From f28dc082ad7a7a431d1b66a0de87b5e484fe08b9 Mon Sep 17 00:00:00 2001

From: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>

Date: Tue, 21 Oct 2014 10:00:52 -0500

Subject: [PATCH 1/2] pkcsep11_migrate: Fixed parameter handling for

 pkcsep11_migrate tool               - Hexadecimal values allowed for input

 parameters               - Non digit input parameters will be rejected       

        - Extended Error messages with ock error strings               -

 improved man-page

Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>

---

 man/man1/pkcsep11_migrate.1.in               |  8 +++++--

 usr/sbin/pkcsep11_migrate/Makefile.am        |  4 ++--

 usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c | 36 +++++++++++++++++++---------

 3 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/man/man1/pkcsep11_migrate.1.in b/man/man1/pkcsep11_migrate.1.in

index 0dffb1b..d1b21b0 100644

--- a/man/man1/pkcsep11_migrate.1.in

+++ b/man/man1/pkcsep11_migrate.1.in

@@ -25,8 +25,8 @@ Trusted Key Entry console (TKE) before using this utility.

 .br

 3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.

 .br

-4. After successfully appling the utility and before (re)starting programs

-using the EP11 token the new master key must be activated using the TKE.

+4. After successfully execution of the migrate utility and before (re)starting

+   programs using the EP11 token the new master key must be activated using the TKE.

 .SH "COMMAND SUMMARY"

 .IP "\fB-slot\fP \fIslot-number\fP" 10

@@ -35,8 +35,12 @@ specifies the token slot of the EP11 token

 specifies an EP11 adapter ID.

 (Refer to lszcrypt to get a list of installed crypto adapters.

 The adapter ID will be the number xx  in 'card\fBxx\fP' from the output.)

+This value can be provided either in hexadecimal (e.g. 0x0A) or decimal (10) 

+notation.

 .IP "\fB-domain\fP \fIdomain-ID\fP" 10

 specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.)

+This value can be provided either in hexadecimal (e.g. 0x0B) or decimal (11)

+notation.

 .IP "\fB-h\fP" 10

 show usage information

diff --git a/usr/sbin/pkcsep11_migrate/Makefile.am b/usr/sbin/pkcsep11_migrate/Makefile.am

index 49deb74..b43756c 100644

--- a/usr/sbin/pkcsep11_migrate/Makefile.am

+++ b/usr/sbin/pkcsep11_migrate/Makefile.am

@@ -1,9 +1,9 @@

 sbin_PROGRAMS=pkcsep11_migrate

-pkcsep11_migrate_SOURCES = pkcsep11_migrate.c 

+pkcsep11_migrate_SOURCES = ../../lib/pkcs11/common/p11util.c pkcsep11_migrate.c 

 pkcsep11_migrate_CFLAGS  = -I ../../include/pkcs11/ -I../../lib/pkcs11/ep11_stdll/ -DLINUX -DPROGRAM_NAME=\"$(@)\"

 pkcsep11_migrate_LDFLAGS = -lc  -ldl -lpthread

-INCLUDES = -I. 

+INCLUDES = -I. -I../../lib/pkcs11/common

 # Not all versions of automake observe sbinname_CFLAGS

 # AM_CFLAGS = -DLINUX -DPROGRAM_NAME=\"$(@)\"

diff --git a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c

index aa1c3f1..4325b9d 100644

--- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c

+++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c

@@ -17,6 +17,7 @@

 #include <pkcs11types.h>

 #include <ep11.h>

 #include <ep11adm.h>

+#include <p11util.h>

 #define EP11SHAREDLIB "libep11.so"

 #define PKCS11_MAX_PIN_LEN	128

@@ -180,16 +181,16 @@ check_card_status()

   if (rc != CKR_OK)

     {

-      fprintf(stderr,"m_get_ep11_info rc %lx, valid apapter/domain %lx/%lx?.\n",

+      fprintf(stderr,"m_get_ep11_info rc 0x%lx, valid apapter/domain 0x%02lx/%ld?.\n",

               rc,adapter,domain);

       return -1; 

     }

   if (CK_IBM_DOM_COMMITTED_NWK & dinf.flags) {

-    fprintf(stderr,"Card ID %ld, domain ID %ld has committed pending(next) WK\n",

+    fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has committed pending(next) WK\n",

             adapter, domain);

   } else {

-    fprintf(stderr,"Card ID %ld, domain ID %ld has no committed pending WK\n",

+    fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has no committed pending WK\n",

             adapter, domain);

     return -1; 

    }

@@ -277,15 +278,27 @@ do_ParseArgs(int argc, char **argv)

       return 0;

     }

     else if (strcmp (argv[i], "-slot") == 0) {

-      SLOT_ID = atoi (argv[i+1]);

+      if (!isdigit(*argv[i+1])) {

+         printf("Slot parameter is not numeric!\n");

+         return -1;

+      }

+      SLOT_ID = (int)strtol(argv[i+1], NULL, 0);

       i++;

     }

     else if (strcmp (argv[i], "-adapter") == 0) {

-      adapter = atoi (argv[i+1]);

+      if (!isdigit(*argv[i+1])) {

+         printf("Adapter parameter is not numeric!\n");

+         return -1;

+      }

+      adapter = (int)strtol(argv[i+1], NULL, 0);

       i++; 

     }

     else if (strcmp (argv[i], "-domain") == 0) {

-      domain = atoi (argv[i+1]);

+      if (!isdigit(*argv[i+1])) {

+         printf("Domain parameter is not numeric!\n");

+         return -1;

+      }

+      domain = (int)strtol(argv[i+1], NULL, 0);

       i++; 

     }

     else {

@@ -374,7 +387,7 @@ int main  (int argc, char **argv){

   rc = funcs->C_OpenSession(SLOT_ID, flags,             

                             NULL, NULL, &session );     

   if (rc != CKR_OK) {

-    fprintf(stderr,"C_OpenSession() rc = %x\n",rc);                    

+    fprintf(stderr,"C_OpenSession() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));

     session = CK_INVALID_HANDLE;    

     return rc; 

   }                                       

@@ -384,7 +397,7 @@ int main  (int argc, char **argv){

       fprintf(stderr,"get_user_pin() failed\n"); 

       rc = funcs->C_CloseAllSessions(SLOT_ID); 

       if (rc != CKR_OK) 

-        fprintf(stderr,"C_CloseAllSessions() rc = %x\n",rc); 

+        fprintf(stderr,"C_CloseAllSessions() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc)); 

       return rc; 

     }

@@ -392,7 +405,7 @@ int main  (int argc, char **argv){

   rc = funcs->C_Login(session, CKU_USER,                               

                       user_pin, user_pin_len);                         

   if (rc != CKR_OK) {                                                  

-    fprintf(stderr,"C_Login() rc = %x\n",rc);                                 

+    fprintf(stderr,"C_Login() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));                                 

     return rc; 

   }                                                                    

@@ -410,7 +423,7 @@ int main  (int argc, char **argv){

     if (rc != CKR_OK)

       {

-        fprintf(stderr,"C_FindObjects() rc = %x\n",rc);                                 

+        fprintf(stderr,"C_FindObjects() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));

         return rc; 

       }

@@ -443,7 +456,8 @@ int main  (int argc, char **argv){

             if (rc != CKR_OK)

               {

-                fprintf(stderr,"second C_GetAttributeValue failed %x\n",rc);

+                fprintf(stderr,"second C_GetAttributeValue failed rc = 0x%02x [%s]\n",

+			rc, p11_get_ckr(rc));

                 return rc; 

               }

             else

-- 

2.1.0