From b9e3fdf501c8c05eb4c74c5d4a679b5f0c2d239d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 12 Apr 2024 10:30:45 -0400 Subject: [PATCH] Use a genereic mechanism to block calls to tokens And use this mechanism to reimplement the no_operation_state quirk. Signed-off-by: Simo Sorce --- src/digests.c | 9 +- src/interface.gen.c | 301 ++++++++++++++++++++++++++++++++++++++++++++ src/interface.h | 54 ++++++++ src/interface.pre | 4 + src/pk11_uri.gen.c | 16 ++- src/provider.c | 11 +- src/provider.h | 2 +- src/signature.c | 11 +- 8 files changed, 383 insertions(+), 25 deletions(-) diff --git a/src/digests.c b/src/digests.c index 17ffd5de..214ffbf6 100644 --- a/src/digests.c +++ b/src/digests.c @@ -191,13 +191,8 @@ static void *p11prov_digest_dupctx(void *ctx) dctx->session = NULL; /* NOTE: most tokens will probably return errors trying to do this on digest - * sessions. If the configuration indicates that GetOperationState will fail - * we don't even try to duplicate the context. */ - - if (p11prov_ctx_no_operation_state(dctx->provctx)) { - goto done; - } - + * sessions. If GetOperationState fails we don't even try to duplicate the + * context. */ ret = p11prov_GetOperationState(dctx->provctx, sess, NULL_PTR, &state_len); if (ret != CKR_OK) { goto done; diff --git a/src/interface.gen.c b/src/interface.gen.c index cb8f191f..fb6a019d 100644 --- a/src/interface.gen.c +++ b/src/interface.gen.c @@ -9,6 +9,13 @@ CK_RV p11prov_Initialize(P11PROV_CTX *ctx, CK_VOID_PTR pInitArgs) P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Initialize)) { + P11PROV_raise(ctx, ret, + "C_" + "Initialize" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Initialize"); ret = intf->Initialize(pInitArgs); @@ -28,6 +35,13 @@ CK_RV p11prov_Finalize(P11PROV_CTX *ctx, CK_VOID_PTR pReserved) P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Finalize)) { + P11PROV_raise(ctx, ret, + "C_" + "Finalize" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Finalize"); ret = intf->Finalize(pReserved); @@ -47,6 +61,13 @@ CK_RV p11prov_GetInfo(P11PROV_CTX *ctx, CK_INFO_PTR pInfo) P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetInfo)) { + P11PROV_raise(ctx, ret, + "C_" + "GetInfo" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetInfo"); ret = intf->GetInfo(pInfo); @@ -68,6 +89,13 @@ CK_RV p11prov_GetInterface(P11PROV_CTX *ctx, CK_UTF8CHAR_PTR pInterfaceName, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetInterface)) { + P11PROV_raise(ctx, ret, + "C_" + "GetInterface" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetInterface"); ret = intf->GetInterface(pInterfaceName, pVersion, ppInterface, flags); @@ -88,6 +116,13 @@ CK_RV p11prov_GetFunctionList(P11PROV_CTX *ctx, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetFunctionList)) { + P11PROV_raise(ctx, ret, + "C_" + "GetFunctionList" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetFunctionList"); ret = intf->GetFunctionList(ppFunctionList); @@ -108,6 +143,13 @@ CK_RV p11prov_GetSlotList(P11PROV_CTX *ctx, CK_BBOOL tokenPresent, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetSlotList)) { + P11PROV_raise(ctx, ret, + "C_" + "GetSlotList" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetSlotList"); ret = intf->GetSlotList(tokenPresent, pSlotList, pulCount); @@ -128,6 +170,13 @@ CK_RV p11prov_GetSlotInfo(P11PROV_CTX *ctx, CK_SLOT_ID slotID, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetSlotInfo)) { + P11PROV_raise(ctx, ret, + "C_" + "GetSlotInfo" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetSlotInfo"); ret = intf->GetSlotInfo(slotID, pInfo); @@ -148,6 +197,13 @@ CK_RV p11prov_GetTokenInfo(P11PROV_CTX *ctx, CK_SLOT_ID