diff --git a/src/objects.c b/src/objects.c
index c7590eba..5898c875 100644
--- a/src/objects.c
+++ b/src/objects.c
@@ -325,6 +325,13 @@ static void cache_key(P11PROV_OBJ *obj)
     CK_SESSION_HANDLE sess;
     CK_BBOOL can_cache = CK_TRUE;
     CK_RV ret;
+    int cache_keys;
+
+    /* check whether keys should be cached at all */
+    cache_keys = p11prov_ctx_cache_keys(obj->ctx);
+    if (cache_keys == P11PROV_CACHE_KEYS_NEVER) {
+        return;
+    }
 
     /* We cache only keys on the token */
     if ((obj->class != CKO_PRIVATE_KEY && obj->class != CKO_PUBLIC_KEY)
diff --git a/src/provider.c b/src/provider.c
index c8783f32..1e428b63 100644
--- a/src/provider.c
+++ b/src/provider.c
@@ -28,6 +28,7 @@ struct p11prov_ctx {
     int allow_export;
     int login_behavior;
     bool cache_pins;
+    int cache_keys;
     /* TODO: ui_method */
     /* TODO: fork id */
 
@@ -538,6 +539,12 @@ bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx)
     return ctx->cache_pins;
 }
 
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx)
+{
+    P11PROV_debug("cache_keys = %d", ctx->cache_keys);
+    return ctx->cache_keys;
+}
+
 static void p11prov_teardown(void *ctx)
 {
     p11prov_ctx_free((P11PROV_CTX *)ctx);
@@ -1196,6 +1203,7 @@ enum p11prov_cfg_enum {
     P11PROV_CFG_LOGIN_BEHAVIOR,
     P11PROV_CFG_LOAD_BEHAVIOR,
     P11PROV_CFG_CACHE_PINS,
+    P11PROV_CFG_CACHE_KEYS,
     P11PROV_CFG_SIZE,
 };
 
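Review bot: The early return added to cache_key() goes through a local `int cache_keys` that is declared three lines before it is assigned and is never used again, while the header in this same commit introduces an enum for exactly these values. Either type it and initialise it in one step, `enum p11prov_cache_keys cache_keys = p11prov_ctx_cache_keys(obj->ctx);`, or drop the local and test the call directly, `if (p11prov_ctx_cache_keys(obj->ctx) == P11PROV_CACHE_KEYS_NEVER) {`. The comment could also say what the return skips, e.g. `/* pkcs11-module-cache-keys=false: leave the object uncached */`. cache_key() starts and ends outside the hunk.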
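Review bot: `p11prov_ctx_cache_keys()` logs `P11PROV_debug("cache_keys = %d", ...)` on every call, and cache_key() now calls it for every object it considers, so a debug-enabled run repeats the same constant for each key; the visible tail of the neighbouring `p11prov_ctx_cache_pins()` just returns its field. Logging the parsed setting once in OSSL_provider_init() and making this accessor a plain `return ctx->cache_keys;` would keep the debug output useful. A one-line comment on the definition, `/* key caching policy from pkcs11-module-cache-keys, see enum p11prov_cache_keys */`, would also help, since neither the field nor the accessor is documented.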
@@ -1205,23 +1213,14 @@ static struct p11prov_cfg_names {
     { "pkcs11-module-path" }, { "pkcs11-module-init-args" },
     { "pkcs11-module-token-pin" }, { "pkcs11-module-allow-export" },
     { "pkcs11-module-login-behavior" }, { "pkcs11-module-load-behavior" },
-    { "pkcs11-module-cache-pins" },
+    { "pkcs11-module-cache-pins" }, { "pkcs11-module-cache-keys" },
 };
 
 int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
                        const OSSL_DISPATCH **out, void **provctx)
 {
     const char *cfg[P11PROV_CFG_SIZE] = { 0 };
-    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1] = {
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[0].name, &cfg[0], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[1].name, &cfg[1], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[2].name, &cfg[2], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[3].name, &cfg[3], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[4].name, &cfg[4], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[5].name, &cfg[5], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[6].name, &cfg[6], sizeof(void *)),
-        OSSL_PARAM_END
-    };
+    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1];
     P11PROV_CTX *ctx;
     int ret;
 
@@ -1249,6 +1248,12 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         return RET_OSSL_ERR;
     }
 
+    for (int i = 0; i < P11PROV_CFG_SIZE; i++) {
+        core_params[i] = OSSL_PARAM_construct_utf8_ptr(
+            p11prov_cfg_names[i].name, (char **)&cfg[i], sizeof(void *));
+    }
+    core_params[P11PROV_CFG_SIZE] = OSSL_PARAM_construct_end();
+
     ret = core_get_params(handle, core_params);
     if (ret != RET_OSSL_OK) {
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
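Review bot: The names table is indexed by enum p11prov_cfg_enum and is now walked up to P11PROV_CFG_SIZE by the loop added further down in OSSL_provider_init(), so a value added to the enum but not to this table becomes an out-of-bounds read (or a NULL key, if the array is declared with an explicit size; its opening line is outside the hunk) rather than a compile error. If the build accepts C11, a `_Static_assert(sizeof(p11prov_cfg_names) / sizeof(p11prov_cfg_names[0]) == P11PROV_CFG_SIZE, "cfg names out of sync with enum");` after the initializer closes that gap, and a comment on the table, `/* order must match enum p11prov_cfg_enum */`, makes the coupling visible to the next person adding an option. Packing `cache-pins` and `cache-keys` on one line follows the rows above it.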
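Review bot: The `(char **)&cfg[i]` in the new loop strips the `const` from `const char *cfg[]` without explanation, and the initializer it replaces passed `&cfg[i]` with no cast, so a reader will wonder whether something now writes through it. A short comment, `/* construct_utf8_ptr() takes char **; core_get_params() only stores the string pointer here, cfg[] stays const char * for the strcmp() checks below */`, records why the cast is safe. If the cast is meant to be avoided instead, declaring `cfg` as `char *cfg[P11PROV_CFG_SIZE]` in the previous hunk would remove it.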
@@ -1307,6 +1312,17 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         ctx->cache_pins = true;
     }
 
+    if (cfg[P11PROV_CFG_CACHE_KEYS] != NULL) {
+        if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "true") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+        } else if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "false") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_NEVER;
+        }
+    } else {
+        /* defaults to session */
+        ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+    }
+
     /* do this as the last thing */
     if (cfg[P11PROV_CFG_LOAD_BEHAVIOR] != NULL
         && strcmp(cfg[P11PROV_CFG_LOAD_BEHAVIOR], "early") == 0) {
diff --git a/src/provider.h b/src/provider.h
index a9e12252..f0231629 100644
--- a/src/provider.h
+++ b/src/provider.h
@@ -94,6 +94,12 @@ int p11prov_ctx_allow_export(P11PROV_CTX *ctx);
 int p11prov_ctx_login_behavior(P11PROV_CTX *ctx);
 bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx);
 
+enum p11prov_cache_keys {
+    P11PROV_CACHE_KEYS_NEVER = 0,
+    P11PROV_CACHE_KEYS_IN_SESSION,
+};
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx);
+
 #include "debug.h"
 
 /* Errors */
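Review bot: When `pkcs11-module-cache-keys` is present but is neither `true` nor `false`, the new block assigns nothing, so `ctx->cache_keys` keeps whatever the context allocation left there: if ctx is zero-filled that is P11PROV_CACHE_KEYS_NEVER (= 0), so a typo in the option silently disables caching instead of giving the documented session default, and if it is not zero-filled the value is indeterminate. Setting the default unconditionally and only overriding on an explicit `false` removes that gap and the duplicated IN_SESSION assignment; an unrecognised value can be reported through `P11PROV_debug` so the operator sees that the option was ignored. OSSL_provider_init() starts and ends outside the hunk.
```c
    /* … unchanged: cache_pins handling … */

    /* defaults to session; only an explicit "false" disables caching */
    ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
    if (cfg[P11PROV_CFG_CACHE_KEYS] != NULL) {
        if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "false") == 0) {
            ctx->cache_keys = P11PROV_CACHE_KEYS_NEVER;
        } else if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "true") != 0) {
            P11PROV_debug("Unknown pkcs11-module-cache-keys value, using default");
        }
    }
```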
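Review bot: `enum p11prov_cache_keys` and `p11prov_ctx_cache_keys()` are added to the public header without a word on what the two values mean, and both the `cache_keys` field in struct p11prov_ctx and the accessor carry them as plain `int`, so nothing ties the accessor's result to the enum. A comment above the enum, `/* Key caching policy (pkcs11-module-cache-keys): NEVER makes cache_key() return without caching the object; IN_SESSION, the default, allows caching. */`, spares readers a trip to objects.c, and declaring the accessor as `enum p11prov_cache_keys p11prov_ctx_cache_keys(P11PROV_CTX *ctx);` lets the compiler check the comparison in cache_key(). Worth noting next to `= 0` that NEVER is also what a zero-filled context holds until OSSL_provider_init() parses the option.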