rpms
/
opencryptoki
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:i8c-beta
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:i9c
rpms:c9
..
compare: rpms:c9
Branches Tags
rpms:i10cs
rpms:cs10
rpms:i9c-beta
rpms:c9-beta
rpms:i8c
rpms:c8
rpms:i8c-beta
rpms:c8-beta
rpms:i9c
rpms:c9

No commits in common. 'i8c-beta' and 'c9' have entirely different histories.
i8c-beta ... c9

13 changed files with 508 additions and 290 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/opencryptoki-3.22.0.tar.gz SOURCES/opencryptoki-3.21.0.tar.gz

2
.opencryptoki.metadata
Unescape View File

@ -1 +1 @@
4618b82afde56a8177e888c26d336c6f521bed8a SOURCES/opencryptoki-3.22.0.tar.gz 4a0f2ed8f965a948057ab833f1fafabf58929d3f SOURCES/opencryptoki-3.21.0.tar.gz

27
SOURCES/opencryptoki-3.21-sandboxing.patch
Unescape View File

@ -1,27 +0,0 @@
diff -up opencryptoki-3.21.0/misc/pkcsslotd.service.in.me opencryptoki-3.21.0/misc/pkcsslotd.service.in
--- opencryptoki-3.21.0/misc/pkcsslotd.service.in.me 2023-05-16 20:50:08.128841932 +0200
+++ opencryptoki-3.21.0/misc/pkcsslotd.service.in 2023-05-16 21:19:35.208570589 +0200
@@ -22,17 +22,17 @@ PrivateUsers=no
PrivateNetwork=no
RestrictAddressFamilies=AF_UNIX AF_NETLINK
IPAddressDeny=any
-ProtectClock=yes
+#ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
-ProtectKernelLogs=yes
+#ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHome=yes
-ProtectHostname=yes
-ProtectProc=default
+#ProtectHostname=yes
+#ProtectProc=default
ProtectSystem=strict
-ReadWritePaths=@localstatedir@
-ProcSubset=all
+ReadWritePaths=@localstatedir@ /run
+#ProcSubset=all
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes

34
SOURCES/opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
Unescape View File

@ -0,0 +1,34 @@
commit 2ba0f41ef5e14d4b509c8854e27cf98e3ee89445
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 10 13:22:48 2023 +0200
p11sak: Fix parsing of slot number 0
Running command 'p11sak list-key aes --slot 0' may result in
'p11sak: Invalid argument '0' for option '-s/--slot''
This is because of the error checking after strtoul() within function
process_number_argument(). In case errno is not zero, it treats a
parsed value of zero as an error.
Under certain circumstances, errno is non-zero already before calling
strtoul(), and stays non-zero in case of strtoul() succeeds. This leads to
an incorrect error checking, and it is treated as error.
Initialize errno to zero before calling strtoul() to avoid such false error
detection.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index 6e11cb41..38665bbd 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -1712,6 +1712,7 @@ static CK_RV process_number_argument(const struct p11sak_arg *arg, char *val)
{
char *endptr;
+ errno = 0;
*arg->value.number = strtoul(val, &endptr, 0);
if ((errno == ERANGE && *arg->value.number == ULONG_MAX) ||

52
SOURCES/opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
Unescape View File

@ -0,0 +1,52 @@
commit 4ff774568e334a719fc8de16fe2309e2070f0da8
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 11:40:01 2023 +0200
p11sak: Fix user confirmation prompt behavior when stdin is closed
Treat any error during user confirmation prompt as 'cancel' and skip all
operations.
One can for example close stdin during a user prompt via CTRL+D. This was
erroneously treated as positive confirmation and therefore caused the
operation to be performed on the current key object and all further objects
matching the filter as well, instead of canceling the operation entirely.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index d75d8343..5b54b538 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -4736,6 +4736,7 @@ static CK_RV handle_key_remove(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4825,6 +4826,7 @@ static CK_RV handle_key_set_attr(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -4974,6 +4976,7 @@ static CK_RV handle_key_copy(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;
@@ -6983,6 +6986,7 @@ static CK_RV handle_key_export(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS class,
data->num_skipped++;
return CKR_OK;
case 'c':
+ case '\0':
data->skip_all = true;
data->num_skipped++;
return CKR_OK;

