From 733359f04850b53a582a59a7d461b5fa9a198526 Mon Sep 17 00:00:00 2001 From: Eric Devolder Date: Mon, 2 Aug 2021 14:19:19 +0000 Subject: [PATCH] release 2.4.1 - ignoring wrongly-formatted templates --- CHANGELOG.md | 7 +++++++ configure.ac | 2 +- lib/pkcs11_ls.c | 5 ++++- lib/pkcs11_od.c | 12 +++++++++--- lib/pkcs11_wrap.c | 7 +++++++ 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e9c6984..35344f42 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ======= +# [2.4.1] +### Fixed + - template content is no more wrapped/dipsplayed if length is not a multiple of CK_ATTRIBUTE structure, + to ignore templates incorrectly reported by some tokens + # [2.4.0] ### Added - support for template attributes on most commands @@ -109,6 +114,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Initial public release +[2.4.1]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.1 +[2.4.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.4.0 [2.3.1]: https://github.com/Mastercard/pkcs11-tools/tree/v2.3.1 [2.3.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.3.0 [2.2.0]: https://github.com/Mastercard/pkcs11-tools/tree/v2.2.0 diff --git a/configure.ac b/configure.ac index 402ee2d1..ccf66669 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ dnl limitations under the License. AC_PREREQ([2.64]) -AC_INIT([pkcs11-tools], [2.4.0], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools]) +AC_INIT([pkcs11-tools], [2.4.1], [https://github.com/Mastercard/pkcs11-tools/issues], [pkcs11-tools], [https://github.com/Mastercard/pkcs11-tools]) AC_CONFIG_MACRO_DIR([m4]) dnl adding AM_MAINTAINER_MODE to address autotools issues with git 
diff --git a/lib/pkcs11_ls.c b/lib/pkcs11_ls.c index 633b1344..b78dc4bf 100644 --- a/lib/pkcs11_ls.c +++ b/lib/pkcs11_ls.c @@ -69,7 +69,10 @@ static char* value_for_template( pkcs11AttrList *attrlist, attr = pkcs11_get_attr_in_attrlist ( attrlist, attrtype ); if(attr==NULL) return ck_false; - else if(attr!=NULL_PTR && attr->pValue!=NULL_PTR && attr->ulValueLen>0) return ck_true; + else if( attr!=NULL_PTR && + attr->pValue!=NULL_PTR && + attr->ulValueLen>0 && + attr->ulValueLen % sizeof(CK_ATTRIBUTE) == 0) return ck_true; else return ck_false; } diff --git a/lib/pkcs11_od.c b/lib/pkcs11_od.c index 3d2fb473..e0e02eb0 100644 --- a/lib/pkcs11_od.c +++ b/lib/pkcs11_od.c @@ -184,7 +184,13 @@ static void hexdump (attrib_repr *item, void *addr, unsigned long len, bool temp unsigned char *pc = (unsigned char*)addr; char *info; - // Output description + /* spot early invalid template condition */ + /* some HSM vendor are messing up with the CKA_XXX_TEMPLATE attributes, */ + /* we will detect when it happens and skip them. */ + if ( item && item->cast==as_template && ( len==0 || (len % sizeof(CK_ATTRIBUTE) != 0) ) ) { + return; /* bad template, return early, skip any printing */ + } + printf (" %s%s:\n", template ? "| " : "" , item->name); switch(item->cast) { @@ -589,12 +595,12 @@ static void hexdump (attrib_repr *item, void *addr, unsigned long len, bool temp CK_ATTRIBUTE_PTR item = pkcs11_get_attr_in_array(addr, len, list[i].attr ); - if(item && item->ulValueLen) { + /* if the template does not have a compliant length, do not show it. */ + if(item && item->pValue && item->ulValueLen) { hexdump( &list[i], item->pValue, item->ulValueLen, true); } } break; - } } diff --git a/lib/pkcs11_wrap.c b/lib/pkcs11_wrap.c index fb85e152..bec0734d 100644 --- a/lib/pkcs11_wrap.c +++ b/lib/pkcs11_wrap.c 
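Review bot: In lib/pkcs11_ls.c, value_for_template() now returns ck_false both when the template attribute is absent and when its length is not a multiple of sizeof(CK_ATTRIBUTE), so a listing cannot tell "no template" from "template the token reported incorrectly". For the wrap/unwrap/derive templates named in the lib/pkcs11_wrap.c hunk, that difference matters to anyone auditing key policy. A comment above the condition should say so, e.g. `/* a malformed template (length not a whole number of CK_ATTRIBUTE entries) is reported as absent */`. The same length rule is also written out separately in lib/pkcs11_od.c and lib/pkcs11_wrap.c in this patch, each in a slightly different form; a single shared predicate would keep the three in step. The function's signature starts outside the hunk.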
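Review bot: In the first lib/pkcs11_od.c hunk, the new guard at the top of hexdump() tests `item` for NULL, but the `printf(... item->name)` and `switch(item->cast)` right after it dereference `item` unconditionally, so the test protects only the guard itself. Either drop `item &&` if callers never pass NULL, or return first with `if (item == NULL) return;`. The early return is also silent: an attribute with a bad template length disappears from the dump, whereas the lib/pkcs11_wrap.c hunk writes a `# ... attribute invalid on the source token` line. Printing a comparable one-line marker here would keep the anomaly visible to the operator. hexdump() continues well past this hunk.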
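Review bot: In the second lib/pkcs11_od.c hunk, the added comment `/* if the template does not have a compliant length, do not show it. */` does not describe the condition below it, which only adds an `item->pValue` non-NULL test. The length check lives in the guard at the top of hexdump() and is reached through the recursive call on the next line. Suggested wording: `/* skip entries without a value; hexdump() itself rejects as_template values whose length is not compliant */`. The enclosing loop and switch case start outside this hunk.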
@@ -982,6 +982,13 @@ static func_rc _output_wrapped_key_attributes(wrappedKeyCtx *wctx, FILE *fp)
 fprintf(fp, "CKA_TOKEN: true\n");
 } else if (o_attr->ulValueLen == 0) {
 fprintf(fp, "# %s attribute is empty\n", alist[i].name);
+ } else if ( ( o_attr->type==CKA_UNWRAP_TEMPLATE ||
+ o_attr->type==CKA_DERIVE_TEMPLATE ||
+ o_attr->type==CKA_WRAP_TEMPLATE) &&
+ o_attr->ulValueLen % sizeof(CK_ATTRIBUTE) != 0 ) {
+ /* on Safenet Luna, private keys have, by default, templates that are 1 byte long */
+ /* which is not a valid content for templates */
+ fprintf(fp, "# %s attribute invalid on the source token\n", alist[i].name);
 } else {
 alist[i].func_ptr(fp, alist[i].name, o_attr, alist[i].commented );
 }
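Review bot: The new branch in _output_wrapped_key_attributes() selects templates by listing three `o_attr->type` values, while the lib/pkcs11_od.c change in this patch keys on `item->cast==as_template`; the two can drift apart if another template-typed attribute is ever added to `alist`. The key is also written out without its template, so after unwrapping it will presumably no longer carry the restrictions the template expressed. The `# ... attribute invalid on the source token` line records that in the file, but a message at wrap time, e.g. `fprintf(stderr, "warning: %s is malformed on the source token and was not exported\n", alist[i].name);`, would make the change harder to miss. The if/else chain starts outside this hunk.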