import opencryptoki-3.23.0-5.el10

c10-beta imports/c10-beta/opencryptoki-3.23.0-5.el10
MSVSphere Packaging Team 4 weeks ago
commit c0cead4463
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/opencryptoki-3.23.0.tar.gz

@ -0,0 +1 @@
0d70d0a5170a79fc358107d07a62bea1b476e0cc SOURCES/opencryptoki-3.23.0.tar.gz

@ -0,0 +1,12 @@
diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac
--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100
+++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100
@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS])
dnl Define custom variables
-lockdir=$localstatedir/lock/opencryptoki
+lockdir=/run/lock/opencryptoki
AC_SUBST(lockdir)
logdir=$localstatedir/log/opencryptoki

@ -0,0 +1,37 @@
diff -up opencryptoki-3.21.0/Makefile.am.me opencryptoki-3.21.0/Makefile.am
--- opencryptoki-3.21.0/Makefile.am.me 2023-05-15 17:01:04.932616030 +0200
+++ opencryptoki-3.21.0/Makefile.am 2023-05-15 17:00:45.732131601 +0200
@@ -39,15 +39,8 @@ include tools/tools.mk
include doc/doc.mk
install-data-hook:
- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
- $(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
if ENABLE_LIBRARY
$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
$(MKDIR_P) $(DESTDIR)$(libdir)/pkcs11
@@ -100,7 +93,7 @@ if ENABLE_EP11TOK
endif
if ENABLE_P11SAK
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
endif
if ENABLE_ICATOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
@@ -151,7 +144,7 @@ endif
if ENABLE_DAEMON
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
endif
$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
echo "$(libdir)/opencryptoki" >\

@ -0,0 +1,50 @@
commit 2d68f8626d15b9697a29a377a63bbdf35b42ee36
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Feb 13 16:20:06 2024 +0100
EP11 pkey option: add new PKEY_MODE parms to ep11 config file
Add two new parameter values ENABLE4EXTR and ENABLE4ALL to the ep11token
PKEY_MODE config option. Older ep11 card firmware enforces the restriction that
keys can not have CKA_EXTRACTABLE=true and CKA_IBM_PROTKEY_EXTRACTABLE=true at
the same time. With newer card firmware this restriction is removed and a new
control point is introduced to allow checking for this feature.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11tok.conf b/usr/lib/ep11_stdll/ep11tok.conf
index 19c9963f..afe237b9 100644
--- a/usr/lib/ep11_stdll/ep11tok.conf
+++ b/usr/lib/ep11_stdll/ep11tok.conf
@@ -104,7 +104,7 @@
# disabled and additional hardware and firmware prerequisites are met. AES-XTS
# is not supported via the EP11 coprocessor itself.
#
-# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR
+# PKEY_MODE DISABLED | DEFAULT | ENABLE4NONEXTR | ENABLE4EXTR | ENABLE4ALL
#
# DISABLED : Protected key support disabled. All key operations
# are performed via EP11 coprocessor, even if a
@@ -119,6 +119,22 @@
# but not CKA_IBM_PROTKEY_EXTRACTABLE, new keys get
# CKA_IBM_PROTKEY_EXTRACTABLE=true internally.
#
+# Control point 75 (XCP_CPB_ALLOW_COMBINED_EXTRACT) must be enabled for all
+# APQNs accessible by the token for the following parameters.
+#
+# ENABLE4EXTR : If the application did not specify
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
+# of any type with CKA_EXTRACTABLE=true get
+# CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key
+# is automatically created at first use of the key.
+#
+# ENABLE4ALL : If the application did not specify
+# CKA_IBM_PROTKEY_EXTRACTABLE in its template, new keys
+# of any type, regardless of the CKA_EXTRACTABLE
+# attribute, get CKA_IBM_PROTKEY_EXTRACTABLE=true and
+# a protected key is automatically created at first
+# use of the key.
+#
# --------------------------------------------------------------------------
#
# Specify the expected wrapping key verification pattern. When specified, all

@ -0,0 +1,222 @@
commit a6192bb9c3263fb691da87b3a1ed5f66f887b09a
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Feb 13 16:35:53 2024 +0100
EP11 pkey option: handle new PKEY_MODE parms for new objects
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index d5964a9c..d1efd8c5 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1239,6 +1239,33 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
return CKR_OK;
}
+CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
+{
+ CK_ATTRIBUTE *pkey_attr = NULL;
+ CK_BBOOL btrue = CK_TRUE;
+ CK_RV ret;
+
+ if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
+ ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE, &btrue,
+ sizeof(CK_BBOOL), &pkey_attr);
+ if (ret != CKR_OK) {
+ TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
+ goto done;
+ }
+ ret = template_update_attribute(tmpl, pkey_attr);
+ if (ret != CKR_OK) {
+ TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
+ free(pkey_attr);
+ goto done;
+ }
+ }
+
+ ret = CKR_OK;
+
+done:
+ return ret;
+}
+
/**
* This function is called whenever a new object is created. It sets
* attribute CKA_IBM_PROTKEY_EXTRACTABLE according to the PKEY_MODE token
@@ -1254,7 +1281,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
CK_ULONG mode, TEMPLATE *tmpl)
{
ep11_private_data_t *ep11_data = tokdata->private_data;
- CK_ATTRIBUTE *pkey_attr = NULL, *ecp_attr = NULL, *sensitive_attr = NULL;
+ CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
CK_BBOOL add_pkey_extractable = CK_FALSE;
CK_RV ret;
@@ -1314,23 +1341,62 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
-
if (add_pkey_extractable) {
- if (!template_attribute_find(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE, &pkey_attr)) {
- ret = build_attribute(CKA_IBM_PROTKEY_EXTRACTABLE,
- (CK_BBOOL *)&btrue, sizeof(CK_BBOOL),
- &pkey_attr);
- if (ret != CKR_OK) {
- TRACE_ERROR("build_attribute failed with ret=0x%lx\n", ret);
- goto done;
- }
- ret = template_update_attribute(tmpl, pkey_attr);
- if (ret != CKR_OK) {
- TRACE_ERROR("update_attribute failed with ret=0x%lx\n", ret);
- free(pkey_attr);
- goto done;
- }
- }
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
+ break;
+ case PKEY_MODE_ENABLE4EXTR:
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
+ * its template, new keys of any type with CKA_EXTRACTABLE=true get
+ * CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is automatically
+ * created at first use of the key.
+ */
+ switch (class) {
+ case CKO_PUBLIC_KEY:
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
+ add_pkey_extractable = CK_TRUE;
+ /* Note that the explicit parm CKM_ECDSA just tells the
+ * function that it's not AES here. It covers all EC and ED
+ * mechs */
+ break;
+ default:
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
+ if (ret == CKR_OK && extractable) // Einziger Unterschied: extractable, statt !extractable
+ add_pkey_extractable = CK_TRUE;
+ break;
+ }
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
+ break;
+ case PKEY_MODE_ENABLE4ALL:
+ /* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
+ * its template, new keys of any type, regardless of CKA_EXTRACTABLE,
+ * get CKA_IBM_PROTKEY_EXTRACTABLE=true and a protected key is
+ * automatically created at first use of the key.
+ */
+ switch (class) {
+ case CKO_PUBLIC_KEY:
+ if (template_attribute_get_non_empty(tmpl, CKA_EC_PARAMS, &ecp_attr) == CKR_OK &&
+ pkey_op_supported_by_cpacf(ep11_data->msa_level, CKM_ECDSA, tmpl))
+ add_pkey_extractable = CK_TRUE;
+ /* Note that the explicit parm CKM_ECDSA just tells the
+ * function that it's not AES here. It covers all EC and ED
+ * mechs */
+ break;
+ default:
+ add_pkey_extractable = CK_TRUE;
+ break;
+ }
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
}
break;
default:
@@ -12188,6 +12254,10 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
ep11_data->pkey_mode = PKEY_MODE_ENABLE4NONEXTR;
+ else if (strcmp(strval, "ENABLE4EXTR") == 0)
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
+ else if (strcmp(strval, "ENABLE4ALL") == 0)
+ ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
else {
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
@@ -13252,6 +13322,7 @@ typedef struct cp_handler_data {
int first;
size_t max_cp_index;
CK_BBOOL error;
+ CK_BBOOL allow_combined_extract;
} cp_handler_data_t;
static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
@@ -13329,6 +13400,27 @@ static CK_RV control_point_handler(uint_32 adapter, uint_32 domain,
}
}
+ /* Combined extract is only supported if all APQNs support it */
+ if (max_cp_index < XCP_CPB_ALLOW_COMBINED_EXTRACT ||
+ (cp[CP_BYTE_NO(XCP_CPB_ALLOW_COMBINED_EXTRACT)] &
+ CP_BIT_MASK(XCP_CPB_ALLOW_COMBINED_EXTRACT)) == 0) {
+ data->allow_combined_extract = CK_FALSE;
+
+ if (ep11_data->pkey_mode == PKEY_MODE_ENABLE4EXTR ||
+ ep11_data->pkey_mode == PKEY_MODE_ENABLE4ALL) {
+ TRACE_ERROR("Control point setting for adapter %02X.%04X does not "
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
+ "ENABLE4ALL specified in ep11 token config file.\n",
+ adapter, domain);
+ OCK_SYSLOG(LOG_ERR,
+ "Control point setting for adapter %02X.%04X does not "
+ "allow combined extract, but PKEY_MODE ENABLE4EXTR or "
+ "ENABLE4ALL specified in ep11 token config file.\n",
+ adapter, domain);
+ data->error = TRUE;
+ }
+ }
+
/* Check FIPS-session related CPs for non-FIPS-session mode */
if (!ep11_data->fips_session_mode) {
if (max_cp_index >= XCP_CPB_ALLOW_NONSESSION &&
@@ -13392,6 +13484,7 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
* to older cards default to ON. CPs being OFF disable functionality.
*/
memset(data.combined_cp, 0xff, sizeof(data.combined_cp));
+ data.allow_combined_extract = CK_TRUE;
data.first = 1;
rc = handle_all_ep11_cards(&ep11_data->target_list, control_point_handler,
&data);
@@ -13410,6 +13503,11 @@ static CK_RV get_control_points(STDLL_TokData_t * tokdata,
print_control_points(cp, *cp_len, data.max_cp_index);
#endif
+ if (data.allow_combined_extract == CK_FALSE)
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 0);
+ else
+ __sync_or_and_fetch(&ep11_data->pkey_combined_extract_supported, 1);
+
return data.error ? CKR_DEVICE_ERROR : CKR_OK;
}
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
index deb8f45f..16d3c719 100644
--- a/usr/lib/ep11_stdll/ep11_specific.h
+++ b/usr/lib/ep11_stdll/ep11_specific.h
@@ -241,6 +241,8 @@ typedef struct {
#define PKEY_MODE_DISABLED 0
#define PKEY_MODE_DEFAULT 1
#define PKEY_MODE_ENABLE4NONEXTR 2
+#define PKEY_MODE_ENABLE4EXTR 3
+#define PKEY_MODE_ENABLE4ALL 4
#define PQC_BYTE_NO(idx) (((idx) - 1) / 8)
#define PQC_BIT_IN_BYTE(idx) (((idx - 1)) % 8)
@@ -278,6 +280,7 @@ typedef struct {
int fips_session_mode;
int optimize_single_ops;
int pkey_mode;
+ volatile int pkey_combined_extract_supported;
volatile int pkey_wrap_supported;
int pkey_wrap_support_checked;
char pkey_mk_vp[PKEY_MK_VP_LENGTH];

@ -0,0 +1,62 @@
commit 88a01a9c4ba237431d89e3999cd6fdfddd10a51a
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu Mar 7 17:42:11 2024 +0100
EP11 pkey option: handle new PKEY_MODE parms in eligibility check
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index d1efd8c5..a163587c 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1080,6 +1080,26 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
return CK_TRUE;
}
+/*
+ * Returns true if the given key object is eligible to get a protected key
+ * attribute, false otherwise.
+ */
+CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
+ OBJECT *key_obj)
+{
+ if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
+ !object_is_pkey_extractable(key_obj)) {
+ return CK_FALSE;
+ }
+
+ if (!ep11_data->pkey_combined_extract_supported &&
+ object_is_extractable(key_obj)) {
+ return CK_FALSE;
+ }
+
+ return CK_TRUE;
+}
+
/**
* Checks if the preconditions for using the related protected key of
* the given secure key object are met. The caller of this routine must
@@ -1135,6 +1155,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
break;
case PKEY_MODE_DEFAULT:
case PKEY_MODE_ENABLE4NONEXTR:
+ case PKEY_MODE_ENABLE4EXTR:
+ case PKEY_MODE_ENABLE4ALL:
/* Use existing pkeys, re-create invalid pkeys, and also create new
* pkeys for secret/private keys that do not already have one. EC
* public keys that are pkey-extractable, can always be used via CPACF
@@ -1149,12 +1171,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
goto done;
- if (object_is_extractable(key_obj) ||
- !object_is_pkey_extractable(key_obj) ||
- object_is_attr_bound(key_obj) ||
- !ep11_data->pkey_wrap_supported) {
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
goto done;
- }
if (template_attribute_get_non_empty(key_obj->template,
CKA_IBM_OPAQUE_PKEY,

