Hi,

Resending this as 1 patch per email since my original email bounced, 
apologies if you receive it multiple times.

This set of patches enables OpenCryptoKI to be configured to pass slot 
information between the daemon and the pkcs11 library using sockets 
rather than shared memory.  The reason for these patches is to avoid the 
potential privilege-escalation issue whereby members of the pkcs11 group can 
override the locations of the backend library .so files, and so can 
execute arbitrary code with the privileges of other pkcs11 group members.

The patches build on each other (the first two being refactorings to 
avoid duplicate code in the second two patches).

Please let me know if you have any questions or comments on the patches.

Cheers,
Ross

-------- [PATCH 1/4] ---------------


Add a CK_Info_From_Internal helper function to apiutil to avoid 
duplicating code.

The CK_Info_From_Internal function copies the internal representation of 
CK_Info to the external one.

Signed-off-by: Ross McIlroy <[email protected]>
---
  usr/lib/pkcs11/api/api_interface.c | 36 
+-----------------------------------
  usr/lib/pkcs11/api/apiproto.h      |  6 ++++++
  usr/lib/pkcs11/api/apiutil.c       | 24 ++++++++++++++++++++++++
  3 files changed, 31 insertions(+), 35 deletions(-)

diff --git a/usr/lib/pkcs11/api/api_interface.c 
b/usr/lib/pkcs11/api/api_interface.c
index 3489abc..56ad6a8 100755
--- a/usr/lib/pkcs11/api/api_interface.c
+++ b/usr/lib/pkcs11/api/api_interface.c
@@ -2287,8 +2287,6 @@ C_GetFunctionStatus ( CK_SESSION_HANDLE hSession )
  //
  //------------------------------------------------------------------------

-#ifdef PKCS64
-
  CK_RV
  C_GetInfo ( CK_INFO_PTR pInfo )
  {
@@ -2306,44 +2304,12 @@ C_GetInfo ( CK_INFO_PTR pInfo )
     }

     shm = Anchor->SharedMemP;
-
-   memset(pInfo, 0, sizeof(*pInfo));
-
-   pInfo->cryptokiVersion = shm->ck_info.cryptokiVersion;
-   memset(pInfo->manufacturerID, '\0', 32);
-   memcpy(pInfo->manufacturerID, &(shm->ck_info.manufacturerID), 32);
-   pInfo->flags = shm->ck_info.flags;
-   memcpy(pInfo->libraryDescription, 
&(shm->ck_info.libraryDescription), 32);
-   pInfo->libraryVersion = shm->ck_info.libraryVersion;
+   CK_Info_From_Internal(pInfo, &(shm->ck_info));

     return CKR_OK;
  } // end of C_GetInfo

-#else
-
-CK_RV
-C_GetInfo ( CK_INFO_PTR pInfo )
-{
-   Slot_Mgr_Shr_t  *shm;

-   OCK_LOG_DEBUG("C_GetInfo\n");
-   if (! API_Initialized() ) {
-      OCK_LOG_ERR(ERR_CRYPTOKI_NOT_INITIALIZED);
-      return CKR_CRYPTOKI_NOT_INITIALIZED;
-   }
-
-   if ( !pInfo ) {
-      OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-      return CKR_FUNCTION_FAILED;
-   }
-
-   shm = Anchor->SharedMemP;
-   memcpy(pInfo, &(shm->ck_info), sizeof(CK_INFO));
-
-   return CKR_OK;
-} // end of C_GetInfo
-
-#endif

  //------------------------------------------------------------------------
  // API function C_GetMechanismInfo
diff --git a/usr/lib/pkcs11/api/apiproto.h b/usr/lib/pkcs11/api/apiproto.h
index 69702c7..4671446 100755
--- a/usr/lib/pkcs11/api/apiproto.h
+++ b/usr/lib/pkcs11/api/apiproto.h
@@ -332,6 +332,12 @@ int Valid_Session(CK_SESSION_HANDLE, ST_SESSION_T *);
  void DL_UnLoad( API_Slot_t  *, CK_SLOT_ID);
  void DL_Unload(API_Slot_t  *);

+#ifdef PKCS64
+void CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR_64 src );
+#else
+void CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR src );
+#endif
+
  int sessions_exist(CK_SLOT_ID);

  #ifdef DEBUG
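Review bot: The two new `CK_Info_From_Internal` prototypes have no comment, and `src` is passed through a non-const pointer typedef although the definition in apiutil.c only reads from it. A one-line header comment above the `#ifdef PKCS64`, such as `/* Copy the slot manager's ck_info into the caller's CK_INFO; dest and src must be non-NULL. */`, would record the contract where callers see it. If a pointer-to-const spelling of the source type is available in this tree, using it here would let the compiler reject accidental writes to the shared copy.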
diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c
index 4474648..dafb3c8 100755
--- a/usr/lib/pkcs11/api/apiutil.c
+++ b/usr/lib/pkcs11/api/apiutil.c
@@ -1010,3 +1010,27 @@ DL_Load_and_Init(sltp,slotID )
     return TRUE;

  }
+
+#ifdef PKCS64
+// copies internal representation of ck_info structure to local process 
representation
+void
+CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR_64 src ) {
+
+  memset(dest, 0, sizeof(*dest));
+
+  dest->cryptokiVersion = src->cryptokiVersion;
+  memset(dest->manufacturerID, '\0', 32);
+  memcpy(dest->manufacturerID, src->manufacturerID, 32);
+  dest->flags = src->flags;
+  memcpy(dest->libraryDescription, src->libraryDescription, 32);
+  dest->libraryVersion = src->libraryVersion;
+}
+
+#else
+
+void
+CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR src ) {
+  memcpy(dest, src, sizeof(CK_INFO));
+}
+
+#endif
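Review bot: The PKCS64 variant of `CK_Info_From_Internal` hard-codes the field width as `32` in both `memcpy` calls, and the source is the `ck_info` read from the slot manager's shared memory. A later change to either struct's array size would therefore become an out-of-bounds copy with no compiler warning. Taking the length from the destination, `memcpy(dest->manufacturerID, src->manufacturerID, sizeof(dest->manufacturerID));` and likewise for `libraryDescription`, ties the bound to the buffer, assuming the source arrays stay at least as wide. The `memset(dest->manufacturerID, '\0', 32);` line is redundant after the whole-struct `memset` and can be dropped. Neither variant checks `dest` or `src` for NULL, so the helper relies on callers such as C_GetInfo validating `pInfo` first; a comment on both variants stating that would help, since only the PKCS64 one is documented.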
-- 1.8.1.3
