Merged. Thanks! regards, Joy
On Thu, 2015-07-16 at 13:05 +0200, Harald Freudenberger wrote: > Rework of the EP11 token code to store only the real size of the blob into > the IBM_OPAQUE attribute. Together with this change some code could be > removed as it was for bringup purpose only. > > Signed-off-by: Harald Freudenberger <[email protected]> > --- > usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 531 > +++++++++++++---------------- > 1 file changed, 231 insertions(+), 300 deletions(-) > > diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > index eb8165f..663ec39 100644 > --- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > +++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c > @@ -372,25 +372,19 @@ CK_CHAR descr[] = "IBM PKCS#11 EP11 token"; > CK_CHAR label[] = "IBM OS PKCS#11 "; > > /* largest blobsize ever seen is about 5k (for 4096 mod bits RSA keys) */ > -#define blobsize 2048*4 > +#define MAX_BLOBSIZE 8192 > +#define MAX_CSUMSIZE 64 > +#define MAX_DIGEST_STATE_BYTES 1024 > +#define MAX_CRYPT_STATE_BYTES 8192 > +#define MAX_SIGN_STATE_BYTES 8192 > #define MAX_APQN 256 > > /* wrap_key is used for importing keys */ > -char wrap_key_name[16]; > +char wrap_key_name[] = "EP11_wrapkey"; > /* blob and blobsize of wrap key */ > -CK_BYTE raw2key_wrap_blob[blobsize]; > +CK_BYTE raw2key_wrap_blob[MAX_BLOBSIZE]; > size_t raw2key_wrap_blob_l = 0; > > -/* blob id for debugging */ > -static unsigned long long ep11_blobs = 0; > - > -/* blobs are stored in attribute IBM_OPAQUE and this is the layout */ > -typedef struct { > - size_t blob_size; > - size_t blob_id; > - unsigned char blob[blobsize]; > -} ep11_opaque; > - > /* target list of adapters/domains, specified in a config file by user, > tells the device driver which adapter/domain pairs should be used, > they must have the same master key */ > @@ -427,21 +421,8 @@ static CK_ULONG ep11_pin_blob_len = 0; > #define CKM_SHA384_KEY_DERIVATION 0x00000394 > #define CKM_SHA512_KEY_DERIVATION 0x00000395 > > -static pthread_mutex_t ep11blob_lock = PTHREAD_MUTEX_INITIALIZER; > - > static CK_BBOOL ep11_initialized = FALSE; > > -static unsigned long long ep11_blobs_inc() > -{ > - unsigned long long count; > - > - pthread_mutex_lock(&ep11blob_lock); > - count = ep11_blobs++; > - pthread_mutex_unlock(&ep11blob_lock); > - return count; > -} > - > - > static CK_RV > check_key_attributes(CK_KEY_TYPE kt, CK_OBJECT_CLASS kc, CK_ATTRIBUTE_PTR > attrs, > CK_ULONG attrs_len, CK_ATTRIBUTE_PTR *p_attrs, > @@ -1034,10 +1015,10 @@ static CK_RV rawkey_2_blob(unsigned char *key, > CK_ULONG ksize, > CK_KEY_TYPE ktype, unsigned char *blob, > size_t *blen, OBJECT *key_obj) > { > - char cipher[blobsize]; > - CK_ULONG clen = blobsize; > - char csum[64]; > - CK_ULONG cslen = 64; > + char cipher[MAX_BLOBSIZE]; > + CK_ULONG clen = sizeof(cipher); > + CK_BYTE csum[MAX_CSUMSIZE]; > + size_t cslen = sizeof(csum); > CK_BYTE iv[AES_BLOCK_SIZE]; > CK_MECHANISM mech = { CKM_AES_CBC_PAD, iv, AES_BLOCK_SIZE }; > DL_NODE *node = key_obj->template->attribute_list; > @@ -1072,7 +1053,7 @@ static CK_RV rawkey_2_blob(unsigned char *key, CK_ULONG > ksize, > node = node->next; > } > > - memset(cipher, 0, blobsize); > + memset(cipher, 0, sizeof(cipher)); > memcpy(iv, "1234567812345678", AES_BLOCK_SIZE); > > /* > @@ -1107,11 +1088,9 @@ static CK_RV rawkey_2_blob(unsigned char *key, > CK_ULONG ksize, > ep11tok_target); > > if (rc != CKR_OK) { > - TRACE_ERROR("%s unwrap blen=%zd rc=0x%lx ep11_blobs=0x%llx\n", > - __func__, *blen, rc, ep11_blobs); > + TRACE_ERROR("%s unwrap blen=%zd rc=0x%lx\n", __func__, *blen, > rc); > } else { > - TRACE_INFO("%s unwrap blen=%zd rc=0x%lx ep11_blobs=0x%llx\n", > - __func__, *blen, rc, ep11_blobs); > + TRACE_INFO("%s unwrap blen=%zd rc=0x%lx\n", __func__, *blen, > rc); > } > > rawkey_2_blob_end: > @@ -1222,18 +1201,17 @@ CK_RV token_specific_rng(CK_BYTE *output, CK_ULONG > bytes) > static CK_RV make_wrapblob(CK_ATTRIBUTE *tmpl_in, CK_ULONG tmpl_len) > { > CK_MECHANISM mech = {CKM_AES_KEY_GEN, NULL_PTR, 0}; > - unsigned char csum[64]; > - size_t csum_l = 64; > + unsigned char csum[MAX_CSUMSIZE]; > + size_t csum_l = sizeof(csum); > CK_RV rc; > > - > if (raw2key_wrap_blob_l != 0) { > TRACE_INFO("%s blob already exists raw2key_wrap_blob_l=0x%zx\n", > __func__, raw2key_wrap_blob_l); > return CKR_OK; > } > > - raw2key_wrap_blob_l = blobsize; > + raw2key_wrap_blob_l = sizeof(raw2key_wrap_blob); > rc = m_GenerateKey(&mech, tmpl_in, tmpl_len, NULL, 0, raw2key_wrap_blob, > &raw2key_wrap_blob_l, csum, &csum_l, ep11tok_target); > > @@ -1274,10 +1252,6 @@ CK_RV ep11tok_init(CK_SLOT_ID SlotNumber, char > *conf_name) > return CKR_GENERAL_ERROR; > } > > - /* wrap key name */ > - memset(wrap_key_name, 0, sizeof(wrap_key_name)); > - memcpy(wrap_key_name, "EP11_wrapkey", sizeof("EP11_wrapkey")); > - > /* dynamically load in the ep11 shared library */ > lib_ep11 = dlopen(EP11SHAREDLIB, RTLD_GLOBAL | RTLD_NOW); > if (!lib_ep11) { > @@ -1345,17 +1319,17 @@ static CK_RV import_RSA_key(OBJECT *rsa_key_obj, > CK_BYTE *blob, size_t *blob_siz > CK_ATTRIBUTE *attr = NULL; > CK_BYTE iv[AES_BLOCK_SIZE]; > CK_MECHANISM mech_w = {CKM_AES_CBC_PAD, iv, AES_BLOCK_SIZE}; > - CK_BYTE cipher[blobsize]; > - CK_ULONG cipher_l = blobsize; > + CK_BYTE cipher[MAX_BLOBSIZE]; > + CK_ULONG cipher_l = sizeof(cipher); > DL_NODE *node; > CK_ATTRIBUTE_PTR p_attrs = NULL; > CK_ULONG attrs_len = 0; > CK_ATTRIBUTE_PTR new_p_attrs = NULL; > CK_ULONG new_attrs_len = 0; > - char csum[blobsize]; > - CK_ULONG cslen = blobsize; > + char csum[MAX_CSUMSIZE]; > + CK_ULONG cslen = sizeof(csum); > CK_OBJECT_CLASS class; > - CK_BYTE *data; > + CK_BYTE *data = NULL; > CK_ULONG data_len; > > memcpy(iv, "1234567812345678", AES_BLOCK_SIZE); > @@ -1393,8 +1367,10 @@ static CK_RV import_RSA_key(OBJECT *rsa_key_obj, > CK_BYTE *blob, size_t *blob_siz > > class = *(CK_OBJECT_CLASS *)attr->pValue; > > - /* an imported public RSA key, we need a SPKI for it. */ > if (class != CKO_PRIVATE_KEY) { > + > + /* an imported public RSA key, we need a SPKI for it. */ > + > CK_ATTRIBUTE *modulus; > CK_ATTRIBUTE *publ_exp; > > @@ -1430,63 +1406,62 @@ static CK_RV import_RSA_key(OBJECT *rsa_key_obj, > CK_BYTE *blob, size_t *blob_siz > */ > memcpy(blob, data, data_len); > *blob_size = data_len; > - goto import_RSA_key_end; > - } > > - /* only imported private RSA keys go here */ > + } else { > > - /* extract the secret data to be wrapped > - * since this is AES_CBC_PAD, padding is done in mechanism. > - */ > - rc = rsa_priv_wrap_get_data(rsa_key_obj->template, FALSE, > - &data, &data_len); > - if (rc != CKR_OK) { > - TRACE_DEVEL("%s RSA wrap get data failed\n", __func__); > - goto import_RSA_key_end; > - } > + /* imported private RSA key goes here */ > > - /* encrypt */ > - rc = m_EncryptSingle(raw2key_wrap_blob, raw2key_wrap_blob_l, &mech_w, > - data, data_len, cipher, &cipher_l, ep11tok_target); > + /* extract the secret data to be wrapped > + * since this is AES_CBC_PAD, padding is done in mechanism. > + */ > + rc = rsa_priv_wrap_get_data(rsa_key_obj->template, FALSE, > + &data, &data_len); > + if (rc != CKR_OK) { > + TRACE_DEVEL("%s RSA wrap get data failed\n", __func__); > + goto import_RSA_key_end; > + } > > - /* done with data */ > - if (data != NULL) > - free (data); > + /* encrypt */ > + rc = m_EncryptSingle(raw2key_wrap_blob, raw2key_wrap_blob_l, > &mech_w, > + data, data_len, cipher, &cipher_l, > ep11tok_target); > > - TRACE_INFO("%s wrapping wrap key rc=0x%lx cipher_l=0x%lx\n", > - __func__, rc, cipher_l); > + TRACE_INFO("%s wrapping wrap key rc=0x%lx cipher_l=0x%lx\n", > + __func__, rc, cipher_l); > > - if (rc != CKR_OK) { > - TRACE_ERROR("%s wrapping wrap key rc=0x%lx cipher_l=0x%lx\n", > - __func__, rc, cipher_l); > - goto import_RSA_key_end; > - } > + if (rc != CKR_OK) { > + TRACE_ERROR("%s wrapping wrap key rc=0x%lx > cipher_l=0x%lx\n", > + __func__, rc, cipher_l); > + goto import_RSA_key_end; > + } > > - rc = check_key_attributes(CKK_RSA, CKO_PRIVATE_KEY, p_attrs, attrs_len, > - &new_p_attrs, &new_attrs_len); > - if (rc != CKR_OK) { > - TRACE_ERROR("%s RSA/EC check private key attributes failed with > rc=0x%lx\n", > - __func__, rc); > - return rc; > - } > + rc = check_key_attributes(CKK_RSA, CKO_PRIVATE_KEY, p_attrs, > attrs_len, > + &new_p_attrs, &new_attrs_len); > + if (rc != CKR_OK) { > + TRACE_ERROR("%s RSA/EC check private key attributes > failed with rc=0x%lx\n", > + __func__, rc); > + return rc; > + } > > - /* calls the card, it decrypts the private RSA key, > - * reads its BER format and builds a blob. > - */ > - rc = m_UnwrapKey(cipher, cipher_l, raw2key_wrap_blob, > raw2key_wrap_blob_l, > - NULL, ~0, ep11_pin_blob, ep11_pin_blob_len, &mech_w, > - new_p_attrs, new_attrs_len, blob, blob_size, csum, > &cslen, > - ep11tok_target); > + /* calls the card, it decrypts the private RSA key, > + * reads its BER format and builds a blob. > + */ > + rc = m_UnwrapKey(cipher, cipher_l, raw2key_wrap_blob, > raw2key_wrap_blob_l, > + NULL, ~0, ep11_pin_blob, ep11_pin_blob_len, > &mech_w, > + new_p_attrs, new_attrs_len, blob, blob_size, > csum, &cslen, > + ep11tok_target); > > - if (rc != CKR_OK) { > - TRACE_ERROR("%s wrapping unwrap key rc=0x%lx blob_size=0x%zx\n", > - __func__, rc, *blob_size); > - } else { > - TRACE_INFO("%s wrapping unwrap key rc=0x%lx blob_size=0x%zx\n", > - __func__, rc, *blob_size); > + if (rc != CKR_OK) { > + TRACE_ERROR("%s wrapping unwrap key rc=0x%lx > blob_size=0x%zx\n", > + __func__, rc, *blob_size); > + } else { > + TRACE_INFO("%s wrapping unwrap key rc=0x%lx > blob_size=0x%zx\n", > + __func__, rc, *blob_size); > + } > } > > import_RSA_key_end: > + if (data) > + free(data); > if (p_attrs != NULL) > free_attribute_array(p_attrs, attrs_len); > if (new_p_attrs) > @@ -1499,7 +1474,8 @@ token_specific_object_add(OBJECT *obj) > { > CK_KEY_TYPE keytype; > CK_ATTRIBUTE *attr = NULL; > - ep11_opaque new_op; > + CK_BYTE blob[MAX_BLOBSIZE]; > + size_t blobsize = sizeof(blob); > CK_RV rc; > > /* get key type */ > @@ -1510,21 +1486,19 @@ token_specific_object_add(OBJECT *obj) > > keytype = *(CK_KEY_TYPE *)attr->pValue; > > - memset(&new_op, 0, sizeof(new_op)); > - new_op.blob_size = blobsize; > + memset(blob, 