Related: #1989138, Support for OpenSSL 3.0

Than Ngo 2021-08-26 17:01:37 +02:00
parent 86274e8523
commit d116cb6599
3 changed files with 84 additions and 1 deletions


@ -0,0 +1,41 @@
commit 376e664f082b66de970b62a81588b034fd560d27
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Aug 13 10:54:44 2021 +0200
TESTCASES: Remove RSA public exponent restriction for Soft token
Since commit "Allow small RSA exponents in the default provider"
https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce
in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft
token to RSA public exponents of 3 and 65537 only.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/testcases/common/common.c b/testcases/common/common.c
index 0a64ecf2..abbe354f 100644
--- a/testcases/common/common.c
+++ b/testcases/common/common.c
@@ -16,6 +16,8 @@
#include "pkcs11types.h"
#include "regress.h"
+#define UNUSED(var) ((void)(var))
+
CK_FUNCTION_LIST *funcs;
CK_FUNCTION_LIST_3_0 *funcs3;
CK_INTERFACE *ifs;
@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
/** Returns true if pubexp is valid for Soft Tokens **/
int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
{
- CK_BYTE exp3[] = { 0x03 }; // 3
- CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 }; // 65537
+ UNUSED(pubexp);
+ UNUSED(pubexp_len);
- return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
- || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
+ return TRUE;
}
/** Returns true if slot_id is an ICSF token
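Review bot: The doc comment on is_valid_soft_pubexp still reads as if the helper validates the exponent, but the new body ignores both arguments and returns TRUE for any input, including a zero-length or even-valued exponent. I would reword it to say so and why, e.g. `/** Soft token: no exponent restriction since OpenSSL 3.0 allows small exponents; always returns true **/`. The commit message ties the relaxation to OpenSSL 3.0 only, and nothing in the hunk guards on the OpenSSL version, so it is worth confirming the check is still unnecessary if the test suite is built against an older OpenSSL. The file-scope `UNUSED` macro is added without an `#ifndef UNUSED` guard, which would clash if regress.h or another included header already defines it; those headers are not visible here.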


@ -0,0 +1,37 @@
commit 4dd8a952fc00dd54cce090e4c053de408ba3884b
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Aug 24 10:14:39 2021 +0200
SOFT: Detect unsupported EC curves with OpenSSL 3.0
OpenSSL 3.0 behaves different in reporting an error when an unsupported
EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error
at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns
an error only at EVP_PKEY_keygen().
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 43fd17c3..03767ec8 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -51,6 +51,7 @@
#include <openssl/cmac.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
+#include <openssl/err.h>
#if OPENSSL_VERSION_PREREQ(3, 0)
#include <openssl/core_names.h>
#include <openssl/param_build.h>
@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata,
if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) {
TRACE_ERROR("EVP_PKEY_keygen failed\n");
- rc = CKR_FUNCTION_FAILED;
+ if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE)
+ rc = CKR_CURVE_NOT_SUPPORTED;
+ else
+ rc = CKR_FUNCTION_FAILED;
goto out;
}
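Review bot: The new check in token_specific_ec_generate_keypair compares only `ERR_GET_REASON(...)` with `EC_R_INVALID_CURVE`, but OpenSSL reason codes are scoped per library, so a failure from another library with the same numeric reason would also be returned as CKR_CURVE_NOT_SUPPORTED. I would capture the code once with `unsigned long err = ERR_peek_last_error();` and test both parts: `if (ERR_GET_LIB(err) == ERR_LIB_EC && ERR_GET_REASON(err) == EC_R_INVALID_CURVE)`. Because the queue is only peeked, a stale entry left by an earlier call on this thread could be read if EVP_PKEY_keygen fails without queuing an error; whether the queue is cleared beforehand is not visible, since the function starts and ends outside the hunk. A short comment such as `/* OpenSSL 3.0 reports an unsupported curve only at keygen time */` would also explain why the mapping lives at this call.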


@ -1,7 +1,7 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.16.0 Version: 3.16.0
Release: 11%{?dist} Release: 12%{?dist}
License: CPL License: CPL
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -53,6 +53,8 @@ Patch233: opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch Patch234: opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch Patch235: opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch Patch236: opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
Patch237: opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
Patch238: opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
Requires(pre): coreutils Requires(pre): coreutils
Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted) Requires: (selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
@ -355,6 +357,9 @@ fi
%changelog %changelog
* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
- Related: #1989138, Support for OpenSSL 3.0
* Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11 * Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
- Resolves: #1989138, Support for OpenSSL 3.0 - Resolves: #1989138, Support for OpenSSL 3.0