]>
Commit | Line | Data |
---|---|---|
cb394d7c JB |
1 | --- opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c.orig 2011-05-18 00:27:00.000000000 +0200 |
2 | +++ opencryptoki-2.4/usr/lib/pkcs11/aep_stdll/aeptok_api.c 2011-06-19 20:39:06.422327697 +0200 | |
3 | @@ -34,6 +34,12 @@ | |
4 | #include <sys/types.h> | |
5 | #include <sys/stat.h> | |
6 | #include <fcntl.h> | |
7 | +#include <string.h> | |
8 | + | |
9 | +#include "pkcs11types.h" | |
10 | +#include "defs.h" | |
11 | +#include "host_defs.h" | |
12 | +#include "h_extern.h" | |
13 | ||
14 | #include "aeptok_api.h" | |
15 | ||
fb843822 JB |
16 | --- opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c.orig 2013-07-15 19:25:40.000000000 +0200 |
17 | +++ opencryptoki/usr/lib/pkcs11/aep_stdll/aeptok_specific.c 2013-12-30 22:59:58.222059030 +0100 | |
18 | @@ -14,7 +14,6 @@ | |
19 | #include "defs.h" | |
20 | #include "host_defs.h" | |
21 | #include "h_extern.h" | |
22 | -#include "args.h" | |
23 | #include "errno.h" | |
24 | #include "tok_specific.h" | |
25 | ||
26 | @@ -49,13 +48,13 @@ int cryptoki_aep_avail = TRUE; | |
27 | static int max_key_len = 2176; | |
28 | ||
29 | CK_RV | |
30 | -token_specific_session(CK_SLOT_ID slotid) | |
31 | +token_specific_open_session(SESSION *session) | |
32 | { | |
33 | return CKR_OK; | |
34 | } | |
35 | ||
36 | CK_RV | |
37 | -token_rng(CK_BYTE *output, CK_ULONG bytes) | |
38 | +token_specific_rng(CK_BYTE *output, CK_ULONG bytes) | |
39 | { | |
40 | #if 0 | |
41 | int bytes2 = 384; | |
42 | @@ -97,19 +96,19 @@ tok_slot2local(CK_SLOT_ID snum) | |
43 | ||
44 | ||
45 | CK_RV | |
46 | -token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber) | |
47 | +token_specific_init(char * Correlator,CK_SLOT_ID SlotNumber,char * conf_name) | |
48 | { | |
49 | return CKR_OK; | |
50 | } | |
51 | ||
52 | CK_RV | |
53 | -token_specific_final() | |
54 | +token_specific_final(void) | |
55 | { | |
56 | return CKR_OK; | |
57 | } | |
58 | ||
59 | CK_RV | |
60 | -token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len) | |
61 | +token_specific_des_key_gen(CK_BYTE *des_key,CK_ULONG len,CK_ULONG keysize) | |
62 | { | |
63 | ||
64 | // Nothing different to do for DES or TDES here as this is just | |
65 | @@ -127,10 +126,11 @@ token_specific_des_ecb(CK_BYTE * in_data | |
66 | CK_ULONG in_data_len, | |
67 | CK_BYTE *out_data, | |
68 | CK_ULONG *out_data_len, | |
69 | - CK_BYTE *key_value, | |
70 | + OBJECT *key, | |
71 | CK_BYTE encrypt) | |
72 | { | |
73 | CK_ULONG rc; | |
74 | + CK_ATTRIBUTE *attr = NULL; | |
75 | ||
76 | des_key_schedule des_key2; | |
77 | const_des_cblock key_val_SSL, in_key_data; | |
78 | @@ -138,8 +138,14 @@ token_specific_des_ecb(CK_BYTE * in_data | |
79 | int i,j; | |
80 | int ret; | |
81 | ||
82 | + // get the key value | |
83 | + if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
84 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
85 | + return CKR_FUNCTION_FAILED; | |
86 | + } | |
87 | + | |
88 | // Create the key schedule | |
89 | - memcpy(&key_val_SSL, key_value, 8); | |
90 | + memcpy(&key_val_SSL, attr->pValue, 8); | |
91 | des_set_key_unchecked(&key_val_SSL, des_key2); | |
92 | ||
93 | // the des decrypt will only fail if the data length is not | |
94 | @@ -181,11 +187,12 @@ token_specific_des_cbc(CK_BYTE * in_data | |
95 | CK_ULONG in_data_len, | |
96 | CK_BYTE *out_data, | |
97 | CK_ULONG *out_data_len, | |
98 | - CK_BYTE *key_value, | |
99 | + OBJECT *key, | |
100 | CK_BYTE *init_v, | |
101 | CK_BYTE encrypt) | |
102 | { | |
103 | CK_ULONG rc; | |
104 | + CK_ATTRIBUTE *attr = NULL; | |
105 | ||
106 | des_cblock ivec; | |
107 | int ret; | |
108 | @@ -194,8 +201,14 @@ token_specific_des_cbc(CK_BYTE * in_data | |
109 | const_des_cblock key_val_SSL, in_key_data; | |
110 | des_cblock out_key_data; | |
111 | ||
112 | + // get the key value | |
113 | + if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
114 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
115 | + return CKR_FUNCTION_FAILED; | |
116 | + } | |
117 | + | |
118 | // Create the key schedule | |
119 | - memcpy(&key_val_SSL, key_value, 8); | |
120 | + memcpy(&key_val_SSL, attr->pValue, 8); | |
121 | des_set_key_unchecked(&key_val_SSL, des_key2); | |
122 | ||
123 | memcpy(&ivec, init_v, 8); | |
124 | @@ -225,10 +238,13 @@ token_specific_tdes_ecb(CK_BYTE * in_dat | |
125 | CK_ULONG in_data_len, | |
126 | CK_BYTE *out_data, | |
127 | CK_ULONG *out_data_len, | |
128 | - CK_BYTE *key_value, | |
129 | + OBJECT *key, | |
130 | CK_BYTE encrypt) | |
131 | { | |
132 | CK_RV rc; | |
133 | + CK_ATTRIBUTE *attr = NULL; | |
134 | + CK_KEY_TYPE keytype; | |
135 | + CK_BYTE key_value[3*DES_KEY_SIZE]; | |
136 | ||
137 | int k,j, ret; | |
138 | des_cblock out_temp; | |
139 | @@ -239,6 +255,25 @@ token_specific_tdes_ecb(CK_BYTE * in_dat | |
140 | const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data; | |
141 | des_cblock out_key_data; | |
142 | ||
143 | + // get the key type | |
144 | + rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); | |
145 | + if (rc == FALSE) { | |
146 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
147 | + return CKR_FUNCTION_FAILED; | |
148 | + } | |
149 | + keytype = *(CK_KEY_TYPE *)attr->pValue; | |
150 | + | |
151 | + // get the key value | |
152 | + if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
153 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
154 | + return CKR_FUNCTION_FAILED; | |
155 | + } | |
156 | + if (keytype == CKK_DES2) { | |
157 | + memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); | |
158 | + memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); | |
159 | + } else | |
160 | + memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); | |
161 | + | |
162 | // The key as passed is a 24 byte long string containing three des keys | |
163 | // pick them apart and create the 3 corresponding key schedules | |
164 | memcpy(&key_SSL1, key_value, 8); | |
165 | @@ -291,12 +326,16 @@ token_specific_tdes_cbc(CK_BYTE * in_dat | |
166 | CK_ULONG in_data_len, | |
167 | CK_BYTE *out_data, | |
168 | CK_ULONG *out_data_len, | |
169 | - CK_BYTE *key_value, | |
170 | + OBJECT *key, | |
171 | CK_BYTE *init_v, | |
172 | CK_BYTE encrypt) | |
173 | { | |
174 | ||
175 | CK_RV rc = CKR_OK; | |
176 | + CK_ATTRIBUTE *attr = NULL; | |
177 | + CK_KEY_TYPE keytype; | |
178 | + CK_BYTE key_value[3*DES_KEY_SIZE]; | |
179 | + | |
180 | des_key_schedule des_key1; | |
181 | des_key_schedule des_key2; | |
182 | des_key_schedule des_key3; | |
183 | @@ -304,6 +343,25 @@ token_specific_tdes_cbc(CK_BYTE * in_dat | |
184 | const_des_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data; | |
185 | des_cblock ivec; | |
186 | ||
187 | + // get the key type | |
188 | + rc = template_attribute_find(key->template, CKA_KEY_TYPE, &attr); | |
189 | + if (rc == FALSE) { | |
190 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
