diff options
-rw-r--r-- | doc/p11-kit-config.xml | 24 | ||||
-rw-r--r-- | p11-kit/conf.c | 18 | ||||
-rw-r--r-- | p11-kit/conf.h | 3 | ||||
-rw-r--r-- | p11-kit/modules.c | 7 |
4 files changed, 49 insertions, 3 deletions
diff --git a/doc/p11-kit-config.xml b/doc/p11-kit-config.xml index 89ba7e7..76b3fa2 100644 --- a/doc/p11-kit-config.xml +++ b/doc/p11-kit-config.xml @@ -43,6 +43,10 @@ user-config: merge # This setting controls the actual module library to load. This config file might # be installed by the package that installs this module library. module: /usr/lib/my-pkcs11-module.so + +# This controls whether the module is required to successfully initialize. If 'yes', then +# a failure to load or initialize this module will result in a p11-kit system failure. +critical: no </programlisting> <para>User configuration file: <literal>~/.pkcs11/pkcs11.conf</literal></para> @@ -63,6 +67,7 @@ module: /home/user/src/custom-module/my-module.so # some custom non-standard initialization arguments, as NSS expects. module: /usr/lib/libsoftokn3.so x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db' +critical: yes </programlisting> @@ -113,8 +118,23 @@ x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix=' <variablelist> <varlistentry> <term>module:</term> - <listitem><para>The absolute path to the PKCS#11 module to load. - This should include an extension like <literal>.so</literal></para></listitem> + <listitem> + <para>The absolute path to the PKCS#11 module to load. + This should include an extension like <literal>.so</literal></para> + <para>If this value is blank, then the module will be ignored. + This can be used in the user configs to override loading of a module + specified in the system configuration.</para> + </listitem> + </varlistentry> + <varlistentry> + <term>critical:</term> + <listitem> + <para>Set to <literal>yes</literal> if the module is critical and + required to load. If a critical module fails to load or initialize, + then the loading process for all registered modules will abort and + return an error code.</para> + <para>This argument is optional and defaults to <literal>no</literal>.</para> + </listitem> </varlistentry> </variablelist> diff --git a/p11-kit/conf.c b/p11-kit/conf.c index 55e0268..1e2d880 100644 --- a/p11-kit/conf.c +++ b/p11-kit/conf.c @@ -608,3 +608,21 @@ _p11_conf_load_modules (int mode, const char *system_dir, const char *user_dir) return configs; } + +int +_p11_conf_parse_boolean (const char *string, + int default_value) +{ + if (!string) + return default_value; + + if (strcmp (string, "yes") == 0) { + return 1; + } else if (strcmp (string, "no") == 0) { + return 0; + } else { + _p11_message ("invalid setting '%s' defaulting to '%s'", + default_value ? "yes" : "no"); + return default_value; + } +} diff --git a/p11-kit/conf.h b/p11-kit/conf.h index dccaebf..30f078d 100644 --- a/p11-kit/conf.h +++ b/p11-kit/conf.h @@ -66,4 +66,7 @@ hashmap * _p11_conf_load_globals (const char *system_conf, const cha hashmap * _p11_conf_load_modules (int user_mode, const char *system_dir, const char *user_dir); +int _p11_conf_parse_boolean (const char *string, + int default_value); + #endif /* __CONF_H__ */ diff --git a/p11-kit/modules.c b/p11-kit/modules.c index d5dae32..33101fa 100644 --- a/p11-kit/modules.c +++ b/p11-kit/modules.c @@ -389,6 +389,7 @@ load_registered_modules_unlocked (void) hashmap *config; int mode; CK_RV rv; + int critical; if (gl.config) return CKR_OK; @@ -419,6 +420,9 @@ load_registered_modules_unlocked (void) if (!hash_steal (configs, key, (void**)&name, (void**)&config)) assert (0 && "not reached"); + /* Is this a critical module, should abort loading of others? */ + critical = _p11_conf_parse_boolean (hash_get (config, "critical"), 0); + rv = take_config_and_load_module_unlocked (&name, &config); /* @@ -428,7 +432,8 @@ load_registered_modules_unlocked (void) free (name); hash_free (config); - if (rv != CKR_OK) { + if (critical && rv != CKR_OK) { + _p11_message ("aborting initializationg because module '%s' was marked as critical"); hash_free (configs); return rv; } |