0, sizeof(blob)); > > /* only these keys can be imported */ > switch(keytype) { > case CKK_RSA: > - rc = import_RSA_key(obj, new_op.blob, &new_op.blob_size); > + rc = import_RSA_key(obj, blob, &blobsize); > if (rc != CKR_OK) { > - TRACE_ERROR("%s import RSA key rc=0x%lx " > - "blob_size=0x%zx\n", __func__, rc, > - new_op.blob_size); > + TRACE_ERROR("%s import RSA key rc=0x%lx > blobsize=0x%zx\n", > + __func__, rc, blobsize); > return CKR_FUNCTION_FAILED; > } > - TRACE_INFO("%s import RSA key rc=0x%lx blob_size=0x%zx\n", > - __func__, rc, new_op.blob_size); > + TRACE_INFO("%s import RSA key rc=0x%lx blobsize=0x%zx\n", > + __func__, rc, blobsize); > break; > > case CKK_DES2: > @@ -1541,29 +1515,25 @@ token_specific_object_add(OBJECT *obj) > * import that key (make a blob) > */ > rc = rawkey_2_blob(attr->pValue, attr->ulValueLen, keytype, > - new_op.blob, &new_op.blob_size, obj); > + blob, &blobsize, obj); > if (rc != CKR_OK) { > - TRACE_ERROR("%s rawkey_2_blob rc=0x%lx " > - "blob_size=0x%zx\n", __func__, rc, > - new_op.blob_size); > + TRACE_ERROR("%s rawkey_2_blob rc=0x%lx > blobsize=0x%zx\n", > + __func__, rc, blobsize); > return CKR_FUNCTION_FAILED; > } > /* clear value attribute */ > memset(attr->pValue, 0, attr->ulValueLen); > > - TRACE_INFO("%s rawkey_2_blob rc=0x%lx blob_size=0x%zx\n", > - __func__, rc, new_op.blob_size); > + TRACE_INFO("%s rawkey_2_blob rc=0x%lx blobsize=0x%zx\n", > + __func__, rc, blobsize); > > break; > default: > return CKR_KEY_FUNCTION_NOT_PERMITTED; > } > > - new_op.blob_id = ep11_blobs_inc(); > - > /* store the blob in the key obj */ > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &new_op, > - sizeof(ep11_opaque), &attr); > + rc = build_attribute(CKA_IBM_OPAQUE, blob, blobsize, &attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > @@ -1585,9 +1555,10 @@ CK_RV ep11tok_generate_key(SESSION *session, > CK_MECHANISM_PTR mech, > CK_ATTRIBUTE_PTR attrs, CK_ULONG attrs_len, > CK_OBJECT_HANDLE_PTR handle) > { > - ep11_opaque new_op; > - CK_BYTE csum[64]; > - size_t csum_len = 64; > + CK_BYTE blob[MAX_BLOBSIZE]; > + size_t blobsize = sizeof(blob); > + CK_BYTE csum[MAX_CSUMSIZE]; > + size_t csum_len = sizeof(csum); > CK_ATTRIBUTE *attr = NULL; > OBJECT *key_obj = NULL; > CK_ULONG ktype; > @@ -1596,9 +1567,8 @@ CK_RV ep11tok_generate_key(SESSION *session, > CK_MECHANISM_PTR mech, > CK_ULONG new_attrs_len = 0; > CK_RV rc; > > - memset(&new_op, 0, sizeof(new_op)); > + memset(blob, 0, sizeof(blob)); > memset(csum, 0, sizeof(csum)); > - new_op.blob_size = blobsize; > > /* Get the keytype to use when creating the key object */ > rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class); > @@ -1617,7 +1587,7 @@ CK_RV ep11tok_generate_key(SESSION *session, > CK_MECHANISM_PTR mech, > } > > rc = m_GenerateKey(mech, new_attrs, new_attrs_len, ep11_pin_blob, > - ep11_pin_blob_len, new_op.blob, &new_op.blob_size, > + ep11_pin_blob_len, blob, &blobsize, > csum, &csum_len, ep11tok_target); > if (rc != CKR_OK) { > TRACE_ERROR("%s m_GenerateKey rc=0x%lx mech='%s' > attrs_len=0x%lx\n", > @@ -1638,8 +1608,7 @@ CK_RV ep11tok_generate_key(SESSION *session, > CK_MECHANISM_PTR mech, > goto error; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &new_op, > - sizeof(ep11_opaque), &attr); > + rc = build_attribute(CKA_IBM_OPAQUE, blob, blobsize, &attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > @@ -1677,13 +1646,14 @@ done: > CK_RV token_specific_sha_init(DIGEST_CONTEXT *c) > { > CK_RV rc; > - CK_BYTE *state = malloc(blobsize); /* freed by dig_mgr.c */ > + CK_MECHANISM mechanism = { CKM_SHA_1, NULL_PTR, 0 }; > + size_t state_len = MAX_DIGEST_STATE_BYTES; > + CK_BYTE *state = malloc(state_len); /* freed by dig_mgr.c */ > + > if (!state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > } > - size_t state_len = blobsize; > - CK_MECHANISM mechanism = { CKM_SHA_1, NULL_PTR, 0 }; > > rc = m_DigestInit (state, &state_len, &mechanism, ep11tok_target) ; > > @@ -1762,13 +1732,14 @@ CK_RV token_specific_sha_final(DIGEST_CONTEXT *c, > CK_BYTE *out_data, > CK_RV token_specific_sha2_init(DIGEST_CONTEXT *c) > { > CK_RV rc; > - CK_BYTE *state = malloc(blobsize); > + CK_MECHANISM mechanism = { CKM_SHA256, NULL_PTR, 0 }; > + size_t state_len = MAX_DIGEST_STATE_BYTES; > + CK_BYTE *state = malloc(state_len); > + > if (!state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > } > - size_t state_len = blobsize; > - CK_MECHANISM mechanism = { CKM_SHA256, NULL_PTR, 0 }; > > rc = m_DigestInit (state, &state_len, &mechanism, ep11tok_target); > > @@ -1788,13 +1759,14 @@ CK_RV token_specific_sha2_init(DIGEST_CONTEXT *c) > CK_RV token_specific_sha3_init(DIGEST_CONTEXT *c) > { > CK_RV rc; > - CK_BYTE *state = malloc(blobsize); > + CK_MECHANISM mechanism = { CKM_SHA384, NULL_PTR, 0 }; > + size_t state_len = MAX_DIGEST_STATE_BYTES; > + CK_BYTE *state = malloc(state_len); > + > if (!state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > } > - size_t state_len = blobsize; > - CK_MECHANISM mechanism = { CKM_SHA384, NULL_PTR, 0 }; > > rc = m_DigestInit (state, &state_len, &mechanism, ep11tok_target) ; > > @@ -1815,13 +1787,14 @@ CK_RV token_specific_sha3_init(DIGEST_CONTEXT *c) > CK_RV token_specific_sha5_init(DIGEST_CONTEXT *c) > { > CK_RV rc; > - CK_BYTE *state = malloc(blobsize); > + CK_MECHANISM mechanism = { CKM_SHA512, NULL_PTR, 0 }; > + size_t state_len = MAX_DIGEST_STATE_BYTES; > + CK_BYTE *state = malloc(state_len); > + > if (!state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > } > - size_t state_len = blobsize; > - CK_MECHANISM mechanism = { CKM_SHA512, NULL_PTR, 0 }; > > rc = m_DigestInit (state, &state_len, &mechanism, ep11tok_target) ; > > @@ -1843,11 +1816,12 @@ CK_RV ep11tok_derive_key(SESSION *session, > CK_MECHANISM_PTR mech, > CK_ATTRIBUTE_PTR attrs, CK_ULONG attrs_len) > { > CK_RV rc; > - unsigned char *blob; > - size_t blob_len = 0; > - ep11_opaque secret_op; > - char csum[blobsize]; > - CK_ULONG cslen = blobsize; > + CK_BYTE *keyblob; > + size_t keyblobsize; > + CK_BYTE newblob[MAX_BLOBSIZE]; > + size_t newblobsize = sizeof(newblob); > + char csum[MAX_CSUMSIZE]; > + CK_ULONG cslen = sizeof(csum); > CK_ATTRIBUTE *opaque_attr = NULL; > OBJECT *key_obj = NULL; > CK_ULONG ktype; > @@ -1855,10 +1829,9 @@ CK_RV ep11tok_derive_key(SESSION *session, > CK_MECHANISM_PTR mech, > CK_ATTRIBUTE_PTR new_attrs = NULL; > CK_ULONG new_attrs_len = 0; > > - memset(&secret_op, 0, sizeof(secret_op)); > - secret_op.blob_size = blobsize; > + memset(newblob, 0, sizeof(newblob)); > > - rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len, &key_obj); > + rc = h_opaque_2_blob(hBaseKey, &keyblob, &keyblobsize, &key_obj); > if (rc != CKR_OK) { > TRACE_ERROR("%s failedL hBaseKey=0x%lx\n", __func__, hBaseKey); > return rc; > @@ -1879,18 +1852,17 @@ CK_RV ep11tok_derive_key(SESSION *session, > CK_MECHANISM_PTR mech, > return rc; > } > > - rc = m_DeriveKey (mech, new_attrs, new_attrs_len, blob, blob_len, NULL, > - 0, ep11_pin_blob, ep11_pin_blob_len, secret_op.blob, > - &secret_op.blob_size, csum, &cslen, ep11tok_target); > + rc = m_DeriveKey (mech, new_attrs, new_attrs_len, keyblob, keyblobsize, > NULL, > + 0, ep11_pin_blob, ep11_pin_blob_len, newblob, > &newblobsize, > + csum, &cslen, ep11tok_target); > > if (rc != CKR_OK) { > - TRACE_ERROR("%s hBaseKey=0x%lx rc=0x%lx handle=0x%lx " > - "blob_size=0x%zx\n", __func__, hBaseKey, rc, > - *handle, secret_op.blob_size); > + TRACE_ERROR("%s hBaseKey=0x%lx rc=0x%lx handle=0x%lx > blobsize=0x%zx\n", > + __func__, hBaseKey, rc, *handle, newblobsize); > return rc; > } > - TRACE_INFO("%s hBaseKey=0x%lx rc=0x%lx handle=0x%lx blob_size=0x%zx\n", > - __func__, hBaseKey, rc, *handle, secret_op.blob_size); > + TRACE_INFO("%s hBaseKey=0x%lx rc=0x%lx handle=0x%lx blobsize=0x%zx\n", > + __func__, hBaseKey, rc, *handle, newblobsize); > > /* Start creating the key object */ > rc = object_mgr_create_skel(session, new_attrs, new_attrs_len, > @@ -1901,8 +1873,7 @@ CK_RV ep11tok_derive_key(SESSION *session, > CK_MECHANISM_PTR mech, > goto error; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &secret_op, > - sizeof(ep11_opaque), &opaque_attr); > + rc = build_attribute(CKA_IBM_OPAQUE, newblob, newblobsize, > &opaque_attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto error; > @@ -1947,8 +1918,10 @@ static CK_RV dh_generate_keypair(CK_MECHANISM_PTR > pMechanism, > CK_SESSION_HANDLE h) > { > CK_RV rc; > - ep11_opaque publ_op; > - ep11_opaque priv_op; > + CK_BYTE publblob[MAX_BLOBSIZE]; > + size_t publblobsize = sizeof(publblob); > + CK_BYTE privblob[MAX_BLOBSIZE]; > + size_t privblobsize = sizeof(privblob); > CK_ATTRIBUTE *prime_attr = NULL; > CK_ATTRIBUTE *base_attr = NULL; > CK_ATTRIBUTE *opaque_attr = NULL; > @@ -1971,10 +1944,8 @@ static CK_RV dh_generate_keypair(CK_MECHANISM_PTR > pMechanism, > unsigned char *pg; > } dh_pgs; > memset(&dh_pgs, 0, sizeof(dh_pgs)); > - memset(&publ_op, 0, sizeof(publ_op)); > - memset(&priv_op, 0, sizeof(priv_op)); > - publ_op.blob_size = blobsize; > - priv_op.blob_size = blobsize; > + memset(publblob, 0, sizeof(publblob)); > + memset(privblob, 0, sizeof(privblob)); > > /* card does not want CKA_PRIME/CKA_BASE in template but in dh_pgs */ > pPublicKeyTemplate_new = (CK_ATTRIBUTE *)malloc(sizeof(CK_ATTRIBUTE) * > ulPublicKeyAttributeCount); > @@ -2068,27 +2039,19 @@ static CK_RV dh_generate_keypair(CK_MECHANISM_PTR > pMechanism, > rc = m_GenerateKeyPair(pMechanism, pPublicKeyTemplate_new, > new_public_attr+1, pPrivateKeyTemplate, > ulPrivateKeyAttributeCount, ep11_pin_blob, > - ep11_pin_blob_len, priv_op.blob, > - &priv_op.blob_size, publ_op.blob, > - &publ_op.blob_size, ep11tok_target); > + ep11_pin_blob_len, privblob, &privblobsize, > + publblob, &publblobsize, ep11tok_target); > > if (rc != CKR_OK) { > TRACE_ERROR("%s m_GenerateKeyPair failed rc=0x%lx\n", __func__, > rc); > goto dh_generate_keypair_end; > } > > - /* only debug */ > - publ_op.blob_id = ep11_blobs_inc(); > - priv_op.blob_id = ep11_blobs_inc(); > - > - TRACE_INFO("%s rc=0x%lx blobs1=0x%llx blobs2=0x%llx plen=%zd" > - " pub.blob_size=0x%zx priv.blob_size=0x%zx\n", > - __func__, rc, ep11_blobs-1, ep11_blobs-2, p_len, > - publ_op.blob_size, priv_op.blob_size); > + TRACE_INFO("%s