--- usr/lib/pkcs11/common/loadsave.c 2006-01-25 17:06:14.000000000 -0600 +++ usr/lib/pkcs11/common/loadsave.c 2006-01-25 18:02:20.000000000 -0600 @@ -320,9 +320,21 @@ void set_perm(int file) { +#ifdef PER_USER_TOKEN /* With per user data stores, we don't share the token data amongst a * group. In fact, we want to restrict access to a single user */ fchmod(file,S_IRUSR|S_IWUSR); +#else + struct group *grp; + + // Set absolute permissions or rw-rw-r-- + fchmod(file,S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH); + + grp = getgrnam("pkcs11"); // Obtain the group id + if (grp){ + fchown(file,getuid(),grp->gr_gid); // set ownership to root, and pkcs11 group + } +#endif } // @@ -339,6 +351,7 @@ CK_ULONG clear_len, cipher_len; #endif CK_RV rc; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -347,6 +360,9 @@ } sprintf((char *)fname,"%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_NV); +#else + sprintf((char *)fname,"%s/%s",(char *)pk_dir, PK_LITE_NV); +#endif rc = XProcLock( xproclock ); if (rc != CKR_OK){ @@ -440,6 +456,7 @@ #endif CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -448,6 +465,9 @@ } sprintf((char *)fname,"%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_NV); +#else + sprintf((char *)fname,"%s/%s",pk_dir, PK_LITE_NV); +#endif rc = XProcLock( xproclock ); if (rc != CKR_OK){ @@ -507,8 +527,9 @@ CK_BYTE line[100]; CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; - +#endif if (object_is_private(obj) == TRUE) rc = save_private_token_object( obj ); @@ -521,6 +542,7 @@ } // update the index file if it exists // +#ifdef PER_USER_TOKEN if ((pw = getpwuid(getuid())) == NULL){ LogError("getpwuid failed: %s", strerror(errno)); return CKR_FUNCTION_FAILED; 
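Review bot: In the new `#else` branch of set_perm the mode is widened to rw-rw-r-- before the group is changed, and neither `fchmod` nor `fchown` is checked, so if `getgrnam("pkcs11")` returns NULL or `fchown` fails the file stays group-writable for whatever group it was created with and readable by everyone. `S_IROTH` makes every file passed here world-readable; unless a consumer outside the pkcs11 group has to read the token store, it should be dropped. The comment `set ownership to root, and pkcs11 group` does not match the code, which passes `getuid()`. I would assign the group first, fall back to owner-only mode when that fails, and only then grant group access, as below.

```c
#else
    struct group *grp;

    // Assign the group first; widen the mode only once ownership is known to be right
    grp = getgrnam("pkcs11");
    if (grp == NULL || fchown(file, getuid(), grp->gr_gid) != 0) {
        LogError("set_perm: could not assign pkcs11 group, keeping file owner-only");
        fchmod(file, S_IRUSR|S_IWUSR);
        return;
    }

    // rw-rw----: owner (the calling uid) and the pkcs11 group
    if (fchmod(file, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP) != 0)
        LogError("set_perm: fchmod failed: %s", strerror(errno));
#endif
```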
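Review bot: The added `sprintf((char *)fname,"%s/%s",(char *)pk_dir, PK_LITE_NV);` in the hunk at `@@ -347,6 +360,9 @@` writes into `fname` with no bound, and nothing visible here limits the length of `pk_dir`, so an over-long token directory overruns the buffer. The same unbounded call is added in the `#else` branches of the hunks at -448, -528, -588, -652, -786, -798, -858, -870, -1065, -1175, -1329, -1426, -1463, -1543 and -1600. Where the declaration is visible the target is a `CK_BYTE [2048]` array, so each call could become `snprintf((char *)fname, sizeof(fname), "%s/%s", (char *)pk_dir, PK_LITE_NV)` and return `CKR_FUNCTION_FAILED` when the result is negative or `>= sizeof(fname)`. The new lines also disagree on whether `pk_dir` is cast to `char *`; one form should be used throughout. The enclosing function starts and ends outside this hunk.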
@@ -528,6 +550,9 @@ sprintf((char *)fname,"%s/%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); +#else + sprintf((char *)fname,"%s/%s/%s",pk_dir,PK_LITE_OBJ_DIR,PK_LITE_OBJ_IDX); +#endif //fp = fopen( "/tmp/TOK_OBJ/OBJ.IDX", "r" ); fp = fopen( (char *)fname, "r" ); @@ -579,6 +604,7 @@ CK_BBOOL flag = FALSE; CK_RV rc; CK_ULONG_32 total_len; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -588,6 +614,9 @@ sprintf((char *)fname,"%s/%s/%s/",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR); +#else + sprintf( (char *)fname,"%s/%s/", pk_dir,PK_LITE_OBJ_DIR); +#endif //strcpy( fname, "/tmp/TOK_OBJ/" ); strncat( (char *)fname, (char *) obj->name, 8 ); @@ -643,6 +672,7 @@ CK_RV rc; CK_ULONG_32 obj_data_len_32; CK_ULONG_32 total_len; +#ifdef PER_USER_TOKEN struct passwd * pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -652,6 +682,9 @@ sprintf((char *)fname,"%s/%s/%s/",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR); +#else + sprintf( (char *)fname,"%s/%s/", pk_dir,PK_LITE_OBJ_DIR); +#endif rc = object_flatten( obj, &obj_data, &obj_data_len ); obj_data_len_32 = obj_data_len; @@ -777,6 +810,7 @@ CK_BYTE tmp[2048], fname[2048],iname[2048]; CK_BBOOL priv; CK_ULONG_32 size; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -786,6 +820,9 @@ sprintf((char *)iname,"%s/%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); +#else + sprintf((char *)iname,"%s/%s/%s",pk_dir,PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); +#endif //fp1 = fopen("/tmp/TOK_OBJ/OBJ.IDX", "r"); fp1 = fopen((char *)iname, "r"); @@ -798,7 +835,11 @@ tmp[ strlen((char *)tmp)-1 ] = 0; //strcpy(fname,"/tmp/TOK_OBJ/"); +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/%s/",pk_dir, pw->pw_name, PK_LITE_OBJ_DIR); +#else + sprintf((char *)fname,"%s/%s/",pk_dir, PK_LITE_OBJ_DIR); +#endif strcat((char *)fname, (char *)tmp ); fp2 = fopen( (char *)fname, "r" ); 
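Review bot: In the hunk at `@@ -798,7 +835,11 @@` the new shared prefix `pk_dir/PK_LITE_OBJ_DIR/` is extended by `strcat((char *)fname, (char *)tmp )` with an entry taken from the object index, and in the shared layout that index is presumably writable by every member of the pkcs11 group, so the entry should be validated before it becomes part of a path. Both buffers are 2048 bytes (`CK_BYTE tmp[2048], fname[2048],iname[2048];` in the hunk at -777), so a long entry can overrun `fname`, and an entry containing `/` resolves outside the object directory. I would skip entries that are empty, contain `/`, or do not fit: `if (tmp[0] == 0 || strchr((char *)tmp, '/') || strlen((char *)fname) + strlen((char *)tmp) >= sizeof(fname)) continue;` placed before the `strcat`. The hunk at -870 has the same sequence. How `tmp` is read and the loop around it lie outside the hunk, so the `continue` assumes an enclosing per-entry loop.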
@@ -849,6 +890,7 @@ CK_BBOOL priv; CK_ULONG_32 size; CK_RV rc; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -858,6 +900,9 @@ sprintf((char *)iname,"%s/%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); +#else + sprintf((char *)iname,"%s/%s/%s",pk_dir,PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); +#endif //fp1 = fopen("/tmp/TOK_OBJ/OBJ.IDX", "r"); fp1 = fopen((char *)iname, "r"); @@ -870,7 +915,11 @@ tmp[ strlen((char *)tmp)-1 ] = 0; //strcpy(fname,"/tmp/TOK_OBJ/"); +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/%s/",pk_dir, pw->pw_name, PK_LITE_OBJ_DIR); +#else + sprintf((char *)fname,"%s/%s/",pk_dir,PK_LITE_OBJ_DIR); +#endif strcat((char *)fname,(char *) tmp ); fp2 = fopen( (char *)fname, "r" ); @@ -1057,6 +1106,7 @@ CK_ULONG cipher_len, clear_len, hash_len; CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd * pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -1065,6 +1115,9 @@ } sprintf((char *)fname,"%s/%s/MK_SO",(char *)pk_dir, pw->pw_name); +#else + sprintf((char *)fname,"%s/MK_SO",pk_dir); +#endif memset( master_key, 0x0, 3*DES_KEY_SIZE ); @@ -1167,6 +1220,7 @@ CK_ULONG cipher_len, clear_len, hash_len; CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd * pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ @@ -1175,6 +1229,9 @@ } sprintf((char *)fname,"%s/%s/MK_USER",(char *)pk_dir, pw->pw_name); +#else + sprintf((char *)fname,"%s/MK_USER",pk_dir); +#endif memset( master_key, 0x0, 3*DES_KEY_SIZE ); @@ -1274,12 +1331,14 @@ CK_ULONG hash_len, cleartxt_len, ciphertxt_len, padded_len; CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd * pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ LogError("getpwuid failed: %s", strerror(errno)); return CKR_FUNCTION_FAILED; } +#endif memcpy( mk.key, master_key, 3 * DES_KEY_SIZE); 
@@ -1329,7 +1388,11 @@ // // probably ought to ensure the permissions are correct // +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/MK_SO",(char *)pk_dir, pw->pw_name); +#else + sprintf((char *)fname,"%s/MK_SO",pk_dir); +#endif //fp = fopen( "/tmp/MK_SO", "w" ); fp = fopen( (char *)fname, "w" ); if (!fp) { @@ -1369,12 +1432,14 @@ CK_ULONG hash_len, cleartxt_len, ciphertxt_len, padded_len; CK_RV rc; CK_BYTE fname[2048]; +#ifdef PER_USER_TOKEN struct passwd * pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ LogError("getpwuid failed: %s", strerror(errno)); return CKR_FUNCTION_FAILED; } +#endif memcpy( mk.key, master_key, 3 * DES_KEY_SIZE); @@ -1426,7 +1491,11 @@ // // probably ought to ensure the permissions are correct // +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/MK_USER",(char *)pk_dir, pw->pw_name); +#else + sprintf((char *)fname,"%s/MK_USER", pk_dir); +#endif //fp = fopen( "/tmp/MK_USER", "w" ); fp = fopen( (char *)fname, "w" ); if (!fp) { @@ -1463,17 +1532,22 @@ CK_ULONG_32 size; CK_ULONG size_64; CK_RV rc; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ LogError("getpwuid failed: %s", strerror(errno)); return CKR_FUNCTION_FAILED; } - +#endif memset( (char *)fname, 0x0, sizeof(fname) ); +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/%s/",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR); +#else + sprintf((char *)fname,"%s/%s/",pk_dir, PK_LITE_OBJ_DIR); +#endif // strcpy(fname, "/tmp/TOK_OBJ/" ); strncat((char *)fname,(char *) obj->name, 8 ); @@ -1532,6 +1606,7 @@ FILE *fp1, *fp2; CK_BYTE line[100]; CK_BYTE objidx[2048], idxtmp[2048],fname[2048]; +#ifdef PER_USER_TOKEN struct passwd *pw = NULL; if ((pw = getpwuid(getuid())) == NULL){ 
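Review bot: In the hunk at `@@ -1329,7 +1388,11 @@` the master-key file now lands directly at `pk_dir/MK_SO` in the shared layout, while the context still carries `// probably ought to ensure the permissions are correct` right before `fopen( (char *)fname, "w" )`, so the file is created with whatever mode the caller's umask allows. Whether `set_perm` is applied afterwards is outside the hunk; if it is, there is still a window between creation and the mode change, and if it is not, the mode is never restricted. I would create the file with an explicit mode, `fd = open((char *)fname, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);` followed by `fp = fdopen(fd, "w");`, or at least call `set_perm(fileno(fp));` immediately after a successful open. The `MK_USER` hunk at -1426 needs the same treatment.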
@@ -1543,7 +1618,10 @@ PK_LITE_OBJ_DIR, PK_LITE_OBJ_IDX); sprintf((char *)idxtmp,"%s/%s/%s/%s",(char *)pk_dir, pw->pw_name, PK_LITE_OBJ_DIR, "IDX.TMP"); - +#else + sprintf((char *)objidx,"%s/%s/%s",pk_dir, PK_LITE_OBJ_DIR,PK_LITE_OBJ_IDX); + sprintf((char *)idxtmp,"%s/%s/%s",pk_dir, PK_LITE_OBJ_DIR, "IDX.TMP"); +#endif // FIXME: on UNIX, we need to make sure these guys aren't symlinks // before we blindly write to these files... @@ -1600,7 +1678,11 @@ fclose(fp1); fclose(fp2); +#ifdef PER_USER_TOKEN sprintf((char *)fname,"%s/%s/%s/%s",pk_dir, pw->pw_name, PK_LITE_OBJ_DIR, (char *)obj->name); +#else + sprintf((char *)fname,"%s/%s/%s",pk_dir, PK_LITE_OBJ_DIR,(char *)obj->name); +#endif unlink((char *)fname); return CKR_OK;
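Review bot: The new `#else` branch in the hunk at `@@ -1543,7 +1618,10 @@` places `IDX.TMP` at a fixed name inside the shared object directory while the context FIXME (`we need to make sure these guys aren't symlinks before we blindly write to these files`) is still open. With per-user stores only the owner could create that path, but in a group-shared store any account allowed to write the directory can, so the FIXME should be resolved as part of this change. The writes themselves are outside the hunk, so this is inferred from the FIXME and the two path names. I would open both files through `open()` with `O_NOFOLLOW` (plus `O_CREAT|O_EXCL` for the temporary) and wrap the descriptor with `fdopen`, or replace the fixed `IDX.TMP` name with `mkstemp` in the same directory before the rename.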