From d6c48bed19e3ef380ccbe5e08a355d1951eb9cbd39e67a230d7961cfbff29b9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 2 Jul 2014 09:29:50 +0000 Subject: [PATCH 1/3] Accepting request 238818 from home:jjolly:branches:security Fixes for bnc#880217 - systemd enabled OBS-URL: https://build.opensuse.org/request/show/238818 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=17 --- ocki-3.1-fix-libica-link.patch | 11 + ...-3.1-remove-make-install-chgrp-chmod.patch | 100 ++++++-- ocki-3.1_01_ep11_makefile.patch | 42 ++++ ocki-3.1_02_ep11_m_init.patch | 21 ++ ocki-3.1_03_ock_obj_mgr.patch | 129 ++++++++++ ...-3.1_04_ep11_opaque2blob_error_handl.patch | 233 ++++++++++++++++++ ocki-3.1_05_ep11_readme_update.patch | 187 ++++++++++++++ ...ignored-bad-returncodes-from-the-cal.patch | 110 +++++++++ ...-confname-is-not-given-use-default-e.patch | 172 +++++++++++++ ...ecking-for-the-ep11-lib-and-the-m_in.patch | 38 +++ ...-header-file-uses-some-std-int-types.patch | 35 +++ ocki-3.1_06_0005-Small-reworks.patch | 144 +++++++++++ ...-on-s390-showed-an-build-error-at-in.patch | 32 +++ ...ding-because-not-setting-with_zcrypt.patch | 27 ++ openCryptoki-tmp.conf | 7 + openCryptoki.changes | 61 +++++ openCryptoki.spec | 126 ++++++++-- 17 files changed, 1430 insertions(+), 45 deletions(-) create mode 100644 ocki-3.1-fix-libica-link.patch create mode 100644 ocki-3.1_01_ep11_makefile.patch create mode 100644 ocki-3.1_02_ep11_m_init.patch create mode 100644 ocki-3.1_03_ock_obj_mgr.patch create mode 100644 ocki-3.1_04_ep11_opaque2blob_error_handl.patch create mode 100644 ocki-3.1_05_ep11_readme_update.patch create mode 100644 ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch create mode 100644 ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch create mode 100644 ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch create mode 100644 ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch create mode 100644 ocki-3.1_06_0005-Small-reworks.patch create mode 100644 ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch create mode 100644 ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch create mode 100644 openCryptoki-tmp.conf diff --git a/ocki-3.1-fix-libica-link.patch b/ocki-3.1-fix-libica-link.patch new file mode 100644 index 0000000..d319258 --- /dev/null +++ b/ocki-3.1-fix-libica-link.patch @@ -0,0 +1,11 @@ +--- opencryptoki/configure.in ++++ opencryptoki/configure.in +@@ -328,7 +328,7 @@ + old_cflags="$CFLAGS" + old_libs="$LIBS" + CFLAGS="$CFLAGS $LIBICA_CFLAGS" +- LIBS="$LIBS $LIBICA_LIBS" ++ LIBS="$LIBS $LIBICA_LIBS -lrt -lcrypto -lpthread" + AC_CHECK_HEADER([ica_api.h], [], [ + if test "x$with_libica" != "xcheck"; then + AC_MSG_ERROR([Build with Libica requested but Libica headers couldn't be found]) diff --git a/ocki-3.1-remove-make-install-chgrp-chmod.patch b/ocki-3.1-remove-make-install-chgrp-chmod.patch index ce8bdcd..289d1f4 100644 --- a/ocki-3.1-remove-make-install-chgrp-chmod.patch +++ b/ocki-3.1-remove-make-install-chgrp-chmod.patch @@ -1,6 +1,76 @@ ---- opencryptoki.orig/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-31 08:15:21.781145000 -0700 -@@ -54,13 +54,7 @@ install-data-hook: +--- opencryptoki/usr/Makefile.am ++++ opencryptoki/usr/Makefile.am +@@ -6,5 +6,3 @@ + + install-data-hook: + $(MKDIR_P) $(DESTDIR)$(lockdir) +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) +- $(CHMOD) 0770 $(DESTDIR)$(lockdir) +--- opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am +@@ -66,13 +66,7 @@ + cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \ + ln -sf libpkcs11_cca.so PKCS11_CCA.so + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok + $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok +- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok + + uninstall-hook: + if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \ +--- opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am +@@ -54,13 +54,7 @@ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + ln -sf libpkcs11_ep11.so PKCS11_EP11.so + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok + $(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok +- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok + + uninstall-hook: + if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ +--- opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am +@@ -62,13 +62,7 @@ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + ln -sf libpkcs11_ica.so PKCS11_ICA.so + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite + $(MKDIR_P) $(DESTDIR)$(lockdir)/lite +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite +- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite + + uninstall-hook: + if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ +--- opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am +@@ -76,11 +76,7 @@ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + ln -sf libpkcs11_icsf.so PKCS11_ICSF.so + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf + $(MKDIR_P) $(DESTDIR)$(lockdir)/icsf +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf +- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf + + uninstall-hook: + if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ +--- opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am ++++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am +@@ -54,13 +54,7 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -sf libpkcs11_sw.so PKCS11_SW.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ @@ -28,27 +98,3 @@ uninstall-hook: if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ ---- opencryptoki.orig/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-31 08:30:51.030956000 -0700 -@@ -66,13 +66,7 @@ install-data-hook: - cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_cca.so PKCS11_CCA.so - $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok -- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ -- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok - $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok -- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok - - uninstall-hook: - if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \ ---- opencryptoki.orig/usr/Makefile.am 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/Makefile.am 2014-01-31 08:33:02.949361000 -0700 -@@ -6,5 +6,3 @@ SUBDIRS = lib $(DAEMONDIRS) - - install-data-hook: - $(MKDIR_P) $(DESTDIR)$(lockdir) -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) -- $(CHMOD) 0770 $(DESTDIR)$(lockdir) diff --git a/ocki-3.1_01_ep11_makefile.patch b/ocki-3.1_01_ep11_makefile.patch new file mode 100644 index 0000000..097bd9b --- /dev/null +++ b/ocki-3.1_01_ep11_makefile.patch @@ -0,0 +1,42 @@ +commit f558043c9c7aa2ada4dd9d7548c2c713aea24753 +Author: Ingo Tuchscherer +Date: Fri Feb 7 15:03:48 2014 -0600 + + ep11: Fixed Makefile to complement common code dependencies + This will fix the side effect that the ep11 token could not + plugged into slot 0, because of unresolved symbols. + + Signed-off-by: Ingo Tuchscherer + +diff --git a/usr/lib/pkcs11/ep11_stdll/Makefile.am b/usr/lib/pkcs11/ep11_stdll/Makefile.am +index fd940ec..d587fd2 100644 +--- a/usr/lib/pkcs11/ep11_stdll/Makefile.am ++++ b/usr/lib/pkcs11/ep11_stdll/Makefile.am +@@ -28,10 +28,15 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \ + ../common/loadsave.c \ + ../common/key.c \ + ../common/key_mgr.c \ +- ../common/mech_md5.c \ ++ ../common/mech_des.c \ ++ ../common/mech_des3.c \ ++ ../common/mech_aes.c \ ++ ../common/mech_md5.c \ + ../common/mech_md2.c \ + ../common/mech_rng.c \ ++ ../common/mech_rsa.c \ + ../common/mech_sha.c \ ++ ../common/mech_ssl3.c \ + ../common/new_host.c \ + ../common/obj_mgr.c \ + ../common/object.c \ +@@ -44,8 +49,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \ + ../common/log.c \ + ../common/mech_list.c \ + ../common/shared_memory.c \ +- ../common/attributes.c \ +- ../common/sw_crypt.c \ ++ ../common/attributes.c \ ++ ../common/sw_crypt.c \ + ep11_specific.c + + noinst_HEADERS = ep11.h diff --git a/ocki-3.1_02_ep11_m_init.patch b/ocki-3.1_02_ep11_m_init.patch new file mode 100644 index 0000000..20bceeb --- /dev/null +++ b/ocki-3.1_02_ep11_m_init.patch @@ -0,0 +1,21 @@ +commit d564279d2c2913021ca325507d1ce3af3aff078a +Author: Ingo Tuchscherer +Date: Fri Feb 7 15:08:27 2014 -0600 + + ep11: switched to official m_init() function based on library change + + Signed-off-by: Ingo Tuchscherer + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index a9a72e4..1a43ccb 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -1281,7 +1281,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na + /* for real HW on Z-series, this would open the + * device driver file /dev/zcrypt. + */ +- if (m_add_backend(NULL,0) < 0) { ++ if (m_init() < 0) { + EP11TOK_ELOG(1,"open of the zcrypt device driver failed"); + return CKR_DEVICE_ERROR; + } diff --git a/ocki-3.1_03_ock_obj_mgr.patch b/ocki-3.1_03_ock_obj_mgr.patch new file mode 100644 index 0000000..0056666 --- /dev/null +++ b/ocki-3.1_03_ock_obj_mgr.patch @@ -0,0 +1,129 @@ +commit 099a3a110a733ef3a91c41a88dcd45f15af8a6cd +Author: Joy Latten +Date: Wed Feb 12 12:06:53 2014 -0600 + + Scenario: processA creates private token key object and before he can + use it, processB gets it, uses it, and deletes it. + Because opencryptoki was not checking the global token object count, + process B segfaulted when count was zero, thinking there were objects in + shared memory to search. + Also, it was not checking return code of object_mgr_check_shm() in + object_mgr_find_in_map1 to see if anything was found in shm. + And lastly, return correct error code. + + Signed-off-by: Joy Latten + +diff --git a/usr/lib/pkcs11/common/obj_mgr.c b/usr/lib/pkcs11/common/obj_mgr.c +index 92c11c2..8d42d9e 100755 +--- a/usr/lib/pkcs11/common/obj_mgr.c ++++ b/usr/lib/pkcs11/common/obj_mgr.c +@@ -1340,13 +1340,28 @@ object_mgr_find_in_map1( CK_OBJECT_HANDLE handle, + goto done; + } + +-// SAB XXX Fix me.. need to make it more efficient than just looking for the object to be changed +-// set a global flag that contains the ref count to all objects.. if the shm ref count changes, then we update the object +-// if not +- +- XProcLock(); +- object_mgr_check_shm( obj ); +- XProcUnLock(); ++ /* SAB XXX Fix me.. need to make it more efficient than just looking ++ * for the object to be changed. set a global flag that contains the ++ * ref count to all objects.. if the shm ref count changes, then we ++ * update the object. if not ++ */ ++ ++ /* Note: Each C_Initialize call loads up the public token objects ++ * and build corresponding tree(s). The same for private token objects ++ * upon successful C_Login. Since token objects can be shared, it is ++ * possible another process or session has deleted a token object. ++ * Accounting is done in shm, so check shm to see if object still exists. ++ */ ++ if (!object_is_session_object(obj)) { ++ XProcLock(); ++ rc = object_mgr_check_shm( obj ); ++ XProcUnLock(); ++ ++ if (rc != CKR_OK) { ++ OCK_LOG_ERR(ERR_FUNCTION_FAILED); ++ goto done; ++ } ++ } + + *ptr = obj; + done: +@@ -2101,8 +2116,8 @@ object_mgr_del_from_shm( OBJECT *obj ) + 0, global_shm->num_priv_tok_obj-1, + obj, &index ); + if (rc != CKR_OK){ +- OCK_LOG_ERR(ERR_FUNCTION_FAILED); +- return CKR_FUNCTION_FAILED; ++ OCK_LOG_ERR(ERR_OBJMGR_SEARCH); ++ return rc; + } + // Since the number of objects starts at 1 and index starts at zero, we + // decrement before we get count. This eliminates the need to perform +@@ -2139,8 +2154,8 @@ object_mgr_del_from_shm( OBJECT *obj ) + 0, global_shm->num_publ_tok_obj-1, + obj, &index ); + if (rc != CKR_OK){ +- OCK_LOG_ERR(ERR_FUNCTION_FAILED); +- return CKR_FUNCTION_FAILED; ++ OCK_LOG_ERR(ERR_OBJMGR_SEARCH); ++ return rc; + } + global_shm->num_publ_tok_obj--; + +@@ -2189,25 +2204,36 @@ object_mgr_check_shm( OBJECT *obj ) + // the calling routine is responsible for locking the global_shm mutex + // + ++ /* first check the object count. If it is 0, then just return. */ + priv = object_is_private( obj ); + + if (priv) { ++ ++ if (global_shm->num_priv_tok_obj == 0) { ++ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID); ++ return CKR_OBJECT_HANDLE_INVALID; ++ } + rc = object_mgr_search_shm_for_obj( global_shm->priv_tok_objs, + 0, global_shm->num_priv_tok_obj-1, + obj, &index ); + if (rc != CKR_OK){ +- OCK_LOG_ERR(ERR_FUNCTION_FAILED); +- return CKR_FUNCTION_FAILED; ++ OCK_LOG_ERR(ERR_OBJMGR_SEARCH); ++ return rc; + } + entry = &global_shm->priv_tok_objs[index]; + } + else { ++ ++ if (global_shm->num_publ_tok_obj == 0) { ++ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID); ++ return CKR_OBJECT_HANDLE_INVALID; ++ } + rc = object_mgr_search_shm_for_obj( global_shm->publ_tok_objs, + 0, global_shm->num_publ_tok_obj-1, + obj, &index ); + if (rc != CKR_OK){ +- OCK_LOG_ERR(ERR_FUNCTION_FAILED); +- return CKR_FUNCTION_FAILED; ++ OCK_LOG_ERR(ERR_OBJMGR_SEARCH); ++ return rc; + } + entry = &global_shm->publ_tok_objs[index]; + } +@@ -2256,8 +2282,8 @@ object_mgr_search_shm_for_obj( TOK_OBJ_ENTRY * obj_list, + } + } + } +- OCK_LOG_ERR(ERR_FUNCTION_FAILED); +- return CKR_FUNCTION_FAILED; ++ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID); ++ return CKR_OBJECT_HANDLE_INVALID; + } + + diff --git a/ocki-3.1_04_ep11_opaque2blob_error_handl.patch b/ocki-3.1_04_ep11_opaque2blob_error_handl.patch new file mode 100644 index 0000000..588890f --- /dev/null +++ b/ocki-3.1_04_ep11_opaque2blob_error_handl.patch @@ -0,0 +1,233 @@ +commit 9d445b0294b588a834797e4f8c3d6ea3c1b3da2b +Author: Joy Latten +Date: Wed Feb 12 12:09:14 2014 -0600 + + ep11's h_opaque_2_blob needs to catch the return code from + object_mgr_find_in_map1 and return it. + + Signed-off-by: Joy Latten + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index 1a43ccb..90d3df1 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -1814,12 +1814,12 @@ CK_RV token_specific_derive_key(SESSION *session, CK_MECHANISM_PTR mech, + memset(&secret_op, 0, sizeof(secret_op)); + secret_op.blob_size = blobsize; + +- if (h_opaque_2_blob(hBaseKey, &blob, &blob_len) != CKR_OK) { ++ rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len); ++ if (rc != CKR_OK) { + EP11TOK_ELOG(1,"FAIL hBaseKey=0x%lx",hBaseKey); +- return CKR_CANCEL; ++ return rc; + } + +- + /* Get the keytype to use when creating the key object */ + rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class); + if (rc != CKR_OK) { +@@ -2732,36 +2732,19 @@ CK_RV token_specific_generate_key_pair(SESSION * sess, + private_key_obj->name, public_key_obj, private_key_obj); + } + +- /* Keys should be fully constructed, +- * assign object handles and store keys. +- */ +- rc = object_mgr_create_final(sess, public_key_obj, phPublicKey); +- if (rc != CKR_OK) { +- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL); +- goto error; +- } +- +- rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey); +- if (rc != CKR_OK) { +- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL); +- object_mgr_destroy_object(sess, *phPublicKey); +- public_key_obj = NULL; +- goto error; +- } +- + /* copy CKA_CLASS, CKA_KEY_TYPE to private template */ + if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) { + rc = build_attribute(attr->type, attr->pValue, + attr->ulValueLen, &n_attr); + if (rc != CKR_OK) { + EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc); +- return rc; ++ goto error; + } + + rc = template_update_attribute(private_key_obj->template, n_attr); + if (rc != CKR_OK) { + EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc); +- return rc; ++ goto error; + } + } + +@@ -2770,17 +2753,34 @@ CK_RV token_specific_generate_key_pair(SESSION * sess, + attr->ulValueLen, &n_attr); + if (rc != CKR_OK) { + EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc); +- return