commit
c0cead4463
@ -0,0 +1 @@
|
|||||||
|
SOURCES/opencryptoki-3.23.0.tar.gz
|
@ -0,0 +1 @@
|
|||||||
|
0d70d0a5170a79fc358107d07a62bea1b476e0cc SOURCES/opencryptoki-3.23.0.tar.gz
|
@ -0,0 +1,12 @@
|
|||||||
|
diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
|
||||||
|
--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
|
||||||
|
+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
|
||||||
|
@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
|
||||||
|
|
||||||
|
dnl Define custom variables
|
||||||
|
|
||||||
|
-lockdir=$localstatedir/lock/opencryptoki
|
||||||
|
+lockdir=/run/lock/opencryptoki
|
||||||
|
AC_SUBST(lockdir)
|
||||||
|
|
||||||
|
logdir=$localstatedir/log/opencryptoki
|
@ -0,0 +1,37 @@
|
|||||||
|
diff -up opencryptoki-3.21.0/Makefile.am.me opencryptoki-3.21.0/Makefile.am
|
||||||
|
--- opencryptoki-3.21.0/Makefile.am.me 2023-05-15 17:01:04.932616030 +0200
|
||||||
|
+++ opencryptoki-3.21.0/Makefile.am 2023-05-15 17:00:45.732131601 +0200
|
||||||
|
@@ -39,15 +39,8 @@ include tools/tools.mk
|
||||||
|
include doc/doc.mk
|
||||||
|
|
||||||
|
install-data-hook:
|
||||||
|
- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
|
||||||
|
- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
|
||||||
|
$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
|
||||||
|
- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
|
||||||
|
- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
|
||||||
|
- $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
|
||||||
|
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
|
||||||
|
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
|
||||||
|
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
|
||||||
|
if ENABLE_LIBRARY
|
||||||
|
$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
|
||||||
|
$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
|
||||||
|
@@ -100,7 +93,7 @@ if ENABLE_EP11TOK
|
||||||
|
endif
|
||||||
|
if ENABLE_P11SAK
|
||||||
|
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
|
||||||
|
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
|
||||||
|
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
|
||||||
|
endif
|
||||||
|
if ENABLE_ICATOK
|
||||||
|
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
|
||||||
|
@@ -151,7 +144,7 @@ endif
|
||||||
|
if ENABLE_DAEMON
|
||||||
|
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
|
||||||
|
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
|
||||||
|
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
|
||||||
|
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
|
||||||
|
endif
|
||||||
|
$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
|
||||||
|
echo "$(libdir)/opencryptoki" >\
|
@ -0,0 +1,50 @@
|
|||||||
|
commit 2d68f8626d15b9697a29a377a63bbdf35b42ee36
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Tue Feb 13 16:20:06 2024 +0100
|
||||||
|
|
||||||
|
EP11 pkey option: add new PKEY_MODE parms to ep11 config file
|
||||||
|
|
||||||
|
Add two new parameter values ENABLE4EXTR and ENABLE4ALL to the ep11token
|
||||||
|
PKEY_MODE config option. Older ep11 card firmware enforces the restriction that
|
||||||
|
keys can not have CKA_EXTRACTABLE=true and CKA_IBM_PROTKEY_EXTRACTABLE=true at
|
||||||
|
the same time. With newer card firmware this restriction is removed and a new
|
||||||
|
control point is introduced to allow checking for this feature.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11tok.conf b/usr/lib/ep11_stdll/ep11tok.conf
|
||||||
|
index 19c9963f..afe237b9 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11tok.conf
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11tok.conf
|
||||||
|
@@ -104,7 +104,7 @@
|
||||||
|
# disabled and additional hardware and firmware prerequisites are met. AES-XTS
|
||||||
|
# is not supported via the EP11 coprocessor itself.
|
||||||
|
#
|
||||||
|
-# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR
|
||||||
|
+# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR | ENABLE4EXTR | ENABLE4ALL
|
||||||
|
#
|
||||||
|
# DISABLED : Protected key support disabled. All key operations
|
||||||
|
# are performed via EP11 coprocessor, even if a
|
||||||
|
@@ -119,6 +119,22 @@
|
||||||
|
# but not CKA_IBM_PROTKEY_EXTRACTABLE, new keys get
|
||||||
|
# CKA_IBM_PROTKEY_EXTRACTABLE=true internally.
|
||||||
|
#
|
||||||
|
+# Control point 75 (XCP_CPB_ALLOW_COMBINED_EXTRACT) must be enabled for all
|
||||||
|
+# APQNs accessible by the token for the following parameters.
|
||||||
|
+#
|
||||||
|
+# ENABLE4EXTR : If the application did not specify
|
||||||
|
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
|
||||||
|
+# of any type with CKA_EXTRACTABLE=true get
|
||||||
|
+# CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key
|
||||||
|
+# is automatically created at first use of the key.
|
||||||
|
+#
|
||||||
|
+# ENABLE4ALL : If the application did not specify
|
||||||
|
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
|
||||||
|
+# of any type, regardless of the CKA_EXTRACTABLE
|
||||||
|
+# attribute, get CKA_IBM_PROTKEY_EXTRACTABLE=true and
|
||||||
|
+# a protected key is automatically created at first
|
||||||
|
+# use of the key.
|
||||||
|
+#
|
||||||
|
# --------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# Specify the expected wrapping key verification pattern. When specified, all
|
@ -0,0 +1,222 @@
|
|||||||
|
commit a6192bb9c3263fb691da87b3a1ed5f66f887b09a
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Tue Feb 13 16:35:53 2024 +0100
|
||||||
|
|
||||||
|
EP11 pkey option: handle new PKEY_MODE parms for new objects
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index d5964a9c..d1efd8c5 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1239,6 +1239,33 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
|
||||||
|
+{
|
||||||
|
+ CK_ATTRIBUTE *pkey_attr = NULL;
|
||||||
|
+ CK_BBOOL btrue = CK_TRUE;
|
||||||
|
+ CK_RV ret;
|
||||||
|
+
|
||||||
|
+ if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
|
||||||
|
+ ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, &btrue,
|
||||||
|
+ sizeof(CK_BBOOL), &pkey_attr);
|
||||||
|
+ if (ret != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ ret = template_update_attribute(tmpl, pkey_attr);
|
||||||
|
+ if (ret != CKR_OK) {
|
||||||
|
+ TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
|
||||||
|
+ free(pkey_attr);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ret = CKR_OK;
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* This function is called whenever a new object is created. It sets
|
||||||
|
* attribute CKA_IBM_PROTKEY_EXTRACTABLE according to the PKEY_MODE token
|
||||||
|
@@ -1254,7 +1281,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
CK_ULONG mode, TEMPLATE *tmpl)
|
||||||
|
{
|
||||||
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
||||||
|
- CK_ATTRIBUTE *pkey_attr = NULL, *ecp_attr = NULL, *sensitive_attr = NULL;
|
||||||
|
+ CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
|
||||||
|
CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
|
||||||
|
CK_BBOOL add_pkey_extractable = CK_FALSE;
|
||||||
|
CK_RV ret;
|
||||||
|
@@ -1314,23 +1341,62 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
add_pkey_extractable = CK_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
if (add_pkey_extractable) {
|
||||||
|
- if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
|
||||||
|
- ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE,
|
||||||
|
- (CK_BBOOL *)&btrue, sizeof(CK_BBOOL),
|
||||||
|
- &pkey_attr);
|
||||||
|
- if (ret != CKR_OK) {
|
||||||
|
- TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- ret = template_update_attribute(tmpl, pkey_attr);
|
||||||
|
- if (ret != CKR_OK) {
|
||||||
|
- TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
|
||||||
|
- free(pkey_attr);
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case PKEY_MODE_ENABLE4EXTR:
|
||||||
|
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
|
||||||
|
+ * its template, new keys of any type with CKA_EXTRACTABLE=true get
|
||||||
|
+ * CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is automatically
|
||||||
|
+ * created at first use of the key.
|
||||||
|
+ */
|
||||||
|
+ switch (class) {
|
||||||
|
+ case CKO_PUBLIC_KEY:
|
||||||
|
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
|
||||||
|
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
|
||||||
|
+ add_pkey_extractable = CK_TRUE;
|
||||||
|
+ /* Note that the explicit parm CKM_ECDSA just tells the
|
||||||
|
+ * function that it's not AES here. It covers all EC and ED
|
||||||
|
+ * mechs */
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
|
||||||
|
+ if (ret == CKR_OK && extractable) // Einziger Unterschied: extractable, statt !extractable
|
||||||
|
+ add_pkey_extractable = CK_TRUE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (add_pkey_extractable) {
|
||||||
|
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case PKEY_MODE_ENABLE4ALL:
|
||||||
|
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
|
||||||
|
+ * its template, new keys of any type, regardless of CKA_EXTRACTABLE,
|
||||||
|
+ * get CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is
|
||||||
|
+ * automatically created at first use of the key.
