authorStef Walter <stef@thewalter.net>2014-06-24 13:24:47 +0200
committerStef Walter <stef@thewalter.net>2014-07-08 08:57:31 +0200
commitd4289fbe420e19882d94827bd82a667a0132fccf (patch)
treecd3edcfdb8c9f860445da4d3b1debe23c0c7f264
parent7ec80ff13adb167705a999b7d082c76219adc909 (diff)
downloadp11-kit-d4289fbe420e19882d94827bd82a667a0132fccf.tar.gz
p11-kit: Add 'p11-kit remote' command for isolating modules
This adds a new tool to the p11-kit command called 'remote'. This is the server side of remoting a PKCS#11 module.
-rw-r--r--doc/manual/p11-kit-sections.txt1
-rw-r--r--p11-kit/Makefile.am2
-rw-r--r--p11-kit/p11-kit.c69
-rw-r--r--p11-kit/remote.c (renamed from p11-kit/tests/frob-server.c)86
-rw-r--r--p11-kit/remote.h56
-rw-r--r--p11-kit/tests/Makefile.am3
-rw-r--r--p11-kit/tests/test-transport.c2
7 files changed, 161 insertions, 58 deletions
diff --git a/doc/manual/p11-kit-sections.txt b/doc/manual/p11-kit-sections.txt
index 75dfce6..85e226f 100644
--- a/doc/manual/p11-kit-sections.txt
+++ b/doc/manual/p11-kit-sections.txt
@@ -118,6 +118,7 @@ p11_kit_iter_load_attributes
p11_kit_iter_destroy_object
p11_kit_iter_free
P11KitIterBehavior
+p11_kit_remote_serve_module
</SECTION>
<SECTION>
diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
index 88883b5..dd2716d 100644
--- a/p11-kit/Makefile.am
+++ b/p11-kit/Makefile.am
@@ -21,6 +21,7 @@ inc_HEADERS = \
iter.h \
p11-kit.h \
pin.h \
+ remote.h \
uri.h \
$(NULL)
@@ -36,6 +37,7 @@ MODULE_SRCS = \
proxy.c proxy.h \
private.h \
messages.c \
+ remote.c \
rpc-transport.c rpc.h \
rpc-message.c rpc-message.h \
rpc-client.c rpc-server.c \
diff --git a/p11-kit/p11-kit.c b/p11-kit/p11-kit.c
index da9d400..e115c42 100644
--- a/p11-kit/p11-kit.c
+++ b/p11-kit/p11-kit.c
@@ -38,6 +38,8 @@
#include "debug.h"
#include "message.h"
#include "path.h"
+#include "p11-kit.h"
+#include "remote.h"
#include <assert.h>
#include <ctype.h>
@@ -59,8 +61,12 @@ int p11_kit_trust (int argc,
int p11_kit_external (int argc,
char *argv[]);
+int p11_kit_remote (int argc,
+ char *argv[]);
+
static const p11_tool_command commands[] = {
{ "list-modules", p11_kit_list_modules, "List modules and tokens" },
+ { "remote", p11_kit_remote, "Run a specific PKCS#11 module remotely" },
{ P11_TOOL_FALLBACK, p11_kit_external, NULL },
{ 0, }
};
@@ -121,6 +127,69 @@ p11_kit_external (int argc,
}
int
+p11_kit_remote (int argc,
+ char *argv[])
+{
+ CK_FUNCTION_LIST *module;
+ int opt;
+ int ret;
+
+ enum {
+ opt_verbose = 'v',
+ opt_help = 'h',
+ };
+
+ struct option options[] = {
+ { "verbose", no_argument, NULL, opt_verbose },
+ { "help", no_argument, NULL, opt_help },
+ { 0 },
+ };
+
+ p11_tool_desc usages[] = {
+ { 0, "usage: p11-kit remote <module>" },
+ { 0 },
+ };
+
+ while ((opt = p11_tool_getopt (argc, argv, options)) != -1) {
+ switch (opt) {
+ case opt_verbose:
+ p11_kit_be_loud ();
+ break;
+ case opt_help:
+ case '?':
+ p11_tool_usage (usages, options);
+ return 0;
+ default:
+ assert_not_reached ();
+ break;
+ }
+ }
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc != 1) {
+ p11_message ("specify the module to remote");
+ return 2;
+ }
+
+ if (isatty (0)) {
+ p11_message ("the 'remote' tool is not meant to be run from a terminal");
+ return 2;
+ }
+
+ module = p11_kit_module_load (argv[0], 0);
+ if (module == NULL)
+ return 1;
+
+ ret = p11_kit_remote_serve_module (module, 0, 1);
+ p11_kit_module_release (module);
+
+ return ret;
+}
+
+
+int
main (int argc,
char *argv[])
{
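Review bot: The terminal guard `if (isatty (0)) {` in p11_kit_remote checks only stdin, so an invocation whose stdin is a pipe but whose stdout is still a terminal passes the check and the binary RPC stream is written straight to the terminal; checking both ends, `if (isatty (STDIN_FILENO) || isatty (STDOUT_FILENO)) {`, closes that gap. The same two descriptors are then passed as bare literals in `ret = p11_kit_remote_serve_module (module, 0, 1);`, where `STDIN_FILENO, STDOUT_FILENO` would state the intent and keep the guard and the call visibly in step (the hunk does not show whether <unistd.h> is already included; isatty suggests it is). A one-word comment on the `0` flags argument of `p11_kit_module_load (argv[0], 0)` would also help, since the meaning of an all-zero flag set is not obvious at the call site.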
diff --git a/p11-kit/tests/frob-server.c b/p11-kit/remote.c
index e0e7020..706d8b8 100644
--- a/p11-kit/tests/frob-server.c
+++ b/p11-kit/remote.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Red Hat Inc.
+ * Copyright (C) 2014 Red Hat Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -37,8 +37,9 @@
#include "buffer.h"
#include "compat.h"
#include "debug.h"
-#include "p11-kit.h"
+#include "message.h"
#include "rpc.h"
+#include "remote.h"
#include "virtual.h"
#include <assert.h>
@@ -46,77 +47,51 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
int
-main (int argc,
- char *argv[])
+p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
+ int in_fd,
+ int out_fd)
{
- CK_FUNCTION_LIST *funcs;
- CK_C_GetFunctionList gfl;
p11_rpc_status status;
unsigned char version;
p11_virtual virt;
p11_buffer options;
p11_buffer buffer;
- dl_module_t dl;
size_t state;
+ int ret = 1;
int code;
- CK_RV rv;
- p11_debug_init ();
+ return_val_if_fail (module != NULL, 1);
- if (argc != 2) {
- fprintf (stderr, "usage: frob-server module\n");
- exit (2);
- }
-
- dl = p11_dl_open (argv[1]);
- if (dl == NULL) {
- fprintf (stderr, "couldn't load module: %s: %s\n",
- argv[1], p11_dl_error ());
- exit (1);
- }
-
- gfl = p11_dl_symbol (dl, "C_GetFunctionList");
- if (!gfl) {
- fprintf (stderr, "couldn't find C_GetFunctionList entry point in module: %s: %s\n",
- argv[1], p11_dl_error ());
- exit (1);
- }
-
- rv = gfl (&funcs);
- if (rv != CKR_OK) {
- fprintf (stderr, "call to C_GetFunctiontList failed in module: %s: %s\n",
- argv[1], p11_kit_strerror (rv));
- exit (1);
- }
-
- p11_virtual_init (&virt, &p11_virtual_base, funcs, NULL);
p11_buffer_init (&options, 0);
p11_buffer_init (&buffer, 0);
- switch (read (0, &version, 1)) {
+ p11_virtual_init (&virt, &p11_virtual_base, module, NULL);
+
+ switch (read (in_fd, &version, 1)) {
case 0:
status = P11_RPC_EOF;
break;
case 1:
if (version != 0) {
- fprintf (stderr, "unspported version received: %d", (int)version);
- exit (1);
+ p11_message ("unspported version received: %d", (int)version);
+ goto out;
}
break;
default:
- fprintf (stderr, "couldn't read creds: %s", strerror (errno));
- exit (1);
+ p11_message_err (errno, "couldn't read credential byte");
+ goto out;
}
version = 0;
- switch (write (1, &version, 1)) {
+ switch (write (out_fd, &version, out_fd)) {
case 1:
break;
default:
- fprintf (stderr, "couldn't read creds: %s", strerror (errno));
- exit (1);
+ p11_message_err (errno, "couldn't write credential byte");
+ goto out;
}
status = P11_RPC_OK;
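Review bot: The count argument in `switch (write (out_fd, &version, out_fd)) {` is the descriptor number, not a byte count, so for any out_fd other than 1 the call reads past the one-byte `version` object and emits the wrong number of bytes; it only works for the current caller because out_fd happens to be 1, and the `case 1:` check would then fail for every other descriptor. It should read `switch (write (out_fd, &version, 1)) {`. The `case 0:` branch of the read sets `status = P11_RPC_EOF` but execution still reaches the version write and the trailing `status = P11_RPC_OK;`, so an immediate EOF is treated as a live session; this is inherited from frob-server, but it is now library behaviour and deserves either an early `ret = 0; goto out;` or a comment saying the overwrite is intended. The function's body continues in the following hunks. The runtime string `unspported version received` also carries a typo that will now appear in library diagnostics.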
@@ -125,7 +100,7 @@ main (int argc,
code = 0;
do {
- status = p11_rpc_transport_read (0, &state, &code,
+ status = p11_rpc_transport_read (in_fd, &state, &code,
&options, &buffer);
} while (status == P11_RPC_AGAIN);
@@ -133,23 +108,24 @@ main (int argc,
case P11_RPC_OK:
break;
case P11_RPC_EOF:
+ ret = 0;
continue;
case P11_RPC_AGAIN:
assert_not_reached ();
case P11_RPC_ERROR:
- fprintf (stderr, "failed to read rpc message: %s\n", strerror (errno));
- exit (1);
+ p11_message_err (errno, "failed to read rpc message");
+ goto out;
}
if (!p11_rpc_server_handle (&virt.funcs, &buffer, &buffer)) {
- fprintf (stderr, "unexpected error handling rpc message\n");
- exit (1);
+ p11_message ("unexpected error handling rpc message");
+ goto out;
}
state = 0;
options.len = 0;
do {
- status = p11_rpc_transport_write (1, &state, code,
+ status = p11_rpc_transport_write (out_fd, &state, code,
&options, &buffer);
} while (status == P11_RPC_AGAIN);
@@ -160,14 +136,16 @@ main (int argc,
case P11_RPC_AGAIN:
assert_not_reached ();
case P11_RPC_ERROR:
- fprintf (stderr, "failed to write rpc message: %s\n", strerror (errno));
- exit (1);
+ p11_message_err (errno, "failed to write rpc message");
+ goto out;
}
}
+out:
p11_buffer_uninit (&buffer);
p11_buffer_uninit (&options);
- p11_dl_close (dl);
- return 0;
+ p11_virtual_uninit (&virt);
+
+ return ret;
}
diff --git a/p11-kit/remote.h b/p11-kit/remote.h
new file mode 100644
index 0000000..12cbe6d
--- /dev/null
+++ b/p11-kit/remote.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2014 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above
+ * copyright notice, this list of conditions and the
+ * following disclaimer.
+ * * Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and
+ * the following disclaimer in the documentation and/or
+ * other materials provided with the distribution.
+ * * The names of contributors to this software may not be
+ * used to endorse or promote products derived from this
+ * software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ * Author: Stef Walter <stefw@redhat.com>
+ */
+
+#ifndef __P11_KIT_REMOTE_H__
+#define __P11_KIT_REMOTE_H__
+
+#include "p11-kit/p11-kit.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef P11_KIT_FUTURE_UNSTABLE_API
+
+int p11_kit_remote_serve_module (CK_FUNCTION_LIST *module,
+ int in_fd,
+ int out_fd);
+
+#endif
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* __P11_KIT_REMOTE_H__ */
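Review bot: The new public declaration `int p11_kit_remote_serve_module (CK_FUNCTION_LIST *module, int in_fd, int out_fd);` has no doc comment, and since the header is the installed interface this is where the contract should live. From remote.c the comment can state that the function serves RPC requests read from in_fd and answered on out_fd until the peer closes the stream, that it returns 0 on a clean EOF and 1 on any failure (including a NULL module), and that it does not close either descriptor or release the module — the caller keeps ownership of both. The include guard `__P11_KIT_REMOTE_H__` uses a double-underscore identifier reserved for the implementation; if the project's other headers follow the same pattern this is a consistency call, otherwise `P11_KIT_REMOTE_H` is the safer spelling.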
diff --git a/p11-kit/tests/Makefile.am b/p11-kit/tests/Makefile.am
index 0672d62..a7049a4 100644
--- a/p11-kit/tests/Makefile.am
+++ b/p11-kit/tests/Makefile.am
@@ -43,9 +43,6 @@ CHECK_PROGS += \
test-transport \
$(NULL)
-noinst_PROGRAMS += \
- frob-server
-
endif
TESTS = $(CHECK_PROGS)
diff --git a/p11-kit/tests/test-transport.c b/p11-kit/tests/test-transport.c
index 32ec02a..6ae6072 100644
--- a/p11-kit/tests/test-transport.c
+++ b/p11-kit/tests/test-transport.c
@@ -68,7 +68,7 @@ setup_remote (void *unused)
test.user_config = p11_path_build (test.directory, "pkcs11.conf", NULL);
p11_test_file_write (NULL, test.user_config, data, strlen (data));
- data = "remote: " BUILDDIR "/frob-server " BUILDDIR "/.libs/mock-two.so\n";
+ data = "remote: " BUILDDIR "/../p11-kit remote " BUILDDIR "/.libs/mock-two.so\n";
p11_test_file_write (test.user_modules, "remote.module", data, strlen (data));
p11_config_user_modules = test.user_modules;