Pkcs11 login #3750
Pkcs11 login #3750
Conversation
Sync with PKCS11 TA API update from [1] for authentication related commands. Link: [1] OP-TEE/optee_os#3750 Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
| case TEE_ERROR_SHORT_BUFFER: | ||
| return PKCS11_CKR_BUFFER_TOO_SMALL; | ||
|
|
||
| case TEE_ERROR_MAC_INVALID: |
There was a problem hiding this comment.
for info: TEE_ERROR_SIGNATURE_INVALID from TEE_AsymmetricVerifyDigest() also matches PKCS11_CKR_SIGNATURE_INVALID.
There was a problem hiding this comment.
OK, I'll add that here.
ta/pkcs11/src/persistent_token.c
Outdated
|
|
||
| res = TEE_AllocateOperation(&oh, TEE_ALG_SHA256, TEE_MODE_DIGEST, 0); | ||
| if (res) | ||
| return PKCS11_CKR_GENERAL_ERROR; |
There was a problem hiding this comment.
don't you prefer to report at least of out-of-memory status when allocation fails for that.
There was a problem hiding this comment.
OK, I'll update with tee2pkcs_error().
There was a problem hiding this comment.
for commit "ta: pkcs11: update PIN fields in struct token_persistent_main"
Reviewed-by: Etienne Carriere <[email protected]>
There was a problem hiding this comment.
for commit "ta: pkcs11: update PIN fields in struct token_persistent_main"
Reviewed-by: Etienne Carriere <[email protected]>
|
|
||
| serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); | ||
|
|
||
| rc = serialargs_get(&ctrlargs, &token_id, sizeof(uint32_t)); |
There was a problem hiding this comment.
From PKCS11 spec, there are precedence requirement on some (very few) return values.
Invalid slot ID (or token ID, same) is one of them.
You can find below a suggestion to factorize this with a friendly serialargs_get_session() helper function:
etienne-lms@6a1e6d9
There was a problem hiding this comment.
PKCS11_CKR_SLOT_ID_INVALID, does not take precedence over any other error code (see 5.1.6 All other Cryptoki function return values).
The precedence rule (as I understand it) only is applicable if there's multiple competing errors. So if unpacking of arguments fail, we return PKCS11_CKR_ARGUMENTS_BAD, there's no other competing error code at this stage.
I'll move and update the pin_size check below though. I guess it makes sense to check the arguments in the order they were supplied to C_InitToken().
There was a problem hiding this comment.
You're right, sorry. I mixed up with the session handle that should take precedence (CKR_SESSION_HANDLE_INVALID).
I think my comment could apply to the commits where session_handle is read from the client arguments.
|
|
||
| token = get_token(token_id); | ||
| if (!token) | ||
| return PKCS11_CKR_SLOT_ID_INVALID; |
ta/pkcs11/src/pkcs11_token.c
Outdated
| return PKCS11_CKR_PIN_LOCKED; | ||
| } | ||
|
|
||
| /* Check there's no open session on this token */ |
| if (rc) | ||
| return rc; | ||
|
|
||
| update_persistent_db(token); |
There was a problem hiding this comment.
can't this operation fail?
Commit "ta: pkcs11: helper to update token persistent database" should be placed before this commit in the series.
There was a problem hiding this comment.
No it can't fail, the TA panics instead since continueing from here could be a security problem.
There was a problem hiding this comment.
true, sorry. I made this comment before looking at the implementation 👎
ta/pkcs11/src/pkcs11_token.c
Outdated
|
|
||
| if (token->db_main->so_pin_count == 6) | ||
| token->db_main->flags |= PKCS11_CKFT_SO_PIN_FINAL_TRY; | ||
| if (token->db_main->so_pin_count == 7) |
There was a problem hiding this comment.
Maybe the max number of attempts should be configurable.
There was a problem hiding this comment.
