.
2813 + * ==============================================================
2814 + */
2815 +
2816 +#define CK_NEED_ARG_LIST 1
2817 +#define CK_PKCS11_FUNCTION_INFO(name) \
2818 + extern CK_DECLARE_FUNCTION(CK_RV, name)
2819 +
2820 +/* pkcs11f.h has all the information about the Cryptoki
2821 + * function prototypes. */
2822 +#include "pkcs11f.h"
2823 +
2824 +#undef CK_NEED_ARG_LIST
2825 +#undef CK_PKCS11_FUNCTION_INFO
2826 +
2827 +
2828 +/* ==============================================================
2829 + * Define the typedef form of all the entry points. That is, for
2830 + * each Cryptoki function C_XXX, define a type CK_C_XXX which is
2831 + * a pointer to that kind of function.
2832 + * ==============================================================
2833 + */
2834 +
2835 +#define CK_NEED_ARG_LIST 1
2836 +#define CK_PKCS11_FUNCTION_INFO(name) \
2837 + typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
2838 +
2839 +/* pkcs11f.h has all the information about the Cryptoki
2840 + * function prototypes. */
2841 +#include "pkcs11f.h"
2842 +
2843 +#undef CK_NEED_ARG_LIST
2844 +#undef CK_PKCS11_FUNCTION_INFO
2845 +
2846 +
2847 +/* ==============================================================
2848 + * Define structed vector of entry points. A CK_FUNCTION_LIST
2849 + * contains a CK_VERSION indicating a library's Cryptoki version
2850 + * and then a whole slew of function pointers to the routines in
2851 + * the library. This type was declared, but not defined, in
2852 + * pkcs11t.h.
2853 + * ==============================================================
2854 + */
2855 +
2856 +#define CK_PKCS11_FUNCTION_INFO(name) \
2857 + __PASTE(CK_,name) name;
2858 +
2859 +struct CK_FUNCTION_LIST {
2860 +
2861 + CK_VERSION version; /* Cryptoki version */
2862 +
2863 +/* Pile all the function pointers into the CK_FUNCTION_LIST. */
2864 +/* pkcs11f.h has all the information about the Cryptoki
2865 + * function prototypes. */
2866 +#include "pkcs11f.h"
2867 +
2868 +};
2869 +
2870 +#undef CK_PKCS11_FUNCTION_INFO
2871 +
2872 +
2873 +#undef __PASTE
2874 +
2875 +#ifdef __cplusplus
2876 +}
2877 +#endif
2878 +
2879 +#endif
2880 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11t.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h
2881 --- openssh-4.4p1/pkcs11-headers/pkcs11t.h 1970-01-01 02:00:00.000000000 +0200
2882 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h 2006-09-28 08:05:35.000000000 +0300
2883 @@ -0,0 +1,1685 @@
2884 +/* pkcs11t.h include file for PKCS #11. */
2885 +/* $Revision: 1.6 $ */
2886 +
2887 +/* License to copy and use this software is granted provided that it is
2888 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
2889 + * (Cryptoki)" in all material mentioning or referencing this software.
2890 +
2891 + * License is also granted to make and use derivative works provided that
2892 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
2893 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
2894 + * referencing the derived work.
2895 +
2896 + * RSA Security Inc. makes no representations concerning either the
2897 + * merchantability of this software or the suitability of this software for
2898 + * any particular purpose. It is provided "as is" without express or implied
2899 + * warranty of any kind.
2900 + */
2901 +
2902 +/* See top of pkcs11.h for information about the macros that
2903 + * must be defined and the structure-packing conventions that
2904 + * must be set before including this file. */
2905 +
2906 +#ifndef _PKCS11T_H_
2907 +#define _PKCS11T_H_ 1
2908 +
2909 +#define CK_TRUE 1
2910 +#define CK_FALSE 0
2911 +
2912 +#ifndef CK_DISABLE_TRUE_FALSE
2913 +#ifndef FALSE
2914 +#define FALSE CK_FALSE
2915 +#endif
2916 +
2917 +#ifndef TRUE
2918 +#define TRUE CK_TRUE
2919 +#endif
2920 +#endif
2921 +
2922 +/* an unsigned 8-bit value */
2923 +typedef unsigned char CK_BYTE;
2924 +
2925 +/* an unsigned 8-bit character */
2926 +typedef CK_BYTE CK_CHAR;
2927 +
2928 +/* an 8-bit UTF-8 character */
2929 +typedef CK_BYTE CK_UTF8CHAR;
2930 +
2931 +/* a BYTE-sized Boolean flag */
2932 +typedef CK_BYTE CK_BBOOL;
2933 +
2934 +/* an unsigned value, at least 32 bits long */
2935 +typedef unsigned long int CK_ULONG;
2936 +
2937 +/* a signed value, the same size as a CK_ULONG */
2938 +/* CK_LONG is new for v2.0 */
2939 +typedef long int CK_LONG;
2940 +
2941 +/* at least 32 bits; each bit is a Boolean flag */
2942 +typedef CK_ULONG CK_FLAGS;
2943 +
2944 +
2945 +/* some special values for certain CK_ULONG variables */
2946 +#define CK_UNAVAILABLE_INFORMATION (~0UL)
2947 +#define CK_EFFECTIVELY_INFINITE 0
2948 +
2949 +
2950 +typedef CK_BYTE CK_PTR CK_BYTE_PTR;
2951 +typedef CK_CHAR CK_PTR CK_CHAR_PTR;
2952 +typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
2953 +typedef CK_ULONG CK_PTR CK_ULONG_PTR;
2954 +typedef void CK_PTR CK_VOID_PTR;
2955 +
2956 +/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
2957 +typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
2958 +
2959 +
2960 +/* The following value is always invalid if used as a session */
2961 +/* handle or object handle */
2962 +#define CK_INVALID_HANDLE 0
2963 +
2964 +
2965 +typedef struct CK_VERSION {
2966 + CK_BYTE major; /* integer portion of version number */
2967 + CK_BYTE minor; /* 1/100ths portion of version number */
2968 +} CK_VERSION;
2969 +
2970 +typedef CK_VERSION CK_PTR CK_VERSION_PTR;
2971 +
2972 +
2973 +typedef struct CK_INFO {
2974 + /* manufacturerID and libraryDecription have been changed from
2975 + * CK_CHAR to CK_UTF8CHAR for v2.10 */
2976 + CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
2977 + CK_UTF8CHAR manufacturerID[32]; /* blank padded */
2978 + CK_FLAGS flags; /* must be zero */
2979 +
2980 + /* libraryDescription and libraryVersion are new for v2.0 */
2981 + CK_UTF8CHAR libraryDescription[32]; /* blank padded */
2982 + CK_VERSION libraryVersion; /* version of library */
2983 +} CK_INFO;
2984 +
2985 +typedef CK_INFO CK_PTR CK_INFO_PTR;
2986 +
2987 +
2988 +/* CK_NOTIFICATION enumerates the types of notifications that
2989 + * Cryptoki provides to an application */
2990 +/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
2991 + * for v2.0 */
2992 +typedef CK_ULONG CK_NOTIFICATION;
2993 +#define CKN_SURRENDER 0
2994 +
2995 +
2996 +typedef CK_ULONG CK_SLOT_ID;
2997 +
2998 +typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
2999 +
3000 +
3001 +/* CK_SLOT_INFO provides information about a slot */
3002 +typedef struct CK_SLOT_INFO {
3003 + /* slotDescription and manufacturerID have been changed from
3004 + * CK_CHAR to CK_UTF8CHAR for v2.10 */
3005 + CK_UTF8CHAR slotDescription[64]; /* blank padded */
3006 + CK_UTF8CHAR manufacturerID[32]; /* blank padded */
3007 + CK_FLAGS flags;
3008 +
3009 + /* hardwareVersion and firmwareVersion are new for v2.0 */
3010 + CK_VERSION hardwareVersion; /* version of hardware */
3011 + CK_VERSION firmwareVersion; /* version of firmware */
3012 +} CK_SLOT_INFO;
3013 +
3014 +/* flags: bit flags that provide capabilities of the slot
3015 + * Bit Flag Mask Meaning
3016 + */
3017 +#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
3018 +#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
3019 +#define CKF_HW_SLOT 0x00000004 /* hardware slot */
3020 +
3021 +typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
3022 +
3023 +
3024 +/* CK_TOKEN_INFO provides information about a token */
3025 +typedef struct CK_TOKEN_INFO {
3026 + /* label, manufacturerID, and model have been changed from
3027 + * CK_CHAR to CK_UTF8CHAR for v2.10 */
3028 + CK_UTF8CHAR label[32]; /* blank padded */
3029 + CK_UTF8CHAR manufacturerID[32]; /* blank padded */
3030 + CK_UTF8CHAR model[16]; /* blank padded */
3031 + CK_CHAR serialNumber[16]; /* blank padded */
3032 + CK_FLAGS flags; /* see below */
3033 +
3034 + /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
3035 + * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
3036 + * changed from CK_USHORT to CK_ULONG for v2.0 */
3037 + CK_ULONG ulMaxSessionCount; /* max open sessions */
3038 + CK_ULONG ulSessionCount; /* sess. now open */
3039 + CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
3040 + CK_ULONG ulRwSessionCount; /* R/W sess. now open */
3041 + CK_ULONG ulMaxPinLen; /* in bytes */
3042 + CK_ULONG ulMinPinLen; /* in bytes */
3043 + CK_ULONG ulTotalPublicMemory; /* in bytes */
3044 + CK_ULONG ulFreePublicMemory; /* in bytes */
3045 + CK_ULONG ulTotalPrivateMemory; /* in bytes */
3046 + CK_ULONG ulFreePrivateMemory; /* in bytes */
3047 +
3048 + /* hardwareVersion, firmwareVersion, and time are new for
3049 + * v2.0 */
3050 + CK_VERSION hardwareVersion; /* version of hardware */
3051 + CK_VERSION firmwareVersion; /* version of firmware */
3052 + CK_CHAR utcTime[16]; /* time */
3053 +} CK_TOKEN_INFO;
3054 +
3055 +/* The flags parameter is defined as follows:
3056 + * Bit Flag Mask Meaning
3057 + */
3058 +#define CKF_RNG 0x00000001 /* has random #
3059 + * generator */
3060 +#define CKF_WRITE_PROTECTED 0x00000002 /* token is
3061 + * write-
3062 + * protected */
3063 +#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
3064 + * login */
3065 +#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
3066 + * PIN is set */
3067 +
3068 +/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
3069 + * that means that *every* time the state of cryptographic
3070 + * operations of a session is successfully saved, all keys
3071 + * needed to continue those operations are stored in the state */
3072 +#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
3073 +
3074 +/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
3075 + * that the token has some sort of clock. The time on that
3076 + * clock is returned in the token info structure */
3077 +#define CKF_CLOCK_ON_TOKEN 0x00000040
3078 +
3079 +/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
3080 + * set, that means that there is some way for the user to login
3081 + * without sending a PIN through the Cryptoki library itself */
3082 +#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
3083 +
3084 +/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
3085 + * that means that a single session with the token can perform
3086 + * dual simultaneous cryptographic operations (digest and
3087 + * encrypt; decrypt and digest; sign and encrypt; and decrypt
3088 + * and sign) */
3089 +#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
3090 +
3091 +/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
3092 + * token has been initialized using C_InitializeToken or an
3093 + * equivalent mechanism outside the scope of PKCS #11.
3094 + * Calling C_InitializeToken when this flag is set will cause
3095 + * the token to be reinitialized. */
3096 +#define CKF_TOKEN_INITIALIZED 0x00000400
3097 +
3098 +/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
3099 + * true, the token supports secondary authentication for
3100 + * private key objects. This flag is deprecated in v2.11 and
3101 + onwards. */
3102 +#define CKF_SECONDARY_AUTHENTICATION 0x00000800
3103 +
3104 +/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
3105 + * incorrect user login PIN has been entered at least once
3106 + * since the last successful authentication. */
3107 +#define CKF_USER_PIN_COUNT_LOW 0x00010000
3108 +
3109 +/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
3110 + * supplying an incorrect user PIN will it to become locked. */
3111 +#define CKF_USER_PIN_FINAL_TRY 0x00020000
3112 +
3113 +/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
3114 + * user PIN has been locked. User login to the token is not
3115 + * possible. */
3116 +#define CKF_USER_PIN_LOCKED 0x00040000
3117 +
3118 +/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
3119 + * the user PIN value is the default value set by token
3120 + * initialization or manufacturing, or the PIN has been
3121 + * expired by the card. */
3122 +#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
3123 +
3124 +/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
3125 + * incorrect SO login PIN has been entered at least once since
3126 + * the last successful authentication. */
3127 +#define CKF_SO_PIN_COUNT_LOW 0x00100000
3128 +
3129 +/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
3130 + * supplying an incorrect SO PIN will it to become locked. */
3131 +#define CKF_SO_PIN_FINAL_TRY 0x00200000
3132 +
3133 +/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
3134 + * PIN has been locked. SO login to the token is not possible.
