rpms/opencryptoki
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #1989138, Support for OpenSSL 3.0

Browse Source
This commit is contained in:
Than Ngo 2021-08-23 13:00:44 +02:00
parent 7c21ce0d0a
commit 86274e8523
19 changed files with 9659 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch Normal file
View File

@ -0,0 +1,24 @@
commit 11196c4d7e221d29f0d385bd48ae4d6023a6e874
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 10:56:17 2021 +0200
CONFIGURE: fix configure.ac for --with-openssl
The openSSL include files are in <openssl-path>/include while
the libraries are in <openssl-path> directly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index e2cc537a..d3374476 100644
--- a/configure.ac
+++ b/configure.ac
@@ -272,7 +272,7 @@ OPENSSL_CFLAGS=
OPENSSL_LIBS=
if test "x$with_openssl" != "xno"; then
if test "x$with_openssl" != "xyes" -a "x$with_openssl" != "xcheck"; then
- OPENSSL_CFLAGS="-I$with_openssl"
+ OPENSSL_CFLAGS="-I$with_openssl/include"
OPENSSL_LIBS="-L$with_openssl"
fi
old_cflags="$CFLAGS"

123
opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch Normal file
View File

@ -0,0 +1,123 @@
commit 11a53055b22d590bd3c197908b0ff63f6fd3c520
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jun 29 17:35:18 2021 +0200
COMMON: mech_ec: Remove deprecated OpenSSL functions
All low level EC_KEY functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/ec_defs.h b/usr/lib/common/ec_defs.h
index 1f48794b..897cf891 100644
--- a/usr/lib/common/ec_defs.h
+++ b/usr/lib/common/ec_defs.h
@@ -14,13 +14,6 @@
#include <openssl/opensslv.h>
#include "ec_curves.h"
-/* OpenSSL compat */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-# define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp
-# define EC_POINT_set_compressed_coordinates \
- EC_POINT_set_compressed_coordinates_GFp
-#endif
-
// Elliptic Curve type
//
#define PRIME_CURVE 0x00
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
index b54e2db9..a0a06302 100644
--- a/usr/lib/common/mech_ec.c
+++ b/usr/lib/common/mech_ec.c
@@ -32,34 +32,6 @@
#include "openssl/obj_mac.h"
#include <openssl/ec.h>
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-/*
- * Older OpenSLL versions do not have BN_bn2binpad, so implement it here
- */
-static int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
-{
- int len, pad;
- unsigned char *buf;
-
- len = BN_num_bytes(a);
- buf = (unsigned char *)malloc(len);
- if (buf == NULL)
- return -1;
- BN_bn2bin(a, buf);
-
- if (len >= tolen) {
- memcpy(to, buf, tolen);
- } else {
- pad = tolen - len;
- memset(to, 0, pad);
- memcpy(to + pad, buf, len);
- }
-
- free(buf);
- return tolen;
-}
-#endif
-
#ifndef NID_brainpoolP160r1
/*
* Older OpenSLL versions may not have the brainpool NIDs defined, define them
@@ -1522,9 +1494,8 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
CK_BYTE *d, CK_ULONG d_len,
CK_BYTE **point, CK_ULONG *point_len)
{
- EC_KEY *eckey = NULL;
EC_POINT *pub_key = NULL;
- const EC_GROUP *group = NULL;
+ EC_GROUP *group = NULL;
int nid, p_len;
BIGNUM *bn_d = NULL, *bn_x = NULL, *bn_y = NULL;
CK_RV rc = CKR_OK;
@@ -1541,17 +1512,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
goto done;
}
- eckey = EC_KEY_new_by_curve_name(nid);
- if (eckey == NULL) {
- rc = CKR_FUNCTION_FAILED;
- goto done;
- }
- if (EC_KEY_set_private_key(eckey, bn_d) != 1) {
- rc = CKR_FUNCTION_FAILED;
- goto done;
- }
-
- group = EC_KEY_get0_group(eckey);
+ group = EC_GROUP_new_by_curve_name(nid);
if (group == NULL) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -1576,7 +1537,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
rc = CKR_HOST_MEMORY;
goto done;
}
- if (!EC_POINT_get_affine_coordinates_GFp(group, pub_key, bn_x, bn_y, NULL)) {
+ if (!EC_POINT_get_affine_coordinates(group, pub_key, bn_x, bn_y, NULL)) {
rc = CKR_FUNCTION_FAILED;
goto done;
}
@@ -1599,13 +1560,13 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
done:
if (pub_key)
EC_POINT_free(pub_key);
- if (eckey)
- EC_KEY_free(eckey);
BN_clear_free(bn_x);
BN_clear_free(bn_y);
BN_clear_free(bn_d);
if (ec_point != NULL)
free(ec_point);
+ if (group != NULL)
+ EC_GROUP_free(group);
return rc;
}

30
opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch Normal file
View File

@ -0,0 +1,30 @@
commit 145a696d478a1694ef314659a3d374f03f75c1b1
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 13:49:09 2021 +0200
CONFIGURE: Remove AC_FUNC_MALLOC and AC_FUNC_REALLOC
The AC_FUNC_MALLOC configure check might add the rpl_malloc() entry if it
does not like the default malloc implementation. The user would need to
provide the rpl_malloc implementation. This happens depending on compiler and
OS/distro being used. Same applies for AC_FUNC_REALLOC and rpl_realloc.
It happened for me when I configured it with address sanitizer (libubsan,
libasan) activated.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index d3374476..286b7408 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,10 +39,8 @@ dnl Checks for library functions.
AC_FUNC_ALLOCA
AC_FUNC_CHOWN
AC_FUNC_FORK
-AC_FUNC_MALLOC
AC_FUNC_MKTIME
AC_FUNC_MMAP
-AC_FUNC_REALLOC
AC_FUNC_STRERROR_R
AC_CHECK_FUNCS([atexit ftruncate gettimeofday localtime_r memchr memmove \
memset mkdir munmap regcomp select socket strchr strcspn \

38
opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch Normal file
View File

@ -0,0 +1,38 @@
commit 2c116d49359a5eb91ad7f1483c64650c7874a513
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 14:08:03 2021 +0200
TESTCASES: Skip test if operation state is not savable
The sess_opstate testcase now handles the return code of CKR_STATE_UNSAVEABLE
from C_GetOperationState() and skips the test if that return code is
encountered.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/pkcs11/sess_opstate.c b/testcases/pkcs11/sess_opstate.c
index 3235b450..3d1ab9d7 100644
--- a/testcases/pkcs11/sess_opstate.c
+++ b/testcases/pkcs11/sess_opstate.c
@@ -123,6 +123,10 @@ int sess_opstate_funcs(int loops)
opstatelen = 0;
rc = funcs->C_GetOperationState(s2, NULL, &opstatelen);
if (rc != CKR_OK) {
+ if (rc == CKR_STATE_UNSAVEABLE) {
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
+ goto out;
+ }
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
goto out;
}
@@ -135,6 +139,10 @@ int sess_opstate_funcs(int loops)
rc = funcs->C_GetOperationState(s2, opstate, &opstatelen);
if (rc != CKR_OK) {
+ if (rc == CKR_STATE_UNSAVEABLE) {
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
+ goto out;
+ }
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
goto out;
}

322
opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch Normal file
View File

