Compare commits

...

No commits in common. "imports/c8-beta/p11-kit-0.23.14-5.el8_0" and "c8" have entirely different histories.

9 changed files with 1111 additions and 779 deletions

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/p11-kit-0.23.14.tar.gz
SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
SOURCES/p11-kit-0.23.22.tar.xz
SOURCES/p11-kit-0.23.22.tar.xz.sig

View File

@ -1 +1,3 @@
30cab1d4b716022e6918f9a49976609c425f9cfc SOURCES/p11-kit-0.23.14.tar.gz
526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz
1ab50d9f01bb186c60c32b56467c6f9f56e365da SOURCES/p11-kit-0.23.22.tar.xz.sig

View File

@ -0,0 +1,42 @@
From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 18 Dec 2020 13:37:10 +0100
Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl
This adds the -ldl link flag missing in the meson build, but present
in the autotools build. Although the use-case is unlikely, this
allows those modules to be linked as a normal shared library to a
program.
---
p11-kit/meson.build | 1 +
trust/meson.build | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 7d57cd7..02147a9 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -92,6 +92,7 @@ if host_system != 'windows'
'client.c', 'client-init.c',
name_prefix: '',
include_directories: [configinc, commoninc],
+ dependencies: dlopen_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
diff --git a/trust/meson.build b/trust/meson.build
index 482a3c1..d4a8e15 100644
--- a/trust/meson.build
+++ b/trust/meson.build
@@ -56,7 +56,7 @@ shared_module('p11-kit-trust',
'module-init.c',
name_prefix: '',
c_args: p11_kit_trust_c_args,
- dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps,
+ dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps,
link_args: p11_module_ldflags,
link_depends: [p11_module_symbol_map,
p11_module_symbol_def],
--
2.29.2

42
SOURCES/002-doc-dep.patch Normal file
View File

@ -0,0 +1,42 @@
From 9f01a8a45ba913a9b65894cef9369b6010005096 Mon Sep 17 00:00:00 2001
From: Eli Schwartz <eschwartz@archlinux.org>
Date: Tue, 11 Jan 2022 23:25:05 -0500
Subject: [PATCH] gtkdoc: remove dependencies on custom target files
Sadly, the `dependencies` kwarg does not actually do what it seems to be
trying to be used for, here. It is for listing dependency or library
objects whose compiler flags should be added to gtkdoc-scangobj.
It will not actually add ninja target dependencies. The similar kwarg in
other meson functions (e.g. genmarshal and compile_schemas) that *do*
allow adding target dependencies, is `depend_files`.
Older versions of meson simply did nothing in an if/elif/elif block
where these custom_targets never matched anything, and were thus
silently ignored.
Meson 0.61 type-validates the arguments and rejects CustomTarget as
invalid:
```
doc/manual/meson.build:72:8: ERROR: gnome.gtkdoc keyword argument 'dependencies' was of type array[CustomTarget | PkgConfigDependency] but should have been array[Dependency | SharedLibrary | StaticLibrary]
```
Fixes #406
---
doc/manual/meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/manual/meson.build b/doc/manual/meson.build
index cf8758dbf..560df8dbc 100644
--- a/doc/manual/meson.build
+++ b/doc/manual/meson.build
@@ -73,7 +73,7 @@ if get_option('gtk_doc')
main_xml: 'p11-kit-docs.xml',
namespace: 'p11_kit',
src_dir: 'p11-kit',
- dependencies: libffi_deps + dlopen_deps + xml_deps,
+ dependencies: libffi_deps + dlopen_deps,
scan_args: [
'--ignore-headers=' + ' '.join(ignore_headers),
'--rebuild-types',

View File

@ -0,0 +1,953 @@
diff --color -ruNp a/common/attrs.c b/common/attrs.c
--- a/common/attrs.c 2020-12-11 15:48:46.000000000 +0100
+++ b/common/attrs.c 2023-11-29 14:29:45.130552239 +0100
@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU
X (CKA_TRUST_STEP_UP_APPROVED)
X (CKA_CERT_SHA1_HASH)
X (CKA_CERT_MD5_HASH)
+ X (CKA_IBM_OPAQUE)
+ X (CKA_IBM_RESTRICTABLE)
+ X (CKA_IBM_NEVER_MODIFIABLE)
+ X (CKA_IBM_RETAINKEY)
+ X (CKA_IBM_ATTRBOUND)
+ X (CKA_IBM_KEYTYPE)
+ X (CKA_IBM_CV)
+ X (CKA_IBM_MACKEY)
+ X (CKA_IBM_USE_AS_DATA)
+ X (CKA_IBM_STRUCT_PARAMS)
+ X (CKA_IBM_STD_COMPLIANCE1)
+ X (CKA_IBM_PROTKEY_EXTRACTABLE)
+ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
+ X (CKA_IBM_OPAQUE_PKEY)
+ X (CKA_IBM_DILITHIUM_KEYFORM)
+ X (CKA_IBM_DILITHIUM_RHO)
+ X (CKA_IBM_DILITHIUM_T1)
case CKA_VALUE:
return (klass != CKO_CERTIFICATE &&
klass != CKO_X_CERTIFICATE_EXTENSION);
diff --color -ruNp a/common/constants.c b/common/constants.c
--- a/common/constants.c 2020-12-11 15:48:46.000000000 +0100
+++ b/common/constants.c 2023-11-29 14:29:45.130552239 +0100
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[]
CT (CKA_WRAP_TEMPLATE, "wrap-template")
CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
+ CT (CKA_IBM_OPAQUE, "ibm-opaque")
+ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
+ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
+ CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
+ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
+ CT (CKA_IBM_KEYTYPE, "ibm-keytype")
+ CT (CKA_IBM_CV, "ibm-cv")
+ CT (CKA_IBM_MACKEY, "ibm-mackey")
+ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
+ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
+ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
+ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
+ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
+ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
+ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
+ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
+ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
+ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
+ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
+ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
+ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
+ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
CT (CKA_NSS_URL, "nss-url")
CT (CKA_NSS_EMAIL, "nss-email")
CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] =
CT (CKK_AES, "aes")
CT (CKK_BLOWFISH, "blowfish")
CT (CKK_TWOFISH, "twofish")
+ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
CT (CKK_NSS_PKCS8, "nss-pkcs8")
{ CKA_INVALID },
};
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis
CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
+ CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
+ CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
+ CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
+ CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
+ CT (CKM_IBM_CMAC, "ibm-cmac")
+ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
+ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
+ CT (CKM_IBM_EC_X448, "ibm-ec-x448")
+ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
+ CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
+ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
+ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
+ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
+ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
+ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
{ CKA_INVALID },
};
diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h
--- a/common/pkcs11x.h 2020-12-11 16:24:01.000000000 +0100
+++ b/common/pkcs11x.h 2023-11-29 14:29:45.252554771 +0100
@@ -181,6 +181,71 @@ typedef CK_ULONG
#endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+/* Define this if you want the IBM specific symbols */
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
+
+#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023
+
+#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)
+#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001)
+#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002)
+#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003)
+#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004)
+#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005)
+#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006)
+#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007)
+#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008)
+#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009)
+#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a)
+#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c)
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d)
+#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001)
+#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002)
+#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003)
+#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004)
+#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005)
+#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006)
+#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007)
+#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008)
+#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100)
+
+#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001)
+#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002)
+#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003)
+#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004)
+#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007)
+#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b)
+#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c)
+#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e)
+#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f)
+#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023)
+#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025)
+#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026)
+#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027)
+#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
+
+/*
+ * If the caller is using the PKCS#11 GNU calling convention, then we cater
+ * to that here.
+ */
+#ifdef CRYPTOKI_GNU
+#define hSignVerifyKey h_sign_verify_key
+#endif
+
+struct ck_ibm_attributebound_wrap {
+ CK_OBJECT_HANDLE hSignVerifyKey;
+};
+
+typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#ifdef CRYPTOKI_GNU
+#undef hSignVerifyKey
+#endif
+
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
+
#if defined(__cplusplus)
}
#endif
diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build
--- a/p11-kit/meson.build 2023-11-29 14:27:53.265231072 +0100
+++ b/p11-kit/meson.build 2023-11-29 14:29:45.264555020 +0100
@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea
static_library('p11-kit-pkcs11-gnu',
gnu_h,
'pkcs11-gnu.c',
+ c_args: [
+ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1',
+ ],
include_directories: [configinc, commoninc])
# Tests ----------------------------------------------------------------
diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
--- a/p11-kit/p11-kit.h 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/p11-kit.h 2023-11-29 14:29:45.265555041 +0100
@@ -43,12 +43,17 @@
*/
#ifdef CRYPTOKI_GNU
typedef ck_rv_t CK_RV;
+typedef ck_object_handle_t CK_OBJECT_HANDLE;
+typedef unsigned long int CK_ULONG;
typedef struct ck_function_list* CK_FUNCTION_LIST_PTR;
typedef struct ck_function_list CK_FUNCTION_LIST;
#endif
#include "p11-kit/deprecated.h"
+/* For size_t. */
+#include <stddef.h>
+
#ifdef __cplusplus
extern "C" {
#endif
diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c
--- a/p11-kit/pkcs11-gnu.c 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/pkcs11-gnu.c 2023-11-29 14:29:45.265555041 +0100
@@ -1,3 +1,8 @@
+#include "config.h"
+
+#include "p11-kit.h"
+#include "pkcs11x.h"
+
#include "pkcs11-gnu-iter.h"
#include "pkcs11-gnu-pin.h"
#include "pkcs11-gnu-uri.h"
diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
--- a/p11-kit/rpc-client.c 2020-12-11 15:48:46.000000000 +0100
+++ b/p11-kit/rpc-client.c 2023-11-29 14:29:45.220554107 +0100
@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag
#define IN_BYTE_BUFFER(arr, len) \
if (len == NULL) \
{ _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \
- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \
+ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \
{ _ret = CKR_HOST_MEMORY; goto _cleanup; }
#define IN_BYTE_ARRAY(arr, len) \
@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se
CK_BYTE_PTR part,
CK_ULONG part_len)
{
- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD);
-
BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID);
IN_ULONG (session);
IN_BYTE_ARRAY (part, part_len);
diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
--- a/p11-kit/rpc-message.c 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-message.c 2023-11-29 14:29:45.243554584 +0100
@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp
assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay"));
/* No array, no data, just length */
- if (!arr) {
+ if (!arr && num != 0) {
p11_rpc_buffer_add_byte (msg->output, 0);
p11_rpc_buffer_add_uint32 (msg->output, num);
} else {
@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_RESET_ON_INIT:
case CKA_HAS_RESET:
case CKA_COLOR:
+ case CKA_IBM_RESTRICTABLE:
+ case CKA_IBM_NEVER_MODIFIABLE:
+ case CKA_IBM_RETAINKEY:
+ case CKA_IBM_ATTRBOUND:
+ case CKA_IBM_USE_AS_DATA:
+ case CKA_IBM_PROTKEY_EXTRACTABLE:
+ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
return P11_RPC_VALUE_BYTE;
case CKA_CLASS:
case CKA_CERTIFICATE_TYPE:
@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_CHAR_COLUMNS:
case CKA_BITS_PER_PIXEL:
case CKA_MECHANISM_TYPE:
+ case CKA_IBM_DILITHIUM_KEYFORM:
+ case CKA_IBM_STD_COMPLIANCE1:
+ case CKA_IBM_KEYTYPE:
return P11_RPC_VALUE_ULONG;
case CKA_WRAP_TEMPLATE:
case CKA_UNWRAP_TEMPLATE:
+ case CKA_DERIVE_TEMPLATE:
return P11_RPC_VALUE_ATTRIBUTE_ARRAY;
case CKA_ALLOWED_MECHANISMS:
return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;
@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT
case CKA_REQUIRED_CMS_ATTRIBUTES:
case CKA_DEFAULT_CMS_ATTRIBUTES:
case CKA_SUPPORTED_CMS_ATTRIBUTES:
+ case CKA_IBM_OPAQUE:
+ case CKA_IBM_CV:
+ case CKA_IBM_MACKEY:
+ case CKA_IBM_STRUCT_PARAMS:
+ case CKA_IBM_OPAQUE_PKEY:
+ case CKA_IBM_DILITHIUM_RHO:
+ case CKA_IBM_DILITHIUM_SEED:
+ case CKA_IBM_DILITHIUM_TR:
+ case CKA_IBM_DILITHIUM_S1:
+ case CKA_IBM_DILITHIUM_S2:
+ case CKA_IBM_DILITHIUM_T0:
+ case CKA_IBM_DILITHIUM_T1:
return P11_RPC_VALUE_BYTE_ARRAY;
}
}
@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani
return true;
}
+void
+p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */
+ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.kdf can be converted to uint64_t. */
+ if (params.kdf > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.kdf);
+
+ /* parmas.shared_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.shared_data,
+ params.shared_data_len);
+
+ /* parmas.public_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.public_data,
+ params.public_data_len);
+}
+
+bool
+p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+
+
+ if (value) {
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ params.kdf = val;
+ params.shared_data = (void *) data1;
+ params.shared_data_len = len1;
+ params.public_data = (void *) data2;
+ params.public_data_len = len2;
+
+ memcpy (value, &params, sizeof (CK_ECDH1_DERIVE_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
+ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.hSignVerifyKey can be converted to uint64_t. */
+ if (params.hSignVerifyKey > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
+}
+
+bool
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (value) {
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ params.hSignVerifyKey = val;
+
+ memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an AES IV. */
+ if (value_length != 16) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 16)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_AES_CTR_PARAMS params;
+
+ /* Check if value can be converted to CK_AES_CTR_PARAMS. */
+ if (value_length != sizeof (CK_AES_CTR_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.counter_bits can be converted to uint64_t. */
+ if (params.counter_bits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits);
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.cb,
+ sizeof(params.cb));
+}
+
+bool
+p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (value) {
+ CK_AES_CTR_PARAMS params;
+
+ params.ulCounterBits = val;
+
+ if (len != sizeof (params.cb))
+ return false;
+
+ memcpy (params.cb, data, sizeof (params.cb));
+ memcpy (value, &params, sizeof (CK_AES_CTR_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_AES_CTR_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_GCM_PARAMS params;
+
+ /* Check if value can be converted to CK_GCM_PARAMS. */
+ if (value_length != sizeof (CK_GCM_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */
+ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pIv,
+ params.ulIvLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits);
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pAAD,
+ params.ulAADLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits);
+}
+
+bool
+p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val1, val2;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2))
+ return false;
+
+ if (value) {
+ CK_GCM_PARAMS params;
+
+ params.pIv = (void *) data1;
+ params.ulIvLen = len1;
+ params.ulIvBits = val1;
+ params.pAAD = (void *) data2;
+ params.ulAADLen = len2;
+ params.ulTagBits = val2;
+
+ memcpy (value, &params, sizeof (CK_GCM_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_GCM_PARAMS);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an DES IV. */
+ if (value_length != 8) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 8)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ULONG val;
+ uint64_t params;
+
+ /*
+ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which
+ * is a CK_ULONG.
+ */
+ if (value_length != sizeof (CK_ULONG)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&val, value, value_length);
+ params = val;
+
+ p11_rpc_buffer_add_uint64 (buffer, params);
+}
+
+bool
+p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ CK_ULONG params;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ params = val;
+
+ if (value)
+ memcpy (value, &params, sizeof (params));
+
+ if (value_length)
+ *value_length = sizeof (params);
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Mechanism parameter is public value of the other party */
+ if (value_length == 0) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len == 0)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
+ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
+ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
+ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
+ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value },
+ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_MD2_RSA_PKCS:
case CKM_MD5_RSA_PKCS:
case CKM_SHA1_RSA_PKCS:
+ case CKM_SHA224_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_EC_KEY_PAIR_GEN:
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA224:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
case CKM_DH_PKCS_KEY_PAIR_GEN:
case CKM_DH_PKCS_PARAMETER_GEN:
case CKM_X9_42_DH_KEY_PAIR_GEN:
@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_AES_KEY_GEN:
case CKM_AES_ECB:
case CKM_AES_MAC:
+ case CKM_AES_CMAC:
case CKM_DES_KEY_GEN:
case CKM_DES2_KEY_GEN:
case CKM_DES3_KEY_GEN:
@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_RC2_MAC:
case CKM_DES_MAC:
case CKM_DES3_MAC:
+ case CKM_DES3_CMAC:
case CKM_CDMF_MAC:
case CKM_CAST_MAC:
case CKM_CAST3_MAC:
@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS
case CKM_MD5_HMAC:
case CKM_SHA_1:
case CKM_SHA_1_HMAC:
+ case CKM_SHA1_KEY_DERIVATION:
+ case CKM_SHA224:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA224_KEY_DERIVATION:
case CKM_SHA256:
case CKM_SHA256_HMAC:
+ case CKM_SHA256_KEY_DERIVATION:
case CKM_SHA384:
case CKM_SHA384_HMAC:
+ case CKM_SHA384_KEY_DERIVATION:
case CKM_SHA512:
case CKM_SHA512_HMAC:
+ case CKM_SHA512_KEY_DERIVATION:
+ case CKM_SHA512_T:
+ case CKM_SHA512_T_HMAC:
+ case CKM_SHA512_T_KEY_DERIVATION:
+ case CKM_SHA512_224:
+ case CKM_SHA512_224_HMAC:
+ case CKM_SHA512_224_KEY_DERIVATION:
+ case CKM_SHA512_256:
+ case CKM_SHA512_256_HMAC:
+ case CKM_SHA512_256_KEY_DERIVATION:
case CKM_FASTHASH:
case CKM_RIPEMD128:
case CKM_RIPEMD128_HMAC:
case CKM_RIPEMD160:
case CKM_RIPEMD160_HMAC:
case CKM_KEY_WRAP_LYNKS:
+ case CKM_IBM_SHA3_224:
+ case CKM_IBM_SHA3_256:
+ case CKM_IBM_SHA3_384:
+ case CKM_IBM_SHA3_512:
+ case CKM_IBM_CMAC:
+ case CKM_IBM_DILITHIUM:
+ case CKM_IBM_SHA3_224_HMAC:
+ case CKM_IBM_SHA3_256_HMAC:
+ case CKM_IBM_SHA3_384_HMAC:
+ case CKM_IBM_SHA3_512_HMAC:
+ case CKM_IBM_ED25519_SHA512:
+ case CKM_IBM_ED448_SHA3:
return true;
default:
return false;
diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
--- a/p11-kit/rpc-message.h 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-message.h 2023-11-29 14:29:45.243554584 +0100
@@ -42,6 +42,7 @@
#include "buffer.h"
#include "pkcs11.h"
+#include "pkcs11x.h"
/* The calls, must be in sync with array below */
enum {
@@ -478,5 +479,85 @@ bool p11_rpc_buffer_get_rsa_
size_t *offset,
void *value,
CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
#endif /* _RPC_MESSAGE_H */
diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
--- a/p11-kit/rpc-server.c 2020-12-11 16:25:36.000000000 +0100
+++ b/p11-kit/rpc-server.c 2023-11-29 14:29:45.221554128 +0100
@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message
*n_buffer = length;
*buffer = NULL;
+ /* length = -1 indicates length = 0, but buffer not NULL */
+ if (length == (uint32_t)-1) {
+ *n_buffer = 0;
+ length = 1; /*allocate 1 dummy byte */
+ }
+
/* If set to zero, then they just want the length */
if (length == 0)
return CKR_OK;

