rpms/opencryptoki
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import opencryptoki-3.14.0-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-11-03 06:48:20 -05:00 committed by Andrew Lukoshko
parent 2137b71446
commit 58e9493abf
12 changed files with 4107 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/opencryptoki-3.12.1.tar.gz
SOURCES/opencryptoki-3.14.0.tar.gz

2
.opencryptoki.metadata
View File

@ -1 +1 @@
8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz
9ddd1bbe34992707b20b314645fd92d35cb298ef SOURCES/opencryptoki-3.14.0.tar.gz

134
SOURCES/0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch Normal file
View File

@ -0,0 +1,134 @@
From 583f0210bb8f371c2071966f27b83c95230d50cc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:09:18 +0200
Subject: [PATCH 1/2] pkcstok_migrate: Fix NVTOK.DAT conversion on little
endian platforms
The new format stores all numeric fields in big endian, while the old
format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 84 ++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 10 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e90a5c91..e0c19125 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -1077,6 +1077,42 @@ static CK_RV load_NVTOK_DAT(const char *data_store, const char *nvtok_name,
goto done;
}
+ if (stbuf.st_size == sizeof(TOKEN_DATA)) {
+ /* The 312 version always uses big endian */
+ td->token_info.flags = be32toh(td->token_info.flags);
+ td->token_info.ulMaxSessionCount
+ = be32toh(td->token_info.ulMaxSessionCount);
+ td->token_info.ulSessionCount
+ = be32toh(td->token_info.ulSessionCount);
+ td->token_info.ulMaxRwSessionCount
+ = be32toh(td->token_info.ulMaxRwSessionCount);
+ td->token_info.ulRwSessionCount
+ = be32toh(td->token_info.ulRwSessionCount);
+ td->token_info.ulMaxPinLen = be32toh(td->token_info.ulMaxPinLen);
+ td->token_info.ulMinPinLen = be32toh(td->token_info.ulMinPinLen);
+ td->token_info.ulTotalPublicMemory
+ = be32toh(td->token_info.ulTotalPublicMemory);
+ td->token_info.ulFreePublicMemory
+ = be32toh(td->token_info.ulFreePublicMemory);
+ td->token_info.ulTotalPrivateMemory
+ = be32toh(td->token_info.ulTotalPrivateMemory);
+ td->token_info.ulFreePrivateMemory
+ = be32toh(td->token_info.ulFreePrivateMemory);
+ td->tweak_vector.allow_weak_des
+ = be32toh(td->tweak_vector.allow_weak_des);
+ td->tweak_vector.check_des_parity
+ = be32toh(td->tweak_vector.check_des_parity);
+ td->tweak_vector.allow_key_mods
+ = be32toh(td->tweak_vector.allow_key_mods);
+ td->tweak_vector.netscape_mods
+ = be32toh(td->tweak_vector.netscape_mods);
+ td->dat.version = be32toh(td->dat.version);
+ td->dat.so_login_it = be64toh(td->dat.so_login_it);
+ td->dat.user_login_it = be64toh(td->dat.user_login_it);
+ td->dat.so_wrap_it = be64toh(td->dat.so_wrap_it);
+ td->dat.user_wrap_it = be64toh(td->dat.user_wrap_it);
+ }
+
