import CS opencryptoki-3.23.0-1.el9

This commit is contained in:
eabdullin 2024-09-30 16:13:44 +00:00
parent 782f2d4ee2
commit b8fca99ebc
17 changed files with 1368 additions and 2331 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/opencryptoki-3.22.0.tar.gz
SOURCES/opencryptoki-3.23.0.tar.gz

View File

@ -1 +1 @@
4618b82afde56a8177e888c26d336c6f521bed8a SOURCES/opencryptoki-3.22.0.tar.gz
0d70d0a5170a79fc358107d07a62bea1b476e0cc SOURCES/opencryptoki-3.23.0.tar.gz

View File

@ -0,0 +1,50 @@
commit 2d68f8626d15b9697a29a377a63bbdf35b42ee36
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Feb 13 16:20:06 2024 +0100
EP11 pkey option: add new PKEY_MODE parms to ep11 config file
Add two new parameter values ENABLE4EXTR and ENABLE4ALL to the ep11token
PKEY_MODE config option. Older ep11 card firmware enforces the restriction that
keys can not have CKA_EXTRACTABLE=true and CKA_IBM_PROTKEY_EXTRACTABLE=true at
the same time. With newer card firmware this restriction is removed and a new
control point is introduced to allow checking for this feature.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11tok.conf b/usr/lib/ep11_stdll/ep11tok.conf
index 19c9963f..afe237b9 100644
--- a/usr/lib/ep11_stdll/ep11tok.conf
+++ b/usr/lib/ep11_stdll/ep11tok.conf
@@ -104,7 +104,7 @@
# disabled and additional hardware and firmware prerequisites are met. AES-XTS
# is not supported via the EP11 coprocessor itself.
#
-# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR
+# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR | ENABLE4EXTR | ENABLE4ALL
#
# DISABLED : Protected key support disabled. All key operations
# are performed via EP11 coprocessor, even if a
@@ -119,6 +119,22 @@
# but not CKA_IBM_PROTKEY_EXTRACTABLE, new keys get
# CKA_IBM_PROTKEY_EXTRACTABLE=true internally.
#
+# Control point 75 (XCP_CPB_ALLOW_COMBINED_EXTRACT) must be enabled for all
+# APQNs accessible by the token for the following parameters.
+#
+# ENABLE4EXTR : If the application did not specify
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
+# of any type with CKA_EXTRACTABLE=true get
+# CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key
+# is automatically created at first use of the key.
+#
+# ENABLE4ALL : If the application did not specify
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
+# of any type, regardless of the CKA_EXTRACTABLE
+# attribute, get CKA_IBM_PROTKEY_EXTRACTABLE=true and
+# a protected key is automatically created at first
+# use of the key.
+#
# --------------------------------------------------------------------------
#
# Specify the expected wrapping key verification pattern. When specified, all

View File

@ -0,0 +1,222 @@
commit a6192bb9c3263fb691da87b3a1ed5f66f887b09a
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Feb 13 16:35:53 2024 +0100
EP11 pkey option: handle new PKEY_MODE parms for new objects
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index d5964a9c..d1efd8c5 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1239,6 +1239,33 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
return CKR_OK;
}
+CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
+{
+ CK_ATTRIBUTE *pkey_attr = NULL;
+ CK_BBOOL btrue = CK_TRUE;
+ CK_RV ret;
+
+ if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
+ ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, &btrue,
+ sizeof(CK_BBOOL), &pkey_attr);
+ if (ret != CKR_OK) {
+ TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
+ goto done;
+ }
+ ret = template_update_attribute(tmpl, pkey_attr);
+ if (ret != CKR_OK) {
+ TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
+ free(pkey_attr);
+ goto done;
+ }
+ }
+
+ ret = CKR_OK;
+
+done:
+ return ret;
+}
+
/**
* This function is called whenever a new object is created. It sets
* attribute CKA_IBM_PROTKEY_EXTRACTABLE according to the PKEY_MODE token
@@ -1254,7 +1281,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
CK_ULONG mode, TEMPLATE *tmpl)
{
ep11_private_data_t *ep11_data = tokdata->private_data;
- CK_ATTRIBUTE *pkey_attr = NULL, *ecp_attr = NULL, *sensitive_attr = NULL;
+ CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
CK_BBOOL add_pkey_extractable = CK_FALSE;
CK_RV ret;
@@ -1314,23 +1341,62 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
-
if (add_pkey_extractable) {
- if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
- ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE,
- (CK_BBOOL *)&btrue, sizeof(CK_BBOOL),
- &pkey_attr);
- if (ret != CKR_OK) {
- TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
- goto done;
- }
- ret = template_update_attribute(tmpl, pkey_attr);
- if (ret != CKR_OK) {
- TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
- free(pkey_attr);
- goto done;
- }
- }
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
+ break;
+ case PKEY_MODE_ENABLE4EXTR:
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
+ * its template, new keys of any type with CKA_EXTRACTABLE=true get
+ * CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is automatically
+ * created at first use of the key.
+ */
+ switch (class) {
+ case CKO_PUBLIC_KEY:
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
+ add_pkey_extractable = CK_TRUE;
+ /* Note that the explicit parm CKM_ECDSA just tells the
+ * function that it's not AES here. It covers all EC and ED
+ * mechs */
+ break;
+ default:
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
+ if (ret == CKR_OK && extractable) // Einziger Unterschied: extractable, statt !extractable
+ add_pkey_extractable = CK_TRUE;
+ break;
+ }
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
+ break;
+ case PKEY_MODE_ENABLE4ALL:
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
+ * its template, new keys of any type, regardless of CKA_EXTRACTABLE,
+ * get CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is
+ * automatically created at first use of the key.
+ */
+ switch (class) {
+ case CKO_PUBLIC_KEY:
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
+ add_pkey_extractable = CK_TRUE;
+ /* Note that the explicit parm CKM_ECDSA just tells the
+ * function that it's not AES here. It covers all EC and ED
+ * mechs */
+ break;
+ default:
+ add_pkey_extractable = CK_TRUE;
+ break;
+ }
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
}
break;
default:
@@ -12188,6 +12254,10 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
ep11_data->pkey_mode = PKEY_MODE_ENABLE4NONEXTR;
+ else if (strcmp(strval, "ENABLE4EXTR") == 0)
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
+ else if (strcmp(strval, "ENABLE4ALL") == 0)
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
else {
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
@@ -13252,6 +13322,7 @@ typedef struct cp_handler_data {
int first;
size_t max_cp_index;
CK_BBOOL error;
+ CK_BBOOL allow_combined_extract;
} cp_handler_data_t;
static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
@@ -13329,6 +13400,27 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
}
}
+ /* Combined extract is only supported if all APQNs support it */
+ if (max_cp_index < XCP_CPB_ALLOW_COMBINED_EXTRACT ||
+ (cp[CP_BYTE_NO(XCP_CPB_ALLOW_COMBINED_EXTRACT)] &
+ CP_BIT_MASK(XCP_CPB_ALLOW_COMBINED_EXTRACT)) == 0) {
+ data->allow_combined_extract = CK_FALSE;
+
+ if (ep11_data->pkey_mode == PKEY_MODE_ENABLE4EXTR ||
+ ep11_data->pkey_mode == PKEY_MODE_ENABLE4ALL) {
+ TRACE_ERROR("Control point setting for adapter %02X.%04X does not "
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
+ "ENABLE4ALL specified in ep11 token config file.\n",
+ adapter, domain);
+ OCK_SYSLOG(LOG_ERR,
+ "Control point setting for adapter %02X.%04X does not "
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
+ "ENABLE4ALL specified in ep11 token config file.\n",
+ adapter, domain);
+ data->error = TRUE;
+ }
+ }
+
/* Check FIPS-session related CPs for non-FIPS-session mode */
if (!ep11_data->fips_session_mode) {
if (max_cp_index >= XCP_CPB_ALLOW_NONSESSION &&
@@ -13392,6 +13484,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
* to older cards default to ON. CPs being OFF disable functionality.
*/
memset(data.combined_cp, 0xff, sizeof(data.combined_cp));
+ data.allow_combined_extract = CK_TRUE;
data.first = 1;
rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler,
&data);
@@ -13410,6 +13503,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
print_control_points(cp, *cp_len, data.max_cp_index);
#endif
+ if (data.allow_combined_extract == CK_FALSE)
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 0);
+ else
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 1);
+
return data.error ? CKR_DEVICE_ERROR : CKR_OK;
}
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
index deb8f45f..16d3c719 100644
--- a/usr/lib/ep11_stdll/ep11_specific.h
+++ b/usr/lib/ep11_stdll/ep11_specific.h
@@ -241,6 +241,8 @@ typedef struct {
#define PKEY_MODE_DISABLED 0
#define PKEY_MODE_DEFAULT 1
#define PKEY_MODE_ENABLE4NONEXTR 2
+#define PKEY_MODE_ENABLE4EXTR 3
+#define PKEY_MODE_ENABLE4ALL 4
#define PQC_BYTE_NO(idx) (((idx) - 1) / 8)
#define PQC_BIT_IN_BYTE(idx) (((idx - 1)) % 8)
@@ -278,6 +280,7 @@ typedef struct {
int fips_session_mode;
int optimize_single_ops;
int pkey_mode;
+ volatile int pkey_combined_extract_supported;
volatile int pkey_wrap_supported;
int pkey_wrap_support_checked;
char pkey_mk_vp[PKEY_MK_VP_LENGTH];

View File

@ -0,0 +1,62 @@
commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu Mar 7 17:42:11 2024 +0100
EP11 pkey option: handle new PKEY_MODE parms in eligibility check
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index d1efd8c5..a163587c 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
return CK_TRUE;
}
+/*
+ * Returns true if the given key object is eligible to get a protected key
+ * attribute, false otherwise.
+ */
+CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
+ OBJECT *key_obj)
+{
+ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
+ !object_is_pkey_extractable(key_obj)) {
+ return CK_FALSE;
+ }
+
+ if (!ep11_data->pkey_combined_extract_supported &&
+ object_is_extractable(key_obj)) {
+ return CK_FALSE;
+ }
+
+ return CK_TRUE;
+}
+
/**
* Checks if the preconditions for using the related protected key of
* the given secure key object are met. The caller of this routine must
@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
break;
case PKEY_MODE_DEFAULT:
case PKEY_MODE_ENABLE4NONEXTR:
+ case PKEY_MODE_ENABLE4EXTR:
+ case PKEY_MODE_ENABLE4ALL:
/* Use existing pkeys, re-create invalid pkeys, and also create new
* pkeys for secret/private keys that do not already have one. EC
* public keys that are pkey-extractable, can always be used via CPACF
@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
goto done;
- if (object_is_extractable(key_obj) ||
- !object_is_pkey_extractable(key_obj) ||
- object_is_attr_bound(key_obj) ||
- !ep11_data->pkey_wrap_supported) {
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
goto done;
- }
if (template_attribute_get_non_empty(key_obj->template,
CKA_IBM_OPAQUE_PKEY,

View File

@ -0,0 +1,555 @@
commit b9e33fced0654aac939182957bf2eba2eda77872
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed Feb 21 13:48:15 2024 +0100
EP11 pkey option: add NO_PKEY compile option for EP11 token
On 32-bit s390 platforms, the pkey related assembler code parts won't
compile. Therefore, add NO_PKEY compile switches where necessary.
The NO_PKEY compile switch is already handled in configure.ac.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index a163587c..114c4ce1 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -60,7 +60,9 @@
#include <openssl/ec.h>
#include "ep11_specific.h"
+#ifndef NO_PKEY
#include "pkey_utils.h"
+#endif
CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
CK_MECHANISM_TYPE_PTR mlist,
@@ -256,11 +258,13 @@ static const version_req_t reencrypt_single_req_versions[] = {
#define NUM_REENCRYPT_SINGLE_REQ (sizeof(reencrypt_single_req_versions) / \
sizeof(version_req_t))
+#ifndef NO_PKEY
static const CK_VERSION ibm_cex7p_cpacf_wrap_support = { .major = 7, .minor = 15 };
static const version_req_t ibm_cpacf_wrap_req_versions[] = {
{ .card_type = 7, .min_firmware_version = &ibm_cex7p_cpacf_wrap_support }
};
#define NUM_CPACF_WRAP_REQ (sizeof(ibm_cpacf_wrap_req_versions) / sizeof(version_req_t))
+#endif /* NO_PKEY */
static const CK_ULONG ibm_cex_ab_ecdh_api_version = 3;
static const version_req_t ibm_ab_ecdh_req_versions[] = {
@@ -504,6 +508,7 @@ static CK_BBOOL ep11tok_pkey_option_disabled(STDLL_TokData_t *tokdata)
return CK_FALSE;
}
+#ifndef NO_PKEY
/**
* Callback function used by handle_all_ep11_cards() for creating a protected
* key via the given APQN (adaper,domain).
@@ -1283,6 +1288,7 @@ CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
done:
return ret;
}
+#endif /* NO_PKEY */
/**
* This function is called whenever a new object is created. It sets
@@ -1299,9 +1305,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
CK_ULONG mode, TEMPLATE *tmpl)
{
ep11_private_data_t *ep11_data = tokdata->private_data;
- CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
- CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
- CK_BBOOL add_pkey_extractable = CK_FALSE;
+ CK_ATTRIBUTE *sensitive_attr = NULL;
+ CK_BBOOL sensitive, btrue = CK_TRUE;
+#ifndef NO_PKEY
+ CK_ATTRIBUTE *ecp_attr = NULL;
+ CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
+#endif
CK_RV ret;
UNUSED(mode);
@@ -1331,6 +1340,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
}
}
+#ifndef NO_PKEY
switch (ep11_data->pkey_mode) {
case PKEY_MODE_DISABLED:
/* Nothing to do */
@@ -1423,6 +1433,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
goto done;
break;
}
+#endif /* NO_PKEY */
ret = CKR_OK;
@@ -1431,6 +1442,19 @@ done:
return ret;
}
+#ifdef NO_PKEY
+CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+{
+ UNUSED(tokdata);
+ UNUSED(session);
+ UNUSED(hkey);
+ UNUSED(mech);
+
+ return CK_FALSE;
+}
+#endif /* NO_PKEY */
+
static CK_RV check_ab_supported(CK_KEY_TYPE type) {
switch(type) {
case CKK_AES:
@@ -2837,8 +2861,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
goto error;
}
+#ifndef NO_PKEY
ep11_data->msa_level = get_msa_level();
TRACE_INFO("MSA level = %i\n", ep11_data->msa_level);
+#endif
if (pthread_mutex_init(&ep11_data->raw2key_wrap_blob_mutex, NULL) != 0) {
TRACE_ERROR("Initializing Wrap-Blob lock failed.\n");
@@ -2847,19 +2873,20 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
}
ep11_data->raw2key_wrap_blob_l = 0;
-
if (pthread_mutex_init(&ep11_data->pkey_mutex, NULL) != 0) {
TRACE_ERROR("Initializing PKEY lock failed.\n");
rc = CKR_CANT_LOCK;
goto error;
}
+#ifndef NO_PKEY
if (!ep11tok_pkey_option_disabled(tokdata) &&
!ep11_data->fips_session_mode) {
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, NULL);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
}
+#endif /* NO_PKEY */
if (ep11_data->vhsm_mode || ep11_data->fips_session_mode) {
if (pthread_mutex_init(&ep11_data->session_mutex, NULL) != 0) {
@@ -3178,7 +3205,11 @@ static CK_RV import_aes_xts_key(STDLL_TokData_t *tokdata, SESSION *sess,
if (rc != CKR_OK)
goto import_aes_xts_key_end;
+#ifndef NO_PKEY
rc = ep11tok_pkey_check_aes_xts(tokdata, aes_xts_key_obj, CKM_AES_XTS);
+#else
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
+#endif
if (rc != CKR_OK) {
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", __func__, rc);
goto import_aes_xts_key_end;
@@ -4562,10 +4593,12 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
return rc;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
return rc;
+#endif /* NO_PKEY */
memset(blob, 0, sizeof(blob));
memset(blobreenc, 0, sizeof(blobreenc));
@@ -4797,10 +4830,12 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
goto error;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
MODE_KEYGEN, CKO_SECRET_KEY, ktype, &key_obj);
@@ -4820,7 +4855,11 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
if (mech->mechanism == CKM_AES_XTS_KEY_GEN) {
xts = TRUE;
+#ifndef NO_PKEY
rc = ep11tok_pkey_check_aes_xts(tokdata, key_obj, mech->mechanism);
+#else
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
+#endif
if (rc != CKR_OK) {
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n",
__func__, rc);
@@ -5812,7 +5851,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
CK_BYTE *out_data, CK_ULONG *out_data_len,
OBJECT *key_obj )
{
+#ifndef NO_PKEY
SIGN_VERIFY_CONTEXT *ctx = &(session->sign_ctx);
+#endif
CK_RV rc;
size_t keyblobsize = 0;
CK_BYTE *keyblob;
@@ -5826,6 +5867,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
return rc;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
switch (rc) {
case CKR_OK:
@@ -5837,6 +5879,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
default:
goto done;
}
+#endif /* NO_PKEY */
mech.mechanism = CKM_ECDSA;
mech.pParameter = NULL;
@@ -5856,7 +5899,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
return rc;
}
@@ -5866,7 +5911,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
CK_BYTE *out_data, CK_ULONG out_data_len,
OBJECT *key_obj )
{
+#ifndef NO_PKEY
SIGN_VERIFY_CONTEXT *ctx = &(session->verify_ctx);
+#endif
CK_RV rc;
CK_BYTE *spki;
size_t spki_len = 0;
@@ -5880,6 +5927,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
return rc;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
switch (rc) {
case CKR_OK:
@@ -5891,6 +5939,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
default:
goto done;
}
+#endif /* NO_PKEY */
mech.mechanism = CKM_ECDSA;
mech.pParameter = NULL;
@@ -5911,7 +5960,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
return rc;
}
@@ -5981,6 +6032,7 @@ CK_RV token_specific_reencrypt_single(STDLL_TokData_t *tokdata,
return rc;
}
+#ifndef NO_PKEY
/**
* This routine is currently only used when the operation is performed using
* a protected key. Therefore we don't have (and don't need) an ep11
@@ -6062,6 +6114,7 @@ CK_RV token_specific_aes_xts(STDLL_TokData_t *tokdata, SESSION *session,
return pkey_aes_xts(key_obj, init_v, in_data, in_data_len,
out_data, out_data_len, encrypt, initial, final, iv);
}
+#endif /* NO_PKEY */
struct EP11_KYBER_MECH {
CK_MECHANISM mech;
@@ -6829,10 +6882,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t *tokdata, SESSION *session,
goto error;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Start creating the key object */
rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len,
@@ -8554,10 +8609,12 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess,
if (rc != CKR_OK)
goto error;
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Now build the skeleton key. */
rc = object_mgr_create_skel(tokdata, sess, pPublicKeyTemplate,
@@ -9202,6 +9259,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -9239,6 +9297,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_sign_state);
goto done;
}
+#endif /* NO_PKEY */
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
@@ -9340,6 +9399,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
CK_ULONG in_data_len, CK_BYTE * signature,
CK_ULONG * sig_len)
{
+#ifdef NO_PKEY
+ UNUSED(length_only);
+#endif
CK_RV rc;
SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx;
size_t keyblobsize = 0;
@@ -9355,6 +9417,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
+#ifndef NO_PKEY
if (ctx->pkey_active) {
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
@@ -9372,6 +9435,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
}
goto done; /* no ep11 fallback possible */
}
+#endif /* NO_PKEY */
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
RETRY_UPDATE_BLOB_START(tokdata, target_info,
@@ -9394,7 +9458,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -9638,6 +9704,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -9675,6 +9742,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_sign_state);
goto done;
}
+#endif /* NO_PKEY */
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
@@ -9787,6 +9855,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
+#ifndef NO_PKEY
if (ctx->pkey_active) {
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
@@ -9805,6 +9874,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
}
goto done; /* no ep11 fallback possible */
}
+#endif /* NO_PKEY */
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
RETRY_UPDATE_BLOB_START(tokdata, target_info,
@@ -9827,7 +9897,9 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -10561,6 +10633,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
goto error;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -10604,6 +10677,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_state);
goto done;
}
+#endif /* NO_PKEY */
/*
* ep11_state is allocated large enough to hold 2 times the max state blob.
@@ -11150,10 +11224,12 @@ CK_RV ep11tok_unwrap_key(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Start creating the key object */
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
@@ -11878,6 +11954,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
}
break;
+#ifndef NO_PKEY
case CKM_IBM_CPACF_WRAP:
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3) <= 0) {
TRACE_INFO("%s Mech '%s' banned due to host library version\n",
@@ -11895,6 +11972,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
goto out;
}
break;
+#endif /* NO_PKEY */
case CKM_IBM_BTC_DERIVE:
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3_1) < 0) {
@@ -12268,6 +12346,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
{
if (strcmp(strval, "DISABLED") == 0)
ep11_data->pkey_mode = PKEY_MODE_DISABLED;
+#ifndef NO_PKEY
else if (strcmp(strval, "DEFAULT") == 0)
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
@@ -12276,6 +12355,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
else if (strcmp(strval, "ENABLE4ALL") == 0)
ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
+#endif /* NO_PKEY */
else {
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
@@ -12456,7 +12536,11 @@ static CK_RV read_adapter_config_file(STDLL_TokData_t * tokdata,
sizeof(ep11_data->token_config_filename) - 1] = '\0';
ep11_data->target_list.length = 0;
+#ifndef NO_PKEY
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
+#else
+ ep11_data->pkey_mode = PKEY_MODE_DISABLED;
+#endif
/* Default to use default libica library for digests */
ep11_data->digest_libica = 1;
@@ -14695,10 +14779,12 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
}
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
return rc;
+#endif /* NO_PKEY */
node = new_tmpl->attribute_list;
while (node) {
@@ -14734,6 +14820,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
goto out;
}
break;
+#ifndef NO_PKEY
case CKA_IBM_PROTKEY_EXTRACTABLE:
if (ep11_data->pkey_wrap_supported) {
rc = add_to_attribute_array(&attributes, &num_attributes,
@@ -14746,6 +14833,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
}
}
break;
+#endif /* NO_PKEY */
default:
/* Either non-boolean, or read-only */
break;
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
index 6a1d68be..e543c514 100644
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/trace.c usr/lib/common/mech_list.c \
usr/lib/common/shared_memory.c usr/lib/common/attributes.c \
usr/lib/common/sw_crypt.c usr/lib/common/profile_obj.c \
- usr/lib/common/dlist.c usr/lib/common/pkey_utils.c \
+ usr/lib/common/dlist.c \
usr/lib/ep11_stdll/new_host.c usr/lib/common/mech_openssl.c \
usr/lib/ep11_stdll/ep11_specific.c \
usr/lib/ep11_stdll/ep11_session.c \
@@ -53,3 +53,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/pqc_supported.c \
usr/lib/hsm_mk_change/hsm_mk_change.c \
usr/lib/common/btree.c usr/lib/common/sess_mgr.c
+
+if !NO_PKEY
+opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
+ usr/lib/common/pkey_utils.c
+endif
diff --git a/usr/lib/ep11_stdll/tok_struct.h b/usr/lib/ep11_stdll/tok_struct.h
index 304e3eb9..17a5bcf0 100644
--- a/usr/lib/ep11_stdll/tok_struct.h
+++ b/usr/lib/ep11_stdll/tok_struct.h
@@ -115,8 +115,13 @@ token_spec_t token_specific = {
// AES
NULL, // aes_key_gen,
NULL, // aes_xts_key_gen
+#ifndef NO_PKEY
&token_specific_aes_ecb,
&token_specific_aes_cbc,
+#else
+ NULL, // aes_ecb
+ NULL, // aes_cbc
+#endif
NULL, // aes_ctr
NULL, // aes_gcm_init
NULL, // aes_gcm
@@ -125,8 +130,13 @@ token_spec_t token_specific = {
NULL, // aes_ofb
NULL, // aes_cfb
NULL, // aes_mac
+#ifndef NO_PKEY
&token_specific_aes_cmac,
&token_specific_aes_xts, // aes_xts
+#else
+ NULL, // aes_cmac
+ NULL, // aes_xts
+#endif
// DSA
NULL, // dsa_generate_keypair,
NULL, // dsa_sign

