| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Add missing header for strdup(3).
When EPROTO is not available, fallback to EIO.
https://bugs.freedesktop.org/show_bug.cgi?id=84665
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of trying to perform actions in pthread_atfork() which
are not async-signal-safe, just increment a counter so we can
later tell if the process has forked.
Note this does not make it safe to mix threads and forking without
immediately execing. This is a far broader problem that p11-kit,
however we now do the right thing when fork+exec is used from a
thread.
https://bugs.freedesktop.org/show_bug.cgi?id=84567
|
|
|
|
|
| |
This allows security frameworks like SELinux or AppArmor to target
it specifically.
|
|
|
|
|
|
| |
External binaries are searched for in $(libdir)/p11-kit. The
P11_KIT_PRIVATEDIR can be used to override that, for example during
'make check'
|
|
|
|
|
|
| |
This option was not completed in time, and as implemented suffers
from limitations that the module is not really completely isolated
as it still runs under the same user id as the calling process.
|
|
|
|
|
|
|
| |
Move our internal stuff to pkcs11i.h, and install the pkcs11x.h
header containing extensions.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
|
|
|
| |
Pushed the wrong version
|
|
|
|
|
|
|
| |
The p11-kit-proxy.so module would not respect the critical = no setting
in module configuration, and fail if any module failed to initialize.
https://bugs.freedesktop.org/show_bug.cgi?id=83651
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When building without debug build fails with:
CCLD p11-kit/p11-kit
./.libs/libp11-kit.so: undefined reference to `P11_RPC_CHECK_CALLS'
cc: error: linker command failed with exit code 1 (use -v to see
invocation)
gmake[2]: *** [p11-kit/p11-kit] Error 1
This happens because P11_RPC_CHECK_CALLS is not defined when
debugging is enabled, so provide a noop macro for that case.
|
|
|
|
| |
Still use recursive for documentation and translation.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
When we hadn't forked, but were just not initialized, still return
CKR_CRYPTOKI_NOT_INITIALIZED from managed modules.
|
|
|
|
|
|
| |
When C_Finalize is called in the wrong process, it's often because
of a caller unaware of forking. This is a painful area of PKCS#11,
but at least for C_Finalize, lets not complain loudly about it.
|
|
|
|
|
|
|
| |
This sets 'remote' appropriately to run the module in a separate
process.
https://bugs.freedesktop.org/show_bug.cgi?id=80472
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=54105
|
|
|
|
|
| |
This adds a new tool to the p11-kit command called 'remote'. This
is the server side of remoting a PKCS#11 module.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* This enables passing around bytes which represent PKCS#11 RPC calls.
* Caller is responsible for connecting/disconnecting and so on.
* Client side caller gets a mixin from p11_rpc_client_init() to call
into, which generates callbacks with byte arrays to be transported.
* Server side calls p11_rpc_server_handle() with a CK_FUNCTION_LIST_PTR
on which relevant methods get called.
* Doesn't yet implement the actual daemon or clients etc...
https://bugs.freedesktop.org/show_bug.cgi?id=54105
|
| |
|
| |
|
|
|
|
|
| |
These are useful functions for callers who want to supress all output
from p11-kit library.
|
|
|
|
|
|
|
|
| |
Correctly allow reinitialization when a process forks.
We don't yet implement checks on all entry points of a managed
module, but this allows callers to call C_Initialize again
after forking, as outlined by the PKCS#11 v2 spec.
|
|
|
|
|
|
|
|
| |
This fixes the function call p11_kit_module_initialize() to
correctly rearrange the modules array when initializing a module
fails.
Also fixes p11_kit_modules_load_and_initialize()
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=76594
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The proxy module would unload the PKCS#11 modules it was proxying
when C_Finalize() was called. However if a caller in another thread
was inside of a PKCS#11 function at the time, this would cause
a crash.
Change things around so that underlying modules are finalized during
the proxy C_Finalize() but not released/unloaded until the proxy
module itself is unloaded.
https://bugs.freedesktop.org/show_bug.cgi?id=74919
|
|
|
|
|
|
|
|
| |
We should return CKR_CRYPTOKI_NOT_INITIALIZED rather than
assert() when proxy PKCS#11 functions are called before the
module is initialized.
https://bugs.freedesktop.org/show_bug.cgi?id=74919
|
| |
|
| |
|
|
|
|
| |
A simple wrapper for C_GetAttributeValue()
|
|
|
|
|
| |
We use the FAKED_MODE environment variable as a way to detect
fakeroot.
|
| |
|
| |
|
|
|
|
|
|
| |
The actual command is 'trust extract-compat'. Make installed placeholder
script reflect this. We still support the old placeholder script
if it is present.
|
|
|
|
|
| |
In general we're slowly migrating towards the lower case style
for stuctures/objects.
|
|
|
|
| |
Handy function since this is a common need.
|
|
|
|
| |
This is so we can set a filtering uri on the iterator after construction
|
|
|
|
|
| |
To get the already loaded CK_TOKEN_INFO during iteration for the
token that the current object is on.
|
|
|
|
|
| |
This allows us to try to get a RW session, but if not fallback
to a read-only session.
|
| |
|
|
|
|
|
|
| |
As a side effect we can also not use the dirent.d_type field
https://bugs.freedesktop.org/show_bug.cgi?id=68525
|
| |
|
|
|
|
|
| |
* Add a testing sanity check to see if we're catching errors
* Fix a few other testing issues
|