3135 + */
3136 +#define CKF_SO_PIN_LOCKED 0x00400000
3137 +
3138 +/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
3139 + * the SO PIN value is the default value set by token
3140 + * initialization or manufacturing, or the PIN has been
3141 + * expired by the card. */
3142 +#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
3143 +
3144 +typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
3145 +
3146 +
3147 +/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
3148 + * identifies a session */
3149 +typedef CK_ULONG CK_SESSION_HANDLE;
3150 +
3151 +typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
3152 +
3153 +
3154 +/* CK_USER_TYPE enumerates the types of Cryptoki users */
3155 +/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
3156 + * v2.0 */
3157 +typedef CK_ULONG CK_USER_TYPE;
3158 +/* Security Officer */
3159 +#define CKU_SO 0
3160 +/* Normal user */
3161 +#define CKU_USER 1
3162 +/* Context specific (added in v2.20) */
3163 +#define CKU_CONTEXT_SPECIFIC 2
3164 +
3165 +/* CK_STATE enumerates the session states */
3166 +/* CK_STATE has been changed from an enum to a CK_ULONG for
3167 + * v2.0 */
3168 +typedef CK_ULONG CK_STATE;
3169 +#define CKS_RO_PUBLIC_SESSION 0
3170 +#define CKS_RO_USER_FUNCTIONS 1
3171 +#define CKS_RW_PUBLIC_SESSION 2
3172 +#define CKS_RW_USER_FUNCTIONS 3
3173 +#define CKS_RW_SO_FUNCTIONS 4
3174 +
3175 +
3176 +/* CK_SESSION_INFO provides information about a session */
3177 +typedef struct CK_SESSION_INFO {
3178 + CK_SLOT_ID slotID;
3179 + CK_STATE state;
3180 + CK_FLAGS flags; /* see below */
3181 +
3182 + /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
3183 + * v2.0 */
3184 + CK_ULONG ulDeviceError; /* device-dependent error code */
3185 +} CK_SESSION_INFO;
3186 +
3187 +/* The flags are defined in the following table:
3188 + * Bit Flag Mask Meaning
3189 + */
3190 +#define CKF_RW_SESSION 0x00000002 /* session is r/w */
3191 +#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
3192 +
3193 +typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
3194 +
3195 +
3196 +/* CK_OBJECT_HANDLE is a token-specific identifier for an
3197 + * object */
3198 +typedef CK_ULONG CK_OBJECT_HANDLE;
3199 +
3200 +typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
3201 +
3202 +
3203 +/* CK_OBJECT_CLASS is a value that identifies the classes (or
3204 + * types) of objects that Cryptoki recognizes. It is defined
3205 + * as follows: */
3206 +/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
3207 + * v2.0 */
3208 +typedef CK_ULONG CK_OBJECT_CLASS;
3209 +
3210 +/* The following classes of objects are defined: */
3211 +/* CKO_HW_FEATURE is new for v2.10 */
3212 +/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
3213 +/* CKO_MECHANISM is new for v2.20 */
3214 +#define CKO_DATA 0x00000000
3215 +#define CKO_CERTIFICATE 0x00000001
3216 +#define CKO_PUBLIC_KEY 0x00000002
3217 +#define CKO_PRIVATE_KEY 0x00000003
3218 +#define CKO_SECRET_KEY 0x00000004
3219 +#define CKO_HW_FEATURE 0x00000005
3220 +#define CKO_DOMAIN_PARAMETERS 0x00000006
3221 +#define CKO_MECHANISM 0x00000007
3222 +#define CKO_VENDOR_DEFINED 0x80000000
3223 +
3224 +typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
3225 +
3226 +/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
3227 + * value that identifies the hardware feature type of an object
3228 + * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
3229 +typedef CK_ULONG CK_HW_FEATURE_TYPE;
3230 +
3231 +/* The following hardware feature types are defined */
3232 +/* CKH_USER_INTERFACE is new for v2.20 */
3233 +#define CKH_MONOTONIC_COUNTER 0x00000001
3234 +#define CKH_CLOCK 0x00000002
3235 +#define CKH_USER_INTERFACE 0x00000003
3236 +#define CKH_VENDOR_DEFINED 0x80000000
3237 +
3238 +/* CK_KEY_TYPE is a value that identifies a key type */
3239 +/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
3240 +typedef CK_ULONG CK_KEY_TYPE;
3241 +
3242 +/* the following key types are defined: */
3243 +#define CKK_RSA 0x00000000
3244 +#define CKK_DSA 0x00000001
3245 +#define CKK_DH 0x00000002
3246 +
3247 +/* CKK_ECDSA and CKK_KEA are new for v2.0 */
3248 +/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
3249 +#define CKK_ECDSA 0x00000003
3250 +#define CKK_EC 0x00000003
3251 +#define CKK_X9_42_DH 0x00000004
3252 +#define CKK_KEA 0x00000005
3253 +
3254 +#define CKK_GENERIC_SECRET 0x00000010
3255 +#define CKK_RC2 0x00000011
3256 +#define CKK_RC4 0x00000012
3257 +#define CKK_DES 0x00000013
3258 +#define CKK_DES2 0x00000014
3259 +#define CKK_DES3 0x00000015
3260 +
3261 +/* all these key types are new for v2.0 */
3262 +#define CKK_CAST 0x00000016
3263 +#define CKK_CAST3 0x00000017
3264 +/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
3265 +#define CKK_CAST5 0x00000018
3266 +#define CKK_CAST128 0x00000018
3267 +#define CKK_RC5 0x00000019
3268 +#define CKK_IDEA 0x0000001A
3269 +#define CKK_SKIPJACK 0x0000001B
3270 +#define CKK_BATON 0x0000001C
3271 +#define CKK_JUNIPER 0x0000001D
3272 +#define CKK_CDMF 0x0000001E
3273 +#define CKK_AES 0x0000001F
3274 +
3275 +/* BlowFish and TwoFish are new for v2.20 */
3276 +#define CKK_BLOWFISH 0x00000020
3277 +#define CKK_TWOFISH 0x00000021
3278 +
3279 +#define CKK_VENDOR_DEFINED 0x80000000
3280 +
3281 +
3282 +/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
3283 + * type */
3284 +/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
3285 + * for v2.0 */
3286 +typedef CK_ULONG CK_CERTIFICATE_TYPE;
3287 +
3288 +/* The following certificate types are defined: */
3289 +/* CKC_X_509_ATTR_CERT is new for v2.10 */
3290 +/* CKC_WTLS is new for v2.20 */
3291 +#define CKC_X_509 0x00000000
3292 +#define CKC_X_509_ATTR_CERT 0x00000001
3293 +#define CKC_WTLS 0x00000002
3294 +#define CKC_VENDOR_DEFINED 0x80000000
3295 +
3296 +
3297 +/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
3298 + * type */
3299 +/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
3300 + * v2.0 */
3301 +typedef CK_ULONG CK_ATTRIBUTE_TYPE;
3302 +
3303 +/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
3304 + consists of an array of values. */
3305 +#define CKF_ARRAY_ATTRIBUTE 0x40000000
3306 +
3307 +/* The following attribute types are defined: */
3308 +#define CKA_CLASS 0x00000000
3309 +#define CKA_TOKEN 0x00000001
3310 +#define CKA_PRIVATE 0x00000002
3311 +#define CKA_LABEL 0x00000003
3312 +#define CKA_APPLICATION 0x00000010
3313 +#define CKA_VALUE 0x00000011
3314 +
3315 +/* CKA_OBJECT_ID is new for v2.10 */
3316 +#define CKA_OBJECT_ID 0x00000012
3317 +
3318 +#define CKA_CERTIFICATE_TYPE 0x00000080
3319 +#define CKA_ISSUER 0x00000081
3320 +#define CKA_SERIAL_NUMBER 0x00000082
3321 +
3322 +/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
3323 + * for v2.10 */
3324 +#define CKA_AC_ISSUER 0x00000083
3325 +#define CKA_OWNER 0x00000084
3326 +#define CKA_ATTR_TYPES 0x00000085
3327 +
3328 +/* CKA_TRUSTED is new for v2.11 */
3329 +#define CKA_TRUSTED 0x00000086
3330 +
3331 +/* CKA_CERTIFICATE_CATEGORY ...
