Hello community, here is the log from the commit of package coolkey for openSUSE:Factory checked in at 2017-07-28 09:48:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/coolkey (Old) and /work/SRC/openSUSE:Factory/.coolkey.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "coolkey" Fri Jul 28 09:48:01 2017 rev:22 rq:512692 version:1.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/coolkey/coolkey.changes 2016-11-28 15:07:21.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.coolkey.new/coolkey.changes 2017-07-28 09:48:06.384345205 +0200 
@@ -1,0 +2,34 @@
+Mon Jul 24 23:02:16 UTC 2017 - [email protected]
+
+- Remove vision statement and development methods from description.
+
+-------------------------------------------------------------------
+Fri Jul 21 14:00:08 CEST 2017 - [email protected]
+
+- Add nssdb installation scripts.
+- Run spec-cleaner.
+- Drop coolkey-1.1.0-evoandooo.patch: The patch does nothing now.
+ Evolution and LibreOffice changed over time. They moved its
+ directories and they don't use secmod.db any more.
+
+-------------------------------------------------------------------
+Mon Jul 17 20:55:48 CEST 2017 - [email protected]
+
+- Integrate latest Centos 7 patches [bsc#1049213]
+ (coolkey-fix-token-removal-failure.patch,
+ coolkey-piv-ecc-el7.patch, coolkey-1.1.0-noapplet.patch,
+ coolkey-1.1.0-fix-spurious-event.patch,
+ coolkey-1.1.0-p15.patch, coolkey-1.1.0-p15-coverity.patch,
+ coolkey-1.1.0-more-keys.patch,
+ coolkey-1.1.0-fail-on-bad-mechanisms.patch,
+ coolkey-1.1.0-max-cpu-bug.patch,
+ coolkey-1.1.0-rhel7-alt-cac.patch).
+ * PK15 support.
+ * Fix CAC card support.
+ * Fix card removal issues.
+- Use original tarball
+ (coolkey-1.1.0.tar.bz2 -> coolkey-1.1.0.tar.gz).
+- Drop patch coolkey-null.patch. It is now part of
+ coolkey-piv-ecc-el7.patch.
+ +------------------------------------------------------------------- Old: ---- coolkey-1.1.0-evoandooo.patch coolkey-1.1.0.tar.bz2 coolkey-null.patch coolkey-rpmlintrc New: ---- coolkey-1.1.0-fail-on-bad-mechanisms.patch coolkey-1.1.0-fix-spurious-event.patch coolkey-1.1.0-max-cpu-bug.patch coolkey-1.1.0-more-keys.patch coolkey-1.1.0-noapplet.patch coolkey-1.1.0-p15-coverity.patch coolkey-1.1.0-p15.patch coolkey-1.1.0-rhel7-alt-cac.patch coolkey-1.1.0.tar.gz coolkey-fix-token-removal-failure.patch coolkey-piv-ecc-el7.patch coolkey.rpmlintrc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ coolkey.spec ++++++ --- /var/tmp/diff_new_pack.5zmlSC/_old 2017-07-28 09:48:07.060249997 +0200 +++ /var/tmp/diff_new_pack.5zmlSC/_new 2017-07-28 09:48:07.064249434 +0200 @@ -1,7 +1,7 @@ # # spec file for package coolkey # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,6 +16,8 @@ # +%define coolkey_module "CoolKey PKCS #11 Module" +%define nssdb %{_sysconfdir}/pki/nssdb Name: coolkey Version: 1.1.0 Release: 0 
@@ -23,10 +25,12 @@ License: LGPL-2.1 Group: Productivity/Security Url: http://directory.fedoraproject.org/wiki/CoolKey -Source: %{name}-%{version}.tar.bz2 -Source1: %{name}-rpmlintrc +Source: %{name}-%{version}.tar.gz +Source1: %{name}.rpmlintrc Source2: baselibs.conf -# Patches imported from Fedora: +# Patches imported from Fedora and CentOS: +# PATCH-FIX-SECURITY coolkey-cache-dir-move.patch [email protected] bnc304180 CVE-2007-4129 -- Fix file and directory permission flaw. +Patch1: coolkey-cache-dir-move.patch # PATCH-FIX-FEDORA coolkey-gcc43.patch bnc661643 [email protected] -- Fix for gcc-4.3. Patch2: coolkey-gcc43.patch # PATCH-FEATURE-FEDORA coolkey-latest.patch bnc661643 [email protected] -- The head branch patch. 
@@ -41,19 +45,23 @@ Patch7: coolkey-cac-1.patch # PATCH-FIX-FEDORA coolkey-pcsc-lite-fix.patch bnc661643 [email protected] -- Port to the latest pcsc-lite. Patch8: coolkey-pcsc-lite-fix.patch -# SUSE specific patches: -# PATCH-FEATURE-SLES coolkey-1.1.0-evoandooo.patch [email protected] -- Teach pk11install about evolution and openoffice. -Patch53: coolkey-1.1.0-evoandooo.patch -# PATCH-FIX-SECURITY coolkey-cache-dir-move.patch [email protected] bnc304180 CVE-2007-4129 -- Fix file and directory permission flaw. -Patch54: coolkey-cache-dir-move.patch -# PATCH-FIX-UPSTREAM coolkey-null.patch redhat356971 [email protected] -- Fix invalid NULL declaration. -Patch55: coolkey-null.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build +Patch9: coolkey-fix-token-removal-failure.patch +Patch10: coolkey-piv-ecc-el7.patch +Patch20: coolkey-1.1.0-noapplet.patch +Patch21: coolkey-1.1.0-fix-spurious-event.patch +Patch22: coolkey-1.1.0-p15.patch +Patch23: coolkey-1.1.0-p15-coverity.patch +Patch24: coolkey-1.1.0-more-keys.patch +Patch25: coolkey-1.1.0-fail-on-bad-mechanisms.patch +Patch26: coolkey-1.1.0-max-cpu-bug.patch +Patch27: coolkey-1.1.0-rhel7-alt-cac.patch BuildRequires: gcc-c++ BuildRequires: libtool BuildRequires: mozilla-nss-devel +BuildRequires: mozilla-nss-sysinit +BuildRequires: mozilla-nss-tools BuildRequires: pcsc-lite-devel -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: zlib-devel #Requires: pcsc-lite # Requires: ifd-egate 
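Review bot: The new entries `Patch9:` through `Patch27:` carry no origin comment, unlike every other patch in this list, so the spec does not record where each one comes from or which bug it addresses. The changelog ties them to CentOS 7 and bsc#1049213; a line in the form already used here, for example `# PATCH-FIX-<ORIGIN> coolkey-1.1.0-fail-on-bad-mechanisms.patch bsc#1049213 -- Reject mechanisms that do not match the key type.`, above each entry would keep that next to the patch. This matters most for the entries that change input validation, which are otherwise indistinguishable from feature patches.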
@@ -71,14 +79,8 @@ unique for that user by the Red Hat Certificate System. Once the CoolKey is provisioned, the user can take the key to any system and use it to login (authenticate), send and receive signed and encrypted -email, or participate in secure messaging or IRC communication. Using a -CoolKey should be as easy as starting a car. To accomplish that vision, -we are focusing on building complete support for CoolKey on exactly one -token. As the system is built out, we can add token support. CoolKeys -are based on JavaCard 1.2. We are testing with Axalto Egate Cyberflex -cards, which are available in both smart card and USB Fob form factors. - - +email, or participate in secure messaging or IRC communication. +CoolKeys are based on JavaCard 1.2. %package devel Summary: CoolKey and CAC PKCS #11 PKI Module for Smart Cards @@ -97,18 +99,13 @@ Once the CoolKey is provisioned, the user can take the key to any system and use it to login (authenticate), send and receive signed and encrypted email, or participate in secure messaging or IRC -communication. Using a CoolKey should be as easy as starting a car. - -To accomplish that vision we are focusing on building complete support -for CoolKey on exactly one token. As the system is built out, we can -add token support. CoolKeys are based on JavaCard 1.2. We are testing -with Axalto Egate Cyberflex cards, which are available in both smart -card and USB Fob form factors. - +communication. +CoolKeys are based on JavaCard 1.2. %prep %setup -q +%patch1 %patch2 %patch3 %patch4 
@@ -116,29 +113,64 @@ %patch6 %patch7 %patch8 -%patch53 -p1 -%patch54 -%patch55 +%patch9 -p1 +%patch10 +%patch20 +%patch21 +%patch22 +%patch23 +%patch24 +%patch25 +%patch26 +%patch27 %build autoreconf -f -i -export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" -export CXXFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" +export CFLAGS="%{optflags} -fno-strict-aliasing" +export CXXFLAGS="%{optflags} -fno-strict-aliasing" %configure\ - --disable-dependency-tracking \ + --with-debug\ + --disable-dependency-tracking\ --enable-pk11install make %{?_smp_mflags} %install -%makeinstall -ln -s pkcs11/libcoolkeypk11.so $RPM_BUILD_ROOT/%{_libdir} - -%post -p /sbin/ldconfig +%make_install +ln -s pkcs11/libcoolkeypk11.so %{buildroot}/%{_libdir} -%postun -p /sbin/ldconfig +%triggerin -- mozilla-nss-sysinit mozilla-nss-tools +if [ -x %{_bindir}/pk11install -a -x %{_bindir}/modutil -a -f %{_sysconfdir}/pki/nssdb/pkcs11.txt ]; then + isThere=`modutil -rawlist -dbdir dbm:%{nssdb} | grep %{coolkey_module} || echo NO` + if [ "$isThere" == "NO" ]; then + pk11install -l -p %{nssdb} 'name=%{coolkey_module} library=libcoolkeypk11.so' ||: + fi + isThere=`modutil -rawlist -dbdir sql:%{nssdb} | grep %{coolkey_module} || echo NO` + if [ "$isThere" == "NO" ]; then + pk11install -s -p %{nssdb} 'name=%{coolkey_module} library=libcoolkeypk11.so' ||: + fi +fi + +%post +/sbin/ldconfig +if [ -x %{_bindir}/pk11install -a -x %{_bindir}/modutil -a -f %{_sysconfdir}/pki/nssdb/pkcs11.txt ]; then + isThere=`modutil -rawlist -dbdir dbm:%{nssdb} | grep %{coolkey_module} || echo NO` + if [ "$isThere" == "NO" ]; then + pk11install -l -p %{nssdb} 'name=%{coolkey_module} library=libcoolkeypk11.so' ||: + fi + isThere=`modutil -rawlist -dbdir sql:%{nssdb} | grep %{coolkey_module} || echo NO` + if [ "$isThere" == "NO" ]; then + pk11install -s -p %{nssdb} 'name=%{coolkey_module} library=libcoolkeypk11.so' ||: + fi +fi + +%postun +/sbin/ldconfig +if [ $1 -eq 0 -a -x %{_bindir}/modutil -a -f 
%{_sysconfdir}/pki/nssdb/pkcs11.txt ]; then + modutil -delete %{coolkey_module} -dbdir dbm:%{nssdb} -force || : + modutil -delete %{coolkey_module} -dbdir sql:%{nssdb} -force || : +fi %files -%defattr(-,root,root) %doc ChangeLog LICENSE README %{_bindir}/pk11install %{_libdir}/libcoolkeypk11.so @@ -148,7 +180,6 @@ %dir %{_libdir}/pkcs11 %files devel -%defattr(-,root,root) %{_libdir}/libckyapplet.so %{_libdir}/pkgconfig/*.pc %{_includedir}/*.h ++++++ coolkey-1.1.0-fail-on-bad-mechanisms.patch ++++++ diff -up ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms ./src/coolkey/coolkey.cpp --- ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms 2016-06-16 14:36:05.934755563 -0700 +++ ./src/coolkey/coolkey.cpp 2016-06-16 14:36:05.945755372 -0700 @@ -77,7 +77,8 @@ rsaMechanismList[] = { static const MechInfo ecMechanismList[] = { - {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDSA_SHA1, {256, 521, CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} } + {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}}, + {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} } }; unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo); diff -up ./src/coolkey/slot.cpp.fail-on-bad-mechanisms ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.fail-on-bad-mechanisms 2016-06-16 14:36:05.943755407 -0700 +++ ./src/coolkey/slot.cpp 2016-06-16 15:07:40.255882660 -0700 
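Review bot: The `%triggerin`, `%post` and `%postun` scriptlets test `-x %{_bindir}/modutil` and `-x %{_bindir}/pk11install` but then run the bare names `modutil` and `pk11install`, so the binary that was checked is not necessarily the one root executes; call them by the checked path, e.g. `%{_bindir}/modutil -rawlist -dbdir sql:%{nssdb}`. The guard also spells out `%{_sysconfdir}/pki/nssdb/pkcs11.txt` although `%{nssdb}` is defined for that directory; `-f %{nssdb}/pkcs11.txt` keeps the two from drifting apart. Separately, `--with-debug` is now passed to `%configure` for the shipped build; what that option enables in a PKCS #11 module should be confirmed and noted in a comment before releasing with it.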
@@ -4185,11 +4185,30 @@ Slot::signInit(SessionHandleSuffix suffi { refreshTokenState(); SessionIter session = findSession(suffix); + PKCS11Object *key = getKeyFromHandle(hKey); if( session == sessions.end() ) { throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID); } + if (pMechanism == NULL) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS: + if (key->getKeyType() != Key::rsa) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + case CKM_ECDSA: + if (key->getKeyType() != Key::ecc) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } - session->signatureState.initialize(getKeyFromHandle(hKey)); + session->signatureState.initialize(key); } void @@ -4198,11 +4217,24 @@ Slot::decryptInit(SessionHandleSuffix su { refreshTokenState(); SessionIter session = findSession(suffix); + PKCS11Object *key = getKeyFromHandle(hKey); if( session == sessions.end() ) { throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID); } + if (pMechanism == NULL) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS: + if (key->getKeyType() != Key::rsa) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } - session->decryptionState.initialize(getKeyFromHandle(hKey)); + session->decryptionState.initialize(key); } /** 
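Review bot: `getKeyFromHandle(hKey)` now runs before the `session == sessions.end()` test in `signInit`, and its result is dereferenced by `key->getKeyType()` with no null check. Whether `getKeyFromHandle` can return NULL is not visible here; if it can, add `if (key == NULL) { throw PKCS11Exception(CKR_KEY_HANDLE_INVALID); }` before the `switch`. Doing the lookup after the session check would also keep an invalid session reported as `CKR_SESSION_HANDLE_INVALID` rather than as whatever the key lookup raises. The same ordering and dereference appear in the `decryptInit` hunk and in the `derive` hunk at -5008; all three function bodies start outside their hunks.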
@@ -5008,8 +5040,23 @@ Slot::derive(SessionHandleSuffix suffix, ECCKeyAgreementParams params(CryptParams::ECC_DEFAULT_KEY_SIZE); SessionIter session = findSession(suffix); + PKCS11Object *key=getKeyFromHandle(hBaseKey); - session->keyAgreementState.initialize(getKeyFromHandle(hBaseKey)); + if (pMechanism == NULL ) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + + switch (pMechanism->mechanism) { + case CKM_ECDH1_DERIVE: + if (key->getKeyType() != Key::ecc) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } + + session->keyAgreementState.initialize(key); deriveECC(suffix, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey, params); @@ -5018,9 +5065,6 @@ Slot::derive(SessionHandleSuffix suffix, void Slot::deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params) { - if (pMechanism == NULL ) { - throw PKCS11Exception(CKR_ARGUMENTS_BAD); - } CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; ++++++ coolkey-1.1.0-fix-spurious-event.patch ++++++ diff -up ./src/coolkey/slot.cpp.fix-spurious ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.fix-spurious 2014-09-26 15:31:17.277958895 -0700 +++ ./src/coolkey/slot.cpp 2014-09-26 15:34:33.218313227 -0700 
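Review bot: `derive` reaches `session->keyAgreementState.initialize(key)` without the `session == sessions.end()` test that `signInit` and `decryptInit` apply to the result of `findSession(suffix)`. Those two functions treat `sessions.end()` as a possible return value, so an unknown session suffix would presumably dereference the end iterator here. Add `if (session == sessions.end()) { throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID); }` directly after the lookup, before the new mechanism checks. The start of `derive` is outside the hunk.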
@@ -1412,6 +1412,7 @@ SlotList::waitForSlotEvent(CK_FLAGS flag #endif } while ((status == CKYSUCCESS) || (CKYCardContext_GetLastError(context) == SCARD_E_TIMEOUT) || + (CKYCardContext_GetLastError(context) == SCARD_E_UNKNOWN_READER) || (CKYCardContext_GetLastError(context) == SCARD_E_READER_UNAVAILABLE) || (CKYCardContext_GetLastError(context) == SCARD_E_NO_SERVICE) || (CKYCardContext_GetLastError(context) == SCARD_E_SERVICE_STOPPED) ); ++++++ coolkey-1.1.0-max-cpu-bug.patch ++++++ diff -up ./src/coolkey/slot.cpp.max-cpu-bug ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.max-cpu-bug 2016-06-30 14:36:10.502785885 -0700 +++ ./src/coolkey/slot.cpp 2016-06-30 14:36:15.812876256 -0700 @@ -1875,6 +1875,8 @@ SlotList::waitForSlotEvent(CK_FLAGS flag if (status != CKYSUCCESS) { if ((CKYCardContext_GetLastError(context) == SCARD_E_READER_UNAVAILABLE) || + (CKYCardContext_GetLastError(context) == + SCARD_E_UNKNOWN_READER) || (CKYCardContext_GetLastError(context) == SCARD_E_TIMEOUT)) { OSSleep(timeout*PKCS11_CARD_ERROR_LATENCY); } ++++++ coolkey-1.1.0-more-keys.patch ++++++ diff -up ./src/coolkey/slot.cpp.more_keys ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.more_keys 2016-06-16 11:50:01.027432856 -0700 +++ ./src/coolkey/slot.cpp 2016-06-16 11:50:13.267224824 -0700 @@ -32,7 +32,8 @@ #define MIN(x, y) ((x) < (y) ? (x) : (y)) - +#define MAX_NUM_KEYS 32 +#define MAX_NUM_CERTS 32 #ifdef DEBUG #define PRINTF(args) printf args @@ -3458,7 +3459,7 @@ Slot::loadObjects() } else if( type == 'c' ) { // cert attribute object. find the DER encoding unsigned short certnum = getObjectIndex(iter->obj.objectID); - if( certnum > 9 ) { + if( certnum > MAX_NUM_CERTS ) { //invalid object id throw PKCS11Exception(CKR_DEVICE_ERROR, "Invalid object id %08x",iter->obj.objectID); 
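Review bot: The new bound `certnum > MAX_NUM_CERTS` in `loadObjects` still accepts an index of 32, one more than a maximum count of 32 suggests (indices 0 to 31). If anything downstream is sized or masked by `MAX_NUM_CERTS`, the test should read `if( certnum >= MAX_NUM_CERTS ) {`; the old `> 9` was exact only because the index was a single decimal digit. The same comparison is used for `keyNum > MAX_NUM_KEYS` in `objectToKeyNum` in the next hunk. How the index is consumed is outside these hunks, so this should be confirmed against its users.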
@@ -4154,7 +4155,7 @@ Slot::objectToKeyNum(const PKCS11Object throw PKCS11Exception(CKR_KEY_HANDLE_INVALID); } unsigned short keyNum = getObjectIndex(id); - if( keyNum > 9 ) { + if( keyNum > MAX_NUM_KEYS ) { throw PKCS11Exception(CKR_KEY_HANDLE_INVALID); } return keyNum & 0xFF; @@ -4911,7 +4912,6 @@ Slot::generateRandom(SessionHandleSuffix } } -#define MAX_NUM_KEYS 8 unsigned int Slot::getRSAKeySize(PKCS11Object *key) { diff -up ./src/coolkey/slot.h.more_keys ./src/coolkey/slot.h --- ./src/coolkey/slot.h.more_keys 2016-06-16 11:50:08.627303984 -0700 +++ ./src/coolkey/slot.h 2016-06-16 11:54:08.872153180 -0700 @@ -512,7 +512,17 @@ class Slot { return (char) (objectID >> 24) & 0xff; } unsigned short getObjectIndex(unsigned long objectID) const { - return (char )((objectID >> 16) & 0xff) - '0'; + char char_index = (char) ((objectID >> 16) & 0xff); + if (char_index >= '0' && char_index <= '9') { + return char_index - '0'; + } + if (char_index >= 'A' && char_index <= 'Z') { + return char_index - 'A' + 10; + } + if (char_index >= 'a' && char_index <= 'z') { + return char_index - 'a' + 26 + 10; + } + return 0x0100 + char_index; } // actually get the size of a key in bits from the card ++++++ coolkey-1.1.0-noapplet.patch ++++++ diff -up ./src/coolkey/slot.cpp.noapplet ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.noapplet 2013-09-30 14:30:40.069595018 -0700 +++ ./src/coolkey/slot.cpp 2013-09-30 14:31:27.488595000 -0700 
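Review bot: `getObjectIndex` in slot.h now has four return paths and no comment describing the encoding or the error value. A short comment above it should state that '0' to '9' map to 0 to 9, 'A' to 'Z' to 10 to 35, 'a' to 'z' to 36 to 61, and that any other byte yields `0x0100 + char_index`, which callers are expected to reject through their `MAX_NUM_KEYS` / `MAX_NUM_CERTS` comparison. `char_index` is a plain `char`, whose signedness is implementation-defined, so bytes of 0x80 and above produce different sentinel values on different targets; `unsigned char char_index = (unsigned char)((objectID >> 16) & 0xff);` makes the result the same everywhere.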
@@ -762,13 +762,7 @@ Slot::connectToToken() CKYCardConnection_GetLastError(conn)); disconnect(); } - /* CARD is a PIV card */ - state |= PIV_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED; - isVersion1Key = 0; - needLogin = 1; - mCoolkey = 0; - mOldCAC = 0; - mCACLocalLogin = getPIVLoginType(); + /* CARD is unknown */ return; } state |= CAC_CARD | APPLET_SELECTABLE | APPLET_PERSONALIZED; ++++++ coolkey-1.1.0-p15-coverity.patch ++++++ diff -up ./src/coolkey/object.cpp.p15-coverity ./src/coolkey/object.cpp --- ./src/coolkey/object.cpp.p15-coverity 2015-07-06 18:02:34.604191118 -0700 +++ ./src/coolkey/object.cpp 2015-07-06 19:06:04.432062377 -0700 @@ -1558,7 +1558,7 @@ unsigned long GetBits(const CKYByte *ent /* turn the flags into an int */ for (i=0; i < entrySize; i++) { CKYByte c = rev[entry[i]]; - bits = bits | (c << i*8); + bits = bits | (((unsigned long)c) << (i*8)); } return bits | bitFlag; } @@ -1585,8 +1585,8 @@ CKYStatus PK15ObjectPath::setObjectPath( if (entry == NULL) { return CKYINVALIDDATA; } tagSize = entry - current; current += entrySize + tagSize; + if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; } size -= (entrySize +tagSize); - if (size < 0) { return CKYINVALIDDATA; } status = CKYBuffer_Replace(&path, 0, entry, entrySize); if (status != CKYSUCCESS) { return status; @@ -1598,8 +1598,8 @@ CKYStatus PK15ObjectPath::setObjectPath( if (entry == NULL) { return CKYINVALIDDATA; } tagSize = entry - current; current += entrySize + tagSize; + if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; } size -= (entrySize +tagSize); - if (size < 0) { return CKYINVALIDDATA; } if (entrySize > 5) { return CKYINVALIDDATA; } for (index = 0, i=0; i < entrySize; i++) { index = (index << 8) + (unsigned int) entry[i]; 
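Review bot: In `GetBits` the shift count `i*8` is bounded only by `entrySize`, so an entry longer than `sizeof(unsigned long)` bytes shifts by the width of the type or more, which is undefined behaviour; the added cast fixes the promotion to `int` but not this. Nothing in the hunk limits `entrySize`, and the bytes presumably come from data parsed off the token. Bounding the loop, e.g. `for (i=0; i < entrySize && i < sizeof(bits); i++) {`, keeps the shift defined. The function starts outside the hunk, so an earlier limit is possible and should be checked.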
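Review bot: The new length test in `PK15ObjectPath::setObjectPath` comes after `current += entrySize + tagSize;`, so the pointer has already been advanced past the remaining data when the test fails. The function returns at once and nothing is read through it, but testing first avoids forming the out-of-range pointer at all: move `if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; }` above the `current +=` line. The same order is used in every later object.cpp hunk of this patch that adds this test, including the `completeCertObject`, `completeAuthObject`, `completeKeyObject`, `completePubKeyObject`, `completeRawPublicKey` and `DEREncodedTokenInfo` hunks.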
@@ -1612,8 +1612,8 @@ CKYStatus PK15ObjectPath::setObjectPath( if (entry == NULL) { return CKYINVALIDDATA; } tagSize = entry - current; current += entrySize + tagSize; + if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; } size -= (entrySize +tagSize); - if (size < 0) { return CKYINVALIDDATA; } if (entrySize > 5) { return CKYINVALIDDATA; } for (length = 0, i=0; i < entrySize; i++) { length = (length << 8) + (unsigned int) entry[i]; @@ -1741,8 +1741,8 @@ set_key_type: /* point current to the next section (cass attributes) */ tagSize = commonAttributes - current; current += commonSize + tagSize; + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } /* get the CKA_LABEL */ if (commonAttributes[0] != ASN1_UTF8_STRING) { return CKYINVALIDDATA; } @@ -1835,8 +1835,8 @@ PK15Object::completeCertObject(const CKY /* point current to the next section (type attributes) */ tagSize = commonCertAttributes - current; current += commonSize + tagSize; + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } /* get the id */ if (commonCertAttributes[0] != ASN1_OCTET_STRING) { return CKYINVALIDDATA; } @@ -1907,8 +1907,8 @@ PK15Object::completeAuthObject(const CKY if (commonAuthAttributes == NULL) { return CKYINVALIDDATA; } tagSize = commonAuthAttributes - current; current += commonSize + tagSize; + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } currentSize -= (commonSize + tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } if (commonAuthAttributes[0] != ASN1_OCTET_STRING) { return CKYINVALIDDATA; } 
@@ -1930,8 +1930,8 @@ PK15Object::completeAuthObject(const CKY if (commonAuthAttributes == NULL) { return CKYINVALIDDATA; } tagSize = commonAuthAttributes - current; current += commonSize + tagSize; - currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } + currentSize -= (commonSize + tagSize); /* * parse the Pin Auth Attributes * pinFlags BIT_STRING @@ -2093,8 +2093,8 @@ PK15Object::completeKeyObject(const CKYB /* point current to the next section (sublcass attributes) */ tagSize = commonKeyAttributes - current; current += commonSize + tagSize; - currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } + currentSize -= (commonSize + tagSize); /* get the id */ if (commonKeyAttributes[0] != ASN1_OCTET_STRING) { return CKYINVALIDDATA; } @@ -2263,8 +2263,8 @@ CKYStatus PK15Object::completePrivKeyObj /* point current to the next section (type attributes) */ tagSize = commonPrivKeyAttributes - current; current += commonSize + tagSize; + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } /* subjectName */ if (commonPrivKeyAttributes[0] == ASN1_SEQUENCE) { @@ -2385,8 +2385,8 @@ PK15Object::completePubKeyObject(const C /* point current to the next section (type attributes) */ tagSize = commonPubKeyAttributes - current; current += commonSize + tagSize; - currentSize -= (commonSize +tagSize); - if (currentSize < 0) { return CKYINVALIDDATA; } + if (currentSize < (commonSize + tagSize)) { return CKYINVALIDDATA; } + currentSize -= (commonSize + tagSize); /* subjectName */ if (commonPubKeyAttributes[0] == ASN1_SEQUENCE) { 
@@ -2535,8 +2535,8 @@ PK15Object::completeRawPublicKey(const C if (entry == NULL) { return CKYINVALIDDATA; } tagSize = entry - current; current += entrySize + tagSize; + if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; } size -= (entrySize +tagSize); - if (size < 0) { return CKYINVALIDDATA; } if ((entry[0] == 0) && (entrySize > 1)) { entry++; entrySize--; } @@ -2548,8 +2548,8 @@ PK15Object::completeRawPublicKey(const C if (entry == NULL) { return CKYINVALIDDATA; } tagSize = entry - current; current += entrySize + tagSize; - size -= (entrySize +tagSize); - if (size < 0) { return CKYINVALIDDATA; } + if (size < (entrySize + tagSize)) { return CKYINVALIDDATA; } + size -= (entrySize + tagSize); if ((entry[0] == 0) && (entrySize > 1)) { entry++; entrySize--; } @@ -2682,11 +2682,11 @@ DEREncodedTokenInfo::DEREncodedTokenInfo if (entry == NULL) return; tagSize = entry - current; current += tagSize + entrySize; + if (size < tagSize + entrySize) return; size -= tagSize + entrySize; if (entrySize < 1) { version = *entry; } - if (size < 0) return; /* get the serial number */ if (current[0] != ASN1_OCTET_STRING) { return ; } @@ -2729,6 +2729,8 @@ DEREncodedTokenInfo::DEREncodedTokenInfo } /* parsing flags */ +#ifdef notdef + /* we arn't using this right now, keep it for future reference */ if (current[0] == ASN1_BIT_STRING) { /* recordinfo parsing would go here */ unsigned long bits; @@ -2739,6 +2741,7 @@ DEREncodedTokenInfo::DEREncodedTokenInfo size -= tagSize + entrySize; bits = GetBits(entry, entrySize,8,2); } +#endif return; } diff -up ./src/coolkey/slot.cpp.p15-coverity ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.p15-coverity 2015-07-06 18:02:34.606191081 -0700 +++ ./src/coolkey/slot.cpp 2015-07-06 18:02:34.610191006 -0700 @@ -3714,7 +3714,6 @@ void Slot::attemptP15Login(CK_USER_TYPE user) { PinCache *pinCachePtr = userPinCache(user); - const CKYBuffer *path; if (user == CKU_USER) { loggedIn = false; 
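Review bot: The context line `if (entrySize < 1) { version = *entry; }` in the `DEREncodedTokenInfo` hunk at -2682 reads `*entry` only when the entry is empty, which looks inverted. The patch moves the size test above it but leaves the condition unchanged; if the intent is to take the first byte when there is one, it should be `if (entrySize >= 1) { version = *entry; }`. The constructor starts outside the hunk, so the intended handling of an empty version field should be confirmed there.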
@@ -3729,7 +3728,6 @@ Slot::attemptP15Login(CK_USER_TYPE user) "No PKCS #15 auth object for user %d\n", user); } - path = auth[user]->getObjectPath().getPath(); status = selectPath(auth[user]->getObjectPath().getPath(), &result); if( status == CKYSCARDERR ) { handleConnectionError(); diff -up ./src/libckyapplet/cky_applet.c.p15-coverity ./src/libckyapplet/cky_applet.c --- ./src/libckyapplet/cky_applet.c.p15-coverity 2015-07-06 18:02:34.606191081 -0700 +++ ./src/libckyapplet/cky_applet.c 2015-07-06 18:02:34.610191006 -0700 @@ -1361,6 +1361,9 @@ P15Applet_SignDecrypt(CKYCardConnection appendLength = length; } else { ret = CKYBuffer_Reserve(&tmp, length); + if (ret != CKYSUCCESS) { + goto done; + } } CKYBuffer_AppendBuffer(&tmp, data, offset, appendLength); pso.chain = 0; diff -up ./src/libckyapplet/cky_base.c.p15-coverity ./src/libckyapplet/cky_base.c --- ./src/libckyapplet/cky_base.c.p15-coverity 2015-07-06 18:02:34.607191062 -0700 +++ ./src/libckyapplet/cky_base.c 2015-07-06 18:02:34.610191006 -0700 
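Review bot: The result of `CKYBuffer_AppendBuffer(&tmp, data, offset, appendLength);` on the line after the new check is still ignored in `P15Applet_SignDecrypt`, so a failed append would carry on with a short or empty buffer. The added test covers only `CKYBuffer_Reserve`. Assuming the append reports failure through a `CKYStatus` as the reserve call does, handle it the same way: `ret = CKYBuffer_AppendBuffer(&tmp, data, offset, appendLength);` followed by `if (ret != CKYSUCCESS) { goto done; }`. The function body extends beyond the hunk on both sides.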
@@ -736,7 +736,7 @@ CKYAPDU_SetShortReceiveLen(CKYAPDU *apdu CKYStatus ret; if (recvlen <= CKYAPDU_MAX_DATA_LEN) { - return APDU_SetReceiveLen(apdu, (CKYByte)(recvlen & 0xff)); + return CKYAPDU_SetReceiveLen(apdu, (CKYByte)(recvlen & 0xff)); } ret = CKYBuffer_Resize(&apdu->apduBuf, CKYAPDU_HEADER_LEN+2); if (ret != CKYSUCCESS) { ++++++ coolkey-1.1.0-p15.patch ++++++ ++++ 4379 lines (skipped) ++++++ coolkey-1.1.0-rhel7-alt-cac.patch ++++++ ++++ 858 lines (skipped) ++++++ coolkey-fix-token-removal-failure.patch ++++++ Fix insertion/removal detection pcsc now errors out of the SCardGetStatusChange call with SCARD_E_UNKNOWN_READER if any of the passed readers aren't known. This includes readers that were very recently forgotton about because a user just disconnected them. (See http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/src/winscard_clnt.c?r1=5858&r2=5881 for the change to pcsc) Unfortunately, this means SECMOD_WaitForAnyTokenEvent will fail with a SC_NO_EVENT error if a user removes their smartcard at the wrong time. This patch changes coolkey to detect removed readers before calling SCardGetStatusChange, so that it can handle the removal itself. diff -up coolkey-1.1.0/src/coolkey/slot.cpp.fix coolkey-1.1.0/src/coolkey/slot.cpp --- coolkey-1.1.0/src/coolkey/slot.cpp.fix 2013-05-22 16:23:41.728846957 -0400 +++ coolkey-1.1.0/src/coolkey/slot.cpp 2013-05-22 17:09:59.813958927 -0400 
@@ -279,24 +279,22 @@ SlotList::updateReaderList() * don't recognize. */ - /* first though, let's check to see if any previously removed readers have - * come back from the dead. If the ignored bit has been set, we do not need - * it any more. - */ + /* Iterate through all the readers to see if we need to make unavailable any + * freshly removed readers. Also, see if any previously removed + * readers have come back from the dead and don't need to be ignored. + */ const char *curReaderName = NULL; unsigned long knownState = 0; for(int ri = 0 ; ri < numReaders; ri ++) { - knownState = CKYReader_GetKnownState(&readerStates[ri]); - if( !(knownState & SCARD_STATE_IGNORE)) { - continue; - } - + curReaderName = CKYReader_GetReaderName(&readerStates[ri]); if(readerNameExistsInList(curReaderName,&readerNames)) { CKYReader_SetKnownState(&readerStates[ri], knownState & ~SCARD_STATE_IGNORE); - + } else { + if (!(knownState & SCARD_STATE_UNAVAILABLE)) + CKYReader_SetKnownState(&readerStates[ri], knownState | SCARD_STATE_UNAVAILABLE | SCARD_STATE_CHANGED); } } @@ -1238,6 +1236,32 @@ SlotList::waitForSlotEvent(CK_FLAGS flag throw; } + /* Before round-tripping to the daemon for the duration of the + * timeout, first see if we lost any readers, and pick a slot + * from that set to return + */ + for (i=0; i < numReaders; i++) { + unsigned long knownState = CKYReader_GetKnownState(&readerStates[i]); + + if ((knownState & SCARD_STATE_UNAVAILABLE) && + (knownState & SCARD_STATE_CHANGED)) { + CKYReader_SetKnownState(&readerStates[i], knownState & ~SCARD_STATE_CHANGED); + readerListLock.releaseLock(); + *slotp = slotIndexToID(i); + found = TRUE; + break; + } + } + + if (found) { + break; + } + + if (shuttingDown) { + readerListLock.releaseLock(); + break; + } + if (myNumReaders != numReaders) { if (myReaderStates) { delete [] myReaderStates; ++++++ coolkey-piv-ecc-el7.patch ++++++ ++++ 4792 lines (skipped) ++++++ coolkey-rpmlintrc -> coolkey.rpmlintrc ++++++
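Review bot: Both branches of the rewritten loop in `SlotList::updateReaderList` read `knownState`, but the only assignment visible in the hunk, `knownState = CKYReader_GetKnownState(&readerStates[ri]);`, sits on a line that reads as removed in this rendering. If it really is dropped, `knownState` keeps its initial 0, so `knownState & ~SCARD_STATE_IGNORE` clears every state bit of a present reader and the `SCARD_STATE_UNAVAILABLE` test is always true. Confirm that the assignment is kept as the first statement of the loop body. The new `else` branch would also read better with braces around the nested `if`, matching the surrounding code.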