|
||||||
|
+ */
|
||||||
|
+ switch (class) {
|
||||||
|
+ case CKO_PUBLIC_KEY:
|
||||||
|
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
|
||||||
|
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
|
||||||
|
+ add_pkey_extractable = CK_TRUE;
|
||||||
|
+ /* Note that the explicit parm CKM_ECDSA just tells the
|
||||||
|
+ * function that it's not AES here. It covers all EC and ED
|
||||||
|
+ * mechs */
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ add_pkey_extractable = CK_TRUE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (add_pkey_extractable) {
|
||||||
|
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ goto done;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
@@ -12188,6 +12254,10 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
|
||||||
|
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_ENABLE4NONEXTR;
|
||||||
|
+ else if (strcmp(strval, "ENABLE4EXTR") == 0)
|
||||||
|
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
|
||||||
|
+ else if (strcmp(strval, "ENABLE4ALL") == 0)
|
||||||
|
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
|
||||||
|
else {
|
||||||
|
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
|
||||||
|
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
|
||||||
|
@@ -13252,6 +13322,7 @@ typedef struct cp_handler_data {
|
||||||
|
int first;
|
||||||
|
size_t max_cp_index;
|
||||||
|
CK_BBOOL error;
|
||||||
|
+ CK_BBOOL allow_combined_extract;
|
||||||
|
} cp_handler_data_t;
|
||||||
|
|
||||||
|
static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
|
||||||
|
@@ -13329,6 +13400,27 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Combined extract is only supported if all APQNs support it */
|
||||||
|
+ if (max_cp_index < XCP_CPB_ALLOW_COMBINED_EXTRACT ||
|
||||||
|
+ (cp[CP_BYTE_NO(XCP_CPB_ALLOW_COMBINED_EXTRACT)] &
|
||||||
|
+ CP_BIT_MASK(XCP_CPB_ALLOW_COMBINED_EXTRACT)) == 0) {
|
||||||
|
+ data->allow_combined_extract = CK_FALSE;
|
||||||
|
+
|
||||||
|
+ if (ep11_data->pkey_mode == PKEY_MODE_ENABLE4EXTR ||
|
||||||
|
+ ep11_data->pkey_mode == PKEY_MODE_ENABLE4ALL) {
|
||||||
|
+ TRACE_ERROR("Control point setting for adapter %02X.%04X does not "
|
||||||
|
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
|
||||||
|
+ "ENABLE4ALL specified in ep11 token config file.\n",
|
||||||
|
+ adapter, domain);
|
||||||
|
+ OCK_SYSLOG(LOG_ERR,
|
||||||
|
+ "Control point setting for adapter %02X.%04X does not "
|
||||||
|
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
|
||||||
|
+ "ENABLE4ALL specified in ep11 token config file.\n",
|
||||||
|
+ adapter, domain);
|
||||||
|
+ data->error = TRUE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Check FIPS-session related CPs for non-FIPS-session mode */
|
||||||
|
if (!ep11_data->fips_session_mode) {
|
||||||
|
if (max_cp_index >= XCP_CPB_ALLOW_NONSESSION &&
|
||||||
|
@@ -13392,6 +13484,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
|
||||||
|
* to older cards default to ON. CPs being OFF disable functionality.
|
||||||
|
*/
|
||||||
|
memset(data.combined_cp, 0xff, sizeof(data.combined_cp));
|
||||||
|
+ data.allow_combined_extract = CK_TRUE;
|
||||||
|
data.first = 1;
|
||||||
|
rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler,
|
||||||
|
&data);
|
||||||
|
@@ -13410,6 +13503,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
|
||||||
|
print_control_points(cp, *cp_len, data.max_cp_index);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ if (data.allow_combined_extract == CK_FALSE)
|
||||||
|
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 0);
|
||||||
|
+ else
|
||||||
|
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 1);
|
||||||
|
+
|
||||||
|
return data.error ? CKR_DEVICE_ERROR : CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
index deb8f45f..16d3c719 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
@@ -241,6 +241,8 @@ typedef struct {
|
||||||
|
#define PKEY_MODE_DISABLED 0
|
||||||
|
#define PKEY_MODE_DEFAULT 1
|
||||||
|
#define PKEY_MODE_ENABLE4NONEXTR 2
|
||||||
|
+#define PKEY_MODE_ENABLE4EXTR 3
|
||||||
|
+#define PKEY_MODE_ENABLE4ALL 4
|
||||||
|
|
||||||
|
#define PQC_BYTE_NO(idx) (((idx) - 1) / 8)
|
||||||
|
#define PQC_BIT_IN_BYTE(idx) (((idx - 1)) % 8)
|
||||||
|
@@ -278,6 +280,7 @@ typedef struct {
|
||||||
|
int fips_session_mode;
|
||||||
|
int optimize_single_ops;
|
||||||
|
int pkey_mode;
|
||||||
|
+ volatile int pkey_combined_extract_supported;
|
||||||
|
volatile int pkey_wrap_supported;
|
||||||
|
int pkey_wrap_support_checked;
|
||||||
|
char pkey_mk_vp[PKEY_MK_VP_LENGTH];
|
@ -0,0 +1,62 @@
|
|||||||
|
commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Thu Mar 7 17:42:11 2024 +0100
|
||||||
|
|
||||||
|
EP11 pkey option: handle new PKEY_MODE parms in eligibility check
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index d1efd8c5..a163587c 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
|
||||||
|
return CK_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Returns true if the given key object is eligible to get a protected key
|
||||||
|
+ * attribute, false otherwise.
|
||||||
|
+ */
|
||||||
|
+CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
|
||||||
|
+ OBJECT *key_obj)
|
||||||
|
+{
|
||||||
|
+ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
|
||||||
|
+ !object_is_pkey_extractable(key_obj)) {
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!ep11_data->pkey_combined_extract_supported &&
|
||||||
|
+ object_is_extractable(key_obj)) {
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return CK_TRUE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Checks if the preconditions for using the related protected key of
|
||||||
|
* the given secure key object are met. The caller of this routine must
|
||||||
|
@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
break;
|
||||||
|
case PKEY_MODE_DEFAULT:
|
||||||
|
case PKEY_MODE_ENABLE4NONEXTR:
|
||||||
|
+ case PKEY_MODE_ENABLE4EXTR:
|
||||||
|
+ case PKEY_MODE_ENABLE4ALL:
|
||||||
|
/* Use existing pkeys, re-create invalid pkeys, and also create new
|
||||||
|
* pkeys for secret/private keys that do not already have one. EC
|
||||||
|
* public keys that are pkey-extractable, can always be used via CPACF
|
||||||
|
@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
- if (object_is_extractable(key_obj) ||
|
||||||
|
- !object_is_pkey_extractable(key_obj) ||
|
||||||
|
- object_is_attr_bound(key_obj) ||
|
||||||
|
- !ep11_data->pkey_wrap_supported) {
|
||||||
|
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
|
||||||
|
goto done;
|
||||||
|
- }
|
||||||
|
|
||||||
|
if (template_attribute_get_non_empty(key_obj->template,
|
||||||
|
CKA_IBM_OPAQUE_PKEY,
|
@ -0,0 +1,555 @@
|
|||||||
|
commit b9e33fced0654aac939182957bf2eba2eda77872
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Wed Feb 21 13:48:15 2024 +0100
|
||||||
|
|
||||||
|
EP11 pkey option: add NO_PKEY compile option for EP11 token
|
||||||
|
|
||||||
|
On 32-bit s390 platforms, the pkey related assembler code parts won't
|
||||||
|
compile. Therefore, add NO_PKEY compile switches where necessary.
|
||||||
|
The NO_PKEY compile switch is already handled in configure.ac.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index a163587c..114c4ce1 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -60,7 +60,9 @@
|
||||||
|
#include <openssl/ec.h>
|
||||||
|
|
||||||
|
#include "ep11_specific.h"
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
#include "pkey_utils.h"
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
|
||||||
|
CK_MECHANISM_TYPE_PTR mlist,
|
||||||
|
@@ -256,11 +258,13 @@ static const version_req_t reencrypt_single_req_versions[] = {
|
||||||
|
#define NUM_REENCRYPT_SINGLE_REQ (sizeof(reencrypt_single_req_versions) / \
|
||||||
|
sizeof(version_req_t))
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
static const CK_VERSION ibm_cex7p_cpacf_wrap_support = { .major = 7, .minor = 15 };
|
||||||
|
static const version_req_t ibm_cpacf_wrap_req_versions[] = {
|
||||||
|
{ .card_type = 7, .min_firmware_version = &ibm_cex7p_cpacf_wrap_support }
|
||||||
|
};
|
||||||
|
#define NUM_CPACF_WRAP_REQ (sizeof(ibm_cpacf_wrap_req_versions) / sizeof(version_req_t))
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
static const CK_ULONG ibm_cex_ab_ecdh_api_version = 3;
|
||||||
|
static const version_req_t ibm_ab_ecdh_req_versions[] = {
|
||||||
|
@@ -504,6 +508,7 @@ static CK_BBOOL ep11tok_pkey_option_disabled(STDLL_TokData_t *tokdata)
|
||||||
|
return CK_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/**
|
||||||
|
* Callback function used by handle_all_ep11_cards() for creating a protected
|
||||||
|
* key via the given APQN (adaper,domain).
|
||||||
|
@@ -1283,6 +1288,7 @@ CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
|
||||||
|
done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function is called whenever a new object is created. It sets
|
||||||
|
@@ -1299,9 +1305,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
CK_ULONG mode, TEMPLATE *tmpl)
|
||||||
|
{
|
||||||
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
||||||
|
- CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
|
||||||
|
- CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
|
||||||
|
- CK_BBOOL add_pkey_extractable = CK_FALSE;
|
||||||
|
+ CK_ATTRIBUTE *sensitive_attr = NULL;
|
||||||
|
+ CK_BBOOL sensitive, btrue = CK_TRUE;
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
+ CK_ATTRIBUTE *ecp_attr = NULL;
|
||||||
|
+ CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
|
||||||
|
+#endif
|
||||||
|
CK_RV ret;
|
||||||
|
|
||||||
|
UNUSED(mode);
|
||||||
|
@@ -1331,6 +1340,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
switch (ep11_data->pkey_mode) {
|
||||||
|
case PKEY_MODE_DISABLED:
|
||||||
|
/* Nothing to do */
|
||||||
|
@@ -1423,6 +1433,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
goto done;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
ret = CKR_OK;
|
||||||
|
|
||||||
|
@@ -1431,6 +1442,19 @@ done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef NO_PKEY
|
||||||
|
+CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
|
||||||
|
+{
|
||||||
|
+ UNUSED(tokdata);
|
||||||
|
+ UNUSED(session);
|
||||||
|
+ UNUSED(hkey);
|
||||||
|
+ UNUSED(mech);
|
||||||
|
+
|
||||||
|
+ return CK_FALSE;
|
||||||
|
+}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
+
|
||||||
|
static CK_RV check_ab_supported(CK_KEY_TYPE type) {
|
||||||
|
switch(type) {
|
||||||
|
case CKK_AES:
|
||||||
|
@@ -2837,8 +2861,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
ep11_data->msa_level = get_msa_level();
|
||||||
|
TRACE_INFO("MSA level = %i\n", ep11_data->msa_level);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
if (pthread_mutex_init(&ep11_data->raw2key_wrap_blob_mutex, NULL) != 0) {
|
||||||
|
TRACE_ERROR("Initializing Wrap-Blob lock failed.\n");
|
||||||
|
@@ -2847,19 +2873,20 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
|
||||||
|
}
|
||||||
|
ep11_data->raw2key_wrap_blob_l = 0;
|
||||||
|
|
||||||
|
-
|
||||||
|
if (pthread_mutex_init(&ep11_data->pkey_mutex, NULL) != 0) {
|
||||||
|
TRACE_ERROR("Initializing PKEY lock failed.\n");
|
||||||
|
rc = CKR_CANT_LOCK;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
if (!ep11tok_pkey_option_disabled(tokdata) &&
|
||||||
|
!ep11_data->fips_session_mode) {
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, NULL);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
if (ep11_data->vhsm_mode || ep11_data->fips_session_mode) {
|
||||||
|
if (pthread_mutex_init(&ep11_data->session_mutex, NULL) != 0) {
|
||||||
|
@@ -3178,7 +3205,11 @@ static CK_RV import_aes_xts_key(STDLL_TokData_t *tokdata, SESSION *sess,
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
goto import_aes_xts_key_end;
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check_aes_xts(tokdata, aes_xts_key_obj, CKM_AES_XTS);
|
||||||
|
+#else
|
||||||
|
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
|
||||||
|
+#endif
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", __func__, rc);
|
||||||
|
goto import_aes_xts_key_end;
|
||||||
|
@@ -4562,10 +4593,12 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
return rc;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
memset(blob, 0, sizeof(blob));
|
||||||
|
memset(blobreenc, 0, sizeof(blobreenc));
|
||||||
|
@@ -4797,10 +4830,12 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
goto error;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
|
||||||
|
MODE_KEYGEN, CKO_SECRET_KEY, ktype, &key_obj);
|
||||||
|
@@ -4820,7 +4855,11 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
|
||||||
|
if (mech->mechanism == CKM_AES_XTS_KEY_GEN) {
|
||||||
|
xts = TRUE;
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check_aes_xts(tokdata, key_obj, mech->mechanism);
|
||||||
|
+#else
|
||||||
|
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
|
||||||
|
+#endif
|
||||||
|
if (rc != CKR_OK) {
|
||||||
|
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n",
|
||||||
|
__func__, rc);
|
||||||
|
@@ -5812,7 +5851,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
CK_BYTE *out_data, CK_ULONG *out_data_len,
|
||||||
|
OBJECT *key_obj )
|
||||||
|
{
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
SIGN_VERIFY_CONTEXT *ctx = &(session->sign_ctx);
|
||||||
|
+#endif
|
||||||
|
CK_RV rc;
|
||||||
|
size_t keyblobsize = 0;
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
@@ -5826,6 +5867,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
@@ -5837,6 +5879,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
default:
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
mech.mechanism = CKM_ECDSA;
|
||||||
|
mech.pParameter = NULL;
|
||||||
|
@@ -5856,7 +5899,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
done:
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
@@ -5866,7 +5911,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
CK_BYTE *out_data, CK_ULONG out_data_len,
|
||||||
|
OBJECT *key_obj )
|
||||||
|
{
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
SIGN_VERIFY_CONTEXT *ctx = &(session->verify_ctx);
|
||||||
|
+#endif
|
||||||
|
CK_RV rc;
|
||||||
|
CK_BYTE *spki;
|
||||||
|
size_t spki_len = 0;
|
||||||
|
@@ -5880,6 +5927,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
@@ -5891,6 +5939,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
default:
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
mech.mechanism = CKM_ECDSA;
|
||||||
|
mech.pParameter = NULL;
|
||||||
|
@@ -5911,7 +5960,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
done:
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
@@ -5981,6 +6032,7 @@ CK_RV token_specific_reencrypt_single(STDLL_TokData_t *tokdata,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/**
|
||||||
|
* This routine is currently only used when the operation is performed using
|
||||||
|
* a protected key. Therefore we don't have (and don't need) an ep11
|
||||||
|
@@ -6062,6 +6114,7 @@ CK_RV token_specific_aes_xts(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
return pkey_aes_xts(key_obj, init_v, in_data, in_data_len,
|
||||||
|
out_data, out_data_len, encrypt, initial, final, iv);
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
struct EP11_KYBER_MECH {
|
||||||
|
CK_MECHANISM mech;
|
||||||
|
@@ -6829,10 +6882,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
goto error;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
/* Start creating the key object */
|
||||||
|
rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len,
|
||||||
|
@@ -8554,10 +8609,12 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess,
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
goto error;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
/* Now build the skeleton key. */
|
||||||
|
rc = object_mgr_create_skel(tokdata, sess, pPublicKeyTemplate,
|
||||||
|
@@ -9202,6 +9259,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
@@ -9239,6 +9297,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
free(ep11_sign_state);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
|
||||||
|
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
|
||||||
|
@@ -9340,6 +9399,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
CK_ULONG in_data_len, CK_BYTE * signature,
|
||||||
|
CK_ULONG * sig_len)
|
||||||
|
{
|
||||||
|
+#ifdef NO_PKEY
|
||||||
|
+ UNUSED(length_only);
|
||||||
|
+#endif
|
||||||
|
CK_RV rc;
|
||||||
|
SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx;
|
||||||
|
size_t keyblobsize = 0;
|
||||||
|
@@ -9355,6 +9417,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
/* Note that Edwards curves in general are not yet supported in
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
@@ -9372,6 +9435,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
}
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
|
||||||
|
RETRY_UPDATE_BLOB_START(tokdata, target_info,
|
||||||
|
@@ -9394,7 +9458,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
done:
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
@@ -9638,6 +9704,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
@@ -9675,6 +9742,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
free(ep11_sign_state);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
|
||||||
|
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
|
||||||
|
@@ -9787,6 +9855,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
if (ctx->pkey_active) {
|
||||||
|
/* Note that Edwards curves in general are not yet supported in
|
||||||
|
* opencryptoki. These two special IBM specific ED mechs are only
|
||||||
|
@@ -9805,6 +9874,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
}
|
||||||
|
goto done; /* no ep11 fallback possible */
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
|
||||||
|
RETRY_UPDATE_BLOB_START(tokdata, target_info,
|
||||||
|
@@ -9827,7 +9897,9 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
done:
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
@@ -10561,6 +10633,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
switch (rc) {
|
||||||
|
case CKR_OK:
|
||||||
|
@@ -10604,6 +10677,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
free(ep11_state);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* ep11_state is allocated large enough to hold 2 times the max state blob.
|
||||||
|
@@ -11150,10 +11224,12 @@ CK_RV ep11tok_unwrap_key(STDLL_TokData_t * tokdata, SESSION * session,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
goto error;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
/* Start creating the key object */
|
||||||
|
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
|
||||||
|
@@ -11878,6 +11954,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
case CKM_IBM_CPACF_WRAP:
|
||||||
|
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3) <= 0) {
|
||||||
|
TRACE_INFO("%s Mech '%s' banned due to host library version\n",
|
||||||
|
@@ -11895,6 +11972,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
case CKM_IBM_BTC_DERIVE:
|
||||||
|
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3_1) < 0) {
|
||||||
|
@@ -12268,6 +12346,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
|
||||||
|
{
|
||||||
|
if (strcmp(strval, "DISABLED") == 0)
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_DISABLED;
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
else if (strcmp(strval, "DEFAULT") == 0)
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
|
||||||
|
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
|
||||||
|
@@ -12276,6 +12355,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
|
||||||
|
else if (strcmp(strval, "ENABLE4ALL") == 0)
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
else {
|
||||||
|
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
|
||||||
|
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
|
||||||
|
@@ -12456,7 +12536,11 @@ static CK_RV read_adapter_config_file(STDLL_TokData_t * tokdata,
|
||||||
|
sizeof(ep11_data->token_config_filename) - 1] = '\0';
|
||||||
|
|
||||||
|
ep11_data->target_list.length = 0;
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
|
||||||
|
+#else
|
||||||
|
+ ep11_data->pkey_mode = PKEY_MODE_DISABLED;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/* Default to use default libica library for digests */
|
||||||
|
ep11_data->digest_libica = 1;
|
||||||
|
@@ -14695,10 +14779,12 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
/* Ensure the firmware master key verification pattern is available */
|
||||||
|
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
|
||||||
|
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
|
||||||
|
return rc;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
node = new_tmpl->attribute_list;
|
||||||
|
while (node) {
|
||||||
|
@@ -14734,6 +14820,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
case CKA_IBM_PROTKEY_EXTRACTABLE:
|
||||||
|
if (ep11_data->pkey_wrap_supported) {
|
||||||
|
rc = add_to_attribute_array(&attributes, &num_attributes,
|
||||||
|
@@ -14746,6 +14833,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+#endif /* NO_PKEY */
|
||||||
|
default:
|
||||||
|
/* Either non-boolean, or read-only */
|
||||||
|
break;
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
index 6a1d68be..e543c514 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
|
||||||
|
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
|
||||||
|
usr/lib/common/trace.c usr/lib/common/mech_list.c \
|
||||||
|
usr/lib/common/shared_memory.c usr/lib/common/attributes.c \
|
||||||
|
usr/lib/common/sw_crypt.c usr/lib/common/profile_obj.c \
|
||||||
|
- usr/lib/common/dlist.c usr/lib/common/pkey_utils.c \
|
||||||
|
+ usr/lib/common/dlist.c \
|
||||||
|
usr/lib/ep11_stdll/new_host.c usr/lib/common/mech_openssl.c \
|
||||||
|
usr/lib/ep11_stdll/ep11_specific.c \
|
||||||
|
usr/lib/ep11_stdll/ep11_session.c \
|
||||||
|
@@ -53,3 +53,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
|
||||||
|
usr/lib/common/pqc_supported.c \
|
||||||
|
usr/lib/hsm_mk_change/hsm_mk_change.c \
|
||||||
|
usr/lib/common/btree.c usr/lib/common/sess_mgr.c
|
||||||
|
+
|
||||||
|
+if !NO_PKEY
|
||||||
|
+opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
|
||||||
|
+ usr/lib/common/pkey_utils.c
|
||||||
|
+endif
|
||||||
|
diff --git a/usr/lib/ep11_stdll/tok_struct.h b/usr/lib/ep11_stdll/tok_struct.h
|
||||||
|
index 304e3eb9..17a5bcf0 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/tok_struct.h
|
||||||
|
+++ b/usr/lib/ep11_stdll/tok_struct.h
|
||||||
|
@@ -115,8 +115,13 @@ token_spec_t token_specific = {
|
||||||
|
// AES
|
||||||
|
NULL, // aes_key_gen,
|
||||||
|
NULL, // aes_xts_key_gen
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
&token_specific_aes_ecb,
|
||||||
|
&token_specific_aes_cbc,
|
||||||
|
+#else
|
||||||
|
+ NULL, // aes_ecb
|
||||||
|
+ NULL, // aes_cbc
|
||||||
|
+#endif
|
||||||
|
NULL, // aes_ctr
|
||||||
|
NULL, // aes_gcm_init
|
||||||
|
NULL, // aes_gcm
|
||||||
|
@@ -125,8 +130,13 @@ token_spec_t token_specific = {
|
||||||
|
NULL, // aes_ofb
|
||||||
|
NULL, // aes_cfb
|
||||||
|
NULL, // aes_mac
|
||||||
|
+#ifndef NO_PKEY
|
||||||
|
&token_specific_aes_cmac,
|
||||||
|
&token_specific_aes_xts, // aes_xts
|
||||||
|
+#else
|
||||||
|
+ NULL, // aes_cmac
|
||||||
|
+ NULL, // aes_xts
|
||||||
|
+#endif
|
||||||
|
// DSA
|
||||||
|
NULL, // dsa_generate_keypair,
|
||||||
|
NULL, // dsa_sign
|
@ -0,0 +1,61 @@
|
|||||||
|
commit 0bdcc661e64950e5ea11d950484631ba90e69426
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Thu Mar 7 17:51:40 2024 +0100
|
||||||
|
|
||||||
|
EP11 pkey option: consolidate code parts, no logic change
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index 114c4ce1..9f855934 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1369,11 +1369,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
add_pkey_extractable = CK_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- if (add_pkey_extractable) {
|
||||||
|
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
- if (ret != CKR_OK)
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
break;
|
||||||
|
case PKEY_MODE_ENABLE4EXTR:
|
||||||
|
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
|
||||||
|
@@ -1396,11 +1391,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
add_pkey_extractable = CK_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- if (add_pkey_extractable) {
|
||||||
|
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
- if (ret != CKR_OK)
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
break;
|
||||||
|
case PKEY_MODE_ENABLE4ALL:
|
||||||
|
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
|
||||||
|
@@ -1421,11 +1411,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
add_pkey_extractable = CK_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- if (add_pkey_extractable) {
|
||||||
|
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
- if (ret != CKR_OK)
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
TRACE_ERROR("PKEY_MODE %i unsupported.\n", ep11_data->pkey_mode);
|
||||||
|
@@ -1433,6 +1418,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
goto done;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (add_pkey_extractable) {
|
||||||
|
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
#endif /* NO_PKEY */
|
||||||
|
|
||||||
|
ret = CKR_OK;
|
@ -0,0 +1,26 @@
|
|||||||
|
commit 88761bc4bd560801ec8a18b96cc82586dd719ca3
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Tue Mar 12 17:13:33 2024 +0100
|
||||||
|
|
||||||
|
EP11: add check if protected-key support available at all
|
||||||
|
|
||||||
|
If it is already known that the PKEY wrap is not supported or not
|
||||||
|
functioning (for whatever reason), then don't report the XTS
|
||||||
|
mechanisms as supported.
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index 9f855934..7850e43f 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -12001,7 +12001,8 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
|
||||||
|
|
||||||
|
case CKM_AES_XTS:
|
||||||
|
case CKM_AES_XTS_KEY_GEN:
|
||||||
|
- if (ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
|
||||||
|
+ if ((ep11_data->pkey_wrap_support_checked && !ep11_data->pkey_wrap_supported) ||
|
||||||
|
+ ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
|
||||||
|
ep11tok_is_mechanism_supported(tokdata, CKM_IBM_CPACF_WRAP) != CKR_OK ||
|
||||||
|
ep11tok_is_mechanism_supported(tokdata, CKM_AES_KEY_GEN) != CKR_OK) {
|
||||||
|
TRACE_INFO("%s Mech '%s' not suppported\n", __func__,
|
@ -0,0 +1,31 @@
|
|||||||
|
commit 99b87ff678abfb71ba05741d1942e8ac723110c8
|
||||||
|
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
Date: Tue Mar 12 17:30:36 2024 +0100
|
||||||
|
|
||||||
|
EP11: consider combined-extract for XTS pkey check
|
||||||
|
|
||||||
|
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index 7850e43f..e2c9a77e 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
|
||||||
|
CK_MECHANISM_TYPE type)
|
||||||
|
{
|
||||||
|
+ ep11_private_data_t *ep11_data = tokdata->private_data;
|
||||||
|
+
|
||||||
|
if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) {
|
||||||
|
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (object_is_extractable(key_obj) ||
|
||||||
|
- !object_is_pkey_extractable(key_obj) ||
|
||||||
|
- object_is_attr_bound(key_obj)) {
|
||||||
|
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
|
||||||
|
+ TRACE_ERROR("Key not eligible for pkey support\n");
|
||||||
|
return CKR_TEMPLATE_INCONSISTENT;
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,306 @@
|
|||||||
|
commit 5b20a1454ca464b07e7686340a579d8b1870e572
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Wed Mar 20 08:44:25 2024 +0100
|
||||||
|
|
||||||
|
EP11: Reject combined extract attribute settings if it is not supported
|
||||||
|
|
||||||
|
In case the control point setting of the adapters do not allow that attributes
|
||||||
|
CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE are both true, then reject
|
||||||
|
this with CKR_TEMPLATE_INCONSISTENT.
|
||||||
|
|
||||||
|
The EP11 code would reject that with CKR_FUNCTION_CANCELED, which for EP11
|
||||||
|
it means that it violates an internal policy (i.e. control point settings),
|
||||||
|
but in PKCS#11 this return code has a totally different meaning. So reject
|
||||||
|
such situations explicitly with the correct return code.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index e2c9a77e..b5d788bf 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1089,20 +1089,23 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
|
||||||
|
* Returns true if the given key object is eligible to get a protected key
|
||||||
|
* attribute, false otherwise.
|
||||||
|
*/
|
||||||
|
-CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
|
||||||
|
- OBJECT *key_obj)
|
||||||
|
+static CK_RV ep11tok_pkey_obj_eligible_for_pkey_support(
|
||||||
|
+ ep11_private_data_t *ep11_data,
|
||||||
|
+ OBJECT *key_obj)
|
||||||
|
{
|
||||||
|
if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
|
||||||
|
!object_is_pkey_extractable(key_obj)) {
|
||||||
|
- return CK_FALSE;
|
||||||
|
+ return CKR_FUNCTION_NOT_SUPPORTED;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!ep11_data->pkey_combined_extract_supported &&
|
||||||
|
object_is_extractable(key_obj)) {
|
||||||
|
- return CK_FALSE;
|
||||||
|
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
|
||||||
|
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
|
||||||
|
+ return CKR_TEMPLATE_INCONSISTENT;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return CK_TRUE;
|
||||||
|
+ return CKR_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -1176,7 +1179,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
|
||||||
|
+ ret = ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
goto done;
|
||||||
|
|
||||||
|
if (template_attribute_get_non_empty(key_obj->template,
|
||||||
|
@@ -1218,11 +1222,14 @@ done:
|
||||||
|
/**
|
||||||
|
* Wrapper function around ep11tok_pkey_check for the case where we don't
|
||||||
|
* have a key object. This function is called externally from new_host.c.
|
||||||
|
+ * Returns CKR_OK if pkey usage is OK, CKR_FUNCTION_NOT_SUPPORTED if pkey
|
||||||
|
+ * is not supported, or any other return code in case of an error. In such
|
||||||
|
+ * cases the calling function should itself return with an error, because
|
||||||
|
+ * neither the secure key nor the protected key path will work.