@ -0,0 +1,555 @@
commit b9e33fced0654aac939182957bf2eba2eda77872
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed Feb 21 13:48:15 2024 +0100
EP11 pkey option: add NO_PKEY compile option for EP11 token
On 32-bit s390 platforms, the pkey related assembler code parts won't
compile. Therefore, add NO_PKEY compile switches where necessary.
The NO_PKEY compile switch is already handled in configure.ac.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index a163587c..114c4ce1 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -60,7 +60,9 @@
#include <openssl/ec.h>
#include "ep11_specific.h"
+#ifndef NO_PKEY
#include "pkey_utils.h"
+#endif
CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
CK_MECHANISM_TYPE_PTR mlist,
@@ -256,11 +258,13 @@ static const version_req_t reencrypt_single_req_versions[] = {
#define NUM_REENCRYPT_SINGLE_REQ (sizeof(reencrypt_single_req_versions) / \
sizeof(version_req_t))
+#ifndef NO_PKEY
static const CK_VERSION ibm_cex7p_cpacf_wrap_support = { .major = 7, .minor = 15 };
static const version_req_t ibm_cpacf_wrap_req_versions[] = {
{ .card_type = 7, .min_firmware_version = &ibm_cex7p_cpacf_wrap_support }
};
#define NUM_CPACF_WRAP_REQ (sizeof(ibm_cpacf_wrap_req_versions) / sizeof(version_req_t))
+#endif /* NO_PKEY */
static const CK_ULONG ibm_cex_ab_ecdh_api_version = 3;
static const version_req_t ibm_ab_ecdh_req_versions[] = {
@@ -504,6 +508,7 @@ static CK_BBOOL ep11tok_pkey_option_disabled(STDLL_TokData_t *tokdata)
return CK_FALSE;
}
+#ifndef NO_PKEY
/**
* Callback function used by handle_all_ep11_cards() for creating a protected
* key via the given APQN (adaper,domain).
@@ -1283,6 +1288,7 @@ CK_RV ep11tok_pkey_add_protkey_attr_to_tmpl(TEMPLATE *tmpl)
done:
return ret;
}
+#endif /* NO_PKEY */
/**
* This function is called whenever a new object is created. It sets
@@ -1299,9 +1305,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
CK_ULONG mode, TEMPLATE *tmpl)
{
ep11_private_data_t *ep11_data = tokdata->private_data;
- CK_ATTRIBUTE *ecp_attr = NULL, *sensitive_attr = NULL;
- CK_BBOOL extractable, sensitive, btrue = CK_TRUE;
- CK_BBOOL add_pkey_extractable = CK_FALSE;
+ CK_ATTRIBUTE *sensitive_attr = NULL;
+ CK_BBOOL sensitive, btrue = CK_TRUE;
+#ifndef NO_PKEY
+ CK_ATTRIBUTE *ecp_attr = NULL;
+ CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
+#endif
CK_RV ret;
UNUSED(mode);
@@ -1331,6 +1340,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
}
}
+#ifndef NO_PKEY
switch (ep11_data->pkey_mode) {
case PKEY_MODE_DISABLED:
/* Nothing to do */
@@ -1423,6 +1433,7 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
goto done;
break;
}
+#endif /* NO_PKEY */
ret = CKR_OK;
@@ -1431,6 +1442,19 @@ done:
return ret;
}
+#ifdef NO_PKEY
+CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+{
+ UNUSED(tokdata);
+ UNUSED(session);
+ UNUSED(hkey);
+ UNUSED(mech);
+
+ return CK_FALSE;
+}
+#endif /* NO_PKEY */
+
static CK_RV check_ab_supported(CK_KEY_TYPE type) {
switch(type) {
case CKK_AES:
@@ -2837,8 +2861,10 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
goto error;
}
+#ifndef NO_PKEY
ep11_data->msa_level = get_msa_level();
TRACE_INFO("MSA level = %i\n", ep11_data->msa_level);
+#endif
if (pthread_mutex_init(&ep11_data->raw2key_wrap_blob_mutex, NULL) != 0) {
TRACE_ERROR("Initializing Wrap-Blob lock failed.\n");
@@ -2847,19 +2873,20 @@ CK_RV ep11tok_init(STDLL_TokData_t * tokdata, CK_SLOT_ID SlotNumber,
}
ep11_data->raw2key_wrap_blob_l = 0;
-
if (pthread_mutex_init(&ep11_data->pkey_mutex, NULL) != 0) {
TRACE_ERROR("Initializing PKEY lock failed.\n");
rc = CKR_CANT_LOCK;
goto error;
}
+#ifndef NO_PKEY
if (!ep11tok_pkey_option_disabled(tokdata) &&
!ep11_data->fips_session_mode) {
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, NULL);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
}
+#endif /* NO_PKEY */
if (ep11_data->vhsm_mode || ep11_data->fips_session_mode) {
if (pthread_mutex_init(&ep11_data->session_mutex, NULL) != 0) {
@@ -3178,7 +3205,11 @@ static CK_RV import_aes_xts_key(STDLL_TokData_t *tokdata, SESSION *sess,
if (rc != CKR_OK)
goto import_aes_xts_key_end;
+#ifndef NO_PKEY
rc = ep11tok_pkey_check_aes_xts(tokdata, aes_xts_key_obj, CKM_AES_XTS);
+#else
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
+#endif
if (rc != CKR_OK) {
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n", __func__, rc);
goto import_aes_xts_key_end;
@@ -4562,10 +4593,12 @@ CK_RV token_specific_object_add(STDLL_TokData_t * tokdata, SESSION * sess,
return rc;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
return rc;
+#endif /* NO_PKEY */
memset(blob, 0, sizeof(blob));
memset(blobreenc, 0, sizeof(blobreenc));
@@ -4797,10 +4830,12 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
goto error;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
MODE_KEYGEN, CKO_SECRET_KEY, ktype, &key_obj);
@@ -4820,7 +4855,11 @@ CK_RV ep11tok_generate_key(STDLL_TokData_t * tokdata, SESSION * session,
if (mech->mechanism == CKM_AES_XTS_KEY_GEN) {
xts = TRUE;
+#ifndef NO_PKEY
rc = ep11tok_pkey_check_aes_xts(tokdata, key_obj, mech->mechanism);
+#else
+ rc = CKR_FUNCTION_NOT_SUPPORTED;
+#endif
if (rc != CKR_OK) {
TRACE_ERROR("%s EP11 AES XTS is not supported: rc=0x%lx\n",
__func__, rc);
@@ -5812,7 +5851,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
CK_BYTE *out_data, CK_ULONG *out_data_len,
OBJECT *key_obj )
{
+#ifndef NO_PKEY
SIGN_VERIFY_CONTEXT *ctx = &(session->sign_ctx);
+#endif
CK_RV rc;
size_t keyblobsize = 0;
CK_BYTE *keyblob;
@@ -5826,6 +5867,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
return rc;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
switch (rc) {
case CKR_OK:
@@ -5837,6 +5879,7 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
default:
goto done;
}
+#endif /* NO_PKEY */
mech.mechanism = CKM_ECDSA;
mech.pParameter = NULL;
@@ -5856,7 +5899,9 @@ CK_RV token_specific_ec_sign(STDLL_TokData_t *tokdata, SESSION *session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
return rc;
}
@@ -5866,7 +5911,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
CK_BYTE *out_data, CK_ULONG out_data_len,
OBJECT *key_obj )
{
+#ifndef NO_PKEY
SIGN_VERIFY_CONTEXT *ctx = &(session->verify_ctx);
+#endif
CK_RV rc;
CK_BYTE *spki;
size_t spki_len = 0;
@@ -5880,6 +5927,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
return rc;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, &ctx->mech);
switch (rc) {
case CKR_OK:
@@ -5891,6 +5939,7 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
default:
goto done;
}
+#endif /* NO_PKEY */
mech.mechanism = CKM_ECDSA;
mech.pParameter = NULL;
@@ -5911,7 +5960,9 @@ CK_RV token_specific_ec_verify(STDLL_TokData_t *tokdata, SESSION *session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
return rc;
}
@@ -5981,6 +6032,7 @@ CK_RV token_specific_reencrypt_single(STDLL_TokData_t *tokdata,
return rc;
}
+#ifndef NO_PKEY
/**
* This routine is currently only used when the operation is performed using
* a protected key. Therefore we don't have (and don't need) an ep11
@@ -6062,6 +6114,7 @@ CK_RV token_specific_aes_xts(STDLL_TokData_t *tokdata, SESSION *session,
return pkey_aes_xts(key_obj, init_v, in_data, in_data_len,
out_data, out_data_len, encrypt, initial, final, iv);
}
+#endif /* NO_PKEY */
struct EP11_KYBER_MECH {
CK_MECHANISM mech;
@@ -6829,10 +6882,12 @@ CK_RV ep11tok_derive_key(STDLL_TokData_t *tokdata, SESSION *session,
goto error;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Start creating the key object */
rc = object_mgr_create_skel(tokdata, session, new_attrs1, new_attrs1_len,
@@ -8554,10 +8609,12 @@ CK_RV ep11tok_generate_key_pair(STDLL_TokData_t * tokdata, SESSION * sess,
if (rc != CKR_OK)
goto error;
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, sess);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Now build the skeleton key. */
rc = object_mgr_create_skel(tokdata, sess, pPublicKeyTemplate,
@@ -9202,6 +9259,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -9239,6 +9297,7 @@ CK_RV ep11tok_sign_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_sign_state);
goto done;
}
+#endif /* NO_PKEY */
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
@@ -9340,6 +9399,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
CK_ULONG in_data_len, CK_BYTE * signature,
CK_ULONG * sig_len)
{
+#ifdef NO_PKEY
+ UNUSED(length_only);
+#endif
CK_RV rc;
SIGN_VERIFY_CONTEXT *ctx = &session->sign_ctx;
size_t keyblobsize = 0;
@@ -9355,6 +9417,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
+#ifndef NO_PKEY
if (ctx->pkey_active) {
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
@@ -9372,6 +9435,7 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
}
goto done; /* no ep11 fallback possible */
}
+#endif /* NO_PKEY */
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
RETRY_UPDATE_BLOB_START(tokdata, target_info,
@@ -9394,7 +9458,9 @@ CK_RV ep11tok_sign(STDLL_TokData_t * tokdata, SESSION * session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -9638,6 +9704,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -9675,6 +9742,7 @@ CK_RV ep11tok_verify_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_sign_state);
goto done;
}
+#endif /* NO_PKEY */
if (mech->mechanism == CKM_IBM_ECDSA_OTHER) {
rc = ep11tok_ecdsa_other_mech_adjust(mech, &mech_ep11);
@@ -9787,6 +9855,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
return rc;
}
+#ifndef NO_PKEY
if (ctx->pkey_active) {
/* Note that Edwards curves in general are not yet supported in
* opencryptoki. These two special IBM specific ED mechs are only
@@ -9805,6 +9874,7 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
}
goto done; /* no ep11 fallback possible */
}
+#endif /* NO_PKEY */
RETRY_SESSION_SINGLE_APQN_START(rc, tokdata)
RETRY_UPDATE_BLOB_START(tokdata, target_info,
@@ -9827,7 +9897,9 @@ CK_RV ep11tok_verify(STDLL_TokData_t * tokdata, SESSION * session,
TRACE_INFO("%s rc=0x%lx\n", __func__, rc);
}
+#ifndef NO_PKEY
done:
+#endif
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
@@ -10561,6 +10633,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
goto error;
}
+#ifndef NO_PKEY
rc = ep11tok_pkey_check(tokdata, session, key_obj, mech);
switch (rc) {
case CKR_OK:
@@ -10604,6 +10677,7 @@ static CK_RV ep11_ende_crypt_init(STDLL_TokData_t * tokdata, SESSION * session,
free(ep11_state);
goto done;
}
+#endif /* NO_PKEY */
/*
* ep11_state is allocated large enough to hold 2 times the max state blob.
@@ -11150,10 +11224,12 @@ CK_RV ep11tok_unwrap_key(STDLL_TokData_t * tokdata, SESSION * session,
goto done;
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
goto error;
+#endif /* NO_PKEY */
/* Start creating the key object */
rc = object_mgr_create_skel(tokdata, session, new_attrs, new_attrs_len,
@@ -11878,6 +11954,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
}
break;
+#ifndef NO_PKEY
case CKM_IBM_CPACF_WRAP:
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3) <= 0) {
TRACE_INFO("%s Mech '%s' banned due to host library version\n",
@@ -11895,6 +11972,7 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
goto out;
}
break;
+#endif /* NO_PKEY */
case CKM_IBM_BTC_DERIVE:
if (compare_ck_version(&ep11_data->ep11_lib_version, &ver3_1) < 0) {
@@ -12268,6 +12346,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
{
if (strcmp(strval, "DISABLED") == 0)
ep11_data->pkey_mode = PKEY_MODE_DISABLED;
+#ifndef NO_PKEY
else if (strcmp(strval, "DEFAULT") == 0)
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
else if (strcmp(strval, "ENABLE4NONEXTR") == 0)
@@ -12276,6 +12355,7 @@ static CK_RV ep11_config_set_pkey_mode(ep11_private_data_t *ep11_data,
ep11_data->pkey_mode = PKEY_MODE_ENABLE4EXTR;
else if (strcmp(strval, "ENABLE4ALL") == 0)
ep11_data->pkey_mode = PKEY_MODE_ENABLE4ALL;
+#endif /* NO_PKEY */
else {
TRACE_ERROR("%s unsupported PKEY mode : '%s'\n", __func__, strval);
OCK_SYSLOG(LOG_ERR,"%s: Error: unsupported PKEY mode '%s' "
@@ -12456,7 +12536,11 @@ static CK_RV read_adapter_config_file(STDLL_TokData_t * tokdata,
sizeof(ep11_data->token_config_filename) - 1] = '\0';
ep11_data->target_list.length = 0;
+#ifndef NO_PKEY
ep11_data->pkey_mode = PKEY_MODE_DEFAULT;
+#else
+ ep11_data->pkey_mode = PKEY_MODE_DISABLED;
+#endif
/* Default to use default libica library for digests */
ep11_data->digest_libica = 1;
@@ -14695,10 +14779,12 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
}
}
+#ifndef NO_PKEY
/* Ensure the firmware master key verification pattern is available */
rc = ep11tok_pkey_get_firmware_mk_vp(tokdata, session);
if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED)
return rc;
+#endif /* NO_PKEY */
node = new_tmpl->attribute_list;
while (node) {
@@ -14734,6 +14820,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
goto out;
}
break;
+#ifndef NO_PKEY
case CKA_IBM_PROTKEY_EXTRACTABLE:
if (ep11_data->pkey_wrap_supported) {
rc = add_to_attribute_array(&attributes, &num_attributes,
@@ -14746,6 +14833,7 @@ CK_RV token_specific_set_attribute_values(STDLL_TokData_t *tokdata,
}
}
break;
+#endif /* NO_PKEY */
default:
/* Either non-boolean, or read-only */
break;
diff --git a/usr/lib/ep11_stdll/ep11_stdll.mk b/usr/lib/ep11_stdll/ep11_stdll.mk
index 6a1d68be..e543c514 100644
--- a/usr/lib/ep11_stdll/ep11_stdll.mk
+++ b/usr/lib/ep11_stdll/ep11_stdll.mk
@@ -41,7 +41,7 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/trace.c usr/lib/common/mech_list.c \
usr/lib/common/shared_memory.c usr/lib/common/attributes.c \
usr/lib/common/sw_crypt.c usr/lib/common/profile_obj.c \
- usr/lib/common/dlist.c usr/lib/common/pkey_utils.c \
+ usr/lib/common/dlist.c \
usr/lib/ep11_stdll/new_host.c usr/lib/common/mech_openssl.c \
usr/lib/ep11_stdll/ep11_specific.c \
usr/lib/ep11_stdll/ep11_session.c \
@@ -53,3 +53,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = usr/lib/common/asn1.c \
usr/lib/common/pqc_supported.c \
usr/lib/hsm_mk_change/hsm_mk_change.c \
usr/lib/common/btree.c usr/lib/common/sess_mgr.c
+
+if !NO_PKEY
+opencryptoki_stdll_libpkcs11_ep11_la_SOURCES += \
+ usr/lib/common/pkey_utils.c
+endif
diff --git a/usr/lib/ep11_stdll/tok_struct.h b/usr/lib/ep11_stdll/tok_struct.h
index 304e3eb9..17a5bcf0 100644
--- a/usr/lib/ep11_stdll/tok_struct.h
+++ b/usr/lib/ep11_stdll/tok_struct.h
@@ -115,8 +115,13 @@ token_spec_t token_specific = {
// AES
NULL, // aes_key_gen,
NULL, // aes_xts_key_gen
+#ifndef NO_PKEY
&token_specific_aes_ecb,
&token_specific_aes_cbc,
+#else
+ NULL, // aes_ecb
+ NULL, // aes_cbc
+#endif
NULL, // aes_ctr
NULL, // aes_gcm_init
NULL, // aes_gcm
@@ -125,8 +130,13 @@ token_spec_t token_specific = {
NULL, // aes_ofb
NULL, // aes_cfb
NULL, // aes_mac
+#ifndef NO_PKEY
&token_specific_aes_cmac,
&token_specific_aes_xts, // aes_xts
+#else
+ NULL, // aes_cmac
+ NULL, // aes_xts
+#endif
// DSA
NULL, // dsa_generate_keypair,
NULL, // dsa_sign

