From 1592b227c74fc12b4311c223587a5cb46eb1070c Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 18 Jan 2018 17:03:20 +0100 Subject: [PATCH 1/2] conf: Add global options to filter tokens This patch adds two new global options: allow-tokens and deny-tokens. Those options take a comma separated list of PKCS #11 URI of tokens, either to be allowed or disallowed. --- .../fixtures/test-system-allow-tokens.conf | 9 +++ p11-kit/fixtures/test-system-deny-tokens.conf | 9 +++ p11-kit/modules.c | 70 ++++++++++++++++++- p11-kit/test-modules.c | 49 +++++++++++++ 4 files changed, 135 insertions(+), 2 deletions(-) create mode 100644 p11-kit/fixtures/test-system-allow-tokens.conf create mode 100644 p11-kit/fixtures/test-system-deny-tokens.conf
diff --git a/p11-kit/fixtures/test-system-allow-tokens.conf b/p11-kit/fixtures/test-system-allow-tokens.conf
new file mode 100644
index 000000000..4469483fc
--- /dev/null
+++ b/p11-kit/fixtures/test-system-allow-tokens.conf
@@ -0,0 +1,9 @@
+
+# Merge in user config
+user-config: merge
+
+key1: system1
+key2: system2
+key3: system3
+
+allow-tokens: pkcs11:model=TEST%20MODEL;manufacturer=TEST%20MANUFACTURER;serial=TEST%20SERIAL;token=TEST%20LABEL
diff --git a/p11-kit/fixtures/test-system-deny-tokens.conf b/p11-kit/fixtures/test-system-deny-tokens.conf
new file mode 100644
index 000000000..471f13fe1
--- /dev/null
+++ b/p11-kit/fixtures/test-system-deny-tokens.conf
@@ -0,0 +1,9 @@
+
+# Merge in user config
+user-config: merge
+
+key1: system1
+key2: system2
+key3: system3
+
+deny-tokens: pkcs11:model=TEST%20MODEL;manufacturer=TEST%20MANUFACTURER;serial=TEST%20SERIAL;token=TEST%20LABEL
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index fb99e31e6..94f61cf17 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -43,6 +43,7 @@
 #include "conf.h"
 #include "debug.h"
 #include "dict.h"
+#include "filter.h"
 #include "library.h"
 #include "log.h"
 #include "message.h"
@@ -53,6 +54,7 @@
 #include "private.h"
 #include "proxy.h"
 #include "rpc.h"
+#include "uri.h"
 #include "virtual.h"
 #include
@@ -1887,6 +1889,9 @@ prepare_module_inlock_reentrant (Module *mod,
 p11_virtual *virt;
 bool is_managed;
 bool with_log;
+ const char *allow_tokens;
+ const char *deny_tokens;
+ CK_RV rv = CKR_OK;
 assert (module != NULL);
@@ -1909,12 +1914,73 @@ prepare_module_inlock_reentrant (Module *mod,
 return_val_if_fail (virt != NULL, CKR_HOST_MEMORY);
 destroyer = managed_free_inlock;
+ allow_tokens = module_get_option_inlock (NULL, "allow-tokens");
+ deny_tokens = module_get_option_inlock (NULL, "deny-tokens");
+
+ if (allow_tokens && deny_tokens) {
+ p11_message ("'%s' and '%s' are mutually exclusive",
+ "allow-tokens", "deny-tokens");
+ rv = CKR_FUNCTION_NOT_SUPPORTED;
+ }
+
+ /* Add the filter if configured */
+ if (rv == CKR_OK && (allow_tokens || deny_tokens)) {
+ char *str, *tok, *saveptr;
+ P11KitUri *uri = NULL;
+
+ virt = p11_filter_subclass (virt, destroyer);
+ if (virt == NULL)
+ rv = CKR_HOST_MEMORY;
+ else
+ destroyer = p11_filter_release;
+
+ if (rv == CKR_OK) {
+ uri = p11_kit_uri_new ();
+ if (uri == NULL)
+ rv = CKR_HOST_MEMORY;
+ }
+
+ if (rv == CKR_OK) {
+ for (str = (char *) allow_tokens; ; str = NULL) {
+ tok = strtok_r (str, ", ", &saveptr);
+ if (tok == NULL)
+ break;
+ if (p11_kit_uri_parse (tok, P11_KIT_URI_FOR_TOKEN, uri) != P11_KIT_URI_OK) {
+ p11_message ("skipping unparsable URI '%s'",
+ tok);
+ } else {
+ p11_filter_allow_token (virt, p11_kit_uri_get_token_info (uri));
+ }
+ }
+
+ for (str = (char *) deny_tokens; ; str = NULL) {
+ tok = strtok_r (str, ", ", &saveptr);
+ if (tok == NULL)
+ break;
+ if (p11_kit_uri_parse (tok, P11_KIT_URI_FOR_TOKEN, uri) != P11_KIT_URI_OK) {
+ p11_message ("skipping unparsable URI '%s'",
+ tok);
+ } else {
+ p11_filter_deny_token (virt, p11_kit_uri_get_token_info (uri));
+ }
+ }
+ }
+
+ p11_kit_uri_free (uri);
+ }
+
 /* Add the logger if configured */
- if (p11_log_force || with_log) {
+ if (rv == CKR_OK && (p11_log_force || with_log)) {
 virt = p11_log_subclass (virt, destroyer);
- destroyer = p11_log_release;
+ if (virt == NULL)
+ rv = CKR_HOST_MEMORY;
+ else
+ destroyer = p11_log_release;
 }
+ if (rv != CKR_OK)
+ return rv;
+
 *module = p11_virtual_wrap (virt, destroyer);
 if (*module == NULL)
 return CKR_GENERAL_ERROR;
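Review bot: The two tokenising loops hand the option strings straight to `strtok_r`, which is unsafe in both loops. When only deny-tokens is set, the first loop calls `strtok_r (NULL, ", ", &saveptr)` with `saveptr` uninitialised (undefined behaviour), and the `(char *)` casts let strtok_r write NULs into the `const char *` values from module_get_option_inlock, so if those point into the shared configuration (not visible in this hunk) later modules would see only the first URI and a deny list would silently shrink. Because the two options are rejected when both are set, one private copy can be tokenised for whichever is present, as in the sketch below. Separately, an unparsable deny-tokens entry is only logged and skipped, which leaves that token visible; consider failing the module preparation instead. The enclosing function starts and ends outside the hunk.

```c
	if (rv == CKR_OK && (allow_tokens || deny_tokens)) {
		char *copy = NULL, *str, *tok, *saveptr = NULL;
		P11KitUri *uri = NULL;

		/* … unchanged: p11_filter_subclass and p11_kit_uri_new setup … */

		if (rv == CKR_OK) {
			/* strtok_r writes NULs into its input: work on a private copy */
			copy = strdup (allow_tokens ? allow_tokens : deny_tokens);
			if (copy == NULL)
				rv = CKR_HOST_MEMORY;
		}

		if (rv == CKR_OK) {
			for (str = copy; ; str = NULL) {
				tok = strtok_r (str, ", ", &saveptr);
				if (tok == NULL)
					break;
				if (p11_kit_uri_parse (tok, P11_KIT_URI_FOR_TOKEN, uri) != P11_KIT_URI_OK) {
					p11_message ("skipping unparsable URI '%s'",
					             tok);
				} else if (allow_tokens) {
					p11_filter_allow_token (virt, p11_kit_uri_get_token_info (uri));
				} else {
					p11_filter_deny_token (virt, p11_kit_uri_get_token_info (uri));
				}
			}
		}

		free (copy);
		p11_kit_uri_free (uri);
	}
```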
diff --git a/p11-kit/test-modules.c b/p11-kit/test-modules.c
index a2e1430e7..03e145dfe 100644
--- a/p11-kit/test-modules.c
+++ b/p11-kit/test-modules.c
@@ -462,6 +462,54 @@ test_config_option (void)
 finalize_and_free_modules (modules);
 }
+static void
+test_filter_tokens (void)
+{
+ CK_FUNCTION_LIST_PTR_PTR modules;
+ CK_FUNCTION_LIST_PTR module;
+ CK_ULONG count;
+ CK_RV rv;
+
+ modules = initialize_and_get_modules ();
+ module = lookup_module_with_name (modules, "four");
+ assert (module != NULL);
+ count = 32;
+ rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count);
+ assert_num_eq (CKR_OK, rv);
+ assert_num_eq (1, count);
+ finalize_and_free_modules (modules);
+
+ p11_kit_override_system_files (SRCDIR "/p11-kit/fixtures/test-system-deny-tokens.conf",
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+
+ modules = initialize_and_get_modules ();
+ module = lookup_module_with_name (modules, "four");
+ assert (module != NULL);
+ count = 32;
+ rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count);
+ assert_num_eq (CKR_OK, rv);
+ assert_num_eq (0, count);
+ finalize_and_free_modules (modules);
+
+ p11_kit_override_system_files (SRCDIR "/p11-kit/fixtures/test-system-allow-tokens.conf",
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+
+ modules = initialize_and_get_modules ();
+ module = lookup_module_with_name (modules, "four");
+ assert (module != NULL);
+ count = 32;
+ rv = (module->C_GetSlotList) (CK_TRUE, NULL, &count);
+ assert_num_eq (CKR_OK, rv);
+ assert_num_eq (1, count);
+ finalize_and_free_modules (modules);
+}
+
 int
 main (int argc,
 char *argv[])
@@ -480,6 +528,7 @@ main (int argc,
 p11_test (test_config_option, "/modules/test_config_option");
 p11_test (test_module_trusted_only, "/modules/trusted-only");
 p11_test (test_module_trust_flags, "/modules/trust-flags");
+ p11_test (test_filter_tokens, "/modules/test_filter_tokens");
 p11_kit_be_quiet ();
From 7d4b8af65dc0850f08ebea6412e3f317b05ef2ea Mon Sep 17 00:00:00 2001
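Review bot: test_filter_tokens uses fixtures that carry a single URI each, so the comma/space splitting in prepare_module_inlock_reentrant, the unparsable-URI path and the rejection of allow-tokens together with deny-tokens are never exercised. A fixture listing two URIs (with the matching one second) and a fixture setting both options would cover the paths where the filter could silently apply less than what was configured. The function also appears to leave the allow-tokens override installed when it returns, which is harmless only while it stays the last registered test; a comment such as `/* leaves the system config overridden; keep this test last */` would make that explicit.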
From: Daiki Ueno Date: Thu, 18 Jan 2018 17:23:25 +0100 Subject: [PATCH 2/2] proxy: Allow switching config profiles That is, by specifying the P11_KIT_PROXY_CONFIG envvar, user could apply different global settings for the proxy, e.g., allow-tokens and deny-tokens. --- p11-kit/proxy.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 8c437a0f9..b745c22a1 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -256,6 +256,11 @@ proxy_create (Proxy **res)
 CK_ULONG i, count;
 CK_RV rv = CKR_OK;
 Proxy *py;
+ const char *envvar;
+
+ envvar = secure_getenv ("P11_KIT_PROXY_CONFIG");
+ if (envvar && *envvar != '\0')
+ p11_kit_override_system_files (envvar, NULL, NULL, NULL, NULL);
 py = calloc (1, sizeof (Proxy));
 return_val_if_fail (py != NULL, CKR_HOST_MEMORY);
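Review bot: The new lookup in proxy_create carries no comment on how far the variable is trusted: secure_getenv ignores it in setuid/AT_SECURE processes, but in an ordinary process whoever controls the environment can point the proxy at a config without deny-tokens, so the token filter is a convenience and not a boundary against the invoking user. I would state that above the lookup, e.g. `/* P11_KIT_PROXY_CONFIG replaces the system config; ignored in setuid contexts (secure_getenv) */`. The path is handed to p11_kit_override_system_files unchecked and the override presumably stays in effect for the rest of the process, so it is worth confirming that a missing or unreadable file produces an error and does not load the modules unfiltered. proxy_create continues outside the hunk.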