IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix memory leaks in ipap11helper

Browse Source 
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This commit is contained in:
Martin Basti 2015-02-24 19:25:31 +01:00 committed by Tomas Babej
parent c411d6a908
commit 508ad92b71
1 changed files with 194 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

311
ipapython/ipap11helper/p11helper.c
View File

@ -160,6 +160,12 @@ static PyObject *ipap11helperDuplicationError; //key already exists
* Support functions * Support functions
*/ */
#define GOTO_FAIL \
do { \
error = 1; \
goto final; \
} while(0);
CK_BBOOL* pyobj_to_bool(PyObject* pyobj) { CK_BBOOL* pyobj_to_bool(PyObject* pyobj) {
if (PyObject_IsTrue(pyobj)) if (PyObject_IsTrue(pyobj))
return &true; return &true;
@ -200,9 +206,11 @@ unsigned char* unicode_to_char_array(PyObject *unicode, Py_ssize_t *l) {
/* Copy string first, then DECREF /* Copy string first, then DECREF
* https://docs.python.org/2/c-api/string.html#c.PyString_AS_STRING * https://docs.python.org/2/c-api/string.html#c.PyString_AS_STRING
*/ */
result = (unsigned char *) malloc((size_t) *l); result = (unsigned char *) PyMem_Malloc((size_t) *l);
if (result == NULL){ if (result == NULL){
PyErr_SetString(ipap11helperError, "Memory allocation error"); Py_DECREF(utf8_str);
PyErr_NoMemory();
return NULL;
} else { } else {
memcpy(result, bytes, *l); memcpy(result, bytes, *l);
} }
@ -689,7 +697,9 @@ P11_Helper_generate_master_key(P11_Helper* self, PyObject *args, PyObject *kwds)
PyObject *label_unicode = NULL; PyObject *label_unicode = NULL;
Py_ssize_t label_length = 0; Py_ssize_t label_length = 0;
CK_BYTE *label = NULL;
int r; int r;
int error = 0;
static char *kwlist[] = { "subject", "id", "key_length", "cka_copyable", static char *kwlist[] = { "subject", "id", "key_length", "cka_copyable",
"cka_decrypt", "cka_derive", "cka_encrypt", "cka_extractable", "cka_decrypt", "cka_derive", "cka_encrypt", "cka_extractable",
"cka_modifiable", "cka_private", "cka_sensitive", "cka_sign", "cka_modifiable", "cka_private", "cka_sensitive", "cka_sign",
@ -711,26 +721,26 @@ P11_Helper_generate_master_key(P11_Helper* self, PyObject *args, PyObject *kwds)
return NULL; return NULL;
} }
CK_BYTE *label = (unsigned char*) unicode_to_char_array(label_unicode, label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); &label_length);
if (label == NULL) GOTO_FAIL;
CK_MECHANISM mechanism = { //TODO param? CK_MECHANISM mechanism = { //TODO param?
CKM_AES_KEY_GEN, NULL_PTR, 0 }; CKM_AES_KEY_GEN, NULL_PTR, 0 };
if ((key_length != 16) && (key_length != 24) && (key_length != 32)) { if ((key_length != 16) && (key_length != 24) && (key_length != 32)) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"generate_master_key: key length allowed values are: 16, 24 and 32"); "generate_master_key: key length allowed values are: 16, 24 and 32");
return NULL; GOTO_FAIL;
} }
//TODO free label if check failed
//TODO is label freed inside???? dont we use freed value later
r = _id_exists(self, id, id_length, CKO_SECRET_KEY); r = _id_exists(self, id, id_length, CKO_SECRET_KEY);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Master key with same ID already exists"); "Master key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
/* Process keyword boolean arguments */ /* Process keyword boolean arguments */
@ -758,9 +768,13 @@ P11_Helper_generate_master_key(P11_Helper* self, PyObject *args, PyObject *kwds)
rv = self->p11->C_GenerateKey(self->session, &mechanism, symKeyTemplate, rv = self->p11->C_GenerateKey(self->session, &mechanism, symKeyTemplate,
sizeof(symKeyTemplate) / sizeof(CK_ATTRIBUTE), &master_key); sizeof(symKeyTemplate) / sizeof(CK_ATTRIBUTE), &master_key);
if (!check_return_value(rv, "generate master key")) if (!check_return_value(rv, "generate master key")){
return NULL; GOTO_FAIL;
}
final:
if (label != NULL) PyMem_Free(label);
if (error) return NULL;
return Py_BuildValue("k", master_key); return Py_BuildValue("k", master_key);
} }
@ -779,6 +793,8 @@ P11_Helper_generate_replica_key_pair(P11_Helper* self, PyObject *args,
int id_length = 0; int id_length = 0;
PyObject* label_unicode = NULL; PyObject* label_unicode = NULL;
Py_ssize_t label_length = 0; Py_ssize_t label_length = 0;
CK_BYTE *label = NULL;
int error = 0;
PyObj2Bool_mapping_t attrs_pub[] = { { NULL, &true }, //pub_en_cka_copyable PyObj2Bool_mapping_t attrs_pub[] = { { NULL, &true }, //pub_en_cka_copyable
{ NULL, &false }, //pub_en_cka_derive { NULL, &false }, //pub_en_cka_derive
@ -845,30 +861,29 @@ P11_Helper_generate_replica_key_pair(P11_Helper* self, PyObject *args,
return NULL; return NULL;
} }
CK_BYTE *label = unicode_to_char_array(label_unicode, &label_length); label = unicode_to_char_array(label_unicode, &label_length);
if (label == NULL) GOTO_FAIL;
CK_OBJECT_HANDLE public_key, private_key; CK_OBJECT_HANDLE public_key, private_key;
CK_MECHANISM mechanism = { CK_MECHANISM mechanism = {
CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 }; CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0 };
//TODO free variables
r = _id_exists(self, id, id_length, CKO_PRIVATE_KEY); r = _id_exists(self, id, id_length, CKO_PRIVATE_KEY);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Private key with same ID already exists"); "Private key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
r = _id_exists(self, id, id_length, CKO_PUBLIC_KEY); r = _id_exists(self, id, id_length, CKO_PUBLIC_KEY);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Public key with same ID already exists"); "Public key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
/* Process keyword boolean arguments */ /* Process keyword boolean arguments */
@ -917,9 +932,14 @@ P11_Helper_generate_replica_key_pair(P11_Helper* self, PyObject *args,
privateKeyTemplate, privateKeyTemplate,
sizeof(privateKeyTemplate) / sizeof(CK_ATTRIBUTE), &public_key, sizeof(privateKeyTemplate) / sizeof(CK_ATTRIBUTE), &public_key,
&private_key); &private_key);
if (!check_return_value(rv, "generate key pair")) if (!check_return_value(rv, "generate key pair")){
return NULL; GOTO_FAIL;
}
final:
if (label != NULL) PyMem_Free(label);
if (error) return NULL;
return Py_BuildValue("(kk)", public_key, private_key); return Py_BuildValue("(kk)", public_key, private_key);
} }
@ -930,7 +950,7 @@ static PyObject *
P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) { P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED; CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED;
CK_OBJECT_CLASS *class_ptr = &class; CK_OBJECT_CLASS *class_ptr = &class;
CK_BYTE *id = NULL; //TODO free CK_BYTE *id = NULL;
CK_BBOOL *ckawrap = NULL; CK_BBOOL *ckawrap = NULL;
CK_BBOOL *ckaunwrap = NULL; CK_BBOOL *ckaunwrap = NULL;
int id_length = 0; int id_length = 0;
@ -941,12 +961,13 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
CK_OBJECT_HANDLE *objects = NULL; CK_OBJECT_HANDLE *objects = NULL;
unsigned int objects_len = 0; unsigned int objects_len = 0;
PyObject *result_list = NULL; PyObject *result_list = NULL;
const char *uri_str = NULL; //TODO free? const char *uri_str = NULL;
P11KitUri *uri = NULL; P11KitUri *uri = NULL;
CK_BYTE *label = NULL; //TODO free CK_BYTE *label = NULL;
CK_ATTRIBUTE template_static[MAX_TEMPLATE_LEN]; CK_ATTRIBUTE template_static[MAX_TEMPLATE_LEN];
CK_ATTRIBUTE_PTR template = template_static; CK_ATTRIBUTE_PTR template = template_static;
CK_ULONG template_len = MAX_TEMPLATE_LEN; CK_ULONG template_len = MAX_TEMPLATE_LEN;
int error = 0;
static char *kwlist[] = { "objclass", "label", "id", "cka_wrap", static char *kwlist[] = { "objclass", "label", "id", "cka_wrap",
"cka_unwrap", "uri", NULL }; "cka_unwrap", "uri", NULL };
@ -954,12 +975,13 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
if (!PyArg_ParseTupleAndKeywords(args, kwds, "|iUz#OOs", kwlist, &class, if (!PyArg_ParseTupleAndKeywords(args, kwds, "|iUz#OOs", kwlist, &class,
&label_unicode, &id, &id_length, &cka_wrap_bool, &cka_unwrap_bool, &label_unicode, &id, &id_length, &cka_wrap_bool, &cka_unwrap_bool,
&uri_str)) { &uri_str)) {
return NULL; GOTO_FAIL;
} }
if (label_unicode != NULL) { if (label_unicode != NULL) {
label = (unsigned char*) unicode_to_char_array(label_unicode, label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); //TODO verify signed/unsigned &label_length); //TODO verify signed/unsigned
if (label == NULL) GOTO_FAIL;
} }
if (cka_wrap_bool != NULL) { if (cka_wrap_bool != NULL) {
@ -985,25 +1007,23 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
_fill_template_from_parts(template, &template_len, id, id_length, label, _fill_template_from_parts(template, &template_len, id, id_length, label,
label_length, class_ptr, ckawrap, ckaunwrap); label_length, class_ptr, ckawrap, ckaunwrap);
else { else {
if (!_parse_uri(uri_str, &uri)) if (!_parse_uri(uri_str, &uri)) {
return 0; GOTO_FAIL;
}
template = p11_kit_uri_get_attributes(uri, &template_len); template = p11_kit_uri_get_attributes(uri, &template_len);
/* Do not deallocate URI while you are using the template. /* Do not deallocate URI while you are using the template.
