Commit Graph

328 Commits

Author SHA1 Message Date
Jakub Jelen e2fe24d56a clang static analyzer reports
tools/pkcs15-tool.c:
	Dead assignment: Value stored to 'c' is never read
tools/pkcs11-tool.c:
	Dead assignment: Value stored to 'n' is never read
	Dead assignment: Value stored to 'rv' is never read
libopensc/card-cac.c:
	Dead assignemnt: Value stored to 'tl_head_len' is never read
	Dead increment: Value stored to 'outp' is never read
common/libpkcs11.c:
	Memory leak in case of C_UnloadModule() fails
libopensc/pkcs15-pubkey.c:
	Potential memory leaks
pkcs11/mechanism.c:
	Potential memory leak
pkcs11/framework-pkcs15.c:
	Potential memory leaks
	Dereference of null pointer
	Dead assignments
tools/sc-hsm-tool.c:
	Function call argument is an uninitialized value
	Dead assignment: Value stored to 'r' is never read
libopensc/card-openpgp.c:
	Dead assignment: ignoring the errors in case of sc_pkcs15_encode_pubkey() failed
libopensc/pkcs15-cac.c:
	Dead assignments: ignoring return values
libopensc/pkcs15-coolkey.c:
	Dead assignments: ignoring return values
libopensc/card-sc-hsm.c:
	Dereference of undefined pointer value: Properly check the file allocation
pkcs11/slot.c:
	Dead assignment
pkcs15init/pkcs15-cflex.c:
	Dereference of null pointer
	Uninitialized argument values
2017-07-18 22:40:20 +02:00
Frank Morgner 4c654606ea fixed Coverity issues
Fixes https://github.com/OpenSC/OpenSC/issues/1057
2017-06-13 13:07:52 +02:00
Timo Teräs e2e1cbd10f pkcs15init: prepare sc_pkcs15init_skeyargs for proper secret key support 2017-06-13 10:40:36 +02:00
Frank Morgner 35c5eb0659 fixed ressource leak 2017-06-09 10:33:46 +02:00
konstantinpersidskiy 083cec8fda pkcs11-tool: add GOSTR3410 keypair generation (#997)
* pkcs11-tool: add GOSTR3410 keypair generation
* Refactor gost3410 generation
2017-06-09 10:30:40 +02:00
Jakuje 0e70c59aef If the underlying PKCS#15 structure does not provide label for a cert… (#1045) 2017-05-30 00:05:30 +02:00
Frank Morgner 74ec7b04ff sc-hsm: Add support for SoC
- eac: allow CA without EF.CardSecurity
- sc-hsm: implemented CA based on document PKI
- sc-hsm: adds receive limit for SoC card
- introduces dedicated card type for SoC card
- md: integrate card's PIN pad capabilities
- installer: added SC-HSM SoC card to registry
- pkcs15-tool: Added support for PIN entry on card
- change/unblock PIN: add support for PIN entry on card
- added OpenPACE to macOS build
- travis-ci: install gengetopt/help2man via brew
- sc-hsm: Cache EF.C_DevAut
- sc-hsm: Prevent unnecessary applet selection and state resets
- sc-hsm: added support for session pin
- sc-hsm: avoid multiple AID selection
- sc-hsm: Use the information from match_card for all subsequent selections of the applet
- sc-hsm: cache optional files as empty files (Decoding the files will reveal that they were not existing prior caching. This avoids selecting the file though we have already tried to cache the file before.)
- use dedicated directory for CVC trust anchors
- appveyor: added OpenPACE to windows build
2017-05-22 16:25:08 +02:00
Doug Engert 35bae65f11 Make sure it is an SPKI
On branch verify-pubkey-as-spki-2
 Changes to be committed:
	modified:   framework-pkcs15.c
2017-04-26 13:08:49 +02:00
Doug Engert 4049283675 Add new attribute CKA_SPKI for CKO_PUBLIC_KEY
CKA_SPKI is a vendor defined attribute to be used internally
as input to to OpenSSL d2i_PUBKEY

