From 87822c14cbba2e712750ecb9c4157b0ae39f69fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
Date: Fri, 29 Jan 2021 16:30:42 -0600
Subject: [PATCH] Use system locks in pkcs11 library

This patch adds a new option to the PKCS#11 backend: `os_locking_ok`.
When set to true, the flag CKF_OS_LOCKING_OK is passed to the
C_Initialize function for the client library.

Change-Id: Iaa2a82718cb75e291a0b81b896bd136c29fa6fa0
(cherry picked from commit b5b350b4ced9aa5e7c7af424c439be7097052b21)
(cherry picked from commit 7a889cd200cc7a30ce1240cfd9718a60b1dbea21)
---
 barbican/plugin/crypto/p11_crypto.py          |  7 +++-
 barbican/plugin/crypto/pkcs11.py              | 38 +++++++++++++++++--
 ...os-locking-ok-option-d0cfc5883355632a.yaml |  6 +++
 3 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/add-os-locking-ok-option-d0cfc5883355632a.yaml

diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py
index f3a740372..40fa1a4bb 100644
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@@ -97,6 +97,10 @@ p11_crypto_plugin_opts = [
                 help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
                          'CKA_EXTRACTABLE=CK_TRUE keys.'),
                 default=True),
+    cfg.BoolOpt('os_locking_ok',
+                help=u._('Enable CKF_OS_LOCKING_OK flag when initializing the '
+                         'PKCS#11 client library.'),
+                default=False),
 ]
 CONF.register_group(p11_crypto_plugin_group)
 CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@@ -326,7 +330,8 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
             always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
             hmac_keywrap_mechanism=plugin_conf.hmac_keywrap_mechanism,
             token_serial_number=plugin_conf.token_serial_number,
-            token_label=plugin_conf.token_label
+            token_label=plugin_conf.token_label,
+            os_locking_ok=plugin_conf.os_locking_ok
         )
 
     def _reinitialize_pkcs11(self):
diff --git a/barbican/plugin/crypto/pkcs11.py b/barbican/plugin/crypto/pkcs11.py
index e851a609e..4083c72ea 100644
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@@ -34,6 +34,7 @@ CKR_OK = 0
 CK_TRUE = 1
 CKF_RW_SESSION = (1 << 1)
 CKF_SERIAL_SESSION = (1 << 2)
+CKF_OS_LOCKING_OK = 0x02
 CKU_SO = 0
 CKU_USER = 1
 
@@ -279,6 +280,8 @@ def build_ffi():
     typedef unsigned long CK_STATE;
     typedef unsigned long CK_USER_TYPE;
     typedef unsigned char * CK_UTF8CHAR_PTR;
+    typedef void * CK_VOID_PTR;
+    typedef CK_VOID_PTR * CK_VOID_PTR_PTR;
     typedef ... *CK_NOTIFY;
 
     typedef unsigned long ck_attribute_type_t;
@@ -290,6 +293,20 @@ def build_ffi():
     typedef struct ck_attribute CK_ATTRIBUTE;
     typedef CK_ATTRIBUTE *CK_ATTRIBUTE_PTR;
 
+    typedef CK_RV (*CK_CREATEMUTEX)(CK_VOID_PTR_PTR);
+    typedef CK_RV (*CK_DESTROYMUTEX)(CK_VOID_PTR);
+    typedef CK_RV (*CK_LOCKMUTEX)(CK_VOID_PTR);
+    typedef CK_RV (*CK_UNLOCKMUTEX)(CK_VOID_PTR);
+
+    typedef struct CK_C_INITIALIZE_ARGS {
+        CK_CREATEMUTEX CreateMutex;
+        CK_DESTROYMUTEX DestroyMutex;
+        CK_LOCKMUTEX LockMutex;
+        CK_UNLOCKMUTEX UnlockMutex;
+        CK_FLAGS flags;
+        CK_VOID_PTR pReserved;
+    } CK_C_INITIALIZE_ARGS;
+
     typedef unsigned long ck_mechanism_type_t;
     struct ck_mechanism {
         ck_mechanism_type_t mechanism;
@@ -415,7 +432,8 @@ class PKCS11(object):
                  generate_iv=None, always_set_cka_sensitive=None,
                  hmac_keywrap_mechanism='CKM_SHA256_HMAC',
                  token_serial_number=None,
-                 token_label=None):
+                 token_label=None,
+                 os_locking_ok=False):
         if algorithm:
             LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
             encryption_mechanism = encryption_mechanism or algorithm
@@ -433,7 +451,14 @@ class PKCS11(object):
 
         self.ffi = ffi or build_ffi()
         self.lib = self.ffi.dlopen(library_path)
-        rv = self.lib.C_Initialize(self.ffi.NULL)
+
+        if os_locking_ok:
+            init_arg_pt = self.ffi.new("CK_C_INITIALIZE_ARGS *")
+            init_arg_pt.flags = CKF_OS_LOCKING_OK
+        else:
+            init_arg_pt = self.ffi.NULL
+
+        rv = self.lib.C_Initialize(init_arg_pt)
         self._check_error(rv)
 
         # Session options
@@ -479,13 +504,18 @@ class PKCS11(object):
             token_info_ptr = self.ffi.new("CK_TOKEN_INFO_PTR")
             rv = self.lib.C_GetTokenInfo(id, token_info_ptr)
             self._check_error(rv)
-            tokens.append(Token(
+            token = Token(
                 id,
                 self.ffi.string(token_info_ptr.label).decode("UTF-8").strip(),
                 self.ffi.string(
                     token_info_ptr.serialNumber
                 ).decode("UTF-8").strip()
-            ))
+            )
+            LOG.debug("Slot %s: label: %s sn: %s",
+                      token.slot_id,
+                      token.label,
+                      token.serial_number)
+            tokens.append(token)
 
         # Matching serial number gets highest priority
         if token_serial_number:
diff --git a/releasenotes/notes/add-os-locking-ok-option-d0cfc5883355632a.yaml b/releasenotes/notes/add-os-locking-ok-option-d0cfc5883355632a.yaml
new file mode 100644
index 000000000..2239ca179
--- /dev/null
+++ b/releasenotes/notes/add-os-locking-ok-option-d0cfc5883355632a.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Added a new boolean option to the PKCS#11 backend: `os_locking_ok`.  When
+    set to True, the flag CKF_OS_LOCKING_OK will be passed to the C_Initialize
+    function.  The new option defaults to False.