import opencryptoki-3.15.1-7.el8_4

2021-09-21 03:15:21 -04:00 · 2021-09-21 03:15:21 -04:00 · 6d7053f9c8
parent c18ba52ac6
commit 6d7053f9c8
5 changed files with 272 additions and 1 deletions
--- a/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
+++ b/SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
@ -0,0 +1,28 @@
+commit 5824364d995e5d2418f885ee57e377e11d1b3302
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Wed Jul 7 13:44:46 2021 +0200
+
+    pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
+    
+    When modifying opencryptoki.conf during token migration, put quotes
+    around strings that contain spaces, e.g. for the slot description and
+    manufacturer.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 94fd1196..3df1596e 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
+ {
+ 	struct parseupdate *u = (struct parseupdate *)private;
+ 
+-    if (tok != KW_TOKVERSION)
+    if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+        strchr(val, ' ') != NULL)
+        fprintf(u->f, "  %s = \"%s\"", keyword_token_to_str(tok), val);
+    else if (tok != KW_TOKVERSION)
+         fprintf(u->f, "  %s = %s", keyword_token_to_str(tok), val);
+     return 0;
+ }
--- a/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
+++ b/SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
@ -0,0 +1,104 @@
+commit d2f137cce5e6efb123842509352c7c49f889c67f
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Thu Jul 22 15:55:02 2021 +0200
+
+    pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
+    
+    Due to the way the parser works, a slot description like
+    'description = "slot"' works, but not without quotes ('description = slot').
+    The word 'slot' is treated as a keyword if not quoted (besides other keywords,
+    too), so if the word 'slot' would appear in an unquoted string, the
+    configuration file would fail to parse.
+    
+    Always quote the value of 'description' and 'manufacturer'. Quote the
+    value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
+    never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index a29dc8f7..853986e8 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2060,7 +2060,7 @@ done:
+  */
+ static int parseupdate_ockversion(void *private, const char *version)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     fprintf(u->f, "version %s", version);
+     return 0;
+@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
+ 
+ static void parseupdate_eol(void *private)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     fputc('\n', u->f);
+ }
+ 
+ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     u->activeslot = (slot == u->slotnum);
+     if (nl_before_begin)
+@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
+ 
+ static int parseupdate_end_slot(void *private)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     if (u->activeslot)
+         fprintf(u->f, "  tokversion = 3.12\n");
+@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
+ 
+ static int parseupdate_key_str(void *private, int tok, const char *val)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+-    if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+-        strchr(val, ' ') != NULL)
+    switch (tok) {
+    case KW_SLOTDESC:
+    case KW_MANUFID:
+         fprintf(u->f, "  %s = \"%s\"", keyword_token_to_str(tok), val);
+-    else if (tok != KW_TOKVERSION)
+        break;
+    case KW_STDLL:
+    case KW_CONFNAME:
+    case KW_TOKNAME:
+        if (strchr(val, ' ') != NULL)
+            fprintf(u->f, "  %s = \"%s\"", keyword_token_to_str(tok), val);
+        else
+            fprintf(u->f, "  %s = %s", keyword_token_to_str(tok), val);
+        break;
+    case KW_HWVERSION:
+    case KW_FWVERSION:
+         fprintf(u->f, "  %s = %s", keyword_token_to_str(tok), val);
+        break;
+	}
+     return 0;
+ }
+ 
+ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     if (tok == KW_TOKVERSION && !u->activeslot)
+         fprintf(u->f, "  %s = %d.%d", keyword_token_to_str(tok),
+@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+ 
+ static void parseupdate_eolcomment(void *private, const char *comment)
+ {
+-	struct parseupdate *u = (struct parseupdate *)private;
+    struct parseupdate *u = (struct parseupdate *)private;
+ 
+     fprintf(u->f, "#%s", comment);
+ }
--- a/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
+++ b/SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
@ -0,0 +1,25 @@
+commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Thu Jul 8 15:18:30 2021 +0200
+
+    pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
+    
+    When migrating a slot the opencryptoki.conf file is modified. If it
+    contains slots that already contain the 'tokversion = x.y' keyword,
+    this is accidentally removed when migrating another slot.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 3df1596e..05081aff 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
+ {
+ 	struct parseupdate *u = (struct parseupdate *)private;
+ 
+-    if (tok != KW_TOKVERSION)
+    if (tok == KW_TOKVERSION && !u->activeslot)
+         fprintf(u->f, "  %s = %d.%d", keyword_token_to_str(tok),
+                 vers >> 16, vers & 0xffu);
+     return 0;
--- a/SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
+++ b/SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
@ -0,0 +1,106 @@
+commit 5951869263b556280da53498270cf4826f779c5b
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue Jul 13 09:05:22 2021 +0200
+
+    pkcstok_migrate: Fix detection if pkcsslotd is still running
+    
+    Change the code to use the pid file that pkcsslotd creates, and check
+    if the process with the pid contained in the pid file still exists and
+    runs pkcsslotd.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+index 05081aff..a29dc8f7 100644
+--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
+  */
+ static CK_BBOOL pkcsslotd_running(void)
+ {
+-    DIR *dir;
+     FILE *fp;
+-    struct dirent* ent;
+     char* endptr;
+-    char buf[PATH_MAX];
+    long lpid;
+     char fname[PATH_MAX];
+    char buf[PATH_MAX];
+    char* first;
+ 
+     TRACE_INFO("Checking if pkcsslotd is running ...\n");
+-    if (!(dir = opendir("/proc"))) {
+-        TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
+-        return CK_TRUE;
+
+    fp = fopen(PID_FILE_PATH, "r");
+    if (fp == NULL) {
+        TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
+                   PID_FILE_PATH);
+        return CK_FALSE;
+     }
+ 
+-    while ((ent = readdir(dir)) != NULL) {
+-        /* if endptr is not a null character, the directory is not
+-         * entirely numeric, so ignore it */
+-        long lpid = strtol(ent->d_name, &endptr, 10);
+-        if (*endptr != '\0') {
+-            continue;
+-        }
+    if (fgets(buf, sizeof(buf), fp) == NULL) {
+        TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
+                   strerror(errno));
+        fclose(fp);
+        return CK_FALSE;
+    }
+    fclose(fp);
+ 
+-        /* try to open the cmdline file */
+-        snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
+-        fp = fopen(fname, "r");
+-        if (!fp) {
+-            warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
+-            return CK_TRUE;
+-        }
+    lpid = strtol(buf, &endptr, 10);
+    if (*endptr != '\0' && *endptr != '\n') {
+        TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
+                           buf);
+        return CK_FALSE;
+    }
+ 
+-        /* check the first token in the file: the program pathname */
+-        if (fgets(buf, sizeof(buf), fp) != NULL) {
+-            char* first = strtok(buf, " ");
+-            if (!first) {
+-                TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
+-                           fname);
+-                return CK_TRUE;
+-            }
+-            if (strstr(first, "pkcsslotd") != NULL) {
+-                fclose(fp);
+-                closedir(dir);
+-                return CK_TRUE;
+-            }
+-        }
+    snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
+    fp = fopen(fname, "r");
+    if (fp == NULL) {
+        TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
+        return CK_FALSE;
+    }
+
+    if (fgets(buf, sizeof(buf), fp) == NULL) {
+        TRACE_INFO("Failed to read '%s'\n", fname);
+         fclose(fp);
+        return CK_FALSE;
+     }
+    fclose(fp);
+ 
+-    closedir(dir);
+-    return CK_FALSE;
+    first = strtok(buf, " ");
+    return (first != NULL && strstr(first, "pkcsslotd") != NULL);
+ }
+ 
+ /**
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
 Version:		3.15.1
-Release:		6%{?dist}
+Release:		7%{?dist}
 License:		CPL
 Group:			System Environment/Base
 URL:			https://github.com/opencryptoki/opencryptoki
@ -21,6 +21,11 @@ Patch4:			opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
 # https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
 Patch5:			opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
 Patch6:			opencryptoki-3.15.1-soft_token_does_not_check_if_an_EC_key_is_valid.patch
+Patch7:			opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
+Patch8:			opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
+Patch9:			opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
+Patch10:			opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
+
 Requires(pre):		coreutils
 BuildRequires:		gcc
 BuildRequires:		openssl-devel
@ -346,6 +351,9 @@ fi


 %changelog
+* Fri Aug 20 2021 Than Ngo <than@redhat.com> - 3.15.1-7
+- Resolves: #1995919, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
+
 * Thu Jul 08 2021 Than Ngo <than@redhat.com> - 3.15.1-6
 - Resolves: #1979173, Soft token does not check if an EC key is valid