96
SOURCES/opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
Unescape View File

@ -0,0 +1,96 @@
commit 92999f344a3ad99a67a1bcfd9ad28f28c33e51bc
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jul 10 10:19:13 2023 +0200
p11sak: Fix listing of key objects when other object types are present
A command like 'p11sak list-key all --slot N ...' fails with
p11sak: Attribute CKA_KEY_TYPE is not available in key object
p11sak: Failed to iterate over key objects for key type All: 0xD0: CKR_TEMPLATE_INCOMPLETE
p11sak: Failed to perform the 'list-key' command: CKR_TEMPLATE_INCOMPLETE
when the object repository contains other, non-key objects, e.g. certificates.
When 'all' is used as key type, then no filter for CKA_KEY_TYPE is used
with C_FindObjects(), and thus other non-key objects also match the filter.
When a specific key type is specified, then only such objects match that
have the desired CKA_KEY_TYPE attribute value.
Fix this by checking the object class in get_key_infos() and skip the object,
if it is not a key object.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/p11sak/p11sak.c b/usr/sbin/p11sak/p11sak.c
index a6213720..6e11cb41 100644
--- a/usr/sbin/p11sak/p11sak.c
+++ b/usr/sbin/p11sak/p11sak.c
@@ -3403,6 +3403,16 @@ static CK_RV get_key_infos(CK_OBJECT_HANDLE key, CK_OBJECT_CLASS *class,
}
}
+ switch (class_val) {
+ case CKO_PUBLIC_KEY:
+ case CKO_PRIVATE_KEY:
+ case CKO_SECRET_KEY:
+ break;
+ default:
+ free(attrs[0].pValue);
+ return CKR_KEY_NEEDED;
+ }
+
for (i = 0; i < num_attrs; i++) {
if (attrs[i].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
warnx("Attribute %s is not available in key object",
@@ -3614,6 +3624,10 @@ static CK_RV iterate_key_objects(const struct p11sak_keytype *keytype,
if (manual_filtering) {
rc = get_key_infos(keys[i], NULL, NULL, NULL, &label,
NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ goto next;
+ }
if (rc != CKR_OK)
break;
@@ -3672,6 +3686,10 @@ done_find:
for (i = 0; i < num_matched_keys; i++) {
rc = get_key_infos(matched_keys[i], &class, &ktype, &keysize,
&label, &typestr, &type);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ goto next2;
+ }
if (rc != CKR_OK)
break;
@@ -3680,6 +3698,7 @@ done_find:
if (rc != CKR_OK)
break;
+next2:
if (label != NULL)
free(label);
label = NULL;
@@ -4480,10 +4499,20 @@ static CK_RV p11sak_list_key_compare(CK_OBJECT_HANDLE key1,
*result = 0;
rc = get_key_infos(key1, &class1, &ktype1, &keysize1, &label1, NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ *result = 1; /* non-key objects are always greater than key objects */
+ goto done;
+ }
if (rc != CKR_OK)
goto done;
rc = get_key_infos(key2, &class2, &ktype2, &keysize2, &label2, NULL, NULL);
+ if (rc == CKR_KEY_NEEDED) {
+ rc = CKR_OK;
+ *result = -1; /* key objects are always smaller than non-key objects */
+ goto done;
+ }
if (rc != CKR_OK)
goto done;

84
SOURCES/opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
Unescape View File

@ -0,0 +1,84 @@
commit f4166214552a92d8d66de8011ab11c9c2c6bb0a4
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon May 22 13:31:21 2023 +0200
pkcsstats: Fix handling of user name
The struct passwd returned by getpwuid() is a pointer to a static area, that
may get overwritten by subsequent calls to getpwuid() or similar.
Actually, C_Initialize() itself is using getpwuid() internally, and thus will
interfere with the getpwuid() usage in pkcsstats.
Make a copy of the returned user name before calling C_Initialize() in
init_ock() to ensure to work with the desired user name, and not with anything
left over from previous calls.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
index c2444cf5..a842a295 100644
--- a/usr/sbin/pkcsstats/pkcsstats.c
+++ b/usr/sbin/pkcsstats/pkcsstats.c
@@ -783,6 +783,7 @@ int main(int argc, char **argv)
int opt = 0;
struct passwd *pswd = NULL;
int user_id = -1;
+ char *user_name = NULL;
bool summary = false, all_users = false, all_mechs = false;
bool reset = false, reset_all = false;
bool delete = false, delete_all = false;
@@ -903,19 +904,27 @@ int main(int argc, char **argv)
}
}
+ user_name = strdup(pswd->pw_name);
+ if (user_name == NULL) {
+ warnx("Failed to get current user name");
+ exit(EXIT_FAILURE);
+ }
+
if (delete) {
if (slot_id_specified) {
warnx("Options -s/--slot and -d/--delete can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
- rc = delete_shm(user_id, pswd->pw_name);
+ rc = delete_shm(user_id, user_name);
goto done;
}
if (delete_all) {
if (slot_id_specified) {
warnx("Options -s/--slot and -D/--delete-all can not be specified together");
+ free(user_name);
exit(EXIT_FAILURE);
}
@@ -932,7 +941,7 @@ int main(int argc, char **argv)
goto done;
if (reset) {
- rc = reset_shm(user_id, pswd->pw_name, num_slots, slots,
+ rc = reset_shm(user_id, user_name, num_slots, slots,
slot_id_specified, slot_id);
goto done;
}
@@ -968,7 +977,7 @@ int main(int argc, char **argv)
rc = display_summary(&dd);
goto done;
} else {
- rc = display_stats(user_id, pswd->pw_name, &dd);
+ rc = display_stats(user_id, user_name, &dd);
goto done;
}
@@ -984,5 +993,7 @@ done:
dlclose(dll);
}
+ free(user_name);
+
return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}

2
SOURCES/opencryptoki-CVE-2024-0914-part1.patch → SOURCES/opencryptoki-v3.21.0-CVE-2024-0914-part01.patch
Unescape View File

@ -1,4 +1,4 @@
commit f931d6e47bf2fb26aa9cf52e231d13edc1c837a1 commit 47c55113f81794408a0afda2e19e1a5aa40d2212
Author: Ingo Franzki <ifranzki@linux.ibm.com> Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Dec 12 17:16:56 2023 +0100 Date: Tue Dec 12 17:16:56 2023 +0100

28
SOURCES/opencryptoki-CVE-2024-0914-part3.patch → SOURCES/opencryptoki-v3.21.0-CVE-2024-0914-part02.patch
Unescape View File

@ -1,4 +1,4 @@
commit e2b496f58a84c2f537667655fe08a0d4923f0c70 commit 2fb51b9e4d390f889c109e1765c3284b5d6f5fb8
Author: Ingo Franzki <ifranzki@linux.ibm.com> Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Jan 12 09:36:27 2024 +0100 Date: Fri Jan 12 09:36:27 2024 +0100
@ -119,10 +119,10 @@ index 8a1e8723..bbb0f601 100644
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx); decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
} }
diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
index 073b349f..6d08b95e 100644 index df1f68f9..42793955 100644
--- a/usr/lib/ep11_stdll/ep11_specific.c --- a/usr/lib/ep11_stdll/ep11_specific.c
+++ b/usr/lib/ep11_stdll/ep11_specific.c +++ b/usr/lib/ep11_stdll/ep11_specific.c
@@ -9552,10 +9552,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session, @@ -10777,10 +10777,12 @@ CK_RV ep11tok_decrypt_final(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK), rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session), ep11_error_to_pkcs11_error(rc, session),
rc); rc);
@ -139,7 +139,7 @@ index 073b349f..6d08b95e 100644
} }
done: done:
@@ -9611,10 +9613,12 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session, @@ -10836,10 +10838,12 @@ CK_RV ep11tok_decrypt(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK), rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session), ep11_error_to_pkcs11_error(rc, session),
rc); rc);
@ -156,7 +156,7 @@ index 073b349f..6d08b95e 100644
} }
done: done:
@@ -9676,10 +9680,12 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session, @@ -10901,10 +10905,12 @@ CK_RV ep11tok_decrypt_update(STDLL_TokData_t * tokdata, SESSION * session,
rc = constant_time_select(constant_time_eq(rc, CKR_OK), rc = constant_time_select(constant_time_eq(rc, CKR_OK),
ep11_error_to_pkcs11_error(rc, session), ep11_error_to_pkcs11_error(rc, session),
rc); rc);
@ -174,10 +174,10 @@ index 073b349f..6d08b95e 100644
done: done:
diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c diff --git a/usr/lib/ep11_stdll/new_host.c b/usr/lib/ep11_stdll/new_host.c
index 55e34c18..299a1d3c 100644 index ce18f729..f7ee0546 100644
--- a/usr/lib/ep11_stdll/new_host.c --- a/usr/lib/ep11_stdll/new_host.c
+++ b/usr/lib/ep11_stdll/new_host.c +++ b/usr/lib/ep11_stdll/new_host.c
@@ -38,6 +38,7 @@ @@ -37,6 +37,7 @@
#include "slotmgr.h" #include "slotmgr.h"
#include "attributes.h" #include "attributes.h"
#include "ep11_specific.h" #include "ep11_specific.h"
@ -185,7 +185,7 @@ index 55e34c18..299a1d3c 100644
#include "../api/apiproto.h" #include "../api/apiproto.h"
#include "../api/policy.h" #include "../api/policy.h"
@@ -2466,6 +2467,7 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2465,6 +2466,7 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL; SESSION *sess = NULL;
CK_BBOOL length_only = FALSE; CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK; CK_RV rc = CKR_OK;
@ -193,7 +193,7 @@ index 55e34c18..299a1d3c 100644
if (tokdata->initialized == FALSE) { if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED)); TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2513,17 +2515,29 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2512,17 +2514,29 @@ CK_RV SC_Decrypt(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
length_only, sess->decr_ctx.key, length_only, sess->decr_ctx.key,
pEncryptedData, ulEncryptedDataLen, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen); pData, pulDataLen);
@ -226,7 +226,7 @@ index 55e34c18..299a1d3c 100644
if (sess) if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx); decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
} }
@@ -2545,6 +2559,7 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2544,6 +2558,7 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
{ {
SESSION *sess = NULL; SESSION *sess = NULL;
CK_RV rc = CKR_OK; CK_RV rc = CKR_OK;
@ -234,7 +234,7 @@ index 55e34c18..299a1d3c 100644
if (tokdata->initialized == FALSE) { if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED)); TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2596,11 +2611,18 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2595,11 +2610,18 @@ CK_RV SC_DecryptUpdate(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
rc = ep11tok_decrypt_update(tokdata, sess, pEncryptedPart, rc = ep11tok_decrypt_update(tokdata, sess, pEncryptedPart,
ulEncryptedPartLen, pPart, pulPartLen); ulEncryptedPartLen, pPart, pulPartLen);
@ -255,7 +255,7 @@ index 55e34c18..299a1d3c 100644
if (sess) if (sess)
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx); decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
} }
@@ -2622,6 +2644,7 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2621,6 +2643,7 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
SESSION *sess = NULL; SESSION *sess = NULL;
CK_BBOOL length_only = FALSE; CK_BBOOL length_only = FALSE;
CK_RV rc = CKR_OK; CK_RV rc = CKR_OK;
@ -263,7 +263,7 @@ index 55e34c18..299a1d3c 100644
if (tokdata->initialized == FALSE) { if (tokdata->initialized == FALSE) {
TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED)); TRACE_ERROR("%s\n", ock_err(ERR_CRYPTOKI_NOT_INITIALIZED));
@@ -2670,10 +2693,18 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession, @@ -2669,10 +2692,18 @@ CK_RV SC_DecryptFinal(STDLL_TokData_t *tokdata, ST_SESSION_HANDLE *sSession,
} }
rc = ep11tok_decrypt_final(tokdata, sess, pLastPart, pulLastPartLen); rc = ep11tok_decrypt_final(tokdata, sess, pLastPart, pulLastPartLen);
@ -285,7 +285,7 @@ index 55e34c18..299a1d3c 100644
decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx); decr_mgr_cleanup(tokdata, sess, &sess->decr_ctx);
} }
diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c diff --git a/usr/lib/icsf_stdll/new_host.c b/usr/lib/icsf_stdll/new_host.c
index 6c419750..d8064559 100644 index 115fd40b..192fe128 100644
--- a/usr/lib/icsf_stdll/new_host.c --- a/usr/lib/icsf_stdll/new_host.c
+++ b/usr/lib/icsf_stdll/new_host.c +++ b/usr/lib/icsf_stdll/new_host.c
@@ -35,6 +35,8 @@ @@ -35,6 +35,8 @@

