Merged with Alon's r688.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@689 e7ae566f-a301-0410-adde-c780ea21d3b5

Makefile.am

@@ -67,7 +67,7 @@ openvpn_SOURCES = \
 	multi.c multi.h \
         ntlm.c ntlm.h \
 	occ.c occ.h occ-inline.h \
-	pkcs11.c pkcs11.h cryptoki.h \
+	pkcs11.c pkcs11.h pkcs11-helper.c pkcs11-helper.h pkcs11-helper-config.h cryptoki.h \
 	openvpn.c openvpn.h \
 	openvpn-plugin.h \
 	options.c options.h \

error.c

@@ -300,26 +300,29 @@ void x_msg (const unsigned int flags, const char *format, ...)
 
 	  if ((flags & M_NOPREFIX) || suppress_timestamps)
 	    {
-	      fprintf (fp, "%s%s%s\n",
+	      fprintf (fp, "%s%s%s%s",
 		       prefix,
 		       prefix_sep,
-		       m1);
+		       m1,
+		       (flags&M_NOLF) ? "" : "\n");
 	    }
 	  else
 	    {
 #ifdef USE_PTHREAD
-	      fprintf (fp, "%s [%d] %s%s%s\n",
+	      fprintf (fp, "%s [%d] %s%s%s%s",
 		       time_string (0, 0, show_usec, &gc),
 		       (int) openvpn_thread_self (),
 		       prefix,
 		       prefix_sep,
-		       m1);
+		       m1,
+		       (flags&M_NOLF) ? "" : "\n");
 #else
-	      fprintf (fp, "%s %s%s%s\n",
+	      fprintf (fp, "%s %s%s%s%s",
 		       time_string (0, 0, show_usec, &gc),
 		       prefix,
 		       prefix_sep,
-		       m1);
+		       m1,
+		       (flags&M_NOLF) ? "" : "\n");
 #endif
 	    }
 	  fflush(fp);

error.h

@@ -97,6 +97,7 @@ extern int x_msg_line_num;
 #define M_USAGE_SMALL     (1<<13)        /* fatal options error, call usage_small */
 #define M_MSG_VIRT_OUT    (1<<14)        /* output message through msg_status_output callback */
 #define M_OPTERR          (1<<15)        /* print "Options error:" prefix */
+#define M_NOLF            (1<<16)        /* don't print new line */
 
 /* flag combinations which are frequently used */
 #define M_ERR     (M_FATAL | M_ERRNO)

init.c

@@ -116,12 +116,12 @@ context_init_1 (struct context *c)
 #if defined(ENABLE_PKCS11)
   {
     int i;
-    init_pkcs11 (c->options.pkcs11_pin_cache_period);
+    pkcs11_initialize (c->options.pkcs11_pin_cache_period);
     for (i=0;i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL;i++)
-     add_pkcs11 (c->options.pkcs11_providers[i], c->options.pkcs11_sign_mode[i]);
+     pkcs11_addProvider (c->options.pkcs11_providers[i], c->options.pkcs11_sign_mode[i]);
   }
 #endif
-  
+
 #if P2MP
   /* Auth user/pass input */
   if (c->options.auth_user_pass_file)
@@ -236,7 +236,7 @@ uninit_static (void)
 #endif
 
 #ifdef ENABLE_PKCS11
-  free_pkcs11 ();
+  pkcs11_terminate ();
 #endif
 
 #if defined(MEASURE_TLS_HANDSHAKE_STATS) && defined(USE_CRYPTO) && defined(USE_SSL)
@@ -376,7 +376,7 @@ possibly_become_daemon (const struct options *options, const bool first_time)
 	set_std_files_to_null (true);
 
