commit c0cead4463996362b0e4aaaa886363c80fd778b4 Author: MSVSphere Packaging Team Date: Tue Nov 26 17:40:41 2024 +0300 import opencryptoki-3.23.0-5.el10 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f734d50 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/opencryptoki-3.23.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata new file mode 100644 index 0000000..ccf8951 --- /dev/null +++ b/.opencryptoki.metadata @@ -0,0 +1 @@ +0d70d0a5170a79fc358107d07a62bea1b476e0cc SOURCES/opencryptoki-3.23.0.tar.gz diff --git a/SOURCES/opencryptoki-3.11.0-lockdir.patch b/SOURCES/opencryptoki-3.11.0-lockdir.patch new file mode 100644 index 0000000..936a654 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-lockdir.patch @@ -0,0 +1,12 @@ +diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac +--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100 ++++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100 +@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS]) + + dnl Define custom variables + +-lockdir=$localstatedir/lock/opencryptoki ++lockdir=/run/lock/opencryptoki + AC_SUBST(lockdir) + + logdir=$localstatedir/log/opencryptoki diff --git a/SOURCES/opencryptoki-3.21.0-p11sak.patch b/SOURCES/opencryptoki-3.21.0-p11sak.patch new file mode 100644 index 0000000..197ad52 --- /dev/null +++ b/SOURCES/opencryptoki-3.21.0-p11sak.patch @@ -0,0 +1,37 @@ +diff -up opencryptoki-3.21.0/Makefile.am.me opencryptoki-3.21.0/Makefile.am +--- opencryptoki-3.21.0/Makefile.am.me 2023-05-15 17:01:04.932616030 +0200 ++++ opencryptoki-3.21.0/Makefile.am 2023-05-15 17:00:45.732131601 +0200 +@@ -39,15 +39,8 @@ include tools/tools.mk + include doc/doc.mk + + install-data-hook: +- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group) +- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user) + $(MKDIR_P) $(DESTDIR)/run/opencryptoki/ +- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/ +- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/ +- $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/ + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki +- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki +- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki + if ENABLE_LIBRARY + $(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll + $(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11 +@@ -100,7 +93,7 @@ if ENABLE_EP11TOK + endif + if ENABLE_P11SAK + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true + endif + if ENABLE_ICATOK + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ +@@ -151,7 +144,7 @@ endif + if ENABLE_DAEMON + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true +- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true ++ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true + endif + $(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d + echo "$(libdir)/opencryptoki" >\ diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-01.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-01.patch new file mode 100644 index 0000000..2ddce4e --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-01.patch @@ -0,0 +1,50 @@ +commit 2d68f8626d15b9697a29a377a63bbdf35b42ee36 +Author: Joerg Schmidbauer +Date: Tue Feb 13 16:20:06 2024 +0100 + + EP11 pkey option: add new PKEY_MODE parms to ep11 config file + + Add two new parameter values ENABLE4EXTR and ENABLE4ALL to the ep11token + PKEY_MODE config option. Older ep11 card firmware enforces the restriction that + keys can not have CKA_EXTRACTABLE=true and CKA_IBM_PROTKEY_EXTRACTABLE=true at + the same time. With newer card firmware this restriction is removed and a new + control point is introduced to allow checking for this feature. + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11tok.conf b/usr/lib/ep11_stdll/ep11tok.conf +index 19c9963f..afe237b9 100644 +--- a/usr/lib/ep11_stdll/ep11tok.conf ++++ b/usr/lib/ep11_stdll/ep11tok.conf +@@ -104,7 +104,7 @@ + # disabled and additional hardware and firmware prerequisites are met. AES-XTS + # is not supported via the EP11 coprocessor itself. + # +-# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR ++# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR | ENABLE4EXTR | ENABLE4ALL + # + # DISABLED : Protected key support disabled. All key operations + # are performed via EP11 coprocessor, even if a +@@ -119,6 +119,22 @@ + # but not CKA_IBM_PROTKEY_EXTRACTABLE, new keys get + # CKA_IBM_PROTKEY_EXTRACTABLE=true internally. + # ++# Control point 75 (XCP_CPB_ALLOW_COMBINED_EXTRACT) must be enabled for all ++# APQNs accessible by the token for the following parameters. ++# ++# ENABLE4EXTR : If the application did not specify ++# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys ++# of any type with CKA_EXTRACTABLE=true get ++# CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key ++# is automatically created at first use of the key. ++# ++# ENABLE4ALL : If the application did not specify ++# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys ++# of any type, regardless of the CKA_EXTRACTABLE ++# attribute, get CKA_IBM_PROTKEY_EXTRACTABLE=true and ++# a protected key is automatically created at first ++# use of the key. ++# + # -------------------------------------------------------------------------- + # + # Specify the expected wrapping key verification pattern. When specified, all diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-02.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-02.patch new file mode 100644 index 0000000..09d98ed --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-02.patch @@ -0,0 +1,222 @@ +commit a6192bb9c3263fb691da87b3a1ed5f66f887b09a +Author: Joerg Schmidbauer +Date: Tue Feb 13 16:35:53 2024 +0100 + + EP11 pkey option: handle new PKEY_MODE parms for new objects + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index d5964a9c..d1efd8c5 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1239,6 +1239,33 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, + return CKR_OK; + } + ++CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl) ++{ ++ CK_ATTRIBUTE *pkey_attr = NULL; ++ CK_BBOOL btrue = CK_TRUE; ++ CK_RV ret; ++ ++ if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) { ++ ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, &btrue, ++ sizeof(CK_BBOOL), &pkey_attr); ++ if (ret != CKR_OK) { ++ TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret); ++ goto done; ++ } ++ ret = template_update_attribute(tmpl, pkey_attr); ++ if (ret != CKR_OK) { ++ TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret); ++ free(pkey_attr); ++ goto done; ++ } ++ } ++ ++ ret = CKR_OK; ++ ++done: ++ return ret; ++} ++ + /** + * This function is called whenever a new object is created. It sets + * attribute CKA_IBM_PROTKEY_EXTRACTABLE according to the PKEY_MODE token +@@ -1254,7 +1281,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + CK_ULONG mode, TEMPLATE *tmpl) + { + ep11_private_data_t *ep11_data = tokdata->private_data; +- CK_ATTRIBUTE *pkey_attr = NULL, *ecp_attr = NULL, *sensitive_attr = NULL; ++ CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL; + CK_BBOOL extractable, sensitive, btrue = CK_TRUE; + CK_BBOOL add_pkey_extractable = CK_FALSE; + CK_RV ret; +@@ -1314,23 +1341,62 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + add_pkey_extractable = CK_TRUE; + break; + } +- + if (add_pkey_extractable) { +- if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) { +- ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, +- (CK_BBOOL *)&btrue, sizeof(CK_BBOOL), +- &pkey_attr); +- if (ret != CKR_OK) { +- TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret); +- goto done; +- } +- ret = template_update_attribute(tmpl, pkey_attr); +- if (ret != CKR_OK) { +- TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret); +- free(pkey_attr); +- goto done; +- } +- } ++ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); ++ if (ret != CKR_OK) ++ goto done; ++ } ++ break; ++ case PKEY_MODE_ENABLE4EXTR: ++ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in ++ * its template, new keys of any type with CKA_EXTRACTABLE=true get ++ * CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is automatically ++ * created at first use of the key. ++ */ ++ switch (class) { ++ case CKO_PUBLIC_KEY: ++ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK && ++ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl)) ++ add_pkey_extractable = CK_TRUE; ++ /* Note that the explicit parm CKM_ECDSA just tells the ++ * function that it's not AES here. It covers all EC and ED ++ * mechs */ ++ break; ++ default: ++ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable); ++ if (ret == CKR_OK && extractable) // Einziger Unterschied: extractable, statt !extractable ++ add_pkey_extractable = CK_TRUE; ++ break; ++ } ++ if (add_pkey_extractable) { ++ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); ++ if (ret != CKR_OK) ++ goto done; ++ } ++ break; ++ case PKEY_MODE_ENABLE4ALL: ++ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in ++ * its template, new keys of any type, regardless of CKA_EXTRACTABLE, ++ * get CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is ++ * automatically created at first use