View File

@ -1,623 +0,0 @@
From 8a8db182af533a43b4d478d28af8623035475d68 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:05:10 +0200
Subject: [PATCH 01/10] debug: Work around cppcheck false-positives
https://trac.cppcheck.net/ticket/8794
---
common/debug.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/debug.h b/common/debug.h
index 255c62c..7ea36f3 100644
--- a/common/debug.h
+++ b/common/debug.h
@@ -71,13 +71,13 @@ void p11_debug_precond (const char *format,
#endif
#define return_val_if_fail(x, v) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
return v; \
} } while (false)
#define return_if_fail(x) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
return; \
} } while (false)
@@ -100,7 +100,7 @@ void p11_debug_precond (const char *format,
} while (false)
#define warn_if_fail(x) \
- do { if (!(x)) { \
+ do { if (x) { } else { \
p11_debug_precond ("p11-kit: '%s' not true at %s\n", #x, __func__); \
} } while (false)
--
2.17.2
From c76197ddbbd0c29adc2bceff2ee9f740f71d134d Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:06:56 +0200
Subject: [PATCH 02/10] build: Call va_end() always when leaving the function
---
common/attrs.c | 4 +++-
common/compat.c | 5 ++++-
common/path.c | 5 ++++-
trust/parser.c | 4 +++-
4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/common/attrs.c b/common/attrs.c
index aa91891..a387a66 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -538,8 +538,10 @@ buffer_append_printf (p11_buffer *buffer,
va_list va;
va_start (va, format);
- if (vasprintf (&string, format, va) < 0)
+ if (vasprintf (&string, format, va) < 0) {
+ va_end (va);
return_if_reached ();
+ }
va_end (va);
p11_buffer_add (buffer, string, -1);
diff --git a/common/compat.c b/common/compat.c
index 5a9702d..48614fa 100644
--- a/common/compat.c
+++ b/common/compat.c
@@ -525,7 +525,10 @@ strconcat (const char *first,
for (arg = first; arg; arg = va_arg (va, const char*)) {
size_t old_length = length;
length += strlen (arg);
- return_val_if_fail (length >= old_length, NULL);
+ if (length < old_length) {
+ va_end (va);
+ return_val_if_reached (NULL);
+ }
}
va_end (va);
diff --git a/common/path.c b/common/path.c
index 5cf0e1a..17a6230 100644
--- a/common/path.c
+++ b/common/path.c
@@ -218,7 +218,10 @@ p11_path_build (const char *path,
while (path != NULL) {
size_t old_len = len;
len += strlen (path) + 1;
- return_val_if_fail (len >= old_len, NULL);
+ if (len < old_len) {
+ va_end (va);
+ return_val_if_reached (NULL);
+ }
path = va_arg (va, const char *);
}
va_end (va);
diff --git a/trust/parser.c b/trust/parser.c
index f92cdc9..e912c3a 100644
--- a/trust/parser.c
+++ b/trust/parser.c
@@ -697,8 +697,10 @@ p11_parser_formats (p11_parser *parser,
func = va_arg (va, parser_func);
if (func == NULL)
break;
- if (!p11_array_push (formats, func))
+ if (!p11_array_push (formats, func)) {
+ va_end (va);
return_if_reached ();
+ }
}
va_end (va);
--
2.17.2
From b10dadce5a3c921149b2c9fe0dec614f8076ebda Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:10:05 +0200
Subject: [PATCH 03/10] build: Free memory before return{,_val}_if_* macros
---
p11-kit/iter.c | 5 ++++-
p11-kit/proxy.c | 10 ++++++++--
trust/asn1.c | 15 ++++++++++++---
trust/builder.c | 5 ++++-
trust/index.c | 10 ++++++++--
trust/persist.c | 5 ++++-
trust/save.c | 29 +++++++++++++++++++++++++----
trust/session.c | 10 ++++++++--
trust/token.c | 5 ++++-
9 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/p11-kit/iter.c b/p11-kit/iter.c
index 0e4ca6e..d1ffd91 100644
--- a/p11-kit/iter.c
+++ b/p11-kit/iter.c
@@ -157,7 +157,10 @@ p11_kit_iter_new (P11KitUri *uri,
return_val_if_fail (iter != NULL, NULL);
iter->modules = p11_array_new (NULL);
- return_val_if_fail (iter->modules != NULL, NULL);
+ if (iter->modules == NULL) {
+ p11_kit_iter_free (iter);
+ return_val_if_reached (NULL);
+ }
iter->want_writable = !!(behavior & P11_KIT_ITER_WANT_WRITABLE);
iter->preload_results = !(behavior & P11_KIT_ITER_BUSY_SESSIONS);
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index b7fb63d..abe7935 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -267,7 +267,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
py->forkid = p11_forkid;
py->inited = modules_dup (loaded);
- return_val_if_fail (py->inited != NULL, CKR_HOST_MEMORY);
+ if (py->inited == NULL) {
+ proxy_free (py, 0);
+ return_val_if_reached (CKR_HOST_MEMORY);
+ }
rv = p11_kit_modules_initialize (py->inited, NULL);
@@ -320,7 +323,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
}
py->sessions = p11_dict_new (p11_dict_ulongptr_hash, p11_dict_ulongptr_equal, NULL, free);
- return_val_if_fail (py->sessions != NULL, CKR_HOST_MEMORY);
+ if (py->sessions == NULL) {
+ proxy_free (py, 1);
+ return_val_if_reached (CKR_HOST_MEMORY);
+ }
py->refs = 1;
*res = py;
diff --git a/trust/asn1.c b/trust/asn1.c
index dd1812d..5ce682d 100644
--- a/trust/asn1.c
+++ b/trust/asn1.c
@@ -285,11 +285,17 @@ p11_asn1_cache_new (void)
return_val_if_fail (cache != NULL, NULL);
cache->defs = p11_asn1_defs_load ();
- return_val_if_fail (cache->defs != NULL, NULL);
+ if (cache->defs == NULL) {
+ p11_asn1_cache_free (cache);
+ return_val_if_reached (NULL);
+ }
cache->items = p11_dict_new (p11_dict_direct_hash, p11_dict_direct_equal,
NULL, free_asn1_item);
- return_val_if_fail (cache->items != NULL, NULL);
+ if (cache->items == NULL) {
+ p11_asn1_cache_free (cache);
+ return_val_if_reached (NULL);
+ }
