| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Remove unused "global" variable.
|
| |
|
|
|
|
|
|
| |
While fully implementing C_WaitForSlotEvent() would require a separate
thread to monitor events, it is straightforward to implement the
function if the CKF_DONT_BLOCK flag is given.
Suggested by David Ward.
|
| |
|
|
|
|
|
|
| |
Previously, the proxy module calculated the slot list only once at the
C_Initialize() call. That was causing a usability limitation when the
user attaches HSM after starting an application.
Suggested by David Ward.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When loading and unloading p11-kit-proxy.so with pkcs11-tool, it
accesses already free'd memory area:
$ valgrind pkcs11-tool --module p11-kit-proxy.so -L
==25173== Invalid read of size 8
==25173== at 0x64BF493: p11_proxy_module_cleanup (proxy.c:1724)
==25173== by 0x64BD028: _p11_kit_fini (proxy-init.c:65)
==25173== by 0x401477C: _dl_close_worker (in /usr/lib64/ld-2.27.so)
==25173== by 0x4014E1D: _dl_close (in /usr/lib64/ld-2.27.so)
==25173== by 0x5E08C4E: _dl_catch_exception (in /usr/lib64/libc-2.27.so)
==25173== by 0x5E08CDE: _dl_catch_error (in /usr/lib64/libc-2.27.so)
==25173== by 0x58B1724: _dlerror_run (in /usr/lib64/libdl-2.27.so)
==25173== by 0x58B1113: dlclose (in /usr/lib64/libdl-2.27.so)
==25173== by 0x11E5A7: ??? (in /usr/bin/pkcs11-tool)
==25173== by 0x110023: ??? (in /usr/bin/pkcs11-tool)
==25173== by 0x5CF624A: (below main) (in /usr/lib64/libc-2.27.so)
==25173== Address 0x61231c8 is 552 bytes inside a block of size 584 free'd
==25173== at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==25173== by 0x6548492: p11_virtual_unwrap (virtual.c:2902)
==25173== by 0x64BF492: p11_proxy_module_cleanup (proxy.c:1723)
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Previously, to aggregate multiple modules into one, there was no other
way than loading the proxy module. From the p11-kit applications,
however, it is not possible to load that module because of the
recursive loading check (p11_proxy_module_check).
This patch adds another means to aggregate modules, through a library
function p11_proxy_module_create.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
This enables to control whether a module will be loaded from the proxy
module. The configuration reuses the "enable-in" and "disable-in"
options, with a special literal "p11-kit-proxy" as the value.
|
| |
|
|
|
| |
Since the libffi became optional (commit 9f632bed), the fallback code
path in proxy.c has never taken.
|
| |
|
|
|
|
|
| |
While the proxy module reassigns slot IDs in C_Initialize(), some
applications assume that valid slot IDs should never change across
multiple calls to C_Initialize(). This patch mitigates this by
preserving the slot IDs, if they are known to the proxy module.
|
| |
|
|
| |
Spotted by clang-analyzer.
|
| |
|
|
|
|
|
|
| |
libffi's closure support is not available on all platforms and may fail
at run time if running under a stricter SELinux policy. Fallback to
pre-compiled closures if it is not usable.
https://bugs.freedesktop.org/show_bug.cgi?id=97611
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=93589
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=92815
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=92445
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This corrects a deadlock on the forked process. The deadlock
happened because the proxy called C_Finalize prior to a C_Initialize
which is wrong according to PKCS #11 (2.40). This patch eliminates
the C_Finalize call in that case.
This resolves #90289
https://bugs.freedesktop.org/show_bug.cgi?id=90289
Reviewed-by: Stef Walter <stefw@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of trying to perform actions in pthread_atfork() which
are not async-signal-safe, just increment a counter so we can
later tell if the process has forked.
