import softhsm-2.6.0-5.module+el8.4.0+10227+076cd560

This commit is contained in:
CentOS Sources 2021-03-31 15:44:04 +00:00 committed by Andrew Lukoshko
parent ce72e13201
commit bc035bc0c7
2 changed files with 246 additions and 5 deletions

View File

@ -0,0 +1,230 @@
From cfe1f7fdd12e202fa2d056c7fd731cfeee378a98 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 15 Jul 2020 18:12:32 +0200
Subject: [PATCH] Unbreak negative mechanism lists in slots.mechanisms +
testcase
Previously, when the list for slots.mechanisms was prefixed with
minus sign "-", the first mechanism was skipped as invalid and
therefore the tool was presenting wrong list of algorithms.
This fixes the initial index for selection of first algorithm
and adds unit test for this scenario.
---
.gitignore | 1 +
configure.ac | 1 +
src/lib/SoftHSM.cpp | 9 ++-
src/lib/test/InfoTests.cpp | 70 ++++++++++++++++++-
src/lib/test/InfoTests.h | 2 +
src/lib/test/Makefile.am | 1 +
src/lib/test/softhsm2-negative-mech.conf.in | 8 +++
.../test/softhsm2-negative-mech.conf.win32 | 7 ++
win32/p11test/p11test.vcxproj.in | 2 +
9 files changed, 97 insertions(+), 4 deletions(-)
create mode 100644 src/lib/test/softhsm2-negative-mech.conf.in
create mode 100644 src/lib/test/softhsm2-negative-mech.conf.win32
diff --git a/configure.ac b/configure.ac
index d4dad435..c6a51c7a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -217,6 +217,7 @@ AC_CONFIG_FILES([
src/lib/test/softhsm2-alt.conf
src/lib/test/softhsm2-reset-on-fork.conf
src/lib/test/softhsm2-mech.conf
+ src/lib/test/softhsm2-negative-mech.conf
src/lib/test/tokens/dummy
src/bin/Makefile
src/bin/common/Makefile
diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
index 0a0c32cc..cac724e6 100644
--- a/src/lib/SoftHSM.cpp
+++ b/src/lib/SoftHSM.cpp
@@ -791,12 +791,17 @@ void SoftHSM::prepareSupportedMecahnisms(std::map<std::string, CK_MECHANISM_TYPE
if (mechs != "ALL")
{
bool negative = (mechs[0] == '-');
- if (!negative)
+ size_t pos = 0, prev = 0;
+ if (negative)
+ {
+ /* Skip the minus sign */
+ prev = 1;
+ }
+ else
{
/* For positive list, we remove everything */
supportedMechanisms.clear();
}
- size_t pos = 0, prev = 0;
std::string token;
do
{
diff --git a/src/lib/test/InfoTests.cpp b/src/lib/test/InfoTests.cpp
index a07956fb..d2218e34 100644
--- a/src/lib/test/InfoTests.cpp
+++ b/src/lib/test/InfoTests.cpp
@@ -328,9 +328,9 @@ void InfoTests::testGetMechanismListConfig()
CK_MECHANISM_TYPE_PTR pMechanismList;
#ifndef _WIN32
- setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
+ setenv("SOFTHSM2_CONF", "./softhsm2-mech.conf", 1);
#else
- setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
+ setenv("SOFTHSM2_CONF", ".\\softhsm2-mech.conf", 1);
#endif
// Just make sure that we finalize any previous failed tests
@@ -363,6 +363,72 @@ void InfoTests::testGetMechanismListConfig()
#endif
}
+void InfoTests::testGetMechanismNegativeListConfig()
+{
+ CK_RV rv;
+ CK_ULONG ulMechCount = 0;
+ CK_MECHANISM_TYPE_PTR pMechanismList;
+ CK_ULONG allMechsCount = 0;
+
+ // Just make sure that we finalize any previous failed tests
+ CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
+
+ // First of all, try to get the default list
+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
+ CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);
+
+ rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+
+ // Get the size of the buffer
+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
+ /* Remember how many mechanisms are supported */
+ allMechsCount = ulMechCount;
+
+ // Get the mechanism list
+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ CPPUNIT_ASSERT_EQUAL(allMechsCount, ulMechCount);
+ free(pMechanismList);
+
+ CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
+ /* Now try with configuration having negative list */
+#ifndef _WIN32
+ setenv("SOFTHSM2_CONF", "./softhsm2-negative-mech.conf", 1);
+#else
+ setenv("SOFTHSM2_CONF", ".\\softhsm2-negative-mech.conf", 1);
+#endif
+
+ rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+
+ // Get the size of the buffer
+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, NULL_PTR, &ulMechCount) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ /* We should get 2 shorter */
+ //CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
+ pMechanismList = (CK_MECHANISM_TYPE_PTR)malloc(ulMechCount * sizeof(CK_MECHANISM_TYPE_PTR));
+
+ // Get the mechanism list
+ rv = CRYPTOKI_F_PTR( C_GetMechanismList(m_initializedTokenSlotID, pMechanismList, &ulMechCount) );
+ CPPUNIT_ASSERT(rv == CKR_OK);
+ //CPPUNIT_ASSERT_EQUAL(allMechsCount - 2, ulMechCount);
+ for (unsigned long i = 0; i < ulMechCount; i++) {
+ CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_X_509);
+ CPPUNIT_ASSERT(pMechanismList[i] != CKM_RSA_PKCS);
+ }
+ free(pMechanismList);
+
+ CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
+#ifndef _WIN32
+ setenv("SOFTHSM2_CONF", "./softhsm2.conf", 1);
+#else
+ setenv("SOFTHSM2_CONF", ".\\softhsm2.conf", 1);
+#endif
+}
+
void InfoTests::testWaitForSlotEvent()
{
CK_RV rv;
diff --git a/src/lib/test/InfoTests.h b/src/lib/test/InfoTests.h
index dfd02953..1cc99ccb 100644
--- a/src/lib/test/InfoTests.h
+++ b/src/lib/test/InfoTests.h
@@ -49,6 +49,7 @@ class InfoTests : public TestsNoPINInitBase
CPPUNIT_TEST(testGetMechanismInfo);
CPPUNIT_TEST(testGetSlotInfoAlt);
CPPUNIT_TEST(testGetMechanismListConfig);
+ CPPUNIT_TEST(testGetMechanismNegativeListConfig);
CPPUNIT_TEST(testWaitForSlotEvent);
CPPUNIT_TEST_SUITE_END();
@@ -62,6 +63,7 @@ class InfoTests : public TestsNoPINInitBase
void testGetMechanismInfo();
void testGetSlotInfoAlt();
void testGetMechanismListConfig();
+ void testGetMechanismNegativeListConfig();
void testWaitForSlotEvent();
};
diff --git a/src/lib/test/Makefile.am b/src/lib/test/Makefile.am
index 17887dd4..a22ce668 100644
--- a/src/lib/test/Makefile.am
+++ b/src/lib/test/Makefile.am
@@ -39,6 +39,7 @@ EXTRA_DIST = $(srcdir)/CMakeLists.txt \
$(srcdir)/*.h \
$(srcdir)/softhsm2-alt.conf.win32 \
$(srcdir)/softhsm2-reset-on-fork.conf.win32 \
+ $(srcdir)/softhsm2-negative-mech.conf.win32 \
$(srcdir)/softhsm2-mech.conf.win32 \
$(srcdir)/softhsm2.conf.win32 \
$(srcdir)/tokens/dummy.in
diff --git a/src/lib/test/softhsm2-negative-mech.conf.in b/src/lib/test/softhsm2-negative-mech.conf.in
new file mode 100644
index 00000000..51f7e6ac
--- /dev/null
+++ b/src/lib/test/softhsm2-negative-mech.conf.in
@@ -0,0 +1,8 @@
+# SoftHSM v2 configuration file
+
+directories.tokendir = @builddir@/tokens
+objectstore.backend = file
+log.level = INFO
+slots.removable = false
+slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
+
diff --git a/src/lib/test/softhsm2-negative-mech.conf.win32 b/src/lib/test/softhsm2-negative-mech.conf.win32
new file mode 100644
index 00000000..a3aefb96
--- /dev/null
+++ b/src/lib/test/softhsm2-negative-mech.conf.win32
@@ -0,0 +1,7 @@
+# SoftHSM v2 configuration file
+
+directories.tokendir = .\tokens
+objectstore.backend = file
+log.level = INFO
+slots.removable = false
+slots.mechanisms = -CKM_RSA_X_509,CKM_RSA_PKCS
diff --git a/win32/p11test/p11test.vcxproj.in b/win32/p11test/p11test.vcxproj.in
index 55dfb087..88859bca 100644
--- a/win32/p11test/p11test.vcxproj.in
+++ b/win32/p11test/p11test.vcxproj.in
@@ -67,6 +67,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
+copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
mkdir "$(TargetDir)\tokens" 2&gt; nul
copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
</Command>
@@ -99,6 +100,7 @@ copy ..\..\src\lib\test\softhsm2.conf.win32 "$(TargetDir)\softhsm2.conf"
copy ..\..\src\lib\test\softhsm2-alt.conf.win32 "$(TargetDir)\softhsm2-alt.conf"
copy ..\..\src\lib\test\softhsm2-reset-on-fork.conf.win32 "$(TargetDir)\softhsm2-reset-on-fork.conf"
copy ..\..\src\lib\test\softhsm2-mech.conf.win32 "$(TargetDir)\softhsm2-mech.conf"
+copy ..\..\src\lib\test\softhsm2-negative-mech.conf.win32 "$(TargetDir)\softhsm2-negative-mech.conf"
mkdir "$(TargetDir)\tokens" 2&gt; nul
copy ..\..\src\lib\test\tokens\dummy.in "$(TargetDir)\tokens\dummy"
</Command>

View File

@ -1,15 +1,18 @@
#global prever rc1 #global prever rc1
# Rebuild configure.ac if patches do change it
%global rebuild_ac 1
Summary: Software version of a PKCS#11 Hardware Security Module Summary: Software version of a PKCS#11 Hardware Security Module
Name: softhsm Name: softhsm
Version: 2.6.0 Version: 2.6.0
Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}
License: BSD License: BSD
Url: http://www.opendnssec.org/ Url: http://www.opendnssec.org/
Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
Patch1: softhsm-2.6.1-rh1834909-exit.patch Patch1: softhsm-2.6.1-rh1834909-exit.patch
Patch2: softhsm-2.6.1-rh1857272-negatives.patch
Group: Applications/System Group: Applications/System
BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
@ -33,7 +36,7 @@ with other cryptographic products because of the PKCS#11 interface.
Summary: Development package of softhsm that includes the header files Summary: Development package of softhsm that includes the header files
Group: Development/Libraries Group: Development/Libraries
Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel Requires: %{name} = %{version}-%{release}, openssl-devel, sqlite-devel
%if 0%{?prever:1} %if 0%{?prever:!} || 0%{?rebuild_ac}
BuildRequires: autoconf, libtool, automake BuildRequires: autoconf, libtool, automake
%endif %endif
@ -43,21 +46,22 @@ The devel package contains the libsofthsm include files
%prep %prep
%setup -q -n %{name}-%{version}%{?prever} %setup -q -n %{name}-%{version}%{?prever}
%patch1 -p1 %patch1 -p1
%patch2 -p1
# remove softhsm/ subdir auto-added to --libdir # remove softhsm/ subdir auto-added to --libdir
sed -i "s:full_libdir/softhsm:full_libdir:g" configure sed -i "s:full_libdir/softhsm:full_libdir:g" configure
%if 0%{?prever:1} %if 0%{?prever:1} || 0%{?rebuild_ac}
sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac
%endif %endif
sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in
sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure
%if 0%{?prever:1} %if 0%{?prever:1} || 0%{?rebuild_ac}
sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure.ac sed -i 's:$full_libdir/libsofthsm2\.so:libsofthsm2\.so:g' configure.ac
%endif %endif
%if 0%{?prever:1} %if 0%{?prever:1} || 0%{?rebuild_ac}
autoreconf -fiv autoreconf -fiv
%endif %endif
@ -121,6 +125,13 @@ if [ -f /var/softhsm/slot0.db ]; then
fi fi
%changelog %changelog
* Mon Feb 15 2021 Thomas Woerner <twoerner@redhat.com> - 2.6.0-5
- Install prever devel package requirements for new negative option patch
Related: RHBZ#1857272
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-4
- Fixes: rhbz#1857272 - negative option for token.mechanism not working correctly
* Thu Jun 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-3 * Thu Jun 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.0-3
- Fixes: rhbz#1834909 - softhsm use-after-free on process exit - Fixes: rhbz#1834909 - softhsm use-after-free on process exit
- Synchronize the final fix with Fedora - Synchronize the final fix with Fedora