Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
dbd029bbf1 | ||
|
|
6a4694191f | ||
|
|
61db950bcf |
2
.gitignore
vendored
2
.gitignore
vendored
@ -4,3 +4,5 @@
|
||||
/pkcs11-provider-0.3.tar.xz.asc
|
||||
/pkcs11-provider-0.5.tar.xz
|
||||
/pkcs11-provider-0.5.tar.xz.asc
|
||||
/pkcs11-provider-1.0.tar.xz
|
||||
/pkcs11-provider-1.0.tar.xz.asc
|
||||
|
||||
91
0001-Fix-peer-keys-domain-parameter-copying.patch
Normal file
91
0001-Fix-peer-keys-domain-parameter-copying.patch
Normal file
@ -0,0 +1,91 @@
|
||||
From e4b44e81e8a4aa92ab62eca00eb046a99956b04d Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Thu, 13 Mar 2025 10:48:25 -0400
|
||||
Subject: [PATCH] Fix peer keys domain parameter copying
|
||||
|
||||
OpenSSL assumes you can create a new EC key by copying the domain
|
||||
parameters from a peer key first (to establish a compatible key
|
||||
type for operations like ECDH), and only later generates the private key
|
||||
material.
|
||||
|
||||
Better identify those keys by assigning the CKO_DOMAIN_PARAMETER class
|
||||
to them as parameters are set. We do not have a fully formed key at
|
||||
this point but we already have a bunch of parameters so this also
|
||||
allows to make decisions on what should or should not be changed anymore
|
||||
at this point. (for example this now will prevent re-importing other
|
||||
parameters over the "proto" key).
|
||||
|
||||
Fixes #543
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
---
|
||||
src/objects.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/objects.c b/src/objects.c
|
||||
index 310e6a5..69688a0 100644
|
||||
--- a/src/objects.c
|
||||
+++ b/src/objects.c
|
||||
@@ -574,6 +574,7 @@ CK_KEY_TYPE p11prov_obj_get_key_type(P11PROV_OBJ *obj)
|
||||
switch (obj->class) {
|
||||
case CKO_PRIVATE_KEY:
|
||||
case CKO_PUBLIC_KEY:
|
||||
+ case CKO_DOMAIN_PARAMETERS:
|
||||
return obj->data.key.type;
|
||||
}
|
||||
}
|
||||
@@ -638,6 +639,7 @@ CK_ULONG p11prov_obj_get_key_bit_size(P11PROV_OBJ *obj)
|
||||
switch (obj->class) {
|
||||
case CKO_PRIVATE_KEY:
|
||||
case CKO_PUBLIC_KEY:
|
||||
+ case CKO_DOMAIN_PARAMETERS:
|
||||
return obj->data.key.bit_size;
|
||||
}
|
||||
}
|
||||
@@ -650,6 +652,7 @@ CK_ULONG p11prov_obj_get_key_size(P11PROV_OBJ *obj)
|
||||
switch (obj->class) {
|
||||
case CKO_PRIVATE_KEY:
|
||||
case CKO_PUBLIC_KEY:
|
||||
+ case CKO_DOMAIN_PARAMETERS:
|
||||
return obj->data.key.size;
|
||||
}
|
||||
}
|
||||
@@ -4277,10 +4280,13 @@ CK_RV p11prov_obj_import_key(P11PROV_OBJ *key, CK_KEY_TYPE type,
|
||||
|
||||
switch (class) {
|
||||
case CKO_PUBLIC_KEY:
|
||||
+ key->class = CKO_PUBLIC_KEY;
|
||||
return p11prov_obj_import_public_key(key, type, params);
|
||||
case CKO_PRIVATE_KEY:
|
||||
+ key->class = CKO_PRIVATE_KEY;
|
||||
return p11prov_obj_import_private_key(key, type, params);
|
||||
case CKO_DOMAIN_PARAMETERS:
|
||||
+ key->class = CKO_DOMAIN_PARAMETERS;
|
||||
return p11prov_obj_set_domain_params(key, type, params);
|
||||
default:
|
||||
P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
|
||||
@@ -4313,15 +4319,15 @@ CK_RV p11prov_obj_set_ec_encoded_public_key(P11PROV_OBJ *key,
|
||||
return CKR_KEY_INDIGESTIBLE;
|
||||
}
|
||||
|
||||
- if (key->class == CK_UNAVAILABLE_INFORMATION) {
|
||||
- key->class = CKO_PUBLIC_KEY;
|
||||
- }
|
||||
-
|
||||
switch (key->data.key.type) {
|
||||
case CKK_EC:
|
||||
case CKK_EC_EDWARDS:
|
||||
- /* check that this is a public key */
|
||||
- if (key->class != CKO_PUBLIC_KEY) {
|
||||
+ /* if class is still "domain parameters" convert it to
|
||||
+ * a public key */
|
||||
+ if (key->class == CKO_DOMAIN_PARAMETERS) {
|
||||
+ key->class = CKO_PUBLIC_KEY;
|
||||
+ } else if (key->class != CKO_PUBLIC_KEY) {
|
||||
+ /* check that this is a public key */
|
||||
P11PROV_raise(key->ctx, CKR_KEY_INDIGESTIBLE,
|
||||
"Invalid Key type, not a public key");
|
||||
return CKR_KEY_INDIGESTIBLE;
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -1,49 +0,0 @@
|
||||
From 9fa16b7fd398b62f06cb10892fe93dc574d67399 Mon Sep 17 00:00:00 2001
|
||||
From: Simo Sorce <simo@redhat.com>
|
||||
Date: Wed, 5 Jun 2024 11:22:35 -0400
|
||||
Subject: [PATCH] Fix types for old 32 bit systems
|
||||
|
||||
On x86 CK_ULONG and size_t have different sizes, ensure we use
|
||||
compatible types on our helper functions.
