wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0

[pkcs11] wolfCrypt assumes slot enumeration starts from 0 #7734

Closed space88man closed 2 weeks ago

space88man commented 2 weeks ago

Contact Details

shihping.chan@gmail.com

Version

5.7.2

Description

p11-kit (nss softoken) creates slots from 17, 18. When wolfSSL pkcs11 detects two slots with token present, it calls C_GetTokenInfo starting from 0 instead of the correct values returned by C_GetSlotList.

List of slots/tokens:

$ pkcs11-tool --module /usr/lib64/p11-kit-proxy.so -L
Available slots:
Slot 0 (0x11): NSS Internal Cryptographic Services
  token label        : NSS Generic Crypto Services
  token manufacturer : Mozilla Foundation
  token model        : NSS 3
  token flags        : rng, token initialized, readonly, other flags=0x200
  hardware version   : 4.0
  firmware version   : 0.0
  serial num         : 0000000000000000
  pin min/max        : 0/0
Slot 1 (0x12): NSS User Private Key and Certificate Services
  token label        : NSS Certificate DB
  token manufacturer : Mozilla Foundation
  token model        : NSS 3
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000000000000000
  pin min/max        : 0/500

Log of wolfSSL pkcs11 when slot number is -1 (it detects slots 17, 18) but enumerates slots from 0

# observe slots are 17, 18 and enumeration starts from 0
0: C_GetFunctionList   
2024-07-10 12:15:20.787         
Returned:  0 CKR_OK

1: C_Initialize    
2024-07-10 12:15:20.787
[in] pInitArgs = 0x7ffe922a33b0 
     flags: 2
       CKF_OS_LOCKING_OK
Returned:  0 CKR_OK    

2: C_GetSlotList   
2024-07-10 12:15:20.832
[in] tokenPresent = 0x1
[out] pSlotList:       
Count is 2         
[out] *pulCount = 0x2   
Returned:  0 CKR_OK

3: C_GetSlotList
2024-07-10 12:15:20.852
[in] tokenPresent = 0x1
[out] pSlotList: 
Slot 17
Slot 18
[out] *pulCount = 0x2
Returned:  0 CKR_OK

4: C_GetSlotList
2024-07-10 12:15:20.872
[in] tokenPresent = 0x1
[out] pSlotList: 
Count is 2
[out] *pulCount = 0x2
Returned:  0 CKR_OK

5: C_GetTokenInfo
2024-07-10 12:15:20.893
[in] slotID = 0x0
Returned:  3 CKR_SLOT_ID_INVALID

Additional Notes

More simply: this issue can be triggered using NSS Softoken alone (don't need p11-kit-proxy). NSS Softoken enumerates tokens as 1, 2. So when passing -1 to wolfCrypt/pkcs11 it will not locate the correct token.

# observe slots are 1 and 2 (not 0 and 1)
0: C_GetFunctionList                                                                                                                                               
2024-07-10 12:29:23.905                                                                                                                                            
Returned:  0 CKR_OK                                                                                                                                                

1: C_Initialize                                                                                                                                                    
2024-07-10 12:29:23.905                                                                                                                                            
[in] pInitArgs = 0x7ffd72a90790                                                                                                                                    
     flags: 2                                                                                                                                                      
       CKF_OS_LOCKING_OK                                                                                                                                           
Returned:  0 CKR_OK                                                                                                                                                

2: C_GetSlotList                                                                                                                                                   
2024-07-10 12:29:23.907                                                                                                                                            
[in] tokenPresent = 0x1                                                                                                                                            
[out] pSlotList:                                                                                                                                                   
Count is 2                                                                                                                                                         
[out] *pulCount = 0x2                                                                                                                                              
Returned:  0 CKR_OK                                                                                                                                                

3: C_GetSlotList                                                                                                                                                   
2024-07-10 12:29:23.907                                                                                                                                            
[in] tokenPresent = 0x1                                                                                                                                            
[out] pSlotList:                                                                                                                                                   
Slot 1                                                                                                                                                             
Slot 2                                                                                                                                                             
[out] *pulCount = 0x2                                                                                                                                              
Returned:  0 CKR_OK                                                                                                                                                

4: C_GetSlotList                                                                                                                                                   
2024-07-10 12:29:23.907                                                                                                                                            
[in] tokenPresent = 0x1                                                                                                                                            
[out] pSlotList:                                                                                                                                                   
Count is 2                                                                                                                                                         
[out] *pulCount = 0x2                                                                                                                                              
Returned:  0 CKR_OK                                                                                                                                                

5: C_GetTokenInfo                                                                                                                                                  
2024-07-10 12:29:23.907                                                                                                                                            
[in] slotID = 0x0                                                                                                                                                  
Returned:  3 CKR_SLOT_ID_INVALID

Update: the bug is that when searching from -1, wolfCrypt enumerates the slots and assumes [0] = 0, [1] = 1, etc. But the actual slotId doesn't have to match the index variable: e.g. NSS Softoken [0] = 1, [1] = 2 or p11-kit-proxy [0] = 17, [1] = 18.

The function Pkcs11Token_Init(...) has the correct behaviour and the PR copies that code to the function Pkcs11Slot_FindByTokenName(...).
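The index-versus-slot-ID mismatch described in the update above, as an added example that is not part of the original issue and is not wolfSSL code. The `mock_*` functions, `find_token` and its `by_index` flag are hypothetical stand-ins for a PKCS#11 module that reports slot IDs 17 and 18, as p11-kit-proxy does in the log.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the PKCS#11 calls in the log above; not the real cryptoki API. */
#define CKR_OK               0UL
#define CKR_SLOT_ID_INVALID  3UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define NOT_FOUND            (-1L)

/* Constructed sample module: two tokens on slot IDs 17 and 18. */
static const unsigned long mock_slots[]  = { 17, 18 };
static const char *mock_labels[] = { "NSS Generic Crypto Services", "NSS Certificate DB" };
#define MOCK_COUNT (sizeof(mock_slots) / sizeof(mock_slots[0]))

static unsigned long mock_GetSlotList(unsigned long *list, unsigned long *count)
{
    if (*count < MOCK_COUNT) return CKR_BUFFER_TOO_SMALL;
    memcpy(list, mock_slots, sizeof(mock_slots));
    *count = MOCK_COUNT;
    return CKR_OK;
}

static unsigned long mock_GetTokenInfo(unsigned long id, const char **label)
{
    for (unsigned long i = 0; i < MOCK_COUNT; i++)
        if (mock_slots[i] == id) { *label = mock_labels[i]; return CKR_OK; }
    return CKR_SLOT_ID_INVALID;
}

/* by_index != 0 reproduces the bug: the loop index is passed as the slot ID.
 * by_index == 0 passes the IDs that the slot list actually returned. */
static long find_token(const char *name, int by_index)
{
    unsigned long ids[8];
    unsigned long count = sizeof(ids) / sizeof(ids[0]);
    const char *label;
    if (mock_GetSlotList(ids, &count) != CKR_OK) return NOT_FOUND;
    for (unsigned long i = 0; i < count; i++) {
        unsigned long id = by_index ? i : ids[i];
        if (mock_GetTokenInfo(id, &label) == CKR_OK && strcmp(label, name) == 0)
            return (long)id;
    }
    return NOT_FOUND;
}

int main(void)
{
    printf("index as slot ID:   %ld\n", find_token("NSS Certificate DB", 1));
    printf("IDs from slot list: %ld\n", find_token("NSS Certificate DB", 0));
    return 0;
}
```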