Accepting request 412843 from home:markkp:branches:security

Latest patch from IBM.

OBS-URL: https://build.opensuse.org/request/show/412843
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=38

ocki-3.5-create-missing-tpm-token-lock-directory.patch

@@ -0,0 +1,83 @@
+commit aeea198cb8ea640cd37735365ee51a03aca67036
+Author: Vineetha Pai <vpishar@us.ibm.com>
+Date:   Mon Jul 18 15:41:24 2016 -0400
+
+    create missing tpm lock directory from tpm stdll.
+    tpm token does not use common/utility function to create token lock
+    directory. Hence the patch to create missing lock directories was not
+    working on tpm token. Modified the tpm stdll code to create the token
+    lock directory if it is missing on the system.
+    Signed-off-by: Vineetha Pai <vpishar@us.ibm.com>
+
+diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
+index e7978d3..2a20d7d 100644
+--- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
++++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
+@@ -44,6 +44,7 @@
+ #include <errno.h>
+ #include <pwd.h>
+ #include <syslog.h>
++#include <grp.h>
+ 
+ #include <openssl/des.h>
+ #include <openssl/rand.h>
+@@ -3393,10 +3394,13 @@ int
+ token_specific_creatlock(void)
+ {
+ 	CK_BYTE lockfile[PATH_MAX];
++	CK_BYTE lockdir[PATH_MAX];
+ 	struct passwd *pw = NULL;
+ 	struct stat statbuf;
+ 	mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR);
+ 	int lockfd;
++	int ret = -1;
++	struct group *grp;
+ 
+ 	/* get userid */
+ 	if ((pw = getpwuid(getuid())) == NULL) {
+@@ -3404,6 +3408,45 @@ token_specific_creatlock(void)
+ 		return -1;
+ 	}
+ 
++	/** create lock subdir for each token if it doesn't exist.
++	 * The root /var/lock/opencryptoki directory should be created in slotmgr
++	 * daemon **/
++	sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
++
++	ret = stat(lockdir, &statbuf);
++	if (ret != 0 && errno == ENOENT) {
++		/* dir does not exist, try to create it */
++		ret  = mkdir(lockdir, S_IRWXU|S_IRWXG);
++		if (ret != 0) {
++			OCK_SYSLOG(LOG_ERR,
++					"Directory(%s) missing: %s\n",
++					lockdir,
++					strerror(errno));
++			goto err;
++		}
++		grp = getgrnam("pkcs11");
++		if (grp == NULL) {
++			fprintf(stderr, "getgrname(pkcs11): %s",
++					strerror(errno));
++			goto err;
++		}
++		/* set ownership to euid, and pkcs11 group */
++		if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
++			fprintf(stderr, "Failed to set owner:group \
++					ownership\
++					on %s directory", lockdir);
++			goto err;
++		}
++		/* mkdir does not set group permission right, so
++		 ** trying explictly here again */
++		if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
++			fprintf(stderr, "Failed to change \
++					permissions\
++					on %s directory", lockdir);
++			goto err;
++		}
++	}
++
+ 	/* create user-specific directory */
+ 	sprintf(lockfile, "%s/%s/%s", LOCKDIR_PATH, SUB_DIR, pw->pw_name);
+ 

openCryptoki.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Jul 19 17:07:16 UTC 2016 - mpost@suse.com
+
+- Added ocki-3.5-create-missing-tpm-token-lock-directory.patch
+  (bsc#989602).
+
 -------------------------------------------------------------------
 Fri Jul  8 18:06:42 UTC 2016 - mpost@suse.com
 

openCryptoki.spec

@@ -70,6 +70,7 @@ Patch5:         ocki-3.5-downgrade-syslogerror.patch
 Patch6:         ocki-3.5-icsf-sessionhandle-missing-fix.patch
 Patch7:         ocki-3.5-icsf-reasoncode-2028-added.patch
 Patch8:         ocki-3.5-added-NULLreturn-check.patch
+Patch9:         ocki-3.5-create-missing-tpm-token-lock-directory.patch
 
 Url:            https://sourceforge.net/projects/opencryptoki/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -156,6 +157,7 @@ Cryptographic Accelerator (FC 4960 on pSeries).
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 cp %{SOURCE2} .