|
||||
|
||||
Signed-off-by: Simo Sorce <simo@redhat.com>
|
||||
---
|
||||
src/asymmetric_cipher.c | 4 ++--
|
||||
src/util.h | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/asymmetric_cipher.c b/src/asymmetric_cipher.c
|
||||
index 4d87b1c..3256fd2 100644
|
||||
--- a/src/asymmetric_cipher.c
|
||||
+++ b/src/asymmetric_cipher.c
|
||||
@@ -251,12 +251,12 @@ static int p11prov_rsaenc_decrypt_init(void *ctx, void *provkey,
|
||||
static int
|
||||
p11prov_tls_constant_time_depadding(struct p11prov_rsaenc_ctx *encctx,
|
||||
unsigned char *out, unsigned char *buf,
|
||||
- size_t *out_size, CK_ULONG *ret_cond)
|
||||
+ CK_ULONG *out_size, CK_ULONG *ret_cond)
|
||||
{
|
||||
unsigned char randbuf[SSL_MAX_MASTER_KEY_LENGTH];
|
||||
CK_ULONG ver_cond = 0;
|
||||
CK_ULONG cond = 0;
|
||||
- size_t length = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
+ CK_ULONG length = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
int err;
|
||||
|
||||
/* always generate a random buffer, to constant_time swap in
|
||||
diff --git a/src/util.h b/src/util.h
|
||||
index bcbc2db..1b24666 100644
|
||||
--- a/src/util.h
|
||||
+++ b/src/util.h
|
||||
@@ -120,7 +120,7 @@ static inline int constant_select_int(CK_ULONG cond, int a, int b)
|
||||
return (int)((A & mask) | (B & ~mask));
|
||||
}
|
||||
|
||||
-static inline void constant_select_buf(CK_ULONG cond, size_t size,
|
||||
+static inline void constant_select_buf(CK_ULONG cond, CK_ULONG size,
|
||||
unsigned char *dst, unsigned char *a,
|
||||
unsigned char *b)
|
||||
{
|
||||
--
|
||||
2.45.0
|
||||
|
||||
@ -0,0 +1,35 @@
|
||||
From 577471d781d1ee0365f6739b1cfc1c9c566c893a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 3 Mar 2025 15:54:07 +0100
|
||||
Subject: [PATCH] utils: Do not fail if non-mandatory attribute is not
|
||||
available
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
src/util.c | 9 ++++++---
|
||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index 66a3bd0..a956f9d 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -34,10 +34,13 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
|
||||
unsigned long retrnums = 0;
|
||||
for (size_t i = 0; i < attrnums; i++) {
|
||||
if (q[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
|
||||
- /* This can't happen according to the algorithm described
|
||||
- * in the spec when the call returns CKR_OK. */
|
||||
+ /* This means the attribute is valid, but not available for a
|
||||
+ * given object. Just skip it, unless it is required */
|
||||
+ if (!attrs[i].required) {
|
||||
+ continue;
|
||||
+ }
|
||||
ret = CKR_GENERAL_ERROR;
|
||||
- P11PROV_raise(ctx, ret, "Failed to get attributes");
|
||||
+ P11PROV_raise(ctx, ret, "Failed to get required attributes");
|
||||
goto done;
|
||||
}
|
||||
if (attrs[i].allocate) {
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
From cf6bcbb4edbe983691996f8fb126c6b143dc796d Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 3 Mar 2025 17:11:03 +0100
|
||||
Subject: [PATCH] utils: Do not repeat GetAttribute calls when the size query
|
||||
already failed
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
src/util.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index bb1a389..3c72e8c 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -83,6 +83,9 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
|
||||
if (attrs[i].required) {
