Rewrite networking to have proper round-robin across instances and retries

Cargo.toml

@@ -13,4 +13,4 @@ panic = 'abort'     # Abort on panic
 strip = true        # Strip symbols from binary
 
 [patch.crates-io]
-ureq =  { git = "https://github.com/Nitrokey/ureq.git", rev = "dc716a0eb412db14ca75694ab7b99fb6f5d179f0" }
+ureq =  { git = "https://github.com/Nitrokey/ureq.git", rev = "9ee324596cad8132d488721652dad7c37ed1987c" }

pkcs11/Cargo.toml

@@ -50,7 +50,7 @@ pkcs11 = "0.5.0"
 tempfile = "3.12.0"
 test-log = "0.2.16"
 time = "0.3.36"
-tokio = {version = "1", default-features = false, features = ["net", "sync", "rt", "io-util"] }
+tokio = {version = "1", default-features = false, features = ["net", "sync", "rt", "io-util", "time"] }
 
 [features]
 pkcs11-full-tests = []

pkcs11/src/api/generation.rs

@@ -8,7 +8,7 @@ use crate::{
         db::attr::CkRawAttrTemplate,
         mechanism::{CkRawMechanism, Mechanism},
     },
-    lock_session, read_session,
+    read_session,
 };
 
 pub extern "C" fn C_GenerateKey(
@@ -232,7 +232,7 @@ pub extern "C" fn C_GenerateRandom(
 
         return cryptoki_sys::CKR_ARGUMENTS_BAD;
     }
-    lock_session!(hSession, session);
+    read_session!(hSession, session);
 
     if !session
         .login_ctx

pkcs11/src/api/object.rs

@@ -276,9 +276,8 @@ mod tests {
             db::{Db, Object},
             login::LoginCtx,
             session::Session,
-            slot::init_for_tests,
+            slot::{get_slot, init_for_tests},
         },
-        config::config_file::RetryConfig,
         data::SESSION_MANAGER,
     };
 
@@ -399,6 +398,7 @@ mod tests {
     #[test]
     fn test_get_object_size() {
         init_for_tests();
+        let slot = get_slot(0).unwrap();
         let size = 32;
         let mut db = Db::new();
         let mut object = Object::default();
@@ -414,15 +414,7 @@ mod tests {
             device_error: 0,
             enum_ctx: None,
             flags: 0,
-            login_ctx: LoginCtx::new(
-                None,
-                None,
-                vec![],
-                Some(RetryConfig {
-                    count: 2,
-                    delay_seconds: 0,
-                }),
-            ),
+            login_ctx: LoginCtx::new(slot, false, false),
             slot_id: 0,
         };
 

pkcs11/src/api/token.rs

@@ -92,7 +92,7 @@ pub extern "C" fn C_GetSlotInfo(
 
     let mut flags = 0;
 
-    let mut login_ctx = LoginCtx::new(None, None, slot.instances.clone(), slot.retries);
+    let login_ctx = LoginCtx::new(slot.clone(), false, false);
 
     let result = login_ctx.try_(
         default_api::info_get,
@@ -166,12 +166,7 @@ pub extern "C" fn C_GetTokenInfo(
         return cryptoki_sys::CKR_ARGUMENTS_BAD;
     }
 
-    let mut login_ctx = LoginCtx::new(
-        None,
-        slot.administrator.clone(),
-        slot.instances.clone(),
-        slot.retries,
-    );
+    let login_ctx = LoginCtx::new(slot.clone(), true, false);
 
     let result = login_ctx.try_(
         default_api::info_get,

pkcs11/src/backend/decrypt.rs

@@ -14,11 +14,10 @@ pub struct DecryptCtx {
     pub mechanism: Mechanism,
     pub key_id: String,
     pub data: Vec<u8>,
-    login_ctx: LoginCtx,
 }
 
 impl DecryptCtx {
-    pub fn init(mechanism: Mechanism, key: &Object, login_ctx: LoginCtx) -> Result<Self, Error> {
+    pub fn init(mechanism: Mechanism, key: &Object, login_ctx: &LoginCtx) -> Result<Self, Error> {
         if !login_ctx.can_run_mode(crate::backend::login::UserMode::Operator) {
             return Err(Error::NotLoggedIn(login::UserMode::Operator));
         }
@@ -42,14 +41,13 @@ impl DecryptCtx {
             mechanism,
             key_id: key.id.clone(),
             data: Vec::new(),
-            login_ctx,
         })
     }
     pub fn update(&mut self, data: &[u8]) {
         self.data.extend_from_slice(data);
     }
 
