import opencryptoki-3.12.1-2.el8

2020-04-28 05:42:44 -04:00 · 2020-04-28 05:42:44 -04:00 · 2137b71446
commit 2137b71446
parent 8b1403652a
7 changed files with 46 additions and 146 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/opencryptoki-3.11.1.tar.gz
+SOURCES/opencryptoki-3.12.1.tar.gz
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@ -1 +1 @@
-26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz
+8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz
--- a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
+++ b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
@ -1,13 +0,0 @@
 diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c
 --- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me	2019-01-31 13:27:05.720647942 +0100
 +++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c	2019-01-31 13:36:05.763624633 +0100
@@ -1072,6 +1072,9 @@ CK_RV init(void)
     if (rc != CKR_OK) {
         printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc,
                p11_get_ckr(rc));
 +        printf("Note: all non-root users that require access to PKCS#11 tokens "
 +               "using opencryptoki must be assigned to the pkcs11 group to be "
 +               "able to communicate with the pkcsslotd daemon.\n");
         fflush(stdout);
         cleanup();
     }
--- a/SOURCES/opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
+++ b/SOURCES/opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
@ -1,59 +0,0 @@
 commit d6ba9ff61743ce869a5a677f6f77339642efef4b
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Tue Sep 24 14:35:59 2019 +0200
    EP11: Support tolerated new crypto cards
    With just toleration support of new crypt cards, new crypto
    cards are reported as the last known crypto card version.
    E.g. a CEX7 card is reported as CEX6, when CEX6 is the last
    known crypto card version.
    The EP11 token checks the card versions and needs to distinguish
    tolerated cards from supported cards. New (tolerated) crypto cards
    may have different API and firmware versions, and thus need to be
    handled differently.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
 index e22dad5d..a65accea 100644
 --- a/usr/lib/ep11_stdll/ep11_specific.c
 +++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -8253,6 +8253,7 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
     char fname[PATH_MAX];
     char buf[250];
     CK_RV rc;
 +    CK_ULONG hwtype, rawtype;
     sprintf(fname, "%scard%02x/type", SYSFS_DEVICES_AP, adapter);
     rc = file_fgets(fname, buf, sizeof(buf));
@@ -8260,6 +8261,28 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
         return rc;
     if (sscanf(buf, "CEX%luP", type) != 1)
         return CKR_FUNCTION_FAILED;
 +
 +    sprintf(fname, "%scard%02x/hwtype", SYSFS_DEVICES_AP, adapter);
 +    rc = file_fgets(fname, buf, sizeof(buf));
 +    if (rc != CKR_OK)
 +        return rc;
 +    if (sscanf(buf, "%lu", &hwtype) != 1)
 +        return CKR_FUNCTION_FAILED;
 +
 +    sprintf(fname, "%scard%02x/raw_hwtype", SYSFS_DEVICES_AP, adapter);
 +    rc = file_fgets(fname, buf, sizeof(buf));
 +    if (rc != CKR_OK)
 +        return rc;
 +    if (sscanf(buf, "%lu", &rawtype) != 1)
 +        return CKR_FUNCTION_FAILED;
 +
 +    if (rawtype > hwtype) {
 +        TRACE_DEVEL("%s adapter: %u hwtype: %lu raw_hwtype: %lu\n",
 +                    __func__, adapter, hwtype, rawtype);
 +        /* Tolerated new card level: report calculated type */
 +        *type += (rawtype - hwtype);
 +    }
 +
     return CKR_OK;
 }
--- a/SOURCES/opencryptoki-3.11.1-use-soname.patch
+++ b/SOURCES/opencryptoki-3.11.1-use-soname.patch
@ -1,61 +0,0 @@
 From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Mon, 12 Aug 2019 10:54:27 +0200
 Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 Signed-off-by: Dan Horák <dan@danny.cz>
 ---
 usr/lib/ica_s390_stdll/ica_specific.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
 index d5a6d554..a72ce774 100644
 --- a/usr/lib/ica_s390_stdll/ica_specific.c
 +++ b/usr/lib/ica_s390_stdll/ica_specific.c
@@ -61,7 +61,7 @@ const char label[] = "IBM ICA  PKCS #11";
