import opencryptoki-3.15.1-5.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:35:31 -04:00 committed by Andrew Lukoshko
parent 58e9493abf
commit 01d210de16
16 changed files with 516 additions and 4083 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/opencryptoki-3.14.0.tar.gz
SOURCES/opencryptoki-3.15.1.tar.gz

View File

@ -1 +1 @@
9ddd1bbe34992707b20b314645fd92d35cb298ef SOURCES/opencryptoki-3.14.0.tar.gz
66baf9c90f144bb273964270a39f23fadd86143d SOURCES/opencryptoki-3.15.1.tar.gz

View File

@ -1,134 +0,0 @@
From 583f0210bb8f371c2071966f27b83c95230d50cc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:09:18 +0200
Subject: [PATCH 1/2] pkcstok_migrate: Fix NVTOK.DAT conversion on little
endian platforms
The new format stores all numeric fields in big endian, while the old
format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 84 ++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 10 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e90a5c91..e0c19125 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -1077,6 +1077,42 @@ static CK_RV load_NVTOK_DAT(const char *data_store, const char *nvtok_name,
goto done;
}
+ if (stbuf.st_size == sizeof(TOKEN_DATA)) {
+ /* The 312 version always uses big endian */
+ td->token_info.flags = be32toh(td->token_info.flags);
+ td->token_info.ulMaxSessionCount
+ = be32toh(td->token_info.ulMaxSessionCount);
+ td->token_info.ulSessionCount
+ = be32toh(td->token_info.ulSessionCount);
+ td->token_info.ulMaxRwSessionCount
+ = be32toh(td->token_info.ulMaxRwSessionCount);
+ td->token_info.ulRwSessionCount
+ = be32toh(td->token_info.ulRwSessionCount);
+ td->token_info.ulMaxPinLen = be32toh(td->token_info.ulMaxPinLen);
+ td->token_info.ulMinPinLen = be32toh(td->token_info.ulMinPinLen);
+ td->token_info.ulTotalPublicMemory
+ = be32toh(td->token_info.ulTotalPublicMemory);
+ td->token_info.ulFreePublicMemory
+ = be32toh(td->token_info.ulFreePublicMemory);
+ td->token_info.ulTotalPrivateMemory
+ = be32toh(td->token_info.ulTotalPrivateMemory);
+ td->token_info.ulFreePrivateMemory
+ = be32toh(td->token_info.ulFreePrivateMemory);
+ td->tweak_vector.allow_weak_des
+ = be32toh(td->tweak_vector.allow_weak_des);
+ td->tweak_vector.check_des_parity
+ = be32toh(td->tweak_vector.check_des_parity);
+ td->tweak_vector.allow_key_mods
+ = be32toh(td->tweak_vector.allow_key_mods);
+ td->tweak_vector.netscape_mods
+ = be32toh(td->tweak_vector.netscape_mods);
+ td->dat.version = be32toh(td->dat.version);
+ td->dat.so_login_it = be64toh(td->dat.so_login_it);
+ td->dat.user_login_it = be64toh(td->dat.user_login_it);
+ td->dat.so_wrap_it = be64toh(td->dat.so_wrap_it);
+ td->dat.user_wrap_it = be64toh(td->dat.user_wrap_it);
+ }
+
ret = CKR_OK;
done:
@@ -1628,6 +1664,7 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
