Commit message | Author | Age | Files | Lines
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time | Harald Hoyer | 2018-11-02 | 1 | -4/+34
|   For reproducible builds, accept a define timestamp for the java keystore. See https://reproducible-builds.org/docs/source-date-epoch/
* build: Require pkg.m4 >= 0.29 at bootstrap | Daiki Ueno | 2018-10-31 | 1 | -0/+2
|
* virtual: Prefer fixed closures to libffi closures | Daiki Ueno | 2018-10-24 | 1 | -5/+14
|   On some circumstances (such as when loading p11-kit-proxy from httpd), it is known that creation of libffi closure always fails, due to SELinux policy. Although this is harmless, it pollutes the journal and gives wrong hints when troubleshooting. This patch changes the order of preference of libffi vs pre-compiled closures to avoid that.
* trust: Check index->buckets is allocated on cleanup | Daiki Ueno | 2018-10-17 | 1 | -3/+5
|
* rpc-server: Check calloc failure | Daiki Ueno | 2018-10-17 | 1 | -0/+4
|
* trust: Set umask before calling mkstemp | Daiki Ueno | 2018-10-17 | 1 | -0/+3
|
* proxy: Fix null dereference when reusing slots | Daiki Ueno | 2018-10-17 | 1 | -1/+4
|
* rpc-server: p11_kit_remote_serve_tokens: Fix memleak | Daiki Ueno | 2018-10-17 | 1 | -0/+5
|
* build: Check return value of p11_rpc_buffer_get_uint64 | Daiki Ueno | 2018-10-17 | 1 | -1/+2
|
* build: Check return value of p11_dict_set | Daiki Ueno | 2018-10-17 | 3 | -3/+9
|
* build: Free memory before return{,_val}_if_* macros | Daiki Ueno | 2018-10-17 | 9 | -17/+77
|
* build: Call va_end() always when leaving the function | Daiki Ueno | 2018-10-17 | 4 | -4/+14
|
* debug: Work around cppcheck false-positives | Daiki Ueno | 2018-10-17 | 1 | -3/+3
|   https://trac.cppcheck.net/ticket/8794
* common: use /proc only on Linux | Leonardo Brondani Schenkel | 2018-09-12 | 1 | -0/+2
|   Non-Linux systems do not have /proc, so do not attempt to open it and eliminate an unnecessary access() syscall on those systems.
* pkcs11: Don't redefine CKM_CAMELLIA_KEY_GEN | Daiki Ueno | 2018-08-31 | 1 | -2/+1
|   Also reorder the CKM_CAMELLIA_* definitions.
* Release 0.23.14 | Daiki Ueno | 2018-08-28 | 2 | -1/+7
|
* virtual: Tighten error handling when fixed closures are exhausted | Daiki Ueno | 2018-08-28 | 1 | -9/+8
|
* virtual: Don't be too loud about recoverable failure | Daiki Ueno | 2018-08-28 | 1 | -2/+2
|
* trust: Factor out module initialization into separate file | Daiki Ueno | 2018-08-28 | 3 | -55/+44
|   This prevents double call to p11_library_init() in test-module.c, once from the ELF constructor, and secondly from the test itself.
* common: Factor out common initializer code into a header | Daiki Ueno | 2018-08-28 | 4 | -111/+103
|
* travis: Manually install cpp-coveralls | Daiki Ueno | 2018-08-28 | 1 | -2/+6
|   To accommodate the gcov format change in gcc 8.1: https://github.com/eddyxu/cpp-coveralls/pull/127 which is not yet available in the pip version.
* travis: Check valgrind exit code more strictly | Daiki Ueno | 2018-08-28 | 1 | -1/+1
|
* README.md: Add CII Best Practices badge | Daiki Ueno | 2018-08-21 | 1 | -1/+1
|
* README.md: Mention contact method for security issues | Daiki Ueno | 2018-08-21 | 1 | -0/+5
|
* Revert "build: Explicitly link threaded test programs to libpthread" | Daiki Ueno | 2018-08-17 | 2 | -14/+4
|   This reverts commit dc4a6eaddbb36a344cc6a9c7eb12cab9df4899b0.
* Revert "build: Stop linking the library with libpthread when possible" | Daiki Ueno | 2018-08-17 | 1 | -3/+3
|   This reverts commit 50f8906e63c9413a7687bab6608496d83c29a222.
* Revert "common: Prefer __register_atfork() to pthread_atfork() if possible" | Daiki Ueno | 2018-08-17 | 2 | -20/+1
|   This reverts commit ce3cec7f8742254b8627b9db48973b81e91cbfc8.
* Revert "build: Link to libpthread, if pthread_atfork() needs to be used" | Daiki Ueno | 2018-08-17 | 3 | -13/+6
|   This reverts commit 541d79cb651cfd3238b9aa41fce70208df8e9496.
* Update pkcs11 header to allow SoftHSMv2 to compile | Alexander Bokovoy | 2018-08-17 | 1 | -18/+220
|   Replace vendor-specific values with the IDs from PKCS11 v3.0 for those constants that were already standardized.