Agree, I'll fix.
ta/pkcs11/src/pkcs11_token.c
Outdated
| update_persistent_db(token); | ||
|
|
||
| label[PKCS11_TOKEN_LABEL_SIZE] = '\0'; | ||
| IMSG("PKCS11 token %"PRIu32": initialized \"%s\"", token_id, label); |
There was a problem hiding this comment.
Label is UTF8 so not sure IMSG() is able to print it.
There was a problem hiding this comment.
OK, I'll remove it.
ta/pkcs11/src/pkcs11_token.c
Outdated
| return PKCS11_CKR_OK; | ||
| } | ||
|
|
||
| /* ctrl=[session-handle][pin-size]{pin-arrays], in=unused, out=unused */ |
|
|
||
| serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); | ||
|
|
||
| rc = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); |
There was a problem hiding this comment.
minor: prefer here sizeof(uint32_t) or sizeof(session_handle)?
There was a problem hiding this comment.
In this case I prefer sizeof(uint32_t) since it's a bit easier to double check the ABI.
ta/pkcs11/include/pkcs11_ta.h
Outdated
| * [out] memref[0] = 32bit return code, enum pkcs11_rc | ||
| * | ||
| * This command relates to the PKCS#11 API function | ||
| * C_CloseAllSessions(). |
There was a problem hiding this comment.
s/C_CloseAllSessions/C_SetPIN.
ta/pkcs11/src/pkcs11_token.c
Outdated
| return PKCS11_CKR_OK; | ||
| } | ||
|
|
||
| /* ctrl=[session][old-size]{old-pin][pin-size]{pin], in=unused, out=unused */ |
| TEE_Param *ctrl = params; | ||
| uint32_t pin_size = 0; | ||
| void *old_pin = NULL; | ||
| void *pin = NULL; |
There was a problem hiding this comment.
beautiful trapezium :)
ta/pkcs11/src/pkcs11_token.c
Outdated
| enum pkcs11_rc rc = PKCS11_CKR_OK; | ||
|
|
||
| if (!token->db_main->user_pin_salt || | ||
| !(token->db_main->flags & PKCS11_CKFT_USER_PIN_INITIALIZED)) |
There was a problem hiding this comment.
need to check both? info is redundant.
There was a problem hiding this comment.
I'll remove the flags test.
ta/pkcs11/src/pkcs11_token.c
Outdated
| struct ck_token *token = session->token; | ||
| enum pkcs11_rc rc = PKCS11_CKR_OK; | ||
|
|
||
| /* Note: intentional return code USER_PIN_NOT_INITIALIZED */ |
There was a problem hiding this comment.
C_SetPIN() should not return CKR_USER_PIN_NOT_INITIALIZED. Is it because test below should be happen that this intentionally returns such status? Why not an assertion or a straight panic?
There was a problem hiding this comment.
OK, I'll assert.
ta/pkcs11/src/pkcs11_token.c
Outdated
| } | ||
|
|
||
| if (token->db_main->flags & (PKCS11_CKFT_SO_PIN_COUNT_LOW | | ||
| PKCS11_CKFT_SO_PIN_FINAL_TRY)) { |
There was a problem hiding this comment.
prefer indent to opening parenthesis.
ta/pkcs11/src/persistent_token.c
Outdated
|
|
||
| res = open_db_file(token, &db_hdl); | ||
| if (res) { | ||
| EMSG("Failed to open token persisten db: %#"PRIx32, res); |
There was a problem hiding this comment.
s/persisten/persisent/
ditto below.
There was a problem hiding this comment.
Or persistent even :-)
ta/pkcs11/src/persistent_token.c
Outdated
|
|
||
| TEE_CloseObject(db_hdl); | ||
|
|
||
| return tee2pkcs_error(res); |
ta/pkcs11/src/pkcs11_token.c
Outdated
| } | ||
| } | ||
|
|
||
| /* ctrl=[session][user_type][pin-size]{pin], in=unused, out=unused */ |
| * This is the point where we could check if another client | ||
| * has another user or SO logged in. Currently we don't | ||
| * care. | ||
| */ |
There was a problem hiding this comment.
why not checking that now? We could parse the client list pkcs11_client_list for that.
