From: Daiki Ueno
Date: Tue, 16 Sep 2025 08:57:24 +0000 (+0900)
Subject: pkcs11: use the same initialization code for provider
X-Git-Tag: 3.8.11~13^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=642e4e4ac983e7461bb3ff249ed7c356f2853f8e;p=thirdparty%2Fgnutls.git

pkcs11: use the same initialization code for provider

This makes the pkcs11-provider code use the thread-safe module initialization code introduced in commit aa5f15a872e62e54abe58624ee393e68d1faf689.

As the mechanism works over p11-kit managed modules, this switches the "path" config option to using PKCS#11 URI, through the "url" keyword.

Signed-off-by: Daiki Ueno
---
diff --git a/doc/cha-config.texi b/doc/cha-config.texi
index 25ff0edaf3..8a9df42b48 100644
--- a/doc/cha-config.texi
+++ b/doc/cha-config.texi
@@ -313,10 +313,10 @@ and override the default cryptographic backend of the library with the
 cryptographic functions provided by the module.
 A PKCS#11 module can be configured to serve as cryptographic backend by adding
-@code{path} and @code{pin} in the @code{[provider]} section.
+@code{url} and @code{pin} in the @code{[provider]} section.
 @itemize
-@item @code{path}: path to the PKCS#11 module.
+@item @code{url}: URL of the PKCS#11 module.
 @item @code{pin}: PIN for logging into the PKCS#11 token.
 @end itemize
@@ -327,6 +327,6 @@ Note that the module has to be initialized first.
 @example
 [provider]
-path = /usr/lib64/pkcs11/libkryoptic_pkcs11.so
+url = pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token
 pin = 1234
 @end example
diff --git a/lib/global.c b/lib/global.c
index feda32eb32..03947cf7bc 100644
--- a/lib/global.c
+++ b/lib/global.c
@@ -249,7 +249,7 @@ static int _gnutls_global_init(unsigned constructor)
 int level;
 const char *e;
 #if defined(ENABLE_PKCS11) && defined(ENABLE_FIPS140)
-const char *p11_provider_path = NULL;
+const char *p11_provider_url = NULL;
 const char *p11_provider_pin = NULL;
 #endif
@@ -411,11 +411,11 @@ static int _gnutls_global_init(unsigned constructor)
 _gnutls_prepare_to_load_system_priorities();
 #if defined(ENABLE_PKCS11) && defined(ENABLE_FIPS140)
-p11_provider_path = _gnutls_config_get_p11_provider_path();
+p11_provider_url = _gnutls_config_get_p11_provider_url();
 p11_provider_pin = _gnutls_config_get_p11_provider_pin();
-if (res == 1 && p11_provider_path != NULL) {
-ret = _p11_provider_init(p11_provider_path,
+if (res == 1 && p11_provider_url != NULL) {
+ret = _p11_provider_init(p11_provider_url,
 (const uint8_t *)p11_provider_pin,
 strlen(p11_provider_pin));
 if (ret < 0) {
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index f3caea1170..54d3c9f672 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1808,7 +1808,7 @@ extern unsigned int _gnutls_global_version;
 bool _gnutls_config_is_ktls_enabled(void);
 bool _gnutls_config_is_rsa_pkcs1_encrypt_allowed(void);
 int _gnutls_config_set_certificate_compression_methods(gnutls_session_t session);
-const char *_gnutls_config_get_p11_provider_path(void);
+const char *_gnutls_config_get_p11_provider_url(void);
 const char *_gnutls_config_get_p11_provider_pin(void);
 #endif /* GNUTLS_LIB_GNUTLS_INT_H */
diff --git a/lib/pkcs11/p11_provider.c b/lib/pkcs11/p11_provider.c
index faf75d219d..c786d9fa8c 100644
--- a/lib/pkcs11/p11_provider.c
+++ b/lib/pkcs11/p11_provider.c
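Review bot: `strlen(p11_provider_pin)` in the new `_p11_provider_init` call runs whenever `url` is configured, but nothing in the hunk checks that `p11_provider_pin` is non-NULL, and `_gnutls_config_get_p11_provider_pin()` simply returns the config field, which is presumably NULL when no `pin` key was given; a `[provider]` section with `url` but no `pin` would then reach `strlen(NULL)`. Unless the config loader guarantees the pair elsewhere (not visible here), guard the call: `if (res == 1 && p11_provider_url != NULL && p11_provider_pin != NULL) {`, or pass `p11_provider_pin != NULL ? strlen(p11_provider_pin) : 0` and let `_p11_provider_init` decide what an empty PIN means. This was already true of the `path` variant; the commit rewrites the lines without addressing it. `_gnutls_global_init` begins and ends outside the hunk.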
@@ -28,91 +28,70 @@
 #include "p11_mac.h"
 #include "p11_provider.h"
-#define P11_KIT_FUTURE_UNSTABLE_API
-#include 
-
 static struct {
 struct ck_function_list *module;
 ck_slot_id_t slot;
-uint8_t *pin;
-size_t pin_size;
+gnutls_datum_t pin;
 bool initialized;
 } p11_provider;
-int _p11_provider_init(const char *module_path, const uint8_t *pin,
+int _p11_provider_init(const char *url, const uint8_t *pin_data,
 size_t pin_size)
 {
 int ret;
-ck_rv_t rv;
-P11KitIter *iter = NULL;
-struct ck_function_list *modules[2] = { 0 };
-ck_slot_id_t slot = 0;
-uint8_t *_pin = NULL;
+struct p11_kit_uri *uinfo = NULL;
+gnutls_datum_t pin = { NULL, 0 };
+struct ck_function_list *module;
+ck_slot_id_t slot;
 if (p11_provider.initialized)
 return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-modules[0] = p11_kit_module_load(module_path, 0);
-if (modules[0] == NULL)
-return gnutls_assert_val(GNUTLS_E_PKCS11_LOAD_ERROR);
+PKCS11_CHECK_INIT;
-rv = p11_kit_module_initialize(modules[0]);
-if (rv != CKR_OK) {
-p11_kit_module_release(modules[0]);
-return gnutls_assert_val(GNUTLS_E_PKCS11_ERROR);
-}
+uinfo = p11_kit_uri_new();
+if (uinfo == NULL)
+return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-iter = p11_kit_iter_new(NULL, P11_KIT_ITER_WITH_TOKENS |
-P11_KIT_ITER_WITHOUT_OBJECTS);
-if (iter == NULL) {
-ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-goto error;
+ret = p11_kit_uri_parse(url, P11_KIT_URI_FOR_TOKEN, uinfo);
+if (ret != P11_KIT_URI_OK) {
+ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+goto cleanup;
 }
-p11_kit_iter_begin(iter, modules);
-rv = p11_kit_iter_next(iter);
-if (rv != CKR_OK) {
-ret = gnutls_assert_val(GNUTLS_E_PKCS11_ERROR);
-goto error;
+ret = _gnutls_set_datum(&pin, pin_data, pin_size);
+if (ret < 0) {
+gnutls_assert();
+goto cleanup;
 }
-slot = p11_kit_iter_get_slot(iter);
-p11_kit_iter_free(iter);
-
-_pin = gnutls_malloc(pin_size);
-if (_pin == NULL) {
-ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-goto error;
+ret = pkcs11_find_slot(&module, &slot, uinfo, NULL, NULL, NULL);
+if (ret < 0) {
+gnutls_assert();
+goto cleanup;
 }
-memcpy(_pin, pin, pin_size);
-ret = _p11_ciphers_init(modules[0], slot);
+ret = _p11_ciphers_init(module, slot);
 if (ret < 0) {
 gnutls_assert();
-goto error;
+goto cleanup;
 }
-ret = _p11_macs_init(modules[0], slot);
+ret = _p11_macs_init(module, slot);
 if (ret < 0) {
 gnutls_assert();
-goto error;
+goto cleanup;
 }
-p11_provider.module = modules[0];
+p11_provider.module = module;
 p11_provider.slot = slot;
-p11_provider.pin = _pin;
-p11_provider.pin_size = pin_size;
+p11_provider.pin = _gnutls_steal_datum(&pin);
 p11_provider.initialized = true;
 return 0;
-error:
-if (iter != NULL)
-p11_kit_iter_free(iter);
-gnutls_free(_pin);
-p11_kit_module_finalize(modules[0]);
-p11_kit_module_release(modules[0]);
-_p11_ciphers_deinit();
-_p11_macs_deinit();
+cleanup:
+p11_kit_uri_free(uinfo);
+_gnutls_free_key_datum(&pin);
 return ret;
 }
@@ -121,12 +100,11 @@ void _p11_provider_deinit(void)
 if (!p11_provider.initialized)
 return;
-gnutls_free(p11_provider.pin);
-p11_kit_module_finalize(p11_provider.module);
-p11_kit_module_release(p11_provider.module);
-memset(&p11_provider, 0, sizeof(p11_provider));
 _p11_ciphers_deinit();
 _p11_macs_deinit();
+
+_gnutls_free_key_datum(&p11_provider.pin);
+p11_provider.initialized = false;
 }
 bool _p11_provider_is_initialized(void)
@@ -145,8 +123,9 @@ ck_session_handle_t _p11_provider_open_session(void)
 if (rv != CKR_OK)
 return CK_INVALID_HANDLE;
-rv = p11_provider.module->C_Login(session, CKU_USER, p11_provider.pin,
-p11_provider.pin_size);
+rv = p11_provider.module->C_Login(session, CKU_USER,
+p11_provider.pin.data,
+p11_provider.pin.size);
 if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 p11_provider.module->C_CloseSession(session);
 return CK_INVALID_HANDLE;
diff --git a/lib/priority.c b/lib/priority.c
index 25a2de95a8..e705158a71 100644
--- a/lib/priority.c
+++ b/lib/priority.c
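Review bot: `uinfo` from `p11_kit_uri_new()` is released only under the `cleanup:` label, so the success path `return 0;` at the end of `_p11_provider_init` leaks it on every successful initialization; `p11_provider` keeps no pointer to it and `_p11_provider_deinit` cannot free it later. A second gap in the same hunk: the old `error:` label unwound `_p11_ciphers_deinit()` and `_p11_macs_deinit()`, the new `cleanup:` does not, so when `_p11_macs_init` fails the state set up by the preceding `_p11_ciphers_init` appears to stay behind while `initialized` remains false (assuming those init functions register state, as the old unwind implies). Routing success through the label and unwinding on error fixes both; after `_gnutls_steal_datum` the local `pin` is empty, so the existing free there should be a no-op on success.
```c
	p11_provider.pin = _gnutls_steal_datum(&pin);
	p11_provider.initialized = true;
	ret = 0;

cleanup:
	if (ret < 0) {
		/* undo partial registration, as the old error path did */
		_p11_ciphers_deinit();
		_p11_macs_deinit();
	}
	p11_kit_uri_free(uinfo);
	_gnutls_free_key_datum(&pin);
	return ret;
}
```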
@@ -1022,7 +1022,7 @@ struct cfg {
 gnutls_compression_method_t cert_comp_algs[MAX_COMPRESS_CERTIFICATE_METHODS + 1];
-char *p11_provider_path;
+char *p11_provider_url;
 char *p11_provider_pin;
 ext_master_secret_t force_ext_master_secret;
@@ -1042,7 +1042,7 @@ static inline void cfg_deinit(struct cfg *cfg)
 }
 gnutls_free(cfg->priority_string);
 gnutls_free(cfg->default_priority_string);
-gnutls_free(cfg->p11_provider_path);
+gnutls_free(cfg->p11_provider_url);
 gnutls_free(cfg->p11_provider_pin);
 }
@@ -1144,8 +1144,8 @@ static inline void cfg_steal(struct cfg *dst, struct cfg *src)
 dst->default_priority_string = src->default_priority_string;
 src->default_priority_string = NULL;
-dst->p11_provider_path = src->p11_provider_path;
-src->p11_provider_path = NULL;
+dst->p11_provider_url = src->p11_provider_url;
+src->p11_provider_url = NULL;
 dst->p11_provider_pin = src->p11_provider_pin;
 src->p11_provider_pin = NULL;
@@ -1620,15 +1620,15 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name,
 if (ret < 0)
 return 0;
 } else if (c_strcasecmp(section, PROVIDER_SECTION) == 0) {
-if (c_strcasecmp(name, "path") == 0) {
-gnutls_free(cfg->p11_provider_path);
-cfg->p11_provider_path = NULL;
+if (c_strcasecmp(name, "url") == 0) {
+gnutls_free(cfg->p11_provider_url);
+cfg->p11_provider_url = NULL;
 p = clear_spaces(value, str);
 _gnutls_debug_log(
-"cfg: adding pkcs11 provider path %s\n", p);
+"cfg: adding pkcs11 provider url %s\n", p);
 if (strlen(p) > 0) {
-cfg->p11_provider_path = gnutls_strdup(p);
-if (cfg->p11_provider_path == NULL) {
+cfg->p11_provider_url = gnutls_strdup(p);
+if (cfg->p11_provider_url == NULL) {
 _gnutls_debug_log(
 "cfg: failed setting pkcs11 provider path\n");
 return 0;
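Review bot: The failure message at the end of the `cfg_ini_handler` hunk still reads `"cfg: failed setting pkcs11 provider path\n"` although the matching success message a few lines above was renamed to `url`; anyone correlating debug logs on the new keyword will not find the `gnutls_strdup` failure. Change it to `"cfg: failed setting pkcs11 provider url\n"`. The handler continues past the end of the hunk, so any remaining `path` wording in the `pin` branch is not visible here.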
@@ -4095,9 +4095,9 @@ int _gnutls_config_set_certificate_compression_methods(gnutls_session_t session)
 return 0;
 }
-const char *_gnutls_config_get_p11_provider_path(void)
+const char *_gnutls_config_get_p11_provider_url(void)
 {
-return system_wide_config.p11_provider_path;
+return system_wide_config.p11_provider_url;
 }
 const char *_gnutls_config_get_p11_provider_pin(void)
diff --git a/tests/pkcs11-provider/test-pkcs11-provider.sh b/tests/pkcs11-provider/test-pkcs11-provider.sh
index 3c867b6882..69f4284d46 100755
--- a/tests/pkcs11-provider/test-pkcs11-provider.sh
+++ b/tests/pkcs11-provider/test-pkcs11-provider.sh
@@ -50,7 +50,7 @@ cat >"${PRIORITY_FILE}" <<_EOF_
 allow-rsa-pkcs1-encrypt = true
 [provider]
-path = ${MODULE}
+url = pkcs11:model=v1;manufacturer=Kryoptic%20Project;token=Kryoptic%20Token
 pin = ${PIN}
 _EOF_