@ -0,0 +1,61 @@
commit 0bdcc661e64950e5ea11d950484631ba90e69426
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Thu Mar 7 17:51:40 2024 +0100
EP11 pkey option: consolidate code parts, no logic change
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 114c4ce1..9f855934 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1369,11 +1369,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
case PKEY_MODE_ENABLE4EXTR:
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
@@ -1396,11 +1391,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
case PKEY_MODE_ENABLE4ALL:
/* If the application did not specify CKA_IBM_PROTKEY_EXTRACTABLE in
@@ -1421,11 +1411,6 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
add_pkey_extractable = CK_TRUE;
break;
}
- if (add_pkey_extractable) {
- ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
- if (ret != CKR_OK)
- goto done;
- }
break;
default:
TRACE_ERROR("PKEY_MODE %i unsupported.\n", ep11_data->pkey_mode);
@@ -1433,6 +1418,12 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
goto done;
break;
}
+
+ if (add_pkey_extractable) {
+ ret = ep11tok_pkey_add_protkey_attr_to_tmpl(tmpl);
+ if (ret != CKR_OK)
+ goto done;
+ }
#endif /* NO_PKEY */
ret = CKR_OK;

@ -0,0 +1,26 @@
commit 88761bc4bd560801ec8a18b96cc82586dd719ca3
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Mar 12 17:13:33 2024 +0100
EP11: add check if protected-key support available at all
If it is already known that the PKEY wrap is not supported or not
functioning (for whatever reason), then don't report the XTS
mechanisms as supported.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 9f855934..7850e43f 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -12001,7 +12001,8 @@ CK_RV ep11tok_is_mechanism_supported(STDLL_TokData_t *tokdata,
case CKM_AES_XTS:
case CKM_AES_XTS_KEY_GEN:
- if (ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
+ if ((ep11_data->pkey_wrap_support_checked && !ep11_data->pkey_wrap_supported) ||
+ ep11tok_pkey_option_disabled(tokdata) || ep11_data->msa_level < 4 ||
ep11tok_is_mechanism_supported(tokdata, CKM_IBM_CPACF_WRAP) != CKR_OK ||
ep11tok_is_mechanism_supported(tokdata, CKM_AES_KEY_GEN) != CKR_OK) {
TRACE_INFO("%s Mech '%s' not suppported\n", __func__,

