Project

General

Profile

Issue #2494

Problems With 64bit Slot IDs With Pkcs11 Plugin

Added by Jordan Hrycaj almost 3 years ago. Updated almost 3 years ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
libstrongswan
Affected version:
5.5.3
Resolution:

Description

Pkcs#11 defines a (ck_slot_id_t) type as an alias of (unsigned long). Yet the pkcs11 plugin uses the
type (int) in many places instead of a (ck_slot_id_t). Apart from a possible signed/unsigned clash,
(int) might be 32bit while (unsigned long) has 64bit (happens on a 64bit ubuntu 14.04).

As a pkcs11 back end provider, this can only work with the StrongSwan plugin if she restricts herself
to 31bit. This contradicts pkcs#11 specification (AFAIK, unless pointed out otherwise).

Example:

pkcs11_public_key.c(853):
static private_pkcs11_public_key find_key_by_keyid(..., int slot, ...) ..

will later call

C_OpenSession(slot, ..)

which cannot work in general.

Sorry, no patch at the moment due to time restrictions.

History

#1 Updated by Tobias Brunner almost 3 years ago

  • Status changed from New to Feedback

While I see the theoretical problem, are there even such large slot IDs in practice that this would become an issue?

#2 Updated by Jordan Hrycaj almost 3 years ago

yes it is if you run on a system with limited space.

#3 Updated by Jordan Hrycaj almost 3 years ago

Sorry wrong thread

Yes it is a problem unless you assume that slots have low integers. In general, an ID might be anything, maybe a hash or a pointer?

#4 Updated by Tobias Brunner almost 3 years ago

Yes it is a problem unless you assume that slots have low integers.

Well, low is relative even considering 2^31. But that obviously has been the assumption and experience so far. I've no problem with using the proper type for the slot ID throughout the pkcs11 plugin, however, it will currently not be possible to configure such slot IDs (e.g. via VICI).

Also available in: Atom PDF