* Template contains pointers to values inside URI! */ * Template contains pointers to values inside URI! */
} }
if (!_find_key(self, template, template_len, &objects, &objects_len)) if (!_find_key(self, template, template_len, &objects, &objects_len)){
return NULL; GOTO_FAIL;
}
if (uri != NULL)
p11_kit_uri_free(uri);
result_list = PyList_New(objects_len); result_list = PyList_New(objects_len);
if (result_list == NULL) { if (result_list == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"Unable to create list with results"); "Unable to create list with results");
free(objects); GOTO_FAIL;
return NULL;
} }
for (int i = 0; i < objects_len; ++i) { for (int i = 0; i < objects_len; ++i) {
@ -1011,13 +1031,16 @@ P11_Helper_find_keys(P11_Helper* self, PyObject *args, PyObject *kwds) {
== -1) { == -1) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"Unable to add to value to result list"); "Unable to add to value to result list");
free(objects);
Py_DECREF(result_list); Py_DECREF(result_list);
return NULL; GOTO_FAIL;
} }
} }
final:
if (label != NULL) PyMem_Free(label);
if (objects != NULL) free(objects);
if (uri != NULL) p11_kit_uri_free(uri);
free(objects); if (error) return NULL;
return result_list; return result_list;
} }
@ -1107,38 +1130,49 @@ P11_Helper_export_RSA_public_key(P11_Helper* self, CK_OBJECT_HANDLE object) {
CK_BYTE_PTR exponent = NULL; CK_BYTE_PTR exponent = NULL;
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY; CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
CK_KEY_TYPE key_type = CKK_RSA; CK_KEY_TYPE key_type = CKK_RSA;
int error = 0;
CK_ATTRIBUTE obj_template[] = { { CKA_MODULUS, NULL_PTR, 0 }, { CK_ATTRIBUTE obj_template[] = { { CKA_MODULUS, NULL_PTR, 0 }, {
CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }, { CKA_CLASS, &class, CKA_PUBLIC_EXPONENT, NULL_PTR, 0 }, { CKA_CLASS, &class,
sizeof(class) }, { CKA_KEY_TYPE, &key_type, sizeof(key_type) } }; sizeof(class) }, { CKA_KEY_TYPE, &key_type, sizeof(key_type) } };
rv = self->p11->C_GetAttributeValue(self->session, object, obj_template, 4); rv = self->p11->C_GetAttributeValue(self->session, object, obj_template, 4);
if (!check_return_value(rv, "get RSA public key values - prepare")) if (!check_return_value(rv, "get RSA public key values - prepare")){
return NULL; GOTO_FAIL;
}
/* Set proper size for attributes*/ /* Set proper size for attributes*/
modulus = (CK_BYTE_PTR) malloc( modulus = (CK_BYTE_PTR) PyMem_Malloc(
obj_template[0].ulValueLen * sizeof(CK_BYTE)); obj_template[0].ulValueLen * sizeof(CK_BYTE));
if (modulus == NULL){
PyErr_NoMemory();
GOTO_FAIL;
}
obj_template[0].pValue = modulus; obj_template[0].pValue = modulus;
exponent = (CK_BYTE_PTR) malloc( exponent = (CK_BYTE_PTR) PyMem_Malloc(
obj_template[1].ulValueLen * sizeof(CK_BYTE)); obj_template[1].ulValueLen * sizeof(CK_BYTE));
if (exponent == NULL){
PyErr_NoMemory();
GOTO_FAIL;
}
obj_template[1].pValue = exponent; obj_template[1].pValue = exponent;
rv = self->p11->C_GetAttributeValue(self->session, object, obj_template, 4); rv = self->p11->C_GetAttributeValue(self->session, object, obj_template, 4);
if (!check_return_value(rv, "get RSA public key values")) if (!check_return_value(rv, "get RSA public key values")){
return NULL; GOTO_FAIL;
}
/* Check if the key is RSA public key */ /* Check if the key is RSA public key */
if (class != CKO_PUBLIC_KEY) { if (class != CKO_PUBLIC_KEY) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"export_RSA_public_key: required public key class"); "export_RSA_public_key: required public key class");
return NULL; GOTO_FAIL;
} }
