diff --git a/.gitignore b/.gitignore index f618106..80cc070 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/opencryptoki-v3.2.tgz +SOURCES/opencryptoki-3.5.tgz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index 3af4ed2..07ed87a 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -876f34f5fc2dc6d1bd66b70710683854a2e0b265 SOURCES/opencryptoki-v3.2.tgz +bc66eeae637cb32288ade25826c98458d3fd7502 SOURCES/opencryptoki-3.5.tgz diff --git a/SOURCES/opencryptoki-3.2-Correctly-declare-OAEP-parameter-in-RSA-Wrap-tests-t.patch b/SOURCES/opencryptoki-3.2-Correctly-declare-OAEP-parameter-in-RSA-Wrap-tests-t.patch deleted file mode 100644 index 251d46d..0000000 --- a/SOURCES/opencryptoki-3.2-Correctly-declare-OAEP-parameter-in-RSA-Wrap-tests-t.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 1e86226c8a6c2f0f6fe262e5e4b9c5f01f5ce272 Mon Sep 17 00:00:00 2001 -From: Joy Latten -Date: Wed, 29 Oct 2014 15:23:12 -0500 -Subject: [PATCH 2/2] Correctly declare OAEP parameter in RSA Wrap tests to - prevent a possible scope issue. - -Signed-off-by: Joy Latten ---- - testcases/crypto/rsa_func.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c -index 36fe75b..89eb7d4 100644 ---- a/testcases/crypto/rsa_func.c -+++ b/testcases/crypto/rsa_func.c -@@ -725,6 +725,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO *tsuite) - CK_BYTE re_cipher[32]; - CK_ULONG cipher_len = 32; - CK_ULONG re_cipher_len = 32; -+ CK_RSA_PKCS_OAEP_PARAMS oaep_params; - - char *s; - -@@ -802,8 +803,6 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO *tsuite) - // get wrapping mechanism - wrap_mech = tsuite->mech; - if (wrap_mech.mechanism == CKM_RSA_PKCS_OAEP) { -- CK_RSA_PKCS_OAEP_PARAMS oaep_params; -- - oaep_params = tsuite->tv[i].oaep_params; - wrap_mech.pParameter = &oaep_params; - wrap_mech.ulParameterLen = sizeof(CK_RSA_PKCS_OAEP_PARAMS); --- -2.1.0 - 
diff --git a/SOURCES/opencryptoki-3.2-ep11-token-obj-class.patch b/SOURCES/opencryptoki-3.2-ep11-token-obj-class.patch deleted file mode 100644 index 2721d62..0000000 --- a/SOURCES/opencryptoki-3.2-ep11-token-obj-class.patch +++ /dev/null @@ -1,41 +0,0 @@ -diff -up opencryptoki/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.ep11 opencryptoki/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ---- opencryptoki/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.ep11 2016-01-28 14:07:08.314440344 +0100 -+++ opencryptoki/usr/lib/pkcs11/ep11_stdll/ep11_specific.c 2016-01-28 14:09:22.195368138 +0100 -@@ -2765,37 +2765,6 @@ CK_RV token_specific_generate_key_pair(S - private_key_obj->name, public_key_obj, private_key_obj); - } - -- /* copy CKA_CLASS, CKA_KEY_TYPE to private template */ -- if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) { -- rc = build_attribute(attr->type, attr->pValue, -- attr->ulValueLen, &n_attr); -- if (rc != CKR_OK) { -- EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc); -- goto error; -- } -- -- rc = template_update_attribute(private_key_obj->template, n_attr); -- if (rc != CKR_OK) { -- EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc); -- goto error; -- } -- } -- -- if (template_attribute_find(public_key_obj->template, CKA_KEY_TYPE, &attr)) { -- rc = build_attribute(attr->type, attr->pValue, -- attr->ulValueLen, &n_attr); -- if (rc != CKR_OK) { -- EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc); -- goto error; -- } -- -- rc = template_update_attribute(private_key_obj->template, n_attr); -- if (rc != CKR_OK) { -- EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc); -- goto error; -- } -- } -- - /* Keys should be fully constructed, - * assign object handles and store keys. - */ diff --git a/SOURCES/opencryptoki-3.2-fix-root-checks.patch b/SOURCES/opencryptoki-3.2-fix-root-checks.patch deleted file mode 100644 index b12297a..0000000 --- a/SOURCES/opencryptoki-3.2-fix-root-checks.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -diff --git a/usr/lib/pkcs11/api/shrd_mem.c.in b/usr/lib/pkcs11/api/shrd_mem.c.in -index 42022c7..9e70a26 100644 ---- a/usr/lib/pkcs11/api/shrd_mem.c.in -+++ b/usr/lib/pkcs11/api/shrd_mem.c.in -@@ -340,6 +340,7 @@ attach_shared_memory() { - struct stat statbuf; - struct group *grp; - struct passwd *pw, *epw; -+ uid_t uid, euid; - - #if !(MMAP) - // Really should fstat the tok_path, since it will be the actual -@@ -351,42 +352,36 @@ attach_shared_memory() { - return NULL; - } - -- -- // SAB check for the group id here and membership here as well -- grp = getgrnam("pkcs11"); -- if ( grp ) { -- int i=0; -- char member=0; -- -- pw = getpwuid(getuid()); -- -- epw = getpwuid(geteuid()); -- -- while( grp->gr_mem[i] ) { -- if (pw) { -- if ( strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name)) == 0 ){ -- member = 1; -- break; -- } -- } -- if (epw) { -- if ( strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name)) == 0 ){ -- member = 1; -- break; -- } -- } -- i++; -- } -- if ( ! member ) { -- return NULL; // SAB don't bother even attaching... 
-- } -- -- -- } else { -- return NULL; -+ uid = getuid(); -+ euid = geteuid(); -+ // only check group membership if not root user -+ if (uid != 0 && euid != 0) { -+ int i, member=0; -+ grp = getgrnam("pkcs11"); -+ if (!grp) { -+ // group pkcs11 not known to the system -+ return NULL; -+ } -+ pw = getpwuid(uid); -+ epw = getpwuid(euid); -+ for (i=0; grp->gr_mem[i]; i++) { -+ if (pw) { -+ if (!strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name))) { -+ member = 1; -+ break; -+ } -+ } -+ if (epw) { -+ if (!strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name))) { -+ member = 1; -+ break; -+ } -+ } -+ } -+ if (!member) { -+ return NULL; -+ } - } -- -- - - Anchor->shm_tok = ftok(TOK_PATH,'b'); - -diff --git a/usr/lib/pkcs11/common/new_host.c b/usr/lib/pkcs11/common/new_host.c -index b6275ab..6c49a07 100755 ---- a/usr/lib/pkcs11/common/new_host.c -+++ b/usr/lib/pkcs11/common/new_host.c -@@ -521,7 +521,7 @@ check_user_and_group() - euid = geteuid(); - - /* Root or effective Root is ok */ -- if (uid != 0 && euid != 0) -+ if (uid == 0 || euid == 0) - return CKR_OK; - - /* -@@ -541,8 +541,8 @@ check_user_and_group() - pw = getpwuid(uid); - epw = getpwuid(euid); - for (i = 0; grp->gr_mem[i]; i++) { -- if ((pw && strcmp(pw->pw_name, grp->gr_mem[i]) == 0) || -- (epw && strcmp(epw->pw_name, grp->gr_mem[i]) == 0)) -+ if ((pw && (strncmp(pw->pw_name, grp->gr_mem[i], strlen(pw->pw_name)) == 0)) || -+ (epw && (strncmp(epw->pw_name, grp->gr_mem[i], strlen(epw->pw_name)) == 0))) - return CKR_OK; - } - diff --git a/SOURCES/opencryptoki-3.2-pkcsep11_migrate-Fixed-parameter-handling-for-pkcsep.patch b/SOURCES/opencryptoki-3.2-pkcsep11_migrate-Fixed-parameter-handling-for-pkcsep.patch deleted file mode 100644 index 289f1f2..0000000 --- a/SOURCES/opencryptoki-3.2-pkcsep11_migrate-Fixed-parameter-handling-for-pkcsep.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -From f28dc082ad7a7a431d1b66a0de87b5e484fe08b9 Mon Sep 17 00:00:00 2001 -From: Ingo Tuchscherer -Date: Tue, 21 Oct 2014 10:00:52 -0500 -Subject: [PATCH 1/2] pkcsep11_migrate: Fixed parameter handling for - pkcsep11_migrate tool - Hexadecimal values allowed for input - parameters - Non digit input parameters will be rejected - - Extended Error messages with ock error strings - - improved man-page - -Signed-off-by: Ingo Tuchscherer ---- - man/man1/pkcsep11_migrate.1.in | 8 +++++-- - usr/sbin/pkcsep11_migrate/Makefile.am | 4 ++-- - usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c | 36 +++++++++++++++++++--------- - 3 files changed, 33 insertions(+), 15 deletions(-) - -diff --git a/man/man1/pkcsep11_migrate.1.in b/man/man1/pkcsep11_migrate.1.in -index 0dffb1b..d1b21b0 100644 ---- a/man/man1/pkcsep11_migrate.1.in -+++ b/man/man1/pkcsep11_migrate.1.in -@@ -25,8 +25,8 @@ Trusted Key Entry console (TKE) before using this utility. - .br - 3. Before using this tool make a back-up of the token objects in ep11tok/TOK_OBJ/. - .br --4. After successfully appling the utility and before (re)starting programs --using the EP11 token the new master key must be activated using the TKE. -+4. After successfully execution of the migrate utility and before (re)starting -+ programs using the EP11 token the new master key must be activated using the TKE. - - .SH "COMMAND SUMMARY" - .IP "\fB-slot\fP \fIslot-number\fP" 10 -@@ -35,8 +35,12 @@ specifies the token slot of the EP11 token - specifies an EP11 adapter ID. - (Refer to lszcrypt to get a list of installed crypto adapters. - The adapter ID will be the number xx in 'card\fBxx\fP' from the output.) -+This value can be provided either in hexadecimal (e.g. 0x0A) or decimal (10) -+notation. - .IP "\fB-domain\fP \fIdomain-ID\fP" 10 - specifies the usage domain for the EP11 adapter. (see /sys/bus/ap/ap_domain.) -+This value can be provided either in hexadecimal (e.g. 0x0B) or decimal (11) -+notation. 
- .IP "\fB-h\fP" 10 - show usage information - -diff --git a/usr/sbin/pkcsep11_migrate/Makefile.am b/usr/sbin/pkcsep11_migrate/Makefile.am -index 49deb74..b43756c 100644 ---- a/usr/sbin/pkcsep11_migrate/Makefile.am -+++ b/usr/sbin/pkcsep11_migrate/Makefile.am -@@ -1,9 +1,9 @@ - sbin_PROGRAMS=pkcsep11_migrate - --pkcsep11_migrate_SOURCES = pkcsep11_migrate.c -+pkcsep11_migrate_SOURCES = ../../lib/pkcs11/common/p11util.c pkcsep11_migrate.c - pkcsep11_migrate_CFLAGS = -I ../../include/pkcs11/ -I../../lib/pkcs11/ep11_stdll/ -DLINUX -DPROGRAM_NAME=\"$(@)\" - pkcsep11_migrate_LDFLAGS = -lc -ldl -lpthread --INCLUDES = -I. -+INCLUDES = -I. -I../../lib/pkcs11/common - - # Not all versions of automake observe sbinname_CFLAGS - # AM_CFLAGS = -DLINUX -DPROGRAM_NAME=\"$(@)\" -diff --git a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -index aa1c3f1..4325b9d 100644 ---- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -+++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - - #define EP11SHAREDLIB "libep11.so" - #define PKCS11_MAX_PIN_LEN 128 -@@ -180,16 +181,16 @@ check_card_status() - - if (rc != CKR_OK) - { -- fprintf(stderr,"m_get_ep11_info rc %lx, valid apapter/domain %lx/%lx?.\n", -+ fprintf(stderr,"m_get_ep11_info rc 0x%lx, valid apapter/domain 0x%02lx/%ld?.\n", - rc,adapter,domain); - return -1; - } - - if (CK_IBM_DOM_COMMITTED_NWK & dinf.flags) { -- fprintf(stderr,"Card ID %ld, domain ID %ld has committed pending(next) WK\n", -+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has committed pending(next) WK\n", - adapter, domain); - } else { -- fprintf(stderr,"Card ID %ld, domain ID %ld has no committed pending WK\n", -+ fprintf(stderr,"Card ID 0x%02lx, domain ID %ld has no committed pending WK\n", - adapter, domain); - return -1; - } -@@ -277,15 +278,27 @@ do_ParseArgs(int argc, char **argv) - return 0; - } - else if (strcmp (argv[i], "-slot") == 0) { -- SLOT_ID = atoi 
(argv[i+1]); -+ if (!isdigit(*argv[i+1])) { -+ printf("Slot parameter is not numeric!\n"); -+ return -1; -+ } -+ SLOT_ID = (int)strtol(argv[i+1], NULL, 0); - i++; - } - else if (strcmp (argv[i], "-adapter") == 0) { -- adapter = atoi (argv[i+1]); -+ if (!isdigit(*argv[i+1])) { -+ printf("Adapter parameter is not numeric!\n"); -+ return -1; -+ } -+ adapter = (int)strtol(argv[i+1], NULL, 0); - i++; - } - else if (strcmp (argv[i], "-domain") == 0) { -- domain = atoi (argv[i+1]); -+ if (!isdigit(*argv[i+1])) { -+ printf("Domain parameter is not numeric!\n"); -+ return -1; -+ } -+ domain = (int)strtol(argv[i+1], NULL, 0); - i++; - } - else { -@@ -374,7 +387,7 @@ int main (int argc, char **argv){ - rc = funcs->C_OpenSession(SLOT_ID, flags, - NULL, NULL, &session ); - if (rc != CKR_OK) { -- fprintf(stderr,"C_OpenSession() rc = %x\n",rc); -+ fprintf(stderr,"C_OpenSession() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc)); - session = CK_INVALID_HANDLE; - return rc; - } -@@ -384,7 +397,7 @@ int main (int argc, char **argv){ - fprintf(stderr,"get_user_pin() failed\n"); - rc = funcs->C_CloseAllSessions(SLOT_ID); - if (rc != CKR_OK) -- fprintf(stderr,"C_CloseAllSessions() rc = %x\n",rc); -+ fprintf(stderr,"C_CloseAllSessions() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc)); - return rc; - } - -@@ -392,7 +405,7 @@ int main (int argc, char **argv){ - rc = funcs->C_Login(session, CKU_USER, - user_pin, user_pin_len); - if (rc != CKR_OK) { -- fprintf(stderr,"C_Login() rc = %x\n",rc); -+ fprintf(stderr,"C_Login() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc)); - return rc; - } - -@@ -410,7 +423,7 @@ int main (int argc, char **argv){ - - if (rc != CKR_OK) - { -- fprintf(stderr,"C_FindObjects() rc = %x\n",rc); -+ fprintf(stderr,"C_FindObjects() rc = 0x%02x [%s]\n",rc, p11_get_ckr(rc)); - return rc; - } - -@@ -443,7 +456,8 @@ int main (int argc, char **argv){ - - if (rc != CKR_OK) - { -- fprintf(stderr,"second C_GetAttributeValue failed %x\n",rc); -+ fprintf(stderr,"second C_GetAttributeValue failed rc = 
0x%02x [%s]\n", -+ rc, p11_get_ckr(rc)); - return rc; - } - else --- -2.1.0 - diff --git a/SOURCES/opencryptoki-3.4-fix-root-checks.patch b/SOURCES/opencryptoki-3.4-fix-root-checks.patch new file mode 100644 index 0000000..ba2b5c7 --- /dev/null +++ b/SOURCES/opencryptoki-3.4-fix-root-checks.patch @@ -0,0 +1,13 @@ +diff -up opencryptoki/usr/lib/pkcs11/common/new_host.c.fix-root opencryptoki/usr/lib/pkcs11/common/new_host.c +diff -up opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root opencryptoki/usr/lib/pkcs11/common/utility.c +--- opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root 2015-12-04 15:27:56.038413538 +0100 ++++ opencryptoki/usr/lib/pkcs11/common/utility.c 2015-12-04 15:28:02.557395798 +0100 +@@ -1122,7 +1122,7 @@ CK_RV check_user_and_group() + euid = geteuid(); + + /* Root or effective Root is ok */ +- if (uid == 0 && euid == 0) ++ if (uid == 0 || euid == 0) + return CKR_OK; + + /* diff --git a/SOURCES/opencryptoki-3.5-coverity-null.patch b/SOURCES/opencryptoki-3.5-coverity-null.patch new file mode 100644 index 0000000..559a323 --- /dev/null +++ b/SOURCES/opencryptoki-3.5-coverity-null.patch @@ -0,0 +1,51 @@ +commit ca61c6e68ecd04c5f319056a6a3eba4b261f5481 +Author: Jakub Jelen +Date: Tue Jun 28 16:23:06 2016 -0400 + + Coverity:Check for NULL returns + 
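Review bot: The first line of the new opencryptoki-3.4-fix-root-checks.patch, `diff -up opencryptoki/usr/lib/pkcs11/common/new_host.c.fix-root opencryptoki/usr/lib/pkcs11/common/new_host.c`, is a file header with no `---`/`+++` or hunk after it; only the utility.c hunk follows. The 3.2 patch being removed did carry a new_host.c hunk for the same `uid == 0 || euid == 0` condition, so either that hunk was lost when the patch was re-based onto 3.4/3.5 and check_user_and_group in new_host.c still has the wrong check, or the stray header should be dropped so readers and patch tools do not expect a second file change. The body of check_user_and_group, including the group-membership loop that follows the root short-circuit, lies outside this hunk, so whether the prefix-matching strncmp from the old patch is still present cannot be seen here.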
Signed-off-by: Jakub Jelen + +diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c +index 3cbb8da..39ecae8 100755 +--- a/usr/lib/pkcs11/common/utility.c ++++ b/usr/lib/pkcs11/common/utility.c +@@ -589,6 +589,11 @@ CK_RV CreateXProcLock(void) + goto err; + } + grp = getgrnam("pkcs11"); ++ if (grp == NULL) { ++ fprintf(stderr, "getgrname(pkcs11): %s", ++ strerror(errno)); ++ goto err; ++ } + /* set ownership to euid, and pkcs11 group */ + if (chown(lockdir, geteuid(), grp->gr_gid) != 0) { + fprintf(stderr, "Failed to set owner:group \ +diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c +index 9863d52..9478e92 100644 +--- a/usr/lib/pkcs11/icsf_stdll/new_host.c ++++ b/usr/lib/pkcs11/icsf_stdll/new_host.c +@@ -813,6 +813,11 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags, + } + + sess = session_mgr_find(*phSession); ++ if (!sess) { ++ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID)); ++ rc = CKR_SESSION_HANDLE_INVALID; ++ goto done; ++ } + sess->handle = *phSession; + rc = icsftok_open_session(sess); + done: +@@ -835,6 +840,11 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession) + } + + sess = session_mgr_find(sSession->sessionh); ++ if (!sess) { ++ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID)); ++ rc = CKR_SESSION_HANDLE_INVALID; ++ goto done; ++ } + //set the handle here as handle is never set into session during creation + sess->handle = sSession->sessionh; + rc = icsftok_close_session(sess); diff --git a/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch b/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch new file mode 100644 index 0000000..7d36f83 --- /dev/null +++ b/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch @@ -0,0 +1,46 @@ +From 7d1d3131fd114af7b6e48074a04ee2a34f63d97a Mon Sep 17 00:00:00 2001 +From: Vineetha Pai +Date: Wed, 20 Jul 2016 11:05:06 -0400 +Subject: [PATCH] coverity scan fixes - memory leak and variable initialization + 
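Review bot: The new NULL guard after `grp = getgrnam("pkcs11");` in CreateXProcLock reports `strerror(errno)`, but getgrnam() returns NULL without touching errno when the group merely does not exist, so the message will print a stale or "Success" errno in the most likely failure case. Clear errno before the lookup and distinguish "not found" from a real error, e.g. `errno = 0;` before the call and `OCK_SYSLOG(LOG_ERR, "getgrnam(pkcs11): %s\n", errno ? strerror(errno) : "no such group");`, which also fixes the `getgrname` typo, adds the missing newline, and matches the OCK_SYSLOG used by the mkdir error path just above it. The two session_mgr_find guards in the ICSF new_host.c are correct as far as the hunk shows; whether the session handle created just before the lookup in SC_OpenSession needs releasing on that new error path depends on the `done:` cleanup, which is outside the hunk.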
Signed-off-by: Vineetha Pai + +--- + usr/lib/pkcs11/icsf_stdll/icsf_specific.c | 4 +++- + usr/lib/pkcs11/tpm_stdll/tpm_specific.c | 4 ++-- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c +index c9b986b..622fb6d 100644 +--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c ++++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c +@@ -4658,8 +4658,10 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, + case CKM_DES3_CBC_PAD: + case CKM_AES_CBC_PAD: + if ((rc = icsf_block_size(mech->mechanism, +- &expected_block_size))) ++ &expected_block_size))){ ++ free(key_mapping); + return rc; ++ } + + if (mech->ulParameterLen != expected_block_size) { + TRACE_ERROR("Invalid mechanism parameter length: %lu " +diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c +index 2a20d7d..3104d9d 100644 +--- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c ++++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c +@@ -3398,9 +3398,9 @@ token_specific_creatlock(void) + struct passwd *pw = NULL; + struct stat statbuf; + mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR); +- int lockfd; ++ int lockfd = -1;; + int ret = -1; +- struct group *grp; ++ struct group *grp = NULL; + + /* get userid */ + if ((pw = getpwuid(getuid())) == NULL) { +-- +2.7.4 + diff --git a/SOURCES/opencryptoki-3.5-create-log-lock.patch b/SOURCES/opencryptoki-3.5-create-log-lock.patch new file mode 100644 index 0000000..171c1e3 --- /dev/null +++ b/SOURCES/opencryptoki-3.5-create-log-lock.patch 
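Review bot: `int lockfd = -1;;` in token_specific_creatlock carries a stray second semicolon; it compiles as an empty statement but reads as a typo and should be `int lockfd = -1;`. The added `free(key_mapping)` before the early `return rc` in icsftok_unwrap_key closes the leak on that path, but the function continues outside the hunk, so I cannot confirm the remaining error returns after the block-size check release it as well.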
@@ -0,0 +1,676 @@ +commit 8962d298d98df0331d3870e2a490e1781a33a872 +Author: Vineetha Pai +Date: Fri Jun 3 16:34:54 2016 -0400 + + 1) Create lock and log directories from pkcsslotd when + they are not available on the system. + 2) The patch also does basic sanity checks of asserting the presence + of pkcs11 group, euid, gid of the process running pkcsslotd. + 3) The patch also checks if token directories are available on + the system. + 4) The token lock sub-directories are created from opencryptoki while + the token is configured via pkcsconf or when the first call to the token + is made via C_Initialize. + Signed-off-by: Vineetha Pai + 
Signed-off-by: Harald Freudenberger + +diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c +index 9f58849..3cbb8da 100755 +--- a/usr/lib/pkcs11/common/utility.c ++++ b/usr/lib/pkcs11/common/utility.c +@@ -557,9 +557,11 @@ static int spinxplfd = -1; + CK_RV CreateXProcLock(void) + { + CK_BYTE lockfile[PATH_MAX]; ++ CK_BYTE lockdir[PATH_MAX]; + struct group *grp; + struct stat statbuf; + mode_t mode = (S_IRUSR | S_IRGRP); ++ int ret = -1; + + if (spinxplfd == -1) { + +@@ -571,9 +573,42 @@ CK_RV CreateXProcLock(void) + return CKR_FUNCTION_FAILED; + } + ++ /** create lock subdir for each token if it doesn't exist. ++ * The root directory should be created in slotmgr daemon **/ ++ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR); ++ ++ ret = stat(lockdir, &statbuf); ++ if (ret != 0 && errno == ENOENT) { ++ /* dir does not exist, try to create it */ ++ ret = mkdir(lockdir, S_IRWXU|S_IRWXG); ++ if (ret != 0) { ++ OCK_SYSLOG(LOG_ERR, ++ "Directory(%s) missing: %s\n", ++ lockdir, ++ strerror(errno)); ++ goto err; ++ } ++ grp = getgrnam("pkcs11"); ++ /* set ownership to euid, and pkcs11 group */ ++ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) { ++ fprintf(stderr, "Failed to set owner:group \ ++ ownership\ ++ on %s directory", lockdir); ++ goto err; ++ } ++ /* mkdir does not set group permission right, so ++ ** trying explictly here again */ ++ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){ ++ fprintf(stderr, "Failed to change \ ++ permissions\ ++ on %s directory", lockdir); ++ goto err; ++ } ++ } ++ + /* create user lock file */ + sprintf(lockfile, "%s/%s/LCK..%s", +- LOCKDIR_PATH, SUB_DIR, SUB_DIR); ++ LOCKDIR_PATH, SUB_DIR, SUB_DIR); + + if (stat(lockfile, &statbuf) == 0) + spinxplfd = open(lockfile, O_RDONLY, mode); +@@ -583,30 +618,30 @@ CK_RV CreateXProcLock(void) + /* umask may prevent correct mode,so set it. 
*/ + if (fchmod(spinxplfd, mode) == -1) { + OCK_SYSLOG(LOG_ERR, "fchmod(%s): %s\n", +- lockfile, strerror(errno)); ++ lockfile, strerror(errno)); + goto err; + } + + grp = getgrnam("pkcs11"); + if (grp != NULL) { + if (fchown(spinxplfd, -1, grp->gr_gid) +- == -1) { ++ == -1) { + OCK_SYSLOG(LOG_ERR, +- "fchown(%s): %s\n", +- lockfile, +- strerror(errno)); ++ "fchown(%s): %s\n", ++ lockfile, ++ strerror(errno)); + goto err; + } + } else { + OCK_SYSLOG(LOG_ERR, "getgrnam(): %s\n", +- strerror(errno)); ++ strerror(errno)); + goto err; + } + } + } + if (spinxplfd == -1) { + OCK_SYSLOG(LOG_ERR, "open(%s): %s\n", +- lockfile, strerror(errno)); ++ lockfile, strerror(errno)); + return CKR_FUNCTION_FAILED; + } + } +diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c +index 8a2f521..e28fadb 100755 +--- a/usr/sbin/pkcsslotd/slotmgr.c ++++ b/usr/sbin/pkcsslotd/slotmgr.c +@@ -8,10 +8,10 @@ + + 1. DEFINITIONS + +- "Contribution" means: ++ "Contribution" means: + a) in the case of the initial Contributor, the + initial code and documentation distributed under +- this Agreement, and ++ this Agreement, and + + b) in the case of each subsequent Contributor: + i) changes to the Program, and +@@ -35,7 +35,7 @@ + "Licensed Patents " mean patent claims licensable by a + Contributor which are necessarily infringed by the use or + sale of its Contribution alone or when combined with the +- Program. ++ Program. + + "Program" means the Contributions distributed in + accordance with this Agreement. +@@ -130,7 +130,7 @@ + a) it must be made available under this Agreement; + and + b) a copy of this Agreement must be included with +- each copy of the Program. ++ each copy of the Program. + + Contributors may not remove or alter any copyright notices + contained within the Program. 
+@@ -138,7 +138,7 @@ + Each Contributor must identify itself as the originator of + its Contribution, if any, in a manner that reasonably + allows subsequent Recipients to identify the originator of +- the Contribution. ++ the Contribution. + + + 4. COMMERCIAL DISTRIBUTION +@@ -199,7 +199,7 @@ + Agreement, including but not limited to the risks and + costs of program errors, compliance with applicable laws, + damage to or loss of data, programs or equipment, and +- unavailability or interruption of operations. ++ unavailability or interruption of operations. + + 6. DISCLAIMER OF LIABILITY + EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER +@@ -248,7 +248,7 @@ + use and distribution of the Program as soon as reasonably + practicable. However, Recipient's obligations under this + Agreement and any licenses granted by Recipient relating +- to the Program shall continue and survive. ++ to the Program shall continue and survive. + + Everyone is permitted to copy and distribute copies of + this Agreement, but in order to avoid inconsistency the +@@ -280,7 +280,7 @@ + States of America. No party to this Agreement will bring a + legal action under this Agreement more than one year after + the cause of action arose. Each party waives its rights to +- a jury trial in any resulting litigation. ++ a jury trial in any resulting litigation. 
+ + + +@@ -294,6 +294,8 @@ + #include + #include + #include ++#include ++#include + + #include "log.h" + #include "slotmgr.h" +@@ -309,8 +311,13 @@ unsigned char NumberSlotsInDB = 0; + int socketfd; + Slot_Mgr_Socket_t socketData; + +-/* +- We make main() able to modify Daemon so that we can ++struct dircheckinfo_s { ++ const char *dir; ++ int mode; ++}; ++ ++/* ++ We make main() able to modify Daemon so that we can + daemonize or not based on a command-line argument + */ + extern BOOL Daemon; +@@ -322,9 +329,9 @@ DumpSharedMemory(void) + u_int32 *p; + char Buf[PATH_MAX]; + u_int32 i; +- ++ + p = (u_int32 *) shmp; +- ++ + for ( i = 0; i < 15; i++ ) { + sprintf(Buf, "%08X %08X %08X %08X", p[0+(i*4)], p[1+(i*4)], p[2+(i*4)], p[3+(i*4)]); + LogLog(Buf); +@@ -332,6 +339,83 @@ DumpSharedMemory(void) + return; + } + ++/** This function does basic sanity checks to make sure the ++ * eco system is in place for opencryptoki to run properly. ++ **/ ++void run_sanity_checks() ++{ ++ int i, ec, uid = -1; ++ struct group *grp = NULL; ++ struct stat sbuf; ++ struct dircheckinfo_s dircheck[] = { ++ //drwxrwx--- ++ {LOCKDIR_PATH, S_IRWXU|S_IRWXG}, ++ {OCK_LOGDIR, S_IRWXU|S_IRWXG}, ++ {NULL, 0}, ++ }; ++ ++ /* first check that our effective user id is root */ ++ uid = (int) geteuid(); ++ if (uid != 0) { ++ fprintf(stderr, "This daemon needs root privilegies, but the effective user id is not 'root'.\n"); ++ exit(1); ++ } ++ ++ /* check that the pkcs11 group exists */ ++ grp = getgrnam("pkcs11"); ++ if (!grp) { ++ fprintf(stderr, "There is no 'pkcs11' group on this system.\n"); ++ exit(1); ++ } ++ ++ /* check effective group id */ ++ uid = (int) getegid(); ++ if (uid != 0 && uid != (int) grp->gr_gid) { ++ fprintf(stderr, "This daemon should have an effective group id of 'root' or 'pkcs11'.\n"); ++ exit(1); ++ } ++ ++ /* Create base lock and log directory here. 
API..Lock file is ++ * accessed from the daemon in CreateXProcLock() in mutex.c.*/ ++ for (i=0; dircheck[i].dir != NULL; i++) { ++ ec = stat(dircheck[i].dir, &sbuf); ++ if (ec != 0 && errno == ENOENT) { ++ /* dir does not exist, try to create it */ ++ ec = mkdir(dircheck[i].dir, dircheck[i].mode); ++ if (ec != 0) { ++ fprintf(stderr, "Directory %s missing\n", ++ dircheck[i].dir); ++ exit(2); ++ } ++ /* set ownership to root, and pkcs11 group */ ++ if (chown(dircheck[i].dir, geteuid(), grp->gr_gid) != 0) { ++ fprintf(stderr, "Failed to set owner:group \ ++ ownership\ ++ on %s directory", dircheck[i].dir); ++ exit(1); ++ } ++ /* mkdir does not set group permission right, so ++ * trying explictly here again */ ++ if (chmod(dircheck[i].dir, dircheck[i].mode) != 0){ ++ fprintf(stderr, "Failed to change \ ++ permissions\ ++ on %s directory", dircheck[i].dir); ++ exit(1); ++ } ++ } ++ } ++ ++ /** check if token directory is available, if not flag an error. ++ * We do not create token directories here as admin should ++ * configure and decide which tokens to expose to opencryptoki ++ * outside of opencryptoki and pkcsslotd */ ++ ec = stat(CONFIG_PATH, &sbuf); ++ if (ec != 0 && errno == ENOENT) { ++ fprintf(stderr, "Token directories missing\n"); ++ exit(2); ++ } ++} ++ + /***************************************** + * main() - + * You know what main does. +@@ -341,205 +425,191 @@ DumpSharedMemory(void) + *****************************************/ + + int main ( int argc, char *argv[], char *envp[]) { +- int ret; +- +- /**********************************/ +- /* Read in command-line arguments */ +- /**********************************/ +- +- /* FIXME: Argument for daemonizing or not */ +- /* FIXME: Argument for debug level */ +- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) 
*/ +- +- +- /* Report our debug level */ +- if ( GetDebugLevel() > DEBUG_NONE) { +- +- DbgLog(GetDebugLevel(), "Starting with debugging messages logged at level %d (%d = No messages; %d = few; %d = more, etc.)", +- GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1); +- +- } +- +- +- /* Save our startup directory */ +- SaveStartupDirectory( argv[0] ); +- +- ret = load_and_parse(OCK_CONFIG); +- if (ret != 0) { +- ErrLog("Failed to read config file.\n"); +- return 1; +- } else +- DbgLog (DL0, "Parse config file succeeded.\n"); +- +- /* Allocate and Attach the shared memory region */ +- if ( ! CreateSharedMemory() ) { +- /* CreateSharedMemory() does it's own error logging */ +- return 1; +- } +- +- DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok); +- +- /* Now that we've created the shared memory segment, we attach to it */ +- if ( ! AttachToSharedMemory() ) { +- /* AttachToSharedMemory() does it's own error logging */ +- DestroySharedMemory(); +- return 2; +- } +- +- /* Initialize the global shared memory mutex (and the attribute used to create the per-process mutexes */ +- if ( ! InitializeMutexes() ) { +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 3; +- } +- +- /* Get the global shared memory mutex */ +- +- XProcLock(); +- +- /* Populate the Shared Memory Region */ +- if ( ! 
InitSharedMemory(shmp) ) { +- +- XProcUnLock(); +- +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 4; +- } +- +- /* Release the global shared memory mutex */ +- XProcUnLock(); +- +- if ((socketfd = CreateListenerSocket()) < 0) { +- DestroyMutexes(); +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 5; +- } +- +- if (!InitSocketData(&socketData)) { +- DetachSocketListener(socketfd); +- DestroyMutexes(); +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 6; +- } +- +- /* +- * Become a Daemon, if called for +- */ +- if ( Daemon ) { +- pid_t pid; +- if ( (pid = fork()) < 0 ){ +- DetachSocketListener(socketfd); +- DestroyMutexes(); +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 7; +- } else { +- if ( pid != 0) { +- exit(0); // Terminate the parent +- } else { +- +- setsid(); // Session leader +-#ifndef DEV +- fclose(stderr); +- fclose(stdout); +- fclose(stdin); +-#endif ++ int ret; + +- } +- } ++ /**********************************/ ++ /* Read in command-line arguments */ ++ /**********************************/ + ++ /* FIXME: Argument for daemonizing or not */ ++ /* FIXME: Argument for debug level */ ++ /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) 
*/ + +- } else { ++ /* Do some basic sanity checks */ ++ run_sanity_checks(); + +-#ifdef DEV +- // Log only on development builds +- LogLog("Not becoming a daemon...\n"); +-#endif ++ /* Report our debug level */ ++ if ( GetDebugLevel() > DEBUG_NONE) { ++ DbgLog(GetDebugLevel(), "Starting with debugging messages logged at \ ++ level %d (%d = No messages; %d = few; %d = more, etc.)", ++ GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1); ++ } ++ ++ /* Save our startup directory */ ++ SaveStartupDirectory( argv[0] ); ++ ++ ret = load_and_parse(OCK_CONFIG); ++ if (ret != 0) { ++ ErrLog("Failed to read config file.\n"); ++ return 1; ++ } else ++ DbgLog (DL0, "Parse config file succeeded.\n"); + +- } ++ /* Allocate and Attach the shared memory region */ ++ if ( ! CreateSharedMemory() ) { ++ /* CreateSharedMemory() does it's own error logging */ ++ return 1; ++ } + +- +- /***************************************** +- * +- * Register Signal Handlers +- * Daemon probably should ignore ALL signals possible, since termination +- * while active is a bad thing... however one could check for +- * any processes active in the shared memory, and destroy the shm if +- * the process wishes to terminate. +- * +- *****************************************/ ++ DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok); + +- /* +- * We have to set up the signal handlers after we daemonize because +- * the daemonization process redefines our handler for (at least) SIGTERM +- */ ++ /* Now that we've created the shared memory segment, we attach to it */ ++ if ( ! AttachToSharedMemory() ) { ++ /* AttachToSharedMemory() does it's own error logging */ ++ DestroySharedMemory(); ++ return 2; ++ } + +- if ( ! SetupSignalHandlers() ) { +- DetachSocketListener(socketfd); +- DestroyMutexes(); +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 8; +- } ++ /* Initialize the global shared memory mutex (and the attribute ++ * used to create the per-process mutexes */ ++ if ( ! 
InitializeMutexes() ) { ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 3; ++ } + ++ /* Get the global shared memory mutex */ ++ XProcLock(); + ++ /* Populate the Shared Memory Region */ ++ if ( ! InitSharedMemory(shmp) ) { + ++ XProcUnLock(); + +- /* ultimatly we will create a couple of threads which monitor the slot db +- and handle the insertion and removal of tokens from the slot. +- */ ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 4; ++ } + +- /* For Testing the Garbage collection routines */ +- /* +- shmp->proc_table[3].inuse = TRUE; +- shmp->proc_table[3].proc_id = 24328; +- */ ++ /* Release the global shared memory mutex */ ++ XProcUnLock(); + +-#if !defined(NOGARBAGE) +-printf("Start garbage \n"); +- /* start garbage collection thread */ +- if ( ! StartGCThread(shmp) ) { +- DetachSocketListener(socketfd); +- DestroyMutexes(); +- DetachFromSharedMemory(); +- DestroySharedMemory(); +- return 9; +- } ++ if ((socketfd = CreateListenerSocket()) < 0) { ++ DestroyMutexes(); ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 5; ++ } ++ ++ if (!InitSocketData(&socketData)) { ++ DetachSocketListener(socketfd); ++ DestroyMutexes(); ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 6; ++ } ++ ++ /* ++ * Become a Daemon, if called for ++ */ ++ if ( Daemon ) { ++ pid_t pid; ++ if ( (pid = fork()) < 0 ){ ++ DetachSocketListener(socketfd); ++ DestroyMutexes(); ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 7; ++ } else { ++ if ( pid != 0) { ++ exit(0); // Terminate the parent ++ } else { ++ ++ setsid(); // Session leader ++#ifndef DEV ++ fclose(stderr); ++ fclose(stdout); ++ fclose(stdin); ++#endif ++ } ++ } ++ } else { ++#ifdef DEV ++ // Log only on development builds ++ LogLog("Not becoming a daemon...\n"); + #endif ++ } + +- // We've fully become a daemon. 
Now create the PID file +- { +- FILE *pidfile; ++ /***************************************** ++ * ++ * Register Signal Handlers ++ * Daemon probably should ignore ALL signals possible, since termination ++ * while active is a bad thing... however one could check for ++ * any processes active in the shared memory, and destroy the shm if ++ * the process wishes to terminate. ++ * ++ *****************************************/ ++ ++ /* ++ * We have to set up the signal handlers after we daemonize because ++ * the daemonization process redefines our handler for (at least) SIGTERM ++ */ ++ if ( ! SetupSignalHandlers() ) { ++ DetachSocketListener(socketfd); ++ DestroyMutexes(); ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 8; ++ } + +- pidfile = fopen(PID_FILE_PATH,"w"); +- if (pidfile) { +- fprintf(pidfile,"%d",getpid()); +- fclose(pidfile); +- } +- } ++ /* ultimatly we will create a couple of threads which monitor the slot db ++ and handle the insertion and removal of tokens from the slot. ++ */ + +- while (1) { +-#if !(THREADED) && !(NOGARBAGE) +- CheckForGarbage(shmp); +-#endif ++ /* For Testing the Garbage collection routines */ ++ /* ++ shmp->proc_table[3].inuse = TRUE; ++ shmp->proc_table[3].proc_id = 24328; ++ */ + +- SocketConnectionHandler(socketfd, 10); ++#if !defined(NOGARBAGE) ++ printf("Start garbage \n"); ++ /* start garbage collection thread */ ++ if ( ! StartGCThread(shmp) ) { ++ DetachSocketListener(socketfd); ++ DestroyMutexes(); ++ DetachFromSharedMemory(); ++ DestroySharedMemory(); ++ return 9; ++ } ++#endif + +- } ++ // We've fully become a daemon. Now create the PID file ++ { ++ FILE *pidfile; + ++ pidfile = fopen(PID_FILE_PATH,"w"); ++ if (pidfile) { ++ fprintf(pidfile,"%d",getpid()); ++ fclose(pidfile); ++ } ++ } + +- /************************************************************* +- * +- * Here we need to actualy go through the processes and verify that thye +- * still exist. 
If not, then they terminated with out properly calling
+- * C_Finalize and therefore need to be removed from the system.
+- * Look for a system routine to determine if the shared memory is held by
+- * the process to further verify that the proper processes are in the
+- * table.
+- *
+- *************************************************************/
++ while (1) {
++#if !(THREADED) && !(NOGARBAGE)
++ CheckForGarbage(shmp);
++#endif
++ SocketConnectionHandler(socketfd, 10);
++ }
+
++ /*************************************************************
++ *
++ * Here we need to actualy go through the processes and verify that thye
++ * still exist. If not, then they terminated with out properly calling
++ * C_Finalize and therefore need to be removed from the system.
++ * Look for a system routine to determine if the shared memory is held by
++ * the process to further verify that the proper processes are in the
++ * table.
++ *
++ *************************************************************/
+ } /* end main */
diff --git a/SOURCES/opencryptoki-3.5-ecdsa-return.patch b/SOURCES/opencryptoki-3.5-ecdsa-return.patch
new file mode 100644
index 0000000..527f452
--- /dev/null
+++ b/SOURCES/opencryptoki-3.5-ecdsa-return.patch
@@ -0,0 +1,19 @@
+commit 165a1020da10ddbdc39e51e9a411a5c09f6dbae6
+Author: Vineetha Pai
+Date: Thu May 19 16:46:51 2016 -0400
+
+ Added pkcs11 mapping for icsf reason code 72 for return code 8
+ Signed-off-by: Vineetha Pai
+
+diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+index d71b19f..5b7fb45 100644
+--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
++++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+@@ -258,6 +258,7 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
+ return CKR_KEY_HANDLE_INVALID;
+ case 3045:
+ return CKR_KEY_UNEXTRACTABLE;
++ case 72:
+ case 11000:
+ return CKR_DATA_LEN_RANGE;
+ case 11028:
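Review bot: The added `case 72:` carries no comment saying which ICSF condition it stands for, and the hunk does not show the enclosing `switch` on the return code, so a reader cannot confirm from the patch alone that the label sits under the rc=8 branch the commit message names. A short comment, `case 72: /* ICSF rc=8, reason 72: treated like 11000 (data length out of range) */`, would record that intent next to the code, with the wording checked against the ICSF reason-code documentation. The new label also breaks the ascending order of the surrounding cases (3045, 11000, 11028); keeping the labels sorted makes later merges into this long switch less error-prone. `icsf_to_ock_err` begins and ends outside the hunk.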
diff --git a/SOURCES/opencryptoki-3.5-icsf-error.patch b/SOURCES/opencryptoki-3.5-icsf-error.patch
new file mode 100644
index 0000000..92cfc63
--- /dev/null
+++ b/SOURCES/opencryptoki-3.5-icsf-error.patch
@@ -0,0 +1,21 @@
+commit f45ddf572c05cbeb54c524805060256a33435149
+Author: Vineetha Pai
+Date: Tue Jun 21 17:06:25 2016 -0400
+
+ Added support for rc=8, reasoncode=2028 in icsf token
+ bz#142190
+ Signed-off-by: Vineetha Pai
+
+diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+index 1c25cd2..c9b986b 100644
+--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
++++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+@@ -233,6 +233,8 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
+ switch(icsf_reason_code) {
+ case 2154:
+ return CKR_KEY_TYPE_INCONSISTENT;
++ case 2028:
++ return CKR_WRAPPED_KEY_INVALID;
+ case 3003:
+ return CKR_BUFFER_TOO_SMALL;
+ case 3019:
diff --git a/SOURCES/opencryptoki-3.5-illegal-instruction.patch b/SOURCES/opencryptoki-3.5-illegal-instruction.patch
new file mode 100644
index 0000000..5288704
--- /dev/null
+++ b/SOURCES/opencryptoki-3.5-illegal-instruction.patch
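Review bot: The new `case 2028:` is inserted after `case 2154:`, breaking the ascending order the rest of this switch follows (2154, 3003, 3019, …); placing it before `case 2154:` keeps the labels sorted, which is what makes a switch this long reviewable. Neither the label nor the commit message says what reason 2028 denotes beyond its mapping, so a one-line comment such as `case 2028: /* rc=8 reason 2028 -> CKR_WRAPPED_KEY_INVALID (bz#142190) */` would tie the code to the bug it fixes. `icsf_to_ock_err` begins and ends outside the hunk.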
@@ -0,0 +1,35 @@
+From 814e5861701798b4f5872fcc20f7292f79987104 Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto
+Date: Tue, 30 Aug 2016 16:46:40 -0300
+Subject: [PATCH] PKCSCCA: Fix symbol name to get the correct address
+
+The csulincl.h file was changed to substitute the xxx_32 bit API
+declarations with the latest CCA v5. In order to pkcscca work and avoid
+"Illegal Instruction" we had to fix the symbol name that should be called
+based on the csulincl.h change.
+
+Signed-off-by: Eduardo Barretto
+---
+ usr/sbin/pkcscca/pkcscca.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
+index 6d9f8dd..05caea3 100644
+--- a/usr/sbin/pkcscca/pkcscca.c
++++ b/usr/sbin/pkcscca/pkcscca.c
+@@ -1387,9 +1387,9 @@ int main(int argc, char **argv)
+ return -1;
+ }
+
+- CSNDKTC = dlsym(lib_csulcca, "CSNDKTC_32");
+- CSNBKTC = dlsym(lib_csulcca, "CSNBKTC_32");
+- CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2_32");
++ CSNDKTC = dlsym(lib_csulcca, "CSNDKTC");
++ CSNBKTC = dlsym(lib_csulcca, "CSNBKTC");
++ CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2");
+ ret = migrate_wrapped_keys(slot_id, userpin, masterkey);
+ }
+ done:
+--
+2.7.4
+
diff --git a/SOURCES/opencryptoki-3.5-memory-leak.patch b/SOURCES/opencryptoki-3.5-memory-leak.patch
new file mode 100644
index 0000000..8d6b87d
--- /dev/null
+++ b/SOURCES/opencryptoki-3.5-memory-leak.patch
@@ -0,0 +1,34 @@
+commit 54013d80a2f5eaa9ac58712a57de0cd87a55cdae
+Author: Jakub Jelen
+Date: Thu May 19 17:05:46 2016 -0400
+
+ icsftok memory leak fix identified in coverity scan
+
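Review bot: The three `dlsym()` results are still handed to `migrate_wrapped_keys()` with no NULL check, so on a CCA library that exports only the old `_32`-suffixed names (the mirror image of the situation this rename fixes) the tool would call a null function pointer rather than fail with a message. The commit corrects the symbol names but leaves that gap; one check after the lookups that reports `dlerror()` and returns, like the `return -1;` path visible just above, turns the crash into a diagnosable error. `main` begins outside the hunk and the cleanup after `done:` is not visible, so the fence follows the early-return style shown in the hunk rather than the label.
```c
	CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2");
	if (CSNDKTC == NULL || CSNBKTC == NULL || CSNBKTC2 == NULL) {
		/* dlerror() describes only the most recent failed lookup */
		fprintf(stderr, "dlsym failed: %s\n", dlerror());
		return -1;
	}
	ret = migrate_wrapped_keys(slot_id, userpin, masterkey);
```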
Signed-off-by: Vineetha Pai + +diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c +index 5b7fb45..1c25cd2 100644 +--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c ++++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c +@@ -4664,6 +4664,7 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, + "(expected %lu)\n", + (unsigned long) mech->ulParameterLen, + (unsigned long) expected_block_size); ++ free(key_mapping); + return CKR_MECHANISM_PARAM_INVALID; + } + break; +@@ -4671,12 +4672,14 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, + if (mech->ulParameterLen != 0){ + TRACE_ERROR("%s\n", + ock_err(ERR_MECHANISM_PARAM_INVALID)); ++ free(key_mapping); + return CKR_MECHANISM_PARAM_INVALID; + } + break; + default: + TRACE_ERROR("icsf invalid %lu mechanism for key wrapping\n", + mech->mechanism); ++ free(key_mapping); + return CKR_MECHANISM_INVALID; + } + diff --git a/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch b/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch new file mode 100644 index 0000000..c90a59f --- /dev/null +++ b/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch @@ -0,0 +1,83 @@ +commit aeea198cb8ea640cd37735365ee51a03aca67036 +Author: Vineetha Pai +Date: Mon Jul 18 15:41:24 2016 -0400 + + create missing tpm lock directory from tpm stdll. + tpm token does not use common/utility function to create token lock + directory. Hence the patch to create missing lock directories was not + working on tpm token. Modified the tpm stdll code to create the token + lock directory if it is missing on the system. + 
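Review bot: Each of the three new error paths frees `key_mapping` by hand right before its `return`, which is the same per-return bookkeeping that produced the leak Coverity found; a single cleanup label that frees `key_mapping` and returns `rc`, reached by `goto`, would make the next early exit added to this `switch` safe by construction. The hunk shows only the mechanism-parameter checks, so whether other early returns in `icsftok_unwrap_key` (before line 4664 or after the `switch`) still leak the mapping cannot be judged from here and is worth a look. `icsftok_unwrap_key` begins and ends outside the hunk.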
Signed-off-by: Vineetha Pai + +diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c +index e7978d3..2a20d7d 100644 +--- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c ++++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c +@@ -44,6 +44,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -3393,10 +3394,13 @@ int + token_specific_creatlock(void) + { + CK_BYTE lockfile[PATH_MAX]; ++ CK_BYTE lockdir[PATH_MAX]; + struct passwd *pw = NULL; + struct stat statbuf; + mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR); + int lockfd; ++ int ret = -1; ++ struct group *grp; + + /* get userid */ + if ((pw = getpwuid(getuid())) == NULL) { +@@ -3404,6 +3408,45 @@ token_specific_creatlock(void) + return -1; + } + ++ /** create lock subdir for each token if it doesn't exist. ++ * The root /var/lock/opencryptoki directory should be created in slotmgr ++ * daemon **/ ++ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR); ++ ++ ret = stat(lockdir, &statbuf); ++ if (ret != 0 && errno == ENOENT) { ++ /* dir does not exist, try to create it */ ++ ret = mkdir(lockdir, S_IRWXU|S_IRWXG); ++ if (ret != 0) { ++ OCK_SYSLOG(LOG_ERR, ++ "Directory(%s) missing: %s\n", ++ lockdir, ++ strerror(errno)); ++ goto err; ++ } ++ grp = getgrnam("pkcs11"); ++ if (grp == NULL) { ++ fprintf(stderr, "getgrname(pkcs11): %s", ++ strerror(errno)); ++ goto err; ++ } ++ /* set ownership to euid, and pkcs11 group */ ++ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) { ++ fprintf(stderr, "Failed to set owner:group \ ++ ownership\ ++ on %s directory", lockdir); ++ goto err; ++ } ++ /* mkdir does not set group permission right, so ++ ** trying explictly here again */ ++ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){ ++ fprintf(stderr, "Failed to change \ ++ permissions\ ++ on %s directory", lockdir); ++ goto err; ++ } ++ } ++ + /* create user-specific directory */ + sprintf(lockfile, "%s/%s/%s", LOCKDIR_PATH, SUB_DIR, pw->pw_name); + 
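Review bot: The `stat()`-then-`mkdir()` sequence is a check-then-act race: a directory created by another process between the two calls makes `mkdir()` fail with `EEXIST` and the function bail out, and a `stat()` failure other than `ENOENT` (for example `EACCES`) is silently ignored and falls through with `ret` still -1. Calling `mkdir()` unconditionally and treating `EEXIST` as success closes the window, and the `getgrnam()`/`chown()`/`chmod()` steps then run only for a directory this process actually created. Separately, `sprintf()` into the `PATH_MAX` buffers should be `snprintf(lockdir, sizeof(lockdir), ...)`, and the `fprintf()` messages are built with backslash line continuations, so the string literals embed the source indentation — adjacent literals (`"Failed to set owner:group " "ownership on %s directory\n"`) avoid that. The `#include` added at line 44 has lost its header name in this rendering (presumably the header that declares `getgrnam`), and `token_specific_creatlock` continues past the hunk.
```c
	snprintf(lockdir, sizeof(lockdir), "%s/%s", LOCKDIR_PATH, SUB_DIR);
	/* create the token lock dir; losing a race to another creator is fine */
	if (mkdir(lockdir, S_IRWXU|S_IRWXG) == 0) {
		/* … unchanged: getgrnam("pkcs11"), chown(), chmod() on the new directory … */
	} else if (errno != EEXIST) {
		OCK_SYSLOG(LOG_ERR, "Directory(%s) missing: %s\n",
			   lockdir, strerror(errno));
		goto err;
	}
```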
diff --git a/SOURCES/opencryptoki-3.5-session-handle.patch b/SOURCES/opencryptoki-3.5-session-handle.patch new file mode 100644 index 0000000..baa103d --- /dev/null +++ b/SOURCES/opencryptoki-3.5-session-handle.patch @@ -0,0 +1,418 @@ +commit 2d03c609981cd3bf5cefb7d3188878f68b33f722 +Author: Vineetha Pai +Date: Tue Jun 21 16:43:53 2016 -0400 + + Fix for session handle not set in session issue. + bz142186 + icsf token uses the session handle for a session as the session_id in + its own internal session state structure. The session handle is an + index into the session btree and is not set in the SESSION structure + after a new session is created. This causes session_handle to be always 0 and + session_id to be always set to 0, causing issues when multiple sessions are active. + This affects icsf token as it stores and uses session handle internally + unlike other tokens. This patch sets the session handle into the session + structure for all SC_API calls. + 
Signed-off-by: Vineetha Pai + +diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c +index 4923a77..9863d52 100644 +--- a/usr/lib/pkcs11/icsf_stdll/new_host.c ++++ b/usr/lib/pkcs11/icsf_stdll/new_host.c +@@ -703,6 +703,9 @@ CK_RV SC_InitPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pPin, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle here as handle is never set into session during creation ++ sess->handle = sSession->sessionh; ++ + if (pin_locked(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED)); + rc = CKR_PIN_LOCKED; +@@ -746,6 +749,9 @@ CK_RV SC_SetPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pOldPin, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle here as handle is never set into session during creation ++ sess->handle = sSession->sessionh; ++ + if (pin_locked(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED)); +@@ -807,6 +813,7 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags, + } + + sess = session_mgr_find(*phSession); ++ sess->handle = *phSession; + rc = icsftok_open_session(sess); + done: + if (locked) +@@ -828,6 +835,8 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession) + } + + sess = session_mgr_find(sSession->sessionh); ++ //set the handle here as handle is never set into session during creation ++ sess->handle = sSession->sessionh; + rc = icsftok_close_session(sess); + if (rc) + goto done; +@@ -923,6 +932,8 @@ CK_RV SC_GetOperationState(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + rc = session_mgr_get_op_state(sess, length_only, pOperationState, + pulOperationStateLen); +@@ -962,6 +973,8 @@ CK_RV SC_SetOperationState(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = session_mgr_set_op_state(sess, hEncryptionKey, hAuthenticationKey, + pOperationState, ulOperationStateLen); +@@ -1000,6 +1013,9 @@ CK_RV SC_Login(ST_SESSION_HANDLE *sSession, CK_USER_TYPE userType, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; ++ + flags = &nv_token_data->token_info.flags; + + if (!pPin || ulPinLen > MAX_PIN_LEN) { +@@ -1113,6 +1129,8 @@ CK_RV SC_Logout(ST_SESSION_HANDLE *sSession) + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + /* all sessions have the same state so we just have to check one */ + if (session_mgr_public_session_exists()) { +@@ -1155,6 +1173,8 @@ CK_RV SC_CreateObject(ST_SESSION_HANDLE *sSession, CK_ATTRIBUTE_PTR pTemplate, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags)) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1204,6 +1224,8 @@ CK_RV SC_CopyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1240,6 +1262,8 @@ CK_RV SC_DestroyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject) + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1285,6 +1309,8 @@ CK_RV SC_GetObjectSize(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = icsftok_get_attribute_value(sess, hObject, pTemplate, + ulCount, pulSize); +@@ -1319,6 +1345,8 @@ CK_RV SC_GetAttributeValue(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = icsftok_get_attribute_value(sess, hObject, pTemplate, + ulCount, NULL); +@@ -1369,6 +1397,8 @@ CK_RV SC_SetAttributeValue(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = icsftok_set_attribute_value(sess, hObject, pTemplate, ulCount); + if (rc != CKR_OK) +@@ -1416,6 +1446,8 @@ CK_RV SC_FindObjectsInit(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1480,6 +1512,8 @@ CK_RV SC_FindObjects(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE_PTR phObject, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->find_active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1525,6 +1559,8 @@ CK_RV SC_FindObjectsFinal(ST_SESSION_HANDLE *sSession) + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (sess->find_active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1576,6 +1612,8 @@ CK_RV SC_EncryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1626,6 +1664,8 @@ CK_RV SC_Encrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->encr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1677,6 +1717,8 @@ CK_RV SC_EncryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->encr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1726,6 +1768,8 @@ CK_RV SC_EncryptFinal(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->encr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1780,6 +1824,8 @@ CK_RV SC_DecryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -1832,6 +1878,8 @@ CK_RV SC_Decrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->decr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1884,6 +1932,8 @@ CK_RV SC_DecryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->decr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1933,6 +1983,8 @@ CK_RV SC_DecryptFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pLastPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->decr_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -1984,6 +2036,8 @@ CK_RV SC_DigestInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism) + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { + TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); +@@ -2039,6 +2093,8 @@ CK_RV SC_Digest(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (sess->digest_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2086,6 +2142,8 @@ CK_RV SC_DigestUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->digest_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2125,6 +2183,8 @@ CK_RV SC_DigestKey(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hKey) + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->digest_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2169,6 +2229,8 @@ CK_RV SC_DigestFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pDigest, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->digest_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2216,6 +2278,8 @@ CK_RV SC_SignInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = valid_mech(pMechanism, CKF_SIGN); + if (rc != CKR_OK) +@@ -2271,6 +2335,8 @@ CK_RV SC_Sign(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->sign_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2318,6 +2384,8 @@ CK_RV SC_SignUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (sess->sign_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2363,6 +2431,8 @@ CK_RV SC_SignFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->sign_ctx.active == FALSE) { + TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); +@@ -2440,6 +2510,8 @@ CK_RV SC_VerifyInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -2492,6 +2564,8 @@ CK_RV SC_Verify(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->verify_ctx.active == FALSE) { + rc = CKR_OPERATION_NOT_INITIALIZED; +@@ -2537,6 +2611,8 @@ CK_RV SC_VerifyUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->verify_ctx.active == FALSE) { + rc = CKR_OPERATION_NOT_INITIALIZED; +@@ -2583,6 +2659,8 @@ CK_RV SC_VerifyFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (sess->verify_ctx.active == FALSE) { + rc = CKR_OPERATION_NOT_INITIALIZED; +@@ -2718,6 +2796,8 @@ CK_RV SC_GenerateKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. 
++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -2791,6 +2871,8 @@ CK_RV SC_GenerateKeyPair(ST_SESSION_HANDLE *sSession, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -2875,6 +2957,8 @@ CK_RV SC_WrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -2929,6 +3013,8 @@ CK_RV SC_UnwrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -2998,6 +3084,8 @@ CK_RV SC_DeriveKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + if (pin_expired(&sess->session_info, + nv_token_data->token_info.flags) == TRUE) { +@@ -3104,6 +3192,8 @@ CK_RV SC_GenerateRandom(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pRandomData, + rc = CKR_SESSION_HANDLE_INVALID; + goto done; + } ++ //set the handle into the session. ++ sess->handle = sSession->sessionh; + + rc = rng_generate(pRandomData, ulRandomLen); + if (rc != CKR_OK) diff --git a/SOURCES/opencryptoki-3.5-syslog-warning.patch b/SOURCES/opencryptoki-3.5-syslog-warning.patch new file mode 100644 index 0000000..0de10b2 --- /dev/null +++ b/SOURCES/opencryptoki-3.5-syslog-warning.patch 
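Review bot: In `SC_CloseSession` (hunk at line 828) the new `sess->handle = sSession->sessionh;` is written straight after `session_mgr_find()` with no NULL check, whereas every other site in this patch assigns the handle only after the `rc = CKR_SESSION_HANDLE_INVALID; goto done;` guard; a caller passing a stale handle to C_CloseSession now dereferences NULL instead of receiving an error. Adding `if (!sess) { rc = CKR_SESSION_HANDLE_INVALID; goto done; }` before the assignment matches the other entry points, and the same applies to `SC_OpenSession` (line 807) if `session_mgr_find` can fail there. More broadly, since the patch already stores the handle in `SC_OpenSession`, the copies in every other entry point are redundant for sessions opened through this path; one assignment at creation time would be easier to keep consistent than forty scattered ones. All the functions touched begin and end outside the hunk.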
@@ -0,0 +1,20 @@
+commit 786b6a4223119501f4aa7faf5a413c1ba10e38f6
+Author: Vineetha Pai
+Date: Tue May 31 15:15:14 2016 -0400
+
+ Downgraded a syslog error to warning
+ Signed-off-by: Vineetha Pai
+
+diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c
+index ce0dc18..ec50f71 100755
+--- a/usr/lib/pkcs11/api/apiutil.c
++++ b/usr/lib/pkcs11/api/apiutil.c
+@@ -820,7 +820,7 @@ DLL_Load_t *dllload;
+
+ } else {
+ char *e = dlerror();
+- OCK_SYSLOG(LOG_ERR,
++ OCK_SYSLOG(LOG_WARNING,
+ "%s: dlopen() failed for [%s]; dlerror = [%s]\n",
+ __FUNCTION__, sinfp->dll_location, e);
+ TRACE_DEVEL("DL_Load of %s failed, dlerror: %s\n",
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 2a4c71b..5305ae0 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
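Review bot: The `OCK_SYSLOG` call being touched prints `e` with `%s`, but `dlerror()` returns NULL when no error is pending, and passing NULL to `%s` is undefined behaviour; since the commit edits this exact call it is a cheap moment to guard it, `__FUNCTION__, sinfp->dll_location, e ? e : "unknown");`. A one-line comment above the call noting why a failed `dlopen()` of one token library is only a warning (the surrounding code presumably keeps loading the other tokens) would make the downgrade self-explanatory. The enclosing function begins and ends outside the hunk.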
@@ -2,23 +2,29 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.2 -Release: 5%{?dist} +Version: 3.5 +Release: 7%{?dist} License: CPL Group: System Environment/Base URL: http://sourceforge.net/projects/opencryptoki -Source0: http://downloads.sourceforge.net/%{name}/%{name}-v%{version}.tgz +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz Source1: %{name}-tmpfiles.conf +# do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled # https://bugzilla.redhat.com/show_bug.cgi?id=732756 # https://bugzilla.redhat.com/show_bug.cgi?id=1122505#c8 -Patch0: %{name}-3.2-fix-root-checks.patch -# do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled +Patch0: %{name}-3.4-fix-root-checks.patch Patch1: %{name}-3.2-conditional-manpages.patch -Patch2: %{name}-3.2-pkcsep11_migrate-Fixed-parameter-handling-for-pkcsep.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1088512#c18 -Patch3: %{name}-3.2-Correctly-declare-OAEP-parameter-in-RSA-Wrap-tests-t.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1263179 -Patch4: %{name}-3.2-ep11-token-obj-class.patch +Patch2: %{name}-3.5-memory-leak.patch +Patch3: %{name}-3.5-ecdsa-return.patch +Patch4: %{name}-3.5-create-log-lock.patch +Patch5: %{name}-3.5-icsf-error.patch +Patch6: %{name}-3.5-session-handle.patch +Patch7: %{name}-3.5-coverity-null.patch +Patch8: %{name}-3.5-syslog-warning.patch +Patch9: %{name}-3.5-missing-tmp-lock-directory.patch +Patch10: %{name}-3.5-coverity-scan-fixes.patch +Patch11: %{name}-3.5-illegal-instruction.patch + Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel BuildRequires: trousers-devel 
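Review bot: Moving the `# do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled` comment above the two bugzilla URLs leaves it reading as a description of `Patch0` (the root-checks patch) rather than of `Patch1`, the conditional-manpages patch it belongs to; keep the URLs directly above `Patch0` and the comment directly above `Patch1: %{name}-3.2-conditional-manpages.patch`. The removed 3.2 patches each had a bugzilla reference, while the ten new `Patch2`…`Patch11` lines have none; a one-line comment per patch naming its RHBZ number, as the changelog at the bottom does, would keep the spec self-explanatory. `Patch4`, `Patch7` and `Patch10` (`create-log-lock`, `coverity-null`, `coverity-scan-fixes`) are referenced here but their `SOURCES/` additions fall outside the visible part of the diff, so they could not be checked from here.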
@@ -27,7 +33,7 @@ BuildRequires: autoconf automake libtool BuildRequires: bison flex BuildRequires: systemd %ifarch s390 s390x -BuildRequires: libica-devel >= 2.3 +BuildRequires: libica-devel >= 2.5 %endif Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -35,6 +41,7 @@ Requires: %{name}(token) Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +conflicts: selinux-policy < 3.13.1-84 %description @@ -184,9 +191,16 @@ configured with Enterprise PKCS#11 (EP11) firmware. %setup -q -n %{name} %patch0 -p1 -b .fix-root %patch1 -p1 -b .man -%patch2 -p1 -b .pkcsep11_migrate -%patch3 -p1 -b .OAEP-in-test -%patch4 -p1 -b .ep11 +%patch2 -p1 -b .leak +%patch3 -p1 -b .return +%patch4 -p1 -b .create +%patch5 -p1 -b .icsf-return +%patch6 -p1 -b .hsession +%patch7 -p1 -b .coverity +%patch8 -p1 -b .syslog +%patch9 -p1 -b .tpm-dir +%patch10 -p1 -b .cov-fix +%patch11 -p1 -b .inst-fix # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x @@ -203,7 +217,6 @@ do echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf done - %build ./bootstrap.sh @@ -226,7 +239,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la # systemd must create /var/lock/opencryptoki mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d -install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf +install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf %post libs -p /sbin/ldconfig @@ -269,7 +282,7 @@ exit 0 %doc doc/README.token_data %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%{_prefix}/lib/tmpfiles.d/%{name}.conf +%{_tmpfilesdir}/%{name}.conf %{_unitdir}/pkcsslotd.service %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd 
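Review bot: `conflicts: selinux-policy < 3.13.1-84` in the hunk at line 41 uses a lowercase tag; rpmbuild accepts tag names case-insensitively, but every other tag in this spec is capitalised, so `Conflicts: selinux-policy < 3.13.1-84` keeps the file consistent. A one-line comment above it naming the bug (the changelog ties it to RHBZ#1343671) would explain why the older policy is incompatible rather than leaving the version boundary unexplained.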
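Review bot: In the hunk at line 239 the `install` line now targets `%{_tmpfilesdir}/%{name}.conf`, but the `mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d` immediately above it still spells the old path by hand; if `%{_tmpfilesdir}` ever differs from `%{_prefix}/lib/tmpfiles.d`, the install fails because its parent directory was never created. Change it to `mkdir -p $RPM_BUILD_ROOT%{_tmpfilesdir}` so both lines derive from the same macro, matching the `%files` entry changed in the hunk at line 282.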
@@ -282,6 +295,7 @@ exit 0
 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
 %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}
 %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/*
+%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
 
 %files libs
 %doc LICENSE
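Review bot: The new `%dir` line spells the directory as `%{_localstatedir}/log/opencryptoki` while its three siblings use `%{name}`; `%dir %attr(770,root,pkcs11) %{_localstatedir}/log/%{name}` keeps the file list consistent. The mode copies the lock directories, so every member of the `pkcs11` group can write and create files in the log directory; if only `pkcsslotd` writes there, `750` (or a `%ghost`ed log file with tighter permissions) would narrow who can tamper with daemon logs, which is worth confirming against the `create-log-lock` patch that is not visible here.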
@@ -351,6 +365,53 @@ exit 0 %changelog +* Mon Sep 19 2016 Sinny Kumari - 3.5-7 +- Related: RHBZ#1343671 - Make selinux-policy as Conflicts instead of Requires + +* Fri Sep 02 2016 Sinny Kumari - 3.5-6 +- RHBZ#1371095: coverity scan fixes - memory leak and variable initialization +- RHBZ#1372188: fix illegal instruction on pkcscca tool + +* Wed Jul 20 2016 Jakub Jelen - 3.5-5 +- Create missing tpm lock directory from tpm stdll (#1343671) + +* Thu Jul 14 2016 Jakub Jelen - 3.5-4 +- Require selinux-policy with changes related to #1343671 + +* Tue Jun 28 2016 Jakub Jelen - 3.5-3 +- Downgraded a syslog dlopen error to warning (#1059821) +- Coverity: NULL_RETURNS fixes + +* Tue Jun 28 2016 Jakub Jelen - 3.5-2 +- icsf token does not validate data length for verify operation for ECDSA (#1344383) +- Create lock and log directories from opencryptoki (#1343671) +- Create log directory with appropriate permissions (#1185421) +- Added support for rc=8, reasoncode=2028 in icsf token (#1348803) +- Fix for session handle not set in session issue (#1348804) +- Fix memory leak in icsf specific code + +* Fri May 13 2016 Jakub Jelen - 3.5-1 +- New upstream relase (#1185421) +- Implicit dependence on libica >= 2.5 + +* Fri Apr 29 2016 Jakub Jelen - 3.4.1-4 +- Added support for icsf reason code 11028 (#1325827) + +* Thu Mar 31 2016 Jakub Jelen 3.4.1-3 +- Few more issues reported by Coverity +- Fix Segfault when trace in enabled in api_interface.c +- Fix the misleading indentation +- Fix memory leak by closing the lock file descriptor in C_Final + +* Thu Mar 24 2016 Jakub Jelen 3.4.1-2 +- Fix problems reported by Coverity scan + +* Fri Feb 12 2016 Jakub Jelen 3.4.1-1 +- New upstream release (#1185421) +- Fix translating ICSF return code (#1306654) +- Fix getObjectsize call for opencryptoki ICSF token (#1303839) +- Fix for openCryptoki ICSF token failure (#1300194) + * Thu Jan 28 2016 Jakub Jelen 3.2-5 - Fix obj class for ep11 token (#1263179)