@ -0,0 +1,322 @@
commit 50408fc3ae0f25b256dda2033d538f88c9b4f903
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 16:02:28 2021 +0200
COMMON: Fix memory leaks
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
index 59f82482..a1241693 100644
--- a/usr/lib/common/mech_aes.c
+++ b/usr/lib/common/mech_aes.c
@@ -2359,6 +2359,8 @@ CK_RV aes_mac_sign(STDLL_TokData_t *tokdata,
memcpy(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
}
@@ -2497,6 +2499,8 @@ CK_RV aes_mac_sign_final(STDLL_TokData_t *tokdata,
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2554,8 +2558,12 @@ CK_RV aes_mac_verify(STDLL_TokData_t *tokdata,
}
if (CRYPTO_memcmp(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv,
- out_data_len) == 0)
+ out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2685,8 +2693,12 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
}
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2766,6 +2778,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -2913,6 +2927,8 @@ done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2969,9 +2985,12 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
}
+ verify_mgr_cleanup(tokdata, sess, ctx);
+
return CKR_SIGNATURE_INVALID;
}
@@ -3105,8 +3124,12 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
return rc;
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
index 591ad3fa..3582102a 100644
--- a/usr/lib/common/mech_des3.c
+++ b/usr/lib/common/mech_des3.c
@@ -2006,6 +2006,8 @@ CK_RV des3_mac_sign(STDLL_TokData_t *tokdata,
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
}
@@ -2144,6 +2146,8 @@ CK_RV des3_mac_sign_final(STDLL_TokData_t *tokdata,
*out_data_len = mac_len;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2197,8 +2201,12 @@ CK_RV des3_mac_verify(STDLL_TokData_t *tokdata,
key_obj = NULL;
if (CRYPTO_memcmp(out_data, ((DES_DATA_CONTEXT *) ctx->context)->iv,
- out_data_len) == 0)
+ out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2328,8 +2336,12 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
}
}
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
@@ -2410,6 +2422,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2553,6 +2567,8 @@ done:
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
+ sign_mgr_cleanup(tokdata, sess, ctx);
+
return rc;
}
@@ -2605,8 +2621,12 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
}
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
+
return CKR_SIGNATURE_INVALID;
}
@@ -2739,8 +2759,12 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
ctx->context_free_func = des3_cmac_cleanup;
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_OK;
+ }
+
+ verify_mgr_cleanup(tokdata, sess, ctx);
return CKR_SIGNATURE_INVALID;
}
diff --git a/usr/lib/common/new_host.c b/usr/lib/common/new_host.c
index d01091f9..8bff6ada 100644
--- a/usr/lib/common/new_host.c
+++ b/usr/lib/common/new_host.c
@@ -174,6 +174,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -186,6 +187,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -218,6 +220,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index a0e7517c..45f13551 100644
--- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c
@@ -164,6 +164,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -176,6 +177,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -208,6 +210,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
index 09e9d27a..eed632c3 100644
--- a/usr/lib/icsf_stdll/new_host.c
+++ b/usr/lib/icsf_stdll/new_host.c
@@ -162,6 +162,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
if (rc != 0) {
sltp->FcnList = NULL;
detach_shm(sltp->TokData, 0);
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -174,6 +175,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
rc = load_token_data(sltp->TokData, SlotNumber);
if (rc != CKR_OK) {
sltp->FcnList = NULL;
+ final_data_store(sltp->TokData);
if (sltp->TokData)
free(sltp->TokData);
sltp->TokData = NULL;
@@ -206,6 +208,7 @@ done:
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
} else {
CloseXProcLock(sltp->TokData);
+ final_data_store(sltp->TokData);
free(sltp->TokData);
sltp->TokData = NULL;
}
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
index 45bc4b78..c7557108 100644
--- a/usr/lib/tpm_stdll/tpm_specific.c
+++ b/usr/lib/tpm_stdll/tpm_specific.c
@@ -213,6 +213,10 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
}
tpm_data = (tpm_private_data_t *)calloc(1, sizeof(tpm_private_data_t));
+ if (tpm_data == NULL) {
+ TRACE_ERROR("calloc failed\n");
+ return CKR_HOST_MEMORY;
+ }
tokdata->private_data = tpm_data;
tpm_data->tspContext = NULL_HCONTEXT;
@@ -221,12 +225,15 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
result = Tspi_Context_Create(&tpm_data->tspContext);
if (result) {
TRACE_ERROR("Tspi_Context_Create failed. rc=0x%x\n", result);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}
result = Tspi_Context_Connect(tpm_data->tspContext, NULL);
if (result) {
TRACE_ERROR("Tspi_Context_Connect failed. rc=0x%x\n", result);
+ Tspi_Context_Close(tpm_data->tspContext);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}
@@ -234,6 +241,8 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
&tpm_data->hDefaultPolicy);
if (result) {
TRACE_ERROR("Tspi_Context_GetDefaultPolicy failed. rc=0x%x\n", result);
+ Tspi_Context_Close(tpm_data->tspContext);
+ free(tpm_data);
return CKR_FUNCTION_FAILED;
}

3420
opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch Normal file
View File

File diff suppressed because it is too large Load Diff

147
opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch Normal file
View File

@ -0,0 +1,147 @@
commit 533cdea6897d1bc0af13490f1c89248c52e7a73b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 11:30:00 2021 +0200
COMMON: utilities.c: Remove deprecated OpenSSL functions
Rework functions compute_sha(), compute_sha1(), and compute_md5() to
no longer use the mech_sha and mech_md5 routines, but to use the
OpenSSL EVP interface directly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
index bcdc15bf..5fc68938 100644
--- a/usr/lib/common/utility.c
+++ b/usr/lib/common/utility.c
@@ -849,66 +849,89 @@ CK_RV get_hmac_digest(CK_ULONG mech, CK_ULONG *digest_mech, CK_BBOOL *general)
return CKR_OK;
}
-/* Compute specified SHA using either software or token implementation */
+/* Compute specified SHA or MD5 using software */
CK_RV compute_sha(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash, CK_ULONG mech)
{
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len;
- CK_RV rv;
+ const EVP_MD *md;
+ unsigned int hash_len;
- memset(&ctx, 0x0, sizeof(ctx));
- ctx.mech.mechanism = mech;
+ UNUSED(tokdata);
- rv = get_sha_size(mech, &hash_len);
- if (rv != CKR_OK)
- return rv;
+ switch (mech) {
+ case CKM_MD5:
+ hash_len = MD5_HASH_SIZE;
+ md = EVP_md5();
+ break;
+ case CKM_SHA_1:
+ hash_len = SHA1_HASH_SIZE;
+ md = EVP_sha1();
+ break;
+ case CKM_SHA224:
+ case CKM_SHA512_224:
+ hash_len = SHA224_HASH_SIZE;
+ md = EVP_sha224();
+ break;
+ case CKM_SHA256:
+ case CKM_SHA512_256:
+ hash_len = SHA256_HASH_SIZE;
+ md = EVP_sha256();
+ break;
+ case CKM_SHA384:
+ hash_len = SHA384_HASH_SIZE;
+ md = EVP_sha384();
+ break;
+ case CKM_SHA512:
+ hash_len = SHA512_HASH_SIZE;
+ md = EVP_sha512();
+ break;
+#ifdef NID_sha3_224
+ case CKM_IBM_SHA3_224:
+ hash_len = SHA3_224_HASH_SIZE;
+ md = EVP_sha3_224();
+ break;
+#endif
+#ifdef NID_sha3_256
+ case CKM_IBM_SHA3_256:
+ hash_len = SHA3_256_HASH_SIZE;
+ md = EVP_sha3_256();
+ break;
+#endif
+#ifdef NID_sha3_384
+ case CKM_IBM_SHA3_384:
+ hash_len = SHA3_384_HASH_SIZE;
+ md = EVP_sha3_384();
+ break;
+#endif
+#ifdef NID_sha3_512
+ case CKM_IBM_SHA3_512:
+ hash_len = SHA3_512_HASH_SIZE;
+ md = EVP_sha3_512();
+ break;
+#endif
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
- rv = sha_init(tokdata, NULL, &ctx, &ctx.mech);
- if (rv != CKR_OK) {
- TRACE_DEBUG("failed to create digest.\n");
- return rv;
+ if (EVP_Digest(data, len, hash, &hash_len, md, NULL) != 1) {
+ TRACE_ERROR("%s EVP_Digest failed\n", __func__);
+ return CKR_FUNCTION_FAILED;
}
- rv = sha_hash(tokdata, NULL, FALSE, &ctx, data, len, hash, &hash_len);
- digest_mgr_cleanup(&ctx);
- return rv;
+ return CKR_OK;
}
/* Compute SHA1 using software implementation */
CK_RV compute_sha1(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash)
{
- // XXX KEY
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len = SHA1_HASH_SIZE;
-
- UNUSED(tokdata);
-
- memset(&ctx, 0x0, sizeof(ctx));
-
- sw_sha1_init(&ctx);
- if (ctx.context == NULL)
- return CKR_HOST_MEMORY;
-
- return sw_sha1_hash(&ctx, data, len, hash, &hash_len);
+ return compute_sha(tokdata, data, len, hash, CKM_SHA_1);
}
CK_RV compute_md5(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
CK_BYTE *hash)
{
- DIGEST_CONTEXT ctx;
- CK_ULONG hash_len = MD5_HASH_SIZE;
-
- UNUSED(tokdata);
-
- memset(&ctx, 0x0, sizeof(ctx));
-
- sw_md5_init(&ctx);
- if (ctx.context == NULL)
- return CKR_HOST_MEMORY;
-
- return sw_md5_hash(&ctx, data, len, hash, &hash_len);
+ return compute_sha(tokdata, data, len, hash, CKM_MD5);
}
CK_RV get_keytype(STDLL_TokData_t *tokdata, CK_OBJECT_HANDLE hkey,

