| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Since the libffi became optional (commit 9f632bed), the fallback code
path in proxy.c has never taken.
|
|
|
|
|
|
|
| |
While the proxy module reassigns slot IDs in C_Initialize(), some
applications assume that valid slot IDs should never change across
multiple calls to C_Initialize(). This patch mitigates this by
preserving the slot IDs, if they are known to the proxy module.
|
|
|
|
| |
Spotted by clang-analyzer.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
The coverage tools (gcov, cpp-coveralls, etc) cannot detect source
files if the project is built out-of-tree. Use the same directory for
$srcdir and $builddir for the build with --enable-coverage.
|
| |
|
| |
|
|
|
|
|
|
|
| |
That allows overriding the default module and configuration
locations, for use in test suites, etc.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
| |
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| |
|
|
|
|
|
|
| |
This adds -k, -c, and -s options to the "p11-kit server" command,
which allows you to terminate the server process, select which C-shell
or Bourne shell command line is printed on startup, respectively.
|
|
|
|
|
| |
Previously, calling "eval $(p11-kit server)" from shell hung because
the program didn't properly close stdout before forking.
|
| |
|
| |
|
|
|
|
|
|
| |
It is possible that NULL is given to the serializers, when
C_GetAttributeValue() just wants to know the size of an attribute.
Previously, this resulted in giving NULL to memcpy().
|
|
|
|
|
|
| |
Previously, when "p11-kit server" started only with a token URI, it
couldn't properly find and initialize the module which provides the
token. This was because of the wrong order of cleanup of the modules.
|
|
|
|
|
| |
This was mistakenly removed in commit efe6dc56c.
Pointed by Lars Wendler in issue #97.
|
|
|
|
| |
Fixes issue #95.
|
| |
|
| |
|
|
|
|
|
|
| |
In C_GetFunctionList, state->virt is wrapped with a destroyer function
free(). Thus p11_rpc_transport_free must be called before
p11_virtual_unwrap.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we used p11_dict to keep track of vendor query attributes.
This had a couple of limitations: duplicate attributes are not allowed
while they are actually allowed in RFC 7512, and the order of
attributes is unpredictable.
This patch switches to using an array instead of p11_dict and ensures
that the attributes are sorted in alphabetical order.
Fixes #88.
|
| |
|
|
|
|
|
|
| |
reallocarray is a new POSIX function added in glibc 2.26, with
built-in overflow checks. Take advantage of that function for
internal array allocation.
|
|
|
|
|
| |
The scute project no longer exists, and the PKCS#11 standard is
from OASIS group.
|
| |
|
| |
|
|
|
|
|
| |
This follows the definitions in PKCS#11 v2.40:
http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html
|
|
|
|
|
|
|
|
|
|
| |
The value given to p11_rpc_buffer_add_ulong_value() must be a pointer
of CK_ULONG. Similarly, the value returned from
p11_rpc_buffer_get_ulong_value() must be converted to CK_ULONG before
comparison.
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-July/000665.html
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.
And due to this bit of code in p11-kit, we end up looking for the home
directory for configuration. In this case, `/root`.
It's categorically wrong to do this; the root user is distinct from
"the system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c
Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.
Again, there's no reason to be looking for a home directory for system triggers,
regadless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
|
|
|
|
|
|
|
|
|
| |
Solaris doesn't like it when dlclose is referenced using a define,
resulting in a linker error looking for a symbol version. Simply
calling the function in a normal way (instead of storing its address)
solves this linking error.
The error message seen by GNU ld is:
dlclose: invalid version 7 (max 0)
|
|
|
|
| |
Solaris can retrieve this information via getpeerucred().
|
|
|
|
| |
Solaris has socket() etc. in these two libs.
|
|
|
|
|
|
|
|
|
| |
As p11-kit is a library there are cases where it is not desirable
to log on stderr by default. See for example this report
https://bugzilla.redhat.com/show_bug.cgi?id=1464490
where wget prints an error due to an unconfigured pkcs11 module.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
|
|
|
| |
This reverts commit 6b457ffc, which forbids the use of GNU extension
for the incompatibility of strerror_r. However, now that strerror_l
is used instead on glibc systems, it has no point to do that.
|
| |
|
|
|
|
|
| |
strerror_r is being obsolete in the next POSIX specification:
http://austingroupbugs.net/view.php?id=655
|
| |
|
| |
|
|
|
|
| |
Spotted by clang-analyzer.
|
|
|
|
| |
Spotted by clang-analyzer.
|
|
|
|
| |
Spotted by clang-analyzer.
|
|
|
|
|
| |
This is to disable clang-analyzer against test programs, which can
contain several false-positives.
|
| |
|