Resolves: #2015888, rebase to 3.17.0
Resolves: #2017720, openCryptoki key management tool
This commit is contained in:
parent
d116cb6599
commit
cf99734584
1
.gitignore
vendored
1
.gitignore
vendored
@ -28,3 +28,4 @@ opencryptoki-2.3.1.tar.gz
|
||||
/opencryptoki-3.15.0.tar.gz
|
||||
/opencryptoki-3.15.1.tar.gz
|
||||
/opencryptoki-3.16.0.tar.gz
|
||||
/opencryptoki-3.17.0.tar.gz
|
||||
|
@ -1,136 +0,0 @@
|
||||
commit 19f56d12b302b87e1dacf613cc61a063ad209d15
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Feb 12 15:57:20 2021 +0100
|
||||
|
||||
Fix compile warning when compiling pkcsslotd with -DDEV and/or -DTHREADED
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcsslotd/garbage_linux.c b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
index d4878c3b..a4dd9713 100644
|
||||
--- a/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
+++ b/usr/sbin/pkcsslotd/garbage_linux.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <fcntl.h>
|
||||
+#include <stdlib.h>
|
||||
|
||||
#include "log.h"
|
||||
#include "slotmgr.h"
|
||||
@@ -80,8 +81,8 @@ BOOL StartGCThread(Slot_Mgr_Shr_t *MemPtr)
|
||||
#ifdef DEV
|
||||
// Only development builds
|
||||
LogLog("StartGCThread: garbage collection thread started as ID "
|
||||
- "%d (%#x) by ID %d (%#x)",
|
||||
- GCThread, GCThread, pthread_self(), pthread_self());
|
||||
+ "%lu by ID %lu",
|
||||
+ GCThread, pthread_self());
|
||||
#endif
|
||||
|
||||
return TRUE;
|
||||
@@ -115,8 +116,8 @@ BOOL StopGCThread(void *Ptr)
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- DbgLog(DL0, "StopGCThread: tid %d is stopping the garbage collection "
|
||||
- "thread (tid %d)",
|
||||
+ DbgLog(DL0, "StopGCThread: tid %lu is stopping the garbage collection "
|
||||
+ "thread (tid %lu)",
|
||||
pthread_self(), GCThread);
|
||||
|
||||
/* Cause the GC thread to be cancelled */
|
||||
@@ -245,7 +246,7 @@ void GCCancel(void *Ptr)
|
||||
UNUSED(Ptr);
|
||||
|
||||
/* Yeah, yeah. Doesn't do anything, but I had plans */
|
||||
- DbgLog(DL3, "GCCancel: tid: %d running cleanup routine", pthread_self());
|
||||
+ DbgLog(DL3, "GCCancel: tid: %lu running cleanup routine", pthread_self());
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -268,7 +269,7 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
|
||||
ASSERT(MemPtr != NULL_PTR);
|
||||
#ifdef DEV
|
||||
- DbgLog(DL5, "Thread %d is checking for garbage", pthread_self());
|
||||
+ DbgLog(DL5, "Thread %lu is checking for garbage", pthread_self());
|
||||
#endif /* DEV */
|
||||
|
||||
|
||||
@@ -326,9 +327,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
if (*pProcSessions > 0) {
|
||||
|
||||
#ifdef DEV
|
||||
- DbgLog(DL2, "GC: Invalid pid (%d) is holding %d sessions "
|
||||
+ DbgLog(DL2, "GC: Invalid pid (%d) is holding %u sessions "
|
||||
"open on slot %d. Global session count for this "
|
||||
- "slot is %d",
|
||||
+ "slot is %u",
|
||||
pProc->proc_id, *pProcSessions, SlotIndex,
|
||||
*pGlobalSessions);
|
||||
#endif /* DEV */
|
||||
@@ -338,9 +339,9 @@ BOOL CheckForGarbage(Slot_Mgr_Shr_t *MemPtr)
|
||||
WarnLog("Garbage Collection: Illegal values in table "
|
||||
"for defunct process");
|
||||
DbgLog(DL0, "Garbage collection: A process "
|
||||
- "( Index: %d, pid: %d ) showed %d sessions "
|
||||
- "open on slot %s, but the global count for this "
|
||||
- "slot is only %d",
|
||||
+ "( Index: %d, pid: %d ) showed %u sessions "
|
||||
+ "open on slot %d, but the global count for this "
|
||||
+ "slot is only %u",
|
||||
ProcIndex, pProc->proc_id, *pProcSessions,
|
||||
SlotIndex, *pGlobalSessions);
|
||||
#endif /* DEV */
|
||||
@@ -395,14 +396,8 @@ int Stat2Proc(int pid, proc_t *p)
|
||||
char fbuf[800]; // about 40 fields, 64-bit decimal is about 20 chars
|
||||
char *tmp;
|
||||
int fd, num;
|
||||
- // FILE *fp;
|
||||
-
|
||||
- // sprintf(buf, "%s/%d/stat", PROC_BASE, pid);
|
||||
- // if( (fp = fopen(buf, "r")) == NULL )
|
||||
- // return FALSE;
|
||||
|
||||
sprintf(fbuf, "%s/%d/stat", PROC_BASE, pid);
|
||||
- printf("Buff = %s \n", fbuf);
|
||||
fflush(stdout);
|
||||
if ((fd = open(fbuf, O_RDONLY, 0)) == -1)
|
||||
return FALSE;
|
||||
diff --git a/usr/sbin/pkcsslotd/log.c b/usr/sbin/pkcsslotd/log.c
|
||||
index 0214f952..0394cc7d 100644
|
||||
--- a/usr/sbin/pkcsslotd/log.c
|
||||
+++ b/usr/sbin/pkcsslotd/log.c
|
||||
@@ -463,8 +463,8 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||
#endif /* DEV */
|
||||
|
||||
if (WriteNow) {
|
||||
- fprintf(stderr, "%s[%d.%d]: %s\n", pInfo->Descrip, getpid(),
|
||||
- (int) pthread_self(), buf);
|
||||
+ fprintf(stderr, "%s[%d.%lu]: %s\n", pInfo->Descrip, getpid(),
|
||||
+ pthread_self(), buf);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -482,7 +482,7 @@ BOOL PKCS_Log(pLogHandle phLog, char *fmt, va_list ap)
|
||||
GetCurrentTimeString(timebuf);
|
||||
|
||||
/* Date/Time stamp, descrip, Error message */
|
||||
- fprintf(fd, "%s %s[%d.%d]: ", timebuf, pInfo->Descrip, getpid(),
|
||||
+ fprintf(fd, "%s %s[%d.%lu]: ", timebuf, pInfo->Descrip, getpid(),
|
||||
pthread_self());
|
||||
fprintf(fd, "%s\n", buf);
|
||||
fflush(fd);
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index 94288f13..efbfe8fd 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -660,7 +660,6 @@ int main(int argc, char *argv[], char *envp[])
|
||||
*/
|
||||
|
||||
#if !defined(NOGARBAGE)
|
||||
- printf("Start garbage \n");
|
||||
/* start garbage collection thread */
|
||||
if (!StartGCThread(shmp)) {
|
||||
term_socket_server();
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,47 +0,0 @@
|
||||
commit 4e3b43c3d8844402c04a66b55c6c940f965109f0
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon May 3 10:05:07 2021 +0200
|
||||
|
||||
SOFT: Check the EC Key on C_CreateObject and C_DeriveKey
|
||||
|
||||
When constructing an OpenSSL EC public or private key from PKCS#11
|
||||
attributes or ECDH public data, check that the key is valid, i.e. that
|
||||
the point is on the curve.
|
||||
|
||||
This prevents one from creating an EC key object via C_CreateObject with
|
||||
invalid key data. It also prevents C_DeriveKey to derive a secret using
|
||||
ECDH with an EC public key (public data) that uses a different curve
|
||||
or is invalid by other means.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index c30be1da..aeff39a9 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -4365,6 +4365,12 @@ static CK_RV fill_ec_key_from_pubkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (!EC_KEY_check_key(ec_key)) {
|
||||
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||
+ rc = CKR_PUBLIC_KEY_INVALID;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
out:
|
||||
if (allocated && ecpoint != NULL)
|
||||
free(ecpoint);
|
||||
@@ -4404,6 +4410,12 @@ static CK_RV fill_ec_key_from_privkey(EC_KEY *ec_key, const CK_BYTE *data,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (!EC_KEY_check_key(ec_key)) {
|
||||
+ TRACE_ERROR("EC_KEY_check_key failed\n");
|
||||
+ rc = CKR_FUNCTION_FAILED;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
out:
|
||||
if (point != NULL)
|
||||
EC_POINT_free(point);
|
@ -1,28 +0,0 @@
|
||||
commit 5824364d995e5d2418f885ee57e377e11d1b3302
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jul 7 13:44:46 2021 +0200
|
||||
|
||||
pkcstok_migrate: Quote strings with spaces in opencryptoki.conf
|
||||
|
||||
When modifying opencryptoki.conf during token migration, put quotes
|
||||
around strings that contain spaces, e.g. for the slot description and
|
||||
manufacturer.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 94fd1196..3df1596e 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2107,7 +2107,10 @@ static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_TOKVERSION)
|
||||
+ if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||
+ strchr(val, ' ') != NULL)
|
||||
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
+ else if (tok != KW_TOKVERSION)
|
||||
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
return 0;
|
||||
}
|
@ -1,23 +0,0 @@
|
||||
commit 69244a5e0d9dfec3ef534b19b89a541576bb17dc
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 9 10:47:57 2021 +0100
|
||||
|
||||
TRACE: Use gettid() if SYS_gettid is not defined
|
||||
|
||||
Also print the thread ID in the trace, if SYS_gettid is not defined.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/trace.c b/usr/lib/common/trace.c
|
||||
index 678c0b96..bdc5256a 100644
|
||||
--- a/usr/lib/common/trace.c
|
||||
+++ b/usr/lib/common/trace.c
|
||||
@@ -33,6 +33,8 @@
|
||||
|
||||
#ifdef SYS_gettid
|
||||
#define __gettid() syscall(SYS_gettid)
|
||||
+#else
|
||||
+#define __gettid() gettid()
|
||||
#endif
|
||||
|
||||
pthread_mutex_t tlmtx = PTHREAD_MUTEX_INITIALIZER;
|
@ -1,367 +0,0 @@
|
||||
commit 7b7d83c571ceb3050969359817d4145600f14ae8
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Apr 9 17:07:31 2021 +0200
|
||||
|
||||
Check CKF_LIBRARY_CANT_CREATE_OS_THREADS at C_Initialize
|
||||
|
||||
Fail if flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set at C_Initialize,
|
||||
and event support is enabled (this is the default). We need to use pthreads
|
||||
for the event thread, so we can't work if CKF_LIBRARY_CANT_CREATE_OS_THREADS
|
||||
is set. Fail with CKR_NEED_TO_CREATE_THREADS if so.
|
||||
|
||||
The event support can be globally disabled using keyword 'disable-event-support'
|
||||
in opencryptoki.conf. This disables pkcsslots to accept admin connections,
|
||||
and it does not monitor for AP UDEV events (on s390 platform). No event
|
||||
thread is started in the opencryptoki processes, thus we can accept if flag
|
||||
CKF_LIBRARY_CANT_CREATE_OS_THREADS is set in that case.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in
|
||||
index 71218f79..7dc676ab 100644
|
||||
--- a/man/man5/opencryptoki.conf.5.in
|
||||
+++ b/man/man5/opencryptoki.conf.5.in
|
||||
@@ -10,8 +10,16 @@ pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to
|
||||
determine which slots will be made available.
|
||||
|
||||
.SH SYNTAX
|
||||
-This file is made up of slot descriptions. Each slot description
|
||||
-is composed of a slot number, brackets and key-value pairs.
|
||||
+This file is made up of optional global definitions, and slot descriptions.
|
||||
+
|
||||
+The following global definitions are valid:
|
||||
+
|
||||
+.TP
|
||||
+.BR disable-event-support
|
||||
+If this keyword is specified the openCryptoki event support is disabled.
|
||||
+
|
||||
+.P
|
||||
+Each slot description is composed of a slot number, brackets and key-value pairs.
|
||||
|
||||
slot number
|
||||
{
|
||||
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||
index e37368a5..451a8cf1 100644
|
||||
--- a/usr/include/slotmgr.h
|
||||
+++ b/usr/include/slotmgr.h
|
||||
@@ -99,6 +99,7 @@ typedef struct {
|
||||
LW_SHM_TYPE *shm_addr; // token specific shm address
|
||||
} Slot_Info_t;
|
||||
|
||||
+#define FLAG_EVENT_SUPPORT_DISABLED 0x01
|
||||
|
||||
#ifdef PKCS64
|
||||
|
||||
@@ -200,6 +201,7 @@ typedef struct {
|
||||
|
||||
typedef struct {
|
||||
uint8 num_slots;
|
||||
+ uint8 flags;
|
||||
CK_INFO_64 ck_info;
|
||||
Slot_Info_t_64 slot_info[NUMBER_SLOTS_MANAGED];
|
||||
} Slot_Mgr_Socket_t;
|
||||
@@ -214,6 +216,7 @@ typedef struct {
|
||||
|
||||
typedef struct {
|
||||
uint8 num_slots;
|
||||
+ uint8 flags;
|
||||
CK_INFO ck_info;
|
||||
Slot_Info_t slot_info[NUMBER_SLOTS_MANAGED];
|
||||
} Slot_Mgr_Socket_t;
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index 2873a20a..6517ca6c 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -308,7 +308,8 @@ void parent_fork_after()
|
||||
return;
|
||||
|
||||
/* Restart the event thread in the parent when fork is complete */
|
||||
- if (Anchor->event_thread == 0)
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ Anchor->event_thread == 0)
|
||||
start_event_thread();
|
||||
}
|
||||
|
||||
@@ -2752,13 +2753,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
- // If we EVER need to create threads from this library we must
|
||||
- // check the Flags for the Can_Create_OS_Threads flag
|
||||
- // Right now the library DOES NOT create threads and therefore this
|
||||
- // check is irrelavant.
|
||||
- if (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) {
|
||||
- TRACE_DEVEL("Can't create OS threads...This is OK\n");
|
||||
- }
|
||||
+
|
||||
// Since this is an initialization path, we will be verbose in the
|
||||
// code rather than efficient.
|
||||
//
|
||||
@@ -2848,7 +2843,21 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto error_shm;
|
||||
}
|
||||
- // Initialize structure values
|
||||
+
|
||||
+ if (pVoid != NULL) {
|
||||
+ pArg = (CK_C_INITIALIZE_ARGS *) pVoid;
|
||||
+
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ (pArg->flags & CKF_LIBRARY_CANT_CREATE_OS_THREADS) != 0) {
|
||||
+ TRACE_ERROR("Flag CKF_LIBRARY_CANT_CREATE_OS_THREADS is set and "
|
||||
+ "event support is enabled\n");
|
||||
+ OCK_SYSLOG(LOG_ERR, "C_Initialize: Application specified that "
|
||||
+ "library can't create OS threads. PKCS11 Module requires "
|
||||
+ "to create threads when event support is enabled.\n");
|
||||
+ rc = CKR_NEED_TO_CREATE_THREADS;
|
||||
+ goto error;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
//Register with pkcsslotd
|
||||
if (!API_Register()) {
|
||||
@@ -2867,7 +2876,8 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
}
|
||||
|
||||
/* Start event receiver thread */
|
||||
- if (start_event_thread() != 0) {
|
||||
+ if ((Anchor->SocketDataP.flags & FLAG_EVENT_SUPPORT_DISABLED) == 0 &&
|
||||
+ start_event_thread() != 0) {
|
||||
TRACE_ERROR("Failed to start event thread\n");
|
||||
|
||||
// unload all the STDLL's from the application
|
||||
diff --git a/usr/lib/common/configparser.h b/usr/lib/common/configparser.h
|
||||
index 13ca648d..b3c32496 100644
|
||||
--- a/usr/lib/common/configparser.h
|
||||
+++ b/usr/lib/common/configparser.h
|
||||
@@ -35,6 +35,7 @@ typedef int (*end_slot_f)(void *private);
|
||||
typedef int (*key_str_f)(void *private, int tok, const char *val);
|
||||
typedef int (*key_vers_f)(void *private, int tok, unsigned int vers);
|
||||
typedef void (*eolcomment_f)(void *private, const char *comment);
|
||||
+typedef void (*disab_event_supp_f)(void *private);
|
||||
/*
|
||||
* Report an error. If the error is not reported by the parser itself
|
||||
* but via one of the parse functions, \c parsermsg will be \c NULL.
|
||||
@@ -52,6 +53,7 @@ typedef void (*error_f)(void *private, int line, const char *parsermsg);
|
||||
*/
|
||||
struct parsefuncs {
|
||||
ockversion_f version;
|
||||
+ disab_event_supp_f disab_event_supp;
|
||||
eol_f eol;
|
||||
begin_slot_f begin_slot;
|
||||
end_slot_f end_slot;
|
||||
diff --git a/usr/lib/common/lexer.l b/usr/lib/common/lexer.l
|
||||
index b35a0b72..38cbcb70 100644
|
||||
--- a/usr/lib/common/lexer.l
|
||||
+++ b/usr/lib/common/lexer.l
|
||||
@@ -69,6 +69,7 @@ extern char *configparse_strdup(const char *s);
|
||||
|
||||
version return OCKVERSION;
|
||||
slot return SLOT;
|
||||
+disable-event-support return DISABLE_EVENT_SUPPORT;
|
||||
|
||||
[^\"= \t\n]+ {
|
||||
yylval.str = configparse_strdup(yytext);
|
||||
diff --git a/usr/lib/common/parser.y b/usr/lib/common/parser.y
|
||||
index 86806fcb..40c3994d 100644
|
||||
--- a/usr/lib/common/parser.y
|
||||
+++ b/usr/lib/common/parser.y
|
||||
@@ -65,7 +65,7 @@ int lookup_keyword(const char *key);
|
||||
int err;
|
||||
}
|
||||
|
||||
-%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF
|
||||
+%token EQUAL DOT SLOT EOL OCKVERSION BEGIN_DEF END_DEF DISABLE_EVENT_SUPPORT
|
||||
%token <str> STRING
|
||||
%token <str> KEYWORD
|
||||
%token <num> INTEGER
|
||||
@@ -81,6 +81,7 @@ config_file:
|
||||
|
||||
sections:
|
||||
version_def eolcomment
|
||||
+ | disable_event_support_def eolcomment
|
||||
| SLOT INTEGER BEGIN_DEF
|
||||
{
|
||||
if (parsefuncs->begin_slot && parsefuncs->begin_slot(parsedata, $2, 0)) {
|
||||
@@ -125,6 +126,13 @@ version_def:
|
||||
}
|
||||
configparse_freestringsfrom($2);
|
||||
}
|
||||
+
|
||||
+disable_event_support_def:
|
||||
+ DISABLE_EVENT_SUPPORT
|
||||
+ {
|
||||
+ if (parsefuncs->disab_event_supp)
|
||||
+ parsefuncs->disab_event_supp(parsedata);
|
||||
+ }
|
||||
|
||||
line_def:
|
||||
STRING EQUAL TOKVERSION
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
index d7edcb3c..1dd0bac9 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
@@ -88,7 +88,7 @@ int XProcLock(void);
|
||||
int XProcUnLock(void);
|
||||
int CreateXProcLock(void);
|
||||
|
||||
-int init_socket_server();
|
||||
+int init_socket_server(int event_support_disabled);
|
||||
int term_socket_server();
|
||||
int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||
int socket_connection_handler(int timeout_secs);
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index efbfe8fd..3b328a6c 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -34,6 +34,7 @@ int shmid;
|
||||
key_t tok;
|
||||
Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||
unsigned int NumberSlotsInDB = 0;
|
||||
+int event_support_disabled = 0;
|
||||
|
||||
Slot_Info_t_64 *psinfo;
|
||||
|
||||
@@ -467,6 +468,13 @@ static int slotmgr_key_vers(void *private, int tok, unsigned int vers)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static void slotmgr_disab_event_supp(void *private)
|
||||
+{
|
||||
+ UNUSED(private);
|
||||
+
|
||||
+ event_support_disabled = 1;
|
||||
+}
|
||||
+
|
||||
static void slotmgr_parseerror(void *private, int line, const char *parsermsg)
|
||||
{
|
||||
struct parse_data *d = (struct parse_data *)private;
|
||||
@@ -480,6 +488,7 @@ static struct parsefuncs slotmgr_parsefuncs = {
|
||||
.end_slot = slotmgr_end_slot,
|
||||
.key_str = slotmgr_key_str,
|
||||
.key_vers = slotmgr_key_vers,
|
||||
+ .disab_event_supp = slotmgr_disab_event_supp,
|
||||
.parseerror = slotmgr_parseerror
|
||||
};
|
||||
|
||||
@@ -568,7 +577,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (!XProcUnLock())
|
||||
return 4;
|
||||
|
||||
- if (!init_socket_server()) {
|
||||
+ if (!init_socket_server(event_support_disabled)) {
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -582,6 +591,8 @@ int main(int argc, char *argv[], char *envp[])
|
||||
DestroySharedMemory();
|
||||
return 6;
|
||||
}
|
||||
+ if (event_support_disabled)
|
||||
+ socketData.flags |= FLAG_EVENT_SUPPORT_DISABLED;
|
||||
|
||||
/* Create customized token directories */
|
||||
psinfo = &socketData.slot_info[0];
|
||||
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||
index 41408670..3aa40267 100644
|
||||
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||
@@ -139,12 +139,12 @@ struct event_info {
|
||||
};
|
||||
|
||||
static int epoll_fd = -1;
|
||||
-static struct listener_info proc_listener;
|
||||
+static struct listener_info proc_listener = { .socket = -1 };
|
||||
static DL_NODE *proc_connections = NULL;
|
||||
-static struct listener_info admin_listener;
|
||||
+static struct listener_info admin_listener = { .socket = -1 };
|
||||
static DL_NODE *admin_connections = NULL;
|
||||
#ifdef WITH_LIBUDEV
|
||||
-static struct udev_mon udev_mon;
|
||||
+static struct udev_mon udev_mon = { .socket = -1 };
|
||||
#endif
|
||||
static DL_NODE *pending_events = NULL;
|
||||
static unsigned long pending_events_count = 0;
|
||||
@@ -1620,6 +1620,9 @@ static void udev_mon_term(struct udev_mon *udev_mon)
|
||||
if (udev_mon == NULL)
|
||||
return;
|
||||
|
||||
+ if (udev_mon->socket < 0)
|
||||
+ return;
|
||||
+
|
||||
epoll_ctl(epoll_fd, EPOLL_CTL_DEL, udev_mon->socket, NULL);
|
||||
if (udev_mon->udev != NULL)
|
||||
udev_unref(udev_mon->udev);
|
||||
@@ -1636,6 +1639,7 @@ int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||
{
|
||||
unsigned int processed = 0;
|
||||
|
||||
+ socketData->flags = 0;
|
||||
PopulateCKInfo(&(socketData->ck_info));
|
||||
socketData->num_slots = NumberSlotsInDB;
|
||||
PopulateSlotInfo(socketData->slot_info, &processed);
|
||||
@@ -1692,7 +1696,7 @@ int socket_connection_handler(int timeout_secs)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
-int init_socket_server()
|
||||
+int init_socket_server(int event_support_disabled)
|
||||
{
|
||||
int err;
|
||||
|
||||
@@ -1710,18 +1714,20 @@ int init_socket_server()
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
- if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||
- admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||
- term_socket_server();
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (!event_support_disabled) {
|
||||
+ if (!listener_create(ADMIN_SOCKET_FILE_PATH, &admin_listener,
|
||||
+ admin_new_conn, NUMBER_ADMINS_ALLOWED)) {
|
||||
+ term_socket_server();
|
||||
+ return FALSE;
|
||||
+ }
|
||||
|
||||
#ifdef WITH_LIBUDEV
|
||||
- if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||
- term_socket_server();
|
||||
- return FALSE;
|
||||
- }
|
||||
+ if (!udev_mon_init(UDEV_SUBSYSTEM_AP, &udev_mon)) {
|
||||
+ term_socket_server();
|
||||
+ return FALSE;
|
||||
+ }
|
||||
#endif
|
||||
+ }
|
||||
|
||||
DbgLog(DL0, "%s: Socket server started", __func__);
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 7c225730..94fd1196 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2066,6 +2066,13 @@ static int parseupdate_ockversion(void *private, const char *version)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void parseupdate_disab_event_supp(void *private)
|
||||
+{
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
+
|
||||
+ fprintf(u->f, "disable-event-support");
|
||||
+}
|
||||
+
|
||||
static void parseupdate_eol(void *private)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
@@ -2124,6 +2131,7 @@ static void parseupdate_eolcomment(void *private, const char *comment)
|
||||
|
||||
static struct parsefuncs parseupdatefuncs = {
|
||||
.version = parseupdate_ockversion,
|
||||
+ .disab_event_supp = parseupdate_disab_event_supp,
|
||||
.eol = parseupdate_eol,
|
||||
.begin_slot = parseupdate_begin_slot,
|
||||
.end_slot = parseupdate_end_slot,
|
File diff suppressed because it is too large
Load Diff
@ -1,37 +0,0 @@
|
||||
commit b07505993dd8b2f367cf3b630f6da186e4e8550d
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Feb 10 15:12:25 2021 +0100
|
||||
|
||||
Avoid deadlock in dlclose() after a fork
|
||||
|
||||
Calling dlclose() in a atfork handler may cause a deadlock.
|
||||
dlclose() may itself modify the atfork handler table to remove
|
||||
any fork handlers that the to be unloaded library has registered.
|
||||
Since the atfork handler table is currently locked when we are in
|
||||
an atfork handler, this would produce a deadlock.
|
||||
|
||||
Skip the dlclose() if we are in an atfork handler to avoid the deadlock.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index 3ccb6d41..f1ee9132 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -1516,7 +1516,15 @@ CK_RV C_Finalize(CK_VOID_PTR pReserved)
|
||||
}
|
||||
}
|
||||
|
||||
- DL_UnLoad(sltp, slotID);
|
||||
+ /*
|
||||
+ * Calling dlclose() in a atfork handler may cause a deadlock.
