New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
About the safety of CK_ATTRIBUTE::get_bytes
#15
Comments
obviously buggy behavior :) The question though is on how we should fix it. I still believe that the I'm very open for a PR that addresses this. Unfortunately, I can't spare as much time on developing this as I could when I started to work on this. My original goal for this library was:
Any input in which direction you would like this library to develop would be useful as well. |
My gut feeling tells me that this might be the right approach: Result of a vector of Result. Or cleaning the Result to only return the successful ones. |
Thanks for your feedback, I will try to get a PR started for this 😃 I also thought that maybe the Concerning the library, it is very useful for us as it is but it might be worth to audit the use of Concerning our use-case, we are mainly using this library as part of PARSEC which is a service interfacing with different cryptographic backends (and PKCS 11 is one of them) with the same API (PSA Crypto API over protobuf). Clients can connect to the service through a Unix socket and send crypto requests. Client libraries can be written in any language and should provide the most easy-to-use abstraction with secure defaults. For example, a client library written in Rust (here the test client) could be used like this to create a RSA key, sign a message and export the public key: use parsec_client_test::TestClient;
let mut client = TestClient::new();
let key_name = String::from("🔑 Bob's Key 🔑");
let message = String::from("Bob wrote this message.");
client.create_rsa_sign_key(key_name.clone()).unwrap();
let signature = client.sign(key_name.clone(), message.into_bytes()).unwrap();
let public_key = client.export_public_key(key_name).unwrap(); And we also have started a Go client. |
@hug-dev I assume you got busy and did not start writing a PR? (no worries, I know how it is) |
Thanks for pinging me! I actually proposed a solution in a PR linked above 😃 |
Hi!
First thanks for your library, it is very helpful for us 😃 !
As the title says, I have a question regarding the safety of the
CK_ATTRIBUTE::get_bytes
function. I ran into a memory safety bug (the classicSegmentation Fault
) which I think is related.On version
0.4.0
the function is:and is safe. However, I think that in certain cases it can still exhibit an
unsafe
behaviour, specially because it assumes the values of the fields of the attributes to be valid (without checking them).One of those cases I found is when using the
Ctx::get_attribute_value
function. As it says in the code, the function will return theOk
variant even if some attributes given in the templates were invalid or missing from the object. In those cases, as per PKCS 11 specification (C_GetAttributeValue
function), it will modify theulValueLen
field of the attribute toCK_UNAVAILABLE_INFORMATION
which is a really large number:After that, a subsequent call to
get_bytes
will create a very big vector (all the memory space actually?).If the attribute method
with_bytes
was called before with a byte array of addressP
then theget_bytes
function will return a vector of addressP
and size!0
.Maybe the
get_attribute_value
function should actually return anErr
variant when that happens or, if we do not want to fail the function for all the attribute if only one failed, it could return aResult
of a vector ofResult
.The text was updated successfully, but these errors were encountered: