rpms
/
opencryptoki
7
0
Fork 0
Code Issues Pull Requests Releases Activity

added PIN conversion tool

This commit is contained in:
Than Ngo 2020-07-08 17:04:38 +02:00
parent 6fc6ecb12c
commit a8de22032c
8 changed files with 4022 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch Normal file
View File

@ -0,0 +1,134 @@
From 583f0210bb8f371c2071966f27b83c95230d50cc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:09:18 +0200
Subject: [PATCH 1/2] pkcstok_migrate: Fix NVTOK.DAT conversion on little
endian platforms
The new format stores all numeric fields in big endian, while the old
format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 84 ++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 10 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e90a5c91..e0c19125 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -1077,6 +1077,42 @@ static CK_RV load_NVTOK_DAT(const char *data_store, const char *nvtok_name,
goto done;
}
+ if (stbuf.st_size == sizeof(TOKEN_DATA)) {
+ /* The 312 version always uses big endian */
+ td->token_info.flags = be32toh(td->token_info.flags);
+ td->token_info.ulMaxSessionCount
+ = be32toh(td->token_info.ulMaxSessionCount);
+ td->token_info.ulSessionCount
+ = be32toh(td->token_info.ulSessionCount);
+ td->token_info.ulMaxRwSessionCount
+ = be32toh(td->token_info.ulMaxRwSessionCount);
+ td->token_info.ulRwSessionCount
+ = be32toh(td->token_info.ulRwSessionCount);
+ td->token_info.ulMaxPinLen = be32toh(td->token_info.ulMaxPinLen);
+ td->token_info.ulMinPinLen = be32toh(td->token_info.ulMinPinLen);
+ td->token_info.ulTotalPublicMemory
+ = be32toh(td->token_info.ulTotalPublicMemory);
+ td->token_info.ulFreePublicMemory
+ = be32toh(td->token_info.ulFreePublicMemory);
+ td->token_info.ulTotalPrivateMemory
+ = be32toh(td->token_info.ulTotalPrivateMemory);
+ td->token_info.ulFreePrivateMemory
+ = be32toh(td->token_info.ulFreePrivateMemory);
+ td->tweak_vector.allow_weak_des
+ = be32toh(td->tweak_vector.allow_weak_des);
+ td->tweak_vector.check_des_parity
+ = be32toh(td->tweak_vector.check_des_parity);
+ td->tweak_vector.allow_key_mods
+ = be32toh(td->tweak_vector.allow_key_mods);
+ td->tweak_vector.netscape_mods
+ = be32toh(td->tweak_vector.netscape_mods);
+ td->dat.version = be32toh(td->dat.version);
+ td->dat.so_login_it = be64toh(td->dat.so_login_it);
+ td->dat.user_login_it = be64toh(td->dat.user_login_it);
+ td->dat.so_wrap_it = be64toh(td->dat.so_wrap_it);
+ td->dat.user_wrap_it = be64toh(td->dat.user_wrap_it);
+ }
+
ret = CKR_OK;
done:
@@ -1628,6 +1664,7 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
{
const char *nvtok = "NVTOK.DAT_312";
char fname[PATH_MAX + 1 + strlen(nvtok) + 1];
+ TOKEN_DATA be_tokdata;
FILE *fp = NULL;
CK_RV ret;
size_t rc;
@@ -1656,14 +1693,6 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Write old part into NVTOK.DAT_312 */
- rc = fwrite(tokdata, sizeof(TOKEN_DATA_OLD), 1, fp);
- if (rc != 1) {
- TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
- ret = CKR_FUNCTION_FAILED;
- goto done;
- }
-
/* Create additions for new format */
ret = create_TOKEN_DATA_VERSION(sopin, userpin, tokdata);
if (ret != CKR_OK) {
@@ -1671,8 +1700,43 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Append TOKEN_DATA_VERSION to NVTOK.DAT_312 */
- rc = fwrite(&(tokdata->dat), sizeof(TOKEN_DATA_VERSION), 1, fp);
+ /* The 312 version always uses big endian */
+ memcpy(&be_tokdata, tokdata, sizeof(TOKEN_DATA));
+ be_tokdata.token_info.flags = htobe32(tokdata->token_info.flags);
+ be_tokdata.token_info.ulMaxSessionCount
+ = htobe32(tokdata->token_info.ulMaxSessionCount);
+ be_tokdata.token_info.ulSessionCount
+ = htobe32(tokdata->token_info.ulSessionCount);
+ be_tokdata.token_info.ulMaxRwSessionCount
+ = htobe32(tokdata->token_info.ulMaxRwSessionCount);
+ be_tokdata.token_info.ulRwSessionCount
+ = htobe32(tokdata->token_info.ulRwSessionCount);
+ be_tokdata.token_info.ulMaxPinLen = htobe32(tokdata->token_info.ulMaxPinLen);
+ be_tokdata.token_info.ulMinPinLen = htobe32(tokdata->token_info.ulMinPinLen);
+ be_tokdata.token_info.ulTotalPublicMemory
+ = htobe32(tokdata->token_info.ulTotalPublicMemory);
+ be_tokdata.token_info.ulFreePublicMemory
+ = htobe32(tokdata->token_info.ulFreePublicMemory);
+ be_tokdata.token_info.ulTotalPrivateMemory
+ = htobe32(tokdata->token_info.ulTotalPrivateMemory);
+ be_tokdata.token_info.ulFreePrivateMemory
+ = htobe32(tokdata->token_info.ulFreePrivateMemory);
+ be_tokdata.tweak_vector.allow_weak_des
+ = htobe32(tokdata->tweak_vector.allow_weak_des);
+ be_tokdata.tweak_vector.check_des_parity
+ = htobe32(tokdata->tweak_vector.check_des_parity);
+ be_tokdata.tweak_vector.allow_key_mods
+ = htobe32(tokdata->tweak_vector.allow_key_mods);
+ be_tokdata.tweak_vector.netscape_mods
+ = htobe32(tokdata->tweak_vector.netscape_mods);
+ be_tokdata.dat.version = htobe32(tokdata->dat.version);
+ be_tokdata.dat.so_login_it = htobe64(tokdata->dat.so_login_it);
+ be_tokdata.dat.user_login_it = htobe64(tokdata->dat.user_login_it);
+ be_tokdata.dat.so_wrap_it = htobe64(tokdata->dat.so_wrap_it);
+ be_tokdata.dat.user_wrap_it = htobe64(tokdata->dat.user_wrap_it);
+
+ /* Write converted token data into NVTOK.DAT_312 */
+ rc = fwrite(&be_tokdata, sizeof(TOKEN_DATA), 1, fp);
if (rc != 1) {
TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
ret = CKR_FUNCTION_FAILED;
--
2.16.2.windows.1