 On branch verify-pubkey-as-spki-2
 Changes to be committed:
	modified:   framework-pkcs15.c
	modified:   mechanism.c
	modified:   openssl.c
	modified:   pkcs11-opensc.h
2017-04-26 13:08:49 +02:00
Frank Morgner 6bfb39454b Fix missing error handling of memory allocation (#1020)
* libopensc: handle allocation errors
* handle more faults during memory allocation

fixes several situations that cause segmentation fault
2017-04-20 21:08:49 +02:00
Jakub Jelen 7214516547 Make sure the lock is released when returning 2017-04-13 15:18:54 +02:00
Frank Morgner c5e40127d0 Coverity fixes (#1012)
card-cac.c
 * CLANG_WARNING: The left operand of '<' is a garbage value
card-coolkey.c
 * CLANG_WARNING: overwriting variable
 * CPPCHECK_WARNING: memory leak / overwrite variable
 * CLANG_WARNING: null pointer dereference
 * UNUSED_VALUE: unused return value
card-gids.c
 * CLANG_WARNING: Branch condition evaluates to a garbage value
 * SIZEOF_MISMATCH: suspicious_sizeof
card-myeid.c
 * RESOURCE_LEAK: Variable "buf" going out of scope leaks the storage it points to.
 * CLANG_WARNING: overwriting variable
 * (rewrite not to confuse coverity)
pkcs15-cac.c
 * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
pkcs15-coolkey.c
 * UNUSED_VALUE: unused return value
pkcs15-piv.c
 * RESOURCE_LEAK: Variable "cert_out" going out of scope leaks the storage it points to.
pkcs15-sc-hsm.c
 * DEADCODE
pkcs11/framework-pkcs15.c
 * RESOURCE_LEAK: Variable "p15_cert" going out of scope leaks the storage it points to.
pkcs15init/pkcs15-lib.c
 * CLANG_WARNING: Assigned value is garbage or undefined
pkcs15init/pkcs15-myeid.c
 * UNREACHABLE: Probably wrong placement of code block
tests/p15dump.c
 * IDENTICAL_BRANCHES
pkcs15-init.c
 * CLANG_WARNING: Potential leak of memory pointed to by 'args.der_encoded.value'
pkcs15-tool.c
 * RESOURCE_LEAK: Variable "cert" going out of scope leaks the storage it points to.
 * MISSING_BREAK: The above case falls through to this one.
sc-hsm-tool.c
 * CLANG_WARNING: Potential leak of memory pointed to by 'sp'
westcos-tool.c
 * FORWARD_NULL: Passing null pointer "pin" to "unlock_pin", which dereferences it.
 * (rewrite not to confuse coverity)
card-cac.c
* Avoid malloc with 0 argument
gids-tool.c
* FORWARD_NULL -- copy&paste error
scconf.c
* CLANG_WARNING: Call to 'malloc' has an allocation size of 0 bytes

closes #982
2017-04-03 13:43:30 +02:00
Maciej S. Szmigiero 62cbda6cd9 Fix log messages format and parameter issues flagged by GCC
Since "Add GCC format checking attributes to log functions" commit GCC
warns us about problems with format strings and their arguments provided
to OpenSC message logging functions.

This commit fixes all cases where GCC warned about incorrect format on
64-bit Linux, 32-bit and 64-bit mingw builds (with SM and OpenSSL enabled).
Well, almost all since on mingw GCC does not recognize "ll" size specifier
(present at least since Visual Studio 2005, also in mingw own CRT) so these
(few) warnings about it remain.

In most cases format size specifier for size_t type was missing (usually
size was left at default int level, with is different on 64-bit x86).
Some formats had too few / too many arguments.
In some cases pointers were printed as integers.
Some long variables were missing "l" prefix (especially with regard to %x
format).

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-27 11:05:16 +02:00
Maciej S. Szmigiero 7f778ccff8 Fix most of warnings shown when building on Linux and mingw
This commit fixes most of warnings shown by GCC on 64-bit Linux, 32-bit and
64-bit mingw builds (with SM and OpenSSL enabled).

These warnings were mostly caused by missing casts.

In minidriver there was also a bit of unused variables and dead code.

Remaining warnings on mingw are mostly caused by GCC not recognizing on
this platform "ll" size specifier (present at least since
Visual Studio 2005, also in mingw own CRT) and "z" size specifier (this one
will be fixed in next commits).

There is also a warning about pointer truncation on Win64 when making
PKCS#11 object handle from pointer to this object.
This is a legitimate warning, since it could result in the same handles
being generated from different pointers and so from different objects.

Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
2017-03-27 10:58:26 +02:00
Nuno Goncalves 3635dbe78a pkcs11: remove redundant validation of PIN length
PIN length validation is done at pkcs15 layer and shall be done only there.

Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
2017-02-04 22:44:26 +01:00
Frank Morgner 24b7507a69 pkcs11: don't shrink the number of slots
... as required by PKCS#11 2.30, if the application doesn't call
`C_GetSlotList` with `NULL`.

Fixes ghost tokens in Firefox when detaching a reader that contained a
card.

