From: Martin Willi
Date: Fri, 12 Nov 2010 13:45:09 +0000 (+0100)
Subject: Added a PKCS#11 module option to enforce OS Locking functions
X-Git-Tag: 4.5.1~522
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9cda39923e7f6328bb9e14830e146e6ac9b4e99a;p=thirdparty%2Fstrongswan.git

Added a PKCS#11 module option to enforce OS Locking functions
---

diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index e2b06ccc1e..4373647811 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -800,7 +800,8 @@ static void check_features(private_pkcs11_library_t *this, CK_INFO *info)
 /**
 * Initialize a PKCS#11 library
 */
-static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
+static bool initialize(private_pkcs11_library_t *this, char *name, char *file,
+ bool os_locking)
 {
 CK_C_GetFunctionList pC_GetFunctionList;
 CK_INFO info;
@@ -825,10 +826,16 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
 name, ck_rv_names, rv);
 return FALSE;
 }
-
- rv = this->public.f->C_Initialize(&args);
+ if (os_locking)
+ {
+ rv = CKR_CANT_LOCK;
+ }
+ else
+ {
+ rv = this->public.f->C_Initialize(&args);
+ }
 if (rv == CKR_CANT_LOCK)
- { /* try OS locking */
+ { /* fallback to OS locking */
 memset(&args, 0, sizeof(args));
 args.flags = CKF_OS_LOCKING_OK;
 rv = this->public.f->C_Initialize(&args);
@@ -870,7 +877,7 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file)
 /**
 * See header
 */
-pkcs11_library_t *pkcs11_library_create(char *name, char *file)
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking)
 {
 private_pkcs11_library_t *this;
 
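Review bot: In the new `if (os_locking)` branch of the hunk at line 826, `rv = CKR_CANT_LOCK;` is a synthetic return code used only to steer execution into the fallback block, and nothing says so; a reader auditing the error handling will read it as a real C_Initialize failure. Either comment it, `rv = CKR_CANT_LOCK; /* skip the mutex-callback attempt, force the OS-locking path below */`, or avoid borrowing an error code altogether by initialising `rv = CKR_CANT_LOCK;` once and guarding the first call with `if (!os_locking)`, which leaves the existing `if (rv == CKR_CANT_LOCK)` test untouched. The `args` passed to the first C_Initialize is populated outside the hunk, so I cannot confirm what the forced path leaves unused there; the `memset(&args, 0, sizeof(args))` before the second call covers it in any case. initialize() continues beyond the hunk.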
@@ -893,7 +900,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file)
 return NULL;
 }
 
- if (!initialize(this, name, file))
+ if (!initialize(this, name, file, os_locking))
 {
 dlclose(this->handle);
 free(this);
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
index 36fe841b4e..33e5f97dcd 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h
@@ -119,8 +119,9 @@ void pkcs11_library_trim(char *str, int len);
 *
 * @param name an arbitrary name, for debugging
 * @param file pkcs11 library file to dlopen()
+ * @param os_lock enforce OS Locking for this library
 * @return library abstraction
 */
-pkcs11_library_t *pkcs11_library_create(char *name, char *file);
+pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock);
 
 #endif /** PKCS11_LIBRARY_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
index 0c27600a6a..9308e9c257 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
@@ -373,7 +373,10 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
 free(entry);
 continue;
 }
- entry->lib = pkcs11_library_create(module, entry->path);
+ entry->lib = pkcs11_library_create(module, entry->path,
+ lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.pkcs11.modules.%s.os_locking",
+ FALSE, module));
 if (!entry->lib)
 {
 free(entry);
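Review bot: The header declares the new parameter as `bool os_lock` and documents it as `@param os_lock`, while the definition in pkcs11_library.c (hunk at line 877) names it `os_locking`; the declaration and its Doxygen block should use the name the definition uses. Suggest `+ * @param os_locking enforce OS Locking for this library` and `pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking);`. The `@param` text could also state what "enforce" means here, since the implementation hunk shows it: the library is initialised with CKF_OS_LOCKING_OK directly and the mutex-callback attempt is skipped.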
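Review bot: The new per-module setting `libstrongswan.plugins.pkcs11.modules.%s.os_locking` is introduced in the hunk at line 373 without any accompanying documentation in this commit; if the other per-module keys are described in the strongswan.conf documentation, this one belongs next to them with a note that it defaults to off (the `FALSE` default here keeps the previous behaviour). As a point of style, the three-line settings lookup nested inside the argument list hides that default; a local `bool os_locking = lib->settings->get_bool(lib->settings, "libstrongswan.plugins.pkcs11.modules.%s.os_locking", FALSE, module);` before the call, passed as `pkcs11_library_create(module, entry->path, os_locking)`, reads more clearly. pkcs11_manager_create() starts and ends outside the hunk.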