From owner-svn-ports-head@FreeBSD.ORG Fri Apr 4 10:16:47 2014 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D8C94C63; Fri, 4 Apr 2014 10:16:47 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B8F439B4; Fri, 4 Apr 2014 10:16:47 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s34AGlrd021191; Fri, 4 Apr 2014 10:16:47 GMT (envelope-from mat@svn.freebsd.org) Received: (from mat@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s34AGlNI021189; Fri, 4 Apr 2014 10:16:47 GMT (envelope-from mat@svn.freebsd.org) Message-Id: <201404041016.s34AGlNI021189@svn.freebsd.org> 
From: Mathieu Arnold Date: Fri, 4 Apr 2014 10:16:47 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r350089 - in head/security/softhsm: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Apr 2014 10:16:47 -0000 Author: mat Date: Fri Apr 4 10:16:47 2014 New Revision: 350089 URL: http://svnweb.freebsd.org/changeset/ports/350089 QAT: https://qat.redports.org/buildarchive/r350089/ Log: Fix SoftHSM's umask handling (upstream patch) Approved by: maintainer Obtained from: https://github.com/opendnssec/SoftHSMv1/pull/11 Sponsored by: Absolight Added: head/security/softhsm/files/ head/security/softhsm/files/patch-SOFTHSM-94 (contents, props changed) Modified: head/security/softhsm/Makefile Modified: head/security/softhsm/Makefile ============================================================================== --- head/security/softhsm/Makefile Fri Apr 4 10:14:34 2014 (r350088) +++ head/security/softhsm/Makefile Fri Apr 4 10:16:47 2014 (r350089) @@ -3,6 +3,7 @@ PORTNAME= softhsm PORTVERSION= 1.3.6 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= http://dist.opendnssec.org/source/ Added: head/security/softhsm/files/patch-SOFTHSM-94 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/softhsm/files/patch-SOFTHSM-94 Fri Apr 4 10:16:47 2014 (r350089) 
@@ -0,0 +1,119 @@
+From 39b1e1115501a042597ce0c2bc17659c4082fc9e Mon Sep 17 00:00:00 2001
+From: Rickard Bellgrim
+Date: Thu, 3 Apr 2014 13:19:02 +0200
+Subject: [PATCH] SOFTHSM-94: umask affecting the calling application.
+
+---
+ NEWS | 6 ++++++
+ src/lib/SoftDatabase.cpp | 20 +++++++++++++++-----
+ src/lib/tokenhandling.cpp | 21 ++++++++++++++++-----
+ 3 files changed, 37 insertions(+), 10 deletions(-)
+
+diff --git NEWS NEWS
+index a69e16f..04473dd 100644
+--- NEWS
++++ NEWS
+@@ -1,5 +1,11 @@
+ NEWS for SoftHSM -- History of user visible changes
+
++SoftHSM 1.3 develop
++
++Bugfixes:
++* SOFTHSM-94: umask affecting the calling application.
++
++
+ SoftHSM 1.3.6 - 2014-02-24
+
+ * SOFTHSM-51: Call umask to restrict created files.
+diff --git src/lib/SoftDatabase.cpp src/lib/SoftDatabase.cpp
+index 492883e..aac5fe1 100644
+--- src/lib/SoftDatabase.cpp
++++ src/lib/SoftDatabase.cpp
+@@ -40,6 +40,9 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+
+ using std::string;
+
+@@ -115,15 +118,22 @@ static int db_is_locked(void* /*data*/, int /*retry*/) {
+ }
+
+ CK_RV SoftDatabase::init(char *dbPath) {
+- // Circumvent the sqlite3 reliance on umask to enforce secure permissions
+- mode_t saved_umask = umask(S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
++ // Create and set file permissions if the DB does not exist.
++ int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++ if(fd == -1) {
++ char warnMsg[1024];
++ snprintf(warnMsg, sizeof(warnMsg), "Could not open the token database. errno=%i. "
++ "Probably wrong privileges: %s", errno, dbPath);
++ ERROR_MSG("init", warnMsg);
++ return CKR_TOKEN_NOT_PRESENT;
++ }
++ close(fd);
++
+ // Open the database
+ int result = sqlite3_open(dbPath, &db);
+- // Restore umask to avoid side effects
+- (void) umask(saved_umask);
+ if(result) {
+ char warnMsg[1024];
+- snprintf(warnMsg, sizeof(warnMsg), "Could not open token database. Probably wrong privileges: %s", dbPath);
++ snprintf(warnMsg, sizeof(warnMsg), "Could not open the token database: %s", dbPath);
+ ERROR_MSG("init", warnMsg);
+ return CKR_TOKEN_NOT_PRESENT;
+ }
+diff --git src/lib/tokenhandling.cpp src/lib/tokenhandling.cpp
+index 8857574..ac3d7ed 100644
+--- src/lib/tokenhandling.cpp
++++ src/lib/tokenhandling.cpp
+@@ -40,6 +40,9 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
+
+ #define EXEC_DB(db, sql) \
+ if(sqlite3_exec(db, sql, NULL, NULL, NULL)) { \
+@@ -99,19 +102,27 @@ CK_RV softInitToken(SoftSlot *currentSlot, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinL
+ }
+ }
+
+- // Circumvent the sqlite3 reliance on umask to enforce secure permissions
+- mode_t saved_umask = umask(S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
++ // Create and set file permissions if the DB does not exist.
++ int fd = open(currentSlot->dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++ if(fd == -1) {
++ free(soPIN);
++ char warnMsg[1024];
++ snprintf(warnMsg, sizeof(warnMsg), "Could not open the token database. errno=%i. "
++ "Probably wrong privileges: %s", errno, currentSlot->dbPath);
++ DEBUG_MSG("C_InitToken", warnMsg);
++ return CKR_DEVICE_ERROR;
++ }
++ close(fd);
++
+ // Open the database
+ sqlite3 *db = NULL;
+ int result = sqlite3_open(currentSlot->dbPath, &db);
+- // Restore umask to avoid side effects
+- (void) umask(saved_umask);
+ if(result){
+ if(db != NULL) {
+ sqlite3_close(db);
+ }
+ free(soPIN);
+- DEBUG_MSG("C_InitToken", "Could not open the token database file");
++ DEBUG_MSG("C_InitToken", "Could not open the token database");
+ return CKR_DEVICE_ERROR;
+ }
+
+--
+1.9.1
+
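Review bot: In the `SoftDatabase::init` hunk of src/lib/SoftDatabase.cpp, the `S_IRUSR | S_IWUSR` mode passed to `open(dbPath, O_CREAT, ...)` only takes effect when the call creates the file. A token database that already exists with group or world access is therefore opened with those permissions unchanged, and the descriptor is closed without inspecting them. Before `close(fd)`, consider `struct stat st; if(fstat(fd, &st) == 0 && (st.st_mode & (S_IRWXG | S_IRWXO))) { /* log it, or fchmod(fd, S_IRUSR | S_IWUSR) */ }` so that a lax database file is at least reported. The same applies to `open(currentSlot->dbPath, ...)` in the `softInitToken` hunk of src/lib/tokenhandling.cpp. Both function bodies continue outside their hunks, so a check made elsewhere would not be visible here.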
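Review bot: In the `softInitToken` hunk of src/lib/tokenhandling.cpp, the new failure branch calls `free(soPIN)` before `snprintf` reads `errno`. Some C libraries let `free` modify `errno`, so the logged value may not be the one `open` set. Capture it first with `int openErrno = errno;` directly after `if(fd == -1) {`, and pass `openErrno` to `snprintf`. This branch also reports through `DEBUG_MSG`, while the matching branch in `SoftDatabase::init` uses `ERROR_MSG`; whether the failure shows up in normal logging depends on macro definitions outside the diff. `softInitToken` starts before and continues after this hunk.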