From 12cf547c4749d31525a1e00aff43a0c55ae637d9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 30 2018 05:04:55 +0000 Subject: import opencryptoki-3.10.0-2.el7 --- diff --git a/.gitignore b/.gitignore index 505ebb9..6ecbd3b 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v3.7.0.tar.gz +SOURCES/v3.10.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index 9bdf187..a3d1292 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -9bc7d5796566c18583d6d4abb2e962d22bc8480e SOURCES/v3.7.0.tar.gz +93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/v3.10.0.tar.gz diff --git a/SOURCES/opencryptoki-3.10-ica-token.patch b/SOURCES/opencryptoki-3.10-ica-token.patch new file mode 100644 index 0000000..2a32d4c --- /dev/null +++ b/SOURCES/opencryptoki-3.10-ica-token.patch @@ -0,0 +1,107 @@ +From 227ffdba6b919e18b03fed59b07e2c0212b40303 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 2 Aug 2018 14:48:47 +0200 +Subject: [PATCH 1/2] Fix bug with master key encryption with FIPS enabled + libica + +When running with a FIPS enabled libica, the ICA token fails to +initialize, because the 3DES key derived from the user or SO pin is +considered invalid because the first and the third part of the +3DES key is the same. + +For clear key tokens, the token specific 3DES-CBC function is +used for the master key encryption. In case of the ICA token, +the ICA token specific 3DES-CBC function fails, because libica +rejects the key when compiled with FIPS support. This leads to +an error during token initialization. + +Instead of using the token specific 3DES-CBC function, the code +now always falls back to the (OpenSSL) based software encryption +function, as it is also done for secure key tokens. + +Signed-off-by: Ingo Franzki +--- + usr/lib/pkcs11/common/loadsave.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c +index a593b932..a5532c9d 100644 +--- a/usr/lib/pkcs11/common/loadsave.c ++++ b/usr/lib/pkcs11/common/loadsave.c +@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata, + /* If token doesn't have a specific key size that means that it uses a + * clear key. + */ +- if (token_specific.token_keysize == 0) { ++ if (token_specific.token_keysize == 0 && ++ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { + return encrypt_data(tokdata, key, keylen, iv, clear, clear_len, + cipher, p_cipher_len); + } + +- /* Fall back to a software alternative if key is secure. */ ++ /* Fall back to a software alternative if key is secure, or ++ * if token's data store encryption algorithm is 3DES_CBC */ + initial_vector = duplicate_initial_vector(iv); + if (initial_vector == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); +@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata, + /* If token doesn't have a specific key size that means that it uses a + * clear key. + */ +- if (token_specific.token_keysize == 0) { ++ if (token_specific.token_keysize == 0 && ++ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { + return decrypt_data(tokdata, key, keylen, iv, cipher, + cipher_len, clear, p_clear_len); + } + +- /* Fall back to a software alternative if key is secure. */ ++ /* Fall back to a software alternative if key is secure, or ++ * if token's data store encryption algorithm is 3DES_CBC */ + initial_vector = duplicate_initial_vector(iv); + if (initial_vector == NULL) { + TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); +-- +2.17.1 + + +From 3e091d7ff34a56eac0b9a5e8eaf92e5a7cf11b7f Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Tue, 7 Aug 2018 14:45:05 +0200 +Subject: [PATCH 2/2] TESTCASE: Disable 3DES test vectors with non-FIPS + compliant keys + +The 3DES test vectors contain keys that are considered invalid +by a FIPS enabled libica because the first, middle and/and third +part of the 3DES key are the same. + +Signed-off-by: Ingo Franzki +--- + testcases/crypto/des3.