Diffstat (limited to 'p11-kit')
-rw-r--r-- | p11-kit/modules.c | 48 | ||||
-rw-r--r-- | p11-kit/p11-kit.h | 1 | ||||
-rw-r--r-- | p11-kit/tests/files/package-modules/four.module | 3 | ||||
-rw-r--r-- | p11-kit/tests/files/system-modules/one.module | 3 | ||||
-rw-r--r-- | p11-kit/tests/test-modules.c | 50 |
5 files changed, 86 insertions, 19 deletions
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index ef8cea6..43ace18 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -1126,6 +1126,21 @@ p11_kit_module_get_name (CK_FUNCTION_LIST *module)
 return name;
 }
+static const char *
+module_get_option_inlock (Module *mod,
+ const char *option)
+{
+ p11_dict *config;
+
+ if (mod == NULL)
+ config = gl.config;
+ else
+ config = mod->config;
+ if (config == NULL)
+ return NULL;
+ return p11_dict_get (config, option);
+}
+
 /**
 * p11_kit_module_get_flags:
 * @module: the module
@@ -1145,6 +1160,7 @@ p11_kit_module_get_name (CK_FUNCTION_LIST *module)
 int
 p11_kit_module_get_flags (CK_FUNCTION_LIST *module)
 {
+ const char *trusted;
 Module *mod;
 int flags = 0;
@@ -1165,6 +1181,11 @@ p11_kit_module_get_flags (CK_FUNCTION_LIST *module)
 }
 if (!mod || mod->critical)
 flags |= P11_KIT_MODULE_CRITICAL;
+ if (mod) {
+ trusted = module_get_option_inlock (mod, "trust-policy");
+ if (_p11_conf_parse_boolean (trusted, false))
+ flags |= P11_KIT_MODULE_TRUSTED;
+ }
 }
 p11_unlock ();
@@ -1265,21 +1286,6 @@ p11_kit_module_for_name (CK_FUNCTION_LIST **modules,
 return ret;
 }
-static const char *
-module_get_option_inlock (Module *mod,
- const char *option)
-{
- p11_dict *config;
-
- if (mod == NULL)
- config = gl.config;
- else
- config = mod->config;
- if (config == NULL)
- return NULL;
- return p11_dict_get (config, option);
-}
-
 /**
 * p11_kit_registered_option:
 * @module: a pointer to a registered module
@@ -1735,12 +1741,19 @@ prepare_module_inlock_reentrant (Module *mod,
 CK_FUNCTION_LIST **module)
 {
 p11_destroyer destroyer;
+ const char *trusted;
 p11_virtual *virt;
 bool is_managed;
 bool with_log;
 assert (module != NULL);
+ if (flags & P11_KIT_MODULE_TRUSTED) {
+ trusted = module_get_option_inlock (mod, "trust-policy");
+ if (!_p11_conf_parse_boolean (trusted, false))
+ return CKR_FUNCTION_NOT_SUPPORTED;
+ }
+
 if (flags & P11_KIT_MODULE_UNMANAGED) {
 is_managed = false;
 with_log = false;
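Review bot: The `trust-policy` lookup added to p11_kit_module_get_flags (hunk @@ -1165) is written out a second time in prepare_module_inlock_reentrant (hunk @@ -1735), so the option name and its `false` default live in two places. One site reports the flag and the other enforces it, so they should not be able to drift apart. A static helper beside module_get_option_inlock, `static bool module_is_trust_policy_inlock (Module *mod)`, returning `_p11_conf_parse_boolean (module_get_option_inlock (mod, "trust-policy"), false)`, would serve both. Both functions begin and end outside their hunks.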
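Review bot: In prepare_module_inlock_reentrant (hunk @@ -1735) the P11_KIT_MODULE_TRUSTED filter rests entirely on a `trust-policy` key in the module's config dict, and nothing in the new code says which configuration sources are allowed to set it. Where mod->config is populated is not visible in this diff; if per-user module files can contribute to it, any user-writable config can mark a module as a trust-policy source for callers that rely on this flag. I would add a comment above the check, e.g. `/* trust-policy comes from module config only; the module itself is not verified */`, and confirm that this is the intended trust boundary. Unlike p11_kit_module_get_flags, this call site has no `if (mod)` guard, and module_get_option_inlock falls back to gl.config when mod is NULL. The function continues past the hunk.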
@@ -1821,7 +1834,9 @@ p11_modules_load_inlock_reentrant (int flags,
 rv = prepare_module_inlock_reentrant (mod, flags, modules + at);
 if (rv == CKR_OK)
 at++;
- else if (rv != CKR_FUNCTION_NOT_SUPPORTED)
+ else if (rv == CKR_FUNCTION_NOT_SUPPORTED)
+ rv = CKR_OK;
+ else
 break;
 }
@@ -2301,7 +2316,6 @@ p11_kit_module_load (const char *module_path,
 rv = load_module_from_file_inlock (NULL, module_path, &mod);
 if (rv == CKR_OK) {
-
 /* WARNING: Reentrancy can occur here */
 rv = prepare_module_inlock_reentrant (mod, flags, &module);
 if (rv != CKR_OK)
diff --git a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
index a07bf40..d5f0bd9 100644
--- a/p11-kit/p11-kit.h
+++ b/p11-kit/p11-kit.h
@@ -56,6 +56,7 @@ extern "C" {
 enum {
 P11_KIT_MODULE_UNMANAGED = 1 << 0,
 P11_KIT_MODULE_CRITICAL = 1 << 1,
+ P11_KIT_MODULE_TRUSTED = 1 << 2,
 };
 typedef void (* p11_kit_destroyer) (void *data);
diff --git a/p11-kit/tests/files/package-modules/four.module b/p11-kit/tests/files/package-modules/four.module
index 545c285..933af2b 100644
--- a/p11-kit/tests/files/package-modules/four.module
+++ b/p11-kit/tests/files/package-modules/four.module
@@ -1,4 +1,5 @@
 module: mock-four.so
 disable-in: test-disable, test-other
-priority: 4
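Review bot: With CKR_FUNCTION_NOT_SUPPORTED now rewritten to CKR_OK in the loop of p11_modules_load_inlock_reentrant (hunk @@ -1821), a P11_KIT_MODULE_TRUSTED load that matches no module appears to finish successfully with an empty list. That is a reasonable fail-closed result, but it is silent, and the same return code covers every other reason prepare_module_inlock_reentrant may decline a module. A comment on the new branch such as `/* module skipped (e.g. not trust-policy); not an error, the list may end up empty */` would tell callers that build trust anchors from this list that they must handle the empty case. The loop and the handling of rv after it lie outside the hunk.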
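Review bot: P11_KIT_MODULE_TRUSTED enters the public enum in p11-kit.h with no description, and the name suggests the module has been vetted when the code in modules.c only checks its `trust-policy` option. A short comment on the enumerator, `/* module is configured as a trust policy source (trust-policy: yes) */`, would prevent that reading. The gtk-doc block of p11_kit_module_get_flags sits between the @@ -1126 and @@ -1145 hunks of modules.c and is not touched by this commit, so the flag is presumably missing from the documented flag list as well.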
\ No newline at end of file
+priority: 4
+trust-policy: no
\ No newline at end of file
diff --git a/p11-kit/tests/files/system-modules/one.module b/p11-kit/tests/files/system-modules/one.module
index 3620869..15cb7f2 100644
--- a/p11-kit/tests/files/system-modules/one.module
+++ b/p11-kit/tests/files/system-modules/one.module
@@ -1,3 +1,4 @@
 module: mock-one.so
-setting: system1
\ No newline at end of file
+setting: system1
+trust-policy: yes
\ No newline at end of file
diff --git a/p11-kit/tests/test-modules.c b/p11-kit/tests/test-modules.c
index d50b2d5..f274502 100644
--- a/p11-kit/tests/test-modules.c
+++ b/p11-kit/tests/test-modules.c
@@ -307,6 +307,54 @@ test_module_flags (void)
 }
 static void
+test_module_trusted_only (void)
+{
+ CK_FUNCTION_LIST_PTR_PTR modules;
+ char *name;
+
+ modules = p11_kit_modules_load_and_initialize (P11_KIT_MODULE_TRUSTED);
+ assert_ptr_not_null (modules);
+ assert_ptr_not_null (modules[0]);
+ assert (modules[1] == NULL);
+
+ name = p11_kit_module_get_name (modules[0]);
+ assert_str_eq (name, "one");
+ free (name);
+
+ assert_num_eq (p11_kit_module_get_flags (modules[0]), P11_KIT_MODULE_TRUSTED);
+
+ finalize_and_free_modules (modules);
+}
+
+static void
+test_module_trust_flags (void)
+{
+ CK_FUNCTION_LIST_PTR_PTR modules;
+ char *name;
+ int flags;
+ int i;
+
+ modules = initialize_and_get_modules ();
+ assert_ptr_not_null (modules);
+
+ for (i = 0; modules[i] != NULL; i++) {
+ name = p11_kit_module_get_name (modules[i]);
+ assert_ptr_not_null (name);
+
+ flags = p11_kit_module_get_flags (modules[i]);
+ if (strcmp (name, "one") == 0) {
+ assert_num_eq (flags, P11_KIT_MODULE_TRUSTED);
+ } else {
+ assert_num_eq (flags, 0);
+ }
+
+ free (name);
+ }
+
+ finalize_and_free_modules (modules);
+}
+
+static void
 test_config_option (void)
 {
 CK_FUNCTION_LIST_PTR_PTR modules;
@@ -358,6 +406,8 @@ main (int argc,
 p11_test (test_module_name, "/modules/test_module_name");
 p11_test (test_module_flags, "/modules/test_module_flags");
 p11_test (test_config_option, "/modules/test_config_option");
+ p11_test (test_module_trusted_only, "/modules/trusted-only");
+ p11_test (test_module_trust_flags, "/modules/trust-flags");
 p11_kit_be_quiet (); |
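Review bot: The two new tests in test-modules.c only reach the filter through the registered-module loaders; p11_kit_module_load, which passes the same flags to prepare_module_inlock_reentrant, is never called with P11_KIT_MODULE_TRUSTED. A test that loads a single module by path with the flag set and asserts the expected refusal would pin down the behaviour for modules that have no `trust-policy` setting. In test_module_trusted_only, `name` also goes to assert_str_eq without the `assert_ptr_not_null (name);` that test_module_trust_flags performs.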