@ -0,0 +1,31 @@
commit 99b87ff678abfb71ba05741d1942e8ac723110c8
Author: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Tue Mar 12 17:30:36 2024 +0100
EP11: consider combined-extract for XTS pkey check
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 7850e43f..e2c9a77e 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1248,14 +1248,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
CK_MECHANISM_TYPE type)
{
+ ep11_private_data_t *ep11_data = tokdata->private_data;
+
if (ep11tok_is_mechanism_supported(tokdata, type) != CKR_OK) {
TRACE_ERROR("%s\n", ock_err(ERR_MECHANISM_INVALID));
return CKR_MECHANISM_INVALID;
}
- if (object_is_extractable(key_obj) ||
- !object_is_pkey_extractable(key_obj) ||
- object_is_attr_bound(key_obj)) {
+ if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
+ TRACE_ERROR("Key not eligible for pkey support\n");
return CKR_TEMPLATE_INCONSISTENT;
}

@ -0,0 +1,306 @@
commit 5b20a1454ca464b07e7686340a579d8b1870e572
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed Mar 20 08:44:25 2024 +0100
EP11: Reject combined extract attribute settings if it is not supported
In case the control point setting of the adapters do not allow that attributes
CKA_EXTRACTABLE and CKA_IBM_PROTKEY_EXTRACTABLE are both true, then reject
this with CKR_TEMPLATE_INCONSISTENT.
The EP11 code would reject that with CKR_FUNCTION_CANCELED, which for EP11
it means that it violates an internal policy (i.e. control point settings),
but in PKCS#11 this return code has a totally different meaning. So reject
such situations explicitly with the correct return code.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index e2c9a77e..b5d788bf 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1089,20 +1089,23 @@ static CK_BBOOL ep11tok_pkey_session_ok_for_obj(SESSION *session,
* Returns true if the given key object is eligible to get a protected key
* attribute, false otherwise.
*/
-CK_BBOOL ep11tok_pkey_obj_eligible_for_pkey_support(ep11_private_data_t *ep11_data,
- OBJECT *key_obj)
+static CK_RV ep11tok_pkey_obj_eligible_for_pkey_support(
+ ep11_private_data_t *ep11_data,
+ OBJECT *key_obj)
{
if (object_is_attr_bound(key_obj) || !ep11_data->pkey_wrap_supported ||
!object_is_pkey_extractable(key_obj)) {
- return CK_FALSE;
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
if (!ep11_data->pkey_combined_extract_supported &&
object_is_extractable(key_obj)) {
- return CK_FALSE;
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
+ return CKR_TEMPLATE_INCONSISTENT;
}
- return CK_TRUE;
+ return CKR_OK;
}
/**
@@ -1176,7 +1179,8 @@ CK_RV ep11tok_pkey_check(STDLL_TokData_t *tokdata, SESSION *session,
if (ep11tok_pkey_get_firmware_mk_vp(tokdata, session) != CKR_OK)
goto done;
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj))
+ ret = ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj);
+ if (ret != CKR_OK)
goto done;
if (template_attribute_get_non_empty(key_obj->template,
@@ -1218,11 +1222,14 @@ done:
/**
* Wrapper function around ep11tok_pkey_check for the case where we don't
* have a key object. This function is called externally from new_host.c.
+ * Returns CKR_OK if pkey usage is OK, CKR_FUNCTION_NOT_SUPPORTED if pkey
+ * is not supported, or any other return code in case of an error. In such
+ * cases the calling function should itself return with an error, because
+ * neither the secure key nor the protected key path will work.
*/
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
{
- CK_BBOOL success = CK_FALSE;
size_t keyblobsize = 0;
CK_BYTE *keyblob;
OBJECT *key_obj;
@@ -1232,17 +1239,15 @@ CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
READ_LOCK);
if (ret != CKR_OK) {
TRACE_ERROR("%s no blob ret=0x%lx\n", __func__, ret);
- return CK_FALSE;
+ return ret;
}
ret = ep11tok_pkey_check(tokdata, session, key_obj, mech);
- if (ret == CKR_OK)
- success = CK_TRUE;
object_put(tokdata, key_obj, TRUE);
key_obj = NULL;
- return success;
+ return ret;
}
CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
@@ -1255,7 +1260,8 @@ CK_RV ep11tok_pkey_check_aes_xts(STDLL_TokData_t *tokdata, OBJECT *key_obj,
return CKR_MECHANISM_INVALID;
}
- if (!ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data, key_obj)) {
+ if (ep11tok_pkey_obj_eligible_for_pkey_support(ep11_data,
+ key_obj) != CKR_OK) {
TRACE_ERROR("Key not eligible for pkey support\n");
return CKR_TEMPLATE_INCONSISTENT;
}
@@ -1307,10 +1313,10 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
{
ep11_private_data_t *ep11_data = tokdata->private_data;
CK_ATTRIBUTE *sensitive_attr = NULL;
- CK_BBOOL sensitive, btrue = CK_TRUE;
+ CK_BBOOL sensitive, extractable, pkey_extractable, btrue = CK_TRUE;
#ifndef NO_PKEY
CK_ATTRIBUTE *ecp_attr = NULL;
- CK_BBOOL extractable, add_pkey_extractable = CK_FALSE;
+ CK_BBOOL add_pkey_extractable = CK_FALSE;
#endif
CK_RV ret;
@@ -1341,6 +1347,25 @@ CK_RV token_specific_set_attrs_for_new_object(STDLL_TokData_t *tokdata,
}
}
+ if (!ep11_data->pkey_combined_extract_supported) {
+ ret = template_attribute_get_bool(tmpl, CKA_EXTRACTABLE, &extractable);
+ if (ret != CKR_OK)
+ extractable = FALSE;
+
+ ret = template_attribute_get_bool(tmpl, CKA_IBM_PROTKEY_EXTRACTABLE,
+ &pkey_extractable);
+ if (ret != CKR_OK)
+ pkey_extractable = FALSE;
+
+ if (extractable && pkey_extractable) {
+ /* The EP11 call would return CKR_FUNCTION_CANCELED in that case */
+ TRACE_ERROR("Combined extract not supported, but CKA_EXTRACTABLE "
+ "and CKA_IBM_PROTKEY_EXTRACTABLE are both TRUE\n");
+ ret = CKR_TEMPLATE_INCONSISTENT;
+ goto done;
+ }
+ }
+
#ifndef NO_PKEY
switch (ep11_data->pkey_mode) {
case PKEY_MODE_DISABLED:
diff --git a/usr/lib/ep11_stdll/ep11_specific.h b/usr/lib/ep11_stdll/ep11_specific.h
index 16d3c719..9ba28cb8 100644
--- a/usr/lib/ep11_stdll/ep11_specific.h
+++ b/usr/lib/ep11_stdll/ep11_specific.h
@@ -585,8 +585,8 @@ CK_BBOOL ep11tok_libica_mech_available(STDLL_TokData_t *tokdata,
CK_RV ep11tok_copy_firmware_info(STDLL_TokData_t *tokdata,
CK_TOKEN_INFO_PTR pInfo);
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech);
CK_RV ep11tok_set_operation_state(STDLL_TokData_t *tokdata, SESSION *session);
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index 299a1d3c..f84d0810 100644
--- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c
@@ -2080,9 +2080,15 @@ CK_RV SC_EncryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->encr_ctx.multi_init = FALSE;
sess->encr_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part encrypt operation we don't need the
* EncryptInit, instead we can use the EncryptSingle which is much
* faster. In case of multi-part operations we are doing the EncryptInit
@@ -2179,9 +2185,16 @@ CK_RV SC_Encrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key,
+ &sess->encr_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->encr_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->encr_ctx.key, &sess->encr_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_encrypt_single(tokdata, sess, &sess->encr_ctx.mech,
length_only, sess->encr_ctx.key,
pData, ulDataLen, pEncryptedData,
@@ -2408,9 +2421,15 @@ CK_RV SC_DecryptInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->decr_ctx.multi_init = FALSE;
sess->decr_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part decrypt operation we don't need the
* DecryptInit, instead we can use the EncryptSingle which is much
* faster. In case of multi-part operations we are doing the DecryptInit
@@ -2508,9 +2527,16 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key,
+ &sess->decr_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->decr_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->decr_ctx.key, &sess->decr_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_decrypt_single(tokdata, sess, &sess->decr_ctx.mech,
length_only, sess->decr_ctx.key,
pEncryptedData, ulEncryptedDataLen,
@@ -2992,9 +3018,15 @@ CK_RV SC_SignInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->sign_ctx.multi_init = FALSE;
sess->sign_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part sign operation we don't need the SignInit,
* instead we can use the SignSingle which is much faster.
* In case of multi-part operations we are doing the SignInit when
@@ -3101,9 +3133,16 @@ CK_RV SC_Sign(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key,
+ &sess->sign_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->sign_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->sign_ctx.key, &sess->sign_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_sign_single(tokdata, sess, &sess->sign_ctx.mech,
length_only, sess->sign_ctx.key,
pData, ulDataLen, pSignature, pulSignatureLen);
@@ -3391,9 +3430,15 @@ CK_RV SC_VerifyInit(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
sess->verify_ctx.multi_init = FALSE;
sess->verify_ctx.multi = FALSE;
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(pMechanism)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, hKey, pMechanism)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
/* In case of a single part verify operation we don't need the
* VerifyInit, instead we can use the VerifySingle which is much
* faster. In case of multi-part operations we are doing the VerifyInit
@@ -3497,9 +3542,16 @@ CK_RV SC_Verify(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
goto done;
}
+ rc = ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key,
+ &sess->verify_ctx.mech);
+ if (rc != CKR_OK && rc != CKR_FUNCTION_NOT_SUPPORTED) {
+ /* CKR_FUNCTION_NOT_SUPPORTED indicates pkey support is not available,
+ but the ep11 fallback can be tried */
+ goto done;
+ }
if ((ep11tok_optimize_single_ops(tokdata) ||
ep11tok_mech_single_only(&sess->verify_ctx.mech)) &&
- !ep11tok_pkey_usage_ok(tokdata, sess, sess->verify_ctx.key, &sess->verify_ctx.mech)) {
+ rc == CKR_FUNCTION_NOT_SUPPORTED) {
rc = ep11tok_verify_single(tokdata, sess, &sess->verify_ctx.mech,
sess->verify_ctx.key, pData, ulDataLen,
pSignature, ulSignatureLen);