3332 + * CKA_CHECK_VALUE are new for v2.20 */
3333 +#define CKA_CERTIFICATE_CATEGORY 0x00000087
3334 +#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
3335 +#define CKA_URL 0x00000089
3336 +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
3337 +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
3338 +#define CKA_CHECK_VALUE 0x00000090
3339 +
3340 +#define CKA_KEY_TYPE 0x00000100
3341 +#define CKA_SUBJECT 0x00000101
3342 +#define CKA_ID 0x00000102
3343 +#define CKA_SENSITIVE 0x00000103
3344 +#define CKA_ENCRYPT 0x00000104
3345 +#define CKA_DECRYPT 0x00000105
3346 +#define CKA_WRAP 0x00000106
3347 +#define CKA_UNWRAP 0x00000107
3348 +#define CKA_SIGN 0x00000108
3349 +#define CKA_SIGN_RECOVER 0x00000109
3350 +#define CKA_VERIFY 0x0000010A
3351 +#define CKA_VERIFY_RECOVER 0x0000010B
3352 +#define CKA_DERIVE 0x0000010C
3353 +#define CKA_START_DATE 0x00000110
3354 +#define CKA_END_DATE 0x00000111
3355 +#define CKA_MODULUS 0x00000120
3356 +#define CKA_MODULUS_BITS 0x00000121
3357 +#define CKA_PUBLIC_EXPONENT 0x00000122
3358 +#define CKA_PRIVATE_EXPONENT 0x00000123
3359 +#define CKA_PRIME_1 0x00000124
3360 +#define CKA_PRIME_2 0x00000125
3361 +#define CKA_EXPONENT_1 0x00000126
3362 +#define CKA_EXPONENT_2 0x00000127
3363 +#define CKA_COEFFICIENT 0x00000128
3364 +#define CKA_PRIME 0x00000130
3365 +#define CKA_SUBPRIME 0x00000131
3366 +#define CKA_BASE 0x00000132
3367 +
3368 +/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
3369 +#define CKA_PRIME_BITS 0x00000133
3370 +#define CKA_SUBPRIME_BITS 0x00000134
3371 +#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
3372 +/* (To retain backwards-compatibility) */
3373 +
3374 +#define CKA_VALUE_BITS 0x00000160
3375 +#define CKA_VALUE_LEN 0x00000161
3376 +
3377 +/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
3378 + * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
3379 + * and CKA_EC_POINT are new for v2.0 */
3380 +#define CKA_EXTRACTABLE 0x00000162
3381 +#define CKA_LOCAL 0x00000163
3382 +#define CKA_NEVER_EXTRACTABLE 0x00000164
3383 +#define CKA_ALWAYS_SENSITIVE 0x00000165
3384 +
3385 +/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
3386 +#define CKA_KEY_GEN_MECHANISM 0x00000166
3387 +
3388 +#define CKA_MODIFIABLE 0x00000170
3389 +
3390 +/* CKA_ECDSA_PARAMS is deprecated in v2.11,
3391 + * CKA_EC_PARAMS is preferred. */
3392 +#define CKA_ECDSA_PARAMS 0x00000180
3393 +#define CKA_EC_PARAMS 0x00000180
3394 +
3395 +#define CKA_EC_POINT 0x00000181
3396 +
3397 +/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
3398 + * are new for v2.10. Deprecated in v2.11 and onwards. */
3399 +#define CKA_SECONDARY_AUTH 0x00000200
3400 +#define CKA_AUTH_PIN_FLAGS 0x00000201
3401 +
3402 +/* CKA_ALWAYS_AUTHENTICATE ...
3403 + * CKA_UNWRAP_TEMPLATE are new for v2.20 */
3404 +#define CKA_ALWAYS_AUTHENTICATE 0x00000202
3405 +
3406 +#define CKA_WRAP_WITH_TRUSTED 0x00000210
3407 +#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
3408 +#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
3409 +
3410 +/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
3411 + * are new for v2.10 */
3412 +#define CKA_HW_FEATURE_TYPE 0x00000300
3413 +#define CKA_RESET_ON_INIT 0x00000301
3414 +#define CKA_HAS_RESET 0x00000302
3415 +
3416 +/* The following attributes are new for v2.20 */
3417 +#define CKA_PIXEL_X 0x00000400
3418 +#define CKA_PIXEL_Y 0x00000401
3419 +#define CKA_RESOLUTION 0x00000402
3420 +#define CKA_CHAR_ROWS 0x00000403
3421 +#define CKA_CHAR_COLUMNS 0x00000404
3422 +#define CKA_COLOR 0x00000405
3423 +#define CKA_BITS_PER_PIXEL 0x00000406
3424 +#define CKA_CHAR_SETS 0x00000480
3425 +#define CKA_ENCODING_METHODS 0x00000481
3426 +#define CKA_MIME_TYPES 0x00000482
3427 +#define CKA_MECHANISM_TYPE 0x00000500
3428 +#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
3429 +#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
3430 +#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
3431 +#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
3432 +
3433 +#define CKA_VENDOR_DEFINED 0x80000000
3434 +
3435 +
3436 +/* CK_ATTRIBUTE is a structure that includes the type, length
3437 + * and value of an attribute */
3438 +typedef struct CK_ATTRIBUTE {
3439 + CK_ATTRIBUTE_TYPE type;
3440 + CK_VOID_PTR pValue;
3441 +
3442 + /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
3443 + CK_ULONG ulValueLen; /* in bytes */
3444 +} CK_ATTRIBUTE;
3445 +
3446 +typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
3447 +
3448 +
3449 +/* CK_DATE is a structure that defines a date */
3450 +typedef struct CK_DATE{
3451 + CK_CHAR year[4]; /* the year ("1900" - "9999") */
3452 + CK_CHAR month[2]; /* the month ("01" - "12") */
3453 + CK_CHAR day[2]; /* the day ("01" - "31") */
3454 +} CK_DATE;
3455 +
3456 +
3457 +/* CK_MECHANISM_TYPE is a value that identifies a mechanism
3458 + * type */
3459 +/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
3460 + * v2.0 */
3461 +typedef CK_ULONG CK_MECHANISM_TYPE;
3462 +
3463 +/* the following mechanism types are defined: */
3464 +#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
3465 +#define CKM_RSA_PKCS 0x00000001
3466 +#define CKM_RSA_9796 0x00000002
3467 +#define CKM_RSA_X_509 0x00000003
3468 +
3469 +/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
3470 + * are new for v2.0. They are mechanisms which hash and sign */
3471 +#define CKM_MD2_RSA_PKCS 0x00000004
3472 +#define CKM_MD5_RSA_PKCS 0x00000005
3473 +#define CKM_SHA1_RSA_PKCS 0x00000006
3474 +
3475 +/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
3476 + * CKM_RSA_PKCS_OAEP are new for v2.10 */
3477 +#define CKM_RIPEMD128_RSA_PKCS 0x00000007
3478 +#define CKM_RIPEMD160_RSA_PKCS 0x00000008
3479 +#define CKM_RSA_PKCS_OAEP 0x00000009
3480 +
3481 +/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
3482 + * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
3483 +#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
3484 +#define CKM_RSA_X9_31 0x0000000B
3485 +#define CKM_SHA1_RSA_X9_31 0x0000000C
3486 +#define CKM_RSA_PKCS_PSS 0x0000000D
3487 +#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
3488 +
3489 +#define CKM_DSA_KEY_PAIR_GEN 0x00000010
3490 +#define CKM_DSA 0x00000011
3491 +#define CKM_DSA_SHA1 0x00000012
3492 +#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
3493 +#define CKM_DH_PKCS_DERIVE 0x00000021
3494 +
3495 +/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
3496 + * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
3497 + * v2.11 */
3498 +#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
3499 +#define CKM_X9_42_DH_DERIVE 0x00000031
