commit ac49ff6a3de9886bba6e35a0bf9208ae5ae1677e Author: MSVSphere Packaging Team Date: Fri Mar 29 16:08:06 2024 +0300 import p11-kit-0.23.22-2.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1dd2e3b --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +SOURCES/p11-kit-0.23.22.tar.xz +SOURCES/p11-kit-0.23.22.tar.xz.sig diff --git a/.p11-kit.metadata b/.p11-kit.metadata new file mode 100644 index 0000000..afd9afe --- /dev/null +++ b/.p11-kit.metadata @@ -0,0 +1,3 @@ +526f07b62624739ba318a171bab3352af91d0134 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +339e5163ed50a9984a74739b9207ea8cd77fa7e2 SOURCES/p11-kit-0.23.22.tar.xz +1ab50d9f01bb186c60c32b56467c6f9f56e365da SOURCES/p11-kit-0.23.22.tar.xz.sig diff --git a/SOURCES/001-dt-needed.patch b/SOURCES/001-dt-needed.patch new file mode 100644 index 0000000..9c07b87 --- /dev/null +++ b/SOURCES/001-dt-needed.patch @@ -0,0 +1,42 @@ +From a91266ef087532e2332c75c4fd9244df66f30b64 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 18 Dec 2020 13:37:10 +0100 +Subject: [PATCH] meson: Link trust/client modules explicitly to -ldl + +This adds the -ldl link flag missing in the meson build, but present +in the autotools build. Although the use-case is unlikely, this +allows those modules to be linked as a normal shared library to a +program. +--- + p11-kit/meson.build | 1 + + trust/meson.build | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/meson.build b/p11-kit/meson.build +index 7d57cd7..02147a9 100644 +--- a/p11-kit/meson.build ++++ b/p11-kit/meson.build +@@ -92,6 +92,7 @@ if host_system != 'windows' + 'client.c', 'client-init.c', + name_prefix: '', + include_directories: [configinc, commoninc], ++ dependencies: dlopen_deps, + link_args: p11_module_ldflags, + link_depends: [p11_module_symbol_map, + p11_module_symbol_def], +diff --git a/trust/meson.build b/trust/meson.build +index 482a3c1..d4a8e15 100644 +--- a/trust/meson.build ++++ b/trust/meson.build +@@ -56,7 +56,7 @@ shared_module('p11-kit-trust', + 'module-init.c', + name_prefix: '', + c_args: p11_kit_trust_c_args, +- dependencies: [asn_h_dep, libp11_library_dep] + libtasn1_deps, ++ dependencies: [asn_h_dep, libp11_library_dep] + dlopen_deps + libtasn1_deps, + link_args: p11_module_ldflags, + link_depends: [p11_module_symbol_map, + p11_module_symbol_def], +-- +2.29.2 + diff --git a/SOURCES/002-doc-dep.patch b/SOURCES/002-doc-dep.patch new file mode 100644 index 0000000..c173db9 --- /dev/null +++ b/SOURCES/002-doc-dep.patch @@ -0,0 +1,42 @@ +From 9f01a8a45ba913a9b65894cef9369b6010005096 Mon Sep 17 00:00:00 2001 +From: Eli Schwartz +Date: Tue, 11 Jan 2022 23:25:05 -0500 +Subject: [PATCH] gtkdoc: remove dependencies on custom target files + +Sadly, the `dependencies` kwarg does not actually do what it seems to be +trying to be used for, here. It is for listing dependency or library +objects whose compiler flags should be added to gtkdoc-scangobj. + +It will not actually add ninja target dependencies. The similar kwarg in +other meson functions (e.g. genmarshal and compile_schemas) that *do* +allow adding target dependencies, is `depend_files`. + +Older versions of meson simply did nothing in an if/elif/elif block +where these custom_targets never matched anything, and were thus +silently ignored. + +Meson 0.61 type-validates the arguments and rejects CustomTarget as +invalid: + +``` +doc/manual/meson.build:72:8: ERROR: gnome.gtkdoc keyword argument 'dependencies' was of type array[CustomTarget | PkgConfigDependency] but should have been array[Dependency | SharedLibrary | StaticLibrary] +``` + +Fixes #406 +--- + doc/manual/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/manual/meson.build b/doc/manual/meson.build +index cf8758dbf..560df8dbc 100644 +--- a/doc/manual/meson.build ++++ b/doc/manual/meson.build +@@ -73,7 +73,7 @@ if get_option('gtk_doc') + main_xml: 'p11-kit-docs.xml', + namespace: 'p11_kit', + src_dir: 'p11-kit', +- dependencies: libffi_deps + dlopen_deps + xml_deps, ++ dependencies: libffi_deps + dlopen_deps, + scan_args: [ + '--ignore-headers=' + ' '.join(ignore_headers), + '--rebuild-types', diff --git a/SOURCES/003-IBM-mechs-and-attrs.patch b/SOURCES/003-IBM-mechs-and-attrs.patch new file mode 100644 index 0000000..8561b16 --- /dev/null +++ b/SOURCES/003-IBM-mechs-and-attrs.patch @@ -0,0 +1,953 @@ +diff --color -ruNp a/common/attrs.c b/common/attrs.c +--- a/common/attrs.