summaryrefslogtreecommitdiff
path: root/p11-kit
Commit message (Collapse)AuthorAgeFilesLines
* Improve const correctness for P11KitUriNathaniel McCallum2018-05-243-41/+41
| | | | | | | | | This does not improve const for the getters. The reason for this is that they are usually passed into the PKCS#11 APIs directly and these APIs are not const correct. Trying to force const correctnesss here would result in pain for library consumers. This is an API and ABI compatible change.
* proxy: Don't null terminate PKCS #11 string fieldsDaiki Ueno2018-05-071-2/+2
|
* test: Avoid exceeding maximum pathname length of Unix socketDaiki Ueno2018-05-041-2/+7
|
* mock-module-ep: Properly override C_GetFunctionListDaiki Ueno2018-04-061-1/+1
|
* modules: Add option to control module visibility from proxyDaiki Ueno2018-04-065-10/+116
| | | | | | This enables to control whether a module will be loaded from the proxy module. The configuration reuses the "enable-in" and "disable-in" options, with a special literal "p11-kit-proxy" as the value.
* modules: Fix memleak in re-initialization caseDaiki Ueno2018-03-291-0/+1
|
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctlyJustin King-Lacroix2018-03-291-1/+6
| | | | | | In p11_kit_modules_initialize(), treat a return code of CKR_CRYPTOKI_ALREADY_INITIALIZED as identical to CKR_OK.
* test: Add missing seven.module in Windows fixturesDaiki Ueno2018-03-291-0/+4
|
* build: Enable make check with wineDaiki Ueno2018-03-291-1/+1
|
* test: Add failing test for CKR_CRYPTOKI_ALREADY_INITIALIZEDDaiki Ueno2018-03-294-1/+115
|
* test: Add test for error messagesDaiki Ueno2018-03-292-0/+112
|
* test: Use _exit() in child process to immediately close open FDsDaiki Ueno2018-03-291-1/+1
|
* test: Rewrite test-server.sh in TAP styleDaiki Ueno2018-03-291-11/+27
|
* test-server.sh: Fix bashismAndreas Metzler2018-02-281-4/+4
|
* test-server: Add test for detecting addressDaiki Ueno2018-02-271-1/+29
|
* test-server: Fix compilation error on FreeBSDDaiki Ueno2018-02-271-0/+1
|
* common, client: Move runtime directory detection to libp11-commonDaiki Ueno2018-02-271-65/+2
|
* test: Improve temporary directory handlingDaiki Ueno2018-02-271-2/+4
|
* p11_kit_remote_serve_tokens: Read "write-protected" setting from URIDaiki Ueno2018-02-272-0/+42
|
* filter: Respect CKF_WRITE_PROTECTED setting when allowing a tokenDaiki Ueno2018-02-272-16/+134
|
* test: Add test for client-server interactionDaiki Ueno2018-02-272-0/+203
| | | | | | | The test spawns a process running the server command and connects to it through p11-kit-client.so. It's is a bit tricky that the child process requires to preload libasan.so when ASan is in in effect, to properly load a mock module.
* server: Print envvars even when running in foregroundDaiki Ueno2018-02-271-22/+39
|
* test-transport: Make sure to initialize addrlen given to acceptDaiki Ueno2018-02-271-0/+1
|
* client: Fix memleaks in the moduleDaiki Ueno2018-02-271-3/+9
|
* test: Fix unconditional jump in test-proxy.cDaiki Ueno2018-02-271-0/+1
|
* build: Split out generated code from p11-kit/virtual.cDaiki Ueno2018-01-313-199/+35
|
* build: Delay compilation of test-related stuffDaiki Ueno2018-01-301-6/+9
|
* proxy: Remove dead codeDaiki Ueno2018-01-301-708/+0
| | | | | Since the libffi became optional (commit 9f632bed), the fallback code path in proxy.c has never taken.
* proxy: Reuse the existing slot ID mapping after forkDaiki Ueno2018-01-295-4/+122
| | | | | | | While the proxy module reassigns slot IDs in C_Initialize(), some applications assume that valid slot IDs should never change across multiple calls to C_Initialize(). This patch mitigates this by preserving the slot IDs, if they are known to the proxy module.
* server: Avoid null-dereference of timespec value on timeoutDaiki Ueno2018-01-171-1/+2
| | | | Spotted by clang-analyzer.
