- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes

- Resolves: #1974365, Fix detection if pkcsslotd is still running
Than Ngo 2021-09-03 15:28:58 +02:00
parent b6ef252c47
commit b43456fda0
5 changed files with 272 additions and 1 deletions


@ -0,0 +1,28 @@
commit 5824364d995e5d2418f885ee57e377e11d1b3302
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 7 13:44:46 2021 +0200
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 94fd1196..3df1596e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+ strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else if (tok != KW_TOKVERSION)
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
return 0;
}
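Review bot: The quoted form on the new fprintf line writes `val` between double quotes without escaping any `"` the value itself may contain, so a description or manufacturer string holding a quote character would produce a line the config parser presumably cannot read back (whether the parser defines an escape sequence at all is not visible here). The same unescaped `\"%s\"` output survives in the d2f137cce5e6 rework further down, for the KW_SLOTDESC/KW_MANUFID branch and for the space-containing KW_STDLL/KW_CONFNAME/KW_TOKNAME branch. Either refuse such values with a TRACE_WARN before writing, or escape them if the parser has a syntax for it; at minimum record the assumption on the quoted branch: `/* assumes val contains no '"' -- nothing is escaped here; confirm against the config parser */`.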


@ -0,0 +1,104 @@
commit d2f137cce5e6efb123842509352c7c49f889c67f
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 22 15:55:02 2021 +0200
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
Due to the way the parser works, a slot description like
'description = "slot"' works, but not without quotes ('description = slot').
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
too), so if the word 'slot' would appear in an unquoted string, the
configuration file would fail to parse.
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index a29dc8f7..853986e8 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2060,7 +2060,7 @@ done:
*/
static int parseupdate_ockversion(void *private, const char *version)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "version %s", version);
return 0;
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
static void parseupdate_eol(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fputc('\n', u->f);
}
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
u->activeslot = (slot == u->slotnum);
if (nl_before_begin)
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
static int parseupdate_end_slot(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (u->activeslot)
fprintf(u->f, " tokversion = 3.12\n");
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
static int parseupdate_key_str(void *private, int tok, const char *val)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
- strchr(val, ' ') != NULL)
+ switch (tok) {
+ case KW_SLOTDESC:
+ case KW_MANUFID:
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
- else if (tok != KW_TOKVERSION)
+ break;
+ case KW_STDLL:
+ case KW_CONFNAME:
+ case KW_TOKNAME:
+ if (strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ case KW_HWVERSION:
+ case KW_FWVERSION:
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ }
return 0;
}
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
static void parseupdate_eolcomment(void *private, const char *comment)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "#%s", comment);
}
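Review bot: The new `switch` in parseupdate_key_str has no `default` case, so any string keyword outside the seven listed (KW_TOKVERSION, which the previous `else if (tok != KW_TOKVERSION)` excluded explicitly, and any keyword the parser gains later) is silently dropped from the migrated opencryptoki.conf with no trace message. The reason tokversion is skipped here — it is emitted by parseupdate_key_vers for the other slots and as the literal `tokversion = 3.12` by parseupdate_end_slot for the migrated slot, both visible in this hunk — is no longer stated anywhere in this function. Add `default: break;` with a comment such as `/* KW_TOKVERSION is written by parseupdate_key_vers / parseupdate_end_slot; anything else is unexpected here */`, and consider a TRACE_WARN in that branch so an unhandled keyword is not lost silently during migration.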


@ -0,0 +1,25 @@
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 8 15:18:30 2021 +0200
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 3df1596e..05081aff 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
vers >> 16, vers & 0xffu);
return 0;
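Review bot: The new condition drops `tokversion` for the slot being migrated and relies on parseupdate_end_slot rewriting it as `tokversion = 3.12` (visible in the d2f137cce5e6 patch on this page), but nothing in this function says so, and read on its own it looks as if the keyword is lost for the active slot. Add a comment above the `if`: `/* the migrated slot's tokversion is rewritten to 3.12 by parseupdate_end_slot; only pass through the other slots' values */`. Pre-existing and adjacent rather than part of this change: `vers` is `unsigned int`, so `vers >> 16` and `vers & 0xffu` are unsigned operands printed with `%d`; `" %s = %u.%u"` is the matching format.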


@ -0,0 +1,106 @@
commit 5951869263b556280da53498270cf4826f779c5b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jul 13 09:05:22 2021 +0200
pkcstok_migrate: Fix detection if pkcsslotd is still running
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 05081aff..a29dc8f7 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
*/
static CK_BBOOL pkcsslotd_running(void)
{
- DIR *dir;
FILE *fp;
- struct dirent* ent;
char* endptr;
- char buf[PATH_MAX];
+ long lpid;
char fname[PATH_MAX];
+ char buf[PATH_MAX];
+ char* first;
TRACE_INFO("Checking if pkcsslotd is running ...\n");
- if (!(dir = opendir("/proc"))) {
- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
- return CK_TRUE;
+
+ fp = fopen(PID_FILE_PATH, "r");
+ if (fp == NULL) {
+ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
+ PID_FILE_PATH);
+ return CK_FALSE;
}
- while ((ent = readdir(dir)) != NULL) {
- /* if endptr is not a null character, the directory is not
- * entirely numeric, so ignore it */
- long lpid = strtol(ent->d_name, &endptr, 10);
- if (*endptr != '\0') {
- continue;
- }
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
+ strerror(errno));
+ fclose(fp);
+ return CK_FALSE;
+ }
+ fclose(fp);
- /* try to open the cmdline file */
- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
- fp = fopen(fname, "r");
- if (!fp) {
- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
- return CK_TRUE;
- }
+ lpid = strtol(buf, &endptr, 10);
+ if (*endptr != '\0' && *endptr != '\n') {
+ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
+ buf);
+ return CK_FALSE;
+ }
- /* check the first token in the file: the program pathname */
- if (fgets(buf, sizeof(buf), fp) != NULL) {
- char* first = strtok(buf, " ");
- if (!first) {
- TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
- fname);
- return CK_TRUE;
- }
- if (strstr(first, "pkcsslotd") != NULL) {
- fclose(fp);
- closedir(dir);
- return CK_TRUE;
- }
- }
+ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
+ fp = fopen(fname, "r");
+ if (fp == NULL) {
+ TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
+ return CK_FALSE;
+ }
+
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ TRACE_INFO("Failed to read '%s'\n", fname);
fclose(fp);
+ return CK_FALSE;
}
+ fclose(fp);
- closedir(dir);
- return CK_FALSE;
+ first = strtok(buf, " ");
+ return (first != NULL && strstr(first, "pkcsslotd") != NULL);
}
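Review bot: The error paths of the new pkcsslotd_running fail open: an unreadable pid file (the first `fgets(buf, sizeof(buf), fp) == NULL` branch), an unparsable one, and an unreadable `/proc/<pid>/cmdline` all return CK_FALSE, i.e. "pkcsslotd is not running", whereas the removed /proc scan returned CK_TRUE whenever it could not tell. Since the caller presumably uses this answer to decide whether the token repository may be modified while the daemon could still be using it, those three "cannot check" returns should stay conservative, `return CK_TRUE;  /* cannot tell -- assume it is running */`; only the missing pid file and the stale-pid case (fopen of cmdline fails) are real evidence of "not running". The parse check also accepts an empty or whitespace-only file and a zero or negative number, which then silently take the stale-pid path; `if (endptr == buf || lpid <= 0 || (*endptr != '\0' && *endptr != '\n'))` makes that rejection explicit. Note also that the whole check now hinges on PID_FILE_PATH matching where the daemon actually writes its pid file, and this package relocates that file with Patch300 ("PIDfile below legacy directory /var/run/"); if that patch changes the daemon's path, the value compiled into pkcstok_migrate must follow it, otherwise this function always reports "not running".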
/**


@ -1,7 +1,7 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.16.0 Version: 3.16.0
Release: 3%{?dist} Release: 4%{?dist}
License: CPL License: CPL
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -30,6 +30,10 @@ Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch
Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
# PIDfile below legacy directory /var/run/ # PIDfile below legacy directory /var/run/
Patch300: opencryptoki-pkcsslotd-pidfile.patch Patch300: opencryptoki-pkcsslotd-pidfile.patch
@ -340,6 +344,10 @@ fi
%changelog %changelog
* Fri Sep 03 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
- Resolves: #1974365, Fix detection if pkcsslotd is still running
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.0-3 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild