summaryrefslogtreecommitdiff
path: root/trust
diff options
context:
space:
mode:
authorDaiki Ueno <dueno@redhat.com>2019-02-18 14:53:49 +0100
committerDaiki Ueno <ueno@gnu.org>2019-02-18 16:09:45 +0100
commite2170b295992cb7fdf115227a78028ac3780619f (patch)
tree50548db3e4def3ead3d466e2cb63b0ba637b71f1 /trust
parent2a474e1fe8f4bd8b4ed7622e5cf3b2718a202562 (diff)
trust: Ignore unreadable content in anchors
This amends eb503f3a1467f21a5ecc9ae84ae23b216afc102f. Instead of failing C_FindObjectsInit, treat any errors internally and accumulates the successfully loaded certificates. Reported by Andrej Kvasnica in: https://bugzilla.redhat.com/show_bug.cgi?id=1675441
Diffstat (limited to 'trust')
-rw-r--r--trust/module.c3
-rw-r--r--trust/test-module.c77
-rw-r--r--trust/token.c23
3 files changed, 88 insertions, 15 deletions
diff --git a/trust/module.c b/trust/module.c
index 1722340..ec3333d 100644
--- a/trust/module.c
+++ b/trust/module.c
@@ -1198,8 +1198,7 @@ sys_C_FindObjectsInit (CK_SESSION_HANDLE handle,
indices[n++] = session->index;
if (want_token_objects) {
if (!session->loaded)
- if (p11_token_load (session->token) < 0)
- rv = CKR_FUNCTION_FAILED;
+ p11_token_load (session->token);
if (rv == CKR_OK) {
session->loaded = CK_TRUE;
indices[n++] = p11_token_index (session->token);
diff --git a/trust/test-module.c b/trust/test-module.c
index 1e8d812..4024d81 100644
--- a/trust/test-module.c
+++ b/trust/test-module.c
@@ -163,6 +163,80 @@ setup_writable (void *unused)
p11_parser_formats (test.parser, p11_parser_format_persist, NULL);
}
+/* This is similar to setup(), but it adds an unreadable content in
+ * the anchor directory. */
+static void
+setup_unreadable (void *unused)
+{
+ CK_C_INITIALIZE_ARGS args;
+ const char *paths;
+ char *p, *pp, *anchors;
+ FILE *f, *ff;
+ char buffer[4096];
+ char *arguments;
+ CK_ULONG count;
+ CK_RV rv;
+
+ memset (&test, 0, sizeof (test));
+
+ /* This is the entry point of the trust module, linked to this test */
+ rv = C_GetFunctionList (&test.module);
+ assert (rv == CKR_OK);
+
+ test.directory = p11_test_directory ("test-module");
+ anchors = p11_path_build (test.directory, "anchors", NULL);
+#ifdef OS_UNIX
+ if (mkdir (anchors, S_IRWXU) < 0)
+#else
+ if (mkdir (anchors) < 0)
+#endif
+ assert_fail ("mkdir()", anchors);
+
+ p = p11_path_build (anchors, "unreadable", NULL);
+ f = fopen (p, "w");
+ fwrite ("foo", 3, 1, f);
+ fclose (f);
+ chmod (p, 0);
+ free (p);
+
+ pp = p11_path_build (anchors, "thawte", NULL);
+ ff = fopen (pp, "w");
+ f = fopen (SRCDIR "/trust/fixtures/thawte.pem", "r");
+ while (!feof (f)) {
+ size_t size;
+ size = fread (buffer, 1, sizeof (buffer), f);
+ if (ferror (f))
+ assert_fail ("fread()",
+ SRCDIR "/trust/fixtures/thawte.pem");
+ fwrite (buffer, 1, size, ff);
+ if (ferror (ff))
+ assert_fail ("write()", pp);
+ }
+ free (pp);
+ fclose (ff);
+ fclose (f);
+ free (anchors);
+
+ memset (&args, 0, sizeof (args));
+ paths = SRCDIR "/trust/input" P11_PATH_SEP \
+ SRCDIR "/trust/fixtures/self-signed-with-ku.der";
+ if (asprintf (&arguments, "paths='%s%c%s'",
+ paths, P11_PATH_SEP_C, test.directory) < 0)
+ assert (false && "not reached");
+ args.pReserved = arguments;
+ args.flags = CKF_OS_LOCKING_OK;
+
+ rv = test.module->C_Initialize (&args);
+ assert (rv == CKR_OK);
+
+ free (arguments);
+
+ count = NUM_SLOTS;
+ rv = test.module->C_GetSlotList (CK_TRUE, test.slots, &count);
+ assert (rv == CKR_OK);
+ assert (count == NUM_SLOTS);
+}
+
static void
test_get_slot_list (void)
{
@@ -1324,5 +1398,8 @@ main (int argc,
p11_fixture (NULL, NULL);
p11_test (test_token_write_protected, "/module/token-write-protected");
+ p11_fixture (setup_unreadable, teardown);
+ p11_test (test_find_certificates, "/module/unreadable");
+
return p11_test_run (argc, argv);
}
diff --git a/trust/token.c b/trust/token.c
index b91a1d0..8c75d06 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -266,8 +266,8 @@ loader_load_directory (p11_token *token,
return_val_if_fail (path != NULL, -1);
ret = loader_load_if_file (token, path);
- return_val_if_fail (ret >=0, -1);
- total += ret;
+ if (ret >= 0)
+ total += ret;
/* Make note that this file was seen */
p11_dict_remove (present, path);
@@ -328,8 +328,8 @@ loader_load_path (p11_token *token,
p11_dict_iterate (present, &iter);
while (p11_dict_next (&iter, (void **)&filename, NULL)) {
ret = loader_load_if_file (token, filename);
- return_val_if_fail (ret >= 0, ret);
- total += ret;
+ if (ret >= 0)
+ total += ret;
}
}
@@ -377,20 +377,17 @@ p11_token_load (p11_token *token)
int ret;
ret = loader_load_path (token, token->path, &is_dir);
- if (ret < 0)
- return -1;
- total += ret;
+ if (ret >= 0)
+ total += ret;
if (is_dir) {
ret = loader_load_path (token, token->anchors, &is_dir);
- if (ret < 0)
- return -1;
- total += ret;
+ if (ret >= 0)
+ total += ret;
ret = loader_load_path (token, token->blacklist, &is_dir);
- if (ret < 0)
- return -1;
- total += ret;
+ if (ret >= 0)
+ total += ret;
}
return total;