Differences From Artifact [e8f3ee7748]:
- File cackey.c — part of check-in [0233c7b5fe] at 2010-05-15 00:39:44 on branch trunk — Updated to censor PIN in debugging output (user: rkeene, size: 143682) [annotate] [blame] [check-ins using]
To Artifact [4cc11579bd]:
- File
cackey.c
— part of check-in
[eaa9f36a2b]
at
2010-05-17 00:20:06
on branch trunk
— Fixed issues with signdecrypt buffer sizes
Centralized reading of identities
Added debugging to determine why wrong applet ID is being stored in identity (user: rkeene, size: 144712) [annotate] [blame] [check-ins using]
1757 1757 curr_id = &certs[outidx]; 1758 1758 outidx++; 1759 1759 1760 1760 memcpy(curr_id->applet, curr_aid, sizeof(curr_id->applet)); 1761 1761 curr_id->file = ccc_curr->value_cardurl->objectid; 1762 1762 curr_id->label = NULL; 1763 1763 1764 + CACKEY_DEBUG_PRINTF("Filling curr_id->applet (%p) with %lu bytes:", curr_id->applet, (unsigned long) sizeof(curr_id->applet)); 1765 + CACKEY_DEBUG_PRINTBUF("VAL:", curr_id->applet, sizeof(curr_id->applet)); 1766 + 1764 1767 curr_id->certificate_len = app_curr->length; 1765 1768 1766 1769 curr_id->certificate = malloc(curr_id->certificate_len); 1767 1770 memcpy(curr_id->certificate, app_curr->value, curr_id->certificate_len); 1768 1771 1769 1772 if (outidx >= *count) { 1770 1773 if (certs_resizable) { ................................................................................ 1809 1812 * 1810 1813 * NOTES 1811 1814 * ... 1812 1815 * 1813 1816 */ 1814 1817 static ssize_t cackey_signdecrypt(struct cackey_slot *slot, struct cackey_identity *identity, unsigned char *buf, size_t buflen, unsigned char *outbuf, size_t outbuflen) { 1815 1818 cackey_ret send_ret; 1819 + int le; 1816 1820 1817 1821 CACKEY_DEBUG_PRINTF("Called."); 1818 1822 1819 1823 if (buflen > 255) { 1820 1824 CACKEY_DEBUG_PRINTF("Error. buflen is greater than 255 (buflen = %lu)", (unsigned long) buflen); 1821 1825 1822 1826 return(-1); 1823 1827 } 1824 1828 1825 - if (outbuflen > 255) { 1826 - CACKEY_DEBUG_PRINTF("Error. outbuflen is grater than 255 (outbuflen = %lu)", (unsigned long) outbuflen); 1827 - 1828 - return(-1); 1829 + if (outbuflen > 253) { 1830 + le = 253; 1831 + } else { 1832 + le = outbuflen; 1829 1833 } 1830 1834 1831 1835 if (slot == NULL) { 1832 1836 CACKEY_DEBUG_PRINTF("Error. slot is NULL"); 1833 1837 1834 1838 return(-1); 1835 1839 } ................................................................................ 1846 1850 return(-1); 1847 1851 } 1848 1852 1849 1853 /* Begin transaction */ 1850 1854 cackey_begin_transaction(slot); 1851 1855 1852 1856 /* Select correct applet */ 1857 + CACKEY_DEBUG_PRINTF("Selecting applet found at %p ...", identity->identity->applet); 1853 1858 cackey_select_applet(slot, identity->identity->applet, sizeof(identity->identity->applet)); 1854 1859 1855 1860 /* Select correct file */ 1856 1861 cackey_select_file(slot, identity->identity->file); 1857 1862 1858 - send_ret = cackey_send_apdu(slot, GSCIS_CLASS_GLOBAL_PLATFORM, GSCIS_INSTR_SIGNDECRYPT, 0x00, 0x00, buflen, buf, outbuflen, NULL, outbuf, &outbuflen); 1863 + send_ret = cackey_send_apdu(slot, GSCIS_CLASS_GLOBAL_PLATFORM, GSCIS_INSTR_SIGNDECRYPT, 0x00, 0x00, buflen, buf, le, NULL, outbuf, &outbuflen); 1859 1864 if (send_ret != CACKEY_PCSC_S_OK) { 1860 1865 CACKEY_DEBUG_PRINTF("ADPU Sending Failed -- returning in error."); 1861 1866 1862 1867 /* End transaction */ 1863 1868 cackey_end_transaction(slot); 1864 1869 1865 1870 return(-1); ................................................................................ 2110 2115 } 2111 2116 2112 2117 CACKEY_DEBUG_PRINTF("Returning sucessfully (0)"); 2113 2118 2114 2119 return(0); 2115 2120 } 2116 2121 2117 -static void cackey_free_identities(struct cackey_identity *identities, unsigned long identities_count) { 2118 - CK_ATTRIBUTE *curr_attr; 2119 - unsigned long id_idx, attr_idx; 2120 - 2121 - if (identities == NULL || identities_count == 0) { 2122 - return; 2123 - } 2124 - 2125 - for (id_idx = 0; id_idx < identities_count; id_idx++) { 2126 - if (identities[id_idx].attributes) { 2127 - for (attr_idx = 0; attr_idx < identities[id_idx].attributes_count; attr_idx++) { 2128 - curr_attr = &identities[id_idx].attributes[attr_idx]; 2129 - 2130 - if (curr_attr->pValue) { 2131 - free(curr_attr->pValue); 2132 - } 2133 - } 2134 - 2135 - free(identities[id_idx].attributes); 2136 - } 2137 - } 2138 - 2139 - free(identities); 2140 -} 2141 - 2142 2122 static CK_ATTRIBUTE_PTR cackey_get_attributes(CK_OBJECT_CLASS objectclass, struct cackey_pcsc_identity *identity, unsigned long identity_num, CK_ULONG_PTR pulCount) { 2143 2123 static CK_BBOOL ck_true = 1; 2144 2124 static CK_BBOOL ck_false = 0; 2145 2125 CK_ULONG numattrs = 0, retval_count; 2146 2126 CK_ATTRIBUTE_TYPE curr_attr_type; 2147 2127 CK_ATTRIBUTE curr_attr, *retval; 2148 2128 CK_VOID_PTR pValue; ................................................................................ 2477 2457 2478 2458 *pulCount = numattrs; 2479 2459 2480 2460 CACKEY_DEBUG_PRINTF("Returning %lu objects (%p).", numattrs, retval); 2481 2461 2482 2462 return(retval); 2483 2463 } 2464 + 2465 +static void cackey_free_identities(struct cackey_identity *identities, unsigned long identities_count) { 2466 + CK_ATTRIBUTE *curr_attr; 2467 + unsigned long id_idx, attr_idx; 2468 + 2469 + if (identities == NULL || identities_count == 0) { 2470 + return; 2471 + } 2472 + 2473 + for (id_idx = 0; id_idx < identities_count; id_idx++) { 2474 + if (identities[id_idx].attributes) { 2475 + for (attr_idx = 0; attr_idx < identities[id_idx].attributes_count; attr_idx++) { 2476 + curr_attr = &identities[id_idx].attributes[attr_idx]; 2477 + 2478 + if (curr_attr->pValue) { 2479 + free(curr_attr->pValue); 2480 + } 2481 + } 2482 + 2483 + free(identities[id_idx].attributes); 2484 + } 2485 + } 2486 + 2487 + free(identities); 2488 +} 2489 + 2490 +static struct cackey_identity *cackey_read_identities(struct cackey_slot *slot, unsigned long *ids_found) { 2491 + struct cackey_pcsc_identity *pcsc_identities; 2492 + struct cackey_identity *identities; 2493 + unsigned long num_ids, id_idx, curr_id_type; 2494 + unsigned long num_certs, cert_idx; 2495 + 2496 + CACKEY_DEBUG_PRINTF("Called."); 2497 + 2498 + if (ids_found == NULL) { 2499 + CACKEY_DEBUG_PRINTF("Error. ids_found is NULL"); 2500 + 2501 + return(NULL); 2502 + } 2503 + 2504 + pcsc_identities = cackey_read_certs(slot, NULL, &num_certs); 2505 + if (pcsc_identities != NULL) { 2506 + /* Convert number of Certs to number of objects */ 2507 + num_ids = (CKO_PRIVATE_KEY - CKO_CERTIFICATE + 1) * num_certs; 2508 + 2509 + identities = malloc(num_ids * sizeof(*identities)); 2510 + 2511 + id_idx = 0; 2512 + for (cert_idx = 0; cert_idx < num_certs; cert_idx++) { 2513 + for (curr_id_type = CKO_CERTIFICATE; curr_id_type <= CKO_PRIVATE_KEY; curr_id_type++) { 2514 + identities[id_idx].attributes = cackey_get_attributes(curr_id_type, &pcsc_identities[cert_idx], cert_idx, &identities[id_idx].attributes_count); 2515 + 2516 + if (identities[id_idx].attributes == NULL) { 2517 + identities[id_idx].attributes_count = 0; 2518 + } 2519 + 2520 + id_idx++; 2521 + } 2522 + } 2523 + 2524 + cackey_free_certs(pcsc_identities, num_certs, 1); 2525 + 2526 + *ids_found = num_ids; 2527 + return(identities); 2528 + } 2529 + 2530 + *ids_found = 0; 2531 + return(NULL); 2532 +} 2484 2533 2485 2534 CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(CK_VOID_PTR pInitArgs) { 2486 2535 CK_C_INITIALIZE_ARGS CK_PTR args; 2487 2536 uint32_t idx; 2488 2537 int mutex_init_ret; 2489 2538 2490 2539 CACKEY_DEBUG_PRINTF("Called."); ................................................................................ 3171 3220 3172 3221 cackey_mutex_unlock(cackey_biglock); 3173 3222 3174 3223 return(CKR_SLOT_ID_INVALID); 3175 3224 } 3176 3225 3177 3226 /* Verify that the card is actually in the slot. */ 3227 + /* XXX: Check to make sure this is in the PKCS#11 specification */ 3178 3228 if (cackey_token_present(&cackey_slots[slotID]) != CACKEY_PCSC_S_TOKENPRESENT) { 3179 3229 CACKEY_DEBUG_PRINTF("Error. Card not present. Returning CKR_DEVICE_REMOVED"); 3180 3230 3181 3231 cackey_mutex_unlock(cackey_biglock); 3182 3232 3183 3233 return(CKR_DEVICE_REMOVED); 3184 3234 } ................................................................................ 3201 3251 cackey_sessions[idx].identities_count = 0; 3202 3252 3203 3253 cackey_sessions[idx].search_active = 0; 3204 3254 3205 3255 cackey_sessions[idx].sign_active = 0; 3206 3256 3207 3257 cackey_sessions[idx].decrypt_active = 0; 3258 + 3259 + cackey_sessions[idx].identities = cackey_read_identities(&cackey_slots[slotID], &cackey_sessions[idx].identities_count); 3260 + 3208 3261 3209 3262 break; 3210 3263 } 3211 3264 } 3212 3265 3213 3266 mutex_retval = cackey_mutex_unlock(cackey_biglock); 3214 3267 if (mutex_retval != 0) { ................................................................................ 3721 3774 3722 3775 CACKEY_DEBUG_PRINTF("Returning CKR_FUNCTION_NOT_SUPPORTED (%i)", CKR_FUNCTION_NOT_SUPPORTED); 3723 3776 3724 3777 return(CKR_FUNCTION_NOT_SUPPORTED); 3725 3778 } 3726 3779 3727 3780 CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { 3728 - struct cackey_pcsc_identity *pcsc_identities; 3729 - struct cackey_identity *identities; 3730 - unsigned long num_ids, id_idx, curr_id_type; 3731 - unsigned long num_certs, cert_idx; 3732 3781 int mutex_retval; 3733 3782 3734 3783 CACKEY_DEBUG_PRINTF("Called."); 3735 3784 3736 3785 if (!cackey_initialized) { 3737 3786 CACKEY_DEBUG_PRINTF("Error. Not initialized."); 3738 3787 ................................................................................ 