Hi Ross, Thanks for the submission. It has been integrated into the v3alpha branch, thus the delay. I made a few changes such that we use this method by default.
regards, Joy On Fri, 2013-03-01 at 10:11 +0000, Ross McIlroy wrote: > Hi, > > Resending this as 1 patch per email since my original email bounced, > apologies if you receive it multiple times. > > This set of patches enables OpenCryptoKI to be configured to pass slot > information between the daemon and the pkcs11 library using sockets > rather than shared memory. The reason for these patches is to avoid the > potential priv escalation issue whereby members of the pkcs11 group can > override the locations of the backend library .so files, and so can > execute arbitrary code with the privileges of other pkcs11 group members. > > The patches build on each other (the first two being refactorings to > avoid duplicate code in the second two patches). > > Please let me know if you have any questions or comments on the patches. > > Cheers, > Ross > > -------- [PATCH 1/4] --------------- > > > Add a CK_Info_From_Internal helper function to apiutil to avoid > duplicating code. > > The CK_Info_From_Internal function copies the internal representation of > CK_Info to the external one. > > Signed-off-by: Ross McIlroy <[email protected]> > --- > usr/lib/pkcs11/api/api_interface.c | 36 > +----------------------------------- > usr/lib/pkcs11/api/apiproto.h | 6 ++++++ > usr/lib/pkcs11/api/apiutil.c | 24 ++++++++++++++++++++++++ > 3 files changed, 31 insertions(+), 35 deletions(-) > > diff --git a/usr/lib/pkcs11/api/api_interface.c > b/usr/lib/pkcs11/api/api_interface.c > index 3489abc..56ad6a8 100755 > --- a/usr/lib/pkcs11/api/api_interface.c > +++ b/usr/lib/pkcs11/api/api_interface.c > @@ -2287,8 +2287,6 @@ C_GetFunctionStatus ( CK_SESSION_HANDLE hSession ) > // > //------------------------------------------------------------------------ > > -#ifdef PKCS64 > - > CK_RV > C_GetInfo ( CK_INFO_PTR pInfo ) > { > @@ -2306,44 +2304,12 @@ C_GetInfo ( CK_INFO_PTR pInfo ) > } > > shm = Anchor->SharedMemP; > - > - memset(pInfo, 0, sizeof(*pInfo)); > - > - pInfo->cryptokiVersion = shm->ck_info.cryptokiVersion; > - memset(pInfo->manufacturerID, '\0', 32); > - memcpy(pInfo->manufacturerID, &(shm->ck_info.manufacturerID), 32); > - pInfo->flags = shm->ck_info.flags; > - memcpy(pInfo->libraryDescription, > &(shm->ck_info.libraryDescription), 32); > - pInfo->libraryVersion = shm->ck_info.libraryVersion; > + CK_Info_From_Internal(pInfo, &(shm->ck_info)); > > return CKR_OK; > } // end of C_GetInfo > > -#else > - > -CK_RV > -C_GetInfo ( CK_INFO_PTR pInfo ) > -{ > - Slot_Mgr_Shr_t *shm; > > - OCK_LOG_DEBUG("C_GetInfo\n"); > - if (! API_Initialized() ) { > - OCK_LOG_ERR(ERR_CRYPTOKI_NOT_INITIALIZED); > - return CKR_CRYPTOKI_NOT_INITIALIZED; > - } > - > - if ( !pInfo ) { > - OCK_LOG_ERR(ERR_FUNCTION_FAILED); > - return CKR_FUNCTION_FAILED; > - } > - > - shm = Anchor->SharedMemP; > - memcpy(pInfo, &(shm->ck_info), sizeof(CK_INFO)); > - > - return CKR_OK; > -} // end of C_GetInfo > - > -#endif > > //------------------------------------------------------------------------ > // API function C_GetMechanismInfo > diff --git a/usr/lib/pkcs11/api/apiproto.h b/usr/lib/pkcs11/api/apiproto.h > index 69702c7..4671446 100755 > --- a/usr/lib/pkcs11/api/apiproto.h > +++ b/usr/lib/pkcs11/api/apiproto.h > @@ -332,6 +332,12 @@ int Valid_Session(CK_SESSION_HANDLE, ST_SESSION_T *); > void DL_UnLoad( API_Slot_t *, CK_SLOT_ID); > void DL_Unload(API_Slot_t *); > > +#ifdef PKCS64 > +void CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR_64 src ); > +#else > +void CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR src ); > +#endif > + > int sessions_exist(CK_SLOT_ID); > > #ifdef DEBUG > diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c > index 4474648..dafb3c8 100755 > --- a/usr/lib/pkcs11/api/apiutil.c > +++ b/usr/lib/pkcs11/api/apiutil.c > @@ -1010,3 +1010,27 @@ DL_Load_and_Init(sltp,slotID ) > return TRUE; > > } > + > +#ifdef PKCS64 > +// copies internal representation of ck_info structure to local process > representation > +void > +CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR_64 src ) { > + > + memset(dest, 0, sizeof(*dest)); > + > + dest->cryptokiVersion = src->cryptokiVersion; > + memset(dest->manufacturerID, '\0', 32); > + memcpy(dest->manufacturerID, src->manufacturerID, 32); > + dest->flags = src->flags; > + memcpy(dest->libraryDescription, src->libraryDescription, 32); > + dest->libraryVersion = src->libraryVersion; > +} > + > +#else > + > +void > +CK_Info_From_Internal ( CK_INFO_PTR dest, CK_INFO_PTR src ) { > + memcpy(dest, src, sizeof(CK_INFO)); > +} > + > +#endif > -- 1.8.1.3 > > ------------------------------------------------------------------------------ > Everyone hates slow websites. So do we. > Make your web apps faster with AppDynamics > Download AppDynamics Lite for free today: > http://p.sf.net/sfu/appdyn_d2d_feb > _______________________________________________ > Opencryptoki-tech mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech > ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Opencryptoki-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