 #if defined(ENABLE_PKCS11)
-      fork_fix_pkcs11 ();
+      pkcs11_forkFixup ();
 #endif
 
       ret = true;

makefile.w32

@@ -96,7 +96,7 @@ HEADERS = \
 	ntlm.h \
 	occ-inline.h \
 	occ.h \
-	pkcs11.h \
+	pkcs11.h pkcs11-helper.h cryptoki.h \
         openvpn.h \
 	openvpn-plugin.h \
 	options.h \
@@ -151,7 +151,7 @@ OBJS =  base64.o \
 	multi.o \
 	ntlm.o \
 	occ.o \
-	pkcs11.o \
+	pkcs11.o pkcs11-helper.o \
         openvpn.o \
 	options.o \
 	otime.o \

makefile.w32-vc

@@ -81,7 +81,7 @@ HEADERS = \
 	ntlm.h \
 	occ-inline.h \
 	occ.h \
-	pkcs11.h \
+	pkcs11.h pkcs11-helper.h cryptoki.h \
         openvpn.h \
 	openvpn-plugin.h \
 	options.h \
@@ -136,7 +136,7 @@ OBJS =  base64.obj \
 	multi.obj \
 	ntlm.obj \
 	occ.obj \
-	pkcs11.obj \
+	pkcs11.obj pkcs11-helper.obj \
         openvpn.obj \
 	options.obj \
 	otime.obj \

manage.c

@@ -39,6 +39,7 @@
 #include "event.h"
 #include "otime.h"
 #include "integer.h"
+#include "misc.h"
 #include "manage.h"
 
 #include "memdbg.h"
@@ -74,6 +75,7 @@ man_help ()
   msg (M_CLIENT, "                         + show last N lines or 'all' for entire history.");
   msg (M_CLIENT, "mute [n]               : Set log mute level to n, or show level if n is absent.");
   msg (M_CLIENT, "net                    : (Windows only) Show network info and routing table.");
+  msg (M_CLIENT, "ok type                : Enter confirmation for NEED-OK request.");
   msg (M_CLIENT, "password type p        : Enter password p for a queried OpenVPN password.");
   msg (M_CLIENT, "signal s               : Send signal s to daemon,");
   msg (M_CLIENT, "                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
@@ -467,6 +469,10 @@ man_up_finalize (struct management *man)
       if (strlen (man->connection.up_query.password))
 	man->connection.up_query.defined = true;
       break;
+    case UP_QUERY_NEED_OK:
+      if (strlen (man->connection.up_query.password))
+	man->connection.up_query.defined = true;
+      break;
     default:
       ASSERT (0);
     }
@@ -520,6 +526,13 @@ man_query_password (struct management *man, const char *type, const char *string
   man_query_user_pass (man, type, string, needed, "password", man->connection.up_query.password, USER_PASS_LEN);
 }
 
+static void
+man_query_need_ok (struct management *man, const char *type)
+{
+  const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
+  man_query_user_pass (man, type, "ok", needed, "ok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
+}
+
 static void
 man_net (struct management *man)
 {
@@ -708,6 +721,11 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch
       if (man_need (man, p, 2, 0))
 	man_query_password (man, p[1], p[2]);
     }
+  else if (streq (p[0], "ok"))
+    {
+      if (man_need (man, p, 1, 0))
+	man_query_need_ok (man, p[1]);
+    }
   else if (streq (p[0], "net"))
     {
       man_net (man);
@@ -1130,7 +1148,7 @@ man_settings_init (struct man_settings *ms,
        * Get username/password
        */
       if (pass_file)
-	get_user_pass (&ms->up, pass_file, true, "Management", 0);
+	get_user_pass (&ms->up, pass_file, "Management", GET_USER_PASS_PASSWORD_ONLY);
 
       /*
        * Should OpenVPN query the management layer for
@@ -1728,7 +1746,7 @@ bool
 management_query_user_pass (struct management *man,
 			    struct user_pass *up,
 			    const char *type,
-			    const bool password_only)
+			    const unsigned int flags)
 {
   struct gc_arena gc = gc_new ();
   bool ret = false;
@@ -1738,6 +1756,9 @@ management_query_user_pass (struct management *man,
       volatile int signal_received = 0;
       const bool standalone_disabled_save = man->persist.standalone_disabled;
       struct buffer alert_msg = alloc_buf_gc (128, &gc);
+      const char *alert_type = NULL;
+      const char *prefix = NULL;
+      unsigned int up_query_mode = 0;
 
       ret = true;
       man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
@@ -1745,9 +1766,28 @@ management_query_user_pass (struct management *man,
 
