diff --git a/.gitignore b/.gitignore
index 80cc070..745bc54 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.5.tgz
+SOURCES/opencryptoki-3.6.2.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 07ed87a..de71344 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-bc66eeae637cb32288ade25826c98458d3fd7502 SOURCES/opencryptoki-3.5.tgz
+3ab535b2fc10957eb489cb086d37a6b124a9d9b1 SOURCES/opencryptoki-3.6.2.tar.gz
diff --git a/SOURCES/opencryptoki-3.5-coverity-null.patch b/SOURCES/opencryptoki-3.5-coverity-null.patch
deleted file mode 100644
index 559a323..0000000
--- a/SOURCES/opencryptoki-3.5-coverity-null.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-commit ca61c6e68ecd04c5f319056a6a3eba4b261f5481
-Author: Jakub Jelen
-Date: Tue Jun 28 16:23:06 2016 -0400
-
- Coverity:Check for NULL returns
-
Signed-off-by: Jakub Jelen
-
-diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c
-index 3cbb8da..39ecae8 100755
---- a/usr/lib/pkcs11/common/utility.c
-+++ b/usr/lib/pkcs11/common/utility.c
-@@ -589,6 +589,11 @@ CK_RV CreateXProcLock(void)
- goto err;
- }
- grp = getgrnam("pkcs11");
-+ if (grp == NULL) {
-+ fprintf(stderr, "getgrname(pkcs11): %s",
-+ strerror(errno));
-+ goto err;
-+ }
- /* set ownership to euid, and pkcs11 group */
- if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
- fprintf(stderr, "Failed to set owner:group \
-diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
-index 9863d52..9478e92 100644
---- a/usr/lib/pkcs11/icsf_stdll/new_host.c
-+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
-@@ -813,6 +813,11 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
- }
-
- sess = session_mgr_find(*phSession);
-+ if (!sess) {
-+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
-+ rc = CKR_SESSION_HANDLE_INVALID;
-+ goto done;
-+ }
- sess->handle = *phSession;
- rc = icsftok_open_session(sess);
- done:
-@@ -835,6 +840,11 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
- }
-
- sess = session_mgr_find(sSession->sessionh);
-+ if (!sess) {
-+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
-+ rc = CKR_SESSION_HANDLE_INVALID;
-+ goto done;
-+ }
- //set the handle here as handle is never set into session during creation
- sess->handle = sSession->sessionh;
- rc = icsftok_close_session(sess);
diff --git a/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch b/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch
deleted file mode 100644
index 7d36f83..0000000
--- a/SOURCES/opencryptoki-3.5-coverity-scan-fixes.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 7d1d3131fd114af7b6e48074a04ee2a34f63d97a Mon Sep 17 00:00:00 2001
-From: Vineetha Pai
-Date: Wed, 20 Jul 2016 11:05:06 -0400
-Subject: [PATCH] coverity scan fixes - memory leak and variable initialization
-
Signed-off-by: Vineetha Pai - ---- - usr/lib/pkcs11/icsf_stdll/icsf_specific.c | 4 +++- - usr/lib/pkcs11/tpm_stdll/tpm_specific.c | 4 ++-- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -index c9b986b..622fb6d 100644 ---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -@@ -4658,8 +4658,10 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, - case CKM_DES3_CBC_PAD: - case CKM_AES_CBC_PAD: - if ((rc = icsf_block_size(mech->mechanism, -- &expected_block_size))) -+ &expected_block_size))){ -+ free(key_mapping); - return rc; -+ } - - if (mech->ulParameterLen != expected_block_size) { - TRACE_ERROR("Invalid mechanism parameter length: %lu " -diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c -index 2a20d7d..3104d9d 100644 ---- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c -+++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c -@@ -3398,9 +3398,9 @@ token_specific_creatlock(void) - struct passwd *pw = NULL; - struct stat statbuf; - mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR); -- int lockfd; -+ int lockfd = -1;; - int ret = -1; -- struct group *grp; -+ struct group *grp = NULL; - - /* get userid */ - if ((pw = getpwuid(getuid())) == NULL) { --- -2.7.4 - diff --git a/SOURCES/opencryptoki-3.5-create-log-lock.patch b/SOURCES/opencryptoki-3.5-create-log-lock.patch deleted file mode 100644 index 171c1e3..0000000 --- a/SOURCES/opencryptoki-3.5-create-log-lock.patch +++ /dev/null 
@@ -1,676 +0,0 @@
-commit 8962d298d98df0331d3870e2a490e1781a33a872
-Author: Vineetha Pai
-Date: Fri Jun 3 16:34:54 2016 -0400
-
- 1) Create lock and log directories from pkcsslotd when
- they are not available on the system.
- 2) The patch also does basic sanity checks of asserting the presence
- of pkcs11 group, euid, gid of the process running pkcsslotd.
- 3) The patch also checks if token directories are available on
- the system.
- 4) The token lock sub-directories are created from opencryptoki while
- the token is configured via pkcsconf or when the first call to the token
- is made via C_Initialize.
- Signed-off-by: Vineetha Pai
-
Signed-off-by: Harald Freudenberger
-
-diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c
-index 9f58849..3cbb8da 100755
---- a/usr/lib/pkcs11/common/utility.c
-+++ b/usr/lib/pkcs11/common/utility.c
-@@ -557,9 +557,11 @@ static int spinxplfd = -1;
- CK_RV CreateXProcLock(void)
- {
- CK_BYTE lockfile[PATH_MAX];
-+ CK_BYTE lockdir[PATH_MAX];
- struct group *grp;
- struct stat statbuf;
- mode_t mode = (S_IRUSR | S_IRGRP);
-+ int ret = -1;
-
- if (spinxplfd == -1) {
-
-@@ -571,9 +573,42 @@ CK_RV CreateXProcLock(void)
- return CKR_FUNCTION_FAILED;
- }
-
-+ /** create lock subdir for each token if it doesn't exist.
-+ * The root directory should be created in slotmgr daemon **/
-+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
-+
-+ ret = stat(lockdir, &statbuf);
-+ if (ret != 0 && errno == ENOENT) {
-+ /* dir does not exist, try to create it */
-+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
-+ if (ret != 0) {
-+ OCK_SYSLOG(LOG_ERR,
-+ "Directory(%s) missing: %s\n",
-+ lockdir,
-+ strerror(errno));
-+ goto err;
-+ }
-+ grp = getgrnam("pkcs11");
-+ /* set ownership to euid, and pkcs11 group */
-+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
-+ fprintf(stderr, "Failed to set owner:group \
-+ ownership\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ /* mkdir does not set group permission right, so
-+ ** trying explictly here again */
-+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
-+ fprintf(stderr, "Failed to change \
-+ permissions\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ }
-+
- /* create user lock file */
- sprintf(lockfile, "%s/%s/LCK..%s",
-- LOCKDIR_PATH, SUB_DIR, SUB_DIR);
-+ LOCKDIR_PATH, SUB_DIR, SUB_DIR);
-
- if (stat(lockfile, &statbuf) == 0)
- spinxplfd = open(lockfile, O_RDONLY, mode);
-@@ -583,30 +618,30 @@ CK_RV CreateXProcLock(void)
- /* umask may prevent correct mode,so set it.
*/
- if (fchmod(spinxplfd, mode) == -1) {
- OCK_SYSLOG(LOG_ERR, "fchmod(%s): %s\n",
-- lockfile, strerror(errno));
-+ lockfile, strerror(errno));
- goto err;
- }
-
- grp = getgrnam("pkcs11");
- if (grp != NULL) {
- if (fchown(spinxplfd, -1, grp->gr_gid)
-- == -1) {
-+ == -1) {
- OCK_SYSLOG(LOG_ERR,
-- "fchown(%s): %s\n",
-- lockfile,
-- strerror(errno));
-+ "fchown(%s): %s\n",
-+ lockfile,
-+ strerror(errno));
- goto err;
- }
- } else {
- OCK_SYSLOG(LOG_ERR, "getgrnam(): %s\n",
-- strerror(errno));
-+ strerror(errno));
- goto err;
- }
- }
- }
- if (spinxplfd == -1) {
- OCK_SYSLOG(LOG_ERR, "open(%s): %s\n",
-- lockfile, strerror(errno));
-+ lockfile, strerror(errno));
- return CKR_FUNCTION_FAILED;
- }
- }
-diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
-index 8a2f521..e28fadb 100755
---- a/usr/sbin/pkcsslotd/slotmgr.c
-+++ b/usr/sbin/pkcsslotd/slotmgr.c
-@@ -8,10 +8,10 @@
-
- 1. DEFINITIONS
-
-- "Contribution" means:
-+ "Contribution" means:
- a) in the case of the initial Contributor, the
- initial code and documentation distributed under
-- this Agreement, and
-+ this Agreement, and
-
- b) in the case of each subsequent Contributor:
- i) changes to the Program, and
-@@ -35,7 +35,7 @@
- "Licensed Patents " mean patent claims licensable by a
- Contributor which are necessarily infringed by the use or
- sale of its Contribution alone or when combined with the
-- Program.
-+ Program.
-
- "Program" means the Contributions distributed in
- accordance with this Agreement.
-@@ -130,7 +130,7 @@
- a) it must be made available under this Agreement;
- and
- b) a copy of this Agreement must be included with
-- each copy of the Program.
-+ each copy of the Program.
-
- Contributors may not remove or alter any copyright notices
- contained within the Program.
-@@ -138,7 +138,7 @@
- Each Contributor must identify itself as the originator of
- its Contribution, if any, in a manner that reasonably
- allows subsequent Recipients to identify the originator of
-- the Contribution.
-+ the Contribution.
-
-
- 4. COMMERCIAL DISTRIBUTION
-@@ -199,7 +199,7 @@
- Agreement, including but not limited to the risks and
- costs of program errors, compliance with applicable laws,
- damage to or loss of data, programs or equipment, and
-- unavailability or interruption of operations.
-+ unavailability or interruption of operations.
-
- 6. DISCLAIMER OF LIABILITY
- EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
-@@ -248,7 +248,7 @@
- use and distribution of the Program as soon as reasonably
- practicable. However, Recipient's obligations under this
- Agreement and any licenses granted by Recipient relating
-- to the Program shall continue and survive.
-+ to the Program shall continue and survive.
-
- Everyone is permitted to copy and distribute copies of
- this Agreement, but in order to avoid inconsistency the
-@@ -280,7 +280,7 @@
- States of America. No party to this Agreement will bring a
- legal action under this Agreement more than one year after
- the cause of action arose. Each party waives its rights to
-- a jury trial in any resulting litigation.
-+ a jury trial in any resulting litigation.
-
-
-
-@@ -294,6 +294,8 @@
- #include
- #include
- #include
-+#include
-+#include
-
- #include "log.h"
- #include "slotmgr.h"
-@@ -309,8 +311,13 @@ unsigned char NumberSlotsInDB = 0;
- int socketfd;
- Slot_Mgr_Socket_t socketData;
-
--/*
-- We make main() able to modify Daemon so that we can
-+struct dircheckinfo_s {
-+ const char *dir;
-+ int mode;
-+};
-+
-+/*
-+ We make main() able to modify Daemon so that we can
- daemonize or not based on a command-line argument
- */
- extern BOOL Daemon;
-@@ -322,9 +329,9 @@ DumpSharedMemory(void)
- u_int32 *p;
- char Buf[PATH_MAX];
- u_int32 i;
--
-+
- p = (u_int32 *) shmp;
--
-+
- for ( i = 0; i < 15; i++ ) {
- sprintf(Buf, "%08X %08X %08X %08X", p[0+(i*4)], p[1+(i*4)], p[2+(i*4)], p[3+(i*4)]);
- LogLog(Buf);
-@@ -332,6 +339,83 @@ DumpSharedMemory(void)
- return;
- }
-
-+/** This function does basic sanity checks to make sure the
-+ * eco system is in place for opencryptoki to run properly.
-+ **/
-+void run_sanity_checks()
-+{
-+ int i, ec, uid = -1;
-+ struct group *grp = NULL;
-+ struct stat sbuf;
-+ struct dircheckinfo_s dircheck[] = {
-+ //drwxrwx---
-+ {LOCKDIR_PATH, S_IRWXU|S_IRWXG},
-+ {OCK_LOGDIR, S_IRWXU|S_IRWXG},
-+ {NULL, 0},
-+ };
-+
-+ /* first check that our effective user id is root */
-+ uid = (int) geteuid();
-+ if (uid != 0) {
-+ fprintf(stderr, "This daemon needs root privilegies, but the effective user id is not 'root'.\n");
-+ exit(1);
-+ }
-+
-+ /* check that the pkcs11 group exists */
-+ grp = getgrnam("pkcs11");
-+ if (!grp) {
-+ fprintf(stderr, "There is no 'pkcs11' group on this system.\n");
-+ exit(1);
-+ }
-+
-+ /* check effective group id */
-+ uid = (int) getegid();
-+ if (uid != 0 && uid != (int) grp->gr_gid) {
-+ fprintf(stderr, "This daemon should have an effective group id of 'root' or 'pkcs11'.\n");
-+ exit(1);
-+ }
-+
-+ /* Create base lock and log directory here.
API..Lock file is
-+ * accessed from the daemon in CreateXProcLock() in mutex.c.*/
-+ for (i=0; dircheck[i].dir != NULL; i++) {
-+ ec = stat(dircheck[i].dir, &sbuf);
-+ if (ec != 0 && errno == ENOENT) {
-+ /* dir does not exist, try to create it */
-+ ec = mkdir(dircheck[i].dir, dircheck[i].mode);
-+ if (ec != 0) {
-+ fprintf(stderr, "Directory %s missing\n",
-+ dircheck[i].dir);
-+ exit(2);
-+ }
-+ /* set ownership to root, and pkcs11 group */
-+ if (chown(dircheck[i].dir, geteuid(), grp->gr_gid) != 0) {
-+ fprintf(stderr, "Failed to set owner:group \
-+ ownership\
-+ on %s directory", dircheck[i].dir);
-+ exit(1);
-+ }
-+ /* mkdir does not set group permission right, so
-+ * trying explictly here again */
-+ if (chmod(dircheck[i].dir, dircheck[i].mode) != 0){
-+ fprintf(stderr, "Failed to change \
-+ permissions\
-+ on %s directory", dircheck[i].dir);
-+ exit(1);
-+ }
-+ }
-+ }
-+
-+ /** check if token directory is available, if not flag an error.
-+ * We do not create token directories here as admin should
-+ * configure and decide which tokens to expose to opencryptoki
-+ * outside of opencryptoki and pkcsslotd */
-+ ec = stat(CONFIG_PATH, &sbuf);
-+ if (ec != 0 && errno == ENOENT) {
-+ fprintf(stderr, "Token directories missing\n");
-+ exit(2);
-+ }
-+}
-+
- /*****************************************
- * main() -
- * You know what main does.
-@@ -341,205 +425,191 @@ DumpSharedMemory(void)
- *****************************************/
-
- int main ( int argc, char *argv[], char *envp[]) {
-- int ret;
--
-- /**********************************/
-- /* Read in command-line arguments */
-- /**********************************/
--
-- /* FIXME: Argument for daemonizing or not */
-- /* FIXME: Argument for debug level */
-- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?)
*/
--
--
-- /* Report our debug level */
-- if ( GetDebugLevel() > DEBUG_NONE) {
--
-- DbgLog(GetDebugLevel(), "Starting with debugging messages logged at level %d (%d = No messages; %d = few; %d = more, etc.)",
-- GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1);
--
-- }
--
--
-- /* Save our startup directory */
-- SaveStartupDirectory( argv[0] );
--
-- ret = load_and_parse(OCK_CONFIG);
-- if (ret != 0) {
-- ErrLog("Failed to read config file.\n");
-- return 1;
-- } else
-- DbgLog (DL0, "Parse config file succeeded.\n");
--
-- /* Allocate and Attach the shared memory region */
-- if ( ! CreateSharedMemory() ) {
-- /* CreateSharedMemory() does it's own error logging */
-- return 1;
-- }
--
-- DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok);
--
-- /* Now that we've created the shared memory segment, we attach to it */
-- if ( ! AttachToSharedMemory() ) {
-- /* AttachToSharedMemory() does it's own error logging */
-- DestroySharedMemory();
-- return 2;
-- }
--
-- /* Initialize the global shared memory mutex (and the attribute used to create the per-process mutexes */
-- if ( ! InitializeMutexes() ) {
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 3;
-- }
--
-- /* Get the global shared memory mutex */
--
-- XProcLock();
--
-- /* Populate the Shared Memory Region */
-- if ( !
InitSharedMemory(shmp) ) {
--
-- XProcUnLock();
--
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 4;
-- }
--
-- /* Release the global shared memory mutex */
-- XProcUnLock();
--
-- if ((socketfd = CreateListenerSocket()) < 0) {
-- DestroyMutexes();
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 5;
-- }
--
-- if (!InitSocketData(&socketData)) {
-- DetachSocketListener(socketfd);
-- DestroyMutexes();
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 6;
-- }
--
-- /*
-- * Become a Daemon, if called for
-- */
-- if ( Daemon ) {
-- pid_t pid;
-- if ( (pid = fork()) < 0 ){
-- DetachSocketListener(socketfd);
-- DestroyMutexes();
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 7;
-- } else {
-- if ( pid != 0) {
-- exit(0); // Terminate the parent
-- } else {
--
-- setsid(); // Session leader
--#ifndef DEV
-- fclose(stderr);
-- fclose(stdout);
-- fclose(stdin);
--#endif
-+ int ret;
-
-- }
-- }
-+ /**********************************/
-+ /* Read in command-line arguments */
-+ /**********************************/
-
-+ /* FIXME: Argument for daemonizing or not */
-+ /* FIXME: Argument for debug level */
-+ /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?)
*/
-
-- } else {
-+ /* Do some basic sanity checks */
-+ run_sanity_checks();
-
--#ifdef DEV
-- // Log only on development builds
-- LogLog("Not becoming a daemon...\n");
--#endif
-+ /* Report our debug level */
-+ if ( GetDebugLevel() > DEBUG_NONE) {
-+ DbgLog(GetDebugLevel(), "Starting with debugging messages logged at \
-+ level %d (%d = No messages; %d = few; %d = more, etc.)",
-+ GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1);
-+ }
-+
-+ /* Save our startup directory */
-+ SaveStartupDirectory( argv[0] );
-+
-+ ret = load_and_parse(OCK_CONFIG);
-+ if (ret != 0) {
-+ ErrLog("Failed to read config file.\n");
-+ return 1;
-+ } else
-+ DbgLog (DL0, "Parse config file succeeded.\n");
-
-- }
-+ /* Allocate and Attach the shared memory region */
-+ if ( ! CreateSharedMemory() ) {
-+ /* CreateSharedMemory() does it's own error logging */
-+ return 1;
-+ }
-
--
-- /*****************************************
-- *
-- * Register Signal Handlers
-- * Daemon probably should ignore ALL signals possible, since termination
-- * while active is a bad thing... however one could check for
-- * any processes active in the shared memory, and destroy the shm if
-- * the process wishes to terminate.
-- *
-- *****************************************/
-+ DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok);
-
-- /*
-- * We have to set up the signal handlers after we daemonize because
-- * the daemonization process redefines our handler for (at least) SIGTERM
-- */
-+ /* Now that we've created the shared memory segment, we attach to it */
-+ if ( ! AttachToSharedMemory() ) {
-+ /* AttachToSharedMemory() does it's own error logging */
-+ DestroySharedMemory();
-+ return 2;
-+ }
-
-- if ( ! SetupSignalHandlers() ) {
-- DetachSocketListener(socketfd);
-- DestroyMutexes();
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 8;
-- }
-+ /* Initialize the global shared memory mutex (and the attribute
-+ * used to create the per-process mutexes */
-+ if ( !
InitializeMutexes() ) {
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 3;
-+ }
-
-+ /* Get the global shared memory mutex */
-+ XProcLock();
-
-+ /* Populate the Shared Memory Region */
-+ if ( ! InitSharedMemory(shmp) ) {
-
-+ XProcUnLock();
-
-- /* ultimatly we will create a couple of threads which monitor the slot db
-- and handle the insertion and removal of tokens from the slot.
-- */
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 4;
-+ }
-
-- /* For Testing the Garbage collection routines */
-- /*
-- shmp->proc_table[3].inuse = TRUE;
-- shmp->proc_table[3].proc_id = 24328;
-- */
-+ /* Release the global shared memory mutex */
-+ XProcUnLock();
-
--#if !defined(NOGARBAGE)
--printf("Start garbage \n");
-- /* start garbage collection thread */
-- if ( ! StartGCThread(shmp) ) {
-- DetachSocketListener(socketfd);
-- DestroyMutexes();
-- DetachFromSharedMemory();
-- DestroySharedMemory();
-- return 9;
-- }
-+ if ((socketfd = CreateListenerSocket()) < 0) {
-+ DestroyMutexes();
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 5;
-+ }
-+
-+ if (!InitSocketData(&socketData)) {
-+ DetachSocketListener(socketfd);
-+ DestroyMutexes();
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 6;
-+ }
-+
-+ /*
-+ * Become a Daemon, if called for
-+ */
-+ if ( Daemon ) {
-+ pid_t pid;
-+ if ( (pid = fork()) < 0 ){
-+ DetachSocketListener(socketfd);
-+ DestroyMutexes();
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 7;
-+ } else {
-+ if ( pid != 0) {
-+ exit(0); // Terminate the parent
-+ } else {
-+
-+ setsid(); // Session leader
-+#ifndef DEV
-+ fclose(stderr);
-+ fclose(stdout);
-+ fclose(stdin);
-+#endif
-+ }
-+ }
-+ } else {
-+#ifdef DEV
-+ // Log only on development builds
-+ LogLog("Not becoming a daemon...\n");
- #endif
-+ }
-
-- // We've fully become a daemon.
Now create the PID file
-- {
-- FILE *pidfile;
-+ /*****************************************
-+ *
-+ * Register Signal Handlers
-+ * Daemon probably should ignore ALL signals possible, since termination
-+ * while active is a bad thing... however one could check for
-+ * any processes active in the shared memory, and destroy the shm if
-+ * the process wishes to terminate.
-+ *
-+ *****************************************/
-+
-+ /*
-+ * We have to set up the signal handlers after we daemonize because
-+ * the daemonization process redefines our handler for (at least) SIGTERM
-+ */
-+ if ( ! SetupSignalHandlers() ) {
-+ DetachSocketListener(socketfd);
-+ DestroyMutexes();
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 8;
-+ }
-
-- pidfile = fopen(PID_FILE_PATH,"w");
-- if (pidfile) {
-- fprintf(pidfile,"%d",getpid());
-- fclose(pidfile);
-- }
-- }
-+ /* ultimatly we will create a couple of threads which monitor the slot db
-+ and handle the insertion and removal of tokens from the slot.
-+ */
-
-- while (1) {
--#if !(THREADED) && !(NOGARBAGE)
-- CheckForGarbage(shmp);
--#endif
-+ /* For Testing the Garbage collection routines */
-+ /*
-+ shmp->proc_table[3].inuse = TRUE;
-+ shmp->proc_table[3].proc_id = 24328;
-+ */
-
-- SocketConnectionHandler(socketfd, 10);
-+#if !defined(NOGARBAGE)
-+ printf("Start garbage \n");
-+ /* start garbage collection thread */
-+ if ( ! StartGCThread(shmp) ) {
-+ DetachSocketListener(socketfd);
-+ DestroyMutexes();
-+ DetachFromSharedMemory();
-+ DestroySharedMemory();
-+ return 9;
-+ }
-+#endif
-
-- }
-+ // We've fully become a daemon. Now create the PID file
-+ {
-+ FILE *pidfile;
-
-+ pidfile = fopen(PID_FILE_PATH,"w");
-+ if (pidfile) {
-+ fprintf(pidfile,"%d",getpid());
-+ fclose(pidfile);
-+ }
-+ }
-
-- /*************************************************************
-- *
-- * Here we need to actualy go through the processes and verify that thye
-- * still exist.
If not, then they terminated with out properly calling
-- * C_Finalize and therefore need to be removed from the system.
-- * Look for a system routine to determine if the shared memory is held by
-- * the process to further verify that the proper processes are in the
-- * table.
-- *
-- *************************************************************/
-+ while (1) {
-+#if !(THREADED) && !(NOGARBAGE)
-+ CheckForGarbage(shmp);
-+#endif
-+ SocketConnectionHandler(socketfd, 10);
-+ }
-
-+ /*************************************************************
-+ *
-+ * Here we need to actualy go through the processes and verify that thye
-+ * still exist. If not, then they terminated with out properly calling
-+ * C_Finalize and therefore need to be removed from the system.
-+ * Look for a system routine to determine if the shared memory is held by
-+ * the process to further verify that the proper processes are in the
-+ * table.
-+ *
-+ *************************************************************/
- } /* end main */
diff --git a/SOURCES/opencryptoki-3.5-ecdsa-return.patch b/SOURCES/opencryptoki-3.5-ecdsa-return.patch
deleted file mode 100644
index 527f452..0000000
--- a/SOURCES/opencryptoki-3.5-ecdsa-return.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-commit 165a1020da10ddbdc39e51e9a411a5c09f6dbae6
-Author: Vineetha Pai
-Date: Thu May 19 16:46:51 2016 -0400
-
- Added pkcs11 mapping for icsf reason code 72 for return code 8
- Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-index d71b19f..5b7fb45 100644
---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-@@ -258,6 +258,7 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
- return CKR_KEY_HANDLE_INVALID;
- case 3045:
- return CKR_KEY_UNEXTRACTABLE;
-+ case 72:
- case 11000:
- return CKR_DATA_LEN_RANGE;
- case 11028:
diff --git a/SOURCES/opencryptoki-3.5-icsf-error.patch b/SOURCES/opencryptoki-3.5-icsf-error.patch
deleted file mode 100644
index 92cfc63..0000000
--- a/SOURCES/opencryptoki-3.5-icsf-error.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit f45ddf572c05cbeb54c524805060256a33435149
-Author: Vineetha Pai
-Date: Tue Jun 21 17:06:25 2016 -0400
-
- Added support for rc=8, reasoncode=2028 in icsf token
- bz#142190
- Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-index 1c25cd2..c9b986b 100644
---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-@@ -233,6 +233,8 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
- switch(icsf_reason_code) {
- case 2154:
- return CKR_KEY_TYPE_INCONSISTENT;
-+ case 2028:
-+ return CKR_WRAPPED_KEY_INVALID;
- case 3003:
- return CKR_BUFFER_TOO_SMALL;
- case 3019:
diff --git a/SOURCES/opencryptoki-3.5-illegal-instruction.patch b/SOURCES/opencryptoki-3.5-illegal-instruction.patch
deleted file mode 100644
index 5288704..0000000
--- a/SOURCES/opencryptoki-3.5-illegal-instruction.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 814e5861701798b4f5872fcc20f7292f79987104 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto
-Date: Tue, 30 Aug 2016 16:46:40 -0300
-Subject: [PATCH] PKCSCCA: Fix symbol name to get the correct address
-
-The csulincl.h file was changed to substitute the xxx_32 bit API
-declarations with the latest CCA v5. In order to pkcscca work and avoid
-"Illegal Instruction" we had to fix the symbol name that should be called
-based on the csulincl.h change.
-
-Signed-off-by: Eduardo Barretto
----
- usr/sbin/pkcscca/pkcscca.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
-index 6d9f8dd..05caea3 100644
---- a/usr/sbin/pkcscca/pkcscca.c
-+++ b/usr/sbin/pkcscca/pkcscca.c
-@@ -1387,9 +1387,9 @@ int main(int argc, char **argv)
- return -1;
- }
-
-- CSNDKTC = dlsym(lib_csulcca, "CSNDKTC_32");
-- CSNBKTC = dlsym(lib_csulcca, "CSNBKTC_32");
-- CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2_32");
-+ CSNDKTC = dlsym(lib_csulcca, "CSNDKTC");
-+ CSNBKTC = dlsym(lib_csulcca, "CSNBKTC");
-+ CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2");
- ret = migrate_wrapped_keys(slot_id, userpin, masterkey);
- }
- done:
---
-2.7.4
-
diff --git a/SOURCES/opencryptoki-3.5-memory-leak.patch b/SOURCES/opencryptoki-3.5-memory-leak.patch
deleted file mode 100644
index 8d6b87d..0000000
--- a/SOURCES/opencryptoki-3.5-memory-leak.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit 54013d80a2f5eaa9ac58712a57de0cd87a55cdae
-Author: Jakub Jelen
-Date: Thu May 19 17:05:46 2016 -0400
-
- icsftok memory leak fix identified in coverity scan
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-index 5b7fb45..1c25cd2 100644
---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-@@ -4664,6 +4664,7 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech,
- "(expected %lu)\n",
- (unsigned long) mech->ulParameterLen,
- (unsigned long) expected_block_size);
-+ free(key_mapping);
- return CKR_MECHANISM_PARAM_INVALID;
- }
- break;
-@@ -4671,12 +4672,14 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech,
- if (mech->ulParameterLen != 0){
- TRACE_ERROR("%s\n",
- ock_err(ERR_MECHANISM_PARAM_INVALID));
-+ free(key_mapping);
- return CKR_MECHANISM_PARAM_INVALID;
- }
- break;
- default:
- TRACE_ERROR("icsf invalid %lu mechanism for key wrapping\n",
- mech->mechanism);
-+ free(key_mapping);
- return CKR_MECHANISM_INVALID;
- }
-
diff --git a/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch b/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch
deleted file mode 100644
index c90a59f..0000000
--- a/SOURCES/opencryptoki-3.5-missing-tmp-lock-directory.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-commit aeea198cb8ea640cd37735365ee51a03aca67036
-Author: Vineetha Pai
-Date: Mon Jul 18 15:41:24 2016 -0400
-
- create missing tpm lock directory from tpm stdll.
- tpm token does not use common/utility function to create token lock
- directory. Hence the patch to create missing lock directories was not
- working on tpm token. Modified the tpm stdll code to create the token
- lock directory if it is missing on the system.
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-index e7978d3..2a20d7d 100644
---- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-+++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-@@ -44,6 +44,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -3393,10 +3394,13 @@ int
- token_specific_creatlock(void)
- {
- CK_BYTE lockfile[PATH_MAX];
-+ CK_BYTE lockdir[PATH_MAX];
- struct passwd *pw = NULL;
- struct stat statbuf;
- mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR);
- int lockfd;
-+ int ret = -1;
-+ struct group *grp;
-
- /* get userid */
- if ((pw = getpwuid(getuid())) == NULL) {
-@@ -3404,6 +3408,45 @@ token_specific_creatlock(void)
- return -1;
- }
-
-+ /** create lock subdir for each token if it doesn't exist.
-+ * The root /var/lock/opencryptoki directory should be created in slotmgr
-+ * daemon **/
-+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
-+
-+ ret = stat(lockdir, &statbuf);
-+ if (ret != 0 && errno == ENOENT) {
-+ /* dir does not exist, try to create it */
-+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
-+ if (ret != 0) {
-+ OCK_SYSLOG(LOG_ERR,
-+ "Directory(%s) missing: %s\n",
-+ lockdir,
-+ strerror(errno));
-+ goto err;
-+ }
-+ grp = getgrnam("pkcs11");
-+ if (grp == NULL) {
-+ fprintf(stderr, "getgrname(pkcs11): %s",
-+ strerror(errno));
-+ goto err;
-+ }
-+ /* set ownership to euid, and pkcs11 group */
-+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
-+ fprintf(stderr, "Failed to set owner:group \
-+ ownership\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ /* mkdir does not set group permission right, so
-+ ** trying explictly here again */
-+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
-+ fprintf(stderr, "Failed to change \
-+ permissions\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ }
-+
- /* create user-specific directory */
- sprintf(lockfile, "%s/%s/%s", LOCKDIR_PATH, SUB_DIR, pw->pw_name);
-
diff --git a/SOURCES/opencryptoki-3.5-session-handle.patch b/SOURCES/opencryptoki-3.5-session-handle.patch
deleted file mode 100644
index baa103d..0000000
--- a/SOURCES/opencryptoki-3.5-session-handle.patch
+++ /dev/null
@@ -1,418 +0,0 @@
-commit 2d03c609981cd3bf5cefb7d3188878f68b33f722
-Author: Vineetha Pai
-Date: Tue Jun 21 16:43:53 2016 -0400
-
- Fix for session handle not set in session issue.
- bz142186
- icsf token uses the session handle for a session as the session_id in
- its own internal session state structure. The session handle is an
- index into the session btree and is not set in the SESSION structure
- after a new session is created. This causes session_handle to be always 0 and
- session_id to be always set to 0, causing issues when multiple sessions are active.
- This affects icsf token as it stores and uses session handle internally
- unlike other tokens. This patch sets the session handle into the session
- structure for all SC_API calls.
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
-index 4923a77..9863d52 100644
---- a/usr/lib/pkcs11/icsf_stdll/new_host.c
-+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
-@@ -703,6 +703,9 @@ CK_RV SC_InitPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pPin,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
-+
- if (pin_locked(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
- rc = CKR_PIN_LOCKED;
-@@ -746,6 +749,9 @@ CK_RV SC_SetPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pOldPin,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
-+
- if (pin_locked(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
-@@ -807,6 +813,7 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
- }
-
- sess = session_mgr_find(*phSession);
-+ sess->handle = *phSession;
- rc = icsftok_open_session(sess);
- done:
- if (locked)
-@@ -828,6 +835,8 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
- }
-
- sess = session_mgr_find(sSession->sessionh);
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
- rc = icsftok_close_session(sess);
- if (rc)
- goto done;
-@@ -923,6 +932,8 @@ CK_RV SC_GetOperationState(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh; - - rc = session_mgr_get_op_state(sess, length_only, pOperationState, - pulOperationStateLen); -@@ -962,6 +973,8 @@ CK_RV SC_SetOperationState(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = session_mgr_set_op_state(sess, hEncryptionKey, hAuthenticationKey, - pOperationState, ulOperationStateLen); -@@ -1000,6 +1013,9 @@ CK_RV SC_Login(ST_SESSION_HANDLE *sSession, CK_USER_TYPE userType, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; -+ - flags = &nv_token_data->token_info.flags; - - if (!pPin || ulPinLen > MAX_PIN_LEN) { -@@ -1113,6 +1129,8 @@ CK_RV SC_Logout(ST_SESSION_HANDLE *sSession) - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - /* all sessions have the same state so we just have to check one */ - if (session_mgr_public_session_exists()) { -@@ -1155,6 +1173,8 @@ CK_RV SC_CreateObject(ST_SESSION_HANDLE *sSession, CK_ATTRIBUTE_PTR pTemplate, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags)) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1204,6 +1224,8 @@ CK_RV SC_CopyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1240,6 +1262,8 @@ CK_RV SC_DestroyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject) - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1285,6 +1309,8 @@ CK_RV SC_GetObjectSize(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = icsftok_get_attribute_value(sess, hObject, pTemplate, - ulCount, pulSize); -@@ -1319,6 +1345,8 @@ CK_RV SC_GetAttributeValue(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = icsftok_get_attribute_value(sess, hObject, pTemplate, - ulCount, NULL); -@@ -1369,6 +1397,8 @@ CK_RV SC_SetAttributeValue(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = icsftok_set_attribute_value(sess, hObject, pTemplate, ulCount); - if (rc != CKR_OK) -@@ -1416,6 +1446,8 @@ CK_RV SC_FindObjectsInit(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1480,6 +1512,8 @@ CK_RV SC_FindObjects(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE_PTR phObject, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->find_active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1525,6 +1559,8 @@ CK_RV SC_FindObjectsFinal(ST_SESSION_HANDLE *sSession) - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (sess->find_active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1576,6 +1612,8 @@ CK_RV SC_EncryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1626,6 +1664,8 @@ CK_RV SC_Encrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->encr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1677,6 +1717,8 @@ CK_RV SC_EncryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->encr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1726,6 +1768,8 @@ CK_RV SC_EncryptFinal(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->encr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1780,6 +1824,8 @@ CK_RV SC_DecryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -1832,6 +1878,8 @@ CK_RV SC_Decrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->decr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1884,6 +1932,8 @@ CK_RV SC_DecryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->decr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1933,6 +1983,8 @@ CK_RV SC_DecryptFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pLastPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->decr_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -1984,6 +2036,8 @@ CK_RV SC_DigestInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism) - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) { - TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED)); -@@ -2039,6 +2093,8 @@ CK_RV SC_Digest(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (sess->digest_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2086,6 +2142,8 @@ CK_RV SC_DigestUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->digest_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2125,6 +2183,8 @@ CK_RV SC_DigestKey(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hKey) - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->digest_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2169,6 +2229,8 @@ CK_RV SC_DigestFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pDigest, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->digest_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2216,6 +2278,8 @@ CK_RV SC_SignInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = valid_mech(pMechanism, CKF_SIGN); - if (rc != CKR_OK) -@@ -2271,6 +2335,8 @@ CK_RV SC_Sign(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->sign_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2318,6 +2384,8 @@ CK_RV SC_SignUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (sess->sign_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2363,6 +2431,8 @@ CK_RV SC_SignFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->sign_ctx.active == FALSE) { - TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED)); -@@ -2440,6 +2510,8 @@ CK_RV SC_VerifyInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -2492,6 +2564,8 @@ CK_RV SC_Verify(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->verify_ctx.active == FALSE) { - rc = CKR_OPERATION_NOT_INITIALIZED; -@@ -2537,6 +2611,8 @@ CK_RV SC_VerifyUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->verify_ctx.active == FALSE) { - rc = CKR_OPERATION_NOT_INITIALIZED; -@@ -2583,6 +2659,8 @@ CK_RV SC_VerifyFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (sess->verify_ctx.active == FALSE) { - rc = CKR_OPERATION_NOT_INITIALIZED; -@@ -2718,6 +2796,8 @@ CK_RV SC_GenerateKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. 
-+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -2791,6 +2871,8 @@ CK_RV SC_GenerateKeyPair(ST_SESSION_HANDLE *sSession, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -2875,6 +2957,8 @@ CK_RV SC_WrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -2929,6 +3013,8 @@ CK_RV SC_UnwrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -2998,6 +3084,8 @@ CK_RV SC_DeriveKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - if (pin_expired(&sess->session_info, - nv_token_data->token_info.flags) == TRUE) { -@@ -3104,6 +3192,8 @@ CK_RV SC_GenerateRandom(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pRandomData, - rc = CKR_SESSION_HANDLE_INVALID; - goto done; - } -+ //set the handle into the session. -+ sess->handle = sSession->sessionh; - - rc = rng_generate(pRandomData, ulRandomLen); - if (rc != CKR_OK) diff --git a/SOURCES/opencryptoki-3.5-syslog-warning.patch b/SOURCES/opencryptoki-3.5-syslog-warning.patch deleted file mode 100644 index 0de10b2..0000000 --- a/SOURCES/opencryptoki-3.5-syslog-warning.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -commit 786b6a4223119501f4aa7faf5a413c1ba10e38f6 -Author: Vineetha Pai -Date: Tue May 31 15:15:14 2016 -0400 - - Downgraded a syslog error to warning - Signed-off-by: Vineetha Pai - -diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c -index ce0dc18..ec50f71 100755 ---- a/usr/lib/pkcs11/api/apiutil.c -+++ b/usr/lib/pkcs11/api/apiutil.c -@@ -820,7 +820,7 @@ DLL_Load_t *dllload; - - } else { - char *e = dlerror(); -- OCK_SYSLOG(LOG_ERR, -+ OCK_SYSLOG(LOG_WARNING, - "%s: dlopen() failed for [%s]; dlerror = [%s]\n", - __FUNCTION__, sinfp->dll_location, e); - TRACE_DEVEL("DL_Load of %s failed, dlerror: %s\n", diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 5305ae0..b84e1b4 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec 
@@ -2,28 +2,18 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.5 -Release: 7%{?dist} +Version: 3.6.2 +Release: 1%{?dist} License: CPL Group: System Environment/Base URL: http://sourceforge.net/projects/opencryptoki -Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz +Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source1: %{name}-tmpfiles.conf # do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled # https://bugzilla.redhat.com/show_bug.cgi?id=732756 # https://bugzilla.redhat.com/show_bug.cgi?id=1122505#c8 Patch0: %{name}-3.4-fix-root-checks.patch Patch1: %{name}-3.2-conditional-manpages.patch -Patch2: %{name}-3.5-memory-leak.patch -Patch3: %{name}-3.5-ecdsa-return.patch -Patch4: %{name}-3.5-create-log-lock.patch -Patch5: %{name}-3.5-icsf-error.patch -Patch6: %{name}-3.5-session-handle.patch -Patch7: %{name}-3.5-coverity-null.patch -Patch8: %{name}-3.5-syslog-warning.patch -Patch9: %{name}-3.5-missing-tmp-lock-directory.patch -Patch10: %{name}-3.5-coverity-scan-fixes.patch -Patch11: %{name}-3.5-illegal-instruction.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -188,19 +178,9 @@ configured with Enterprise PKCS#11 (EP11) firmware. %prep -%setup -q -n %{name} +%setup -q -n %{name}-%{version} %patch0 -p1 -b .fix-root %patch1 -p1 -b .man -%patch2 -p1 -b .leak -%patch3 -p1 -b .return -%patch4 -p1 -b .create -%patch5 -p1 -b .icsf-return -%patch6 -p1 -b .hsession -%patch7 -p1 -b .coverity -%patch8 -p1 -b .syslog -%patch9 -p1 -b .tpm-dir -%patch10 -p1 -b .cov-fix -%patch11 -p1 -b .inst-fix # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x 
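Review bot: Nothing in the spec records that the ten fixes dropped as Patch2–Patch11 (with their `%patch2`–`%patch11` lines in the second hunk on this line) are actually contained in the 3.6.2 tarball; the changelog entry only says they were "applied during 3.5 release". This matters most for `%{name}-3.5-session-handle.patch` (upstream commit 2d03c609981cd3bf5cefb7d3188878f68b33f722), because per its own description the icsf token's session_id is always 0 without it, which causes issues when multiple sessions are active, and for `%{name}-3.5-coverity-null.patch`. Once each one has been checked against the new sources, a comment above `Patch0` would make the rebase auditable, e.g. `# 3.5 Patch2-Patch11 dropped in 3.6.2-1: confirmed merged upstream`. Separately, the rewritten `Source0` keeps a plain `http://` URL; `Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz` would avoid fetching the tarball over an unauthenticated channel whenever it is re-downloaded.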
@@ -365,6 +345,11 @@ exit 0 %changelog +* Mon Feb 20 2017 Sinny Kumari - 3.6.2-1 +- Rebase opencryptoki to 3.6.2 +- Remove patches from spec file applied during 3.5 release +- Resolves: #1391559, #1380784, #1417905 + * Mon Sep 19 2016 Sinny Kumari - 3.5-7 - Related: RHBZ#1343671 - Make selinux-policy as Conflicts instead of Requires