opencryptoki/opencryptoki-3.23-SEC2356-backport-07.patch
Than Ngo f632fbe906 - Resolves: RHEL-23671, ep11 token support protected keys for extractable keys
- Resolves: RHEL-23672, ep11 token support for FIPS 2021-session bound EP11 keys
- Resolves: RHEL-23673, update to 3.23.0
2024-05-22 12:13:14 +02:00

32 lines
1.2 KiB
Diff

commit 99b87ff678abfb71ba05741d1942e8ac723110c8
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Mar 12 17:30:36 2024 +0100
EP11: consider combined-extract for XTS pkey check
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 7850e43f..e2c9a77e 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
CK_MECHANISM_TYPE type)
{
+ ep11_private_data_t *ep11_data = tokdata->private_data;
+
if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) {
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
return CKR_MECHANISM_INVALID;
}
- if (object_is_extractable(key_obj) ||
- !object_is_pkey_extractable(key_obj) ||
- object_is_attr_bound(key_obj)) {
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
+ TRACE_ERROR("Key not eligible for pkey support\n");
return CKR_TEMPLATE_INCONSISTENT;
}