|
||||
return ret;
|
||||
}
|
||||
+ /* Invalid attribute: No need to call the function again for
|
||||
+ * this attribute */
|
||||
+ continue;
|
||||
} else {
|
||||
CK_ULONG len = attrs[i].attr.ulValueLen;
|
||||
if (len == CK_UNAVAILABLE_INFORMATION) {
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -0,0 +1,34 @@
|
||||
From 02dc73fd441f9f87bd237a1fbd0a7cab9d948cbe Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 3 Mar 2025 17:10:17 +0100
|
||||
Subject: [PATCH] utils: Handle correctly CK_UNAVAILABLE_INFORMATION when
|
||||
reading attributes
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
src/util.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/util.c b/src/util.c
|
||||
index a956f9d..bb1a389 100644
|
||||
--- a/src/util.c
|
||||
+++ b/src/util.c
|
||||
@@ -84,8 +84,13 @@ CK_RV p11prov_fetch_attributes(P11PROV_CTX *ctx, P11PROV_SESSION *session,
|
||||
return ret;
|
||||
}
|
||||
} else {
|
||||
- attrs[i].attr.pValue =
|
||||
- OPENSSL_zalloc(attrs[i].attr.ulValueLen + 1);
|
||||
+ CK_ULONG len = attrs[i].attr.ulValueLen;
|
||||
+ if (len == CK_UNAVAILABLE_INFORMATION) {
|
||||
+ /* The attribute is known to the module, but not
|
||||
+ * available on this object */
|
||||
+ continue;
|
||||
+ }
|
||||
+ attrs[i].attr.pValue = OPENSSL_zalloc(len + 1);
|
||||
if (!attrs[i].attr.pValue) {
|
||||
ret = CKR_HOST_MEMORY;
|
||||
P11PROV_raise(ctx, ret, "Failed to get attributes");
|
||||
--
|
||||
2.48.1
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
%bcond_with gpgcheck
|
||||
|
||||
Name: pkcs11-provider
|
||||
Version: 0.5
|
||||
Version: 1.0
|
||||
Release: %autorelease
|
||||
Summary: A PKCS#11 provider for OpenSSL 3.0+
|
||||
License: Apache-2.0
|
||||
@ -14,6 +14,11 @@ Source2: https://people.redhat.com/~ssorce/simo_redhat.asc
|
||||
%endif
|
||||
Source3: pkcs11-provider.conf
|
||||
|
||||
Patch1: 0001-utils-Do-not-fail-if-non-mandatory-attribute-is-not-.patch
|
||||
Patch2: 0001-utils-Handle-correctly-CK_UNAVAILABLE_INFORMATION-wh.patch
|
||||
Patch3: 0001-utils-Do-not-repeat-GetAttribute-calls-when-the-size.patch
|
||||
Patch4: 0001-Fix-peer-keys-domain-parameter-copying.patch
|
||||
|
||||
BuildRequires: openssl-devel >= 3.0.7
|
||||
BuildRequires: gcc
|
||||
BuildRequires: meson
|
||||
@ -35,7 +40,6 @@ BuildRequires: gnutls-utils
|
||||
BuildRequires: xz
|
||||
BuildRequires: expect
|
||||
|
||||
Patch01: 0001-Fix-types-for-old-32-bit-systems.patch
|
||||
|
||||
%description
|
||||
This is an Openssl 3.x provider to access Hardware or Software Tokens using
|
||||
|
||||
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (pkcs11-provider-0.5.tar.xz) = df292ba7da467608aad5343041708ccbe896422f21718092235ae3610035c91b57ffc6f4e495edd29c55f6f48d9c88f29e0c251ab5ff865f3b1554de37d1492d
|
||||
SHA512 (pkcs11-provider-0.5.tar.xz.asc) = 2ad0b47e965171313fec76b399a613633671aa62438614abe42484a98d3f54388e6615f7169aed5b27c729684ffeae6df80a34b0c05a34515a73c72e51b843e2
|
||||
SHA512 (pkcs11-provider-1.0.tar.xz) = 004eeb8816903a670abff51c150e50b93515aeeeb29af7cdf921578981326286ffc7432057abf8e9b4e35972800a8bf554255ace3f8bf2359c010cc343194798
|
||||
SHA512 (pkcs11-provider-1.0.tar.xz.asc) = a19bea50f056a5dbe66ed3fc21960107eb49eb893d25b5b32599388042124bb06776a34596191cddd20ab660e07dccc14d4fb593eb8a001f84c94a9a5d4dd3c4
|
||||
|
||||
Loading…
Reference in New Issue
Block a user