Fixes https://github.com/OpenSC/OpenSC/issues/629
2017-01-09 08:35:42 +01:00
Frank Morgner 526ae18696 PKCS#11: Don't use ':' in the token name
Fixes https://github.com/OpenSC/OpenSC/issues/849
2016-09-01 01:25:29 +02:00
carblue 1ab99f3756 pkcs11-tool: in 4rd test use other signature keys
also increase signature buffer in framework-pkcs15

closes #814
2016-07-24 19:26:10 +02:00
Frank Morgner 2f10de4f5c use sc_pkcs15_get_pin_info in C_GetTokenInfo
introduced paramter to signal back the login state
- used for the pin command SC_PIN_CMD_GET_INFO
- implemented in accordance to ISO 7816-4; all other implementations
  are currently set to an unknown login state

implemented and exporeted sc_pkcs15_get_pin_info

use sc_pkcs15_get_pin_info in C_GetTokenInfo

C_GetSessionInfo: Check whether a logout was done

Closes https://github.com/OpenSC/OpenSC/pull/624

rebased by @viktorTarasov
2016-07-17 14:07:43 +02:00
Raul Metsma 22f9ad704a Move PIN type label front of description
With very long labels it is unable identify which PIN Firefox is asking.
PKCS11 label is 32 char's and it gets truncated.

Current format "LABEL (PIN1)"
New format "PIN1: LABEL"
2016-04-13 13:57:32 +03:00
Ludovic Rousseau 89ec66fbe8 framework-pkcs15.c: fix compiler warning
framework-pkcs15.c:706:1: warning: unused function
      '__pkcs15_create_secret_key_object' [-Wunused-function]
__pkcs15_create_secret_key_object(struct pkcs15_fw_data *fw_data,
^
2016-02-29 20:19:42 +01:00
Viktor Tarasov b8c3722bf5 pkcs11/framework: no more 'for-applications' mode for slot creation
Simplify create tokens rules, no need to manipulate applications in
'pkcs11' configuration part,
applications can be enabled/disabled on the 'pkcs15' one.

Fix the possibility to expose only 'sign' PIN
2016-02-24 13:39:27 +01:00
Frank Morgner 89f9d9e85d add compatibility implementation for strnlen
fixes https://github.com/OpenSC/OpenSC/issues/660
2016-01-20 10:47:27 +01:00
Frank Morgner e8d8f9f2bb Merge pull request #650 from vletoux/pkcs11-crash-when-read-public-key-fails
fix a pkcs11 crash when the public key reading fails

fixes #649
2016-01-06 07:30:15 +01:00
LE TOUX Vincent 6e5ae841eb fix a pkcs11 crash when the public key reading fails 2016-01-02 09:31:36 +01:00
Uri Blumenthal 76ed06981b Made sure attribute CKA_TOKEN is set to TRUE. 2015-12-22 13:31:42 -05:00
Uri Blumenthal 2b6b0ee05a According to PKCS#11 standard, public key should not have the
attribute CKA_SENSITIVE set to TRUE. This attribute is for
private and secret keys only.
2015-12-21 12:11:48 -05:00
Frank Morgner 5129c5a060 Fixed memory leaks 2015-12-09 08:22:45 +01:00
Frank Morgner 1046d951ba framework-pkcs15.c: fixed accessing label in sc_pkcs15_object_t 2015-10-04 17:33:14 +02:00
Frank Morgner d551f9a8e0 avoid registering pkcs11 mechanisms multiple times
fixes #349
2015-09-07 09:53:02 +02:00
Doug Engert b48fa70308 sc_pkcs11_card improvements
This is name change only fix.

    The variable name "card" was being used to refer to a struct sc_card or a struct sc_pkcs11_card
    in some files including sc_pkcs11.h. In other files the variable name "p11card" is used for struct sc_pkcs11_card.
    This creates hard to read code, such as: slot->card->card.

    All definitations of sc_pkcs11_card *card now use p11card as the variable name.

Fix #471
2015-05-24 11:41:29 +02:00
Philip Wendland 78e434da93 register EC mechanisms with flags independent of RSA flags
Prior to this commit, all hashes registered for RSA or other key types were
registered for ECDSA as well.

register ECDH mechanism only when supported by card

ECDH should only be registered if the card driver sets the
SC_ALGORITHM_ECDH_CDH_RAW flag.

register software PKCS#1 (1.5) padding only when RAW RSA is supported by card

If OpenSC supports PSS/OAEP padding or other padding mechanisms in
future, and there would be a card that enforces hardware PSS/OAEP
padding, the PKCS#1 v1.5 padding mechanism should not be registered.
2015-05-08 20:45:27 +02:00
Frank Morgner e338b7c1ab framework-pkcs15: fixed memory leak when encoding pubkey 2015-05-08 09:11:55 +02:00
Frank Morgner e84951a5bf fix resource leaks in while registering PKCS#11 mechanisms
introduces a free_mech_data for sc_pkcs11_mechanism_type_t to clear the
mechanisms private memory
2015-05-08 09:11:55 +02:00
Viktor Tarasov 6f6286de99 pkcs11: generate EC key: use allocated EC params
For internal use allocate and copy the EC params data from the caller's template,
rather then use them directly as a pointer in internal public key data.
2015-03-04 19:47:13 +01:00
Viktor Tarasov fa923831f8 introduce EC curve OID into algorithm info data
needed to store information about EC curve supported by card.
Primary usage is when importing/generating key to get know if particular curve is supported by card.
2015-02-20 13:49:18 +01:00
Thomas Calderon 22fb49b554 PKCS#11: Improve compliance for public keys.
* Key usage required when calling C_CreateObject for public key are not used.
    This adds the logic to convert from PKCS#11 attributes to PKCS#15 in the
    structure that is sent to underlying _store_pubkey functions.
2015-02-07 20:17:12 +01:00
Viktor Tarasov 96265e6d08 pkcs15init: superpluous 'ec-params' in init data
Pkcs15init data, used to import/generate key objects, includes twice the same EC parameters data:
 - explicit 'params' data
 - part of sc_pkcs15_pubkey/sc_pkcs15_prkey
Explicit 'ec-params' data is removed.
2015-02-07 20:00:41 +01:00
Frank Morgner 11881a61b8 removed/fixed dead code 2015-02-05 01:38:41 +01:00
Frank Morgner 6759c04b26 don't ignore errors 2015-01-28 04:45:08 +01:00
Frank Morgner 77752f442d fixed unused value 2015-01-28 05:47:20 +01:00
Frank Morgner 7a34c204c1 fixed dereference before null check
silence warnings reported by coverity-scan
2015-01-22 20:29:33 +01:00
Mathias Brossard 17c1cffb3d Fix typo on CKF_EC_UNCOMPRESS 2015-01-20 23:14:50 -08:00
Thomas Calderon ed87ea38b9 PKCS#11: Fetch real value of CKA_LOCAL for pubkey
* Fetch value from pub_info structure for CKA_LOCAL attribute.
2015-01-14 17:38:08 +01:00
Thomas Calderon d727acb47a PKCS#11: Remove inconsistent attributes
* Improve compliance related to PKCS#11 attribute fetching.
2015-01-14 17:22:43 +01:00
Thomas Calderon 4915eaa56b Improve PKCS#11 compliance. Issue #335
* This simple patch allows for values of PKCS#11 attributes to be fetched
  from the underlying card.
2015-01-05 14:00:22 +01:00
Doug Engert fd22098e19 Public certs and pubkeys with an auth_id are treated as private (See #291)
Code to test for an auth_id for certs and pubkeys was removed.
See: PKCS#15 section 4.1.3 Access methods

This is conseritive change and all objects could be treaded the same.
2014-11-01 14:02:39 -05:00
Doug Engert 189e998486 PKCS#11 hashes for cards without RAW (see #241)
The framework-pkcs15.c did not add hashes correctly if the card did not support RSA RAW.
    This change fixes that and only adds hashes if the card did not specify a list of hashes.
    It also will not add hashes done in software if ENABLE_OPENSSL is not specified.
    Some error conditions are also tested for EC mechanisms.

    See bug report #241 for more information.
2014-10-13 10:29:27 -05:00
Andreas Schwier be200ab3c8 Merge pull request #282 from CardContact/fix-deleted-related-public-key
framework-pkcs15: Duplicate public key related to private key rather than referencing the framework object

Referencing the related public key is required to return PKCS#11 attributes for a private key only available
in the public key object (i.e. CKA_MODULUS). This patch adds a copy of the public key to the private key object rather than
referencing the public key object in the framework. This prevents SEGV when the public key framework object
is deleted with C_DestroyObject, but the reference from the public key remains intact.

The bug leads to all kind of stability problems when keys are created and deleted in the same session.

The patch is in particular important if OpenSC is used with EJBCA or any other application using the
SUN PKCS#11 provider: When generating key pairs, then the public key object is eventually garbage collected
which removes the related object in the PKCS#11 module. Because there is no fixed time for this operation,
corruption occurs at random.

In a next step, the remaining related_xxx fields in sc_pkcs11_object should be revised and possibly removed.

framework: Added more error checking
2014-09-07 23:47:24 +02:00
Andreas Schwier e6505b3d9c pkcs11: Fixed wrong reference to PIN object in C_SetPIN() for SO-PIN 2014-09-07 22:11:39 +02:00