3778 3827 cackey_sessions[hSession].identities_count = 0; 3779 3828 } 3780 3829 3781 3830 cackey_slots[cackey_sessions[hSession].slotID].slot_reset = 0; 3782 3831 } 3783 3832 3784 3833 if (cackey_sessions[hSession].identities == NULL) { 3785 - pcsc_identities = cackey_read_certs(&cackey_slots[cackey_sessions[hSession].slotID], NULL, &num_certs); 3786 - if (pcsc_identities != NULL) { 3787 - /* Convert number of Certs to number of objects */ 3788 - num_ids = (CKO_PRIVATE_KEY - CKO_CERTIFICATE + 1) * num_certs; 3789 - 3790 - identities = malloc(num_ids * sizeof(*identities)); 3791 - 3792 - id_idx = 0; 3793 - for (cert_idx = 0; cert_idx < num_certs; cert_idx++) { 3794 - for (curr_id_type = CKO_CERTIFICATE; curr_id_type <= CKO_PRIVATE_KEY; curr_id_type++) { 3795 - identities[id_idx].attributes = cackey_get_attributes(curr_id_type, &pcsc_identities[cert_idx], cert_idx, &identities[id_idx].attributes_count); 3796 - 3797 - if (identities[id_idx].attributes == NULL) { 3798 - identities[id_idx].attributes_count = 0; 3799 - } 3800 - 3801 - id_idx++; 3802 - } 3803 - } 3804 - 3805 - cackey_sessions[hSession].identities = identities; 3806 - cackey_sessions[hSession].identities_count = num_ids; 3807 - 3808 - cackey_free_certs(pcsc_identities, num_certs, 1); 3809 - } 3834 + cackey_sessions[hSession].identities = cackey_read_identities(&cackey_slots[cackey_sessions[hSession].slotID], &cackey_sessions[hSession].identities_count); 3810 3835 } 3811 3836 3812 3837 if (pTemplate != NULL) { 3813 3838 if (ulCount != 0) { 3814 3839 cackey_sessions[hSession].search_query_count = ulCount; 3815 3840 cackey_sessions[hSession].search_query = malloc(ulCount * sizeof(*pTemplate)); 3816 3841 ................................................................................ 4538 4563 cackey_sessions[hSession].sign_active = 1; 4539 4564 4540 4565 cackey_sessions[hSession].sign_mechanism = pMechanism->mechanism; 4541 4566 4542 4567 cackey_sessions[hSession].sign_buflen = 128; 4543 4568 cackey_sessions[hSession].sign_bufused = 0; 4544 4569 cackey_sessions[hSession].sign_buf = malloc(sizeof(*cackey_sessions[hSession].sign_buf) * cackey_sessions[hSession].sign_buflen); 4570 + 4571 + CACKEY_DEBUG_PRINTF("Session %lu sign_identity is %p (identitie #%lu)", (unsigned long) hSession, &cackey_sessions[hSession].identities[hKey], (unsigned long) hKey); 4545 4572 cackey_sessions[hSession].sign_identity = &cackey_sessions[hSession].identities[hKey]; 4546 4573 4547 4574 mutex_retval = cackey_mutex_unlock(cackey_biglock); 4548 4575 if (mutex_retval != 0) { 4549 4576 CACKEY_DEBUG_PRINTF("Error. Unlocking failed."); 4550 4577 4551 4578 return(CKR_GENERAL_ERROR); ................................................................................ 4730 4757 4731 4758 return(CKR_OPERATION_NOT_INITIALIZED); 4732 4759 } 4733 4760 4734 4761 switch (cackey_sessions[hSession].sign_mechanism) { 4735 4762 case CKM_RSA_PKCS: 4736 4763 /* Ask card to sign */ 4764 + CACKEY_DEBUG_PRINTF("Asking to decrypt from identity %p in session %lu", cackey_sessions[hSession].sign_identity, (unsigned long) hSession); 4737 4765 sigbuflen = cackey_signdecrypt(&cackey_slots[cackey_sessions[hSession].slotID], cackey_sessions[hSession].sign_identity, cackey_sessions[hSession].sign_buf, cackey_sessions[hSession].sign_buflen, sigbuf, sizeof(sigbuf)); 4738 4766 4739 4767 if (sigbuflen < 0) { 4740 4768 /* Signing failed. */ 4741 4769 retval = CKR_GENERAL_ERROR; 4742 4770 } else if (((unsigned long) sigbuflen) > *pulSignatureLen && pSignature) { 4743 4771 /* Signed data too large */