Upstream fixes already included in the latest community updates to coolkey v1.1.0

Addresses various bugs found in PKCS11 object handling.

--- ORIGINAL/./src/coolkey/object.cpp	2016-06-24 16:07:19.782779440 -0400

+++ ././src/coolkey/object.cpp	2016-06-27 13:43:35.548673450 -0400

@@ -21,15 +21,48 @@

 #include "PKCS11Exception.h"

 #include "object.h"

 #include <algorithm>

+#include <string.h>

 using std::find_if;

+const CKYByte rsaOID[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D, 0x01, 0x01,0x1};

+const CKYByte eccOID[] = {0x2a,0x86,0x48,0xce,0x3d,0x02,0x01};

+

+#ifdef DEBUG

+void dump(CKYBuffer *buf)

+{

+    CKYSize i;

+    CKYSize size = CKYBuffer_Size(buf);

+#define ROW_LENGTH 60

+    char string[ROW_LENGTH+1];

+    char *bp = &string[0];

+    CKYByte c;

+

+    for (i=0; i < size; i++) {

+        if (i && ((i % (ROW_LENGTH-1)) == 0) ) {

+            *bp = 0;

+            printf(" %s\n",string);

+            bp = &string[0];

+        }

+        c = CKYBuffer_GetChar(buf, i);

+        printf("%02x ",c);

+        *bp++ =  (c < ' ') ? '.' : ((c & 0x80) ? '*' : c);

+    }

+    *bp = 0;

+    for (i= (i % (ROW_LENGTH-1)); i && (i < ROW_LENGTH); i++) {

+        printf("   ");

+    }

+    printf(" %s\n",string);

+    fflush(stdout);

+}

+#endif

+

 bool AttributeMatch::operator()(const PKCS11Attribute& cmp) 

 {

     return (attr->type == cmp.getType()) &&

-	CKYBuffer_DataIsEqual(cmp.getValue(), 

-			(const CKYByte *)attr->pValue, attr->ulValueLen);

+        CKYBuffer_DataIsEqual(cmp.getValue(), 

+                        (const CKYByte *)attr->pValue, attr->ulValueLen);

 }

 class AttributeTypeMatch

@@ -44,14 +77,14 @@

 };

 PKCS11Object::PKCS11Object(unsigned long muscleObjID_,CK_OBJECT_HANDLE handle_)

-    : muscleObjID(muscleObjID_), handle(handle_), label(NULL), name(NULL)

+    : muscleObjID(muscleObjID_), handle(handle_), label(NULL), name(NULL), keyType(unknown)

 { 

     CKYBuffer_InitEmpty(&pubKey);

 }

 PKCS11Object::PKCS11Object(unsigned long muscleObjID_, const CKYBuffer *data,

     CK_OBJECT_HANDLE handle_) :  muscleObjID(muscleObjID_), handle(handle_),

-			label(NULL), name(NULL)

+                        label(NULL), name(NULL), keyType(unknown)

 {

     CKYBuffer_InitEmpty(&pubKey);

@@ -62,9 +95,98 @@

             "PKCS #11 actual object id does not match stated id");

     }

     if (type == 0) {

-	parseOldObject(data);

+        parseOldObject(data);

     } else if (type == 1) {

-	parseNewObject(data);

+        parseNewObject(data);

+    }

+}

+

+SecretKey::SecretKey(unsigned long muscleObjID_, CK_OBJECT_HANDLE handle_, CKYBuffer *secretKeyBuffer, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount)

+     : PKCS11Object(muscleObjID_, handle_)

+{

+    static CK_OBJECT_CLASS objClass = CKO_SECRET_KEY;

+    static CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;

+    static CK_BBOOL value = 0x1;

+

+    if ( secretKeyBuffer == NULL)

+        return;

+

+    /* Rifle through the input template */

+

+    CK_ATTRIBUTE_TYPE type;

+    CK_ATTRIBUTE attr;

+    CK_ULONG valueLength = 0;