View File

@ -0,0 +1,61 @@
commit 0bdcc661e64950e5ea11d950484631ba90e69426
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu Mar 7 17:51:40 2024 +0100
EP11 pkey option: consolidate code parts, no logic change
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 114c4ce1..9f855934 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1369,11 +1369,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
case PKEY_MODE_ENABLE4EXTR:
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
@@ -1396,11 +1391,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
case PKEY_MODE_ENABLE4ALL:
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
@@ -1421,11 +1411,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
default:
TRACE_ERROR("PKEY_MODE %i unsupported.\n", ep11_data->pkey_mode);
@@ -1433,6 +1418,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
goto done;
break;
}
+
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
#endif /* NO_PKEY */
ret = CKR_OK;

View File

@ -0,0 +1,26 @@
commit 88761bc4bd560801ec8a18b96cc82586dd719ca3
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Mar 12 17:13:33 2024 +0100
EP11: add check if protected-key support available at all
If it is already known that the PKEY wrap is not supported or not
functioning (for whatever reason), then don't report the XTS
mechanisms as supported.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 9f855934..7850e43f 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -12001,7 +12001,8 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
case CKM_AES_XTS:
case CKM_AES_XTS_KEY_GEN:
- if (ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
+ if ((ep11_data->pkey_wrap_support_checked && !ep11_data->pkey_wrap_supported) ||
+ ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
ep11tok_is_mechanism_supported(tokdata, CKM_IBM_CPACF_WRAP) != CKR_OK ||
ep11tok_is_mechanism_supported(tokdata, CKM_AES_KEY_GEN) != CKR_OK) {
TRACE_INFO("%s Mech '%s' not suppported\n", __func__,

View File

@ -0,0 +1,31 @@
commit 99b87ff678abfb71ba05741d1942e8ac723110c8
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Mar 12 17:30:36 2024 +0100
EP11: consider combined-extract for XTS pkey check
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 7850e43f..e2c9a77e 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
CK_MECHANISM_TYPE type)
{
+ ep11_private_data_t *ep11_data = tokdata->private_data;
+
if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) {
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
return CKR_MECHANISM_INVALID;
}
- if (object_is_extractable(key_obj) ||
- !object_is_pkey_extractable(key_obj) ||
- object_is_attr_bound(key_obj)) {
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
+ TRACE_ERROR("Key not eligible for pkey support\n");
return CKR_TEMPLATE_INCONSISTENT;
}

View File

@ -0,0 +1,306 @@
commit 5b20a1454ca464b07e7686340a579d8b1870e572
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Mar 20 08:44:25 2024 +0100
EP11: Reject combined extract attribute settings if it is not supported
In case the control point setting of the adapters do not allow that attributes
CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE are both true, then reject
this with CKR_TEMPLATE_INCONSISTENT.
The EP11 code would reject that with CKR_FUNCTION_CANCELED, which for EP11
it means that it violates an internal policy (i.e. control point settings),
but in PKCS#11 this return code has a totally different meaning. So reject
such situations explicitly with the correct return code.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index e2c9a77e..b5d788bf 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1089,20 +1089,23 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
* Returns true if the given key object is eligible to get a protected key
* attribute, false otherwise.
*/
-CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
- OBJECT *key_obj)
+static CK_RV ep11tok_pkey_obj_eligible_for_pkey_support(
+ ep11_private_data_t *ep11_data,
+ OBJECT *key_obj)
{
if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
!object_is_pkey_extractable(key_obj)) {
- return CK_FALSE;
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
if (!ep11_data->pkey_combined_extract_supported &&
object_is_extractable(key_obj)) {
- return CK_FALSE;
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
+ return CKR_TEMPLATE_INCONSISTENT;
}
- return CK_TRUE;
+ return CKR_OK;
}
/**
@@ -1176,7 +1179,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
goto done;
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
+ ret = ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj);
+ if (ret != CKR_OK)
goto done;
if (template_attribute_get_non_empty(key_obj->template,
@@ -1218,11 +1222,14 @@ done:
/**
* Wrapper function around ep11tok_pkey_check for the case where we don't
* have a key object. This function is called externally from new_host.c.
+ * Returns CKR_OK if pkey usage is OK, CKR_FUNCTION_NOT_SUPPORTED if pkey
+ * is not supported, or any other return code in case of an error. In such
+ * cases the calling function should itself return with an error, because
+ * neither the secure key nor the protected key path will work.
*/
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
{
- CK_BBOOL success = CK_FALSE;
size_t keyblobsize = 0;
CK_BYTE *keyblob;
OBJECT *key_obj;
@@ -1232,17 +1239,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
READ_LOCK);
if (ret != CKR_OK) {
TRACE_ERROR("%s no blob ret=0x%lx\n", __func__, ret);
- return CK_FALSE;
+ return ret;
}
ret = ep11tok_pkey_check(tokdata, session, key_obj, mech);
- if (ret == CKR_OK)
- success = CK_TRUE;
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
- return success;
+ return ret;
}
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
@@ -1255,7 +1260,8 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
return CKR_MECHANISM_INVALID;
}
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
+ if (ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data,
+ key_obj) != CKR_OK) {
TRACE_ERROR("Key not eligible for pkey support\n");
return CKR_TEMPLATE_INCONSISTENT;
}
@@ -1307,10 +1313,10 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
{
ep11_private_data_t *ep11_data = tokdata->private_data;
CK_ATTRIBUTE *sensitive_attr = NULL;
- CK_BBOOL sensitive, btrue = CK_TRUE;
+ CK_BBOOL sensitive, extractable, pkey_extractable, btrue = CK_TRUE;
#ifndef NO_PKEY
CK_ATTRIBUTE *ecp_attr = NULL;
- CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
+ CK_BBOOL add_pkey_extractable = CK_FALSE;
#endif
CK_RV ret;
@@ -1341,6 +1347,25 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
}
}
+ if (!ep11_data->pkey_combined_extract_supported) {
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
+ if (ret != CKR_OK)
+ extractable = FALSE;
+
+ ret = template_attribute_get_bool(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE,
+ &pkey_extractable);
+ if (ret != CKR_OK)
+ pkey_extractable = FALSE;
+
+ if (extractable && pkey_extractable) {
+ /* The EP11 call would return CKR_FUNCTION_CANCELED in that case */
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
+ ret = CKR_TEMPLATE_INCONSISTENT;
+ goto done;
+ }
+ }
+
#ifndef NO_PKEY
switch (ep11_data->pkey_mode) {
case PKEY_MODE_DISABLED:
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
index 16d3c719..9ba28cb8 100644
--- a/usr/lib/ep11_stdll/ep11_specific.h
+++ b/usr/lib/ep11_stdll/ep11_specific.h
@@ -585,8 +585,8 @@ CK_BBOOL ep11tok_libica_mech_available(STDLL_TokData_t *tokdata,
CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata,
CK_TOKEN_INFO_PTR pInfo);
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
CK_RV ep11tok_set_operation_state(STDLL_TokData_t *tokdata, SESSION *session);
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index 299a1d3c..f84d0810 100644
--- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c
@@ -2080,9 +2080,15 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->encr_ctx.multi_init = FALSE;
sess->encr_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part encrypt operation we don't need the
* EncryptInit, instead we can use the EncryptSingle which is much
* faster. In case of multi-part operations we are doing the EncryptInit
@@ -2179,9 +2185,16 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key,
+ &sess->encr_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->encr_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech,
length_only, sess->encr_ctx.key,
pData, ulDataLen, pEncryptedData,
@@ -2408,9 +2421,15 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->decr_ctx.multi_init = FALSE;
sess->decr_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part decrypt operation we don't need the
* DecryptInit, instead we can use the EncryptSingle which is much
* faster. In case of multi-part operations we are doing the DecryptInit
@@ -2508,9 +2527,16 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key,
+ &sess->decr_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->decr_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech,
length_only, sess->decr_ctx.key,
pEncryptedData, ulEncryptedDataLen,
@@ -2992,9 +3018,15 @@ CK_RV SC_SignInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->sign_ctx.multi_init = FALSE;
sess->sign_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part sign operation we don't need the SignInit,
* instead we can use the SignSingle which is much faster.
* In case of multi-part operations we are doing the SignInit when
@@ -3101,9 +3133,16 @@ CK_RV SC_Sign(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key,
+ &sess->sign_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->sign_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, &sess->sign_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_sign_single(tokdata, sess, &sess->sign_ctx.mech,
length_only, sess->sign_ctx.key,
pData, ulDataLen, pSignature, pulSignatureLen);
@@ -3391,9 +3430,15 @@ CK_RV SC_VerifyInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->verify_ctx.multi_init = FALSE;
sess->verify_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part verify operation we don't need the
* VerifyInit, instead we can use the VerifySingle which is much
* faster. In case of multi-part operations we are doing the VerifyInit
@@ -3497,9 +3542,16 @@ CK_RV SC_Verify(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key,
+ &sess->verify_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->verify_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, &sess->verify_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_verify_single(tokdata, sess, &sess->verify_ctx.mech,
sess->verify_ctx.key, pData, ulDataLen,
pSignature, ulSignatureLen);

View File

@ -0,0 +1,36 @@
commit 4fefcf517133260a7b63049d3a02c9249fe7776c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Apr 15 09:31:12 2024 +0200
EP11: Fix compile error with NO_PKEY defined
Function signature of ep11tok_pkey_usage_ok() has changed, also change the
code inside the #ifdef NO_PKEY block.
Fixes: cf978b111205b206c7b3c53f424f7085913c00d0
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index b5d788bf..e9007a16 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1460,15 +1460,15 @@ done:
}
#ifdef NO_PKEY
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
{
UNUSED(tokdata);
UNUSED(session);
UNUSED(hkey);
UNUSED(mech);
- return CK_FALSE;
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
#endif /* NO_PKEY */

View File

@ -1,153 +0,0 @@
commit f931d6e47bf2fb26aa9cf52e231d13edc1c837a1
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Dec 12 17:16:56 2023 +0100
COMMON: Update rsa_parse_block_type_2() to not leak the message length
Take the implementation of OpenSSL function RSA_padding_check_PKCS1_type_2()
in crypto/rsa/rsa_pk1.c instead of ossl_rsa_padding_check_PKCS1_type_2(), since
the latter leaks the message size.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
index 326c5795..7bab1a84 100644
--- a/usr/lib/common/mech_rsa.c
+++ b/usr/lib/common/mech_rsa.c
@@ -29,6 +29,7 @@
#include "constant_time.h"
#include <openssl/crypto.h>
+#include <openssl/rsa.h>
CK_BBOOL is_rsa_mechanism(CK_MECHANISM_TYPE mech)
{
@@ -293,13 +294,16 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
CK_BYTE *out_data,
CK_ULONG *out_data_len)
{
- unsigned int ok = 0, found, zero;
- size_t zero_index = 0, msg_index, mlen;
- size_t i, j;
+ int i;
+ unsigned char *em = NULL;
+ unsigned int good, found_zero_byte, mask, equals0;
+ int zero_index = 0, msg_index, mlen = -1;
+ int out_len = *out_data_len;
+ int rsa_size = in_data_len;
/*
* The implementation of this function is copied from OpenSSL's function
- * ossl_rsa_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
+ * RSA_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
* and is slightly modified to fit to the OpenCryptoki environment.
*
* The OpenSSL code is licensed under the Apache License 2.0.
@@ -324,55 +328,86 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard",
* section 7.2.2.
*/
- if (in_data_len < 11) {
+ if (rsa_size < RSA_PKCS1_PADDING_SIZE) {
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
return CKR_FUNCTION_FAILED;
}
- ok = constant_time_is_zero(in_data[0]);
- ok &= constant_time_eq(in_data[1], 2);
+ em = malloc(rsa_size);
+ if (em == NULL) {
+ TRACE_DEVEL("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ /* in_data_len is always equal to rsa_size */
+ memcpy(em, in_data, rsa_size);
+
+ good = constant_time_is_zero(em[0]);
+ good &= constant_time_eq(em[1], 2);
/* scan over padding data */
- found = 0;
- for (i = 2; i < in_data_len; i++) {
- zero = constant_time_is_zero(in_data[i]);
+ found_zero_byte = 0;
+ for (i = 2; i < rsa_size; i++) {
+ equals0 = constant_time_is_zero(em[i]);
- zero_index = constant_time_select_int(~found & zero, i, zero_index);
- found |= zero;
+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
+ i, zero_index);
+ found_zero_byte |= equals0;
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |enc_msg|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
- ok &= constant_time_ge(zero_index, 2 + 8);
+ good &= constant_time_ge(zero_index, 2 + 8);
/*
* Skip the zero byte. This is incorrect if we never found a zero-byte
* but in this case we also do not copy the message out.
*/
msg_index = zero_index + 1;
- mlen = in_data_len - msg_index;
+ mlen = rsa_size - msg_index;
/*
* For good measure, do this check in constant time as well.
*/
- ok &= constant_time_ge(*out_data_len, mlen);
+ good &= constant_time_ge(out_len, mlen);
/*
- * since at this point the |msg_index| does not provide the signal
- * indicating if the padding check failed or not, we don't have to worry
- * about leaking the length of returned message, we still need to ensure
- * that we read contents of both buffers so that cache accesses don't leak
- * the value of |good|
+ * Move the result in-place by |rsa_size|-RSA_PKCS1_PADDING_SIZE-|mlen|
+ * bytes to the left.
+ * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to
+ * |out_data|. Otherwise leave |out_data| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
*/
- for (i = msg_index, j = 0; i < in_data_len && j < *out_data_len; i++, j++)
- out_data[j] = constant_time_select_8(ok, in_data[i], out_data[j]);
+ out_len = constant_time_select_int(
+ constant_time_lt(rsa_size - RSA_PKCS1_PADDING_SIZE, out_len),
+ rsa_size - RSA_PKCS1_PADDING_SIZE,
+ out_len);
+ for (msg_index = 1; msg_index < rsa_size - RSA_PKCS1_PADDING_SIZE;
+ msg_index <<= 1) {
+ mask = ~constant_time_eq(
+ msg_index & (rsa_size - RSA_PKCS1_PADDING_SIZE - mlen), 0);
+ for (i = RSA_PKCS1_PADDING_SIZE; i < rsa_size - msg_index; i++)
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
+ }
+ for (i = 0; i < out_len; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ out_data[i] = constant_time_select_8(
+ mask, em[i + RSA_PKCS1_PADDING_SIZE], out_data[i]);
+ }
+
+ OPENSSL_cleanse(em, rsa_size);
+ free(em);
- *out_data_len = j;
+ *out_data_len = constant_time_select_int(good, mlen, 0);
- return constant_time_select_int(ok, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
+ return constant_time_select_int(good, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
}
CK_RV rsa_parse_block(CK_BYTE *in_data,

View File

@ -1,737 +0,0 @@
commit 5f1a4f8641306ee192b70c8a32c9ee8a0fe9be5f
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jan 15 12:53:37 2024 +0100
common: Add support for implicit rejection for RSA PKCS#1 v1.5 de-padding
Implicit rejection returns a pseudo random message in case the RSA PKCS#1 v1.5
padding is incorrect, but returns no error. The pseudo random message is based
on static secret data (the private exponent) and the provided ciphertext, so
that the attacker cannot determine that the returned value is randomly generated
instead of the result of decryption and de-padding.
The implicit rejection algorithm is the same as used by OpenSSL.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/COPYRIGHTS b/COPYRIGHTS
index 2bb3dffe..21b6b702 100644
--- a/COPYRIGHTS
+++ b/COPYRIGHTS
@@ -12,19 +12,29 @@ For code originating from OpenSSL:
* Note that in OpenSSL the file crypto/bn/rsa_sup_mul.c does no longer
* exist, it was removed with commit https://github.com/openssl/openssl/commit/4209ce68d8fe8b1506494efa03d378d05baf9ff8
* - usr/lib/common/constant_time.h: Copied unchanged from OpenSSL from
- include/internal/constant_time.h
+ * include/internal/constant_time.h
* - The implementation of function rsa_parse_block_type_2() in
* usr/lib/common/mech_rsa.c is copied from OpenSSL's function
* ossl_rsa_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
* and is slightly modified to fit to the OpenCryptoki environment.
* See comment in function rsa_parse_block_type_2() for a list of changes.
+ * - The implementation of function openssl_specific_rsa_derive_kdk() in
+ * usr/lib/common/mech_openssl.c is copied from OpenSSL's function
+ * derive_kdk() in crypto/rsa/rsa_ossl.c and is slightly modified to fit to
+ * the OpenCryptoki environment. See comment in function
+ * openssl_specific_rsa_derive_kdk() for a list of changes.
+ * - The implementation of function openssl_specific_rsa_prf() in
+ * usr/lib/common/mech_openssl.c is copied from OpenSSL's function
+ * ossl_rsa_prf() in crypto/rsa/rsapk1.c and is slightly modified to fit to
+ * the OpenCryptoki environment. See comment in function
+ * openssl_specific_rsa_prf() for a list of changes.
* - The implementation of function decode_eme_oaep() in
* usr/lib/common/mech_rsa.c is copied from OpenSSL's function
* RSA_padding_check_PKCS1_OAEP_mgf1() in crypto/rsa/rsa_oaep.c and is
* slightly modified to fit to the OpenCryptoki environment. See comment in
* function decode_eme_oaep() for a list of changes.
*
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* The OpenSSL code is licensed under the Apache License 2.0 (the "License").
* You can obtain a copy in the file LICENSE in the OpenSSL source distribution
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index a88b57d0..29496d99 100644
--- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h
@@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata,
CK_RV rsa_parse_block(CK_BYTE *in_data,
CK_ULONG in_data_len,
CK_BYTE *out_data,
- CK_ULONG *out_data_len, CK_ULONG type);
+ CK_ULONG *out_data_len, CK_ULONG type,
+ CK_BYTE *kdk, CK_ULONG kdklen);
CK_RV get_mgf_mech(CK_RSA_PKCS_MGF_TYPE mgf, CK_MECHANISM_TYPE *mech);
@@ -3179,6 +3180,14 @@ CK_RV openssl_specific_hmac_update(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
CK_ULONG *sig_len, CK_BBOOL sign);
+CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
+ const CK_BYTE *in, CK_ULONG inlen,
+ CK_BYTE *kdk, CK_ULONG kdklen);
+CK_RV openssl_specific_rsa_prf(CK_BYTE *out, CK_ULONG outlen,
+ const char *label, CK_ULONG labellen,
+ const CK_BYTE *kdk, CK_ULONG kdklen,
+ uint16_t bitlen);
+
#include "tok_spec_struct.h"
extern token_spec_t token_specific;
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index 9983fcb3..da515289 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -1154,6 +1154,7 @@ CK_RV openssl_specific_rsa_pkcs_decrypt(STDLL_TokData_t *tokdata,
CK_RV rc;
CK_BYTE out[MAX_RSA_KEYLEN];
CK_ULONG modulus_bytes;
+ unsigned char kdk[SHA256_HASH_SIZE] = { 0 };
modulus_bytes = in_data_len;
@@ -1163,7 +1164,16 @@ CK_RV openssl_specific_rsa_pkcs_decrypt(STDLL_TokData_t *tokdata,
goto done;
}
- rc = rsa_parse_block(out, modulus_bytes, out_data, out_data_len, PKCS_BT_2);
+ rc = openssl_specific_rsa_derive_kdk(tokdata, key_obj,
+ in_data, in_data_len,
+ kdk, sizeof(kdk));
+ if (rc != CKR_OK) {
+ TRACE_DEVEL("openssl_specific_rsa_derive_kdk failed\n");
+ goto done;
+ }
+
+ rc = rsa_parse_block(out, modulus_bytes, out_data, out_data_len, PKCS_BT_2,
+ kdk, sizeof(kdk));
done:
OPENSSL_cleanse(out, sizeof(out));
@@ -1254,7 +1264,7 @@ CK_RV openssl_specific_rsa_pkcs_verify(STDLL_TokData_t *tokdata, SESSION *sess,
}
rc = rsa_parse_block(out, modulus_bytes, out_data, &out_data_len,
- PKCS_BT_1);
+ PKCS_BT_1, NULL, 0);
if (rc == CKR_ENCRYPTED_DATA_INVALID) {
TRACE_ERROR("%s\n", ock_err(ERR_SIGNATURE_INVALID));
return CKR_SIGNATURE_INVALID;
@@ -1318,7 +1328,8 @@ CK_RV openssl_specific_rsa_pkcs_verify_recover(STDLL_TokData_t *tokdata,
return rc;
}
- rc = rsa_parse_block(out, modulus_bytes, out_data, out_data_len, PKCS_BT_1);
+ rc = rsa_parse_block(out, modulus_bytes, out_data, out_data_len, PKCS_BT_1,
+ NULL, 0);
if (rc == CKR_ENCRYPTED_DATA_INVALID) {
TRACE_ERROR("%s\n", ock_err(ERR_SIGNATURE_INVALID));
return CKR_SIGNATURE_INVALID;
@@ -4983,3 +4994,388 @@ done:
ctx->context = NULL;
return rv;
}
+
+static CK_RV calc_rsa_priv_exp(STDLL_TokData_t *tokdata, OBJECT *key_obj,
+ CK_BYTE *priv_exp, CK_ULONG priv_exp_len)
+{
+ CK_ATTRIBUTE *modulus = NULL, *pub_exp = NULL;
+ CK_ATTRIBUTE *prime1 = NULL, *prime2 = NULL;
+ BN_CTX *bn_ctx;
+ BIGNUM *n, *e, *p, *q, *d;
+ CK_RV rc;
+
+ UNUSED(tokdata);
+
+ bn_ctx = BN_CTX_secure_new();
+ if (bn_ctx == NULL) {
+ TRACE_ERROR("BN_CTX_secure_new failed\n");
+ return CKR_FUNCTION_FAILED;
+ }
+
+ /* Get modulus a BIGNUM */
+ rc = template_attribute_get_non_empty(key_obj->template, CKA_MODULUS,
+ &modulus);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("Failed to get CKA_MODULUS\n");
+ goto done;
+ }
+
+ n = BN_CTX_get(bn_ctx);
+ if (n == NULL ||
+ BN_bin2bn(modulus->pValue, modulus->ulValueLen, n) == NULL) {
+ TRACE_ERROR("BN_CTX_get/BN_bin2bn failed for modulus\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+ BN_set_flags(n, BN_FLG_CONSTTIME);
+
+ /* Get public exponent a BIGNUM */
+ rc = template_attribute_get_non_empty(key_obj->template,
+ CKA_PUBLIC_EXPONENT, &pub_exp);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("Failed to get CKA_PUBLIC_EXPONENT\n");
+ goto done;
+ }
+
+ e = BN_CTX_get(bn_ctx);
+ if (e == NULL ||
+ BN_bin2bn(pub_exp->pValue, pub_exp->ulValueLen, e) == NULL) {
+ TRACE_ERROR("BN_CTX_get/BN_bin2bn failed for public exponent\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+ BN_set_flags(e, BN_FLG_CONSTTIME);
+
+ /* Get prime1 a BIGNUM */
+ rc = template_attribute_get_non_empty(key_obj->template, CKA_PRIME_1,
+ &prime1);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("Failed to get CKA_PRIME_1\n");
+ goto done;
+ }
+
+ p = BN_CTX_get(bn_ctx);
+ if (p == NULL ||
+ BN_bin2bn(prime1->pValue, prime1->ulValueLen, p) == NULL) {
+ TRACE_ERROR("BN_CTX_get/BN_bin2bn failed for prime1\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+ BN_set_flags(p, BN_FLG_CONSTTIME);
+
+ /* Get prime2 a BIGNUM */
+ rc = template_attribute_get_non_empty(key_obj->template, CKA_PRIME_2,
+ &prime2);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("Failed to get CKA_PRIME_2\n");
+ goto done;
+ }
+
+ q = BN_CTX_get(bn_ctx);
+ if (q == NULL ||
+ BN_bin2bn(prime2->pValue, prime2->ulValueLen, q) == NULL) {
+ TRACE_ERROR("BN_CTX_get/BN_bin2bn failed for prime2\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+ BN_set_flags(q, BN_FLG_CONSTTIME);
+
+ d = BN_CTX_get(bn_ctx);
+ if (d == NULL) {
+ TRACE_ERROR("BN_CTX_get failed to get d\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+ BN_set_flags(d, BN_FLG_CONSTTIME);
+
+ /*
+ * phi(n) = (p - 1 )(q - 1) = n - p - q + 1
+ * d = e ^{-1} mod phi(n).
+ */
+ if (BN_copy(d, n) == NULL ||
+ BN_sub(d, d, p) == 0 ||
+ BN_sub(d, d, q) == 0 ||
+ BN_add_word(d, 1) == 0 ||
+ BN_mod_inverse(d, e, d, bn_ctx) == NULL) {
+ TRACE_ERROR("Failed to calculate private key part d\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+
+ if (BN_bn2binpad(d, priv_exp, priv_exp_len) <= 0) {
+ TRACE_ERROR("BN_bn2binpad failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto done;
+ }
+
+done:
+ BN_CTX_free(bn_ctx);
+
+ return rc;
+}
+
+CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
+ const CK_BYTE *in, CK_ULONG inlen,
+ CK_BYTE *kdk, CK_ULONG kdklen)
+{
+ CK_ATTRIBUTE *priv_exp_attr = NULL, *modulus = NULL;
+ CK_BYTE *priv_exp = NULL, *buf = NULL;
+ EVP_PKEY *pkey = NULL;
+ EVP_MD_CTX *mdctx = NULL;
+ const EVP_MD *md = NULL;
+ size_t md_len;
+ unsigned char d_hash[SHA256_HASH_SIZE] = { 0 };
+ CK_RV rc;
+
+ /*
+ * The implementation of this function is copied from OpenSSL's function
+ * derive_kdk() in crypto/rsa/rsa_ossl.c and is slightly modified to fit to
+ * the OpenCryptoki environment.
+ * Changes include:
+ * - Different variable and define names.
+ * - Usage of TRACE_ERROR to report errors and issue debug messages.
+ * - Different return codes.
+ * - Different code to get the private key component 'd'.
+ * - Use of the EVP APIs instead of the internal APIs for Digest and HMAC
+ * operations.
+ */
+
+ if (kdklen != SHA256_HASH_SIZE) {
+ TRACE_ERROR("KDK length is wrong\n");
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ rc = template_attribute_get_non_empty(key_obj->template, CKA_MODULUS,
+ &modulus);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("Failed to get CKA_MODULUS\n");
+ return rc;
+ }
+
+ buf = calloc(1, modulus->ulValueLen);
+ if (buf == NULL) {
+ TRACE_ERROR("Failed to allocate a buffer for private exponent\n");
+ return CKR_HOST_MEMORY;
+ }
+
+ rc = template_attribute_get_non_empty(key_obj->template,
+ CKA_PRIVATE_EXPONENT, &priv_exp_attr);
+ if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE) {
+ TRACE_ERROR("Failed to get CKA_PRIVATE_EXPONENT\n");
+ goto out;
+ }
+
+ if (priv_exp_attr == NULL) {
+ rc = calc_rsa_priv_exp(tokdata, key_obj, buf, modulus->ulValueLen);
+ if (rc != CKR_OK) {
+ TRACE_ERROR("calc_rsa_priv_exp failed\n");
+ goto out;
+ }
+ priv_exp = buf;
+ } else {
+ if (priv_exp_attr->ulValueLen < modulus->ulValueLen) {
+ memcpy(buf + modulus->ulValueLen - priv_exp_attr->ulValueLen,
+ priv_exp_attr->pValue, priv_exp_attr->ulValueLen);
+ priv_exp = buf;
+ } else {
+ priv_exp = (CK_BYTE *)priv_exp_attr->pValue +
+ priv_exp_attr->ulValueLen - modulus->ulValueLen;
+ }
+ }
+
+ /*
+ * we use hardcoded hash so that migrating between versions that use
+ * different hash doesn't provide a Bleichenbacher oracle:
+ * if the attacker can see that different versions return different
+ * messages for the same ciphertext, they'll know that the message is
+ * synthetically generated, which means that the padding check failed
+ */
+ md = EVP_sha256();
+ if (md == NULL) {
+ TRACE_ERROR("EVP_sha256 failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ if (EVP_Digest(priv_exp, modulus->ulValueLen, d_hash, NULL,
+ md, NULL) <= 0) {
+ TRACE_ERROR("EVP_Digest failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, d_hash, sizeof(d_hash));
+ if (pkey == NULL) {
+ TRACE_ERROR("EVP_PKEY_new_mac_key() failed.\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ mdctx = EVP_MD_CTX_create();
+ if (mdctx == NULL) {
+ TRACE_ERROR("EVP_MD_CTX_create() failed.\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ if (EVP_DigestSignInit(mdctx, NULL, md, NULL, pkey) != 1) {
+ TRACE_ERROR("EVP_DigestSignInit failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ if (inlen < modulus->ulValueLen) {
+ memset(buf, 0, modulus->ulValueLen - inlen);
+ if (EVP_DigestSignUpdate(mdctx, buf, modulus->ulValueLen - inlen)!= 1) {
+ TRACE_ERROR("EVP_DigestSignUpdate failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+ }
+ if (EVP_DigestSignUpdate(mdctx, in, inlen) != 1) {
+ TRACE_ERROR("EVP_DigestSignUpdate failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ md_len = kdklen;
+ if (EVP_DigestSignFinal(mdctx, kdk, &md_len) != 1 ||
+ md_len != kdklen) {
+ TRACE_ERROR("EVP_DigestSignFinal failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ rc = CKR_OK;
+
+out:
+ if (buf != NULL)
+ free(buf);
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+ if (mdctx != NULL)
+ EVP_MD_CTX_free(mdctx);
+
+ return rc;
+}
+
+CK_RV openssl_specific_rsa_prf(CK_BYTE *out, CK_ULONG outlen,
+ const char *label, CK_ULONG labellen,
+ const CK_BYTE *kdk, CK_ULONG kdklen,
+ uint16_t bitlen)
+{
+ CK_RV rc;
+ CK_ULONG pos;
+ uint16_t iter = 0;
+ unsigned char be_iter[sizeof(iter)];
+ unsigned char be_bitlen[sizeof(bitlen)];
+ EVP_PKEY *pkey = NULL;
+ EVP_MD_CTX *mdctx = NULL;
+ unsigned char hmac_out[SHA256_HASH_SIZE];
+ size_t md_len;
+
+ /*
+ * The implementation of this function is copied from OpenSSL's function
+ * ossl_rsa_prf() in crypto/rsa/rsapk1.c and is slightly modified to fit to
+ * the providers environment.
+ * Changes include:
+ * - Different variable and define names.
+ * - Usage of TRACE_ERROR report errors and issue debug messages.
+ * - Different return codes.
+ * - Use of the EVP API instead of the internal APIs for HMAC operations.
+ */
+
+ if (kdklen != SHA256_HASH_SIZE) {
+ TRACE_ERROR("invalid kdklen\n");
+ return CKR_ARGUMENTS_BAD;
+ }
+ if (outlen * 8 != bitlen) {
+ TRACE_ERROR("invalid outlen\n");
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ be_bitlen[0] = (bitlen >> 8) & 0xff;
+ be_bitlen[1] = bitlen & 0xff;
+
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, kdk, kdklen);
+ if (pkey == NULL) {
+ TRACE_ERROR("EVP_PKEY_new_mac_key() failed.\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ mdctx = EVP_MD_CTX_create();
+ if (mdctx == NULL) {
+ TRACE_ERROR("EVP_MD_CTX_create() failed.\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ /*
+ * we use hardcoded hash so that migrating between versions that use
+ * different hash doesn't provide a Bleichenbacher oracle:
+ * if the attacker can see that different versions return different
+ * messages for the same ciphertext, they'll know that the message is
+ * synthetically generated, which means that the padding check failed
+ */
+ for (pos = 0; pos < outlen; pos += SHA256_HASH_SIZE, iter++) {
+ if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey) != 1) {
+ TRACE_ERROR("EVP_DigestSignInit failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ be_iter[0] = (iter >> 8) & 0xff;
+ be_iter[1] = iter & 0xff;
+
+ if (EVP_DigestSignUpdate(mdctx, be_iter, sizeof(be_iter)) != 1) {
+ TRACE_ERROR("EVP_DigestSignUpdate failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+ if (EVP_DigestSignUpdate(mdctx, (unsigned char *)label, labellen) != 1) {
+ TRACE_ERROR("EVP_DigestSignUpdate failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+ if (EVP_DigestSignUpdate(mdctx, be_bitlen, sizeof(be_bitlen)) != 1) {
+ TRACE_ERROR("EVP_DigestSignUpdate failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+
+ /*
+ * HMAC_Final requires the output buffer to fit the whole MAC
+ * value, so we need to use the intermediate buffer for the last
+ * unaligned block
+ */
+ md_len = SHA256_HASH_SIZE;
+ if (pos + SHA256_HASH_SIZE > outlen) {
