From 1a052543f3092a628ad0da28ac942e8d3a20e34d Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 17 Dec 2025 10:39:28 +0100 Subject: [PATCH] - Resolves: RHEL-75138, ep11 token BLS support - Resolves: RHEL-85380, ep11 token: ML-KEM and ML-DSA support - Resolves: RHEL-85383, cca token: ML-KEM and ML-DSA support - Resolves: RHEL-100058, openCryptoki 3.26.0 --- .gitignore | 1 + opencryptoki-3.25.0-covscan-findings.patch | 43 ----- ...3.25.0-reject-using-md5-in-fips-mode.patch | 176 ------------------ opencryptoki-openssl-3.5.x.patch | 48 ----- opencryptoki.spec | 18 +- sources | 2 +- 6 files changed, 10 insertions(+), 278 deletions(-) delete mode 100644 opencryptoki-3.25.0-covscan-findings.patch delete mode 100644 opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch delete mode 100644 opencryptoki-openssl-3.5.x.patch diff --git a/.gitignore b/.gitignore index b294784..49667d7 100644 --- a/.gitignore +++ b/.gitignore @@ -36,3 +36,4 @@ opencryptoki-2.3.1.tar.gz /opencryptoki-3.22.0.tar.gz /opencryptoki-3.23.0.tar.gz /opencryptoki-3.25.0.tar.gz +/opencryptoki-3.26.0.tar.gz diff --git a/opencryptoki-3.25.0-covscan-findings.patch b/opencryptoki-3.25.0-covscan-findings.patch deleted file mode 100644 index 6a2e866..0000000 --- a/opencryptoki-3.25.0-covscan-findings.patch +++ /dev/null @@ -1,43 +0,0 @@ -commit 003d658322df316a352af591a3d059ca22fc40a3 -Author: Ingo Franzki -Date: Mon Jul 21 11:02:42 2025 +0200 - - Fix covscan findings - - Closes: https://github.com/opencryptoki/opencryptoki/issues/879 - - Reported-by: Than Ngo - 
Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c -index 9195ff3c..383fb775 100644 ---- a/usr/lib/common/mech_aes.c -+++ b/usr/lib/common/mech_aes.c -@@ -4561,6 +4561,11 @@ static CK_RV aeskw_wrap_pad(STDLL_TokData_t *tokdata, SESSION *sess, - * contains exactly eight octets, then prepend the AIV and encrypt - * the resulting 128-bit block using AES in ECB mode. - */ -+ if (in_data_len > AES_KEY_WRAP_BLOCK_SIZE) { -+ TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE)); -+ return CKR_DATA_LEN_RANGE; -+ } -+ - memmove(buff + AES_KEY_WRAP_BLOCK_SIZE, in_data, in_data_len); - memcpy(buff, aiv, AES_KEY_WRAP_IV_SIZE); - memset(buff + AES_KEY_WRAP_IV_SIZE + in_data_len, 0, padding_len); -diff --git a/usr/sbin/p11sak/p11tool.c b/usr/sbin/p11sak/p11tool.c -index da684f79..5b72b93b 100644 ---- a/usr/sbin/p11sak/p11tool.c -+++ b/usr/sbin/p11sak/p11tool.c -@@ -567,6 +567,11 @@ static void p11tool_print_options_help(const struct p11tool_opt *opts, - else - len = snprintf(tmp, sizeof(tmp),"-%c", opt->short_opt); - -+ if (len >= (int)sizeof(tmp) || len < 0) { -+ warnx("Error formatting option string. Skipping.\n"); -+ continue; -+ } -+ - if (opt->arg.type != ARG_TYPE_PLAIN) { - if (opt->arg.required) - snprintf(&tmp[len], sizeof(tmp) - len, " %s", opt->arg.name); diff --git a/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch b/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch deleted file mode 100644 index 29b29ca..0000000 --- a/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch +++ /dev/null 
@@ -1,176 +0,0 @@ -commit 144456ede9897662eed35ac8415d0ecb1c5907e3 -Author: Ingo Franzki -Date: Wed Aug 13 13:50:24 2025 +0200 - - PKCSSLOTD: Remove the use of MD5 - - The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory - path, for easy checking if the same token directory has already been used by - other tokens. - - The use of MD5 for this is just historical, and has no security relevance at - all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so - pkcsslotd will fail to start. - - Change the code to use SHA256 instead. - - 
Signed-off-by: Ingo Franzki - -diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h -index ec6a489a..fa0db30f 100644 ---- a/usr/sbin/pkcsslotd/pkcsslotd.h -+++ b/usr/sbin/pkcsslotd/pkcsslotd.h -@@ -42,11 +42,7 @@ - - #endif /* DEV */ - --#define HASH_SHA1 1 --#define HASH_MD5 2 --#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c) -- --int compute_hash(int hash_type, int buf_size, char *buf, char *digest); -+int compute_sha256(char *buf, int buf_size, char *digest); - - /******************** - * Global Variables * -diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c -index 0c1a5586..d0d85a85 100644 ---- a/usr/sbin/pkcsslotd/slotmgr.c -+++ b/usr/sbin/pkcsslotd/slotmgr.c -@@ -27,7 +27,7 @@ - #include "configuration.h" - - #define OBJ_DIR "TOK_OBJ" --#define MD5_HASH_SIZE 16 -+#define SHA256_HASH_SIZE 32 - - #define DEF_MANUFID "IBM" - -@@ -44,8 +44,8 @@ - #define DEF_SLOTDESC "Linux" - #endif - --typedef char md5_hash_entry[MD5_HASH_SIZE]; --md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED]; -+typedef char sha256_hash_entry[SHA256_HASH_SIZE]; -+sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED]; - - Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region. 
- int shmid; -@@ -86,27 +86,19 @@ void DumpSharedMemory(void) - } - } - --int compute_hash(int hash_type, int buf_size, char *buf, char *digest) -+int compute_sha256(char *buf, int buf_size, char *digest) - { - EVP_MD_CTX *md_ctx = NULL; - unsigned int result_size; - int rc; - - md_ctx = EVP_MD_CTX_create(); -- -- switch (hash_type) { -- case HASH_SHA1: -- rc = EVP_DigestInit(md_ctx, EVP_sha1()); -- break; -- case HASH_MD5: -- rc = EVP_DigestInit(md_ctx, EVP_md5()); -- break; -- default: -- EVP_MD_CTX_destroy(md_ctx); -+ if (md_ctx == NULL) { -+ fprintf(stderr, "EVP_MD_CTX_create() failed\n"); - return -1; -- break; - } - -+ rc = EVP_DigestInit(md_ctx, EVP_sha256()); - if (rc != 1) { - fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc); - return -1; -@@ -374,12 +366,12 @@ void run_sanity_checks(void) - } - } - --int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table) -+int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table) - { - int i; - - for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) { -- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0) -+ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0) - return 1; - } - -@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) - mode_t proc_umask; - char *tokdir = psinfo->tokname; - char *tokgroup = psinfo->usergroup; -- char token_md5_hash[MD5_HASH_SIZE]; -+ char token_sha256_hash[SHA256_HASH_SIZE]; - - if (psinfo->present == FALSE) - return 0; -@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) - */ - if (!tokdir || strlen(tokdir) == 0) { - /* -- * Build the md5 hash from the dll name prefixed with 'dll:' to -+ * Build the SHA256 hash from the dll name prefixed with 'dll:' to - * check for duplicate tokens with no 'tokname'. 
- */ - snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location); -- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash); -+ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash); - if (rc) { -- fprintf(stderr, "Error calculating MD5 of token name!\n"); -+ fprintf(stderr, "Error calculating SHA256 of token name!\n"); - return -1; - } - - /* check for duplicate token names */ -- if (is_duplicate(token_md5_hash, tokname_hash_table)) { -+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) { - fprintf(stderr, "Duplicate token in slot %llu!\n", - psinfo->slot_number); - return -1; - } - - /* add entry into hash table */ -- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash, -- MD5_HASH_SIZE); -+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash, -+ SHA256_HASH_SIZE); - - return 0; - } -@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) - return -1; - } - -- /* calculate md5 hash from token name */ -- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash); -+ /* calculate SHA256 hash from token name */ -+ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash); - if (rc) { -- fprintf(stderr, "Error calculating MD5 of token name!\n"); -+ fprintf(stderr, "Error calculating SHA256 of token name!\n"); - return -1; - } - /* check for duplicate token names */ -- if (is_duplicate(token_md5_hash, tokname_hash_table)) { -+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) { - fprintf(stderr, "Duplicate token name '%s'!\n", tokdir); - return -1; - } - - /* add entry into hash table */ -- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash, -- MD5_HASH_SIZE); -+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash, -+ SHA256_HASH_SIZE); - - /* Create token specific directory */ - /* sprintf checked above */ diff --git a/opencryptoki-openssl-3.5.x.patch b/opencryptoki-openssl-3.5.x.patch deleted file mode 100644 index e6dcb3a..0000000 
--- a/opencryptoki-openssl-3.5.x.patch +++ /dev/null @@ -1,48 +0,0 @@ -commit 8209874fc0ea78079aa21c386df0f385ee0e5dca -Author: Ingo Franzki -Date: Wed Jul 9 09:09:32 2025 +0200 - - COMMON: Fix detection of EC curve not supported by OpenSSL - - OpenSSL 3.5 recently changed the behavior in regards of error reporting - with EVP_PKEY_keygen(). When the EC curve is not supported it used to - return error EC_R_INVALID_CURVE as top most entry in the error stack. - - Since commit https://github.com/openssl/openssl/commit/72351b0d18078170af270418b2d5e9fc579cb1af - this is no longer the case, instead a generic EVP_R_PROVIDER_KEYMGMT_FAILURE - error is now the top most entry, and EC_R_INVALID_CURVE is the second one. - - Make the detection independent of the error reporting and check for the - curve already in curve_nid_from_params(). - - Closes: https://github.com/opencryptoki/opencryptoki/issues/877 - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c -index f29b4946..e1bb6b83 100644 ---- a/usr/lib/common/mech_openssl.c -+++ b/usr/lib/common/mech_openssl.c -@@ -1854,6 +1854,7 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len) - { - const unsigned char *oid; - ASN1_OBJECT *obj = NULL; -+ EC_GROUP *grp; - int nid; - - oid = params; -@@ -1866,6 +1867,14 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len) - nid = OBJ_obj2nid(obj); - ASN1_OBJECT_free(obj); - -+ grp = EC_GROUP_new_by_curve_name(nid); -+ if (grp == NULL) { -+ TRACE_ERROR("curve not supported by OpenSSL.\n"); -+ return NID_undef; -+ } -+ -+ EC_GROUP_free(grp); -+ - return nid; - } - diff --git a/opencryptoki.spec b/opencryptoki.spec index 5de47c8..7552a15 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec 
@@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1 -Version: 3.25.0 -Release: 5%{?dist} +Version: 3.26.0 +Release: 1%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -21,14 +21,6 @@ Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch Patch3: opencryptoki-lockdir-image-mode.patch # upstream patches -# Fix detection of EC curve not supported by OpenSSL-3.5.x -Patch10: opencryptoki-openssl-3.5.x.patch - -# Fix covscan findings, https://github.com/opencryptoki/opencryptoki/pull/880 -Patch11: opencryptoki-3.25.0-covscan-findings.patch - -# Remove the use of MD5, pkcsslotd crashes in FIPS mode -Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch Requires(pre): coreutils Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) @@ -417,6 +409,12 @@ fi %changelog +* Wed Dec 17 2025 Than Ngo - 3.26.0-1 +- Resolves: RHEL-75138, ep11 token BLS support +- Resolves: RHEL-85380, ep11 token: ML-KEM and ML-DSA support +- Resolves: RHEL-85383, cca token: ML-KEM and ML-DSA support +- Resolves: RHEL-100058, openCryptoki 3.26.0 + * Wed Aug 13 2025 Than Ngo - 3.25.0-5 - Resolves: RHEL-109017, pkcsslotd fails to start in FIPS mode diff --git a/sources b/sources index 863e35e..687cb88 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (opencryptoki-3.25.0.tar.gz) = 33ea9e8b39812af96ca858e9584d4d494a3c6e3761f1cb96d32a9f781a4d1bbcae161d8c593603f6cb9f6ec01f6ac3c3fb1629673e38e716712f8afe7589a1a0 +SHA512 (opencryptoki-3.26.0.tar.gz) = b135139494bfb619de7bb05f0d45f5fa09314405ff21eeacfc55b7fb73b352d7c36328ca85f4efac40e0c346ac9472683348635e6b88262952fdaf9f29664ad2
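Review bot: The new 3.26.0-1 `%changelog` entry does not record that Patch10, Patch11 and Patch12 were dropped, and the `@@ -21,14 +21,6 @@` hunk leaves the `# upstream patches` comment heading an empty section. The removed patches carried the `in_data_len` bounds check in `aeskw_wrap_pad`, the MD5-to-SHA256 change that lets pkcsslotd start in FIPS mode, and the OpenSSL 3.5 curve check in `curve_nid_from_params`. Presumably all three are in the 3.26.0 tarball, but nothing on this page confirms it. Once the upstream commits named in the deleted patch headers are verified in the new source, I would add a changelog line such as `- Drop patches 10-12, included in upstream 3.26.0`. The orphaned `# upstream patches` comment should be removed, or kept deliberately as a placeholder.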