diff --color -ruNp a/common/attrs.c b/common/attrs.c --- a/common/attrs.c 2020-12-11 15:48:46.000000000 +0100 +++ b/common/attrs.c 2023-11-29 14:29:45.130552239 +0100 @@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU X (CKA_TRUST_STEP_UP_APPROVED) X (CKA_CERT_SHA1_HASH) X (CKA_CERT_MD5_HASH) + X (CKA_IBM_OPAQUE) + X (CKA_IBM_RESTRICTABLE) + X (CKA_IBM_NEVER_MODIFIABLE) + X (CKA_IBM_RETAINKEY) + X (CKA_IBM_ATTRBOUND) + X (CKA_IBM_KEYTYPE) + X (CKA_IBM_CV) + X (CKA_IBM_MACKEY) + X (CKA_IBM_USE_AS_DATA) + X (CKA_IBM_STRUCT_PARAMS) + X (CKA_IBM_STD_COMPLIANCE1) + X (CKA_IBM_PROTKEY_EXTRACTABLE) + X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE) + X (CKA_IBM_OPAQUE_PKEY) + X (CKA_IBM_DILITHIUM_KEYFORM) + X (CKA_IBM_DILITHIUM_RHO) + X (CKA_IBM_DILITHIUM_T1) case CKA_VALUE: return (klass != CKO_CERTIFICATE && klass != CKO_X_CERTIFICATE_EXTENSION); diff --color -ruNp a/common/constants.c b/common/constants.c --- a/common/constants.c 2020-12-11 15:48:46.000000000 +0100 +++ b/common/constants.c 2023-11-29 14:29:45.130552239 +0100 @@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] CT (CKA_WRAP_TEMPLATE, "wrap-template") CT (CKA_UNWRAP_TEMPLATE, "unwrap-template") CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms") + CT (CKA_IBM_OPAQUE, "ibm-opaque") + CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable") + CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable") + CT (CKA_IBM_RETAINKEY, "ibm-retainkey") + CT (CKA_IBM_ATTRBOUND, "ibm-attrbound") + CT (CKA_IBM_KEYTYPE, "ibm-keytype") + CT (CKA_IBM_CV, "ibm-cv") + CT (CKA_IBM_MACKEY, "ibm-mackey") + CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data") + CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params") + CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1") + CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable") + CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable") + CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform") + CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho") + CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed") + CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr") + CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1") + CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2") + CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0") + CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1") + CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey") CT (CKA_NSS_URL, "nss-url") CT (CKA_NSS_EMAIL, "nss-email") CT (CKA_NSS_SMIME_INFO, "nss-smime-constant") @@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = CT (CKK_AES, "aes") CT (CKK_BLOWFISH, "blowfish") CT (CKK_TWOFISH, "twofish") + CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium") CT (CKK_NSS_PKCS8, "nss-pkcs8") { CKA_INVALID }, }; @@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen") CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen") CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen") + CT (CKM_IBM_SHA3_224, "ibm-sha3-224") + CT (CKM_IBM_SHA3_256, "ibm-sha3-256") + CT (CKM_IBM_SHA3_384, "ibm-sha3-384") + CT (CKM_IBM_SHA3_512, "ibm-sha3-512") + CT (CKM_IBM_CMAC, "ibm-cmac") + CT (CKM_IBM_EC_X25519, "ibm-ec-x25519") + CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512") + CT (CKM_IBM_EC_X448, "ibm-ec-x448") + CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3") + CT (CKM_IBM_DILITHIUM, "ibm-dilithium") + CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac") + CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac") + CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac") + CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac") + CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap") { CKA_INVALID }, }; diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h --- a/common/pkcs11x.h 2020-12-11 16:24:01.000000000 +0100 +++ b/common/pkcs11x.h 2023-11-29 14:29:45.252554771 +0100 @@ -181,6 +181,71 @@ typedef CK_ULONG #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */ +/* Define this if you want the IBM specific symbols */ +#define CRYPTOKI_IBM_VENDOR_DEFINED 1 +#ifdef CRYPTOKI_IBM_VENDOR_DEFINED + +#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023 + +#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1) +#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001) +#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002) +#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003) +#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004) +#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005) +#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006) +#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007) +#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008) +#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009) +#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a) +#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c) +#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d) +#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001) +#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002) +#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003) +#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004) +#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005) +#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006) +#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007) +#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008) +#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100) + +#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001) +#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002) +#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003) +#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004) +#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007) +#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b) +#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c) +#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e) +#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f) +#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023) +#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025) +#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026) +#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027) +#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) +#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) + +/* + * If the caller is using the PKCS#11 GNU calling convention, then we cater + * to that here. + */ +#ifdef CRYPTOKI_GNU +#define hSignVerifyKey h_sign_verify_key +#endif + +struct ck_ibm_attributebound_wrap { + CK_OBJECT_HANDLE hSignVerifyKey; +}; + +typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; + +#ifdef CRYPTOKI_GNU +#undef hSignVerifyKey +#endif + +#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ + #if defined(__cplusplus) } #endif diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build --- a/p11-kit/meson.build 2023-11-29 14:27:53.265231072 +0100 +++ b/p11-kit/meson.build 2023-11-29 14:29:45.264555020 +0100 @@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea static_library('p11-kit-pkcs11-gnu', gnu_h, 'pkcs11-gnu.c', + c_args: [ + '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1', + ], include_directories: [configinc, commoninc]) # Tests ---------------------------------------------------------------- diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h --- a/p11-kit/p11-kit.h 2020-12-11 15:48:46.000000000 +0100 +++ b/p11-kit/p11-kit.h 2023-11-29 14:29:45.265555041 +0100 @@ -43,12 +43,17 @@ */ #ifdef CRYPTOKI_GNU typedef ck_rv_t CK_RV; +typedef ck_object_handle_t CK_OBJECT_HANDLE; +typedef unsigned long int CK_ULONG; typedef struct ck_function_list* CK_FUNCTION_LIST_PTR; typedef struct ck_function_list CK_FUNCTION_LIST; #endif #include "p11-kit/deprecated.h" +/* For size_t. */ +#include + #ifdef __cplusplus extern "C" { #endif diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c --- a/p11-kit/pkcs11-gnu.c 2020-12-11 15:48:46.000000000 +0100 +++ b/p11-kit/pkcs11-gnu.c 2023-11-29 14:29:45.265555041 +0100 @@ -1,3 +1,8 @@ +#include "config.h" + +#include "p11-kit.h" +#include "pkcs11x.h" + #include "pkcs11-gnu-iter.h" #include "pkcs11-gnu-pin.h" #include "pkcs11-gnu-uri.h" diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c --- a/p11-kit/rpc-client.c 2020-12-11 15:48:46.000000000 +0100 +++ b/p11-kit/rpc-client.c 2023-11-29 14:29:45.220554107 +0100 @@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag #define IN_BYTE_BUFFER(arr, len) \ if (len == NULL) \ { _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \ - if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \ + if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \ { _ret = CKR_HOST_MEMORY; goto _cleanup; } #define IN_BYTE_ARRAY(arr, len) \ @@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se CK_BYTE_PTR part, CK_ULONG part_len) { - return_val_if_fail (part_len, CKR_ARGUMENTS_BAD); - BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID); IN_ULONG (session); IN_BYTE_ARRAY (part, part_len); diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c --- a/p11-kit/rpc-message.c 2020-12-11 16:25:36.000000000 +0100 +++ b/p11-kit/rpc-message.c 2023-11-29 14:29:45.243554584 +0100 @@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay")); /* No array, no data, just length */ - if (!arr) { + if (!arr && num != 0) { p11_rpc_buffer_add_byte (msg->output, 0); p11_rpc_buffer_add_uint32 (msg->output, num); } else { @@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT case CKA_RESET_ON_INIT: case CKA_HAS_RESET: case CKA_COLOR: + case CKA_IBM_RESTRICTABLE: + case CKA_IBM_NEVER_MODIFIABLE: + case CKA_IBM_RETAINKEY: + case CKA_IBM_ATTRBOUND: + case CKA_IBM_USE_AS_DATA: + case CKA_IBM_PROTKEY_EXTRACTABLE: + case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE: return P11_RPC_VALUE_BYTE; case CKA_CLASS: case CKA_CERTIFICATE_TYPE: @@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT case CKA_CHAR_COLUMNS: case CKA_BITS_PER_PIXEL: case CKA_MECHANISM_TYPE: + case CKA_IBM_DILITHIUM_KEYFORM: + case CKA_IBM_STD_COMPLIANCE1: + case CKA_IBM_KEYTYPE: return P11_RPC_VALUE_ULONG; case CKA_WRAP_TEMPLATE: case CKA_UNWRAP_TEMPLATE: + case CKA_DERIVE_TEMPLATE: return P11_RPC_VALUE_ATTRIBUTE_ARRAY; case CKA_ALLOWED_MECHANISMS: return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY; @@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT case CKA_REQUIRED_CMS_ATTRIBUTES: case CKA_DEFAULT_CMS_ATTRIBUTES: case CKA_SUPPORTED_CMS_ATTRIBUTES: + case CKA_IBM_OPAQUE: + case CKA_IBM_CV: + case CKA_IBM_MACKEY: + case CKA_IBM_STRUCT_PARAMS: + case CKA_IBM_OPAQUE_PKEY: + case CKA_IBM_DILITHIUM_RHO: + case CKA_IBM_DILITHIUM_SEED: + case CKA_IBM_DILITHIUM_TR: + case CKA_IBM_DILITHIUM_S1: + case CKA_IBM_DILITHIUM_S2: + case CKA_IBM_DILITHIUM_T0: + case CKA_IBM_DILITHIUM_T1: return P11_RPC_VALUE_BYTE_ARRAY; } } @@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani return true; } +void +p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + CK_ECDH1_DERIVE_PARAMS params; + + /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */ + if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) { + p11_buffer_fail (buffer); + return; + } + + memcpy (¶ms, value, value_length); + + /* Check if params.kdf can be converted to uint64_t. */ + if (params.kdf > UINT64_MAX) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_uint64 (buffer, params.kdf); + + /* parmas.shared_data can only be an array of CK_BYTE or + * NULL */ + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)params.shared_data, + params.shared_data_len); + + /* parmas.public_data can only be an array of CK_BYTE or + * NULL */ + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)params.public_data, + params.public_data_len); +} + +bool +p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + uint64_t val; + const unsigned char *data1, *data2; + size_t len1, len2; + + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) + return false; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) + return false; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) + return false; + + + if (value) { + CK_ECDH1_DERIVE_PARAMS params; + + params.kdf = val; + params.shared_data = (void *) data1; + params.shared_data_len = len1; + params.public_data = (void *) data2; + params.public_data_len = len2; + + memcpy (value, ¶ms, sizeof (CK_ECDH1_DERIVE_PARAMS)); + } + + if (value_length) + *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS); + + return true; +} + +void +p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; + + /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */ + if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) { + p11_buffer_fail (buffer); + return; + } + + memcpy (¶ms, value, value_length); + + /* Check if params.hSignVerifyKey can be converted to uint64_t. */ + if (params.hSignVerifyKey > UINT64_MAX) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey); +} + +bool +p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + uint64_t val; + + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) + return false; + + if (value) { + CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; + + params.hSignVerifyKey = val; + + memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)); + } + + if (value_length) + *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS); + + return true; +} + +void +p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + /* Check if value can be converted to an AES IV. */ + if (value_length != 16) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)value, + value_length); +} + +bool +p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + const unsigned char *data; + size_t len; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) + return false; + + if (len != 16) + return false; + + if (value) + memcpy (value, data, len); + + if (value_length) + *value_length = len; + + return true; +} + +void +p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + CK_AES_CTR_PARAMS params; + + /* Check if value can be converted to CK_AES_CTR_PARAMS. */ + if (value_length != sizeof (CK_AES_CTR_PARAMS)) { + p11_buffer_fail (buffer); + return; + } + + memcpy (¶ms, value, value_length); + + /* Check if params.counter_bits can be converted to uint64_t. */ + if (params.counter_bits > UINT64_MAX) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_uint64 (buffer, params.counter_bits); + + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)params.cb, + sizeof(params.cb)); +} + +bool +p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + uint64_t val; + const unsigned char *data; + size_t len; + + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) + return false; + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) + return false; + + if (value) { + CK_AES_CTR_PARAMS params; + + params.ulCounterBits = val; + + if (len != sizeof (params.cb)) + return false; + + memcpy (params.cb, data, sizeof (params.cb)); + memcpy (value, ¶ms, sizeof (CK_AES_CTR_PARAMS)); + } + + if (value_length) + *value_length = sizeof (CK_AES_CTR_PARAMS); + + return true; +} + +void +p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + CK_GCM_PARAMS params; + + /* Check if value can be converted to CK_GCM_PARAMS. */ + if (value_length != sizeof (CK_GCM_PARAMS)) { + p11_buffer_fail (buffer); + return; + } + + memcpy (¶ms, value, value_length); + + /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */ + if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)params.pIv, + params.ulIvLen); + p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits); + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)params.pAAD, + params.ulAADLen); + p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits); +} + +bool +p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + uint64_t val1, val2; + const unsigned char *data1, *data2; + size_t len1, len2; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) + return false; + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) + return false; + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) + return false; + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2)) + return false; + + if (value) { + CK_GCM_PARAMS params; + + params.pIv = (void *) data1; + params.ulIvLen = len1; + params.ulIvBits = val1; + params.pAAD = (void *) data2; + params.ulAADLen = len2; + params.ulTagBits = val2; + + memcpy (value, ¶ms, sizeof (CK_GCM_PARAMS)); + } + + if (value_length) + *value_length = sizeof (CK_GCM_PARAMS); + + return true; +} + +void +p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + /* Check if value can be converted to an DES IV. */ + if (value_length != 8) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)value, + value_length); +} + +bool +p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + const unsigned char *data; + size_t len; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) + return false; + + if (len != 8) + return false; + + if (value) + memcpy (value, data, len); + + if (value_length) + *value_length = len; + + return true; +} + +void +p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + CK_ULONG val; + uint64_t params; + + /* + * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which + * is a CK_ULONG. + */ + if (value_length != sizeof (CK_ULONG)) { + p11_buffer_fail (buffer); + return; + } + + memcpy (&val, value, value_length); + params = val; + + p11_rpc_buffer_add_uint64 (buffer, params); +} + +bool +p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + uint64_t val; + CK_ULONG params; + + if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) + return false; + + params = val; + + if (value) + memcpy (value, ¶ms, sizeof (params)); + + if (value_length) + *value_length = sizeof (params); + + return true; +} + +void +p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length) +{ + /* Mechanism parameter is public value of the other party */ + if (value_length == 0) { + p11_buffer_fail (buffer); + return; + } + + p11_rpc_buffer_add_byte_array (buffer, + (unsigned char *)value, + value_length); +} + +bool +p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length) +{ + const unsigned char *data; + size_t len; + + if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) + return false; + + if (len == 0) + return false; + + if (value) + memcpy (value, data, len); + + if (value_length) + *value_length = len; + + return true; +} + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, - { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value } + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, + { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, + { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, + { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value }, + { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value }, }; static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { @@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS case CKM_MD2_RSA_PKCS: case CKM_MD5_RSA_PKCS: case CKM_SHA1_RSA_PKCS: + case CKM_SHA224_RSA_PKCS: case CKM_SHA256_RSA_PKCS: case CKM_SHA384_RSA_PKCS: case CKM_SHA512_RSA_PKCS: @@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS case CKM_EC_KEY_PAIR_GEN: case CKM_ECDSA: case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA224: + case CKM_ECDSA_SHA256: + case CKM_ECDSA_SHA384: + case CKM_ECDSA_SHA512: case CKM_DH_PKCS_KEY_PAIR_GEN: case CKM_DH_PKCS_PARAMETER_GEN: case CKM_X9_42_DH_KEY_PAIR_GEN: @@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS case CKM_AES_KEY_GEN: case CKM_AES_ECB: case CKM_AES_MAC: + case CKM_AES_CMAC: case CKM_DES_KEY_GEN: case CKM_DES2_KEY_GEN: case CKM_DES3_KEY_GEN: @@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS case CKM_RC2_MAC: case CKM_DES_MAC: case CKM_DES3_MAC: + case CKM_DES3_CMAC: case CKM_CDMF_MAC: case CKM_CAST_MAC: case CKM_CAST3_MAC: @@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS case CKM_MD5_HMAC: case CKM_SHA_1: case CKM_SHA_1_HMAC: + case CKM_SHA1_KEY_DERIVATION: + case CKM_SHA224: + case CKM_SHA224_HMAC: + case CKM_SHA224_KEY_DERIVATION: case CKM_SHA256: case CKM_SHA256_HMAC: + case CKM_SHA256_KEY_DERIVATION: case CKM_SHA384: case CKM_SHA384_HMAC: + case CKM_SHA384_KEY_DERIVATION: case CKM_SHA512: case CKM_SHA512_HMAC: + case CKM_SHA512_KEY_DERIVATION: + case CKM_SHA512_T: + case CKM_SHA512_T_HMAC: + case CKM_SHA512_T_KEY_DERIVATION: + case CKM_SHA512_224: + case CKM_SHA512_224_HMAC: + case CKM_SHA512_224_KEY_DERIVATION: + case CKM_SHA512_256: + case CKM_SHA512_256_HMAC: + case CKM_SHA512_256_KEY_DERIVATION: case CKM_FASTHASH: case CKM_RIPEMD128: case CKM_RIPEMD128_HMAC: case CKM_RIPEMD160: case CKM_RIPEMD160_HMAC: case CKM_KEY_WRAP_LYNKS: + case CKM_IBM_SHA3_224: + case CKM_IBM_SHA3_256: + case CKM_IBM_SHA3_384: + case CKM_IBM_SHA3_512: + case CKM_IBM_CMAC: + case CKM_IBM_DILITHIUM: + case CKM_IBM_SHA3_224_HMAC: + case CKM_IBM_SHA3_256_HMAC: + case CKM_IBM_SHA3_384_HMAC: + case CKM_IBM_SHA3_512_HMAC: + case CKM_IBM_ED25519_SHA512: + case CKM_IBM_ED448_SHA3: return true; default: return false; diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h --- a/p11-kit/rpc-message.h 2020-12-11 16:25:36.000000000 +0100 +++ b/p11-kit/rpc-message.h 2023-11-29 14:29:45.243554584 +0100 @@ -42,6 +42,7 @@ #include "buffer.h" #include "pkcs11.h" +#include "pkcs11x.h" /* The calls, must be in sync with array below */ enum { @@ -478,5 +479,85 @@ bool p11_rpc_buffer_get_rsa_ size_t *offset, void *value, CK_ULONG *value_length); + +void p11_rpc_buffer_add_ecdh1_derive_mechanism_value + (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value + (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value + (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value + (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_mac_general_mechanism_value + (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_mac_general_mechanism_value + (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); + +void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value + (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); + +bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value + (p11_buffer *buffer, + size_t *offset, + void *value, + CK_ULONG *value_length); #endif /* _RPC_MESSAGE_H */ diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c --- a/p11-kit/rpc-server.c 2020-12-11 16:25:36.000000000 +0100 +++ b/p11-kit/rpc-server.c 2023-11-29 14:29:45.221554128 +0100 @@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message *n_buffer = length; *buffer = NULL; + /* length = -1 indicates length = 0, but buffer not NULL */ + if (length == (uint32_t)-1) { + *n_buffer = 0; + length = 1; /*allocate 1 dummy byte */ + } + /* If set to zero, then they just want the length */ if (length == 0) return CKR_OK;