Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rewrite networking to have proper round-robin across instances and retries #218

Merged
merged 6 commits into from
Sep 16, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 14 additions & 14 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@ panic = 'abort' # Abort on panic
strip = true # Strip symbols from binary

[patch.crates-io]
ureq = { git = "https://github.com/Nitrokey/ureq.git", rev = "dc716a0eb412db14ca75694ab7b99fb6f5d179f0" }
ureq = { git = "https://github.com/Nitrokey/ureq.git", rev = "9ee324596cad8132d488721652dad7c37ed1987c" }
2 changes: 1 addition & 1 deletion pkcs11/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ pkcs11 = "0.5.0"
tempfile = "3.12.0"
test-log = "0.2.16"
time = "0.3.36"
tokio = {version = "1", default-features = false, features = ["net", "sync", "rt", "io-util"] }
tokio = {version = "1", default-features = false, features = ["net", "sync", "rt", "io-util", "time"] }

[features]
pkcs11-full-tests = []
Expand Down
4 changes: 2 additions & 2 deletions pkcs11/src/api/generation.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ use crate::{
db::attr::CkRawAttrTemplate,
mechanism::{CkRawMechanism, Mechanism},
},
lock_session, read_session,
read_session,
};

pub extern "C" fn C_GenerateKey(
Expand Down Expand Up @@ -232,7 +232,7 @@ pub extern "C" fn C_GenerateRandom(

return cryptoki_sys::CKR_ARGUMENTS_BAD;
}
lock_session!(hSession, session);
read_session!(hSession, session);

if !session
.login_ctx
Expand Down
14 changes: 3 additions & 11 deletions pkcs11/src/api/object.rs
Original file line number Diff line number Diff line change
Expand Up @@ -276,9 +276,8 @@ mod tests {
db::{Db, Object},
login::LoginCtx,
session::Session,
slot::init_for_tests,
slot::{get_slot, init_for_tests},
},
config::config_file::RetryConfig,
data::SESSION_MANAGER,
};

Expand Down Expand Up @@ -399,6 +398,7 @@ mod tests {
#[test]
fn test_get_object_size() {
init_for_tests();
let slot = get_slot(0).unwrap();
let size = 32;
let mut db = Db::new();
let mut object = Object::default();
Expand All @@ -414,15 +414,7 @@ mod tests {
device_error: 0,
enum_ctx: None,
flags: 0,
login_ctx: LoginCtx::new(
None,
None,
vec![],
Some(RetryConfig {
count: 2,
delay_seconds: 0,
}),
),
login_ctx: LoginCtx::new(slot, false, false),
slot_id: 0,
};

Expand Down
9 changes: 2 additions & 7 deletions pkcs11/src/api/token.rs
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ pub extern "C" fn C_GetSlotInfo(

let mut flags = 0;

let mut login_ctx = LoginCtx::new(None, None, slot.instances.clone(), slot.retries);
let login_ctx = LoginCtx::new(slot.clone(), false, false);

let result = login_ctx.try_(
default_api::info_get,
Expand Down Expand Up @@ -166,12 +166,7 @@ pub extern "C" fn C_GetTokenInfo(
return cryptoki_sys::CKR_ARGUMENTS_BAD;
}

let mut login_ctx = LoginCtx::new(
None,
slot.administrator.clone(),
slot.instances.clone(),
slot.retries,
);
let login_ctx = LoginCtx::new(slot.clone(), true, false);

let result = login_ctx.try_(
default_api::info_get,
Expand Down
8 changes: 3 additions & 5 deletions pkcs11/src/backend/decrypt.rs
Original file line number Diff line number Diff line change
Expand Up @@ -14,11 +14,10 @@ pub struct DecryptCtx {
pub mechanism: Mechanism,
pub key_id: String,
pub data: Vec<u8>,
login_ctx: LoginCtx,
}

