summaryrefslogtreecommitdiff
path: root/p11-kit/conf.c
Commit message (Collapse)AuthorAgeFilesLines
* conf: Skip root UID check on WindowsDaiki Ueno2019-06-181-0/+2
|
* conf: Ignore user configuration if the program is running as rootDaiki Ueno2019-05-181-1/+3
| | | | | Suggested by Bastien Nocera: https://bugzilla.redhat.com/show_bug.cgi?id=1688583
* conf: Introduce P11_KIT_NO_USER_CONFIGColin Walters2017-07-101-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | Currently `ca-certificates.spec` in Fedora ends up doing in `%post`: ``` /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt ``` etc. And due to this bit of code in p11-kit, we end up looking for the home directory for configuration. In this case, `/root`. It's categorically wrong to do this; the root user is distinct from "the system". This issue is equivalent to one I fixed in Pango: https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c Fast forward to today, and the reason I'm making this change is I'm working on `rpm-ostree ex container`, which builds containers as *non-root* (like gnome-continuous does, but now with RPMs), keeping the invoking uid. And this bug causes the `ca-certificates` `%post` to fail because it's trying to look for my uid 1000 which doesn't exist in the target rootfs' password database. Again, there's no reason to be looking for a home directory for system triggers, regadless of UID, so once this patch lands, I'll update `ca-certificates` to use it, and traditional RPM `%post` will stop looking in `/root` too.
* Avoid multiple stat() calls for same fileStef Walter2013-08-281-19/+16
| | | | | | As a side effect we can also not use the dirent.d_type field https://bugs.freedesktop.org/show_bug.cgi?id=68525
* Use simple serial automake test harnessStef Walter2013-07-231-1/+1
| | | | | * Add a testing sanity check to see if we're catching errors * Fix a few other testing issues
* Add appropriate const qualifiersStef Walter2013-07-181-1/+1
|
* Avoid using the non-thread-safe strerror() functionStef Walter2013-07-181-4/+2
| | | | https://bugzilla.redhat.com/show_bug.cgi?id=985481
* Declare static variables const where it makes senseStef Walter2013-07-181-2/+2
| | | | https://bugzilla.redhat.com/show_bug.cgi?id=985337
* Don't load configs from user directory when setuidStef Walter2013-07-181-0/+5
| | | | | | | When running as setuid() or setgid() don't access the user's home directory, or use $HOME environment variables. https://bugzilla.redhat.com/show_bug.cgi?id=985014
* open files with O_CLOEXEC when possibleStef Walter2013-07-181-75/+26
| | | | | | | | | | | | | This helps prevent leaked file descriptors when the library is used in a process which exec's. opendir() already uses O_CLOEXEC on platforms that support O_CLOEXEC so we don't need to make changes there. In addition read config files using p11_mmap_open() so that we get the simple benefits of O_CLOEXEC with the open() call there. https://bugzilla.redhat.com/show_bug.cgi?id=984986
* Remove erroneous comments about readdir() and thread-safetyStef Walter2013-07-171-1/+0
| | | | https://bugzilla.redhat.com/show_bug.cgi?id=984989
* More compatible path munging and handling codeStef Walter2013-04-031-56/+4
| | | | | | | | | | Centralize the path handling code, so we can remove unixy assumptions and have a chance of running on Windows. The current goal is to run all the tests on Windows. Includes some code from LRN <lrn1986@gmail.com> https://bugs.freedesktop.org/show_bug.cgi?id=63062
* Separate library init from message codeStef Walter2013-04-031-1/+1
| | | | | | | | | | | Put library init/uninit code its into their own statically linked library so that they don't get linked into the p11-kit executable. Refactor the message code so that the library initialization can plug in its per thread message buffer. https://bugs.freedesktop.org/show_bug.cgi?id=63046
* lexer: Make a lexer for our config file formatStef Walter2013-03-151-92/+39
| | | | | | This lexer will be used in our PKCS#11 persistence format as well. https://bugs.freedesktop.org/show_bug.cgi?id=62156
* Fix syntax errors in OS_WIN32 ifdefsStef Walter2013-03-031-1/+1
|
* Open files in binary mode on windowsStef Walter2013-03-031-1/+1
| | | | So that the Windows' C library doesn't munge line endings
* Fix various clang analyzer warningsStef Walter2013-02-061-1/+1
| | | | | * Add annotations to our precondition functions so that they don't make the analyzer complain
* Add basic trust moduleStef Walter2013-02-051-37/+0
| | | | | | This is based off the roots-store from gnome-keyring and loads certificates from a root directory and exposes them as PKCS#11 objects.