174
opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch Normal file
View File

@ -0,0 +1,174 @@
commit 5377d25a6cbe3d07afcd08276ad7e90f62cad0c9
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 13:51:02 2021 +0200
COMMON: mech_sha: Remove deprecated OpenSSL functions
All low level SHA functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 314613a5..b3b965bf 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -1543,7 +1543,7 @@ CK_RV aes_cfb_decrypt_final(STDLL_TokData_t *tokdata, SESSION *sess,
// SHA mechanisms
//
-void sw_sha1_init(DIGEST_CONTEXT *ctx);
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx);
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
diff --git a/usr/lib/common/mech_sha.c b/usr/lib/common/mech_sha.c
index 0b9b7b28..1c81abe2 100644
--- a/usr/lib/common/mech_sha.c
+++ b/usr/lib/common/mech_sha.c
@@ -38,30 +38,49 @@
#include "tok_spec_struct.h"
#include "trace.h"
-#include <openssl/sha.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
//
// Software SHA-1 implementation (OpenSSL based)
//
-void sw_sha1_init(DIGEST_CONTEXT *ctx)
+static void sw_sha1_free(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
{
- ctx->context_len = sizeof(SHA_CTX);
- ctx->context = (CK_BYTE *) malloc(sizeof(SHA_CTX));
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
+}
+
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx)
+{
+ ctx->context_len = 1;
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
if (ctx->context == NULL) {
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- // TODO: propagate error up?
- return;
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_sha1(), NULL)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ return CKR_FUNCTION_FAILED;
}
- SHA1_Init((SHA_CTX *)ctx->context);
+ ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = sw_sha1_free;
+
+ return CKR_OK;
}
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
CK_ULONG *out_data_len)
{
+ unsigned int len;
if (!ctx || !out_data_len) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
@@ -76,43 +95,60 @@ CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
- *out_data_len = SHA1_HASH_SIZE;
+ len = *out_data_len;
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
-CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
- CK_ULONG in_data_len)
+static CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
+ CK_ULONG in_data_len)
{
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
return CKR_OK;
}
-CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
- CK_ULONG *out_data_len)
+static CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
+ CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
- *out_data_len = SHA1_HASH_SIZE;
+ if (*out_data_len < SHA1_HASH_SIZE) {
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
+ return CKR_BUFFER_TOO_SMALL;
+ }
+
+ len = *out_data_len;
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
@@ -134,8 +170,7 @@ CK_RV sha_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
* supported. JML
*/
if (mech->mechanism == CKM_SHA_1) {
- sw_sha1_init(ctx);
- return CKR_OK;
+ return sw_sha1_init(ctx);
} else {
return CKR_MECHANISM_INVALID;
}

84
opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch Normal file
View File

@ -0,0 +1,84 @@
commit 5cceead028ec8e0c244b01d38c9096c96d98f96b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 10:46:52 2021 +0200
ICSF: Remove support for OpenSSL < v1.1.1
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
index 4ddd0fd7..6ec4128a 100644
--- a/usr/lib/icsf_stdll/pbkdf.c
+++ b/usr/lib/icsf_stdll/pbkdf.c
@@ -82,7 +82,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
int tmplen;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_EncryptInit_ex(ctx, cipher, NULL, dkey, iv);
@@ -98,24 +97,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
*outbuflen = (*outbuflen) + tmplen;
EVP_CIPHER_CTX_free(ctx);
-#else
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
-
- EVP_EncryptInit_ex(&ctx, cipher, NULL, dkey, iv);
- if (!EVP_EncryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
- TRACE_ERROR("EVP_EncryptUpdate failed.\n");
- return CKR_FUNCTION_FAILED;
- }
- if (!EVP_EncryptFinal_ex(&ctx, outbuf + (*outbuflen), &tmplen)) {
- TRACE_ERROR("EVP_EncryptFinal failed.\n");
- return CKR_FUNCTION_FAILED;
- }
-
- *outbuflen = (*outbuflen) + tmplen;
- EVP_CIPHER_CTX_cleanup(&ctx);
-#endif
-
return CKR_OK;
}
@@ -125,7 +106,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
int size;
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
EVP_DecryptInit_ex(ctx, cipher, NULL, dkey, iv);
@@ -147,30 +127,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
EVP_CIPHER_CTX_free(ctx);
-#else
- EVP_CIPHER_CTX ctx;
- EVP_CIPHER_CTX_init(&ctx);
-
- EVP_DecryptInit_ex(&ctx, cipher, NULL, dkey, iv);
- if (!EVP_DecryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
- TRACE_ERROR("EVP_DecryptUpdate failed.\n");
- return CKR_FUNCTION_FAILED;
- }
- if (!EVP_DecryptFinal_ex(&ctx, outbuf + (*outbuflen), &size)) {
- TRACE_ERROR("EVP_DecryptFinal failed.\n");
- return CKR_FUNCTION_FAILED;
- }
-
- /* total length of the decrypted data */
- *outbuflen = (*outbuflen) + size;
-
- /* EVP_DecryptFinal removes any padding. The final length
- * is the length of the decrypted data without padding.
- */
-
- EVP_CIPHER_CTX_cleanup(&ctx);
-#endif
-
return CKR_OK;
}

226
opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch Normal file
View File

@ -0,0 +1,226 @@
commit 62fc2bcd98672c5d0ff8a2c926f3103110e91ed7
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jul 1 13:37:04 2021 +0200
COMMON: Perform proper context cleanup for 3DES/AES CMAC mechanisms
The handling of 3DES/AES CMAC mechanisms use a complex context structure,
that contains pointers. Such state can not be saved, and needs a custom
context free routine to properly clean up the context.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
index ad6af16b..59f82482 100644
--- a/usr/lib/common/mech_aes.c
+++ b/usr/lib/common/mech_aes.c
@@ -2691,6 +2691,24 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
return CKR_SIGNATURE_INVALID;
}
+static void aes_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
+{
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ if (((AES_CMAC_CONTEXT *)context)->ctx != NULL) {
+ token_specific.t_aes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
+ ((AES_CMAC_CONTEXT *)context)->iv,
+ CK_FALSE, CK_TRUE,
+ ((AES_CMAC_CONTEXT *)context)->ctx);
+ ((AES_CMAC_CONTEXT *)context)->ctx = NULL;
+ }
+
+ free(context);
+}
+
CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
SESSION *sess,
CK_BBOOL length_only,
@@ -2743,6 +2761,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
@@ -2816,6 +2836,8 @@ CK_RV aes_cmac_sign_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = aes_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific aes cmac failed.\n");
}
@@ -2882,6 +2904,8 @@ CK_RV aes_cmac_sign_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
@@ -2941,6 +2965,8 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
return CKR_OK;
@@ -3012,6 +3038,8 @@ CK_RV aes_cmac_verify_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = aes_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific aes cmac failed.\n");
}
@@ -3070,6 +3098,8 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = aes_cmac_cleanup;
+
if (rc != CKR_OK) {
TRACE_DEVEL("Token specific aes mac failed.\n");
return rc;
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
index be8d6075..591ad3fa 100644
--- a/usr/lib/common/mech_des3.c
+++ b/usr/lib/common/mech_des3.c
@@ -2334,6 +2334,24 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
return CKR_SIGNATURE_INVALID;
}
+static void des3_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
+{
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ if (((DES_CMAC_CONTEXT *)context)->ctx != NULL) {
+ token_specific.t_tdes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
+ ((DES_CMAC_CONTEXT *)context)->iv,
+ CK_FALSE, CK_TRUE,
+ ((DES_CMAC_CONTEXT *)context)->ctx);
+ ((DES_CMAC_CONTEXT *)context)->ctx = NULL;
+ }
+
+ free(context);
+}
+
CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
SESSION *sess,
CK_BBOOL length_only,
@@ -2383,6 +2401,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
memcpy(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
*out_data_len = mac_len;
@@ -2456,6 +2476,8 @@ CK_RV des3_cmac_sign_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = des3_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific des3 cmac failed.\n");
}
@@ -2521,6 +2543,8 @@ CK_RV des3_cmac_sign_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
memcpy(out_data, context->iv, mac_len);
*out_data_len = mac_len;
@@ -2577,6 +2601,8 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
out_data_len) == 0) {
return CKR_OK;
@@ -2646,6 +2672,8 @@ CK_RV des3_cmac_verify_update(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+
+ ctx->context_free_func = des3_cmac_cleanup;
} else {
TRACE_DEVEL("Token specific des3 cmac failed.\n");
}
@@ -2709,6 +2737,8 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
if (context->ctx != NULL)
ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = des3_cmac_cleanup;
+
if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
return CKR_OK;
diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
index 77876467..881a430c 100644
--- a/usr/lib/ica_s390_stdll/ica_specific.c
+++ b/usr/lib/ica_s390_stdll/ica_specific.c
@@ -713,6 +713,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
UNUSED(ctx);
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key type
rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
if (rc != CKR_OK) {
@@ -3621,6 +3624,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
UNUSED(ctx);
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
if (rc != CKR_OK) {
TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index aeff39a9..5ca22693 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -3994,6 +3994,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
if (first) {
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key type
rv = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
if (rv != CKR_OK) {
@@ -4194,6 +4197,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
UNUSED(tokdata);
if (first) {
+ if (key == NULL)
+ return CKR_ARGUMENTS_BAD;
+
// get the key value
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
if (rc != CKR_OK) {

193
opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch Normal file
View File

@ -0,0 +1,193 @@
commit 6fee37f08391415cdf8d8610c501516c3d3ed29c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 13:41:57 2021 +0200
COMMON: mech_md5: Remove deprecated OpenSSL functions
All low level MD5 functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index 47b96ba0..314613a5 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -1667,7 +1667,7 @@ CK_RV md5_hmac_verify(STDLL_TokData_t *tokdata,
CK_ULONG in_data_len,
CK_BYTE *signature, CK_ULONG sig_len);
-void sw_md5_init(DIGEST_CONTEXT *ctx);
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx);
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
diff --git a/usr/lib/common/mech_md5.c b/usr/lib/common/mech_md5.c
index 320e2549..65c11def 100644
--- a/usr/lib/common/mech_md5.c
+++ b/usr/lib/common/mech_md5.c
@@ -20,30 +20,50 @@
#include "tok_spec_struct.h"
#include "trace.h"
-#include <openssl/md5.h>
+#include <openssl/evp.h>
#include <openssl/crypto.h>
//
// Software MD5 implementation (OpenSSL based)
//
-void sw_md5_init(DIGEST_CONTEXT *ctx)
+static void sw_md5_free(STDLL_TokData_t *tokdata, SESSION *sess,
+ CK_BYTE *context, CK_ULONG context_len)
{
- ctx->context_len = sizeof(MD5_CTX);
- ctx->context = (CK_BYTE *) malloc(sizeof(MD5_CTX));
+ UNUSED(tokdata);
+ UNUSED(sess);
+ UNUSED(context_len);
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
+}
+
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx)
+{
+ ctx->context_len = 1;
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
if (ctx->context == NULL) {
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- // TODO: propagate error up?
- return;
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_md5(), NULL)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ return CKR_FUNCTION_FAILED;
}
- MD5_Init((MD5_CTX *)ctx->context);
+ ctx->state_unsaveable = CK_TRUE;
+ ctx->context_free_func = sw_md5_free;
+
+ return CKR_OK;
}
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
CK_ULONG in_data_len, CK_BYTE *out_data,
CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (!ctx || !out_data_len) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
return CKR_FUNCTION_FAILED;
@@ -57,43 +77,60 @@ CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
- *out_data_len = MD5_HASH_SIZE;
+ len = *out_data_len;
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ *out_data_len = len;
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
-CK_RV sw_MD5_Update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
- CK_ULONG in_data_len)
+static CK_RV sw_md5_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
+ CK_ULONG in_data_len)
{
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
return CKR_OK;
}
-CK_RV sw_MD5_Final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
- CK_ULONG *out_data_len)
+static CK_RV sw_md5_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
+ CK_ULONG *out_data_len)
{
+ unsigned int len;
+
if (ctx->context == NULL)
return CKR_OPERATION_NOT_INITIALIZED;
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
- *out_data_len = MD5_HASH_SIZE;
+ if (*out_data_len < MD5_HASH_SIZE) {
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
+ return CKR_BUFFER_TOO_SMALL;
+ }
- if (ctx->context_free_func != NULL)
- ctx->context_free_func(ctx->context, ctx->context_len);
- else
- free(ctx->context);
+ len = *out_data_len;
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ *out_data_len = len;
+
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
ctx->context = NULL;
+ ctx->context_free_func = NULL;
return CKR_OK;
}
@@ -105,8 +142,7 @@ CK_RV md5_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
UNUSED(sess);
if (mech->mechanism == CKM_MD5) {
- sw_md5_init(ctx);
- return CKR_OK;
+ return sw_md5_init(ctx);
} else {
return CKR_MECHANISM_INVALID;
}
@@ -159,7 +195,7 @@ CK_RV md5_hash_update(STDLL_TokData_t *tokdata, SESSION *sess,
return CKR_OK;
if (ctx->mech.mechanism == CKM_MD5)
- return sw_MD5_Update(ctx, in_data, in_data_len);
+ return sw_md5_update(ctx, in_data, in_data_len);
else
return CKR_MECHANISM_INVALID;
}
@@ -188,7 +224,7 @@ CK_RV md5_hash_final(STDLL_TokData_t *tokdata, SESSION *sess,
}
if (ctx->mech.mechanism == CKM_MD5)
- return sw_MD5_Final(ctx, out_data, out_data_len);
+ return sw_md5_final(ctx, out_data, out_data_len);
else
return CKR_MECHANISM_INVALID;
}

1085
opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch Normal file
View File

File diff suppressed because it is too large Load Diff

870
opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch Normal file
View File

