Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: restore compatibility with libp11 0.4.13 #36

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: restore compatibility with libp11 0.4.13 #36

wants to merge 2 commits into from
+12 −5

Conversation

nkraetzschmar
Copy link

This module is no longer compatible with the openssl pkcs11 engine since libp11 version 0.4.13.

Compatibility between this module and libp11 has been broken since OpenSC/libp11@da8cd1f.

Root cause

This change introduced some automatic clearing of keys when no more valid sessions exist. However, since checking if a session is valid is done by checking if C_GetSessionInfo returns CKR_OK1 this currently always marks all sessions as invalid as C_GetSessionInfo always returns CKR_FUNCTION_NOT_SUPPORTED.

Therefore keys get cleared too early, causing undefined behaviour.

Initially this caused a segfault and since OpenSC/libp11@7f6eba0 the visible behaviour of the bug changed to instead result in errors of the form:

Public Key operation error
003C7E99FFFF0000:error:020000B3:rsa routines:rsa_ossl_private_encrypt:missing private key:../crypto/rsa/rsa_ossl.c:367:

Likely due to the new key->object_class == CKO_PRIVATE_KEY check always failing on cleared keys.

Fix

This PR restores the old behaviour by now always returning CKR_OK in C_GetSessionInfo.

Disclaimer: I lack the in-depth understanding of pkcs11 modules to properly asses wether implementing C_GetSessionInfo this way may cause other issues.

Footnotes

  1. https://github.com/OpenSC/libp11/blob/6d669183c7b241ce47ecce28744837ad92814f5c/src/p11_slot.c#L156

@nkraetzschmar nkraetzschmar mentioned this pull request Jan 16, 2025
Open
@JackOfMostTrades
Copy link
Owner

Thank you for the detailed PR! I was reading up on this function and I think if this is going to return CKR_OK then it should probably fill in the session info. I spent some time in the manuals and I think the session info fields are probably best filled in as below. Could you update the implementation with something along these lines?

CK_RV C_GetSessionInfo(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) {
    CkSession *session = (CkSession*)hSession;
    if (session == NULL) {
        return CKR_SESSION_HANDLE_INVALID;
    }
    memset(pInfo, 0, sizeof(*pInfo));
    pInfo->slotID = session->slot_id;
    pInfo->state = CKS_RW_USER_FUNCTIONS;
    pInfo->flags = CKF_RW_SESSION | CKF_SERIAL_SESSION;
    return CKR_OK;
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nkraetzschmar @JackOfMostTrades