src/home/homework-pkcs11.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include "hexdecoct.h"
   4 #include "homework-pkcs11.h"
   5 #include "pkcs11-util.h"
   6 #include "strv.h"
   7
   8 int pkcs11_callback(
   9                 CK_FUNCTION_LIST *m,
  10                 CK_SESSION_HANDLE session,
  11                 CK_SLOT_ID slot_id,
  12                 const CK_SLOT_INFO *slot_info,
  13                 const CK_TOKEN_INFO *token_info,
  14                 P11KitUri *uri,
  15                 void *userdata) {
  16
  17         _cleanup_(erase_and_freep) void *decrypted_key = NULL;
  18         struct pkcs11_callback_data *data = userdata;
  19         _cleanup_free_ char *token_label = NULL;
  20         CK_TOKEN_INFO updated_token_info;
  21         size_t decrypted_key_size;
  22         CK_OBJECT_HANDLE object;
  23         CK_RV rv;
  24         int r;
  25
  26         assert(m);
  27         assert(slot_info);
  28         assert(token_info);
  29         assert(uri);
  30         assert(data);
  31
  32         /* Special return values:
  33          *
  34          * -ENOANO       → if we need a PIN but have none
  35          * -ERFKILL      → if a "protected authentication path" is needed but we have no OK to use it
  36          * -EOWNERDEAD   → if the PIN is locked
  37          * -ENOLCK       → if the supplied PIN is incorrect
  38          * -ETOOMANYREFS → ditto, but only a few tries left
  39          * -EUCLEAN      → ditto, but only a single try left
  40          */
  41
  42         token_label = pkcs11_token_label(token_info);
  43         if (!token_label)
  44                 return log_oom();
  45
  46         if (FLAGS_SET(token_info->flags, CKF_PROTECTED_AUTHENTICATION_PATH)) {
  47
  48                 if (data->secret->pkcs11_protected_authentication_path_permitted <= 0)
  49                         return log_error_errno(SYNTHETIC_ERRNO(ERFKILL), "Security token requires authentication through protected authentication path.");
  50
  51                 rv = m->C_Login(session, CKU_USER, NULL, 0);
  52                 if (rv != CKR_OK)
  53                         return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to log into security token '%s': %s", token_label, p11_kit_strerror(rv));
  54
  55                 log_info("Successfully logged into security token '%s' via protected authentication path.", token_label);
  56                 goto decrypt;
  57         }
  58
  59         if (!FLAGS_SET(token_info->flags, CKF_LOGIN_REQUIRED)) {
  60                 log_info("No login into security token '%s' required.", token_label);
  61                 goto decrypt;
  62         }
  63
  64         if (strv_isempty(data->secret->token_pin))
  65                 return log_error_errno(SYNTHETIC_ERRNO(ENOANO), "Security token requires PIN.");
  66
  67         STRV_FOREACH(i, data->secret->token_pin) {
  68                 rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) *i, strlen(*i));
  69                 if (rv == CKR_OK) {
  70                         log_info("Successfully logged into security token '%s' with PIN.", token_label);
  71                         goto decrypt;
  72                 }
  73                 if (rv == CKR_PIN_LOCKED)
  74                         return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD), "PIN of security token is blocked. Please unblock it first.");
  75                 if (!IN_SET(rv, CKR_PIN_INCORRECT, CKR_PIN_LEN_RANGE))
  76                         return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to log into security token '%s': %s", token_label, p11_kit_strerror(rv));
  77         }
  78
  79         rv = m->C_GetTokenInfo(slot_id, &updated_token_info);
  80         if (rv != CKR_OK)
  81                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire updated security token information for slot %lu: %s", slot_id, p11_kit_strerror(rv));
  82
  83         if (FLAGS_SET(updated_token_info.flags, CKF_USER_PIN_FINAL_TRY))
  84                 return log_error_errno(SYNTHETIC_ERRNO(EUCLEAN), "PIN of security token incorrect, only a single try left.");
  85         if (FLAGS_SET(updated_token_info.flags, CKF_USER_PIN_COUNT_LOW))
  86                 return log_error_errno(SYNTHETIC_ERRNO(ETOOMANYREFS), "PIN of security token incorrect, only a few tries left.");
  87
  88         return log_error_errno(SYNTHETIC_ERRNO(ENOLCK), "PIN of security token incorrect.");
  89
  90 decrypt:
  91         r = pkcs11_token_find_private_key(m, session, uri, &object);
  92         if (r < 0)
  93                 return r;
  94
  95         r = pkcs11_token_decrypt_data(m, session, object, data->encrypted_key->data, data->encrypted_key->size, &decrypted_key, &decrypted_key_size);
  96         if (r < 0)
  97                 return r;
  98
  99         if (base64mem(decrypted_key, decrypted_key_size, &data->decrypted_password) < 0)
 100                 return log_oom();
 101
 102         return 1;
 103 }