-------- [PATCH 4/4] --------------- Part 2 of slot-info via socket.
This patch enables all the non-changing slot information to be transmitted over the sockets, rather via shared memory. By doing this, the members of the pkcs11 group can no longer override the locations of the backend library .so files, and so can no longer execute arbitary code with the preivileges of other pkcs11 group members.
Signed-off-by: Ross McIlroy <[email protected]>
---
 usr/include/pkcs11/slotmgr.h | 20 +++++++++--
 usr/lib/pkcs11/api/api_interface.c | 40 +++++++++++++++--------
 usr/lib/pkcs11/api/apiutil.c | 67 +++++++++++++++++++++++---------------
 usr/lib/pkcs11/api/socket_client.c | 2 +-
 usr/sbin/pkcsslotd/garbage_linux.c | 11 +++----
 usr/sbin/pkcsslotd/no_odm.c | 4 +++
 usr/sbin/pkcsslotd/odm.c | 2 ++
 usr/sbin/pkcsslotd/shmem.c | 4 ++-
 usr/sbin/pkcsslotd/socket_server.c | 5 ++-
 9 files changed, 103 insertions(+), 52 deletions(-)
diff --git a/usr/include/pkcs11/slotmgr.h b/usr/include/pkcs11/slotmgr.h
index 1a27edd..a0e5a37 100755
--- a/usr/include/pkcs11/slotmgr.h
+++ b/usr/include/pkcs11/slotmgr.h
@@ -373,9 +373,11 @@ typedef struct{
 char dll_location[PATH_MAX+1]; // location of slot management DLL
 char slot_init_fcn[PATH_MAX+1]; // function to call to initialize the token in the slot
 char correlator[PATH_MAX+1]; // Slot DLL Slotindex to dev correlation string
+#ifndef SLOT_INFO_BY_SOCKET
 uint32 global_sessions; // counter of the total sessions on a token in
 // a slot. Used for quick check of no
 // sessions
+#endif
 }Slot_Info_t;
@@ -459,21 +461,25 @@ typedef struct{
 char slot_init_fcn[PATH_MAX+1]; // function to call to initialize the token in the slot
 char correlator[PATH_MAX+1]; // Slot DLL Slotindex to dev correlation string
 char pad2[5]; // pad for dword alignment
+#ifndef SLOT_INFO_BY_SOCKET
 uint32 global_sessions; // counter of the total sessions on a token in
 char pad3[4]; // pad for dword alignment
 // a slot. Used for quick check of no
 // sessions
+#endif
 }Slot_Info_t_64;
 typedef struct {
 /* Information that the API calls will use. */
- uint8 num_slots;
 #ifndef SLOT_INFO_BY_SOCKET
+ uint8 num_slots;
 CK_INFO_64 ck_info;
-#endif
 Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
+#else
+ uint32 slot_global_sessions[NUMBER_SLOTS_MANAGED];
+#endif
 Slot_Mgr_Proc_t_64 proc_table[NUMBER_PROCESSES_ALLOWED];
@@ -481,7 +487,9 @@ typedef struct {
 #ifdef SLOT_INFO_BY_SOCKET
 typedef struct {
+ uint8 num_slots;
 CK_INFO_64 ck_info;
+ Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
 } Slot_Mgr_Socket_t;
 #endif
@@ -490,11 +498,13 @@ typedef struct {
 typedef struct {
 /* Information that the API calls will use. */
- uint8 num_slots;
 #ifndef SLOT_INFO_BY_SOCKET
+ uint8 num_slots;
 CK_INFO ck_info;
-#endif
 Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
+#else
+ uint32 slot_global_sessions[NUMBER_SLOTS_MANAGED];
+#endif
 Slot_Mgr_Proc_t proc_table[NUMBER_PROCESSES_ALLOWED];
@@ -502,7 +512,9 @@ typedef struct {
 #ifdef SLOT_INFO_BY_SOCKET
 typedef struct {
+ uint8 num_slots;
 CK_INFO ck_info;
+ Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
 } Slot_Mgr_Socket_t;
 #endif
diff --git a/usr/lib/pkcs11/api/api_interface.c b/usr/lib/pkcs11/api/api_interface.c
index 65e5230..daaaab4 100755
--- a/usr/lib/pkcs11/api/api_interface.c
+++ b/usr/lib/pkcs11/api/api_interface.c
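Review bot: Slot_Mgr_Socket_t (the `@@ -481` and `@@ -502` hunks) is now the wire format between pkcsslotd and every library client, yet it carries no version, size or magic field, so a daemon and library built with different settings (PKCS64 on only one side, a different NUMBER_SLOTS_MANAGED or PATH_MAX, different padding after `uint8 num_slots`) would let the client copy the struct "successfully" and then treat misaligned bytes as the `dll_location` it presumably passes to dlopen() in DL_Load_and_Init. A leading `uint32 version;` and `uint32 size;` that the client compares against its own `sizeof(Slot_Mgr_Socket_t)` before accepting the reply turns that into a clean failure. Putting `uint8 num_slots` ahead of `CK_INFO_64 ck_info` also introduces compiler padding that the daemon transmits verbatim; either place `num_slots` after the arrays or make the sender zero the whole struct before filling it. Whether socket_client.c already checks the byte count it read is not visible in this patch.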
@@ -2631,9 +2631,14 @@ C_GetSlotInfo ( CK_SLOT_ID slotID,
 ) {
 uint16 count;
- Slot_Mgr_Shr_t *shm;
 Slot_Info_t_64 *sinfp;
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
+
 OCK_LOG_DEBUG("C_GetSlotInfo Slot=%d ptr=%x\n",slotID,pInfo);
 //OCK_LOG_DEBUG(" Slot %d \n",slotID);
@@ -2648,8 +2653,7 @@ C_GetSlotInfo ( CK_SLOT_ID slotID,
 return CKR_FUNCTION_FAILED;
 }
- shm = Anchor->SharedMemP;
- sinfp = shm->slot_info;
+ sinfp = shData->slot_info;
 sinfp += slotID;
 count = 0;
@@ -2700,9 +2704,13 @@ C_GetSlotInfo ( CK_SLOT_ID slotID,
 uint16 count;
 uint16 index;
 uint16 sindx;
- Slot_Mgr_Shr_t *shm;
 Slot_Info_t *sinfp;
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
 OCK_LOG_DEBUG("C_GetSlotInfo Slot=%d ptr=%x\n",slotID,pInfo);
 //OCK_LOG_DEBUG(" Slot %d \n",slotID);
@@ -2717,8 +2725,7 @@ C_GetSlotInfo ( CK_SLOT_ID slotID,
 return CKR_FUNCTION_FAILED;
 }
- shm = Anchor->SharedMemP;
- sinfp = shm->slot_info;
+ sinfp = shData->slot_info;
 sinfp += slotID;
 count = 0;
@@ -2764,7 +2771,12 @@ C_GetSlotList ( CK_BBOOL tokenPresent,
 CK_ULONG count;
 uint16 index;
 uint16 sindx;
- Slot_Mgr_Shr_t *shm;
+
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
@@ -2788,9 +2800,7 @@ C_GetSlotList ( CK_BBOOL tokenPresent,
 }
-
- shm = Anchor->SharedMemP;
- sinfp = shm->slot_info;
+ sinfp = shData->slot_info;
 count = 0; // Count the slots based off the present flag
 // Go through all the slots and count them up
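Review bot: The same five-line `#ifdef SLOT_INFO_BY_SOCKET` selection of `shData` is pasted into both C_GetSlotInfo variants, C_GetSlotList and C_GetTokenInfo here and three more times in apiutil.c, so the next field that moves between shared memory and the socket copy has to be chased through seven call sites. One accessor in slotmgr.h, `#define SLOT_INFO_TABLE() (&(Anchor->SocketDataP))` under the socket case and `#define SLOT_INFO_TABLE() (Anchor->SharedMemP)` otherwise, would reduce each site to `sinfp = SLOT_INFO_TABLE()->slot_info;`. Note also that `sinfp += slotID` now walks a fixed array embedded in `Anchor` rather than the shared segment; the guard that returns CKR_FUNCTION_FAILED just above is outside the hunk, so confirm it rejects `slotID >= NUMBER_SLOTS_MANAGED` before that line runs.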
@@ -2908,7 +2918,12 @@ C_GetTokenInfo ( CK_SLOT_ID slotID,
 CK_RV rv;
 API_Slot_t *sltp;
 STDLL_FcnList_t *fcn;
- Slot_Mgr_Shr_t *shm;
+
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
@@ -2941,8 +2956,7 @@ C_GetTokenInfo ( CK_SLOT_ID slotID,
 // Need to check if the slot is not populated
 // then we can return the proper return code for a
 // slot that has no content.
- shm = Anchor->SharedMemP;
- sinfp = shm->slot_info;
+ sinfp = shData->slot_info;
 if (sinfp[slotID].present == FALSE ){
 OCK_LOG_ERR(ERR_TOKEN_NOT_PRESENT);
 return CKR_TOKEN_NOT_PRESENT;
diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c
index dafb3c8..a64157d 100755
--- a/usr/lib/pkcs11/api/apiutil.c
+++ b/usr/lib/pkcs11/api/apiutil.c
@@ -486,17 +486,19 @@ slot_present(id)
 {
 Slot_Mgr_Shr_t *shm;
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
+
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
 #else
 Slot_Info_t *sinfp;
 #endif
- // Get pointer to shared memory from the anchor block
- //
-
- shm = Anchor->SharedMemP;
- sinfp = &(shm->slot_info[id]);
+ sinfp = &(shData->slot_info[id]);
 if ( sinfp->present == FALSE ){
 return FALSE;
@@ -509,7 +511,7 @@ slot_present(id)
 void
 get_sess_count(CK_SLOT_ID slotID, CK_ULONG *ret)
 {
- Slot_Mgr_Shr_t *shm;
+ Slot_Mgr_Shr_t *shm;
 Slot_Info_t_64 *sinfp;
 Slot_Mgr_Proc_t_64 *procp;
@@ -517,8 +519,12 @@ get_sess_count(CK_SLOT_ID slotID, CK_ULONG *ret)
 XProcLock();
+#ifdef SLOT_INFO_BY_SOCKET
+ *ret = shm->slot_global_sessions[slotID];
+#else
 sinfp = &(shm->slot_info[slotID]);
 *ret = sinfp->global_sessions;
+#endif
 XProcUnLock();
 }
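Review bot: In slot_present (`@@ -486`) the local `Slot_Mgr_Shr_t *shm;` is now dead in both configurations because `shData` took over its only use, and in get_sess_count (`@@ -517`) `Slot_Info_t_64 *sinfp` is unused whenever SLOT_INFO_BY_SOCKET is defined; both produce -Wunused-variable noise that makes real warnings in a security-motivated change easier to miss. Delete the `shm` declaration in slot_present and move get_sess_count's `sinfp` declaration under its `#else`. Both function bodies continue outside the hunks shown, so check there is no other reader of `shm` in slot_present before removing it.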
@@ -542,8 +548,12 @@ incr_sess_counts(slotID)
 XProcLock();
+#ifdef SLOT_INFO_BY_SOCKET
+ shm->slot_global_sessions[slotID]++;
+#else
 sinfp = &(shm->slot_info[slotID]);
 sinfp->global_sessions++;
+#endif
 procp = &shm->proc_table[Anchor->MgrProcIndex];
 procp->slot_session_count[slotID]++;
@@ -571,10 +581,16 @@ decr_sess_counts(slotID)
 XProcLock();
+#ifdef SLOT_INFO_BY_SOCKET
+ if (shm->slot_global_sessions[slotID] > 0) {
+ shm->slot_global_sessions[slotID]--;
+ }
+#else
 sinfp = &(shm->slot_info[slotID]);
 if (sinfp->global_sessions > 0){
 sinfp->global_sessions--;
 }
+#endif
 procp = &shm->proc_table[Anchor->MgrProcIndex];
 if (procp->slot_session_count[slotID] > 0){
@@ -598,6 +614,7 @@ sessions_exist(slotID)
 CK_SLOT_ID slotID;
 {
 Slot_Mgr_Shr_t *shm;
+ uint32 numSessions;
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
@@ -608,26 +625,18 @@ sessions_exist(slotID)
 // Get the slot mutex
 shm = Anchor->SharedMemP;
-#ifdef PKCS64
 XProcLock();
- sinfp = &(shm->slot_info[slotID]);
- if (sinfp->global_sessions == 0) {
- XProcUnLock();
- return FALSE;
- }
- XProcUnLock();
+#ifdef SLOT_INFO_BY_SOCKET
+ numSessions = shm->slot_global_sessions[slotID];
 #else
- XProcLock();
 sinfp = &(shm->slot_info[slotID]);
- if (sinfp->global_sessions == 0) {
- XProcUnLock();
- return FALSE;
- }
- XProcUnLock();
+ sinfp->global_sessions
 #endif
- return TRUE;
+ XProcUnLock();
+
+ return numSessions != 0;
 }
 // Terminates all sessions associated with a given process
@@ -809,7 +818,11 @@ DL_UnLoad( sltp,slotID )
 API_Slot_t *sltp;
 CK_SLOT_ID slotID;
 {
- Slot_Mgr_Shr_t *shm;
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
@@ -817,8 +830,7 @@ DL_UnLoad( sltp,slotID )
 Slot_Info_t *sinfp;
 #endif
- shm = Anchor->SharedMemP;
- sinfp = &(shm->slot_info[slotID]);
+ sinfp = &(shData->slot_info[slotID]);
 if ( sinfp->present == FALSE ){
 return;
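Review bot: The `#else` branch of sessions_exist (`@@ -608`) is broken: the added `sinfp->global_sessions` line has no semicolon and never stores into `numSessions`, so a build without SLOT_INFO_BY_SOCKET fails to compile at the following `XProcUnLock();`, and if someone merely appends the `;` the function returns `numSessions != 0` on an uninitialized local and callers get a random answer about whether a slot still has open sessions. The line should read `numSessions = sinfp->global_sessions;`. The rewrite to a single lock/unlock pair with one exit is otherwise a good cleanup of the duplicated PKCS64 branches. It is also worth a short comment above the `#ifdef` that `slot_global_sessions` lives in the group-writable shared segment and is advisory only, since the `> 0` guard in decr_sess_counts is what stops a peer that scribbles over it from wrapping the counter.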
@@ -927,7 +939,11 @@ DL_Load_and_Init(sltp,slotID )
 CK_SLOT_ID slotID;
 {
- Slot_Mgr_Shr_t *shm;
+#ifdef SLOT_INFO_BY_SOCKET
+ Slot_Mgr_Socket_t *shData = &(Anchor->SocketDataP);
+#else
+ Slot_Mgr_Shr_t *shData = Anchor->SharedMemP;
+#endif
 #ifdef PKCS64
 Slot_Info_t_64 *sinfp;
@@ -945,8 +961,7 @@ DL_Load_and_Init(sltp,slotID )
 // Get pointer to shared memory from the anchor block
 //
- shm = Anchor->SharedMemP;
- sinfp = &(shm->slot_info[slotID]);
+ sinfp = &(shData->slot_info[slotID]);
 dllload = Anchor->DLLs; // list of dll's in the system
 if ( sinfp->present == FALSE ){
diff --git a/usr/lib/pkcs11/api/socket_client.c b/usr/lib/pkcs11/api/socket_client.c
index 71901ce..6572166 100644
--- a/usr/lib/pkcs11/api/socket_client.c
+++ b/usr/lib/pkcs11/api/socket_client.c
@@ -364,7 +364,7 @@ init_socket_data() {
 close(socketfd);
- memcpy(&(Anchor->SocketDataP.ck_info), &daemon_socket_data, sizeof(Slot_Mgr_Socket_t));
+ memcpy(&(Anchor->SocketDataP), &daemon_socket_data, sizeof(Slot_Mgr_Socket_t));
 return TRUE;
 }
diff --git a/usr/sbin/pkcsslotd/garbage_linux.c b/usr/sbin/pkcsslotd/garbage_linux.c
index 8780e2f..9239be4 100755
--- a/usr/sbin/pkcsslotd/garbage_linux.c
+++ b/usr/sbin/pkcsslotd/garbage_linux.c
@@ -589,15 +589,14 @@ BOOL CheckForGarbage ( Slot_Mgr_Shr_t *MemPtr ) {
 /* */
 for ( SlotIndex = 0; SlotIndex < NUMBER_SLOTS_MANAGED; SlotIndex++ ) {
-
-#ifdef PKCS64
- unsigned int *pGlobalSessions = &(MemPtr->slot_info[SlotIndex].global_sessions);
- unsigned int *pProcSessions = &(pProc->slot_session_count[SlotIndex]);
+#ifdef SLOT_INFO_BY_SOCKET
+ unsigned int *pGlobalSessions = &(MemPtr->slot_global_sessions[SlotIndex]);
 #else
- int *pGlobalSessions = &(MemPtr->slot_info[SlotIndex].global_sessions);
- int *pProcSessions = &(pProc->slot_session_count[SlotIndex]);
+ unsigned int *pGlobalSessions = &(MemPtr->slot_info[SlotIndex].global_sessions);
 #endif
+ unsigned int *pProcSessions = &(pProc->slot_session_count[SlotIndex]);
+
 if ( *pProcSessions > 0 ) {
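Review bot: `memcpy(&(Anchor->SocketDataP), &daemon_socket_data, sizeof(Slot_Mgr_Socket_t))` in init_socket_data installs whatever arrived on the socket as the table of `dll_location`/`slot_init_fcn` strings that DL_Load_and_Init later dereferences, without bounding `num_slots` or forcing the PATH_MAX+1 buffers to be NUL-terminated, so a short or malformed reply becomes an unterminated library path. The daemon is the intended peer, but the point of this series is that the library stops trusting data other pkcs11 group members can influence, so the reply should be sanity-checked before it is copied in. The receive loop and any peer check are outside this hunk: if the socket path sits in a directory a group member can write to, a rogue process could bind it and feed back exactly the overridden paths this patch removes from shared memory, so confirm the socket lives in a root-owned directory or that the client verifies the peer (e.g. SO_PEERCRED with uid 0). init_socket_data starts before this hunk; a minimal bound check for the part shown is below.
```c
	/* … unchanged: locals (add `unsigned int slot;`), connect and read of daemon_socket_data … */
	close(socketfd);

	/* Bound the daemon's reply before it becomes the load table that
	 * DL_Load_and_Init uses: a truncated or mismatched struct must not
	 * turn into an unterminated library path. */
	if (daemon_socket_data.num_slots > NUMBER_SLOTS_MANAGED) {
		return FALSE;
	}
	for (slot = 0; slot < NUMBER_SLOTS_MANAGED; slot++) {
		daemon_socket_data.slot_info[slot].dll_location[PATH_MAX] = '\0';
		daemon_socket_data.slot_info[slot].slot_init_fcn[PATH_MAX] = '\0';
		daemon_socket_data.slot_info[slot].correlator[PATH_MAX] = '\0';
	}

	memcpy(&(Anchor->SocketDataP), &daemon_socket_data, sizeof(Slot_Mgr_Socket_t));
	return TRUE;
```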
diff --git a/usr/sbin/pkcsslotd/no_odm.c b/usr/sbin/pkcsslotd/no_odm.c index c30c316..606e737 100755 --- a/usr/sbin/pkcsslotd/no_odm.c +++ b/usr/sbin/pkcsslotd/no_odm.c @@ -412,7 +412,9 @@ void PrintSlotInfo ( Slot_Info_t *P ) { DbgLog(DL3, "dll_location: '%s'", P->dll_location); DbgLog(DL3, "slot_init_fcn: '%s'", P->slot_init_fcn); DbgLog(DL3, "correlator: '%s'", P->correlator); +#ifndef SLOT_INFO_BY_SOCKET DbgLog(DL3, "global_sessions: %#X", P->global_sessions); +#endif DbgLog(DL3, "************************************************"); return; @@ -521,7 +523,9 @@ BOOL ReadSlotInfoDB ( void ) { memset(&sinfo_struct, 0, sizeof(sinfo_struct)); // for good measure zero it out before use each time +#ifndef SLOT_INFO_BY_SOCKET sinfo_struct.global_sessions = 0; // initializing to zero +#endif element_num = Present; diff --git a/usr/sbin/pkcsslotd/odm.c b/usr/sbin/pkcsslotd/odm.c index 8c7b02f..2b2f95f 100755 --- a/usr/sbin/pkcsslotd/odm.c +++ b/usr/sbin/pkcsslotd/odm.c @@ -421,7 +421,9 @@ void PrintSlotInfo ( Slot_Info_t *P ) { DbgLog(DL3, "dll_location: '%s'", P->dll_location); DbgLog(DL3, "slot_init_fcn: '%s'", P->slot_init_fcn); DbgLog(DL3, "correlator: '%s'", P->correlator); +#ifndef SLOT_INFO_BY_SOCKET DbgLog(DL3, "global_sessions: %#X", P->global_sessions); +#endif DbgLog(DL3, "************************************************"); return; diff --git a/usr/sbin/pkcsslotd/shmem.c b/usr/sbin/pkcsslotd/shmem.c index 5410b65..f974138 100755 --- a/usr/sbin/pkcsslotd/shmem.c +++ b/usr/sbin/pkcsslotd/shmem.c @@ -599,10 +599,12 @@ int InitSharedMemory ( Slot_Mgr_Shr_t *sp ) { #ifndef SLOT_INFO_BY_SOCKET PopulateCKInfo(&(sp->ck_info)); -#endif sp->num_slots = NumberSlotsInDB; PopulateSlotInfo(sp->slot_info); +#else + memset(sp->slot_global_sessions, 0, NUMBER_SLOTS_MANAGED * sizeof(uint32)); +#endif /* Initialize the process side of things. */ /* for now don't worry about the condition variables */ 
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
index 06f0415..5006264 100755
--- a/usr/sbin/pkcsslotd/socket_server.c
+++ b/usr/sbin/pkcsslotd/socket_server.c
@@ -371,8 +371,11 @@ int CreateListenerSocket ( void ) {
 int InitSocketData ( Slot_Mgr_Socket_t *socketData ) {
 PopulateCKInfo( &(socketData->ck_info) );
- return TRUE;
+ socketData->num_slots = NumberSlotsInDB;
+ PopulateSlotInfo(socketData->slot_info);
+
+ return TRUE;
 }
 int SocketConnectionHandler ( int socketfd, int timeout_secs ) {
--
1.8.1.3
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
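Review bot: InitSocketData fills `socketData` field by field and the struct is then sent to clients byte-for-byte, so everything PopulateCKInfo and PopulateSlotInfo do not write — the padding after `uint8 num_slots`, `pad2`/`pad3`, the tails of the PATH_MAX+1 string buffers and the `slot_info` entries beyond NumberSlotsInDB — ships whatever the daemon previously had in that memory to every pkcs11 group member, unless the caller already zeroes the buffer, which this hunk does not show. Add `memset(socketData, 0, sizeof(*socketData));` as the first statement of InitSocketData. The return value of PopulateSlotInfo is dropped here as it is in shmem.c; if it can report failure the daemon should not advertise a partially built table, though whether it returns a status is not visible in this patch.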
