[Cryptech-Commits] [sw/pkcs11] 03/03: Consolidate session-state-based access control.

git at cryptech.is git at cryptech.is
Fri May 19 04:46:07 UTC 2017

Previous message (by thread): [Cryptech-Commits] [sw/pkcs11] 02/03: Translate more PKCS #11 attributes into HAL_KEY_FLAG_* settings.
Next message (by thread): [Cryptech-Commits] [releng/alpha] branch master updated: PKCS #11 fixes du jour.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository sw/pkcs11.

commit be5a83543764d4d40e20dfd72ea9c70e82842700
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Fri May 19 00:43:12 2017 -0400

    Consolidate session-state-based access control.
---
 pkcs11.c | 115 +++++++++++++++++++++++++++++++++++----------------------------
 1 file changed, 64 insertions(+), 51 deletions(-)

diff --git a/pkcs11.c b/pkcs11.c
index a17eec9..de639ab 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -775,6 +775,25 @@ static void *p11_attribute_find_value_in_template(const CK_ATTRIBUTE_TYPE type,
 }
 
 /*
+ * Idiom for combination of p11_attribute_find_value_in_template() and
+ * p11_find_attribute_in_descriptor().
+ */
+
+static const void *
+p11_attribute_find_value_in_template_or_descriptor(const p11_descriptor_t *descriptor,
+                                                   const CK_ATTRIBUTE_TYPE type,
+                                                   const CK_ATTRIBUTE_PTR template,
+                                                   const CK_ULONG length)
+{
+  const int i = p11_attribute_find_in_template(type, template, length);
+  if (i >= 0)
+    return template[i].pValue;
+  const p11_attribute_descriptor_t * const atd = p11_find_attribute_in_descriptor(descriptor, type);
+  assert(atd != NULL);
+  return atd->value;
+}
+
+/*
  * Set attributes for a newly-created or newly-uploaded HSM key.
  */
 
@@ -1701,7 +1720,8 @@ static CK_RV p11_template_check_1(const CK_ATTRIBUTE_TYPE type,
 
 /*
  * Second pass: called once per template to check that each attribute
- * required for that template has been specified exactly once.
+ * required for that template has been specified exactly once and that
+ * the session's current login state allows access with this template.
  */
 
 static CK_RV p11_template_check_2(const p11_session_t *session,
@@ -1711,28 +1731,55 @@ static CK_RV p11_template_check_2(const p11_session_t *session,
                                   unsigned long required_flag,
                                   unsigned long forbidden_flag)
 {
-  const CK_BBOOL *object_is_private;
+  const CK_BBOOL * const cka_private
+    = p11_attribute_find_value_in_template_or_descriptor(descriptor, CKA_PRIVATE,
+                                                         template, template_length);
+  const CK_BBOOL * const cka_token
+    = p11_attribute_find_value_in_template_or_descriptor(descriptor, CKA_TOKEN,
+                                                         template, template_length);
   CK_RV rv;
-  int i, j;
+
+  assert(cka_private != NULL && cka_token != NULL);
 
   /*
-   * Some session states aren't allowed to play with private objects.
+   * Morass of session-state-specific restrictions on which objects we
+   * can even see, much less modify.  Callers of this function need RW
+   * acecss to the object in question, which simplifies this a bit.
    */
 
   switch (session->state) {
+
   case CKS_RO_PUBLIC_SESSION:
+    /* RO access to public token objects, RW access to public session objects */
+    if (*cka_private || *cka_token)
+      lose(CKR_USER_NOT_LOGGED_IN);
+    break;
+
+  case CKS_RO_USER_FUNCTIONS:
+    /* RO access to all token objects, RW access to all session objects */
+    if (*cka_token)
+      lose(CKR_SESSION_READ_ONLY);
+    break;
+
   case CKS_RW_PUBLIC_SESSION:
+    /* RW access all public objects */
+    if (*cka_private)
+      lose(CKR_USER_NOT_LOGGED_IN);
+    break;
+
+  case CKS_RW_USER_FUNCTIONS:
+    /* RW acess to all objects */
+    break;
+
   case CKS_RW_SO_FUNCTIONS:
-    if ((object_is_private = p11_attribute_find_value_in_template(CKA_PRIVATE, template, template_length)) == NULL) {
-      const p11_attribute_descriptor_t * const atd = p11_find_attribute_in_descriptor(descriptor, CKA_PRIVATE);
-      assert(atd != NULL && atd->value != NULL);
-      object_is_private = atd->value;
-    }
-    if (*object_is_private)
-      lose(CKR_TEMPLATE_INCONSISTENT);
+    /* RW access to public token objects only */
+    if (*cka_private || ! *cka_token)
+      lose(CKR_USER_NOT_LOGGED_IN);
+    break;
+
   }
 
