From d116cb6599a6ee42fb0e8feeea6eed10a6e6b897 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Thu, 26 Aug 2021 17:01:37 +0200 Subject: [PATCH] Related: #1989138, Support for OpenSSL 3.0 --- ...664f082b66de970b62a81588b034fd560d27.patch | 41 +++++++++++++++++++ ...a952fc00dd54cce090e4c053de408ba3884b.patch | 37 +++++++++++++++++ opencryptoki.spec | 7 +++- 3 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch create mode 100644 opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch diff --git a/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch b/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch new file mode 100644 index 0000000..8c81fe6 --- /dev/null +++ b/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch @@ -0,0 +1,41 @@ +commit 376e664f082b66de970b62a81588b034fd560d27 +Author: Ingo Franzki +Date: Fri Aug 13 10:54:44 2021 +0200 + + TESTCASES: Remove RSA public exponent restriction for Soft token + + Since commit "Allow small RSA exponents in the default provider" + https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce + in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft + token to RSA public exponents of 3 and 65537 only. + + 
Signed-off-by: Ingo Franzki + +diff --git a/testcases/common/common.c b/testcases/common/common.c +index 0a64ecf2..abbe354f 100644 +--- a/testcases/common/common.c ++++ b/testcases/common/common.c +@@ -16,6 +16,8 @@ + #include "pkcs11types.h" + #include "regress.h" + ++#define UNUSED(var) ((void)(var)) ++ + CK_FUNCTION_LIST *funcs; + CK_FUNCTION_LIST_3_0 *funcs3; + CK_INTERFACE *ifs; +@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len) + /** Returns true if pubexp is valid for Soft Tokens **/ + int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len) + { +- CK_BYTE exp3[] = { 0x03 }; // 3 +- CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537 ++ UNUSED(pubexp); ++ UNUSED(pubexp_len); + +- return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1))) +- || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3))); ++ return TRUE; + } + + /** Returns true if slot_id is an ICSF token diff --git a/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch b/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch new file mode 100644 index 0000000..66e0bba --- /dev/null +++ b/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch @@ -0,0 +1,37 @@ +commit 4dd8a952fc00dd54cce090e4c053de408ba3884b +Author: Ingo Franzki +Date: Tue Aug 24 10:14:39 2021 +0200 + + SOFT: Detect unsupported EC curves with OpenSSL 3.0 + + OpenSSL 3.0 behaves different in reporting an error when an unsupported + EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error + at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns + an error only at EVP_PKEY_keygen(). + + 
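Review bot: `is_valid_soft_pubexp` now returns TRUE unconditionally, but the context line above it still reads `/** Returns true if pubexp is valid for Soft Tokens **/`, which no longer describes the helper; change it to something like `/** Soft Token: any RSA public exponent is accepted (OpenSSL 3.0 allows small exponents) **/`. The commit message ties the relaxation to OpenSSL 3.0, so a build against OpenSSL 1.1.1 would now feed the Soft token RSA test vectors it still rejects; if that configuration remains supported, the old exp3/exp65537 comparison could be kept under the `OPENSSL_VERSION_PREREQ(3, 0)` guard this series uses elsewhere. The `UNUSED(var)` macro is introduced in common.c alongside an include of regress.h, so it is worth confirming that header does not already define the same name.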
Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c +index 43fd17c3..03767ec8 100644 +--- a/usr/lib/soft_stdll/soft_specific.c ++++ b/usr/lib/soft_stdll/soft_specific.c +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + #if OPENSSL_VERSION_PREREQ(3, 0) + #include + #include +@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata, + + if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) { + TRACE_ERROR("EVP_PKEY_keygen failed\n"); +- rc = CKR_FUNCTION_FAILED; ++ if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE) ++ rc = CKR_CURVE_NOT_SUPPORTED; ++ else ++ rc = CKR_FUNCTION_FAILED; + goto out; + } + diff --git a/opencryptoki.spec b/opencryptoki.spec index 94ab872..6235217 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,7 +1,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.16.0 -Release: 11%{?dist} +Release: 12%{?dist} License: CPL URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz @@ -53,6 +53,8 @@ Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch +Patch237: opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch +Patch238: opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch Requires(pre): coreutils Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted) @@ -355,6 +357,9 @@ fi %changelog +* Thu Aug 26 2021 Than Ngo - 3.16.0-12 +- Related: #1989138, Support for OpenSSL 3.0 + * Mon Aug 23 2021 Than Ngo - 3.16.0-11 - Resolves: #1989138, Support for OpenSSL 3.0
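Review bot: The new error mapping after `EVP_PKEY_keygen` compares only `ERR_GET_REASON(ERR_peek_last_error())` with `EC_R_INVALID_CURVE`; OpenSSL reason codes are scoped per library, so a numerically equal reason from a different library would be misreported as `CKR_CURVE_NOT_SUPPORTED`. Qualify the check with the library too: `unsigned long err = ERR_peek_last_error();` then `if (ERR_GET_LIB(err) == ERR_LIB_EC && ERR_GET_REASON(err) == EC_R_INVALID_CURVE)`. `ERR_peek_last_error` also returns whatever is newest on the thread's error queue, so a stale entry from an earlier failed call could be picked up unless the queue is cleared before keygen; `token_specific_ec_generate_keypair` begins outside the hunk, so that cannot be confirmed here. The added `#include` line has lost its argument in this rendering and presumably names the OpenSSL error header; confirm against the actual patch file.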