import opencryptoki-3.15.1-5.el8
This commit is contained in:
parent
58e9493abf
commit
01d210de16
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/opencryptoki-3.14.0.tar.gz
|
SOURCES/opencryptoki-3.15.1.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
9ddd1bbe34992707b20b314645fd92d35cb298ef SOURCES/opencryptoki-3.14.0.tar.gz
|
66baf9c90f144bb273964270a39f23fadd86143d SOURCES/opencryptoki-3.15.1.tar.gz
|
||||||
|
@ -1,134 +0,0 @@
|
|||||||
From 583f0210bb8f371c2071966f27b83c95230d50cc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Thu, 2 Jul 2020 14:09:18 +0200
|
|
||||||
Subject: [PATCH 1/2] pkcstok_migrate: Fix NVTOK.DAT conversion on little
|
|
||||||
endian platforms
|
|
||||||
|
|
||||||
The new format stores all numeric fields in big endian, while the old
|
|
||||||
format uses the platform endianness. So convert the fields to big endian
|
|
||||||
during conversion.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 84 ++++++++++++++++++++++++++----
|
|
||||||
1 file changed, 74 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
index e90a5c91..e0c19125 100644
|
|
||||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
@@ -1077,6 +1077,42 @@ static CK_RV load_NVTOK_DAT(const char *data_store, const char *nvtok_name,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (stbuf.st_size == sizeof(TOKEN_DATA)) {
|
|
||||||
+ /* The 312 version always uses big endian */
|
|
||||||
+ td->token_info.flags = be32toh(td->token_info.flags);
|
|
||||||
+ td->token_info.ulMaxSessionCount
|
|
||||||
+ = be32toh(td->token_info.ulMaxSessionCount);
|
|
||||||
+ td->token_info.ulSessionCount
|
|
||||||
+ = be32toh(td->token_info.ulSessionCount);
|
|
||||||
+ td->token_info.ulMaxRwSessionCount
|
|
||||||
+ = be32toh(td->token_info.ulMaxRwSessionCount);
|
|
||||||
+ td->token_info.ulRwSessionCount
|
|
||||||
+ = be32toh(td->token_info.ulRwSessionCount);
|
|
||||||
+ td->token_info.ulMaxPinLen = be32toh(td->token_info.ulMaxPinLen);
|
|
||||||
+ td->token_info.ulMinPinLen = be32toh(td->token_info.ulMinPinLen);
|
|
||||||
+ td->token_info.ulTotalPublicMemory
|
|
||||||
+ = be32toh(td->token_info.ulTotalPublicMemory);
|
|
||||||
+ td->token_info.ulFreePublicMemory
|
|
||||||
+ = be32toh(td->token_info.ulFreePublicMemory);
|
|
||||||
+ td->token_info.ulTotalPrivateMemory
|
|
||||||
+ = be32toh(td->token_info.ulTotalPrivateMemory);
|
|
||||||
+ td->token_info.ulFreePrivateMemory
|
|
||||||
+ = be32toh(td->token_info.ulFreePrivateMemory);
|
|
||||||
+ td->tweak_vector.allow_weak_des
|
|
||||||
+ = be32toh(td->tweak_vector.allow_weak_des);
|
|
||||||
+ td->tweak_vector.check_des_parity
|
|
||||||
+ = be32toh(td->tweak_vector.check_des_parity);
|
|
||||||
+ td->tweak_vector.allow_key_mods
|
|
||||||
+ = be32toh(td->tweak_vector.allow_key_mods);
|
|
||||||
+ td->tweak_vector.netscape_mods
|
|
||||||
+ = be32toh(td->tweak_vector.netscape_mods);
|
|
||||||
+ td->dat.version = be32toh(td->dat.version);
|
|
||||||
+ td->dat.so_login_it = be64toh(td->dat.so_login_it);
|
|
||||||
+ td->dat.user_login_it = be64toh(td->dat.user_login_it);
|
|
||||||
+ td->dat.so_wrap_it = be64toh(td->dat.so_wrap_it);
|
|
||||||
+ td->dat.user_wrap_it = be64toh(td->dat.user_wrap_it);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = CKR_OK;
|
|
||||||
|
|
||||||
done:
|
|
||||||
@@ -1628,6 +1664,7 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
|
|
||||||
{
|
|
||||||
const char *nvtok = "NVTOK.DAT_312";
|
|
||||||
char fname[PATH_MAX + 1 + strlen(nvtok) + 1];
|
|
||||||
+ TOKEN_DATA be_tokdata;
|
|
||||||
FILE *fp = NULL;
|
|
||||||
CK_RV ret;
|
|
||||||
size_t rc;
|
|
||||||
@@ -1656,14 +1693,6 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Write old part into NVTOK.DAT_312 */
|
|
||||||
- rc = fwrite(tokdata, sizeof(TOKEN_DATA_OLD), 1, fp);
|
|
||||||
- if (rc != 1) {
|
|
||||||
- TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
|
|
||||||
- ret = CKR_FUNCTION_FAILED;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
/* Create additions for new format */
|
|
||||||
ret = create_TOKEN_DATA_VERSION(sopin, userpin, tokdata);
|
|
||||||
if (ret != CKR_OK) {
|
|
||||||
@@ -1671,8 +1700,43 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Append TOKEN_DATA_VERSION to NVTOK.DAT_312 */
|
|
||||||
- rc = fwrite(&(tokdata->dat), sizeof(TOKEN_DATA_VERSION), 1, fp);
|
|
||||||
+ /* The 312 version always uses big endian */
|
|
||||||
+ memcpy(&be_tokdata, tokdata, sizeof(TOKEN_DATA));
|
|
||||||
+ be_tokdata.token_info.flags = htobe32(tokdata->token_info.flags);
|
|
||||||
+ be_tokdata.token_info.ulMaxSessionCount
|
|
||||||
+ = htobe32(tokdata->token_info.ulMaxSessionCount);
|
|
||||||
+ be_tokdata.token_info.ulSessionCount
|
|
||||||
+ = htobe32(tokdata->token_info.ulSessionCount);
|
|
||||||
+ be_tokdata.token_info.ulMaxRwSessionCount
|
|
||||||
+ = htobe32(tokdata->token_info.ulMaxRwSessionCount);
|
|
||||||
+ be_tokdata.token_info.ulRwSessionCount
|
|
||||||
+ = htobe32(tokdata->token_info.ulRwSessionCount);
|
|
||||||
+ be_tokdata.token_info.ulMaxPinLen = htobe32(tokdata->token_info.ulMaxPinLen);
|
|
||||||
+ be_tokdata.token_info.ulMinPinLen = htobe32(tokdata->token_info.ulMinPinLen);
|
|
||||||
+ be_tokdata.token_info.ulTotalPublicMemory
|
|
||||||
+ = htobe32(tokdata->token_info.ulTotalPublicMemory);
|
|
||||||
+ be_tokdata.token_info.ulFreePublicMemory
|
|
||||||
+ = htobe32(tokdata->token_info.ulFreePublicMemory);
|
|
||||||
+ be_tokdata.token_info.ulTotalPrivateMemory
|
|
||||||
+ = htobe32(tokdata->token_info.ulTotalPrivateMemory);
|
|
||||||
+ be_tokdata.token_info.ulFreePrivateMemory
|
|
||||||
+ = htobe32(tokdata->token_info.ulFreePrivateMemory);
|
|
||||||
+ be_tokdata.tweak_vector.allow_weak_des
|
|
||||||
+ = htobe32(tokdata->tweak_vector.allow_weak_des);
|
|
||||||
+ be_tokdata.tweak_vector.check_des_parity
|
|
||||||
+ = htobe32(tokdata->tweak_vector.check_des_parity);
|
|
||||||
+ be_tokdata.tweak_vector.allow_key_mods
|
|
||||||
+ = htobe32(tokdata->tweak_vector.allow_key_mods);
|
|
||||||
+ be_tokdata.tweak_vector.netscape_mods
|
|
||||||
+ = htobe32(tokdata->tweak_vector.netscape_mods);
|
|
||||||
+ be_tokdata.dat.version = htobe32(tokdata->dat.version);
|
|
||||||
+ be_tokdata.dat.so_login_it = htobe64(tokdata->dat.so_login_it);
|
|
||||||
+ be_tokdata.dat.user_login_it = htobe64(tokdata->dat.user_login_it);
|
|
||||||
+ be_tokdata.dat.so_wrap_it = htobe64(tokdata->dat.so_wrap_it);
|
|
||||||
+ be_tokdata.dat.user_wrap_it = htobe64(tokdata->dat.user_wrap_it);
|
|
||||||
+
|
|
||||||
+ /* Write converted token data into NVTOK.DAT_312 */
|
|
||||||
+ rc = fwrite(&be_tokdata, sizeof(TOKEN_DATA), 1, fp);
|
|
||||||
if (rc != 1) {
|
|
||||||
TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
|
|
||||||
ret = CKR_FUNCTION_FAILED;
|
|
||||||
--
|
|
||||||
2.16.2.windows.1
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From 6faa13d83e5166e4bbe97d85935aca779fde9089 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Thu, 2 Jul 2020 14:46:29 +0200
|
|
||||||
Subject: [PATCH 2/2] pkcstok_migrate: Fix private token object conversion on
|
|
||||||
little endian platforms
|
|
||||||
|
|
||||||
The new format stores numeric fields in the object header in big endian, while
|
|
||||||
the old format uses the platform endianness. So convert the fields to big endian
|
|
||||||
during conversion.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
index e0c19125..0148102c 100644
|
|
||||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
@@ -239,7 +239,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
|
|
||||||
|
|
||||||
/* Setup header */
|
|
||||||
memset(&header, 0, sizeof(header));
|
|
||||||
- header.tokversion = 0x0003000C;
|
|
||||||
+ header.tokversion = htobe32(0x0003000C);
|
|
||||||
header.private_flag = 0x01;
|
|
||||||
ret = aes_256_wrap(header.key_wrapped, obj_key, masterkey);
|
|
||||||
if (ret != CKR_OK) {
|
|
||||||
@@ -252,7 +252,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
|
|
||||||
header.iv[9] = 0;
|
|
||||||
header.iv[10] = 0;
|
|
||||||
header.iv[11] = 1;
|
|
||||||
- header.object_len = clear_len;
|
|
||||||
+ header.object_len = htobe32(clear_len);
|
|
||||||
memcpy(object, &header, HEADER_LEN);
|
|
||||||
|
|
||||||
/* Encrypt body */
|
|
||||||
--
|
|
||||||
2.16.2.windows.1
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From c090136338b585370df6a8e29518f9e55d388fe5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 6 Jul 2020 13:16:34 +0200
|
|
||||||
Subject: [PATCH 3/5] pkcstok_migrate: Fix public token object conversion on
|
|
||||||
little endian platforms
|
|
||||||
|
|
||||||
The new format stores numeric fields in the object header in big endian, while
|
|
||||||
the old format uses the platform endianness. So convert the fields to big endian
|
|
||||||
during conversion.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
