import opencryptoki-3.16.0-5.el8
This commit is contained in:
parent
d7cd1e49bb
commit
3870a97f75
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/opencryptoki-3.15.1.tar.gz
|
||||
SOURCES/opencryptoki-3.16.0.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
66baf9c90f144bb273964270a39f23fadd86143d SOURCES/opencryptoki-3.15.1.tar.gz
|
||||
e5d8cf8df446a9bdcb3658a8f191f5a31d3a751e SOURCES/opencryptoki-3.16.0.tar.gz
|
||||
|
@ -1,285 +0,0 @@
|
||||
commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 9 16:22:51 2021 +0100
|
||||
|
||||
SOFT: Fix problem with C_Get/SetOperationState and digest contexts
|
||||
|
||||
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
|
||||
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
|
||||
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
|
||||
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
|
||||
was set to 1.
|
||||
|
||||
This hinders C_Get/SetOperationState to correctly save and restore the digest
|
||||
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
|
||||
C_SetOperationState also can't restore the digest state, leaving a subsequent
|
||||
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
|
||||
produces a segfault.
|
||||
|
||||
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
|
||||
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
|
||||
|
||||
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index 0b28daa8..a836efa9 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
|
||||
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
|
||||
}
|
||||
|
||||
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
- CK_MECHANISM *mech)
|
||||
+#ifdef OLDER_OPENSSL
|
||||
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
|
||||
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
|
||||
+#endif
|
||||
+
|
||||
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
|
||||
{
|
||||
const EVP_MD *md = NULL;
|
||||
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
|
||||
-#else
|
||||
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||
-#endif
|
||||
- if (ctx->context == NULL) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
- return CKR_HOST_MEMORY;
|
||||
- }
|
||||
-
|
||||
switch (mech->mechanism) {
|
||||
case CKM_SHA_1:
|
||||
md = EVP_sha1();
|
||||
@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
+ return md;
|
||||
+}
|
||||
+
|
||||
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
|
||||
+{
|
||||
+ const EVP_MD *md;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ md_ctx = EVP_MD_CTX_create();
|
||||
+#else
|
||||
+ md_ctx = EVP_MD_CTX_new();
|
||||
+#endif
|
||||
+ if (md_ctx == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ md = md_from_mech(&ctx->mech);
|
||||
if (md == NULL ||
|
||||
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
|
||||
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
|
||||
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
- ctx->context = NULL;
|
||||
- ctx->context_len = 0;
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
+ if (ctx->context_len == 0) {
|
||||
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
|
||||
+ ctx->context = malloc(ctx->context_len);
|
||||
+ if (ctx->context == NULL) {
|
||||
+ TRACE_ERROR("malloc failed\n");
|
||||
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+ #else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+ #endif
|
||||
+ ctx->context_len = 0;
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* Save context data for later use */
|
||||
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||
+ } else {
|
||||
+ if (ctx->context_len !=
|
||||
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
|
||||
+ TRACE_ERROR("context size mismatcht\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ /* restore the MD context data */
|
||||
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
|
||||
}
|
||||
|
||||
+ return md_ctx;
|
||||
+}
|
||||
+
|
||||
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
+ CK_MECHANISM *mech)
|
||||
+{
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
+ UNUSED(tokdata);
|
||||
+
|
||||
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
|
||||
+ ctx->mech.mechanism = mech->mechanism;
|
||||
+
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+#else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+#endif
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
{
|
||||
unsigned int len;
|
||||
CK_RV rc = CKR_OK;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
|
||||
UNUSED(tokdata);
|
||||
|
||||
@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!in_data || !out_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
|
||||
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto out;
|
||||
}
|
||||
@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
|
||||
out:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
|
||||
@@ -3229,6 +3295,8 @@ out:
|
||||
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
CK_BYTE *in_data, CK_ULONG in_data_len)
|
||||
{
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
+
|
||||
UNUSED(tokdata);
|
||||
|
||||
if (!ctx || !ctx->context)
|
||||
@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!in_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
+ /* Save context data for later use */
|
||||
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||
+
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
+#else
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
+#endif
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
{
|
||||
unsigned int len;
|
||||
CK_RV rc = CKR_OK;
|
||||
+ EVP_MD_CTX *md_ctx;
|
||||
|
||||
UNUSED(tokdata);
|
||||
|
||||
@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
if (!out_data)
|
||||
return CKR_ARGUMENTS_BAD;
|
||||
|
||||
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||
+ md_ctx = md_ctx_from_context(ctx);
|
||||
+ if (md_ctx == NULL) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
|
||||
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto out;
|
||||
}
|
||||
@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||
|
||||
out:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_destroy(md_ctx);
|
||||
#else
|
||||
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ EVP_MD_CTX_free(md_ctx);
|
||||
#endif
|
||||
+ free(ctx->context);
|
||||
ctx->context = NULL;
|
||||
ctx->context_len = 0;
|
||||
|
@ -1,118 +0,0 @@
|
||||
diff -up opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c
|
||||
--- opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig 2020-11-26 13:25:41.679655774 +0100
|
||||
+++ opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c 2020-11-26 13:26:00.170892352 +0100
|
||||
@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user
|
||||
while (1){
|
||||
nread = getline(user_input, &buflen, stdin);
|
||||
if (nread == -1) {
|
||||
- printf("User input failed (error code 0x%lX: %s)\n",
|
||||
- rc, p11_get_ckr(rc));
|
||||
- rc = -1;
|
||||
- return rc;
|
||||
+ printf("User input: EOF\n");
|
||||
+ return CKR_CANCEL;
|
||||
}
|
||||
|
||||
if (user_input_ok(*user_input)) {
|
||||
@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user
|
||||
return rc;
|
||||
}
|
||||
|
||||
-
|
||||
static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
|
||||
- CK_OBJECT_HANDLE *hkey)
|
||||
+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
|
||||
{
|
||||
char *user_input = NULL;
|
||||
CK_RV rc = CKR_OK;
|
||||
|
||||
rc = confirm_destroy(&user_input, label);
|
||||
if (rc != CKR_OK) {
|
||||
- printf("User input failed (error code 0x%lX: %s)\n",
|
||||
- rc, p11_get_ckr(rc));
|
||||
+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
|
||||
+ rc = CKR_CANCEL;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(cha
|
||||
label, rc, p11_get_ckr(rc));
|
||||
goto done;
|
||||
}
|
||||
+ *boolDestroyFlag = CK_TRUE;
|
||||
printf("DONE - Destroy Object with Label: %s\n", label);
|
||||
} else if (strncmp(user_input, "n", 1) == 0) {
|
||||
printf("Skip deleting Key\n");
|
||||
+ *boolDestroyFlag = CK_FALSE;
|
||||
} else {
|
||||
printf("Please just enter (y) for yes or (n) for no.\n");
|
||||
}
|
||||
@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||
CK_OBJECT_HANDLE hkey;
|
||||
char *keytype = NULL;
|
||||
char *label = NULL;
|
||||
+ CK_BBOOL boolDestroyFlag = CK_FALSE;
|
||||
+ CK_BBOOL boolSkipFlag = CK_FALSE;
|
||||
CK_RV rc = CKR_OK;
|
||||
|
||||
rc = tok_key_list_init(session, kt, label);
|
||||
@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||
if (*forceAll) {
|
||||
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
|
||||
printf("Destroy Object with Label: %s\n", label);
|
||||
+
|
||||
rc = funcs->C_DestroyObject(session, hkey);
|
||||
if (rc != CKR_OK) {
|
||||
printf(
|
||||
@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||
label, rc, p11_get_ckr(rc));
|
||||
goto done;
|
||||
}
|
||||
- printf("DONE - Destroy Object with Label: %s\n", label);
|
||||
+ boolDestroyFlag = CK_TRUE;
|
||||
}
|
||||
} else {
|
||||
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
|
||||
- rc = finalize_destroy_object(label, &session, &hkey);
|
||||
+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
|
||||
if (rc != CKR_OK) {
|
||||
goto done;
|
||||
}
|
||||
+
|
||||
+ if (!boolDestroyFlag) {
|
||||
+ boolSkipFlag = CK_TRUE;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||
|
||||
done:
|
||||
|
||||
+ if (strlen(rm_label) > 0) {
|
||||
+ if (boolDestroyFlag) {
|
||||
+ printf("Object with Label: %s found and destroyed \n", rm_label);
|
||||
+ } else if (boolSkipFlag) {
|
||||
+ printf("Object with Label: %s not deleted\n", rm_label);
|
||||
+ } else if (rc == CKR_OK) {
|
||||
+ printf("Object with Label: %s not found\n", rm_label);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (rc != CKR_OK) {
|
||||
free(label);
|
||||
free(keytype);
|
||||
@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
|
||||
/* Execute command */
|
||||
rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
|
||||
label, attr_string, long_print, &forceAll);
|
||||
- if (rc != CKR_OK) {
|
||||
- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
|
||||
+ if (rc == CKR_CANCEL) {
|
||||
+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
|
||||
+ p11_get_ckr(rc));
|
||||
+ } else if (rc != CKR_OK) {
|
||||
+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
|
||||
p11_get_ckr(rc));
|
||||
goto done;
|
||||
}
|
@ -1,42 +0,0 @@
|
||||
From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||
Date: Tue, 19 Jan 2021 14:29:57 +0100
|
||||
Subject: [PATCH] A slot ID has nothing to do with the number of slots
|
||||
|
||||
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||
---
|
||||
usr/sbin/pkcscca/pkcscca.c | 14 --------------
|
||||
1 file changed, 14 deletions(-)
|
||||
|
||||
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
|
||||
index f268f1be..d0bb3160 100644
|
||||
--- a/usr/sbin/pkcscca/pkcscca.c
|
||||
+++ b/usr/sbin/pkcscca/pkcscca.c
|
||||
@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||
{
|
||||
CK_FUNCTION_LIST *funcs;
|
||||
CK_KEY_TYPE key_type = 0;
|
||||
- CK_ULONG slot_count;
|
||||
CK_SESSION_HANDLE sess;
|
||||
CK_RV rv;
|
||||
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
|
||||
@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||
return 2;
|
||||
}
|
||||
|
||||
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
|
||||
- if (rv != CKR_OK) {
|
||||
- p11_error("C_GetSlotList", rv);
|
||||
- exit_code = 3;
|
||||
- goto finalize;
|
||||
- }
|
||||
-
|
||||
- if (slot_id >= slot_count) {
|
||||
- print_error("%lu is not a valid slot ID.", slot_id);
|
||||
- exit_code = 4;
|
||||
- goto finalize;
|
||||
- }
|
||||
-
|
||||
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
|
||||
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
|
||||
if (rv != CKR_OK) {
|
@ -1,13 +0,0 @@
|
||||
diff -up opencryptoki-3.15.1/usr/include/pkcs11types.h.me opencryptoki-3.15.1/usr/include/pkcs11types.h
|
||||
--- opencryptoki-3.15.1/usr/include/pkcs11types.h.me 2020-11-26 18:33:58.707979547 +0100
|
||||
+++ opencryptoki-3.15.1/usr/include/pkcs11types.h 2020-11-26 18:35:22.428095872 +0100
|
||||
@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR
|
||||
|
||||
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
|
||||
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
|
||||
-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
|
||||
+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
|
||||
|
||||
typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
|
||||
typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
|
||||
diff -up opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c.me opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
@ -0,0 +1,136 @@
|
||||
commit 19f56d12b302b87e1dacf613cc61a063ad209d15
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Feb 12 15:57:20 2021 +0100
|
||||
|
||||
Fix compile warning when compiling pkcsslotd with -DDEV and/or -DTHREADED
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcsslotd/garbage_linux.c b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
index d4878c3b..a4dd9713 100644
|
||||
--- a/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
+++ b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <fcntl.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "slotmgr.h"
|
||||
@@ -80,8 +81,8 @@ BOOL StartGCThread(Slot_Mgr_Shr_t *MemPtr)
|
||||
#ifdef DEV
|
||||
// Only development builds
|
||||
LogLog("StartGCThread: garbage collection thread started as ID "
|
||||
- "%d (%#x) by ID %d (%#x)",
|
||||
- GCThread, GCThread, pthread_self(), pthread_self());
|
||||
+ "%lu by ID %lu",
|
||||
+ GCThread, pthread_self());
|
||||
#endif
|
||||
|
||||
return TRUE;
|
||||
@@ -115,8 +116,8 @@ BOOL StopGCThread(void *Ptr)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- DbgLog(DL0, "StopGCThread: tid %d is stopping the garbage collection "
|
||||
- "thread (tid %d)",
|
||||
+ DbgLog(DL0, "StopGCThread: tid %lu is stopping the garbage collection "
|
||||
+ "thread (tid %lu)",
|
||||
pthread_self(), GCThread);
|
||||
|
||||
/* Cause the GC thread to be cancelled */
|
||||
@@ -245,7 +246,7 @@ void GCCancel(void *Ptr)
|
||||
UNUSED(Ptr);
|
||||
|
||||
/* Yeah, yeah. Doesn't do anything, but I had plans */
|
||||
- DbgLog(DL3, "GCCancel: tid: %d running cleanup routine", pthread_self());
|
||||
+ DbgLog(DL3, "GCCancel: tid: %lu running cleanup routine", pthread_self());
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -268,7 +269,7 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
|
||||
ASSERT(MemPtr != NULL_PTR);
|
||||
#ifdef DEV
|
||||
- DbgLog(DL5, "Thread %d is checking for garbage", pthread_self());
|
||||
+ DbgLog(DL5, "Thread %lu is checking for garbage", pthread_self());
|
||||
#endif /* DEV */
|
||||
|
||||
|
||||
@@ -326,9 +327,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
if (*pProcSessions > 0) {
|
||||
|
||||
#ifdef DEV
|
||||
- DbgLog(DL2, "GC: Invalid pid (%d) is holding %d sessions "
|
||||
+ DbgLog(DL2, "GC: Invalid pid (%d) is holding %u sessions "
|
||||
"open on slot %d. Global session count for this "
|
||||
- "slot is %d",
|
||||
+ "slot is %u",
|
||||
pProc->proc_id, *pProcSessions, SlotIndex,
|
||||
*pGlobalSessions);
|
||||
#endif /* DEV */
|
||||
@@ -338,9 +339,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
WarnLog("Garbage Collection: Illegal values in table "
|
||||
"for defunct process");
|
||||
DbgLog(DL0, "Garbage collection: A process "
|
||||
- "( Index: %d, pid: %d ) showed %d sessions "
|
||||
- "open on slot %s, but the global count for this "
|
||||
- "slot is only %d",
|
||||
+ "( Index: %d, pid: %d ) showed %u sessions "
|
||||
+ "open on slot %d, but the global count for this "
|
||||
+ "slot is only %u",
|
||||
ProcIndex, pProc->proc_id, *pProcSessions,
|
||||
SlotIndex, *pGlobalSessions);
|
||||
#endif /* DEV */
|
||||
@@ -395,14 +396,8 @@ int Stat2Proc(int pid, proc_t *p)
|
||||
char fbuf[800]; // about 40 fields, 64-bit decimal is about 20 chars
|
||||
char *tmp;
|
||||
int fd, num;
|
||||
- // FILE *fp;
|
||||
-
|
||||
- // sprintf(buf, "%s/%d/stat", PROC_BASE, pid);
|
||||
- // if( (fp = fopen(buf, "r")) == NULL )
|
||||
- // return FALSE;
|
||||
|
||||
sprintf(fbuf, "%s/%d/stat", PROC_BASE, pid);
|
||||
- printf("Buff = %s \n", fbuf);
|
||||
fflush(stdout);
|
||||
if ((fd = open(fbuf, O_RDONLY, 0)) == -1)
|
||||
return FALSE;
|
||||
diff --git a/usr/sbin/pkcsslotd/log.c b/usr/sbin/pkcsslotd/log.c
|
||||
index 0214f952..0394cc7d 100644
|
||||
--- a/usr/sbin/pkcsslotd/log.c
|
||||
+++ b/usr/sbin/pkcsslotd/log.c
|
||||
@@ -463,8 +463,8 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||
#endif /* DEV */
|
||||
|
||||
if (WriteNow) {
|
||||
- fprintf(stderr, "%s[%d.%d]: %s\n", pInfo->Descrip, getpid(),
|
||||
- (int) pthread_self(), buf);
|
||||
+ fprintf(stderr, "%s[%d.%lu]: %s\n", pInfo->Descrip, getpid(),
|
||||
+ pthread_self(), buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -482,7 +482,7 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||
GetCurrentTimeString(timebuf);
|
||||
|
||||
/* Date/Time stamp, descrip, Error message */
|
||||
- fprintf(fd, "%s %s[%d.%d]: ", timebuf, pInfo->Descrip, getpid(),
|
||||
+ fprintf(fd, "%s %s[%d.%lu]: ", timebuf, pInfo->Descrip, getpid(),
|
||||
pthread_self());
|
||||
fprintf(fd, "%s\n", buf);
|
||||
fflush(fd);
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index 94288f13..efbfe8fd 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -660,7 +660,6 @@ int main(int argc, char *argv[], char *envp[])
|
||||
*/
|
||||
|
||||
#if !defined(NOGARBAGE)
|
||||
- printf("Start garbage \n");
|
||||
/* start garbage collection thread */
|
||||
if (!StartGCThread(shmp)) {
|
||||
term_socket_server();
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,47 @@
|
||||
commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon May 3 10:05:07 2021 +0200
|
||||
|
||||
SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
|
||||
|
||||
When constructing an OpenSSL EC public or private key from PKCS#11
|
||||
attributes or ECDH public data, check that the key is valid, i.e. that
|
||||
the point is on the curve.
|
||||
|
||||
This prevents one from creating an EC key object via C_CreateObject with
|
||||
invalid key data. It also prevents C_DeriveKey to derive a secret using
|
||||
ECDH with an EC public key (public data) that uses a different curve
|
||||
or is invalid by other means.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index c30be1da..aeff39a9 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (!EC_KEY_check_key(ec_key)) {
|
||||
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||
+ rc = CKR_PUBLIC_KEY_INVALID;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
out:
|
||||
if (allocated && ecpoint != NULL)
|
||||
free(ecpoint);
|
||||
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (!EC_KEY_check_key(ec_key)) {
|
||||
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||
+ rc = CKR_FUNCTION_FAILED;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
out:
|
||||
if (point != NULL)
|
||||
EC_POINT_free(point);
|
@ -0,0 +1,28 @@
|
||||
commit 5824364d995e5d2418f885ee57e377e11d1b3302
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jul 7 13:44:46 2021 +0200
|
||||
|
||||
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
|
||||
|
||||
When modifying opencryptoki.conf during token migration, put quotes
|
||||
around strings that contain spaces, e.g. for the slot description and
|
||||
manufacturer.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 94fd1196..3df1596e 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_TOKVERSION)
|
||||
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||
+ strchr(val, ' ') != NULL)
|
||||
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
+ else if (tok != KW_TOKVERSION)
|
||||
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
return 0;
|
||||
}
|
@ -0,0 +1,23 @@
|
||||
commit 69244a5e0d9dfec3ef534b19b89a541576bb17dc
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 9 10:47:57 2021 +0100
|
||||
|
||||
TRACE: Use gettid() if SYS_gettid is not defined
|
||||
|
||||
Also print the thread ID in the trace, if SYS_gettid is not defined.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/trace.c b/usr/lib/common/trace.c
|
||||
index 678c0b96..bdc5256a 100644
|
||||
--- a/usr/lib/common/trace.c
|
||||
+++ b/usr/lib/common/trace.c
|
||||
@@ -33,6 +33,8 @@
|
||||
|
||||
#ifdef SYS_gettid
|
||||
#define __gettid() syscall(SYS_gettid)
|
||||
+#else
|
||||
+#define __gettid() gettid()
|
||||
#endif
|
||||
|
||||
pthread_mutex_t tlmtx = PTHREAD_MUTEX_INITIALIZER;
|
@ -0,0 +1,367 @@
|
||||
commit 7b7d83c571ceb3050969359817d4145600f14ae8
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Apr 9 17:07:31 2021 +0200
|
||||
|
||||
Check CKF_LIBRARY_CANT_CREATE_OS_THREADS at C_Initialize
|
||||
|
||||
Fail if flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set at C_Initialize,
|
||||
and event support is enabled (this is the default). We need to use pthreads
|
||||
for the event thread, so we can't work if CKF_LIBRARY_CANT_CREATE_OS_THREADS
|
||||
is set. Fail with CKR_NEED_TO_CREATE_THREADS if so.
|
||||
|
||||
The event support can be globally disabled using keyword 'disable-event-support'
|
||||
in opencryptoki.conf. This disables pkcsslots to accept admin connections,
|
||||
and it does not monitor for AP UDEV events (on s390 platform). No event
|
||||
thread is started in the opencryptoki processes, thus we can accept if flag
|
||||
CKF_LIBRARY_CANT_CREATE_OS_THREADS is set in that case.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
|
||||
index 71218f79..7dc676ab 100644
|
||||
--- a/man/man5/opencryptoki.conf.5.in
|
||||
+++ b/man/man5/opencryptoki.conf.5.in
|
||||
@@ -10,8 +10,16 @@ pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
|
||||
determine which slots will be made available.
|
||||
|
||||
.SH SYNTAX
|
||||
-This file is made up of slot descriptions. Each slot description
|
||||
-is composed of a slot number, brackets and key-value pairs.
|
||||
+This file is made up of optional global definitions, and slot descriptions.
|
||||
+
|
||||
+The following global definitions are valid:
|
||||
+
|
||||
+.TP
|
||||
+.BR disable-event-support
|
||||
+If this keyword is specified the openCryptoki event support is disabled.
|
||||
+
|
||||
+.P
|
||||
+Each slot description is composed of a slot number, brackets and key-value pairs.
|
||||
|
||||
slot number
|
||||
{
|
||||
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||
index e37368a5..451a8cf1 100644
|
||||
--- a/usr/include/slotmgr.h
|
||||
+++ b/usr/include/slotmgr.h
|
||||
@@ -99,6 +99,7 @@ typedef struct {
|
||||
LW_SHM_TYPE *shm_addr; // token specific shm address
|
||||
} Slot_Info_t;
|
||||
|
||||
+#define FLAG_EVENT_SUPPORT_DISABLED 0x01
|
||||
|
||||
#ifdef PKCS64
|
||||
|
||||
@@ -200,6 +201,7 @@ typedef struct {
|
||||
|
||||
typedef struct {
|
||||
uint8 num_slots;
|
||||
+ uint8 flags;
|
||||
CK_INFO_64 ck_info;
|
||||
Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
|
||||
} Slot_Mgr_Socket_t;
|
||||
@@ -214,6 +216,7 @@ typedef struct {
|
||||
|
||||
typedef struct {
|
||||
uint8 num_slots;
|
||||
+ uint8 flags;
|
||||
CK_INFO ck_info;
|
||||
Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
|
||||
} Slot_Mgr_Socket_t;
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index 2873a20a..6517ca6c 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -308,7 +308,8 @@ void parent_fork_after()
|
||||
return;
|
||||
|
||||
/* Restart the event thread in the parent when fork is complete */
|
||||
- if (Anchor->event_thread == 0)
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ Anchor->event_thread == 0)
|
||||
start_event_thread();
|
||||
}
|
||||
|
||||
@@ -2752,13 +2753,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
- // If we EVER need to create threads from this library we must
|
||||
- // check the Flags for the Can_Create_OS_Threads flag
|
||||
- // Right now the library DOES NOT create threads and therefore this
|
||||
- // check is irrelavant.
