rpc: Add PKCS#11 module that connects to socket

This patch adds a PKCS#11 module that connects to the p11-kit server exposed on the filesystem. The filename of the socket is determined in the following order: - $P11_KIT_SERVER_ADDRESS, if the envvar is available - $XDG_RUNTIME_DIR/p11-kit/pkcs11, if the envvar is available - /run/$(id -u)/p11-kit/pkcs11, if /run/$(id -u) exists - /var/run/$(id -u)/p11-kit/pkcs11, if /var/run/$(id -u) exists - ~/.cache/p11-kit/pkcs11. Note that the program loading this module may have called setuid() and secure_getenv() which we use for fetching envvars could return NULL.
p11-glue · Jan 26, 2017 · 423b999 · 423b999
1 parent 7efc1e3
commit 423b999
Show file tree

Hide file tree

Showing 12 changed files with 544 additions and 76 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -32,6 +32,9 @@ noinst_SCRIPTS =
 
 TESTS = $(CHECK_PROGS)
 
+moduledir = $(p11_module_path)
+module_LTLIBRARIES =
+
 include common/Makefile.am
 include p11-kit/Makefile.am
 

diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
@@ -59,6 +59,7 @@ IGNORE_HFILES= \
 	pkcs11i.h \
 	pkcs11x.h \
 	private.h \
+	client.h \
 	proxy.h \
 	rpc.h \
 	rpc-message.h \

diff --git a/doc/manual/p11-kit.xml b/doc/manual/p11-kit.xml
@@ -35,6 +35,9 @@
 	<cmdsynopsis>
 		<command>p11-kit extract</command> ...
 	</cmdsynopsis>
+	<cmdsynopsis>
+		<command>p11-kit server</command> ...
+	</cmdsynopsis>
 </refsynopsisdiv>
 
 <refsect1 id="p11-kit-description">
@@ -85,6 +88,20 @@ $ p11-kit list-modules
 	for more information</para>
 </refsect1>
 
+<refsect1 id="p11-kit-server">
+	<title>Server</title>
+
+	<para>Run a server process that exposes PKCS#11 module remotely.</para>
+
+<programlisting>
+$ p11-kit server /path/to/pkcs11-module.so
+$ p11-kit server pkcs11:token-uri
+</programlisting>
+
+	<para>This launches a server that exposes the given PKCS#11 module or token on a local socket. To access the socket, use <literal>p11-kit-client.so</literal> module. The server address and PID are printed as a shell-script snippet which sets the appropriate environment variable: <literal>P11_KIT_SERVER_ADDRESS</literal> and <literal>P11_KIT_SERVER_PID</literal>.</para>
+
+</refsect1>
+
 <refsect1 id="p11-kit-extract-trust">
 	<title>Extract Trust</title>
 

diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
@@ -8,7 +8,7 @@ inc_HEADERS += \
 	p11-kit/uri.h \
 	$(NULL)
 
-MODULE_SRCS = \
+COMMON_SRCS = \
 	p11-kit/util.c \
 	p11-kit/conf.c p11-kit/conf.h \
 	p11-kit/iter.c \
@@ -19,7 +19,6 @@ MODULE_SRCS = \
 	p11-kit/pin.c \
 	p11-kit/pkcs11.h \
 	p11-kit/private.h \
-	p11-kit/proxy.c p11-kit/proxy.h \
 	p11-kit/messages.c \
 	p11-kit/rpc-transport.c p11-kit/rpc.h \
 	p11-kit/rpc-message.c p11-kit/rpc-message.h \
@@ -32,7 +31,7 @@ MODULE_SRCS = \
 lib_LTLIBRARIES += \
 	libp11-kit.la
 
-libp11_kit_la_CFLAGS = \
+COMMON_CFLAGS = \
 	-DP11_SYSTEM_CONFIG_FILE=\""$(p11_system_config_file)"\" \
 	-DP11_SYSTEM_CONFIG_MODULES=\""$(p11_system_config_modules)"\" \
 	-DP11_PACKAGE_CONFIG_MODULES=\""$(p11_package_config_modules)"\" \
@@ -42,26 +41,44 @@ libp11_kit_la_CFLAGS = \
 	$(LIBFFI_CFLAGS) \
 	$(NULL)
 
+COMMON_LIBS = \
+	libp11-common.la \
+	libp11-library.la \
+	$(LIBFFI_LIBS) \
+	$(LTLIBINTL) \
+	$(NULL)
+
+libp11_kit_la_CFLAGS = $(COMMON_CFLAGS)
+
 libp11_kit_la_LDFLAGS = \
 	-no-undefined \
 	-version-info $(P11KIT_LT_RELEASE) \
 	-export-symbols-regex '^C_GetFunctionList|^p11_kit_'
 
-libp11_kit_la_SOURCES = $(MODULE_SRCS)
+libp11_kit_la_SOURCES = \
+	p11-kit/proxy.c p11-kit/proxy.h p11-kit/proxy-init.c
+	$(NULL)
 
 libp11_kit_la_LIBADD = \
-	libp11-common.la \
-	libp11-library.la \
-	$(LIBFFI_LIBS) \
-	$(LTLIBINTL) \
+	libp11-kit-internal.la \
+	$(COMMON_LIBS) \
 	$(NULL)
 
 noinst_LTLIBRARIES += \
-	libp11-kit-testable.la
+	libp11-kit-internal.la \
+	libp11-kit-testable.la \
+	$(NULL)
+
+libp11_kit_internal_la_LDFLAGS = -no-undefined
+libp11_kit_internal_la_CFLAGS = $(COMMON_CFLAGS)
+libp11_kit_internal_la_SOURCES = $(COMMON_SRCS)
 
 libp11_kit_testable_la_LDFLAGS = -no-undefined
-libp11_kit_testable_la_SOURCES = $(MODULE_SRCS)
-libp11_kit_testable_la_LIBADD = $(libp11_kit_la_LIBADD)
+libp11_kit_testable_la_SOURCES = \
+	$(libp11_kit_internal_la_SOURCES) \
+	$(libp11_kit_la_SOURCES) \
+	$(NULL)
+libp11_kit_testable_la_LIBADD = $(COMMON_LIBS)
 
 if OS_WIN32
 
@@ -112,6 +129,23 @@ systemduser_DATA = \
 	p11-kit/p11-kit-remote.socket \
 	p11-kit/[email protected]
 
+module_LTLIBRARIES += \
+	p11-kit-client.la
+
+p11_kit_client_la_LDFLAGS = \
+	-no-undefined -module -avoid-version \
+	-version-info $(P11KIT_LT_RELEASE) \
+	-export-symbols-regex '^C_GetFunctionList' \
+	$(NULL)
+
+p11_kit_client_la_CFLAGS = $(COMMON_CFLAGS)
+
+p11_kit_client_la_SOURCES = \
+	p11-kit/client.c p11-kit/client.h p11-kit/client-init.c \
+	$(NULL)
+
+p11_kit_client_la_LIBADD = $(libp11_kit_la_LIBADD)
+
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = p11-kit/p11-kit-1.pc
 

diff --git a/p11-kit/client-init.c b/p11-kit/client-init.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2011 Collabora Ltd
+ * Copyright (c) 2012 Stef Walter
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *     * Redistributions of source code must retain the above
+ *       copyright notice, this list of conditions and the
+ *       following disclaimer.
+ *     * Redistributions in binary form must reproduce the
+ *       above copyright notice, this list of conditions and
+ *       the following disclaimer in the documentation and/or
+ *       other materials provided with the distribution.
+ *     * The names of contributors to this software may not be
+ *       used to endorse or promote products derived from this
+ *       software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ *
+ *
+ * CONTRIBUTORS
+ *  Stef Walter <[email protected]>
+ */
+
+#include "config.h"
+
+#include "client.h"
+#include "library.h"
+#include "pkcs11.h"
+#include "virtual-fixed.h"
+
+/* p11_proxy_module_check() is defined as a weak symbol in modules.c */
+#ifndef __GNUC__
+bool       p11_proxy_module_check                    (CK_FUNCTION_LIST_PTR module);
+
+bool
+p11_proxy_module_check (CK_FUNCTION_LIST_PTR module)
+{
+	return false;
+}
+#endif
+
+#ifdef OS_UNIX
+
+void _p11_kit_init (void);
+
+void _p11_kit_fini (void);
+
+#ifdef __GNUC__
+__attribute__((constructor))
+#endif
+void
+_p11_kit_init (void)
+{
+	p11_library_init_once ();
+	p11_virtual_fixed_init ();
+}
+
+#ifdef __GNUC__
+__attribute__((destructor))
+#endif
+void
+_p11_kit_fini (void)
+{
+	p11_client_module_cleanup ();
+	p11_virtual_fixed_uninit ();
+	p11_library_uninit ();
+}
+
+#endif /* OS_UNIX */
+
+#ifdef OS_WIN32
+
+BOOL WINAPI DllMain (HINSTANCE, DWORD, LPVOID);
+
+BOOL WINAPI
+DllMain (HINSTANCE instance,
+         DWORD reason,
+         LPVOID reserved)
+{
+	switch (reason) {
+	case DLL_PROCESS_ATTACH:
+		p11_library_init ();
+		break;
+	case DLL_THREAD_DETACH:
+		p11_library_thread_cleanup ();
+		break;
+	case DLL_PROCESS_DETACH:
+		p11_client_module_cleanup ();
+		p11_library_uninit ();
+		break;
+	default:
+		break;
+	}
+
+	return TRUE;
+}
+
+#endif /* OS_WIN32 */