diff options
author | Stef Walter <stefw@collabora.co.uk> | 2011-01-24 21:25:02 -0600 |
---|---|---|
committer | Stef Walter <stefw@collabora.co.uk> | 2011-01-24 21:25:02 -0600 |
commit | b2b0acbc5789823a33de9eabec10e2b8656f3632 (patch) | |
tree | b58da958f53ce32d560fa5290d30b0aa834cccd7 /module/p11-kit-lib.c | |
parent | 5a53e44a73d4fb62483e890fe348ea40d27ef573 (diff) |
Initial implementation with new config system.
Diffstat (limited to 'module/p11-kit-lib.c')
-rw-r--r-- | module/p11-kit-lib.c | 810 |
1 files changed, 810 insertions, 0 deletions
diff --git a/module/p11-kit-lib.c b/module/p11-kit-lib.c new file mode 100644 index 0000000..60662d1 --- /dev/null +++ b/module/p11-kit-lib.c @@ -0,0 +1,810 @@ +/* + * Copyright (C) 2011 Collabora Ltd. + * Copyright (C) 2008 Stefan Walter + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above + * copyright notice, this list of conditions and the + * following disclaimer. + * * Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and + * the following disclaimer in the documentation and/or + * other materials provided with the distribution. + * * The names of contributors to this software may not be + * used to endorse or promote products derived from this + * software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED + * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + * DAMAGE. + * + * Author: Stef Walter <stefw@collabora.co.uk> + */ + +#include "config.h" + +#include "conf.h" +#include "hash.h" +#include "pkcs11.h" +#include "p11-kit.h" +#include "p11-kit-private.h" + +#include <sys/types.h> + +#include <assert.h> +#include <dirent.h> +#include <dlfcn.h> +#include <errno.h> +#include <pthread.h> +#include <pwd.h> +#include <stdarg.h> +#include <stddef.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> + +typedef struct _Module { + char *name; + hash_t *config; + void *dl_module; + CK_FUNCTION_LIST_PTR funcs; + int ref_count; + int initialize_count; +} Module; + +/* + * This is the mutex that protects the global data of this library + * and the pkcs11 proxy module. Note that we *never* call into our + * underlying pkcs11 modules while holding this mutex. Therefore it + * doesn't have to be recursive and we can keep things simple. + */ +pthread_mutex_t _p11_mutex = PTHREAD_MUTEX_INITIALIZER; + +/* + * Shared data between threads, protected by the mutex, a structure so + * we can audit thread safety easier. + */ +static struct _Shared { + hash_t *modules; + hash_t *config; +} gl = { NULL, NULL }; + +/* ----------------------------------------------------------------------------- + * UTILITIES + */ + +static void +warning (const char* msg, ...) +{ + char buffer[512]; + va_list va; + + va_start (va, msg); + + vsnprintf(buffer, sizeof (buffer) - 1, msg, va); + buffer[sizeof (buffer) - 1] = 0; + fprintf (stderr, "p11-kit: %s\n", buffer); + + va_end (va); +} + +void +conf_error (const char *filename, const char *buffer) +{ + /* called from conf.c */ + fprintf (stderr, "p11-kit: %s\n", buffer); +} + +static char* +strconcat (const char *first, ...) +{ + size_t length = 0; + const char *arg; + char *result, *at; + va_list va; + + va_start (va, first); + + for (arg = first; arg; arg = va_arg (va, const char*)) + length += strlen (arg); + + va_end (va); + + at = result = malloc (length); + if (!result) + return NULL; + + va_start (va, first); + + for (arg = first; arg; arg = va_arg (va, const char*)) { + length = strlen (arg); + memcpy (at, arg, length); + at += length; + } + + va_end (va); + + *at = 0; + return result; +} + +static int +strequal (const char *one, const char *two) +{ + return strcmp (one, two) == 0; +} + +/* ----------------------------------------------------------------------------- + * P11-KIT FUNCTIONALITY + */ + +static void +free_module_unlocked (void *data) +{ + Module *module = data; + + assert (module); + + /* Module must be finalized */ + assert (module->initialize_count == 0); + + /* Module must have no outstanding references */ + assert (module->ref_count == 0); + + dlclose (module->dl_module); + hash_free (module->config); + free (module->name); + free (module); +} + +static CK_RV +load_module_from_config_unlocked (const char *configfile, const char *name) +{ + Module *module, *prev; + const char *path; + CK_C_GetFunctionList gfl; + CK_RV rv; + + assert (configfile); + + module = calloc (sizeof (Module), 1); + if (!module) + return CKR_HOST_MEMORY; + + module->config = conf_parse_file (configfile, 0); + if (!module->config) { + free_module_unlocked (module); + if (errno == ENOMEM) + return CKR_HOST_MEMORY; + return CKR_GENERAL_ERROR; + } + + module->name = strdup (name); + if (!module->name) { + free_module_unlocked (module); + return CKR_HOST_MEMORY; + } + + path = hash_get (module->config, "module"); + if (path == NULL) { + free_module_unlocked (module); + warning ("no module path specified in config: %s", configfile); + return CKR_GENERAL_ERROR; + } + + module->dl_module = dlopen (path, RTLD_LOCAL | RTLD_NOW); + if (module->dl_module == NULL) { + warning ("couldn't load module: %s: %s", path, dlerror ()); + free_module_unlocked (module); + return CKR_GENERAL_ERROR; + } + + gfl = dlsym (module->dl_module, "C_GetFunctionList"); + if (!gfl) { + warning ("couldn't find C_GetFunctionList entry point in module: %s: %s", + path, dlerror ()); + free_module_unlocked (module); + return CKR_GENERAL_ERROR; + } + + rv = gfl (&module->funcs); + if (rv != CKR_OK) { + warning ("call to C_GetFunctiontList failed in module: %s: %lu", + path, (unsigned long)rv); + free_module_unlocked (module); + return rv; + } + + prev = hash_get (gl.modules, module->funcs); + + /* Replace previous module that was loaded explicitly? */ + if (prev && !prev->name) { + module->ref_count = prev->ref_count; + module->initialize_count = prev->initialize_count; + prev->ref_count = 0; + prev->initialize_count = 0; + hash_set (gl.modules, module->funcs, module); + prev = NULL; /* freed by hash above */ + } + + /* Refuse to load duplicate module */ + if (prev) { + warning ("duplicate configured module: %s: %s", + module->name, path); + free_module_unlocked (module); + return CKR_GENERAL_ERROR; + } + + return CKR_OK; +} + +static CK_RV +load_modules_from_config_unlocked (const char *directory) +{ + struct dirent *dp; + CK_RV rv = CKR_OK; + DIR *dir; + char *path; + + /* First we load all the modules */ + dir = opendir (directory); + if (!dir) { + if (errno == ENOENT || errno == ENOTDIR) + warning ("couldn't list directory: %s", directory); + return CKR_GENERAL_ERROR; + } + + /* We're within a global mutex, so readdir is safe */ + while ((dp = readdir(dir)) != NULL) { + path = strconcat (directory, "/", dp->d_name); + if (!path) { + rv = CKR_HOST_MEMORY; + break; + } + + rv = load_module_from_config_unlocked (path, dp->d_name); + free (path); + + if (rv != CKR_OK) + break; + } + + closedir (dir); + + return rv; +} + +static CK_RV +load_config_modules_unlocked (hash_t *config) +{ + const char *user_config; + struct passwd *pwd; + char *path; + CK_RV rv; + + /* Whether we should use or override from user directory */ + user_config = hash_get (config, "user-config"); + if (user_config == NULL) + user_config = "none"; + + /* Load each module from the main list */ + if (strequal (user_config, "none") || strequal (user_config, "merge")) { + rv = load_modules_from_config_unlocked (PKCS11_CONFIG_LIBS); + if (rv != CKR_OK); + return rv; + } + if (strequal (user_config, "override") || strequal (user_config, "merge")) { + pwd = getpwuid (getuid ()); + if (!pwd) + rv = CKR_GENERAL_ERROR; + else { + path = strconcat (pwd->pw_dir, "/.pkcs11/libs"); + if (path == NULL) + rv = CKR_HOST_MEMORY; + else + rv = load_modules_from_config_unlocked (path); + free (path); + } + if (rv != CKR_OK); + return rv; + } + + return CKR_OK; +} + +static CK_RV +load_registered_modules_unlocked (void) +{ + hash_t *config; + CK_RV rv; + + /* Should only be called after everything has been unloaded */ + assert (!gl.config); + + /* Load the main configuration */ + config = conf_parse_file (PKCS11_CONFIG_FILE, CONF_IGNORE_MISSING); + if (!config) { + if (errno == ENOMEM) + return CKR_HOST_MEMORY; + return CKR_GENERAL_ERROR; + } + + rv = load_config_modules_unlocked (config); + if (rv != CKR_OK) { + hash_free (config); + return rv; + } + + gl.config = config; + return CKR_OK; +} + +static CK_RV +create_mutex (CK_VOID_PTR_PTR mut) +{ + pthread_mutex_t *pmutex; + int err; + + pmutex = malloc (sizeof (pthread_mutex_t)); + if (!pmutex) + return CKR_HOST_MEMORY; + err = pthread_mutex_init (pmutex, NULL); + if (err == ENOMEM) + return CKR_HOST_MEMORY; + else if (err != 0) + return CKR_GENERAL_ERROR; + *mut = pmutex; + return CKR_OK; +} + +static CK_RV +destroy_mutex (CK_VOID_PTR mut) +{ + pthread_mutex_t *pmutex = mut; + int err; + + err = pthread_mutex_destroy (pmutex); + if (err == EINVAL) + return CKR_MUTEX_BAD; + else if (err != 0) + return CKR_GENERAL_ERROR; + free (pmutex); + return CKR_OK; +} + +static CK_RV +lock_mutex (CK_VOID_PTR mut) +{ + pthread_mutex_t *pmutex = mut; + int err; + + err = pthread_mutex_lock (pmutex); + if (err == EINVAL) + return CKR_MUTEX_BAD; + else if (err != 0) + return CKR_GENERAL_ERROR; + return CKR_OK; +} + +static CK_RV +unlock_mutex (CK_VOID_PTR mut) +{ + pthread_mutex_t *pmutex = mut; + int err; + + err = pthread_mutex_unlock (pmutex); + if (err == EINVAL) + return CKR_MUTEX_BAD; + else if (err == EPERM) + return CKR_MUTEX_NOT_LOCKED; + else if (err != 0) + return CKR_GENERAL_ERROR; + return CKR_OK; +} + +static CK_RV +initialize_module_unlocked_reentrant (Module *module, CK_C_INITIALIZE_ARGS_PTR args) +{ + CK_RV rv = CKR_OK; + + assert (module); + + /* + * Initialize first, so module doesn't get freed out from + * underneath us when the mutex is unlocked below. + */ + ++module->ref_count; + + if (!module->initialize_count) { + + _p11_unlock (); + + assert (module->funcs); + rv = module->funcs->C_Initialize (args); + + _p11_lock (); + + /* + * Because we have the mutex unlocked above, two initializes could + * race. Therefore we need to take CKR_CRYPTOKI_ALREADY_INITIALIZED + * into account. + * + * We also need to take into account where in a race both calls return + * CKR_OK (which is not according to the spec but may happen, I mean we + * do it in this module, so it's not unimaginable). + */ + + if (rv == CKR_OK) + ++module->initialize_count; + else if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) + rv = CKR_OK; + else + --module->ref_count; + } + + return rv; +} + +static CK_RV +init_modules_unlocked (void) +{ + if (!gl.modules) + gl.modules = hash_create (hash_direct_hash, hash_direct_equal, + NULL, free_module_unlocked); + if (!gl.modules) + return CKR_HOST_MEMORY; + return CKR_OK; +} + +static void +free_modules_when_no_refs_unlocked (void) +{ + Module *module; + hash_iter_t it; + + /* Check if any modules have a ref count */ + hash_iterate (gl.modules, &it); + while (hash_next (&it, NULL, (void**)&module)) { + if (module->ref_count) + return; + } + + hash_free (gl.modules); + gl.modules = NULL; + hash_free (gl.config); + gl.config = NULL; +} + +static CK_RV +finalize_module_unlocked_reentrant (Module *module, CK_VOID_PTR args) +{ + assert (module); + + /* + * We leave module info around until all are finalized + * so we can encounter these zombie Module structures. + */ + if (module->ref_count == 0) + return CKR_ARGUMENTS_BAD; + + if (--module->ref_count > 0) + return CKR_OK; + + /* + * Becuase of the mutex unlock below, we temporarily increase + * the ref count. This prevents module from being freed out + * from ounder us. + */ + ++module->ref_count; + + while (module->initialize_count > 0) { + + _p11_unlock (); + + assert (module->funcs); + module->funcs->C_Finalize (args); + + _p11_lock (); + + if (module->initialize_count > 0) + --module->initialize_count; + } + + /* Match the increment above */ + --module->ref_count; + + free_modules_when_no_refs_unlocked (); + return CKR_OK; +} + +static Module* +find_module_for_name_unlocked (const char *name) +{ + Module *module; + hash_iter_t it; + + assert (name); + + hash_iterate (gl.modules, &it); + while (hash_next (&it, NULL, (void**)&module)) + if (module->ref_count && module->name && strcmp (name, module->name)) + return module; + return NULL; +} + +CK_RV +_p11_kit_initialize_registered_unlocked_reentrant (CK_C_INITIALIZE_ARGS_PTR args) +{ + Module *module; + hash_iter_t it; + CK_RV rv; + + rv = load_registered_modules_unlocked (); + if (rv == CKR_OK) { + hash_iterate (gl.modules, &it); + while (hash_next (&it, NULL, (void**)&module)) { + + /* Skip all modules that aren't registered */ + if (!module->name) + continue; + + rv = initialize_module_unlocked_reentrant (module, args); + + if (rv != CKR_OK) + break; + } + } + + return rv; +} + +CK_RV +p11_kit_initialize_registered (void) +{ + CK_C_INITIALIZE_ARGS args; + CK_RV rv; + + /* WARNING: This function must be reentrant */ + + memset (&args, 0, sizeof (args)); + args.CreateMutex = create_mutex; + args.DestroyMutex = destroy_mutex; + args.LockMutex = lock_mutex; + args.UnlockMutex = unlock_mutex; + args.flags = CKF_OS_LOCKING_OK; + + _p11_lock (); + + /* WARNING: Reentrancy can occur here */ + rv = _p11_kit_initialize_registered_unlocked_reentrant (&args); + + _p11_unlock (); + + /* Cleanup any partial initialization */ + if (rv != CKR_OK) + p11_kit_finalize_registered (); + + return rv; +} + +CK_RV +_p11_kit_finalize_registered_unlocked_reentrant (CK_VOID_PTR args) +{ + Module *module; + hash_iter_t it; + Module **to_finalize; + int i, count; + + if (!gl.modules) + return CKR_CRYPTOKI_NOT_INITIALIZED; + + /* WARNING: This function must be reentrant */ + + to_finalize = calloc (hash_count (gl.modules), sizeof (Module*)); + if (!to_finalize) + return CKR_HOST_MEMORY; + + count = 0; + hash_iterate (gl.modules, &it); + while (hash_next (&it, NULL, (void**)&module)) { + + /* Skip all modules that aren't registered */ + if (module->name) + to_finalize[count++] = module; + } + + for (i = 0; i < count; ++i) { + + /* WARNING: Reentrant calls can occur here */ + finalize_module_unlocked_reentrant (to_finalize[i], args); + } + + free (to_finalize); + return CKR_OK; +} + +CK_RV +p11_kit_finalize_registered (void) +{ + CK_RV rv; + + /* WARNING: This function must be reentrant */ + + _p11_lock (); + + /* WARNING: Reentrant calls can occur here */ + rv = _p11_kit_finalize_registered_unlocked_reentrant (NULL); + + _p11_unlock (); + + return rv; +} + +CK_FUNCTION_LIST_PTR_PTR +_p11_kit_registered_modules_unlocked (void) +{ + CK_FUNCTION_LIST_PTR_PTR result; + Module *module; + hash_iter_t it; + int i = 0; + + result = calloc (hash_count (gl.modules) + 1, sizeof (CK_FUNCTION_LIST_PTR)); + if (result) { + hash_iterate (gl.modules, &it); + while (hash_next (&it, NULL, (void**)&module)) { + if (module->ref_count && module->name) + result[i++] = module->funcs; + } + } + + return result; +} + +CK_FUNCTION_LIST_PTR_PTR +p11_kit_registered_modules (void) +{ + CK_FUNCTION_LIST_PTR_PTR result; + + _p11_lock (); + + result = _p11_kit_registered_modules_unlocked (); + + _p11_unlock (); + + return result; +} + +char* +p11_kit_registered_module_to_name (CK_FUNCTION_LIST_PTR funcs) +{ + Module *module; + char *name = NULL; + + if (!funcs) + return NULL; + + _p11_lock (); + + module = gl.modules ? hash_get (gl.modules, funcs) : NULL; + if (module && module->name) + name = strdup (module->name); + + _p11_unlock (); + + return name; +} + +CK_FUNCTION_LIST_PTR +p11_kit_registered_name_to_module (const char *name) +{ + CK_FUNCTION_LIST_PTR funcs = NULL; + Module *module; + + _p11_lock (); + + if (gl.modules) { + module = find_module_for_name_unlocked (name); + if (module) + funcs = module->funcs; + } + + _p11_unlock (); + + return funcs; +} + +char* +p11_kit_registered_option (CK_FUNCTION_LIST_PTR funcs, const char *field) +{ + Module *module; + char *option = NULL; + + if (!funcs || !field) + return NULL; + + _p11_lock (); + + module = gl.modules ? hash_get (gl.modules, funcs) : NULL; + if (module && module->config) { + option = hash_get (module->config, field); + if (option) + option = strdup (option); + } + + _p11_unlock (); + + return option; +} + +CK_RV +p11_kit_initialize_module (CK_FUNCTION_LIST_PTR funcs, CK_C_INITIALIZE_ARGS_PTR init_args) +{ + Module *module; + Module *allocated = NULL; + CK_RV rv = CKR_OK; + + /* WARNING: This function must be reentrant for the same arguments */ + + _p11_lock (); + + rv = init_modules_unlocked (); + if (rv == CKR_OK) { + + module = hash_get (gl.modules, funcs); + if (module == NULL) { + allocated = module = calloc (1, sizeof (Module)); + module->funcs = funcs; + } + + /* WARNING: Reentrancy can occur here */ + rv = initialize_module_unlocked_reentrant (module, init_args); + + /* If this was newly allocated, add it to the list */ + if (rv == CKR_OK && allocated) { + hash_set (gl.modules, allocated->funcs, allocated); + allocated = NULL; + } + + free (allocated); + } + + _p11_unlock (); + + return rv; +} + +CK_RV +p11_kit_finalize_module (CK_FUNCTION_LIST_PTR funcs, CK_VOID_PTR reserved) +{ + Module *module; + CK_RV rv = CKR_OK; + + /* WARNING: This function must be reentrant for the same arguments */ + + _p11_lock (); + + module = gl.modules ? hash_get (gl.modules, funcs) : NULL; + if (module == NULL) { + rv = CKR_ARGUMENTS_BAD; + } else { + /* WARNING: Rentrancy can occur here */ + rv = finalize_module_unlocked_reentrant (module, reserved); + } + + _p11_unlock (); + + return rv; +} |