From 5229a62455aea9d75713cfad733c4895228ad6e2 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Tue, 21 Nov 2023 20:05:54 +0100
Subject: [PATCH] Resolves: RHEL-11412, rebase to 3.22.0
Resolves: RHEL-10569, openCryptoki for PKCS #11 3.0
---
 .gitignore | 1 +
 ...f41ef5e14d4b509c8854e27cf98e3ee89445.patch | 34 -------
 ...74568e334a719fc8de16fe2309e2070f0da8.patch | 52 ----------
 ...9f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch | 96 ------------------
 ...6214552a92d8d66de8011ab11c9c2c6bb0a4.patch | 84 ----------------
 opencryptoki.spec | 16 ++--
 sources | 2 +-
 7 files changed, 8 insertions(+), 277 deletions(-)
 delete mode 100644 opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
 delete mode 100644 opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
 delete mode 100644 opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
 delete mode 100644 opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
diff --git a/.gitignore b/.gitignore
index 7c1cdbd..6b866ee 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ opencryptoki-2.3.1.tar.gz
 /opencryptoki-3.18.0.tar.gz
 /opencryptoki-3.19.0.tar.gz
 /opencryptoki-3.21.0.tar.gz
+/opencryptoki-3.22.0.tar.gz
diff --git a/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch b/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
deleted file mode 100644
index 3661cad..0000000
--- a/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
-Author: Ingo Franzki
-Date: Mon Jul 10 13:22:48 2023 +0200
-
- p11sak: Fix parsing of slot number 0
-
- Running command 'p11sak list-key aes --slot 0' may result in
- 'p11sak: Invalid argument '0' for option '-s/--slot''
-
- This is because of the error checking after strtoul() within function
- process_number_argument(). In case errno is not zero, it treats a
- parsed value of zero as an error.
-
- Under certain circumstances, errno is non-zero already before calling
- strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
- an incorrect error checking, and it is treated as error.
-
- Initialize errno to zero before calling strtoul() to avoid such false error
- detection.
-
- Signed-off-by: Ingo Franzki
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index 6e11cb41..38665bbd 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
- {
- char *endptr;
-
-+ errno = 0;
- *arg->value.number = strtoul(val, &endptr, 0);
-
- if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||
diff --git a/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch b/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
deleted file mode 100644
index 7c74f79..0000000
--- a/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-commit 4ff774568e334a719fc8de16fe2309e2070f0da8
-Author: Ingo Franzki
-Date: Mon May 22 11:40:01 2023 +0200
-
- p11sak: Fix user confirmation prompt behavior when stdin is closed
-
- Treat any error during user confirmation prompt as 'cancel' and skip all
- operations.
-
- One can for example close stdin during a user prompt via CTRL+D. This was
- erroneously treated as positive confirmation and therefore caused the
- operation to be performed on the current key object and all further objects
- matching the filter as well, instead of canceling the operation entirely.
-
- Signed-off-by: Ingo Franzki
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index d75d8343..5b54b538 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
- data->num_skipped++;
- return CKR_OK;
- case 'c':
-+ case '\0':
- data->skip_all = true;
- data->num_skipped++;
- return CKR_OK;
-@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
- data->num_skipped++;
- return CKR_OK;
- case 'c':
-+ case '\0':
- data->skip_all = true;
- data->num_skipped++;
- return CKR_OK;
-@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
- data->num_skipped++;
- return CKR_OK;
- case 'c':
-+ case '\0':
- data->skip_all = true;
- data->num_skipped++;
- return CKR_OK;
-@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
- data->num_skipped++;
- return CKR_OK;
- case 'c':
-+ case '\0':
- data->skip_all = true;
- data->num_skipped++;
- return CKR_OK;
diff --git a/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch b/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
deleted file mode 100644
index ec74c5f..0000000
--- a/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
-Author: Ingo Franzki
-Date: Mon Jul 10 10:19:13 2023 +0200
-
- p11sak: Fix listing of key objects when other object types are present
-
- A command like 'p11sak list-key all --slot N ...' fails with
-
- p11sak: Attribute CKA_KEY_TYPE is not available in key object
- p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
- p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
-
- when the object repository contains other, non-key objects, e.g. certificates.
-
- When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
- with C_FindObjects(), and thus other non-key objects also match the filter.
- When a specific key type is specified, then only such objects match that
- have the desired CKA_KEY_TYPE attribute value.
-
- Fix this by checking the object class in get_key_infos() and skip the object,
- if it is not a key object.
-
- Signed-off-by: Ingo Franzki
-
-diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
-index a6213720..6e11cb41 100644
---- a/usr/sbin/p11sak/p11sak.c
-+++ b/usr/sbin/p11sak/p11sak.c
-@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
- }
- }
-
-+ switch (class_val) {
-+ case CKO_PUBLIC_KEY:
-+ case CKO_PRIVATE_KEY:
-+ case CKO_SECRET_KEY:
-+ break;
-+ default:
-+ free(attrs[0].pValue);
-+ return CKR_KEY_NEEDED;
-+ }
-+
- for (i = 0; i < num_attrs; i++) {
- if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
- warnx("Attribute %s is not available in key object",
-@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
- if (manual_filtering) {
- rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
- NULL, NULL);
-+ if (rc == CKR_KEY_NEEDED) {
-+ rc = CKR_OK;
-+ goto next;
-+ }
- if (rc != CKR_OK)
- break;
-
-@@ -3672,6 +3686,10 @@ done_find:
- for (i = 0; i < num_matched_keys; i++) {
- rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
- &label, &typestr, &type);
-+ if (rc == CKR_KEY_NEEDED) {
-+ rc = CKR_OK;
-+ goto next2;
-+ }
- if (rc != CKR_OK)
- break;
-
-@@ -3680,6 +3698,7 @@ done_find:
- if (rc != CKR_OK)
- break;
-
-+next2:
- if (label != NULL)
- free(label);
- label = NULL;
-@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
- *result = 0;
-
- rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
-+ if (rc == CKR_KEY_NEEDED) {
-+ rc = CKR_OK;
-+ *result = 1; /* non-key objects are always greater than key objects */
-+ goto done;
-+ }
- if (rc != CKR_OK)
- goto done;
-
- rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
-+ if (rc == CKR_KEY_NEEDED) {
-+ rc = CKR_OK;
-+ *result = -1; /* key objects are always smaller than non-key objects */
-+ goto done;
-+ }
- if (rc != CKR_OK)
- goto done;
-
-
diff --git a/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch b/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
deleted file mode 100644
index 0bf6df4..0000000
--- a/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
-Author: Ingo Franzki
-Date: Mon May 22 13:31:21 2023 +0200
-
- pkcsstats: Fix handling of user name
-
- The struct passwd returned by getpwuid() is a pointer to a static area, that
- may get overwritten by subsequent calls to getpwuid() or similar.
- Actually, C_Initialize() itself is using getpwuid() internally, and thus will
- interfere with the getpwuid() usage in pkcsstats.
-
- Make a copy of the returned user name before calling C_Initialize() in
- init_ock() to ensure to work with the desired user name, and not with anything
- left over from previous calls.
-
- Signed-off-by: Ingo Franzki
-
-diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
-index c2444cf5..a842a295 100644
---- a/usr/sbin/pkcsstats/pkcsstats.c
-+++ b/usr/sbin/pkcsstats/pkcsstats.c
-@@ -783,6 +783,7 @@ int main(int argc, char **argv)
- int opt = 0;
- struct passwd *pswd = NULL;
- int user_id = -1;
-+ char *user_name = NULL;
- bool summary = false, all_users = false, all_mechs = false;
- bool reset = false, reset_all = false;
- bool delete = false, delete_all = false;
-@@ -903,19 +904,27 @@ int main(int argc, char **argv)
- }
- }
-
-+ user_name = strdup(pswd->pw_name);
-+ if (user_name == NULL) {
-+ warnx("Failed to get current user name");
-+ exit(EXIT_FAILURE);
-+ }
-+
- if (delete) {
- if (slot_id_specified) {
- warnx("Options -s/--slot and -d/--delete can not be specified together");
-+ free(user_name);
- exit(EXIT_FAILURE);
- }
-
-- rc = delete_shm(user_id, pswd->pw_name);
-+ rc = delete_shm(user_id, user_name);
- goto done;
- }
-
- if (delete_all) {
- if (slot_id_specified) {
- warnx("Options -s/--slot and -D/--delete-all can not be specified together");
-+ free(user_name);
- exit(EXIT_FAILURE);
- }
-
-@@ -932,7 +941,7 @@ int main(int argc, char **argv)
- goto done;
-
- if (reset) {
-- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
-+ rc = reset_shm(user_id, user_name, num_slots, slots,
- slot_id_specified, slot_id);
- goto done;
- }
-@@ -968,7 +977,7 @@ int main(int argc, char **argv)
- rc = display_summary(&dd);
- goto done;
- } else {
-- rc = display_stats(user_id, pswd->pw_name, &dd);
-+ rc = display_stats(user_id, user_name, &dd);
- goto done;
- }
-
-@@ -984,5 +993,7 @@ done:
- dlclose(dll);
- }
-
-+ free(user_name);
-+
- return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
- }
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 1f2b0ac..705ae85 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.21.0
-Release: 8%{?dist}
+Version: 3.22.0
+Release: 1%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -11,14 +11,6 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
 Patch2: opencryptoki-3.21.0-p11sak.patch
 
 # upstream patches
-# pkcsstats: Fix handling of user name
-Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
-# p11sak: Fix user confirmation prompt behavior when stdin is closed
-Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
-# p11sak fails as soon as there reside non-key objects
-Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
-# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
-Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
 
 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@@ -353,6 +345,10 @@ fi
 
 %changelog
 
+* Tue Nov 21 2023 Than Ngo - 3.22.0-1
+- Resolves: RHEL-11412, rebase to 3.22.0
+- Resolves: RHEL-10569, openCryptoki for PKCS #11 3.0
+
 * Fri Jul 14 2023 Than Ngo - 3.21.0-8
 - Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
 - Resolves: #2222596, p11sak fails as soon as there reside non-key objects
diff --git a/sources b/sources
index 44afc26..97307d3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (opencryptoki-3.21.0.tar.gz) = a1843a395770d7b93df46e26a87779f636cf490b300be8f0af97643ffde01460199aa7634e11708cd2353ef534d8df0cfe6e408229c6b4869446aa6886f4e740
+SHA512 (opencryptoki-3.22.0.tar.gz) = 404b32b19ef70c3e971bf6dd918fa5fa23701eff591282330085b53491597a2fb5928f800110a28dbc8a22744e00477dadadedf5cea5503984078cad38c46b25
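Review bot: Patch100 through Patch103 are dropped from the `# upstream patches` block without the commit message or the new `%changelog` entry recording why; presumably they are contained in the 3.22.0 tarball, but nothing in the hunk states that, so the next rebase has to rediscover it. One bullet in the new changelog entry, e.g. `- drop upstream patches 2ba0f41e, 4ff77456, 92999f34, f4166214 which are included in 3.22.0`, would keep that traceable. The downstream `Patch2: opencryptoki-3.21.0-p11sak.patch` is carried forward as context under the new version, so whether it was re-verified against 3.22.0 is not visible from this hunk.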