40
0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch Normal file
View File

@ -0,0 +1,40 @@
From 6faa13d83e5166e4bbe97d85935aca779fde9089 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:46:29 +0200
Subject: [PATCH 2/2] pkcstok_migrate: Fix private token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e0c19125..0148102c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -239,7 +239,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
/* Setup header */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x01;
ret = aes_256_wrap(header.key_wrapped, obj_key, masterkey);
if (ret != CKR_OK) {
@@ -252,7 +252,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
header.iv[9] = 0;
header.iv[10] = 0;
header.iv[11] = 1;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, HEADER_LEN);
/* Encrypt body */
--
2.16.2.windows.1

34
0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch Normal file
View File

@ -0,0 +1,34 @@
From c090136338b585370df6a8e29518f9e55d388fe5 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:34 +0200
Subject: [PATCH 3/5] pkcstok_migrate: Fix public token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 0148102c..136c010c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -103,9 +103,9 @@ static CK_RV make_OBJECT_PUB_312(char **obj_new, unsigned int *obj_new_len,
/* Setup object */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x00;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, sizeof(header));
memcpy(object + sizeof(header), clear, clear_len);
--
2.16.2.windows.1

93
0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch Normal file
View File

@ -0,0 +1,93 @@
From d1dbc25c6f424a12860295008991cd1392c888a8 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 09:56:31 +0200
Subject: [PATCH 4/5] pkcstok_migrate: Remove the token's shared memory segment
After successfully migration, remove the tokens shared memory segment.
This will be re-created on the first use of the token.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 38 +++++++++++++++++++++++++++++
usr/sbin/pkcstok_migrate/pkcstok_migrate.mk | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 136c010c..46e5e57f 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -31,6 +31,7 @@
#include <termios.h>
#include <unistd.h>
#include <dirent.h>
+#include <sys/mman.h>
#include <pkcs11types.h>
#include "sw_crypt.h"
@@ -2108,6 +2109,36 @@ done:
}
+/**
+ * Removes the token_s shared memory from /dev/shm
+ */
+static CK_RV remove_shared_memory(char *location)
+{
+ char shm_name[PATH_MAX];
+ int i, k, rc;
+
+ i = k = 0;
+ shm_name[k++] = '/';
+ if (location[i] == '/')
+ i++;
+
+ for (; location[i]; i++, k++) {
+ if (location[i] == '/')
+ shm_name[k] = '.';
+ else
+ shm_name[k] = location[i];
+ }
+ shm_name[k] = '\0';
+
+ rc = shm_unlink(shm_name);
+ if (rc != 0) {
+ warnx("shm_unlink(%s) failed, errno=%s", shm_name, strerror(errno));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
/**
* Copy a file given by name from a src folder to a dst folder.
*/
@@ -2718,6 +2749,13 @@ int main(int argc, char **argv)
goto done;
}
+ /* Remove the token's shared memory */
+ ret = remove_shared_memory(data_store);
+ if (ret != CKR_OK) {
+ warnx("Failed to remove token's shared memory.");
+ goto done;
+ }
+
/* Now insert new 'tokversion=3.12' parm in opencryptoki.conf */
ret = update_opencryptoki_conf(slot_id, conf_dir);
if (ret != CKR_OK) {
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
index dc4582e5..028a383e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
@@ -6,7 +6,7 @@ noinst_HEADERS += usr/include/local_types.h
noinst_HEADERS += usr/lib/common/h_extern.h
noinst_HEADERS += usr/lib/common/pkcs_utils.h
-usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl
+usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl -lrt
usr_sbin_pkcstok_migrate_pkcstok_migrate_CFLAGS = \
-DSTDLL_NAME=\"pkcstok_migrate\" \
--
2.16.2.windows.1

