import CS opencryptoki-3.25.0-4.el9

eabdullin 2025-09-15 12:28:02 +00:00
parent 04181851a0
commit e11bf47e77
12 changed files with 474 additions and 194 deletions

2
.gitignore vendored

@ -1 +1 @@
SOURCES/opencryptoki-3.24.0.tar.gz
SOURCES/opencryptoki-3.25.0.tar.gz


@ -1 +1 @@
598811b208d43bbc12722bd10c7e3a14185d882b SOURCES/opencryptoki-3.24.0.tar.gz
a52c4873734e8e68ae8d599e08d5a55c0b3459ad SOURCES/opencryptoki-3.25.0.tar.gz


@ -1,66 +0,0 @@
commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Sep 16 09:16:03 2024 +0200
COMMON: Fix compile error due to incompatible pointer types
usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of
'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
4751 | rc = get_sha_size(digest_mech, &mac_len);
usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of
'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types]
4851 | rc = get_sha_size(digest_mech, &mac_len);
Closes: https://github.com/opencryptoki/opencryptoki/issues/809
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index 296b5e0a..500b6f91 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
CK_RV rv = CKR_OK;
CK_BBOOL general = FALSE;
CK_MECHANISM_TYPE digest_mech;
+ CK_ULONG mac_len2;
if (!ctx || !ctx->context) {
TRACE_ERROR("%s received bad argument(s)\n", __func__);
@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data,
return rc;
}
- rc = get_sha_size(digest_mech, &mac_len);
+ rc = get_sha_size(digest_mech, &mac_len2);
if (rc != CKR_OK) {
TRACE_ERROR("%s get_sha_size failed\n", __func__);
return rc;
}
+ mac_len = mac_len2;
mdctx = (EVP_MD_CTX *) ctx->context;
@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
CK_RV rv = CKR_OK;
CK_BBOOL general = FALSE;
CK_MECHANISM_TYPE digest_mech;
+ CK_ULONG mac_len2;
if (!ctx || !ctx->context)
return CKR_OPERATION_NOT_INITIALIZED;
@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature,
return rc;
}
- rc = get_sha_size(digest_mech, &mac_len);
+ rc = get_sha_size(digest_mech, &mac_len2);
if (rc != CKR_OK) {
TRACE_ERROR("%s get_sha_size failed\n", __func__);
return rc;
}
+ mac_len = mac_len2;
if (signature == NULL) {
if (sign) {


@ -1,75 +0,0 @@
commit 66a18ffa057565b6bf292e50969ea27ce33b394c
Author: Than Ngo <than@redhat.com>
Date: Tue Oct 29 13:41:23 2024 +0100
Fix resource leak
1. Defect type: RESOURCE_LEAK
4. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: alloc_fn: Storage is returned from allocation function "malloc".
5. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: var_assign: Assigning: "new_key->opaque_attr" = storage returned from "malloc(attrs[0].ulValueLen)".
7. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:748:5: noescape: Resource "new_key->opaque_attr" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
9. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:752:9: leaked_storage: Freeing "new_key" without freeing its pointer field "opaque_attr" leaks the storage that "opaque_attr" points to.
750| if (!new_key->label) {
751| print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
752|-> free(new_key);
753| return 2;
754| }
2. Defect type: RESOURCE_LEAK
15. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1140:5: alloc_arg: "object_mgr_create_skel" allocates memory that is stored into "temp_obj".
21. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1182:5: leaked_storage: Variable "temp_obj" going out of scope leaks the storage it points to.
1180| free(derived_key);
1181|
1182|-> return rc;
1183| }
1184|
Signed-off-by: Than Ngo <than@redhat.com>
diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c
index b59ed852..79ac5b4d 100644
--- a/usr/lib/common/mech_dh.c
+++ b/usr/lib/common/mech_dh.c
@@ -124,6 +124,8 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata,
if (rc != CKR_OK) {
TRACE_ERROR("template_update_attribute failed\n");
free(new_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
return rc;
}
diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
index be8f5218..b062dbfb 100644
--- a/usr/lib/common/mech_ec.c
+++ b/usr/lib/common/mech_ec.c
@@ -1152,6 +1152,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
TRACE_ERROR("template_update_attribute failed\n");
free(value_attr);
free(vallen_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
goto end;
}
@@ -1160,6 +1162,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess,
if (rc != CKR_OK) {
TRACE_ERROR("template_update_attribute failed\n");
free(vallen_attr);
+ object_free(temp_obj);
+ temp_obj = NULL;
goto end;
}
}
diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c
index ffbe3311..a3756c14 100644
--- a/usr/sbin/pkcscca/pkcscca.c
+++ b/usr/sbin/pkcscca/pkcscca.c
@@ -749,6 +749,7 @@ int add_key(CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *attrs, struct key **keys)
new_key->label = malloc(attrs[2].ulValueLen + 1);
if (!new_key->label) {
print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1);
+ free(new_key->opaque_attr);
free(new_key);
return 2;
}


@ -0,0 +1,47 @@
diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in
--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-04 16:59:16.072468667 +0100
+++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-04 17:02:06.151451176 +0100
@@ -1,5 +1,8 @@
# path mode uid gid age
D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ -
d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ -
+d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ -
+z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 -
+z /etc/opencryptoki/strength.conf 0640 root pkcs11 -
d @logdir@ 0770 root @pkcs_group@ -
D @lockdir@ 0770 root @pkcs_group@ -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf
--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/ccatok 770 root pkcs11 -
+d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf
--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/ep11tok 770 root pkcs11 -
+d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf
--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100
@@ -0,0 +1,2 @@
+d /var/lib/opencryptoki/lite 770 root pkcs11 -
+d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf
--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100
@@ -0,0 +1 @@
+d /var/lib/opencryptoki/icsf 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf
--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100
@@ -0,0 +1,3 @@
+# path mode uid gid age
+d /var/lib/opencryptoki/swtok 770 root pkcs11 -
+d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 -
diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf
--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100
@@ -0,0 +1 @@
+d /var/lib/opencryptoki/tpm 770 root pkcs11 -
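Review bot: p11kmip.conf is missing from the `z` entries added to misc/tmpfiles.conf.in, which reset only p11sak_defined_attrs.conf and strength.conf to 0640 root:pkcs11, although the spec's %files list gives p11kmip.conf the same `%attr(0640, root, pkcs11)`. If the `z` lines are what keeps these files group-readable but not world-readable in image mode, add `z /etc/opencryptoki/p11kmip.conf 0640 root pkcs11 -`. The same two lines hard-code the group `pkcs11` where the neighbouring entries use `@pkcs_group@`, so a build configured with another group would get the wrong owner; `@pkcs_group@` keeps them consistent. The per-token files write the mode as `770` while the template uses `0770`; both parse the same, but one spelling is easier to audit.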


@ -0,0 +1,43 @@
commit 003d658322df316a352af591a3d059ca22fc40a3
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 21 11:02:42 2025 +0200
Fix covscan findings
Closes: https://github.com/opencryptoki/opencryptoki/issues/879
Reported-by: Than Ngo <than@redhat.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c
index 9195ff3c..383fb775 100644
--- a/usr/lib/common/mech_aes.c
+++ b/usr/lib/common/mech_aes.c
@@ -4561,6 +4561,11 @@ static CK_RV aeskw_wrap_pad(STDLL_TokData_t *tokdata, SESSION *sess,
* contains exactly eight octets, then prepend the AIV and encrypt
* the resulting 128-bit block using AES in ECB mode.
*/
+ if (in_data_len > AES_KEY_WRAP_BLOCK_SIZE) {
+ TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE));
+ return CKR_DATA_LEN_RANGE;
+ }
+
memmove(buff + AES_KEY_WRAP_BLOCK_SIZE, in_data, in_data_len);
memcpy(buff, aiv, AES_KEY_WRAP_IV_SIZE);
memset(buff + AES_KEY_WRAP_IV_SIZE + in_data_len, 0, padding_len);
diff --git a/usr/sbin/p11sak/p11tool.c b/usr/sbin/p11sak/p11tool.c
index da684f79..5b72b93b 100644
--- a/usr/sbin/p11sak/p11tool.c
+++ b/usr/sbin/p11sak/p11tool.c
@@ -567,6 +567,11 @@ static void p11tool_print_options_help(const struct p11tool_opt *opts,
else
len = snprintf(tmp, sizeof(tmp),"-%c", opt->short_opt);
+ if (len >= (int)sizeof(tmp) || len < 0) {
+ warnx("Error formatting option string. Skipping.\n");
+ continue;
+ }
+
if (opt->arg.type != ARG_TYPE_PLAIN) {
if (opt->arg.required)
snprintf(&tmp[len], sizeof(tmp) - len, " %s", opt->arg.name);
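Review bot: In the p11tool.c hunk the new `warnx()` message ends in `\n`, but warnx() appends a newline itself, so the warning is followed by an empty line; use `warnx("Error formatting option string. Skipping.");`. The added guard covers only the first snprintf(): the `snprintf(&tmp[len], sizeof(tmp) - len, ...)` calls in the following context lines still ignore their return value, so a long `opt->arg.name` is truncated silently there, which is tolerable for help output but deserves a comment. In the mech_aes.c hunk the new `in_data_len > AES_KEY_WRAP_BLOCK_SIZE` check guards the memmove/memset into `buff`, whose declaration is outside the hunk; a comment naming the buffer size the check relies on would make the bound auditable.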


@ -1,6 +1,6 @@
diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am
--- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200
+++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200
diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am
--- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200
+++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200
@@ -51,20 +51,8 @@ include tools/tools.mk
include doc/doc.mk
@ -22,21 +22,26 @@ diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am
if ENABLE_LIBRARY
$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
@@ -117,7 +105,7 @@ if ENABLE_EP11TOK
@@ -117,11 +105,11 @@ if ENABLE_EP11TOK
endif
if ENABLE_P11SAK
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
endif
if ENABLE_P11KMIP
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true
endif
if ENABLE_ICATOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
@@ -168,7 +156,7 @@ endif
@@ -172,7 +160,7 @@ endif
if ENABLE_DAEMON
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
endif
if !AIX
$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d


@ -0,0 +1,176 @@
commit 144456ede9897662eed35ac8415d0ecb1c5907e3
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Aug 13 13:50:24 2025 +0200
PKCSSLOTD: Remove the use of MD5
The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory
path, for easy checking if the same token directory has already been used by
other tokens.
The use of MD5 for this is just historical, and has no security relevance at
all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so
pkcsslotd will fail to start.
Change the code to use SHA256 instead.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
index ec6a489a..fa0db30f 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
@@ -42,11 +42,7 @@
#endif /* DEV */
-#define HASH_SHA1 1
-#define HASH_MD5 2
-#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
-
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest);
+int compute_sha256(char *buf, int buf_size, char *digest);
/********************
* Global Variables *
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index 0c1a5586..d0d85a85 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -27,7 +27,7 @@
#include "configuration.h"
#define OBJ_DIR "TOK_OBJ"
-#define MD5_HASH_SIZE 16
+#define SHA256_HASH_SIZE 32
#define DEF_MANUFID "IBM"
@@ -44,8 +44,8 @@
#define DEF_SLOTDESC "Linux"
#endif
-typedef char md5_hash_entry[MD5_HASH_SIZE];
-md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
+typedef char sha256_hash_entry[SHA256_HASH_SIZE];
+sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region.
int shmid;
@@ -86,27 +86,19 @@ void DumpSharedMemory(void)
}
}
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
+int compute_sha256(char *buf, int buf_size, char *digest)
{
EVP_MD_CTX *md_ctx = NULL;
unsigned int result_size;
int rc;
md_ctx = EVP_MD_CTX_create();
-
- switch (hash_type) {
- case HASH_SHA1:
- rc = EVP_DigestInit(md_ctx, EVP_sha1());
- break;
- case HASH_MD5:
- rc = EVP_DigestInit(md_ctx, EVP_md5());
- break;
- default:
- EVP_MD_CTX_destroy(md_ctx);
+ if (md_ctx == NULL) {
+ fprintf(stderr, "EVP_MD_CTX_create() failed\n");
return -1;
- break;
}
+ rc = EVP_DigestInit(md_ctx, EVP_sha256());
if (rc != 1) {
fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
return -1;
@@ -374,12 +366,12 @@ void run_sanity_checks(void)
}
}
-int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table)
+int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table)
{
int i;
for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) {
- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0)
+ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0)
return 1;
}
@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
mode_t proc_umask;
char *tokdir = psinfo->tokname;
char *tokgroup = psinfo->usergroup;
- char token_md5_hash[MD5_HASH_SIZE];
+ char token_sha256_hash[SHA256_HASH_SIZE];
if (psinfo->present == FALSE)
return 0;
@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
*/
if (!tokdir || strlen(tokdir) == 0) {
/*
- * Build the md5 hash from the dll name prefixed with 'dll:' to
+ * Build the SHA256 hash from the dll name prefixed with 'dll:' to
* check for duplicate tokens with no 'tokname'.
*/
snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location);
- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash);
+ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token in slot %llu!\n",
psinfo->slot_number);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
return 0;
}
@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
return -1;
}
- /* calculate md5 hash from token name */
- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash);
+ /* calculate SHA256 hash from token name */
+ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token name '%s'!\n", tokdir);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
/* Create token specific directory */
/* sprintf checked above */
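Review bot: compute_sha256() returns -1 when EVP_DigestInit() fails without releasing `md_ctx`; the removed `default:` branch called EVP_MD_CTX_destroy() before returning, so the function is expected to clean up its own context. Add `EVP_MD_CTX_destroy(md_ctx);` before that `return -1;`. The rest of the function lies outside the hunk, so its later error paths should be checked the same way. The prototype takes `char *digest` with no length, so a one-line comment on the declaration in pkcsslotd.h stating that the caller must supply at least 32 bytes (SHA256_HASH_SIZE) would document the contract chk_create_tokdir() relies on.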


@ -0,0 +1,12 @@
diff -up opencryptoki-3.25.0/configure.ac.me opencryptoki-3.25.0/configure.ac
--- opencryptoki-3.25.0/configure.ac.me 2025-07-09 16:20:51.825293158 +0200
+++ opencryptoki-3.25.0/configure.ac 2025-07-09 16:23:42.416757050 +0200
@@ -322,7 +322,7 @@ case "${host_os}" in
esac
dnl Define custom variables
-lockdir=${localstatedir}/lock/opencryptoki
+lockdir=/run/lock/opencryptoki
logdir=${localstatedir}/log/opencryptoki
dnl runstatedir is only defined starting from autoconf 2.70


@ -0,0 +1,48 @@
commit 8209874fc0ea78079aa21c386df0f385ee0e5dca
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Jul 9 09:09:32 2025 +0200
COMMON: Fix detection of EC curve not supported by OpenSSL
OpenSSL 3.5 recently changed the behavior in regards of error reporting
with EVP_PKEY_keygen(). When the EC curve is not supported it used to
return error EC_R_INVALID_CURVE as top most entry in the error stack.
Since commit https://github.com/openssl/openssl/commit/72351b0d18078170af270418b2d5e9fc579cb1af
this is no longer the case, instead a generic EVP_R_PROVIDER_KEYMGMT_FAILURE
error is now the top most entry, and EC_R_INVALID_CURVE is the second one.
Make the detection independent of the error reporting and check for the
curve already in curve_nid_from_params().
Closes: https://github.com/opencryptoki/opencryptoki/issues/877
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c
index f29b4946..e1bb6b83 100644
--- a/usr/lib/common/mech_openssl.c
+++ b/usr/lib/common/mech_openssl.c
@@ -1854,6 +1854,7 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len)
{
const unsigned char *oid;
ASN1_OBJECT *obj = NULL;
+ EC_GROUP *grp;
int nid;
oid = params;
@@ -1866,6 +1867,14 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len)
nid = OBJ_obj2nid(obj);
ASN1_OBJECT_free(obj);
+ grp = EC_GROUP_new_by_curve_name(nid);
+ if (grp == NULL) {
+ TRACE_ERROR("curve not supported by OpenSSL.\n");
+ return NID_undef;
+ }
+
+ EC_GROUP_free(grp);
+
return nid;
}
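Review bot: curve_nid_from_params() now calls EC_GROUP_new_by_curve_name() even when OBJ_obj2nid() has returned NID_undef, so an unrecognised OID is traced as "curve not supported by OpenSSL" and the failed lookup likely leaves entries on OpenSSL's error queue. An early `if (nid == NID_undef) return NID_undef;` before the probe keeps the two cases distinct. Whether the failure path also needs `ERR_clear_error();` depends on callers that are outside the hunk, so that should be confirmed. A short comment above the probe saying the group is created only to test that OpenSSL supports the curve, and is freed immediately, would explain the otherwise unused `grp`.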


@ -0,0 +1,2 @@
g pkcs11 - -
u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin


@ -1,21 +1,41 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.24.0
Release: 3%{?dist}
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1
Version: 3.25.0
Release: 4%{?dist}
License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# sysusers.d config file to allow rpm to create users/groups automatically
Source1: opencryptoki.sysusers.conf
# fix install problem in buildroot
Patch1: opencryptoki-3.24.0-p11sak.patch
Patch1: opencryptoki-3.25.0-p11sak.patch
# tmpfiles.d config files for image mode
Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch
# everything using /var/lock should be fixed in the end to use /run/lock
# https://gitlab.com/fedora/bootc/base-images/-/issues/48
Patch3: opencryptoki-lockdir-image-mode.patch
# upstream patches
Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch
Patch3: opencryptoki-3.24.0-resource-leaks.patch
# Fix detection of EC curve not supported by OpenSSL-3.5.x
Patch10: opencryptoki-openssl-3.5.x.patch
# Fix covscan findings, https://github.com/opencryptoki/opencryptoki/pull/880
Patch11: opencryptoki-3.25.0-covscan-findings.patch
# Remove the use of MD5, pkcsslotd crashes in FIPS mode
Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
BuildRequires: gcc gcc-c++
BuildRequires: openssl-devel >= 1.1.1
# testcases require 'openssl' command line tool
BuildRequires: openssl >= 1.1.1
# testcases require 'jq' command line tool
BuildRequires: jq
%if 0%{?tmptok}
BuildRequires: trousers-devel
%endif
@ -25,7 +45,9 @@ BuildRequires: bison flex
BuildRequires: libcap-devel
BuildRequires: expect
BuildRequires: make
# sysusers_create_compat macro
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%ifarch s390 s390x
BuildRequires: libica-devel >= 3.3
# for /usr/include/libudev.h
@ -40,10 +62,10 @@ Requires(postun): systemd
%description
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.
@ -53,10 +75,10 @@ Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils
%description libs
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully
@ -79,10 +101,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description swtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware.
@ -95,10 +117,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description tpmtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack.
@ -111,10 +133,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icsftok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack.
@ -127,14 +149,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the
"accelerator" or "clear-key" path.
%package ccatok
@ -144,14 +166,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ccatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the
"co-processor" or "secure-key" path.
%package ep11tok
@ -161,10 +183,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ep11tok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1
for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770
crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also
brings a software token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses
@ -203,6 +225,32 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%install
%make_install CHGRP=/bin/true
# Install sysusers.d config file
install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf
# Install tmpfiles.d config files
%ifarch s390 s390x
install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/
%endif
%ifarch s390 s390x x86_64 ppc64le
install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/
%endif
%if 0%{?tmptok}
install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/
%endif
install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/
install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/
# convert absolute links to relative links.
rm -f %{buildroot}%{_libdir}/%{name}/methods && ln -fs ../../bin %{buildroot}%{_libdir}/%{name}/methods
rm -f %{buildroot}%{_libdir}/pkcs11/methods && ln -fs ../../bin %{buildroot}%{_libdir}/pkcs11/methods
%check
make check
%pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -214,9 +262,7 @@ if test $1 -gt 1 && test -f %{cfile} ; then
fi
%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
exit 0
%sysusers_create_compat %{SOURCE1}
%post
# restore the config file from %pre
@ -246,11 +292,13 @@ fi
%doc %{_docdir}/%{name}/*.conf
%dir %{_sysconfdir}/%{name}
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11kmip.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/p11kmip
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
@ -260,11 +308,13 @@ fi
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man1/p11kmip.1*
%{_mandir}/man1/pkcsstats.1*
%{_mandir}/man1/pkcshsm_mk_change.1*
%{_mandir}/man1/pkcstok_admin.1*
%{_mandir}/man5/policy.conf.5*
%{_mandir}/man5/strength.conf.5*
%{_mandir}/man5/p11kmip.conf.5*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
%{_mandir}/man7/%{name}.7*
@ -292,6 +342,7 @@ fi
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%{_sysusersdir}/%{name}.sysusers.conf
%files devel
%{_includedir}/%{name}/
@ -302,6 +353,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-swtok.conf
%if 0%{?tmptok}
%files tpmtok
@ -309,6 +361,7 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%{_tmpfilesdir}/%{name}-tpmtok.conf
%endif
%files icsftok
@ -318,6 +371,7 @@ fi
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%{_tmpfilesdir}/%{name}-icsftok.conf
%ifarch s390 s390x
%files icatok
@ -325,6 +379,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%{_tmpfilesdir}/%{name}-icatok.conf
%endif
%ifarch s390 s390x x86_64 ppc64le
@ -337,6 +392,7 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-ccatok.conf
%endif
%ifarch s390 s390x
@ -352,10 +408,42 @@ fi
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%{_tmpfilesdir}/%{name}-ep11tok.conf
%endif
%changelog
* Wed Aug 13 2025 Than Ngo <than@redhat.com> - 3.25.0-4
- Fix pkcsslotd fails to start in FIPS
- Drop tier1 test as it mostly provides duplicate results
- Enable ci test for FIPS mode
Resolves: RHEL-109050
* Mon Jul 21 2025 Than Ngo <than@redhat.com> - 3.25.0-3
- Fix incorrect effective group id of pkcsslotd daemon
- Fix covscan findings
Resolves: RHEL-104602
* Mon Jul 14 2025 Than Ngo <than@redhat.com> - 3.25.0-2
- Related: RHEL-73344, Fix detection of EC curve not supported by OpenSSL-3.5.x
- Related: RHEL-77147, Fix the image mode issue again as bootc expects to use /run/lock
* Fri Jul 04 2025 Than Ngo <than@redhat.com> - 3.25.0-1
- Resolves: RHEL-73344, upgrade openCryptoki
- Resolves: RHEL-90590, basic support of AES-GCM
- Resolves: RHEL-72965, cca token support cipher keys
- Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens
- Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server
- Resolves: RHEL-75762, ep11 token: import and export of secure key objects
- Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys
- Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3
* Wed Apr 09 2025 Than Ngo <than@redhat.com> - 3.24.0-5
- Related: RHEL-77147, opencryptoki doesn't work in image mode
* Wed Mar 19 2025 Than Ngo <than@redhat.com> - 3.24.0-4
- Resolves: RHEL-77147, opencryptoki doesn't work in image mode
* Tue Nov 26 2024 Than Ngo <than@redhat.com> - 3.24.0-3
- Disable ccatok on aarch64
Related: RHEL-50064
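Review bot: The `%files` entries for p11sak_defined_attrs.conf, strength.conf and p11kmip.conf that carry `%verify(not md5 size mtime)` (apparently the new side of that hunk) switch off `rpm -V` digest, size and mtime checks for these files, leaving only owner, group and mode verified. strength.conf and p11sak_defined_attrs.conf hold policy that an administrator may want integrity-checked, and nothing visible on this page says why content verification is suppressed for them. Add a comment above these lines giving the reason, in the style of the existing `# don't touch opencryptoki.conf ...` note in `%pre`, or drop the `%verify` exclusion where it is not needed. Separately, the `# Remove the use of MD5, pkcsslotd crashes in FIPS mode` comment on Patch12 reads differently from the patch's own description, which says pkcsslotd fails to start; matching the wording would avoid confusion when triaging.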