/* libp11, a simple layer on to of PKCS#11 API

 * Copyright (C) 2005 Olaf Kirch <okir@lst.de>

 * Copyright (C) 2015-2018 Michał Trojnara <Michal.Trojnara@stunnel.org>

 *

 *  This library is free software; you can redistribute it and/or

 *  modify it under the terms of the GNU Lesser General Public

 *  License as published by the Free Software Foundation; either

 *  version 2.1 of the License, or (at your option) any later version.

 *

 *  This library is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

 *  Lesser General Public License for more details.

 *

 *  You should have received a copy of the GNU Lesser General Public

 *  License along with this library; if not, write to the Free Software

 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA

 */

#ifndef _LIBP11_INT_H

#define _LIBP11_INT_H

#ifndef _WIN32

#include "config.h"

#endif

#include "libp11.h"

#define CRYPTOKI_EXPORTS

#include "pkcs11.h"

#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)

typedef int PKCS11_RWLOCK;

#else

typedef CRYPTO_RWLOCK *PKCS11_RWLOCK;

#endif

/* get private implementations of PKCS11 structures */

/*

 * PKCS11_CTX: context for a PKCS11 implementation

 */

typedef struct pkcs11_ctx_private {

	CK_FUNCTION_LIST_PTR method;

	void *handle;

	char *init_args;

	UI_METHOD *ui_method; /* UI_METHOD for CKU_CONTEXT_SPECIFIC PINs */

	void *ui_user_data;

	unsigned int forkid;

	PKCS11_RWLOCK rwlock;

	int sign_initialized;

	int decrypt_initialized;

} PKCS11_CTX_private;

#define PRIVCTX(ctx)		((PKCS11_CTX_private *) ((ctx)->_private))

typedef struct pkcs11_slot_private {

	PKCS11_CTX *parent;

	unsigned char haveSession, loggedIn;

	CK_SLOT_ID id;

	CK_SESSION_HANDLE session;

	unsigned int forkid;

	int prev_rw; /* the rw status the session was open */

	/* options used in last PKCS11_login */

	char *prev_pin;

	int prev_so;

} PKCS11_SLOT_private;

#define PRIVSLOT(slot)		((PKCS11_SLOT_private *) ((slot)->_private))

#define SLOT2CTX(slot)		(PRIVSLOT(slot)->parent)

typedef struct pkcs11_keys {

	int num;

	PKCS11_KEY *keys;

} PKCS11_keys;

typedef struct pkcs11_token_private {

	PKCS11_SLOT *parent;

	PKCS11_keys prv, pub;

	int ncerts;

	PKCS11_CERT *certs;

} PKCS11_TOKEN_private;

#define PRIVTOKEN(token)	((PKCS11_TOKEN_private *) ((token)->_private))

#define TOKEN2SLOT(token)	(PRIVTOKEN(token)->parent)

#define TOKEN2CTX(token)	SLOT2CTX(TOKEN2SLOT(token))

typedef struct pkcs11_key_ops {

	int type; /* EVP_PKEY_xxx */

	EVP_PKEY *(*get_evp_key) (PKCS11_KEY *);

	void (*update_ex_data) (PKCS11_KEY *);

} PKCS11_KEY_ops;

typedef struct pkcs11_key_private {

	PKCS11_TOKEN *parent;

	CK_OBJECT_HANDLE object;

	CK_BBOOL always_authenticate;

	unsigned char id[255];

	size_t id_len;

	PKCS11_KEY_ops *ops;

	unsigned int forkid;

} PKCS11_KEY_private;

#define PRIVKEY(key)		((PKCS11_KEY_private *) (key)->_private)

#define KEY2SLOT(key)		TOKEN2SLOT(KEY2TOKEN(key))

#define KEY2TOKEN(key)		(PRIVKEY(key)->parent)

#define KEY2CTX(key)		TOKEN2CTX(KEY2TOKEN(key))

typedef struct pkcs11_cert_private {

	PKCS11_TOKEN *parent;

	CK_OBJECT_HANDLE object;

	unsigned char id[255];

	size_t id_len;