|
||||
+ * dlclose() may itself modify the atfork handler table to remove
|
||||
+ * any fork handlers that the to be unloaded library has registered.
|
||||
+ * Since the atfork handler table is currently locked when we are in
|
||||
+ * an atfork handler, this would produce a deadlock.
|
||||
+ */
|
||||
+ if (!in_child_fork_initializer)
|
||||
+ DL_UnLoad(sltp, slotID);
|
||||
}
|
||||
|
||||
// Un register from Slot D
|
@ -1,21 +0,0 @@
|
||||
commit bf812c652c49d7e248b115d121a4f7f6568941a2
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Apr 6 13:41:55 2021 +0200
|
||||
|
||||
Update travis yaml file to install libudev development files
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/.travis.yml b/.travis.yml
|
||||
index d2907246..fd4092e3 100644
|
||||
--- a/.travis.yml
|
||||
+++ b/.travis.yml
|
||||
@@ -5,7 +5,7 @@ language: c
|
||||
|
||||
before_install:
|
||||
- sudo apt-get -qq update
|
||||
- - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget
|
||||
+ - sudo apt-get install -y expect trousers libldap2-dev libtspi-dev wget libudev-dev
|
||||
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica3_3.4.0-0ubuntu1_s390x.deb
|
||||
- sudo wget https://launchpad.net/ubuntu/+archive/primary/+files/libica-dev_3.4.0-0ubuntu1_s390x.deb
|
||||
- sudo dpkg -i libica3_3.4.0-0ubuntu1_s390x.deb || true # icatok needs libica >= 3.3
|
@ -1,462 +0,0 @@
|
||||
commit c79e899d77a5724635a9d4451a34a240e2c7e891
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Apr 16 13:41:41 2021 +0200
|
||||
|
||||
Fix potential deadlock situation with double read-locks
|
||||
|
||||
Do not get and read-lock an object twice within the same thread via
|
||||
function object_mgr_find_in_map1(), as this would read-lock the object
|
||||
twice.
|
||||
|
||||
This could cause a deadlock situation, when in-between the first
|
||||
and the second call to object_mgr_find_in_map1() the token object is
|
||||
modified by another process. The second object_mgr_find_in_map1() would
|
||||
detect that the object has been modified (object_mgr_check_shm()), and
|
||||
would try to re-load the object from the disk. For re-loading, the
|
||||
object is unlocked once, and a write-lock is acquired instead.
|
||||
However, if the current thread has read-locked the object twice, but
|
||||
releases only one read-lock, then it will never get the write lock,
|
||||
because it still owns the read lock itself.
|
||||
|
||||
To avoid this situation, release the read-lock before calling another
|
||||
function that also acquires the read lock of the object. That way, only
|
||||
one read-lock is held by the current thread, and re-loading the object
|
||||
will not cause a deadlock.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/decr_mgr.c b/usr/lib/common/decr_mgr.c
|
||||
index 317ef995..9842302b 100644
|
||||
--- a/usr/lib/common/decr_mgr.c
|
||||
+++ b/usr/lib/common/decr_mgr.c
|
||||
@@ -540,6 +540,10 @@ CK_RV decr_mgr_init(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||
|
||||
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 0);
|
||||
if (rc) {
|
||||
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||
diff --git a/usr/lib/common/encr_mgr.c b/usr/lib/common/encr_mgr.c
|
||||
index d3ecdeee..3e85ceab 100644
|
||||
--- a/usr/lib/common/encr_mgr.c
|
||||
+++ b/usr/lib/common/encr_mgr.c
|
||||
@@ -537,6 +537,10 @@ CK_RV encr_mgr_init(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
memset(ctx->context, 0x0, sizeof(AES_GCM_CONTEXT));
|
||||
|
||||
+ /* Release obj lock, token specific aes-gcm may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = aes_gcm_init(tokdata, sess, ctx, mech, key_handle, 1);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_ERROR("Could not initialize AES_GCM parms.\n");
|
||||
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
|
||||
index 1652f90a..e35b383c 100644
|
||||
--- a/usr/lib/common/mech_rsa.c
|
||||
+++ b/usr/lib/common/mech_rsa.c
|
||||
@@ -602,6 +602,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_oaep_encrypt(tokdata, ctx, in_data,
|
||||
in_data_len, out_data,
|
||||
out_data_len, hash, hlen);
|
||||
@@ -625,6 +629,10 @@ CK_RV rsa_oaep_crypt(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa-oaep may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_oaep_decrypt(tokdata, ctx, in_data,
|
||||
in_data_len, out_data,
|
||||
out_data_len, hash, hlen);
|
||||
@@ -1331,6 +1339,10 @@ CK_RV rsa_pss_sign(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_pss_sign(tokdata, sess, ctx, in_data, in_data_len,
|
||||
out_data, out_data_len);
|
||||
if (rc != CKR_OK)
|
||||
@@ -1389,6 +1401,10 @@ CK_RV rsa_pss_verify(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ /* Release obj lock, token specific rsa_pss may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = token_specific.t_rsa_pss_verify(tokdata, sess, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
if (rc != CKR_OK)
|
||||
diff --git a/usr/lib/common/sign_mgr.c b/usr/lib/common/sign_mgr.c
|
||||
index 937a371a..c7268e01 100644
|
||||
--- a/usr/lib/common/sign_mgr.c
|
||||
+++ b/usr/lib/common/sign_mgr.c
|
||||
@@ -424,6 +424,10 @@ CK_RV sign_mgr_init(STDLL_TokData_t *tokdata,
|
||||
ctx->context_len = 0;
|
||||
ctx->context = NULL;
|
||||
|
||||
+ /* Release obj lock, token specific hmac-sign may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = hmac_sign_init(tokdata, sess, mech, key);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_ERROR("Failed to initialize hmac.\n");
|
||||
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||
index 3ac3768a..52f95d7a 100644
|
||||
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||
@@ -6948,6 +6948,13 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /*
|
||||
+ * Release obj lock, sign_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||
+ * may re-acquire the lock
|
||||
+ */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
/* Note that Edwards curves in general are not yet supported in
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
@@ -7029,11 +7036,16 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||
rc = pkey_ibm_ed_sign(key_obj, in_data, in_data_len, signature, sig_len);
|
||||
- else
|
||||
+ } else {
|
||||
+ /* Release obj lock, sign_mgr_sign may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = sign_mgr_sign(tokdata, session, length_only, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
+ }
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
@@ -7071,6 +7083,11 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
if (!in_data || !in_data_len)
|
||||
return CKR_OK;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7078,11 +7095,6 @@ CK_RV ep11tok_sign_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = sign_mgr_sign_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_SignUpdate(ctx->context, ctx->context_len, in_data,
|
||||
in_data_len, ep11_data->target);
|
||||
@@ -7115,6 +7127,11 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7122,11 +7139,6 @@ CK_RV ep11tok_sign_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = sign_mgr_sign_final(tokdata, session, length_only, ctx, signature, sig_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_SignFinal(ctx->context, ctx->context_len, signature, sig_len,
|
||||
ep11_data->target);
|
||||
@@ -7241,6 +7253,13 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /*
|
||||
+ * Release obj lock, verify_mgr_init or ep11tok_sign_verify_init_ibm_ed
|
||||
+ * may re-acquire the lock
|
||||
+ */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
/* Note that Edwards curves in general are not yet supported in
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
@@ -7320,12 +7339,17 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
* opencryptoki. These two special IBM specific ED mechs are only
|
||||
* supported by the ep11token, so let's keep them local here. */
|
||||
if (ctx->mech.mechanism == CKM_IBM_ED25519_SHA512 ||
|
||||
- ctx->mech.mechanism == CKM_IBM_ED448_SHA3)
|
||||
+ ctx->mech.mechanism == CKM_IBM_ED448_SHA3) {
|
||||
rc = pkey_ibm_ed_verify(key_obj, in_data, in_data_len,
|
||||
signature, sig_len);
|
||||
- else
|
||||
+ } else {
|
||||
+ /* Release obj lock, verify_mgr_verify may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
rc = verify_mgr_verify(tokdata, session, ctx, in_data,
|
||||
in_data_len, signature, sig_len);
|
||||
+ }
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
@@ -7363,6 +7387,11 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
if (!in_data || !in_data_len)
|
||||
return CKR_OK;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7370,11 +7399,6 @@ CK_RV ep11tok_verify_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = verify_mgr_verify_update(tokdata, session, ctx, in_data, in_data_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_VerifyUpdate(ctx->context, ctx->context_len, in_data,
|
||||
in_data_len, ep11_data->target);
|
||||
@@ -7406,6 +7430,11 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7413,11 +7442,6 @@ CK_RV ep11tok_verify_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = verify_mgr_verify_final(tokdata, session, ctx, signature, sig_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_VerifyFinal(ctx->context, ctx->context_len, signature,
|
||||
sig_len, ep11_data->target);
|
||||
@@ -7501,6 +7525,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||
+ ctx, output_part, p_output_part_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7508,12 +7538,6 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = decr_mgr_decrypt_final(tokdata, session, length_only,
|
||||
- ctx, output_part, p_output_part_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_DecryptFinal(ctx->context, ctx->context_len,
|
||||
output_part, p_output_part_len,
|
||||
@@ -7548,13 +7572,6 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = decr_mgr_decrypt(tokdata, session, length_only, ctx,
|
||||
input_data, input_data_len, output_data,
|
||||
@@ -7562,6 +7579,13 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_Decrypt(ctx->context, ctx->context_len, input_data,
|
||||
input_data_len, output_data, p_output_data_len,
|
||||
@@ -7602,13 +7626,6 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return CKR_OK; /* nothing to update, keep context */
|
||||
}
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = decr_mgr_decrypt_update(tokdata, session, length_only,
|
||||
ctx, input_part, input_part_len,
|
||||
@@ -7616,6 +7633,13 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_DecryptUpdate(ctx->context, ctx->context_len,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7695,6 +7719,12 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
+ if (ctx->pkey_active) {
|
||||
+ rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||
+ ctx, output_part, p_output_part_len);
|
||||
+ goto done; /* no ep11 fallback possible */
|
||||
+ }
|
||||
+
|
||||
rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
READ_LOCK);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -7702,12 +7732,6 @@ CK_RV ep11tok_encrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (ctx->pkey_active) {
|
||||
- rc = encr_mgr_encrypt_final(tokdata, session, length_only,
|
||||
- ctx, output_part, p_output_part_len);
|
||||
- goto done; /* no ep11 fallback possible */
|
||||
- }
|
||||
-
|
||||
RETRY_START
|
||||
rc = dll_m_EncryptFinal(ctx->context, ctx->context_len,
|
||||
output_part, p_output_part_len,
|
||||
@@ -7742,13 +7766,6 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
CK_BYTE *keyblob;
|
||||
OBJECT *key_obj = NULL;
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = encr_mgr_encrypt(tokdata, session, length_only, ctx,
|
||||
input_data, input_data_len, output_data,
|
||||
@@ -7756,6 +7773,13 @@ CK_RV ep11tok_encrypt(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_Encrypt(ctx->context, ctx->context_len, input_data,
|
||||
input_data_len, output_data, p_output_data_len,
|
||||
@@ -7796,13 +7820,6 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
return CKR_OK; /* nothing to update, keep context */
|
||||
}
|
||||
|
||||
- rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
- READ_LOCK);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
if (ctx->pkey_active) {
|
||||
rc = encr_mgr_encrypt_update(tokdata, session, length_only, ctx,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7810,6 +7827,13 @@ CK_RV ep11tok_encrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
goto done; /* no ep11 fallback possible */
|
||||
}
|
||||
|
||||
+ rc = h_opaque_2_blob(tokdata, ctx->key, &keyblob, &keyblobsize, &key_obj,
|
||||
+ READ_LOCK);
|
||||
+ if (rc != CKR_OK) {
|
||||
+ TRACE_ERROR("%s h_opaque_2_blob, rc=0x%lx\n", __func__, rc);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
RETRY_START
|
||||
rc = dll_m_EncryptUpdate(ctx->context, ctx->context_len,
|
||||
input_part, input_part_len, output_part,
|
||||
@@ -7921,6 +7945,10 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||
switch (rc) {
|
||||
case CKR_OK:
|
||||
+ /* Release obj lock, encr/decr_mgr_init may re-acquire the lock */
|
||||
+ object_put(tokdata, key_obj, TRUE);
|
||||
+ key_obj = NULL;
|
||||
+
|
||||
if (op == DECRYPT) {
|
||||
rc = decr_mgr_init(tokdata, session, &session->decr_ctx,
|
||||
OP_DECRYPT_INIT, mech, key);
|
@ -1,104 +0,0 @@
|
||||
commit d2f137cce5e6efb123842509352c7c49f889c67f
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu Jul 22 15:55:02 2021 +0200
|
||||
|
||||
pkcstok_migrate: Rework string quoting for opencryptoki.conf migration
|
||||
|
||||
Due to the way the parser works, a slot description like
|
||||
'description = "slot"' works, but not without quotes ('description = slot').
|
||||
The word 'slot' is treated as a keyword if not quoted (besides other keywords,
|
||||
too), so if the word 'slot' would appear in an unquoted string, the
|
||||
configuration file would fail to parse.
|
||||
|
||||
Always quote the value of 'description' and 'manufacturer'. Quote the
|
||||
value of 'stdll', 'confname', and 'tokname' if it contains spaces, and
|
||||
never quote the value of 'hwversion', 'firmwareversion', and 'tokversion'.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index a29dc8f7..853986e8 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2060,7 +2060,7 @@ done:
|
||||
*/
|
||||
static int parseupdate_ockversion(void *private, const char *version)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fprintf(u->f, "version %s", version);
|
||||
return 0;
|
||||
@@ -2075,14 +2075,14 @@ static void parseupdate_disab_event_supp(void *private)
|
||||
|
||||
static void parseupdate_eol(void *private)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fputc('\n', u->f);
|
||||
}
|
||||
|
||||
static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
u->activeslot = (slot == u->slotnum);
|
||||
if (nl_before_begin)
|
||||
@@ -2094,7 +2094,7 @@ static int parseupdate_begin_slot(void *private, int slot, int nl_before_begin)
|
||||
|
||||
static int parseupdate_end_slot(void *private)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
if (u->activeslot)
|
||||
fprintf(u->f, " tokversion = 3.12\n");
|
||||
@@ -2105,19 +2105,32 @@ static int parseupdate_end_slot(void *private)
|
||||
|
||||
static int parseupdate_key_str(void *private, int tok, const char *val)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_HWVERSION && tok != KW_FWVERSION &&
|
||||
- strchr(val, ' ') != NULL)
|
||||
+ switch (tok) {
|
||||
+ case KW_SLOTDESC:
|
||||
+ case KW_MANUFID:
|
||||
fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
- else if (tok != KW_TOKVERSION)
|
||||
+ break;
|
||||
+ case KW_STDLL:
|
||||
+ case KW_CONFNAME:
|
||||
+ case KW_TOKNAME:
|
||||
+ if (strchr(val, ' ') != NULL)
|
||||
+ fprintf(u->f, " %s = \"%s\"", keyword_token_to_str(tok), val);
|
||||
+ else
|
||||
+ fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
+ break;
|
||||
+ case KW_HWVERSION:
|
||||
+ case KW_FWVERSION:
|
||||
fprintf(u->f, " %s = %s", keyword_token_to_str(tok), val);
|
||||
+ break;
|
||||
+ }
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
if (tok == KW_TOKVERSION && !u->activeslot)
|
||||
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||
@@ -2127,7 +2140,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
|
||||
static void parseupdate_eolcomment(void *private, const char *comment)
|
||||
{
|
||||
- struct parseupdate *u = (struct parseupdate *)private;
|
||||
+ struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
fprintf(u->f, "#%s", comment);
|
||||
}
|
@ -1,239 +0,0 @@
|
||||
commit d7de5092247a0efc2c397f12977a7c9925420143
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 16 17:15:20 2021 +0100
|
||||
|
||||
TESTCASES: Add event support tests
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/testcases/misc_tests/events.c b/testcases/misc_tests/events.c
|
||||
new file mode 100644
|
||||
index 00000000..fecc7bfe
|
||||
--- /dev/null
|
||||
+++ b/testcases/misc_tests/events.c
|
||||
@@ -0,0 +1,190 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include "event_client.h"
|
||||
+#include "regress.h"
|
||||
+#include "defs.h"
|
||||
+
|
||||
+const char payload[20] = "12345678901234567890";
|
||||
+
|
||||
+static inline void init_event_destination(struct event_destination *dest,
|
||||
+ unsigned int token_type,
|
||||
+ const char *label,
|
||||
+ pid_t process_id)
|
||||
+{
|
||||
+ size_t len;
|
||||
+
|
||||
+ dest->token_type = token_type;
|
||||
+ dest->process_id = process_id;
|
||||
+
|
||||
+ memset(dest->token_label, ' ', sizeof(dest->token_label));
|
||||
+ if (label != NULL) {
|
||||
+ len = strlen(label);
|
||||
+ memcpy(dest->token_label, label, len > sizeof(dest->token_label) ?
|
||||
+ sizeof(dest->token_label) : len);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int main(int argc, char **argv)
|
||||
+{
|
||||
+ CK_C_INITIALIZE_ARGS cinit_args;
|
||||
+ int rc, fd = -1, ret = 1;
|
||||
+ struct event_destination dest;
|
||||
+ struct event_reply reply;
|
||||
+
|
||||
+ UNUSED(argc);
|
||||
+ UNUSED(argv);
|
||||
+
|
||||
+ rc = do_GetFunctionList();
|
||||
+ if (!rc) {
|
||||
+ testcase_error("do_getFunctionList(), rc=%s", p11_get_ckr(rc));
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Initialize Opencryptoki in this process, so that at least one
|
||||
+ * process is receiving the events.
|
||||
+ */
|
||||
+ memset(&cinit_args, 0x0, sizeof(cinit_args));
|
||||
+ cinit_args.flags = CKF_OS_LOCKING_OK;
|
||||
+ funcs->C_Initialize(&cinit_args);
|
||||
+
|
||||
+ testcase_setup(0);
|
||||
+ testcase_begin("Starting event tests");
|
||||
+
|
||||
+ // Test fork before C_Initialize
|
||||
+ testcase_new_assertion();
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (simple, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (simple, one-shot)");
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||
+ NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (payload, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (payload, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_CCA, NULL, 0);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (token-type, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (token-type, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, "cca", 0);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (token-label, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (token-label, one-shot)");
|
||||
+
|
||||
+ init_event_destination(&dest, EVENT_TOK_TYPE_ALL, NULL, 12345);
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_NONE, 0, NULL, &dest, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (pid, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (pid, one-shot)");
|
||||
+
|
||||
+ memset(&reply, 0, sizeof(reply));
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (reply, one-shot) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||
+ if (reply.positive_replies + reply.negative_replies +
|
||||
+ reply.nothandled_replies == 0) {
|
||||
+ testcase_fail("send_event (reply, one-shot) replies all zero");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (reply, one-shot)");
|
||||
+
|
||||
+
|
||||
+ fd = init_event_client();
|
||||
+ if (fd < 0) {
|
||||
+ testcase_fail("init_event_client rc = %d (%s)", fd, strerror(-fd));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("init_event_client()");
|
||||
+
|
||||
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, 0, NULL, NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (simple) rc = %d (%s)", rc, strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (simple)");
|
||||
+
|
||||
+ rc = send_event(fd, 0x12345, EVENT_FLAGS_NONE, sizeof(payload), payload,
|
||||
+ NULL, NULL);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (payload) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (payload)");
|
||||
+
|
||||
+ memset(&reply, 0, sizeof(reply));
|
||||
+
|
||||
+ rc = send_event(-1, 0x12345, EVENT_FLAGS_REPLY_REQ, 0, NULL, NULL, &reply);
|
||||
+ if (rc != 0) {
|
||||
+ testcase_fail("send_event (reply) rc = %d (%s)", rc,
|
||||
+ strerror(-rc));
|
||||
+ goto out;
|
||||
+ }
|
||||
+ printf("Reply: positive_replies: %lu\n", reply.positive_replies);
|
||||
+ printf(" negative_replies: %lu\n", reply.negative_replies);
|
||||
+ printf(" nothandled_replies: %lu\n", reply.nothandled_replies);
|
||||
+ if (reply.positive_replies + reply.negative_replies +
|
||||
+ reply.nothandled_replies == 0) {
|
||||
+ testcase_fail("send_event (reply) replies all zero");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ testcase_pass("send_event (reply)");
|
||||
+
|
||||
+ term_event_client(fd);
|
||||
+ fd = -1;
|
||||
+
|
||||
+ ret = 0;
|
||||
+
|
||||
+out:
|
||||
+ if (fd >= 0)
|
||||
+ term_event_client(fd);
|
||||
+
|
||||
+ funcs->C_Finalize(NULL);
|
||||
+
|
||||
+ testcase_print_result();
|
||||
+ return ret;
|
||||
+}
|
||||
diff --git a/testcases/misc_tests/misc_tests.mk b/testcases/misc_tests/misc_tests.mk
|
||||
index 3de11ebe..fb7cc0a1 100644
|
||||
--- a/testcases/misc_tests/misc_tests.mk
|
||||
+++ b/testcases/misc_tests/misc_tests.mk
|
||||
@@ -7,7 +7,8 @@ noinst_PROGRAMS += \
|
||||
testcases/misc_tests/fork testcases/misc_tests/multi_instance \
|
||||
testcases/misc_tests/obj_lock testcases/misc_tests/tok2tok_transport \
|
||||
testcases/misc_tests/obj_lock testcases/misc_tests/reencrypt \
|
||||
- testcases/misc_tests/cca_export_import_test
|
||||
+ testcases/misc_tests/cca_export_import_test \
|
||||
+ testcases/misc_tests/events
|
||||
|
||||
testcases_misc_tests_obj_mgmt_tests_CFLAGS = ${testcases_inc}
|
||||
testcases_misc_tests_obj_mgmt_tests_LDADD = \
|
||||
@@ -73,3 +74,8 @@ testcases_misc_tests_cca_export_import_test_LDADD = \
|
||||
testcases/common/libcommon.la
|
||||
testcases_misc_tests_cca_export_import_test_SOURCES = \
|
||||
testcases/misc_tests/cca_export_import_test.c
|
||||
+
|
||||
+testcases_misc_tests_events_CFLAGS = ${testcases_inc}
|
||||
+testcases_misc_tests_events_LDADD = testcases/common/libcommon.la
|
||||
+testcases_misc_tests_events_SOURCES = testcases/misc_tests/events.c \
|
||||
+ usr/lib/common/event_client.c
|
||||
diff --git a/testcases/ock_tests.sh.in b/testcases/ock_tests.sh.in
|
||||
index 64c77a7d..6558b031 100755
|
||||
--- a/testcases/ock_tests.sh.in
|
||||
+++ b/testcases/ock_tests.sh.in
|
||||
@@ -53,6 +53,7 @@ OCK_TESTS+=" pkcs11/findobjects pkcs11/generate_keypair"
|
||||
OCK_TESTS+=" pkcs11/get_interface pkcs11/getobjectsize pkcs11/sess_opstate"
