Accepting request 1089152 from security

OBS-URL: https://build.opensuse.org/request/show/1089152
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=68

ocki-3.21-remove-make-install-chgrp.patch

@@ -1,105 +1,119 @@
---- opencryptoki-3.20.0/Makefile.am	2023-02-13 03:22:42.000000000 -0500
+--- Makefile.am	2023-05-15 14:42:55.000000000 +0200
-+++ opencryptoki-3.20.0/Makefile.am	2023-02-13 10:40:14.561790695 -0500
++++ Makefile-3.21.am	2023-05-25 17:13:36.266936832 +0200
-@@ -39,7 +39,6 @@
+@@ -39,14 +39,9 @@
  include doc/doc.mk
  
  install-data-hook:
--	getent group pkcs11 > /dev/null || $(GROUPADD) -r pkcs11
+-	getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
+-	getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
+ 	$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
+-	$(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
+ 	$(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
+ 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
  if ENABLE_LIBRARY
  	$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
- 	$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
+@@ -66,19 +61,15 @@
-@@ -60,12 +59,9 @@
+ endif
+ if ENABLE_PKCSHSM_MK_CHANGE
+ 	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ 	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
+ endif
+ if ENABLE_CCATOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_cca.so PKCS11_CCA.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ccatok
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
-@@ -74,12 +70,9 @@
+@@ -87,12 +78,9 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_ep11.so PKCS11_EP11.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ep11tok
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
-@@ -87,30 +80,24 @@
+@@ -100,30 +88,24 @@
  endif
  if ENABLE_P11SAK
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
--	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g pkcs11 -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
-+	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
++	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL)  -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
  endif
  if ENABLE_ICATOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_ica.so PKCS11_ICA.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/lite
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/lite
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
  endif
  if ENABLE_SWTOK
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_sw.so PKCS11_SW.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/swtok
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
  endif
  if ENABLE_TPMTOK
-@@ -118,10 +105,8 @@
+@@ -131,10 +113,8 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_tpm.so PKCS11_TPM.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/tpm
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
  endif
  if ENABLE_ICSFTOK
-@@ -129,16 +114,14 @@
+@@ -142,16 +122,14 @@
  	cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
  		ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
  	$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
--	$(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
  	$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
  	$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/icsf
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
  endif
  if ENABLE_DAEMON
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
  	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
--	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g pkcs11 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+-	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
 +	test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
  endif
  	$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
  	echo "$(libdir)/opencryptoki" >\
-@@ -149,7 +132,6 @@
+@@ -162,7 +140,6 @@
  	@echo "Remember you must run ldconfig before using the above settings"
  	@echo "--------------------------------------------------------------"
  	$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
--	$(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
+-	$(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
  	$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
  
  

openCryptoki-3.20.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9cdbb92c046444623f2b5f8d3ea2052fe0954ea548b4415c1f9d67c9935e06f0
-size 1655534

openCryptoki-3.21.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:26fcb547028d3964b88736bcb64bdd20c3d5369f9e7117dba584e51a47cf1f4d
+size 1787924

openCryptoki.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri May 26 06:55:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Update to version 3.21 (jsc#PED-3360, jsc#PED-3361)
+  * openCryptoki 3.21
+    - EP11 and CCA: Support concurrent HSM master key changes
+    - CCA: protected-key option
+    - pkcsslotd: no longer run as root user and further hardening
+    - p11sak: Add support for additional key types (DH, DSA, generic secret)
+    - p11sak: Allow wildcards in label filter
+    - p11sak: Allow to specify hex value for CKA_ID attribute
+    - p11sak: Support sorting when listing keys
+    - p11sak: New commands: set-key-attr, copy-key to modify and copy keys
+    - p11sak: New commands: import-key, export-key to import and export keys
+    - Remove support for --disable-locks (transactional memory)
+    - Updates to harden against RSA timing attacks
+    - Bug fixes
+- Amended a new patch to fit the version 3.21
+  * ocki-3.21-remove-make-install-chgrp.patch
+- Removed the old patch for the version 3.20
+  * ocki-3.20-remove-make-install-chgrp.patch
+
 -------------------------------------------------------------------
 Thu Feb 16 13:22:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 

openCryptoki.spec

@@ -26,20 +26,19 @@
 %define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
-Version:        3.20.0
+Version:        3.21.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
 Group:          Productivity/Security
 URL:            https://github.com/opencryptoki/opencryptoki
-# Source:         https://github.com/opencryptoki/%{oc_cvs_tag}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source:         https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        openCryptoki.pkcsslotd
 Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
-# Patch 1 is needed because group pkcs11 doesn't exist in the build environment
+# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch001:       ocki-3.20-remove-make-install-chgrp.patch
+Patch000:       ocki-3.21-remove-make-install-chgrp.patch
 #
 #
 BuildRequires:  bison
@@ -56,6 +55,8 @@ BuildRequires:  trousers-devel
 BuildRequires:  pkgconfig(systemd)
 Requires(pre):  %{_sbindir}/groupadd
 Requires(pre):  %{_sbindir}/usermod
+###
+BuildRequires:  libcap-devel
 
 # IBM maintains openCryptoki on these architectures:
 ExclusiveArch:  %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
@@ -130,7 +131,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 
 %prep
 # setup -q -n %{oc_cvs_tag}-%{version}
-%autosetup -p 1 -n %{oc_cvs_tag}-%{version}
+%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
 
 cp %{SOURCE2} .
 
@@ -235,8 +236,8 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
   # configuration directory
 %dir %{_sysconfdir}/opencryptoki
 %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/strength.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
-%config %attr(640,root,pkcs11) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
+%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
 %ifarch s390 s390x
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
@@ -260,22 +261,22 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories
-%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki
+%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
 %ifarch s390 s390x
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
 %endif
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/icsf
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
 %ifarch s390 s390x
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
-%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
 %endif
-%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki/
+%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
 %{_mandir}/man*/*
 
 %files devel
@@ -283,6 +284,8 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki/stdll
 %{_includedir}/opencryptoki
 %{_libdir}/pkgconfig/opencryptoki.pc
+###
+%{_sbindir}/pkcshsm_mk_change
 
 %ifarch %{openCryptoki_32bit_arch}
 %files 32bit