diff --git a/.gitignore b/.gitignore
index 0df1015..0c316ba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/p11-kit-0.20.7.tar.gz
+SOURCES/p11-kit-0.23.5.tar.gz
diff --git a/.p11-kit.metadata b/.p11-kit.metadata
index 2d7d667..d550650 100644
--- a/.p11-kit.metadata
+++ b/.p11-kit.metadata
@@ -1 +1 @@
-7b486d570fddfe91ff33c49e0672a4338bab4643 SOURCES/p11-kit-0.20.7.tar.gz
+964ef53439fff90ce2bf60024ef9bc26cb8534f7 SOURCES/p11-kit-0.23.5.tar.gz
diff --git a/SOURCES/p11-kit-doc.patch b/SOURCES/p11-kit-doc.patch
new file mode 100644
index 0000000..0a056a0
--- /dev/null
+++ b/SOURCES/p11-kit-doc.patch
@@ -0,0 +1,25 @@
+From 14c50e25d8280ce81a323ef79a71a66892b65f1a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 12 Jun 2017 15:38:21 +0200
+Subject: [PATCH] doc: Use correct PKCS#11 URI syntax
+
+---
+ doc/manual/trust.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/trust.xml b/doc/manual/trust.xml
+index f6f2b3e..14dcbba 100644
+--- a/doc/manual/trust.xml
++++ b/doc/manual/trust.xml
+@@ -157,7 +157,7 @@ $ trust list
+
+ $ trust anchor /path/to/certificate.crt
+ $ trust anchor --remove /path/to/certificate.crt
+-$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;object-type=cert"
++$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
+
+
+ Store or remove trust anchors in the trust policy store. These are
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-modifiable.patch b/SOURCES/p11-kit-modifiable.patch
new file mode 100644
index 0000000..3d4b4d3
--- /dev/null
+++ b/SOURCES/p11-kit-modifiable.patch
@@ -0,0 +1,256 @@
+From acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 10:45:26 +0200
+Subject: [PATCH 1/2] Revert "trust: Honor "modifiable" setting in persist
+ file"
+
+This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
+broke "trust anchor --remove".
+---
+ trust/input/verisign-v1.p11-kit | 1 -
+ trust/parser.c | 10 +---------
+ trust/test-parser.c | 1 -
+ 3 files changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
+index aea49ea..eaa080d 100644
+--- a/trust/input/verisign-v1.p11-kit
++++ b/trust/input/verisign-v1.p11-kit
+@@ -1,6 +1,5 @@
+ [p11-kit-object-v1]
+ trusted: true
+-modifiable: false
+
+ -----BEGIN CERTIFICATE-----
+ MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+diff --git a/trust/parser.c b/trust/parser.c
+index 52d1128..41513d4 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -610,7 +610,6 @@ p11_parser_format_persist (p11_parser *parser,
+ {
+ CK_BBOOL modifiablev = CK_TRUE;
+ CK_ATTRIBUTE *attrs;
+- CK_ATTRIBUTE *attr;
+ p11_array *objects;
+ bool ret;
+ int i;
+@@ -631,14 +630,7 @@ p11_parser_format_persist (p11_parser *parser,
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
+ for (i = 0; i < objects->num; i++) {
+- /* By default, we mark objects read from a persist
+- * file as modifiable, as the persist format is
+- * writable. However, if CKA_MODIFIABLE is explictly
+- * set in the file, respect the setting. */
+- attrs = objects->elem[i];
+- attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
+- if (!attr)
+- attrs = p11_attrs_build (attrs, &modifiable, NULL);
++ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/test-parser.c b/trust/test-parser.c
+index 088cff9..b5c2525 100644
+--- a/trust/test-parser.c
++++ b/trust/test-parser.c
+@@ -168,7 +168,6 @@ test_parse_p11_kit_persist (void)
+ { CKA_CLASS, &certificate, sizeof (certificate) },
+ { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
+ { CKA_TRUSTED, &truev, sizeof (truev) },
+- { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
+ { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+ { CKA_INVALID },
+ };
+--
+2.9.4
+
+
+From 66c6a7e912d39d66cd4cc91375ac7be418bf7176 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 11:11:45 +0200
+Subject: [PATCH 2/2] trust: Check magic comment in persist file for
+ modifiablity
+
+A persistent file written by the trust module starts with the line "#
+This file has been auto-generated and written by p11-kit". This can
+be used as a magic word to determine whether the objects read from a
+.p11-kit file are read-only.
+---
+ trust/parser.c | 6 +++++-
+ trust/persist.c | 9 ++++++++-
+ trust/test-token.c | 1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index 41513d4..abe86fc 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -49,6 +49,7 @@
+ #include "pem.h"
+ #include "pkcs11x.h"
+ #include "persist.h"
++#include "types.h"
+ #include "x509.h"
+
+ #include
+@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
+ for (i = 0; i < objects->num; i++) {
+- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
++ CK_BBOOL generatedv;
++ attrs = objects->elem[i];
++ if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
++ attrs = p11_attrs_build (attrs, &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/persist.c b/trust/persist.c
+index 63a531e..928260e 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
+ CK_ATTRIBUTE *attrs;
+ bool failed;
+ bool skip;
++ CK_BBOOL generatedv = CK_FALSE;
++ CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
++ static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+
+ return_val_if_fail (persist != NULL, false);
+ return_val_if_fail (objects != NULL, false);
+@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
+ attrs = NULL;
+ failed = false;
+
++ if (length >= sizeof (comment) - 1 &&
++ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
++ generatedv = CK_TRUE;
++
+ p11_lexer_init (&lexer, filename, (const char *)data, length);
+ while (p11_lexer_next (&lexer, &failed)) {
+ switch (lexer.tok_type) {
+@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
+ p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ skip = true;
+ } else {
+- attrs = p11_attrs_build (NULL, NULL);
++ attrs = p11_attrs_build (NULL, &generated, NULL);
+ return_val_if_fail (attrs != NULL, false);
+ skip = false;
+ }
+diff --git a/trust/test-token.c b/trust/test-token.c
+index ad22fcb..3e7d735 100644
+--- a/trust/test-token.c
++++ b/trust/test-token.c
+@@ -610,6 +610,7 @@ static void
+ test_modify_multiple (void)
+ {
+ const char *test_data =
++ "# This file has been auto-generated and written by p11-kit.\n"
+ "[p11-kit-object-v1]\n"
+ "class: data\n"
+ "label: \"first\"\n"
+--
+2.9.4
+
+From d661194319f2375c1764125b449bf924c0cbc8a1 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 14:27:36 +0200
+Subject: [PATCH] trust: Simplify the check for the magic
+
+Instead of reusing the CKA_X_GENERATED attribute, check the file
+contents directly in the caller side.
+---
+ trust/parser.c | 7 +++----
+ trust/persist.c | 19 +++++++++++--------
+ trust/persist.h | 3 +++
+ 3 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index abe86fc..f92cdc9 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -630,11 +630,10 @@ p11_parser_format_persist (p11_parser *parser,
+
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
++ if (!p11_persist_is_generated (data, length))
++ modifiablev = CK_FALSE;
+ for (i = 0; i < objects->num; i++) {
+- CK_BBOOL generatedv;
+- attrs = objects->elem[i];
+- if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+- attrs = p11_attrs_build (attrs, &modifiable, NULL);
++ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/persist.c b/trust/persist.c
+index 928260e..887b316 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -70,6 +70,16 @@ p11_persist_magic (const unsigned char *data,
+ return (strnstr ((char *)data, "[" PERSIST_HEADER "]", length) != NULL);
+ }
+
++bool
++p11_persist_is_generated (const unsigned char *data,
++ size_t length)
++{
++ static const char comment[] =
++ "# This file has been auto-generated and written by p11-kit.";
++ return length >= sizeof (comment) - 1 &&
++ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0;
++}
++
+ p11_persist *
+ p11_persist_new (void)
+ {
+@@ -631,9 +641,6 @@ p11_persist_read (p11_persist *persist,
+ CK_ATTRIBUTE *attrs;
+ bool failed;
+ bool skip;
+- CK_BBOOL generatedv = CK_FALSE;
+- CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+- static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+
+ return_val_if_fail (persist != NULL, false);
+ return_val_if_fail (objects != NULL, false);
+@@ -642,10 +649,6 @@ p11_persist_read (p11_persist *persist,
+ attrs = NULL;
+ failed = false;
+
+- if (length >= sizeof (comment) - 1 &&
+- memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+- generatedv = CK_TRUE;
+-
+ p11_lexer_init (&lexer, filename, (const char *)data, length);
+ while (p11_lexer_next (&lexer, &failed)) {
+ switch (lexer.tok_type) {
+@@ -657,7 +660,7 @@ p11_persist_read (p11_persist *persist,
+ p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ skip = true;
+ } else {
+- attrs = p11_attrs_build (NULL, &generated, NULL);
++ attrs = p11_attrs_build (NULL, NULL);
+ return_val_if_fail (attrs != NULL, false);
+ skip = false;
+ }
+diff --git a/trust/persist.h b/trust/persist.h
+index 0ef142c..6344e4e 100644
+--- a/trust/persist.h
++++ b/trust/persist.h
+@@ -60,4 +60,7 @@ bool p11_persist_write (p11_persist *persist,
+
+ void p11_persist_free (p11_persist *persist);
+
++bool p11_persist_is_generated (const unsigned char *data,
++ size_t length);
++
+ #endif /* P11_PERSIST_H_ */
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-oaep.patch b/SOURCES/p11-kit-oaep.patch
new file mode 100644
index 0000000..9b5766b
--- /dev/null
+++ b/SOURCES/p11-kit-oaep.patch
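Review bot: `p11_persist_is_generated` has no comment saying what the check is for, yet it alone now decides write access: an exact byte-for-byte match of the marker at offset 0 leaves `modifiablev` at `CK_TRUE` for every object in the file, and anything else (including a marker preceded by a blank line or a BOM) makes them read-only. The marker is a provenance convention, not an integrity check, so protection against unwanted edits still rests on the permissions of the directory the file lives in. I would add above the function `/* Provenance hint only: true iff the file starts with the exact header p11-kit writes. Not a security boundary. */`. In the last `p11_parser_format_persist` hunk the loop applies `&modifiable` to every object, which, judging by the code the first patch reverts, replaces any `modifiable:` field given in the file; a one-line comment at `modifiablev = CK_FALSE;` stating that this is intended would help the next reader.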
@@ -0,0 +1,38 @@
+From c11a951a24b91f80e109951b0fe2ce418ea70f17 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Tue, 23 May 2017 11:55:25 +0200
+Subject: [PATCH] pkcs11: Make CK_RSA_PKCS_OAEP_PARAMS useful
+
+---
+ common/pkcs11.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/common/pkcs11.h b/common/pkcs11.h
+index 357c9bb..ad1cdec 100644
+--- a/common/pkcs11.h
++++ b/common/pkcs11.h
+@@ -738,6 +738,12 @@ struct ck_mechanism_info
+ ck_flags_t flags;
+ };
+
++#define CKG_MGF1_SHA1 0x00000001UL
++#define CKG_MGF1_SHA224 0x00000005UL
++#define CKG_MGF1_SHA256 0x00000002UL
++#define CKG_MGF1_SHA384 0x00000003UL
++#define CKG_MGF1_SHA512 0x00000004UL
++
+ typedef unsigned long ck_rsa_pkcs_mgf_type_t;
+ typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
+
+@@ -1319,7 +1325,7 @@ typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+ typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+-typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAM;
++typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+ typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+ #define NULL_PTR NULL
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-strerror.patch b/SOURCES/p11-kit-strerror.patch
new file mode 100644
index 0000000..f72764c
--- /dev/null
+++ b/SOURCES/p11-kit-strerror.patch
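Review bot: The second pkcs11.h hunk renames the typedef outright, so `CK_RSA_PKCS_OAEP_PARAM` disappears from what looks like a public header and any consumer written against the old spelling stops compiling. If that break is intended, the commit message should say so; otherwise keep the old name next to the corrected one, `typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAM; /* deprecated misspelling, kept for compatibility */`. The first hunk adds `CKG_MGF1_*` values for `ck_rsa_pkcs_mgf_type_t` but nothing for `ck_rsa_pkcs_oaep_source_type_t`; whether a source constant is already defined elsewhere in the header is not visible here, so that is worth a check before calling the OAEP interface complete.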
@@ -0,0 +1,17 @@
+diff -up ./p11-kit/rpc-transport.c.strerror ./p11-kit/rpc-transport.c
+--- ./p11-kit/rpc-transport.c.strerror 2017-06-12 11:44:45.799209430 +0200
++++ ./p11-kit/rpc-transport.c 2017-06-12 11:46:41.979498070 +0200
+@@ -1065,7 +1065,12 @@ rpc_unix_connect (p11_rpc_client_vtable
+ }
+
+ if (connect (fd, (struct sockaddr *)&run->sa, sizeof (run->sa)) < 0) {
+- p11_debug ("failed to connect to socket: %s", strerror (errno));
++ int errn = errno;
++ char strerr[P11_MESSAGE_MAX];
++ snprintf (strerr, sizeof (strerr), "Unknown error %d", errn);
++ strerror_r (errn, strerr, sizeof (strerr));
++ strerr[P11_MESSAGE_MAX - 1] = 0;
++ p11_debug ("failed to connect to socket: %s", strerr);
+ close (fd);
+ return CKR_DEVICE_REMOVED;
+ }
diff --git a/SOURCES/pthread-atfork-fix-deadlock.patch b/SOURCES/pthread-atfork-fix-deadlock.patch
deleted file mode 100644
index f6f7f15..0000000
--- a/SOURCES/pthread-atfork-fix-deadlock.patch
+++ /dev/null
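Review bot: The return value of `strerror_r` is discarded, which is only correct for the XSI variant. If this file is built with the GNU prototype (glibc with `_GNU_SOURCE`; not visible in this hunk), the call returns a `char *` that may point to a static string and can leave `strerr` untouched, so the debug line would print the "Unknown error N" fallback for ordinary errno values. The build should pick the variant explicitly (a configure check) and log the returned pointer in the GNU case, keeping the `snprintf` fallback only for a failing XSI call. Separately, `strerr[P11_MESSAGE_MAX - 1] = 0;` reads better as `strerr[sizeof (strerr) - 1] = 0;` so it cannot drift from the size passed two lines above. `rpc_unix_connect` starts and ends outside the hunk.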
@@ -1,421 +0,0 @@
-From 0ecc141f372b375ddd2087a8ca406797976f03bf Mon Sep 17 00:00:00 2001
-From: Stef Walter
-Date: Fri, 3 Oct 2014 09:42:27 +0200
-Subject: [PATCH] p11-kit: Use pthread_atfork() in a safe manner
-
-Instead of trying to perform actions in pthread_atfork() which
-are not async-signal-safe, just increment a counter so we can
-later tell if the process has forked.
-
-Note this does not make it safe to mix threads and forking without
-immediately execing. This is a far broader problem that p11-kit,
-however we now do the right thing when fork+exec is used from a
-thread.
-
-https://bugs.freedesktop.org/show_bug.cgi?id=84567
----
- common/library.c | 11 ++++++++
- common/library.h | 2 ++
- common/mock.c | 1 +
- p11-kit/modules.c | 55 +++++++++-------------------------------
- p11-kit/proxy.c | 62 ++++++++++++++--------------------------------
- p11-kit/proxy.h | 2 --
- p11-kit/tests/test-proxy.c | 2 +-
- 7 files changed, 46 insertions(+), 89 deletions(-)
-
-diff --git a/common/library.c b/common/library.c
-index b7d6923..502ea98 100644
---- a/common/library.c
-+++ b/common/library.c
-@@ -63,6 +63,8 @@ p11_mutex_t p11_library_mutex;
- pthread_once_t p11_library_once = PTHREAD_ONCE_INIT;
- #endif
-
-+unsigned int p11_forkid = 1;
-+
- static char *
- thread_local_message (void)
- {
-@@ -103,6 +105,13 @@ _p11_library_get_thread_local (void)
- return local;
- }
-
-+static void
-+count_forks (void)
-+{
-+ /* Thread safe, executed in child, one thread exists */
-+ p11_forkid++;
-+}
-+
- void
- p11_library_init_impl (void)
- {
-@@ -111,6 +120,8 @@ p11_library_init_impl (void)
- p11_mutex_init (&p11_library_mutex);
- pthread_key_create (&thread_local, free);
- p11_message_storage = thread_local_message;
-+
-+ pthread_atfork (NULL, NULL, count_forks);
- }
-
- void
-diff --git a/common/library.h b/common/library.h
-index 33a33fb..f87494d 100644
---- a/common/library.h
-+++ b/common/library.h
-@@ -44,6 +44,8 @@
-
- extern p11_mutex_t p11_library_mutex;
-
-+extern unsigned int p11_forkid;
-+
- #define p11_lock() p11_mutex_lock (&p11_library_mutex);
-
- #define p11_unlock() p11_mutex_unlock (&p11_library_mutex);
-diff --git a/common/mock.c b/common/mock.c
-index 51b32b6..ed2fad6 100644
---- a/common/mock.c
-+++ b/common/mock.c
-@@ -46,6 +46,7 @@
- #include "debug.h"
- #include "dict.h"
- #include "array.h"
-+#include "library.h"
-
- #include
- #include
-diff --git a/p11-kit/modules.c b/p11-kit/modules.c
-index 1d9fe61..4a84803 100644
---- a/p11-kit/modules.c
-+++ b/p11-kit/modules.c
-@@ -157,7 +157,7 @@ typedef struct _Module {
-
- /* Initialization, mutex must be held */
- p11_mutex_t initialize_mutex;
-- bool initialize_called;
-+ unsigned int initialize_called;
- p11_thread_id_t initialize_thread;
- } Module;
-
-@@ -239,7 +239,6 @@ free_module_unlocked (void *data)
- p11_debug_precond ("module unloaded without C_Finalize having been "
- "called for each C_Initialize");
- } else {
-- assert (!mod->initialize_called);
- assert (mod->initialize_thread == 0);
- }
-
-@@ -580,7 +579,7 @@ initialize_module_inlock_reentrant (Module *mod)
- p11_unlock ();
- p11_mutex_lock (&mod->initialize_mutex);
-
-- if (!mod->initialize_called) {
-+ if (mod->initialize_called != p11_forkid) {
- p11_debug ("C_Initialize: calling");
-
- rv = mod->virt.funcs.C_Initialize (&mod->virt.funcs,
-@@ -590,10 +589,12 @@ initialize_module_inlock_reentrant (Module *mod)
-
- /* Module was initialized and C_Finalize should be called */
- if (rv == CKR_OK)
-- mod->initialize_called = true;
-+ mod->initialize_called = p11_forkid;
-+ else
-+ mod->initialize_called = 0;
-
- /* Module was already initialized, we don't call C_Finalize */
-- else if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
-+ if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED)
- rv = CKR_OK;
- }
-
-@@ -612,31 +613,6 @@ initialize_module_inlock_reentrant (Module *mod)
- return rv;
- }
-
--#ifdef OS_UNIX
--
--static void
--reinitialize_after_fork (void)
--{
-- p11_dictiter iter;
-- Module *mod;
--
-- p11_debug ("forked");
--
-- p11_lock ();
--
-- if (gl.modules) {
-- p11_dict_iterate (gl.modules, &iter);
-- while (p11_dict_next (&iter, (void **)&mod, NULL))
-- mod->initialize_called = false;
-- }
--
-- p11_unlock ();
--
-- p11_proxy_after_fork ();
--}
--
--#endif /* OS_UNIX */
--
- static CK_RV
- init_globals_unlocked (void)
- {
-@@ -666,9 +642,6 @@ init_globals_unlocked (void)
- if (once)
- return CKR_OK;
-
--#ifdef OS_UNIX
-- pthread_atfork (NULL, NULL, reinitialize_after_fork);
--#endif
- once = true;
-
- return CKR_OK;
-@@ -724,9 +697,9 @@ finalize_module_inlock_reentrant (Module *mod)
- p11_unlock ();
- p11_mutex_lock (&mod->initialize_mutex);
-
-- if (mod->initialize_called) {
-+ if (mod->initialize_called == p11_forkid) {
- mod->virt.funcs.C_Finalize (&mod->virt.funcs, NULL);
-- mod->initialize_called = false;
-+ mod->initialize_called = 0;
- }
-
- p11_mutex_unlock (&mod->initialize_mutex);
-@@ -1384,7 +1357,7 @@ cleanup:
- typedef struct {
- p11_virtual virt;
- Module *mod;
-- pid_t initialized;
-+ unsigned int initialized;
- p11_dict *sessions;
- } Managed;
-
-@@ -1394,14 +1367,12 @@ managed_C_Initialize (CK_X_FUNCTION_LIST *self,
- {
- Managed *managed = ((Managed *)self);
- p11_dict *sessions;
-- pid_t pid;
- CK_RV rv;
-
- p11_debug ("in");
- p11_lock ();
-
-- pid = getpid ();
-- if (managed->initialized == pid) {
-+ if (managed->initialized == p11_forkid) {
- rv = CKR_CRYPTOKI_ALREADY_INITIALIZED;
-
- } else {
-@@ -1414,7 +1385,7 @@ managed_C_Initialize (CK_X_FUNCTION_LIST *self,
- rv = initialize_module_inlock_reentrant (managed->mod);
- if (rv == CKR_OK) {
- managed->sessions = sessions;
-- managed->initialized = pid;
-+ managed->initialized = p11_forkid;
- } else {
- p11_dict_free (sessions);
- }
-@@ -1515,18 +1486,16 @@ managed_C_Finalize (CK_X_FUNCTION_LIST *self,
- {
- Managed *managed = ((Managed *)self);
- CK_SESSION_HANDLE *sessions;
-- pid_t pid;
- int count;
- CK_RV rv;
-
- p11_debug ("in");
- p11_lock ();
-
-- pid = getpid ();
- if (managed->initialized == 0) {
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
-
-- } else if (managed->initialized != pid) {
-+ } else if (managed->initialized != p11_forkid) {
- /*
- * In theory we should be returning CKR_CRYPTOKI_NOT_INITIALIZED here
- * but enough callers are not completely aware of their forking.
-diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
-index 3e76f15..db2acb8 100644
---- a/p11-kit/proxy.c
-+++ b/p11-kit/proxy.c
-@@ -82,6 +82,7 @@ typedef struct {
- unsigned int n_mappings;
- p11_dict *sessions;
- CK_FUNCTION_LIST **inited;
-+ unsigned int forkid;
- } Proxy;
-
- typedef struct _State {
-@@ -96,6 +97,8 @@ static CK_FUNCTION_LIST **all_modules = NULL;
- static State *all_instances = NULL;
- static State global = { { { { -1, -1 }, NULL, }, }, NULL, NULL, FIRST_HANDLE, NULL };
-
-+#define PROXY_VALID(px) ((px) && (px)->forkid == p11_forkid)
-+
- #define MANUFACTURER_ID "PKCS#11 Kit "
- #define LIBRARY_DESCRIPTION "PKCS#11 Kit Proxy Module "
- #define LIBRARY_VERSION_MAJOR 1
-@@ -137,7 +140,7 @@ map_slot_to_real (Proxy *px,
-
- p11_lock ();
-
-- if (!px)
-+ if (!PROXY_VALID (px))
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- else
- rv = map_slot_unlocked (px, *slot, mapping);
-@@ -163,7 +166,7 @@ map_session_to_real (Proxy *px,
-
- p11_lock ();
-
-- if (!px) {
-+ if (!PROXY_VALID (px)) {
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- } else {
- assert (px->sessions);
-@@ -195,40 +198,6 @@ proxy_free (Proxy *py)
- }
- }
-
--void
--p11_proxy_after_fork (void)
--{
-- p11_array *array;
-- State *state;
-- unsigned int i;
--
-- /*
-- * After a fork the callers are supposed to call C_Initialize and all.
-- * In addition the underlying libraries may change their state so free
-- * up any mappings and all
-- */
--
-- array = p11_array_new (NULL);
--
-- p11_lock ();
--
-- if (global.px)
-- p11_array_push (array, global.px);
-- global.px = NULL;
--
-- for (state = all_instances; state != NULL; state = state->next) {
-- if (state->px)
-- p11_array_push (array, state->px);
-- state->px = NULL;
-- }
--
-- p11_unlock ();
--
-- for (i = 0; i < array->num; i++)
-- proxy_free (array->elem[i]);
-- p11_array_free (array);
--}
--
- static CK_RV
- proxy_C_Finalize (CK_X_FUNCTION_LIST *self,
- CK_VOID_PTR reserved)
-@@ -247,8 +216,10 @@ proxy_C_Finalize (CK_X_FUNCTION_LIST *self,
- } else {
- p11_lock ();
-
-- if (!state->px) {
-+ if (!PROXY_VALID (state->px)) {
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
-+ py = state->px;
-+ state->px = NULL;
- } else if (state->px->refs-- == 1) {
- py = state->px;
- state->px = NULL;
-@@ -287,6 +258,8 @@ proxy_create (Proxy **res)
- py = calloc (1, sizeof (Proxy));
- return_val_if_fail (py != NULL, CKR_HOST_MEMORY);
-
-+ py->forkid = p11_forkid;
-+
- py->inited = modules_dup (all_modules);
- return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY);
-
-@@ -357,10 +330,13 @@ proxy_C_Initialize (CK_X_FUNCTION_LIST *self,
-
- p11_lock ();
-
-- if (state->px == NULL)
-+ if (!PROXY_VALID (state->px)) {
- initialize = true;
-- else
-+ proxy_free (state->px);
-+ state->px = NULL;
-+ } else {
- state->px->refs++;
-+ }
-
- p11_unlock ();
-
-@@ -402,7 +378,7 @@ proxy_C_GetInfo (CK_X_FUNCTION_LIST *self,
-
- p11_lock ();
-
-- if (!state->px)
-+ if (!PROXY_VALID (state->px))
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
-
- p11_unlock ();
-@@ -438,7 +414,7 @@ proxy_C_GetSlotList (CK_X_FUNCTION_LIST *self,
-
- p11_lock ();
-
-- if (!state->px) {
-+ if (!PROXY_VALID (state->px)) {
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- } else {
- index = 0;
-@@ -586,7 +562,7 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self,
- if (rv == CKR_OK) {
- p11_lock ();
-
-- if (!state->px) {
-+ if (!PROXY_VALID (state->px)) {
- /*
- * The underlying module should have returned an error, so this
- * code should never be reached with properly behaving modules.
-@@ -650,7 +626,7 @@ proxy_C_CloseAllSessions (CK_X_FUNCTION_LIST *self,
-
- p11_lock ();
-
-- if (!state->px) {
-+ if (!PROXY_VALID (state->px)) {
- rv = CKR_CRYPTOKI_NOT_INITIALIZED;
- } else {
- assert (state->px->sessions != NULL);
-diff --git a/p11-kit/proxy.h b/p11-kit/proxy.h
-index df05be0..f3d56d7 100644
---- a/p11-kit/proxy.h
-+++ b/p11-kit/proxy.h
-@@ -35,8 +35,6 @@
- #ifndef __P11_PROXY_H__
- #define __P11_PROXY_H__
-
--void p11_proxy_after_fork (void);
--
- bool p11_proxy_module_check (CK_FUNCTION_LIST_PTR module);
-
- void p11_proxy_module_cleanup (void);
-diff --git a/p11-kit/tests/test-proxy.c b/p11-kit/tests/test-proxy.c
-index bf5007d..e4998be 100644
---- a/p11-kit/tests/test-proxy.c
-+++ b/p11-kit/tests/test-proxy.c
-@@ -76,7 +76,7 @@ test_initialize_finalize (void)
- assert (rv == CKR_OK);
-
- rv = proxy->C_Finalize (NULL);
-- assert (rv == CKR_OK);
-+ assert_num_eq (rv, CKR_OK);
-
- p11_proxy_module_cleanup ();
- }
---
-1.9.3
-
diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec
index 4f517bb..6a057e2 100644
--- a/SPECS/p11-kit.spec
+++ b/SPECS/p11-kit.spec
@@ -1,5 +1,5 @@
 Name: p11-kit
-Version: 0.20.7
+Version: 0.23.5
 Release: 3%{?dist}
 Summary: Library for loading and sharing PKCS#11 modules
 
@@ -7,7 +7,10 @@ License: BSD
 URL: http://p11-glue.freedesktop.org/p11-kit.html
 Source0: http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz
 Source1: trust-extract-compat
-Patch1: pthread-atfork-fix-deadlock.patch
+Patch0: p11-kit-modifiable.patch
+Patch1: p11-kit-strerror.patch
+Patch2: p11-kit-oaep.patch
+Patch3: p11-kit-doc.patch
 
 BuildRequires: libtasn1-devel >= 2.3
 BuildRequires: nss-softokn-freebl
@@ -57,8 +60,7 @@ contains certificate anchors and black lists.
 
 
 %prep
-%setup -q
-%patch1 -p1
+%autosetup -p1
 
 %build
 # These paths are the source paths that come from the plan here:
@@ -71,9 +73,12 @@ make install DESTDIR=$RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
-install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libdir}/p11-kit/
+install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
 # Install the example conf with %%doc instead
 rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
+# We don't support PKCS#11 forwarding in RHEL-7 yet
+rm -f $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/p11-kit-server
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/p11-kit-client.so
 
 %check
 make check
@@ -112,10 +117,11 @@ fi
 %dir %{_sysconfdir}/pkcs11/modules
 %dir %{_datadir}/p11-kit
 %dir %{_datadir}/p11-kit/modules
-%dir %{_libdir}/p11-kit
+%dir %{_libexecdir}/p11-kit
 %{_bindir}/p11-kit
 %{_libdir}/libp11-kit.so.*
 %{_libdir}/p11-kit-proxy.so
+%{_libexecdir}/p11-kit/p11-kit-remote
 %{_mandir}/man8/p11-kit.8.gz
 %{_mandir}/man5/pkcs11.conf.5.gz
 
@@ -132,10 +138,24 @@ fi
 %{_mandir}/man1/trust.1.gz
 %{_libdir}/pkcs11/p11-kit-trust.so
 %{_datadir}/p11-kit/modules/p11-kit-trust.module
-%{_libdir}/p11-kit/trust-extract-compat
+%{_libexecdir}/p11-kit/trust-extract-compat
 
 
 %changelog
+* Mon Jun 12 2017 Daiki Ueno - 0.23.5-3
+- Avoid reference to thread-unsafe strerror rhbz#1378947
+- Fix PKCS#11 OAEP interface rhbz#1191209
+- Update documentation to follow RFC7512 rhbz#1165977
+
+* Thu May 18 2017 Daiki Ueno - 0.23.5-2
+- Make "trust anchor --remove" work again
+
+* Mon Mar 6 2017 Daiki Ueno - 0.23.5-1
+- Rebase to upstream version 0.23.5
+
+* Wed Feb 22 2017 Daiki Ueno - 0.23.4-1
+- Rebase to upstream version 0.23.4
+
 * Thu Jan 08 2015 Stef Walter - 0.20.7-3
 - Fix incorrect alternative links for s390 and s390x rhbz#1174178
 
@@ -166,7 +186,7 @@ fi
 * Mon Nov 04 2013 Stef Walter - 0.18.7-2
 - Move devel docs into subpackage due to gtk-doc multilib incompatibility (#983176)
 
-* Tue Oct 10 2013 Stef Walter - 0.18.7-1
+* Thu Oct 10 2013 Stef Walter - 0.18.7-1
 - Update to new upstream point release for RHEL bug fixes
 
 * Thu Jul 18 2013 Stef Walter - 0.18.5-1