{
const char *nvtok = "NVTOK.DAT_312";
char fname[PATH_MAX + 1 + strlen(nvtok) + 1];
+ TOKEN_DATA be_tokdata;
FILE *fp = NULL;
CK_RV ret;
size_t rc;
@@ -1656,14 +1693,6 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Write old part into NVTOK.DAT_312 */
- rc = fwrite(tokdata, sizeof(TOKEN_DATA_OLD), 1, fp);
- if (rc != 1) {
- TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
- ret = CKR_FUNCTION_FAILED;
- goto done;
- }
-
/* Create additions for new format */
ret = create_TOKEN_DATA_VERSION(sopin, userpin, tokdata);
if (ret != CKR_OK) {
@@ -1671,8 +1700,43 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Append TOKEN_DATA_VERSION to NVTOK.DAT_312 */
- rc = fwrite(&(tokdata->dat), sizeof(TOKEN_DATA_VERSION), 1, fp);
+ /* The 312 version always uses big endian */
+ memcpy(&be_tokdata, tokdata, sizeof(TOKEN_DATA));
+ be_tokdata.token_info.flags = htobe32(tokdata->token_info.flags);
+ be_tokdata.token_info.ulMaxSessionCount
+ = htobe32(tokdata->token_info.ulMaxSessionCount);
+ be_tokdata.token_info.ulSessionCount
+ = htobe32(tokdata->token_info.ulSessionCount);
+ be_tokdata.token_info.ulMaxRwSessionCount
+ = htobe32(tokdata->token_info.ulMaxRwSessionCount);
+ be_tokdata.token_info.ulRwSessionCount
+ = htobe32(tokdata->token_info.ulRwSessionCount);
+ be_tokdata.token_info.ulMaxPinLen = htobe32(tokdata->token_info.ulMaxPinLen);
+ be_tokdata.token_info.ulMinPinLen = htobe32(tokdata->token_info.ulMinPinLen);
+ be_tokdata.token_info.ulTotalPublicMemory
+ = htobe32(tokdata->token_info.ulTotalPublicMemory);
+ be_tokdata.token_info.ulFreePublicMemory
+ = htobe32(tokdata->token_info.ulFreePublicMemory);
+ be_tokdata.token_info.ulTotalPrivateMemory
+ = htobe32(tokdata->token_info.ulTotalPrivateMemory);
+ be_tokdata.token_info.ulFreePrivateMemory
+ = htobe32(tokdata->token_info.ulFreePrivateMemory);
+ be_tokdata.tweak_vector.allow_weak_des
+ = htobe32(tokdata->tweak_vector.allow_weak_des);
+ be_tokdata.tweak_vector.check_des_parity
+ = htobe32(tokdata->tweak_vector.check_des_parity);
+ be_tokdata.tweak_vector.allow_key_mods
+ = htobe32(tokdata->tweak_vector.allow_key_mods);
+ be_tokdata.tweak_vector.netscape_mods
+ = htobe32(tokdata->tweak_vector.netscape_mods);
+ be_tokdata.dat.version = htobe32(tokdata->dat.version);
+ be_tokdata.dat.so_login_it = htobe64(tokdata->dat.so_login_it);
+ be_tokdata.dat.user_login_it = htobe64(tokdata->dat.user_login_it);
+ be_tokdata.dat.so_wrap_it = htobe64(tokdata->dat.so_wrap_it);
+ be_tokdata.dat.user_wrap_it = htobe64(tokdata->dat.user_wrap_it);
+
+ /* Write converted token data into NVTOK.DAT_312 */
+ rc = fwrite(&be_tokdata, sizeof(TOKEN_DATA), 1, fp);
if (rc != 1) {
TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
ret = CKR_FUNCTION_FAILED;
--
2.16.2.windows.1

View File

@ -1,40 +0,0 @@
From 6faa13d83e5166e4bbe97d85935aca779fde9089 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:46:29 +0200
Subject: [PATCH 2/2] pkcstok_migrate: Fix private token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e0c19125..0148102c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -239,7 +239,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
/* Setup header */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x01;
ret = aes_256_wrap(header.key_wrapped, obj_key, masterkey);
if (ret != CKR_OK) {
@@ -252,7 +252,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
header.iv[9] = 0;
header.iv[10] = 0;
header.iv[11] = 1;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, HEADER_LEN);
/* Encrypt body */
--
2.16.2.windows.1

View File

@ -1,34 +0,0 @@
From c090136338b585370df6a8e29518f9e55d388fe5 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:34 +0200
Subject: [PATCH 3/5] pkcstok_migrate: Fix public token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 0148102c..136c010c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -103,9 +103,9 @@ static CK_RV make_OBJECT_PUB_312(char **obj_new, unsigned int *obj_new_len,
/* Setup object */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x00;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, sizeof(header));
memcpy(object + sizeof(header), clear, clear_len);
--
2.16.2.windows.1

View File

@ -1,93 +0,0 @@
From d1dbc25c6f424a12860295008991cd1392c888a8 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 09:56:31 +0200
Subject: [PATCH 4/5] pkcstok_migrate: Remove the token's shared memory segment
After successfully migration, remove the tokens shared memory segment.
This will be re-created on the first use of the token.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 38 +++++++++++++++++++++++++++++
usr/sbin/pkcstok_migrate/pkcstok_migrate.mk | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 136c010c..46e5e57f 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -31,6 +31,7 @@
#include <termios.h>
#include <unistd.h>
#include <dirent.h>
+#include <sys/mman.h>
#include <pkcs11types.h>
#include "sw_crypt.h"
@@ -2108,6 +2109,36 @@ done:
}
+/**
+ * Removes the token_s shared memory from /dev/shm
+ */
+static CK_RV remove_shared_memory(char *location)
+{
+ char shm_name[PATH_MAX];
+ int i, k, rc;
+
+ i = k = 0;
+ shm_name[k++] = '/';
+ if (location[i] == '/')
+ i++;
+
+ for (; location[i]; i++, k++) {
+ if (location[i] == '/')
+ shm_name[k] = '.';
+ else
+ shm_name[k] = location[i];
+ }
+ shm_name[k] = '\0';
+
+ rc = shm_unlink(shm_name);
+ if (rc != 0) {
+ warnx("shm_unlink(%s) failed, errno=%s", shm_name, strerror(errno));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
/**
* Copy a file given by name from a src folder to a dst folder.
*/
@@ -2718,6 +2749,13 @@ int main(int argc, char **argv)
goto done;
}
+ /* Remove the token's shared memory */
+ ret = remove_shared_memory(data_store);
+ if (ret != CKR_OK) {
+ warnx("Failed to remove token's shared memory.");
+ goto done;
+ }
+
/* Now insert new 'tokversion=3.12' parm in opencryptoki.conf */
ret = update_opencryptoki_conf(slot_id, conf_dir);
if (ret != CKR_OK) {
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
index dc4582e5..028a383e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
@@ -6,7 +6,7 @@ noinst_HEADERS += usr/include/local_types.h
noinst_HEADERS += usr/lib/common/h_extern.h
noinst_HEADERS += usr/lib/common/pkcs_utils.h
-usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl
+usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl -lrt
usr_sbin_pkcstok_migrate_pkcstok_migrate_CFLAGS = \
-DSTDLL_NAME=\"pkcstok_migrate\" \
--
2.16.2.windows.1