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/common/attrs.c 2023-11-29 14:29:45.130552239 +0100 +@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBU + X (CKA_TRUST_STEP_UP_APPROVED) + X (CKA_CERT_SHA1_HASH) + X (CKA_CERT_MD5_HASH) ++ X (CKA_IBM_OPAQUE) ++ X (CKA_IBM_RESTRICTABLE) ++ X (CKA_IBM_NEVER_MODIFIABLE) ++ X (CKA_IBM_RETAINKEY) ++ X (CKA_IBM_ATTRBOUND) ++ X (CKA_IBM_KEYTYPE) ++ X (CKA_IBM_CV) ++ X (CKA_IBM_MACKEY) ++ X (CKA_IBM_USE_AS_DATA) ++ X (CKA_IBM_STRUCT_PARAMS) ++ X (CKA_IBM_STD_COMPLIANCE1) ++ X (CKA_IBM_PROTKEY_EXTRACTABLE) ++ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE) ++ X (CKA_IBM_OPAQUE_PKEY) ++ X (CKA_IBM_DILITHIUM_KEYFORM) ++ X (CKA_IBM_DILITHIUM_RHO) ++ X (CKA_IBM_DILITHIUM_T1) + case CKA_VALUE: + return (klass != CKO_CERTIFICATE && + klass != CKO_X_CERTIFICATE_EXTENSION); +diff --color -ruNp a/common/constants.c b/common/constants.c +--- a/common/constants.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/common/constants.c 2023-11-29 14:29:45.130552239 +0100 +@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] + CT (CKA_WRAP_TEMPLATE, "wrap-template") + CT (CKA_UNWRAP_TEMPLATE, "unwrap-template") + CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms") ++ CT (CKA_IBM_OPAQUE, "ibm-opaque") ++ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable") ++ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable") ++ CT (CKA_IBM_RETAINKEY, "ibm-retainkey") ++ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound") ++ CT (CKA_IBM_KEYTYPE, "ibm-keytype") ++ CT (CKA_IBM_CV, "ibm-cv") ++ CT (CKA_IBM_MACKEY, "ibm-mackey") ++ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data") ++ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params") ++ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1") ++ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable") ++ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable") ++ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform") ++ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho") ++ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed") ++ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr") ++ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1") ++ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2") ++ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0") ++ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1") ++ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey") + CT (CKA_NSS_URL, "nss-url") + CT (CKA_NSS_EMAIL, "nss-email") + CT (CKA_NSS_SMIME_INFO, "nss-smime-constant") +@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = + CT (CKK_AES, "aes") + CT (CKK_BLOWFISH, "blowfish") + CT (CKK_TWOFISH, "twofish") ++ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium") + CT (CKK_NSS_PKCS8, "nss-pkcs8") + { CKA_INVALID }, + }; +@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanis + CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen") + CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen") + CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen") ++ CT (CKM_IBM_SHA3_224, "ibm-sha3-224") ++ CT (CKM_IBM_SHA3_256, "ibm-sha3-256") ++ CT (CKM_IBM_SHA3_384, "ibm-sha3-384") ++ CT (CKM_IBM_SHA3_512, "ibm-sha3-512") ++ CT (CKM_IBM_CMAC, "ibm-cmac") ++ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519") ++ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512") ++ CT (CKM_IBM_EC_X448, "ibm-ec-x448") ++ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3") ++ CT (CKM_IBM_DILITHIUM, "ibm-dilithium") ++ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac") ++ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac") ++ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac") ++ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac") ++ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap") + { CKA_INVALID }, + }; + +diff --color -ruNp a/common/pkcs11x.h b/common/pkcs11x.h +--- a/common/pkcs11x.h 2020-12-11 16:24:01.000000000 +0100 ++++ b/common/pkcs11x.h 2023-11-29 14:29:45.252554771 +0100 +@@ -181,6 +181,71 @@ typedef CK_ULONG + + #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */ + ++/* Define this if you want the IBM specific symbols */ ++#define CRYPTOKI_IBM_VENDOR_DEFINED 1 ++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED ++ ++#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023 ++ ++#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1) ++#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001) ++#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002) ++#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003) ++#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004) ++#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005) ++#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006) ++#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007) ++#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008) ++#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009) ++#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a) ++#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c) ++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d) ++#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001) ++#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002) ++#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003) ++#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004) ++#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005) ++#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006) ++#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007) ++#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008) ++#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100) ++ ++#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001) ++#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002) ++#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003) ++#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004) ++#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007) ++#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b) ++#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c) ++#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e) ++#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f) ++#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023) ++#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025) ++#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026) ++#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027) ++#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) ++#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) ++ ++/* ++ * If the caller is using the PKCS#11 GNU calling convention, then we cater ++ * to that here. ++ */ ++#ifdef CRYPTOKI_GNU ++#define hSignVerifyKey h_sign_verify_key ++#endif ++ ++struct ck_ibm_attributebound_wrap { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++}; ++ ++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#ifdef CRYPTOKI_GNU ++#undef hSignVerifyKey ++#endif ++ ++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ ++ + #if defined(__cplusplus) + } + #endif +diff --color -ruNp a/p11-kit/meson.build b/p11-kit/meson.build +--- a/p11-kit/meson.build 2023-11-29 14:27:53.265231072 +0100 ++++ b/p11-kit/meson.build 2023-11-29 14:29:45.264555020 +0100 +@@ -211,6 +211,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_hea + static_library('p11-kit-pkcs11-gnu', + gnu_h, + 'pkcs11-gnu.c', ++ c_args: [ ++ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1', ++ ], + include_directories: [configinc, commoninc]) + + # Tests ---------------------------------------------------------------- +diff --color -ruNp a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h +--- a/p11-kit/p11-kit.h 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/p11-kit.h 2023-11-29 14:29:45.265555041 +0100 +@@ -43,12 +43,17 @@ + */ + #ifdef CRYPTOKI_GNU + typedef ck_rv_t CK_RV; ++typedef ck_object_handle_t CK_OBJECT_HANDLE; ++typedef unsigned long int CK_ULONG; + typedef struct ck_function_list* CK_FUNCTION_LIST_PTR; + typedef struct ck_function_list CK_FUNCTION_LIST; + #endif + + #include "p11-kit/deprecated.h" + ++/* For size_t. */ ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --color -ruNp a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c +--- a/p11-kit/pkcs11-gnu.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/pkcs11-gnu.c 2023-11-29 14:29:45.265555041 +0100 +@@ -1,3 +1,8 @@ ++#include "config.h" ++ ++#include "p11-kit.h" ++#include "pkcs11x.h" ++ + #include "pkcs11-gnu-iter.h" + #include "pkcs11-gnu-pin.h" + #include "pkcs11-gnu-uri.h" +diff --color -ruNp a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +--- a/p11-kit/rpc-client.c 2020-12-11 15:48:46.000000000 +0100 ++++ b/p11-kit/rpc-client.c 2023-11-29 14:29:45.220554107 +0100 +@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_messag + #define IN_BYTE_BUFFER(arr, len) \ + if (len == NULL) \ + { _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \ +- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \ ++ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \ + { _ret = CKR_HOST_MEMORY; goto _cleanup; } + + #define IN_BYTE_ARRAY(arr, len) \ +@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *se + CK_BYTE_PTR part, + CK_ULONG part_len) + { +- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD); +- + BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID); + IN_ULONG (session); + IN_BYTE_ARRAY (part, part_len); +diff --color -ruNp a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +--- a/p11-kit/rpc-message.c 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-message.c 2023-11-29 14:29:45.243554584 +0100 +@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rp + assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay")); + + /* No array, no data, just length */ +- if (!arr) { ++ if (!arr && num != 0) { + p11_rpc_buffer_add_byte (msg->output, 0); + p11_rpc_buffer_add_uint32 (msg->output, num); + } else { +@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_RESET_ON_INIT: + case CKA_HAS_RESET: + case CKA_COLOR: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_RETAINKEY: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ case CKA_IBM_PROTKEY_EXTRACTABLE: ++ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE: + return P11_RPC_VALUE_BYTE; + case CKA_CLASS: + case CKA_CERTIFICATE_TYPE: +@@ -821,9 +828,13 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_CHAR_COLUMNS: + case CKA_BITS_PER_PIXEL: + case CKA_MECHANISM_TYPE: ++ case CKA_IBM_DILITHIUM_KEYFORM: ++ case CKA_IBM_STD_COMPLIANCE1: ++ case CKA_IBM_KEYTYPE: + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: ++ case CKA_DERIVE_TEMPLATE: + return P11_RPC_VALUE_ATTRIBUTE_ARRAY; + case CKA_ALLOWED_MECHANISMS: + return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY; +@@ -869,6 +880,18 @@ map_attribute_to_value_type (CK_ATTRIBUT + case CKA_REQUIRED_CMS_ATTRIBUTES: + case CKA_DEFAULT_CMS_ATTRIBUTES: + case CKA_SUPPORTED_CMS_ATTRIBUTES: ++ case CKA_IBM_OPAQUE: ++ case CKA_IBM_CV: ++ case CKA_IBM_MACKEY: ++ case CKA_IBM_STRUCT_PARAMS: ++ case CKA_IBM_OPAQUE_PKEY: ++ case CKA_IBM_DILITHIUM_RHO: ++ case CKA_IBM_DILITHIUM_SEED: ++ case CKA_IBM_DILITHIUM_TR: ++ case CKA_IBM_DILITHIUM_S1: ++ case CKA_IBM_DILITHIUM_S2: ++ case CKA_IBM_DILITHIUM_T0: ++ case CKA_IBM_DILITHIUM_T1: + return P11_RPC_VALUE_BYTE_ARRAY; + } + } +@@ -1406,9 +1429,466 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechani + return true; + } + ++void ++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */ ++ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.kdf can be converted to uint64_t. */ ++ if (params.kdf > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.kdf); ++ ++ /* parmas.shared_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.shared_data, ++ params.shared_data_len); ++ ++ /* parmas.public_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.public_data, ++ params.public_data_len); ++} ++ ++bool ++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ ++ ++ if (value) { ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ params.kdf = val; ++ params.shared_data = (void *) data1; ++ params.shared_data_len = len1; ++ params.public_data = (void *) data2; ++ params.public_data_len = len2; ++ ++ memcpy (value, ¶ms, sizeof (CK_ECDH1_DERIVE_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */ ++ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.hSignVerifyKey can be converted to uint64_t. */ ++ if (params.hSignVerifyKey > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey); ++} ++ ++bool ++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (value) { ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ params.hSignVerifyKey = val; ++ ++ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an AES IV. */ ++ if (value_length != 16) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 16) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_AES_CTR_PARAMS params; ++ ++ /* Check if value can be converted to CK_AES_CTR_PARAMS. */ ++ if (value_length != sizeof (CK_AES_CTR_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.counter_bits can be converted to uint64_t. */ ++ if (params.counter_bits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits); ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.cb, ++ sizeof(params.cb)); ++} ++ ++bool ++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (value) { ++ CK_AES_CTR_PARAMS params; ++ ++ params.ulCounterBits = val; ++ ++ if (len != sizeof (params.cb)) ++ return false; ++ ++ memcpy (params.cb, data, sizeof (params.cb)); ++ memcpy (value, ¶ms, sizeof (CK_AES_CTR_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_AES_CTR_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_GCM_PARAMS params; ++ ++ /* Check if value can be converted to CK_GCM_PARAMS. */ ++ if (value_length != sizeof (CK_GCM_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */ ++ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pIv, ++ params.ulIvLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits); ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pAAD, ++ params.ulAADLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits); ++} ++ ++bool ++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val1, val2; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2)) ++ return false; ++ ++ if (value) { ++ CK_GCM_PARAMS params; ++ ++ params.pIv = (void *) data1; ++ params.ulIvLen = len1; ++ params.ulIvBits = val1; ++ params.pAAD = (void *) data2; ++ params.ulAADLen = len2; ++ params.ulTagBits = val2; ++ ++ memcpy (value, ¶ms, sizeof (CK_GCM_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_GCM_PARAMS); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an DES IV. */ ++ if (value_length != 8) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 8) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ULONG val; ++ uint64_t params; ++ ++ /* ++ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which ++ * is a CK_ULONG. ++ */ ++ if (value_length != sizeof (CK_ULONG)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (&val, value, value_length); ++ params = val; ++ ++ p11_rpc_buffer_add_uint64 (buffer, params); ++} ++ ++bool ++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ CK_ULONG params; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ params = val; ++ ++ if (value) ++ memcpy (value, ¶ms, sizeof (params)); ++ ++ if (value_length) ++ *value_length = sizeof (params); ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Mechanism parameter is public value of the other party */ ++ if (value_length == 0) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len == 0) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value } ++ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, ++ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, ++ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, ++ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value }, ++ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1453,6 +1933,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: ++ case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: +@@ -1467,6 +1948,10 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_EC_KEY_PAIR_GEN: + case CKM_ECDSA: + case CKM_ECDSA_SHA1: ++ case CKM_ECDSA_SHA224: ++ case CKM_ECDSA_SHA256: ++ case CKM_ECDSA_SHA384: ++ case CKM_ECDSA_SHA512: + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_PARAMETER_GEN: + case CKM_X9_42_DH_KEY_PAIR_GEN: +@@ -1480,6 +1965,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_AES_KEY_GEN: + case CKM_AES_ECB: + case CKM_AES_MAC: ++ case CKM_AES_CMAC: + case CKM_DES_KEY_GEN: + case CKM_DES2_KEY_GEN: + case CKM_DES3_KEY_GEN: +@@ -1505,6 +1991,7 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_RC2_MAC: + case CKM_DES_MAC: + case CKM_DES3_MAC: ++ case CKM_DES3_CMAC: + case CKM_CDMF_MAC: + case CKM_CAST_MAC: + case CKM_CAST3_MAC: +@@ -1521,18 +2008,46 @@ mechanism_has_no_parameters (CK_MECHANIS + case CKM_MD5_HMAC: + case CKM_SHA_1: + case CKM_SHA_1_HMAC: ++ case CKM_SHA1_KEY_DERIVATION: ++ case CKM_SHA224: ++ case CKM_SHA224_HMAC: ++ case CKM_SHA224_KEY_DERIVATION: + case CKM_SHA256: + case CKM_SHA256_HMAC: ++ case CKM_SHA256_KEY_DERIVATION: + case CKM_SHA384: + case CKM_SHA384_HMAC: ++ case CKM_SHA384_KEY_DERIVATION: + case CKM_SHA512: + case CKM_SHA512_HMAC: ++ case CKM_SHA512_KEY_DERIVATION: ++ case CKM_SHA512_T: ++ case CKM_SHA512_T_HMAC: ++ case CKM_SHA512_T_KEY_DERIVATION: ++ case CKM_SHA512_224: ++ case CKM_SHA512_224_HMAC: ++ case CKM_SHA512_224_KEY_DERIVATION: ++ case CKM_SHA512_256: ++ case CKM_SHA512_256_HMAC: ++ case CKM_SHA512_256_KEY_DERIVATION: + case CKM_FASTHASH: + case CKM_RIPEMD128: + case CKM_RIPEMD128_HMAC: + case CKM_RIPEMD160: + case CKM_RIPEMD160_HMAC: + case CKM_KEY_WRAP_LYNKS: ++ case CKM_IBM_SHA3_224: ++ case CKM_IBM_SHA3_256: ++ case CKM_IBM_SHA3_384: ++ case CKM_IBM_SHA3_512: ++ case CKM_IBM_CMAC: ++ case CKM_IBM_DILITHIUM: ++ case CKM_IBM_SHA3_224_HMAC: ++ case CKM_IBM_SHA3_256_HMAC: ++ case CKM_IBM_SHA3_384_HMAC: ++ case CKM_IBM_SHA3_512_HMAC: ++ case CKM_IBM_ED25519_SHA512: ++ case CKM_IBM_ED448_SHA3: + return true; + default: + return false; +diff --color -ruNp a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +--- a/p11-kit/rpc-message.h 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-message.h 2023-11-29 14:29:45.243554584 +0100 +@@ -42,6 +42,7 @@ + + #include "buffer.h" + #include "pkcs11.h" ++#include "pkcs11x.h" + + /* The calls, must be in sync with array below */ + enum { +@@ -478,5 +479,85 @@ bool p11_rpc_buffer_get_rsa_ + size_t *offset, + void *value, + CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); + + #endif /* _RPC_MESSAGE_H */ +diff --color -ruNp a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +--- a/p11-kit/rpc-server.c 2020-12-11 16:25:36.000000000 +0100 ++++ b/p11-kit/rpc-server.c 2023-11-29 14:29:45.221554128 +0100 +@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message + *n_buffer = length; + *buffer = NULL; + ++ /* length = -1 indicates length = 0, but buffer not NULL */ ++ if (length == (uint32_t)-1) { ++ *n_buffer = 0; ++ length = 1; /*allocate 1 dummy byte */ ++ } ++ + /* If set to zero, then they just want the length */ + if (length == 0) + return CKR_OK; diff --git a/SOURCES/p11-kit-client.service b/SOURCES/p11-kit-client.service new file mode 100644 index 0000000..c9b8e30 --- /dev/null +++ b/SOURCES/p11-kit-client.service @@ -0,0 +1,11 @@ +[Unit] +Description=p11-kit client + +[Service] +Type=oneshot +RemainAfterExit=true +RuntimeDirectory=p11-kit +ExecStart=/usr/bin/true + +[Install] +WantedBy=default.target diff --git a/SOURCES/trust-extract-compat b/SOURCES/trust-extract-compat new file mode 100755 index 0000000..1976f22 --- /dev/null +++ b/SOURCES/trust-extract-compat @@ -0,0 +1,15 @@ +#!/usr/bin/bash + +set -e + +if test "$UID" != "0"; then + echo "p11-kit: the 'extract-trust' command must be run as root" >&2 + exit 2 +fi + +if test $# -gt 1; then + echo "p11-kit: no additional arguments are supported for this command" >&2 + exit 2 +fi + +exec /usr/bin/update-ca-trust diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec new file mode 100644 index 0000000..b842443 --- /dev/null +++ b/SPECS/p11-kit.spec @@ -0,0 +1,430 @@ +# This spec file has been automatically updated +Version: 0.23.22 +Release: 2%{?dist} +Name: p11-kit +Summary: Library for loading and sharing PKCS#11 modules + +License: BSD-3-Clause +URL: http://p11-glue.freedesktop.org/p11-kit.html +Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz +Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig +Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg +Source3: trust-extract-compat +Source4: p11-kit-client.service + +Patch0: 001-dt-needed.patch +Patch1: 002-doc-dep.patch +# commits: 4059f17, d07a8ff, 218e971, c4ade85, 242e5db, ac0da82, 7235af6, +# b72aa47, 506b941, 3c0be1d, 7ea5901, 7675f86, d1782b6 +Patch2: 003-IBM-mechs-and-attrs.patch + +BuildRequires: gcc +BuildRequires: libtasn1-devel >= 2.3 +BuildRequires: libtasn1-tools +BuildRequires: libffi-devel +BuildRequires: gettext +BuildRequires: gtk-doc +BuildRequires: meson +BuildRequires: systemd-devel +BuildRequires: bash-completion +# Work around for https://bugzilla.redhat.com/show_bug.cgi?id=1497147 +# Remove this once it is fixed +BuildRequires: pkgconfig(glib-2.0) +BuildRequires: pkgconfig(systemd) +BuildRequires: gnupg2 +BuildRequires: /usr/bin/xsltproc + +%description +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%package trust +Summary: System trust module from %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): %{_sbindir}/alternatives +Requires(postun): %{_sbindir}/alternatives +Conflicts: nss < 3.14.3-9 + +%description trust +The %{name}-trust package contains a system trust PKCS#11 module which +contains certificate anchors and blocklists. + + +%package server +Summary: Server and client commands for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description server +The %{name}-server package contains command line tools that enable to +export PKCS#11 modules through a Unix domain socket. Note that this +feature is still experimental. + + +# solution taken from icedtea-web.spec +%define multilib_arches ppc64 sparc64 x86_64 ppc64le +%ifarch %{multilib_arches} +%define alt_ckbi libnssckbi.so.%{_arch} +%else +%define alt_ckbi libnssckbi.so +%endif + + +%prep +gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} + +%autosetup -p1 + +%build +# These paths are the source paths that come from the plan here: +# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks +%meson -Dgtk_doc=true -Dman=true -Dtrust_paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source +%meson_build + +%install +%meson_install +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules +install -p -m 755 %{SOURCE3} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/ +# Install the example conf with %%doc instead +mkdir -p $RPM_BUILD_ROOT%{_docdir}/%{name} +mv $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example $RPM_BUILD_ROOT%{_docdir}/%{name}/pkcs11.conf.example +mkdir -p $RPM_BUILD_ROOT%{_userunitdir} +install -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_userunitdir} +%find_lang %{name} + +%check +%meson_test + + +%post trust +%{_sbindir}/alternatives --install %{_libdir}/libnssckbi.so %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30 + +%postun trust +if [ $1 -eq 0 ] ; then + # package removal + %{_sbindir}/alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so +fi + + +%files -f %{name}.lang +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc AUTHORS NEWS README +%{_docdir}/%{name}/pkcs11.conf.example +%dir %{_sysconfdir}/pkcs11 +%dir %{_sysconfdir}/pkcs11/modules +%dir %{_datadir}/p11-kit +%dir %{_datadir}/p11-kit/modules +%dir %{_libexecdir}/p11-kit +%{_bindir}/p11-kit +%{_libdir}/libp11-kit.so.