3500 +#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
3501 +#define CKM_X9_42_MQV_DERIVE 0x00000033
3502 +
3503 +/* CKM_SHA256/384/512 are new for v2.20 */
3504 +#define CKM_SHA256_RSA_PKCS 0x00000040
3505 +#define CKM_SHA384_RSA_PKCS 0x00000041
3506 +#define CKM_SHA512_RSA_PKCS 0x00000042
3507 +#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
3508 +#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
3509 +#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
3510 +
3511 +#define CKM_RC2_KEY_GEN 0x00000100
3512 +#define CKM_RC2_ECB 0x00000101
3513 +#define CKM_RC2_CBC 0x00000102
3514 +#define CKM_RC2_MAC 0x00000103
3515 +
3516 +/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
3517 +#define CKM_RC2_MAC_GENERAL 0x00000104
3518 +#define CKM_RC2_CBC_PAD 0x00000105
3519 +
3520 +#define CKM_RC4_KEY_GEN 0x00000110
3521 +#define CKM_RC4 0x00000111
3522 +#define CKM_DES_KEY_GEN 0x00000120
3523 +#define CKM_DES_ECB 0x00000121
3524 +#define CKM_DES_CBC 0x00000122
3525 +#define CKM_DES_MAC 0x00000123
3526 +
3527 +/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
3528 +#define CKM_DES_MAC_GENERAL 0x00000124
3529 +#define CKM_DES_CBC_PAD 0x00000125
3530 +
3531 +#define CKM_DES2_KEY_GEN 0x00000130
3532 +#define CKM_DES3_KEY_GEN 0x00000131
3533 +#define CKM_DES3_ECB 0x00000132
3534 +#define CKM_DES3_CBC 0x00000133
3535 +#define CKM_DES3_MAC 0x00000134
3536 +
3537 +/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
3538 + * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
3539 + * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
3540 +#define CKM_DES3_MAC_GENERAL 0x00000135
3541 +#define CKM_DES3_CBC_PAD 0x00000136
3542 +#define CKM_CDMF_KEY_GEN 0x00000140
3543 +#define CKM_CDMF_ECB 0x00000141
3544 +#define CKM_CDMF_CBC 0x00000142
3545 +#define CKM_CDMF_MAC 0x00000143
3546 +#define CKM_CDMF_MAC_GENERAL 0x00000144
3547 +#define CKM_CDMF_CBC_PAD 0x00000145
3548 +
3549 +/* the following four DES mechanisms are new for v2.20 */
3550 +#define CKM_DES_OFB64 0x00000150
3551 +#define CKM_DES_OFB8 0x00000151
3552 +#define CKM_DES_CFB64 0x00000152
3553 +#define CKM_DES_CFB8 0x00000153
3554 +
3555 +#define CKM_MD2 0x00000200
3556 +
3557 +/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
3558 +#define CKM_MD2_HMAC 0x00000201
3559 +#define CKM_MD2_HMAC_GENERAL 0x00000202
3560 +
3561 +#define CKM_MD5 0x00000210
3562 +
3563 +/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
3564 +#define CKM_MD5_HMAC 0x00000211
3565 +#define CKM_MD5_HMAC_GENERAL 0x00000212
3566 +
3567 +#define CKM_SHA_1 0x00000220
3568 +
3569 +/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
3570 +#define CKM_SHA_1_HMAC 0x00000221
3571 +#define CKM_SHA_1_HMAC_GENERAL 0x00000222
3572 +
3573 +/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
3574 + * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
3575 + * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
3576 +#define CKM_RIPEMD128 0x00000230
3577 +#define CKM_RIPEMD128_HMAC 0x00000231
3578 +#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
3579 +#define CKM_RIPEMD160 0x00000240
3580 +#define CKM_RIPEMD160_HMAC 0x00000241
3581 +#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
3582 +
3583 +/* CKM_SHA256/384/512 are new for v2.20 */
3584 +#define CKM_SHA256 0x00000250
3585 +#define CKM_SHA256_HMAC 0x00000251
3586 +#define CKM_SHA256_HMAC_GENERAL 0x00000252
3587 +#define CKM_SHA384 0x00000260
3588 +#define CKM_SHA384_HMAC 0x00000261
3589 +#define CKM_SHA384_HMAC_GENERAL 0x00000262
3590 +#define CKM_SHA512 0x00000270
3591 +#define CKM_SHA512_HMAC 0x00000271
3592 +#define CKM_SHA512_HMAC_GENERAL 0x00000272
3593 +
3594 +/* All of the following mechanisms are new for v2.0 */
3595 +/* Note that CAST128 and CAST5 are the same algorithm */
3596 +#define CKM_CAST_KEY_GEN 0x00000300
3597 +#define CKM_CAST_ECB 0x00000301
3598 +#define CKM_CAST_CBC 0x00000302
3599 +#define CKM_CAST_MAC 0x00000303
3600 +#define CKM_CAST_MAC_GENERAL 0x00000304
3601 +#define CKM_CAST_CBC_PAD 0x00000305
3602 +#define CKM_CAST3_KEY_GEN 0x00000310
3603 +#define CKM_CAST3_ECB 0x00000311
3604 +#define CKM_CAST3_CBC 0x00000312
3605 +#define CKM_CAST3_MAC 0x00000313
3606 +#define CKM_CAST3_MAC_GENERAL 0x00000314
3607 +#define CKM_CAST3_CBC_PAD 0x00000315
3608 +#define CKM_CAST5_KEY_GEN 0x00000320
3609 +#define CKM_CAST128_KEY_GEN 0x00000320
3610 +#define CKM_CAST5_ECB 0x00000321
3611 +#define CKM_CAST128_ECB 0x00000321
3612 +#define CKM_CAST5_CBC 0x00000322
3613 +#define CKM_CAST128_CBC 0x00000322
3614 +#define CKM_CAST5_MAC 0x00000323
3615 +#define CKM_CAST128_MAC 0x00000323
3616 +#define CKM_CAST5_MAC_GENERAL 0x00000324
3617 +#define CKM_CAST128_MAC_GENERAL 0x00000324
3618 +#define CKM_CAST5_CBC_PAD 0x00000325
3619 +#define CKM_CAST128_CBC_PAD 0x00000325
3620 +#define CKM_RC5_KEY_GEN 0x00000330
3621 +#define CKM_RC5_ECB 0x00000331
3622 +#define CKM_RC5_CBC 0x00000332
3623 +#define CKM_RC5_MAC 0x00000333
3624 +#define CKM_RC5_MAC_GENERAL 0x00000334
3625 +#define CKM_RC5_CBC_PAD 0x00000335
3626 +#define CKM_IDEA_KEY_GEN 0x00000340
3627 +#define CKM_IDEA_ECB 0x00000341
3628 +#define CKM_IDEA_CBC 0x00000342
3629 +#define CKM_IDEA_MAC 0x00000343
3630 +#define CKM_IDEA_MAC_GENERAL 0x00000344
3631 +#define CKM_IDEA_CBC_PAD 0x00000345
3632 +#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
3633 +#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
3634 +#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
3635 +#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
3636 +#define CKM_XOR_BASE_AND_DATA 0x00000364
3637 +#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
3638 +#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
3639 +#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
3640 +#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
3641 +
3642 +/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
3643 + * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
3644 + * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
3645 +#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
3646 +#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
3647 +#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
3648 +#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
3649 +#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
3650 +
3651 +/* CKM_TLS_PRF is new for v2.20 */
3652 +#define CKM_TLS_PRF 0x00000378
3653 +
3654 +#define CKM_SSL3_MD5_MAC 0x00000380
3655 +#define CKM_SSL3_SHA1_MAC 0x00000381
3656 +#define CKM_MD5_KEY_DERIVATION 0x00000390
3657 +#define CKM_MD2_KEY_DERIVATION 0x00000391
3658 +#define CKM_SHA1_KEY_DERIVATION 0x00000392
