From b9b0c3bdde423ed54222a8cbd5754ec8c3b8f5a81e84f882eaf2976cc8889c40 Mon Sep 17 00:00:00 2001 From: Mark Post Date: Wed, 4 Sep 2019 22:38:50 +0000 Subject: [PATCH] Accepting request 728362 from home:markkp:branches:security Upgrade to 3.11.1 OBS-URL: https://build.opensuse.org/request/show/728362 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=89 --- ...target_list-passing-for-EP11-session.patch | 60 ----------------- openCryptoki-3.11.1.tar.gz | 3 + openCryptoki-rpmlintrc | 2 +- openCryptoki-tmp.conf | 7 -- openCryptoki.changes | 11 +++- openCryptoki.spec | 66 ++++++++++--------- opencryptoki-3.11.0.tar.gz | 3 - 7 files changed, 48 insertions(+), 104 deletions(-) delete mode 100644 ocki-3.11-Fix-target_list-passing-for-EP11-session.patch create mode 100644 openCryptoki-3.11.1.tar.gz delete mode 100644 openCryptoki-tmp.conf delete mode 100644 opencryptoki-3.11.0.tar.gz diff --git a/ocki-3.11-Fix-target_list-passing-for-EP11-session.patch b/ocki-3.11-Fix-target_list-passing-for-EP11-session.patch deleted file mode 100644 index aed5fc3..0000000 --- a/ocki-3.11-Fix-target_list-passing-for-EP11-session.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 19 Nov 2018 13:30:09 +0100 -Subject: [PATCH] EP11: Fix target_list passing for EP11-session logon/logoff - -The target list is passed incorrectly to the handle_all_ep11_cards() -function. Dependent on memory content, this can cause it to -fail processing all EP11 cards. This will most likely cause a -CKR_DEVICE_ERROR to be returned by C_Login when the STRICT_SESSION -and/or VHSM_MODE is enabled in the ep11tok.conf config file. - -Signed-off-by: Ingo Franzki ---- - usr/lib/ep11_stdll/ep11_specific.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 2129762f..05332429 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -7600,7 +7600,7 @@ CK_RV ep11tok_login_session(STDLL_TokData_t * tokdata, SESSION * session) - } - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) { - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); -@@ -7646,8 +7646,7 @@ done: - if (ep11_session->flags & - (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { - rc2 = -- handle_all_ep11_cards((ep11_target_t *) & -- ep11_data->target_list, -+ handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc2 != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", -@@ -7700,7 +7699,7 @@ static CK_RV ep11tok_relogin_session(STDLL_TokData_t * tokdata, - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) - 
TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); -@@ -7747,7 +7746,7 @@ CK_RV ep11tok_logout_session(STDLL_TokData_t * tokdata, SESSION * session) - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); --- -2.16.2.windows.1 - diff --git a/openCryptoki-3.11.1.tar.gz b/openCryptoki-3.11.1.tar.gz new file mode 100644 index 0000000..6791fbd --- /dev/null +++ b/openCryptoki-3.11.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9e79c732eb4ba938a96f73c1dadc4ee9b97eb57cfb6f5218bf66b1238059c2eb +size 938221 diff --git a/openCryptoki-rpmlintrc b/openCryptoki-rpmlintrc index d1ba8c3..761c90c 100644 --- a/openCryptoki-rpmlintrc +++ b/openCryptoki-rpmlintrc @@ -1 +1 @@ -addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki/") +addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki") diff --git a/openCryptoki-tmp.conf b/openCryptoki-tmp.conf deleted file mode 100644 index d178e4b..0000000 --- a/openCryptoki-tmp.conf +++ /dev/null @@ -1,7 +0,0 @@ -# Lock directories needed by openCryptoki -D /var/lock/opencryptoki/swtok 0770 root pkcs11 -D /var/lock/opencryptoki/lite 0770 root pkcs11 -D /var/lock/opencryptoki/tpm 0770 root pkcs11 -D /var/lock/opencryptoki/ccatok 0770 root pkcs11 -D /var/lock/opencryptoki/icsf 0770 root pkcs11 -D /var/lock/opencryptoki/ep11tok 0770 root pkcs11 diff --git a/openCryptoki.changes b/openCryptoki.changes index 9137bce..1cd281c 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Sep 3 23:02:38 UTC 2019 - Mark Post + +- Upgraded to version 3.11.1 (Fate#327837) + Bug fixes. +- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch + ------------------------------------------------------------------- Fri Feb 15 05:22:55 UTC 2019 - mpost@suse.com @@ -47,7 +54,7 @@ Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com Fix and improve testcases. Fix spec file permission for log directory. Fix build warnings. -* opencryptoki 3.9.0 + * opencryptoki 3.9.0 Fix token reinitialization Fix conditional man pages EP11 enhancements @@ -59,7 +66,7 @@ Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - Made multiple changes to the spec file based on spec-cleaner output. - Added an rpmlintrc file to squelch warnings about adding ghost - entries for files under /var/log/opencryptoki/ + entries for files under /var/lock/opencryptoki/ ------------------------------------------------------------------- Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com diff --git a/openCryptoki.spec b/openCryptoki.spec index 7145231..7aba9ec 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -1,7 +1,7 @@ # # spec file for package openCryptoki # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,35 +16,34 @@ # -%define openCryptoki_32bit_arch %{arm} %{ix86} s390 ppc +%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm} # support in the workings for: ppc64 # no support in sight for: ia64 -%define openCryptoki_64bit_arch aarch64 s390x ppc64 ppc64le x86_64 +%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 # autobuild:/work/cd/lib/misc/group # openCryptoki pkcs11:x:64: %define pkcs11_group_id 64 %define oc_cvs_tag opencryptoki Name: openCryptoki -Version: 3.11.0 +Version: 3.11.1 Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 Group: Productivity/Security -URL: https://sourceforge.net/projects/opencryptoki/ -Source: %{oc_cvs_tag}-%{version}.tar.gz +URL: https://github.com/opencryptoki/opencryptoki +Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html -Source3: openCryptoki-tmp.conf -Source4: openCryptoki-rpmlintrc +Source3: openCryptoki-rpmlintrc # Patch 1 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. Patch1: ocki-3.11-remove-make-install-chgrp.patch -Patch2: ocki-3.11-Fix-target_list-passing-for-EP11-session.patch BuildRequires: bison BuildRequires: dos2unix BuildRequires: flex BuildRequires: gcc-c++ +BuildRequires: libitm1 BuildRequires: libtool BuildRequires: openldap2-devel BuildRequires: openssl-devel >= 1.0 @@ -52,7 +51,6 @@ BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: trousers-devel BuildRequires: pkgconfig(systemd) -Requires(pre): %{_bindir}/getent Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/usermod 
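Review bot: The new `Source:` line fetches GitHub's generated tag archive (`archive/v%{version}.tar.gz`), and the spec lists no signature or keyring source next to it, so nothing in the package records how the tarball's authenticity was established. For a PKCS#11 library, that provenance is worth stating where the next maintainer will see it. I would add a comment above the line, such as `# GitHub tag archive; no upstream signature is verified here, integrity rests on the checksum of the committed tarball`. If upstream does publish signed release artefacts, list the signature and keyring as extra sources instead.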
@@ -88,13 +86,12 @@ co-processor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries). %ifarch %{openCryptoki_32bit_arch} - %package 32bit Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware # this is needed to make sure the pkcs11 group exists before # installation: Group: Productivity/Security -PreReq: openCryptoki +Requires: openCryptoki ExclusiveArch: %{openCryptoki_32bit_arch} %description 32bit @@ -109,13 +106,12 @@ Cryptographic Accelerator (FC 4960 on pSeries). %endif %ifarch %{openCryptoki_64bit_arch} - %package 64bit Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware # this is needed to make sure the pkcs11 group exists before # installation: Group: Productivity/Security -PreReq: openCryptoki +Requires: openCryptoki ExclusiveArch: %{openCryptoki_64bit_arch} %description 64bit @@ -132,15 +128,23 @@ Cryptographic Accelerator (FC 4960 on pSeries). %prep %setup -q -n %{oc_cvs_tag}-%{version} %patch1 -p1 -%patch2 -p1 cp %{SOURCE2} . %build -autoreconf --force --install -%configure \ - --enable-tpmtok \ - --with-systemd=%{_unitdir} +./bootstrap.sh + +%configure --with-systemd=%{_unitdir} \ + --enable-tpmtok \ +%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory + --enable-locks \ +%endif +%ifarch s390 s390x + --enable-pkcsep11_migrate +%else + --disable-ccatok +%endif + make %{?_smp_mflags} dos2unix doc/README.ep11_stdll 
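Review bot: `Requires: openCryptoki` in the `%package 32bit` stanza, and the identical change in the `%package 64bit` hunk that follows, no longer matches the comment directly above it, which says the dependency exists so that the pkcs11 group is present before installation. A plain `Requires` gives weaker ordering than the old `PreReq`, because rpm can relax it when it has to break a dependency loop. If the group must exist first, `Requires(pre): openCryptoki` is the closer replacement. If the ordering is no longer needed, remove the stale comment so the stanza does not claim a guarantee it does not have.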
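Review bot: In the `%build` hunk, the `# Apparently, gcc for aarch64 ...` comment sits inside the backslash-continued `%configure` argument list, under `%ifarch aarch64`. If that line reaches the build script as written, the shell joins it onto the preceding continuation line, where `#` ends the command. In that case `--enable-locks` and the `--disable-ccatok` line after it would not reach configure on aarch64 and would be run as a separate command. Moving the comment above `%configure`, for example `# aarch64: gcc lacks transactional memory support, so build with --enable-locks`, keeps the argument list unbroken. The hunk is collapsed on this page, so the exact line placement is inferred.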
@@ -151,19 +155,19 @@ install -d %{buildroot}%{_localstatedir}/lib/opencryptoki install -d %{buildroot}%{_initddir} install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_prefix}/lib/tmpfiles.d -install -m 644 %{SOURCE3} %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd rm -rf %{buildroot}/tmp + # Remove all development files find %{buildroot} -type f -name "*.la" -delete -print rm -f %{buildroot}%{_libdir}/opencryptoki/methods %pre +%{service_add_pre pkcsslotd.service} # autobuild:/work/cd/lib/misc/group # openCryptoki pkcs11:x:64: -%{_bindir}/getent group %{pkcs11_group_id} >/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 +%{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true %{_sbindir}/usermod -a -G pkcs11 root -%{service_add_pre pkcsslotd.service} %preun %{service_del_preun pkcsslotd.service} @@ -188,7 +192,6 @@ fi %{service_del_postun pkcsslotd.service} %ifarch %{openCryptoki_32bit_arch} - %postun 32bit if [ -L %{_sysconfdir}/pkcs11 ] ; then rm %{_sysconfdir}/pkcs11 @@ -212,7 +215,6 @@ cd stdll %endif %ifarch %{openCryptoki_64bit_arch} - %post 64bit # Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only. test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11 
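Review bot: In `%pre`, `groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true` hides every groupadd failure, not only the case where the group already exists. If GID 64 is taken by another group, or groupadd fails for some other reason, pkcs11 is never created and nothing appears in the install log. The `%attr(770,root,pkcs11)` state directories and the `usermod -a -G pkcs11 root` that follows both depend on that group. Testing for the group by name keeps real errors visible: `getent group pkcs11 >/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11`. That requires keeping the `Requires(pre): %{_bindir}/getent` line that the preamble hunk of this commit removes.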
@@ -221,32 +223,35 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %endif %files -%defattr(-,root,root) %doc openCryptoki-TFAQ.html FAQ %doc doc/* # configuration directory %dir %{_sysconfdir}/opencryptoki %config %{_sysconfdir}/opencryptoki/opencryptoki.conf %ifarch s390 s390x -%{_sbindir}/pkcsep11_session -%config %{_sysconfdir}/opencryptoki/ep11tok.conf %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf +%config %{_sysconfdir}/opencryptoki/ep11tok.conf %{_sbindir}/pkcsep11_migrate %endif %{_unitdir}/pkcsslotd.service %{_tmpfilesdir}/opencryptoki.conf %{_sbindir}/rcpkcsslotd # utilities +%ifarch s390 s390x +%{_sbindir}/pkcsep11_session +%{_sbindir}/pkcscca +%endif %{_sbindir}/pkcsslotd %{_sbindir}/pkcsconf %{_sbindir}/pkcsicsf -%{_sbindir}/pkcscca %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll # State and lock directories %dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki +%ifarch s390 s390x %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ +%endif %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm 
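Review bot: `%{_tmpfilesdir}/opencryptoki.conf` stays in `%files`, although this commit deletes the package's own openCryptoki-tmp.conf and the `install` line that placed it, so the file presumably now comes from upstream's `make install`. The deleted file pinned each lock directory under /var/lock/opencryptoki to `0770 root pkcs11`, and nothing visible in the diff shows what owner and mode the upstream snippet uses. I would check the installed snippet and, once confirmed, record it with a comment above the entry, such as `# tmpfiles snippet shipped by upstream; lock directories are root:pkcs11, mode 0770`. If the upstream modes turn out looser, that would be a reason to keep a packaged override.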
@@ -261,21 +266,21 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %{_mandir}/man*/* %files devel -%defattr(-,root,root) %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll %{_includedir}/opencryptoki %ifarch %{openCryptoki_32bit_arch} %files 32bit -%defattr(-,root,root) # these don't conflict because they only exist as 64bit binaries if # there is no 32bit version of them usable %{_libdir}/opencryptoki/libopencryptoki.so %ghost %{_libdir}/opencryptoki/PKCS11_API.so %{_libdir}/opencryptoki/*.0 +%ifarch s390 %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%endif %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so @@ -298,7 +303,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A %ifarch %{openCryptoki_64bit_arch} %files 64bit -%defattr(-,root,root) %dir %{_libdir}/opencryptoki %{_libdir}/opencryptoki/*.so %{_libdir}/opencryptoki/*.0 diff --git a/opencryptoki-3.11.0.tar.gz b/opencryptoki-3.11.0.tar.gz deleted file mode 100644 index 528bddb..0000000 --- a/opencryptoki-3.11.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4d901373b08ed0b0d56a4df5e3f35a7d17142bdc5c5bf9b37c8a10200a08d6fd -size 935891