| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
In common/ there are sub-libraries namely libp11-common.a,
libp11-library.a, libp11-tool.a, and libp11-test.a.
All the latter 3 libs use the symbols from libp11-common.a, it would
make sense to declare a dependency against it.
|
| |
|
| |
|
|
|
|
| |
This adds support for meson as an alternative build system.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
To prevent BUILDDIR being embedded in the library.
|
| |
|
| |
|
|
|
|
| |
On mingw64/wine, unlink fails if the file has no write bit.
|
| |
|
| |
|
|
|
|
|
| |
Previously the generated .c file was included in another source file,
which is not supported in some build systems (e.g., meson).
|
| |
|
|
|
|
| |
va_list must be saved when calling vsnprintf() in a loop.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
different thread.
If rpc_socket_read() receives a header for a different thread, it tries to yield by
releasing the read mutex and waiting on the socket's read FD. On Linux systems, this has
been observed to cause a performance problem in cases where multiple threads are being
used. Threads expecting a different header can rapidly unlock and relock the read mutex,
as they resume when sock->read_code hasn't changed. This can result in contention on the
read mutex, which delays the thread that is expecting to consume the header.
This fix updates rpc_socket_read() on UNIX to wait on a condition variable instead of the
socket's read FD. The condition variable is signalled when sock->read_code changes. This
allows waiting threads to only resume once the header and payload have been consumed by
their target thread. This fix only targets UNIX platforms, as the Windows version that
p11-kit targets by default (Windows 2000) does not provide support for condition
variables.
Signed-off-by: Simon Haggett <simon.haggett@gmail.com>
|
| |
|
|
|
|
| |
Remove unused "global" variable.
|
|
|
|
|
|
| |
'server' is the last common command which is not in CLI help.
IMHO, adding this small documentation could help to promote usage of
pkcs11 forwarding.
|
| |
|
|
|
|
|
|
|
|
| |
While fully implementing C_WaitForSlotEvent() would require a separate
thread to monitor events, it is straightforward to implement the
function if the CKF_DONT_BLOCK flag is given.
Suggested by David Ward.
|
|
|
|
|
| |
Suggested by Bastien Nocera:
https://bugzilla.redhat.com/show_bug.cgi?id=1688583
|
|
|
|
|
|
|
|
| |
Previously, the proxy module calculated the slot list only once at the
C_Initialize() call. That was causing a usability limitation when the
user attaches HSM after starting an application.
Suggested by David Ward.
|
|
|
|
|
|
|
|
|
| |
This fixes a call to p11_dict_remove() in managed_steal_sessions_inlock() to use
the correct index in the stolen array (i, rather than at). This avoids an
assert, which was encountered on a host serving a PKCS#11 module to a remote
Linux client.
Signed-off-by: Simon Haggett <simon.haggett@gmail.com>
|
|
|
|
|
|
| |
Caused by returning a buffer that wasn't allocated with malloc and
needed to be freed with LocalFree() instead. The fix is to strdup
msg_buf so what's returned can be free()d.
|
|
|
|
|
|
|
|
|
|
|
| |
In some circumstances, as described in the BZ, can happen that
free_modules_when_no_refs_unlocked() is called multiple times
when the module destructor is invoked.
We should check gl.modules before iterates on it in the
free_modules_when_no_refs_unlocked() functions, to avoid
a SIGSEGV.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1680963
|
|
|
|
|
|
|
|
|
| |
This amends eb503f3a1467f21a5ecc9ae84ae23b216afc102f. Instead of
failing C_FindObjectsInit, treat any errors internally and accumulates
the successfully loaded certificates.
Reported by Andrej Kvasnica in:
https://bugzilla.redhat.com/show_bug.cgi?id=1675441
|
|
|
|
|
| |
Give _p11_extract_jks_timestamp precedence over SOURCE_DATE_EPOCH so
that the test results are not affected by the envvar settings.
|
| |
|
|
|
|
|
|
| |
If the PEM header is "-----BEGIN -----", *type should be an empty
string and the parser shouldn't fail. Reported by Han Han in:
https://bugzilla.redhat.com/show_bug.cgi?id=1665172
|
| |
|
|
|
|
|
| |
When there is a duplicate, the JKS extractor previously assigned
somewhat obscure name "-<digit>" (not "<name>-<digit>").
|
|
|
|
|
|
| |
A corrupted file that contains "[p11-kit-object-v1]" can be a valid
PEM certs file. Continue with the next format if it cannot be read as
a persistent format.
|
|
|
|
|
|
| |
Those conditions can happen when the trust file is corrupted, so it
makes more sense to treat them as a failure instead of programmer
error.
|
|
|
|
|
| |
If the trust path is a file, treat parse error as fatal and abort the
C_FindObjectsInit call.
|
|
|
|
|
|
| |
Previously, even when the -v option is used with the 'trust' command,
the messages from p11-kit-trust.so module were suppressed because the
verbosity setting is not propagated to the module.
|
| |
|
| |
|
|
|
|
|
| |
Let it leak memory when we assert, so not to confuse static analyzers
as if this is the normal case.
|
| |
|
| |
|
| |
|
|
|
|
| |
Reported and suggested in #197.
|
|
|
|
|
|
|
| |
This makes it more compliant with RFC 3986, where the use of
upper-case letters is recommended (as "SHOULD").
Suggested by Sumit Bose.
|
|
|
|
|
|
|
| |
For reproducible builds, accept a define timestamp for the java
keystore.
See https://reproducible-builds.org/docs/source-date-epoch/
|
| |
|
|
|
|
|
|
|
|
| |
On some circumstances (such as when loading p11-kit-proxy from httpd),
it is known that creation of libffi closure always fails, due to
SELinux policy. Although this is harmless, it pollutes the journal
and gives wrong hints when troubleshooting. This patch changes the
order of preference of libffi vs pre-compiled closures to avoid that.
|
| |
|