4
SOURCES/opencryptoki-CVE-2024-0914-part2.patch → SOURCES/opencryptoki-v3.21.0-CVE-2024-0914-part03.patch
Unescape View File

@ -1,4 +1,4 @@
commit 5f1a4f8641306ee192b70c8a32c9ee8a0fe9be5f commit 034d70ec4cfde81ea71cf8acbe9097fa15e49a02
Author: Ingo Franzki <ifranzki@linux.ibm.com> Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jan 15 12:53:37 2024 +0100 Date: Mon Jan 15 12:53:37 2024 +0100
@ -51,7 +51,7 @@ index 2bb3dffe..21b6b702 100644
* The OpenSSL code is licensed under the Apache License 2.0 (the "License"). * The OpenSSL code is licensed under the Apache License 2.0 (the "License").
* You can obtain a copy in the file LICENSE in the OpenSSL source distribution * You can obtain a copy in the file LICENSE in the OpenSSL source distribution
diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h diff --git a/usr/lib/common/h_extern.h b/usr/lib/common/h_extern.h
index a88b57d0..29496d99 100644 index a14542fa..a6ee4c33 100644
--- a/usr/lib/common/h_extern.h --- a/usr/lib/common/h_extern.h
+++ b/usr/lib/common/h_extern.h +++ b/usr/lib/common/h_extern.h
@@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata, @@ -731,7 +731,8 @@ CK_RV rsa_format_block(STDLL_TokData_t *tokdata,

4
SOURCES/opencryptoki-CVE-2024-0914-part4.patch → SOURCES/opencryptoki-v3.21.0-CVE-2024-0914-part04.patch
Unescape View File

@ -1,4 +1,4 @@
commit 7d064610937cdfb3cf8976adbb7eec6be3ea9d9f commit bc06acfb6c5e7a0fb4a384084b04404414360eaa
Author: Ingo Franzki <ifranzki@linux.ibm.com> Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Tue Jan 16 10:01:20 2024 +0100 Date: Tue Jan 16 10:01:20 2024 +0100
@ -829,7 +829,7 @@ index 7ed70262..6281d982 100644
+ }, + },
+}; +};
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
index 2c9984d0..c092110e 100644 index d9f4ebaf..cb7bf491 100644
--- a/testcases/crypto/rsa_func.c --- a/testcases/crypto/rsa_func.c
+++ b/testcases/crypto/rsa_func.c +++ b/testcases/crypto/rsa_func.c
@@ -1963,6 +1963,164 @@ testcase_cleanup: @@ -1963,6 +1963,164 @@ testcase_cleanup:

2
SOURCES/opencryptoki-CVE-2024-0914-part5.patch → SOURCES/opencryptoki-v3.21.0-CVE-2024-0914-part05.patch
Unescape View File

@ -1,4 +1,4 @@
commit d756ba1ec270a289950e66398c7e8be59c4a594d commit c859ed40828bf808e83a3f437c2e34c9c843a4c3
Author: Ingo Franzki <ifranzki@linux.ibm.com> Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri Feb 9 14:07:34 2024 +0100 Date: Fri Feb 9 14:07:34 2024 +0100

