From e9742235f7b111e35262a5a7e84dae020ffcee2c7714ad4b1d424929a7376d38 Mon Sep 17 00:00:00 2001
From: Mark Post
Date: Tue, 17 Jan 2017 20:14:46 +0000
Subject: [PATCH] - Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081)
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=55
---
ocki-3.5-added-NULLreturn-check.patch | 51 --
...ate-missing-tpm-token-lock-directory.patch | 83 ---
ocki-3.5-downgrade-syslogerror.patch | 20 -
ocki-3.5-fix-pkcscca-calls.patch | 35 -
ocki-3.5-icsf-reasoncode-2028-added.patch | 21 -
ocki-3.5-icsf-reasoncode72-support.patch | 19 -
ocki-3.5-icsf-sessionhandle-missing-fix.patch | 418 -----------
ocki-3.5-sanity-checking.patch | 674 ------------------
openCryptoki.changes | 5 +
openCryptoki.pkcsslotd | 3 -
opencryptoki-3.5.tgz | 3 -
11 files changed, 5 insertions(+), 1327 deletions(-)
delete mode 100644 ocki-3.5-added-NULLreturn-check.patch
delete mode 100644 ocki-3.5-create-missing-tpm-token-lock-directory.patch
delete mode 100644 ocki-3.5-downgrade-syslogerror.patch
delete mode 100644 ocki-3.5-fix-pkcscca-calls.patch
delete mode 100644 ocki-3.5-icsf-reasoncode-2028-added.patch
delete mode 100644 ocki-3.5-icsf-reasoncode72-support.patch
delete mode 100644 ocki-3.5-icsf-sessionhandle-missing-fix.patch
delete mode 100644 ocki-3.5-sanity-checking.patch
delete mode 100644 opencryptoki-3.5.tgz
diff --git a/ocki-3.5-added-NULLreturn-check.patch b/ocki-3.5-added-NULLreturn-check.patch
deleted file mode 100644
index 5266680..0000000
--- a/ocki-3.5-added-NULLreturn-check.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-commit ca61c6e68ecd04c5f319056a6a3eba4b261f5481
-Author: Jakub Jelen
-Date: Tue Jun 28 16:23:06 2016 -0400
-
- Coverity:Check for NULL returns
-
Signed-off-by: Jakub Jelen
-
-diff --git a/usr/lib/pkcs11/common/utility.c b/usr/lib/pkcs11/common/utility.c
-index 3cbb8da..39ecae8 100755
---- a/usr/lib/pkcs11/common/utility.c
-+++ b/usr/lib/pkcs11/common/utility.c
-@@ -589,6 +589,11 @@ CK_RV CreateXProcLock(void)
- goto err;
- }
- grp = getgrnam("pkcs11");
-+ if (grp == NULL) {
-+ fprintf(stderr, "getgrname(pkcs11): %s",
-+ strerror(errno));
-+ goto err;
-+ }
- /* set ownership to euid, and pkcs11 group */
- if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
- fprintf(stderr, "Failed to set owner:group \
-diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
-index 9863d52..9478e92 100644
---- a/usr/lib/pkcs11/icsf_stdll/new_host.c
-+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
-@@ -813,6 +813,11 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
- }
-
- sess = session_mgr_find(*phSession);
-+ if (!sess) {
-+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
-+ rc = CKR_SESSION_HANDLE_INVALID;
-+ goto done;
-+ }
- sess->handle = *phSession;
- rc = icsftok_open_session(sess);
- done:
-@@ -835,6 +840,11 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
- }
-
- sess = session_mgr_find(sSession->sessionh);
-+ if (!sess) {
-+ TRACE_ERROR("%s\n", ock_err(ERR_SESSION_HANDLE_INVALID));
-+ rc = CKR_SESSION_HANDLE_INVALID;
-+ goto done;
-+ }
- //set the handle here as handle is never set into session during creation
- sess->handle = sSession->sessionh;
- rc = icsftok_close_session(sess);
diff --git a/ocki-3.5-create-missing-tpm-token-lock-directory.patch b/ocki-3.5-create-missing-tpm-token-lock-directory.patch
deleted file mode 100644
index 37f4cb4..0000000
--- a/ocki-3.5-create-missing-tpm-token-lock-directory.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-commit aeea198cb8ea640cd37735365ee51a03aca67036
-Author: Vineetha Pai
-Date: Mon Jul 18 15:41:24 2016 -0400
-
- create missing tpm lock directory from tpm stdll.
- tpm token does not use common/utility function to create token lock
- directory. Hence the patch to create missing lock directories was not
- working on tpm token. Modified the tpm stdll code to create the token
- lock directory if it is missing on the system.
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-index e7978d3..2a20d7d 100644
---- a/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-+++ b/usr/lib/pkcs11/tpm_stdll/tpm_specific.c
-@@ -44,6 +44,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -3393,10 +3394,13 @@ int
- token_specific_creatlock(void)
- {
- CK_BYTE lockfile[PATH_MAX];
-+ CK_BYTE lockdir[PATH_MAX];
- struct passwd *pw = NULL;
- struct stat statbuf;
- mode_t mode = (S_IRUSR|S_IWUSR|S_IXUSR);
- int lockfd;
-+ int ret = -1;
-+ struct group *grp;
-
- /* get userid */
- if ((pw = getpwuid(getuid())) == NULL) {
-@@ -3404,6 +3408,45 @@ token_specific_creatlock(void)
- return -1;
- }
-
-+ /** create lock subdir for each token if it doesn't exist.
-+ * The root /var/lock/opencryptoki directory should be created in slotmgr
-+ * daemon **/
-+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
-+
-+ ret = stat(lockdir, &statbuf);
-+ if (ret != 0 && errno == ENOENT) {
-+ /* dir does not exist, try to create it */
-+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
-+ if (ret != 0) {
-+ OCK_SYSLOG(LOG_ERR,
-+ "Directory(%s) missing: %s\n",
-+ lockdir,
-+ strerror(errno));
-+ goto err;
-+ }
-+ grp = getgrnam("pkcs11");
-+ if (grp == NULL) {
-+ fprintf(stderr, "getgrname(pkcs11): %s",
-+ strerror(errno));
-+ goto err;
-+ }
-+ /* set ownership to euid, and pkcs11 group */
-+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
-+ fprintf(stderr, "Failed to set owner:group \
-+ ownership\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ /* mkdir does not set group permission right, so
-+ ** trying explictly here again */
-+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
-+ fprintf(stderr, "Failed to change \
-+ permissions\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ }
-+
- /* create user-specific directory */
- sprintf(lockfile, "%s/%s/%s", LOCKDIR_PATH, SUB_DIR, pw->pw_name);
-
diff --git a/ocki-3.5-downgrade-syslogerror.patch b/ocki-3.5-downgrade-syslogerror.patch
deleted file mode 100644
index db3d88f..0000000
--- a/ocki-3.5-downgrade-syslogerror.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-commit 786b6a4223119501f4aa7faf5a413c1ba10e38f6
-Author: Vineetha Pai
-Date: Tue May 31 15:15:14 2016 -0400
-
- Downgraded a syslog error to warning
- Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/api/apiutil.c b/usr/lib/pkcs11/api/apiutil.c
-index ce0dc18..ec50f71 100755
---- a/usr/lib/pkcs11/api/apiutil.c
-+++ b/usr/lib/pkcs11/api/apiutil.c
-@@ -820,7 +820,7 @@ DLL_Load_t *dllload;
-
- } else {
- char *e = dlerror();
-- OCK_SYSLOG(LOG_ERR,
-+ OCK_SYSLOG(LOG_WARNING,
- "%s: dlopen() failed for [%s]; dlerror = [%s]\n",
- __FUNCTION__, sinfp->dll_location, e);
- TRACE_DEVEL("DL_Load of %s failed, dlerror: %s\n",
diff --git a/ocki-3.5-fix-pkcscca-calls.patch b/ocki-3.5-fix-pkcscca-calls.patch
deleted file mode 100644
index 907444e..0000000
--- a/ocki-3.5-fix-pkcscca-calls.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 814e5861701798b4f5872fcc20f7292f79987104 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto
-Date: Tue, 30 Aug 2016 16:46:40 -0300
-Subject: [PATCH] PKCSCCA: Fix symbol name to get the correct address
-
-The csulincl.h file was changed to substitute the xxx_32 bit API
-declarations with the latest CCA v5. In order to pkcscca work and avoid
-"Illegal Instruction" we had to fix the symbol name that should be called
-based on the csulincl.h change.
-
-Signed-off-by: Eduardo Barretto
----
- usr/sbin/pkcscca/pkcscca.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
-index 6d9f8dd..05caea3 100644
---- a/usr/sbin/pkcscca/pkcscca.c
-+++ b/usr/sbin/pkcscca/pkcscca.c
-@@ -1387,9 +1387,9 @@ int main(int argc, char **argv)
- return -1;
- }
-
-- CSNDKTC = dlsym(lib_csulcca, "CSNDKTC_32");
-- CSNBKTC = dlsym(lib_csulcca, "CSNBKTC_32");
-- CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2_32");
-+ CSNDKTC = dlsym(lib_csulcca, "CSNDKTC");
-+ CSNBKTC = dlsym(lib_csulcca, "CSNBKTC");
-+ CSNBKTC2 = dlsym(lib_csulcca, "CSNBKTC2");
- ret = migrate_wrapped_keys(slot_id, userpin, masterkey);
- }
- done:
---
-1.9.1
-
diff --git a/ocki-3.5-icsf-reasoncode-2028-added.patch b/ocki-3.5-icsf-reasoncode-2028-added.patch
deleted file mode 100644
index 422b64e..0000000
--- a/ocki-3.5-icsf-reasoncode-2028-added.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit f45ddf572c05cbeb54c524805060256a33435149
-Author: Vineetha Pai
-Date: Tue Jun 21 17:06:25 2016 -0400
-
- Added support for rc=8, reasoncode=2028 in icsf token
- bz#142190
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-index 1c25cd2..c9b986b 100644
---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-@@ -233,6 +233,8 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
- switch(icsf_reason_code) {
- case 2154:
- return CKR_KEY_TYPE_INCONSISTENT;
-+ case 2028:
-+ return CKR_WRAPPED_KEY_INVALID;
- case 3003:
- return CKR_BUFFER_TOO_SMALL;
- case 3019:
diff --git a/ocki-3.5-icsf-reasoncode72-support.patch b/ocki-3.5-icsf-reasoncode72-support.patch
deleted file mode 100644
index fe67ed9..0000000
--- a/ocki-3.5-icsf-reasoncode72-support.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-commit 165a1020da10ddbdc39e51e9a411a5c09f6dbae6
-Author: Vineetha Pai
-Date: Thu May 19 16:46:51 2016 -0400
-
- Added pkcs11 mapping for icsf reason code 72 for return code 8
- Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-index d71b19f..5b7fb45 100644
---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c
-@@ -258,6 +258,7 @@ int icsf_to_ock_err(int icsf_return_code, int icsf_reason_code)
- return CKR_KEY_HANDLE_INVALID;
- case 3045:
- return CKR_KEY_UNEXTRACTABLE;
-+ case 72:
- case 11000:
- return CKR_DATA_LEN_RANGE;
- case 11028:
diff --git a/ocki-3.5-icsf-sessionhandle-missing-fix.patch b/ocki-3.5-icsf-sessionhandle-missing-fix.patch
deleted file mode 100644
index 2847e25..0000000
--- a/ocki-3.5-icsf-sessionhandle-missing-fix.patch
+++ /dev/null
@@ -1,418 +0,0 @@
-commit 2d03c609981cd3bf5cefb7d3188878f68b33f722
-Author: Vineetha Pai
-Date: Tue Jun 21 16:43:53 2016 -0400
-
- Fix for session handle not set in session issue.