rc=0x%lx plen=%zd publblobsize=0x%zx > privblobsize=0x%zx\n", > + __func__, rc, p_len, publblobsize, privblobsize); > > /* store the blobs */ > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &publ_op, > - sizeof(ep11_opaque), &opaque_attr); > + rc = build_attribute(CKA_IBM_OPAQUE, publblob, publblobsize, > &opaque_attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto dh_generate_keypair_end; > @@ -2101,8 +2064,7 @@ static CK_RV dh_generate_keypair(CK_MECHANISM_PTR > pMechanism, > goto dh_generate_keypair_end; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &priv_op, > - sizeof(ep11_opaque), &opaque_attr); > + rc = build_attribute(CKA_IBM_OPAQUE, privblob, privblobsize, > &opaque_attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto dh_generate_keypair_end; > @@ -2117,11 +2079,11 @@ static CK_RV dh_generate_keypair(CK_MECHANISM_PTR > pMechanism, > > #ifdef DEBUG > TRACE_DEBUG("%s DH SPKI\n", __func__ ); > - TRACE_DEBUG_DUMP(publ_op.blob, publ_op.blob_size); > + TRACE_DEBUG_DUMP(publblob, publblobsize); > #endif > > /* CKA_VALUE of the public key must hold 'y' */ > - rc = ep11_spki_key(publ_op.blob, &y_start, &bit_str_len); > + rc = ep11_spki_key(publblob, &y_start, &bit_str_len); > if (rc != CKR_OK) { > TRACE_ERROR("%s ber_decode SKPI failed rc=0x%lx\n", __func__, > rc); > rc = CKR_GENERAL_ERROR; > @@ -2182,8 +2144,10 @@ static CK_RV dsa_generate_keypair(CK_MECHANISM_PTR > pMechanism, > CK_SESSION_HANDLE h) > { > CK_RV rc; > - ep11_opaque publ_op; > - ep11_opaque priv_op; > + CK_BYTE publblob[MAX_BLOBSIZE]; > + size_t publblobsize = sizeof(publblob); > + CK_BYTE privblob[MAX_BLOBSIZE]; > + size_t privblobsize = sizeof(privblob); > CK_ATTRIBUTE *prime_attr = NULL; > CK_ATTRIBUTE *sub_prime_attr = NULL; > CK_ATTRIBUTE *base_attr = NULL; > @@ -2207,10 +2171,8 @@ static CK_RV dsa_generate_keypair(CK_MECHANISM_PTR > pMechanism, > unsigned char *pqg; > } dsa_pqgs; > memset(&dsa_pqgs, 0, sizeof(dsa_pqgs)); > - memset(&publ_op, 0, sizeof(publ_op)); > - memset(&priv_op, 0, sizeof(priv_op)); > - publ_op.blob_size = blobsize; > - priv_op.blob_size = blobsize; > + memset(publblob, 0, sizeof(publblob)); > + memset(privblob, 0, sizeof(privblob)); > > /* card does not want CKA_PRIME/CKA_BASE/CKA_SUBPRIME > * in template but in dsa_pqgs > @@ -2345,25 +2307,18 @@ static CK_RV dsa_generate_keypair(CK_MECHANISM_PTR > pMechanism, > dsa_ulPublicKeyAttributeCount, > dsa_pPrivateKeyTemplate, > dsa_ulPrivateKeyAttributeCount, ep11_pin_blob, > - ep11_pin_blob_len, priv_op.blob, > - &priv_op.blob_size, publ_op.blob, > - &publ_op.blob_size, ep11tok_target); > + ep11_pin_blob_len, privblob, &privblobsize, > + publblob, &publblobsize, ep11tok_target); > > if (rc != CKR_OK) { > TRACE_ERROR("%s m_GenerateKeyPair failed with rc=0x%lx\n", > __func__, rc); > goto dsa_generate_keypair_end; > } > > - publ_op.blob_id = ep11_blobs_inc(); > - priv_op.blob_id = ep11_blobs_inc(); > + TRACE_INFO("%s rc=0x%lx p_len=%zd publblobsize=0x%zx privblobsize=0x%zx > npattr=0x%x\n", > + __func__, rc, p_len, publblobsize, privblobsize, > new_public_attr+1); > > - TRACE_INFO("%s rc=0x%lx blobs1=0x%llx blobs2=0x%llx p_len=%zd" > - " pub.blob_size=0x%zx priv.blob_size=0x%zx npattr=0x%x\n", > - __func__, rc, ep11_blobs-1, ep11_blobs-2, p_len, > - publ_op.blob_size, priv_op.blob_size, new_public_attr+1); > - > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &publ_op, > - sizeof(ep11_opaque), &opaque_attr); > + rc = build_attribute(CKA_IBM_OPAQUE, publblob, publblobsize, > &opaque_attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto dsa_generate_keypair_end; > @@ -2376,8 +2331,7 @@ static CK_RV dsa_generate_keypair(CK_MECHANISM_PTR > pMechanism, > goto dsa_generate_keypair_end; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &priv_op, > - sizeof(ep11_opaque), &opaque_attr); > + rc = build_attribute(CKA_IBM_OPAQUE, privblob, privblobsize, > &opaque_attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto dsa_generate_keypair_end; > @@ -2391,7 +2345,7 @@ static CK_RV dsa_generate_keypair(CK_MECHANISM_PTR > pMechanism, > } > > /* set CKA_VALUE of the public key, first get key from SPKI */ > - rc = ep11_spki_key(publ_op.blob, &key, &bit_str_len); > + rc = ep11_spki_key(publblob, &key, &bit_str_len); > if (rc != CKR_OK) { > TRACE_ERROR("%s reading DSA SPKI failed with rc=0x%lx\n", > __func__, rc); > goto dsa_generate_keypair_end; > @@ -2446,12 +2400,14 @@ static CK_RV rsa_ec_generate_keypair(CK_MECHANISM_PTR > pMechanism, > CK_RV rc; > CK_ATTRIBUTE *attr = NULL; > CK_ATTRIBUTE *n_attr = NULL; > - unsigned char privkey_blob[blobsize]; > - unsigned char spki[blobsize]; > - size_t privkey_blob_len = blobsize; > - size_t spki_len = blobsize; > - ep11_opaque publ_op; > - ep11_opaque priv_op; > + CK_BYTE privkey_blob[MAX_BLOBSIZE]; > + size_t privkey_blob_len = sizeof(privkey_blob); > + unsigned char spki[MAX_BLOBSIZE]; > + size_t spki_len = sizeof(spki); > + CK_BYTE publblob[MAX_BLOBSIZE]; > + size_t publblobsize = sizeof(publblob); > + CK_BYTE privblob[MAX_BLOBSIZE]; > + size_t privblobsize = sizeof(privblob); > int i; > CK_ULONG