| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Instead of a Unix domain socket on Unix, use a named pipe on Windows.
|
| |
|
| |
|
|
|
|
| |
This is similar to commit ba49b85e, but for mechanism parameters.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When using the RPC across multiple architectures, where data models
are different, say LP64 vs ILP32, there can be unwanted truncation of
attribute values.
This patch converts the values into portable format for the known
attributes.
Co-authored-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|
|
|
|
| |
Otherwise it will cause assertion failure in a few lines below.
Spotted by amrican fuzzy lop.
|
| |
|
|
|
|
|
| |
Instead of reusing the CKA_X_GENERATED attribute, check the file
contents directly in the caller side.
|
|
|
|
|
|
|
| |
A persistent file written by the trust module starts with the line "#
This file has been auto-generated and written by p11-kit". This can
be used as a magic word to determine whether the objects read from a
.p11-kit file are read-only.
|
|
|
|
|
| |
This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
broke "trust anchor --remove".
|
|
|
|
|
| |
out_fd is not always 1 when p11_kit_remote_serve_module() is used for
writing a custom server.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Given that the remote proxy service shall be only used by NetworkManager
and not generally useful, revert commit
a4fb2bb587fb1a0146cf97f039b671d3258488f9 for now.
Once the necessary command that runs the proxy module is implemented in
p11-kit, maybe NetworkManager itself could install those files.
|
|
|
|
|
| |
The p11-kit-remote executable is now located under $libexecdir, but we
should use the p11-kit command to launch the subcommand.
|
| |
|
|
|
|
| |
Include signal.h for kill(2) and SIGKILL on FreeBSD.
|
|
|
|
|
|
| |
In common/unix-peer.c, we are checking if HAVE_GETPEEREID is defined,
however, we never actually check if getpeereid() is available, so
fix that by checking this function using AC_CHECK_FUNCS().
|
| |
|
|
|
|
|
|
|
|
| |
If an unknown attribute is present in the query part of the PKCS#11 URI,
the parser treated it as unrecognized and subsequent matches failed.
Instead, keep track of such attributes and provide a set of API to deal
with them.
|
|
|
|
|
| |
The connection failure here is not fatal. Use p11_debug() instead of
p11_message().
|
|
|
|
|
| |
This is unset on most systems, but might as well follow the Base
Directory spec properly.
|
|
|
|
|
|
|
|
|
| |
Previously, all objects read from p11-kit persist files are marked as
modifiable when parsing, regardless of the explicit "modifiable: false"
setting in the file.
Reported by Kai Engert in:
https://bugs.freedesktop.org/show_bug.cgi?id=99797
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a PKCS#11 module that connects to the p11-kit server
exposed on the filesystem. The filename of the socket is determined in
the following order:
- $P11_KIT_SERVER_ADDRESS, if the envvar is available
- $XDG_RUNTIME_DIR/p11-kit/pkcs11, if the envvar is available
- /run/$(id -u)/p11-kit/pkcs11, if /run/$(id -u) exists
- /var/run/$(id -u)/p11-kit/pkcs11, if /var/run/$(id -u) exists
- ~/.cache/p11-kit/pkcs11.
Note that the program loading this module may have called setuid() and
secure_getenv() which we use for fetching envvars could return NULL.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
This adds a new tool to the p11-kit command called 'server', which
allows us to access a PKCS#11 module over a Unix domain socket.
Internally, it is implemented as a wrapper around 'p11-kit remote'.
Upon connection it executes 'p11-kit remote' in a forked process.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds p11_path_{encode,decode}(), following the escaping rule
described in:
https://dbus.freedesktop.org/doc/dbus-specification.html#addresses
Although they are merely a wrapper around p11_url_{decode,encode}(),
having dedicated functions hides the implementation details.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Synchronize the fixture module to the non-Unix one and enable
"/modules/test_filename".
|
| |
|
| |
|
|
|
|
|
|
|
| |
On Windows, use _spawnv() to create a subprocess and two unidirectional
pipe created with _pipe() to communicate with it. If we can assume
WinSock, it might be simpler to use a socketpair() replacement from:
https://github.com/ncm/selectable-socketpair.
|
|
|
|
| |
Append EXEEXT or SHLEXT to the filename if needed.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Don't append the backslash character twice to the output. It is
interpolated a few lines below, if it is really required.
|
| |
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=99600
|
|
|
|
|
| |
See also NSS bug https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
and p11-kit bug https://bugs.freedesktop.org/show_bug.cgi?id=99453
|