- bz142186
- icsf token uses the session handle for a session as the session_id in
- its own internal session state structure. The session handle is an
- index into the session btree and is not set in the SESSION structure
- after a new session is created. This causes session_handle to be always 0 and
- session_id to be always set to 0, causing issues when multiple sessions are active.
- This affects icsf token as it stores and uses session handle internally
- unlike other tokens. This patch sets the session handle into the session
- structure for all SC_API calls.
-
Signed-off-by: Vineetha Pai
-
-diff --git a/usr/lib/pkcs11/icsf_stdll/new_host.c b/usr/lib/pkcs11/icsf_stdll/new_host.c
-index 4923a77..9863d52 100644
---- a/usr/lib/pkcs11/icsf_stdll/new_host.c
-+++ b/usr/lib/pkcs11/icsf_stdll/new_host.c
-@@ -703,6 +703,9 @@ CK_RV SC_InitPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pPin,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
-+
- if (pin_locked(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
- rc = CKR_PIN_LOCKED;
-@@ -746,6 +749,9 @@ CK_RV SC_SetPIN(ST_SESSION_HANDLE *sSession, CK_CHAR_PTR pOldPin,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
-+
- if (pin_locked(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_LOCKED));
-@@ -807,6 +813,7 @@ CK_RV SC_OpenSession(CK_SLOT_ID sid, CK_FLAGS flags,
- }
-
- sess = session_mgr_find(*phSession);
-+ sess->handle = *phSession;
- rc = icsftok_open_session(sess);
- done:
- if (locked)
-@@ -828,6 +835,8 @@ CK_RV SC_CloseSession(ST_SESSION_HANDLE *sSession)
- }
-
- sess = session_mgr_find(sSession->sessionh);
-+ //set the handle here as handle is never set into session during creation
-+ sess->handle = sSession->sessionh;
- rc = icsftok_close_session(sess);
- if (rc)
- goto done;
-@@ -923,6 +932,8 @@ CK_RV SC_GetOperationState(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = session_mgr_get_op_state(sess, length_only, pOperationState,
- pulOperationStateLen);
-@@ -962,6 +973,8 @@ CK_RV SC_SetOperationState(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = session_mgr_set_op_state(sess, hEncryptionKey, hAuthenticationKey,
- pOperationState, ulOperationStateLen);
-@@ -1000,6 +1013,9 @@ CK_RV SC_Login(ST_SESSION_HANDLE *sSession, CK_USER_TYPE userType,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-+
- flags = &nv_token_data->token_info.flags;
-
- if (!pPin || ulPinLen > MAX_PIN_LEN) {
-@@ -1113,6 +1129,8 @@ CK_RV SC_Logout(ST_SESSION_HANDLE *sSession)
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- /* all sessions have the same state so we just have to check one */
- if (session_mgr_public_session_exists()) {
-@@ -1155,6 +1173,8 @@ CK_RV SC_CreateObject(ST_SESSION_HANDLE *sSession, CK_ATTRIBUTE_PTR pTemplate,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags)) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1204,6 +1224,8 @@ CK_RV SC_CopyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1240,6 +1262,8 @@ CK_RV SC_DestroyObject(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject)
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1285,6 +1309,8 @@ CK_RV SC_GetObjectSize(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hObject,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = icsftok_get_attribute_value(sess, hObject, pTemplate,
- ulCount, pulSize);
-@@ -1319,6 +1345,8 @@ CK_RV SC_GetAttributeValue(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = icsftok_get_attribute_value(sess, hObject, pTemplate,
- ulCount, NULL);
-@@ -1369,6 +1397,8 @@ CK_RV SC_SetAttributeValue(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = icsftok_set_attribute_value(sess, hObject, pTemplate, ulCount);
- if (rc != CKR_OK)
-@@ -1416,6 +1446,8 @@ CK_RV SC_FindObjectsInit(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1480,6 +1512,8 @@ CK_RV SC_FindObjects(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE_PTR phObject,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->find_active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1525,6 +1559,8 @@ CK_RV SC_FindObjectsFinal(ST_SESSION_HANDLE *sSession)
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->find_active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1576,6 +1612,8 @@ CK_RV SC_EncryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1626,6 +1664,8 @@ CK_RV SC_Encrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->encr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1677,6 +1717,8 @@ CK_RV SC_EncryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->encr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1726,6 +1768,8 @@ CK_RV SC_EncryptFinal(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->encr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1780,6 +1824,8 @@ CK_RV SC_DecryptInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -1832,6 +1878,8 @@ CK_RV SC_Decrypt(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->decr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1884,6 +1932,8 @@ CK_RV SC_DecryptUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pEncryptedPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->decr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1933,6 +1983,8 @@ CK_RV SC_DecryptFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pLastPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->decr_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -1984,6 +2036,8 @@ CK_RV SC_DigestInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism)
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info, nv_token_data->token_info.flags) == TRUE) {
- TRACE_ERROR("%s\n", ock_err(ERR_PIN_EXPIRED));
-@@ -2039,6 +2093,8 @@ CK_RV SC_Digest(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->digest_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2086,6 +2142,8 @@ CK_RV SC_DigestUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->digest_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2125,6 +2183,8 @@ CK_RV SC_DigestKey(ST_SESSION_HANDLE *sSession, CK_OBJECT_HANDLE hKey)
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->digest_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2169,6 +2229,8 @@ CK_RV SC_DigestFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pDigest,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->digest_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2216,6 +2278,8 @@ CK_RV SC_SignInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = valid_mech(pMechanism, CKF_SIGN);
- if (rc != CKR_OK)
-@@ -2271,6 +2335,8 @@ CK_RV SC_Sign(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->sign_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2318,6 +2384,8 @@ CK_RV SC_SignUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->sign_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2363,6 +2431,8 @@ CK_RV SC_SignFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->sign_ctx.active == FALSE) {
- TRACE_ERROR("%s\n", ock_err(ERR_OPERATION_NOT_INITIALIZED));
-@@ -2440,6 +2510,8 @@ CK_RV SC_VerifyInit(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -2492,6 +2564,8 @@ CK_RV SC_Verify(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->verify_ctx.active == FALSE) {
- rc = CKR_OPERATION_NOT_INITIALIZED;
-@@ -2537,6 +2611,8 @@ CK_RV SC_VerifyUpdate(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pPart,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->verify_ctx.active == FALSE) {
- rc = CKR_OPERATION_NOT_INITIALIZED;
-@@ -2583,6 +2659,8 @@ CK_RV SC_VerifyFinal(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pSignature,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (sess->verify_ctx.active == FALSE) {
- rc = CKR_OPERATION_NOT_INITIALIZED;
-@@ -2718,6 +2796,8 @@ CK_RV SC_GenerateKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -2791,6 +2871,8 @@ CK_RV SC_GenerateKeyPair(ST_SESSION_HANDLE *sSession,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -2875,6 +2957,8 @@ CK_RV SC_WrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -2929,6 +3013,8 @@ CK_RV SC_UnwrapKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -2998,6 +3084,8 @@ CK_RV SC_DeriveKey(ST_SESSION_HANDLE *sSession, CK_MECHANISM_PTR pMechanism,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- if (pin_expired(&sess->session_info,
- nv_token_data->token_info.flags) == TRUE) {
-@@ -3104,6 +3192,8 @@ CK_RV SC_GenerateRandom(ST_SESSION_HANDLE *sSession, CK_BYTE_PTR pRandomData,
- rc = CKR_SESSION_HANDLE_INVALID;
- goto done;
- }
-+ //set the handle into the session.
-+ sess->handle = sSession->sessionh;
-
- rc = rng_generate(pRandomData, ulRandomLen);
- if (rc != CKR_OK)
diff --git a/ocki-3.5-sanity-checking.patch b/ocki-3.5-sanity-checking.patch
deleted file mode 100644
index 7b34d59..0000000
--- a/ocki-3.5-sanity-checking.patch
+++ /dev/null
@@ -1,674 +0,0 @@
-1) Create lock and log directories from pkcsslotd when they are not available on the system.
-2) The patch also does basic sanity checks of asserting the presence of pkcs11 group, euid, gid of the process running pkcsslotd.
-3) The patch also checks if token directories are available on the system.
-4) The token lock sub-directories are created from opencryptoki while the token is configured via pkcsconf or when the first call to the token is made via C_Initialize.
-Signed-off-by: Vineetha Pai
-Signed-off-by: Harald Freudenberger
-
---- a/usr/lib/pkcs11/common/utility.c
-+++ b/usr/lib/pkcs11/common/utility.c
-@@ -557,9 +557,11 @@
- CK_RV CreateXProcLock(void)
- {
- CK_BYTE lockfile[PATH_MAX];
-+ CK_BYTE lockdir[PATH_MAX];
- struct group *grp;
- struct stat statbuf;
- mode_t mode = (S_IRUSR | S_IRGRP);
-+ int ret = -1;
-
- if (spinxplfd == -1) {
-
-@@ -571,9 +573,42 @@
- return CKR_FUNCTION_FAILED;
- }
-
-+ /** create lock subdir for each token if it doesn't exist.
-+ * The root directory should be created in slotmgr daemon **/
-+ sprintf(lockdir, "%s/%s", LOCKDIR_PATH, SUB_DIR);
-+
-+ ret = stat(lockdir, &statbuf);
-+ if (ret != 0 && errno == ENOENT) {
-+ /* dir does not exist, try to create it */
-+ ret = mkdir(lockdir, S_IRWXU|S_IRWXG);
-+ if (ret != 0) {
-+ OCK_SYSLOG(LOG_ERR,
-+ "Directory(%s) missing: %s\n",
-+ lockdir,
-+ strerror(errno));
-+ goto err;
-+ }
-+ grp = getgrnam("pkcs11");
-+ /* set ownership to euid, and pkcs11 group */
-+ if (chown(lockdir, geteuid(), grp->gr_gid) != 0) {
-+ fprintf(stderr, "Failed to set owner:group \
-+ ownership\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ /* mkdir does not set group permission right, so
-+ ** trying explictly here again */
-+ if (chmod(lockdir, S_IRWXU|S_IRWXG) != 0){
-+ fprintf(stderr, "Failed to change \
-+ permissions\
-+ on %s directory", lockdir);
-+ goto err;
-+ }
-+ }
-+
- /* create user lock file */
- sprintf(lockfile, "%s/%s/LCK..%s",
-- LOCKDIR_PATH, SUB_DIR, SUB_DIR);
-+ LOCKDIR_PATH, SUB_DIR, SUB_DIR);
-
- if (stat(lockfile, &statbuf) == 0)
- spinxplfd = open(lockfile, O_RDONLY, mode);
-@@ -583,30 +618,30 @@
- /* umask may prevent correct mode,so set it. */
- if (fchmod(spinxplfd, mode) == -1) {
- OCK_SYSLOG(LOG_ERR, "fchmod(%s): %s\n",
-- lockfile, strerror(errno));
-+ lockfile, strerror(errno));
- goto err;
- }
-
- grp = getgrnam("pkcs11");
- if (grp != NULL) {
- if (fchown(spinxplfd, -1, grp->gr_gid)
-- == -1) {
-+ == -1) {
- OCK_SYSLOG(LOG_ERR,
-- "fchown(%s): %s\n",
-- lockfile,
-- strerror(errno));
-+ "fchown(%s): %s\n",
-+ lockfile,
-+ strerror(errno));
- goto err;
- }
- } else {
- OCK_SYSLOG(LOG_ERR, "getgrnam(): %s\n",
-- strerror(errno));
-+ strerror(errno));
- goto err;
- }
- }
- }
- if (spinxplfd == -1) {
- OCK_SYSLOG(LOG_ERR, "open(%s): %s\n",
-- lockfile, strerror(errno));
-+ lockfile, strerror(errno));
- return CKR_FUNCTION_FAILED;
- }
- }
---- a/usr/sbin/pkcsslotd/slotmgr.c
-+++ b/usr/sbin/pkcsslotd/slotmgr.c
-@@ -8,10 +8,10 @@
-
- 1. DEFINITIONS
-
-- "Contribution" means:
-+ "Contribution" means:
- a) in the case of the initial Contributor, the
- initial code and documentation distributed under
-- this Agreement, and
-+ this Agreement, and
-
- b) in the case of each subsequent Contributor:
- i) changes to the Program, and
-@@ -35,7 +35,7 @@
- "Licensed Patents " mean patent claims licensable by a
- Contributor which are necessarily infringed by the use or
- sale of its Contribution alone or when combined with the
-- Program.
-+ Program.
-
- "Program" means the Contributions distributed in
- accordance with this Agreement.
-@@ -130,7 +130,7 @@
- a) it must be made available under this Agreement;
- and
- b) a copy of this Agreement must be included with
-- each copy of the Program.
-+ each copy of the Program.
-
- Contributors may not remove or alter any copyright notices
- contained within the Program.
-@@ -138,7 +138,7 @@
- Each Contributor must identify itself as the originator of
- its Contribution, if any, in a manner that reasonably
- allows subsequent Recipients to identify the originator of
-- the Contribution.
-+ the Contribution.
-
-
- 4. COMMERCIAL DISTRIBUTION
-@@ -199,7 +199,7 @@
- Agreement, including but not limited to the risks and
- costs of program errors, compliance with applicable laws,
- damage to or loss of data, programs or equipment, and
-- unavailability or interruption of operations.
-+ unavailability or interruption of operations.
-
- 6. DISCLAIMER OF LIABILITY
- EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
-@@ -248,7 +248,7 @@
- use and distribution of the Program as soon as reasonably
- practicable. However, Recipient's obligations under this
- Agreement and any licenses granted by Recipient relating
-- to the Program shall continue and survive.
-+ to the Program shall continue and survive.
-
- Everyone is permitted to copy and distribute copies of
- this Agreement, but in order to avoid inconsistency the
-@@ -280,7 +280,7 @@
- States of America. No party to this Agreement will bring a
- legal action under this Agreement more than one year after
- the cause of action arose. Each party waives its rights to
-- a jury trial in any resulting litigation.
