From b43456fda0bf52db12a880a4ac40377cb7007c0e Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Fri, 3 Sep 2021 15:28:58 +0200 Subject: [PATCH] - Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes - Resolves: #1974365, Fix detection if pkcsslotd is still running --- ...364d995e5d2418f885ee57e377e11d1b3302.patch | 28 +++++ ...37cce5e6efb123842509352c7c49f889c67f.patch | 104 +++++++++++++++++ ...9de3128df1c4b89bd4c7312c15bb3eb34593.patch | 25 +++++ ...ection_if_pkcsslotd_is_still_running.patch | 106 ++++++++++++++++++ opencryptoki.spec | 10 +- 5 files changed, 272 insertions(+), 1 deletion(-) create mode 100644 opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch create mode 100644 opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch create mode 100644 opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch create mode 100644 opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch diff --git a/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch b/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch new file mode 100644 index 0000000..c38fef0 --- /dev/null +++ b/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch @@ -0,0 +1,28 @@ +commit 5824364d995e5d2418f885ee57e377e11d1b3302 +Author: Ingo Franzki +Date: Wed Jul 7 13:44:46 2021 +0200 + + pkcstok_migrate: Quote strings with spaces in opencryptoki.conf + + When modifying opencryptoki.conf during token migration, put quotes + around strings that contain spaces, e.g. for the slot description and + manufacturer. + + 
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 94fd1196..3df1596e 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val) + { + struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_TOKVERSION) ++ if (tok != KW_HWVERSION && tok != KW_FWVERSION && ++ strchr(val, ' ') != NULL) ++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); ++ else if (tok != KW_TOKVERSION) + fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); + return 0; + } diff --git a/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch b/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch new file mode 100644 index 0000000..8f1477c --- /dev/null +++ b/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch @@ -0,0 +1,104 @@ +commit d2f137cce5e6efb123842509352c7c49f889c67f +Author: Ingo Franzki +Date: Thu Jul 22 15:55:02 2021 +0200 + + pkcstok_migrate: Rework string quoting for opencryptoki.conf migration + + Due to the way the parser works, a slot description like + 'description = "slot"' works, but not without quotes ('description = slot'). + The word 'slot' is treated as a keyword if not quoted (besides other keywords, + too), so if the word 'slot' would appear in an unquoted string, the + configuration file would fail to parse. + + Always quote the value of 'description' and 'manufacturer'. Quote the + value of 'stdll', 'confname', and 'tokname' if it contains spaces, and + never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'. + + 
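Review bot: The added quoting in parseupdate_key_str writes `val` between double quotes verbatim, so a slot description or manufacturer that itself contains a `"` (or a backslash, if the parser treats one as an escape) produces a line the opencryptoki.conf parser may not read back; the reworked `switch` in the d2f137 patch's `-2105,19 +2105,32` hunk, also added by this commit, has the same gap. If the config grammar has no escape syntax for quotes, the migration should at least detect such values and warn instead of emitting an unparsable file, e.g. `if (strchr(val, '"') != NULL) TRACE_WARN("value of %s contains a double quote\n", keyword_token_to_str(tok));` ahead of the fprintf. Note that this 5824364 form of the condition is entirely replaced by the d2f137 patch in the same commit, so only the switch form ends up in the built package.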
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index a29dc8f7..853986e8 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2060,7 +2060,7 @@ done: + */ + static int parseupdate_ockversion(void *private, const char *version) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fprintf(u->f, "version %s", version); + return 0; +@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private) + + static void parseupdate_eol(void *private) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fputc('\n', u->f); + } + + static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + u->activeslot = (slot == u->slotnum); + if (nl_before_begin) +@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin) + + static int parseupdate_end_slot(void *private) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + if (u->activeslot) + fprintf(u->f, " tokversion = 3.12\n"); +@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private) + + static int parseupdate_key_str(void *private, int tok, const char *val) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_HWVERSION && tok != KW_FWVERSION && +- strchr(val, ' ') != NULL) ++ switch (tok) { ++ case KW_SLOTDESC: ++ case KW_MANUFID: + fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); +- else if (tok != KW_TOKVERSION) ++ break; ++ case KW_STDLL: ++ case KW_CONFNAME: ++ case 
KW_TOKNAME: ++ if (strchr(val, ' ') != NULL) ++ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val); ++ else ++ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); ++ break; ++ case KW_HWVERSION: ++ case KW_FWVERSION: + fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val); ++ break; ++ } + return 0; + } + + static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + if (tok == KW_TOKVERSION && !u->activeslot) + fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok), +@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + + static void parseupdate_eolcomment(void *private, const char *comment) + { +- struct parseupdate *u = (struct parseupdate *)private; ++ struct parseupdate *u = (struct parseupdate *)private; + + fprintf(u->f, "#%s", comment); + } diff --git a/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch b/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch new file mode 100644 index 0000000..a3bf6ea --- /dev/null +++ b/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch @@ -0,0 +1,25 @@ +commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593 +Author: Ingo Franzki +Date: Thu Jul 8 15:18:30 2021 +0200 + + pkcstok_migrate: Don't remove 'tokversion = x.y' during migration + + When migrating a slot the opencryptoki.conf file is modified. If it + contains slots that already contain the 'tokversion = x.y' keyword, + this is accidentally removed when migrating another slot. + + 
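Review bot: The new `switch (tok)` in parseupdate_key_str has no `default:` label, so any keyword the parser hands to this callback other than the seven listed is silently dropped from the rewritten opencryptoki.conf. Dropping KW_TOKVERSION matches the previous `else if (tok != KW_TOKVERSION)` behaviour, but any other string keyword the parser may deliver (now or after a later grammar extension) would vanish from the migrated file without a diagnostic. A `default: TRACE_WARN("Unhandled keyword %s during migration\n", keyword_token_to_str(tok)); break;` arm would make the omission visible in the trace instead of in a broken config.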
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 3df1596e..05081aff 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers) + { + struct parseupdate *u = (struct parseupdate *)private; + +- if (tok != KW_TOKVERSION) ++ if (tok == KW_TOKVERSION && !u->activeslot) + fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok), + vers >> 16, vers & 0xffu); + return 0; diff --git a/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch b/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch new file mode 100644 index 0000000..128ea06 --- /dev/null +++ b/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch @@ -0,0 +1,106 @@ +commit 5951869263b556280da53498270cf4826f779c5b +Author: Ingo Franzki +Date: Tue Jul 13 09:05:22 2021 +0200 + + pkcstok_migrate: Fix detection if pkcsslotd is still running + + Change the code to use the pid file that pkcsslotd creates, and check + if the process with the pid contained in the pid file still exists and + runs pkcsslotd. + + 
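Review bot: The new condition `if (tok == KW_TOKVERSION && !u->activeslot)` in parseupdate_key_vers does more than keep an existing tokversion for slots that are not being migrated: it also stops writing every other token delivered through this callback, which the removed `tok != KW_TOKVERSION` test wrote out. Whether that matters depends on what the parser routes here; if `hwversion`/`firmwareversion` values of the form x.y can reach parseupdate_key_vers rather than parseupdate_key_str, they would now be silently removed from opencryptoki.conf. `if (tok != KW_TOKVERSION || !u->activeslot)` would preserve the previous handling of other tokens while still fixing the tokversion loss the patch targets.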
Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +index 05081aff..a29dc8f7 100644 +--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c ++++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store) + */ + static CK_BBOOL pkcsslotd_running(void) + { +- DIR *dir; + FILE *fp; +- struct dirent* ent; + char* endptr; +- char buf[PATH_MAX]; ++ long lpid; + char fname[PATH_MAX]; ++ char buf[PATH_MAX]; ++ char* first; + + TRACE_INFO("Checking if pkcsslotd is running ...\n"); +- if (!(dir = opendir("/proc"))) { +- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n"); +- return CK_TRUE; ++ ++ fp = fopen(PID_FILE_PATH, "r"); ++ if (fp == NULL) { ++ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n", ++ PID_FILE_PATH); ++ return CK_FALSE; + } + +- while ((ent = readdir(dir)) != NULL) { +- /* if endptr is not a null character, the directory is not +- * entirely numeric, so ignore it */ +- long lpid = strtol(ent->d_name, &endptr, 10); +- if (*endptr != '\0') { +- continue; +- } ++ if (fgets(buf, sizeof(buf), fp) == NULL) { ++ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH, ++ strerror(errno)); ++ fclose(fp); ++ return CK_FALSE; ++ } ++ fclose(fp); + +- /* try to open the cmdline file */ +- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid); +- fp = fopen(fname, "r"); +- if (!fp) { +- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno)); +- return CK_TRUE; +- } ++ lpid = strtol(buf, &endptr, 10); ++ if (*endptr != '\0' && *endptr != '\n') { ++ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH, ++ buf); ++ return CK_FALSE; ++ } + +- /* check the first token in the file: the program pathname */ +- if (fgets(buf, sizeof(buf), fp) != NULL) { +- char* first = strtok(buf, " "); +- if (!first) { +- TRACE_WARN("Cannot read program name from %s, i.e. 
cannot check if pkcsslotd is running.\n", +- fname); +- return CK_TRUE; +- } +- if (strstr(first, "pkcsslotd") != NULL) { +- fclose(fp); +- closedir(dir); +- return CK_TRUE; +- } +- } ++ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid); ++ fp = fopen(fname, "r"); ++ if (fp == NULL) { ++ TRACE_INFO("Stale pid file, pkcsslotd is not running\n"); ++ return CK_FALSE; ++ } ++ ++ if (fgets(buf, sizeof(buf), fp) == NULL) { ++ TRACE_INFO("Failed to read '%s'\n", fname); + fclose(fp); ++ return CK_FALSE; + } ++ fclose(fp); + +- closedir(dir); +- return CK_FALSE; ++ first = strtok(buf, " "); ++ return (first != NULL && strstr(first, "pkcsslotd") != NULL); + } + + /** diff --git a/opencryptoki.spec b/opencryptoki.spec index 94a1de6..c437de6 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.16.0 -Release: 3%{?dist} +Release: 4%{?dist} License: CPL URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -30,6 +30,10 @@ Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch +Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch +Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch +Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch +Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch # PIDfile below legacy directory /var/run/ Patch300: opencryptoki-pkcsslotd-pidfile.patch 
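Review bot: The rewritten pkcsslotd_running() fails open: the `fgets` and `strtol` error paths and a missing `/proc/<pid>/cmdline` now return CK_FALSE, whereas the removed /proc scan returned CK_TRUE whenever it could not determine the answer, so a migration can proceed against a running daemon if the pid file is unreadable or was written somewhere other than PID_FILE_PATH (the spec's Patch300 relocates the pid file, which makes this worth confirming against the packaged daemon). Returning `CK_TRUE` from the read and parse failures keeps the conservative default; treating a missing file as "not running" is reasonable. The `strtol` result is also not validated, so an empty pid file yields lpid 0 and a garbage one can yield a negative value; `if (endptr == buf || lpid <= 0 || (*endptr != '\0' && *endptr != '\n'))` rejects both. Since `/proc/<pid>/cmdline` separates arguments with NUL bytes, `strtok(buf, " ")` yields argv[0] only because the buffer ends at the first NUL; comparing the basename of argv[0] for equality with "pkcsslotd" instead of `strstr` would avoid matching an unrelated process whose name merely contains the string after pid reuse.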
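Review bot: The Patch214–Patch217 numbering does not follow the order the upstream commits were made in: the `index` lines inside the four patch files chain 94fd1196→3df1596e (5824364), 3df1596e→05081aff (e88a9de), 05081aff→a29dc8f7 (pkcsslotd detection) and a29dc8f7→853986e8 (d2f137), so the upstream sequence is 215, 216, 214, 217. Assuming %prep applies patches in numerical order (the %prep section is outside this hunk), this still works because the pkcsslotd_running() hunk at line 2474 does not overlap the parseupdate_* hunks around lines 2060–2140, but renumbering to the upstream sequence, e.g. `Patch214: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch` first, keeps the blob ids in the `index` lines meaningful and avoids fuzz if a later backport touches both regions.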
@@ -340,6 +344,10 @@ fi %changelog +* Fri Sep 03 2021 Than Ngo - 3.16.0-4 +- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes +- Resolves: #1974365, Fix detection if pkcsslotd is still running + * Thu Jul 22 2021 Fedora Release Engineering - 3.16.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild