summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStef Walter <stefw@collabora.co.uk>2011-08-30 21:17:41 +0200
committerStef Walter <stefw@collabora.co.uk>2011-08-30 21:17:41 +0200
commit21b64c68e6a5ffcae50f3561f6dec6ee943a006f (patch)
tree1955ce851df90b88ec163acf30a37d75fe0a2484
parent25512ca5a03d723a84d6de67a7036188d08ec21b (diff)
Add 'critical' setting for modules
* When a module has critical set to 'yes', and that module fails to init then it aborts the entire init process. * Defaults to 'no'
-rw-r--r--doc/p11-kit-config.xml24
-rw-r--r--p11-kit/conf.c18
-rw-r--r--p11-kit/conf.h3
-rw-r--r--p11-kit/modules.c7
4 files changed, 49 insertions, 3 deletions
diff --git a/doc/p11-kit-config.xml b/doc/p11-kit-config.xml
index 89ba7e7..76b3fa2 100644
--- a/doc/p11-kit-config.xml
+++ b/doc/p11-kit-config.xml
@@ -43,6 +43,10 @@ user-config: merge
# This setting controls the actual module library to load. This config file might
# be installed by the package that installs this module library.
module: /usr/lib/my-pkcs11-module.so
+
+# This controls whether the module is required to successfully initialize. If 'yes', then
+# a failure to load or initialize this module will result in a p11-kit system failure.
+critical: no
</programlisting>
<para>User configuration file: <literal>~/.pkcs11/pkcs11.conf</literal></para>
@@ -63,6 +67,7 @@ module: /home/user/src/custom-module/my-module.so
# some custom non-standard initialization arguments, as NSS expects.
module: /usr/lib/libsoftokn3.so
x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db'
+critical: yes
</programlisting>
@@ -113,8 +118,23 @@ x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='
<variablelist>
<varlistentry>
<term>module:</term>
- <listitem><para>The absolute path to the PKCS#11 module to load.
- This should include an extension like <literal>.so</literal></para></listitem>
+ <listitem>
+ <para>The absolute path to the PKCS#11 module to load.
+ This should include an extension like <literal>.so</literal></para>
+ <para>If this value is blank, then the module will be ignored.
+ This can be used in the user configs to override loading of a module
+ specified in the system configuration.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>critical:</term>
+ <listitem>
+ <para>Set to <literal>yes</literal> if the module is critical and
+ required to load. If a critical module fails to load or initialize,
+ then the loading process for all registered modules will abort and
+ return an error code.</para>
+ <para>This argument is optional and defaults to <literal>no</literal>.</para>
+ </listitem>
</varlistentry>
</variablelist>
diff --git a/p11-kit/conf.c b/p11-kit/conf.c
index 55e0268..1e2d880 100644
--- a/p11-kit/conf.c
+++ b/p11-kit/conf.c
@@ -608,3 +608,21 @@ _p11_conf_load_modules (int mode, const char *system_dir, const char *user_dir)
return configs;
}
+
+int
+_p11_conf_parse_boolean (const char *string,
+ int default_value)
+{
+ if (!string)
+ return default_value;
+
+ if (strcmp (string, "yes") == 0) {
+ return 1;
+ } else if (strcmp (string, "no") == 0) {
+ return 0;
+ } else {
+ _p11_message ("invalid setting '%s' defaulting to '%s'",
+ default_value ? "yes" : "no");
+ return default_value;
+ }
+}
diff --git a/p11-kit/conf.h b/p11-kit/conf.h
index dccaebf..30f078d 100644
--- a/p11-kit/conf.h
+++ b/p11-kit/conf.h
@@ -66,4 +66,7 @@ hashmap * _p11_conf_load_globals (const char *system_conf, const cha
hashmap * _p11_conf_load_modules (int user_mode, const char *system_dir,
const char *user_dir);
+int _p11_conf_parse_boolean (const char *string,
+ int default_value);
+
#endif /* __CONF_H__ */
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index d5dae32..33101fa 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -389,6 +389,7 @@ load_registered_modules_unlocked (void)
hashmap *config;
int mode;
CK_RV rv;
+ int critical;
if (gl.config)
return CKR_OK;
@@ -419,6 +420,9 @@ load_registered_modules_unlocked (void)
if (!hash_steal (configs, key, (void**)&name, (void**)&config))
assert (0 && "not reached");
+ /* Is this a critical module, should abort loading of others? */
+ critical = _p11_conf_parse_boolean (hash_get (config, "critical"), 0);
+
rv = take_config_and_load_module_unlocked (&name, &config);
/*
@@ -428,7 +432,8 @@ load_registered_modules_unlocked (void)
free (name);
hash_free (config);
- if (rv != CKR_OK) {
+ if (critical && rv != CKR_OK) {
+ _p11_message ("aborting initializationg because module '%s' was marked as critical");
hash_free (configs);
return rv;
}