@ -0,0 +1,36 @@
commit 4fefcf517133260a7b63049d3a02c9249fe7776c
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Apr 15 09:31:12 2024 +0200
EP11: Fix compile error with NO_PKEY defined
Function signature of ep11tok_pkey_usage_ok() has changed, also change the
code inside the #ifdef NO_PKEY block.
Fixes: cf978b111205b206c7b3c53f424f7085913c00d0
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index b5d788bf..e9007a16 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -1460,15 +1460,15 @@ done:
}
#ifdef NO_PKEY
-CK_BBOOL ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
- CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
+CK_RV ep11tok_pkey_usage_ok(STDLL_TokData_t *tokdata, SESSION *session,
+ CK_OBJECT_HANDLE hkey, CK_MECHANISM *mech)
{
UNUSED(tokdata);
UNUSED(session);
UNUSED(hkey);
UNUSED(mech);
- return CK_FALSE;
+ return CKR_FUNCTION_NOT_SUPPORTED;
}
#endif /* NO_PKEY */

@ -0,0 +1,59 @@
commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jun 13 11:20:43 2024 +0200
COMMON: Fix errors reported by covscan
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index b7e1f78e..fc88cbad 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ /* size can not be negative if treated as signed int */
+ if (size >= 0x80000000) {
+ fclose(fp2);
+ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s "
+ "(ignoring it)\n", fname);
+ continue;
+ }
+
buf = (CK_BYTE *) malloc(size);
if (!buf) {
fclose(fp2);
diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c
index 71402700..4bc19814 100644
--- a/usr/lib/common/mech_rng.c
+++ b/usr/lib/common/mech_rng.c
@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
if (ranfd >= 0) {
do {
rlen = read(ranfd, output + totallen, bytes - totallen);
+ if (rlen <= 0) {
+ close(ranfd);
+ return CKR_FUNCTION_FAILED;
+ }
totallen += rlen;
} while (totallen < bytes);
close(ranfd);
diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c
index 04edc76f..7421d1c5 100644
--- a/usr/lib/common/pkcs_utils.c
+++ b/usr/lib/common/pkcs_utils.c
@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
if (ranfd >= 0) {
do {
rlen = read(ranfd, output + totallen, bytes - totallen);
+ if (rlen <= 0) {
+ close(ranfd);
+ return CKR_FUNCTION_FAILED;
+ }
totallen += rlen;
} while (totallen < bytes);
close(ranfd);

@ -0,0 +1,73 @@
commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jun 17 09:03:36 2024 +0200
ICSF: Fix covscan findings on potential integer overflows
Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b'
are unsigned types. In case 'b' is larger than 'a', then the subtraction
result may overflow because the result is also treated as unsigned type.
Fix this by using 'if (a > b)' instead.
Note that in the changed places 'a' is always larger or equal than 'b',
so the overflow does not happen. Still, changing the code to be less
error-prone is a good thing.
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
Suggested-by: Than Ngo <than@redhat.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c
index c3479cf8..1deb129c 100644
--- a/usr/lib/icsf_stdll/icsf.c
+++ b/usr/lib/icsf_stdll/icsf.c
@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char)
str_len = len;
memcpy(dest, orig, str_len);
- if ((len - str_len) > 0)
+ if (len > str_len)
memset(dest + str_len, ' ', len - str_len);
}
diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c
index c617f1e6..6f16ca5e 100644
--- a/usr/lib/icsf_stdll/icsf_specific.c
+++ b/usr/lib/icsf_stdll/icsf_specific.c
@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata,
goto done;
}
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
- if (input_part_len - remaining > 0)
+ if (input_part_len > remaining)
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
input_part_len - remaining);
@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata,
goto done;
}
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
- if (input_part_len - remaining > 0)
+ if (input_part_len > remaining)
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
input_part_len - remaining);
@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata,
}
memcpy(buffer, multi_part_ctx->data,
multi_part_ctx->used_data_len);
- if (out_len - multi_part_ctx->used_data_len > 0)
+ if (out_len > multi_part_ctx->used_data_len)
memcpy(buffer + multi_part_ctx->used_data_len,
(char *)in_data,
out_len - multi_part_ctx->used_data_len);
@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata,
}
memcpy(buffer, multi_part_ctx->data,
multi_part_ctx->used_data_len);
- if (out_len - multi_part_ctx->used_data_len > 0)
+ if (out_len > multi_part_ctx->used_data_len)
memcpy(buffer + multi_part_ctx->used_data_len,
(char *)in_data,
out_len - multi_part_ctx->used_data_len);

@ -0,0 +1,8 @@
# This file describes how to load the opensc module
# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
# This is a relative path, which means it will be loaded from
# the p11-kit default path which is usually $(libdir)/pkcs11.
# Doing it this way allows for packagers to package opensc for
# 32-bit and 64-bit and make them parallel installable
module: libopencryptoki.so