bit_str_len; > CK_BYTE *key; > @@ -2511,37 +2467,32 @@ static CK_RV rsa_ec_generate_keypair(CK_MECHANISM_PTR > pMechanism, > ep11tok_target); > if (rc != CKR_OK) { > TRACE_ERROR("%s m_GenerateKeyPair rc=0x%lx spki_len=0x%zx " > - "privkey_blob_len=0x%zx ep11_blobs=0x%llx " > - "ep11_blobs+1=0x%llx mech='%s'\n", __func__, rc, > - spki_len, privkey_blob_len, ep11_blobs, > - ep11_blobs+1, ep11_get_ckm(pMechanism->mechanism)); > + "privkey_blob_len=0x%zx mech='%s'\n", > + __func__, rc, spki_len, privkey_blob_len, > + ep11_get_ckm(pMechanism->mechanism)); > goto error; > } > TRACE_INFO("%s m_GenerateKeyPair rc=0x%lx spki_len=0x%zx " > - "privkey_blob_len=0x%zx ep11_blobs=0x%llx " > - "ep11_blobs+1=0x%llx mech='%s'\n", __func__, rc, spki_len, > - privkey_blob_len, ep11_blobs, ep11_blobs+1, > + "privkey_blob_len=0x%zx mech='%s'\n", > + __func__, rc, spki_len, privkey_blob_len, > ep11_get_ckm(pMechanism->mechanism)); > > - if (spki_len > blobsize || privkey_blob_len > blobsize) { > + if (spki_len > MAX_BLOBSIZE || privkey_blob_len > MAX_BLOBSIZE) { > TRACE_ERROR("%s blobsize error\n", __func__); > rc = CKR_KEY_INDIGESTIBLE; > goto error; > } > > - memset(&publ_op, 0, sizeof(publ_op)); > - memset(&priv_op, 0, sizeof(priv_op)); > + memset(publblob, 0, sizeof(publblob)); > + memset(privblob, 0, sizeof(privblob)); > > - memcpy(publ_op.blob, spki, spki_len); > - publ_op.blob_size = spki_len; > - publ_op.blob_id = ep11_blobs_inc(); > + memcpy(publblob, spki, spki_len); > + publblobsize = spki_len; > > - memcpy(priv_op.blob, privkey_blob, privkey_blob_len); > - priv_op.blob_size = privkey_blob_len; > - priv_op.blob_id = ep11_blobs_inc(); > + memcpy(privblob, privkey_blob, privkey_blob_len); > + privblobsize = privkey_blob_len; > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &publ_op, > - sizeof(ep11_opaque), &attr); > + rc = build_attribute(CKA_IBM_OPAQUE, publblob, publblobsize, &attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto error; > @@ -2553,8 +2504,7 @@ static CK_RV rsa_ec_generate_keypair(CK_MECHANISM_PTR > pMechanism, > goto error; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &priv_op, > - sizeof(ep11_opaque), &attr); > + rc = build_attribute(CKA_IBM_OPAQUE, privblob, privblobsize, &attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > @@ -2913,11 +2863,10 @@ error: > * The blob is created if none was build yet. > */ > static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, > - CK_BYTE **blob, size_t *blob_len, OBJECT **kobj) > + CK_BYTE **blob, size_t *blobsize, OBJECT **kobj) > { > OBJECT *key_obj; > CK_ATTRIBUTE *attr = NULL; > - ep11_opaque *op; > CK_RV rc; > > /* find the key obj by the key handle */ > @@ -2930,13 +2879,11 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, > /* blob already exists */ > if (template_attribute_find(key_obj->template, CKA_IBM_OPAQUE, &attr) && > (attr->ulValueLen > 0)) { > - op = attr->pValue; > - *blob = op->blob; > - *blob_len = op->blob_size; > + *blob = attr->pValue; > + *blobsize = (size_t) attr->ulValueLen; > *kobj = key_obj; > - TRACE_INFO("%s blob found blob_len=0x%zx valuelen=0x%lx " > - "blob_id=0x%zx\n", __func__, *blob_len, > - attr->ulValueLen, op->blob_id); > + TRACE_INFO("%s blob found blobsize=0x%zx\n", > + __func__, *blobsize); > return CKR_OK; > } else { > > @@ -2951,33 +2898,31 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, > CK_RV ep11tok_sign_init(SESSION *session, CK_MECHANISM *mech, > CK_BBOOL recover_mode, CK_OBJECT_HANDLE key) > { > - CK_BYTE *privkey_blob; > - size_t blob_len = 0; > CK_RV rc; > - SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx; > - CK_BYTE *ep11_sign_state; > - size_t ep11_sign_state_l; > + size_t keyblobsize = 0; > + CK_BYTE *keyblob; > OBJECT *key_obj = NULL; > + SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx; > + size_t ep11_sign_state_l = MAX_SIGN_STATE_BYTES; > + CK_BYTE *ep11_sign_state = malloc(ep11_sign_state_l); > > - ep11_sign_state_l = blobsize; > - ep11_sign_state = malloc(blobsize); > if (!ep11_sign_state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > } > > - rc = h_opaque_2_blob(key, &privkey_blob, &blob_len, &key_obj); > + rc = h_opaque_2_blob(key, &keyblob, &keyblobsize, &key_obj); > if (rc != CKR_OK) { > TRACE_ERROR("%s no blob rc=0x%lx\n", __func__, rc); > return rc; > } > > rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l, > - mech, privkey_blob, blob_len, ep11tok_target) ; > + mech, keyblob, keyblobsize, ep11tok_target) ; > > if (rc != CKR_OK) { > - TRACE_ERROR("%s rc=0x%lx blob_len=0x%zx key=0x%lx mech=0x%lx\n", > - __func__, rc, blob_len, key, mech->mechanism); > + TRACE_ERROR("%s rc=0x%lx blobsize=0x%zx key=0x%lx mech=0x%lx\n", > + __func__, rc, keyblobsize, key, mech->mechanism); > free(ep11_sign_state); > } else { > /* SIGN_VERIFY_CONTEX holds all needed for continuing, > @@ -2989,8 +2934,8 @@ CK_RV ep11tok_sign_init(SESSION *session, CK_MECHANISM > *mech, > ctx->context = ep11_sign_state; > ctx->context_len = ep11_sign_state_l; > > - TRACE_INFO("%s rc=0x%lx blob_len=0x%zx key=0x%lx mech=0x%lx\n", > - __func__, rc, blob_len, key, mech->mechanism); > + TRACE_INFO("%s rc=0x%lx blobsize=0x%zx key=0x%lx mech=0x%lx\n", > + __func__, rc, keyblobsize, key, mech->mechanism); > } > > return rc; > @@ -3060,16 +3005,14 @@ CK_RV ep11tok_sign_final(SESSION *session, CK_BBOOL > length_only, > CK_RV ep11tok_verify_init(SESSION *session, CK_MECHANISM *mech, > CK_BBOOL recover_mode, CK_OBJECT_HANDLE key) > { > + CK_RV rc; > CK_BYTE *spki; > size_t spki_len = 0; > - CK_RV rc; > - SIGN_VERIFY_CONTEXT *ctx = &session->verify_ctx; > - CK_BYTE *ep11_sign_state; > - size_t ep11_sign_state_l; > OBJECT *key_obj = NULL; > + SIGN_VERIFY_CONTEXT *ctx = &session->verify_ctx; > + size_t ep11_sign_state_l = MAX_SIGN_STATE_BYTES; > + CK_BYTE *ep11_sign_state = malloc(ep11_sign_state_l); > > - ep11_sign_state_l = blobsize; > - ep11_sign_state = malloc(blobsize); > if (!ep11_sign_state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > @@ -3155,6 +3098,7 @@ CK_RV ep11tok_verify_final(SESSION *session, CK_BYTE > *signature, > > rc = m_VerifyFinal(ctx->context, ctx->context_len, signature, > sig_len, ep11tok_target); > + > if (rc != CKR_OK) { > TRACE_ERROR("%s rc=0x%lx\n", __func__, rc); > } else { > @@ -3169,9 +3113,9 @@ CK_RV ep11tok_decrypt_final(SESSION *session, > CK_BYTE_PTR output_part, > CK_ULONG_PTR p_output_part_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *decr_ctx = &session->decr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->decr_ctx; > > - rc = m_DecryptFinal(decr_ctx->context, decr_ctx->context_len, > + rc = m_DecryptFinal(ctx->context, ctx->context_len, > output_part, p_output_part_len, ep11tok_target); > > if (rc != CKR_OK) { > @@ -3189,9 +3133,9 @@ CK_RV ep11tok_decrypt(SESSION *session, CK_BYTE_PTR > input_data, > CK_ULONG_PTR p_output_data_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *decr_ctx = &session->decr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->decr_ctx; > > - rc = m_Decrypt(decr_ctx->context, decr_ctx->context_len, input_data, > + rc = m_Decrypt(ctx->context, ctx->context_len, input_data, > input_data_len, output_data, p_output_data_len, > ep11tok_target); > > @@ -3210,14 +3154,14 @@ CK_RV ep11tok_decrypt_update(SESSION *session, > CK_BYTE_PTR input_part, > CK_ULONG_PTR p_output_part_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *decr_ctx = &session->decr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->decr_ctx; > > if (!input_part || !input_part_len) { > *p_output_part_len = 0; > return CKR_OK; /* nothing to update, keep context */ > } > > - rc = m_DecryptUpdate(decr_ctx->context, decr_ctx->context_len, > + rc = m_DecryptUpdate(ctx->context, ctx->context_len, > input_part, input_part_len, output_part, > p_output_part_len, ep11tok_target) ; > > @@ -3235,9 +3179,9 @@ CK_RV ep11tok_encrypt_final(SESSION *session, > CK_BYTE_PTR output_part, > CK_ULONG_PTR p_output_part_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *encr_ctx = &session->encr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->encr_ctx; > > - rc = m_EncryptFinal(encr_ctx->context, encr_ctx->context_len, > + rc = m_EncryptFinal(ctx->context, ctx->context_len, > output_part, p_output_part_len, ep11tok_target); > > if (rc != CKR_OK) { > @@ -3255,9 +3199,9 @@ CK_RV ep11tok_encrypt(SESSION *session, CK_BYTE_PTR > input_data, > CK_ULONG_PTR p_output_data_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *encr_ctx = &session->encr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->encr_ctx; > > - rc = m_Encrypt(encr_ctx->context, encr_ctx->context_len, input_data, > + rc = m_Encrypt(ctx->context, ctx->context_len, input_data, > input_data_len, output_data, p_output_data_len, > ep11tok_target); > > @@ -3276,14 +3220,14 @@ CK_RV ep11tok_encrypt_update(SESSION *session, > CK_BYTE_PTR input_part, > CK_ULONG_PTR p_output_part_len) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *encr_ctx = &session->encr_ctx; > + ENCR_DECR_CONTEXT *ctx = &session->encr_ctx; > > if (!input_part || !input_part_len) { > *p_output_part_len = 0; > return CKR_OK; /* nothing to update, keep context */ > } > > - rc = m_EncryptUpdate(encr_ctx->context, encr_ctx->context_len, > + rc = m_EncryptUpdate(ctx->context, ctx->context_len, > input_part, input_part_len, output_part, > p_output_part_len, ep11tok_target); > > @@ -3301,16 +3245,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, > CK_MECHANISM_PTR mech, > CK_OBJECT_HANDLE key, int op) > { > CK_RV rc = CKR_OK; > - ENCR_DECR_CONTEXT *decr_ctx = &session->decr_ctx; > - ENCR_DECR_CONTEXT *encr_ctx = &session->encr_ctx; > - CK_BYTE *ep11_state; > - size_t ep11_state_l; > CK_BYTE *blob; > size_t blob_len = 0; > OBJECT *key_obj = NULL; > + size_t ep11_state_l = MAX_CRYPT_STATE_BYTES; > + CK_BYTE *ep11_state = malloc(ep11_state_l); /* freed by encr/decr_mgr.c > */ > > - ep11_state_l = blobsize; > - ep11_state = malloc(blobsize); /* freed by encr/decr_mgr.c */ > if (!ep11_state) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > @@ -3323,12 +3263,13 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, > CK_MECHANISM_PTR mech, > } > > if (op == DECRYPT) { > + ENCR_DECR_CONTEXT *ctx = &session->decr_ctx; > rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob, > blob_len, ep11tok_target); > - decr_ctx->key = key; > - decr_ctx->active = TRUE; > - decr_ctx->context = ep11_state; > - decr_ctx->context_len = ep11_state_l; > + ctx->key = key; > + ctx->active = TRUE; > + ctx->context = ep11_state; > + ctx->context_len = ep11_state_l; > if (rc != CKR_OK) { > TRACE_ERROR("%s m_DecryptInit rc=0x%lx blob_len=0x%zx " > "mech=0x%lx\n", __func__, rc, blob_len, > @@ -3338,15 +3279,14 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, > CK_MECHANISM_PTR mech, > "mech=0x%lx\n", __func__, rc, blob_len, > mech->mechanism); > } > - > - return rc; > } else { > + ENCR_DECR_CONTEXT *ctx = &session->encr_ctx; > rc = m_EncryptInit (ep11_state, &ep11_state_l, mech, blob, > blob_len, ep11tok_target); > - encr_ctx->key = key; > - encr_ctx->active = TRUE; > - encr_ctx->context = ep11_state; > - encr_ctx->context_len = ep11_state_l; > + ctx->key = key; > + ctx->active = TRUE; > + ctx->context = ep11_state; > + ctx->context_len = ep11_state_l; > if (rc != CKR_OK) { > TRACE_ERROR("%s m_EncryptInit rc=0x%lx blob_len=0x%zx " > "mech=0x%lx\n", __func__, rc, blob_len, > @@ -3356,9 +3296,9 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, > CK_MECHANISM_PTR mech, > "mech=0x%lx\n", __func__, rc, blob_len, > mech->mechanism); > } > - > - return rc; > } > + > + return rc; > } > > > @@ -3420,8 +3360,8 @@ CK_RV ep11tok_wrap_key(SESSION *session, > CK_MECHANISM_PTR mech, > */ > if (wrapped_key == NULL) { > size_querry = 1; > - *p_wrapped_key_len = blobsize; > - wrapped_key = malloc(blobsize); > + *p_wrapped_key_len = MAX_BLOBSIZE; > + wrapped_key = malloc(MAX_BLOBSIZE); > if (!wrapped_key) { > TRACE_ERROR("%s Memory allocation failed\n", __func__); > return CKR_HOST_MEMORY; > @@ -3494,10 +3434,11 @@ CK_RV ep11tok_unwrap_key(SESSION *session, > CK_MECHANISM_PTR mech, > CK_RV rc; > CK_BYTE *wrapping_blob; > size_t wrapping_blob_len; > - char csum[blobsize]; > - CK_ULONG cslen = blobsize; > + char csum[MAX_CSUMSIZE]; > + CK_ULONG cslen = sizeof(csum); > OBJECT *key_obj = NULL; > - ep11_opaque op; > + CK_BYTE keyblob[MAX_BLOBSIZE]; > + size_t keyblobsize = sizeof(keyblob); > CK_ATTRIBUTE *attr = NULL; > int i = 0; > CK_ULONG ktype; > @@ -3520,8 +3461,7 @@ CK_RV ep11tok_unwrap_key(SESSION *session, > CK_MECHANISM_PTR mech, > TRACE_DEVEL(" attribute attrs.type=0x%lx\n", attrs[i].type); > } > > - memset(&op, 0, sizeof(op)); > - op.blob_size = blobsize; > + memset(keyblob, 0, sizeof(keyblob)); > > /*get key type of unwrapped key*/ > CK_ATTRIBUTE_PTR cla_attr = get_attribute_by_type(attrs, attrs_len, > CKA_CLASS); > @@ -3570,20 +3510,15 @@ CK_RV ep11tok_unwrap_key(SESSION *session, > CK_MECHANISM_PTR mech, > rc = m_UnwrapKey(wrapped_key, wrapped_key_len, wrapping_blob, > wrapping_blob_len, NULL, ~0, ep11_pin_blob, > ep11_pin_blob_len, mech, new_attrs, new_attrs_len, > - op.blob, &(op.blob_size), csum, &cslen, > - ep11tok_target); > - > - op.blob_id = ep11_blobs_inc(); > + keyblob, &keyblobsize, csum, &cslen, ep11tok_target); > > if (rc != CKR_OK) { > - TRACE_ERROR("%s m_UnwrapKey rc=0x%lx blob_size=0x%zx " > - "mech=0x%lx ep11_blobs-1=%llx\n", __func__, rc, > - op.blob_size, mech->mechanism, ep11_blobs-1); > + TRACE_ERROR("%s m_UnwrapKey rc=0x%lx blobsize=0x%zx > mech=0x%lx\n", > + __func__, rc, keyblobsize, mech->mechanism); > goto error; > } > - TRACE_INFO("%s m_UnwrapKey rc=0x%lx blob_size=0x%zx mech=0x%lx " > - "ep11_blobs-1=%llx\n", __func__, rc, op.blob_size, > - mech->mechanism, ep11_blobs-1); > + TRACE_INFO("%s m_UnwrapKey rc=0x%lx blobsize=0x%zx mech=0x%lx\n", > + __func__, rc, keyblobsize, mech->mechanism); > > /* card provides length in csum bytes 4 - 7, big endian */ > len = csum[6] + 256*csum[5] + 256*256*csum[4] + 256*256*256*csum[3]; > @@ -3606,7 +3541,7 @@ CK_RV ep11tok_unwrap_key(SESSION *session, > CK_MECHANISM_PTR mech, > goto error; > } > > - rc = build_attribute(CKA_IBM_OPAQUE, (CK_BYTE *) &op, > sizeof(ep11_opaque), &attr); > + rc = build_attribute(CKA_IBM_OPAQUE, keyblob, keyblobsize, &attr); > if (rc != CKR_OK) { > TRACE_ERROR("%s build_attribute failed with rc=0x%lx\n", > __func__, rc); > goto error; > @@ -3652,10 +3587,6 @@ done: > } > > > -/* use ep11 mech list */ > -MECH_LIST_ELEMENT mech_list[] = { }; > -CK_ULONG mech_list_len = (sizeof(mech_list) / sizeof(MECH_LIST_ELEMENT)); > - > /* mechanisms ep11 reports but should be hidden because e.g. > the EP11 card operates in a FIPS mode that forbides the mechanism, > add here other mechanisms if required */ > -- > 1.7.9.5 > > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > Opencryptoki-tech mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech > ------------------------------------------------------------------------------ Monitor Your Dynamic Infrastructure at Any Scale With Datadog! Get real-time metrics from all of your servers, apps and tools in one place. SourceForge users - Click here to start your Free Trial of Datadog now! http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140 _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
