From eb398b8f36c2822a27527596ada1820e2fbee6a5 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 6 Sep 2021 09:31:29 +0200 Subject: [PATCH 1/2] Respect allowed mechanisms also in C_GetMechanismInfo Signed-off-by: Jakub Jelen --- src/lib/SoftHSM.cpp | 41 ++++++++++++++++++++++++----------------- src/lib/SoftHSM.h | 2 +- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp index 54f9089f..3fd21d05 100644 --- a/src/lib/SoftHSM.cpp +++ b/src/lib/SoftHSM.cpp @@ -932,6 +932,8 @@ CK_RV SoftHSM::C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_ { return CKR_SLOT_ID_INVALID; } + if (!isMechanismPermitted(NULL, type)) + return CKR_MECHANISM_INVALID; AsymmetricAlgorithm* rsa = CryptoFactory::i()->getAsymmetricAlgorithm(AsymAlgo::RSA); if (rsa != NULL) @@ -2186,7 +2188,7 @@ CK_RV SoftHSM::SymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get key info @@ -2916,7 +2918,7 @@ CK_RV SoftHSM::SymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get key info @@ -3164,7 +3166,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get key info 
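Review bot: The new guard `if (!isMechanismPermitted(NULL, type)) return CKR_MECHANISM_INVALID;` in C_GetMechanismInfo is written without braces, while the slot check directly above it (`{ return CKR_SLOT_ID_INVALID; }`) is braced; writing it as `if (!isMechanismPermitted(NULL, type)) { return CKR_MECHANISM_INVALID; }` keeps the function's early returns uniform. The reason for placing the check here, ahead of the per-algorithm queries, is only stated in the commit title, so a one-line comment such as `// Report mechanisms disabled in the global configuration as unknown, consistent with the mechanism list` would help the next reader. The rest of C_GetMechanismInfo lies outside the hunk.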
@@ -3966,7 +3968,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get key info @@ -4118,7 +4120,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get the asymmetric algorithm matching the mechanism @@ -4944,7 +4946,7 @@ CK_RV SoftHSM::MacVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMecha return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get key info @@ -5096,7 +5098,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Get the asymmetric algorithm matching the mechanism @@ -6549,7 +6551,7 @@ CK_RV SoftHSM::C_WrapKey return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the wrapping key - if (!isMechanismPermitted(wrapKey, pMechanism)) + if (!isMechanismPermitted(wrapKey, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Check the to be wrapped key handle. 
@@ -7017,7 +7019,7 @@ CK_RV SoftHSM::C_UnwrapKey return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the unwrap key - if (!isMechanismPermitted(unwrapKey, pMechanism)) + if (!isMechanismPermitted(unwrapKey, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Extract information from the template that is needed to create the object. @@ -7300,7 +7302,7 @@ CK_RV SoftHSM::C_DeriveKey return CKR_KEY_FUNCTION_NOT_PERMITTED; // Check if the specified mechanism is allowed for the key - if (!isMechanismPermitted(key, pMechanism)) + if (!isMechanismPermitted(key, pMechanism->mechanism)) return CKR_MECHANISM_INVALID; // Extract information from the template that is needed to create the object. @@ -12858,22 +12860,27 @@ CK_RV SoftHSM::MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism) return CKR_OK; } -bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism) +bool SoftHSM::isMechanismPermitted(OSObject* key, CK_MECHANISM_TYPE mechanism) { std::list mechs = supportedMechanisms; /* First check if the algorithm is enabled in the global configuration */ - auto it = std::find(mechs.begin(), mechs.end(), pMechanism->mechanism); + auto it = std::find(mechs.begin(), mechs.end(), mechanism); if (it == mechs.end()) return false; - OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS); - std::set allowed = attribute.getMechanismTypeSetValue(); + /* If we have object, consult also its allowed mechanisms */ + if (key) { + OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS); + std::set allowed = attribute.getMechanismTypeSetValue(); - if (allowed.empty()) { + /* empty allow list means we allowing everything that is built-in */ + if (allowed.empty()) { + return true; + } + return allowed.find(mechanism) != allowed.end(); + } else { return true; } - - return allowed.find(pMechanism->mechanism) != allowed.end(); } bool SoftHSM::detectFork(void) { 
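Review bot: The new `if (key) { ... } else { return true; }` in isMechanismPermitted nests the whole allow-list lookup inside the `if` only to fall back to `return true` in the `else`, while the earlier check in the same function (`if (it == mechs.end()) return false;`) already uses a guard clause; turning the NULL-key case into a guard removes one indentation level and states the "no object" contract at the top where a reader looks for it. The comment `/* empty allow list means we allowing everything that is built-in */` also reads awkwardly; `/* An empty allow list permits every mechanism enabled in the global configuration */` says the same thing. Separately, the unchanged `std::list mechs = supportedMechanisms;` copies the configured list on every call, and this function is now also reached from C_GetMechanismInfo, so searching `supportedMechanisms` directly (or binding a const reference) would avoid the copy. Angle brackets appear to have been stripped from the rendering, so the template argument below is reconstructed from the parameter type.
```cpp
	// … unchanged: global configuration lookup (std::find over mechs) …

	/* No object (e.g. called from C_GetMechanismInfo): only the global list applies */
	if (key == NULL)
		return true;

	OSAttribute attribute = key->getAttribute(CKA_ALLOWED_MECHANISMS);
	std::set<CK_MECHANISM_TYPE> allowed = attribute.getMechanismTypeSetValue();

	/* An empty allow list permits every mechanism enabled in the global configuration */
	if (allowed.empty())
		return true;

	return allowed.find(mechanism) != allowed.end();
```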
diff --git a/src/lib/SoftHSM.h b/src/lib/SoftHSM.h index e92a1772..98fef110 100644 --- a/src/lib/SoftHSM.h +++ b/src/lib/SoftHSM.h @@ -489,7 +489,7 @@ class SoftHSM CK_RV MechParamCheckRSAPKCSOAEP(CK_MECHANISM_PTR pMechanism); - bool isMechanismPermitted(OSObject* key, CK_MECHANISM_PTR pMechanism); + bool isMechanismPermitted(OSObject* key, CK_MECHANISM_TYPE mechanism); void prepareSupportedMechanisms(std::map &t); bool detectFork(void); }; From c6bdb9a58583d0612eea99f463dff7af2e9c927a Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 6 Sep 2021 09:47:46 +0200 Subject: [PATCH 2/2] tests: Verify the C_GetMechanismInfo does fails for not allowed mechanisms --- src/lib/test/InfoTests.cpp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/lib/test/InfoTests.cpp b/src/lib/test/InfoTests.cpp index bb548440..eb2c07d0 100644 --- a/src/lib/test/InfoTests.cpp +++ b/src/lib/test/InfoTests.cpp @@ -329,6 +329,7 @@ void InfoTests::testGetMechanismListConfig() CK_RV rv; CK_ULONG ulMechCount = 0; CK_MECHANISM_TYPE_PTR pMechanismList; + CK_MECHANISM_INFO info; #ifndef _WIN32 setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1); 
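Review bot: The changed declaration `bool isMechanismPermitted(OSObject* key, CK_MECHANISM_TYPE mechanism);` now accepts a NULL `key` (C_GetMechanismInfo passes NULL), but nothing at the declaration says so, and a future caller reading only the header would assume the object is required. A comment on the declaration, `// key may be NULL; then only the mechanisms enabled in the global configuration are consulted`, documents the contract where callers see it. The class body continues outside the hunk.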
@@ -358,6 +359,20 @@ void InfoTests::testGetMechanismListConfig() CPPUNIT_ASSERT(pMechanismList[1] == CKM_RSA_PKCS); free(pMechanismList); + /* Get good mechanism info */ + rv = CRYPTOKI_F_PTR( C_GetMechanismInfo(m_initializedTokenSlotID, CKM_RSA_X_509, &info) ); + CPPUNIT_ASSERT(rv == CKR_OK); + CPPUNIT_ASSERT(info.flags & CKF_SIGN); + rv = CRYPTOKI_F_PTR( C_GetMechanismInfo(m_initializedTokenSlotID, CKM_RSA_PKCS, &info) ); + CPPUNIT_ASSERT(rv == CKR_OK); + CPPUNIT_ASSERT(info.flags & CKF_SIGN); + + /* Get bad mechanism info */ + rv = CRYPTOKI_F_PTR( C_GetMechanismInfo(m_initializedTokenSlotID, CKM_ECDSA, &info) ); + CPPUNIT_ASSERT(rv == CKR_MECHANISM_INVALID); + rv = CRYPTOKI_F_PTR( C_GetMechanismInfo(m_initializedTokenSlotID, CKM_DSA, &info) ); + CPPUNIT_ASSERT(rv == CKR_MECHANISM_INVALID); + CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) ); #ifndef _WIN32 setenv("SOFTHSM2_CONF", "./softhsm2.conf", 1);
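Review bot: The negative cases in the added block use CKM_ECDSA and CKM_DSA; if either algorithm is a build-time option in this tree, that assertion would pass even without the configuration filter, because C_GetMechanismInfo would reject the mechanism as unsupported regardless of softhsm2-mech.conf. A mechanism that is always compiled in but absent from the test configuration makes a stronger negative case, and a comment above the block, `/* Mechanisms omitted from softhsm2-mech.conf must be reported as unknown */`, would record what is being verified. Also, `info` is never reset between the good and bad calls, so the test cannot tell whether the failing path leaves the structure untouched. testGetMechanismListConfig starts before the hunk and ends after it.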