From eeda4c4af763e926a180d49564a0596f0572f376 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 4 Dec 2025 12:40:13 +0000 Subject: [PATCH] Import from AlmaLinux stable repository --- .gitignore | 2 +- .opencryptoki.metadata | 2 +- ...ost-library-version-detection-for-ne.patch | 62 ------ ...or-due-to-incompatible-pointer-types.patch | 66 ------- .../opencryptoki-3.24.0-resource-leaks.patch | 75 -------- ...ncryptoki-3.24.0-tmpfiles-image-mode.patch | 47 +++++ ...opencryptoki-3.25.0-covscan-findings.patch | 43 +++++ ...patch => opencryptoki-3.25.0-p11sak.patch} | 17 +- ...3.25.0-reject-using-md5-in-fips-mode.patch | 176 +++++++++++++++++ SOURCES/opencryptoki-lockdir-image-mode.patch | 12 ++ SOURCES/opencryptoki-openssl-3.5.x.patch | 48 +++++ SOURCES/opencryptoki.sysusers.conf | 2 + SPECS/opencryptoki.spec | 181 +++++++++++++----- 13 files changed, 472 insertions(+), 261 deletions(-) delete mode 100644 SOURCES/3.24-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch delete mode 100644 SOURCES/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch delete mode 100644 SOURCES/opencryptoki-3.24.0-resource-leaks.patch create mode 100644 SOURCES/opencryptoki-3.24.0-tmpfiles-image-mode.patch create mode 100644 SOURCES/opencryptoki-3.25.0-covscan-findings.patch rename SOURCES/{opencryptoki-3.24.0-p11sak.patch => opencryptoki-3.25.0-p11sak.patch} (72%) create mode 100644 SOURCES/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch create mode 100644 SOURCES/opencryptoki-lockdir-image-mode.patch create mode 100644 SOURCES/opencryptoki-openssl-3.5.x.patch create mode 100644 SOURCES/opencryptoki.sysusers.conf diff --git a/.gitignore b/.gitignore index 760b746..6694472 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/opencryptoki-3.24.0.tar.gz +SOURCES/opencryptoki-3.25.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index 541ea02..f27e9b1 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -598811b208d43bbc12722bd10c7e3a14185d882b SOURCES/opencryptoki-3.24.0.tar.gz +a52c4873734e8e68ae8d599e08d5a55c0b3459ad SOURCES/opencryptoki-3.25.0.tar.gz diff --git a/SOURCES/3.24-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch b/SOURCES/3.24-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch deleted file mode 100644 index afb740c..0000000 --- a/SOURCES/3.24-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 992b006107dc1be18ef24b77be441c4861d3deee Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Wed, 2 Apr 2025 16:36:45 +0200 -Subject: [PATCH] CCA: Adjust CCA host library version detection for newer CCA - versions - -Newer CCA versions might report the version string with CSUACFV or CSUACFQ -with keyword STATCCA using a different indicator character after the version -information. Ignore the indication character and the remaining data entirely. -Only the version information as such is of interest. - -Signed-off-by: Ingo Franzki ---- - usr/lib/cca_stdll/cca_specific.c | 16 ++++------------ - 1 file changed, 4 insertions(+), 12 deletions(-) - -diff --git a/usr/lib/cca_stdll/cca_specific.c b/usr/lib/cca_stdll/cca_specific.c -index f57e3483..e592cdb6 100644 ---- a/usr/lib/cca_stdll/cca_specific.c -+++ b/usr/lib/cca_stdll/cca_specific.c -@@ -887,14 +887,6 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata) - long return_code, reason_code; - long version_data_length; - long exit_data_len = 0; -- char date[20]; -- -- /* Version data format of CSUACFV is different on non-s390x- platforms */ --#if !defined(__s390__) -- const char *verstrfmt = "%u.%u.%uc %s"; --#else -- const char *verstrfmt = "%u.%u.%uz%s"; --#endif - - /* Get CCA host library version */ - version_data_length = sizeof(version_data); -@@ -910,10 +902,10 @@ static CK_RV cca_get_version(STDLL_TokData_t *tokdata) - /* CSUACFV returns a null-terminated version string */ - TRACE_DEVEL("CCA Version string: %s\n", version_data); - -- if (sscanf((char *)version_data, verstrfmt, -+ if (sscanf((char *)version_data, "%u.%u.%u", - &cca_private->cca_lib_version.ver, - &cca_private->cca_lib_version.rel, -- &cca_private->cca_lib_version.mod, date) != 4) { -+ &cca_private->cca_lib_version.mod) != 3) { - TRACE_ERROR("CCA library version is invalid: %s\n", version_data); - return CKR_FUNCTION_FAILED; - } -@@ -3876,8 +3868,8 @@ static CK_RV cca_get_adapter_version(cca_min_card_version_t *data) - memcpy(ccaversion, &rule_array[CCA_STATCCA_CCA_VERSION_OFFSET], - CCA_STATCCA_CCA_VERSION_LENGTH); - -- if (sscanf(ccaversion, "%d.%d.%02d*", (int *)&adapter_version.ver, -- (int *)&adapter_version.rel, (int *)&adapter_version.mod) != 3) { -+ if (sscanf(ccaversion, "%u.%u.%u", &adapter_version.ver, -+ &adapter_version.rel, &adapter_version.mod) != 3) { - TRACE_ERROR("sscanf of string %s failed, cannot determine CCA card version\n", - ccaversion); - return CKR_FUNCTION_FAILED; --- -2.16.2.windows.1 - diff --git a/SOURCES/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch b/SOURCES/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch deleted file mode 100644 index a0b77dd..0000000 --- a/SOURCES/opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch +++ /dev/null @@ -1,66 +0,0 @@ -commit e58d2086cf9268a1dd2431c64c6bcdd74c2c3233 -Author: Ingo Franzki -Date: Mon Sep 16 09:16:03 2024 +0200 - - COMMON: Fix compile error due to incompatible pointer types - - usr/lib/common/mech_openssl.c:4751:36: error: passing argument 2 of - 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] - 4751 | rc = get_sha_size(digest_mech, &mac_len); - - usr/lib/common/mech_openssl.c:4851:36: error: passing argument 2 of - 'get_sha_size' from incompatible pointer type [-Wincompatible-pointer-types] - 4851 | rc = get_sha_size(digest_mech, &mac_len); - - Closes: https://github.com/opencryptoki/opencryptoki/issues/809 - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c -index 296b5e0a..500b6f91 100644 ---- a/usr/lib/common/mech_openssl.c -+++ b/usr/lib/common/mech_openssl.c -@@ -4731,6 +4731,7 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, - CK_RV rv = CKR_OK; - CK_BBOOL general = FALSE; - CK_MECHANISM_TYPE digest_mech; -+ CK_ULONG mac_len2; - - if (!ctx || !ctx->context) { - TRACE_ERROR("%s received bad argument(s)\n", __func__); -@@ -4748,11 +4749,12 @@ CK_RV openssl_specific_hmac(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *in_data, - return rc; - } - -- rc = get_sha_size(digest_mech, &mac_len); -+ rc = get_sha_size(digest_mech, &mac_len2); - if (rc != CKR_OK) { - TRACE_ERROR("%s get_sha_size failed\n", __func__); - return rc; - } -+ mac_len = mac_len2; - - mdctx = (EVP_MD_CTX *) ctx->context; - -@@ -4833,6 +4835,7 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, - CK_RV rv = CKR_OK; - CK_BBOOL general = FALSE; - CK_MECHANISM_TYPE digest_mech; -+ CK_ULONG mac_len2; - - if (!ctx || !ctx->context) - return CKR_OPERATION_NOT_INITIALIZED; -@@ -4848,11 +4851,12 @@ CK_RV openssl_specific_hmac_final(SIGN_VERIFY_CONTEXT *ctx, CK_BYTE *signature, - return rc; - } - -- rc = get_sha_size(digest_mech, &mac_len); -+ rc = get_sha_size(digest_mech, &mac_len2); - if (rc != CKR_OK) { - TRACE_ERROR("%s get_sha_size failed\n", __func__); - return rc; - } -+ mac_len = mac_len2; - - if (signature == NULL) { - if (sign) { diff --git a/SOURCES/opencryptoki-3.24.0-resource-leaks.patch b/SOURCES/opencryptoki-3.24.0-resource-leaks.patch deleted file mode 100644 index f0c2598..0000000 --- a/SOURCES/opencryptoki-3.24.0-resource-leaks.patch +++ /dev/null @@ -1,75 +0,0 @@ -commit 66a18ffa057565b6bf292e50969ea27ce33b394c -Author: Than Ngo -Date: Tue Oct 29 13:41:23 2024 +0100 - - Fix resource leak - - 1. Defect type: RESOURCE_LEAK - 4. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: alloc_fn: Storage is returned from allocation function "malloc". - 5. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:740:5: var_assign: Assigning: "new_key->opaque_attr" = storage returned from "malloc(attrs[0].ulValueLen)". - 7. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:748:5: noescape: Resource "new_key->opaque_attr" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.] - 9. opencryptoki-3.24.0/usr/sbin/pkcscca/pkcscca.c:752:9: leaked_storage: Freeing "new_key" without freeing its pointer field "opaque_attr" leaks the storage that "opaque_attr" points to. - 750| if (!new_key->label) { - 751| print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1); - 752|-> free(new_key); - 753| return 2; - 754| } - - 2. Defect type: RESOURCE_LEAK - 15. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1140:5: alloc_arg: "object_mgr_create_skel" allocates memory that is stored into "temp_obj". - 21. opencryptoki-3.24.0/usr/lib/common/mech_ec.c:1182:5: leaked_storage: Variable "temp_obj" going out of scope leaks the storage it points to. - 1180| free(derived_key); - 1181| - 1182|-> return rc; - 1183| } - 1184| - - Signed-off-by: Than Ngo - -diff --git a/usr/lib/common/mech_dh.c b/usr/lib/common/mech_dh.c -index b59ed852..79ac5b4d 100644 ---- a/usr/lib/common/mech_dh.c -+++ b/usr/lib/common/mech_dh.c -@@ -124,6 +124,8 @@ CK_RV dh_pkcs_derive(STDLL_TokData_t *tokdata, - if (rc != CKR_OK) { - TRACE_ERROR("template_update_attribute failed\n"); - free(new_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - return rc; - } - -diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c -index be8f5218..b062dbfb 100644 ---- a/usr/lib/common/mech_ec.c -+++ b/usr/lib/common/mech_ec.c -@@ -1152,6 +1152,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - TRACE_ERROR("template_update_attribute failed\n"); - free(value_attr); - free(vallen_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - goto end; - } - -@@ -1160,6 +1162,8 @@ CK_RV ecdh_pkcs_derive(STDLL_TokData_t *tokdata, SESSION *sess, - if (rc != CKR_OK) { - TRACE_ERROR("template_update_attribute failed\n"); - free(vallen_attr); -+ object_free(temp_obj); -+ temp_obj = NULL; - goto end; - } - } -diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c -index ffbe3311..a3756c14 100644 ---- a/usr/sbin/pkcscca/pkcscca.c -+++ b/usr/sbin/pkcscca/pkcscca.c -@@ -749,6 +749,7 @@ int add_key(CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *attrs, struct key **keys) - new_key->label = malloc(attrs[2].ulValueLen + 1); - if (!new_key->label) { - print_error("Malloc of %lu bytes failed!", attrs[2].ulValueLen + 1); -+ free(new_key->opaque_attr); - free(new_key); - return 2; - } diff --git a/SOURCES/opencryptoki-3.24.0-tmpfiles-image-mode.patch b/SOURCES/opencryptoki-3.24.0-tmpfiles-image-mode.patch new file mode 100644 index 0000000..3f39f14 --- /dev/null +++ b/SOURCES/opencryptoki-3.24.0-tmpfiles-image-mode.patch @@ -0,0 +1,47 @@ +diff -up opencryptoki-3.24.0/misc/tmpfiles.conf.in.me opencryptoki-3.24.0/misc/tmpfiles.conf.in +--- opencryptoki-3.24.0/misc/tmpfiles.conf.in.me 2025-02-04 16:59:16.072468667 +0100 ++++ opencryptoki-3.24.0/misc/tmpfiles.conf.in 2025-02-04 17:02:06.151451176 +0100 +@@ -1,5 +1,8 @@ + # path mode uid gid age + D /run/opencryptoki 710 @pkcsslotd_user@ @pkcs_group@ - + d @localstatedir@/lib/opencryptoki 0770 root @pkcs_group@ - ++d @localstatedir@/lib/opencryptoki/HSM_MK_CHANGE 770 root @pkcs_group@ - ++z /etc/opencryptoki/p11sak_defined_attrs.conf 0640 root pkcs11 - ++z /etc/opencryptoki/strength.conf 0640 root pkcs11 - + d @logdir@ 0770 root @pkcs_group@ - + D @lockdir@ 0770 root @pkcs_group@ - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-ccatok.conf opencryptoki-3.24.0/opencryptoki-ccatok.conf +--- opencryptoki-3.24.0.me/opencryptoki-ccatok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-ccatok.conf 2025-03-12 15:40:01.270065049 +0100 +@@ -0,0 +1,2 @@ ++d /var/lib/opencryptoki/ccatok 770 root pkcs11 - ++d /var/lib/opencryptoki/ccatok/TOK_OBJ 770 root pkcs11 - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf opencryptoki-3.24.0/opencryptoki-ep11tok.conf +--- opencryptoki-3.24.0.me/opencryptoki-ep11tok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-ep11tok.conf 2025-03-12 15:40:01.270122658 +0100 +@@ -0,0 +1,2 @@ ++d /var/lib/opencryptoki/ep11tok 770 root pkcs11 - ++d /var/lib/opencryptoki/ep11tok/TOK_OBJ 770 root pkcs11 - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-icatok.conf opencryptoki-3.24.0/opencryptoki-icatok.conf +--- opencryptoki-3.24.0.me/opencryptoki-icatok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-icatok.conf 2025-03-12 15:40:01.270168936 +0100 +@@ -0,0 +1,2 @@ ++d /var/lib/opencryptoki/lite 770 root pkcs11 - ++d /var/lib/opencryptoki/lite/TOK_OBJ 770 root pkcs11 - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-icsftok.conf opencryptoki-3.24.0/opencryptoki-icsftok.conf +--- opencryptoki-3.24.0.me/opencryptoki-icsftok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-icsftok.conf 2025-03-12 15:40:01.270213441 +0100 +@@ -0,0 +1 @@ ++d /var/lib/opencryptoki/icsf 770 root pkcs11 - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-swtok.conf opencryptoki-3.24.0/opencryptoki-swtok.conf +--- opencryptoki-3.24.0.me/opencryptoki-swtok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-swtok.conf 2025-03-12 15:40:01.270256492 +0100 +@@ -0,0 +1,3 @@ ++# path mode uid gid age ++d /var/lib/opencryptoki/swtok 770 root pkcs11 - ++d /var/lib/opencryptoki/swtok/TOK_OBJ 770 root pkcs11 - +diff -Nur opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf opencryptoki-3.24.0/opencryptoki-tpmtok.conf +--- opencryptoki-3.24.0.me/opencryptoki-tpmtok.conf 1970-01-01 01:00:00.000000000 +0100 ++++ opencryptoki-3.24.0/opencryptoki-tpmtok.conf 2025-03-12 15:40:01.270339921 +0100 +@@ -0,0 +1 @@ ++d /var/lib/opencryptoki/tpm 770 root pkcs11 - diff --git a/SOURCES/opencryptoki-3.25.0-covscan-findings.patch b/SOURCES/opencryptoki-3.25.0-covscan-findings.patch new file mode 100644 index 0000000..6a2e866 --- /dev/null +++ b/SOURCES/opencryptoki-3.25.0-covscan-findings.patch @@ -0,0 +1,43 @@ +commit 003d658322df316a352af591a3d059ca22fc40a3 +Author: Ingo Franzki +Date: Mon Jul 21 11:02:42 2025 +0200 + + Fix covscan findings + + Closes: https://github.com/opencryptoki/opencryptoki/issues/879 + + Reported-by: Than Ngo + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/common/mech_aes.c b/usr/lib/common/mech_aes.c +index 9195ff3c..383fb775 100644 +--- a/usr/lib/common/mech_aes.c ++++ b/usr/lib/common/mech_aes.c +@@ -4561,6 +4561,11 @@ static CK_RV aeskw_wrap_pad(STDLL_TokData_t *tokdata, SESSION *sess, + * contains exactly eight octets, then prepend the AIV and encrypt + * the resulting 128-bit block using AES in ECB mode. + */ ++ if (in_data_len > AES_KEY_WRAP_BLOCK_SIZE) { ++ TRACE_ERROR("%s\n", ock_err(ERR_DATA_LEN_RANGE)); ++ return CKR_DATA_LEN_RANGE; ++ } ++ + memmove(buff + AES_KEY_WRAP_BLOCK_SIZE, in_data, in_data_len); + memcpy(buff, aiv, AES_KEY_WRAP_IV_SIZE); + memset(buff + AES_KEY_WRAP_IV_SIZE + in_data_len, 0, padding_len); +diff --git a/usr/sbin/p11sak/p11tool.c b/usr/sbin/p11sak/p11tool.c +index da684f79..5b72b93b 100644 +--- a/usr/sbin/p11sak/p11tool.c ++++ b/usr/sbin/p11sak/p11tool.c +@@ -567,6 +567,11 @@ static void p11tool_print_options_help(const struct p11tool_opt *opts, + else + len = snprintf(tmp, sizeof(tmp),"-%c", opt->short_opt); + ++ if (len >= (int)sizeof(tmp) || len < 0) { ++ warnx("Error formatting option string. Skipping.\n"); ++ continue; ++ } ++ + if (opt->arg.type != ARG_TYPE_PLAIN) { + if (opt->arg.required) + snprintf(&tmp[len], sizeof(tmp) - len, " %s", opt->arg.name); diff --git a/SOURCES/opencryptoki-3.24.0-p11sak.patch b/SOURCES/opencryptoki-3.25.0-p11sak.patch similarity index 72% rename from SOURCES/opencryptoki-3.24.0-p11sak.patch rename to SOURCES/opencryptoki-3.25.0-p11sak.patch index a730c0b..0fd3a84 100644 --- a/SOURCES/opencryptoki-3.24.0-p11sak.patch +++ b/SOURCES/opencryptoki-3.25.0-p11sak.patch @@ -1,6 +1,6 @@ -diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am ---- opencryptoki-3.24.0/Makefile.am.me 2024-09-12 12:53:05.023882913 +0200 -+++ opencryptoki-3.24.0/Makefile.am 2024-09-12 12:55:34.366644836 +0200 +diff -up opencryptoki-3.25.0/Makefile.am.me opencryptoki-3.25.0/Makefile.am +--- opencryptoki-3.25.0/Makefile.am.me 2025-06-10 08:52:39.000000000 +0200 ++++ opencryptoki-3.25.0/Makefile.am 2025-06-10 15:32:06.974976310 +0200 @@ -51,20 +51,8 @@ include tools/tools.mk include doc/doc.mk @@ -22,21 +22,26 @@ diff -up opencryptoki-3.24.0/Makefile.am.me opencryptoki-3.24.0/Makefile.am if ENABLE_LIBRARY $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 -@@ -117,7 +105,7 @@ if ENABLE_EP11TOK +@@ -117,11 +105,11 @@ if ENABLE_EP11TOK endif if ENABLE_P11SAK test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + endif + if ENABLE_P11KMIP + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11kmip/p11kmip.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11kmip.conf || true endif if ENABLE_ICATOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ -@@ -168,7 +156,7 @@ endif +@@ -172,7 +160,7 @@ endif if ENABLE_DAEMON test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true - test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true -+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true endif if !AIX $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d diff --git a/SOURCES/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch b/SOURCES/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch new file mode 100644 index 0000000..29b29ca --- /dev/null +++ b/SOURCES/opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch @@ -0,0 +1,176 @@ +commit 144456ede9897662eed35ac8415d0ecb1c5907e3 +Author: Ingo Franzki +Date: Wed Aug 13 13:50:24 2025 +0200 + + PKCSSLOTD: Remove the use of MD5 + + The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory + path, for easy checking if the same token directory has already been used by + other tokens. + + The use of MD5 for this is just historical, and has no security relevance at + all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so + pkcsslotd will fail to start. + + Change the code to use SHA256 instead. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h +index ec6a489a..fa0db30f 100644 +--- a/usr/sbin/pkcsslotd/pkcsslotd.h ++++ b/usr/sbin/pkcsslotd/pkcsslotd.h +@@ -42,11 +42,7 @@ + + #endif /* DEV */ + +-#define HASH_SHA1 1 +-#define HASH_MD5 2 +-#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c) +- +-int compute_hash(int hash_type, int buf_size, char *buf, char *digest); ++int compute_sha256(char *buf, int buf_size, char *digest); + + /******************** + * Global Variables * +diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c +index 0c1a5586..d0d85a85 100644 +--- a/usr/sbin/pkcsslotd/slotmgr.c ++++ b/usr/sbin/pkcsslotd/slotmgr.c +@@ -27,7 +27,7 @@ + #include "configuration.h" + + #define OBJ_DIR "TOK_OBJ" +-#define MD5_HASH_SIZE 16 ++#define SHA256_HASH_SIZE 32 + + #define DEF_MANUFID "IBM" + +@@ -44,8 +44,8 @@ + #define DEF_SLOTDESC "Linux" + #endif + +-typedef char md5_hash_entry[MD5_HASH_SIZE]; +-md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED]; ++typedef char sha256_hash_entry[SHA256_HASH_SIZE]; ++sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED]; + + Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region. + int shmid; +@@ -86,27 +86,19 @@ void DumpSharedMemory(void) + } + } + +-int compute_hash(int hash_type, int buf_size, char *buf, char *digest) ++int compute_sha256(char *buf, int buf_size, char *digest) + { + EVP_MD_CTX *md_ctx = NULL; + unsigned int result_size; + int rc; + + md_ctx = EVP_MD_CTX_create(); +- +- switch (hash_type) { +- case HASH_SHA1: +- rc = EVP_DigestInit(md_ctx, EVP_sha1()); +- break; +- case HASH_MD5: +- rc = EVP_DigestInit(md_ctx, EVP_md5()); +- break; +- default: +- EVP_MD_CTX_destroy(md_ctx); ++ if (md_ctx == NULL) { ++ fprintf(stderr, "EVP_MD_CTX_create() failed\n"); + return -1; +- break; + } + ++ rc = EVP_DigestInit(md_ctx, EVP_sha256()); + if (rc != 1) { + fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc); + return -1; +@@ -374,12 +366,12 @@ void run_sanity_checks(void) + } + } + +-int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table) ++int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table) + { + int i; + + for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) { +- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0) ++ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0) + return 1; + } + +@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) + mode_t proc_umask; + char *tokdir = psinfo->tokname; + char *tokgroup = psinfo->usergroup; +- char token_md5_hash[MD5_HASH_SIZE]; ++ char token_sha256_hash[SHA256_HASH_SIZE]; + + if (psinfo->present == FALSE) + return 0; +@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) + */ + if (!tokdir || strlen(tokdir) == 0) { + /* +- * Build the md5 hash from the dll name prefixed with 'dll:' to ++ * Build the SHA256 hash from the dll name prefixed with 'dll:' to + * check for duplicate tokens with no 'tokname'. + */ + snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location); +- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash); ++ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash); + if (rc) { +- fprintf(stderr, "Error calculating MD5 of token name!\n"); ++ fprintf(stderr, "Error calculating SHA256 of token name!\n"); + return -1; + } + + /* check for duplicate token names */ +- if (is_duplicate(token_md5_hash, tokname_hash_table)) { ++ if (is_duplicate(token_sha256_hash, tokname_hash_table)) { + fprintf(stderr, "Duplicate token in slot %llu!\n", + psinfo->slot_number); + return -1; + } + + /* add entry into hash table */ +- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash, +- MD5_HASH_SIZE); ++ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash, ++ SHA256_HASH_SIZE); + + return 0; + } +@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo) + return -1; + } + +- /* calculate md5 hash from token name */ +- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash); ++ /* calculate SHA256 hash from token name */ ++ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash); + if (rc) { +- fprintf(stderr, "Error calculating MD5 of token name!\n"); ++ fprintf(stderr, "Error calculating SHA256 of token name!