407
SPECS/opencryptoki.spec
Unescape View File

@ -1,33 +1,40 @@
Name: opencryptoki Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.22.0 Version: 3.21.0
Release: 3%{?dist} Release: 9%{?dist}
License: CPL License: CPL
Group: System Environment/Base
URL: https://github.com/opencryptoki/opencryptoki URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
Patch1: opencryptoki-3.11.0-lockdir.patch Patch1: opencryptoki-3.11.0-lockdir.patch
# add missing p11sak_defined_attrs.conf # add missing p11sak_defined_attrs.conf, strength.conf
Patch2: opencryptoki-3.21.0-p11sak.patch Patch2: opencryptoki-3.21.0-p11sak.patch
# comment some unsupported sandbox options and add /run to ReadWritePaths to exclude
# /run directory from being made read-only on rhel8
Patch3: opencryptoki-3.21-sandboxing.patch
# upstream patches # upstream patches
# CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts # CVE-2024-0914 opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts
Patch20: opencryptoki-CVE-2024-0914-part1.patch Patch20: opencryptoki-v3.21.0-CVE-2024-0914-part01.patch
Patch21: opencryptoki-CVE-2024-0914-part2.patch Patch21: opencryptoki-v3.21.0-CVE-2024-0914-part02.patch
Patch22: opencryptoki-CVE-2024-0914-part3.patch Patch22: opencryptoki-v3.21.0-CVE-2024-0914-part03.patch
Patch23: opencryptoki-CVE-2024-0914-part4.patch Patch23: opencryptoki-v3.21.0-CVE-2024-0914-part04.patch
Patch24: opencryptoki-CVE-2024-0914-part5.patch Patch24: opencryptoki-v3.21.0-CVE-2024-0914-part05.patch
# pkcsstats: Fix handling of user name
Patch100: opencryptoki-3.21.0-f4166214552a92d8d66de8011ab11c9c2c6bb0a4.patch
# p11sak: Fix user confirmation prompt behavior when stdin is closed
Patch101: opencryptoki-3.21.0-4ff774568e334a719fc8de16fe2309e2070f0da8.patch
# p11sak fails as soon as there reside non-key objects
Patch102: opencryptoki-3.21.0-92999f344a3ad99a67a1bcfd9ad28f28c33e51bc.patch
# opencryptoki p11sak tool: slot option does not accept argument 0 for slot index 0
Patch103: opencryptoki-3.21.0-2ba0f41ef5e14d4b509c8854e27cf98e3ee89445.patch
Requires(pre): coreutils diffutils Requires(pre): coreutils diffutils
Requires: (selinux-policy >= 3.14.3-121 if selinux-policy-targeted) Requires: (selinux-policy >= 38.1.14-1 if selinux-policy-targeted)
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: openssl-devel >= 1.1.1 BuildRequires: openssl-devel >= 1.1.1
%if 0%{?tmptok}
BuildRequires: trousers-devel BuildRequires: trousers-devel
%endif
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
BuildRequires: bison flex BuildRequires: bison flex
@ -56,7 +63,6 @@ This package contains the Slot Daemon (pkcsslotd) and general utilities.
%package libs %package libs
Group: System Environment/Libraries
Summary: The run-time libraries for opencryptoki package Summary: The run-time libraries for opencryptoki package
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -72,7 +78,6 @@ functional.
%package devel %package devel
Group: Development/Libraries
Summary: Development files for openCryptoki Summary: Development files for openCryptoki
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -82,7 +87,6 @@ opencryptoki and PKCS#11 based applications
%package swtok %package swtok
Group: System Environment/Libraries
Summary: The software token implementation for opencryptoki Summary: The software token implementation for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -99,7 +103,6 @@ without any specific cryptographic hardware.
%package tpmtok %package tpmtok
Group: System Environment/Libraries
Summary: Trusted Platform Module (TPM) device support for opencryptoki Summary: Trusted Platform Module (TPM) device support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -116,7 +119,6 @@ Trusted Platform Module (TPM) devices in the opencryptoki stack.
%package icsftok %package icsftok
Group: System Environment/Libraries
Summary: ICSF token support for opencryptoki Summary: ICSF token support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -134,7 +136,6 @@ ICSF token in the opencryptoki stack.
%ifarch s390 s390x %ifarch s390 s390x
%package icatok %package icatok
Group: System Environment/Libraries
Summary: ICA cryptographic devices (clear-key) support for opencryptoki Summary: ICA cryptographic devices (clear-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -152,7 +153,6 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
"accelerator" or "clear-key" path. "accelerator" or "clear-key" path.
%package ccatok %package ccatok
Group: System Environment/Libraries
Summary: CCA cryptographic devices (secure-key) support for opencryptoki Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -170,7 +170,6 @@ cryptographic hardware such as IBM 4764 or 4765 that uses the
"co-processor" or "secure-key" path. "co-processor" or "secure-key" path.
%package ep11tok %package ep11tok
Group: System Environment/Libraries
Summary: CCA cryptographic devices (secure-key) support for opencryptoki Summary: CCA cryptographic devices (secure-key) support for opencryptoki
Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release} Requires(pre): %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -196,44 +195,24 @@ configured with Enterprise PKCS#11 (EP11) firmware.
%build %build
./bootstrap.sh ./bootstrap.sh
%configure --with-systemd=%{_unitdir} \ %configure --with-systemd=%{_unitdir} --enable-testcases \
--with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \ --with-pkcsslotd-user=pkcsslotd --with-pkcs-group=pkcs11 \
%if 0%{?tpmtok}
--enable-tpmtok \
%else
--disable-tpmtok \
%endif
%ifarch s390 s390x %ifarch s390 s390x
--enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate --enable-icatok --enable-ccatok --enable-ep11tok --enable-pkcsep11_migrate
%else %else
--disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate --disable-pkcscca_migrate --disable-icatok --disable-ccatok --disable-ep11tok --disable-pkcsep11_migrate
%endif %endif
make %{?_smp_mflags} CHGRP=/bin/true %make_build CHGRP=/bin/true
%install %install
make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true %make_install CHGRP=/bin/true
# Remove unwanted cruft
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la
%post libs -p /sbin/ldconfig
%post swtok -p /sbin/ldconfig
%post tpmtok -p /sbin/ldconfig
%post icsftok -p /sbin/ldconfig
%ifarch s390 s390x
%post icatok -p /sbin/ldconfig
%post ccatok -p /sbin/ldconfig
%post ep11tok -p /sbin/ldconfig
%endif
%postun libs -p /sbin/ldconfig
%postun swtok -p /sbin/ldconfig
%postun tpmtok -p /sbin/ldconfig
%postun icsftok -p /sbin/ldconfig
%ifarch s390 s390x
%postun icatok -p /sbin/ldconfig
%postun ccatok -p /sbin/ldconfig
%postun ep11tok -p /sbin/ldconfig
%endif
%pre %pre
# don't touch opencryptoki.conf even if it is unchanged due to new tokversion # don't touch opencryptoki.conf even if it is unchanged due to new tokversion
@ -260,7 +239,7 @@ fi
%systemd_post pkcsslotd.service %systemd_post pkcsslotd.service
if test $1 -eq 1; then if test $1 -eq 1; then
%tmpfiles_create %tmpfiles_create %{name}.conf
fi fi
%preun %preun
@ -269,8 +248,6 @@ fi
%postun %postun
%systemd_postun_with_restart pkcsslotd.service %systemd_postun_with_restart pkcsslotd.service
%triggerun -- opencryptoki < 3.21.0-1
/usr/bin/systemctl daemon-reload
%files %files
%doc ChangeLog FAQ README.md %doc ChangeLog FAQ README.md
@ -334,11 +311,13 @@ fi
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/swtok/TOK_OBJ/
%if 0%{?tmptok}
%files tpmtok %files tpmtok
%doc doc/README.tpm_stdll %doc doc/README.tpm_stdll
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.* %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.*
%{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/ %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/tpm/
%endif
%files icsftok %files icsftok
%doc doc/README.icsf_stdll %doc doc/README.icsf_stdll
@ -381,199 +360,199 @@ fi
%changelog %changelog
* Fri Mar 29 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.22.0-3 * Wed Feb 07 2024 Than Ngo <than@redhat.com> - 3.21.0-9
- Rebuilt for MSVSphere 8.10 beta - timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)
Resolves: RHEL-23490
* Fri Feb 16 2024 Than Ngo <than@redhat.com> - 3.22.0-3 * Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-8
- Fix implicit rejection with RSA keys with empty CKA_PRIVATE_EXPONENT - Resolves: #2222592, p11sak tool: slot option does not accept argument 0 for slot index 0
Related: RHEL-22791 - Resolves: #2222596, p11sak fails as soon as there reside non-key objects
* Thu Feb 08 2024 Than Ngo <than@redhat.com> - 3.22.0-2 * Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5
- timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) - add requirement on selinux-policy >= 38.1.14-1 for pkcsslotd policy sandboxing
Resolves: RHEL-22791 Related: #2160061
* Thu Nov 23 2023 Than Ngo <than@redhat.com> - 3.22.0-1 * Fri May 26 2023 Than Ngo <than@redhat.com> - 3.21.0-4
- Resolves: RHEL-11413, update to 3.22.0 - add verify attributes for opencryptoki.conf to ignore the verification
* Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-9 Related: #2160061
- Resolves: #2223588, FTBFS
* Tue Jul 18 2023 Than Ngo <than@redhat.com> - 3.21.0-8 * Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3
- Related: #2222595, add triggerun to reload daemon - Resolves: #2110497, concurrent MK rotation for cca token
- Resolves: #2110498, concurrent MK rotation for ep11 token
- Resolves: #2110499, ep11 token: PKCS #11 3.0 - support AES_XTS
- Resolves: #2111010, cca token: protected key support
- Resolves: #2160061, rebase to 3.21.0
- Resolves: #2160105, pkcsslotd hardening
- Resolves: #2160107, p11sak support Dilithium and Kyber keys
- Resolves: #2160109, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
* Fri Jul 14 2023 Than Ngo <than@redhat.com> - 3.21.0-7 * Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2
- Resolves: #2222595, p11sak tool: slot option does not accept argument 0 for slot index 0 - Resolves: #2044182, Support of ep11 token for new IBM Z Hardware (IBM z16)
- Resolves: #2222594, p11sak fails as soon as there reside non-key objects
* Tue Jul 04 2023 Than Ngo <than@redhat.com> - 3.21.0-6 * Tue Oct 11 2022 Than Ngo <than@redhat.com> - 3.19.0-1
- add workaround for segfault in PEM_write_bio() on OpenSSL 1.1.1 - Resolves: #2126294, opencryptoki fails after generating > 500 RSA keys
Related: #2159741 - Resolves: #2110314, rebase to 3.19.0
- Resolves: #2110989, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
- Resolves: #2110476, openCryptoki ep11 token: master key consistency
- Resolves: #2018458, openCryptoki ep11 token: vendor specific key derivation
* Tue Jun 13 2023 Than Ngo <than@redhat.com> - 3.21.0-5 * Fri Jul 29 2022 Than Ngo <than@redhat.com> - 3.18.0-4
- add requirement on selinux-policy >= 3.14.3-121 for pkcsslotd policy sandboxing - Related: #2044179, do not touch opencryptoki.conf if it is in place already and even if it is unchanged
Related: #2159697
* Thu May 25 2023 Than Ngo <than@redhat.com> - 3.21.0-4 * Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-3
- add verify attributes for opencryptoki.conf to ignore the verification - Related: #2044179, fix json output
Related: #2159697
* Mon May 22 2023 Than Ngo <than@redhat.com> - 3.21.0-3 * Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-2
- pkcsstats: Fix handling of user name - Related: #2044179, add missing strength.conf
- p11sak: Fix user confirmation prompt behavior when stdin is closed
Related: #2159697
* Tue May 16 2023 Than Ngo <than@redhat.com> - 3.21.0-2
