From db96aa831f0bff3e50241babb7e701ae8cbb2e57 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 18 Apr 2023 16:29:58 -0400 Subject: [PATCH] Add URI filtering by slot attributes Signed-off-by: Simo Sorce --- src/session.c | 9 ++++----- src/slot.c | 4 ++-- src/slot.h | 2 +- src/util.c | 22 +++++++++++++++++++++- src/util.h | 3 ++- 5 files changed, 30 insertions(+), 10 deletions(-) diff --git a/src/session.c b/src/session.c index bd9ac4db..274a81e0 100644 --- a/src/session.c +++ b/src/session.c @@ -479,7 +479,7 @@ static CK_RV check_slot(P11PROV_CTX *ctx, P11PROV_SLOT *slot, P11PROV_URI *uri, CK_MECHANISM_TYPE mechtype, bool rw) { CK_TOKEN_INFO *token; - CK_FLAGS slot_flags; + CK_SLOT_INFO *ck_slot; CK_SLOT_ID slotid; CK_RV ret; @@ -488,8 +488,8 @@ static CK_RV check_slot(P11PROV_CTX *ctx, P11PROV_SLOT *slot, P11PROV_URI *uri, P11PROV_debug("Checking Slot id=%lu, uri=%p, mechtype=%lx, rw=%s)", slotid, uri, mechtype, rw ? "true" : "false"); - slot_flags = p11prov_slot_get_slot_flags(slot); - if ((slot_flags & CKF_TOKEN_PRESENT) == 0) { + ck_slot = p11prov_slot_get_slot(slot); + if ((ck_slot->flags & CKF_TOKEN_PRESENT) == 0) { return CKR_TOKEN_NOT_PRESENT; } token = p11prov_slot_get_token(slot); @@ -500,8 +500,7 @@ static CK_RV check_slot(P11PROV_CTX *ctx, P11PROV_SLOT *slot, P11PROV_URI *uri, return CKR_TOKEN_WRITE_PROTECTED; } if (uri) { - /* skip slots that do not match */ - ret = p11prov_uri_match_token(uri, token); + ret = p11prov_uri_match_token(uri, slotid, ck_slot, token); if (ret != CKR_OK) { return ret; } diff --git a/src/slot.c b/src/slot.c index 8f55cd4f..034eb4ee 100644 --- a/src/slot.c +++ b/src/slot.c @@ -463,9 +463,9 @@ CK_SLOT_ID p11prov_slot_get_slot_id(P11PROV_SLOT *slot) return slot->id; } -CK_FLAGS p11prov_slot_get_slot_flags(P11PROV_SLOT *slot) +CK_SLOT_INFO *p11prov_slot_get_slot(P11PROV_SLOT *slot) { - return slot->slot.flags; + return &slot->slot; } CK_TOKEN_INFO *p11prov_slot_get_token(P11PROV_SLOT *slot) diff --git a/src/slot.h b/src/slot.h index 22d05dce..414826aa 100644 --- a/src/slot.h +++ b/src/slot.h @@ -20,7 +20,7 @@ int p11prov_check_mechanism(P11PROV_CTX *ctx, CK_SLOT_ID id, CK_RV p11prov_slot_get_obj_pool(P11PROV_CTX *provctx, CK_SLOT_ID id, P11PROV_OBJ_POOL **pool); CK_SLOT_ID p11prov_slot_get_slot_id(P11PROV_SLOT *slot); -CK_FLAGS p11prov_slot_get_slot_flags(P11PROV_SLOT *slot); +CK_SLOT_INFO *p11prov_slot_get_slot(P11PROV_SLOT *slot); CK_TOKEN_INFO *p11prov_slot_get_token(P11PROV_SLOT *slot); const char *p11prov_slot_get_login_info(P11PROV_SLOT *slot); const char *p11prov_slot_get_bad_pin(P11PROV_SLOT *slot); diff --git a/src/util.c b/src/util.c index 097ea1c7..61b246d5 100644 --- a/src/util.c +++ b/src/util.c @@ -537,6 +537,7 @@ P11PROV_URI *p11prov_parse_uri(P11PROV_CTX *ctx, const char *uri) { struct p11prov_uri u = { .type = CK_UNAVAILABLE_INFORMATION, + .slot_id = CK_UNAVAILABLE_INFORMATION, .id = { .type = CKA_ID }, .object = { .type = CKA_LABEL }, }; @@ -829,8 +830,27 @@ char *p11prov_uri_get_pin(P11PROV_URI *uri) return uri->pin; } -CK_RV p11prov_uri_match_token(P11PROV_URI *uri, CK_TOKEN_INFO *token) +CK_RV p11prov_uri_match_token(P11PROV_URI *uri, CK_SLOT_ID slot_id, + CK_SLOT_INFO *slot, CK_TOKEN_INFO *token) { + if (uri->slot_id != CK_UNAVAILABLE_INFORMATION && uri->slot_id != slot_id) { + return CKR_CANCEL; + } + + if (uri->slot_description + && strncmp(uri->slot_description, (const char *)slot->slotDescription, + 64) + != 0) { + return CKR_CANCEL; + } + + if (uri->slot_manufacturer + && strncmp(uri->slot_manufacturer, (const char *)slot->manufacturerID, + 32) + != 0) { + return CKR_CANCEL; + } + if (uri->model && strncmp(uri->model, (const char *)token->model, 16) != 0) { return CKR_CANCEL; diff --git a/src/util.h b/src/util.h index 6020928d..626cddbc 100644 --- a/src/util.h +++ b/src/util.h @@ -60,7 +60,8 @@ CK_ATTRIBUTE p11prov_uri_get_id(P11PROV_URI *uri); CK_ATTRIBUTE p11prov_uri_get_label(P11PROV_URI *uri); char *p11prov_uri_get_serial(P11PROV_URI *uri); char *p11prov_uri_get_pin(P11PROV_URI *uri); -CK_RV p11prov_uri_match_token(P11PROV_URI *uri, CK_TOKEN_INFO *token); +CK_RV p11prov_uri_match_token(P11PROV_URI *uri, CK_SLOT_ID slot_id, + CK_SLOT_INFO *slot, CK_TOKEN_INFO *token); int p11prov_get_pin(P11PROV_CTX *ctx, const char *in, char **out); bool cyclewait_with_timeout(uint64_t max_wait, uint64_t interval, uint64_t *start_time);