\n"); + return -1; + } + /* check for duplicate token names */ +- if (is_duplicate(token_md5_hash, tokname_hash_table)) { ++ if (is_duplicate(token_sha256_hash, tokname_hash_table)) { + fprintf(stderr, "Duplicate token name '%s'!\n", tokdir); + return -1; + } + + /* add entry into hash table */ +- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash, +- MD5_HASH_SIZE); ++ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash, ++ SHA256_HASH_SIZE); + + /* Create token specific directory */ + /* sprintf checked above */ diff --git a/SOURCES/opencryptoki-lockdir-image-mode.patch b/SOURCES/opencryptoki-lockdir-image-mode.patch new file mode 100644 index 0000000..0393ccd --- /dev/null +++ b/SOURCES/opencryptoki-lockdir-image-mode.patch @@ -0,0 +1,12 @@ +diff -up opencryptoki-3.25.0/configure.ac.me opencryptoki-3.25.0/configure.ac +--- opencryptoki-3.25.0/configure.ac.me 2025-07-09 16:20:51.825293158 +0200 ++++ opencryptoki-3.25.0/configure.ac 2025-07-09 16:23:42.416757050 +0200 +@@ -322,7 +322,7 @@ case "${host_os}" in + esac + + dnl Define custom variables +-lockdir=${localstatedir}/lock/opencryptoki ++lockdir=/run/lock/opencryptoki + logdir=${localstatedir}/log/opencryptoki + + dnl runstatedir is only defined starting from autoconf 2.70 diff --git a/SOURCES/opencryptoki-openssl-3.5.x.patch b/SOURCES/opencryptoki-openssl-3.5.x.patch new file mode 100644 index 0000000..e6dcb3a --- /dev/null +++ b/SOURCES/opencryptoki-openssl-3.5.x.patch @@ -0,0 +1,48 @@ +commit 8209874fc0ea78079aa21c386df0f385ee0e5dca +Author: Ingo Franzki +Date: Wed Jul 9 09:09:32 2025 +0200 + + COMMON: Fix detection of EC curve not supported by OpenSSL + + OpenSSL 3.5 recently changed the behavior in regards of error reporting + with EVP_PKEY_keygen(). When the EC curve is not supported it used to + return error EC_R_INVALID_CURVE as top most entry in the error stack. + + Since commit https://github.com/openssl/openssl/commit/72351b0d18078170af270418b2d5e9fc579cb1af + this is no longer the case, instead a generic EVP_R_PROVIDER_KEYMGMT_FAILURE + error is now the top most entry, and EC_R_INVALID_CURVE is the second one. + + Make the detection independent of the error reporting and check for the + curve already in curve_nid_from_params(). + + Closes: https://github.com/opencryptoki/opencryptoki/issues/877 + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/common/mech_openssl.c b/usr/lib/common/mech_openssl.c +index f29b4946..e1bb6b83 100644 +--- a/usr/lib/common/mech_openssl.c ++++ b/usr/lib/common/mech_openssl.c +@@ -1854,6 +1854,7 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len) + { + const unsigned char *oid; + ASN1_OBJECT *obj = NULL; ++ EC_GROUP *grp; + int nid; + + oid = params; +@@ -1866,6 +1867,14 @@ static int curve_nid_from_params(const CK_BYTE *params, CK_ULONG params_len) + nid = OBJ_obj2nid(obj); + ASN1_OBJECT_free(obj); + ++ grp = EC_GROUP_new_by_curve_name(nid); ++ if (grp == NULL) { ++ TRACE_ERROR("curve not supported by OpenSSL.\n"); ++ return NID_undef; ++ } ++ ++ EC_GROUP_free(grp); ++ + return nid; + } + diff --git a/SOURCES/opencryptoki.sysusers.conf b/SOURCES/opencryptoki.sysusers.conf new file mode 100644 index 0000000..b18be2a --- /dev/null +++ b/SOURCES/opencryptoki.sysusers.conf @@ -0,0 +1,2 @@ +g pkcs11 - - +u pkcsslotd -:pkcs11 "Opencryptoki pkcsslotd user" /run/opencryptoki /sbin/nologin diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 9f90236..2bb3efd 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -1,22 +1,41 @@ Name: opencryptoki -Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 -Version: 3.24.0 -Release: 5%{?dist} +Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 and partially v3.1 +Version: 3.25.0 +Release: 4%{?dist} License: CPL-1.0 URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +# sysusers.d config file to allow rpm to create users/groups automatically +Source1: opencryptoki.sysusers.conf + # fix install problem in buildroot -Patch1: opencryptoki-3.24.0-p11sak.patch +Patch1: opencryptoki-3.25.0-p11sak.patch + +# tmpfiles.d config files for image mode +Patch2: opencryptoki-3.24.0-tmpfiles-image-mode.patch + +# everything using /var/lock should be fixed in the end to use /run/lock +# https://gitlab.com/fedora/bootc/base-images/-/issues/48 +Patch3: opencryptoki-lockdir-image-mode.patch # upstream patches -Patch2: opencryptoki-3.24.0-compile-error-due-to-incompatible-pointer-types.patch -Patch3: opencryptoki-3.24.0-resource-leaks.patch -Patch4: 3.24-CCA-Adjust-CCA-host-library-version-detection-for-ne.patch +# Fix detection of EC curve not supported by OpenSSL-3.5.x +Patch10: opencryptoki-openssl-3.5.x.patch + +# Fix covscan findings, https://github.com/opencryptoki/opencryptoki/pull/880 +Patch11: opencryptoki-3.25.0-covscan-findings.patch + +# Remove the use of MD5, pkcsslotd crashes in FIPS mode +Patch12: opencryptoki-3.25.0-reject-using-md5-in-fips-mode.patch Requires(pre): coreutils Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted) BuildRequires: gcc gcc-c++ BuildRequires: openssl-devel >= 1.1.1 +# testcases require 'openssl' command line tool +BuildRequires: openssl >= 1.1.1 +# testcases require 'jq' command line tool +BuildRequires: jq %if 0%{?tmptok} BuildRequires: trousers-devel %endif @@ -26,7 +45,9 @@ BuildRequires: bison flex BuildRequires: libcap-devel BuildRequires: expect BuildRequires: make +# sysusers_create_compat macro BuildRequires: systemd-rpm-macros +%{?sysusers_requires_compat} %ifarch s390 s390x BuildRequires: libica-devel >= 3.3 # for /usr/include/libudev.h @@ -41,10 +62,10 @@ Requires(postun): systemd %description -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the Slot Daemon (pkcsslotd) and general utilities. @@ -54,10 +75,10 @@ Summary: The run-time libraries for opencryptoki package Requires(pre): shadow-utils %description libs -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package contains the PKCS#11 library implementation, and requires at least one token implementation (packaged separately) to be fully @@ -80,10 +101,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description swtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the software token implementation to use opencryptoki without any specific cryptographic hardware. @@ -96,10 +117,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description tpmtok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support Trusted Platform Module (TPM) devices in the opencryptoki stack. @@ -112,10 +133,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icsftok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICSF token in the opencryptoki stack. @@ -128,14 +149,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description icatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support ICA devices in the opencryptoki stack. ICA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "accelerator" or "clear-key" path. %package ccatok @@ -145,14 +166,14 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ccatok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support CCA devices in the opencryptoki stack. CCA is an interface to IBM -cryptographic hardware such as IBM 4764 or 4765 that uses the +cryptographic hardware such as IBM 4767, 4768, 4769 and 4770 that uses the "co-processor" or "secure-key" path. %package ep11tok @@ -162,10 +183,10 @@ Requires: %{name}-libs%{?_isa} = %{version}-%{release} Provides: %{name}(token) %description ep11tok -Opencryptoki implements the PKCS#11 specification v2.20 for a set of -cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the -Trusted Platform Module (TPM) chip. Opencryptoki also brings a software -token implementation that can be used without any cryptographic +Opencryptoki implements the PKCS#11 specification v3.0 and partially v3.1 +for a set of cryptographic hardware, such as IBM 4767, 4768, 4769 and 4770 +crypto cards, and the Trusted Platform Module (TPM) chip. Opencryptoki also +brings a software token implementation that can be used without any cryptographic hardware. This package brings the necessary libraries and files to support EP11 tokens in the opencryptoki stack. The EP11 token is a token that uses @@ -204,6 +225,32 @@ configured with Enterprise PKCS#11 (EP11) firmware. %install %make_install CHGRP=/bin/true +# Install sysusers.d config file +install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{name}.sysusers.conf + +# Install tmpfiles.d config files +%ifarch s390 s390x +install -p -D -m 0644 %{name}-icatok.conf %{buildroot}%{_tmpfilesdir}/ +install -p -D -m 0644 %{name}-ep11tok.conf %{buildroot}%{_tmpfilesdir}/ +%endif + +%ifarch s390 s390x x86_64 ppc64le +install -p -D -m 0644 %{name}-ccatok.conf %{buildroot}%{_tmpfilesdir}/ +%endif + +%if 0%{?tmptok} +install -p -D -m 0644 %{name}-tpmtok.conf %{buildroot}%{_tmpfilesdir}/ +%endif + +install -p -D -m 0644 %{name}-swtok.conf %{buildroot}%{_tmpfilesdir}/ +install -p -D -m 0644 %{name}-icsftok.conf %{buildroot}%{_tmpfilesdir}/ + +# convert absolute links to relative links. +rm -f %{buildroot}%{_libdir}/%{name}/methods && ln -fs ../../bin %{buildroot}%{_libdir}/%{name}/methods +rm -f %{buildroot}%{_libdir}/pkcs11/methods && ln -fs ../../bin %{buildroot}%{_libdir}/pkcs11/methods + +%check +make check %pre # don't touch opencryptoki.conf even if it is unchanged due to new tokversion @@ -215,9 +262,7 @@ if test $1 -gt 1 && test -f %{cfile} ; then fi %pre libs -getent group pkcs11 >/dev/null || groupadd -r pkcs11 -getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd -exit 0 +%sysusers_create_compat %{SOURCE1} %post # restore the config file from %pre @@ -247,11 +292,13 @@ fi %doc %{_docdir}/%{name}/*.conf %dir %{_sysconfdir}/%{name} %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf -%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%verify(not md5 size mtime) %attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11kmip.conf %{_tmpfilesdir}/%{name}.conf %{_unitdir}/pkcsslotd.service %{_sbindir}/p11sak +%{_sbindir}/p11kmip %{_sbindir}/pkcstok_migrate %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd @@ -261,11 +308,13 @@ fi %{_mandir}/man1/p11sak.1* %{_mandir}/man1/pkcstok_migrate.1* %{_mandir}/man1/pkcsconf.1* +%{_mandir}/man1/p11kmip.1* %{_mandir}/man1/pkcsstats.1* %{_mandir}/man1/pkcshsm_mk_change.1* %{_mandir}/man1/pkcstok_admin.1* %{_mandir}/man5/policy.conf.5* %{_mandir}/man5/strength.conf.5* +%{_mandir}/man5/p11kmip.conf.5* %{_mandir}/man5/%{name}.conf.5* %{_mandir}/man5/p11sak_defined_attrs.conf.5* %{_mandir}/man7/%{name}.7* @@ -293,6 +342,7 @@ fi %{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/stdll %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki +%{_sysusersdir}/%{name}.sysusers.conf %files devel %{_includedir}/%{name}/ @@ -303,6 +353,7 @@ fi %{_libdir}/opencryptoki/stdll/PKCS11_SW.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ +%{_tmpfilesdir}/%{name}-swtok.conf %if 0%{?tmptok} %files tpmtok @@ -310,6 +361,7 @@ fi %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ +%{_tmpfilesdir}/%{name}-tpmtok.conf %endif %files icsftok @@ -319,6 +371,7 @@ fi %{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ +%{_tmpfilesdir}/%{name}-icsftok.conf %ifarch s390 s390x %files icatok @@ -326,6 +379,7 @@ fi %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ +%{_tmpfilesdir}/%{name}-icatok.conf %endif %ifarch s390 s390x x86_64 ppc64le @@ -338,6 +392,7 @@ fi %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ +%{_tmpfilesdir}/%{name}-ccatok.conf %endif %ifarch s390 s390x @@ -353,15 +408,41 @@ fi %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ +%{_tmpfilesdir}/%{name}-ep11tok.conf %endif %changelog -* Mon Aug 11 2025 Than Ngo - 3.24.0-5 -- Related: RHEL-106414, rebuilt +* Wed Aug 13 2025 Than Ngo - 3.25.0-4 +- Fix pkcsslotd fails to start in FIPS +- Drop tier1 test as it mostly provides duplicate results +- Enable ci test for FIPS mode + Resolves: RHEL-109050 -* Sun Aug 10 2025 Than Ngo - 3.24.0-4 -- Resolves: RHEL-108011, supporting CCA 8.4 +* Mon Jul 21 2025 Than Ngo - 3.25.0-3 +- Fix incorrect effective group id of pkcsslotd daemon +- Fix covscan findings + Resolves: RHEL-104602 + +* Mon Jul 14 2025 Than Ngo - 3.25.0-2 +- Related: RHEL-73344, Fix detection of EC curve not supported by OpenSSL-3.5.x +- Related: RHEL-77147, Fix the image mode issue again as bootc expects to use /run/lock + +* Fri Jul 04 2025 Than Ngo - 3.25.0-1 +- Resolves: RHEL-73344, upgrade openCryptoki +- Resolves: RHEL-90590, basic support of AES-GCM +- Resolves: RHEL-72965, cca token support cipher keys +- Resolves: RHEL-72969, support for CKM_RSA_AES_KEY_WRAP for cca, ica and soft tokens +- Resolves: RHEL-75141, add a tool to import/export PKCS #11 keys from to a KMIP server +- Resolves: RHEL-75762, ep11 token: import and export of secure key objects +- Resolves: RHEL-85375, cca token: Support ECDH to derive AES keys +- Resolves: RHEL-85377, ep11 token: PKCS #11 3.0 - support SHA3 + +* Wed Apr 09 2025 Than Ngo - 3.24.0-5 +- Related: RHEL-77147, opencryptoki doesn't work in image mode + +* Wed Mar 19 2025 Than Ngo - 3.24.0-4 +- Resolves: RHEL-77147, opencryptoki doesn't work in image mode * Tue Nov 26 2024 Than Ngo - 3.24.0-3 - Disable ccatok on aarch64