From 0e81088dd1867bac13b845970e656dc72fede4ff Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 21 2021 07:15:21 +0000 Subject: import opencryptoki-3.15.1-7.el8_4 --- diff --git a/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch b/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch new file mode 100644 index 0000000..c38fef0 --- /dev/null +++ b/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch @@ -0,0 +1,28 @@ +commit 5824364d995e5d2418f885ee57e377e11d1b3302 +Author: Ingo Franzki +Date: Wed Jul 7 13:44:46 2021 +0200 + + pkcstok_migrate: Quote strings with spaces in opencryptoki.conf + + When modifying opencryptoki.conf during token migration, put quotes + around strings that contain spaces, e.g. for the slot description and + manufacturer. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 94fd1196..3df1596e 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val) + { + struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_TOKVERSION) ++ if (tok != KW_HWVERSION && tok != KW_FWVERSION && ++ strchr(val, ' ') != NULL) ++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); ++ else if (tok != KW_TOKVERSION) + fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); + return 0; + } diff --git a/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch b/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch new file mode 100644 index 0000000..8f1477c --- /dev/null +++ b/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch 
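Review bot: The new quoting branch in `parseupdate_key_str` writes `val` verbatim between double quotes, so a slot description or manufacturer that itself contains a `"` (or whatever escape character the opencryptoki.conf parser honours — the parser is not in view) yields a rewritten config that fails to load, and nothing in the hunk detects that case. This version of the function is reworked again by the d2f137c patch in the same import, but that rework keeps the same `" %s = \"%s\""` format, so the gap carries over. At minimum warn before writing, e.g. `if (strchr(val, '"') != NULL) TRACE_WARN("Value for %s contains a double quote, config may not parse\n", keyword_token_to_str(tok));`, so a migration does not silently leave an unloadable opencryptoki.conf behind.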
@@ -0,0 +1,104 @@ +commit d2f137cce5e6efb123842509352c7c49f889c67f +Author: Ingo Franzki +Date: Thu Jul 22 15:55:02 2021 +0200 + + pkcstok_migrate: Rework string quoting for opencryptoki.conf migration + + Due to the way the parser works, a slot description like + 'description = "slot"' works, but not without quotes ('description = slot'). + The word 'slot' is treated as a keyword if not quoted (besides other keywords, + too), so if the word 'slot' would appear in an unquoted string, the + configuration file would fail to parse. + + Always quote the value of 'description' and 'manufacturer'. Quote the + value of 'stdll', 'confname', and 'tokname' if it contains spaces, and + never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. + + 
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index a29dc8f7..853986e8 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2060,7 +2060,7 @@ done: + */ + static int parseupdate_ockversion(void *private, const char *version) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fprintf(u->f, "version %s", version); + return 0; +@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private) + + static void parseupdate_eol(void *private) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fputc('\n', u->f); + } + + static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + u->activeslot = (slot == u->slotnum); + if (nl_before_begin) +@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin) + + static int parseupdate_end_slot(void *private) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + if (u->activeslot) + fprintf(u->f, " tokversion = 3.12\n"); +@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private) + + static int parseupdate_key_str(void *private, int tok, const char *val) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_HWVERSION && tok != KW_FWVERSION && +- strchr(val, ' ') != NULL) ++ switch (tok) { ++ case KW_SLOTDESC: ++ case KW_MANUFID: + fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); +- else if (tok != KW_TOKVERSION) ++ break; ++ case KW_STDLL: ++ case KW_CONFNAME: ++ case 
KW_TOKNAME: ++ if (strchr(val, ' ') != NULL) ++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); ++ else ++ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); ++ break; ++ case KW_HWVERSION: ++ case KW_FWVERSION: + fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); ++ break; ++ } + return 0; + } + + static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + if (tok == KW_TOKVERSION && !u->activeslot) + fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok), +@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + + static void parseupdate_eolcomment(void *private, const char *comment) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fprintf(u->f, "#%s", comment); + } diff --git a/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch b/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch new file mode 100644 index 0000000..a3bf6ea --- /dev/null +++ b/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch @@ -0,0 +1,25 @@ +commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593 +Author: Ingo Franzki +Date: Thu Jul 8 15:18:30 2021 +0200 + + pkcstok_migrate: Don't remove 'tokversion = x.y' during migration + + When migrating a slot the opencryptoki.conf file is modified. If it + contains slots that already contain the 'tokversion = x.y' keyword, + this is accidentally removed when migrating another slot. + + 
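Review bot: The new `switch` in `parseupdate_key_str` has no `default:` case, so any string keyword the parser routes here other than the seven listed is silently dropped from the rewritten config, whereas the code being replaced wrote every key except tokversion. If the parser's string-keyword set is exactly these seven (not visible in this hunk) that is harmless, but a `default: fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); break;` keeps the previous behaviour for anything else and avoids losing options during migration. The quoted branches also still emit `val` unescaped between double quotes, so a value containing `"` produces a config that will not parse on reload; a `TRACE_WARN` on `strchr(val, '"') != NULL` would at least make that visible.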
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 3df1596e..05081aff 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + { + struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_TOKVERSION) ++ if (tok == KW_TOKVERSION && !u->activeslot) + fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok), + vers >> 16, vers & 0xffu); + return 0; diff --git a/SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch b/SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch new file mode 100644 index 0000000..128ea06 --- /dev/null +++ b/SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch @@ -0,0 +1,106 @@ +commit 5951869263b556280da53498270cf4826f779c5b +Author: Ingo Franzki +Date: Tue Jul 13 09:05:22 2021 +0200 + + pkcstok_migrate: Fix detection if pkcsslotd is still running + + Change the code to use the pid file that pkcsslotd creates, and check + if the process with the pid contained in the pid file still exists and + runs pkcsslotd. + + 
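Review bot: The new condition `tok == KW_TOKVERSION && !u->activeslot` in `parseupdate_key_vers` now drops any other keyword that reaches this callback, while the replaced `tok != KW_TOKVERSION` wrote them all; if tokversion is the only keyword the parser delivers as a version value (hwversion/firmwareversion go through `parseupdate_key_str` per the d2f137c patch in this import), that is fine, otherwise keep an `else if (tok != KW_TOKVERSION)` branch that still writes the value. A pre-existing nit on the context lines: the `%d.%d` format receives `unsigned int` operands (`vers >> 16`, `vers & 0xffu`), so `" %s = %u.%u"` matches the argument types.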
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 05081aff..a29dc8f7 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store) + */ + static CK_BBOOL pkcsslotd_running(void) + { +- DIR *dir; + FILE *fp; +- struct dirent* ent; + char* endptr; +- char buf[PATH_MAX]; ++ long lpid; + char fname[PATH_MAX]; ++ char buf[PATH_MAX]; ++ char* first; + + TRACE_INFO("Checking if pkcsslotd is running ...\n"); +- if (!(dir = opendir("/proc"))) { +- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n"); +- return CK_TRUE; ++ ++ fp = fopen(PID_FILE_PATH, "r"); ++ if (fp == NULL) { ++ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n", ++ PID_FILE_PATH); ++ return CK_FALSE; + } + +- while ((ent = readdir(dir)) != NULL) { +- /* if endptr is not a null character, the directory is not +- * entirely numeric, so ignore it */ +- long lpid = strtol(ent->d_name, &endptr, 10); +- if (*endptr != '\0') { +- continue; +- } ++ if (fgets(buf, sizeof(buf), fp) == NULL) { ++ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH, ++ strerror(errno)); ++ fclose(fp); ++ return CK_FALSE; ++ } ++ fclose(fp); + +- /* try to open the cmdline file */ +- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid); +- fp = fopen(fname, "r"); +- if (!fp) { +- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno)); +- return CK_TRUE; +- } ++ lpid = strtol(buf, &endptr, 10); ++ if (*endptr != '\0' && *endptr != '\n') { ++ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH, ++ buf); ++ return CK_FALSE; ++ } + +- /* check the first token in the file: the program pathname */ +- if (fgets(buf, sizeof(buf), fp) != NULL) { +- char* first = strtok(buf, " "); +- if (!first) { +- TRACE_WARN("Cannot read program name from %s, i.e. 
cannot check if pkcsslotd is running.\n", +- fname); +- return CK_TRUE; +- } +- if (strstr(first, "pkcsslotd") != NULL) { +- fclose(fp); +- closedir(dir); +- return CK_TRUE; +- } +- } ++ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid); ++ fp = fopen(fname, "r"); ++ if (fp == NULL) { ++ TRACE_INFO("Stale pid file, pkcsslotd is not running\n"); ++ return CK_FALSE; ++ } ++ ++ if (fgets(buf, sizeof(buf), fp) == NULL) { ++ TRACE_INFO("Failed to read '%s'\n", fname); + fclose(fp); ++ return CK_FALSE; + } ++ fclose(fp); + +- closedir(dir); +- return CK_FALSE; ++ first = strtok(buf, " "); ++ return (first != NULL && strstr(first, "pkcsslotd") != NULL); + } + + /** diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index f6fe29f..07c4f31 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.15.1 -Release: 6%{?dist} +Release: 7%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki @@ -21,6 +21,11 @@ Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch # https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890 Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch Patch6: opencryptoki-3.15.1-soft_token_does_not_check_if_an_EC_key_is_valid.patch +Patch7: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch +Patch8: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch +Patch9: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch +Patch10: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch + Requires(pre): coreutils BuildRequires: gcc BuildRequires: openssl-devel 
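Review bot: `Patch7` is the only new entry without an upstream reference: its filename carries no commit hash, while the patch body (commit `5951869263b556280da53498270cf4826f779c5b`) does, and `Patch5` already shows the convention; add `# https://github.com/opencryptoki/opencryptoki/commit/5951869263b556280da53498270cf4826f779c5b` above the `Patch7:` line. Also note that the `index` lines inside the four patches chain as 94fd1196 → 3df1596e → 05081aff → a29dc8f7 → 853986e8, i.e. upstream order is Patch8, Patch9, Patch7, Patch10, not the numeric order listed here; whether that matters depends on how `%prep` applies them (not in this hunk), but since the hunks touch different regions of pkcstok_migrate.c it presumably applies with an offset, and renumbering to the upstream order would remove that reliance on fuzz.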
@@ -346,6 +351,9 @@ fi %changelog +* Fri Aug 20 2021 Than Ngo - 3.15.1-7 +- Resolves: #1995919, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes + * Thu Jul 08 2021 Than Ngo - 3.15.1-6 - Resolves: #1979173, Soft token does not check if an EC key is valid