slotID, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetTokenInfo)) { + P11PROV_raise(ctx, ret, + "C_" + "GetTokenInfo" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetTokenInfo"); ret = intf->GetTokenInfo(slotID, pInfo); @@ -169,6 +225,13 @@ CK_RV p11prov_GetMechanismList(P11PROV_CTX *ctx, CK_SLOT_ID slotID, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetMechanismList)) { + P11PROV_raise(ctx, ret, + "C_" + "GetMechanismList" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetMechanismList"); ret = intf->GetMechanismList(slotID, pMechanismList, pulCount); @@ -190,6 +253,13 @@ CK_RV p11prov_GetMechanismInfo(P11PROV_CTX *ctx, CK_SLOT_ID slotID, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetMechanismInfo)) { + P11PROV_raise(ctx, ret, + "C_" + "GetMechanismInfo" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetMechanismInfo"); ret = intf->GetMechanismInfo(slotID, type, pInfo); @@ -211,6 +281,13 @@ CK_RV p11prov_OpenSession(P11PROV_CTX *ctx, CK_SLOT_ID slotID, CK_FLAGS flags, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_OpenSession)) { + P11PROV_raise(ctx, ret, + "C_" + "OpenSession" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "OpenSession"); ret = intf->OpenSession(slotID, flags, pApplication, Notify, phSession); @@ -230,6 +307,13 @@ CK_RV p11prov_CloseSession(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession) P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_CloseSession)) { + P11PROV_raise(ctx, ret, + "C_" + "CloseSession" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "CloseSession"); ret = intf->CloseSession(hSession); @@ -250,6 +334,13 @@ CK_RV p11prov_GetSessionInfo(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetSessionInfo)) { + P11PROV_raise(ctx, ret, + "C_" + "GetSessionInfo" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetSessionInfo"); ret = intf->GetSessionInfo(hSession, pInfo); @@ -271,6 +362,13 @@ CK_RV p11prov_GetOperationState(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetOperationState)) { + P11PROV_raise(ctx, ret, + "C_" + "GetOperationState" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetOperationState"); ret = intf->GetOperationState(hSession, pOperationState, @@ -295,6 +393,13 @@ CK_RV p11prov_SetOperationState(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SetOperationState)) { + P11PROV_raise(ctx, ret, + "C_" + "SetOperationState" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SetOperationState"); ret = @@ -318,6 +423,13 @@ CK_RV p11prov_Login(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Login)) { + P11PROV_raise(ctx, ret, + "C_" + "Login" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Login"); ret = intf->Login(hSession, userType, pPin, ulPinLen); @@ -339,6 +451,13 @@ CK_RV p11prov_CreateObject(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_CreateObject)) { + P11PROV_raise(ctx, ret, + "C_" + "CreateObject" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "CreateObject"); ret = intf->CreateObject(hSession, pTemplate, ulCount, phObject); @@ -360,6 +479,13 @@ CK_RV p11prov_CopyObject(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_CopyObject)) { + P11PROV_raise(ctx, ret, + "C_" + "CopyObject" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "CopyObject"); ret = intf->CopyObject(hSession, hObject, pTemplate, ulCount, phNewObject); @@ -380,6 +506,13 @@ CK_RV p11prov_DestroyObject(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DestroyObject)) { + P11PROV_raise(ctx, ret, + "C_" + "DestroyObject" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DestroyObject"); ret = intf->DestroyObject(hSession, hObject); @@ -401,6 +534,13 @@ CK_RV p11prov_GetAttributeValue(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GetAttributeValue)) { + P11PROV_raise(ctx, ret, + "C_" + "GetAttributeValue" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GetAttributeValue"); ret = intf->GetAttributeValue(hSession, hObject, pTemplate, ulCount); @@ -422,6 +562,13 @@ CK_RV p11prov_SetAttributeValue(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SetAttributeValue)) { + P11PROV_raise(ctx, ret, + "C_" + "SetAttributeValue" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SetAttributeValue"); ret = intf->SetAttributeValue(hSession, hObject, pTemplate, ulCount); @@ -442,6 +589,13 @@ CK_RV p11prov_FindObjectsInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_FindObjectsInit)) { + P11PROV_raise(ctx, ret, + "C_" + "FindObjectsInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "FindObjectsInit"); ret = intf->FindObjectsInit(hSession, pTemplate, ulCount); @@ -464,6 +618,13 @@ CK_RV p11prov_FindObjects(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_FindObjects)) { + P11PROV_raise(ctx, ret, + "C_" + "FindObjects" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "FindObjects"); ret = @@ -484,6 +645,13 @@ CK_RV p11prov_FindObjectsFinal(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession) P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_FindObjectsFinal)) { + P11PROV_raise(ctx, ret, + "C_" + "FindObjectsFinal" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "FindObjectsFinal"); ret = intf->FindObjectsFinal(hSession); @@ -504,6 +672,13 @@ CK_RV p11prov_EncryptInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_EncryptInit)) { + P11PROV_raise(ctx, ret, + "C_" + "EncryptInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "EncryptInit"); ret = intf->EncryptInit(hSession, pMechanism, hKey); @@ -526,6 +701,13 @@ CK_RV p11prov_Encrypt(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Encrypt)) { + P11PROV_raise(ctx, ret, + "C_" + "Encrypt" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Encrypt"); ret = intf->Encrypt(hSession, pData, ulDataLen, pEncryptedData, @@ -547,6 +729,13 @@ CK_RV p11prov_DecryptInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DecryptInit)) { + P11PROV_raise(ctx, ret, + "C_" + "DecryptInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DecryptInit"); ret = intf->DecryptInit(hSession, pMechanism, hKey); @@ -568,6 +757,13 @@ CK_RV p11prov_Decrypt(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Decrypt)) { + P11PROV_raise(ctx, ret, + "C_" + "Decrypt" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Decrypt"); ret = intf->Decrypt(hSession, pEncryptedData, ulEncryptedDataLen, pData, @@ -589,6 +785,13 @@ CK_RV p11prov_DigestInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DigestInit)) { + P11PROV_raise(ctx, ret, + "C_" + "DigestInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DigestInit"); ret = intf->DigestInit(hSession, pMechanism); @@ -609,6 +812,13 @@ CK_RV p11prov_DigestUpdate(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DigestUpdate)) { + P11PROV_raise(ctx, ret, + "C_" + "DigestUpdate" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DigestUpdate"); ret = intf->DigestUpdate(hSession, pPart, ulPartLen); @@ -629,6 +839,13 @@ CK_RV p11prov_DigestFinal(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DigestFinal)) { + P11PROV_raise(ctx, ret, + "C_" + "DigestFinal" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DigestFinal"); ret = intf->DigestFinal(hSession, pDigest, pulDigestLen); @@ -649,6 +866,13 @@ CK_RV p11prov_SignInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SignInit)) { + P11PROV_raise(ctx, ret, + "C_" + "SignInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SignInit"); ret = intf->SignInit(hSession, pMechanism, hKey); @@ -670,6 +894,13 @@ CK_RV p11prov_Sign(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Sign)) { + P11PROV_raise(ctx, ret, + "C_" + "Sign" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Sign"); ret = intf->Sign(hSession, pData, ulDataLen, pSignature, pulSignatureLen); @@ -690,6 +921,13 @@ CK_RV p11prov_SignUpdate(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SignUpdate)) { + P11PROV_raise(ctx, ret, + "C_" + "SignUpdate" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SignUpdate"); ret = intf->SignUpdate(hSession, pPart, ulPartLen); @@ -710,6 +948,13 @@ CK_RV p11prov_SignFinal(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SignFinal)) { + P11PROV_raise(ctx, ret, + "C_" + "SignFinal" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SignFinal"); ret = intf->SignFinal(hSession, pSignature, pulSignatureLen); @@ -730,6 +975,13 @@ CK_RV p11prov_VerifyInit(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_VerifyInit)) { + P11PROV_raise(ctx, ret, + "C_" + "VerifyInit" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "VerifyInit"); ret = intf->VerifyInit(hSession, pMechanism, hKey); @@ -751,6 +1003,13 @@ CK_RV p11prov_Verify(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_Verify)) { + P11PROV_raise(ctx, ret, + "C_" + "Verify" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "Verify"); ret = intf->Verify(hSession, pData, ulDataLen, pSignature, ulSignatureLen); @@ -771,6 +1030,13 @@ CK_RV p11prov_VerifyUpdate(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_VerifyUpdate)) { + P11PROV_raise(ctx, ret, + "C_" + "VerifyUpdate" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "VerifyUpdate"); ret = intf->VerifyUpdate(hSession, pPart, ulPartLen); @@ -791,6 +1057,13 @@ CK_RV p11prov_VerifyFinal(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_VerifyFinal)) { + P11PROV_raise(ctx, ret, + "C_" + "VerifyFinal" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "VerifyFinal"); ret = intf->VerifyFinal(hSession, pSignature, ulSignatureLen); @@ -814,6 +1087,13 @@ CK_RV p11prov_GenerateKeyPair( P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GenerateKeyPair)) { + P11PROV_raise(ctx, ret, + "C_" + "GenerateKeyPair" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GenerateKeyPair"); ret = intf->GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, @@ -839,6 +1119,13 @@ CK_RV p11prov_DeriveKey(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_DeriveKey)) { + P11PROV_raise(ctx, ret, + "C_" + "DeriveKey" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "DeriveKey"); ret = intf->DeriveKey(hSession, pMechanism, hBaseKey, pTemplate, @@ -860,6 +1147,13 @@ CK_RV p11prov_SeedRandom(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_SeedRandom)) { + P11PROV_raise(ctx, ret, + "C_" + "SeedRandom" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "SeedRandom"); ret = intf->SeedRandom(hSession, pSeed, ulSeedLen); @@ -880,6 +1174,13 @@ CK_RV p11prov_GenerateRandom(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, P11PROV_raise(ctx, ret, "Can't get module interfaces"); return ret; } + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_GenerateRandom)) { + P11PROV_raise(ctx, ret, + "C_" + "GenerateRandom" + " is blocked"); + return CKR_FUNCTION_NOT_SUPPORTED; + } P11PROV_debug("Calling C_" "GenerateRandom"); ret = intf->GenerateRandom(hSession, RandomData, ulRandomLen); diff --git a/src/interface.h b/src/interface.h index 509e6ebb..051f47eb 100644 --- a/src/interface.h +++ b/src/interface.h @@ -135,4 +135,58 @@ CK_RV side_channel_free_Decrypt(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession, CK_INFO p11prov_module_ck_info(P11PROV_MODULE *mctx); +/* never blocked calls are masked to 0 by default */ +/* 2.40 */ +#define P11PROV_BLOCK_Initialize 0b0000000000000000 +#define P11PROV_BLOCK_Finalize 0b0000000000000000 +#define P11PROV_BLOCK_GetInfo 0b0000000000000000 +#define P11PROV_BLOCK_GetFunctionList 0b0000000000000000 +#define P11PROV_BLOCK_GetSlotList 0b0000000000000000 +#define P11PROV_BLOCK_GetSlotInfo 0b0000000000000000 +#define P11PROV_BLOCK_GetTokenInfo 0b0000000000000000 +#define P11PROV_BLOCK_GetMechanismList 0b0000000000000000 +#define P11PROV_BLOCK_GetMechanismInfo 0b0000000000000000 +#define P11PROV_BLOCK_OpenSession 0b0000000000000000 +#define P11PROV_BLOCK_CloseSession 0b0000000000000000 +#define P11PROV_BLOCK_GetSessionInfo 0b0000000000000000 +#define P11PROV_BLOCK_GetOperationState 0b0000000000001000 +#define P11PROV_BLOCK_SetOperationState 0b0000000000001000 +#define P11PROV_BLOCK_Login 0b0000000000000000 +#define P11PROV_BLOCK_Logout 0b0000000000000000 +#define P11PROV_BLOCK_CreateObject 0b0000000000000000 +#define P11PROV_BLOCK_CopyObject 0b0000000000000000 +#define P11PROV_BLOCK_DestroyObject 0b0000000000000000 +#define P11PROV_BLOCK_GetAttributeValue 0b0000000000000000 +#define P11PROV_BLOCK_SetAttributeValue 0b0000000000000000 +#define P11PROV_BLOCK_FindObjectsInit 0b0000000000000000 +#define P11PROV_BLOCK_FindObjects 0b0000000000000000 +#define P11PROV_BLOCK_FindObjectsFinal 0b0000000000000000 +#define P11PROV_BLOCK_EncryptInit 0b0000000000000000 +#define P11PROV_BLOCK_Encrypt 0b0000000000000000 +#define P11PROV_BLOCK_EncryptUpdate 0b0000000000000000 +#define P11PROV_BLOCK_EncryptFinal 0b0000000000000000 +#define P11PROV_BLOCK_DecryptInit 0b0000000000000000 +#define P11PROV_BLOCK_Decrypt 0b0000000000000000 +#define P11PROV_BLOCK_DecryptUpdate 0b0000000000000000 +#define P11PROV_BLOCK_DecryptFinal 0b0000000000000000 +#define P11PROV_BLOCK_DigestInit 0b0000000000000000 +#define P11PROV_BLOCK_Digest 0b0000000000000000 +#define P11PROV_BLOCK_DigestUpdate 0b0000000000000000 +#define P11PROV_BLOCK_DigestKey 0b0000000000000000 +#define P11PROV_BLOCK_DigestFinal 0b0000000000000000 +#define P11PROV_BLOCK_SignInit 0b0000000000000000 +#define P11PROV_BLOCK_Sign 0b0000000000000000 +#define P11PROV_BLOCK_SignUpdate 0b0000000000000000 +#define P11PROV_BLOCK_SignFinal 0b0000000000000000 +#define P11PROV_BLOCK_VerifyInit 0b0000000000000000 +#define P11PROV_BLOCK_Verify 0b0000000000000000 +#define P11PROV_BLOCK_VerifyUpdate 0b0000000000000000 +#define P11PROV_BLOCK_VerifyFinal 0b0000000000000000 +#define P11PROV_BLOCK_GenerateKeyPair 0b0000000000000000 +#define P11PROV_BLOCK_DeriveKey 0b0000000000000000 +#define P11PROV_BLOCK_SeedRandom 0b0000000000000000 +#define P11PROV_BLOCK_GenerateRandom 0b0000000000000000 +/* 3.x */ +#define P11PROV_BLOCK_GetInterface 0b0000000000000000 + #endif /* _INTERFACE_H */ diff --git a/src/interface.pre b/src/interface.pre index b86a6760..5023d807 100644 --- a/src/interface.pre +++ b/src/interface.pre @@ -10,6 +10,10 @@ BEGIN: P11PROV_raise(ctx, ret, "Can't get module interfaces"); \ return ret; \ } \ + if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_##name)) { \ + P11PROV_raise(ctx, ret, "C_" #name " is blocked"); \ + return CKR_FUNCTION_NOT_SUPPORTED; \ + } \ P11PROV_debug("Calling C_" #name); #define IMPL_CALL_EPILOG(name) \ if (ret != CKR_OK) { \ diff --git a/src/pk11_uri.gen.c b/src/pk11_uri.gen.c index 70bc733e..ad416e3e 100644 --- a/src/pk11_uri.gen.c +++ b/src/pk11_uri.gen.c @@ -7,8 +7,9 @@ extern P11PROV_PK11_URI * d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len); extern int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out); extern const ASN1_ITEM *P11PROV_PK11_URI_it(void); -P11PROV_PK11_URI *d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, - const unsigned char **in, long len) + +P11PROV_PK11_URI +*d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len) { return (P11PROV_PK11_URI *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (P11PROV_PK11_URI_it())); @@ -17,7 +18,8 @@ int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out) { return ASN1_item_i2d((const ASN1_VALUE *)a, out, (P11PROV_PK11_URI_it())); } -P11PROV_PK11_URI *P11PROV_PK11_URI_new(void) +P11PROV_PK11_URI +*P11PROV_PK11_URI_new(void) { return (P11PROV_PK11_URI *)ASN1_item_new((P11PROV_PK11_URI_it())); } @@ -27,8 +29,10 @@ void P11PROV_PK11_URI_free(P11PROV_PK11_URI *a) } static const ASN1_TEMPLATE P11PROV_PK11_URI_seq_tt[] = { + { (0), (0), __builtin_offsetof(P11PROV_PK11_URI, desc), "desc", (ASN1_VISIBLESTRING_it) }, + { (0), (0), __builtin_offsetof(P11PROV_PK11_URI, uri), "uri", (ASN1_UTF8STRING_it) }, }; @@ -57,8 +61,10 @@ extern P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *out, P11PROV_PK11_URI **x, pem_password_cb *cb, void *u); -P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x, - pem_password_cb *cb, void *u) + +P11PROV_PK11_URI +*PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x, + pem_password_cb *cb, void *u) { return PEM_ASN1_read_bio((d2i_of_void *)d2i_P11PROV_PK11_URI, P11PROV_PEM_LABEL, bp, (void **)x, cb, u); diff --git a/src/provider.c b/src/provider.c index d54c6dae..5cf193e2 100644 --- a/src/provider.c +++ b/src/provider.c @@ -37,8 +37,8 @@ struct p11prov_ctx { /* cfg quirks */ bool no_deinit; bool no_allowed_mechanisms; - bool no_operation_state; bool no_session_callbacks; + uint64_t blocked_calls; /* module handles and data */ P11PROV_MODULE *module; @@ -613,9 +613,12 @@ int p11prov_ctx_cache_sessions(P11PROV_CTX *ctx) return ctx->cache_sessions; } -bool p11prov_ctx_no_operation_state(P11PROV_CTX *ctx) +bool p11prov_ctx_is_call_blocked(P11PROV_CTX *ctx, uint64_t mask) { - return ctx->no_operation_state; + if (ctx->blocked_calls & mask) { + return true; + } + return false; } bool p11prov_ctx_no_session_callbacks(P11PROV_CTX *ctx) @@ -1532,7 +1535,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, } else if (strncmp(str, "no-allowed-mechanisms", toklen) == 0) { ctx->no_allowed_mechanisms = true; } else if (strncmp(str, "no-operation-state", toklen) == 0) { - ctx->no_operation_state = true; + ctx->blocked_calls |= P11PROV_BLOCK_GetOperationState; } else if (strncmp(str, "no-session-callbacks", toklen) == 0) { ctx->no_session_callbacks = true; } diff --git a/src/provider.h b/src/provider.h index 921aeaea..b1f1643e 100644 --- a/src/provider.h +++ b/src/provider.h @@ -116,7 +116,7 @@ enum p11prov_cache_keys { int p11prov_ctx_cache_keys(P11PROV_CTX *ctx); int p11prov_ctx_cache_sessions(P11PROV_CTX *ctx); -bool p11prov_ctx_no_operation_state(P11PROV_CTX *ctx); +bool p11prov_ctx_is_call_blocked(P11PROV_CTX *ctx, uint64_t mask); bool p11prov_ctx_no_session_callbacks(P11PROV_CTX *ctx); CK_INFO p11prov_ctx_get_ck_info(P11PROV_CTX *ctx); diff --git a/src/signature.c b/src/signature.c index 7bfc72e3..f726a199 100644 --- a/src/signature.c +++ b/src/signature.c @@ -141,18 +141,13 @@ static void *p11prov_sig_dupctx(void *ctx) newctx->session = sigctx->session; sigctx->session = NULL; - /* NOTE: most tokens will probably return errors trying to do this on sign - * sessions. If the configuration indicates that GetOperationState will fail - * we don't even try to duplicate the context. */ - - if (p11prov_ctx_no_operation_state(sigctx->provctx)) { - goto done; - } - if (slotid != CK_UNAVAILABLE_INFORMATION && handle != CK_INVALID_HANDLE) { CK_SESSION_HANDLE newsess = p11prov_session_handle(newctx->session); CK_SESSION_HANDLE sess = CK_INVALID_HANDLE; + /* NOTE: most tokens will probably return errors trying to do this on + * sign sessions. If GetOperationState fails we don't try to duplicate + * the context and just return. */ ret = p11prov_GetOperationState(sigctx->provctx, newsess, NULL_PTR, &state_len); if (ret != CKR_OK) {