There was a problem hiding this comment.
The spec says:
CKR_USER_TOO_MANY_TYPES: An attempt was made to have more distinct users simultaneously logged into the token than the token and/or library permits. For example, if some application has an open SO session, and another application attempts to log the normal user into a session, the attempt may return this error. It is not required to, however. Only if the simultaneous distinct users cannot be supported does C_Login have to return this value. Note that this error code generalizes to true multi-user tokens.
So we are permitted to skip this check, I don't see any harm in skipping it. The comment should be more clear on this though. I'll update that.
There was a problem hiding this comment.
Ok for nit dealing with CKR_USER_TOO_MANY_TYPES.
But maybe another client (client application) has open sessions towards the token. These session should be considered as well as the session owned by the current client.
I think made proto made a shortcut, returning CKR_USER_TOO_MANY_TYPES if other clients were found on same token instead of properly handling their sessions state.
There was a problem hiding this comment.
Please crosscheck with "2.6.8 Example of use of sessions" in "PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40".
To me it seems that clients are quite independent of each other when it comes to logins.
There was a problem hiding this comment.
You're right. Discard my comment.
ta/pkcs11/src/pkcs11_token.c
Outdated
| return rc; | ||
| } | ||
|
|
||
| /* ctrl=[session], in=unused, out=unused */ |
|
Update |
ta/pkcs11/src/pkcs11_token.c
Outdated
|
|
||
| update_persistent_db(token); | ||
|
|
||
| label[PKCS11_TOKEN_LABEL_SIZE] = '\0'; |
There was a problem hiding this comment.
can remove this, and:
- char label[PKCS11_TOKEN_LABEL_SIZE + 1] = { 0 };
+ char label[PKCS11_TOKEN_LABEL_SIZE] = { 0 };
|
@wamserma, @Emantor, @ricardosalveti could you have a look at this P-R and related OP-TEE/optee_client#205 and OP-TEE/optee_test#418? |
|
I'm going to squash the commits and rebase on master to make it easier to review. |
jenswi-linaro
force-pushed
the
pkcs11_login
branch
from
71545e8
to
52b5652
Compare
|
Updated and rebased on master |
| if (rc) | ||
| return rc; | ||
|
|
||
| IMSG("PKCS11 session %"PRIu32": set PIN", session_handle); |
There was a problem hiding this comment.
Maybe add an equivalent IMSG for the SO case above?
There was a problem hiding this comment.
I'll add one.
Sync with PKCS11 TA API update from [1] for authentication related commands. Link: [1] OP-TEE/optee_os#3750 Reviewed-by: Rouven Czerwinski <[email protected] Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Sync with PKCS11 TA API update from [1] for authentication related commands. Link: [1] OP-TEE/optee_os#3750 Reviewed-by: Rouven Czerwinski <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Introduce helper function pkcs2tee_error() for the several TEE Core Internal APIs called for which return value needs to be reported to caller in PKCS#11 return code format. The function returns PKCS11_CKR_GENERAL_ERROR for TEE_Result values that do not strictly match a PKCS#11 return code. Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Adds helpers to hash PIN and to verify the hash of a PIN. The PIN is hashed together with user type and a generated salt. A used salt never takes the value 0 so that can be used to tell if a PIN is set. Acked-by: Rouven Czerwinski <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Replaces the fields use to keep track of encrypted PINs with fields to keep track of hashed PINs instead. Acked-by: Rouven Czerwinski <[email protected]> Reviewed-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
update_persistent_db() updates the persistent database or panics on failure. Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