|
||||
- if (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
|
||||
- TRACE_DEVEL("Can't create OS threads...This is OK\n");
|
||||
- }
|
||||
+
|
||||
// Since this is an initialization path, we will be verbose in the
|
||||
// code rather than efficient.
|
||||
//
|
||||
@@ -2848,7 +2843,21 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto error_shm;
|
||||
}
|
||||
- // Initialize structure values
|
||||
+
|
||||
+ if (pVoid != NULL) {
|
||||
+ pArg = (CK_C_INITIALIZE_ARGS *) pVoid;
|
||||
+
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) != 0) {
|
||||
+ TRACE_ERROR("Flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set and "
|
||||
+ "event support is enabled\n");
|
||||
+ OCK_SYSLOG(LOG_ERR, "C_Initialize: Application specified that "
|
||||
+ "library can't create OS threads. PKCS11 Module requires "
|
||||
+ "to create threads when event support is enabled.\n");
|
||||
+ rc = CKR_NEED_TO_CREATE_THREADS;
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
//Register with pkcsslotd
|
||||
if (!API_Register()) {
|
||||
@@ -2867,7 +2876,8 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
}
|
||||
|
||||
/* Start event receiver thread */
|
||||
- if (start_event_thread() != 0) {
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ start_event_thread() != 0) {
|
||||
TRACE_ERROR("Failed to start event thread\n");
|
||||
|
||||
// unload all the STDLL's from the application
|
||||
diff --git a/usr/lib/common/configparser.h b/usr/lib/common/configparser.h
|
||||
index 13ca648d..b3c32496 100644
|
||||
--- a/usr/lib/common/configparser.h
|
||||
+++ b/usr/lib/common/configparser.h
|
||||
@@ -35,6 +35,7 @@ typedef int (*end_slot_f)(void *private);
|
||||
typedef int (*key_str_f)(void *private, int tok, const char *val);
|
||||
typedef int (*key_vers_f)(void *private, int tok, unsigned int vers);
|
||||
typedef void (*eolcomment_f)(void *private, const char *comment);
|
||||
+typedef void (*disab_event_supp_f)(void *private);
|
||||
/*
|
||||
* Report an error. If the error is not reported by the parser itself
|
||||
* but via one of the parse functions, \c parsermsg will be \c NULL.
|
||||
@@ -52,6 +53,7 @@ typedef void (*error_f)(void *private, int line, const char *parsermsg);
|
||||
*/
|
||||
struct parsefuncs {
|
||||
ockversion_f version;
|
||||
+ disab_event_supp_f disab_event_supp;
|
||||
eol_f eol;
|
||||
begin_slot_f begin_slot;
|
||||
end_slot_f end_slot;
|
||||
diff --git a/usr/lib/common/lexer.l b/usr/lib/common/lexer.l
|
||||
index b35a0b72..38cbcb70 100644
|
||||
--- a/usr/lib/common/lexer.l
|
||||
+++ b/usr/lib/common/lexer.l
|
||||
@@ -69,6 +69,7 @@ extern char *configparse_strdup(const char *s);
|
||||
|
||||
version return OCKVERSION;
|
||||
slot return SLOT;
|
||||
+disable-event-support return DISABLE_EVENT_SUPPORT;
|
||||
|
||||
[^\"= \t\n]+ {
|
||||
yylval.str = configparse_strdup(yytext);
|
||||
diff --git a/usr/lib/common/parser.y b/usr/lib/common/parser.y
|
||||
index 86806fcb..40c3994d 100644
|
||||
--- a/usr/lib/common/parser.y
|
||||
+++ b/usr/lib/common/parser.y
|
||||
@@ -65,7 +65,7 @@ int lookup_keyword(const char *key);
|
||||
int err;
|
||||
}
|
||||
|
||||
-%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF
|
||||
+%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF DISABLE_EVENT_SUPPORT
|
||||
%token <str> STRING
|
||||
%token <str> KEYWORD
|
||||
%token <num> INTEGER
|
||||
@@ -81,6 +81,7 @@ config_file:
|
||||
|
||||
sections:
|
||||
version_def eolcomment
|
||||
+ | disable_event_support_def eolcomment
|
||||
| SLOT INTEGER BEGIN_DEF
|
||||
{
|
||||
if (parsefuncs->begin_slot && parsefuncs->begin_slot(parsedata, $2, 0)) {
|
||||
@@ -125,6 +126,13 @@ version_def:
|
||||
}
|
||||
configparse_freestringsfrom($2);
|
||||
}
|
||||
+
|
||||
+disable_event_support_def:
|
||||
+ DISABLE_EVENT_SUPPORT
|
||||
+ {
|
||||
+ if (parsefuncs->disab_event_supp)
|
||||
+ parsefuncs->disab_event_supp(parsedata);
|
||||
+ }
|
||||
|
||||
line_def:
|
||||
STRING EQUAL TOKVERSION
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
index d7edcb3c..1dd0bac9 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
@@ -88,7 +88,7 @@ int XProcLock(void);
|
||||
int XProcUnLock(void);
|
||||
int CreateXProcLock(void);
|
||||
|
||||
-int init_socket_server();
|
||||
+int init_socket_server(int event_support_disabled);
|
||||
int term_socket_server();
|
||||
int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||
int socket_connection_handler(int timeout_secs);
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index efbfe8fd..3b328a6c 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -34,6 +34,7 @@ int shmid;
|
||||
key_t tok;
|
||||
Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||
unsigned int NumberSlotsInDB = 0;
|
||||
+int event_support_disabled = 0;
|
||||
|
||||
Slot_Info_t_64 *psinfo;
|
||||
|
||||
@@ -467,6 +468,13 @@ static int slotmgr_key_vers(void *private, int tok, unsigned int vers)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static void slotmgr_disab_event_supp(void *private)
|
||||
+{
|
||||
+ UNUSED(private);
|
||||
+
|
||||
+ event_support_disabled = 1;
|
||||
+}
|
||||
+
|
||||
static void slotmgr_parseerror(void *private, int line, const char *parsermsg)
|
||||
{
|
||||
struct parse_data *d = (struct parse_data *)private;
|
||||
@@ -480,6 +488,7 @@ static struct parsefuncs slotmgr_parsefuncs = {
|
||||
.end_slot = slotmgr_end_slot,
|
||||
.key_str = slotmgr_key_str,
|
||||
.key_vers = slotmgr_key_vers,
|
||||
+ .disab_event_supp = slotmgr_disab_event_supp,
|
||||
.parseerror = slotmgr_parseerror
|
||||
};
|
||||
|
||||
@@ -568,7 +577,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (!XProcUnLock())
|
||||
return 4;
|
||||
|
||||
- if (!init_socket_server()) {
|
||||
+ if (!init_socket_server(event_support_disabled)) {
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -582,6 +591,8 @@ int main(int argc, char *argv[], char *envp[])
|
||||
DestroySharedMemory();
|
||||
return 6;
|
||||
}
|
||||
+ if (event_support_disabled)
|
||||
+ socketData.flags |= FLAG_EVENT_SUPPORT_DISABLED;
|
||||
|
||||
/* Create customized token directories */
|
||||
psinfo = &socketData.slot_info[0];
|
||||
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||
index 41408670..3aa40267 100644
|
||||
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||
@@ -139,12 +139,12 @@ struct event_info {
|
||||
};
|
||||
|
||||
static int epoll_fd = -1;
|
||||
-static struct listener_info proc_listener;
|
||||
+static struct listener_info proc_listener = { .socket = -1 };
|
||||
static DL_NODE *proc_connections = NULL;
|
||||
-static struct listener_info admin_listener;
|
||||
+static struct listener_info admin_listener = { .socket = -1 };
|
||||
static DL_NODE *admin_connections = NULL;
|
||||
#ifdef WITH_LIBUDEV
|
||||
-static struct udev_mon udev_mon;
|
||||
+static struct udev_mon udev_mon = { .socket = -1 };
|
||||
#endif
|
||||
static DL_NODE *pending_events = NULL;
|
||||
static unsigned long pending_events_count = 0;
|
||||
@@ -1620,6 +1620,9 @@ static void udev_mon_term(struct udev_mon *udev_mon)
|
||||
if (udev_mon == NULL)
|
||||
return;
|
||||
|
||||
+ if (udev_mon->socket < 0)
|
||||
+ return;
|
||||
+
|
||||
epoll_ctl(epoll_fd, EPOLL_CTL_DEL, udev_mon->socket, NULL);
|
||||
if (udev_mon->udev != NULL)
|
||||
udev_unref(udev_mon->udev);
|
||||
@@ -1636,6 +1639,7 @@ int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||
{
|
||||
unsigned int processed = 0;
|
||||
|
||||
+ socketData->flags = 0;
|
||||
PopulateCKInfo(&(socketData->ck_info));
|
||||
socketData->num_slots = NumberSlotsInDB;
|
||||
PopulateSlotInfo(socketData->slot_info, &processed);
|
||||
@@ -1692,7 +1696,7 @@ int socket_connection_handler(int timeout_secs)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
-int init_socket_server()
|
||||
+int init_socket_server(int event_support_disabled)
|
||||
{
|
||||
int err;
|
||||
|
||||
@@ -1710,18 +1714,20 @@ int init_socket_server()
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||
- admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||
- term_socket_server();
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (!event_support_disabled) {
|
||||
+ if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||
+ admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||
+ term_socket_server();
|
||||
+ return FALSE;
|
||||
+ }
|
||||
|
||||
#ifdef WITH_LIBUDEV
|
||||
- if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||
- term_socket_server();
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||
+ term_socket_server();
|
||||
+ return FALSE;
|
||||
+ }
|
||||
#endif
|
||||
+ }
|
||||
|
||||
DbgLog(DL0, "%s: Socket server started", __func__);
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 7c225730..94fd1196 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2066,6 +2066,13 @@ static int parseupdate_ockversion(void *private, const char *version)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void parseupdate_disab_event_supp(void *private)
|
||||
+{
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
+
|
||||
+ fprintf(u->f, "disable-event-support");
|
||||
+}
|
||||
+
|
||||
static void parseupdate_eol(void *private)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
@@ -2124,6 +2131,7 @@ static void parseupdate_eolcomment(void *private, const char *comment)
|
||||
|
||||
static struct parsefuncs parseupdatefuncs = {
|
||||
.version = parseupdate_ockversion,
|
||||
+ .disab_event_supp = parseupdate_disab_event_supp,
|
||||
.eol = parseupdate_eol,
|
||||
.begin_slot = parseupdate_begin_slot,
|
||||
.end_slot = parseupdate_end_slot,
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,37 @@
|
||||
commit b07505993dd8b2f367cf3b630f6da186e4e8550d
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Feb 10 15:12:25 2021 +0100
|
||||
|
||||
Avoid deadlock in dlclose() after a fork
|
||||
|
||||
Calling dlclose() in a atfork handler may cause a deadlock.
|
||||
dlclose() may itself modify the atfork handler table to remove
|
||||
any fork handlers that the to be unloaded library has registered.
|
||||
Since the atfork handler table is currently locked when we are in
|
||||
an atfork handler, this would produce a deadlock.
|
||||
|
||||
Skip the dlclose() if we are in an atfork handler to avoid the deadlock.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index 3ccb6d41..f1ee9132 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -1516,7 +1516,15 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
|
||||
}
|
||||
}
|
||||
|
||||
- DL_UnLoad(sltp, slotID);
|
||||
+ /*
|
||||
+ * Calling dlclose() in a atfork handler may cause a deadlock.
|
||||
+ * dlclose() may itself modify the atfork handler table to remove
|
||||
+ * any fork handlers that the to be unloaded library has registered.
|
||||
+ * Since the atfork handler table is currently locked when we are in
|
||||
+ * an atfork handler, this would produce a deadlock.
|
||||
+ */
|
||||
+ if (!in_child_fork_initializer)
|
||||
+ DL_UnLoad(sltp, slotID);
|
||||
}
|
||||
|
||||
// Un register from Slot D
|
@ -0,0 +1,21 @@
|
||||
commit bf812c652c49d7e248b115d121a4f7f6568941a2
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Apr 6 13:41:55 2021 +0200
|
||||
|
||||
Update travis yaml file to install libudev development files
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/.travis.yml b/.travis.yml
|
||||
index d2907246..fd4092e3 100644
|
||||
--- a/.travis.yml
|
||||
+++ b/.travis.yml
|
||||
@@ -5,7 +5,7 @@ language: c
|
||||
|
||||
before_install:
|
||||
- sudo apt-get -qq update
|
||||
- - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget
|
||||
+ - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget libudev-dev
|
||||
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb
|
||||
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb
|
||||
- sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3
|
@ -0,0 +1,462 @@
|
||||
commit c79e899d77a5724635a9d4451a34a240e2c7e891
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Apr 16 13:41:41 2021 +0200
|
||||
|
||||
Fix potential deadlock situation with double read-locks
|
||||
|
||||
Do not get and read-lock an object twice within the same thread via
|
||||
function object_mgr_find_in_map1(), as this would read-lock the object
|
||||
twice.
|
||||
|
||||
This could cause a deadlock situation, when in-between the first
|
||||
and the second call to object_mgr_find_in_map1() the token object is
|
||||
modified by another process. The second object_mgr_find_in_map1() would
|
||||
detect that the object has been modified (object_mgr_check_shm()), and
|
||||
would try to re-load the object from the disk. For re-loading, the
|
||||
object is unlocked once, and a write-lock is acquired instead.
|
||||
However, if the current thread has read-locked the object twice, but
|
||||
releases only one read-lock, then it will never get the write lock,
|
||||
because it still owns the read lock itself.
|
||||
|
||||
To avoid this situation, release the read-lock before calling another
|
||||
function that also acquires the read lock of the object. That way, only
|
||||
one read-lock is held by the current thread, and re-loading the object
|
||||
will not cause a deadlock.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/decr_mgr.c b/usr/lib/common/decr_mgr.c
|
||||
index 317ef995..9842302b 100644
|
||||
--- a/usr/lib/common/decr_mgr.c
|
||||
+++ b/usr/lib/common/decr_mgr.c
|
||||
@@ -540,6 +540,10 @@ CK_RV decr_mgr_init(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||
|
||||
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 0);
|
||||
if (rc) {
|
||||
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||
diff --git a/usr/lib/common/encr_mgr.c b/usr/lib/common/encr_mgr.c
|
||||
index d3ecdeee..3e85ceab 100644
|
||||
--- a/usr/lib/common/encr_mgr.c
|
||||
+++ b/usr/lib/common/encr_mgr.c
|
||||
@@ -537,6 +537,10 @@ CK_RV encr_mgr_init(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||
|
||||
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 1);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
|
||||
index 1652f90a..e35b383c 100644
|
||||
--- a/usr/lib/common/mech_rsa.c
|
||||
+++ b/usr/lib/common/mech_rsa.c
|
||||
@@ -602,6 +602,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_oaep_encrypt(tokdata, ctx, in_data,
|
||||
in_data_len, out_data,
|
||||
out_data_len, hash, hlen);
|
||||
@@ -625,6 +629,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_oaep_decrypt(tokdata, ctx, in_data,
|
||||
in_data_len, out_data,
|
||||
out_data_len, hash, hlen);
|
||||
@@ -1331,6 +1339,10 @@ CK_RV rsa_pss_sign(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_pss_sign(tokdata, sess, ctx, in_data, in_data_len,
|
||||
out_data, out_data_len);
|
||||
if (rc != CKR_OK)
|
||||
@@ -1389,6 +1401,10 @@ CK_RV rsa_pss_verify(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_pss_verify(tokdata, sess, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
if (rc != CKR_OK)
|
||||
diff --git a/usr/lib/common/sign_mgr.c b/usr/lib/common/sign_mgr.c
|
||||
index 937a371a..c7268e01 100644
|
||||
--- a/usr/lib/common/sign_mgr.c
|
||||
+++ b/usr/lib/common/sign_mgr.c
|
||||
@@ -424,6 +424,10 @@ CK_RV sign_mgr_init(STDLL_TokData_t *tokdata,
|
||||
ctx->context_len = 0;
|
||||
ctx->context = NULL;
|
||||
|
||||
+ /* Release obj lock, token specific hmac-sign may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = hmac_sign_init(tokdata, sess, mech, key);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_ERROR("Failed to initialize hmac.\n");
|
||||
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||
index 3ac3768a..52f95d7a 100644
|
||||
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||
@@ -6948,6 +6948,13 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /*
|
||||
+ * Release obj lock, sign_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||
+ * may re-acquire the lock
|
||||
+ */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
/* Note that Edwards curves in general are not yet supported in
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
@@ -7029,11 +7036,16 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||
rc = pkey_ibm_ed_sign(key_obj, in_data, in_data_len, signature, sig_len);
|
||||
- else
|
||||
+ } else {
|
||||
+ /* Release obj lock, sign_mgr_sign may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = sign_mgr_sign(tokdata, session, length_only, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
+ }
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
@@ -7071,6 +7083,11 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
if (!in_data || !in_data_len)
|
||||
return CKR_OK;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7078,11 +7095,6 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_SignUpdate(ctx->context, ctx->context_len, in_data,
|
||||
in_data_len, ep11_data->target);
|
||||
@@ -7115,6 +7127,11 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7122,11 +7139,6 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_SignFinal(ctx->context, ctx->context_len, signature, sig_len,
|
||||
ep11_data->target);
|
||||
@@ -7241,6 +7253,13 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /*
|
||||
+ * Release obj lock, verify_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||
+ * may re-acquire the lock
|
||||
+ */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
/* Note that Edwards curves in general are not yet supported in
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
@@ -7320,12 +7339,17 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||
rc = pkey_ibm_ed_verify(key_obj, in_data, in_data_len,
|
||||
signature, sig_len);
|
||||
- else
|
||||
+ } else {
|
||||
+ /* Release obj lock, verify_mgr_verify may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = verify_mgr_verify(tokdata, session, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
+ }
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
@@ -7363,6 +7387,11 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
if (!in_data || !in_data_len)
|
||||
return CKR_OK;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7370,11 +7399,6 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_VerifyUpdate(ctx->context, ctx->context_len, in_data,
|
||||
in_data_len, ep11_data->target);
|
||||
@@ -7406,6 +7430,11 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7413,11 +7442,6 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_VerifyFinal(ctx->context, ctx->context_len, signature,
|
||||
sig_len, ep11_data->target);
|
||||
@@ -7501,6 +7525,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||
+ ctx, output_part, p_output_part_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7508,12 +7538,6 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||
- ctx, output_part, p_output_part_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_DecryptFinal(ctx->context, ctx->context_len,
|
||||
output_part, p_output_part_len,
|
||||
@@ -7548,13 +7572,6 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = decr_mgr_decrypt(tokdata, session, length_only, ctx,
|
||||
input_data, input_data_len, output_data,
|
||||
@@ -7562,6 +7579,13 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_Decrypt(ctx->context, ctx->context_len, input_data,
|
||||
input_data_len, output_data, p_output_data_len,
|
||||
@@ -7602,13 +7626,6 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return CKR_OK; /* nothing to update, keep context */
|
||||
}
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = decr_mgr_decrypt_update(tokdata, session, length_only,
|
||||
ctx, input_part, input_part_len,
|
||||
@@ -7616,6 +7633,13 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_DecryptUpdate(ctx->context, ctx->context_len,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7695,6 +7719,12 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||
+ ctx, output_part, p_output_part_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7702,12 +7732,6 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||
- ctx, output_part, p_output_part_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_EncryptFinal(ctx->context, ctx->context_len,
|
||||
output_part, p_output_part_len,
|
||||
@@ -7742,13 +7766,6 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = encr_mgr_encrypt(tokdata, session, length_only, ctx,
|
||||
input_data, input_data_len, output_data,
|
||||
@@ -7756,6 +7773,13 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_Encrypt(ctx->context, ctx->context_len, input_data,
|
||||
input_data_len, output_data, p_output_data_len,
|
||||
@@ -7796,13 +7820,6 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return CKR_OK; /* nothing to update, keep context */
|
||||
}
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = encr_mgr_encrypt_update(tokdata, session, length_only, ctx,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7810,6 +7827,13 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_EncryptUpdate(ctx->context, ctx->context_len,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7921,6 +7945,10 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /* Release obj lock, encr/decr_mgr_init may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
if (op == DECRYPT) {
|
||||
rc = decr_mgr_init(tokdata, session, &session->decr_ctx,
|
||||
OP_DECRYPT_INIT, mech, key);
|
@ -0,0 +1,104 @@
|
||||
commit d2f137cce5e6efb123842509352c7c49f889c67f
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu Jul 22 15:55:02 2021 +0200
|
||||
|
||||
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
|
||||
|
||||
Due to the way the parser works, a slot description like
|
||||
'description = "slot"' works, but not without quotes ('description = slot').
|
||||
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
|
||||
too), so if the word 'slot' would appear in an unquoted string, the
|
||||
configuration file would fail to parse.
|
||||
|
||||
Always quote the value of 'description' and 'manufacturer'. Quote the
|
||||
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
|
||||
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index a29dc8f7..853986e8 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2060,7 +2060,7 @@ done:
|
||||
*/
|
||||
static int parseupdate_ockversion(void *private, const char *version)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fprintf(u->f, "version %s", version);
|
||||
return 0;
|
||||
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
|
||||
|
||||
static void parseupdate_eol(void *private)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fputc('\n', u->f);
|
||||
}
|
||||
|
||||
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
u->activeslot = (slot == u->slotnum);
|
||||
if (nl_before_begin)
|
||||
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||
|
||||
static int parseupdate_end_slot(void *private)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
if (u->activeslot)
|
||||
fprintf(u->f, " tokversion = 3.12\n");
|
||||
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
|
||||
|
||||
static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||
- strchr(val, ' ') != NULL)
|
||||
+ switch (tok) {
|
||||
+ case KW_SLOTDESC:
|
||||
+ case KW_MANUFID:
|
||||
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
- else if (tok != KW_TOKVERSION)
|
||||
+ break;
|
||||
+ case KW_STDLL:
|
||||
+ case KW_CONFNAME:
|
||||
+ case KW_TOKNAME:
|
||||
+ if (strchr(val, ' ') != NULL)
|
||||
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
+ else
|
||||
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
+ break;
|
||||
+ case KW_HWVERSION:
|
||||
+ case KW_FWVERSION:
|
||||
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
+ break;
|
||||
+ }
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
if (tok == KW_TOKVERSION && !u->activeslot)
|
||||
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
|
||||
static void parseupdate_eolcomment(void *private, const char *comment)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fprintf(u->f, "#%s", comment);
|
||||
}
|
@ -0,0 +1,239 @@
|
||||
commit d7de5092247a0efc2c397f12977a7c9925420143
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 16 17:15:20 2021 +0100
|
||||
|
||||
TESTCASES: Add event support tests
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/testcases/misc_tests/events.c b/testcases/misc_tests/events.c
|
||||
new file mode 100644
|
||||
index 00000000..fecc7bfe
|
||||
--- /dev/null
|
||||
+++ b/testcases/misc_tests/events.c
|
||||
@@ -0,0 +1,190 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include "event_client.h"
|
||||
+#include "regress.h"
|
||||
+#include "defs.h"
|
||||
+
|
||||
+const char payload[20] = "12345678901234567890";
|
||||
+
|
||||
+static inline void init_event_destination(struct event_destination *dest,
|
||||
+ unsigned int token_type,
|
||||
+ const char *label,
|
||||
+ pid_t process_id)
|
||||
+{
|
||||
+ size_t len;
|
||||
+
|
||||
+ dest->token_type = token_type;
|
||||
+ dest->process_id = process_id;
|
||||
+
|
||||
+ memset(dest->token_label, ' ', sizeof(dest->token_label));
|
||||
+ if (label != NULL) {
|
||||
+ len = strlen(label);
|
||||
+ memcpy(dest->token_label, label, len > sizeof(dest->token_label) ?
|
||||
+ sizeof(dest->token_label) : len);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int main(int argc, char **argv)
|
||||
+{
|
||||
+ CK_C_INITIALIZE_ARGS cinit_args;
|
||||
+ int rc, fd = -1, ret = 1;
|
||||
+ struct event_destination dest;
|
||||
+ struct event_reply reply;
|
||||
+
|
||||
+ UNUSED(argc);
|
||||
+ UNUSED(argv);
|
||||
+
|
||||
+ rc = do_GetFunctionList();
|
||||
+ if (!rc) {
|
||||
+ testcase_error("do_getFunctionList(), rc=%s", p11_get_ckr(rc));
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Initialize Opencryptoki in this process, so that at least one
|
||||
+ * process is receiving the events.
|
||||
+ */
|
||||
+ memset(&cinit_args, 0x0, sizeof(cinit_args));
|
||||
+ cinit_args.flags = CKF_OS_LOCKING_OK;
|
||||
+ funcs->C_Initialize(&cinit_args);
|
||||
+
|
||||
+ testcase_setup(0);
|
||||
+ testcase_begin("Starting event tests");
|
||||
+
|
||||
+ // Test fork before C_Initialize
|
||||
+ testcase_new_assertion();
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (simple, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (simple, one-shot)");
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||
+ NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (payload, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (payload, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_CCA, NULL, 0);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (token-type, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (token-type, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, "cca", 0);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (token-label, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (token-label, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, NULL, 12345);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (pid, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (pid, one-shot)");
|
||||
+
|
||||
+ memset(&reply, 0, sizeof(reply));
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (reply, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||
+ if (reply.positive_replies + reply.negative_replies +
|
||||
+ reply.nothandled_replies == 0) {
|
||||
+ testcase_fail("send_event (reply, one-shot) replies all zero");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (reply, one-shot)");
|
||||
+
|
||||
+
|
||||
+ fd = init_event_client();
|
||||
+ if (fd < 0) {
|
||||
+ testcase_fail("init_event_client rc = %d (%s)", fd, strerror(-fd));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("init_event_client()");
|
||||
+
|
||||
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (simple) rc = %d (%s)", rc, strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (simple)");
|
||||
+
|
||||
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||
+ NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (payload) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (payload)");
|
||||
+
|
||||
+ memset(&reply, 0, sizeof(reply));
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (reply) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||
+ if (reply.positive_replies + reply.negative_replies +
|
||||
+ reply.nothandled_replies == 0) {
|
||||
+ testcase_fail("send_event (reply) replies all zero");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (reply)");
|
||||
+
|
||||
+ term_event_client(fd);
|
||||
+ fd = -1;
|
||||
+
|
||||
+ ret = 0;
|
||||
+
|
||||
+out:
|
||||
+ if (fd >= 0)
|
||||
+ term_event_client(fd);
|
||||
+
|
||||
+ funcs->C_Finalize(NULL);
|
||||
+
|
||||
+ testcase_print_result();
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/testcases/misc_tests/misc_tests.mk b/testcases/misc_tests/misc_tests.mk
|
||||
index 3de11ebe..fb7cc0a1 100644
|
||||
--- a/testcases/misc_tests/misc_tests.mk
|
||||
+++ b/testcases/misc_tests/misc_tests.mk
|
||||
@@ -7,7 +7,8 @@ noinst_PROGRAMS += \
|
||||
testcases/misc_tests/fork testcases/misc_tests/multi_instance \
|
||||
testcases/misc_tests/obj_lock testcases/misc_tests/tok2tok_transport \
|
||||
testcases/misc_tests/obj_lock testcases/misc_tests/reencrypt \
|
||||
- testcases/misc_tests/cca_export_import_test
|
||||
+ testcases/misc_tests/cca_export_import_test \
|
||||
+ testcases/misc_tests/events
|
||||
|
||||
testcases_misc_tests_obj_mgmt_tests_CFLAGS = ${testcases_inc}
|
||||
testcases_misc_tests_obj_mgmt_tests_LDADD = \
|
||||
@@ -73,3 +74,8 @@ testcases_misc_tests_cca_export_import_test_LDADD = \
|
||||
testcases/common/libcommon.la
|
||||
testcases_misc_tests_cca_export_import_test_SOURCES = \
|
||||
testcases/misc_tests/cca_export_import_test.c
|
||||
+
|
||||
+testcases_misc_tests_events_CFLAGS = ${testcases_inc}
|
||||
+testcases_misc_tests_events_LDADD = testcases/common/libcommon.la
|
||||
+testcases_misc_tests_events_SOURCES = testcases/misc_tests/events.c \
|
||||
+ usr/lib/common/event_client.c
|
||||
diff --git a/testcases/ock_tests.sh.in b/testcases/ock_tests.sh.in
|
||||
index 64c77a7d..6558b031 100755
|
||||
--- a/testcases/ock_tests.sh.in
|
||||
+++ b/testcases/ock_tests.sh.in
|
||||
@@ -53,6 +53,7 @@ OCK_TESTS+=" pkcs11/findobjects pkcs11/generate_keypair"
|
||||
OCK_TESTS+=" pkcs11/get_interface pkcs11/getobjectsize pkcs11/sess_opstate"
|
||||
OCK_TESTS+=" misc_tests/fork misc_tests/obj_mgmt_tests"
|
||||
OCK_TESTS+=" misc_tests/obj_mgmt_lock_tests misc_tests/reencrypt"
|
||||
+OCK_TESTS+=" misc_tests/events"
|
||||
OCK_TEST=""
|
||||
OCK_BENCHS="pkcs11/*bench"
|
||||
|
@ -0,0 +1,619 @@
|
||||
commit d929fe8470e99f4dcbbd889e7aa87e147d0d5b48
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Feb 12 11:25:21 2021 +0100
|
||||
|
||||
Externalize linked list functions
|
||||
|
||||
Externalize the linked list functions (dlist_xxx), so that they
|
||||
can also be used on pkcsslotd.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
|
||||
index bd230b9f..c5e86fa7 100644
|
||||
--- a/usr/lib/cca_stdll/cca_stdll.mk
|
||||
+++ b/usr/lib/cca_stdll/cca_stdll.mk
|
||||
@@ -35,7 +35,8 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = \
|
||||
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
- usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c
|
||||
+ usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
|
||||
diff --git a/usr/lib/common/dlist.c b/usr/lib/common/dlist.c
|
||||
new file mode 100644
|
||||
index 00000000..1fee1ea9
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/dlist.c
|
||||
@@ -0,0 +1,218 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#include "dlist.h"
|
||||
+#include "host_defs.h"
|
||||
+#include "h_extern.h"
|
||||
+
|
||||
+
|
||||
+// Function: dlist_add_as_first()
|
||||
+//
|
||||
+// Adds the specified node to the start of the list
|
||||
+//
|
||||
+// Returns: pointer to the start of the list
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = NULL;
|
||||
+
|
||||
+ if (!data)
|
||||
+ return list;
|
||||
+
|
||||
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ node->data = data;
|
||||
+ node->prev = NULL;
|
||||
+ node->next = list;
|
||||
+ if (list)
|
||||
+ list->prev = node;
|
||||
+
|
||||
+ return node;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_add_as_last()
|
||||
+//
|
||||
+// Adds the specified node to the end of the list
|
||||
+//
|
||||
+// Returns: pointer to the start of the list
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = NULL;
|
||||
+
|
||||
+ if (!data)
|
||||
+ return list;
|
||||
+
|
||||
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ node->data = data;
|
||||
+ node->next = NULL;
|
||||
+
|
||||
+ if (!list) {
|
||||
+ node->prev = NULL;
|
||||
+ return node;
|
||||
+ } else {
|
||||
+ DL_NODE *temp = dlist_get_last(list);
|
||||
+ temp->next = node;
|
||||
+ node->prev = temp;
|
||||
+
|
||||
+ return list;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_find()
|
||||
+//
|
||||
+DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = list;
|
||||
+
|
||||
+ while (node && node->data != data)
|
||||
+ node = node->next;
|
||||
+
|
||||
+ return node;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_get_first()
|
||||
+//
|
||||
+// Returns the last node in the list or NULL if list is empty
|
||||
+//
|
||||
+DL_NODE *dlist_get_first(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (temp->prev != NULL)
|
||||
+ temp = temp->prev;
|
||||
+
|
||||
+ return temp;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_get_last()
|
||||
+//
|
||||
+// Returns the last node in the list or NULL if list is empty
|
||||
+//
|
||||
+DL_NODE *dlist_get_last(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (temp->next != NULL)
|
||||
+ temp = temp->next;
|
||||
+
|
||||
+ return temp;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+CK_ULONG dlist_length(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+ CK_ULONG len = 0;
|
||||
+
|
||||
+ while (temp) {
|
||||
+ len++;
|
||||
+ temp = temp->next;
|
||||
+ }
|
||||
+
|
||||
+ return len;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+DL_NODE *dlist_next(DL_NODE *node)
|
||||
+{
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return node->next;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+DL_NODE *dlist_prev(DL_NODE *node)
|
||||
+{
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return node->prev;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+void dlist_purge(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *node;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return;
|
||||
+
|
||||
+ do {
|
||||
+ node = list->next;
|
||||
+ free(list);
|
||||
+ list = node;
|
||||
+ } while (list);
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_remove_node()
|
||||
+//
|
||||
+// Attempts to remove the specified node from the list. The caller is
|
||||
+// responsible for freeing the data associated with the node prior to
|
||||
+// calling this routine
|
||||
+//
|
||||
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list || !node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ // special case: removing head of the list
|
||||
+ //
|
||||
+ if (list == node) {
|
||||
+ temp = list->next;
|
||||
+ if (temp)
|
||||
+ temp->prev = NULL;
|
||||
+
|
||||
+ free(list);
|
||||
+ return temp;
|
||||
+ }
|
||||
+ // we have no guarantee that the node is in the list
|
||||
+ // so search through the list to find it
|
||||
+ //
|
||||
+ while ((temp != NULL) && (temp->next != node))
|
||||
+ temp = temp->next;
|
||||
+
|
||||
+ if (temp != NULL) {
|
||||
+ DL_NODE *next = node->next;
|
||||
+
|
||||
+ temp->next = next;
|
||||
+ if (next)
|
||||
+ next->prev = temp;
|
||||
+
|
||||
+ free(node);
|
||||
+ }
|
||||
+
|
||||
+ return list;
|
||||
+}
|
||||
diff --git a/usr/lib/common/dlist.h b/usr/lib/common/dlist.h
|
||||
new file mode 100644
|
||||
index 00000000..eda4af9c
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/dlist.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+
|
||||
+#ifndef _DLIST_H_
|
||||
+#define _DLIST_H_
|
||||
+
|
||||
+#include "pkcs11types.h"
|
||||
+#include "defs.h"
|
||||
+
|
||||
+// linked-list routines
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_get_first(DL_NODE *list);
|
||||
+DL_NODE *dlist_get_last(DL_NODE *list);
|
||||
+CK_ULONG dlist_length(DL_NODE *list);
|
||||
+DL_NODE *dlist_next(DL_NODE *list);
|
||||
+DL_NODE *dlist_prev(DL_NODE *list);
|
||||
+void dlist_purge(DL_NODE *list);
|
||||
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||
+
|
||||
+#endif
|
||||
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||
index 63aff79f..5e251d95 100644
|
||||
--- a/usr/lib/common/h_extern.h
|
||||
+++ b/usr/lib/common/h_extern.h
|
||||
@@ -24,6 +24,7 @@
|
||||
#define _H_EXTERN_H
|
||||
|
||||
#include <stdio.h>
|
||||
+#include "dlist.h"
|
||||
|
||||
// global variables
|
||||
//
|
||||
@@ -1759,19 +1760,6 @@ int ec_point_from_public_data(const CK_BYTE *data, CK_ULONG data_len,
|
||||
CK_BBOOL *allocated, CK_BYTE **ec_point,
|
||||
CK_ULONG *ec_point_len);
|
||||
|
||||
-// linked-list routines
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_get_first(DL_NODE *list);
|
||||
-DL_NODE *dlist_get_last(DL_NODE *list);
|
||||
-CK_ULONG dlist_length(DL_NODE *list);
|
||||
-DL_NODE *dlist_next(DL_NODE *list);
|
||||
-DL_NODE *dlist_prev(DL_NODE *list);
|
||||
-void dlist_purge(DL_NODE *list);
|
||||
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||
-
|
||||
CK_RV attach_shm(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id);
|
||||
CK_RV detach_shm(STDLL_TokData_t *tokdata, CK_BBOOL ignore_ref_count);
|
||||
|
||||
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
|
||||
index 38d8d959..b2c6ee50 100644
|
||||
--- a/usr/lib/common/utility.c
|
||||
+++ b/usr/lib/common/utility.c
|
||||
@@ -40,203 +40,6 @@
|
||||
#include <sys/file.h>
|
||||
#include <syslog.h>
|
||||
|
||||
-// Function: dlist_add_as_first()
|
||||
-//
|
||||
-// Adds the specified node to the start of the list
|
||||
-//
|
||||
-// Returns: pointer to the start of the list
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = NULL;
|
||||
-
|
||||
- if (!data)
|
||||
- return list;
|
||||
-
|
||||
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- node->data = data;
|
||||
- node->prev = NULL;
|
||||
- node->next = list;
|
||||
- if (list)
|
||||
- list->prev = node;
|
||||
-
|
||||
- return node;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_add_as_last()
|
||||
-//
|
||||
-// Adds the specified node to the end of the list
|
||||
-//
|
||||
-// Returns: pointer to the start of the list
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = NULL;
|
||||
-
|
||||
- if (!data)
|
||||
- return list;
|
||||
-
|
||||
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- node->data = data;
|
||||
- node->next = NULL;
|
||||
-
|
||||
- if (!list) {
|
||||
- node->prev = NULL;
|
||||
- return node;
|
||||
- } else {
|
||||
- DL_NODE *temp = dlist_get_last(list);
|
||||
- temp->next = node;
|
||||
- node->prev = temp;
|
||||
-
|
||||
- return list;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_find()
|
||||
-//
|
||||
-DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = list;
|
||||
-
|
||||
- while (node && node->data != data)
|
||||
- node = node->next;
|
||||
-
|
||||
- return node;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_get_first()
|
||||
-//
|
||||
-// Returns the last node in the list or NULL if list is empty
|
||||
-//
|
||||
-DL_NODE *dlist_get_first(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list)
|
||||
- return NULL;
|
||||
-
|
||||
- while (temp->prev != NULL)
|
||||
- temp = temp->prev;
|
||||
-
|
||||
- return temp;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_get_last()
|
||||
-//
|
||||
-// Returns the last node in the list or NULL if list is empty
|
||||
-//
|
||||
-DL_NODE *dlist_get_last(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list)
|
||||
- return NULL;
|
||||
-
|
||||
- while (temp->next != NULL)
|
||||
- temp = temp->next;
|
||||
-
|
||||
- return temp;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-CK_ULONG dlist_length(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
- CK_ULONG len = 0;
|
||||
-
|
||||
- while (temp) {
|
||||
- len++;
|
||||
- temp = temp->next;
|
||||
- }
|
||||
-
|
||||
- return len;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-DL_NODE *dlist_next(DL_NODE *node)
|
||||
-{
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- return node->next;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-DL_NODE *dlist_prev(DL_NODE *node)
|
||||
-{
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- return node->prev;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-void dlist_purge(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *node;
|
||||
-
|
||||
- if (!list)
|
||||
- return;
|
||||
-
|
||||
- do {
|
||||
- node = list->next;
|
||||
- free(list);
|
||||
- list = node;
|
||||
- } while (list);
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_remove_node()
|
||||
-//
|
||||
-// Attempts to remove the specified node from the list. The caller is
|
||||
-// responsible for freeing the data associated with the node prior to
|
||||
-// calling this routine
|
||||
-//
|
||||
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list || !node)
|
||||
- return NULL;
|
||||
-
|
||||
- // special case: removing head of the list
|
||||
- //
|
||||
- if (list == node) {
|
||||
- temp = list->next;
|
||||
- if (temp)
|
||||
- temp->prev = NULL;
|
||||
-
|
||||
- free(list);
|
||||
- return temp;
|
||||
- }
|
||||
- // we have no guarantee that the node is in the list
|
||||
- // so search through the list to find it
|
||||
- //
|
||||
- while ((temp != NULL) && (temp->next != node))
|
||||
- temp = temp->next;
|
||||
-
|
||||
- if (temp != NULL) {
|
||||
- DL_NODE *next = node->next;
|
||||
-
|
||||
- temp->next = next;
|
||||
- if (next)
|
||||
- next->prev = temp;
|
||||
-
|
||||
- free(node);
|
||||
- }
|
||||
-
|
||||
- return list;
|
||||
-}
|
||||
-
|
||||
CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t *tokdata)
|
||||
{
|
||||
char lockfile[PATH_MAX];
|
||||
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
index bc617124..b5574d9e 100644
|
||||
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = \
|
||||
usr/lib/common/utility.c usr/lib/common/trace.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/attributes.c usr/lib/common/sw_crypt.c \
|
||||
- usr/lib/common/profile_obj.c \
|
||||
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||
usr/lib/common/pkey_utils.c \
|
||||
usr/lib/ep11_stdll/new_host.c usr/lib/ep11_stdll/ep11_specific.c
|
||||
|
||||
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
index d8448486..8f467e11 100644
|
||||
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
@@ -34,7 +34,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
|
||||
usr/lib/common/verify_mgr.c usr/lib/common/trace.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/profile_obj.c usr/lib/common/attributes.c \
|
||||
- usr/lib/ica_s390_stdll/ica_specific.c
|
||||
+ usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
|
||||
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
index 788478c2..21c64f9a 100644
|
||||
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = \
|
||||
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/attributes.c usr/lib/icsf_stdll/new_host.c \
|
||||
- usr/lib/common/profile_obj.c \
|
||||
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||
usr/lib/icsf_stdll/pbkdf.c usr/lib/icsf_stdll/icsf_specific.c \
|
||||
usr/lib/icsf_stdll/icsf_config_parse.y \
|
||||
usr/lib/icsf_stdll/icsf_config_lexer.l \
|
||||
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
|
||||
index cea802b5..ac401539 100644
|
||||
--- a/usr/lib/soft_stdll/soft_stdll.mk
|
||||
+++ b/usr/lib/soft_stdll/soft_stdll.mk
|
||||
@@ -32,7 +32,8 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
|
||||
usr/lib/common/utility.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/trace.c usr/lib/common/mech_list.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
- usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c
|
||||
+ usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
index f199a103..0e0eb024 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
@@ -34,7 +34,8 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
|
||||
usr/lib/common/verify_mgr.c usr/lib/common/mech_list.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
usr/lib/tpm_stdll/tpm_specific.c usr/lib/common/attributes.c \
|
||||
- usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c
|
||||
+ usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
|
||||
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
|
||||
index a223265f..cc40f819 100644
|
||||
--- a/usr/sbin/pkcscca/pkcscca.mk
|
||||
+++ b/usr/sbin/pkcscca/pkcscca.mk
|
||||
@@ -36,7 +36,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = \
|
||||
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
usr/lib/common/attributes.c usr/lib/common/mech_rng.c \
|
||||
- usr/lib/common/pkcs_utils.c \
|
||||
+ usr/lib/common/pkcs_utils.c usr/lib/common/dlist.c \
|
||||
usr/sbin/pkcscca/pkcscca.c
|
||||
|
||||
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.mk b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
index 4f0e3c56..2d36b4a9 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
@@ -21,5 +21,6 @@ usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||
usr/sbin/pkcsslotd/socket_server.c
|
||||
|
||||
nodist_usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||
- usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c
|
||||
+ usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
usr/sbin/pkcsslotd/slotmgr.$(OBJEXT): usr/lib/common/parser.h
|
@ -0,0 +1,25 @@
|
||||
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu Jul 8 15:18:30 2021 +0200
|
||||
|
||||
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
|
||||
|
||||
When migrating a slot the opencryptoki.conf file is modified. If it
|
||||
contains slots that already contain the 'tokversion = x.y' keyword,
|
||||
this is accidentally removed when migrating another slot.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 3df1596e..05081aff 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_TOKVERSION)
|
||||
+ if (tok == KW_TOKVERSION && !u->activeslot)
|
||||
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||
vers >> 16, vers & 0xffu);
|
||||
return 0;
|
@ -0,0 +1,310 @@
|
||||
commit e9548127edae313da7840bcb87fd0afd04549c2e
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Feb 8 15:26:23 2021 +0100
|
||||
|
||||
pkcsslotd: Refactoring in preparation for event support
|
||||
|
||||
No functional change so far, just making things a bit bore clearer.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||
index 3950a9a3..4d038435 100644
|
||||
--- a/usr/include/slotmgr.h
|
||||
+++ b/usr/include/slotmgr.h
|
||||
@@ -30,7 +30,7 @@
|
||||
#define TOK_PATH SBIN_PATH "/pkcsslotd"
|
||||
#define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
|
||||
|
||||
-#define SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||
+#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||
|
||||
#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
|
||||
#define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index b74b763f..2873a20a 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -2831,7 +2831,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
TRACE_DEBUG("Shared memory %p \n", Anchor->SharedMemP);
|
||||
|
||||
/* Connect to slot daemon and retrieve slot infos */
|
||||
- Anchor->socketfd = connect_socket(SOCKET_FILE_PATH);
|
||||
+ Anchor->socketfd = connect_socket(PROC_SOCKET_FILE_PATH);
|
||||
if (Anchor->socketfd < 0) {
|
||||
OCK_SYSLOG(LOG_ERR, "C_Initialize: Module failed to create a "
|
||||
"socket. Verify that the slot management daemon is "
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
index 813db9f4..69eb59f3 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
@@ -61,7 +61,6 @@ extern key_t tok;
|
||||
extern Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||
extern unsigned int NumberSlotsInDB;
|
||||
|
||||
-extern int socketfd;
|
||||
extern Slot_Mgr_Socket_t socketData;
|
||||
|
||||
|
||||
@@ -89,9 +88,9 @@ int XProcLock(void);
|
||||
int XProcUnLock(void);
|
||||
int CreateXProcLock(void);
|
||||
|
||||
-int CreateListenerSocket(void);
|
||||
-int InitSocketData(Slot_Mgr_Socket_t *sp);
|
||||
-int SocketConnectionHandler(int socketfd, int timeout_secs);
|
||||
-void DetachSocketListener(int socketfd);
|
||||
+int init_socket_server();
|
||||
+int term_socket_server();
|
||||
+int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||
+int socket_connection_handler(int timeout_secs);
|
||||
|
||||
#endif /* _SLOTMGR_H */
|
||||
diff --git a/usr/sbin/pkcsslotd/signal.c b/usr/sbin/pkcsslotd/signal.c
|
||||
index cf7b9087..49482a2f 100644
|
||||
--- a/usr/sbin/pkcsslotd/signal.c
|
||||
+++ b/usr/sbin/pkcsslotd/signal.c
|
||||
@@ -101,7 +101,7 @@ void slotdGenericSignalHandler(int Signal)
|
||||
|
||||
InfoLog("Exiting on %s (%d; %#x)", SignalConst(Signal), Signal, Signal);
|
||||
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index ea5c86f5..94288f13 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -37,7 +37,6 @@ unsigned int NumberSlotsInDB = 0;
|
||||
|
||||
Slot_Info_t_64 *psinfo;
|
||||
|
||||
-int socketfd;
|
||||
Slot_Mgr_Socket_t socketData;
|
||||
|
||||
struct dircheckinfo_s {
|
||||
@@ -569,15 +568,15 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (!XProcUnLock())
|
||||
return 4;
|
||||
|
||||
- if ((socketfd = CreateListenerSocket()) < 0) {
|
||||
+ if (!init_socket_server()) {
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
return 5;
|
||||
}
|
||||
|
||||
- if (!InitSocketData(&socketData)) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ if (!init_socket_data(&socketData)) {
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -598,7 +597,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (Daemon) {
|
||||
pid_t pid;
|
||||
if ((pid = fork()) < 0) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -643,7 +642,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
* the daemonization process redefines our handler for (at least) SIGTERM
|
||||
*/
|
||||
if (!SetupSignalHandlers()) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -664,7 +663,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
printf("Start garbage \n");
|
||||
/* start garbage collection thread */
|
||||
if (!StartGCThread(shmp)) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -684,7 +683,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
#if !(THREADED) && !(NOGARBAGE)
|
||||
CheckForGarbage(shmp);
|
||||
#endif
|
||||
- SocketConnectionHandler(socketfd, 10);
|
||||
+ socket_connection_handler(10);
|
||||
}
|
||||
|
||||
/*************************************************************
|
||||
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||
index ae0eff92..1fae0b95 100644
|
||||
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||
@@ -25,10 +25,14 @@
|
||||
#include "pkcsslotd.h"
|
||||
#include "apictl.h"
|
||||
|
||||
+int proc_listener_socket = -1;
|
||||
+
|
||||
+static void close_listener_socket(int socketfd, const char *file_path);
|
||||
+
|
||||
// Creates the daemon's listener socket, to which clients will connect and
|
||||
// retrieve slot information through. Returns the file descriptor of the
|
||||
// created socket.
|
||||
-int CreateListenerSocket(void)
|
||||
+static int create_listener_socket(const char *file_path)
|
||||
{
|
||||
struct sockaddr_un address;
|
||||
struct group *grp;
|
||||
@@ -39,53 +43,60 @@ int CreateListenerSocket(void)
|
||||
ErrLog("Failed to create listener socket, errno 0x%X.", errno);
|
||||
return -1;
|
||||
}
|
||||
- if (unlink(SOCKET_FILE_PATH) && errno != ENOENT) {
|
||||
+ if (unlink(file_path) && errno != ENOENT) {
|
||||
ErrLog("Failed to unlink socket file, errno 0x%X.", errno);
|
||||
- close(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
memset(&address, 0, sizeof(struct sockaddr_un));
|
||||
address.sun_family = AF_UNIX;
|
||||
- strcpy(address.sun_path, SOCKET_FILE_PATH);
|
||||
+ strcpy(address.sun_path, file_path);
|
||||
|
||||
if (bind(socketfd,
|
||||
(struct sockaddr *) &address, sizeof(struct sockaddr_un)) != 0) {
|
||||
ErrLog("Failed to bind to socket, errno 0x%X.", errno);
|
||||
- close(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
// make socket file part of the pkcs11 group, and write accessable
|
||||
// for that group
|
||||
grp = getgrnam("pkcs11");
|
||||
if (!grp) {
|
||||
ErrLog("Group PKCS#11 does not exist");
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
- if (chown(SOCKET_FILE_PATH, 0, grp->gr_gid)) {
|
||||
+ if (chown(file_path, 0, grp->gr_gid)) {
|
||||
ErrLog("Could not change file group on socket, errno 0x%X.", errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
- if (chmod(SOCKET_FILE_PATH,
|
||||
+ if (chmod(file_path,
|
||||
S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP | S_IXUSR | S_IXGRP)) {
|
||||
ErrLog("Could not change file permissions on socket, errno 0x%X.",
|
||||
errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
if (listen(socketfd, 20) != 0) {
|
||||
ErrLog("Failed to listen to socket, errno 0x%X.", errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
return socketfd;
|
||||
+
|
||||
+error:
|
||||
+ if (socketfd >= 0)
|
||||
+ close_listener_socket(socketfd, file_path);
|
||||
+
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static void close_listener_socket(int socketfd, const char *file_path)
|
||||
+{
|
||||
+ close(socketfd);
|
||||
+ unlink(file_path);
|
||||
}
|
||||
|
||||
-int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||
+int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||
{
|
||||
unsigned int processed = 0;
|
||||
|
||||
@@ -102,19 +113,19 @@ int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
-int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
+int socket_connection_handler(int timeout_secs)
|
||||
{
|
||||
int returnVal;
|
||||
fd_set set;
|
||||
struct timeval timeout;
|
||||
|
||||
FD_ZERO(&set);
|
||||
- FD_SET(socketfd, &set);
|
||||
+ FD_SET(proc_listener_socket, &set);
|
||||
|
||||
timeout.tv_sec = timeout_secs;
|
||||
timeout.tv_usec = 0;
|
||||
|
||||
- returnVal = select(socketfd + 1, &set, NULL, NULL, &timeout);
|
||||
+ returnVal = select(proc_listener_socket + 1, &set, NULL, NULL, &timeout);
|
||||
if (returnVal == -1) {
|
||||
ErrLog("select failed on socket connection, errno 0x%X.", errno);
|
||||
return FALSE;
|
||||
@@ -125,7 +136,7 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
struct sockaddr_un address;
|
||||
socklen_t address_length = sizeof(address);
|
||||
|
||||
- int connectionfd = accept(socketfd,
|
||||
+ int connectionfd = accept(proc_listener_socket,
|
||||
(struct sockaddr *) &address,
|
||||
&address_length);
|
||||
if (connectionfd < 0) {
|
||||
@@ -138,6 +149,10 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
+
|
||||
+ DbgLog(DL0, "Accepted connection from process: socket: %d",
|
||||
+ connectionfd);
|
||||
+
|
||||
if (write(connectionfd, &socketData, sizeof(socketData)) !=
|
||||
sizeof(socketData)) {
|
||||
ErrLog("Failed to write socket data, errno 0x%X.", errno);
|
||||
@@ -149,8 +164,23 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
}
|
||||
}
|
||||
|
||||
-void DetachSocketListener(int socketfd)
|
||||
+int init_socket_server()
|
||||
{
|
||||
- close(socketfd);
|
||||
- unlink(SOCKET_FILE_PATH);
|
||||
+ proc_listener_socket = create_listener_socket(PROC_SOCKET_FILE_PATH);
|
||||
+ if (proc_listener_socket < 0)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ DbgLog(DL0, "Socket server started");
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+int term_socket_server()
|
||||
+{
|
||||
+ if (proc_listener_socket >= 0)
|
||||
+ close_listener_socket(proc_listener_socket, PROC_SOCKET_FILE_PATH);
|
||||
+
|
||||
+ DbgLog(DL0, "Socket server stopped");
|
||||
+
|
||||
+ return TRUE;
|
||||
}
|
@ -0,0 +1,287 @@
|
||||
commit fa94a16116d8382a987ddf9e8cdd88027dd1f647
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 16 17:13:34 2021 +0100
|
||||
|
||||
Event support: Add event client
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/common.mk b/usr/lib/common/common.mk
|
||||
index 2178ad45..882c84f4 100644
|
||||
--- a/usr/lib/common/common.mk
|
||||
+++ b/usr/lib/common/common.mk
|
||||
@@ -4,7 +4,7 @@ noinst_HEADERS += \
|
||||
usr/lib/common/shared_memory.h usr/lib/common/tok_spec_struct.h \
|
||||
usr/lib/common/trace.h usr/lib/common/h_extern.h \
|
||||
usr/lib/common/sw_crypt.h usr/lib/common/defs.h \
|
||||
- usr/lib/common/p11util.h \
|
||||
+ usr/lib/common/p11util.h usr/lib/common/event_client.h \
|
||||
usr/lib/common/list.h usr/lib/common/tok_specific.h
|
||||
|
||||
usr/lib/common/lexer.c: usr/lib/common/parser.h
|
||||
diff --git a/usr/lib/common/event_client.c b/usr/lib/common/event_client.c
|
||||
new file mode 100644
|
||||
index 00000000..86117b84
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/event_client.c
|
||||
@@ -0,0 +1,215 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/un.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <stdio.h>
|
||||
+#include <unistd.h>
|
||||
+#include <grp.h>
|
||||
+
|
||||
+#include "slotmgr.h"
|
||||
+#include "event_client.h"
|
||||
+
|
||||
+static int connect_socket(const char *file_path)
|
||||
+{
|
||||
+ int socketfd;
|
||||
+ struct sockaddr_un daemon_address;
|
||||
+ struct stat file_info;
|
||||
+ struct group *grp;
|
||||
+ int rc;
|
||||
+
|
||||
+ if (stat(file_path, &file_info))
|
||||
+ return -errno;
|
||||
+
|
||||
+ grp = getgrnam("pkcs11");
|
||||
+ if (!grp)
|
||||
+ return -errno;
|
||||
+
|
||||
+ if (file_info.st_uid != 0 || file_info.st_gid != grp->gr_gid)
|
||||
+ return -EPERM;
|
||||
+
|
||||
+ if ((socketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
|
||||
+ return -errno;
|
||||
+
|
||||
+ memset(&daemon_address, 0, sizeof(struct sockaddr_un));
|
||||
+ daemon_address.sun_family = AF_UNIX;
|
||||
+ strcpy(daemon_address.sun_path, file_path);
|
||||
+
|
||||
+ if (connect(socketfd, (struct sockaddr *) &daemon_address,
|
||||
+ sizeof(struct sockaddr_un)) != 0) {
|
||||
+ rc = -errno;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ return socketfd;
|
||||
+
|
||||
+error:
|
||||
+ close(socketfd);
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static ssize_t read_all(int socketfd, char *buffer, size_t size)
|
||||
+{
|
||||
+ size_t bytes_received = 0;
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ while (bytes_received < size) {
|
||||
+ n = read(socketfd, buffer + bytes_received, size - bytes_received);
|
||||
+ if (n < 0) {
|
||||
+ // read error
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ return -errno;
|
||||
+ }
|
||||
+ if (n == 0)
|
||||
+ break;
|
||||
+
|
||||
+ bytes_received += n;
|
||||
+ }
|
||||
+
|
||||
+ return bytes_received;
|
||||
+}
|
||||
+
|
||||
+static ssize_t send_all(int socketfd, char *buffer, size_t size)
|
||||
+{
|
||||
+ size_t bytes_sent = 0;
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ while (bytes_sent < size) {
|
||||
+ n = send(socketfd, buffer + bytes_sent, size - bytes_sent, 0);
|
||||
+ if (n < 0) {
|
||||
+ // send error
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ return -errno;
|
||||
+ }
|
||||
+ if (n == 0)
|
||||
+ break;
|
||||
+
|
||||
+ bytes_sent += n;
|
||||
+ }
|
||||
+
|
||||
+ return bytes_sent;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Initialize an admin connection to the pkcsslotd.
|
||||
+ * Returns a file descriptor representing the connection, or a negative errno
|
||||
+ * in case of an error.
|
||||
+ */
|
||||
+int init_event_client()
|
||||
+{
|
||||
+ int fd;
|
||||
+
|
||||
+ fd = connect_socket(ADMIN_SOCKET_FILE_PATH);
|
||||
+
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Send an event though the admin connection to the pkcsslotd, and thus to
|
||||
+ * all active token instances.
|
||||
+ * If parameter fd is < 0, then a connection to pkcsslotd is established
|
||||
+ * inside the function and closed before return. This is for a one shot event.
|
||||
+ * Otherwise, pass a file descriptor received from init_event_client(). This
|
||||
+ * is to send multiple events.
|
||||
+ * Event type is mandatory, flags can be zero.
|
||||
+ * The event payload is optional, if payload_len is non-zero, then payload must
|
||||
+ * point to a buffer containing the payload to send with the event.
|
||||
+ * The event destination can be used to selectively send the event to certain
|
||||
+ * token instances only. If destination is NULL, it is sent to all token
|
||||
+ * instances.
|
||||
+ * If flag EVENT_FLAGS_REPLY_REQ is on in the flags parameter, then it is waited
|
||||
+ * until all active token instances have replied. The combined result of the
|
||||
+ * replies from the token instances is returned in the reply structure.
|
||||
+ * Parameter reply must be non-NULL if flag EVENT_FLAGS_REPLY_REQ is set.
|
||||
+ * Returns zero for success, or a negative errno in case of an error. In most
|
||||
+ * error cases the connection to the pkcsslotd is out of sequence and can no
|
||||
+ * longer be used to send further events.
|
||||
+ */
|
||||
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||
+ unsigned int payload_len, const char *payload,
|
||||
+ const struct event_destination *destination,
|
||||
+ struct event_reply *reply)
|
||||
+{
|
||||
+ event_msg_t event_msg;
|
||||
+ event_reply_t event_reply;
|
||||
+ int rc, term = 0;
|
||||
+
|
||||
+ if (payload_len > 0 && payload == NULL)
|
||||
+ return -EINVAL;
|
||||
+ if ((flags & EVENT_FLAGS_REPLY_REQ) && reply == NULL)
|
||||
+ return -EINVAL;
|
||||
+ if (payload_len > EVENT_MAX_PAYLOAD_LENGTH)
|
||||
+ return -EMSGSIZE;
|
||||
+
|
||||
+ if (fd < 0) {
|
||||
+ fd = init_event_client();
|
||||
+ if (fd < 0)
|
||||
+ return fd;
|
||||
+ term = 1;
|
||||
+ }
|
||||
+
|
||||
+ memset(&event_msg, 0, sizeof(event_msg));
|
||||
+ event_msg.version = EVENT_VERSION_1;
|
||||
+ event_msg.type = type;
|
||||
+ event_msg.flags = flags;
|
||||
+ if (destination != NULL) {
|
||||
+ event_msg.token_type = destination->token_type;
|
||||
+ memcpy(event_msg.token_label, destination->token_label,
|
||||
+ sizeof(event_msg.token_label));
|
||||
+ event_msg.process_id = destination->process_id;
|
||||
+ } else {
|
||||
+ memset(event_msg.token_label, ' ', sizeof(event_msg.token_label));
|
||||
+ }
|
||||
+ event_msg.payload_len = payload_len;
|
||||
+
|
||||
+ rc = send_all(fd, (char *)&event_msg, sizeof(event_msg));
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (payload_len > 0) {
|
||||
+ rc = send_all(fd, (char *)payload, payload_len);
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (flags & EVENT_FLAGS_REPLY_REQ) {
|
||||
+ rc = read_all(fd, (char *)&event_reply, sizeof(event_reply));
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ reply->positive_replies = event_reply.positive_replies;
|
||||
+ reply->negative_replies = event_reply.negative_replies;
|
||||
+ reply->nothandled_replies = event_reply.nothandled_replies;
|
||||
+ }
|
||||
+
|
||||
+ rc = 0;
|
||||
+
|
||||
+out:
|
||||
+ if (term)
|
||||
+ term_event_client(fd);
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Terminate the admin connection to the pkcsslotd.
|
||||
+ */
|
||||
+void term_event_client(int fd)
|
||||
+{
|
||||
+ if (fd >= 0)
|
||||
+ close(fd);
|
||||
+}
|
||||
+
|
||||
diff --git a/usr/lib/common/event_client.h b/usr/lib/common/event_client.h
|
||||
new file mode 100644
|
||||
index 00000000..2e4917b0
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/event_client.h
|
||||
@@ -0,0 +1,39 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+#ifndef _EVENT_CLIENT_H_
|
||||
+#define _EVENT_CLIENT_H_
|
||||
+
|
||||
+#include "events.h"
|
||||
+
|
||||
+struct event_destination {
|
||||
+ unsigned int token_type; /* Destination token type: EVENT_TOK_TYPE_xxx */
|
||||
+ char token_label[member_size(event_msg_t, token_label)];
|
||||
+ /* Label of destination token (or blanks) */
|
||||
+ pid_t process_id; /* Process ID of destination process (or 0) */
|
||||
+};
|
||||
+
|
||||
+struct event_reply {
|
||||
+ unsigned long positive_replies;
|
||||
+ unsigned long negative_replies;
|
||||
+ unsigned long nothandled_replies;
|
||||
+};
|
||||
+
|
||||
+int init_event_client();
|
||||
+
|
||||
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||
+ unsigned int payload_len, const char *payload,
|
||||
+ const struct event_destination *destination,
|
||||
+ struct event_reply *reply);
|
||||
+
|
||||
+void term_event_client(int fd);
|
||||
+
|
||||
+#endif
|
@ -0,0 +1,106 @@
|
||||
commit 5951869263b556280da53498270cf4826f779c5b
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Jul 13 09:05:22 2021 +0200
|
||||
|
||||
pkcstok_migrate: Fix detection if pkcsslotd is still running
|
||||
|
||||
Change the code to use the pid file that pkcsslotd creates, and check
|
||||
if the process with the pid contained in the pid file still exists and
|
||||
runs pkcsslotd.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 05081aff..a29dc8f7 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
|
||||
*/
|
||||
static CK_BBOOL pkcsslotd_running(void)
|
||||
{
|
||||
- DIR *dir;
|
||||
FILE *fp;
|
||||
- struct dirent* ent;
|
||||
char* endptr;
|
||||
- char buf[PATH_MAX];
|
||||
+ long lpid;
|
||||
char fname[PATH_MAX];
|
||||
+ char buf[PATH_MAX];
|
||||
+ char* first;
|
||||
|
||||
TRACE_INFO("Checking if pkcsslotd is running ...\n");
|
||||
- if (!(dir = opendir("/proc"))) {
|
||||
- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
|
||||
- return CK_TRUE;
|
||||
+
|
||||
+ fp = fopen(PID_FILE_PATH, "r");
|
||||
+ if (fp == NULL) {
|
||||
+ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
|
||||
+ PID_FILE_PATH);
|
||||
+ return CK_FALSE;
|
||||
}
|
||||
|
||||
- while ((ent = readdir(dir)) != NULL) {
|
||||
- /* if endptr is not a null character, the directory is not
|
||||
- * entirely numeric, so ignore it */
|
||||
- long lpid = strtol(ent->d_name, &endptr, 10);
|
||||
- if (*endptr != '\0') {
|
||||
- continue;
|
||||
- }
|
||||
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
|
||||
+ strerror(errno));
|
||||
+ fclose(fp);
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
|
||||
- /* try to open the cmdline file */
|
||||
- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||
- fp = fopen(fname, "r");
|
||||
- if (!fp) {
|
||||
- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
+ lpid = strtol(buf, &endptr, 10);
|
||||
+ if (*endptr != '\0' && *endptr != '\n') {
|
||||
+ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
|
||||
+ buf);
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
|
||||
- /* check the first token in the file: the program pathname */
|
||||
- if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
- char* first = strtok(buf, " ");
|
||||
- if (!first) {
|
||||
- TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
|
||||
- fname);
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
- if (strstr(first, "pkcsslotd") != NULL) {
|
||||
- fclose(fp);
|
||||
- closedir(dir);
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
- }
|
||||
+ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||
+ fp = fopen(fname, "r");
|
||||
+ if (fp == NULL) {
|
||||
+ TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
+
|
||||
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ TRACE_INFO("Failed to read '%s'\n", fname);
|
||||
fclose(fp);
|
||||
+ return CK_FALSE;
|
||||
}
|
||||
+ fclose(fp);
|
||||
|
||||
- closedir(dir);
|
||||
- return CK_FALSE;
|
||||
+ first = strtok(buf, " ");
|
||||
+ return (first != NULL && strstr(first, "pkcsslotd") != NULL);
|
||||
}
|
||||
|
||||
/**
|
@ -1,44 +1,58 @@
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||
Version: 3.15.1
|
||||
Release: 5%{?dist}
|
||||
License: CPL
|
||||
Group: System Environment/Base
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: opencryptoki.module
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||
Version: 3.16.0
|
||||
Release: 5%{?dist}
|
||||
License: CPL
|
||||
Group: System Environment/Base
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: opencryptoki.module
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
|
||||
Patch0: opencryptoki-3.11.0-group.patch
|
||||
Patch0: opencryptoki-3.11.0-group.patch
|
||||
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
|
||||
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||
# upstream fixes
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/eef7049ce857ee5d5ec64e369a10e05e8bb5c4dd
|
||||
Patch2: opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
|
||||
Patch3: opencryptoki-3.15.1-fix_compiling_with_c++.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||
Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||
# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||
Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
|
||||
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||
# upstream patches
|
||||
Patch200: opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch
|
||||
Patch201: opencryptoki-3.16.0-c79e899d77a5724635a9d4451a34a240e2c7e891.patch
|
||||
Patch202: opencryptoki-3.16.0-69244a5e0d9dfec3ef534b19b89a541576bb17dc.patch
|
||||
Patch203: opencryptoki-3.16.0-b07505993dd8b2f367cf3b630f6da186e4e8550d.patch
|
||||
Patch204: opencryptoki-3.16.0-b048be548508dd1958bb7271568f388d0f6cbcf8.patch
|
||||
Patch205: opencryptoki-3.16.0-e9548127edae313da7840bcb87fd0afd04549c2e.patch
|
||||
Patch206: opencryptoki-3.16.0-d929fe8470e99f4dcbbd889e7aa87e147d0d5b48.patch
|
||||
Patch207: opencryptoki-3.16.0-19f56d12b302b87e1dacf613cc61a063ad209d15.patch
|
||||
Patch208: opencryptoki-3.16.0-342dfbeb8275f5ea6ed52dd3f30126614ec1d037.patch
|
||||
Patch209: opencryptoki-3.16.0-fa94a16116d8382a987ddf9e8cdd88027dd1f647.patch
|
||||
Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch
|
||||
Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
|
||||
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
|
||||
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
|
||||
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
|
||||
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
|
||||
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
|
||||
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
|
||||
|
||||
Requires(pre): coreutils
|
||||
BuildRequires: gcc
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: trousers-devel
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: bison flex
|
||||
BuildRequires: systemd
|
||||
BuildRequires: libitm-devel
|
||||
Requires(pre): coreutils
|
||||
Requires: (selinux-policy >= 3.14.3-70 if selinux-policy-targeted)
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: trousers-devel
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: autoconf automake libtool
|
||||
BuildRequires: bison flex
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: libitm-devel
|
||||
BuildRequires: expect
|
||||
BuildRequires: make
|
||||
%ifarch s390 s390x
|
||||
BuildRequires: libica-devel >= 2.3
|
||||
BuildRequires: libica-devel >= 2.3
|
||||
%endif
|
||||
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}(token)
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}(token)
|
||||
Requires(post): systemd
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd
|
||||
|
||||
|
||||
%description
|
||||
@ -346,6 +360,26 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-5
|
||||
- Resolves: #1987256, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
|
||||
|
||||
* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-4
|
||||
- Resolves: #1964304, Fix detection if pkcsslotd is still running
|
||||
|
||||
* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-3
|
||||
- Related: #1919223, add conditional requirement
|
||||
|
||||
* Fri Jun 11 2021 Than Ngo <than@redhat.com> - 3.16.0-2
|
||||
- Related: #1919223, add requirement on selinux-policy >= 3.14.3-70 for using ipsec
|
||||
|
||||
* Tue Jun 01 2021 Than Ngo <than@redhat.com> - 3.16.0-1
|
||||
- Resolves: #1919223, rebase to 3.16.0
|
||||
- Resolves: #1922195, Event Notification Support
|
||||
- Resolves: #1959936, Soft token does not check if an EC key is valid
|
||||
- Resolves: #1851104, import and export of secure key objects
|
||||
- Resolves: #1851106, openCryptoki ep11 token: protected key support
|
||||
- Resolves: #1851107, openCryptoki ep11 token: support attribute bound keys
|
||||
|
||||
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
|
||||
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user