+ md_len = sizeof(hmac_out);
+ if (EVP_DigestSignFinal(mdctx, hmac_out, &md_len) != 1) {
+ TRACE_ERROR("EVP_DigestSignFinal failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+ memcpy(out + pos, hmac_out, outlen - pos);
+ } else {
+ md_len = outlen - pos;
+ if (EVP_DigestSignFinal(mdctx, out + pos, &md_len) != 1) {
+ TRACE_ERROR("EVP_DigestSignFinal failed\n");
+ rc = CKR_FUNCTION_FAILED;
+ goto out;
+ }
+ }
+ }
+
+ rc = CKR_OK;
+
+out:
+ if (pkey != NULL)
+ EVP_PKEY_free(pkey);
+ if (mdctx != NULL)
+ EVP_MD_CTX_free(mdctx);
+
+ return rc;
+}
+
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
index 7bab1a84..7dc9589a 100644
--- a/usr/lib/common/mech_rsa.c
+++ b/usr/lib/common/mech_rsa.c
@@ -289,21 +289,34 @@ static CK_RV rsa_parse_block_type_1(CK_BYTE *in_data,
return rc;
}
+#define MAX_LEN_GEN_TRIES 128
+
static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
CK_ULONG in_data_len,
CK_BYTE *out_data,
- CK_ULONG *out_data_len)
+ CK_ULONG *out_data_len,
+ CK_BYTE *kdk, CK_ULONG kdklen)
{
- int i;
- unsigned char *em = NULL;
- unsigned int good, found_zero_byte, mask, equals0;
- int zero_index = 0, msg_index, mlen = -1;
- int out_len = *out_data_len;
- int rsa_size = in_data_len;
+ unsigned int good = 0, found_zero_byte, equals0;
+ size_t zero_index = 0, msg_index;
+ unsigned char *synthetic = NULL;
+ int synthetic_length;
+ uint16_t len_candidate;
+ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
+ uint16_t len_mask;
+ uint16_t max_sep_offset;
+ int synth_msg_index = 0;
+ size_t i, j;
+ CK_RV rc;
+
+ if (kdk == NULL || kdklen == 0) {
+ TRACE_DEVEL("%s\n", ock_err(ERR_ARGUMENTS_BAD));
+ return CKR_ARGUMENTS_BAD;
+ }
/*
* The implementation of this function is copied from OpenSSL's function
- * RSA_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
+ * ossl_rsa_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
* and is slightly modified to fit to the OpenCryptoki environment.
*
* The OpenSSL code is licensed under the Apache License 2.0.
@@ -328,27 +341,67 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard",
* section 7.2.2.
*/
- if (rsa_size < RSA_PKCS1_PADDING_SIZE) {
+ if (in_data_len < RSA_PKCS1_PADDING_SIZE) {
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
return CKR_FUNCTION_FAILED;
}
- em = malloc(rsa_size);
- if (em == NULL) {
- TRACE_DEVEL("%s\n", ock_err(ERR_HOST_MEMORY));
+ /* Generate a random message to return in case the padding checks fail. */
+ synthetic = calloc(1, in_data_len);
+ if (synthetic == NULL) {
+ TRACE_ERROR("Failed to allocate synthetic buffer");
return CKR_HOST_MEMORY;
}
- /* in_data_len is always equal to rsa_size */
- memcpy(em, in_data, rsa_size);
+ rc = openssl_specific_rsa_prf(synthetic, in_data_len, "message", 7,
+ kdk, kdklen, in_data_len * 8);
+ if (rc != CKR_OK)
+ goto out;
+
+ /* decide how long the random message should be */
+ rc = openssl_specific_rsa_prf(candidate_lengths,
+ sizeof(candidate_lengths),
+ "length", 6, kdk, kdklen,
+ MAX_LEN_GEN_TRIES *
+ sizeof(len_candidate) * 8);
+ if (rc != CKR_OK)
+ goto out;
- good = constant_time_is_zero(em[0]);
- good &= constant_time_eq(em[1], 2);
+ /*
+ * max message size is the size of the modulus size minus 2 bytes for
+ * version and padding type and a minimum of 8 bytes padding
+ */
+ len_mask = max_sep_offset = in_data_len - 2 - 8;
+ /*
+ * we want a mask so let's propagate the high bit to all positions less
+ * significant than it
+ */
+ len_mask |= len_mask >> 1;
+ len_mask |= len_mask >> 2;
+ len_mask |= len_mask >> 4;
+ len_mask |= len_mask >> 8;
+
+ synthetic_length = 0;
+ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
+ i += sizeof(len_candidate)) {
+ len_candidate = (candidate_lengths[i] << 8) |
+ candidate_lengths[i + 1];
+ len_candidate &= len_mask;
+
+ synthetic_length = constant_time_select_int(
+ constant_time_lt(len_candidate, max_sep_offset),
+ len_candidate, synthetic_length);
+ }
+
+ synth_msg_index = in_data_len - synthetic_length;
+
+ good = constant_time_is_zero(in_data[0]);
+ good &= constant_time_eq(in_data[1], 2);
/* scan over padding data */
found_zero_byte = 0;
- for (i = 2; i < rsa_size; i++) {
- equals0 = constant_time_is_zero(em[i]);
+ for (i = 2; i < in_data_len; i++) {
+ equals0 = constant_time_is_zero(in_data[i]);
zero_index = constant_time_select_int(~found_zero_byte & equals0,
i, zero_index);
@@ -356,7 +409,7 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
}
/*
- * PS must be at least 8 bytes long, and it starts two bytes into |em|.
+ * PS must be at least 8 bytes long, and it starts two bytes into |in_data|.
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
@@ -367,53 +420,41 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
* but in this case we also do not copy the message out.
*/
msg_index = zero_index + 1;
- mlen = rsa_size - msg_index;
/*
- * For good measure, do this check in constant time as well.
+ * old code returned an error in case the decrypted message wouldn't fit
+ * into the |out_data|, since that would leak information, return the
+ * synthetic message instead
*/
- good &= constant_time_ge(out_len, mlen);
+ good &= constant_time_ge(*out_data_len, in_data_len - msg_index);
+
+ msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
/*
- * Move the result in-place by |rsa_size|-RSA_PKCS1_PADDING_SIZE-|mlen|
- * bytes to the left.
- * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to
- * |out_data|. Otherwise leave |out_data| unchanged.
- * Copy the memory back in a way that does not reveal the size of
- * the data being copied via a timing side channel. This requires copying
- * parts of the buffer multiple times based on the bits set in the real
- * length. Clear bits do a non-copy with identical access pattern.
- * The loop below has overall complexity of O(N*log(N)).
+ * since at this point the |msg_index| does not provide the signal
+ * indicating if the padding check failed or not, we don't have to worry
+ * about leaking the length of returned message, we still need to ensure
+ * that we read contents of both buffers so that cache accesses don't leak
+ * the value of |good|
*/
- out_len = constant_time_select_int(
- constant_time_lt(rsa_size - RSA_PKCS1_PADDING_SIZE, out_len),
- rsa_size - RSA_PKCS1_PADDING_SIZE,
- out_len);
- for (msg_index = 1; msg_index < rsa_size - RSA_PKCS1_PADDING_SIZE;
- msg_index <<= 1) {
- mask = ~constant_time_eq(
- msg_index & (rsa_size - RSA_PKCS1_PADDING_SIZE - mlen), 0);
- for (i = RSA_PKCS1_PADDING_SIZE; i < rsa_size - msg_index; i++)
- em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
- }
- for (i = 0; i < out_len; i++) {
- mask = good & constant_time_lt(i, mlen);
- out_data[i] = constant_time_select_8(
- mask, em[i + RSA_PKCS1_PADDING_SIZE], out_data[i]);
- }
+ for (i = msg_index, j = 0; i < in_data_len && j < *out_data_len;
+ i++, j++)
+ out_data[j] = constant_time_select_8(good, in_data[i], synthetic[i]);
- OPENSSL_cleanse(em, rsa_size);
- free(em);
+ *out_data_len = j;
- *out_data_len = constant_time_select_int(good, mlen, 0);
+out:
+ if (synthetic != NULL)
+ free(synthetic);
- return constant_time_select_int(good, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
+ return rc;
}
CK_RV rsa_parse_block(CK_BYTE *in_data,
CK_ULONG in_data_len,
CK_BYTE *out_data,
- CK_ULONG *out_data_len, CK_ULONG type)
+ CK_ULONG *out_data_len, CK_ULONG type,
+ CK_BYTE *kdk, CK_ULONG kdklen)
{
switch (type) {
case PKCS_BT_1:
@@ -421,7 +462,7 @@ CK_RV rsa_parse_block(CK_BYTE *in_data,
out_data, out_data_len);
case PKCS_BT_2:
return rsa_parse_block_type_2(in_data, in_data_len,
- out_data, out_data_len);
+ out_data, out_data_len, kdk, kdklen);
}
return CKR_ARGUMENTS_BAD;