PKCS11_CMD_INIT_TOKEN implements C_InitToken() client API function that is in charge of initializing the Security Officer login PIN if not already done and destroy objects that can be. As objects are not yet supported in the TA, this later feature is not implemented. Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
PKCS11_CMD_INIT_PIN implements C_InitPIN() client API function that is in charge of initializing the normal user login PIN. Security Officer must be logged to current session in order to call this function Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
PKCS11_CMD_SET_PIN implements C_SetPIN() client API function that is in charge of modifying a login PIN. Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
Implements login/logout support. Acked-by: Rouven Czerwinski <[email protected]> Co-developed-by: Etienne Carriere <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
PINs are hashed with a salt instead of being encrypted with a secret key. So remove the now unused management of these secret keys. Acked-by: Rouven Czerwinski <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
jenswi-linaro
force-pushed
the
pkcs11_login
branch
from
54dbf79
to
7b74833
Compare
|
Squashed and tag applied |
Sync with PKCS11 TA API update from [1] for authentication related commands. Link: [1] OP-TEE/optee_os#3750 Reviewed-by: Rouven Czerwinski <[email protected]> Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Jens Wiklander <[email protected]>
| * | ||
| * [in] memref[0] = [ | ||
| * 32bit slot ID, | ||
| * 32bit PIN length, |
There was a problem hiding this comment.
align description of arguments with those of remaining pin functions, e.g. PIN length -> PIN byte size
| * 32bit session handle, | ||
| * 32bit old PIN byte size, | ||
| * 32bit new PIN byte size, | ||
| * byte array: PIN data, |
| PKCS11_CMD_SET_PIN = 12, | ||
|
|
||
| /* | ||
| * PKCS11_CMD_LOGIN - Initialize user PIN |
There was a problem hiding this comment.
-> PKCS11_CMD_LOGIN - Log into token
|
|
||
| if (res == TEE_SUCCESS) | ||
| DMSG("PIN key found"); | ||
| res = TEE_AllocateOperation(&oh, TEE_ALG_SHA256, TEE_MODE_DIGEST, 0); |
There was a problem hiding this comment.
SHA256 might not be the best choice here. Ideally it would be Argon2, but to do with what we have we could at least use PBKDF2 unless this was specifically excluded from OP-TEE in conf.mk.
This is a second line of defence in case RPMB-based retry-counters and/or secure storage are not available.
There was a problem hiding this comment.
Ah nice, I checked this to against the TEE specification, but did conclude that the specifications best hash function for this was SHA256 (or SHA512). As OP-TEE defines PBKDF2, we should definitely switch to it.
There was a problem hiding this comment.
Agreed, with sensible parameters for iteration count. What to do if PBKDF2 is deactivated from the config? Also deactivate PKCS#11 support or fall back to SHA256 (with more than one iteration)?
There was a problem hiding this comment.
I think we can depend on PBKDF2 being available.
| res = TEE_AllocateTransientObject(TEE_TYPE_AES, 128, &hdl); | ||
| if (res) | ||
| TEE_Panic(0); | ||
| enum pkcs11_rc hash_pin(enum pkcs11_user_type user, const uint8_t *pin, |
There was a problem hiding this comment.
I got a bit confused by the naming of the function. With hash_pin one would expect to get the same hash for a given set of inputs (and this function being used in the verification step), but this function also generates a fresh salt.
Maybe rename to init_pin_hash.
| TEE_Panic(0); | ||
| TEE_GenerateRandom(&s, sizeof(s)); | ||
| if (!s) | ||
| s++; |
There was a problem hiding this comment.
This creates a slight bias towards a salt of value 1 and looks a bit like a weird tacked-on fix. Is there a specific reason for excluding the value 0? If so, why not
uint32_t s = 0;
while (s == 0) { TEE_GenerateRandom(&s, sizeof(s)); }
for better readability.
If one also needs to cover the case of a broken GenerateRandom that always returns 0, add a constant in the loop body.
There was a problem hiding this comment.
