update to 3.22.0
This commit is contained in:
parent
0eba1a05ea
commit
4f20e1212b
1
.gitignore
vendored
1
.gitignore
vendored
@ -33,3 +33,4 @@ opencryptoki-2.3.1.tar.gz
|
||||
/opencryptoki-3.19.0.tar.gz
|
||||
/opencryptoki-3.20.0.tar.gz
|
||||
/opencryptoki-3.21.0.tar.gz
|
||||
/opencryptoki-3.22.0.tar.gz
|
||||
|
@ -1,34 +0,0 @@
|
||||
commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 10 13:22:48 2023 +0200
|
||||
|
||||
p11sak: Fix parsing of slot number 0
|
||||
|
||||
Running command 'p11sak list-key aes --slot 0' may result in
|
||||
'p11sak: Invalid argument '0' for option '-s/--slot''
|
||||
|
||||
This is because of the error checking after strtoul() within function
|
||||
process_number_argument(). In case errno is not zero, it treats a
|
||||
parsed value of zero as an error.
|
||||
|
||||
Under certain circumstances, errno is non-zero already before calling
|
||||
strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
|
||||
an incorrect error checking, and it is treated as error.
|
||||
|
||||
Initialize errno to zero before calling strtoul() to avoid such false error
|
||||
detection.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
|
||||
index 6e11cb41..38665bbd 100644
|
||||
--- a/usr/sbin/p11sak/p11sak.c
|
||||
+++ b/usr/sbin/p11sak/p11sak.c
|
||||
@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
|
||||
{
|
||||
char *endptr;
|
||||
|
||||
+ errno = 0;
|
||||
*arg->value.number = strtoul(val, &endptr, 0);
|
||||
|
||||
if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||
|
@ -1,52 +0,0 @@
|
||||
commit 4ff774568e334a719fc8de16fe2309e2070f0da8
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon May 22 11:40:01 2023 +0200
|
||||
|
||||
p11sak: Fix user confirmation prompt behavior when stdin is closed
|
||||
|
||||
Treat any error during user confirmation prompt as 'cancel' and skip all
|
||||
operations.
|
||||
|
||||
One can for example close stdin during a user prompt via CTRL+D. This was
|
||||
erroneously treated as positive confirmation and therefore caused the
|
||||
operation to be performed on the current key object and all further objects
|
||||
matching the filter as well, instead of canceling the operation entirely.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
|
||||
index d75d8343..5b54b538 100644
|
||||
--- a/usr/sbin/p11sak/p11sak.c
|
||||
+++ b/usr/sbin/p11sak/p11sak.c
|
||||
@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
case 'c':
|
||||
+ case '\0':
|
||||
data->skip_all = true;
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
case 'c':
|
||||
+ case '\0':
|
||||
data->skip_all = true;
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
case 'c':
|
||||
+ case '\0':
|
||||
data->skip_all = true;
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
||||
case 'c':
|
||||
+ case '\0':
|
||||
data->skip_all = true;
|
||||
data->num_skipped++;
|
||||
return CKR_OK;
|
@ -1,96 +0,0 @@
|
||||
commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 10 10:19:13 2023 +0200
|
||||
|
||||
p11sak: Fix listing of key objects when other object types are present
|
||||
|
||||
A command like 'p11sak list-key all --slot N ...' fails with
|
||||
|
||||
p11sak: Attribute CKA_KEY_TYPE is not available in key object
|
||||
p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
|
||||
p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
|
||||
|
||||
when the object repository contains other, non-key objects, e.g. certificates.
|
||||
|
||||
When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
|
||||
with C_FindObjects(), and thus other non-key objects also match the filter.
|
||||
When a specific key type is specified, then only such objects match that
|
||||
have the desired CKA_KEY_TYPE attribute value.
|
||||
|
||||
Fix this by checking the object class in get_key_infos() and skip the object,
|
||||
if it is not a key object.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
|
||||
index a6213720..6e11cb41 100644
|
||||
--- a/usr/sbin/p11sak/p11sak.c
|
||||
+++ b/usr/sbin/p11sak/p11sak.c
|
||||
@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
|
||||
}
|
||||
}
|
||||
|
||||
+ switch (class_val) {
|
||||
+ case CKO_PUBLIC_KEY:
|
||||
+ case CKO_PRIVATE_KEY:
|
||||
+ case CKO_SECRET_KEY:
|
||||
+ break;
|
||||
+ default:
|
||||
+ free(attrs[0].pValue);
|
||||
+ return CKR_KEY_NEEDED;
|
||||
+ }
|
||||
+
|
||||
for (i = 0; i < num_attrs; i++) {
|
||||
if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
|
||||
warnx("Attribute %s is not available in key object",
|
||||
@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
|
||||
if (manual_filtering) {
|
||||
rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
|
||||
NULL, NULL);
|
||||
+ if (rc == CKR_KEY_NEEDED) {
|
||||
+ rc = CKR_OK;
|
||||
+ goto next;
|
||||
+ }
|
||||
if (rc != CKR_OK)
|
||||
break;
|
||||
|
||||
@@ -3672,6 +3686,10 @@ done_find:
|
||||
for (i = 0; i < num_matched_keys; i++) {
|
||||
rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
|
||||
&label, &typestr, &type);
|
||||
+ if (rc == CKR_KEY_NEEDED) {
|
||||
+ rc = CKR_OK;
|
||||
+ goto next2;
|
||||
+ }
|
||||
if (rc != CKR_OK)
|
||||
break;
|
||||
|
||||
@@ -3680,6 +3698,7 @@ done_find:
|
||||
if (rc != CKR_OK)
|
||||
break;
|
||||
|
||||
+next2:
|
||||
if (label != NULL)
|
||||
free(label);
|
||||
label = NULL;
|
||||
@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
|
||||
*result = 0;
|
||||
|
||||
rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
|
||||
+ if (rc == CKR_KEY_NEEDED) {
|
||||
+ rc = CKR_OK;
|
||||
+ *result = 1; /* non-key objects are always greater than key objects */
|
||||
+ goto done;
|
||||
+ }
|
||||
if (rc != CKR_OK)
|
||||
goto done;
|
||||
|
||||
rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
|
||||
+ if (rc == CKR_KEY_NEEDED) {
|
||||
+ rc = CKR_OK;
|
||||
+ *result = -1; /* key objects are always smaller than non-key objects */
|
||||
+ goto done;
|
||||
+ }
|
||||
if (rc != CKR_OK)
|
||||
goto done;
|
||||
|
@ -1,84 +0,0 @@
|
||||
commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon May 22 13:31:21 2023 +0200
|
||||
|
||||
pkcsstats: Fix handling of user name
|
||||
|
||||
The struct passwd returned by getpwuid() is a pointer to a static area, that
|
||||
may get overwritten by subsequent calls to getpwuid() or similar.
|
||||
Actually, C_Initialize() itself is using getpwuid() internally, and thus will
|
||||
interfere with the getpwuid() usage in pkcsstats.
|
||||
|
||||
Make a copy of the returned user name before calling C_Initialize() in
|
||||
init_ock() to ensure to work with the desired user name, and not with anything
|
||||
left over from previous calls.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
|
||||
index c2444cf5..a842a295 100644
|
||||
--- a/usr/sbin/pkcsstats/pkcsstats.c
|
||||
+++ b/usr/sbin/pkcsstats/pkcsstats.c
|
||||
@@ -783,6 +783,7 @@ int main(int argc, char **argv)
|
||||
int opt = 0;
|
||||
struct passwd *pswd = NULL;
|
||||
int user_id = -1;
|
||||
+ char *user_name = NULL;
|
||||
bool summary = false, all_users = false, all_mechs = false;
|
||||
bool reset = false, reset_all = false;
|
||||
bool delete = false, delete_all = false;
|
||||
@@ -903,19 +904,27 @@ int main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
+ user_name = strdup(pswd->pw_name);
|
||||
+ if (user_name == NULL) {
|
||||
+ warnx("Failed to get current user name");
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
if (delete) {
|
||||
if (slot_id_specified) {
|
||||
warnx("Options -s/--slot and -d/--delete can not be specified together");
|
||||
+ free(user_name);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
- rc = delete_shm(user_id, pswd->pw_name);
|
||||
+ rc = delete_shm(user_id, user_name);
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (delete_all) {
|
||||
if (slot_id_specified) {
|
||||
warnx("Options -s/--slot and -D/--delete-all can not be specified together");
|
||||
+ free(user_name);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
@@ -932,7 +941,7 @@ int main(int argc, char **argv)
|
||||
goto done;
|
||||
|
||||
if (reset) {
|
||||
- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
|
||||
+ rc = reset_shm(user_id, user_name, num_slots, slots,
|
||||
slot_id_specified, slot_id);
|
||||
goto done;
|
||||
}
|
||||
@@ -968,7 +977,7 @@ int main(int argc, char **argv)
|
||||
rc = display_summary(&dd);
|
||||
goto done;
|
||||
} else {
|
||||
- rc = display_stats(user_id, pswd->pw_name, &dd);
|
||||
+ rc = display_stats(user_id, user_name, &dd);
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -984,5 +993,7 @@ done:
|
||||
dlclose(dll);
|
||||
}
|
||||
|
||||
+ free(user_name);
|
||||
+
|
||||
return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
||||
Version: 3.21.0
|
||||
Release: 6%{?dist}
|
||||
Version: 3.22.0
|
||||
Release: 1%{?dist}
|
||||
License: CPL-1.0
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
@ -11,14 +11,6 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||
# fix install problem in buildroot
|
||||
Patch2: opencryptoki-3.21.0-p11sak.patch
|
||||
# upstream patches
|
||||
# pkcsstats: Fix handling of user name
|
||||
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
|
||||
# p11sak: Fix user confirmation prompt behavior when stdin is closed
|
||||
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
|
||||
# p11sak fails as soon as there reside non-key objects
|
||||
Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
|
||||
# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
|
||||
Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
|
||||
|
||||
Requires(pre): coreutils
|
||||
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
|
||||
@ -356,6 +348,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Sep 21 2023 Than Ngo <than@redhat.com> - 3.22.0-1
|
||||
- update to 3.22.0
|
||||
|
||||
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (opencryptoki-3.21.0.tar.gz) = a1843a395770d7b93df46e26a87779f636cf490b300be8f0af97643ffde01460199aa7634e11708cd2353ef534d8df0cfe6e408229c6b4869446aa6886f4e740
|
||||
SHA512 (opencryptoki-3.22.0.tar.gz) = 404b32b19ef70c3e971bf6dd918fa5fa23701eff591282330085b53491597a2fb5928f800110a28dbc8a22744e00477dadadedf5cea5503984078cad38c46b25
|
||||
|
Loading…
Reference in New Issue
Block a user