Skip to content

Commit

Permalink
Use a genereic mechanism to block calls to tokens
Browse files Browse the repository at this point in the history
And use this mechanism to reimplement the no_operation_state quirk.

Signed-off-by: Simo Sorce <[email protected]>
  • Loading branch information
simo5 committed Apr 12, 2024
1 parent f3d6bab commit fbce5af
Show file tree
Hide file tree
Showing 8 changed files with 257 additions and 25 deletions.
9 changes: 2 additions & 7 deletions src/digests.c
Original file line number Diff line number Diff line change
Expand Up @@ -191,13 +191,8 @@ static void *p11prov_digest_dupctx(void *ctx)
dctx->session = NULL;

/* NOTE: most tokens will probably return errors trying to do this on digest
* sessions. If the configuration indicates that GetOperationState will fail
* we don't even try to duplicate the context. */

if (p11prov_ctx_no_operation_state(dctx->provctx)) {
goto done;
}

* sessions. If GetOperationState fails we don't even try to duplicate the
* context. */
ret = p11prov_GetOperationState(dctx->provctx, sess, NULL_PTR, &state_len);
if (ret != CKR_OK) {
goto done;
Expand Down
172 changes: 172 additions & 0 deletions src/interface.gen.c

Large diffs are not rendered by default.

60 changes: 60 additions & 0 deletions src/interface.h
Original file line number Diff line number Diff line change
Expand Up @@ -135,4 +135,64 @@ CK_RV side_channel_free_Decrypt(P11PROV_CTX *ctx, CK_SESSION_HANDLE hSession,

CK_INFO p11prov_module_ck_info(P11PROV_MODULE *mctx);


/* The following defines are needed for a generic mask for any of the functions
* we generate via interface.pre, however there is no need to assign a blocking
* value until we'll have a configuration option that allows to set blocks, so
* most of these are defined to 0 which won't block anything.
* Additionally we reserve the lower 4 bits to future "group" blocking. For
* example we may introduce a way to block all the PCS#11 v3 function calls to
* simulate a 2.40 token */
#define P11PROV_BLOCK_Initialize 0b0000000000000000
#define P11PROV_BLOCK_Finalize 0b0000000000000000
#define P11PROV_BLOCK_GetInfo 0b0000000000000000
#define P11PROV_BLOCK_GetFunctionList 0b0000000000000000
#define P11PROV_BLOCK_GetSlotList 0b0000000000000000
#define P11PROV_BLOCK_GetSlotInfo 0b0000000000000000
#define P11PROV_BLOCK_GetTokenInfo 0b0000000000000000
#define P11PROV_BLOCK_GetMechanismList 0b0000000000000000
#define P11PROV_BLOCK_GetMechanismInfo 0b0000000000000000
#define P11PROV_BLOCK_OpenSession 0b0000000000000000
#define P11PROV_BLOCK_CloseSession 0b0000000000000000
#define P11PROV_BLOCK_GetSessionInfo 0b0000000000000000
#define P11PROV_BLOCK_GetOperationState 0b0000000000001000
#define P11PROV_BLOCK_SetOperationState 0b0000000000001000
#define P11PROV_BLOCK_Login 0b0000000000000000
#define P11PROV_BLOCK_Logout 0b0000000000000000
#define P11PROV_BLOCK_CreateObject 0b0000000000000000
#define P11PROV_BLOCK_CopyObject 0b0000000000000000
#define P11PROV_BLOCK_DestroyObject 0b0000000000000000
#define P11PROV_BLOCK_GetAttributeValue 0b0000000000000000
#define P11PROV_BLOCK_SetAttributeValue 0b0000000000000000
#define P11PROV_BLOCK_FindObjectsInit 0b0000000000000000
#define P11PROV_BLOCK_FindObjects 0b0000000000000000
#define P11PROV_BLOCK_FindObjectsFinal 0b0000000000000000
#define P11PROV_BLOCK_EncryptInit 0b0000000000000000
#define P11PROV_BLOCK_Encrypt 0b0000000000000000
#define P11PROV_BLOCK_EncryptUpdate 0b0000000000000000
#define P11PROV_BLOCK_EncryptFinal 0b0000000000000000
#define P11PROV_BLOCK_DecryptInit 0b0000000000000000
#define P11PROV_BLOCK_Decrypt 0b0000000000000000
#define P11PROV_BLOCK_DecryptUpdate 0b0000000000000000
#define P11PROV_BLOCK_DecryptFinal 0b0000000000000000
#define P11PROV_BLOCK_DigestInit 0b0000000000000000
#define P11PROV_BLOCK_Digest 0b0000000000000000
#define P11PROV_BLOCK_DigestUpdate 0b0000000000000000
#define P11PROV_BLOCK_DigestKey 0b0000000000000000
#define P11PROV_BLOCK_DigestFinal 0b0000000000000000
#define P11PROV_BLOCK_SignInit 0b0000000000000000
#define P11PROV_BLOCK_Sign 0b0000000000000000
#define P11PROV_BLOCK_SignUpdate 0b0000000000000000
#define P11PROV_BLOCK_SignFinal 0b0000000000000000
#define P11PROV_BLOCK_VerifyInit 0b0000000000000000
#define P11PROV_BLOCK_Verify 0b0000000000000000
#define P11PROV_BLOCK_VerifyUpdate 0b0000000000000000
#define P11PROV_BLOCK_VerifyFinal 0b0000000000000000
#define P11PROV_BLOCK_GenerateKeyPair 0b0000000000000000
#define P11PROV_BLOCK_DeriveKey 0b0000000000000000
#define P11PROV_BLOCK_SeedRandom 0b0000000000000000
#define P11PROV_BLOCK_GenerateRandom 0b0000000000000000
/* 3.x functions: */
#define P11PROV_BLOCK_GetInterface 0b0000000000000000

#endif /* _INTERFACE_H */
4 changes: 4 additions & 0 deletions src/interface.pre
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ BEGIN:
P11PROV_raise(ctx, ret, "Can't get module interfaces"); \
return ret; \
} \
if (p11prov_ctx_is_call_blocked(ctx, P11PROV_BLOCK_##name)) { \
P11PROV_debug("C_%s is blocked", #name); \
return CKR_FUNCTION_NOT_SUPPORTED; \
} \
P11PROV_debug("Calling C_" #name);
#define IMPL_CALL_EPILOG(name) \
if (ret != CKR_OK) { \
Expand Down
16 changes: 11 additions & 5 deletions src/pk11_uri.gen.c
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,9 @@ extern P11PROV_PK11_URI *
d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len);
extern int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out);
extern const ASN1_ITEM *P11PROV_PK11_URI_it(void);
P11PROV_PK11_URI *d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a,
const unsigned char **in, long len)

P11PROV_PK11_URI
*d2i_P11PROV_PK11_URI(P11PROV_PK11_URI **a, const unsigned char **in, long len)
{
return (P11PROV_PK11_URI *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
(P11PROV_PK11_URI_it()));
Expand All @@ -17,7 +18,8 @@ int i2d_P11PROV_PK11_URI(const P11PROV_PK11_URI *a, unsigned char **out)
{
return ASN1_item_i2d((const ASN1_VALUE *)a, out, (P11PROV_PK11_URI_it()));
}
P11PROV_PK11_URI *P11PROV_PK11_URI_new(void)
P11PROV_PK11_URI
*P11PROV_PK11_URI_new(void)
{
return (P11PROV_PK11_URI *)ASN1_item_new((P11PROV_PK11_URI_it()));
}
Expand All @@ -27,8 +29,10 @@ void P11PROV_PK11_URI_free(P11PROV_PK11_URI *a)
}

static const ASN1_TEMPLATE P11PROV_PK11_URI_seq_tt[] = {

{ (0), (0), __builtin_offsetof(P11PROV_PK11_URI, desc), "desc",
(ASN1_VISIBLESTRING_it) },