impl DecryptCtx {
pub fn init(mechanism: Mechanism, key: &Object, login_ctx: LoginCtx) -> Result<Self, Error> {
pub fn init(mechanism: Mechanism, key: &Object, login_ctx: &LoginCtx) -> Result<Self, Error> {
if !login_ctx.can_run_mode(crate::backend::login::UserMode::Operator) {
return Err(Error::NotLoggedIn(login::UserMode::Operator));
}
Expand All @@ -42,14 +41,13 @@ impl DecryptCtx {
mechanism,
key_id: key.id.clone(),
data: Vec::new(),
login_ctx,
})
}
pub fn update(&mut self, data: &[u8]) {
self.data.extend_from_slice(data);
}

pub fn decrypt_final(&mut self) -> Result<Vec<u8>, Error> {
pub fn decrypt_final(&mut self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
if self.data.is_empty() {
return Err(Error::InvalidEncryptedDataLength);
}
Expand All @@ -72,7 +70,7 @@ impl DecryptCtx {

let key_id = self.key_id.as_str();

let output = self.login_ctx.try_(
let output = login_ctx.try_(
|api_config| {
default_api::keys_key_id_decrypt_post(
api_config,
Expand Down
23 changes: 8 additions & 15 deletions pkcs11/src/backend/encrypt.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,10 @@ pub struct EncryptCtx {
pub mechanism: Mechanism,
pub key_id: String,
pub data: Vec<u8>,
login_ctx: LoginCtx,
}

impl EncryptCtx {
pub fn init(mechanism: Mechanism, key: &Object, login_ctx: LoginCtx) -> Result<Self, Error> {
pub fn init(mechanism: Mechanism, key: &Object, login_ctx: &LoginCtx) -> Result<Self, Error> {
if !login_ctx.can_run_mode(crate::backend::login::UserMode::Operator) {
return Err(Error::NotLoggedIn(login::UserMode::Operator));
}
Expand Down Expand Up @@ -56,7 +55,6 @@ impl EncryptCtx {
mechanism,
key_id: key.id.clone(),
data: Vec::new(),
login_ctx,
})
}

Expand All @@ -70,7 +68,7 @@ impl EncryptCtx {
full_blocks * ENCRYPT_BLOCK_SIZE
}

pub fn encrypt_available_data(&mut self) -> Result<Vec<u8>, Error> {
pub fn encrypt_available_data(&mut self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
let chunk_size = self.get_biggest_chunk_len();

// if there is no data to encrypt, return an empty vector
Expand All @@ -81,18 +79,13 @@ impl EncryptCtx {
// drain the data to encrypt from the data vector

let input_data = self.data.drain(..chunk_size).collect::<Vec<u8>>();
encrypt_data(
&self.key_id,
self.login_ctx.clone(),
&input_data,
&self.mechanism,
)
encrypt_data(&self.key_id, login_ctx, &input_data, &self.mechanism)
}

pub fn encrypt_final(&self) -> Result<Vec<u8>, Error> {
pub fn encrypt_final(&self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
encrypt_data(
&self.key_id,
self.login_ctx.clone(),
login_ctx,
self.data.as_slice(),
&self.mechanism,
)
Expand All @@ -101,7 +94,7 @@ impl EncryptCtx {

fn encrypt_data(
key_id: &str,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
data: &[u8],
mechanism: &Mechanism,
) -> Result<Vec<u8>, Error> {
Expand Down Expand Up @@ -134,15 +127,15 @@ fn encrypt_data(
login::UserMode::Operator,
)
.map_err(|err| {
if let ApiError::ResponseError(ref resp) = err {
if let Error::Api(ApiError::ResponseError(ref resp)) = err {
if resp.status == 400 {
if resp.content.contains("argument length") {
return Error::InvalidDataLength;
}
return Error::InvalidData;
}
}
err.into()
err
})?;

Ok(Base64::decode_vec(&output.entity.encrypted)?)
Expand Down
2 changes: 1 addition & 1 deletion pkcs11/src/backend/events.rs
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ pub fn fetch_slots_state() -> Result<(), cryptoki_sys::CK_RV> {
};

for (index, slot) in device.slots.iter().enumerate() {
let mut login_ctx = LoginCtx::new(None, None, slot.instances.clone(), slot.retries);
let login_ctx = LoginCtx::new(slot.clone(), false, false);
let status = login_ctx
.try_(default_api::health_state_get, super::login::UserMode::Guest)
.map(|state| state.entity.state == SystemState::Operational)
Expand Down
23 changes: 12 additions & 11 deletions pkcs11/src/backend/key.rs
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ pub fn parse_attributes(template: &CkRawAttrTemplate) -> Result<ParsedAttributes

fn upload_certificate(
parsed_template: &ParsedAttributes,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
) -> Result<(String, ObjectKind, Option<Vec<u8>>), Error> {
let cert = parsed_template
.value
Expand Down Expand Up @@ -196,7 +196,7 @@ fn upload_certificate(

pub fn create_key_from_template(
template: CkRawAttrTemplate,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
) -> Result<(String, ObjectKind, Option<Vec<u8>>), Error> {
let parsed = parse_attributes(&template)?;

Expand Down Expand Up @@ -415,7 +415,7 @@ pub fn generate_key_from_template(
template: &CkRawAttrTemplate,
public_template: Option<&CkRawAttrTemplate>,
mechanism: &Mechanism,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
db: &Mutex<db::Db>,
) -> Result<Vec<(CK_OBJECT_HANDLE, Object)>, Error> {
let parsed = parse_attributes(template)?;
Expand Down Expand Up @@ -462,7 +462,7 @@ pub fn generate_key_from_template(
fn fetch_one_key(
key_id: &str,
raw_id: Option<Vec<u8>>,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
) -> Result<Vec<Object>, Error> {
if !login_ctx.can_run_mode(super::login::UserMode::OperatorOrAdministrator) {
return Err(Error::NotLoggedIn(
Expand All @@ -479,11 +479,14 @@ fn fetch_one_key(
debug!("Failed to fetch key {}: {:?}", key_id, err);
if matches!(
err,
ApiError::ResponseError(backend::ResponseContent { status: 404, .. })
Error::Api(ApiError::ResponseError(backend::ResponseContent {
status: 404,
..
}))
) {
return Ok(vec![]);
}
return Err(err.into());
return Err(err);
}
};

Expand All @@ -496,7 +499,7 @@ fn fetch_one_key(
pub fn fetch_key(
key_id: &str,
raw_id: Option<Vec<u8>>,
login_ctx: LoginCtx,
login_ctx: &LoginCtx,
db: &Mutex<db::Db>,
) -> Result<Vec<(CK_OBJECT_HANDLE, Object)>, Error> {
let objects = fetch_one_key(key_id, raw_id, login_ctx)?;
Expand All @@ -509,7 +512,7 @@ pub fn fetch_key(
fn fetch_one_certificate(
key_id: &str,
raw_id: Option<Vec<u8>>,
mut login_ctx: LoginCtx,
login_ctx: &LoginCtx,
) -> Result<Object, Error> {
if !login_ctx.can_run_mode(super::login::UserMode::OperatorOrAdministrator) {
return Err(Error::NotLoggedIn(
Expand All @@ -530,7 +533,7 @@ fn fetch_one_certificate(
pub fn fetch_certificate(
key_id: &str,
raw_id: Option<Vec<u8>>,
login_ctx: LoginCtx,
login_ctx: &LoginCtx,
db: &Mutex<db::Db>,
) -> Result<(CK_OBJECT_HANDLE, Object), Error> {
let object = fetch_one_certificate(key_id, raw_id, login_ctx)?;
Expand Down Expand Up @@ -568,12 +571,10 @@ pub fn fetch_one(
| Some(ObjectKind::PublicKey)
| Some(ObjectKind::SecretKey)
) {
let login_ctx = login_ctx.clone();
acc = fetch_one_key(&key.id, None, login_ctx)?;
}

if matches!(kind, None | Some(ObjectKind::Certificate)) {
let login_ctx = login_ctx.clone();
match fetch_one_certificate(&key.id, None, login_ctx) {
Ok(cert) => acc.push(cert),
Err(err) => {
Expand Down
Loading
Loading