rc; ++ goto error; + } + + rc = template_update_attribute(private_key_obj->template, n_attr); + if (rc != CKR_OK) { + EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc); +- return rc; ++ goto error; + } + } + ++ /* Keys should be fully constructed, ++ * assign object handles and store keys. ++ */ ++ rc = object_mgr_create_final(sess, public_key_obj, phPublicKey); ++ if (rc != CKR_OK) { ++ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL); ++ goto error; ++ } ++ ++ rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey); ++ if (rc != CKR_OK) { ++ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL); ++ object_mgr_destroy_object(sess, *phPublicKey); ++ public_key_obj = NULL; ++ goto error; ++ } + return rc; ++ + error: + if (public_key_obj) object_free(public_key_obj); + if (private_key_obj) object_free(private_key_obj); +@@ -2801,11 +2801,13 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, + OBJECT *key_obj; + CK_ATTRIBUTE *attr = NULL; + ep11_opaque *op; ++ CK_RV rc; + + /* find the key obj by the key handle */ +- if (object_mgr_find_in_map1(handle,&key_obj) != CKR_OK) { ++ rc = object_mgr_find_in_map1(handle,&key_obj); ++ if (rc != CKR_OK) { + EP11TOK_ELOG(1,"key 0x%lx not mapped", handle); +- return CKR_FUNCTION_FAILED; ++ return rc; + } + + /* blob already exists */ +@@ -2844,30 +2846,31 @@ CK_RV token_specific_sign_init(SESSION *session, CK_MECHANISM *mech, + return CKR_HOST_MEMORY; + } + +- if (h_opaque_2_blob(key,&privkey_blob,&blob_len) == CKR_OK) { +- rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l, +- mech, privkey_blob, blob_len, ep11tok_target) ; ++ rc = h_opaque_2_blob(key, &privkey_blob, &blob_len); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc); ++ return rc; ++ } + +- /* SIGN_VERIFY_CONTEX holds all needed for continuing, +- * also by another adapter (stateless requests) +- */ +- ctx->key = key; +- ctx->multi = FALSE; +- ctx->active = TRUE; +- ctx->context = ep11_sign_state; +- ctx->context_len = ep11_sign_state_l; ++ rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l, ++ mech, privkey_blob, blob_len, ep11tok_target) ; + +- if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism); +- } else { +- EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism); +- } ++ /* SIGN_VERIFY_CONTEX holds all needed for continuing, ++ * also by another adapter (stateless requests) ++ */ ++ ctx->key = key; ++ ctx->multi = FALSE; ++ ctx->active = TRUE; ++ ctx->context = ep11_sign_state; ++ ctx->context_len = ep11_sign_state_l; + +- return rc; ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism); + } else { +- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc); +- return CKR_FUNCTION_FAILED; ++ EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism); + } ++ ++ return rc; + } + + +@@ -2946,27 +2949,26 @@ CK_RV token_specific_verify_init(SESSION *session, CK_MECHANISM *mech, + return CKR_HOST_MEMORY; + } + +- if (h_opaque_2_blob(key,&spki,&spki_len) == CKR_OK) { +- rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech, +- spki, spki_len, ep11tok_target); +- +- ctx->key = key; +- ctx->multi = FALSE; +- ctx->active = TRUE; +- ctx->context = ep11_sign_state; +- ctx->context_len = ep11_sign_state_l; +- +- if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism); +- } else { +- EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism); +- } +- ++ rc = h_opaque_2_blob(key, &spki, &spki_len); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc); + return rc; ++ } ++ ++ rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech, ++ spki, spki_len, ep11tok_target); ++ ctx->key = key; ++ ctx->multi = FALSE; ++ ctx->active = TRUE; ++ ctx->context = ep11_sign_state; ++ ctx->context_len = ep11_sign_state_l; ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism); + } else { +- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc); +- return CKR_FUNCTION_FAILED; ++ EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism); + } ++ ++ return rc; + } + + +@@ -3169,11 +3171,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech, + return CKR_HOST_MEMORY; + } + +- if (h_opaque_2_blob(key, &blob, &blob_len) != CKR_OK) { ++ rc = h_opaque_2_blob(key, &blob, &blob_len); ++ if (rc != CKR_OK) { + EP11TOK_ELOG(1,"no blob rc=0x%lx",rc); +- return CKR_FUNCTION_FAILED; ++ return rc; + } +- ++ + if (op == DECRYPT) { + rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob, + blob_len, ep11tok_target); diff --git a/ocki-3.1_05_ep11_readme_update.patch b/ocki-3.1_05_ep11_readme_update.patch new file mode 100644 index 0000000..e4c2fce --- /dev/null +++ b/ocki-3.1_05_ep11_readme_update.patch @@ -0,0 +1,187 @@ +commit 6589fae1561d1d050b743d3ff5e0b846616664a0 +Author: Ingo Tuchscherer +Date: Wed Feb 12 15:56:46 2014 -0600 + + EP11: some README updates about usage and restrictions. + + Signed-off-by: Joy Latten + +diff --git a/doc/README.ep11_stdll b/doc/README.ep11_stdll +index dedb76c..e972391 100644 +--- a/doc/README.ep11_stdll ++++ b/doc/README.ep11_stdll +@@ -3,8 +3,8 @@ EP11 Token + + The EP11 token is a token that uses the IBM Crypto Express adapters + (starting with Crypto Express 4S adapters) configured with Enterprise +-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with +-that firmware load are also called CEXnP adapters for n >= 4. ++PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that ++firmware load are also called CEXnP adapters for n >= 4. + + The EP11 token is only supported on the System z architecture and requires a + Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver +@@ -17,14 +17,13 @@ Configuration + ------------- + + To use the EP11 token a slot entry must be defined in the general opencryptoki +-configuration file that sets the stdll attribute to libpkcs11_epp.so. ++configuration file that sets the stdll attribute to libpkcs11_ep11.so. + + A EP11 token specific configuration file must be set up to define the target +-adapters and target adapter domains. The name of the configuration file must +-be defined in the global openCryptoki configuration opencryptoki.conf file +-as part of the token specification using the confname attribute. +- +-E.g. the entry, ++adapters and target adapter domains. The name of the configuration file must be ++defined in the global openCryptoki configuration opencryptoki.conf file as part ++of the token specification using the confname attribute. ++E.g. the entry + + slot 4 + { +@@ -35,39 +34,39 @@ confname = ep11tok.conf + defines the name of the configuration file of the EP11 token to be + ep11tok.conf. Per default this file is searched in the directory where + openCryptoki searches its global configuration file. This default path can +-be overwritten using the OCK_EP11_TOKEN_DIR environment variable. +- +-EP11 token configuration files defines a list of adapter/domain pairs to +-which the EP11 token sends its cryptographic requests. This list can be +-specified as a white list starting with a line containing the key word +-APQN_WHITELIST followed by one or more lines containing each 2 white space +-separted positive integers followed by a line with the key word END. +-In each of these lines the first integer denotes the adapter number +-and the second integer denotes the domain id. Alternatively the keyword +-APQN_ANY can be used to define that all adapter/domain pairs with EP11 +-firmware load that are available to the system shall be used as target +-adapters. An adapter number corresponds to the numerical part xx of an +-adapter id of the form cardxx as displayed by the lszcrypt tool or in +-the sys file system (e.g. in /sys/bus/ap/devices). +-Currently Linux on z only supports a single domain. That domain number +-can be displayed with lszcrypt -b (see the value of ap_domain) or +-alternatively as contents of /sys/bus/ap/ap_domain. ++be overriden using the OCK_EP11_TOKEN_DIR environment variable. ++ ++EP11 token configuration files defines a list of adapter/domain pairs to which ++the EP11 token sends its cryptographic requests. This list can be specified as ++a white list starting with a line containing the key word APQN_WHITELIST ++followed by one or more lines containing each two integers (in the range ++of 0 - 255) separated by a white space. The white list is ended with a line ++containing the key word END. In each of lines of the white list the first ++integer denotes the adapter number and the second integer denotes the domain ++id. Alternatively the keyword APQN_ANY can be used to define that all ++adapter/domain pairs with EP11 firmware load that are available to the system ++shall be used as target adapters. An adapter number corresponds to the ++numerical part xx of an adapter id of the form cardxx as displayed by the ++lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices). ++Currently Linux on z only supports a single domain. That domain number can be ++displayed with lszcrypt -b (see the value of ap_domain) or alternatively as ++contents of /sys/bus/ap/ap_domain. + + In addition to the target adapter a log level can be defined in the EP11 +-configuration file using a line consisting of the key word LOGLEVEL +-followed by an integer between 0 and 9. ++configuration file using a line consisting of the key word LOGLEVEL followed ++by an integer between 0 and 9. + + Logging + ------- + + If a log level greater than 0 is defined in the environment variable +-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 +-configuration file then log entries are written to a log file +-/var/log/ock_ep11_token..log where is the process id of the +-process using the EP11 token. ++OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration ++file then log entries are written to a log file ++/var/log/ock_ep11_token..log where is the process id of the process ++using the EP11 token. + +-Note, that the handling of EP11 logs is subject to change in future +-releases of opencryptoki. ++Note, that the handling of EP11 logs is subject to change in future releases ++of opencryptoki. + + Crypto Express Adapter EP11 Master Key Management + ------------------------------------------------- +@@ -77,28 +76,27 @@ object repository (in the TOK_OBJ directory within the EP11 token directory) + become invalid. + + The key migration tool pkcsep11_migrate can be used to perform the migration +-of the current EP11 master keys to new master keys. Therefore the +-following steps must be performed: +- +-1) on the Trusted Key Entry console (TKE): submit and commit +-new master keys on the EP11 adapter(s) +-2) on Linux: stop all processes using openCryptoki with the EP11 token +-3) on Linux: back up the token object repository of the EP11 token +-4) on Linux: migrate keys of object repository of EP11 token with +-migration tool. If a failure occurs restore the backed up token +-repository and retry step 4 +-5) on the TKE: activate new master keys on the EP11 adapter(s) +-6) on Linux: restart applications using openCryptoki with the EP11 token ++of the current EP11 master keys to new master keys. Therefore the following ++steps must be performed: ++1) On the Trusted Key Entry console (TKE): Submit and commit new master ++keys on the EP11 adapter(s). ++2) On Linux: Stop all processes using openCryptoki with the EP11 token. ++3) On Linux: Back up the token object repository of the EP11 token. ++4) On Linux: Migrate keys of object repository of EP11 token with ++migration tool. If a failure occurs restore the backed up token repository ++and retry step 4. ++5) On the TKE: Activate new master keys on the EP11 adapter(s). ++6) On Linux: Restart applications using openCryptoki with the EP11 token. + + Token specifics + --------------- + +-The EP11 token only supports secure keys (i.e. key wrapped by a master key +-of the Crypto Express adapter). Therefore all keys must have the attribute +-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define +-a (token specific) default for secure keys the attribute must be explicitly +-provided whenever a secret key is generated, unwrapped or created with +-C_CreateObject. In addition all keys used with the EP11 token are extractable ++The EP11 token only supports secure keys (i.e. key wrapped by a master key of ++the Crypto Express adapter). Therefore all keys must have the attribute ++CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a ++(token specific) default for secure keys the attribute must be explicitly ++provided whenever a secret key is generated, unwrapped or build with ++C_CreateObject. In addition all keys used with the EP11 token are extractable. + i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE. + + When creating keys the default values of the attributes CKA_ENCRYPT, +@@ -108,18 +106,21 @@ Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions. + All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than + or equal to 17. + +-See the mechanism list and mechanism info (pkcsconf -m) for supported +-mechanisms together with supported functions and key sizes. +-Note the supported mechanism list is currently fixed and matches the +-most stringent setting of the Crypto Express adapter. ++The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli) ++according to ANSI X9.31. Therefore in the EP11 token the lengths of the ++RSA primes (p or q) must be a multiple of 128 bits and the length of the ++modulus (CKA_MODULUS_BITS) must be a multiple of 256. + +-Temporary Restrictions & Circumventions +---------------------------------------- ++The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have ++a length that is a multiple of the block size of DES3 or AES respectively. + +-Wrapping 192 bit AES keys with the mechanism CKM_AES_CBC is not supported, use +-CKM_AES_CBC_PAD instead. ++See the mechanism list and mechanism info (pkcsconf -m) for supported ++mechanisms together with supported functions and key sizes. Note the ++supported mechanism list is currently fix and matches the most stringent ++setting of the Crypto Express adapter. + +-Importing RAS private keys with C_Unwrap is not supported for key sizes that +-are not a multiple of AES blocksize. No circumvention possible. ++Note, the EP11 coprocessor adapter can be configured to restrict the ++cryptographic capababilities in order for the adapter to comply with specific ++security requirements and regulations. Such restrictions on the adapter impact ++the capabilitiy of the EP11 token. + +-CKM_SHA512_HMAC is not supported. No circumvention possible. diff --git a/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch b/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch new file mode 100644 index 0000000..46bb07b --- /dev/null +++ b/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch @@ -0,0 +1,110 @@ +From 68a30e9bf0e494057a889e06623dd0d8ab95acf7 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 2 Apr 2014 12:03:53 -0500 +Subject: [PATCH 1/6] print_mechanism() ignored bad returncodes from the + called function token_specific_get_mechanism_list(). So + the token init was just running fine but mechanism list + kept empty (eg. because of wrong adapter + configuration). Fixed this and adjusted some of the + related log messages. + +Signed-off-by: Harald Freudenberger +--- + usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 32 +++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index 90d3df1..4e3703b 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -1140,17 +1140,27 @@ static CK_RV print_mechanism(void) + CK_ULONG count = 0; + int i; + CK_MECHANISM_INFO m_info; ++ CK_RV rc; + +- /* only informational */ +- (void) token_specific_get_mechanism_list(list, &count); ++ /* first call is just to fetch the count value */ ++ rc = token_specific_get_mechanism_list(list, &count); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"can't