if (key_type != CKK_RSA) { if (key_type != CKK_RSA) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"export_RSA_public_key: required RSA key type"); "export_RSA_public_key: required RSA key type");
return NULL; GOTO_FAIL;
} }
rsa = RSA_new(); rsa = RSA_new();
@ -1148,7 +1182,7 @@ P11_Helper_export_RSA_public_key(P11_Helper* self, CK_OBJECT_HANDLE object) {
if (n == NULL) { if (n == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"export_RSA_public_key: internal error: unable to convert modulus"); "export_RSA_public_key: internal error: unable to convert modulus");
goto final; GOTO_FAIL;
} }
e = BN_bin2bn((const unsigned char *) exponent, e = BN_bin2bn((const unsigned char *) exponent,
@ -1156,7 +1190,7 @@ P11_Helper_export_RSA_public_key(P11_Helper* self, CK_OBJECT_HANDLE object) {
if (e == NULL) { if (e == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"export_RSA_public_key: internal error: unable to convert exponent"); "export_RSA_public_key: internal error: unable to convert exponent");
goto final; GOTO_FAIL;
} }
/* set modulus and exponent */ /* set modulus and exponent */
@ -1166,13 +1200,14 @@ P11_Helper_export_RSA_public_key(P11_Helper* self, CK_OBJECT_HANDLE object) {
if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed"); "export_RSA_public_key: internal error: EVP_PKEY_set1_RSA failed");
goto final; GOTO_FAIL;
} }
pp_len = i2d_PUBKEY(pkey, &pp); pp_len = i2d_PUBKEY(pkey, &pp);
ret = Py_BuildValue("s#", pp, pp_len); ret = Py_BuildValue("s#", pp, pp_len);
final: if (rsa != NULL) { final:
if (rsa != NULL) {
RSA_free(rsa); // this free also 'n' and 'e' RSA_free(rsa); // this free also 'n' and 'e'
} else { } else {
if (n != NULL) if (n != NULL)
@ -1181,10 +1216,12 @@ P11_Helper_export_RSA_public_key(P11_Helper* self, CK_OBJECT_HANDLE object) {
BN_free(e); BN_free(e);
} }
if (pkey != NULL) if (pkey != NULL) EVP_PKEY_free(pkey);
EVP_PKEY_free(pkey); if (pp != NULL) free(pp);
if (pp != NULL) if (modulus != NULL) PyMem_Free(modulus);
free(pp); if (exponent != NULL) PyMem_Free(exponent);
if (error) return NULL;
return ret; return ret;
} }
@ -1250,36 +1287,43 @@ P11_Helper_import_RSA_public_key(P11_Helper* self, CK_UTF8CHAR *label,
int modulus_len = 0; int modulus_len = 0;
CK_BYTE_PTR exponent = NULL; CK_BYTE_PTR exponent = NULL;
int exponent_len = 0; int exponent_len = 0;
int error = 0;
if (pkey->type != EVP_PKEY_RSA) { if (pkey->type != EVP_PKEY_RSA) {
PyErr_SetString(ipap11helperError, "Required RSA public key"); PyErr_SetString(ipap11helperError, "Required RSA public key");
return NULL; GOTO_FAIL;
} }
rsa = EVP_PKEY_get1_RSA(pkey); rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) { if (rsa == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"import_RSA_public_key: EVP_PKEY_get1_RSA error"); "import_RSA_public_key: EVP_PKEY_get1_RSA error");
return NULL; GOTO_FAIL;
} }
/* convert BIGNUM to binary array */ /* convert BIGNUM to binary array */
modulus = (CK_BYTE_PTR) malloc(BN_num_bytes(rsa->n)); modulus = (CK_BYTE_PTR) PyMem_Malloc(BN_num_bytes(rsa->n));
if (modulus == NULL){
PyErr_NoMemory();
GOTO_FAIL;
}
modulus_len = BN_bn2bin(rsa->n, (unsigned char *) modulus); modulus_len = BN_bn2bin(rsa->n, (unsigned char *) modulus);
if (modulus == NULL) { if (modulus == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"import_RSA_public_key: BN_bn2bin modulus error"); "import_RSA_public_key: BN_bn2bin modulus error");
//TODO free GOTO_FAIL;
return NULL;
} }
exponent = (CK_BYTE_PTR) malloc(BN_num_bytes(rsa->e)); exponent = (CK_BYTE_PTR) PyMem_Malloc(BN_num_bytes(rsa->e));
if (exponent == NULL){
PyErr_NoMemory();
GOTO_FAIL;
}
exponent_len = BN_bn2bin(rsa->e, (unsigned char *) exponent); exponent_len = BN_bn2bin(rsa->e, (unsigned char *) exponent);
if (exponent == NULL) { if (exponent == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"import_RSA_public_key: BN_bn2bin exponent error"); "import_RSA_public_key: BN_bn2bin exponent error");
//TODO free GOTO_FAIL;
return NULL;
} }
CK_ATTRIBUTE template[] = { CK_ATTRIBUTE template[] = {
@ -1304,11 +1348,14 @@ P11_Helper_import_RSA_public_key(P11_Helper* self, CK_UTF8CHAR *label,
rv = self->p11->C_CreateObject(self->session, template, rv = self->p11->C_CreateObject(self->session, template,
sizeof(template) / sizeof(CK_ATTRIBUTE), &object); sizeof(template) / sizeof(CK_ATTRIBUTE), &object);
if (!check_return_value(rv, "create public key object")) if (!check_return_value(rv, "create public key object"))
return NULL; GOTO_FAIL;
if (rsa != NULL) final:
RSA_free(rsa); if (rsa != NULL) RSA_free(rsa);
if (modulus != NULL) PyMem_Free(modulus);
if (exponent != NULL) PyMem_Free(exponent);
if (error) return NULL;
return Py_BuildValue("k", object); return Py_BuildValue("k", object);
} }
@ -1328,6 +1375,7 @@ P11_Helper_import_public_key(P11_Helper* self, PyObject *args, PyObject *kwds) {
Py_ssize_t data_length = 0; Py_ssize_t data_length = 0;
Py_ssize_t label_length = 0; Py_ssize_t label_length = 0;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
int error = 0;
PyObj2Bool_mapping_t attrs_pub[] = { { NULL, &true }, //pub_en_cka_copyable PyObj2Bool_mapping_t attrs_pub[] = { { NULL, &true }, //pub_en_cka_copyable
{ NULL, &false }, //pub_en_cka_derive { NULL, &false }, //pub_en_cka_derive
@ -1362,14 +1410,15 @@ P11_Helper_import_public_key(P11_Helper* self, PyObject *args, PyObject *kwds) {
label = (unsigned char*) unicode_to_char_array(label_unicode, label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); &label_length);
if (label == NULL) GOTO_FAIL;
r = _id_exists(self, id, id_length, CKO_PUBLIC_KEY); r = _id_exists(self, id, id_length, CKO_PUBLIC_KEY);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Public key with same ID already exists"); "Public key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
/* Process keyword boolean arguments */ /* Process keyword boolean arguments */
@ -1381,7 +1430,7 @@ P11_Helper_import_public_key(P11_Helper* self, PyObject *args, PyObject *kwds) {
if (pkey == NULL) { if (pkey == NULL) {
PyErr_SetString(ipap11helperError, PyErr_SetString(ipap11helperError,
"import_public_key: d2i_PUBKEY error"); "import_public_key: d2i_PUBKEY error");
return NULL; GOTO_FAIL;
} }
switch (pkey->type) { switch (pkey->type) {
case EVP_PKEY_RSA: case EVP_PKEY_RSA:
@ -1397,19 +1446,22 @@ P11_Helper_import_public_key(P11_Helper* self, PyObject *args, PyObject *kwds) {
attrs_pub[pub_en_cka_wrap].bool); attrs_pub[pub_en_cka_wrap].bool);
break; break;
case EVP_PKEY_DSA: case EVP_PKEY_DSA:
ret = NULL; error = 1;
PyErr_SetString(ipap11helperError, "DSA is not supported"); PyErr_SetString(ipap11helperError, "DSA is not supported");
break; break;
case EVP_PKEY_EC: case EVP_PKEY_EC:
ret = NULL; error = 1;
PyErr_SetString(ipap11helperError, "EC is not supported"); PyErr_SetString(ipap11helperError, "EC is not supported");
break; break;
default: default:
ret = NULL; error = 1;
PyErr_SetString(ipap11helperError, "Unsupported key type"); PyErr_SetString(ipap11helperError, "Unsupported key type");
} }
if (pkey != NULL) final:
EVP_PKEY_free(pkey); if (pkey != NULL) EVP_PKEY_free(pkey);
if (label != NULL) PyMem_Free(label);
if (error) return NULL;
return ret; return ret;
} }
@ -1426,36 +1478,50 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
CK_ULONG wrapped_key_len = 0; CK_ULONG wrapped_key_len = 0;
CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
/* currently we don't support parameter in mechanism */ /* currently we don't support parameter in mechanism */
PyObject *result = NULL;
int error = 0;
static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL }; static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
//TODO check long overflow //TODO check long overflow
//TODO export method //TODO export method
if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key, if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
&object_wrapping_key, &wrapping_mech.mechanism)) { &object_wrapping_key, &wrapping_mech.mechanism)) {
return NULL; GOTO_FAIL;
} }
// fill mech parameters // fill mech parameters
if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){ if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){
return NULL; GOTO_FAIL;
} }
rv = self->p11->C_WrapKey(self->session, &wrapping_mech, rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
object_wrapping_key, object_key, NULL, &wrapped_key_len); object_wrapping_key, object_key, NULL, &wrapped_key_len);
if (!check_return_value(rv, "key wrapping: get buffer length")) if (!check_return_value(rv, "key wrapping: get buffer length")){
return 0; GOTO_FAIL;
wrapped_key = malloc(wrapped_key_len); }
wrapped_key = PyMem_Malloc(wrapped_key_len);
if (wrapped_key == NULL){
PyErr_NoMemory();
GOTO_FAIL;
}
if (wrapped_key == NULL) { if (wrapped_key == NULL) {
rv = CKR_HOST_MEMORY; rv = CKR_HOST_MEMORY;
if (!check_return_value(rv, "key wrapping: buffer allocation")) if (!check_return_value(rv, "key wrapping: buffer allocation")){
return 0; GOTO_FAIL;
}
} }
rv = self->p11->C_WrapKey(self->session, &wrapping_mech, rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
object_wrapping_key, object_key, wrapped_key, &wrapped_key_len); object_wrapping_key, object_key, wrapped_key, &wrapped_key_len);
if (!check_return_value(rv, "key wrapping: wrapping")) if (!check_return_value(rv, "key wrapping: wrapping")){
return NULL; GOTO_FAIL;
}
result = Py_BuildValue("s#", wrapped_key, wrapped_key_len);
return Py_BuildValue("s#", wrapped_key, wrapped_key_len); final:
if (wrapped_key != NULL) PyMem_Free(wrapped_key);
if (error) return NULL;
return result;
} }
@ -1480,6 +1546,7 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
CK_OBJECT_CLASS key_class = CKO_SECRET_KEY; CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
CK_KEY_TYPE key_type = CKK_RSA; CK_KEY_TYPE key_type = CKK_RSA;
int error = 0;
PyObj2Bool_mapping_t attrs[] = { { NULL, &true }, //sec_en_cka_copyable PyObj2Bool_mapping_t attrs[] = { { NULL, &true }, //sec_en_cka_copyable
{ NULL, &false }, //sec_en_cka_decrypt { NULL, &false }, //sec_en_cka_decrypt
@ -1526,15 +1593,16 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
} }
label = (unsigned char*) unicode_to_char_array(label_unicode, label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); //TODO verify signed/unsigned &label_length);
if (label == NULL) GOTO_FAIL;
r = _id_exists(self, id, id_length, key_class); r = _id_exists(self, id, id_length, key_class);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Secret key with same ID already exists"); "Secret key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
/* Process keyword boolean arguments */ /* Process keyword boolean arguments */
@ -1565,9 +1633,12 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
unwrapping_key_object, wrapped_key, wrapped_key_len, template, unwrapping_key_object, wrapped_key, wrapped_key_len, template,
sizeof(template) / sizeof(CK_ATTRIBUTE), &unwrapped_key_object); sizeof(template) / sizeof(CK_ATTRIBUTE), &unwrapped_key_object);
if (!check_return_value(rv, "import_wrapped_key: key unwrapping")) { if (!check_return_value(rv, "import_wrapped_key: key unwrapping")) {
