Related: #1989138, Support for OpenSSL 3.0

2021-08-26 17:01:37 +02:00 · 2021-08-26 17:01:37 +02:00 · d116cb6599
commit d116cb6599
parent 86274e8523
3 changed files with 84 additions and 1 deletions
--- a/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
+++ b/opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch
@ -0,0 +1,41 @@
+commit 376e664f082b66de970b62a81588b034fd560d27
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Fri Aug 13 10:54:44 2021 +0200
+
+    TESTCASES: Remove RSA public exponent restriction for Soft token
+    
+    Since commit "Allow small RSA exponents in the default provider"
+    https://github.com/openssl/openssl/commit/254957f768a61c91c14d89566224173d0831c2ce
+    in OpenSSL 3.0, we do no longer need to restrict the tests for the Soft
+    token to RSA public exponents of 3 and 65537 only.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/testcases/common/common.c b/testcases/common/common.c
+index 0a64ecf2..abbe354f 100644
+--- a/testcases/common/common.c
+++ b/testcases/common/common.c
+@@ -16,6 +16,8 @@
+ #include "pkcs11types.h"
+ #include "regress.h"
+ 
+#define UNUSED(var)            ((void)(var))
+
+ CK_FUNCTION_LIST *funcs;
+ CK_FUNCTION_LIST_3_0 *funcs3;
+ CK_INTERFACE *ifs;
+@@ -879,11 +881,10 @@ int is_valid_cca_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
+ /** Returns true if pubexp is valid for Soft Tokens **/
+ int is_valid_soft_pubexp(CK_BYTE pubexp[], CK_ULONG pubexp_len)
+ {
+-    CK_BYTE exp3[] = { 0x03 };  // 3
+-    CK_BYTE exp65537[] = { 0x01, 0x00, 0x01 };  // 65537
+    UNUSED(pubexp);
+    UNUSED(pubexp_len);
+ 
+-    return (pubexp_len == 1 && (!memcmp(pubexp, exp3, 1)))
+-        || (pubexp_len == 3 && (!memcmp(pubexp, exp65537, 3)));
+    return TRUE;
+ }
+ 
+ /** Returns true if slot_id is an ICSF token
--- a/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
+++ b/opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
@ -0,0 +1,37 @@
+commit 4dd8a952fc00dd54cce090e4c053de408ba3884b
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue Aug 24 10:14:39 2021 +0200
+
+    SOFT: Detect unsupported EC curves with OpenSSL 3.0
+    
+    OpenSSL 3.0 behaves different in reporting an error when an unsupported
+    EC curve is used to generate an EC key. OpenSSL 1.1.1 returns an error
+    at EVP_PKEY_CTX_set_ec_paramgen_curve_nid() already, but OpenSSL 3.0 returns
+    an error only at EVP_PKEY_keygen().
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
+index 43fd17c3..03767ec8 100644
+--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
+@@ -51,6 +51,7 @@
+ #include <openssl/cmac.h>
+ #include <openssl/ec.h>
+ #include <openssl/bn.h>
+#include <openssl/err.h>
+ #if OPENSSL_VERSION_PREREQ(3, 0)
+ #include <openssl/core_names.h>
+ #include <openssl/param_build.h>
+@@ -4548,7 +4549,10 @@ CK_RV token_specific_ec_generate_keypair(STDLL_TokData_t *tokdata,
+ 
+     if (EVP_PKEY_keygen(ctx, &ec_pkey) <= 0) {
+         TRACE_ERROR("EVP_PKEY_keygen failed\n");
+-        rc = CKR_FUNCTION_FAILED;
+        if (ERR_GET_REASON(ERR_peek_last_error()) == EC_R_INVALID_CURVE)
+            rc = CKR_CURVE_NOT_SUPPORTED;
+        else
+            rc = CKR_FUNCTION_FAILED;
+         goto out;
+     }
+ 
--- a/opencryptoki.spec
+++ b/opencryptoki.spec
@ -1,7 +1,7 @@
 Name:			opencryptoki
 Summary:		Implementation of the PKCS#11 (Cryptoki) specification v2.11
 Version:		3.16.0
-Release:		11%{?dist}
+Release:		12%{?dist}
 License:		CPL
 URL:			https://github.com/opencryptoki/opencryptoki
 Source0:		https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -53,6 +53,8 @@ Patch233:	opencryptoki-openssl3-7b4177e8557887d196ce77a129d457e817f8cc59.patch
 Patch234:	opencryptoki-openssl3-11a53055b22d590bd3c197908b0ff63f6fd3c520.patch
 Patch235:	opencryptoki-openssl3-c4683eb904238d20cb34a4c7661ffac04901283c.patch
 Patch236:	opencryptoki-openssl3-11196c4d7e221d29f0d385bd48ae4d6023a6e874.patch
+Patch237:	opencryptoki-openssl3-4dd8a952fc00dd54cce090e4c053de408ba3884b.patch
+Patch238:	opencryptoki-openssl3-376e664f082b66de970b62a81588b034fd560d27.patch

 Requires(pre):		coreutils
 Requires: 		(selinux-policy >= 34.1.8-1 if selinux-policy-targeted)
@ -355,6 +357,9 @@ fi


 %changelog
+* Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
+- Related: #1989138, Support for OpenSSL 3.0
+
 * Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
 - Resolves: #1989138, Support for OpenSSL 3.0