Note this does not make it safe to mix threads and forking without
immediately execing. This is a far broader problem that p11-kit,
however we now do the right thing when fork+exec is used from a
thread.
https://bugs.freedesktop.org/show_bug.cgi?id=84567
|
| |
|
|
| |
Pushed the wrong version
|
| |
|
|
|
|
|
| |
The p11-kit-proxy.so module would not respect the critical = no setting
in module configuration, and fail if any module failed to initialize.
https://bugs.freedesktop.org/show_bug.cgi?id=83651
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The proxy module would unload the PKCS#11 modules it was proxying
when C_Finalize() was called. However if a caller in another thread
was inside of a PKCS#11 function at the time, this would cause
a crash.
Change things around so that underlying modules are finalized during
the proxy C_Finalize() but not released/unloaded until the proxy
module itself is unloaded.
https://bugs.freedesktop.org/show_bug.cgi?id=74919
|
| |
|
|
|
|
|
|
| |
We should return CKR_CRYPTOKI_NOT_INITIALIZED rather than
assert() when proxy PKCS#11 functions are called before the
module is initialized.
https://bugs.freedesktop.org/show_bug.cgi?id=74919
|
| |
|
|
|
|
|
|
|
|
| |
Each time C_GetFunctionList is called on the proxy module, a new
managed PKCS#11 set of functions is returned. These are all cleaned
up when the module is unloaded.
We want the proxy module to continue to work even without the highly
recommended libffi. For that reason we still keep the old behavior of
sharing state in the proxy module.
|
| |
|
|
|
|
|
|
|
| |
Support a new managed style module loading for PKCS#11 modules. This
allows us to better coordinate between multiple callers of the same
PKCS#11 modules and provide hooks into their behavior.
This meant redoing the public facing API. The old methods are now
deprecated, marked and documented as such.
|
| |
|
|
|
|
|
|
|
|
|
| |
Put library init/uninit code its into their own statically
linked library so that they don't get linked into the p11-kit
executable.
Refactor the message code so that the library initialization can
plug in its per thread message buffer.
https://bugs.freedesktop.org/show_bug.cgi?id=63046
|
| |
|
|
|
|
|
|
|
|
|
| |
Start using p11_ as our internal prefix rather than _p11_. We explicitly
export p11_kit_ so this is fine as far as visibility.
Move the threading, mutex, and module compat, dict, and array code
into the common directory too.
Take this opportunity to clean up a bit of internal API as well,
since so many lines are being touched internally.
|
| |
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=58704
|
| |
|
|
|
|
|
|
|
|
| |
* Since p11-kit-proxy.so is a symlink to the libp11-kit.so library
we check that we are not calling into our known CK_FUNCTION_LIST
for the proxy code.
* Although such a configuration is invalid, detecting this directly
prevents strange initialization loop issues that are hard to debug.
https://bugs.freedesktop.org/show_bug.cgi?id=55052
|
| |
|
|
|
|
| |
* We don't try to guarantee completely robust and problem
free behavior in cases where the caller or process isn't
behaving. We consider these to be outside of our control.
|
| |
|
|
|
| |
* See previous commit
* Initialize library before debug statements
|
| |
|
|
|
|
|
| |
* Work around issues with brain-dead linkers not respecting
the libtool -export-symbol-regex argument
https://bugs.freedesktop.org/show_bug.cgi?id=42020
|
| |
|
|
|
|
|
|
| |
* Tests do not all yet pass, at least not on wine
* Added abstraction of some non-portable functions in compat.h/c
* Build with an argument like this for win32 support:
./autogen.sh --host=i586-mingw32msvc
* This win32 port needs more work from interested parties
|
| |
|
|
|
|
| |
* Initialize the mappings properly
* Lookup session handles correctly
* Debug initialization and finalization
|
| |
|
|
|
|
|
|
|
|
| |
* Reimplement the various bits of the hash table that were
still based on the apache apr code. Use different algorithms
for hashing, lookup and other stuff.
* Use this as an opportunity to cleanup that code and make
it more legible.
https://bugzilla.redhat.com/show_bug.cgi?id=725905
|
| | |
|
|
|
* Install headers to ${prefix}/include/p11-kit-1/p11-kit/
* This solves problems with other projects that have their own
pkcs11.h files.
* Change the pkg-config file name to p11-kit-1.pc
* Change the source file names.
|