* test: Improve code coverage of filter.cDaiki Ueno2017-11-151-0/+67
|
* p11_kit_override_system_files: introduced new functionNikos Mavrogiannopoulos2017-11-013-5/+59
| | | | | | | That allows overriding the default module and configuration locations, for use in test suites, etc. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* p11_kit_modules_load*: enhanced documentation on flagsNikos Mavrogiannopoulos2017-10-311-0/+6
| | | | Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
* server: Better shell integrationDaiki Ueno2017-10-063-19/+147
| | | | | | This adds -k, -c, and -s options to the "p11-kit server" command, which allows you to terminate the server process, select which C-shell or Bourne shell command line is printed on startup, respectively.
* server: Make it possible to eval envvar settingsDaiki Ueno2017-10-051-9/+11
| | | | | Previously, calling "eval $(p11-kit server)" from shell hung because the program didn't properly close stdout before forking.
* rpc: Fix crash when retrieving attribute lengthDaiki Ueno2017-09-272-4/+34
| | | | | | It is possible that NULL is given to the serializers, when C_GetAttributeValue() just wants to know the size of an attribute. Previously, this resulted in giving NULL to memcpy().
* server: Make it work only when token URI is providedDaiki Ueno2017-09-271-47/+41
| | | | | | Previously, when "p11-kit server" started only with a token URI, it couldn't properly find and initialize the module which provides the token. This was because of the wrong order of cleanup of the modules.
* client: Fix order of cleanupDaiki Ueno2017-08-111-1/+1
| | | | | | In C_GetFunctionList, state->virt is wrapped with a destroyer function free(). Thus p11_rpc_transport_free must be called before p11_virtual_unwrap.
* test: Add checks for duplicate vendor attributesDaiki Ueno2017-08-081-0/+10
|
* uri: Make vendor query attribute handling reliableDaiki Ueno2017-08-081-24/+80
| | | | | | | | | | | | Previously we used p11_dict to keep track of vendor query attributes. This had a couple of limitations: duplicate attributes are not allowed while they are actually allowed in RFC 7512, and the order of attributes is unpredictable. This patch switches to using an array instead of p11_dict and ensures that the attributes are sorted in alphabetical order. Fixes #88.
* test: Fix failure on 32-bit big endian platformDaiki Ueno2017-07-141-14/+15
| | | | | | | | | | The value given to p11_rpc_buffer_add_ulong_value() must be a pointer of CK_ULONG. Similarly, the value returned from p11_rpc_buffer_get_ulong_value() must be converted to CK_ULONG before comparison. Reported by Andreas Metzler in: https://lists.freedesktop.org/archives/p11-glue/2017-July/000665.html
* conf: Introduce P11_KIT_NO_USER_CONFIGColin Walters2017-07-101-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | Currently `ca-certificates.spec` in Fedora ends up doing in `%post`: ``` /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt ``` etc. And due to this bit of code in p11-kit, we end up looking for the home directory for configuration. In this case, `/root`. It's categorically wrong to do this; the root user is distinct from "the system". This issue is equivalent to one I fixed in Pango: https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c Fast forward to today, and the reason I'm making this change is I'm working on `rpm-ostree ex container`, which builds containers as *non-root* (like gnome-continuous does, but now with RPMs), keeping the invoking uid. And this bug causes the `ca-certificates` `%post` to fail because it's trying to look for my uid 1000 which doesn't exist in the target rootfs' password database. Again, there's no reason to be looking for a home directory for system triggers, regadless of UID, so once this patch lands, I'll update `ca-certificates` to use it, and traditional RPM `%post` will stop looking in `/root` too.
* debug: Add p11_debug_err to prevent use of strerrorDaiki Ueno2017-06-121-1/+1
|
* rpc: Avoid use-after-free when creating socket base directoryDaiki Ueno2017-05-291-1/+0
| | | | Spotted by clang-analyzer.
* rpc: Avoid calling memcmp() on NULL bufferDaiki Ueno2017-05-291-1/+3
| | | | Spotted by clang-analyzer.
* proxy: Don't call realloc() with size 0Daiki Ueno2017-05-291-9/+11
| | | | Spotted by clang-analyzer.
* build: Delay building test programs until "make check"Daiki Ueno2017-05-291-2/+2
| | | | | This is to disable clang-analyzer against test programs, which can contain several false-positives.
* server: Avoid use-after-freeDaiki Ueno2017-05-291-1/+0
| | | | | Reported by Mantas Mikulėnas in: https://bugs.freedesktop.org/show_bug.cgi?id=101212
* test: Check the size of unsigned longDaiki Ueno2017-05-261-9/+9
|
* rpc: Load advapi32.dll on the flyDaiki Ueno2017-05-262-7/+91
|