       CLEAR (man->connection.up_query);
 
-      buf_printf (&alert_msg, ">PASSWORD:Need '%s' %s",
+      if (flags & GET_USER_PASS_NEED_OK)
+	{
+	  up_query_mode = UP_QUERY_NEED_OK;
+	  prefix= "NEED-OK";
+	  alert_type = "confirmation";
+	}
+      else if (flags & GET_USER_PASS_PASSWORD_ONLY)
+	{
+	  up_query_mode = UP_QUERY_PASS;
+	  prefix = "PASSWORD";
+	  alert_type = "password";
+	}
+      else
+	{
+	  up_query_mode = UP_QUERY_USER_PASS;
+	  prefix = "PASSWORD";
+	  alert_type = "username/password";
+	}
+      buf_printf (&alert_msg, ">%s:Need '%s' %s",
+		  prefix,
 		  type,
-		  password_only ? "password" : "username/password");
+		  alert_type);
 
       man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
       if (signal_received)
@@ -1759,7 +1799,7 @@ management_query_user_pass (struct management *man,
 	  msg (M_CLIENT, "%s", man->persist.special_state_msg);
 
 	  /* tell command line parser which info we need */
-	  man->connection.up_query_mode = password_only ? UP_QUERY_PASS : UP_QUERY_USER_PASS;
+	  man->connection.up_query_mode = up_query_mode;
 	  man->connection.up_query_type = type;
 
 	  /* run command processing event loop until we get our username/password */

manage.h

@@ -203,6 +203,7 @@ struct man_settings {
 #define UP_QUERY_DISABLED  0
 #define UP_QUERY_USER_PASS 1
 #define UP_QUERY_PASS      2
+#define UP_QUERY_NEED_OK   3
 
 /* states */
 #define MS_INITIAL          0  /* all sockets are closed */
@@ -282,7 +283,7 @@ void management_set_callback (struct management *man,
 
 void management_clear_callback (struct management *man);
 
-bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const bool password_only);
+bool management_query_user_pass (struct management *man, struct user_pass *up, const char *type, const unsigned int flags);
 
 bool management_would_hold (struct management *man);
 bool management_hold (struct management *man);

misc.c

@@ -1155,7 +1155,6 @@ get_console_input (const char *prompt, const bool echo, char *input, const int c
 void
 get_user_pass (struct user_pass *up,
 	       const char *auth_file,
-	       const bool password_only,
 	       const char *prefix,
 	       const unsigned int flags)
 {
@@ -1173,32 +1172,44 @@ get_user_pass (struct user_pass *up,
 	  && ((auth_file && streq (auth_file, "management")) || (from_stdin && (flags & GET_USER_PASS_MANAGEMENT)))
 	  && management_query_user_pass_enabled (management))
 	{
-	  if (!management_query_user_pass (management, up, prefix, password_only))
-	    msg (M_FATAL, "ERROR: could not read %s username/password from management interface", prefix);
+	  if (!management_query_user_pass (management, up, prefix, flags))
+	    msg (M_FATAL, "ERROR: could not read %s username/password/ok from management interface", prefix);
 	}
       else
 #endif
       /*
        * Get username/password from standard input?
        */
-      if (from_stdin)
+      if (from_stdin || (flags & GET_USER_PASS_NEED_OK))
 	{
 	  struct buffer user_prompt = alloc_buf_gc (128, &gc);
 	  struct buffer pass_prompt = alloc_buf_gc (128, &gc);
 