of the key. ++ */ ++ switch (class) { ++ case CKO_PUBLIC_KEY: ++ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK && ++ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl)) ++ add_pkey_extractable = CK_TRUE; ++ /* Note that the explicit parm CKM_ECDSA just tells the ++ * function that it's not AES here. It covers all EC and ED ++ * mechs */ ++ break; ++ default: ++ add_pkey_extractable = CK_TRUE; ++ break; ++ } ++ if (add_pkey_extractable) { ++ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); ++ if (ret != CKR_OK) ++ goto done; + } + break; + default: +@@ -12188,6 +12254,10 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, + ep11_data->pkey_mode = PKEY_MODE_DEFAULT; + else if (strcmp(strval, "ENABLE4NONEXTR") == 0) + ep11_data->pkey_mode = PKEY_MODE_ENABLE4NONEXTR; ++ else if (strcmp(strval, "ENABLE4EXTR") == 0) ++ ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR; ++ else if (strcmp(strval, "ENABLE4ALL") == 0) ++ ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL; + else { + TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval); + OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' " +@@ -13252,6 +13322,7 @@ typedef struct cp_handler_data { + int first; + size_t max_cp_index; + CK_BBOOL error; ++ CK_BBOOL allow_combined_extract; + } cp_handler_data_t; + + static CK_RV control_point_handler(uint_32 adapter, uint_32 domain, +@@ -13329,6 +13400,27 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain, + } + } + ++ /* Combined extract is only supported if all APQNs support it */ ++ if (max_cp_index < XCP_CPB_ALLOW_COMBINED_EXTRACT || ++ (cp[CP_BYTE_NO(XCP_CPB_ALLOW_COMBINED_EXTRACT)] & ++ CP_BIT_MASK(XCP_CPB_ALLOW_COMBINED_EXTRACT)) == 0) { ++ data->allow_combined_extract = CK_FALSE; ++ ++ if (ep11_data->pkey_mode == PKEY_MODE_ENABLE4EXTR || ++ ep11_data->pkey_mode == PKEY_MODE_ENABLE4ALL) { ++ TRACE_ERROR("Control point setting for adapter %02X.%04X does not " ++ "allow combined extract, but PKEY_MODE ENABLE4EXTR or " ++ "ENABLE4ALL specified in ep11 token config file.\n", ++ adapter, domain); ++ OCK_SYSLOG(LOG_ERR, ++ "Control point setting for adapter %02X.%04X does not " ++ "allow combined extract, but PKEY_MODE ENABLE4EXTR or " ++ "ENABLE4ALL specified in ep11 token config file.\n", ++ adapter, domain); ++ data->error = TRUE; ++ } ++ } ++ + /* Check FIPS-session related CPs for non-FIPS-session mode */ + if (!ep11_data->fips_session_mode) { + if (max_cp_index >= XCP_CPB_ALLOW_NONSESSION && +@@ -13392,6 +13484,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata, + * to older cards default to ON. CPs being OFF disable functionality. + */ + memset(data.combined_cp, 0xff, sizeof(data.combined_cp)); ++ data.allow_combined_extract = CK_TRUE; + data.first = 1; + rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler, + &data); +@@ -13410,6 +13503,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata, + print_control_points(cp, *cp_len, data.max_cp_index); + #endif + ++ if (data.allow_combined_extract == CK_FALSE) ++ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 0); ++ else ++ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 1); ++ + return data.error ? CKR_DEVICE_ERROR : CKR_OK; + } + +diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h +index deb8f45f..16d3c719 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.h ++++ b/usr/lib/ep11_stdll/ep11_specific.h +@@ -241,6 +241,8 @@ typedef struct { + #define PKEY_MODE_DISABLED 0 + #define PKEY_MODE_DEFAULT 1 + #define PKEY_MODE_ENABLE4NONEXTR 2 ++#define PKEY_MODE_ENABLE4EXTR 3 ++#define PKEY_MODE_ENABLE4ALL 4 + + #define PQC_BYTE_NO(idx) (((idx) - 1) / 8) + #define PQC_BIT_IN_BYTE(idx) (((idx - 1)) % 8) +@@ -278,6 +280,7 @@ typedef struct { + int fips_session_mode; + int optimize_single_ops; + int pkey_mode; ++ volatile int pkey_combined_extract_supported; + volatile int pkey_wrap_supported; + int pkey_wrap_support_checked; + char pkey_mk_vp[PKEY_MK_VP_LENGTH]; diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-03.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-03.patch new file mode 100644 index 0000000..fed6888 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-03.patch @@ -0,0 +1,62 @@ +commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a +Author: Joerg Schmidbauer +Date: Thu Mar 7 17:42:11 2024 +0100 + + EP11 pkey option: handle new PKEY_MODE parms in eligibility check + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index d1efd8c5..a163587c 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session, + return CK_TRUE; + } + ++/* ++ * Returns true if the given key object is eligible to get a protected key ++ * attribute, false otherwise. ++ */ ++CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data, ++ OBJECT *key_obj) ++{ ++ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported || ++ !object_is_pkey_extractable(key_obj)) { ++ return CK_FALSE; ++ } ++ ++ if (!ep11_data->pkey_combined_extract_supported && ++ object_is_extractable(key_obj)) { ++ return CK_FALSE; ++ } ++ ++ return CK_TRUE; ++} ++ + /** + * Checks if the preconditions for using the related protected key of + * the given secure key object are met. The caller of this routine must +@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, + break; + case PKEY_MODE_DEFAULT: + case PKEY_MODE_ENABLE4NONEXTR: ++ case PKEY_MODE_ENABLE4EXTR: ++ case PKEY_MODE_ENABLE4ALL: + /* Use existing pkeys, re-create invalid pkeys, and also create new + * pkeys for secret/private keys that do not already have one. EC + * public keys that are pkey-extractable, can always be used via CPACF +@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, + if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK) + goto done; + +- if (object_is_extractable(key_obj) || +- !object_is_pkey_extractable(key_obj) || +- object_is_attr_bound(key_obj) || +- !ep11_data->pkey_wrap_supported) { ++ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) + goto done; +- } + + if (template_attribute_get_non_empty(key_obj->template, + CKA_IBM_OPAQUE_PKEY, diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-04.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-04.patch new file mode 100644 index 0000000..c57e81a --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-04.patch @@ -0,0 +1,555 @@ +commit b9e33fced0654aac939182957bf2eba2eda77872 +Author: Joerg Schmidbauer +Date: Wed Feb 21 13:48:15 2024 +0100 + + EP11 pkey option: add NO_PKEY compile option for EP11 token + + On 32-bit s390 platforms, the pkey related assembler code parts won't + compile. Therefore, add NO_PKEY compile switches where necessary. + The NO_PKEY compile switch is already handled in configure.ac. + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index a163587c..114c4ce1 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -60,7 +60,9 @@ + #include + + #include "ep11_specific.h" ++#ifndef NO_PKEY + #include "pkey_utils.h" ++#endif + + CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, + CK_MECHANISM_TYPE_PTR mlist, +@@ -256,11 +258,13 @@ static const version_req_t reencrypt_single_req_versions[] = { + #define NUM_REENCRYPT_SINGLE_REQ (sizeof(reencrypt_single_req_versions) / \ + sizeof(version_req_t)) + ++#ifndef NO_PKEY + static const CK_VERSION ibm_cex7p_cpacf_wrap_support = { .major = 7, .minor = 15 }; + static const version_req_t ibm_cpacf_wrap_req_versions[] = { + { .card_type = 7, .min_firmware_version = &ibm_cex7p_cpacf_wrap_support } + }; + #define NUM_CPACF_WRAP_REQ (sizeof(ibm_cpacf_wrap_req_versions) / sizeof(version_req_t)) ++#endif /* NO_PKEY */ + + static const CK_ULONG ibm_cex_ab_ecdh_api_version = 3; + static const version_req_t ibm_ab_ecdh_req_versions[] = { +@@ -504,6 +508,7 @@ static CK_BBOOL ep11tok_pkey_option_disabled(STDLL_TokData_t *tokdata) + return CK_FALSE; + } + ++#ifndef NO_PKEY + /** + * Callback function used by handle_all_ep11_cards() for creating a protected + * key via the given APQN (adaper,domain). +@@ -1283,6 +1288,7 @@ CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl) + done: + return ret; + } ++#endif /* NO_PKEY */ + + /** + * This function is called whenever a new object is created. It sets +@@ -1299,9 +1305,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + CK_ULONG mode, TEMPLATE *tmpl) + { + ep11_private_data_t *ep11_data = tokdata->private_data; +- CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL; +- CK_BBOOL extractable, sensitive, btrue = CK_TRUE; +- CK_BBOOL add_pkey_extractable = CK_FALSE; ++ CK_ATTRIBUTE *sensitive_attr = NULL; ++ CK_BBOOL sensitive, btrue = CK_TRUE; ++#ifndef NO_PKEY ++ CK_ATTRIBUTE *ecp_attr = NULL; ++ CK_BBOOL extractable, add_pkey_extractable = CK_FALSE; ++#endif + CK_RV ret; + + UNUSED(mode); +@@ -1331,6 +1340,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + } + } + ++#ifndef NO_PKEY + switch (ep11_data->pkey_mode) { + case PKEY_MODE_DISABLED: + /* Nothing to do */ +@@ -1423,6 +1433,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + goto done; + break; + } ++#endif /* NO_PKEY */ + + ret = CKR_OK; + +@@ -1431,6 +1442,19 @@ done: + return ret; + } + ++#ifdef NO_PKEY ++CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, ++ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) ++{ ++ UNUSED(tokdata); ++ UNUSED(session); ++ UNUSED(hkey); ++ UNUSED(mech); ++ ++ return CK_FALSE; ++} ++#endif /* NO_PKEY */ ++ + static CK_RV check_ab_supported(CK_KEY_TYPE type) { + switch(type) { + case CKK_AES: +@@ -2837,8 +2861,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, + goto error; + } + ++#ifndef NO_PKEY + ep11_data->msa_level = get_msa_level(); + TRACE_INFO("MSA level = %i\n", ep11_data->msa_level); ++#endif + + if (pthread_mutex_init(&ep11_data->raw2key_wrap_blob_mutex, NULL) != 0) { + TRACE_ERROR("Initializing Wrap-Blob lock failed.\n"); +@@ -2847,19 +2873,20 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber, + } + ep11_data->raw2key_wrap_blob_l = 0; + +- + if (pthread_mutex_init(&ep11_data->pkey_mutex, NULL) != 0) { + TRACE_ERROR("Initializing PKEY lock failed.\n"); + rc = CKR_CANT_LOCK; + goto error; + } + ++#ifndef NO_PKEY + if (!ep11tok_pkey_option_disabled(tokdata) && + !ep11_data->fips_session_mode) { + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, NULL); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + goto error; + } ++#endif /* NO_PKEY */ + + if (ep11_data->vhsm_mode || ep11_data->fips_session_mode) { + if (pthread_mutex_init(&ep11_data->session_mutex, NULL) != 0) { +@@ -3178,7 +3205,11 @@ static CK_RV import_aes_xts_key(STDLL_TokData_t *tokdata, SESSION *sess, + if (rc != CKR_OK) + goto import_aes_xts_key_end; + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check_aes_xts(tokdata, aes_xts_key_obj, CKM_AES_XTS); ++#else ++ rc = CKR_FUNCTION_NOT_SUPPORTED; ++#endif + if (rc != CKR_OK) { + TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", __func__, rc); + goto import_aes_xts_key_end; +@@ -4562,10 +4593,12 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess, + return rc; + } + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + return rc; ++#endif /* NO_PKEY */ + + memset(blob, 0, sizeof(blob)); + memset(blobreenc, 0, sizeof(blobreenc)); +@@ -4797,10 +4830,12 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session, + goto error; + } + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + goto error; ++#endif /* NO_PKEY */ + + rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len, + MODE_KEYGEN, CKO_SECRET_KEY, ktype, &key_obj); +@@ -4820,7 +4855,11 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session, + + if (mech->mechanism == CKM_AES_XTS_KEY_GEN) { + xts = TRUE; ++#ifndef NO_PKEY + rc = ep11tok_pkey_check_aes_xts(tokdata, key_obj, mech->mechanism); ++#else ++ rc = CKR_FUNCTION_NOT_SUPPORTED; ++#endif + if (rc != CKR_OK) { + TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", + __func__, rc); +@@ -5812,7 +5851,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, + CK_BYTE *out_data, CK_ULONG *out_data_len, + OBJECT *key_obj ) + { ++#ifndef NO_PKEY + SIGN_VERIFY_CONTEXT *ctx = &(session->sign_ctx); ++#endif + CK_RV rc; + size_t keyblobsize = 0; + CK_BYTE *keyblob; +@@ -5826,6 +5867,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, + return rc; + } + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech); + switch (rc) { + case CKR_OK: +@@ -5837,6 +5879,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, + default: + goto done; + } ++#endif /* NO_PKEY */ + + mech.mechanism = CKM_ECDSA; + mech.pParameter = NULL; +@@ -5856,7 +5899,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session, + TRACE_INFO("%s rc=0x%lx\n", __func__, rc); + } + ++#ifndef NO_PKEY + done: ++#endif + + return rc; + } +@@ -5866,7 +5911,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, + CK_BYTE *out_data, CK_ULONG out_data_len, + OBJECT *key_obj ) + { ++#ifndef NO_PKEY + SIGN_VERIFY_CONTEXT *ctx = &(session->verify_ctx); ++#endif + CK_RV rc; + CK_BYTE *spki; + size_t spki_len = 0; +@@ -5880,6 +5927,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, + return rc; + } + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech); + switch (rc) { + case CKR_OK: +@@ -5891,6 +5939,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, + default: + goto done; + } ++#endif /* NO_PKEY */ + + mech.mechanism = CKM_ECDSA; + mech.pParameter = NULL; +@@ -5911,7 +5960,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session, + TRACE_INFO("%s rc=0x%lx\n", __func__, rc); + } + ++#ifndef NO_PKEY + done: ++#endif + + return rc; + } +@@ -5981,6 +6032,7 @@ CK_RV token_specific_reencrypt_single(STDLL_TokData_t *tokdata, + return rc; + } + ++#ifndef NO_PKEY + /** + * This routine is currently only used when the operation is performed using + * a protected key. Therefore we don't have (and don't need) an ep11 +@@ -6062,6 +6114,7 @@ CK_RV token_specific_aes_xts(STDLL_TokData_t *tokdata, SESSION *session, + return pkey_aes_xts(key_obj, init_v, in_data, in_data_len, + out_data, out_data_len, encrypt, initial, final, iv); + } ++#endif /* NO_PKEY */ + + struct EP11_KYBER_MECH { + CK_MECHANISM mech; +@@ -6829,10 +6882,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t *tokdata, SESSION *session, + goto error; + } + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + goto error; ++#endif /* NO_PKEY */ + + /* Start creating the key object */ + rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len, +@@ -8554,10 +8609,12 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess, + if (rc != CKR_OK) + goto error; + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + goto error; ++#endif /* NO_PKEY */ + + /* Now build the skeleton key. */ + rc = object_mgr_create_skel(tokdata, sess, pPublicKeyTemplate, +@@ -9202,6 +9259,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session, + goto done; + } + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); + switch (rc) { + case CKR_OK: +@@ -9239,6 +9297,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session, + free(ep11_sign_state); + goto done; + } ++#endif /* NO_PKEY */ + + if (mech->mechanism == CKM_IBM_ECDSA_OTHER) { + rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11); +@@ -9340,6 +9399,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, + CK_ULONG in_data_len, CK_BYTE * signature, + CK_ULONG * sig_len) + { ++#ifdef NO_PKEY ++ UNUSED(length_only); ++#endif + CK_RV rc; + SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx; + size_t keyblobsize = 0; +@@ -9355,6 +9417,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, + return rc; + } + ++#ifndef NO_PKEY + if (ctx->pkey_active) { + /* Note that Edwards curves in general are not yet supported in + * opencryptoki. These two special IBM specific ED mechs are only +@@ -9372,6 +9435,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, + } + goto done; /* no ep11 fallback possible */ + } ++#endif /* NO_PKEY */ + + RETRY_SESSION_SINGLE_APQN_START(rc, tokdata) + RETRY_UPDATE_BLOB_START(tokdata, target_info, +@@ -9394,7 +9458,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session, + TRACE_INFO("%s rc=0x%lx\n", __func__, rc); + } + ++#ifndef NO_PKEY + done: ++#endif + + object_put(tokdata, key_obj, TRUE); + key_obj = NULL; +@@ -9638,6 +9704,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session, + goto done; + } + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); + switch (rc) { + case CKR_OK: +@@ -9675,6 +9742,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session, + free(ep11_sign_state); + goto done; + } ++#endif /* NO_PKEY */ + + if (mech->mechanism == CKM_IBM_ECDSA_OTHER) { + rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11); +@@ -9787,6 +9855,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, + return rc; + } + ++#ifndef NO_PKEY + if (ctx->pkey_active) { + /* Note that Edwards curves in general are not yet supported in + * opencryptoki. These two special IBM specific ED mechs are only +@@ -9805,6 +9874,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, + } + goto done; /* no ep11 fallback possible */ + } ++#endif /* NO_PKEY */ + + RETRY_SESSION_SINGLE_APQN_START(rc, tokdata) + RETRY_UPDATE_BLOB_START(tokdata, target_info, +@@ -9827,7 +9897,9 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session, + TRACE_INFO("%s rc=0x%lx\n", __func__, rc); + } + ++#ifndef NO_PKEY + done: ++#endif + + object_put(tokdata, key_obj, TRUE); + key_obj = NULL; +@@ -10561,6 +10633,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session, + goto error; + } + ++#ifndef NO_PKEY + rc = ep11tok_pkey_check(tokdata, session, key_obj, mech); + switch (rc) { + case CKR_OK: +@@ -10604,6 +10677,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session, + free(ep11_state); + goto done; + } ++#endif /* NO_PKEY */ + + /* + * ep11_state is allocated large enough to hold 2 times the max state blob. +@@ -11150,10 +11224,12 @@ CK_RV ep11tok_unwrap_key(STDLL_TokData_t * tokdata, SESSION * session, + goto done; + } + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + goto error; ++#endif /* NO_PKEY */ + + /* Start creating the key object */ + rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len, +@@ -11878,6 +11954,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, + } + break; + ++#ifndef NO_PKEY + case CKM_IBM_CPACF_WRAP: + if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3) <= 0) { + TRACE_INFO("%s Mech '%s' banned due to host library version\n", +@@ -11895,6 +11972,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, + goto out; + } + break; ++#endif /* NO_PKEY */ + + case CKM_IBM_BTC_DERIVE: + if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3_1) < 0) { +@@ -12268,6 +12346,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, + { + if (strcmp(strval, "DISABLED") == 0) + ep11_data->pkey_mode = PKEY_MODE_DISABLED; ++#ifndef NO_PKEY + else if (strcmp(strval, "DEFAULT") == 0) + ep11_data->pkey_mode = PKEY_MODE_DEFAULT; + else if (strcmp(strval, "ENABLE4NONEXTR") == 0) +@@ -12276,6 +12355,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data, + ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR; + else if (strcmp(strval, "ENABLE4ALL") == 0) + ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL; ++#endif /* NO_PKEY */ + else { + TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval); + OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' " +@@ -12456,7 +12536,11 @@ static CK_RV read_adapter_config_file(STDLL_TokData_t * tokdata, + sizeof(ep11_data->token_config_filename) - 1] = '\0'; + + ep11_data->target_list.length = 0; ++#ifndef NO_PKEY + ep11_data->pkey_mode = PKEY_MODE_DEFAULT; ++#else ++ ep11_data->pkey_mode = PKEY_MODE_DISABLED; ++#endif + + /* Default to use default libica library for digests */ + ep11_data->digest_libica = 1; +@@ -14695,10 +14779,12 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, + } + } + ++#ifndef NO_PKEY + /* Ensure the firmware master key verification pattern is available */ + rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session); + if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) + return rc; ++#endif /* NO_PKEY */ + + node = new_tmpl->attribute_list; + while (node) { +@@ -14734,6 +14820,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, + goto out; + } + break; ++#ifndef NO_PKEY + case CKA_IBM_PROTKEY_EXTRACTABLE: + if (ep11_data->pkey_wrap_supported) { + rc = add_to_attribute_array(&attributes, &num_attributes, +@@ -14746,6 +14833,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata, + } + } + break; ++#endif /* NO_PKEY */ + default: + /* Either non-boolean, or read-only */ + break; +diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk +index 6a1d68be..e543c514 100644 +--- a/usr/lib/ep11_stdll/ep11_stdll.mk ++++ b/usr/lib/ep11_stdll/ep11_stdll.mk +@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \ + usr/lib/common/trace.c usr/lib/common/mech_list.c \ + usr/lib/common/shared_memory.c usr/lib/common/attributes.c \ + usr/lib/common/sw_crypt.c usr/lib/common/profile_obj.c \ +- usr/lib/common/dlist.c usr/lib/common/pkey_utils.c \ ++ usr/lib/common/dlist.c \ + usr/lib/ep11_stdll/new_host.c usr/lib/common/mech_openssl.c \ + usr/lib/ep11_stdll/ep11_specific.c \ + usr/lib/ep11_stdll/ep11_session.c \ +@@ -53,3 +53,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \ + usr/lib/common/pqc_supported.c \ + usr/lib/hsm_mk_change/hsm_mk_change.c \ + usr/lib/common/btree.c usr/lib/common/sess_mgr.c ++ ++if !NO_PKEY ++opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \ ++ usr/lib/common/pkey_utils.c ++endif +diff --git a/usr/lib/ep11_stdll/tok_struct.h b/usr/lib/ep11_stdll/tok_struct.h +index 304e3eb9..17a5bcf0 100644 +--- a/usr/lib/ep11_stdll/tok_struct.h ++++ b/usr/lib/ep11_stdll/tok_struct.h +@@ -115,8 +115,13 @@ token_spec_t token_specific = { + // AES + NULL, // aes_key_gen, + NULL, // aes_xts_key_gen ++#ifndef NO_PKEY + &token_specific_aes_ecb, + &token_specific_aes_cbc, ++#else ++ NULL, // aes_ecb ++ NULL, // aes_cbc ++#endif + NULL, // aes_ctr + NULL, // aes_gcm_init + NULL, // aes_gcm +@@ -125,8 +130,13 @@ token_spec_t token_specific = { + NULL, // aes_ofb + NULL, // aes_cfb + NULL, // aes_mac ++#ifndef NO_PKEY + &token_specific_aes_cmac, + &token_specific_aes_xts, // aes_xts ++#else ++ NULL, // aes_cmac ++ NULL, // aes_xts ++#endif + // DSA + NULL, // dsa_generate_keypair, + NULL, // dsa_sign diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-05.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-05.patch new file mode 100644 index 0000000..7daf5d0 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-05.patch @@ -0,0 +1,61 @@ +commit 0bdcc661e64950e5ea11d950484631ba90e69426 +Author: Joerg Schmidbauer +Date: Thu Mar 7 17:51:40 2024 +0100 + + EP11 pkey option: consolidate code parts, no logic change + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 114c4ce1..9f855934 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1369,11 +1369,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + add_pkey_extractable = CK_TRUE; + break; + } +- if (add_pkey_extractable) { +- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); +- if (ret != CKR_OK) +- goto done; +- } + break; + case PKEY_MODE_ENABLE4EXTR: + /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in +@@ -1396,11 +1391,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + add_pkey_extractable = CK_TRUE; + break; + } +- if (add_pkey_extractable) { +- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); +- if (ret != CKR_OK) +- goto done; +- } + break; + case PKEY_MODE_ENABLE4ALL: + /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in +@@ -1421,11 +1411,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + add_pkey_extractable = CK_TRUE; + break; + } +- if (add_pkey_extractable) { +- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); +- if (ret != CKR_OK) +- goto done; +- } + break; + default: + TRACE_ERROR("PKEY_MODE %i unsupported.\n", ep11_data->pkey_mode); +@@ -1433,6 +1418,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + goto done; + break; + } ++ ++ if (add_pkey_extractable) { ++ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl); ++ if (ret != CKR_OK) ++ goto done; ++ } + #endif /* NO_PKEY */ + + ret = CKR_OK; diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-06.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-06.patch new file mode 100644 index 0000000..5494187 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-06.patch @@ -0,0 +1,26 @@ +commit 88761bc4bd560801ec8a18b96cc82586dd719ca3 +Author: Joerg Schmidbauer +Date: Tue Mar 12 17:13:33 2024 +0100 + + EP11: add check if protected-key support available at all + + If it is already known that the PKEY wrap is not supported or not + functioning (for whatever reason), then don't report the XTS + mechanisms as supported. + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 9f855934..7850e43f 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -12001,7 +12001,8 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata, + + case CKM_AES_XTS: + case CKM_AES_XTS_KEY_GEN: +- if (ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 || ++ if ((ep11_data->pkey_wrap_support_checked && !ep11_data->pkey_wrap_supported) || ++ ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 || + ep11tok_is_mechanism_supported(tokdata, CKM_IBM_CPACF_WRAP) != CKR_OK || + ep11tok_is_mechanism_supported(tokdata, CKM_AES_KEY_GEN) != CKR_OK) { + TRACE_INFO("%s Mech '%s' not suppported\n", __func__, diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-07.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-07.patch new file mode 100644 index 0000000..7ba6623 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-07.patch @@ -0,0 +1,31 @@ +commit 99b87ff678abfb71ba05741d1942e8ac723110c8 +Author: Joerg Schmidbauer +Date: Tue Mar 12 17:30:36 2024 +0100 + + EP11: consider combined-extract for XTS pkey check + + Signed-off-by: Joerg Schmidbauer + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 7850e43f..e2c9a77e 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, + CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, + CK_MECHANISM_TYPE type) + { ++ ep11_private_data_t *ep11_data = tokdata->private_data; ++ + if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) { + TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID)); + return CKR_MECHANISM_INVALID; + } + +- if (object_is_extractable(key_obj) || +- !object_is_pkey_extractable(key_obj) || +- object_is_attr_bound(key_obj)) { ++ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) { ++ TRACE_ERROR("Key not eligible for pkey support\n"); + return CKR_TEMPLATE_INCONSISTENT; + } + diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-08.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-08.patch new file mode 100644 index 0000000..bdae467 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-08.patch @@ -0,0 +1,306 @@ +commit 5b20a1454ca464b07e7686340a579d8b1870e572 +Author: Ingo Franzki +Date: Wed Mar 20 08:44:25 2024 +0100 + + EP11: Reject combined extract attribute settings if it is not supported + + In case the control point setting of the adapters do not allow that attributes + CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE are both true, then reject + this with CKR_TEMPLATE_INCONSISTENT. + + The EP11 code would reject that with CKR_FUNCTION_CANCELED, which for EP11 + it means that it violates an internal policy (i.e. control point settings), + but in PKCS#11 this return code has a totally different meaning. So reject + such situations explicitly with the correct return code. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index e2c9a77e..b5d788bf 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1089,20 +1089,23 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session, + * Returns true if the given key object is eligible to get a protected key + * attribute, false otherwise. + */ +-CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data, +- OBJECT *key_obj) ++static CK_RV ep11tok_pkey_obj_eligible_for_pkey_support( ++ ep11_private_data_t *ep11_data, ++ OBJECT *key_obj) + { + if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported || + !object_is_pkey_extractable(key_obj)) { +- return CK_FALSE; ++ return CKR_FUNCTION_NOT_SUPPORTED; + } + + if (!ep11_data->pkey_combined_extract_supported && + object_is_extractable(key_obj)) { +- return CK_FALSE; ++ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE " ++ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n"); ++ return CKR_TEMPLATE_INCONSISTENT; + } + +- return CK_TRUE; ++ return CKR_OK; + } + + /** +@@ -1176,7 +1179,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session, + if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK) + goto done; + +- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) ++ ret = ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj); ++ if (ret != CKR_OK) + goto done; + + if (template_attribute_get_non_empty(key_obj->template, +@@ -1218,11 +1222,14 @@ done: + /** + * Wrapper function around ep11tok_pkey_check for the case where we don't + * have a key object. This function is called externally from new_host.c. ++ * Returns CKR_OK if pkey usage is OK, CKR_FUNCTION_NOT_SUPPORTED if pkey ++ * is not supported, or any other return code in case of an error. In such ++ * cases the calling function should itself return with an error, because ++ * neither the secure key nor the protected key path will work. + */ +-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, +- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) ++CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, ++ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) + { +- CK_BBOOL success = CK_FALSE; + size_t keyblobsize = 0; + CK_BYTE *keyblob; + OBJECT *key_obj; +@@ -1232,17 +1239,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, + READ_LOCK); + if (ret != CKR_OK) { + TRACE_ERROR("%s no blob ret=0x%lx\n", __func__, ret); +- return CK_FALSE; ++ return ret; + } + + ret = ep11tok_pkey_check(tokdata, session, key_obj, mech); +- if (ret == CKR_OK) +- success = CK_TRUE; + + object_put(tokdata, key_obj, TRUE); + key_obj = NULL; + +- return success; ++ return ret; + } + + CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, +@@ -1255,7 +1260,8 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj, + return CKR_MECHANISM_INVALID; + } + +- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) { ++ if (ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, ++ key_obj) != CKR_OK) { + TRACE_ERROR("Key not eligible for pkey support\n"); + return CKR_TEMPLATE_INCONSISTENT; + } +@@ -1307,10 +1313,10 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + { + ep11_private_data_t *ep11_data = tokdata->private_data; + CK_ATTRIBUTE *sensitive_attr = NULL; +- CK_BBOOL sensitive, btrue = CK_TRUE; ++ CK_BBOOL sensitive, extractable, pkey_extractable, btrue = CK_TRUE; + #ifndef NO_PKEY + CK_ATTRIBUTE *ecp_attr = NULL; +- CK_BBOOL extractable, add_pkey_extractable = CK_FALSE; ++ CK_BBOOL add_pkey_extractable = CK_FALSE; + #endif + CK_RV ret; + +@@ -1341,6 +1347,25 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata, + } + } + ++ if (!ep11_data->pkey_combined_extract_supported) { ++ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable); ++ if (ret != CKR_OK) ++ extractable = FALSE; ++ ++ ret = template_attribute_get_bool(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, ++ &pkey_extractable); ++ if (ret != CKR_OK) ++ pkey_extractable = FALSE; ++ ++ if (extractable && pkey_extractable) { ++ /* The EP11 call would return CKR_FUNCTION_CANCELED in that case */ ++ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE " ++ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n"); ++ ret = CKR_TEMPLATE_INCONSISTENT; ++ goto done; ++ } ++ } ++ + #ifndef NO_PKEY + switch (ep11_data->pkey_mode) { + case PKEY_MODE_DISABLED: +diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h +index 16d3c719..9ba28cb8 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.h ++++ b/usr/lib/ep11_stdll/ep11_specific.h +@@ -585,8 +585,8 @@ CK_BBOOL ep11tok_libica_mech_available(STDLL_TokData_t *tokdata, + CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata, + CK_TOKEN_INFO_PTR pInfo); + +-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, +- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech); ++CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, ++ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech); + + CK_RV ep11tok_set_operation_state(STDLL_TokData_t *tokdata, SESSION *session); + +diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c +index 299a1d3c..f84d0810 100644 +--- a/usr/lib/ep11_stdll/new_host.c ++++ b/usr/lib/ep11_stdll/new_host.c +@@ -2080,9 +2080,15 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + sess->encr_ctx.multi_init = FALSE; + sess->encr_ctx.multi = FALSE; + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(pMechanism)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + /* In case of a single part encrypt operation we don't need the + * EncryptInit, instead we can use the EncryptSingle which is much + * faster. In case of multi-part operations we are doing the EncryptInit +@@ -2179,9 +2185,16 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + goto done; + } + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, ++ &sess->encr_ctx.mech); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(&sess->encr_ctx.mech)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech, + length_only, sess->encr_ctx.key, + pData, ulDataLen, pEncryptedData, +@@ -2408,9 +2421,15 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + sess->decr_ctx.multi_init = FALSE; + sess->decr_ctx.multi = FALSE; + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(pMechanism)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + /* In case of a single part decrypt operation we don't need the + * DecryptInit, instead we can use the EncryptSingle which is much + * faster. In case of multi-part operations we are doing the DecryptInit +@@ -2508,9 +2527,16 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + goto done; + } + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, ++ &sess->decr_ctx.mech); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(&sess->decr_ctx.mech)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech, + length_only, sess->decr_ctx.key, + pEncryptedData, ulEncryptedDataLen, +@@ -2992,9 +3018,15 @@ CK_RV SC_SignInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + sess->sign_ctx.multi_init = FALSE; + sess->sign_ctx.multi = FALSE; + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(pMechanism)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + /* In case of a single part sign operation we don't need the SignInit, + * instead we can use the SignSingle which is much faster. + * In case of multi-part operations we are doing the SignInit when +@@ -3101,9 +3133,16 @@ CK_RV SC_Sign(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + goto done; + } + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, ++ &sess->sign_ctx.mech); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(&sess->sign_ctx.mech)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, &sess->sign_ctx.mech)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + rc = ep11tok_sign_single(tokdata, sess, &sess->sign_ctx.mech, + length_only, sess->sign_ctx.key, + pData, ulDataLen, pSignature, pulSignatureLen); +@@ -3391,9 +3430,15 @@ CK_RV SC_VerifyInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + sess->verify_ctx.multi_init = FALSE; + sess->verify_ctx.multi = FALSE; + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(pMechanism)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + /* In case of a single part verify operation we don't need the + * VerifyInit, instead we can use the VerifySingle which is much + * faster. In case of multi-part operations we are doing the VerifyInit +@@ -3497,9 +3542,16 @@ CK_RV SC_Verify(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, + goto done; + } + ++ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, ++ &sess->verify_ctx.mech); ++ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) { ++ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available, ++ but the ep11 fallback can be tried */ ++ goto done; ++ } + if ((ep11tok_optimize_single_ops(tokdata) || + ep11tok_mech_single_only(&sess->verify_ctx.mech)) && +- !ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, &sess->verify_ctx.mech)) { ++ rc == CKR_FUNCTION_NOT_SUPPORTED) { + rc = ep11tok_verify_single(tokdata, sess, &sess->verify_ctx.mech, + sess->verify_ctx.key, pData, ulDataLen, + pSignature, ulSignatureLen); diff --git a/SOURCES/opencryptoki-3.23-SEC2356-backport-09.patch b/SOURCES/opencryptoki-3.23-SEC2356-backport-09.patch new file mode 100644 index 0000000..e3e1974 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-SEC2356-backport-09.patch @@ -0,0 +1,36 @@ +commit 4fefcf517133260a7b63049d3a02c9249fe7776c +Author: Ingo Franzki +Date: Mon Apr 15 09:31:12 2024 +0200 + + EP11: Fix compile error with NO_PKEY defined + + Function signature of ep11tok_pkey_usage_ok() has changed, also change the + code inside the #ifdef NO_PKEY block. + + Fixes: cf978b111205b206c7b3c53f424f7085913c00d0 + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index b5d788bf..e9007a16 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -1460,15 +1460,15 @@ done: + } + + #ifdef NO_PKEY +-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, +- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) ++CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session, ++ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech) + { + UNUSED(tokdata); + UNUSED(session); + UNUSED(hkey); + UNUSED(mech); + +- return CK_FALSE; ++ return CKR_FUNCTION_NOT_SUPPORTED; + } + #endif /* NO_PKEY */ + diff --git a/SOURCES/opencryptoki-3.23-covcan-part1.patch b/SOURCES/opencryptoki-3.23-covcan-part1.patch new file mode 100644 index 0000000..c2a51d1 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-covcan-part1.patch @@ -0,0 +1,59 @@ +commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca +Author: Ingo Franzki +Date: Thu Jun 13 11:20:43 2024 +0200 + + COMMON: Fix errors reported by covscan + + Closes: https://github.com/opencryptoki/opencryptoki/issues/782 + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c +index b7e1f78e..fc88cbad 100644 +--- a/usr/lib/common/loadsave.c ++++ b/usr/lib/common/loadsave.c +@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata) + continue; + } + ++ /* size can not be negative if treated as signed int */ ++ if (size >= 0x80000000) { ++ fclose(fp2); ++ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s " ++ "(ignoring it)\n", fname); ++ continue; ++ } ++ + buf = (CK_BYTE *) malloc(size); + if (!buf) { + fclose(fp2); +diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c +index 71402700..4bc19814 100644 +--- a/usr/lib/common/mech_rng.c ++++ b/usr/lib/common/mech_rng.c +@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes) + if (ranfd >= 0) { + do { + rlen = read(ranfd, output + totallen, bytes - totallen); ++ if (rlen <= 0) { ++ close(ranfd); ++ return CKR_FUNCTION_FAILED; ++ } + totallen += rlen; + } while (totallen < bytes); + close(ranfd); +diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c +index 04edc76f..7421d1c5 100644 +--- a/usr/lib/common/pkcs_utils.c ++++ b/usr/lib/common/pkcs_utils.c +@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes) + if (ranfd >= 0) { + do { + rlen = read(ranfd, output + totallen, bytes - totallen); ++ if (rlen <= 0) { ++ close(ranfd); ++ return CKR_FUNCTION_FAILED; ++ } + totallen += rlen; + } while (totallen < bytes); + close(ranfd); diff --git a/SOURCES/opencryptoki-3.23-covcan-part2.patch b/SOURCES/opencryptoki-3.23-covcan-part2.patch new file mode 100644 index 0000000..49a4991 --- /dev/null +++ b/SOURCES/opencryptoki-3.23-covcan-part2.patch @@ -0,0 +1,73 @@ +commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02 +Author: Ingo Franzki +Date: Mon Jun 17 09:03:36 2024 +0200 + + ICSF: Fix covscan findings on potential integer overflows + + Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b' + are unsigned types. In case 'b' is larger than 'a', then the subtraction + result may overflow because the result is also treated as unsigned type. + Fix this by using 'if (a > b)' instead. + + Note that in the changed places 'a' is always larger or equal than 'b', + so the overflow does not happen. Still, changing the code to be less + error-prone is a good thing. + + Closes: https://github.com/opencryptoki/opencryptoki/issues/782 + + Suggested-by: Than Ngo + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c +index c3479cf8..1deb129c 100644 +--- a/usr/lib/icsf_stdll/icsf.c ++++ b/usr/lib/icsf_stdll/icsf.c +@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char) + str_len = len; + + memcpy(dest, orig, str_len); +- if ((len - str_len) > 0) ++ if (len > str_len) + memset(dest + str_len, ' ', len - str_len); + } + +diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c +index c617f1e6..6f16ca5e 100644 +--- a/usr/lib/icsf_stdll/icsf_specific.c ++++ b/usr/lib/icsf_stdll/icsf_specific.c +@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata, + goto done; + } + memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len); +- if (input_part_len - remaining > 0) ++ if (input_part_len > remaining) + memcpy(buffer + multi_part_ctx->used_data_len, input_part, + input_part_len - remaining); + +@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata, + goto done; + } + memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len); +- if (input_part_len - remaining > 0) ++ if (input_part_len > remaining) + memcpy(buffer + multi_part_ctx->used_data_len, input_part, + input_part_len - remaining); + +@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata, + } + memcpy(buffer, multi_part_ctx->data, + multi_part_ctx->used_data_len); +- if (out_len - multi_part_ctx->used_data_len > 0) ++ if (out_len > multi_part_ctx->used_data_len) + memcpy(buffer + multi_part_ctx->used_data_len, + (char *)in_data, + out_len - multi_part_ctx->used_data_len); +@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata, + } + memcpy(buffer, multi_part_ctx->data, + multi_part_ctx->used_data_len); +- if (out_len - multi_part_ctx->used_data_len > 0) ++ if (out_len > multi_part_ctx->used_data_len) + memcpy(buffer + multi_part_ctx->used_data_len, + (char *)in_data, + out_len - multi_part_ctx->used_data_len); diff --git a/SOURCES/opencryptoki.module b/SOURCES/opencryptoki.module new file mode 100644 index 0000000..4720c04 --- /dev/null +++ b/SOURCES/opencryptoki.module @@ -0,0 +1,8 @@ +# This file describes how to load the opensc module +# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html + +# This is a relative path, which means it will be loaded from +# the p11-kit default path which is usually $(libdir)/pkcs11. +# Doing it this way allows for packagers to package opensc for +# 32-bit and 64-bit and make them parallel installable +module: libopencryptoki.so diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec new file mode 100644 index 0000000..d333c9a --- /dev/null +++ b/SPECS/opencryptoki.spec @@ -0,0 +1,776 @@ +Name: opencryptoki +Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 +Version: 3.23.0 +Release: 5%{?dist} +License: CPL-1.0 +URL: https://github.com/opencryptoki/opencryptoki +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: opencryptoki.module +# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* +Patch1: opencryptoki-3.11.0-lockdir.patch +# fix install problem in buildroot +Patch2: opencryptoki-3.21.0-p11sak.patch +# upstream patches +# SEC2356-backport +Patch100: opencryptoki-3.23-SEC2356-backport-01.patch +Patch101: opencryptoki-3.23-SEC2356-backport-02.patch +Patch102: opencryptoki-3.23-SEC2356-backport-03.patch +Patch103: opencryptoki-3.23-SEC2356-backport-04.patch +Patch104: opencryptoki-3.23-SEC2356-backport-05.patch +Patch105: opencryptoki-3.23-SEC2356-backport-06.patch +Patch106: opencryptoki-3.23-SEC2356-backport-07.patch +Patch107: opencryptoki-3.23-SEC2356-backport-08.patch +Patch108: opencryptoki-3.23-SEC2356-backport-09.patch +Patch109: opencryptoki-3.23-covcan-part1.patch +Patch110: opencryptoki-3.23-covcan-part2.patch + +Requires(pre): coreutils +Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted) +BuildRequires: gcc +BuildRequires: gcc-c++ +BuildRequires: openssl-devel >= 1.1.1 +%if 0%{?tmptok} +BuildRequires: trousers-devel +%endif +BuildRequires: openldap-devel +BuildRequires: autoconf automake libtool +BuildRequires: bison flex +BuildRequires: libcap-devel +BuildRequires: expect +BuildRequires: make +BuildRequires: systemd-rpm-macros +%ifarch s390 s390x +BuildRequires: libica-devel >= 2.3 +# for /usr/include/libudev.h +BuildRequires: systemd-devel +%endif +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}(token) +Requires(post): systemd diffutils +Requires(preun): systemd +Requires(postun): systemd + + +%description +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the Slot Daemon (pkcsslotd) and general utilities. + + +%package libs +Summary: The run-time libraries for opencryptoki package +Requires(pre): shadow-utils + +%description libs +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package contains the PKCS#11 library implementation, and requires +at least one token implementation (packaged separately) to be fully +functional. + + +%package devel +Summary: Development files for openCryptoki +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description devel +This package contains the development header files for building +opencryptoki and PKCS#11 based applications + + +%package swtok +Summary: The software token implementation for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description swtok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the software token implementation to use opencryptoki +without any specific cryptographic hardware. + + +%package tpmtok +Summary: Trusted Platform Module (TPM) device support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description tpmtok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +Trusted Platform Module (TPM) devices in the opencryptoki stack. + + +%package icsftok +Summary: ICSF token support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icsftok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support +ICSF token in the opencryptoki stack. + + +%ifarch s390 s390x +%package icatok +Summary: ICA cryptographic devices (clear-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description icatok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support ICA +devices in the opencryptoki stack. ICA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"accelerator" or "clear-key" path. + +%package ccatok +Summary: CCA cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ccatok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support CCA +devices in the opencryptoki stack. CCA is an interface to IBM +cryptographic hardware such as IBM 4764 or 4765 that uses the +"co-processor" or "secure-key" path. + +%package ep11tok +Summary: EP11 cryptographic devices (secure-key) support for opencryptoki +Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: %{name}(token) + +%description ep11tok +Opencryptoki implements the PKCS#11 specification v2.20 for a set of +cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the +Trusted Platform Module (TPM) chip. Opencryptoki also brings a software +token implementation that can be used without any cryptographic +hardware. +This package brings the necessary libraries and files to support EP11 +tokens in the opencryptoki stack. The EP11 token is a token that uses +the IBM Crypto Express adapters (starting with Crypto Express 4S adapters) +configured with Enterprise PKCS#11 (EP11) firmware. +%endif + + +%prep +%autosetup -p1 + + +%build +./bootstrap.sh + +%configure --with-systemd=%{_unitdir} --enable-testcases \ + --with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \ +%if 0%{?tpmtok} + --enable-tpmtok \ +%else + --disable-tpmtok \ +%endif +%ifarch s390 s390x + --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate +%else + --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate +%endif + +%make_build CHGRP=/bin/true + + +%install +%make_install CHGRP=/bin/true + + +%pre +# don't touch opencryptoki.conf even if it is unchanged due to new tokversion +# backup config file. bz#2044179 +%global cfile /etc/opencryptoki/opencryptoki.conf +%global csuffix .rpmsave.XyoP +if test $1 -gt 1 && test -f %{cfile} ; then + cp -p %{cfile} %{cfile}%{csuffix} +fi + +%pre libs +getent group pkcs11 >/dev/null || groupadd -r pkcs11 +getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd +exit 0 + +%post +# restore the config file from %pre +if test $1 -gt 1 && test -f %{cfile} ; then + if ( ! cmp -s %{cfile} %{cfile}%{csuffix} ) ; then + cp -p %{cfile} %{cfile}.rpmnew + fi + cp -p %{cfile}%{csuffix} %{cfile} && rm -f %{cfile}%{csuffix} +fi + +%systemd_post pkcsslotd.service +if test $1 -eq 1; then + %tmpfiles_create %{name}.conf +fi + +%preun +%systemd_preun pkcsslotd.service + +%postun +%systemd_postun_with_restart pkcsslotd.service + + +%files +%doc ChangeLog FAQ README.md +%doc doc/opencryptoki-howto.md +%doc doc/README.token_data +%doc %{_docdir}/%{name}/*.conf +%dir %{_sysconfdir}/%{name} +%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf +%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf +%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf +%{_tmpfilesdir}/%{name}.conf +%{_unitdir}/pkcsslotd.service +%{_sbindir}/p11sak +%{_sbindir}/pkcstok_migrate +%{_sbindir}/pkcsconf +%{_sbindir}/pkcsslotd +%{_sbindir}/pkcsstats +%{_sbindir}/pkcshsm_mk_change +%{_mandir}/man1/p11sak.1* +%{_mandir}/man1/pkcstok_migrate.1* +%{_mandir}/man1/pkcsconf.1* +%{_mandir}/man1/pkcsstats.1* +%{_mandir}/man1/pkcshsm_mk_change.1* +%{_mandir}/man5/policy.conf.5* +%{_mandir}/man5/strength.conf.5* +%{_mandir}/man5/%{name}.conf.5* +%{_mandir}/man5/p11sak_defined_attrs.conf.5* +%{_mandir}/man7/%{name}.7* +%{_mandir}/man8/pkcsslotd.8* +%{_libdir}/opencryptoki/methods +%{_libdir}/pkcs11/methods +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name} +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/* +%dir %attr(710,pkcsslotd,pkcs11) /run/%{name} + +%files libs +%license LICENSE +%{_sysconfdir}/ld.so.conf.d/* +# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki +# needs them in the main package, because: +# documentation suggests that programs should dlopen "PKCS11_API.so". +%dir %{_libdir}/opencryptoki +%{_libdir}/opencryptoki/libopencryptoki.* +%{_libdir}/opencryptoki/PKCS11_API.so +%dir %{_libdir}/opencryptoki/stdll +%dir %{_libdir}/pkcs11 +%{_libdir}/pkcs11/libopencryptoki.so +%{_libdir}/pkcs11/PKCS11_API.so +%{_libdir}/pkcs11/stdll +%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki + +%files devel +%{_includedir}/%{name}/ +%{_libdir}/pkgconfig/%{name}.pc + +%files swtok +%{_libdir}/opencryptoki/stdll/libpkcs11_sw.* +%{_libdir}/opencryptoki/stdll/PKCS11_SW.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ + +%if 0%{?tmptok} +%files tpmtok +%doc doc/README.tpm_stdll +%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* +%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ +%endif + +%files icsftok +%doc doc/README.icsf_stdll +%{_sbindir}/pkcsicsf +%{_mandir}/man1/pkcsicsf.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/ + +%ifarch s390 s390x +%files icatok +%{_libdir}/opencryptoki/stdll/libpkcs11_ica.* +%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ + +%files ccatok +%doc doc/README.cca_stdll +%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf +%{_sbindir}/pkcscca +%{_mandir}/man1/pkcscca.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_cca.* +%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/ + +%files ep11tok +%doc doc/README.ep11_stdll +%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf +%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf +%{_sbindir}/pkcsep11_migrate +%{_sbindir}/pkcsep11_session +%{_mandir}/man1/pkcsep11_migrate.1* +%{_mandir}/man1/pkcsep11_session.1* +%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.* +%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ +%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/ +%endif + + +%changelog +* Mon Jun 24 2024 Troy Dawson - 3.23.0-5 +- Bump release for June 2024 mass rebuild + +* Tue Jun 18 2024 Than Ngo - 3.23.0-4 +- Resolves: RHEL-42492, SAST + +* Wed May 22 2024 Than Ngo - 3.23.0-3 +- Related: RHEL-24038, backport - ep11 token: support protected keys for extractable keys + +* Tue Apr 16 2024 Than Ngo - 3.23.0-2 +- enable gating tests + +Resolves: RHEL-24037, RHEL-24038 + +* Wed Feb 07 2024 Than Ngo - 3.23.0-1 +- 3.23.0 + * EP11: Add support for FIPS-session mode + * Updates to harden against RSA timing attacks + * Bug fixes + +* Tue Jan 30 2024 Dan Horák - 3.22.0-4 +- fix all errors and warnings (rhbz#2261419) + +* Thu Jan 25 2024 Fedora Release Engineering - 3.22.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 3.22.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Sep 21 2023 Than Ngo - 3.22.0-1 +- update to 3.22.0 + +* Thu Jul 20 2023 Fedora Release Engineering - 3.21.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 17 2023 Than Ngo - 3.21.0-5 +- p11sak tool: slot option does not accept argument 0 for slot index 0 +- p11sak fails as soon as there reside non-key objects + +* Thu May 25 2023 Than Ngo - 3.21.0-4 +- add verify attributes for opencryptoki.conf to ignore the + verification + +* Mon May 22 2023 Than Ngo - 3.21.0-3 +- drop p11_kit_support +- fix handling of user name +- fix user confirmation prompt behavior when stdin is closed + +* Tue May 16 2023 Than Ngo - 3.21.0-2 +- add missing /var/lib/opencryptoki/HSM_MK_CHANGE + +* Mon May 15 2023 Than Ngo - 3.21.0-1 +- update to 3.21.0 + +* Tue Feb 14 2023 Than Ngo - 3.20.0-2 +- migrated to SPDX license + +* Mon Feb 13 2023 Than Ngo - 3.20.0-1 +- update to 3.20.0 +- drop unnecessary opencryptoki-3.11.0-group.patch + +* Wed Feb 08 2023 Than Ngo - 3.19.0-3 +- Add support of ep11 token for new IBM Z Hardware (IBM z16) + +* Thu Jan 19 2023 Fedora Release Engineering - 3.19.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Tue Oct 11 2022 Than Ngo - 3.19.0-1 +- update to 3.19.0 + +* Wed Sep 14 2022 Florian Weimer - 3.18.0-5 +- Add missing build dependency on systemd-rpm-macros + +* Mon Aug 01 2022 Than Ngo - 3.18.0-4 +- fix json output +- do not touch opencryptoki.conf if it is in place already and even if it is unchanged + +* Fri Jul 22 2022 Fedora Release Engineering - 3.18.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon May 09 2022 Than Ngo - 3.18.0-2 +- add missing strength.conf + +* Mon May 02 2022 Than Ngo - 3.18.0-1 +- 3.18.0 + +* Wed Apr 20 2022 Dan Horák - 3.17.0-7 +- fix initialization (#2075851, #2074587) + +* Wed Apr 06 2022 Than Ngo - 3.17.0-6 +- add tokversion + +* Wed Apr 06 2022 Than Ngo - 3.17.0-5 +- upstream fixes - openssl cleanup for opencryptoki, Avoid deadlock when stopping event thread + +* Thu Jan 20 2022 Fedora Release Engineering - 3.17.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Nov 25 2021 Than Ngo - 3.17.0-3 +- fix covscan issues + +* Tue Nov 09 2021 Than Ngo - 3.17.0-2 +- add missing config file p11sak_defined_attrs.conf + +* Tue Oct 19 2021 Than Ngo - 3.17.0-1 +- rebase to 3.17.0 + +* Tue Sep 14 2021 Sahana Prasad - 3.16.0-5 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Sep 03 2021 Than Ngo - 3.16.0-4 +- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes +- Resolves: #1974365, Fix detection if pkcsslotd is still running + +* Thu Jul 22 2021 Fedora Release Engineering - 3.16.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 30 2021 Than Ngo - 3.16.0-2 +- Added Event Notification Support +- Added conditional requirement on selinux-policy >= 34.10-1 +- pkcsslotd PIDfile below legacy directory +- Added BR on systemd-devel + +* Wed Mar 31 2021 Dan Horák - 3.16.0-1 +- Rebase to 3.16.0 + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 3.15.1-6 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Fri Feb 12 2021 Than Ngo - 3.15.1-5 +- Added upstream patch, a slot ID has nothing to do with the number of slots + +* Tue Jan 26 2021 Fedora Release Engineering - 3.15.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Dec 22 2020 Than Ngo - 3.15.1-3 +- Drop tpm1.2 support by default + +* Tue Dec 22 2020 Than Ngo - 3.15.1-2 +- Fix compiling with c++ +- Added error message handling for p11sak remove-key command +- Add BR on make + +* Mon Nov 02 2020 Than Ngo - 3.15.1-1 +- Rebase to 3.15.1 + +* Mon Oct 19 2020 Dan Horák - 3.15.0-1 +- Rebase to 3.15.0 + +* Tue Jul 28 2020 Fedora Release Engineering - 3.14.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 3.14.0-5 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Wed Jul 08 2020 Than Ngo - 3.14.0-4 +- added PIN conversion tool + +* Wed Jul 01 2020 Than Ngo - 3.14.0-3 +- upstream fix - handle early error cases in C_Initialize + +* Wed May 27 2020 Than Ngo - 3.14.0-2 +- fix regression, segfault in C_SetPin + +* Fri May 15 2020 Dan Horák - 3.14.0-1 +- Rebase to 3.14.0 + +* Fri Mar 06 2020 Dan Horák - 3.13.0-1 +- Rebase to 3.13.0 + +* Mon Feb 03 2020 Dan Horák - 3.12.1-3 +- fix build with gcc 10 + +* Wed Jan 29 2020 Fedora Release Engineering - 3.12.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Nov 27 2019 Dan Horák - 3.12.1-1 +- Rebase to 3.12.1 + +* Wed Nov 13 2019 Dan Horák - 3.12.0-1 +- Rebase to 3.12.0 + +* Sun Sep 22 2019 Dan Horák - 3.11.1-1 +- Rebase to 3.11.1 + +* Thu Jul 25 2019 Fedora Release Engineering - 3.11.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Mar 28 2019 Than Ngo - 3.11.0-4 +- enable testcase by default +- fix URL + +* Tue Feb 19 2019 Than Ngo - 3.11.0-3 +- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group + +* Fri Feb 01 2019 Fedora Release Engineering - 3.11.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jan 31 2019 Than Ngo - 3.11.0-1 +- Updated to 3.11.0 +- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki" +- Ported root's group membership's patch for 3.11.0 + +* Fri Jul 13 2018 Fedora Release Engineering - 3.10.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 12 2018 Dan Horák - 3.10.0-1 +- Rebase to 3.10.0 + +* Fri Feb 23 2018 Dan Horák - 3.9.0-1 +- Rebase to 3.9.0 + +* Thu Feb 08 2018 Fedora Release Engineering - 3.8.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Nov 24 2017 Dan Horák - 3.8.2-2 +- use upstream tmpfiles config + +* Thu Nov 23 2017 Dan Horák - 3.8.2-1 +- Rebase to 3.8.2 (#1512678) + +* Thu Aug 03 2017 Fedora Release Engineering - 3.7.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 3.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed May 17 2017 Sinny Kumari - 3.7.0-1 +- Rebase to 3.7.0 +- Added libitm-devel as BuildRequires + +* Mon Apr 03 2017 Sinny Kumari - 3.6.2-1 +- Rebase to 3.6.2 +- RHBZ#1424017 - opencryptoki: FTBFS in rawhide + +* Sat Feb 11 2017 Fedora Release Engineering - 3.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Sep 01 2016 Jakub Jelen - 3.5.1-1 +- New upstream release + +* Tue May 03 2016 Jakub Jelen - 3.5-1 +- New upstream release + +* Thu Feb 04 2016 Fedora Release Engineering - 3.4.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Dec 07 2015 Jakub Jelen 3.4.1-1 +- New bugfix upstream release + +* Wed Nov 18 2015 Jakub Jelen 3.4-1 +- New upstream release +- Adding post-release patch fixing compile warnings + +* Thu Aug 27 2015 Jakub Jelen 3.3-1.1 +- New upstream release +- Correct dependencies for group creation + +* Wed Jun 17 2015 Fedora Release Engineering - 3.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu May 07 2015 Jakub Jelen 3.2-3 +- Few more undefined symbols fixed for s390(x) specific targets +- Do not require --no-undefined, because s390(x) requires some + +* Mon May 04 2015 Jakub Jelen 3.2-2 +- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560) +- Make inline function compatible for GCC5 + +* Wed Sep 10 2014 Petr Lautrbach 3.2-1 +- new upstream release 3.2 +- add new sub-package opencryptoki-ep11tok on s390x + +* Sun Aug 17 2014 Fedora Release Engineering - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Jul 24 2014 Petr Lautrbach 3.1-1 +- new upstream release 3.1 + +* Sat Jun 07 2014 Fedora Release Engineering - 3.0-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Feb 17 2014 Petr Lautrbach 3.0-10 +- create the right lock directory for cca tokens (#1054442) + +* Wed Jan 29 2014 Petr Lautrbach 3.0-9 +- use Requires(pre): opencryptoki-libs for subpackages + +* Mon Jan 20 2014 Dan Horák - 3.0-8 +- include token specific directories (#1013017, #1045775, #1054442) +- fix pkcsconf crash for non-root users (#10054661) +- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed + +* Tue Dec 03 2013 Dan Horák - 3.0-7 +- fix build with -Werror=format-security (#1037228) + +* Fri Nov 22 2013 Dan Horák - 3.0-6 +- apply post-3.0 fixes (#1033284) + +* Tue Nov 19 2013 Dan Horák - 3.0-5 +- update opencryptoki man page (#1001729) + +* Fri Aug 23 2013 Dan Horák - 3.0-4 +- update unit file (#995002) + +* Sat Aug 03 2013 Fedora Release Engineering - 3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 23 2013 Dan Horák - 3.0-2 +- update pkcsconf man page (#948460) + +* Mon Jul 22 2013 Dan Horák - 3.0-1 +- new upstream release 3.0 + +* Tue Jun 25 2013 Dan Horák - 2.4.3.1-1 +- new upstream release 2.4.3.1 + +* Fri May 03 2013 Dan Horák - 2.4.3-1 +- new upstream release 2.4.3 + +* Thu Apr 04 2013 Dan Horák - 2.4.2-4 +- enable hardened build +- switch to systemd macros in scriptlets (#850240) + +* Mon Jan 28 2013 Dan Horák - 2.4.2-3 +- add virtual opencryptoki(token) Provides to token modules and as Requires + to main package (#904986) + +* Fri Jul 20 2012 Fedora Release Engineering - 2.4.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jun 21 2012 Dan Horák - 2.4.2-1 +- new upstream release 2.4.2 +- add pkcs_slot man page +- don't add root to the pkcs11 group + +* Mon Jun 11 2012 Dan Horák - 2.4.1-2 +- fix unresolved symbols in TPM module (#830129) + +* Sat Feb 25 2012 Dan Horák - 2.4.1-1 +- new upstream release 2.4.1 +- convert from initscript to systemd unit +- import fixes from RHEL-6 about root's group membership (#732756, #730903) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jul 07 2011 Dan Horák - 2.4-1 +- new upstream release 2.4 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Dan Horák 2.3.3-1 +- new upstream release 2.3.3 + +* Tue Nov 09 2010 Michal Schmidt 2.3.2-2 +- Apply Obsoletes to package names, not provides. + +* Tue Sep 14 2010 Dan Horák 2.3.2-1 +- new upstream release 2.3.2 +- put STDLLs in separate packages to match upstream package design + +* Thu Jul 08 2010 Michal Schmidt 2.3.1-7 +- Move the LICENSE file to the -libs subpackage. + +* Tue Jun 29 2010 Dan Horák 2.3.1-6 +- rebuilt with CCA enabled (#604287) +- fixed issues from #546274 + +* Fri Apr 30 2010 Dan Horák 2.3.1-5 +- fixed one more issue in the initscript (#547324) + +* Mon Apr 26 2010 Dan Horák 2.3.1-4 +- fixed pidfile creating and usage (#547324) + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-3 +- Also list 'reload' and 'force-reload' in "Usage: ...". + +* Mon Feb 08 2010 Michal Schmidt 2.3.1-2 +- Support 'force-reload' in the initscript. + +* Wed Jan 27 2010 Michal Schmidt 2.3.1-1 +- New upstream release 2.3.1. +- opencryptoki-2.3.0-fix-nss-breakage.patch was merged. + +* Fri Jan 22 2010 Dan Horák 2.3.0-5 +- made pkcsslotd initscript LSB compliant (#522149) + +* Mon Sep 07 2009 Michal Schmidt 2.3.0-4 +- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request. + +* Fri Aug 21 2009 Tomas Mraz - 2.3.0-3 +- rebuilt with new openssl + +* Sun Aug 16 2009 Michal Schmidt 2.3.0-2 +- Require libica-2.0. + +* Fri Aug 07 2009 Michal Schmidt 2.3.0-1 +- New upstream release 2.3.0: + - adds support for RSA 4096 bit keys in the ICA token. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-5 +- Require arch-specific dependency on -libs. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-4 +- Return support for crypto hw on s390. +- Renamed to opencryptoki. +- Simplified multilib by putting libs in subpackage as suggested by Dan Horák. + +* Tue Jul 21 2009 Michal Schmidt - 2.2.8-2 +- Fedora package based on RHEL-5 package.