From: Ken Hornstein Date: Mon, 15 Mar 2021 02:18:53 +0000 (-0400) Subject: Use krb5int_open_plugin for PKCS#11 module X-Git-Tag: krb5-1.20-beta1~111 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1170%2Fhead;p=thirdparty%2Fkrb5.git Use krb5int_open_plugin for PKCS#11 module Instead of calling dlopen() directly, use the krb5 cross-platform interfaces (krb5int_open_plugin()). The goal here is to eventually support pkinit on Windows; this is just the first small step in that direction. [ghudson@mit.edu: fixed memory leak; changed type of p11_module field; added intermediate sym variable for strict aliasing conformance; simplified out pkinit_C_UnloadModule() wrapper]
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index d29b03dfb6..b6266b4b55 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -34,7 +34,6 @@
 #include "k5-json.h"
 #include
-#include
 #include
 /**
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index e5940a5135..fbbdab5108 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -33,7 +33,6 @@
 #include "pkinit_crypto_openssl.h"
 #include "k5-buf.h"
 #include "k5-hex.h"
-#include
 #include
 #include
 #include
@@ -102,8 +101,8 @@ static krb5_error_code pkinit_login
 CK_TOKEN_INFO *tip, const char *password);
 static krb5_error_code pkinit_open_session
 (krb5_context context, pkinit_identity_crypto_context id_cryptoctx);
-static void * pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p);
-static CK_RV pkinit_C_UnloadModule(void *handle);
+static struct plugin_file_handle *pkinit_C_LoadModule
+(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p);
 #ifdef SILLYDECRYPT
 CK_RV pkinit_C_Decrypt
 (pkinit_identity_crypto_context id_cryptoctx,
@@ -1006,7 +1005,7 @@ pkinit_fini_pkcs11(pkinit_identity_crypto_context ctx)
 ctx->p11 = NULL;
 }
 if (ctx->p11_module != NULL) {
- pkinit_C_UnloadModule(ctx->p11_module);
+ krb5int_close_plugin(ctx->p11_module);
 ctx->p11_module = NULL;
 }
 free(ctx->p11_module_name);
@@ -3548,21 +3547,30 @@ prepare_enc_data(const uint8_t *indata, int indata_len, uint8_t **outdata,
 }
 #ifndef WITHOUT_PKCS11
-static void *
+static struct plugin_file_handle *
 pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p)
 {
- void *handle;
+ struct plugin_file_handle *handle;
 CK_RV (*getflist)(CK_FUNCTION_LIST_PTR_PTR);
+ struct errinfo einfo = EMPTY_ERRINFO;
+ void (*sym)();
+ long err;
+ CK_RV rv;
 pkiDebug("loading module \"%s\"... ", modname);
- handle = dlopen(modname, RTLD_NOW);
- if (handle == NULL) {
+ if (krb5int_open_plugin(modname, &handle, &einfo) != 0) {
 pkiDebug("not found\n");
 return NULL;
 }
- getflist = (CK_RV (*)(CK_FUNCTION_LIST_PTR_PTR)) dlsym(handle, "C_GetFunctionList");
- if (getflist == NULL || (*getflist)(p11p) != CKR_OK) {
- dlclose(handle);
+
+ err = krb5int_get_plugin_func(handle, "C_GetFunctionList", &sym, &einfo);
+ k5_clear_error(&einfo);
+ if (!err) {
+ getflist = (CK_RV (*)())sym;
+ rv = (*getflist)(p11p);
+ }
+ if (err || rv != CKR_OK) {
+ krb5int_close_plugin(handle);
 pkiDebug("failed\n");
 return NULL;
 }
@@ -3570,13 +3578,6 @@ pkinit_C_LoadModule(const char *modname, CK_FUNCTION_LIST_PTR_PTR p11p)
 return handle;
 }
-static CK_RV
-pkinit_C_UnloadModule(void *handle)
-{
- dlclose(handle);
- return CKR_OK;
-}
-
 static krb5_error_code
 pkinit_login(krb5_context context,
 pkinit_identity_crypto_context id_cryptoctx,
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index 957c3def45..ea28b8edc4 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h
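Review bot: In the pkinit_C_LoadModule hunk (@@ -3548,21 +3547,30 @@), the early return after a failed krb5int_open_plugin() never touches `einfo`; k5_clear_error(&einfo) is reached only on the krb5int_get_plugin_func() path. The open call is handed `&einfo`, so it presumably records a message there on failure, in which case that message is leaked and the loader's actual reason is discarded. The debug output then reads "not found" for every failure, including a module that exists but could not be loaded, which makes a wrong or substituted PKCS#11 module path harder to diagnose. I would add `k5_clear_error(&einfo);` before the first `return NULL;`, ideally after passing the recorded message to pkiDebug. The end of the function (the success path) lies outside this hunk.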
@@ -84,7 +84,7 @@ struct _pkinit_identity_crypto_context {
 char *token_label;
 char *cert_label;
 /* These are crypto-specific */
- void *p11_module;
+ struct plugin_file_handle *p11_module;
 CK_SESSION_HANDLE session;
 CK_FUNCTION_LIST_PTR p11;
 uint8_t *cert_id;
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index cee448db98..4c8e8434c2 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -30,7 +30,6 @@
 */
 #include "pkinit.h"
-#include
 #include
 static void