+

+    for(int i = 0; i <  (int) ulAttributeCount; i++) {

+       attr = pTemplate[i];

+       type =  attr.type;

+

+       if ( type == CKA_VALUE_LEN) {

+           //CK_ULONG ulValueLen = attr.ulValueLen;

+           valueLength = *((CK_ULONG *)attr.pValue);

+       } else {

+

+           CKYBuffer val;

+           CKYBuffer_InitFromData(&val,(const CK_BYTE *) attr.pValue, attr.ulValueLen);

+           setAttribute( type, &val);

+           CKYBuffer_FreeData(&val);

+       }

+    }

+

+    adjustToKeyValueLength( secretKeyBuffer, valueLength ); 

+

+    /* Fall backs. */

+

+    if(!attributeExists(CKA_CLASS))

+        setAttributeULong(CKA_CLASS, objClass);

+

+    if(!attributeExists(CKA_KEY_TYPE))

+        setAttributeULong(CKA_KEY_TYPE, keyType);

+

+    if(!attributeExists(CKA_TOKEN))

+        setAttributeBool(CKA_TOKEN, value);

+      

+    if(!attributeExists(CKA_DERIVE)) 

+        setAttributeBool(CKA_DERIVE, value);

+

+    /* Actual value */

+    setAttribute(CKA_VALUE, secretKeyBuffer);

+

+}

+

+void SecretKey::adjustToKeyValueLength(CKYBuffer * secretKeyBuffer,CK_ULONG valueLength)

+{

+    const CK_LONG MAX_DIFF = 200; /* Put some bounds on this value */

+

+    if ( !secretKeyBuffer ) {

+        return;

+    }

+

+    CKYBuffer scratch;

+    CK_ULONG actual_length = CKYBuffer_Size(secretKeyBuffer);

+

+    CK_LONG diff = 0;

+    diff = (CK_LONG) valueLength - actual_length;

+

+    if ( diff == 0 ) {

+        return;

+    }

+

+    if ( diff > 0 && diff < MAX_DIFF ) { /*check for silly values */

+        /* prepend with zeroes */

+        CKYBuffer_InitFromLen(&scratch, diff);

+        CKYBuffer_AppendCopy(&scratch, secretKeyBuffer);

+

+        CKYBuffer_FreeData(secretKeyBuffer);

+        CKYBuffer_InitFromCopy(secretKeyBuffer, &scratch);

+        CKYBuffer_FreeData(&scratch);

+

+    } else if (diff < 0 ) {

+        /* truncate most significant bytes */

+        CKYBuffer_InitFromData(&scratch, CKYBuffer_Data(secretKeyBuffer)-diff, valueLength);

+        CKYBuffer_FreeData(secretKeyBuffer);

+        CKYBuffer_InitFromCopy(secretKeyBuffer, &scratch);

+        CKYBuffer_FreeData(&scratch);

     }

 }

@@ -94,29 +216,29 @@

         attrib.setType(CKYBuffer_GetLong(data, idx));

         idx += 4;

         unsigned int attrLen = CKYBuffer_GetShort(data, idx);

-		idx += 2;

+                idx += 2;

         if( attrLen > CKYBuffer_Size(data) 

-			|| (idx + attrLen > CKYBuffer_Size(data)) ) {

+                        || (idx + attrLen > CKYBuffer_Size(data)) ) {

             throw PKCS11Exception(CKR_DEVICE_ERROR,

                 "Invalid attribute length %d\n", attrLen);

         }

-	/* these two types are ints, read them back from 

-	 * the card in host order */

-	if ((attrib.getType() == CKA_CLASS) || 

-	    (attrib.getType() == CKA_CERTIFICATE_TYPE) ||

-	    (attrib.getType() == CKA_KEY_TYPE)) {

-	    /* ulongs are 4 bytes on the token, even if they are 8 or

-	     * more in the pkcs11 module */

-	    if (attrLen != 4) {

+        /* these two types are ints, read them back from 

+         * the card in host order */

+        if ((attrib.getType() == CKA_CLASS) || 

+            (attrib.getType() == CKA_CERTIFICATE_TYPE) ||

+            (attrib.getType() == CKA_KEY_TYPE)) {

+            /* ulongs are 4 bytes on the token, even if they are 8 or

+             * more in the pkcs11 module */

+            if (attrLen != 4) {

                 throw PKCS11Exception(CKR_DEVICE_ERROR,

                 "Invalid attribute length %d\n", attrLen);

-	    }

-	    CK_ULONG value = makeLEUInt(data,idx);

+            }

+            CK_ULONG value = makeLEUInt(data,idx);

-	    attrib.setValue((const CKYByte *)&value, sizeof(CK_ULONG));

-	} else {

-	    attrib.setValue(CKYBuffer_Data(data)+idx, attrLen);

-	}

+            attrib.setValue((const CKYByte *)&value, sizeof(CK_ULONG));

+        } else {

+            attrib.setValue(CKYBuffer_Data(data)+idx, attrLen);

+        }

         idx += attrLen;

         attributes.push_back(attrib);

     }

@@ -176,33 +298,33 @@

     unsigned long i;

     if (!attributeExists(CKA_ID)) {

-	PKCS11Attribute attrib;

-	attrib.setType(CKA_ID);

-	attrib.setValue(&cka_id, 1);

+        PKCS11Attribute attrib;

+        attrib.setType(CKA_ID);

+        attrib.setValue(&cka_id, 1);

         attributes.push_back(attrib);

     }

     /* unpack the class */

     if (!attributeExists(CKA_CLASS)) {

-	PKCS11Attribute attrib;

-	attrib.setType(CKA_CLASS);

-	attrib.setValue((CKYByte *)&objectType, sizeof(CK_ULONG));

+        PKCS11Attribute attrib;

+        attrib.setType(CKA_CLASS);

+        attrib.setValue((CKYByte *)&objectType, sizeof(CK_ULONG));

         attributes.push_back(attrib);

     }

     /* unpack the boolean flags. Note, the default mask is based on

      * the class specified in fixedAttrs, not on the real class */

     for (i=1; i < sizeof(unsigned long)*8; i++) {

-	unsigned long iMask = 1<< i;

-	if ((mask & iMask) == 0) {

-	   continue;

-	}

-	if (attributeExists(boolType[i])) {

-	    continue;

-	}

-	PKCS11Attribute attrib;

-	CKYByte bVal = (fixedAttrs & iMask) != 0;

-	attrib.setType(boolType[i]);

-	attrib.setValue(&bVal, 1);

+        unsigned long iMask = 1<< i;

+        if ((mask & iMask) == 0) {

+           continue;

+        }

+        if (attributeExists(boolType[i])) {

+            continue;

+        }

+        PKCS11Attribute attrib;

+        CKYByte bVal = (fixedAttrs & iMask) != 0;

+        attrib.setType(boolType[i]);

+        attrib.setValue(&bVal, 1);

         attributes.push_back(attrib);

     }

 }

@@ -223,40 +345,40 @@

     // load up the explicit attributes first

     for (j=0, offset = 11; j < attributeCount && offset < size; j++) {

         PKCS11Attribute attrib;

-	CKYByte attributeDataType = CKYBuffer_GetChar(data, offset+4);

-	unsigned int attrLen = 0;

+        CKYByte attributeDataType = CKYBuffer_GetChar(data, offset+4);

+        unsigned int attrLen = 0;

         attrib.setType(CKYBuffer_GetLong(data, offset));

         offset += 5;

-	switch(attributeDataType) {

-	case DATATYPE_STRING:

-	    attrLen = CKYBuffer_GetShort(data, offset);

-	    offset += 2;

+        switch(attributeDataType) {

+        case DATATYPE_STRING:

+            attrLen = CKYBuffer_GetShort(data, offset);

+            offset += 2;

             if (attrLen > CKYBuffer_Size(data) 

-			|| (offset + attrLen > CKYBuffer_Size(data)) ) {

-            	throw PKCS11Exception(CKR_DEVICE_ERROR,

-            	    "Invalid attribute length %d\n", attrLen);

+                        || (offset + attrLen > CKYBuffer_Size(data)) ) {

+                    throw PKCS11Exception(CKR_DEVICE_ERROR,

+                        "Invalid attribute length %d\n", attrLen);

              }

-	    attrib.setValue(CKYBuffer_Data(data)+offset, attrLen);

-	    break;

-	case DATATYPE_BOOL_FALSE:

-	case DATATYPE_BOOL_TRUE:

-	    {

-		CKYByte bval = attributeDataType & 1;

-		attrib.setValue(&bval, 1);

-	    }

-	    break;

-	case DATATYPE_INTEGER:

-	    {

-		CK_ULONG value = CKYBuffer_GetLong(data, offset);

-		attrLen = 4;

-		attrib.setValue((const CKYByte *)&value, sizeof(CK_ULONG));

-	    }

-	    break;

-	default:

-	    throw PKCS11Exception(CKR_DEVICE_ERROR, 

-		"Invalid attribute Data Type %d\n", attributeDataType);

-	}

+            attrib.setValue(CKYBuffer_Data(data)+offset, attrLen);

+            break;

+        case DATATYPE_BOOL_FALSE:

+        case DATATYPE_BOOL_TRUE:

+            {

+                CKYByte bval = attributeDataType & 1;

+                attrib.setValue(&bval, 1);

+            }

+            break;

+        case DATATYPE_INTEGER:

+            {

+                CK_ULONG value = CKYBuffer_GetLong(data, offset);

+                attrLen = 4;

+                attrib.setValue((const CKYByte *)&value, sizeof(CK_ULONG));

+            }

+            break;

+        default:

+            throw PKCS11Exception(CKR_DEVICE_ERROR, 

+                "Invalid attribute Data Type %d\n", attributeDataType);

+        }

         offset += attrLen;

         attributes.push_back(attrib);

     }

@@ -273,9 +395,10 @@

 };

 #endif

+// XXX - Need to use a correct signature. This is necessary only on SPARC

 bool

-PKCS11Object::matchesTemplate(const CK_ATTRIBUTE_PTR pTemplate, 

-						CK_ULONG ulCount)

+PKCS11Object::matchesTemplate(CK_ATTRIBUTE_PTR pTemplate, 

+                                                CK_ULONG ulCount)

     const

 {

     unsigned int i;

@@ -284,10 +407,10 @@

 #if defined( NSS_HIDE_NONSTANDARD_OBJECTS )

     if (!ulCount) {

-	// exclude MOZ reader objects from searches for all objects.

-	// To find an MOZ reader object, one must search for it by 

-	// some matching attribute, such as class.

-	iterator iter = find_if(attributes.begin(), attributes.end(),

+        // exclude MOZ reader objects from searches for all objects.

+        // To find an MOZ reader object, one must search for it by 

+        // some matching attribute, such as class.

+        iterator iter = find_if(attributes.begin(), attributes.end(),

                                 AttributeMatch(&rdr_template[0]));

         return (iter == attributes.end()) ? true : false;

     }

@@ -324,7 +447,7 @@

             AttributeTypeMatch(type));

     if( iter == attributes.end() ) {

-	return NULL;

+        return NULL;

     }

     return iter->getValue();

 }

@@ -348,8 +471,9 @@

         if( iter == attributes.end() ) {

             // no attribute of this type

             attrTypeInvalid = true;

-            log->log("GetAttributeValue: invalid type 0x%08x on object %x\n",

-                pTemplate[i].type, muscleObjID);

+            if ( log )

+                log->log("GetAttributeValue: invalid type 0x%08x on object %x\n",

+                    pTemplate[i].type, muscleObjID);

             pTemplate[i].ulValueLen = (CK_ULONG)-1;

             continue;

         }

@@ -370,7 +494,7 @@

         // the buffer is large enough. return the value and set the exact

         // length.

         memcpy(pTemplate[i].pValue, CKYBuffer_Data(iter->getValue()), 

-					CKYBuffer_Size(iter->getValue()));

+                                        CKYBuffer_Size(iter->getValue()));

         pTemplate[i].ulValueLen = CKYBuffer_Size(iter->getValue());

     }

@@ -396,7 +520,7 @@

 {

     // clean up old one

     if (label) {

-	delete label;

+	delete [] label;

 	label = NULL;

     }

     // find matching attribute

@@ -405,14 +529,14 @@

     // none found 

     if( iter == attributes.end() ) {

-	return "";

+        return "";

     }

     int size = CKYBuffer_Size(iter->getValue());

     label = new char [ size + 1 ];

     if (!label) {

-	return "";

+        return "";

     }

     memcpy(label, CKYBuffer_Data(iter->getValue()), size);

     label[size] = 0;

@@ -430,13 +554,13 @@

     // none found */

     if( iter == attributes.end() ) {

-	return (CK_OBJECT_CLASS) -1;

+        return (CK_OBJECT_CLASS) -1;

     }

     int size = CKYBuffer_Size(iter->getValue());

     if (size != sizeof(objClass)) {

-	return (CK_OBJECT_CLASS) -1;

+        return (CK_OBJECT_CLASS) -1;

     }

     memcpy(&objClass, CKYBuffer_Data(iter->getValue()), size);

@@ -452,7 +576,7 @@

     iter = find_if(attributes.begin(), attributes.end(),

         AttributeTypeMatch(type));

     if( iter != attributes.end() )  {

-	iter->setValue( CKYBuffer_Data(value), CKYBuffer_Size(value));

+        iter->setValue( CKYBuffer_Data(value), CKYBuffer_Size(value));

     } else {

         attributes.push_back(PKCS11Attribute(type, value));

     }

@@ -504,6 +628,16 @@

     unsigned char tag;

     unsigned int used_length= 0;

+    *data_length = 0; /* make sure data_length is zero on failure */

+

+    if(!buf) {

+        return NULL;

+    }

+    /* there must be at least 2 bytes */

+    if (length < 2) {

+	return NULL;

+    }

+

     tag = buf[used_length++];

     /* blow out when we come to the end */

@@ -516,15 +650,22 @@

     if (*data_length&0x80) {

         int  len_count = *data_length & 0x7f;

+	if (len_count+used_length > length) {

+	    return NULL;

+	}

+

         *data_length = 0;

         while (len_count-- > 0) {

             *data_length = (*data_length << 8) | buf[used_length++];

         }

     }

+    /* paranoia, can't happen */

+    if (length < used_length) {

+	return NULL;

+    }

     if (*data_length > (length-used_length) ) {

-        *data_length = length-used_length;

         return NULL;

     }

     if (includeTag) *data_length += used_length;

@@ -537,16 +678,158 @@

 {

     /* for RSA, bit string always has byte number of bits */

     if (buf[0] != 0) {

-	return NULL;

+        return NULL;

     }

     if (len < 1) {

-	return NULL;

+        return NULL;

     }

     *retLen = len -1;

     return buf+1;

 }

 static SECStatus

+GetECKeyFieldItems(const CKYByte *spki_data,unsigned int spki_length,

+        CCItem *point, CCItem *params)

+{

+    const CKYByte *buf = spki_data;

+    unsigned int buf_length = spki_length;

+    const CKYByte *algid;

+    unsigned int algidlen;

+    const CKYByte *dummy;

+    unsigned int dummylen;

+

+    if (!point || !params || !buf)

+        return SECFailure;

+

+    point->data = NULL;

+    point->len = 0;

+    params->data = NULL;

+    params->len = 0;

+

+    /* unwrap the algorithm id */

+    dummy = dataStart(buf,buf_length,&dummylen,false);

+    if (dummy == NULL) return SECFailure;