- add missing /var/lib/opencryptoki/HSM_MK_CHANGE
- disable unsupported sandbox options and add /run to ReadWritePaths to exclude
/run directory from being made read-only on rhel8
Related: #2159697
* Mon May 15 2023 Than Ngo <than@redhat.com> - 3.21.0-1
- Resolves: #1984865, ep11 and cca: support concurrent HSM master key changes
- Resolves: #2110500, ep11 token: PKCS #11 3.0 - support AES_XTS
- Resolves: #2111011, cca token: protected key support
- Resolves: #2159697, update to 3.21.0
- Resolves: #2159740, pkcsslotd hardening
- Resolves: #2159741, p11sak support Dilithium and Kyber keys
- Resolves: #2159742, ica and soft tokens: PKCS #11 3.0 - support AES_XTS
* Mon Jan 30 2023 Than Ngo <than@redhat.com> - 3.19.0-2 * Mon May 09 2022 Than Ngo <than@redhat.com> - 3.18.0-1
- Resolves: #2043856, Support of ep11 token for new IBM Z Hardware (IBM z16) - Resolves: #2044179, rebase to 3.18.0
- Resolves: #2068091, pkcsconf -t failed with Segmentation fault in FIPS mode
- Resolves: #2066763, Dilithium support not available
- Resolves: #2064697, OpenSSL 3.0 Compatibility for IBM Security Libraries and Tools
- Resolves: #2044181, support crypto profiles
- Resolves: #2044180, add crypto counters
* Tue May 03 2022 Than Ngo <than@redhat.com> - 3.17.0-6
- Resolves: #2066763, Dilithium support not available
* Tue Nov 01 2022 Than Ngo <than@redhat.com> - 3.19.0-1 * Mon Mar 14 2022 Than Ngo <than@redhat.com> - 3.17.0-5
- Resolves: #2126612, opencryptoki fails after generating > 500 RSA keys - Resolves: #2064697, ICA/EP11: Support libica version 4
- Resolves: #2110315, rebase to 3.19.0
- Resolves: #2110990, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
- Resolves: #2110477, openCryptoki ep11 token: master key consistency
- Resolves: #1984871, openCryptoki ep11 token: vendor specific key derivation
* Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-3 * Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-4
- Related: #2043854, do not touch opencryptoki.conf if it is in place already and even if it is unchanged - Resolves: #2040678, API: Unlock GlobMutex if user and group check fails
- Resolves: #2112785, EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL
* Tue Jun 07 2022 Than Ngo <than@redhat.com> - 3.18.0-2 * Sat Dec 04 2021 Than Ngo <than@redhat.com> - 3.17.0-3
- Related: #2043854, fix json output - Related: #2015888, added missing patch pkcsslotd-pidfile
* Tue May 24 2022 Than Ngo <than@redhat.com> - 3.18.0-1 * Wed Nov 24 2021 Than Ngo <than@redhat.com> - 3.17.0-2
- Resolves: #2043845, rebase to 3.18.0 - Related: #2015888, add missing p11sak_defined_attrs.conf
- Resolves: #2043854, add crypto counters
- Resolves: #2043855, support crypto profiles
* Fri Apr 15 2022 Than Ngo <than@redhat.com> - 3.17.0-4 * Wed Nov 03 2021 Than Ngo <than@redhat.com> - 3.17.0-1
- Resolves: #2066762, Dilithium support not available - Resolves: #2015888, rebase to 3.17.0
- Resolves: #2017720, openCryptoki key management tool
* Mon Jan 17 2022 Than Ngo <than@redhat.com> - 3.17.0-3 * Thu Aug 26 2021 Than Ngo <than@redhat.com> - 3.16.0-12
- Resolves: #2040677, API: Unlock GlobMutex if user and group check fails - Related: #1989138, Support for OpenSSL 3.0
* Tue Nov 09 2021 Than Ngo <than@redhat.com> - 3.17.0-2 * Mon Aug 23 2021 Than Ngo <than@redhat.com> - 3.16.0-11
- Related: #1984993, add missing p11sak_defined_attrs.conf - Resolves: #1989138, Support for OpenSSL 3.0
* Tue Oct 19 2021 Than Ngo <than@redhat.com> - 3.17.0-1 * Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-10
- Resolves: #1984993, rebase to 3.17.0 - Resolves: #1987186, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes
- Resolves: #1984870, openCryptoki key management tool
* Mon Sep 13 2021 Than Ngo <than@redhat.com> - 3.16.0-6 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-9
- Fix: Could not open /run/lock/opencryptoki/LCK..APIlock - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Aug 19 2021 Than Ngo <than@redhat.com> - 3.16.0-5 * Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 3.16.0-8
- Resolves: #1987256, pkcstok_migrate leaves options with multiple strings in opencryptoki.conf options without double-quotes - Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
* Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-4 * Fri Jul 16 2021 Than Ngo <than@redhat.com> - 3.16.0-7
- Resolves: #1964304, Fix detection if pkcsslotd is still running - Resolves: #1974365, Fix detection if pkcsslotd is still running
* Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-3 * Fri Jun 25 2021 Than Ngo <than@redhat.com> - 3.16.0-6
- Related: #1919223, add conditional requirement - Resolves: #1974693, pkcsslotd PIDfile below legacy directory /var/run/
* Fri Jun 11 2021 Than Ngo <than@redhat.com> - 3.16.0-2 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-5
- Related: #1919223, add requirement on selinux-policy >= 3.14.3-70 for using ipsec - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 01 2021 Than Ngo <than@redhat.com> - 3.16.0-1 * Tue Jun 15 2021 Than Ngo <than@redhat.com> - 3.16.0-4
- Resolves: #1919223, rebase to 3.16.0 - Related: #1924120, add conditional requirement on new selinux-policy
- Resolves: #1922195, Event Notification Support
- Resolves: #1959936, Soft token does not check if an EC key is valid * Mon May 17 2021 Than Ngo <than@redhat.com> - 3.16.0-3
- Resolves: #1851104, import and export of secure key objects - Resolves: #1959894, Soft token does not check if an EC key is valid
- Resolves: #1851106, openCryptoki ep11 token: protected key support - Resolves: #1924120, Event Notification Support
- Resolves: #1851107, openCryptoki ep11 token: support attribute bound keys
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.16.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 31 2021 Dan Horák <dan[at]danny.cz> - 3.16.0-1