return cache;
}
@@ -342,7 +348,10 @@ p11_asn1_cache_take (p11_asn1_cache *cache,
item->length = der_len;
item->node = node;
item->struct_name = strdup (struct_name);
- return_if_fail (item->struct_name != NULL);
+ if (item->struct_name == NULL) {
+ free_asn1_item (item);
+ return_if_reached ();
+ }
if (!p11_dict_set (cache->items, (void *)der, item))
return_if_reached ();
diff --git a/trust/builder.c b/trust/builder.c
index 742c544..d819dc8 100644
--- a/trust/builder.c
+++ b/trust/builder.c
@@ -187,7 +187,10 @@ p11_builder_new (int flags)
return_val_if_fail (builder != NULL, NULL);
builder->asn1_cache = p11_asn1_cache_new ();
- return_val_if_fail (builder->asn1_cache, NULL);
+ if (builder->asn1_cache == NULL) {
+ p11_builder_free (builder);
+ return_val_if_reached (NULL);
+ }
builder->asn1_defs = p11_asn1_cache_defs (builder->asn1_cache);
builder->flags = flags;
diff --git a/trust/index.c b/trust/index.c
index f4b6b4b..6a8e535 100644
--- a/trust/index.c
+++ b/trust/index.c
@@ -170,10 +170,16 @@ p11_index_new (p11_index_build_cb build,
index->objects = p11_dict_new (p11_dict_ulongptr_hash,
p11_dict_ulongptr_equal,
NULL, free_object);
- return_val_if_fail (index->objects != NULL, NULL);
+ if (index->objects == NULL) {
+ p11_index_free (index);
+ return_val_if_reached (NULL);
+ }
index->buckets = calloc (NUM_BUCKETS, sizeof (index_bucket));
- return_val_if_fail (index->buckets != NULL, NULL);
+ if (index->buckets == NULL) {
+ p11_index_free (index);
+ return_val_if_reached (NULL);
+ }
return index;
}
diff --git a/trust/persist.c b/trust/persist.c
index 887b316..569cea1 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -89,7 +89,10 @@ p11_persist_new (void)
return_val_if_fail (persist != NULL, NULL);
persist->constants = p11_constant_reverse (true);
- return_val_if_fail (persist->constants != NULL, NULL);
+ if (persist->constants == NULL) {
+ free (persist);
+ return_val_if_reached (NULL);
+ }
return persist;
}
diff --git a/trust/save.c b/trust/save.c
index abff864..8184e13 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -68,6 +68,8 @@ static char * make_unique_name (const char *bare,
const char *extension,
int (*check) (void *, char *),
void *data);
+static void filo_free (p11_save_file *file);
+static void dir_free (p11_save_dir *dir);
bool
p11_save_write_and_finish (p11_save_file *file,
@@ -114,9 +116,15 @@ p11_save_open_file (const char *path,
return_val_if_fail (file != NULL, NULL);
file->temp = temp;
file->bare = strdup (path);
- return_val_if_fail (file->bare != NULL, NULL);
+ if (file->bare == NULL) {
+ filo_free (file);
+ return_val_if_reached (NULL);
+ }
file->extension = strdup (extension);
- return_val_if_fail (file->extension != NULL, NULL);
+ if (file->extension == NULL) {
+ filo_free (file);
+ return_val_if_reached (NULL);
+ }
file->flags = flags;
file->fd = fd;
@@ -166,6 +174,13 @@ filo_free (p11_save_file *file)
free (file);
}
+static void
+dir_free (p11_save_dir *dir) {
+ p11_dict_free (dir->cache);
+ free (dir->path);
+ free (dir);
+}
+
#ifdef OS_UNIX
static int
@@ -349,10 +364,16 @@ p11_save_open_directory (const char *path,
return_val_if_fail (dir != NULL, NULL);
dir->path = strdup (path);
- return_val_if_fail (dir->path != NULL, NULL);
+ if (dir->path == NULL) {
+ dir_free (dir);
+ return_val_if_reached (NULL);
+ }
dir->cache = p11_dict_new (p11_dict_str_hash, p11_dict_str_equal, free, NULL);
- return_val_if_fail (dir->cache != NULL, NULL);
+ if (dir->cache == NULL) {
+ dir_free (dir);
+ return_val_if_reached (NULL);
+ }
dir->flags = flags;
return dir;
diff --git a/trust/session.c b/trust/session.c
index b93a5c3..d464394 100644
--- a/trust/session.c
+++ b/trust/session.c
@@ -59,12 +59,18 @@ p11_session_new (p11_token *token)
session->handle = p11_module_next_id ();
session->builder = p11_builder_new (P11_BUILDER_FLAG_NONE);
- return_val_if_fail (session->builder, NULL);
+ if (session->builder == NULL) {
+ p11_session_free (session);
+ return_val_if_reached (NULL);
+ }
session->index = p11_index_new (p11_builder_build, NULL, NULL,
p11_builder_changed,
session->builder);
- return_val_if_fail (session->index != NULL, NULL);
+ if (session->index == NULL) {
+ p11_session_free (session);
+ return_val_if_reached (NULL);
+ }
session->token = token;
diff --git a/trust/token.c b/trust/token.c
index 4cbcc77..fd3b043 100644
--- a/trust/token.c
+++ b/trust/token.c
@@ -829,7 +829,10 @@ p11_token_new (CK_SLOT_ID slot,
return_val_if_fail (token != NULL, NULL);
token->builder = p11_builder_new (P11_BUILDER_FLAG_TOKEN);
- return_val_if_fail (token->builder != NULL, NULL);
+ if (token->builder == NULL) {
+ p11_token_free (token);
+ return_val_if_reached (NULL);
+ }
token->index = p11_index_new (on_index_build,
on_index_store,
--
2.17.2
From 06323aed926ddc67bd18ed98e5af92035a8e3d39 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:14:46 +0200
Subject: [PATCH 04/10] build: Check return value of p11_dict_set
---
p11-kit/proxy.c | 3 ++-
p11-kit/rpc-server.c | 6 +++++-
trust/module.c | 3 ++-
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index abe7935..11e6165 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -612,7 +612,8 @@ proxy_C_OpenSession (CK_X_FUNCTION_LIST *self,
sess->wrap_slot = map.wrap_slot;
sess->real_session = *handle;
sess->wrap_session = ++state->last_handle; /* TODO: Handle wrapping, and then collisions */
- p11_dict_set (state->px->sessions, &sess->wrap_session, sess);
