Daiki Ueno [Thu, 24 May 2018 09:01:33 +0000 (11:01 +0200)]
common: Make case conversion locale independent
The tolower()/toupper() functions take into account of the current
locale settings, which p11-kit doesn't want. Add replacement
functions that work as if they are called under the C locale.
This does not improve const for the getters. The reason for this is that
they are usually passed into the PKCS#11 APIs directly and these APIs
are not const correct. Trying to force const correctnesss here would
result in pain for library consumers.
That is, use README.md as primary source to generate README as
README is required by the GNU guidelines. We don't try to convert
to "real" plain text as markdown is readable, and to avoid introducing
another dependency (e.g., pandoc).
We should rather use newlocale() when per-thread locale is not set.
Otherwise uselocale() could return LC_GLOBAL_LOCALE on some
platforms (e.g. musl-libc) and calling strerror_l() with it leads to
an undefined behavior.
build: Check strerror_l() and uselocale() seperately
NetBSD deliberately doesn't support per-thread locale and our
thread-safe replacement of strerror() using strerror_l() cannot be
used. Fallback to strerror_r() in that case.
modules: Add option to control module visibility from proxy
This enables to control whether a module will be loaded from the proxy
module. The configuration reuses the "enable-in" and "disable-in"
options, with a special literal "p11-kit-proxy" as the value.
Laszlo Ersek [Tue, 27 Mar 2018 15:28:11 +0000 (17:28 +0200)]
trust: implement the "edk2-cacerts" extractor
Extract the DER-encoded X.509 certificates in the EFI_SIGNATURE_LIST
format that is
- defined by the UEFI 2.7 spec (using one inner EFI_SIGNATURE_DATA object
per EFI_SIGNATURE_LIST, as specified for EFI_CERT_X509_GUID),
- and expected by edk2's HttpDxe when it configures the certificate list
for HTTPS boot from EFI_TLS_CA_CERTIFICATE_VARIABLE (see the
TlsConfigCertificate() function in "NetworkPkg/HttpDxe/HttpsSupport.c").
Daiki Ueno [Mon, 26 Feb 2018 10:44:01 +0000 (11:44 +0100)]
test: Add test for client-server interaction
The test spawns a process running the server command and connects to
it through p11-kit-client.so. It's is a bit tricky that the child
process requires to preload libasan.so when ASan is in in effect, to
properly load a mock module.
Daiki Ueno [Wed, 31 Jan 2018 13:07:51 +0000 (14:07 +0100)]
trust: Filter out duplicate extensions
The trust policy module keeps all the objects in the database, while
PKIX doesn't allow multiple extensions identified by the same OID can
be attached to a certificate. Add a check to C_FindObjects to exclude
any duplicates and only return the first matching object.
It would be better if the module rejects such duplicates when loading,
but it would make startup slower.
Daiki Ueno [Tue, 16 Jan 2018 15:17:22 +0000 (16:17 +0100)]
proxy: Reuse the existing slot ID mapping after fork
While the proxy module reassigns slot IDs in C_Initialize(), some
applications assume that valid slot IDs should never change across
multiple calls to C_Initialize(). This patch mitigates this by
preserving the slot IDs, if they are known to the proxy module.
Daiki Ueno [Wed, 15 Nov 2017 11:51:40 +0000 (12:51 +0100)]
travis: Use in-tree build for coverage
The coverage tools (gcov, cpp-coveralls, etc) cannot detect source
files if the project is built out-of-tree. Use the same directory for
$srcdir and $builddir for the build with --enable-coverage.
Daiki Ueno [Fri, 6 Oct 2017 08:58:50 +0000 (10:58 +0200)]
server: Better shell integration
This adds -k, -c, and -s options to the "p11-kit server" command,
which allows you to terminate the server process, select which C-shell
or Bourne shell command line is printed on startup, respectively.
It is possible that NULL is given to the serializers, when
C_GetAttributeValue() just wants to know the size of an attribute.
Previously, this resulted in giving NULL to memcpy().
server: Make it work only when token URI is provided
Previously, when "p11-kit server" started only with a token URI, it
couldn't properly find and initialize the module which provides the
token. This was because of the wrong order of cleanup of the modules.
Daiki Ueno [Tue, 8 Aug 2017 12:52:41 +0000 (14:52 +0200)]
uri: Make vendor query attribute handling reliable
Previously we used p11_dict to keep track of vendor query attributes.
This had a couple of limitations: duplicate attributes are not allowed
while they are actually allowed in RFC 7512, and the order of
attributes is unpredictable.
This patch switches to using an array instead of p11_dict and ensures
that the attributes are sorted in alphabetical order.
Daiki Ueno [Tue, 8 Aug 2017 12:52:24 +0000 (14:52 +0200)]
common: Use reallocarray instead of realloc as appropriate
reallocarray is a new POSIX function added in glibc 2.26, with
built-in overflow checks. Take advantage of that function for
internal array allocation.
The value given to p11_rpc_buffer_add_ulong_value() must be a pointer
of CK_ULONG. Similarly, the value returned from
p11_rpc_buffer_get_ulong_value() must be converted to CK_ULONG before
comparison.
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-July/000665.html
Colin Walters [Fri, 7 Jul 2017 17:19:18 +0000 (13:19 -0400)]
conf: Introduce P11_KIT_NO_USER_CONFIG
Currently `ca-certificates.spec` in Fedora ends up doing in `%post`:
```
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
```
etc.
And due to this bit of code in p11-kit, we end up looking for the home
directory for configuration. In this case, `/root`.
It's categorically wrong to do this; the root user is distinct from
"the system". This issue is equivalent to one I fixed in Pango:
https://git.gnome.org/browse/pango/commit/?id=aecbe27c1b08f517c0e05f03308d3ac55cef490c
Fast forward to today, and the reason I'm making this change is I'm working on
`rpm-ostree ex container`, which builds containers as *non-root* (like
gnome-continuous does, but now with RPMs), keeping the invoking uid. And this
bug causes the `ca-certificates` `%post` to fail because it's trying to look for
my uid 1000 which doesn't exist in the target rootfs' password database.
Again, there's no reason to be looking for a home directory for system triggers,
regadless of UID, so once this patch lands, I'll update `ca-certificates` to use
it, and traditional RPM `%post` will stop looking in `/root` too.
Fabian Groffen [Wed, 7 Jun 2017 12:37:27 +0000 (14:37 +0200)]
common: always use p11_dl_close wrapper
Solaris doesn't like it when dlclose is referenced using a define,
resulting in a linker error looking for a symbol version. Simply
calling the function in a normal way (instead of storing its address)
solves this linking error.
The error message seen by GNU ld is:
dlclose: invalid version 7 (max 0)