| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This adds a new tool to the p11-kit command called 'server', which
allows us to access a PKCS#11 module over a Unix domain socket.
Internally, it is implemented as a wrapper around 'p11-kit remote'.
Upon connection it executes 'p11-kit remote' in a forked process.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This adds p11_path_{encode,decode}(), following the escaping rule
described in:
https://dbus.freedesktop.org/doc/dbus-specification.html#addresses
Although they are merely a wrapper around p11_url_{decode,encode}(),
having dedicated functions hides the implementation details.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Synchronize the fixture module to the non-Unix one and enable
"/modules/test_filename".
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
On Windows, use _spawnv() to create a subprocess and two unidirectional
pipe created with _pipe() to communicate with it. If we can assume
WinSock, it might be simpler to use a socketpair() replacement from:
https://github.com/ncm/selectable-socketpair.
|
| |
|
|
| |
Append EXEEXT or SHLEXT to the filename if needed.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Don't append the backslash character twice to the output. It is
interpolated a few lines below, if it is really required.
|
| | |
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=99600
|
| |
|
|
|
| |
See also NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
and p11-kit bug https://bugs.freedesktop.org/show_bug.cgi?id=99453
|
| |
|
|
|
| |
Follow-up fix for commit 4d228aa0, which forgot to clear
p11_virtual_mutex on library finalization.
|
| |
|
|
|
|
|
|
|
| |
We used to provide p11_virtual_fixed_{,un}init() to only initialize a
mutex used in virtual.c. That required all the tests calling virtual
functions to call p11_virtual_fixed_{,un}init() in main().
For simplicity, move the mutex variable initialization into
p11_library_init().
|
| |
|
|
|
|
|
|
| |
Since commit f4384a40, due to a missing ex->flags setting, the 'trust
extract' command didn't retrieve correlation between related objects and
that was causing assertion failure when writing PEM files.
https://bugs.freedesktop.org/show_bug.cgi?id=99795
|
| | |
|
| |
|
|
|
|
|
|
|
| |
While PKCS#11 URI can identify slots/tokens/modules, P11KitIter is only
capable of iterating over objects.
This patch adds new behaviors to P11KitIter to support iterations over
slots/tokens/modules, using the C coroutine trick as described in:
http://www.chiark.greenend.org.uk/~sgtatham/coroutines.html
|
| |
|
|
|
|
|
|
|
|
|
|
| |
While 'pin-source' and 'pin-value' are defined as query atttribute, they
were defined as path attribute in earlier drafts, and some
implementations still stick to it.
For backward compatibility, accept those in path attributes when
parsing (but not when formatting).
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-January/000637.html
|
| |
|
|
|
|
|
|
|
|
|
| |
This dumps all the PKCS#11 objects in the internal .p11-kit
persistence format.
This is part of the trust command and tooling, even though
at some point it could go in the p11-kit command. The reason
for this is that the code related to the internal .p11-kit
objects is in the trust code, and consumed solely by the
trust related modules.
|
| |
|
|
|
| |
These should not be encoded by default for readability in
strings.
|
| | |
|
| |
|
|
|
| |
This is so that the code can be shared by the upcoming 'trust dump'
command where correlation between related objects is not desired.
|
| |
|
|
|
| |
We load all known attributes for each object we're enumerating
over in the 'trust list' and 'trust extract' commands.
|
| |
|
|
|
| |
Add proper inclusion guard to virtual-fixed.h and move the declarations
of the (un)initialization functions there.
|
| |
|
|
|
| |
To prevent leaks of fixed closures, p11_kit_module_release() needs to be
called on the mock module itself.
|
| | |
|
| |
|
|
|
|
|
|
| |
libffi's closure support is not available on all platforms and may fail
at run time if running under a stricter SELinux policy. Fallback to
pre-compiled closures if it is not usable.
https://bugs.freedesktop.org/show_bug.cgi?id=97611
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* common/compat.c: Fix "implicit declaration of function 'issetugid'"
warning. On FreeBSD, it's required to define __BSD_VISIBLE to make
issetugid(2) visible
* common/test-message.c: Fix "implicit declaration of function
'asprintf'" by including <stdio.h>
* p11-kit/test-iter.c: Fix "format '%lu' expects argument of
type 'long unsigned int', but argument 3 has type 'int'" by
changing format string to "%d"
|
| |
|
|
|
|
| |
This allows daemons outside user's session to use per-user PKCS#11
modules. Useful for letting VPN daemons or wpa_supplicant use
certificates stored in user's GNOME keyring, etc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows us to do nested locking within one thread avoiding a lockup
when remoting the p11-kit-proxy.so module:
#0 0x00007f190f35838d in __lll_lock_wait () from /lib64/libpthread.so.0
#1 0x00007f190f351e4d in pthread_mutex_lock () from /lib64/libpthread.so.0
#2 0x00007f190f98657f in C_GetFunctionList (list=0x7ffe7ec3f798) at p11-kit/proxy.c:2355
#3 0x00007f190f993cc9 in dlopen_and_get_function_list (funcs=0x7ffe7ec3f798, path=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", mod=0x249e3d0) at p11-kit/modules.c:337
#4 load_module_from_file_inlock (name=name@entry=0x0, path=path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", result=result@entry=0x7ffe7ec3f7e8) at p11-kit/modules.c:382
#5 0x00007f190f99587f in p11_kit_module_load (module_path=module_path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", flags=flags@entry=0) at p11-kit/modules.c:2427
#6 0x0000000000401c4b in serve_module_from_file (file=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so") at p11-kit/remote.c:105
#7 main (argc=1, argv=<optimized out>) at p11-kit/remote.c:169
The Windows NT mutex is aready recursive by default.
|
| |
|
|
|
| |
Accept and produce 'module-name' and 'module-path' query attributes
defined in RFC 7512.
|
| |
|
|
|
|
|
|
|
| |
Like memcpy(), the 'void *' argument of p11_buffer_add() points to the
memory area ordered in host's endianness. Add typecast of int->char to
avoid the confusion.
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-January/000633.html
|
| |
|
|
| |
Put the pin-* attributes where they belong: to the query part.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The pin-* attributes belong to the query part. We should not parse them
until we see a '?' and they're separated with a '&'.
This might be an important thing -- some of the query attributes may
have security implications reaching outside scope of the token itself, to the
host system itself. E.g. a pin-source may cause the consumer to access a file
or module-path (unimplemented) execute code. The user may want to just chop the
attribute part off if they want the consumer access the token and not take the
security considerations into account.
|
| |
|
|
|
|
|
|
|
|
| |
- Current command for creation of the p11-kit-proxy symlink
uses shell brace expansion that isn't supported by all
the shells (e.g. FreeBSD's /bin/sh does not support that).
Replace it with the old-fashioned 'for' loop
- Match extension of the source and the target, i.e. so links
to so, dylib links to dylib (previously dylib linked to so)
- Add an uninstall-local target to clean up the symlink
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Otherwise the file is left in builddir, after make distclean.
|
| |
|
|
|
| |
Since $privatedir expands to "${libexecdir}/p11-kit", $libexecdir must
be substituted in the script beforehand.
|