ret = CKR_OK;
done:
@@ -1628,6 +1664,7 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
{
const char *nvtok = "NVTOK.DAT_312";
char fname[PATH_MAX + 1 + strlen(nvtok) + 1];
+ TOKEN_DATA be_tokdata;
FILE *fp = NULL;
CK_RV ret;
size_t rc;
@@ -1656,14 +1693,6 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Write old part into NVTOK.DAT_312 */
- rc = fwrite(tokdata, sizeof(TOKEN_DATA_OLD), 1, fp);
- if (rc != 1) {
- TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
- ret = CKR_FUNCTION_FAILED;
- goto done;
- }
-
/* Create additions for new format */
ret = create_TOKEN_DATA_VERSION(sopin, userpin, tokdata);
if (ret != CKR_OK) {
@@ -1671,8 +1700,43 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Append TOKEN_DATA_VERSION to NVTOK.DAT_312 */
- rc = fwrite(&(tokdata->dat), sizeof(TOKEN_DATA_VERSION), 1, fp);
+ /* The 312 version always uses big endian */
+ memcpy(&be_tokdata, tokdata, sizeof(TOKEN_DATA));
+ be_tokdata.token_info.flags = htobe32(tokdata->token_info.flags);
+ be_tokdata.token_info.ulMaxSessionCount
+ = htobe32(tokdata->token_info.ulMaxSessionCount);
+ be_tokdata.token_info.ulSessionCount
+ = htobe32(tokdata->token_info.ulSessionCount);
+ be_tokdata.token_info.ulMaxRwSessionCount
+ = htobe32(tokdata->token_info.ulMaxRwSessionCount);
+ be_tokdata.token_info.ulRwSessionCount
+ = htobe32(tokdata->token_info.ulRwSessionCount);
+ be_tokdata.token_info.ulMaxPinLen = htobe32(tokdata->token_info.ulMaxPinLen);
+ be_tokdata.token_info.ulMinPinLen = htobe32(tokdata->token_info.ulMinPinLen);
+ be_tokdata.token_info.ulTotalPublicMemory
+ = htobe32(tokdata->token_info.ulTotalPublicMemory);
+ be_tokdata.token_info.ulFreePublicMemory
+ = htobe32(tokdata->token_info.ulFreePublicMemory);
+ be_tokdata.token_info.ulTotalPrivateMemory
+ = htobe32(tokdata->token_info.ulTotalPrivateMemory);
+ be_tokdata.token_info.ulFreePrivateMemory
+ = htobe32(tokdata->token_info.ulFreePrivateMemory);
+ be_tokdata.tweak_vector.allow_weak_des
+ = htobe32(tokdata->tweak_vector.allow_weak_des);
+ be_tokdata.tweak_vector.check_des_parity
+ = htobe32(tokdata->tweak_vector.check_des_parity);
+ be_tokdata.tweak_vector.allow_key_mods
+ = htobe32(tokdata->tweak_vector.allow_key_mods);
+ be_tokdata.tweak_vector.netscape_mods
+ = htobe32(tokdata->tweak_vector.netscape_mods);
+ be_tokdata.dat.version = htobe32(tokdata->dat.version);
+ be_tokdata.dat.so_login_it = htobe64(tokdata->dat.so_login_it);
+ be_tokdata.dat.user_login_it = htobe64(tokdata->dat.user_login_it);
+ be_tokdata.dat.so_wrap_it = htobe64(tokdata->dat.so_wrap_it);
+ be_tokdata.dat.user_wrap_it = htobe64(tokdata->dat.user_wrap_it);
+
+ /* Write converted token data into NVTOK.DAT_312 */
+ rc = fwrite(&be_tokdata, sizeof(TOKEN_DATA), 1, fp);
if (rc != 1) {
TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
ret = CKR_FUNCTION_FAILED;
--
2.16.2.windows.1

40
SOURCES/0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch Normal file
View File

@ -0,0 +1,40 @@
From 6faa13d83e5166e4bbe97d85935aca779fde9089 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:46:29 +0200
Subject: [PATCH 2/2] pkcstok_migrate: Fix private token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e0c19125..0148102c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -239,7 +239,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
/* Setup header */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x01;
ret = aes_256_wrap(header.key_wrapped, obj_key, masterkey);
if (ret != CKR_OK) {
@@ -252,7 +252,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
header.iv[9] = 0;
header.iv[10] = 0;
header.iv[11] = 1;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, HEADER_LEN);
/* Encrypt body */
--
2.16.2.windows.1

34
SOURCES/0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch Normal file
View File

@ -0,0 +1,34 @@
From c090136338b585370df6a8e29518f9e55d388fe5 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:34 +0200
Subject: [PATCH 3/5] pkcstok_migrate: Fix public token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 0148102c..136c010c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -103,9 +103,9 @@ static CK_RV make_OBJECT_PUB_312(char **obj_new, unsigned int *obj_new_len,
/* Setup object */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x00;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, sizeof(header));
memcpy(object + sizeof(header), clear, clear_len);
--
2.16.2.windows.1

93
SOURCES/0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch Normal file
View File

@ -0,0 +1,93 @@
From d1dbc25c6f424a12860295008991cd1392c888a8 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 09:56:31 +0200
Subject: [PATCH 4/5] pkcstok_migrate: Remove the token's shared memory segment
After successfully migration, remove the tokens shared memory segment.
This will be re-created on the first use of the token.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 38 +++++++++++++++++++++++++++++
usr/sbin/pkcstok_migrate/pkcstok_migrate.mk | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 136c010c..46e5e57f 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -31,6 +31,7 @@
#include <termios.h>
#include <unistd.h>
#include <dirent.h>
+#include <sys/mman.h>
#include <pkcs11types.h>
#include "sw_crypt.h"
@@ -2108,6 +2109,36 @@ done:
}
+/**
+ * Removes the token_s shared memory from /dev/shm
+ */
+static CK_RV remove_shared_memory(char *location)
+{
+ char shm_name[PATH_MAX];
+ int i, k, rc;
+
+ i = k = 0;
+ shm_name[k++] = '/';
+ if (location[i] == '/')
+ i++;
+
+ for (; location[i]; i++, k++) {
+ if (location[i] == '/')
+ shm_name[k] = '.';
+ else
+ shm_name[k] = location[i];
+ }
+ shm_name[k] = '\0';
+
+ rc = shm_unlink(shm_name);
+ if (rc != 0) {
+ warnx("shm_unlink(%s) failed, errno=%s", shm_name, strerror(errno));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
/**
* Copy a file given by name from a src folder to a dst folder.
*/
@@ -2718,6 +2749,13 @@ int main(int argc, char **argv)
goto done;
}
+ /* Remove the token's shared memory */
+ ret = remove_shared_memory(data_store);
+ if (ret != CKR_OK) {
+ warnx("Failed to remove token's shared memory.");
+ goto done;
+ }
+
/* Now insert new 'tokversion=3.12' parm in opencryptoki.conf */
ret = update_opencryptoki_conf(slot_id, conf_dir);
if (ret != CKR_OK) {
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
index dc4582e5..028a383e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
@@ -6,7 +6,7 @@ noinst_HEADERS += usr/include/local_types.h
noinst_HEADERS += usr/lib/common/h_extern.h
noinst_HEADERS += usr/lib/common/pkcs_utils.h
-usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl
+usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl -lrt
usr_sbin_pkcstok_migrate_pkcstok_migrate_CFLAGS = \
-DSTDLL_NAME=\"pkcstok_migrate\" \
--
2.16.2.windows.1

107
SOURCES/0005-Fix-storing-of-public-token-objects-in-new-data-form.patch Normal file
View File

@ -0,0 +1,107 @@
From 6850ae623f9d36b70f1d2919c8390a4b14d393a1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:01 +0200
Subject: [PATCH 5/5] Fix storing of public token objects in new data format
The tokversion and object length field are supposed to be stored
in big endian (BE) on all platforms. This was not the case for public
token objects.
Fix this by always storing it in BE, and add logic to the read routines
to automatically detect if the fields are in the expected byte order,
or not, and handle them accordingly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/common/loadsave.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index 068fdf36..b76dea9f 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2557,6 +2557,7 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG size_64;
CK_RV rc;
uint32_t len;
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return reload_token_object_old(tokdata, obj);
@@ -2580,9 +2581,18 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&len, header + 60, 4);
- size = be32toh(len);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also.
+ */
+ if (ver == TOK_NEW_DATA_STORE)
+ size = len;
+ else
+ size = be32toh(len);
buf = (CK_BYTE *) malloc(size);
if (buf == NULL) {
@@ -2647,8 +2657,9 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG clear_len;
CK_BBOOL flag = FALSE;
CK_RV rc;
- CK_ULONG_32 len;
+ CK_ULONG_32 len, be_len;
unsigned char reserved[7] = {0};
+ uint32_t tmp;
if (tokdata->version < TOK_NEW_DATA_STORE)
return save_public_token_object_old(tokdata, obj);
@@ -2669,11 +2680,14 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ tmp = htobe32(tokdata->version);
+ be_len = htobe32(len);
+
set_perm(fileno(fp));
- if (fwrite(&tokdata->version, 4, 1, fp) != 1
+ if (fwrite(&tmp, 4, 1, fp) != 1
|| fwrite(&flag, 1, 1, fp) != 1
|| fwrite(reserved, 7, 1, fp) != 1
- || fwrite(&len, 4, 1, fp) != 1
+ || fwrite(&be_len, 4, 1, fp) != 1
|| fwrite(clear, len, 1, fp) != 1) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -2704,6 +2718,7 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
CK_BBOOL priv;
CK_ULONG_32 size;
unsigned char header[PUB_HEADER_LEN];
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return load_public_token_objects_old(tokdata);
@@ -2731,9 +2746,16 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&size, header + 12, 4);
- size = be32toh(size);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also
+ */
+ if (ver != TOK_NEW_DATA_STORE)
+ size = be32toh(size);
if (priv == TRUE) {
fclose(fp2);
--
2.16.2.windows.1

3575
SOURCES/opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch Normal file
View File

File diff suppressed because it is too large Load Diff

63
SOURCES/opencryptoki-3.14.0-crash-in-c_setpin.patch Normal file
View File

@ -0,0 +1,63 @@
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
@@ -57,7 +57,7 @@ void openssl_print_errors()
}
#endif
-RSA *openssl_gen_key()
+RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
{
RSA *rsa;
int rc, counter = 0;
@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
BIGNUM *bne;
#endif
- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
+ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
TSS_HTPM hTPM;
BYTE *random_bytes = NULL;
- UNUSED(tokdata);
-
rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
if (rc) {
TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
@@ -56,7 +56,7 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key();
+RSA *openssl_gen_key(STDLL_TokData_t *);
int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,

22
SOURCES/opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch Normal file
View File

@ -0,0 +1,22 @@
commit a94436937b6364c53219fb3c7922439f403e8d5e
Author: Harald Freudenberger <freude@linux.ibm.com>
Date: Wed May 27 07:30:33 2020 +0200
Fix missing entries for p11sak tool in template spec file
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
index fa4b9899..ae563406 100644
--- a/rpm/opencryptoki.spec
+++ b/rpm/opencryptoki.spec
@@ -238,7 +238,9 @@ exit 0
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
+%{_sbindir}/p11sak
%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/p11sak.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*

33
SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
View File

@ -1,33 +0,0 @@
commit 50a8a8806059647a3e446fd129995af61ec54867
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Dec 3 14:58:26 2019 +0100
EP11: Fix EC-uncompress buffer length
Function ec_uncompress_public_key() expects the size of the output
buffer in out_pubkey to be specified in the out_len parameter.
However, variable pubkey_len is uninitialized when calling
ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
dependent on the value of pubkey_len.
Fix this by setting pubkey_len to the size of the public key buffer
allocated above.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 38b6708f..10dfe4e0 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
rc = get_ecsiglen(ec_key_obj, &privkey_len);
if (rc != CKR_OK)
goto import_EC_key_end;
- privkey_len /= 2; /* Public key is half the size of an EC signature */
+ privkey_len /= 2; /* private key is half the size of an EC signature */
- pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
+ pubkey_len = 1 + 2 * privkey_len;
+ pubkey = (CK_BYTE *)malloc(pubkey_len);
if (pubkey == NULL) {
rc = CKR_HOST_MEMORY;
goto import_EC_key_end;

40
SPECS/opencryptoki.spec
View File

@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.12.1
Release: 2%{?dist}
Version: 3.14.0
Release: 5%{?dist}
License: CPL
Group: System Environment/Base
URL: https://github.com/opencryptoki/opencryptoki
@ -10,7 +10,18 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
Patch0: opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
# bz#1780293, fix regression, segfault in C_SetPin
Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
# Fix missing entries for p11sak tool in template spec file
Patch3: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
# bz#1780294, PIN conversion tool
Patch4: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
# bz#1853420, endian issue
Patch5: 0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch
Patch6: 0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch
Patch7: 0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch
Patch8: 0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch
Patch9: 0005-Fix-storing-of-public-token-objects-in-new-data-form.patch
Requires(pre): coreutils
BuildRequires: gcc
BuildRequires: openssl-devel
@ -244,8 +255,12 @@ fi
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
@ -327,6 +342,25 @@ fi
%changelog
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
- Related: #1853420, more fixes
* Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- Resolves: #1853420, endian issue
* Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- Resolves: #1780294, PIN conversion tool
* Tue May 26 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- Related: #1780293, fix regression, segfault in C_SetPin
* Tue May 19 2020 Than Ngo <than@redhat.com> - 3.14.0-1
- Resolves: #1723863 - ep11 token: Enhanced Support
- Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15
- Resolves: #1780293 - rebase to 3.14.0
- Resolves: #1800549 - key management tool: list keys function
-Resolves: #1800555 - key management tool: random key generation function
* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
- Resolves: #1782445, EP11: Fix EC-uncompress buffer length