index 0148102c..136c010c 100644
|
|
||||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
@@ -103,9 +103,9 @@ static CK_RV make_OBJECT_PUB_312(char **obj_new, unsigned int *obj_new_len,
|
|
||||||
|
|
||||||
/* Setup object */
|
|
||||||
memset(&header, 0, sizeof(header));
|
|
||||||
- header.tokversion = 0x0003000C;
|
|
||||||
+ header.tokversion = htobe32(0x0003000C);
|
|
||||||
header.private_flag = 0x00;
|
|
||||||
- header.object_len = clear_len;
|
|
||||||
+ header.object_len = htobe32(clear_len);
|
|
||||||
memcpy(object, &header, sizeof(header));
|
|
||||||
memcpy(object + sizeof(header), clear, clear_len);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.16.2.windows.1
|
|
||||||
|
|
@ -1,93 +0,0 @@
|
|||||||
From d1dbc25c6f424a12860295008991cd1392c888a8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 6 Jul 2020 09:56:31 +0200
|
|
||||||
Subject: [PATCH 4/5] pkcstok_migrate: Remove the token's shared memory segment
|
|
||||||
|
|
||||||
After successfully migration, remove the tokens shared memory segment.
|
|
||||||
This will be re-created on the first use of the token.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 38 +++++++++++++++++++++++++++++
|
|
||||||
usr/sbin/pkcstok_migrate/pkcstok_migrate.mk | 2 +-
|
|
||||||
2 files changed, 39 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
index 136c010c..46e5e57f 100644
|
|
||||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
|
||||||
@@ -31,6 +31,7 @@
|
|
||||||
#include <termios.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <dirent.h>
|
|
||||||
+#include <sys/mman.h>
|
|
||||||
#include <pkcs11types.h>
|
|
||||||
|
|
||||||
#include "sw_crypt.h"
|
|
||||||
@@ -2108,6 +2109,36 @@ done:
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Removes the token_s shared memory from /dev/shm
|
|
||||||
+ */
|
|
||||||
+static CK_RV remove_shared_memory(char *location)
|
|
||||||
+{
|
|
||||||
+ char shm_name[PATH_MAX];
|
|
||||||
+ int i, k, rc;
|
|
||||||
+
|
|
||||||
+ i = k = 0;
|
|
||||||
+ shm_name[k++] = '/';
|
|
||||||
+ if (location[i] == '/')
|
|
||||||
+ i++;
|
|
||||||
+
|
|
||||||
+ for (; location[i]; i++, k++) {
|
|
||||||
+ if (location[i] == '/')
|
|
||||||
+ shm_name[k] = '.';
|
|
||||||
+ else
|
|
||||||
+ shm_name[k] = location[i];
|
|
||||||
+ }
|
|
||||||
+ shm_name[k] = '\0';
|
|
||||||
+
|
|
||||||
+ rc = shm_unlink(shm_name);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ warnx("shm_unlink(%s) failed, errno=%s", shm_name, strerror(errno));
|
|
||||||
+ return CKR_FUNCTION_FAILED;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return CKR_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Copy a file given by name from a src folder to a dst folder.
|
|
||||||
*/
|
|
||||||
@@ -2718,6 +2749,13 @@ int main(int argc, char **argv)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Remove the token's shared memory */
|
|
||||||
+ ret = remove_shared_memory(data_store);
|
|
||||||
+ if (ret != CKR_OK) {
|
|
||||||
+ warnx("Failed to remove token's shared memory.");
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Now insert new 'tokversion=3.12' parm in opencryptoki.conf */
|
|
||||||
ret = update_opencryptoki_conf(slot_id, conf_dir);
|
|
||||||
if (ret != CKR_OK) {
|
|
||||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
|
|
||||||
index dc4582e5..028a383e 100644
|
|
||||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
|
|
||||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
|
|
||||||
@@ -6,7 +6,7 @@ noinst_HEADERS += usr/include/local_types.h
|
|
||||||
noinst_HEADERS += usr/lib/common/h_extern.h
|
|
||||||
noinst_HEADERS += usr/lib/common/pkcs_utils.h
|
|
||||||
|
|
||||||
-usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl
|
|
||||||
+usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl -lrt
|
|
||||||
|
|
||||||
usr_sbin_pkcstok_migrate_pkcstok_migrate_CFLAGS = \
|
|
||||||
-DSTDLL_NAME=\"pkcstok_migrate\" \
|
|
||||||
--
|
|
||||||
2.16.2.windows.1
|
|
||||||
|
|
@ -1,107 +0,0 @@
|
|||||||
From 6850ae623f9d36b70f1d2919c8390a4b14d393a1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 6 Jul 2020 13:16:01 +0200
|
|
||||||
Subject: [PATCH 5/5] Fix storing of public token objects in new data format
|
|
||||||
|
|
||||||
The tokversion and object length field are supposed to be stored
|
|
||||||
in big endian (BE) on all platforms. This was not the case for public
|
|
||||||
token objects.
|
|
||||||
|
|
||||||
Fix this by always storing it in BE, and add logic to the read routines
|
|
||||||
to automatically detect if the fields are in the expected byte order,
|
|
||||||
or not, and handle them accordingly.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
---
|
|
||||||
usr/lib/common/loadsave.c | 32 +++++++++++++++++++++++++++-----
|
|
||||||
1 file changed, 27 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
|
|
||||||
index 068fdf36..b76dea9f 100644
|
|
||||||
--- a/usr/lib/common/loadsave.c
|
|
||||||
+++ b/usr/lib/common/loadsave.c
|
|
||||||
@@ -2557,6 +2557,7 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
|
|
||||||
CK_ULONG size_64;
|
|
||||||
CK_RV rc;
|
|
||||||
uint32_t len;
|
|
||||||
+ uint32_t ver;
|
|
||||||
|
|
||||||
if (tokdata->version < TOK_NEW_DATA_STORE)
|
|
||||||
return reload_token_object_old(tokdata, obj);
|
|
||||||
@@ -2580,9 +2581,18 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memcpy(&ver, header, 4);
|
|
||||||
memcpy(&priv, header + 4, 1);
|
|
||||||
memcpy(&len, header + 60, 4);
|
|
||||||
- size = be32toh(len);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
|
|
||||||
+ * version field is in platform endianness, keep size as is also.
|
|
||||||
+ */
|
|
||||||
+ if (ver == TOK_NEW_DATA_STORE)
|
|
||||||
+ size = len;
|
|
||||||
+ else
|
|
||||||
+ size = be32toh(len);
|
|
||||||
|
|
||||||
buf = (CK_BYTE *) malloc(size);
|
|
||||||
if (buf == NULL) {
|
|
||||||
@@ -2647,8 +2657,9 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
|
|
||||||
CK_ULONG clear_len;
|
|
||||||
CK_BBOOL flag = FALSE;
|
|
||||||
CK_RV rc;
|
|
||||||
- CK_ULONG_32 len;
|
|
||||||
+ CK_ULONG_32 len, be_len;
|
|
||||||
unsigned char reserved[7] = {0};
|
|
||||||
+ uint32_t tmp;
|
|
||||||
|
|
||||||
if (tokdata->version < TOK_NEW_DATA_STORE)
|
|
||||||
return save_public_token_object_old(tokdata, obj);
|
|
||||||
@@ -2669,11 +2680,14 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ tmp = htobe32(tokdata->version);
|
|
||||||
+ be_len = htobe32(len);
|
|
||||||
+
|
|
||||||
set_perm(fileno(fp));
|
|
||||||
- if (fwrite(&tokdata->version, 4, 1, fp) != 1
|
|
||||||
+ if (fwrite(&tmp, 4, 1, fp) != 1
|
|
||||||
|| fwrite(&flag, 1, 1, fp) != 1
|
|
||||||
|| fwrite(reserved, 7, 1, fp) != 1
|
|
||||||
- || fwrite(&len, 4, 1, fp) != 1
|
|
||||||
+ || fwrite(&be_len, 4, 1, fp) != 1
|
|
||||||
|| fwrite(clear, len, 1, fp) != 1) {
|
|
||||||
rc = CKR_FUNCTION_FAILED;
|
|
||||||
goto done;
|
|
||||||
@@ -2704,6 +2718,7 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
|
|
||||||
CK_BBOOL priv;
|
|
||||||
CK_ULONG_32 size;
|
|
||||||
unsigned char header[PUB_HEADER_LEN];
|
|
||||||
+ uint32_t ver;
|
|
||||||
|
|
||||||
if (tokdata->version < TOK_NEW_DATA_STORE)
|
|
||||||
return load_public_token_objects_old(tokdata);
|
|
||||||
@@ -2731,9 +2746,16 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memcpy(&ver, header, 4);
|
|
||||||
memcpy(&priv, header + 4, 1);
|
|
||||||
memcpy(&size, header + 12, 4);
|
|
||||||
- size = be32toh(size);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
|
|
||||||
+ * version field is in platform endianness, keep size as is also
|
|
||||||
+ */
|
|
||||||
+ if (ver != TOK_NEW_DATA_STORE)
|
|
||||||
+ size = be32toh(size);
|
|
||||||
|
|
||||||
if (priv == TRUE) {
|
|
||||||
fclose(fp2);
|
|
||||||
--
|
|
||||||
2.16.2.windows.1
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -1,63 +0,0 @@
|
|||||||
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
|
|
||||||
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
|
|
||||||
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
|
|
||||||
@@ -57,7 +57,7 @@ void openssl_print_errors()
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-RSA *openssl_gen_key()
|
|
||||||
+RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
|
|
||||||
{
|
|
||||||
RSA *rsa;
|
|
||||||
int rc, counter = 0;
|
|
||||||
@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
|
|
||||||
BIGNUM *bne;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
|
|
||||||
+ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
|
|
||||||
RAND_seed(buf, 32);
|
|
||||||
|
|
||||||
regen_rsa_key:
|
|
||||||
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
|
|
||||||
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
|
|
||||||
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
|
|
||||||
@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
|
|
||||||
TSS_HTPM hTPM;
|
|
||||||
BYTE *random_bytes = NULL;
|
|
||||||
|
|
||||||
- UNUSED(tokdata);
|
|
||||||
-
|
|
||||||
rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
|
|
||||||
if (rc) {
|
|
||||||
TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
|
|
||||||
@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
|
|
||||||
unsigned char n[256], p[256];
|
|
||||||
|
|
||||||
/* all sw generated keys are 2048 bits */
|
|
||||||
- if ((rsa = openssl_gen_key()) == NULL)
|
|
||||||
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
|
||||||
return CKR_HOST_MEMORY;
|
|
||||||
|
|
||||||
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
|
||||||
@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
|
|
||||||
unsigned char n[256], p[256];
|
|
||||||
|
|
||||||
/* all sw generated keys are 2048 bits */
|
|
||||||
- if ((rsa = openssl_gen_key()) == NULL)
|
|
||||||
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
