From 0aad2e617a5e2e2aee0df1649327172e5aebcbec Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Mon, 2 May 2022 14:16:00 +0200
Subject: [PATCH] rebase 3.18.0
---
 .gitignore | 1 +
 ...-deadlock-when-stopping-event-thread.patch | 64 ---------------
 opencryptoki-3.17-tokversion.patch | 34 --------
 opencryptoki-3.17.0-covscan.patch | 24 ------
 opencryptoki-3.17.0-init.patch | 25 ------
 ...7.0-openssl-cleanup-for-opencryptoki.patch | 77 -------------------
 opencryptoki-3.2-no-undefined.patch | 12 ---
 opencryptoki-pkcsslotd-pidfile.patch | 29 -------
 opencryptoki.spec | 34 ++++----
 sources | 2 +-
 10 files changed, 22 insertions(+), 280 deletions(-)
 delete mode 100644 opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch
 delete mode 100644 opencryptoki-3.17-tokversion.patch
 delete mode 100644 opencryptoki-3.17.0-covscan.patch
 delete mode 100644 opencryptoki-3.17.0-init.patch
 delete mode 100644 opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch
 delete mode 100644 opencryptoki-3.2-no-undefined.patch
 delete mode 100644 opencryptoki-pkcsslotd-pidfile.patch
diff --git a/.gitignore b/.gitignore
index 3ce6307..0ecc220 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ opencryptoki-2.3.1.tar.gz
 /opencryptoki-3.15.1.tar.gz
 /opencryptoki-3.16.0.tar.gz
 /opencryptoki-3.17.0.tar.gz
+/opencryptoki-3.18.0.tar.gz
diff --git a/opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch b/opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch
deleted file mode 100644
index d552737..0000000
--- a/opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-commit fed25d1f2f3fe43eb8f55f66e39b7f4dfdad2226
-Author: Ingo Franzki
-Date: Mon Feb 21 13:31:20 2022 +0100
-
- API: Avoid deadlock when stopping event thread
-
- Avoid that the event thread writes trace messages while it is
- enabled for thread cancellation. This might leave the trace mutex in
- the locked state and cause subsequent trace calls to lock forever
- (e.g in stop_event_thread() right after canceling the thread).
-
- Disable cancellation right at the beginning of the thread function,
- and disable it before calling a trace function or leaving the loop.
-
- Also make sure that the cleanup handler is registered and the
- cancellation type is set before initially enabling cancellation.
-
-
Signed-off-by: Ingo Franzki
-
-diff --git a/usr/lib/api/socket_client.c b/usr/lib/api/socket_client.c
-index cbe55dce..62a8ec20 100644
---- a/usr/lib/api/socket_client.c
-+++ b/usr/lib/api/socket_client.c
-@@ -284,6 +284,8 @@ static void *event_thread(void *arg)
-
- UNUSED(arg);
-
-+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
-+
- TRACE_DEVEL("Event thread %lu running\n", pthread_self());
-
- if (anchor->socketfd < 0) {
-@@ -303,13 +305,13 @@ static void *event_thread(void *arg)
- #endif
-
- /* Enable cancellation */
-- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-- pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);
- cleanup.anchor = anchor;
- #if OPENSSL_VERSION_PREREQ(3, 0)
- cleanup.prev_libctx = prev_libctx;
- #endif
- pthread_cleanup_push(event_thread_cleanup, &cleanup);
-+ pthread_setcanceltype(PTHREAD_CANCEL_DEFERRED, &oldtype);
-+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
-
- pollfd.fd = anchor->socketfd;
- pollfd.events = POLLIN | POLLHUP | POLLERR;
-@@ -320,6 +322,7 @@ static void *event_thread(void *arg)
- if (rc < 0) {
- if (errno == EINTR)
- continue;
-+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
- TRACE_ERROR("poll failed: %d\n", errno);
- break;
- }
-@@ -328,6 +331,7 @@ static void *event_thread(void *arg)
- continue;
-
- if (pollfd.revents & (POLLHUP | POLLERR)) {
-+ pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &oldstate);
- TRACE_ERROR("Error on socket, possibly closed by slot daemon\n");
- break;
- }
diff --git a/opencryptoki-3.17-tokversion.patch b/opencryptoki-3.17-tokversion.patch
deleted file mode 100644
index 7b6f0fd..0000000
--- a/opencryptoki-3.17-tokversion.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff -up opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf.me opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf
---- opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf.me 2022-04-06 06:46:43.905040507 -0400
-+++ opencryptoki-3.17.0/usr/sbin/pkcsslotd/opencryptoki.conf 2022-04-06 06:47:51.375040507 -0400
-@@ -22,25 +22,30 @@ version opencryptoki-3.17
- slot 0
- {
- stdll = libpkcs11_tpm.so
-+tokversion = 3.12
- }
-
- slot 1
- {
- stdll = libpkcs11_ica.so
-+tokversion = 3.12
- }
-
- slot 2
- {
- stdll = libpkcs11_cca.so
-+tokversion = 3.12
- }
-
- slot 3
- {
- stdll = libpkcs11_sw.so
-+tokversion = 3.12
- }
-
- slot 4
- {
- stdll = libpkcs11_ep11.so
-+tokversion = 3.12
- confname = ep11tok.conf
- }
diff --git a/opencryptoki-3.17.0-covscan.patch b/opencryptoki-3.17.0-covscan.patch
deleted file mode 100644
index e331a14..0000000
--- a/opencryptoki-3.17.0-covscan.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up opencryptoki-3.17.0/usr/lib/common/asn1.c.me opencryptoki-3.17.0/usr/lib/common/asn1.c
---- opencryptoki-3.17.0/usr/lib/common/asn1.c.me 2021-11-22 21:13:31.408617676 +0100
-+++ opencryptoki-3.17.0/usr/lib/common/asn1.c 2021-11-22 21:13:40.759754932 +0100
-@@ -3483,7 +3483,6 @@ CK_RV ber_encode_DHPublicKey(CK_BBOOL le
- TRACE_DEVEL("%s ber_put_bitstring/ber_flatten failed\n", __func__);
- ber_free(ber, 1);
- ber_bvfree(val);
-- free(buf);
- free(buf2);
- return CKR_FUNCTION_FAILED;
- }
-diff -up opencryptoki-3.17.0/usr/lib/common/mech_openssl.c.me opencryptoki-3.17.0/usr/lib/common/mech_openssl.c
-diff -up opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c.me opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c
---- opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c.me 2021-11-23 13:25:37.950776199 +0100
-+++ opencryptoki-3.17.0/usr/sbin/p11sak/p11sak.c 2021-11-23 13:27:03.560963809 +0100
-@@ -1148,7 +1148,7 @@ static CK_RV print_vendor(CK_SESSION_HAN
- int f;
- struct ConfigBaseNode *c, *name, *hex_string, *type;
- struct ConfigStructNode *structnode;
-- int def_attr;
-+ int def_attr = 0;
-
- if (cfg != NULL)
- {
diff --git a/opencryptoki-3.17.0-init.patch b/opencryptoki-3.17.0-init.patch
deleted file mode 100644
index d45675b..0000000
--- a/opencryptoki-3.17.0-init.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 3fea29baa97be9c132a8189eb00c7a782900d472 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki
-Date: Thu, 18 Nov 2021 10:15:53 +0100
-Subject: [PATCH] API: Unlock GlobMutex if user and group check fails
-
-Closes: https://github.com/opencryptoki/opencryptoki/issues/493
-
-Signed-off-by: Ingo Franzki
----
- usr/lib/api/api_interface.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
-index 6fac7e0bf..20f605c3a 100644
---- a/usr/lib/api/api_interface.c
-+++ b/usr/lib/api/api_interface.c
-@@ -2872,7 +2872,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
-
- rc = check_user_and_group();
- if (rc != CKR_OK)
-- return rc;
-+ goto done;
-
- if (!Anchor) {
- Anchor = (API_Proc_Struct_t *) malloc(sizeof(API_Proc_Struct_t));
diff --git a/opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch b/opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch
deleted file mode 100644
index e341e47..0000000
--- a/opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-commit 22c625eedbc1b993cf3e0caaaf0fe64ec5c1a15c
-Author: Ingo Franzki
-Date: Tue Apr 5 15:09:58 2022 +0200
-
- API: Do not cleanup OpenSSL library context during library destructor
-
- Only cleanup OpenSSL library context and providers if we are not in the
- library destructor. The library destructor calls C_Finalize if not
- already finalized, but this may happen during at-exit handlers when the
- program is terminating. At that point in time, the OpenSSL at-exit
- handler may already have performed cleanup which will then cause
- crashes when trying to cleanup the already freed library context here.
-
- We are leaking the library context and providers if one just unloads
- the library without calling C_Finalize. However, OpenSSL cleanup will
- clean up the context at program termination anyway
-
- Closes: https://github.com/opencryptoki/opencryptoki/issues/527
-
-
Signed-off-by: Ingo Franzki
-
-diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
-index 15520db9..97b5471c 100644
---- a/usr/lib/api/api_interface.c
-+++ b/usr/lib/api/api_interface.c
-@@ -272,6 +272,7 @@ int slot_loaded[NUMBER_SLOTS_MANAGED]; // Array of flags to indicate
- // if the STDLL loaded
-
- CK_BBOOL in_child_fork_initializer = FALSE;
-+CK_BBOOL in_destructor = FALSE;
-
- /*
- * Ordered array of interfaces: If more than one interface matches
-@@ -1705,14 +1706,27 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
- bt_destroy(&Anchor->sess_btree);
-
- #if OPENSSL_VERSION_PREREQ(3, 0)
-- ERR_set_mark();
-- if (Anchor->openssl_default_provider != NULL)
-- OSSL_PROVIDER_unload(Anchor->openssl_default_provider);
-- if (Anchor->openssl_legacy_provider != NULL)
-- OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider);
-- if (Anchor->openssl_libctx != NULL)
-- OSSL_LIB_CTX_free(Anchor->openssl_libctx);
-- ERR_pop_to_mark();
-+ /*
-+ * Only cleanup OpenSSL library context and providers if we are not in the
-+ * library destructor. The library destructor calls C_Finalize if not
-+ * already finalized, but this may happen during at-exit handlers when the
-+ * program is terminating. At that point in time, the OpenSSL at-exit
-+ * handler may already have performed cleanup which will then cause
-+ * crashes when trying to cleanup the already freed library context here.
-+ * We are leaking the library context and providers if one just unloads
-+ * the library without calling C_Finalize. However, OpenSSL cleanup will
-+ * clean up the context at program termination anyway.
-+ */
-+ if (in_destructor == FALSE) {
-+ ERR_set_mark();
-+ if (Anchor->openssl_default_provider != NULL)
-+ OSSL_PROVIDER_unload(Anchor->openssl_default_provider);
-+ if (Anchor->openssl_legacy_provider != NULL)
-+ OSSL_PROVIDER_unload(Anchor->openssl_legacy_provider);
-+ if (Anchor->openssl_libctx != NULL)
-+ OSSL_LIB_CTX_free(Anchor->openssl_libctx);
-+ ERR_pop_to_mark();
-+ }
- #endif
-
- detach_shared_memory(Anchor->SharedMemP);
-@@ -5469,6 +5483,7 @@ void api_fini(void) __attribute__ ((destructor));
- void api_fini()
- {
- if (API_Initialized() == TRUE) {
-+ in_destructor = TRUE;
- Call_Finalize();
- }
- }
diff --git a/opencryptoki-3.2-no-undefined.patch b/opencryptoki-3.2-no-undefined.patch
deleted file mode 100644
index b5806f3..0000000
--- a/opencryptoki-3.2-no-undefined.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up opencryptoki/configure.in.no-undefined opencryptoki/configure.in
---- opencryptoki/configure.in.no-undefined 2015-08-27 11:49:50.815984145 +0200
-+++ opencryptoki/configure.in 2015-08-27 11:50:59.432874245 +0200
-@@ -574,7 +574,7 @@ fi
- AM_CONDITIONAL([ENABLE_PKCSCCA_MIGRATE], [test "x$enable_pkcscca_migrate" = "xyes"])
- AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
-
--CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
-+CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wl,--no-undefined"
-
- CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
-
diff --git a/opencryptoki-pkcsslotd-pidfile.patch b/opencryptoki-pkcsslotd-pidfile.patch
deleted file mode 100644
index 92f7e3c..0000000
--- a/opencryptoki-pkcsslotd-pidfile.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up opencryptoki-3.16.0/misc/pkcsslotd.service.in.me opencryptoki-3.16.0/misc/pkcsslotd.service.in
---- opencryptoki-3.16.0/misc/pkcsslotd.service.in.me 2021-06-25 09:25:11.464487847 +0200
-+++ opencryptoki-3.16.0/misc/pkcsslotd.service.in 2021-06-25 09:25:38.701225760 +0200
-@@ -4,7 +4,7 @@ After=local-fs.target
-
- [Service]
- Type=forking
--PIDFile=/var/run/pkcsslotd.pid
-+PIDFile=/run/pkcsslotd.pid
- ExecStart=@sbindir@/pkcsslotd
-
- [Install]
-diff -up opencryptoki-3.16.0/usr/include/slotmgr.h.me opencryptoki-3.16.0/usr/include/slotmgr.h
---- opencryptoki-3.16.0/usr/include/slotmgr.h.me 2021-06-30 17:28:18.000594834 +0200
-+++ opencryptoki-3.16.0/usr/include/slotmgr.h 2021-06-30 17:28:38.920890278 +0200
-@@ -30,10 +30,10 @@
- #define TOK_PATH SBIN_PATH "/pkcsslotd"
- #define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
-
--#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
--#define ADMIN_SOCKET_FILE_PATH "/var/run/pkcsslotd.admin.socket"
-+#define PROC_SOCKET_FILE_PATH "/run/pkcsslotd.socket"
-+#define ADMIN_SOCKET_FILE_PATH "/run/pkcsslotd.admin.socket"
-
--#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
-+#define PID_FILE_PATH "/run/pkcsslotd.pid"
- #define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
-
- #ifndef CK_BOOL
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 660ddb0..0f172a2 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,12 @@
+# p11-kit needs pkcsslotd daemon starting by default
+# upstream does not recommend to enable the pkcsslotd service by default.
+# we disable it
+%global p11_kit_support 0
+
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.17.0
-Release: 7%{?dist}
+Version: 3.18.0
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
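Review bot: The comment above `%global p11_kit_support 0` ends with "we disable it", which reads as disabling the pkcsslotd service, while the macro actually gates whether `opencryptoki.module` is installed for p11-kit (the `%install` hunk and the `%files libs` hunk use it). A wording such as `# Do not ship the p11-kit module file by default: loading the module through p11-kit needs a running pkcsslotd, and upstream does not recommend enabling that service by default.` would say what the switch controls. With the macro at 0 the module file drops out of the package, so after an upgrade p11-kit consumers presumably stop seeing opencryptoki tokens; the new `%changelog` entry only says `- 3.18.0` and should record that change as well.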
@@ -12,17 +17,6 @@ Patch0: opencryptoki-3.11.0-group.patch
 Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing config file
 Patch2: opencryptoki-1.17.0-p11sak.patch
-# covscan
-Patch3: opencryptoki-3.17.0-covscan.patch
-# Use --no-undefined to debug missing symbols
-#Patch100: %%{name}-3.2-no-undefined.patch
-# upstream patches
-# PIDfile below legacy directory /var/run/
-Patch300: opencryptoki-pkcsslotd-pidfile.patch
-Patch301: opencryptoki-3.17-avoid-deadlock-when-stopping-event-thread.patch
-Patch302: opencryptoki-3.17.0-openssl-cleanup-for-opencryptoki.patch
-Patch303: opencryptoki-3.17-tokversion.patch
-Patch304: opencryptoki-3.17.0-init.patch
 Requires(pre): coreutils
 Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@@ -209,8 +203,10 @@ configured with Enterprise PKCS#11 (EP11) firmware.
 %install
 %make_install CHGRP=/bin/true
-install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
+%if 0%{?p11_kit_support}
+install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
+%endif
 %pre libs
 getent group pkcs11 >/dev/null || groupadd -r pkcs11
@@ -233,6 +229,7 @@ fi
 %doc ChangeLog FAQ README.md
 %doc doc/opencryptoki-howto.md
 %doc doc/README.token_data
+%doc %{_docdir}/%{name}/*.conf
 %dir %{_sysconfdir}/%{name}
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
 %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
@@ -242,9 +239,13 @@ fi
 %{_sbindir}/pkcstok_migrate
 %{_sbindir}/pkcsconf
 %{_sbindir}/pkcsslotd
+%{_sbindir}/pkcsstats
 %{_mandir}/man1/p11sak.1*
 %{_mandir}/man1/pkcstok_migrate.1*
 %{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/pkcsstats.1*
+%{_mandir}/man5/policy.conf.5*
+%{_mandir}/man5/strength.conf.5*
 %{_mandir}/man5/%{name}.conf.5*
 %{_mandir}/man5/p11sak_defined_attrs.conf.5*
 %{_mandir}/man7/%{name}.7*
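Review bot: No policy or strength configuration file is packaged under `%{_sysconfdir}/%{name}`, although this `%files` hunk adds a `%doc %{_docdir}/%{name}/*.conf` glob and the following hunk adds the `policy.conf.5` and `strength.conf.5` man pages. Whether 3.18.0 installs or expects such a file is not visible in this diff and should be confirmed. If it does, list it next to `p11sak_defined_attrs.conf` with the same `%attr(0640, root, pkcs11) %config(noreplace)` prefix, so that a file which presumably governs allowed mechanisms and key strengths is root-owned and survives upgrades. The `*.conf` glob also picks up any `.conf` file that later lands in the doc directory; naming the example files explicitly would keep the file list reviewable.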
@@ -270,10 +271,12 @@ fi
 %{_libdir}/pkcs11/libopencryptoki.so
 %{_libdir}/pkcs11/PKCS11_API.so
 %{_libdir}/pkcs11/stdll
+%if 0%{?p11_kit_support}
 # Co-owned with p11-kit
 %dir %{_datadir}/p11-kit/
 %dir %{_datadir}/p11-kit/modules/
 %{_datadir}/p11-kit/modules/opencryptoki.module
+%endif
 %files devel
 %{_includedir}/%{name}/
@@ -332,6 +335,9 @@ fi
 %changelog
+* Mon May 02 2022 Than Ngo - 3.18.0-1
+- 3.18.0
+
 * Wed Apr 20 2022 Dan HorĂ¡k - 3.17.0-7
 - fix initialization (#2075851, #2074587)
diff --git a/sources b/sources
index 7bfc995..5c6e201 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opencryptoki-3.17.0.tar.gz) = 1e80f4cebfffef1b50f3a29577c003e3a3ac68f9c93c3fd49537dad5ab82d02ab54f62fa73e93cd20f2ea1517eb4aa3a0ac167df3597bb801e8781a4162f9d01
+SHA512 (opencryptoki-3.18.0.tar.gz) = ec975ad15766d1565bb8134160c1a6373a1106486acc924f34d63d8a02c2f2b4d88caa443d17a5f7f92c8d99d3e5c1604073d879403e4f531019ced736422ea3