Home | History | Annotate | Download | only in openssh
      1 /* $OpenBSD: ssh-pkcs11.c,v 1.6 2010/06/08 21:32:19 markus Exp $ */
      2 /*
      3  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
      4  *
      5  * Permission to use, copy, modify, and distribute this software for any
      6  * purpose with or without fee is hereby granted, provided that the above
      7  * copyright notice and this permission notice appear in all copies.
      8  *
      9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     16  */
     17 
     18 #include "includes.h"
     19 
     20 #ifdef ENABLE_PKCS11
     21 
     22 #include <sys/types.h>
     23 #ifdef HAVE_SYS_TIME_H
     24 # include <sys/time.h>
     25 #endif
     26 #include <stdarg.h>
     27 #include <stdio.h>
     28 
     29 #include <string.h>
     30 #include <dlfcn.h>
     31 
     32 #include "openbsd-compat/sys-queue.h"
     33 
     34 #define CRYPTOKI_COMPAT
     35 #include "pkcs11.h"
     36 
     37 #include "log.h"
     38 #include "misc.h"
     39 #include "key.h"
     40 #include "ssh-pkcs11.h"
     41 #include "xmalloc.h"
     42 
     43 struct pkcs11_slotinfo {
     44 	CK_TOKEN_INFO		token;
     45 	CK_SESSION_HANDLE	session;
     46 	int			logged_in;
     47 };
     48 
     49 struct pkcs11_provider {
     50 	char			*name;
     51 	void			*handle;
     52 	CK_FUNCTION_LIST	*function_list;
     53 	CK_INFO			info;
     54 	CK_ULONG		nslots;
     55 	CK_SLOT_ID		*slotlist;
     56 	struct pkcs11_slotinfo	*slotinfo;
     57 	int			valid;
     58 	int			refcount;
     59 	TAILQ_ENTRY(pkcs11_provider) next;
     60 };
     61 
     62 TAILQ_HEAD(, pkcs11_provider) pkcs11_providers;
     63 
     64 struct pkcs11_key {
     65 	struct pkcs11_provider	*provider;
     66 	CK_ULONG		slotidx;
     67 	int			(*orig_finish)(RSA *rsa);
     68 	RSA_METHOD		rsa_method;
     69 	char			*keyid;
     70 	int			keyid_len;
     71 };
     72 
     73 int pkcs11_interactive = 0;
     74 
     75 int
     76 pkcs11_init(int interactive)
     77 {
     78 	pkcs11_interactive = interactive;
     79 	TAILQ_INIT(&pkcs11_providers);
     80 	return (0);
     81 }
     82 
     83 /*
     84  * finalize a provider shared libarary, it's no longer usable.
     85  * however, there might still be keys referencing this provider,
     86  * so the actuall freeing of memory is handled by pkcs11_provider_unref().
     87  * this is called when a provider gets unregistered.
     88  */
     89 static void
     90 pkcs11_provider_finalize(struct pkcs11_provider *p)
     91 {
     92 	CK_RV rv;
     93 	CK_ULONG i;
     94 
     95 	debug("pkcs11_provider_finalize: %p refcount %d valid %d",
     96 	    p, p->refcount, p->valid);
     97 	if (!p->valid)
     98 		return;
     99 	for (i = 0; i < p->nslots; i++) {
    100 		if (p->slotinfo[i].session &&
    101 		    (rv = p->function_list->C_CloseSession(
    102 		    p->slotinfo[i].session)) != CKR_OK)
    103 			error("C_CloseSession failed: %lu", rv);
    104 	}
    105 	if ((rv = p->function_list->C_Finalize(NULL)) != CKR_OK)
    106 		error("C_Finalize failed: %lu", rv);
    107 	p->valid = 0;
    108 	p->function_list = NULL;
    109 	dlclose(p->handle);
    110 }
    111 
    112 /*
    113  * remove a reference to the provider.
    114  * called when a key gets destroyed or when the provider is unregistered.
