diff options
author | Stef Walter <stefw@collabora.co.uk> | 2011-08-30 21:17:41 +0200 |
---|---|---|
committer | Stef Walter <stefw@collabora.co.uk> | 2011-08-30 21:17:41 +0200 |
commit | 21b64c68e6a5ffcae50f3561f6dec6ee943a006f (patch) | |
tree | 1955ce851df90b88ec163acf30a37d75fe0a2484 | |
parent | 25512ca5a03d723a84d6de67a7036188d08ec21b (diff) |
Add 'critical' setting for modules
* When a module has critical set to 'yes', and that module fails to init
then it aborts the entire init process.
* Defaults to 'no'
-rw-r--r-- | doc/p11-kit-config.xml | 24 | ||||
-rw-r--r-- | p11-kit/conf.c | 18 | ||||
-rw-r--r-- | p11-kit/conf.h | 3 | ||||
-rw-r--r-- | p11-kit/modules.c | 7 |
4 files changed, 49 insertions, 3 deletions
diff --git a/doc/p11-kit-config.xml b/doc/p11-kit-config.xml index 89ba7e7..76b3fa2 100644 --- a/doc/p11-kit-config.xml +++ b/doc/p11-kit-config.xml @@ -43,6 +43,10 @@ user-config: merge # This setting controls the actual module library to load. This config file might # be installed by the package that installs this module library. module: /usr/lib/my-pkcs11-module.so + +# This controls whether the module is required to successfully initialize. If 'yes', then +# a failure to load or initialize this module will result in a p11-kit system failure. +critical: no </programlisting> <para>User configuration file: <literal>~/.pkcs11/pkcs11.conf</literal></para> @@ -63,6 +67,7 @@ module: /home/user/src/custom-module/my-module.so # some custom non-standard initialization arguments, as NSS expects. module: /usr/lib/libsoftokn3.so x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db' +critical: yes </programlisting> @@ -113,8 +118,23 @@ x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix=' <variablelist> <varlistentry> <term>module:</term> - <listitem><para>The absolute path to the PKCS#11 module to load. - This should include an extension like <literal>.so</literal></para></listitem> + <listitem> + <para>The absolute path to the PKCS#11 module to load. + This should include an extension like <literal>.so</literal></para> + <para>If this value is blank, then the module will be ignored. + This can be used in the user configs to override loading of a module + specified in the system configuration.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>critical:</term> + <listitem> + <para>Set to <literal>yes</literal> if the module is critical and + required to load. If a critical module fails to load or initialize, + then the loading process for all registered modules will abort and + return an error code.</para> + <para>This argument is optional and defaults to <literal>no</literal>.</para> + </listitem> </varlistentry> </variablelist> diff --git a/p11-kit/conf.c b/p11-kit/conf.c index 55e0268..1e2d880 100644 --- a/p11-kit/conf.c +++ b/p11-kit/conf.c @@ -608,3 +608,21 @@ _p11_conf_load_modules (int mode, const char *system_dir, const char *user_dir) return configs; } + +int +_p11_conf_parse_boolean (const char *string, + int default_value) +{ + if (!string) + return default_value; + + if (strcmp (string, "yes") == 0) { + return 1; + } else if (strcmp (string, "no") == 0) { + return 0; + } else { + _p11_message ("invalid setting '%s' defaulting to '%s'", + default_value ? "yes" : "no"); + return default_value; + } +} diff --git a/p11-kit/conf.h b/p11-kit/conf.h index dccaebf..30f078d 100644 --- a/p11-kit/conf.h +++ b/p11-kit/conf.h @@ -66,4 +66,7 @@ hashmap * _p11_conf_load_globals (const char *system_conf, const cha hashmap * _p11_conf_load_modules (int user_mode, const char *system_dir, const char *user_dir); +int _p11_conf_parse_boolean (const char *string, + int default_value); + #endif /* __CONF_H__ */ diff --git a/p11-kit/modules.c b/p11-kit/modules.c index d5dae32..33101fa 100644 --- a/p11-kit/modules.c +++ b/p11-kit/modules.c @@ -389,6 +389,7 @@ load_registered_modules_unlocked (void) hashmap *config; int mode; CK_RV rv; + int critical; if (gl.config) return CKR_OK; @@ -419,6 +420,9 @@ load_registered_modules_unlocked (void) if (!hash_steal (configs, key, (void**)&name, (void**)&config)) assert (0 && "not reached"); + /* Is this a critical module, should abort loading of others? */ + critical = _p11_conf_parse_boolean (hash_get (config, "critical"), 0); + rv = take_config_and_load_module_unlocked (&name, &config); /* @@ -428,7 +432,8 @@ load_registered_modules_unlocked (void) free (name); hash_free (config); - if (rv != CKR_OK) { + if (critical && rv != CKR_OK) { + _p11_message ("aborting initializationg because module '%s' was marked as critical"); hash_free (configs); return rv; } |