@ -0,0 +1,776 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.23.0
Release: 5%{?dist}
License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
Source1: opencryptoki.module
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch
# fix install problem in buildroot
Patch2: opencryptoki-3.21.0-p11sak.patch
# upstream patches
# SEC2356-backport
Patch100: opencryptoki-3.23-SEC2356-backport-01.patch
Patch101: opencryptoki-3.23-SEC2356-backport-02.patch
Patch102: opencryptoki-3.23-SEC2356-backport-03.patch
Patch103: opencryptoki-3.23-SEC2356-backport-04.patch
Patch104: opencryptoki-3.23-SEC2356-backport-05.patch
Patch105: opencryptoki-3.23-SEC2356-backport-06.patch
Patch106: opencryptoki-3.23-SEC2356-backport-07.patch
Patch107: opencryptoki-3.23-SEC2356-backport-08.patch
Patch108: opencryptoki-3.23-SEC2356-backport-09.patch
Patch109: opencryptoki-3.23-covcan-part1.patch
Patch110: opencryptoki-3.23-covcan-part2.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: openssl-devel >= 1.1.1
%if 0%{?tmptok}
BuildRequires: trousers-devel
%endif
BuildRequires: openldap-devel
BuildRequires: autoconf automake libtool
BuildRequires: bison flex
BuildRequires: libcap-devel
BuildRequires: expect
BuildRequires: make
BuildRequires: systemd-rpm-macros
%ifarch s390 s390x
BuildRequires: libica-devel >= 2.3
# for /usr/include/libudev.h
BuildRequires: systemd-devel
%endif
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}(token)
Requires(post): systemd diffutils
Requires(preun): systemd
Requires(postun): systemd
%description
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the Slot Daemon (pkcsslotd) and general utilities.
%package libs
Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils
%description libs
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package contains the PKCS#11 library implementation, and requires
at least one token implementation (packaged separately) to be fully
functional.
%package devel
Summary: Development files for openCryptoki
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description devel
This package contains the development header files for building
opencryptoki and PKCS#11 based applications
%package swtok
Summary: The software token implementation for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description swtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the software token implementation to use opencryptoki
without any specific cryptographic hardware.
%package tpmtok
Summary: Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description tpmtok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
Trusted Platform Module (TPM) devices in the opencryptoki stack.
%package icsftok
Summary: ICSF token support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icsftok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support
ICSF token in the opencryptoki stack.
%ifarch s390 s390x
%package icatok
Summary: ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description icatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support ICA
devices in the opencryptoki stack. ICA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path.
%package ccatok
Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ccatok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support CCA
devices in the opencryptoki stack. CCA is an interface to IBM
cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path.
%package ep11tok
Summary: EP11 cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: %{name}(token)
%description ep11tok
Opencryptoki implements the PKCS#11 specification v2.20 for a set of
cryptographic hardware, such as IBM 4764 and 4765 crypto cards, and the
Trusted Platform Module (TPM) chip. Opencryptoki also brings a software
token implementation that can be used without any cryptographic
hardware.
This package brings the necessary libraries and files to support EP11
tokens in the opencryptoki stack. The EP11 token is a token that uses
the IBM Crypto Express adapters (starting with Crypto Express 4S adapters)
configured with Enterprise PKCS#11 (EP11) firmware.
%endif
%prep
%autosetup -p1
%build
./bootstrap.sh
%configure --with-systemd=%{_unitdir} --enable-testcases \
--with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
%if 0%{?tpmtok}
--enable-tpmtok \
%else
--disable-tpmtok \
%endif
%ifarch s390 s390x
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
%endif
%make_build CHGRP=/bin/true
%install
%make_install CHGRP=/bin/true
%pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion
# backup config file. bz#2044179
%global cfile /etc/opencryptoki/opencryptoki.conf
%global csuffix .rpmsave.XyoP
if test $1 -gt 1 && test -f %{cfile} ; then
cp -p %{cfile} %{cfile}%{csuffix}
fi
%pre libs
getent group pkcs11 >/dev/null || groupadd -r pkcs11
getent passwd pkcsslotd >/dev/null || useradd -r -g pkcs11 -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" pkcsslotd
exit 0
%post
# restore the config file from %pre
if test $1 -gt 1 && test -f %{cfile} ; then
if ( ! cmp -s %{cfile} %{cfile}%{csuffix} ) ; then
cp -p %{cfile} %{cfile}.rpmnew
fi
cp -p %{cfile}%{csuffix} %{cfile} && rm -f %{cfile}%{csuffix}
fi
%systemd_post pkcsslotd.service
if test $1 -eq 1; then
%tmpfiles_create %{name}.conf
fi
%preun
%systemd_preun pkcsslotd.service
%postun
%systemd_postun_with_restart pkcsslotd.service
%files
%doc ChangeLog FAQ README.md
%doc doc/opencryptoki-howto.md
%doc doc/README.token_data
%doc %{_docdir}/%{name}/*.conf
%dir %{_sysconfdir}/%{name}
%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/p11sak_defined_attrs.conf
%attr(0640, root, pkcs11) %config(noreplace) %{_sysconfdir}/%{name}/strength.conf
%{_tmpfilesdir}/%{name}.conf
%{_unitdir}/pkcsslotd.service
%{_sbindir}/p11sak
%{_sbindir}/pkcstok_migrate
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsstats
%{_sbindir}/pkcshsm_mk_change
%{_mandir}/man1/p11sak.1*
%{_mandir}/man1/pkcstok_migrate.1*
%{_mandir}/man1/pkcsconf.1*
%{_mandir}/man1/pkcsstats.1*
%{_mandir}/man1/pkcshsm_mk_change.1*
%{_mandir}/man5/policy.conf.5*
%{_mandir}/man5/strength.conf.5*
%{_mandir}/man5/%{name}.conf.5*
%{_mandir}/man5/p11sak_defined_attrs.conf.5*
%{_mandir}/man7/%{name}.7*
%{_mandir}/man8/pkcsslotd.8*
%{_libdir}/opencryptoki/methods
%{_libdir}/pkcs11/methods
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/HSM_MK_CHANGE
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}
%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/*
%dir %attr(710,pkcsslotd,pkcs11) /run/%{name}
%files libs
%license LICENSE
%{_sysconfdir}/ld.so.conf.d/*
# Unversioned .so symlinks usually belong to -devel packages, but opencryptoki
# needs them in the main package, because:
# documentation suggests that programs should dlopen "PKCS11_API.so".
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/libopencryptoki.*
%{_libdir}/opencryptoki/PKCS11_API.so
%dir %{_libdir}/opencryptoki/stdll
%dir %{_libdir}/pkcs11
%{_libdir}/pkcs11/libopencryptoki.so
%{_libdir}/pkcs11/PKCS11_API.so
%{_libdir}/pkcs11/stdll
%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki
%files devel
%{_includedir}/%{name}/
%{_libdir}/pkgconfig/%{name}.pc
%files swtok
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
%{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%if 0%{?tmptok}
%files tpmtok
%doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%endif
%files icsftok
%doc doc/README.icsf_stdll
%{_sbindir}/pkcsicsf
%{_mandir}/man1/pkcsicsf.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/icsf/
%ifarch s390 s390x
%files icatok
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.*
%{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/
%files ccatok
%doc doc/README.cca_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf
%{_sbindir}/pkcscca
%{_mandir}/man1/pkcscca.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
%{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ccatok/TOK_OBJ/
%files ep11tok
%doc doc/README.ep11_stdll
%config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf
%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf
%{_sbindir}/pkcsep11_migrate
%{_sbindir}/pkcsep11_session
%{_mandir}/man1/pkcsep11_migrate.1*
%{_mandir}/man1/pkcsep11_session.1*
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.*
%{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/TOK_OBJ/
%endif
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.23.0-5
- Bump release for June 2024 mass rebuild
* Tue Jun 18 2024 Than Ngo <than@redhat.com> - 3.23.0-4
- Resolves: RHEL-42492, SAST
* Wed May 22 2024 Than Ngo <than@redhat.com> - 3.23.0-3
- Related: RHEL-24038, backport - ep11 token: support protected keys for extractable keys
* Tue Apr 16 2024 Than Ngo <than@redhat.com> - 3.23.0-2
- enable gating tests
Resolves: RHEL-24037, RHEL-24038
* Wed Feb 07 2024 Than Ngo <than@redhat.com> - 3.23.0-1
- 3.23.0
* EP11: Add support for FIPS-session mode
* Updates to harden against RSA timing attacks
* Bug fixes
* Tue Jan 30 2024 Dan Horák <dan[at]danny.cz> - 3.22.0-4
- fix all errors and warnings (rhbz#2261419)
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.22.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Sep 21 2023 Than Ngo <than@redhat.com> - 3.22.0-1
- update to 3.22.0
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 17 2023 Than Ngo <than@redhat.com> - 3.21.0-5
- p11sak tool: slot option does not accept argument 0 for slot index 0
- p11sak fails as soon as there reside non-key objects
* Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4
- add verify attributes for opencryptoki.conf to ignore the
verification
* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
- drop p11_kit_support
- fix handling of user name
- fix user confirmation prompt behavior when stdin is closed
* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
- update to 3.21.0
* Tue Feb 14 2023 Than Ngo <than@redhat.com> - 3.20.0-2
- migrated to SPDX license
* Mon Feb 13 2023 Than Ngo <than@redhat.com> - 3.20.0-1
- update to 3.20.0
- drop unnecessary opencryptoki-3.11.0-group.patch
* Wed Feb 08 2023 Than Ngo <than@redhat.com> - 3.19.0-3