191 | + return CKR_FUNCTION_FAILED; | |
192 | + } | |
193 | + keytype = *(CK_KEY_TYPE *)attr->pValue; | |
194 | + | |
195 | + // get the key value | |
196 | + if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
197 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
198 | + return CKR_FUNCTION_FAILED; | |
199 | + } | |
200 | + if (keytype == CKK_DES2) { | |
201 | + memcpy(key_value, attr->pValue, 2*DES_KEY_SIZE); | |
202 | + memcpy(key_value + (2*DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE); | |
203 | + } else | |
204 | + memcpy(key_value, attr->pValue, 3*DES_KEY_SIZE); | |
205 | + | |
206 | // The key as passed in is a 24 byte string containing 3 keys | |
207 | // pick it apart and create the key schedules | |
208 | memcpy(&key_SSL1, key_value, 8); | |
209 | @@ -829,12 +887,18 @@ CK_RV | |
210 | token_specific_rsa_encrypt( CK_BYTE * in_data, | |
211 | CK_ULONG in_data_len, | |
212 | CK_BYTE * out_data, | |
213 | + CK_ULONG * out_data_len, | |
214 | OBJECT * key_obj ) | |
215 | { | |
216 | CK_RV rc; | |
217 | RSA *rsa; | |
218 | int mLen; | |
219 | ||
220 | + if (in_data_len > *out_data_len) { | |
221 | + OCK_LOG_DEBUG("CKR_DATA_LEN_RANGE\n"); | |
222 | + return CKR_DATA_LEN_RANGE; | |
223 | + } | |
224 | + | |
225 | // Convert the local representation to an RSA representation | |
226 | rsa = (RSA *)rsa_convert_public_key(key_obj, &mLen); | |
227 | if (rsa==NULL) { | |
228 | @@ -862,6 +926,7 @@ token_specific_rsa_encrypt( CK_BYTE * | |
229 | } | |
230 | ||
231 | if (rc != 0) { | |
232 | + *out_data_len = in_data_len; | |
233 | rc = CKR_OK; | |
234 | } else { | |
235 | OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
236 | @@ -879,12 +944,18 @@ CK_RV | |
237 | token_specific_rsa_decrypt( CK_BYTE * in_data, | |
238 | CK_ULONG in_data_len, | |
239 | CK_BYTE * out_data, | |
240 | + CK_ULONG * out_data_len, | |
241 | OBJECT * key_obj ) | |
242 | { | |
243 | CK_RV rc; | |
244 | RSA *rsa; | |
245 | int mLen; | |
246 | ||
247 | + if (*out_data_len < in_data_len) { | |
248 | + OCK_LOG_ERR(ERR_BUFFER_TOO_SMALL); | |
249 | + return CKR_BUFFER_TOO_SMALL; | |
250 | + } | |
251 | + | |
252 | // Convert the local key representation to an RSA key representaion | |
253 | rsa = (RSA *)rsa_convert_private_key(key_obj, &mLen); | |
254 | if (rsa == NULL) { | |
255 | @@ -910,6 +981,7 @@ token_specific_rsa_decrypt( CK_BYTE * | |
256 | rsa, RSA_NO_PADDING); | |
257 | } | |
258 | if (rc != 0) { | |
259 | + *out_data_len = in_data_len; | |
260 | rc = CKR_OK; | |
261 | } else { | |
262 | OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
263 | @@ -925,7 +997,7 @@ token_specific_rsa_decrypt( CK_BYTE * | |
264 | #ifndef NOAES | |
265 | ||
266 | CK_RV | |
267 | -token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len ) | |
268 | +token_specific_aes_key_gen( CK_BYTE *key, CK_ULONG len, CK_ULONG keysize ) | |
269 | { | |
270 | return rng_generate(key, len); | |
271 | } | |
272 | @@ -935,22 +1007,28 @@ token_specific_aes_ecb( CK_BYTE | |
273 | CK_ULONG in_data_len, | |
274 | CK_BYTE *out_data, | |
275 | CK_ULONG *out_data_len, | |
276 | - CK_BYTE *key_value, | |
277 | - CK_ULONG key_len, | |
278 | + OBJECT *key, | |
279 | CK_BYTE encrypt) | |
280 | { | |
281 | + CK_ATTRIBUTE *attr = NULL; | |
282 | AES_KEY ssl_aes_key; | |
283 | int i; | |
284 | /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0, | |
285 | * so this is fine */ | |
