From 41bc63d2ee629610de41c793e1eb00e1571d38d4 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Mon, 24 Oct 2016 17:57:35 -0400
Subject: Flesh out key object access control.

This is more complicated than I'd have liked, because the PKCS #11 semantics are (much) more complicated than just "are you logged in?" New code passes basic testing with libhal.py and the PKCS #11 unit tests, but there are still unexplored corner cases to be checked. Private token objects remain simple. Code which does not need PKCS HAL_KEY_FLAG_TOKEN and avoid HAL_KEY_FLAG_PUBLIC.
---
 ks_volatile.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
(limited to 'ks_volatile.c')

diff --git a/ks_volatile.c b/ks_volatile.c
index e88b871..0f53c11 100644
--- a/ks_volatile.c
+++ b/ks_volatile.c
@@ -106,14 +106,29 @@ static inline ks_t *ks_to_ksv(hal_ks_t *ks)
   return (ks_t *) ks;
 }
 
+/*
+ * Check whether the current session can see a particular key. One
+ * might expect this to be based on whether the session matches, and
+ * indeed it would be in a sane world, but in the world of PKCS #11,
+ * keys belong to sessions, are visible to other sessions, and may
+ * even be modifiable by other sessions, but softly and silently
+ * vanish away when the original creating session is destroyed.
+ *
+ * In our terms, this means that visibility of session objects is
+ * determined only by the client handle, so taking the session handle
+ * as an argument here isn't really necessary, but we've flipflopped
+ * on that enough times that at least for now I'd prefer to leave the
+ * session handle here and not have to revise all the RPC calls again.
+ * Remove it at some later date and redo the RPC calls if we manage to
+ * avoid revising this yet again.
+ */
+
 static inline int key_visible_to_session(const ks_t * const ksv,
                                          const hal_client_handle_t client,
                                          const hal_session_handle_t session,
                                          const ks_key_t * const k)
 {
-  return (!ksv->per_session || client.handle == HAL_HANDLE_NONE ||
-          (k->client.handle == client.handle &&
-           k->session.handle == session.handle));
+  return !ksv->per_session || client.handle == HAL_HANDLE_NONE || k->client.handle == client.handle;
 }
 
 static inline void *gnaw(uint8_t **mem, size_t *len, const size_t size)
-- cgit v1.2.3
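Review bot: The new body of key_visible_to_session no longer references its `session` parameter, so builds with -Wextra/-Wunused-parameter will warn on every translation unit including this inline; since the comment deliberately keeps the parameter for RPC stability, silence it explicitly with `(void) session; /* kept for RPC signature stability; visibility is per client, see comment above */` as the first statement of the body. The new comment explains the per-client rule but not the other clause that survived from the old code, `client.handle == HAL_HANDLE_NONE`, which is the only path that makes one client's session keys visible to a caller presenting no client handle; a sentence stating which callers are expected to pass HAL_HANDLE_NONE and that it acts as a wildcard would help a later reader audit that path. Both points apply to the single function in this hunk; the hunk also shows the tail of ks_to_ksv and the signature of gnaw, which are unchanged.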