From 6a1e6d9c7bd12817ea89ab2e7535a14615797d1e Mon Sep 17 00:00:00 2001 From: Etienne Carriere Date: Sun, 5 Apr 2020 15:54:21 +0200 Subject: [PATCH] ta: sks: fix precedence of invalid session handle over other errors As per PKCS#11 specification, an invalid session handle argument should be reported with CKR_SESSION_HANDLE_INVALID over any other error found when executing the requested command. This change complies with this by introducing helper serialargs_get_session() that gets the session handle value from the input argument buffer and finds related session instance. This allows to factorize early reporting of invalid session handles when parsing client input arguments over the several TA commands that gets a session handle argument. Signed-off-by: Etienne Carriere --- ta/pkcs11/src/object.c | 45 ++++------------------ ta/pkcs11/src/pkcs11_token.c | 50 +++++------------------- ta/pkcs11/src/processing.c | 74 ++++++++++++------------------------ ta/pkcs11/src/serializer.c | 27 +++++++++++++ ta/pkcs11/src/serializer.h | 7 ++++ 5 files changed, 76 insertions(+), 127 deletions(-) diff --git a/ta/pkcs11/src/object.c b/ta/pkcs11/src/object.c index d8276d81ad4..2ec9d87e1cd 100644 --- a/ta/pkcs11/src/object.c +++ b/ta/pkcs11/src/object.c @@ -271,7 +271,6 @@ uint32_t entry_destroy_object(struct pkcs11_client *client, TEE_PARAM_TYPE_NONE); TEE_Param *ctrl = ¶ms[0]; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; uint32_t object_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_object *object = NULL; @@ -282,7 +281,7 @@ uint32_t entry_destroy_object(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; 
@@ -293,10 +292,6 @@ uint32_t entry_destroy_object(struct pkcs11_client *client, if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (session_is_active(session)) return PKCS11_CKR_OPERATION_ACTIVE; @@ -308,7 +303,7 @@ uint32_t entry_destroy_object(struct pkcs11_client *client, handle_put(&session->object_handle_db, object_handle); DMSG("PKCS11 session %"PRIu32": destroy object %#"PRIx32, - session_handle, object_handle); + session->handle, object_handle); return rv; } @@ -424,7 +419,6 @@ uint32_t entry_find_objects_init(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_object_head *template = NULL; struct pkcs11_attrs_head *req_attrs = NULL; @@ -436,7 +430,7 @@ uint32_t entry_find_objects_init(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -449,12 +443,6 @@ uint32_t entry_find_objects_init(struct pkcs11_client *client, goto bail; } - session = pkcs11_handle2session(session_handle, client); - if (!session) { - rv = PKCS11_CKR_SESSION_HANDLE_INVALID; - goto bail; - } - /* Search objects only if no operation is on-going */ if (session_is_active(session)) { rv = PKCS11_CKR_OPERATION_ACTIVE; @@ -606,7 +594,6 @@ uint32_t entry_find_objects(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_find_objects *ctx = NULL; char *out_handles = NULL; 
@@ -622,17 +609,13 @@ uint32_t entry_find_objects(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - ctx = session->find_ctx; /* @@ -665,7 +648,7 @@ uint32_t entry_find_objects(struct pkcs11_client *client, /* Update output buffer according the number of handles provided */ out->memref.size = count * sizeof(uint32_t); - DMSG("PKCS11 session %"PRIu32": finding objects", session_handle); + DMSG("PKCS11 session %"PRIu32": finding objects", session->handle); return PKCS11_CKR_OK; } @@ -686,7 +669,6 @@ uint32_t entry_find_objects_final(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 9; struct pkcs11_session *session = NULL; if (!client || ptypes != exp_pt) @@ -694,17 +676,13 @@ uint32_t entry_find_objects_final(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (!session->find_ctx) return PKCS11_CKR_OPERATION_NOT_INITIALIZED; 
@@ -724,7 +702,6 @@ uint32_t entry_get_attribute_value(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_object_head *template = NULL; struct pkcs11_object *obj = NULL; @@ -741,7 +718,7 @@ uint32_t entry_get_attribute_value(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -758,12 +735,6 @@ uint32_t entry_get_attribute_value(struct pkcs11_client *client, goto bail; } - session = pkcs11_handle2session(session_handle, client); - if (!session) { - rv = PKCS11_CKR_SESSION_HANDLE_INVALID; - goto bail; - } - obj = pkcs11_handle2object(object_handle, session); if (!obj) { rv = PKCS11_CKR_ARGUMENTS_BAD; @@ -864,7 +835,7 @@ uint32_t entry_get_attribute_value(struct pkcs11_client *client, TEE_MemMove(out->memref.buffer, template, out->memref.size); DMSG("PKCS11 session %"PRIu32": get attributes %#"PRIx32, - session_handle, object_handle); + session->handle, object_handle); bail: TEE_Free(template); diff --git a/ta/pkcs11/src/pkcs11_token.c b/ta/pkcs11/src/pkcs11_token.c index 804dd9b6adb..4ad6cefc0b3 100644 --- a/ta/pkcs11/src/pkcs11_token.c +++ b/ta/pkcs11/src/pkcs11_token.c @@ -947,7 +947,6 @@ uint32_t entry_ck_close_session(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; if (!client || ptypes != exp_pt) 
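Review bot: The object lookup kept as context directly after the removed session check in entry_get_attribute_value, `obj = pkcs11_handle2object(object_handle, session); if (!obj) { rv = PKCS11_CKR_ARGUMENTS_BAD;`, still reports an unknown object handle as CKR_ARGUMENTS_BAD, whereas PKCS#11 C_GetAttributeValue specifies CKR_OBJECT_HANDLE_INVALID for that case. Since the purpose of this commit is to return the spec-mandated code for a bad handle, it would be consistent to change that assignment in the same pass, provided the TA's error enum has a counterpart for CKR_OBJECT_HANDLE_INVALID (not visible in this patch). The body of entry_get_attribute_value continues outside the hunk.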
@@ -955,17 +954,13 @@ uint32_t entry_ck_close_session(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - close_ck_session(session); return PKCS11_CKR_OK; @@ -1022,7 +1017,6 @@ uint32_t entry_ck_session_info(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_session_info info = { .flags = PKCS11_CKFSS_SERIAL_SESSION, @@ -1033,17 +1027,13 @@ uint32_t entry_ck_session_info(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - info.slot_id = get_token_id(session->token); info.state = session->state; if (pkcs11_session_is_read_write(session)) @@ -1143,7 +1133,6 @@ uint32_t entry_init_pin(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; uint32_t pin_size = 0; void *pin = NULL; 
@@ -1153,7 +1142,7 @@ uint32_t entry_init_pin(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -1168,16 +1157,12 @@ uint32_t entry_init_pin(struct pkcs11_client *client, if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (!pkcs11_session_is_so(session)) return PKCS11_CKR_USER_NOT_LOGGED_IN; assert(session->token->db_main->flags & PKCS11_CKFT_TOKEN_INITIALIZED); - DMSG("PKCS11 session %"PRIu32": init PIN", session_handle); + DMSG("PKCS11 session %"PRIu32": init PIN", session->handle); return set_pin(session, pin, pin_size, PKCS11_CKU_USER); } @@ -1357,7 +1342,6 @@ uint32_t entry_set_pin(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; uint32_t old_pin_size = 0; uint32_t pin_size = 0; @@ -1369,7 +1353,7 @@ uint32_t entry_set_pin(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -1392,10 +1376,6 @@ uint32_t entry_set_pin(struct pkcs11_client *client, if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (!pkcs11_session_is_read_write(session)) return PKCS11_CKR_SESSION_READ_ONLY; 
@@ -1419,7 +1399,7 @@ uint32_t entry_set_pin(struct pkcs11_client *client, if (rv) return rv; - DMSG("PKCS11 session %"PRIu32": set PIN", session_handle); + DMSG("PKCS11 session %"PRIu32": set PIN", session->handle); return set_pin(session, pin, pin_size, PKCS11_CKU_USER); } @@ -1434,7 +1414,6 @@ uint32_t entry_login(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_session *sess = NULL; uint32_t user_type = 0; @@ -1446,7 +1425,7 @@ uint32_t entry_login(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -1465,10 +1444,6 @@ uint32_t entry_login(struct pkcs11_client *client, if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - switch ((enum pkcs11_user_type)user_type) { case PKCS11_CKU_SO: if (pkcs11_session_is_so(session)) @@ -1540,7 +1515,7 @@ uint32_t entry_login(struct pkcs11_client *client, } if (!rv) - DMSG("PKCS11 session %"PRIu32": login", session_handle); + DMSG("PKCS11 session %"PRIu32": login", session->handle); return rv; } @@ -1555,7 +1530,6 @@ uint32_t entry_logout(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; if (!client || ptypes != exp_pt) 
@@ -1563,23 +1537,19 @@ uint32_t entry_logout(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (pkcs11_session_is_public(session)) return PKCS11_CKR_USER_NOT_LOGGED_IN; session_logout(session); - DMSG("PKCS11 session %"PRIu32": logout", session_handle); + DMSG("PKCS11 session %"PRIu32": logout", session->handle); return PKCS11_CKR_OK; } diff --git a/ta/pkcs11/src/processing.c b/ta/pkcs11/src/processing.c index 494d9c12f6f..0ca54b38ebd 100644 --- a/ta/pkcs11/src/processing.c +++ b/ta/pkcs11/src/processing.c @@ -20,21 +20,11 @@ #include "processing.h" #include "serializer.h" -static uint32_t get_ready_session(struct pkcs11_session **sess, - uint32_t session_handle, - struct pkcs11_client *client) +static uint32_t get_ready_session(struct pkcs11_session *session) { - struct pkcs11_session *session = NULL; - - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (session_is_active(session)) return PKCS11_CKR_OPERATION_ACTIVE; - *sess = session; - return PKCS11_CKR_OK; } 
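Review bot: `static uint32_t get_ready_session(struct pkcs11_session *session)` now dereferences its argument without the NULL check the removed version performed, so it is only correct when every caller has resolved `session` through serialargs_get_session() first, as the converted entry points do; that precondition should be stated, e.g. `/* @session must be a valid session resolved by serialargs_get_session() */` above the definition, and the same note applies to get_active_session() in the following hunk. Note also that the old helpers assigned `*sess` only on success, while callers now hold a valid session pointer even when the helper fails, so cleanup code reached after a failure can no longer treat a non-NULL `session` as evidence that the readiness check passed.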
@@ -69,23 +59,14 @@ static bool func_matches_state(enum processing_func function, } } -static uint32_t get_active_session(struct pkcs11_session **sess, - uint32_t session_handle, - struct pkcs11_client *client, +static uint32_t get_active_session(struct pkcs11_session *session, enum processing_func function) { - struct pkcs11_session *session = NULL; uint32_t rv = PKCS11_CKR_OPERATION_NOT_INITIALIZED; - session = pkcs11_handle2session(session_handle, client); - if (!session) - return PKCS11_CKR_SESSION_HANDLE_INVALID; - if (session->processing && - func_matches_state(function, session->processing->state)) { - *sess = session; + func_matches_state(function, session->processing->state)) rv = PKCS11_CKR_OK; - } return rv; } @@ -136,7 +117,6 @@ uint32_t entry_import_object(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_attrs_head *head = NULL; struct pkcs11_object_head *template = NULL; @@ -153,7 +133,7 @@ uint32_t entry_import_object(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -166,7 +146,7 @@ uint32_t entry_import_object(struct pkcs11_client *client, goto bail; } - rv = get_ready_session(&session, session_handle, client); + rv = get_ready_session(session); if (rv) goto bail; @@ -221,7 +201,7 @@ uint32_t entry_import_object(struct pkcs11_client *client, out->memref.size = sizeof(obj_handle); DMSG("PKCS11 session %"PRIu32": import object %#"PRIx32, - session_handle, obj_handle); + session->handle, obj_handle); bail: TEE_Free(template); 
@@ -316,7 +296,6 @@ uint32_t entry_generate_secret(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_attribute_head *proc_params = NULL; struct pkcs11_attrs_head *head = NULL; @@ -330,7 +309,7 @@ uint32_t entry_generate_secret(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(session_handle)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -347,7 +326,7 @@ uint32_t entry_generate_secret(struct pkcs11_client *client, goto bail; } - rv = get_ready_session(&session, session_handle, client); + rv = get_ready_session(session); if (rv) goto bail; @@ -424,7 +403,7 @@ uint32_t entry_generate_secret(struct pkcs11_client *client, out->memref.size = sizeof(obj_handle); DMSG("PKCS11 session %"PRIu32": generate secret %#"PRIx32, - session_handle, obj_handle); + session->handle, obj_handle); bail: TEE_Free(proc_params); @@ -495,7 +474,6 @@ uint32_t entry_generate_key_pair(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_attribute_head *proc_params = NULL; struct pkcs11_attrs_head *pub_head = NULL; @@ -512,7 +490,7 @@ uint32_t entry_generate_key_pair(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -526,7 +504,7 @@ uint32_t entry_generate_key_pair(struct pkcs11_client *client, if (rv) goto bail; - rv = get_ready_session(&session, session_handle, client); + rv = get_ready_session(session); if (rv) goto bail; 
@@ -637,7 +615,7 @@ uint32_t entry_generate_key_pair(struct pkcs11_client *client, TEE_MemMove(hdl_ptr + 1, &privkey_handle, sizeof(privkey_handle)); DMSG("PKCS11 session %"PRIu32": create key pair %#"PRIx32"/%#"PRIx32, - session_handle, privkey_handle, pubkey_handle); + session->handle, privkey_handle, pubkey_handle); bail: TEE_Free(proc_params); @@ -670,7 +648,6 @@ uint32_t entry_processing_init(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_attribute_head *proc_params = NULL; uint32_t key_handle = 0; @@ -681,7 +658,7 @@ uint32_t entry_processing_init(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -698,7 +675,7 @@ uint32_t entry_processing_init(struct pkcs11_client *client, goto bail; } - rv = get_ready_session(&session, session_handle, client); + rv = get_ready_session(session); if (rv) goto bail; @@ -737,7 +714,7 @@ uint32_t entry_processing_init(struct pkcs11_client *client, if (rv == PKCS11_CKR_OK) { session->processing->mecha_type = proc_params->id; DMSG("PKCS11 session %"PRIu32": init processing %s %s", - session_handle, id2str_proc(proc_params->id), + session->handle, id2str_proc(proc_params->id), id2str_function(function)); } @@ -770,7 +747,6 @@ uint32_t entry_processing_step(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; uint32_t mecha_type = 0; 
@@ -780,14 +756,14 @@ uint32_t entry_processing_step(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - rv = get_active_session(&session, session_handle, client, function); + rv = get_active_session(session, function); if (rv) return rv; @@ -810,7 +786,7 @@ uint32_t entry_processing_step(struct pkcs11_client *client, if (rv == PKCS11_CKR_OK) { session->processing->updated = true; DMSG("PKCS11 session%"PRIu32": processing %s %s", - session_handle, id2str_proc(mecha_type), + session->handle, id2str_proc(mecha_type), id2str_function(function)); } @@ -851,7 +827,6 @@ uint32_t entry_verify_oneshot(struct pkcs11_client *client, TEE_Param *ctrl = ¶ms[0]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; uint32_t mecha_type = 0; @@ -862,14 +837,14 @@ uint32_t entry_verify_oneshot(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; if (serialargs_remaining_bytes(&ctrlargs)) return PKCS11_CKR_ARGUMENTS_BAD; - rv = get_active_session(&session, session_handle, client, function); + rv = get_active_session(session, function); if (rv) return rv; @@ -889,7 +864,7 @@ uint32_t entry_verify_oneshot(struct pkcs11_client *client, else rv = PKCS11_CKR_MECHANISM_INVALID; - DMSG("PKCS11 session %"PRIu32": verify %s %s: %s", session_handle, + DMSG("PKCS11 session %"PRIu32": verify %s %s: %s", session->handle, id2str_proc(mecha_type), id2str_function(function), id2str_rc(rv)); 
@@ -911,7 +886,6 @@ uint32_t entry_derive_key(struct pkcs11_client *client, TEE_Param *out = ¶ms[2]; uint32_t rv = 0; struct serialargs ctrlargs = { }; - uint32_t session_handle = 0; struct pkcs11_session *session = NULL; struct pkcs11_attribute_head *proc_params = NULL; uint32_t parent_handle = 0; @@ -928,7 +902,7 @@ uint32_t entry_derive_key(struct pkcs11_client *client, serialargs_init(&ctrlargs, ctrl->memref.buffer, ctrl->memref.size); - rv = serialargs_get(&ctrlargs, &session_handle, sizeof(uint32_t)); + rv = serialargs_get_session(&ctrlargs, client, &session); if (rv) return rv; @@ -949,7 +923,7 @@ uint32_t entry_derive_key(struct pkcs11_client *client, goto bail; } - rv = get_ready_session(&session, session_handle, client); + rv = get_ready_session(session); if (rv) goto bail; @@ -1067,7 +1041,7 @@ uint32_t entry_derive_key(struct pkcs11_client *client, out->memref.size = sizeof(out_handle); DMSG("PKCS11 session %"PRIu32": derive key %#"PRIx32"/%s", - session_handle, out_handle, id2str_proc(mecha_id)); + session->handle, out_handle, id2str_proc(mecha_id)); bail: release_active_processing(session); diff --git a/ta/pkcs11/src/serializer.c b/ta/pkcs11/src/serializer.c index 9e0860487b8..d4d48d30dad 100644 --- a/ta/pkcs11/src/serializer.c +++ b/ta/pkcs11/src/serializer.c @@ -17,6 +17,7 @@ #include "serializer.h" #include "pkcs11_helpers.h" +#include "pkcs11_token.h" /* * Util routines for serializes unformatted arguments in a client memref 
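Review bot: In entry_derive_key the `goto bail` taken on the `serialargs_remaining_bytes()` failure and on a failed `get_ready_session(session)` now reaches `bail: release_active_processing(session);` with a live session rather than the NULL pointer the old code had on those paths, so a malformed C_DeriveKey request would tear down whatever processing the session already had active, which is precisely the case get_ready_session() rejects with CKR_OPERATION_ACTIVE (whether release_active_processing() tolerated NULL before is not visible here, but the new call operates on a real session either way). The single label can no longer distinguish "this command set up a processing" from "parsing failed early"; add a second label placed after the release call, e.g. `bail_free:`, and point every failure that precedes this command's own processing set-up at it, keeping `bail` for failures that occur after the session's processing slot has been taken. What follows the `bail:` label and the derivation code between the hunks are outside this view.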
@@ -173,6 +174,32 @@ bool serialargs_remaining_bytes(struct serialargs *args) return args->next < args->start + args->size; } +/* + * Specific helper has PKCS11_CKR_SESSION_HANDLE_INVALID shall take precedence + * other errors when a request is invoked with a bad PKCS#11 session handle + * as specified by the PKCS#11 specification. + */ +uint32_t serialargs_get_session(struct serialargs *args, + struct pkcs11_client *client, + struct pkcs11_session **session) +{ + uint32_t rv = PKCS11_CKR_GENERAL_ERROR; + uint32_t session_handle = 0; + struct pkcs11_session *sess = NULL; + + rv = serialargs_get(args, &session_handle, sizeof(session_handle)); + if (rv) + return rv; + + sess = pkcs11_handle2session(session_handle, client); + if (!sess) + return PKCS11_CKR_SESSION_HANDLE_INVALID; + + *session = sess; + + return PKCS11_CKR_OK; +} + /* * serialize - serialize input data in buffer * diff --git a/ta/pkcs11/src/serializer.h b/ta/pkcs11/src/serializer.h index 00392e4ca37..52d60e36b81 100644 --- a/ta/pkcs11/src/serializer.h +++ b/ta/pkcs11/src/serializer.h @@ -12,6 +12,9 @@ #include #include +struct pkcs11_client; +struct pkcs11_session; + /* * Util routines for serializes unformated arguments in a client memref */ @@ -38,6 +41,10 @@ uint32_t serialargs_alloc_and_get(struct serialargs *args, bool serialargs_remaining_bytes(struct serialargs *args); +uint32_t serialargs_get_session(struct serialargs *args, + struct pkcs11_client *client, + struct pkcs11_session **session); + #define PKCS11_MAX_BOOLPROP_SHIFT 64 #define PKCS11_MAX_BOOLPROP_ARRAY (PKCS11_MAX_BOOLPROP_SHIFT / \ sizeof(uint32_t))
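Review bot: The header comment on serialargs_get_session() does not parse ("Specific helper has PKCS11_CKR_SESSION_HANDLE_INVALID shall take precedence other errors"); suggested wording: `/* Get the session handle from the arguments and resolve it. A bad handle is reported as PKCS11_CKR_SESSION_HANDLE_INVALID, which PKCS#11 requires to take precedence over any other error, so commands must parse the handle before any other argument. */` (wrapped to the file's width). The initializer `uint32_t rv = PKCS11_CKR_GENERAL_ERROR;` is dead since `rv` is assigned by the very next statement; `uint32_t rv = 0;` matches the entry points in this patch. It would also help callers to note on the serializer.h prototype that the lookup goes through `pkcs11_handle2session(session_handle, client)` and is therefore scoped to @client, which, presumably, is what prevents one TEE client from naming another client's session.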