-    pub fn decrypt_final(&mut self) -> Result<Vec<u8>, Error> {
+    pub fn decrypt_final(&mut self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
         if self.data.is_empty() {
             return Err(Error::InvalidEncryptedDataLength);
         }
@@ -72,7 +70,7 @@ impl DecryptCtx {
 
         let key_id = self.key_id.as_str();
 
-        let output = self.login_ctx.try_(
+        let output = login_ctx.try_(
             |api_config| {
                 default_api::keys_key_id_decrypt_post(
                     api_config,

pkcs11/src/backend/encrypt.rs

@@ -21,11 +21,10 @@ pub struct EncryptCtx {
     pub mechanism: Mechanism,
     pub key_id: String,
     pub data: Vec<u8>,
-    login_ctx: LoginCtx,
 }
 
 impl EncryptCtx {
-    pub fn init(mechanism: Mechanism, key: &Object, login_ctx: LoginCtx) -> Result<Self, Error> {
+    pub fn init(mechanism: Mechanism, key: &Object, login_ctx: &LoginCtx) -> Result<Self, Error> {
         if !login_ctx.can_run_mode(crate::backend::login::UserMode::Operator) {
             return Err(Error::NotLoggedIn(login::UserMode::Operator));
         }
@@ -56,7 +55,6 @@ impl EncryptCtx {
             mechanism,
             key_id: key.id.clone(),
             data: Vec::new(),
-            login_ctx,
         })
     }
 
@@ -70,7 +68,7 @@ impl EncryptCtx {
         full_blocks * ENCRYPT_BLOCK_SIZE
     }
 
-    pub fn encrypt_available_data(&mut self) -> Result<Vec<u8>, Error> {
+    pub fn encrypt_available_data(&mut self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
         let chunk_size = self.get_biggest_chunk_len();
 
         // if there is no data to encrypt, return an empty vector
@@ -81,18 +79,13 @@ impl EncryptCtx {
         // drain the data to encrypt from the data vector
 
         let input_data = self.data.drain(..chunk_size).collect::<Vec<u8>>();
-        encrypt_data(
-            &self.key_id,
-            self.login_ctx.clone(),
-            &input_data,
-            &self.mechanism,
-        )
+        encrypt_data(&self.key_id, login_ctx, &input_data, &self.mechanism)
     }
 
-    pub fn encrypt_final(&self) -> Result<Vec<u8>, Error> {
+    pub fn encrypt_final(&self, login_ctx: &LoginCtx) -> Result<Vec<u8>, Error> {
         encrypt_data(
             &self.key_id,
-            self.login_ctx.clone(),
+            login_ctx,
             self.data.as_slice(),
             &self.mechanism,
         )
@@ -101,7 +94,7 @@ impl EncryptCtx {
 
 fn encrypt_data(
     key_id: &str,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
     data: &[u8],
     mechanism: &Mechanism,
 ) -> Result<Vec<u8>, Error> {
@@ -134,15 +127,15 @@ fn encrypt_data(
             login::UserMode::Operator,
         )
         .map_err(|err| {
-            if let ApiError::ResponseError(ref resp) = err {
+            if let Error::Api(ApiError::ResponseError(ref resp)) = err {
                 if resp.status == 400 {
                     if resp.content.contains("argument length") {
                         return Error::InvalidDataLength;
                     }
                     return Error::InvalidData;
                 }
             }
-            err.into()
+            err
         })?;
 
     Ok(Base64::decode_vec(&output.entity.encrypted)?)

pkcs11/src/backend/events.rs

@@ -42,7 +42,7 @@ pub fn fetch_slots_state() -> Result<(), cryptoki_sys::CK_RV> {
     };
 
     for (index, slot) in device.slots.iter().enumerate() {
-        let mut login_ctx = LoginCtx::new(None, None, slot.instances.clone(), slot.retries);
+        let login_ctx = LoginCtx::new(slot.clone(), false, false);
         let status = login_ctx
             .try_(default_api::health_state_get, super::login::UserMode::Guest)
             .map(|state| state.entity.state == SystemState::Operational)

pkcs11/src/backend/key.rs

@@ -154,7 +154,7 @@ pub fn parse_attributes(template: &CkRawAttrTemplate) -> Result<ParsedAttributes
 
 fn upload_certificate(
     parsed_template: &ParsedAttributes,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
 ) -> Result<(String, ObjectKind, Option<Vec<u8>>), Error> {
     let cert = parsed_template
         .value
@@ -196,7 +196,7 @@ fn upload_certificate(
 
 pub fn create_key_from_template(
     template: CkRawAttrTemplate,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
 ) -> Result<(String, ObjectKind, Option<Vec<u8>>), Error> {
     let parsed = parse_attributes(&template)?;
 
@@ -415,7 +415,7 @@ pub fn generate_key_from_template(
     template: &CkRawAttrTemplate,
     public_template: Option<&CkRawAttrTemplate>,
     mechanism: &Mechanism,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
     db: &Mutex<db::Db>,
 ) -> Result<Vec<(CK_OBJECT_HANDLE, Object)>, Error> {
     let parsed = parse_attributes(template)?;
@@ -462,7 +462,7 @@ pub fn generate_key_from_template(
 fn fetch_one_key(
     key_id: &str,
     raw_id: Option<Vec<u8>>,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
 ) -> Result<Vec<Object>, Error> {
     if !login_ctx.can_run_mode(super::login::UserMode::OperatorOrAdministrator) {
         return Err(Error::NotLoggedIn(
@@ -479,11 +479,14 @@ fn fetch_one_key(
             debug!("Failed to fetch key {}: {:?}", key_id, err);
             if matches!(
                 err,
-                ApiError::ResponseError(backend::ResponseContent { status: 404, .. })
+                Error::Api(ApiError::ResponseError(backend::ResponseContent {
+                    status: 404,
+                    ..
+                }))
             ) {
                 return Ok(vec![]);
             }
-            return Err(err.into());
+            return Err(err);
         }
     };
 
@@ -496,7 +499,7 @@ fn fetch_one_key(
 pub fn fetch_key(
     key_id: &str,
     raw_id: Option<Vec<u8>>,
-    login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
     db: &Mutex<db::Db>,
 ) -> Result<Vec<(CK_OBJECT_HANDLE, Object)>, Error> {
     let objects = fetch_one_key(key_id, raw_id, login_ctx)?;
@@ -509,7 +512,7 @@ pub fn fetch_key(
 fn fetch_one_certificate(
     key_id: &str,
     raw_id: Option<Vec<u8>>,
-    mut login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
 ) -> Result<Object, Error> {
     if !login_ctx.can_run_mode(super::login::UserMode::OperatorOrAdministrator) {
         return Err(Error::NotLoggedIn(
@@ -530,7 +533,7 @@ fn fetch_one_certificate(
 pub fn fetch_certificate(
     key_id: &str,
     raw_id: Option<Vec<u8>>,
-    login_ctx: LoginCtx,
+    login_ctx: &LoginCtx,
     db: &Mutex<db::Db>,
 ) -> Result<(CK_OBJECT_HANDLE, Object), Error> {
     let object = fetch_one_certificate(key_id, raw_id, login_ctx)?;
@@ -568,12 +571,10 @@ pub fn fetch_one(
             | Some(ObjectKind::PublicKey)
             | Some(ObjectKind::SecretKey)
     ) {
-        let login_ctx = login_ctx.clone();
         acc = fetch_one_key(&key.id, None, login_ctx)?;
     }
 
     if matches!(kind, None | Some(ObjectKind::Certificate)) {
-        let login_ctx = login_ctx.clone();
         match fetch_one_certificate(&key.id, None, login_ctx) {
             Ok(cert) => acc.push(cert),
             Err(err) => {