diff --git a/003-IBM-mechs-and-attrs.patch b/003-IBM-mechs-and-attrs.patch new file mode 100644 index 0000000..8561b16 --- /dev/null +++ b/003-IBM-mechs-and-attrs.patch @@ -0,0 +1,953 @@ +diff --color -ruNp a/common/attrs.c b/common/attrs.c +--- a/common/attrs.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/common/attrs.c 2023-11-29 14:29:45.130552239 +0100 +@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU + X (CKA_TRUST_STEP_UP_APPROVED) + X (CKA_CERT_SHA1_HASH) + X (CKA_CERT_MD5_HASH) ++ X (CKA_IBM_OPAQUE) ++ X (CKA_IBM_RESTRICTABLE) ++ X (CKA_IBM_NEVER_MODIFIABLE) ++ X (CKA_IBM_RETAINKEY) ++ X (CKA_IBM_ATTRBOUND) ++ X (CKA_IBM_KEYTYPE) ++ X (CKA_IBM_CV) ++ X (CKA_IBM_MACKEY) ++ X (CKA_IBM_USE_AS_DATA) ++ X (CKA_IBM_STRUCT_PARAMS) ++ X (CKA_IBM_STD_COMPLIANCE1) ++ X (CKA_IBM_PROTKEY_EXTRACTABLE) ++ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE) ++ X (CKA_IBM_OPAQUE_PKEY) ++ X (CKA_IBM_DILITHIUM_KEYFORM) ++ X (CKA_IBM_DILITHIUM_RHO) ++ X (CKA_IBM_DILITHIUM_T1) + case CKA_VALUE: + return (klass != CKO_CERTIFICATE && + klass != CKO_X_CERTIFICATE_EXTENSION); +diff --color -ruNp a/common/constants.c b/common/constants.c +--- a/common/constants.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/common/constants.c 2023-11-29 14:29:45.130552239 +0100 +@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] + CT (CKA_WRAP_TEMPLATE, "wrap-template") + CT (CKA_UNWRAP_TEMPLATE, "unwrap-template") + CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms") ++ CT (CKA_IBM_OPAQUE, "ibm-opaque") ++ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable") ++ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable") ++ CT (CKA_IBM_RETAINKEY, "ibm-retainkey") ++ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound") ++ CT (CKA_IBM_KEYTYPE, "ibm-keytype") ++ CT (CKA_IBM_CV, "ibm-cv") ++ CT (CKA_IBM_MACKEY, "ibm-mackey") ++ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data") ++ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params") ++ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1") ++ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable") ++ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable") ++ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform") ++ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho") ++ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed") ++ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr") ++ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1") ++ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2") ++ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0") ++ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1") ++ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey") + CT (CKA_NSS_URL, "nss-url") + CT (CKA_NSS_EMAIL, "nss-email") + CT (CKA_NSS_SMIME_INFO, "nss-smime-constant") +@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = + CT (CKK_AES, "aes") + CT (CKK_BLOWFISH, "blowfish") + CT (CKK_TWOFISH, "twofish") ++ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium") + CT (CKK_NSS_PKCS8, "nss-pkcs8") + { CKA_INVALID }, + }; +@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis + CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen") + CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen") + CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen") ++ CT (CKM_IBM_SHA3_224, "ibm-sha3-224") ++ CT (CKM_IBM_SHA3_256, "ibm-sha3-256") ++ CT (CKM_IBM_SHA3_384, "ibm-sha3-384") ++ CT (CKM_IBM_SHA3_512, "ibm-sha3-512") ++ CT (CKM_IBM_CMAC, "ibm-cmac") ++ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519") ++ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512") ++ CT (CKM_IBM_EC_X448, "ibm-ec-x448") ++ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3") ++ CT (CKM_IBM_DILITHIUM, "ibm-dilithium") ++ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac") ++ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac") ++ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac") ++ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac") ++ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap") + { CKA_INVALID }, + }; + +diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h +--- a/common/pkcs11x.h 2020-12-11 16:24:01.000000000 +0100 ++++ b/common/pkcs11x.h 2023-11-29 14:29:45.252554771 +0100 +@@ -181,6 +181,71 @@ typedef CK_ULONG + + #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */ + ++/* Define this if you want the IBM specific symbols */ ++#define CRYPTOKI_IBM_VENDOR_DEFINED 1 ++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED ++ ++#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023 ++ ++#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1) ++#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001) ++#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002) ++#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003) ++#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004) ++#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005) ++#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006) ++#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007) ++#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008) ++#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009) ++#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a) ++#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c) ++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d) ++#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001) ++#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002) ++#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003) ++#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004) ++#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005) ++#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006) ++#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007) ++#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008) ++#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100) ++ ++#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001) ++#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002) ++#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003) ++#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004) ++#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007) ++#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b) ++#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c) ++#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e) ++#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f) ++#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023) ++#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025) ++#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026) ++#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027) ++#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) ++#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) ++ ++/* ++ * If the caller is using the PKCS#11 GNU calling convention, then we cater ++ * to that here. ++ */ ++#ifdef CRYPTOKI_GNU ++#define hSignVerifyKey h_sign_verify_key ++#endif ++ ++struct ck_ibm_attributebound_wrap { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++}; ++ ++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#ifdef CRYPTOKI_GNU ++#undef hSignVerifyKey ++#endif ++ ++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ ++ + #if defined(__cplusplus) + } + #endif +diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build +--- a/p11-kit/meson.build 2023-11-29 14:27:53.265231072 +0100 ++++ b/p11-kit/meson.build 2023-11-29 14:29:45.264555020 +0100 +@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea + static_library('p11-kit-pkcs11-gnu', + gnu_h, + 'pkcs11-gnu.c', ++ c_args: [ ++ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1', ++ ], + include_directories: [configinc, commoninc]) + + # Tests ---------------------------------------------------------------- +diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h +--- a/p11-kit/p11-kit.h 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/p11-kit.h 2023-11-29 14:29:45.265555041 +0100 +@@ -43,12 +43,17 @@ + */ + #ifdef CRYPTOKI_GNU + typedef ck_rv_t CK_RV; ++typedef ck_object_handle_t CK_OBJECT_HANDLE; ++typedef unsigned long int CK_ULONG; + typedef struct ck_function_list* CK_FUNCTION_LIST_PTR; + typedef struct ck_function_list CK_FUNCTION_LIST; + #endif + + #include "p11-kit/deprecated.h" + ++/* For size_t. */ ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c +--- a/p11-kit/pkcs11-gnu.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/pkcs11-gnu.c 2023-11-29 14:29:45.265555041 +0100 +@@ -1,3 +1,8 @@ ++#include "config.h" ++ ++#include "p11-kit.h" ++#include "pkcs11x.h" ++ + #include "pkcs11-gnu-iter.h" + #include "pkcs11-gnu-pin.h" + #include "pkcs11-gnu-uri.h" +diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +--- a/p11-kit/rpc-client.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/rpc-client.c 2023-11-29 14:29:45.220554107 +0100 +@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag + #define IN_BYTE_BUFFER(arr, len) \ + if (len == NULL) \ + { _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \ +- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \ ++ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \ + { _ret = CKR_HOST_MEMORY; goto _cleanup; } + + #define IN_BYTE_ARRAY(arr, len) \ +@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se + CK_BYTE_PTR part, + CK_ULONG part_len) + { +- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD); +- + BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID); + IN_ULONG (session); + IN_BYTE_ARRAY (part, part_len); +diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +--- a/p11-kit/rpc-message.c 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-message.c 2023-11-29 14:29:45.243554584 +0100 +@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp + assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay")); + + /* No array, no data, just length */ +- if (!arr) { ++ if (!arr && num != 0) { + p11_rpc_buffer_add_byte (msg->output, 0); + p11_rpc_buffer_add_uint32 (msg->output, num); + } else { +@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_RESET_ON_INIT: + case CKA_HAS_RESET: + case CKA_COLOR: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_RETAINKEY: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ case CKA_IBM_PROTKEY_EXTRACTABLE: ++ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE: + return P11_RPC_VALUE_BYTE; + case CKA_CLASS: + case CKA_CERTIFICATE_TYPE: +@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_CHAR_COLUMNS: + case CKA_BITS_PER_PIXEL: + case CKA_MECHANISM_TYPE: ++ case CKA_IBM_DILITHIUM_KEYFORM: ++ case CKA_IBM_STD_COMPLIANCE1: ++ case CKA_IBM_KEYTYPE: + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: ++ case CKA_DERIVE_TEMPLATE: + return P11_RPC_VALUE_ATTRIBUTE_ARRAY; + case CKA_ALLOWED_MECHANISMS: + return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY; +@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_REQUIRED_CMS_ATTRIBUTES: + case CKA_DEFAULT_CMS_ATTRIBUTES: + case CKA_SUPPORTED_CMS_ATTRIBUTES: ++ case CKA_IBM_OPAQUE: ++ case CKA_IBM_CV: ++ case CKA_IBM_MACKEY: ++ case CKA_IBM_STRUCT_PARAMS: ++ case CKA_IBM_OPAQUE_PKEY: ++ case CKA_IBM_DILITHIUM_RHO: ++ case CKA_IBM_DILITHIUM_SEED: ++ case CKA_IBM_DILITHIUM_TR: ++ case CKA_IBM_DILITHIUM_S1: ++ case CKA_IBM_DILITHIUM_S2: ++ case CKA_IBM_DILITHIUM_T0: ++ case CKA_IBM_DILITHIUM_T1: + return P11_RPC_VALUE_BYTE_ARRAY; + } + } +@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani + return true; + } + ++void ++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */ ++ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.kdf can be converted to uint64_t. */ ++ if (params.kdf > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.kdf); ++ ++ /* parmas.shared_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.shared_data, ++ params.shared_data_len); ++ ++ /* parmas.public_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.public_data, ++ params.public_data_len); ++} ++ ++bool ++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ ++ ++ if (value) { ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ params.kdf = val; ++ params.shared_data = (void *) data1; ++ params.shared_data_len = len1; ++ params.public_data = (void *) data2; ++ params.public_data_len = len2; ++ ++ memcpy (value, ¶ms, sizeof (CK_ECDH1_DERIVE_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */ ++ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.hSignVerifyKey can be converted to uint64_t. */ ++ if (params.hSignVerifyKey > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey); ++} ++ ++bool ++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (value) { ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ params.hSignVerifyKey = val; ++ ++ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an AES IV. */ ++ if (value_length != 16) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 16) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_AES_CTR_PARAMS params; ++ ++ /* Check if value can be converted to CK_AES_CTR_PARAMS. */ ++ if (value_length != sizeof (CK_AES_CTR_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.counter_bits can be converted to uint64_t. */ ++ if (params.counter_bits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits); ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.cb, ++ sizeof(params.cb)); ++} ++ ++bool ++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (value) { ++ CK_AES_CTR_PARAMS params; ++ ++ params.ulCounterBits = val; ++ ++ if (len != sizeof (params.cb)) ++ return false; ++ ++ memcpy (params.cb, data, sizeof (params.cb)); ++ memcpy (value, ¶ms, sizeof (CK_AES_CTR_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_AES_CTR_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_GCM_PARAMS params; ++ ++ /* Check if value can be converted to CK_GCM_PARAMS. */ ++ if (value_length != sizeof (CK_GCM_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */ ++ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pIv, ++ params.ulIvLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits); ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pAAD, ++ params.ulAADLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits); ++} ++ ++bool ++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val1, val2; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2)) ++ return false; ++ ++ if (value) { ++ CK_GCM_PARAMS params; ++ ++ params.pIv = (void *) data1; ++ params.ulIvLen = len1; ++ params.ulIvBits = val1; ++ params.pAAD = (void *) data2; ++ params.ulAADLen = len2; ++ params.ulTagBits = val2; ++ ++ memcpy (value, ¶ms, sizeof (CK_GCM_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_GCM_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an DES IV. */ ++ if (value_length != 8) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 8) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ULONG val; ++ uint64_t params; ++ ++ /* ++ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which ++ * is a CK_ULONG. ++ */ ++ if (value_length != sizeof (CK_ULONG)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (&val, value, value_length); ++ params = val; ++ ++ p11_rpc_buffer_add_uint64 (buffer, params); ++} ++ ++bool ++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ CK_ULONG params; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ params = val; ++ ++ if (value) ++ memcpy (value, ¶ms, sizeof (params)); ++ ++ if (value_length) ++ *value_length = sizeof (params); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Mechanism parameter is public value of the other party */ ++ if (value_length == 0) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len == 0) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value } ++ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, ++ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, ++ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, ++ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value }, ++ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: ++ case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: +@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_EC_KEY_PAIR_GEN: + case CKM_ECDSA: + case CKM_ECDSA_SHA1: ++ case CKM_ECDSA_SHA224: ++ case CKM_ECDSA_SHA256: ++ case CKM_ECDSA_SHA384: ++ case CKM_ECDSA_SHA512: + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_PARAMETER_GEN: + case CKM_X9_42_DH_KEY_PAIR_GEN: +@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_AES_KEY_GEN: + case CKM_AES_ECB: + case CKM_AES_MAC: ++ case CKM_AES_CMAC: + case CKM_DES_KEY_GEN: + case CKM_DES2_KEY_GEN: + case CKM_DES3_KEY_GEN: +@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_RC2_MAC: + case CKM_DES_MAC: + case CKM_DES3_MAC: ++ case CKM_DES3_CMAC: + case CKM_CDMF_MAC: + case CKM_CAST_MAC: + case CKM_CAST3_MAC: +@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_MD5_HMAC: + case CKM_SHA_1: + case CKM_SHA_1_HMAC: ++ case CKM_SHA1_KEY_DERIVATION: ++ case CKM_SHA224: ++ case CKM_SHA224_HMAC: ++ case CKM_SHA224_KEY_DERIVATION: + case CKM_SHA256: + case CKM_SHA256_HMAC: ++ case CKM_SHA256_KEY_DERIVATION: + case CKM_SHA384: + case CKM_SHA384_HMAC: ++ case CKM_SHA384_KEY_DERIVATION: + case CKM_SHA512: + case CKM_SHA512_HMAC: ++ case CKM_SHA512_KEY_DERIVATION: ++ case CKM_SHA512_T: ++ case CKM_SHA512_T_HMAC: ++ case CKM_SHA512_T_KEY_DERIVATION: ++ case CKM_SHA512_224: ++ case CKM_SHA512_224_HMAC: ++ case CKM_SHA512_224_KEY_DERIVATION: ++ case CKM_SHA512_256: ++ case CKM_SHA512_256_HMAC: ++ case CKM_SHA512_256_KEY_DERIVATION: + case CKM_FASTHASH: + case CKM_RIPEMD128: + case CKM_RIPEMD128_HMAC: + case CKM_RIPEMD160: + case CKM_RIPEMD160_HMAC: + case CKM_KEY_WRAP_LYNKS: ++ case CKM_IBM_SHA3_224: ++ case CKM_IBM_SHA3_256: ++ case CKM_IBM_SHA3_384: ++ case CKM_IBM_SHA3_512: ++ case CKM_IBM_CMAC: ++ case CKM_IBM_DILITHIUM: ++ case CKM_IBM_SHA3_224_HMAC: ++ case CKM_IBM_SHA3_256_HMAC: ++ case CKM_IBM_SHA3_384_HMAC: ++ case CKM_IBM_SHA3_512_HMAC: ++ case CKM_IBM_ED25519_SHA512: ++ case CKM_IBM_ED448_SHA3: + return true; + default: + return false; +diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +--- a/p11-kit/rpc-message.h 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-message.h 2023-11-29 14:29:45.243554584 +0100 +@@ -42,6 +42,7 @@ + + #include "buffer.h" + #include "pkcs11.h" ++#include "pkcs11x.h" + + /* The calls, must be in sync with array below */ + enum { +@@ -478,5 +479,85 @@ bool p11_rpc_buffer_get_rsa_ + size_t *offset, + void *value, + CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); + + #endif /* _RPC_MESSAGE_H */ +diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +--- a/p11-kit/rpc-server.c 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-server.c 2023-11-29 14:29:45.221554128 +0100 +@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message + *n_buffer = length; + *buffer = NULL; + ++ /* length = -1 indicates length = 0, but buffer not NULL */ ++ if (length == (uint32_t)-1) { ++ *n_buffer = 0; ++ length = 1; /*allocate 1 dummy byte */ ++ } ++ + /* If set to zero, then they just want the length */ + if (length == 0) + return CKR_OK; diff --git a/p11-kit.spec b/p11-kit.spec index d22f0ce..b842443 100644 --- a/p11-kit.spec +++ b/p11-kit.spec @@ -1,6 +1,6 @@ # This spec file has been automatically updated Version: 0.23.22 -Release: 1%{?dist} +Release: 2%{?dist} Name: p11-kit Summary: Library for loading and sharing PKCS#11 modules @@ -14,6 +14,9 @@ Source4: p11-kit-client.service Patch0: 001-dt-needed.patch Patch1: 002-doc-dep.patch +# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6, +# b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6 +Patch2: 003-IBM-mechs-and-attrs.patch BuildRequires: gcc BuildRequires: libtasn1-devel >= 2.3 @@ -156,6 +159,10 @@ fi %changelog +* Fri Dec 01 2023 Zoltan Fridrich - 0.23.22-2 +- Add IBM specific mechanisms and attributes + Resolves: RHEL-10571 + * Mon Jan 11 2021 Daiki Ueno - 0.23.22-1 - Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363) - Preserve DT_NEEDED information from the previous version, flagged by rpmdiff