From f6aa30d173c80568fe608664eef07fb14b7da967 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 03 2016 06:11:56 +0000
Subject: import coolkey-1.1.0-35.el7


---

diff --git a/SOURCES/coolkey-1.1.0-fail-on-bad-mechanisms.patch b/SOURCES/coolkey-1.1.0-fail-on-bad-mechanisms.patch
new file mode 100644
index 0000000..c0d1c43
--- /dev/null
+++ b/SOURCES/coolkey-1.1.0-fail-on-bad-mechanisms.patch
@@ -0,0 +1,109 @@
+diff -up ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms ./src/coolkey/coolkey.cpp
+--- ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms	2016-06-16 14:36:05.934755563 -0700
++++ ./src/coolkey/coolkey.cpp	2016-06-16 14:36:05.945755372 -0700
+@@ -77,7 +77,8 @@ rsaMechanismList[] = {
+ 
+ static const MechInfo
+ ecMechanismList[] = {
+-    {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDSA_SHA1, {256, 521, CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }
++    {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},
++    {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} }
+ };
+ 
+ unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo);
+diff -up ./src/coolkey/slot.cpp.fail-on-bad-mechanisms ./src/coolkey/slot.cpp
+--- ./src/coolkey/slot.cpp.fail-on-bad-mechanisms	2016-06-16 14:36:05.943755407 -0700
++++ ./src/coolkey/slot.cpp	2016-06-16 15:07:40.255882660 -0700
+@@ -4185,11 +4185,30 @@ Slot::signInit(SessionHandleSuffix suffi
+ {
+     refreshTokenState();
+     SessionIter session = findSession(suffix);
++    PKCS11Object *key = getKeyFromHandle(hKey);
+     if( session == sessions.end() ) {
+         throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
+     }
++    if (pMechanism == NULL) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++
++    switch (pMechanism->mechanism) {
++    case CKM_RSA_PKCS:
++	if (key->getKeyType() != Key::rsa) {
++        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);
++	}
++	break;
++    case CKM_ECDSA:
++	if (key->getKeyType() != Key::ecc) {
++        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);
++	}
++	break;
++    default:
++        throw PKCS11Exception(CKR_MECHANISM_INVALID);
++    }
+ 
+-    session->signatureState.initialize(getKeyFromHandle(hKey));
++    session->signatureState.initialize(key);
+ }
+ 
+ void
+@@ -4198,11 +4217,24 @@ Slot::decryptInit(SessionHandleSuffix su
+ {
+     refreshTokenState();
+     SessionIter session = findSession(suffix);
++    PKCS11Object *key = getKeyFromHandle(hKey);
+     if( session == sessions.end() ) {
+         throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID);
+     }
++    if (pMechanism == NULL) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++    switch (pMechanism->mechanism) {
++    case CKM_RSA_PKCS:
++	if (key->getKeyType() != Key::rsa) {
++        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);
++	}
++	break;
++    default:
++        throw PKCS11Exception(CKR_MECHANISM_INVALID);
++    }
+ 
+-    session->decryptionState.initialize(getKeyFromHandle(hKey));
++    session->decryptionState.initialize(key);
+ }
+ 
+ /**
+@@ -5008,8 +5040,23 @@ Slot::derive(SessionHandleSuffix suffix,
+ 
+     ECCKeyAgreementParams params(CryptParams::ECC_DEFAULT_KEY_SIZE);
+     SessionIter session = findSession(suffix);
++    PKCS11Object *key=getKeyFromHandle(hBaseKey);
+ 
+-    session->keyAgreementState.initialize(getKeyFromHandle(hBaseKey));
++    if (pMechanism == NULL ) {
++        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
++    }
++
++    switch (pMechanism->mechanism) {
++    case CKM_ECDH1_DERIVE:
++	if (key->getKeyType() != Key::ecc) {
++        	throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT);
++	}
++	break;
++    default:
++        throw PKCS11Exception(CKR_MECHANISM_INVALID);
++    }
++
++    session->keyAgreementState.initialize(key);
+     deriveECC(suffix, pMechanism, hBaseKey, pTemplate, ulAttributeCount, 
+ 		phKey, params);
+ 
+@@ -5018,9 +5065,6 @@ Slot::derive(SessionHandleSuffix suffix,
+ void Slot::deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism,
+        CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params)
+ {
+-    if (pMechanism == NULL ) {
+-        throw PKCS11Exception(CKR_ARGUMENTS_BAD);
+-    }
+ 
+     CK_ECDH1_DERIVE_PARAMS *mechParams      = NULL;
+ 
diff --git a/SOURCES/coolkey-1.1.0-max-cpu-bug.patch b/SOURCES/coolkey-1.1.0-max-cpu-bug.patch
new file mode 100644
index 0000000..aab85f7
--- /dev/null
+++ b/SOURCES/coolkey-1.1.0-max-cpu-bug.patch
@@ -0,0 +1,12 @@
+diff -up ./src/coolkey/slot.cpp.max-cpu-bug ./src/coolkey/slot.cpp
+--- ./src/coolkey/slot.cpp.max-cpu-bug	2016-06-30 14:36:10.502785885 -0700
++++ ./src/coolkey/slot.cpp	2016-06-30 14:36:15.812876256 -0700
+@@ -1875,6 +1875,8 @@ SlotList::waitForSlotEvent(CK_FLAGS flag
+ 	if (status != CKYSUCCESS) {
+ 	    if ((CKYCardContext_GetLastError(context) ==
+ 						 SCARD_E_READER_UNAVAILABLE) ||
++	       (CKYCardContext_GetLastError(context) ==
++						 SCARD_E_UNKNOWN_READER) ||
+ 	       (CKYCardContext_GetLastError(context) == SCARD_E_TIMEOUT)) {
+ 		OSSleep(timeout*PKCS11_CARD_ERROR_LATENCY);
+ 	    }
diff --git a/SOURCES/coolkey-1.1.0-more-keys.patch b/SOURCES/coolkey-1.1.0-more-keys.patch
new file mode 100644
index 0000000..fb94ec3
--- /dev/null
+++ b/SOURCES/coolkey-1.1.0-more-keys.patch
@@ -0,0 +1,61 @@
+diff -up ./src/coolkey/slot.cpp.more_keys ./src/coolkey/slot.cpp
+--- ./src/coolkey/slot.cpp.more_keys	2016-06-16 11:50:01.027432856 -0700
++++ ./src/coolkey/slot.cpp	2016-06-16 11:50:13.267224824 -0700
+@@ -32,7 +32,8 @@
+ 
+ #define MIN(x, y) ((x) < (y) ? (x) : (y))
+ 
+-
++#define MAX_NUM_KEYS  32
++#define MAX_NUM_CERTS 32
+ 
+ #ifdef DEBUG
+ #define PRINTF(args) printf args
+@@ -3458,7 +3459,7 @@ Slot::loadObjects()
+         } else if( type == 'c' ) {
+             // cert attribute object. find the DER encoding
+             unsigned short certnum = getObjectIndex(iter->obj.objectID);
+-            if( certnum > 9 ) {
++            if( certnum > MAX_NUM_CERTS ) {
+                 //invalid object id
+                 throw PKCS11Exception(CKR_DEVICE_ERROR,
+                     "Invalid object id %08x",iter->obj.objectID);
+@@ -4154,7 +4155,7 @@ Slot::objectToKeyNum(const PKCS11Object
+         throw PKCS11Exception(CKR_KEY_HANDLE_INVALID);
+     }
+     unsigned short keyNum = getObjectIndex(id);
+-    if( keyNum > 9 ) {
++    if( keyNum > MAX_NUM_KEYS ) {
+         throw PKCS11Exception(CKR_KEY_HANDLE_INVALID);
+     }
+     return keyNum & 0xFF;
+@@ -4911,7 +4912,6 @@ Slot::generateRandom(SessionHandleSuffix
+     }
+ }
+ 
+-#define MAX_NUM_KEYS 8
+ unsigned int
+ Slot::getRSAKeySize(PKCS11Object *key)
+ {
+diff -up ./src/coolkey/slot.h.more_keys ./src/coolkey/slot.h
+--- ./src/coolkey/slot.h.more_keys	2016-06-16 11:50:08.627303984 -0700
++++ ./src/coolkey/slot.h	2016-06-16 11:54:08.872153180 -0700
+@@ -512,7 +512,17 @@ class Slot {
+         return (char) (objectID >> 24) & 0xff;
+     }
+     unsigned short getObjectIndex(unsigned long objectID) const {
+-        return (char )((objectID >> 16) & 0xff) - '0';
++       char char_index = (char) ((objectID >> 16) & 0xff);
++       if (char_index >= '0' && char_index <= '9') {
++           return char_index - '0';
++       }
++       if (char_index >= 'A' && char_index <= 'Z') {
++           return char_index - 'A' + 10;
++       }
++       if (char_index >= 'a' && char_index <= 'z') {
++           return char_index - 'a' + 26 + 10;
++       }
++       return 0x0100 + char_index;
+     }
+ 
+     // actually get the size of a key in bits from the card
diff --git a/SPECS/coolkey.spec b/SPECS/coolkey.spec
index 482656c..ee4cc82 100644
--- a/SPECS/coolkey.spec
+++ b/SPECS/coolkey.spec
@@ -22,7 +22,7 @@
 
 Name: coolkey
 Version: 1.1.0
-Release: 33%{?dist}
+Release: 35%{?dist}
 Summary: CoolKey PKCS #11 module
 License: LGPLv2
 URL: http://directory.fedora.redhat.com/wiki/CoolKey
@@ -42,6 +42,9 @@ Patch20: coolkey-1.1.0-noapplet.patch
 Patch21: coolkey-1.1.0-fix-spurious-event.patch
 Patch22: coolkey-1.1.0-p15.patch
 Patch23: coolkey-1.1.0-p15-coverity.patch
+Patch24: coolkey-1.1.0-more-keys.patch
+Patch25: coolkey-1.1.0-fail-on-bad-mechanisms.patch
+Patch26: coolkey-1.1.0-max-cpu-bug.patch
 
 Group: System Environment/Libraries
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -86,6 +89,9 @@ Linux Driver support to access the CoolKey applet.
 %patch21 -b .fix-spurious
 %patch22 -b .p15
 %patch23 -b .p15-coverity
+%patch24 -b .more-keys
+%patch25 -b .fail-on-bad-mechanisms
+%patch26 -b .max-cpu-bug
 
 %build
 autoconf
@@ -134,6 +140,8 @@ fi
 %{_libdir}/libckyapplet.so.1
 %{_libdir}/libckyapplet.so.1.0.0
 %{_datadir}/p11-kit/modules/coolkey.module
+%attr(1777,root,root) /var/cache/coolkey
+
 
 %files devel
 %{_libdir}/libckyapplet.so
@@ -142,6 +150,14 @@ fi
 
 
 %changelog
+* Thu Jun 30 2016 Robert Relyea <rrelyea@redhat.com> - 1.1.0-35
+- include sleep on unknown reader errors.
+
+* Mon Jun 13 2016 Robert Relyea <rrelyea@redhat.com> - 1.1.0-34
+- recognize up to 32 keys and certs in coolkeys. (can go up to 62 with just #define changes)
+- own our cache file.
+- verify we are using the correct mechanisms
+
 * Mon Jul 6 2015 Robert Relyea <rrelyea@redhat.com> - 1.1.0-33
 - fix more coverity issues in p15 patch