Daiki Ueno [Fri, 26 Aug 2016 15:20:06 +0000 (17:20 +0200)]
build: Make libffi closure optional
libffi's closure support is not available on all platforms and may fail
at run time if running under a stricter SELinux policy. Fallback to
pre-compiled closures if it is not usable.
* common/compat.c: Fix "implicit declaration of function 'issetugid'"
warning. On FreeBSD, it's required to define __BSD_VISIBLE to make
issetugid(2) visible
* common/test-message.c: Fix "implicit declaration of function
'asprintf'" by including <stdio.h>
* p11-kit/test-iter.c: Fix "format '%lu' expects argument of
type 'long unsigned int', but argument 3 has type 'int'" by
changing format string to "%d"
Lubomir Rintel [Thu, 8 Dec 2016 17:20:37 +0000 (18:20 +0100)]
systemd: add per-user remoting socket
This allows daemons outside user's session to use per-user PKCS#11
modules. Useful for letting VPN daemons or wpa_supplicant use
certificates stored in user's GNOME keyring, etc.
Lubomir Rintel [Tue, 3 Nov 2015 07:11:39 +0000 (08:11 +0100)]
common: use recursive pthread mutex for library lock
This allows us to do nested locking within one thread avoiding a lockup
when remoting the p11-kit-proxy.so module:
#0 0x00007f190f35838d in __lll_lock_wait () from /lib64/libpthread.so.0
#1 0x00007f190f351e4d in pthread_mutex_lock () from /lib64/libpthread.so.0
#2 0x00007f190f98657f in C_GetFunctionList (list=0x7ffe7ec3f798) at p11-kit/proxy.c:2355
#3 0x00007f190f993cc9 in dlopen_and_get_function_list (funcs=0x7ffe7ec3f798, path=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", mod=0x249e3d0) at p11-kit/modules.c:337
#4 load_module_from_file_inlock (name=name@entry=0x0, path=path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", result=result@entry=0x7ffe7ec3f7e8) at p11-kit/modules.c:382
#5 0x00007f190f99587f in p11_kit_module_load (module_path=module_path@entry=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so", flags=flags@entry=0) at p11-kit/modules.c:2427
#6 0x0000000000401c4b in serve_module_from_file (file=0x7ffe7ec40926 "/usr/local/lib/p11-kit-proxy.so") at p11-kit/remote.c:105
#7 main (argc=1, argv=<optimized out>) at p11-kit/remote.c:169
The Windows NT mutex is aready recursive by default.
Daiki Ueno [Mon, 16 Jan 2017 13:06:30 +0000 (14:06 +0100)]
uri: Avoid typecasting confusion on s390x
Like memcpy(), the 'void *' argument of p11_buffer_add() points to the
memory area ordered in host's endianness. Add typecast of int->char to
avoid the confusion.
Reported by Andreas Metzler in:
https://lists.freedesktop.org/archives/p11-glue/2017-January/000633.html
Lubomir Rintel [Wed, 28 Dec 2016 15:11:21 +0000 (16:11 +0100)]
uri: fix the query attribute parsing
The pin-* attributes belong to the query part. We should not parse them
until we see a '?' and they're separated with a '&'.
This might be an important thing -- some of the query attributes may
have security implications reaching outside scope of the token itself, to the
host system itself. E.g. a pin-source may cause the consumer to access a file
or module-path (unimplemented) execute code. The user may want to just chop the
attribute part off if they want the consumer access the token and not take the
security considerations into account.
- Current command for creation of the p11-kit-proxy symlink
uses shell brace expansion that isn't supported by all
the shells (e.g. FreeBSD's /bin/sh does not support that).
Replace it with the old-fashioned 'for' loop
- Match extension of the source and the target, i.e. so links
to so, dylib links to dylib (previously dylib linked to so)
- Add an uninstall-local target to clean up the symlink
This fixes issues pointed in:
https://bugzilla.redhat.com/show_bug.cgi?id=985445
except for p11-kit/conf.c:read_config_file(), which was rewritten using
mmap() and thus length calculation is no longer needed.
Previously p11-kit-trust.so tried to interpret certificate as PEM format
first. This could cause potential conflict if the certificate were
actually in DER format and contained a PEM marker strings.
This test hasn't been working since the removal of the pthread_atfork()
deinit code. To properly clean up, the child process needs to call
C_Initialize() and C_Finalize(), and it is already tested by
/proxy/initialize-child.
GCC's asan spotted this:
Direct leak of 338 byte(s) in 13 object(s) allocated from:
#0 0x7f54f03fee20 in malloc (/lib64/libasan.so.3+0xc6e20)
#1 0x445e8c in p11_path_build ../common/path.c:222
#2 0x4385bd in expand_tempdir ../common/test.c:334
#3 0x43869c in p11_test_directory ../common/test.c:361
#4 0x4033e3 in setup_temp ../trust/test-token.c:79
Reset mod->init_count when forkid has changed. Otherwise C_Finalize
does not get called.
GCC's asan spotted this:
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x7f89bc7bfe20 in malloc (/lib64/libasan.so.3+0xc6e20)
#1 0x7f89bc47a1f1 in p11_dict_new ../common/dict.c:278
#2 0x7f89bc42143d in managed_C_Initialize ../p11-kit/modules.c:1477
#3 0x7f89bc464c72 in binding_C_Initialize ../p11-kit/virtual.c:121
#4 0x7f89bc1b0a51 in ffi_closure_unix64_inner (/lib64/libffi.so.6+0x5a51)
#5 0x7f89bc1b0dbf in ffi_closure_unix64 (/lib64/libffi.so.6+0x5dbf)
#6 0x7f89bc44f9e8 in rpc_C_Initialize ../p11-kit/rpc-server.c:691
Make sure to call p11_virtual_uninit() on managed module. Otherwise the
associated lower_module will not be released.
GCC's asan spotted this:
Direct leak of 56 byte(s) in 1 object(s) allocated from:
#0 0x7f6c5368dfe0 in calloc (/lib64/libasan.so.3+0xc6fe0)
#1 0x4436ba in p11_rpc_client_init ../p11-kit/rpc-client.c:2082
#2 0x42c147 in p11_rpc_transport_new ../p11-kit/rpc-transport.c:850
#3 0x415d95 in setup_module_for_remote_inlock ../p11-kit/modules.c:411
GCC's asan spotted this:
Direct leak of 120 byte(s) in 1 object(s) allocated from:
#0 0x7f8d4f221fe0 in calloc (/lib64/libasan.so.3+0xc6fe0)
#1 0x427f55 in rpc_socket_new ../p11-kit/rpc-transport.c:100
#2 0x42bc1b in rpc_exec_connect ../p11-kit/rpc-transport.c:767
However, on Mac OS X the library is named libp11-kit.dylib so
in the above command the source of the link resolves to nothing,
the destination becomes the source and the link to a non-existent
file is created in the working directory.
Daiki Ueno [Fri, 12 Aug 2016 12:27:46 +0000 (14:27 +0200)]
test: Make test-module work --without-trust-module
The test-module program currently depends on TRUST_PATHS, which is
determined by the configure script and normally points to a resource
outside of the build tree. To make the test system-independent, use
a crafted path for testing.
Daiki Ueno [Mon, 8 Aug 2016 08:31:19 +0000 (10:31 +0200)]
uri: Remove whitespace early when parsing
For every path/query component, p11_kit_uri_parse() allocates a small
buffer to strip whitespace out. This patch removes any whitespace in
the URI at the entry of the function to simplify the code.
Note that RFC 7512 actually suggests to ignore whitespace at the
extracting phase rather than the parsing phase.
Daiki Ueno [Fri, 12 Aug 2016 14:16:38 +0000 (16:16 +0200)]
Fix leak when C_Initialize() is called from child
The test case added for bug 90289 (commit c73edd00) revealed that some
of the C_Initialize() implementations do not consider the case where it
is called from the parent process and then from the child process,
without calling C_Finalize() in between.
Andreas Metzler [Tue, 23 Feb 2016 18:12:40 +0000 (19:12 +0100)]
Doc: p11_kit_module_load accepts a filename arg.
p11_kit_module_load() hands on the module_path argument to
load_module_from_file_inlock() which accepts relative paths, prepending
P11_MODULE_PATH. Update API documentation accordingly.
fd_set and friends, according to POSIX.1-2001, needs sys/select.h, so
include it otherwise the build fails for uClibc:
p11-kit/rpc-transport.c: In function ‘rpc_socket_read’:
p11-kit/rpc-transport.c:350:2: error: unknown type name ‘fd_set’
p11-kit/rpc-transport.c:416:4: warning: implicit declaration of function
‘FD_ZERO’ [-Wimplicit-function-declaration]
Robert Milasan [Thu, 30 Jul 2015 09:27:13 +0000 (11:27 +0200)]
Fix trust command segfaults in expand_homedir() when no matching password record was found
Hello, it looks like under some conditions, command trust segfaults in
expand_homedir() due to no matching password record was found:
Signed-off-by: Robert Milasan <rmilasan@suse.com> Signed-off-by: Stef Walter <stefw@redhat.com>
* Updated path so message is printed and errno is not overwritten
In proxy module don't call C_Finalize on a forked process.
This corrects a deadlock on the forked process. The deadlock
happened because the proxy called C_Finalize prior to a C_Initialize
which is wrong according to PKCS #11 (2.40). This patch eliminates
the C_Finalize call in that case.
This resolves #90289
https://bugs.freedesktop.org/show_bug.cgi?id=90289
Generate URIs compliant to the PKCS#11 URI draft in LC
We continue to accept both the older style 'object-type' field
in addition to the new 'type' field. However we start generating
URIs in the new form.
In other words we have backwards compatibility, but not forwards
compatibility. Given the fact that PKCS#11 URIs are now standardizing
this is an acceptable compromise.
Adam Williamson [Wed, 14 Jan 2015 04:52:20 +0000 (20:52 -0800)]
trust: Add pem-directory-hash extract format
This allows extraction of a directory of standard PEM files
with the OpenSSL hash symlinks; this is a format used by
some popular platforms (Debian's /etc/ssl/certs is in this
form, and OpenSUSE provides it for compatibility).
Initially by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Added header, fixed compiler warnings
projects / p11-kit / log