} PKCS11_CERT_private;

#define PRIVCERT(cert)		((PKCS11_CERT_private *) (cert)->_private)

#define CERT2SLOT(cert)		TOKEN2SLOT(CERT2TOKEN(cert))

#define CERT2TOKEN(cert)	(PRIVCERT(cert)->parent)

#define CERT2CTX(cert)		TOKEN2CTX(CERT2TOKEN(cert))

extern PKCS11_KEY_ops pkcs11_rsa_ops;

extern PKCS11_KEY_ops *pkcs11_ec_ops;

/*

 * Internal functions

 */

#define CRYPTOKI_checkerr(f, rv) \

	do { \

		if (rv) { \

			CKRerr(f, rv); \

			return -1; \

		} \

		ERR_clear_error(); \

	} while (0)

#define CRYPTOKI_call(ctx, func_and_args) \

	PRIVCTX(ctx)->method->func_and_args

extern int ERR_load_CKR_strings(void);

/* Memory allocation */

#define PKCS11_DUP(s) \

	pkcs11_strdup((char *) s, sizeof(s))

extern char *pkcs11_strdup(char *, size_t);

/* Emulate the OpenSSL 1.1 locking API for older OpenSSL versions */

#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)

int CRYPTO_THREAD_lock_new();

void CRYPTO_THREAD_lock_free(int);

#define CRYPTO_THREAD_write_lock(type) \

	if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)

#define CRYPTO_THREAD_unlock(type) \

	if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)

#define CRYPTO_THREAD_read_lock(type) \

	if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,__FILE__,__LINE__)

#define CRYPTO_THREAD_read_unlock(type) \

	if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,__FILE__,__LINE__)

#endif

/* Emulate the OpenSSL 1.1 getters */

#if OPENSSL_VERSION_NUMBER < 0x10100003L || defined(LIBRESSL_VERSION_NUMBER)

#define EVP_PKEY_get0_RSA(key) ((key)->pkey.rsa)

#define EVP_PKEY_get0_EC_KEY(key) ((key)->pkey.ec)

#endif

/* Reinitializing the module afer fork (if detected) */

extern unsigned int get_forkid();

extern int check_fork(PKCS11_CTX *ctx);

extern int check_slot_fork(PKCS11_SLOT *slot);

extern int check_token_fork(PKCS11_TOKEN *token);

extern int check_key_fork(PKCS11_KEY *key);

extern int check_cert_fork(PKCS11_CERT *cert);

/* Other internal functions */

extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);

extern CK_RV C_UnloadModule(void *module);

extern void pkcs11_destroy_keys(PKCS11_TOKEN *, unsigned int);

extern void pkcs11_destroy_certs(PKCS11_TOKEN *);

extern int pkcs11_reload_key(PKCS11_KEY *);

extern int pkcs11_reopen_session(PKCS11_SLOT * slot);

extern int pkcs11_relogin(PKCS11_SLOT * slot);

/* Managing object attributes */

extern int pkcs11_getattr_var(PKCS11_TOKEN *, CK_OBJECT_HANDLE,

	unsigned int, CK_BYTE *, size_t *);

extern int pkcs11_getattr_val(PKCS11_TOKEN *, CK_OBJECT_HANDLE,

	unsigned int, void *, size_t);

extern int pkcs11_getattr_alloc(PKCS11_TOKEN *, CK_OBJECT_HANDLE,

	unsigned int, CK_BYTE **, size_t *);

/*

 * Caution: the BIGNUM ** shall reference either a NULL pointer or a

 * pointer to a valid BIGNUM.

 */

extern int pkcs11_getattr_bn(PKCS11_TOKEN *, CK_OBJECT_HANDLE,

	unsigned int, BIGNUM **);

#define key_getattr_var(key, t, p, s) \

	pkcs11_getattr_var(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))

#define key_getattr_val(key, t, p, s) \

	pkcs11_getattr_val(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))

#define key_getattr_alloc(key, t, p, s) \

	pkcs11_getattr_alloc(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (p), (s))

/*

 * Caution: bn shall reference either a NULL pointer or a pointer to

 * a valid BIGNUM.