|
||||||
return CKR_HOST_MEMORY;
|
|
||||||
|
|
||||||
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
|
||||||
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
|
|
||||||
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
|
|
||||||
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
|
|
||||||
@@ -56,7 +56,7 @@
|
|
||||||
/* retry count for generating software RSA keys */
|
|
||||||
#define KEYGEN_RETRY 5
|
|
||||||
|
|
||||||
-RSA *openssl_gen_key();
|
|
||||||
+RSA *openssl_gen_key(STDLL_TokData_t *);
|
|
||||||
int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
|
|
||||||
CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
|
|
||||||
int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
|
|
@ -1,22 +0,0 @@
|
|||||||
commit a94436937b6364c53219fb3c7922439f403e8d5e
|
|
||||||
Author: Harald Freudenberger <freude@linux.ibm.com>
|
|
||||||
Date: Wed May 27 07:30:33 2020 +0200
|
|
||||||
|
|
||||||
Fix missing entries for p11sak tool in template spec file
|
|
||||||
|
|
||||||
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
|
|
||||||
|
|
||||||
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
|
|
||||||
index fa4b9899..ae563406 100644
|
|
||||||
--- a/rpm/opencryptoki.spec
|
|
||||||
+++ b/rpm/opencryptoki.spec
|
|
||||||
@@ -238,7 +238,9 @@ exit 0
|
|
||||||
%{_unitdir}/pkcsslotd.service
|
|
||||||
%{_sbindir}/pkcsconf
|
|
||||||
%{_sbindir}/pkcsslotd
|
|
||||||
+%{_sbindir}/p11sak
|
|
||||||
%{_mandir}/man1/pkcsconf.1*
|
|
||||||
+%{_mandir}/man1/p11sak.1*
|
|
||||||
%{_mandir}/man5/%{name}.conf.5*
|
|
||||||
%{_mandir}/man7/%{name}.7*
|
|
||||||
%{_mandir}/man8/pkcsslotd.8*
|
|
@ -0,0 +1,285 @@
|
|||||||
|
commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Feb 9 16:22:51 2021 +0100
|
||||||
|
|
||||||
|
SOFT: Fix problem with C_Get/SetOperationState and digest contexts
|
||||||
|
|
||||||
|
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
|
||||||
|
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
|
||||||
|
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
|
||||||
|
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
|
||||||
|
was set to 1.
|
||||||
|
|
||||||
|
This hinders C_Get/SetOperationState to correctly save and restore the digest
|
||||||
|
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
|
||||||
|
C_SetOperationState also can't restore the digest state, leaving a subsequent
|
||||||
|
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
|
||||||
|
produces a segfault.
|
||||||
|
|
||||||
|
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
|
||||||
|
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
|
||||||
|
|
||||||
|
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
index 0b28daa8..a836efa9 100644
|
||||||
|
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
|
||||||
|
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
|
||||||
|
}
|
||||||
|
|
||||||
|
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
- CK_MECHANISM *mech)
|
||||||
|
+#ifdef OLDER_OPENSSL
|
||||||
|
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
|
||||||
|
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
|
||||||
|
{
|
||||||
|
const EVP_MD *md = NULL;
|
||||||
|
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
|
||||||
|
-#else
|
||||||
|
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||||
|
-#endif
|
||||||
|
- if (ctx->context == NULL) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
- return CKR_HOST_MEMORY;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
switch (mech->mechanism) {
|
||||||
|
case CKM_SHA_1:
|
||||||
|
md = EVP_sha1();
|
||||||
|
@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ return md;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
|
||||||
|
+{
|
||||||
|
+ const EVP_MD *md;
|
||||||
|
+ EVP_MD_CTX *md_ctx;
|
||||||
|
+
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
+ md_ctx = EVP_MD_CTX_create();
|
||||||
|
+#else
|
||||||
|
+ md_ctx = EVP_MD_CTX_new();
|
||||||
|
+#endif
|
||||||
|
+ if (md_ctx == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ md = md_from_mech(&ctx->mech);
|
||||||
|
if (md == NULL ||
|
||||||
|
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
|
||||||
|
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
|
||||||
|
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
#else
|
||||||
|
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
#endif
|
||||||
|
- ctx->context = NULL;
|
||||||
|
- ctx->context_len = 0;
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- return CKR_FUNCTION_FAILED;
|
||||||
|
+ if (ctx->context_len == 0) {
|
||||||
|
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
|
||||||
|
+ ctx->context = malloc(ctx->context_len);
|
||||||
|
+ if (ctx->context == NULL) {
|
||||||
|
+ TRACE_ERROR("malloc failed\n");
|
||||||
|
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
+ #else
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
+ #endif
|
||||||
|
+ ctx->context_len = 0;
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Save context data for later use */
|
||||||
|
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||||
|
+ } else {
|
||||||
|
+ if (ctx->context_len !=
|
||||||
|
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
|
||||||
|
+ TRACE_ERROR("context size mismatcht\n");
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ /* restore the MD context data */
|
||||||
|
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ return md_ctx;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
+ CK_MECHANISM *mech)
|
||||||
|
+{
|
||||||
|
+ EVP_MD_CTX *md_ctx;
|
||||||
|
+
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+
|
||||||
|
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
|
||||||
|
+ ctx->mech.mechanism = mech->mechanism;
|
||||||
|
+
|
||||||
|
+ md_ctx = md_ctx_from_context(ctx);
|
||||||
|
+ if (md_ctx == NULL) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
+#else
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
{
|
||||||
|
unsigned int len;
|
||||||
|
CK_RV rc = CKR_OK;
|
||||||
|
+ EVP_MD_CTX *md_ctx;
|
||||||
|
|
||||||
|
UNUSED(tokdata);
|
||||||
|
|
||||||
|
@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
if (!in_data || !out_data)
|
||||||
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
|
||||||
|
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||||
|
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||||
|
+ md_ctx = md_ctx_from_context(ctx);
|
||||||
|
+ if (md_ctx == NULL) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||||
|
return CKR_BUFFER_TOO_SMALL;
|
||||||
|
|
||||||
|
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||||
|
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
|
||||||
|
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
|
||||||
|
out:
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
#else
|
||||||
|
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
#endif
|
||||||
|
+ free(ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
ctx->context_len = 0;
|
||||||
|
|
||||||
|
@@ -3229,6 +3295,8 @@ out:
|
||||||
|
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
CK_BYTE *in_data, CK_ULONG in_data_len)
|
||||||
|
{
|
||||||
|
+ EVP_MD_CTX *md_ctx;
|
||||||
|
+
|
||||||
|
UNUSED(tokdata);
|
||||||
|
|
||||||
|
if (!ctx || !ctx->context)
|
||||||
|
@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
if (!in_data)
|
||||||
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
|
||||||
|
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||||
|
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||||
|
+ md_ctx = md_ctx_from_context(ctx);
|
||||||
|
+ if (md_ctx == NULL) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
#else
|
||||||
|
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
#endif
|
||||||
|
+ free(ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
ctx->context_len = 0;
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Save context data for later use */
|
||||||
|
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
|
||||||
|
+
|
||||||
|
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
+#else
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
{
|
||||||
|
unsigned int len;
|
||||||
|
CK_RV rc = CKR_OK;
|
||||||
|
+ EVP_MD_CTX *md_ctx;
|
||||||
|
|
||||||
|
UNUSED(tokdata);
|
||||||
|
|
||||||
|
@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
if (!out_data)
|
||||||
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
|
||||||
|
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
|
||||||
|
+ /* Recreate the OpenSSL MD context from the saved context */
|
||||||
|
+ md_ctx = md_ctx_from_context(ctx);
|
||||||
|
+ if (md_ctx == NULL) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
|
||||||
|
return CKR_BUFFER_TOO_SMALL;
|
||||||
|
|
||||||
|
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
|
||||||
|
|
||||||
|
out:
|
||||||
|
#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_destroy(md_ctx);
|
||||||
|
#else
|
||||||
|
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ EVP_MD_CTX_free(md_ctx);
|
||||||
|
#endif
|
||||||
|
+ free(ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
ctx->context_len = 0;
|
||||||
|
|
@ -0,0 +1,118 @@
|
|||||||
|
diff -up opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c
|
||||||
|
--- opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig 2020-11-26 13:25:41.679655774 +0100
|
||||||
|
+++ opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c 2020-11-26 13:26:00.170892352 +0100
|
||||||
|
@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user
|
||||||
|
while (1){
|
||||||
|
nread = getline(user_input, &buflen, stdin);
|
||||||
|
if (nread == -1) {
|
||||||
|
- printf("User input failed (error code 0x%lX: %s)\n",
|
||||||
|
- rc, p11_get_ckr(rc));
|
||||||
|
- rc = -1;
|
||||||
|
- return rc;
|
||||||
|
+ printf("User input: EOF\n");
|
||||||
|
+ return CKR_CANCEL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (user_input_ok(*user_input)) {
|
||||||
|
@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
|
||||||
|
- CK_OBJECT_HANDLE *hkey)
|
||||||
|
+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
|
||||||
|
{
|
||||||
|
char *user_input = NULL;
|
||||||
|
CK_RV rc = CKR_OK;
|
||||||
|
|
||||||
|
rc = confirm_destroy(&user_input, label);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
- printf("User input failed (error code 0x%lX: %s)\n",
|
||||||
|
- rc, p11_get_ckr(rc));
|
||||||
|
+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
|
||||||
|
+ rc = CKR_CANCEL;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(cha
|
||||||
|
label, rc, p11_get_ckr(rc));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+ *boolDestroyFlag = CK_TRUE;
|
||||||
|
printf("DONE - Destroy Object with Label: %s\n", label);
|
||||||
|
} else if (strncmp(user_input, "n", 1) == 0) {
|
||||||
|
printf("Skip deleting Key\n");
|
||||||
|
+ *boolDestroyFlag = CK_FALSE;
|
||||||
|
} else {
|
||||||
|
printf("Please just enter (y) for yes or (n) for no.\n");
|
||||||
|
}
|
||||||
|
@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||||
|
CK_OBJECT_HANDLE hkey;
|
||||||
|
char *keytype = NULL;
|
||||||
|
char *label = NULL;
|
||||||
|
+ CK_BBOOL boolDestroyFlag = CK_FALSE;
|
||||||
|
+ CK_BBOOL boolSkipFlag = CK_FALSE;
|
||||||
|
CK_RV rc = CKR_OK;
|
||||||
|
|
||||||
|
rc = tok_key_list_init(session, kt, label);
|
||||||
|
@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||||
|
if (*forceAll) {
|
||||||
|
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
|
||||||
|
printf("Destroy Object with Label: %s\n", label);
|
||||||
|
+
|
||||||
|
rc = funcs->C_DestroyObject(session, hkey);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
printf(
|
||||||
|
@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||||
|
label, rc, p11_get_ckr(rc));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- printf("DONE - Destroy Object with Label: %s\n", label);
|
||||||
|
+ boolDestroyFlag = CK_TRUE;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
|
||||||
|
- rc = finalize_destroy_object(label, &session, &hkey);
|
||||||
|
+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (!boolDestroyFlag) {
|
||||||
|
+ boolSkipFlag = CK_TRUE;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDL
|
||||||
|
|
||||||
|
done:
|
||||||
|
|
||||||
|
+ if (strlen(rm_label) > 0) {
|
||||||
|
+ if (boolDestroyFlag) {
|
||||||
|
+ printf("Object with Label: %s found and destroyed \n", rm_label);
|
||||||
|
+ } else if (boolSkipFlag) {
|
||||||
|
+ printf("Object with Label: %s not deleted\n", rm_label);
|
||||||
|
+ } else if (rc == CKR_OK) {
|
||||||
|
+ printf("Object with Label: %s not found\n", rm_label);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
free(label);
|
||||||
|
free(keytype);
|
||||||
|
@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
|
||||||
|
/* Execute command */
|
||||||
|
rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
|
||||||
|
label, attr_string, long_print, &forceAll);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
|
||||||
|
+ if (rc == CKR_CANCEL) {
|
||||||
|
+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
|
||||||
|
+ p11_get_ckr(rc));
|
||||||
|
+ } else if (rc != CKR_OK) {
|
||||||
|
+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
|
||||||
|
p11_get_ckr(rc));
|
||||||
|
goto done;
|
||||||
|
}
|
@ -0,0 +1,42 @@
|
|||||||
|
From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||||
|
Date: Tue, 19 Jan 2021 14:29:57 +0100
|
||||||
|
Subject: [PATCH] A slot ID has nothing to do with the number of slots
|
||||||
|
|
||||||
|
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
|
||||||
|
---
|
||||||
|
usr/sbin/pkcscca/pkcscca.c | 14 --------------
|
||||||
|
1 file changed, 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
|
||||||
|
index f268f1be..d0bb3160 100644
|
||||||
|
--- a/usr/sbin/pkcscca/pkcscca.c
|
||||||
|
+++ b/usr/sbin/pkcscca/pkcscca.c
|
||||||
|
@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||||
|
{
|
||||||
|
CK_FUNCTION_LIST *funcs;
|
||||||
|
CK_KEY_TYPE key_type = 0;
|
||||||
|
- CK_ULONG slot_count;
|
||||||
|
CK_SESSION_HANDLE sess;
|
||||||
|
CK_RV rv;
|
||||||
|
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
|
||||||
|
@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
|
||||||
|
return 2;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
|
||||||
|
- if (rv != CKR_OK) {
|
||||||
|
- p11_error("C_GetSlotList", rv);
|
||||||
|
- exit_code = 3;
|
||||||
|
- goto finalize;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (slot_id >= slot_count) {
|
||||||
|
- print_error("%lu is not a valid slot ID.", slot_id);
|
||||||
|
- exit_code = 4;
|
||||||
|
- goto finalize;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
|
||||||
|
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
|
||||||
|
if (rv != CKR_OK) {
|
13
SOURCES/opencryptoki-3.15.1-fix_compiling_with_c++.patch
Normal file
13
SOURCES/opencryptoki-3.15.1-fix_compiling_with_c++.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff -up opencryptoki-3.15.1/usr/include/pkcs11types.h.me opencryptoki-3.15.1/usr/include/pkcs11types.h
|
||||||
|
--- opencryptoki-3.15.1/usr/include/pkcs11types.h.me 2020-11-26 18:33:58.707979547 +0100
|
||||||
|
+++ opencryptoki-3.15.1/usr/include/pkcs11types.h 2020-11-26 18:35:22.428095872 +0100
|
||||||
|
@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR
|
||||||
|
|
||||||
|
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
|
||||||
|
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
|
||||||
|
-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
|
||||||
|
+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
|
||||||
|
|
||||||
|
typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
|
||||||
|
typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
|
||||||
|
diff -up opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c.me opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
8
SOURCES/opencryptoki.module
Normal file
8
SOURCES/opencryptoki.module
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# This file describes how to load the opensc module
|
||||||
|
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
|
||||||
|
|
||||||
|
# This is a relative path, which means it will be loaded from
|
||||||
|
# the p11-kit default path which is usually $(libdir)/pkcs11.
|
||||||
|
# Doing it this way allows for packagers to package opensc for
|
||||||
|
# 32-bit and 64-bit and make them parallel installable
|
||||||
|
module: libopencryptoki.so
|
@ -1,27 +1,26 @@
|
|||||||
Name: opencryptoki
|
Name: opencryptoki
|
||||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||||
Version: 3.14.0
|
Version: 3.15.1
|
||||||
Release: 5%{?dist}
|
Release: 5%{?dist}
|
||||||
License: CPL
|
License: CPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
URL: https://github.com/opencryptoki/opencryptoki
|
URL: https://github.com/opencryptoki/opencryptoki
|
||||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
|
Source1: opencryptoki.module
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
|
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
|
||||||
Patch0: opencryptoki-3.11.0-group.patch
|
Patch0: opencryptoki-3.11.0-group.patch
|
||||||
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
|
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
|
||||||
Patch1: opencryptoki-3.11.0-lockdir.patch
|
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||||
# bz#1780293, fix regression, segfault in C_SetPin
|
# upstream fixes
|
||||||
Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
|
# https://github.com/opencryptoki/opencryptoki/commit/eef7049ce857ee5d5ec64e369a10e05e8bb5c4dd
|
||||||
# Fix missing entries for p11sak tool in template spec file
|
Patch2: opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
|
||||||
Patch3: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
|
# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
|
||||||
# bz#1780294, PIN conversion tool
|
Patch3: opencryptoki-3.15.1-fix_compiling_with_c++.patch
|
||||||
Patch4: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
|
# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||||
# bz#1853420, endian issue
|
Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
|
||||||
Patch5: 0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch
|
# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
|
||||||
Patch6: 0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch
|
Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
|
||||||
Patch7: 0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch
|
|
||||||
Patch8: 0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch
|
|
||||||
Patch9: 0005-Fix-storing-of-public-token-objects-in-new-data-form.patch
|
|
||||||
Requires(pre): coreutils
|
Requires(pre): coreutils
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
@ -204,6 +203,7 @@ make %{?_smp_mflags} CHGRP=/bin/true
|
|||||||
|
|
||||||
%install
|
%install
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
|
make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
|
||||||
|
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
|
||||||
|
|
||||||
# Remove unwanted cruft
|
# Remove unwanted cruft
|
||||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
|
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
|
||||||
@ -286,6 +286,10 @@ fi
|
|||||||
%{_libdir}/pkcs11/libopencryptoki.so
|
%{_libdir}/pkcs11/libopencryptoki.so
|
||||||
%{_libdir}/pkcs11/PKCS11_API.so
|
%{_libdir}/pkcs11/PKCS11_API.so
|
||||||
%{_libdir}/pkcs11/stdll
|
%{_libdir}/pkcs11/stdll
|
||||||
|
# Co-owned with p11-kit
|
||||||
|
%dir %{_datadir}/p11-kit/
|
||||||
|
%dir %{_datadir}/p11-kit/modules/
|
||||||
|
%{_datadir}/p11-kit/modules/opencryptoki.module
|
||||||
|
|
||||||
%files devel
|
%files devel
|
||||||
%{_includedir}/%{name}/
|
%{_includedir}/%{name}/
|
||||||
@ -342,6 +346,37 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
|
||||||
|
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
|
||||||
|
|
||||||
|
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
|
||||||
|
- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
|
||||||
|
|
||||||
|
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
|
||||||
|
- Resolves: #1902022
|
||||||
|
Fix compiling with c++
|
||||||
|
Added error message handling for p11sak remove-key command
|
||||||
|
|
||||||
|
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
|
||||||
|
- Related: #1847433, Added error message handling for p11sak remove-key command
|
||||||
|
|
||||||
|
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
|
||||||
|
- Related: #1847433
|
||||||
|
upstream fixes:
|
||||||
|
- Free generated key in all error cases
|
||||||
|
- CCA: Zeroize key buffer to avoid CCA 8/32 error
|
||||||
|
- Do not delete the map-btree entry if destroying an object is not allowed
|
||||||
|
- Remove now unused header timeb.h
|
||||||
|
- TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
|
||||||
|
- Fix buffer overrun in C_CopyObject
|
||||||
|
- TPM: Fix double free in openssl_gen_key
|
||||||
|
|
||||||
|
* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
|
||||||
|
- Resolves: #1847433, rebase to 3.15.0
|
||||||
|
- Resolves: #1851105, PKCS #11 3.0 - baseline provider support
|
||||||
|
- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
|
||||||
|
- Resolves: #1851109, openCryptoki key management tool: key deletion function
|
||||||
|
|
||||||
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
|
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
|
||||||
- Related: #1853420, more fixes
|
- Related: #1853420, more fixes
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user