{ (0), (0), __builtin_offsetof(P11PROV_PK11_URI, uri), "uri",
(ASN1_UTF8STRING_it) },
};
Expand Down Expand Up @@ -57,8 +61,10 @@ extern P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *out,
P11PROV_PK11_URI **x,
pem_password_cb *cb,
void *u);
P11PROV_PK11_URI *PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x,
pem_password_cb *cb, void *u)

P11PROV_PK11_URI
*PEM_read_bio_P11PROV_PK11_URI(BIO *bp, P11PROV_PK11_URI **x,
pem_password_cb *cb, void *u)
{
return PEM_ASN1_read_bio((d2i_of_void *)d2i_P11PROV_PK11_URI,
P11PROV_PEM_LABEL, bp, (void **)x, cb, u);
Expand Down
8 changes: 4 additions & 4 deletions src/provider.c
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,8 @@ struct p11prov_ctx {
/* cfg quirks */
bool no_deinit;
bool no_allowed_mechanisms;
bool no_operation_state;
bool no_session_callbacks;
uint64_t blocked_calls;

/* module handles and data */
P11PROV_MODULE *module;
Expand Down Expand Up @@ -613,9 +613,9 @@ int p11prov_ctx_cache_sessions(P11PROV_CTX *ctx)
return ctx->cache_sessions;
}

bool p11prov_ctx_no_operation_state(P11PROV_CTX *ctx)
bool p11prov_ctx_is_call_blocked(P11PROV_CTX *ctx, uint64_t mask)
{
return ctx->no_operation_state;
return (ctx->blocked_calls & mask) != 0;
}

bool p11prov_ctx_no_session_callbacks(P11PROV_CTX *ctx)
Expand Down Expand Up @@ -1532,7 +1532,7 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
} else if (strncmp(str, "no-allowed-mechanisms", toklen) == 0) {
ctx->no_allowed_mechanisms = true;
} else if (strncmp(str, "no-operation-state", toklen) == 0) {
ctx->no_operation_state = true;
ctx->blocked_calls |= P11PROV_BLOCK_GetOperationState;
} else if (strncmp(str, "no-session-callbacks", toklen) == 0) {
ctx->no_session_callbacks = true;
}
Expand Down
2 changes: 1 addition & 1 deletion src/provider.h
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ enum p11prov_cache_keys {
int p11prov_ctx_cache_keys(P11PROV_CTX *ctx);
int p11prov_ctx_cache_sessions(P11PROV_CTX *ctx);

bool p11prov_ctx_no_operation_state(P11PROV_CTX *ctx);
bool p11prov_ctx_is_call_blocked(P11PROV_CTX *ctx, uint64_t mask);
bool p11prov_ctx_no_session_callbacks(P11PROV_CTX *ctx);

CK_INFO p11prov_ctx_get_ck_info(P11PROV_CTX *ctx);
Expand Down
11 changes: 3 additions & 8 deletions src/signature.c
Original file line number Diff line number Diff line change
Expand Up @@ -141,18 +141,13 @@ static void *p11prov_sig_dupctx(void *ctx)
newctx->session = sigctx->session;
sigctx->session = NULL;

/* NOTE: most tokens will probably return errors trying to do this on sign
* sessions. If the configuration indicates that GetOperationState will fail
* we don't even try to duplicate the context. */

if (p11prov_ctx_no_operation_state(sigctx->provctx)) {
goto done;
}

if (slotid != CK_UNAVAILABLE_INFORMATION && handle != CK_INVALID_HANDLE) {
CK_SESSION_HANDLE newsess = p11prov_session_handle(newctx->session);
CK_SESSION_HANDLE sess = CK_INVALID_HANDLE;

/* NOTE: most tokens will probably return errors trying to do this on
* sign sessions. If GetOperationState fails we don't try to duplicate
* the context and just return. */
ret = p11prov_GetOperationState(sigctx->provctx, newsess, NULL_PTR,
&state_len);
if (ret != CKR_OK) {
Expand Down

0 comments on commit fbce5af

Please sign in to comment.