-	  buf_printf (&user_prompt, "Enter %s Username:", prefix);
-	  buf_printf (&pass_prompt, "Enter %s Password:", prefix);
-
-	  if (!password_only)
+	  if (flags & GET_USER_PASS_NEED_OK)
 	    {
-	      if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
-		msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
-	      if (strlen (up->username) == 0)
-		msg (M_FATAL, "ERROR: %s username is empty", prefix);
+	      buf_printf (&pass_prompt, "NEED-OK:%s:", prefix);
+	    }
+	  else
+	    {
+	      buf_printf (&user_prompt, "Enter %s Username:", prefix);
+	      buf_printf (&pass_prompt, "Enter %s Password:", prefix);
+
+	      if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
+		{
+		  if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
+		    msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
+		  if (strlen (up->username) == 0)
+		    msg (M_FATAL, "ERROR: %s username is empty", prefix);
+		}
 	    }
 
 	  if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))
-	    msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);
+	    msg (M_FATAL, "ERROR: could not not read %s %s from stdin",
+		 prefix,
+		 (flags & GET_USER_PASS_NEED_OK) ? "ok-confirmation" : "password");
+
+	  if (flags & GET_USER_PASS_NEED_OK)
+	    strcpy (up->password, "ok");
 	}
       else
 	{
@@ -1222,7 +1233,7 @@ get_user_pass (struct user_pass *up,
 	  if (!fp)
 	    msg (M_ERR, "Error opening '%s' auth file: %s", prefix, auth_file);
 
-	  if (password_only)
+	  if (flags & GET_USER_PASS_PASSWORD_ONLY)
 	    {
 	      if (fgets (up->password, USER_PASS_LEN, fp) == NULL)
 		msg (M_FATAL, "Error reading password from %s authfile: %s",
@@ -1243,7 +1254,7 @@ get_user_pass (struct user_pass *up,
 	  chomp (up->username);
 	  chomp (up->password);
       
-	  if (!password_only && strlen (up->username) == 0)
+	  if (!(flags & GET_USER_PASS_PASSWORD_ONLY) && strlen (up->username) == 0)
 	    msg (M_FATAL, "ERROR: username from %s authfile '%s' is empty", prefix, auth_file);
 	}
 

misc.h

@@ -229,12 +229,16 @@ struct user_pass
 
 bool get_console_input (const char *prompt, const bool echo, char *input, const int capacity);
 
-#define GET_USER_PASS_MANAGEMENT  (1<<0)
-#define GET_USER_PASS_SENSITIVE   (1<<1)
+/*
+ * Flags for get_user_pass and management_query_user_pass
+ */
+#define GET_USER_PASS_MANAGEMENT    (1<<0)
+#define GET_USER_PASS_SENSITIVE     (1<<1)
+#define GET_USER_PASS_PASSWORD_ONLY (1<<2)
+#define GET_USER_PASS_NEED_OK       (1<<3)
 
 void get_user_pass (struct user_pass *up,
 		    const char *auth_file,
-		    const bool password_only,
 		    const char *prefix,
 		    const unsigned int flags);
 

options.c

@@ -4896,7 +4896,7 @@ add_option (struct options *options,
     {
       char *module =  p[i++];
       VERIFY_PERMISSION (OPT_P_GENERAL);
-      show_pkcs11_slots (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, module);
+      show_pkcs11_slots (module);
       openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
     }
   else if (streq (p[0], "show-pkcs11-objects") && p[1] && p[2])
@@ -4916,7 +4916,7 @@ add_option (struct options *options,
       
       gc_free (&gc);
       
