Secure AuthenticationのトピックRe: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Riz — Mon, 21 Nov 2022 08:07:45 GMT

I am trying out TLS communication with openssl and Pkcs11-SSS library.

After a successful handshake, I observed that I was unable to send data from TLS server stdin to the TLS client.

Setup:

TLS server: Device with Secure element SE05X. Example command below.

OPENSSL_CONF=engine.conf openssl s_server -port <PORT_NO> -engine pkcs11 -keyform engine -key 1:XXXXXXXX -dtls1_2 -cert server.crt -CAfile rootCA.crt -cipher DHE-RSA-AES128-GCM-SHA256

TLS client: Regular Linux machine connected to it. Example command below.

openssl s_client -connect <IP_OF_SERVER>:<PORT> -dtls1_2 -CAfile rootCA.crt -cipher DHE-RSA-AES128-GCM-SHA256

Digging deeper I observed that the file descriptor 0 (stdin) was closed by the pkcs11-sss library which was then used for connection with access manager. Due to which no input was read from stdin.

See code snippet below.

File: sss_pkcs11_pal_core.c

There are no comments near the code that would explain why this is being done.
Can you please look into this?

Regards
Riz

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Riz — Wed, 23 Nov 2022 09:06:23 GMT

Hi @Kan_Li
Could you please look into this?

Regards,
Riz

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Kan_Li — Fri, 25 Nov 2022 03:58:33 GMT

Hi @Riz ,

SM_Close() is used to close the communication with the Security Module before establishing a new connection. maybe you can redirect the stdin to some file/queue instead for communication between threads in this case.

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Riz — Wed, 21 Dec 2022 08:57:55 GMT

Hi @Kan_Li ,

I tried looking into the code further, below is my observation.

The SM_Close(NULL,0) call from within the sss_pkcs11_pal_core.c is closing fd "0" even though there is no prior connection to the Security module.

This is because the "pSockCtx->sockfd" is initialized as static so gets a default value of 0.
See below code for reference from smComSocket_linux.c line ~50.

typedef struct { int sockfd; char * ipString; } socket_Context_t; static socket_Context_t sockCtx; static socket_Context_t* pSockCtx = (socket_Context_t *)&sockCtx; static U32 smComSocket_GetATR(U8* pAtr, U16* atrLen); U16 smComSocket_Close() { if (pSockCtx->ipString != NULL) free(pSockCtx->ipString); pSockCtx->ipString = NULL; close(pSockCtx->sockfd); return SW_OK; }

I think adding a static initializer to sockfd (may be -1) and a condition to check if fd is valid before closing should fix the issue.

Let me know your thoughts.

I have another question:

Why is the SM_Close(NULL, 0) call inside the sss_pkcs11_pal_core.c file required at all??

I temporarily removed the SM_Close(NULL, 0) and ran pkcs11 operations concurrently. Everything seemed to work fine.

Can you clarify on why this is really required at first place please?

Thanks in advance.

Regards,
Riz

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

michaelsalfer — Thu, 22 Dec 2022 17:30:04 GMT

Hello Riz,

thanks for reporting this, check is ongoing what is the purpose of this SM_Close().

Kind regards,
Michael

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Kan_Li — Mon, 26 Dec 2022 03:24:17 GMT

Hi @Riz ,

I think the purpose is still to close any possible communication with the Security Module before establishing a new connection, and I am suspecting if removing this would lead to open session failed error, let me check with the expert for double confirm.

Thanks for your patience!

Have a great day,
Kan

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Riz — Mon, 26 Dec 2022 15:09:01 GMT

Hi @Kan_Li

Thanks for your reply, do let me know once you get an answer from the expert.

Also, please look into my earlier comment here , even if it is required, looks like by default fd 0 (stdin) is closed (due to static initialisation) even though there is no prior connection and this should ideally not happen, right?

let me know your thoughts.

Regards,

Riz

Re: TLS issue: Re-using fd 0 (stdin) for access manager connection from pkcs11-sss library

Kan_Li — Tue, 27 Dec 2022 02:03:03 GMT

Hi @Riz ,

From my understanding, SM_Close() closes any current connection over the interface and prepares for a new connection, it also applies for the case when there is no prior connection, but I think your workaround should also be feasible, you may try to exclude this case with some condition as you mentioned.

Have a great day,
Kan