rpms/opencryptoki
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import opencryptoki-3.15.1-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 11:00:10 -04:00 committed by Stepan Oksanichenko
parent a92f62a7f6
commit d7cd1e49bb
11 changed files with 523 additions and 3670 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/opencryptoki-3.14.0.tar.gz
SOURCES/opencryptoki-3.15.1.tar.gz

2
.opencryptoki.metadata
View File

@ -1 +1 @@
9ddd1bbe34992707b20b314645fd92d35cb298ef SOURCES/opencryptoki-3.14.0.tar.gz
66baf9c90f144bb273964270a39f23fadd86143d SOURCES/opencryptoki-3.15.1.tar.gz

3575
SOURCES/opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
View File

File diff suppressed because it is too large Load Diff

63
SOURCES/opencryptoki-3.14.0-crash-in-c_setpin.patch
View File

@ -1,63 +0,0 @@
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
@@ -57,7 +57,7 @@ void openssl_print_errors()
}
#endif
-RSA *openssl_gen_key()
+RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
{
RSA *rsa;
int rc, counter = 0;
@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
BIGNUM *bne;
#endif
- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
+ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
TSS_HTPM hTPM;
BYTE *random_bytes = NULL;
- UNUSED(tokdata);
-
rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
if (rc) {
TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
@@ -56,7 +56,7 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key();
+RSA *openssl_gen_key(STDLL_TokData_t *);
int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,

22
SOURCES/opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
View File

@ -1,22 +0,0 @@
commit a94436937b6364c53219fb3c7922439f403e8d5e
Author: Harald Freudenberger <freude@linux.ibm.com>
Date: Wed May 27 07:30:33 2020 +0200
Fix missing entries for p11sak tool in template spec file
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
index fa4b9899..ae563406 100644
--- a/rpm/opencryptoki.spec
+++ b/rpm/opencryptoki.spec
@@ -238,7 +238,9 @@ exit 0
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
+%{_sbindir}/p11sak
%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/p11sak.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*

