>From 56c47c3c664bf96a7e2603bcc107c7ae6bac4236 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Tue, 21 May 2013 12:34:29 +0200 Subject: [PATCH] Update to use new p11-kit APIs Some of the older APIs were deprecated in order to support multiple callers of the same PKCS#11 module correctly. This increases the necessary p11-kit to 0.19.1 or later. --- configure.ac | 5 +++-- lib/pkcs11.c | 48 ++++++++++++++++++++++-------------------------- 2 files changed, 25 insertions(+), 28 deletions(-) diff --git a/configure.ac b/configure.ac index 064d079..609a900 100644 --- a/configure.ac +++ b/configure.ac @@ -258,11 +258,12 @@ AC_DEFINE_UNQUOTED([UNBOUND_ROOT_KEY_FILE], dnl Check for p11-kit +P11_KIT_MINIMUM=0.19.1 AC_ARG_WITH(p11-kit, AS_HELP_STRING([--without-p11-kit], [Build without p11-kit and PKCS#11 support])) if test "$with_p11_kit" != "no"; then - PKG_CHECK_MODULES(P11_KIT, [p11-kit-1 >= 0.11], [with_p11_kit=yes], [with_p11_kit=no]) + PKG_CHECK_MODULES(P11_KIT, [p11-kit-1 >= $P11_KIT_MINIMUM], [with_p11_kit=yes], [with_p11_kit=no]) if test "$with_p11_kit" != "no";then AC_DEFINE([ENABLE_PKCS11], 1, [Build PKCS#11 support]) if test "x$GNUTLS_REQUIRES_PRIVATE" = "x"; then @@ -274,7 +275,7 @@ if test "$with_p11_kit" != "no"; then with_p11_kit=no AC_MSG_WARN([[ *** -*** p11-kit was not found. PKCS #11 support will be disabled. +*** p11-kit >= $P11_KIT_MINIMUM was not found. PKCS #11 support will be disabled. *** You may get it from http://p11-glue.freedesktop.org/p11-kit.html *** ]]) fi diff --git a/lib/pkcs11.c b/lib/pkcs11.c index 98ae83f..27ea3f4 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -45,7 +45,6 @@ struct gnutls_pkcs11_provider_s { struct ck_function_list *module; struct ck_info info; - unsigned int initialized; }; struct flags_find_data_st 
@@ -71,7 +70,6 @@ struct crt_find_data_st static struct gnutls_pkcs11_provider_s providers[MAX_PROVIDERS]; static unsigned int active_providers = 0; -static unsigned int initialized_registered = 0; gnutls_pkcs11_token_callback_t _gnutls_token_func; void *_gnutls_token_data; @@ -234,23 +232,28 @@ gnutls_pkcs11_add_provider (const char *name, const char *params) struct ck_function_list *module; int ret; - if (p11_kit_load_initialize_module (name, &module) != CKR_OK) + module = p11_kit_module_load (name, P11_KIT_MODULE_CRITICAL); + if (module == NULL) { gnutls_assert (); _gnutls_debug_log ("p11: Cannot load provider %s\n", name); return GNUTLS_E_PKCS11_LOAD_ERROR; } - ret = pkcs11_add_module (name, module); - if (ret == 0) + if (p11_kit_module_initialize (module) != CKR_OK) { - /* Mark this one as having been separately initialized */ - providers[active_providers - 1].initialized = 1; + p11_kit_module_release (module); + gnutls_assert (); + _gnutls_debug_log ("p11: Cannot initialize provider %s\n", name); + return GNUTLS_E_PKCS11_LOAD_ERROR; } - else + + ret = pkcs11_add_module (name, module); + if (ret != 0) { if (ret == GNUTLS_E_INT_RET_0) ret = 0; - p11_kit_finalize_module (module); + p11_kit_module_finalize (module); + p11_kit_module_release (module); gnutls_assert (); } 
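Review bot: Both new failure branches in gnutls_pkcs11_add_provider log only the provider name, so the reason a module was rejected is lost. The result of `p11_kit_module_initialize (module)` is compared with CKR_OK and then discarded. Keeping it in a `ck_rv_t rv` and logging `p11_kit_strerror (rv)` would match what gnutls_pkcs11_reinit does later in this patch, and the load failure could append `p11_kit_message ()` as initialize_automatic_p11_kit does. If it is used in the initialize branch, read the message before `p11_kit_module_release (module)` is called. The function continues outside the hunk.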
@@ -460,24 +463,20 @@ initialize_automatic_p11_kit (void) { struct ck_function_list **modules; char *name; - ck_rv_t rv; int i, ret; - rv = p11_kit_initialize_registered (); - if (rv != CKR_OK) + modules = p11_kit_modules_load_and_initialize (0); + if (modules == NULL) { gnutls_assert (); - _gnutls_debug_log ("Cannot initialize registered module: %s\n", - p11_kit_strerror (rv)); - return pkcs11_rv_to_err(rv); + _gnutls_debug_log ("Cannot initialize registered modules: %s\n", + p11_kit_message ()); + return GNUTLS_E_PKCS11_LOAD_ERROR; } - initialized_registered = 1; - - modules = p11_kit_registered_modules (); for (i = 0; modules[i] != NULL; i++) { - name = p11_kit_registered_module_to_name (modules[i]); + name = p11_kit_module_get_name (modules[i]); ret = pkcs11_add_module (name, modules[i]); if (ret != 0 && ret != GNUTLS_E_INT_RET_0) { @@ -487,6 +486,7 @@ initialize_automatic_p11_kit (void) free(name); } + /* Shallow free */ free (modules); return 0; } @@ -562,7 +562,7 @@ int gnutls_pkcs11_reinit (void) { if (providers[i].module != NULL) { - rv = p11_kit_initialize_module(providers[i].module); + rv = p11_kit_module_initialize (providers[i].module); if (rv != CKR_OK) _gnutls_debug_log ("Cannot initialize registered module '%s': %s\n", providers[i].info.library_description, p11_kit_strerror (rv)); @@ -595,15 +595,11 @@ gnutls_pkcs11_deinit (void) for (i = 0; i < active_providers; i++) { - if (providers[i].initialized) - p11_kit_finalize_module (providers[i].module); + p11_kit_module_finalize (providers[i].module); + p11_kit_module_release (providers[i].module); } active_providers = 0; - if (initialized_registered != 0) - p11_kit_finalize_registered (); - initialized_registered = 0; - gnutls_pkcs11_set_pin_function (NULL, NULL); gnutls_pkcs11_set_token_function (NULL, NULL); p11_kit_pin_unregister_callback (P11_KIT_PIN_FALLBACK, p11_kit_pin_file_callback, -- 1.8.2.1
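Review bot: A module that pkcs11_add_module rejects inside the loop has already been loaded and initialized by `p11_kit_modules_load_and_initialize (0)`, and nothing visible here finalizes or releases it before the array is shallow-freed in the next hunk. That includes the GNUTLS_E_INT_RET_0 result, which the `if` explicitly excludes from the failure branch. gnutls_pkcs11_deinit only walks providers[], so such a module would apparently stay initialized for the life of the process. gnutls_pkcs11_add_provider in this same patch handles the equivalent failure with `p11_kit_module_finalize (module); p11_kit_module_release (module);`. The body of the failure branch lies between this hunk and the next, so confirm that it does the same for `modules[i]`.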
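Review bot: In gnutls_pkcs11_deinit, the slot in the static providers[] array still holds the released pointer after `p11_kit_module_release (providers[i].module);`. gnutls_pkcs11_reinit in this patch tests `providers[i].module != NULL` before calling into a module, so NULL appears to be the empty-slot marker. Adding `providers[i].module = NULL;` right after the release would keep a stale pointer from being passed to p11-kit if any code path walks providers[] without the active_providers bound. The function starts and ends outside the hunk.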