33 files changed, 688 insertions, 187 deletions
diff --git a/security/opencryptoki/Makefile b/security/opencryptoki/Makefile index 4b95be7be1f7..e829cbf166ed 100644 --- a/security/opencryptoki/Makefile +++ b/security/opencryptoki/Makefile @@ -1,8 +1,7 @@ # Created by: Ralf Meister PORTNAME= opencryptoki -PORTVERSION= 3.11.0 -PORTREVISION= 2 +PORTVERSION= 3.18.0 DISTVERSIONPREFIX= v CATEGORIES= security @@ -14,19 +13,22 @@ LICENSE_NAME= Common Public License LICENSE_FILE= ${WRKSRC}/LICENSE LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept -LIB_DEPENDS= libtspi.so:security/trousers +LIB_DEPENDS= libtspi.so:security/trousers \ + libepoll-shim.so:devel/libepoll-shim USES= alias autoreconf gmake libtool localbase ssl tar:tgz -USE_GCC= yes USE_OPENLDAP= yes USE_LDCONFIG= ${PREFIX}/lib/opencryptoki USE_GITHUB= yes -INSTALL_TARGET= install-strip GNU_CONFIGURE= yes -CONFIGURE_ARGS= --enable-swtok --enable-tpmtok \ +CONFIGURE_ENV= LOCALBASE=${LOCALBASE} +CONFIGURE_ARGS= --enable-swtok \ + --enable-tpmtok \ --enable-icsftok \ - --disable-crtok --disable-aeptok \ - --disable-ccatok --disable-bcomtok \ + --disable-crtok \ + --disable-aeptok \ + --disable-ccatok \ + --disable-bcomtok \ --disable-pkcscca_migrate \ --with-lockdir=/var/run/opencryptoki \ --with-logdir=/var/log/opencryptoki \ @@ -35,6 +37,7 @@ CONFIGURE_ARGS= --enable-swtok --enable-tpmtok \ --with-pkcs11user=${USERS} \ --with-pkcs11group=${GROUPS} \ ac_cv_path_CHGRP=true +INSTALL_TARGET= install-strip USE_RC_SUBR= pkcsslotd SUB_FILES= pkg-message SUB_LIST= USERS="${USERS}" GROUPS="${GROUPS}" 
@@ -42,9 +45,16 @@ PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}" USERS= _pkcs11 GROUPS= _pkcs11 +post-patch: + cd ${WRKSRC} && \ + ${REINPLACE_CMD} 's,%%DLLDIR%%,${PREFIX}/lib/opencryptoki/stdll,' \ + usr/sbin/pkcsslotd/opencryptoki.conf + post-install: - ${MV} ${STAGEDIR}${ETCDIR}/opencryptoki.conf \ - ${STAGEDIR}${ETCDIR}/opencryptoki.conf.sample + ${MV} ${STAGEDIR}${DOCSDIR}/strength-example.conf \ + ${STAGEDIR}${ETCDIR}/strength.conf.sample + ${MV} ${STAGEDIR}${DOCSDIR}/policy-example.conf \ + ${STAGEDIR}${ETCDIR}/policy.conf.sample ${RMDIR} ${STAGEDIR}/var/run/opencryptoki/* \ ${STAGEDIR}/var/run/opencryptoki diff --git a/security/opencryptoki/distinfo b/security/opencryptoki/distinfo index 263bcc0db79a..b969f909723a 100644 --- a/security/opencryptoki/distinfo +++ b/security/opencryptoki/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1551564276 -SHA256 (opencryptoki-opencryptoki-v3.11.0_GH0.tar.gz) = 4d901373b08ed0b0d56a4df5e3f35a7d17142bdc5c5bf9b37c8a10200a08d6fd -SIZE (opencryptoki-opencryptoki-v3.11.0_GH0.tar.gz) = 935891 +TIMESTAMP = 1651086346 +SHA256 (opencryptoki-opencryptoki-v3.18.0_GH0.tar.gz) = 18882bbb3eaff37b2badf93bce1faab86406ed60f40fd5debc08afd3ceba36c2 +SIZE (opencryptoki-opencryptoki-v3.18.0_GH0.tar.gz) = 1337092 diff --git a/security/opencryptoki/files/patch-Makefile.am b/security/opencryptoki/files/patch-Makefile.am index b8e43eab836d..36da7c4e1f9c 100644 --- a/security/opencryptoki/files/patch-Makefile.am +++ b/security/opencryptoki/files/patch-Makefile.am 
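Review bot: The two `${MV}` lines added to post-install stage `strength.conf.sample` and `policy.conf.sample`, but nothing in this hunk establishes the owner, group or mode of the real `strength.conf`/`policy.conf` that the @sample mechanism later creates, and patch-Makefile.am in this same commit drops the upstream `$(INSTALL) -m 640 -o root -g pkcs11 -T ... strength.conf` line that used to set them. The policy loader patched in patch-usr-lib-api-policy.c returns CKR_GENERAL_ERROR when the policy file's group is not PKCS11GROUP or its mode differs from OCK_POLICY_PERMS, so a file created with default ownership would make every token fail as soon as a policy is enabled. pkg-plist is not part of this diff; if its entries are plain `@sample etc/opencryptoki/policy.conf.sample`, they presumably need the owner/group/mode form (group taken from `${GROUPS}`) or a `@postexec` chgrp, and pkg-message should tell the administrator which group and mode the files must have.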
@@ -1,14 +1,6 @@ ---- Makefile.am.orig 2018-11-16 23:53:03.000000000 +0900 -+++ Makefile.am 2019-03-03 12:39:45.031868000 +0900 -@@ -29,7 +29,6 @@ - include man/man.mk - include usr/usr.mk - -- - install-data-hook: - if ENABLE_LIBRARY - $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll -@@ -37,9 +36,9 @@ +--- Makefile.am.orig 2022-04-25 11:04:51 UTC ++++ Makefile.am +@@ -39,9 +39,9 @@ if ENABLE_LIBRARY cd $(DESTDIR)$(libdir)/opencryptoki && \ ln -fs libopencryptoki.so PKCS11_API.so cd $(DESTDIR)$(libdir)/opencryptoki && \ @@ -20,7 +12,7 @@ cd $(DESTDIR)$(libdir)/pkcs11 && \ ln -fs ../opencryptoki/libopencryptoki.so PKCS11_API.so cd $(DESTDIR)$(libdir)/pkcs11 && \ -@@ -51,24 +50,24 @@ +@@ -53,55 +53,55 @@ if ENABLE_CCATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_cca.so PKCS11_CCA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ 
@@ -47,11 +39,20 @@ $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok $(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok -+ $(CHGRP) @PKCS11GROUP@ $(DESTDIR)$(lockdir)/ep11tok ++ $(CHGRP) @PKCSGROUP11@ $(DESTDIR)$(lockdir)/ep11tok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true -@@ -78,24 +77,24 @@ +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11cpfilter.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11cpfilter.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11cpfilter.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf.sample || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf.sample || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11cpfilter.conf.sample || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11cpfilter.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11cpfilter.conf.sample || true + endif + if ENABLE_P11SAK + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g pkcs11 -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf.sample || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf 
$(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf.sample || true + endif + if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_ica.so PKCS11_ICA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ @@ -82,7 +83,7 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok endif if ENABLE_TPMTOK -@@ -103,10 +102,10 @@ +@@ -109,10 +109,10 @@ if ENABLE_TPMTOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_tpm.so PKCS11_TPM.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm @@ -95,7 +96,7 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm endif if ENABLE_ICSFTOK -@@ -114,10 +113,10 @@ +@@ -120,16 +120,15 @@ if ENABLE_ICSFTOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ ln -fs libpkcs11_icsf.so PKCS11_ICSF.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf @@ -108,7 +109,14 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf endif if ENABLE_DAEMON -@@ -130,16 +129,8 @@ + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g pkcs11 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf.sample || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf.sample || true + if ENABLE_SYSTEMD + mkdir -p $(DESTDIR)/usr/lib/tmpfiles.d + cp $(srcdir)/misc/tmpfiles.conf $(DESTDIR)/usr/lib/tmpfiles.d/opencryptoki.conf +@@ -137,16 +136,8 @@ if ENABLE_SYSTEMD rm -f $(DESTDIR)/usr/lib/systemd/system/tmpfiles.conf endif endif 
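Review bot: The new line `++ $(CHGRP) @PKCSGROUP11@ $(DESTDIR)$(lockdir)/ep11tok` in the ep11tok block misspells the autoconf substitution: patch-configure.ac in this commit does `AC_SUBST(PKCS11GROUP, $pkcs11_group)`, so `@PKCSGROUP11@` is never replaced and would be handed to chgrp as a literal group name. It should read `$(CHGRP) @PKCS11GROUP@ $(DESTDIR)$(lockdir)/ep11tok`, as the line it replaces did. The port passes `ac_cv_path_CHGRP=true` in CONFIGURE_ARGS, which turns CHGRP into `true`, so the mistake is invisible in the port build but would surface for anyone reusing the patch with ep11tok enabled. The rest of install-data-hook lies outside this hunk.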
@@ -126,3 +134,11 @@ $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) +@@ -190,7 +181,6 @@ if ENABLE_TPMTOK + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + rm -rf PKCS11_TPM.so; fi + endif +- rm -f $(DESTDIR)/etc/ld.so.conf.d/opencryptoki-$(target_cpu).conf + if ENABLE_ICSFTOK + if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ diff --git a/security/opencryptoki/files/patch-configure.ac b/security/opencryptoki/files/patch-configure.ac index 866c75f80e4d..8dd546747d7f 100644 --- a/security/opencryptoki/files/patch-configure.ac +++ b/security/opencryptoki/files/patch-configure.ac @@ -1,4 +1,4 @@ ---- configure.ac.orig 2018-11-16 14:53:03 UTC +--- configure.ac.orig 2022-04-25 11:04:51 UTC +++ configure.ac @@ -12,6 +12,9 @@ dnl Checks for header files. AC_DISABLE_STATIC @@ -10,16 +10,25 @@ AC_HEADER_STDC AC_CHECK_HEADER_STDBOOL AC_CHECK_HEADERS([arpa/inet.h fcntl.h libintl.h limits.h locale.h malloc.h \ -@@ -77,18 +80,27 @@ fi +@@ -47,7 +50,7 @@ AC_CHECK_FUNCS([atexit ftruncate gettimeofday localtim + strdup strerror strncasecmp strrchr strstr strtol strtoul]) + + dnl Used in various scripts +-AC_PATH_PROG([ID], [id], [/us/bin/id]) ++AC_PATH_PROG([ID], [id], [/usr/bin/id]) + AC_PATH_PROG([USERMOD], [usermod], [/usr/sbin/usermod]) + AC_PATH_PROG([GROUPADD], [groupadd], [/usr/sbin/groupadd]) + AC_PATH_PROG([CAT], [cat], [/bin/cat]) +@@ -71,19 +74,27 @@ fi AC_CHECK_LIB([itm], [_ITM_commitTransaction], [itm=yes], [itm=no]) OPENLDAP_LIBS= -AC_CHECK_HEADERS([lber.h ldap.h], +if test "x$enable_icsftok" = "xyes"; then + AC_CHECK_HEADERS([lber.h ldap.h], - [OPENLDAP_LIBS="-llber -lldap"], - [AC_MSG_ERROR([lber.h and ldap.h are missing. Please install - 'openldap-devel'.])]) + [OPENLDAP_LIBS="-llber -lldap"], + [AC_MSG_ERROR([lber.h and ldap.h are missing. Please install + 'openldap-devel'.])]) -LIBS="$LIBS $OPENLDAP_LIBS" + LIBS="$LIBS $OPENLDAP_LIBS" +fi 
@@ -34,65 +43,59 @@ + [lockdir=$localstatedir/lock/opencryptoki]) AC_SUBST(lockdir) +-logdir=$localstatedir/log/opencryptoki +AC_ARG_WITH([logdir], + [AS_HELP_STRING([--with-logdir],[log directory])], + [logdir=$withval], + [logdir=$localstatedir/log/opencryptoki]) - logdir=$localstatedir/log/opencryptoki AC_SUBST(logdir) -@@ -225,6 +237,19 @@ AC_ARG_WITH([systemd], + dnl --- +@@ -241,6 +252,19 @@ AC_ARG_WITH([libudev], [], - [with_systemd=no]) + [with_libudev=check]) +dnl --- check for pkcs11 user +AC_ARG_WITH([pkcs11user], + AC_HELP_STRING([--with-pkcs11user[[=USER]]], [set pkcs11 user [[pkcs11]]]), + [pkcs11_user=$withval], -+ [pkcs11_user=pkcs11]) ++ [pkcs11_user=_pkcs11]) +dnl --- check for pkcs11 group +AC_ARG_WITH(pkcs11group, + AC_HELP_STRING([--with-pkcs11group[[=GROUP]]], [set pkcs11 group [[pkcs11]]]), + [pkcs11_group=$withval], -+ [pkcs11_group=pkcs11]) ++ [pkcs11_group=_pkcs11]) +AC_SUBST(PKCS11USER, $pkcs11_user) +AC_SUBST(PKCS11GROUP, $pkcs11_group) + dnl --- dnl --- dnl --- Now that we have all the options, let's check for a valid build -@@ -598,12 +623,31 @@ else +@@ -662,10 +686,14 @@ libitm and gcc>=4.7 is required]) fi AM_CONDITIONAL([ENABLE_LOCKS], [test "x$enable_locks" = "xyes"]) -CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 -Wall -Wextra" -+CFLAGS="$CFLAGS \ -+ -Wall \ -+ -Wextra \ -+ -Wno-pointer-sign \ -+" -+CPPFX=' \ -+ -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" \ -+ -DSBIN_PATH=\"$(sbindir)\" \ -+ -DLIB_PATH=\"$(libdir)\" \ -+ -DLOCKDIR_PATH=\"$(lockdir)\" \ -+ -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" \ -+ -DOCK_LOGDIR=\"$(logdir)\" \ -+' -+CPPFLAGS="$CPPFLAGS \ -+ -DPKCS64 \ -+ -D_XOPEN_SOURCE=600 \ -+ $CPPFX \ -+ -DPKCS11USER=\\\"${pkcs11_user}\\\" \ -+ -DPKCS11GROUP=\\\"${pkcs11_group}\\\" \ -+" ++CFLAGS="$CFLAGS -Wall -Wextra -Wno-pointer-sign" -CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" 
-DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"' -- ++CPPFX='-DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"' + ++CPPFLAGS="$CPPFLAGS -DPKCS64 -D_XOPEN_SOURCE=600 $CPPFX" ++CPPFLAGS="$CPPFLAGS -DPKCS11USER=\\\"${pkcs11_user}\\\"" ++CPPFLAGS="$CPPFLAGS -DPKCS11GROUP=\\\"${pkcs11_group}\\\"" ++ # At this point, CFLAGS is set to something sensible AC_PROG_CC + AC_PROG_CXX +@@ -678,6 +706,10 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM( + #endif]])],, + [AC_MSG_ERROR([C++ compiler is missing on your system. Please install 'gcc-c++'.])]) + AC_LANG_POP([C++]) + +AC_SUBST(FPIC, $lt_prog_compiler_pic) ++ ++AC_SUBST(LOCALBASE, $LOCALBASE) AC_CONFIG_MACRO_DIRS([m4]) diff --git a/security/opencryptoki/files/patch-usr-include-slotmgr.h b/security/opencryptoki/files/patch-usr-include-slotmgr.h new file mode 100644 index 000000000000..eaef763f7ffd --- /dev/null +++ b/security/opencryptoki/files/patch-usr-include-slotmgr.h @@ -0,0 +1,16 @@ +--- usr/include/slotmgr.h.orig 2022-04-25 11:04:51 UTC ++++ usr/include/slotmgr.h +@@ -31,10 +31,10 @@ + #define TOK_PATH SBIN_PATH "/pkcsslotd" + #define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock" + +-#define PROC_SOCKET_FILE_PATH "/run/pkcsslotd.socket" +-#define ADMIN_SOCKET_FILE_PATH "/run/pkcsslotd.admin.socket" ++#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket" ++#define ADMIN_SOCKET_FILE_PATH "/var/run/pkcsslotd.admin.socket" + +-#define PID_FILE_PATH "/run/pkcsslotd.pid" ++#define PID_FILE_PATH "/var/run/pkcsslotd.pid" + #define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf" + + #ifndef CK_BOOL diff --git a/security/opencryptoki/files/patch-usr-lib-api-api.mk b/security/opencryptoki/files/patch-usr-lib-api-api.mk index 759a7e0e62a7..22d4bf1a3284 100644 --- a/security/opencryptoki/files/patch-usr-lib-api-api.mk 
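Review bot: The help strings added for `--with-pkcs11user` and `--with-pkcs11group` still advertise the default as `[[pkcs11]]`, while this commit changes the actual defaults to `[pkcs11_user=_pkcs11]` and `[pkcs11_group=_pkcs11]`, so `./configure --help` would describe a default the build does not use. Update them to `[set pkcs11 user [[_pkcs11]]]` and `[set pkcs11 group [[_pkcs11]]]`. Those two macros also use `AC_HELP_STRING`, whereas the `--with-logdir` option in this same hunk uses `AS_HELP_STRING`; the `AC_` spelling is the obsolete one, so use `AS_HELP_STRING` for all three. The surrounding AC_ARG_WITH block continues outside the hunk.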
+++ b/security/opencryptoki/files/patch-usr-lib-api-api.mk @@ -1,17 +1,19 @@ ---- usr/lib/api/api.mk.orig 2018-11-16 14:53:03 UTC +--- usr/lib/api/api.mk.orig 2022-04-25 11:04:51 UTC +++ usr/lib/api/api.mk -@@ -7,12 +7,12 @@ SO_REVISION=0 +@@ -8,14 +8,14 @@ SO_REVISION=0 SO_AGE=0 opencryptoki_libopencryptoki_la_CFLAGS = \ - -DAPI -DDEV -D_THREAD_SAFE -fPIC -I${srcdir}/usr/include \ + -DAPI -DDEV -D_THREAD_SAFE $(FPIC) -I${srcdir}/usr/include \ -I${srcdir}/usr/lib/common -I${srcdir}/usr/lib/api \ - -DSTDLL_NAME=\"api\" + -I${srcdir}/usr/lib/config -I${top_builddir}/usr/lib/config \ + -DSTDLL_NAME=\"api\" -DHASHMAP_JENKINS_MIX \ + -I${top_builddir}/usr/lib/api opencryptoki_libopencryptoki_la_LDFLAGS = \ -- -shared -Wl,-z,defs,-Bsymbolic -lc -ldl -lpthread \ -+ -shared -Wl,-z,defs,-Bsymbolic -lc -lpthread \ +- -shared -Wl,-z,defs,-Bsymbolic -lc -ldl -lpthread -lcrypto -lrt \ ++ -shared -Wl,-z,defs,-Bsymbolic -lc -lpthread -lcrypto -lrt \ -version-info $(SO_CURRENT):$(SO_REVISION):$(SO_AGE) \ -Wl,--version-script=${srcdir}/opencryptoki.map diff --git a/security/opencryptoki/files/patch-usr-lib-api-api_interface.c b/security/opencryptoki/files/patch-usr-lib-api-api_interface.c new file mode 100644 index 000000000000..f23f53dae326 --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-api-api_interface.c @@ -0,0 +1,11 @@ +--- usr/lib/api/api_interface.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/api/api_interface.c +@@ -373,7 +373,7 @@ static CK_RV check_user_and_group() + * when forked). So we need to get the group information. + * Really need to take the uid and map it to a name. + */ +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (grp == NULL) { + OCK_SYSLOG(LOG_ERR, "getgrnam() failed: %s\n", strerror(errno)); + goto error; diff --git a/security/opencryptoki/files/patch-usr-lib-api-apiutil.c b/security/opencryptoki/files/patch-usr-lib-api-apiutil.c index 76d2b849d7fb..32708dbcdfe3 100644 
--- a/security/opencryptoki/files/patch-usr-lib-api-apiutil.c +++ b/security/opencryptoki/files/patch-usr-lib-api-apiutil.c @@ -1,22 +1,25 @@ ---- usr/lib/api/apiutil.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/api/apiutil.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/api/apiutil.c -@@ -19,10 +19,10 @@ +@@ -19,11 +19,14 @@ #include <string.h> #include <strings.h> #include <unistd.h> --#include <alloca.h> ++#if !defined(__FreeBSD__) + #include <alloca.h> ++#endif #include <dlfcn.h> #include <errno.h> #include <sys/syslog.h> + #include <pthread.h> +#include <limits.h> #include <sys/ipc.h> -@@ -35,7 +35,6 @@ +@@ -36,7 +39,6 @@ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> -#include <sys/file.h> static int xplfd = -1; - + pthread_rwlock_t xplfd_rwlock = PTHREAD_RWLOCK_INITIALIZER; diff --git a/security/opencryptoki/files/patch-usr-lib-api-policy.c b/security/opencryptoki/files/patch-usr-lib-api-policy.c new file mode 100644 index 000000000000..af6fca6c14aa --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-api-policy.c 
@@ -0,0 +1,39 @@ +--- usr/lib/api/policy.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/api/policy.c +@@ -1178,10 +1178,10 @@ static CK_RV policy_check_cfg_file(FILE *fp, const cha + struct group *grp = NULL; + int err; + +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (!grp) { +- TRACE_ERROR("Could not retrieve \"pkcs11\" group!"); +- OCK_SYSLOG(LOG_ERR, "POLICY: Could not retrieve \"pkcs11\" group!"); ++ TRACE_ERROR("Could not retrieve \"" PKCS11GROUP "\" group!"); ++ OCK_SYSLOG(LOG_ERR, "POLICY: Could not retrieve \"" PKCS11GROUP "\" group!"); + return CKR_GENERAL_ERROR; + } + if (fstat(fileno(fp), &statbuf)) { +@@ -1200,16 +1200,17 @@ static CK_RV policy_check_cfg_file(FILE *fp, const cha + return CKR_GENERAL_ERROR; + } + if (statbuf.st_gid != grp->gr_gid) { +- TRACE_ERROR("Policy configuration file %s should have group \"pkcs11\"!\n", ++ TRACE_ERROR("Policy configuration file %s should have group \"" PKCS11GROUP "\"!\n", + name); +- OCK_SYSLOG(LOG_ERR, "POLICY: Configuration file %s should have group \"pkcs11\"!\n", ++ OCK_SYSLOG(LOG_ERR, "POLICY: Configuration file %s should have group \"" PKCS11GROUP "\"!\n", + name); + return CKR_GENERAL_ERROR; + } + if ((statbuf.st_mode & ~S_IFMT) != OCK_POLICY_PERMS) { +- TRACE_ERROR("Configuration file %s has wrong permissions!\n", name); +- OCK_SYSLOG(LOG_ERR, "POLICY: Configuration file %s has wrong permissions!\n", +- name); ++ TRACE_ERROR("Configuration file %s must have %04o permission (was %04o)\n", ++ name, OCK_POLICY_PERMS, (statbuf.st_mode & ~S_IFMT)); ++ OCK_SYSLOG(LOG_ERR, "POLICY: Configuration file %s must have %04o permission (is %04o)\n", ++ name, OCK_POLICY_PERMS, (statbuf.st_mode & ~S_IFMT)); + return CKR_GENERAL_ERROR; + } + return CKR_OK; diff --git a/security/opencryptoki/files/patch-usr-lib-api-socket_client.c b/security/opencryptoki/files/patch-usr-lib-api-socket_client.c index 51ad9ddeb5ed..9d989df6b181 100644 --- a/security/opencryptoki/files/patch-usr-lib-api-socket_client.c 
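Review bot: The two rewritten permission messages in policy_check_cfg_file disagree in wording for the same value: the TRACE_ERROR line says `(was %04o)` and the OCK_SYSLOG line says `(is %04o)`. Use one phrasing in both, e.g. `"Configuration file %s must have %04o permission (is %04o)\n"`, so the trace and syslog records for one failure can be matched by the same pattern. The remainder of policy_check_cfg_file is outside this hunk.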
+++ b/security/opencryptoki/files/patch-usr-lib-api-socket_client.c @@ -1,11 +1,11 @@ ---- usr/lib/api/socket_client.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/api/socket_client.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/api/socket_client.c -@@ -51,7 +51,7 @@ int init_socket_data() - return FALSE; +@@ -49,7 +49,7 @@ int connect_socket(const char *file_path) + return -1; } - grp = getgrnam("pkcs11"); + grp = getgrnam(PKCS11GROUP); if (!grp) { OCK_SYSLOG(LOG_ERR, - "init_socket_data: pkcs11 group does not exist, errno=%d", + "connect_socket: pkcs11 group does not exist, errno=%d", diff --git a/security/opencryptoki/files/patch-usr-lib-common-event_client.c b/security/opencryptoki/files/patch-usr-lib-common-event_client.c new file mode 100644 index 000000000000..258299588368 --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-common-event_client.c @@ -0,0 +1,11 @@ +--- usr/lib/common/event_client.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/common/event_client.c +@@ -32,7 +32,7 @@ static int connect_socket(const char *file_path) + if (stat(file_path, &file_info)) + return -errno; + +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (!grp) + return -errno; + diff --git a/security/opencryptoki/files/patch-usr-lib-common-loadsave.c b/security/opencryptoki/files/patch-usr-lib-common-loadsave.c index 2ac5ea0f2587..4560b35b683c 100644 --- a/security/opencryptoki/files/patch-usr-lib-common-loadsave.c +++ b/security/opencryptoki/files/patch-usr-lib-common-loadsave.c @@ -1,10 +1,12 @@ ---- usr/lib/common/loadsave.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/common/loadsave.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/common/loadsave.c -@@ -20,11 +20,9 @@ +@@ -20,17 +20,22 @@ #include <string.h> #include <strings.h> #include <unistd.h> --#include <alloca.h> ++#if !defined(__FreeBSD__) + #include <alloca.h> ++#endif #include <sys/types.h> #include <sys/stat.h> #include <sys/ipc.h> 
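Review bot: The syslog text kept on the new side of this hunk, `"connect_socket: pkcs11 group does not exist, errno=%d"`, still hard-codes the group name although the lookup directly above it now uses PKCS11GROUP, so a port built with `--with-pkcs11group=_pkcs11` logs a group name that is not the one being looked up. Use the macro in the string, `"connect_socket: " PKCS11GROUP " group does not exist, errno=%d"`, as this commit already does in patch-usr-lib-api-policy.c and patch-usr-lib-tpm_stdll-tpm_specific.c. The same stale text remains in patch-usr-lib-common-utility.c, `fprintf(stderr, "getgrname(pkcs11): %s", strerror(errno));`, right after the lookup that hunk changes to PKCS11GROUP.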
@@ -12,12 +14,34 @@ #include <errno.h> #include <syslog.h> #include <pwd.h> -@@ -370,7 +368,7 @@ void set_perm(int file) + #include <grp.h> + #include <openssl/evp.h> ++#if !defined(__FreeBSD__) + #include <endian.h> ++#else ++#include <sys/endian.h> ++#endif + + #include "pkcs11types.h" + #include "defs.h" +@@ -132,7 +137,7 @@ void set_perm(int file) // Set absolute permissions or rw-rw---- fchmod(file, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); - grp = getgrnam("pkcs11"); // Obtain the group id + grp = getgrnam(PKCS11GROUP); // Obtain the group id if (grp) { - // set ownership to root, and pkcs11 group - if (fchown(file, getuid(), grp->gr_gid) != 0) { + // set ownership to pkcs11 group + if (fchown(file, -1, grp->gr_gid) != 0) { +@@ -303,7 +308,11 @@ CK_RV init_data_store(STDLL_TokData_t *tokdata, char * + tokdata->pk_dir = NULL; + } + ++#if !defined(__FreeBSD__) + if ((pkdir = secure_getenv("PKCS_APP_STORE")) != NULL) { ++#else ++ if ((pkdir = getenv("PKCS_APP_STORE")) != NULL) { ++#endif + pklen = strlen(pkdir) + 1024; + tokdata->pk_dir = (char *) calloc(pklen, 1); + if (!(tokdata->pk_dir)) diff --git a/security/opencryptoki/files/patch-usr-lib-common-mech_ec.c b/security/opencryptoki/files/patch-usr-lib-common-mech_ec.c new file mode 100644 index 000000000000..4cab27ce0a2a --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-common-mech_ec.c @@ -0,0 +1,14 @@ +--- usr/lib/common/mech_ec.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/common/mech_ec.c +@@ -14,7 +14,11 @@ + */ + + #define _GNU_SOURCE ++#if !defined(__FreeBSD__) + #include <endian.h> ++#else ++#include <sys/endian.h> ++#endif + #include <stdio.h> + #include <stdlib.h> + #include <stdint.h> diff --git a/security/opencryptoki/files/patch-usr-lib-common-pkcs_utils.c b/security/opencryptoki/files/patch-usr-lib-common-pkcs_utils.c new file mode 100644 index 000000000000..d9a1b70e0bd4 --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-common-pkcs_utils.c 
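Review bot: The FreeBSD branch added in init_data_store replaces `secure_getenv("PKCS_APP_STORE")` with a plain `getenv`, which drops the safeguard the upstream call provides: secure_getenv returns NULL when the process runs with elevated privileges, so a set-id or otherwise privileged caller cannot be redirected to a different token store directory through its environment. FreeBSD has issetugid(2) for exactly this case, so the fallback should be `if ((pkdir = issetugid() == 0 ? getenv("PKCS_APP_STORE") : NULL) != NULL) {`, or a small `ock_secure_getenv()` wrapper in a common header so the `#if !defined(__FreeBSD__)` split is written once. The same substitution is made in patch-usr-sbin-p11sak-p11sak.c for `PKCSLIB`, which selects the library p11sak loads, and the same guard applies there. The rest of init_data_store is outside the hunk.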
@@ -0,0 +1,11 @@ +--- usr/lib/common/pkcs_utils.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/common/pkcs_utils.c +@@ -466,7 +466,7 @@ void set_perm(int file) + // Set absolute permissions or rw-rw---- + fchmod(file, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); + +- grp = getgrnam("pkcs11"); // Obtain the group id ++ grp = getgrnam(PKCS11GROUP); // Obtain the group id + if (grp) { + // set ownership to pkcs11 group + if (fchown(file, -1, grp->gr_gid) != 0) { diff --git a/security/opencryptoki/files/patch-usr-lib-common-shared_memory.c b/security/opencryptoki/files/patch-usr-lib-common-shared_memory.c new file mode 100644 index 000000000000..ed1caae32ede --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-common-shared_memory.c @@ -0,0 +1,15 @@ +--- usr/lib/common/shared_memory.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/common/shared_memory.c +@@ -172,10 +172,10 @@ int sm_open(const char *sm_name, int mode, void **p_ad + goto done; + } + +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (!grp) { + rc = -errno; +- SYS_ERROR(errno, "getgrname(\"pkcs11\"): %s\n", ++ SYS_ERROR(errno, "getgrname(\"" PKCS11GROUP "\"): %s\n", + strerror(errno)); + goto done; + } diff --git a/security/opencryptoki/files/patch-usr-lib-common-trace.c b/security/opencryptoki/files/patch-usr-lib-common-trace.c index 8af744f2dced..fbc6fefa6289 100644 --- a/security/opencryptoki/files/patch-usr-lib-common-trace.c +++ b/security/opencryptoki/files/patch-usr-lib-common-trace.c 
@@ -1,14 +1,26 @@ ---- usr/lib/common/trace.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/common/trace.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/common/trace.c -@@ -21,6 +21,7 @@ - #include <unistd.h> +@@ -23,7 +23,10 @@ #include <sys/file.h> #include <sys/types.h> + #include <sys/syscall.h> +#include <sys/stat.h> ++#include <pthread_np.h> ++ #include "pkcs11types.h" #include "defs.h" -@@ -170,7 +171,7 @@ CK_RV trace_initialize(void) + #include "host_defs.h" +@@ -34,7 +37,7 @@ + #ifdef SYS_gettid + #define __gettid() syscall(SYS_gettid) + #else +-#define __gettid() gettid() ++#define __gettid() pthread_getthreadid_np() + #endif + + pthread_mutex_t tlmtx = PTHREAD_MUTEX_INITIALIZER; +@@ -178,7 +181,7 @@ CK_RV trace_initialize(void) return (CKR_FUNCTION_FAILED); } diff --git a/security/opencryptoki/files/patch-usr-lib-common-utility.c b/security/opencryptoki/files/patch-usr-lib-common-utility.c index 106922a9c42d..0893560aba16 100644 --- a/security/opencryptoki/files/patch-usr-lib-common-utility.c +++ b/security/opencryptoki/files/patch-usr-lib-common-utility.c @@ -1,40 +1,37 @@ ---- usr/lib/common/utility.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/common/utility.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/common/utility.c 
@@ -21,6 +21,7 @@ #include <errno.h> #include <pwd.h> #include <grp.h> +#include <fcntl.h> + #include <pthread.h> + #include <openssl/evp.h> - #include "pkcs11types.h" - #include "defs.h" -@@ -35,6 +36,25 @@ +@@ -40,6 +41,22 @@ #include <sys/file.h> #include <syslog.h> -+#ifdef __sun -+#define LOCK_EX F_LOCK -+#define LOCK_UN F_ULOCK -+#define flock(fd, func) lockf(fd, func, 0) -+#endif -+ +#ifndef LOCK_SH -+#define LOCK_SH 1 /* shared lock */ ++#define LOCK_SH 1 +#endif ++ +#ifndef LOCK_EX -+#define LOCK_EX 2 /* exclusive lock */ ++#define LOCK_EX 2 +#endif ++ +#ifndef LOCK_NB -+#define LOCK_NB 4 /* don't block when locking */ ++#define LOCK_NB 4 +#endif ++ +#ifndef LOCK_UN -+#define LOCK_UN 8 /* unlock */ ++#define LOCK_UN 8 +#endif + - // Function: dlist_add_as_first() - // - // Adds the specified node to the start of the list -@@ -317,7 +337,7 @@ CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t * + CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t *tokdata) + { + char lockfile[PATH_MAX]; +@@ -82,7 +99,7 @@ CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t * lockdir, strerror(errno)); goto err; } @@ -43,7 +40,7 @@ if (grp == NULL) { fprintf(stderr, "getgrname(pkcs11): %s", strerror(errno)); goto err; -@@ -355,7 +375,7 @@ CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t * +@@ -122,7 +139,7 @@ CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t * goto err; } diff --git a/security/opencryptoki/files/patch-usr-lib-ica_s390_stdll-ica_s390_stdll.mk b/security/opencryptoki/files/patch-usr-lib-ica_s390_stdll-ica_s390_stdll.mk index 53c9d5f8ab0e..c8ea5dfc3812 100644 --- a/security/opencryptoki/files/patch-usr-lib-ica_s390_stdll-ica_s390_stdll.mk +++ b/security/opencryptoki/files/patch-usr-lib-ica_s390_stdll-ica_s390_stdll.mk 
@@ -1,14 +1,15 @@ ---- usr/lib/ica_s390_stdll/ica_s390_stdll.mk.orig 2018-11-16 14:53:03 UTC +--- usr/lib/ica_s390_stdll/ica_s390_stdll.mk.orig 2022-04-25 11:04:51 UTC +++ usr/lib/ica_s390_stdll/ica_s390_stdll.mk -@@ -3,14 +3,14 @@ nobase_lib_LTLIBRARIES += opencryptoki/stdll/libpkcs11 +@@ -3,7 +3,7 @@ nobase_lib_LTLIBRARIES += opencryptoki/stdll/libpkcs11 noinst_HEADERS += usr/lib/ica_s390_stdll/tok_struct.h opencryptoki_stdll_libpkcs11_ica_la_CFLAGS = \ - -DDEV -D_THREAD_SAFE -fPIC -DSHALLOW=0 -DSWTOK=0 -DLITE=1 \ + -DDEV -D_THREAD_SAFE $(FPIC) -DSHALLOW=0 -DSWTOK=0 -DLITE=1 \ -DNODH -DNOCDMF -DNOMD2 -DNODSA -DSTDLL_NAME=\"icatok\" \ + -DTOK_NEW_DATA_STORE=0x0003000c \ $(ICA_INC_DIRS) -I${srcdir}/usr/lib/ica_s390_stdll \ - -I${srcdir}/usr/lib/common -I${srcdir}/usr/include +@@ -12,7 +12,7 @@ opencryptoki_stdll_libpkcs11_ica_la_CFLAGS = \ opencryptoki_stdll_libpkcs11_ica_la_LDFLAGS = \ $(LCRYPTO) $(ICA_LIB_DIRS) -nostartfiles -shared \ diff --git a/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_specific.c b/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_specific.c index 164da96ccc76..a62410f0de9d 100644 --- a/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_specific.c +++ b/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_specific.c @@ -1,4 +1,4 @@ ---- usr/lib/soft_stdll/soft_specific.c.orig 2018-11-16 14:53:03 UTC +--- usr/lib/soft_stdll/soft_specific.c.orig 2022-04-25 11:04:51 UTC +++ usr/lib/soft_stdll/soft_specific.c @@ -19,6 +19,10 @@ @@ -11,7 +11,7 @@ #include <pthread.h> #include <string.h> // for memcmp() et al #include <stdlib.h> -@@ -36,7 +40,17 @@ +@@ -38,7 +42,17 @@ #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> @@ -27,5 +27,5 @@ #include <endian.h> +#endif - #include <openssl/des.h> #include <openssl/rand.h> + #include <openssl/dh.h> 
diff --git a/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_stdll.mk b/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_stdll.mk index 1c0b8fcdd670..484201a38bb4 100644 --- a/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_stdll.mk +++ b/security/opencryptoki/files/patch-usr-lib-soft_stdll-soft_stdll.mk @@ -1,4 +1,4 @@ ---- usr/lib/soft_stdll/soft_stdll.mk.orig 2018-11-16 14:53:03 UTC +--- usr/lib/soft_stdll/soft_stdll.mk.orig 2022-04-25 11:04:51 UTC +++ usr/lib/soft_stdll/soft_stdll.mk @@ -4,7 +4,7 @@ noinst_HEADERS += usr/lib/soft_stdll/tok_struct.h @@ -6,6 +6,6 @@ -DDEV -D_THREAD_SAFE -DSHALLOW=0 -DSWTOK=1 -DLITE=0 -DNOCDMF \ - -DNOMD2 -DNODSA -DNORIPE -fPIC -I${srcdir}/usr/lib/soft_stdll \ + -DNOMD2 -DNODSA -DNORIPE $(FPIC) -I${srcdir}/usr/lib/soft_stdll \ + -DTOK_NEW_DATA_STORE=0x0003000c \ -I${srcdir}/usr/lib/common -I${srcdir}/usr/include \ - -DSTDLL_NAME=\"swtok\" - + -DSTDLL_NAME=\"swtok\" -I${top_builddir}/usr/lib/api \ diff --git a/security/opencryptoki/files/patch-usr-lib-tpm_stdll-tpm_specific.c b/security/opencryptoki/files/patch-usr-lib-tpm_stdll-tpm_specific.c new file mode 100644 index 000000000000..076414c35609 --- /dev/null +++ b/security/opencryptoki/files/patch-usr-lib-tpm_stdll-tpm_specific.c @@ -0,0 +1,14 @@ +--- usr/lib/tpm_stdll/tpm_specific.c.orig 2022-04-25 11:04:51 UTC ++++ usr/lib/tpm_stdll/tpm_specific.c +@@ -3251,9 +3251,9 @@ int token_specific_creatlock(void) + "Directory(%s) missing: %s\n", lockdir, strerror(errno)); + goto err; + } +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (grp == NULL) { +- fprintf(stderr, "getgrname(pkcs11): %s", strerror(errno)); ++ fprintf(stderr, "getgrname(" PKCS11GROUP "): %s", strerror(errno)); + goto err; + } + /* set ownership to euid, and pkcs11 group */ diff --git a/security/opencryptoki/files/patch-usr-sbin-p11sak-p11sak.c b/security/opencryptoki/files/patch-usr-sbin-p11sak-p11sak.c new file mode 100644 index 000000000000..3dddb5de9d8b --- /dev/null 
+++ b/security/opencryptoki/files/patch-usr-sbin-p11sak-p11sak.c @@ -0,0 +1,20 @@ +--- usr/sbin/p11sak/p11sak.c.orig 2022-04-25 11:04:51 UTC ++++ usr/sbin/p11sak/p11sak.c +@@ -19,7 +19,7 @@ + #include "cfgparser.h" + #include "configuration.h" + #include <ctype.h> +-#include <linux/limits.h> ++#include <limits.h> + + #include <unistd.h> + #include <sys/types.h> +@@ -81,7 +81,7 @@ static void load_pkcs11lib(void) + const char *libname; + + /* check for environment variable PKCSLIB */ +- libname = secure_getenv("PKCSLIB"); ++ libname = getenv("PKCSLIB"); + if (libname == NULL || strlen(libname) < 1) + libname = default_pkcs11lib; + diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.c b/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.c index 96a5dff1a837..5191373d0e1e 100644 --- a/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.c +++ b/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.c @@ -1,11 +1,20 @@ ---- usr/sbin/pkcsconf/pkcsconf.c.orig 2018-11-16 14:53:03 UTC +--- usr/sbin/pkcsconf/pkcsconf.c.orig 2022-04-25 11:04:51 UTC +++ usr/sbin/pkcsconf/pkcsconf.c -@@ -530,6 +530,8 @@ CK_RV display_pkcs11_info(void) - printf("\tLibrary Version %d.%d \n", CryptokiInfo.libraryVersion.major, +@@ -548,7 +548,7 @@ CK_RV check_user_and_group(void) + * when forked). So we need to get the group information. + * Really need to take the uid and map it to a name. + */ +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (grp == NULL) { + return CKR_FUNCTION_FAILED; + } +@@ -589,6 +589,8 @@ CK_RV display_pkcs11_info(void) + printf("\tLibrary Description: %.32s \n", CryptokiInfo.libraryDescription); + printf("\tLibrary Version: %d.%d \n", CryptokiInfo.libraryVersion.major, CryptokiInfo.libraryVersion.minor); - -+ cleanup(); + ++ cleanup(); + return rc; } - 
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.mk b/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.mk index 7f56db8137e3..f7c8bb358539 100644 --- a/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.mk +++ b/security/opencryptoki/files/patch-usr-sbin-pkcsconf-pkcsconf.mk @@ -1,4 +1,4 @@ ---- usr/sbin/pkcsconf/pkcsconf.mk.orig 2018-11-16 14:53:03 UTC +--- usr/sbin/pkcsconf/pkcsconf.mk.orig 2022-04-25 11:04:51 UTC +++ usr/sbin/pkcsconf/pkcsconf.mk @@ -1,7 +1,7 @@ sbin_PROGRAMS += usr/sbin/pkcsconf/pkcsconf @@ -7,5 +7,5 @@ -usr_sbin_pkcsconf_pkcsconf_LDFLAGS = -lpthread -ldl -lcrypto +usr_sbin_pkcsconf_pkcsconf_LDFLAGS = -lpthread -lcrypto - usr_sbin_pkcsconf_pkcsconf_CFLAGS = \ - -D_THREAD_SAFE -DDEBUG -DDEV -DAPI \ + usr_sbin_pkcsconf_pkcsconf_CFLAGS = -D_THREAD_SAFE -DDEBUG -DDEV \ + -DAPI -I${srcdir}/usr/include -I${srcdir}/usr/lib/common \ diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-mutex.c b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-mutex.c index e64ad70486a9..dfb4f47233c6 100644 --- a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-mutex.c +++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-mutex.c @@ -1,6 +1,6 @@ ---- usr/sbin/pkcsslotd/mutex.c.orig 2018-11-16 14:53:03 UTC +--- usr/sbin/pkcsslotd/mutex.c.orig 2022-04-25 11:04:51 UTC +++ usr/sbin/pkcsslotd/mutex.c -@@ -16,10 +16,29 @@ +@@ -16,10 +16,24 @@ #include <sys/stat.h> #include <grp.h> #include <string.h> @@ -9,11 +9,6 @@ #include "log.h" #include "slotmgr.h" -+#ifdef __sun -+#define LOCK_EX F_LOCK -+#define LOCK_UN F_ULOCK -+#define flock(fd, func) lockf(fd, func, 0) -+#endif +#ifndef LOCK_SH +#define LOCK_SH 1 /* shared lock */ +#endif 
@@ -30,12 +25,12 @@ static int xplfd = -1; int CreateXProcLock(void) -@@ -41,7 +60,7 @@ int CreateXProcLock(void) - goto error; - } +@@ -37,7 +51,7 @@ int CreateXProcLock(void) + goto error; + } -- grp = getgrnam("pkcs11"); -+ grp = getgrnam(PKCS11GROUP); - if (grp != NULL) { - if (fchown(xplfd, -1, grp->gr_gid) == -1) { - DbgLog(DL0, "%s:fchown(%s):%s\n", +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (grp != NULL) { + if (fchown(xplfd, -1, grp->gr_gid) == -1) { + DbgLog(DL0, "%s:fchown(%s):%s\n", diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-opencryptoki.conf b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-opencryptoki.conf new file mode 100644 index 000000000000..9b9a5c6060ca --- /dev/null +++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-opencryptoki.conf 
@@ -0,0 +1,60 @@
+--- usr/sbin/pkcsslotd/opencryptoki.conf.orig 2022-04-25 11:04:51 UTC
++++ usr/sbin/pkcsslotd/opencryptoki.conf
+@@ -21,31 +21,40 @@ version opencryptoki-3.18
+ #
+ slot 0
+ {
+-stdll = libpkcs11_tpm.so
+-tokversion = 3.12
++ stdll = %%DLLDIR%%/libpkcs11_tpm.so
++ description = "TPM (Trusted Platform Module) Token"
++ tokversion = 3.12
+ }
+ 
+ slot 1
+ {
+-stdll = libpkcs11_ica.so
+-tokversion = 3.12
++ stdll = %%DLLDIR%%/libpkcs11_sw.so
++ description = "Software Token backed by OpenSSL"
++ tokversion = 3.12
+ }
+ 
+ slot 2
+ {
+-stdll = libpkcs11_cca.so
+-tokversion = 3.12
++ stdll = %%DLLDIR%%/libpkcs11_icsf.so
++ description = "ICSF (Integrated Cryptographic Service Facility) Token"
++ tokversion = 3.12
+ }
+ 
+-slot 3
+-{
+-stdll = libpkcs11_sw.so
+-tokversion = 3.12
+-}
++# slot 3
++# {
++# stdll = %%DLLDIR%%/libpkcs11_ica.so
++# tokversion = 3.12
++# }
+ 
+-slot 4
+-{
+-stdll = libpkcs11_ep11.so
+-confname = ep11tok.conf
+-tokversion = 3.12
+-}
++# slot 4
++# {
++# stdll = %%DLLDIR%%/libpkcs11_cca.so
++# tokversion = 3.12
++# }
++
++# slot 5
++# {
++# stdll = %%DLLDIR%%/libpkcs11_ep11.so
++# confname = ep11tok.conf
++# tokversion = 3.12
++# }
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd.mk b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd.mk
new file mode 100644
index 000000000000..0688ecc545ca
--- /dev/null
+++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd.mk
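Review bot: The commented-out slot 3, 4 and 5 entries point at libpkcs11_ica.so, libpkcs11_cca.so and libpkcs11_ep11.so, but the port only builds and packages the icsf, sw and tpm stdlls (see pkg-plist in this commit), so a user who uncomments them gets a daemon that cannot load the token with no hint why. A comment above them such as `# The ICA, CCA and EP11 tokens are not built on FreeBSD; these entries are kept for reference only.` would make that clear. The `%%DLLDIR%%` placeholder is presumably substituted by the port at patch time; a one-line comment at the top of the file saying that the absolute path is filled in at build time would help anyone reading the patch on its own.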
@@ -0,0 +1,52 @@
+--- usr/sbin/pkcsslotd/pkcsslotd.mk.orig 2022-04-25 11:04:51 UTC
++++ usr/sbin/pkcsslotd/pkcsslotd.mk
+@@ -5,7 +5,7 @@ noinst_HEADERS += \
+ 
+ EXTRA_DIST += usr/sbin/pkcsslotd/opencryptoki.conf
+ 
+-usr_sbin_pkcsslotd_pkcsslotd_LDFLAGS = -lpthread -lcrypto
++usr_sbin_pkcsslotd_pkcsslotd_LDFLAGS = -lpthread -lcrypto -lepoll-shim -L$(LOCALBASE)/lib
+ if HAVE_LIBUDEV
+ usr_sbin_pkcsslotd_pkcsslotd_LDFLAGS += -ludev
+ endif
+@@ -15,7 +15,39 @@ usr_sbin_pkcsslotd_pkcsslotd_CFLAGS = -DPROGRAM_NAME=\
+ -I${top_builddir}/usr/lib/common \
+ -I${top_builddir}/usr/lib/api \
+ -I${srcdir}/usr/lib/config \
+- -I${top_builddir}/usr/lib/config
++ -I${top_builddir}/usr/lib/config \
++ -I$(LOCALBASE)/include/libepoll-shim
++
++usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
++ usr/sbin/pkcsslotd/slotmgr.c usr/sbin/pkcsslotd/shmem.c \
++ usr/sbin/pkcsslotd/signal.c usr/sbin/pkcsslotd/mutex.c usr/sbin/pkcsslotd/err.c \
++ usr/sbin/pkcsslotd/log.c usr/sbin/pkcsslotd/daemon.c \
++ usr/sbin/pkcsslotd/garbage_linux.c usr/sbin/pkcsslotd/pkcsslotd_util.c \
++ usr/sbin/pkcsslotd/socket_server.c usr/lib/config/configuration.c \
++ usr/lib/config/cfgparse.y usr/lib/config/cfglex.l
++
++nodist_usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
++ usr/lib/common/dlist.c
++usr/sbin/pkcsslotd/slotmgr.$(OBJEXT): usr/lib/config/cfgparse.h
++sbin_PROGRAMS += usr/sbin/pkcsslotd/pkcsslotd
++noinst_HEADERS += \
++ usr/sbin/pkcsslotd/err.h usr/sbin/pkcsslotd/garbage_linux.h \
++ usr/sbin/pkcsslotd/log.h usr/sbin/pkcsslotd/pkcsslotd.h
++
++EXTRA_DIST += usr/sbin/pkcsslotd/opencryptoki.conf
++
++usr_sbin_pkcsslotd_pkcsslotd_LDFLAGS = -lpthread -lcrypto -lepoll-shim -L$(LOCALBASE)/lib
++if HAVE_LIBUDEV
++usr_sbin_pkcsslotd_pkcsslotd_LDFLAGS += -ludev
++endif
++
++usr_sbin_pkcsslotd_pkcsslotd_CFLAGS = -DPROGRAM_NAME=\"$(@)\" \
++ -I${srcdir}/usr/include -I${srcdir}/usr/lib/common \
++ -I${top_builddir}/usr/lib/common \
++ -I${top_builddir}/usr/lib/api \
++ -I${srcdir}/usr/lib/config \
++ -I${top_builddir}/usr/lib/config \
++ -I$(LOCALBASE)/include/libepoll-shim
+ 
+ usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
+ usr/sbin/pkcsslotd/slotmgr.c usr/sbin/pkcsslotd/shmem.c \
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd_util.c b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd_util.c
new file mode 100644
index 000000000000..1d3b9f8df8c4
--- /dev/null
+++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-pkcsslotd_util.c
@@ -0,0 +1,10 @@
+--- usr/sbin/pkcsslotd/pkcsslotd_util.c.orig 2022-04-25 11:04:51 UTC
++++ usr/sbin/pkcsslotd/pkcsslotd_util.c
+@@ -11,6 +11,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <stdio.h>
++#include <pthread.h>
+ 
+ #include "slotmgr.h"
+ #include "log.h"
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-shmem.c b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-shmem.c
index 7c67229f9718..59c785d32ab6 100644
--- a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-shmem.c
+++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-shmem.c
@@ -1,6 +1,6 @@
---- usr/sbin/pkcsslotd/shmem.c.orig 2018-11-16 14:53:03 UTC
+--- usr/sbin/pkcsslotd/shmem.c.orig 2022-04-25 11:04:51 UTC
 +++ usr/sbin/pkcsslotd/shmem.c
-@@ -54,9 +54,9 @@ int CreateSharedMemory(void)
+@@ -58,9 +58,9 @@ int CreateSharedMemory(void)
 }
 // SAB Get the group information for the PKCS#11 group... fail if
 // it does not exist
@@ -12,7 +12,7 @@
 return FALSE; // Group does not exist... setup is wrong..
 }
-@@ -136,9 +136,9 @@ int CreateSharedMemory(void)
+@@ -141,9 +141,9 @@ int CreateSharedMemory(void)
 int i;
 char *buffer;
@@ -24,7 +24,7 @@
 "Opencryptoki setup is incorrect.");
 return FALSE; // Group does not exist... setup is wrong..
 }
-@@ -160,8 +160,8 @@ int CreateSharedMemory(void)
+@@ -165,8 +165,8 @@ int CreateSharedMemory(void)
 return FALSE;
 }
 if (fchown(fd, 0, grp->gr_gid) == -1) {
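Review bot: The added block that follows the first `-I$(LOCALBASE)/include/libepoll-shim` line re-declares the whole of pkcsslotd.mk a second time — `sbin_PROGRAMS += usr/sbin/pkcsslotd/pkcsslotd`, `noinst_HEADERS +=`, `EXTRA_DIST +=`, the `_LDFLAGS`/`_CFLAGS` assignments and `usr_sbin_pkcsslotd_pkcsslotd_SOURCES` — immediately before the original `usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \` context line, which looks like an accidental paste rather than an intended change. As written, pkcsslotd is appended to sbin_PROGRAMS twice, `-ludev` is appended twice, and the `_SOURCES`, `_LDFLAGS` and `_CFLAGS` variables are each defined twice, which automake reports as multiply-defined variables. The second hunk presumably only needs the two lines `-I${top_builddir}/usr/lib/config \` and `-I$(LOCALBASE)/include/libepoll-shim`, so the 31 lines after them should be dropped. Separately, automake convention puts libraries such as `-lepoll-shim` in `usr_sbin_pkcsslotd_pkcsslotd_LDADD` rather than `_LDFLAGS`, which keeps them after the object files on the link line.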
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-slotmgr.c b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-slotmgr.c
new file mode 100644
index 000000000000..1c877f70cffa
--- /dev/null
+++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-slotmgr.c
@@ -0,0 +1,55 @@
+--- usr/sbin/pkcsslotd/slotmgr.c.orig 2022-04-25 11:04:51 UTC
++++ usr/sbin/pkcsslotd/slotmgr.c
+@@ -137,9 +137,9 @@ void run_sanity_checks()
+ }
+ 
+ /* check that the pkcs11 group exists */
+- grp = getgrnam("pkcs11");
++ grp = getgrnam(PKCS11GROUP);
+ if (!grp) {
+- fprintf(stderr, "There is no 'pkcs11' group on this system.\n");
++ fprintf(stderr, "There is no '" PKCS11GROUP "' group on this system.\n");
+ exit(1);
+ }
+ 
+@@ -162,6 +162,15 @@ void run_sanity_checks()
+ fprintf(stderr, "Directory %s missing\n", dircheck[i].dir);
+ exit(2);
+ }
++ }
++ ec = stat(dircheck[i].dir, &sbuf);
++ if (ec != 0) {
++ fprintf(stderr, "Directory %s missing\n", dircheck[i].dir);
++ exit(2);
++ }
++ if (sbuf.st_mode != dircheck[i].mode ||
++ sbuf.st_uid != geteuid() ||
++ sbuf.st_gid != grp->gr_gid) {
+ /* set ownership to root, and pkcs11 group */
+ if (chown(dircheck[i].dir, geteuid(), grp->gr_gid) != 0) {
+ fprintf(stderr,
+@@ -230,9 +239,9 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
+ 
+ /* get 'PKCS11' group id */
+ uid = (int) geteuid();
+- grp = getgrnam("pkcs11");
++ grp = getgrnam(PKCS11GROUP);
+ if (!grp) {
+- fprintf(stderr, "PKCS11 group does not exist [errno=%d].\n", errno);
++ fprintf(stderr, PKCS11GROUP " group does not exist [errno=%d].\n", errno);
+ return errno;
+ } else {
+ grpid = grp->gr_gid;
+@@ -719,7 +728,12 @@ int main(int argc, char *argv[], char *envp[])
+ */
+ if (Daemon) {
+ pid_t pid;
++#if !defined(__FreeBSD__)
+ if ((pid = fork()) < 0) {
++#else
++ /* epoll emulation with kqueue requires sharing the fd table */
++ if ((pid = rfork(RFPROC)) < 0) {
++#endif
+ term_socket_server();
+ DestroyMutexes();
+ DetachFromSharedMemory();
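Review bot: In the new run_sanity_checks block, `sbuf.st_mode != dircheck[i].mode` compares the complete st_mode, which also carries the file-type bits (S_IFDIR for these entries), against the expected mode; if dircheck[i].mode holds only permission bits, as values handed to chmod normally do, the test never matches and the chown/chmod branch runs on every start, which defeats the purpose of the check. Masking the type bits makes the intent explicit: `if ((sbuf.st_mode & ~S_IFMT) != dircheck[i].mode ||`. The dircheck table and the closing brace of the new `if` are outside the hunk, so the exact contents of `mode` cannot be confirmed here. For the `rfork(RFPROC)` path in main, the comment would be more useful if it said what breaks otherwise — that a kqueue descriptor is not inherited across a plain fork, so the epoll emulation's descriptor would be invalid in the child — and it is worth adding that the parent and child now share one descriptor table, so any descriptor the parent closes before it exits is closed in the daemon as well.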
diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-socket_server.c b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-socket_server.c
index 85029168445c..e5755ab0f517 100644
--- a/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-socket_server.c
+++ b/security/opencryptoki/files/patch-usr-sbin-pkcsslotd-socket_server.c
@@ -1,45 +1,110 @@ ---- usr/sbin/pkcsslotd/socket_server.c.orig 2018-11-16 14:53:03 UTC +--- usr/sbin/pkcsslotd/socket_server.c.orig 2022-04-25 11:04:51 UTC +++ usr/sbin/pkcsslotd/socket_server.c -@@ -19,6 +19,9 @@ - #include <sys/select.h> - #include <sys/stat.h> - #include <grp.h> -+#ifndef SOCK_NONBLOCK -+#include <fcntl.h> +@@ -18,6 +18,9 @@ + #include <stdlib.h> + #include <fcntl.h> + ++#if defined(__FreeBSD__) ++#include <sys/ucred.h> ++#endif + #include <sys/time.h> + #include <sys/socket.h> + #include <sys/un.h> +@@ -641,7 +644,11 @@ static int proc_new_conn(int socket, struct listener_i + struct proc_conn_info *conn; + struct event_info *event; + DL_NODE *list, *node; ++#if !defined(__FreeBSD__) + struct ucred ucred; ++#else ++ struct xucred ucred; +#endif + socklen_t len; + int rc = 0; - #include "log.h" - #include "slotmgr.h" -@@ -34,11 +37,23 @@ int CreateListenerSocket(void) - struct group *grp; - int socketfd; +@@ -661,21 +668,34 @@ static int proc_new_conn(int socket, struct listener_i + DbgLog(DL3, "%s: process conn: %p", __func__, conn); -+#ifdef SOCK_NONBLOCK - socketfd = socket(PF_UNIX, SOCK_STREAM | SOCK_NONBLOCK, 0); + len = sizeof(ucred); ++#if !defined(__FreeBSD__) + rc = getsockopt(socket, SOL_SOCKET, SO_PEERCRED, &ucred, &len); +#else -+ socketfd = socket(PF_UNIX, SOCK_STREAM, 0); ++ rc = getsockopt(socket, 0, LOCAL_PEERCRED, &ucred, &len); +#endif - if (socketfd < 0) { - ErrLog("Failed to create listener socket, errno 0x%X.", errno); - return -1; + if (rc != 0 || len != sizeof(ucred)) { + rc = -errno; +- ErrLog("%s: failed get credentials of peer process: %s", +- strerror(-rc), __func__); ++ ErrLog("%s: failed get credentials of peer process: %s (len=%zu)", ++ __func__, strerror(-rc), len); + goto out; } -+#ifndef SOCK_NONBLOCK -+ if (fcntl(socketfd, F_SETFL, -+ fcntl(socketfd, F_GETFL) | O_NONBLOCK) < 0) { -+ ErrLog("Failed to set listener non-block, errno 0x%X.", errno); -+ close(socketfd); -+ return -1; -+ } + ++#if 
!defined(__FreeBSD__) + DbgLog(DL3, "%s: process pid: %u uid: %u gid: %u", __func__, + ucred.pid, ucred.uid, ucred.gid); + + conn->client_cred.real_pid = ucred.pid; + conn->client_cred.real_uid = ucred.uid; + conn->client_cred.real_gid = ucred.gid; ++#else ++ DbgLog(DL3, "%s: process pid: %u uid: %u gid: %u", __func__, ++ ucred.cr_pid, ucred.cr_uid, ucred.cr_gid); + ++ conn->client_cred.real_pid = ucred.cr_pid; ++ conn->client_cred.real_uid = ucred.cr_uid; ++ conn->client_cred.real_gid = ucred.cr_gid; +#endif - if (unlink(SOCKET_FILE_PATH) && errno != ENOENT) { - ErrLog("Failed to unlink socket file, errno 0x%X.", errno); - close(socketfd); -@@ -57,7 +72,7 @@ int CreateListenerSocket(void) ++ + /* Add currently pending events to this connection */ + node = dlist_get_first(pending_events); + while (node != NULL) { +@@ -1280,13 +1300,13 @@ static int listener_socket_create(const char *file_pat + if (bind(listener_socket, + (struct sockaddr *) &address, sizeof(struct sockaddr_un)) != 0) { + err = errno; +- ErrLog("%s: Failed to bind to socket, errno %d (%s).", __func__, err, +- strerror(err)); ++ ErrLog("%s: Failed to bind to socket, errno %d (%s): %s", __func__, err, ++ strerror(err), address.sun_path); + goto error; } // make socket file part of the pkcs11 group, and write accessable // for that group - grp = getgrnam("pkcs11"); + grp = getgrnam(PKCS11GROUP); if (!grp) { - ErrLog("Group PKCS#11 does not exist"); - DetachSocketListener(socketfd); + ErrLog("%s: Group PKCS#11 does not exist", __func__); + goto error; +@@ -1408,7 +1428,9 @@ static int listener_create(const char *file_path, + if (listener->socket < 0) + return FALSE; + ++ memset(&evt, 0, sizeof(evt)); + evt.events = EPOLLIN | EPOLLET; ++ evt.data.fd = listener->socket; + evt.data.ptr = &listener->ep_info; + rc = epoll_ctl(epoll_fd, EPOLL_CTL_ADD, listener->socket, &evt); + if (rc != 0) { +@@ -1693,8 +1715,8 @@ int socket_connection_handler(int timeout_secs) + err = errno; + if (err == EINTR) + continue; 
+- ErrLog("%s: epoll_wait failed, errno %d (%s).", __func__, err, +- strerror(err)); ++ ErrLog("%s: epoll_wait failed, errno %d (%s): %d", __func__, err, ++ strerror(err), epoll_fd); + return FALSE; + } + +@@ -1730,8 +1752,8 @@ int init_socket_server(int event_support_disabled) + epoll_fd = epoll_create1(0); + if (epoll_fd < 0) { + err = errno; +- ErrLog("%s: Failed to open epoll socket, errno %d (%s).", __func__, err, +- strerror(err)); ++ ErrLog("%s: Failed to open epoll socket, errno %d (%s): %d", __func__, err, ++ strerror(err), epoll_fd); + return FALSE; + } + diff --git a/security/opencryptoki/files/patch-usr-sbin-pkcstok_migrate-pkcstok_migrate.c b/security/opencryptoki/files/patch-usr-sbin-pkcstok_migrate-pkcstok_migrate.c new file mode 100644 index 000000000000..d5658a72072b --- /dev/null +++ b/security/opencryptoki/files/patch-usr-sbin-pkcstok_migrate-pkcstok_migrate.c @@ -0,0 +1,23 @@ +--- usr/sbin/pkcstok_migrate/pkcstok_migrate.c.orig 2022-04-25 11:04:51 UTC ++++ usr/sbin/pkcstok_migrate/pkcstok_migrate.c +@@ -20,7 +20,11 @@ + #include <errno.h> + #include <getopt.h> + #include <memory.h> ++#if !defined(__FreeBSD__) + #include <linux/limits.h> ++#else ++#include <limits.h> ++#endif + #include <openssl/evp.h> + #include <string.h> + #include <stdio.h> +@@ -2239,7 +2243,7 @@ static CK_RV change_owner(char *dir) + CK_RV ret; + + /* Set group owner */ +- grp = getgrnam("pkcs11"); ++ grp = getgrnam(PKCS11GROUP); + if (grp) { + if (chown(dir, -1, grp->gr_gid)) { + ret = CKR_FUNCTION_FAILED; diff --git a/security/opencryptoki/pkg-plist b/security/opencryptoki/pkg-plist index 0c2f59eb93e5..54f88034d21e 100644 --- a/security/opencryptoki/pkg-plist +++ b/security/opencryptoki/pkg-plist 
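Review bot: In proc_new_conn the new ErrLog call prints `len` with `%zu`, but `len` is declared `socklen_t` (a 32-bit unsigned type on both Linux and FreeBSD, not size_t), so the format does not match the argument and trips -Wformat; `__func__, strerror(-rc), (size_t) len);` fixes it. In listener_create, `evt.data.fd = listener->socket;` is immediately overwritten by `evt.data.ptr = &listener->ep_info;` because epoll_data is a union, so the fd assignment is dead and should be removed rather than left to suggest both values survive. On the FreeBSD branch, LOCAL_PEERCRED fills a `struct xucred` whose layout is versioned; checking `ucred.cr_version == XUCRED_VERSION` next to the length test would reject a header/kernel mismatch before the pid, uid and gid are trusted for access decisions. The epoll_create1 failure message now appends epoll_fd right after it was found to be negative, so that `: %d` carries no information and could be reverted. All of the enclosing functions start and end outside the hunk.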
@@ -1,40 +1,53 @@
 @sample etc/opencryptoki/opencryptoki.conf.sample
+@sample(0,%%GROUPS%%,640) etc/opencryptoki/p11sak_defined_attrs.conf.sample
+@sample(0,%%GROUPS%%,640) etc/opencryptoki/policy.conf.sample
+@sample(0,%%GROUPS%%,640) etc/opencryptoki/strength.conf.sample
 include/opencryptoki/apiclient.h
+include/opencryptoki/ec_curves.h
 include/opencryptoki/pkcs11.h
 include/opencryptoki/pkcs11types.h
-lib/opencryptoki/PKCS11_API.so
 lib/opencryptoki/libopencryptoki.so
 lib/opencryptoki/libopencryptoki.so.0
 lib/opencryptoki/libopencryptoki.so.0.0.0
 lib/opencryptoki/methods
-lib/opencryptoki/stdll/PKCS11_ICSF.so
-lib/opencryptoki/stdll/PKCS11_SW.so
-lib/opencryptoki/stdll/PKCS11_TPM.so
+lib/opencryptoki/PKCS11_API.so
+lib/opencryptoki/stdll/libpkcs11_icsf.so
+lib/opencryptoki/stdll/libpkcs11_icsf.so.0
+lib/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0
 lib/opencryptoki/stdll/libpkcs11_sw.so
 lib/opencryptoki/stdll/libpkcs11_sw.so.0
 lib/opencryptoki/stdll/libpkcs11_sw.so.0.0.0
 lib/opencryptoki/stdll/libpkcs11_tpm.so
 lib/opencryptoki/stdll/libpkcs11_tpm.so.0
 lib/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0
-lib/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0
-lib/opencryptoki/stdll/libpkcs11_icsf.so.0
-lib/opencryptoki/stdll/libpkcs11_icsf.so
-lib/pkcs11/PKCS11_API.so
+lib/opencryptoki/stdll/PKCS11_ICSF.so
+lib/opencryptoki/stdll/PKCS11_SW.so
+lib/opencryptoki/stdll/PKCS11_TPM.so
 lib/pkcs11/libopencryptoki.so
 lib/pkcs11/methods
+lib/pkcs11/PKCS11_API.so
 lib/pkcs11/stdll
+man/man1/p11sak.1.gz
 man/man1/pkcsconf.1.gz
 man/man1/pkcsicsf.1.gz
+man/man1/pkcsstats.1.gz
+man/man1/pkcstok_migrate.1.gz
 man/man5/opencryptoki.conf.5.gz
+man/man5/p11sak_defined_attrs.conf.5.gz
+man/man5/policy.conf.5.gz
+man/man5/strength.conf.5.gz
 man/man7/opencryptoki.7.gz
 man/man8/pkcsslotd.8.gz
+sbin/p11sak
 sbin/pkcsconf
 sbin/pkcsicsf
 sbin/pkcsslotd
-@dir(%%USERS%%,%%GROUPS%%,700) /var/lib/opencryptoki/icsf
-@dir(%%USERS%%,%%GROUPS%%,700) /var/lib/opencryptoki/swtok/TOK_OBJ
-@dir(%%USERS%%,%%GROUPS%%,700) /var/lib/opencryptoki/swtok
-@dir(%%USERS%%,%%GROUPS%%,700) /var/lib/opencryptoki/tpm
-@dir(%%USERS%%,%%GROUPS%%,700) /var/lib/opencryptoki
+sbin/pkcsstats
+sbin/pkcstok_migrate
+@dir(%%USERS%%,%%GROUPS%%,770) /var/lib/opencryptoki
+@dir(%%USERS%%,%%GROUPS%%,770) /var/lib/opencryptoki/icsf
+@dir(%%USERS%%,%%GROUPS%%,770) /var/lib/opencryptoki/swtok
+@dir(%%USERS%%,%%GROUPS%%,770) /var/lib/opencryptoki/swtok/TOK_OBJ
+@dir(%%USERS%%,%%GROUPS%%,770) /var/lib/opencryptoki/tpm
 @dir /var/lib
 @dir /var/log/opencryptoki |
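Review bot: The five `@dir(%%USERS%%,%%GROUPS%%,770)` entries widen the token store from owner-only (700) to group-writable, so every member of the `%%GROUPS%%` group can now modify the swtok, tpm and icsf token data directories; that matches the group-based access model the rest of the commit builds on, but it is a permission change worth stating in pkg-message or UPDATING, since an existing install may keep its 700 directories and behave differently from a fresh one. The three new `@sample(0,%%GROUPS%%,640)` lines make the policy and strength configuration readable only by root and the group, while `@sample etc/opencryptoki/opencryptoki.conf.sample` keeps the default owner and mode; if that difference is intended, a `@comment` line above the sample entries saying so would keep the next update from "fixing" it. `@dir /var/lib` is pre-existing context, but the package still claims a directory it does not own.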