    115  */
    116 static void
    117 pkcs11_provider_unref(struct pkcs11_provider *p)
    118 {
    119 	debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
    120 	if (--p->refcount <= 0) {
    121 		if (p->valid)
    122 			error("pkcs11_provider_unref: %p still valid", p);
    123 		xfree(p->slotlist);
    124 		xfree(p->slotinfo);
    125 		xfree(p);
    126 	}
    127 }
    128 
    129 /* unregister all providers, keys might still point to the providers */
    130 void
    131 pkcs11_terminate(void)
    132 {
    133 	struct pkcs11_provider *p;
    134 
    135 	while ((p = TAILQ_FIRST(&pkcs11_providers)) != NULL) {
    136 		TAILQ_REMOVE(&pkcs11_providers, p, next);
    137 		pkcs11_provider_finalize(p);
    138 		pkcs11_provider_unref(p);
    139 	}
    140 }
    141 
    142 /* lookup provider by name */
    143 static struct pkcs11_provider *
    144 pkcs11_provider_lookup(char *provider_id)
    145 {
    146 	struct pkcs11_provider *p;
    147 
    148 	TAILQ_FOREACH(p, &pkcs11_providers, next) {
    149 		debug("check %p %s", p, p->name);
    150 		if (!strcmp(provider_id, p->name))
    151 			return (p);
    152 	}
    153 	return (NULL);
    154 }
    155 
    156 /* unregister provider by name */
    157 int
    158 pkcs11_del_provider(char *provider_id)
    159 {
    160 	struct pkcs11_provider *p;
    161 
    162 	if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
    163 		TAILQ_REMOVE(&pkcs11_providers, p, next);
    164 		pkcs11_provider_finalize(p);
    165 		pkcs11_provider_unref(p);
    166 		return (0);
    167 	}
    168 	return (-1);
    169 }
    170 
    171 /* openssl callback for freeing an RSA key */
    172 static int
    173 pkcs11_rsa_finish(RSA *rsa)
    174 {
    175 	struct pkcs11_key	*k11;
    176 	int rv = -1;
    177 
    178 	if ((k11 = RSA_get_app_data(rsa)) != NULL) {
    179 		if (k11->orig_finish)
    180 			rv = k11->orig_finish(rsa);
    181 		if (k11->provider)
    182 			pkcs11_provider_unref(k11->provider);
    183 		if (k11->keyid)
    184 			xfree(k11->keyid);
    185 		xfree(k11);
    186 	}
    187 	return (rv);
    188 }
    189 
    190 /* find a single 'obj' for given attributes */
    191 static int
    192 pkcs11_find(struct pkcs11_provider *p, CK_ULONG slotidx, CK_ATTRIBUTE *attr,
    193     CK_ULONG nattr, CK_OBJECT_HANDLE *obj)
    194 {
    195 	CK_FUNCTION_LIST	*f;
    196 	CK_SESSION_HANDLE	session;
    197 	CK_ULONG		nfound = 0;
    198 	CK_RV			rv;
    199 	int			ret = -1;
    200 
    201 	f = p->function_list;
    202 	session = p->slotinfo[slotidx].session;
    203 	if ((rv = f->C_FindObjectsInit(session, attr, nattr)) != CKR_OK) {
    204 		error("C_FindObjectsInit failed (nattr %lu): %lu", nattr, rv);
    205 		return (-1);
    206 	}
    207 	if ((rv = f->C_FindObjects(session, obj, 1, &nfound)) != CKR_OK ||
    208 	    nfound != 1) {
    209 		debug("C_FindObjects failed (nfound %lu nattr %lu): %lu",
    210 		    nfound, nattr, rv);
    211 	} else
    212 		ret = 0;
    213 	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
    214 		error("C_FindObjectsFinal failed: %lu", rv);
    215 	return (ret);
    216 }
    217 
    218 /* openssl callback doing the actual signing operation */
    219 static int
    220 pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
    221     int padding)
    222 {
    223 	struct pkcs11_key	*k11;
    224 	struct pkcs11_slotinfo	*si;
    225 	CK_FUNCTION_LIST	*f;
    226 	CK_OBJECT_HANDLE	obj;
    227 	CK_ULONG		tlen = 0;
    228 	CK_RV			rv;
    229 	CK_OBJECT_CLASS		private_key_class = CKO_PRIVATE_KEY;
    230 	CK_BBOOL		true_val = CK_TRUE;
    231 	CK_MECHANISM		mech = {
    232 		CKM_RSA_PKCS, NULL_PTR, 0
    233 	};
    234 	CK_ATTRIBUTE		key_filter[] = {
    235 		{CKA_CLASS, NULL, sizeof(private_key_class) },
    236 		{CKA_ID, NULL, 0},
    237 		{CKA_SIGN, NULL, sizeof(true_val) }
    238 	};
    239 	char			*pin, prompt[1024];
