gnome-keyring r1408 - in trunk: . pkcs11/gck
- From: nnielsen svn gnome org
- To: svn-commits-list gnome org
- Subject: gnome-keyring r1408 - in trunk: . pkcs11/gck
- Date: Wed, 24 Dec 2008 21:20:55 +0000 (UTC)
Author: nnielsen
Date: Wed Dec 24 21:20:55 2008
New Revision: 1408
URL: http://svn.gnome.org/viewvc/gnome-keyring?rev=1408&view=rev
Log:
* pkcs11/gck/gck-crypto.c:
* pkcs11/gck/gck-crypto.h:
* pkcs11/gck/gck-session.c: Test invalid inputs and states
on crypto functions, and bring in line with PKCS#11 spec.
Modified:
trunk/ChangeLog
trunk/pkcs11/gck/gck-crypto.c
trunk/pkcs11/gck/gck-crypto.h
trunk/pkcs11/gck/gck-session.c
Modified: trunk/pkcs11/gck/gck-crypto.c
==============================================================================
--- trunk/pkcs11/gck/gck-crypto.c (original)
+++ trunk/pkcs11/gck/gck-crypto.c Wed Dec 24 21:20:55 2008
@@ -110,7 +110,6 @@
g_assert (sexp);
g_assert (data);
g_assert (n_data);
- g_assert (*n_data);
g_assert (bits);
/* First try and dig out sexp child based on arguments */
@@ -142,8 +141,9 @@
/* Pad it properly if necessary */
if (padding != NULL) {
guchar *padded = (padding) (bits, block, n_block, &n_block);
- g_return_val_if_fail (padded, CKR_GENERAL_ERROR);
g_free (block);
+ if (!padded)
+ return CKR_DATA_LEN_RANGE;
block = padded;
}
@@ -357,7 +357,7 @@
g_return_val_if_fail (sexp, CKR_GENERAL_ERROR);
g_return_val_if_fail (n_data, CKR_ARGUMENTS_BAD);
- g_return_val_if_fail (data, CKR_ARGUMENTS_BAD);
+ g_return_val_if_fail (encrypted, CKR_ARGUMENTS_BAD);
nbits = gcry_pk_get_nbits (sexp);
g_return_val_if_fail (nbits > 0, CKR_GENERAL_ERROR);
@@ -368,6 +368,9 @@
return CKR_OK;
}
+ if (n_encrypted != (nbits + 7) / 8)
+ return CKR_DATA_LEN_RANGE;
+
/* Prepare the input s expression */
rv = data_to_sexp ("(enc-val (flags) (rsa (a %m)))",
nbits, NULL, encrypted, n_encrypted, &sdata);
@@ -594,7 +597,9 @@
/* The key size */
nbits = gcry_pk_get_nbits (sexp);
g_return_val_if_fail (nbits > 0, CKR_GENERAL_ERROR);
- g_return_val_if_fail (nbits % 8 == 0, CKR_GENERAL_ERROR);
+
+ if (n_signature != (nbits + 7) / 8)
+ return CKR_SIGNATURE_LEN_RANGE;
/* Prepare the input s expressions */
rv = data_to_sexp ("(data (flags raw) (value %m))",
@@ -640,7 +645,7 @@
if (n_data != 20)
return CKR_DATA_LEN_RANGE;
if (n_signature != 40)
- return CKR_DATA_LEN_RANGE;
+ return CKR_SIGNATURE_LEN_RANGE;
/* Prepare the input s-expressions */
gcry = gcry_mpi_scan (&mpi, GCRYMPI_FMT_USG, data, n_data, NULL);
@@ -865,15 +870,6 @@
return padded;
}
-guchar*
-gck_crypto_rsa_unpad_pkcs1 (guint bits, const guchar *padded,
- gsize n_padded, gsize *n_raw)
-{
- /* Further checks are done later */
- g_return_val_if_fail (n_padded > 2, NULL);
- return unpad_rsa_pkcs1 (padded[1], bits, padded, n_padded, n_raw);
-}
-
guchar*
gck_crypto_rsa_unpad_one (guint bits, const guchar *padded,
gsize n_padded, gsize *n_raw)
Modified: trunk/pkcs11/gck/gck-crypto.h
==============================================================================
--- trunk/pkcs11/gck/gck-crypto.h (original)
+++ trunk/pkcs11/gck/gck-crypto.h Wed Dec 24 21:20:55 2008
@@ -144,11 +144,6 @@
gsize n_raw,
gsize *n_padded);
-guchar* gck_crypto_rsa_unpad_pkcs1 (guint bits,
- const guchar *padded,
- gsize n_padded,
- gsize *n_raw);
-
guchar* gck_crypto_rsa_unpad_one (guint bits,
const guchar *padded,
gsize n_padded,
Modified: trunk/pkcs11/gck/gck-session.c
==============================================================================
--- trunk/pkcs11/gck/gck-session.c (original)
+++ trunk/pkcs11/gck/gck-session.c Wed Dec 24 21:20:55 2008
@@ -87,14 +87,15 @@
{
g_assert (self->pv->current_operation == cleanup_crypto);
- g_assert (self->pv->crypto_sexp);
- g_assert (GCK_IS_KEY (self->pv->current_object));
