Reworked trace and syslog statements on token init for the cca and ep11 token. Added warning traces on several en/decrypt verbs in the cca token for cases where returncode == 0 but reasoncode != 0. This is the case eg. when old keys are used and the master key in the card has changed in the meantime. All the code has been tested and verified.
Signed-off-by: Harald Freudenberger <[email protected]> --- usr/lib/pkcs11/cca_stdll/cca_specific.c | 521 ++++++++++++++----------- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 605 +++++++++++++++-------------- 2 files changed, 594 insertions(+), 532 deletions(-) diff --git a/usr/lib/pkcs11/cca_stdll/cca_specific.c b/usr/lib/pkcs11/cca_stdll/cca_specific.c index 75762a2..a56fe2e 100644 --- a/usr/lib/pkcs11/cca_stdll/cca_specific.c +++ b/usr/lib/pkcs11/cca_stdll/cca_specific.c @@ -37,6 +37,8 @@ CK_CHAR model[] = "IBM CCA Token"; CK_CHAR descr[] = "IBM PKCS#11 CCA Token"; CK_CHAR label[] = "IBM PKCS#11 for CCA"; +#define CCASHAREDLIB "libcsulcca.so" + /* mechanisms provided by this token */ MECH_LIST_ELEMENT mech_list[] = { {CKM_DES_KEY_GEN, 8, 8, CKF_HW|CKF_GENERATE}, @@ -130,31 +132,34 @@ token_specific_init(CK_SLOT_ID SlotNumber, char *conf_name) unsigned char rule_array[256] = { 0, }; long return_code, reason_code, rule_array_count, verb_data_length; void *lib_csulcca; - - lib_csulcca = dlopen("libcsulcca.so", (RTLD_GLOBAL | RTLD_NOW)); + + lib_csulcca = dlopen(CCASHAREDLIB, RTLD_GLOBAL | RTLD_NOW); if (lib_csulcca == NULL) { - OCK_SYSLOG(LOG_ERR, "%s: Error loading library: [%s]\n", __FUNCTION__, dlerror()); + OCK_SYSLOG(LOG_ERR, "%s: Error loading shared library '%s' [%s]\n", + __func__, CCASHAREDLIB, dlerror()); + TRACE_ERROR("%s: Error loading shared library '%s' [%s]\n", + __func__, CCASHAREDLIB, dlerror()); return CKR_FUNCTION_FAILED; } memcpy(rule_array, "STATCCAE", 8); - rule_array_count = 1; - verb_data_length = 0; - CSUACFQ(&return_code, - &reason_code, - NULL, - NULL, - &rule_array_count, - rule_array, - &verb_data_length, - NULL); - - if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSUACFQ failed. return: %ld, reason: %ld\n", + rule_array_count = 1; + verb_data_length = 0; + CSUACFQ(&return_code, + &reason_code, + NULL, + NULL, + &rule_array_count, + rule_array, + &verb_data_length, + NULL); + + if (return_code != CCA_SUCCESS) { + TRACE_ERROR("CSUACFQ failed. return: %ld, reason: %ld\n", return_code, reason_code); - return CKR_FUNCTION_FAILED; - } + return CKR_FUNCTION_FAILED; + } /* This value should be 2 if the master key is set in the card */ if (memcmp(&rule_array[CCA_STATCCAE_SYM_CMK_OFFSET], "2 ", 8)) { @@ -346,11 +351,22 @@ token_specific_des_cbc(CK_BYTE *in_data, } if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNBENC (DES ENCRYPT) failed. return:%ld, " - "reason:%ld\n", return_code, reason_code); + if (encrypt) + TRACE_ERROR("CSNBENC (DES ENCRYPT) failed. return:%ld, " + "reason:%ld\n", return_code, reason_code); + else + TRACE_ERROR("CSNBDEC (DES DECRYPT) failed. return:%ld, " + "reason:%ld\n", return_code, reason_code); if (out_data != local_out) free(local_out); return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + if (encrypt) + TRACE_WARNING("CSNBENC (DES ENCRYPT) succeeded, but " + "returned reason:%ld\n", reason_code); + else + TRACE_WARNING("CSNBDEC (DES DECRYPT) succeeded, but " + "returned reason:%ld\n", reason_code); } /* If we malloc'd a new buffer due to overflow concerns and the data @@ -382,7 +398,7 @@ token_specific_tdes_ecb(CK_BYTE *in_data, OBJECT *key, CK_BYTE encrypt) { - TRACE_WARN("Unsupported function reached."); + TRACE_WARNING("Unsupported function reached."); return CKR_FUNCTION_NOT_SUPPORTED; } @@ -561,8 +577,8 @@ token_specific_rsa_generate_keypair(TEMPLATE *publ_tmpl, uint16_t mod_bits; CK_ATTRIBUTE *pub_exp = NULL, *attr = NULL; CK_RV rv; - CK_BYTE_PTR ptr; - CK_ULONG tmpsize, tmpexp; + CK_BYTE_PTR ptr; + CK_ULONG tmpsize, tmpexp; if (!template_attribute_find(publ_tmpl, CKA_MODULUS_BITS, &attr)) { @@ -576,29 +592,29 @@ token_specific_rsa_generate_keypair(TEMPLATE *publ_tmpl, rv = template_attribute_find(publ_tmpl, CKA_PUBLIC_EXPONENT, &pub_exp); if (rv == TRUE) { - /* Per CCA manual, we really only support 3 values here: * - * * 0 (generate random public exponent) * - * * 3 or * - * * 65537 * - * Trim the P11 value so we can check what's comming our way */ - - tmpsize = pub_exp->ulValueLen; - ptr = p11_bigint_trim(pub_exp->pValue, &tmpsize); - /* If we trimmed the number correctly, only 3 bytes are * - * sufficient to hold 65537 (0x010001) */ - if (tmpsize > 3) + /* Per CCA manual, we really only support 3 values here: * + * * 0 (generate random public exponent) * + * * 3 or * + * * 65537 * + * Trim the P11 value so we can check what's comming our way */ + + tmpsize = pub_exp->ulValueLen; + ptr = p11_bigint_trim(pub_exp->pValue, &tmpsize); + /* If we trimmed the number correctly, only 3 bytes are * + * sufficient to hold 65537 (0x010001) */ + if (tmpsize > 3) return CKR_TEMPLATE_INCONSISTENT; - /* make pValue into CK_ULONG so we can compare */ - tmpexp = 0; - memcpy((void *)&tmpexp + sizeof(CK_ULONG) - tmpsize, // right align - ptr, tmpsize); + /* make pValue into CK_ULONG so we can compare */ + tmpexp = 0; + memcpy((void *)&tmpexp + sizeof(CK_ULONG) - tmpsize, // right align + ptr, tmpsize); - /* Check for one of the three allowed values */ - if ( (tmpexp != 0) && - (tmpexp != 3) && - (tmpexp != 65537) ) - return CKR_TEMPLATE_INCONSISTENT; + /* Check for one of the three allowed values */ + if ( (tmpexp != 0) && + (tmpexp != 3) && + (tmpexp != 65537) ) + return CKR_TEMPLATE_INCONSISTENT; size_of_e = (uint16_t)tmpsize; @@ -612,19 +628,19 @@ token_specific_rsa_generate_keypair(TEMPLATE *publ_tmpl, key_value_structure_length = CCA_KEY_VALUE_STRUCT_SIZE; memcpy(key_value_structure, &mod_bits, sizeof(uint16_t)); - /* One last check. CCA can't auto-generate a random public * - * exponent if the modulus length is more than 2048 bits * - * We should be ok checking the public exponent length in the * - * key_value_structure, since either the caller never * - * specified it or we trimmed it's size. The size should be * - * zero if the value is zero in both cases. * - * public exponent has CCA_PKB_E_SIZE_OFFSET offset with * - * 2-bytes size */ - if (mod_bits > 2048 && - key_value_structure[CCA_PKB_E_SIZE_OFFSET] == 0x00 && - key_value_structure[CCA_PKB_E_SIZE_OFFSET + 1] == 0x00) { - return CKR_TEMPLATE_INCONSISTENT; - } + /* One last check. CCA can't auto-generate a random public * + * exponent if the modulus length is more than 2048 bits * + * We should be ok checking the public exponent length in the * + * key_value_structure, since either the caller never * + * specified it or we trimmed it's size. The size should be * + * zero if the value is zero in both cases. * + * public exponent has CCA_PKB_E_SIZE_OFFSET offset with * + * 2-bytes size */ + if (mod_bits > 2048 && + key_value_structure[CCA_PKB_E_SIZE_OFFSET] == 0x00 && + key_value_structure[CCA_PKB_E_SIZE_OFFSET + 1] == 0x00) { + return CKR_TEMPLATE_INCONSISTENT; + } rule_array_count = 2; memcpy(rule_array, "RSA-CRT KEY-MGMT", (size_t)(CCA_KEYWORD_SIZE * 2)); @@ -633,62 +649,62 @@ token_specific_rsa_generate_keypair(TEMPLATE *publ_tmpl, key_token_length = CCA_KEY_TOKEN_SIZE; - CSNDPKB(&return_code, - &reason_code, + CSNDPKB(&return_code, + &reason_code, NULL, - NULL, - &rule_array_count, - rule_array, - &key_value_structure_length, - key_value_structure, - &private_key_name_length, - private_key_name, - 0, - NULL, - 0, - NULL, - 0, - NULL, - 0, - NULL, - 0, - NULL, - &key_token_length, - key_token); - - if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNDPKB (RSA KEY TOKEN BUILD) failed. return:%ld," + NULL, + &rule_array_count, + rule_array, + &key_value_structure_length, + key_value_structure, + &private_key_name_length, + private_key_name, + 0, + NULL, + 0, + NULL, + 0, + NULL, + 0, + NULL, + 0, + NULL, + &key_token_length, + key_token); + + if (return_code != CCA_SUCCESS) { + TRACE_ERROR("CSNDPKB (RSA KEY TOKEN BUILD) failed. return:%ld," " reason:%ld\n", return_code, reason_code); - return CKR_FUNCTION_FAILED; - } - - rule_array_count = 1; - memset(rule_array, 0, sizeof(rule_array)); - memcpy(rule_array, "MASTER ", (size_t)CCA_KEYWORD_SIZE); - - generated_key_token_length = CCA_KEY_TOKEN_SIZE; - - regeneration_data_length = 0; - - CSNDPKG(&return_code, - &reason_code, - NULL, - NULL, - &rule_array_count, - rule_array, - ®eneration_data_length, - regeneration_data, - &key_token_length, - key_token, - transport_key_identifier, - &generated_key_token_length, - generated_key_token); - - if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNDPKG (RSA KEY GENERATE) failed. return: %ld, " + return CKR_FUNCTION_FAILED; + } + + rule_array_count = 1; + memset(rule_array, 0, sizeof(rule_array)); + memcpy(rule_array, "MASTER ", (size_t)CCA_KEYWORD_SIZE); + + generated_key_token_length = CCA_KEY_TOKEN_SIZE; + + regeneration_data_length = 0; + + CSNDPKG(&return_code, + &reason_code, + NULL, + NULL, + &rule_array_count, + rule_array, + ®eneration_data_length, + regeneration_data, + &key_token_length, + key_token, + transport_key_identifier, + &generated_key_token_length, + generated_key_token); + + if (return_code != CCA_SUCCESS) { + TRACE_ERROR("CSNDPKG (RSA KEY GENERATE) failed. return: %ld, " "return: %ld\n", return_code, reason_code); - return CKR_FUNCTION_FAILED; - } + return CKR_FUNCTION_FAILED; + } TRACE_DEVEL("RSA secure key token generated. size: %ld\n", generated_key_token_length); @@ -755,6 +771,9 @@ token_specific_rsa_encrypt(CK_BYTE *in_data, TRACE_ERROR("CSNDPKE (RSA ENCRYPT) failed. return: %ld ", "reason: %ld\n", return_code, reason_code); return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_WARNING("CSNDPKE (RSA ENCRYPT) succeeded, but ", + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -806,6 +825,9 @@ token_specific_rsa_decrypt(CK_BYTE *in_data, TRACE_ERROR("CSNDPKD (RSA DECRYPT) failed. return: %ld, " "reason: %ld\n", return_code, reason_code); return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_WARNING("CSNDPKD (RSA DECRYPT) succeeded, but " + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -818,9 +840,9 @@ token_specific_rsa_sign(CK_BYTE * in_data, CK_ULONG * out_data_len, OBJECT * key_obj ) { - long return_code, reason_code, rule_array_count; - unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0, }; - long signature_bit_length; + long return_code, reason_code, rule_array_count; + unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0, }; + long signature_bit_length; CK_ATTRIBUTE *attr; /* Find the secure key token */ @@ -829,30 +851,33 @@ token_specific_rsa_sign(CK_BYTE * in_data, return CKR_TEMPLATE_INCOMPLETE; } - rule_array_count = 1; - memcpy(rule_array, "PKCS-1.1", CCA_KEYWORD_SIZE); - - CSNDDSG(&return_code, - &reason_code, - NULL, - NULL, - &rule_array_count, - rule_array, - (long *)&(attr->ulValueLen), - attr->pValue, - (long *)&in_data_len, - in_data, - (long *)out_data_len, - &signature_bit_length, - out_data); - - if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNDDSG (RSA SIGN) failed. return :%ld, " + rule_array_count = 1; + memcpy(rule_array, "PKCS-1.1", CCA_KEYWORD_SIZE); + + CSNDDSG(&return_code, + &reason_code, + NULL, + NULL, + &rule_array_count, + rule_array, + (long *)&(attr->ulValueLen), + attr->pValue, + (long *)&in_data_len, + in_data, + (long *)out_data_len, + &signature_bit_length, + out_data); + + if (return_code != CCA_SUCCESS) { + TRACE_ERROR("CSNDDSG (RSA SIGN) failed. return :%ld, " "reason: %ld\n", return_code, reason_code); - return CKR_FUNCTION_FAILED; - } + return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_WARNING("CSNDDSG (RSA SIGN) succeeded, but " + "returned reason: %ld\n", reason_code); + } - return CKR_OK; + return CKR_OK; } CK_RV @@ -891,9 +916,12 @@ token_specific_rsa_verify(CK_BYTE * in_data, if (return_code == 4 && reason_code == 429) { return CKR_SIGNATURE_INVALID; } else if (return_code != CCA_SUCCESS) { - TRACE_DEVEL("CSNDDSV (RSA VERIFY) failed. return: %ld, " + TRACE_ERROR("CSNDDSV (RSA VERIFY) failed. return: %ld, " "reason: %ld\n", return_code, reason_code); return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_WARNING("CSNDDSV (RSA VERIFY) succeeded, but " + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -918,14 +946,14 @@ token_specific_aes_key_gen(CK_BYTE *aes_key, CK_ULONG len, CK_ULONG key_size) unsigned char mkvp[16] = { 0, }; CK_RV rc; CK_ATTRIBUTE *opaque_attr = NULL; - + /* make sure key is the right size for the token */ if (len != CCA_KEY_ID_SIZE) return CKR_FUNCTION_FAILED; memcpy(rule_array, "INTERNALAES NO-KEY ", (size_t) (CCA_KEYWORD_SIZE*3)); memcpy(key_type, "DATA ", (size_t)CCA_KEYWORD_SIZE); - + switch (key_size) { case 16: memcpy(rule_array + 3*CCA_KEYWORD_SIZE, "KEYLN16 ", CCA_KEYWORD_SIZE); @@ -969,7 +997,7 @@ token_specific_aes_key_gen(CK_BYTE *aes_key, CK_ULONG len, CK_ULONG key_size) NULL, NULL, mkvp); - + if (return_code != CCA_SUCCESS) { TRACE_ERROR("CSNBTKB (TOKEN BUILD) failed. return: %ld, " "reason: %ld\n", return_code, reason_code); @@ -977,7 +1005,7 @@ token_specific_aes_key_gen(CK_BYTE *aes_key, CK_ULONG len, CK_ULONG key_size) } memcpy(key_form, "OP ", (size_t)CCA_KEYWORD_SIZE); memcpy(key_type, "AESTOKEN", (size_t) CCA_KEYWORD_SIZE); - memcpy(aes_key, key_token, (size_t)CCA_KEY_ID_SIZE); + memcpy(aes_key, key_token, (size_t)CCA_KEY_ID_SIZE); return cca_key_gen(CCA_AES_KEY, aes_key, key_form, key_type, key_size); } @@ -990,7 +1018,7 @@ token_specific_aes_ecb(CK_BYTE *in_data, OBJECT *key, CK_BYTE encrypt) { - + long return_code, reason_code, rule_array_count, length; long pad_character = 0, block_size = 16; unsigned char chaining_vector[CCA_OCV_SIZE]; @@ -1006,11 +1034,11 @@ token_specific_aes_ecb(CK_BYTE *in_data, return CKR_FUNCTION_FAILED; } - key_len = 64; + key_len = 64; rule_array_count = 4; - memcpy(rule_array, "AES ECB KEYIDENTINITIAL ", + memcpy(rule_array, "AES ECB KEYIDENTINITIAL ", rule_array_count*(size_t)CCA_KEYWORD_SIZE); - + if (encrypt) { CSNBSAE(&return_code, &reason_code, @@ -1056,7 +1084,7 @@ token_specific_aes_ecb(CK_BYTE *in_data, &opt_data_len, NULL); } - + if (return_code != CCA_SUCCESS) { if (encrypt) TRACE_ERROR("CSNBSAE (AES ENCRYPT) failed. return: %ld " @@ -1066,6 +1094,13 @@ token_specific_aes_ecb(CK_BYTE *in_data, "reason: %ld\n", return_code, reason_code); (*out_data_len) = 0; return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + if (encrypt) + TRACE_WARNING("CSNBSAE (AES ENCRYPT) succeeded, but " + "returned reason: %ld\n", reason_code); + else + TRACE_WARNING("CSNBSAD (AES DECRYPT) succeeded, but " + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -1099,7 +1134,7 @@ token_specific_aes_cbc(CK_BYTE *in_data, if (in_data_len%16 == 0) { rule_array_count = 3; - memcpy(rule_array, "AES KEYIDENTINITIAL ", + memcpy(rule_array, "AES KEYIDENTINITIAL ", rule_array_count*(size_t)CCA_KEYWORD_SIZE); } else { if ((encrypt) && (*out_data_len < (in_data_len + 16))) { @@ -1112,7 +1147,7 @@ token_specific_aes_cbc(CK_BYTE *in_data, } rule_array_count = 3; - memcpy(rule_array, "AES PKCS-PADKEYIDENT", + memcpy(rule_array, "AES PKCS-PADKEYIDENT", rule_array_count*(size_t)CCA_KEYWORD_SIZE); } @@ -1163,11 +1198,23 @@ token_specific_aes_cbc(CK_BYTE *in_data, &opt_data_len, NULL); } - + if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNBENC (AES ENCRYPT) failed. return: %ld, " - "reason: %ld\n", return_code, reason_code); + if (encrypt) + TRACE_ERROR("CSNBSAE (AES ENCRYPT) failed. return: %ld " + "reason: %ld\n", return_code, reason_code); + else + TRACE_ERROR("CSNBSAD (AES DECRYPT) failed. return: %ld " + "reason: %ld\n", return_code, reason_code); + (*out_data_len) = 0; return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + if (encrypt) + TRACE_WARNING("CSNBSAE (AES ENCRYPT) suceeded, but " + "returned reason: %ld\n", reason_code); + else + TRACE_WARNING("CSNBSAD (AES DECRYPT) succeedec, but " + "returned reason: %ld\n", reason_code); } /* If we malloc'd a new buffer due to overflow concerns and the data @@ -1195,13 +1242,13 @@ token_specific_aes_cbc(CK_BYTE *in_data, /* Begin code contributed by Corrent corp. */ CK_RV token_specific_dh_pkcs_derive(CK_BYTE *z, - CK_ULONG *z_len, - CK_BYTE *y, - CK_ULONG y_len, - CK_BYTE *x, - CK_ULONG x_len, - CK_BYTE *p, - CK_ULONG p_len) + CK_ULONG *z_len, + CK_BYTE *y, + CK_ULONG y_len, + CK_BYTE *x, + CK_ULONG x_len, + CK_BYTE *p, + CK_ULONG p_len) { TRACE_DEVEL("Unsupported function reached."); return CKR_FUNCTION_NOT_SUPPORTED; @@ -1209,7 +1256,7 @@ token_specific_dh_pkcs_derive(CK_BYTE *z, CK_RV token_specific_dh_pkcs_key_pair_gen(TEMPLATE *publ_tmpl, - TEMPLATE *priv_tmpl ) + TEMPLATE *priv_tmpl ) { TRACE_DEVEL("Unsupported function reached."); return CKR_FUNCTION_NOT_SUPPORTED; @@ -1246,18 +1293,18 @@ token_specific_get_mechanism_list(CK_MECHANISM_TYPE *pMechanismList, CK_ULONG *p CK_RV token_specific_get_mechanism_info(CK_MECHANISM_TYPE type, CK_MECHANISM_INFO *pInfo) { - CK_ULONG i; + CK_ULONG i; for (i = 0; i < mech_list_len; i++) { - if (mech_list[i].mech_type == type) { - memcpy(pInfo, &mech_list[i].mech_info, - sizeof(CK_MECHANISM_INFO)); - return CKR_OK; - } - } - - TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID)); - return CKR_MECHANISM_INVALID; + if (mech_list[i].mech_type == type) { + memcpy(pInfo, &mech_list[i].mech_info, + sizeof(CK_MECHANISM_INFO)); + return CKR_OK; + } + } + + TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID)); + return CKR_MECHANISM_INVALID; } CK_RV @@ -1539,23 +1586,26 @@ token_specific_ec_sign(CK_BYTE * in_data, memcpy(rule_array, "ECDSA ", CCA_KEYWORD_SIZE); CSNDDSG(&return_code, - &reason_code, - NULL, - NULL, - &rule_array_count, - rule_array, - (long *)&(attr->ulValueLen), - attr->pValue, - (long *)&in_data_len, - in_data, - (long *)out_data_len, - &signature_bit_length, - out_data); + &reason_code, + NULL, + NULL, + &rule_array_count, + rule_array, + (long *)&(attr->ulValueLen), + attr->pValue, + (long *)&in_data_len, + in_data, + (long *)out_data_len, + &signature_bit_length, + out_data); if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNDDSG (EC SIGN) failed. return: %ld, " - "reason: %ld\n", return_code, reason_code); - return CKR_FUNCTION_FAILED; + TRACE_ERROR("CSNDDSG (EC SIGN) failed. return: %ld, " + "reason: %ld\n", return_code, reason_code); + return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_ERROR("CSNDDSG (EC SIGN) succeeded, but " + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -1583,24 +1633,27 @@ token_specific_ec_verify(CK_BYTE * in_data, memcpy(rule_array, "ECDSA ", CCA_KEYWORD_SIZE); CSNDDSV(&return_code, - &reason_code, - NULL, - NULL, - &rule_array_count, - rule_array, - (long *)&(attr->ulValueLen), - attr->pValue, - (long *)&in_data_len, - in_data, - (long *)&out_data_len, - out_data); + &reason_code, + NULL, + NULL, + &rule_array_count, + rule_array, + (long *)&(attr->ulValueLen), + attr->pValue, + (long *)&in_data_len, + in_data, + (long *)&out_data_len, + out_data); if (return_code == 4 && reason_code == 429) { return CKR_SIGNATURE_INVALID; } else if (return_code != CCA_SUCCESS) { - TRACE_ERROR("CSNDDSV (EC VERIFY) failed. reason: %ld, " - "return: %ld\n", return_code, reason_code); + TRACE_ERROR("CSNDDSV (EC VERIFY) failed. return: %ld, " + "reason: %ld\n", return_code, reason_code); return CKR_FUNCTION_FAILED; + } else if (reason_code != 0) { + TRACE_ERROR("CSNDDSV (EC VERIFY) succeeded, but " + "returned reason: %ld\n", reason_code); } return CKR_OK; @@ -1666,7 +1719,7 @@ CK_RV cca_sha(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, CK_ULONG in_data_len, case CKM_SHA384: memcpy(rule_array, "SHA-384 ONLY ", CCA_KEYWORD_SIZE * 2); cca_ctx->part = CCA_HASH_PART_ONLY; - break; + break; case CKM_SHA512: memcpy(rule_array, "SHA-512 ONLY ", CCA_KEYWORD_SIZE * 2); cca_ctx->part = CCA_HASH_PART_ONLY; @@ -1695,24 +1748,24 @@ CK_RV cca_sha(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, CK_ULONG in_data_len, } CK_RV token_specific_sha2(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, - CK_ULONG in_data_len, CK_BYTE *out_data, - CK_ULONG *out_data_len) + CK_ULONG in_data_len, CK_BYTE *out_data, + CK_ULONG *out_data_len) { - return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); + return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); } CK_RV token_specific_sha3(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, - CK_ULONG in_data_len, CK_BYTE *out_data, - CK_ULONG *out_data_len) + CK_ULONG in_data_len, CK_BYTE *out_data, + CK_ULONG *out_data_len) { - return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); + return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); } CK_RV token_specific_sha5(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, - CK_ULONG in_data_len, CK_BYTE *out_data, - CK_ULONG *out_data_len) + CK_ULONG in_data_len, CK_BYTE *out_data, + CK_ULONG *out_data_len) { - return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); + return cca_sha(ctx, in_data, in_data_len, out_data, out_data_len); } CK_RV cca_sha_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, @@ -1722,9 +1775,9 @@ CK_RV cca_sha_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, long return_code, reason_code, total, buffer_len, rule_array_count = 2; unsigned char rule_array[CCA_RULE_ARRAY_SIZE] = { 0, }; CK_RV rc = CKR_OK; - unsigned char *buffer = NULL; + unsigned char *buffer = NULL; int blocksz, blocksz_mask, use_buffer = 0; - + if (!in_data) return CKR_ARGUMENTS_BAD; @@ -1767,7 +1820,7 @@ CK_RV cca_sha_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, remainder = total & blocksz_mask; buffer_len = total - remainder; - + /* allocate a buffer for sending... */ if (!(buffer = malloc(buffer_len))) { TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); @@ -1776,16 +1829,16 @@ CK_RV cca_sha_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data, } memcpy(buffer, cca_ctx->tail, cca_ctx->tail_len); - memcpy(buffer + cca_ctx->tail_len, in_data, + memcpy(buffer + cca_ctx->tail_len, in_data, in_data_len - remainder); - use_buffer = 1; + use_buffer = 1; /* save remainder data for next time */ if (remainder) memcpy(cca_ctx->tail, in_data + (in_data_len - remainder), remainder); cca_ctx->tail_len = remainder; - + } else { /* not enough to fill a block, save off data for next round */ memcpy(cca_ctx->tail + cca_ctx->tail_len, in_data, in_data_len); @@ -1826,7 +1879,7 @@ send: } break; } - + CSNBOWH(&return_code, &reason_code, NULL, NULL, &rule_array_count, rule_array, use_buffer ? &buffer_len : (long *)&in_data_len, use_buffer ? buffer : in_data, &cca_ctx->chain_vector_len, @@ -2340,25 +2393,25 @@ token_specific_object_add(OBJECT *object) CK_RV get_ecsiglen(OBJECT *key_obj, CK_ULONG *size) { - CK_BBOOL flag; - CK_ATTRIBUTE *attr = NULL; - int i; + CK_BBOOL flag; + CK_ATTRIBUTE *attr = NULL; + int i; - flag = template_attribute_find( key_obj->template, - CKA_ECDSA_PARAMS, &attr ); - if (flag == FALSE) { + flag = template_attribute_find( key_obj->template, + CKA_ECDSA_PARAMS, &attr ); + if (flag == FALSE) { TRACE_ERROR("Could not find CKA_ECDSA_PARAMS for the key.\n"); - return CKR_FUNCTION_FAILED; - } - - /* loop thru supported curves to find the size. - * both pkcs#11v2.20 and CCA expect the signature length to be - * twice the length of p. - * (See EC Signatures in pkcs#11v2.20 and docs for CSNDDSG.) - */ - for (i = 0; i < NUMEC; i++) { - if ((memcmp(attr->pValue, der_ec_supported[i].data, - attr->ulValueLen) == 0)) { + return CKR_FUNCTION_FAILED; + } + + /* loop thru supported curves to find the size. + * both pkcs#11v2.20 and CCA expect the signature length to be + * twice the length of p. + * (See EC Signatures in pkcs#11v2.20 and docs for CSNDDSG.) + */ + for (i = 0; i < NUMEC; i++) { + if ((memcmp(attr->pValue, der_ec_supported[i].data, + attr->ulValueLen) == 0)) { *size = der_ec_supported[i].len_bits; /* round up if necessary */ if ((*size % 8) == 0) @@ -2366,10 +2419,10 @@ get_ecsiglen(OBJECT *key_obj, CK_ULONG *size) else *size = ((*size / 8) + 1) * 2; TRACE_DEVEL("getlen, curve = %d, size = %d\n", der_ec_supported[i].len_bits, *size); - return CKR_OK; - } - } + return CKR_OK; + } + } - TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID)); - return CKR_MECHANISM_PARAM_INVALID; + TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_PARAM_INVALID)); + return CKR_MECHANISM_PARAM_INVALID; } diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c index a0fc2d3..744e61f 100644 --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c @@ -1,294 +1,294 @@ /* - Common Public License Version 1.0 - - THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF - THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, - REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES - RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. - - 1. DEFINITIONS - - "Contribution" means: - a) in the case of the initial Contributor, the - initial code and documentation distributed under - this Agreement, and - - b) in the case of each subsequent Contributor: - i) changes to the Program, and - ii) additions to the Program; - - where such changes and/or additions to the Program - originate from and are distributed by that - particular Contributor. A Contribution 'originates' - from a Contributor if it was added to the Program - by such Contributor itself or anyone acting on such - Contributor's behalf. Contributions do not include - additions to the Program which: (i) are separate - modules of software distributed in conjunction with - the Program under their own license agreement, and - (ii) are not derivative works of the Program. - - - "Contributor" means any person or entity that distributes - the Program. - - "Licensed Patents " mean patent claims licensable by a - Contributor which are necessarily infringed by the use or - sale of its Contribution alone or when combined with the - Program. - - "Program" means the Contributions distributed in - accordance with this Agreement. - - "Recipient" means anyone who receives the Program under - this Agreement, including all Contributors. - - 2. GRANT OF RIGHTS - - a) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free copyright - license to reproduce, prepare derivative works of, - publicly display, publicly perform, distribute and - sublicense the Contribution of such Contributor, if - any, and such derivative works, in source code and - object code form. - - b) Subject to the terms of this Agreement, each - Contributor hereby grants Recipient a - non-exclusive, worldwide, royalty-free patent - license under Licensed Patents to make, use, sell, - offer to sell, import and otherwise transfer the - Contribution of such Contributor, if any, in source - code and object code form. This patent license - shall apply to the combination of the Contribution - and the Program if, at the time the Contribution is - added by the Contributor, such addition of the - Contribution causes such combination to be covered - by the Licensed Patents. The patent license shall - not apply to any other combinations which include - the Contribution. No hardware per se is licensed - hereunder. - - c) Recipient understands that although each - Contributor grants the licenses to its - Contributions set forth herein, no assurances are - provided by any Contributor that the Program does - not infringe the patent or other intellectual - property rights of any other entity. Each - Contributor disclaims any liability to Recipient - for claims brought by any other entity based on - infringement of intellectual property rights or - otherwise. As a condition to exercising the rights - and licenses granted hereunder, each Recipient - hereby assumes sole responsibility to secure any - other intellectual property rights needed, if any. - - For example, if a third party patent license is - required to allow Recipient to distribute the - Program, it is Recipient's responsibility to - acquire that license before distributing the - Program. - - d) Each Contributor represents that to its - knowledge it has sufficient copyright rights in its - Contribution, if any, to grant the copyright - license set forth in this Agreement. - - 3. REQUIREMENTS - - A Contributor may choose to distribute the Program in - object code form under its own license agreement, provided - that: - a) it complies with the terms and conditions of - this Agreement; and - - b) its license agreement: - i) effectively disclaims on behalf of all - Contributors all warranties and conditions, express - and implied, including warranties or conditions of - title and non-infringement, and implied warranties - or conditions of merchantability and fitness for a - particular purpose; - - ii) effectively excludes on behalf of all - Contributors all liability for damages, including - direct, indirect, special, incidental and - consequential damages, such as lost profits; - - iii) states that any provisions which differ from - this Agreement are offered by that Contributor - alone and not by any other party; and - - iv) states that source code for the Program is - available from such Contributor, and informs - licensees how to obtain it in a reasonable manner - on or through a medium customarily used for - software exchange. - - When the Program is made available in source code form: - a) it must be made available under this Agreement; - and - b) a copy of this Agreement must be included with - each copy of the Program. - - Contributors may not remove or alter any copyright notices - contained within the Program. - - Each Contributor must identify itself as the originator of - its Contribution, if any, in a manner that reasonably - allows subsequent Recipients to identify the originator of - the Contribution. - - - 4. COMMERCIAL DISTRIBUTION - - Commercial distributors of software may accept certain - responsibilities with respect to end users, business - partners and the like. While this license is intended to - facilitate the commercial use of the Program, the - Contributor who includes the Program in a commercial - product offering should do so in a manner which does not - create potential liability for other Contributors. - Therefore, if a Contributor includes the Program in a - commercial product offering, such Contributor ("Commercial - Contributor") hereby agrees to defend and indemnify every - other Contributor ("Indemnified Contributor") against any - losses, damages and costs (collectively "Losses") arising - from claims, lawsuits and other legal actions brought by a - third party against the Indemnified Contributor to the - extent caused by the acts or omissions of such Commercial - Contributor in connection with its distribution of the - Program in a commercial product offering. The obligations - in this section do not apply to any claims or Losses - relating to any actual or alleged intellectual property - infringement. In order to qualify, an Indemnified - Contributor must: a) promptly notify the Commercial - Contributor in writing of such claim, and b) allow the - Commercial Contributor to control, and cooperate with the - Commercial Contributor in, the defense and any related - settlement negotiations. The Indemnified Contributor may - participate in any such claim at its own expense. - - - For example, a Contributor might include the Program in a - commercial product offering, Product X. That Contributor - is then a Commercial Contributor. If that Commercial - Contributor then makes performance claims, or offers - warranties related to Product X, those performance claims - and warranties are such Commercial Contributor's - responsibility alone. Under this section, the Commercial - Contributor would have to defend claims against the other - Contributors related to those performance claims and - warranties, and if a court requires any other Contributor - to pay any damages as a result, the Commercial Contributor - must pay those damages. - - - 5. NO WARRANTY - - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE - PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR - IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR - CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR - FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely - responsible for determining the appropriateness of using - and distributing the Program and assumes all risks - associated with its exercise of rights under this - Agreement, including but not limited to the risks and - costs of program errors, compliance with applicable laws, - damage to or loss of data, programs or equipment, and - unavailability or interruption of operations. - - 6. DISCLAIMER OF LIABILITY - EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER - RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION - LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF - LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT - OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE - OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGES. - - 7. GENERAL - - If any provision of this Agreement is invalid or - unenforceable under applicable law, it shall not affect - the validity or enforceability of the remainder of the - terms of this Agreement, and without further action by the - parties hereto, such provision shall be reformed to the - minimum extent necessary to make such provision valid and - enforceable. - - - If Recipient institutes patent litigation against a - Contributor with respect to a patent applicable to - software (including a cross-claim or counterclaim in a - lawsuit), then any patent licenses granted by that - Contributor to such Recipient under this Agreement shall - terminate as of the date such litigation is filed. In - addition, If Recipient institutes patent litigation - against any entity (including a cross-claim or - counterclaim in a lawsuit) alleging that the Program - itself (excluding combinations of the Program with other - software or hardware) infringes such Recipient's - patent(s), then such Recipient's rights granted under - Section 2(b) shall terminate as of the date such - litigation is filed. - - All Recipient's rights under this Agreement shall - terminate if it fails to comply with any of the material - terms or conditions of this Agreement and does not cure - such failure in a reasonable period of time after becoming - aware of such noncompliance. If all Recipient's rights - under this Agreement terminate, Recipient agrees to cease - use and distribution of the Program as soon as reasonably - practicable. However, Recipient's obligations under this - Agreement and any licenses granted by Recipient relating - to the Program shall continue and survive. - - Everyone is permitted to copy and distribute copies of - this Agreement, but in order to avoid inconsistency the - Agreement is copyrighted and may only be modified in the - following manner. The Agreement Steward reserves the right - to publish new versions (including revisions) of this - Agreement from time to time. No one other than the - Agreement Steward has the right to modify this Agreement. - - IBM is the initial Agreement Steward. IBM may assign the - responsibility to serve as the Agreement Steward to a - suitable separate entity. Each new version of the - Agreement will be given a distinguishing version number. - The Program (including Contributions) may always be - distributed subject to the version of the Agreement under - which it was received. In addition, after a new version of - the Agreement is published, Contributor may elect to - distribute the Program (including its Contributions) under - the new version. Except as expressly stated in Sections - 2(a) and 2(b) above, Recipient receives no rights or - licenses to the intellectual property of any Contributor - under this Agreement, whether expressly, by implication, - estoppel or otherwise. All rights in the Program not - expressly granted under this Agreement are reserved. - - - This Agreement is governed by the laws of the State of New - York and the intellectual property laws of the United - States of America. No party to this Agreement will bring a - legal action under this Agreement more than one year after - the cause of action arose. Each party waives its rights to - a jury trial in any resulting litigation. + Common Public License Version 1.0 + + THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF + THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE, + REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES + RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT. + + 1. DEFINITIONS + + "Contribution" means: + a) in the case of the initial Contributor, the + initial code and documentation distributed under + this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and + ii) additions to the Program; + + where such changes and/or additions to the Program + originate from and are distributed by that + particular Contributor. A Contribution 'originates' + from a Contributor if it was added to the Program + by such Contributor itself or anyone acting on such + Contributor's behalf. Contributions do not include + additions to the Program which: (i) are separate + modules of software distributed in conjunction with + the Program under their own license agreement, and + (ii) are not derivative works of the Program. + + + "Contributor" means any person or entity that distributes + the Program. + + "Licensed Patents " mean patent claims licensable by a + Contributor which are necessarily infringed by the use or + sale of its Contribution alone or when combined with the + Program. + + "Program" means the Contributions distributed in + accordance with this Agreement. + + "Recipient" means anyone who receives the Program under + this Agreement, including all Contributors. + + 2. GRANT OF RIGHTS + + a) Subject to the terms of this Agreement, each + Contributor hereby grants Recipient a + non-exclusive, worldwide, royalty-free copyright + license to reproduce, prepare derivative works of, + publicly display, publicly perform, distribute and + sublicense the Contribution of such Contributor, if + any, and such derivative works, in source code and + object code form. + + b) Subject to the terms of this Agreement, each + Contributor hereby grants Recipient a + non-exclusive, worldwide, royalty-free patent + license under Licensed Patents to make, use, sell, + offer to sell, import and otherwise transfer the + Contribution of such Contributor, if any, in source + code and object code form. This patent license + shall apply to the combination of the Contribution + and the Program if, at the time the Contribution is + added by the Contributor, such addition of the + Contribution causes such combination to be covered + by the Licensed Patents. The patent license shall + not apply to any other combinations which include + the Contribution. No hardware per se is licensed + hereunder. + + c) Recipient understands that although each + Contributor grants the licenses to its + Contributions set forth herein, no assurances are + provided by any Contributor that the Program does + not infringe the patent or other intellectual + property rights of any other entity. Each + Contributor disclaims any liability to Recipient + for claims brought by any other entity based on + infringement of intellectual property rights or + otherwise. As a condition to exercising the rights + and licenses granted hereunder, each Recipient + hereby assumes sole responsibility to secure any + other intellectual property rights needed, if any. + + For example, if a third party patent license is + required to allow Recipient to distribute the + Program, it is Recipient's responsibility to + acquire that license before distributing the + Program. + + d) Each Contributor represents that to its + knowledge it has sufficient copyright rights in its + Contribution, if any, to grant the copyright + license set forth in this Agreement. + + 3. REQUIREMENTS + + A Contributor may choose to distribute the Program in + object code form under its own license agreement, provided + that: + a) it complies with the terms and conditions of + this Agreement; and + + b) its license agreement: + i) effectively disclaims on behalf of all + Contributors all warranties and conditions, express + and implied, including warranties or conditions of + title and non-infringement, and implied warranties + or conditions of merchantability and fitness for a + particular purpose; + + ii) effectively excludes on behalf of all + Contributors all liability for damages, including + direct, indirect, special, incidental and + consequential damages, such as lost profits; + + iii) states that any provisions which differ from + this Agreement are offered by that Contributor + alone and not by any other party; and + + iv) states that source code for the Program is + available from such Contributor, and informs + licensees how to obtain it in a reasonable manner + on or through a medium customarily used for + software exchange. + + When the Program is made available in source code form: + a) it must be made available under this Agreement; + and + b) a copy of this Agreement must be included with + each copy of the Program. + + Contributors may not remove or alter any copyright notices + contained within the Program. + + Each Contributor must identify itself as the originator of + its Contribution, if any, in a manner that reasonably + allows subsequent Recipients to identify the originator of + the Contribution. + + + 4. COMMERCIAL DISTRIBUTION + + Commercial distributors of software may accept certain + responsibilities with respect to end users, business + partners and the like. While this license is intended to + facilitate the commercial use of the Program, the + Contributor who includes the Program in a commercial + product offering should do so in a manner which does not + create potential liability for other Contributors. + Therefore, if a Contributor includes the Program in a + commercial product offering, such Contributor ("Commercial + Contributor") hereby agrees to defend and indemnify every + other Contributor ("Indemnified Contributor") against any + losses, damages and costs (collectively "Losses") arising + from claims, lawsuits and other legal actions brought by a + third party against the Indemnified Contributor to the + extent caused by the acts or omissions of such Commercial + Contributor in connection with its distribution of the + Program in a commercial product offering. The obligations + in this section do not apply to any claims or Losses + relating to any actual or alleged intellectual property + infringement. In order to qualify, an Indemnified + Contributor must: a) promptly notify the Commercial + Contributor in writing of such claim, and b) allow the + Commercial Contributor to control, and cooperate with the + Commercial Contributor in, the defense and any related + settlement negotiations. The Indemnified Contributor may + participate in any such claim at its own expense. + + + For example, a Contributor might include the Program in a + commercial product offering, Product X. That Contributor + is then a Commercial Contributor. If that Commercial + Contributor then makes performance claims, or offers + warranties related to Product X, those performance claims + and warranties are such Commercial Contributor's + responsibility alone. Under this section, the Commercial + Contributor would have to defend claims against the other + Contributors related to those performance claims and + warranties, and if a court requires any other Contributor + to pay any damages as a result, the Commercial Contributor + must pay those damages. + + + 5. NO WARRANTY + + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE + PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR + IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR + CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR + FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely + responsible for determining the appropriateness of using + and distributing the Program and assumes all risks + associated with its exercise of rights under this + Agreement, including but not limited to the risks and + costs of program errors, compliance with applicable laws, + damage to or loss of data, programs or equipment, and + unavailability or interruption of operations. + + 6. DISCLAIMER OF LIABILITY + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER + RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION + LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE + OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGES. + + 7. GENERAL + + If any provision of this Agreement is invalid or + unenforceable under applicable law, it shall not affect + the validity or enforceability of the remainder of the + terms of this Agreement, and without further action by the + parties hereto, such provision shall be reformed to the + minimum extent necessary to make such provision valid and + enforceable. + + + If Recipient institutes patent litigation against a + Contributor with respect to a patent applicable to + software (including a cross-claim or counterclaim in a + lawsuit), then any patent licenses granted by that + Contributor to such Recipient under this Agreement shall + terminate as of the date such litigation is filed. In + addition, If Recipient institutes patent litigation + against any entity (including a cross-claim or + counterclaim in a lawsuit) alleging that the Program + itself (excluding combinations of the Program with other + software or hardware) infringes such Recipient's + patent(s), then such Recipient's rights granted under + Section 2(b) shall terminate as of the date such + litigation is filed. + + All Recipient's rights under this Agreement shall + terminate if it fails to comply with any of the material + terms or conditions of this Agreement and does not cure + such failure in a reasonable period of time after becoming + aware of such noncompliance. If all Recipient's rights + under this Agreement terminate, Recipient agrees to cease + use and distribution of the Program as soon as reasonably + practicable. However, Recipient's obligations under this + Agreement and any licenses granted by Recipient relating + to the Program shall continue and survive. + + Everyone is permitted to copy and distribute copies of + this Agreement, but in order to avoid inconsistency the + Agreement is copyrighted and may only be modified in the + following manner. The Agreement Steward reserves the right + to publish new versions (including revisions) of this + Agreement from time to time. No one other than the + Agreement Steward has the right to modify this Agreement. + + IBM is the initial Agreement Steward. IBM may assign the + responsibility to serve as the Agreement Steward to a + suitable separate entity. Each new version of the + Agreement will be given a distinguishing version number. + The Program (including Contributions) may always be + distributed subject to the version of the Agreement under + which it was received. In addition, after a new version of + the Agreement is published, Contributor may elect to + distribute the Program (including its Contributions) under + the new version. Except as expressly stated in Sections + 2(a) and 2(b) above, Recipient receives no rights or + licenses to the intellectual property of any Contributor + under this Agreement, whether expressly, by implication, + estoppel or otherwise. All rights in the Program not + expressly granted under this Agreement are reserved. + + + This Agreement is governed by the laws of the State of New + York and the intellectual property laws of the United + States of America. No party to this Agreement will bring a + legal action under this Agreement more than one year after + the cause of action arose. Each party waives its rights to + a jury trial in any resulting litigation. */ /* (C) COPYRIGHT International Business Machines Corp. 2001,2002,2013 */ /*************************************************************************** - Change Log - ========== + Change Log + ========== ****************************************************************************/ #define _BSD_SOURCE @@ -320,6 +320,7 @@ #include <grp.h> #include "ep11.h" + #define EP11SHAREDLIB "libep11.so" CK_RV ep11tok_get_mechanism_list(CK_MECHANISM_TYPE_PTR mlist, @@ -376,13 +377,13 @@ CK_CHAR label[] = "IBM OS PKCS#11 "; CK_BBOOL cktrue = 1; \ CK_MECHANISM mech = { CKM_AES_KEY_GEN, NULL_PTR, 0 }; \ CK_ATTRIBUTE wrap_tmpl[] = {{CKA_VALUE_LEN, &len, sizeof(CK_ULONG)}, \ - {CKA_WRAP,(void *) &cktrue, sizeof(cktrue)} , \ - {CKA_UNWRAP,(void *) &cktrue, sizeof(cktrue)}, \ - {CKA_ENCRYPT,(void *) &cktrue, sizeof(cktrue)}, \ - {CKA_DECRYPT,(void *) &cktrue, sizeof(cktrue)}, \ - {CKA_EXTRACTABLE,(void *) &cktrue, sizeof(cktrue) }, \ - {CKA_LABEL,(void *) wrap_key_name, sizeof(wrap_key_name)}, \ - {CKA_TOKEN,(void *) &cktrue, sizeof(cktrue)}}; + {CKA_WRAP,(void *) &cktrue, sizeof(cktrue)} , \ + {CKA_UNWRAP,(void *) &cktrue, sizeof(cktrue)}, \ + {CKA_ENCRYPT,(void *) &cktrue, sizeof(cktrue)}, \ + {CKA_DECRYPT,(void *) &cktrue, sizeof(cktrue)}, \ + {CKA_EXTRACTABLE,(void *) &cktrue, sizeof(cktrue) }, \ + {CKA_LABEL,(void *) wrap_key_name, sizeof(wrap_key_name)}, \ + {CKA_TOKEN,(void *) &cktrue, sizeof(cktrue)}}; /* largest blobsize ever seen is about 5k (for 4096 mod bits RSA keys) */ #define blobsize 2048*4 @@ -722,9 +723,9 @@ ep11_spki_key(CK_BYTE *spki, CK_BYTE **key, CK_ULONG *bit_str_len) } -CK_RV +CK_RV ep11_get_keytype(CK_ATTRIBUTE *attrs, CK_ULONG attrs_len, - CK_MECHANISM_PTR mech, CK_ULONG *type, CK_ULONG *class) + CK_MECHANISM_PTR mech, CK_ULONG *type, CK_ULONG *class) { int i; CK_RV rc = CKR_TEMPLATE_INCONSISTENT; @@ -1005,7 +1006,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism) } static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, - CK_BYTE **blob, size_t *blob_len, OBJECT **kobj); + CK_BYTE **blob, size_t *blob_len, OBJECT **kobj); #define EP11_DEFAULT_CFG_FILE "ep11tok.conf" #define EP11_CFG_FILE_SIZE 4096 @@ -1275,7 +1276,9 @@ CK_RV ep11tok_init(CK_SLOT_ID SlotNumber, char *conf_name) /* dynamically load in the ep11 shared library */ lib_ep11 = dlopen(EP11SHAREDLIB, RTLD_GLOBAL | RTLD_NOW); if (!lib_ep11) { - TRACE_ERROR("%s Error loading shared lib '%s' [%s]\n", + OCK_SYSLOG(LOG_ERR, "%s: Error loading shared library '%s' [%s]\n", + __func__, EP11SHAREDLIB, dlerror()); + TRACE_ERROR("%s Error loading shared library '%s' [%s]\n", __func__, EP11SHAREDLIB, dlerror()); return CKR_FUNCTION_FAILED; } @@ -1302,6 +1305,12 @@ CK_RV ep11tok_init(CK_SLOT_ID SlotNumber, char *conf_name) rc = make_wrapblob(wrap_tmpl, 8); if (rc != CKR_OK) { TRACE_ERROR("%s make_wrapblob failed rc=0x%lx\n", __func__, rc); + if (rc == 0x80010009) { + TRACE_ERROR("%s rc is CKR_IBM_WK_NOT_INITIALIZED, no master key set ?\n", + __func__); + OCK_SYSLOG(LOG_ERR, "%s: CKR_IBM_WK_NOT_INITIALIZED occured, no master key set ?\n", + __func__); + } return CKR_GENERAL_ERROR; } @@ -2888,7 +2897,7 @@ error: * The blob is created if none was build yet. */ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, - CK_BYTE **blob, size_t *blob_len, OBJECT **kobj) + CK_BYTE **blob, size_t *blob_len, OBJECT **kobj) { OBJECT *key_obj; CK_ATTRIBUTE *attr = NULL; @@ -3269,7 +3278,7 @@ CK_RV ep11tok_encrypt_update(SESSION *session, CK_BYTE_PTR input_part, static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech, - CK_OBJECT_HANDLE key, int op) + CK_OBJECT_HANDLE key, int op) { CK_RV rc = CKR_OK; ENCR_DECR_CONTEXT *decr_ctx = &session->decr_ctx; @@ -3822,7 +3831,7 @@ CK_RV ep11tok_get_mechanism_info(CK_MECHANISM_TYPE type, * lower key sizes < 80 bits. */ if (pInfo->ulMinKeySize == 8) - pInfo->ulMinKeySize = 16; + pInfo->ulMinKeySize = 16; break; default: -- 1.7.9.5 ------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
