diff --git a/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch b/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
new file mode 100644
index 0000000..3661cad
--- /dev/null
+++ b/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
@@ -0,0 +1,34 @@
+commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
+Author: Ingo Franzki
+Date: Mon Jul 10 13:22:48 2023 +0200
+
+ p11sak: Fix parsing of slot number 0
+
+ Running command 'p11sak list-key aes --slot 0' may result in
+ 'p11sak: Invalid argument '0' for option '-s/--slot''
+
+ This is because of the error checking after strtoul() within function
+ process_number_argument(). In case errno is not zero, it treats a
+ parsed value of zero as an error.
+
+ Under certain circumstances, errno is non-zero already before calling
+ strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
+ an incorrect error checking, and it is treated as error.
+
+ Initialize errno to zero before calling strtoul() to avoid such false error
+ detection.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index 6e11cb41..38665bbd 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
+ {
+ char *endptr;
+
++ errno = 0;
+ *arg->value.number = strtoul(val, &endptr, 0);
+
+ if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||
diff --git a/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch b/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
new file mode 100644
index 0000000..ec74c5f
--- /dev/null
+++ b/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
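Review bot: The new `errno = 0;` line in process_number_argument() would benefit from a comment stating why it exists, since the reason currently lives only in the commit message: `errno = 0; /* strtoul() leaves errno untouched on success; clear any stale value so the ERANGE test below is meaningful */`. The remainder of the error check lies outside the hunk; note that strtoul() with base 0 also accepts a leading `-` and wraps the negated value (a constructed input of "-1" parses to ULONG_MAX without setting ERANGE), so unless the condition that follows rejects a leading sign, a negative slot argument is accepted as a large valid number. Since strtoul() returns ULONG_MAX whenever it sets ERANGE, the `&& *arg->value.number == ULONG_MAX` clause is redundant and could be dropped for readability.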
@@ -0,0 +1,96 @@
+commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
+Author: Ingo Franzki
+Date: Mon Jul 10 10:19:13 2023 +0200
+
+ p11sak: Fix listing of key objects when other object types are present
+
+ A command like 'p11sak list-key all --slot N ...' fails with
+
+ p11sak: Attribute CKA_KEY_TYPE is not available in key object
+ p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
+ p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
+
+ when the object repository contains other, non-key objects, e.g. certificates.
+
+ When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
+ with C_FindObjects(), and thus other non-key objects also match the filter.
+ When a specific key type is specified, then only such objects match that
+ have the desired CKA_KEY_TYPE attribute value.
+
+ Fix this by checking the object class in get_key_infos() and skip the object,
+ if it is not a key object.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
+index a6213720..6e11cb41 100644
+--- a/usr/sbin/p11sak/p11sak.c
++++ b/usr/sbin/p11sak/p11sak.c
+@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
+ }
+ }
+
++ switch (class_val) {
++ case CKO_PUBLIC_KEY:
++ case CKO_PRIVATE_KEY:
++ case CKO_SECRET_KEY:
++ break;
++ default:
++ free(attrs[0].pValue);
++ return CKR_KEY_NEEDED;
++ }
++
+ for (i = 0; i < num_attrs; i++) {
+ if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
+ warnx("Attribute %s is not available in key object",
+@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
+ if (manual_filtering) {
+ rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
+ NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ goto next;
++ }
+ if (rc != CKR_OK)
+ break;
+
+@@ -3672,6 +3686,10 @@ done_find:
+ for (i = 0; i < num_matched_keys; i++) {
+ rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
+ &label, &typestr, &type);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ goto next2;
++ }
+ if (rc != CKR_OK)
+ break;
+
+@@ -3680,6 +3698,7 @@ done_find:
+ if (rc != CKR_OK)
+ break;
+
++next2:
+ if (label != NULL)
+ free(label);
+ label = NULL;
+@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
+ *result = 0;
+
+ rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ *result = 1; /* non-key objects are always greater than key objects */
++ goto done;
++ }
+ if (rc != CKR_OK)
+ goto done;
+
+ rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
++ if (rc == CKR_KEY_NEEDED) {
++ rc = CKR_OK;
++ *result = -1; /* key objects are always smaller than non-key objects */
++ goto done;
++ }
+ if (rc != CKR_OK)
+ goto done;
+
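Review bot: In p11sak_list_key_compare() the new early return after the key1 lookup makes the comparator asymmetric: when both key1 and key2 are non-key objects, `*result = 1` is produced for either argument order because key2 is never inspected, and a comparator that is not antisymmetric leaves the sorted order dependent on the input order. Record whether each handle is a non-key object after its get_key_infos() call and decide only once both have been queried, returning 0 when both are non-key; the rewritten lines are below (the function's declarations, the `done:` label and the remaining comparisons are outside the hunk). In get_key_infos() the `default:` branch frees only `attrs[0].pValue` before returning; if any other `attrs[]` entry holds heap storage at that point (not visible here), it leaks on this path, so that is worth confirming. CKR_KEY_NEEDED is also now an in-band "skip this object" signal; any get_key_infos() caller outside this diff that does not special-case it will report a non-key object as a hard failure, and a comment on get_key_infos() such as `/* Returns CKR_KEY_NEEDED, with no outputs set, when the handle is not a key object; callers are expected to skip such objects */` would make that contract explicit.
```c
    rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
    if (rc == CKR_KEY_NEEDED) {
        nonkey1 = 1;   /* new int locals nonkey1/nonkey2, initialised to 0 with the other declarations */
        rc = CKR_OK;
    } else if (rc != CKR_OK) {
        goto done;
    }

    rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
    if (rc == CKR_KEY_NEEDED) {
        nonkey2 = 1;
        rc = CKR_OK;
    } else if (rc != CKR_OK) {
        goto done;
    }

    /* Non-key objects sort after key objects; two non-key objects compare equal */
    if (nonkey1 || nonkey2) {
        *result = nonkey1 - nonkey2;
        goto done;
    }
    /* … unchanged: class, key type, key size and label comparison … */
```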
diff --git a/opencryptoki.spec b/opencryptoki.spec
index 4268661..1f2b0ac 100644
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
 Version: 3.21.0
-Release: 5%{?dist}
+Release: 8%{?dist}
 License: CPL
 URL: https://github.com/opencryptoki/opencryptoki
 Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -9,11 +9,16 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
 Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf, strength.conf
 Patch2: opencryptoki-3.21.0-p11sak.patch
+
 # upstream patches
 # pkcsstats: Fix handling of user name
 Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
 # p11sak: Fix user confirmation prompt behavior when stdin is closed
 Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
+# p11sak fails as soon as there reside non-key objects
+Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
+# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
+Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
 
 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@@ -348,6 +353,10 @@ fi
 
 %changelog
+* Fri Jul 14 2023 Than Ngo - 3.21.0-8
+- Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
+- Resolves: #2222596, p11sak fails as soon as there reside non-key objects
+
 * Tue Jun 13 2023 Than Ngo - 3.21.0-5
 - add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
 Related: #2160061