authorDaiki Ueno <ueno@gnu.org>2020-05-16 18:29:56 +0200
committerDaiki Ueno <ueno@gnu.org>2021-02-15 16:59:05 +0100
commitb13e76d921ecda40c9e8eb1389f191628ac72208 (patch)
tree0f78fb0f900bccbe6e94ecc565f4ae899ebdbe78 /lib
parent71f7e59fe4952bebcf27eaf4f9fc000c722946fa (diff)
pkcs11: add option to skip the duplicate modules checktmp-pkcs11-reject-duplicate-modules
The check introduced by commit 12f4abc02e718e2ab0f7ae80b3026a29028536e7 prevents the same smart card driver from being accessed through multiple PKCS#11 modules, but it also prevents using several different tokens that are configured through p11-kit's "remote:" option. This reverts that behavior and adds a new flag to opt in to the check. Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/pkcs11.h1
-rw-r--r--lib/pkcs11.c31
2 files changed, 18 insertions, 14 deletions
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 2436069849..fc4031e47d 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -67,6 +67,7 @@ typedef struct gnutls_pkcs11_obj_st *gnutls_pkcs11_obj_t;
#define GNUTLS_PKCS11_FLAG_MANUAL 0 /* Manual loading of libraries */
#define GNUTLS_PKCS11_FLAG_AUTO 1 /* Automatically load libraries by reading /etc/gnutls/pkcs11.conf */
#define GNUTLS_PKCS11_FLAG_AUTO_TRUSTED (1<<1) /* Automatically load trusted libraries by reading /etc/gnutls/pkcs11.conf */
+#define GNUTLS_PKCS11_FLAG_IGNORE_DUPLICATE (1<<2) /* Ignore modules with duplicate module info when loading */
/* pkcs11.conf format:
* load = /lib/xxx-pkcs11.so
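Review bot: The comment on the added `#define GNUTLS_PKCS11_FLAG_IGNORE_DUPLICATE` line does not say when the flag is honored: in this diff only the auto_load() path receives `flags`, while gnutls_pkcs11_add_provider() passes a literal 0 and compat_load() is called without flags at all, so the bit has no effect for manually added providers or for the deprecated config file. The wording "Ignore modules with duplicate module info" can also be read as "ignore that they are duplicates", which is the opposite of what the code does (it refuses to load the second one). I would spell both out in the comment: `/* Do not load a module whose ck_info equals an already loaded one; only honored together with GNUTLS_PKCS11_FLAG_AUTO / GNUTLS_PKCS11_FLAG_AUTO_TRUSTED */`.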
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 0d5e83a0c6..c4f848a44a 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -228,7 +228,8 @@ static int scan_slots(struct gnutls_pkcs11_provider_st *p,
}
static int
-pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned custom_init, const char *params)
+pkcs11_add_module(const char* name, struct ck_function_list *module,
+ unsigned custom_init, const char *params, unsigned flags)
{
unsigned int i;
struct ck_info info;
@@ -241,13 +242,15 @@ pkcs11_add_module(const char* name, struct ck_function_list *module, unsigned cu
memset(&info, 0, sizeof(info));
pkcs11_get_module_info(module, &info);
- /* initially check if this module is a duplicate */
- for (i = 0; i < active_providers; i++) {
- /* already loaded, skip the rest */
- if (module == providers[i].module ||
- memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
- _gnutls_debug_log("p11: module %s is already loaded.\n", name);
- return GNUTLS_E_INT_RET_0;
+ if (flags & GNUTLS_PKCS11_FLAG_IGNORE_DUPLICATE) {
+ /* initially check if this module is a duplicate */
+ for (i = 0; i < active_providers; i++) {
+ /* already loaded, skip the rest */
+ if (module == providers[i].module ||
+ memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
+ _gnutls_debug_log("p11: module %s is already loaded.\n", name);
+ return GNUTLS_E_INT_RET_0;
+ }
}
}
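Review bot: Gating the whole loop on GNUTLS_PKCS11_FLAG_IGNORE_DUPLICATE also disables the `module == providers[i].module` pointer-identity test, which has nothing to do with "duplicate module info": without it the very same `ck_function_list` can be appended to providers[] twice, and whatever deinit does per entry (presumably a C_Finalize/unload of that module) would then run twice on one module. Only the `memcmp(&info, &providers[i].info, ...)` comparison is what broke the p11-kit "remote:" setups the commit message describes, so I would keep the pointer check unconditional and put just the info comparison behind the flag. The body of pkcs11_add_module continues past the end of this hunk.
```c
	memset(&info, 0, sizeof(info));
	pkcs11_get_module_info(module, &info);

	for (i = 0; i < active_providers; i++) {
		/* the same function list must never be registered twice */
		if (module == providers[i].module) {
			_gnutls_debug_log("p11: module %s is already loaded.\n", name);
			return GNUTLS_E_INT_RET_0;
		}
		/* equal module info only counts as a duplicate when requested */
		if ((flags & GNUTLS_PKCS11_FLAG_IGNORE_DUPLICATE) &&
		    memcmp(&info, &providers[i].info, sizeof(info)) == 0) {
			_gnutls_debug_log("p11: module %s is already loaded.\n", name);
			return GNUTLS_E_INT_RET_0;
		}
	}
	/* … unchanged: rest of pkcs11_add_module … */
```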
@@ -415,7 +418,7 @@ int gnutls_pkcs11_add_provider(const char *name, const char *params)
return pkcs11_rv_to_err(ret);
}
- ret = pkcs11_add_module(name, module, custom_init, params);
+ ret = pkcs11_add_module(name, module, custom_init, params, 0);
if (ret != 0) {
if (ret == GNUTLS_E_INT_RET_0)
ret = 0;
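Review bot: The literal `0` passed to pkcs11_add_module() silently changes the contract of the public gnutls_pkcs11_add_provider(): before this commit adding the same provider twice returned 0 without registering it again, now it registers a second entry, and since the function has no flags parameter an application cannot opt back in. At minimum the intent should be recorded next to the call, e.g. `ret = pkcs11_add_module(name, module, custom_init, params, 0 /* manual providers are never de-duplicated */);`, and the documentation of gnutls_pkcs11_add_provider() should mention that callers must not add the same module twice. The enclosing function starts before this hunk.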
@@ -925,13 +928,13 @@ static void compat_load(const char *configfile)
return;
}
-static int auto_load(unsigned trusted)
+static int auto_load(unsigned flags)
{
struct ck_function_list **modules;
int i, ret;
char* name;
- modules = p11_kit_modules_load_and_initialize(trusted?P11_KIT_MODULE_TRUSTED:0);
+ modules = p11_kit_modules_load_and_initialize((flags & GNUTLS_PKCS11_FLAG_AUTO_TRUSTED)?P11_KIT_MODULE_TRUSTED:0);
if (modules == NULL) {
gnutls_assert();
_gnutls_debug_log
@@ -945,7 +948,7 @@ static int auto_load(unsigned trusted)
_gnutls_debug_log
("p11: Initializing module: %s\n", name);
- ret = pkcs11_add_module(name, modules[i], 0, NULL);
+ ret = pkcs11_add_module(name, modules[i], 0, NULL, flags);
if (ret < 0) {
gnutls_assert();
_gnutls_debug_log
@@ -1004,7 +1007,7 @@ gnutls_pkcs11_init(unsigned int flags, const char *deprecated_config_file)
return 0;
} else if (flags & GNUTLS_PKCS11_FLAG_AUTO) {
if (deprecated_config_file == NULL)
- ret = auto_load(0);
+ ret = auto_load(flags);
compat_load(deprecated_config_file);
@@ -1012,7 +1015,7 @@ gnutls_pkcs11_init(unsigned int flags, const char *deprecated_config_file)
return ret;
} else if (flags & GNUTLS_PKCS11_FLAG_AUTO_TRUSTED) {
- ret = auto_load(1);
+ ret = auto_load(flags);
providers_initialized = PROV_INIT_TRUSTED;