RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/opencryptoki#28f33cc369b00493951d176ecb864885577c381b
Petr Šabata 2020-10-15 21:52:06 +02:00
parent e1b64f3c3e
commit fdb1d74ac8
16 changed files with 4836 additions and 0 deletions

27
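--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,27 @@
+opencryptoki-2.3.1.tar.gz
+/opencryptoki-2.3.2.tar.gz
+/opencryptoki-2.3.3.tar.gz
+/opencryptoki-2.4.tar.gz
+/opencryptoki-2.4.1.tar.gz
+/opencryptoki-2.4.2.tar.gz
+/opencryptoki-2.4.3.tar.gz
+/opencryptoki-2.4.3.1-tar.gz
+/opencryptoki-v3.0.tar.gz
+/opencryptoki-v3.1.tgz
+/opencryptoki-v3.2.tgz
+/opencryptoki-v3.3.tgz
+/opencryptoki-v3.4.tgz
+/opencryptoki-v3.4.1.tgz
+/opencryptoki-3.5.tgz
+/opencryptoki-3.5.1.tgz
+/opencryptoki-3.6.2.tar.gz
+/opencryptoki-3.7.0.tar.gz
+/opencryptoki-3.8.2.tar.gz
+/opencryptoki-3.9.0.tar.gz
+/opencryptoki-3.10.0.tar.gz
+/opencryptoki-3.11.0.tar.gz
+/opencryptoki-3.11.1.tar.gz
+/opencryptoki-3.12.0.tar.gz
+/opencryptoki-3.12.1.tar.gz
+/opencryptoki-3.13.0.tar.gz
+/opencryptoki-3.14.0.tar.gz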


@ -0,0 +1,134 @@
From 583f0210bb8f371c2071966f27b83c95230d50cc Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:09:18 +0200
Subject: [PATCH 1/2] pkcstok_migrate: Fix NVTOK.DAT conversion on little
endian platforms
The new format stores all numeric fields in big endian, while the old
format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 84 ++++++++++++++++++++++++++----
1 file changed, 74 insertions(+), 10 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e90a5c91..e0c19125 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -1077,6 +1077,42 @@ static CK_RV load_NVTOK_DAT(const char *data_store, const char *nvtok_name,
goto done;
}
+ if (stbuf.st_size == sizeof(TOKEN_DATA)) {
+ /* The 312 version always uses big endian */
+ td->token_info.flags = be32toh(td->token_info.flags);
+ td->token_info.ulMaxSessionCount
+ = be32toh(td->token_info.ulMaxSessionCount);
+ td->token_info.ulSessionCount
+ = be32toh(td->token_info.ulSessionCount);
+ td->token_info.ulMaxRwSessionCount
+ = be32toh(td->token_info.ulMaxRwSessionCount);
+ td->token_info.ulRwSessionCount
+ = be32toh(td->token_info.ulRwSessionCount);
+ td->token_info.ulMaxPinLen = be32toh(td->token_info.ulMaxPinLen);
+ td->token_info.ulMinPinLen = be32toh(td->token_info.ulMinPinLen);
+ td->token_info.ulTotalPublicMemory
+ = be32toh(td->token_info.ulTotalPublicMemory);
+ td->token_info.ulFreePublicMemory
+ = be32toh(td->token_info.ulFreePublicMemory);
+ td->token_info.ulTotalPrivateMemory
+ = be32toh(td->token_info.ulTotalPrivateMemory);
+ td->token_info.ulFreePrivateMemory
+ = be32toh(td->token_info.ulFreePrivateMemory);
+ td->tweak_vector.allow_weak_des
+ = be32toh(td->tweak_vector.allow_weak_des);
+ td->tweak_vector.check_des_parity
+ = be32toh(td->tweak_vector.check_des_parity);
+ td->tweak_vector.allow_key_mods
+ = be32toh(td->tweak_vector.allow_key_mods);
+ td->tweak_vector.netscape_mods
+ = be32toh(td->tweak_vector.netscape_mods);
+ td->dat.version = be32toh(td->dat.version);
+ td->dat.so_login_it = be64toh(td->dat.so_login_it);
+ td->dat.user_login_it = be64toh(td->dat.user_login_it);
+ td->dat.so_wrap_it = be64toh(td->dat.so_wrap_it);
+ td->dat.user_wrap_it = be64toh(td->dat.user_wrap_it);
+ }
+
ret = CKR_OK;
done:
@@ -1628,6 +1664,7 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
{
const char *nvtok = "NVTOK.DAT_312";
char fname[PATH_MAX + 1 + strlen(nvtok) + 1];
+ TOKEN_DATA be_tokdata;
FILE *fp = NULL;
CK_RV ret;
size_t rc;
@@ -1656,14 +1693,6 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Write old part into NVTOK.DAT_312 */
- rc = fwrite(tokdata, sizeof(TOKEN_DATA_OLD), 1, fp);
- if (rc != 1) {
- TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
- ret = CKR_FUNCTION_FAILED;
- goto done;
- }
-
/* Create additions for new format */
ret = create_TOKEN_DATA_VERSION(sopin, userpin, tokdata);
if (ret != CKR_OK) {
@@ -1671,8 +1700,43 @@ static CK_RV create_NVTOK_DAT_312(const char *data_store, const char *sopin,
goto done;
}
- /* Append TOKEN_DATA_VERSION to NVTOK.DAT_312 */
- rc = fwrite(&(tokdata->dat), sizeof(TOKEN_DATA_VERSION), 1, fp);
+ /* The 312 version always uses big endian */
+ memcpy(&be_tokdata, tokdata, sizeof(TOKEN_DATA));
+ be_tokdata.token_info.flags = htobe32(tokdata->token_info.flags);
+ be_tokdata.token_info.ulMaxSessionCount
+ = htobe32(tokdata->token_info.ulMaxSessionCount);
+ be_tokdata.token_info.ulSessionCount
+ = htobe32(tokdata->token_info.ulSessionCount);
+ be_tokdata.token_info.ulMaxRwSessionCount
+ = htobe32(tokdata->token_info.ulMaxRwSessionCount);
+ be_tokdata.token_info.ulRwSessionCount
+ = htobe32(tokdata->token_info.ulRwSessionCount);
+ be_tokdata.token_info.ulMaxPinLen = htobe32(tokdata->token_info.ulMaxPinLen);
+ be_tokdata.token_info.ulMinPinLen = htobe32(tokdata->token_info.ulMinPinLen);
+ be_tokdata.token_info.ulTotalPublicMemory
+ = htobe32(tokdata->token_info.ulTotalPublicMemory);
+ be_tokdata.token_info.ulFreePublicMemory
+ = htobe32(tokdata->token_info.ulFreePublicMemory);
+ be_tokdata.token_info.ulTotalPrivateMemory
+ = htobe32(tokdata->token_info.ulTotalPrivateMemory);
+ be_tokdata.token_info.ulFreePrivateMemory
+ = htobe32(tokdata->token_info.ulFreePrivateMemory);
+ be_tokdata.tweak_vector.allow_weak_des
+ = htobe32(tokdata->tweak_vector.allow_weak_des);
+ be_tokdata.tweak_vector.check_des_parity
+ = htobe32(tokdata->tweak_vector.check_des_parity);
+ be_tokdata.tweak_vector.allow_key_mods
+ = htobe32(tokdata->tweak_vector.allow_key_mods);
+ be_tokdata.tweak_vector.netscape_mods
+ = htobe32(tokdata->tweak_vector.netscape_mods);
+ be_tokdata.dat.version = htobe32(tokdata->dat.version);
+ be_tokdata.dat.so_login_it = htobe64(tokdata->dat.so_login_it);
+ be_tokdata.dat.user_login_it = htobe64(tokdata->dat.user_login_it);
+ be_tokdata.dat.so_wrap_it = htobe64(tokdata->dat.so_wrap_it);
+ be_tokdata.dat.user_wrap_it = htobe64(tokdata->dat.user_wrap_it);
+
+ /* Write converted token data into NVTOK.DAT_312 */
+ rc = fwrite(&be_tokdata, sizeof(TOKEN_DATA), 1, fp);
if (rc != 1) {
TRACE_ERROR("fwrite(%s) failed, errno=%s.\n", fname, strerror(errno));
ret = CKR_FUNCTION_FAILED;
--
2.16.2.windows.1
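Review bot: The list of twenty byte-swapped fields is written out by hand twice, once with be32toh/be64toh in load_NVTOK_DAT() and once with htobe32/htobe64 in create_NVTOK_DAT_312(), so a field added to or dropped from only one list would produce or accept a token file with mixed byte order and no error. Two small static helpers taking a `TOKEN_DATA *`, one per direction and defined next to each other, would keep reader and writer in step. In load_NVTOK_DAT() the swap is keyed only on `stbuf.st_size == sizeof(TOKEN_DATA)`; a comment there stating that the file size is the sole discriminator between the old and the 3.12 layout would help the next reader. Both function bodies start and end outside the hunks shown.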


@ -0,0 +1,40 @@
From 6faa13d83e5166e4bbe97d85935aca779fde9089 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 2 Jul 2020 14:46:29 +0200
Subject: [PATCH 2/2] pkcstok_migrate: Fix private token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index e0c19125..0148102c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -239,7 +239,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
/* Setup header */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x01;
ret = aes_256_wrap(header.key_wrapped, obj_key, masterkey);
if (ret != CKR_OK) {
@@ -252,7 +252,7 @@ static CK_RV make_OBJECT_PRIV_312(unsigned char **obj_new, unsigned int *obj_new
header.iv[9] = 0;
header.iv[10] = 0;
header.iv[11] = 1;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, HEADER_LEN);
/* Encrypt body */
--
2.16.2.windows.1
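Review bot: The on-disk format version is written as the bare literal `0x0003000C` in make_OBJECT_PRIV_312(), and the same literal is repeated in make_OBJECT_PUB_312() in patch 3/5. A single named constant used by both writers (and, if it has the same value, the `TOK_NEW_DATA_STORE` that loadsave.c compares against when reading these headers) would keep writer and reader from drifting apart. A short comment on `header.object_len = htobe32(clear_len);` saying that header fields are big endian on disk while `clear_len` itself stays in host order for the later copy would also help. Both functions continue outside the hunks.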


@ -0,0 +1,34 @@
From c090136338b585370df6a8e29518f9e55d388fe5 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:34 +0200
Subject: [PATCH 3/5] pkcstok_migrate: Fix public token object conversion on
little endian platforms
The new format stores numeric fields in the object header in big endian, while
the old format uses the platform endianness. So convert the fields to big endian
during conversion.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 0148102c..136c010c 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -103,9 +103,9 @@ static CK_RV make_OBJECT_PUB_312(char **obj_new, unsigned int *obj_new_len,
/* Setup object */
memset(&header, 0, sizeof(header));
- header.tokversion = 0x0003000C;
+ header.tokversion = htobe32(0x0003000C);
header.private_flag = 0x00;
- header.object_len = clear_len;
+ header.object_len = htobe32(clear_len);
memcpy(object, &header, sizeof(header));
memcpy(object + sizeof(header), clear, clear_len);
--
2.16.2.windows.1


@ -0,0 +1,93 @@
From d1dbc25c6f424a12860295008991cd1392c888a8 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 09:56:31 +0200
Subject: [PATCH 4/5] pkcstok_migrate: Remove the token's shared memory segment
After successfully migration, remove the tokens shared memory segment.
This will be re-created on the first use of the token.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcstok_migrate/pkcstok_migrate.c | 38 +++++++++++++++++++++++++++++
usr/sbin/pkcstok_migrate/pkcstok_migrate.mk | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
index 136c010c..46e5e57f 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.c
@@ -31,6 +31,7 @@
#include <termios.h>
#include <unistd.h>
#include <dirent.h>
+#include <sys/mman.h>
#include <pkcs11types.h>
#include "sw_crypt.h"
@@ -2108,6 +2109,36 @@ done:
}
+/**
+ * Removes the token_s shared memory from /dev/shm
+ */
+static CK_RV remove_shared_memory(char *location)
+{
+ char shm_name[PATH_MAX];
+ int i, k, rc;
+
+ i = k = 0;
+ shm_name[k++] = '/';
+ if (location[i] == '/')
+ i++;
+
+ for (; location[i]; i++, k++) {
+ if (location[i] == '/')
+ shm_name[k] = '.';
+ else
+ shm_name[k] = location[i];
+ }
+ shm_name[k] = '\0';
+
+ rc = shm_unlink(shm_name);
+ if (rc != 0) {
+ warnx("shm_unlink(%s) failed, errno=%s", shm_name, strerror(errno));
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
/**
* Copy a file given by name from a src folder to a dst folder.
*/
@@ -2718,6 +2749,13 @@ int main(int argc, char **argv)
goto done;
}
+ /* Remove the token's shared memory */
+ ret = remove_shared_memory(data_store);
+ if (ret != CKR_OK) {
+ warnx("Failed to remove token's shared memory.");
+ goto done;
+ }
+
/* Now insert new 'tokversion=3.12' parm in opencryptoki.conf */
ret = update_opencryptoki_conf(slot_id, conf_dir);
if (ret != CKR_OK) {
diff --git a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
index dc4582e5..028a383e 100644
--- a/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
+++ b/usr/sbin/pkcstok_migrate/pkcstok_migrate.mk
@@ -6,7 +6,7 @@ noinst_HEADERS += usr/include/local_types.h
noinst_HEADERS += usr/lib/common/h_extern.h
noinst_HEADERS += usr/lib/common/pkcs_utils.h
-usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl
+usr_sbin_pkcstok_migrate_pkcstok_migrate_LDFLAGS = -lcrypto -ldl -lrt
usr_sbin_pkcstok_migrate_pkcstok_migrate_CFLAGS = \
-DSTDLL_NAME=\"pkcstok_migrate\" \
--
2.16.2.windows.1
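Review bot: remove_shared_memory() copies `location` into `char shm_name[PATH_MAX]` with no length check, so a path of PATH_MAX - 1 bytes or more can write past the end of the buffer unless the caller already bounds it, which is not visible here. The loop should stop at `k < (int) sizeof(shm_name) - 1` and return an error when the input does not fit. Separately, main() treats every shm_unlink() failure as fatal, including ENOENT when the segment does not exist, and in that case jumps to `done` before opencryptoki.conf is updated. A missing segment can be accepted with `if (rc != 0 && errno != ENOENT) {`. The doc comment reads `token_s`, presumably meant as `token's`.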


@ -0,0 +1,107 @@
From 6850ae623f9d36b70f1d2919c8390a4b14d393a1 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 6 Jul 2020 13:16:01 +0200
Subject: [PATCH 5/5] Fix storing of public token objects in new data format
The tokversion and object length field are supposed to be stored
in big endian (BE) on all platforms. This was not the case for public
token objects.
Fix this by always storing it in BE, and add logic to the read routines
to automatically detect if the fields are in the expected byte order,
or not, and handle them accordingly.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/lib/common/loadsave.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index 068fdf36..b76dea9f 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2557,6 +2557,7 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG size_64;
CK_RV rc;
uint32_t len;
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return reload_token_object_old(tokdata, obj);
@@ -2580,9 +2581,18 @@ CK_RV reload_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&len, header + 60, 4);
- size = be32toh(len);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also.
+ */
+ if (ver == TOK_NEW_DATA_STORE)
+ size = len;
+ else
+ size = be32toh(len);
buf = (CK_BYTE *) malloc(size);
if (buf == NULL) {
@@ -2647,8 +2657,9 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
CK_ULONG clear_len;
CK_BBOOL flag = FALSE;
CK_RV rc;
- CK_ULONG_32 len;
+ CK_ULONG_32 len, be_len;
unsigned char reserved[7] = {0};
+ uint32_t tmp;
if (tokdata->version < TOK_NEW_DATA_STORE)
return save_public_token_object_old(tokdata, obj);
@@ -2669,11 +2680,14 @@ CK_RV save_public_token_object(STDLL_TokData_t *tokdata, OBJECT *obj)
goto done;
}
+ tmp = htobe32(tokdata->version);
+ be_len = htobe32(len);
+
set_perm(fileno(fp));
- if (fwrite(&tokdata->version, 4, 1, fp) != 1
+ if (fwrite(&tmp, 4, 1, fp) != 1
|| fwrite(&flag, 1, 1, fp) != 1
|| fwrite(reserved, 7, 1, fp) != 1
- || fwrite(&len, 4, 1, fp) != 1
+ || fwrite(&be_len, 4, 1, fp) != 1
|| fwrite(clear, len, 1, fp) != 1) {
rc = CKR_FUNCTION_FAILED;
goto done;
@@ -2704,6 +2718,7 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
CK_BBOOL priv;
CK_ULONG_32 size;
unsigned char header[PUB_HEADER_LEN];
+ uint32_t ver;
if (tokdata->version < TOK_NEW_DATA_STORE)
return load_public_token_objects_old(tokdata);
@@ -2731,9 +2746,16 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ memcpy(&ver, header, 4);
memcpy(&priv, header + 4, 1);
memcpy(&size, header + 12, 4);
- size = be32toh(size);
+
+ /*
+ * In OCK 3.12 - 3.14 the version and size was not stored in BE. So if
+ * version field is in platform endianness, keep size as is also
+ */
+ if (ver != TOK_NEW_DATA_STORE)
+ size = be32toh(size);
if (priv == TRUE) {
fclose(fp2);
--
2.16.2.windows.1
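Review bot: In reload_token_object() and load_public_token_objects() the byte order is inferred from `ver == TOK_NEW_DATA_STORE` alone, so a header whose version field is valid in neither byte order (a truncated or corrupted object file) silently takes the be32toh() path and its length field is still trusted. In reload_token_object() that length goes straight into `malloc(size)`. Validating the big-endian reading before using the length, for example `else if (be32toh(ver) < TOK_NEW_DATA_STORE) { rc = CKR_FUNCTION_FAILED; goto done; }`, and checking the size against the file length would make the fallback safer; which versions to accept is the author's call. Both function bodies extend beyond the hunks, so any later size check is not visible here.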


@ -0,0 +1,31 @@
diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in
--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100
+++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100
@@ -55,9 +55,11 @@ void *attach_shared_memory()
int shmid;
char *shmp;
struct stat statbuf;
+#if 0
struct group *grp;
struct passwd *pw, *epw;
uid_t uid, euid;
+#endif
#if !(MMAP)
// Really should fstat the tok_path, since it will be the actual
@@ -69,6 +71,7 @@ void *attach_shared_memory()
return NULL;
}
+#if 0
uid = getuid();
euid = geteuid();
// only check group membership if not root user
@@ -102,6 +105,7 @@ void *attach_shared_memory()
return NULL;
}
}
+#endif
Anchor->shm_tok = ftok(TOK_PATH, 'b');
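Review bot: The two `#if 0` blocks in attach_shared_memory() compile out the uid/euid and group-membership check with no comment saying why or what restricts access instead, so the only gate left is whatever permissions the shared memory segment itself carries. A comment at the first `#if 0`, such as `/* group-membership check disabled downstream, see <bug reference> */`, together with one sentence naming the mechanism that now limits who may attach, would stop a later reader from treating this as dead code or re-enabling it blindly. The function starts and ends outside these hunks, so the remaining permission handling cannot be confirmed from this patch.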


@ -0,0 +1,12 @@
diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
dnl Define custom variables
-lockdir=$localstatedir/lock/opencryptoki
+lockdir=/run/lock/opencryptoki
AC_SUBST(lockdir)
logdir=$localstatedir/log/opencryptoki


@ -0,0 +1,63 @@
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
@@ -57,7 +57,7 @@ void openssl_print_errors()
}
#endif
-RSA *openssl_gen_key()
+RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
{
RSA *rsa;
int rc, counter = 0;
@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
BIGNUM *bne;
#endif
- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
+ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
RAND_seed(buf, 32);
regen_rsa_key:
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
TSS_HTPM hTPM;
BYTE *random_bytes = NULL;
- UNUSED(tokdata);
-
rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
if (rc) {
TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
unsigned char n[256], p[256];
/* all sw generated keys are 2048 bits */
- if ((rsa = openssl_gen_key()) == NULL)
+ if ((rsa = openssl_gen_key(tokdata)) == NULL)
return CKR_HOST_MEMORY;
if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
+++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
@@ -56,7 +56,7 @@
/* retry count for generating software RSA keys */
#define KEYGEN_RETRY 5
-RSA *openssl_gen_key();
+RSA *openssl_gen_key(STDLL_TokData_t *);
int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
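Review bot: In openssl_gen_key() the result of `token_specific_rng(tokdata, (CK_BYTE *) buf, 32);` is still discarded, so if the TPM call fails, `RAND_seed(buf, 32)` is fed whatever `buf` already held (its initialisation is outside the hunk) and key generation continues without the TPM entropy and without any trace. token_specific_rng() is declared as returning CK_RV in tpm_specific.c, so the call can be checked: `if (token_specific_rng(tokdata, (CK_BYTE *) buf, 32) != CKR_OK) return NULL;`, or at least logged with TRACE_ERROR if failing is too strict. The prototype `RSA *openssl_gen_key(STDLL_TokData_t *);` would also read better with the parameter name kept. The function body continues past the hunk.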


@ -0,0 +1,85 @@
commit 2585fc1a52afdfc6ec119e6a27d7c5d52c06d4e2
Author: Alexander Scheel <ascheel@redhat.com>
Date: Wed Jul 1 08:23:42 2020 -0400
Handle early error cases in C_Initialize
When C_Initialize errors prior to the bt_init call, bt_destroy will be
called on garbage memory because Anchor hasn't yet been zeroed. This
gives a stack trace such as:
Stack trace of thread 27740:
#0 0x00007fce91552b05 raise (libc.so.6 + 0x3cb05)
#1 0x00007fce9153b8a4 abort (libc.so.6 + 0x258a4)
#2 0x00007fce908db2e1 _ZN2os5abortEb.cold (libjvm.so + 0x20f2e1)
#3 0x00007fce911f76c2 _ZN7VMError14report_and_dieEv (libjvm.so + 0xb2b6c2)
#4 0x00007fce90fe7a24 JVM_handle_linux_signal (libjvm.so + 0x91ba24)
#5 0x00007fce90fdaa9c _Z13signalHandleriP9siginfo_tPv (libjvm.so + 0x90ea9c)
#6 0x00007fce91552b90 __restore_rt (libc.so.6 + 0x3cb90)
#7 0x00007fce7a262550 bt_destroy (libopencryptoki.so + 0x11550)
#8 0x00007fce7a2600d6 C_Initialize (libopencryptoki.so + 0xf0d6)
#9 0x00007fce7a6c8234 initialize_module_inlock_reentrant (p11-kit-proxy.so + 0x2d234)
#10 0x00007fce7a6c8383 managed_C_Initialize (p11-kit-proxy.so + 0x2d383)
#11 0x00007fce7a6cabe0 p11_kit_modules_initialize (p11-kit-proxy.so + 0x2fbe0)
#12 0x00007fce7a6cea97 proxy_C_Initialize (p11-kit-proxy.so + 0x33a97)
#13 0x00007fce7aaaa6f2 secmod_ModuleInit (libnss3.so + 0x486f2)
#14 0x00007fce7aaaae4a secmod_LoadPKCS11Module (libnss3.so + 0x48e4a)
#15 0x00007fce7aab800d SECMOD_LoadModule (libnss3.so + 0x5600d)
#16 0x00007fce7aab8148 SECMOD_LoadModule (libnss3.so + 0x56148)
#17 0x00007fce7aa80dc1 nss_Init (libnss3.so + 0x1edc1)
#18 0x00007fce7aa8124d NSS_InitReadWrite (libnss3.so + 0x1f24d)
#19 0x00007fce7ac47a29 Java_org_mozilla_jss_CryptoManager_initializeAllNative2 (libjss4.so + 0x15a29)
#20 0x00007fce7c8133c7 n/a (n/a + 0x0)
#21 0x00007fce7c802ffd n/a (n/a + 0x0)
#22 0x00007fce7c802ffd n/a (n/a + 0x0)
#23 0x00007fce7c802ffd n/a (n/a + 0x0)
#24 0x00007fce7c802ffd n/a (n/a + 0x0)
#25 0x00007fce7c802ffd n/a (n/a + 0x0)
#26 0x00007fce7c802ffd n/a (n/a + 0x0)
#27 0x00007fce7c802ffd n/a (n/a + 0x0)
#28 0x00007fce7c802ffd n/a (n/a + 0x0)
#29 0x00007fce7c802ffd n/a (n/a + 0x0)
#30 0x00007fce7c7fb4e7 n/a (n/a + 0x0)
#31 0x00007fce90d60e45 _ZN9JavaCalls11call_helperEP9JavaValueP12methodHandleP17JavaCallArgumentsP6Thread (libjvm.so + 0x694e45)
#32 0x00007fce90d8488d _ZL17jni_invoke_staticP7JNIEnv_P9JavaValueP8_jobject11JNICallTypeP10_jmethodIDP18JNI_ArgumentPusherP6Thread.constprop.1 (libjvm.so + 0x6b888d)
#33 0x00007fce90d87996 jni_CallStaticVoidMethod (libjvm.so + 0x6bb996)
#34 0x00007fce916ee877 JavaMain (libjli.so + 0x4877)
#35 0x00007fce914dc3f9 start_thread (libpthread.so.0 + 0x93f9)
#36 0x00007fce916183b3 __clone (libc.so.6 + 0x1023b3)
Fixing this requires zeroing Anchor earlier, making t->size 0 and
allowing bt_destroy to exit with accessing uninitialized memory.
Resolves: #304
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
diff --git a/usr/lib/api/api_interface.c b/usr/lib/api/api_interface.c
index 51ab30fe..f61f2368 100644
--- a/usr/lib/api/api_interface.c
+++ b/usr/lib/api/api_interface.c
@@ -2557,6 +2557,11 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
// Clear out the load list
memset(slot_loaded, 0, sizeof(int) * NUMBER_SLOTS_MANAGED);
+ // Zero out API_Proc_Struct
+ // This must be done prior to all goto error calls, else bt_destroy()
+ // will fail because it accesses uninitialized memory when t->size > 0.
+ memset(Anchor, 0, sizeof(API_Proc_Struct_t));
+
TRACE_DEBUG("Anchor allocated at %s\n", (char *) Anchor);
// Validation of the parameters passed
@@ -2653,12 +2658,10 @@ CK_RV C_Initialize(CK_VOID_PTR pVoid)
rc = CKR_FUNCTION_FAILED;
goto error;
}
- //Zero out API_Proc_Struct
//Map Shared Memory Region
//if ( Shared Memory Mapped not Successful )
// Free allocated Memory
// Return CKR_HOST_MEMORY
- memset((char *) Anchor, 0, sizeof(API_Proc_Struct_t));
bt_init(&Anchor->sess_btree, free);
Anchor->Pid = getpid();
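Review bot: The `TRACE_DEBUG("Anchor allocated at %s\n", (char *) Anchor);` line that now follows the new memset prints the structure as a C string, so after zeroing it always logs an empty string, and before this change it read uninitialised bytes up to the first NUL. The message clearly intends the address: `TRACE_DEBUG("Anchor allocated at %p\n", (void *) Anchor);`. The new memset also writes through Anchor before anything in the hunk shows it was checked for NULL. The allocation and its check are outside the hunk, so confirm they come first.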


@ -0,0 +1,22 @@
commit a94436937b6364c53219fb3c7922439f403e8d5e
Author: Harald Freudenberger <freude@linux.ibm.com>
Date: Wed May 27 07:30:33 2020 +0200
Fix missing entries for p11sak tool in template spec file
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
diff --git a/rpm/opencryptoki.spec b/rpm/opencryptoki.spec
index fa4b9899..ae563406 100644
--- a/rpm/opencryptoki.spec
+++ b/rpm/opencryptoki.spec
@@ -238,7 +238,9 @@ exit 0
%{_unitdir}/pkcsslotd.service
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
+%{_sbindir}/p11sak
%{_mandir}/man1/pkcsconf.1*
+%{_mandir}/man1/p11sak.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*


@ -0,0 +1,12 @@
diff -up opencryptoki/configure.in.no-undefined opencryptoki/configure.in
--- opencryptoki/configure.in.no-undefined 2015-08-27 11:49:50.815984145 +0200
+++ opencryptoki/configure.in 2015-08-27 11:50:59.432874245 +0200
@@ -574,7 +574,7 @@ fi
AM_CONDITIONAL([ENABLE_PKCSCCA_MIGRATE], [test "x$enable_pkcscca_migrate" = "xyes"])
AM_CONDITIONAL([ENABLE_PKCSEP11_MIGRATE], [test "x$enable_pkcsep11_migrate" = "xyes"])
-CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500"
+CFLAGS="$CFLAGS -DPKCS64 -D_XOPEN_SOURCE=500 -Wl,--no-undefined"
CFLAGS+=' -DCONFIG_PATH=\"$(localstatedir)/lib/opencryptoki\" -DSBIN_PATH=\"$(sbindir)\" -DLIB_PATH=\"$(libdir)\" -DLOCKDIR_PATH=\"$(lockdir)\" -DOCK_CONFDIR=\"$(sysconfdir)/opencryptoki\" -DOCK_LOGDIR=\"$(logdir)\"'

8
opencryptoki.module Normal file

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: libopencryptoki.so
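Review bot: The comments in opencryptoki.module still say "the opensc module" and "package opensc", which looks carried over from the OpenSC module file; they should name this package, e.g. `# This file describes how to load the opencryptoki module`. The documentation link is plain `http://`; an `https://` URL would be preferable if the site serves one.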

592
opencryptoki.spec Normal file

@ -0,0 +1,592 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
Version: 3.14.0
Release: 6%{?dist}
License: CPL
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module
# https://bugzilla.redhat.com/show_bug.cgi?id=732756
Patch0: opencryptoki-3.11.0-group.patch
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
# upstream fix, regression - segfault in C_SetPin
Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
# upstream fix, handle early error cases in C_Initialize
Patch3: opencryptoki-3.14.0-early-error-in-c-initialize.patch
# Fix missing entries for p11sak tool in template spec file
Patch4: opencryptoki-3.14.0-missing-p11sak-tool-a94436937b6364c53219fb3c7922439f403e8d5e.patch
# PIN conversion tool
Patch5: opencryptoki-3.14.0-cd40f4b7cb1b502ca754b9bfb307d934285709a9-PIN-conversion-tool.patch
Patch6: 0001-pkcstok_migrate-Fix-NVTOK.DAT-conversion-on-little-e.patch
Patch7: 0002-pkcstok_migrate-Fix-private-token-object-conversion-.patch
Patch8: 0003-pkcstok_migrate-Fix-public-token-object-conversion-o.patch
Patch9: 0004-pkcstok_migrate-Remove-the-token-s-shared-memory-seg.patch
Patch10: 0005-Fix-storing-of-public-token-objects-in-new-data-form.patch
# Use --no-undefined to debug missing symbols
#Patch100: %%{name}-3.2-no-undefined.patch
Requires(pre): coreutils
BuildRequires: gcc
BuildRequires: openssl-devel
BuildRequires: trousers-devel
BuildRequires: openldap-devel
BuildRequires: autoconf automake libtool
BuildRequires: bison flex
BuildRequires: systemd
BuildRequires: libitm-devel
BuildRequires: expect
%ifarch s390 s390x
BuildRequires: libica-devel >= 2.3
%endif
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}(token)
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.
%package libs
Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils
%description libs
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully
functional.
%package devel
Summary: Development files for openCryptoki
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
This package contains the development header files for building
opencryptoki and PKCS#11 based applications
%package swtok
Summary: The software token implementation for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description swtok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware.
%package tpmtok
Summary: Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description tpmtok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack.
%package icsftok
Summary: ICSF token support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icsftok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack.
%ifarch s390 s390x
%package icatok
Summary: ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icatok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path.
%package ccatok
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ccatok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path.
%package ep11tok
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ep11tok
Opencryptoki implements the PKCS#11 specification v2.11 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
configured with Enterprise PKCS#11 (EP11) firmware.
%endif
%prep
%autosetup -p1
%build
./bootstrap.sh
%configure --with-systemd=%{_unitdir} --enable-testcases \
%ifarch s390 s390x
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
%endif
%make_build CHGRP=/bin/true
%install
%make_install CHGRP=/bin/true
install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opencryptoki.module
%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
exit 0
%post
%systemd_post pkcsslotd.service
if test $1 -eq 1; then
%tmpfiles_create %{name}.conf
fi
%preun
%systemd_preun pkcsslotd.service
%postun
%systemd_postun_with_restart pkcsslotd.service
%files
%doc ChangeLog FAQ README.md
%doc doc/opencryptoki-howto.md
%doc doc/README.token_data
%dir %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%files libs
%license LICENSE
%{_sysconfdir}/ld.so.conf.d/*
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
# needs them in the main package, because:
# documentation suggests that programs should dlopen "PKCS11_API.so".
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/libopencryptoki.*
%{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
# Co-owned with p11-kit
%dir %{_datadir}/p11-kit/
%dir %{_datadir}/p11-kit/modules/
%{_datadir}/p11-kit/modules/opencryptoki.module
%files devel
%{_includedir}/%{name}/
%files swtok
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%files tpmtok
%doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%files icsftok
%doc doc/README.icsf_stdll
%{_sbindir}/pkcsicsf
%{_mandir}/man1/pkcsicsf.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%ifarch s390 s390x
%files icatok
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%files ccatok
%doc doc/README.cca_stdll
%{_sbindir}/pkcscca
%{_mandir}/man1/pkcscca.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%files ep11tok
%doc doc/README.ep11_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
%{_sbindir}/pkcsep11_migrate
%{_sbindir}/pkcsep11_session
%{_mandir}/man1/pkcsep11_migrate.1*
%{_mandir}/man1/pkcsep11_session.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%endif
%changelog
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- added PIN conversion tool
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- fix regression, segfault in C_SetPin
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
- Rebase to 3.14.0
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
- Rebase to 3.13.0
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
- fix build with gcc 10
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
- Rebase to 3.12.1
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
- Rebase to 3.12.0
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
- Rebase to 3.11.1
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
- enable testcase by default
- fix URL
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
- Updated to 3.11.0
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
- Ported root's group membership's patch for 3.11.0
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0
* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
- Rebase to 3.9.0
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
- use upstream tmpfiles config
* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
- Rebase to 3.8.2 (#1512678)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
- Rebase to 3.7.0
- Added libitm-devel as BuildRequires
* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
- Rebase to 3.6.2
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
- New upstream release
* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
- New upstream release
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
- New bugfix upstream release
* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
- New upstream release
- Adding post-release patch fixing compile warnings
* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
- New upstream release
- Correct dependencies for group creation
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
- Few more undefined symbols fixed for s390(x) specific targets
- Do not require --no-undefined, because s390(x) requires some
* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
- Make inline function compatible for GCC5
* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
- new upstream release 3.2
- add new sub-package opencryptoki-ep11tok on s390x
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
- new upstream release 3.1
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
- create the right lock directory for cca tokens (#1054442)
* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
- use Requires(pre): opencryptoki-libs for subpackages
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
- include token specific directories (#1013017, #1045775, #1054442)
- fix pkcsconf crash for non-root users (#10054661)
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
- fix build with -Werror=format-security (#1037228)
* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
- apply post-3.0 fixes (#1033284)
* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
- update opencryptoki man page (#1001729)
* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
- update unit file (#995002)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
- update pkcsconf man page (#948460)
* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
- new upstream release 3.0
* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
- new upstream release 2.4.3.1
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
- new upstream release 2.4.3
* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
- enable hardened build
- switch to systemd macros in scriptlets (#850240)
* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
- add virtual opencryptoki(token) Provides to token modules and as Requires
to main package (#904986)
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
- new upstream release 2.4.2
- add pkcs_slot man page
- don't add root to the pkcs11 group
* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
- fix unresolved symbols in TPM module (#830129)
* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
- new upstream release 2.4.1
- convert from initscript to systemd unit
- import fixes from RHEL-6 about root's group membership (#732756, #730903)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
- new upstream release 2.4
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
- new upstream release 2.3.3
* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
- Apply Obsoletes to package names, not provides.
* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
- new upstream release 2.3.2
- put STDLLs in separate packages to match upstream package design
* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
- Move the LICENSE file to the -libs subpackage.
* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
- rebuilt with CCA enabled (#604287)
- fixed issues from #546274
* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
- fixed one more issue in the initscript (#547324)
* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
- fixed pidfile creating and usage (#547324)
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
- Also list 'reload' and 'force-reload' in "Usage: ...".
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
- Support 'force-reload' in the initscript.
* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
- New upstream release 2.3.1.
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
- made pkcsslotd initscript LSB compliant (#522149)
* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
- rebuilt with new openssl
* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
- Require libica-2.0.
* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
- New upstream release 2.3.0:
- adds support for RSA 4096 bit keys in the ICA token.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
- Require arch-specific dependency on -libs.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
- Return support for crypto hw on s390.
- Renamed to opencryptoki.
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
- Fedora package based on RHEL-5 package.
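Review bot: The `Summary:` of the `ep11tok` subpackage repeats the `ccatok` one (`CCA cryptographic devices (secure-key) support for opencryptoki`), although its `%description` is about EP11 tokens, so package listings would show two subpackages with the same CCA summary. Something like `Summary: EP11 token support for opencryptoki`, in the style of the `icsftok` summary, would match the description. Separately, `Patch6` to `Patch10` are the only patches without a comment line saying where they come from. If they are upstream backports, as the patch header at the top of the page suggests, a line such as `# upstream fixes for pkcstok_migrate token data conversion` above `Patch6` would keep the provenance of every carried patch visible.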

1
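--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (opencryptoki-3.14.0.tar.gz) = 62928f30e3aed7adaafcbe90d1b65ae56dbf10308c0c2a0e6860c266fc68de44d7bfac5c5f7f302e88a032f5360452cdc1185dfd63c26ec1c1ebda0d8324df2b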