fetch mechanism list."); ++ return rc; ++ } + list = (CK_MECHANISM_TYPE_PTR)malloc(sizeof(CK_MECHANISM_TYPE) * count); + if (!list) { + EP11TOK_ELOG(1,"Memory allocation failed."); + return CKR_HOST_MEMORY; + } + +- /* only informational */ +- (void) token_specific_get_mechanism_list(list, &count); ++ /* now really fill the list */ ++ rc = token_specific_get_mechanism_list(list, &count); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"can't fetch mechanism list!"); ++ free(list); ++ return rc; ++ } + + EP11TOK_LOG(2,"EP11 token mechanism list, %lu entries:", count); + for (i = 0; i < count; i++) { +@@ -1170,6 +1180,7 @@ static CK_RV print_mechanism(void) + EP11TOK_LOG(2," %s {%lu,%lu%s}", ep11_get_ckm(list[i]), + m_info.ulMinKeySize, m_info.ulMaxKeySize, strflags); + } ++ + free(list); + return CKR_OK; + } +@@ -1295,7 +1306,11 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na + } + + /* print mechanismlist to log file */ +- (void)print_mechanism(); ++ rc = print_mechanism(); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"failure on fetching mechanism list rc=0x%lx, maybe wrong config ?", rc); ++ return CKR_GENERAL_ERROR; ++ } + + /* create an AES key needed for importing keys + * (encrypt by wrap_key and m_UnwrapKey by wrap key) +@@ -3528,7 +3543,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList, + rc = m_GetMechanismList(0, pMechanismList, pulCount, + ep11tok_target); + if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"bad rc #1 rc=0x%lx", rc); ++ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc); + return rc; + } + +@@ -3543,7 +3558,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList, + } + rc = m_GetMechanismList(0, mlist, &counter, ep11tok_target); + if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"bad rc #2 rc=0x%lx", rc); ++ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc); + free(mlist); + return rc; + } +@@ -3573,7 +3588,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList, + */ + rc = m_GetMechanismList(0,mlist,&counter,ep11tok_target); + if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"bad rc #3 rc=0x%lx", rc); ++ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc); + return rc; + } + +@@ -3743,6 +3758,7 @@ static int read_adapter_config_file(const char* conf_name) + + if (!conf_name) { + /* no conf_name was given, should not happen */ ++ EP11TOK_ELOG(1,"no conf_name argument found"); + return APQN_FILE_INV_1; + } + +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch b/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch new file mode 100644 index 0000000..c8a2c78 --- /dev/null +++ b/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch @@ -0,0 +1,172 @@ +From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 2 Apr 2014 12:05:12 -0500 +Subject: [PATCH 2/6] Fix failure when confname is not given, use default + ep11tok.conf instead. + +Slight rework on the way how the ep11 token config file is found: +If env has no OCK_EP11_TOKEN_DIR + if confname is not null, try to use it + if this fails, try ock default config dir + confname + if this fails, try ock default config dir + ep11tok.conf +if OCK_EP11_TOKEN_DIR given then + if confname is not null, try OCK_EP11_TOKEN_DIR + confname + if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf +if still unsuccessful then token init will fail. + +Signed-off-by: Harald Freudenberger +--- + usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------ + 1 file changed, 52 insertions(+), 33 deletions(-) + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index 4e3703b..0eea8c9 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism) + static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, + CK_BYTE **blob, size_t *blob_len); + ++#define EP11_DEFAULT_CFG_FILE "ep11tok.conf" + #define EP11_CFG_FILE_SIZE 4096 + + /* error rc for reading the adapter config file */ +@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na + } + } + EP11TOK_LOG(1,"init running"); ++ ++ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... */ ++ rc = read_adapter_config_file(conf_name); ++ if (rc != CKR_OK) { ++ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc); ++ return CKR_GENERAL_ERROR; ++ } + + /* wrap key name */ + memset(wrap_key_name, 0, sizeof(wrap_key_name)); +@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na + return CKR_DEVICE_ERROR; + } + #endif +- +- /* user specified adapter/domain pairs the token is supposed to use */ +- rc = read_adapter_config_file(conf_name); +- if (rc != CKR_OK) { +- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc); +- return CKR_GENERAL_ERROR; +- } +- ++ + /* print mechanismlist to log file */ + rc = print_mechanism(); + if (rc != CKR_OK) { +@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name) + if (ep11_initialized) { + return 0; + } +- ++ + memset(fname,0,PATH_MAX); +- +- if (!conf_name) { +- /* no conf_name was given, should not happen */ +- EP11TOK_ELOG(1,"no conf_name argument found"); +- return APQN_FILE_INV_1; +- } + + /* via envrionment variable it is possible to overwrite the +- * config file given in the opencryptoki.conf. Then we use +- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf. ++ * directory where the ep11 token config file is searched. + */ + if (conf_dir) { +- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name); +- ap_fp = fopen(fname,"r"); +- } +- +- /* if there was no environment variable or fopen failed, use the +- * default given from opencryptoki.conf via conf_name argument. +- */ +- if (!ap_fp) { +- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name); +- ap_fp = fopen(fname,"r"); ++ if (conf_name && strlen(conf_name) > 0) { ++ /* extract filename part from conf_name */ ++ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--); ++ if (i < strlen(conf_name)-1) { ++ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1); ++ fname[sizeof(fname)-1] = '\0'; ++ ap_fp = fopen(fname,"r"); ++ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); ++ } ++ } ++ if (!ap_fp) { ++ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE); ++ fname[sizeof(fname)-1] = '\0'; ++ ap_fp = fopen(fname,"r"); ++ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); ++ } ++ } else { ++ if (conf_name && strlen(conf_name) > 0) { ++ strncpy(fname, conf_name, sizeof(fname)); ++ fname[sizeof(fname)-1] = '\0'; ++ ap_fp = fopen(fname,"r"); ++ if (!ap_fp) { ++ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); ++ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name); ++ fname[sizeof(fname)-1] = '\0'; ++ ap_fp = fopen(fname,"r"); ++ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); ++ } ++ } else { ++ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE); ++ fname[sizeof(fname)-1] = '\0'; ++ ap_fp = fopen(fname,"r"); ++ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); ++ } + } +- ++ + /* now we should really have an open ep11 token config file */ + if (!ap_fp) { + EP11TOK_ELOG(1,"no valid EP 11 config file found"); + return APQN_FILE_INV_2; + } +- ++ + EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname); +- ++ + /* read config file line by line, + * ignore empty and # and copy rest into file buf + */ +@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name) + } + + ep11_targets.length = 0; +- ++ + for (i=0,j=0,str=filebuf; rc == 0; str=NULL) { + /* strtok tokenizes the string, + * delimiters are newline and whitespace. + */ + token = strtok(str, "\n\t "); +- ++ + if (i == 0) { + /* expecting APQN_WHITELIST or APQN_BLACKLIST + * or APQN_ANY or LOGLEVEL or eof. +@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name) + /* do some checks: */ + if (rc == 0) { + if ( !