-  for (i = 0; i < descriptor->n_attributes; i++) {
+  for (int i = 0; i < descriptor->n_attributes; i++) {
     const p11_attribute_descriptor_t * const atd = &descriptor->attributes[i];
     const int required_by_api  = (atd->flags & required_flag) != 0;
     const int forbidden_by_api = (atd->flags & forbidden_flag) != 0;
@@ -1741,7 +1788,7 @@ static CK_RV p11_template_check_2(const p11_session_t *session,
 
     /* Multiple entries for same attribute */
     if (pos_in_template >= 0)
-      for (j = pos_in_template + 1; j < template_length; j++)
+      for (int j = pos_in_template + 1; j < template_length; j++)
         if (template[j].type == atd->type)
           lose(CKR_TEMPLATE_INCONSISTENT);
 
@@ -1867,7 +1914,8 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
     *private_flags |= HAL_KEY_FLAG_EXPORTABLE;
 
   /*
-   * Check that all required attributes have been specified.
+   * Check that all required attributes have been specified,
+   * and that our current session state allows this access.
    */
 
   if ((rv = p11_template_check_2(session,
@@ -1885,25 +1933,6 @@ static CK_RV p11_check_keypair_attributes(const p11_session_t *session,
     goto fail;
 
   /*
-   * Read-only sessions can't create objects, doh.
-   * Well, except when they can, thanks, PKCS #11.
-   */
-
-  switch (session->state) {
-  case CKS_RO_PUBLIC_SESSION:
-    if ((public_cka_private  == NULL || *public_cka_private) ||
-        (private_cka_private == NULL || *private_cka_private))
-      lose(CKR_SESSION_READ_ONLY);
-    /* Fall through */
-
-  case CKS_RO_USER_FUNCTIONS:
-    if ((public_cka_token  != NULL && *public_cka_token) ||
-        (private_cka_token != NULL && *private_cka_token))
-      lose(CKR_SESSION_READ_ONLY);
-    /* Fall through */
-  }
-
-  /*
    * If we get this far, we're happy.  Maybe.
    */
 
@@ -2235,7 +2264,8 @@ static CK_RV p11_check_create_attributes(const p11_session_t *session,
   }
 
   /*
-   * Check that all required attributes have been specified.
+   * Check that all required attributes have been specified,
+   * and that our current session state allows this access.
    */
 
   if ((rv = p11_template_check_2(session, descriptor, pTemplate, ulCount,
@@ -2244,23 +2274,6 @@ static CK_RV p11_check_create_attributes(const p11_session_t *session,
     goto fail;
 
   /*
-   * Read-only sessions can't create objects, doh.
-   * Well, except when they can, thanks, PKCS #11.
-   */
-
-  switch (session->state) {
-  case CKS_RO_PUBLIC_SESSION:
-    if (cka_private == NULL || *cka_private)
-      lose(CKR_SESSION_READ_ONLY);
-    /* Fall through */
-
-  case CKS_RO_USER_FUNCTIONS:
-    if (cka_token != NULL && *cka_token)
-      lose(CKR_SESSION_READ_ONLY);
-    /* Fall through */
-  }
-
-  /*
    * If we get this far, we're happy.  Maybe.
    */

Previous message (by thread): [Cryptech-Commits] [sw/pkcs11] 02/03: Translate more PKCS #11 attributes into HAL_KEY_FLAG_* settings.
Next message (by thread): [Cryptech-Commits] [releng/alpha] branch master updated: PKCS #11 fixes du jour.
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Commits mailing list