|
||||
OCK_TESTS+=" misc_tests/fork misc_tests/obj_mgmt_tests"
|
||||
OCK_TESTS+=" misc_tests/obj_mgmt_lock_tests misc_tests/reencrypt"
|
||||
+OCK_TESTS+=" misc_tests/events"
|
||||
OCK_TEST=""
|
||||
OCK_BENCHS="pkcs11/*bench"
|
||||
|
@ -1,619 +0,0 @@
|
||||
commit d929fe8470e99f4dcbbd889e7aa87e147d0d5b48
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Feb 12 11:25:21 2021 +0100
|
||||
|
||||
Externalize linked list functions
|
||||
|
||||
Externalize the linked list functions (dlist_xxx), so that they
|
||||
can also be used on pkcsslotd.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/cca_stdll/cca_stdll.mk b/usr/lib/cca_stdll/cca_stdll.mk
|
||||
index bd230b9f..c5e86fa7 100644
|
||||
--- a/usr/lib/cca_stdll/cca_stdll.mk
|
||||
+++ b/usr/lib/cca_stdll/cca_stdll.mk
|
||||
@@ -35,7 +35,8 @@ opencryptoki_stdll_libpkcs11_cca_la_SOURCES = \
|
||||
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
- usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c
|
||||
+ usr/lib/cca_stdll/cca_specific.c usr/lib/common/attributes.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_cca_la_SOURCES += \
|
||||
diff --git a/usr/lib/common/dlist.c b/usr/lib/common/dlist.c
|
||||
new file mode 100644
|
||||
index 00000000..1fee1ea9
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/dlist.c
|
||||
@@ -0,0 +1,218 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <errno.h>
|
||||
+
|
||||
+#include "dlist.h"
|
||||
+#include "host_defs.h"
|
||||
+#include "h_extern.h"
|
||||
+
|
||||
+
|
||||
+// Function: dlist_add_as_first()
|
||||
+//
|
||||
+// Adds the specified node to the start of the list
|
||||
+//
|
||||
+// Returns: pointer to the start of the list
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = NULL;
|
||||
+
|
||||
+ if (!data)
|
||||
+ return list;
|
||||
+
|
||||
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ node->data = data;
|
||||
+ node->prev = NULL;
|
||||
+ node->next = list;
|
||||
+ if (list)
|
||||
+ list->prev = node;
|
||||
+
|
||||
+ return node;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_add_as_last()
|
||||
+//
|
||||
+// Adds the specified node to the end of the list
|
||||
+//
|
||||
+// Returns: pointer to the start of the list
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = NULL;
|
||||
+
|
||||
+ if (!data)
|
||||
+ return list;
|
||||
+
|
||||
+ node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ node->data = data;
|
||||
+ node->next = NULL;
|
||||
+
|
||||
+ if (!list) {
|
||||
+ node->prev = NULL;
|
||||
+ return node;
|
||||
+ } else {
|
||||
+ DL_NODE *temp = dlist_get_last(list);
|
||||
+ temp->next = node;
|
||||
+ node->prev = temp;
|
||||
+
|
||||
+ return list;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_find()
|
||||
+//
|
||||
+DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||
+{
|
||||
+ DL_NODE *node = list;
|
||||
+
|
||||
+ while (node && node->data != data)
|
||||
+ node = node->next;
|
||||
+
|
||||
+ return node;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_get_first()
|
||||
+//
|
||||
+// Returns the last node in the list or NULL if list is empty
|
||||
+//
|
||||
+DL_NODE *dlist_get_first(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (temp->prev != NULL)
|
||||
+ temp = temp->prev;
|
||||
+
|
||||
+ return temp;
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_get_last()
|
||||
+//
|
||||
+// Returns the last node in the list or NULL if list is empty
|
||||
+//
|
||||
+DL_NODE *dlist_get_last(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return NULL;
|
||||
+
|
||||
+ while (temp->next != NULL)
|
||||
+ temp = temp->next;
|
||||
+
|
||||
+ return temp;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+CK_ULONG dlist_length(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+ CK_ULONG len = 0;
|
||||
+
|
||||
+ while (temp) {
|
||||
+ len++;
|
||||
+ temp = temp->next;
|
||||
+ }
|
||||
+
|
||||
+ return len;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+DL_NODE *dlist_next(DL_NODE *node)
|
||||
+{
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return node->next;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+DL_NODE *dlist_prev(DL_NODE *node)
|
||||
+{
|
||||
+ if (!node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return node->prev;
|
||||
+}
|
||||
+
|
||||
+//
|
||||
+//
|
||||
+void dlist_purge(DL_NODE *list)
|
||||
+{
|
||||
+ DL_NODE *node;
|
||||
+
|
||||
+ if (!list)
|
||||
+ return;
|
||||
+
|
||||
+ do {
|
||||
+ node = list->next;
|
||||
+ free(list);
|
||||
+ list = node;
|
||||
+ } while (list);
|
||||
+}
|
||||
+
|
||||
+// Function: dlist_remove_node()
|
||||
+//
|
||||
+// Attempts to remove the specified node from the list. The caller is
|
||||
+// responsible for freeing the data associated with the node prior to
|
||||
+// calling this routine
|
||||
+//
|
||||
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||
+{
|
||||
+ DL_NODE *temp = list;
|
||||
+
|
||||
+ if (!list || !node)
|
||||
+ return NULL;
|
||||
+
|
||||
+ // special case: removing head of the list
|
||||
+ //
|
||||
+ if (list == node) {
|
||||
+ temp = list->next;
|
||||
+ if (temp)
|
||||
+ temp->prev = NULL;
|
||||
+
|
||||
+ free(list);
|
||||
+ return temp;
|
||||
+ }
|
||||
+ // we have no guarantee that the node is in the list
|
||||
+ // so search through the list to find it
|
||||
+ //
|
||||
+ while ((temp != NULL) && (temp->next != node))
|
||||
+ temp = temp->next;
|
||||
+
|
||||
+ if (temp != NULL) {
|
||||
+ DL_NODE *next = node->next;
|
||||
+
|
||||
+ temp->next = next;
|
||||
+ if (next)
|
||||
+ next->prev = temp;
|
||||
+
|
||||
+ free(node);
|
||||
+ }
|
||||
+
|
||||
+ return list;
|
||||
+}
|
||||
diff --git a/usr/lib/common/dlist.h b/usr/lib/common/dlist.h
|
||||
new file mode 100644
|
||||
index 00000000..eda4af9c
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/dlist.h
|
||||
@@ -0,0 +1,32 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+
|
||||
+#ifndef _DLIST_H_
|
||||
+#define _DLIST_H_
|
||||
+
|
||||
+#include "pkcs11types.h"
|
||||
+#include "defs.h"
|
||||
+
|
||||
+// linked-list routines
|
||||
+//
|
||||
+DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||
+DL_NODE *dlist_get_first(DL_NODE *list);
|
||||
+DL_NODE *dlist_get_last(DL_NODE *list);
|
||||
+CK_ULONG dlist_length(DL_NODE *list);
|
||||
+DL_NODE *dlist_next(DL_NODE *list);
|
||||
+DL_NODE *dlist_prev(DL_NODE *list);
|
||||
+void dlist_purge(DL_NODE *list);
|
||||
+DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||
+
|
||||
+#endif
|
||||
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||
index 63aff79f..5e251d95 100644
|
||||
--- a/usr/lib/common/h_extern.h
|
||||
+++ b/usr/lib/common/h_extern.h
|
||||
@@ -24,6 +24,7 @@
|
||||
#define _H_EXTERN_H
|
||||
|
||||
#include <stdio.h>
|
||||
+#include "dlist.h"
|
||||
|
||||
// global variables
|
||||
//
|
||||
@@ -1759,19 +1760,6 @@ int ec_point_from_public_data(const CK_BYTE *data, CK_ULONG data_len,
|
||||
CK_BBOOL *allocated, CK_BYTE **ec_point,
|
||||
CK_ULONG *ec_point_len);
|
||||
|
||||
-// linked-list routines
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_find(DL_NODE *list, void *data);
|
||||
-DL_NODE *dlist_get_first(DL_NODE *list);
|
||||
-DL_NODE *dlist_get_last(DL_NODE *list);
|
||||
-CK_ULONG dlist_length(DL_NODE *list);
|
||||
-DL_NODE *dlist_next(DL_NODE *list);
|
||||
-DL_NODE *dlist_prev(DL_NODE *list);
|
||||
-void dlist_purge(DL_NODE *list);
|
||||
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node);
|
||||
-
|
||||
CK_RV attach_shm(STDLL_TokData_t *tokdata, CK_SLOT_ID slot_id);
|
||||
CK_RV detach_shm(STDLL_TokData_t *tokdata, CK_BBOOL ignore_ref_count);
|
||||
|
||||
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
|
||||
index 38d8d959..b2c6ee50 100644
|
||||
--- a/usr/lib/common/utility.c
|
||||
+++ b/usr/lib/common/utility.c
|
||||
@@ -40,203 +40,6 @@
|
||||
#include <sys/file.h>
|
||||
#include <syslog.h>
|
||||
|
||||
-// Function: dlist_add_as_first()
|
||||
-//
|
||||
-// Adds the specified node to the start of the list
|
||||
-//
|
||||
-// Returns: pointer to the start of the list
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_first(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = NULL;
|
||||
-
|
||||
- if (!data)
|
||||
- return list;
|
||||
-
|
||||
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- node->data = data;
|
||||
- node->prev = NULL;
|
||||
- node->next = list;
|
||||
- if (list)
|
||||
- list->prev = node;
|
||||
-
|
||||
- return node;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_add_as_last()
|
||||
-//
|
||||
-// Adds the specified node to the end of the list
|
||||
-//
|
||||
-// Returns: pointer to the start of the list
|
||||
-//
|
||||
-DL_NODE *dlist_add_as_last(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = NULL;
|
||||
-
|
||||
- if (!data)
|
||||
- return list;
|
||||
-
|
||||
- node = (DL_NODE *) malloc(sizeof(DL_NODE));
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- node->data = data;
|
||||
- node->next = NULL;
|
||||
-
|
||||
- if (!list) {
|
||||
- node->prev = NULL;
|
||||
- return node;
|
||||
- } else {
|
||||
- DL_NODE *temp = dlist_get_last(list);
|
||||
- temp->next = node;
|
||||
- node->prev = temp;
|
||||
-
|
||||
- return list;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_find()
|
||||
-//
|
||||
-DL_NODE *dlist_find(DL_NODE *list, void *data)
|
||||
-{
|
||||
- DL_NODE *node = list;
|
||||
-
|
||||
- while (node && node->data != data)
|
||||
- node = node->next;
|
||||
-
|
||||
- return node;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_get_first()
|
||||
-//
|
||||
-// Returns the last node in the list or NULL if list is empty
|
||||
-//
|
||||
-DL_NODE *dlist_get_first(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list)
|
||||
- return NULL;
|
||||
-
|
||||
- while (temp->prev != NULL)
|
||||
- temp = temp->prev;
|
||||
-
|
||||
- return temp;
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_get_last()
|
||||
-//
|
||||
-// Returns the last node in the list or NULL if list is empty
|
||||
-//
|
||||
-DL_NODE *dlist_get_last(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list)
|
||||
- return NULL;
|
||||
-
|
||||
- while (temp->next != NULL)
|
||||
- temp = temp->next;
|
||||
-
|
||||
- return temp;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-CK_ULONG dlist_length(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
- CK_ULONG len = 0;
|
||||
-
|
||||
- while (temp) {
|
||||
- len++;
|
||||
- temp = temp->next;
|
||||
- }
|
||||
-
|
||||
- return len;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-DL_NODE *dlist_next(DL_NODE *node)
|
||||
-{
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- return node->next;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-DL_NODE *dlist_prev(DL_NODE *node)
|
||||
-{
|
||||
- if (!node)
|
||||
- return NULL;
|
||||
-
|
||||
- return node->prev;
|
||||
-}
|
||||
-
|
||||
-//
|
||||
-//
|
||||
-void dlist_purge(DL_NODE *list)
|
||||
-{
|
||||
- DL_NODE *node;
|
||||
-
|
||||
- if (!list)
|
||||
- return;
|
||||
-
|
||||
- do {
|
||||
- node = list->next;
|
||||
- free(list);
|
||||
- list = node;
|
||||
- } while (list);
|
||||
-}
|
||||
-
|
||||
-// Function: dlist_remove_node()
|
||||
-//
|
||||
-// Attempts to remove the specified node from the list. The caller is
|
||||
-// responsible for freeing the data associated with the node prior to
|
||||
-// calling this routine
|
||||
-//
|
||||
-DL_NODE *dlist_remove_node(DL_NODE *list, DL_NODE *node)
|
||||
-{
|
||||
- DL_NODE *temp = list;
|
||||
-
|
||||
- if (!list || !node)
|
||||
- return NULL;
|
||||
-
|
||||
- // special case: removing head of the list
|
||||
- //
|
||||
- if (list == node) {
|
||||
- temp = list->next;
|
||||
- if (temp)
|
||||
- temp->prev = NULL;
|
||||
-
|
||||
- free(list);
|
||||
- return temp;
|
||||
- }
|
||||
- // we have no guarantee that the node is in the list
|
||||
- // so search through the list to find it
|
||||
- //
|
||||
- while ((temp != NULL) && (temp->next != node))
|
||||
- temp = temp->next;
|
||||
-
|
||||
- if (temp != NULL) {
|
||||
- DL_NODE *next = node->next;
|
||||
-
|
||||
- temp->next = next;
|
||||
- if (next)
|
||||
- next->prev = temp;
|
||||
-
|
||||
- free(node);
|
||||
- }
|
||||
-
|
||||
- return list;
|
||||
-}
|
||||
-
|
||||
CK_RV CreateXProcLock(char *tokname, STDLL_TokData_t *tokdata)
|
||||
{
|
||||
char lockfile[PATH_MAX];
|
||||
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
index bc617124..b5574d9e 100644
|
||||
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||
@@ -36,7 +36,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = \
|
||||
usr/lib/common/utility.c usr/lib/common/trace.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/attributes.c usr/lib/common/sw_crypt.c \
|
||||
- usr/lib/common/profile_obj.c \
|
||||
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||
usr/lib/common/pkey_utils.c \
|
||||
usr/lib/ep11_stdll/new_host.c usr/lib/ep11_stdll/ep11_specific.c
|
||||
|
||||
diff --git a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
index d8448486..8f467e11 100644
|
||||
--- a/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
+++ b/usr/lib/ica_s390_stdll/ica_s390_stdll.mk
|
||||
@@ -34,7 +34,7 @@ opencryptoki_stdll_libpkcs11_ica_la_SOURCES = \
|
||||
usr/lib/common/verify_mgr.c usr/lib/common/trace.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/profile_obj.c usr/lib/common/attributes.c \
|
||||
- usr/lib/ica_s390_stdll/ica_specific.c
|
||||
+ usr/lib/ica_s390_stdll/ica_specific.c usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_ica_la_SOURCES += \
|
||||
diff --git a/usr/lib/icsf_stdll/icsf_stdll.mk b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
index 788478c2..21c64f9a 100644
|
||||
--- a/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
+++ b/usr/lib/icsf_stdll/icsf_stdll.mk
|
||||
@@ -43,7 +43,7 @@ opencryptoki_stdll_libpkcs11_icsf_la_SOURCES = \
|
||||
usr/lib/common/mech_ssl3.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/mech_list.c usr/lib/common/shared_memory.c \
|
||||
usr/lib/common/attributes.c usr/lib/icsf_stdll/new_host.c \
|
||||
- usr/lib/common/profile_obj.c \
|
||||
+ usr/lib/common/profile_obj.c usr/lib/common/dlist.c \
|
||||
usr/lib/icsf_stdll/pbkdf.c usr/lib/icsf_stdll/icsf_specific.c \
|
||||
usr/lib/icsf_stdll/icsf_config_parse.y \
|
||||
usr/lib/icsf_stdll/icsf_config_lexer.l \
|
||||
diff --git a/usr/lib/soft_stdll/soft_stdll.mk b/usr/lib/soft_stdll/soft_stdll.mk
|
||||
index cea802b5..ac401539 100644
|
||||
--- a/usr/lib/soft_stdll/soft_stdll.mk
|
||||
+++ b/usr/lib/soft_stdll/soft_stdll.mk
|
||||
@@ -32,7 +32,8 @@ opencryptoki_stdll_libpkcs11_sw_la_SOURCES = \
|
||||
usr/lib/common/utility.c usr/lib/common/verify_mgr.c \
|
||||
usr/lib/common/trace.c usr/lib/common/mech_list.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
- usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c
|
||||
+ usr/lib/soft_stdll/soft_specific.c usr/lib/common/attributes.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_sw_la_SOURCES += \
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_stdll.mk b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
index f199a103..0e0eb024 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
+++ b/usr/lib/tpm_stdll/tpm_stdll.mk
|
||||
@@ -34,7 +34,8 @@ opencryptoki_stdll_libpkcs11_tpm_la_SOURCES = \
|
||||
usr/lib/common/verify_mgr.c usr/lib/common/mech_list.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
usr/lib/tpm_stdll/tpm_specific.c usr/lib/common/attributes.c \
|
||||
- usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c
|
||||
+ usr/lib/tpm_stdll/tpm_openssl.c usr/lib/tpm_stdll/tpm_util.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
|
||||
if ENABLE_LOCKS
|
||||
opencryptoki_stdll_libpkcs11_tpm_la_SOURCES += \
|
||||
diff --git a/usr/sbin/pkcscca/pkcscca.mk b/usr/sbin/pkcscca/pkcscca.mk
|
||||
index a223265f..cc40f819 100644
|
||||
--- a/usr/sbin/pkcscca/pkcscca.mk
|
||||
+++ b/usr/sbin/pkcscca/pkcscca.mk
|
||||
@@ -36,7 +36,7 @@ usr_sbin_pkcscca_pkcscca_SOURCES = \
|
||||
usr/lib/common/p11util.c usr/lib/common/sw_crypt.c \
|
||||
usr/lib/common/shared_memory.c usr/lib/common/profile_obj.c \
|
||||
usr/lib/common/attributes.c usr/lib/common/mech_rng.c \
|
||||
- usr/lib/common/pkcs_utils.c \
|
||||
+ usr/lib/common/pkcs_utils.c usr/lib/common/dlist.c \
|
||||
usr/sbin/pkcscca/pkcscca.c
|
||||
|
||||
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.mk b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
index 4f0e3c56..2d36b4a9 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.mk
|
||||
@@ -21,5 +21,6 @@ usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||
usr/sbin/pkcsslotd/socket_server.c
|
||||
|
||||
nodist_usr_sbin_pkcsslotd_pkcsslotd_SOURCES = \
|
||||
- usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c
|
||||
+ usr/lib/common/parser.h usr/lib/common/parser.c usr/lib/common/lexer.c \
|
||||
+ usr/lib/common/dlist.c
|
||||
usr/sbin/pkcsslotd/slotmgr.$(OBJEXT): usr/lib/common/parser.h
|
@ -1,25 +0,0 @@
|
||||
commit e88a9de3128df1c4b89bd4c7312c15bb3eb34593
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu Jul 8 15:18:30 2021 +0200
|
||||
|
||||
pkcstok_migrate: Don't remove 'tokversion = x.y' during migration
|
||||
|
||||
When migrating a slot the opencryptoki.conf file is modified. If it
|
||||
contains slots that already contain the 'tokversion = x.y' keyword,
|
||||
this is accidentally removed when migrating another slot.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 3df1596e..05081aff 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2119,7 +2119,7 @@ static int parseupdate_key_vers(void *private, int tok, unsigned int vers)
|
||||
{
|
||||
struct parseupdate *u = (struct parseupdate *)private;
|
||||
|
||||
- if (tok != KW_TOKVERSION)
|
||||
+ if (tok == KW_TOKVERSION && !u->activeslot)
|
||||
fprintf(u->f, " %s = %d.%d", keyword_token_to_str(tok),
|
||||
vers >> 16, vers & 0xffu);
|
||||
return 0;
|
@ -1,310 +0,0 @@
|
||||
commit e9548127edae313da7840bcb87fd0afd04549c2e
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Feb 8 15:26:23 2021 +0100
|
||||
|
||||
pkcsslotd: Refactoring in preparation for event support
|
||||
|
||||
No functional change so far, just making things a bit bore clearer.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/include/slotmgr.h b/usr/include/slotmgr.h
|
||||
index 3950a9a3..4d038435 100644
|
||||
--- a/usr/include/slotmgr.h
|
||||
+++ b/usr/include/slotmgr.h
|
||||
@@ -30,7 +30,7 @@
|
||||
#define TOK_PATH SBIN_PATH "/pkcsslotd"
|
||||
#define OCK_API_LOCK_FILE LOCKDIR_PATH "/LCK..APIlock"
|
||||
|
||||
-#define SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||
+#define PROC_SOCKET_FILE_PATH "/var/run/pkcsslotd.socket"
|
||||
|
||||
#define PID_FILE_PATH "/var/run/pkcsslotd.pid"
|
||||
#define OCK_CONFIG OCK_CONFDIR "/opencryptoki.conf"
|
||||
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
|
||||
index b74b763f..2873a20a 100644
|
||||
--- a/usr/lib/api/api_interface.c
|
||||
+++ b/usr/lib/api/api_interface.c
|
||||
@@ -2831,7 +2831,7 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
|
||||
TRACE_DEBUG("Shared memory %p \n", Anchor->SharedMemP);
|
||||
|
||||
/* Connect to slot daemon and retrieve slot infos */
|
||||
- Anchor->socketfd = connect_socket(SOCKET_FILE_PATH);
|
||||
+ Anchor->socketfd = connect_socket(PROC_SOCKET_FILE_PATH);
|
||||
if (Anchor->socketfd < 0) {
|
||||
OCK_SYSLOG(LOG_ERR, "C_Initialize: Module failed to create a "
|
||||
"socket. Verify that the slot management daemon is "
|
||||
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
index 813db9f4..69eb59f3 100644
|
||||
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
|
||||
@@ -61,7 +61,6 @@ extern key_t tok;
|
||||
extern Slot_Info_t_64 sinfo[NUMBER_SLOTS_MANAGED];
|
||||
extern unsigned int NumberSlotsInDB;
|
||||
|
||||
-extern int socketfd;
|
||||
extern Slot_Mgr_Socket_t socketData;
|
||||
|
||||
|
||||
@@ -89,9 +88,9 @@ int XProcLock(void);
|
||||
int XProcUnLock(void);
|
||||
int CreateXProcLock(void);
|
||||
|
||||
-int CreateListenerSocket(void);
|
||||
-int InitSocketData(Slot_Mgr_Socket_t *sp);
|
||||
-int SocketConnectionHandler(int socketfd, int timeout_secs);
|
||||
-void DetachSocketListener(int socketfd);
|
||||
+int init_socket_server();
|
||||
+int term_socket_server();
|
||||
+int init_socket_data(Slot_Mgr_Socket_t *sp);
|
||||
+int socket_connection_handler(int timeout_secs);
|
||||
|
||||
#endif /* _SLOTMGR_H */
|
||||
diff --git a/usr/sbin/pkcsslotd/signal.c b/usr/sbin/pkcsslotd/signal.c
|
||||
index cf7b9087..49482a2f 100644
|
||||
--- a/usr/sbin/pkcsslotd/signal.c
|
||||
+++ b/usr/sbin/pkcsslotd/signal.c
|
||||
@@ -101,7 +101,7 @@ void slotdGenericSignalHandler(int Signal)
|
||||
|
||||
InfoLog("Exiting on %s (%d; %#x)", SignalConst(Signal), Signal, Signal);
|
||||
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
index ea5c86f5..94288f13 100644
|
||||
--- a/usr/sbin/pkcsslotd/slotmgr.c
|
||||
+++ b/usr/sbin/pkcsslotd/slotmgr.c
|
||||
@@ -37,7 +37,6 @@ unsigned int NumberSlotsInDB = 0;
|
||||
|
||||
Slot_Info_t_64 *psinfo;
|
||||
|
||||
-int socketfd;
|
||||
Slot_Mgr_Socket_t socketData;
|
||||
|
||||
struct dircheckinfo_s {
|
||||
@@ -569,15 +568,15 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (!XProcUnLock())
|
||||
return 4;
|
||||
|
||||
- if ((socketfd = CreateListenerSocket()) < 0) {
|
||||
+ if (!init_socket_server()) {
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
return 5;
|
||||
}
|
||||
|
||||
- if (!InitSocketData(&socketData)) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ if (!init_socket_data(&socketData)) {
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -598,7 +597,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
if (Daemon) {
|
||||
pid_t pid;
|
||||
if ((pid = fork()) < 0) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -643,7 +642,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
* the daemonization process redefines our handler for (at least) SIGTERM
|
||||
*/
|
||||
if (!SetupSignalHandlers()) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -664,7 +663,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
printf("Start garbage \n");
|
||||
/* start garbage collection thread */
|
||||
if (!StartGCThread(shmp)) {
|
||||
- DetachSocketListener(socketfd);
|
||||
+ term_socket_server();
|
||||
DestroyMutexes();
|
||||
DetachFromSharedMemory();
|
||||
DestroySharedMemory();
|
||||
@@ -684,7 +683,7 @@ int main(int argc, char *argv[], char *envp[])
|
||||
#if !(THREADED) && !(NOGARBAGE)
|
||||
CheckForGarbage(shmp);
|
||||
#endif
|
||||
- SocketConnectionHandler(socketfd, 10);
|
||||
+ socket_connection_handler(10);
|
||||
}
|
||||
|
||||
/*************************************************************
|
||||
diff --git a/usr/sbin/pkcsslotd/socket_server.c b/usr/sbin/pkcsslotd/socket_server.c
|
||||
index ae0eff92..1fae0b95 100644
|
||||
--- a/usr/sbin/pkcsslotd/socket_server.c
|
||||
+++ b/usr/sbin/pkcsslotd/socket_server.c
|
||||
@@ -25,10 +25,14 @@
|
||||
#include "pkcsslotd.h"
|
||||
#include "apictl.h"
|
||||
|
||||
+int proc_listener_socket = -1;
|
||||
+
|
||||
+static void close_listener_socket(int socketfd, const char *file_path);
|
||||
+
|
||||
// Creates the daemon's listener socket, to which clients will connect and
|
||||
// retrieve slot information through. Returns the file descriptor of the
|
||||
// created socket.
