108 Commits

Author SHA1 Message Date
Peter Jones a4c64c8c21 Initialize C_Initialize's reader list to NULs.
valgrind --track-origins=true says:

==13529== Conditional jump or move depends on uninitialised value(s)
==13529==    at 0x4AF92D1: PK11_MakeString (pk11slot.c:1073)
==13529==    by 0x4AFA5AA: PK11_InitSlot (pk11slot.c:1456)
==13529==    by 0x4AE315E: secmod_LoadPKCS11Module (pk11load.c:563)
==13529==    by 0x4AEF68C: SECMOD_LoadModule (pk11pars.c:1838)
==13529==    by 0x4AEF7C7: SECMOD_LoadModule (pk11pars.c:1874)
==13529==    by 0x4ABCB6A: nss_InitModules (nssinit.c:464)
==13529==    by 0x4ABCB6A: nss_Init (nssinit.c:689)
==13529==    by 0x4ABD17C: NSS_Init (nssinit.c:824)
==13529==    by 0x4059C0: main (pesign.c:354)
==13529==  Uninitialised value was created by a stack allocation
==13529==    at 0x484D175: C_Initialize (in /usr/lib64/libykcs11.so.1.5.0)

This is the result of a combination of two problems.  In
ykcs11/utils.c:parse_readers(), the code does:

  for (i = 0; i < len; i++)
    if (readers[i] == '\0' && i != len - 1) {

But in ykcs11/ykcs11.c:C_Initialize(), the parts of readers[] that are
initialized are only the parts that have been populated; the rest of
the array is still just whatever value is on the stack.  Additionally,
in lib/ykpiv.c:ykpiv_list_readers(), which populates the array, the
length is updated only in the case where the buffer is smaller than the
data, not when there is additional buffer but no data:

  if (num_readers > *len) {
    num_readers = (pcsc_word)*len;
  }

The result is that if the amount of reader data is smaller than 2048
bytes, PK11_InitSlot() will try to find reader data in the rest of the
array, which has not been initialized.

This patch adds an initialization for the data to set it all '\0', and
also updates the length when there is excess buffer available.

Signed-off-by: Peter Jones <pjones@redhat.com>
2019-05-21 11:01:24 -04:00
Dave Pate c61d6c6f23 lib: warn, but don't fail on error reading serial number or version
lib: fix Windows build with OpenSSL 1.1.1
ykcs11: fix size_t/unsigned long type mismatch on Windows x64
2019-05-06 14:46:46 -07:00
Gabriel Kihlman bc2f161c51 Initialize buf to 0 to make a code scanner happy 2019-03-06 15:16:56 +01:00
Gabriel Kihlman f60d2d4ff8 Do not assign variable twice 2019-03-06 14:32:42 +01:00
Gabriel Kihlman 3f7f2b633b Remove duplicate check on op_info.type != YKCS11_SIGN 2019-03-06 14:31:04 +01:00
Alessio Di Mauro 5749371432 ykcs11: use a large enough buffer when writing EC signatures 2019-01-07 11:03:52 +01:00
Trevor Bentley 9a7ccf48fa Fix all clang scan-build warnings 2017-10-23 16:25:56 +02:00
Hannes Mehnert 03849d9722 alias RSA type, call openssl functions only in openssl_utils.c 2017-03-29 23:01:17 +01:00
Hannes Mehnert 847b0b4267 fix PSS signing support 2017-03-26 19:13:07 +02:00
Alessio Di Mauro 127227fe4c Better approximation for signature size
Relates to #98.
2016-10-05 16:39:58 +02:00
Alessio Di Mauro af78e18151 Always set number of slots
Relates to #98.
2016-10-05 16:39:58 +02:00
Simon Josefsson 89bec1260a Improve license headers. 2016-08-12 15:30:06 +02:00
Klas Lindfors e7b4fc6ccf switch out the pkcs11 headers for the SCUTE pkcs11 header from opensc
create pkcs11y.h for our additional things
2016-08-12 14:00:15 +02:00
Klas Lindfors fead011e71 add copyright and license header 2016-08-12 13:37:56 +02:00
Alessio Di Mauro 89d8a60876 Return CKR_FUNCTION_FAILED for unimplemented func
Closes #84
2016-08-11 14:41:12 +02:00
Mikhail Denisenko 47cb761a7e Fix bugs windows 2016-01-14 11:03:22 -05:00
Klas Lindfors abcce21353 Merge remote-tracking branch 'origin/generic_objects' 2015-12-21 10:42:38 +01:00
Klas Lindfors a143c6d67d remove the util function dump_hex() in favor of dump_data() 2015-12-15 10:27:54 +01:00
Klas Lindfors 35c449e374 change multiplication of minor to 10 so we don't overflow
possibly temporary fix..
2015-12-14 12:48:28 +01:00
Mikhail Denisenko 6042a2140e Implemented C_SetPIN 2015-12-11 13:23:38 -05:00
Alessio Di Mauro bfda53303c YKCS11: update cert buffer size. 2015-12-03 10:47:49 -08:00
denisenkom 9d4ff79dd6 Update ykcs11.c
According to PKCS11 spec CKR_SESSION_READ_ONLY_EXISTS should only be returned by C_Login when SO user is logging in.

From spec:
If the application calling C_Login has a R/O session open with the token, then it will be unable to log the SO into a session (see [PKCS11-UG] for further details).  An attempt to do this will result in the error code CKR_SESSION_READ_ONLY_EXISTS.
2015-12-01 13:26:33 -05:00
Alessio Di Mauro 721ad03e35 Fix parameter check in SignInit. 2015-11-27 15:43:32 +01:00
Alessio Di Mauro 8b0ed073d3 YKCS11: Return the object handler after importing certs/keys. 2015-11-27 15:43:32 +01:00
Alessio Di Mauro 8566e50f0c Typo 2015-11-27 15:43:31 +01:00
Alessio Di Mauro 8e3314ab42 Switch ykcs11 to use private key import from libykpiv. 2015-11-19 18:30:58 +01:00
Alessio Di Mauro 4b88b8e8fd Remove debug print. 2015-11-12 03:21:58 +01:00
Alessio Di Mauro a853902bcb YKCS11: more elaborate solution for stripping DER encoding from ECDSA signatures.
It is possible to receive different padding length for r and s, where their length
is [-1, 1] wrt the component length. Take this into account.
2015-11-12 03:07:35 +01:00
Alessio Di Mauro 46455168a2 YKCS11: print out signature related data only if debug is enabled. 2015-11-06 16:09:02 +01:00
Alessio Di Mauro 71bd376a39 YKCS11: expose module version. 2015-11-06 11:02:11 +01:00
Alessio Di Mauro fc9ebe996f YKCS11: remove some warnings. 2015-11-06 11:02:11 +01:00
Alessio Di Mauro 602208bf20 YKCS11: Change DBG to print to stderr. 2015-11-05 16:35:15 +01:00
Alessio Di Mauro 98f3462e5e YKCS11: Remove some useless comments. 2015-11-05 14:26:29 +01:00
Alessio Di Mauro f3bd827100 YKCS11: add more precondition checks during SignInit. 2015-11-05 14:09:22 +01:00
Alessio Di Mauro dcc2545a4c YKCS11: added certificate deletion. 2015-11-04 14:02:29 +01:00
Alessio Di Mauro e6bca9b332 YKCS11: Suppress some warnings. 2015-10-28 11:43:41 +01:00
Alessio Di Mauro b7c0e8ea6b YKCS11: added support for touch and PIN policy during generate. 2015-10-28 11:34:42 +01:00
Alessio Di Mauro a9ddf3e3b2 Added support for touch and change policy during key import. 2015-10-27 17:33:30 +01:00
Alessio Di Mauro a24727fd44 Move login into common functions. 2015-09-24 11:40:17 +02:00
Alessio Di Mauro 29bddc33b4 Fix return value check on parse_readers. 2015-09-24 11:39:47 +02:00
Alessio Di Mauro 4b668502ee Minor fixes. 2015-09-17 17:05:29 +02:00
Alessio Di Mauro bd6e6db138 Add parsing of model number. 2015-09-09 16:31:25 +02:00
Alessio Di Mauro 44dae19348 Improve support for multiple readers/cards. 2015-09-09 15:42:14 +02:00
Alessio Di Mauro d820c314c4 Free more. 2015-09-09 13:16:45 +02:00
Alessio Di Mauro d793f200bb Merge branch 'development' of gitlab.yubico.com:/Yubico/yubico-piv-tool into development
Conflicts:
	ykcs11/ykcs11.c
2015-09-08 18:04:45 +02:00
Alessio Di Mauro 99ebfdf37c Added support for CKU_CONTEXT_SPECIFIC. 2015-09-08 18:00:48 +02:00
Klas Lindfors 49eab7dbfa drop ykpiv_sign_data2() and change ykpiv_sign_data() to not pad 2015-09-08 15:29:10 +02:00
Klas Lindfors 8eb7595d42 add list-readers action to tool
also refactor ykpiv_list_readers() a bit
2015-09-08 12:26:42 +02:00
Klas Lindfors 1a9e62cec8 drop ykpiv_connect2() and add ykpiv_list_readers() 2015-09-07 15:54:57 +02:00
Alessio Di Mauro ee2a364c15 More cleanup. 2015-09-02 16:06:50 +02:00
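
The failure mode described in the message of commit a4c64c8c21 at the top of this list, shown as an added example that is not code from the project. It is a simplified model: `fill_readers`, `count_readers` and `scan` are hypothetical names, the reader names are constructed, and stale stack contents are simulated with a fixed byte pattern.

```c
#include <stddef.h>
#include <string.h>

#define READER_BUF 2048 /* buffer size named in the commit message */

/* Hypothetical reader source: writes a constructed multi-string
   ("name\0name\0\0") and returns the number of bytes written. */
static size_t fill_readers(char *buf, size_t cap) {
  static const char data[] = "Reader A\0Reader B\0"; /* literal adds the final NUL */
  size_t n = sizeof(data) < cap ? sizeof(data) : cap;
  memcpy(buf, data, n);
  return n;
}

/* Simplified model of the scan quoted in the message: count non-empty
   names that end at a NUL within the first len bytes. */
static int count_readers(const char *readers, size_t len) {
  size_t i, start = 0;
  int n = 0;
  for (i = 0; i < len; i++)
    if (readers[i] == '\0' && i != len - 1) {
      if (i > start) n++;
      start = i + 1;
    }
  return n;
}

/* zero_first: clear the buffer before use; trust_written: scan only the
   bytes the source reported instead of the whole buffer. */
static int scan(int zero_first, int trust_written) {
  char readers[READER_BUF];
  size_t written;
  /* Simulate stale stack contents deterministically (reading truly
     uninitialised memory would be undefined behaviour). */
  memset(readers, 'X', sizeof(readers));
  memcpy(readers + 100, "old", 4);
  if (zero_first) memset(readers, 0, sizeof(readers));
  written = fill_readers(readers, sizeof(readers));
  return count_readers(readers, trust_written ? written : sizeof(readers));
}

int main(void) {
  /* before: stale tail scanned; after: zeroed buffer and exact length */
  return (scan(0, 0) == 3 && scan(1, 1) == 2) ? 0 : 1;
}
```

In this model the stale tail produces a third, phantom reader, while zeroing the buffer or scanning only the populated length each brings the count back to two.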