return NULL; GOTO_FAIL;
} }
final:
if (label != NULL) PyMem_Free(label);
if (error) return NULL;
return Py_BuildValue("k", unwrapped_key_object); return Py_BuildValue("k", unwrapped_key_object);
} }
@ -1593,6 +1664,7 @@ P11_Helper_import_wrapped_private_key(P11_Helper* self, PyObject *args,
CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY; CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
CK_KEY_TYPE key_type = CKK_RSA; CK_KEY_TYPE key_type = CKK_RSA;
int error = 0;
PyObj2Bool_mapping_t attrs_priv[] = { { NULL, &false }, //priv_en_cka_always_authenticate PyObj2Bool_mapping_t attrs_priv[] = { { NULL, &false }, //priv_en_cka_always_authenticate
{ NULL, &true }, //priv_en_cka_copyable { NULL, &true }, //priv_en_cka_copyable
@ -1636,15 +1708,16 @@ P11_Helper_import_wrapped_private_key(P11_Helper* self, PyObject *args,
} }
label = (unsigned char*) unicode_to_char_array(label_unicode, label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); //TODO verify signed/unsigned &label_length);
if (label == NULL) GOTO_FAIL;
r = _id_exists(self, id, id_length, CKO_SECRET_KEY); r = _id_exists(self, id, id_length, CKO_SECRET_KEY);
if (r == 1) { if (r == 1) {
PyErr_SetString(ipap11helperDuplicationError, PyErr_SetString(ipap11helperDuplicationError,
"Secret key with same ID already exists"); "Secret key with same ID already exists");
return NULL; GOTO_FAIL;
} else if (r == -1) { } else if (r == -1) {
return NULL; GOTO_FAIL;
} }
/* Process keyword boolean arguments */ /* Process keyword boolean arguments */
@ -1675,9 +1748,12 @@ P11_Helper_import_wrapped_private_key(P11_Helper* self, PyObject *args,
unwrapping_key_object, wrapped_key, wrapped_key_len, template, unwrapping_key_object, wrapped_key, wrapped_key_len, template,
sizeof(template) / sizeof(CK_ATTRIBUTE), &unwrapped_key_object); sizeof(template) / sizeof(CK_ATTRIBUTE), &unwrapped_key_object);
if (!check_return_value(rv, "import_wrapped_key: key unwrapping")) { if (!check_return_value(rv, "import_wrapped_key: key unwrapping")) {
return NULL; GOTO_FAIL;
} }
final:
if (label != NULL) PyMem_Free(label);
if (error) return NULL;
return PyLong_FromUnsignedLong(unwrapped_key_object); return PyLong_FromUnsignedLong(unwrapped_key_object);
} }
@ -1694,6 +1770,8 @@ P11_Helper_set_attribute(P11_Helper* self, PyObject *args, PyObject *kwds) {
CK_ATTRIBUTE attribute; CK_ATTRIBUTE attribute;
CK_RV rv; CK_RV rv;
Py_ssize_t len = 0; Py_ssize_t len = 0;
CK_UTF8CHAR *label = NULL;
int error = 0;
static char *kwlist[] = { "key_object", "attr", "value", NULL }; static char *kwlist[] = { "key_object", "attr", "value", NULL };
if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkO|", kwlist, &object, &attr, if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkO|", kwlist, &object, &attr,
@ -1730,53 +1808,49 @@ P11_Helper_set_attribute(P11_Helper* self, PyObject *args, PyObject *kwds) {
case CKA_ID: case CKA_ID:
if (!PyString_Check(value)) { if (!PyString_Check(value)) {
PyErr_SetString(ipap11helperError, "String value expected"); PyErr_SetString(ipap11helperError, "String value expected");
ret = NULL; GOTO_FAIL;
goto final;
} }
if (PyString_AsStringAndSize(value, (char **) &attribute.pValue, if (PyString_AsStringAndSize(value, (char **) &attribute.pValue,
&len) == -1) { &len) == -1) {
ret = NULL; GOTO_FAIL;
goto final;
} }
attribute.ulValueLen = len; attribute.ulValueLen = len;
break; break;
case CKA_LABEL: case CKA_LABEL:
if (!PyUnicode_Check(value)) { if (!PyUnicode_Check(value)) {
PyErr_SetString(ipap11helperError, "Unicode value expected"); PyErr_SetString(ipap11helperError, "Unicode value expected");