View File

@ -1,107 +0,0 @@
From 6850ae623f9d36b70f1d2919c8390a4b14d393a1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:01 +0200
Subject: [PATCH 5/5] Fix storing of public token objects in new data format
The tokversion and object length field are supposed to be stored
in big endian (BE) on all platforms. This was not the case for public
token objects.
Fix this by always storing it in BE, and add logic to the read routines
to automatically detect if the fields are in the expected byte order,
or not, and handle them accordingly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/common/loadsave.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index 068fdf36..b76dea9f 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2557,6 +2557,7 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG size_64;
CK_RV rc;
uint32_t len;
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return reload_token_object_old(tokdata, obj);
@@ -2580,9 +2581,18 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&len, header + 60, 4);
- size = be32toh(len);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also.
+ */
+ if (ver == TOK_NEW_DATA_STORE)
+ size = len;
+ else
+ size = be32toh(len);
buf = (CK_BYTE *) malloc(size);
if (buf == NULL) {
@@ -2647,8 +2657,9 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG clear_len;
CK_BBOOL flag = FALSE;
CK_RV rc;
- CK_ULONG_32 len;
+ CK_ULONG_32 len, be_len;
unsigned char reserved[7] = {0};
+ uint32_t tmp;
if (tokdata->version < TOK_NEW_DATA_STORE)
return save_public_token_object_old(tokdata, obj);
@@ -2669,11 +2680,14 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ tmp = htobe32(tokdata->version);
+ be_len = htobe32(len);
+
set_perm(fileno(fp));
- if (fwrite(&tokdata->version, 4, 1, fp) != 1
+ if (fwrite(&tmp, 4, 1, fp) != 1
|| fwrite(&flag, 1, 1, fp) != 1
|| fwrite(reserved, 7, 1, fp) != 1
- || fwrite(&len, 4, 1, fp) != 1
+ || fwrite(&be_len, 4, 1, fp) != 1
|| fwrite(clear, len, 1, fp) != 1) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -2704,6 +2718,7 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
CK_BBOOL priv;
CK_ULONG_32 size;
unsigned char header[PUB_HEADER_LEN];
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return load_public_token_objects_old(tokdata);
@@ -2731,9 +2746,16 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&size, header + 12, 4);
- size = be32toh(size);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also
+ */
+ if (ver != TOK_NEW_DATA_STORE)
+ size = be32toh(size);
if (priv == TRUE) {
fclose(fp2);
--
2.16.2.windows.1

View File

@ -1,63 +0,0 @@
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
@@ -57,7 +57,7 @@ void openssl_print_errors()
}
#endif
-RSA *openssl_gen_key()
+RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
{
RSA *rsa;
int rc, counter = 0;
@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
BIGNUM *bne;
#endif
- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
+ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
TSS_HTPM hTPM;
BYTE *random_bytes = NULL;
- UNUSED(tokdata);
-
rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
if (rc) {
TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
@@ -56,7 +56,7 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key();
+RSA *openssl_gen_key(STDLL_TokData_t *);
int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,

View File

@ -1,22 +0,0 @@
commit a94436937b6364c53219fb3c7922439f403e8d5e
Author: Harald Freudenberger <freude@linux.ibm.com>
Date: Wed May 27 07:30:33 2020 +0200
Fix missing entries for p11sak tool in template spec file
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
index fa4b9899..ae563406 100644
--- a/rpm/opencryptoki.spec
+++ b/rpm/opencryptoki.spec
@@ -238,7 +238,9 @@ exit 0
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
+%{_sbindir}/p11sak
%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/p11sak.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*

View File

@ -0,0 +1,285 @@
commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Feb 9 16:22:51 2021 +0100
SOFT: Fix problem with C_Get/SetOperationState and digest contexts
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
was set to 1.
This hinders C_Get/SetOperationState to correctly save and restore the digest
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
C_SetOperationState also can't restore the digest state, leaving a subsequent
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
produces a segfault.
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 0b28daa8..a836efa9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
}
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
- CK_MECHANISM *mech)
+#ifdef OLDER_OPENSSL
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
+#endif
+
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
{
const EVP_MD *md = NULL;
- UNUSED(tokdata);
-
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
-#else
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
-#endif
- if (ctx->context == NULL) {
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- return CKR_HOST_MEMORY;
- }
-
switch (mech->mechanism) {
case CKM_SHA_1:
md = EVP_sha1();
@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
break;
}
+ return md;
+}
+
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *md_ctx;
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ md_ctx = EVP_MD_CTX_create();
+#else
+ md_ctx = EVP_MD_CTX_new();
+#endif
+ if (md_ctx == NULL)
+ return NULL;
+
+ md = md_from_mech(&ctx->mech);
if (md == NULL ||
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
- ctx->context = NULL;
- ctx->context_len = 0;
+ return NULL;
+ }
- return CKR_FUNCTION_FAILED;
+ if (ctx->context_len == 0) {
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
+ ctx->context = malloc(ctx->context_len);
+ if (ctx->context == NULL) {
+ TRACE_ERROR("malloc failed\n");
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+ #else
+ EVP_MD_CTX_free(md_ctx);
+ #endif
+ ctx->context_len = 0;
+ return NULL;
+ }
+
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+ } else {
+ if (ctx->context_len !=
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
+ TRACE_ERROR("context size mismatcht\n");
+ return NULL;
+ }
+ /* restore the MD context data */
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
}
+ return md_ctx;
+}
+
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ CK_MECHANISM *mech)
+{
+ EVP_MD_CTX *md_ctx;
+
+ UNUSED(tokdata);
+
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
+ ctx->mech.mechanism = mech->mechanism;
+
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data || !out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
@@ -3229,6 +3295,8 @@ out:
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
CK_BYTE *in_data, CK_ULONG in_data_len)
{
+ EVP_MD_CTX *md_ctx;
+
UNUSED(tokdata);
if (!ctx || !ctx->context)
@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data)
return CKR_ARGUMENTS_BAD;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
return CKR_FUNCTION_FAILED;
}
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;

View File

@ -0,0 +1,118 @@
diff -up opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c
--- opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig 2020-11-26 13:25:41.679655774 +0100
+++ opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c 2020-11-26 13:26:00.170892352 +0100
@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user
while (1){
nread = getline(user_input, &buflen, stdin);
if (nread == -1) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
- rc = -1;
- return rc;
+ printf("User input: EOF\n");
+ return CKR_CANCEL;
}
if (user_input_ok(*user_input)) {
@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user
return rc;
}
-
static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
- CK_OBJECT_HANDLE *hkey)
+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
{
char *user_input = NULL;
CK_RV rc = CKR_OK;
rc = confirm_destroy(&user_input, label);
if (rc != CKR_OK) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
+ rc = CKR_CANCEL;
goto done;
}
@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(cha
label, rc, p11_get_ckr(rc));
goto done;
}
+ *boolDestroyFlag = CK_TRUE;
printf("DONE - Destroy Object with Label: %s\n", label);
} else if (strncmp(user_input, "n", 1) == 0) {
printf("Skip deleting Key\n");
+ *boolDestroyFlag = CK_FALSE;
} else {
printf("Please just enter (y) for yes or (n) for no.\n");
}
@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDL
CK_OBJECT_HANDLE hkey;
char *keytype = NULL;
char *label = NULL;
+ CK_BBOOL boolDestroyFlag = CK_FALSE;
+ CK_BBOOL boolSkipFlag = CK_FALSE;
CK_RV rc = CKR_OK;
rc = tok_key_list_init(session, kt, label);
@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDL
if (*forceAll) {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
printf("Destroy Object with Label: %s\n", label);
+
rc = funcs->C_DestroyObject(session, hkey);
if (rc != CKR_OK) {
printf(
@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDL
label, rc, p11_get_ckr(rc));
goto done;
}
- printf("DONE - Destroy Object with Label: %s\n", label);
+ boolDestroyFlag = CK_TRUE;
}
} else {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
- rc = finalize_destroy_object(label, &session, &hkey);
+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
if (rc != CKR_OK) {
goto done;
}
+
+ if (!boolDestroyFlag) {
+ boolSkipFlag = CK_TRUE;
+ }
}
}
@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDL
done:
+ if (strlen(rm_label) > 0) {
+ if (boolDestroyFlag) {
+ printf("Object with Label: %s found and destroyed \n", rm_label);
+ } else if (boolSkipFlag) {
+ printf("Object with Label: %s not deleted\n", rm_label);
+ } else if (rc == CKR_OK) {
+ printf("Object with Label: %s not found\n", rm_label);
+ }
+ }
+
if (rc != CKR_OK) {
free(label);
free(keytype);
@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
/* Execute command */
rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
label, attr_string, long_print, &forceAll);
- if (rc != CKR_OK) {
- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
+ if (rc == CKR_CANCEL) {
+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
+ p11_get_ckr(rc));
+ } else if (rc != CKR_OK) {
+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
p11_get_ckr(rc));
goto done;
}

View File

@ -0,0 +1,42 @@
From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Tue, 19 Jan 2021 14:29:57 +0100
Subject: [PATCH] A slot ID has nothing to do with the number of slots
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
usr/sbin/pkcscca/pkcscca.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index f268f1be..d0bb3160 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
{
CK_FUNCTION_LIST *funcs;
CK_KEY_TYPE key_type = 0;
- CK_ULONG slot_count;
CK_SESSION_HANDLE sess;
CK_RV rv;
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
return 2;
}
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
- if (rv != CKR_OK) {
- p11_error("C_GetSlotList", rv);
- exit_code = 3;
- goto finalize;
- }
-
- if (slot_id >= slot_count) {
- print_error("%lu is not a valid slot ID.", slot_id);
- exit_code = 4;
- goto finalize;
- }
-
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
if (rv != CKR_OK) {

View File

@ -0,0 +1,13 @@
diff -up opencryptoki-3.15.1/usr/include/pkcs11types.h.me opencryptoki-3.15.1/usr/include/pkcs11types.h
--- opencryptoki-3.15.1/usr/include/pkcs11types.h.me 2020-11-26 18:33:58.707979547 +0100
+++ opencryptoki-3.15.1/usr/include/pkcs11types.h 2020-11-26 18:35:22.428095872 +0100
@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
diff -up opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c.me opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c

View File

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: libopencryptoki.so

View File

@ -1,27 +1,26 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.14.0
Version: 3.15.1
Release: 5%{?dist}
License: CPL
Group: System Environment/Base
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
Patch0: opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
# bz#1780293, fix regression, segfault in C_SetPin
Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
# Fix missing entries for p11sak tool in template spec file
Patch3: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
# bz#1780294, PIN conversion tool
Patch4: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
# bz#1853420, endian issue
Patch5: 0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch
Patch6: 0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch
Patch7: 0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch
Patch8: 0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch
Patch9: 0005-Fix-storing-of-public-token-objects-in-new-data-form.patch
# upstream fixes
# https://github.com/opencryptoki/opencryptoki/commit/eef7049ce857ee5d5ec64e369a10e05e8bb5c4dd
Patch2: opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
Patch3: opencryptoki-3.15.1-fix_compiling_with_c++.patch
# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
Requires(pre): coreutils
BuildRequires: gcc
BuildRequires: openssl-devel
@ -204,6 +203,7 @@ make %{?_smp_mflags} CHGRP=/bin/true
%install
make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
# Remove unwanted cruft
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
@ -286,6 +286,10 @@ fi
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%files devel
%{_includedir}/%{name}/
@ -342,6 +346,37 @@ fi
%changelog
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Resolves: #1902022
Fix compiling with c++
Added error message handling for p11sak remove-key command
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Related: #1847433, Added error message handling for p11sak remove-key command
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Related: #1847433
upstream fixes:
- Free generated key in all error cases
- CCA: Zeroize key buffer to avoid CCA 8/32 error
- Do not delete the map-btree entry if destroying an object is not allowed
- Remove now unused header timeb.h
- TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
- Fix buffer overrun in C_CopyObject
- TPM: Fix double free in openssl_gen_key
* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
- Resolves: #1847433, rebase to 3.15.0
- Resolves: #1851105, PKCS #11 3.0 - baseline provider support
- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
- Resolves: #1851109, openCryptoki key management tool: key deletion function
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
- Related: #1853420, more fixes