- Rebase to 3.16.0
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.15.1-6
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5 * Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-5
- Resolves: #1928120, Fix problem with C_Get/SetOperationState and digest contexts - Added upstream patch, a slot ID has nothing to do with the number of slots
* Fri Feb 12 2021 Than Ngo <than@redhat.com> - 3.15.1-4 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.15.1-4
- Resolves: #1927745, pkcscca migration fails with usr/sb2 is not a valid slot ID - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-3 * Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-3
- Resolves: #1902022 - Drop tpm1.2 support by default
Fix compiling with c++
Added error message handling for p11sak remove-key command
* Thu Nov 26 2020 Than Ngo <than@redhat.com> - 3.15.1-2 * Tue Dec 22 2020 Than Ngo <than@redhat.com> - 3.15.1-2
- Related: #1847433, Added error message handling for p11sak remove-key command - Fix compiling with c++
- Added error message handling for p11sak remove-key command
- Add BR on make
* Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1 * Mon Nov 02 2020 Than Ngo <than@redhat.com> - 3.15.1-1
- Related: #1847433 - Rebase to 3.15.1
upstream fixes:
- Free generated key in all error cases * Mon Oct 19 2020 Dan Horák <dan[at]danny.cz> - 3.15.0-1
- CCA: Zeroize key buffer to avoid CCA 8/32 error - Rebase to 3.15.0
- Do not delete the map-btree entry if destroying an object is not allowed
- Remove now unused header timeb.h * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.14.0-6
- TESTCASES: Use FIPS conforming keys for 3DES CBC-MAC test vectors - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- Fix buffer overrun in C_CopyObject
- TPM: Fix double free in openssl_gen_key * Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.14.0-5
- Use make macros
* Mon Oct 19 2020 Than Ngo <than@redhat.com> - 3.15.0-1 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- Resolves: #1847433, rebase to 3.15.0
- Resolves: #1851105, PKCS #11 3.0 - baseline provider support * Wed Jul 08 2020 Than Ngo <than@redhat.com> - 3.14.0-4
- Resolves: #1851108, openCryptoki ep11 token: enhanced functionality - added PIN conversion tool
- Resolves: #1851109, openCryptoki key management tool: key deletion function
* Wed Jul 01 2020 Than Ngo <than@redhat.com> - 3.14.0-3
* Mon Jul 06 2020 Than Ngo <than@redhat.com> - 3.14.0-5 - upstream fix - handle early error cases in C_Initialize
- Related: #1853420, more fixes
* Wed May 27 2020 Than Ngo <than@redhat.com> - 3.14.0-2
* Fri Jul 03 2020 Than Ngo <than@redhat.com> - 3.14.0-4 - fix regression, segfault in C_SetPin
- Resolves: #1853420, endian issue
* Fri May 15 2020 Dan Horák <dan[at]danny.cz> - 3.14.0-1
* Mon Jun 15 2020 Than Ngo <than@redhat.com> - 3.14.0-3 - Rebase to 3.14.0
- Resolves: #1780294, PIN conversion tool
* Fri Mar 06 2020 Dan Horák <dan[at]danny.cz> - 3.13.0-1
* Tue May 26 2020 Than Ngo <than@redhat.com> - 3.14.0-2 - Rebase to 3.13.0
- Related: #1780293, fix regression, segfault in C_SetPin
* Mon Feb 03 2020 Dan Horák <dan[at]danny.cz> - 3.12.1-3
* Tue May 19 2020 Than Ngo <than@redhat.com> - 3.14.0-1 - fix build with gcc 10
- Resolves: #1723863 - ep11 token: Enhanced Support
- Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.12.1-2
- Resolves: #1780293 - rebase to 3.14.0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
- Resolves: #1800549 - key management tool: list keys function
-Resolves: #1800555 - key management tool: random key generation function * Wed Nov 27 2019 Dan Horák <dan[at]danny.cz> - 3.12.1-1
- Rebase to 3.12.1
* Fri Dec 13 2019 Than Ngo <than@redhat.com> - 3.12.1-2
- Resolves: #1782445, EP11: Fix EC-uncompress buffer length * Wed Nov 13 2019 Dan Horák <dan[at]danny.cz> - 3.12.0-1
- Rebase to 3.12.0
* Thu Nov 28 2019 Than Ngo <than@redhat.com> - 3.12.1-1
- Resolves: #1777313, rebase to 3.12.1 * Sun Sep 22 2019 Dan Horák <dan[at]danny.cz> - 3.11.1-1
- Rebase to 3.11.1
* Tue Nov 12 2019 Than Ngo <than@redhat.com> - 3.12.0-1
- Resolves: #1726243, rebase to 3.12.0 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Aug 26 2019 Dan Horák <dhorak@redhat.com> - 3.11.1-2
- Resolves: #1739433, ICA HW token missing after the package update * Thu Mar 28 2019 Than Ngo <than@redhat.com> - 3.11.0-4
- enable testcase by default
* Mon May 06 2019 Than Ngo <than@redhat.com> - 3.11.1-1 - fix URL
- Resolves: #1706140, rebase to 3.11.1
* Tue Feb 19 2019 Than Ngo <than@redhat.com> - 3.11.0-3
* Tue Mar 26 2019 Than Ngo <than@redhat.com> - 3.11.0-3 - Resolved #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group
- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios
- Resolves: #1651731, ep11 token: enhanced IBM z14 functions * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.11.0-2
- Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
- Resolves: #1525407, use CPACF hashes in ep11 token
- Resolves: #1651238, rebase to 3.11.0 * Thu Jan 31 2019 Than Ngo <than@redhat.com> - 3.11.0-1
- Resolves: #1682530, gating - Updated to 3.11.0
- Resolved #1341079 - Failed to create directory or subvolume "/var/lock/opencryptoki"
* Fri Dec 14 2018 Than Ngo <than@redhat.com> - 3.10.0-3 - Ported root's group membership's patch for 3.11.0
- Resolves: #1657683, can't establish libica token in FIPS mode
- Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.10.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Oct 25 2018 Than Ngo <than@redhat.com> - 3.10.0-2
- Resolves: #1602641, covscan
* Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1 * Tue Jun 12 2018 Dan Horák <dan[at]danny.cz> - 3.10.0-1
- Rebase to 3.10.0 - Rebase to 3.10.0

Write Preview
Loading…
Cancel
Save