tests: added unit test for safenet protectserver HSM's PKCS#11 supportgnutls_3_5_x_safenet_updates

That is, detect whether the absence of C_Login on a token, will result to C_Sign or C_Decrypt to a login using CKU_USER. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-05-28 11:07:50 +0200
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-06-17 14:14:44 +0200
commit: 77927aacb6a4e3d76d3fb388e67180c99cf9a287 (patch)
tree: 2267bb6593700830f6be452bd6659853b889faa7
parent: 1380acbf29c71a536274d30106e85d47b1fa2045 (diff)
download: gnutls_3_5_x_safenet_updates.tar.gz
4 files changed, 227 insertions, 11 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 547909d17c..c0e760a417 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -202,6 +202,10 @@ pkcs11_privkey_always_auth_SOURCES = pkcs11/pkcs11-privkey-always-auth.c
 pkcs11_privkey_always_auth_DEPENDENCIES = libpkcs11mock1.la libutils.la
 pkcs11_privkey_always_auth_LDADD = $(LDADD) $(LIBDL)
 
+pkcs11_privkey_safenet_always_auth_SOURCES = pkcs11/pkcs11-privkey-safenet-always-auth.c
+pkcs11_privkey_safenet_always_auth_DEPENDENCIES = libpkcs11mock1.la libutils.la
+pkcs11_privkey_safenet_always_auth_LDADD = $(LDADD) $(LIBDL)
+
 pkcs11_pkcs11_privkey_pthread_LDADD = $(LDADD) -lpthread
 
 ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts \
@@ -209,7 +213,7 @@ ctests += pkcs11-cert-import-url-exts pkcs11-get-exts pkcs11-get-raw-issuer-exts
 	pkcs11/pkcs11-combo pkcs11/pkcs11-privkey pkcs11/pkcs11-pubkey-import-rsa pkcs11/pkcs11-pubkey-import-ecdsa \
 	pkcs11-import-url-privkey pkcs11-privkey-fork pkcs11/pkcs11-ec-privkey-test \
 	pkcs11-privkey-always-auth pkcs11-privkey-export pkcs11/pkcs11-import-with-pin \
-	pkcs11/pkcs11-privkey-pthread
+	pkcs11/pkcs11-privkey-pthread pkcs11-privkey-safenet-always-auth
 
 
 endif
diff --git a/tests/pkcs11/pkcs11-mock-ext.h b/tests/pkcs11/pkcs11-mock-ext.h
index c2267e86b2..277e4a7d8e 100644
--- a/tests/pkcs11/pkcs11-mock-ext.h
+++ b/tests/pkcs11/pkcs11-mock-ext.h
@@ -27,5 +27,7 @@
  * objects */
 #define MOCK_FLAG_BROKEN_GET_ATTRIBUTES 1
 #define MOCK_FLAG_ALWAYS_AUTH (1<<1)
+/* simulate the safenet HSMs always auth behavior */
+#define MOCK_FLAG_SAFENET_ALWAYS_AUTH (1<<2)
 
 #endif
diff --git a/tests/pkcs11/pkcs11-mock.c b/tests/pkcs11/pkcs11-mock.c
index bdf803fb6d..b66073ca2d 100644
--- a/tests/pkcs11/pkcs11-mock.c
+++ b/tests/pkcs11/pkcs11-mock.c
@@ -373,6 +373,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetTokenInfo)(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR p
 	memset(pInfo->serialNumber, ' ', sizeof(pInfo->serialNumber));
 	memcpy(pInfo->serialNumber, PKCS11_MOCK_CK_TOKEN_INFO_SERIAL_NUMBER, strlen(PKCS11_MOCK_CK_TOKEN_INFO_SERIAL_NUMBER));
 	pInfo->flags = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED;
+
+	if (pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH)
+		pInfo->flags &= ~CKF_LOGIN_REQUIRED;
+
 	pInfo->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE;
 	pInfo->ulSessionCount = (CK_TRUE == pkcs11_mock_session_opened) ? 1 : 0;
 	pInfo->ulMaxRwSessionCount = CK_EFFECTIVELY_INFINITE;
@@ -726,7 +730,11 @@ CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE user
 	if ((CK_FALSE == pkcs11_mock_session_opened) || (PKCS11_MOCK_CK_SESSION_ID != hSession))
 		return CKR_SESSION_HANDLE_INVALID;
 