-+ a jury trial in any resulting litigation.
-
-
-
-@@ -294,6 +294,8 @@
- #include
- #include
- #include
-+#include
-+#include
-
- #include "log.h"
- #include "slotmgr.h"
-@@ -309,8 +311,13 @@
- int socketfd;
- Slot_Mgr_Socket_t socketData;
-
--/*
-- We make main() able to modify Daemon so that we can
-+struct dircheckinfo_s {
-+ const char *dir;
-+ int mode;
-+};
-+
-+/*
-+ We make main() able to modify Daemon so that we can
- daemonize or not based on a command-line argument
- */
- extern BOOL Daemon;
-@@ -322,14 +329,91 @@
- u_int32 *p;
- char Buf[PATH_MAX];
- u_int32 i;
--
-+
- p = (u_int32 *) shmp;
--
-+
- for ( i = 0; i < 15; i++ ) {
- sprintf(Buf, "%08X %08X %08X %08X", p[0+(i*4)], p[1+(i*4)], p[2+(i*4)], p[3+(i*4)]);
- LogLog(Buf);
- }
- return;
-+}
-+
-+/** This function does basic sanity checks to make sure the
-+ * eco system is in place for opencryptoki to run properly.
-+ **/
-+void run_sanity_checks()
-+{
-+ int i, ec, uid = -1;
-+ struct group *grp = NULL;
-+ struct stat sbuf;
-+ struct dircheckinfo_s dircheck[] = {
-+ //drwxrwx---
-+ {LOCKDIR_PATH, S_IRWXU|S_IRWXG},
-+ {OCK_LOGDIR, S_IRWXU|S_IRWXG},
-+ {NULL, 0},
-+ };
-+
-+ /* first check that our effective user id is root */
-+ uid = (int) geteuid();
-+ if (uid != 0) {
-+ fprintf(stderr, "This daemon needs root privilegies, but the effective user id is not 'root'.\n");
-+ exit(1);
-+ }
-+
-+ /* check that the pkcs11 group exists */
-+ grp = getgrnam("pkcs11");
-+ if (!grp) {
-+ fprintf(stderr, "There is no 'pkcs11' group on this system.\n");
-+ exit(1);
-+ }
-+
-+ /* check effective group id */
-+ uid = (int) getegid();
-+ if (uid != 0 && uid != (int) grp->gr_gid) {
-+ fprintf(stderr, "This daemon should have an effective group id of 'root' or 'pkcs11'.\n");
-+ exit(1);
-+ }
-+
-+ /* Create base lock and log directory here.
API..Lock file is -+ * accessed from the daemon in CreateXProcLock() in mutex.c.*/ -+ for (i=0; dircheck[i].dir != NULL; i++) { -+ ec = stat(dircheck[i].dir, &sbuf); -+ if (ec != 0 && errno == ENOENT) { -+ /* dir does not exist, try to create it */ -+ ec = mkdir(dircheck[i].dir, dircheck[i].mode); -+ if (ec != 0) { -+ fprintf(stderr, "Directory %s missing\n", -+ dircheck[i].dir); -+ exit(2); -+ } -+ /* set ownership to root, and pkcs11 group */ -+ if (chown(dircheck[i].dir, geteuid(), grp->gr_gid) != 0) { -+ fprintf(stderr, "Failed to set owner:group \ -+ ownership\ -+ on %s directory", dircheck[i].dir); -+ exit(1); -+ } -+ /* mkdir does not set group permission right, so -+ * trying explictly here again */ -+ if (chmod(dircheck[i].dir, dircheck[i].mode) != 0){ -+ fprintf(stderr, "Failed to change \ -+ permissions\ -+ on %s directory", dircheck[i].dir); -+ exit(1); -+ } -+ } -+ } -+ -+ /** check if token directory is available, if not flag an error. -+ * We do not create token directories here as admin should -+ * configure and decide which tokens to expose to opencryptoki -+ * outside of opencryptoki and pkcsslotd */ -+ ec = stat(CONFIG_PATH, &sbuf); -+ if (ec != 0 && errno == ENOENT) { -+ fprintf(stderr, "Token directories missing\n"); -+ exit(2); -+ } - } - - /***************************************** -@@ -341,205 +425,191 @@ - *****************************************/ - - int main ( int argc, char *argv[], char *envp[]) { -- int ret; -- -- /**********************************/ -- /* Read in command-line arguments */ -- /**********************************/ -- -- /* FIXME: Argument for daemonizing or not */ -- /* FIXME: Argument for debug level */ -- /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) 
*/ -- -- -- /* Report our debug level */ -- if ( GetDebugLevel() > DEBUG_NONE) { -- -- DbgLog(GetDebugLevel(), "Starting with debugging messages logged at level %d (%d = No messages; %d = few; %d = more, etc.)", -- GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1); -- -- } -- -- -- /* Save our startup directory */ -- SaveStartupDirectory( argv[0] ); -- -- ret = load_and_parse(OCK_CONFIG); -- if (ret != 0) { -- ErrLog("Failed to read config file.\n"); -- return 1; -- } else -- DbgLog (DL0, "Parse config file succeeded.\n"); -- -- /* Allocate and Attach the shared memory region */ -- if ( ! CreateSharedMemory() ) { -- /* CreateSharedMemory() does it's own error logging */ -- return 1; -- } -- -- DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok); -- -- /* Now that we've created the shared memory segment, we attach to it */ -- if ( ! AttachToSharedMemory() ) { -- /* AttachToSharedMemory() does it's own error logging */ -- DestroySharedMemory(); -- return 2; -- } -- -- /* Initialize the global shared memory mutex (and the attribute used to create the per-process mutexes */ -- if ( ! InitializeMutexes() ) { -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 3; -- } -- -- /* Get the global shared memory mutex */ -- -- XProcLock(); -- -- /* Populate the Shared Memory Region */ -- if ( ! 
InitSharedMemory(shmp) ) { -- -- XProcUnLock(); -- -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 4; -- } -- -- /* Release the global shared memory mutex */ -- XProcUnLock(); -- -- if ((socketfd = CreateListenerSocket()) < 0) { -- DestroyMutexes(); -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 5; -- } -- -- if (!InitSocketData(&socketData)) { -- DetachSocketListener(socketfd); -- DestroyMutexes(); -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 6; -- } -- -- /* -- * Become a Daemon, if called for -- */ -- if ( Daemon ) { -- pid_t pid; -- if ( (pid = fork()) < 0 ){ -- DetachSocketListener(socketfd); -- DestroyMutexes(); -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 7; -- } else { -- if ( pid != 0) { -- exit(0); // Terminate the parent -- } else { -- -- setsid(); // Session leader -+ int ret; -+ -+ /**********************************/ -+ /* Read in command-line arguments */ -+ /**********************************/ -+ -+ /* FIXME: Argument for daemonizing or not */ -+ /* FIXME: Argument for debug level */ -+ /* FIXME: Arguments affecting the log files, whether to use syslog, etc. (Read conf file?) */ -+ -+ /* Do some basic sanity checks */ -+ run_sanity_checks(); -+ -+ /* Report our debug level */ -+ if ( GetDebugLevel() > DEBUG_NONE) { -+ DbgLog(GetDebugLevel(), "Starting with debugging messages logged at \ -+ level %d (%d = No messages; %d = few; %d = more, etc.)", -+ GetDebugLevel(), DEBUG_NONE, DEBUG_LEVEL0, DEBUG_LEVEL1); -+ } -+ -+ /* Save our startup directory */ -+ SaveStartupDirectory( argv[0] ); -+ -+ ret = load_and_parse(OCK_CONFIG); -+ if (ret != 0) { -+ ErrLog("Failed to read config file.\n"); -+ return 1; -+ } else -+ DbgLog (DL0, "Parse config file succeeded.\n"); -+ -+ /* Allocate and Attach the shared memory region */ -+ if ( ! 
CreateSharedMemory() ) { -+ /* CreateSharedMemory() does it's own error logging */ -+ return 1; -+ } -+ -+ DbgLog(DL0,"SHMID %d token %#X \n", shmid, tok); -+ -+ /* Now that we've created the shared memory segment, we attach to it */ -+ if ( ! AttachToSharedMemory() ) { -+ /* AttachToSharedMemory() does it's own error logging */ -+ DestroySharedMemory(); -+ return 2; -+ } -+ -+ /* Initialize the global shared memory mutex (and the attribute -+ * used to create the per-process mutexes */ -+ if ( ! InitializeMutexes() ) { -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 3; -+ } -+ -+ /* Get the global shared memory mutex */ -+ XProcLock(); -+ -+ /* Populate the Shared Memory Region */ -+ if ( ! InitSharedMemory(shmp) ) { -+ -+ XProcUnLock(); -+ -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 4; -+ } -+ -+ /* Release the global shared memory mutex */ -+ XProcUnLock(); -+ -+ if ((socketfd = CreateListenerSocket()) < 0) { -+ DestroyMutexes(); -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 5; -+ } -+ -+ if (!InitSocketData(&socketData)) { -+ DetachSocketListener(socketfd); -+ DestroyMutexes(); -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 6; -+ } -+ -+ /* -+ * Become a Daemon, if called for -+ */ -+ if ( Daemon ) { -+ pid_t pid; -+ if ( (pid = fork()) < 0 ){ -+ DetachSocketListener(socketfd); -+ DestroyMutexes(); -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 7; -+ } else { -+ if ( pid != 0) { -+ exit(0); // Terminate the parent -+ } else { -+ -+ setsid(); // Session leader - #ifndef DEV -- fclose(stderr); -- fclose(stdout); -- fclose(stdin); -+ fclose(stderr); -+ fclose(stdout); -+ fclose(stdin); - #endif -- -- } -- } -- -- -- } else { -- -+ } -+ } -+ } else { - #ifdef DEV -- // Log only on development builds -- LogLog("Not becoming a daemon...\n"); -+ // Log only on development builds -+ LogLog("Not becoming a daemon...\n"); - #endif -- -- } -- -- -- 
/***************************************** -- * -- * Register Signal Handlers -- * Daemon probably should ignore ALL signals possible, since termination -- * while active is a bad thing... however one could check for -- * any processes active in the shared memory, and destroy the shm if -- * the process wishes to terminate. -- * -- *****************************************/ -- -- /* -- * We have to set up the signal handlers after we daemonize because -- * the daemonization process redefines our handler for (at least) SIGTERM -- */ -- -- if ( ! SetupSignalHandlers() ) { -- DetachSocketListener(socketfd); -- DestroyMutexes(); -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 8; -- } -- -- -- -- -- /* ultimatly we will create a couple of threads which monitor the slot db -- and handle the insertion and removal of tokens from the slot. -- */ -- -- /* For Testing the Garbage collection routines */ -- /* -- shmp->proc_table[3].inuse = TRUE; -- shmp->proc_table[3].proc_id = 24328; -- */ -+ } -+ -+ /***************************************** -+ * -+ * Register Signal Handlers -+ * Daemon probably should ignore ALL signals possible, since termination -+ * while active is a bad thing... however one could check for -+ * any processes active in the shared memory, and destroy the shm if -+ * the process wishes to terminate. -+ * -+ *****************************************/ -+ -+ /* -+ * We have to set up the signal handlers after we daemonize because -+ * the daemonization process redefines our handler for (at least) SIGTERM -+ */ -+ if ( ! SetupSignalHandlers() ) { -+ DetachSocketListener(socketfd); -+ DestroyMutexes(); -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 8; -+ } -+ -+ /* ultimatly we will create a couple of threads which monitor the slot db -+ and handle the insertion and removal of tokens from the slot. 
-+ */ -+ -+ /* For Testing the Garbage collection routines */ -+ /* -+ shmp->proc_table[3].inuse = TRUE; -+ shmp->proc_table[3].proc_id = 24328; -+ */ - - #if !defined(NOGARBAGE) --printf("Start garbage \n"); -- /* start garbage collection thread */ -- if ( ! StartGCThread(shmp) ) { -- DetachSocketListener(socketfd); -- DestroyMutexes(); -- DetachFromSharedMemory(); -- DestroySharedMemory(); -- return 9; -- } -+ printf("Start garbage \n"); -+ /* start garbage collection thread */ -+ if ( ! StartGCThread(shmp) ) { -+ DetachSocketListener(socketfd); -+ DestroyMutexes(); -+ DetachFromSharedMemory(); -+ DestroySharedMemory(); -+ return 9; -+ } - #endif - -- // We've fully become a daemon. Now create the PID file -- { -- FILE *pidfile; -- -- pidfile = fopen(PID_FILE_PATH,"w"); -- if (pidfile) { -- fprintf(pidfile,"%d",getpid()); -- fclose(pidfile); -- } -- } -- -- while (1) { -+ // We've fully become a daemon. Now create the PID file -+ { -+ FILE *pidfile; -+ -+ pidfile = fopen(PID_FILE_PATH,"w"); -+ if (pidfile) { -+ fprintf(pidfile,"%d",getpid()); -+ fclose(pidfile); -+ } -+ } -+ -+ while (1) { - #if !(THREADED) && !(NOGARBAGE) -- CheckForGarbage(shmp); -+ CheckForGarbage(shmp); - #endif -- -- SocketConnectionHandler(socketfd, 10); -- -- } -- -- -- /************************************************************* -- * -- * Here we need to actualy go through the processes and verify that thye -- * still exist. If not, then they terminated with out properly calling -- * C_Finalize and therefore need to be removed from the system. -- * Look for a system routine to determine if the shared memory is held by -- * the process to further verify that the proper processes are in the -- * table. -- * -- *************************************************************/ -- -+ SocketConnectionHandler(socketfd, 10); -+ } -+ -+ /************************************************************* -+ * -+ * Here we need to actualy go through the processes and verify that thye -+ * still exist. 
If not, then they terminated with out properly calling -+ * C_Finalize and therefore need to be removed from the system. -+ * Look for a system routine to determine if the shared memory is held by -+ * the process to further verify that the proper processes are in the -+ * table. -+ * -+ *************************************************************/ - } /* end main */ diff --git a/openCryptoki.changes b/openCryptoki.changes index a1cd0db..5c88c48 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -31,6 +31,11 @@ Tue Jan 17 17:12:30 UTC 2017 - mpost@suse.com - ocki-3.5-create-missing-tpm-token-lock-directory.patch - ocki-3.5-fix-pkcscca-calls.patch +------------------------------------------------------------------- +Mon Oct 31 14:19:17 UTC 2016 - jjolly@suse.com + +- Removed reference to pkcs1_startup from pkcsslotd (bsc#1007081) + ------------------------------------------------------------------- Thu Sep 1 17:06:45 UTC 2016 - mpost@suse.com diff --git a/openCryptoki.pkcsslotd b/openCryptoki.pkcsslotd index c0751db..b4500ad 100644 --- a/openCryptoki.pkcsslotd +++ b/openCryptoki.pkcsslotd @@ -57,9 +57,6 @@ case "$1" in echo -n "Starting pkcsslotd daemon:" - # Generate the configuration information - /usr/sbin/pkcs11_startup - ## Start daemon with startproc(8). If this fails ## the echo return value is set appropriate. diff --git a/opencryptoki-3.5.tgz b/opencryptoki-3.5.tgz deleted file mode 100644 index d485e85..0000000 --- a/opencryptoki-3.5.tgz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2789e3135196828e2b904faba766aa4c7fd9d1e67664df79bd9a05381a771452 -size 1031722