- gck_sexp_unref (self->pv->crypto_sexp);
- self->pv->crypto_sexp = NULL;
+ if (self->pv->crypto_sexp) {
+ gck_sexp_unref (self->pv->crypto_sexp);
+ self->pv->crypto_sexp = NULL;
+ }
self->pv->crypto_mechanism = 0;
self->pv->crypto_method = 0;
+ g_assert (GCK_IS_KEY (self->pv->current_object));
if (self->pv->current_object)
g_object_unref (self->pv->current_object);
@@ -145,9 +146,7 @@
return CKR_KEY_TYPE_INCONSISTENT;
/* Check that the object can do this method */
- if (!gck_object_get_attribute_boolean (object, method, &have))
- g_return_val_if_reached (CKR_GENERAL_ERROR);
- if (have == CK_FALSE)
+ if (!gck_object_get_attribute_boolean (object, method, &have) || !have)
return CKR_KEY_FUNCTION_NOT_PERMITTED;
/* Track the cyrpto object */
@@ -166,7 +165,7 @@
process_crypto (GckSession *self, CK_ATTRIBUTE_TYPE method, CK_BYTE_PTR bufone,
CK_ULONG n_bufone, CK_BYTE_PTR buftwo, CK_ULONG_PTR n_buftwo)
{
- CK_RV rv;
+ CK_RV rv = CKR_OK;
g_assert (GCK_IS_SESSION (self));
@@ -175,20 +174,28 @@
if (method != self->pv->crypto_method)
return CKR_OPERATION_NOT_INITIALIZED;
- /* Load up the actual sexp we're going to use */
- if (!self->pv->crypto_sexp) {
- g_return_val_if_fail (GCK_IS_KEY (self->pv->current_object), CKR_GENERAL_ERROR);
- self->pv->crypto_sexp = gck_key_acquire_crypto_sexp (GCK_KEY (self->pv->current_object));
- if (!self->pv->crypto_sexp)
- return CKR_USER_NOT_LOGGED_IN;
+ if (!bufone || !n_buftwo)
+ rv = CKR_ARGUMENTS_BAD;
+
+ if (rv == CKR_OK) {
+ /* Load up the actual sexp we're going to use */
+ if (!self->pv->crypto_sexp) {
+ g_return_val_if_fail (GCK_IS_KEY (self->pv->current_object), CKR_GENERAL_ERROR);
+ self->pv->crypto_sexp = gck_key_acquire_crypto_sexp (GCK_KEY (self->pv->current_object));
+ if (!self->pv->crypto_sexp)
+ rv = CKR_USER_NOT_LOGGED_IN;
+ }
}
- g_assert (self->pv->crypto_mechanism);
- rv = gck_crypto_perform (gck_sexp_get (self->pv->crypto_sexp), self->pv->crypto_mechanism,
- method, bufone, n_bufone, buftwo, n_buftwo);
+ if (rv == CKR_OK) {
+ g_assert (self->pv->crypto_mechanism);
+ rv = gck_crypto_perform (gck_sexp_get (self->pv->crypto_sexp), self->pv->crypto_mechanism,
+ method, bufone, n_bufone, buftwo, n_buftwo);
+ }
/* Under these conditions the operation isn't complete */
- if (rv == CKR_BUFFER_TOO_SMALL || (rv == CKR_OK && buftwo == NULL))
+ if (rv == CKR_BUFFER_TOO_SMALL || rv == CKR_USER_NOT_LOGGED_IN ||
+ (rv == CKR_OK && buftwo == NULL))
return rv;
cleanup_crypto (self);
@@ -821,8 +828,6 @@
CK_BYTE_PTR encrypted_data, CK_ULONG_PTR encrypted_data_len)
{
g_return_val_if_fail (GCK_IS_SESSION (self), CKR_SESSION_HANDLE_INVALID);
- if (!data || !encrypted_data_len)
- return CKR_ARGUMENTS_BAD;
return process_crypto (self, CKA_ENCRYPT, data, data_len, encrypted_data, encrypted_data_len);
}
@@ -858,8 +863,6 @@
CK_ULONG enc_data_len, CK_BYTE_PTR data, CK_ULONG_PTR data_len)
{
g_return_val_if_fail (GCK_IS_SESSION (self), CKR_SESSION_HANDLE_INVALID);
- if (!enc_data || !data_len)
- return CKR_ARGUMENTS_BAD;
return process_crypto (self, CKA_DECRYPT, enc_data, enc_data_len, data, data_len);
}
@@ -931,8 +934,6 @@
CK_BYTE_PTR signature, CK_ULONG_PTR signature_len)
{
g_return_val_if_fail (GCK_IS_SESSION (self), CKR_SESSION_HANDLE_INVALID);
- if (!data || !signature_len)
- return CKR_ARGUMENTS_BAD;
return process_crypto (self, CKA_SIGN, data, data_len, signature, signature_len);
}
@@ -982,8 +983,6 @@
CK_BYTE_PTR signature, CK_ULONG signature_len)
{
g_return_val_if_fail (GCK_IS_SESSION (self), CKR_SESSION_HANDLE_INVALID);
- if (!data || !signature)
- return CKR_ARGUMENTS_BAD;
return process_crypto (self, CKA_VERIFY, data, data_len, signature, &signature_len);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]