|
||||
-int CreateListenerSocket(void)
|
||||
+static int create_listener_socket(const char *file_path)
|
||||
{
|
||||
struct sockaddr_un address;
|
||||
struct group *grp;
|
||||
@@ -39,53 +43,60 @@ int CreateListenerSocket(void)
|
||||
ErrLog("Failed to create listener socket, errno 0x%X.", errno);
|
||||
return -1;
|
||||
}
|
||||
- if (unlink(SOCKET_FILE_PATH) && errno != ENOENT) {
|
||||
+ if (unlink(file_path) && errno != ENOENT) {
|
||||
ErrLog("Failed to unlink socket file, errno 0x%X.", errno);
|
||||
- close(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
memset(&address, 0, sizeof(struct sockaddr_un));
|
||||
address.sun_family = AF_UNIX;
|
||||
- strcpy(address.sun_path, SOCKET_FILE_PATH);
|
||||
+ strcpy(address.sun_path, file_path);
|
||||
|
||||
if (bind(socketfd,
|
||||
(struct sockaddr *) &address, sizeof(struct sockaddr_un)) != 0) {
|
||||
ErrLog("Failed to bind to socket, errno 0x%X.", errno);
|
||||
- close(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
// make socket file part of the pkcs11 group, and write accessable
|
||||
// for that group
|
||||
grp = getgrnam("pkcs11");
|
||||
if (!grp) {
|
||||
ErrLog("Group PKCS#11 does not exist");
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
- if (chown(SOCKET_FILE_PATH, 0, grp->gr_gid)) {
|
||||
+ if (chown(file_path, 0, grp->gr_gid)) {
|
||||
ErrLog("Could not change file group on socket, errno 0x%X.", errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
- if (chmod(SOCKET_FILE_PATH,
|
||||
+ if (chmod(file_path,
|
||||
S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP | S_IXUSR | S_IXGRP)) {
|
||||
ErrLog("Could not change file permissions on socket, errno 0x%X.",
|
||||
errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
if (listen(socketfd, 20) != 0) {
|
||||
ErrLog("Failed to listen to socket, errno 0x%X.", errno);
|
||||
- DetachSocketListener(socketfd);
|
||||
- return -1;
|
||||
+ goto error;
|
||||
}
|
||||
|
||||
return socketfd;
|
||||
+
|
||||
+error:
|
||||
+ if (socketfd >= 0)
|
||||
+ close_listener_socket(socketfd, file_path);
|
||||
+
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static void close_listener_socket(int socketfd, const char *file_path)
|
||||
+{
|
||||
+ close(socketfd);
|
||||
+ unlink(file_path);
|
||||
}
|
||||
|
||||
-int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||
+int init_socket_data(Slot_Mgr_Socket_t *socketData)
|
||||
{
|
||||
unsigned int processed = 0;
|
||||
|
||||
@@ -102,19 +113,19 @@ int InitSocketData(Slot_Mgr_Socket_t *socketData)
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
-int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
+int socket_connection_handler(int timeout_secs)
|
||||
{
|
||||
int returnVal;
|
||||
fd_set set;
|
||||
struct timeval timeout;
|
||||
|
||||
FD_ZERO(&set);
|
||||
- FD_SET(socketfd, &set);
|
||||
+ FD_SET(proc_listener_socket, &set);
|
||||
|
||||
timeout.tv_sec = timeout_secs;
|
||||
timeout.tv_usec = 0;
|
||||
|
||||
- returnVal = select(socketfd + 1, &set, NULL, NULL, &timeout);
|
||||
+ returnVal = select(proc_listener_socket + 1, &set, NULL, NULL, &timeout);
|
||||
if (returnVal == -1) {
|
||||
ErrLog("select failed on socket connection, errno 0x%X.", errno);
|
||||
return FALSE;
|
||||
@@ -125,7 +136,7 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
struct sockaddr_un address;
|
||||
socklen_t address_length = sizeof(address);
|
||||
|
||||
- int connectionfd = accept(socketfd,
|
||||
+ int connectionfd = accept(proc_listener_socket,
|
||||
(struct sockaddr *) &address,
|
||||
&address_length);
|
||||
if (connectionfd < 0) {
|
||||
@@ -138,6 +149,10 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
}
|
||||
return FALSE;
|
||||
}
|
||||
+
|
||||
+ DbgLog(DL0, "Accepted connection from process: socket: %d",
|
||||
+ connectionfd);
|
||||
+
|
||||
if (write(connectionfd, &socketData, sizeof(socketData)) !=
|
||||
sizeof(socketData)) {
|
||||
ErrLog("Failed to write socket data, errno 0x%X.", errno);
|
||||
@@ -149,8 +164,23 @@ int SocketConnectionHandler(int socketfd, int timeout_secs)
|
||||
}
|
||||
}
|
||||
|
||||
-void DetachSocketListener(int socketfd)
|
||||
+int init_socket_server()
|
||||
{
|
||||
- close(socketfd);
|
||||
- unlink(SOCKET_FILE_PATH);
|
||||
+ proc_listener_socket = create_listener_socket(PROC_SOCKET_FILE_PATH);
|
||||
+ if (proc_listener_socket < 0)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ DbgLog(DL0, "Socket server started");
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
+int term_socket_server()
|
||||
+{
|
||||
+ if (proc_listener_socket >= 0)
|
||||
+ close_listener_socket(proc_listener_socket, PROC_SOCKET_FILE_PATH);
|
||||
+
|
||||
+ DbgLog(DL0, "Socket server stopped");
|
||||
+
|
||||
+ return TRUE;
|
||||
}
|
@ -1,287 +0,0 @@
|
||||
commit fa94a16116d8382a987ddf9e8cdd88027dd1f647
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Feb 16 17:13:34 2021 +0100
|
||||
|
||||
Event support: Add event client
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/common.mk b/usr/lib/common/common.mk
|
||||
index 2178ad45..882c84f4 100644
|
||||
--- a/usr/lib/common/common.mk
|
||||
+++ b/usr/lib/common/common.mk
|
||||
@@ -4,7 +4,7 @@ noinst_HEADERS += \
|
||||
usr/lib/common/shared_memory.h usr/lib/common/tok_spec_struct.h \
|
||||
usr/lib/common/trace.h usr/lib/common/h_extern.h \
|
||||
usr/lib/common/sw_crypt.h usr/lib/common/defs.h \
|
||||
- usr/lib/common/p11util.h \
|
||||
+ usr/lib/common/p11util.h usr/lib/common/event_client.h \
|
||||
usr/lib/common/list.h usr/lib/common/tok_specific.h
|
||||
|
||||
usr/lib/common/lexer.c: usr/lib/common/parser.h
|
||||
diff --git a/usr/lib/common/event_client.c b/usr/lib/common/event_client.c
|
||||
new file mode 100644
|
||||
index 00000000..86117b84
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/event_client.c
|
||||
@@ -0,0 +1,215 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <errno.h>
|
||||
+#include <sys/un.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <stdio.h>
|
||||
+#include <unistd.h>
|
||||
+#include <grp.h>
|
||||
+
|
||||
+#include "slotmgr.h"
|
||||
+#include "event_client.h"
|
||||
+
|
||||
+static int connect_socket(const char *file_path)
|
||||
+{
|
||||
+ int socketfd;
|
||||
+ struct sockaddr_un daemon_address;
|
||||
+ struct stat file_info;
|
||||
+ struct group *grp;
|
||||
+ int rc;
|
||||
+
|
||||
+ if (stat(file_path, &file_info))
|
||||
+ return -errno;
|
||||
+
|
||||
+ grp = getgrnam("pkcs11");
|
||||
+ if (!grp)
|
||||
+ return -errno;
|
||||
+
|
||||
+ if (file_info.st_uid != 0 || file_info.st_gid != grp->gr_gid)
|
||||
+ return -EPERM;
|
||||
+
|
||||
+ if ((socketfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
|
||||
+ return -errno;
|
||||
+
|
||||
+ memset(&daemon_address, 0, sizeof(struct sockaddr_un));
|
||||
+ daemon_address.sun_family = AF_UNIX;
|
||||
+ strcpy(daemon_address.sun_path, file_path);
|
||||
+
|
||||
+ if (connect(socketfd, (struct sockaddr *) &daemon_address,
|
||||
+ sizeof(struct sockaddr_un)) != 0) {
|
||||
+ rc = -errno;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ return socketfd;
|
||||
+
|
||||
+error:
|
||||
+ close(socketfd);
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+static ssize_t read_all(int socketfd, char *buffer, size_t size)
|
||||
+{
|
||||
+ size_t bytes_received = 0;
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ while (bytes_received < size) {
|
||||
+ n = read(socketfd, buffer + bytes_received, size - bytes_received);
|
||||
+ if (n < 0) {
|
||||
+ // read error
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ return -errno;
|
||||
+ }
|
||||
+ if (n == 0)
|
||||
+ break;
|
||||
+
|
||||
+ bytes_received += n;
|
||||
+ }
|
||||
+
|
||||
+ return bytes_received;
|
||||
+}
|
||||
+
|
||||
+static ssize_t send_all(int socketfd, char *buffer, size_t size)
|
||||
+{
|
||||
+ size_t bytes_sent = 0;
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ while (bytes_sent < size) {
|
||||
+ n = send(socketfd, buffer + bytes_sent, size - bytes_sent, 0);
|
||||
+ if (n < 0) {
|
||||
+ // send error
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ return -errno;
|
||||
+ }
|
||||
+ if (n == 0)
|
||||
+ break;
|
||||
+
|
||||
+ bytes_sent += n;
|
||||
+ }
|
||||
+
|
||||
+ return bytes_sent;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Initialize an admin connection to the pkcsslotd.
|
||||
+ * Returns a file descriptor representing the connection, or a negative errno
|
||||
+ * in case of an error.
|
||||
+ */
|
||||
+int init_event_client()
|
||||
+{
|
||||
+ int fd;
|
||||
+
|
||||
+ fd = connect_socket(ADMIN_SOCKET_FILE_PATH);
|
||||
+
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Send an event though the admin connection to the pkcsslotd, and thus to
|
||||
+ * all active token instances.
|
||||
+ * If parameter fd is < 0, then a connection to pkcsslotd is established
|
||||
+ * inside the function and closed before return. This is for a one shot event.
|
||||
+ * Otherwise, pass a file descriptor received from init_event_client(). This
|
||||
+ * is to send multiple events.
|
||||
+ * Event type is mandatory, flags can be zero.
|
||||
+ * The event payload is optional, if payload_len is non-zero, then payload must
|
||||
+ * point to a buffer containing the payload to send with the event.
|
||||
+ * The event destination can be used to selectively send the event to certain
|
||||
+ * token instances only. If destination is NULL, it is sent to all token
|
||||
+ * instances.
|
||||
+ * If flag EVENT_FLAGS_REPLY_REQ is on in the flags parameter, then it is waited
|
||||
+ * until all active token instances have replied. The combined result of the
|
||||
+ * replies from the token instances is returned in the reply structure.
|
||||
+ * Parameter reply must be non-NULL if flag EVENT_FLAGS_REPLY_REQ is set.
|
||||
+ * Returns zero for success, or a negative errno in case of an error. In most
|
||||
+ * error cases the connection to the pkcsslotd is out of sequence and can no
|
||||
+ * longer be used to send further events.
|
||||
+ */
|
||||
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||
+ unsigned int payload_len, const char *payload,
|
||||
+ const struct event_destination *destination,
|
||||
+ struct event_reply *reply)
|
||||
+{
|
||||
+ event_msg_t event_msg;
|
||||
+ event_reply_t event_reply;
|
||||
+ int rc, term = 0;
|
||||
+
|
||||
+ if (payload_len > 0 && payload == NULL)
|
||||
+ return -EINVAL;
|
||||
+ if ((flags & EVENT_FLAGS_REPLY_REQ) && reply == NULL)
|
||||
+ return -EINVAL;
|
||||
+ if (payload_len > EVENT_MAX_PAYLOAD_LENGTH)
|
||||
+ return -EMSGSIZE;
|
||||
+
|
||||
+ if (fd < 0) {
|
||||
+ fd = init_event_client();
|
||||
+ if (fd < 0)
|
||||
+ return fd;
|
||||
+ term = 1;
|
||||
+ }
|
||||
+
|
||||
+ memset(&event_msg, 0, sizeof(event_msg));
|
||||
+ event_msg.version = EVENT_VERSION_1;
|
||||
+ event_msg.type = type;
|
||||
+ event_msg.flags = flags;
|
||||
+ if (destination != NULL) {
|
||||
+ event_msg.token_type = destination->token_type;
|
||||
+ memcpy(event_msg.token_label, destination->token_label,
|
||||
+ sizeof(event_msg.token_label));
|
||||
+ event_msg.process_id = destination->process_id;
|
||||
+ } else {
|
||||
+ memset(event_msg.token_label, ' ', sizeof(event_msg.token_label));
|
||||
+ }
|
||||
+ event_msg.payload_len = payload_len;
|
||||
+
|
||||
+ rc = send_all(fd, (char *)&event_msg, sizeof(event_msg));
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ if (payload_len > 0) {
|
||||
+ rc = send_all(fd, (char *)payload, payload_len);
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (flags & EVENT_FLAGS_REPLY_REQ) {
|
||||
+ rc = read_all(fd, (char *)&event_reply, sizeof(event_reply));
|
||||
+ if (rc < 0)
|
||||
+ goto out;
|
||||
+
|
||||
+ reply->positive_replies = event_reply.positive_replies;
|
||||
+ reply->negative_replies = event_reply.negative_replies;
|
||||
+ reply->nothandled_replies = event_reply.nothandled_replies;
|
||||
+ }
|
||||
+
|
||||
+ rc = 0;
|
||||
+
|
||||
+out:
|
||||
+ if (term)
|
||||
+ term_event_client(fd);
|
||||
+
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Terminate the admin connection to the pkcsslotd.
|
||||
+ */
|
||||
+void term_event_client(int fd)
|
||||
+{
|
||||
+ if (fd >= 0)
|
||||
+ close(fd);
|
||||
+}
|
||||
+
|
||||
diff --git a/usr/lib/common/event_client.h b/usr/lib/common/event_client.h
|
||||
new file mode 100644
|
||||
index 00000000..2e4917b0
|
||||
--- /dev/null
|
||||
+++ b/usr/lib/common/event_client.h
|
||||
@@ -0,0 +1,39 @@
|
||||
+/*
|
||||
+ * COPYRIGHT (c) International Business Machines Corp. 2021
|
||||
+ *
|
||||
+ * This program is provided under the terms of the Common Public License,
|
||||
+ * version 1.0 (CPL-1.0). Any use, reproduction or distribution for this
|
||||
+ * software constitutes recipient's acceptance of CPL-1.0 terms which can be
|
||||
+ * found in the file LICENSE file or at
|
||||
+ * https://opensource.org/licenses/cpl1.0.php
|
||||
+ */
|
||||
+
|
||||
+
|
||||
+#ifndef _EVENT_CLIENT_H_
|
||||
+#define _EVENT_CLIENT_H_
|
||||
+
|
||||
+#include "events.h"
|
||||
+
|
||||
+struct event_destination {
|
||||
+ unsigned int token_type; /* Destination token type: EVENT_TOK_TYPE_xxx */
|
||||
+ char token_label[member_size(event_msg_t, token_label)];
|
||||
+ /* Label of destination token (or blanks) */
|
||||
+ pid_t process_id; /* Process ID of destination process (or 0) */
|
||||
+};
|
||||
+
|
||||
+struct event_reply {
|
||||
+ unsigned long positive_replies;
|
||||
+ unsigned long negative_replies;
|
||||
+ unsigned long nothandled_replies;
|
||||
+};
|
||||
+
|
||||
+int init_event_client();
|
||||
+
|
||||
+int send_event(int fd, unsigned int type, unsigned int flags,
|
||||
+ unsigned int payload_len, const char *payload,
|
||||
+ const struct event_destination *destination,
|
||||
+ struct event_reply *reply);
|
||||
+
|
||||
+void term_event_client(int fd);
|
||||
+
|
||||
+#endif
|
@ -1,106 +0,0 @@
|
||||
commit 5951869263b556280da53498270cf4826f779c5b
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Jul 13 09:05:22 2021 +0200
|
||||
|
||||
pkcstok_migrate: Fix detection if pkcsslotd is still running
|
||||
|
||||
Change the code to use the pid file that pkcsslotd creates, and check
|
||||
if the process with the pid contained in the pid file still exists and
|
||||
runs pkcsslotd.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
index 05081aff..a29dc8f7 100644
|
||||
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
|
||||
@@ -2474,54 +2474,53 @@ static CK_RV backup_repository(const char *data_store)
|
||||
*/
|
||||
static CK_BBOOL pkcsslotd_running(void)
|
||||
{
|
||||
- DIR *dir;
|
||||
FILE *fp;
|
||||
- struct dirent* ent;
|
||||
char* endptr;
|
||||
- char buf[PATH_MAX];
|
||||
+ long lpid;
|
||||
char fname[PATH_MAX];
|
||||
+ char buf[PATH_MAX];
|
||||
+ char* first;
|
||||
|
||||
TRACE_INFO("Checking if pkcsslotd is running ...\n");
|
||||
- if (!(dir = opendir("/proc"))) {
|
||||
- TRACE_WARN("Cannot open /proc, i.e. cannot check if pkcsslotd is running.\n");
|
||||
- return CK_TRUE;
|
||||
+
|
||||
+ fp = fopen(PID_FILE_PATH, "r");
|
||||
+ if (fp == NULL) {
|
||||
+ TRACE_INFO("Pid file '%s' not existent, pkcsslotd is not running\n",
|
||||
+ PID_FILE_PATH);
|
||||
+ return CK_FALSE;
|
||||
}
|
||||
|
||||
- while ((ent = readdir(dir)) != NULL) {
|
||||
- /* if endptr is not a null character, the directory is not
|
||||
- * entirely numeric, so ignore it */
|
||||
- long lpid = strtol(ent->d_name, &endptr, 10);
|
||||
- if (*endptr != '\0') {
|
||||
- continue;
|
||||
- }
|
||||
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ TRACE_WARN("Cannot read pid file '%s': %s\n", PID_FILE_PATH,
|
||||
+ strerror(errno));
|
||||
+ fclose(fp);
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
|
||||
- /* try to open the cmdline file */
|
||||
- snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||
- fp = fopen(fname, "r");
|
||||
- if (!fp) {
|
||||
- warnx("fopen(%s) failed, errno=%s", fname, strerror(errno));
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
+ lpid = strtol(buf, &endptr, 10);
|
||||
+ if (*endptr != '\0' && *endptr != '\n') {
|
||||
+ TRACE_WARN("Failed to parse pid file '%s': %s\n", PID_FILE_PATH,
|
||||
+ buf);
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
|
||||
- /* check the first token in the file: the program pathname */
|
||||
- if (fgets(buf, sizeof(buf), fp) != NULL) {
|
||||
- char* first = strtok(buf, " ");
|
||||
- if (!first) {
|
||||
- TRACE_WARN("Cannot read program name from %s, i.e. cannot check if pkcsslotd is running.\n",
|
||||
- fname);
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
- if (strstr(first, "pkcsslotd") != NULL) {
|
||||
- fclose(fp);
|
||||
- closedir(dir);
|
||||
- return CK_TRUE;
|
||||
- }
|
||||
- }
|
||||
+ snprintf(fname, sizeof(fname), "/proc/%ld/cmdline", lpid);
|
||||
+ fp = fopen(fname, "r");
|
||||
+ if (fp == NULL) {
|
||||
+ TRACE_INFO("Stale pid file, pkcsslotd is not running\n");
|
||||
+ return CK_FALSE;
|
||||
+ }
|
||||
+
|
||||
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
|
||||
+ TRACE_INFO("Failed to read '%s'\n", fname);
|
||||
fclose(fp);
|
||||
+ return CK_FALSE;
|
||||
}
|
||||
+ fclose(fp);
|
||||
|
||||
- closedir(dir);
|
||||
- return CK_FALSE;
|
||||
+ first = strtok(buf, " ");
|
||||
+ return (first != NULL && strstr(first, "pkcsslotd") != NULL);
|
||||
}
|
||||
|
||||
/**
|
@ -1,12 +0,0 @@
|
||||
diff -up opencryptoki/configure.in.no-undefined opencryptoki/configure.in
|
||||
--- opencryptoki/configure.in.no-undefined 2015-08-27 11:49:50.815984145 +0200
|
||||
+++ opencryptoki/configure.in 2015-08-27 11:50:59.432874245 +0200
|
||||
@@ -574,7 +574,7 @@ fi
|
||||
AM_CONDITIONAL([ENABLE_PKCSCCA_MIGRATE], [test "x$enable_pkcscca_migrate" = "xyes"])
|
||||
AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
|
||||
|
||||
-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
|
||||
+CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wl,--no-undefined"
|
||||
|
||||
CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'
|
||||
|
@ -1,24 +0,0 @@
|
||||
commit 11196c4d7e221d29f0d385bd48ae4d6023a6e874
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 10:56:17 2021 +0200
|
||||
|
||||
CONFIGURE: fix configure.ac for --with-openssl
|
||||
|
||||
The openSSL include files are in <openssl-path>/include while
|
||||
the libraries are in <openssl-path> directly.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index e2cc537a..d3374476 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -272,7 +272,7 @@ OPENSSL_CFLAGS=
|
||||
OPENSSL_LIBS=
|
||||
if test "x$with_openssl" != "xno"; then
|
||||
if test "x$with_openssl" != "xyes" -a "x$with_openssl" != "xcheck"; then
|
||||
- OPENSSL_CFLAGS="-I$with_openssl"
|
||||
+ OPENSSL_CFLAGS="-I$with_openssl/include"
|
||||
OPENSSL_LIBS="-L$with_openssl"
|
||||
fi
|
||||
old_cflags="$CFLAGS"
|
@ -1,123 +0,0 @@
|
||||
commit 11a53055b22d590bd3c197908b0ff63f6fd3c520
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Jun 29 17:35:18 2021 +0200
|
||||
|
||||
COMMON: mech_ec: Remove deprecated OpenSSL functions
|
||||
|
||||
All low level EC_KEY functions are deprecated in OpenSSL 3.0.
|
||||
Update the code to not use any of those.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/ec_defs.h b/usr/lib/common/ec_defs.h
|
||||
index 1f48794b..897cf891 100644
|
||||
--- a/usr/lib/common/ec_defs.h
|
||||
+++ b/usr/lib/common/ec_defs.h
|
||||
@@ -14,13 +14,6 @@
|
||||
#include <openssl/opensslv.h>
|
||||
#include "ec_curves.h"
|
||||
|
||||
-/* OpenSSL compat */
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
-# define EC_POINT_get_affine_coordinates EC_POINT_get_affine_coordinates_GFp
|
||||
-# define EC_POINT_set_compressed_coordinates \
|
||||
- EC_POINT_set_compressed_coordinates_GFp
|
||||
-#endif
|
||||
-
|
||||
// Elliptic Curve type
|
||||
//
|
||||
#define PRIME_CURVE 0x00
|
||||
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
|
||||
index b54e2db9..a0a06302 100644
|
||||
--- a/usr/lib/common/mech_ec.c
|
||||
+++ b/usr/lib/common/mech_ec.c
|
||||
@@ -32,34 +32,6 @@
|
||||
#include "openssl/obj_mac.h"
|
||||
#include <openssl/ec.h>
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
-/*
|
||||
- * Older OpenSLL versions do not have BN_bn2binpad, so implement it here
|
||||
- */
|
||||
-static int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
|
||||
-{
|
||||
- int len, pad;
|
||||
- unsigned char *buf;
|
||||
-
|
||||
- len = BN_num_bytes(a);
|
||||
- buf = (unsigned char *)malloc(len);
|
||||
- if (buf == NULL)
|
||||
- return -1;
|
||||
- BN_bn2bin(a, buf);
|
||||
-
|
||||
- if (len >= tolen) {
|
||||
- memcpy(to, buf, tolen);
|
||||
- } else {
|
||||
- pad = tolen - len;
|
||||
- memset(to, 0, pad);
|
||||
- memcpy(to + pad, buf, len);
|
||||
- }
|
||||
-
|
||||
- free(buf);
|
||||
- return tolen;
|
||||
-}
|
||||
-#endif
|
||||
-
|
||||
#ifndef NID_brainpoolP160r1
|
||||
/*
|
||||
* Older OpenSLL versions may not have the brainpool NIDs defined, define them
|
||||
@@ -1522,9 +1494,8 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||
CK_BYTE *d, CK_ULONG d_len,
|
||||
CK_BYTE **point, CK_ULONG *point_len)
|
||||
{
|
||||
- EC_KEY *eckey = NULL;
|
||||
EC_POINT *pub_key = NULL;
|
||||
- const EC_GROUP *group = NULL;
|
||||
+ EC_GROUP *group = NULL;
|
||||
int nid, p_len;
|
||||
BIGNUM *bn_d = NULL, *bn_x = NULL, *bn_y = NULL;
|
||||
CK_RV rc = CKR_OK;
|
||||
@@ -1541,17 +1512,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- eckey = EC_KEY_new_by_curve_name(nid);
|
||||
- if (eckey == NULL) {
|
||||
- rc = CKR_FUNCTION_FAILED;
|
||||
- goto done;
|
||||
- }
|
||||
- if (EC_KEY_set_private_key(eckey, bn_d) != 1) {
|
||||
- rc = CKR_FUNCTION_FAILED;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- group = EC_KEY_get0_group(eckey);
|
||||
+ group = EC_GROUP_new_by_curve_name(nid);
|
||||
if (group == NULL) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto done;
|
||||
@@ -1576,7 +1537,7 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||
rc = CKR_HOST_MEMORY;
|
||||
goto done;
|
||||
}
|
||||
- if (!EC_POINT_get_affine_coordinates_GFp(group, pub_key, bn_x, bn_y, NULL)) {
|
||||
+ if (!EC_POINT_get_affine_coordinates(group, pub_key, bn_x, bn_y, NULL)) {
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
goto done;
|
||||
}
|
||||
@@ -1599,13 +1560,13 @@ CK_RV ec_point_from_priv_key(CK_BYTE *parms, CK_ULONG parms_len,
|
||||
done:
|
||||
if (pub_key)
|
||||
EC_POINT_free(pub_key);
|
||||
- if (eckey)
|
||||
- EC_KEY_free(eckey);
|
||||
BN_clear_free(bn_x);
|
||||
BN_clear_free(bn_y);
|
||||
BN_clear_free(bn_d);
|
||||
if (ec_point != NULL)
|
||||
free(ec_point);
|
||||
+ if (group != NULL)
|
||||
+ EC_GROUP_free(group);
|
||||
|
||||
return rc;
|
||||
}
|
@ -1,30 +0,0 @@
|
||||
commit 145a696d478a1694ef314659a3d374f03f75c1b1
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 5 13:49:09 2021 +0200
|
||||
|
||||
CONFIGURE: Remove AC_FUNC_MALLOC and AC_FUNC_REALLOC
|
||||
|
||||
The AC_FUNC_MALLOC configure check might add the rpl_malloc() entry if it
|
||||
does not like the default malloc implementation. The user would need to
|
||||
provide the rpl_malloc implementation. This happens depending on compiler and
|
||||
OS/distro being used. Same applies for AC_FUNC_REALLOC and rpl_realloc.
|
||||
It happened for me when I configured it with address sanitizer (libubsan,
|
||||
libasan) activated.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index d3374476..286b7408 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -39,10 +39,8 @@ dnl Checks for library functions.
|
||||
AC_FUNC_ALLOCA
|
||||
AC_FUNC_CHOWN
|
||||
AC_FUNC_FORK
|
||||
-AC_FUNC_MALLOC
|
||||
AC_FUNC_MKTIME
|
||||
AC_FUNC_MMAP
|
||||
-AC_FUNC_REALLOC
|
||||
AC_FUNC_STRERROR_R
|
||||
AC_CHECK_FUNCS([atexit ftruncate gettimeofday localtime_r memchr memmove \
|
||||
memset mkdir munmap regcomp select socket strchr strcspn \
|
@ -1,38 +0,0 @@
|
||||
commit 2c116d49359a5eb91ad7f1483c64650c7874a513
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 14:08:03 2021 +0200
|
||||
|
||||
TESTCASES: Skip test if operation state is not savable
|
||||
|
||||
The sess_opstate testcase now handles the return code of CKR_STATE_UNSAVEABLE
|
||||
from C_GetOperationState() and skips the test if that return code is
|
||||
encountered.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/testcases/pkcs11/sess_opstate.c b/testcases/pkcs11/sess_opstate.c
|
||||
index 3235b450..3d1ab9d7 100644
|
||||
--- a/testcases/pkcs11/sess_opstate.c
|
||||
+++ b/testcases/pkcs11/sess_opstate.c
|
||||
@@ -123,6 +123,10 @@ int sess_opstate_funcs(int loops)
|
||||
opstatelen = 0;
|
||||
rc = funcs->C_GetOperationState(s2, NULL, &opstatelen);
|
||||
if (rc != CKR_OK) {
|
||||
+ if (rc == CKR_STATE_UNSAVEABLE) {
|
||||
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
|
||||
+ goto out;
|
||||
+ }
|
||||
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
|
||||
goto out;
|
||||
}
|
||||
@@ -135,6 +139,10 @@ int sess_opstate_funcs(int loops)
|
||||
|
||||
rc = funcs->C_GetOperationState(s2, opstate, &opstatelen);
|
||||
if (rc != CKR_OK) {
|
||||
+ if (rc == CKR_STATE_UNSAVEABLE) {
|
||||
+ testcase_skip("Get/SetOperationState digest test: state unsavable");
|
||||
+ goto out;
|
||||
+ }
|
||||
testcase_error("C_GetOperationState rc=%s", p11_get_ckr(rc));
|
||||
goto out;
|
||||
}
|
@ -1,41 +0,0 @@
|
||||
commit 376e664f082b66de970b62a81588b034fd560d27
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Aug 13 10:54:44 2021 +0200
|
||||
|
||||
TESTCASES: Remove RSA public exponent restriction for Soft token
|
||||
|
||||
Since commit "Allow small RSA exponents in the default provider"
|
||||
https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce
|
||||
in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft
|
||||
token to RSA public exponents of 3 and 65537 only.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/testcases/common/common.c b/testcases/common/common.c
|
||||
index 0a64ecf2..abbe354f 100644
|
||||
--- a/testcases/common/common.c
|
||||
+++ b/testcases/common/common.c
|
||||
@@ -16,6 +16,8 @@
|
||||
#include "pkcs11types.h"
|
||||
#include "regress.h"
|
||||
|
||||
+#define UNUSED(var) ((void)(var))
|
||||
+
|
||||
CK_FUNCTION_LIST *funcs;
|
||||
CK_FUNCTION_LIST_3_0 *funcs3;
|
||||
CK_INTERFACE *ifs;
|
||||
@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||
/** Returns true if pubexp is valid for Soft Tokens **/
|
||||
int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||
{
|
||||
- CK_BYTE exp3[] = { 0x03 }; // 3
|
||||
- CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
|
||||
+ UNUSED(pubexp);
|
||||
+ UNUSED(pubexp_len);
|
||||
|
||||
- return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
|
||||
- || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||
+ return TRUE;
|
||||
}
|
||||
|
||||
/** Returns true if slot_id is an ICSF token
|
@ -1,37 +0,0 @@
|
||||
commit 4dd8a952fc00dd54cce090e4c053de408ba3884b
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Aug 24 10:14:39 2021 +0200
|
||||
|
||||
SOFT: Detect unsupported EC curves with OpenSSL 3.0
|
||||
|
||||
OpenSSL 3.0 behaves different in reporting an error when an unsupported
|
||||
EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error
|
||||
at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns
|
||||
an error only at EVP_PKEY_keygen().