ret = NULL; GOTO_FAIL;
goto final;
}
attribute.pValue = unicode_to_char_array(value, &len);
/* check for conversion error */
if (attribute.pValue == NULL) {
ret = NULL;
goto final;
} }
label = unicode_to_char_array(value, &len);
/* check for conversion error */
if (label == NULL) GOTO_FAIL;
attribute.pValue = label;
attribute.ulValueLen = len; attribute.ulValueLen = len;
break; break;
case CKA_KEY_TYPE: case CKA_KEY_TYPE:
if (!PyInt_Check(value)) { if (!PyInt_Check(value)) {
PyErr_SetString(ipap11helperError, "Integer value expected"); PyErr_SetString(ipap11helperError, "Integer value expected");
ret = NULL; GOTO_FAIL;
goto final;
} }
unsigned long lv = PyInt_AsUnsignedLongMask(value); unsigned long lv = PyInt_AsUnsignedLongMask(value);
attribute.pValue = &lv; attribute.pValue = &lv;
attribute.ulValueLen = sizeof(unsigned long); attribute.ulValueLen = sizeof(unsigned long);
break; break;
default: default:
ret = NULL;
PyErr_SetString(ipap11helperError, "Unknown attribute"); PyErr_SetString(ipap11helperError, "Unknown attribute");
goto final; GOTO_FAIL;
} }
CK_ATTRIBUTE template[] = { attribute }; CK_ATTRIBUTE template[] = { attribute };
rv = self->p11->C_SetAttributeValue(self->session, object, template, 1); rv = self->p11->C_SetAttributeValue(self->session, object, template, 1);
if (!check_return_value(rv, "set_attribute")) if (!check_return_value(rv, "set_attribute"))
ret = NULL; GOTO_FAIL;
final: final:
if (label != NULL) PyMem_Free(label);
Py_XINCREF(ret); Py_XINCREF(ret);
if (error) return NULL;
return ret; return ret;
} }
@ -1791,6 +1865,7 @@ P11_Helper_get_attribute(P11_Helper* self, PyObject *args, PyObject *kwds) {
unsigned long attr = 0; unsigned long attr = 0;
CK_ATTRIBUTE attribute; CK_ATTRIBUTE attribute;
CK_RV rv; CK_RV rv;
int error = 0;
static char *kwlist[] = { "key_object", "attr", NULL }; static char *kwlist[] = { "key_object", "attr", NULL };
if (!PyArg_ParseTupleAndKeywords(args, kwds, "kk|", kwlist, &object, if (!PyArg_ParseTupleAndKeywords(args, kwds, "kk|", kwlist, &object,
@ -1808,20 +1883,21 @@ P11_Helper_get_attribute(P11_Helper* self, PyObject *args, PyObject *kwds) {
if (rv == CKR_ATTRIBUTE_TYPE_INVALID if (rv == CKR_ATTRIBUTE_TYPE_INVALID
|| template[0].ulValueLen == (unsigned long) -1) { || template[0].ulValueLen == (unsigned long) -1) {
PyErr_SetString(ipap11helperNotFound, "attribute does not exist"); PyErr_SetString(ipap11helperNotFound, "attribute does not exist");
ret = NULL; GOTO_FAIL;
goto final;
} }
if (!check_return_value(rv, "get_attribute init")) { if (!check_return_value(rv, "get_attribute init")) {
ret = NULL; GOTO_FAIL;
goto final; }
value = PyMem_Malloc(template[0].ulValueLen);
if (value == NULL){
PyErr_NoMemory();
GOTO_FAIL;
} }
value = malloc(template[0].ulValueLen);
template[0].pValue = value; template[0].pValue = value;
rv = self->p11->C_GetAttributeValue(self->session, object, template, 1); rv = self->p11->C_GetAttributeValue(self->session, object, template, 1);
if (!check_return_value(rv, "get_attribute")) { if (!check_return_value(rv, "get_attribute")) {
ret = NULL; GOTO_FAIL;
goto final;
} }
switch (attr) { switch (attr) {
@ -1864,13 +1940,14 @@ P11_Helper_get_attribute(P11_Helper* self, PyObject *args, PyObject *kwds) {
ret = Py_BuildValue("k", *(unsigned long *) value); ret = Py_BuildValue("k", *(unsigned long *) value);
break; break;
default: default:
ret = NULL;
PyErr_SetString(ipap11helperError, "Unknown attribute"); PyErr_SetString(ipap11helperError, "Unknown attribute");
goto final; GOTO_FAIL;
} }
final: if (value != NULL) final:
free(value); if (value != NULL) PyMem_Free(value);
if (error) return NULL;
return ret; return ret;
} }