- Add support of ep11 token for new IBM Z Hardware (IBM z16)
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.19.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
- update to 3.19.0
* Wed Sep 14 2022 Florian Weimer <fweimer@redhat.com> - 3.18.0-5
- Add missing build dependency on systemd-rpm-macros
* Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-4
- fix json output
- do not touch opencryptoki.conf if it is in place already and even if it is unchanged
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.18.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
- add missing strength.conf
* Mon May 02 2022 Than Ngo <than@redhat.com> - 3.18.0-1
- 3.18.0
* Wed Apr 20 2022 Dan Horák <dan[at]danny.cz> - 3.17.0-7
- fix initialization (#2075851, #2074587)
* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-6
- add tokversion
* Wed Apr 06 2022 Than Ngo <than@redhat.com> - 3.17.0-5
- upstream fixes - openssl cleanup for opencryptoki, Avoid deadlock when stopping event thread
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.17.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Nov 25 2021 Than Ngo <than@redhat.com> - 3.17.0-3
- fix covscan issues
* Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2
- add missing config file p11sak_defined_attrs.conf
* Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1
- rebase to 3.17.0
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.16.0-5
- Rebuilt with OpenSSL 3.0.0
* Fri Sep 03 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
- Resolves: #1974365, Fix detection if pkcsslotd is still running
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.16.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jun 30 2021 Than Ngo <than@redhat.com> - 3.16.0-2
- Added Event Notification Support
- Added conditional requirement on selinux-policy >= 34.10-1
- pkcsslotd PIDfile below legacy directory
- Added BR on systemd-devel
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
- Rebase to 3.16.0
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Added upstream patch, a slot ID has nothing to do with the number of slots
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Drop tpm1.2 support by default
* Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Fix compiling with c++
- Added error message handling for p11sak remove-key command
- Add BR on make
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Rebase to 3.15.1
* Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
- Rebase to 3.15.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- added PIN conversion tool
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
- upstream fix - handle early error cases in C_Initialize
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
- fix regression, segfault in C_SetPin
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
- Rebase to 3.14.0
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
- Rebase to 3.13.0
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
- fix build with gcc 10
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
- Rebase to 3.12.1
* Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
- Rebase to 3.12.0
* Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
- Rebase to 3.11.1
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
- enable testcase by default
- fix URL
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
- Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
- Updated to 3.11.0
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
- Ported root's group membership's patch for 3.11.0
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0
* Fri Feb 23 2018 Dan Horák <dan[at]danny.cz> - 3.9.0-1
- Rebase to 3.9.0
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Fri Nov 24 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-2
- use upstream tmpfiles config
* Thu Nov 23 2017 Dan Horák <dan[at]danny.cz> - 3.8.2-1
- Rebase to 3.8.2 (#1512678)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed May 17 2017 Sinny Kumari <sinny@redhat.com> - 3.7.0-1
- Rebase to 3.7.0
- Added libitm-devel as BuildRequires
* Mon Apr 03 2017 Sinny Kumari <sinny@redhat.com> - 3.6.2-1
- Rebase to 3.6.2
- RHBZ#1424017 - opencryptoki: FTBFS in rawhide
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Sep 01 2016 Jakub Jelen <jjelen@redhat.com> - 3.5.1-1
- New upstream release
* Tue May 03 2016 Jakub Jelen <jjelen@redhat.com> - 3.5-1
- New upstream release
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Dec 07 2015 Jakub Jelen <jjelen@redhat.com> 3.4.1-1
- New bugfix upstream release
* Wed Nov 18 2015 Jakub Jelen <jjelen@redhat.com> 3.4-1
- New upstream release
- Adding post-release patch fixing compile warnings
* Thu Aug 27 2015 Jakub Jelen <jjelen@redhat.com> 3.3-1.1
- New upstream release
- Correct dependencies for group creation
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 07 2015 Jakub Jelen <jjelen@redhat.com> 3.2-3
- Few more undefined symbols fixed for s390(x) specific targets
- Do not require --no-undefined, because s390(x) requires some
* Mon May 04 2015 Jakub Jelen <jjelen@redhat.com> 3.2-2
- Fix missing sources and libraries in makefiles causing undefined symbols (#1193560)
- Make inline function compatible for GCC5
* Wed Sep 10 2014 Petr Lautrbach <plautrba@redhat.com> 3.2-1
- new upstream release 3.2
- add new sub-package opencryptoki-ep11tok on s390x
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Thu Jul 24 2014 Petr Lautrbach <plautrba@redhat.com> 3.1-1
- new upstream release 3.1
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Mon Feb 17 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-10
- create the right lock directory for cca tokens (#1054442)
* Wed Jan 29 2014 Petr Lautrbach <plautrba@redhat.com> 3.0-9
- use Requires(pre): opencryptoki-libs for subpackages
* Mon Jan 20 2014 Dan Horák <dan[at]danny.cz> - 3.0-8
- include token specific directories (#1013017, #1045775, #1054442)
- fix pkcsconf crash for non-root users (#10054661)
- the libs subpackage must care of creating the pkcs11 group, it's the first to be installed
* Tue Dec 03 2013 Dan Horák <dan[at]danny.cz> - 3.0-7
- fix build with -Werror=format-security (#1037228)
* Fri Nov 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-6
- apply post-3.0 fixes (#1033284)
* Tue Nov 19 2013 Dan Horák <dan[at]danny.cz> - 3.0-5
- update opencryptoki man page (#1001729)
* Fri Aug 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-4
- update unit file (#995002)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Tue Jul 23 2013 Dan Horák <dan[at]danny.cz> - 3.0-2
- update pkcsconf man page (#948460)
* Mon Jul 22 2013 Dan Horák <dan[at]danny.cz> - 3.0-1
- new upstream release 3.0
* Tue Jun 25 2013 Dan Horák <dan[at]danny.cz> - 2.4.3.1-1
- new upstream release 2.4.3.1
* Fri May 03 2013 Dan Horák <dan[at]danny.cz> - 2.4.3-1
- new upstream release 2.4.3
* Thu Apr 04 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-4
- enable hardened build
- switch to systemd macros in scriptlets (#850240)
* Mon Jan 28 2013 Dan Horák <dan[at]danny.cz> - 2.4.2-3
- add virtual opencryptoki(token) Provides to token modules and as Requires
to main package (#904986)
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jun 21 2012 Dan Horák <dan[at]danny.cz> - 2.4.2-1
- new upstream release 2.4.2
- add pkcs_slot man page
- don't add root to the pkcs11 group
* Mon Jun 11 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-2
- fix unresolved symbols in TPM module (#830129)
* Sat Feb 25 2012 Dan Horák <dan[at]danny.cz> - 2.4.1-1
- new upstream release 2.4.1
- convert from initscript to systemd unit
- import fixes from RHEL-6 about root's group membership (#732756, #730903)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Jul 07 2011 Dan Horák <dan[at]danny.cz> - 2.4-1
- new upstream release 2.4
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 17 2011 Dan Horák <dan[at]danny.cz> 2.3.3-1
- new upstream release 2.3.3
* Tue Nov 09 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.2-2
- Apply Obsoletes to package names, not provides.
* Tue Sep 14 2010 Dan Horák <dan[at]danny.cz> 2.3.2-1
- new upstream release 2.3.2
- put STDLLs in separate packages to match upstream package design
* Thu Jul 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-7
- Move the LICENSE file to the -libs subpackage.
* Tue Jun 29 2010 Dan Horák <dan[at]danny.cz> 2.3.1-6
- rebuilt with CCA enabled (#604287)
- fixed issues from #546274
* Fri Apr 30 2010 Dan Horák <dan[at]danny.cz> 2.3.1-5
- fixed one more issue in the initscript (#547324)
* Mon Apr 26 2010 Dan Horák <dan[at]danny.cz> 2.3.1-4
- fixed pidfile creating and usage (#547324)
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-3
- Also list 'reload' and 'force-reload' in "Usage: ...".
* Mon Feb 08 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-2
- Support 'force-reload' in the initscript.
* Wed Jan 27 2010 Michal Schmidt <mschmidt@redhat.com> 2.3.1-1
- New upstream release 2.3.1.
- opencryptoki-2.3.0-fix-nss-breakage.patch was merged.
* Fri Jan 22 2010 Dan Horák <dan[at]danny.cz> 2.3.0-5
- made pkcsslotd initscript LSB compliant (#522149)
* Mon Sep 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-4
- Added opencryptoki-2.3.0-fix-nss-breakage.patch on upstream request.
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.3.0-3
- rebuilt with new openssl
* Sun Aug 16 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-2
- Require libica-2.0.
* Fri Aug 07 2009 Michal Schmidt <mschmidt@redhat.com> 2.3.0-1
- New upstream release 2.3.0:
- adds support for RSA 4096 bit keys in the ICA token.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-5
- Require arch-specific dependency on -libs.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-4
- Return support for crypto hw on s390.
- Renamed to opencryptoki.
- Simplified multilib by putting libs in subpackage as suggested by Dan Horák.
* Tue Jul 21 2009 Michal Schmidt <mschmidt@redhat.com> - 2.2.8-2
- Fedora package based on RHEL-5 package.
Loading…
Cancel
Save