107
0005-Fix-storing-of-public-token-objects-in-new-data-form.patch Normal file
View File

@ -0,0 +1,107 @@
From 6850ae623f9d36b70f1d2919c8390a4b14d393a1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:01 +0200
Subject: [PATCH 5/5] Fix storing of public token objects in new data format
The tokversion and object length field are supposed to be stored
in big endian (BE) on all platforms. This was not the case for public
token objects.
Fix this by always storing it in BE, and add logic to the read routines
to automatically detect if the fields are in the expected byte order,
or not, and handle them accordingly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/common/loadsave.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index 068fdf36..b76dea9f 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2557,6 +2557,7 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG size_64;
CK_RV rc;
uint32_t len;
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return reload_token_object_old(tokdata, obj);
@@ -2580,9 +2581,18 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&len, header + 60, 4);
- size = be32toh(len);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also.
+ */
+ if (ver == TOK_NEW_DATA_STORE)
+ size = len;
+ else
+ size = be32toh(len);
buf = (CK_BYTE *) malloc(size);
if (buf == NULL) {
@@ -2647,8 +2657,9 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG clear_len;
CK_BBOOL flag = FALSE;
CK_RV rc;
- CK_ULONG_32 len;
+ CK_ULONG_32 len, be_len;
unsigned char reserved[7] = {0};
+ uint32_t tmp;
if (tokdata->version < TOK_NEW_DATA_STORE)
return save_public_token_object_old(tokdata, obj);
@@ -2669,11 +2680,14 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ tmp = htobe32(tokdata->version);
+ be_len = htobe32(len);
+
set_perm(fileno(fp));
- if (fwrite(&tokdata->version, 4, 1, fp) != 1
+ if (fwrite(&tmp, 4, 1, fp) != 1
|| fwrite(&flag, 1, 1, fp) != 1
|| fwrite(reserved, 7, 1, fp) != 1
- || fwrite(&len, 4, 1, fp) != 1
+ || fwrite(&be_len, 4, 1, fp) != 1
|| fwrite(clear, len, 1, fp) != 1) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -2704,6 +2718,7 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
CK_BBOOL priv;
CK_ULONG_32 size;
unsigned char header[PUB_HEADER_LEN];
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return load_public_token_objects_old(tokdata);
@@ -2731,9 +2746,16 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&size, header + 12, 4);
- size = be32toh(size);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also
+ */
+ if (ver != TOK_NEW_DATA_STORE)
+ size = be32toh(size);
if (priv == TRUE) {
fclose(fp2);
--
2.16.2.windows.1

3575
opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch Normal file
View File

File diff suppressed because it is too large Load Diff

22
opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch Normal file
View File

@ -0,0 +1,22 @@
commit a94436937b6364c53219fb3c7922439f403e8d5e
Author: Harald Freudenberger <freude@linux.ibm.com>
Date: Wed May 27 07:30:33 2020 +0200
Fix missing entries for p11sak tool in template spec file
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
index fa4b9899..ae563406 100644
--- a/rpm/opencryptoki.spec
+++ b/rpm/opencryptoki.spec
@@ -238,7 +238,9 @@ exit 0
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
+%{_sbindir}/p11sak
%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/p11sak.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*

18
opencryptoki.spec
View File

@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.14.0
Release: 3%{?dist}
Release: 4%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -18,6 +18,17 @@ Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
# upstream fix, handle early error cases in C_Initialize
Patch3: opencryptoki-3.14.0-early-error-in-c-initialize.patch
# Fix missing entries for p11sak tool in template spec file
Patch4: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
# PIN conversion tool
Patch5: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
Patch6: 0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch
Patch7: 0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch
Patch8: 0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch
Patch9: 0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch
Patch10: 0005-Fix-storing-of-public-token-objects-in-new-data-form.patch
# Use --no-undefined to debug missing symbols
#Patch100: %%{name}-3.2-no-undefined.patch
@ -225,9 +236,11 @@ fi
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
@ -313,6 +326,9 @@ fi
%changelog
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- added PIN conversion tool
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize