import opencryptoki-3.16.0-12.el9
This commit is contained in:
commit
0e3033616c
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
SOURCES/opencryptoki-3.16.0.tar.gz
|
1
.opencryptoki.metadata
Normal file
1
.opencryptoki.metadata
Normal file
@ -0,0 +1 @@
|
|||||||
|
e5d8cf8df446a9bdcb3658a8f191f5a31d3a751e SOURCES/opencryptoki-3.16.0.tar.gz
|
31
SOURCES/opencryptoki-3.11.0-group.patch
Normal file
31
SOURCES/opencryptoki-3.11.0-group.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in
|
||||||
|
--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100
|
||||||
|
+++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100
|
||||||
|
@@ -55,9 +55,11 @@ void *attach_shared_memory()
|
||||||
|
int shmid;
|
||||||
|
char *shmp;
|
||||||
|
struct stat statbuf;
|
||||||
|
+#if 0
|
||||||
|
struct group *grp;
|
||||||
|
struct passwd *pw, *epw;
|
||||||
|
uid_t uid, euid;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#if !(MMAP)
|
||||||
|
// Really should fstat the tok_path, since it will be the actual
|
||||||
|
@@ -69,6 +71,7 @@ void *attach_shared_memory()
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
uid = getuid();
|
||||||
|
euid = geteuid();
|
||||||
|
// only check group membership if not root user
|
||||||
|
@@ -102,6 +105,7 @@ void *attach_shared_memory()
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
Anchor->shm_tok = ftok(TOK_PATH, 'b');
|
||||||
|
|
12
SOURCES/opencryptoki-3.11.0-lockdir.patch
Normal file
12
SOURCES/opencryptoki-3.11.0-lockdir.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
|
||||||
|
--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
|
||||||
|
+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
|
||||||
|
@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
|
||||||
|
|
||||||
|
dnl Define custom variables
|
||||||
|
|
||||||
|
-lockdir=$localstatedir/lock/opencryptoki
|
||||||
|
+lockdir=/run/lock/opencryptoki
|
||||||
|
AC_SUBST(lockdir)
|
||||||
|
|
||||||
|
logdir=$localstatedir/log/opencryptoki
|
@ -0,0 +1,136 @@
|
|||||||
|
commit 19f56d12b302b87e1dacf613cc61a063ad209d15
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Feb 12 15:57:20 2021 +0100
|
||||||
|
|
||||||
|
Fix compile warning when compiling pkcsslotd with -DDEV and/or -DTHREADED
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/garbage_linux.c b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||||
|
index d4878c3b..a4dd9713 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/garbage_linux.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include <string.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
|
||||||
|
#include "log.h"
|
||||||
|
#include "slotmgr.h"
|
||||||
|
@@ -80,8 +81,8 @@ BOOL StartGCThread(Slot_Mgr_Shr_t *MemPtr)
|
||||||
|
#ifdef DEV
|
||||||
|
// Only development builds
|
||||||
|
LogLog("StartGCThread: garbage collection thread started as ID "
|
||||||
|
- "%d (%#x) by ID %d (%#x)",
|
||||||
|
- GCThread, GCThread, pthread_self(), pthread_self());
|
||||||
|
+ "%lu by ID %lu",
|
||||||
|
+ GCThread, pthread_self());
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
@@ -115,8 +116,8 @@ BOOL StopGCThread(void *Ptr)
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- DbgLog(DL0, "StopGCThread: tid %d is stopping the garbage collection "
|
||||||
|
- "thread (tid %d)",
|
||||||
|
+ DbgLog(DL0, "StopGCThread: tid %lu is stopping the garbage collection "
|
||||||
|
+ "thread (tid %lu)",
|
||||||
|
pthread_self(), GCThread);
|
||||||
|
|
||||||
|
/* Cause the GC thread to be cancelled */
|
||||||
|
@@ -245,7 +246,7 @@ void GCCancel(void *Ptr)
|
||||||
|
UNUSED(Ptr);
|
||||||
|
|
||||||
|
/* Yeah, yeah. Doesn't do anything, but I had plans */
|
||||||
|
- DbgLog(DL3, "GCCancel: tid: %d running cleanup routine", pthread_self());
|
||||||
|
+ DbgLog(DL3, "GCCancel: tid: %lu running cleanup routine", pthread_self());
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
@@ -268,7 +269,7 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||||
|
|
||||||
|
ASSERT(MemPtr != NULL_PTR);
|
||||||
|
#ifdef DEV
|
||||||
|
- DbgLog(DL5, "Thread %d is checking for garbage", pthread_self());
|
||||||
|
+ DbgLog(DL5, "Thread %lu is checking for garbage", pthread_self());
|
||||||
|
#endif /* DEV */
|
||||||
|
|
||||||
|
|
||||||
|
@@ -326,9 +327,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||||
|
if (*pProcSessions > 0) {
|
||||||
|
|
||||||
|
#ifdef DEV
|
||||||
|
- DbgLog(DL2, "GC: Invalid pid (%d) is holding %d sessions "
|
||||||
|
+ DbgLog(DL2, "GC: Invalid pid (%d) is holding %u sessions "
|
||||||
|
"open on slot %d. Global session count for this "
|
||||||
|
- "slot is %d",
|
||||||
|
+ "slot is %u",
|
||||||
|
pProc->proc_id, *pProcSessions, SlotIndex,
|
||||||
|
*pGlobalSessions);
|
||||||
|
#endif /* DEV */
|
||||||
|
@@ -338,9 +339,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||||
|
WarnLog("Garbage Collection: Illegal values in table "
|
||||||
|
"for defunct process");
|
||||||
|
DbgLog(DL0, "Garbage collection: A process "
|
||||||
|
- "( Index: %d, pid: %d ) showed %d sessions "
|
||||||
|
- "open on slot %s, but the global count for this "
|
||||||
|
- "slot is only %d",
|
||||||
|
+ "( Index: %d, pid: %d ) showed %u sessions "
|
||||||
|
+ "open on slot %d, but the global count for this "
|
||||||
|
+ "slot is only %u",
|
||||||
|
ProcIndex, pProc->proc_id, *pProcSessions,
|
||||||
|
SlotIndex, *pGlobalSessions);
|
||||||
|
#endif /* DEV */
|
||||||
|
@@ -395,14 +396,8 @@ int Stat2Proc(int pid, proc_t *p)
|
||||||
|
char fbuf[800]; // about 40 fields, 64-bit decimal is about 20 chars
|
||||||
|
char *tmp;
|
||||||
|
int fd, num;
|
||||||
|
- // FILE *fp;
|
||||||
|
-
|
||||||
|
- // sprintf(buf, "%s/%d/stat", PROC_BASE, pid);
|
||||||
|
- // if( (fp = fopen(buf, "r")) == NULL )
|
||||||
|
- // return FALSE;
|
||||||
|
|
||||||
|
sprintf(fbuf, "%s/%d/stat", PROC_BASE, pid);
|
||||||
|
- printf("Buff = %s \n", fbuf);
|
||||||
|
fflush(stdout);
|
||||||
|
if ((fd = open(fbuf, O_RDONLY, 0)) == -1)
|
||||||
|
return FALSE;
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/log.c b/usr/sbin/pkcsslotd/log.c
|
||||||
|
index 0214f952..0394cc7d 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/log.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/log.c
|
||||||
|
@@ -463,8 +463,8 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||||
|
#endif /* DEV */
|
||||||
|
|
||||||
|
if (WriteNow) {
|
||||||
|
- fprintf(stderr, "%s[%d.%d]: %s\n", pInfo->Descrip, getpid(),
|
||||||
|
- (int) pthread_self(), buf);
|
||||||
|
+ fprintf(stderr, "%s[%d.%lu]: %s\n", pInfo->Descrip, getpid(),
|
||||||
|
+ pthread_self(), buf);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -482,7 +482,7 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||||
|
GetCurrentTimeString(timebuf);
|
||||||
|
|
||||||
|
/* Date/Time stamp, descrip, Error message */
|
||||||
|
- fprintf(fd, "%s %s[%d.%d]: ", timebuf, pInfo->Descrip, getpid(),
|
||||||
|
+ fprintf(fd, "%s %s[%d.%lu]: ", timebuf, pInfo->Descrip, getpid(),
|
||||||
|
pthread_self());
|
||||||
|
fprintf(fd, "%s\n", buf);
|
||||||
|
fflush(fd);
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
index 94288f13..efbfe8fd 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
@@ -660,7 +660,6 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(NOGARBAGE)
|
||||||
|
- printf("Start garbage \n");
|
||||||
|
/* start garbage collection thread */
|
||||||
|
if (!StartGCThread(shmp)) {
|
||||||
|
term_socket_server();
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,47 @@
|
|||||||
|
commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon May 3 10:05:07 2021 +0200
|
||||||
|
|
||||||
|
SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
|
||||||
|
|
||||||
|
When constructing an OpenSSL EC public or private key from PKCS#11
|
||||||
|
attributes or ECDH public data, check that the key is valid, i.e. that
|
||||||
|
the point is on the curve.
|
||||||
|
|
||||||
|
This prevents one from creating an EC key object via C_CreateObject with
|
||||||
|
invalid key data. It also prevents C_DeriveKey to derive a secret using
|
||||||
|
ECDH with an EC public key (public data) that uses a different curve
|
||||||
|
or is invalid by other means.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
index c30be1da..aeff39a9 100644
|
||||||
|
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!EC_KEY_check_key(ec_key)) {
|
||||||
|
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||||
|
+ rc = CKR_PUBLIC_KEY_INVALID;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
out:
|
||||||
|
if (allocated && ecpoint != NULL)
|
||||||
|
free(ecpoint);
|
||||||
|
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!EC_KEY_check_key(ec_key)) {
|
||||||
|
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||||
|
+ rc = CKR_FUNCTION_FAILED;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
out:
|
||||||
|
if (point != NULL)
|
||||||
|
EC_POINT_free(point);
|
@ -0,0 +1,28 @@
|
|||||||
|
commit 5824364d995e5d2418f885ee57e377e11d1b3302
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jul 7 13:44:46 2021 +0200
|
||||||
|
|
||||||
|
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
|
||||||
|
|
||||||
|
When modifying opencryptoki.conf during token migration, put quotes
|
||||||
|
around strings that contain spaces, e.g. for the slot description and
|
||||||
|
manufacturer.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
index 94fd1196..3df1596e 100644
|
||||||
|
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||||
|
{
|
||||||
|
struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
- if (tok != KW_TOKVERSION)
|
||||||
|
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||||
|
+ strchr(val, ' ') != NULL)
|
||||||
|
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||||
|
+ else if (tok != KW_TOKVERSION)
|
||||||
|
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||||
|
return 0;
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
commit 69244a5e0d9dfec3ef534b19b89a541576bb17dc
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Feb 9 10:47:57 2021 +0100
|
||||||
|
|
||||||
|
TRACE: Use gettid() if SYS_gettid is not defined
|
||||||
|
|
||||||
|
Also print the thread ID in the trace, if SYS_gettid is not defined.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/trace.c b/usr/lib/common/trace.c
|
||||||
|
index 678c0b96..bdc5256a 100644
|
||||||
|
--- a/usr/lib/common/trace.c
|
||||||
|
+++ b/usr/lib/common/trace.c
|
||||||
|
@@ -33,6 +33,8 @@
|
||||||
|
|
||||||
|
#ifdef SYS_gettid
|
||||||
|
#define __gettid() syscall(SYS_gettid)
|
||||||
|
+#else
|
||||||
|
+#define __gettid() gettid()
|
||||||
|
#endif
|
||||||
|
|
||||||
|
pthread_mutex_t tlmtx = PTHREAD_MUTEX_INITIALIZER;
|
@ -0,0 +1,367 @@
|
|||||||
|
commit 7b7d83c571ceb3050969359817d4145600f14ae8
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Apr 9 17:07:31 2021 +0200
|
||||||
|
|
||||||
|
Check CKF_LIBRARY_CANT_CREATE_OS_THREADS at C_Initialize
|
||||||
|
|
||||||
|
Fail if flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set at C_Initialize,
|
||||||
|
and event support is enabled (this is the default). We need to use pthreads
|
||||||
|
for the event thread, so we can't work if CKF_LIBRARY_CANT_CREATE_OS_THREADS
|
||||||
|
is set. Fail with CKR_NEED_TO_CREATE_THREADS if so.
|
||||||
|
|
||||||
|
The event support can be globally disabled using keyword 'disable-event-support'
|
||||||
|
in opencryptoki.conf. This disables pkcsslots to accept admin connections,
|
||||||
|
and it does not monitor for AP UDEV events (on s390 platform). No event
|
||||||
|
thread is started in the opencryptoki processes, thus we can accept if flag
|
||||||
|
CKF_LIBRARY_CANT_CREATE_OS_THREADS is set in that case.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
|
||||||
|
index 71218f79..7dc676ab 100644
|
||||||
|
--- a/man/man5/opencryptoki.conf.5.in
|
||||||
|
+++ b/man/man5/opencryptoki.conf.5.in
|
||||||
|
@@ -10,8 +10,16 @@ pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
|
||||||
|
determine which slots will be made available.
|
||||||
|
|
||||||
|
.SH SYNTAX
|
||||||
|
-This file is made up of slot descriptions. Each slot description
|
||||||
|
-is composed of a slot number, brackets and key-value pairs.
|
||||||
|
+This file is made up of optional global definitions, and slot descriptions.
|
||||||
|
+
|
||||||
|
+The following global definitions are valid:
|
||||||
|
+
|
||||||
|
+.TP
|
||||||
|
+.BR disable-event-support
|
||||||
|
+If this keyword is specified the openCryptoki event support is disabled.
|
||||||
|
+
|
||||||
|
+.P
|
||||||
|
+Each slot description is composed of a slot number, brackets and key-value pairs.
|
||||||
|
|
||||||
|
slot number
|
||||||
|
{
|
||||||
|
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||||
|
index e37368a5..451a8cf1 100644
|
||||||
|
--- a/usr/include/slotmgr.h
|
||||||
|
+++ b/usr/include/slotmgr.h
|
||||||
|
@@ -99,6 +99,7 @@ typedef struct {
|
||||||
|
LW_SHM_TYPE *shm_addr; // token specific shm address
|
||||||
|
} Slot_Info_t;
|
||||||
|
|
||||||
|
+#define FLAG_EVENT_SUPPORT_DISABLED 0x01
|
||||||
|
|
||||||
|
#ifdef PKCS64
|
||||||
|
|
||||||
|
@@ -200,6 +201,7 @@ typedef struct {
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
uint8 num_slots;
|
||||||
|
+ uint8 flags;
|
||||||
|
CK_INFO_64 ck_info;
|
||||||
|
Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
|
||||||
|
} Slot_Mgr_Socket_t;
|
||||||
|
@@ -214,6 +216,7 @@ typedef struct {
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
uint8 num_slots;
|
||||||
|
+ uint8 flags;
|
||||||
|
CK_INFO ck_info;
|
||||||
|
Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
|
||||||
|
} Slot_Mgr_Socket_t;
|
||||||
|
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||||
|
index 2873a20a..6517ca6c 100644
|
||||||
|
--- a/usr/lib/api/api_interface.c
|
||||||
|
+++ b/usr/lib/api/api_interface.c
|
||||||
|
@@ -308,7 +308,8 @@ void parent_fork_after()
|
||||||
|
return;
|
||||||
|
|
||||||
|
/* Restart the event thread in the parent when fork is complete */
|
||||||
|
- if (Anchor->event_thread == 0)
|
||||||
|
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||||
|
+ Anchor->event_thread == 0)
|
||||||
|
start_event_thread();
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2752,13 +2753,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- // If we EVER need to create threads from this library we must
|
||||||
|
- // check the Flags for the Can_Create_OS_Threads flag
|
||||||
|
- // Right now the library DOES NOT create threads and therefore this
|
||||||
|
- // check is irrelavant.
|
||||||
|
- if (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
|
||||||
|
- TRACE_DEVEL("Can't create OS threads...This is OK\n");
|
||||||
|
- }
|
||||||
|
+
|
||||||
|
// Since this is an initialization path, we will be verbose in the
|
||||||
|
// code rather than efficient.
|
||||||
|
//
|
||||||
|
@@ -2848,7 +2843,21 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto error_shm;
|
||||||
|
}
|
||||||
|
- // Initialize structure values
|
||||||
|
+
|
||||||
|
+ if (pVoid != NULL) {
|
||||||
|
+ pArg = (CK_C_INITIALIZE_ARGS *) pVoid;
|
||||||
|
+
|
||||||
|
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||||
|
+ (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) != 0) {
|
||||||
|
+ TRACE_ERROR("Flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set and "
|
||||||
|
+ "event support is enabled\n");
|
||||||
|
+ OCK_SYSLOG(LOG_ERR, "C_Initialize: Application specified that "
|
||||||
|
+ "library can't create OS threads. PKCS11 Module requires "
|
||||||
|
+ "to create threads when event support is enabled.\n");
|
||||||
|
+ rc = CKR_NEED_TO_CREATE_THREADS;
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
//Register with pkcsslotd
|
||||||
|
if (!API_Register()) {
|
||||||
|
@@ -2867,7 +2876,8 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Start event receiver thread */
|
||||||
|
- if (start_event_thread() != 0) {
|
||||||
|
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||||
|
+ start_event_thread() != 0) {
|
||||||
|
TRACE_ERROR("Failed to start event thread\n");
|
||||||
|
|
||||||
|
// unload all the STDLL's from the application
|
||||||
|
diff --git a/usr/lib/common/configparser.h b/usr/lib/common/configparser.h
|
||||||
|
index 13ca648d..b3c32496 100644
|
||||||
|
--- a/usr/lib/common/configparser.h
|
||||||
|
+++ b/usr/lib/common/configparser.h
|
||||||
|
@@ -35,6 +35,7 @@ typedef int (*end_slot_f)(void *private);
|
||||||
|
typedef int (*key_str_f)(void *private, int tok, const char *val);
|
||||||
|
typedef int (*key_vers_f)(void *private, int tok, unsigned int vers);
|
||||||
|
typedef void (*eolcomment_f)(void *private, const char *comment);
|
||||||
|
+typedef void (*disab_event_supp_f)(void *private);
|
||||||
|
/*
|
||||||
|
* Report an error. If the error is not reported by the parser itself
|
||||||
|
* but via one of the parse functions, \c parsermsg will be \c NULL.
|
||||||
|
@@ -52,6 +53,7 @@ typedef void (*error_f)(void *private, int line, const char *parsermsg);
|
||||||
|
*/
|
||||||
|
struct parsefuncs {
|
||||||
|
ockversion_f version;
|
||||||
|
+ disab_event_supp_f disab_event_supp;
|
||||||
|
eol_f eol;
|
||||||
|
begin_slot_f begin_slot;
|
||||||
|
end_slot_f end_slot;
|
||||||
|
diff --git a/usr/lib/common/lexer.l b/usr/lib/common/lexer.l
|
||||||
|
index b35a0b72..38cbcb70 100644
|
||||||
|
--- a/usr/lib/common/lexer.l
|
||||||
|
+++ b/usr/lib/common/lexer.l
|
||||||
|
@@ -69,6 +69,7 @@ extern char *configparse_strdup(const char *s);
|
||||||
|
|
||||||
|
version return OCKVERSION;
|
||||||
|
slot return SLOT;
|
||||||
|
+disable-event-support return DISABLE_EVENT_SUPPORT;
|
||||||
|
|
||||||
|
[^\"= \t\n]+ {
|
||||||
|
yylval.str = configparse_strdup(yytext);
|
||||||
|
diff --git a/usr/lib/common/parser.y b/usr/lib/common/parser.y
|
||||||
|
index 86806fcb..40c3994d 100644
|
||||||
|
--- a/usr/lib/common/parser.y
|
||||||
|
+++ b/usr/lib/common/parser.y
|
||||||
|
@@ -65,7 +65,7 @@ int lookup_keyword(const char *key);
|
||||||
|
int err;
|
||||||
|
}
|
||||||
|
|
||||||
|
-%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF
|
||||||
|
+%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF DISABLE_EVENT_SUPPORT
|
||||||
|
%token <str> STRING
|
||||||
|
%token <str> KEYWORD
|
||||||
|
%token <num> INTEGER
|
||||||
|
@@ -81,6 +81,7 @@ config_file:
|
||||||
|
|
||||||
|
sections:
|
||||||
|
version_def eolcomment
|
||||||
|
+ | disable_event_support_def eolcomment
|
||||||
|
| SLOT INTEGER BEGIN_DEF
|
||||||
|
{
|
||||||
|
if (parsefuncs->begin_slot && parsefuncs->begin_slot(parsedata, $2, 0)) {
|
||||||
|
@@ -125,6 +126,13 @@ version_def:
|
||||||
|
}
|
||||||
|
configparse_freestringsfrom($2);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+disable_event_support_def:
|
||||||
|
+ DISABLE_EVENT_SUPPORT
|
||||||
|
+ {
|
||||||
|
+ if (parsefuncs->disab_event_supp)
|
||||||
|
+ parsefuncs->disab_event_supp(parsedata);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
line_def:
|
||||||
|
STRING EQUAL TOKVERSION
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
index d7edcb3c..1dd0bac9 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
@@ -88,7 +88,7 @@ int XProcLock(void);
|
||||||
|
int XProcUnLock(void);
|
||||||
|
int CreateXProcLock(void);
|
||||||
|
|
||||||
|
-int init_socket_server();
|
||||||
|
+int init_socket_server(int event_support_disabled);
|
||||||
|
int term_socket_server();
|
||||||
|
int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||||
|
int socket_connection_handler(int timeout_secs);
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
index efbfe8fd..3b328a6c 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
@@ -34,6 +34,7 @@ int shmid;
|
||||||
|
key_t tok;
|
||||||
|
Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||||
|
unsigned int NumberSlotsInDB = 0;
|
||||||
|
+int event_support_disabled = 0;
|
||||||
|
|
||||||
|
Slot_Info_t_64 *psinfo;
|
||||||
|
|
||||||
|
@@ -467,6 +468,13 @@ static int slotmgr_key_vers(void *private, int tok, unsigned int vers)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void slotmgr_disab_event_supp(void *private)
|
||||||
|
+{
|
||||||
|
+ UNUSED(private);
|
||||||
|
+
|
||||||
|
+ event_support_disabled = 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void slotmgr_parseerror(void *private, int line, const char *parsermsg)
|
||||||
|
{
|
||||||
|
struct parse_data *d = (struct parse_data *)private;
|
||||||
|
@@ -480,6 +488,7 @@ static struct parsefuncs slotmgr_parsefuncs = {
|
||||||
|
.end_slot = slotmgr_end_slot,
|
||||||
|
.key_str = slotmgr_key_str,
|
||||||
|
.key_vers = slotmgr_key_vers,
|
||||||
|
+ .disab_event_supp = slotmgr_disab_event_supp,
|
||||||
|
.parseerror = slotmgr_parseerror
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -568,7 +577,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
if (!XProcUnLock())
|
||||||
|
return 4;
|
||||||
|
|
||||||
|
- if (!init_socket_server()) {
|
||||||
|
+ if (!init_socket_server(event_support_disabled)) {
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
@@ -582,6 +591,8 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
DestroySharedMemory();
|
||||||
|
return 6;
|
||||||
|
}
|
||||||
|
+ if (event_support_disabled)
|
||||||
|
+ socketData.flags |= FLAG_EVENT_SUPPORT_DISABLED;
|
||||||
|
|
||||||
|
/* Create customized token directories */
|
||||||
|
psinfo = &socketData.slot_info[0];
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
index 41408670..3aa40267 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
@@ -139,12 +139,12 @@ struct event_info {
|
||||||
|
};
|
||||||
|
|
||||||
|
static int epoll_fd = -1;
|
||||||
|
-static struct listener_info proc_listener;
|
||||||
|
+static struct listener_info proc_listener = { .socket = -1 };
|
||||||
|
static DL_NODE *proc_connections = NULL;
|
||||||
|
-static struct listener_info admin_listener;
|
||||||
|
+static struct listener_info admin_listener = { .socket = -1 };
|
||||||
|
static DL_NODE *admin_connections = NULL;
|
||||||
|
#ifdef WITH_LIBUDEV
|
||||||
|
-static struct udev_mon udev_mon;
|
||||||
|
+static struct udev_mon udev_mon = { .socket = -1 };
|
||||||
|
#endif
|
||||||
|
static DL_NODE *pending_events = NULL;
|
||||||
|
static unsigned long pending_events_count = 0;
|
||||||
|
@@ -1620,6 +1620,9 @@ static void udev_mon_term(struct udev_mon *udev_mon)
|
||||||
|
if (udev_mon == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
+ if (udev_mon->socket < 0)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
epoll_ctl(epoll_fd, EPOLL_CTL_DEL, udev_mon->socket, NULL);
|
||||||
|
if (udev_mon->udev != NULL)
|
||||||
|
udev_unref(udev_mon->udev);
|
||||||
|
@@ -1636,6 +1639,7 @@ int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||||
|
{
|
||||||
|
unsigned int processed = 0;
|
||||||
|
|
||||||
|
+ socketData->flags = 0;
|
||||||
|
PopulateCKInfo(&(socketData->ck_info));
|
||||||
|
socketData->num_slots = NumberSlotsInDB;
|
||||||
|
PopulateSlotInfo(socketData->slot_info, &processed);
|
||||||
|
@@ -1692,7 +1696,7 @@ int socket_connection_handler(int timeout_secs)
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int init_socket_server()
|
||||||
|
+int init_socket_server(int event_support_disabled)
|
||||||
|
{
|
||||||
|
int err;
|
||||||
|
|
||||||
|
@@ -1710,18 +1714,20 @@ int init_socket_server()
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||||
|
- admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||||
|
- term_socket_server();
|
||||||
|
- return FALSE;
|
||||||
|
- }
|
||||||
|
+ if (!event_support_disabled) {
|
||||||
|
+ if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||||
|
+ admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||||
|
+ term_socket_server();
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
#ifdef WITH_LIBUDEV
|
||||||
|
- if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||||
|
- term_socket_server();
|
||||||
|
- return FALSE;
|
||||||
|
- }
|
||||||
|
+ if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||||
|
+ term_socket_server();
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
+ }
|
||||||
|
|
||||||
|
DbgLog(DL0, "%s: Socket server started", __func__);
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
index 7c225730..94fd1196 100644
|
||||||
|
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
@@ -2066,6 +2066,13 @@ static int parseupdate_ockversion(void *private, const char *version)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void parseupdate_disab_event_supp(void *private)
|
||||||
|
+{
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+
|
||||||
|
+ fprintf(u->f, "disable-event-support");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void parseupdate_eol(void *private)
|
||||||
|
{
|
||||||
|
struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
@@ -2124,6 +2131,7 @@ static void parseupdate_eolcomment(void *private, const char *comment)
|
||||||
|
|
||||||
|
static struct parsefuncs parseupdatefuncs = {
|
||||||
|
.version = parseupdate_ockversion,
|
||||||
|
+ .disab_event_supp = parseupdate_disab_event_supp,
|
||||||
|
.eol = parseupdate_eol,
|
||||||
|
.begin_slot = parseupdate_begin_slot,
|
||||||
|
.end_slot = parseupdate_end_slot,
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,37 @@
|
|||||||
|
commit b07505993dd8b2f367cf3b630f6da186e4e8550d
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Feb 10 15:12:25 2021 +0100
|
||||||
|
|
||||||
|
Avoid deadlock in dlclose() after a fork
|
||||||
|
|
||||||
|
Calling dlclose() in a atfork handler may cause a deadlock.
