From e6fc48bed664ab6b42741180048cb1f77917e3f1 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Mon, 22 May 2023 20:57:47 +0200 Subject: [PATCH] - drop p11_kit_support - fix handling of user name - fix user confirmation prompt behavior when stdin is closed --- ...74568e334a719fc8de16fe2309e2070f0da8.patch | 52 ++++++++++++ ...6214552a92d8d66de8011ab11c9c2c6bb0a4.patch | 84 +++++++++++++++++++ opencryptoki.spec | 25 +++--- 3 files changed, 146 insertions(+), 15 deletions(-) create mode 100644 opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch create mode 100644 opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch diff --git a/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch b/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch new file mode 100644 index 0000000..7c74f79 --- /dev/null +++ b/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch @@ -0,0 +1,52 @@ +commit 4ff774568e334a719fc8de16fe2309e2070f0da8 +Author: Ingo Franzki +Date: Mon May 22 11:40:01 2023 +0200 + + p11sak: Fix user confirmation prompt behavior when stdin is closed + + Treat any error during user confirmation prompt as 'cancel' and skip all + operations. + + One can for example close stdin during a user prompt via CTRL+D. This was + erroneously treated as positive confirmation and therefore caused the + operation to be performed on the current key object and all further objects + matching the filter as well, instead of canceling the operation entirely. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c +index d75d8343..5b54b538 100644 +--- a/usr/sbin/p11sak/p11sak.c ++++ b/usr/sbin/p11sak/p11sak.c +@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class, + data->num_skipped++; + return CKR_OK; + case 'c': ++ case '\0': + data->skip_all = true; + data->num_skipped++; + return CKR_OK; +@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class, + data->num_skipped++; + return CKR_OK; + case 'c': ++ case '\0': + data->skip_all = true; + data->num_skipped++; + return CKR_OK; +@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class, + data->num_skipped++; + return CKR_OK; + case 'c': ++ case '\0': + data->skip_all = true; + data->num_skipped++; + return CKR_OK; +@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class, + data->num_skipped++; + return CKR_OK; + case 'c': ++ case '\0': + data->skip_all = true; + data->num_skipped++; + return CKR_OK; diff --git a/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch b/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch new file mode 100644 index 0000000..0bf6df4 --- /dev/null +++ b/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch @@ -0,0 +1,84 @@ +commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4 +Author: Ingo Franzki +Date: Mon May 22 13:31:21 2023 +0200 + + pkcsstats: Fix handling of user name + + The struct passwd returned by getpwuid() is a pointer to a static area, that + may get overwritten by subsequent calls to getpwuid() or similar. + Actually, C_Initialize() itself is using getpwuid() internally, and thus will + interfere with the getpwuid() usage in pkcsstats. + + Make a copy of the returned user name before calling C_Initialize() in + init_ock() to ensure to work with the desired user name, and not with anything + left over from previous calls. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c +index c2444cf5..a842a295 100644 +--- a/usr/sbin/pkcsstats/pkcsstats.c ++++ b/usr/sbin/pkcsstats/pkcsstats.c +@@ -783,6 +783,7 @@ int main(int argc, char **argv) + int opt = 0; + struct passwd *pswd = NULL; + int user_id = -1; ++ char *user_name = NULL; + bool summary = false, all_users = false, all_mechs = false; + bool reset = false, reset_all = false; + bool delete = false, delete_all = false; +@@ -903,19 +904,27 @@ int main(int argc, char **argv) + } + } + ++ user_name = strdup(pswd->pw_name); ++ if (user_name == NULL) { ++ warnx("Failed to get current user name"); ++ exit(EXIT_FAILURE); ++ } ++ + if (delete) { + if (slot_id_specified) { + warnx("Options -s/--slot and -d/--delete can not be specified together"); ++ free(user_name); + exit(EXIT_FAILURE); + } + +- rc = delete_shm(user_id, pswd->pw_name); ++ rc = delete_shm(user_id, user_name); + goto done; + } + + if (delete_all) { + if (slot_id_specified) { + warnx("Options -s/--slot and -D/--delete-all can not be specified together"); ++ free(user_name); + exit(EXIT_FAILURE); + } + +@@ -932,7 +941,7 @@ int main(int argc, char **argv) + goto done; + + if (reset) { +- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots, ++ rc = reset_shm(user_id, user_name, num_slots, slots, + slot_id_specified, slot_id); + goto done; + } +@@ -968,7 +977,7 @@ int main(int argc, char **argv) + rc = display_summary(&dd); + goto done; + } else { +- rc = display_stats(user_id, pswd->pw_name, &dd); ++ rc = display_stats(user_id, user_name, &dd); + goto done; + } + +@@ -984,5 +993,7 @@ done: + dlclose(dll); + } + ++ free(user_name); ++ + return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE; + } diff --git a/opencryptoki.spec b/opencryptoki.spec index be5f23d..fd8fd93 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,12 +1,7 @@ -# p11-kit needs pkcsslotd daemon starting by default -# upstream does not recommend to enable the pkcsslotd service by default. -# we disable it -%global p11_kit_support 0 - Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Version: 3.21.0 -Release: 2%{?dist} +Release: 3%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -16,6 +11,10 @@ Patch1: opencryptoki-3.11.0-lockdir.patch # fix install problem in buildroot Patch2: opencryptoki-3.21.0-p11sak.patch # upstream patches +# pkcsstats: Fix handling of user name +Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch +# p11sak: Fix user confirmation prompt behavior when stdin is closed +Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch Requires(pre): coreutils Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) @@ -206,9 +205,6 @@ configured with Enterprise PKCS#11 (EP11) firmware. %install %make_install CHGRP=/bin/true -%if 0%{?p11_kit_support} -install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module -%endif %pre # don't touch opencryptoki.conf even if it is unchanged due to new tokversion @@ -296,12 +292,6 @@ fi %{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/stdll %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki -%if 0%{?p11_kit_support} -# Co-owned with p11-kit -%dir %{_datadir}/p11-kit/ -%dir %{_datadir}/p11-kit/modules/ -%{_datadir}/p11-kit/modules/opencryptoki.module -%endif %files devel %{_includedir}/%{name}/ @@ -362,6 +352,11 @@ fi %changelog +* Mon May 22 2023 Than Ngo - 3.21.0-3 +- drop p11_kit_support +- fix handling of user name +- fix user confirmation prompt behavior when stdin is closed + * Tue May 16 2023 Than Ngo - 3.21.0-2 - add missing /var/lib/opencryptoki/HSM_MK_CHANGE