Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes

Than Ngo 2021-08-19 18:27:24 +02:00
parent 24c95b2c9c
commit 7c21ce0d0a
4 changed files with 164 additions and 1 deletions


@ -0,0 +1,28 @@
commit 5824364d995e5d2418f885ee57e377e11d1b3302
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 7 13:44:46 2021 +0200
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 94fd1196..3df1596e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+ strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else if (tok != KW_TOKVERSION)
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
return 0;
}
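Review bot: The added quoted branch writes `val` between double quotes verbatim, so a value that itself contains `"` or a newline would produce a line the parser reads differently from the original setting. The same `fprintf(u->f, " %s = \"%s\"", ...)` recurs under `KW_SLOTDESC`/`KW_MANUFID` and `KW_STDLL`/`KW_CONFNAME`/`KW_TOKNAME` in the follow-up rework patch. Whether the lexer can ever pass such a value to this callback is not visible here, so either reject it, e.g. `if (strchr(val, '"') != NULL) return -1;` (assuming a non-zero return aborts the update), or add a comment stating that the lexer guarantees it. The result of `fprintf()` is also ignored, so a failed write to the rewritten opencryptoki.conf still returns 0.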


@ -0,0 +1,104 @@
commit d2f137cce5e6efb123842509352c7c49f889c67f
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 22 15:55:02 2021 +0200
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
Due to the way the parser works, a slot description like
'description = "slot"' works, but not without quotes ('description = slot').
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
too), so if the word 'slot' would appear in an unquoted string, the
configuration file would fail to parse.
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index a29dc8f7..853986e8 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2060,7 +2060,7 @@ done:
*/
static int parseupdate_ockversion(void *private, const char *version)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "version %s", version);
return 0;
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
static void parseupdate_eol(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fputc('\n', u->f);
}
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
u->activeslot = (slot == u->slotnum);
if (nl_before_begin)
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
static int parseupdate_end_slot(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (u->activeslot)
fprintf(u->f, " tokversion = 3.12\n");
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
static int parseupdate_key_str(void *private, int tok, const char *val)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
- strchr(val, ' ') != NULL)
+ switch (tok) {
+ case KW_SLOTDESC:
+ case KW_MANUFID:
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
- else if (tok != KW_TOKVERSION)
+ break;
+ case KW_STDLL:
+ case KW_CONFNAME:
+ case KW_TOKNAME:
+ if (strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ case KW_HWVERSION:
+ case KW_FWVERSION:
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ }
return 0;
}
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
static void parseupdate_eolcomment(void *private, const char *comment)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "#%s", comment);
}
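Review bot: The new `switch (tok)` in parseupdate_key_str has no `default:` branch, so any string keyword other than the seven listed is dropped from the rewritten opencryptoki.conf without a diagnostic. The replaced `else if (tok != KW_TOKVERSION)` wrote every other token through unquoted. If the parser can deliver another string token to this callback (not visible in the hunk), the migrated file silently loses that setting. Keeping the old behaviour explicit would be `case KW_TOKVERSION: break;` plus `default: fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); break;`, with a short comment on why tokversion is skipped. The remaining hunks in this patch only change whitespace.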


@ -0,0 +1,25 @@
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 8 15:18:30 2021 +0200
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 3df1596e..05081aff 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
vers >> 16, vers & 0xffu);
return 0;
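Review bot: The new condition `tok == KW_TOKVERSION && !u->activeslot` needs a comment explaining why the active slot is skipped, because the reason lives in another function: parseupdate_end_slot writes `tokversion = 3.12` for the active slot, so echoing the old value here would presumably duplicate the key. A line such as `/* active slot: tokversion is written by parseupdate_end_slot() */` above the `if` would do. The test also flips from `!=` to `==`, so any other version-type token reaching this callback is now dropped rather than written; whether such a token exists is not visible from the hunk. The `%d` conversions receive `unsigned int` expressions, which `%u` would match. The function body ends outside the hunk.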


@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.16.0
Release: 9%{?dist}
Release: 10%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -32,6 +32,9 @@ Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
@ -339,6 +342,9 @@ fi
%changelog
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688