| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
It is possible that NULL is given to the serializers, when
C_GetAttributeValue() just wants to know the size of an attribute.
Previously, this resulted in giving NULL to memcpy().
|
| |
|
|
|
|
| |
Previously, when "p11-kit server" started only with a token URI, it
couldn't properly find and initialize the module which provides the
token. This was because of the wrong order of cleanup of the modules.
|
| |
|
|
|
| |
This was mistakenly removed in commit efe6dc56c.
Pointed by Lars Wendler in issue #97.
|
| |
|
|
| |
Fixes issue #95.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
In C_GetFunctionList, state->virt is wrapped with a destroyer function
free(). Thus p11_rpc_transport_free must be called before
p11_virtual_unwrap.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously we used p11_dict to keep track of vendor query attributes.
This had a couple of limitations: duplicate attributes are not allowed
while they are actually allowed in RFC 7512, and the order of
attributes is unpredictable.
This patch switches to using an array instead of p11_dict and ensures
that the attributes are sorted in alphabetical order.
Fixes #88.
|
| | |
|
| |
|
|
|
|
| |
reallocarray is a new POSIX function added in glibc 2.26, with
built-in overflow checks. Take advantage of that function for
internal array allocation.
|
| |
|
|
|
| |
The scute project no longer exists, and the PKCS#11 standard is
from OASIS group.
|
| | |
|
| | |
|
| |
|
|
|
| |
This follows the definitions in PKCS#11 v2.40:
http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/os/pkcs11-curr-v2.40-os.html
|
| |
|
|
|
|
|
|
|
|
| |
The value given to p11_rpc_buffer_add_ulong_value() must be a pointer
of CK_ULONG. Similarly, the value returned from
p11_rpc_buffer_get_ulong_value() must be converted to CK_ULONG before
comparison.
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-July/000665.html
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.
And due to this bit of code in p11-kit, we end up looking for the home
directory for configuration. In this case, `/root`.
It's categorically wrong to do this; the root user is distinct from
"the system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c
Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.
Again, there's no reason to be looking for a home directory for system triggers,
regadless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
|
| |
|
|
|
|
|
|
|
| |
Solaris doesn't like it when dlclose is referenced using a define,
resulting in a linker error looking for a symbol version. Simply
calling the function in a normal way (instead of storing its address)
solves this linking error.
The error message seen by GNU ld is:
dlclose: invalid version 7 (max 0)
|
| |
|
|
| |
Solaris can retrieve this information via getpeerucred().
|
| |
|
|
| |
Solaris has socket() etc. in these two libs.
|
| |
|
|
|
|
|
|
|
| |
As p11-kit is a library there are cases where it is not desirable
to log on stderr by default. See for example this report
https://bugzilla.redhat.com/show_bug.cgi?id=1464490
where wget prints an error due to an unconfigured pkcs11 module.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
|
| |
|
|
|
|
| |
This reverts commit 6b457ffc, which forbids the use of GNU extension
for the incompatibility of strerror_r. However, now that strerror_l
is used instead on glibc systems, it has no point to do that.
|
| | |
|
| |
|
|
|
| |
strerror_r is being obsolete in the next POSIX specification:
http://austingroupbugs.net/view.php?id=655
|
| | |
|
| | |
|
| |
|
|
| |
Spotted by clang-analyzer.
|
| |
|
|
| |
Spotted by clang-analyzer.
|
| |
|
|
| |
Spotted by clang-analyzer.
|
| |
|
|
|
| |
This is to disable clang-analyzer against test programs, which can
contain several false-positives.
|
| | |
|
| |
|
|
|
| |
Reported by Mantas Mikulėnas in:
https://bugs.freedesktop.org/show_bug.cgi?id=101212
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Instead of a Unix domain socket on Unix, use a named pipe on Windows.
|
| | |
|
| | |
|
| |
|
|
| |
This is similar to commit ba49b85e, but for mechanism parameters.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
When using the RPC across multiple architectures, where data models
are different, say LP64 vs ILP32, there can be unwanted truncation of
attribute values.
This patch converts the values into portable format for the known
attributes.
Co-authored-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |
|
|
|
| |
Otherwise it will cause assertion failure in a few lines below.
Spotted by amrican fuzzy lop.
|
