From f28dc082ad7a7a431d1b66a0de87b5e484fe08b9 Mon Sep 17 00:00:00 2001
From: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Tue, 21 Oct 2014 10:00:52 -0500
Subject: [PATCH 1/2] pkcsep11_migrate: Fixed parameter handling for
pkcsep11_migrate tool - Hexadecimal values allowed for input
parameters - Non digit input parameters will be rejected
- Extended Error messages with ock error strings -
improved man-page
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
---
man/man1/pkcsep11_migrate.1.in | 8 +++++--
usr/sbin/pkcsep11_migrate/Makefile.am | 4 ++--
usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c | 36 +++++++++++++++++++---------
3 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/man/man1/pkcsep11_migrate.1.in b/man/man1/pkcsep11_migrate.1.in
index 0dffb1b..d1b21b0 100644
--- a/man/man1/pkcsep11_migrate.1.in
+++ b/man/man1/pkcsep11_migrate.1.in
@@ -25,8 +25,8 @@ Trusted Key Entry console (TKE) before using this utility.
.br
3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/.
.br
-4. After successfully appling the utility and before (re)starting programs
-using the EP11 token the new master key must be activated using the TKE.
+4. After successfully execution of the migrate utility and before (re)starting
+ programs using the EP11 token the new master key must be activated using the TKE.
.SH "COMMAND SUMMARY"
.IP "\fB-slot\fP \fIslot-number\fP" 10
@@ -35,8 +35,12 @@ specifies the token slot of the EP11 token
specifies an EP11 adapter ID.
(Refer to lszcrypt to get a list of installed crypto adapters.
The adapter ID will be the number xx in 'card\fBxx\fP' from the output.)
+This value can be provided either in hexadecimal (e.g. 0x0A) or decimal (10)
+notation.
.IP "\fB-domain\fP \fIdomain-ID\fP" 10
specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.)
+This value can be provided either in hexadecimal (e.g. 0x0B) or decimal (11)
+notation.
.IP "\fB-h\fP" 10
show usage information
diff --git a/usr/sbin/pkcsep11_migrate/Makefile.am b/usr/sbin/pkcsep11_migrate/Makefile.am
index 49deb74..b43756c 100644
--- a/usr/sbin/pkcsep11_migrate/Makefile.am
+++ b/usr/sbin/pkcsep11_migrate/Makefile.am
@@ -1,9 +1,9 @@
sbin_PROGRAMS=pkcsep11_migrate
-pkcsep11_migrate_SOURCES = pkcsep11_migrate.c
+pkcsep11_migrate_SOURCES = ../../lib/pkcs11/common/p11util.c pkcsep11_migrate.c
pkcsep11_migrate_CFLAGS = -I ../../include/pkcs11/ -I../../lib/pkcs11/ep11_stdll/ -DLINUX -DPROGRAM_NAME=\"$(@)\"
pkcsep11_migrate_LDFLAGS = -lc -ldl -lpthread
-INCLUDES = -I.
+INCLUDES = -I. -I../../lib/pkcs11/common
# Not all versions of automake observe sbinname_CFLAGS
# AM_CFLAGS = -DLINUX -DPROGRAM_NAME=\"$(@)\"
diff --git a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
index aa1c3f1..4325b9d 100644
--- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
+++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c
@@ -17,6 +17,7 @@
#include <pkcs11types.h>
#include <ep11.h>
#include <ep11adm.h>
+#include <p11util.h>
#define EP11SHAREDLIB "libep11.so"
#define PKCS11_MAX_PIN_LEN 128
@@ -180,16 +181,16 @@ check_card_status()
if (rc != CKR_OK)
{
- fprintf(stderr,"m_get_ep11_info rc %lx, valid apapter/domain %lx/%lx?.\n",
+ fprintf(stderr,"m_get_ep11_info rc 0x%lx, valid apapter/domain 0x%02lx/%ld?.\n",
rc,adapter,domain);
return -1;
}
if (CK_IBM_DOM_COMMITTED_NWK & dinf.flags) {
- fprintf(stderr,"Card ID %ld, domain ID %ld has committed pending(next) WK\n",
+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has committed pending(next) WK\n",
adapter, domain);
} else {
- fprintf(stderr,"Card ID %ld, domain ID %ld has no committed pending WK\n",
+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has no committed pending WK\n",
adapter, domain);
return -1;
}
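Review bot: The first message in this hunk is rewritten but keeps the misspelling `apapter` and the stray `?.` at its end, so the text an operator greps for stays wrong. While touching the line I would write `"m_get_ep11_info rc 0x%lx, valid adapter/domain 0x%02lx/%ld?\n"`. The `%lx`/`%ld` conversions assume `adapter` and `domain` are long-sized; their declarations are outside the hunk, and the parser in this same patch assigns them through an `(int)` cast, so that is worth confirming.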
@@ -277,15 +278,27 @@ do_ParseArgs(int argc, char **argv)
return 0;
}
else if (strcmp (argv[i], "-slot") == 0) {
- SLOT_ID = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Slot parameter is not numeric!\n");
+ return -1;
+ }
+ SLOT_ID = (int)strtol(argv[i+1], NULL, 0);
i++;
}
else if (strcmp (argv[i], "-adapter") == 0) {
- adapter = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Adapter parameter is not numeric!\n");
+ return -1;
+ }
+ adapter = (int)strtol(argv[i+1], NULL, 0);
i++;
}
else if (strcmp (argv[i], "-domain") == 0) {
- domain = atoi (argv[i+1]);
+ if (!isdigit(*argv[i+1])) {
+ printf("Domain parameter is not numeric!\n");
+ return -1;
+ }
+ domain = (int)strtol(argv[i+1], NULL, 0);
i++;
}
else {
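Review bot: The `isdigit(*argv[i+1])` guard added to the `-slot`, `-adapter` and `-domain` branches inspects only the first character and dereferences `argv[i+1]` without checking `i + 1 < argc`, so an option given as the last argument reads through argv's NULL terminator, and `12abc` is still accepted as 12 because `strtol` gets a NULL end pointer. The `(int)` cast also silently truncates out-of-range values, and passing a plain `char` to `isdigit` is undefined for bytes above 0x7f; for a utility that migrates token objects to a new master key on one specific adapter/domain, a mistyped value should fail instead of selecting a different one. Base 0 additionally reads a leading `0` as octal (`010` is 8), which the man page text does not mention. I would route all three options through one helper that checks the end pointer, `errno` and the range, as sketched below; it needs `<ctype.h>`, `<errno.h>` and `<limits.h>` if the file does not already include them. The loop of do_ParseArgs lies outside this hunk, so the argc bound is an assumption about how `i` is iterated.

```c
/* Parse a non-negative number (base 0); reject trailing junk and overflow. */
static int parse_num(const char *s, long max, long *out)
{
    char *end;

    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    *out = strtol(s, &end, 0);
    if (errno == ERANGE || *end != '\0' || *out > max)
        return -1;
    return 0;
}

/* ... unchanged: -h handling ... */
else if (strcmp (argv[i], "-slot") == 0) {
    long val;

    if (i + 1 >= argc || parse_num(argv[i+1], INT_MAX, &val) != 0) {
        printf("Slot parameter is not numeric!\n");
        return -1;
    }
    SLOT_ID = (int)val;
    i++;
}
/* ... same pattern for -adapter and -domain ... */
```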
@@ -374,7 +387,7 @@ int main (int argc, char **argv){
rc = funcs->C_OpenSession(SLOT_ID, flags,
NULL, NULL, &session );
if (rc != CKR_OK) {
- fprintf(stderr,"C_OpenSession() rc = %x\n",rc);
+ fprintf(stderr,"C_OpenSession() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
session = CK_INVALID_HANDLE;
return rc;
}
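Review bot: `rc` is printed with `%x` here, while `check_card_status` in this same patch prints its return code with `%lx`; if `rc` in main is a `CK_RV` (an unsigned long in PKCS#11, declaration outside the hunk) the conversion does not match the argument type. I would use `"C_OpenSession() rc = 0x%02lx [%s]\n"`. The same applies to the C_CloseAllSessions, C_Login, C_FindObjects and C_GetAttributeValue messages in the hunks that follow. main's body starts and ends outside this hunk.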
@@ -384,7 +397,7 @@ int main (int argc, char **argv){
fprintf(stderr,"get_user_pin() failed\n");
rc = funcs->C_CloseAllSessions(SLOT_ID);
if (rc != CKR_OK)
- fprintf(stderr,"C_CloseAllSessions() rc = %x\n",rc);
+ fprintf(stderr,"C_CloseAllSessions() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
return rc;
}
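Review bot: After `get_user_pin() failed` the code overwrites `rc` with the result of `C_CloseAllSessions` and returns it, so when the close succeeds main returns `CKR_OK` (0) and a calling script sees success although no PIN was obtained and nothing was migrated. I would keep the original failure by closing into a separate variable, `CK_RV crc = funcs->C_CloseAllSessions(SLOT_ID);`, reporting `crc` in the message and returning a non-zero value afterwards. The condition guarding this branch is above the hunk, so which error value to return has to be taken from there.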
@@ -392,7 +405,7 @@ int main (int argc, char **argv){
rc = funcs->C_Login(session, CKU_USER,
user_pin, user_pin_len);
if (rc != CKR_OK) {
- fprintf(stderr,"C_Login() rc = %x\n",rc);
+ fprintf(stderr,"C_Login() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
return rc;
}
@@ -410,7 +423,7 @@ int main (int argc, char **argv){
if (rc != CKR_OK)
{
- fprintf(stderr,"C_FindObjects() rc = %x\n",rc);
+ fprintf(stderr,"C_FindObjects() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc));
return rc;
}
@@ -443,7 +456,8 @@ int main (int argc, char **argv){
if (rc != CKR_OK)
{
- fprintf(stderr,"second C_GetAttributeValue failed %x\n",rc);
+ fprintf(stderr,"second C_GetAttributeValue failed rc = 0x%02x [%s]\n",
+ rc, p11_get_ckr(rc));
return rc;
}
else
--
2.1.0