* +%{_libdir}/p11-kit-proxy.so +%{_libexecdir}/p11-kit/p11-kit-remote +%{_mandir}/man1/trust.1.gz +%{_mandir}/man8/p11-kit.8.gz +%{_mandir}/man5/pkcs11.conf.5.gz +%{_datadir}/bash-completion/completions/p11-kit + +%files devel +%{_includedir}/p11-kit-1/ +%{_libdir}/libp11-kit.so +%{_libdir}/pkgconfig/p11-kit-1.pc +%doc %{_datadir}/gtk-doc/ + +%files trust +%{_bindir}/trust +%dir %{_libdir}/pkcs11 +%ghost %{_libdir}/libnssckbi.so +%{_libdir}/pkcs11/p11-kit-trust.so +%{_datadir}/p11-kit/modules/p11-kit-trust.module +%{_libexecdir}/p11-kit/trust-extract-compat +%{_datadir}/bash-completion/completions/trust + +%files server +%{_libdir}/pkcs11/p11-kit-client.so +%{_userunitdir}/p11-kit-client.service +%{_libexecdir}/p11-kit/p11-kit-server +%{_userunitdir}/p11-kit-server.service +%{_userunitdir}/p11-kit-server.socket + + +%changelog +* Fri Dec 01 2023 Zoltan Fridrich - 0.23.22-2 +- Add IBM specific mechanisms and attributes + Resolves: RHEL-10571 + +* Mon Jan 11 2021 Daiki Ueno - 0.23.22-1 +- Rebase to 0.23.22 to fix memory safety issues (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363) +- Preserve DT_NEEDED information from the previous version, flagged by rpmdiff +- Add xsltproc to BR + +* Tue Nov 10 2020 Daiki Ueno - 0.23.21-4 +- Fix realloc usage on proxy cleanup (#1894979) +- Make 'trust anchor --store' preserve all attributes from .p11-kit files + +* Tue Nov 3 2020 Daiki Ueno - 0.23.21-3 +- Restore clobbered changelog entry + +* Mon Nov 2 2020 Daiki Ueno - 0.23.21-2 +- Update p11-kit-invalid-config.patch to be more thorough (thanks to + Alexander Sosedkin) + +* Tue Oct 20 2020 Daiki Ueno - 0.23.21-1 +- Update to upstream 0.23.21 release + +* Fri Mar 29 2019 Daiki Ueno - 0.23.14-5 +- Fix crash on unloading the library, when it is both linked and dlopen'ed + +* Mon Oct 29 2018 Daiki Ueno - 0.23.14-4 +- Prefer fixed closures to libffi closures + +* Wed Oct 17 2018 Daiki Ueno - 0.23.14-3 +- Update p11-kit-coverity.patch + +* Tue Oct 16 2018 Daiki Ueno - 0.23.14-2 +- Fix issues spotted by coverity + +* Wed Oct 10 2018 Daiki Ueno - 0.23.14-1 +- Update to upstream 0.23.14 release + +* Wed May 30 2018 Daiki Ueno - 0.23.12-1 +- Update to upstream 0.23.11 release + +* Wed Feb 28 2018 Daiki Ueno - 0.23.10-1 +- Update to upstream 0.23.10 release + +* Thu Feb 08 2018 Fedora Release Engineering - 0.23.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Oct 05 2017 Daiki Ueno - 0.23.9-2 +- server: Make it possible to eval envvar settings + +* Wed Oct 04 2017 Daiki Ueno - 0.23.9-1 +- Update to upstream 0.23.9 + +* Fri Aug 25 2017 Kai Engert - 0.23.8-2 +- Fix a regression caused by a recent nss.rpm change, add a %%ghost file + for %%{_libdir}/libnssckbi.so that p11-kit-trust scripts install. + +* Tue Aug 15 2017 Daiki Ueno - 0.23.8-1 +- Update to 0.23.8 release + +* Thu Aug 03 2017 Fedora Release Engineering - 0.23.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.23.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 2 2017 Daiki Ueno - 0.23.7-1 +- Update to 0.23.7 release + +* Thu May 18 2017 Daiki Ueno - 0.23.5-3 +- Update p11-kit-modifiable.patch to simplify the logic + +* Thu May 18 2017 Daiki Ueno - 0.23.5-2 +- Make "trust anchor --remove" work again + +* Thu Mar 2 2017 Daiki Ueno - 0.23.5-1 +- Update to 0.23.5 release +- Rename -tools subpackage to -server and remove systemd unit files + +* Fri Feb 24 2017 Daiki Ueno - 0.23.4-3 +- Move p11-kit command back to main package + +* Fri Feb 24 2017 Daiki Ueno - 0.23.4-2 +- Split out command line tools to -tools subpackage, to avoid a + multilib issue with the main package. Suggested by Yanko Kaneti. + +* Wed Feb 22 2017 Daiki Ueno - 0.23.4-1 +- Update to 0.23.4 release + +* Sat Feb 11 2017 Fedora Release Engineering - 0.23.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Jan 6 2017 Daiki Ueno - 0.23.3-2 +- Use internal hash implementation instead of NSS (#1390598) + +* Tue Dec 20 2016 Daiki Ueno - 0.23.3-1 +- Update to 0.23.3 release +- Adjust executables location from %%libdir to %%libexecdir + +* Thu Feb 04 2016 Fedora Release Engineering - 0.23.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 12 2016 Martin Preisler - 0.23.2-1 +- Update to stable 0.23.2 release + +* Tue Jun 30 2015 Martin Preisler - 0.23.1-4 +- In proxy module don't call C_Finalize on a forked process [#1217915] +- Do not deinitialize libffi's wrapper functions [#1217915] + +* Thu Jun 18 2015 Fedora Release Engineering - 0.23.