# This setting controls the actual module library to load. This config file might
# be installed by the package that installs this module library.
module: /usr/lib/my-pkcs11-module.so
+
+# This controls whether the module is required to successfully initialize. If 'yes', then
+# a failure to load or initialize this module will result in a p11-kit system failure.
+critical: no
</programlisting>
<para>User configuration file: <literal>~/.pkcs11/pkcs11.conf</literal></para>
# some custom non-standard initialization arguments, as NSS expects.
module: /usr/lib/libsoftokn3.so
x-init-reserved: configdir='sql:/home/test/.pki/nssdb' certPrefix='' keyPrefix='' secmod='socmod.db'
+critical: yes
</programlisting>
<variablelist>
<varlistentry>
<term>module:</term>
- <listitem><para>The absolute path to the PKCS#11 module to load.
- This should include an extension like <literal>.so</literal></para></listitem>
+ <listitem>
+ <para>The absolute path to the PKCS#11 module to load.
+ This should include an extension like <literal>.so</literal></para>
+ <para>If this value is blank, then the module will be ignored.
+ This can be used in the user configs to override loading of a module
+ specified in the system configuration.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>critical:</term>
+ <listitem>
+ <para>Set to <literal>yes</literal> if the module is critical and
+ required to load. If a critical module fails to load or initialize,
+ then the loading process for all registered modules will abort and
+ return an error code.</para>
+ <para>This argument is optional and defaults to <literal>no</literal>.</para>
+ </listitem>
</varlistentry>
</variablelist>
return configs;
}
+
+int
+_p11_conf_parse_boolean (const char *string,
+ int default_value)
+{
+ if (!string)
+ return default_value;
+
+ if (strcmp (string, "yes") == 0) {
+ return 1;
+ } else if (strcmp (string, "no") == 0) {
+ return 0;
+ } else {
+ _p11_message ("invalid setting '%s' defaulting to '%s'",
+ default_value ? "yes" : "no");
+ return default_value;
+ }
+}
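Review bot: The `_p11_message` call in the final `else` branch of `_p11_conf_parse_boolean` has two `%s` conversions but passes only one argument. The rejected value is never supplied and the second `%s` reads a variadic argument that does not exist, which is undefined behaviour on exactly the path taken for a malformed config value. Pass the string first: `_p11_message ("invalid setting '%s' defaulting to '%s'", string, default_value ? "yes" : "no");`. The `_p11_message` call added alongside the `critical` check in the module-loading loop has the same problem, a `%s` with no argument. If `_p11_message` is not already declared with a printf format attribute, adding one would let `-Wformat` catch both at compile time.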
hashmap *config;
int mode;
CK_RV rv;
+ int critical;
if (gl.config)
return CKR_OK;
if (!hash_steal (configs, key, (void**)&name, (void**)&config))
assert (0 && "not reached");
+ /* Is this a critical module, should abort loading of others? */
+ critical = _p11_conf_parse_boolean (hash_get (config, "critical"), 0);
+
rv = take_config_and_load_module_unlocked (&name, &config);
/*
free (name);
hash_free (config);
- if (rv != CKR_OK) {
+ if (critical && rv != CKR_OK) {
+ _p11_message ("aborting initializationg because module '%s' was marked as critical");
hash_free (configs);
return rv;
}
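Review bot: The abort message inside `if (critical && rv != CKR_OK)` cannot simply be given `name` for its `%s`, because `free (name)` runs just above the check. `name` was also passed by address to `take_config_and_load_module_unlocked`, which may have taken ownership of it. Either emit the message before the `free`, or keep a copy of the module name for logging. The message text misspells "initialization" as `initializationg`. Because `critical` defaults to `no`, a module that fails to load is now skipped without anything in this hunk logging it, so confirm the failure is reported elsewhere; the enclosing function starts and ends outside the hunk.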