A salt of 0 indicates that there is no salt set AFAIR from the rest of the code. I think the bias would be small, but agree that your implementation for this would be cleaner. Do you want to create a PR against current master with your fixes?
There was a problem hiding this comment.
From reading the rest of the code a salt of 0 indicates the user PIN has not yet been initialised.
|
|
||
| if (res) | ||
| TEE_Panic(res); | ||
| if (buf_compare_ct(tmp_hash, hash, TEE_MAX_HASH_SIZE)) |
There was a problem hiding this comment.
Use consttime_memcmp, see https://github.com/OP-TEE/optee_os/blob/3.8.0/lib/libutils/ext/include/string_ext.h#L27
|
|
||
| TEE_CloseObject(key_hdl); | ||
| return rc; |
There was a problem hiding this comment.
Execution flow arrives here only with rc being 0. But imho explicitly setting the OK in the else path of the hash-comparison would be clearer.
| @@ -39,6 +40,8 @@ struct pkcs11_client; | |||
| #define PKCS11_MAX_USERS 2 | |||
| #define PKCS11_TOKEN_PIN_SIZE_MAX 128 | |||
| #define PKCS11_TOKEN_PIN_SIZE_MIN 10 | |||
| #define PKCS11_TOKEN_SO_PIN_COUNT_MAX 7 | |||
| #define PKCS11_TOKEN_USER_PIN_COUNT_MAX 7 | |||
| @@ -47,22 +50,22 @@ struct pkcs11_client; | |||
| * @label - pkcs11 formatted token label, set by client | |||
| * @flags - pkcs11 token flags | |||
| * @so_pin_count - counter on security officer login failure | |||
| * @so_pin_size - byte size of the provisioned SO PIN | |||
| * @so_pin - stores the SO PIN | |||
| * @so_pin_salt - stores salt in hash of SO PIN, 0 if not set | |||
There was a problem hiding this comment.
stores salt for hash... (in is ambiguous: could also mean the salt is prepended to the hash instead of being stored in its own field)
| struct ck_token *token = session->token; | ||
| enum pkcs11_rc rc = PKCS11_CKR_OK; | ||
|
|
||
| assert(token->db_main->flags & PKCS11_CKFT_TOKEN_INITIALIZED); |
There was a problem hiding this comment.
As far as I understand the specification, we could also return CKR_OPERATION_NOT_INITIALIZED here instead of using the assert statement.
There was a problem hiding this comment.
This "can't happen", that flag is always checked before calling this function.
There was a problem hiding this comment.
So it is either dead code and can be removed or the abort is desired and a TEE_Panic would be the proper way to do this.
There was a problem hiding this comment.
All asserts are supposed to be dead code.
|
|
||
| TAILQ_FOREACH(sess, &client->session_list, link) { | ||
| if (sess->token != session->token) | ||
| continue; |
There was a problem hiding this comment.
This does assume that we eventually find the right one. Otherwise simply the last session in the list is used.
Maybe we should add
if (sess->token != session->token) return;
here to avoid manipulating the state of a wrong session (and possibly elevate privileges)
There was a problem hiding this comment.
We're not just looking for one session, we're looking for all sessions for the client on this token.
There was a problem hiding this comment.
My bad. Got the scope of the FOREACH wrong while reading.
| TAILQ_FOREACH(sess, &client->session_list, link) { | ||
| if (sess->token != session->token) | ||
| continue; | ||
|
|
| TAILQ_FOREACH(sess, &client->session_list, link) { | ||
| if (sess->token != session->token) | ||
| continue; | ||
|
|
😮 sorry about that. You're right, I should leave a bit more time for reviewers... But it should not prevent us from addressing your comments, let's address them in a new PR if you don't mind, @jenswi-linaro? |
|
@wamserma, feel free to raise PR to fix what you think need to be fixed. |
|
@jforissier It's ok. There were no super-critical comments and I don't want to slow down anything. |
No description provided.