From d536f5aa5076cba1e7f2614578cc648f70bff945 Mon Sep 17 00:00:00 2001 From: Than Ngo Date: Wed, 16 Oct 2024 21:31:55 +0200 Subject: [PATCH] - Resolves: RHEL-58996, update to 3.24.0 - Resolves: RHEL-39004, provide opencryptoki CCA Token also on x86_64 and ppc64le - Resolves: RHEL-43675, openCryptoki cca token RSA OAEP v2.1 support - Resolves: RHEL-43674, openCryptoki CCA token support of Dilithium - Resolves: RHEL-43676, openCryptoki cca token SHA3 support - Resolves: RHEL-24036, support protected keys for extractable keys --- opencryptoki-3.11.0-lockdir.patch | 12 - opencryptoki-3.23-SEC2356-backport-01.patch | 50 -- opencryptoki-3.23-SEC2356-backport-02.patch | 222 ------- opencryptoki-3.23-SEC2356-backport-03.patch | 62 -- opencryptoki-3.23-SEC2356-backport-04.patch | 555 ------------------ opencryptoki-3.23-SEC2356-backport-05.patch | 61 -- opencryptoki-3.23-SEC2356-backport-06.patch | 26 - opencryptoki-3.23-SEC2356-backport-07.patch | 31 - opencryptoki-3.23-SEC2356-backport-08.patch | 306 ---------- opencryptoki-3.23-SEC2356-backport-09.patch | 36 -- opencryptoki-3.23-covcan-part1.patch | 59 -- opencryptoki-3.23-covcan-part2.patch | 73 --- ...or-due-to-incompatible-pointer-types.patch | 66 +++ ....patch => opencryptoki-3.24.0-p11sak.patch | 29 +- opencryptoki.spec | 146 +++-- sources | 2 +- 16 files changed, 155 insertions(+), 1581 deletions(-) delete mode 100644 opencryptoki-3.11.0-lockdir.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-01.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-02.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-03.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-04.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-05.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-06.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-07.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-08.patch delete mode 100644 opencryptoki-3.23-SEC2356-backport-09.patch delete mode 100644 opencryptoki-3.23-covcan-part1.patch delete mode 100644 opencryptoki-3.23-covcan-part2.patch create mode 100644 opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch rename opencryptoki-3.21.0-p11sak.patch => opencryptoki-3.24.0-p11sak.patch (67%) diff --git a/opencryptoki-3.11.0-lockdir.patch b/opencryptoki-3.11.0-lockdir.patch deleted file mode 100644 index 936a654..0000000 --- a/opencryptoki-3.11.0-lockdir.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac ---- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100 -+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100 -@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS]) - - dnl Define custom variables - --lockdir=$localstatedir/lock/opencryptoki -+lockdir=/run/lock/opencryptoki - AC_SUBST(lockdir) - - logdir=$localstatedir/log/opencryptoki diff --git a/opencryptoki-3.23-SEC2356-backport-01.patch b/opencryptoki-3.23-SEC2356-backport-01.patch deleted file mode 100644 index 2ddce4e..0000000 --- a/opencryptoki-3.23-SEC2356-backport-01.patch +++ /dev/null @@ -1,50 +0,0 @@ -commit 2d68f8626d15b9697a29a377a63bbdf35b42ee36 -Author: Joerg Schmidbauer -Date: Tue Feb 13 16:20:06 2024 +0100 - - EP11 pkey option: add new PKEY_MODE parms to ep11 config file - - Add two new parameter values ENABLE4EXTR and ENABLE4ALL to the ep11token - PKEY_MODE config option. Older ep11 card firmware enforces the restriction that - keys can not have CKA_EXTRACTABLE=true and CKA_IBM_PROTKEY_EXTRACTABLE=true at - the same time. With newer card firmware this restriction is removed and a new - control point is introduced to allow checking for this feature. - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11tok.conf b/usr/lib/ep11_stdll/ep11tok.conf -index 19c9963f..afe237b9 100644 ---- a/usr/lib/ep11_stdll/ep11tok.conf -+++ b/usr/lib/ep11_stdll/ep11tok.conf -@@ -104,7 +104,7 @@ - # disabled and additional hardware and firmware prerequisites are met. AES-XTS - # is not supported via the EP11 coprocessor itself. - # --# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR -+# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR | ENABLE4EXTR | ENABLE4ALL - # - # DISABLED : Protected key support disabled. All key operations - # are performed via EP11 coprocessor, even if a -@@ -119,6 +119,22 @@ - # but not CKA_IBM_PROTKEY_EXTRACTABLE, new keys get - # CKA_IBM_PROTKEY_EXTRACTABLE=true internally. - # -+# Control point 75 (XCP_CPB_ALLOW_COMBINED_EXTRACT) must be enabled for all -+# APQNs accessible by the token for the following parameters. -+# -+# ENABLE4EXTR : If the application did not specify -+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys -+# of any type with CKA_EXTRACTABLE=true get -+# CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key -+# is automatically created at first use of the key. -+# -+# ENABLE4ALL : If the application did not specify -+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys -+# of any type, regardless of the CKA_EXTRACTABLE -+# attribute, get CKA_IBM_PROTKEY_EXTRACTABLE=true and -+# a protected key is automatically created at first -+# use of the key. -+# - # -------------------------------------------------------------------------- - # - # Specify the expected wrapping key verification pattern. When specified, all diff --git a/opencryptoki-3.23-SEC2356-backport-02.patch b/opencryptoki-3.23-SEC2356-backport-02.patch deleted file mode 100644 index 09d98ed..0000000 --- a/opencryptoki-3.23-SEC2356-backport-02.patch +++ /dev/null @@ -1,222 +0,0 @@ -commit a6192bb9c3263fb691da87b3a1ed5f66f887b09a -Author: Joerg Schmidbauer -Date: Tue Feb 13 16:35:53 2024 +0100 - - EP11 pkey option: handle new PKEY_MODE parms for new objects - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index d5964a9c..d1efd8c5 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1239,6 +1239,33 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, - return CKR_OK; - } - -+CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl) -+{ -+ CK_ATTRIBUTE *pkey_attr = NULL; -+ CK_BBOOL btrue = CK_TRUE; -+ CK_RV ret; -+ -+ if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) { -+ ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, &btrue, -+ sizeof(CK_BBOOL), &pkey_attr); -+ if (ret != CKR_OK) { -+ TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret); -+ goto done; -+ } -+ ret = template_update_attribute(tmpl, pkey_attr); -+ if (ret != CKR_OK) { -+ TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret); -+ free(pkey_attr); -+ goto done; -+ } -+ } -+ -+ ret = CKR_OK; -+ -+done: -+ return ret; -+} -+ - /** - * This function is called whenever a new object is created. It sets - * attribute CKA_IBM_PROTKEY_EXTRACTABLE according to the PKEY_MODE token -@@ -1254,7 +1281,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - CK_ULONG mode, TEMPLATE *tmpl) - { - ep11_private_data_t *ep11_data = tokdata->private_data; -- CK_ATTRIBUTE *pkey_attr = NULL, *ecp_attr = NULL, *sensitive_attr = NULL; -+ CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL; - CK_BBOOL extractable, sensitive, btrue = CK_TRUE; - CK_BBOOL add_pkey_extractable = CK_FALSE; - CK_RV ret; -@@ -1314,23 +1341,62 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - add_pkey_extractable = CK_TRUE; - break; - } -- - if (add_pkey_extractable) { -- if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) { -- ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, -- (CK_BBOOL *)&btrue, sizeof(CK_BBOOL), -- &pkey_attr); -- if (ret != CKR_OK) { -- TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret); -- goto done; -- } -- ret = template_update_attribute(tmpl, pkey_attr); -- if (ret != CKR_OK) { -- TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret); -- free(pkey_attr); -- goto done; -- } -- } -+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -+ if (ret != CKR_OK) -+ goto done; -+ } -+ break; -+ case PKEY_MODE_ENABLE4EXTR: -+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in -+ * its template, new keys of any type with CKA_EXTRACTABLE=true get -+ * CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is automatically -+ * created at first use of the key. -+ */ -+ switch (class) { -+ case CKO_PUBLIC_KEY: -+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK && -+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl)) -+ add_pkey_extractable = CK_TRUE; -+ /* Note that the explicit parm CKM_ECDSA just tells the -+ * function that it's not AES here. It covers all EC and ED -+ * mechs */ -+ break; -+ default: -+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable); -+ if (ret == CKR_OK && extractable) // Einziger Unterschied: extractable, statt !extractable -+ add_pkey_extractable = CK_TRUE; -+ break; -+ } -+ if (add_pkey_extractable) { -+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -+ if (ret != CKR_OK) -+ goto done; -+ } -+ break; -+ case PKEY_MODE_ENABLE4ALL: -+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in -+ * its template, new keys of any type, regardless of CKA_EXTRACTABLE, -+ * get CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is -+ * automatically created at first use of the key. -+ */ -+ switch (class) { -+ case CKO_PUBLIC_KEY: -+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK && -+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl)) -+ add_pkey_extractable = CK_TRUE; -+ /* Note that the explicit parm CKM_ECDSA just tells the -+ * function that it's not AES here. It covers all EC and ED -+ * mechs */ -+ break; -+ default: -+ add_pkey_extractable = CK_TRUE; -+ break; -+ } -+ if (add_pkey_extractable) { -+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -+ if (ret != CKR_OK) -+ goto done; - } - break; - default: -@@ -12188,6 +12254,10 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, - ep11_data->pkey_mode = PKEY_MODE_DEFAULT; - else if (strcmp(strval, "ENABLE4NONEXTR") == 0) - ep11_data->pkey_mode = PKEY_MODE_ENABLE4NONEXTR; -+ else if (strcmp(strval, "ENABLE4EXTR") == 0) -+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR; -+ else if (strcmp(strval, "ENABLE4ALL") == 0) -+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL; - else { - TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval); - OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' " -@@ -13252,6 +13322,7 @@ typedef struct cp_handler_data { - int first; - size_t max_cp_index; - CK_BBOOL error; -+ CK_BBOOL allow_combined_extract; - } cp_handler_data_t; - - static CK_RV control_point_handler(uint_32 adapter, uint_32 domain, -@@ -13329,6 +13400,27 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain, - } - } - -+ /* Combined extract is only supported if all APQNs support it */ -+ if (max_cp_index < XCP_CPB_ALLOW_COMBINED_EXTRACT || -+ (cp[CP_BYTE_NO(XCP_CPB_ALLOW_COMBINED_EXTRACT)] & -+ CP_BIT_MASK(XCP_CPB_ALLOW_COMBINED_EXTRACT)) == 0) { -+ data->allow_combined_extract = CK_FALSE; -+ -+ if (ep11_data->pkey_mode == PKEY_MODE_ENABLE4EXTR || -+ ep11_data->pkey_mode == PKEY_MODE_ENABLE4ALL) { -+ TRACE_ERROR("Control point setting for adapter %02X.%04X does not " -+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or " -+ "ENABLE4ALL specified in ep11 token config file.\n", -+ adapter, domain); -+ OCK_SYSLOG(LOG_ERR, -+ "Control point setting for adapter %02X.%04X does not " -+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or " -+ "ENABLE4ALL specified in ep11 token config file.\n", -+ adapter, domain); -+ data->error = TRUE; -+ } -+ } -+ - /* Check FIPS-session related CPs for non-FIPS-session mode */ - if (!ep11_data->fips_session_mode) { - if (max_cp_index >= XCP_CPB_ALLOW_NONSESSION && -@@ -13392,6 +13484,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata, - * to older cards default to ON. CPs being OFF disable functionality. - */ - memset(data.combined_cp, 0xff, sizeof(data.combined_cp)); -+ data.allow_combined_extract = CK_TRUE; - data.first = 1; - rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler, - &data); -@@ -13410,6 +13503,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata, - print_control_points(cp, *cp_len, data.max_cp_index); - #endif - -+ if (data.allow_combined_extract == CK_FALSE) -+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 0); -+ else -+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 1); -+ - return data.error ? CKR_DEVICE_ERROR : CKR_OK; - } - -diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h -index deb8f45f..16d3c719 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.h -+++ b/usr/lib/ep11_stdll/ep11_specific.h -@@ -241,6 +241,8 @@ typedef struct { - #define PKEY_MODE_DISABLED 0 - #define PKEY_MODE_DEFAULT 1 - #define PKEY_MODE_ENABLE4NONEXTR 2 -+#define PKEY_MODE_ENABLE4EXTR 3 -+#define PKEY_MODE_ENABLE4ALL 4 - - #define PQC_BYTE_NO(idx) (((idx) - 1) / 8) - #define PQC_BIT_IN_BYTE(idx) (((idx - 1)) % 8) -@@ -278,6 +280,7 @@ typedef struct { - int fips_session_mode; - int optimize_single_ops; - int pkey_mode; -+ volatile int pkey_combined_extract_supported; - volatile int pkey_wrap_supported; - int pkey_wrap_support_checked; - char pkey_mk_vp[PKEY_MK_VP_LENGTH]; diff --git a/opencryptoki-3.23-SEC2356-backport-03.patch b/opencryptoki-3.23-SEC2356-backport-03.patch deleted file mode 100644 index fed6888..0000000 --- a/opencryptoki-3.23-SEC2356-backport-03.patch +++ /dev/null @@ -1,62 +0,0 @@ -commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a -Author: Joerg Schmidbauer -Date: Thu Mar 7 17:42:11 2024 +0100 - - EP11 pkey option: handle new PKEY_MODE parms in eligibility check - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index d1efd8c5..a163587c 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session, - return CK_TRUE; - } - -+/* -+ * Returns true if the given key object is eligible to get a protected key -+ * attribute, false otherwise. -+ */ -+CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data, -+ OBJECT *key_obj) -+{ -+ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported || -+ !object_is_pkey_extractable(key_obj)) { -+ return CK_FALSE; -+ } -+ -+ if (!ep11_data->pkey_combined_extract_supported && -+ object_is_extractable(key_obj)) { -+ return CK_FALSE; -+ } -+ -+ return CK_TRUE; -+} -+ - /** - * Checks if the preconditions for using the related protected key of - * the given secure key object are met. The caller of this routine must -@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, - break; - case PKEY_MODE_DEFAULT: - case PKEY_MODE_ENABLE4NONEXTR: -+ case PKEY_MODE_ENABLE4EXTR: -+ case PKEY_MODE_ENABLE4ALL: - /* Use existing pkeys, re-create invalid pkeys, and also create new - * pkeys for secret/private keys that do not already have one. EC - * public keys that are pkey-extractable, can always be used via CPACF -@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, - if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK) - goto done; - -- if (object_is_extractable(key_obj) || -- !object_is_pkey_extractable(key_obj) || -- object_is_attr_bound(key_obj) || -- !ep11_data->pkey_wrap_supported) { -+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) - goto done; -- } - - if (template_attribute_get_non_empty(key_obj->template, - CKA_IBM_OPAQUE_PKEY, diff --git a/opencryptoki-3.23-SEC2356-backport-04.patch b/opencryptoki-3.23-SEC2356-backport-04.patch deleted file mode 100644 index c57e81a..0000000 --- a/opencryptoki-3.23-SEC2356-backport-04.patch +++ /dev/null @@ -1,555 +0,0 @@ -commit b9e33fced0654aac939182957bf2eba2eda77872 -Author: Joerg Schmidbauer -Date: Wed Feb 21 13:48:15 2024 +0100 - - EP11 pkey option: add NO_PKEY compile option for EP11 token - - On 32-bit s390 platforms, the pkey related assembler code parts won't - compile. Therefore, add NO_PKEY compile switches where necessary. - The NO_PKEY compile switch is already handled in configure.ac. - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index a163587c..114c4ce1 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -60,7 +60,9 @@ - #include - - #include "ep11_specific.h" -+#ifndef NO_PKEY - #include "pkey_utils.h" -+#endif - - CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, - CK_MECHANISM_TYPE_PTR mlist, -@@ -256,11 +258,13 @@ static const version_req_t reencrypt_single_req_versions[] = { - #define NUM_REENCRYPT_SINGLE_REQ (sizeof(reencrypt_single_req_versions) / \ - sizeof(version_req_t)) - -+#ifndef NO_PKEY - static const CK_VERSION ibm_cex7p_cpacf_wrap_support = { .major = 7, .minor = 15 }; - static const version_req_t ibm_cpacf_wrap_req_versions[] = { - { .card_type = 7, .min_firmware_version = &ibm_cex7p_cpacf_wrap_support } - }; - #define NUM_CPACF_WRAP_REQ (sizeof(ibm_cpacf_wrap_req_versions) / sizeof(version_req_t)) -+#endif /* NO_PKEY */ - - static const CK_ULONG ibm_cex_ab_ecdh_api_version = 3; - static const version_req_t ibm_ab_ecdh_req_versions[] = { -@@ -504,6 +508,7 @@ static CK_BBOOL ep11tok_pkey_option_disabled(STDLL_TokData_t *tokdata) - return CK_FALSE; - } - -+#ifndef NO_PKEY - /** - * Callback function used by handle_all_ep11_cards() for creating a protected - * key via the given APQN (adaper,domain). -@@ -1283,6 +1288,7 @@ CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl) - done: - return ret; - } -+#endif /* NO_PKEY */ - - /** - * This function is called whenever a new object is created. It sets -@@ -1299,9 +1305,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - CK_ULONG mode, TEMPLATE *tmpl) - { - ep11_private_data_t *ep11_data = tokdata->private_data; -- CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL; -- CK_BBOOL extractable, sensitive, btrue = CK_TRUE; -- CK_BBOOL add_pkey_extractable = CK_FALSE; -+ CK_ATTRIBUTE *sensitive_attr = NULL; -+ CK_BBOOL sensitive, btrue = CK_TRUE; -+#ifndef NO_PKEY -+ CK_ATTRIBUTE *ecp_attr = NULL; -+ CK_BBOOL extractable, add_pkey_extractable = CK_FALSE; -+#endif - CK_RV ret; - - UNUSED(mode); -@@ -1331,6 +1340,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - } - } - -+#ifndef NO_PKEY - switch (ep11_data->pkey_mode) { - case PKEY_MODE_DISABLED: - /* Nothing to do */ -@@ -1423,6 +1433,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - goto done; - break; - } -+#endif /* NO_PKEY */ - - ret = CKR_OK; - -@@ -1431,6 +1442,19 @@ done: - return ret; - } - -+#ifdef NO_PKEY -+CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) -+{ -+ UNUSED(tokdata); -+ UNUSED(session); -+ UNUSED(hkey); -+ UNUSED(mech); -+ -+ return CK_FALSE; -+} -+#endif /* NO_PKEY */ -+ - static CK_RV check_ab_supported(CK_KEY_TYPE type) { - switch(type) { - case CKK_AES: -@@ -2837,8 +2861,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, - goto error; - } - -+#ifndef NO_PKEY - ep11_data->msa_level = get_msa_level(); - TRACE_INFO("MSA level = %i\n", ep11_data->msa_level); -+#endif - - if (pthread_mutex_init(&ep11_data->raw2key_wrap_blob_mutex, NULL) != 0) { - TRACE_ERROR("Initializing Wrap-Blob lock failed.\n"); -@@ -2847,19 +2873,20 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, - } - ep11_data->raw2key_wrap_blob_l = 0; - -- - if (pthread_mutex_init(&ep11_data->pkey_mutex, NULL) != 0) { - TRACE_ERROR("Initializing PKEY lock failed.\n"); - rc = CKR_CANT_LOCK; - goto error; - } - -+#ifndef NO_PKEY - if (!ep11tok_pkey_option_disabled(tokdata) && - !ep11_data->fips_session_mode) { - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, NULL); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - goto error; - } -+#endif /* NO_PKEY */ - - if (ep11_data->vhsm_mode || ep11_data->fips_session_mode) { - if (pthread_mutex_init(&ep11_data->session_mutex, NULL) != 0) { -@@ -3178,7 +3205,11 @@ static CK_RV import_aes_xts_key(STDLL_TokData_t *tokdata, SESSION *sess, - if (rc != CKR_OK) - goto import_aes_xts_key_end; - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check_aes_xts(tokdata, aes_xts_key_obj, CKM_AES_XTS); -+#else -+ rc = CKR_FUNCTION_NOT_SUPPORTED; -+#endif - if (rc != CKR_OK) { - TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", __func__, rc); - goto import_aes_xts_key_end; -@@ -4562,10 +4593,12 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess, - return rc; - } - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - return rc; -+#endif /* NO_PKEY */ - - memset(blob, 0, sizeof(blob)); - memset(blobreenc, 0, sizeof(blobreenc)); -@@ -4797,10 +4830,12 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session, - goto error; - } - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - goto error; -+#endif /* NO_PKEY */ - - rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len, - MODE_KEYGEN, CKO_SECRET_KEY, ktype, &key_obj); -@@ -4820,7 +4855,11 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session, - - if (mech->mechanism == CKM_AES_XTS_KEY_GEN) { - xts = TRUE; -+#ifndef NO_PKEY - rc = ep11tok_pkey_check_aes_xts(tokdata, key_obj, mech->mechanism); -+#else -+ rc = CKR_FUNCTION_NOT_SUPPORTED; -+#endif - if (rc != CKR_OK) { - TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", - __func__, rc); -@@ -5812,7 +5851,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, - CK_BYTE *out_data, CK_ULONG *out_data_len, - OBJECT *key_obj ) - { -+#ifndef NO_PKEY - SIGN_VERIFY_CONTEXT *ctx = &(session->sign_ctx); -+#endif - CK_RV rc; - size_t keyblobsize = 0; - CK_BYTE *keyblob; -@@ -5826,6 +5867,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, - return rc; - } - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech); - switch (rc) { - case CKR_OK: -@@ -5837,6 +5879,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, - default: - goto done; - } -+#endif /* NO_PKEY */ - - mech.mechanism = CKM_ECDSA; - mech.pParameter = NULL; -@@ -5856,7 +5899,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, - TRACE_INFO("%s rc=0x%lx\n", __func__, rc); - } - -+#ifndef NO_PKEY - done: -+#endif - - return rc; - } -@@ -5866,7 +5911,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, - CK_BYTE *out_data, CK_ULONG out_data_len, - OBJECT *key_obj ) - { -+#ifndef NO_PKEY - SIGN_VERIFY_CONTEXT *ctx = &(session->verify_ctx); -+#endif - CK_RV rc; - CK_BYTE *spki; - size_t spki_len = 0; -@@ -5880,6 +5927,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, - return rc; - } - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech); - switch (rc) { - case CKR_OK: -@@ -5891,6 +5939,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, - default: - goto done; - } -+#endif /* NO_PKEY */ - - mech.mechanism = CKM_ECDSA; - mech.pParameter = NULL; -@@ -5911,7 +5960,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, - TRACE_INFO("%s rc=0x%lx\n", __func__, rc); - } - -+#ifndef NO_PKEY - done: -+#endif - - return rc; - } -@@ -5981,6 +6032,7 @@ CK_RV token_specific_reencrypt_single(STDLL_TokData_t *tokdata, - return rc; - } - -+#ifndef NO_PKEY - /** - * This routine is currently only used when the operation is performed using - * a protected key. Therefore we don't have (and don't need) an ep11 -@@ -6062,6 +6114,7 @@ CK_RV token_specific_aes_xts(STDLL_TokData_t *tokdata, SESSION *session, - return pkey_aes_xts(key_obj, init_v, in_data, in_data_len, - out_data, out_data_len, encrypt, initial, final, iv); - } -+#endif /* NO_PKEY */ - - struct EP11_KYBER_MECH { - CK_MECHANISM mech; -@@ -6829,10 +6882,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t *tokdata, SESSION *session, - goto error; - } - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - goto error; -+#endif /* NO_PKEY */ - - /* Start creating the key object */ - rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len, -@@ -8554,10 +8609,12 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess, - if (rc != CKR_OK) - goto error; - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - goto error; -+#endif /* NO_PKEY */ - - /* Now build the skeleton key. */ - rc = object_mgr_create_skel(tokdata, sess, pPublicKeyTemplate, -@@ -9202,6 +9259,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session, - goto done; - } - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); - switch (rc) { - case CKR_OK: -@@ -9239,6 +9297,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session, - free(ep11_sign_state); - goto done; - } -+#endif /* NO_PKEY */ - - if (mech->mechanism == CKM_IBM_ECDSA_OTHER) { - rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11); -@@ -9340,6 +9399,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, - CK_ULONG in_data_len, CK_BYTE * signature, - CK_ULONG * sig_len) - { -+#ifdef NO_PKEY -+ UNUSED(length_only); -+#endif - CK_RV rc; - SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx; - size_t keyblobsize = 0; -@@ -9355,6 +9417,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, - return rc; - } - -+#ifndef NO_PKEY - if (ctx->pkey_active) { - /* Note that Edwards curves in general are not yet supported in - * opencryptoki. These two special IBM specific ED mechs are only -@@ -9372,6 +9435,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, - } - goto done; /* no ep11 fallback possible */ - } -+#endif /* NO_PKEY */ - - RETRY_SESSION_SINGLE_APQN_START(rc, tokdata) - RETRY_UPDATE_BLOB_START(tokdata, target_info, -@@ -9394,7 +9458,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, - TRACE_INFO("%s rc=0x%lx\n", __func__, rc); - } - -+#ifndef NO_PKEY - done: -+#endif - - object_put(tokdata, key_obj, TRUE); - key_obj = NULL; -@@ -9638,6 +9704,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session, - goto done; - } - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); - switch (rc) { - case CKR_OK: -@@ -9675,6 +9742,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session, - free(ep11_sign_state); - goto done; - } -+#endif /* NO_PKEY */ - - if (mech->mechanism == CKM_IBM_ECDSA_OTHER) { - rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11); -@@ -9787,6 +9855,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, - return rc; - } - -+#ifndef NO_PKEY - if (ctx->pkey_active) { - /* Note that Edwards curves in general are not yet supported in - * opencryptoki. These two special IBM specific ED mechs are only -@@ -9805,6 +9874,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, - } - goto done; /* no ep11 fallback possible */ - } -+#endif /* NO_PKEY */ - - RETRY_SESSION_SINGLE_APQN_START(rc, tokdata) - RETRY_UPDATE_BLOB_START(tokdata, target_info, -@@ -9827,7 +9897,9 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, - TRACE_INFO("%s rc=0x%lx\n", __func__, rc); - } - -+#ifndef NO_PKEY - done: -+#endif - - object_put(tokdata, key_obj, TRUE); - key_obj = NULL; -@@ -10561,6 +10633,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session, - goto error; - } - -+#ifndef NO_PKEY - rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); - switch (rc) { - case CKR_OK: -@@ -10604,6 +10677,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session, - free(ep11_state); - goto done; - } -+#endif /* NO_PKEY */ - - /* - * ep11_state is allocated large enough to hold 2 times the max state blob. -@@ -11150,10 +11224,12 @@ CK_RV ep11tok_unwrap_key(STDLL_TokData_t * tokdata, SESSION * session, - goto done; - } - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - goto error; -+#endif /* NO_PKEY */ - - /* Start creating the key object */ - rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len, -@@ -11878,6 +11954,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, - } - break; - -+#ifndef NO_PKEY - case CKM_IBM_CPACF_WRAP: - if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3) <= 0) { - TRACE_INFO("%s Mech '%s' banned due to host library version\n", -@@ -11895,6 +11972,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, - goto out; - } - break; -+#endif /* NO_PKEY */ - - case CKM_IBM_BTC_DERIVE: - if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3_1) < 0) { -@@ -12268,6 +12346,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, - { - if (strcmp(strval, "DISABLED") == 0) - ep11_data->pkey_mode = PKEY_MODE_DISABLED; -+#ifndef NO_PKEY - else if (strcmp(strval, "DEFAULT") == 0) - ep11_data->pkey_mode = PKEY_MODE_DEFAULT; - else if (strcmp(strval, "ENABLE4NONEXTR") == 0) -@@ -12276,6 +12355,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, - ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR; - else if (strcmp(strval, "ENABLE4ALL") == 0) - ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL; -+#endif /* NO_PKEY */ - else { - TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval); - OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' " -@@ -12456,7 +12536,11 @@ static CK_RV read_adapter_config_file(STDLL_TokData_t * tokdata, - sizeof(ep11_data->token_config_filename) - 1] = '\0'; - - ep11_data->target_list.length = 0; -+#ifndef NO_PKEY - ep11_data->pkey_mode = PKEY_MODE_DEFAULT; -+#else -+ ep11_data->pkey_mode = PKEY_MODE_DISABLED; -+#endif - - /* Default to use default libica library for digests */ - ep11_data->digest_libica = 1; -@@ -14695,10 +14779,12 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, - } - } - -+#ifndef NO_PKEY - /* Ensure the firmware master key verification pattern is available */ - rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); - if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) - return rc; -+#endif /* NO_PKEY */ - - node = new_tmpl->attribute_list; - while (node) { -@@ -14734,6 +14820,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, - goto out; - } - break; -+#ifndef NO_PKEY - case CKA_IBM_PROTKEY_EXTRACTABLE: - if (ep11_data->pkey_wrap_supported) { - rc = add_to_attribute_array(&attributes, &num_attributes, -@@ -14746,6 +14833,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, - } - } - break; -+#endif /* NO_PKEY */ - default: - /* Either non-boolean, or read-only */ - break; -diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk -index 6a1d68be..e543c514 100644 ---- a/usr/lib/ep11_stdll/ep11_stdll.mk -+++ b/usr/lib/ep11_stdll/ep11_stdll.mk -@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \ - usr/lib/common/trace.c usr/lib/common/mech_list.c \ - usr/lib/common/shared_memory.c usr/lib/common/attributes.c \ - usr/lib/common/sw_crypt.c usr/lib/common/profile_obj.c \ -- usr/lib/common/dlist.c usr/lib/common/pkey_utils.c \ -+ usr/lib/common/dlist.c \ - usr/lib/ep11_stdll/new_host.c usr/lib/common/mech_openssl.c \ - usr/lib/ep11_stdll/ep11_specific.c \ - usr/lib/ep11_stdll/ep11_session.c \ -@@ -53,3 +53,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \ - usr/lib/common/pqc_supported.c \ - usr/lib/hsm_mk_change/hsm_mk_change.c \ - usr/lib/common/btree.c usr/lib/common/sess_mgr.c -+ -+if !NO_PKEY -+opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \ -+ usr/lib/common/pkey_utils.c -+endif -diff --git a/usr/lib/ep11_stdll/tok_struct.h b/usr/lib/ep11_stdll/tok_struct.h -index 304e3eb9..17a5bcf0 100644 ---- a/usr/lib/ep11_stdll/tok_struct.h -+++ b/usr/lib/ep11_stdll/tok_struct.h -@@ -115,8 +115,13 @@ token_spec_t token_specific = { - // AES - NULL, // aes_key_gen, - NULL, // aes_xts_key_gen -+#ifndef NO_PKEY - &token_specific_aes_ecb, - &token_specific_aes_cbc, -+#else -+ NULL, // aes_ecb -+ NULL, // aes_cbc -+#endif - NULL, // aes_ctr - NULL, // aes_gcm_init - NULL, // aes_gcm -@@ -125,8 +130,13 @@ token_spec_t token_specific = { - NULL, // aes_ofb - NULL, // aes_cfb - NULL, // aes_mac -+#ifndef NO_PKEY - &token_specific_aes_cmac, - &token_specific_aes_xts, // aes_xts -+#else -+ NULL, // aes_cmac -+ NULL, // aes_xts -+#endif - // DSA - NULL, // dsa_generate_keypair, - NULL, // dsa_sign diff --git a/opencryptoki-3.23-SEC2356-backport-05.patch b/opencryptoki-3.23-SEC2356-backport-05.patch deleted file mode 100644 index 7daf5d0..0000000 --- a/opencryptoki-3.23-SEC2356-backport-05.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 0bdcc661e64950e5ea11d950484631ba90e69426 -Author: Joerg Schmidbauer -Date: Thu Mar 7 17:51:40 2024 +0100 - - EP11 pkey option: consolidate code parts, no logic change - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 114c4ce1..9f855934 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1369,11 +1369,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - add_pkey_extractable = CK_TRUE; - break; - } -- if (add_pkey_extractable) { -- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -- if (ret != CKR_OK) -- goto done; -- } - break; - case PKEY_MODE_ENABLE4EXTR: - /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in -@@ -1396,11 +1391,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - add_pkey_extractable = CK_TRUE; - break; - } -- if (add_pkey_extractable) { -- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -- if (ret != CKR_OK) -- goto done; -- } - break; - case PKEY_MODE_ENABLE4ALL: - /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in -@@ -1421,11 +1411,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - add_pkey_extractable = CK_TRUE; - break; - } -- if (add_pkey_extractable) { -- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -- if (ret != CKR_OK) -- goto done; -- } - break; - default: - TRACE_ERROR("PKEY_MODE %i unsupported.\n", ep11_data->pkey_mode); -@@ -1433,6 +1418,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - goto done; - break; - } -+ -+ if (add_pkey_extractable) { -+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); -+ if (ret != CKR_OK) -+ goto done; -+ } - #endif /* NO_PKEY */ - - ret = CKR_OK; diff --git a/opencryptoki-3.23-SEC2356-backport-06.patch b/opencryptoki-3.23-SEC2356-backport-06.patch deleted file mode 100644 index 5494187..0000000 --- a/opencryptoki-3.23-SEC2356-backport-06.patch +++ /dev/null @@ -1,26 +0,0 @@ -commit 88761bc4bd560801ec8a18b96cc82586dd719ca3 -Author: Joerg Schmidbauer -Date: Tue Mar 12 17:13:33 2024 +0100 - - EP11: add check if protected-key support available at all - - If it is already known that the PKEY wrap is not supported or not - functioning (for whatever reason), then don't report the XTS - mechanisms as supported. - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 9f855934..7850e43f 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -12001,7 +12001,8 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, - - case CKM_AES_XTS: - case CKM_AES_XTS_KEY_GEN: -- if (ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 || -+ if ((ep11_data->pkey_wrap_support_checked && !ep11_data->pkey_wrap_supported) || -+ ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 || - ep11tok_is_mechanism_supported(tokdata, CKM_IBM_CPACF_WRAP) != CKR_OK || - ep11tok_is_mechanism_supported(tokdata, CKM_AES_KEY_GEN) != CKR_OK) { - TRACE_INFO("%s Mech '%s' not suppported\n", __func__, diff --git a/opencryptoki-3.23-SEC2356-backport-07.patch b/opencryptoki-3.23-SEC2356-backport-07.patch deleted file mode 100644 index 7ba6623..0000000 --- a/opencryptoki-3.23-SEC2356-backport-07.patch +++ /dev/null @@ -1,31 +0,0 @@ -commit 99b87ff678abfb71ba05741d1942e8ac723110c8 -Author: Joerg Schmidbauer -Date: Tue Mar 12 17:30:36 2024 +0100 - - EP11: consider combined-extract for XTS pkey check - - Signed-off-by: Joerg Schmidbauer - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 7850e43f..e2c9a77e 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, - CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, - CK_MECHANISM_TYPE type) - { -+ ep11_private_data_t *ep11_data = tokdata->private_data; -+ - if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) { - TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID)); - return CKR_MECHANISM_INVALID; - } - -- if (object_is_extractable(key_obj) || -- !object_is_pkey_extractable(key_obj) || -- object_is_attr_bound(key_obj)) { -+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) { -+ TRACE_ERROR("Key not eligible for pkey support\n"); - return CKR_TEMPLATE_INCONSISTENT; - } - diff --git a/opencryptoki-3.23-SEC2356-backport-08.patch b/opencryptoki-3.23-SEC2356-backport-08.patch deleted file mode 100644 index bdae467..0000000 --- a/opencryptoki-3.23-SEC2356-backport-08.patch +++ /dev/null @@ -1,306 +0,0 @@ -commit 5b20a1454ca464b07e7686340a579d8b1870e572 -Author: Ingo Franzki -Date: Wed Mar 20 08:44:25 2024 +0100 - - EP11: Reject combined extract attribute settings if it is not supported - - In case the control point setting of the adapters do not allow that attributes - CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE are both true, then reject - this with CKR_TEMPLATE_INCONSISTENT. - - The EP11 code would reject that with CKR_FUNCTION_CANCELED, which for EP11 - it means that it violates an internal policy (i.e. control point settings), - but in PKCS#11 this return code has a totally different meaning. So reject - such situations explicitly with the correct return code. - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index e2c9a77e..b5d788bf 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1089,20 +1089,23 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session, - * Returns true if the given key object is eligible to get a protected key - * attribute, false otherwise. - */ --CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data, -- OBJECT *key_obj) -+static CK_RV ep11tok_pkey_obj_eligible_for_pkey_support( -+ ep11_private_data_t *ep11_data, -+ OBJECT *key_obj) - { - if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported || - !object_is_pkey_extractable(key_obj)) { -- return CK_FALSE; -+ return CKR_FUNCTION_NOT_SUPPORTED; - } - - if (!ep11_data->pkey_combined_extract_supported && - object_is_extractable(key_obj)) { -- return CK_FALSE; -+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE " -+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n"); -+ return CKR_TEMPLATE_INCONSISTENT; - } - -- return CK_TRUE; -+ return CKR_OK; - } - - /** -@@ -1176,7 +1179,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, - if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK) - goto done; - -- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) -+ ret = ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj); -+ if (ret != CKR_OK) - goto done; - - if (template_attribute_get_non_empty(key_obj->template, -@@ -1218,11 +1222,14 @@ done: - /** - * Wrapper function around ep11tok_pkey_check for the case where we don't - * have a key object. This function is called externally from new_host.c. -+ * Returns CKR_OK if pkey usage is OK, CKR_FUNCTION_NOT_SUPPORTED if pkey -+ * is not supported, or any other return code in case of an error. In such -+ * cases the calling function should itself return with an error, because -+ * neither the secure key nor the protected key path will work. - */ --CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) -+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) - { -- CK_BBOOL success = CK_FALSE; - size_t keyblobsize = 0; - CK_BYTE *keyblob; - OBJECT *key_obj; -@@ -1232,17 +1239,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, - READ_LOCK); - if (ret != CKR_OK) { - TRACE_ERROR("%s no blob ret=0x%lx\n", __func__, ret); -- return CK_FALSE; -+ return ret; - } - - ret = ep11tok_pkey_check(tokdata, session, key_obj, mech); -- if (ret == CKR_OK) -- success = CK_TRUE; - - object_put(tokdata, key_obj, TRUE); - key_obj = NULL; - -- return success; -+ return ret; - } - - CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, -@@ -1255,7 +1260,8 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, - return CKR_MECHANISM_INVALID; - } - -- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) { -+ if (ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, -+ key_obj) != CKR_OK) { - TRACE_ERROR("Key not eligible for pkey support\n"); - return CKR_TEMPLATE_INCONSISTENT; - } -@@ -1307,10 +1313,10 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - { - ep11_private_data_t *ep11_data = tokdata->private_data; - CK_ATTRIBUTE *sensitive_attr = NULL; -- CK_BBOOL sensitive, btrue = CK_TRUE; -+ CK_BBOOL sensitive, extractable, pkey_extractable, btrue = CK_TRUE; - #ifndef NO_PKEY - CK_ATTRIBUTE *ecp_attr = NULL; -- CK_BBOOL extractable, add_pkey_extractable = CK_FALSE; -+ CK_BBOOL add_pkey_extractable = CK_FALSE; - #endif - CK_RV ret; - -@@ -1341,6 +1347,25 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, - } - } - -+ if (!ep11_data->pkey_combined_extract_supported) { -+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable); -+ if (ret != CKR_OK) -+ extractable = FALSE; -+ -+ ret = template_attribute_get_bool(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, -+ &pkey_extractable); -+ if (ret != CKR_OK) -+ pkey_extractable = FALSE; -+ -+ if (extractable && pkey_extractable) { -+ /* The EP11 call would return CKR_FUNCTION_CANCELED in that case */ -+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE " -+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n"); -+ ret = CKR_TEMPLATE_INCONSISTENT; -+ goto done; -+ } -+ } -+ - #ifndef NO_PKEY - switch (ep11_data->pkey_mode) { - case PKEY_MODE_DISABLED: -diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h -index 16d3c719..9ba28cb8 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.h -+++ b/usr/lib/ep11_stdll/ep11_specific.h -@@ -585,8 +585,8 @@ CK_BBOOL ep11tok_libica_mech_available(STDLL_TokData_t *tokdata, - CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata, - CK_TOKEN_INFO_PTR pInfo); - --CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech); -+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech); - - CK_RV ep11tok_set_operation_state(STDLL_TokData_t *tokdata, SESSION *session); - -diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c -index 299a1d3c..f84d0810 100644 ---- a/usr/lib/ep11_stdll/new_host.c -+++ b/usr/lib/ep11_stdll/new_host.c -@@ -2080,9 +2080,15 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - sess->encr_ctx.multi_init = FALSE; - sess->encr_ctx.multi = FALSE; - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(pMechanism)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - /* In case of a single part encrypt operation we don't need the - * EncryptInit, instead we can use the EncryptSingle which is much - * faster. In case of multi-part operations we are doing the EncryptInit -@@ -2179,9 +2185,16 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - goto done; - } - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, -+ &sess->encr_ctx.mech); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(&sess->encr_ctx.mech)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech, - length_only, sess->encr_ctx.key, - pData, ulDataLen, pEncryptedData, -@@ -2408,9 +2421,15 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - sess->decr_ctx.multi_init = FALSE; - sess->decr_ctx.multi = FALSE; - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(pMechanism)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - /* In case of a single part decrypt operation we don't need the - * DecryptInit, instead we can use the EncryptSingle which is much - * faster. In case of multi-part operations we are doing the DecryptInit -@@ -2508,9 +2527,16 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - goto done; - } - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, -+ &sess->decr_ctx.mech); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(&sess->decr_ctx.mech)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech, - length_only, sess->decr_ctx.key, - pEncryptedData, ulEncryptedDataLen, -@@ -2992,9 +3018,15 @@ CK_RV SC_SignInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - sess->sign_ctx.multi_init = FALSE; - sess->sign_ctx.multi = FALSE; - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(pMechanism)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - /* In case of a single part sign operation we don't need the SignInit, - * instead we can use the SignSingle which is much faster. - * In case of multi-part operations we are doing the SignInit when -@@ -3101,9 +3133,16 @@ CK_RV SC_Sign(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - goto done; - } - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, -+ &sess->sign_ctx.mech); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(&sess->sign_ctx.mech)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, &sess->sign_ctx.mech)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - rc = ep11tok_sign_single(tokdata, sess, &sess->sign_ctx.mech, - length_only, sess->sign_ctx.key, - pData, ulDataLen, pSignature, pulSignatureLen); -@@ -3391,9 +3430,15 @@ CK_RV SC_VerifyInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - sess->verify_ctx.multi_init = FALSE; - sess->verify_ctx.multi = FALSE; - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(pMechanism)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - /* In case of a single part verify operation we don't need the - * VerifyInit, instead we can use the VerifySingle which is much - * faster. In case of multi-part operations we are doing the VerifyInit -@@ -3497,9 +3542,16 @@ CK_RV SC_Verify(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, - goto done; - } - -+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, -+ &sess->verify_ctx.mech); -+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { -+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, -+ but the ep11 fallback can be tried */ -+ goto done; -+ } - if ((ep11tok_optimize_single_ops(tokdata) || - ep11tok_mech_single_only(&sess->verify_ctx.mech)) && -- !ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, &sess->verify_ctx.mech)) { -+ rc == CKR_FUNCTION_NOT_SUPPORTED) { - rc = ep11tok_verify_single(tokdata, sess, &sess->verify_ctx.mech, - sess->verify_ctx.key, pData, ulDataLen, - pSignature, ulSignatureLen); diff --git a/opencryptoki-3.23-SEC2356-backport-09.patch b/opencryptoki-3.23-SEC2356-backport-09.patch deleted file mode 100644 index e3e1974..0000000 --- a/opencryptoki-3.23-SEC2356-backport-09.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 4fefcf517133260a7b63049d3a02c9249fe7776c -Author: Ingo Franzki -Date: Mon Apr 15 09:31:12 2024 +0200 - - EP11: Fix compile error with NO_PKEY defined - - Function signature of ep11tok_pkey_usage_ok() has changed, also change the - code inside the #ifdef NO_PKEY block. - - Fixes: cf978b111205b206c7b3c53f424f7085913c00d0 - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index b5d788bf..e9007a16 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -1460,15 +1460,15 @@ done: - } - - #ifdef NO_PKEY --CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) -+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, -+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) - { - UNUSED(tokdata); - UNUSED(session); - UNUSED(hkey); - UNUSED(mech); - -- return CK_FALSE; -+ return CKR_FUNCTION_NOT_SUPPORTED; - } - #endif /* NO_PKEY */ - diff --git a/opencryptoki-3.23-covcan-part1.patch b/opencryptoki-3.23-covcan-part1.patch deleted file mode 100644 index c2a51d1..0000000 --- a/opencryptoki-3.23-covcan-part1.patch +++ /dev/null @@ -1,59 +0,0 @@ -commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca -Author: Ingo Franzki -Date: Thu Jun 13 11:20:43 2024 +0200 - - COMMON: Fix errors reported by covscan - - Closes: https://github.com/opencryptoki/opencryptoki/issues/782 - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c -index b7e1f78e..fc88cbad 100644 ---- a/usr/lib/common/loadsave.c -+++ b/usr/lib/common/loadsave.c -@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata) - continue; - } - -+ /* size can not be negative if treated as signed int */ -+ if (size >= 0x80000000) { -+ fclose(fp2); -+ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s " -+ "(ignoring it)\n", fname); -+ continue; -+ } -+ - buf = (CK_BYTE *) malloc(size); - if (!buf) { - fclose(fp2); -diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c -index 71402700..4bc19814 100644 ---- a/usr/lib/common/mech_rng.c -+++ b/usr/lib/common/mech_rng.c -@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes) - if (ranfd >= 0) { - do { - rlen = read(ranfd, output + totallen, bytes - totallen); -+ if (rlen <= 0) { -+ close(ranfd); -+ return CKR_FUNCTION_FAILED; -+ } - totallen += rlen; - } while (totallen < bytes); - close(ranfd); -diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c -index 04edc76f..7421d1c5 100644 ---- a/usr/lib/common/pkcs_utils.c -+++ b/usr/lib/common/pkcs_utils.c -@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes) - if (ranfd >= 0) { - do { - rlen = read(ranfd, output + totallen, bytes - totallen); -+ if (rlen <= 0) { -+ close(ranfd); -+ return CKR_FUNCTION_FAILED; -+ } - totallen += rlen; - } while (totallen < bytes); - close(ranfd); diff --git a/opencryptoki-3.23-covcan-part2.patch b/opencryptoki-3.23-covcan-part2.patch deleted file mode 100644 index 49a4991..0000000 --- a/opencryptoki-3.23-covcan-part2.patch +++ /dev/null @@ -1,73 +0,0 @@ -commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02 -Author: Ingo Franzki -Date: Mon Jun 17 09:03:36 2024 +0200 - - ICSF: Fix covscan findings on potential integer overflows - - Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b' - are unsigned types. In case 'b' is larger than 'a', then the subtraction - result may overflow because the result is also treated as unsigned type. - Fix this by using 'if (a > b)' instead. - - Note that in the changed places 'a' is always larger or equal than 'b', - so the overflow does not happen. Still, changing the code to be less - error-prone is a good thing. - - Closes: https://github.com/opencryptoki/opencryptoki/issues/782 - - Suggested-by: Than Ngo - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c -index c3479cf8..1deb129c 100644 ---- a/usr/lib/icsf_stdll/icsf.c -+++ b/usr/lib/icsf_stdll/icsf.c -@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char) - str_len = len; - - memcpy(dest, orig, str_len); -- if ((len - str_len) > 0) -+ if (len > str_len) - memset(dest + str_len, ' ', len - str_len); - } - -diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c -index c617f1e6..6f16ca5e 100644 ---- a/usr/lib/icsf_stdll/icsf_specific.c -+++ b/usr/lib/icsf_stdll/icsf_specific.c -@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata, - goto done; - } - memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len); -- if (input_part_len - remaining > 0) -+ if (input_part_len > remaining) - memcpy(buffer + multi_part_ctx->used_data_len, input_part, - input_part_len - remaining); - -@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata, - goto done; - } - memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len); -- if (input_part_len - remaining > 0) -+ if (input_part_len > remaining) - memcpy(buffer + multi_part_ctx->used_data_len, input_part, - input_part_len - remaining); - -@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata, - } - memcpy(buffer, multi_part_ctx->data, - multi_part_ctx->used_data_len); -- if (out_len - multi_part_ctx->used_data_len > 0) -+ if (out_len > multi_part_ctx->used_data_len) - memcpy(buffer + multi_part_ctx->used_data_len, - (char *)in_data, - out_len - multi_part_ctx->used_data_len); -@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata, - } - memcpy(buffer, multi_part_ctx->data, - multi_part_ctx->used_data_len); -- if (out_len - multi_part_ctx->used_data_len > 0) -+ if (out_len > multi_part_ctx->used_data_len) - memcpy(buffer + multi_part_ctx->used_data_len, - (char *)in_data, - out_len - multi_part_ctx->used_data_len); diff --git a/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch b/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch new file mode 100644 index 0000000..a0b77dd --- /dev/null +++ b/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch @@ -0,0 +1,66 @@ +commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233 +Author: Ingo Franzki +Date: Mon Sep 16 09:16:03 2024 +0200 + + COMMON: Fix compile error due to incompatible pointer types + + usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of + 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] + 4751 | rc = get_sha_size(digest_mech, &mac_len); + + usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of + 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] + 4851 | rc = get_sha_size(digest_mech, &mac_len); + + Closes: https://github.com/opencryptoki/opencryptoki/issues/809 + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c +index 296b5e0a..500b6f91 100644 +--- a/usr/lib/common/mech_openssl.c ++++ b/usr/lib/common/mech_openssl.c +@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, + CK_RV rv = CKR_OK; + CK_BBOOL general = FALSE; + CK_MECHANISM_TYPE digest_mech; ++ CK_ULONG mac_len2; + + if (!ctx || !ctx->context) { + TRACE_ERROR("%s received bad argument(s)\n", __func__); +@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, + return rc; + } + +- rc = get_sha_size(digest_mech, &mac_len); ++ rc = get_sha_size(digest_mech, &mac_len2); + if (rc != CKR_OK) { + TRACE_ERROR("%s get_sha_size failed\n", __func__); + return rc; + } ++ mac_len = mac_len2; + + mdctx = (EVP_MD_CTX *) ctx->context; + +@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, + CK_RV rv = CKR_OK; + CK_BBOOL general = FALSE; + CK_MECHANISM_TYPE digest_mech; ++ CK_ULONG mac_len2; + + if (!ctx || !ctx->context) + return CKR_OPERATION_NOT_INITIALIZED; +@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, + return rc; + } + +- rc = get_sha_size(digest_mech, &mac_len); ++ rc = get_sha_size(digest_mech, &mac_len2); + if (rc != CKR_OK) { + TRACE_ERROR("%s get_sha_size failed\n", __func__); + return rc; + } ++ mac_len = mac_len2; + + if (signature == NULL) { + if (sign) { diff --git a/opencryptoki-3.21.0-p11sak.patch b/opencryptoki-3.24.0-p11sak.patch similarity index 67% rename from opencryptoki-3.21.0-p11sak.patch rename to opencryptoki-3.24.0-p11sak.patch index 197ad52..a730c0b 100644 --- a/opencryptoki-3.21.0-p11sak.patch +++ b/opencryptoki-3.24.0-p11sak.patch @@ -1,23 +1,28 @@ -diff -up opencryptoki-3.21.0/Makefile.am.me opencryptoki-3.21.0/Makefile.am ---- opencryptoki-3.21.0/Makefile.am.me 2023-05-15 17:01:04.932616030 +0200 -+++ opencryptoki-3.21.0/Makefile.am 2023-05-15 17:00:45.732131601 +0200 -@@ -39,15 +39,8 @@ include tools/tools.mk +diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am +--- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200 ++++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200 +@@ -51,20 +51,8 @@ include tools/tools.mk include doc/doc.mk install-data-hook: +-if AIX +- lsgroup $(pkcs_group) > /dev/null || $(GROUPADD) -a pkcs11 +- lsuser $(pkcsslotd_user) > /dev/null || $(USERADD) -g $(pkcs_group) -d $(DESTDIR)$(RUN_PATH)/opencryptoki -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user) +-else - getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group) -- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user) - $(MKDIR_P) $(DESTDIR)/run/opencryptoki/ -- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/ -- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/ -- $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/ +- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d $(RUN_PATH)/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user) +-endif + $(MKDIR_P) $(DESTDIR)$(RUN_PATH)/opencryptoki/ +- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/ +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(RUN_PATH)/opencryptoki/ +- $(CHMOD) 0710 $(DESTDIR)$(RUN_PATH)/opencryptoki/ $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki - $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki - $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki if ENABLE_LIBRARY $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 -@@ -100,7 +93,7 @@ if ENABLE_EP11TOK +@@ -117,7 +105,7 @@ if ENABLE_EP11TOK endif if ENABLE_P11SAK test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true @@ -26,12 +31,12 @@ diff -up opencryptoki-3.21.0/Makefile.am.me opencryptoki-3.21.0/Makefile.am endif if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ -@@ -151,7 +144,7 @@ endif +@@ -168,7 +156,7 @@ endif if ENABLE_DAEMON test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true endif + if !AIX $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d - echo "$(libdir)/opencryptoki" >\ diff --git a/opencryptoki.spec b/opencryptoki.spec index d333c9a..68432c5 100644 --- a/opencryptoki.spec +++ b/opencryptoki.spec @@ -1,55 +1,41 @@ -Name: opencryptoki -Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 -Version: 3.23.0 -Release: 5%{?dist} -License: CPL-1.0 -URL: https://github.com/opencryptoki/opencryptoki -Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz -Source1: opencryptoki.module -# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* -Patch1: opencryptoki-3.11.0-lockdir.patch +Name: opencryptoki +Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 +Version: 3.24.0 +Release: 1%{?dist} +License: CPL-1.0 +URL: https://github.com/opencryptoki/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: opencryptoki.module # fix install problem in buildroot -Patch2: opencryptoki-3.21.0-p11sak.patch +Patch1: opencryptoki-3.24.0-p11sak.patch # upstream patches -# SEC2356-backport -Patch100: opencryptoki-3.23-SEC2356-backport-01.patch -Patch101: opencryptoki-3.23-SEC2356-backport-02.patch -Patch102: opencryptoki-3.23-SEC2356-backport-03.patch -Patch103: opencryptoki-3.23-SEC2356-backport-04.patch -Patch104: opencryptoki-3.23-SEC2356-backport-05.patch -Patch105: opencryptoki-3.23-SEC2356-backport-06.patch -Patch106: opencryptoki-3.23-SEC2356-backport-07.patch -Patch107: opencryptoki-3.23-SEC2356-backport-08.patch -Patch108: opencryptoki-3.23-SEC2356-backport-09.patch -Patch109: opencryptoki-3.23-covcan-part1.patch -Patch110: opencryptoki-3.23-covcan-part2.patch +Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch -Requires(pre): coreutils -Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) -BuildRequires: gcc -BuildRequires: gcc-c++ -BuildRequires: openssl-devel >= 1.1.1 +Requires(pre): coreutils +Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) +BuildRequires: gcc gcc-c++ +BuildRequires: openssl-devel >= 1.1.1 %if 0%{?tmptok} -BuildRequires: trousers-devel +BuildRequires: trousers-devel %endif -BuildRequires: openldap-devel -BuildRequires: autoconf automake libtool -BuildRequires: bison flex -BuildRequires: libcap-devel -BuildRequires: expect -BuildRequires: make -BuildRequires: systemd-rpm-macros +BuildRequires: openldap-devel +BuildRequires: autoconf automake libtool +BuildRequires: bison flex +BuildRequires: libcap-devel +BuildRequires: expect +BuildRequires: make +BuildRequires: systemd-rpm-macros %ifarch s390 s390x -BuildRequires: libica-devel >= 2.3 +BuildRequires: libica-devel >= 3.3 # for /usr/include/libudev.h -BuildRequires: systemd-devel +BuildRequires: systemd-devel %endif -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}(token) -Requires(post): systemd diffutils -Requires(preun): systemd -Requires(postun): systemd +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}(token) +Requires(post): systemd diffutils +Requires(preun): systemd +Requires(postun): systemd %description @@ -62,8 +48,8 @@ This package contains the Slot Daemon (pkcsslotd) and general utilities. %package libs -Summary: The run-time libraries for opencryptoki package -Requires(pre): shadow-utils +Summary: The run-time libraries for opencryptoki package +Requires(pre): shadow-utils %description libs Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -77,8 +63,8 @@ functional. %package devel -Summary: Development files for openCryptoki -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Summary: Development files for openCryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description devel This package contains the development header files for building @@ -86,10 +72,10 @@ opencryptoki and PKCS#11 based applications %package swtok -Summary: The software token implementation for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: The software token implementation for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description swtok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -102,10 +88,10 @@ without any specific cryptographic hardware. %package tpmtok -Summary: Trusted Platform Module (TPM) device support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: Trusted Platform Module (TPM) device support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description tpmtok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -118,10 +104,10 @@ Trusted Platform Module (TPM) devices in the opencryptoki stack. %package icsftok -Summary: ICSF token support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: ICSF token support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description icsftok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -133,12 +119,11 @@ This package brings the necessary libraries and files to support ICSF token in the opencryptoki stack. -%ifarch s390 s390x %package icatok -Summary: ICA cryptographic devices (clear-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: ICA cryptographic devices (clear-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description icatok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -152,10 +137,10 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the "accelerator" or "clear-key" path. %package ccatok -Summary: CCA cryptographic devices (secure-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description ccatok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -169,10 +154,10 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the "co-processor" or "secure-key" path. %package ep11tok -Summary: EP11 cryptographic devices (secure-key) support for opencryptoki -Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} -Requires: %{name}-libs%{?_isa} = %{version}-%{release} -Provides: %{name}(token) +Summary: EP11 cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) %description ep11tok Opencryptoki implements the PKCS#11 specification v2.20 for a set of @@ -184,7 +169,6 @@ This package brings the necessary libraries and files to support EP11 tokens in the opencryptoki stack. The EP11 token is a token that uses the IBM Crypto Express adapters (starting with Crypto Express 4S adapters) configured with Enterprise PKCS#11 (EP11) firmware. -%endif %prep @@ -204,7 +188,7 @@ configured with Enterprise PKCS#11 (EP11) firmware. %ifarch s390 s390x --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate %else - --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate + --disable-icatok --enable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --enable-pkcscca_migrate %endif %make_build CHGRP=/bin/true @@ -266,11 +250,13 @@ fi %{_sbindir}/pkcsslotd %{_sbindir}/pkcsstats %{_sbindir}/pkcshsm_mk_change +%{_sbindir}/pkcstok_admin %{_mandir}/man1/p11sak.1* %{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man1/pkcsconf.1* %{_mandir}/man1/pkcsstats.1* %{_mandir}/man1/pkcshsm_mk_change.1* +%{_mandir}/man1/pkcstok_admin.1* %{_mandir}/man5/policy.conf.5* %{_mandir}/man5/strength.conf.5* %{_mandir}/man5/%{name}.conf.5* @@ -333,6 +319,7 @@ fi %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ +%endif %files ccatok %doc doc/README.cca_stdll @@ -344,6 +331,7 @@ fi %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ +%ifarch s390 s390x %files ep11tok %doc doc/README.ep11_stdll %config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf @@ -360,6 +348,14 @@ fi %changelog +* Wed Oct 16 2024 Than Ngo - 3.24.0-1 +- Resolves: RHEL-58996, update to 3.24.0 +- Resolves: RHEL-39004, provide opencryptoki CCA Token also on x86_64 and ppc64le +- Resolves: RHEL-43675, openCryptoki cca token RSA OAEP v2.1 support +- Resolves: RHEL-43674, openCryptoki CCA token support of Dilithium +- Resolves: RHEL-43676, openCryptoki cca token SHA3 support +- Resolves: RHEL-24036, support protected keys for extractable keys + * Mon Jun 24 2024 Troy Dawson - 3.23.0-5 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index 4e2bf47..8c1e220 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (opencryptoki-3.23.0.tar.gz) = 782a1cc982f715a832aa5808d11c2f4e18e04c4eedb9971053f6601b5f80e6b42f390ac67cc0ec9f4d7e3e37b8dfa9df80e3be56c8cbf664b32629a888002c7e +SHA512 (opencryptoki-3.24.0.tar.gz) = 5a01c44cfd6b1a7021fabf5d0dda8871a8f569377f689109819c992fe4259764023bd76373b08040f1d01264567fceaeff2c43f2852c37f3a48450fe61c96ce7