3659 +
3660 +/* CKM_SHA256/384/512 are new for v2.20 */
3661 +#define CKM_SHA256_KEY_DERIVATION 0x00000393
3662 +#define CKM_SHA384_KEY_DERIVATION 0x00000394
3663 +#define CKM_SHA512_KEY_DERIVATION 0x00000395
3664 +
3665 +#define CKM_PBE_MD2_DES_CBC 0x000003A0
3666 +#define CKM_PBE_MD5_DES_CBC 0x000003A1
3667 +#define CKM_PBE_MD5_CAST_CBC 0x000003A2
3668 +#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
3669 +#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
3670 +#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
3671 +#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
3672 +#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
3673 +#define CKM_PBE_SHA1_RC4_128 0x000003A6
3674 +#define CKM_PBE_SHA1_RC4_40 0x000003A7
3675 +#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
3676 +#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
3677 +#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
3678 +#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
3679 +
3680 +/* CKM_PKCS5_PBKD2 is new for v2.10 */
3681 +#define CKM_PKCS5_PBKD2 0x000003B0
3682 +
3683 +#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
3684 +
3685 +/* WTLS mechanisms are new for v2.20 */
3686 +#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
3687 +#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
3688 +#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
3689 +#define CKM_WTLS_PRF 0x000003D3
3690 +#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
3691 +#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
3692 +
3693 +#define CKM_KEY_WRAP_LYNKS 0x00000400
3694 +#define CKM_KEY_WRAP_SET_OAEP 0x00000401
3695 +
3696 +/* CKM_CMS_SIG is new for v2.20 */
3697 +#define CKM_CMS_SIG 0x00000500
3698 +
3699 +/* Fortezza mechanisms */
3700 +#define CKM_SKIPJACK_KEY_GEN 0x00001000
3701 +#define CKM_SKIPJACK_ECB64 0x00001001
3702 +#define CKM_SKIPJACK_CBC64 0x00001002
3703 +#define CKM_SKIPJACK_OFB64 0x00001003
3704 +#define CKM_SKIPJACK_CFB64 0x00001004
3705 +#define CKM_SKIPJACK_CFB32 0x00001005
3706 +#define CKM_SKIPJACK_CFB16 0x00001006
3707 +#define CKM_SKIPJACK_CFB8 0x00001007
3708 +#define CKM_SKIPJACK_WRAP 0x00001008
3709 +#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
3710 +#define CKM_SKIPJACK_RELAYX 0x0000100a
3711 +#define CKM_KEA_KEY_PAIR_GEN 0x00001010
3712 +#define CKM_KEA_KEY_DERIVE 0x00001011
3713 +#define CKM_FORTEZZA_TIMESTAMP 0x00001020
3714 +#define CKM_BATON_KEY_GEN 0x00001030
3715 +#define CKM_BATON_ECB128 0x00001031
3716 +#define CKM_BATON_ECB96 0x00001032
3717 +#define CKM_BATON_CBC128 0x00001033
3718 +#define CKM_BATON_COUNTER 0x00001034
3719 +#define CKM_BATON_SHUFFLE 0x00001035
3720 +#define CKM_BATON_WRAP 0x00001036
3721 +
3722 +/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
3723 + * CKM_EC_KEY_PAIR_GEN is preferred */
3724 +#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
3725 +#define CKM_EC_KEY_PAIR_GEN 0x00001040
3726 +
3727 +#define CKM_ECDSA 0x00001041
3728 +#define CKM_ECDSA_SHA1 0x00001042
3729 +
3730 +/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
3731 + * are new for v2.11 */
3732 +#define CKM_ECDH1_DERIVE 0x00001050
3733 +#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
3734 +#define CKM_ECMQV_DERIVE 0x00001052
3735 +
3736 +#define CKM_JUNIPER_KEY_GEN 0x00001060
3737 +#define CKM_JUNIPER_ECB128 0x00001061
3738 +#define CKM_JUNIPER_CBC128 0x00001062
3739 +#define CKM_JUNIPER_COUNTER 0x00001063
3740 +#define CKM_JUNIPER_SHUFFLE 0x00001064
3741 +#define CKM_JUNIPER_WRAP 0x00001065
3742 +#define CKM_FASTHASH 0x00001070
3743 +
3744 +/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
3745 + * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
3746 + * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
3747 + * new for v2.11 */
3748 +#define CKM_AES_KEY_GEN 0x00001080
3749 +#define CKM_AES_ECB 0x00001081
3750 +#define CKM_AES_CBC 0x00001082
3751 +#define CKM_AES_MAC 0x00001083
3752 +#define CKM_AES_MAC_GENERAL 0x00001084
3753 +#define CKM_AES_CBC_PAD 0x00001085
3754 +
3755 +/* BlowFish and TwoFish are new for v2.20 */
3756 +#define CKM_BLOWFISH_KEY_GEN 0x00001090
3757 +#define CKM_BLOWFISH_CBC 0x00001091
3758 +#define CKM_TWOFISH_KEY_GEN 0x00001092
3759 +#define CKM_TWOFISH_CBC 0x00001093
3760 +
3761 +
3762 +/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
3763 +#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
3764 +#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
3765 +#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
3766 +#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
3767 +#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
3768 +#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
3769 +
3770 +#define CKM_DSA_PARAMETER_GEN 0x00002000
3771 +#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
3772 +#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
3773 +
3774 +#define CKM_VENDOR_DEFINED 0x80000000
3775 +
3776 +typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
3777 +
3778 +
3779 +/* CK_MECHANISM is a structure that specifies a particular
3780 + * mechanism */
3781 +typedef struct CK_MECHANISM {
3782 + CK_MECHANISM_TYPE mechanism;
3783 + CK_VOID_PTR pParameter;
3784 +
3785 + /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
3786 + * v2.0 */
3787 + CK_ULONG ulParameterLen; /* in bytes */
3788 +} CK_MECHANISM;
3789 +
3790 +typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
3791 +
3792 +
3793 +/* CK_MECHANISM_INFO provides information about a particular
3794 + * mechanism */
3795 +typedef struct CK_MECHANISM_INFO {
3796 + CK_ULONG ulMinKeySize;
3797 + CK_ULONG ulMaxKeySize;
3798 + CK_FLAGS flags;
3799 +} CK_MECHANISM_INFO;
3800 +
3801 +/* The flags are defined as follows:
3802 + * Bit Flag Mask Meaning */
3803 +#define CKF_HW 0x00000001 /* performed by HW */
3804 +
3805 +/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
3806 + * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
3807 + * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
3808 + * and CKF_DERIVE are new for v2.0. They specify whether or not
3809 + * a mechanism can be used for a particular task */
3810 +#define CKF_ENCRYPT 0x00000100
3811 +#define CKF_DECRYPT 0x00000200
3812 +#define CKF_DIGEST 0x00000400
3813 +#define CKF_SIGN 0x00000800
3814 +#define CKF_SIGN_RECOVER 0x00001000
3815 +#define CKF_VERIFY 0x00002000
3816 +#define CKF_VERIFY_RECOVER 0x00004000
3817 +#define CKF_GENERATE 0x00008000
3818 +#define CKF_GENERATE_KEY_PAIR 0x00010000
3819 +#define CKF_WRAP 0x00020000
3820 +#define CKF_UNWRAP 0x00040000
3821 +#define CKF_DERIVE 0x00080000
3822 +
3823 +/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
3824 + * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
3825 + * describe a token's EC capabilities not available in mechanism
3826 + * information. */
3827 +#define CKF_EC_F_P 0x00100000
3828 +#define CKF_EC_F_2M 0x00200000
3829 +#define CKF_EC_ECPARAMETERS 0x00400000
3830 +#define CKF_EC_NAMEDCURVE 0x00800000
3831 +#define CKF_EC_UNCOMPRESS 0x01000000
3832 +#define CKF_EC_COMPRESS 0x02000000
3833 +
3834 +#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
3835 +
3836 +typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
3837 +
3838 +
3839 +/* CK_RV is a value that identifies the return value of a
3840 + * Cryptoki function */
3841 +/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
3842 +typedef CK_ULONG CK_RV;
3843 +
3844 +#define CKR_OK 0x00000000
3845 +#define CKR_CANCEL 0x00000001
3846 +#define CKR_HOST_MEMORY 0x00000002
3847 +#define CKR_SLOT_ID_INVALID 0x00000003
3848 +
3849 +/* CKR_FLAGS_INVALID was removed for v2.0 */
3850 +
3851 +/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
3852 +#define CKR_GENERAL_ERROR 0x00000005
3853 +#define CKR_FUNCTION_FAILED 0x00000006
3854 +
3855 +/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
3856 + * and CKR_CANT_LOCK are new for v2.01 */
3857 +#define CKR_ARGUMENTS_BAD 0x00000007
3858 +#define CKR_NO_EVENT 0x00000008
3859 +#define CKR_NEED_TO_CREATE_THREADS 0x00000009
3860 +#define CKR_CANT_LOCK 0x0000000A
3861 +
3862 +#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
3863 +#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
3864 +#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
3865 +#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
3866 +#define CKR_DATA_INVALID 0x00000020
3867 +#define CKR_DATA_LEN_RANGE 0x00000021
3868 +#define CKR_DEVICE_ERROR 0x00000030
3869 +#define CKR_DEVICE_MEMORY 0x00000031
3870 +#define CKR_DEVICE_REMOVED 0x00000032
3871 +#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
3872 +#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
3873 +#define CKR_FUNCTION_CANCELED 0x00000050
3874 +#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
3875 +
3876 +/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
3877 +#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
3878 +
3879 +#define CKR_KEY_HANDLE_INVALID 0x00000060
3880 +
3881 +/* CKR_KEY_SENSITIVE was removed for v2.0 */
3882 +
3883 +#define CKR_KEY_SIZE_RANGE 0x00000062
3884 +#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
3885 +
3886 +/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
3887 + * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
3888 + * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
3889 + * v2.0 */
3890 +#define CKR_KEY_NOT_NEEDED 0x00000064
3891 +#define CKR_KEY_CHANGED 0x00000065
3892 +#define CKR_KEY_NEEDED 0x00000066
3893 +#define CKR_KEY_INDIGESTIBLE 0x00000067
3894 +#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
3895 +#define CKR_KEY_NOT_WRAPPABLE 0x00000069
3896 +#define CKR_KEY_UNEXTRACTABLE 0x0000006A
3897 +
3898 +#define CKR_MECHANISM_INVALID 0x00000070
3899 +#define CKR_MECHANISM_PARAM_INVALID 0x00000071
3900 +
3901 +/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
3902 + * were removed for v2.0 */
3903 +#define CKR_OBJECT_HANDLE_INVALID 0x00000082
3904 +#define CKR_OPERATION_ACTIVE 0x00000090
3905 +#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
3906 +#define CKR_PIN_INCORRECT 0x000000A0
3907 +#define CKR_PIN_INVALID 0x000000A1
3908 +#define CKR_PIN_LEN_RANGE 0x000000A2
3909 +
3910 +/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
3911 +#define CKR_PIN_EXPIRED 0x000000A3
3912 +#define CKR_PIN_LOCKED 0x000000A4
3913 +
3914 +#define CKR_SESSION_CLOSED 0x000000B0
3915 +#define CKR_SESSION_COUNT 0x000000B1
3916 +#define CKR_SESSION_HANDLE_INVALID 0x000000B3
3917 +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
3918 +#define CKR_SESSION_READ_ONLY 0x000000B5
3919 +#define CKR_SESSION_EXISTS 0x000000B6
3920 +
3921 +/* CKR_SESSION_READ_ONLY_EXISTS and
3922 + * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
3923 +#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
3924 +#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
3925 +
3926 +#define CKR_SIGNATURE_INVALID 0x000000C0
3927 +#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
3928 +#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
3929 +#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
3930 +#define CKR_TOKEN_NOT_PRESENT 0x000000E0
3931 +#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
3932 +#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
3933 +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
3934 +#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
3935 +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
3936 +#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
3937 +#define CKR_USER_NOT_LOGGED_IN 0x00000101
3938 +#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
3939 +#define CKR_USER_TYPE_INVALID 0x00000103
3940 +
3941 +/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
3942 + * are new to v2.01 */
3943 +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
3944 +#define CKR_USER_TOO_MANY_TYPES 0x00000105
3945 +
3946 +#define CKR_WRAPPED_KEY_INVALID 0x00000110
3947 +#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
3948 +#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
3949 +#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
3950 +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
3951 +#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
3952 +
3953 +/* These are new to v2.0 */
3954 +#define CKR_RANDOM_NO_RNG 0x00000121
3955 +
3956 +/* These are new to v2.11 */
3957 +#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
3958 +
3959 +/* These are new to v2.0 */
3960 +#define CKR_BUFFER_TOO_SMALL 0x00000150
3961 +#define CKR_SAVED_STATE_INVALID 0x00000160
3962 +#define CKR_INFORMATION_SENSITIVE 0x00000170
3963 +#define CKR_STATE_UNSAVEABLE 0x00000180
3964 +
3965 +/* These are new to v2.01 */
3966 +#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
3967 +#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
3968 +#define CKR_MUTEX_BAD 0x000001A0
3969 +#define CKR_MUTEX_NOT_LOCKED 0x000001A1
3970 +
3971 +/* This is new to v2.20 */
3972 +#define CKR_FUNCTION_REJECTED 0x00000200
3973 +
3974 +#define CKR_VENDOR_DEFINED 0x80000000
3975 +
3976 +
3977 +/* CK_NOTIFY is an application callback that processes events */
3978 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
3979 + CK_SESSION_HANDLE hSession, /* the session's handle */
3980 + CK_NOTIFICATION event,
3981 + CK_VOID_PTR pApplication /* passed to C_OpenSession */
3982 +);
3983 +
3984 +
3985 +/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
3986 + * version and pointers of appropriate types to all the
3987 + * Cryptoki functions */
3988 +/* CK_FUNCTION_LIST is new for v2.0 */
3989 +typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
3990 +
3991 +typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
3992 +
3993 +typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
3994 +
3995 +
3996 +/* CK_CREATEMUTEX is an application callback for creating a
3997 + * mutex object */
3998 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
3999 + CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
4000 +);
4001 +
4002 +
4003 +/* CK_DESTROYMUTEX is an application callback for destroying a
4004 + * mutex object */
4005 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
4006 + CK_VOID_PTR pMutex /* pointer to mutex */
4007 +);
4008 +
4009 +
4010 +/* CK_LOCKMUTEX is an application callback for locking a mutex */
4011 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
4012 + CK_VOID_PTR pMutex /* pointer to mutex */
4013 +);
4014 +
4015 +
4016 +/* CK_UNLOCKMUTEX is an application callback for unlocking a
4017 + * mutex */
4018 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
4019 + CK_VOID_PTR pMutex /* pointer to mutex */
4020 +);
4021 +
4022 +
4023 +/* CK_C_INITIALIZE_ARGS provides the optional arguments to
4024 + * C_Initialize */
4025 +typedef struct CK_C_INITIALIZE_ARGS {
4026 + CK_CREATEMUTEX CreateMutex;
4027 + CK_DESTROYMUTEX DestroyMutex;
4028 + CK_LOCKMUTEX LockMutex;
4029 + CK_UNLOCKMUTEX UnlockMutex;
4030 + CK_FLAGS flags;
4031 + CK_VOID_PTR pReserved;
4032 +} CK_C_INITIALIZE_ARGS;
4033 +
4034 +/* flags: bit flags that provide capabilities of the slot
4035 + * Bit Flag Mask Meaning
4036 + */
4037 +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
4038 +#define CKF_OS_LOCKING_OK 0x00000002
4039 +
4040 +typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
4041 +
4042 +
4043 +/* additional flags for parameters to functions */
4044 +
4045 +/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
4046 +#define CKF_DONT_BLOCK 1
4047 +
4048 +/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
4049 + * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message
4050 + * Generation Function (MGF) applied to a message block when
4051 + * formatting a message block for the PKCS #1 OAEP encryption
4052 + * scheme. */
4053 +typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
4054 +
4055 +typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
4056 +
4057 +/* The following MGFs are defined */
4058 +/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
4059 + * are new for v2.20 */
4060 +#define CKG_MGF1_SHA1 0x00000001
4061 +#define CKG_MGF1_SHA256 0x00000002
4062 +#define CKG_MGF1_SHA384 0x00000003
4063 +#define CKG_MGF1_SHA512 0x00000004
4064 +
4065 +/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
4066 + * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
4067 + * of the encoding parameter when formatting a message block
4068 + * for the PKCS #1 OAEP encryption scheme. */
4069 +typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
4070 +
4071 +typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
4072 +
4073 +/* The following encoding parameter sources are defined */
4074 +#define CKZ_DATA_SPECIFIED 0x00000001
4075 +
4076 +/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
4077 + * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
4078 + * CKM_RSA_PKCS_OAEP mechanism. */
4079 +typedef struct CK_RSA_PKCS_OAEP_PARAMS {
4080 + CK_MECHANISM_TYPE hashAlg;
4081 + CK_RSA_PKCS_MGF_TYPE mgf;
4082 + CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
4083 + CK_VOID_PTR pSourceData;
4084 + CK_ULONG ulSourceDataLen;
4085 +} CK_RSA_PKCS_OAEP_PARAMS;
4086 +
4087 +typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
4088 +
4089 +/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
4090 + * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
4091 + * CKM_RSA_PKCS_PSS mechanism(s). */
4092 +typedef struct CK_RSA_PKCS_PSS_PARAMS {
4093 + CK_MECHANISM_TYPE hashAlg;
4094 + CK_RSA_PKCS_MGF_TYPE mgf;
4095 + CK_ULONG sLen;
4096 +} CK_RSA_PKCS_PSS_PARAMS;
4097 +
4098 +typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
4099 +
4100 +/* CK_EC_KDF_TYPE is new for v2.11. */
4101 +typedef CK_ULONG CK_EC_KDF_TYPE;
4102 +
4103 +/* The following EC Key Derivation Functions are defined */
4104 +#define CKD_NULL 0x00000001
4105 +#define CKD_SHA1_KDF 0x00000002
4106 +
4107 +/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
4108 + * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
4109 + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
4110 + * where each party contributes one key pair.
4111 + */
4112 +typedef struct CK_ECDH1_DERIVE_PARAMS {
4113 + CK_EC_KDF_TYPE kdf;
4114 + CK_ULONG ulSharedDataLen;
4115 + CK_BYTE_PTR pSharedData;
4116 + CK_ULONG ulPublicDataLen;
4117 + CK_BYTE_PTR pPublicData;
4118 +} CK_ECDH1_DERIVE_PARAMS;
4119 +
4120 +typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
4121 +
4122 +
4123 +/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
4124 + * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
4125 + * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
4126 +typedef struct CK_ECDH2_DERIVE_PARAMS {
4127 + CK_EC_KDF_TYPE kdf;
4128 + CK_ULONG ulSharedDataLen;
4129 + CK_BYTE_PTR pSharedData;
4130 + CK_ULONG ulPublicDataLen;
4131 + CK_BYTE_PTR pPublicData;
4132 + CK_ULONG ulPrivateDataLen;
4133 + CK_OBJECT_HANDLE hPrivateData;
4134 + CK_ULONG ulPublicDataLen2;
4135 + CK_BYTE_PTR pPublicData2;
4136 +} CK_ECDH2_DERIVE_PARAMS;
4137 +
4138 +typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
4139 +
4140 +typedef struct CK_ECMQV_DERIVE_PARAMS {
4141 + CK_EC_KDF_TYPE kdf;
4142 + CK_ULONG ulSharedDataLen;
4143 + CK_BYTE_PTR pSharedData;
4144 + CK_ULONG ulPublicDataLen;
4145 + CK_BYTE_PTR pPublicData;
4146 + CK_ULONG ulPrivateDataLen;
4147 + CK_OBJECT_HANDLE hPrivateData;
4148 + CK_ULONG ulPublicDataLen2;
4149 + CK_BYTE_PTR pPublicData2;
4150 + CK_OBJECT_HANDLE publicKey;
4151 +} CK_ECMQV_DERIVE_PARAMS;
4152 +
4153 +typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
4154 +
4155 +/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
4156 + * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
4157 +typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
4158 +typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;