@ -0,0 +1,870 @@
commit 7b4177e8557887d196ce77a129d457e817f8cc59
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jun 30 10:47:28 2021 +0200
TPM: Remove deprecated OpenSSL functions
All low level RSA functions are deprecated in OpenSSL 3.0.
Update the code to not use any of those, and only use the EVP
interface.
Also remove support for OpenSSL < v1.1.1. This code used even more
low level RSA, DES, and AES functions.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/tpm_stdll/tpm_openssl.c b/usr/lib/tpm_stdll/tpm_openssl.c
index 94ef9a62..0ccc543d 100644
--- a/usr/lib/tpm_stdll/tpm_openssl.c
+++ b/usr/lib/tpm_stdll/tpm_openssl.c
@@ -39,50 +39,33 @@
#include "tpm_specific.h"
-/*
- * In order to make opencryptoki compatible with
- * OpenSSL 1.1 API Changes and backward compatible
- * we need to check for its version
- */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define OLDER_OPENSSL
+#if OPENSSL_VERSION_PREREQ(3, 0)
+#include <openssl/core_names.h>
#endif
#ifdef DEBUG
void openssl_print_errors()
{
+#if !OPENSSL_VERSION_PREREQ(3, 0)
ERR_load_ERR_strings();
+#endif
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
}
#endif
-RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *tokdata)
{
- RSA *rsa = NULL;
int rc = 0, counter = 0;
char buf[32];
-#ifndef OLDER_OPENSSL
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
BIGNUM *bne = NULL;
-#endif
token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
-#ifdef OLDER_OPENSSL
- rsa = RSA_generate_key(2048, 65537, NULL, NULL);
- if (rsa == NULL) {
- fprintf(stderr, "Error generating user's RSA key\n");
- ERR_load_crypto_strings();
- ERR_print_errors_fp(stderr);
- goto err;
- }
-
- rc = RSA_check_key(rsa);
-#else
bne = BN_new();
rc = BN_set_word(bne, 65537);
if (!rc) {
@@ -98,35 +81,36 @@ regen_rsa_key:
if (EVP_PKEY_keygen_init(ctx) <= 0
|| EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|| EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bne) <= 0) {
+#else
+ || EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bne) <= 0) {
+#endif
fprintf(stderr, "Error generating user's RSA key\n");
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
goto err;
}
+#if !OPENSSL_VERSION_PREREQ(3, 0)
bne = NULL; // will be freed as part of the context
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0
- || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
+#else
+ BN_free(bne);
+ bne = NULL;
+#endif
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
fprintf(stderr, "Error generating user's RSA key\n");
ERR_load_crypto_strings();
ERR_print_errors_fp(stderr);
goto err;
}
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- rc = RSA_check_key(rsa);
-#else
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new(pkey, NULL);
if (ctx == NULL)
goto err;
rc = (EVP_PKEY_check(ctx) == 1 ? 1 : 0);
-#endif
-#endif
switch (rc) {
case 0:
/* rsa is not a valid RSA key */
- RSA_free(rsa);
- rsa = NULL;
counter++;
if (counter == KEYGEN_RETRY) {
TRACE_DEVEL("Tried %d times to generate a "
@@ -145,30 +129,23 @@ regen_rsa_key:
break;
}
-#ifndef OLDER_OPENSSL
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
if (ctx != NULL)
EVP_PKEY_CTX_free(ctx);
if (bne != NULL)
BN_free(bne);
-#endif
- return rsa;
+ return pkey;
err:
- if (rsa != NULL)
- RSA_free(rsa);
-#ifndef OLDER_OPENSSL
if (pkey != NULL)
EVP_PKEY_free(pkey);
if (ctx != NULL)
EVP_PKEY_CTX_free(ctx);
if (bne != NULL)
BN_free(bne);
-#endif
+
return NULL;
}
-int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
+int openssl_write_key(STDLL_TokData_t * tokdata, EVP_PKEY *pkey, char *filename,
CK_BYTE * pPin)
{
BIO *b = NULL;
@@ -193,8 +170,8 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
return -1;
}
- if (!PEM_write_bio_RSAPrivateKey(b, rsa,
- EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
+ if (!PEM_write_bio_PrivateKey(b, pkey,
+ EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
BIO_free(b);
TRACE_ERROR("Writing key %s to disk failed.\n", loc);
DEBUG_openssl_print_errors();
@@ -211,10 +188,10 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
}
CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
- CK_BYTE * pPin, RSA ** ret)
+ CK_BYTE * pPin, EVP_PKEY **ret)
{
BIO *b = NULL;
- RSA *rsa = NULL;
+ EVP_PKEY *pkey = NULL;
char loc[PATH_MAX];
struct passwd *pw = NULL;
CK_RV rc = CKR_FUNCTION_FAILED;
@@ -242,7 +219,7 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
return CKR_FILE_NOT_FOUND;
}
- if ((rsa = PEM_read_bio_RSAPrivateKey(b, NULL, 0, pPin)) == NULL) {
+ if ((pkey = PEM_read_bio_PrivateKey(b, NULL, 0, pPin)) == NULL) {
TRACE_ERROR("Reading key %s from disk failed.\n", loc);
DEBUG_openssl_print_errors();
if (ERR_GET_REASON(ERR_get_error()) == PEM_R_BAD_DECRYPT) {
@@ -253,40 +230,54 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
}
BIO_free(b);
- *ret = rsa;
+ *ret = pkey;
return CKR_OK;
}
-int openssl_get_modulus_and_prime(RSA * rsa, unsigned int *size_n,
+int openssl_get_modulus_and_prime(EVP_PKEY *pkey, unsigned int *size_n,
unsigned char *n, unsigned int *size_p,
unsigned char *p)
{
-#ifndef OLDER_OPENSSL
+#if !OPENSSL_VERSION_PREREQ(3, 0)
const BIGNUM *n_tmp, *p_tmp;
+ RSA *rsa;
+#else
+ BIGNUM *n_tmp, *p_tmp;
#endif
+#if !OPENSSL_VERSION_PREREQ(3, 0)
+ rsa = EVP_PKEY_get0_RSA(pkey);
/* get the modulus from the RSA object */
-#ifdef OLDER_OPENSSL
- if ((*size_n = BN_bn2bin(rsa->n, n)) <= 0) {
-#else
RSA_get0_key(rsa, &n_tmp, NULL, NULL);
if ((*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
-#endif
DEBUG_openssl_print_errors();
return -1;
}
/* get one of the primes from the RSA object */
-#ifdef OLDER_OPENSSL
- if ((*size_p = BN_bn2bin(rsa->p, p)) <= 0) {
-#else
RSA_get0_factors(rsa, &p_tmp, NULL);
if ((*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
-#endif
DEBUG_openssl_print_errors();
return -1;
}
+#else
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n_tmp) ||
+ (*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
+ DEBUG_openssl_print_errors();
+ BN_free(n_tmp);
+ return -1;
+ }
+ BN_free(n_tmp);
+
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p_tmp) ||
+ (*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
+ DEBUG_openssl_print_errors();
+ BN_free(p_tmp);
+ return -1;
+ }
+ BN_free(p_tmp);
+#endif
return 0;
}
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
index 4ebb4a88..45bc4b78 100644
--- a/usr/lib/tpm_stdll/tpm_specific.c
+++ b/usr/lib/tpm_stdll/tpm_specific.c
@@ -1451,15 +1451,15 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_RV rc;
TSS_RESULT result;
- RSA *rsa;
+ EVP_PKEY *pkey;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
return CKR_FUNCTION_FAILED;
}
@@ -1473,13 +1473,13 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
return rc;
}
- if (openssl_write_key(tokdata, rsa, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
TRACE_DEVEL("openssl_write_key failed.\n");
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
/* store the user base key in a PKCS#11 object internally */
rc = token_store_tss_key(tokdata, tpm_data->hPrivateRootKey,
@@ -1529,15 +1529,15 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_RV rc;
TSS_RESULT result;
- RSA *rsa;
+ EVP_PKEY *pkey;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
return CKR_FUNCTION_FAILED;
}
@@ -1551,13 +1551,13 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
return rc;
}
- if (openssl_write_key(tokdata, rsa, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
TRACE_DEVEL("openssl_write_key\n");
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
result = Tspi_Key_LoadKey(tpm_data->hPublicRootKey, tpm_data->hSRK);
if (result) {
@@ -1602,7 +1602,7 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
{
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
- RSA *rsa;
+ EVP_PKEY *pkey;
char *backup_loc;
unsigned int size_n, size_p;
unsigned char n[256], p[256];
@@ -1630,7 +1630,7 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
}
/* read the backup key with the old pin */
- if ((rc = openssl_read_key(tokdata, backup_loc, pin, &rsa))) {
+ if ((rc = openssl_read_key(tokdata, backup_loc, pin, &pkey))) {
if (rc == CKR_FILE_NOT_FOUND)
rc = CKR_FUNCTION_FAILED;
TRACE_DEVEL("openssl_read_key failed\n");
@@ -1640,8 +1640,9 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
/* So, reading the backup openssl key off disk succeeded with the SOs PIN.
* We will now try to re-wrap that key with the current SRK
*/
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
+ EVP_PKEY_free(pkey);
return CKR_FUNCTION_FAILED;
}
@@ -1650,10 +1651,10 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
phKey);
if (rc != CKR_OK) {
TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lx\n", rc);
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
return rc;
}
- RSA_free(rsa);
+ EVP_PKEY_free(pkey);
result = Tspi_Key_LoadKey(*phKey, tpm_data->hSRK);
if (result) {
@@ -1998,7 +1999,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
CK_BYTE oldpin_hash[SHA1_HASH_SIZE], newpin_hash[SHA1_HASH_SIZE];
CK_RV rc;
- RSA *rsa_root;
+ EVP_PKEY *pkey_root;
TSS_RESULT result;
if (!sess) {
@@ -2094,7 +2095,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
/* read the backup key with the old pin */
rc = openssl_read_key(tokdata, TPMTOK_PRIV_ROOT_KEY_FILE, pOldPin,
- &rsa_root);
+ &pkey_root);
if (rc != CKR_OK) {
if (rc == CKR_FILE_NOT_FOUND) {
/* If the user has moved his backup PEM file off site, allow a
@@ -2107,14 +2108,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
}
/* write it out using the new pin */
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PRIV_ROOT_KEY_FILE,
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PRIV_ROOT_KEY_FILE,
pNewPin);
if (rc != CKR_OK) {
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
TRACE_DEVEL("openssl_write_key failed\n");
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
if (tpm_data->not_initialized) {
if (memcmp(default_so_pin_sha, oldpin_hash, SHA1_HASH_SIZE)) {
@@ -2166,7 +2167,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
/* change auth on the public root key's openssl backup */
rc = openssl_read_key(tokdata, TPMTOK_PUB_ROOT_KEY_FILE, pOldPin,
- &rsa_root);
+ &pkey_root);
if (rc != CKR_OK) {
if (rc == CKR_FILE_NOT_FOUND) {
/* If the user has moved his backup PEM file off site, allow a
@@ -2179,14 +2180,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
}
/* write it out using the new pin */
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PUB_ROOT_KEY_FILE,
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PUB_ROOT_KEY_FILE,
pNewPin);
if (rc != CKR_OK) {
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
TRACE_DEVEL("openssl_write_key failed\n");
return CKR_FUNCTION_FAILED;
}
- RSA_free(rsa_root);
+ EVP_PKEY_free(pkey_root);
} else {
TRACE_ERROR("%s\n", ock_err(ERR_SESSION_READ_ONLY));
rc = CKR_SESSION_READ_ONLY;
@@ -2401,60 +2402,6 @@ CK_RV token_specific_des_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
-
- DES_key_schedule des_key2;
- const_DES_cblock key_val_SSL, in_key_data;
- DES_cblock out_key_data;
- unsigned int i, j;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- // Create the key schedule
- memcpy(&key_val_SSL, attr->pValue, 8);
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // Both the encrypt and the decrypt are done 8 bytes at a time
- if (encrypt) {
- for (i = 0; i < in_data_len; i = i + 8) {
- memcpy(in_key_data, in_data + i, 8);
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
- DES_ENCRYPT);
- memcpy(out_data + i, out_key_data, 8);
- }
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
-
- for (j = 0; j < in_data_len; j = j + 8) {
- memcpy(in_key_data, in_data + j, 8);
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
- DES_DECRYPT);
- memcpy(out_data + j, out_key_data, 8);
- }
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ecb();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2501,7 +2448,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
@@ -2511,50 +2457,6 @@ CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
-
- DES_cblock ivec;
-
- DES_key_schedule des_key2;
- const_DES_cblock key_val_SSL;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- // Create the key schedule
- memcpy(&key_val_SSL, attr->pValue, 8);
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
-
- memcpy(&ivec, init_v, 8);
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
-
-
- if (encrypt) {
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
- DES_ENCRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
- DES_DECRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_cbc();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2601,7 +2503,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
@@ -2611,83 +2512,6 @@ CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc;
- CK_ATTRIBUTE *attr = NULL;
- CK_KEY_TYPE keytype;
- CK_BYTE key_value[3 * DES_KEY_SIZE];
-
- unsigned int k, j;
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
- DES_cblock out_key_data;
-
- UNUSED(tokdata);
-
- // get the key type
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
- return rc;
- }
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
- return rc;
- }
-
- if (keytype == CKK_DES2) {
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
- } else {
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
- }
-
- // The key as passed is a 24 byte long string containing three des keys
- // pick them apart and create the 3 corresponding key schedules
- memcpy(&key_SSL1, key_value, 8);
- memcpy(&key_SSL2, key_value + 8, 8);
- memcpy(&key_SSL3, key_value + 16, 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // the encrypt and decrypt are done 8 bytes at a time
- if (encrypt) {
- for (k = 0; k < in_data_len; k = k + 8) {
- memcpy(in_key_data, in_data + k, 8);
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
- (DES_cblock *) & out_key_data,
- &des_key1, &des_key2, &des_key3, DES_ENCRYPT);
- memcpy(out_data + k, out_key_data, 8);
- }
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- for (j = 0; j < in_data_len; j = j + 8) {
- memcpy(in_key_data, in_data + j, 8);
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
- (DES_cblock *) & out_key_data,
- &des_key1, &des_key2, &des_key3, DES_DECRYPT);
- memcpy(out_data + j, out_key_data, 8);
- }
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ede3_ecb();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2747,7 +2571,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
@@ -2757,81 +2580,6 @@ CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_RV rc = CKR_OK;
- CK_ATTRIBUTE *attr = NULL;
- CK_KEY_TYPE keytype;
- CK_BYTE key_value[3 * DES_KEY_SIZE];
-
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
- DES_cblock ivec;
-
- UNUSED(tokdata);
-
- // get the key type
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
- return rc;
- }
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
- return rc;
- }
-
- if (keytype == CKK_DES2) {
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
- } else {
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
- }
-
- // The key as passed in is a 24 byte string containing 3 keys
- // pick it apart and create the key schedules
- memcpy(&key_SSL1, key_value, 8);
- memcpy(&key_SSL2, key_value + 8, 8);
- memcpy(&key_SSL3, key_value + 16, 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- memcpy(ivec, init_v, sizeof(ivec));
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by 8
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // Encrypt or decrypt the data
- if (encrypt) {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
- *out_data_len = in_data_len;
- rc = CKR_OK;
- } else {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
-
- *out_data_len = in_data_len;
- rc = CKR_OK;
- }
-
- return rc;
-#else
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
EVP_CIPHER_CTX *ctx = NULL;
CK_ATTRIBUTE *attr = NULL;
@@ -2891,7 +2639,6 @@ done:
OPENSSL_cleanse(dkey, sizeof(dkey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
/* wrap the 20 bytes of auth data @authData and store in an attribute of the two
@@ -3626,49 +3373,6 @@ CK_RV token_specific_aes_ecb(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- CK_ATTRIBUTE *attr = NULL;
- AES_KEY ssl_aes_key;
- unsigned int i;
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
- * so this is fine */
- CK_ULONG loops = (CK_ULONG) (in_data_len / AES_BLOCK_SIZE);
- CK_RV rc;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
- // input data here
- if (encrypt) {
- AES_set_encrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- for (i = 0; i < loops; i++) {
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
- &ssl_aes_key, AES_ENCRYPT);
- }
- } else {
- AES_set_decrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- for (i = 0; i < loops; i++) {
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
- &ssl_aes_key, AES_DECRYPT);
- }
- }
- *out_data_len = in_data_len;
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
unsigned char akey[AES_KEY_SIZE_256];
@@ -3729,7 +3433,6 @@ done:
OPENSSL_cleanse(akey, sizeof(akey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
@@ -3739,39 +3442,6 @@ CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
CK_ULONG * out_data_len,
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- AES_KEY ssl_aes_key;
- CK_ATTRIBUTE *attr = NULL;
- CK_RV rc;
-
- UNUSED(tokdata);
-
- // get the key value
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
- if (rc != CKR_OK) {
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
- return rc;
- }
-
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
-
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
- // AES_ecb_encrypt, so no looping required.
- if (encrypt) {
- AES_set_encrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
- in_data_len, &ssl_aes_key, init_v, AES_ENCRYPT);
- } else {
- AES_set_decrypt_key((unsigned char *) attr->pValue,
- (attr->ulValueLen * 8), &ssl_aes_key);
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
- in_data_len, &ssl_aes_key, init_v, AES_DECRYPT);
- }
- *out_data_len = in_data_len;
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
unsigned char akey[AES_KEY_SIZE_256];
@@ -3832,7 +3502,6 @@ done:
OPENSSL_cleanse(akey, sizeof(akey));
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV token_specific_get_mechanism_list(STDLL_TokData_t * tokdata,
diff --git a/usr/lib/tpm_stdll/tpm_specific.h b/usr/lib/tpm_stdll/tpm_specific.h
index 81af2744..2ffd0afc 100644
--- a/usr/lib/tpm_stdll/tpm_specific.h
+++ b/usr/lib/tpm_stdll/tpm_specific.h
@@ -56,10 +56,10 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key(STDLL_TokData_t *);
-int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
-CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
-int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *);
+int openssl_write_key(STDLL_TokData_t *, EVP_PKEY *, char *, CK_BYTE *);
+CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, EVP_PKEY **);
+int openssl_get_modulus_and_prime(EVP_PKEY *, unsigned int *, unsigned char *,
unsigned int *, unsigned char *);
int util_set_file_mode(char *, mode_t);
CK_BYTE *util_create_id(int);

1847
opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch Normal file
View File

File diff suppressed because it is too large Load Diff

115
opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch Normal file
View File

@ -0,0 +1,115 @@
commit ab3fceae6194e8213e9d3ffb7447ccd04d469b9d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 5 10:45:04 2021 +0200
COMMON: sw_crypt.c: Remove support for OpenSSL < v1.1.1
Remove support for OpenSSL < v1.1.1. This code used low level
DES/AES functions.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/sw_crypt.c b/usr/lib/common/sw_crypt.c
index 906a41ab..253b3c26 100644
--- a/usr/lib/common/sw_crypt.c
+++ b/usr/lib/common/sw_crypt.c
@@ -32,51 +32,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
CK_ULONG *out_data_len,
CK_BYTE *init_v, CK_BYTE *key_value, CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- DES_key_schedule des_key1;
- DES_key_schedule des_key2;
- DES_key_schedule des_key3;
-
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
- DES_cblock ivec;
-
- // the des decrypt will only fail if the data length is not evenly divisible
- // by DES_BLOCK_SIZE
- if (in_data_len % DES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
- // The key as passed in is a 24 byte string containing 3 keys
- // pick it apart and create the key schedules
- memcpy(&key_SSL1, key_value, (size_t) 8);
- memcpy(&key_SSL2, key_value + 8, (size_t) 8);
- memcpy(&key_SSL3, key_value + 16, (size_t) 8);
- DES_set_key_unchecked(&key_SSL1, &des_key1);
- DES_set_key_unchecked(&key_SSL2, &des_key2);
- DES_set_key_unchecked(&key_SSL3, &des_key3);
-
- memcpy(ivec, init_v, sizeof(ivec));
-
- // Encrypt or decrypt the data
- if (encrypt) {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
- *out_data_len = in_data_len;
- } else {
- DES_ede3_cbc_encrypt(in_data,
- out_data,
- in_data_len,
- &des_key1,
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
-
- *out_data_len = in_data_len;
- }
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
@@ -109,7 +64,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
done:
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}
CK_RV sw_aes_cbc(CK_BYTE *in_data,
@@ -119,33 +73,6 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
CK_BYTE *init_v, CK_BYTE *key_value, CK_ULONG keylen,
CK_BYTE encrypt)
{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
- AES_KEY aes_key;
-
- UNUSED(out_data_len); //XXX can this parameter be removed ?
-
- memset(&aes_key, 0, sizeof(aes_key));
-
- // the aes decrypt will only fail if the data length is not evenly divisible
- // by AES_BLOCK_SIZE
- if (in_data_len % AES_BLOCK_SIZE) {
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
- return CKR_DATA_LEN_RANGE;
- }
-
- // Encrypt or decrypt the data
- if (encrypt) {
- AES_set_encrypt_key(key_value, keylen * 8, &aes_key);
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
- init_v, AES_ENCRYPT);
- } else {
- AES_set_decrypt_key(key_value, keylen * 8, &aes_key);
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
- init_v, AES_DECRYPT);
- }
-
- return CKR_OK;
-#else
CK_RV rc;
int outlen;
const EVP_CIPHER *cipher = NULL;
@@ -187,5 +114,4 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
done:
EVP_CIPHER_CTX_free(ctx);
return rc;
-#endif
}

37
opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch Normal file
View File

@ -0,0 +1,37 @@
commit c4683eb904238d20cb34a4c7661ffac04901283c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jun 29 17:35:30 2021 +0200
COMMON: Add OPENSSL_VERSION_PREREQ macro to check for OpenSSL version
Make the OPENSSL_VERSION_PREREQ macro available independent of the
used OpenSSL version, so that the code can easily check for the OpenSSL
version it is compiled with.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/defs.h b/usr/lib/common/defs.h
index 22d75d2d..8ab50517 100644
--- a/usr/lib/common/defs.h
+++ b/usr/lib/common/defs.h
@@ -17,6 +17,20 @@
#ifndef _DEFS_H
#define _DEFS_H
+#include <openssl/opensslv.h>
+
+#ifndef OPENSSL_VERSION_PREREQ
+ #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR)
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
+ ((OPENSSL_VERSION_MAJOR << 16) + \
+ OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min))
+ #else
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
+ (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | \
+ ((min) << 20)))
+ #endif
+#endif
+
#define MAX_SESSION_COUNT 64
#define MAX_PIN_LEN 8
#define MIN_PIN_LEN 4

49
opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch Normal file
View File

@ -0,0 +1,49 @@
commit dd9cfe2ef89dad185397df46227f9392a6317d35
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 21 13:54:59 2021 +0200
CONFIGURE: Check that OpenSSL 1.1.1 or later is available
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/configure.ac b/configure.ac
index 286b7408..f47060d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -277,21 +277,14 @@ if test "x$with_openssl" != "xno"; then
old_libs="$LIBS"
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
LIBS="$LIBS $OPENSSL_LIBS"
- AC_CHECK_HEADER([openssl/ssl.h], [], [
- if test "x$with_openssl" != "xcheck"; then
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL headers couldn't be found])
- fi
- with_openssl=no
+ AC_CHECK_HEADER([openssl/evp.h], [], [
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL headers couldn't be found])
])
if test "x$with_openssl" != "xno"; then
- AC_CHECK_LIB([crypto], [RSA_generate_key], [
+ AC_CHECK_LIB([crypto], [EVP_sha3_256], [
OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto"
- with_openssl=yes
- ], [
- if test "x$with_openssl" != "xcheck"; then
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL libraries couldn't be found])
- fi
- with_openssl=no
+ with_openssl=yes], [
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL libraries version 1.1.1 or later couldn't be found])
])
fi
if test "x$with_openssl" = "xno"; then
@@ -299,6 +292,9 @@ if test "x$with_openssl" != "xno"; then
LIBS="$old_libs"
fi
fi
+if test "x$with_openssl" != "xyes"; then
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but build without OpenSSL was requested])
+fi
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])

853
opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch Normal file
View File