-	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) {
+	if ((pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) && userType == CKU_CONTEXT_SPECIFIC) {
+		return CKR_USER_TYPE_INVALID;
+	}
+
+	if ((pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) || (pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH)) {
 		if ((CKU_CONTEXT_SPECIFIC != userType) && (CKU_SO != userType) && (CKU_USER != userType))
 			return CKR_USER_TYPE_INVALID;
 	} else if ((CKU_SO != userType) && (CKU_USER != userType)) {
@@ -770,7 +778,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_Login)(CK_SESSION_HANDLE hSession, CK_USER_TYPE user
 			break;
 	}
 
-	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH && rv == CKR_USER_ALREADY_LOGGED_IN) {
+	if ((pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH || pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) && rv == CKR_USER_ALREADY_LOGGED_IN) {
 		rv = 0;
 	}
 
@@ -1016,6 +1024,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(CK_SESSION_HANDLE hSession, CK_OB
 		else if (CKA_ALWAYS_AUTHENTICATE == pTemplate[i].type)
 		{
 			CK_BBOOL t;
+			if (pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH)
+				return CKR_ATTRIBUTE_TYPE_INVALID;
+
 			if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL))
 				return CKR_ARGUMENTS_BAD;
 
@@ -1541,10 +1552,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_DecryptInit)(CK_SESSION_HANDLE hSession, CK_MECHANIS
 	if ((CK_FALSE == pkcs11_mock_session_opened) || (PKCS11_MOCK_CK_SESSION_ID != hSession))
 		return CKR_SESSION_HANDLE_INVALID;
 
-	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) {
-		if (!pkcs11_mock_session_reauth) {
-			return CKR_USER_NOT_LOGGED_IN;
-		}
+	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH || pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) {
+		mock_session->state = CKS_RO_PUBLIC_SESSION;
 		pkcs11_mock_session_reauth = 0;
 	}
 
@@ -1630,6 +1639,15 @@ CK_DEFINE_FUNCTION(CK_RV, C_Decrypt)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEn
 	if ((CK_FALSE == pkcs11_mock_session_opened) || (PKCS11_MOCK_CK_SESSION_ID != hSession))
 		return CKR_SESSION_HANDLE_INVALID;
 
+	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH || pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) {
+		if (!pkcs11_mock_session_reauth) {
+			return CKR_USER_NOT_LOGGED_IN;
+		}
+		if ((pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) && pData != NULL) {
+			pkcs11_mock_session_reauth = 0;
+		}
+	}
+
 	if (NULL == pEncryptedData)
 		return CKR_ARGUMENTS_BAD;
 
@@ -1925,10 +1943,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(CK_SESSION_HANDLE hSession, CK_MECHANISM_P
 	if ((CK_FALSE == pkcs11_mock_session_opened) || (PKCS11_MOCK_CK_SESSION_ID != hSession))
 		return CKR_SESSION_HANDLE_INVALID;
 
-	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) {
-		if (!pkcs11_mock_session_reauth) {
-			return CKR_USER_NOT_LOGGED_IN;
-		}
+	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH || pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) {
+		mock_session->state = CKS_RO_PUBLIC_SESSION;
 		pkcs11_mock_session_reauth = 0;
 	}
 
@@ -1970,6 +1986,16 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
 	if ((CK_FALSE == pkcs11_mock_session_opened) || (PKCS11_MOCK_CK_SESSION_ID != hSession))
 		return CKR_SESSION_HANDLE_INVALID;
 
+	if (pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH || pkcs11_mock_flags & MOCK_FLAG_SAFENET_ALWAYS_AUTH) {
+		if (!pkcs11_mock_session_reauth) {
+			return CKR_USER_NOT_LOGGED_IN;
+		}
+
+		if ((pkcs11_mock_flags & MOCK_FLAG_ALWAYS_AUTH) && pSignature != NULL) {
+			pkcs11_mock_session_reauth = 0;
+		}
+	}
+
 	if (NULL == pData)
 		return CKR_ARGUMENTS_BAD;
 
diff --git a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
new file mode 100644
index 0000000000..1b5b34054d
--- /dev/null
+++ b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
@@ -0,0 +1,184 @@
+/*
+ * Copyright (C) 2017 Nikos Mavrogiannopoulos
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GnuTLS; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <gnutls/pkcs11.h>
+
+#ifdef _WIN32
+
+void doit(void)
+{
+	exit(77);
+}
+
+#else
+
+# include "utils.h"
+# include "pkcs11-mock-ext.h"
+
+/* Tests whether a gnutls_privkey_t will work properly with a key marked
+ * as always authenticate, but on the safenet HSMs where CKA_ALWAYS_AUTHENTICATE
+ * is not supported */
+
+static unsigned pin_called = 0;
+static const char *_pin = "1234";
+
+# include <dlfcn.h>
+# define P11LIB "libpkcs11mock1.so"
+
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "|<%d>| %s", level, str);
+}
+
+static
+int pin_func(void* userdata, int attempt, const char* url, const char *label,
+		unsigned flags, char *pin, size_t pin_max)
+{
+	if (_pin == NULL)
+		return -1;
+
+	strcpy(pin, _pin);
+	pin_called++;
+	return 0;
+}
+
+void doit(void)
+{
+	int ret;
+	const char *lib;
+	gnutls_privkey_t key;
+	gnutls_datum_t sig = {NULL, 0}, data;
+
+	lib = getenv("P11MOCKLIB1");
+	if (lib == NULL)
+		lib = P11LIB;
+
+	{
+		void *dl;
+		unsigned int *pflags;
+
+		dl = dlopen(lib, RTLD_NOW);
+		if (dl == NULL) {
+			fail("could not dlopen %s\n", lib);
+			exit(1);
+		}
+
+		pflags = dlsym(dl, "pkcs11_mock_flags");
+		if (pflags == NULL) {
+			fail("could find pkcs11_mock_flags\n");
+			exit(1);
+		}
+
+		*pflags = MOCK_FLAG_SAFENET_ALWAYS_AUTH;
+	}
+
+	data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
+	data.size = 20;
+
+	ret = global_init();
+	if (ret != 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(4711);
+
+	ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+	if (ret != 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	ret = gnutls_pkcs11_add_provider(lib, NULL);
+	if (ret != 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	ret = gnutls_privkey_init(&key);
+	assert(ret>=0);
+
+	gnutls_privkey_set_pin_function(key, pin_func, NULL);
+
+	ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+	if (ret < 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	pin_called = 0;
+
+	ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+	if (ret < 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (pin_called == 0) {
+		fail("PIN function wasn't called!\n");
+	}
+	pin_called = 0;
+
+	gnutls_free(sig.data);
+	sig.data = NULL;
+
+	/* call again - should re-authenticate */
+	ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
+	if (ret < 0) {
+		fail("%d: %s\n", ret, gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (pin_called == 0) {
+		fail("PIN function wasn't called twice!\n");
+	}
+	pin_called = 0;
+
+	gnutls_free(sig.data);
+	sig.data = NULL;
+
+	if (debug)
+		printf("done\n\n\n");
+
+	gnutls_privkey_deinit(key);
+	gnutls_pkcs11_deinit();
+	gnutls_global_deinit();
+}
+#endif
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2017-05-28 11:07:50 +0200
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2017-06-17 14:14:44 +0200
commit	77927aacb6a4e3d76d3fb388e67180c99cf9a287 (patch)
tree	2267bb6593700830f6be452bd6659853b889faa7
parent	1380acbf29c71a536274d30106e85d47b1fa2045 (diff)
download	gnutls_3_5_x_safenet_updates.tar.gz