Accepting request 451674 from security

Upgraded to latest version per IBM request (fate#321451)

OBS-URL: https://build.opensuse.org/request/show/451674
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openCryptoki?expand=0&rev=38
Dominique Leuenberger 2017-01-24 09:38:17 +00:00 committed by Git OBS Bridge
commit d71451abde
13 changed files with 46 additions and 1348 deletions


@ -1,51 +0,0 @@
commit ca61c6e68ecd04c5f319056a6a3eba4b261f5481
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Jun 28 16:23:06 2016 -0400
Coverity:Check for NULL returns
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c
index 3cbb8da..39ecae8 100755
--- a/usr/lib/pkcs11/common/utility.c
+++ b/usr/lib/pkcs11/common/utility.c
@@ -589,6 +589,11 @@ CK_RV CreateXProcLock(void)
goto err;
}
grp = getgrnam("pkcs11");
+ if (grp == NULL) {
+ fprintf(stderr, "getgrname(pkcs11): %s",
+ strerror(errno));
+ goto err;
+ }
/* set ownership to euid, and pkcs11 group */
if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
fprintf(stderr, "Failed to set owner:group \
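Review bot: The new NULL branch after `getgrnam("pkcs11")` prints `strerror(errno)`, but getgrnam() leaves errno unchanged when the group simply does not exist, so the message can carry a stale or "Success" error string. Clearing errno before the call and naming the missing group makes the failure diagnosable: `errno = 0; grp = getgrnam("pkcs11");` and then `OCK_SYSLOG(LOG_ERR, "getgrnam(pkcs11): %s\n", errno ? strerror(errno) : "group not found");`. The message as written also names a function that does not exist (`getgrname`), has no trailing newline, and goes to stderr from library code. The same block is copied into token_specific_creatlock in the tpm_specific.c patch on this page. CreateXProcLock's body starts and ends outside the hunk.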
diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
index 9863d52..9478e92 100644
--- a/usr/lib/pkcs11/icsf_stdll/new_host.c
+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
@@ -813,6 +813,11 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
}
sess = session_mgr_find(*phSession);
+ if (!sess) {
+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
+ rc = CKR_SESSION_HANDLE_INVALID;
+ goto done;
+ }
sess->handle = *phSession;
rc = icsftok_open_session(sess);
done:
@@ -835,6 +840,11 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
}
sess = session_mgr_find(sSession->sessionh);
+ if (!sess) {
+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
+ rc = CKR_SESSION_HANDLE_INVALID;
+ goto done;
+ }
//set the handle here as handle is never set into session during creation
sess->handle = sSession->sessionh;
rc = icsftok_close_session(sess);


@ -1,83 +0,0 @@
commit aeea198cb8ea640cd37735365ee51a03aca67036
Author: Vineetha Pai <vpishar@us.ibm.com>
Date: Mon Jul 18 15:41:24 2016 -0400
create missing tpm lock directory from tpm stdll.
tpm token does not use common/utility function to create token lock
directory. Hence the patch to create missing lock directories was not
working on tpm token. Modified the tpm stdll code to create the token
lock directory if it is missing on the system.
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
index e7978d3..2a20d7d 100644
--- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
+++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
@@ -44,6 +44,7 @@
#include <errno.h>
#include <pwd.h>
#include <syslog.h>
+#include <grp.h>
#include <openssl/des.h>
#include <openssl/rand.h>
@@ -3393,10 +3394,13 @@ int
token_specific_creatlock(void)
{
CK_BYTE lockfile[PATH_MAX];
+ CK_BYTE lockdir[PATH_MAX];
struct passwd *pw = NULL;
struct stat statbuf;
mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR);
int lockfd;
+ int ret = -1;
+ struct group *grp;
/* get userid */
if ((pw = getpwuid(getuid())) == NULL) {
@@ -3404,6 +3408,45 @@ token_specific_creatlock(void)
return -1;
}
+ /** create lock subdir for each token if it doesn't exist.
+ * The root /var/lock/opencryptoki directory should be created in slotmgr
+ * daemon **/
+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
+
+ ret = stat(lockdir, &statbuf);
+ if (ret != 0 && errno == ENOENT) {
+ /* dir does not exist, try to create it */
+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
+ if (ret != 0) {
+ OCK_SYSLOG(LOG_ERR,
+ "Directory(%s) missing: %s\n",
+ lockdir,
+ strerror(errno));
+ goto err;
+ }
+ grp = getgrnam("pkcs11");
+ if (grp == NULL) {
+ fprintf(stderr, "getgrname(pkcs11): %s",
+ strerror(errno));
+ goto err;
+ }
+ /* set ownership to euid, and pkcs11 group */
+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
+ fprintf(stderr, "Failed to set owner:group \
+ ownership\
+ on %s directory", lockdir);
+ goto err;
+ }
+ /* mkdir does not set group permission right, so
+ ** trying explictly here again */
+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
+ fprintf(stderr, "Failed to change \
+ permissions\
+ on %s directory", lockdir);
+ goto err;
+ }
+ }
+
/* create user-specific directory */
sprintf(lockfile, "%s/%s/%s", LOCKDIR_PATH, SUB_DIR, pw->pw_name);
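Review bot: Ownership and mode of the new lock directory are set by path (`chown(lockdir, ...)`, `chmod(lockdir, ...)`) after `mkdir()`, so each call resolves the name again and `chown()` follows symbolic links. If the parent directory is writable by other members of the pkcs11 group, as the drwxrwx--- comment in the slotmgr.c patch suggests, the name may no longer refer to the directory that was just created by the time these calls run. Opening the directory once with `O_DIRECTORY | O_NOFOLLOW` and using `fchown()`/`fchmod()` on that descriptor ties the steps to one object; the fence assumes an `int dfd` declared with the other locals. The same path-based sequence is in CreateXProcLock (utility.c patch) and run_sanity_checks (slotmgr.c patch). The `err` label that the new `goto err` lines target is not visible in the hunk, and token_specific_creatlock continues outside it.

```c
		/* … unchanged: mkdir(lockdir, ...) and getgrnam("pkcs11") with their error checks … */

		/* Bind the ownership and mode changes to the directory itself,
		 * not to whatever the path names at the time of each call. */
		dfd = open(lockdir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
		if (dfd == -1) {
			OCK_SYSLOG(LOG_ERR, "open(%s): %s\n",
				   lockdir, strerror(errno));
			goto err;
		}
		if (fchown(dfd, geteuid(), grp->gr_gid) != 0 ||
		    fchmod(dfd, S_IRWXU|S_IRWXG) != 0) {
			OCK_SYSLOG(LOG_ERR, "fchown/fchmod(%s): %s\n",
				   lockdir, strerror(errno));
			close(dfd);
			goto err;
		}
		close(dfd);
```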


@ -1,20 +0,0 @@
commit 786b6a4223119501f4aa7faf5a413c1ba10e38f6
Author: Vineetha Pai <vpishar@us.ibm.com>
Date: Tue May 31 15:15:14 2016 -0400
Downgraded a syslog error to warning
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c
index ce0dc18..ec50f71 100755
--- a/usr/lib/pkcs11/api/apiutil.c
+++ b/usr/lib/pkcs11/api/apiutil.c
@@ -820,7 +820,7 @@ DLL_Load_t *dllload;
} else {
char *e = dlerror();
- OCK_SYSLOG(LOG_ERR,
+ OCK_SYSLOG(LOG_WARNING,
"%s: dlopen() failed for [%s]; dlerror = [%s]\n",
__FUNCTION__, sinfp->dll_location, e);
TRACE_DEVEL("DL_Load of %s failed, dlerror: %s\n",


@ -1,35 +0,0 @@
From 814e5861701798b4f5872fcc20f7292f79987104 Mon Sep 17 00:00:00 2001
From: Eduardo Barretto <ebarreto@linux.vnet.ibm.com>
Date: Tue, 30 Aug 2016 16:46:40 -0300
Subject: [PATCH] PKCSCCA: Fix symbol name to get the correct address
The csulincl.h file was changed to substitute the xxx_32 bit API
declarations with the latest CCA v5. In order to pkcscca work and avoid
"Illegal Instruction" we had to fix the symbol name that should be called
based on the csulincl.h change.
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
---
usr/sbin/pkcscca/pkcscca.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index 6d9f8dd..05caea3 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -1387,9 +1387,9 @@ int main(int argc, char **argv)
return -1;
}
- CSNDKTC = dlsym(lib_csulcca, "CSNDKTC_32");
- CSNBKTC = dlsym(lib_csulcca, "CSNBKTC_32");
- CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2_32");
+ CSNDKTC = dlsym(lib_csulcca, "CSNDKTC");
+ CSNBKTC = dlsym(lib_csulcca, "CSNBKTC");
+ CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2");
ret = migrate_wrapped_keys(slot_id, userpin, masterkey);
}
done:
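Review bot: None of the three `dlsym()` results is checked before `migrate_wrapped_keys()` runs, so a library that lacks one of the renamed symbols leaves a NULL function pointer to be called later; the hunk shows no check, though one may exist outside it. A guard directly after the lookups turns that crash into a clear error: `if (!CSNDKTC || !CSNBKTC || !CSNBKTC2) { fprintf(stderr, "dlsym: %s\n", dlerror()); ret = -1; goto done; }`. main's body starts and ends outside the hunk.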
--
1.9.1


@ -1,21 +0,0 @@
commit f45ddf572c05cbeb54c524805060256a33435149
Author: Vineetha Pai <vpishar@us.ibm.com>
Date: Tue Jun 21 17:06:25 2016 -0400
Added support for rc=8, reasoncode=2028 in icsf token
bz#142190
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
index 1c25cd2..c9b986b 100644
--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
@@ -233,6 +233,8 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
switch(icsf_reason_code) {
case 2154:
return CKR_KEY_TYPE_INCONSISTENT;
+ case 2028:
+ return CKR_WRAPPED_KEY_INVALID;
case 3003:
return CKR_BUFFER_TOO_SMALL;
case 3019:


@ -1,19 +0,0 @@
commit 165a1020da10ddbdc39e51e9a411a5c09f6dbae6
Author: Vineetha Pai <vpishar@us.ibm.com>
Date: Thu May 19 16:46:51 2016 -0400
Added pkcs11 mapping for icsf reason code 72 for return code 8
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
index d71b19f..5b7fb45 100644
--- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
@@ -258,6 +258,7 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
return CKR_KEY_HANDLE_INVALID;
case 3045:
return CKR_KEY_UNEXTRACTABLE;
+ case 72:
case 11000:
return CKR_DATA_LEN_RANGE;
case 11028:


@ -1,418 +0,0 @@
commit 2d03c609981cd3bf5cefb7d3188878f68b33f722
Author: Vineetha Pai <vpishar@us.ibm.com>
Date: Tue Jun 21 16:43:53 2016 -0400
Fix for session handle not set in session issue.
bz142186
icsf token uses the session handle for a session as the session_id in
its own internal session state structure. The session handle is an
index into the session btree and is not set in the SESSION structure
after a new session is created. This causes session_handle to be always 0 and
session_id to be always set to 0, causing issues when multiple sessions are active.
This affects icsf token as it stores and uses session handle internally
unlike other tokens. This patch sets the session handle into the session
structure for all SC_API calls.
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
index 4923a77..9863d52 100644
--- a/usr/lib/pkcs11/icsf_stdll/new_host.c
+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
@@ -703,6 +703,9 @@ CK_RV SC_InitPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pPin,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle here as handle is never set into session during creation
+ sess->handle = sSession->sessionh;
+
if (pin_locked(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
rc = CKR_PIN_LOCKED;
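Review bot: Writing `sess->handle = sSession->sessionh;` by hand in every SC_* entry point (this hunk and each one after it in the patch) makes the fix depend on nobody forgetting the line: an entry point that misses it keeps handle 0, which the description says makes sessions share session_id 0. Since the SC_OpenSession hunk already stores the handle right after the session is created, the per-call assignments look redundant if that is the only creation path; if it is not, one helper that looks up the session and sets the handle would keep the rule in a single place. The explanatory comment also varies between hunks (`//set the handle here as handle is never set into session during creation` versus `//set the handle into the session.`), and one explanation where the handle is first stored would be enough. Every function touched here starts and ends outside its hunk.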
@@ -746,6 +749,9 @@ CK_RV SC_SetPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pOldPin,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle here as handle is never set into session during creation
+ sess->handle = sSession->sessionh;
+
if (pin_locked(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
@@ -807,6 +813,7 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
}
sess = session_mgr_find(*phSession);
+ sess->handle = *phSession;
rc = icsftok_open_session(sess);
done:
if (locked)
@@ -828,6 +835,8 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
}
sess = session_mgr_find(sSession->sessionh);
+ //set the handle here as handle is never set into session during creation
+ sess->handle = sSession->sessionh;
rc = icsftok_close_session(sess);
if (rc)
goto done;
@@ -923,6 +932,8 @@ CK_RV SC_GetOperationState(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = session_mgr_get_op_state(sess, length_only, pOperationState,
pulOperationStateLen);
@@ -962,6 +973,8 @@ CK_RV SC_SetOperationState(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = session_mgr_set_op_state(sess, hEncryptionKey, hAuthenticationKey,
pOperationState, ulOperationStateLen);
@@ -1000,6 +1013,9 @@ CK_RV SC_Login(ST_SESSION_HANDLE *sSession, CK_USER_TYPE userType,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
+
flags = &nv_token_data->token_info.flags;
if (!pPin || ulPinLen > MAX_PIN_LEN) {
@@ -1113,6 +1129,8 @@ CK_RV SC_Logout(ST_SESSION_HANDLE *sSession)
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
/* all sessions have the same state so we just have to check one */
if (session_mgr_public_session_exists()) {
@@ -1155,6 +1173,8 @@ CK_RV SC_CreateObject(ST_SESSION_HANDLE *sSession, CK_ATTRIBUTE_PTR pTemplate,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags)) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1204,6 +1224,8 @@ CK_RV SC_CopyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1240,6 +1262,8 @@ CK_RV SC_DestroyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject)
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1285,6 +1309,8 @@ CK_RV SC_GetObjectSize(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = icsftok_get_attribute_value(sess, hObject, pTemplate,
ulCount, pulSize);
@@ -1319,6 +1345,8 @@ CK_RV SC_GetAttributeValue(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = icsftok_get_attribute_value(sess, hObject, pTemplate,
ulCount, NULL);
@@ -1369,6 +1397,8 @@ CK_RV SC_SetAttributeValue(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = icsftok_set_attribute_value(sess, hObject, pTemplate, ulCount);
if (rc != CKR_OK)
@@ -1416,6 +1446,8 @@ CK_RV SC_FindObjectsInit(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1480,6 +1512,8 @@ CK_RV SC_FindObjects(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE_PTR phObject,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->find_active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1525,6 +1559,8 @@ CK_RV SC_FindObjectsFinal(ST_SESSION_HANDLE *sSession)
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->find_active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1576,6 +1612,8 @@ CK_RV SC_EncryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1626,6 +1664,8 @@ CK_RV SC_Encrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->encr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1677,6 +1717,8 @@ CK_RV SC_EncryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->encr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1726,6 +1768,8 @@ CK_RV SC_EncryptFinal(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->encr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1780,6 +1824,8 @@ CK_RV SC_DecryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -1832,6 +1878,8 @@ CK_RV SC_Decrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->decr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1884,6 +1932,8 @@ CK_RV SC_DecryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->decr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1933,6 +1983,8 @@ CK_RV SC_DecryptFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pLastPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->decr_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -1984,6 +2036,8 @@ CK_RV SC_DigestInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism)
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
@@ -2039,6 +2093,8 @@ CK_RV SC_Digest(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->digest_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2086,6 +2142,8 @@ CK_RV SC_DigestUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->digest_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2125,6 +2183,8 @@ CK_RV SC_DigestKey(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hKey)
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->digest_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2169,6 +2229,8 @@ CK_RV SC_DigestFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pDigest,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->digest_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2216,6 +2278,8 @@ CK_RV SC_SignInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = valid_mech(pMechanism, CKF_SIGN);
if (rc != CKR_OK)
@@ -2271,6 +2335,8 @@ CK_RV SC_Sign(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->sign_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2318,6 +2384,8 @@ CK_RV SC_SignUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->sign_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2363,6 +2431,8 @@ CK_RV SC_SignFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->sign_ctx.active == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
@@ -2440,6 +2510,8 @@ CK_RV SC_VerifyInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -2492,6 +2564,8 @@ CK_RV SC_Verify(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->verify_ctx.active == FALSE) {
rc = CKR_OPERATION_NOT_INITIALIZED;
@@ -2537,6 +2611,8 @@ CK_RV SC_VerifyUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->verify_ctx.active == FALSE) {
rc = CKR_OPERATION_NOT_INITIALIZED;
@@ -2583,6 +2659,8 @@ CK_RV SC_VerifyFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (sess->verify_ctx.active == FALSE) {
rc = CKR_OPERATION_NOT_INITIALIZED;
@@ -2718,6 +2796,8 @@ CK_RV SC_GenerateKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -2791,6 +2871,8 @@ CK_RV SC_GenerateKeyPair(ST_SESSION_HANDLE *sSession,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -2875,6 +2957,8 @@ CK_RV SC_WrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -2929,6 +3013,8 @@ CK_RV SC_UnwrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -2998,6 +3084,8 @@ CK_RV SC_DeriveKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
if (pin_expired(&sess->session_info,
nv_token_data->token_info.flags) == TRUE) {
@@ -3104,6 +3192,8 @@ CK_RV SC_GenerateRandom(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pRandomData,
rc = CKR_SESSION_HANDLE_INVALID;
goto done;
}
+ //set the handle into the session.
+ sess->handle = sSession->sessionh;
rc = rng_generate(pRandomData, ulRandomLen);
if (rc != CKR_OK)


@ -1,674 +0,0 @@
1) Create lock and log directories from pkcsslotd when they are not available on the system.
2) The patch also does basic sanity checks of asserting the presence of pkcs11 group, euid, gid of the process running pkcsslotd.
3) The patch also checks if token directories are available on the system.
4) The token lock sub-directories are created from opencryptoki while the token is configured via pkcsconf or when the first call to the token is made via C_Initialize.
Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
--- a/usr/lib/pkcs11/common/utility.c
+++ b/usr/lib/pkcs11/common/utility.c
@@ -557,9 +557,11 @@
CK_RV CreateXProcLock(void)
{
CK_BYTE lockfile[PATH_MAX];
+ CK_BYTE lockdir[PATH_MAX];
struct group *grp;
struct stat statbuf;
mode_t mode = (S_IRUSR | S_IRGRP);
+ int ret = -1;
if (spinxplfd == -1) {
@@ -571,9 +573,42 @@
return CKR_FUNCTION_FAILED;
}
+ /** create lock subdir for each token if it doesn't exist.
+ * The root directory should be created in slotmgr daemon **/
+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
+
+ ret = stat(lockdir, &statbuf);
+ if (ret != 0 && errno == ENOENT) {
+ /* dir does not exist, try to create it */
+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
+ if (ret != 0) {
+ OCK_SYSLOG(LOG_ERR,
+ "Directory(%s) missing: %s\n",
+ lockdir,
+ strerror(errno));
+ goto err;
+ }
+ grp = getgrnam("pkcs11");
+ /* set ownership to euid, and pkcs11 group */
+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
+ fprintf(stderr, "Failed to set owner:group \
+ ownership\
+ on %s directory", lockdir);
+ goto err;
+ }
+ /* mkdir does not set group permission right, so
+ ** trying explictly here again */
+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
+ fprintf(stderr, "Failed to change \
+ permissions\
+ on %s directory", lockdir);
+ goto err;
+ }
+ }
+
/* create user lock file */
sprintf(lockfile, "%s/%s/LCK..%s",
- LOCKDIR_PATH, SUB_DIR, SUB_DIR);
+ LOCKDIR_PATH, SUB_DIR, SUB_DIR);
if (stat(lockfile, &statbuf) == 0)
spinxplfd = open(lockfile, O_RDONLY, mode);
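Review bot: The `stat()`/`mkdir()` pair treats every mkdir failure as fatal, so when two processes reach CreateXProcLock together and both see ENOENT, the one that loses the race gets EEXIST and takes `goto err` although the directory now exists. Handling `errno == EEXIST` as "already created" — skipping the chown/chmod steps and falling through to the lock-file code — keeps a concurrent first start from failing. The log text `"Directory(%s) missing: %s\n"` would also read better as a mkdir failure, since at that point a missing directory is not the error being reported. The tpm_specific.c patch on this page carries the same sequence. CreateXProcLock's body starts and ends outside the hunk.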
@@ -583,30 +618,30 @@
/* umask may prevent correct mode,so set it. */
if (fchmod(spinxplfd, mode) == -1) {
OCK_SYSLOG(LOG_ERR, "fchmod(%s): %s\n",
- lockfile, strerror(errno));
+ lockfile, strerror(errno));
goto err;
}
grp = getgrnam("pkcs11");
if (grp != NULL) {
if (fchown(spinxplfd, -1, grp->gr_gid)
- == -1) {
+ == -1) {
OCK_SYSLOG(LOG_ERR,
- "fchown(%s): %s\n",
- lockfile,
- strerror(errno));
+ "fchown(%s): %s\n",
+ lockfile,
+ strerror(errno));
goto err;
}
} else {
OCK_SYSLOG(LOG_ERR, "getgrnam(): %s\n",
- strerror(errno));
+ strerror(errno));
goto err;
}
}
}
if (spinxplfd == -1) {
OCK_SYSLOG(LOG_ERR, "open(%s): %s\n",
- lockfile, strerror(errno));
+ lockfile, strerror(errno));
return CKR_FUNCTION_FAILED;
}
}
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -8,10 +8,10 @@
1. DEFINITIONS
- "Contribution" means:
+ "Contribution" means:
a) in the case of the initial Contributor, the
initial code and documentation distributed under
- this Agreement, and
+ this Agreement, and
b) in the case of each subsequent Contributor:
i) changes to the Program, and
@@ -35,7 +35,7 @@
"Licensed Patents " mean patent claims licensable by a
Contributor which are necessarily infringed by the use or
sale of its Contribution alone or when combined with the
- Program.
+ Program.
"Program" means the Contributions distributed in
accordance with this Agreement.
@@ -130,7 +130,7 @@
a) it must be made available under this Agreement;
and
b) a copy of this Agreement must be included with
- each copy of the Program.
+ each copy of the Program.
Contributors may not remove or alter any copyright notices
contained within the Program.
@@ -138,7 +138,7 @@
Each Contributor must identify itself as the originator of
its Contribution, if any, in a manner that reasonably
allows subsequent Recipients to identify the originator of
- the Contribution.
+ the Contribution.
4. COMMERCIAL DISTRIBUTION
@@ -199,7 +199,7 @@
Agreement, including but not limited to the risks and
costs of program errors, compliance with applicable laws,
damage to or loss of data, programs or equipment, and
- unavailability or interruption of operations.
+ unavailability or interruption of operations.
6. DISCLAIMER OF LIABILITY
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
@@ -248,7 +248,7 @@
use and distribution of the Program as soon as reasonably
practicable. However, Recipient's obligations under this
Agreement and any licenses granted by Recipient relating
- to the Program shall continue and survive.
+ to the Program shall continue and survive.
Everyone is permitted to copy and distribute copies of
this Agreement, but in order to avoid inconsistency the
@@ -280,7 +280,7 @@
States of America. No party to this Agreement will bring a
legal action under this Agreement more than one year after
the cause of action arose. Each party waives its rights to
- a jury trial in any resulting litigation.
+ a jury trial in any resulting litigation.
@@ -294,6 +294,8 @@
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
+#include <sys/stat.h>
+#include <grp.h>
#include "log.h"
#include "slotmgr.h"
@@ -309,8 +311,13 @@
int socketfd;
Slot_Mgr_Socket_t socketData;
-/*
- We make main() able to modify Daemon so that we can
+struct dircheckinfo_s {
+ const char *dir;
+ int mode;
+};
+
+/*
+ We make main() able to modify Daemon so that we can
daemonize or not based on a command-line argument
*/
extern BOOL Daemon;
@@ -322,14 +329,91 @@
u_int32 *p;
char Buf[PATH_MAX];
u_int32 i;
-
+
p = (u_int32 *) shmp;
-
+
for ( i = 0; i < 15; i++ ) {
sprintf(Buf, "%08X %08X %08X %08X", p[0+(i*4)], p[1+(i*4)], p[2+(i*4)], p[3+(i*4)]);
LogLog(Buf);
}
return;
+}
+
+/** This function does basic sanity checks to make sure the
+ * eco system is in place for opencryptoki to run properly.
+ **/
+void run_sanity_checks()
+{
+ int i, ec, uid = -1;
+ struct group *grp = NULL;
+ struct stat sbuf;
+ struct dircheckinfo_s dircheck[] = {
+ //drwxrwx---
+ {LOCKDIR_PATH, S_IRWXU|S_IRWXG},
+ {OCK_LOGDIR, S_IRWXU|S_IRWXG},
+ {NULL, 0},
+ };
+
+ /* first check that our effective user id is root */
+ uid = (int) geteuid();
+ if (uid != 0) {
+ fprintf(stderr, "This daemon needs root privilegies, but the effective user id is not 'root'.\n");
+ exit(1);
+ }
+
+ /* check that the pkcs11 group exists */
+ grp = getgrnam("pkcs11");
+ if (!grp) {
+ fprintf(stderr, "There is no 'pkcs11' group on this system.\n");
+ exit(1);
+ }
+
+ /* check effective group id */
+ uid = (int) getegid();
+ if (uid != 0 && uid != (int) grp->gr_gid) {
+ fprintf(stderr, "This daemon should have an effective group id of 'root' or 'pkcs11'.\n");
+ exit(1);
+ }
+
+ /* Create base lock and log directory here. API..Lock file is
+ * accessed from the daemon in CreateXProcLock() in mutex.c.*/
+ for (i=0; dircheck[i].dir != NULL; i++) {
+ ec = stat(dircheck[i].dir, &sbuf);
+ if (ec != 0 && errno == ENOENT) {
+ /* dir does not exist, try to create it */
+ ec = mkdir(dircheck[i].dir, dircheck[i].mode);
+ if (ec != 0) {
+ fprintf(stderr, "Directory %s missing\n",
+ dircheck[i].dir);
+ exit(2);
+ }
+ /* set ownership to root, and pkcs11 group */
+ if (chown(dircheck[i].dir, geteuid(), grp->gr_gid) != 0) {
+ fprintf(stderr, "Failed to set owner:group \
+ ownership\
+ on %s directory", dircheck[i].dir);
+ exit(1);
+ }
+ /* mkdir does not set group permission right, so
+ * trying explictly here again */
+ if (chmod(dircheck[i].dir, dircheck[i].mode) != 0){
+ fprintf(stderr, "Failed to change \
+ permissions\
+ on %s directory", dircheck[i].dir);
+ exit(1);
+ }
+ }
+ }
+
+ /** check if token directory is available, if not flag an error.
+ * We do not create token directories here as admin should
+ * configure and decide which tokens to expose to opencryptoki
+ * outside of opencryptoki and pkcsslotd */
+ ec = stat(CONFIG_PATH, &sbuf);
+ if (ec != 0 && errno == ENOENT) {
+ fprintf(stderr, "Token directories missing\n");
+ exit(2);
+ }
}
/*****************************************
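Review bot: run_sanity_checks only acts when `stat()` fails with ENOENT, so a LOCKDIR_PATH or OCK_LOGDIR that already exists is accepted without looking at `sbuf`: a regular file, a directory owned by another user, or one with looser permissions than the intended drwxrwx--- all pass, and any other stat error (EACCES, for instance) is silently ignored. For the existing-path case the loop could verify at least `S_ISDIR(sbuf.st_mode)`, `sbuf.st_uid == 0`, `sbuf.st_gid == grp->gr_gid` and `(sbuf.st_mode & S_IRWXO) == 0`, and exit with a message when one of them fails. Smaller points in the same hunk: the definition should read `void run_sanity_checks(void)`, the chown/chmod messages lack a trailing newline, and the backslash-continued string literals embed the next line's indentation in the printed text.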
@@ -341,205 +425,191 @@
*****************************************/
int main ( int argc, char *argv[], char *envp[]) {
- int ret;
-
- /**********************************/
- /* Read in command-line arguments */
- /**********************************/
-
- /* FIXME: Argument for daemonizing or not */
- /* FIXME: Argument for debug level */
- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) */
-
-
- /* Report our debug level */
- if ( GetDebugLevel() > DEBUG_NONE) {
-
- DbgLog(GetDebugLevel(), "Starting with debugging messages logged at level %d (%d = No messages; %d = few; %d = more, etc.)",
- GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1);
-
- }
-
-
- /* Save our startup directory */
- SaveStartupDirectory( argv[0] );
-
- ret = load_and_parse(OCK_CONFIG);
- if (ret != 0) {
- ErrLog("Failed to read config file.\n");
- return 1;
- } else
- DbgLog (DL0, "Parse config file succeeded.\n");
-
- /* Allocate and Attach the shared memory region */
- if ( ! CreateSharedMemory() ) {
- /* CreateSharedMemory() does it's own error logging */
- return 1;
- }
-
- DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok);
-
- /* Now that we've created the shared memory segment, we attach to it */
- if ( ! AttachToSharedMemory() ) {
- /* AttachToSharedMemory() does it's own error logging */
- DestroySharedMemory();
- return 2;
- }
-
- /* Initialize the global shared memory mutex (and the attribute used to create the per-process mutexes */
- if ( ! InitializeMutexes() ) {
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 3;
- }
-
- /* Get the global shared memory mutex */
-
- XProcLock();
-
- /* Populate the Shared Memory Region */
- if ( ! InitSharedMemory(shmp) ) {
-
- XProcUnLock();
-
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 4;
- }
-
- /* Release the global shared memory mutex */
- XProcUnLock();
-
- if ((socketfd = CreateListenerSocket()) < 0) {
- DestroyMutexes();
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 5;
- }
-
- if (!InitSocketData(&socketData)) {
- DetachSocketListener(socketfd);
- DestroyMutexes();
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 6;
- }
-
- /*
- * Become a Daemon, if called for
- */
- if ( Daemon ) {
- pid_t pid;
- if ( (pid = fork()) < 0 ){
- DetachSocketListener(socketfd);
- DestroyMutexes();
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 7;
- } else {
- if ( pid != 0) {
- exit(0); // Terminate the parent
- } else {
-
- setsid(); // Session leader
+ int ret;
+
+ /**********************************/
+ /* Read in command-line arguments */
+ /**********************************/
+
+ /* FIXME: Argument for daemonizing or not */
+ /* FIXME: Argument for debug level */
+ /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) */
+
+ /* Do some basic sanity checks */
+ run_sanity_checks();
+
+ /* Report our debug level */
+ if ( GetDebugLevel() > DEBUG_NONE) {
+ DbgLog(GetDebugLevel(), "Starting with debugging messages logged at \
+ level %d (%d = No messages; %d = few; %d = more, etc.)",
+ GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1);
+ }
+
+ /* Save our startup directory */
+ SaveStartupDirectory( argv[0] );
+
+ ret = load_and_parse(OCK_CONFIG);
+ if (ret != 0) {
+ ErrLog("Failed to read config file.\n");
+ return 1;
+ } else
+ DbgLog (DL0, "Parse config file succeeded.\n");
+
+ /* Allocate and Attach the shared memory region */
+ if ( ! CreateSharedMemory() ) {
+ /* CreateSharedMemory() does it's own error logging */
+ return 1;
+ }
+
+ DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok);
+
+ /* Now that we've created the shared memory segment, we attach to it */
+ if ( ! AttachToSharedMemory() ) {
+ /* AttachToSharedMemory() does it's own error logging */
+ DestroySharedMemory();
+ return 2;
+ }
+
+ /* Initialize the global shared memory mutex (and the attribute
+ * used to create the per-process mutexes */
+ if ( ! InitializeMutexes() ) {
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 3;
+ }
+
+ /* Get the global shared memory mutex */
+ XProcLock();
+
+ /* Populate the Shared Memory Region */
+ if ( ! InitSharedMemory(shmp) ) {
+
+ XProcUnLock();
+
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 4;
+ }
+
+ /* Release the global shared memory mutex */
+ XProcUnLock();
+
+ if ((socketfd = CreateListenerSocket()) < 0) {
+ DestroyMutexes();
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 5;
+ }
+
+ if (!InitSocketData(&socketData)) {
+ DetachSocketListener(socketfd);
+ DestroyMutexes();
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 6;
+ }
+
+ /*
+ * Become a Daemon, if called for
+ */
+ if ( Daemon ) {
+ pid_t pid;
+ if ( (pid = fork()) < 0 ){
+ DetachSocketListener(socketfd);
+ DestroyMutexes();
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 7;
+ } else {
+ if ( pid != 0) {
+ exit(0); // Terminate the parent
+ } else {
+
+ setsid(); // Session leader
#ifndef DEV
- fclose(stderr);
- fclose(stdout);
- fclose(stdin);
+ fclose(stderr);
+ fclose(stdout);
+ fclose(stdin);
#endif
-
- }
- }
-
-
- } else {
-
+ }
+ }
+ } else {
#ifdef DEV
- // Log only on development builds
- LogLog("Not becoming a daemon...\n");
+ // Log only on development builds
+ LogLog("Not becoming a daemon...\n");
#endif
-
- }
-
-
- /*****************************************
- *
- * Register Signal Handlers
- * Daemon probably should ignore ALL signals possible, since termination
- * while active is a bad thing... however one could check for
- * any processes active in the shared memory, and destroy the shm if
- * the process wishes to terminate.
- *
- *****************************************/
-
- /*
- * We have to set up the signal handlers after we daemonize because
- * the daemonization process redefines our handler for (at least) SIGTERM
- */
-
- if ( ! SetupSignalHandlers() ) {
- DetachSocketListener(socketfd);
- DestroyMutexes();
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 8;
- }
-
-
-
-
- /* ultimatly we will create a couple of threads which monitor the slot db
- and handle the insertion and removal of tokens from the slot.
- */
-
- /* For Testing the Garbage collection routines */
- /*
- shmp->proc_table[3].inuse = TRUE;
- shmp->proc_table[3].proc_id = 24328;
- */
+ }
+
+ /*****************************************
+ *
+ * Register Signal Handlers
+ * Daemon probably should ignore ALL signals possible, since termination
+ * while active is a bad thing... however one could check for
+ * any processes active in the shared memory, and destroy the shm if
+ * the process wishes to terminate.
+ *
+ *****************************************/
+
+ /*
+ * We have to set up the signal handlers after we daemonize because
+ * the daemonization process redefines our handler for (at least) SIGTERM
+ */
+ if ( ! SetupSignalHandlers() ) {
+ DetachSocketListener(socketfd);
+ DestroyMutexes();
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 8;
+ }
+
+ /* ultimatly we will create a couple of threads which monitor the slot db
+ and handle the insertion and removal of tokens from the slot.
+ */
+
+ /* For Testing the Garbage collection routines */
+ /*
+ shmp->proc_table[3].inuse = TRUE;
+ shmp->proc_table[3].proc_id = 24328;
+ */
#if !defined(NOGARBAGE)
-printf("Start garbage \n");
- /* start garbage collection thread */
- if ( ! StartGCThread(shmp) ) {
- DetachSocketListener(socketfd);
- DestroyMutexes();
- DetachFromSharedMemory();
- DestroySharedMemory();
- return 9;
- }
+ printf("Start garbage \n");
+ /* start garbage collection thread */
+ if ( ! StartGCThread(shmp) ) {
+ DetachSocketListener(socketfd);
+ DestroyMutexes();
+ DetachFromSharedMemory();
+ DestroySharedMemory();
+ return 9;
+ }
#endif
- // We've fully become a daemon. Now create the PID file
- {
- FILE *pidfile;
-
- pidfile = fopen(PID_FILE_PATH,"w");
- if (pidfile) {
- fprintf(pidfile,"%d",getpid());
- fclose(pidfile);
- }
- }
-
- while (1) {
+ // We've fully become a daemon. Now create the PID file
+ {
+ FILE *pidfile;
+
+ pidfile = fopen(PID_FILE_PATH,"w");
+ if (pidfile) {
+ fprintf(pidfile,"%d",getpid());
+ fclose(pidfile);
+ }
+ }
+
+ while (1) {
#if !(THREADED) && !(NOGARBAGE)
- CheckForGarbage(shmp);
+ CheckForGarbage(shmp);
#endif
-
- SocketConnectionHandler(socketfd, 10);
-
- }
-
-
- /*************************************************************
- *
- * Here we need to actualy go through the processes and verify that thye
- * still exist. If not, then they terminated with out properly calling
- * C_Finalize and therefore need to be removed from the system.
- * Look for a system routine to determine if the shared memory is held by
- * the process to further verify that the proper processes are in the
- * table.
- *
- *************************************************************/
-
+ SocketConnectionHandler(socketfd, 10);
+ }
+
+ /*************************************************************
+ *
+ * Here we need to actualy go through the processes and verify that thye
+ * still exist. If not, then they terminated with out properly calling
+ * C_Finalize and therefore need to be removed from the system.
+ * Look for a system routine to determine if the shared memory is held by
+ * the process to further verify that the proper processes are in the
+ * table.
+ *
+ *************************************************************/
} /* end main */


@ -1,3 +1,41 @@
-------------------------------------------------------------------
Tue Jan 17 17:12:30 UTC 2017 - mpost@suse.com
- Upgraded to version 3.6.1 (fate#321451)
- opencryptoki 3.6.1
- Fix SOFT token implementation of digest functions.
- Replace deprecated OpenSSL interfaces.
- opencryptoki 3.6
- Replace deprecated libica interfaces.
- Performance improvement for ICA.
- Improvement in documentation on system resources.
- Improvement in testcases.
- Added support for rc=8, reasoncode=2028 in icsf token.
- Fix for session handle not set in session issue.
- Multiple fixes for lock and log directories.
- Downgraded a syslog error to warning.
- Multiple fixes based on coverity scan results.
- Added pkcs11 mapping for icsf reason code 72 for return code 8.
- opencryptoki 3.5.1
- Fix Illegal Intruction on pkcscca tool.
- Removed the following obsolete patches:
- ocki-3.5-sanity-checking.patch
- ocki-3.5-icsf-reasoncode72-support.patch
- ocki-3.5-downgrade-syslogerror.patch
- ocki-3.5-icsf-sessionhandle-missing-fix.patch
- ocki-3.5-icsf-reasoncode-2028-added.patch
- ocki-3.5-added-NULLreturn-check.patch
- ocki-3.5-create-missing-tpm-token-lock-directory.patch
- ocki-3.5-fix-pkcscca-calls.patch
-------------------------------------------------------------------
Mon Oct 31 14:19:17 UTC 2016 - jjolly@suse.com
- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
-------------------------------------------------------------------
Thu Sep 1 17:06:45 UTC 2016 - mpost@suse.com


@ -57,9 +57,6 @@ case "$1" in
echo -n "Starting pkcsslotd daemon:"
# Generate the configuration information
/usr/sbin/pkcs11_startup
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.


@ -1,7 +1,7 @@
#
# spec file for package openCryptoki
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -54,7 +54,7 @@ BuildRequires: dos2unix
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: IPL-1.0
Group: Productivity/Security
Version: 3.5
Version: 3.6.1
Release: 0
Source: %{oc_cvs_tag}-%{version}.tgz
Source1: openCryptoki.pkcsslotd
@ -63,15 +63,7 @@ Source3: openCryptoki-tmp.conf
# Patch 1 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch1: ocki-3.1-remove-make-install-chgrp.patch
Patch2: ocki-3.5-sanity-checking.patch
Patch3: ocki-3.5-icsf-reasoncode72-support.patch
Patch4: ocki-3.5-icsf-coverity-memoryleakfix.patch
Patch5: ocki-3.5-downgrade-syslogerror.patch
Patch6: ocki-3.5-icsf-sessionhandle-missing-fix.patch
Patch7: ocki-3.5-icsf-reasoncode-2028-added.patch
Patch8: ocki-3.5-added-NULLreturn-check.patch
Patch9: ocki-3.5-create-missing-tpm-token-lock-directory.patch
Patch10: ocki-3.5-fix-pkcscca-calls.patch
Patch2: ocki-3.5-icsf-coverity-memoryleakfix.patch
Url: https://sourceforge.net/projects/opencryptoki/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -109,9 +101,9 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%package 32bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
Group: Productivity/Security
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
PreReq: openCryptoki
ExclusiveArch: %openCryptoki_32bit_arch
@ -130,9 +122,9 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%package 64bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
Group: Productivity/Security
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
PreReq: openCryptoki
ExclusiveArch: %openCryptoki_64bit_arch
@ -152,14 +144,6 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%setup -q -n %{oc_cvs_tag}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
cp %{SOURCE2} .
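Review bot: In the `%package 32bit` section, and in the same way in `%package 64bit`, the `Group:` line appears to have moved from directly under `Summary:` to between the comment `# this is needed to make sure the pkcs11 group exists before installation:` and `PreReq: openCryptoki`. That comment explains the `PreReq`, which per its own wording is there so the pkcs11 group exists before the sub-package is installed; with `Group:` in between, it now reads as if it documented the RPM group tag. The rendered page has lost the +/- markers, so the direction of the move is inferred from print order. I would keep `Group: Productivity/Security` above the comment in both sub-packages so that the comment sits directly on top of `PreReq: openCryptoki`.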


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2789e3135196828e2b904faba766aa4c7fd9d1e67664df79bd9a05381a771452
size 1031722

3
opencryptoki-3.6.1.tgz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:163dd6419963c834e57423168aa92a9f68f867baf523212f66eff428853ef9df
size 1068197