|
||||||
|
*/
|
||||||
|
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
|
||||||
|
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
|
||||||
|
{
|
||||||
|
- CK_BBOOL success = CK_FALSE;
|
||||||
|
size_t keyblobsize = 0;
|
||||||
|
CK_BYTE *keyblob;
|
||||||
|
OBJECT *key_obj;
|
||||||
|
@@ -1232,17 +1239,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
READ_LOCK);
|
||||||
|
if (ret != CKR_OK) {
|
||||||
|
TRACE_ERROR("%s no blob ret=0x%lx\n", __func__, ret);
|
||||||
|
- return CK_FALSE;
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = ep11tok_pkey_check(tokdata, session, key_obj, mech);
|
||||||
|
- if (ret == CKR_OK)
|
||||||
|
- success = CK_TRUE;
|
||||||
|
|
||||||
|
object_put(tokdata, key_obj, TRUE);
|
||||||
|
key_obj = NULL;
|
||||||
|
|
||||||
|
- return success;
|
||||||
|
+ return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
|
||||||
|
@@ -1255,7 +1260,8 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
|
||||||
|
+ if (ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data,
|
||||||
|
+ key_obj) != CKR_OK) {
|
||||||
|
TRACE_ERROR("Key not eligible for pkey support\n");
|
||||||
|
return CKR_TEMPLATE_INCONSISTENT;
|
||||||
|
}
|
||||||
|
@@ -1307,10 +1313,10 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
{
|
||||||
|
ep11_private_data_t *ep11_data = tokdata->private_data;
|
||||||
|
CK_ATTRIBUTE *sensitive_attr = NULL;
|
||||||
|
- CK_BBOOL sensitive, btrue = CK_TRUE;
|
||||||
|
+ CK_BBOOL sensitive, extractable, pkey_extractable, btrue = CK_TRUE;
|
||||||
|
#ifndef NO_PKEY
|
||||||
|
CK_ATTRIBUTE *ecp_attr = NULL;
|
||||||
|
- CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
|
||||||
|
+ CK_BBOOL add_pkey_extractable = CK_FALSE;
|
||||||
|
#endif
|
||||||
|
CK_RV ret;
|
||||||
|
|
||||||
|
@@ -1341,6 +1347,25 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!ep11_data->pkey_combined_extract_supported) {
|
||||||
|
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ extractable = FALSE;
|
||||||
|
+
|
||||||
|
+ ret = template_attribute_get_bool(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE,
|
||||||
|
+ &pkey_extractable);
|
||||||
|
+ if (ret != CKR_OK)
|
||||||
|
+ pkey_extractable = FALSE;
|
||||||
|
+
|
||||||
|
+ if (extractable && pkey_extractable) {
|
||||||
|
+ /* The EP11 call would return CKR_FUNCTION_CANCELED in that case */
|
||||||
|
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
|
||||||
|
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
|
||||||
|
+ ret = CKR_TEMPLATE_INCONSISTENT;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifndef NO_PKEY
|
||||||
|
switch (ep11_data->pkey_mode) {
|
||||||
|
case PKEY_MODE_DISABLED:
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
index 16d3c719..9ba28cb8 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.h
|
||||||
|
@@ -585,8 +585,8 @@ CK_BBOOL ep11tok_libica_mech_available(STDLL_TokData_t *tokdata,
|
||||||
|
CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata,
|
||||||
|
CK_TOKEN_INFO_PTR pInfo);
|
||||||
|
|
||||||
|
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
|
||||||
|
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
|
||||||
|
|
||||||
|
CK_RV ep11tok_set_operation_state(STDLL_TokData_t *tokdata, SESSION *session);
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
|
||||||
|
index 299a1d3c..f84d0810 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/new_host.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/new_host.c
|
||||||
|
@@ -2080,9 +2080,15 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
sess->encr_ctx.multi_init = FALSE;
|
||||||
|
sess->encr_ctx.multi = FALSE;
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(pMechanism)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
/* In case of a single part encrypt operation we don't need the
|
||||||
|
* EncryptInit, instead we can use the EncryptSingle which is much
|
||||||
|
* faster. In case of multi-part operations we are doing the EncryptInit
|
||||||
|
@@ -2179,9 +2185,16 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key,
|
||||||
|
+ &sess->encr_ctx.mech);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(&sess->encr_ctx.mech)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech,
|
||||||
|
length_only, sess->encr_ctx.key,
|
||||||
|
pData, ulDataLen, pEncryptedData,
|
||||||
|
@@ -2408,9 +2421,15 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
sess->decr_ctx.multi_init = FALSE;
|
||||||
|
sess->decr_ctx.multi = FALSE;
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(pMechanism)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
/* In case of a single part decrypt operation we don't need the
|
||||||
|
* DecryptInit, instead we can use the EncryptSingle which is much
|
||||||
|
* faster. In case of multi-part operations we are doing the DecryptInit
|
||||||
|
@@ -2508,9 +2527,16 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key,
|
||||||
|
+ &sess->decr_ctx.mech);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(&sess->decr_ctx.mech)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech,
|
||||||
|
length_only, sess->decr_ctx.key,
|
||||||
|
pEncryptedData, ulEncryptedDataLen,
|
||||||
|
@@ -2992,9 +3018,15 @@ CK_RV SC_SignInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
sess->sign_ctx.multi_init = FALSE;
|
||||||
|
sess->sign_ctx.multi = FALSE;
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(pMechanism)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
/* In case of a single part sign operation we don't need the SignInit,
|
||||||
|
* instead we can use the SignSingle which is much faster.
|
||||||
|
* In case of multi-part operations we are doing the SignInit when
|
||||||
|
@@ -3101,9 +3133,16 @@ CK_RV SC_Sign(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key,
|
||||||
|
+ &sess->sign_ctx.mech);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(&sess->sign_ctx.mech)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, &sess->sign_ctx.mech)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
rc = ep11tok_sign_single(tokdata, sess, &sess->sign_ctx.mech,
|
||||||
|
length_only, sess->sign_ctx.key,
|
||||||
|
pData, ulDataLen, pSignature, pulSignatureLen);
|
||||||
|
@@ -3391,9 +3430,15 @@ CK_RV SC_VerifyInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
sess->verify_ctx.multi_init = FALSE;
|
||||||
|
sess->verify_ctx.multi = FALSE;
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(pMechanism)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
/* In case of a single part verify operation we don't need the
|
||||||
|
* VerifyInit, instead we can use the VerifySingle which is much
|
||||||
|
* faster. In case of multi-part operations we are doing the VerifyInit
|
||||||
|
@@ -3497,9 +3542,16 @@ CK_RV SC_Verify(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key,
|
||||||
|
+ &sess->verify_ctx.mech);
|
||||||
|
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
|
||||||
|
+ but the ep11 fallback can be tried */
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
if ((ep11tok_optimize_single_ops(tokdata) ||
|
||||||
|
ep11tok_mech_single_only(&sess->verify_ctx.mech)) &&
|
||||||
|
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, &sess->verify_ctx.mech)) {
|
||||||
|
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
|
||||||
|
rc = ep11tok_verify_single(tokdata, sess, &sess->verify_ctx.mech,
|
||||||
|
sess->verify_ctx.key, pData, ulDataLen,
|
||||||
|
pSignature, ulSignatureLen);
|
@ -0,0 +1,36 @@
|
|||||||
|
commit 4fefcf517133260a7b63049d3a02c9249fe7776c
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Apr 15 09:31:12 2024 +0200
|
||||||
|
|
||||||
|
EP11: Fix compile error with NO_PKEY defined
|
||||||
|
|
||||||
|
Function signature of ep11tok_pkey_usage_ok() has changed, also change the
|
||||||
|
code inside the #ifdef NO_PKEY block.
|
||||||
|
|
||||||
|
Fixes: cf978b111205b206c7b3c53f424f7085913c00d0
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
index b5d788bf..e9007a16 100644
|
||||||
|
--- a/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
+++ b/usr/lib/ep11_stdll/ep11_specific.c
|
||||||
|
@@ -1460,15 +1460,15 @@ done:
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef NO_PKEY
|
||||||
|
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
|
||||||
|
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
|
||||||
|
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
|
||||||
|
{
|
||||||
|
UNUSED(tokdata);
|
||||||
|
UNUSED(session);
|
||||||
|
UNUSED(hkey);
|
||||||
|
UNUSED(mech);
|
||||||
|
|
||||||
|
- return CK_FALSE;
|
||||||
|
+ return CKR_FUNCTION_NOT_SUPPORTED;
|
||||||
|
}
|
||||||
|
#endif /* NO_PKEY */
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu Jun 13 11:20:43 2024 +0200
|
||||||
|
|
||||||
|
COMMON: Fix errors reported by covscan
|
||||||
|
|
||||||
|
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
|
||||||
|
index b7e1f78e..fc88cbad 100644
|
||||||
|
--- a/usr/lib/common/loadsave.c
|
||||||
|
+++ b/usr/lib/common/loadsave.c
|
||||||
|
@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* size can not be negative if treated as signed int */
|
||||||
|
+ if (size >= 0x80000000) {
|
||||||
|
+ fclose(fp2);
|
||||||
|
+ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s "
|
||||||
|
+ "(ignoring it)\n", fname);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
buf = (CK_BYTE *) malloc(size);
|
||||||
|
if (!buf) {
|
||||||
|
fclose(fp2);
|
||||||
|
diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c
|
||||||
|
index 71402700..4bc19814 100644
|
||||||
|
--- a/usr/lib/common/mech_rng.c
|
||||||
|
+++ b/usr/lib/common/mech_rng.c
|
||||||
|
@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
|
||||||
|
if (ranfd >= 0) {
|
||||||
|
do {
|
||||||
|
rlen = read(ranfd, output + totallen, bytes - totallen);
|
||||||
|
+ if (rlen <= 0) {
|
||||||
|
+ close(ranfd);
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
totallen += rlen;
|
||||||
|
} while (totallen < bytes);
|
||||||
|
close(ranfd);
|
||||||
|
diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c
|
||||||
|
index 04edc76f..7421d1c5 100644
|
||||||
|
--- a/usr/lib/common/pkcs_utils.c
|
||||||
|
+++ b/usr/lib/common/pkcs_utils.c
|
||||||
|
@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
|
||||||
|
if (ranfd >= 0) {
|
||||||
|
do {
|
||||||
|
rlen = read(ranfd, output + totallen, bytes - totallen);
|
||||||
|
+ if (rlen <= 0) {
|
||||||
|
+ close(ranfd);
|
||||||
|
+ return CKR_FUNCTION_FAILED;
|
||||||
|
+ }
|
||||||
|
totallen += rlen;
|
||||||
|
} while (totallen < bytes);
|
||||||
|
close(ranfd);
|
@ -0,0 +1,73 @@
|
|||||||
|
commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02
|
||||||
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon Jun 17 09:03:36 2024 +0200
|
||||||
|
|
||||||
|
ICSF: Fix covscan findings on potential integer overflows
|
||||||
|
|
||||||
|
Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b'
|
||||||
|
are unsigned types. In case 'b' is larger than 'a', then the subtraction
|
||||||
|
result may overflow because the result is also treated as unsigned type.
|
||||||
|
Fix this by using 'if (a > b)' instead.
|
||||||
|
|
||||||
|
Note that in the changed places 'a' is always larger or equal than 'b',
|
||||||
|
so the overflow does not happen. Still, changing the code to be less
|
||||||
|
error-prone is a good thing.
|
||||||
|
|
||||||
|
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
|
||||||
|
|
||||||
|
Suggested-by: Than Ngo <than@redhat.com>
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c
|
||||||
|
index c3479cf8..1deb129c 100644
|
||||||
|
--- a/usr/lib/icsf_stdll/icsf.c
|
||||||
|
+++ b/usr/lib/icsf_stdll/icsf.c
|
||||||
|
@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char)
|
||||||
|
str_len = len;
|
||||||
|
|
||||||
|
memcpy(dest, orig, str_len);
|
||||||
|
- if ((len - str_len) > 0)
|
||||||
|
+ if (len > str_len)
|
||||||
|
memset(dest + str_len, ' ', len - str_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c
|
||||||
|
index c617f1e6..6f16ca5e 100644
|
||||||
|
--- a/usr/lib/icsf_stdll/icsf_specific.c
|
||||||
|
+++ b/usr/lib/icsf_stdll/icsf_specific.c
|
||||||
|
@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
|
||||||
|
- if (input_part_len - remaining > 0)
|
||||||
|
+ if (input_part_len > remaining)
|
||||||
|
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
|
||||||
|
input_part_len - remaining);
|
||||||
|
|
||||||
|
@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
|
||||||
|
- if (input_part_len - remaining > 0)
|
||||||
|
+ if (input_part_len > remaining)
|
||||||
|
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
|
||||||
|
input_part_len - remaining);
|
||||||
|
|
||||||
|
@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata,
|
||||||
|
}
|
||||||
|
memcpy(buffer, multi_part_ctx->data,
|
||||||
|
multi_part_ctx->used_data_len);
|
||||||
|
- if (out_len - multi_part_ctx->used_data_len > 0)
|
||||||
|
+ if (out_len > multi_part_ctx->used_data_len)
|
||||||
|
memcpy(buffer + multi_part_ctx->used_data_len,
|
||||||
|
(char *)in_data,
|
||||||
|
out_len - multi_part_ctx->used_data_len);
|
||||||
|
@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata,
|
||||||
|
}
|
||||||
|
memcpy(buffer, multi_part_ctx->data,
|
||||||
|
multi_part_ctx->used_data_len);
|
||||||
|
- if (out_len - multi_part_ctx->used_data_len > 0)
|
||||||
|
+ if (out_len > multi_part_ctx->used_data_len)
|
||||||
|
memcpy(buffer + multi_part_ctx->used_data_len,
|
||||||
|
(char *)in_data,
|
||||||
|
out_len - multi_part_ctx->used_data_len);
|
@ -0,0 +1,8 @@
|
|||||||
|
# This file describes how to load the opensc module
|
||||||
|
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
|
||||||
|
|
||||||
|
# This is a relative path, which means it will be loaded from
|
||||||
|
# the p11-kit default path which is usually $(libdir)/pkcs11.
|
||||||
|
# Doing it this way allows for packagers to package opensc for
|
||||||
|
# 32-bit and 64-bit and make them parallel installable
|
||||||
|
module: libopencryptoki.so
|
@ -0,0 +1,776 @@
|
|||||||
|
Name: opencryptoki
|
||||||
|
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
|
||||||
|
Version: 3.23.0
|
||||||
|
Release: 5%{?dist}
|
||||||
|
License: CPL-1.0
|
||||||
|
URL: https://github.com/opencryptoki/opencryptoki
|
||||||
|
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||||
|
Source1: opencryptoki.module
|
||||||
|
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
|
||||||
|
Patch1: opencryptoki-3.11.0-lockdir.patch
|
||||||
|
# fix install problem in buildroot
|
||||||
|
Patch2: opencryptoki-3.21.0-p11sak.patch
|
||||||
|
# upstream patches
|
||||||
|
# SEC2356-backport
|
||||||
|
Patch100: opencryptoki-3.23-SEC2356-backport-01.patch
|
||||||
|
Patch101: opencryptoki-3.23-SEC2356-backport-02.patch
|
||||||
|
Patch102: opencryptoki-3.23-SEC2356-backport-03.patch
|
||||||
|
Patch103: opencryptoki-3.23-SEC2356-backport-04.patch
|
||||||
|
Patch104: opencryptoki-3.23-SEC2356-backport-05.patch
|
||||||
|
Patch105: opencryptoki-3.23-SEC2356-backport-06.patch
|
||||||
|
Patch106: opencryptoki-3.23-SEC2356-backport-07.patch
|
||||||
|
Patch107: opencryptoki-3.23-SEC2356-backport-08.patch
|
||||||
|
Patch108: opencryptoki-3.23-SEC2356-backport-09.patch
|
||||||
|
Patch109: opencryptoki-3.23-covcan-part1.patch
|
||||||
|
Patch110: opencryptoki-3.23-covcan-part2.patch
|
||||||
|
|
||||||
|
Requires(pre): coreutils
|
||||||
|
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
BuildRequires: openssl-devel >= 1.1.1
|
||||||
|
%if 0%{?tmptok}
|
||||||
|
BuildRequires: trousers-devel
|
||||||
|
%endif
|
||||||
|
BuildRequires: openldap-devel
|
||||||
|
BuildRequires: autoconf automake libtool
|
||||||
|
BuildRequires: bison flex
|
||||||
|
BuildRequires: libcap-devel
|
||||||
|
BuildRequires: expect
|
||||||
|
BuildRequires: make
|
||||||
|
BuildRequires: systemd-rpm-macros
|
||||||
|
%ifarch s390 s390x
|
||||||
|
BuildRequires: libica-devel >= 2.3
|
||||||
|
# for /usr/include/libudev.h
|
||||||
|
BuildRequires: systemd-devel
|
||||||
|
%endif
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}(token)
|
||||||
|
Requires(post): systemd diffutils
|
||||||
|
Requires(preun): systemd
|
||||||
|
Requires(postun): systemd
|
||||||
|
|
||||||
|
|
||||||
|
%description
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package contains the Slot Daemon (pkcsslotd) and general utilities.
|
||||||
|
|
||||||
|
|
||||||
|
%package libs
|
||||||
|
Summary: The run-time libraries for opencryptoki package
|
||||||
|
Requires(pre): shadow-utils
|
||||||
|
|
||||||
|
%description libs
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package contains the PKCS#11 library implementation, and requires
|
||||||
|
at least one token implementation (packaged separately) to be fully
|
||||||
|
functional.
|
||||||
|
|
||||||
|
|
||||||
|
%package devel
|
||||||
|
Summary: Development files for openCryptoki
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
|
||||||
|
%description devel
|
||||||
|
This package contains the development header files for building
|
||||||
|
opencryptoki and PKCS#11 based applications
|
||||||
|
|
||||||
|
|
||||||
|
%package swtok
|
||||||
|
Summary: The software token implementation for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description swtok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the software token implementation to use opencryptoki
|
||||||
|
without any specific cryptographic hardware.
|
||||||
|
|
||||||
|
|
||||||
|
%package tpmtok
|
||||||
|
Summary: Trusted Platform Module (TPM) device support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description tpmtok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support
|
||||||
|
Trusted Platform Module (TPM) devices in the opencryptoki stack.
|
||||||
|
|
||||||
|
|
||||||
|
%package icsftok
|
||||||
|
Summary: ICSF token support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description icsftok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support
|
||||||
|
ICSF token in the opencryptoki stack.
|
||||||
|
|
||||||
|
|
||||||
|
%ifarch s390 s390x
|
||||||
|
%package icatok
|
||||||
|
Summary: ICA cryptographic devices (clear-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description icatok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support ICA
|
||||||
|
devices in the opencryptoki stack. ICA is an interface to IBM
|
||||||
|
cryptographic hardware such as IBM 4764 or 4765 that uses the
|
||||||
|
"accelerator" or "clear-key" path.
|
||||||
|
|
||||||
|
%package ccatok
|
||||||
|
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description ccatok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support CCA
|
||||||
|
devices in the opencryptoki stack. CCA is an interface to IBM
|
||||||
|
cryptographic hardware such as IBM 4764 or 4765 that uses the
|
||||||
|
"co-processor" or "secure-key" path.
|
||||||
|
|
||||||
|
%package ep11tok
|
||||||
|
Summary: EP11 cryptographic devices (secure-key) support for opencryptoki
|
||||||
|
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
|
Provides: %{name}(token)
|
||||||
|
|
||||||
|
%description ep11tok
|
||||||
|
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
|
||||||
|
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
|
||||||
|
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
|
||||||
|
token implementation that can be used without any cryptographic
|
||||||
|
hardware.
|
||||||
|
This package brings the necessary libraries and files to support EP11
|
||||||
|
tokens in the opencryptoki stack. The EP11 token is a token that uses
|
||||||
|
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
|
||||||
|
configured with Enterprise PKCS#11 (EP11) firmware.