285
SOURCES/opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch Normal file
View File

@ -0,0 +1,285 @@
commit 1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Feb 9 16:22:51 2021 +0100
SOFT: Fix problem with C_Get/SetOperationState and digest contexts
In commit 46829bf986d45262ad45c782c084a3f908f4acb8 the SOFT token was changed
to use OpenSSL's EVP interface for implementing SHA digest. With this change,
the OpenSSL digest context (EVP_MD_CTX) was saved in the DIGEST_CONTEXT's
context field. Since EVP_MD_CTX is opaque, its length is not known, so context_len
was set to 1.
This hinders C_Get/SetOperationState to correctly save and restore the digest
state, since the EVP_MD_CTX is not saved by C_GetOperationState, and
C_SetOperationState also can't restore the digest state, leaving a subsequent
C_DigestUpdate or C_DigestFinal with an invalid EVP_MD_CTX. This most likely
produces a segfault.
Fix this by saving the md_data from within the EVP_MD_CTX after each digest operation,
and restoring md_data on every operation with a fresh initialized EVP_MD_CTX.
Fixes: 46829bf986d45262ad45c782c084a3f908f4acb8
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/soft_stdll/soft_specific.c b/usr/lib/soft_stdll/soft_specific.c
index 0b28daa8..a836efa9 100644
--- a/usr/lib/soft_stdll/soft_specific.c
+++ b/usr/lib/soft_stdll/soft_specific.c
@@ -3104,24 +3104,15 @@ CK_RV token_specific_get_mechanism_info(STDLL_TokData_t *tokdata,
return ock_generic_get_mechanism_info(tokdata, type, pInfo);
}
-CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
- CK_MECHANISM *mech)
+#ifdef OLDER_OPENSSL
+#define EVP_MD_meth_get_app_datasize(md) md->ctx_size
+#define EVP_MD_CTX_md_data(ctx) ctx->md_data
+#endif
+
+static const EVP_MD *md_from_mech(CK_MECHANISM *mech)
{
const EVP_MD *md = NULL;
- UNUSED(tokdata);
-
- ctx->context_len = 1; /* Dummy length, size of EVP_MD_CTX is unknown */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
- ctx->context = (CK_BYTE *)EVP_MD_CTX_create();
-#else
- ctx->context = (CK_BYTE *)EVP_MD_CTX_new();
-#endif
- if (ctx->context == NULL) {
- TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
- return CKR_HOST_MEMORY;
- }
-
switch (mech->mechanism) {
case CKM_SHA_1:
md = EVP_sha1();
@@ -3172,19 +3163,85 @@ CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
break;
}
+ return md;
+}
+
+static EVP_MD_CTX *md_ctx_from_context(DIGEST_CONTEXT *ctx)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *md_ctx;
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ md_ctx = EVP_MD_CTX_create();
+#else
+ md_ctx = EVP_MD_CTX_new();
+#endif
+ if (md_ctx == NULL)
+ return NULL;
+
+ md = md_from_mech(&ctx->mech);
if (md == NULL ||
- !EVP_DigestInit_ex((EVP_MD_CTX *)ctx->context, md, NULL)) {
+ !EVP_DigestInit_ex(md_ctx, md, NULL)) {
+ TRACE_ERROR("md_from_mech or EVP_DigestInit_ex failed\n");
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
- ctx->context = NULL;
- ctx->context_len = 0;
+ return NULL;
+ }
- return CKR_FUNCTION_FAILED;
+ if (ctx->context_len == 0) {
+ ctx->context_len = EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx));
+ ctx->context = malloc(ctx->context_len);
+ if (ctx->context == NULL) {
+ TRACE_ERROR("malloc failed\n");
+ #if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+ #else
+ EVP_MD_CTX_free(md_ctx);
+ #endif
+ ctx->context_len = 0;
+ return NULL;
+ }
+
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+ } else {
+ if (ctx->context_len !=
+ (CK_ULONG)EVP_MD_meth_get_app_datasize(EVP_MD_CTX_md(md_ctx))) {
+ TRACE_ERROR("context size mismatcht\n");
+ return NULL;
+ }
+ /* restore the MD context data */
+ memcpy(EVP_MD_CTX_md_data(md_ctx), ctx->context, ctx->context_len);
}
+ return md_ctx;
+}
+
+CK_RV token_specific_sha_init(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
+ CK_MECHANISM *mech)
+{
+ EVP_MD_CTX *md_ctx;
+
+ UNUSED(tokdata);
+
+ ctx->mech.ulParameterLen = mech->ulParameterLen;
+ ctx->mech.mechanism = mech->mechanism;
+
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3194,6 +3251,7 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3203,11 +3261,18 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data || !out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len) ||
- !EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len) ||
+ !EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3216,10 +3281,11 @@ CK_RV token_specific_sha(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
@@ -3229,6 +3295,8 @@ out:
CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
CK_BYTE *in_data, CK_ULONG in_data_len)
{
+ EVP_MD_CTX *md_ctx;
+
UNUSED(tokdata);
if (!ctx || !ctx->context)
@@ -3237,17 +3305,34 @@ CK_RV token_specific_sha_update(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!in_data)
return CKR_ARGUMENTS_BAD;
- if (!EVP_DigestUpdate((EVP_MD_CTX *)ctx->context, in_data, in_data_len)) {
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (!EVP_DigestUpdate(md_ctx, in_data, in_data_len)) {
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;
return CKR_FUNCTION_FAILED;
}
+ /* Save context data for later use */
+ memcpy(ctx->context, EVP_MD_CTX_md_data(md_ctx), ctx->context_len);
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+ EVP_MD_CTX_destroy(md_ctx);
+#else
+ EVP_MD_CTX_free(md_ctx);
+#endif
+
return CKR_OK;
}
@@ -3256,6 +3341,7 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
{
unsigned int len;
CK_RV rc = CKR_OK;
+ EVP_MD_CTX *md_ctx;
UNUSED(tokdata);
@@ -3265,10 +3351,17 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
if (!out_data)
return CKR_ARGUMENTS_BAD;
- if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size((EVP_MD_CTX *)ctx->context))
+ /* Recreate the OpenSSL MD context from the saved context */
+ md_ctx = md_ctx_from_context(ctx);
+ if (md_ctx == NULL) {
+ TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY));
+ return CKR_HOST_MEMORY;
+ }
+
+ if (*out_data_len < (CK_ULONG)EVP_MD_CTX_size(md_ctx))
return CKR_BUFFER_TOO_SMALL;
- if (!EVP_DigestFinal((EVP_MD_CTX *)ctx->context, out_data, &len)) {
+ if (!EVP_DigestFinal(md_ctx, out_data, &len)) {
rc = CKR_FUNCTION_FAILED;
goto out;
}
@@ -3276,10 +3369,11 @@ CK_RV token_specific_sha_final(STDLL_TokData_t *tokdata, DIGEST_CONTEXT *ctx,
out:
#if OPENSSL_VERSION_NUMBER < 0x10101000L
- EVP_MD_CTX_destroy((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_destroy(md_ctx);
#else
- EVP_MD_CTX_free((EVP_MD_CTX *)ctx->context);
+ EVP_MD_CTX_free(md_ctx);
#endif
+ free(ctx->context);
ctx->context = NULL;
ctx->context_len = 0;

118
SOURCES/opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch Normal file
View File

@ -0,0 +1,118 @@
diff -up opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c
--- opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c.orig 2020-11-26 13:25:41.679655774 +0100
+++ opencryptoki-3.15.1/usr/sbin/p11sak/p11sak.c 2020-11-26 13:26:00.170892352 +0100
@@ -2192,10 +2192,8 @@ static CK_RV confirm_destroy(char **user
while (1){
nread = getline(user_input, &buflen, stdin);
if (nread == -1) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
- rc = -1;
- return rc;
+ printf("User input: EOF\n");
+ return CKR_CANCEL;
}
if (user_input_ok(*user_input)) {
@@ -2210,17 +2208,16 @@ static CK_RV confirm_destroy(char **user
return rc;
}
-
static CK_RV finalize_destroy_object(char *label, CK_SESSION_HANDLE *session,
- CK_OBJECT_HANDLE *hkey)
+ CK_OBJECT_HANDLE *hkey, CK_BBOOL *boolDestroyFlag)
{
char *user_input = NULL;
CK_RV rc = CKR_OK;
rc = confirm_destroy(&user_input, label);
if (rc != CKR_OK) {
- printf("User input failed (error code 0x%lX: %s)\n",
- rc, p11_get_ckr(rc));
+ printf("Skip deleting Key. User input %s\n", p11_get_ckr(rc));
+ rc = CKR_CANCEL;
goto done;
}
@@ -2232,9 +2229,11 @@ static CK_RV finalize_destroy_object(cha
label, rc, p11_get_ckr(rc));
goto done;
}
+ *boolDestroyFlag = CK_TRUE;
printf("DONE - Destroy Object with Label: %s\n", label);
} else if (strncmp(user_input, "n", 1) == 0) {
printf("Skip deleting Key\n");
+ *boolDestroyFlag = CK_FALSE;
} else {
printf("Please just enter (y) for yes or (n) for no.\n");
}
@@ -2254,6 +2253,8 @@ static CK_RV delete_key(CK_SESSION_HANDL
CK_OBJECT_HANDLE hkey;
char *keytype = NULL;
char *label = NULL;
+ CK_BBOOL boolDestroyFlag = CK_FALSE;
+ CK_BBOOL boolSkipFlag = CK_FALSE;
CK_RV rc = CKR_OK;
rc = tok_key_list_init(session, kt, label);
@@ -2290,6 +2291,7 @@ static CK_RV delete_key(CK_SESSION_HANDL
if (*forceAll) {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
printf("Destroy Object with Label: %s\n", label);
+
rc = funcs->C_DestroyObject(session, hkey);
if (rc != CKR_OK) {
printf(
@@ -2297,14 +2299,18 @@ static CK_RV delete_key(CK_SESSION_HANDL
label, rc, p11_get_ckr(rc));
goto done;
}
- printf("DONE - Destroy Object with Label: %s\n", label);
+ boolDestroyFlag = CK_TRUE;
}
} else {
if ((strcmp(rm_label, "") == 0) || (strcmp(rm_label, label) == 0)) {
- rc = finalize_destroy_object(label, &session, &hkey);
+ rc = finalize_destroy_object(label, &session, &hkey, &boolDestroyFlag);
if (rc != CKR_OK) {
goto done;
}
+
+ if (!boolDestroyFlag) {
+ boolSkipFlag = CK_TRUE;
+ }
}
}
@@ -2321,6 +2327,16 @@ static CK_RV delete_key(CK_SESSION_HANDL
done:
+ if (strlen(rm_label) > 0) {
+ if (boolDestroyFlag) {
+ printf("Object with Label: %s found and destroyed \n", rm_label);
+ } else if (boolSkipFlag) {
+ printf("Object with Label: %s not deleted\n", rm_label);
+ } else if (rc == CKR_OK) {
+ printf("Object with Label: %s not found\n", rm_label);
+ }
+ }
+
if (rc != CKR_OK) {
free(label);
free(keytype);
@@ -2494,8 +2510,11 @@ int main(int argc, char *argv[])
/* Execute command */
rc = execute_cmd(session, slot, cmd, kt, keylength, exponent, ECcurve,
label, attr_string, long_print, &forceAll);
- if (rc != CKR_OK) {
- printf("Failed to execute p11sak command (error code 0x%lX: %s)\n", rc,
+ if (rc == CKR_CANCEL) {
+ printf("Cancel execution: p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
+ p11_get_ckr(rc));
+ } else if (rc != CKR_OK) {
+ printf("Failed to execute p11sak %s command (error code 0x%lX: %s)\n", cmd2str(cmd), rc,
p11_get_ckr(rc));
goto done;
}

42
SOURCES/opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch Normal file
View File

@ -0,0 +1,42 @@
From f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43 Mon Sep 17 00:00:00 2001
From: Patrick Steuer <patrick.steuer@de.ibm.com>
Date: Tue, 19 Jan 2021 14:29:57 +0100
Subject: [PATCH] A slot ID has nothing to do with the number of slots
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
---
usr/sbin/pkcscca/pkcscca.c | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index f268f1be..d0bb3160 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -1980,7 +1980,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
{
CK_FUNCTION_LIST *funcs;
CK_KEY_TYPE key_type = 0;
- CK_ULONG slot_count;
CK_SESSION_HANDLE sess;
CK_RV rv;
struct key_count count = { 0, 0, 0, 0, 0, 0, 0 };
@@ -1992,19 +1991,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey)
return 2;
}
- rv = funcs->C_GetSlotList(TRUE, NULL_PTR, &slot_count);
- if (rv != CKR_OK) {
- p11_error("C_GetSlotList", rv);
- exit_code = 3;
- goto finalize;
- }
-
- if (slot_id >= slot_count) {
- print_error("%lu is not a valid slot ID.", slot_id);
- exit_code = 4;
- goto finalize;
- }
-
rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION |
CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess);
if (rv != CKR_OK) {

13
SOURCES/opencryptoki-3.15.1-fix_compiling_with_c++.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up opencryptoki-3.15.1/usr/include/pkcs11types.h.me opencryptoki-3.15.1/usr/include/pkcs11types.h
--- opencryptoki-3.15.1/usr/include/pkcs11types.h.me 2020-11-26 18:33:58.707979547 +0100
+++ opencryptoki-3.15.1/usr/include/pkcs11types.h 2020-11-26 18:35:22.428095872 +0100
@@ -1483,7 +1483,7 @@ typedef CK_FUNCTION_LIST_3_0_PTR CK_PTR
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_IBM_FUNCTION_LIST_1_0;
typedef struct CK_IBM_FUNCTION_LIST_1_0 CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR;
-typedef struct CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
+typedef CK_IBM_FUNCTION_LIST_1_0_PTR CK_PTR CK_IBM_FUNCTION_LIST_1_0_PTR_PTR;
typedef CK_RV (CK_PTR CK_C_Initialize) (CK_VOID_PTR pReserved);
typedef CK_RV (CK_PTR CK_C_Finalize) (CK_VOID_PTR pReserved);
diff -up opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c.me opencryptoki-3.15.1/usr/sbin/pkcstok_migrate/pkcstok_migrate.c

8
SOURCES/opencryptoki.module Normal file
View File

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: libopencryptoki.so

63
SPECS/opencryptoki.spec
View File

@ -1,21 +1,26 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.14.0
Release: 3%{?dist}
Version: 3.15.1
Release: 5%{?dist}
License: CPL
Group: System Environment/Base
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
Patch0: opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
# bz#1780293, fix regression, segfault in C_SetPin
Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
# Fix missing entries for p11sak tool in template spec file
Patch3: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
# bz#1780294, PIN conversion tool
Patch4: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
# upstream fixes
# https://github.com/opencryptoki/opencryptoki/commit/eef7049ce857ee5d5ec64e369a10e05e8bb5c4dd
Patch2: opencryptoki-3.15.1-error_message_handling_for_p11sak_remove-key_command.patch
# https://github.com/opencryptoki/opencryptoki/commit/2d16f003911ceee50967546f4b3c7cac2db9ba86
Patch3: opencryptoki-3.15.1-fix_compiling_with_c++.patch
# https://github.com/opencryptoki/opencryptoki/commit/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
Patch4: opencryptoki-3.15.1-f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
# https://github.com/opencryptoki/opencryptoki/commit/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890
Patch5: opencryptoki-3.15.1-1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
Requires(pre): coreutils
BuildRequires: gcc
BuildRequires: openssl-devel
@ -198,6 +203,7 @@ make %{?_smp_mflags} CHGRP=/bin/true
%install
make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
# Remove unwanted cruft
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
@ -280,6 +286,10 @@ fi
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%files devel
%{_includedir}/%{name}/
@ -336,6 +346,43 @@ fi
%changelog
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4
- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Resolves: #1902022
Fix compiling with c++
Added error message handling for p11sak remove-key command
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Related: #1847433, Added error message handling for p11sak remove-key command
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Related: #1847433
upstream fixes:
- Free generated key in all error cases
- CCA: Zeroize key buffer to avoid CCA 8/32 error
- Do not delete the map-btree entry if destroying an object is not allowed
- Remove now unused header timeb.h
- TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors
- Fix buffer overrun in C_CopyObject
- TPM: Fix double free in openssl_gen_key
* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1
- Resolves: #1847433, rebase to 3.15.0
- Resolves: #1851105, PKCS #11 3.0 - baseline provider support
- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality
- Resolves: #1851109, openCryptoki key management tool: key deletion function
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5
- Related: #1853420, more fixes
* Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- Resolves: #1853420, endian issue
* Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- Resolves: #1780294, PIN conversion tool