-      show_pkcs11_objects (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX, provider, slot, pin);
+      show_pkcs11_objects (provider, slot, pin);
       openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
     }
   else if (streq (p[0], "pkcs11-providers") && p[1])

pkcs11-helper-config.h

@@ -0,0 +1,84 @@
+/*
+*  OpenVPN -- An application to securely tunnel IP networks
+*             over a single TCP/UDP port, with support for SSL/TLS-based
+*             session authentication and key exchange,
+*             packet encryption, packet authentication, and
+*             packet compression.
+*
+*  Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+*
+*  This program is free software; you can redistribute it and/or modify
+*  it under the terms of the GNU General Public License version 2
+*  as published by the Free Software Foundation.
+*
+*  This program is distributed in the hope that it will be useful,
+*  but WITHOUT ANY WARRANTY; without even the implied warranty of
+*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+*  GNU General Public License for more details.
+*
+*  You should have received a copy of the GNU General Public License
+*  along with this program (see the file COPYING included with this
+*  distribution); if not, write to the Free Software Foundation, Inc.,
+*  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+*/
+
+#ifndef __PKCS11_HELPER_CONFIG_H
+#define __PKCS11_HELPER_CONFIG_H
+
+#if!defined(PKCS11H_NO_NEED_INCLUDE_CONFIG)
+
+#if defined(WIN32)
+#include "config-win32.h"
+#else
+#include "config.h"
+#endif
+
+#include "syshead.h"
+
+#endif /* PKCS11H_NO_NEED_INCLUDE_CONFIG */
+
+#ifdef ENABLE_PKCS11
+#define PKCS11H_ENABLE_HELPER
+#endif
+
+#ifdef PKCS11H_ENABLE_HELPER
+
+#if defined(WIN32)
+#include "cryptoki-win32.h"
+#else
+#include "cryptoki.h"
+#endif
+
+#include "error.h"
+#include "misc.h"
+#include "ssl.h"
+
+#define PKCS11ASSERT		ASSERT
+#define PKCS11LOG		msg
+#define PKCS11_LOG_DEBUG2	D_PKCS11_DEBUG
+#define PKCS11_LOG_DEBUG1	D_SHOW_PKCS11
+#define PKCS11_LOG_INFO		M_INFO
+#define PKCS11_LOG_WARN		M_WARN
+#define PKCS11_LOG_ERROR	M_FATAL
+
+#if !defined(false)
+#define false 0
+#endif
+#if !defined(true)
+#define true (!false)
+#endif
+
+#if !defined(IN)
+#define IN
+#endif
+#if !defined(OUT)
+#define OUT
+#endif
+
+#define PKCS11_PRM_SLOT_TYPE	"--pkcs11-slot-type"
+#define PKCS11_PRM_SLOT_ID	"--pkcs11-slot"
+#define PKCS11_PRM_OBJ_TYPE	"--pkcs11-id-type"
+#define PKCS11_PRM_OBJ_ID	"--pkcs11-id"
+
+#endif		/* PKCS11H_ENABLE_HELPER */
+#endif		/* __PKCS11_HELPER_CONFIG_H */

pkcs11-helper.h

@@ -0,0 +1,252 @@
+/*
+ * Copyright (c) 2005 Alon Bar-Lev <alon.barlev@gmail.com>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modifi-
+ * cation, are permitted provided that the following conditions are met:
+ *
+ *   o  Redistributions of source code must retain the above copyright notice,
+ *      this list of conditions and the following disclaimer.
+ *
+ *   o  Redistributions in binary form must reproduce the above copyright no-
+ *      tice, this list of conditions and the following disclaimer in the do-
+ *      cumentation and/or other materials provided with the distribution.
+ *
+ *   o  The names of the contributors may not be used to endorse or promote
+ *      products derived from this software without specific prior written
+ *      permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
+ * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
+ * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
+ * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
+ * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * The routines in this file deal with providing private key cryptography
+ * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
+ *
+ */
+
+#ifndef __PKCS11_HELPER_H
+#define __PKCS11_HELPER_H
+
+#include "pkcs11-helper-config.h"
+
+#define PKCS11H_MAX_ATTRIBUTE_SIZE (10*1024)
+
+typedef void (*pkcs11h_output_print_t)(
+	IN const void *pData,
+	IN const char * const szFormat,
+	IN ...
+);
+
+typedef bool (*pkcs11h_hook_card_prompt_t)(
+	IN const void *pData,
+	IN const char * const szLabel
+);
+
+typedef bool (*pkcs11h_hook_pin_prompt_t)(
+	IN const void *pData,
+	IN const char * const szLabel,
+	OUT char * const szPIN,
+	IN const size_t nMaxPIN
+);
+
+
+typedef struct pkcs11h_hooks_s {
+	void *card_prompt_data;
+	void *pin_prompt_data;
+	pkcs11h_hook_card_prompt_t card_prompt;
+	pkcs11h_hook_pin_prompt_t pin_prompt;
+} *pkcs11h_hooks_t;
+
+typedef struct pkcs11h_provider_s {
+	struct pkcs11h_provider_s *next;
+
+	bool fEnabled;
+	char *szName;
+	
+#if defined(WIN32)
+	HANDLE hLibrary;
+#else
+	void *hLibrary;
+#endif
+	CK_FUNCTION_LIST_PTR f;
+	bool fShouldFinalize;
+	char *szSignMode;
+
+} *pkcs11h_provider_t;
+
+typedef struct pkcs11h_session_s {
+
+	pkcs11h_provider_t provider;
+
+	bool fProtectedAuthentication;
+
+	char szLabel[sizeof (((CK_TOKEN_INFO *)NULL)->label)+1];
+	CK_CHAR serialNumber[sizeof (((CK_TOKEN_INFO *)NULL)->serialNumber)];
+	
+	unsigned char *certificate;
+	size_t certificate_size;
+	unsigned char *certificate_id;
+	size_t certificate_id_size;
+
+	CK_SLOT_ID slot;
+	bool fKeySignRecover;
+
+	CK_SESSION_HANDLE session;
+	CK_OBJECT_HANDLE key;
+
+	time_t timePINExpire;
+} *pkcs11h_session_t;
+
+typedef struct pkcs11h_data_s {
+	bool fInitialized;
+	int nPINCachePeriod;
+	pkcs11h_provider_t providers;
+	pkcs11h_hooks_t hooks;
+} *pkcs11h_data_t;
+
+typedef struct pkcs11h_openssl_session_s {
+	int nReferenceCount;
+	bool fInitialized;
+	bool fShouldPadSign;
+	X509 *x509;
+	RSA_METHOD smart_rsa;
+	int (*orig_finish)(RSA *rsa);
+	pkcs11h_session_t pkcs11h_session;
+} *pkcs11h_openssl_session_t;
+
+CK_RV
+pkcs11h_initialize ();
+
+CK_RV
+pkcs11h_terminate ();
+
+CK_RV
+pkcs11h_setCardPromptHook (
+	IN const pkcs11h_hook_card_prompt_t hook,
+	IN void * const pData
+);
+
+CK_RV
+pkcs11h_setPINPromptHook (
+	IN const pkcs11h_hook_pin_prompt_t hook,
+	IN void * const pData
+);
+
+CK_RV
+pkcs11h_setPINCachePeriod (
+	IN const int nPINCachePeriod
+);
+
+CK_RV
+pkcs11h_addProvider (
+	IN const char * const szProvider,
+	IN const char * const szSignMode
+);
+
+CK_RV
+pkcs11h_forkFixup ();
+
+CK_RV
+pkcs11h_createSession (
+	IN const char * const szSlotType,
+	IN const char * const szSlot,
+	IN const char * const szIdType,
+	IN const char * const szId,
+	IN const bool fProtectedAuthentication,
+	OUT pkcs11h_session_t * const pkcs11h_session
+);
+
+CK_RV
+pkcs11h_freeSession (
+	IN const pkcs11h_session_t pkcs11h_session
+);
+
+CK_RV
+pkcs11h_sign (
+	IN const pkcs11h_session_t pkcs11h_session,
+	IN const CK_MECHANISM_TYPE mech_type,
+	IN const unsigned char * const source,
+	IN const size_t source_size,
+	OUT unsigned char * const target,
+	IN OUT size_t * const target_size
+);
+
+CK_RV
+pkcs11h_signRecover (
+	IN const pkcs11h_session_t pkcs11h_session,
+	IN const CK_MECHANISM_TYPE mech_type,
+	IN const unsigned char * const source,
+	IN const size_t source_size,
+	OUT unsigned char * const target,
+	IN OUT size_t * const target_size
+);
+
+CK_RV
+pkcs11h_decrypt (
+	IN const pkcs11h_session_t pkcs11h_session,
+	IN const CK_MECHANISM_TYPE mech_type,
+	IN const unsigned char * const source,
+	IN const size_t source_size,
+	OUT unsigned char * const target,
+	IN OUT size_t * const target_size
+);
+
+CK_RV
+pkcs11h_getCertificate (
+	IN const pkcs11h_session_t pkcs11h_session,
+	OUT unsigned char * const certificate,
+	IN OUT size_t * const certificate_size
+);
+
+char *
+pkcs11h_getMessage (
+	IN const int rv
+);
+
+pkcs11h_openssl_session_t
+pkcs11h_openssl_createSession (
+	IN const bool fShouldPadSign
+);
+
+void
+pkcs11h_openssl_freeSession (
+	IN const pkcs11h_openssl_session_t pkcs11h_openssl_session
+);
+
+RSA *
+pkcs11h_openssl_getRSA (
+	IN const pkcs11h_openssl_session_t pkcs11h_openssl_session
+);
+
+X509 *
+pkcs11h_openssl_getX509 (
+	IN const pkcs11h_openssl_session_t pkcs11h_openssl_session
+);
+
+void
+pkcs11h_standalone_dump_slots (
+	IN const pkcs11h_output_print_t my_output,
+	IN const void *pData,
+	IN const char * const provider
+);
+
+void
+pkcs11h_standalone_dump_objects (
+	IN const pkcs11h_output_print_t my_output,
+	IN const void *pData,
+	IN const char * const provider,
+	IN const char * const slot,
+	IN const char * const pin
+);
+
+#endif

pkcs11.h

@@ -30,18 +30,18 @@
 #include <openssl/ssl.h>
 
 void
-init_pkcs11 (
+pkcs11_initialize (
 	const int nPINCachePeriod
 );
 
 void
-free_pkcs11 ();
+pkcs11_terminate ();
 
 void
-fork_fix_pkcs11 ();
+pkcs11_forkFixup ();
 
 void
-add_pkcs11 (
+pkcs11_addProvider (
 	const char * const provider,
 	const char * const sign_mode
 );
@@ -58,15 +58,11 @@ SSL_CTX_use_pkcs11 (
 
 void
 show_pkcs11_slots (
-	const int msglev,
-	const int warnlev,
 	const char * const provider
 );
 
 void
 show_pkcs11_objects (
-	const int msglev,
-	const int warnlev,
 	const char * const provider,
 	const char * const slot,
 	const char * const pin

proxy.c

@@ -280,7 +280,6 @@ new_http_proxy (const struct http_proxy_options *o,
     {
       get_user_pass (&static_proxy_user_pass,
 		     o->auth_file,
-		     false,
 		     "HTTP Proxy",
 		     GET_USER_PASS_MANAGEMENT);
       p->up = static_proxy_user_pass;

ssl.c

@@ -266,7 +266,7 @@ void
 pem_password_setup (const char *auth_file)
 {
   if (!strlen (passbuf.password))
-    get_user_pass (&passbuf, auth_file, true, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
+    get_user_pass (&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE|GET_USER_PASS_PASSWORD_ONLY);
 }
 
 int
@@ -296,7 +296,7 @@ auth_user_pass_setup (const char *auth_file)
 {
   auth_user_pass_enabled = true;
   if (!auth_user_pass.defined)
-    get_user_pass (&auth_user_pass, auth_file, false, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
+    get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
 }
 
 /*