* travis: Check that proxy module can be loaded and unloaded | Daiki Ueno | 2018-08-15 | 2 | -1/+2
|
* proxy: Avoid invalid memory access when unloading proxy module | Daiki Ueno | 2018-08-15 | 1 | -13/+4
|   When loading and unloading p11-kit-proxy.so with pkcs11-tool, it accesses already free'd memory area:
|
|     $ valgrind pkcs11-tool --module p11-kit-proxy.so -L
|     ==25173== Invalid read of size 8
|     ==25173==    at 0x64BF493: p11_proxy_module_cleanup (proxy.c:1724)
|     ==25173==    by 0x64BD028: _p11_kit_fini (proxy-init.c:65)
|     ==25173==    by 0x401477C: _dl_close_worker (in /usr/lib64/ld-2.27.so)
|     ==25173==    by 0x4014E1D: _dl_close (in /usr/lib64/ld-2.27.so)
|     ==25173==    by 0x5E08C4E: _dl_catch_exception (in /usr/lib64/libc-2.27.so)
|     ==25173==    by 0x5E08CDE: _dl_catch_error (in /usr/lib64/libc-2.27.so)
|     ==25173==    by 0x58B1724: _dlerror_run (in /usr/lib64/libdl-2.27.so)
|     ==25173==    by 0x58B1113: dlclose (in /usr/lib64/libdl-2.27.so)
|     ==25173==    by 0x11E5A7: ??? (in /usr/bin/pkcs11-tool)
|     ==25173==    by 0x110023: ??? (in /usr/bin/pkcs11-tool)
|     ==25173==    by 0x5CF624A: (below main) (in /usr/lib64/libc-2.27.so)
|     ==25173==  Address 0x61231c8 is 552 bytes inside a block of size 584 free'd
|     ==25173==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
|     ==25173==    by 0x6548492: p11_virtual_unwrap (virtual.c:2902)
|     ==25173==    by 0x64BF492: p11_proxy_module_cleanup (proxy.c:1723)
* build: Link to libpthread, if pthread_atfork() needs to be used | Daiki Ueno | 2018-08-10 | 3 | -6/+13
|   On non-glibc systems (e.g., FreeBSD), pthread_atfork() stub is provided as a nop and our fork detection mechanism doesn't work. Pull in the actual implementation from libpthread in that case.
|
|   Signed-off-by: Daiki Ueno <dueno@redhat.com>
* build: Don't install systemd unit files when "make distcheck" | Daiki Ueno | 2018-08-10 | 1 | -0/+1
|
* Release 0.23.13 | Daiki Ueno | 2018-08-10 | 2 | -1/+8
|
* common: Prefer __register_atfork() to pthread_atfork() if possible | Daiki Ueno | 2018-08-10 | 2 | -1/+20
|
* build: Stop linking the library with libpthread when possible | Daiki Ueno | 2018-08-10 | 1 | -3/+3
|
* common: Use thread-local storage class when possible | Daiki Ueno | 2018-08-10 | 2 | -0/+34
|   This eliminates the unconditional use of pthread_{get,set}specific() and pthread_key_{create,delete}(), which glibc doesn't provide the stubs.
* build: Explicitly link threaded test programs to libpthread | Daiki Ueno | 2018-08-10 | 2 | -4/+14
|   Some test programs use pthread_create(), which glibc doesn't provide the stub. Link those programs with -lpthread.
* common, p11-kit, trust: Use pthread_once only when necessary | Daiki Ueno | 2018-08-10 | 5 | -4/+16
|   If the ELF constructor is usable, we don't really need the once-init function because it is guaranteed that the code runs only once in the constructor.
* common: Use static mutex initializer when possible | Daiki Ueno | 2018-08-10 | 3 | -6/+30
|   This eliminates the use of pthread_mutexattr_* functions, which glibc doesn't provide the stubs.
* server: Avoid FD leak in error cases | Daiki Ueno | 2018-08-01 | 1 | -0/+3
|   Spotted by coverity.
* trust: Clarify C_Login behavior that returns an error | Daiki Ueno | 2018-07-19 | 1 | -0/+11
|
* proxy: Fail early if there is no slot mappings | Daiki Ueno | 2018-07-16 | 2 | -0/+44
|
* travis: Install pip for coveralls | Daiki Ueno | 2018-07-16 | 1 | -1/+1
|
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules | Daiki Ueno | 2018-07-16 | 4 | -89/+210
|   This patch removes the restriction of p11_kit_remote_serve_tokens() that were not capable of serving tokens across multiple modules.
* build: Use separate p11-kit-{remote,server} executable for testing | Daiki Ueno | 2018-07-16 | 4 | -3/+31
|   Otherwise, the p11-kit-remote program called from p11-kit-server would load the system modules instead of the local fixtures.
* proxy: Allow proxy to be created from the library | Daiki Ueno | 2018-07-16 | 2 | -1/+42
|   Previously, to aggregate multiple modules into one, there was no other way than loading the proxy module. From the p11-kit applications, however, it is not possible to load that module because of the recursive loading check (p11_proxy_module_check). This patch adds another means to aggregate modules, through a library function p11_proxy_module_create.
* proxy: Turn global variables module local | Daiki Ueno | 2018-07-16 | 1 | -21/+14
|
* build: Make reallocarray detection robuster | Daiki Ueno | 2018-07-16 | 2 | -1/+2
|   On NetBSD, reallocarray is not declared until _OPENBSD_SOURCE is defined. Reported by Patrick Welche in: https://lists.freedesktop.org/archives/p11-glue/2018-July/000691.html
* server: Enable socket activation through systemd | Daiki Ueno | 2018-06-20 | 6 | -10/+96
|   This enables socket activation of "p11-kit server" through systemd. The feature provided is essentially the same as commit a4fb2bb5 (reverted), but implemented with "p11-kit server" and libsystemd API instead of wrapping "p11-kit remote" in the unit file.
|
|   Note that, while it exposes all tokens through the socket, it doesn't increase attack surface beyond the PKCS#11 binary interface provided by p11-kit-proxy.so, because the service is per-user.