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Feb 21 2015 Till Maas - 0.23.1-2 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Fri Feb 20 2015 Stef Walter - 0.23.1-1 +- Update to 0.23.1 release + +* Thu Oct 09 2014 Stef Walter - 0.22.1-1 +- Update to 0.22.1 release +- Use SubjectKeyIdentifier as a CKA_ID if possible rhbz#1148895 + +* Sat Oct 04 2014 Stef Walter 0.22.0-1 +- Update to 0.22.0 release + +* Wed Sep 17 2014 Stef Walter 0.21.3-1 +- Update to 0.21.3 release +- Includes definitions for trust extensions rhbz#1136817 + +* Fri Sep 05 2014 Stef Walter 0.21.2-1 +- Update to 0.21.2 release +- Fix problems with erroneous messages printed rhbz#1133857 + +* Sun Aug 17 2014 Fedora Release Engineering - 0.21.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Thu Aug 07 2014 Stef Walter - 0.21.1-1 +- Update to 0.21.1 release + +* Wed Jul 30 2014 Tom Callaway - 0.20.3-3 +- fix license handling + +* Fri Jul 04 2014 Stef Walter - 0.20.3-2 +- Update to stable 0.20.3 release + +* Fri Jun 06 2014 Fedora Release Engineering - 0.20.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Jan 25 2014 Ville Skyttä - 0.20.2-2 +- Own the %%{_libdir}/pkcs11 dir in -trust. + +* Tue Jan 14 2014 Stef Walter - 0.20.2-1 +- Update to upstream stable 0.20.2 release +- Fix regression involving blacklisted anchors [#1041328] +- Support ppc64le in build [#1052707] + +* Mon Sep 09 2013 Stef Walter - 0.20.1-1 +- Update to upstream stable 0.20.1 release +- Extract compat trust data after we've changes +- Skip compat extraction if running as non-root +- Better failure messages when removing anchors + +* Thu Aug 29 2013 Stef Walter - 0.19.4-1 +- Update to new upstream 0.19.4 release + +* Sat Aug 03 2013 Fedora Release Engineering - 0.19.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 24 2013 Stef Walter - 0.19.3-1 +- Update to new upstream 0.19.3 release (#967822) + +* Wed Jun 05 2013 Stef Walter - 0.18.3-1 +- Update to new upstream stable release +- Fix intermittent firefox cert validation issues (#960230) +- Include the manual pages in the package + +* Tue May 14 2013 Stef Walter - 0.18.2-1 +- Update to new upstream stable release +- Reduce the libtasn1 dependency minimum version + +* Thu May 02 2013 Stef Walter - 0.18.1-1 +- Update to new upstream stable release +- 'p11-kit extract-trust' lives in libdir + +* Thu Apr 04 2013 Stef Walter - 0.18.0-1 +- Update to new upstream stable release +- Various logging tweaks (#928914, #928750) +- Make the 'p11-kit extract-trust' explicitly reject + additional arguments + +* Thu Mar 28 2013 Stef Walter - 0.17.5-1 +- Make 'p11-kit extract-trust' call update-ca-trust +- Work around 32-bit oveflow of certificate dates +- Build fixes + +* Tue Mar 26 2013 Stef Walter - 0.17.4-2 +- Pull in patch from upstream to fix build on ppc (#927394) + +* Wed Mar 20 2013 Stef Walter - 0.17.4-1 +- Update to upstream version 0.17.4 + +* Mon Mar 18 2013 Stef Walter - 0.17.3-1 +- Update to upstream version 0.17.3 +- Put the trust input paths in the right order + +* Tue Mar 12 2013 Stef Walter - 0.16.4-1 +- Update to upstream version 0.16.4 + +* Fri Mar 08 2013 Stef Walter - 0.16.3-1 +- Update to upstream version 0.16.3 +- Split out system trust module into its own package. +- p11-kit-trust provides an alternative to an nss module + +* Tue Mar 05 2013 Stef Walter - 0.16.1-1 +- Update to upstream version 0.16.1 +- Setup source directories as appropriate for Shared System Certificates feature + +* Tue Mar 05 2013 Stef Walter - 0.16.0-1 +- Update to upstream version 0.16.0 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Sep 17 2012 Kalev Lember - 0.14-1 +- Update to 0.14 + +* Fri Jul 20 2012 Fedora Release Engineering - 0.13-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jul 16 2012 Kalev Lember - 0.13-1 +- Update to 0.13 + +* Tue Mar 27 2012 Kalev Lember - 0.12-1 +- Update to 0.12 +- Run self tests in %%check + +* Sat Feb 11 2012 Kalev Lember - 0.11-1 +- Update to 0.11 + +* Fri Jan 13 2012 Fedora Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Dec 20 2011 Matthias Clasen - 0.9-1 +- Update to 0.9 + +* Wed Oct 26 2011 Kalev Lember - 0.8-1 +- Update to 0.8 + +* Mon Sep 19 2011 Matthias Clasen - 0.6-1 +- Update to 0.6 + +* Sun Sep 04 2011 Kalev Lember - 0.5-1 +- Update to 0.5 + +* Sun Aug 21 2011 Kalev Lember - 0.4-1 +- Update to 0.4 +- Install the example config file to documentation directory + +* Wed Aug 17 2011 Kalev Lember - 0.3-2 +- Tighten -devel subpackage deps (#725905) + +* Fri Jul 29 2011 Kalev Lember - 0.3-1 +- Update to 0.3 +- Upstream rewrote the ASL 2.0 bits, which makes the whole package + BSD-licensed + +* Tue Jul 12 2011 Kalev Lember - 0.2-1 +- Initial RPM release