Tree - rpms/coolkey - CentOS Git server

rpms / coolkey

Blame SOURCES/coolkey-1.1.0-cardos-5-3.patch

Blob History Raw

		d98f6e	`diff -up ./src/coolkey/object.cpp.cardos-5-3 ./src/coolkey/object.cpp`
		d98f6e	`--- ./src/coolkey/object.cpp.cardos-5-3 2017-03-16 17:14:02.415338726 -0700`
		d98f6e	`+++ ./src/coolkey/object.cpp 2017-03-16 17:14:02.419338794 -0700`
		d98f6e	`@@ -32,7 +32,7 @@ const CKYByte eccOID[] = {0x2a,0x86,0x48`
		d98f6e	`void dump(const char label, const CKYBuffer buf)`
		d98f6e	`{`
		d98f6e	`CKYSize i;`
		d98f6e	`- CKYSize size = CKYBuffer_Size(buf);`
		d98f6e	`+ CKYSize size = buf ? CKYBuffer_Size(buf) : 0;`
		d98f6e	`#define ROW_LENGTH 60`
		d98f6e	`char string[ROW_LENGTH+1];`
		d98f6e	`char *bp = &string[0];`
		d98f6e	`diff -up ./src/coolkey/object.h.cardos-5-3 ./src/coolkey/object.h`
		d98f6e	`--- ./src/coolkey/object.h.cardos-5-3 2017-03-16 17:14:02.415338726 -0700`
		d98f6e	`+++ ./src/coolkey/object.h 2017-03-16 17:14:02.419338794 -0700`
		d98f6e	`@@ -200,9 +200,11 @@ class PKCS11Object {`
		d98f6e	`CK_USER_TYPE getUser(void) const { return user; }`
		d98f6e	`void setKeyType(KeyType theType) { keyType = theType; }`
		d98f6e	`void setKeySize(unsigned int keySize_) { keySize = keySize_; }`
		d98f6e	`+ void setUser(CK_USER_TYPE user_) { user = user_; }`
		d98f6e	`const CKYBuffer *getAuthId(void) const { return &authId; }`
		d98f6e	`const CKYBuffer *getPinAuthId(void) const { return &pinAuthId; }`
		d98f6e	`const PK15ObjectPath &getObjectPath() const { return objectPath; }`
		d98f6e	`+ void setObjectPath(const PK15ObjectPath &newPath) { objectPath = newPath; }`
		d98f6e	`void completeKey(const PKCS11Object &cert);`
		d98f6e	`};`
		d98f6e
		d98f6e	`@@ -308,6 +310,7 @@ class PK15Object : public PKCS11Object {`
		d98f6e	`bool isLocal(void) const { return`
		d98f6e	`(pinInfo.pinFlags & P15PinLocal) ? true : false; }`
		d98f6e	`const P15PinInfo *getPinInfo(void) const { return &pinInfo; }`
		d98f6e	`+ void setPinRef(CK_BYTE pinRef) { pinInfo.pinRef = pinRef; }`
		d98f6e	`};`
		d98f6e
		d98f6e	`class Reader : public PKCS11Object {`
		d98f6e	`diff -up ./src/coolkey/slot.cpp.cardos-5-3 ./src/coolkey/slot.cpp`
		d98f6e	`--- ./src/coolkey/slot.cpp.cardos-5-3 2017-03-16 17:14:02.416338743 -0700`
		d98f6e	`+++ ./src/coolkey/slot.cpp 2017-03-17 13:48:26.661205327 -0700`
		d98f6e	`@@ -41,6 +41,7 @@`
		d98f6e	`#define PRINTF(args)`
		d98f6e	`#endif`
		d98f6e	`// #define DISPLAY_WHOLE_GET_DATA 1`
		d98f6e	`+void dump(const char label, const CKYBuffer buf);`
		d98f6e
		d98f6e
		d98f6e	`// The Cyberflex Access 32k egate ATR`
		d98f6e	`@@ -467,6 +468,8 @@ Slot::Slot(const char *readerName_, Log`
		d98f6e	`}`
		d98f6e	`CKYBuffer_InitEmpty(&cardATR);`
		d98f6e	`CKYBuffer_InitEmpty(&mCUID);`
		d98f6e	`+ CKYBuffer_InitEmpty(&candidateUserAuthId);`
		d98f6e	`+ CKYBuffer_InitEmpty(&candidateContextSpecificAuthId);`
		d98f6e	`for (int i=0; i < MAX_CERT_SLOTS; i++) {`
		d98f6e	`CKYBuffer_InitEmpty(&cardAID[i]);`
		d98f6e	`}`
		d98f6e	`@@ -540,6 +543,8 @@ Slot::~Slot()`
		d98f6e	`CKYBuffer_FreeData(&nonce);`
		d98f6e	`CKYBuffer_FreeData(&cardATR);`
		d98f6e	`CKYBuffer_FreeData(&mCUID);`
		d98f6e	`+ CKYBuffer_FreeData(&candidateUserAuthId);`
		d98f6e	`+ CKYBuffer_FreeData(&candidateContextSpecificAuthId);`
		d98f6e	`CKYBuffer_FreeData(&p15AID);`
		d98f6e	`CKYBuffer_FreeData(&p15odf);`
		d98f6e	`CKYBuffer_FreeData(&p15tokenInfo);`
		d98f6e	`@@ -1272,6 +1277,41 @@ class ObjectKeyCKAIDMatch {`
		d98f6e	`}`
		d98f6e	`};`
		d98f6e
		d98f6e	`+#ifdef DEBUG`
		d98f6e	`+void`
		d98f6e	`+dumpPin(const char label, const PK15Object pin)`
		d98f6e	`+{`
		d98f6e	`+ const P15PinInfo *pinInfo = pin->getPinInfo();`
		d98f6e	`+ const PK15ObjectPath &pinPath=pin->getObjectPath();`
		d98f6e	`+ unsigned int pin_type = (unsigned int) pinInfo->pinType;`
		d98f6e	`+ const char *pin_name[3] = {"BCD", "ASCIINum", "UTF8" };`
		d98f6e	`+`
		d98f6e	`+ printf("Pin Object %s\n",label);`
		d98f6e	`+ printf(" Pin flags=0x%08lx\n",pinInfo->pinFlags);`
		d98f6e	`+ printf(" Pin type=%d (%s)\n",(int) pin_type,`
		d98f6e	`+ pin_type < 3U ? pin_name[pin_type] :`
		d98f6e	`+ "Invalid");`
		d98f6e	`+ printf(" Pin length= %d (%d - %d)\n",(int)pinInfo->storedLength,`
		d98f6e	`+ (int)pinInfo->minLength,`
		d98f6e	`+ (int)pinInfo->maxLength);`
		d98f6e	`+ printf(" Pin pad = 0x%02x,<%c>\n", pinInfo->padChar, pinInfo->padChar);`
		d98f6e	`+ printf(" Pin Ref = 0x%02x\n", pinInfo->pinRef);`
		d98f6e	`+ printf(" Pin Path index = %ld\n",(long)pinPath.getIndex());`
		d98f6e	`+ printf(" Pin Path size = %ld\n",(long)pinPath.getLength());`
		d98f6e	`+ dump(" Pin Path:",pinPath.getPath());`
		d98f6e	`+}`
		d98f6e	`+`
		d98f6e	`+void`
		d98f6e	`+dumpPath(const char *label, const PK15ObjectPath &path)`
		d98f6e	`+{`
		d98f6e	`+ printf(" Path for %s\n", label);`
		d98f6e	`+ printf(" index = %ld\n",(long)path.getIndex());`
		d98f6e	`+ printf(" size = %ld\n",(long)path.getLength());`
		d98f6e	`+ dump(" objPath:",path.getPath());`
		d98f6e	`+}`
		d98f6e	`+#endif`
		d98f6e	`+`
		d98f6e	`+`
		d98f6e	`CKYStatus`
		d98f6e	`Slot::parseEF_Directory(const CKYByte *current,`
		d98f6e	`CKYSize size, PK15ObjectType type)`
		d98f6e	`@@ -1326,7 +1366,22 @@ Slot::parseEF_Directory(const CKYByte *c`
		d98f6e	`auth[CKU_SO] = new PK15Object(obj);`
		d98f6e	`}`
		d98f6e	`} else if (auth[CKU_USER] == NULL) {`
		d98f6e	`+ const CKYBuffer *authid = obj.getPinAuthId();`
		d98f6e	`auth[CKU_USER] = new PK15Object(obj);`
		d98f6e	`+ if ((CKYBuffer_Size(&candidateUserAuthId) != 0)`
		d98f6e	`+ && !CKYBuffer_IsEqual(authid, &candidateUserAuthId)) {`
		d98f6e	`+ /* validate our candidates */`
		d98f6e	`+ if ((CKYBuffer_Size(&candidateContextSpecificAuthId)`
		d98f6e	`+ == 0) \|\| (CKYBuffer_IsEqual(`
		d98f6e	`+ &candidateContextSpecificAuthId, authid))) {`
		d98f6e	`+ CKYBuffer_Replace(&candidateContextSpecificAuthId,0,`
		d98f6e	`+ CKYBuffer_Data(&candidateUserAuthId),`
		d98f6e	`+ CKYBuffer_Size(&candidateUserAuthId));`
		d98f6e	`+ }`
		d98f6e	`+ CKYBuffer_Replace(&candidateUserAuthId, 0,`
		d98f6e	`+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));`
		d98f6e	`+ }`
		d98f6e	`+`
		d98f6e	`} else if (auth[CKU_CONTEXT_SPECIFIC] == NULL) {`
		d98f6e	`ObjectIter iter;`
		d98f6e	`const CKYBuffer *authid = obj.getPinAuthId();`
		d98f6e	`@@ -1339,6 +1394,8 @@ Slot::parseEF_Directory(const CKYByte *c`
		d98f6e	`if( CKYBuffer_IsEqual(iter->getAuthId(),authid)) {`
		d98f6e	`iter->setAttributeBool(CKA_ALWAYS_AUTHENTICATE,`
		d98f6e	`TRUE);`
		d98f6e	`+ iter->setUser(CKU_CONTEXT_SPECIFIC);`
		d98f6e	`+printf("Setting Context Specific pin on key\n");`
		d98f6e	`}`
		d98f6e	`}`
		d98f6e	`}`
		d98f6e	`@@ -1349,7 +1406,19 @@ Slot::parseEF_Directory(const CKYByte *c`
		d98f6e	`{`
		d98f6e	`ObjectConstIter iter;`
		d98f6e	`const CKYBuffer *id;`
		d98f6e	`+ const CKYBuffer *authid;`
		d98f6e
		d98f6e	`+ authid = obj.getAuthId();`
		d98f6e	`+ if (authid) {`
		d98f6e	`+ if (CKYBuffer_Size(&candidateUserAuthId) == 0) {`
		d98f6e	`+ CKYBuffer_Replace(&candidateUserAuthId, 0,`
		d98f6e	`+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));`
		d98f6e	`+ } else if (!CKYBuffer_IsEqual(&candidateUserAuthId,`
		d98f6e	`+ authid)) {`
		d98f6e	`+ CKYBuffer_Replace(&candidateContextSpecificAuthId,0,`
		d98f6e	`+ CKYBuffer_Data(authid), CKYBuffer_Size(authid));`
		d98f6e	`+ }`
		d98f6e	`+ }`
		d98f6e	`id = obj.getAttribute(CKA_ID);`
		d98f6e	`if ((!id) \|\| (CKYBuffer_Size(id) != 1)) {`
		d98f6e	`break;`
		d98f6e	`@@ -1386,6 +1455,31 @@ Slot::parseEF_Directory(const CKYByte *c`
		d98f6e	`tokenObjects.push_back(obj);`
		d98f6e	`} while ( false );`
		d98f6e	`}`
		d98f6e	`+`
		d98f6e	`+ /* handle the case where we have context specific with the same user pin */`
		d98f6e	`+ if ((type == PK15AuthObj)`
		d98f6e	`+ && (CKYBuffer_Size(&candidateContextSpecificAuthId) != 0)`
		d98f6e	`+ && (auth[CKU_CONTEXT_SPECIFIC] == NULL)) {`
		d98f6e	`+ ObjectIter iter;`
		d98f6e	`+`
		d98f6e	`+ /* these should put on the individual keys */`
		d98f6e	`+ auth[CKU_CONTEXT_SPECIFIC] = new PK15Object(*auth[CKU_USER]);`
		d98f6e	`+ /* set the pin ref for the context specific auth */`
		d98f6e	`+ auth[CKU_CONTEXT_SPECIFIC]->setPinRef(`
		d98f6e	`+ (CK_BYTE) CKYBuffer_GetChar(&candidateContextSpecificAuthId,0));`
		d98f6e	`+ for( iter = tokenObjects.begin(); iter != tokenObjects.end(); ++iter) {`
		d98f6e	`+ const CKYBuffer *authid = iter->getAuthId();`
		d98f6e	`+ if(authid &&`
		d98f6e	`+ CKYBuffer_IsEqual(authid,&candidateContextSpecificAuthId)) {`
		d98f6e	`+ iter->setAttributeBool(CKA_ALWAYS_AUTHENTICATE, TRUE);`
		d98f6e	`+ iter->setUser(CKU_CONTEXT_SPECIFIC);`
		d98f6e	`+ /* auth[CKU_CONTEXT_SPECIFIC]->`
		d98f6e	`+ setObjectPath(iter->getObjectPath()); */`
		d98f6e	`+ }`
		d98f6e	`+ }`
		d98f6e	`+`
		d98f6e	`+`
		d98f6e	`+ }`
		d98f6e	`CKYBuffer_FreeData(&file;;`
		d98f6e	`return CKYSUCCESS;`
		d98f6e	`}`
		d98f6e	`@@ -2221,6 +2315,12 @@ Slot::unloadObjects()`
		d98f6e	`tokenManufacturer = NULL;`
		d98f6e	`}`
		d98f6e	`CKYBuffer_Resize(&p15serialNumber,0);`
		d98f6e	`+ CKYBuffer_Resize(&candidateUserAuthId,0);`
		d98f6e	`+ CKYBuffer_Resize(&candidateContextSpecificAuthId,0);`
		d98f6e	`+ for (int i=0; i < MAX_AUTH_USERS; i++) {`
		d98f6e	`+ if (auth[i]) delete auth[i];`
		d98f6e	`+ auth[i]=NULL;`
		d98f6e	`+ }`
		d98f6e	`}`
		d98f6e
		d98f6e	`#ifdef USE_SHMEM`
		d98f6e	`@@ -3766,7 +3866,6 @@ Slot::attemptLogin(CK_USER_TYPE user, bo`
		d98f6e	`contextPinCache.clearPin();`
		d98f6e	`}`
		d98f6e	`}`
		d98f6e	`-void dump(const char label, const CKYBuffer buf);`
		d98f6e
		d98f6e	`void`
		d98f6e	`Slot::attemptP15Login(CK_USER_TYPE user)`
		d98f6e	`@@ -3794,7 +3893,6 @@ Slot::attemptP15Login(CK_USER_TYPE user)`
		d98f6e	`throw PKCS11Exception(CKR_DEVICE_ERROR, "Applet select return 0x%04x",`
		d98f6e	`result);`
		d98f6e	`}`
		d98f6e	`-`
		d98f6e	`status = P15Applet_VerifyPIN(conn,`
		d98f6e	`(const char *)CKYBuffer_Data(pinCachePtr->get()),`
		d98f6e	`auth[user]->getPinInfo(), &result);`
		d98f6e	`@@ -4636,7 +4734,14 @@ Slot::cryptRSA(SessionHandleSuffix suffi`
		d98f6e	`params.padInput(&inputPad, &input);`
		d98f6e	`performRSAOp(&output, &inputPad, params.getKeySize(), key,`
		d98f6e	`params.getDirection());`
		d98f6e	`- params.unpadOutput(result, &output);`
		d98f6e	`+ if (CKYBuffer_Size(&output) < CKYBuffer_Size(&inputPad)) {`
		d98f6e	`+ /* if the size is smaller than the input, treat it as`
		d98f6e	`+ * unpadded */`
		d98f6e	`+ CKYBuffer_Replace(result, 0, CKYBuffer_Data(&output),`
		d98f6e	`+ CKYBuffer_Size(&output));`
		d98f6e	`+ } else {`
		d98f6e	`+ params.unpadOutput(result, &output);`
		d98f6e	`+ }`
		d98f6e	`CKYBuffer_FreeData(&input);`
		d98f6e	`CKYBuffer_FreeData(&inputPad);`
		d98f6e	`CKYBuffer_FreeData(&output);`
		d98f6e	`@@ -4787,9 +4892,8 @@ retry:`
		d98f6e	`} else if (state & CAC_CARD) {`
		d98f6e	`status = CACApplet_SignDecrypt(conn, input, output, &result);`
		d98f6e	`} else if (state & P15_CARD) {`
		d98f6e	`- status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,`
		d98f6e	`+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(), (keySize/8)*2,`
		d98f6e	`CKY_DIR_ENCRYPT, input, output, &result);`
		d98f6e	`-`
		d98f6e	`} else {`
		d98f6e	`status = CKYApplet_ComputeECCSignature(conn, objectToKeyNum(key), input, NULL, output, getNonce(), &result);`
		d98f6e	`}`
		d98f6e	`@@ -4861,8 +4965,32 @@ retry:`
		d98f6e	`} else if (state & CAC_CARD) {`
		d98f6e	`status = CACApplet_SignDecrypt(conn, input, output, &result);`
		d98f6e	`} else if (state & P15_CARD) {`
		d98f6e	`- status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,`
		d98f6e	`- direction, input, output, &result);`
		d98f6e	`+ if (direction == CKY_DIR_DECRYPT) {`
		d98f6e	`+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),`
		d98f6e	`+ keySize/8, direction, input, output, &result);`
		d98f6e	`+ } else {`
		d98f6e	`+ CKYBuffer unpadInput;`
		d98f6e	`+ CKYBuffer_InitEmpty(&unpadInput);`
		d98f6e	`+ stripRSAPadding(&unpadInput, input); /* will throw exception`
		d98f6e	`+ * on error */`
		d98f6e	`+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(), keySize/8,`
		d98f6e	`+ direction, &unpadInput, output, &result);`
		d98f6e	`+ CKYBuffer_FreeData(&unpadInput);`
		d98f6e	`+ /* if it didn't work, try full padded the input first */`
		d98f6e	`+ if ((status != CKYSUCCESS)`
		d98f6e	`+ && (result != CKYISO_CONDITION_NOT_SATISFIED)`
		d98f6e	`+ && (result != CKYISO_SECURITY_NOT_SATISFIED)) {`
		d98f6e	`+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),`
		d98f6e	`+ keySize/8, direction, input, output, &result);`
		d98f6e	`+ }`
		d98f6e	`+ /* finally just lie and try to "decrypt" the buffer */`
		d98f6e	`+ if ((status != CKYSUCCESS)`
		d98f6e	`+ && (result != CKYISO_CONDITION_NOT_SATISFIED)`
		d98f6e	`+ && (result != CKYISO_SECURITY_NOT_SATISFIED)) {`
		d98f6e	`+ status = P15Applet_SignDecrypt(conn, key->getKeyRef(),`
		d98f6e	`+ keySize/8, CKY_DIR_DECRYPT, input, output, &result);`
		d98f6e	`+ }`
		d98f6e	`+ }`
		d98f6e	`} else {`
		d98f6e	`status = CKYApplet_ComputeCrypt(conn, objectToKeyNum(key),`
		d98f6e	`CKY_RSA_NO_PAD, direction, input, NULL, output,`
		d98f6e	`@@ -4883,8 +5011,7 @@ retry:`
		d98f6e	`throw PKCS11Exception(CKR_DATA_INVALID);`
		d98f6e	`}`
		d98f6e	`// version0 keys could be logged out in the middle by someone else,`
		d98f6e	`- // reauthenticate... This code can go away when we depricate.`
		d98f6e	`- // version0 applets.`
		d98f6e	`+ // reauthenticate...`
		d98f6e	`if (!isVersion1Key && !loginAttempted &&`
		d98f6e	`userPinCache(key->getUser())->isValid() &&`
		d98f6e	`(result == CKYISO_UNAUTHORIZED)) {`
		d98f6e	`diff -up ./src/coolkey/slot.h.cardos-5-3 ./src/coolkey/slot.h`
		d98f6e	`--- ./src/coolkey/slot.h.cardos-5-3 2017-03-16 17:14:02.417338760 -0700`
		d98f6e	`+++ ./src/coolkey/slot.h 2017-03-16 17:14:02.421338828 -0700`
		d98f6e	`@@ -368,6 +368,8 @@ class Slot {`
		d98f6e	`CKYBuffer p15tokenInfo;`
		d98f6e	`CKYBuffer p15odf;`
		d98f6e	`CKYBuffer p15serialNumber;`
		d98f6e	`+ CKYBuffer candidateUserAuthId;`
		d98f6e	`+ CKYBuffer candidateContextSpecificAuthId;`
		d98f6e	`//enum { RW_SESSION_HANDLE = 1, RO_SESSION_HANDLE = 2 };`
		d98f6e
		d98f6e	`#ifdef USE_SHMEM`
		d98f6e	`diff -up ./src/libckyapplet/cky_applet.c.cardos-5-3 ./src/libckyapplet/cky_applet.c`
		d98f6e	`--- ./src/libckyapplet/cky_applet.c.cardos-5-3 2017-03-16 17:14:02.404338539 -0700`
		d98f6e	`+++ ./src/libckyapplet/cky_applet.c 2017-03-16 17:14:02.422338845 -0700`
		d98f6e	`@@ -1316,8 +1316,6 @@ P15Applet_SignDecrypt(CKYCardConnection`
		d98f6e	`int appendLength = length;`
		d98f6e	`int hasPad = 0;`
		d98f6e
		d98f6e	`- /* Hack, lie and say we are always doing encipherment */`
		d98f6e	`- direction = CKY_DIR_DECRYPT;`
		d98f6e	`CKYBuffer_Resize(result,0);`
		d98f6e	`/*`
		d98f6e	`* first set the security environment`
		d98f6e	`@@ -1367,7 +1365,7 @@ P15Applet_SignDecrypt(CKYCardConnection`
		d98f6e	`}`
		d98f6e	`CKYBuffer_AppendBuffer(&tmp, data, offset, appendLength);`
		d98f6e	`pso.chain = 0;`
		d98f6e	`- pso.retLen = dataSize;`
		d98f6e	`+ pso.retLen = keySize;`
		d98f6e
		d98f6e	`ret = CKYApplet_HandleAPDU(conn,`
		d98f6e	`P15AppletFactory_PerformSecurityOperation, &pso, NULL,`

rpms / coolkey

Source Code

Blame SOURCES/coolkey-1.1.0-cardos-5-3.patch