rebase 3.18.0

Than Ngo 2022-05-02 14:16:00 +02:00
parent 5d430b6742
commit 0aad2e617a
10 changed files with 22 additions and 280 deletions

1
.gitignore vendored

@ -29,3 +29,4 @@ opencryptoki-2.3.1.tar.gz
/opencryptoki-3.15.1.tar.gz
/opencryptoki-3.16.0.tar.gz
/opencryptoki-3.17.0.tar.gz
/opencryptoki-3.18.0.tar.gz


@ -1,64 +0,0 @@
commit fed25d1f2f3fe43eb8f55f66e39b7f4dfdad2226
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Feb 21 13:31:20 2022 +0100
API: Avoid deadlock when stopping event thread
Avoid that the event thread writes trace messages while it is
enabled for thread cancellation. This might leave the trace mutex in
the locked state and cause subsequent trace calls to lock forever
(e.g in stop_event_thread() right after canceling the thread).
Disable cancellation right at the beginning of the thread function,
and disable it before calling a trace function or leaving the loop.
Also make sure that the cleanup handler is registered and the
cancellation type is set before initially enabling cancellation.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/api/socket_client.c b/usr/lib/api/socket_client.c
index cbe55dce..62a8ec20 100644
--- a/usr/lib/api/socket_client.c
+++ b/usr/lib/api/socket_client.c
@@ -284,6 +284,8 @@ static void *event_thread(void *arg)
UNUSED(arg);
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
+
TRACE_DEVEL("Event thread %lu running\n", pthread_self());
if (anchor->socketfd < 0) {
@@ -303,13 +305,13 @@ static void *event_thread(void *arg)
#endif
/* Enable cancellation */
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);
cleanup.anchor = anchor;
#if OPENSSL_VERSION_PREREQ(3, 0)
cleanup.prev_libctx = prev_libctx;
#endif
pthread_cleanup_push(event_thread_cleanup, &cleanup);
+ pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
pollfd.fd = anchor->socketfd;
pollfd.events = POLLIN | POLLHUP | POLLERR;
@@ -320,6 +322,7 @@ static void *event_thread(void *arg)
if (rc < 0) {
if (errno == EINTR)
continue;
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
TRACE_ERROR("poll failed: %d\n", errno);
break;
}
@@ -328,6 +331,7 @@ static void *event_thread(void *arg)
continue;
if (pollfd.revents & (POLLHUP | POLLERR)) {
+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
TRACE_ERROR("Error on socket, possibly closed by slot daemon\n");
break;
}


@ -1,34 +0,0 @@
diff -up opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf.me opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf
--- opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf.me 2022-04-06 06:46:43.905040507 -0400
+++ opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf 2022-04-06 06:47:51.375040507 -0400
@@ -22,25 +22,30 @@ version opencryptoki-3.17
slot 0
{
stdll = libpkcs11_tpm.so
+tokversion = 3.12
}
slot 1
{
stdll = libpkcs11_ica.so
+tokversion = 3.12
}
slot 2
{
stdll = libpkcs11_cca.so
+tokversion = 3.12
}
slot 3
{
stdll = libpkcs11_sw.so
+tokversion = 3.12
}
slot 4
{
stdll = libpkcs11_ep11.so
+tokversion = 3.12
confname = ep11tok.conf
}


@ -1,24 +0,0 @@
diff -up opencryptoki-3.17.0/usr/lib/common/asn1.c.me opencryptoki-3.17.0/usr/lib/common/asn1.c
--- opencryptoki-3.17.0/usr/lib/common/asn1.c.me 2021-11-22 21:13:31.408617676 +0100
+++ opencryptoki-3.17.0/usr/lib/common/asn1.c 2021-11-22 21:13:40.759754932 +0100
@@ -3483,7 +3483,6 @@ CK_RV ber_encode_DHPublicKey(CK_BBOOL le
TRACE_DEVEL("%s ber_put_bitstring/ber_flatten failed\n", __func__);
ber_free(ber, 1);
ber_bvfree(val);
- free(buf);
free(buf2);
return CKR_FUNCTION_FAILED;
}
diff -up opencryptoki-3.17.0/usr/lib/common/mech_openssl.c.me opencryptoki-3.17.0/usr/lib/common/mech_openssl.c
diff -up opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c.me opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c
--- opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c.me 2021-11-23 13:25:37.950776199 +0100
+++ opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c 2021-11-23 13:27:03.560963809 +0100
@@ -1148,7 +1148,7 @@ static CK_RV print_vendor(CK_SESSION_HAN
int f;
struct ConfigBaseNode *c, *name, *hex_string, *type;
struct ConfigStructNode *structnode;
- int def_attr;
+ int def_attr = 0;
if (cfg != NULL)
{


@ -1,25 +0,0 @@
From 3fea29baa97be9c132a8189eb00c7a782900d472 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 18 Nov 2021 10:15:53 +0100
Subject: [PATCH] API: Unlock GlobMutex if user and group check fails
Closes: https://github.com/opencryptoki/opencryptoki/issues/493
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/api/api_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index 6fac7e0bf..20f605c3a 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -2872,7 +2872,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
rc = check_user_and_group();
if (rc != CKR_OK)
- return rc;
+ goto done;
if (!Anchor) {
Anchor = (API_Proc_Struct_t *) malloc(sizeof(API_Proc_Struct_t));


@ -1,77 +0,0 @@
commit 22c625eedbc1b993cf3e0caaaf0fe64ec5c1a15c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Apr 5 15:09:58 2022 +0200
API: Do not cleanup OpenSSL library context during library destructor
Only cleanup OpenSSL library context and providers if we are not in the
library destructor. The library destructor calls C_Finalize if not
already finalized, but this may happen during at-exit handlers when the
program is terminating. At that point in time, the OpenSSL at-exit
handler may already have performed cleanup which will then cause
crashes when trying to cleanup the already freed library context here.
We are leaking the library context and providers if one just unloads
the library without calling C_Finalize. However, OpenSSL cleanup will
clean up the context at program termination anyway
Closes: https://github.com/opencryptoki/opencryptoki/issues/527
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index 15520db9..97b5471c 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -272,6 +272,7 @@ int slot_loaded[NUMBER_SLOTS_MANAGED]; // Array of flags to indicate
// if the STDLL loaded
CK_BBOOL in_child_fork_initializer = FALSE;
+CK_BBOOL in_destructor = FALSE;
/*
* Ordered array of interfaces: If more than one interface matches
@@ -1705,14 +1706,27 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
bt_destroy(&Anchor->sess_btree);
#if OPENSSL_VERSION_PREREQ(3, 0)
- ERR_set_mark();
- if (Anchor->openssl_default_provider != NULL)
- OSSL_PROVIDER_unload(Anchor->openssl_default_provider);
- if (Anchor->openssl_legacy_provider != NULL)
- OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider);
- if (Anchor->openssl_libctx != NULL)
- OSSL_LIB_CTX_free(Anchor->openssl_libctx);
- ERR_pop_to_mark();
+ /*
+ * Only cleanup OpenSSL library context and providers if we are not in the
+ * library destructor. The library destructor calls C_Finalize if not
+ * already finalized, but this may happen during at-exit handlers when the
+ * program is terminating. At that point in time, the OpenSSL at-exit
+ * handler may already have performed cleanup which will then cause
+ * crashes when trying to cleanup the already freed library context here.
+ * We are leaking the library context and providers if one just unloads
+ * the library without calling C_Finalize. However, OpenSSL cleanup will
+ * clean up the context at program termination anyway.
+ */
+ if (in_destructor == FALSE) {
+ ERR_set_mark();
+ if (Anchor->openssl_default_provider != NULL)
+ OSSL_PROVIDER_unload(Anchor->openssl_default_provider);
+ if (Anchor->openssl_legacy_provider != NULL)
+ OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider);
+ if (Anchor->openssl_libctx != NULL)
+ OSSL_LIB_CTX_free(Anchor->openssl_libctx);
+ ERR_pop_to_mark();
+ }
#endif
detach_shared_memory(Anchor->SharedMemP);
@@ -5469,6 +5483,7 @@ void api_fini(void) __attribute__ ((destructor));
void api_fini()
{
if (API_Initialized() == TRUE) {
+ in_destructor = TRUE;
Call_Finalize();
}
}


@ -1,12 +0,0 @@
diff -up opencryptoki/configure.in.no-undefined opencryptoki/configure.in
--- opencryptoki/configure.in.no-undefined 2015-08-27 11:49:50.815984145 +0200
+++ opencryptoki/configure.in 2015-08-27 11:50:59.432874245 +0200
@@ -574,7 +574,7 @@ fi
AM_CONDITIONAL([ENABLE_PKCSCCA_MIGRATE], [test "x$enable_pkcscca_migrate" = "xyes"])
AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
+CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wl,--no-undefined"
CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'


@ -1,29 +0,0 @@
diff -up opencryptoki-3.16.0/misc/pkcsslotd.service.in.me opencryptoki-3.16.0/misc/pkcsslotd.service.in
--- opencryptoki-3.16.0/misc/pkcsslotd.service.in.me 2021-06-25 09:25:11.464487847 +0200
+++ opencryptoki-3.16.0/misc/pkcsslotd.service.in 2021-06-25 09:25:38.701225760 +0200
@@ -4,7 +4,7 @@ After=local-fs.target
[Service]
Type=forking
-PIDFile=/var/run/pkcsslotd.pid
+PIDFile=/run/pkcsslotd.pid
ExecStart=@sbindir@/pkcsslotd
[Install]
diff -up opencryptoki-3.16.0/usr/include/slotmgr.h.me opencryptoki-3.16.0/usr/include/slotmgr.h
--- opencryptoki-3.16.0/usr/include/slotmgr.h.me 2021-06-30 17:28:18.000594834 +0200
+++ opencryptoki-3.16.0/usr/include/slotmgr.h 2021-06-30 17:28:38.920890278 +0200
@@ -30,10 +30,10 @@
#define TOK_PATH SBIN_PATH "/pkcsslotd"
#define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
-#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
-#define ADMIN_SOCKET_FILE_PATH "/var/run/pkcsslotd.admin.socket"
+#define PROC_SOCKET_FILE_PATH "/run/pkcsslotd.socket"
+#define ADMIN_SOCKET_FILE_PATH "/run/pkcsslotd.admin.socket"
-#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
+#define PID_FILE_PATH "/run/pkcsslotd.pid"
#define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
#ifndef CK_BOOL


@ -1,7 +1,12 @@
# p11-kit needs pkcsslotd daemon starting by default
# upstream does not recommend to enable the pkcsslotd service by default.
# we disable it
%global p11_kit_support 0
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.17.0
Release: 7%{?dist}
Version: 3.18.0
Release: 1%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -12,17 +17,6 @@ Patch0: opencryptoki-3.11.0-group.patch
Patch1: opencryptoki-3.11.0-lockdir.patch
# add missing config file
Patch2: opencryptoki-1.17.0-p11sak.patch
# covscan
Patch3: opencryptoki-3.17.0-covscan.patch
# Use --no-undefined to debug missing symbols
#Patch100: %%{name}-3.2-no-undefined.patch
# upstream patches
# PIDfile below legacy directory /var/run/
Patch300: opencryptoki-pkcsslotd-pidfile.patch
Patch301: opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch
Patch302: opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch
Patch303: opencryptoki-3.17-tokversion.patch
Patch304: opencryptoki-3.17.0-init.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@ -209,8 +203,10 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%install
%make_install CHGRP=/bin/true
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
%if 0%{?p11_kit_support}
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
%endif
%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
@ -233,6 +229,7 @@ fi
%doc ChangeLog FAQ README.md
%doc doc/opencryptoki-howto.md
%doc doc/README.token_data
%doc %{_docdir}/%{name}/*.conf
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
@ -242,9 +239,13 @@ fi
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsstats
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man1/pkcsstats.1*
%{_mandir}/man5/policy.conf.5*
%{_mandir}/man5/strength.conf.5*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
%{_mandir}/man7/%{name}.7*
@ -270,10 +271,12 @@ fi
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
%if 0%{?p11_kit_support}
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%endif
%files devel
%{_includedir}/%{name}/
@ -332,6 +335,9 @@ fi
%changelog
* Mon May 02 2022 Than Ngo <than@redhat.com> - 3.18.0-1
- 3.18.0
* Wed Apr 20 2022 Dan Horák <dan[at]danny.cz> - 3.17.0-7
- fix initialization (#2075851, #2074587)
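Review bot: The new `%changelog` entry records only `- 3.18.0`, although this section also drops Patch3 and Patch300–304 and sets `%global p11_kit_support 0`, which takes `%{_datadir}/p11-kit/modules/opencryptoki.module` out of `%install` and `%files`, so after the upgrade p11-kit consumers no longer find the module and nothing in the package history says why. I would add entries such as `- drop patches included in 3.18.0` and `- stop shipping the p11-kit module, pkcsslotd is not enabled by default`. Three of the dropped patches (covscan, pidfile, tokversion) are `diff -up … .me` files rather than upstream commits, and the covscan one removes a `free(buf)` from the ber_encode_DHPublicKey error path (presumably a double free) and initialises `def_attr`; nothing on this page shows that 3.18.0 carries those changes, so they should be checked against the 3.18.0 sources before the patches are deleted.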


@ -1 +1 @@
SHA512 (opencryptoki-3.17.0.tar.gz) = 1e80f4cebfffef1b50f3a29577c003e3a3ac68f9c93c3fd49537dad5ab82d02ab54f62fa73e93cd20f2ea1517eb4aa3a0ac167df3597bb801e8781a4162f9d01
SHA512 (opencryptoki-3.18.0.tar.gz) = ec975ad15766d1565bb8134160c1a6373a1106486acc924f34d63d8a02c2f2b4d88caa443d17a5f7f92c8d99d3e5c1604073d879403e4f531019ced736422ea3