286 | CK_ULONG loops = (CK_ULONG)(in_data_len/AES_BLOCK_SIZE); | |
287 | ||
288 | + // get the key value | |
289 | + if (template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
290 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
291 | + return CKR_FUNCTION_FAILED; | |
292 | + } | |
293 | + | |
294 | memset( &ssl_aes_key, 0, sizeof(AES_KEY)); | |
295 | ||
296 | // AES_ecb_encrypt encrypts only a single block, so we have to break up the | |
297 | // input data here | |
298 | if (encrypt) { | |
299 | - AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); | |
300 | + AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); | |
301 | for( i=0; i<loops; i++ ) { | |
302 | AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE), | |
303 | (unsigned char *)out_data + (i*AES_BLOCK_SIZE), | |
304 | @@ -958,7 +1036,7 @@ token_specific_aes_ecb( CK_BYTE | |
305 | AES_ENCRYPT); | |
306 | } | |
307 | } else { | |
308 | - AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); | |
309 | + AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); | |
310 | for( i=0; i<loops; i++ ) { | |
311 | AES_ecb_encrypt((unsigned char *)in_data + (i*AES_BLOCK_SIZE), | |
312 | (unsigned char *)out_data + (i*AES_BLOCK_SIZE), | |
313 | @@ -976,25 +1054,31 @@ token_specific_aes_cbc( CK_BYTE | |
314 | CK_ULONG in_data_len, | |
315 | CK_BYTE *out_data, | |
316 | CK_ULONG *out_data_len, | |
317 | - CK_BYTE *key_value, | |
318 | - CK_ULONG key_len, | |
319 | + OBJECT *key, | |
320 | CK_BYTE *init_v, | |
321 | CK_BYTE encrypt) | |
322 | { | |
323 | AES_KEY ssl_aes_key; | |
324 | + CK_ATTRIBUTE *attr = NULL; | |
325 | int i; | |
326 | ||
327 | + // get the key value | |
328 | + if(template_attribute_find(key->template, CKA_VALUE, &attr) == FALSE) { | |
329 | + OCK_LOG_ERR(ERR_FUNCTION_FAILED); | |
330 | + return CKR_FUNCTION_FAILED; | |
331 | + } | |
332 | + | |
333 | memset( &ssl_aes_key, 0, sizeof(AES_KEY)); | |
334 | ||
335 | // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike | |
336 | // AES_ecb_encrypt, so no looping required. | |
337 | if (encrypt) { | |
338 | - AES_set_encrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); | |
339 | + AES_set_encrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); | |
340 | AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, | |
341 | in_data_len, &ssl_aes_key, | |
342 | init_v, AES_ENCRYPT); | |
343 | } else { | |
344 | - AES_set_decrypt_key((unsigned char *)key_value, (key_len*8), &ssl_aes_key); | |
345 | + AES_set_decrypt_key((unsigned char *)attr->pValue, (attr->ulValueLen*8), &ssl_aes_key); | |
346 | AES_cbc_encrypt((unsigned char *)in_data, (unsigned char *)out_data, | |
347 | in_data_len, &ssl_aes_key, | |
348 | init_v, AES_DECRYPT); | |
349 | --- opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h.orig 2013-07-15 19:25:40.000000000 +0200 | |
350 | +++ opencryptoki/usr/lib/pkcs11/aep_stdll/tok_struct.h 2013-12-30 23:06:15.798709893 +0100 | |
351 | @@ -310,26 +310,91 @@ | |
352 | token_spec_t token_specific = { | |
353 | AEP_CONFIG_PATH, | |
354 | "aep", | |
355 | - "AEP_STDLL_Debug", | |
356 | + 0, | |
357 | + { | |
358 | + FALSE, | |
359 | + FALSE, | |
360 | + CKM_DES3_CBC, | |
361 | + "12345678", | |
362 | + "10293847" | |
363 | + }, | |
364 | + NULL, /* creatlock */ | |
365 | + NULL, /* attach_shm */ | |
366 | &token_specific_init, | |
367 | + NULL, /* init_token_data */ | |
368 | + NULL, /* load_token_data */ | |