    240 	int			rval = -1;
    241 
    242 	/* some compilers complain about non-constant initializer so we
    243 	   use NULL in CK_ATTRIBUTE above and set the values here */
    244 	key_filter[0].pValue = &private_key_class;
    245 	key_filter[2].pValue = &true_val;
    246 
    247 	if ((k11 = RSA_get_app_data(rsa)) == NULL) {
    248 		error("RSA_get_app_data failed for rsa %p", rsa);
    249 		return (-1);
    250 	}
    251 	if (!k11->provider || !k11->provider->valid) {
    252 		error("no pkcs11 (valid) provider for rsa %p", rsa);
    253 		return (-1);
    254 	}
    255 	f = k11->provider->function_list;
    256 	si = &k11->provider->slotinfo[k11->slotidx];
    257 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
    258 		if (!pkcs11_interactive) {
    259 			error("need pin");
    260 			return (-1);
    261 		}
    262 		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
    263 		    si->token.label);
    264 		pin = read_passphrase(prompt, RP_ALLOW_EOF);
    265 		if (pin == NULL)
    266 			return (-1);	/* bail out */
    267 		if ((rv = f->C_Login(si->session, CKU_USER, pin, strlen(pin)))
    268 		    != CKR_OK) {
    269 			xfree(pin);
    270 			error("C_Login failed: %lu", rv);
    271 			return (-1);
    272 		}
    273 		xfree(pin);
    274 		si->logged_in = 1;
    275 	}
    276 	key_filter[1].pValue = k11->keyid;
    277 	key_filter[1].ulValueLen = k11->keyid_len;
    278 	/* try to find object w/CKA_SIGN first, retry w/o */
    279 	if (pkcs11_find(k11->provider, k11->slotidx, key_filter, 3, &obj) < 0 &&
    280 	    pkcs11_find(k11->provider, k11->slotidx, key_filter, 2, &obj) < 0) {
    281 		error("cannot find private key");
    282 	} else if ((rv = f->C_SignInit(si->session, &mech, obj)) != CKR_OK) {
    283 		error("C_SignInit failed: %lu", rv);
    284 	} else {
    285 		/* XXX handle CKR_BUFFER_TOO_SMALL */
    286 		tlen = RSA_size(rsa);
    287 		rv = f->C_Sign(si->session, (CK_BYTE *)from, flen, to, &tlen);
    288 		if (rv == CKR_OK)
    289 			rval = tlen;
    290 		else
    291 			error("C_Sign failed: %lu", rv);
    292 	}
    293 	return (rval);
    294 }
    295 
    296 static int
    297 pkcs11_rsa_private_decrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
    298     int padding)
    299 {
    300 	return (-1);
    301 }
    302 
    303 /* redirect private key operations for rsa key to pkcs11 token */
    304 static int
    305 pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx,
    306     CK_ATTRIBUTE *keyid_attrib, RSA *rsa)
    307 {
    308 	struct pkcs11_key	*k11;
    309 	const RSA_METHOD	*def = RSA_get_default_method();
    310 
    311 	k11 = xcalloc(1, sizeof(*k11));
    312 	k11->provider = provider;
    313 	provider->refcount++;	/* provider referenced by RSA key */
    314 	k11->slotidx = slotidx;
    315 	/* identify key object on smartcard */
    316 	k11->keyid_len = keyid_attrib->ulValueLen;
    317 	k11->keyid = xmalloc(k11->keyid_len);
    318 	memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
    319 	k11->orig_finish = def->finish;
    320 	memcpy(&k11->rsa_method, def, sizeof(k11->rsa_method));
    321 	k11->rsa_method.name = "pkcs11";
    322 	k11->rsa_method.rsa_priv_enc = pkcs11_rsa_private_encrypt;
    323 	k11->rsa_method.rsa_priv_dec = pkcs11_rsa_private_decrypt;
    324 	k11->rsa_method.finish = pkcs11_rsa_finish;
    325 	RSA_set_method(rsa, &k11->rsa_method);
    326 	RSA_set_app_data(rsa, k11);
    327 	return (0);
    328 }
    329 
    330 /* remove trailing spaces */
    331 static void
    332 rmspace(char *buf, size_t len)
    333 {
    334 	size_t i;
    335 
    336 	if (!len)
    337 		return;
    338 	for (i = len - 1;  i > 0; i--)
    339 		if (i == len - 1 || buf[i] == ' ')
    340 			buf[i] = '\0';
    341 		else
    342 			break;
    343 }
    344 
    345 /*
    346  * open a pkcs11 session and login if required.