(whitemode || blackmode || anymode)) { +- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY"); ++ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:" ++ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY"); + rc = APQN_FILE_NO_APQN_MODE; + } else if (whitemode || blackmode) { + /* at least one APQN needs to be defined */ +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch b/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch new file mode 100644 index 0000000..1183dc7 --- /dev/null +++ b/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch @@ -0,0 +1,38 @@ +From 2bca1b392214241f84065d7709681c029b43b444 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 14 Apr 2014 11:48:56 -0500 +Subject: [PATCH 3/6] Configure was checking for the ep11 lib and the m_init() + function. As this library will be dynamically loaded at + run time and there is no dependency at build time (but + build will break if ep11 lib is not available) removed + this check. + +Signed-off-by: Harald Freudenberger +--- + configure.in | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/configure.in b/configure.in +index ac41e84..1a1601c 100644 +--- a/configure.in ++++ b/configure.in +@@ -372,14 +372,9 @@ if test "x$with_zcrypt" != "xno"; then + ]) + + if test "x$with_zcrypt" != "xno"; then +- AC_CHECK_LIB([ep11], [m_init], +- [with_zcrypt=yes], [ +- if test "x$with_zcrypt" != "xcheck"; then +- AC_MSG_ERROR([Build with zcrypt requested but zcrypt libraries couldn't be found]) +- fi +- with_zcrypt=no +- ]) ++ with_zcrypt=no + fi ++ + if test "x$with_zcrypt" = "xno"; then + CFLAGS="$old_cflags" + LIBS="$old_libs" +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch b/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch new file mode 100644 index 0000000..3ada476 --- /dev/null +++ b/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch @@ -0,0 +1,35 @@ +From 11e808223faa9c334858e38acacf277079264beb Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 14 Apr 2014 12:02:48 -0500 +Subject: [PATCH 4/6] The asm/zcrypt.h header file uses some std int types and + so the stdint.h include statement should occur before + the zcrypt header file. + +Signed-off-by: Harald Freudenberger +--- + usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index 0eea8c9..373be5b 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -296,6 +296,7 @@ + #include + #include + #include ++#include + + #include "pkcs11types.h" + #include "defs.h" +@@ -314,7 +315,6 @@ + #include + #include + #include +-#include + #include + #include + +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0005-Small-reworks.patch b/ocki-3.1_06_0005-Small-reworks.patch new file mode 100644 index 0000000..6619297 --- /dev/null +++ b/ocki-3.1_06_0005-Small-reworks.patch @@ -0,0 +1,144 @@ +From b0fc36e0e1fd549164a2502213163ce23d2f0138 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Mon, 14 Apr 2014 13:13:11 -0500 +Subject: [PATCH 5/6] Small reworks: - Some of the ock testcase c files are + tracked by git as 755. Fixed, c code files should + appear 644 now. - pkcs11 misc_func test improved to + show not just the mechanism number but also the + (preprocessor defined) mechanism name. - misc speed + test rsa encrypt receive buffer increased so the + "buffer size too small" is fixed now. - misc speed test + rsa uses now an exponent value of 17 (0x01,0x00,0x01) + instead of 3 (0x03). Some tokens (eg. ep11) do not + allow such low exponents and reject RSA key + generation. + +Signed-off-by: Harald Freudenberger +Signed-off-by: Joy Latten +--- + testcases/misc_tests/speed.c | 14 ++++++++------ + testcases/pkcs11/misc_func.c | 3 ++- + 2 files changed, 10 insertions(+), 7 deletions(-) + mode change 100755 => 100644 testcases/crypto/aes_func.c + mode change 100755 => 100644 testcases/crypto/des3_func.c + mode change 100755 => 100644 testcases/crypto/des_func.c + mode change 100755 => 100644 testcases/crypto/digest_func.c + mode change 100755 => 100644 testcases/crypto/dsa_func.c + mode change 100755 => 100644 testcases/crypto/rsa_func.c + mode change 100755 => 100644 testcases/crypto/ssl3_func.c + mode change 100755 => 100644 testcases/pkcs11/misc_func.c + mode change 100755 => 100644 testcases/pkcs11/sess_mgmt.c + mode change 100755 => 100644 testcases/pkcs11/sess_perf.c + +diff --git a/testcases/crypto/aes_func.c b/testcases/crypto/aes_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/des3_func.c b/testcases/crypto/des3_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/des_func.c b/testcases/crypto/des_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/digest_func.c b/testcases/crypto/digest_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/dsa_func.c b/testcases/crypto/dsa_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/crypto/ssl3_func.c b/testcases/crypto/ssl3_func.c +old mode 100755 +new mode 100644 +diff --git a/testcases/misc_tests/speed.c b/testcases/misc_tests/speed.c +index 102ba72..5df3169 100755 +--- a/testcases/misc_tests/speed.c ++++ b/testcases/misc_tests/speed.c +@@ -60,6 +60,7 @@ long speed_process_time(SYSTEMTIME t1, SYSTEMTIME t2) + int do_RSA_PKCS_EncryptDecrypt( void ) + { + CK_BYTE data1[100]; ++ CK_BYTE data2[200]; + CK_BYTE signature[256]; + CK_SLOT_ID slot_id; + CK_SESSION_HANDLE session; +@@ -69,14 +70,14 @@ int do_RSA_PKCS_EncryptDecrypt( void ) + CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; + CK_ULONG user_pin_len; + CK_ULONG i; +- CK_ULONG len1, sig_len; ++ CK_ULONG len1, len2, sig_len; + CK_RV rc; + + SYSTEMTIME t1, t2; + CK_ULONG diff, min_time, max_time, avg_time; + + CK_ULONG bits = 1024; +- CK_BYTE pub_exp[] = { 0x3 }; ++ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; + + CK_ATTRIBUTE pub_tmpl[] = + { +@@ -190,7 +191,8 @@ int do_RSA_PKCS_EncryptDecrypt( void ) + return FALSE; + } + +- rc = funcs->C_Decrypt( session, signature,sig_len,data1, &len1 ); ++ len2 = sizeof(data2); ++ rc = funcs->C_Decrypt( session, signature, sig_len, data2, &len2 ); + if (rc != CKR_OK) { + show_error(" C_Decrypt #1", rc ); + return FALSE; +@@ -259,7 +261,7 @@ int do_RSA_KeyGen_2048( void ) + { + SYSTEMTIME t1, t2; + CK_ULONG bits = 2048; +- CK_BYTE pub_exp[] = { 0x3 }; ++ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; + + CK_ATTRIBUTE pub_tmpl[] = + { +@@ -368,7 +370,7 @@ int do_RSA_KeyGen_1024( void ) + { + SYSTEMTIME t1, t2; + CK_ULONG bits = 1024; +- CK_BYTE pub_exp[] = { 0x3 }; ++ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; + + CK_ATTRIBUTE pub_tmpl[] = + { +@@ -468,7 +470,7 @@ int do_RSA_PKCS_SignVerify_1024( void ) + CK_ULONG diff, min_time, max_time, avg_time; + + CK_ULONG bits = 1024; +- CK_BYTE pub_exp[] = { 0x3 }; ++ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; + + CK_ATTRIBUTE pub_tmpl[] = + { +diff --git a/testcases/pkcs11/misc_func.c b/testcases/pkcs11/misc_func.c +old mode 100755 +new mode 100644 +index 8103649..d6619fd +--- a/testcases/pkcs11/misc_func.c ++++ b/testcases/pkcs11/misc_func.c +@@ -602,7 +602,8 @@ CK_RV do_GetMechanismInfo( void ) + return rc; + } + +- printf(" Mechanism #%ld\n", mech_list[i] ); ++ printf(" Mechanism #%ld %s\n", mech_list[i], ++ p11_get_ckm(mech_list[i]) ); + printf(" ulMinKeySize: %ld\n", info.ulMinKeySize ); + printf(" ulMaxKeySize: %ld\n", info.ulMaxKeySize ); + printf(" flags: %p\n", (void *)info.flags ); +diff --git a/testcases/pkcs11/sess_mgmt.c b/testcases/pkcs11/sess_mgmt.c +old mode 100755 +new mode 100644 +diff --git a/testcases/pkcs11/sess_perf.c b/testcases/pkcs11/sess_perf.c +old mode 100755 +new mode 100644 +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch b/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch new file mode 100644 index 0000000..9fa3b14 --- /dev/null +++ b/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch @@ -0,0 +1,32 @@ +From 10f4766cd6782f3d15e42a985cdf909fe4c7762e Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Tue, 15 Apr 2014 13:16:33 -0500 +Subject: [PATCH 6/6] The 31 bit build on s390 showed an build error at + initialization of an static long long variable which + gets an address assigned. Fixed and tested on 31 and 64 + bit. + +Signed-off-by: Harald Freudenberger +--- + usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +index 373be5b..5aa890b 100644 +--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ++++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c +@@ -407,9 +407,9 @@ static ep11_target_t ep11_targets; + /* defined in the makefile, ep11 library can run standalone (without HW card), + crypto algorithms are implemented in software then (no secure key) */ + #ifdef EP11_STANDALONE +-unsigned long long ep11tok_target = 0x0000000100000008ull; ++static unsigned long long ep11tok_target = 0x0000000100000008ull; + #else +-unsigned long long ep11tok_target = (unsigned long long) &ep11_targets; ++static void* ep11tok_target = (void*) &ep11_targets; + #endif + + /* */ +-- +1.7.12.4 + diff --git a/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch b/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch new file mode 100644 index 0000000..0ebabab --- /dev/null +++ b/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch @@ -0,0 +1,27 @@ +From 5b8d304e050467e4acfd02dcefdcebad0e61c472 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 30 Apr 2014 11:42:29 -0500 +Subject: [PATCH] ep11 is not building because not setting with_zcrypt + correctly. + +Signed-off-by: Harald Freudenberger +--- + configure.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.in b/configure.in +index 1a1601c..66bb329 100644 +--- a/configure.in ++++ b/configure.in +@@ -372,7 +372,7 @@ if test "x$with_zcrypt" != "xno"; then + ]) + + if test "x$with_zcrypt" != "xno"; then +- with_zcrypt=no ++ with_zcrypt=yes + fi + + if test "x$with_zcrypt" = "xno"; then +-- +1.7.12.4 + diff --git a/openCryptoki-tmp.conf b/openCryptoki-tmp.conf new file mode 100644 index 0000000..d178e4b --- /dev/null +++ b/openCryptoki-tmp.conf @@ -0,0 +1,7 @@ +# Lock directories needed by openCryptoki +D /var/lock/opencryptoki/swtok 0770 root pkcs11 +D /var/lock/opencryptoki/lite 0770 root pkcs11 +D /var/lock/opencryptoki/tpm 0770 root pkcs11 +D /var/lock/opencryptoki/ccatok 0770 root pkcs11 +D /var/lock/opencryptoki/icsf 0770 root pkcs11 +D /var/lock/opencryptoki/ep11tok 0770 root pkcs11 diff --git a/openCryptoki.changes b/openCryptoki.changes index ac894e1..dba1ee7 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,64 @@ +------------------------------------------------------------------- +Thu Jun 26 06:55:03 UTC 2014 - jjolly@suse.com + +- Several package changes as per bnc#880217 + - Added openCryptoki-tmp.conf for lock directory management + - Added 'lite' token support + - Changed from init.d daemon to systemd service + - Updated macros in %pre %post %preun and %postun sections + - Added missing icsf and ep11tok directories to %files section + +------------------------------------------------------------------- +Thu Jun 5 13:28:29 UTC 2014 - jjolly@suse.com + +- Moved libpkcs11_icsf 32-bit out of s390-specific files + +------------------------------------------------------------------- +Thu Jun 5 13:00:31 UTC 2014 - jjolly@suse.com + +- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x +- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x + +------------------------------------------------------------------- +Thu Jun 5 05:06:34 UTC 2014 - jjolly@suse.com + +- EP11 token available in the opencryptoki V3.1 package (bnc#879303) + - Specfile changed to include ep11tok.conf + - Specfile changed to include pkcsep11_migrate and pkcsicsf tools + - Specfile changed to BuildRequires openldap2-devel + - ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + - print_mechanism() ignored bad returncodes from the called + function token_specific_get_mechanism_list() + - ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + - Fix failure when confname is not given, use default + ep11tok.conf instead + - ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + - Removed check for ep11 lib at configure + - ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + - Move stdint.h before zcrypt.h to resolve dependencies + - ocki-3.1_06_0005-Small-reworks.patch + - testcase fixes and file permission changes + - ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + - Fix for s390 31-bit build error + - ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + - zcrypt library included in build by default + +------------------------------------------------------------------- +Fri Mar 7 19:03:59 UTC 2014 - jjolly@suse.com + +- Patches applied (bnc#865549) + - Fixed Makefile to complement common code dependencies + - switched to official m_init() function based on library change + - checking the global token object count + - catch the return code from object_mgr_find_in_map1 + - some README updates about usage and restrictions + +------------------------------------------------------------------- +Wed Mar 5 17:58:21 CET 2014 - ro@suse.de + +- fix build on x86 (add CCA and TPM to filelist) +- fix libica detection on s390/s390x to get ICA module built + ------------------------------------------------------------------- Mon Feb 4 17:16:25 UTC 2014 - jjolly@suse.com diff --git a/openCryptoki.spec b/openCryptoki.spec index 52adcc9..97c6dd2 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -25,15 +25,28 @@ %define pkcs11_group_id 64 %define oc_cvs_tag opencryptoki +%if 0%{?suse_version} > 1220 +%define uses_systemd 1 +%else +%define uses_systemd 0 +%endif + Name: openCryptoki BuildRequires: bison BuildRequires: flex BuildRequires: gcc-c++ -BuildRequires: libica +%ifarch s390 s390x +BuildRequires: libica-2_3_0-devel +%endif BuildRequires: libtool +BuildRequires: openldap2-devel BuildRequires: openssl-devel BuildRequires: pwdutils BuildRequires: trousers-devel +%if %{uses_systemd} +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%endif Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: IPL-1.0 Group: Productivity/Security @@ -44,9 +57,23 @@ Release: 0 Source: %{oc_cvs_tag}-v%{version}.tar.bz2 Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html +Source3: openCryptoki-tmp.conf Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch Patch2: ocki-3.1-fix-init_d-path.patch Patch3: ocki-3.1-fix-implicit-decl.patch +Patch4: ocki-3.1-fix-libica-link.patch +Patch5: ocki-3.1_01_ep11_makefile.patch +Patch6: ocki-3.1_02_ep11_m_init.patch +Patch7: ocki-3.1_03_ock_obj_mgr.patch +Patch8: ocki-3.1_04_ep11_opaque2blob_error_handl.patch +Patch9: ocki-3.1_05_ep11_readme_update.patch +Patch10: ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch +Patch11: ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch +Patch12: ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch +Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch +Patch14: ocki-3.1_06_0005-Small-reworks.patch +Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch +Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq @@ -127,11 +154,32 @@ Cryptographic Accelerator (FC 4960 on pSeries). %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 cp %{SOURCE2} . %build autoreconf --force --install -CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} +CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \ + --prefix=/usr \ + --libdir=%{_libdir} \ + --enable-tpmtok \ +%if %{uses_systemd} + --with-systemd=/usr/lib/systemd/system \ +%endif + --sysconfdir=%{_sysconfdir} \ + --localstatedir=%{_localstatedir} make %install @@ -140,14 +188,23 @@ install -d $RPM_BUILD_ROOT/usr/include install -d $RPM_BUILD_ROOT/var/lib/opencryptoki install -d $RPM_BUILD_ROOT/etc/init.d install -d $RPM_BUILD_ROOT/usr/sbin +%if %{uses_systemd} +install -d $RPM_BUILD_ROOT/usr/lib/tmpfiles.d +install -m 644 %{S:3} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/openCryptoki-tmp.conf +ln -s /usr/sbin/service $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd +%else install -m 544 %{S:1} $RPM_BUILD_ROOT/etc/init.d/pkcsslotd ln -sfv ../../etc/init.d/pkcsslotd $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd +%endif rm -rf $RPM_BUILD_ROOT/tmp # Remove all development files rm -f $RPM_BUILD_ROOT${_libdir}/opencryptoki/libopencryptoki.la rm -f $RPM_BUILD_ROOT/%_libdir/opencryptoki/methods %pre +%if %{uses_systemd} +%{service_add_pre pkcsslotd.service} +%endif # autobuild:/work/cd/lib/misc/group # openCryptoki pkcs11:x:64: /usr/sbin/groupadd -g %pkcs11_group_id -r pkcs11 2>/dev/null || true @@ -162,7 +219,11 @@ s/^,// '),pkcs11 root %preun +%if %{uses_systemd} +%{service_del_preun pkcsslotd.service} +%else %{stop_on_removal pkcsslotd} +%endif %post # Symlink from /var/lib/opencryptoki to /etc/pkcs11 @@ -174,14 +235,22 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then fi fi /sbin/ldconfig +%if %{uses_systemd} +%{service_add_post pkcsslotd.service} +%else %{fillup_and_insserv -f pkcsslotd} +%endif %postun if [ -L %{_sysconfdir}/pkcs11 ] ; then rm %{_sysconfdir}/pkcs11 fi +%if %{uses_systemd} +%{service_del_postun pkcsslotd.service} +%else %{restart_on_update pkcsslotd} %{insserv_cleanup} +%endif %ifarch %openCryptoki_32bit_arch @@ -194,13 +263,14 @@ fi cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods rm -rf %{_libdir}/pkcs11/stdll -if [ -d %{_libdir}/pkcs11 ] ; then - cd %{_libdir}/pkcs11 - ln -sf ../opencryptoki/stdll stdll - cd stdll - [ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true - [ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true -fi +test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11 +cd /usr/lib/pkcs11 +ln -sf ../opencryptoki/stdll stdll +cd stdll +[ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true +[ -f libpkcs11_tpm.so ] && ln -sf ./libpkcs11_tpm.so PKCS11_TPM.so || true +[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true +[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true /sbin/ldconfig %endif %ifarch %openCryptoki_64bit_arch @@ -218,11 +288,25 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 # configuration directory %dir /etc/opencryptoki %config /etc/opencryptoki/opencryptoki.conf +%ifarch s390 s390x +%config /etc/opencryptoki/ep11tok.conf +/usr/sbin/pkcsep11_migrate +%endif +%if %{uses_systemd} +/usr/lib/systemd/system/pkcsslotd.service +/usr/lib/tmpfiles.d/openCryptoki-tmp.conf +%else /etc/init.d/pkcsslotd +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok +%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm +%endif /usr/sbin/rcpkcsslotd # utilities /usr/sbin/pkcsslotd /usr/sbin/pkcsconf +/usr/sbin/pkcsicsf %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll # State and lock directories @@ -232,10 +316,13 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ %dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/icsf +%ifarch s390 s390x +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok +%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ +%endif %{_mandir}/man*/* %files devel @@ -254,16 +341,19 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %{_libdir}/opencryptoki/libopencryptoki.so %ghost %{_libdir}/opencryptoki/PKCS11_API.so %{_libdir}/opencryptoki/*.0 -%ifnarch s390 s390x %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so -%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so -%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so -%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so -%else +%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so +%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so +%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so +%ifarch s390 s390x %{_libdir}/opencryptoki/stdll/libpkcs11_ica.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so +%ghost %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so %endif %{_libdir}/opencryptoki/stdll/*.0 %dir %{_libdir}/pkcs11 From f04f03e4fbf0c6717558d5d40217f35b71472f2dde6787bdffeea40007ec6314 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 2 Sep 2014 14:33:18 +0000 Subject: [PATCH 2/3] Accepting request 244776 from home:sfalken:branches:security - Specfile Cleanup, Added directory macros in appropriate places OBS-URL: https://build.opensuse.org/request/show/244776 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=18 --- openCryptoki.changes | 5 +++++ openCryptoki.spec | 26 +++++++++++++------------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/openCryptoki.changes b/openCryptoki.changes index dba1ee7..a2f27ab 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Aug 15 02:14:21 UTC 2014 - sfalken@opensuse.org + +- Specfile Cleanup, Added directory macros in appropriate places + ------------------------------------------------------------------- Thu Jun 26 06:55:03 UTC 2014 - jjolly@suse.com diff --git a/openCryptoki.spec b/openCryptoki.spec index 97c6dd2..b02992b 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -180,10 +180,10 @@ CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \ %endif --sysconfdir=%{_sysconfdir} \ --localstatedir=%{_localstatedir} -make +%__make %install -make install DESTDIR=$RPM_BUILD_ROOT INSROOT=$RPM_BUILD_ROOT +%make_install DESTDIR=$RPM_BUILD_ROOT INSROOT=$RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/usr/include install -d $RPM_BUILD_ROOT/var/lib/opencryptoki install -d $RPM_BUILD_ROOT/etc/init.d @@ -286,27 +286,27 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %defattr(-,root,root) %doc openCryptoki-TFAQ.html # configuration directory -%dir /etc/opencryptoki -%config /etc/opencryptoki/opencryptoki.conf +%dir %{_sysconfdir}/opencryptoki +%config %{_sysconfdir}/opencryptoki/opencryptoki.conf %ifarch s390 s390x -%config /etc/opencryptoki/ep11tok.conf -/usr/sbin/pkcsep11_migrate +%config %{_sysconfdir}/opencryptoki/ep11tok.conf +%{_sbindir}/pkcsep11_migrate %endif %if %{uses_systemd} -/usr/lib/systemd/system/pkcsslotd.service -/usr/lib/tmpfiles.d/openCryptoki-tmp.conf +%{_prefix}/lib/systemd/system/pkcsslotd.service +%{_prefix}/lib/tmpfiles.d/openCryptoki-tmp.conf %else -/etc/init.d/pkcsslotd +%{_sysconfdir}/init.d/pkcsslotd %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok %ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm %endif -/usr/sbin/rcpkcsslotd +%{_sbindir}/rcpkcsslotd # utilities -/usr/sbin/pkcsslotd -/usr/sbin/pkcsconf -/usr/sbin/pkcsicsf +%{_sbindir}/pkcsslotd +%{_sbindir}/pkcsconf +%{_sbindir}/pkcsicsf %dir %{_libdir}/opencryptoki %dir %{_libdir}/opencryptoki/stdll # State and lock directories From eb0091de2eeb4272f06ad6e50339d332e776d504bf68717a34a3c92c7394de09 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Tue, 2 Sep 2014 14:42:54 +0000 Subject: [PATCH 3/3] ocki-3.1_01_ep11_makefile.patch ocki-3.1_02_ep11_m_init.patch - Patches added: ocki-3.1-fix-libica-link.patch ocki-3.1_03_ock_obj_mgr.patch ocki-3.1_04_ep11_opaque2blob_error_handl.patch ocki-3.1_05_ep11_readme_update.patch ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch ocki-3.1_06_0005-Small-reworks.patch ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=19 --- openCryptoki.changes | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/openCryptoki.changes b/openCryptoki.changes index a2f27ab..4410e12 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -12,6 +12,21 @@ Thu Jun 26 06:55:03 UTC 2014 - jjolly@suse.com - Changed from init.d daemon to systemd service - Updated macros in %pre %post %preun and %postun sections - Added missing icsf and ep11tok directories to %files section + ocki-3.1_01_ep11_makefile.patch + ocki-3.1_02_ep11_m_init.patch + +- Patches added: + ocki-3.1-fix-libica-link.patch + ocki-3.1_03_ock_obj_mgr.patch + ocki-3.1_04_ep11_opaque2blob_error_handl.patch + ocki-3.1_05_ep11_readme_update.patch + ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + ocki-3.1_06_0005-Small-reworks.patch + ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch ------------------------------------------------------------------- Thu Jun 5 13:28:29 UTC 2014 - jjolly@suse.com