Resolves: RHEL-11412, rebase to 3.22.0

Resolves: RHEL-10569, openCryptoki for PKCS #11 3.0
This commit is contained in:
Than Ngo 2023-11-21 20:05:54 +01:00 committed by than
parent be77334b0e
commit 5229a62455
7 changed files with 8 additions and 277 deletions

1
.gitignore vendored
View File

@ -32,3 +32,4 @@ opencryptoki-2.3.1.tar.gz
/opencryptoki-3.18.0.tar.gz
/opencryptoki-3.19.0.tar.gz
/opencryptoki-3.21.0.tar.gz
/opencryptoki-3.22.0.tar.gz

View File

@ -1,34 +0,0 @@
commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 10 13:22:48 2023 +0200
p11sak: Fix parsing of slot number 0
Running command 'p11sak list-key aes --slot 0' may result in
'p11sak: Invalid argument '0' for option '-s/--slot''
This is because of the error checking after strtoul() within function
process_number_argument(). In case errno is not zero, it treats a
parsed value of zero as an error.
Under certain circumstances, errno is non-zero already before calling
strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
an incorrect error checking, and it is treated as error.
Initialize errno to zero before calling strtoul() to avoid such false error
detection.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 6e11cb41..38665bbd 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
{
char *endptr;
+ errno = 0;
*arg->value.number = strtoul(val, &endptr, 0);
if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||

View File

@ -1,52 +0,0 @@
commit 4ff774568e334a719fc8de16fe2309e2070f0da8
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 11:40:01 2023 +0200
p11sak: Fix user confirmation prompt behavior when stdin is closed
Treat any error during user confirmation prompt as 'cancel' and skip all
operations.
One can for example close stdin during a user prompt via CTRL+D. This was
erroneously treated as positive confirmation and therefore caused the
operation to be performed on the current key object and all further objects
matching the filter as well, instead of canceling the operation entirely.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d75d8343..5b54b538 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;

View File

@ -1,96 +0,0 @@
commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 10 10:19:13 2023 +0200
p11sak: Fix listing of key objects when other object types are present
A command like 'p11sak list-key all --slot N ...' fails with
p11sak: Attribute CKA_KEY_TYPE is not available in key object
p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
when the object repository contains other, non-key objects, e.g. certificates.
When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
with C_FindObjects(), and thus other non-key objects also match the filter.
When a specific key type is specified, then only such objects match that
have the desired CKA_KEY_TYPE attribute value.
Fix this by checking the object class in get_key_infos() and skip the object,
if it is not a key object.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index a6213720..6e11cb41 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
}
}
+ switch (class_val) {
+ case CKO_PUBLIC_KEY:
+ case CKO_PRIVATE_KEY:
+ case CKO_SECRET_KEY:
+ break;
+ default:
+ free(attrs[0].pValue);
+ return CKR_KEY_NEEDED;
+ }
+
for (i = 0; i < num_attrs; i++) {
if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
warnx("Attribute %s is not available in key object",
@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
if (manual_filtering) {
rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ goto next;
+ }
if (rc != CKR_OK)
break;
@@ -3672,6 +3686,10 @@ done_find:
for (i = 0; i < num_matched_keys; i++) {
rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
&label, &typestr, &type);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ goto next2;
+ }
if (rc != CKR_OK)
break;
@@ -3680,6 +3698,7 @@ done_find:
if (rc != CKR_OK)
break;
+next2:
if (label != NULL)
free(label);
label = NULL;
@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
*result = 0;
rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ *result = 1; /* non-key objects are always greater than key objects */
+ goto done;
+ }
if (rc != CKR_OK)
goto done;
rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ *result = -1; /* key objects are always smaller than non-key objects */
+ goto done;
+ }
if (rc != CKR_OK)
goto done;

View File

@ -1,84 +0,0 @@
commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 13:31:21 2023 +0200
pkcsstats: Fix handling of user name
The struct passwd returned by getpwuid() is a pointer to a static area, that
may get overwritten by subsequent calls to getpwuid() or similar.
Actually, C_Initialize() itself is using getpwuid() internally, and thus will
interfere with the getpwuid() usage in pkcsstats.
Make a copy of the returned user name before calling C_Initialize() in
init_ock() to ensure to work with the desired user name, and not with anything
left over from previous calls.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
index c2444cf5..a842a295 100644
--- a/usr/sbin/pkcsstats/pkcsstats.c
+++ b/usr/sbin/pkcsstats/pkcsstats.c
@@ -783,6 +783,7 @@ int main(int argc, char **argv)
int opt = 0;
struct passwd *pswd = NULL;
int user_id = -1;
+ char *user_name = NULL;
bool summary = false, all_users = false, all_mechs = false;
bool reset = false, reset_all = false;
bool delete = false, delete_all = false;
@@ -903,19 +904,27 @@ int main(int argc, char **argv)
}
}
+ user_name = strdup(pswd->pw_name);
+ if (user_name == NULL) {
+ warnx("Failed to get current user name");
+ exit(EXIT_FAILURE);
+ }
+
if (delete) {
if (slot_id_specified) {
warnx("Options -s/--slot and -d/--delete can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
- rc = delete_shm(user_id, pswd->pw_name);
+ rc = delete_shm(user_id, user_name);
goto done;
}
if (delete_all) {
if (slot_id_specified) {
warnx("Options -s/--slot and -D/--delete-all can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
@@ -932,7 +941,7 @@ int main(int argc, char **argv)
goto done;
if (reset) {
- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
+ rc = reset_shm(user_id, user_name, num_slots, slots,
slot_id_specified, slot_id);
goto done;
}
@@ -968,7 +977,7 @@ int main(int argc, char **argv)
rc = display_summary(&dd);
goto done;
} else {
- rc = display_stats(user_id, pswd->pw_name, &dd);
+ rc = display_stats(user_id, user_name, &dd);
goto done;
}
@@ -984,5 +993,7 @@ done:
dlclose(dll);
}
+ free(user_name);
+
return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

View File

@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.21.0
Release: 8%{?dist}
Version: 3.22.0
Release: 1%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -11,14 +11,6 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
Patch2: opencryptoki-3.21.0-p11sak.patch
# upstream patches
# pkcsstats: Fix handling of user name
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
# p11sak: Fix user confirmation prompt behavior when stdin is closed
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
# p11sak fails as soon as there reside non-key objects
Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
Requires(pre): coreutils diffutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@ -353,6 +345,10 @@ fi
%changelog
* Tue Nov 21 2023 Than Ngo <than@redhat.com> - 3.22.0-1
- Resolves: RHEL-11412, rebase to 3.22.0
- Resolves: RHEL-10569, openCryptoki for PKCS #11 3.0
* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-8
- Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
- Resolves: #2222596, p11sak fails as soon as there reside non-key objects

View File

@ -1 +1 @@
SHA512 (opencryptoki-3.21.0.tar.gz) = a1843a395770d7b93df46e26a87779f636cf490b300be8f0af97643ffde01460199aa7634e11708cd2353ef534d8df0cfe6e408229c6b4869446aa6886f4e740
SHA512 (opencryptoki-3.22.0.tar.gz) = 404b32b19ef70c3e971bf6dd918fa5fa23701eff591282330085b53491597a2fb5928f800110a28dbc8a22744e00477dadadedf5cea5503984078cad38c46b25