authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-10-30 09:57:09 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-11-03 16:10:55 +0000
commite85d0a63b6ffd4421a89bba86d58ec8cf9635aac (patch)
tree2fea7cd72eb8a0e5ecf53135ff8f2b5eccdef325 /lib
parent09e57d228c75dec9699ce5f45c8b1a84fe13a0bb (diff)
pkcs11: introduce multiple levels of loading
That allows loading the PKCS#11 trusted modules (on systems which use them) without loading all the potentially present PKCS#11 modules. Relates #315 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/pkcs11.h1
-rw-r--r--lib/pkcs11.c51
-rw-r--r--lib/pkcs11_int.h11
-rw-r--r--lib/pkcs11_privkey.c2
4 files changed, 50 insertions, 15 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index c3db2181aa..52f7898b44 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -65,6 +65,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
#define GNUTLS_PKCS11_FLAG_MANUAL 0 /* Manual loading of libraries */
#define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
+#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1) /* Automatically load trusted libraries by reading /etc/gnutls/pkcs11.conf */
/* pkcs11.conf format:
* load = /lib/xxx-pkcs11.so
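Review bot: The comment on the new `GNUTLS_PKCS11_FLAG_AUTO_TRUSTED` says the trusted libraries are found "by reading /etc/gnutls/pkcs11.conf", but the matching branch added to gnutls_pkcs11_init in lib/pkcs11.c calls only `auto_load(1)` (p11-kit with `P11_KIT_MODULE_TRUSTED`) and never `compat_load()`, so the legacy config file is not consulted on that path. Since this is a public header, the comment is what API users will rely on; I would write `/* Automatically load only the p11-kit modules marked as trusted; the legacy pkcs11.conf is not read */`. It may also be worth stating that `GNUTLS_PKCS11_FLAG_AUTO` takes precedence when both bits are set, which is what the branch order in gnutls_pkcs11_init implies.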
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index e014a6b5f8..521aa3d5dd 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -108,7 +108,14 @@ struct find_cert_st {
static struct gnutls_pkcs11_provider_st providers[MAX_PROVIDERS];
static unsigned int active_providers = 0;
-static unsigned int providers_initialized = 0;
+
+typedef enum init_level_t {
+ PROV_UNINITIALIZED = 0,
+ PROV_INIT_TRUSTED,
+ PROV_INIT_ALL
+} init_level_t;
+
+static init_level_t providers_initialized = PROV_UNINITIALIZED;
static unsigned int pkcs11_forkid = 0;
static int _gnutls_pkcs11_reinit(void);
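Review bot: The `init_level_t` enumerators carry an implicit ordering contract — `_gnutls_pkcs11_check_init` compares them with `>=` and `<` — and nothing at the definition records that, so a future insertion (say a level between trusted and all) could silently break the comparison. I would add a comment above the typedef: `/* Ordered: each level loads a superset of the modules of the lower ones; _gnutls_pkcs11_check_init relies on numeric comparison. */`. The `= 0` on `PROV_UNINITIALIZED` is redundant but harmless, and it does make the static-storage zero state explicit, so I would keep it.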
@@ -261,15 +268,21 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
* The output value of the callback will be returned if it is
* a negative one (indicating failure).
*/
-int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
+int _gnutls_pkcs11_check_init(unsigned trusted, void *priv, pkcs11_reinit_function cb)
{
int ret;
+ init_level_t req_level = PROV_UNINITIALIZED;
+
+ if (trusted)
+ req_level = PROV_INIT_TRUSTED;
+ else
+ req_level = PROV_INIT_ALL;
ret = gnutls_mutex_lock(&_gnutls_pkcs11_mutex);
if (ret != 0)
return gnutls_assert_val(GNUTLS_E_LOCKING_ERROR);
- if (providers_initialized != 0) {
+ if (providers_initialized >= req_level) {
ret = 0;
if (_gnutls_detect_fork(pkcs11_forkid)) {
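Review bot: `req_level` is initialised to `PROV_UNINITIALIZED` and then unconditionally overwritten by the if/else that follows, so the initial value is dead; a single declaration reads better and avoids the impression that `PROV_UNINITIALIZED` is a reachable request: `init_level_t req_level = trusted ? PROV_INIT_TRUSTED : PROV_INIT_ALL;`. While here, the ternaries added later in this function (`trusted?GNUTLS_PKCS11_FLAG_AUTO_TRUSTED:GNUTLS_PKCS11_FLAG_AUTO`) and in `auto_load` (`trusted?P11_KIT_MODULE_TRUSTED:0`) lack the spaces around `?` and `:` that the rest of the file uses. The body of `_gnutls_pkcs11_check_init` continues beyond this hunk.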
@@ -288,10 +301,16 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb)
gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
return ret;
+ } else if (providers_initialized < req_level) {
+ /* when upgrading initialization level, deinitialize
+ * and re-initialize everything. */
+ gnutls_pkcs11_deinit();
}
_gnutls_debug_log("Initializing PKCS #11 modules\n");
- ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_AUTO, NULL);
+ ret = gnutls_pkcs11_init(
+ trusted?GNUTLS_PKCS11_FLAG_AUTO_TRUSTED:GNUTLS_PKCS11_FLAG_AUTO,
+ NULL);
gnutls_mutex_unlock(&_gnutls_pkcs11_mutex);
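Review bot: The new `else if (providers_initialized < req_level)` is the exact negation of the `if (providers_initialized >= req_level)` above it, so it is always true and `gnutls_pkcs11_deinit()` now also runs on the never-initialised path, which the old code did not do. Judging by the deinit hunk further down, that call resets the PIN and token callbacks to NULL, so a callback an application registered before its first PKCS#11 operation may be dropped at lazy initialisation — I have not verified whether the setter functions themselves trigger initialisation, so please check. Restricting the branch to `} else if (providers_initialized != PROV_UNINITIALIZED) {` restores the previous behaviour for the first initialisation while keeping the upgrade path. Separately, the trusted-to-all upgrade tears down all providers without, as far as this hunk shows, invoking the `cb` reinit callback that the fork path uses; if a caller holds a live session (a pkcs11 privkey) across that upgrade, the comment should say how it is expected to recover, or `cb` should be invoked here as well.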
@@ -742,13 +761,13 @@ static void compat_load(const char *configfile)
return;
}
-static int auto_load(void)
+static int auto_load(unsigned trusted)
{
struct ck_function_list **modules;
int i, ret;
char* name;
- modules = p11_kit_modules_load_and_initialize(0);
+ modules = p11_kit_modules_load_and_initialize(trusted?P11_KIT_MODULE_TRUSTED:0);
if (modules == NULL) {
gnutls_assert();
_gnutls_debug_log
@@ -817,15 +836,21 @@ gnutls_pkcs11_init(unsigned int flags, const char *deprecated_config_file)
if (flags == GNUTLS_PKCS11_FLAG_MANUAL) {
/* if manual configuration is requested then don't
* bother loading any other providers */
- providers_initialized = 1;
+ providers_initialized = PROV_INIT_ALL;
return 0;
} else if (flags & GNUTLS_PKCS11_FLAG_AUTO) {
if (deprecated_config_file == NULL)
- ret = auto_load();
+ ret = auto_load(0);
compat_load(deprecated_config_file);
- providers_initialized = 1;
+ providers_initialized = PROV_INIT_ALL;
+
+ return ret;
+ } else if (flags & GNUTLS_PKCS11_FLAG_AUTO_TRUSTED) {
+ ret = auto_load(1);
+
+ providers_initialized = PROV_INIT_TRUSTED;
return ret;
}
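Review bot: In the `GNUTLS_PKCS11_FLAG_AUTO` branch the added `return ret;` returns a value that is only assigned when `deprecated_config_file == NULL`; unless `ret` is initialised at its declaration outside this hunk, passing a config file now returns an indeterminate value where the old code fell through past the if/else chain. Setting `ret = 0;` at the top of that branch (or at the declaration) makes the path explicit regardless. The `GNUTLS_PKCS11_FLAG_AUTO_TRUSTED` branch silently ignores `deprecated_config_file`; a one-line comment such as `/* the legacy config file only lists modules to load, it has no trust marking, so it is not consulted here */` would record that this is deliberate rather than an omission — assuming that is indeed the intent.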
@@ -918,7 +943,7 @@ void gnutls_pkcs11_deinit(void)
p11_kit_module_release(providers[i].module);
}
active_providers = 0;
- providers_initialized = 0;
+ providers_initialized = PROV_UNINITIALIZED;
gnutls_pkcs11_set_pin_function(NULL, NULL);
gnutls_pkcs11_set_token_function(NULL, NULL);
@@ -3173,7 +3198,11 @@ gnutls_pkcs11_obj_list_import_url4(gnutls_pkcs11_obj_t ** p_list,
int ret;
struct find_obj_data_st priv;
- PKCS11_CHECK_INIT;
+ if (flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED) {
+ PKCS11_CHECK_INIT_TRUSTED;
+ } else {
+ PKCS11_CHECK_INIT;
+ }
memset(&priv, 0, sizeof(priv));
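Review bot: The choice between `PKCS11_CHECK_INIT_TRUSTED` and `PKCS11_CHECK_INIT` here is history-dependent: if the providers are already at `PROV_INIT_ALL`, a `GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED` listing passes the `>=` check and enumerates across all loaded modules, whereas on a fresh process it sees only the p11-kit trusted modules. That is fine if the trusted-only level is a load-avoidance optimisation and the actual trust filtering is done by object attributes in the enumeration, but the code should say so, because a reader could otherwise take the module set as the trust boundary. I would add above the `if`: `/* Loading only the trusted modules avoids initialising every provider on the system; it is not what decides which objects are trusted. */`. The surrounding function `gnutls_pkcs11_obj_list_import_url4` starts and ends outside this hunk.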
diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h
index 2c2de3463f..23b45fe36a 100644
--- a/lib/pkcs11_int.h
+++ b/lib/pkcs11_int.h
@@ -82,7 +82,7 @@ struct gnutls_pkcs11_privkey_st {
* directly. It can be provided a callback function to run when a reinitialization
* occurs. */
typedef int (*pkcs11_reinit_function)(void *priv);
-int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
+int _gnutls_pkcs11_check_init(unsigned trusted, void *priv, pkcs11_reinit_function cb);
#define FIX_KEY_USAGE(pk, usage) \
if (usage == 0) { \
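Review bot: The prototype gains a `trusted` parameter but the comment block above it (the two visible lines describe only the reinit callback) is not updated, so the header no longer documents the function's full contract. I would extend the comment with a sentence along the lines of: when `trusted` is non-zero only the p11-kit modules marked trusted need to be loaded, and a previously lower initialization level is upgraded by re-initializing all providers. The start of that comment lies outside the hunk.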
@@ -93,12 +93,17 @@ int _gnutls_pkcs11_check_init(void *priv, pkcs11_reinit_function cb);
}
#define PKCS11_CHECK_INIT \
- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(0, NULL, NULL); \
+ if (ret < 0) \
+ return gnutls_assert_val(ret)
+
+#define PKCS11_CHECK_INIT_TRUSTED \
+ ret = _gnutls_pkcs11_check_init(1, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(ret)
#define PKCS11_CHECK_INIT_RET(x) \
- ret = _gnutls_pkcs11_check_init(NULL, NULL); \
+ ret = _gnutls_pkcs11_check_init(0, NULL, NULL); \
if (ret < 0) \
return gnutls_assert_val(x)
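Review bot: `PKCS11_CHECK_INIT_TRUSTED` is a verbatim copy of `PKCS11_CHECK_INIT` with the first argument changed, and `PKCS11_CHECK_INIT_RET` is a third variant of the same three lines; a single parameterised helper would keep the error-return behaviour in one place. For example define `PKCS11_CHECK_INIT_FLAGS(t, x)` carrying the call with `t` as the first argument and `return gnutls_assert_val(x)` on failure, and express the three existing macros as `PKCS11_CHECK_INIT_FLAGS(0, ret)`, `PKCS11_CHECK_INIT_FLAGS(1, ret)` and `PKCS11_CHECK_INIT_FLAGS(0, x)`. The macros still rely on an `int ret` being in scope at every use site, which predates this change but is worth a comment on the first definition.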
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 34fe47a38c..1665cf33f3 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -36,7 +36,7 @@
/* In case of a fork, it will invalidate the open session
* in the privkey and start another */
#define PKCS11_CHECK_INIT_PRIVKEY(k) \
- ret = _gnutls_pkcs11_check_init(k, reopen_privkey_session); \
+ ret = _gnutls_pkcs11_check_init(0, k, reopen_privkey_session); \
if (ret < 0) \
return gnutls_assert_val(ret)