 */

#define key_getattr_bn(key, t, bn) \

	pkcs11_getattr_bn(KEY2TOKEN((key)), PRIVKEY((key))->object, (t), (bn))

typedef int (*pkcs11_i2d_fn) (void *, unsigned char **);

extern void pkcs11_addattr(CK_ATTRIBUTE_PTR, int, const void *, size_t);

extern void pkcs11_addattr_int(CK_ATTRIBUTE_PTR, int, unsigned long);

extern void pkcs11_addattr_bool(CK_ATTRIBUTE_PTR, int, int);

extern void pkcs11_addattr_s(CK_ATTRIBUTE_PTR, int, const char *);

extern void pkcs11_addattr_bn(CK_ATTRIBUTE_PTR, int, const BIGNUM *);

extern void pkcs11_addattr_obj(CK_ATTRIBUTE_PTR, int, pkcs11_i2d_fn, void *);

extern void pkcs11_zap_attrs(CK_ATTRIBUTE_PTR, unsigned int);

/* Internal implementation of current features */

/* Allocate the context */

extern PKCS11_CTX *pkcs11_CTX_new(void);

/* Specify any private PKCS#11 module initialization args, if necessary */

extern void pkcs11_CTX_init_args(PKCS11_CTX * ctx, const char * init_args);

/* Load a PKCS#11 module */

extern int pkcs11_CTX_load(PKCS11_CTX * ctx, const char * ident);

/* Reinitialize a PKCS#11 module (after a fork) */

extern int pkcs11_CTX_reload(PKCS11_CTX * ctx);

/* Unload a PKCS#11 module */

extern void pkcs11_CTX_unload(PKCS11_CTX * ctx);

/* Free a libp11 context */

extern void pkcs11_CTX_free(PKCS11_CTX * ctx);

/* Open a session in RO or RW mode */

extern int pkcs11_open_session(PKCS11_SLOT * slot, int rw, int relogin);

/* Get a list of all slots */

extern int pkcs11_enumerate_slots(PKCS11_CTX * ctx,

			PKCS11_SLOT **slotsp, unsigned int *nslotsp);

/* Get the slot_id from a slot as it is stored in private */

extern unsigned long pkcs11_get_slotid_from_slot(PKCS11_SLOT *slot);

/* Free the list of slots allocated by PKCS11_enumerate_slots() */

extern void pkcs11_release_all_slots(PKCS11_CTX * ctx,

			PKCS11_SLOT *slots, unsigned int nslots);

/* Find the first slot with a token */

extern PKCS11_SLOT *pkcs11_find_token(PKCS11_CTX * ctx,

			PKCS11_SLOT *slots, unsigned int nslots);

/* Find the next slot with a token */

extern PKCS11_SLOT *pkcs11_find_next_token(PKCS11_CTX * ctx,

			PKCS11_SLOT *slots, unsigned int nslots,

			PKCS11_SLOT *current);

/* Check if user is already authenticated to a card */

extern int pkcs11_is_logged_in(PKCS11_SLOT * slot, int so, int * res);

/* Authenticate to the card */

extern int pkcs11_login(PKCS11_SLOT * slot, int so, const char *pin, int relogin);

/* De-authenticate from the card */

extern int pkcs11_logout(PKCS11_SLOT * slot);

/* Authenticate a private the key operation if needed */

int pkcs11_authenticate(PKCS11_KEY *key);

/* Get a list of keys associated with this token */

extern int pkcs11_enumerate_keys(PKCS11_TOKEN *token, unsigned int type,

	PKCS11_KEY **keys, unsigned int *nkeys);

/* Remove a key from the token */

extern int pkcs11_remove_key(PKCS11_KEY *key);

/* Get the key type (as EVP_PKEY_XXX) */

extern int pkcs11_get_key_type(PKCS11_KEY *key);

/* Returns a EVP_PKEY object with the private or public key */

extern EVP_PKEY *pkcs11_get_key(PKCS11_KEY *key, int isPrivate);

/* Find the corresponding certificate (if any) */

extern PKCS11_CERT *pkcs11_find_certificate(PKCS11_KEY *key);

/* Find the corresponding key (if any) */

extern PKCS11_KEY *pkcs11_find_key(PKCS11_CERT *cert);

/* Find the corresponding key (if any)  pub <-> priv base on ID */

extern PKCS11_KEY *pkcs11_find_key_from_key(PKCS11_KEY *key);

/* Get a list of all certificates associated with this token */

extern int pkcs11_enumerate_certs(PKCS11_TOKEN *token,

	PKCS11_CERT **certs, unsigned int *ncerts);

/* Remove a certificate from the token */

extern int pkcs11_remove_certificate(PKCS11_CERT *key);

/* Set UI method to allow retrieving CKU_CONTEXT_SPECIFIC PINs interactively */

extern int pkcs11_set_ui_method(PKCS11_CTX *ctx,

	UI_METHOD *ui_method, void *ui_user_data);

/* Initialize a token */

extern int pkcs11_init_token(PKCS11_TOKEN * token, const char *pin,

	const char *label);

/* Initialize the user PIN on a token */

extern int pkcs11_init_pin(PKCS11_TOKEN * token, const char *pin);

/* Change the user PIN on a token */

extern int pkcs11_change_pin(PKCS11_SLOT * slot,

	const char *old_pin, const char *new_pin);

/* Store private key on a token */

extern int pkcs11_store_private_key(PKCS11_TOKEN * token,

	EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);

/* Store public key on a token */

extern int pkcs11_store_public_key(PKCS11_TOKEN * token,

	EVP_PKEY * pk, char *label, unsigned char *id, size_t id_len);

/* Store certificate on a token */

extern int pkcs11_store_certificate(PKCS11_TOKEN * token, X509 * x509,

		char *label, unsigned char *id, size_t id_len,

		PKCS11_CERT **ret_cert);

/* Access the random number generator */

extern int pkcs11_seed_random(PKCS11_SLOT *, const unsigned char *s, unsigned int s_len);

extern int pkcs11_generate_random(PKCS11_SLOT *, unsigned char *r, unsigned int r_len);

/* Internal implementation of deprecated features */

/* Generate and store a private key on the token */

extern int pkcs11_generate_key(PKCS11_TOKEN * token,

	int algorithm, unsigned int bits,

	char *label, unsigned char* id, size_t id_len);

/* Get the RSA key modulus size (in bytes) */

extern int pkcs11_get_key_size(PKCS11_KEY *);

/* Get the RSA key modules as BIGNUM */

extern int pkcs11_get_key_modulus(PKCS11_KEY *, BIGNUM **);

/* Get the RSA key public exponent as BIGNUM */

extern int pkcs11_get_key_exponent(PKCS11_KEY *, BIGNUM **);

/* Sign with the RSA private key */

extern int pkcs11_sign(int type,

	const unsigned char *m, unsigned int m_len,

	unsigned char *sigret, unsigned int *siglen, PKCS11_KEY * key);

/* This function has never been implemented */

extern int pkcs11_verify(int type,

	const unsigned char *m, unsigned int m_len,

	unsigned char *signature, unsigned int siglen, PKCS11_KEY * key);

/* Encrypts data using the private key */

extern int pkcs11_private_encrypt(

	int flen, const unsigned char *from,

	unsigned char *to, PKCS11_KEY * rsa, int padding);

/* Decrypts data using the private key */

extern int pkcs11_private_decrypt(

	int flen, const unsigned char *from,

	unsigned char *to, PKCS11_KEY * key, int padding);

/* Retrieve PKCS11_KEY from an RSA key */

extern PKCS11_KEY *pkcs11_get_ex_data_rsa(const RSA *rsa);

/* Retrieve PKCS11_KEY from an EC_KEY */

extern PKCS11_KEY *pkcs11_get_ex_data_ec(const EC_KEY *ec);

#endif

/* vim: set noexpandtab: */