rpc: add support for recursive attributes

Signed-off-by: Zoltan Fridrich <[email protected]>
p11-glue · Mar 8, 2024 · 8ff4bf0 · 8ff4bf0
1 parent 935e285
commit 8ff4bf0
Show file tree

Hide file tree

Showing 9 changed files with 447 additions and 112 deletions.
diff --git a/common/attrs.c b/common/attrs.c
@@ -141,12 +141,12 @@ attrs_build (CK_ATTRIBUTE *attrs,
 		/* The attribute exists and we're not overriding */
 		} else if (!override) {
 			if (take_values)
-				free (add->pValue);
+				p11_attr_clear (add);
 			continue;
 
 		/* The attribute exists but we're overriding */
 		} else {
-			free (attr->pValue);
+			p11_attr_clear (attr);
 		}
 
 		if (take_values) {

diff --git a/common/mock.c b/common/mock.c
@@ -286,17 +286,24 @@ module_reset_objects (CK_SLOT_ID slot_id)
 	{
 		CK_OBJECT_CLASS klass = CKO_PUBLIC_KEY;
 		char *label = "Public prefix key";
+		char *wrapped_label = "Wrapped label";
 		char *value = "value";
 		CK_MECHANISM_TYPE type = CKM_MOCK_PREFIX;
 		CK_BBOOL btrue = CK_TRUE;
 		CK_BBOOL bfalse = CK_FALSE;
+		CK_ATTRIBUTE wrap_template[] = {
+			{ CKA_LABEL, wrapped_label, strlen (wrapped_label) },
+			{ CKA_VERIFY, &btrue, sizeof (btrue) },
+			{ CKA_ENCRYPT, &btrue, sizeof (btrue) },
+		};
 		CK_ATTRIBUTE attrs[] = {
 			{ CKA_CLASS, &klass, sizeof (klass) },
 			{ CKA_LABEL, label, strlen (label) },
 			{ CKA_ALLOWED_MECHANISMS, &type, sizeof (type) },
 			{ CKA_VERIFY, &btrue, sizeof (btrue) },
 			{ CKA_PRIVATE, &bfalse, sizeof (bfalse) },
 			{ CKA_ALWAYS_AUTHENTICATE, &btrue, sizeof (btrue) },
+			{ CKA_WRAP_TEMPLATE, wrap_template, sizeof (wrap_template) },
 			{ CKA_VALUE, value, strlen (value) },
 			{ CKA_INVALID, NULL, 0 },
 		};
@@ -1618,6 +1625,51 @@ mock_X_GetObjectSize__invalid_handle (CK_X_FUNCTION_LIST *self,
 	return CKR_SESSION_HANDLE_INVALID;
 }
 
+static CK_RV
+get_recursive_attribute_value (CK_ATTRIBUTE_PTR dst,
+			       CK_ATTRIBUTE_PTR src,
+			       CK_ULONG count)
+{
+	CK_RV rv, ret = CKR_OK;
+	CK_ULONG i;
+	CK_ATTRIBUTE *result, *attr;
+
+	for (i = 0; i < count; ++i) {
+		result = dst + i;
+		attr = src + i;
+
+		result->type = attr->type;
+
+		if (result->pValue == NULL) {
+			result->ulValueLen = attr->ulValueLen;
+			continue;
+		}
+
+		if (result->ulValueLen < attr->ulValueLen) {
+			result->ulValueLen = (CK_ULONG)-1;
+			ret = CKR_BUFFER_TOO_SMALL;
+			continue;
+		}
+
+		if (IS_ATTRIBUTE_ARRAY (attr)) {
+			rv = get_recursive_attribute_value (result->pValue,
+				attr->pValue, attr->ulValueLen / sizeof (CK_ATTRIBUTE));
+			if (rv != CKR_OK) {
+				result->ulValueLen = (CK_ULONG)-1;
+				ret = rv;
+				continue;
+			}
+			result->ulValueLen = attr->ulValueLen;
+			continue;
+		}
+
+		memcpy (result->pValue, attr->pValue, attr->ulValueLen);
+		result->ulValueLen = attr->ulValueLen;
+	}
+
+	return ret;
+}
+
 CK_RV
 mock_C_GetAttributeValue (CK_SESSION_HANDLE session,
                           CK_OBJECT_HANDLE object,
@@ -1654,14 +1706,26 @@ mock_C_GetAttributeValue (CK_SESSION_HANDLE session,
 			continue;
 		}
 
-		if (result->ulValueLen >= attr->ulValueLen) {
-			memcpy (result->pValue, attr->pValue, attr->ulValueLen);
+		if (result->ulValueLen < attr->ulValueLen) {
+			result->ulValueLen = (CK_ULONG)-1;
+			ret = CKR_BUFFER_TOO_SMALL;
+			continue;
+		}
+
+		if (IS_ATTRIBUTE_ARRAY (attr)) {
+			rv = get_recursive_attribute_value (result->pValue,
+				attr->pValue, attr->ulValueLen / sizeof (CK_ATTRIBUTE));
+			if (rv != CKR_OK) {
+				result->ulValueLen = (CK_ULONG)-1;
+				ret = rv;
+				continue;
+			}
 			result->ulValueLen = attr->ulValueLen;
 			continue;
 		}
 
-		result->ulValueLen = (CK_ULONG)-1;
-		ret = CKR_BUFFER_TOO_SMALL;
+		memcpy (result->pValue, attr->pValue, attr->ulValueLen);
+		result->ulValueLen = attr->ulValueLen;
 	}
 
 	return ret;

diff --git a/common/persist.c b/common/persist.c
@@ -562,6 +562,13 @@ field_to_attribute (p11_persist *persist,
 		return false;
 	}
 
+	/* Ignore recursive attributes */
+	if (IS_ATTRIBUTE_ARRAY (&attr)) {
+		free (attr.pValue);
+		attr.pValue = NULL;
+		attr.ulValueLen = 0;
+	}
+
 	*attrs = p11_attrs_take (*attrs, attr.type,
 	                         attr.pValue, attr.ulValueLen);
 	return true;

diff --git a/p11-kit/iter.c b/p11-kit/iter.c
@@ -1012,6 +1012,52 @@ p11_kit_iter_get_attributes (P11KitIter *iter,
 	                                            templ, count);
 }
 
+static CK_RV
+prepare_recursive_attribute (P11KitIter *iter,
+			     CK_ATTRIBUTE *attr,
+			     CK_ATTRIBUTE *templ,
+			     CK_ULONG templ_len)
+{
+	CK_RV rv;
+	CK_ULONG i;
+
+	return_val_if_fail (iter != NULL, CKR_GENERAL_ERROR);
+	return_val_if_fail (attr != NULL, CKR_GENERAL_ERROR);
+	return_val_if_fail (templ != NULL, CKR_GENERAL_ERROR);
+	return_val_if_fail (templ_len != 0, CKR_GENERAL_ERROR);
+	return_val_if_fail (IS_ATTRIBUTE_ARRAY (attr), CKR_GENERAL_ERROR);
+
+	memset (templ, 0, templ_len);
+	rv = (iter->module->C_GetAttributeValue) (iter->session, iter->object, attr, 1);
+
+	switch (rv) {
+	case CKR_OK:
+	case CKR_ATTRIBUTE_TYPE_INVALID:
+	case CKR_ATTRIBUTE_SENSITIVE:
+		break;
+	default:
+		return_val_if_fail (rv != CKR_BUFFER_TOO_SMALL, rv);
+		return rv;
+	}
+
+	for (i = 0; i < templ_len / sizeof (CK_ATTRIBUTE); ++i) {
+		return_val_if_fail (templ[i].type != CKA_INVALID, CKR_GENERAL_ERROR);
+		return_val_if_fail (templ[i].ulValueLen != 0, CKR_GENERAL_ERROR);
+		return_val_if_fail (templ[i].ulValueLen != (CK_ULONG)-1, CKR_GENERAL_ERROR);
+
+		templ[i].pValue = malloc (templ[i].ulValueLen);
+		return_val_if_fail (templ[i].pValue != NULL, CKR_HOST_MEMORY);
+
+		if (IS_ATTRIBUTE_ARRAY (attr)) {
+                        rv = prepare_recursive_attribute (iter, attr, templ[i].pValue,
+							  templ[i].ulValueLen);
+			return_val_if_fail (rv == CKR_OK, rv);
+                }
+	}
+
+	return CKR_OK;
+}
+
 /**
  * p11_kit_iter_load_attributes:
  * @iter: the iterator
@@ -1081,7 +1127,7 @@ p11_kit_iter_load_attributes (P11KitIter *iter,
 	for (i = 0; i < count; i++) {
 		if (templ[i].ulValueLen == (CK_ULONG)-1 ||
 		    templ[i].ulValueLen == 0) {
-			free (original[i].pValue);
+			p11_attr_clear (original + i);
 
 		} else if (original[i].pValue != NULL &&
 		           templ[i].ulValueLen == original[i].ulValueLen) {
@@ -1090,6 +1136,16 @@ p11_kit_iter_load_attributes (P11KitIter *iter,
 		} else {
 			templ[i].pValue = realloc (original[i].pValue, templ[i].ulValueLen);
 			return_val_if_fail (templ[i].pValue != NULL, CKR_HOST_MEMORY);
+
+			if (IS_ATTRIBUTE_ARRAY (templ + i)) {
+				rv = prepare_recursive_attribute (iter, templ + i,
+								  templ[i].pValue,
+								  templ[i].ulValueLen);
+				if (rv != CKR_OK) {
+					free (original);
+					return rv;
+				}
+			}
 		}
 	}
 

diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
@@ -240,16 +240,11 @@ proto_read_attribute_array (p11_rpc_message *msg,
 		CK_ATTRIBUTE temp;
 
 		memset (&temp, 0, sizeof (temp));
-		if (!p11_rpc_buffer_get_attribute (msg->input, &offset, &temp)) {
+		if (!p11_rpc_message_get_attribute (msg, msg->input, &offset, &temp)) {
 			msg->parsed = offset;
 			return PARSE_ERROR;
 		}
 
-		if (IS_ATTRIBUTE_ARRAY (&temp)) {
-			p11_debug("recursive attribute array is not supported");
-			return PARSE_ERROR;
-		}
-
 		/* Try and stuff it in the output data */
 		if (arr) {
 			CK_ATTRIBUTE *attr = &(arr[i]);