diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
new file mode 100644
index 0000000..b96efa9
--- /dev/null
+++ b/.opencryptoki.metadata
@@ -0,0 +1 @@
+4618b82afde56a8177e888c26d336c6f521bed8a SOURCES/opencryptoki-3.22.0.tar.gz
diff --git a/SOURCES/3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch b/SOURCES/3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch
new file mode 100644
index 0000000..b2137f3
--- /dev/null
+++ b/SOURCES/3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch
@@ -0,0 +1,55 @@
+From 742463a3c5a25313ab7ceb578d81b9998db65f67 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Wed, 2 Apr 2025 16:36:45 +0200
+Subject: [PATCH] CCA: Adjust CCA host library version detection for newer CCA
+ versions
+
+Newer CCA versions might report the version string with CSUACFV or CSUACFQ
+with keyword STATCCA using a different indicator character after the version
+information. Ignore the indication character and the remaining data entirely.
+Only the version information as such is of interest.
+
+Signed-off-by: Ingo Franzki
+---
+ usr/lib/cca_stdll/cca_specific.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/usr/lib/cca_stdll/cca_specific.c b/usr/lib/cca_stdll/cca_specific.c
+index 80369248..08e794d0 100644
+--- a/usr/lib/cca_stdll/cca_specific.c
++++ b/usr/lib/cca_stdll/cca_specific.c
+@@ -751,7 +751,6 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+ long return_code, reason_code;
+ long version_data_length;
+ long exit_data_len = 0;
+- char date[20];
+
+ /* Get CCA host library version */
+ version_data_length = sizeof(version_data);
+@@ -767,10 +766,10 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata)
+ version_data[sizeof(version_data) - 1] = '\0';
+ TRACE_DEVEL("CCA Version string: %s\n", version_data);
+
+- if (sscanf((char *)version_data, "%u.%u.%uz%s",
++ if (sscanf((char *)version_data, "%u.%u.%u",
+ &cca_private->cca_lib_version.ver,
+ &cca_private->cca_lib_version.rel,
+- &cca_private->cca_lib_version.mod, date) != 4) {
++ &cca_private->cca_lib_version.mod) != 3) {
+ TRACE_ERROR("CCA library version is invalid: %s\n", version_data);
+ return CKR_FUNCTION_FAILED;
+ }
+@@ -3431,8 +3430,8 @@ static CK_RV cca_get_adapter_version(cca_min_card_version_t *data)
+ memcpy(ccaversion, &rule_array[CCA_STATCCA_CCA_VERSION_OFFSET],
+ CCA_STATCCA_CCA_VERSION_LENGTH);
+
+- if (sscanf(ccaversion, "%d.%d.%02d*", (int *)&adapter_version.ver,
+- (int *)&adapter_version.rel, (int 
*)&adapter_version.mod) != 3) { ++ if (sscanf(ccaversion, "%u.%u.%u", &adapter_version.ver, ++ &adapter_version.rel, &adapter_version.mod) != 3) { + TRACE_ERROR("sscanf of string %s failed, cannot determine CCA card version\n", + ccaversion); + return CKR_FUNCTION_FAILED; +-- +2.16.2.windows.1 + diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 8a996e7..bbd7c5a 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Version: 3.22.0 -Release: 3%{?dist} +Release: 3%{?dist}.1 License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki @@ -21,6 +21,8 @@ Patch21: opencryptoki-CVE-2024-0914-part2.patch Patch22: opencryptoki-CVE-2024-0914-part3.patch Patch23: opencryptoki-CVE-2024-0914-part4.patch Patch24: opencryptoki-CVE-2024-0914-part5.patch +# supporting CCA 8.4 +Patch25: 3.22-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch Requires(pre): coreutils diffutils Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted) @@ -381,6 +383,9 @@ fi %changelog +* Mon Aug 11 2025 Than Ngo - 3.22.0-3.1 +- Resolves: RHEL-105918, fix for supporting CCA 8.4 + * Fri Feb 16 2024 Than Ngo - 3.22.0-3 - Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT Related: RHEL-22791
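Review bot: In the embedded patch's `cca_get_adapter_version` hunk, the new `"%u.%u.%u"` format drops the two-digit cap that `%02d` put on the last field, so the scan of `ccaversion` now stops only at a non-digit or the terminator. That buffer is filled by a fixed-length `memcpy`, and neither its declaration nor its NUL termination is visible in the hunk, so both should be confirmed before relying on the unbounded conversion. `%u` also accepts a leading sign and is undefined on out-of-range input, which matters if these fields feed minimum-version checks (likely given `cca_min_card_version_t`, but not shown here). Giving each conversion a field width sized to the largest expected component, for example `"%3u.%3u.%3u"`, would bound the parse, and the same applies to the `sscanf` in the `cca_get_version` hunk. A short comment such as `/* indicator character and trailing data are intentionally ignored */` above each call would record why matching stops after the third field; both function bodies continue outside the hunks.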