+ if (!p11_dict_set (state->px->sessions, &sess->wrap_session, sess))
+ warn_if_reached ();
*handle = sess->wrap_session;
}
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 2db3524..3a8991d 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2226,7 +2226,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
p11_message_err (error, "couldn't subclass filter");
goto out;
}
- p11_dict_set (filters, module, filter);
+ if (!p11_dict_set (filters, module, filter)) {
+ error = EINVAL;
+ p11_message_err (error, "couldn't register filter");
+ goto out;
+ }
}
for (i = 0; i < n_tokens; i++) {
diff --git a/trust/module.c b/trust/module.c
index e09113b..24cda87 100644
--- a/trust/module.c
+++ b/trust/module.c
@@ -1321,7 +1321,8 @@ find_objects_match (CK_ATTRIBUTE *attrs,
}
value = memdup (oid->pValue, oid->ulValueLen);
return_val_if_fail (value != NULL, false);
- p11_dict_set (find->extensions, value, value);
+ if (!p11_dict_set (find->extensions, value, value))
+ warn_if_reached ();
}
}
--
2.17.2
From 213ea0815ef45411bf6c134918b79d2aad69c1dc Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:16:12 +0200
Subject: [PATCH 05/10] build: Check return value of p11_rpc_buffer_get_uint64
---
p11-kit/rpc-client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index 0dd4525..e202e37 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -371,7 +371,8 @@ proto_read_ulong_array (p11_rpc_message *msg, CK_ULONG_PTR arr,
/* We need to go ahead and read everything in all cases */
for (i = 0; i < num; ++i) {
- p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val);
+ if (!p11_rpc_buffer_get_uint64 (msg->input, &msg->parsed, &val))
+ return PARSE_ERROR;
if (arr)
arr[i] = (CK_ULONG)val;
}
--
2.17.2
From 1f78cb0b4dd193ec1f1b2b424a497a6c2edec043 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:16:51 +0200
Subject: [PATCH 06/10] rpc-server: p11_kit_remote_serve_tokens: Fix memleak
---
p11-kit/rpc-server.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 3a8991d..5b3dbf0 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2285,6 +2285,11 @@ p11_kit_remote_serve_tokens (const char **tokens,
p11_kit_modules_release (modules);
if (error != 0)
errno = error;
+ if (uris) {
+ for (i = 0; i < n_tokens; i++)
+ p11_kit_uri_free (uris[i]);
+ free (uris);
+ }
return ret;
}
--
2.17.2
From 033cd90806cb1e2eab7e799703757abc2f07052e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:18:05 +0200
Subject: [PATCH 07/10] proxy: Fix null dereference when reusing slots
---
p11-kit/proxy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 11e6165..8eaf205 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -307,7 +307,10 @@ proxy_create (Proxy **res, CK_FUNCTION_LIST **loaded,
break;
}
py->mappings[py->n_mappings].funcs = funcs;
- py->mappings[py->n_mappings].wrap_slot = j == n_mappings ? py->n_mappings + MAPPING_OFFSET : mappings[j].wrap_slot;
+ py->mappings[py->n_mappings].wrap_slot =
+ (n_mappings == 0 || j == n_mappings) ?
+ py->n_mappings + MAPPING_OFFSET :
+ mappings[j].wrap_slot;
py->mappings[py->n_mappings].real_slot = slots[i];
++py->n_mappings;
}
--
2.17.2
From da73c2804b3ca962fa51473bb4c303a5ed32d4a1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Tue, 16 Oct 2018 18:20:12 +0200
Subject: [PATCH 08/10] trust: Set umask before calling mkstemp
---
trust/save.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/trust/save.c b/trust/save.c
index 8184e13..bb77348 100644
--- a/trust/save.c
+++ b/trust/save.c
@@ -95,6 +95,7 @@ p11_save_open_file (const char *path,
{
p11_save_file *file;
char *temp;
+ mode_t mode;
int fd;
return_val_if_fail (path != NULL, NULL);
@@ -105,7 +106,9 @@ p11_save_open_file (const char *path,
if (asprintf (&temp, "%s%s.XXXXXX", path, extension) < 0)
return_val_if_reached (NULL);
+ mode = umask (0077);
fd = mkstemp (temp);
+ umask (mode);
if (fd < 0) {
p11_message_err (errno, "couldn't create file: %s%s", path, extension);
free (temp);
--
2.17.2
From 6417780ebbbbb0f01ddb001b239347655fb98578 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 17 Oct 2018 09:53:27 +0200
Subject: [PATCH 09/10] rpc-server: Check calloc failure
---
p11-kit/rpc-server.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index 5b3dbf0..3216742 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -2219,6 +2219,10 @@ p11_kit_remote_serve_tokens (const char **tokens,
filter = p11_dict_get (filters, module);
if (filter == NULL) {
lower = calloc (1, sizeof (p11_virtual));
+ if (lower == NULL) {
+ error = ENOMEM;
+ goto out;
+ }
p11_virtual_init (lower, &p11_virtual_base, module, NULL);
filter = p11_filter_subclass (lower, NULL);
if (filter == NULL) {
--
2.17.2
From 83e92c2f9575707083d8b0c70ef330e285d70836 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Wed, 17 Oct 2018 09:53:46 +0200
Subject: [PATCH 10/10] trust: Check index->buckets is allocated on cleanup
---
trust/index.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/trust/index.c b/trust/index.c
index 6a8e535..2d1da29 100644
--- a/trust/index.c
+++ b/trust/index.c
@@ -193,9 +193,11 @@ p11_index_free (p11_index *index)
p11_dict_free (index->objects);
p11_dict_free (index->changes);
- for (i = 0; i < NUM_BUCKETS; i++)
- free (index->buckets[i].elem);
- free (index->buckets);
+ if (index->buckets) {
+ for (i = 0; i < NUM_BUCKETS; i++)
+ free (index->buckets[i].elem);
+ free (index->buckets);
+ }
free (index);
}
--
2.17.2

View File

@ -1,71 +0,0 @@
From 6e1046de2233fba7875d3d6a1b260192678dd0ad Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 19 Oct 2018 10:21:36 +0200
Subject: [PATCH] virtual: Prefer fixed closures to libffi closures
On some circumstances (such as when loading p11-kit-proxy from httpd),
it is known that creation of libffi closure always fails, due to
SELinux policy. Although this is harmless, it pollutes the journal
and gives wrong hints when troubleshooting. This patch changes the
order of preference of libffi vs pre-compiled closures to avoid that.
---
p11-kit/virtual.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/p11-kit/virtual.c b/p11-kit/virtual.c
index 6abfe7a..338239f 100644
--- a/p11-kit/virtual.c
+++ b/p11-kit/virtual.c
@@ -2832,9 +2832,14 @@ p11_virtual_wrap (p11_virtual *virt,
p11_destroyer destroyer)
{
Wrapper *wrapper;
+ CK_FUNCTION_LIST *result;
return_val_if_fail (virt != NULL, NULL);
+ result = p11_virtual_wrap_fixed (virt, destroyer);
+ if (result)
+ return result;
+
wrapper = calloc (1, sizeof (Wrapper));
return_val_if_fail (wrapper != NULL, NULL);
@@ -2844,8 +2849,10 @@ p11_virtual_wrap (p11_virtual *virt,
wrapper->bound.version.minor = CRYPTOKI_VERSION_MINOR;
wrapper->fixed_index = -1;
- if (!init_wrapper_funcs (wrapper))
- return p11_virtual_wrap_fixed (virt, destroyer);
+ if (!init_wrapper_funcs (wrapper)) {
+ free (wrapper);
+ return_val_if_reached (NULL);
+ }
assert ((void *)wrapper == (void *)&wrapper->bound);
assert (p11_virtual_is_wrapper (&wrapper->bound));
@@ -2859,7 +2866,11 @@ CK_FUNCTION_LIST *
p11_virtual_wrap (p11_virtual *virt,
p11_destroyer destroyer)
{
- return p11_virtual_wrap_fixed (virt, destroyer);
+ CK_FUNCTION_LIST *result;
+
+ result = p11_virtual_wrap_fixed (virt, destroyer);
+ return_val_if_fail (result != NULL, NULL);
+ return result;
}
#endif /* !FFI_CLOSURES */
@@ -3068,8 +3079,6 @@ p11_virtual_wrap_fixed (p11_virtual *virt,
}
p11_mutex_unlock (&p11_virtual_mutex);
- return_val_if_fail (result != NULL, NULL);
-
return result;
}
--
2.17.2

View File

@ -1,49 +0,0 @@
From 4a925177a81c2566d2a81a0a450607a5ff4d9048 Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Wed, 27 Feb 2019 12:25:20 +0100
Subject: [PATCH] modules: check gl.modules before iterates on it when freeing
In some circumstances, as described in the BZ, can happen that
free_modules_when_no_refs_unlocked() is called multiple times
when the module destructor is invoked.
We should check gl.modules before iterates on it in the
free_modules_when_no_refs_unlocked() functions, to avoid
a SIGSEGV.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1680963
---
p11-kit/modules.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/p11-kit/modules.c b/p11-kit/modules.c
index 0299eda..891ce4c 100644
--- a/p11-kit/modules.c
+++ b/p11-kit/modules.c
@@ -797,14 +797,16 @@ init_globals_unlocked (void)
static void
free_modules_when_no_refs_unlocked (void)
{
- Module *mod;
- p11_dictiter iter;
-
- /* Check if any modules have a ref count */
- p11_dict_iterate (gl.modules, &iter);
- while (p11_dict_next (&iter, (void **)&mod, NULL)) {
- if (mod->ref_count)
- return;
+ if (gl.modules) {
+ Module *mod;
+ p11_dictiter iter;
+
+ /* Check if any modules have a ref count */
+ p11_dict_iterate (gl.modules, &iter);
+ while (p11_dict_next (&iter, (void **)&mod, NULL)) {
+ if (mod->ref_count)
+ return;
+ }
}
p11_dict_free (gl.unmanaged_by_funcs);
--
2.20.1

View File

@ -1,26 +1,38 @@
# This spec file has been automatically updated
Version: 0.23.14
Release: 5%{?dist}
Version: 0.23.22
Release: 2%{?dist}
Name: p11-kit
Summary: Library for loading and sharing PKCS#11 modules
License: BSD
License: BSD-3-Clause
URL: http://p11-glue.freedesktop.org/p11-kit.html
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz
Source1: trust-extract-compat
Source2: p11-kit-client.service
Patch1: p11-kit-coverity.patch
Patch2: p11-kit-lower-libffi-priority.patch
Patch3: p11-kit-unloading-fix.patch
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
Source3: trust-extract-compat
Source4: p11-kit-client.service
Patch0: 001-dt-needed.patch
Patch1: 002-doc-dep.patch
# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6,
# b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6
Patch2: 003-IBM-mechs-and-attrs.patch
BuildRequires: gcc
BuildRequires: libtasn1-devel >= 2.3
BuildRequires: libtasn1-tools
BuildRequires: libffi-devel
BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: meson
BuildRequires: systemd-devel
BuildRequires: bash-completion
# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147
# Remove this once it is fixed
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(systemd)
BuildRequires: gnupg2
BuildRequires: /usr/bin/xsltproc
%description
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
@ -40,13 +52,13 @@ developing applications that use %{name}.
%package trust
Summary: System trust module from %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): %{_sbindir}/update-alternatives
Requires(postun): %{_sbindir}/update-alternatives
Requires(post): %{_sbindir}/alternatives
Requires(postun): %{_sbindir}/alternatives
Conflicts: nss < 3.14.3-9
%description trust
The %{name}-trust package contains a system trust PKCS#11 module which
contains certificate anchors and black lists.
contains certificate anchors and blocklists.
%package server
@ -69,49 +81,46 @@ feature is still experimental.
%prep
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%autosetup -p1
%build
# These paths are the source paths that come from the plan here:
# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --disable-silent-rules
make %{?_smp_mflags} V=1
%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source
%meson_build
%install
make install DESTDIR=$RPM_BUILD_ROOT
%meson_install
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
install -p -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
# Install the example conf with %%doc instead
rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example $RPM_BUILD_ROOT%{_docdir}/%{name}/pkcs11.conf.example
mkdir -p $RPM_BUILD_ROOT%{_userunitdir}
install -p -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_userunitdir}
install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir}
%find_lang %{name}
%check
make check
%meson_test
%post -p /sbin/ldconfig
%post trust
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
%{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun -p /sbin/ldconfig
%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
%postun trust
if [ $1 -eq 0 ] ; then
# package removal
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
%{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
fi
%files
%files -f %{name}.lang
%{!?_licensedir:%global license %%doc}
%license COPYING
%doc AUTHORS NEWS README
%doc p11-kit/pkcs11.conf.example
%{_docdir}/%{name}/pkcs11.conf.example
%dir %{_sysconfdir}/pkcs11
%dir %{_sysconfdir}/pkcs11/modules
%dir %{_datadir}/p11-kit
@ -124,6 +133,7 @@ fi
%{_mandir}/man1/trust.1.gz
%{_mandir}/man8/p11-kit.8.gz
%{_mandir}/man5/pkcs11.conf.5.gz
%{_datadir}/bash-completion/completions/p11-kit
%files devel
%{_includedir}/p11-kit-1/
@ -138,6 +148,7 @@ fi
%{_libdir}/pkcs11/p11-kit-trust.so
%{_datadir}/p11-kit/modules/p11-kit-trust.module
%{_libexecdir}/p11-kit/trust-extract-compat
%{_datadir}/bash-completion/completions/trust
%files server
%{_libdir}/pkcs11/p11-kit-client.so
@ -148,6 +159,29 @@ fi
%changelog
* Fri Dec 01 2023 Zoltan Fridrich <zfridric@redhat.com> - 0.23.22-2
- Add IBM specific mechanisms and attributes
Resolves: RHEL-10571
* Mon Jan 11 2021 Daiki Ueno <dueno@redhat.com> - 0.23.22-1
- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363)
- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff
- Add xsltproc to BR
* Tue Nov 10 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-4
- Fix realloc usage on proxy cleanup (#1894979)
- Make 'trust anchor --store' preserve all attributes from .p11-kit files
* Tue Nov 3 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-3
- Restore clobbered changelog entry
* Mon Nov 2 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-2
- Update p11-kit-invalid-config.patch to be more thorough (thanks to
Alexander Sosedkin)
* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 0.23.21-1
- Update to upstream 0.23.21 release
* Fri Mar 29 2019 Daiki Ueno <dueno@redhat.com> - 0.23.14-5
- Fix crash on unloading the library, when it is both linked and dlopen'ed