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index 43fd17c3..03767ec8 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include <openssl/cmac.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/bn.h>
|
||||
+#include <openssl/err.h>
|
||||
#if OPENSSL_VERSION_PREREQ(3, 0)
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/param_build.h>
|
||||
@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) {
|
||||
TRACE_ERROR("EVP_PKEY_keygen failed\n");
|
||||
- rc = CKR_FUNCTION_FAILED;
|
||||
+ if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE)
|
||||
+ rc = CKR_CURVE_NOT_SUPPORTED;
|
||||
+ else
|
||||
+ rc = CKR_FUNCTION_FAILED;
|
||||
goto out;
|
||||
}
|
||||
|
@ -1,322 +0,0 @@
|
||||
commit 50408fc3ae0f25b256dda2033d538f88c9b4f903
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 5 16:02:28 2021 +0200
|
||||
|
||||
COMMON: Fix memory leaks
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
|
||||
index 59f82482..a1241693 100644
|
||||
--- a/usr/lib/common/mech_aes.c
|
||||
+++ b/usr/lib/common/mech_aes.c
|
||||
@@ -2359,6 +2359,8 @@ CK_RV aes_mac_sign(STDLL_TokData_t *tokdata,
|
||||
memcpy(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv, mac_len);
|
||||
*out_data_len = mac_len;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
@@ -2497,6 +2499,8 @@ CK_RV aes_mac_sign_final(STDLL_TokData_t *tokdata,
|
||||
memcpy(out_data, context->iv, mac_len);
|
||||
*out_data_len = mac_len;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -2554,8 +2558,12 @@ CK_RV aes_mac_verify(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
|
||||
if (CRYPTO_memcmp(out_data, ((AES_DATA_CONTEXT *) ctx->context)->iv,
|
||||
- out_data_len) == 0)
|
||||
+ out_data_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
@@ -2685,8 +2693,12 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
}
|
||||
|
||||
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
@@ -2766,6 +2778,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||
*out_data_len = mac_len;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
done:
|
||||
object_put(tokdata, key_obj, TRUE);
|
||||
key_obj = NULL;
|
||||
@@ -2913,6 +2927,8 @@ done:
|
||||
object_put(tokdata, key_obj, TRUE);
|
||||
key_obj = NULL;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -2969,9 +2985,12 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||
out_data_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
|
||||
@@ -3105,8 +3124,12 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
|
||||
index 591ad3fa..3582102a 100644
|
||||
--- a/usr/lib/common/mech_des3.c
|
||||
+++ b/usr/lib/common/mech_des3.c
|
||||
@@ -2006,6 +2006,8 @@ CK_RV des3_mac_sign(STDLL_TokData_t *tokdata,
|
||||
|
||||
*out_data_len = mac_len;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
@@ -2144,6 +2146,8 @@ CK_RV des3_mac_sign_final(STDLL_TokData_t *tokdata,
|
||||
|
||||
*out_data_len = mac_len;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -2197,8 +2201,12 @@ CK_RV des3_mac_verify(STDLL_TokData_t *tokdata,
|
||||
key_obj = NULL;
|
||||
|
||||
if (CRYPTO_memcmp(out_data, ((DES_DATA_CONTEXT *) ctx->context)->iv,
|
||||
- out_data_len) == 0)
|
||||
+ out_data_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
@@ -2328,8 +2336,12 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||
}
|
||||
}
|
||||
|
||||
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
@@ -2410,6 +2422,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
object_put(tokdata, key_obj, TRUE);
|
||||
key_obj = NULL;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -2553,6 +2567,8 @@ done:
|
||||
object_put(tokdata, key_obj, TRUE);
|
||||
key_obj = NULL;
|
||||
|
||||
+ sign_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return rc;
|
||||
}
|
||||
|
||||
@@ -2605,8 +2621,12 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||
out_data_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
}
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
+
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
|
||||
@@ -2739,8 +2759,12 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||
|
||||
ctx->context_free_func = des3_cmac_cleanup;
|
||||
|
||||
- if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||
+ if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0) {
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
return CKR_OK;
|
||||
+ }
|
||||
+
|
||||
+ verify_mgr_cleanup(tokdata, sess, ctx);
|
||||
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
diff --git a/usr/lib/common/new_host.c b/usr/lib/common/new_host.c
|
||||
index d01091f9..8bff6ada 100644
|
||||
--- a/usr/lib/common/new_host.c
|
||||
+++ b/usr/lib/common/new_host.c
|
||||
@@ -174,6 +174,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
if (rc != 0) {
|
||||
sltp->FcnList = NULL;
|
||||
detach_shm(sltp->TokData, 0);
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -186,6 +187,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||
if (rc != CKR_OK) {
|
||||
sltp->FcnList = NULL;
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -218,6 +220,7 @@ done:
|
||||
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||
} else {
|
||||
CloseXProcLock(sltp->TokData);
|
||||
+ final_data_store(sltp->TokData);
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
}
|
||||
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
|
||||
index a0e7517c..45f13551 100644
|
||||
--- a/usr/lib/ep11_stdll/new_host.c
|
||||
+++ b/usr/lib/ep11_stdll/new_host.c
|
||||
@@ -164,6 +164,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
if (rc != 0) {
|
||||
sltp->FcnList = NULL;
|
||||
detach_shm(sltp->TokData, 0);
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -176,6 +177,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||
if (rc != CKR_OK) {
|
||||
sltp->FcnList = NULL;
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -208,6 +210,7 @@ done:
|
||||
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||
} else {
|
||||
CloseXProcLock(sltp->TokData);
|
||||
+ final_data_store(sltp->TokData);
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
}
|
||||
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
|
||||
index 09e9d27a..eed632c3 100644
|
||||
--- a/usr/lib/icsf_stdll/new_host.c
|
||||
+++ b/usr/lib/icsf_stdll/new_host.c
|
||||
@@ -162,6 +162,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
if (rc != 0) {
|
||||
sltp->FcnList = NULL;
|
||||
detach_shm(sltp->TokData, 0);
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -174,6 +175,7 @@ CK_RV ST_Initialize(API_Slot_t *sltp, CK_SLOT_ID SlotNumber,
|
||||
rc = load_token_data(sltp->TokData, SlotNumber);
|
||||
if (rc != CKR_OK) {
|
||||
sltp->FcnList = NULL;
|
||||
+ final_data_store(sltp->TokData);
|
||||
if (sltp->TokData)
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
@@ -206,6 +208,7 @@ done:
|
||||
SC_Finalize(sltp->TokData, SlotNumber, sinfp, NULL, 0);
|
||||
} else {
|
||||
CloseXProcLock(sltp->TokData);
|
||||
+ final_data_store(sltp->TokData);
|
||||
free(sltp->TokData);
|
||||
sltp->TokData = NULL;
|
||||
}
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
|
||||
index 45bc4b78..c7557108 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_specific.c
|
||||
+++ b/usr/lib/tpm_stdll/tpm_specific.c
|
||||
@@ -213,6 +213,10 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||
}
|
||||
|
||||
tpm_data = (tpm_private_data_t *)calloc(1, sizeof(tpm_private_data_t));
|
||||
+ if (tpm_data == NULL) {
|
||||
+ TRACE_ERROR("calloc failed\n");
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
tokdata->private_data = tpm_data;
|
||||
|
||||
tpm_data->tspContext = NULL_HCONTEXT;
|
||||
@@ -221,12 +225,15 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||
result = Tspi_Context_Create(&tpm_data->tspContext);
|
||||
if (result) {
|
||||
TRACE_ERROR("Tspi_Context_Create failed. rc=0x%x\n", result);
|
||||
+ free(tpm_data);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
result = Tspi_Context_Connect(tpm_data->tspContext, NULL);
|
||||
if (result) {
|
||||
TRACE_ERROR("Tspi_Context_Connect failed. rc=0x%x\n", result);
|
||||
+ Tspi_Context_Close(tpm_data->tspContext);
|
||||
+ free(tpm_data);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
@@ -234,6 +241,8 @@ CK_RV token_specific_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||
&tpm_data->hDefaultPolicy);
|
||||
if (result) {
|
||||
TRACE_ERROR("Tspi_Context_GetDefaultPolicy failed. rc=0x%x\n", result);
|
||||
+ Tspi_Context_Close(tpm_data->tspContext);
|
||||
+ free(tpm_data);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,147 +0,0 @@
|
||||
commit 533cdea6897d1bc0af13490f1c89248c52e7a73b
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 11:30:00 2021 +0200
|
||||
|
||||
COMMON: utilities.c: Remove deprecated OpenSSL functions
|
||||
|
||||
Rework functions compute_sha(), compute_sha1(), and compute_md5() to
|
||||
no longer use the mech_sha and mech_md5 routines, but to use the
|
||||
OpenSSL EVP interface directly.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/utility.c b/usr/lib/common/utility.c
|
||||
index bcdc15bf..5fc68938 100644
|
||||
--- a/usr/lib/common/utility.c
|
||||
+++ b/usr/lib/common/utility.c
|
||||
@@ -849,66 +849,89 @@ CK_RV get_hmac_digest(CK_ULONG mech, CK_ULONG *digest_mech, CK_BBOOL *general)
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-/* Compute specified SHA using either software or token implementation */
|
||||
+/* Compute specified SHA or MD5 using software */
|
||||
CK_RV compute_sha(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||
CK_BYTE *hash, CK_ULONG mech)
|
||||
{
|
||||
- DIGEST_CONTEXT ctx;
|
||||
- CK_ULONG hash_len;
|
||||
- CK_RV rv;
|
||||
+ const EVP_MD *md;
|
||||
+ unsigned int hash_len;
|
||||
|
||||
- memset(&ctx, 0x0, sizeof(ctx));
|
||||
- ctx.mech.mechanism = mech;
|
||||
+ UNUSED(tokdata);
|
||||
|
||||
- rv = get_sha_size(mech, &hash_len);
|
||||
- if (rv != CKR_OK)
|
||||
- return rv;
|
||||
+ switch (mech) {
|
||||
+ case CKM_MD5:
|
||||
+ hash_len = MD5_HASH_SIZE;
|
||||
+ md = EVP_md5();
|
||||
+ break;
|
||||
+ case CKM_SHA_1:
|
||||
+ hash_len = SHA1_HASH_SIZE;
|
||||
+ md = EVP_sha1();
|
||||
+ break;
|
||||
+ case CKM_SHA224:
|
||||
+ case CKM_SHA512_224:
|
||||
+ hash_len = SHA224_HASH_SIZE;
|
||||
+ md = EVP_sha224();
|
||||
+ break;
|
||||
+ case CKM_SHA256:
|
||||
+ case CKM_SHA512_256:
|
||||
+ hash_len = SHA256_HASH_SIZE;
|
||||
+ md = EVP_sha256();
|
||||
+ break;
|
||||
+ case CKM_SHA384:
|
||||
+ hash_len = SHA384_HASH_SIZE;
|
||||
+ md = EVP_sha384();
|
||||
+ break;
|
||||
+ case CKM_SHA512:
|
||||
+ hash_len = SHA512_HASH_SIZE;
|
||||
+ md = EVP_sha512();
|
||||
+ break;
|
||||
+#ifdef NID_sha3_224
|
||||
+ case CKM_IBM_SHA3_224:
|
||||
+ hash_len = SHA3_224_HASH_SIZE;
|
||||
+ md = EVP_sha3_224();
|
||||
+ break;
|
||||
+#endif
|
||||
+#ifdef NID_sha3_256
|
||||
+ case CKM_IBM_SHA3_256:
|
||||
+ hash_len = SHA3_256_HASH_SIZE;
|
||||
+ md = EVP_sha3_256();
|
||||
+ break;
|
||||
+#endif
|
||||
+#ifdef NID_sha3_384
|
||||
+ case CKM_IBM_SHA3_384:
|
||||
+ hash_len = SHA3_384_HASH_SIZE;
|
||||
+ md = EVP_sha3_384();
|
||||
+ break;
|
||||
+#endif
|
||||
+#ifdef NID_sha3_512
|
||||
+ case CKM_IBM_SHA3_512:
|
||||
+ hash_len = SHA3_512_HASH_SIZE;
|
||||
+ md = EVP_sha3_512();
|
||||
+ break;
|
||||
+#endif
|
||||
+ default:
|
||||
+ return CKR_MECHANISM_INVALID;
|
||||
+ }
|
||||
|
||||
- rv = sha_init(tokdata, NULL, &ctx, &ctx.mech);
|
||||
- if (rv != CKR_OK) {
|
||||
- TRACE_DEBUG("failed to create digest.\n");
|
||||
- return rv;
|
||||
+ if (EVP_Digest(data, len, hash, &hash_len, md, NULL) != 1) {
|
||||
+ TRACE_ERROR("%s EVP_Digest failed\n", __func__);
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
- rv = sha_hash(tokdata, NULL, FALSE, &ctx, data, len, hash, &hash_len);
|
||||
|
||||
- digest_mgr_cleanup(&ctx);
|
||||
- return rv;
|
||||
+ return CKR_OK;
|
||||
}
|
||||
|
||||
/* Compute SHA1 using software implementation */
|
||||
CK_RV compute_sha1(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||
CK_BYTE *hash)
|
||||
{
|
||||
- // XXX KEY
|
||||
- DIGEST_CONTEXT ctx;
|
||||
- CK_ULONG hash_len = SHA1_HASH_SIZE;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- memset(&ctx, 0x0, sizeof(ctx));
|
||||
-
|
||||
- sw_sha1_init(&ctx);
|
||||
- if (ctx.context == NULL)
|
||||
- return CKR_HOST_MEMORY;
|
||||
-
|
||||
- return sw_sha1_hash(&ctx, data, len, hash, &hash_len);
|
||||
+ return compute_sha(tokdata, data, len, hash, CKM_SHA_1);
|
||||
}
|
||||
|
||||
CK_RV compute_md5(STDLL_TokData_t *tokdata, CK_BYTE *data, CK_ULONG len,
|
||||
CK_BYTE *hash)
|
||||
{
|
||||
- DIGEST_CONTEXT ctx;
|
||||
- CK_ULONG hash_len = MD5_HASH_SIZE;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- memset(&ctx, 0x0, sizeof(ctx));
|
||||
-
|
||||
- sw_md5_init(&ctx);
|
||||
- if (ctx.context == NULL)
|
||||
- return CKR_HOST_MEMORY;
|
||||
-
|
||||
- return sw_md5_hash(&ctx, data, len, hash, &hash_len);
|
||||
+ return compute_sha(tokdata, data, len, hash, CKM_MD5);
|
||||
}
|
||||
|
||||
CK_RV get_keytype(STDLL_TokData_t *tokdata, CK_OBJECT_HANDLE hkey,
|
@ -1,174 +0,0 @@
|
||||
commit 5377d25a6cbe3d07afcd08276ad7e90f62cad0c9
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 13:51:02 2021 +0200
|
||||
|
||||
COMMON: mech_sha: Remove deprecated OpenSSL functions
|
||||
|
||||
All low level SHA functions are deprecated in OpenSSL 3.0.
|
||||
Update the code to not use any of those.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||
index 314613a5..b3b965bf 100644
|
||||
--- a/usr/lib/common/h_extern.h
|
||||
+++ b/usr/lib/common/h_extern.h
|
||||
@@ -1543,7 +1543,7 @@ CK_RV aes_cfb_decrypt_final(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
// SHA mechanisms
|
||||
//
|
||||
|
||||
-void sw_sha1_init(DIGEST_CONTEXT *ctx);
|
||||
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx);
|
||||
|
||||
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||
diff --git a/usr/lib/common/mech_sha.c b/usr/lib/common/mech_sha.c
|
||||
index 0b9b7b28..1c81abe2 100644
|
||||
--- a/usr/lib/common/mech_sha.c
|
||||
+++ b/usr/lib/common/mech_sha.c
|
||||
@@ -38,30 +38,49 @@
|
||||
#include "tok_spec_struct.h"
|
||||
#include "trace.h"
|
||||
|
||||
-#include <openssl/sha.h>
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
//
|
||||
// Software SHA-1 implementation (OpenSSL based)
|
||||
//
|
||||
|
||||
-void sw_sha1_init(DIGEST_CONTEXT *ctx)
|
||||
+static void sw_sha1_free(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
+ CK_BYTE *context, CK_ULONG context_len)
|
||||
{
|
||||
- ctx->context_len = sizeof(SHA_CTX);
|
||||
- ctx->context = (CK_BYTE *) malloc(sizeof(SHA_CTX));
|
||||
+ UNUSED(tokdata);
|
||||
+ UNUSED(sess);
|
||||
+ UNUSED(context_len);
|
||||
+
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
|
||||
+}
|
||||
+
|
||||
+CK_RV sw_sha1_init(DIGEST_CONTEXT *ctx)
|
||||
+{
|
||||
+ ctx->context_len = 1;
|
||||
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||
if (ctx->context == NULL) {
|
||||
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
- // TODO: propagate error up?
|
||||
- return;
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_sha1(), NULL)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
- SHA1_Init((SHA_CTX *)ctx->context);
|
||||
+ ctx->state_unsaveable = CK_TRUE;
|
||||
+ ctx->context_free_func = sw_sha1_free;
|
||||
+
|
||||
+ return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||
CK_ULONG *out_data_len)
|
||||
{
|
||||
+ unsigned int len;
|
||||
|
||||
if (!ctx || !out_data_len) {
|
||||
TRACE_ERROR("%s received bad argument(s)\n", __func__);
|
||||
@@ -76,43 +95,60 @@ CK_RV sw_sha1_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
|
||||
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
|
||||
- *out_data_len = SHA1_HASH_SIZE;
|
||||
+ len = *out_data_len;
|
||||
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
+
|
||||
+ *out_data_len = len;
|
||||
|
||||
- if (ctx->context_free_func != NULL)
|
||||
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||
- else
|
||||
- free(ctx->context);
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
ctx->context = NULL;
|
||||
+ ctx->context_free_func = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
- CK_ULONG in_data_len)
|
||||
+static CK_RV sw_sha1_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
+ CK_ULONG in_data_len)
|
||||
{
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- SHA1_Update((SHA_CTX *)ctx->context, in_data, in_data_len);
|
||||
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||
- CK_ULONG *out_data_len)
|
||||
+static CK_RV sw_sha1_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||
+ CK_ULONG *out_data_len)
|
||||
{
|
||||
+ unsigned int len;
|
||||
+
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- SHA1_Final(out_data, (SHA_CTX *)ctx->context);
|
||||
- *out_data_len = SHA1_HASH_SIZE;
|
||||
+ if (*out_data_len < SHA1_HASH_SIZE) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
|
||||
+ return CKR_BUFFER_TOO_SMALL;
|
||||
+ }
|
||||
+
|
||||
+ len = *out_data_len;
|
||||
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
+
|
||||
+ *out_data_len = len;
|
||||
|
||||
- if (ctx->context_free_func != NULL)
|
||||
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||
- else
|
||||
- free(ctx->context);
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
ctx->context = NULL;
|
||||
+ ctx->context_free_func = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -134,8 +170,7 @@ CK_RV sha_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
|
||||
* supported. JML
|
||||
*/
|
||||
if (mech->mechanism == CKM_SHA_1) {
|
||||
- sw_sha1_init(ctx);
|
||||
- return CKR_OK;
|
||||
+ return sw_sha1_init(ctx);
|
||||
} else {
|
||||
return CKR_MECHANISM_INVALID;
|
||||
}
|
@ -1,84 +0,0 @@
|
||||
commit 5cceead028ec8e0c244b01d38c9096c96d98f96b
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 5 10:46:52 2021 +0200
|
||||
|
||||
ICSF: Remove support for OpenSSL < v1.1.1
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/icsf_stdll/pbkdf.c b/usr/lib/icsf_stdll/pbkdf.c
|
||||
index 4ddd0fd7..6ec4128a 100644
|
||||
--- a/usr/lib/icsf_stdll/pbkdf.c
|
||||
+++ b/usr/lib/icsf_stdll/pbkdf.c
|
||||
@@ -82,7 +82,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
|
||||
int tmplen;
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
||||
|
||||
EVP_EncryptInit_ex(ctx, cipher, NULL, dkey, iv);
|
||||
@@ -98,24 +97,6 @@ CK_RV encrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||
*outbuflen = (*outbuflen) + tmplen;
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
|
||||
-#else
|
||||
- EVP_CIPHER_CTX ctx;
|
||||
- EVP_CIPHER_CTX_init(&ctx);
|
||||
-
|
||||
- EVP_EncryptInit_ex(&ctx, cipher, NULL, dkey, iv);
|
||||
- if (!EVP_EncryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
|
||||
- TRACE_ERROR("EVP_EncryptUpdate failed.\n");
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
- }
|
||||
- if (!EVP_EncryptFinal_ex(&ctx, outbuf + (*outbuflen), &tmplen)) {
|
||||
- TRACE_ERROR("EVP_EncryptFinal failed.\n");
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
- }
|
||||
-
|
||||
- *outbuflen = (*outbuflen) + tmplen;
|
||||
- EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
-#endif
|
||||
-
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
@@ -125,7 +106,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||
int size;
|
||||
const EVP_CIPHER *cipher = EVP_aes_256_cbc();
|
||||
|
||||
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
||||
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
|
||||
|
||||
EVP_DecryptInit_ex(ctx, cipher, NULL, dkey, iv);
|
||||
@@ -147,30 +127,6 @@ CK_RV decrypt_aes(CK_BYTE * inbuf, int inbuflen, CK_BYTE * dkey,
|
||||
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
|
||||
-#else
|
||||
- EVP_CIPHER_CTX ctx;
|
||||
- EVP_CIPHER_CTX_init(&ctx);
|
||||
-
|
||||
- EVP_DecryptInit_ex(&ctx, cipher, NULL, dkey, iv);
|
||||
- if (!EVP_DecryptUpdate(&ctx, outbuf, outbuflen, inbuf, inbuflen)) {
|
||||
- TRACE_ERROR("EVP_DecryptUpdate failed.\n");
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
- }
|
||||
- if (!EVP_DecryptFinal_ex(&ctx, outbuf + (*outbuflen), &size)) {
|
||||
- TRACE_ERROR("EVP_DecryptFinal failed.\n");
|
||||
- return CKR_FUNCTION_FAILED;
|
||||
- }
|
||||
-
|
||||
- /* total length of the decrypted data */
|
||||
- *outbuflen = (*outbuflen) + size;
|
||||
-
|
||||
- /* EVP_DecryptFinal removes any padding. The final length
|
||||
- * is the length of the decrypted data without padding.
|
||||
- */
|
||||
-
|
||||
- EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
-#endif
|
||||
-
|
||||
return CKR_OK;
|
||||
}
|
||||
|
@ -1,226 +0,0 @@
|
||||
commit 62fc2bcd98672c5d0ff8a2c926f3103110e91ed7
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Thu Jul 1 13:37:04 2021 +0200
|
||||
|
||||
COMMON: Perform proper context cleanup for 3DES/AES CMAC mechanisms
|
||||
|
||||
The handling of 3DES/AES CMAC mechanisms use a complex context structure,
|
||||
that contains pointers. Such state can not be saved, and needs a custom
|
||||
context free routine to properly clean up the context.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
|
||||
index ad6af16b..59f82482 100644
|
||||
--- a/usr/lib/common/mech_aes.c
|
||||
+++ b/usr/lib/common/mech_aes.c
|
||||
@@ -2691,6 +2691,24 @@ CK_RV aes_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
|
||||
+static void aes_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
+ CK_BYTE *context, CK_ULONG context_len)
|
||||
+{
|
||||
+ UNUSED(tokdata);
|
||||
+ UNUSED(sess);
|
||||
+ UNUSED(context_len);
|
||||
+
|
||||
+ if (((AES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
||||
+ token_specific.t_aes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
||||
+ ((AES_CMAC_CONTEXT *)context)->iv,
|
||||
+ CK_FALSE, CK_TRUE,
|
||||
+ ((AES_CMAC_CONTEXT *)context)->ctx);
|
||||
+ ((AES_CMAC_CONTEXT *)context)->ctx = NULL;
|
||||
+ }
|
||||
+
|
||||
+ free(context);
|
||||
+}
|
||||
+
|
||||
CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
SESSION *sess,
|
||||
CK_BBOOL length_only,
|
||||
@@ -2743,6 +2761,8 @@ CK_RV aes_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
+
|
||||
memcpy(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||
*out_data_len = mac_len;
|
||||
|
||||
@@ -2816,6 +2836,8 @@ CK_RV aes_cmac_sign_update(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
+
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
} else {
|
||||
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
||||
}
|
||||
@@ -2882,6 +2904,8 @@ CK_RV aes_cmac_sign_final(STDLL_TokData_t *tokdata,
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
+
|
||||
memcpy(out_data, context->iv, mac_len);
|
||||
*out_data_len = mac_len;
|
||||
|
||||
@@ -2941,6 +2965,8 @@ CK_RV aes_cmac_verify(STDLL_TokData_t *tokdata,
|
||||
if (((AES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
+
|
||||
if (CRYPTO_memcmp(out_data, ((AES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||
out_data_len) == 0) {
|
||||
return CKR_OK;
|
||||
@@ -3012,6 +3038,8 @@ CK_RV aes_cmac_verify_update(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
+
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
} else {
|
||||
TRACE_DEVEL("Token specific aes cmac failed.\n");
|
||||
}
|
||||
@@ -3070,6 +3098,8 @@ CK_RV aes_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = aes_cmac_cleanup;
|
||||
+
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_DEVEL("Token specific aes mac failed.\n");
|
||||
return rc;
|
||||
diff --git a/usr/lib/common/mech_des3.c b/usr/lib/common/mech_des3.c
|
||||
index be8d6075..591ad3fa 100644
|
||||
--- a/usr/lib/common/mech_des3.c
|
||||
+++ b/usr/lib/common/mech_des3.c
|
||||
@@ -2334,6 +2334,24 @@ CK_RV des3_mac_verify_final(STDLL_TokData_t *tokdata,
|
||||
return CKR_SIGNATURE_INVALID;
|
||||
}
|
||||
|
||||
+static void des3_cmac_cleanup(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
+ CK_BYTE *context, CK_ULONG context_len)
|
||||
+{
|
||||
+ UNUSED(tokdata);
|
||||
+ UNUSED(sess);
|
||||
+ UNUSED(context_len);
|
||||
+
|
||||
+ if (((DES_CMAC_CONTEXT *)context)->ctx != NULL) {
|
||||
+ token_specific.t_tdes_cmac(tokdata, (CK_BYTE *)"", 0, NULL,
|
||||
+ ((DES_CMAC_CONTEXT *)context)->iv,
|
||||
+ CK_FALSE, CK_TRUE,
|
||||
+ ((DES_CMAC_CONTEXT *)context)->ctx);
|
||||
+ ((DES_CMAC_CONTEXT *)context)->ctx = NULL;
|
||||
+ }
|
||||
+
|
||||
+ free(context);
|
||||
+}
|
||||
+
|
||||
CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
SESSION *sess,
|
||||
CK_BBOOL length_only,
|
||||
@@ -2383,6 +2401,8 @@ CK_RV des3_cmac_sign(STDLL_TokData_t *tokdata,
|
||||
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
+
|
||||
memcpy(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv, mac_len);
|
||||
|
||||
*out_data_len = mac_len;
|
||||
@@ -2456,6 +2476,8 @@ CK_RV des3_cmac_sign_update(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
+
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
} else {
|
||||
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
||||
}
|
||||
@@ -2521,6 +2543,8 @@ CK_RV des3_cmac_sign_final(STDLL_TokData_t *tokdata,
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
+
|
||||
memcpy(out_data, context->iv, mac_len);
|
||||
|
||||
*out_data_len = mac_len;
|
||||
@@ -2577,6 +2601,8 @@ CK_RV des3_cmac_verify(STDLL_TokData_t *tokdata,
|
||||
if (((DES_CMAC_CONTEXT *)ctx->context)->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
+
|
||||
if (CRYPTO_memcmp(out_data, ((DES_CMAC_CONTEXT *) ctx->context)->iv,
|
||||
out_data_len) == 0) {
|
||||
return CKR_OK;
|
||||
@@ -2646,6 +2672,8 @@ CK_RV des3_cmac_verify_update(STDLL_TokData_t *tokdata,
|
||||
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
+
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
} else {
|
||||
TRACE_DEVEL("Token specific des3 cmac failed.\n");
|
||||
}
|
||||
@@ -2709,6 +2737,8 @@ CK_RV des3_cmac_verify_final(STDLL_TokData_t *tokdata,
|
||||
if (context->ctx != NULL)
|
||||
ctx->state_unsaveable = CK_TRUE;
|
||||
|
||||
+ ctx->context_free_func = des3_cmac_cleanup;
|
||||
+
|
||||
if (CRYPTO_memcmp(signature, context->iv, signature_len) == 0)
|
||||
return CKR_OK;
|
||||
|
||||
diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
|
||||
index 77876467..881a430c 100644
|
||||
--- a/usr/lib/ica_s390_stdll/ica_specific.c
|
||||
+++ b/usr/lib/ica_s390_stdll/ica_specific.c
|
||||
@@ -713,6 +713,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||
UNUSED(tokdata);
|
||||
UNUSED(ctx);
|
||||
|
||||
+ if (key == NULL)
|
||||
+ return CKR_ARGUMENTS_BAD;
|
||||
+
|
||||
// get the key type
|
||||
rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||
if (rc != CKR_OK) {
|
||||
@@ -3621,6 +3624,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||
UNUSED(tokdata);
|
||||
UNUSED(ctx);
|
||||
|
||||
+ if (key == NULL)
|
||||
+ return CKR_ARGUMENTS_BAD;
|
||||
+
|
||||
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
|
||||
index aeff39a9..5ca22693 100644
|
||||
--- a/usr/lib/soft_stdll/soft_specific.c
|
||||
+++ b/usr/lib/soft_stdll/soft_specific.c
|
||||
@@ -3994,6 +3994,9 @@ CK_RV token_specific_tdes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||
UNUSED(tokdata);
|
||||
|
||||
if (first) {
|
||||
+ if (key == NULL)
|
||||
+ return CKR_ARGUMENTS_BAD;
|
||||
+
|
||||
// get the key type
|
||||
rv = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||
if (rv != CKR_OK) {
|
||||
@@ -4194,6 +4197,9 @@ CK_RV token_specific_aes_cmac(STDLL_TokData_t *tokdata, CK_BYTE *message,
|
||||
UNUSED(tokdata);
|
||||
|
||||
if (first) {
|
||||
+ if (key == NULL)
|
||||
+ return CKR_ARGUMENTS_BAD;
|
||||
+
|
||||
// get the key value
|
||||
rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
if (rc != CKR_OK) {
|
@ -1,193 +0,0 @@
|
||||
commit 6fee37f08391415cdf8d8610c501516c3d3ed29c
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 13:41:57 2021 +0200
|
||||
|
||||
COMMON: mech_md5: Remove deprecated OpenSSL functions
|
||||
|
||||
All low level MD5 functions are deprecated in OpenSSL 3.0.
|
||||
Update the code to not use any of those.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
|
||||
index 47b96ba0..314613a5 100644
|
||||
--- a/usr/lib/common/h_extern.h
|
||||
+++ b/usr/lib/common/h_extern.h
|
||||
@@ -1667,7 +1667,7 @@ CK_RV md5_hmac_verify(STDLL_TokData_t *tokdata,
|
||||
CK_ULONG in_data_len,
|
||||
CK_BYTE *signature, CK_ULONG sig_len);
|
||||
|
||||
-void sw_md5_init(DIGEST_CONTEXT *ctx);
|
||||
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx);
|
||||
|
||||
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||
diff --git a/usr/lib/common/mech_md5.c b/usr/lib/common/mech_md5.c
|
||||
index 320e2549..65c11def 100644
|
||||
--- a/usr/lib/common/mech_md5.c
|
||||
+++ b/usr/lib/common/mech_md5.c
|
||||
@@ -20,30 +20,50 @@
|
||||
#include "tok_spec_struct.h"
|
||||
#include "trace.h"
|
||||
|
||||
-#include <openssl/md5.h>
|
||||
+#include <openssl/evp.h>
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
//
|
||||
// Software MD5 implementation (OpenSSL based)
|
||||
//
|
||||
|
||||
-void sw_md5_init(DIGEST_CONTEXT *ctx)
|
||||
+static void sw_md5_free(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
+ CK_BYTE *context, CK_ULONG context_len)
|
||||
{
|
||||
- ctx->context_len = sizeof(MD5_CTX);
|
||||
- ctx->context = (CK_BYTE *) malloc(sizeof(MD5_CTX));
|
||||
+ UNUSED(tokdata);
|
||||
+ UNUSED(sess);
|
||||
+ UNUSED(context_len);
|
||||
+
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)context);
|
||||
+}
|
||||
+
|
||||
+CK_RV sw_md5_init(DIGEST_CONTEXT *ctx)
|
||||
+{
|
||||
+ ctx->context_len = 1;
|
||||
+ ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
|
||||
if (ctx->context == NULL) {
|
||||
TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
|
||||
- // TODO: propagate error up?
|
||||
- return;
|
||||
+ return CKR_HOST_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ if (!EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, EVP_md5(), NULL)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
- MD5_Init((MD5_CTX *)ctx->context);
|
||||
+ ctx->state_unsaveable = CK_TRUE;
|
||||
+ ctx->context_free_func = sw_md5_free;
|
||||
+
|
||||
+ return CKR_OK;
|
||||
}
|
||||
|
||||
CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
CK_ULONG in_data_len, CK_BYTE *out_data,
|
||||
CK_ULONG *out_data_len)
|
||||
{
|
||||
+ unsigned int len;
|
||||
+
|
||||
if (!ctx || !out_data_len) {
|
||||
TRACE_ERROR("%s received bad argument(s)\n", __func__);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
@@ -57,43 +77,60 @@ CK_RV sw_md5_hash(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
|
||||
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
|
||||
- *out_data_len = MD5_HASH_SIZE;
|
||||
+ len = *out_data_len;
|
||||
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
|
||||
+ !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
|
||||
- if (ctx->context_free_func != NULL)
|
||||
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||
- else
|
||||
- free(ctx->context);
|
||||
+ *out_data_len = len;
|
||||
+
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
ctx->context = NULL;
|
||||
+ ctx->context_free_func = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-CK_RV sw_MD5_Update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
- CK_ULONG in_data_len)
|
||||
+static CK_RV sw_md5_update(DIGEST_CONTEXT *ctx, CK_BYTE *in_data,
|
||||
+ CK_ULONG in_data_len)
|
||||
{
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- MD5_Update((MD5_CTX *)ctx->context, in_data, in_data_len);
|
||||
+ if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-CK_RV sw_MD5_Final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||
- CK_ULONG *out_data_len)
|
||||
+static CK_RV sw_md5_final(DIGEST_CONTEXT *ctx, CK_BYTE *out_data,
|
||||
+ CK_ULONG *out_data_len)
|
||||
{
|
||||
+ unsigned int len;
|
||||
+
|
||||
if (ctx->context == NULL)
|
||||
return CKR_OPERATION_NOT_INITIALIZED;
|
||||
|
||||
- MD5_Final(out_data, (MD5_CTX *)ctx->context);
|
||||
- *out_data_len = MD5_HASH_SIZE;
|
||||
+ if (*out_data_len < MD5_HASH_SIZE) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_BUFFER_TOO_SMALL));
|
||||
+ return CKR_BUFFER_TOO_SMALL;
|
||||
+ }
|
||||
|
||||
- if (ctx->context_free_func != NULL)
|
||||
- ctx->context_free_func(ctx->context, ctx->context_len);
|
||||
- else
|
||||
- free(ctx->context);
|
||||
+ len = *out_data_len;
|
||||
+ if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
|
||||
+ TRACE_ERROR("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
||||
+ return CKR_FUNCTION_FAILED;
|
||||
+ }
|
||||
+
|
||||
+ *out_data_len = len;
|
||||
+
|
||||
+ EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
|
||||
ctx->context = NULL;
|
||||
+ ctx->context_free_func = NULL;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -105,8 +142,7 @@ CK_RV md5_init(STDLL_TokData_t *tokdata, SESSION *sess, DIGEST_CONTEXT *ctx,
|
||||
UNUSED(sess);
|
||||
|
||||
if (mech->mechanism == CKM_MD5) {
|
||||
- sw_md5_init(ctx);
|
||||
- return CKR_OK;
|
||||
+ return sw_md5_init(ctx);
|
||||
} else {
|
||||
return CKR_MECHANISM_INVALID;
|
||||
}
|
||||
@@ -159,7 +195,7 @@ CK_RV md5_hash_update(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
return CKR_OK;
|
||||
|
||||
if (ctx->mech.mechanism == CKM_MD5)
|
||||
- return sw_MD5_Update(ctx, in_data, in_data_len);
|
||||
+ return sw_md5_update(ctx, in_data, in_data_len);
|
||||
else
|
||||
return CKR_MECHANISM_INVALID;
|
||||
}
|
||||
@@ -188,7 +224,7 @@ CK_RV md5_hash_final(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||
}
|
||||
|
||||
if (ctx->mech.mechanism == CKM_MD5)
|
||||
- return sw_MD5_Final(ctx, out_data, out_data_len);
|
||||
+ return sw_md5_final(ctx, out_data, out_data_len);
|
||||
else
|
||||
return CKR_MECHANISM_INVALID;
|
||||
}
|
File diff suppressed because it is too large
Load Diff
@ -1,870 +0,0 @@
|
||||
commit 7b4177e8557887d196ce77a129d457e817f8cc59
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jun 30 10:47:28 2021 +0200
|
||||
|
||||
TPM: Remove deprecated OpenSSL functions
|
||||
|
||||
All low level RSA functions are deprecated in OpenSSL 3.0.
|
||||
Update the code to not use any of those, and only use the EVP
|
||||
interface.
|
||||
|
||||
Also remove support for OpenSSL < v1.1.1. This code used even more
|
||||
low level RSA, DES, and AES functions.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_openssl.c b/usr/lib/tpm_stdll/tpm_openssl.c
|
||||
index 94ef9a62..0ccc543d 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_openssl.c
|
||||
+++ b/usr/lib/tpm_stdll/tpm_openssl.c
|
||||
@@ -39,50 +39,33 @@
|
||||
|
||||
#include "tpm_specific.h"
|
||||
|
||||
-/*
|
||||
- * In order to make opencryptoki compatible with
|
||||
- * OpenSSL 1.1 API Changes and backward compatible
|
||||
- * we need to check for its version
|
||||
- */
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
-#define OLDER_OPENSSL
|
||||
+#if OPENSSL_VERSION_PREREQ(3, 0)
|
||||
+#include <openssl/core_names.h>
|
||||
#endif
|
||||
|
||||
#ifdef DEBUG
|
||||
void openssl_print_errors()
|
||||
{
|
||||
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||
ERR_load_ERR_strings();
|
||||
+#endif
|
||||
ERR_load_crypto_strings();
|
||||
ERR_print_errors_fp(stderr);
|
||||
}
|
||||
#endif
|
||||
|
||||
-RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
|
||||
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *tokdata)
|
||||
{
|
||||
- RSA *rsa = NULL;
|
||||
int rc = 0, counter = 0;
|
||||
char buf[32];
|
||||
-#ifndef OLDER_OPENSSL
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
BIGNUM *bne = NULL;
|
||||
-#endif
|
||||
|
||||
token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
|
||||
RAND_seed(buf, 32);
|
||||
|
||||
regen_rsa_key:
|
||||
-#ifdef OLDER_OPENSSL
|
||||
- rsa = RSA_generate_key(2048, 65537, NULL, NULL);
|
||||
- if (rsa == NULL) {
|
||||
- fprintf(stderr, "Error generating user's RSA key\n");
|
||||
- ERR_load_crypto_strings();
|
||||
- ERR_print_errors_fp(stderr);
|
||||
- goto err;
|
||||
- }
|
||||
-
|
||||
- rc = RSA_check_key(rsa);
|
||||
-#else
|
||||
bne = BN_new();
|
||||
rc = BN_set_word(bne, 65537);
|
||||
if (!rc) {
|
||||
@@ -98,35 +81,36 @@ regen_rsa_key:
|
||||
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0
|
||||
|| EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0
|
||||
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||
|| EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
||||
+#else
|
||||
+ || EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bne) <= 0) {
|
||||
+#endif
|
||||
fprintf(stderr, "Error generating user's RSA key\n");
|
||||
ERR_load_crypto_strings();
|
||||
ERR_print_errors_fp(stderr);
|
||||
goto err;
|
||||
}
|
||||
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||
bne = NULL; // will be freed as part of the context
|
||||
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0
|
||||
- || (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
|
||||
+#else
|
||||
+ BN_free(bne);
|
||||
+ bne = NULL;
|
||||
+#endif
|
||||
+ if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
|
||||
fprintf(stderr, "Error generating user's RSA key\n");
|
||||
ERR_load_crypto_strings();
|
||||
ERR_print_errors_fp(stderr);
|
||||
goto err;
|
||||
}
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
||||
- rc = RSA_check_key(rsa);
|
||||
-#else
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
rc = (EVP_PKEY_check(ctx) == 1 ? 1 : 0);
|
||||
-#endif
|
||||
-#endif
|
||||
switch (rc) {
|
||||
case 0:
|
||||
/* rsa is not a valid RSA key */
|
||||
- RSA_free(rsa);
|
||||
- rsa = NULL;
|
||||
counter++;
|
||||
if (counter == KEYGEN_RETRY) {
|
||||
TRACE_DEVEL("Tried %d times to generate a "
|
||||
@@ -145,30 +129,23 @@ regen_rsa_key:
|
||||
break;
|
||||
}
|
||||
|
||||
-#ifndef OLDER_OPENSSL
|
||||
- if (pkey != NULL)
|
||||
- EVP_PKEY_free(pkey);
|
||||
if (ctx != NULL)
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
if (bne != NULL)
|
||||
BN_free(bne);
|
||||
-#endif
|
||||
- return rsa;
|
||||
+ return pkey;
|
||||
err:
|
||||
- if (rsa != NULL)
|
||||
- RSA_free(rsa);
|
||||
-#ifndef OLDER_OPENSSL
|
||||
if (pkey != NULL)
|
||||
EVP_PKEY_free(pkey);
|
||||
if (ctx != NULL)
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
if (bne != NULL)
|
||||
BN_free(bne);
|
||||
-#endif
|
||||
+
|
||||
return NULL;
|
||||
}
|
||||
|
||||
-int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||
+int openssl_write_key(STDLL_TokData_t * tokdata, EVP_PKEY *pkey, char *filename,
|
||||
CK_BYTE * pPin)
|
||||
{
|
||||
BIO *b = NULL;
|
||||
@@ -193,8 +170,8 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (!PEM_write_bio_RSAPrivateKey(b, rsa,
|
||||
- EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
||||
+ if (!PEM_write_bio_PrivateKey(b, pkey,
|
||||
+ EVP_aes_256_cbc(), NULL, 0, 0, pPin)) {
|
||||
BIO_free(b);
|
||||
TRACE_ERROR("Writing key %s to disk failed.\n", loc);
|
||||
DEBUG_openssl_print_errors();
|
||||
@@ -211,10 +188,10 @@ int openssl_write_key(STDLL_TokData_t * tokdata, RSA * rsa, char *filename,
|
||||
}
|
||||
|
||||
CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||
- CK_BYTE * pPin, RSA ** ret)
|
||||
+ CK_BYTE * pPin, EVP_PKEY **ret)
|
||||
{
|
||||
BIO *b = NULL;
|
||||
- RSA *rsa = NULL;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
char loc[PATH_MAX];
|
||||
struct passwd *pw = NULL;
|
||||
CK_RV rc = CKR_FUNCTION_FAILED;
|
||||
@@ -242,7 +219,7 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||
return CKR_FILE_NOT_FOUND;
|
||||
}
|
||||
|
||||
- if ((rsa = PEM_read_bio_RSAPrivateKey(b, NULL, 0, pPin)) == NULL) {
|
||||
+ if ((pkey = PEM_read_bio_PrivateKey(b, NULL, 0, pPin)) == NULL) {
|
||||
TRACE_ERROR("Reading key %s from disk failed.\n", loc);
|
||||
DEBUG_openssl_print_errors();
|
||||
if (ERR_GET_REASON(ERR_get_error()) == PEM_R_BAD_DECRYPT) {
|
||||
@@ -253,40 +230,54 @@ CK_RV openssl_read_key(STDLL_TokData_t * tokdata, char *filename,
|
||||
}
|
||||
|
||||
BIO_free(b);
|
||||
- *ret = rsa;
|
||||
+ *ret = pkey;
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
-int openssl_get_modulus_and_prime(RSA * rsa, unsigned int *size_n,
|
||||
+int openssl_get_modulus_and_prime(EVP_PKEY *pkey, unsigned int *size_n,
|
||||
unsigned char *n, unsigned int *size_p,
|
||||
unsigned char *p)
|
||||
{
|
||||
-#ifndef OLDER_OPENSSL
|
||||
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||
const BIGNUM *n_tmp, *p_tmp;
|
||||
+ RSA *rsa;
|
||||
+#else
|
||||
+ BIGNUM *n_tmp, *p_tmp;
|
||||
#endif
|
||||
|
||||
+#if !OPENSSL_VERSION_PREREQ(3, 0)
|
||||
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
||||
/* get the modulus from the RSA object */
|
||||
-#ifdef OLDER_OPENSSL
|
||||
- if ((*size_n = BN_bn2bin(rsa->n, n)) <= 0) {
|
||||
-#else
|
||||
RSA_get0_key(rsa, &n_tmp, NULL, NULL);
|
||||
if ((*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
||||
-#endif
|
||||
DEBUG_openssl_print_errors();
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* get one of the primes from the RSA object */
|
||||
-#ifdef OLDER_OPENSSL
|
||||
- if ((*size_p = BN_bn2bin(rsa->p, p)) <= 0) {
|
||||
-#else
|
||||
RSA_get0_factors(rsa, &p_tmp, NULL);
|
||||
if ((*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
||||
-#endif
|
||||
DEBUG_openssl_print_errors();
|
||||
return -1;
|
||||
}
|
||||
+#else
|
||||
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &n_tmp) ||
|
||||
+ (*size_n = BN_bn2bin(n_tmp, n)) <= 0) {
|
||||
+ DEBUG_openssl_print_errors();
|
||||
+ BN_free(n_tmp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ BN_free(n_tmp);
|
||||
+
|
||||
+ if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &p_tmp) ||
|
||||
+ (*size_p = BN_bn2bin(p_tmp, p)) <= 0) {
|
||||
+ DEBUG_openssl_print_errors();
|
||||
+ BN_free(p_tmp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ BN_free(p_tmp);
|
||||
+#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_specific.c b/usr/lib/tpm_stdll/tpm_specific.c
|
||||
index 4ebb4a88..45bc4b78 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_specific.c
|
||||
+++ b/usr/lib/tpm_stdll/tpm_specific.c
|
||||
@@ -1451,15 +1451,15 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||
CK_RV rc;
|
||||
TSS_RESULT result;
|
||||
- RSA *rsa;
|
||||
+ EVP_PKEY *pkey;
|
||||
unsigned int size_n, size_p;
|
||||
unsigned char n[256], p[256];
|
||||
|
||||
/* all sw generated keys are 2048 bits */
|
||||
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
||||
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
||||
return CKR_HOST_MEMORY;
|
||||
|
||||
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
@@ -1473,13 +1473,13 @@ CK_RV token_create_private_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (openssl_write_key(tokdata, rsa, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
||||
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PRIV_ROOT_KEY_FILE, pPin)) {
|
||||
TRACE_DEVEL("openssl_write_key failed.\n");
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
|
||||
/* store the user base key in a PKCS#11 object internally */
|
||||
rc = token_store_tss_key(tokdata, tpm_data->hPrivateRootKey,
|
||||
@@ -1529,15 +1529,15 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||
CK_RV rc;
|
||||
TSS_RESULT result;
|
||||
- RSA *rsa;
|
||||
+ EVP_PKEY *pkey;
|
||||
unsigned int size_n, size_p;
|
||||
unsigned char n[256], p[256];
|
||||
|
||||
/* all sw generated keys are 2048 bits */
|
||||
- if ((rsa = openssl_gen_key(tokdata)) == NULL)
|
||||
+ if ((pkey = openssl_gen_key(tokdata)) == NULL)
|
||||
return CKR_HOST_MEMORY;
|
||||
|
||||
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
@@ -1551,13 +1551,13 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||
return rc;
|
||||
}
|
||||
|
||||
- if (openssl_write_key(tokdata, rsa, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
||||
+ if (openssl_write_key(tokdata, pkey, TPMTOK_PUB_ROOT_KEY_FILE, pPin)) {
|
||||
TRACE_DEVEL("openssl_write_key\n");
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
|
||||
result = Tspi_Key_LoadKey(tpm_data->hPublicRootKey, tpm_data->hSRK);
|
||||
if (result) {
|
||||
@@ -1602,7 +1602,7 @@ CK_RV token_create_public_tree(STDLL_TokData_t * tokdata, CK_BYTE * pinHash,
|
||||
CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||
{
|
||||
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||
- RSA *rsa;
|
||||
+ EVP_PKEY *pkey;
|
||||
char *backup_loc;
|
||||
unsigned int size_n, size_p;
|
||||
unsigned char n[256], p[256];
|
||||
@@ -1630,7 +1630,7 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||
}
|
||||
|
||||
/* read the backup key with the old pin */
|
||||
- if ((rc = openssl_read_key(tokdata, backup_loc, pin, &rsa))) {
|
||||
+ if ((rc = openssl_read_key(tokdata, backup_loc, pin, &pkey))) {
|
||||
if (rc == CKR_FILE_NOT_FOUND)
|
||||
rc = CKR_FUNCTION_FAILED;
|
||||
TRACE_DEVEL("openssl_read_key failed\n");
|
||||
@@ -1640,8 +1640,9 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||
/* So, reading the backup openssl key off disk succeeded with the SOs PIN.
