- drop p11_kit_support

- fix handling of user name
- fix user confirmation prompt behavior when stdin is closed
This commit is contained in:
Than Ngo 2023-05-22 20:57:47 +02:00
parent a36c8e96e9
commit e6fc48bed6
3 changed files with 146 additions and 15 deletions

View File

@ -0,0 +1,52 @@
commit 4ff774568e334a719fc8de16fe2309e2070f0da8
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 11:40:01 2023 +0200
p11sak: Fix user confirmation prompt behavior when stdin is closed
Treat any error during user confirmation prompt as 'cancel' and skip all
operations.
One can for example close stdin during a user prompt via CTRL+D. This was
erroneously treated as positive confirmation and therefore caused the
operation to be performed on the current key object and all further objects
matching the filter as well, instead of canceling the operation entirely.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d75d8343..5b54b538 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;

View File

@ -0,0 +1,84 @@
commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 13:31:21 2023 +0200
pkcsstats: Fix handling of user name
The struct passwd returned by getpwuid() is a pointer to a static area, that
may get overwritten by subsequent calls to getpwuid() or similar.
Actually, C_Initialize() itself is using getpwuid() internally, and thus will
interfere with the getpwuid() usage in pkcsstats.
Make a copy of the returned user name before calling C_Initialize() in
init_ock() to ensure to work with the desired user name, and not with anything
left over from previous calls.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
index c2444cf5..a842a295 100644
--- a/usr/sbin/pkcsstats/pkcsstats.c
+++ b/usr/sbin/pkcsstats/pkcsstats.c
@@ -783,6 +783,7 @@ int main(int argc, char **argv)
int opt = 0;
struct passwd *pswd = NULL;
int user_id = -1;
+ char *user_name = NULL;
bool summary = false, all_users = false, all_mechs = false;
bool reset = false, reset_all = false;
bool delete = false, delete_all = false;
@@ -903,19 +904,27 @@ int main(int argc, char **argv)
}
}
+ user_name = strdup(pswd->pw_name);
+ if (user_name == NULL) {
+ warnx("Failed to get current user name");
+ exit(EXIT_FAILURE);
+ }
+
if (delete) {
if (slot_id_specified) {
warnx("Options -s/--slot and -d/--delete can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
- rc = delete_shm(user_id, pswd->pw_name);
+ rc = delete_shm(user_id, user_name);
goto done;
}
if (delete_all) {
if (slot_id_specified) {
warnx("Options -s/--slot and -D/--delete-all can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
@@ -932,7 +941,7 @@ int main(int argc, char **argv)
goto done;
if (reset) {
- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
+ rc = reset_shm(user_id, user_name, num_slots, slots,
slot_id_specified, slot_id);
goto done;
}
@@ -968,7 +977,7 @@ int main(int argc, char **argv)
rc = display_summary(&dd);
goto done;
} else {
- rc = display_stats(user_id, pswd->pw_name, &dd);
+ rc = display_stats(user_id, user_name, &dd);
goto done;
}
@@ -984,5 +993,7 @@ done:
dlclose(dll);
}
+ free(user_name);
+
return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

View File

@ -1,12 +1,7 @@
# p11-kit needs pkcsslotd daemon starting by default
# upstream does not recommend to enable the pkcsslotd service by default.
# we disable it
%global p11_kit_support 0
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.21.0 Version: 3.21.0
Release: 2%{?dist} Release: 3%{?dist}
License: CPL-1.0 License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -16,6 +11,10 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
# fix install problem in buildroot # fix install problem in buildroot
Patch2: opencryptoki-3.21.0-p11sak.patch Patch2: opencryptoki-3.21.0-p11sak.patch
# upstream patches # upstream patches
# pkcsstats: Fix handling of user name
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
# p11sak: Fix user confirmation prompt behavior when stdin is closed
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
Requires(pre): coreutils Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@ -206,9 +205,6 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%install %install
%make_install CHGRP=/bin/true %make_install CHGRP=/bin/true
%if 0%{?p11_kit_support}
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
%endif
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -296,12 +292,6 @@ fi
%{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll %{_libdir}/pkcs11/stdll
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%if 0%{?p11_kit_support}
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%endif
%files devel %files devel
%{_includedir}/%{name}/ %{_includedir}/%{name}/
@ -362,6 +352,11 @@ fi
%changelog %changelog
* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
- drop p11_kit_support
- fix handling of user name
- fix user confirmation prompt behavior when stdin is closed
* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2 * Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
- add missing /var/lib/opencryptoki/HSM_MK_CHANGE - add missing /var/lib/opencryptoki/HSM_MK_CHANGE