@ -0,0 +1,853 @@
commit ecf71404e84ae35931cd6c7398c825378ee052b6
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Jul 2 11:20:22 2021 +0200
TESTCASES: Soft: Skip tests with RSA publ.exp. not supported by OpenSSL
OpenSSL 3.0 only accepts public exponents of 3 and 65537 for RSA keys.
Skip the testcase if another public exponent is used.
Also fixed some ugly line breaks within messages.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/common/common.c b/testcases/common/common.c
index bfd486cb..0a64ecf2 100644
--- a/testcases/common/common.c
+++ b/testcases/common/common.c
@@ -876,6 +876,16 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|| (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
}
+/** Returns true if pubexp is valid for Soft Tokens **/
+int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
+{
+ CK_BYTE exp3[] = { 0x03 }; // 3
+ CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
+
+ return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
+ || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
+}
+
/** Returns true if slot_id is an ICSF token
** ICSF token info is not necessarily hard-coded like the other tokens
** so there is no single identifying attribute. So, instead just
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
index 62aa7a76..8739ed37 100644
--- a/testcases/crypto/rsa_func.c
+++ b/testcases/crypto/rsa_func.c
@@ -102,8 +102,8 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -111,8 +111,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -124,8 +123,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -148,6 +146,16 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
continue;
}
}
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'",
+ s);
+ free(s);
+ continue;
+ }
+ }
// tpm special cases:
// tpm token can only use public exponent 0x010001 (65537)
// so skip test if invalid public exponent is used
@@ -155,8 +163,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -166,8 +173,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -376,8 +382,8 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].mod_len * 8)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].mod_len * 8);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].mod_len * 8);
free(s);
continue;
}
@@ -385,16 +391,14 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
// modulus length must be multiple of 128 byte
// skip test if modulus length has unsuported size
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -416,8 +420,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -431,12 +434,21 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
}
+
// tpm special cases:
// tpm token can only use public exponent 0x010001 (65537)
// so skip test if invalid public exponent is used
@@ -444,8 +456,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len * 8))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -455,8 +466,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len) ||
(tsuite->tv[i].mod_len * 8 < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -691,8 +701,8 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -700,8 +710,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -710,8 +719,16 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -721,8 +738,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -732,8 +748,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -944,16 +959,23 @@ CK_RV do_SignVerify_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1154,8 +1176,8 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
continue;
}
// get public exponent from test vector
@@ -1169,8 +1191,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -1179,8 +1200,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1189,8 +1209,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -1198,8 +1217,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -1228,6 +1246,14 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
continue;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
// begin test
testcase_begin("%s Wrap Unwrap with test vector %d, "
@@ -1554,8 +1580,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
continue;
}
@@ -1565,8 +1590,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
// skip test if modulus length has unsuported size
if (is_ep11_token(slot_id)) {
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
continue;
}
}
@@ -1575,8 +1599,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with this test vector.");
+ testcase_skip("TPM Token cannot be used with this test vector.");
continue;
}
}
@@ -1584,8 +1607,15 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with this test vector.");
+ testcase_skip("CCA Token cannot be used with this test vector.");
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with this test vector.");
continue;
}
}
@@ -1735,8 +1765,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
// skip test if modulus length has unsuported size
if (is_ep11_token(slot_id)) {
if ((tsuite->tv[i].mod_len % 128) != 0) {
- testcase_skip("EP11 Token cannot be used with "
- "this test vector.");
+ testcase_skip("EP11 Token cannot be used with this test vector.");
continue;
}
}
@@ -1745,8 +1774,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with this test vector.");
+ testcase_skip("TPM Token cannot be used with this test vector.");
continue;
}
}
@@ -1754,8 +1782,15 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with this test vector.");
+ testcase_skip("CCA Token cannot be used with this test vector.");
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with this test vector.");
continue;
}
}
diff --git a/testcases/crypto/rsaupdate_func.c b/testcases/crypto/rsaupdate_func.c
index 20611b85..22f8d7e4 100644
--- a/testcases/crypto/rsaupdate_func.c
+++ b/testcases/crypto/rsaupdate_func.c
@@ -96,8 +96,8 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -105,8 +105,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -115,19 +114,27 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+
if (is_tpm_token(slot_id)) {
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len))
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
- s);
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -137,8 +144,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len) ||
(tsuite->tv[i].modbits < 1024)) {
- testcase_skip("ICSF Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -162,8 +168,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
tsuite->tv[i].publ_exp_len,
&publ_key, &priv_key);
if (rc != CKR_OK) {
- testcase_error("generate_RSA_PKCS_KeyPair(), "
- "rc=%s", p11_get_ckr(rc));
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
goto testcase_cleanup;
}
@@ -367,8 +372,8 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
tsuite->tv[i].modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ SLOT_ID, tsuite->tv[i].modbits);
free(s);
continue;
}
@@ -376,8 +381,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -386,8 +390,16 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
tsuite->tv[i].publ_exp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
+ tsuite->tv[i].publ_exp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -412,8 +424,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
tsuite->tv[i].publ_exp_len,
&publ_key, &priv_key);
if (rc != CKR_OK) {
- testcase_error("generate_RSA_PKCS_KeyPair(), "
- "rc=%s", p11_get_ckr(rc));
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
goto error;
}
// generate message
@@ -639,8 +650,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with pub_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with pub_exp.='%s'", s);
free(s);
continue;
}
@@ -650,8 +660,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with pub_exp='%s'.", s);
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
free(s);
continue;
}
@@ -660,8 +669,16 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
@@ -826,8 +843,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
(tsuite->tv[i].exp2_len >
(tsuite->tv[i].mod_len / 2)) ||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
- testcase_skip("ICA Token cannot be used with "
- "this test vector.");
+ testcase_skip("ICA Token cannot be used with this test vector.");
free(s);
continue;
}
@@ -848,8 +864,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("EP11 Token cannot "
- "be used with publ_exp.='%s'", s);
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
free(s);
continue;
}
@@ -859,8 +874,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) ||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
- testcase_skip("TPM Token cannot "
- "be used with pub_exp='%s'.", s);
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
free(s);
continue;
}
@@ -869,8 +883,16 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
tsuite->tv[i].pubexp_len)) {
- testcase_skip("CCA Token cannot "
- "be used with publ_exp='%s'.", s);
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
+ free(s);
+ continue;
+ }
+ }
+
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
+ tsuite->tv[i].pubexp_len)) {
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
free(s);
continue;
}
diff --git a/testcases/misc_tests/reencrypt.c b/testcases/misc_tests/reencrypt.c
index a78e1f5a..93fa31bd 100644
--- a/testcases/misc_tests/reencrypt.c
+++ b/testcases/misc_tests/reencrypt.c
@@ -361,24 +361,29 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!keysize_supported(slot_id, mech2->key_gen_mech.mechanism,
mech2->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id, mech2->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id, mech2->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id)) {
if (!is_valid_ep11_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id)) {
if (!is_valid_cca_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in cannot be used with "
- " publ_exp.='%s'", s);
+ testcase_skip("CCA Token in cannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(mech2->rsa_publ_exp,
+ mech2->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -386,8 +391,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!is_valid_tpm_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(mech2->rsa_modbits)) {
- testcase_skip("TPM Token cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -395,8 +399,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
if (!is_valid_icsf_pubexp(mech2->rsa_publ_exp,
mech2->rsa_publ_exp_len) ||
mech2->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}
@@ -619,6 +622,14 @@ CK_RV do_encrypt_reencrypt(struct mech_info *mech1)
goto testcase_cleanup;
}
}
+ if (is_soft_token(slot_id)) {
+ if (!is_valid_soft_pubexp(mech1->rsa_publ_exp,
+ mech1->rsa_publ_exp_len)) {
+ testsuite_skip(NUM_REENCRYPT_TESTS, "Soft Token cannot be "
+ "used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
if (is_tpm_token(slot_id) ) {
if (!is_valid_tpm_pubexp(mech1->rsa_publ_exp,
mech1->rsa_publ_exp_len) ||
diff --git a/testcases/misc_tests/tok2tok_transport.c b/testcases/misc_tests/tok2tok_transport.c
index 9c1dee8f..ebb44760 100644
--- a/testcases/misc_tests/tok2tok_transport.c
+++ b/testcases/misc_tests/tok2tok_transport.c
@@ -581,30 +581,35 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!keysize_supported(slot_id1, tsuite->wrapped_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %lu cannot be used with "
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
+ slot_id1, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (!keysize_supported(slot_id2, tsuite->wrapped_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %lu cannot be used with "
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
+ slot_id2, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in scannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id1) || is_cca_token(slot_id2)) {
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
+ tsuite->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -612,8 +617,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
- testcase_skip("TPM Token cannot " "be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -621,8 +625,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
tsuite->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}
@@ -967,31 +970,36 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!keysize_supported(slot_id1,
tsuite->wrapping_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id1, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (!keysize_supported(slot_id2,
tsuite->wrapping_key_gen_mech.mechanism,
tsuite->rsa_modbits)) {
- testcase_skip("Token in slot %ld cannot be used with "
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
+ slot_id2, tsuite->rsa_modbits);
goto testcase_cleanup;
}
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("EP11 Token in cannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len)) {
- testcase_skip("CCA Token in scannot be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
+ goto testcase_cleanup;
+ }
+ }
+ if (is_soft_token(slot_id1) || is_soft_token(slot_id2)) {
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
+ tsuite->rsa_publ_exp_len)) {
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -999,8 +1007,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
- testcase_skip("TPM Token cannot " "be used with "
- "publ_exp.='%s'", s);
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
goto testcase_cleanup;
}
}
@@ -1008,8 +1015,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
tsuite->rsa_publ_exp_len) ||
tsuite->rsa_modbits < 1024) {
- testcase_skip("ICSF Token cannot be used with "
- "publ_exp='%s'.", s);
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
goto testcase_cleanup;
}
}

28
opencryptoki.spec
View File

@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.16.0
Release: 10%{?dist}
Release: 11%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -35,6 +35,24 @@ Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_ru
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
Patch218: opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch
Patch219: opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch
Patch220: opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch
Patch221: opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch
Patch222: opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch
Patch223: opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch
Patch224: opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch
Patch225: opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch
Patch226: opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch
Patch227: opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch
Patch228: opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch
Patch230: opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch
Patch231: opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch
Patch232: opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch
Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
@ -221,7 +239,6 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%install
%make_install CHGRP=/bin/true
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
%pre libs
@ -280,10 +297,6 @@ fi
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%files devel
%{_includedir}/%{name}/
@ -342,6 +355,9 @@ fi
%changelog
* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
- Resolves: #1989138, Support for OpenSSL 3.0
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes