summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* filter: Respect CKF_WRITE_PROTECTED setting when allowing a tokenDaiki Ueno2018-02-272-16/+134
|
* test: Add test for client-server interactionDaiki Ueno2018-02-274-3/+213
| | | | | | | The test spawns a process running the server command and connects to it through p11-kit-client.so. It's is a bit tricky that the child process requires to preload libasan.so when ASan is in in effect, to properly load a mock module.
* server: Print envvars even when running in foregroundDaiki Ueno2018-02-271-22/+39
|
* test-transport: Make sure to initialize addrlen given to acceptDaiki Ueno2018-02-271-0/+1
|
* client: Fix memleaks in the moduleDaiki Ueno2018-02-271-3/+9
|
* test: Fix unconditional jump in test-proxy.cDaiki Ueno2018-02-271-0/+1
|
* doc: Replace links to freedesktop.org to github pagesDaiki Ueno2018-02-264-10/+10
|
* trust: Forcibly mark "Default Trust" read-onlyDaiki Ueno2018-02-057-15/+101
| | | | | | | | The "Default Trust" token is typically mounted as $datadir, which is considered as read-only on modern OSes. Suggestd by Kai Engert in: https://bugzilla.redhat.com/show_bug.cgi?id=1523630
* po: Update translations from transifexDaiki Ueno2018-01-3138-447/+1139
|
* build: Add more files to .gitignoreDaiki Ueno2018-01-311-19/+7
|
* travis: Exclude generated files from coverageDaiki Ueno2018-01-311-1/+1
|
* build: Split out generated code from p11-kit/virtual.cDaiki Ueno2018-01-316-199/+51
|
* trust: Filter out duplicate extensionsDaiki Ueno2018-01-315-5/+120
| | | | | | | | | | | | The trust policy module keeps all the objects in the database, while PKIX doesn't allow multiple extensions identified by the same OID can be attached to a certificate. Add a check to C_FindObjects to exclude any duplicates and only return the first matching object. It would be better if the module rejects such duplicates when loading, but it would make startup slower. https://bugzilla.redhat.com/show_bug.cgi?id=1141241
* build: Delay compilation of test-related stuffDaiki Ueno2018-01-304-16/+29
|
* proxy: Remove dead codeDaiki Ueno2018-01-301-708/+0
| | | | | Since the libffi became optional (commit 9f632bed), the fallback code path in proxy.c has never taken.
* proxy: Reuse the existing slot ID mapping after forkDaiki Ueno2018-01-295-4/+122
| | | | | | | While the proxy module reassigns slot IDs in C_Initialize(), some applications assume that valid slot IDs should never change across multiple calls to C_Initialize(). This patch mitigates this by preserving the slot IDs, if they are known to the proxy module.
* server: Avoid null-dereference of timespec value on timeoutDaiki Ueno2018-01-171-1/+2
| | | | Spotted by clang-analyzer.
* Added p11-kit remoting page in manualNikos Mavrogiannopoulos2018-01-053-0/+255
|
* build: Add README.md to display build statusDaiki Ueno2017-12-211-0/+10
|
* travis: Exclude test programs from coverallsDaiki Ueno2017-12-211-1/+1
|
* travis: Supply necessary envvars to container for coverallsDaiki Ueno2017-11-271-1/+1
|
* travis: Use in-tree build for coverageDaiki Ueno2017-11-151-14/+16
| | | | | | The coverage tools (gcov, cpp-coveralls, etc) cannot detect source files if the project is built out-of-tree. Use the same directory for $srcdir and $builddir for the build with --enable-coverage.
* test: Improve code coverage of filter.cDaiki Ueno2017-11-151-0/+67
|
* travis: Use coveralls for measuring coverageDaiki Ueno2017-11-151-1/+5
|
* p11_kit_override_system_files: introduced new functionNikos Mavrogiannopoulos2017-11-013-5/+59
| | | | | | | That allows overriding the default module and configuration locations, for use in test suites, etc. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* p11_kit_modules_load*: enhanced documentation on flagsNikos Mavrogiannopoulos2017-10-311-0/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* build: Take advantage of parallel-testsDaiki Ueno2017-10-063-2/+6
|
* server: Better shell integrationDaiki Ueno2017-10-064-20/+152
| | | | | | This adds -k, -c, and -s options to the "p11-kit server" command, which allows you to terminate the server process, select which C-shell or Bourne shell command line is printed on startup, respectively.
* server: Make it possible to eval envvar settingsDaiki Ueno2017-10-051-9/+11
| | | | | Previously, calling "eval $(p11-kit server)" from shell hung because the program didn't properly close stdout before forking.
* Release 0.23.9Daiki Ueno2017-10-022-1/+6
|
* trust: Respect anyExtendedKeyUsage in CA certificatesDaiki Ueno2017-10-023-0/+45
|
* rpc: Fix crash when retrieving attribute lengthDaiki Ueno2017-09-272-4/+34
| | | | | | It is possible that NULL is given to the serializers, when C_GetAttributeValue() just wants to know the size of an attribute. Previously, this resulted in giving NULL to memcpy().
* server: Make it work only when token URI is providedDaiki Ueno2017-09-271-47/+41
| | | | | | Previously, when "p11-kit server" started only with a token URI, it couldn't properly find and initialize the module which provides the token. This was because of the wrong order of cleanup of the modules.
* common: Re-add placeholder definition of p11_debugDaiki Ueno2017-08-181-0/+4
| | | | | This was mistakenly removed in commit efe6dc56c. Pointed by Lars Wendler in issue #97.
* build: Include <stdint.h> for SIZE_MAXDaiki Ueno2017-08-161-0/+1
| | | | Fixes issue #95.
* Release 0.23.8Daiki Ueno2017-08-152-1/+8
|
* build: Include <stdint.h> for SIZE_MAXDaiki Ueno2017-08-151-0/+1
|
* client: Fix order of cleanupDaiki Ueno2017-08-111-1/+1
| | | | | | In C_GetFunctionList, state->virt is wrapped with a destroyer function free(). Thus p11_rpc_transport_free must be called before p11_virtual_unwrap.
* test: Add checks for duplicate vendor attributesDaiki Ueno2017-08-081-0/+10
|
* uri: Make vendor query attribute handling reliableDaiki Ueno2017-08-081-24/+80
| | | | | | | | | | | | Previously we used p11_dict to keep track of vendor query attributes. This had a couple of limitations: duplicate attributes are not allowed while they are actually allowed in RFC 7512, and the order of attributes is unpredictable. This patch switches to using an array instead of p11_dict and ensures that the attributes are sorted in alphabetical order. Fixes #88.
* common: New p11_array_insert functionDaiki Ueno2017-08-082-0/+20
|
* common: Use reallocarray instead of realloc as appropriateDaiki Ueno2017-08-085-4/+36
| | | | | | reallocarray is a new POSIX function added in glibc 2.26, with built-in overflow checks. Take advantage of that function for internal array allocation.
* pkcs11.h: updated informationNikos Mavrogiannopoulos2017-08-031-3/+3
| | | | | The scute project no longer exists, and the PKCS#11 standard is from OASIS group.
* pkcs11.h: added OTP-related mechanismsNikos Mavrogiannopoulos2017-08-031-0/+97
|
* pkcs11.h: added definitions of GOST CKA attributesNikos Mavrogiannopoulos2017-08-011-0/+3
|
* pkcs11.h: added definitions of GOST mechanismsNikos Mavrogiannopoulos2017-08-011-0/+12
| | | | | This follows the definitions in PKCS#11 v2.40: http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html
* test: Fix failure on 32-bit big endian platformDaiki Ueno2017-07-141-14/+15
| | | | | | | | | | The value given to p11_rpc_buffer_add_ulong_value() must be a pointer of CK_ULONG. Similarly, the value returned from p11_rpc_buffer_get_ulong_value() must be converted to CK_ULONG before comparison. Reported by Andreas Metzler in: https://lists.freedesktop.org/archives/p11-glue/2017-July/000665.html
* trust: Fix build error with -Werror=return-typeDaiki Ueno2017-07-141-1/+1
|
* conf: Introduce P11_KIT_NO_USER_CONFIGColin Walters2017-07-101-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | Currently `ca-certificates.spec` in Fedora ends up doing in `%post`: ``` /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt ``` etc. And due to this bit of code in p11-kit, we end up looking for the home directory for configuration. In this case, `/root`. It's categorically wrong to do this; the root user is distinct from "the system". This issue is equivalent to one I fixed in Pango: https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c Fast forward to today, and the reason I'm making this change is I'm working on `rpm-ostree ex container`, which builds containers as *non-root* (like gnome-continuous does, but now with RPMs), keeping the invoking uid. And this bug causes the `ca-certificates` `%post` to fail because it's trying to look for my uid 1000 which doesn't exist in the target rootfs' password database. Again, there's no reason to be looking for a home directory for system triggers, regadless of UID, so once this patch lands, I'll update `ca-certificates` to use it, and traditional RPM `%post` will stop looking in `/root` too.
* common: always use p11_dl_close wrapperFabian Groffen2017-06-272-10/+13
| | | | | | | | | Solaris doesn't like it when dlclose is referenced using a define, resulting in a linker error looking for a symbol version. Simply calling the function in a normal way (instead of storing its address) solves this linking error. The error message seen by GNU ld is: dlclose: invalid version 7 (max 0)