369 | + NULL, /* save_token_data */ | |
370 | &tok_slot2local, | |
371 | - &token_rng, | |
372 | - &token_specific_session, | |
373 | + &token_specific_rng, | |
374 | + &token_specific_open_session, | |
375 | + NULL, /* close_session */ | |
376 | &token_specific_final, | |
377 | + NULL, /* init_token */ | |
378 | + NULL, /* login */ | |
379 | + NULL, /* logout */ | |
380 | + NULL, /* init_pin */ | |
381 | + NULL, /* set_pin */ | |
382 | + NULL, /* copy object */ | |
383 | + NULL, /* create_object */ | |
384 | + NULL, /* get_attribute_value */ | |
385 | + NULL, /* set_attribute_value */ | |
386 | + NULL, /* find_objects_init */ | |
387 | + NULL, /* destroy_object */ | |
388 | + NULL, /* generate_key */ | |
389 | + NULL, /* generate_key_pair */ | |
390 | + NULL, /* encrypt_init */ | |
391 | + NULL, /* encrypt */ | |
392 | + NULL, /* encrypt_update */ | |
393 | + NULL, /* encrypt_final */ | |
394 | + NULL, /* decrypt_init */ | |
395 | + NULL, /* decrypt */ | |
396 | + NULL, /* decrypt_update */ | |
397 | + NULL, /* decrypt_final */ | |
398 | + NULL, /* derive_key */ | |
399 | + NULL, /* wrap_key */ | |
400 | + NULL, /* unwrap_key */ | |
401 | + NULL, /* sign_init */ | |
402 | + NULL, /* sign */ | |
403 | + NULL, /* sign_update */ | |
404 | + NULL, /* sign_final */ | |
405 | + NULL, /* verify_init */ | |
406 | + NULL, /* verify */ | |
407 | + NULL, /* verify_update */ | |
408 | + NULL, /* verify_final */ | |
409 | + | |
410 | &token_specific_des_key_gen, | |
411 | &token_specific_des_ecb, | |
412 | &token_specific_des_cbc, | |
413 | ||
414 | &token_specific_tdes_ecb, | |
415 | &token_specific_tdes_cbc, | |
416 | - | |
417 | + NULL, /* tdes_ofb */ | |
418 | + NULL, /* tdes_cfb */ | |
419 | + NULL, /* tdes_mac */ | |
420 | ||
421 | &token_specific_rsa_decrypt, | |
422 | &token_specific_rsa_encrypt, | |
423 | + NULL, /* rsa_sign */ | |
424 | + NULL, /* rsa_verify */ | |
425 | + NULL, /* rsa_verify_recover */ | |
426 | + NULL, /* rsa_x509_decrypt */ | |
427 | + NULL, /* rsa_x509_encrypt */ | |
428 | + NULL, /* rsa_x509_sign */ | |
429 | + NULL, /* rsa_x509_verify */ | |
430 | + NULL, /* rsa_x509_verify_recover */ | |
431 | &token_specific_rsa_generate_keypair, | |
432 | + | |
433 | + NULL, /* ec_sign */ | |
434 | + NULL, /* ec_verify */ | |
435 | + NULL, /* ec_generate_keypair */ | |
436 | // DH | |
437 | +#ifndef NODH | |
438 | &token_specific_dh_pkcs_derive, | |
439 | &token_specific_dh_pkcs_key_pair_gen, | |
440 | +#else | |
441 | + NULL, | |
442 | + NULL, | |
443 | +#endif | |
444 | // SHA1 | |
445 | NULL, | |
446 | NULL, | |
447 | @@ -346,15 +411,29 @@ token_spec_t token_specific = { | |
448 | NULL, | |
449 | NULL, | |
450 | NULL, | |
451 | -#ifndef NOAES | |
452 | // AES | |
453 | +#ifndef NOAES | |
454 | &token_specific_aes_key_gen, | |
455 | &token_specific_aes_ecb, | |
456 | &token_specific_aes_cbc, | |
457 | +#else | |
458 | + NULL, | |
459 | + NULL, | |
460 | NULL, | |
461 | #endif | |
462 | + NULL, | |
463 | + | |
464 | + NULL, /* t_aes_ofb */ | |
465 | + NULL, /* t_aes_cfb */ | |
466 | + NULL, /* t_aes_mac */ | |
467 | + | |
468 | + NULL, /* dsa_generate_keypair */ | |
469 | + NULL, /* dsa_sign */ | |
470 | + NULL, /* dsa_verify */ | |
471 | + | |
472 | &token_specific_get_mechanism_list, | |
473 | - &token_specific_get_mechanism_info | |
474 | + &token_specific_get_mechanism_info, | |
475 | + NULL /* object_add */ | |
476 | }; | |
477 | ||
478 | #endif |