    347  * if pin == NULL we delay login until key use
    348  */
    349 static int
    350 pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
    351 {
    352 	CK_RV			rv;
    353 	CK_FUNCTION_LIST	*f;
    354 	CK_SESSION_HANDLE	session;
    355 	int			login_required;
    356 
    357 	f = p->function_list;
    358 	login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED;
    359 	if (pin && login_required && !strlen(pin)) {
    360 		error("pin required");
    361 		return (-1);
    362 	}
    363 	if ((rv = f->C_OpenSession(p->slotlist[slotidx], CKF_RW_SESSION|
    364 	    CKF_SERIAL_SESSION, NULL, NULL, &session))
    365 	    != CKR_OK) {
    366 		error("C_OpenSession failed: %lu", rv);
    367 		return (-1);
    368 	}
    369 	if (login_required && pin) {
    370 		if ((rv = f->C_Login(session, CKU_USER, pin, strlen(pin)))
    371 		    != CKR_OK) {
    372 			error("C_Login failed: %lu", rv);
    373 			if ((rv = f->C_CloseSession(session)) != CKR_OK)
    374 				error("C_CloseSession failed: %lu", rv);
    375 			return (-1);
    376 		}
    377 		p->slotinfo[slotidx].logged_in = 1;
    378 	}
    379 	p->slotinfo[slotidx].session = session;
    380 	return (0);
    381 }
    382 
    383 /*
    384  * lookup public keys for token in slot identified by slotidx,
    385  * add 'wrapped' public keys to the 'keysp' array and increment nkeys.
    386  * keysp points to an (possibly empty) array with *nkeys keys.
    387  */
    388 static int
    389 pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, Key ***keysp,
    390     int *nkeys)
    391 {
    392 	Key			*key;
    393 	RSA			*rsa;
    394 	int			i;
    395 	CK_RV			rv;
    396 	CK_OBJECT_HANDLE	obj;
    397 	CK_ULONG		nfound;
    398 	CK_SESSION_HANDLE	session;
    399 	CK_FUNCTION_LIST	*f;
    400 	CK_OBJECT_CLASS		pubkey_class = CKO_PUBLIC_KEY;
    401 	CK_ATTRIBUTE		pubkey_filter[] = {
    402 		{ CKA_CLASS, NULL, sizeof(pubkey_class) }
    403 	};
    404 	CK_ATTRIBUTE		attribs[] = {
    405 		{ CKA_ID, NULL, 0 },
    406 		{ CKA_MODULUS, NULL, 0 },
    407 		{ CKA_PUBLIC_EXPONENT, NULL, 0 }
    408 	};
    409 
    410 	/* some compilers complain about non-constant initializer so we
    411 	   use NULL in CK_ATTRIBUTE above and set the value here */
    412 	pubkey_filter[0].pValue = &pubkey_class;
    413 
    414 	f = p->function_list;
    415 	session = p->slotinfo[slotidx].session;
    416 	/* setup a filter the looks for public keys */
    417 	if ((rv = f->C_FindObjectsInit(session, pubkey_filter, 1)) != CKR_OK) {
    418 		error("C_FindObjectsInit failed: %lu", rv);
    419 		return (-1);
    420 	}
    421 	while (1) {
    422 		/* XXX 3 attributes in attribs[] */
    423 		for (i = 0; i < 3; i++) {
    424 			attribs[i].pValue = NULL;
    425 			attribs[i].ulValueLen = 0;
    426 		}
    427 		if ((rv = f->C_FindObjects(session, &obj, 1, &nfound)) != CKR_OK
    428 		    || nfound == 0)
    429 			break;
    430 		/* found a key, so figure out size of the attributes */
    431 		if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
    432 		    != CKR_OK) {
    433 			error("C_GetAttributeValue failed: %lu", rv);
    434 			continue;
    435 		}
    436 		/* check that none of the attributes are zero length */
    437 		if (attribs[0].ulValueLen == 0 ||
    438 		    attribs[1].ulValueLen == 0 ||
    439 		    attribs[2].ulValueLen == 0) {
    440 			continue;
    441 		}
    442 		/* allocate buffers for attributes */
    443 		for (i = 0; i < 3; i++)
    444 			attribs[i].pValue = xmalloc(attribs[i].ulValueLen);
    445 		/* retrieve ID, modulus and public exponent of RSA key */
    446 		if ((rv = f->C_GetAttributeValue(session, obj, attribs, 3))
    447 		    != CKR_OK) {
    448 			error("C_GetAttributeValue failed: %lu", rv);
    449 		} else if ((rsa = RSA_new()) == NULL) {
    450 			error("RSA_new failed");
    451 		} else {
    452 			rsa->n = BN_bin2bn(attribs[1].pValue,
    453 			    attribs[1].ulValueLen, NULL);
    454 			rsa->e = BN_bin2bn(attribs[2].pValue,
    455 			    attribs[2].ulValueLen, NULL);
    456 			if (rsa->n && rsa->e &&
    457 			    pkcs11_rsa_wrap(p, slotidx, &attribs[0], rsa) == 0) {
    458 				key = key_new(KEY_UNSPEC);
    459 				key->rsa = rsa;
    460 				key->type = KEY_RSA;
    461 				key->flags |= KEY_FLAG_EXT;
    462 				/* expand key array and add key */
    463 				*keysp = xrealloc(*keysp, *nkeys + 1,
    464 				    sizeof(Key *));
    465 				(*keysp)[*nkeys] = key;
    466 				*nkeys = *nkeys + 1;
    467 				debug("have %d keys", *nkeys);
    468 			} else {
    469 				RSA_free(rsa);
    470 			}
    471 		}
    472 		for (i = 0; i < 3; i++)
    473 			xfree(attribs[i].pValue);
    474 	}
    475 	if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)
    476 		error("C_FindObjectsFinal failed: %lu", rv);
    477 	return (0);
    478 }
    479 
    480 /* register a new provider, fails if provider already exists */
    481 int
    482 pkcs11_add_provider(char *provider_id, char *pin, Key ***keyp)
    483 {
    484 	int nkeys, need_finalize = 0;
    485 	struct pkcs11_provider *p = NULL;
    486 	void *handle = NULL;
    487 	CK_RV (*getfunctionlist)(CK_FUNCTION_LIST **);
    488 	CK_RV rv;
    489 	CK_FUNCTION_LIST *f = NULL;
    490 	CK_TOKEN_INFO *token;
    491 	CK_ULONG i;
    492 
    493 	*keyp = NULL;
    494 	if (pkcs11_provider_lookup(provider_id) != NULL) {
    495 		error("provider already registered: %s", provider_id);
    496 		goto fail;
    497 	}
    498 	/* open shared pkcs11-libarary */
    499 	if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) {
    500 		error("dlopen %s failed: %s", provider_id, dlerror());
    501 		goto fail;
    502 	}
    503 	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
    504 		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
    505 		goto fail;
    506 	}
    507 	p = xcalloc(1, sizeof(*p));
    508 	p->name = xstrdup(provider_id);
    509 	p->handle = handle;
    510 	/* setup the pkcs11 callbacks */
    511 	if ((rv = (*getfunctionlist)(&f)) != CKR_OK) {
    512 		error("C_GetFunctionList failed: %lu", rv);
    513 		goto fail;
    514 	}
    515 	p->function_list = f;
    516 	if ((rv = f->C_Initialize(NULL)) != CKR_OK) {
    517 		error("C_Initialize failed: %lu", rv);
    518 		goto fail;
    519 	}
    520 	need_finalize = 1;
    521 	if ((rv = f->C_GetInfo(&p->info)) != CKR_OK) {
    522 		error("C_GetInfo failed: %lu", rv);
    523 		goto fail;
    524 	}
    525 	rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
    526 	rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
    527 	debug("manufacturerID <%s> cryptokiVersion %d.%d"
    528 	    " libraryDescription <%s> libraryVersion %d.%d",
    529 	    p->info.manufacturerID,
    530 	    p->info.cryptokiVersion.major,
    531 	    p->info.cryptokiVersion.minor,
    532 	    p->info.libraryDescription,
    533 	    p->info.libraryVersion.major,
    534 	    p->info.libraryVersion.minor);
    535 	if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) {
    536 		error("C_GetSlotList failed: %lu", rv);
    537 		goto fail;
    538 	}
    539 	if (p->nslots == 0) {
    540 		error("no slots");
    541 		goto fail;
    542 	}
    543 	p->slotlist = xcalloc(p->nslots, sizeof(CK_SLOT_ID));
    544 	if ((rv = f->C_GetSlotList(CK_TRUE, p->slotlist, &p->nslots))
    545 	    != CKR_OK) {
    546 		error("C_GetSlotList failed: %lu", rv);
    547 		goto fail;
    548 	}
    549 	p->slotinfo = xcalloc(p->nslots, sizeof(struct pkcs11_slotinfo));
    550 	p->valid = 1;
    551 	nkeys = 0;
    552 	for (i = 0; i < p->nslots; i++) {
    553 		token = &p->slotinfo[i].token;
    554 		if ((rv = f->C_GetTokenInfo(p->slotlist[i], token))
    555 		    != CKR_OK) {
    556 			error("C_GetTokenInfo failed: %lu", rv);
    557 			continue;
    558 		}
    559 		rmspace(token->label, sizeof(token->label));
    560 		rmspace(token->manufacturerID, sizeof(token->manufacturerID));
    561 		rmspace(token->model, sizeof(token->model));
    562 		rmspace(token->serialNumber, sizeof(token->serialNumber));
    563 		debug("label <%s> manufacturerID <%s> model <%s> serial <%s>"
    564 		    " flags 0x%lx",
    565 		    token->label, token->manufacturerID, token->model,
    566 		    token->serialNumber, token->flags);
    567 		/* open session, login with pin and retrieve public keys */
    568 		if (pkcs11_open_session(p, i, pin) == 0)
    569 			pkcs11_fetch_keys(p, i, keyp, &nkeys);
    570 	}
    571 	if (nkeys > 0) {
    572 		TAILQ_INSERT_TAIL(&pkcs11_providers, p, next);
    573 		p->refcount++;	/* add to provider list */
    574 		return (nkeys);
    575 	}
    576 	error("no keys");
    577 	/* don't add the provider, since it does not have any keys */
    578 fail:
    579 	if (need_finalize && (rv = f->C_Finalize(NULL)) != CKR_OK)
    580 		error("C_Finalize failed: %lu", rv);
    581 	if (p) {
    582 		if (p->slotlist)
    583 			xfree(p->slotlist);
    584 		if (p->slotinfo)
    585 			xfree(p->slotinfo);
    586 		xfree(p);
    587 	}
    588 	if (handle)
    589 		dlclose(handle);
    590 	return (-1);
    591 }
    592 
    593 #else
    594 
    595 int
    596 pkcs11_init(int interactive)
    597 {
    598 	return (0);
    599 }
    600 
    601 void
    602 pkcs11_terminate(void)
    603 {
    604 	return;
    605 }
    606 
    607 #endif /* ENABLE_PKCS11 */
    608