author | Stef Walter <stefw@gnome.org> | 2012-09-18 16:26:06 +0200 |
---|---|---|
committer | Stef Walter <stefw@gnome.org> | 2012-09-18 16:37:20 +0200 |
commit | b5de8e1d514794f6ec3e8d79a766a9dae9eab6ea (patch) | |
tree | 7e0cb56c1286cbb0e413f78ce730c457f4f32b4a | |
parent | 3e82c6182d913a3fd5cf904342a9a6fa44aef0d6 (diff) |
Refuse to load the p11-kit-proxy.so as a registered module
* Since p11-kit-proxy.so is a symlink to the libp11-kit.so library
we check that we are not calling into our known CK_FUNCTION_LIST
for the proxy code.
* Although such a configuration is invalid, detecting this directly
prevents strange initialization loop issues that are hard to debug.
https://bugs.freedesktop.org/show_bug.cgi?id=55052
-rw-r--r-- | p11-kit/modules.c | 14 | ||||
-rw-r--r-- | p11-kit/private.h | 1 | ||||
-rw-r--r-- | p11-kit/proxy.c | 7 |
3 files changed, 13 insertions, 9 deletions
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index 9dc3a3a..a4ffc43 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -553,13 +553,19 @@ initialize_module_unlocked_reentrant (Module *mod)
 _p11_unlock ();
 if (!mod->initialize_called) {
+ assert (mod->funcs);
- _p11_debug ("C_Initialize: calling");
+ if (mod->funcs == &_p11_proxy_function_list) {
+ _p11_message ("refusing to load the p11-kit-proxy.so module as a registered module");
+ rv = CKR_FUNCTION_FAILED;
- assert (mod->funcs);
- rv = mod->funcs->C_Initialize (&mod->init_args);
+ } else {
+ _p11_debug ("C_Initialize: calling");
- _p11_debug ("C_Initialize: result: %lu", rv);
+ rv = mod->funcs->C_Initialize (&mod->init_args);
+
+ _p11_debug ("C_Initialize: result: %lu", rv);
+ }
 /* Module was initialized and C_Finalize should be called */
 if (rv == CKR_OK)
diff --git a/p11-kit/private.h b/p11-kit/private.h
index f2cd181..61cd142 100644
--- a/p11-kit/private.h
+++ b/p11-kit/private.h
@@ -73,6 +73,7 @@ extern pthread_once_t _p11_once;
 #endif /* !OS_WIN32 */
+extern CK_FUNCTION_LIST _p11_proxy_function_list;
 void _p11_library_init (void);
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index bae25d3..a4b947a 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -69,9 +69,6 @@ typedef struct _Session {
 CK_SLOT_ID wrap_slot;
 } Session;
-/* Forward declaration */
-static CK_FUNCTION_LIST proxy_function_list;
-
 /*
 * Shared data between threads, protected by the mutex, a structure so
 * we can audit thread safety easier.
@@ -365,7 +362,7 @@ proxy_C_GetFunctionList (CK_FUNCTION_LIST_PTR_PTR list)
 /* Can be called before C_Initialize */
 return_val_if_fail (list != NULL, CKR_ARGUMENTS_BAD);
- *list = &proxy_function_list;
+ *list = &_p11_proxy_function_list;
 return CKR_OK;
 }
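Review bot: The new guard in initialize_module_unlocked_reentrant (p11-kit/modules.c) recognises the proxy only by comparing `mod->funcs` with the address of this library's own `_p11_proxy_function_list`. That presumably covers the symlink case the commit message describes, but a separately loaded copy of the proxy code would have its function list at a different address and would not be refused. A comment recording that limit would help, e.g. `/* Catches only the proxy from this same loaded library; a copied p11-kit-proxy.so has its own function list */`. The message also does not say which registered module was refused; if `Module` carries a name or path (not visible in this hunk), including it would make the misconfiguration easier to locate. The function's body starts and ends outside the hunk.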
@@ -1312,7 +1309,7 @@ proxy_C_GenerateRandom (CK_SESSION_HANDLE handle, CK_BYTE_PTR random_data,
 * MODULE ENTRY POINT
 */
-static CK_FUNCTION_LIST proxy_function_list = {
+CK_FUNCTION_LIST _p11_proxy_function_list = {
 { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR }, /* version */
 proxy_C_Initialize,
 proxy_C_Finalize, |
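Review bot: Dropping `static` from `_p11_proxy_function_list` in p11-kit/proxy.c, with the matching `extern` in private.h, gives a writable table of function pointers external linkage. Whether it then appears in the shared library's dynamic symbol table depends on the build's export rules, which are not visible here. It is worth confirming that `_p11_`-prefixed symbols are excluded from the exports, or giving the declaration hidden visibility, so that nothing else in the process can bind to or interpose the table. A short comment on the definition such as `/* Non-static only so modules.c can compare against it; not part of the public ABI */` would record the intent. The initializer continues past the end of the hunk.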