 static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER;
 -#define LIBICA_SHARED_LIB "libica.so"
 +#define LIBICA_SHARED_LIB "libica.so.3"
 #define BIND(dso, sym)  (*(void **)(&p_##sym) = dlsym(dso, #sym))
 #ifndef NO_EC
 -- 
 2.21.0
 From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001
 From: Ingo Franzki <ifranzki@linux.ibm.com>
 Date: Mon, 12 Aug 2019 10:54:44 +0200
 Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 Signed-off-by: Dan Horák <dan@danny.cz>
 ---
 usr/lib/ep11_stdll/ep11_specific.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
 index 231dd200..a3f14351 100644
 --- a/usr/lib/ep11_stdll/ep11_specific.c
 +++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -58,7 +58,7 @@
 #include "ep11_specific.h"
 #define EP11SHAREDLIB "libep11.so"
 -#define ICASHAREDLIB  "libica.so"
 +#define ICASHAREDLIB  "libica.so.3"
 CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
                                  CK_MECHANISM_TYPE_PTR mlist,
 -- 
 2.21.0
--- a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
+++ b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
@ -0,0 +1,33 @@
 commit 50a8a8806059647a3e446fd129995af61ec54867
 Author: Ingo Franzki <ifranzki@linux.ibm.com>
 Date:   Tue Dec 3 14:58:26 2019 +0100
    EP11: Fix EC-uncompress buffer length
    Function ec_uncompress_public_key() expects the size of the output
    buffer in out_pubkey to be specified in the out_len parameter.
    However, variable pubkey_len is uninitialized when calling
    ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
    dependent on the value of pubkey_len.
    Fix this by setting pubkey_len to the size of the public key buffer
    allocated above.
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
 diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
 index 38b6708f..10dfe4e0 100644
 --- a/usr/lib/ep11_stdll/ep11_specific.c
 +++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
         rc = get_ecsiglen(ec_key_obj, &privkey_len);
         if (rc != CKR_OK)
             goto import_EC_key_end;
 -        privkey_len /= 2; /* Public key is half the size of an EC signature */
 +        privkey_len /= 2; /* private key is half the size of an EC signature */
 -        pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
 +        pubkey_len = 1 + 2 * privkey_len;
 +        pubkey = (CK_BYTE *)malloc(pubkey_len);
         if (pubkey == NULL) {
             rc = CKR_HOST_MEMORY;
             goto import_EC_key_end;
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Version:		3.11.1
+Version:		3.12.1
-Release:		3%{?dist}
+Release:		2%{?dist}
 License:		CPL
 Group:			System Environment/Base
 URL:			https://github.com/opencryptoki/opencryptoki
@ -10,13 +10,7 @@ Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
 Patch0:			opencryptoki-3.11.0-group.patch
 # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
 Patch1:			opencryptoki-3.11.0-lockdir.patch
-# bz#1063763, inform the user that he is not in pkcs11 group
+Patch2:			opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
 Patch2:			opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1739433
 Patch3:			opencryptoki-3.11.1-use-soname.patch
 # bz#1772108, Support tolerated new crypto cards
 Patch4:			opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
 Requires(pre):		coreutils
 BuildRequires:		gcc
 BuildRequires:		openssl-devel
@ -333,8 +327,14 @@ fi
 %changelog
-* Thu Nov 14 2019 Than Ngo <than@redhat.com> - 3.11.1-3
+* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
- Resolves: #1772108, support tolerated new crypto cards
+- Resolves: #1782445, EP11: Fix EC-uncompress buffer length
 * Thu Nov 28 2019 Than Ngo <than@redhat.com> - 3.12.1-1
 - Resolves: #1777313, rebase to 3.12.1
 * Tue Nov 12 2019 Than Ngo <than@redhat.com> - 3.12.0-1
 - Resolves: #1726243, rebase to 3.12.0
 * Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
 - Resolves: #1739433, ICA HW token missing after the package update
`@ -1 +1 @@`
	`SOURCES/opencryptoki-3.11.1.tar.gz`	`SOURCES/opencryptoki-3.12.1.tar.gz`
`@ -1 +1 @@`
	`26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz`	`8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz`