From 613713aa8614e02448853b69bc05835ec6de2298 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 16 Mar 2022 13:54:28 +0100 Subject: [PATCH] Related: #2015888, ICA/EP11: Support libica version 4 --- ...00b492f7a40ed5dfcd85e042701b6a5c5a26.patch | 88 +++++++++++++++++++ opencryptoki.spec | 6 +- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 opencryptoki-3.17-libica4-8e9800b492f7a40ed5dfcd85e042701b6a5c5a26.patch diff --git a/opencryptoki-3.17-libica4-8e9800b492f7a40ed5dfcd85e042701b6a5c5a26.patch b/opencryptoki-3.17-libica4-8e9800b492f7a40ed5dfcd85e042701b6a5c5a26.patch new file mode 100644 index 0000000..540ac76 --- /dev/null +++ b/opencryptoki-3.17-libica4-8e9800b492f7a40ed5dfcd85e042701b6a5c5a26.patch @@ -0,0 +1,88 @@ +commit 8e9800b492f7a40ed5dfcd85e042701b6a5c5a26 +Author: Ingo Franzki +Date: Tue Dec 7 16:39:28 2021 +0100 + + ICA/EP11: Support libica version 4 + + Try to load libica version 4 (libica.so.4), but fall back to version 3 + (libica.so.3) if version 4 is not available. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 4029e5a5..f223017d 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -68,7 +68,8 @@ + #define EP11SHAREDLIB_V2 "libep11.so.2" + #define EP11SHAREDLIB_V1 "libep11.so.1" + #define EP11SHAREDLIB "libep11.so" +-#define ICASHAREDLIB "libica.so.3" ++#define ICASHAREDLIB_V4 "libica.so.4" ++#define ICASHAREDLIB_V3 "libica.so.3" + + CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, + CK_MECHANISM_TYPE_PTR mlist, +@@ -2044,9 +2045,9 @@ static CK_RV make_wrapblob(STDLL_TokData_t * tokdata, CK_ATTRIBUTE * tmpl_in, + } + + #ifdef EP11_HSMSIM +-#define DLOPEN_FLAGS RTLD_GLOBAL | RTLD_NOW | RTLD_DEEPBIND ++#define DLOPEN_FLAGS RTLD_NOW | RTLD_DEEPBIND + #else +-#define DLOPEN_FLAGS RTLD_GLOBAL | RTLD_NOW ++#define DLOPEN_FLAGS RTLD_NOW + #endif + + static void *ep11_load_host_lib() +@@ -2209,12 +2210,16 @@ static CK_RV ep11tok_load_libica(STDLL_TokData_t *tokdata) + return CKR_OK; + + if (strcmp(ep11_data->digest_libica_path, "") == 0) { +- strcpy(ep11_data->digest_libica_path, ICASHAREDLIB); ++ strcpy(ep11_data->digest_libica_path, ICASHAREDLIB_V4); + default_libica = 1; ++ libica->library = dlopen(ep11_data->digest_libica_path, RTLD_NOW); ++ if (libica->library == NULL) { ++ strcpy(ep11_data->digest_libica_path, ICASHAREDLIB_V3); ++ libica->library = dlopen(ep11_data->digest_libica_path, RTLD_NOW); ++ } ++ } else { ++ libica->library = dlopen(ep11_data->digest_libica_path, RTLD_NOW); + } +- +- libica->library = dlopen(ep11_data->digest_libica_path, +- RTLD_GLOBAL | RTLD_NOW); + if (libica->library == NULL) { + errstr = dlerror(); + OCK_SYSLOG(default_libica ? LOG_WARNING : LOG_ERR, +diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c +index fd18de42..c4fa9654 100644 +--- a/usr/lib/ica_s390_stdll/ica_specific.c ++++ b/usr/lib/ica_s390_stdll/ica_specific.c +@@ -83,7 +83,8 @@ const char label[] = "icatok"; + + static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER; + +-#define LIBICA_SHARED_LIB "libica.so.3" ++#define LIBICA_SHARED_LIB_V3 "libica.so.3" ++#define LIBICA_SHARED_LIB_V4 "libica.so.4" + #define BIND(dso, sym) do { \ + if (p_##sym == NULL) \ + *(void **)(&p_##sym) = dlsym(dso, #sym); \ +@@ -221,9 +222,13 @@ static CK_RV load_libica(void) + void *ibmca_dso = NULL; + + /* Load libica */ +- ibmca_dso = dlopen(LIBICA_SHARED_LIB, RTLD_NOW); ++ ibmca_dso = dlopen(LIBICA_SHARED_LIB_V4, RTLD_NOW); ++ if (ibmca_dso == NULL) ++ ibmca_dso = dlopen(LIBICA_SHARED_LIB_V3, RTLD_NOW); ++ + if (ibmca_dso == NULL) { +- TRACE_ERROR("%s: dlopen(%s) failed\n", __func__, LIBICA_SHARED_LIB); ++ TRACE_ERROR("%s: dlopen(%s or %s) failed: %s\n", __func__, ++ LIBICA_SHARED_LIB_V4, LIBICA_SHARED_LIB_V3, dlerror()); + return CKR_FUNCTION_FAILED; + } + diff --git a/opencryptoki.spec b/opencryptoki.spec index 3747f3f..b38b4c9 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Version: 3.17.0 -Release: 4%{?dist} +Release: 5%{?dist} License: CPL URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -15,6 +15,7 @@ Patch2: opencryptoki-3.17.0-p11sak.patch # PIDfile below legacy directory /var/run/ Patch300: opencryptoki-pkcsslotd-pidfile.patch Patch301: opencryptoki-3.17.0-unlock-globmutex-if-user-and-group-check-fail.patch +Patch302: opencryptoki-3.17-libica4-8e9800b492f7a40ed5dfcd85e042701b6a5c5a26.patch Requires(pre): coreutils Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted) @@ -319,6 +320,9 @@ fi %changelog +* Mon Mar 14 2022 Than Ngo - 3.17.0-5 +- Related: #2015888, ICA/EP11: Support libica version 4 + * Mon Jan 17 2022 Than Ngo - 3.17.0-4 - Resolves: #2040678, API: Unlock GlobMutex if user and group check fails