* Add a /usr/share/p11-kit/modules directory for package module configsStef Walter2013-02-051-2/+6
| | | | | | * Try to make /etc/pkcs11/modules for administrator use * Override the old pkg-config variables to help packages start using the new location
* Use the stdbool.h C99 bool typeStef Walter2013-01-231-29/+29
| | | | | | It was getting really wild knowing whether a function returning an int would return -1 on failure or 0 or whether the int return value was actually a number etc..
* Move debug and library code into the common/ subdirectoryStef Walter2013-01-091-57/+59
| | | | | | | | | | | Start using p11_ as our internal prefix rather than _p11_. We explicitly export p11_kit_ so this is fine as far as visibility. Move the threading, mutex, and module compat, dict, and array code into the common directory too. Take this opportunity to clean up a bit of internal API as well, since so many lines are being touched internally.
* Don't complain if we cannot access ~/.pkcs11/pkcs11.confStef Walter2012-11-141-9/+33
| | | | | | | * If a process is running under selinux it may not be able to access the home directory of the uid that it is running as. https://bugs.freedesktop.org/show_bug.cgi?id=57115
* Change the default of 'user-config' to merge.Stef Walter2012-09-061-1/+1
| | | | | | | * This allows user configured PKCS#11 modules by default. * Admins can change this to 'none' in /etc/pkcs11/pkcs11.conf to go back to the previous behavior. * Posted to the mailing list.
* Use '.module' extension on module configsStef Walter2012-07-241-4/+52
| | | | | | | | | | | | | * And want alphanumeric/_.- filenames * Currently this is just a warning, soon it will be enforced * The name of a module does not include the extension Andreas Metzler and Ubuntu both worked on this patch, and I've made some more changes. See https://bugs.launchpad.net/ubuntu/+source/p11-kit/+bug/911436 https://bugs.freedesktop.org/show_bug.cgi?id=52158
* Preconditions to check for input probs and out of memoryStef Walter2012-05-131-55/+21
| | | | | | * We don't try to guarantee completely robust and problem free behavior in cases where the caller or process isn't behaving. We consider these to be outside of our control.
* Use gcc extensions to check varargs during compileStef Walter2012-05-131-3/+8
| | | | | * Add macros GNUC_PRINTF and GNUC_NULL_TERMINATED to check correct printf and NULL terminated style varargs
* Move the compat.[ch] headers into common directory/Stef Walter2012-04-301-1/+1
| | | | | * And the compat stuff in the p11-kit directory merged into util.c and util.h
* More fixes for non-static function namesStef Walter2011-10-241-4/+4
| | | | | * See previous commit * Initialize library before debug statements
* Rename non-static functions to have a _p11_xxx prefix.Stef Walter2011-10-241-18/+18
| | | | | | | * Work around issues with brain-dead linkers not respecting the libtool -export-symbol-regex argument https://bugs.freedesktop.org/show_bug.cgi?id=42020
* Initial port to win32Stef Walter2011-10-171-20/+44
| | | | | | | | * Tests do not all yet pass, at least not on wine * Added abstraction of some non-portable functions in compat.h/c * Build with an argument like this for win32 support: ./autogen.sh --host=i586-mingw32msvc * This win32 port needs more work from interested parties
* Add 'critical' setting for modulesStef Walter2011-08-301-0/+18
| | | | | | * When a module has critical set to 'yes', and that module fails to init then it aborts the entire init process. * Defaults to 'no'
* Reimplement and remove apache licensed bits of code.Stef Walter2011-07-271-25/+25
| | | | | | | | | | * Reimplement the various bits of the hash table that were still based on the apache apr code. Use different algorithms for hashing, lookup and other stuff. * Use this as an opportunity to cleanup that code and make it more legible. https://bugzilla.redhat.com/show_bug.cgi?id=725905
* Store last failure message per thread.Stef Walter2011-06-091-10/+12
| | | | * Add p11_kit_message() function to get last message.
* Refactor configurationStef Walter2011-06-081-37/+392
| | | | | * Move configuration loading into conf.c * Have user modules with same name merge/override modules in system.
* Fix lots of bugs and add more debugging statements.Stef Walter2011-04-051-1/+2
|
* Add support for debug tracing.Stef Walter2011-04-051-0/+7
| | | | | | | | | | | Use P11_KIT_DEBUG=xxx environment variable to enable tracing. Must have been built without --disable-debug option. P11_KIT_DEBUG can (at this point) be one of these values: all help conf lib
* Fix up copyright lines.Stef Walter2011-04-011-2/+2
|
* Documentation and API cleanup.Stef Walter2011-03-311-0/+245
* Rename source directory * More consistent with return values from URI functions. * Allow formatting URI to take a uri type.