|
||||
* We will now try to re-wrap that key with the current SRK
|
||||
*/
|
||||
- if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
|
||||
+ if (openssl_get_modulus_and_prime(pkey, &size_n, n, &size_p, p) != 0) {
|
||||
TRACE_DEVEL("openssl_get_modulus_and_prime failed\n");
|
||||
+ EVP_PKEY_free(pkey);
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
|
||||
@@ -1650,10 +1651,10 @@ CK_RV token_migrate(STDLL_TokData_t * tokdata, int key_type, CK_BYTE * pin)
|
||||
phKey);
|
||||
if (rc != CKR_OK) {
|
||||
TRACE_DEVEL("token_wrap_sw_key failed. rc=0x%lx\n", rc);
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
return rc;
|
||||
}
|
||||
- RSA_free(rsa);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
|
||||
result = Tspi_Key_LoadKey(*phKey, tpm_data->hSRK);
|
||||
if (result) {
|
||||
@@ -1998,7 +1999,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||
tpm_private_data_t *tpm_data = (tpm_private_data_t *)tokdata->private_data;
|
||||
CK_BYTE oldpin_hash[SHA1_HASH_SIZE], newpin_hash[SHA1_HASH_SIZE];
|
||||
CK_RV rc;
|
||||
- RSA *rsa_root;
|
||||
+ EVP_PKEY *pkey_root;
|
||||
TSS_RESULT result;
|
||||
|
||||
if (!sess) {
|
||||
@@ -2094,7 +2095,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||
|
||||
/* read the backup key with the old pin */
|
||||
rc = openssl_read_key(tokdata, TPMTOK_PRIV_ROOT_KEY_FILE, pOldPin,
|
||||
- &rsa_root);
|
||||
+ &pkey_root);
|
||||
if (rc != CKR_OK) {
|
||||
if (rc == CKR_FILE_NOT_FOUND) {
|
||||
/* If the user has moved his backup PEM file off site, allow a
|
||||
@@ -2107,14 +2108,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||
}
|
||||
|
||||
/* write it out using the new pin */
|
||||
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
||||
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PRIV_ROOT_KEY_FILE,
|
||||
pNewPin);
|
||||
if (rc != CKR_OK) {
|
||||
- RSA_free(rsa_root);
|
||||
+ EVP_PKEY_free(pkey_root);
|
||||
TRACE_DEVEL("openssl_write_key failed\n");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
- RSA_free(rsa_root);
|
||||
+ EVP_PKEY_free(pkey_root);
|
||||
} else if (sess->session_info.state == CKS_RW_SO_FUNCTIONS) {
|
||||
if (tpm_data->not_initialized) {
|
||||
if (memcmp(default_so_pin_sha, oldpin_hash, SHA1_HASH_SIZE)) {
|
||||
@@ -2166,7 +2167,7 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||
|
||||
/* change auth on the public root key's openssl backup */
|
||||
rc = openssl_read_key(tokdata, TPMTOK_PUB_ROOT_KEY_FILE, pOldPin,
|
||||
- &rsa_root);
|
||||
+ &pkey_root);
|
||||
if (rc != CKR_OK) {
|
||||
if (rc == CKR_FILE_NOT_FOUND) {
|
||||
/* If the user has moved his backup PEM file off site, allow a
|
||||
@@ -2179,14 +2180,14 @@ CK_RV token_specific_set_pin(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||
}
|
||||
|
||||
/* write it out using the new pin */
|
||||
- rc = openssl_write_key(tokdata, rsa_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
||||
+ rc = openssl_write_key(tokdata, pkey_root, TPMTOK_PUB_ROOT_KEY_FILE,
|
||||
pNewPin);
|
||||
if (rc != CKR_OK) {
|
||||
- RSA_free(rsa_root);
|
||||
+ EVP_PKEY_free(pkey_root);
|
||||
TRACE_DEVEL("openssl_write_key failed\n");
|
||||
return CKR_FUNCTION_FAILED;
|
||||
}
|
||||
- RSA_free(rsa_root);
|
||||
+ EVP_PKEY_free(pkey_root);
|
||||
} else {
|
||||
TRACE_ERROR("%s\n", ock_err(ERR_SESSION_READ_ONLY));
|
||||
rc = CKR_SESSION_READ_ONLY;
|
||||
@@ -2401,60 +2402,6 @@ CK_RV token_specific_des_ecb(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- CK_RV rc;
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
-
|
||||
- DES_key_schedule des_key2;
|
||||
- const_DES_cblock key_val_SSL, in_key_data;
|
||||
- DES_cblock out_key_data;
|
||||
- unsigned int i, j;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- // Create the key schedule
|
||||
- memcpy(&key_val_SSL, attr->pValue, 8);
|
||||
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
||||
-
|
||||
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||
- // by 8
|
||||
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
- // Both the encrypt and the decrypt are done 8 bytes at a time
|
||||
- if (encrypt) {
|
||||
- for (i = 0; i < in_data_len; i = i + 8) {
|
||||
- memcpy(in_key_data, in_data + i, 8);
|
||||
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
||||
- DES_ENCRYPT);
|
||||
- memcpy(out_data + i, out_key_data, 8);
|
||||
- }
|
||||
-
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- } else {
|
||||
-
|
||||
- for (j = 0; j < in_data_len; j = j + 8) {
|
||||
- memcpy(in_key_data, in_data + j, 8);
|
||||
- DES_ecb_encrypt(&in_key_data, &out_key_data, &des_key2,
|
||||
- DES_DECRYPT);
|
||||
- memcpy(out_data + j, out_key_data, 8);
|
||||
- }
|
||||
-
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- }
|
||||
-
|
||||
- return rc;
|
||||
-#else
|
||||
const EVP_CIPHER *cipher = EVP_des_ecb();
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
CK_ATTRIBUTE *attr = NULL;
|
||||
@@ -2501,7 +2448,6 @@ done:
|
||||
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
||||
@@ -2511,50 +2457,6 @@ CK_RV token_specific_des_cbc(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- CK_RV rc;
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
-
|
||||
- DES_cblock ivec;
|
||||
-
|
||||
- DES_key_schedule des_key2;
|
||||
- const_DES_cblock key_val_SSL;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- // Create the key schedule
|
||||
- memcpy(&key_val_SSL, attr->pValue, 8);
|
||||
- DES_set_key_unchecked(&key_val_SSL, &des_key2);
|
||||
-
|
||||
- memcpy(&ivec, init_v, 8);
|
||||
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||
- // by 8
|
||||
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
-
|
||||
-
|
||||
- if (encrypt) {
|
||||
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
||||
- DES_ENCRYPT);
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- } else {
|
||||
- DES_ncbc_encrypt(in_data, out_data, in_data_len, &des_key2, &ivec,
|
||||
- DES_DECRYPT);
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- }
|
||||
- return rc;
|
||||
-#else
|
||||
const EVP_CIPHER *cipher = EVP_des_cbc();
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
CK_ATTRIBUTE *attr = NULL;
|
||||
@@ -2601,7 +2503,6 @@ done:
|
||||
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
||||
@@ -2611,83 +2512,6 @@ CK_RV token_specific_tdes_ecb(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- CK_RV rc;
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
- CK_KEY_TYPE keytype;
|
||||
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
||||
-
|
||||
- unsigned int k, j;
|
||||
- DES_key_schedule des_key1;
|
||||
- DES_key_schedule des_key2;
|
||||
- DES_key_schedule des_key3;
|
||||
-
|
||||
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3, in_key_data;
|
||||
- DES_cblock out_key_data;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key type
|
||||
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- if (keytype == CKK_DES2) {
|
||||
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
||||
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
||||
- } else {
|
||||
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
||||
- }
|
||||
-
|
||||
- // The key as passed is a 24 byte long string containing three des keys
|
||||
- // pick them apart and create the 3 corresponding key schedules
|
||||
- memcpy(&key_SSL1, key_value, 8);
|
||||
- memcpy(&key_SSL2, key_value + 8, 8);
|
||||
- memcpy(&key_SSL3, key_value + 16, 8);
|
||||
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||
-
|
||||
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||
- // by 8
|
||||
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
- // the encrypt and decrypt are done 8 bytes at a time
|
||||
- if (encrypt) {
|
||||
- for (k = 0; k < in_data_len; k = k + 8) {
|
||||
- memcpy(in_key_data, in_data + k, 8);
|
||||
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
||||
- (DES_cblock *) & out_key_data,
|
||||
- &des_key1, &des_key2, &des_key3, DES_ENCRYPT);
|
||||
- memcpy(out_data + k, out_key_data, 8);
|
||||
- }
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- } else {
|
||||
- for (j = 0; j < in_data_len; j = j + 8) {
|
||||
- memcpy(in_key_data, in_data + j, 8);
|
||||
- DES_ecb3_encrypt((const_DES_cblock *) & in_key_data,
|
||||
- (DES_cblock *) & out_key_data,
|
||||
- &des_key1, &des_key2, &des_key3, DES_DECRYPT);
|
||||
- memcpy(out_data + j, out_key_data, 8);
|
||||
- }
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- }
|
||||
-
|
||||
- return rc;
|
||||
-#else
|
||||
const EVP_CIPHER *cipher = EVP_des_ede3_ecb();
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
CK_ATTRIBUTE *attr = NULL;
|
||||
@@ -2747,7 +2571,6 @@ done:
|
||||
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
||||
@@ -2757,81 +2580,6 @@ CK_RV token_specific_tdes_cbc(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- CK_RV rc = CKR_OK;
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
- CK_KEY_TYPE keytype;
|
||||
- CK_BYTE key_value[3 * DES_KEY_SIZE];
|
||||
-
|
||||
- DES_key_schedule des_key1;
|
||||
- DES_key_schedule des_key2;
|
||||
- DES_key_schedule des_key3;
|
||||
-
|
||||
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
|
||||
- DES_cblock ivec;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key type
|
||||
- rc = template_attribute_get_ulong(key->template, CKA_KEY_TYPE, &keytype);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_KEY_TYPE for the key\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- if (keytype == CKK_DES2) {
|
||||
- memcpy(key_value, attr->pValue, 2 * DES_KEY_SIZE);
|
||||
- memcpy(key_value + (2 * DES_KEY_SIZE), attr->pValue, DES_KEY_SIZE);
|
||||
- } else {
|
||||
- memcpy(key_value, attr->pValue, 3 * DES_KEY_SIZE);
|
||||
- }
|
||||
-
|
||||
- // The key as passed in is a 24 byte string containing 3 keys
|
||||
- // pick it apart and create the key schedules
|
||||
- memcpy(&key_SSL1, key_value, 8);
|
||||
- memcpy(&key_SSL2, key_value + 8, 8);
|
||||
- memcpy(&key_SSL3, key_value + 16, 8);
|
||||
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||
-
|
||||
- memcpy(ivec, init_v, sizeof(ivec));
|
||||
-
|
||||
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||
- // by 8
|
||||
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
- // Encrypt or decrypt the data
|
||||
- if (encrypt) {
|
||||
- DES_ede3_cbc_encrypt(in_data,
|
||||
- out_data,
|
||||
- in_data_len,
|
||||
- &des_key1,
|
||||
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- } else {
|
||||
- DES_ede3_cbc_encrypt(in_data,
|
||||
- out_data,
|
||||
- in_data_len,
|
||||
- &des_key1,
|
||||
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
|
||||
-
|
||||
- *out_data_len = in_data_len;
|
||||
- rc = CKR_OK;
|
||||
- }
|
||||
-
|
||||
- return rc;
|
||||
-#else
|
||||
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
CK_ATTRIBUTE *attr = NULL;
|
||||
@@ -2891,7 +2639,6 @@ done:
|
||||
OPENSSL_cleanse(dkey, sizeof(dkey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
/* wrap the 20 bytes of auth data @authData and store in an attribute of the two
|
||||
@@ -3626,49 +3373,6 @@ CK_RV token_specific_aes_ecb(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
- AES_KEY ssl_aes_key;
|
||||
- unsigned int i;
|
||||
- /* There's a previous check that in_data_len % AES_BLOCK_SIZE == 0,
|
||||
- * so this is fine */
|
||||
- CK_ULONG loops = (CK_ULONG) (in_data_len / AES_BLOCK_SIZE);
|
||||
- CK_RV rc;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
||||
-
|
||||
- // AES_ecb_encrypt encrypts only a single block, so we have to break up the
|
||||
- // input data here
|
||||
- if (encrypt) {
|
||||
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
||||
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||
- for (i = 0; i < loops; i++) {
|
||||
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
||||
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
||||
- &ssl_aes_key, AES_ENCRYPT);
|
||||
- }
|
||||
- } else {
|
||||
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
||||
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||
- for (i = 0; i < loops; i++) {
|
||||
- AES_ecb_encrypt((unsigned char *) in_data + (i * AES_BLOCK_SIZE),
|
||||
- (unsigned char *) out_data + (i * AES_BLOCK_SIZE),
|
||||
- &ssl_aes_key, AES_DECRYPT);
|
||||
- }
|
||||
- }
|
||||
- *out_data_len = in_data_len;
|
||||
-
|
||||
- return CKR_OK;
|
||||
-#else
|
||||
CK_RV rc;
|
||||
int outlen;
|
||||
unsigned char akey[AES_KEY_SIZE_256];
|
||||
@@ -3729,7 +3433,6 @@ done:
|
||||
OPENSSL_cleanse(akey, sizeof(akey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
||||
@@ -3739,39 +3442,6 @@ CK_RV token_specific_aes_cbc(STDLL_TokData_t * tokdata,
|
||||
CK_ULONG * out_data_len,
|
||||
OBJECT * key, CK_BYTE * init_v, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- AES_KEY ssl_aes_key;
|
||||
- CK_ATTRIBUTE *attr = NULL;
|
||||
- CK_RV rc;
|
||||
-
|
||||
- UNUSED(tokdata);
|
||||
-
|
||||
- // get the key value
|
||||
- rc = template_attribute_get_non_empty(key->template, CKA_VALUE, &attr);
|
||||
- if (rc != CKR_OK) {
|
||||
- TRACE_ERROR("Could not find CKA_VALUE for the key.\n");
|
||||
- return rc;
|
||||
- }
|
||||
-
|
||||
- memset(&ssl_aes_key, 0, sizeof(AES_KEY));
|
||||
-
|
||||
- // AES_cbc_encrypt chunks the data into AES_BLOCK_SIZE blocks, unlike
|
||||
- // AES_ecb_encrypt, so no looping required.
|
||||
- if (encrypt) {
|
||||
- AES_set_encrypt_key((unsigned char *) attr->pValue,
|
||||
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
||||
- in_data_len, &ssl_aes_key, init_v, AES_ENCRYPT);
|
||||
- } else {
|
||||
- AES_set_decrypt_key((unsigned char *) attr->pValue,
|
||||
- (attr->ulValueLen * 8), &ssl_aes_key);
|
||||
- AES_cbc_encrypt((unsigned char *) in_data, (unsigned char *) out_data,
|
||||
- in_data_len, &ssl_aes_key, init_v, AES_DECRYPT);
|
||||
- }
|
||||
- *out_data_len = in_data_len;
|
||||
-
|
||||
- return CKR_OK;
|
||||
-#else
|
||||
CK_RV rc;
|
||||
int outlen;
|
||||
unsigned char akey[AES_KEY_SIZE_256];
|
||||
@@ -3832,7 +3502,6 @@ done:
|
||||
OPENSSL_cleanse(akey, sizeof(akey));
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV token_specific_get_mechanism_list(STDLL_TokData_t * tokdata,
|
||||
diff --git a/usr/lib/tpm_stdll/tpm_specific.h b/usr/lib/tpm_stdll/tpm_specific.h
|
||||
index 81af2744..2ffd0afc 100644
|
||||
--- a/usr/lib/tpm_stdll/tpm_specific.h
|
||||
+++ b/usr/lib/tpm_stdll/tpm_specific.h
|
||||
@@ -56,10 +56,10 @@
|
||||
/* retry count for generating software RSA keys */
|
||||
#define KEYGEN_RETRY 5
|
||||
|
||||
-RSA *openssl_gen_key(STDLL_TokData_t *);
|
||||
-int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
|
||||
-CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
|
||||
-int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
|
||||
+EVP_PKEY *openssl_gen_key(STDLL_TokData_t *);
|
||||
+int openssl_write_key(STDLL_TokData_t *, EVP_PKEY *, char *, CK_BYTE *);
|
||||
+CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, EVP_PKEY **);
|
||||
+int openssl_get_modulus_and_prime(EVP_PKEY *, unsigned int *, unsigned char *,
|
||||
unsigned int *, unsigned char *);
|
||||
int util_set_file_mode(char *, mode_t);
|
||||
CK_BYTE *util_create_id(int);
|
File diff suppressed because it is too large
Load Diff
@ -1,115 +0,0 @@
|
||||
commit ab3fceae6194e8213e9d3ffb7447ccd04d469b9d
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Mon Jul 5 10:45:04 2021 +0200
|
||||
|
||||
COMMON: sw_crypt.c: Remove support for OpenSSL < v1.1.1
|
||||
|
||||
Remove support for OpenSSL < v1.1.1. This code used low level
|
||||
DES/AES functions.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/sw_crypt.c b/usr/lib/common/sw_crypt.c
|
||||
index 906a41ab..253b3c26 100644
|
||||
--- a/usr/lib/common/sw_crypt.c
|
||||
+++ b/usr/lib/common/sw_crypt.c
|
||||
@@ -32,51 +32,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
|
||||
CK_ULONG *out_data_len,
|
||||
CK_BYTE *init_v, CK_BYTE *key_value, CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- DES_key_schedule des_key1;
|
||||
- DES_key_schedule des_key2;
|
||||
- DES_key_schedule des_key3;
|
||||
-
|
||||
- const_DES_cblock key_SSL1, key_SSL2, key_SSL3;
|
||||
- DES_cblock ivec;
|
||||
-
|
||||
- // the des decrypt will only fail if the data length is not evenly divisible
|
||||
- // by DES_BLOCK_SIZE
|
||||
- if (in_data_len % DES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
- // The key as passed in is a 24 byte string containing 3 keys
|
||||
- // pick it apart and create the key schedules
|
||||
- memcpy(&key_SSL1, key_value, (size_t) 8);
|
||||
- memcpy(&key_SSL2, key_value + 8, (size_t) 8);
|
||||
- memcpy(&key_SSL3, key_value + 16, (size_t) 8);
|
||||
- DES_set_key_unchecked(&key_SSL1, &des_key1);
|
||||
- DES_set_key_unchecked(&key_SSL2, &des_key2);
|
||||
- DES_set_key_unchecked(&key_SSL3, &des_key3);
|
||||
-
|
||||
- memcpy(ivec, init_v, sizeof(ivec));
|
||||
-
|
||||
- // Encrypt or decrypt the data
|
||||
- if (encrypt) {
|
||||
- DES_ede3_cbc_encrypt(in_data,
|
||||
- out_data,
|
||||
- in_data_len,
|
||||
- &des_key1,
|
||||
- &des_key2, &des_key3, &ivec, DES_ENCRYPT);
|
||||
- *out_data_len = in_data_len;
|
||||
- } else {
|
||||
- DES_ede3_cbc_encrypt(in_data,
|
||||
- out_data,
|
||||
- in_data_len,
|
||||
- &des_key1,
|
||||
- &des_key2, &des_key3, &ivec, DES_DECRYPT);
|
||||
-
|
||||
- *out_data_len = in_data_len;
|
||||
- }
|
||||
-
|
||||
- return CKR_OK;
|
||||
-#else
|
||||
CK_RV rc;
|
||||
int outlen;
|
||||
const EVP_CIPHER *cipher = EVP_des_ede3_cbc();
|
||||
@@ -109,7 +64,6 @@ CK_RV sw_des3_cbc(CK_BYTE *in_data,
|
||||
done:
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
||||
|
||||
CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||
@@ -119,33 +73,6 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||
CK_BYTE *init_v, CK_BYTE *key_value, CK_ULONG keylen,
|
||||
CK_BYTE encrypt)
|
||||
{
|
||||
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
- AES_KEY aes_key;
|
||||
-
|
||||
- UNUSED(out_data_len); //XXX can this parameter be removed ?
|
||||
-
|
||||
- memset(&aes_key, 0, sizeof(aes_key));
|
||||
-
|
||||
- // the aes decrypt will only fail if the data length is not evenly divisible
|
||||
- // by AES_BLOCK_SIZE
|
||||
- if (in_data_len % AES_BLOCK_SIZE) {
|
||||
- TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
|
||||
- return CKR_DATA_LEN_RANGE;
|
||||
- }
|
||||
-
|
||||
- // Encrypt or decrypt the data
|
||||
- if (encrypt) {
|
||||
- AES_set_encrypt_key(key_value, keylen * 8, &aes_key);
|
||||
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
|
||||
- init_v, AES_ENCRYPT);
|
||||
- } else {
|
||||
- AES_set_decrypt_key(key_value, keylen * 8, &aes_key);
|
||||
- AES_cbc_encrypt(in_data, out_data, in_data_len, &aes_key,
|
||||
- init_v, AES_DECRYPT);
|
||||
- }
|
||||
-
|
||||
- return CKR_OK;
|
||||
-#else
|
||||
CK_RV rc;
|
||||
int outlen;
|
||||
const EVP_CIPHER *cipher = NULL;
|
||||
@@ -187,5 +114,4 @@ CK_RV sw_aes_cbc(CK_BYTE *in_data,
|
||||
done:
|
||||
EVP_CIPHER_CTX_free(ctx);
|
||||
return rc;
|
||||
-#endif
|
||||
}
|
@ -1,37 +0,0 @@
|
||||
commit c4683eb904238d20cb34a4c7661ffac04901283c
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Tue Jun 29 17:35:30 2021 +0200
|
||||
|
||||
COMMON: Add OPENSSL_VERSION_PREREQ macro to check for OpenSSL version
|
||||
|
||||
Make the OPENSSL_VERSION_PREREQ macro available independent of the
|
||||
used OpenSSL version, so that the code can easily check for the OpenSSL
|
||||
version it is compiled with.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/usr/lib/common/defs.h b/usr/lib/common/defs.h
|
||||
index 22d75d2d..8ab50517 100644
|
||||
--- a/usr/lib/common/defs.h
|
||||
+++ b/usr/lib/common/defs.h
|
||||
@@ -17,6 +17,20 @@
|
||||
#ifndef _DEFS_H
|
||||
#define _DEFS_H
|
||||
|
||||
+#include <openssl/opensslv.h>
|
||||
+
|
||||
+#ifndef OPENSSL_VERSION_PREREQ
|
||||
+ #if defined(OPENSSL_VERSION_MAJOR) && defined(OPENSSL_VERSION_MINOR)
|
||||
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
|
||||
+ ((OPENSSL_VERSION_MAJOR << 16) + \
|
||||
+ OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min))
|
||||
+ #else
|
||||
+ #define OPENSSL_VERSION_PREREQ(maj, min) \
|
||||
+ (OPENSSL_VERSION_NUMBER >= (((maj) << 28) | \
|
||||
+ ((min) << 20)))
|
||||
+ #endif
|
||||
+#endif
|
||||
+
|
||||
#define MAX_SESSION_COUNT 64
|
||||
#define MAX_PIN_LEN 8
|
||||
#define MIN_PIN_LEN 4
|
@ -1,49 +0,0 @@
|
||||
commit dd9cfe2ef89dad185397df46227f9392a6317d35
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Wed Jul 21 13:54:59 2021 +0200
|
||||
|
||||
CONFIGURE: Check that OpenSSL 1.1.1 or later is available
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 286b7408..f47060d9 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -277,21 +277,14 @@ if test "x$with_openssl" != "xno"; then
|
||||
old_libs="$LIBS"
|
||||
CFLAGS="$CFLAGS $OPENSSL_CFLAGS"
|
||||
LIBS="$LIBS $OPENSSL_LIBS"
|
||||
- AC_CHECK_HEADER([openssl/ssl.h], [], [
|
||||
- if test "x$with_openssl" != "xcheck"; then
|
||||
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL headers couldn't be found])
|
||||
- fi
|
||||
- with_openssl=no
|
||||
+ AC_CHECK_HEADER([openssl/evp.h], [], [
|
||||
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL headers couldn't be found])
|
||||
])
|
||||
if test "x$with_openssl" != "xno"; then
|
||||
- AC_CHECK_LIB([crypto], [RSA_generate_key], [
|
||||
+ AC_CHECK_LIB([crypto], [EVP_sha3_256], [
|
||||
OPENSSL_LIBS="$OPENSSL_LIBS -lcrypto"
|
||||
- with_openssl=yes
|
||||
- ], [
|
||||
- if test "x$with_openssl" != "xcheck"; then
|
||||
- AC_MSG_ERROR([Build with OpenSSL requested but OpenSSL libraries couldn't be found])
|
||||
- fi
|
||||
- with_openssl=no
|
||||
+ with_openssl=yes], [
|
||||
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but OpenSSL libraries version 1.1.1 or later couldn't be found])
|
||||
])
|
||||
fi
|
||||
if test "x$with_openssl" = "xno"; then
|
||||
@@ -299,6 +292,9 @@ if test "x$with_openssl" != "xno"; then
|
||||
LIBS="$old_libs"
|
||||
fi
|
||||
fi
|
||||
+if test "x$with_openssl" != "xyes"; then
|
||||
+ AC_MSG_ERROR([OpenSSL 1.1.1 or later is required but build without OpenSSL was requested])
|
||||
+fi
|
||||
AC_SUBST([OPENSSL_CFLAGS])
|
||||
AC_SUBST([OPENSSL_LIBS])
|
||||
|
@ -1,853 +0,0 @@
|
||||
commit ecf71404e84ae35931cd6c7398c825378ee052b6
|
||||
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
Date: Fri Jul 2 11:20:22 2021 +0200
|
||||
|
||||
TESTCASES: Soft: Skip tests with RSA publ.exp. not supported by OpenSSL
|
||||
|
||||
OpenSSL 3.0 only accepts public exponents of 3 and 65537 for RSA keys.
|
||||
Skip the testcase if another public exponent is used.
|
||||
|
||||
Also fixed some ugly line breaks within messages.
|
||||
|
||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||
|
||||
diff --git a/testcases/common/common.c b/testcases/common/common.c
|
||||
index bfd486cb..0a64ecf2 100644
|
||||
--- a/testcases/common/common.c
|
||||
+++ b/testcases/common/common.c
|
||||
@@ -876,6 +876,16 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||
|| (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||
}
|
||||
|
||||
+/** Returns true if pubexp is valid for Soft Tokens **/
|
||||
+int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
|
||||
+{
|
||||
+ CK_BYTE exp3[] = { 0x03 }; // 3
|
||||
+ CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
|
||||
+
|
||||
+ return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
|
||||
+ || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
|
||||
+}
|
||||
+
|
||||
/** Returns true if slot_id is an ICSF token
|
||||
** ICSF token info is not necessarily hard-coded like the other tokens
|
||||
** so there is no single identifying attribute. So, instead just
|
||||
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
|
||||
index 62aa7a76..8739ed37 100644
|
||||
--- a/testcases/crypto/rsa_func.c
|
||||
+++ b/testcases/crypto/rsa_func.c
|
||||
@@ -102,8 +102,8 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -111,8 +111,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -124,8 +123,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -148,6 +146,16 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
continue;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'",
|
||||
+ s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
// tpm special cases:
|
||||
// tpm token can only use public exponent 0x010001 (65537)
|
||||
// so skip test if invalid public exponent is used
|
||||
@@ -155,8 +163,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||
- s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -166,8 +173,7 @@ CK_RV do_EncryptDecryptRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len) ||
|
||||
(tsuite->tv[i].modbits < 1024)) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -376,8 +382,8 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].mod_len * 8)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].mod_len * 8);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].mod_len * 8);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -385,16 +391,14 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
// modulus length must be multiple of 128 byte
|
||||
// skip test if modulus length has unsuported size
|
||||
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||
- testcase_skip("EP11 Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -416,8 +420,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
(tsuite->tv[i].exp2_len >
|
||||
(tsuite->tv[i].mod_len / 2)) ||
|
||||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||
- testcase_skip("ICA Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -431,12 +434,21 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp.='%s'", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||
+ tsuite->tv[i].pubexp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
+
|
||||
// tpm special cases:
|
||||
// tpm token can only use public exponent 0x010001 (65537)
|
||||
// so skip test if invalid public exponent is used
|
||||
@@ -444,8 +456,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len * 8))) {
|
||||
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||
- s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -455,8 +466,7 @@ CK_RV do_EncryptDecryptImportRSA(struct PUBLISHED_TEST_SUITE_INFO *tsuite)
|
||||
if (!is_valid_icsf_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len) ||
|
||||
(tsuite->tv[i].mod_len * 8 < 1024)) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -691,8 +701,8 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -700,8 +710,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -710,8 +719,16 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -721,8 +738,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
|
||||
- s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -732,8 +748,7 @@ CK_RV do_SignVerifyRSA(struct GENERATED_TEST_SUITE_INFO * tsuite,
|
||||
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len) ||
|
||||
(tsuite->tv[i].modbits < 1024)) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -944,16 +959,23 @@ CK_RV do_SignVerify_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -1154,8 +1176,8 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
continue;
|
||||
}
|
||||
// get public exponent from test vector
|
||||
@@ -1169,8 +1191,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -1179,8 +1200,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len) ||
|
||||
(tsuite->tv[i].modbits < 1024)) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -1189,8 +1209,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) ||
|
||||
(!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||
- testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'",
|
||||
- s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -1198,8 +1217,7 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -1228,6 +1246,14 @@ CK_RV do_WrapUnwrapRSA(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
continue;
|
||||
}
|
||||
}
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
// begin test
|
||||
testcase_begin("%s Wrap Unwrap with test vector %d, "
|
||||
@@ -1554,8 +1580,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
(tsuite->tv[i].exp2_len >
|
||||
(tsuite->tv[i].mod_len / 2)) ||
|
||||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||
- testcase_skip("ICA Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -1565,8 +1590,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
// skip test if modulus length has unsuported size
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||
- testcase_skip("EP11 Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -1575,8 +1599,7 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||
- testcase_skip("TPM Token cannot "
|
||||
- "be used with this test vector.");
|
||||
+ testcase_skip("TPM Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -1584,8 +1607,15 @@ CK_RV do_SignRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with this test vector.");
|
||||
+ testcase_skip("CCA Token cannot be used with this test vector.");
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||
+ tsuite->tv[i].pubexp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -1735,8 +1765,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
// skip test if modulus length has unsuported size
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if ((tsuite->tv[i].mod_len % 128) != 0) {
|
||||
- testcase_skip("EP11 Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("EP11 Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -1745,8 +1774,7 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||
- testcase_skip("TPM Token cannot "
|
||||
- "be used with this test vector.");
|
||||
+ testcase_skip("TPM Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
@@ -1754,8 +1782,15 @@ CK_RV do_VerifyRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with this test vector.");
|
||||
+ testcase_skip("CCA Token cannot be used with this test vector.");
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||
+ tsuite->tv[i].pubexp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with this test vector.");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
diff --git a/testcases/crypto/rsaupdate_func.c b/testcases/crypto/rsaupdate_func.c
|
||||
index 20611b85..22f8d7e4 100644
|
||||
--- a/testcases/crypto/rsaupdate_func.c
|
||||
+++ b/testcases/crypto/rsaupdate_func.c
|
||||
@@ -96,8 +96,8 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -105,8 +105,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -115,19 +114,27 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+
|
||||
if (is_tpm_token(slot_id)) {
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len))
|
||||
|| (!is_valid_tpm_modbits(tsuite->tv[i].modbits))) {
|
||||
- testcase_skip("TPM Token cannot " "be used with publ_exp='%s'.",
|
||||
- s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -137,8 +144,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
if (!is_valid_icsf_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len) ||
|
||||
(tsuite->tv[i].modbits < 1024)) {
|
||||
- testcase_skip("ICSF Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -162,8 +168,7 @@ CK_RV do_SignVerifyUpdateRSA(struct GENERATED_TEST_SUITE_INFO *tsuite)
|
||||
tsuite->tv[i].publ_exp_len,
|
||||
&publ_key, &priv_key);
|
||||
if (rc != CKR_OK) {
|
||||
- testcase_error("generate_RSA_PKCS_KeyPair(), "
|
||||
- "rc=%s", p11_get_ckr(rc));
|
||||
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
|
||||
@@ -367,8 +372,8 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
|
||||
if (!keysize_supported(slot_id, tsuite->mech.mechanism,
|
||||
tsuite->tv[i].modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", SLOT_ID, tsuite->tv[i].modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ SLOT_ID, tsuite->tv[i].modbits);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -376,8 +381,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -386,8 +390,16 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].publ_exp,
|
||||
tsuite->tv[i].publ_exp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].publ_exp,
|
||||
+ tsuite->tv[i].publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -412,8 +424,7 @@ CK_RV do_SignVerifyUpdate_RSAPSS(struct GENERATED_TEST_SUITE_INFO * tsuite)
|
||||
tsuite->tv[i].publ_exp_len,
|
||||
&publ_key, &priv_key);
|
||||
if (rc != CKR_OK) {
|
||||
- testcase_error("generate_RSA_PKCS_KeyPair(), "
|
||||
- "rc=%s", p11_get_ckr(rc));
|
||||
+ testcase_error("generate_RSA_PKCS_KeyPair(), rc=%s", p11_get_ckr(rc));
|
||||
goto error;
|
||||
}
|
||||
// generate message
|
||||
@@ -639,8 +650,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with pub_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with pub_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -650,8 +660,7 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) ||
|
||||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||
- testcase_skip("TPM Token cannot "
|
||||
- "be used with pub_exp='%s'.", s);
|
||||
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -660,8 +669,16 @@ CK_RV do_VerifyUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||
+ tsuite->tv[i].pubexp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -826,8 +843,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
(tsuite->tv[i].exp2_len >
|
||||
(tsuite->tv[i].mod_len / 2)) ||
|
||||
(tsuite->tv[i].coef_len > (tsuite->tv[i].mod_len / 2))) {
|
||||
- testcase_skip("ICA Token cannot be used with "
|
||||
- "this test vector.");
|
||||
+ testcase_skip("ICA Token cannot be used with this test vector.");
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -848,8 +864,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("EP11 Token cannot "
|
||||
- "be used with publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token cannot be used with publ_exp.='%s'", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -859,8 +874,7 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if ((!is_valid_tpm_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) ||
|
||||
(!is_valid_tpm_modbits(tsuite->tv[i].mod_len))) {
|
||||
- testcase_skip("TPM Token cannot "
|
||||
- "be used with pub_exp='%s'.", s);
|
||||
+ testcase_skip("TPM Token cannot be used with pub_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
@@ -869,8 +883,16 @@ CK_RV do_SignUpdateRSA(struct PUBLISHED_TEST_SUITE_INFO * tsuite)
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->tv[i].pub_exp,
|
||||
tsuite->tv[i].pubexp_len)) {
|
||||
- testcase_skip("CCA Token cannot "
|
||||
- "be used with publ_exp='%s'.", s);
|
||||
+ testcase_skip("CCA Token cannot be used with publ_exp='%s'.", s);
|
||||
+ free(s);
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->tv[i].pub_exp,
|
||||
+ tsuite->tv[i].pubexp_len)) {
|
||||
+ testcase_skip("Soft Token cannot be used with publ_exp='%s'.", s);
|
||||
free(s);
|
||||
continue;
|
||||
}
|
||||
diff --git a/testcases/misc_tests/reencrypt.c b/testcases/misc_tests/reencrypt.c
|
||||
index a78e1f5a..93fa31bd 100644
|
||||
--- a/testcases/misc_tests/reencrypt.c
|
||||
+++ b/testcases/misc_tests/reencrypt.c
|
||||
@@ -361,24 +361,29 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||
|
||||
if (!keysize_supported(slot_id, mech2->key_gen_mech.mechanism,
|
||||
mech2->rsa_modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", slot_id, mech2->rsa_modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ slot_id, mech2->rsa_modbits);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
|
||||
if (is_ep11_token(slot_id)) {
|
||||
if (!is_valid_ep11_pubexp(mech2->rsa_publ_exp,
|
||||
mech2->rsa_publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token in cannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
if (is_cca_token(slot_id)) {
|
||||
if (!is_valid_cca_pubexp(mech2->rsa_publ_exp,
|
||||
mech2->rsa_publ_exp_len)) {
|
||||
- testcase_skip("CCA Token in cannot be used with "
|
||||
- " publ_exp.='%s'", s);
|
||||
+ testcase_skip("CCA Token in cannot be used with publ_exp.='%s'", s);
|
||||
+ goto testcase_cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(mech2->rsa_publ_exp,
|
||||
+ mech2->rsa_publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token in cannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -386,8 +391,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||
if (!is_valid_tpm_pubexp(mech2->rsa_publ_exp,
|
||||
mech2->rsa_publ_exp_len) ||
|
||||
!is_valid_tpm_modbits(mech2->rsa_modbits)) {
|
||||
- testcase_skip("TPM Token cannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("TPM Token cannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -395,8 +399,7 @@ CK_RV do_reencrypt(struct mech_info *mech1, struct mech_info *mech2)
|
||||
if (!is_valid_icsf_pubexp(mech2->rsa_publ_exp,
|
||||
mech2->rsa_publ_exp_len) ||
|
||||
mech2->rsa_modbits < 1024) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -619,6 +622,14 @@ CK_RV do_encrypt_reencrypt(struct mech_info *mech1)
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
+ if (is_soft_token(slot_id)) {
|
||||
+ if (!is_valid_soft_pubexp(mech1->rsa_publ_exp,
|
||||
+ mech1->rsa_publ_exp_len)) {
|
||||
+ testsuite_skip(NUM_REENCRYPT_TESTS, "Soft Token cannot be "
|
||||
+ "used with publ_exp.='%s'", s);
|
||||
+ goto testcase_cleanup;
|
||||
+ }
|
||||
+ }
|
||||
if (is_tpm_token(slot_id) ) {
|
||||
if (!is_valid_tpm_pubexp(mech1->rsa_publ_exp,
|
||||
mech1->rsa_publ_exp_len) ||
|
||||
diff --git a/testcases/misc_tests/tok2tok_transport.c b/testcases/misc_tests/tok2tok_transport.c
|
||||
index 9c1dee8f..ebb44760 100644
|
||||
--- a/testcases/misc_tests/tok2tok_transport.c
|
||||
+++ b/testcases/misc_tests/tok2tok_transport.c
|
||||
@@ -581,30 +581,35 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||
|
||||
if (!keysize_supported(slot_id1, tsuite->wrapped_key_gen_mech.mechanism,
|
||||
tsuite->rsa_modbits)) {
|
||||
- testcase_skip("Token in slot %lu cannot be used with "
|
||||
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
|
||||
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
|
||||
+ slot_id1, tsuite->rsa_modbits);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
if (!keysize_supported(slot_id2, tsuite->wrapped_key_gen_mech.mechanism,
|
||||
tsuite->rsa_modbits)) {
|
||||
- testcase_skip("Token in slot %lu cannot be used with "
|
||||
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
|
||||
+ testcase_skip("Token in slot %lu cannot be used with modbits.='%ld'",
|
||||
+ slot_id2, tsuite->rsa_modbits);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
|
||||
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token in cannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len)) {
|
||||
- testcase_skip("CCA Token in scannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
|
||||
+ goto testcase_cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+ if (is_soft_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
|
||||
+ tsuite->rsa_publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -612,8 +617,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len) ||
|
||||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
|
||||
- testcase_skip("TPM Token cannot " "be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -621,8 +625,7 @@ CK_RV do_wrap_key_test(struct wrapped_mech_info *tsuite,
|
||||
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len) ||
|
||||
tsuite->rsa_modbits < 1024) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -967,31 +970,36 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||
if (!keysize_supported(slot_id1,
|
||||
tsuite->wrapping_key_gen_mech.mechanism,
|
||||
tsuite->rsa_modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", slot_id1, tsuite->rsa_modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ slot_id1, tsuite->rsa_modbits);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
if (!keysize_supported(slot_id2,
|
||||
tsuite->wrapping_key_gen_mech.mechanism,
|
||||
tsuite->rsa_modbits)) {
|
||||
- testcase_skip("Token in slot %ld cannot be used with "
|
||||
- "modbits.='%ld'", slot_id2, tsuite->rsa_modbits);
|
||||
+ testcase_skip("Token in slot %ld cannot be used with modbits.='%ld'",
|
||||
+ slot_id2, tsuite->rsa_modbits);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
|
||||
if (is_ep11_token(slot_id1) || is_ep11_token(slot_id2)) {
|
||||
if (!is_valid_ep11_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len)) {
|
||||
- testcase_skip("EP11 Token in cannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("EP11 Token in cannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
if (is_cca_token(slot_id1) || is_cca_token(slot_id2)) {
|
||||
if (!is_valid_cca_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len)) {
|
||||
- testcase_skip("CCA Token in scannot be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("CCA Token in scannot be used with publ_exp.='%s'", s);
|
||||
+ goto testcase_cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+ if (is_soft_token(slot_id1) || is_soft_token(slot_id2)) {
|
||||
+ if (!is_valid_soft_pubexp(tsuite->rsa_publ_exp,
|
||||
+ tsuite->rsa_publ_exp_len)) {
|
||||
+ testcase_skip("Soft Token in scannot be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -999,8 +1007,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||
if (!is_valid_tpm_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len) ||
|
||||
!is_valid_tpm_modbits(tsuite->rsa_modbits)) {
|
||||
- testcase_skip("TPM Token cannot " "be used with "
|
||||
- "publ_exp.='%s'", s);
|
||||
+ testcase_skip("TPM Token cannot " "be used with publ_exp.='%s'", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
||||
@@ -1008,8 +1015,7 @@ CK_RV do_wrapping_test(struct wrapping_mech_info *tsuite)
|
||||
if (!is_valid_icsf_pubexp(tsuite->rsa_publ_exp,
|
||||
tsuite->rsa_publ_exp_len) ||
|
||||
tsuite->rsa_modbits < 1024) {
|
||||
- testcase_skip("ICSF Token cannot be used with "
|
||||
- "publ_exp='%s'.", s);
|
||||
+ testcase_skip("ICSF Token cannot be used with publ_exp='%s'.", s);
|
||||
goto testcase_cleanup;
|
||||
}
|
||||
}
|
@ -1,12 +0,0 @@
|
||||
diff -up opencryptoki-3.16.0/misc/pkcsslotd.service.in.me opencryptoki-3.16.0/misc/pkcsslotd.service.in
|
||||
--- opencryptoki-3.16.0/misc/pkcsslotd.service.in.me 2021-06-25 09:25:11.464487847 +0200
|
||||
+++ opencryptoki-3.16.0/misc/pkcsslotd.service.in 2021-06-25 09:25:38.701225760 +0200
|
||||
@@ -4,7 +4,7 @@ After=local-fs.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
-PIDFile=/var/run/pkcsslotd.pid
|
||||
+PIDFile=/run/pkcsslotd.pid
|
||||
ExecStart=@sbindir@/pkcsslotd
|
||||
|
||||
[Install]
|
@ -1,8 +0,0 @@
|
||||
# This file describes how to load the opensc module
|
||||
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
|
||||
|
||||
# This is a relative path, which means it will be loaded from
|
||||
# the p11-kit default path which is usually $(libdir)/pkcs11.
|
||||
# Doing it this way allows for packagers to package opensc for
|
||||
# 32-bit and 64-bit and make them parallel installable
|
||||
module: libopencryptoki.so
|
@ -1,11 +1,10 @@
|
||||
Name: opencryptoki
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
|
||||
Version: 3.16.0
|
||||
Release: 12%{?dist}
|
||||
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
||||
Version: 3.17.0
|
||||
Release: 1%{?dist}
|
||||
License: CPL
|
||||
URL: https://github.com/opencryptoki/opencryptoki
|
||||
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: opencryptoki.module
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
|
||||
Patch0: opencryptoki-3.11.0-group.patch
|
||||
|
||||
@ -13,54 +12,14 @@ Patch0: opencryptoki-3.11.0-group.patch
|
||||
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||
# PIDfile below legacy directory /var/run/
|
||||
Patch2: opencryptoki-pkcsslotd-pidfile.patch
|
||||
# Use --no-undefined to debug missing symbols
|
||||
#Patch100: %%{name}-3.2-no-undefined.patch
|
||||
|
||||
# upstream patches
|
||||
Patch200: opencryptoki-3.16.0-4e3b43c3d8844402c04a66b55c6c940f965109f0.patch
|
||||
Patch201: opencryptoki-3.16.0-c79e899d77a5724635a9d4451a34a240e2c7e891.patch
|
||||
Patch202: opencryptoki-3.16.0-69244a5e0d9dfec3ef534b19b89a541576bb17dc.patch
|
||||
Patch203: opencryptoki-3.16.0-b07505993dd8b2f367cf3b630f6da186e4e8550d.patch
|
||||
Patch204: opencryptoki-3.16.0-b048be548508dd1958bb7271568f388d0f6cbcf8.patch
|
||||
Patch205: opencryptoki-3.16.0-e9548127edae313da7840bcb87fd0afd04549c2e.patch
|
||||
Patch206: opencryptoki-3.16.0-d929fe8470e99f4dcbbd889e7aa87e147d0d5b48.patch
|
||||
Patch207: opencryptoki-3.16.0-19f56d12b302b87e1dacf613cc61a063ad209d15.patch
|
||||
Patch208: opencryptoki-3.16.0-342dfbeb8275f5ea6ed52dd3f30126614ec1d037.patch
|
||||
Patch209: opencryptoki-3.16.0-fa94a16116d8382a987ddf9e8cdd88027dd1f647.patch
|
||||
Patch210: opencryptoki-3.16.0-d7de5092247a0efc2c397f12977a7c9925420143.patch
|
||||
Patch211: opencryptoki-3.16.0-1fdd0e4497b0078e73e0004e3492db647c7c458b.patch
|
||||
Patch212: opencryptoki-3.16.0-bf812c652c49d7e248b115d121a4f7f6568941a2.patch
|
||||
Patch213: opencryptoki-3.16.0-7b7d83c571ceb3050969359817d4145600f14ae8.patch
|
||||
Patch214: opencryptoki-3.16.0-pkcstok_migrate-detection_if_pkcsslotd_is_still_running.patch
|
||||
Patch215: opencryptoki-3.16.0-5824364d995e5d2418f885ee57e377e11d1b3302.patch
|
||||
Patch216: opencryptoki-3.16.0-e88a9de3128df1c4b89bd4c7312c15bb3eb34593.patch
|
||||
Patch217: opencryptoki-3.16.0-d2f137cce5e6efb123842509352c7c49f889c67f.patch
|
||||
Patch218: opencryptoki-openssl3-dd9cfe2ef89dad185397df46227f9392a6317d35.patch
|
||||
Patch219: opencryptoki-openssl3-93588f53d918fe6c7452da076b95081fb6aa9aef.patch
|
||||
Patch220: opencryptoki-openssl3-62fc2bcd98672c5d0ff8a2c926f3103110e91ed7.patch
|
||||
Patch221: opencryptoki-openssl3-50408fc3ae0f25b256dda2033d538f88c9b4f903.patch
|
||||
Patch222: opencryptoki-openssl3-145a696d478a1694ef314659a3d374f03f75c1b1.patch
|
||||
Patch223: opencryptoki-openssl3-7a23c12214688b287b9591133445e593da633caa.patch
|
||||
Patch224: opencryptoki-openssl3-ecf71404e84ae35931cd6c7398c825378ee052b6.patch
|
||||
Patch225: opencryptoki-openssl3-50e3f06823696c74eea90a77e16b28da1f79cd47.patch
|
||||
Patch226: opencryptoki-openssl3-ab3fceae6194e8213e9d3ffb7447ccd04d469b9d.patch
|
||||
Patch227: opencryptoki-openssl3-5377d25a6cbe3d07afcd08276ad7e90f62cad0c9.patch
|
||||
Patch228: opencryptoki-openssl3-6fee37f08391415cdf8d8610c501516c3d3ed29c.patch
|
||||
Patch230: opencryptoki-openssl3-2c116d49359a5eb91ad7f1483c64650c7874a513.patch
|
||||
Patch231: opencryptoki-openssl3-533cdea6897d1bc0af13490f1c89248c52e7a73b.patch
|
||||
Patch232: opencryptoki-openssl3-5cceead028ec8e0c244b01d38c9096c96d98f96b.patch
|
||||
Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
|
||||
Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
|
||||
Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
|
||||
Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
|
||||
Patch237: opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
|
||||
Patch238: opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
|
||||
|
||||
Requires(pre): coreutils
|
||||
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openssl-devel >= 1.1.1
|
||||
%if 0%{?tmptok}
|
||||
BuildRequires: trousers-devel
|
||||
%endif
|
||||
@ -72,7 +31,7 @@ BuildRequires: libitm-devel
|
||||
BuildRequires: expect
|
||||
BuildRequires: make
|
||||
%ifarch s390 s390x
|
||||
BuildRequires: libica-devel >= 2.3
|
||||
BuildRequires: libica-devel >= 3.3
|
||||
%endif
|
||||
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
@ -83,7 +42,7 @@ Requires(postun): systemd
|
||||
|
||||
|
||||
%description
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -96,7 +55,7 @@ Summary: The run-time libraries for opencryptoki package
|
||||
Requires(pre): shadow-utils
|
||||
|
||||
%description libs
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -122,7 +81,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description swtok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -138,7 +97,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description tpmtok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -154,7 +113,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description icsftok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -171,7 +130,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description icatok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -188,7 +147,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description ccatok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -205,7 +164,7 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: %{name}(token)
|
||||
|
||||
%description ep11tok
|
||||
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
|
||||
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||
token implementation that can be used without any cryptographic
|
||||
@ -276,6 +235,7 @@ fi
|
||||
%{_mandir}/man1/pkcstok_migrate.1*
|
||||
%{_mandir}/man1/pkcsconf.1*
|
||||
%{_mandir}/man5/%{name}.conf.5*
|
||||
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
|
||||
%{_mandir}/man7/%{name}.7*
|
||||
%{_mandir}/man8/pkcsslotd.8*
|
||||
%{_libdir}/opencryptoki/methods
|
||||
@ -357,6 +317,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Nov 03 2021 Than Ngo <than@redhat.com> - 3.17.0-1
|
||||
- Resolves: #2015888, rebase to 3.17.0
|
||||
- Resolves: #2017720, openCryptoki key management tool
|
||||
|
||||
* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
|
||||
- Related: #1989138, Support for OpenSSL 3.0
|
||||
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (opencryptoki-3.16.0.tar.gz) = e7f54653bf8b57f7fb713c03aafe07e44a028d7ca10f68a3049e0353014c379a0c1aeda19329f5da4974cc6f2f7c906f4964586abd682cc867eccecc05f134a4
|
||||
SHA512 (opencryptoki-3.17.0.tar.gz) = 1e80f4cebfffef1b50f3a29577c003e3a3ac68f9c93c3fd49537dad5ab82d02ab54f62fa73e93cd20f2ea1517eb4aa3a0ac167df3597bb801e8781a4162f9d01
|
||||
|
Loading…
Reference in New Issue
Block a user