rpms
/
opencryptoki
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import opencryptoki-3.16.0-12.el9

This commit is contained in:
CentOS Sources 2021-11-03 23:49:31 -04:00 committed by Stepan Oksanichenko
commit 0e3033616c
45 changed files with 18763 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/opencryptoki-3.16.0.tar.gz

1
.opencryptoki.metadata Normal file
View File

@ -0,0 +1 @@
e5d8cf8df446a9bdcb3658a8f191f5a31d3a751e SOURCES/opencryptoki-3.16.0.tar.gz

31
SOURCES/opencryptoki-3.11.0-group.patch Normal file
View File

@ -0,0 +1,31 @@
diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in
--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100
+++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100
@@ -55,9 +55,11 @@ void *attach_shared_memory()
int shmid;
char *shmp;
struct stat statbuf;
+#if 0
struct group *grp;
struct passwd *pw, *epw;
uid_t uid, euid;
+#endif
#if !(MMAP)
// Really should fstat the tok_path, since it will be the actual
@@ -69,6 +71,7 @@ void *attach_shared_memory()
return NULL;
}
+#if 0
uid = getuid();
euid = geteuid();
// only check group membership if not root user
@@ -102,6 +105,7 @@ void *attach_shared_memory()
return NULL;
}
}
+#endif
Anchor->shm_tok = ftok(TOK_PATH, 'b');

12
SOURCES/opencryptoki-3.11.0-lockdir.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
dnl Define custom variables
-lockdir=$localstatedir/lock/opencryptoki
+lockdir=/run/lock/opencryptoki
AC_SUBST(lockdir)
logdir=$localstatedir/log/opencryptoki

136
SOURCES/opencryptoki-3.16.0-19f56d12b302b87e1dacf613cc61a063ad209d15.patch Normal file
View File

@ -0,0 +1,136 @@
commit 19f56d12b302b87e1dacf613cc61a063ad209d15
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Feb 12 15:57:20 2021 +0100
Fix compile warning when compiling pkcsslotd with -DDEV and/or -DTHREADED
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcsslotd/garbage_linux.c b/usr/sbin/pkcsslotd/garbage_linux.c
index d4878c3b..a4dd9713 100644
--- a/usr/sbin/pkcsslotd/garbage_linux.c
+++ b/usr/sbin/pkcsslotd/garbage_linux.c
@@ -15,6 +15,7 @@
#include <string.h>
#include <sys/types.h>
#include <fcntl.h>
+#include <stdlib.h>
#include "log.h"
#include "slotmgr.h"
@@ -80,8 +81,8 @@ BOOL StartGCThread(Slot_Mgr_Shr_t *MemPtr)
#ifdef DEV
// Only development builds
LogLog("StartGCThread: garbage collection thread started as ID "
- "%d (%#x) by ID %d (%#x)",
- GCThread, GCThread, pthread_self(), pthread_self());
+ "%lu by ID %lu",
+ GCThread, pthread_self());
#endif
return TRUE;
@@ -115,8 +116,8 @@ BOOL StopGCThread(void *Ptr)
return FALSE;
}
- DbgLog(DL0, "StopGCThread: tid %d is stopping the garbage collection "
- "thread (tid %d)",
+ DbgLog(DL0, "StopGCThread: tid %lu is stopping the garbage collection "
+ "thread (tid %lu)",
pthread_self(), GCThread);
/* Cause the GC thread to be cancelled */
@@ -245,7 +246,7 @@ void GCCancel(void *Ptr)
UNUSED(Ptr);
/* Yeah, yeah. Doesn't do anything, but I had plans */
- DbgLog(DL3, "GCCancel: tid: %d running cleanup routine", pthread_self());
+ DbgLog(DL3, "GCCancel: tid: %lu running cleanup routine", pthread_self());
return;
}
@@ -268,7 +269,7 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
ASSERT(MemPtr != NULL_PTR);
#ifdef DEV
- DbgLog(DL5, "Thread %d is checking for garbage", pthread_self());
+ DbgLog(DL5, "Thread %lu is checking for garbage", pthread_self());
#endif /* DEV */
@@ -326,9 +327,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
if (*pProcSessions > 0) {
#ifdef DEV
- DbgLog(DL2, "GC: Invalid pid (%d) is holding %d sessions "
+ DbgLog(DL2, "GC: Invalid pid (%d) is holding %u sessions "
"open on slot %d. Global session count for this "
- "slot is %d",
+ "slot is %u",
pProc->proc_id, *pProcSessions, SlotIndex,
*pGlobalSessions);
#endif /* DEV */
@@ -338,9 +339,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
WarnLog("Garbage Collection: Illegal values in table "
"for defunct process");
DbgLog(DL0, "Garbage collection: A process "
- "( Index: %d, pid: %d ) showed %d sessions "
- "open on slot %s, but the global count for this "
- "slot is only %d",
+ "( Index: %d, pid: %d ) showed %u sessions "
+ "open on slot %d, but the global count for this "
+ "slot is only %u",
ProcIndex, pProc->proc_id, *pProcSessions,
SlotIndex, *pGlobalSessions);
#endif /* DEV */
@@ -395,14 +396,8 @@ int Stat2Proc(int pid, proc_t *p)
char fbuf[800]; // about 40 fields, 64-bit decimal is about 20 chars
char *tmp;
int fd, num;
- // FILE *fp;
-
- // sprintf(buf, "%s/%d/stat", PROC_BASE, pid);
- // if( (fp = fopen(buf, "r")) == NULL )
- // return FALSE;
sprintf(fbuf, "%s/%d/stat", PROC_BASE, pid);
- printf("Buff = %s \n", fbuf);
fflush(stdout);
if ((fd = open(fbuf, O_RDONLY, 0)) == -1)
return FALSE;
diff --git a/usr/sbin/pkcsslotd/log.c b/usr/sbin/pkcsslotd/log.c
index 0214f952..0394cc7d 100644
--- a/usr/sbin/pkcsslotd/log.c
+++ b/usr/sbin/pkcsslotd/log.c
@@ -463,8 +463,8 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
#endif /* DEV */
if (WriteNow) {
- fprintf(stderr, "%s[%d.%d]: %s\n", pInfo->Descrip, getpid(),
- (int) pthread_self(), buf);
+ fprintf(stderr, "%s[%d.%lu]: %s\n", pInfo->Descrip, getpid(),
+ pthread_self(), buf);
}
}
@@ -482,7 +482,7 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
GetCurrentTimeString(timebuf);
/* Date/Time stamp, descrip, Error message */
- fprintf(fd, "%s %s[%d.%d]: ", timebuf, pInfo->Descrip, getpid(),
+ fprintf(fd, "%s %s[%d.%lu]: ", timebuf, pInfo->Descrip, getpid(),
pthread_self());
fprintf(fd, "%s\n", buf);
fflush(fd);
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index 94288f13..efbfe8fd 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -660,7 +660,6 @@ int main(int argc, char *argv[], char *envp[])
*/
#if !defined(NOGARBAGE)
- printf("Start garbage \n");
/* start garbage collection thread */
if (!StartGCThread(shmp)) {
term_socket_server();

2304
SOURCES/opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch Normal file
View File

File diff suppressed because it is too large Load Diff

2159
SOURCES/opencryptoki-3.16.0-342dfbeb8275f5ea6ed52dd3f30126614ec1d037.patch Normal file
View File

File diff suppressed because it is too large Load Diff

47
SOURCES/opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch Normal file
View File

@ -0,0 +1,47 @@
commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 3 10:05:07 2021 +0200
SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
When constructing an OpenSSL EC public or private key from PKCS#11
attributes or ECDH public data, check that the key is valid, i.e. that
the point is on the curve.
This prevents one from creating an EC key object via C_CreateObject with
invalid key data. It also prevents C_DeriveKey to derive a secret using
ECDH with an EC public key (public data) that uses a different curve
or is invalid by other means.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index c30be1da..aeff39a9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_PUBLIC_KEY_INVALID;
+ goto out;
+ }
+
out:
if (allocated && ecpoint != NULL)
free(ecpoint);
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
goto out;
}
+ if (!EC_KEY_check_key(ec_key)) {
+ TRACE_ERROR("EC_KEY_check_key failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
out:
if (point != NULL)
EC_POINT_free(point);

28
SOURCES/opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch Normal file
View File

@ -0,0 +1,28 @@
commit 5824364d995e5d2418f885ee57e377e11d1b3302
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 7 13:44:46 2021 +0200
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
When modifying opencryptoki.conf during token migration, put quotes
around strings that contain spaces, e.g. for the slot description and
manufacturer.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 94fd1196..3df1596e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
+ strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else if (tok != KW_TOKVERSION)
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
return 0;
}

23
SOURCES/opencryptoki-3.16.0-69244a5e0d9dfec3ef534b19b89a541576bb17dc.patch Normal file
View File

@ -0,0 +1,23 @@
commit 69244a5e0d9dfec3ef534b19b89a541576bb17dc
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Feb 9 10:47:57 2021 +0100
TRACE: Use gettid() if SYS_gettid is not defined
Also print the thread ID in the trace, if SYS_gettid is not defined.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/trace.c b/usr/lib/common/trace.c
index 678c0b96..bdc5256a 100644
--- a/usr/lib/common/trace.c
+++ b/usr/lib/common/trace.c
@@ -33,6 +33,8 @@
#ifdef SYS_gettid
#define __gettid() syscall(SYS_gettid)
+#else
+#define __gettid() gettid()
#endif
pthread_mutex_t tlmtx = PTHREAD_MUTEX_INITIALIZER;

367
SOURCES/opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch Normal file
View File

@ -0,0 +1,367 @@
commit 7b7d83c571ceb3050969359817d4145600f14ae8
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Apr 9 17:07:31 2021 +0200
Check CKF_LIBRARY_CANT_CREATE_OS_THREADS at C_Initialize
Fail if flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set at C_Initialize,
and event support is enabled (this is the default). We need to use pthreads
for the event thread, so we can't work if CKF_LIBRARY_CANT_CREATE_OS_THREADS
is set. Fail with CKR_NEED_TO_CREATE_THREADS if so.
The event support can be globally disabled using keyword 'disable-event-support'
in opencryptoki.conf. This disables pkcsslots to accept admin connections,
and it does not monitor for AP UDEV events (on s390 platform). No event
thread is started in the opencryptoki processes, thus we can accept if flag
CKF_LIBRARY_CANT_CREATE_OS_THREADS is set in that case.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
index 71218f79..7dc676ab 100644
--- a/man/man5/opencryptoki.conf.5.in
+++ b/man/man5/opencryptoki.conf.5.in
@@ -10,8 +10,16 @@ pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
determine which slots will be made available.
.SH SYNTAX
-This file is made up of slot descriptions. Each slot description
-is composed of a slot number, brackets and key-value pairs.
+This file is made up of optional global definitions, and slot descriptions.
+
+The following global definitions are valid:
+
+.TP
+.BR disable-event-support
+If this keyword is specified the openCryptoki event support is disabled.
+
+.P
+Each slot description is composed of a slot number, brackets and key-value pairs.
slot number
{
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
index e37368a5..451a8cf1 100644
--- a/usr/include/slotmgr.h
+++ b/usr/include/slotmgr.h
@@ -99,6 +99,7 @@ typedef struct {
LW_SHM_TYPE *shm_addr; // token specific shm address
} Slot_Info_t;
+#define FLAG_EVENT_SUPPORT_DISABLED 0x01
#ifdef PKCS64
@@ -200,6 +201,7 @@ typedef struct {
typedef struct {
uint8 num_slots;
+ uint8 flags;
CK_INFO_64 ck_info;
Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
} Slot_Mgr_Socket_t;
@@ -214,6 +216,7 @@ typedef struct {
typedef struct {
uint8 num_slots;
+ uint8 flags;
CK_INFO ck_info;
Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
} Slot_Mgr_Socket_t;
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index 2873a20a..6517ca6c 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -308,7 +308,8 @@ void parent_fork_after()
return;
/* Restart the event thread in the parent when fork is complete */
- if (Anchor->event_thread == 0)
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
+ Anchor->event_thread == 0)
start_event_thread();
}
@@ -2752,13 +2753,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
goto error;
}
}
- // If we EVER need to create threads from this library we must
- // check the Flags for the Can_Create_OS_Threads flag
- // Right now the library DOES NOT create threads and therefore this
- // check is irrelavant.
- if (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
- TRACE_DEVEL("Can't create OS threads...This is OK\n");
- }
+
// Since this is an initialization path, we will be verbose in the
// code rather than efficient.
//
@@ -2848,7 +2843,21 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
rc = CKR_FUNCTION_FAILED;
goto error_shm;
}
- // Initialize structure values
+
+ if (pVoid != NULL) {
+ pArg = (CK_C_INITIALIZE_ARGS *) pVoid;
+
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
+ (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) != 0) {
+ TRACE_ERROR("Flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set and "
+ "event support is enabled\n");
+ OCK_SYSLOG(LOG_ERR, "C_Initialize: Application specified that "
+ "library can't create OS threads. PKCS11 Module requires "
+ "to create threads when event support is enabled.\n");
+ rc = CKR_NEED_TO_CREATE_THREADS;
+ goto error;
+ }
+ }
//Register with pkcsslotd
if (!API_Register()) {
@@ -2867,7 +2876,8 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
}
/* Start event receiver thread */
- if (start_event_thread() != 0) {
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
+ start_event_thread() != 0) {
TRACE_ERROR("Failed to start event thread\n");
// unload all the STDLL's from the application
diff --git a/usr/lib/common/configparser.h b/usr/lib/common/configparser.h
index 13ca648d..b3c32496 100644
--- a/usr/lib/common/configparser.h
+++ b/usr/lib/common/configparser.h
@@ -35,6 +35,7 @@ typedef int (*end_slot_f)(void *private);
typedef int (*key_str_f)(void *private, int tok, const char *val);
typedef int (*key_vers_f)(void *private, int tok, unsigned int vers);
typedef void (*eolcomment_f)(void *private, const char *comment);
+typedef void (*disab_event_supp_f)(void *private);
/*
* Report an error. If the error is not reported by the parser itself
* but via one of the parse functions, \c parsermsg will be \c NULL.
@@ -52,6 +53,7 @@ typedef void (*error_f)(void *private, int line, const char *parsermsg);
*/
struct parsefuncs {
ockversion_f version;
+ disab_event_supp_f disab_event_supp;
eol_f eol;
begin_slot_f begin_slot;
end_slot_f end_slot;
diff --git a/usr/lib/common/lexer.l b/usr/lib/common/lexer.l
index b35a0b72..38cbcb70 100644
--- a/usr/lib/common/lexer.l
+++ b/usr/lib/common/lexer.l
@@ -69,6 +69,7 @@ extern char *configparse_strdup(const char *s);
version return OCKVERSION;
slot return SLOT;
+disable-event-support return DISABLE_EVENT_SUPPORT;
[^\"= \t\n]+ {
yylval.str = configparse_strdup(yytext);
diff --git a/usr/lib/common/parser.y b/usr/lib/common/parser.y
index 86806fcb..40c3994d 100644
--- a/usr/lib/common/parser.y
+++ b/usr/lib/common/parser.y
@@ -65,7 +65,7 @@ int lookup_keyword(const char *key);
int err;
}
-%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF
+%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF DISABLE_EVENT_SUPPORT
%token <str> STRING
%token <str> KEYWORD
%token <num> INTEGER
@@ -81,6 +81,7 @@ config_file:
sections:
version_def eolcomment
+ | disable_event_support_def eolcomment
| SLOT INTEGER BEGIN_DEF
{
if (parsefuncs->begin_slot && parsefuncs->begin_slot(parsedata, $2, 0)) {
@@ -125,6 +126,13 @@ version_def:
}
configparse_freestringsfrom($2);
}
+
+disable_event_support_def:
+ DISABLE_EVENT_SUPPORT
+ {
+ if (parsefuncs->disab_event_supp)
+ parsefuncs->disab_event_supp(parsedata);
+ }
line_def:
STRING EQUAL TOKVERSION
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
index d7edcb3c..1dd0bac9 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
@@ -88,7 +88,7 @@ int XProcLock(void);
int XProcUnLock(void);
int CreateXProcLock(void);
-int init_socket_server();
+int init_socket_server(int event_support_disabled);
int term_socket_server();
int init_socket_data(Slot_Mgr_Socket_t *sp);
int socket_connection_handler(int timeout_secs);
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index efbfe8fd..3b328a6c 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -34,6 +34,7 @@ int shmid;
key_t tok;
Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
unsigned int NumberSlotsInDB = 0;
+int event_support_disabled = 0;
Slot_Info_t_64 *psinfo;
@@ -467,6 +468,13 @@ static int slotmgr_key_vers(void *private, int tok, unsigned int vers)
return 1;
}
+static void slotmgr_disab_event_supp(void *private)
+{
+ UNUSED(private);
+
+ event_support_disabled = 1;
+}
+
static void slotmgr_parseerror(void *private, int line, const char *parsermsg)
{
struct parse_data *d = (struct parse_data *)private;
@@ -480,6 +488,7 @@ static struct parsefuncs slotmgr_parsefuncs = {
.end_slot = slotmgr_end_slot,
.key_str = slotmgr_key_str,
.key_vers = slotmgr_key_vers,
+ .disab_event_supp = slotmgr_disab_event_supp,
.parseerror = slotmgr_parseerror
};
@@ -568,7 +577,7 @@ int main(int argc, char *argv[], char *envp[])
if (!XProcUnLock())
return 4;
- if (!init_socket_server()) {
+ if (!init_socket_server(event_support_disabled)) {
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
@@ -582,6 +591,8 @@ int main(int argc, char *argv[], char *envp[])
DestroySharedMemory();
return 6;
}
+ if (event_support_disabled)
+ socketData.flags |= FLAG_EVENT_SUPPORT_DISABLED;
/* Create customized token directories */
psinfo = &socketData.slot_info[0];
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
index 41408670..3aa40267 100644
--- a/usr/sbin/pkcsslotd/socket_server.c
+++ b/usr/sbin/pkcsslotd/socket_server.c
@@ -139,12 +139,12 @@ struct event_info {
};
static int epoll_fd = -1;
-static struct listener_info proc_listener;
+static struct listener_info proc_listener = { .socket = -1 };
static DL_NODE *proc_connections = NULL;
-static struct listener_info admin_listener;
+static struct listener_info admin_listener = { .socket = -1 };
static DL_NODE *admin_connections = NULL;
#ifdef WITH_LIBUDEV
-static struct udev_mon udev_mon;
+static struct udev_mon udev_mon = { .socket = -1 };
#endif
static DL_NODE *pending_events = NULL;
static unsigned long pending_events_count = 0;
@@ -1620,6 +1620,9 @@ static void udev_mon_term(struct udev_mon *udev_mon)
if (udev_mon == NULL)
return;
+ if (udev_mon->socket < 0)
+ return;
+
epoll_ctl(epoll_fd, EPOLL_CTL_DEL, udev_mon->socket, NULL);
if (udev_mon->udev != NULL)
udev_unref(udev_mon->udev);
@@ -1636,6 +1639,7 @@ int init_socket_data(Slot_Mgr_Socket_t *socketData)
{
unsigned int processed = 0;
+ socketData->flags = 0;
PopulateCKInfo(&(socketData->ck_info));
socketData->num_slots = NumberSlotsInDB;
PopulateSlotInfo(socketData->slot_info, &processed);
@@ -1692,7 +1696,7 @@ int socket_connection_handler(int timeout_secs)
return TRUE;
}
-int init_socket_server()
+int init_socket_server(int event_support_disabled)
{
int err;
@@ -1710,18 +1714,20 @@ int init_socket_server()
return FALSE;
}
- if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
- admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
- term_socket_server();
- return FALSE;
- }
+ if (!event_support_disabled) {
+ if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
+ admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
+ term_socket_server();
+ return FALSE;
+ }
#ifdef WITH_LIBUDEV
- if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
- term_socket_server();
- return FALSE;
- }
+ if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
+ term_socket_server();
+ return FALSE;
+ }
#endif
+ }
DbgLog(DL0, "%s: Socket server started", __func__);
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 7c225730..94fd1196 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2066,6 +2066,13 @@ static int parseupdate_ockversion(void *private, const char *version)
return 0;
}
+static void parseupdate_disab_event_supp(void *private)
+{
+ struct parseupdate *u = (struct parseupdate *)private;
+
+ fprintf(u->f, "disable-event-support");
+}
+
static void parseupdate_eol(void *private)
{
struct parseupdate *u = (struct parseupdate *)private;
@@ -2124,6 +2131,7 @@ static void parseupdate_eolcomment(void *private, const char *comment)
static struct parsefuncs parseupdatefuncs = {
.version = parseupdate_ockversion,
+ .disab_event_supp = parseupdate_disab_event_supp,
.eol = parseupdate_eol,
.begin_slot = parseupdate_begin_slot,
.end_slot = parseupdate_end_slot,

1023
SOURCES/opencryptoki-3.16.0-b048be548508dd1958bb7271568f388d0f6cbcf8.patch Normal file
View File

File diff suppressed because it is too large Load Diff

37
SOURCES/opencryptoki-3.16.0-b07505993dd8b2f367cf3b630f6da186e4e8550d.patch Normal file
View File

@ -0,0 +1,37 @@
commit b07505993dd8b2f367cf3b630f6da186e4e8550d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Feb 10 15:12:25 2021 +0100
Avoid deadlock in dlclose() after a fork
Calling dlclose() in a atfork handler may cause a deadlock.
dlclose() may itself modify the atfork handler table to remove
any fork handlers that the to be unloaded library has registered.
Since the atfork handler table is currently locked when we are in
an atfork handler, this would produce a deadlock.
Skip the dlclose() if we are in an atfork handler to avoid the deadlock.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index 3ccb6d41..f1ee9132 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -1516,7 +1516,15 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
}
}
- DL_UnLoad(sltp, slotID);
+ /*
+ * Calling dlclose() in a atfork handler may cause a deadlock.
+ * dlclose() may itself modify the atfork handler table to remove
+ * any fork handlers that the to be unloaded library has registered.
+ * Since the atfork handler table is currently locked when we are in
+ * an atfork handler, this would produce a deadlock.
+ */
+ if (!in_child_fork_initializer)
+ DL_UnLoad(sltp, slotID);
}
// Un register from Slot D

21
SOURCES/opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch Normal file
View File

@ -0,0 +1,21 @@
commit bf812c652c49d7e248b115d121a4f7f6568941a2
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Apr 6 13:41:55 2021 +0200
Update travis yaml file to install libudev development files
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/.travis.yml b/.travis.yml
index d2907246..fd4092e3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,7 +5,7 @@ language: c
before_install:
- sudo apt-get -qq update
- - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget
+ - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget libudev-dev
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb
- sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3

462
SOURCES/opencryptoki-3.16.0-c79e899d77a5724635a9d4451a34a240e2c7e891.patch Normal file
View File

@ -0,0 +1,462 @@
commit c79e899d77a5724635a9d4451a34a240e2c7e891
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Apr 16 13:41:41 2021 +0200
Fix potential deadlock situation with double read-locks
Do not get and read-lock an object twice within the same thread via
function object_mgr_find_in_map1(), as this would read-lock the object
twice.
This could cause a deadlock situation, when in-between the first
and the second call to object_mgr_find_in_map1() the token object is
modified by another process. The second object_mgr_find_in_map1() would
detect that the object has been modified (object_mgr_check_shm()), and
would try to re-load the object from the disk. For re-loading, the
object is unlocked once, and a write-lock is acquired instead.
However, if the current thread has read-locked the object twice, but
releases only one read-lock, then it will never get the write lock,
because it still owns the read lock itself.
To avoid this situation, release the read-lock before calling another
function that also acquires the read lock of the object. That way, only
one read-lock is held by the current thread, and re-loading the object
will not cause a deadlock.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/decr_mgr.c b/usr/lib/common/decr_mgr.c
index 317ef995..9842302b 100644
--- a/usr/lib/common/decr_mgr.c
+++ b/usr/lib/common/decr_mgr.c
@@ -540,6 +540,10 @@ CK_RV decr_mgr_init(STDLL_TokData_t *tokdata,
}
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 0);
if (rc) {
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
diff --git a/usr/lib/common/encr_mgr.c b/usr/lib/common/encr_mgr.c
index d3ecdeee..3e85ceab 100644
--- a/usr/lib/common/encr_mgr.c
+++ b/usr/lib/common/encr_mgr.c
@@ -537,6 +537,10 @@ CK_RV encr_mgr_init(STDLL_TokData_t *tokdata,
}
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 1);
if (rc != CKR_OK) {
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
index 1652f90a..e35b383c 100644
--- a/usr/lib/common/mech_rsa.c
+++ b/usr/lib/common/mech_rsa.c
@@ -602,6 +602,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
goto done;
}
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = token_specific.t_rsa_oaep_encrypt(tokdata, ctx, in_data,
in_data_len, out_data,
out_data_len, hash, hlen);
@@ -625,6 +629,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
goto done;
}
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = token_specific.t_rsa_oaep_decrypt(tokdata, ctx, in_data,
in_data_len, out_data,
out_data_len, hash, hlen);
@@ -1331,6 +1339,10 @@ CK_RV rsa_pss_sign(STDLL_TokData_t *tokdata, SESSION *sess,
goto done;
}
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = token_specific.t_rsa_pss_sign(tokdata, sess, ctx, in_data, in_data_len,
out_data, out_data_len);
if (rc != CKR_OK)
@@ -1389,6 +1401,10 @@ CK_RV rsa_pss_verify(STDLL_TokData_t *tokdata, SESSION *sess,
goto done;
}
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = token_specific.t_rsa_pss_verify(tokdata, sess, ctx, in_data,
in_data_len, signature, sig_len);
if (rc != CKR_OK)
diff --git a/usr/lib/common/sign_mgr.c b/usr/lib/common/sign_mgr.c
index 937a371a..c7268e01 100644
--- a/usr/lib/common/sign_mgr.c
+++ b/usr/lib/common/sign_mgr.c
@@ -424,6 +424,10 @@ CK_RV sign_mgr_init(STDLL_TokData_t *tokdata,
ctx->context_len = 0;
ctx->context = NULL;
+ /* Release obj lock, token specific hmac-sign may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = hmac_sign_init(tokdata, sess, mech, key);
if (rc != CKR_OK) {
TRACE_ERROR("Failed to initialize hmac.\n");
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 3ac3768a..52f95d7a 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -6948,6 +6948,13 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
+ /*
+ * Release obj lock, sign_mgr_init or ep11tok_sign_verify_init_ibm_ed
+ * may re-acquire the lock
+ */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
* supported by the ep11token, so let's keep them local here. */
@@ -7029,11 +7036,16 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
* opencryptoki. These two special IBM specific ED mechs are only
* supported by the ep11token, so let's keep them local here. */
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
rc = pkey_ibm_ed_sign(key_obj, in_data, in_data_len, signature, sig_len);
- else
+ } else {
+ /* Release obj lock, sign_mgr_sign may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = sign_mgr_sign(tokdata, session, length_only, ctx, in_data,
in_data_len, signature, sig_len);
+ }
goto done; /* no ep11 fallback possible */
}
@@ -7071,6 +7083,11 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
if (!in_data || !in_data_len)
return CKR_OK;
+ if (ctx->pkey_active) {
+ rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7078,11 +7095,6 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_SignUpdate(ctx->context, ctx->context_len, in_data,
in_data_len, ep11_data->target);
@@ -7115,6 +7127,11 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
+ if (ctx->pkey_active) {
+ rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7122,11 +7139,6 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_SignFinal(ctx->context, ctx->context_len, signature, sig_len,
ep11_data->target);
@@ -7241,6 +7253,13 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
+ /*
+ * Release obj lock, verify_mgr_init or ep11tok_sign_verify_init_ibm_ed
+ * may re-acquire the lock
+ */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
* supported by the ep11token, so let's keep them local here. */
@@ -7320,12 +7339,17 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
* opencryptoki. These two special IBM specific ED mechs are only
* supported by the ep11token, so let's keep them local here. */
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
rc = pkey_ibm_ed_verify(key_obj, in_data, in_data_len,
signature, sig_len);
- else
+ } else {
+ /* Release obj lock, verify_mgr_verify may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
rc = verify_mgr_verify(tokdata, session, ctx, in_data,
in_data_len, signature, sig_len);
+ }
goto done; /* no ep11 fallback possible */
}
@@ -7363,6 +7387,11 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
if (!in_data || !in_data_len)
return CKR_OK;
+ if (ctx->pkey_active) {
+ rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7370,11 +7399,6 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_VerifyUpdate(ctx->context, ctx->context_len, in_data,
in_data_len, ep11_data->target);
@@ -7406,6 +7430,11 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
+ if (ctx->pkey_active) {
+ rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7413,11 +7442,6 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_VerifyFinal(ctx->context, ctx->context_len, signature,
sig_len, ep11_data->target);
@@ -7501,6 +7525,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
+ if (ctx->pkey_active) {
+ rc = decr_mgr_decrypt_final(tokdata, session, length_only,
+ ctx, output_part, p_output_part_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7508,12 +7538,6 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = decr_mgr_decrypt_final(tokdata, session, length_only,
- ctx, output_part, p_output_part_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_DecryptFinal(ctx->context, ctx->context_len,
output_part, p_output_part_len,
@@ -7548,13 +7572,6 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
- READ_LOCK);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
- return rc;
- }
-
if (ctx->pkey_active) {
rc = decr_mgr_decrypt(tokdata, session, length_only, ctx,
input_data, input_data_len, output_data,
@@ -7562,6 +7579,13 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
goto done; /* no ep11 fallback possible */
}
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
+ READ_LOCK);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
+ return rc;
+ }
+
RETRY_START
rc = dll_m_Decrypt(ctx->context, ctx->context_len, input_data,
input_data_len, output_data, p_output_data_len,
@@ -7602,13 +7626,6 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
return CKR_OK; /* nothing to update, keep context */
}
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
- READ_LOCK);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
- return rc;
- }
-
if (ctx->pkey_active) {
rc = decr_mgr_decrypt_update(tokdata, session, length_only,
ctx, input_part, input_part_len,
@@ -7616,6 +7633,13 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
goto done; /* no ep11 fallback possible */
}
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
+ READ_LOCK);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
+ return rc;
+ }
+
RETRY_START
rc = dll_m_DecryptUpdate(ctx->context, ctx->context_len,
input_part, input_part_len, output_part,
@@ -7695,6 +7719,12 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
+ if (ctx->pkey_active) {
+ rc = encr_mgr_encrypt_final(tokdata, session, length_only,
+ ctx, output_part, p_output_part_len);
+ goto done; /* no ep11 fallback possible */
+ }
+
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
READ_LOCK);
if (rc != CKR_OK) {
@@ -7702,12 +7732,6 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
- if (ctx->pkey_active) {
- rc = encr_mgr_encrypt_final(tokdata, session, length_only,
- ctx, output_part, p_output_part_len);
- goto done; /* no ep11 fallback possible */
- }
-
RETRY_START
rc = dll_m_EncryptFinal(ctx->context, ctx->context_len,
output_part, p_output_part_len,
@@ -7742,13 +7766,6 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
CK_BYTE *keyblob;
OBJECT *key_obj = NULL;
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
- READ_LOCK);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
- return rc;
- }
-
if (ctx->pkey_active) {
rc = encr_mgr_encrypt(tokdata, session, length_only, ctx,
input_data, input_data_len, output_data,
@@ -7756,6 +7773,13 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
goto done; /* no ep11 fallback possible */
}
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
+ READ_LOCK);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
+ return rc;
+ }
+
RETRY_START
rc = dll_m_Encrypt(ctx->context, ctx->context_len, input_data,
input_data_len, output_data, p_output_data_len,
@@ -7796,13 +7820,6 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
return CKR_OK; /* nothing to update, keep context */
}
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
- READ_LOCK);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
- return rc;
- }
-
if (ctx->pkey_active) {
rc = encr_mgr_encrypt_update(tokdata, session, length_only, ctx,
input_part, input_part_len, output_part,
@@ -7810,6 +7827,13 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
goto done; /* no ep11 fallback possible */
}
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
+ READ_LOCK);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
+ return rc;
+ }
+
RETRY_START
rc = dll_m_EncryptUpdate(ctx->context, ctx->context_len,
input_part, input_part_len, output_part,
@@ -7921,6 +7945,10 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
+ /* Release obj lock, encr/decr_mgr_init may re-acquire the lock */
+ object_put(tokdata, key_obj, TRUE);
+ key_obj = NULL;
+
if (op == DECRYPT) {
rc = decr_mgr_init(tokdata, session, &session->decr_ctx,
OP_DECRYPT_INIT, mech, key);

104
SOURCES/opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch Normal file
View File

@ -0,0 +1,104 @@
commit d2f137cce5e6efb123842509352c7c49f889c67f
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 22 15:55:02 2021 +0200
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
Due to the way the parser works, a slot description like
'description = "slot"' works, but not without quotes ('description = slot').
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
too), so if the word 'slot' would appear in an unquoted string, the
configuration file would fail to parse.
Always quote the value of 'description' and 'manufacturer'. Quote the
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index a29dc8f7..853986e8 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2060,7 +2060,7 @@ done:
*/
static int parseupdate_ockversion(void *private, const char *version)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "version %s", version);
return 0;
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
static void parseupdate_eol(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fputc('\n', u->f);
}
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
u->activeslot = (slot == u->slotnum);
if (nl_before_begin)
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
static int parseupdate_end_slot(void *private)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (u->activeslot)
fprintf(u->f, " tokversion = 3.12\n");
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
static int parseupdate_key_str(void *private, int tok, const char *val)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
- strchr(val, ' ') != NULL)
+ switch (tok) {
+ case KW_SLOTDESC:
+ case KW_MANUFID:
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
- else if (tok != KW_TOKVERSION)
+ break;
+ case KW_STDLL:
+ case KW_CONFNAME:
+ case KW_TOKNAME:
+ if (strchr(val, ' ') != NULL)
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
+ else
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ case KW_HWVERSION:
+ case KW_FWVERSION:
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
+ break;
+ }
return 0;
}
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
static void parseupdate_eolcomment(void *private, const char *comment)
{
- struct parseupdate *u = (struct parseupdate *)private;
+ struct parseupdate *u = (struct parseupdate *)private;
fprintf(u->f, "#%s", comment);
}