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p1
|
||||||
|
|
||||||
|
|
||||||
|
%build
|
||||||
|
./bootstrap.sh
|
||||||
|
|
||||||
|
%configure --with-systemd=%{_unitdir} --enable-testcases \
|
||||||
|
--with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
|
||||||
|
%if 0%{?tpmtok}
|
||||||
|
--enable-tpmtok \
|
||||||
|
%else
|
||||||
|
--disable-tpmtok \
|
||||||
|
%endif
|
||||||
|
%ifarch s390 s390x
|
||||||
|
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
|
||||||
|
%else
|
||||||
|
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%make_build CHGRP=/bin/true
|
||||||
|
|
||||||
|
|
||||||
|
%install
|
||||||
|
%make_install CHGRP=/bin/true
|
||||||
|
|
||||||
|
|
||||||
|
%pre
|
||||||
|
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
|
||||||
|
# backup config file. bz#2044179
|
||||||
|
%global cfile /etc/opencryptoki/opencryptoki.conf
|
||||||
|
%global csuffix .rpmsave.XyoP
|
||||||
|
if test $1 -gt 1 && test -f %{cfile} ; then
|
||||||
|
cp -p %{cfile} %{cfile}%{csuffix}
|
||||||
|
fi
|
||||||
|
|
||||||
|
%pre libs
|
||||||
|
getent group pkcs11 >/dev/null || groupadd -r pkcs11
|
||||||
|
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
%post
|
||||||
|
# restore the config file from %pre
|
||||||
|
if test $1 -gt 1 && test -f %{cfile} ; then
|
||||||
|
if ( ! cmp -s %{cfile} %{cfile}%{csuffix} ) ; then
|
||||||
|
cp -p %{cfile} %{cfile}.rpmnew
|
||||||
|
fi
|
||||||
|
cp -p %{cfile}%{csuffix} %{cfile} && rm -f %{cfile}%{csuffix}
|
||||||
|
fi
|
||||||
|
|
||||||
|
%systemd_post pkcsslotd.service
|
||||||
|
if test $1 -eq 1; then
|
||||||
|
%tmpfiles_create %{name}.conf
|
||||||
|
fi
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%systemd_preun pkcsslotd.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%systemd_postun_with_restart pkcsslotd.service
|
||||||
|
|
||||||
|
|
||||||
|
%files
|
||||||
|
%doc ChangeLog FAQ README.md
|
||||||
|
%doc doc/opencryptoki-howto.md
|
||||||
|
%doc doc/README.token_data
|
||||||
|
%doc %{_docdir}/%{name}/*.conf
|
||||||
|
%dir %{_sysconfdir}/%{name}
|
||||||
|
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
|
||||||
|
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
|
||||||
|
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
|
||||||
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
|
%{_unitdir}/pkcsslotd.service
|
||||||
|
%{_sbindir}/p11sak
|
||||||
|
%{_sbindir}/pkcstok_migrate
|
||||||
|
%{_sbindir}/pkcsconf
|
||||||
|
%{_sbindir}/pkcsslotd
|
||||||
|
%{_sbindir}/pkcsstats
|
||||||
|
%{_sbindir}/pkcshsm_mk_change
|
||||||
|
%{_mandir}/man1/p11sak.1*
|
||||||
|
%{_mandir}/man1/pkcstok_migrate.1*
|
||||||
|
%{_mandir}/man1/pkcsconf.1*
|
||||||
|
%{_mandir}/man1/pkcsstats.1*
|
||||||
|
%{_mandir}/man1/pkcshsm_mk_change.1*
|
||||||
|
%{_mandir}/man5/policy.conf.5*
|
||||||
|
%{_mandir}/man5/strength.conf.5*
|
||||||
|
%{_mandir}/man5/%{name}.conf.5*
|
||||||
|
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
|
||||||
|
%{_mandir}/man7/%{name}.7*
|
||||||
|
%{_mandir}/man8/pkcsslotd.8*
|
||||||
|
%{_libdir}/opencryptoki/methods
|
||||||
|
%{_libdir}/pkcs11/methods
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
|
||||||
|
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
|
||||||
|
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
|
||||||
|
%dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
|
||||||
|
|
||||||
|
%files libs
|
||||||
|
%license LICENSE
|
||||||
|
%{_sysconfdir}/ld.so.conf.d/*
|
||||||
|
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
|
||||||
|
# needs them in the main package, because:
|
||||||
|
# documentation suggests that programs should dlopen "PKCS11_API.so".
|
||||||
|
%dir %{_libdir}/opencryptoki
|
||||||
|
%{_libdir}/opencryptoki/libopencryptoki.*
|
||||||
|
%{_libdir}/opencryptoki/PKCS11_API.so
|
||||||
|
%dir %{_libdir}/opencryptoki/stdll
|
||||||
|
%dir %{_libdir}/pkcs11
|
||||||
|
%{_libdir}/pkcs11/libopencryptoki.so
|
||||||
|
%{_libdir}/pkcs11/PKCS11_API.so
|
||||||
|
%{_libdir}/pkcs11/stdll
|
||||||
|
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
|
||||||
|
|
||||||
|
%files devel
|
||||||
|
%{_includedir}/%{name}/
|
||||||
|
%{_libdir}/pkgconfig/%{name}.pc
|
||||||
|
|
||||||
|
%files swtok
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
|
||||||
|
|
||||||
|
%if 0%{?tmptok}
|
||||||
|
%files tpmtok
|
||||||
|
%doc doc/README.tpm_stdll
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files icsftok
|
||||||
|
%doc doc/README.icsf_stdll
|
||||||
|
%{_sbindir}/pkcsicsf
|
||||||
|
%{_mandir}/man1/pkcsicsf.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
|
||||||
|
|
||||||
|
%ifarch s390 s390x
|
||||||
|
%files icatok
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
|
||||||
|
|
||||||
|
%files ccatok
|
||||||
|
%doc doc/README.cca_stdll
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf
|
||||||
|
%{_sbindir}/pkcscca
|
||||||
|
%{_mandir}/man1/pkcscca.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
|
||||||
|
|
||||||
|
%files ep11tok
|
||||||
|
%doc doc/README.ep11_stdll
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
|
||||||
|
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
|
||||||
|
%{_sbindir}/pkcsep11_migrate
|
||||||
|
%{_sbindir}/pkcsep11_session
|
||||||
|
%{_mandir}/man1/pkcsep11_migrate.1*
|
||||||
|
%{_mandir}/man1/pkcsep11_session.1*
|
||||||
|
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
|
||||||
|
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
|
||||||
|
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.23.0-5
|
||||||
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
* Tue Jun 18 2024 Than Ngo <than@redhat.com> - 3.23.0-4
|
||||||
|
- Resolves: RHEL-42492, SAST
|
||||||
|
|
||||||
|
* Wed May 22 2024 Than Ngo <than@redhat.com> - 3.23.0-3
|
||||||
|
- Related: RHEL-24038, backport - ep11 token: support protected keys for extractable keys
|
||||||
|
|
||||||
|
* Tue Apr 16 2024 Than Ngo <than@redhat.com> - 3.23.0-2
|
||||||
|
- enable gating tests
|
||||||
|
|
||||||
|
Resolves: RHEL-24037, RHEL-24038
|
||||||
|
|
||||||
|
* Wed Feb 07 2024 Than Ngo <than@redhat.com> - 3.23.0-1
|
||||||
|
- 3.23.0
|
||||||
|
* EP11: Add support for FIPS-session mode
|
||||||
|
* Updates to harden against RSA timing attacks
|
||||||
|
* Bug fixes
|
||||||
|
|
||||||
|
* Tue Jan 30 2024 Dan Horák <dan[at]danny.cz> - 3.22.0-4
|
||||||
|
- fix all errors and warnings (rhbz#2261419)
|
||||||
|
|
||||||
|
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 21 2023 Than Ngo <than@redhat.com> - 3.22.0-1
|
||||||
|
- update to 3.22.0
|
||||||
|
|
||||||
|
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 17 2023 Than Ngo <than@redhat.com> - 3.21.0-5
|
||||||
|
- p11sak tool: slot option does not accept argument 0 for slot index 0
|
||||||
|
- p11sak fails as soon as there reside non-key objects
|
||||||
|
|
||||||
|
* Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4
|
||||||
|
- add verify attributes for opencryptoki.conf to ignore the
|
||||||
|
verification
|
||||||
|
|
||||||
|
* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
|
||||||
|
- drop p11_kit_support
|
||||||
|
- fix handling of user name
|
||||||
|
- fix user confirmation prompt behavior when stdin is closed
|
||||||
|
|
||||||
|
* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
|
||||||
|
- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
|
||||||
|
|
||||||
|
* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
|
||||||
|
- update to 3.21.0
|
||||||
|
|
||||||
|
* Tue Feb 14 2023 Than Ngo <than@redhat.com> - 3.20.0-2
|
||||||
|
- migrated to SPDX license
|
||||||
|
|
||||||
|
* Mon Feb 13 2023 Than Ngo <than@redhat.com> - 3.20.0-1
|
||||||
|
- update to 3.20.0
|
||||||
|
- drop unnecessary opencryptoki-3.11.0-group.patch
|
||||||
|
|
||||||
|
* Wed Feb 08 2023 Than Ngo <than@redhat.com> - 3.19.0-3
|
||||||
|
- Add support of ep11 token for new IBM Z Hardware (IBM z16)
|
||||||
|
|
||||||
|
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.19.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
|
||||||
|
- update to 3.19.0
|
||||||
|
|
||||||
|
* Wed Sep 14 2022 Florian Weimer <fweimer@redhat.com> - 3.18.0-5
|
||||||
|
- Add missing build dependency on systemd-rpm-macros
|
||||||
|
|
||||||
|
* Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-4
|
||||||
|
- fix json output
|
||||||
|
- do not touch opencryptoki.conf if it is in place already and even if it is unchanged
|
||||||
|
|
||||||
|
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.18.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
|
||||||
|
- add missing strength.conf
|
||||||
|
|
||||||
|
* Mon May 02 2022 Than Ngo <than@redhat.com> - 3.18.0-1
|
||||||
|
- 3.18.0
|
||||||
|
|
||||||
|
* Wed Apr 20 2022 Dan Horák <dan[at]danny.cz> - 3.17.0-7
|
||||||
|
- fix initialization (#2075851, #2074587)
|
||||||
|
|
||||||
|
* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-6
|
||||||
|
- add tokversion
|
||||||
|
|
||||||
|
* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-5
|
||||||
|
- upstream fixes - openssl cleanup for opencryptoki, Avoid deadlock when stopping event thread
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.17.0-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Nov 25 2021 Than Ngo <than@redhat.com> - 3.17.0-3
|
||||||
|
- fix covscan issues
|
||||||
|
|
||||||
|
* Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
|
||||||
|
- add missing config file p11sak_defined_attrs.conf
|
||||||
|
|
||||||
|
* Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1
|
||||||
|
- rebase to 3.17.0
|
||||||
|
|
||||||
|
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.16.0-5
|
||||||
|
- Rebuilt with OpenSSL 3.0.0
|
||||||
|
|
||||||
|
* Fri Sep 03 2021 Than Ngo <than@redhat.com> - 3.16.0-4
|
||||||
|
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
|
||||||
|
- Resolves: #1974365, Fix detection if pkcsslotd is still running
