d6c48bed19
Fixes for bnc#880217 - systemd enabled OBS-URL: https://build.opensuse.org/request/show/238818 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=17
From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001
|
|
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
|
Date: Wed, 2 Apr 2014 12:05:12 -0500
|
|
Subject: [PATCH 2/6] Fix failure when confname is not given, use default
|
|
ep11tok.conf instead.
|
|
|
|
Slight rework of how the ep11 token config file is found:
|
|
If env has no OCK_EP11_TOKEN_DIR
|
|
if confname is not null, try to use it
|
|
if this fails, try ock default config dir + confname
|
|
if this fails, try ock default config dir + ep11tok.conf
|
|
if OCK_EP11_TOKEN_DIR given then
|
|
if confname is not null, try OCK_EP11_TOKEN_DIR + confname
|
|
if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf
|
|
if still unsuccessful then token init will fail.
|
|
|
|
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
|
---
|
|
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------
|
|
1 file changed, 52 insertions(+), 33 deletions(-)
|
|
|
|
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
|
index 4e3703b..0eea8c9 100644
|
|
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
|
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
|
|
@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
|
|
static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
|
|
CK_BYTE **blob, size_t *blob_len);
|
|
|
|
+#define EP11_DEFAULT_CFG_FILE "ep11tok.conf"
|
|
#define EP11_CFG_FILE_SIZE 4096
|
|
|
|
/* error rc for reading the adapter config file */
|
|
@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
|
}
|
|
}
|
|
EP11TOK_LOG(1,"init running");
|
|
+
|
|
+ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... */
|
|
+ rc = read_adapter_config_file(conf_name);
|
|
+ if (rc != CKR_OK) {
|
|
+ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc);
|
|
+ return CKR_GENERAL_ERROR;
|
|
+ }
|
|
|
|
/* wrap key name */
|
|
memset(wrap_key_name, 0, sizeof(wrap_key_name));
|
|
@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
|
|
return CKR_DEVICE_ERROR;
|
|
}
|
|
#endif
|
|
-
|
|
- /* user specified adapter/domain pairs the token is supposed to use */
|
|
- rc = read_adapter_config_file(conf_name);
|
|
- if (rc != CKR_OK) {
|
|
- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc);
|
|
- return CKR_GENERAL_ERROR;
|
|
- }
|
|
-
|
|
+
|
|
/* print mechanismlist to log file */
|
|
rc = print_mechanism();
|
|
if (rc != CKR_OK) {
|
|
@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name)
|
|
if (ep11_initialized) {
|
|
return 0;
|
|
}
|
|
-
|
|
+
|
|
memset(fname,0,PATH_MAX);
|
|
-
|
|
- if (!conf_name) {
|
|
- /* no conf_name was given, should not happen */
|
|
- EP11TOK_ELOG(1,"no conf_name argument found");
|
|
- return APQN_FILE_INV_1;
|
|
- }
|
|
|
|
/* via envrionment variable it is possible to overwrite the
|
|
- * config file given in the opencryptoki.conf. Then we use
|
|
- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf.
|
|
+ * directory where the ep11 token config file is searched.
|
|
*/
|
|
if (conf_dir) {
|
|
- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name);
|
|
- ap_fp = fopen(fname,"r");
|
|
- }
|
|
-
|
|
- /* if there was no environment variable or fopen failed, use the
|
|
- * default given from opencryptoki.conf via conf_name argument.
|
|
- */
|
|
- if (!ap_fp) {
|
|
- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
|
|
- ap_fp = fopen(fname,"r");
|
|
+ if (conf_name && strlen(conf_name) > 0) {
|
|
+ /* extract filename part from conf_name */
|
|
+ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--);
|
|
+ if (i < strlen(conf_name)-1) {
|
|
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1);
|
|
+ fname[sizeof(fname)-1] = '\0';
|
|
+ ap_fp = fopen(fname,"r");
|
|
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
|
+ }
|
|
+ }
|
|
+ if (!ap_fp) {
|
|
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE);
|
|
+ fname[sizeof(fname)-1] = '\0';
|
|
+ ap_fp = fopen(fname,"r");
|
|
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
|
+ }
|
|
+ } else {
|
|
+ if (conf_name && strlen(conf_name) > 0) {
|
|
+ strncpy(fname, conf_name, sizeof(fname));
|
|
+ fname[sizeof(fname)-1] = '\0';
|
|
+ ap_fp = fopen(fname,"r");
|
|
+ if (!ap_fp) {
|
|
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
|
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
|
|
+ fname[sizeof(fname)-1] = '\0';
|
|
+ ap_fp = fopen(fname,"r");
|
|
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
|
+ }
|
|
+ } else {
|
|
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE);
|
|
+ fname[sizeof(fname)-1] = '\0';
|
|
+ ap_fp = fopen(fname,"r");
|
|
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
|
|
+ }
|
|
}
|
|
-
|
|
+
|
|
/* now we should really have an open ep11 token config file */
|
|
if (!ap_fp) {
|
|
EP11TOK_ELOG(1,"no valid EP 11 config file found");
|
|
return APQN_FILE_INV_2;
|
|
}
|
|
-
|
|
+
|
|
EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname);
|
|
-
|
|
+
|
|
/* read config file line by line,
|
|
* ignore empty and # and copy rest into file buf
|
|
*/
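Review bot: The guard `if (i < strlen(conf_name)-1)` after the backward scan goes wrong when conf_name has no '/' at all: if i is a signed int (as its use as a loop index elsewhere suggests), the scan leaves it at -1 and the comparison against strlen's size_t promotes it to a huge unsigned value, so the `conf_dir/<basename>` attempt is skipped and the token silently falls through to `conf_dir/ep11tok.conf`; if i is unsigned instead, `i >= 0` never fails and the loop reads before the start of the string. Keep the comparison signed, e.g. `if (i < (int)strlen(conf_name) - 1)`, or derive the basename with `strrchr(conf_name, '/')` and only reject it when the slash is the last character. The two `EP11TOK_LOG(2,"fopen('%s') failed with errno %d", ...)` calls in the conf_dir branch run even when fopen succeeded and then report a stale errno, so wrap them in `if (!ap_fp)` as the other branch already does. In the no-conf_dir branch a relative conf_name is opened relative to the process's current directory before OCK_CONFDIR is consulted, which lets the calling application's cwd decide which token config is loaded; limiting that first attempt to absolute names (`conf_name[0] == '/'`) keeps the lookup within administrator-controlled locations. The declarations of i, fname and ap_fp are outside the hunk, and read_adapter_config_file both starts before and continues after it.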
|
|
@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name)
|
|
}
|
|
|
|
ep11_targets.length = 0;
|
|
-
|
|
+
|
|
for (i=0,j=0,str=filebuf; rc == 0; str=NULL) {
|
|
/* strtok tokenizes the string,
|
|
* delimiters are newline and whitespace.
|
|
*/
|
|
token = strtok(str, "\n\t ");
|
|
-
|
|
+
|
|
if (i == 0) {
|
|
/* expecting APQN_WHITELIST or APQN_BLACKLIST
|
|
* or APQN_ANY or LOGLEVEL or eof.
|
|
@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name)
|
|
/* do some checks: */
|
|
if (rc == 0) {
|
|
if ( !(whitemode || blackmode || anymode)) {
|
|
- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
|
|
+ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:"
|
|
+ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
|
|
rc = APQN_FILE_NO_APQN_MODE;
|
|
} else if (whitemode || blackmode) {
|
|
/* at least one APQN needs to be defined */
|
|
--
|
|
1.7.12.4
|
|
|