Accepting request 728362 from home:markkp:branches:security

Upgrade to 3.11.1

OBS-URL: https://build.opensuse.org/request/show/728362
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=89
Mark Post 2019-09-04 22:38:50 +00:00 committed by Git OBS Bridge
parent 61fa2dac51
commit b9b0c3bdde
7 changed files with 48 additions and 104 deletions


@ -1,60 +0,0 @@
From 1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 19 Nov 2018 13:30:09 +0100
Subject: [PATCH] EP11: Fix target_list passing for EP11-session logon/logoff
The target list is passed incorrectly to the handle_all_ep11_cards()
function. Dependent on memory content, this can cause it to
fail processing all EP11 cards. This will most likely cause a
CKR_DEVICE_ERROR to be returned by C_Login when the STRICT_SESSION
and/or VHSM_MODE is enabled in the ep11tok.conf config file.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/ep11_stdll/ep11_specific.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 2129762f..05332429 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -7600,7 +7600,7 @@ CK_RV ep11tok_login_session(STDLL_TokData_t * tokdata, SESSION * session)
}
}
- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list,
+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
ep11_login_handler, ep11_session);
if (rc != CKR_OK) {
TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc);
@@ -7646,8 +7646,7 @@ done:
if (ep11_session->flags &
(EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) {
rc2 =
- handle_all_ep11_cards((ep11_target_t *) &
- ep11_data->target_list,
+ handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
ep11_logout_handler, ep11_session);
if (rc2 != CKR_OK)
TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n",
@@ -7700,7 +7699,7 @@ static CK_RV ep11tok_relogin_session(STDLL_TokData_t * tokdata,
return CKR_USER_NOT_LOGGED_IN;
}
- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list,
+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
ep11_login_handler, ep11_session);
if (rc != CKR_OK)
TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc);
@@ -7747,7 +7746,7 @@ CK_RV ep11tok_logout_session(STDLL_TokData_t * tokdata, SESSION * session)
return CKR_USER_NOT_LOGGED_IN;
}
- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list,
+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list,
ep11_logout_handler, ep11_session);
if (rc != CKR_OK)
TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc);
--
2.16.2.windows.1


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9e79c732eb4ba938a96f73c1dadc4ee9b97eb57cfb6f5218bf66b1238059c2eb
size 938221


@ -1 +1 @@
addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki/") addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki")


@ -1,7 +0,0 @@
# Lock directories needed by openCryptoki
D /var/lock/opencryptoki/swtok 0770 root pkcs11
D /var/lock/opencryptoki/lite 0770 root pkcs11
D /var/lock/opencryptoki/tpm 0770 root pkcs11
D /var/lock/opencryptoki/ccatok 0770 root pkcs11
D /var/lock/opencryptoki/icsf 0770 root pkcs11
D /var/lock/opencryptoki/ep11tok 0770 root pkcs11


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Sep 3 23:02:38 UTC 2019 - Mark Post <mpost@suse.com>
- Upgraded to version 3.11.1 (Fate#327837)
Bug fixes.
- Dropped obsolete ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 15 05:22:55 UTC 2019 - mpost@suse.com Fri Feb 15 05:22:55 UTC 2019 - mpost@suse.com
@ -47,7 +54,7 @@ Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com
Fix and improve testcases. Fix and improve testcases.
Fix spec file permission for log directory. Fix spec file permission for log directory.
Fix build warnings. Fix build warnings.
* opencryptoki 3.9.0 * opencryptoki 3.9.0
Fix token reinitialization Fix token reinitialization
Fix conditional man pages Fix conditional man pages
EP11 enhancements EP11 enhancements
@ -59,7 +66,7 @@ Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com
- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch
- Made multiple changes to the spec file based on spec-cleaner output. - Made multiple changes to the spec file based on spec-cleaner output.
- Added an rpmlintrc file to squelch warnings about adding ghost - Added an rpmlintrc file to squelch warnings about adding ghost
entries for files under /var/log/opencryptoki/ entries for files under /var/lock/opencryptoki/
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com


@ -1,7 +1,7 @@
# #
# spec file for package openCryptoki # spec file for package openCryptoki
# #
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018, 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,35 +16,34 @@
# #
%define openCryptoki_32bit_arch %{arm} %{ix86} s390 ppc %define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
# support in the workings for: ppc64 # support in the workings for: ppc64
# no support in sight for: ia64 # no support in sight for: ia64
%define openCryptoki_64bit_arch aarch64 s390x ppc64 ppc64le x86_64 %define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
# autobuild:/work/cd/lib/misc/group # autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64: # openCryptoki pkcs11:x:64:
%define pkcs11_group_id 64 %define pkcs11_group_id 64
%define oc_cvs_tag opencryptoki %define oc_cvs_tag opencryptoki
Name: openCryptoki Name: openCryptoki
Version: 3.11.0 Version: 3.11.1
Release: 0 Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0 License: CPL-1.0
Group: Productivity/Security Group: Productivity/Security
URL: https://sourceforge.net/projects/opencryptoki/ URL: https://github.com/opencryptoki/opencryptoki
Source: %{oc_cvs_tag}-%{version}.tar.gz Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: openCryptoki.pkcsslotd Source1: openCryptoki.pkcsslotd
Source2: openCryptoki-TFAQ.html Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-tmp.conf Source3: openCryptoki-rpmlintrc
Source4: openCryptoki-rpmlintrc
# Patch 1 is needed because group pkcs11 doesn't exist in the build environment # Patch 1 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700. # and because we don't want(?) various file and directory permissions to be 0700.
Patch1: ocki-3.11-remove-make-install-chgrp.patch Patch1: ocki-3.11-remove-make-install-chgrp.patch
Patch2: ocki-3.11-Fix-target_list-passing-for-EP11-session.patch
BuildRequires: bison BuildRequires: bison
BuildRequires: dos2unix BuildRequires: dos2unix
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: libitm1
BuildRequires: libtool BuildRequires: libtool
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: openssl-devel >= 1.0 BuildRequires: openssl-devel >= 1.0
@ -52,7 +51,6 @@ BuildRequires: pkgconfig
BuildRequires: pwdutils BuildRequires: pwdutils
BuildRequires: trousers-devel BuildRequires: trousers-devel
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
Requires(pre): %{_bindir}/getent
Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/groupadd
Requires(pre): %{_sbindir}/usermod Requires(pre): %{_sbindir}/usermod
@ -88,13 +86,12 @@ co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries). Cryptographic Accelerator (FC 4960 on pSeries).
%ifarch %{openCryptoki_32bit_arch} %ifarch %{openCryptoki_32bit_arch}
%package 32bit %package 32bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before # this is needed to make sure the pkcs11 group exists before
# installation: # installation:
Group: Productivity/Security Group: Productivity/Security
PreReq: openCryptoki Requires: openCryptoki
ExclusiveArch: %{openCryptoki_32bit_arch} ExclusiveArch: %{openCryptoki_32bit_arch}
%description 32bit %description 32bit
@ -109,13 +106,12 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%endif %endif
%ifarch %{openCryptoki_64bit_arch} %ifarch %{openCryptoki_64bit_arch}
%package 64bit %package 64bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before # this is needed to make sure the pkcs11 group exists before
# installation: # installation:
Group: Productivity/Security Group: Productivity/Security
PreReq: openCryptoki Requires: openCryptoki
ExclusiveArch: %{openCryptoki_64bit_arch} ExclusiveArch: %{openCryptoki_64bit_arch}
%description 64bit %description 64bit
@ -132,15 +128,23 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%prep %prep
%setup -q -n %{oc_cvs_tag}-%{version} %setup -q -n %{oc_cvs_tag}-%{version}
%patch1 -p1 %patch1 -p1
%patch2 -p1
cp %{SOURCE2} . cp %{SOURCE2} .
%build %build
autoreconf --force --install ./bootstrap.sh
%configure \
--enable-tpmtok \ %configure --with-systemd=%{_unitdir} \
--with-systemd=%{_unitdir} --enable-tpmtok \
%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory
--enable-locks \
%endif
%ifarch s390 s390x
--enable-pkcsep11_migrate
%else
--disable-ccatok
%endif
make %{?_smp_mflags} make %{?_smp_mflags}
dos2unix doc/README.ep11_stdll dos2unix doc/README.ep11_stdll
@ -151,19 +155,19 @@ install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
install -d %{buildroot}%{_initddir} install -d %{buildroot}%{_initddir}
install -d %{buildroot}%{_sbindir} install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_prefix}/lib/tmpfiles.d install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
install -m 644 %{SOURCE3} %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
rm -rf %{buildroot}/tmp rm -rf %{buildroot}/tmp
# Remove all development files # Remove all development files
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
rm -f %{buildroot}%{_libdir}/opencryptoki/methods rm -f %{buildroot}%{_libdir}/opencryptoki/methods
%pre %pre
%{service_add_pre pkcsslotd.service}
# autobuild:/work/cd/lib/misc/group # autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64: # openCryptoki pkcs11:x:64:
%{_bindir}/getent group %{pkcs11_group_id} >/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 %{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true
%{_sbindir}/usermod -a -G pkcs11 root %{_sbindir}/usermod -a -G pkcs11 root
%{service_add_pre pkcsslotd.service}
%preun %preun
%{service_del_preun pkcsslotd.service} %{service_del_preun pkcsslotd.service}
@ -188,7 +192,6 @@ fi
%{service_del_postun pkcsslotd.service} %{service_del_postun pkcsslotd.service}
%ifarch %{openCryptoki_32bit_arch} %ifarch %{openCryptoki_32bit_arch}
%postun 32bit %postun 32bit
if [ -L %{_sysconfdir}/pkcs11 ] ; then if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11 rm %{_sysconfdir}/pkcs11
@ -212,7 +215,6 @@ cd stdll
%endif %endif
%ifarch %{openCryptoki_64bit_arch} %ifarch %{openCryptoki_64bit_arch}
%post 64bit %post 64bit
# Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only. # Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only.
test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11 test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
@ -221,32 +223,35 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%endif %endif
%files %files
%defattr(-,root,root)
%doc openCryptoki-TFAQ.html FAQ %doc openCryptoki-TFAQ.html FAQ
%doc doc/* %doc doc/*
# configuration directory # configuration directory
%dir %{_sysconfdir}/opencryptoki %dir %{_sysconfdir}/opencryptoki
%config %{_sysconfdir}/opencryptoki/opencryptoki.conf %config %{_sysconfdir}/opencryptoki/opencryptoki.conf
%ifarch s390 s390x %ifarch s390 s390x
%{_sbindir}/pkcsep11_session
%config %{_sysconfdir}/opencryptoki/ep11tok.conf
%config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf %config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
%config %{_sysconfdir}/opencryptoki/ep11tok.conf
%{_sbindir}/pkcsep11_migrate %{_sbindir}/pkcsep11_migrate
%endif %endif
%{_unitdir}/pkcsslotd.service %{_unitdir}/pkcsslotd.service
%{_tmpfilesdir}/opencryptoki.conf %{_tmpfilesdir}/opencryptoki.conf
%{_sbindir}/rcpkcsslotd %{_sbindir}/rcpkcsslotd
# utilities # utilities
%ifarch s390 s390x
%{_sbindir}/pkcsep11_session
%{_sbindir}/pkcscca
%endif
%{_sbindir}/pkcsslotd %{_sbindir}/pkcsslotd
%{_sbindir}/pkcsconf %{_sbindir}/pkcsconf
%{_sbindir}/pkcsicsf %{_sbindir}/pkcsicsf
%{_sbindir}/pkcscca
%dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll %dir %{_libdir}/opencryptoki/stdll
# State and lock directories # State and lock directories
%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki %dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki
%ifarch s390 s390x
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
%endif
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm
@ -261,21 +266,21 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%{_mandir}/man*/* %{_mandir}/man*/*
%files devel %files devel
%defattr(-,root,root)
%dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll %dir %{_libdir}/opencryptoki/stdll
%{_includedir}/opencryptoki %{_includedir}/opencryptoki
%ifarch %{openCryptoki_32bit_arch} %ifarch %{openCryptoki_32bit_arch}
%files 32bit %files 32bit
%defattr(-,root,root)
# these don't conflict because they only exist as 64bit binaries if # these don't conflict because they only exist as 64bit binaries if
# there is no 32bit version of them usable # there is no 32bit version of them usable
%{_libdir}/opencryptoki/libopencryptoki.so %{_libdir}/opencryptoki/libopencryptoki.so
%ghost %{_libdir}/opencryptoki/PKCS11_API.so %ghost %{_libdir}/opencryptoki/PKCS11_API.so
%{_libdir}/opencryptoki/*.0 %{_libdir}/opencryptoki/*.0
%ifarch s390
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%endif
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
@ -298,7 +303,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%ifarch %{openCryptoki_64bit_arch} %ifarch %{openCryptoki_64bit_arch}
%files 64bit %files 64bit
%defattr(-,root,root)
%dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/*.so %{_libdir}/opencryptoki/*.so
%{_libdir}/opencryptoki/*.0 %{_libdir}/opencryptoki/*.0
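Review bot: In the `%pre` scriptlet, `%{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true` discards both the error text and the exit status, so a real failure (for example GID 64 already assigned to a different group) looks the same as "group already exists". In that case the `usermod -a -G pkcs11 root` on the next line and the `%attr(770,root,pkcs11)` state directories in `%files` would refer to a group that was never created, and the install log would show nothing from groupadd. Testing for the group by name keeps the scriptlet idempotent without hiding errors: `getent group pkcs11 >/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11`, together with keeping `Requires(pre): %{_bindir}/getent`, which this change drops.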


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4d901373b08ed0b0d56a4df5e3f35a7d17142bdc5c5bf9b37c8a10200a08d6fd
size 935891