|
||||||
|
|
||||||
|
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jun 30 2021 Than Ngo <than@redhat.com> - 3.16.0-2
|
||||||
|
- Added Event Notification Support
|
||||||
|
- Added conditional requirement on selinux-policy >= 34.10-1
|
||||||
|
- pkcsslotd PIDfile below legacy directory
|
||||||
|
- Added BR on systemd-devel
|
||||||
|
|
||||||
|
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
|
||||||
|
- Rebase to 3.16.0
|
||||||
|
|
||||||
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
|
||||||
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
|
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
|
||||||
|
- Added upstream patch, a slot ID has nothing to do with the number of slots
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
|
||||||
|
- Drop tpm1.2 support by default
|
||||||
|
|
||||||
|
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
|
||||||
|
- Fix compiling with c++
|
||||||
|
- Added error message handling for p11sak remove-key command
|
||||||
|
- Add BR on make
|
||||||
|
|
||||||
|
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
|
||||||
|
- Rebase to 3.15.1
|
||||||
|
|
||||||
|
* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
|
||||||
|
- Rebase to 3.15.0
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
|
||||||
|
- added PIN conversion tool
|
||||||
|
|
||||||
|
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
|
||||||
|
- upstream fix - handle early error cases in C_Initialize
|
||||||
|
|
||||||
|
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
|
||||||
|
- fix regression, segfault in C_SetPin
|
||||||
|
|
||||||
|
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
|
||||||
|
- Rebase to 3.14.0
|
||||||
|
|
||||||
|
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
|
||||||
|
- Rebase to 3.13.0
|
||||||
|
|
||||||
|
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
|
||||||
|
- fix build with gcc 10
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
|
||||||
|
- Rebase to 3.12.1
|
||||||
|
|
||||||
|
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
|
||||||
|
- Rebase to 3.12.0
|
||||||
|
|
||||||
|
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
|
||||||
|
- Rebase to 3.11.1
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
|
||||||
|
- enable testcase by default
|
||||||
|
- fix URL
|
||||||
|
|
||||||
|
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
|
||||||
|
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
|
||||||
|
- Updated to 3.11.0
|
||||||
|
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
|
||||||
|
- Ported root's group membership's patch for 3.11.0
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
|
||||||
|
- Rebase to 3.10.0
|
||||||
|
|
||||||
|
* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
|
||||||
|
- Rebase to 3.9.0
|
||||||
|
|
||||||
|
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
|
||||||
|
- use upstream tmpfiles config
|
||||||
|
|
||||||
|
* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
|
||||||
|
- Rebase to 3.8.2 (#1512678)
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
|
||||||
|
- Rebase to 3.7.0
|
||||||
|
- Added libitm-devel as BuildRequires
|
||||||
|
|
||||||
|
* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
|
||||||
|
- Rebase to 3.6.2
|
||||||
|
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
|
||||||
|
|
||||||
|
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
|
||||||
|
- New upstream release
|
||||||
|
|
||||||
|
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
|
||||||
|
- New bugfix upstream release
|
||||||
|
|
||||||
|
* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
|
||||||
|
- New upstream release
|
||||||
|
- Adding post-release patch fixing compile warnings
|
||||||
|
|
||||||
|
* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
|
||||||
|
- New upstream release
|
||||||
|
- Correct dependencies for group creation
|
||||||
|
|
||||||
|
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
|
||||||
|
- Few more undefined symbols fixed for s390(x) specific targets
|
||||||
|
- Do not require --no-undefined, because s390(x) requires some
|
||||||
|
|
||||||
|
* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
|
||||||
|
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
|
||||||
|
- Make inline function compatible for GCC5
|
||||||
|
|
||||||
|
* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
|
||||||
|
- new upstream release 3.2
|
||||||
|
- add new sub-package opencryptoki-ep11tok on s390x
|
||||||
|
|
||||||
|
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
|
||||||
|
- new upstream release 3.1
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
|
||||||
|
- create the right lock directory for cca tokens (#1054442)
|
||||||
|
|
||||||
|
* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
|
||||||
|
- use Requires(pre): opencryptoki-libs for subpackages
|
||||||
|
|
||||||
|
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
|
||||||
|
- include token specific directories (#1013017, #1045775, #1054442)
|
||||||
|
- fix pkcsconf crash for non-root users (#10054661)
|
||||||
|
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
|
||||||
|
|
||||||
|
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
|
||||||
|
- fix build with -Werror=format-security (#1037228)
|
||||||
|
|
||||||
|
* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
|
||||||
|
- apply post-3.0 fixes (#1033284)
|
||||||
|
|
||||||
|
* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
|
||||||
|
- update opencryptoki man page (#1001729)
|
||||||
|
|
||||||
|
* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
|
||||||
|
- update unit file (#995002)
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
|
||||||
|
- update pkcsconf man page (#948460)
|
||||||
|
|
||||||
|
* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
|
||||||
|
- new upstream release 3.0
|
||||||
|
|
||||||
|
* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
|
||||||
|
- new upstream release 2.4.3.1
|
||||||
|
|
||||||
|
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
|
||||||
|
- new upstream release 2.4.3
|
||||||
|
|
||||||
|
* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
|
||||||
|
- enable hardened build
|
||||||
|
- switch to systemd macros in scriptlets (#850240)
|
||||||
|
|
||||||
|
* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
|
||||||
|
- add virtual opencryptoki(token) Provides to token modules and as Requires
|
||||||
|
to main package (#904986)
|
||||||
|
|
||||||
|
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
|
||||||
|
- new upstream release 2.4.2
|
||||||
|
- add pkcs_slot man page
|
||||||
|
- don't add root to the pkcs11 group
|
||||||
|
|
||||||
|
* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
|
||||||
|
- fix unresolved symbols in TPM module (#830129)
|
||||||
|
|
||||||
|
* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
|
||||||
|
- new upstream release 2.4.1
|
||||||
|
- convert from initscript to systemd unit
|
||||||
|
- import fixes from RHEL-6 about root's group membership (#732756, #730903)
|
||||||
|
|
||||||
|
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
|
||||||
|
- new upstream release 2.4
|
||||||
|
|
||||||
|
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
|
||||||
|
- new upstream release 2.3.3
|
||||||
|
|
||||||
|
* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
|
||||||
|
- Apply Obsoletes to package names, not provides.
|
||||||
|
|
||||||
|
* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
|
||||||
|
- new upstream release 2.3.2
|
||||||
|
- put STDLLs in separate packages to match upstream package design
|
||||||
|
|
||||||
|
* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
|
||||||
|
- Move the LICENSE file to the -libs subpackage.
|
||||||
|
|
||||||
|
* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
|
||||||
|
- rebuilt with CCA enabled (#604287)
|
||||||
|
- fixed issues from #546274
|
||||||
|
|
||||||
|
* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
|
||||||
|
- fixed one more issue in the initscript (#547324)
|
||||||
|
|
||||||
|
* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
|
||||||
|
- fixed pidfile creating and usage (#547324)
|
||||||
|
|
||||||
|
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
|
||||||
|
- Also list 'reload' and 'force-reload' in "Usage: ...".
|
||||||
|
|
||||||
|
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
|
||||||
|
- Support 'force-reload' in the initscript.
|
||||||
|
|
||||||
|
* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
|
||||||
|
- New upstream release 2.3.1.
|
||||||
|
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
|
||||||
|
|
||||||
|
* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
|
||||||
|
- made pkcsslotd initscript LSB compliant (#522149)
|
||||||
|
|
||||||
|
* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
|
||||||
|
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
|
||||||
|
|
||||||
|
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
|
||||||
|
- rebuilt with new openssl
|
||||||
|
|
||||||
|
* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
|
||||||
|
- Require libica-2.0.
|
||||||
|
|
||||||
|
* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
|
||||||
|
- New upstream release 2.3.0:
|
||||||
|
- adds support for RSA 4096 bit keys in the ICA token.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
|
||||||
|
- Require arch-specific dependency on -libs.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
|
||||||
|
- Return support for crypto hw on s390.
|
||||||
|
- Renamed to opencryptoki.
|
||||||
|
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
|
||||||
|
|
||||||
|
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
|
||||||
|
- Fedora package based on RHEL-5 package.
|
Loading…
Reference in new issue