239
SOURCES/opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch Normal file
View File

@ -0,0 +1,239 @@
commit d7de5092247a0efc2c397f12977a7c9925420143
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Feb 16 17:15:20 2021 +0100
TESTCASES: Add event support tests
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/misc_tests/events.c b/testcases/misc_tests/events.c
new file mode 100644
index 00000000..fecc7bfe
--- /dev/null
+++ b/testcases/misc_tests/events.c
@@ -0,0 +1,190 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2021
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "event_client.h"
+#include "regress.h"
+#include "defs.h"
+
+const char payload[20] = "12345678901234567890";
+
+static inline void init_event_destination(struct event_destination *dest,
+ unsigned int token_type,
+ const char *label,
+ pid_t process_id)
+{
+ size_t len;
+
+ dest->token_type = token_type;
+ dest->process_id = process_id;
+
+ memset(dest->token_label, ' ', sizeof(dest->token_label));
+ if (label != NULL) {
+ len = strlen(label);
+ memcpy(dest->token_label, label, len > sizeof(dest->token_label) ?
+ sizeof(dest->token_label) : len);
+ }
+}
+
+int main(int argc, char **argv)
+{
+ CK_C_INITIALIZE_ARGS cinit_args;
+ int rc, fd = -1, ret = 1;
+ struct event_destination dest;
+ struct event_reply reply;
+
+ UNUSED(argc);
+ UNUSED(argv);
+
+ rc = do_GetFunctionList();
+ if (!rc) {
+ testcase_error("do_getFunctionList(), rc=%s", p11_get_ckr(rc));
+ return rc;
+ }
+
+ /*
+ * Initialize Opencryptoki in this process, so that at least one
+ * process is receiving the events.
+ */
+ memset(&cinit_args, 0x0, sizeof(cinit_args));
+ cinit_args.flags = CKF_OS_LOCKING_OK;
+ funcs->C_Initialize(&cinit_args);
+
+ testcase_setup(0);
+ testcase_begin("Starting event tests");
+
+ // Test fork before C_Initialize
+ testcase_new_assertion();
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (simple, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (simple, one-shot)");
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
+ NULL, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (payload, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (payload, one-shot)");
+
+ init_event_destination(&dest, EVENT_TOK_TYPE_CCA, NULL, 0);
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (token-type, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (token-type, one-shot)");
+
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, "cca", 0);
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (token-label, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (token-label, one-shot)");
+
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, NULL, 12345);
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (pid, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (pid, one-shot)");
+
+ memset(&reply, 0, sizeof(reply));
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
+ if (rc != 0) {
+ testcase_fail("send_event (reply, one-shot) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
+ printf(" negative_replies: %lu\n", reply.negative_replies);
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
+ if (reply.positive_replies + reply.negative_replies +
+ reply.nothandled_replies == 0) {
+ testcase_fail("send_event (reply, one-shot) replies all zero");
+ goto out;
+ }
+ testcase_pass("send_event (reply, one-shot)");
+
+
+ fd = init_event_client();
+ if (fd < 0) {
+ testcase_fail("init_event_client rc = %d (%s)", fd, strerror(-fd));
+ goto out;
+ }
+ testcase_pass("init_event_client()");
+
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (simple) rc = %d (%s)", rc, strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (simple)");
+
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
+ NULL, NULL);
+ if (rc != 0) {
+ testcase_fail("send_event (payload) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ testcase_pass("send_event (payload)");
+
+ memset(&reply, 0, sizeof(reply));
+
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
+ if (rc != 0) {
+ testcase_fail("send_event (reply) rc = %d (%s)", rc,
+ strerror(-rc));
+ goto out;
+ }
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
+ printf(" negative_replies: %lu\n", reply.negative_replies);
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
+ if (reply.positive_replies + reply.negative_replies +
+ reply.nothandled_replies == 0) {
+ testcase_fail("send_event (reply) replies all zero");
+ goto out;
+ }
+ testcase_pass("send_event (reply)");
+
+ term_event_client(fd);
+ fd = -1;
+
+ ret = 0;
+
+out:
+ if (fd >= 0)
+ term_event_client(fd);
+
+ funcs->C_Finalize(NULL);
+
+ testcase_print_result();
+ return ret;
+}
diff --git a/testcases/misc_tests/misc_tests.mk b/testcases/misc_tests/misc_tests.mk
index 3de11ebe..fb7cc0a1 100644
--- a/testcases/misc_tests/misc_tests.mk
+++ b/testcases/misc_tests/misc_tests.mk
@@ -7,7 +7,8 @@ noinst_PROGRAMS += \
testcases/misc_tests/fork testcases/misc_tests/multi_instance \
testcases/misc_tests/obj_lock testcases/misc_tests/tok2tok_transport \
testcases/misc_tests/obj_lock testcases/misc_tests/reencrypt \
- testcases/misc_tests/cca_export_import_test
+ testcases/misc_tests/cca_export_import_test \
+ testcases/misc_tests/events
testcases_misc_tests_obj_mgmt_tests_CFLAGS = ${testcases_inc}
testcases_misc_tests_obj_mgmt_tests_LDADD = \
@@ -73,3 +74,8 @@ testcases_misc_tests_cca_export_import_test_LDADD = \
testcases/common/libcommon.la
testcases_misc_tests_cca_export_import_test_SOURCES = \
testcases/misc_tests/cca_export_import_test.c
+
+testcases_misc_tests_events_CFLAGS = ${testcases_inc}
+testcases_misc_tests_events_LDADD = testcases/common/libcommon.la
+testcases_misc_tests_events_SOURCES = testcases/misc_tests/events.c \
+ usr/lib/common/event_client.c
diff --git a/testcases/ock_tests.sh.in b/testcases/ock_tests.sh.in
index 64c77a7d..6558b031 100755
--- a/testcases/ock_tests.sh.in
+++ b/testcases/ock_tests.sh.in
@@ -53,6 +53,7 @@ OCK_TESTS+=" pkcs11/findobjects pkcs11/generate_keypair"
OCK_TESTS+=" pkcs11/get_interface pkcs11/getobjectsize pkcs11/sess_opstate"
OCK_TESTS+=" misc_tests/fork misc_tests/obj_mgmt_tests"
OCK_TESTS+=" misc_tests/obj_mgmt_lock_tests misc_tests/reencrypt"
+OCK_TESTS+=" misc_tests/events"
OCK_TEST=""
OCK_BENCHS="pkcs11/*bench"

619
SOURCES/opencryptoki-3.16.0-d929fe8470e99f4dcbbd889e7aa87e147d0d5b48.patch Normal file
View File

@ -0,0 +1,619 @@
commit d929fe8470e99f4dcbbd889e7aa87e147d0d5b48
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Feb 12 11:25:21 2021 +0100
Externalize linked list functions
Externalize the linked list functions (dlist_xxx), so that they
can also be used on pkcsslotd.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
index bd230b9f..c5e86fa7 100644
--- a/usr/lib/cca_stdll/cca_stdll.mk
+++ b/usr/lib/cca_stdll/cca_stdll.mk
@@ -35,7 +35,8 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = \
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
- usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c
+ usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c \
+ usr/lib/common/dlist.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
diff --git a/usr/lib/common/dlist.c b/usr/lib/common/dlist.c
new file mode 100644
index 00000000..1fee1ea9
--- /dev/null
+++ b/usr/lib/common/dlist.c
@@ -0,0 +1,218 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2021
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <errno.h>
+
+#include "dlist.h"
+#include "host_defs.h"
+#include "h_extern.h"
+
+
+// Function: dlist_add_as_first()
+//
+// Adds the specified node to the start of the list
+//
+// Returns: pointer to the start of the list
+//
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
+{
+ DL_NODE *node = NULL;
+
+ if (!data)
+ return list;
+
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
+ if (!node)
+ return NULL;
+
+ node->data = data;
+ node->prev = NULL;
+ node->next = list;
+ if (list)
+ list->prev = node;
+
+ return node;
+}
+
+// Function: dlist_add_as_last()
+//
+// Adds the specified node to the end of the list
+//
+// Returns: pointer to the start of the list
+//
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
+{
+ DL_NODE *node = NULL;
+
+ if (!data)
+ return list;
+
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
+ if (!node)
+ return NULL;
+
+ node->data = data;
+ node->next = NULL;
+
+ if (!list) {
+ node->prev = NULL;
+ return node;
+ } else {
+ DL_NODE *temp = dlist_get_last(list);
+ temp->next = node;
+ node->prev = temp;
+
+ return list;
+ }
+}
+
+// Function: dlist_find()
+//
+DL_NODE *dlist_find(DL_NODE *list, void *data)
+{
+ DL_NODE *node = list;
+
+ while (node && node->data != data)
+ node = node->next;
+
+ return node;
+}
+
+// Function: dlist_get_first()
+//
+// Returns the last node in the list or NULL if list is empty
+//
+DL_NODE *dlist_get_first(DL_NODE *list)
+{
+ DL_NODE *temp = list;
+
+ if (!list)
+ return NULL;
+
+ while (temp->prev != NULL)
+ temp = temp->prev;
+
+ return temp;
+}
+
+// Function: dlist_get_last()
+//
+// Returns the last node in the list or NULL if list is empty
+//
+DL_NODE *dlist_get_last(DL_NODE *list)
+{
+ DL_NODE *temp = list;
+
+ if (!list)
+ return NULL;
+
+ while (temp->next != NULL)
+ temp = temp->next;
+
+ return temp;
+}
+
+//
+//
+CK_ULONG dlist_length(DL_NODE *list)
+{
+ DL_NODE *temp = list;
+ CK_ULONG len = 0;
+
+ while (temp) {
+ len++;
+ temp = temp->next;
+ }
+
+ return len;
+}
+
+//
+//
+DL_NODE *dlist_next(DL_NODE *node)
+{
+ if (!node)
+ return NULL;
+
+ return node->next;
+}
+
+//
+//
+DL_NODE *dlist_prev(DL_NODE *node)
+{
+ if (!node)
+ return NULL;
+
+ return node->prev;
+}
+
+//
+//
+void dlist_purge(DL_NODE *list)
+{
+ DL_NODE *node;
+
+ if (!list)
+ return;
+
+ do {
+ node = list->next;
+ free(list);
+ list = node;
+ } while (list);
+}
+
+// Function: dlist_remove_node()
+//
+// Attempts to remove the specified node from the list. The caller is
+// responsible for freeing the data associated with the node prior to
+// calling this routine
+//
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
+{
+ DL_NODE *temp = list;
+
+ if (!list || !node)
+ return NULL;
+
+ // special case: removing head of the list
+ //
+ if (list == node) {
+ temp = list->next;
+ if (temp)
+ temp->prev = NULL;
+
+ free(list);
+ return temp;
+ }
+ // we have no guarantee that the node is in the list
+ // so search through the list to find it
+ //
+ while ((temp != NULL) && (temp->next != node))
+ temp = temp->next;
+
+ if (temp != NULL) {
+ DL_NODE *next = node->next;
+
+ temp->next = next;
+ if (next)
+ next->prev = temp;
+
+ free(node);
+ }
+
+ return list;
+}
diff --git a/usr/lib/common/dlist.h b/usr/lib/common/dlist.h
new file mode 100644
index 00000000..eda4af9c
--- /dev/null
+++ b/usr/lib/common/dlist.h
@@ -0,0 +1,32 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2021
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+
+
+#ifndef _DLIST_H_
+#define _DLIST_H_
+
+#include "pkcs11types.h"
+#include "defs.h"
+
+// linked-list routines
+//
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
+DL_NODE *dlist_find(DL_NODE *list, void *data);
+DL_NODE *dlist_get_first(DL_NODE *list);
+DL_NODE *dlist_get_last(DL_NODE *list);
+CK_ULONG dlist_length(DL_NODE *list);
+DL_NODE *dlist_next(DL_NODE *list);
+DL_NODE *dlist_prev(DL_NODE *list);
+void dlist_purge(DL_NODE *list);
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
+
+#endif
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 63aff79f..5e251d95 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -24,6 +24,7 @@
#define _H_EXTERN_H
#include <stdio.h>
+#include "dlist.h"
// global variables
//
@@ -1759,19 +1760,6 @@ int ec_point_from_public_data(const CK_BYTE *data, CK_ULONG data_len,
CK_BBOOL *allocated, CK_BYTE **ec_point,
CK_ULONG *ec_point_len);
-// linked-list routines
-//
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
-DL_NODE *dlist_find(DL_NODE *list, void *data);
-DL_NODE *dlist_get_first(DL_NODE *list);
-DL_NODE *dlist_get_last(DL_NODE *list);
-CK_ULONG dlist_length(DL_NODE *list);
-DL_NODE *dlist_next(DL_NODE *list);
-DL_NODE *dlist_prev(DL_NODE *list);
-void dlist_purge(DL_NODE *list);
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
-
CK_RV attach_shm(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id);
CK_RV detach_shm(STDLL_TokData_t *tokdata, CK_BBOOL ignore_ref_count);
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
index 38d8d959..b2c6ee50 100644
--- a/usr/lib/common/utility.c
+++ b/usr/lib/common/utility.c
@@ -40,203 +40,6 @@
#include <sys/file.h>
#include <syslog.h>
-// Function: dlist_add_as_first()
-//
-// Adds the specified node to the start of the list
-//
-// Returns: pointer to the start of the list
-//
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
-{
- DL_NODE *node = NULL;
-
- if (!data)
- return list;
-
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
- if (!node)
- return NULL;
-
- node->data = data;
- node->prev = NULL;
- node->next = list;
- if (list)
- list->prev = node;
-
- return node;
-}
-
-// Function: dlist_add_as_last()
-//
-// Adds the specified node to the end of the list
-//
-// Returns: pointer to the start of the list
-//
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
-{
- DL_NODE *node = NULL;
-
- if (!data)
- return list;
-
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
- if (!node)
- return NULL;
-
- node->data = data;
- node->next = NULL;
-
- if (!list) {
- node->prev = NULL;
- return node;
- } else {
- DL_NODE *temp = dlist_get_last(list);
- temp->next = node;
- node->prev = temp;
-
- return list;
- }
-}
-
-// Function: dlist_find()
-//
-DL_NODE *dlist_find(DL_NODE *list, void *data)
-{
- DL_NODE *node = list;
-
- while (node && node->data != data)
- node = node->next;
-
- return node;
-}
-
-// Function: dlist_get_first()
-//
-// Returns the last node in the list or NULL if list is empty
-//
-DL_NODE *dlist_get_first(DL_NODE *list)
-{
- DL_NODE *temp = list;
-
- if (!list)
- return NULL;
-
- while (temp->prev != NULL)
- temp = temp->prev;
-
- return temp;
-}
-
-// Function: dlist_get_last()
-//
-// Returns the last node in the list or NULL if list is empty
-//
-DL_NODE *dlist_get_last(DL_NODE *list)
-{
- DL_NODE *temp = list;
-
- if (!list)
- return NULL;
-
- while (temp->next != NULL)
- temp = temp->next;
-
- return temp;
-}
-
-//
-//
-CK_ULONG dlist_length(DL_NODE *list)
-{
- DL_NODE *temp = list;
- CK_ULONG len = 0;
-
- while (temp) {
- len++;
- temp = temp->next;
- }
-
- return len;
-}
-
-//
-//
-DL_NODE *dlist_next(DL_NODE *node)
-{
- if (!node)
- return NULL;
-
- return node->next;
-}
-
-//
-//
-DL_NODE *dlist_prev(DL_NODE *node)
-{
- if (!node)
- return NULL;
-
- return node->prev;
-}
-
-//
-//
-void dlist_purge(DL_NODE *list)
-{
- DL_NODE *node;
-
- if (!list)
- return;
-
- do {
- node = list->next;
- free(list);
- list = node;
- } while (list);
-}
-
-// Function: dlist_remove_node()
-//
-// Attempts to remove the specified node from the list. The caller is
-// responsible for freeing the data associated with the node prior to
-// calling this routine
-//
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
-{
- DL_NODE *temp = list;
-
- if (!list || !node)
- return NULL;
-
- // special case: removing head of the list
- //
- if (list == node) {
- temp = list->next;
- if (temp)
- temp->prev = NULL;
-
- free(list);
- return temp;
- }
- // we have no guarantee that the node is in the list
- // so search through the list to find it
- //
- while ((temp != NULL) && (temp->next != node))
- temp = temp->next;
-
- if (temp != NULL) {
- DL_NODE *next = node->next;
-
- temp->next = next;
- if (next)
- next->prev = temp;
-
- free(node);
- }
-
- return list;
-}
-
CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t *tokdata)
{
char lockfile[PATH_MAX];
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
index bc617124..b5574d9e 100644
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = \
usr/lib/common/utility.c usr/lib/common/trace.c \
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
usr/lib/common/attributes.c usr/lib/common/sw_crypt.c \
- usr/lib/common/profile_obj.c \
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
usr/lib/common/pkey_utils.c \
usr/lib/ep11_stdll/new_host.c usr/lib/ep11_stdll/ep11_specific.c
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
index d8448486..8f467e11 100644
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
@@ -34,7 +34,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
usr/lib/common/verify_mgr.c usr/lib/common/trace.c \
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
usr/lib/common/profile_obj.c usr/lib/common/attributes.c \
- usr/lib/ica_s390_stdll/ica_specific.c
+ usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
index 788478c2..21c64f9a 100644
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = \
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
usr/lib/common/attributes.c usr/lib/icsf_stdll/new_host.c \
- usr/lib/common/profile_obj.c \
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
usr/lib/icsf_stdll/pbkdf.c usr/lib/icsf_stdll/icsf_specific.c \
usr/lib/icsf_stdll/icsf_config_parse.y \
usr/lib/icsf_stdll/icsf_config_lexer.l \
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
index cea802b5..ac401539 100644
--- a/usr/lib/soft_stdll/soft_stdll.mk
+++ b/usr/lib/soft_stdll/soft_stdll.mk
@@ -32,7 +32,8 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
usr/lib/common/utility.c usr/lib/common/verify_mgr.c \
usr/lib/common/trace.c usr/lib/common/mech_list.c \
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
- usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c
+ usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
+ usr/lib/common/dlist.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
index f199a103..0e0eb024 100644
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
@@ -34,7 +34,8 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
usr/lib/common/verify_mgr.c usr/lib/common/mech_list.c \
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
usr/lib/tpm_stdll/tpm_specific.c usr/lib/common/attributes.c \
- usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c
+ usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
+ usr/lib/common/dlist.c
if ENABLE_LOCKS
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
index a223265f..cc40f819 100644
--- a/usr/sbin/pkcscca/pkcscca.mk
+++ b/usr/sbin/pkcscca/pkcscca.mk
@@ -36,7 +36,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = \
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
usr/lib/common/attributes.c usr/lib/common/mech_rng.c \
- usr/lib/common/pkcs_utils.c \
+ usr/lib/common/pkcs_utils.c usr/lib/common/dlist.c \
usr/sbin/pkcscca/pkcscca.c
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.mk b/usr/sbin/pkcsslotd/pkcsslotd.mk
index 4f0e3c56..2d36b4a9 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.mk
+++ b/usr/sbin/pkcsslotd/pkcsslotd.mk
@@ -21,5 +21,6 @@ usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
usr/sbin/pkcsslotd/socket_server.c
nodist_usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
- usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c
+ usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c \
+ usr/lib/common/dlist.c
usr/sbin/pkcsslotd/slotmgr.$(OBJEXT): usr/lib/common/parser.h

25
SOURCES/opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch Normal file
View File

@ -0,0 +1,25 @@
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 8 15:18:30 2021 +0200
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
When migrating a slot the opencryptoki.conf file is modified. If it
contains slots that already contain the 'tokversion = x.y' keyword,
this is accidentally removed when migrating another slot.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 3df1596e..05081aff 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
{
struct parseupdate *u = (struct parseupdate *)private;
- if (tok != KW_TOKVERSION)
+ if (tok == KW_TOKVERSION && !u->activeslot)
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
vers >> 16, vers & 0xffu);
return 0;

310
SOURCES/opencryptoki-3.16.0-e9548127edae313da7840bcb87fd0afd04549c2e.patch Normal file
View File

@ -0,0 +1,310 @@
commit e9548127edae313da7840bcb87fd0afd04549c2e
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Feb 8 15:26:23 2021 +0100
pkcsslotd: Refactoring in preparation for event support
No functional change so far, just making things a bit bore clearer.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
index 3950a9a3..4d038435 100644
--- a/usr/include/slotmgr.h
+++ b/usr/include/slotmgr.h
@@ -30,7 +30,7 @@
#define TOK_PATH SBIN_PATH "/pkcsslotd"
#define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
-#define SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
+#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
#define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index b74b763f..2873a20a 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -2831,7 +2831,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
TRACE_DEBUG("Shared memory %p \n", Anchor->SharedMemP);
/* Connect to slot daemon and retrieve slot infos */
- Anchor->socketfd = connect_socket(SOCKET_FILE_PATH);
+ Anchor->socketfd = connect_socket(PROC_SOCKET_FILE_PATH);
if (Anchor->socketfd < 0) {
OCK_SYSLOG(LOG_ERR, "C_Initialize: Module failed to create a "
"socket. Verify that the slot management daemon is "
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
index 813db9f4..69eb59f3 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
@@ -61,7 +61,6 @@ extern key_t tok;
extern Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
extern unsigned int NumberSlotsInDB;
-extern int socketfd;
extern Slot_Mgr_Socket_t socketData;
@@ -89,9 +88,9 @@ int XProcLock(void);
int XProcUnLock(void);
int CreateXProcLock(void);
-int CreateListenerSocket(void);
-int InitSocketData(Slot_Mgr_Socket_t *sp);
-int SocketConnectionHandler(int socketfd, int timeout_secs);
-void DetachSocketListener(int socketfd);
+int init_socket_server();
+int term_socket_server();
+int init_socket_data(Slot_Mgr_Socket_t *sp);
+int socket_connection_handler(int timeout_secs);
#endif /* _SLOTMGR_H */
diff --git a/usr/sbin/pkcsslotd/signal.c b/usr/sbin/pkcsslotd/signal.c
index cf7b9087..49482a2f 100644
--- a/usr/sbin/pkcsslotd/signal.c
+++ b/usr/sbin/pkcsslotd/signal.c
@@ -101,7 +101,7 @@ void slotdGenericSignalHandler(int Signal)
InfoLog("Exiting on %s (%d; %#x)", SignalConst(Signal), Signal, Signal);
- DetachSocketListener(socketfd);
+ term_socket_server();
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index ea5c86f5..94288f13 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -37,7 +37,6 @@ unsigned int NumberSlotsInDB = 0;
Slot_Info_t_64 *psinfo;
-int socketfd;
Slot_Mgr_Socket_t socketData;
struct dircheckinfo_s {
@@ -569,15 +568,15 @@ int main(int argc, char *argv[], char *envp[])
if (!XProcUnLock())
return 4;
- if ((socketfd = CreateListenerSocket()) < 0) {
+ if (!init_socket_server()) {
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
return 5;
}
- if (!InitSocketData(&socketData)) {
- DetachSocketListener(socketfd);
+ if (!init_socket_data(&socketData)) {
+ term_socket_server();
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
@@ -598,7 +597,7 @@ int main(int argc, char *argv[], char *envp[])
if (Daemon) {
pid_t pid;
if ((pid = fork()) < 0) {
- DetachSocketListener(socketfd);
+ term_socket_server();
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
@@ -643,7 +642,7 @@ int main(int argc, char *argv[], char *envp[])
* the daemonization process redefines our handler for (at least) SIGTERM
*/
if (!SetupSignalHandlers()) {
- DetachSocketListener(socketfd);
+ term_socket_server();
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
@@ -664,7 +663,7 @@ int main(int argc, char *argv[], char *envp[])
printf("Start garbage \n");
/* start garbage collection thread */
if (!StartGCThread(shmp)) {
- DetachSocketListener(socketfd);
+ term_socket_server();
DestroyMutexes();
DetachFromSharedMemory();
DestroySharedMemory();
@@ -684,7 +683,7 @@ int main(int argc, char *argv[], char *envp[])
#if !(THREADED) && !(NOGARBAGE)
CheckForGarbage(shmp);
#endif
- SocketConnectionHandler(socketfd, 10);
+ socket_connection_handler(10);
}
/*************************************************************
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
index ae0eff92..1fae0b95 100644
--- a/usr/sbin/pkcsslotd/socket_server.c
+++ b/usr/sbin/pkcsslotd/socket_server.c
@@ -25,10 +25,14 @@
#include "pkcsslotd.h"
#include "apictl.h"
+int proc_listener_socket = -1;
+
+static void close_listener_socket(int socketfd, const char *file_path);
+
// Creates the daemon's listener socket, to which clients will connect and
// retrieve slot information through. Returns the file descriptor of the
// created socket.
-int CreateListenerSocket(void)
+static int create_listener_socket(const char *file_path)
{
struct sockaddr_un address;
struct group *grp;
@@ -39,53 +43,60 @@ int CreateListenerSocket(void)
ErrLog("Failed to create listener socket, errno 0x%X.", errno);
return -1;
}
- if (unlink(SOCKET_FILE_PATH) && errno != ENOENT) {
+ if (unlink(file_path) && errno != ENOENT) {
ErrLog("Failed to unlink socket file, errno 0x%X.", errno);
- close(socketfd);
- return -1;
+ goto error;
}
memset(&address, 0, sizeof(struct sockaddr_un));
address.sun_family = AF_UNIX;
- strcpy(address.sun_path, SOCKET_FILE_PATH);
+ strcpy(address.sun_path, file_path);
if (bind(socketfd,
(struct sockaddr *) &address, sizeof(struct sockaddr_un)) != 0) {
ErrLog("Failed to bind to socket, errno 0x%X.", errno);
- close(socketfd);
- return -1;
+ goto error;
}
// make socket file part of the pkcs11 group, and write accessable
// for that group
grp = getgrnam("pkcs11");
if (!grp) {
ErrLog("Group PKCS#11 does not exist");
- DetachSocketListener(socketfd);
- return -1;
+ goto error;
}
- if (chown(SOCKET_FILE_PATH, 0, grp->gr_gid)) {
+ if (chown(file_path, 0, grp->gr_gid)) {
ErrLog("Could not change file group on socket, errno 0x%X.", errno);
- DetachSocketListener(socketfd);
- return -1;
+ goto error;
}
- if (chmod(SOCKET_FILE_PATH,
+ if (chmod(file_path,
S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP | S_IXUSR | S_IXGRP)) {
ErrLog("Could not change file permissions on socket, errno 0x%X.",
errno);
- DetachSocketListener(socketfd);
- return -1;
+ goto error;
}
if (listen(socketfd, 20) != 0) {
ErrLog("Failed to listen to socket, errno 0x%X.", errno);
- DetachSocketListener(socketfd);
- return -1;
+ goto error;
}
return socketfd;
+
+error:
+ if (socketfd >= 0)
+ close_listener_socket(socketfd, file_path);
+
+ return -1;
+}
+
+
+static void close_listener_socket(int socketfd, const char *file_path)
+{
+ close(socketfd);
+ unlink(file_path);
}
-int InitSocketData(Slot_Mgr_Socket_t *socketData)
+int init_socket_data(Slot_Mgr_Socket_t *socketData)
{
unsigned int processed = 0;
@@ -102,19 +113,19 @@ int InitSocketData(Slot_Mgr_Socket_t *socketData)
return TRUE;
}
-int SocketConnectionHandler(int socketfd, int timeout_secs)
+int socket_connection_handler(int timeout_secs)
{
int returnVal;
fd_set set;
struct timeval timeout;
FD_ZERO(&set);
- FD_SET(socketfd, &set);
+ FD_SET(proc_listener_socket, &set);
timeout.tv_sec = timeout_secs;
timeout.tv_usec = 0;
- returnVal = select(socketfd + 1, &set, NULL, NULL, &timeout);
+ returnVal = select(proc_listener_socket + 1, &set, NULL, NULL, &timeout);
if (returnVal == -1) {
ErrLog("select failed on socket connection, errno 0x%X.", errno);
return FALSE;
@@ -125,7 +136,7 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
struct sockaddr_un address;
socklen_t address_length = sizeof(address);
- int connectionfd = accept(socketfd,
+ int connectionfd = accept(proc_listener_socket,
(struct sockaddr *) &address,
&address_length);
if (connectionfd < 0) {
@@ -138,6 +149,10 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
}
return FALSE;
}
+
+ DbgLog(DL0, "Accepted connection from process: socket: %d",
+ connectionfd);
+
if (write(connectionfd, &socketData, sizeof(socketData)) !=
sizeof(socketData)) {
ErrLog("Failed to write socket data, errno 0x%X.", errno);
@@ -149,8 +164,23 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
}
}
-void DetachSocketListener(int socketfd)
+int init_socket_server()
{
- close(socketfd);
- unlink(SOCKET_FILE_PATH);
+ proc_listener_socket = create_listener_socket(PROC_SOCKET_FILE_PATH);
+ if (proc_listener_socket < 0)
+ return FALSE;
+
+ DbgLog(DL0, "Socket server started");
+
+ return TRUE;
+}
+
+int term_socket_server()
+{
+ if (proc_listener_socket >= 0)
+ close_listener_socket(proc_listener_socket, PROC_SOCKET_FILE_PATH);
+
+ DbgLog(DL0, "Socket server stopped");
+
+ return TRUE;
}

287
SOURCES/opencryptoki-3.16.0-fa94a16116d8382a987ddf9e8cdd88027dd1f647.patch Normal file
View File

@ -0,0 +1,287 @@
commit fa94a16116d8382a987ddf9e8cdd88027dd1f647
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Feb 16 17:13:34 2021 +0100
Event support: Add event client
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/common.mk b/usr/lib/common/common.mk
index 2178ad45..882c84f4 100644
--- a/usr/lib/common/common.mk
+++ b/usr/lib/common/common.mk
@@ -4,7 +4,7 @@ noinst_HEADERS += \
usr/lib/common/shared_memory.h usr/lib/common/tok_spec_struct.h \
usr/lib/common/trace.h usr/lib/common/h_extern.h \
usr/lib/common/sw_crypt.h usr/lib/common/defs.h \
- usr/lib/common/p11util.h \
+ usr/lib/common/p11util.h usr/lib/common/event_client.h \
usr/lib/common/list.h usr/lib/common/tok_specific.h
usr/lib/common/lexer.c: usr/lib/common/parser.h
diff --git a/usr/lib/common/event_client.c b/usr/lib/common/event_client.c
new file mode 100644
index 00000000..86117b84
--- /dev/null
+++ b/usr/lib/common/event_client.c
@@ -0,0 +1,215 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2021
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/un.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <grp.h>
+
+#include "slotmgr.h"
+#include "event_client.h"
+
+static int connect_socket(const char *file_path)
+{
+ int socketfd;
+ struct sockaddr_un daemon_address;
+ struct stat file_info;
+ struct group *grp;
+ int rc;
+
+ if (stat(file_path, &file_info))
+ return -errno;
+
+ grp = getgrnam("pkcs11");
+ if (!grp)
+ return -errno;
+
+ if (file_info.st_uid != 0 || file_info.st_gid != grp->gr_gid)
+ return -EPERM;
+
+ if ((socketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
+ return -errno;
+
+ memset(&daemon_address, 0, sizeof(struct sockaddr_un));
+ daemon_address.sun_family = AF_UNIX;
+ strcpy(daemon_address.sun_path, file_path);
+
+ if (connect(socketfd, (struct sockaddr *) &daemon_address,
+ sizeof(struct sockaddr_un)) != 0) {
+ rc = -errno;
+ goto error;
+ }
+
+ return socketfd;
+
+error:
+ close(socketfd);
+ return rc;
+}
+
+static ssize_t read_all(int socketfd, char *buffer, size_t size)
+{
+ size_t bytes_received = 0;
+ ssize_t n;
+
+ while (bytes_received < size) {
+ n = read(socketfd, buffer + bytes_received, size - bytes_received);
+ if (n < 0) {
+ // read error
+ if (errno == EINTR)
+ continue;
+ return -errno;
+ }
+ if (n == 0)
+ break;
+
+ bytes_received += n;
+ }
+
+ return bytes_received;
+}
+
+static ssize_t send_all(int socketfd, char *buffer, size_t size)
+{
+ size_t bytes_sent = 0;
+ ssize_t n;
+
+ while (bytes_sent < size) {
+ n = send(socketfd, buffer + bytes_sent, size - bytes_sent, 0);
+ if (n < 0) {
+ // send error
+ if (errno == EINTR)
+ continue;
+ return -errno;
+ }
+ if (n == 0)
+ break;
+
+ bytes_sent += n;
+ }
+
+ return bytes_sent;
+}
+
+/*
+ * Initialize an admin connection to the pkcsslotd.
+ * Returns a file descriptor representing the connection, or a negative errno
+ * in case of an error.
+ */
+int init_event_client()
+{
+ int fd;
+
+ fd = connect_socket(ADMIN_SOCKET_FILE_PATH);
+
+ return fd;
+}
+
+/*
+ * Send an event though the admin connection to the pkcsslotd, and thus to
+ * all active token instances.
+ * If parameter fd is < 0, then a connection to pkcsslotd is established
+ * inside the function and closed before return. This is for a one shot event.
+ * Otherwise, pass a file descriptor received from init_event_client(). This
+ * is to send multiple events.
+ * Event type is mandatory, flags can be zero.
+ * The event payload is optional, if payload_len is non-zero, then payload must
+ * point to a buffer containing the payload to send with the event.
+ * The event destination can be used to selectively send the event to certain
+ * token instances only. If destination is NULL, it is sent to all token
+ * instances.
+ * If flag EVENT_FLAGS_REPLY_REQ is on in the flags parameter, then it is waited
+ * until all active token instances have replied. The combined result of the
+ * replies from the token instances is returned in the reply structure.
+ * Parameter reply must be non-NULL if flag EVENT_FLAGS_REPLY_REQ is set.
+ * Returns zero for success, or a negative errno in case of an error. In most
+ * error cases the connection to the pkcsslotd is out of sequence and can no
+ * longer be used to send further events.
+ */
+int send_event(int fd, unsigned int type, unsigned int flags,
+ unsigned int payload_len, const char *payload,
+ const struct event_destination *destination,
+ struct event_reply *reply)
+{
+ event_msg_t event_msg;
+ event_reply_t event_reply;
+ int rc, term = 0;
+
+ if (payload_len > 0 && payload == NULL)
+ return -EINVAL;
+ if ((flags & EVENT_FLAGS_REPLY_REQ) && reply == NULL)
+ return -EINVAL;
+ if (payload_len > EVENT_MAX_PAYLOAD_LENGTH)
+ return -EMSGSIZE;
+
+ if (fd < 0) {
+ fd = init_event_client();
+ if (fd < 0)
+ return fd;
+ term = 1;
+ }
+
+ memset(&event_msg, 0, sizeof(event_msg));
+ event_msg.version = EVENT_VERSION_1;
+ event_msg.type = type;
+ event_msg.flags = flags;
+ if (destination != NULL) {
+ event_msg.token_type = destination->token_type;
+ memcpy(event_msg.token_label, destination->token_label,
+ sizeof(event_msg.token_label));
+ event_msg.process_id = destination->process_id;
+ } else {
+ memset(event_msg.token_label, ' ', sizeof(event_msg.token_label));
+ }
+ event_msg.payload_len = payload_len;
+
+ rc = send_all(fd, (char *)&event_msg, sizeof(event_msg));
+ if (rc < 0)
+ goto out;
+
+ if (payload_len > 0) {
+ rc = send_all(fd, (char *)payload, payload_len);
+ if (rc < 0)
+ goto out;
+ }
+
+ if (flags & EVENT_FLAGS_REPLY_REQ) {
+ rc = read_all(fd, (char *)&event_reply, sizeof(event_reply));
+ if (rc < 0)
+ goto out;
+
+ reply->positive_replies = event_reply.positive_replies;
+ reply->negative_replies = event_reply.negative_replies;
+ reply->nothandled_replies = event_reply.nothandled_replies;
+ }
+
+ rc = 0;
+
+out:
+ if (term)
+ term_event_client(fd);
+
+ return rc;
+}
+
+/*
+ * Terminate the admin connection to the pkcsslotd.
+ */
+void term_event_client(int fd)
+{
+ if (fd >= 0)
+ close(fd);
+}
+
diff --git a/usr/lib/common/event_client.h b/usr/lib/common/event_client.h
new file mode 100644
index 00000000..2e4917b0
--- /dev/null
+++ b/usr/lib/common/event_client.h
@@ -0,0 +1,39 @@
+/*
+ * COPYRIGHT (c) International Business Machines Corp. 2021
+ *
+ * This program is provided under the terms of the Common Public License,
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
+ * found in the file LICENSE file or at
+ * https://opensource.org/licenses/cpl1.0.php
+ */
+
+
+#ifndef _EVENT_CLIENT_H_
+#define _EVENT_CLIENT_H_
+
+#include "events.h"
+
+struct event_destination {
+ unsigned int token_type; /* Destination token type: EVENT_TOK_TYPE_xxx */
+ char token_label[member_size(event_msg_t, token_label)];
+ /* Label of destination token (or blanks) */
+ pid_t process_id; /* Process ID of destination process (or 0) */
+};
+
+struct event_reply {
+ unsigned long positive_replies;
+ unsigned long negative_replies;
+ unsigned long nothandled_replies;
+};
+
+int init_event_client();
+
+int send_event(int fd, unsigned int type, unsigned int flags,
+ unsigned int payload_len, const char *payload,
+ const struct event_destination *destination,
+ struct event_reply *reply);
+
+void term_event_client(int fd);
+
+#endif

106
SOURCES/opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch Normal file
View File

@ -0,0 +1,106 @@
commit 5951869263b556280da53498270cf4826f779c5b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jul 13 09:05:22 2021 +0200
pkcstok_migrate: Fix detection if pkcsslotd is still running
Change the code to use the pid file that pkcsslotd creates, and check
if the process with the pid contained in the pid file still exists and
runs pkcsslotd.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 05081aff..a29dc8f7 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
*/
static CK_BBOOL pkcsslotd_running(void)
{
- DIR *dir;
FILE *fp;
- struct dirent* ent;
char* endptr;
- char buf[PATH_MAX];
+ long lpid;
char fname[PATH_MAX];
+ char buf[PATH_MAX];
+ char* first;
TRACE_INFO("Checking if pkcsslotd is running ...\n");
- if (!(dir = opendir("/proc"))) {
- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
- return CK_TRUE;
+
+ fp = fopen(PID_FILE_PATH, "r");
+ if (fp == NULL) {
+ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
+ PID_FILE_PATH);
+ return CK_FALSE;
}
- while ((ent = readdir(dir)) != NULL) {
- /* if endptr is not a null character, the directory is not
- * entirely numeric, so ignore it */
- long lpid = strtol(ent->d_name, &endptr, 10);
- if (*endptr != '\0') {
- continue;
- }
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
+ strerror(errno));
+ fclose(fp);
+ return CK_FALSE;
+ }
+ fclose(fp);
- /* try to open the cmdline file */
- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
- fp = fopen(fname, "r");
- if (!fp) {
- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
- return CK_TRUE;
- }
+ lpid = strtol(buf, &endptr, 10);
+ if (*endptr != '\0' && *endptr != '\n') {
+ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
+ buf);
+ return CK_FALSE;
+ }
- /* check the first token in the file: the program pathname */
- if (fgets(buf, sizeof(buf), fp) != NULL) {
- char* first = strtok(buf, " ");
- if (!first) {
- TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
- fname);
- return CK_TRUE;
- }
- if (strstr(first, "pkcsslotd") != NULL) {
- fclose(fp);
- closedir(dir);
- return CK_TRUE;
- }
- }
+ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
+ fp = fopen(fname, "r");
+ if (fp == NULL) {
+ TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
+ return CK_FALSE;
+ }
+
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ TRACE_INFO("Failed to read '%s'\n", fname);
fclose(fp);
+ return CK_FALSE;
}
+ fclose(fp);
- closedir(dir);
- return CK_FALSE;
+ first = strtok(buf, " ");
+ return (first != NULL && strstr(first, "pkcsslotd") != NULL);
}
/**

24
SOURCES/opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch Normal file
View File

@ -0,0 +1,24 @@
commit 11196c4d7e221d29f0d385bd48ae4d6023a6e874
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 10:56:17 2021 +0200
CONFIGURE: fix configure.ac for --with-openssl
The openSSL include files are in <openssl-path>/include while
the libraries are in <openssl-path> directly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index e2cc537a..d3374476 100644
--- a/configure.ac
+++ b/configure.ac
@@ -272,7 +272,7 @@ OPENSSL_CFLAGS=
OPENSSL_LIBS=
if test "x$with_openssl" != "xno"; then
if test "x$with_openssl" != "xyes" -a "x$with_openssl" != "xcheck"; then
- OPENSSL_CFLAGS="-I$with_openssl"
+ OPENSSL_CFLAGS="-I$with_openssl/include"
OPENSSL_LIBS="-L$with_openssl"
fi
old_cflags="$CFLAGS"

123
SOURCES/opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch Normal file
View File

@ -0,0 +1,123 @@
commit 11a53055b22d590bd3c197908b0ff63f6fd3c520
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jun 29 17:35:18 2021 +0200
COMMON: mech_ec: Remove deprecated OpenSSL functions
All low level EC_KEY functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/ec_defs.h b/usr/lib/common/ec_defs.h
index 1f48794b..897cf891 100644
--- a/usr/lib/common/ec_defs.h
+++ b/usr/lib/common/ec_defs.h
@@ -14,13 +14,6 @@
#include <openssl/opensslv.h>
#include "ec_curves.h"
-/* OpenSSL compat */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-# define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp
-# define EC_POINT_set_compressed_coordinates \
- EC_POINT_set_compressed_coordinates_GFp
-#endif
-
// Elliptic Curve type
//
#define PRIME_CURVE 0x00
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
index b54e2db9..a0a06302 100644
--- a/usr/lib/common/mech_ec.c
+++ b/usr/lib/common/mech_ec.c
@@ -32,34 +32,6 @@
#include "openssl/obj_mac.h"
#include <openssl/ec.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-/*
- * Older OpenSLL versions do not have BN_bn2binpad, so implement it here
- */
-static int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
- int len, pad;
- unsigned char *buf;
-
- len = BN_num_bytes(a);
- buf = (unsigned char *)malloc(len);
- if (buf == NULL)
- return -1;
- BN_bn2bin(a, buf);
-
- if (len >= tolen) {
- memcpy(to, buf, tolen);
- } else {
- pad = tolen - len;
- memset(to, 0, pad);
- memcpy(to + pad, buf, len);
- }
-
- free(buf);
- return tolen;
-}
-#endif
-
#ifndef NID_brainpoolP160r1
/*
* Older OpenSLL versions may not have the brainpool NIDs defined, define them
@@ -1522,9 +1494,8 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
CK_BYTE *d, CK_ULONG d_len,
CK_BYTE **point, CK_ULONG *point_len)
{
- EC_KEY *eckey = NULL;
EC_POINT *pub_key = NULL;
- const EC_GROUP *group = NULL;
+ EC_GROUP *group = NULL;
int nid, p_len;
BIGNUM *bn_d = NULL, *bn_x = NULL, *bn_y = NULL;
CK_RV rc = CKR_OK;
@@ -1541,17 +1512,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
goto done;
}
- eckey = EC_KEY_new_by_curve_name(nid);
- if (eckey == NULL) {
- rc = CKR_FUNCTION_FAILED;
- goto done;
- }
- if (EC_KEY_set_private_key(eckey, bn_d) != 1) {
- rc = CKR_FUNCTION_FAILED;
- goto done;
- }
-
- group = EC_KEY_get0_group(eckey);
+ group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -1576,7 +1537,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
rc = CKR_HOST_MEMORY;
goto done;
}
- if (!EC_POINT_get_affine_coordinates_GFp(group, pub_key, bn_x, bn_y, NULL)) {
+ if (!EC_POINT_get_affine_coordinates(group, pub_key, bn_x, bn_y, NULL)) {
rc = CKR_FUNCTION_FAILED;
goto done;
}
@@ -1599,13 +1560,13 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
done:
if (pub_key)
EC_POINT_free(pub_key);
- if (eckey)
- EC_KEY_free(eckey);
BN_clear_free(bn_x);
BN_clear_free(bn_y);
BN_clear_free(bn_d);
if (ec_point != NULL)
free(ec_point);
+ if (group != NULL)
+ EC_GROUP_free(group);
return rc;
}

30
SOURCES/opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch Normal file
View File

@ -0,0 +1,30 @@
commit 145a696d478a1694ef314659a3d374f03f75c1b1
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 13:49:09 2021 +0200
CONFIGURE: Remove AC_FUNC_MALLOC and AC_FUNC_REALLOC
The AC_FUNC_MALLOC configure check might add the rpl_malloc() entry if it
does not like the default malloc implementation. The user would need to
provide the rpl_malloc implementation. This happens depending on compiler and
OS/distro being used. Same applies for AC_FUNC_REALLOC and rpl_realloc.
It happened for me when I configured it with address sanitizer (libubsan,
libasan) activated.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index d3374476..286b7408 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,10 +39,8 @@ dnl Checks for library functions.
AC_FUNC_ALLOCA
AC_FUNC_CHOWN
AC_FUNC_FORK
-AC_FUNC_MALLOC
AC_FUNC_MKTIME
AC_FUNC_MMAP
-AC_FUNC_REALLOC
AC_FUNC_STRERROR_R
AC_CHECK_FUNCS([atexit ftruncate gettimeofday localtime_r memchr memmove \
memset mkdir munmap regcomp select socket strchr strcspn \

38
SOURCES/opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch Normal file
View File

@ -0,0 +1,38 @@
commit 2c116d49359a5eb91ad7f1483c64650c7874a513
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 14:08:03 2021 +0200
TESTCASES: Skip test if operation state is not savable
The sess_opstate testcase now handles the return code of CKR_STATE_UNSAVEABLE
from C_GetOperationState() and skips the test if that return code is
encountered.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/pkcs11/sess_opstate.c b/testcases/pkcs11/sess_opstate.c
index 3235b450..3d1ab9d7 100644
--- a/testcases/pkcs11/sess_opstate.c
+++ b/testcases/pkcs11/sess_opstate.c
@@ -123,6 +123,10 @@ int sess_opstate_funcs(int loops)
opstatelen = 0;
rc = funcs->C_GetOperationState(s2, NULL, &opstatelen);
if (rc != CKR_OK) {
+ if (rc == CKR_STATE_UNSAVEABLE) {
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
+ goto out;
+ }
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
goto out;
}
@@ -135,6 +139,10 @@ int sess_opstate_funcs(int loops)
rc = funcs->C_GetOperationState(s2, opstate, &opstatelen);
if (rc != CKR_OK) {
+ if (rc == CKR_STATE_UNSAVEABLE) {
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
+ goto out;
+ }
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
goto out;
}

41
SOURCES/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch Normal file
View File

@ -0,0 +1,41 @@
commit 376e664f082b66de970b62a81588b034fd560d27
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Aug 13 10:54:44 2021 +0200
TESTCASES: Remove RSA public exponent restriction for Soft token
Since commit "Allow small RSA exponents in the default provider"
https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce
in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft
token to RSA public exponents of 3 and 65537 only.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/common/common.c b/testcases/common/common.c
index 0a64ecf2..abbe354f 100644
--- a/testcases/common/common.c
+++ b/testcases/common/common.c
@@ -16,6 +16,8 @@
#include "pkcs11types.h"
#include "regress.h"
+#define UNUSED(var) ((void)(var))
+
CK_FUNCTION_LIST *funcs;
CK_FUNCTION_LIST_3_0 *funcs3;
CK_INTERFACE *ifs;
@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
/** Returns true if pubexp is valid for Soft Tokens **/
int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
{
- CK_BYTE exp3[] = { 0x03 }; // 3
- CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
+ UNUSED(pubexp);
+ UNUSED(pubexp_len);
- return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
- || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
+ return TRUE;
}
/** Returns true if slot_id is an ICSF token

37
SOURCES/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch Normal file
View File

@ -0,0 +1,37 @@
commit 4dd8a952fc00dd54cce090e4c053de408ba3884b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Aug 24 10:14:39 2021 +0200
SOFT: Detect unsupported EC curves with OpenSSL 3.0
OpenSSL 3.0 behaves different in reporting an error when an unsupported
EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error
at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns
an error only at EVP_PKEY_keygen().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 43fd17c3..03767ec8 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -51,6 +51,7 @@
#include <openssl/cmac.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
+#include <openssl/err.h>
#if OPENSSL_VERSION_PREREQ(3, 0)
#include <openssl/core_names.h>
#include <openssl/param_build.h>
@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata,
if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) {
TRACE_ERROR("EVP_PKEY_keygen failed\n");
- rc = CKR_FUNCTION_FAILED;
+ if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE)
+ rc = CKR_CURVE_NOT_SUPPORTED;
+ else
+ rc = CKR_FUNCTION_FAILED;
goto out;
}

322
SOURCES/opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch Normal file
View File

@ -0,0 +1,322 @@
commit 50408fc3ae0f25b256dda2033d538f88c9b4f903
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 16:02:28 2021 +0200
COMMON: Fix memory leaks
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
index 59f82482..a1241693 100644
--- a/usr/lib/common/mech_aes.c
+++ b/usr/lib/common/mech_aes.c
@@ -2359,6 +2359,8 @@ CK_RV aes_mac_sign(STDLL_TokData_t *tokdata,
memcpy(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
}
@@ -2497,6 +2499,8 @@ CK_RV aes_mac_sign_final(STDLL_TokData_t *tokdata,
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2554,8 +2558,12 @@ CK_RV aes_mac_verify(STDLL_TokData_t *tokdata,
}
if (CRYPTO_memcmp(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv,
- out_data_len) == 0)
+ out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2685,8 +2693,12 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
}
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2766,6 +2778,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -2913,6 +2927,8 @@ done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2969,9 +2985,12 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
}
+ verify_mgr_cleanup(tokdata, sess, ctx);
+
return CKR_SIGNATURE_INVALID;
}
@@ -3105,8 +3124,12 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
return rc;
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
index 591ad3fa..3582102a 100644
--- a/usr/lib/common/mech_des3.c
+++ b/usr/lib/common/mech_des3.c
@@ -2006,6 +2006,8 @@ CK_RV des3_mac_sign(STDLL_TokData_t *tokdata,
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
}
@@ -2144,6 +2146,8 @@ CK_RV des3_mac_sign_final(STDLL_TokData_t *tokdata,
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2197,8 +2201,12 @@ CK_RV des3_mac_verify(STDLL_TokData_t *tokdata,
key_obj = NULL;
if (CRYPTO_memcmp(out_data, ((DES_DATA_CONTEXT *) ctx->context)->iv,
- out_data_len) == 0)
+ out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2328,8 +2336,12 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
}
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2410,6 +2422,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2553,6 +2567,8 @@ done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2605,8 +2621,12 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
}
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
+
return CKR_SIGNATURE_INVALID;
}
@@ -2739,8 +2759,12 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
ctx->context_free_func = des3_cmac_cleanup;
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
diff --git a/usr/lib/common/new_host.c b/usr/lib/common/new_host.c
index d01091f9..8bff6ada 100644
--- a/usr/lib/common/new_host.c
+++ b/usr/lib/common/new_host.c
@@ -174,6 +174,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -186,6 +187,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -218,6 +220,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index a0e7517c..45f13551 100644
--- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c
@@ -164,6 +164,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -176,6 +177,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -208,6 +210,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
index 09e9d27a..eed632c3 100644
--- a/usr/lib/icsf_stdll/new_host.c
+++ b/usr/lib/icsf_stdll/new_host.c
@@ -162,6 +162,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -174,6 +175,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -206,6 +208,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
index 45bc4b78..c7557108 100644
--- a/usr/lib/tpm_stdll/tpm_specific.c
+++ b/usr/lib/tpm_stdll/tpm_specific.c
@@ -213,6 +213,10 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
}
tpm_data = (tpm_private_data_t *)calloc(1, sizeof(tpm_private_data_t));
+ if (tpm_data == NULL) {
+ TRACE_ERROR("calloc failed\n");
+ return CKR_HOST_MEMORY;
+ }
tokdata->private_data = tpm_data;
tpm_data->tspContext = NULL_HCONTEXT;
@@ -221,12 +225,15 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
result = Tspi_Context_Create(&tpm_data->tspContext);
if (result) {
TRACE_ERROR("Tspi_Context_Create failed. rc=0x%x\n", result);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}
result = Tspi_Context_Connect(tpm_data->tspContext, NULL);
if (result) {
TRACE_ERROR("Tspi_Context_Connect failed. rc=0x%x\n", result);
+ Tspi_Context_Close(tpm_data->tspContext);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}
@@ -234,6 +241,8 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
&tpm_data->hDefaultPolicy);
if (result) {
TRACE_ERROR("Tspi_Context_GetDefaultPolicy failed. rc=0x%x\n", result);
+ Tspi_Context_Close(tpm_data->tspContext);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}

3420
SOURCES/opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch Normal file
View File

File diff suppressed because it is too large Load Diff

147
SOURCES/opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch Normal file
View File

@ -0,0 +1,147 @@
commit 533cdea6897d1bc0af13490f1c89248c52e7a73b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 11:30:00 2021 +0200
COMMON: utilities.c: Remove deprecated OpenSSL functions
Rework functions compute_sha(), compute_sha1(), and compute_md5() to
no longer use the mech_sha and mech_md5 routines, but to use the
OpenSSL EVP interface directly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
index bcdc15bf..5fc68938 100644
--- a/usr/lib/common/utility.c
+++ b/usr/lib/common/utility.c
@@ -849,66 +849,89 @@ CK_RV get_hmac_digest(CK_ULONG mech, CK_ULONG *digest_mech, CK_BBOOL *general)
return CKR_OK;
}
-/* Compute specified SHA using either software or token implementation */
+/* Compute specified SHA or MD5 using software */
CK_RV compute_sha(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash, CK_ULONG mech)
{
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len;
- CK_RV rv;
+ const EVP_MD *md;
+ unsigned int hash_len;
- memset(&ctx, 0x0, sizeof(ctx));
- ctx.mech.mechanism = mech;
+ UNUSED(tokdata);
- rv = get_sha_size(mech, &hash_len);
- if (rv != CKR_OK)
- return rv;
+ switch (mech) {
+ case CKM_MD5:
+ hash_len = MD5_HASH_SIZE;
+ md = EVP_md5();
+ break;
+ case CKM_SHA_1:
+ hash_len = SHA1_HASH_SIZE;
+ md = EVP_sha1();
+ break;
+ case CKM_SHA224:
+ case CKM_SHA512_224:
+ hash_len = SHA224_HASH_SIZE;
+ md = EVP_sha224();
+ break;
+ case CKM_SHA256:
+ case CKM_SHA512_256:
+ hash_len = SHA256_HASH_SIZE;
+ md = EVP_sha256();
+ break;
+ case CKM_SHA384:
+ hash_len = SHA384_HASH_SIZE;
+ md = EVP_sha384();
+ break;
+ case CKM_SHA512:
+ hash_len = SHA512_HASH_SIZE;
+ md = EVP_sha512();
+ break;
+#ifdef NID_sha3_224
+ case CKM_IBM_SHA3_224:
+ hash_len = SHA3_224_HASH_SIZE;
+ md = EVP_sha3_224();
+ break;
+#endif
+#ifdef NID_sha3_256
+ case CKM_IBM_SHA3_256:
+ hash_len = SHA3_256_HASH_SIZE;
+ md = EVP_sha3_256();
+ break;
+#endif
+#ifdef NID_sha3_384
+ case CKM_IBM_SHA3_384:
+ hash_len = SHA3_384_HASH_SIZE;
+ md = EVP_sha3_384();
+ break;
+#endif
+#ifdef NID_sha3_512
+ case CKM_IBM_SHA3_512:
+ hash_len = SHA3_512_HASH_SIZE;
+ md = EVP_sha3_512();
+ break;
+#endif
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
- rv = sha_init(tokdata, NULL, &ctx, &ctx.mech);
- if (rv != CKR_OK) {
- TRACE_DEBUG("failed to create digest.\n");
- return rv;
+ if (EVP_Digest(data, len, hash, &hash_len, md, NULL) != 1) {
+ TRACE_ERROR("%s EVP_Digest failed\n", __func__);
+ return CKR_FUNCTION_FAILED;
}
- rv = sha_hash(tokdata, NULL, FALSE, &ctx, data, len, hash, &hash_len);
- digest_mgr_cleanup(&ctx);
- return rv;
+ return CKR_OK;
}
/* Compute SHA1 using software implementation */
CK_RV compute_sha1(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash)
{
- // XXX KEY
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len = SHA1_HASH_SIZE;
-
- UNUSED(tokdata);
-
- memset(&ctx, 0x0, sizeof(ctx));
-
- sw_sha1_init(&ctx);
- if (ctx.context == NULL)
- return CKR_HOST_MEMORY;
-
- return sw_sha1_hash(&ctx, data, len, hash, &hash_len);
+ return compute_sha(tokdata, data, len, hash, CKM_SHA_1);
}
CK_RV compute_md5(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash)
{
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len = MD5_HASH_SIZE;
-
- UNUSED(tokdata);
-
- memset(&ctx, 0x0, sizeof(ctx));
-
- sw_md5_init(&ctx);
- if (ctx.context == NULL)
- return CKR_HOST_MEMORY;
-
- return sw_md5_hash(&ctx, data, len, hash, &hash_len);
+ return compute_sha(tokdata, data, len, hash, CKM_MD5);
}
CK_RV get_keytype(STDLL_TokData_t *tokdata, CK_OBJECT_HANDLE hkey,

174
SOURCES/opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch Normal file
View File

@ -0,0 +1,174 @@
commit 5377d25a6cbe3d07afcd08276ad7e90f62cad0c9
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 13:51:02 2021 +0200
COMMON: mech_sha: Remove deprecated OpenSSL functions
All low level SHA functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 314613a5..b3b965bf 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -1543,7 +1543,7 @@ CK_RV aes_cfb_decrypt_final(STDLL_TokData_t *tokdata, SESSION *sess,
// SHA mechanisms
//
-void sw_sha1_init(DIGEST_CONTEXT *ctx);
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx);
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
diff --git a/usr/lib/common/mech_sha.c b/usr/lib/common/mech_sha.c
index 0b9b7b28..1c81abe2 100644
--- a/usr/lib/common/mech_sha.c
+++ b/usr/lib/common/mech_sha.c
@@ -38,30 +38,49 @@
#include "tok_spec_struct.h"
#include "trace.h"
-#include <openssl/sha.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
//
// Software SHA-1 implementation (OpenSSL based)
//
-void sw_sha1_init(DIGEST_CONTEXT *ctx)
+static void sw_sha1_free(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
{
- ctx->context_len = sizeof(SHA_CTX);
- ctx->context = (CK_BYTE *) malloc(sizeof(SHA_CTX));
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
+}
+
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx)
+{
+ ctx->context_len = 1;
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
if (ctx->context == NULL) {
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- // TODO: propagate error up?
- return;
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_sha1(), NULL)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ return CKR_FUNCTION_FAILED;
}
- SHA1_Init((SHA_CTX *)ctx->context);
+ ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = sw_sha1_free;
+
+ return CKR_OK;
}
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
CK_ULONG *out_data_len)
{
+ unsigned int len;
if (!ctx || !out_data_len) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
@@ -76,43 +95,60 @@ CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
- *out_data_len = SHA1_HASH_SIZE;
+ len = *out_data_len;
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
-CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
- CK_ULONG in_data_len)
+static CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
+ CK_ULONG in_data_len)
{
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
return CKR_OK;
}
-CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
- CK_ULONG *out_data_len)
+static CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
+ CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
- *out_data_len = SHA1_HASH_SIZE;
+ if (*out_data_len < SHA1_HASH_SIZE) {
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
+ return CKR_BUFFER_TOO_SMALL;
+ }
+
+ len = *out_data_len;
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
@@ -134,8 +170,7 @@ CK_RV sha_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
* supported. JML
*/
if (mech->mechanism == CKM_SHA_1) {
- sw_sha1_init(ctx);
- return CKR_OK;
+ return sw_sha1_init(ctx);
} else {
return CKR_MECHANISM_INVALID;
}

84
SOURCES/opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch Normal file
View File

@ -0,0 +1,84 @@
commit 5cceead028ec8e0c244b01d38c9096c96d98f96b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 10:46:52 2021 +0200
ICSF: Remove support for OpenSSL < v1.1.1
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
index 4ddd0fd7..6ec4128a 100644
--- a/usr/lib/icsf_stdll/pbkdf.c
+++ b/usr/lib/icsf_stdll/pbkdf.c
@@ -82,7 +82,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
int tmplen;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, cipher, NULL, dkey, iv);
@@ -98,24 +97,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
*outbuflen = (*outbuflen) + tmplen;
EVP_CIPHER_CTX_free(ctx);
-#else
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
-
- EVP_EncryptInit_ex(&ctx, cipher, NULL, dkey, iv);
- if (!EVP_EncryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
- TRACE_ERROR("EVP_EncryptUpdate failed.\n");
- return CKR_FUNCTION_FAILED;
- }
- if (!EVP_EncryptFinal_ex(&ctx, outbuf + (*outbuflen), &tmplen)) {
- TRACE_ERROR("EVP_EncryptFinal failed.\n");
- return CKR_FUNCTION_FAILED;
- }
-
- *outbuflen = (*outbuflen) + tmplen;
- EVP_CIPHER_CTX_cleanup(&ctx);
-#endif
-
return CKR_OK;
}
@@ -125,7 +106,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
int size;
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_DecryptInit_ex(ctx, cipher, NULL, dkey, iv);
@@ -147,30 +127,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
EVP_CIPHER_CTX_free(ctx);
-#else
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
-
- EVP_DecryptInit_ex(&ctx, cipher, NULL, dkey, iv);
- if (!EVP_DecryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
- TRACE_ERROR("EVP_DecryptUpdate failed.\n");
- return CKR_FUNCTION_FAILED;
- }
- if (!EVP_DecryptFinal_ex(&ctx, outbuf + (*outbuflen), &size)) {
- TRACE_ERROR("EVP_DecryptFinal failed.\n");
- return CKR_FUNCTION_FAILED;
- }
-
- /* total length of the decrypted data */
- *outbuflen = (*outbuflen) + size;
-
- /* EVP_DecryptFinal removes any padding. The final length
- * is the length of the decrypted data without padding.
- */
-
- EVP_CIPHER_CTX_cleanup(&ctx);
-#endif
-
return CKR_OK;
}

226
SOURCES/opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch Normal file
View File

@ -0,0 +1,226 @@
commit 62fc2bcd98672c5d0ff8a2c926f3103110e91ed7
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 1 13:37:04 2021 +0200
COMMON: Perform proper context cleanup for 3DES/AES CMAC mechanisms
The handling of 3DES/AES CMAC mechanisms use a complex context structure,
that contains pointers. Such state can not be saved, and needs a custom
context free routine to properly clean up the context.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
index ad6af16b..59f82482 100644
--- a/usr/lib/common/mech_aes.c
+++ b/usr/lib/common/mech_aes.c
@@ -2691,6 +2691,24 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
return CKR_SIGNATURE_INVALID;
}
+static void aes_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
+{
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ if (((AES_CMAC_CONTEXT *)context)->ctx != NULL) {
+ token_specific.t_aes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
+ ((AES_CMAC_CONTEXT *)context)->iv,
+ CK_FALSE, CK_TRUE,
+ ((AES_CMAC_CONTEXT *)context)->ctx);
+ ((AES_CMAC_CONTEXT *)context)->ctx = NULL;
+ }
+
+ free(context);
+}
+
CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
SESSION *sess,
CK_BBOOL length_only,
@@ -2743,6 +2761,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
@@ -2816,6 +2836,8 @@ CK_RV aes_cmac_sign_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = aes_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific aes cmac failed.\n");
}
@@ -2882,6 +2904,8 @@ CK_RV aes_cmac_sign_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
@@ -2941,6 +2965,8 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
return CKR_OK;
@@ -3012,6 +3038,8 @@ CK_RV aes_cmac_verify_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = aes_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific aes cmac failed.\n");
}
@@ -3070,6 +3098,8 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
if (rc != CKR_OK) {
TRACE_DEVEL("Token specific aes mac failed.\n");
return rc;
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
index be8d6075..591ad3fa 100644
--- a/usr/lib/common/mech_des3.c
+++ b/usr/lib/common/mech_des3.c
@@ -2334,6 +2334,24 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
return CKR_SIGNATURE_INVALID;
}
+static void des3_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
+{
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ if (((DES_CMAC_CONTEXT *)context)->ctx != NULL) {
+ token_specific.t_tdes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
+ ((DES_CMAC_CONTEXT *)context)->iv,
+ CK_FALSE, CK_TRUE,
+ ((DES_CMAC_CONTEXT *)context)->ctx);
+ ((DES_CMAC_CONTEXT *)context)->ctx = NULL;
+ }
+
+ free(context);
+}
+
CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
SESSION *sess,
CK_BBOOL length_only,
@@ -2383,6 +2401,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
memcpy(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
@@ -2456,6 +2476,8 @@ CK_RV des3_cmac_sign_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = des3_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific des3 cmac failed.\n");
}
@@ -2521,6 +2543,8 @@ CK_RV des3_cmac_sign_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
@@ -2577,6 +2601,8 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
return CKR_OK;
@@ -2646,6 +2672,8 @@ CK_RV des3_cmac_verify_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = des3_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific des3 cmac failed.\n");
}
@@ -2709,6 +2737,8 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
return CKR_OK;
diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
index 77876467..881a430c 100644
--- a/usr/lib/ica_s390_stdll/ica_specific.c
+++ b/usr/lib/ica_s390_stdll/ica_specific.c
@@ -713,6 +713,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
UNUSED(ctx);
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key type
rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
if (rc != CKR_OK) {
@@ -3621,6 +3624,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
UNUSED(ctx);
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
if (rc != CKR_OK) {
TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index aeff39a9..5ca22693 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -3994,6 +3994,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
if (first) {
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key type
rv = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
if (rv != CKR_OK) {
@@ -4194,6 +4197,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
if (first) {
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key value
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
if (rc != CKR_OK) {

193
SOURCES/opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch Normal file
View File

@ -0,0 +1,193 @@
commit 6fee37f08391415cdf8d8610c501516c3d3ed29c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 13:41:57 2021 +0200
COMMON: mech_md5: Remove deprecated OpenSSL functions
All low level MD5 functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 47b96ba0..314613a5 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -1667,7 +1667,7 @@ CK_RV md5_hmac_verify(STDLL_TokData_t *tokdata,
CK_ULONG in_data_len,
CK_BYTE *signature, CK_ULONG sig_len);
-void sw_md5_init(DIGEST_CONTEXT *ctx);
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx);
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
diff --git a/usr/lib/common/mech_md5.c b/usr/lib/common/mech_md5.c
index 320e2549..65c11def 100644
--- a/usr/lib/common/mech_md5.c
+++ b/usr/lib/common/mech_md5.c
@@ -20,30 +20,50 @@
#include "tok_spec_struct.h"
#include "trace.h"
-#include <openssl/md5.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
//
// Software MD5 implementation (OpenSSL based)
//
-void sw_md5_init(DIGEST_CONTEXT *ctx)
+static void sw_md5_free(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
{
- ctx->context_len = sizeof(MD5_CTX);
- ctx->context = (CK_BYTE *) malloc(sizeof(MD5_CTX));
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
+}
+
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx)
+{
+ ctx->context_len = 1;
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
if (ctx->context == NULL) {
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- // TODO: propagate error up?
- return;
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_md5(), NULL)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ return CKR_FUNCTION_FAILED;
}
- MD5_Init((MD5_CTX *)ctx->context);
+ ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = sw_md5_free;
+
+ return CKR_OK;
}
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (!ctx || !out_data_len) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
return CKR_FUNCTION_FAILED;
@@ -57,43 +77,60 @@ CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
- *out_data_len = MD5_HASH_SIZE;
+ len = *out_data_len;
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ *out_data_len = len;
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
-CK_RV sw_MD5_Update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
- CK_ULONG in_data_len)
+static CK_RV sw_md5_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
+ CK_ULONG in_data_len)
{
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
return CKR_OK;
}
-CK_RV sw_MD5_Final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
- CK_ULONG *out_data_len)
+static CK_RV sw_md5_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
+ CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
- *out_data_len = MD5_HASH_SIZE;
+ if (*out_data_len < MD5_HASH_SIZE) {
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
+ return CKR_BUFFER_TOO_SMALL;
+ }
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ len = *out_data_len;
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
@@ -105,8 +142,7 @@ CK_RV md5_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
UNUSED(sess);
if (mech->mechanism == CKM_MD5) {
- sw_md5_init(ctx);
- return CKR_OK;
+ return sw_md5_init(ctx);
} else {
return CKR_MECHANISM_INVALID;
}
@@ -159,7 +195,7 @@ CK_RV md5_hash_update(STDLL_TokData_t *tokdata, SESSION *sess,
return CKR_OK;
if (ctx->mech.mechanism == CKM_MD5)
- return sw_MD5_Update(ctx, in_data, in_data_len);
+ return sw_md5_update(ctx, in_data, in_data_len);
else
return CKR_MECHANISM_INVALID;
}
@@ -188,7 +224,7 @@ CK_RV md5_hash_final(STDLL_TokData_t *tokdata, SESSION *sess,
}
if (ctx->mech.mechanism == CKM_MD5)
- return sw_MD5_Final(ctx, out_data, out_data_len);
+ return sw_md5_final(ctx, out_data, out_data_len);
else
return CKR_MECHANISM_INVALID;
}

1085
SOURCES/opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch Normal file
View File

File diff suppressed because it is too large Load Diff

870
SOURCES/opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch Normal file
View File

@ -0,0 +1,870 @@
commit 7b4177e8557887d196ce77a129d457e817f8cc59
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 10:47:28 2021 +0200
TPM: Remove deprecated OpenSSL functions
All low level RSA functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those, and only use the EVP
interface.
Also remove support for OpenSSL < v1.1.1. This code used even more
low level RSA, DES, and AES functions.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/tpm_stdll/tpm_openssl.c b/usr/lib/tpm_stdll/tpm_openssl.c
index 94ef9a62..0ccc543d 100644
--- a/usr/lib/tpm_stdll/tpm_openssl.c
+++ b/usr/lib/tpm_stdll/tpm_openssl.c
@@ -39,50 +39,33 @@
#include "tpm_specific.h"
-/*
- * In order to make opencryptoki compatible with
- * OpenSSL 1.1 API Changes and backward compatible
- * we need to check for its version
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define OLDER_OPENSSL
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#include <openssl/core_names.h>
#endif
#ifdef DEBUG
void openssl_print_errors()
{
+#if !OPENSSL_VERSION_PREREQ(3, 0)
ERR_load_ERR_strings();
+#endif
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
}
#endif
-RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *tokdata)
{
- RSA *rsa = NULL;
int rc = 0, counter = 0;
char buf[32];
-#ifndef OLDER_OPENSSL
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
BIGNUM *bne = NULL;
-#endif
token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
-#ifdef OLDER_OPENSSL
- rsa = RSA_generate_key(2048, 65537, NULL, NULL);
- if (rsa == NULL) {
- fprintf(stderr, "Error generating user's RSA key\n");
- ERR_load_crypto_strings();
- ERR_print_errors_fp(stderr);
- goto err;
- }
-
- rc = RSA_check_key(rsa);
-#else
bne = BN_new();
rc = BN_set_word(bne, 65537);
if (!rc) {
@@ -98,35 +81,36 @@ regen_rsa_key:
if (EVP_PKEY_keygen_init(ctx) <= 0
|| EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|| EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bne) <= 0) {
+#else
+ || EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bne) <= 0) {
+#endif
fprintf(stderr, "Error generating user's RSA key\n");
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
goto err;
}
+#if !OPENSSL_VERSION_PREREQ(3, 0)
bne = NULL; // will be freed as part of the context
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0
- || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
+#else
+ BN_free(bne);
+ bne = NULL;
+#endif
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
fprintf(stderr, "Error generating user's RSA key\n");
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
goto err;
}
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- rc = RSA_check_key(rsa);
-#else
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ctx == NULL)
goto err;
rc = (EVP_PKEY_check(ctx) == 1 ? 1 : 0);
-#endif
-#endif
switch (rc) {
case 0:
/* rsa is not a valid RSA key */
- RSA_free(rsa);
- rsa = NULL;
counter++;
if (counter == KEYGEN_RETRY) {
TRACE_DEVEL("Tried %d times to generate a "
@@ -145,30 +129,23 @@ regen_rsa_key:
break;
}
-#ifndef OLDER_OPENSSL
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
if (ctx != NULL)
EVP_PKEY_CTX_free(ctx);
if (bne != NULL)
BN_free(bne);
-#endif
- return rsa;
+ return pkey;
err:
- if (rsa != NULL)
- RSA_free(rsa);
-#ifndef OLDER_OPENSSL
if (pkey != NULL)
EVP_PKEY_free(pkey);
if (ctx != NULL)
EVP_PKEY_CTX_free(ctx);
if (bne != NULL)
BN_free(bne);
-#endif
+
return NULL;
}
-int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
+int openssl_write_key(STDLL_TokData_t * tokdata, EVP_PKEY *pkey, char *filename,
CK_BYTE * pPin)
{
BIO *b = NULL;
@@ -193,8 +170,8 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
return -1;
}
- if (!PEM_write_bio_RSAPrivateKey(b, rsa,
- EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
+ if (!PEM_write_bio_PrivateKey(b, pkey,
+ EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
BIO_free(b);
TRACE_ERROR("Writing key %s to disk failed.\n", loc);
DEBUG_openssl_print_errors();
@@ -211,10 +188,10 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
}
CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
- CK_BYTE * pPin, RSA ** ret)
+ CK_BYTE * pPin, EVP_PKEY **ret)
{
BIO *b = NULL;
- RSA *rsa = NULL;
+ EVP_PKEY *pkey = NULL;
char loc[PATH_MAX];
struct passwd *pw = NULL;
CK_RV rc = CKR_FUNCTION_FAILED;
@@ -242,7 +219,7 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
return CKR_FILE_NOT_FOUND;
}
- if ((rsa = PEM_read_bio_RSAPrivateKey(b, NULL, 0, pPin)) == NULL) {
+ if ((pkey = PEM_read_bio_PrivateKey(b, NULL, 0, pPin)) == NULL) {
TRACE_ERROR("Reading key %s from disk failed.\n", loc);
DEBUG_openssl_print_errors();
if (ERR_GET_REASON(ERR_get_error()) == PEM_R_BAD_DECRYPT) {
@@ -253,40 +230,54 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
}
BIO_free(b);
- *ret = rsa;
+ *ret = pkey;
return CKR_OK;
}
-int openssl_get_modulus_and_prime(RSA * rsa, unsigned int *size_n,
+int openssl_get_modulus_and_prime(EVP_PKEY *pkey, unsigned int *size_n,
unsigned char *n, unsigned int *size_p,
unsigned char *p)
{
-#ifndef OLDER_OPENSSL
+#if !OPENSSL_VERSION_PREREQ(3, 0)
const BIGNUM *n_tmp, *p_tmp;
+ RSA *rsa;
+#else
+ BIGNUM *n_tmp, *p_tmp;
#endif
+#if !OPENSSL_VERSION_PREREQ(3, 0)
+ rsa = EVP_PKEY_get0_RSA(pkey);
/* get the modulus from the RSA object */
-#ifdef OLDER_OPENSSL
- if ((*size_n = BN_bn2bin(rsa->n, n)) <= 0) {
-#else
RSA_get0_key(rsa, &n_tmp, NULL, NULL);
if ((*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
-#endif
DEBUG_openssl_print_errors();
return -1;
}
/* get one of the primes from the RSA object */
-#ifdef OLDER_OPENSSL
- if ((*size_p = BN_bn2bin(rsa->p, p)) <= 0) {
-#else
RSA_get0_factors(rsa, &p_tmp, NULL);
if ((*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
-#endif
DEBUG_openssl_print_errors();
return -1;
}
+#else
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n_tmp) ||
+ (*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
+ DEBUG_openssl_print_errors();
+ BN_free(n_tmp);
+ return -1;
+ }
+ BN_free(n_tmp);
+
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p_tmp) ||
+ (*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
+ DEBUG_openssl_print_errors();
+ BN_free(p_tmp);
+ return -1;
+ }
+ BN_free(p_tmp);
+#endif
return 0;
}
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
index 4ebb4a88..45bc4b78 100644
--- a/usr/lib/tpm_stdll/tpm_specific.c
+++ b/usr/lib/tpm_stdll/tpm_specific.c
@@ -1451,15 +1451,15 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_RV rc;
TSS_RESULT result;
- RSA *rsa;
+ EVP_PKEY *pkey;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
return CKR_FUNCTION_FAILED;
}
@@ -1473,13 +1473,13 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
return rc;
}
- if (openssl_write_key(tokdata, rsa, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
TRACE_DEVEL("openssl_write_key failed.\n");
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
/* store the user base key in a PKCS#11 object internally */
rc = token_store_tss_key(tokdata, tpm_data->hPrivateRootKey,
@@ -1529,15 +1529,15 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_RV rc;
TSS_RESULT result;
- RSA *rsa;
+ EVP_PKEY *pkey;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
return CKR_FUNCTION_FAILED;
}
@@ -1551,13 +1551,13 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
return rc;
}
- if (openssl_write_key(tokdata, rsa, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
TRACE_DEVEL("openssl_write_key\n");
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
result = Tspi_Key_LoadKey(tpm_data->hPublicRootKey, tpm_data->hSRK);
if (result) {
@@ -1602,7 +1602,7 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
{
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
- RSA *rsa;
+ EVP_PKEY *pkey;
char *backup_loc;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
@@ -1630,7 +1630,7 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
}
/* read the backup key with the old pin */
- if ((rc = openssl_read_key(tokdata, backup_loc, pin, &rsa))) {
+ if ((rc = openssl_read_key(tokdata, backup_loc, pin, &pkey))) {
if (rc == CKR_FILE_NOT_FOUND)
rc = CKR_FUNCTION_FAILED;
TRACE_DEVEL("openssl_read_key failed\n");
@@ -1640,8 +1640,9 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
/* So, reading the backup openssl key off disk succeeded with the SOs PIN.
* We will now try to re-wrap that key with the current SRK
*/
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
@@ -1650,10 +1651,10 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
phKey);
if (rc != CKR_OK) {
TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lx\n", rc);
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return rc;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
result = Tspi_Key_LoadKey(*phKey, tpm_data->hSRK);
if (result) {
@@ -1998,7 +1999,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_BYTE oldpin_hash[SHA1_HASH_SIZE], newpin_hash[SHA1_HASH_SIZE];
CK_RV rc;
- RSA *rsa_root;
+ EVP_PKEY *pkey_root;
TSS_RESULT result;
if (!sess) {
@@ -2094,7 +2095,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
/* read the backup key with the old pin */
rc = openssl_read_key(tokdata, TPMTOK_PRIV_ROOT_KEY_FILE, pOldPin,
- &rsa_root);
+ &pkey_root);
if (rc != CKR_OK) {
if (rc == CKR_FILE_NOT_FOUND) {
/* If the user has moved his backup PEM file off site, allow a
@@ -2107,14 +2108,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
}
/* write it out using the new pin */
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PRIV_ROOT_KEY_FILE,
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PRIV_ROOT_KEY_FILE,
pNewPin);
if (rc != CKR_OK) {
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
TRACE_DEVEL("openssl_write_key failed\n");
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
if (tpm_data->not_initialized) {
if (memcmp(default_so_pin_sha, oldpin_hash, SHA1_HASH_SIZE)) {
@@ -2166,7 +2167,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
/* change auth on the public root key's openssl backup */
rc = openssl_read_key(tokdata, TPMTOK_PUB_ROOT_KEY_FILE, pOldPin,
- &rsa_root);
+ &pkey_root);
if (rc != CKR_OK) {
if (rc == CKR_FILE_NOT_FOUND) {
/* If the user has moved his backup PEM file off site, allow a
@@ -2179,14 +2180,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
}
/* write it out using the new pin */
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PUB_ROOT_KEY_FILE,
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PUB_ROOT_KEY_FILE,
pNewPin);
if (rc != CKR_OK) {
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
TRACE_DEVEL("openssl_write_key failed\n");
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
} else {
TRACE_ERROR("%s\n", ock_err(ERR_SESSION_READ_ONLY));
rc = CKR_SESSION_READ_ONLY;
@@ -2401,60 +2402,6 @@ CK_RV token_specific_des_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
-
- DES_key_schedule des_key2;
- const_DES_cblock key_val_SSL, in_key_data;
- DES_cblock out_key_data;
- unsigned int i, j;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- // Create the key schedule
- memcpy(&key_val_SSL, attr->pValue, 8);
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // Both the encrypt and the decrypt are done 8 bytes at a time
- if (encrypt) {
- for (i = 0; i < in_data_len; i = i + 8) {
- memcpy(in_key_data, in_data + i, 8);
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
- DES_ENCRYPT);
- memcpy(out_data + i, out_key_data, 8);
- }
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
-
- for (j = 0; j < in_data_len; j = j + 8) {
- memcpy(in_key_data, in_data + j, 8);
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
- DES_DECRYPT);
- memcpy(out_data + j, out_key_data, 8);
- }
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ecb();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2501,7 +2448,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
@@ -2511,50 +2457,6 @@ CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
-
- DES_cblock ivec;
-
- DES_key_schedule des_key2;
- const_DES_cblock key_val_SSL;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- // Create the key schedule
- memcpy(&key_val_SSL, attr->pValue, 8);
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
-
- memcpy(&ivec, init_v, 8);
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
-
-
- if (encrypt) {
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
- DES_ENCRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
- DES_DECRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_cbc();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2601,7 +2503,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
@@ -2611,83 +2512,6 @@ CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
- CK_KEY_TYPE keytype;
- CK_BYTE key_value[3 * DES_KEY_SIZE];
-
- unsigned int k, j;
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
- DES_cblock out_key_data;
-
- UNUSED(tokdata);
-
- // get the key type
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
- return rc;
- }
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
- return rc;
- }
-
- if (keytype == CKK_DES2) {
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
- } else {
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
- }
-
- // The key as passed is a 24 byte long string containing three des keys
- // pick them apart and create the 3 corresponding key schedules
- memcpy(&key_SSL1, key_value, 8);
- memcpy(&key_SSL2, key_value + 8, 8);
- memcpy(&key_SSL3, key_value + 16, 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // the encrypt and decrypt are done 8 bytes at a time
- if (encrypt) {
- for (k = 0; k < in_data_len; k = k + 8) {
- memcpy(in_key_data, in_data + k, 8);
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
- (DES_cblock *) & out_key_data,
- &des_key1, &des_key2, &des_key3, DES_ENCRYPT);
- memcpy(out_data + k, out_key_data, 8);
- }
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- for (j = 0; j < in_data_len; j = j + 8) {
- memcpy(in_key_data, in_data + j, 8);
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
- (DES_cblock *) & out_key_data,
- &des_key1, &des_key2, &des_key3, DES_DECRYPT);
- memcpy(out_data + j, out_key_data, 8);
- }
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ede3_ecb();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2747,7 +2571,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
@@ -2757,81 +2580,6 @@ CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc = CKR_OK;
- CK_ATTRIBUTE *attr = NULL;
- CK_KEY_TYPE keytype;
- CK_BYTE key_value[3 * DES_KEY_SIZE];
-
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
- DES_cblock ivec;
-
- UNUSED(tokdata);
-
- // get the key type
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
- return rc;
- }
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
- return rc;
- }
-
- if (keytype == CKK_DES2) {
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
- } else {
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
- }
-
- // The key as passed in is a 24 byte string containing 3 keys
- // pick it apart and create the key schedules
- memcpy(&key_SSL1, key_value, 8);
- memcpy(&key_SSL2, key_value + 8, 8);
- memcpy(&key_SSL3, key_value + 16, 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- memcpy(ivec, init_v, sizeof(ivec));
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // Encrypt or decrypt the data
- if (encrypt) {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2891,7 +2639,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
/* wrap the 20 bytes of auth data @authData and store in an attribute of the two
@@ -3626,49 +3373,6 @@ CK_RV token_specific_aes_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_ATTRIBUTE *attr = NULL;
- AES_KEY ssl_aes_key;
- unsigned int i;
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
- * so this is fine */
- CK_ULONG loops = (CK_ULONG) (in_data_len / AES_BLOCK_SIZE);
- CK_RV rc;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
- // input data here
- if (encrypt) {
- AES_set_encrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- for (i = 0; i < loops; i++) {
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
- &ssl_aes_key, AES_ENCRYPT);
- }
- } else {
- AES_set_decrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- for (i = 0; i < loops; i++) {
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
- &ssl_aes_key, AES_DECRYPT);
- }
- }
- *out_data_len = in_data_len;
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
unsigned char akey[AES_KEY_SIZE_256];
@@ -3729,7 +3433,6 @@ done:
OPENSSL_cleanse(akey, sizeof(akey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
@@ -3739,39 +3442,6 @@ CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- AES_KEY ssl_aes_key;
- CK_ATTRIBUTE *attr = NULL;
- CK_RV rc;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
- // AES_ecb_encrypt, so no looping required.
- if (encrypt) {
- AES_set_encrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
- in_data_len, &ssl_aes_key, init_v, AES_ENCRYPT);
- } else {
- AES_set_decrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
- in_data_len, &ssl_aes_key, init_v, AES_DECRYPT);
- }
- *out_data_len = in_data_len;
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
unsigned char akey[AES_KEY_SIZE_256];
@@ -3832,7 +3502,6 @@ done:
OPENSSL_cleanse(akey, sizeof(akey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_get_mechanism_list(STDLL_TokData_t * tokdata,
diff --git a/usr/lib/tpm_stdll/tpm_specific.h b/usr/lib/tpm_stdll/tpm_specific.h
index 81af2744..2ffd0afc 100644
--- a/usr/lib/tpm_stdll/tpm_specific.h
+++ b/usr/lib/tpm_stdll/tpm_specific.h
@@ -56,10 +56,10 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key(STDLL_TokData_t *);
-int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
-CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
-int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *);
+int openssl_write_key(STDLL_TokData_t *, EVP_PKEY *, char *, CK_BYTE *);
+CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, EVP_PKEY **);
+int openssl_get_modulus_and_prime(EVP_PKEY *, unsigned int *, unsigned char *,
unsigned int *, unsigned char *);
int util_set_file_mode(char *, mode_t);
CK_BYTE *util_create_id(int);

1847
SOURCES/opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch Normal file
View File

File diff suppressed because it is too large Load Diff

115
SOURCES/opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch Normal file
View File

@ -0,0 +1,115 @@
commit ab3fceae6194e8213e9d3ffb7447ccd04d469b9d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 10:45:04 2021 +0200
COMMON: sw_crypt.c: Remove support for OpenSSL < v1.1.1
Remove support for OpenSSL < v1.1.1. This code used low level
DES/AES functions.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/sw_crypt.c b/usr/lib/common/sw_crypt.c
index 906a41ab..253b3c26 100644
--- a/usr/lib/common/sw_crypt.c
+++ b/usr/lib/common/sw_crypt.c
@@ -32,51 +32,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
CK_ULONG *out_data_len,
CK_BYTE *init_v, CK_BYTE *key_value, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
- DES_cblock ivec;
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by DES_BLOCK_SIZE
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // The key as passed in is a 24 byte string containing 3 keys
- // pick it apart and create the key schedules
- memcpy(&key_SSL1, key_value, (size_t) 8);
- memcpy(&key_SSL2, key_value + 8, (size_t) 8);
- memcpy(&key_SSL3, key_value + 16, (size_t) 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- memcpy(ivec, init_v, sizeof(ivec));
-
- // Encrypt or decrypt the data
- if (encrypt) {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
- *out_data_len = in_data_len;
- } else {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
-
- *out_data_len = in_data_len;
- }
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
@@ -109,7 +64,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
done:
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV sw_aes_cbc(CK_BYTE *in_data,
@@ -119,33 +73,6 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
CK_BYTE *init_v, CK_BYTE *key_value, CK_ULONG keylen,
CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- AES_KEY aes_key;
-
- UNUSED(out_data_len); //XXX can this parameter be removed ?
-
- memset(&aes_key, 0, sizeof(aes_key));
-
- // the aes decrypt will only fail if the data length is not evenly divisible
- // by AES_BLOCK_SIZE
- if (in_data_len % AES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
-
- // Encrypt or decrypt the data
- if (encrypt) {
- AES_set_encrypt_key(key_value, keylen * 8, &aes_key);
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
- init_v, AES_ENCRYPT);
- } else {
- AES_set_decrypt_key(key_value, keylen * 8, &aes_key);
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
- init_v, AES_DECRYPT);
- }
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
const EVP_CIPHER *cipher = NULL;
@@ -187,5 +114,4 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
done:
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}

37
SOURCES/opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch Normal file
View File

@ -0,0 +1,37 @@
commit c4683eb904238d20cb34a4c7661ffac04901283c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jun 29 17:35:30 2021 +0200
COMMON: Add OPENSSL_VERSION_PREREQ macro to check for OpenSSL version
Make the OPENSSL_VERSION_PREREQ macro available independent of the
used OpenSSL version, so that the code can easily check for the OpenSSL
version it is compiled with.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/defs.h b/usr/lib/common/defs.h
index 22d75d2d..8ab50517 100644
--- a/usr/lib/common/defs.h
+++ b/usr/lib/common/defs.h
@@ -17,6 +17,20 @@
#ifndef _DEFS_H
#define _DEFS_H
+#include <openssl/opensslv.h>
+
+#ifndef OPENSSL_VERSION_PREREQ
+ #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR)
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
+ ((OPENSSL_VERSION_MAJOR << 16) + \
+ OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min))
+ #else
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
+ (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | \
+ ((min) << 20)))
+ #endif
+#endif
+
#define MAX_SESSION_COUNT 64
#define MAX_PIN_LEN 8
#define MIN_PIN_LEN 4

49
SOURCES/opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch Normal file
View File

@ -0,0 +1,49 @@
commit dd9cfe2ef89dad185397df46227f9392a6317d35
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 21 13:54:59 2021 +0200
CONFIGURE: Check that OpenSSL 1.1.1 or later is available
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index 286b7408..f47060d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -277,21 +277,14 @@ if test "x$with_openssl" != "xno"; then
old_libs="$LIBS"
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
- AC_CHECK_HEADER([openssl/ssl.h], [], [
- if test "x$with_openssl" != "xcheck"; then
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL headers couldn't be found])
- fi
- with_openssl=no
+ AC_CHECK_HEADER([openssl/evp.h], [], [
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL headers couldn't be found])
])
if test "x$with_openssl" != "xno"; then
- AC_CHECK_LIB([crypto], [RSA_generate_key], [
+ AC_CHECK_LIB([crypto], [EVP_sha3_256], [
OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto"
- with_openssl=yes
- ], [
- if test "x$with_openssl" != "xcheck"; then
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL libraries couldn't be found])
- fi
- with_openssl=no
+ with_openssl=yes], [
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL libraries version 1.1.1 or later couldn't be found])
])
fi
if test "x$with_openssl" = "xno"; then
@@ -299,6 +292,9 @@ if test "x$with_openssl" != "xno"; then
LIBS="$old_libs"
fi
fi
+if test "x$with_openssl" != "xyes"; then
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but build without OpenSSL was requested])
+fi
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])

853
SOURCES/opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch Normal file
View File

@ -0,0 +1,853 @@
commit ecf71404e84ae35931cd6c7398c825378ee052b6
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Jul 2 11:20:22 2021 +0200
TESTCASES: Soft: Skip tests with RSA publ.exp. not supported by OpenSSL
OpenSSL 3.0 only accepts public exponents of 3 and 65537 for RSA keys.
Skip the testcase if another public exponent is used.
Also fixed some ugly line breaks within messages.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/common/common.c b/testcases/common/common.c
index bfd486cb..0a64ecf2 100644
--- a/testcases/common/common.c
+++ b/testcases/common/common.c
@@ -876,6 +876,16 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|| (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
}
+/** Returns true if pubexp is valid for Soft Tokens **/
+int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
+{
+ CK_BYTE exp3[] = { 0x03 }; // 3
+ CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
+
+ return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
+ || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
+}
+
/** Returns true if slot_id is an ICSF token
** ICSF token info is not necessarily hard-coded like the other tokens
** so there is no single identifying attribute. So, instead just
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
index 62aa7a76..8739ed37 100644
--- a/testcases/crypto/rsa_func.c
+++ b/testcases/crypto/rsa_func.c
@@ -102,8 +102,8 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -111,8 +111,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -124,8 +123,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -148,6 +146,16 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
continue;
}
}
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'",
+ s);
+ free(s);
+ continue;
+ }
+ }
// tpm special cases:
// tpm token can only use public exponent 0x010001 (65537)
// so skip test if invalid public exponent is used
@@ -155,8 +163,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -166,8 +173,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -376,8 +382,8 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].mod_len * 8)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].mod_len * 8);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].mod_len * 8);
free(s);
continue;
}
@@ -385,16 +391,14 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
// modulus length must be multiple of 128 byte
// skip test if modulus length has unsuported size
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -416,8 +420,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -431,12 +434,21 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
}
+
// tpm special cases:
// tpm token can only use public exponent 0x010001 (65537)
// so skip test if invalid public exponent is used
@@ -444,8 +456,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len * 8))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -455,8 +466,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len) ||
(tsuite->tv[i].mod_len * 8 < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -691,8 +701,8 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -700,8 +710,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -710,8 +719,16 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -721,8 +738,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -732,8 +748,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -944,16 +959,23 @@ CK_RV do_SignVerify_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1154,8 +1176,8 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
continue;
}
// get public exponent from test vector
@@ -1169,8 +1191,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -1179,8 +1200,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1189,8 +1209,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -1198,8 +1217,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1228,6 +1246,14 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
continue;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
// begin test
testcase_begin("%s Wrap Unwrap with test vector %d, "
@@ -1554,8 +1580,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
continue;
}
@@ -1565,8 +1590,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
// skip test if modulus length has unsuported size
if (is_ep11_token(slot_id)) {
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
continue;
}
}
@@ -1575,8 +1599,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with this test vector.");
+ testcase_skip("TPM Token cannot be used with this test vector.");
continue;
}
}
@@ -1584,8 +1607,15 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with this test vector.");
+ testcase_skip("CCA Token cannot be used with this test vector.");
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with this test vector.");
continue;
}
}
@@ -1735,8 +1765,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
// skip test if modulus length has unsuported size
if (is_ep11_token(slot_id)) {
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
continue;
}
}
@@ -1745,8 +1774,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with this test vector.");
+ testcase_skip("TPM Token cannot be used with this test vector.");
continue;
}
}
@@ -1754,8 +1782,15 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with this test vector.");
+ testcase_skip("CCA Token cannot be used with this test vector.");
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with this test vector.");
continue;
}
}
diff --git a/testcases/crypto/rsaupdate_func.c b/testcases/crypto/rsaupdate_func.c
index 20611b85..22f8d7e4 100644
--- a/testcases/crypto/rsaupdate_func.c
+++ b/testcases/crypto/rsaupdate_func.c
@@ -96,8 +96,8 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -105,8 +105,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -115,19 +114,27 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+
if (is_tpm_token(slot_id)) {
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -137,8 +144,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -162,8 +168,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
tsuite->tv[i].publ_exp_len,
&publ_key, &priv_key);
if (rc != CKR_OK) {
- testcase_error("generate_RSA_PKCS_KeyPair(), "
- "rc=%s", p11_get_ckr(rc));
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
@@ -367,8 +372,8 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -376,8 +381,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -386,8 +390,16 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -412,8 +424,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
tsuite->tv[i].publ_exp_len,
&publ_key, &priv_key);
if (rc != CKR_OK) {
- testcase_error("generate_RSA_PKCS_KeyPair(), "
- "rc=%s", p11_get_ckr(rc));
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
goto error;
}
// generate message
@@ -639,8 +650,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with pub_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with pub_exp.='%s'", s);
free(s);
continue;
}
@@ -650,8 +660,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with pub_exp='%s'.", s);
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
free(s);
continue;
}
@@ -660,8 +669,16 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -826,8 +843,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -848,8 +864,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -859,8 +874,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with pub_exp='%s'.", s);
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
free(s);
continue;
}
@@ -869,8 +883,16 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
diff --git a/testcases/misc_tests/reencrypt.c b/testcases/misc_tests/reencrypt.c
index a78e1f5a..93fa31bd 100644
--- a/testcases/misc_tests/reencrypt.c
+++ b/testcases/misc_tests/reencrypt.c
@@ -361,24 +361,29 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!keysize_supported(slot_id, mech2->key_gen_mech.mechanism,
mech2->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id, mech2->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id, mech2->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in cannot be used with "
- " publ_exp.='%s'", s);
+ testcase_skip("CCA Token in cannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(mech2->rsa_publ_exp,
+ mech2->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -386,8 +391,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!is_valid_tpm_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(mech2->rsa_modbits)) {
- testcase_skip("TPM Token cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -395,8 +399,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!is_valid_icsf_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len) ||
mech2->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}
@@ -619,6 +622,14 @@ CK_RV do_encrypt_reencrypt(struct mech_info *mech1)
goto testcase_cleanup;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(mech1->rsa_publ_exp,
+ mech1->rsa_publ_exp_len)) {
+ testsuite_skip(NUM_REENCRYPT_TESTS, "Soft Token cannot be "
+ "used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
if (is_tpm_token(slot_id) ) {
if (!is_valid_tpm_pubexp(mech1->rsa_publ_exp,
mech1->rsa_publ_exp_len) ||
diff --git a/testcases/misc_tests/tok2tok_transport.c b/testcases/misc_tests/tok2tok_transport.c
index 9c1dee8f..ebb44760 100644
--- a/testcases/misc_tests/tok2tok_transport.c
+++ b/testcases/misc_tests/tok2tok_transport.c
@@ -581,30 +581,35 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!keysize_supported(slot_id1, tsuite->wrapped_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %lu cannot be used with "
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
+ slot_id1, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (!keysize_supported(slot_id2, tsuite->wrapped_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %lu cannot be used with "
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
+ slot_id2, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in scannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id1) || is_cca_token(slot_id2)) {
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
+ tsuite->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -612,8 +617,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
- testcase_skip("TPM Token cannot " "be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -621,8 +625,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
tsuite->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}
@@ -967,31 +970,36 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!keysize_supported(slot_id1,
tsuite->wrapping_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id1, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (!keysize_supported(slot_id2,
tsuite->wrapping_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id2, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in scannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id1) || is_soft_token(slot_id2)) {
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
+ tsuite->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -999,8 +1007,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
- testcase_skip("TPM Token cannot " "be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -1008,8 +1015,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
tsuite->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}

12
SOURCES/opencryptoki-pkcsslotd-pidfile.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up opencryptoki-3.16.0/misc/pkcsslotd.service.in.me opencryptoki-3.16.0/misc/pkcsslotd.service.in
--- opencryptoki-3.16.0/misc/pkcsslotd.service.in.me 2021-06-25 09:25:11.464487847 +0200
+++ opencryptoki-3.16.0/misc/pkcsslotd.service.in 2021-06-25 09:25:38.701225760 +0200
@@ -4,7 +4,7 @@ After=local-fs.target
[Service]
Type=forking
-PIDFile=/var/run/pkcsslotd.pid
+PIDFile=/run/pkcsslotd.pid
ExecStart=@sbindir@/pkcsslotd
[Install]

8
SOURCES/opencryptoki.module Normal file
View File

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: libopencryptoki.so

686
SPECS/opencryptoki.spec Normal file
View File

@ -0,0 +1,686 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.16.0
Release: 12%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
Patch0: opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
# PIDfile below legacy directory /var/run/
Patch2: opencryptoki-pkcsslotd-pidfile.patch
# Use --no-undefined to debug missing symbols
#Patch100: %%{name}-3.2-no-undefined.patch
# upstream patches
Patch200: opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch
Patch201: opencryptoki-3.16.0-c79e899d77a5724635a9d4451a34a240e2c7e891.patch
Patch202: opencryptoki-3.16.0-69244a5e0d9dfec3ef534b19b89a541576bb17dc.patch
Patch203: opencryptoki-3.16.0-b07505993dd8b2f367cf3b630f6da186e4e8550d.patch
Patch204: opencryptoki-3.16.0-b048be548508dd1958bb7271568f388d0f6cbcf8.patch
Patch205: opencryptoki-3.16.0-e9548127edae313da7840bcb87fd0afd04549c2e.patch
Patch206: opencryptoki-3.16.0-d929fe8470e99f4dcbbd889e7aa87e147d0d5b48.patch
Patch207: opencryptoki-3.16.0-19f56d12b302b87e1dacf613cc61a063ad209d15.patch
Patch208: opencryptoki-3.16.0-342dfbeb8275f5ea6ed52dd3f30126614ec1d037.patch
Patch209: opencryptoki-3.16.0-fa94a16116d8382a987ddf9e8cdd88027dd1f647.patch
Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch
Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
Patch218: opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch
Patch219: opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch
Patch220: opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch
Patch221: opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch
Patch222: opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch
Patch223: opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch
Patch224: opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch
Patch225: opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch
Patch226: opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch
Patch227: opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch
Patch228: opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch
Patch230: opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch
Patch231: opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch
Patch232: opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch
Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
Patch237: opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
Patch238: opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: openssl-devel
%if 0%{?tmptok}
BuildRequires: trousers-devel
%endif
BuildRequires: openldap-devel
BuildRequires: autoconf automake libtool
BuildRequires: bison flex
BuildRequires: systemd-devel
BuildRequires: libitm-devel
BuildRequires: expect
BuildRequires: make
%ifarch s390 s390x
BuildRequires: libica-devel >= 2.3
%endif
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}(token)
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.
%package libs
Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils
%description libs
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully
functional.
%package devel
Summary: Development files for openCryptoki
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
This package contains the development header files for building
opencryptoki and PKCS#11 based applications
%package swtok
Summary: The software token implementation for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description swtok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware.
%package tpmtok
Summary: Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description tpmtok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack.
%package icsftok
Summary: ICSF token support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icsftok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack.
%ifarch s390 s390x
%package icatok
Summary: ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icatok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path.
%package ccatok
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ccatok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path.
%package ep11tok
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ep11tok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
configured with Enterprise PKCS#11 (EP11) firmware.
%endif
%prep
%autosetup -p1
%build
./bootstrap.sh
%configure --with-systemd=%{_unitdir} --enable-testcases \
%if 0%{?tpmtok}
--enable-tpmtok \
%else
--disable-tpmtok \
%endif
%ifarch s390 s390x
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
%endif
%make_build CHGRP=/bin/true
%install
%make_install CHGRP=/bin/true
%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
exit 0
%post
%systemd_post pkcsslotd.service
if test $1 -eq 1; then
%tmpfiles_create %{name}.conf
fi
%preun
%systemd_preun pkcsslotd.service
%postun
%systemd_postun_with_restart pkcsslotd.service
%files
%doc ChangeLog FAQ README.md
%doc doc/opencryptoki-howto.md
%doc doc/README.token_data
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%files libs
%license LICENSE
%{_sysconfdir}/ld.so.conf.d/*
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
# needs them in the main package, because:
# documentation suggests that programs should dlopen "PKCS11_API.so".
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/libopencryptoki.*
%{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
%files devel
%{_includedir}/%{name}/
%files swtok
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%if 0%{?tmptok}
%files tpmtok
%doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%endif
%files icsftok
%doc doc/README.icsf_stdll
%{_sbindir}/pkcsicsf
%{_mandir}/man1/pkcsicsf.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%ifarch s390 s390x
%files icatok
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%files ccatok
%doc doc/README.cca_stdll
%{_sbindir}/pkcscca
%{_mandir}/man1/pkcscca.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%files ep11tok
%doc doc/README.ep11_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
%{_sbindir}/pkcsep11_migrate
%{_sbindir}/pkcsep11_session
%{_mandir}/man1/pkcsep11_migrate.1*
%{_mandir}/man1/pkcsep11_session.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%endif
%changelog
* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
- Related: #1989138, Support for OpenSSL 3.0
* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
- Resolves: #1989138, Support for OpenSSL 3.0
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7
- Resolves: #1974365, Fix detection if pkcsslotd is still running
* Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6
- Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Related: #1924120, add conditional requirement on new selinux-policy
* Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3
- Resolves: #1959894, Soft token does not check if an EC key is valid
- Resolves: #1924120, Event Notification Support
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
- Rebase to 3.16.0
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Added upstream patch, a slot ID has nothing to do with the number of slots
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Drop tpm1.2 support by default
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Fix compiling with c++
- Added error message handling for p11sak remove-key command
- Add BR on make
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Rebase to 3.15.1
* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
- Rebase to 3.15.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- added PIN conversion tool
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- fix regression, segfault in C_SetPin
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
- Rebase to 3.14.0
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
- Rebase to 3.13.0
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
- fix build with gcc 10
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
- Rebase to 3.12.1
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
- Rebase to 3.12.0
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
- Rebase to 3.11.1
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
- enable testcase by default
- fix URL
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
- Updated to 3.11.0
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
- Ported root's group membership's patch for 3.11.0
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0
* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
- Rebase to 3.9.0
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
- use upstream tmpfiles config
* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
- Rebase to 3.8.2 (#1512678)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
- Rebase to 3.7.0
- Added libitm-devel as BuildRequires
* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
- Rebase to 3.6.2
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
- New upstream release
* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
- New upstream release
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
- New bugfix upstream release
* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
- New upstream release
- Adding post-release patch fixing compile warnings
* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
- New upstream release
- Correct dependencies for group creation
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
- Few more undefined symbols fixed for s390(x) specific targets
- Do not require --no-undefined, because s390(x) requires some
* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
- Make inline function compatible for GCC5
* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
- new upstream release 3.2
- add new sub-package opencryptoki-ep11tok on s390x
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
- new upstream release 3.1
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
- create the right lock directory for cca tokens (#1054442)
* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
- use Requires(pre): opencryptoki-libs for subpackages
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
- include token specific directories (#1013017, #1045775, #1054442)
- fix pkcsconf crash for non-root users (#10054661)
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
- fix build with -Werror=format-security (#1037228)
* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
- apply post-3.0 fixes (#1033284)
* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
- update opencryptoki man page (#1001729)
* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
- update unit file (#995002)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
- update pkcsconf man page (#948460)
* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
- new upstream release 3.0
* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
- new upstream release 2.4.3.1
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
- new upstream release 2.4.3
* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
- enable hardened build
- switch to systemd macros in scriptlets (#850240)
* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
- add virtual opencryptoki(token) Provides to token modules and as Requires
to main package (#904986)
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
- new upstream release 2.4.2
- add pkcs_slot man page
- don't add root to the pkcs11 group
* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
- fix unresolved symbols in TPM module (#830129)
* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
- new upstream release 2.4.1
- convert from initscript to systemd unit
- import fixes from RHEL-6 about root's group membership (#732756, #730903)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
- new upstream release 2.4
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
- new upstream release 2.3.3
* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
- Apply Obsoletes to package names, not provides.
* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
- new upstream release 2.3.2
- put STDLLs in separate packages to match upstream package design
* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
- Move the LICENSE file to the -libs subpackage.
* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
- rebuilt with CCA enabled (#604287)
- fixed issues from #546274
* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
- fixed one more issue in the initscript (#547324)
* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
- fixed pidfile creating and usage (#547324)
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
- Also list 'reload' and 'force-reload' in "Usage: ...".
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
- Support 'force-reload' in the initscript.
* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
- New upstream release 2.3.1.
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
- made pkcsslotd initscript LSB compliant (#522149)
* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
- rebuilt with new openssl
* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
- Require libica-2.0.
* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
- New upstream release 2.3.0:
- adds support for RSA 4096 bit keys in the ICA token.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
- Require arch-specific dependency on -libs.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
- Return support for crypto hw on s390.
- Renamed to opencryptoki.
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
- Fedora package based on RHEL-5 package.