From 1cdeded8311e24828831e7dbb4c9f8d3981528c7 Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Fri, 6 Nov 2015 15:56:13 +0100 Subject: [PATCH 1/4] YKCS11: turn off debug by default and make it a configure option (--enable-ykcs11-debug). --- configure.ac | 14 ++++++++++++++ ykcs11/debug.h | 3 --- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index f51533e..a291019 100644 --- a/configure.ac +++ b/configure.ac @@ -182,6 +182,19 @@ if test "$gl_gcc_warnings" = yes; then gl_WARN_ADD([-fdiagnostics-show-option]) fi +AC_ARG_ENABLE([ykcs11-debug], + [AS_HELP_STRING([--enable-ykcs11-debug], + [enables YKCS11 debug messages])], + [enable_ykcs11_debug="$enableval"], + [enable_ykcs11_debug="no"]) + +AS_IF([test "x$enable_ykcs11_debug" != xno], + [AC_DEFINE([YKCS11_DBG], [1], [Regular debug flag]) + AC_DEFINE([YKCS11_DINOUT], [1], [Function accessed/left debug flag])], + [true], + [AC_DEFINE([YKCS11_DBG], [0], [Regular debug flag]) + AC_DEFINE([YKCS11_DINOUT], [0], [Function accessed/left debug flag])]) + AC_SUBST(YKPIV_VERSION_MAJOR, `echo $PACKAGE_VERSION | sed 's/\(.*\)\..*\..*/\1/g'`) AC_SUBST(YKPIV_VERSION_MINOR, `echo $PACKAGE_VERSION | sed 's/.*\.\(.*\)\..*/\1/g'`) AC_SUBST(YKPIV_VERSION_PATCH, `echo $PACKAGE_VERSION | sed 's/.*\..*\.\(.*\)/\1/g'`) @@ -223,4 +236,5 @@ AC_MSG_NOTICE([summary of build options: LIBS: ${PCSC_WIN_LIBS} Mac PCSC LIBS: ${PCSC_MACOSX_LIBS} + ]) diff --git a/ykcs11/debug.h b/ykcs11/debug.h index 84ab9ce..ec475c9 100644 --- a/ykcs11/debug.h +++ b/ykcs11/debug.h @@ -1,9 +1,6 @@ #ifndef DEBUG_H #define DEBUG_H -#define YKCS11_DBG 1 // General debug, must be either 1 or 0 -#define YKCS11_DINOUT 1 // Function in/out debug, must be either 1 or 0 - #define D(x...) do { \ fprintf (stderr, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ fprintf (stderr, x); \ From c2a528e3f7c49f41016a23ad6a1132ffe940c743 Mon Sep 17 00:00:00 2001 
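Review bot: The `[true]` passed as the third argument of `AS_IF` is parsed as a second test, not as the else-branch, so the `[0]` definitions are reached only because `true` always succeeds. Dropping it gives the plain three-argument form `AS_IF([test "x$enable_ykcs11_debug" != xno], [...], [...])`. The test also treats every value other than `no` as enabling debug, so `--enable-ykcs11-debug=0` switches it on. A debug build writes the data being signed to stderr (the `dump_hex` calls in ykcs11/ykcs11.c, patch 3/4), so the `AC_MSG_NOTICE` summary should report the setting, for example with a line `YKCS11 debug: ${enable_ykcs11_debug}`. The second hunk of this file adds only a blank line there.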
From: Alessio Di Mauro Date: Fri, 6 Nov 2015 16:00:17 +0100 Subject: [PATCH 2/4] YKCS11: update docs. --- doc/YKCS11_release_notes.adoc | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/doc/YKCS11_release_notes.adoc b/doc/YKCS11_release_notes.adoc index e53609d..206251d 100644 --- a/doc/YKCS11_release_notes.adoc +++ b/doc/YKCS11_release_notes.adoc @@ -126,7 +126,13 @@ valid information except for the public key. DEBUGGING ^^^^^^^^^ -By default the module has debugging enabled. This is _highly_ verbose -and might be confusing. In order to disable it, the two macros -`YKCS11_DBG` and `YKCS11_DINOUT` in the file `debug.h` should be set -to `0`. Once this is done the module must be recompiled. +By default the module has debugging disabled. This is _highly_ verbose +and might be confusing. In order to enabled it rebuild the project as +follows: + +---- +yubico-piv-tool$ autoreconf --install +yubico-piv-tool$ ./configure --enable-ykcs11-debug +yubico-piv-tool$ make +yubico-piv-tool$ sudo make install +---- From 46455168a2d1021ca25e0b8d19061784a6ff55df Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Fri, 6 Nov 2015 16:09:02 +0100 Subject: [PATCH 3/4] YKCS11: print out signature related data only if debug is enabled. --- ykcs11/ykcs11.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c index 9b6bf51..739df2b 100644 --- a/ykcs11/ykcs11.c +++ b/ykcs11/ykcs11.c @@ -1784,7 +1784,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( } DBG("Sending %lu bytes to sign", ulDataLen); +#if YKCS11_DBG == 1 dump_hex(pData, ulDataLen, stderr, CK_TRUE); +#endif if (is_hashed_mechanism(op_info.mechanism.mechanism) == CK_TRUE) { if (apply_sign_mechanism_update(&op_info, pData, ulDataLen) != CKR_OK) { 
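Review bot: The `#if YKCS11_DBG == 1` / `#endif` pair around `dump_hex(pData, ulDataLen, stderr, CK_TRUE);` is repeated by hand in the three later hunks of this file (at -1824, -1843 and -1851), so a `dump_hex` added to C_Sign later without the pair would again write signing input to stderr in non-debug builds. A single wrapper next to `DBG` in debug.h would keep the guard in one place, for example `#define DBG_HEX(p, n) do { if (YKCS11_DBG) dump_hex((p), (n), stderr, CK_TRUE); } while (0)` (a suggested name, not an existing macro), with the call sites reduced to `DBG_HEX(pData, ulDataLen);`. Separately, `#if YKCS11_DBG == 1` evaluates to false without any diagnostic if the generated config header is not included before this point, which cannot be checked from the hunk. The body of C_Sign starts and ends outside the hunk.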
@@ -1824,7 +1826,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( DBG("Using key %lx", op_info.op.sign.key_id); DBG("After padding and transformation there are %lu bytes", op_info.buf_len); +#if YKCS11_DBG == 1 dump_hex(op_info.buf, op_info.buf_len, stderr, CK_TRUE); +#endif *pulSignatureLen = sizeof(op_info.buf); @@ -1843,7 +1847,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( } DBG("Got %lu bytes back", *pulSignatureLen); +#if YKCS11_DBG == 1 dump_hex(pSignature, *pulSignatureLen, stderr, CK_TRUE); +#endif if (!is_RSA_mechanism(op_info.mechanism.mechanism)) { // ECDSA, we must remove the DER encoding and only return R,S @@ -1851,7 +1857,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( strip_DER_encoding_from_ECSIG(pSignature, pulSignatureLen); DBG("After removing DER encoding %lu", *pulSignatureLen); +#if YKCS11_DBG == 1 dump_hex(pSignature, *pulSignatureLen, stderr, CK_TRUE); +#endif } op_info.type = YKCS11_NOOP; From 94f8d57af94a3bba3c04f37ef0bd0b1e662e3c32 Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Fri, 6 Nov 2015 16:10:35 +0100 Subject: [PATCH 4/4] YKCS11: minor fix. --- ykcs11/yubico_token.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ykcs11/yubico_token.c b/ykcs11/yubico_token.c index 25da01a..7210a29 100644 --- a/ykcs11/yubico_token.c +++ b/ykcs11/yubico_token.c @@ -123,7 +123,7 @@ CK_RV YUBICO_get_token_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len) { return CKR_OK; } -#include "debug.h" + CK_RV YUBICO_get_token_model(ykpiv_state *state, CK_UTF8CHAR_PTR str, CK_ULONG len) { char buf[16];
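Review bot: The unchanged line `*pulSignatureLen = sizeof(op_info.buf);` at the end of the -1824 hunk overwrites the caller-supplied length of `pSignature` before the signature is produced. If no earlier check compared the caller's value with the expected signature size, the later write into `pSignature` is bounded by the module's internal buffer size, not by the caller's buffer. Both that check and the signing call lie outside the hunk, so this needs confirming against the full function. If the check is absent, keep the incoming value in a local and return `CKR_BUFFER_TOO_SMALL` when it is smaller than the signature.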