From 58a54abac4535e990688d575144e12e0e8af2b5cee06ba1ac3a3489130d64f97 Mon Sep 17 00:00:00 2001 
From: Marcus Meissner Date: Thu, 6 Feb 2014 09:10:48 +0000 Subject: [PATCH 1/3] Accepting request 220960 from home:oertel:branches:security - Updated to openCryptoki v3.1: See ChangeLog for complete details (FATE#315426) - opencryptoki-3.1 - New ep11 token to support IBM Crypto Express adpaters (starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11(EP11) firmware. (FATE#315330) - opencryptoki-3.0 - New opencryptoki.conf file to replace pk_config_data and pkcs11_starup. The opencryptoki.conf contains slot entry information for tokens. - Removed pkcs_slot and pkcs11_startup shell scripts. - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 mechanisms using 3DES keys. (FATE#315323) - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL mechanisms. (FATE#315323) - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL mechanisms. (FATE#315323) - opencryptoki-2.4.1 (21 Feb 2012) - SHA256 support added for CCA token (FATE#315289) - Using insserv macros in %post, %preun and %postun sections - Cleaned up spec file - removed patches: - ocki-2.2.6-PIN-backspace.patch - added patches: - ocki-3.1-fix-implicit-decl.patch - ocki-3.1-remove-make-install-chgrp-chmod.patch - ocki-3.1-fix-init_d-path.patch - add aarch64 to 64bit archs OBS-URL: https://build.opensuse.org/request/show/220960 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=13 --- ocki-2.2.6-PIN-backspace.patch | 228 ------------------ ocki-3.1-fix-implicit-decl.patch | 66 +++++ ocki-3.1-fix-init_d-path.patch | 11 + ...-3.1-remove-make-install-chgrp-chmod.patch | 54 +++++ openCryptoki.changes | 37 +++ openCryptoki.pkcsslotd | 1 + openCryptoki.spec | 54 +++-- opencryptoki-2.2.6.tar.bz2 | 3 - opencryptoki-v3.1.tar.bz2 | 3 + 9 files changed, 208 insertions(+), 249 deletions(-) delete mode 100644 ocki-2.2.6-PIN-backspace.patch create mode 100644 ocki-3.1-fix-implicit-decl.patch create mode 
100644 ocki-3.1-fix-init_d-path.patch create mode 100644 ocki-3.1-remove-make-install-chgrp-chmod.patch delete mode 100644 opencryptoki-2.2.6.tar.bz2 create mode 100644 opencryptoki-v3.1.tar.bz2 diff --git a/ocki-2.2.6-PIN-backspace.patch b/ocki-2.2.6-PIN-backspace.patch deleted file mode 100644 index 90d3424..0000000 --- a/ocki-2.2.6-PIN-backspace.patch +++ /dev/null 
@@ -1,228 +0,0 @@ ---- usr/sbin/pkcsconf/pkcsconf.c -+++ usr/sbin/pkcsconf/pkcsconf.c -@@ -333,7 +333,7 @@ - CK_RV init(void); - void usage(char *); - int echo(int); --void get_pin(CK_CHAR **); -+int get_pin(CK_CHAR **); - CK_RV cleanup(void); - CK_RV display_pkcs11_info(void); - CK_RV get_slot_list(int, CK_CHAR_PTR); -@@ -499,9 +499,13 @@ - * the SO pin, if not ask for the PIN */ - if (flags & CFG_INITIALIZE){ - if (~flags & CFG_SO_PIN){ -- printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -- fflush(stdout); -- get_pin(&(sopin)); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&(sopin)); -+ } while (rc == -EINVAL); - } - rc = init_token(sopin); - } -@@ -511,18 +515,29 @@ - * the New User PIN on the command line if not ask for the PIN and verify it */ - if (flags & CFG_INIT_USER){ - if (~flags & CFG_SO_PIN) { -- printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -- fflush(stdout); -- get_pin(&sopin); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&sopin); -+ } while (rc == -EINVAL); - } - if (~flags & CFG_NEW_PIN) { -- printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: ")); -- fflush(stdout); -- get_pin(&newpin); -- newpinlen = strlen(newpin); -- printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: ")); -- fflush(stdout); -- get_pin(&newpin2); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin); -+ } while (rc == -EINVAL); -+ newpinlen = strlen(newpin); -+ do { -+ printf(PKCSINIT_MSG(VNEWUSER, -+ "Re-enter the new user PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin2); -+ } while (rc == -EINVAL); - newpin2len = strlen(newpin2); - if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) { - printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n")); -@@ -537,18 +552,28 @@ - * current SO PIN and the New PIN in. 
If not prompt and validate them. */ - if (flags & CFG_SET_SO){ - if (~flags & CFG_SO_PIN) { -- printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -- fflush(stdout); -- get_pin(&sopin); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(SOPIN, "Enter the SO PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&sopin); -+ } while (rc == -EINVAL); - } - if (~flags & CFG_NEW_PIN) { -- printf(PKCSINIT_MSG(NEWSO, "Enter the new SO PIN: ")); -- fflush(stdout); -- get_pin(&newpin); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(NEWSO, "Enter the new SO PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin); -+ } while (rc == -EINVAL); - newpinlen = strlen(newpin); -- printf(PKCSINIT_MSG(VNEWSO, "Re-enter the new SO PIN: ")); -- fflush(stdout); -- get_pin(&newpin2); -+ do { -+ printf(PKCSINIT_MSG(VNEWSO, "Re-enter the new SO PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin2); -+ } while (rc == -EINVAL); - newpin2len = strlen(newpin2); - if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) { - printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n")); -@@ -563,18 +588,26 @@ - * current User PIN and the New PIN in. If not prompt and validate them. 
*/ - if (flags & CFG_SET_USER){ - if (~flags & CFG_USER_PIN) { -- printf(PKCSINIT_MSG(USERPIN, "Enter user PIN: ")); -- fflush(stdout); -- get_pin(&pin); -+ int rc; -+ -+ do { -+ printf(PKCSINIT_MSG(USERPIN, "Enter user PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&pin); -+ } while (rc == -EINVAL); - } - if (~flags & CFG_NEW_PIN) { -- printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: ")); -- fflush(stdout); -- get_pin(&newpin); -- newpinlen = strlen(newpin); -- printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: ")); -- fflush(stdout); -- get_pin(&newpin2); -+ do { -+ printf(PKCSINIT_MSG(NEWUSER, "Enter the new user PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin); -+ } while (rc == -EINVAL); -+ newpinlen = strlen(newpin); -+ do { -+ printf(PKCSINIT_MSG(VNEWUSER, "Re-enter the new user PIN: ")); -+ fflush(stdout); -+ rc = get_pin(&newpin2); -+ } while (rc == -EINVAL); - newpin2len = strlen(newpin2); - if (newpinlen != newpin2len || memcmp(newpin, newpin2, strlen((char *)newpin)) != 0) { - printf(PKCSINIT_MSG(PINMISMATCH, "New PINs do not match.\n")); -@@ -619,41 +652,49 @@ - - } - --void --get_pin(CK_CHAR ** pin){ -- int count = 0; -- char buff[PIN_SIZE] = { 0 }, c = 0; -- -- /* Turn off echoing to the terminal when getting the password */ -- echo(FALSE); -- -- /* Get each character and print out a '*' for each input */ -- for (count = 0; (c != LINE_FEED) && (count < PIN_SIZE); count++){ -- buff[count] = getc(stdin); -- c = buff[count]; -- if ((c != LINE_FEED) && (c != BACK_SPACE)) -- printf("*"); -- if (c == BACK_SPACE) { -- printf("%c%c%c", BACK_SPACE, ' ', BACK_SPACE); -- count-=2; -- } -- fflush(stdout); -- } -- -- echo(TRUE); -- -- /* After we get the password go to the next line */ -- printf("\n"); -- fflush(stdout); -- -- /* Allocate 80 bytes for the user PIN. 
This is large enough for the tokens -- * supported in AIX 5.0 and 5.1 */ -- *pin = (unsigned char *)malloc(PIN_SIZE); -- -- /* Strip the carage return from the user input (it is not part of the PIN) -- * and put the PIN in the return buffer */ -- buff[count-1] = '\0'; //NULL; -- strncpy((char *)*pin, buff, strlen((char *)buff)+1); // keep the trailing null for the strlen -+int get_pin(CK_CHAR **pin) -+{ -+ int count; -+ char buff[PIN_SIZE] = { 0 }, c = 0; -+ int rc = 0; -+ -+ *pin = NULL; -+ /* Turn off echoing to the terminal when getting the password */ -+ echo(FALSE); -+ /* Get each character and print out a '*' for each input */ -+ for (count = 0; (c != LINE_FEED) && (count < PIN_SIZE); count++) { -+ buff[count] = getc(stdin); -+ c = buff[count]; -+ if (c == BACK_SPACE || c == DELETE) { -+ printf("\nBackspace and delete character not allowed. " -+ "Please retry entering your PIN.\n"); -+ rc = -EINVAL; -+ echo(TRUE); -+ fflush(stdout); -+ goto out; -+ } -+ if ((c != LINE_FEED)) -+ printf("*"); -+ fflush(stdout); -+ } -+ echo(TRUE); -+ /* After we get the password go to the next line */ -+ printf("\n"); -+ fflush(stdout); -+ /* Allocate 80 bytes for the user PIN. This is large enough -+ * for the tokens supported in AIX 5.0 and 5.1 */ -+ *pin = (unsigned char *)malloc(PIN_SIZE); -+ if (!(*pin)) { -+ rc = -ENOMEM; -+ goto out; -+ } -+ /* Strip the carage return from the user input (it is not part -+ * of the PIN) and put the PIN in the return buffer */ -+ buff[count - 1] = '\0'; -+ /* keep the trailing null for the strlen */ -+ strncpy((char *)*pin, buff, (strlen((char *)buff) + 1)); -+out: -+ return rc; - } - - int diff --git a/ocki-3.1-fix-implicit-decl.patch b/ocki-3.1-fix-implicit-decl.patch new file mode 100644 index 0000000..b9345ca --- /dev/null +++ b/ocki-3.1-fix-implicit-decl.patch 
@@ -0,0 +1,66 @@
+--- opencryptoki.orig/usr/lib/pkcs11/common/loadsave.c 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/common/loadsave.c 2014-01-31 10:56:26.377812000 -0700
+@@ -287,6 +287,9 @@
+ //
+ //
+
++/* _GNU_SOURCE necessary for asprintf */
++#define _GNU_SOURCE
++
+ #include
+ #include
+ #include
+--- opencryptoki.orig/usr/lib/pkcs11/common/mech_rng.c 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/common/mech_rng.c 2014-01-31 11:00:30.004283000 -0700
+@@ -301,6 +301,7 @@
+ #include
+ #include
+ #include
++#include
+
+
+ #include "pkcs11types.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/garbage_linux.c 2014-01-31 11:03:14.422314000 -0700
+@@ -294,6 +294,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:15.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/mutex.c 2014-01-31 11:08:25.929081000 -0700
+@@ -293,6 +293,9 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/sbin/pkcsslotd/slotmgr.c 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/sbin/pkcsslotd/slotmgr.c 2014-01-31 11:12:08.708122000 -0700
+@@ -292,6 +292,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "log.h"
+ #include "slotmgr.h"
+--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/tpm_specific.c 2014-01-31 11:16:45.158228000 -0700
+@@ -31,6 +31,9 @@
+ *
+ */
+
++#define _GNU_SOURCE
++#include
++
+ #include
+ #include
+ #include
diff --git a/ocki-3.1-fix-init_d-path.patch b/ocki-3.1-fix-init_d-path.patch
new file mode 100644
index 0000000..8102c32
--- /dev/null
+++ b/ocki-3.1-fix-init_d-path.patch
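Review bot: In ocki-3.1-fix-implicit-decl.patch the `#define _GNU_SOURCE` lines for loadsave.c and tpm_specific.c are added per file, which only works while they stay above the first system header and leaves every other source free to drift again. A missing prototype in a PKCS#11 library is more than a warning: the compiler assumes an `int` return, which on the 64-bit targets this package builds for can truncate a pointer-returning call. I would set the feature macro once in the build, `CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"` in place of the glibc-internal `-D__USE_BSD` visible on the configure line later in this commit, and add `-Werror=implicit-function-declaration` so a regression fails the build. The header names on the added `#include` lines are not visible in this rendering, so they could not be checked against the functions they are meant to declare.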
@@ -0,0 +1,11 @@
+--- opencryptoki.orig/misc/Makefile.am 2014-01-27 15:01:57.000000000 -0700
++++ opencryptoki/misc/Makefile.am 2014-01-31 09:15:15.816980000 -0700
+@@ -11,7 +11,7 @@ pkcsslotd.service: pkcsslotd.service.in
+ @SED@ -e s!\@sbindir\@!"@sbindir@"!g < $< > $@-t
+ mv $@-t $@
+ else
+-initddir = $(sysconfdir)/rc.d/init.d
++initddir = $(sysconfdir)/init.d
+ initd_SCRIPTS = pkcsslotd
+
+ CLEANFILES = pkcsslotd
diff --git a/ocki-3.1-remove-make-install-chgrp-chmod.patch b/ocki-3.1-remove-make-install-chgrp-chmod.patch
new file mode 100644
index 0000000..ce8bdcd
--- /dev/null
+++ b/ocki-3.1-remove-make-install-chgrp-chmod.patch
@@ -0,0 +1,54 @@
+--- opencryptoki.orig/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-31 08:15:21.781145000 -0700
+@@ -54,13 +54,7 @@ install-data-hook:
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -sf libpkcs11_sw.so PKCS11_SW.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok
+- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
+
+ uninstall-hook:
+ if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am 2014-01-31 08:20:37.999866000 -0700
+@@ -69,11 +69,7 @@ install-data-hook:
+ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
+ ln -sf libpkcs11_tpm.so PKCS11_TPM.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm
+- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
+
+ uninstall-hook:
+ if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-31 08:30:51.030956000 -0700
+@@ -66,13 +66,7 @@ install-data-hook:
+ cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \
+ ln -sf libpkcs11_cca.so PKCS11_CCA.so
+ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
+- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
+ $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
+- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
+
+ uninstall-hook:
+ if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \
+--- opencryptoki.orig/usr/Makefile.am 2014-01-27 15:01:58.000000000 -0700
++++ opencryptoki/usr/Makefile.am 2014-01-31 08:33:02.949361000 -0700
+@@ -6,5 +6,3 @@ SUBDIRS = lib $(DAEMONDIRS)
+
+ install-data-hook:
+ $(MKDIR_P) $(DESTDIR)$(lockdir)
+- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
+- $(CHMOD) 0770 $(DESTDIR)$(lockdir)
diff --git a/openCryptoki.changes b/openCryptoki.changes
index 0c64b02..ac894e1 100644
--- a/openCryptoki.changes
+++ b/openCryptoki.changes
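Review bot: With the `$(CHGRP) pkcs11` and `$(CHMOD) 0770` lines dropped from the soft, tpm and cca `install-data-hook` targets and from usr/Makefile.am, the token and lock directories get whatever mode `$(MKDIR_P)` and the umask give them, and the 0770 root:pkcs11 restriction is now stated only in the `%attr` list of openCryptoki.spec. These are the per-token state directories (including `TOK_OBJ`), so that coupling should be written down: the patch file has no header, and I would add one such as `# chgrp/chmod need root and the pkcs11 group at build time; ownership and mode are set by %attr in openCryptoki.spec %files instead`. Only three stdll Makefiles are patched here; if the ICA or EP11 token Makefiles carry the same hook (not visible in this diff), they need the same treatment and matching `%dir %attr` entries.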
@@ -1,3 +1,40 @@ +------------------------------------------------------------------- +Mon Feb 4 17:16:25 UTC 2014 - jjolly@suse.com + +- Updated to openCryptoki v3.1: See ChangeLog for complete details + (FATE#315426) + - opencryptoki-3.1 + - New ep11 token to support IBM Crypto Express adpaters + (starting with Crypto Express 4S adapters) configured with + Enterprise PKCS#11(EP11) firmware. (FATE#315330) + - opencryptoki-3.0 + - New opencryptoki.conf file to replace pk_config_data and + pkcs11_starup. The opencryptoki.conf contains slot entry + information for tokens. + - Removed pkcs_slot and pkcs11_startup shell scripts. + - ICA token supports CKM_DES_OFB64, CKM_DES_CFB8, CKM_DES_CFB6 + mechanisms using 3DES keys. (FATE#315323) + - ICA token supports CKM_DES3_MAC and CKM_DES3_MAC_GENERAL + mechanisms. (FATE#315323) + - ICA token supports CKM_AES_OFB, CKM_AES_CFB8, CKM_AES_CFB64, + CKM_AES_CFB128, CKM_AES_MAC, and CKM_AES_MAC_GENERAL + mechanisms. (FATE#315323) + - opencryptoki-2.4.1 (21 Feb 2012) + - SHA256 support added for CCA token (FATE#315289) +- Using insserv macros in %post, %preun and %postun sections +- Cleaned up spec file +- removed patches: + - ocki-2.2.6-PIN-backspace.patch +- added patches: + - ocki-3.1-fix-implicit-decl.patch + - ocki-3.1-remove-make-install-chgrp-chmod.patch + - ocki-3.1-fix-init_d-path.patch + +------------------------------------------------------------------- +Tue Feb 4 13:22:49 CET 2014 - ro@suse.de + +- add aarch64 to 64bit archs + ------------------------------------------------------------------- Tue Dec 10 19:25:44 UTC 2013 - dvaleev@suse.com diff --git a/openCryptoki.pkcsslotd b/openCryptoki.pkcsslotd index 35d918e..c0751db 100644 --- a/openCryptoki.pkcsslotd +++ b/openCryptoki.pkcsslotd @@ -18,6 +18,7 @@ # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Description: Start the pkcsslotd daemon +# Short-Description: Start the pkcsslotd daemon ### END INIT INFO . /etc/rc.status 
diff --git a/openCryptoki.spec b/openCryptoki.spec index fc134aa..837a4f7 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -1,7 +1,7 @@ # # spec file for package openCryptoki # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -19,32 +19,37 @@ %define openCryptoki_32bit_arch %ix86 s390 ppc %arm # support in the workings for: ppc64 # no support in sight for: ia64 -%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 +%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 # autobuild:/work/cd/lib/misc/group # openCryptoki pkcs11:x:64: %define pkcs11_group_id 64 -%define oc_cvs_tag opencryptoki-%{version} +%define oc_cvs_tag opencryptoki Name: openCryptoki +BuildRequires: bison +BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: libica BuildRequires: libtool BuildRequires: openssl-devel BuildRequires: pwdutils +BuildRequires: trousers-devel Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: IPL-1.0 Group: Productivity/Security -Version: 2.2.6 +Version: 3.1 Release: 0 # :pserver:anonymous@cvs.sourceforge.net:/cvsroot/opencryptoki # cvs co -r openCryptoki-2-1-5 -d openCryptoki-2-1-5 . -Source: %{oc_cvs_tag}.tar.bz2 +Source: %{oc_cvs_tag}-v%{version}.tar.bz2 Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html -Patch1: ocki-2.2.6-PIN-backspace.patch +Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch +Patch2: ocki-3.1-fix-init_d-path.patch +Patch3: ocki-3.1-fix-implicit-decl.patch Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed +PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq # IBM maintains openCryptoki on these architectures: ExclusiveArch: %openCryptoki_32bit_arch %openCryptoki_64bit_arch # 
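Review bot: `Source: %{oc_cvs_tag}-v%{version}.tar.bz2` is a bare file name, so nothing in the spec ties the new 3.1 tarball to an upstream release; the only provenance hint left is the stale `cvs co -r openCryptoki-2-1-5` comment just above it. For a cryptographic library I would give the full download location, e.g. `Source: <UPSTREAM_RELEASE_URL>/%{oc_cvs_tag}-v%{version}.tar.bz2` (placeholder, the real URL is not on this page), so the packaged archive can be compared with what upstream published. The CVS comment should be dropped or updated in the same change.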
@@ -119,12 +124,14 @@ Cryptographic Accelerator (FC 4960 on pSeries). %prep %setup -q -n %{oc_cvs_tag} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 cp %{SOURCE2} . -%patch1 %build autoreconf --force --install -CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok +CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} make %install @@ -154,6 +161,9 @@ y/ /,/ s/^,// '),pkcs11 root +%preun +%{stop_on_removal pkcsslotd} + %post # Symlink from /var/lib/opencryptoki to /etc/pkcs11 if [ ! -L %{_sysconfdir}/pkcs11 ] ; then @@ -164,11 +174,15 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then fi fi /sbin/ldconfig +%{fillup_and_insserv -f pkcsslotd} %postun if [ -L %{_sysconfdir}/pkcs11 ] ; then rm %{_sysconfdir}/pkcs11 fi +%{restart_on_update pkcsslotd} +%{insserv_cleanup} + %ifarch %openCryptoki_32bit_arch %postun 32bit @@ -180,8 +194,6 @@ fi cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods rm -rf %{_libdir}/pkcs11/stdll -if [ -d %{_libdir}/pkcs11 ] ; then - cd %{_libdir}/pkcs11 ln -sf ../opencryptoki/stdll stdll cd stdll [ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true 
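Review bot: In the `%postun` hunk, `%{restart_on_update pkcsslotd}` is added after an unconditional `rm %{_sysconfdir}/pkcs11`, and `%postun` also runs on upgrade, after the new package's `%post`. As far as the visible lines show, an update would therefore remove the symlink that `%post` has just ensured and then restart the daemon without it. I would limit the removal to real uninstalls, `if [ "$1" = 0 ] && [ -L %{_sysconfdir}/pkcs11 ] ; then`, and leave the restart and `%{insserv_cleanup}` macros as they are. The body of `%post` is only partly inside the hunk, so this should be checked against the full scriptlet.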
@@ -202,16 +214,26 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %defattr(-,root,root) %doc openCryptoki-TFAQ.html # configuration directory -%dir %attr(755,root,pkcs11) /var/lib/opencryptoki +%dir /etc/opencryptoki +%config /etc/opencryptoki/opencryptoki.conf /etc/init.d/pkcsslotd /usr/sbin/rcpkcsslotd # utilities /usr/sbin/pkcsslotd -/usr/sbin/pkcs11_startup /usr/sbin/pkcsconf -/usr/sbin/pkcs_slot %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll + # State and lock directories +%dir %attr(755,root,pkcs11) %{_localstatedir}/lib/opencryptoki +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm %{_mandir}/man*/* %files devel @@ -242,8 +264,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %ghost %{_libdir}/pkcs11/stdll %ghost %{_libdir}/pkcs11/methods %{_libdir}/pkcs11/*.so -# %{_libdir}/libopencryptoki.so -# %{_libdir}/libopencryptoki.so.0 %{_sysconfdir}/ld.so.conf.d/* %endif %ifarch %openCryptoki_64bit_arch @@ -257,8 +277,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %{_libdir}/opencryptoki/stdll/*.so %{_libdir}/opencryptoki/stdll/*.0 %{_libdir}/pkcs11 -# %{_libdir}/libopencryptoki.so -# %{_libdir}/libopencryptoki.so.0 %{_sysconfdir}/ld.so.conf.d/* %endif 
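Review bot: The four lock directories under `%{_localstatedir}/lock/opencryptoki` are listed as `%ghost`, so the package records mode 0770 root:pkcs11 for them but does not create them on the installed system, and Patch1 removed the `make install` step that used to set group and mode. If /var/lock is cleared at boot, whatever recreates these directories (the init script or pkcsslotd, neither shown here) decides their permissions, which for lock files shared by the `pkcs11` group should not be left to the umask. I would create them explicitly at service start with `install -d -m 0770 -g pkcs11` and say so in a comment next to the `%ghost` lines. Separately, `%config /etc/opencryptoki/opencryptoki.conf` would be safer as `%config(noreplace)` so an update does not replace an administrator's slot configuration.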
diff --git a/opencryptoki-2.2.6.tar.bz2 b/opencryptoki-2.2.6.tar.bz2 deleted file mode 100644 index cf3ef41..0000000 --- a/opencryptoki-2.2.6.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c4e59e4a67207986c4cb77bc6a922806d6fa53282a722a17eb08095b0778c8fb -size 983838 diff --git a/opencryptoki-v3.1.tar.bz2 b/opencryptoki-v3.1.tar.bz2 new file mode 100644 index 0000000..8d6f091 --- /dev/null +++ b/opencryptoki-v3.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:05df5d5657e1de41ca7c81e0cc8c8c42d7b842fb062ad76f4961efffb0984aca +size 680250 From 7de3ec42faedf79b06645e313e3fef402648d06354fe5f461428796a50bc42fe Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 6 Feb 2014 12:42:44 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=14 --- openCryptoki.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/openCryptoki.spec b/openCryptoki.spec index 837a4f7..8527943 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -253,8 +253,12 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %ghost %{_libdir}/opencryptoki/PKCS11_API.so %{_libdir}/opencryptoki/*.0 %ifnarch s390 s390x +%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so +%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so +%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %else %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so From 8883ecb0eca8b12b5636fe4dba4a6e3f7fe38c7b7b06416c21b8bdfcf97059b3 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 6 Feb 2014 12:57:43 +0000 Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=15 --- openCryptoki.spec | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/openCryptoki.spec b/openCryptoki.spec index 8527943..52adcc9 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -194,6 +194,8 @@ fi cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods rm -rf %{_libdir}/pkcs11/stdll +if [ -d %{_libdir}/pkcs11 ] ; then + cd %{_libdir}/pkcs11 ln -sf ../opencryptoki/stdll stdll cd stdll [ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
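Review bot: The restored `cd %{_libdir}/pkcs11` is unchecked, so if it fails the `ln -sf ../opencryptoki/stdll stdll` and `cd stdll` that follow act relative to whatever directory the root scriptlet happens to be in. The `[ -d … ]` test makes that unlikely, but the line above already uses the safer form (`cd %{_libdir}/opencryptoki && ln -sf …`), so I would write `cd %{_libdir}/pkcs11 && ln -sf ../opencryptoki/stdll stdll` and guard `cd stdll` the same way. The closing `fi` of this block lies outside the hunk. A one-line comment stating what the `%{_libdir}/pkcs11` tree is kept for would also help, since the commit message gives no reason for putting the guard back.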