Respect allowed mechanisms also in C_GetMechanismInfo

Jakuje · Jakuje · commit f5124cc6219f · 2021-09-06T10:34:52.000+02:00
Signed-off-by: Jakub Jelen &lt;jjelen@redhat.com&gt;
diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
@@ -931,6 +931,8 @@ CK_RV SoftHSM::C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_
 	{
 		return CKR_SLOT_ID_INVALID;
 	}
+	if (!isMechanismPermitted(NULL, type))
+		return CKR_MECHANISM_INVALID;
 
 	AsymmetricAlgorithm* rsa = CryptoFactory::i()->getAsymmetricAlgorithm(AsymAlgo::RSA);
 	if (rsa != NULL)
@@ -2183,7 +2185,7 @@ CK_RV SoftHSM::SymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get key info
@@ -2903,7 +2905,7 @@ CK_RV SoftHSM::SymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get key info
@@ -3150,7 +3152,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get key info
@@ -3944,7 +3946,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get key info
@@ -4096,7 +4098,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get the asymmetric algorithm matching the mechanism
@@ -4922,7 +4924,7 @@ CK_RV SoftHSM::MacVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMecha
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get key info
@@ -5074,7 +5076,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Get the asymmetric algorithm matching the mechanism
@@ -6527,7 +6529,7 @@ CK_RV SoftHSM::C_WrapKey
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the wrapping key
-	if (!isMechanismPermitted(wrapKey, pMechanism))
+	if (!isMechanismPermitted(wrapKey, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Check the to be wrapped key handle.
@@ -6993,7 +6995,7 @@ CK_RV SoftHSM::C_UnwrapKey
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the unwrap key
-	if (!isMechanismPermitted(unwrapKey, pMechanism))
+	if (!isMechanismPermitted(unwrapKey, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Extract information from the template that is needed to create the object.
@@ -7274,7 +7276,7 @@ CK_RV SoftHSM::C_DeriveKey
 		return CKR_KEY_FUNCTION_NOT_PERMITTED;
 
 	// Check if the specified mechanism is allowed for the key
-	if (!isMechanismPermitted(key, pMechanism))
+	if (!isMechanismPermitted(key, pMechanism->mechanism))
 		return CKR_MECHANISM_INVALID;
 
 	// Extract information from the template that is needed to create the object.
@@ -12829,22 +12831,27 @@ CK_RV SoftHSM::MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism)
 	return CKR_OK;
 }
 
-bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism)
+bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_TYPE mechanism)
 {
 	std::list<CK_MECHANISM_TYPE> mechs = supportedMechanisms;
 	/* First check if the algorithm is enabled in the global configuration */
-	auto it = std::find(mechs.begin(), mechs.end(), pMechanism->mechanism);
+	auto it = std::find(mechs.begin(), mechs.end(), mechanism);
 	if (it == mechs.end())
 		return false;
 
-	OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS);
-	std::set<CK_MECHANISM_TYPE> allowed = attribute.getMechanismTypeSetValue();
+	/* If we have object, consult also its allowed mechanisms */
+	if (key) {
+		OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS);
+		std::set<CK_MECHANISM_TYPE> allowed = attribute.getMechanismTypeSetValue();
 
-	if (allowed.empty()) {
+		/* empty allow list means we allowing everything that is built-in */
+		if (allowed.empty()) {
+			return true;
+		}
+		return allowed.find(mechanism) != allowed.end();
+	} else {
 		return true;
 	}
-
-	return allowed.find(pMechanism->mechanism) != allowed.end();
 }
 
 bool SoftHSM::detectFork(void) {
diff --git a/src/lib/SoftHSM.h b/src/lib/SoftHSM.h
@@ -489,7 +489,7 @@ class SoftHSM
 
 	CK_RV MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism);
 
-	bool isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism);
+	bool isMechanismPermitted(OSObject* key, CK_MECHANISM_TYPE mechanism);
 	void prepareSupportedMecahnisms(std::map<std::string, CK_MECHANISM_TYPE> &t);
 	bool detectFork(void);
 };