View File

@ -1,387 +0,0 @@
commit e2b496f58a84c2f537667655fe08a0d4923f0c70
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Jan 12 09:36:27 2024 +0100
Constant time fixes for C_Decrypt return code handling
Return code handling of C_Decrypt, C_DecryptUpdate, and C_DecryptFinal must
be performed in a constant time manner for RSA mechanisms. Otherwise it
may cause a timing side channel that may be used to perform a Bleichenbacher
style attack.
Handling of error situations with CKR_BUFFER_TOO_SMALL or size-query calls,
where the output buffer is NULL and the required size of the output buffer
is to be returned, do not need to be performed in constant time, since
these cases are shortcut anyway, and the result is only dependent on the
modulus size of the RSA key (which is public information anyway).
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/new_host.c b/usr/lib/common/new_host.c
index 8a1e8723..bbb0f601 100644
--- a/usr/lib/common/new_host.c
+++ b/usr/lib/common/new_host.c
@@ -47,6 +47,7 @@
#include "trace.h"
#include "slotmgr.h"
#include "attributes.h"
+#include "constant_time.h"
#include "../api/apiproto.h"
#include "../api/policy.h"
@@ -2345,6 +2346,7 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2377,11 +2379,19 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = decr_mgr_decrypt(tokdata, sess, length_only, &sess->decr_ctx,
pEncryptedData, ulEncryptedDataLen, pData,
pulDataLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("decr_mgr_decrypt() failed.\n");
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -2404,6 +2414,7 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2436,11 +2447,18 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = decr_mgr_decrypt_update(tokdata, sess, length_only,
&sess->decr_ctx, pEncryptedPart,
ulEncryptedPartLen, pPart, pulPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("decr_mgr_decrypt_update() failed.\n");
done:
- if (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL && sess != NULL) {
+ /* (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -2462,6 +2480,7 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2493,11 +2512,19 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = decr_mgr_decrypt_final(tokdata, sess, length_only, &sess->decr_ctx,
pLastPart, pulLastPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("decr_mgr_decrypt_final() failed.\n");
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 073b349f..6d08b95e 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -9552,10 +9552,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session),
rc);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
- } else {
- TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ if (!is_rsa_mechanism(ctx->mech.mechanism)) {
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
+ } else {
+ TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ }
}
done:
@@ -9611,10 +9613,12 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session),
rc);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
- } else {
- TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ if (!is_rsa_mechanism(ctx->mech.mechanism)) {
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
+ } else {
+ TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ }
}
done:
@@ -9676,10 +9680,12 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session),
rc);
- if (rc != CKR_OK) {
- TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
- } else {
- TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ if (!is_rsa_mechanism(ctx->mech.mechanism)) {
+ if (rc != CKR_OK) {
+ TRACE_ERROR("%s rc=0x%lx\n", __func__, rc);
+ } else {
+ TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
+ }
}
done:
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index 55e34c18..299a1d3c 100644
--- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c
@@ -38,6 +38,7 @@
#include "slotmgr.h"
#include "attributes.h"
#include "ep11_specific.h"
+#include "constant_time.h"
#include "../api/apiproto.h"
#include "../api/policy.h"
@@ -2466,6 +2467,7 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2513,17 +2515,29 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
length_only, sess->decr_ctx.key,
pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("ep11tok_decrypt_single() failed.\n");
} else {
rc = ep11tok_decrypt(tokdata, sess, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("ep11tok_decrypt() failed.\n");
}
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -2545,6 +2559,7 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
{
SESSION *sess = NULL;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2596,11 +2611,18 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = ep11tok_decrypt_update(tokdata, sess, pEncryptedPart,
ulEncryptedPartLen, pPart, pulPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("ep11tok_decrypt_update() failed.\n");
done:
- if (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL && sess != NULL) {
+ /* (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -2622,6 +2644,7 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2670,10 +2693,18 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
}
rc = ep11tok_decrypt_final(tokdata, sess, pLastPart, pulLastPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("ep11tok_decrypt_final() failed.\n");
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
index 6c419750..d8064559 100644
--- a/usr/lib/icsf_stdll/new_host.c
+++ b/usr/lib/icsf_stdll/new_host.c
@@ -35,6 +35,8 @@
#include "slotmgr.h"
#include "attributes.h"
#include "icsf_specific.h"
+#include "constant_time.h"
+
#include "../api/apiproto.h"
#include "../api/policy.h"
@@ -1768,6 +1770,7 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -1801,11 +1804,19 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = icsftok_decrypt(tokdata, sess, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("icsftok_decrypt() failed.\n");
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -1827,6 +1838,7 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
{
SESSION *sess = NULL;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -1857,11 +1869,18 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = icsftok_decrypt_update(tokdata, sess, pEncryptedPart,
ulEncryptedPartLen, pPart, pulPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("icsftok_decrypt_update() failed.\n");
done:
- if (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL && sess != NULL) {
+ /* (rc != CKR_OK && rc != CKR_BUFFER_TOO_SMALL */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}
@@ -1883,6 +1902,7 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL;
CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK;
+ unsigned int mask;
if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -1915,10 +1935,18 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
length_only = TRUE;
rc = icsftok_decrypt_final(tokdata, sess, pLastPart, pulLastPartLen);
- if (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK)
+ /* (!is_rsa_mechanism(sess->decr_ctx.mech.mechanism) && rc != CKR_OK) */
+ mask = ~constant_time_is_zero(
+ is_rsa_mechanism(sess->decr_ctx.mech.mechanism));
+ mask &= ~constant_time_eq(rc, CKR_OK);
+ if (mask)
TRACE_DEVEL("icsftok_decrypt_final() failed.\n");
done:
- if (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) {
+ /* (rc != CKR_BUFFER_TOO_SMALL && (rc != CKR_OK || length_only != TRUE)) */
+ mask = ~constant_time_eq(rc, CKR_OK);
+ mask |= constant_time_is_zero(length_only);
+ mask &= ~constant_time_eq(rc, CKR_BUFFER_TOO_SMALL);
+ if (mask) {
if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
}

File diff suppressed because it is too large Load Diff

View File

@ -1,31 +0,0 @@
commit d756ba1ec270a289950e66398c7e8be59c4a594d
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Feb 9 14:07:34 2024 +0100
COMMON: Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
An RSA key object that has no CKA_PRIVATE_EXPONENT may either don't have that
attribute at all, or may have an empty CKA_PRIVATE_EXPONENT attribute.
Both situations should be handed the same, and the private exponent of the
key needs to be calculated from the other key components.
Note that RSA key objects generated with a current soft or ICA token will
always have a valid CKA_PRIVATE_EXPONENT attribute, since this is provided
during key generation.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index da515289..14c82e2d 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -5160,7 +5160,8 @@ CK_RV openssl_specific_rsa_derive_kdk(STDLL_TokData_t *tokdata, OBJECT *key_obj,
rc = template_attribute_get_non_empty(key_obj->template,
CKA_PRIVATE_EXPONENT, &priv_exp_attr);
- if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE) {
+ if (rc != CKR_OK && rc != CKR_TEMPLATE_INCOMPLETE &&
+ rc != CKR_ATTRIBUTE_VALUE_INVALID) {
TRACE_ERROR("Failed to get CKA_PRIVATE_EXPONENT\n");
goto out;
}

View File

@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.22.0
Release: 3%{?dist}
Version: 3.23.0
Release: 1%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -11,12 +11,16 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
Patch2: opencryptoki-3.21.0-p11sak.patch
# upstream patches
# CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
Patch20: opencryptoki-CVE-2024-0914-part1.patch
Patch21: opencryptoki-CVE-2024-0914-part2.patch
Patch22: opencryptoki-CVE-2024-0914-part3.patch
Patch23: opencryptoki-CVE-2024-0914-part4.patch
Patch24: opencryptoki-CVE-2024-0914-part5.patch
# SEC2356-backport
Patch100: opencryptoki-3.23-SEC2356-backport-01.patch
Patch101: opencryptoki-3.23-SEC2356-backport-02.patch
Patch102: opencryptoki-3.23-SEC2356-backport-03.patch
Patch103: opencryptoki-3.23-SEC2356-backport-04.patch
Patch104: opencryptoki-3.23-SEC2356-backport-05.patch
Patch105: opencryptoki-3.23-SEC2356-backport-06.patch
Patch106: opencryptoki-3.23-SEC2356-backport-07.patch
Patch107: opencryptoki-3.23-SEC2356-backport-08.patch
Patch108: opencryptoki-3.23-SEC2356-backport-09.patch
Requires(pre): coreutils diffutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
@ -351,6 +355,11 @@ fi
%changelog
* Wed May 22 2024 Than Ngo <than@redhat.com> - 3.23.0-1
- Resolves: RHEL-23671, ep11 token: support protected keys for extractable keys
- Resolves: RHEL-23672, ep11 token support for FIPS 2021-session bound EP11 keys
- Resolves: RHEL-23673, update to 3.23.0
* Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3
- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT
Related: RHEL-22792