|
||||||
|
dlclose() may itself modify the atfork handler table to remove
|
||||||
|
any fork handlers that the to be unloaded library has registered.
|
||||||
|
Since the atfork handler table is currently locked when we are in
|
||||||
|
an atfork handler, this would produce a deadlock.
|
||||||
|
|
||||||
|
Skip the dlclose() if we are in an atfork handler to avoid the deadlock.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||||
|
index 3ccb6d41..f1ee9132 100644
|
||||||
|
--- a/usr/lib/api/api_interface.c
|
||||||
|
+++ b/usr/lib/api/api_interface.c
|
||||||
|
@@ -1516,7 +1516,15 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- DL_UnLoad(sltp, slotID);
|
||||||
|
+ /*
|
||||||
|
+ * Calling dlclose() in a atfork handler may cause a deadlock.
|
||||||
|
+ * dlclose() may itself modify the atfork handler table to remove
|
||||||
|
+ * any fork handlers that the to be unloaded library has registered.
|
||||||
|
+ * Since the atfork handler table is currently locked when we are in
|
||||||
|
+ * an atfork handler, this would produce a deadlock.
|
||||||
|
+ */
|
||||||
|
+ if (!in_child_fork_initializer)
|
||||||
|
+ DL_UnLoad(sltp, slotID);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Un register from Slot D
|
@ -0,0 +1,21 @@
|
|||||||
|
commit bf812c652c49d7e248b115d121a4f7f6568941a2
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Apr 6 13:41:55 2021 +0200
|
||||||
|
|
||||||
|
Update travis yaml file to install libudev development files
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/.travis.yml b/.travis.yml
|
||||||
|
index d2907246..fd4092e3 100644
|
||||||
|
--- a/.travis.yml
|
||||||
|
+++ b/.travis.yml
|
||||||
|
@@ -5,7 +5,7 @@ language: c
|
||||||
|
|
||||||
|
before_install:
|
||||||
|
- sudo apt-get -qq update
|
||||||
|
- - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget
|
||||||
|
+ - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget libudev-dev
|
||||||
|
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb
|
||||||
|
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb
|
||||||
|
- sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3
|
@ -0,0 +1,462 @@
|
|||||||
|
commit c79e899d77a5724635a9d4451a34a240e2c7e891
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Apr 16 13:41:41 2021 +0200
|
||||||
|
|
||||||
|
Fix potential deadlock situation with double read-locks
|
||||||
|
|
||||||
|
Do not get and read-lock an object twice within the same thread via
|
||||||
|
function object_mgr_find_in_map1(), as this would read-lock the object
|
||||||
|
twice.
|
||||||
|
|
||||||
|
This could cause a deadlock situation, when in-between the first
|
||||||
|
and the second call to object_mgr_find_in_map1() the token object is
|
||||||
|
modified by another process. The second object_mgr_find_in_map1() would
|
||||||
|
detect that the object has been modified (object_mgr_check_shm()), and
|
||||||
|
would try to re-load the object from the disk. For re-loading, the
|
||||||
|
object is unlocked once, and a write-lock is acquired instead.
|
||||||
|
However, if the current thread has read-locked the object twice, but
|
||||||
|
releases only one read-lock, then it will never get the write lock,
|
||||||
|
because it still owns the read lock itself.
|
||||||
|
|
||||||
|
To avoid this situation, release the read-lock before calling another
|
||||||
|
function that also acquires the read lock of the object. That way, only
|
||||||
|
one read-lock is held by the current thread, and re-loading the object
|
||||||
|
will not cause a deadlock.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/decr_mgr.c b/usr/lib/common/decr_mgr.c
|
||||||
|
index 317ef995..9842302b 100644
|
||||||
|
--- a/usr/lib/common/decr_mgr.c
|
||||||
|
+++ b/usr/lib/common/decr_mgr.c
|
||||||
|
@@ -540,6 +540,10 @@ CK_RV decr_mgr_init(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 0);
|
||||||
|
if (rc) {
|
||||||
|
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||||
|
diff --git a/usr/lib/common/encr_mgr.c b/usr/lib/common/encr_mgr.c
|
||||||
|
index d3ecdeee..3e85ceab 100644
|
||||||
|
--- a/usr/lib/common/encr_mgr.c
|
||||||
|
+++ b/usr/lib/common/encr_mgr.c
|
||||||
|
@@ -537,6 +537,10 @@ CK_RV encr_mgr_init(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 1);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||||
|
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
|
||||||
|
index 1652f90a..e35b383c 100644
|
||||||
|
--- a/usr/lib/common/mech_rsa.c
|
||||||
|
+++ b/usr/lib/common/mech_rsa.c
|
||||||
|
@@ -602,6 +602,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = token_specific.t_rsa_oaep_encrypt(tokdata, ctx, in_data,
|
||||||
|
in_data_len, out_data,
|
||||||
|
out_data_len, hash, hlen);
|
||||||
|
@@ -625,6 +629,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = token_specific.t_rsa_oaep_decrypt(tokdata, ctx, in_data,
|
||||||
|
in_data_len, out_data,
|
||||||
|
out_data_len, hash, hlen);
|
||||||
|
@@ -1331,6 +1339,10 @@ CK_RV rsa_pss_sign(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = token_specific.t_rsa_pss_sign(tokdata, sess, ctx, in_data, in_data_len,
|
||||||
|
out_data, out_data_len);
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
@@ -1389,6 +1401,10 @@ CK_RV rsa_pss_verify(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = token_specific.t_rsa_pss_verify(tokdata, sess, ctx, in_data,
|
||||||
|
in_data_len, signature, sig_len);
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
diff --git a/usr/lib/common/sign_mgr.c b/usr/lib/common/sign_mgr.c
|
||||||
|
index 937a371a..c7268e01 100644
|
||||||
|
--- a/usr/lib/common/sign_mgr.c
|
||||||
|
+++ b/usr/lib/common/sign_mgr.c
|
||||||
|
@@ -424,6 +424,10 @@ CK_RV sign_mgr_init(STDLL_TokData_t *tokdata,
|
||||||
|
ctx->context_len = 0;
|
||||||
|
ctx->context = NULL;
|
||||||
|
|
||||||
|
+ /* Release obj lock, token specific hmac-sign may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = hmac_sign_init(tokdata, sess, mech, key);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_ERROR("Failed to initialize hmac.\n");
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index 3ac3768a..52f95d7a 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -6948,6 +6948,13 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
+ /*
|
||||||
|
+ * Release obj lock, sign_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||||
|
+ * may re-acquire the lock
|
||||||
|
+ */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
/* Note that Edwards curves in general are not yet supported in
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
* supported by the ep11token, so let's keep them local here. */
|
||||||
|
@@ -7029,11 +7036,16 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
* supported by the ep11token, so let's keep them local here. */
|
||||||
|
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||||
|
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||||
|
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||||
|
rc = pkey_ibm_ed_sign(key_obj, in_data, in_data_len, signature, sig_len);
|
||||||
|
- else
|
||||||
|
+ } else {
|
||||||
|
+ /* Release obj lock, sign_mgr_sign may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = sign_mgr_sign(tokdata, session, length_only, ctx, in_data,
|
||||||
|
in_data_len, signature, sig_len);
|
||||||
|
+ }
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -7071,6 +7083,11 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
if (!in_data || !in_data_len)
|
||||||
|
return CKR_OK;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7078,11 +7095,6 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_SignUpdate(ctx->context, ctx->context_len, in_data,
|
||||||
|
in_data_len, ep11_data->target);
|
||||||
|
@@ -7115,6 +7127,11 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7122,11 +7139,6 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_SignFinal(ctx->context, ctx->context_len, signature, sig_len,
|
||||||
|
ep11_data->target);
|
||||||
|
@@ -7241,6 +7253,13 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
+ /*
|
||||||
|
+ * Release obj lock, verify_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||||
|
+ * may re-acquire the lock
|
||||||
|
+ */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
/* Note that Edwards curves in general are not yet supported in
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
* supported by the ep11token, so let's keep them local here. */
|
||||||
|
@@ -7320,12 +7339,17 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
* supported by the ep11token, so let's keep them local here. */
|
||||||
|
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||||
|
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||||
|
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||||
|
rc = pkey_ibm_ed_verify(key_obj, in_data, in_data_len,
|
||||||
|
signature, sig_len);
|
||||||
|
- else
|
||||||
|
+ } else {
|
||||||
|
+ /* Release obj lock, verify_mgr_verify may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
rc = verify_mgr_verify(tokdata, session, ctx, in_data,
|
||||||
|
in_data_len, signature, sig_len);
|
||||||
|
+ }
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -7363,6 +7387,11 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
if (!in_data || !in_data_len)
|
||||||
|
return CKR_OK;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7370,11 +7399,6 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_VerifyUpdate(ctx->context, ctx->context_len, in_data,
|
||||||
|
in_data_len, ep11_data->target);
|
||||||
|
@@ -7406,6 +7430,11 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7413,11 +7442,6 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_VerifyFinal(ctx->context, ctx->context_len, signature,
|
||||||
|
sig_len, ep11_data->target);
|
||||||
|
@@ -7501,6 +7525,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||||
|
+ ctx, output_part, p_output_part_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7508,12 +7538,6 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||||
|
- ctx, output_part, p_output_part_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_DecryptFinal(ctx->context, ctx->context_len,
|
||||||
|
output_part, p_output_part_len,
|
||||||
|
@@ -7548,13 +7572,6 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
- READ_LOCK);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
rc = decr_mgr_decrypt(tokdata, session, length_only, ctx,
|
||||||
|
input_data, input_data_len, output_data,
|
||||||
|
@@ -7562,6 +7579,13 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
+ READ_LOCK);
|
||||||
|
+ if (rc != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_Decrypt(ctx->context, ctx->context_len, input_data,
|
||||||
|
input_data_len, output_data, p_output_data_len,
|
||||||
|
@@ -7602,13 +7626,6 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return CKR_OK; /* nothing to update, keep context */
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
- READ_LOCK);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
rc = decr_mgr_decrypt_update(tokdata, session, length_only,
|
||||||
|
ctx, input_part, input_part_len,
|
||||||
|
@@ -7616,6 +7633,13 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
+ READ_LOCK);
|
||||||
|
+ if (rc != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_DecryptUpdate(ctx->context, ctx->context_len,
|
||||||
|
input_part, input_part_len, output_part,
|
||||||
|
@@ -7695,6 +7719,12 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
+ if (ctx->pkey_active) {
|
||||||
|
+ rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||||
|
+ ctx, output_part, p_output_part_len);
|
||||||
|
+ goto done; /* no ep11 fallback possible */
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
READ_LOCK);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -7702,12 +7732,6 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ctx->pkey_active) {
|
||||||
|
- rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||||
|
- ctx, output_part, p_output_part_len);
|
||||||
|
- goto done; /* no ep11 fallback possible */
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_EncryptFinal(ctx->context, ctx->context_len,
|
||||||
|
output_part, p_output_part_len,
|
||||||
|
@@ -7742,13 +7766,6 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj = NULL;
|
||||||
|
|
||||||
|
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
- READ_LOCK);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
rc = encr_mgr_encrypt(tokdata, session, length_only, ctx,
|
||||||
|
input_data, input_data_len, output_data,
|
||||||
|
@@ -7756,6 +7773,13 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
+ READ_LOCK);
|
||||||
|
+ if (rc != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_Encrypt(ctx->context, ctx->context_len, input_data,
|
||||||
|
input_data_len, output_data, p_output_data_len,
|
||||||
|
@@ -7796,13 +7820,6 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return CKR_OK; /* nothing to update, keep context */
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
- READ_LOCK);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
rc = encr_mgr_encrypt_update(tokdata, session, length_only, ctx,
|
||||||
|
input_part, input_part_len, output_part,
|
||||||
|
@@ -7810,6 +7827,13 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||||
|
+ READ_LOCK);
|
||||||
|
+ if (rc != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
RETRY_START
|
||||||
|
rc = dll_m_EncryptUpdate(ctx->context, ctx->context_len,
|
||||||
|
input_part, input_part_len, output_part,
|
||||||
|
@@ -7921,6 +7945,10 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
+ /* Release obj lock, encr/decr_mgr_init may re-acquire the lock */
|
||||||
|
+ object_put(tokdata, key_obj, TRUE);
|
||||||
|
+ key_obj = NULL;
|
||||||
|
+
|
||||||
|
if (op == DECRYPT) {
|
||||||
|
rc = decr_mgr_init(tokdata, session, &session->decr_ctx,
|
||||||
|
OP_DECRYPT_INIT, mech, key);
|
@ -0,0 +1,104 @@
|
|||||||
|
commit d2f137cce5e6efb123842509352c7c49f889c67f
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu Jul 22 15:55:02 2021 +0200
|
||||||
|
|
||||||
|
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
|
||||||
|
|
||||||
|
Due to the way the parser works, a slot description like
|
||||||
|
'description = "slot"' works, but not without quotes ('description = slot').
|
||||||
|
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
|
||||||
|
too), so if the word 'slot' would appear in an unquoted string, the
|
||||||
|
configuration file would fail to parse.
|
||||||
|
|
||||||
|
Always quote the value of 'description' and 'manufacturer'. Quote the
|
||||||
|
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
|
||||||
|
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
index a29dc8f7..853986e8 100644
|
||||||
|
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
@@ -2060,7 +2060,7 @@ done:
|
||||||
|
*/
|
||||||
|
static int parseupdate_ockversion(void *private, const char *version)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
fprintf(u->f, "version %s", version);
|
||||||
|
return 0;
|
||||||
|
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
|
||||||
|
|
||||||
|
static void parseupdate_eol(void *private)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
fputc('\n', u->f);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
u->activeslot = (slot == u->slotnum);
|
||||||
|
if (nl_before_begin)
|
||||||
|
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||||
|
|
||||||
|
static int parseupdate_end_slot(void *private)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
if (u->activeslot)
|
||||||
|
fprintf(u->f, " tokversion = 3.12\n");
|
||||||
|
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
|
||||||
|
|
||||||
|
static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||||
|
- strchr(val, ' ') != NULL)
|
||||||
|
+ switch (tok) {
|
||||||
|
+ case KW_SLOTDESC:
|
||||||
|
+ case KW_MANUFID:
|
||||||
|
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||||
|
- else if (tok != KW_TOKVERSION)
|
||||||
|
+ break;
|
||||||
|
+ case KW_STDLL:
|
||||||
|
+ case KW_CONFNAME:
|
||||||
|
+ case KW_TOKNAME:
|
||||||
|
+ if (strchr(val, ' ') != NULL)
|
||||||
|
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||||
|
+ else
|
||||||
|
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||||
|
+ break;
|
||||||
|
+ case KW_HWVERSION:
|
||||||
|
+ case KW_FWVERSION:
|
||||||
|
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
if (tok == KW_TOKVERSION && !u->activeslot)
|
||||||
|
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||||
|
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||||
|
|
||||||
|
static void parseupdate_eolcomment(void *private, const char *comment)
|
||||||
|
{
|
||||||
|
- struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
fprintf(u->f, "#%s", comment);
|
||||||
|
}
|
@ -0,0 +1,239 @@
|
|||||||
|
commit d7de5092247a0efc2c397f12977a7c9925420143
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Feb 16 17:15:20 2021 +0100
|
||||||
|
|
||||||
|
TESTCASES: Add event support tests
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/testcases/misc_tests/events.c b/testcases/misc_tests/events.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..fecc7bfe
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/testcases/misc_tests/events.c
|
||||||
|
@@ -0,0 +1,190 @@
|
||||||
|
+/*
|
||||||
|
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||||
|
+ *
|
||||||
|
+ * This program is provided under the terms of the Common Public License,
|
||||||
|
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||||
|
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||||
|
+ * found in the file LICENSE file or at
|
||||||
|
+ * https://opensource.org/licenses/cpl1.0.php
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+
|
||||||
|
+#include "event_client.h"
|
||||||
|
+#include "regress.h"
|
||||||
|
+#include "defs.h"
|
||||||
|
+
|
||||||
|
+const char payload[20] = "12345678901234567890";
|
||||||
|
+
|
||||||
|
+static inline void init_event_destination(struct event_destination *dest,
|
||||||
|
+ unsigned int token_type,
|
||||||
|
+ const char *label,
|
||||||
|
+ pid_t process_id)
|
||||||
|
+{
|
||||||
|
+ size_t len;
|
||||||
|
+
|
||||||
|
+ dest->token_type = token_type;
|
||||||
|
+ dest->process_id = process_id;
|
||||||
|
+
|
||||||
|
+ memset(dest->token_label, ' ', sizeof(dest->token_label));
|
||||||
|
+ if (label != NULL) {
|
||||||
|
+ len = strlen(label);
|
||||||
|
+ memcpy(dest->token_label, label, len > sizeof(dest->token_label) ?
|
||||||
|
+ sizeof(dest->token_label) : len);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int main(int argc, char **argv)
|
||||||
|
+{
|
||||||
|
+ CK_C_INITIALIZE_ARGS cinit_args;
|
||||||
|
+ int rc, fd = -1, ret = 1;
|
||||||
|
+ struct event_destination dest;
|
||||||
|
+ struct event_reply reply;
|
||||||
|
+
|
||||||
|
+ UNUSED(argc);
|
||||||
|
+ UNUSED(argv);
|
||||||
|
+
|
||||||
|
+ rc = do_GetFunctionList();
|
||||||
|
+ if (!rc) {
|
||||||
|
+ testcase_error("do_getFunctionList(), rc=%s", p11_get_ckr(rc));
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Initialize Opencryptoki in this process, so that at least one
|
||||||
|
+ * process is receiving the events.
|
||||||
|
+ */
|
||||||
|
+ memset(&cinit_args, 0x0, sizeof(cinit_args));
|
||||||
|
+ cinit_args.flags = CKF_OS_LOCKING_OK;
|
||||||
|
+ funcs->C_Initialize(&cinit_args);
|
||||||
|
+
|
||||||
|
+ testcase_setup(0);
|
||||||
|
+ testcase_begin("Starting event tests");
|
||||||
|
+
|
||||||
|
+ // Test fork before C_Initialize
|
||||||
|
+ testcase_new_assertion();
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (simple, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (simple, one-shot)");
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||||
|
+ NULL, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (payload, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (payload, one-shot)");
|
||||||
|
+
|
||||||
|
+ init_event_destination(&dest, EVENT_TOK_TYPE_CCA, NULL, 0);
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (token-type, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (token-type, one-shot)");
|
||||||
|
+
|
||||||
|
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, "cca", 0);
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (token-label, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (token-label, one-shot)");
|
||||||
|
+
|
||||||
|
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, NULL, 12345);
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (pid, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (pid, one-shot)");
|
||||||
|
+
|
||||||
|
+ memset(&reply, 0, sizeof(reply));
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (reply, one-shot) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||||
|
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||||
|
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||||
|
+ if (reply.positive_replies + reply.negative_replies +
|
||||||
|
+ reply.nothandled_replies == 0) {
|
||||||
|
+ testcase_fail("send_event (reply, one-shot) replies all zero");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (reply, one-shot)");
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ fd = init_event_client();
|
||||||
|
+ if (fd < 0) {
|
||||||
|
+ testcase_fail("init_event_client rc = %d (%s)", fd, strerror(-fd));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("init_event_client()");
|
||||||
|
+
|
||||||
|
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (simple) rc = %d (%s)", rc, strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (simple)");
|
||||||
|
+
|
||||||
|
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||||
|
+ NULL, NULL);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (payload) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (payload)");
|
||||||
|
+
|
||||||
|
+ memset(&reply, 0, sizeof(reply));
|
||||||
|
+
|
||||||
|
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ testcase_fail("send_event (reply) rc = %d (%s)", rc,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||||
|
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||||
|
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||||
|
+ if (reply.positive_replies + reply.negative_replies +
|
||||||
|
+ reply.nothandled_replies == 0) {
|
||||||
|
+ testcase_fail("send_event (reply) replies all zero");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ testcase_pass("send_event (reply)");
|
||||||
|
+
|
||||||
|
+ term_event_client(fd);
|
||||||
|
+ fd = -1;
|
||||||
|
+
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (fd >= 0)
|
||||||
|
+ term_event_client(fd);
|
||||||
|
+
|
||||||
|
+ funcs->C_Finalize(NULL);
|
||||||
|
+
|
||||||
|
+ testcase_print_result();
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
diff --git a/testcases/misc_tests/misc_tests.mk b/testcases/misc_tests/misc_tests.mk
|
||||||
|
index 3de11ebe..fb7cc0a1 100644
|
||||||
|
--- a/testcases/misc_tests/misc_tests.mk
|
||||||
|
+++ b/testcases/misc_tests/misc_tests.mk
|
||||||
|
@@ -7,7 +7,8 @@ noinst_PROGRAMS += \
|
||||||
|
testcases/misc_tests/fork testcases/misc_tests/multi_instance \
|
||||||
|
testcases/misc_tests/obj_lock testcases/misc_tests/tok2tok_transport \
|
||||||
|
testcases/misc_tests/obj_lock testcases/misc_tests/reencrypt \
|
||||||
|
- testcases/misc_tests/cca_export_import_test
|
||||||
|
+ testcases/misc_tests/cca_export_import_test \
|
||||||
|
+ testcases/misc_tests/events
|
||||||
|
|
||||||
|
testcases_misc_tests_obj_mgmt_tests_CFLAGS = ${testcases_inc}
|
||||||
|
testcases_misc_tests_obj_mgmt_tests_LDADD = \
|
||||||
|
@@ -73,3 +74,8 @@ testcases_misc_tests_cca_export_import_test_LDADD = \
|
||||||
|
testcases/common/libcommon.la
|
||||||
|
testcases_misc_tests_cca_export_import_test_SOURCES = \
|
||||||
|
testcases/misc_tests/cca_export_import_test.c
|
||||||
|
+
|
||||||
|
+testcases_misc_tests_events_CFLAGS = ${testcases_inc}
|
||||||
|
+testcases_misc_tests_events_LDADD = testcases/common/libcommon.la
|
||||||
|
+testcases_misc_tests_events_SOURCES = testcases/misc_tests/events.c \
|
||||||
|
+ usr/lib/common/event_client.c
|
||||||
|
diff --git a/testcases/ock_tests.sh.in b/testcases/ock_tests.sh.in
|
||||||
|
index 64c77a7d..6558b031 100755
|
||||||
|
--- a/testcases/ock_tests.sh.in
|
||||||
|
+++ b/testcases/ock_tests.sh.in
|
||||||
|
@@ -53,6 +53,7 @@ OCK_TESTS+=" pkcs11/findobjects pkcs11/generate_keypair"
|
||||||
|
OCK_TESTS+=" pkcs11/get_interface pkcs11/getobjectsize pkcs11/sess_opstate"
|
||||||
|
OCK_TESTS+=" misc_tests/fork misc_tests/obj_mgmt_tests"
|
||||||
|
OCK_TESTS+=" misc_tests/obj_mgmt_lock_tests misc_tests/reencrypt"
|
||||||
|
+OCK_TESTS+=" misc_tests/events"
|
||||||
|
OCK_TEST=""
|
||||||
|
OCK_BENCHS="pkcs11/*bench"
|
||||||
|
|
@ -0,0 +1,619 @@
|
|||||||
|
commit d929fe8470e99f4dcbbd889e7aa87e147d0d5b48
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Feb 12 11:25:21 2021 +0100
|
||||||
|
|
||||||
|
Externalize linked list functions
|
||||||
|
|
||||||
|
Externalize the linked list functions (dlist_xxx), so that they
|
||||||
|
can also be used on pkcsslotd.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
|
||||||
|
index bd230b9f..c5e86fa7 100644
|
||||||
|
--- a/usr/lib/cca_stdll/cca_stdll.mk
|
||||||
|
+++ b/usr/lib/cca_stdll/cca_stdll.mk
|
||||||
|
@@ -35,7 +35,8 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = \
|
||||||
|
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||||
|
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||||
|
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||||
|
- usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c
|
||||||
|
+ usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c \
|
||||||
|
+ usr/lib/common/dlist.c
|
||||||
|
|
||||||
|
if ENABLE_LOCKS
|
||||||
|
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
|
||||||
|
diff --git a/usr/lib/common/dlist.c b/usr/lib/common/dlist.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..1fee1ea9
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/usr/lib/common/dlist.c
|
||||||
|
@@ -0,0 +1,218 @@
|
||||||
|
+/*
|
||||||
|
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||||
|
+ *
|
||||||
|
+ * This program is provided under the terms of the Common Public License,
|
||||||
|
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||||
|
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||||
|
+ * found in the file LICENSE file or at
|
||||||
|
+ * https://opensource.org/licenses/cpl1.0.php
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+
|
||||||
|
+#include "dlist.h"
|
||||||
|
+#include "host_defs.h"
|
||||||
|
+#include "h_extern.h"
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+// Function: dlist_add_as_first()
|
||||||
|
+//
|
||||||
|
+// Adds the specified node to the start of the list
|
||||||
|
+//
|
||||||
|
+// Returns: pointer to the start of the list
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *node = NULL;
|
||||||
|
+
|
||||||
|
+ if (!data)
|
||||||
|
+ return list;
|
||||||
|
+
|
||||||
|
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||||
|
+ if (!node)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ node->data = data;
|
||||||
|
+ node->prev = NULL;
|
||||||
|
+ node->next = list;
|
||||||
|
+ if (list)
|
||||||
|
+ list->prev = node;
|
||||||
|
+
|
||||||
|
+ return node;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// Function: dlist_add_as_last()
|
||||||
|
+//
|
||||||
|
+// Adds the specified node to the end of the list
|
||||||
|
+//
|
||||||
|
+// Returns: pointer to the start of the list
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *node = NULL;
|
||||||
|
+
|
||||||
|
+ if (!data)
|
||||||
|
+ return list;
|
||||||
|
+
|
||||||
|
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||||
|
+ if (!node)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ node->data = data;
|
||||||
|
+ node->next = NULL;
|
||||||
|
+
|
||||||
|
+ if (!list) {
|
||||||
|
+ node->prev = NULL;
|
||||||
|
+ return node;
|
||||||
|
+ } else {
|
||||||
|
+ DL_NODE *temp = dlist_get_last(list);
|
||||||
|
+ temp->next = node;
|
||||||
|
+ node->prev = temp;
|
||||||
|
+
|
||||||
|
+ return list;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// Function: dlist_find()
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *node = list;
|
||||||
|
+
|
||||||
|
+ while (node && node->data != data)
|
||||||
|
+ node = node->next;
|
||||||
|
+
|
||||||
|
+ return node;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// Function: dlist_get_first()
|
||||||
|
+//
|
||||||
|
+// Returns the last node in the list or NULL if list is empty
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_get_first(DL_NODE *list)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *temp = list;
|
||||||
|
+
|
||||||
|
+ if (!list)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ while (temp->prev != NULL)
|
||||||
|
+ temp = temp->prev;
|
||||||
|
+
|
||||||
|
+ return temp;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// Function: dlist_get_last()
|
||||||
|
+//
|
||||||
|
+// Returns the last node in the list or NULL if list is empty
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_get_last(DL_NODE *list)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *temp = list;
|
||||||
|
+
|
||||||
|
+ if (!list)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ while (temp->next != NULL)
|
||||||
|
+ temp = temp->next;
|
||||||
|
+
|
||||||
|
+ return temp;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+//
|
||||||
|
+//
|
||||||
|
+CK_ULONG dlist_length(DL_NODE *list)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *temp = list;
|
||||||
|
+ CK_ULONG len = 0;
|
||||||
|
+
|
||||||
|
+ while (temp) {
|
||||||
|
+ len++;
|
||||||
|
+ temp = temp->next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return len;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+//
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_next(DL_NODE *node)
|
||||||
|
+{
|
||||||
|
+ if (!node)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ return node->next;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+//
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_prev(DL_NODE *node)
|
||||||
|
+{
|
||||||
|
+ if (!node)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ return node->prev;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+//
|
||||||
|
+//
|
||||||
|
+void dlist_purge(DL_NODE *list)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *node;
|
||||||
|
+
|
||||||
|
+ if (!list)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ node = list->next;
|
||||||
|
+ free(list);
|
||||||
|
+ list = node;
|
||||||
|
+ } while (list);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// Function: dlist_remove_node()
|
||||||
|
+//
|
||||||
|
+// Attempts to remove the specified node from the list. The caller is
|
||||||
|
+// responsible for freeing the data associated with the node prior to
|
||||||
|
+// calling this routine
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||||
|
+{
|
||||||
|
+ DL_NODE *temp = list;
|
||||||
|
+
|
||||||
|
+ if (!list || !node)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ // special case: removing head of the list
|
||||||
|
+ //
|
||||||
|
+ if (list == node) {
|
||||||
|
+ temp = list->next;
|
||||||
|
+ if (temp)
|
||||||
|
+ temp->prev = NULL;
|
||||||
|
+
|
||||||
|
+ free(list);
|
||||||
|
+ return temp;
|
||||||
|
+ }
|
||||||
|
+ // we have no guarantee that the node is in the list
|
||||||
|
+ // so search through the list to find it
|
||||||
|
+ //
|
||||||
|
+ while ((temp != NULL) && (temp->next != node))
|
||||||
|
+ temp = temp->next;
|
||||||
|
+
|
||||||
|
+ if (temp != NULL) {
|
||||||
|
+ DL_NODE *next = node->next;
|
||||||
|
+
|
||||||
|
+ temp->next = next;
|
||||||
|
+ if (next)
|
||||||
|
+ next->prev = temp;
|
||||||
|
+
|
||||||
|
+ free(node);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return list;
|
||||||
|
+}
|
||||||
|
diff --git a/usr/lib/common/dlist.h b/usr/lib/common/dlist.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..eda4af9c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/usr/lib/common/dlist.h
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+/*
|
||||||
|
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||||
|
+ *
|
||||||
|
+ * This program is provided under the terms of the Common Public License,
|
||||||
|
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||||
|
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||||
|
+ * found in the file LICENSE file or at
|
||||||
|
+ * https://opensource.org/licenses/cpl1.0.php
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#ifndef _DLIST_H_
|
||||||
|
+#define _DLIST_H_
|
||||||
|
+
|
||||||
|
+#include "pkcs11types.h"
|
||||||
|
+#include "defs.h"
|
||||||
|
+
|
||||||
|
+// linked-list routines
|
||||||
|
+//
|
||||||
|
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||||
|
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||||
|
+DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||||
|
+DL_NODE *dlist_get_first(DL_NODE *list);
|
||||||
|
+DL_NODE *dlist_get_last(DL_NODE *list);
|
||||||
|
+CK_ULONG dlist_length(DL_NODE *list);
|
||||||
|
+DL_NODE *dlist_next(DL_NODE *list);
|
||||||
|
+DL_NODE *dlist_prev(DL_NODE *list);
|
||||||
|
+void dlist_purge(DL_NODE *list);
|
||||||
|
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||||
|
index 63aff79f..5e251d95 100644
|
||||||
|
--- a/usr/lib/common/h_extern.h
|
||||||
|
+++ b/usr/lib/common/h_extern.h
|
||||||
|
@@ -24,6 +24,7 @@
|
||||||
|
#define _H_EXTERN_H
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
+#include "dlist.h"
|
||||||
|
|
||||||
|
// global variables
|
||||||
|
//
|
||||||
|
@@ -1759,19 +1760,6 @@ int ec_point_from_public_data(const CK_BYTE *data, CK_ULONG data_len,
|
||||||
|
CK_BBOOL *allocated, CK_BYTE **ec_point,
|
||||||
|
CK_ULONG *ec_point_len);
|
||||||
|
|
||||||
|
-// linked-list routines
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||||
|
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||||
|
-DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||||
|
-DL_NODE *dlist_get_first(DL_NODE *list);
|
||||||
|
-DL_NODE *dlist_get_last(DL_NODE *list);
|
||||||
|
-CK_ULONG dlist_length(DL_NODE *list);
|
||||||
|
-DL_NODE *dlist_next(DL_NODE *list);
|
||||||
|
-DL_NODE *dlist_prev(DL_NODE *list);
|
||||||
|
-void dlist_purge(DL_NODE *list);
|
||||||
|
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||||
|
-
|
||||||
|
CK_RV attach_shm(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id);
|
||||||
|
CK_RV detach_shm(STDLL_TokData_t *tokdata, CK_BBOOL ignore_ref_count);
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
|
||||||
|
index 38d8d959..b2c6ee50 100644
|
||||||
|
--- a/usr/lib/common/utility.c
|
||||||
|
+++ b/usr/lib/common/utility.c
|
||||||
|
@@ -40,203 +40,6 @@
|
||||||
|
#include <sys/file.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
|
||||||
|
-// Function: dlist_add_as_first()
|
||||||
|
-//
|
||||||
|
-// Adds the specified node to the start of the list
|
||||||
|
-//
|
||||||
|
-// Returns: pointer to the start of the list
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||||
|
-{
|
||||||
|
- DL_NODE *node = NULL;
|
||||||
|
-
|
||||||
|
- if (!data)
|
||||||
|
- return list;
|
||||||
|
-
|
||||||
|
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||||
|
- if (!node)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- node->data = data;
|
||||||
|
- node->prev = NULL;
|
||||||
|
- node->next = list;
|
||||||
|
- if (list)
|
||||||
|
- list->prev = node;
|
||||||
|
-
|
||||||
|
- return node;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-// Function: dlist_add_as_last()
|
||||||
|
-//
|
||||||
|
-// Adds the specified node to the end of the list
|
||||||
|
-//
|
||||||
|
-// Returns: pointer to the start of the list
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||||
|
-{
|
||||||
|
- DL_NODE *node = NULL;
|
||||||
|
-
|
||||||
|
- if (!data)
|
||||||
|
- return list;
|
||||||
|
-
|
||||||
|
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||||
|
- if (!node)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- node->data = data;
|
||||||
|
- node->next = NULL;
|
||||||
|
-
|
||||||
|
- if (!list) {
|
||||||
|
- node->prev = NULL;
|
||||||
|
- return node;
|
||||||
|
- } else {
|
||||||
|
- DL_NODE *temp = dlist_get_last(list);
|
||||||
|
- temp->next = node;
|
||||||
|
- node->prev = temp;
|
||||||
|
-
|
||||||
|
- return list;
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-// Function: dlist_find()
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||||
|
-{
|
||||||
|
- DL_NODE *node = list;
|
||||||
|
-
|
||||||
|
- while (node && node->data != data)
|
||||||
|
- node = node->next;
|
||||||
|
-
|
||||||
|
- return node;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-// Function: dlist_get_first()
|
||||||
|
-//
|
||||||
|
-// Returns the last node in the list or NULL if list is empty
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_get_first(DL_NODE *list)
|
||||||
|
-{
|
||||||
|
- DL_NODE *temp = list;
|
||||||
|
-
|
||||||
|
- if (!list)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- while (temp->prev != NULL)
|
||||||
|
- temp = temp->prev;
|
||||||
|
-
|
||||||
|
- return temp;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-// Function: dlist_get_last()
|
||||||
|
-//
|
||||||
|
-// Returns the last node in the list or NULL if list is empty
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_get_last(DL_NODE *list)
|
||||||
|
-{
|
||||||
|
- DL_NODE *temp = list;
|
||||||
|
-
|
||||||
|
- if (!list)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- while (temp->next != NULL)
|
||||||
|
- temp = temp->next;
|
||||||
|
-
|
||||||
|
- return temp;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-//
|
||||||
|
-//
|
||||||
|
-CK_ULONG dlist_length(DL_NODE *list)
|
||||||
|
-{
|
||||||
|
- DL_NODE *temp = list;
|
||||||
|
- CK_ULONG len = 0;
|
||||||
|
-
|
||||||
|
- while (temp) {
|
||||||
|
- len++;
|
||||||
|
- temp = temp->next;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return len;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-//
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_next(DL_NODE *node)
|
||||||
|
-{
|
||||||
|
- if (!node)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- return node->next;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-//
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_prev(DL_NODE *node)
|
||||||
|
-{
|
||||||
|
- if (!node)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- return node->prev;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-//
|
||||||
|
-//
|
||||||
|
-void dlist_purge(DL_NODE *list)
|
||||||
|
-{
|
||||||
|
- DL_NODE *node;
|
||||||
|
-
|
||||||
|
- if (!list)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- do {
|
||||||
|
- node = list->next;
|
||||||
|
- free(list);
|
||||||
|
- list = node;
|
||||||
|
- } while (list);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-// Function: dlist_remove_node()
|
||||||
|
-//
|
||||||
|
-// Attempts to remove the specified node from the list. The caller is
|
||||||
|
-// responsible for freeing the data associated with the node prior to
|
||||||
|
-// calling this routine
|
||||||
|
-//
|
||||||
|
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||||
|
-{
|
||||||
|
- DL_NODE *temp = list;
|
||||||
|
-
|
||||||
|
- if (!list || !node)
|
||||||
|
- return NULL;
|
||||||
|
-
|
||||||
|
- // special case: removing head of the list
|
||||||
|
- //
|
||||||
|
- if (list == node) {
|
||||||
|
- temp = list->next;
|
||||||
|
- if (temp)
|
||||||
|
- temp->prev = NULL;
|
||||||
|
-
|
||||||
|
- free(list);
|
||||||
|
- return temp;
|
||||||
|
- }
|
||||||
|
- // we have no guarantee that the node is in the list
|
||||||
|
- // so search through the list to find it
|
||||||
|
- //
|
||||||
|
- while ((temp != NULL) && (temp->next != node))
|
||||||
|
- temp = temp->next;
|
||||||
|
-
|
||||||
|
- if (temp != NULL) {
|
||||||
|
- DL_NODE *next = node->next;
|
||||||
|
-
|
||||||
|
- temp->next = next;
|
||||||
|
- if (next)
|
||||||
|
- next->prev = temp;
|
||||||
|
-
|
||||||
|
- free(node);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return list;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t *tokdata)
|
||||||
|
{
|
||||||
|
char lockfile[PATH_MAX];
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
index bc617124..b5574d9e 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = \
|
||||||
|
usr/lib/common/utility.c usr/lib/common/trace.c \
|
||||||
|
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||||
|
usr/lib/common/attributes.c usr/lib/common/sw_crypt.c \
|
||||||
|
- usr/lib/common/profile_obj.c \
|
||||||
|
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||||
|
usr/lib/common/pkey_utils.c \
|
||||||
|
usr/lib/ep11_stdll/new_host.c usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||||
|
index d8448486..8f467e11 100644
|
||||||
|
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||||
|
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||||
|
@@ -34,7 +34,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
|
||||||
|
usr/lib/common/verify_mgr.c usr/lib/common/trace.c \
|
||||||
|
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||||
|
usr/lib/common/profile_obj.c usr/lib/common/attributes.c \
|
||||||
|
- usr/lib/ica_s390_stdll/ica_specific.c
|
||||||
|
+ usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c
|
||||||
|
|
||||||
|
if ENABLE_LOCKS
|
||||||
|
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
|
||||||
|
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||||
|
index 788478c2..21c64f9a 100644
|
||||||
|
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||||
|
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||||
|
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = \
|
||||||
|
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||||
|
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||||
|
usr/lib/common/attributes.c usr/lib/icsf_stdll/new_host.c \
|
||||||
|
- usr/lib/common/profile_obj.c \
|
||||||
|
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||||
|
usr/lib/icsf_stdll/pbkdf.c usr/lib/icsf_stdll/icsf_specific.c \
|
||||||
|
usr/lib/icsf_stdll/icsf_config_parse.y \
|
||||||
|
usr/lib/icsf_stdll/icsf_config_lexer.l \
|
||||||
|
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
|
||||||
|
index cea802b5..ac401539 100644
|
||||||
|
--- a/usr/lib/soft_stdll/soft_stdll.mk
|
||||||
|
+++ b/usr/lib/soft_stdll/soft_stdll.mk
|
||||||
|
@@ -32,7 +32,8 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
|
||||||
|
usr/lib/common/utility.c usr/lib/common/verify_mgr.c \
|
||||||
|
usr/lib/common/trace.c usr/lib/common/mech_list.c \
|
||||||
|
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||||
|
- usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c
|
||||||
|
+ usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
|
||||||
|
+ usr/lib/common/dlist.c
|
||||||
|
|
||||||
|
if ENABLE_LOCKS
|
||||||
|
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
|
||||||
|
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||||
|
index f199a103..0e0eb024 100644
|
||||||
|
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||||
|
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||||
|
@@ -34,7 +34,8 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
|
||||||
|
usr/lib/common/verify_mgr.c usr/lib/common/mech_list.c \
|
||||||
|
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||||
|
usr/lib/tpm_stdll/tpm_specific.c usr/lib/common/attributes.c \
|
||||||
|
- usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c
|
||||||
|
+ usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
|
||||||
|
+ usr/lib/common/dlist.c
|
||||||
|
|
||||||
|
if ENABLE_LOCKS
|
||||||
|
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
|
||||||
|
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
|
||||||
|
index a223265f..cc40f819 100644
|
||||||
|
--- a/usr/sbin/pkcscca/pkcscca.mk
|
||||||
|
+++ b/usr/sbin/pkcscca/pkcscca.mk
|
||||||
|
@@ -36,7 +36,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = \
|
||||||
|
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||||
|
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||||
|
usr/lib/common/attributes.c usr/lib/common/mech_rng.c \
|
||||||
|
- usr/lib/common/pkcs_utils.c \
|
||||||
|
+ usr/lib/common/pkcs_utils.c usr/lib/common/dlist.c \
|
||||||
|
usr/sbin/pkcscca/pkcscca.c
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.mk b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||||
|
index 4f0e3c56..2d36b4a9 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||||
|
+++ b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||||
|
@@ -21,5 +21,6 @@ usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||||
|
usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
|
||||||
|
nodist_usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||||
|
- usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c
|
||||||
|
+ usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c \
|
||||||
|
+ usr/lib/common/dlist.c
|
||||||
|
usr/sbin/pkcsslotd/slotmgr.$(OBJEXT): usr/lib/common/parser.h
|
@ -0,0 +1,25 @@
|
|||||||
|
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu Jul 8 15:18:30 2021 +0200
|
||||||
|
|
||||||
|
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
|
||||||
|
|
||||||
|
When migrating a slot the opencryptoki.conf file is modified. If it
|
||||||
|
contains slots that already contain the 'tokversion = x.y' keyword,
|
||||||
|
this is accidentally removed when migrating another slot.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
index 3df1596e..05081aff 100644
|
||||||
|
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||||
|
{
|
||||||
|
struct parseupdate *u = (struct parseupdate *)private;
|
||||||
|
|
||||||
|
- if (tok != KW_TOKVERSION)
|
||||||
|
+ if (tok == KW_TOKVERSION && !u->activeslot)
|
||||||
|
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||||
|
vers >> 16, vers & 0xffu);
|
||||||
|
return 0;
|
@ -0,0 +1,310 @@
|
|||||||
|
commit e9548127edae313da7840bcb87fd0afd04549c2e
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Feb 8 15:26:23 2021 +0100
|
||||||
|
|
||||||
|
pkcsslotd: Refactoring in preparation for event support
|
||||||
|
|
||||||
|
No functional change so far, just making things a bit bore clearer.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||||
|
index 3950a9a3..4d038435 100644
|
||||||
|
--- a/usr/include/slotmgr.h
|
||||||
|
+++ b/usr/include/slotmgr.h
|
||||||
|
@@ -30,7 +30,7 @@
|
||||||
|
#define TOK_PATH SBIN_PATH "/pkcsslotd"
|
||||||
|
#define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
|
||||||
|
|
||||||
|
-#define SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||||
|
+#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||||
|
|
||||||
|
#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
|
||||||
|
#define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
|
||||||
|
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||||
|
index b74b763f..2873a20a 100644
|
||||||
|
--- a/usr/lib/api/api_interface.c
|
||||||
|
+++ b/usr/lib/api/api_interface.c
|
||||||
|
@@ -2831,7 +2831,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||||
|
TRACE_DEBUG("Shared memory %p \n", Anchor->SharedMemP);
|
||||||
|
|
||||||
|
/* Connect to slot daemon and retrieve slot infos */
|
||||||
|
- Anchor->socketfd = connect_socket(SOCKET_FILE_PATH);
|
||||||
|
+ Anchor->socketfd = connect_socket(PROC_SOCKET_FILE_PATH);
|
||||||
|
if (Anchor->socketfd < 0) {
|
||||||
|
OCK_SYSLOG(LOG_ERR, "C_Initialize: Module failed to create a "
|
||||||
|
"socket. Verify that the slot management daemon is "
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
index 813db9f4..69eb59f3 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||||
|
@@ -61,7 +61,6 @@ extern key_t tok;
|
||||||
|
extern Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||||
|
extern unsigned int NumberSlotsInDB;
|
||||||
|
|
||||||
|
-extern int socketfd;
|
||||||
|
extern Slot_Mgr_Socket_t socketData;
|
||||||
|
|
||||||
|
|
||||||
|
@@ -89,9 +88,9 @@ int XProcLock(void);
|
||||||
|
int XProcUnLock(void);
|
||||||
|
int CreateXProcLock(void);
|
||||||
|
|
||||||
|
-int CreateListenerSocket(void);
|
||||||
|
-int InitSocketData(Slot_Mgr_Socket_t *sp);
|
||||||
|
-int SocketConnectionHandler(int socketfd, int timeout_secs);
|
||||||
|
-void DetachSocketListener(int socketfd);
|
||||||
|
+int init_socket_server();
|
||||||
|
+int term_socket_server();
|
||||||
|
+int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||||
|
+int socket_connection_handler(int timeout_secs);
|
||||||
|
|
||||||
|
#endif /* _SLOTMGR_H */
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/signal.c b/usr/sbin/pkcsslotd/signal.c
|
||||||
|
index cf7b9087..49482a2f 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/signal.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/signal.c
|
||||||
|
@@ -101,7 +101,7 @@ void slotdGenericSignalHandler(int Signal)
|
||||||
|
|
||||||
|
InfoLog("Exiting on %s (%d; %#x)", SignalConst(Signal), Signal, Signal);
|
||||||
|
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
+ term_socket_server();
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
index ea5c86f5..94288f13 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||||
|
@@ -37,7 +37,6 @@ unsigned int NumberSlotsInDB = 0;
|
||||||
|
|
||||||
|
Slot_Info_t_64 *psinfo;
|
||||||
|
|
||||||
|
-int socketfd;
|
||||||
|
Slot_Mgr_Socket_t socketData;
|
||||||
|
|
||||||
|
struct dircheckinfo_s {
|
||||||
|
@@ -569,15 +568,15 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
if (!XProcUnLock())
|
||||||
|
return 4;
|
||||||
|
|
||||||
|
- if ((socketfd = CreateListenerSocket()) < 0) {
|
||||||
|
+ if (!init_socket_server()) {
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
return 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!InitSocketData(&socketData)) {
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
+ if (!init_socket_data(&socketData)) {
|
||||||
|
+ term_socket_server();
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
@@ -598,7 +597,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
if (Daemon) {
|
||||||
|
pid_t pid;
|
||||||
|
if ((pid = fork()) < 0) {
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
+ term_socket_server();
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
@@ -643,7 +642,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
* the daemonization process redefines our handler for (at least) SIGTERM
|
||||||
|
*/
|
||||||
|
if (!SetupSignalHandlers()) {
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
+ term_socket_server();
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
@@ -664,7 +663,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
printf("Start garbage \n");
|
||||||
|
/* start garbage collection thread */
|
||||||
|
if (!StartGCThread(shmp)) {
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
+ term_socket_server();
|
||||||
|
DestroyMutexes();
|
||||||
|
DetachFromSharedMemory();
|
||||||
|
DestroySharedMemory();
|
||||||
|
@@ -684,7 +683,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||||
|
#if !(THREADED) && !(NOGARBAGE)
|
||||||
|
CheckForGarbage(shmp);
|
||||||
|
#endif
|
||||||
|
- SocketConnectionHandler(socketfd, 10);
|
||||||
|
+ socket_connection_handler(10);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*************************************************************
|
||||||
|
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
index ae0eff92..1fae0b95 100644
|
||||||
|
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||||
|
@@ -25,10 +25,14 @@
|
||||||
|
#include "pkcsslotd.h"
|
||||||
|
#include "apictl.h"
|
||||||
|
|
||||||
|
+int proc_listener_socket = -1;
|
||||||
|
+
|
||||||
|
+static void close_listener_socket(int socketfd, const char *file_path);
|
||||||
|
+
|
||||||
|
// Creates the daemon's listener socket, to which clients will connect and
|
||||||
|
// retrieve slot information through. Returns the file descriptor of the
|
||||||
|
// created socket.
|
||||||
|
-int CreateListenerSocket(void)
|
||||||
|
+static int create_listener_socket(const char *file_path)
|
||||||
|
{
|
||||||
|
struct sockaddr_un address;
|
||||||
|
struct group *grp;
|
||||||
|
@@ -39,53 +43,60 @@ int CreateListenerSocket(void)
|
||||||
|
ErrLog("Failed to create listener socket, errno 0x%X.", errno);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
- if (unlink(SOCKET_FILE_PATH) && errno != ENOENT) {
|
||||||
|
+ if (unlink(file_path) && errno != ENOENT) {
|
||||||
|
ErrLog("Failed to unlink socket file, errno 0x%X.", errno);
|
||||||
|
- close(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(&address, 0, sizeof(struct sockaddr_un));
|
||||||
|
address.sun_family = AF_UNIX;
|
||||||
|
- strcpy(address.sun_path, SOCKET_FILE_PATH);
|
||||||
|
+ strcpy(address.sun_path, file_path);
|
||||||
|
|
||||||
|
if (bind(socketfd,
|
||||||
|
(struct sockaddr *) &address, sizeof(struct sockaddr_un)) != 0) {
|
||||||
|
ErrLog("Failed to bind to socket, errno 0x%X.", errno);
|
||||||
|
- close(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
// make socket file part of the pkcs11 group, and write accessable
|
||||||
|
// for that group
|
||||||
|
grp = getgrnam("pkcs11");
|
||||||
|
if (!grp) {
|
||||||
|
ErrLog("Group PKCS#11 does not exist");
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
- if (chown(SOCKET_FILE_PATH, 0, grp->gr_gid)) {
|
||||||
|
+ if (chown(file_path, 0, grp->gr_gid)) {
|
||||||
|
ErrLog("Could not change file group on socket, errno 0x%X.", errno);
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
- if (chmod(SOCKET_FILE_PATH,
|
||||||
|
+ if (chmod(file_path,
|
||||||
|
S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP | S_IXUSR | S_IXGRP)) {
|
||||||
|
ErrLog("Could not change file permissions on socket, errno 0x%X.",
|
||||||
|
errno);
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (listen(socketfd, 20) != 0) {
|
||||||
|
ErrLog("Failed to listen to socket, errno 0x%X.", errno);
|
||||||
|
- DetachSocketListener(socketfd);
|
||||||
|
- return -1;
|
||||||
|
+ goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
return socketfd;
|
||||||
|
+
|
||||||
|
+error:
|
||||||
|
+ if (socketfd >= 0)
|
||||||
|
+ close_listener_socket(socketfd, file_path);
|
||||||
|
+
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static void close_listener_socket(int socketfd, const char *file_path)
|
||||||
|
+{
|
||||||
|
+ close(socketfd);
|
||||||
|
+ unlink(file_path);
|
||||||
|
}
|
||||||
|
|
||||||
|
-int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||||
|
+int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||||
|
{
|
||||||
|
unsigned int processed = 0;
|
||||||
|
|
||||||
|
@@ -102,19 +113,19 @@ int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||||
|
+int socket_connection_handler(int timeout_secs)
|
||||||
|
{
|
||||||
|
int returnVal;
|
||||||
|
fd_set set;
|
||||||
|
struct timeval timeout;
|
||||||
|
|
||||||
|
FD_ZERO(&set);
|
||||||
|
- FD_SET(socketfd, &set);
|
||||||
|
+ FD_SET(proc_listener_socket, &set);
|
||||||
|
|
||||||
|
timeout.tv_sec = timeout_secs;
|
||||||
|
timeout.tv_usec = 0;
|
||||||
|
|
||||||
|
- returnVal = select(socketfd + 1, &set, NULL, NULL, &timeout);
|
||||||
|
+ returnVal = select(proc_listener_socket + 1, &set, NULL, NULL, &timeout);
|
||||||
|
if (returnVal == -1) {
|
||||||
|
ErrLog("select failed on socket connection, errno 0x%X.", errno);
|
||||||
|
return FALSE;
|
||||||
|
@@ -125,7 +136,7 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||||
|
struct sockaddr_un address;
|
||||||
|
socklen_t address_length = sizeof(address);
|
||||||
|
|
||||||
|
- int connectionfd = accept(socketfd,
|
||||||
|
+ int connectionfd = accept(proc_listener_socket,
|
||||||
|
(struct sockaddr *) &address,
|
||||||
|
&address_length);
|
||||||
|
if (connectionfd < 0) {
|
||||||
|
@@ -138,6 +149,10 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||||
|
}
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ DbgLog(DL0, "Accepted connection from process: socket: %d",
|
||||||
|
+ connectionfd);
|
||||||
|
+
|
||||||
|
if (write(connectionfd, &socketData, sizeof(socketData)) !=
|
||||||
|
sizeof(socketData)) {
|
||||||
|
ErrLog("Failed to write socket data, errno 0x%X.", errno);
|
||||||
|
@@ -149,8 +164,23 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-void DetachSocketListener(int socketfd)
|
||||||
|
+int init_socket_server()
|
||||||
|
{
|
||||||
|
- close(socketfd);
|
||||||
|
- unlink(SOCKET_FILE_PATH);
|
||||||
|
+ proc_listener_socket = create_listener_socket(PROC_SOCKET_FILE_PATH);
|
||||||
|
+ if (proc_listener_socket < 0)
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
+ DbgLog(DL0, "Socket server started");
|
||||||
|
+
|
||||||
|
+ return TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int term_socket_server()
|
||||||
|
+{
|
||||||
|
+ if (proc_listener_socket >= 0)
|
||||||
|
+ close_listener_socket(proc_listener_socket, PROC_SOCKET_FILE_PATH);
|
||||||
|
+
|
||||||
|
+ DbgLog(DL0, "Socket server stopped");
|
||||||
|
+
|
||||||
|
+ return TRUE;
|
||||||
|
}
|
@ -0,0 +1,287 @@
|
|||||||
|
commit fa94a16116d8382a987ddf9e8cdd88027dd1f647
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Feb 16 17:13:34 2021 +0100
|
||||||
|
|
||||||
|
Event support: Add event client
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/common.mk b/usr/lib/common/common.mk
|
||||||
|
index 2178ad45..882c84f4 100644
|
||||||
|
--- a/usr/lib/common/common.mk
|
||||||
|
+++ b/usr/lib/common/common.mk
|
||||||
|
@@ -4,7 +4,7 @@ noinst_HEADERS += \
|
||||||
|
usr/lib/common/shared_memory.h usr/lib/common/tok_spec_struct.h \
|
||||||
|
usr/lib/common/trace.h usr/lib/common/h_extern.h \
|
||||||
|
usr/lib/common/sw_crypt.h usr/lib/common/defs.h \
|
||||||
|
- usr/lib/common/p11util.h \
|
||||||
|
+ usr/lib/common/p11util.h usr/lib/common/event_client.h \
|
||||||
|
usr/lib/common/list.h usr/lib/common/tok_specific.h
|
||||||
|
|
||||||
|
usr/lib/common/lexer.c: usr/lib/common/parser.h
|
||||||
|
diff --git a/usr/lib/common/event_client.c b/usr/lib/common/event_client.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..86117b84
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/usr/lib/common/event_client.c
|
||||||
|
@@ -0,0 +1,215 @@
|
||||||
|
+/*
|
||||||
|
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||||
|
+ *
|
||||||
|
+ * This program is provided under the terms of the Common Public License,
|
||||||
|
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||||
|
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||||
|
+ * found in the file LICENSE file or at
|
||||||
|
+ * https://opensource.org/licenses/cpl1.0.php
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <sys/un.h>
|
||||||
|
+#include <sys/socket.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <unistd.h>
|
||||||
|
+#include <grp.h>
|
||||||
|
+
|
||||||
|
+#include "slotmgr.h"
|
||||||
|
+#include "event_client.h"
|
||||||
|
+
|
||||||
|
+static int connect_socket(const char *file_path)
|
||||||
|
+{
|
||||||
|
+ int socketfd;
|
||||||
|
+ struct sockaddr_un daemon_address;
|
||||||
|
+ struct stat file_info;
|
||||||
|
+ struct group *grp;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ if (stat(file_path, &file_info))
|
||||||
|
+ return -errno;
|
||||||
|
+
|
||||||
|
+ grp = getgrnam("pkcs11");
|
||||||
|
+ if (!grp)
|
||||||
|
+ return -errno;
|
||||||
|
+
|
||||||
|
+ if (file_info.st_uid != 0 || file_info.st_gid != grp->gr_gid)
|
||||||
|
+ return -EPERM;
|
||||||
|
+
|
||||||
|
+ if ((socketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
|
||||||
|
+ return -errno;
|
||||||
|
+
|
||||||
|
+ memset(&daemon_address, 0, sizeof(struct sockaddr_un));
|
||||||
|
+ daemon_address.sun_family = AF_UNIX;
|
||||||
|
+ strcpy(daemon_address.sun_path, file_path);
|
||||||
|
+
|
||||||
|
+ if (connect(socketfd, (struct sockaddr *) &daemon_address,
|
||||||
|
+ sizeof(struct sockaddr_un)) != 0) {
|
||||||
|
+ rc = -errno;
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return socketfd;
|
||||||
|
+
|
||||||
|
+error:
|
||||||
|
+ close(socketfd);
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t read_all(int socketfd, char *buffer, size_t size)
|
||||||
|
+{
|
||||||
|
+ size_t bytes_received = 0;
|
||||||
|
+ ssize_t n;
|
||||||
|
+
|
||||||
|
+ while (bytes_received < size) {
|
||||||
|
+ n = read(socketfd, buffer + bytes_received, size - bytes_received);
|
||||||
|
+ if (n < 0) {
|
||||||
|
+ // read error
|
||||||
|
+ if (errno == EINTR)
|
||||||
|
+ continue;
|
||||||
|
+ return -errno;
|
||||||
|
+ }
|
||||||
|
+ if (n == 0)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ bytes_received += n;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return bytes_received;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static ssize_t send_all(int socketfd, char *buffer, size_t size)
|
||||||
|
+{
|
||||||
|
+ size_t bytes_sent = 0;
|
||||||
|
+ ssize_t n;
|
||||||
|
+
|
||||||
|
+ while (bytes_sent < size) {
|
||||||
|
+ n = send(socketfd, buffer + bytes_sent, size - bytes_sent, 0);
|
||||||
|
+ if (n < 0) {
|
||||||
|
+ // send error
|
||||||
|
+ if (errno == EINTR)
|
||||||
|
+ continue;
|
||||||
|
+ return -errno;
|
||||||
|
+ }
|
||||||
|
+ if (n == 0)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ bytes_sent += n;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return bytes_sent;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Initialize an admin connection to the pkcsslotd.
|
||||||
|
+ * Returns a file descriptor representing the connection, or a negative errno
|
||||||
|
+ * in case of an error.
|
||||||
|
+ */
|
||||||
|
+int init_event_client()
|
||||||
|
+{
|
||||||
|
+ int fd;
|
||||||
|
+
|
||||||
|
+ fd = connect_socket(ADMIN_SOCKET_FILE_PATH);
|
||||||
|
+
|
||||||
|
+ return fd;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Send an event though the admin connection to the pkcsslotd, and thus to
|
||||||
|
+ * all active token instances.
|
||||||
|
+ * If parameter fd is < 0, then a connection to pkcsslotd is established
|
||||||
|
+ * inside the function and closed before return. This is for a one shot event.
|
||||||
|
+ * Otherwise, pass a file descriptor received from init_event_client(). This
|
||||||
|
+ * is to send multiple events.
|
||||||
|
+ * Event type is mandatory, flags can be zero.
|
||||||
|
+ * The event payload is optional, if payload_len is non-zero, then payload must
|
||||||
|
+ * point to a buffer containing the payload to send with the event.
|
||||||
|
+ * The event destination can be used to selectively send the event to certain
|
||||||
|
+ * token instances only. If destination is NULL, it is sent to all token
|
||||||
|
+ * instances.
|
||||||
|
+ * If flag EVENT_FLAGS_REPLY_REQ is on in the flags parameter, then it is waited
|
||||||
|
+ * until all active token instances have replied. The combined result of the
|
||||||
|
+ * replies from the token instances is returned in the reply structure.
|
||||||
|
+ * Parameter reply must be non-NULL if flag EVENT_FLAGS_REPLY_REQ is set.
|
||||||
|
+ * Returns zero for success, or a negative errno in case of an error. In most
|
||||||
|
+ * error cases the connection to the pkcsslotd is out of sequence and can no
|
||||||
|
+ * longer be used to send further events.
|
||||||
|
+ */
|
||||||
|
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||||
|
+ unsigned int payload_len, const char *payload,
|
||||||
|
+ const struct event_destination *destination,
|
||||||
|
+ struct event_reply *reply)
|
||||||
|
+{
|
||||||
|
+ event_msg_t event_msg;
|
||||||
|
+ event_reply_t event_reply;
|
||||||
|
+ int rc, term = 0;
|
||||||
|
+
|
||||||
|
+ if (payload_len > 0 && payload == NULL)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+ if ((flags & EVENT_FLAGS_REPLY_REQ) && reply == NULL)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+ if (payload_len > EVENT_MAX_PAYLOAD_LENGTH)
|
||||||
|
+ return -EMSGSIZE;
|
||||||
|
+
|
||||||
|
+ if (fd < 0) {
|
||||||
|
+ fd = init_event_client();
|
||||||
|
+ if (fd < 0)
|
||||||
|
+ return fd;
|
||||||
|
+ term = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memset(&event_msg, 0, sizeof(event_msg));
|
||||||
|
+ event_msg.version = EVENT_VERSION_1;
|
||||||
|
+ event_msg.type = type;
|
||||||
|
+ event_msg.flags = flags;
|
||||||
|
+ if (destination != NULL) {
|
||||||
|
+ event_msg.token_type = destination->token_type;
|
||||||
|
+ memcpy(event_msg.token_label, destination->token_label,
|
||||||
|
+ sizeof(event_msg.token_label));
|
||||||
|
+ event_msg.process_id = destination->process_id;
|
||||||
|
+ } else {
|
||||||
|
+ memset(event_msg.token_label, ' ', sizeof(event_msg.token_label));
|
||||||
|
+ }
|
||||||
|
+ event_msg.payload_len = payload_len;
|
||||||
|
+
|
||||||
|
+ rc = send_all(fd, (char *)&event_msg, sizeof(event_msg));
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ if (payload_len > 0) {
|
||||||
|
+ rc = send_all(fd, (char *)payload, payload_len);
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (flags & EVENT_FLAGS_REPLY_REQ) {
|
||||||
|
+ rc = read_all(fd, (char *)&event_reply, sizeof(event_reply));
|
||||||
|
+ if (rc < 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ reply->positive_replies = event_reply.positive_replies;
|
||||||
|
+ reply->negative_replies = event_reply.negative_replies;
|
||||||
|
+ reply->nothandled_replies = event_reply.nothandled_replies;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = 0;
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (term)
|
||||||
|
+ term_event_client(fd);
|
||||||
|
+
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Terminate the admin connection to the pkcsslotd.
|
||||||
|
+ */
|
||||||
|
+void term_event_client(int fd)
|
||||||
|
+{
|
||||||
|
+ if (fd >= 0)
|
||||||
|
+ close(fd);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
diff --git a/usr/lib/common/event_client.h b/usr/lib/common/event_client.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..2e4917b0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/usr/lib/common/event_client.h
|
||||||
|
@@ -0,0 +1,39 @@
|
||||||
|
+/*
|
||||||
|
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||||
|
+ *
|
||||||
|
+ * This program is provided under the terms of the Common Public License,
|
||||||
|
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||||
|
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||||
|
+ * found in the file LICENSE file or at
|
||||||
|
+ * https://opensource.org/licenses/cpl1.0.php
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+#ifndef _EVENT_CLIENT_H_
|
||||||
|
+#define _EVENT_CLIENT_H_
|
||||||
|
+
|
||||||
|
+#include "events.h"
|
||||||
|
+
|
||||||
|
+struct event_destination {
|
||||||
|
+ unsigned int token_type; /* Destination token type: EVENT_TOK_TYPE_xxx */
|
||||||
|
+ char token_label[member_size(event_msg_t, token_label)];
|
||||||
|
+ /* Label of destination token (or blanks) */
|
||||||
|
+ pid_t process_id; /* Process ID of destination process (or 0) */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct event_reply {
|
||||||
|
+ unsigned long positive_replies;
|
||||||
|
+ unsigned long negative_replies;
|
||||||
|
+ unsigned long nothandled_replies;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+int init_event_client();
|
||||||
|
+
|
||||||
|
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||||
|
+ unsigned int payload_len, const char *payload,
|
||||||
|
+ const struct event_destination *destination,
|
||||||
|
+ struct event_reply *reply);
|
||||||
|
+
|
||||||
|
+void term_event_client(int fd);
|
||||||
|
+
|
||||||
|
+#endif
|
@ -0,0 +1,106 @@
|
|||||||
|
commit 5951869263b556280da53498270cf4826f779c5b
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Jul 13 09:05:22 2021 +0200
|
||||||
|
|
||||||
|
pkcstok_migrate: Fix detection if pkcsslotd is still running
|
||||||
|
|
||||||
|
Change the code to use the pid file that pkcsslotd creates, and check
|
||||||
|
if the process with the pid contained in the pid file still exists and
|
||||||
|
runs pkcsslotd.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
index 05081aff..a29dc8f7 100644
|
||||||
|
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||||
|
@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
|
||||||
|
*/
|
||||||
|
static CK_BBOOL pkcsslotd_running(void)
|
||||||
|
{
|
||||||
|
- DIR *dir;
|
||||||
|
FILE *fp;
|
||||||
|
- struct dirent* ent;
|
||||||
|
char* endptr;
|
||||||
|
- char buf[PATH_MAX];
|
||||||
|
+ long lpid;
|
||||||
|
char fname[PATH_MAX];
|
||||||
|
+ char buf[PATH_MAX];
|
||||||
|
+ char* first;
|
||||||
|
|
||||||
|
TRACE_INFO("Checking if pkcsslotd is running ...\n");
|
||||||
|
- if (!(dir = opendir("/proc"))) {
|
||||||
|
- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
|
||||||
|
- return CK_TRUE;
|
||||||
|
+
|
||||||
|
+ fp = fopen(PID_FILE_PATH, "r");
|
||||||
|
+ if (fp == NULL) {
|
||||||
|
+ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
|
||||||
|
+ PID_FILE_PATH);
|
||||||
|
+ return CK_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- while ((ent = readdir(dir)) != NULL) {
|
||||||
|
- /* if endptr is not a null character, the directory is not
|
||||||
|
- * entirely numeric, so ignore it */
|
||||||
|
- long lpid = strtol(ent->d_name, &endptr, 10);
|
||||||
|
- if (*endptr != '\0') {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||||
|
+ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
|
||||||
|
+ strerror(errno));
|
||||||
|
+ fclose(fp);
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+ }
|
||||||
|
+ fclose(fp);
|
||||||
|
|
||||||
|
- /* try to open the cmdline file */
|
||||||
|
- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||||
|
- fp = fopen(fname, "r");
|
||||||
|
- if (!fp) {
|
||||||
|
- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
|
||||||
|
- return CK_TRUE;
|
||||||
|
- }
|
||||||
|
+ lpid = strtol(buf, &endptr, 10);
|
||||||
|
+ if (*endptr != '\0' && *endptr != '\n') {
|
||||||
|
+ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
|
||||||
|
+ buf);
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- /* check the first token in the file: the program pathname */
|
||||||
|
- if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||||
|
- char* first = strtok(buf, " ");
|
||||||
|
- if (!first) {
|
||||||
|
- TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
|
||||||
|
- fname);
|
||||||
|
- return CK_TRUE;
|
||||||
|
- }
|
||||||
|
- if (strstr(first, "pkcsslotd") != NULL) {
|
||||||
|
- fclose(fp);
|
||||||
|
- closedir(dir);
|
||||||
|
- return CK_TRUE;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||||
|
+ fp = fopen(fname, "r");
|
||||||
|
+ if (fp == NULL) {
|
||||||
|
+ TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||||
|
+ TRACE_INFO("Failed to read '%s'\n", fname);
|
||||||
|
fclose(fp);
|
||||||
|
+ return CK_FALSE;
|
||||||
|
}
|
||||||
|
+ fclose(fp);
|
||||||
|
|
||||||
|
- closedir(dir);
|
||||||
|
- return CK_FALSE;
|
||||||
|
+ first = strtok(buf, " ");
|
||||||
|
+ return (first != NULL && strstr(first, "pkcsslotd") != NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
@ -0,0 +1,24 @@
|
|||||||
|
commit 11196c4d7e221d29f0d385bd48ae4d6023a6e874
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 10:56:17 2021 +0200
|
||||||
|
|
||||||
|
CONFIGURE: fix configure.ac for --with-openssl
|
||||||
|
|
||||||
|
The openSSL include files are in <openssl-path>/include while
|
||||||
|
the libraries are in <openssl-path> directly.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index e2cc537a..d3374476 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -272,7 +272,7 @@ OPENSSL_CFLAGS=
|
||||||
|
OPENSSL_LIBS=
|
||||||
|
if test "x$with_openssl" != "xno"; then
|
||||||
|
if test "x$with_openssl" != "xyes" -a "x$with_openssl" != "xcheck"; then
|
||||||
|
- OPENSSL_CFLAGS="-I$with_openssl"
|
||||||
|
+ OPENSSL_CFLAGS="-I$with_openssl/include"
|
||||||
|
OPENSSL_LIBS="-L$with_openssl"
|
||||||
|
fi
|
||||||
|
old_cflags="$CFLAGS"
|
@ -0,0 +1,123 @@
|
|||||||
|
commit 11a53055b22d590bd3c197908b0ff63f6fd3c520
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Jun 29 17:35:18 2021 +0200
|
||||||
|
|
||||||
|
COMMON: mech_ec: Remove deprecated OpenSSL functions
|
||||||
|
|
||||||
|
All low level EC_KEY functions are deprecated in OpenSSL 3.0.
|
||||||
|
Update the code to not use any of those.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/ec_defs.h b/usr/lib/common/ec_defs.h
|
||||||
|
index 1f48794b..897cf891 100644
|
||||||
|
--- a/usr/lib/common/ec_defs.h
|
||||||
|
+++ b/usr/lib/common/ec_defs.h
|
||||||
|
@@ -14,13 +14,6 @@
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
|
#include "ec_curves.h"
|
||||||
|
|
||||||
|
-/* OpenSSL compat */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
-# define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp
|
||||||
|
-# define EC_POINT_set_compressed_coordinates \
|
||||||
|
- EC_POINT_set_compressed_coordinates_GFp
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
// Elliptic Curve type
|
||||||
|
//
|
||||||
|
#define PRIME_CURVE 0x00
|
||||||
|
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
|
||||||
|
index b54e2db9..a0a06302 100644
|
||||||
|
--- a/usr/lib/common/mech_ec.c
|
||||||
|
+++ b/usr/lib/common/mech_ec.c
|
||||||
|
@@ -32,34 +32,6 @@
|
||||||
|
#include "openssl/obj_mac.h"
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
-/*
|
||||||
|
- * Older OpenSLL versions do not have BN_bn2binpad, so implement it here
|
||||||
|
- */
|
||||||
|
-static int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||||
|
-{
|
||||||
|
- int len, pad;
|
||||||
|
- unsigned char *buf;
|
||||||
|
-
|
||||||
|
- len = BN_num_bytes(a);
|
||||||
|
- buf = (unsigned char *)malloc(len);
|
||||||
|
- if (buf == NULL)
|
||||||
|
- return -1;
|
||||||
|
- BN_bn2bin(a, buf);
|
||||||
|
-
|
||||||
|
- if (len >= tolen) {
|
||||||
|
- memcpy(to, buf, tolen);
|
||||||
|
- } else {
|
||||||
|
- pad = tolen - len;
|
||||||
|
- memset(to, 0, pad);
|
||||||
|
- memcpy(to + pad, buf, len);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- free(buf);
|
||||||
|
- return tolen;
|
||||||
|
-}
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
#ifndef NID_brainpoolP160r1
|
||||||
|
/*
|
||||||
|
* Older OpenSLL versions may not have the brainpool NIDs defined, define them
|
||||||
|
@@ -1522,9 +1494,8 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||||
|
CK_BYTE *d, CK_ULONG d_len,
|
||||||
|
CK_BYTE **point, CK_ULONG *point_len)
|
||||||
|
{
|
||||||
|
- EC_KEY *eckey = NULL;
|
||||||
|
EC_POINT *pub_key = NULL;
|
||||||
|
- const EC_GROUP *group = NULL;
|
||||||
|
+ EC_GROUP *group = NULL;
|
||||||
|
int nid, p_len;
|
||||||
|
BIGNUM *bn_d = NULL, *bn_x = NULL, *bn_y = NULL;
|
||||||
|
CK_RV rc = CKR_OK;
|
||||||
|
@@ -1541,17 +1512,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- eckey = EC_KEY_new_by_curve_name(nid);
|
||||||
|
- if (eckey == NULL) {
|
||||||
|
- rc = CKR_FUNCTION_FAILED;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- if (EC_KEY_set_private_key(eckey, bn_d) != 1) {
|
||||||
|
- rc = CKR_FUNCTION_FAILED;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- group = EC_KEY_get0_group(eckey);
|
||||||
|
+ group = EC_GROUP_new_by_curve_name(nid);
|
||||||
|
if (group == NULL) {
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto done;
|
||||||
|
@@ -1576,7 +1537,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||||
|
rc = CKR_HOST_MEMORY;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- if (!EC_POINT_get_affine_coordinates_GFp(group, pub_key, bn_x, bn_y, NULL)) {
|
||||||
|
+ if (!EC_POINT_get_affine_coordinates(group, pub_key, bn_x, bn_y, NULL)) {
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
@@ -1599,13 +1560,13 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||||
|
done:
|
||||||
|
if (pub_key)
|
||||||
|
EC_POINT_free(pub_key);
|
||||||
|
- if (eckey)
|
||||||
|
- EC_KEY_free(eckey);
|
||||||
|
BN_clear_free(bn_x);
|
||||||
|
BN_clear_free(bn_y);
|
||||||
|
BN_clear_free(bn_d);
|
||||||
|
if (ec_point != NULL)
|
||||||
|
free(ec_point);
|
||||||
|
+ if (group != NULL)
|
||||||
|
+ EC_GROUP_free(group);
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
@ -0,0 +1,30 @@
|
|||||||
|
commit 145a696d478a1694ef314659a3d374f03f75c1b1
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Jul 5 13:49:09 2021 +0200
|
||||||
|
|
||||||
|
CONFIGURE: Remove AC_FUNC_MALLOC and AC_FUNC_REALLOC
|
||||||
|
|
||||||
|
The AC_FUNC_MALLOC configure check might add the rpl_malloc() entry if it
|
||||||
|
does not like the default malloc implementation. The user would need to
|
||||||
|
provide the rpl_malloc implementation. This happens depending on compiler and
|
||||||
|
OS/distro being used. Same applies for AC_FUNC_REALLOC and rpl_realloc.
|
||||||
|
It happened for me when I configured it with address sanitizer (libubsan,
|
||||||
|
libasan) activated.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index d3374476..286b7408 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -39,10 +39,8 @@ dnl Checks for library functions.
|
||||||
|
AC_FUNC_ALLOCA
|
||||||
|
AC_FUNC_CHOWN
|
||||||
|
AC_FUNC_FORK
|
||||||
|
-AC_FUNC_MALLOC
|
||||||
|
AC_FUNC_MKTIME
|
||||||
|
AC_FUNC_MMAP
|
||||||
|
-AC_FUNC_REALLOC
|
||||||
|
AC_FUNC_STRERROR_R
|
||||||
|
AC_CHECK_FUNCS([atexit ftruncate gettimeofday localtime_r memchr memmove \
|
||||||
|
memset mkdir munmap regcomp select socket strchr strcspn \
|
@ -0,0 +1,38 @@
|
|||||||
|
commit 2c116d49359a5eb91ad7f1483c64650c7874a513
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 14:08:03 2021 +0200
|
||||||
|
|
||||||
|
TESTCASES: Skip test if operation state is not savable
|
||||||
|
|
||||||
|
The sess_opstate testcase now handles the return code of CKR_STATE_UNSAVEABLE
|
||||||
|
from C_GetOperationState() and skips the test if that return code is
|
||||||
|
encountered.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/testcases/pkcs11/sess_opstate.c b/testcases/pkcs11/sess_opstate.c
|
||||||
|
index 3235b450..3d1ab9d7 100644
|
||||||
|
--- a/testcases/pkcs11/sess_opstate.c
|
||||||
|
+++ b/testcases/pkcs11/sess_opstate.c
|
||||||
|
@@ -123,6 +123,10 @@ int sess_opstate_funcs(int loops)
|
||||||
|
opstatelen = 0;
|
||||||
|
rc = funcs->C_GetOperationState(s2, NULL, &opstatelen);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
+ if (rc == CKR_STATE_UNSAVEABLE) {
|
||||||
|
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -135,6 +139,10 @@ int sess_opstate_funcs(int loops)
|
||||||
|
|
||||||
|
rc = funcs->C_GetOperationState(s2, opstate, &opstatelen);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
+ if (rc == CKR_STATE_UNSAVEABLE) {
|
||||||
|
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
|
||||||
|
goto out;
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
commit 376e664f082b66de970b62a81588b034fd560d27
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Aug 13 10:54:44 2021 +0200
|
||||||
|
|
||||||
|
TESTCASES: Remove RSA public exponent restriction for Soft token
|
||||||
|
|
||||||
|
Since commit "Allow small RSA exponents in the default provider"
|
||||||
|
https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce
|
||||||
|
in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft
|
||||||
|
token to RSA public exponents of 3 and 65537 only.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/testcases/common/common.c b/testcases/common/common.c
|
||||||
|
index 0a64ecf2..abbe354f 100644
|
||||||
|
--- a/testcases/common/common.c
|
||||||
|
+++ b/testcases/common/common.c
|
||||||
|
@@ -16,6 +16,8 @@
|
||||||
|
#include "pkcs11types.h"
|
||||||
|
#include "regress.h"
|
||||||
|
|
||||||
|
+#define UNUSED(var) ((void)(var))
|
||||||
|
+
|
||||||
|
CK_FUNCTION_LIST *funcs;
|
||||||
|
CK_FUNCTION_LIST_3_0 *funcs3;
|
||||||
|
CK_INTERFACE *ifs;
|
||||||
|
@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||||
|
/** Returns true if pubexp is valid for Soft Tokens **/
|
||||||
|
int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||||
|
{
|
||||||
|
- CK_BYTE exp3[] = { 0x03 }; // 3
|
||||||
|
- CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
|
||||||
|
+ UNUSED(pubexp);
|
||||||
|
+ UNUSED(pubexp_len);
|
||||||
|
|
||||||
|
- return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
|
||||||
|
- || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||||
|
+ return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Returns true if slot_id is an ICSF token
|
@ -0,0 +1,37 @@
|
|||||||
|
commit 4dd8a952fc00dd54cce090e4c053de408ba3884b
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Aug 24 10:14:39 2021 +0200
|
||||||
|
|
||||||
|
SOFT: Detect unsupported EC curves with OpenSSL 3.0
|
||||||
|
|
||||||
|
OpenSSL 3.0 behaves different in reporting an error when an unsupported
|
||||||
|
EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error
|
||||||
|
at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns
|
||||||
|
an error only at EVP_PKEY_keygen().
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
index 43fd17c3..03767ec8 100644
|
||||||
|
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include <openssl/cmac.h>
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
+#include <openssl/err.h>
|
||||||
|
#if OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
#include <openssl/core_names.h>
|
||||||
|
#include <openssl/param_build.h>
|
||||||
|
@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) {
|
||||||
|
TRACE_ERROR("EVP_PKEY_keygen failed\n");
|
||||||
|
- rc = CKR_FUNCTION_FAILED;
|
||||||
|
+ if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE)
|
||||||
|
+ rc = CKR_CURVE_NOT_SUPPORTED;
|
||||||
|
+ else
|
||||||
|
+ rc = CKR_FUNCTION_FAILED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,322 @@
|
|||||||
|
commit 50408fc3ae0f25b256dda2033d538f88c9b4f903
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Jul 5 16:02:28 2021 +0200
|
||||||
|
|
||||||
|
COMMON: Fix memory leaks
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
|
||||||
|
index 59f82482..a1241693 100644
|
||||||
|
--- a/usr/lib/common/mech_aes.c
|
||||||
|
+++ b/usr/lib/common/mech_aes.c
|
||||||
|
@@ -2359,6 +2359,8 @@ CK_RV aes_mac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
memcpy(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv, mac_len);
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -2497,6 +2499,8 @@ CK_RV aes_mac_sign_final(STDLL_TokData_t *tokdata,
|
||||||
|
memcpy(out_data, context->iv, mac_len);
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2554,8 +2558,12 @@ CK_RV aes_mac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (CRYPTO_memcmp(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv,
|
||||||
|
- out_data_len) == 0)
|
||||||
|
+ out_data_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
@@ -2685,8 +2693,12 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||||
|
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
@@ -2766,6 +2778,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
@@ -2913,6 +2927,8 @@ done:
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2969,9 +2985,12 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||||
|
out_data_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -3105,8 +3124,12 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||||
|
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
|
||||||
|
index 591ad3fa..3582102a 100644
|
||||||
|
--- a/usr/lib/common/mech_des3.c
|
||||||
|
+++ b/usr/lib/common/mech_des3.c
|
||||||
|
@@ -2006,6 +2006,8 @@ CK_RV des3_mac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -2144,6 +2146,8 @@ CK_RV des3_mac_sign_final(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2197,8 +2201,12 @@ CK_RV des3_mac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
key_obj = NULL;
|
||||||
|
|
||||||
|
if (CRYPTO_memcmp(out_data, ((DES_DATA_CONTEXT *) ctx->context)->iv,
|
||||||
|
- out_data_len) == 0)
|
||||||
|
+ out_data_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
@@ -2328,8 +2336,12 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||||
|
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
@@ -2410,6 +2422,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2553,6 +2567,8 @@ done:
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
|
||||||
|
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2605,8 +2621,12 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||||
|
out_data_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
+
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2739,8 +2759,12 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
|
||||||
|
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||||
|
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
return CKR_OK;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||||
|
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/common/new_host.c b/usr/lib/common/new_host.c
|
||||||
|
index d01091f9..8bff6ada 100644
|
||||||
|
--- a/usr/lib/common/new_host.c
|
||||||
|
+++ b/usr/lib/common/new_host.c
|
||||||
|
@@ -174,6 +174,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
if (rc != 0) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
detach_shm(sltp->TokData, 0);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -186,6 +187,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -218,6 +220,7 @@ done:
|
||||||
|
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||||
|
} else {
|
||||||
|
CloseXProcLock(sltp->TokData);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
|
||||||
|
index a0e7517c..45f13551 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/new_host.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/new_host.c
|
||||||
|
@@ -164,6 +164,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
if (rc != 0) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
detach_shm(sltp->TokData, 0);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -176,6 +177,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -208,6 +210,7 @@ done:
|
||||||
|
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||||
|
} else {
|
||||||
|
CloseXProcLock(sltp->TokData);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
|
||||||
|
index 09e9d27a..eed632c3 100644
|
||||||
|
--- a/usr/lib/icsf_stdll/new_host.c
|
||||||
|
+++ b/usr/lib/icsf_stdll/new_host.c
|
||||||
|
@@ -162,6 +162,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
if (rc != 0) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
detach_shm(sltp->TokData, 0);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -174,6 +175,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||||
|
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
sltp->FcnList = NULL;
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
if (sltp->TokData)
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
@@ -206,6 +208,7 @@ done:
|
||||||
|
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||||
|
} else {
|
||||||
|
CloseXProcLock(sltp->TokData);
|
||||||
|
+ final_data_store(sltp->TokData);
|
||||||
|
free(sltp->TokData);
|
||||||
|
sltp->TokData = NULL;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
index 45bc4b78..c7557108 100644
|
||||||
|
--- a/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
+++ b/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
@@ -213,6 +213,10 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||||
|
}
|
||||||
|
|
||||||
|
tpm_data = (tpm_private_data_t *)calloc(1, sizeof(tpm_private_data_t));
|
||||||
|
+ if (tpm_data == NULL) {
|
||||||
|
+ TRACE_ERROR("calloc failed\n");
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
tokdata->private_data = tpm_data;
|
||||||
|
|
||||||
|
tpm_data->tspContext = NULL_HCONTEXT;
|
||||||
|
@@ -221,12 +225,15 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||||
|
result = Tspi_Context_Create(&tpm_data->tspContext);
|
||||||
|
if (result) {
|
||||||
|
TRACE_ERROR("Tspi_Context_Create failed. rc=0x%x\n", result);
|
||||||
|
+ free(tpm_data);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
result = Tspi_Context_Connect(tpm_data->tspContext, NULL);
|
||||||
|
if (result) {
|
||||||
|
TRACE_ERROR("Tspi_Context_Connect failed. rc=0x%x\n", result);
|
||||||
|
+ Tspi_Context_Close(tpm_data->tspContext);
|
||||||
|
+ free(tpm_data);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -234,6 +241,8 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||||
|
&tpm_data->hDefaultPolicy);
|
||||||
|
if (result) {
|
||||||
|
TRACE_ERROR("Tspi_Context_GetDefaultPolicy failed. rc=0x%x\n", result);
|
||||||
|
+ Tspi_Context_Close(tpm_data->tspContext);
|
||||||
|
+ free(tpm_data);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,147 @@
|
|||||||
|
commit 533cdea6897d1bc0af13490f1c89248c52e7a73b
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 11:30:00 2021 +0200
|
||||||
|
|
||||||
|
COMMON: utilities.c: Remove deprecated OpenSSL functions
|
||||||
|
|
||||||
|
Rework functions compute_sha(), compute_sha1(), and compute_md5() to
|
||||||
|
no longer use the mech_sha and mech_md5 routines, but to use the
|
||||||
|
OpenSSL EVP interface directly.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
|
||||||
|
index bcdc15bf..5fc68938 100644
|
||||||
|
--- a/usr/lib/common/utility.c
|
||||||
|
+++ b/usr/lib/common/utility.c
|
||||||
|
@@ -849,66 +849,89 @@ CK_RV get_hmac_digest(CK_ULONG mech, CK_ULONG *digest_mech, CK_BBOOL *general)
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* Compute specified SHA using either software or token implementation */
|
||||||
|
+/* Compute specified SHA or MD5 using software */
|
||||||
|
CK_RV compute_sha(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||||
|
CK_BYTE *hash, CK_ULONG mech)
|
||||||
|
{
|
||||||
|
- DIGEST_CONTEXT ctx;
|
||||||
|
- CK_ULONG hash_len;
|
||||||
|
- CK_RV rv;
|
||||||
|
+ const EVP_MD *md;
|
||||||
|
+ unsigned int hash_len;
|
||||||
|
|
||||||
|
- memset(&ctx, 0x0, sizeof(ctx));
|
||||||
|
- ctx.mech.mechanism = mech;
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
|
||||||
|
- rv = get_sha_size(mech, &hash_len);
|
||||||
|
- if (rv != CKR_OK)
|
||||||
|
- return rv;
|
||||||
|
+ switch (mech) {
|
||||||
|
+ case CKM_MD5:
|
||||||
|
+ hash_len = MD5_HASH_SIZE;
|
||||||
|
+ md = EVP_md5();
|
||||||
|
+ break;
|
||||||
|
+ case CKM_SHA_1:
|
||||||
|
+ hash_len = SHA1_HASH_SIZE;
|
||||||
|
+ md = EVP_sha1();
|
||||||
|
+ break;
|
||||||
|
+ case CKM_SHA224:
|
||||||
|
+ case CKM_SHA512_224:
|
||||||
|
+ hash_len = SHA224_HASH_SIZE;
|
||||||
|
+ md = EVP_sha224();
|
||||||
|
+ break;
|
||||||
|
+ case CKM_SHA256:
|
||||||
|
+ case CKM_SHA512_256:
|
||||||
|
+ hash_len = SHA256_HASH_SIZE;
|
||||||
|
+ md = EVP_sha256();
|
||||||
|
+ break;
|
||||||
|
+ case CKM_SHA384:
|
||||||
|
+ hash_len = SHA384_HASH_SIZE;
|
||||||
|
+ md = EVP_sha384();
|
||||||
|
+ break;
|
||||||
|
+ case CKM_SHA512:
|
||||||
|
+ hash_len = SHA512_HASH_SIZE;
|
||||||
|
+ md = EVP_sha512();
|
||||||
|
+ break;
|
||||||
|
+#ifdef NID_sha3_224
|
||||||
|
+ case CKM_IBM_SHA3_224:
|
||||||
|
+ hash_len = SHA3_224_HASH_SIZE;
|
||||||
|
+ md = EVP_sha3_224();
|
||||||
|
+ break;
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha3_256
|
||||||
|
+ case CKM_IBM_SHA3_256:
|
||||||
|
+ hash_len = SHA3_256_HASH_SIZE;
|
||||||
|
+ md = EVP_sha3_256();
|
||||||
|
+ break;
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha3_384
|
||||||
|
+ case CKM_IBM_SHA3_384:
|
||||||
|
+ hash_len = SHA3_384_HASH_SIZE;
|
||||||
|
+ md = EVP_sha3_384();
|
||||||
|
+ break;
|
||||||
|
+#endif
|
||||||
|
+#ifdef NID_sha3_512
|
||||||
|
+ case CKM_IBM_SHA3_512:
|
||||||
|
+ hash_len = SHA3_512_HASH_SIZE;
|
||||||
|
+ md = EVP_sha3_512();
|
||||||
|
+ break;
|
||||||
|
+#endif
|
||||||
|
+ default:
|
||||||
|
+ return CKR_MECHANISM_INVALID;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rv = sha_init(tokdata, NULL, &ctx, &ctx.mech);
|
||||||
|
- if (rv != CKR_OK) {
|
||||||
|
- TRACE_DEBUG("failed to create digest.\n");
|
||||||
|
- return rv;
|
||||||
|
+ if (EVP_Digest(data, len, hash, &hash_len, md, NULL) != 1) {
|
||||||
|
+ TRACE_ERROR("%s EVP_Digest failed\n", __func__);
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
- rv = sha_hash(tokdata, NULL, FALSE, &ctx, data, len, hash, &hash_len);
|
||||||
|
|
||||||
|
- digest_mgr_cleanup(&ctx);
|
||||||
|
- return rv;
|
||||||
|
+ return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Compute SHA1 using software implementation */
|
||||||
|
CK_RV compute_sha1(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||||
|
CK_BYTE *hash)
|
||||||
|
{
|
||||||
|
- // XXX KEY
|
||||||
|
- DIGEST_CONTEXT ctx;
|
||||||
|
- CK_ULONG hash_len = SHA1_HASH_SIZE;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- memset(&ctx, 0x0, sizeof(ctx));
|
||||||
|
-
|
||||||
|
- sw_sha1_init(&ctx);
|
||||||
|
- if (ctx.context == NULL)
|
||||||
|
- return CKR_HOST_MEMORY;
|
||||||
|
-
|
||||||
|
- return sw_sha1_hash(&ctx, data, len, hash, &hash_len);
|
||||||
|
+ return compute_sha(tokdata, data, len, hash, CKM_SHA_1);
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV compute_md5(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||||
|
CK_BYTE *hash)
|
||||||
|
{
|
||||||
|
- DIGEST_CONTEXT ctx;
|
||||||
|
- CK_ULONG hash_len = MD5_HASH_SIZE;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- memset(&ctx, 0x0, sizeof(ctx));
|
||||||
|
-
|
||||||
|
- sw_md5_init(&ctx);
|
||||||
|
- if (ctx.context == NULL)
|
||||||
|
- return CKR_HOST_MEMORY;
|
||||||
|
-
|
||||||
|
- return sw_md5_hash(&ctx, data, len, hash, &hash_len);
|
||||||
|
+ return compute_sha(tokdata, data, len, hash, CKM_MD5);
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV get_keytype(STDLL_TokData_t *tokdata, CK_OBJECT_HANDLE hkey,
|
@ -0,0 +1,174 @@
|
|||||||
|
commit 5377d25a6cbe3d07afcd08276ad7e90f62cad0c9
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 13:51:02 2021 +0200
|
||||||
|
|
||||||
|
COMMON: mech_sha: Remove deprecated OpenSSL functions
|
||||||
|
|
||||||
|
All low level SHA functions are deprecated in OpenSSL 3.0.
|
||||||
|
Update the code to not use any of those.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||||
|
index 314613a5..b3b965bf 100644
|
||||||
|
--- a/usr/lib/common/h_extern.h
|
||||||
|
+++ b/usr/lib/common/h_extern.h
|
||||||
|
@@ -1543,7 +1543,7 @@ CK_RV aes_cfb_decrypt_final(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
// SHA mechanisms
|
||||||
|
//
|
||||||
|
|
||||||
|
-void sw_sha1_init(DIGEST_CONTEXT *ctx);
|
||||||
|
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx);
|
||||||
|
|
||||||
|
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||||
|
diff --git a/usr/lib/common/mech_sha.c b/usr/lib/common/mech_sha.c
|
||||||
|
index 0b9b7b28..1c81abe2 100644
|
||||||
|
--- a/usr/lib/common/mech_sha.c
|
||||||
|
+++ b/usr/lib/common/mech_sha.c
|
||||||
|
@@ -38,30 +38,49 @@
|
||||||
|
#include "tok_spec_struct.h"
|
||||||
|
#include "trace.h"
|
||||||
|
|
||||||
|
-#include <openssl/sha.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
//
|
||||||
|
// Software SHA-1 implementation (OpenSSL based)
|
||||||
|
//
|
||||||
|
|
||||||
|
-void sw_sha1_init(DIGEST_CONTEXT *ctx)
|
||||||
|
+static void sw_sha1_free(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
+ CK_BYTE *context, CK_ULONG context_len)
|
||||||
|
{
|
||||||
|
- ctx->context_len = sizeof(SHA_CTX);
|
||||||
|
- ctx->context = (CK_BYTE *) malloc(sizeof(SHA_CTX));
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+ UNUSED(sess);
|
||||||
|
+ UNUSED(context_len);
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx)
|
||||||
|
+{
|
||||||
|
+ ctx->context_len = 1;
|
||||||
|
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||||
|
if (ctx->context == NULL) {
|
||||||
|
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
- // TODO: propagate error up?
|
||||||
|
- return;
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_sha1(), NULL)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- SHA1_Init((SHA_CTX *)ctx->context);
|
||||||
|
+ ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+ ctx->context_free_func = sw_sha1_free;
|
||||||
|
+
|
||||||
|
+ return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||||
|
CK_ULONG *out_data_len)
|
||||||
|
{
|
||||||
|
+ unsigned int len;
|
||||||
|
|
||||||
|
if (!ctx || !out_data_len) {
|
||||||
|
TRACE_ERROR("%s received bad argument(s)\n", __func__);
|
||||||
|
@@ -76,43 +95,60 @@ CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
|
||||||
|
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
|
||||||
|
- *out_data_len = SHA1_HASH_SIZE;
|
||||||
|
+ len = *out_data_len;
|
||||||
|
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||||
|
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *out_data_len = len;
|
||||||
|
|
||||||
|
- if (ctx->context_free_func != NULL)
|
||||||
|
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||||
|
- else
|
||||||
|
- free(ctx->context);
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
+ ctx->context_free_func = NULL;
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
- CK_ULONG in_data_len)
|
||||||
|
+static CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
+ CK_ULONG in_data_len)
|
||||||
|
{
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
|
||||||
|
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||||
|
- CK_ULONG *out_data_len)
|
||||||
|
+static CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||||
|
+ CK_ULONG *out_data_len)
|
||||||
|
{
|
||||||
|
+ unsigned int len;
|
||||||
|
+
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
|
||||||
|
- *out_data_len = SHA1_HASH_SIZE;
|
||||||
|
+ if (*out_data_len < SHA1_HASH_SIZE) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
|
||||||
|
+ return CKR_BUFFER_TOO_SMALL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ len = *out_data_len;
|
||||||
|
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *out_data_len = len;
|
||||||
|
|
||||||
|
- if (ctx->context_free_func != NULL)
|
||||||
|
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||||
|
- else
|
||||||
|
- free(ctx->context);
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
+ ctx->context_free_func = NULL;
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
@@ -134,8 +170,7 @@ CK_RV sha_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
|
||||||
|
* supported. JML
|
||||||
|
*/
|
||||||
|
if (mech->mechanism == CKM_SHA_1) {
|
||||||
|
- sw_sha1_init(ctx);
|
||||||
|
- return CKR_OK;
|
||||||
|
+ return sw_sha1_init(ctx);
|
||||||
|
} else {
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
@ -0,0 +1,84 @@
|
|||||||
|
commit 5cceead028ec8e0c244b01d38c9096c96d98f96b
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Jul 5 10:46:52 2021 +0200
|
||||||
|
|
||||||
|
ICSF: Remove support for OpenSSL < v1.1.1
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
|
||||||
|
index 4ddd0fd7..6ec4128a 100644
|
||||||
|
--- a/usr/lib/icsf_stdll/pbkdf.c
|
||||||
|
+++ b/usr/lib/icsf_stdll/pbkdf.c
|
||||||
|
@@ -82,7 +82,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||||
|
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
|
||||||
|
int tmplen;
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
|
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
||||||
|
|
||||||
|
EVP_EncryptInit_ex(ctx, cipher, NULL, dkey, iv);
|
||||||
|
@@ -98,24 +97,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||||
|
*outbuflen = (*outbuflen) + tmplen;
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
|
||||||
|
-#else
|
||||||
|
- EVP_CIPHER_CTX ctx;
|
||||||
|
- EVP_CIPHER_CTX_init(&ctx);
|
||||||
|
-
|
||||||
|
- EVP_EncryptInit_ex(&ctx, cipher, NULL, dkey, iv);
|
||||||
|
- if (!EVP_EncryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
|
||||||
|
- TRACE_ERROR("EVP_EncryptUpdate failed.\n");
|
||||||
|
- return CKR_FUNCTION_FAILED;
|
||||||
|
- }
|
||||||
|
- if (!EVP_EncryptFinal_ex(&ctx, outbuf + (*outbuflen), &tmplen)) {
|
||||||
|
- TRACE_ERROR("EVP_EncryptFinal failed.\n");
|
||||||
|
- return CKR_FUNCTION_FAILED;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- *outbuflen = (*outbuflen) + tmplen;
|
||||||
|
- EVP_CIPHER_CTX_cleanup(&ctx);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -125,7 +106,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||||
|
int size;
|
||||||
|
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||||
|
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
||||||
|
|
||||||
|
EVP_DecryptInit_ex(ctx, cipher, NULL, dkey, iv);
|
||||||
|
@@ -147,30 +127,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||||
|
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
|
||||||
|
-#else
|
||||||
|
- EVP_CIPHER_CTX ctx;
|
||||||
|
- EVP_CIPHER_CTX_init(&ctx);
|
||||||
|
-
|
||||||
|
- EVP_DecryptInit_ex(&ctx, cipher, NULL, dkey, iv);
|
||||||
|
- if (!EVP_DecryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
|
||||||
|
- TRACE_ERROR("EVP_DecryptUpdate failed.\n");
|
||||||
|
- return CKR_FUNCTION_FAILED;
|
||||||
|
- }
|
||||||
|
- if (!EVP_DecryptFinal_ex(&ctx, outbuf + (*outbuflen), &size)) {
|
||||||
|
- TRACE_ERROR("EVP_DecryptFinal failed.\n");
|
||||||
|
- return CKR_FUNCTION_FAILED;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* total length of the decrypted data */
|
||||||
|
- *outbuflen = (*outbuflen) + size;
|
||||||
|
-
|
||||||
|
- /* EVP_DecryptFinal removes any padding. The final length
|
||||||
|
- * is the length of the decrypted data without padding.
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- EVP_CIPHER_CTX_cleanup(&ctx);
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,226 @@
|
|||||||
|
commit 62fc2bcd98672c5d0ff8a2c926f3103110e91ed7
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu Jul 1 13:37:04 2021 +0200
|
||||||
|
|
||||||
|
COMMON: Perform proper context cleanup for 3DES/AES CMAC mechanisms
|
||||||
|
|
||||||
|
The handling of 3DES/AES CMAC mechanisms use a complex context structure,
|
||||||
|
that contains pointers. Such state can not be saved, and needs a custom
|
||||||
|
context free routine to properly clean up the context.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
|
||||||
|
index ad6af16b..59f82482 100644
|
||||||
|
--- a/usr/lib/common/mech_aes.c
|
||||||
|
+++ b/usr/lib/common/mech_aes.c
|
||||||
|
@@ -2691,6 +2691,24 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void aes_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
+ CK_BYTE *context, CK_ULONG context_len)
|
||||||
|
+{
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+ UNUSED(sess);
|
||||||
|
+ UNUSED(context_len);
|
||||||
|
+
|
||||||
|
+ if (((AES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
||||||
|
+ token_specific.t_aes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
||||||
|
+ ((AES_CMAC_CONTEXT *)context)->iv,
|
||||||
|
+ CK_FALSE, CK_TRUE,
|
||||||
|
+ ((AES_CMAC_CONTEXT *)context)->ctx);
|
||||||
|
+ ((AES_CMAC_CONTEXT *)context)->ctx = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(context);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
SESSION *sess,
|
||||||
|
CK_BBOOL length_only,
|
||||||
|
@@ -2743,6 +2761,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
+
|
||||||
|
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
@@ -2816,6 +2836,8 @@ CK_RV aes_cmac_sign_update(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
} else {
|
||||||
|
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
||||||
|
}
|
||||||
|
@@ -2882,6 +2904,8 @@ CK_RV aes_cmac_sign_final(STDLL_TokData_t *tokdata,
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
+
|
||||||
|
memcpy(out_data, context->iv, mac_len);
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
|
||||||
|
@@ -2941,6 +2965,8 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
+
|
||||||
|
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||||
|
out_data_len) == 0) {
|
||||||
|
return CKR_OK;
|
||||||
|
@@ -3012,6 +3038,8 @@ CK_RV aes_cmac_verify_update(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
} else {
|
||||||
|
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
||||||
|
}
|
||||||
|
@@ -3070,6 +3098,8 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||||
|
+
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_DEVEL("Token specific aes mac failed.\n");
|
||||||
|
return rc;
|
||||||
|
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
|
||||||
|
index be8d6075..591ad3fa 100644
|
||||||
|
--- a/usr/lib/common/mech_des3.c
|
||||||
|
+++ b/usr/lib/common/mech_des3.c
|
||||||
|
@@ -2334,6 +2334,24 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
return CKR_SIGNATURE_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void des3_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
+ CK_BYTE *context, CK_ULONG context_len)
|
||||||
|
+{
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+ UNUSED(sess);
|
||||||
|
+ UNUSED(context_len);
|
||||||
|
+
|
||||||
|
+ if (((DES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
||||||
|
+ token_specific.t_tdes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
||||||
|
+ ((DES_CMAC_CONTEXT *)context)->iv,
|
||||||
|
+ CK_FALSE, CK_TRUE,
|
||||||
|
+ ((DES_CMAC_CONTEXT *)context)->ctx);
|
||||||
|
+ ((DES_CMAC_CONTEXT *)context)->ctx = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(context);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
SESSION *sess,
|
||||||
|
CK_BBOOL length_only,
|
||||||
|
@@ -2383,6 +2401,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||||
|
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
+
|
||||||
|
memcpy(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||||
|
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
@@ -2456,6 +2476,8 @@ CK_RV des3_cmac_sign_update(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
} else {
|
||||||
|
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
||||||
|
}
|
||||||
|
@@ -2521,6 +2543,8 @@ CK_RV des3_cmac_sign_final(STDLL_TokData_t *tokdata,
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
+
|
||||||
|
memcpy(out_data, context->iv, mac_len);
|
||||||
|
|
||||||
|
*out_data_len = mac_len;
|
||||||
|
@@ -2577,6 +2601,8 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
+
|
||||||
|
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||||
|
out_data_len) == 0) {
|
||||||
|
return CKR_OK;
|
||||||
|
@@ -2646,6 +2672,8 @@ CK_RV des3_cmac_verify_update(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
} else {
|
||||||
|
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
||||||
|
}
|
||||||
|
@@ -2709,6 +2737,8 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||||
|
if (context->ctx != NULL)
|
||||||
|
ctx->state_unsaveable = CK_TRUE;
|
||||||
|
|
||||||
|
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||||
|
+
|
||||||
|
if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||||
|
return CKR_OK;
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
|
||||||
|
index 77876467..881a430c 100644
|
||||||
|
--- a/usr/lib/ica_s390_stdll/ica_specific.c
|
||||||
|
+++ b/usr/lib/ica_s390_stdll/ica_specific.c
|
||||||
|
@@ -713,6 +713,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||||
|
UNUSED(tokdata);
|
||||||
|
UNUSED(ctx);
|
||||||
|
|
||||||
|
+ if (key == NULL)
|
||||||
|
+ return CKR_ARGUMENTS_BAD;
|
||||||
|
+
|
||||||
|
// get the key type
|
||||||
|
rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
@@ -3621,6 +3624,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||||
|
UNUSED(tokdata);
|
||||||
|
UNUSED(ctx);
|
||||||
|
|
||||||
|
+ if (key == NULL)
|
||||||
|
+ return CKR_ARGUMENTS_BAD;
|
||||||
|
+
|
||||||
|
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||||
|
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
index aeff39a9..5ca22693 100644
|
||||||
|
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||||
|
@@ -3994,6 +3994,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||||
|
UNUSED(tokdata);
|
||||||
|
|
||||||
|
if (first) {
|
||||||
|
+ if (key == NULL)
|
||||||
|
+ return CKR_ARGUMENTS_BAD;
|
||||||
|
+
|
||||||
|
// get the key type
|
||||||
|
rv = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||||
|
if (rv != CKR_OK) {
|
||||||
|
@@ -4194,6 +4197,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||||
|
UNUSED(tokdata);
|
||||||
|
|
||||||
|
if (first) {
|
||||||
|
+ if (key == NULL)
|
||||||
|
+ return CKR_ARGUMENTS_BAD;
|
||||||
|
+
|
||||||
|
// get the key value
|
||||||
|
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
if (rc != CKR_OK) {
|
@ -0,0 +1,193 @@
|
|||||||
|
commit 6fee37f08391415cdf8d8610c501516c3d3ed29c
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 13:41:57 2021 +0200
|
||||||
|
|
||||||
|
COMMON: mech_md5: Remove deprecated OpenSSL functions
|
||||||
|
|
||||||
|
All low level MD5 functions are deprecated in OpenSSL 3.0.
|
||||||
|
Update the code to not use any of those.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||||
|
index 47b96ba0..314613a5 100644
|
||||||
|
--- a/usr/lib/common/h_extern.h
|
||||||
|
+++ b/usr/lib/common/h_extern.h
|
||||||
|
@@ -1667,7 +1667,7 @@ CK_RV md5_hmac_verify(STDLL_TokData_t *tokdata,
|
||||||
|
CK_ULONG in_data_len,
|
||||||
|
CK_BYTE *signature, CK_ULONG sig_len);
|
||||||
|
|
||||||
|
-void sw_md5_init(DIGEST_CONTEXT *ctx);
|
||||||
|
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx);
|
||||||
|
|
||||||
|
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||||
|
diff --git a/usr/lib/common/mech_md5.c b/usr/lib/common/mech_md5.c
|
||||||
|
index 320e2549..65c11def 100644
|
||||||
|
--- a/usr/lib/common/mech_md5.c
|
||||||
|
+++ b/usr/lib/common/mech_md5.c
|
||||||
|
@@ -20,30 +20,50 @@
|
||||||
|
#include "tok_spec_struct.h"
|
||||||
|
#include "trace.h"
|
||||||
|
|
||||||
|
-#include <openssl/md5.h>
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
|
||||||
|
//
|
||||||
|
// Software MD5 implementation (OpenSSL based)
|
||||||
|
//
|
||||||
|
|
||||||
|
-void sw_md5_init(DIGEST_CONTEXT *ctx)
|
||||||
|
+static void sw_md5_free(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
+ CK_BYTE *context, CK_ULONG context_len)
|
||||||
|
{
|
||||||
|
- ctx->context_len = sizeof(MD5_CTX);
|
||||||
|
- ctx->context = (CK_BYTE *) malloc(sizeof(MD5_CTX));
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+ UNUSED(sess);
|
||||||
|
+ UNUSED(context_len);
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx)
|
||||||
|
+{
|
||||||
|
+ ctx->context_len = 1;
|
||||||
|
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||||
|
if (ctx->context == NULL) {
|
||||||
|
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||||
|
- // TODO: propagate error up?
|
||||||
|
- return;
|
||||||
|
+ return CKR_HOST_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_md5(), NULL)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- MD5_Init((MD5_CTX *)ctx->context);
|
||||||
|
+ ctx->state_unsaveable = CK_TRUE;
|
||||||
|
+ ctx->context_free_func = sw_md5_free;
|
||||||
|
+
|
||||||
|
+ return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||||
|
CK_ULONG *out_data_len)
|
||||||
|
{
|
||||||
|
+ unsigned int len;
|
||||||
|
+
|
||||||
|
if (!ctx || !out_data_len) {
|
||||||
|
TRACE_ERROR("%s received bad argument(s)\n", __func__);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
@@ -57,43 +77,60 @@ CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
|
||||||
|
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
|
||||||
|
- *out_data_len = MD5_HASH_SIZE;
|
||||||
|
+ len = *out_data_len;
|
||||||
|
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||||
|
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (ctx->context_free_func != NULL)
|
||||||
|
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||||
|
- else
|
||||||
|
- free(ctx->context);
|
||||||
|
+ *out_data_len = len;
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
+ ctx->context_free_func = NULL;
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-CK_RV sw_MD5_Update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
- CK_ULONG in_data_len)
|
||||||
|
+static CK_RV sw_md5_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||||
|
+ CK_ULONG in_data_len)
|
||||||
|
{
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
|
||||||
|
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-CK_RV sw_MD5_Final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||||
|
- CK_ULONG *out_data_len)
|
||||||
|
+static CK_RV sw_md5_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||||
|
+ CK_ULONG *out_data_len)
|
||||||
|
{
|
||||||
|
+ unsigned int len;
|
||||||
|
+
|
||||||
|
if (ctx->context == NULL)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
|
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
|
||||||
|
- *out_data_len = MD5_HASH_SIZE;
|
||||||
|
+ if (*out_data_len < MD5_HASH_SIZE) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
|
||||||
|
+ return CKR_BUFFER_TOO_SMALL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if (ctx->context_free_func != NULL)
|
||||||
|
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||||
|
- else
|
||||||
|
- free(ctx->context);
|
||||||
|
+ len = *out_data_len;
|
||||||
|
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||||
|
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *out_data_len = len;
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||||
|
ctx->context = NULL;
|
||||||
|
+ ctx->context_free_func = NULL;
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
@@ -105,8 +142,7 @@ CK_RV md5_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
|
||||||
|
UNUSED(sess);
|
||||||
|
|
||||||
|
if (mech->mechanism == CKM_MD5) {
|
||||||
|
- sw_md5_init(ctx);
|
||||||
|
- return CKR_OK;
|
||||||
|
+ return sw_md5_init(ctx);
|
||||||
|
} else {
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
||||||
|
@@ -159,7 +195,7 @@ CK_RV md5_hash_update(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
return CKR_OK;
|
||||||
|
|
||||||
|
if (ctx->mech.mechanism == CKM_MD5)
|
||||||
|
- return sw_MD5_Update(ctx, in_data, in_data_len);
|
||||||
|
+ return sw_md5_update(ctx, in_data, in_data_len);
|
||||||
|
else
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
||||||
|
@@ -188,7 +224,7 @@ CK_RV md5_hash_final(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ctx->mech.mechanism == CKM_MD5)
|
||||||
|
- return sw_MD5_Final(ctx, out_data, out_data_len);
|
||||||
|
+ return sw_md5_final(ctx, out_data, out_data_len);
|
||||||
|
else
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,870 @@
|
|||||||
|
commit 7b4177e8557887d196ce77a129d457e817f8cc59
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jun 30 10:47:28 2021 +0200
|
||||||
|
|
||||||
|
TPM: Remove deprecated OpenSSL functions
|
||||||
|
|
||||||
|
All low level RSA functions are deprecated in OpenSSL 3.0.
|
||||||
|
Update the code to not use any of those, and only use the EVP
|
||||||
|
interface.
|
||||||
|
|
||||||
|
Also remove support for OpenSSL < v1.1.1. This code used even more
|
||||||
|
low level RSA, DES, and AES functions.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/tpm_stdll/tpm_openssl.c b/usr/lib/tpm_stdll/tpm_openssl.c
|
||||||
|
index 94ef9a62..0ccc543d 100644
|
||||||
|
--- a/usr/lib/tpm_stdll/tpm_openssl.c
|
||||||
|
+++ b/usr/lib/tpm_stdll/tpm_openssl.c
|
||||||
|
@@ -39,50 +39,33 @@
|
||||||
|
|
||||||
|
#include "tpm_specific.h"
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * In order to make opencryptoki compatible with
|
||||||
|
- * OpenSSL 1.1 API Changes and backward compatible
|
||||||
|
- * we need to check for its version
|
||||||
|
- */
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
-#define OLDER_OPENSSL
|
||||||
|
+#if OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
+#include <openssl/core_names.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
void openssl_print_errors()
|
||||||
|
{
|
||||||
|
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
ERR_load_ERR_strings();
|
||||||
|
+#endif
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
ERR_print_errors_fp(stderr);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
|
||||||
|
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *tokdata)
|
||||||
|
{
|
||||||
|
- RSA *rsa = NULL;
|
||||||
|
int rc = 0, counter = 0;
|
||||||
|
char buf[32];
|
||||||
|
-#ifndef OLDER_OPENSSL
|
||||||
|
EVP_PKEY *pkey = NULL;
|
||||||
|
EVP_PKEY_CTX *ctx = NULL;
|
||||||
|
BIGNUM *bne = NULL;
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
|
||||||
|
RAND_seed(buf, 32);
|
||||||
|
|
||||||
|
regen_rsa_key:
|
||||||
|
-#ifdef OLDER_OPENSSL
|
||||||
|
- rsa = RSA_generate_key(2048, 65537, NULL, NULL);
|
||||||
|
- if (rsa == NULL) {
|
||||||
|
- fprintf(stderr, "Error generating user's RSA key\n");
|
||||||
|
- ERR_load_crypto_strings();
|
||||||
|
- ERR_print_errors_fp(stderr);
|
||||||
|
- goto err;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- rc = RSA_check_key(rsa);
|
||||||
|
-#else
|
||||||
|
bne = BN_new();
|
||||||
|
rc = BN_set_word(bne, 65537);
|
||||||
|
if (!rc) {
|
||||||
|
@@ -98,35 +81,36 @@ regen_rsa_key:
|
||||||
|
|
||||||
|
if (EVP_PKEY_keygen_init(ctx) <= 0
|
||||||
|
|| EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0
|
||||||
|
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
|| EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
||||||
|
+#else
|
||||||
|
+ || EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
||||||
|
+#endif
|
||||||
|
fprintf(stderr, "Error generating user's RSA key\n");
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
ERR_print_errors_fp(stderr);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
bne = NULL; // will be freed as part of the context
|
||||||
|
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0
|
||||||
|
- || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
|
||||||
|
+#else
|
||||||
|
+ BN_free(bne);
|
||||||
|
+ bne = NULL;
|
||||||
|
+#endif
|
||||||
|
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
|
||||||
|
fprintf(stderr, "Error generating user's RSA key\n");
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
ERR_print_errors_fp(stderr);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||||
|
- rc = RSA_check_key(rsa);
|
||||||
|
-#else
|
||||||
|
EVP_PKEY_CTX_free(ctx);
|
||||||
|
ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
||||||
|
if (ctx == NULL)
|
||||||
|
goto err;
|
||||||
|
rc = (EVP_PKEY_check(ctx) == 1 ? 1 : 0);
|
||||||
|
-#endif
|
||||||
|
-#endif
|
||||||
|
switch (rc) {
|
||||||
|
case 0:
|
||||||
|
/* rsa is not a valid RSA key */
|
||||||
|
- RSA_free(rsa);
|
||||||
|
- rsa = NULL;
|
||||||
|
counter++;
|
||||||
|
if (counter == KEYGEN_RETRY) {
|
||||||
|
TRACE_DEVEL("Tried %d times to generate a "
|
||||||
|
@@ -145,30 +129,23 @@ regen_rsa_key:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifndef OLDER_OPENSSL
|
||||||
|
- if (pkey != NULL)
|
||||||
|
- EVP_PKEY_free(pkey);
|
||||||
|
if (ctx != NULL)
|
||||||
|
EVP_PKEY_CTX_free(ctx);
|
||||||
|
if (bne != NULL)
|
||||||
|
BN_free(bne);
|
||||||
|
-#endif
|
||||||
|
- return rsa;
|
||||||
|
+ return pkey;
|
||||||
|
err:
|
||||||
|
- if (rsa != NULL)
|
||||||
|
- RSA_free(rsa);
|
||||||
|
-#ifndef OLDER_OPENSSL
|
||||||
|
if (pkey != NULL)
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
|
if (ctx != NULL)
|
||||||
|
EVP_PKEY_CTX_free(ctx);
|
||||||
|
if (bne != NULL)
|
||||||
|
BN_free(bne);
|
||||||
|
-#endif
|
||||||
|
+
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||||
|
+int openssl_write_key(STDLL_TokData_t * tokdata, EVP_PKEY *pkey, char *filename,
|
||||||
|
CK_BYTE * pPin)
|
||||||
|
{
|
||||||
|
BIO *b = NULL;
|
||||||
|
@@ -193,8 +170,8 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!PEM_write_bio_RSAPrivateKey(b, rsa,
|
||||||
|
- EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
||||||
|
+ if (!PEM_write_bio_PrivateKey(b, pkey,
|
||||||
|
+ EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
||||||
|
BIO_free(b);
|
||||||
|
TRACE_ERROR("Writing key %s to disk failed.\n", loc);
|
||||||
|
DEBUG_openssl_print_errors();
|
||||||
|
@@ -211,10 +188,10 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||||
|
- CK_BYTE * pPin, RSA ** ret)
|
||||||
|
+ CK_BYTE * pPin, EVP_PKEY **ret)
|
||||||
|
{
|
||||||
|
BIO *b = NULL;
|
||||||
|
- RSA *rsa = NULL;
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
char loc[PATH_MAX];
|
||||||
|
struct passwd *pw = NULL;
|
||||||
|
CK_RV rc = CKR_FUNCTION_FAILED;
|
||||||
|
@@ -242,7 +219,7 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||||
|
return CKR_FILE_NOT_FOUND;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((rsa = PEM_read_bio_RSAPrivateKey(b, NULL, 0, pPin)) == NULL) {
|
||||||
|
+ if ((pkey = PEM_read_bio_PrivateKey(b, NULL, 0, pPin)) == NULL) {
|
||||||
|
TRACE_ERROR("Reading key %s from disk failed.\n", loc);
|
||||||
|
DEBUG_openssl_print_errors();
|
||||||
|
if (ERR_GET_REASON(ERR_get_error()) == PEM_R_BAD_DECRYPT) {
|
||||||
|
@@ -253,40 +230,54 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||||
|
}
|
||||||
|
|
||||||
|
BIO_free(b);
|
||||||
|
- *ret = rsa;
|
||||||
|
+ *ret = pkey;
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int openssl_get_modulus_and_prime(RSA * rsa, unsigned int *size_n,
|
||||||
|
+int openssl_get_modulus_and_prime(EVP_PKEY *pkey, unsigned int *size_n,
|
||||||
|
unsigned char *n, unsigned int *size_p,
|
||||||
|
unsigned char *p)
|
||||||
|
{
|
||||||
|
-#ifndef OLDER_OPENSSL
|
||||||
|
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
const BIGNUM *n_tmp, *p_tmp;
|
||||||
|
+ RSA *rsa;
|
||||||
|
+#else
|
||||||
|
+ BIGNUM *n_tmp, *p_tmp;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||||
|
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
||||||
|
/* get the modulus from the RSA object */
|
||||||
|
-#ifdef OLDER_OPENSSL
|
||||||
|
- if ((*size_n = BN_bn2bin(rsa->n, n)) <= 0) {
|
||||||
|
-#else
|
||||||
|
RSA_get0_key(rsa, &n_tmp, NULL, NULL);
|
||||||
|
if ((*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
||||||
|
-#endif
|
||||||
|
DEBUG_openssl_print_errors();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* get one of the primes from the RSA object */
|
||||||
|
-#ifdef OLDER_OPENSSL
|
||||||
|
- if ((*size_p = BN_bn2bin(rsa->p, p)) <= 0) {
|
||||||
|
-#else
|
||||||
|
RSA_get0_factors(rsa, &p_tmp, NULL);
|
||||||
|
if ((*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
||||||
|
-#endif
|
||||||
|
DEBUG_openssl_print_errors();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+#else
|
||||||
|
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n_tmp) ||
|
||||||
|
+ (*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
||||||
|
+ DEBUG_openssl_print_errors();
|
||||||
|
+ BN_free(n_tmp);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ BN_free(n_tmp);
|
||||||
|
+
|
||||||
|
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p_tmp) ||
|
||||||
|
+ (*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
||||||
|
+ DEBUG_openssl_print_errors();
|
||||||
|
+ BN_free(p_tmp);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ BN_free(p_tmp);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
index 4ebb4a88..45bc4b78 100644
|
||||||
|
--- a/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
+++ b/usr/lib/tpm_stdll/tpm_specific.c
|
||||||
|
@@ -1451,15 +1451,15 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||||
|
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||||
|
CK_RV rc;
|
||||||
|
TSS_RESULT result;
|
||||||
|
- RSA *rsa;
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
unsigned int size_n, size_p;
|
||||||
|
unsigned char n[256], p[256];
|
||||||
|
|
||||||
|
/* all sw generated keys are 2048 bits */
|
||||||
|
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
||||||
|
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
||||||
|
return CKR_HOST_MEMORY;
|
||||||
|
|
||||||
|
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||||
|
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||||
|
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
@@ -1473,13 +1473,13 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (openssl_write_key(tokdata, rsa, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
||||||
|
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
||||||
|
TRACE_DEVEL("openssl_write_key failed.\n");
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
|
/* store the user base key in a PKCS#11 object internally */
|
||||||
|
rc = token_store_tss_key(tokdata, tpm_data->hPrivateRootKey,
|
||||||
|
@@ -1529,15 +1529,15 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||||
|
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||||
|
CK_RV rc;
|
||||||
|
TSS_RESULT result;
|
||||||
|
- RSA *rsa;
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
unsigned int size_n, size_p;
|
||||||
|
unsigned char n[256], p[256];
|
||||||
|
|
||||||
|
/* all sw generated keys are 2048 bits */
|
||||||
|
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
||||||
|
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
||||||
|
return CKR_HOST_MEMORY;
|
||||||
|
|
||||||
|
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||||
|
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||||
|
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
@@ -1551,13 +1551,13 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (openssl_write_key(tokdata, rsa, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
||||||
|
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
||||||
|
TRACE_DEVEL("openssl_write_key\n");
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
|
result = Tspi_Key_LoadKey(tpm_data->hPublicRootKey, tpm_data->hSRK);
|
||||||
|
if (result) {
|
||||||
|
@@ -1602,7 +1602,7 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||||
|
CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||||
|
{
|
||||||
|
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||||
|
- RSA *rsa;
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
char *backup_loc;
|
||||||
|
unsigned int size_n, size_p;
|
||||||
|
unsigned char n[256], p[256];
|
||||||
|
@@ -1630,7 +1630,7 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* read the backup key with the old pin */
|
||||||
|
- if ((rc = openssl_read_key(tokdata, backup_loc, pin, &rsa))) {
|
||||||
|
+ if ((rc = openssl_read_key(tokdata, backup_loc, pin, &pkey))) {
|
||||||
|
if (rc == CKR_FILE_NOT_FOUND)
|
||||||
|
rc = CKR_FUNCTION_FAILED;
|
||||||
|
TRACE_DEVEL("openssl_read_key failed\n");
|
||||||
|
@@ -1640,8 +1640,9 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||||
|
/* So, reading the backup openssl key off disk succeeded with the SOs PIN.
|
||||||
|
* We will now try to re-wrap that key with the current SRK
|
||||||
|
*/
|
||||||
|
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||||
|
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||||
|
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1650,10 +1651,10 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||||
|
phKey);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lx\n", rc);
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
- RSA_free(rsa);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
|
result = Tspi_Key_LoadKey(*phKey, tpm_data->hSRK);
|
||||||
|
if (result) {
|
||||||
|
@@ -1998,7 +1999,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||||
|
CK_BYTE oldpin_hash[SHA1_HASH_SIZE], newpin_hash[SHA1_HASH_SIZE];
|
||||||
|
CK_RV rc;
|
||||||
|
- RSA *rsa_root;
|
||||||
|
+ EVP_PKEY *pkey_root;
|
||||||
|
TSS_RESULT result;
|
||||||
|
|
||||||
|
if (!sess) {
|
||||||
|
@@ -2094,7 +2095,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
|
||||||
|
/* read the backup key with the old pin */
|
||||||
|
rc = openssl_read_key(tokdata, TPMTOK_PRIV_ROOT_KEY_FILE, pOldPin,
|
||||||
|
- &rsa_root);
|
||||||
|
+ &pkey_root);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
if (rc == CKR_FILE_NOT_FOUND) {
|
||||||
|
/* If the user has moved his backup PEM file off site, allow a
|
||||||
|
@@ -2107,14 +2108,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* write it out using the new pin */
|
||||||
|
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
||||||
|
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
||||||
|
pNewPin);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
- RSA_free(rsa_root);
|
||||||
|
+ EVP_PKEY_free(pkey_root);
|
||||||
|
TRACE_DEVEL("openssl_write_key failed\n");
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
- RSA_free(rsa_root);
|
||||||
|
+ EVP_PKEY_free(pkey_root);
|
||||||
|
} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
|
||||||
|
if (tpm_data->not_initialized) {
|
||||||
|
if (memcmp(default_so_pin_sha, oldpin_hash, SHA1_HASH_SIZE)) {
|
||||||
|
@@ -2166,7 +2167,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
|
||||||
|
/* change auth on the public root key's openssl backup */
|
||||||
|
rc = openssl_read_key(tokdata, TPMTOK_PUB_ROOT_KEY_FILE, pOldPin,
|
||||||
|
- &rsa_root);
|
||||||
|
+ &pkey_root);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
if (rc == CKR_FILE_NOT_FOUND) {
|
||||||
|
/* If the user has moved his backup PEM file off site, allow a
|
||||||
|
@@ -2179,14 +2180,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* write it out using the new pin */
|
||||||
|
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
||||||
|
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
||||||
|
pNewPin);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
- RSA_free(rsa_root);
|
||||||
|
+ EVP_PKEY_free(pkey_root);
|
||||||
|
TRACE_DEVEL("openssl_write_key failed\n");
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
}
|
||||||
|
- RSA_free(rsa_root);
|
||||||
|
+ EVP_PKEY_free(pkey_root);
|
||||||
|
} else {
|
||||||
|
TRACE_ERROR("%s\n", ock_err(ERR_SESSION_READ_ONLY));
|
||||||
|
rc = CKR_SESSION_READ_ONLY;
|
||||||
|
@@ -2401,60 +2402,6 @@ CK_RV token_specific_des_ecb(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- CK_RV rc;
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
-
|
||||||
|
- DES_key_schedule des_key2;
|
||||||
|
- const_DES_cblock key_val_SSL, in_key_data;
|
||||||
|
- DES_cblock out_key_data;
|
||||||
|
- unsigned int i, j;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // Create the key schedule
|
||||||
|
- memcpy(&key_val_SSL, attr->pValue, 8);
|
||||||
|
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
||||||
|
-
|
||||||
|
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by 8
|
||||||
|
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
- // Both the encrypt and the decrypt are done 8 bytes at a time
|
||||||
|
- if (encrypt) {
|
||||||
|
- for (i = 0; i < in_data_len; i = i + 8) {
|
||||||
|
- memcpy(in_key_data, in_data + i, 8);
|
||||||
|
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
||||||
|
- DES_ENCRYPT);
|
||||||
|
- memcpy(out_data + i, out_key_data, 8);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- } else {
|
||||||
|
-
|
||||||
|
- for (j = 0; j < in_data_len; j = j + 8) {
|
||||||
|
- memcpy(in_key_data, in_data + j, 8);
|
||||||
|
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
||||||
|
- DES_DECRYPT);
|
||||||
|
- memcpy(out_data + j, out_key_data, 8);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return rc;
|
||||||
|
-#else
|
||||||
|
const EVP_CIPHER *cipher = EVP_des_ecb();
|
||||||
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
|
CK_ATTRIBUTE *attr = NULL;
|
||||||
|
@@ -2501,7 +2448,6 @@ done:
|
||||||
|
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
@@ -2511,50 +2457,6 @@ CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- CK_RV rc;
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
-
|
||||||
|
- DES_cblock ivec;
|
||||||
|
-
|
||||||
|
- DES_key_schedule des_key2;
|
||||||
|
- const_DES_cblock key_val_SSL;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // Create the key schedule
|
||||||
|
- memcpy(&key_val_SSL, attr->pValue, 8);
|
||||||
|
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
||||||
|
-
|
||||||
|
- memcpy(&ivec, init_v, 8);
|
||||||
|
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by 8
|
||||||
|
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
-
|
||||||
|
- if (encrypt) {
|
||||||
|
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
||||||
|
- DES_ENCRYPT);
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- } else {
|
||||||
|
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
||||||
|
- DES_DECRYPT);
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- }
|
||||||
|
- return rc;
|
||||||
|
-#else
|
||||||
|
const EVP_CIPHER *cipher = EVP_des_cbc();
|
||||||
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
|
CK_ATTRIBUTE *attr = NULL;
|
||||||
|
@@ -2601,7 +2503,6 @@ done:
|
||||||
|
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
||||||
|
@@ -2611,83 +2512,6 @@ CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- CK_RV rc;
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
- CK_KEY_TYPE keytype;
|
||||||
|
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
||||||
|
-
|
||||||
|
- unsigned int k, j;
|
||||||
|
- DES_key_schedule des_key1;
|
||||||
|
- DES_key_schedule des_key2;
|
||||||
|
- DES_key_schedule des_key3;
|
||||||
|
-
|
||||||
|
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
|
||||||
|
- DES_cblock out_key_data;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key type
|
||||||
|
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (keytype == CKK_DES2) {
|
||||||
|
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
||||||
|
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
||||||
|
- } else {
|
||||||
|
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // The key as passed is a 24 byte long string containing three des keys
|
||||||
|
- // pick them apart and create the 3 corresponding key schedules
|
||||||
|
- memcpy(&key_SSL1, key_value, 8);
|
||||||
|
- memcpy(&key_SSL2, key_value + 8, 8);
|
||||||
|
- memcpy(&key_SSL3, key_value + 16, 8);
|
||||||
|
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||||
|
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||||
|
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||||
|
-
|
||||||
|
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by 8
|
||||||
|
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
- // the encrypt and decrypt are done 8 bytes at a time
|
||||||
|
- if (encrypt) {
|
||||||
|
- for (k = 0; k < in_data_len; k = k + 8) {
|
||||||
|
- memcpy(in_key_data, in_data + k, 8);
|
||||||
|
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
||||||
|
- (DES_cblock *) & out_key_data,
|
||||||
|
- &des_key1, &des_key2, &des_key3, DES_ENCRYPT);
|
||||||
|
- memcpy(out_data + k, out_key_data, 8);
|
||||||
|
- }
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- } else {
|
||||||
|
- for (j = 0; j < in_data_len; j = j + 8) {
|
||||||
|
- memcpy(in_key_data, in_data + j, 8);
|
||||||
|
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
||||||
|
- (DES_cblock *) & out_key_data,
|
||||||
|
- &des_key1, &des_key2, &des_key3, DES_DECRYPT);
|
||||||
|
- memcpy(out_data + j, out_key_data, 8);
|
||||||
|
- }
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return rc;
|
||||||
|
-#else
|
||||||
|
const EVP_CIPHER *cipher = EVP_des_ede3_ecb();
|
||||||
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
|
CK_ATTRIBUTE *attr = NULL;
|
||||||
|
@@ -2747,7 +2571,6 @@ done:
|
||||||
|
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
@@ -2757,81 +2580,6 @@ CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- CK_RV rc = CKR_OK;
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
- CK_KEY_TYPE keytype;
|
||||||
|
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
||||||
|
-
|
||||||
|
- DES_key_schedule des_key1;
|
||||||
|
- DES_key_schedule des_key2;
|
||||||
|
- DES_key_schedule des_key3;
|
||||||
|
-
|
||||||
|
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
|
||||||
|
- DES_cblock ivec;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key type
|
||||||
|
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (keytype == CKK_DES2) {
|
||||||
|
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
||||||
|
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
||||||
|
- } else {
|
||||||
|
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // The key as passed in is a 24 byte string containing 3 keys
|
||||||
|
- // pick it apart and create the key schedules
|
||||||
|
- memcpy(&key_SSL1, key_value, 8);
|
||||||
|
- memcpy(&key_SSL2, key_value + 8, 8);
|
||||||
|
- memcpy(&key_SSL3, key_value + 16, 8);
|
||||||
|
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||||
|
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||||
|
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||||
|
-
|
||||||
|
- memcpy(ivec, init_v, sizeof(ivec));
|
||||||
|
-
|
||||||
|
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by 8
|
||||||
|
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
- // Encrypt or decrypt the data
|
||||||
|
- if (encrypt) {
|
||||||
|
- DES_ede3_cbc_encrypt(in_data,
|
||||||
|
- out_data,
|
||||||
|
- in_data_len,
|
||||||
|
- &des_key1,
|
||||||
|
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- } else {
|
||||||
|
- DES_ede3_cbc_encrypt(in_data,
|
||||||
|
- out_data,
|
||||||
|
- in_data_len,
|
||||||
|
- &des_key1,
|
||||||
|
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
|
||||||
|
-
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- rc = CKR_OK;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return rc;
|
||||||
|
-#else
|
||||||
|
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
|
||||||
|
EVP_CIPHER_CTX *ctx = NULL;
|
||||||
|
CK_ATTRIBUTE *attr = NULL;
|
||||||
|
@@ -2891,7 +2639,6 @@ done:
|
||||||
|
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
/* wrap the 20 bytes of auth data @authData and store in an attribute of the two
|
||||||
|
@@ -3626,49 +3373,6 @@ CK_RV token_specific_aes_ecb(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
- AES_KEY ssl_aes_key;
|
||||||
|
- unsigned int i;
|
||||||
|
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
|
||||||
|
- * so this is fine */
|
||||||
|
- CK_ULONG loops = (CK_ULONG) (in_data_len / AES_BLOCK_SIZE);
|
||||||
|
- CK_RV rc;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
||||||
|
-
|
||||||
|
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
|
||||||
|
- // input data here
|
||||||
|
- if (encrypt) {
|
||||||
|
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
||||||
|
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||||
|
- for (i = 0; i < loops; i++) {
|
||||||
|
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
||||||
|
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
||||||
|
- &ssl_aes_key, AES_ENCRYPT);
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
||||||
|
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||||
|
- for (i = 0; i < loops; i++) {
|
||||||
|
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
||||||
|
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
||||||
|
- &ssl_aes_key, AES_DECRYPT);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
-
|
||||||
|
- return CKR_OK;
|
||||||
|
-#else
|
||||||
|
CK_RV rc;
|
||||||
|
int outlen;
|
||||||
|
unsigned char akey[AES_KEY_SIZE_256];
|
||||||
|
@@ -3729,7 +3433,6 @@ done:
|
||||||
|
OPENSSL_cleanse(akey, sizeof(akey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
@@ -3739,39 +3442,6 @@ CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
||||||
|
CK_ULONG * out_data_len,
|
||||||
|
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- AES_KEY ssl_aes_key;
|
||||||
|
- CK_ATTRIBUTE *attr = NULL;
|
||||||
|
- CK_RV rc;
|
||||||
|
-
|
||||||
|
- UNUSED(tokdata);
|
||||||
|
-
|
||||||
|
- // get the key value
|
||||||
|
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||||
|
- if (rc != CKR_OK) {
|
||||||
|
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||||
|
- return rc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
||||||
|
-
|
||||||
|
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
|
||||||
|
- // AES_ecb_encrypt, so no looping required.
|
||||||
|
- if (encrypt) {
|
||||||
|
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
||||||
|
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||||
|
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
||||||
|
- in_data_len, &ssl_aes_key, init_v, AES_ENCRYPT);
|
||||||
|
- } else {
|
||||||
|
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
||||||
|
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||||
|
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
||||||
|
- in_data_len, &ssl_aes_key, init_v, AES_DECRYPT);
|
||||||
|
- }
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
-
|
||||||
|
- return CKR_OK;
|
||||||
|
-#else
|
||||||
|
CK_RV rc;
|
||||||
|
int outlen;
|
||||||
|
unsigned char akey[AES_KEY_SIZE_256];
|
||||||
|
@@ -3832,7 +3502,6 @@ done:
|
||||||
|
OPENSSL_cleanse(akey, sizeof(akey));
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV token_specific_get_mechanism_list(STDLL_TokData_t * tokdata,
|
||||||
|
diff --git a/usr/lib/tpm_stdll/tpm_specific.h b/usr/lib/tpm_stdll/tpm_specific.h
|
||||||
|
index 81af2744..2ffd0afc 100644
|
||||||
|
--- a/usr/lib/tpm_stdll/tpm_specific.h
|
||||||
|
+++ b/usr/lib/tpm_stdll/tpm_specific.h
|
||||||
|
@@ -56,10 +56,10 @@
|
||||||
|
/* retry count for generating software RSA keys */
|
||||||
|
#define KEYGEN_RETRY 5
|
||||||
|
|
||||||
|
-RSA *openssl_gen_key(STDLL_TokData_t *);
|
||||||
|
-int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
|
||||||
|
-CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
|
||||||
|
-int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
|
||||||
|
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *);
|
||||||
|
+int openssl_write_key(STDLL_TokData_t *, EVP_PKEY *, char *, CK_BYTE *);
|
||||||
|
+CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, EVP_PKEY **);
|
||||||
|
+int openssl_get_modulus_and_prime(EVP_PKEY *, unsigned int *, unsigned char *,
|
||||||
|
unsigned int *, unsigned char *);
|
||||||
|
int util_set_file_mode(char *, mode_t);
|
||||||
|
CK_BYTE *util_create_id(int);
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,115 @@
|
|||||||
|
commit ab3fceae6194e8213e9d3ffb7447ccd04d469b9d
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Jul 5 10:45:04 2021 +0200
|
||||||
|
|
||||||
|
COMMON: sw_crypt.c: Remove support for OpenSSL < v1.1.1
|
||||||
|
|
||||||
|
Remove support for OpenSSL < v1.1.1. This code used low level
|
||||||
|
DES/AES functions.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/sw_crypt.c b/usr/lib/common/sw_crypt.c
|
||||||
|
index 906a41ab..253b3c26 100644
|
||||||
|
--- a/usr/lib/common/sw_crypt.c
|
||||||
|
+++ b/usr/lib/common/sw_crypt.c
|
||||||
|
@@ -32,51 +32,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
|
||||||
|
CK_ULONG *out_data_len,
|
||||||
|
CK_BYTE *init_v, CK_BYTE *key_value, CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- DES_key_schedule des_key1;
|
||||||
|
- DES_key_schedule des_key2;
|
||||||
|
- DES_key_schedule des_key3;
|
||||||
|
-
|
||||||
|
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
|
||||||
|
- DES_cblock ivec;
|
||||||
|
-
|
||||||
|
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by DES_BLOCK_SIZE
|
||||||
|
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
- // The key as passed in is a 24 byte string containing 3 keys
|
||||||
|
- // pick it apart and create the key schedules
|
||||||
|
- memcpy(&key_SSL1, key_value, (size_t) 8);
|
||||||
|
- memcpy(&key_SSL2, key_value + 8, (size_t) 8);
|
||||||
|
- memcpy(&key_SSL3, key_value + 16, (size_t) 8);
|
||||||
|
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||||
|
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||||
|
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||||
|
-
|
||||||
|
- memcpy(ivec, init_v, sizeof(ivec));
|
||||||
|
-
|
||||||
|
- // Encrypt or decrypt the data
|
||||||
|
- if (encrypt) {
|
||||||
|
- DES_ede3_cbc_encrypt(in_data,
|
||||||
|
- out_data,
|
||||||
|
- in_data_len,
|
||||||
|
- &des_key1,
|
||||||
|
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- } else {
|
||||||
|
- DES_ede3_cbc_encrypt(in_data,
|
||||||
|
- out_data,
|
||||||
|
- in_data_len,
|
||||||
|
- &des_key1,
|
||||||
|
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
|
||||||
|
-
|
||||||
|
- *out_data_len = in_data_len;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return CKR_OK;
|
||||||
|
-#else
|
||||||
|
CK_RV rc;
|
||||||
|
int outlen;
|
||||||
|
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
|
||||||
|
@@ -109,7 +64,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
|
||||||
|
done:
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||||
|
@@ -119,33 +73,6 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||||
|
CK_BYTE *init_v, CK_BYTE *key_value, CK_ULONG keylen,
|
||||||
|
CK_BYTE encrypt)
|
||||||
|
{
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
- AES_KEY aes_key;
|
||||||
|
-
|
||||||
|
- UNUSED(out_data_len); //XXX can this parameter be removed ?
|
||||||
|
-
|
||||||
|
- memset(&aes_key, 0, sizeof(aes_key));
|
||||||
|
-
|
||||||
|
- // the aes decrypt will only fail if the data length is not evenly divisible
|
||||||
|
- // by AES_BLOCK_SIZE
|
||||||
|
- if (in_data_len % AES_BLOCK_SIZE) {
|
||||||
|
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||||
|
- return CKR_DATA_LEN_RANGE;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // Encrypt or decrypt the data
|
||||||
|
- if (encrypt) {
|
||||||
|
- AES_set_encrypt_key(key_value, keylen * 8, &aes_key);
|
||||||
|
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
|
||||||
|
- init_v, AES_ENCRYPT);
|
||||||
|
- } else {
|
||||||
|
- AES_set_decrypt_key(key_value, keylen * 8, &aes_key);
|
||||||
|
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
|
||||||
|
- init_v, AES_DECRYPT);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return CKR_OK;
|
||||||
|
-#else
|
||||||
|
CK_RV rc;
|
||||||
|
int outlen;
|
||||||
|
const EVP_CIPHER *cipher = NULL;
|
||||||
|
@@ -187,5 +114,4 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||||
|
done:
|
||||||
|
EVP_CIPHER_CTX_free(ctx);
|
||||||
|
return rc;
|
||||||
|
-#endif
|
||||||
|
}
|
@ -0,0 +1,37 @@
|
|||||||
|
commit c4683eb904238d20cb34a4c7661ffac04901283c
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Tue Jun 29 17:35:30 2021 +0200
|
||||||
|
|
||||||
|
COMMON: Add OPENSSL_VERSION_PREREQ macro to check for OpenSSL version
|
||||||
|
|
||||||
|
Make the OPENSSL_VERSION_PREREQ macro available independent of the
|
||||||
|
used OpenSSL version, so that the code can easily check for the OpenSSL
|
||||||
|
version it is compiled with.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/defs.h b/usr/lib/common/defs.h
|
||||||
|
index 22d75d2d..8ab50517 100644
|
||||||
|
--- a/usr/lib/common/defs.h
|
||||||
|
+++ b/usr/lib/common/defs.h
|
||||||
|
@@ -17,6 +17,20 @@
|
||||||
|
#ifndef _DEFS_H
|
||||||
|
#define _DEFS_H
|
||||||
|
|
||||||
|
+#include <openssl/opensslv.h>
|
||||||
|
+
|
||||||
|
+#ifndef OPENSSL_VERSION_PREREQ
|
||||||
|
+ #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR)
|
||||||
|
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
|
||||||
|
+ ((OPENSSL_VERSION_MAJOR << 16) + \
|
||||||
|
+ OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min))
|
||||||
|
+ #else
|
||||||
|
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
|
||||||
|
+ (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | \
|
||||||
|
+ ((min) << 20)))
|
||||||
|
+ #endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#define MAX_SESSION_COUNT 64
|
||||||
|
#define MAX_PIN_LEN 8
|
||||||
|
#define MIN_PIN_LEN 4
|
@ -0,0 +1,49 @@
|
|||||||
|
commit dd9cfe2ef89dad185397df46227f9392a6317d35
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Jul 21 13:54:59 2021 +0200
|
||||||
|
|
||||||
|
CONFIGURE: Check that OpenSSL 1.1.1 or later is available
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 286b7408..f47060d9 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -277,21 +277,14 @@ if test "x$with_openssl" != "xno"; then
|
||||||
|
old_libs="$LIBS"
|
||||||
|
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
|
||||||
|
LIBS="$LIBS $OPENSSL_LIBS"
|
||||||
|
- AC_CHECK_HEADER([openssl/ssl.h], [], [
|
||||||
|
- if test "x$with_openssl" != "xcheck"; then
|
||||||
|
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL headers couldn't be found])
|
||||||
|
- fi
|
||||||
|
- with_openssl=no
|
||||||
|
+ AC_CHECK_HEADER([openssl/evp.h], [], [
|
||||||
|
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL headers couldn't be found])
|
||||||
|
])
|
||||||
|
if test "x$with_openssl" != "xno"; then
|
||||||
|
- AC_CHECK_LIB([crypto], [RSA_generate_key], [
|
||||||
|
+ AC_CHECK_LIB([crypto], [EVP_sha3_256], [
|
||||||
|
OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto"
|
||||||
|
- with_openssl=yes
|
||||||
|
- ], [
|
||||||
|
- if test "x$with_openssl" != "xcheck"; then
|
||||||
|
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL libraries couldn't be found])
|
||||||
|
- fi
|
||||||
|
- with_openssl=no
|
||||||
|
+ with_openssl=yes], [
|
||||||
|
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL libraries version 1.1.1 or later couldn't be found])
|
||||||
|
])
|
||||||
|
fi
|
||||||
|
if test "x$with_openssl" = "xno"; then
|
||||||
|
@@ -299,6 +292,9 @@ if test "x$with_openssl" != "xno"; then
|
||||||
|
LIBS="$old_libs"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
+if test "x$with_openssl" != "xyes"; then
|
||||||
|
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but build without OpenSSL was requested])
|
||||||
|
+fi
|
||||||
|
AC_SUBST([OPENSSL_CFLAGS])
|
||||||
|
AC_SUBST([OPENSSL_LIBS])
|
||||||
|
|
@ -0,0 +1,853 @@
|
|||||||
|
commit ecf71404e84ae35931cd6c7398c825378ee052b6
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Fri Jul 2 11:20:22 2021 +0200
|
||||||
|
|
||||||
|
TESTCASES: Soft: Skip tests with RSA publ.exp. not supported by OpenSSL
|
||||||
|
|
||||||
|
OpenSSL 3.0 only accepts public exponents of 3 and 65537 for RSA keys.
|
||||||
|
Skip the testcase if another public exponent is used.
|
||||||
|
|
||||||
|
Also fixed some ugly line breaks within messages.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/testcases/common/common.c b/testcases/common/common.c
|
||||||
|
index bfd486cb..0a64ecf2 100644
|
||||||
|
--- a/testcases/common/common.c
|
||||||
|
+++ b/testcases/common/common.c
|
||||||
|
@@ -876,6 +876,16 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||||
|
|| (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||||
|
}
|
||||||
|
|
||||||
|
+/** Returns true if pubexp is valid for Soft Tokens **/
|
||||||
|
+int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||||
|
+{
|
||||||
|
+ CK_BYTE exp3[] = { 0x03 }; // 3
|
||||||
|
+ CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
|
||||||
|
+
|
||||||
|
+ return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
|
||||||
|
+ || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/** Returns true if slot_id is an ICSF token
|
||||||
|
** ICSF token info is not necessarily hard-coded like the other tokens
|
||||||
|
** so there is no single identifying attribute. So, instead just
|
||||||
|
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
|
||||||
|
index 62aa7a76..8739ed37 100644
|
||||||
|
--- a/testcases/crypto/rsa_func.c
|
||||||
|
+++ b/testcases/crypto/rsa_func.c
|
||||||
|
@@ -102,8 +102,8 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -111,8 +111,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -124,8 +123,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -148,6 +146,16 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'",
|
||||||
|
+ s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
// tpm special cases:
|
||||||
|
// tpm token can only use public exponent 0x010001 (65537)
|
||||||
|
// so skip test if invalid public exponent is used
|
||||||
|
@@ -155,8 +163,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||||
|
- s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -166,8 +173,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len) ||
|
||||||
|
(tsuite->tv[i].modbits < 1024)) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -376,8 +382,8 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].mod_len * 8)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].mod_len * 8);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].mod_len * 8);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -385,16 +391,14 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// modulus length must be multiple of 128 byte
|
||||||
|
// skip test if modulus length has unsuported size
|
||||||
|
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||||
|
- testcase_skip("EP11 Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -416,8 +420,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
(tsuite->tv[i].exp2_len >
|
||||||
|
(tsuite->tv[i].mod_len / 2)) ||
|
||||||
|
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||||
|
- testcase_skip("ICA Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -431,12 +434,21 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
+ tsuite->tv[i].pubexp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
// tpm special cases:
|
||||||
|
// tpm token can only use public exponent 0x010001 (65537)
|
||||||
|
// so skip test if invalid public exponent is used
|
||||||
|
@@ -444,8 +456,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len * 8))) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||||
|
- s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -455,8 +466,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len) ||
|
||||||
|
(tsuite->tv[i].mod_len * 8 < 1024)) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -691,8 +701,8 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -700,8 +710,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -710,8 +719,16 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -721,8 +738,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
|
||||||
|
- s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -732,8 +748,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len) ||
|
||||||
|
(tsuite->tv[i].modbits < 1024)) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -944,16 +959,23 @@ CK_RV do_SignVerify_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1154,8 +1176,8 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// get public exponent from test vector
|
||||||
|
@@ -1169,8 +1191,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1179,8 +1200,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len) ||
|
||||||
|
(tsuite->tv[i].modbits < 1024)) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1189,8 +1209,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) ||
|
||||||
|
(!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||||
|
- s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1198,8 +1217,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -1228,6 +1246,14 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
// begin test
|
||||||
|
testcase_begin("%s Wrap Unwrap with test vector %d, "
|
||||||
|
@@ -1554,8 +1580,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
(tsuite->tv[i].exp2_len >
|
||||||
|
(tsuite->tv[i].mod_len / 2)) ||
|
||||||
|
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||||
|
- testcase_skip("ICA Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1565,8 +1590,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
// skip test if modulus length has unsuported size
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||||
|
- testcase_skip("EP11 Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1575,8 +1599,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||||
|
- testcase_skip("TPM Token cannot "
|
||||||
|
- "be used with this test vector.");
|
||||||
|
+ testcase_skip("TPM Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1584,8 +1607,15 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with this test vector.");
|
||||||
|
+ testcase_skip("CCA Token cannot be used with this test vector.");
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
+ tsuite->tv[i].pubexp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1735,8 +1765,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
// skip test if modulus length has unsuported size
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||||
|
- testcase_skip("EP11 Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1745,8 +1774,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||||
|
- testcase_skip("TPM Token cannot "
|
||||||
|
- "be used with this test vector.");
|
||||||
|
+ testcase_skip("TPM Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1754,8 +1782,15 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with this test vector.");
|
||||||
|
+ testcase_skip("CCA Token cannot be used with this test vector.");
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
+ tsuite->tv[i].pubexp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with this test vector.");
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/testcases/crypto/rsaupdate_func.c b/testcases/crypto/rsaupdate_func.c
|
||||||
|
index 20611b85..22f8d7e4 100644
|
||||||
|
--- a/testcases/crypto/rsaupdate_func.c
|
||||||
|
+++ b/testcases/crypto/rsaupdate_func.c
|
||||||
|
@@ -96,8 +96,8 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -105,8 +105,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -115,19 +114,27 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if (is_tpm_token(slot_id)) {
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len))
|
||||||
|
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
|
||||||
|
- s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -137,8 +144,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len) ||
|
||||||
|
(tsuite->tv[i].modbits < 1024)) {
|
||||||
|
- testcase_skip("ICSF Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -162,8 +168,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||||
|
tsuite->tv[i].publ_exp_len,
|
||||||
|
&publ_key, &priv_key);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
- testcase_error("generate_RSA_PKCS_KeyPair(), "
|
||||||
|
- "rc=%s", p11_get_ckr(rc));
|
||||||
|
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -367,8 +372,8 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||||
|
tsuite->tv[i].modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -376,8 +381,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -386,8 +390,16 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
tsuite->tv[i].publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||||
|
+ tsuite->tv[i].publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -412,8 +424,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||||
|
tsuite->tv[i].publ_exp_len,
|
||||||
|
&publ_key, &priv_key);
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
- testcase_error("generate_RSA_PKCS_KeyPair(), "
|
||||||
|
- "rc=%s", p11_get_ckr(rc));
|
||||||
|
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
// generate message
|
||||||
|
@@ -639,8 +650,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with pub_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with pub_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -650,8 +660,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) ||
|
||||||
|
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||||
|
- testcase_skip("TPM Token cannot "
|
||||||
|
- "be used with pub_exp='%s'.", s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -660,8 +669,16 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
+ tsuite->tv[i].pubexp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -826,8 +843,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
(tsuite->tv[i].exp2_len >
|
||||||
|
(tsuite->tv[i].mod_len / 2)) ||
|
||||||
|
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||||
|
- testcase_skip("ICA Token cannot be used with "
|
||||||
|
- "this test vector.");
|
||||||
|
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -848,8 +864,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("EP11 Token cannot "
|
||||||
|
- "be used with publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -859,8 +874,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) ||
|
||||||
|
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||||
|
- testcase_skip("TPM Token cannot "
|
||||||
|
- "be used with pub_exp='%s'.", s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -869,8 +883,16 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
tsuite->tv[i].pubexp_len)) {
|
||||||
|
- testcase_skip("CCA Token cannot "
|
||||||
|
- "be used with publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
+ free(s);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||||
|
+ tsuite->tv[i].pubexp_len)) {
|
||||||
|
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
free(s);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
diff --git a/testcases/misc_tests/reencrypt.c b/testcases/misc_tests/reencrypt.c
|
||||||
|
index a78e1f5a..93fa31bd 100644
|
||||||
|
--- a/testcases/misc_tests/reencrypt.c
|
||||||
|
+++ b/testcases/misc_tests/reencrypt.c
|
||||||
|
@@ -361,24 +361,29 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id, mech2->key_gen_mech.mechanism,
|
||||||
|
mech2->rsa_modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", slot_id, mech2->rsa_modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ slot_id, mech2->rsa_modbits);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (is_ep11_token(slot_id)) {
|
||||||
|
if (!is_valid_ep11_pubexp(mech2->rsa_publ_exp,
|
||||||
|
mech2->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token in cannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (is_cca_token(slot_id)) {
|
||||||
|
if (!is_valid_cca_pubexp(mech2->rsa_publ_exp,
|
||||||
|
mech2->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token in cannot be used with "
|
||||||
|
- " publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("CCA Token in cannot be used with publ_exp.='%s'", s);
|
||||||
|
+ goto testcase_cleanup;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(mech2->rsa_publ_exp,
|
||||||
|
+ mech2->rsa_publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token in cannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -386,8 +391,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||||
|
if (!is_valid_tpm_pubexp(mech2->rsa_publ_exp,
|
||||||
|
mech2->rsa_publ_exp_len) ||
|
||||||
|
!is_valid_tpm_modbits(mech2->rsa_modbits)) {
|
||||||
|
- testcase_skip("TPM Token cannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -395,8 +399,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||||
|
if (!is_valid_icsf_pubexp(mech2->rsa_publ_exp,
|
||||||
|
mech2->rsa_publ_exp_len) ||
|
||||||
|
mech2->rsa_modbits < 1024) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -619,6 +622,14 @@ CK_RV do_encrypt_reencrypt(struct mech_info *mech1)
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (is_soft_token(slot_id)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(mech1->rsa_publ_exp,
|
||||||
|
+ mech1->rsa_publ_exp_len)) {
|
||||||
|
+ testsuite_skip(NUM_REENCRYPT_TESTS, "Soft Token cannot be "
|
||||||
|
+ "used with publ_exp.='%s'", s);
|
||||||
|
+ goto testcase_cleanup;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
if (is_tpm_token(slot_id) ) {
|
||||||
|
if (!is_valid_tpm_pubexp(mech1->rsa_publ_exp,
|
||||||
|
mech1->rsa_publ_exp_len) ||
|
||||||
|
diff --git a/testcases/misc_tests/tok2tok_transport.c b/testcases/misc_tests/tok2tok_transport.c
|
||||||
|
index 9c1dee8f..ebb44760 100644
|
||||||
|
--- a/testcases/misc_tests/tok2tok_transport.c
|
||||||
|
+++ b/testcases/misc_tests/tok2tok_transport.c
|
||||||
|
@@ -581,30 +581,35 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||||
|
|
||||||
|
if (!keysize_supported(slot_id1, tsuite->wrapped_key_gen_mech.mechanism,
|
||||||
|
tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("Token in slot %lu cannot be used with "
|
||||||
|
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
|
||||||
|
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
|
||||||
|
+ slot_id1, tsuite->rsa_modbits);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
if (!keysize_supported(slot_id2, tsuite->wrapped_key_gen_mech.mechanism,
|
||||||
|
tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("Token in slot %lu cannot be used with "
|
||||||
|
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
|
||||||
|
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
|
||||||
|
+ slot_id2, tsuite->rsa_modbits);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token in cannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token in scannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
|
||||||
|
+ goto testcase_cleanup;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (is_soft_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
+ tsuite->rsa_publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -612,8 +617,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||||
|
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len) ||
|
||||||
|
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -621,8 +625,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len) ||
|
||||||
|
tsuite->rsa_modbits < 1024) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -967,31 +970,36 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||||
|
if (!keysize_supported(slot_id1,
|
||||||
|
tsuite->wrapping_key_gen_mech.mechanism,
|
||||||
|
tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ slot_id1, tsuite->rsa_modbits);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
if (!keysize_supported(slot_id2,
|
||||||
|
tsuite->wrapping_key_gen_mech.mechanism,
|
||||||
|
tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("Token in slot %ld cannot be used with "
|
||||||
|
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
|
||||||
|
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||||
|
+ slot_id2, tsuite->rsa_modbits);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
|
||||||
|
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("EP11 Token in cannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||||
|
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len)) {
|
||||||
|
- testcase_skip("CCA Token in scannot be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
|
||||||
|
+ goto testcase_cleanup;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (is_soft_token(slot_id1) || is_soft_token(slot_id2)) {
|
||||||
|
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
+ tsuite->rsa_publ_exp_len)) {
|
||||||
|
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -999,8 +1007,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||||
|
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len) ||
|
||||||
|
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
|
||||||
|
- testcase_skip("TPM Token cannot " "be used with "
|
||||||
|
- "publ_exp.='%s'", s);
|
||||||
|
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1008,8 +1015,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||||
|
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
|
||||||
|
tsuite->rsa_publ_exp_len) ||
|
||||||
|
tsuite->rsa_modbits < 1024) {
|
||||||
|
- testcase_skip("ICSF Token cannot be used with "
|
||||||
|
- "publ_exp='%s'.", s);
|
||||||
|
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||||
|
goto testcase_cleanup;
|
||||||
|
}
|
||||||
|
}
|
12
SOURCES/opencryptoki-pkcsslotd-pidfile.patch
Normal file
12
SOURCES/opencryptoki-pkcsslotd-pidfile.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up opencryptoki-3.16.0/misc/pkcsslotd.service.in.me opencryptoki-3.16.0/misc/pkcsslotd.service.in
|
||||||
|
--- opencryptoki-3.16.0/misc/pkcsslotd.service.in.me 2021-06-25 09:25:11.464487847 +0200
|
||||||
|
+++ opencryptoki-3.16.0/misc/pkcsslotd.service.in 2021-06-25 09:25:38.701225760 +0200
|
||||||
|
@@ -4,7 +4,7 @@ After=local-fs.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
-PIDFile=/var/run/pkcsslotd.pid
|
||||||
|
+PIDFile=/run/pkcsslotd.pid
|
||||||
|
ExecStart=@sbindir@/pkcsslotd
|
||||||
|
|
||||||
|
[Install]
|
8
SOURCES/opencryptoki.module
Normal file
8
SOURCES/opencryptoki.module
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# This file describes how to load the opensc module
|
||||||
|
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
|
||||||
|
|
||||||
|
# This is a relative path, which means it will be loaded from
|
||||||
|
# the p11-kit default path which is usually $(libdir)/pkcs11.
|
||||||
|
# Doing it this way allows for packagers to package opensc for
|
||||||
|
# 32-bit and 64-bit and make them parallel installable
|
||||||
|
module: libopencryptoki.so
|
686
SPECS/opencryptoki.spec
Normal file
686
SPECS/opencryptoki.spec
Normal file
@ -0,0 +1,686 @@
|
|||||||
|
Name: opencryptoki
|
||||||
|
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||||
|
Version: 3.16.0
|
||||||
|
Release: 12%{?dist}
|
||||||
|
License: CPL
|
||||||
|
URL: https://github.com/opencryptoki/opencryptoki
|
||||||
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
|
Source1: opencryptoki.module
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
|
||||||
|
Patch0: opencryptoki-3.11.0-group.patch
|
||||||
|
|
||||||
|
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
|
||||||
|
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||||
|
# PIDfile below legacy directory /var/run/
|
||||||
|
Patch2: opencryptoki-pkcsslotd-pidfile.patch
|
||||||
|
# Use --no-undefined to debug missing symbols
|
||||||
|
#Patch100: %%{name}-3.2-no-undefined.patch
|
||||||
|
|
||||||
|
# upstream patches
|
||||||
|
Patch200: opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch
|
||||||
|
Patch201: opencryptoki-3.16.0-c79e899d77a5724635a9d4451a34a240e2c7e891.patch
|
||||||
|
Patch202: opencryptoki-3.16.0-69244a5e0d9dfec3ef534b19b89a541576bb17dc.patch
|
||||||
|
Patch203: opencryptoki-3.16.0-b07505993dd8b2f367cf3b630f6da186e4e8550d.patch
|
||||||
|
Patch204: opencryptoki-3.16.0-b048be548508dd1958bb7271568f388d0f6cbcf8.patch
|
||||||
|
Patch205: opencryptoki-3.16.0-e9548127edae313da7840bcb87fd0afd04549c2e.patch
|
||||||
|
Patch206: opencryptoki-3.16.0-d929fe8470e99f4dcbbd889e7aa87e147d0d5b48.patch
|
||||||
|
Patch207: opencryptoki-3.16.0-19f56d12b302b87e1dacf613cc61a063ad209d15.patch
|
||||||
|
Patch208: opencryptoki-3.16.0-342dfbeb8275f5ea6ed52dd3f30126614ec1d037.patch
|
||||||
|
Patch209: opencryptoki-3.16.0-fa94a16116d8382a987ddf9e8cdd88027dd1f647.patch
|
||||||
|
Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch
|
||||||
|
Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
|
||||||
|
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
|
||||||
|
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
|
||||||
|
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
|
||||||
|
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
|
||||||
|
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
|
||||||
|
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
|
||||||
|
Patch218: opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch
|
||||||
|
Patch219: opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch
|
||||||
|
Patch220: opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch
|
||||||
|
Patch221: opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch
|
||||||
|
Patch222: opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch
|
||||||
|
Patch223: opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch
|
||||||
|
Patch224: opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch
|
||||||
|
Patch225: opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch
|
||||||
|
Patch226: opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch
|
||||||
|
Patch227: opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch
|
||||||
|
Patch228: opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch
|
||||||
|
Patch230: opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch
|
||||||
|
Patch231: opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch
|
||||||
|
Patch232: opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch
|
||||||
|
Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
|
||||||
|
Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
|
||||||
|
Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
|
||||||
|
Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
|
||||||
|
Patch237: opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
|
||||||
|
Patch238: opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
|
||||||
|
|
||||||
|
Requires(pre): coreutils
|
||||||
|
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: openssl-devel
|
||||||
|
%if 0%{?tmptok}
|
||||||
|
BuildRequires: trousers-devel
|
||||||
|
%endif
|
||||||
|
BuildRequires: openldap-devel
|
||||||
|
BuildRequires: autoconf automake libtool
|
||||||
|
BuildRequires: bison flex
|
||||||
|
BuildRequires: systemd-devel
|
||||||
|
BuildRequires: libitm-devel
|
||||||
|
BuildRequires: expect
|
||||||
|
BuildRequires: make
|
||||||
|
%ifarch s390 s390x
|
||||||
|
BuildRequires: libica-devel >= 2.3
|
||||||
|
%endif
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}(token)
|
||||||
|
Requires(post): systemd
|
||||||
|
Requires(preun): systemd
|
||||||
|
Requires(postun): systemd
|
||||||
|
|
||||||
|
|
||||||
|
%description
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package contains the Slot Daemon (pkcsslotd) and general utilities.
|
||||||
|
|
||||||
|
|
||||||
|
%package libs
|
||||||
|
Summary: The run-time libraries for opencryptoki package
|
||||||
|
Requires(pre): shadow-utils
|
||||||
|
|
||||||
|
%description libs
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package contains the PKCS#11 library implementation, and requires
|
||||||
|
at least one token implementation (packaged separately) to be fully
|
||||||
|
functional.
|
||||||
|
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development files for openCryptoki
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package contains the development header files for building
|
||||||
|
opencryptoki and PKCS#11 based applications
|
||||||
|
|
||||||
|
|
||||||
|
%package swtok
|
||||||
|
Summary: The software token implementation for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description swtok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the software token implementation to use opencryptoki
|
||||||
|
without any specific cryptographic hardware.
|
||||||
|
|
||||||
|
|
||||||
|
%package tpmtok
|
||||||
|
Summary: Trusted Platform Module (TPM) device support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description tpmtok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support
|
||||||
|
Trusted Platform Module (TPM) devices in the opencryptoki stack.
|
||||||
|
|
||||||
|
|
||||||
|
%package icsftok
|
||||||
|
Summary: ICSF token support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description icsftok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support
|
||||||
|
ICSF token in the opencryptoki stack.
|
||||||
|
|
||||||
|
|
||||||
|
%ifarch s390 s390x
|
||||||
|
%package icatok
|
||||||
|
Summary: ICA cryptographic devices (clear-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description icatok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support ICA
|
||||||
|
devices in the opencryptoki stack. ICA is an interface to IBM
|
||||||
|
cryptographic hardware such as IBM 4764 or 4765 that uses the
|
||||||
|
"accelerator" or "clear-key" path.
|
||||||
|
|
||||||
|
%package ccatok
|
||||||
|
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description ccatok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support CCA
|
||||||
|
devices in the opencryptoki stack. CCA is an interface to IBM
|
||||||
|
cryptographic hardware such as IBM 4764 or 4765 that uses the
|
||||||
|
"co-processor" or "secure-key" path.
|
||||||
|
|
||||||
|
%package ep11tok
|
||||||
|
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description ep11tok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support EP11
|
||||||
|
tokens in the opencryptoki stack. The EP11 token is a token that uses
|
||||||
|
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
|
||||||
|
configured with Enterprise PKCS#11 (EP11) firmware.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
|
||||||
|
%build
|
||||||
|
./bootstrap.sh
|
||||||
|
|
||||||
|
%configure --with-systemd=%{_unitdir} --enable-testcases \
|
||||||
|
%if 0%{?tpmtok}
|
||||||
|
--enable-tpmtok \
|
||||||
|
%else
|
||||||
|
--disable-tpmtok \
|
||||||
|
%endif
|
||||||
|
%ifarch s390 s390x
|
||||||
|
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
|
||||||
|
%else
|
||||||
|
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%make_build CHGRP=/bin/true
|
||||||
|
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install CHGRP=/bin/true
|
||||||
|
|
||||||
|
|
||||||
|
%pre libs
|
||||||
|
getent group pkcs11 >/dev/null || groupadd -r pkcs11
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post
|
||||||
|
%systemd_post pkcsslotd.service
|
||||||
|
if test $1 -eq 1; then
|
||||||
|
%tmpfiles_create %{name}.conf
|
||||||
|
fi
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun pkcsslotd.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%systemd_postun_with_restart pkcsslotd.service
|
||||||
|
|
||||||
|
|
||||||
|
%files
|
||||||
|
%doc ChangeLog FAQ README.md
|
||||||
|
%doc doc/opencryptoki-howto.md
|
||||||
|
%doc doc/README.token_data
|
||||||
|
%dir %{_sysconfdir}/%{name}
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
|
||||||
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%{_unitdir}/pkcsslotd.service
|
||||||
|
%{_sbindir}/p11sak
|
||||||
|
%{_sbindir}/pkcstok_migrate
|
||||||
|
%{_sbindir}/pkcsconf
|
||||||
|
%{_sbindir}/pkcsslotd
|
||||||
|
%{_mandir}/man1/p11sak.1*
|
||||||
|
%{_mandir}/man1/pkcstok_migrate.1*
|
||||||
|
%{_mandir}/man1/pkcsconf.1*
|
||||||
|
%{_mandir}/man5/%{name}.conf.5*
|
||||||
|
%{_mandir}/man7/%{name}.7*
|
||||||
|
%{_mandir}/man8/pkcsslotd.8*
|
||||||
|
%{_libdir}/opencryptoki/methods
|
||||||
|
%{_libdir}/pkcs11/methods
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
|
||||||
|
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
|
||||||
|
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
|
||||||
|
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
|
||||||
|
|
||||||
|
%files libs
|
||||||
|
%license LICENSE
|
||||||
|
%{_sysconfdir}/ld.so.conf.d/*
|
||||||
|
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
|
||||||
|
# needs them in the main package, because:
|
||||||
|
# documentation suggests that programs should dlopen "PKCS11_API.so".
|
||||||
|
%dir %{_libdir}/opencryptoki
|
||||||
|
%{_libdir}/opencryptoki/libopencryptoki.*
|
||||||
|
%{_libdir}/opencryptoki/PKCS11_API.so
|
||||||
|
%dir %{_libdir}/opencryptoki/stdll
|
||||||
|
%dir %{_libdir}/pkcs11
|
||||||
|
%{_libdir}/pkcs11/libopencryptoki.so
|
||||||
|
%{_libdir}/pkcs11/PKCS11_API.so
|
||||||
|
%{_libdir}/pkcs11/stdll
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_includedir}/%{name}/
|
||||||
|
|
||||||
|
%files swtok
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
|
||||||
|
|
||||||
|
%if 0%{?tmptok}
|
||||||
|
%files tpmtok
|
||||||
|
%doc doc/README.tpm_stdll
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files icsftok
|
||||||
|
%doc doc/README.icsf_stdll
|
||||||
|
%{_sbindir}/pkcsicsf
|
||||||
|
%{_mandir}/man1/pkcsicsf.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
|
||||||
|
|
||||||
|
%ifarch s390 s390x
|
||||||
|
%files icatok
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
|
||||||
|
|
||||||
|
%files ccatok
|
||||||
|
%doc doc/README.cca_stdll
|
||||||
|
%{_sbindir}/pkcscca
|
||||||
|
%{_mandir}/man1/pkcscca.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
|
||||||
|
|
||||||
|
%files ep11tok
|
||||||
|
%doc doc/README.ep11_stdll
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
|
||||||
|
%{_sbindir}/pkcsep11_migrate
|
||||||
|
%{_sbindir}/pkcsep11_session
|
||||||
|
%{_mandir}/man1/pkcsep11_migrate.1*
|
||||||
|
%{_mandir}/man1/pkcsep11_session.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
|
||||||
|
- Related: #1989138, Support for OpenSSL 3.0
|
||||||
|
|
||||||
|
* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
|
||||||
|
- Resolves: #1989138, Support for OpenSSL 3.0
|
||||||
|
|
||||||
|
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
|
||||||
|
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
|
||||||
|
|
||||||
|
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
|
||||||
|
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||||
|
Related: rhbz#1991688
|
||||||
|
|
||||||
|
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8
|
||||||
|
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
|
||||||
|
|
||||||
|
* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7
|
||||||
|
- Resolves: #1974365, Fix detection if pkcsslotd is still running
|
||||||
|
|
||||||
|
* Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6
|
||||||
|
- Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/
|
||||||
|
|
||||||
|
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5
|
||||||
|
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||||
|
Related: rhbz#1971065
|
||||||
|
|
||||||
|
* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4
|
||||||
|
- Related: #1924120, add conditional requirement on new selinux-policy
|
||||||
|
|
||||||
|
* Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3
|
||||||
|
- Resolves: #1959894, Soft token does not check if an EC key is valid
|
||||||
|
- Resolves: #1924120, Event Notification Support
|
||||||
|
|
||||||
|
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2
|
||||||
|
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||||
|
|
||||||
|
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
|
||||||
|
- Rebase to 3.16.0
|
||||||
|
|
||||||
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
|
||||||
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
|
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
|
||||||
|
- Added upstream patch, a slot ID has nothing to do with the number of slots
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
|
||||||
|
- Drop tpm1.2 support by default
|
||||||
|
|
||||||
|
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
|
||||||
|
- Fix compiling with c++
|
||||||
|
- Added error message handling for p11sak remove-key command
|
||||||
|
- Add BR on make
|
||||||
|
|
||||||
|
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
|
||||||
|
- Rebase to 3.15.1
|
||||||
|
|
||||||
|
* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
|
||||||
|
- Rebase to 3.15.0
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
|
||||||
|
- added PIN conversion tool
|
||||||
|
|
||||||
|
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
|
||||||
|
- upstream fix - handle early error cases in C_Initialize
|
||||||
|
|
||||||
|
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
|
||||||
|
- fix regression, segfault in C_SetPin
|
||||||
|
|
||||||
|
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
|
||||||
|
- Rebase to 3.14.0
|
||||||
|
|
||||||
|
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
|
||||||
|
- Rebase to 3.13.0
|
||||||
|
|
||||||
|
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
|
||||||
|
- fix build with gcc 10
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
|
||||||
|
- Rebase to 3.12.1
|
||||||
|
|
||||||
|
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
|
||||||
|
- Rebase to 3.12.0
|
||||||
|
|
||||||
|
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
|
||||||
|
- Rebase to 3.11.1
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
|
||||||
|
- enable testcase by default
|
||||||
|
- fix URL
|
||||||
|
|
||||||
|
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
|
||||||
|
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
|
||||||
|
- Updated to 3.11.0
|
||||||
|
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
|
||||||
|
- Ported root's group membership's patch for 3.11.0
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
|
||||||
|
- Rebase to 3.10.0
|
||||||
|
|
||||||
|
* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
|
||||||
|
- Rebase to 3.9.0
|
||||||
|
|
||||||
|
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
|
||||||
|
- use upstream tmpfiles config
|
||||||
|
|
||||||
|
* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
|
||||||
|
- Rebase to 3.8.2 (#1512678)
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
|
||||||
|
- Rebase to 3.7.0
|
||||||
|
- Added libitm-devel as BuildRequires
|
||||||
|
|
||||||
|
* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
|
||||||
|
- Rebase to 3.6.2
|
||||||
|
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
|
||||||
|
|
||||||
|
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
|
||||||
|
- New bugfix upstream release
|
||||||
|
|
||||||
|
* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
|
||||||
|
- New upstream release
|
||||||
|
- Adding post-release patch fixing compile warnings
|
||||||
|
|
||||||
|
* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
|
||||||
|
- New upstream release
|
||||||
|
- Correct dependencies for group creation
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
|
||||||
|
- Few more undefined symbols fixed for s390(x) specific targets
|
||||||
|
- Do not require --no-undefined, because s390(x) requires some
|
||||||
|
|
||||||
|
* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
|
||||||
|
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
|
||||||
|
- Make inline function compatible for GCC5
|
||||||
|
|
||||||
|
* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
|
||||||
|
- new upstream release 3.2
|
||||||
|
- add new sub-package opencryptoki-ep11tok on s390x
|
||||||
|
|
||||||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
|
||||||
|
- new upstream release 3.1
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
|
||||||
|
- create the right lock directory for cca tokens (#1054442)
|
||||||
|
|
||||||
|
* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
|
||||||
|
- use Requires(pre): opencryptoki-libs for subpackages
|
||||||
|
|
||||||
|
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
|
||||||
|
- include token specific directories (#1013017, #1045775, #1054442)
|
||||||
|
- fix pkcsconf crash for non-root users (#10054661)
|
||||||
|
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
|
||||||
|
|
||||||
|
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
|
||||||
|
- fix build with -Werror=format-security (#1037228)
|
||||||
|
|
||||||
|
* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
|
||||||
|
- apply post-3.0 fixes (#1033284)
|
||||||
|
|
||||||
|
* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
|
||||||
|
- update opencryptoki man page (#1001729)
|
||||||
|
|
||||||
|
* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
|
||||||
|
- update unit file (#995002)
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
|
||||||
|
- update pkcsconf man page (#948460)
|
||||||
|
|
||||||
|
* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
|
||||||
|
- new upstream release 3.0
|
||||||
|
|
||||||
|
* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
|
||||||
|
- new upstream release 2.4.3.1
|
||||||
|
|
||||||
|
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
|
||||||
|
- new upstream release 2.4.3
|
||||||
|
|
||||||
|
* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
|
||||||
|
- enable hardened build
|
||||||
|
- switch to systemd macros in scriptlets (#850240)
|
||||||
|
|
||||||
|
* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
|
||||||
|
- add virtual opencryptoki(token) Provides to token modules and as Requires
|
||||||
|
to main package (#904986)
|
||||||
|
|
||||||
|
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
|
||||||
|
- new upstream release 2.4.2
|
||||||
|
- add pkcs_slot man page
|
||||||
|
- don't add root to the pkcs11 group
|
||||||
|
|
||||||
|
* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
|
||||||
|
- fix unresolved symbols in TPM module (#830129)
|
||||||
|
|
||||||
|
* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
|
||||||
|
- new upstream release 2.4.1
|
||||||
|
- convert from initscript to systemd unit
|
||||||
|
- import fixes from RHEL-6 about root's group membership (#732756, #730903)
|
||||||
|
|
||||||
|
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
|
||||||
|
- new upstream release 2.4
|
||||||
|
|
||||||
|
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
|
||||||
|
- new upstream release 2.3.3
|
||||||
|
|
||||||
|
* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
|
||||||
|
- Apply Obsoletes to package names, not provides.
|
||||||
|
|
||||||
|
* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
|
||||||
|
- new upstream release 2.3.2
|
||||||
|
- put STDLLs in separate packages to match upstream package design
|
||||||
|
|
||||||
|
* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
|
||||||
|
- Move the LICENSE file to the -libs subpackage.
|
||||||
|
|
||||||
|
* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
|
||||||
|
- rebuilt with CCA enabled (#604287)
|
||||||
|
- fixed issues from #546274
|
||||||
|
|
||||||
|
* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
|
||||||
|
- fixed one more issue in the initscript (#547324)
|
||||||
|
|
||||||
|
* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
|
||||||
|
- fixed pidfile creating and usage (#547324)
|
||||||
|
|
||||||
|
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
|
||||||
|
- Also list 'reload' and 'force-reload' in "Usage: ...".
|
||||||
|
|
||||||
|
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
|
||||||
|
- Support 'force-reload' in the initscript.
|
||||||
|
|
||||||
|
* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
|
||||||
|
- New upstream release 2.3.1.
|
||||||
|
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
|
||||||
|
|
||||||
|
* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
|
||||||
|
- made pkcsslotd initscript LSB compliant (#522149)
|
||||||
|
|
||||||
|
* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
|
||||||
|
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
|
||||||
|
|
||||||
|
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
|
||||||
|
- rebuilt with new openssl
|
||||||
|
|
||||||
|
* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
|
||||||
|
- Require libica-2.0.
|
||||||
|
|
||||||
|
* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
|
||||||
|
- New upstream release 2.3.0:
|
||||||
|
- adds support for RSA 4096 bit keys in the ICA token.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
|
||||||
|
- Require arch-specific dependency on -libs.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
|
||||||
|
- Return support for crypto hw on s390.
|
||||||
|
- Renamed to opencryptoki.
|
||||||
|
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
|
||||||
|
- Fedora package based on RHEL-5 package.
|
Loading…
Reference in New Issue
Block a user