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/testcases/crypto/des3.h b/testcases/crypto/des3.h +index e1bb1038..1860778e 100644 +--- a/testcases/crypto/des3.h ++++ b/testcases/crypto/des3.h +@@ -850,7 +850,16 @@ static struct des3_test_vector des3_ofb64_tv[] = { + } + }; + ++/* ++ * All above test vectors use keys that are not FIPS compliant. ++ * This will cause the testcase to fail when the token performs FIPS key ++ * checks. ++ */ ++#ifdef NON_FIPS_COMPLIANT_TEST_VECTORS + # define NUM_OF_PUBLISHED_TESTSUITES 5 ++#else ++# define NUM_OF_PUBLISHED_TESTSUITES 0 ++#endif + + struct published_test_suite_info published_test_suites[] = { + { +-- +2.17.1 + diff --git a/SOURCES/opencryptoki-3.2-conditional-manpages.patch b/SOURCES/opencryptoki-3.2-conditional-manpages.patch deleted file mode 100644 index 0e15fdc..0000000 --- a/SOURCES/opencryptoki-3.2-conditional-manpages.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am -index f2274d7..d98ae8c 100644 ---- a/man/man1/Makefile.am -+++ b/man/man1/Makefile.am -@@ -1,3 +1,12 @@ --man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1 -+man1_MANS=pkcsconf.1 pkcsicsf.1 -+ -+if ENABLE_PKCSEP11_MIGRATE -+man1_MANS += pkcsep11_migrate.1 -+endif -+ -+if ENABLE_CCATOK -+man1_MANS += pkcscca.1 -+endif -+ - EXTRA_DIST = $(man1_MANS) - CLEANFILES = $(man1_MANS) diff --git a/SOURCES/opencryptoki-3.4-fix-root-checks.patch b/SOURCES/opencryptoki-3.4-fix-root-checks.patch deleted file mode 100644 index ba2b5c7..0000000 --- a/SOURCES/opencryptoki-3.4-fix-root-checks.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up opencryptoki/usr/lib/pkcs11/common/new_host.c.fix-root opencryptoki/usr/lib/pkcs11/common/new_host.c -diff -up opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root opencryptoki/usr/lib/pkcs11/common/utility.c ---- opencryptoki/usr/lib/pkcs11/common/utility.c.fix-root 2015-12-04 15:27:56.038413538 +0100 -+++ opencryptoki/usr/lib/pkcs11/common/utility.c 2015-12-04 15:28:02.557395798 +0100 -@@ -1122,7 +1122,7 @@ CK_RV check_user_and_group() - euid = geteuid(); - - /* Root or effective Root is ok */ -- if (uid == 0 && euid == 0) -+ if (uid == 0 || euid == 0) - return CKR_OK; - - /* diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 49a7ac1..3d83028 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -2,18 +2,15 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.7.0 -Release: 1%{?dist} +Version: 3.10.0 +Release: 2%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz Source1: %{name}-tmpfiles.conf -# do not install pkcsep11_migrate.1 and pkcscca.1 when it's not enabled -# https://bugzilla.redhat.com/show_bug.cgi?id=732756 -# https://bugzilla.redhat.com/show_bug.cgi?id=1122505#c8 -Patch0: %{name}-3.4-fix-root-checks.patch -Patch1: %{name}-3.2-conditional-manpages.patch + +Patch0: opencryptoki-3.10-ica-token.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -180,8 +177,7 @@ configured with Enterprise PKCS#11 (EP11) firmware. %prep %setup -q -n %{name}-%{version} -%patch0 -p1 -b .fix-root -%patch1 -p1 -b .man +%patch0 -p1 -b .ica # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x @@ -258,8 +254,8 @@ exit 0 %files -%doc ChangeLog FAQ README -%doc doc/openCryptoki-HOWTO.pdf +%doc ChangeLog FAQ README.md +%doc doc/opencryptoki-howto.md %doc doc/README.token_data %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf @@ -324,7 +320,6 @@ exit 0 %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/lite/TOK_OBJ/ %files ccatok -%doc doc/README-IBM_CCA_users %doc doc/README.cca_stdll %{_sbindir}/pkcscca %{_mandir}/man1/pkcscca.1* @@ -336,8 +331,11 @@ exit 0 %files ep11tok %doc doc/README.ep11_stdll %config(noreplace) %{_sysconfdir}/%{name}/ep11tok.conf +%config(noreplace) %{_sysconfdir}/%{name}/ep11cpfilter.conf %{_sbindir}/pkcsep11_migrate +%{_sbindir}/pkcsep11_session %{_mandir}/man1/pkcsep11_migrate.1.* +%{_mandir}/man1/pkcsep11_session.1* %{_libdir}/opencryptoki/stdll/libpkcs11_ep11.* %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name}/ep11tok/ @@ -346,6 +344,15 @@ exit 0 %changelog +* Thu Aug 23 2018 Sinny Kumari - 3.10.0-2 +- Resolves: #1613743 - ICA Token specific des3 cbc encrypt failed - token not available + +* Fri Jun 22 2018 Sinny Kumari - 3.10.0-1 +- Rebase to 3.10.0 +- Resolves: #1519383 - openCryptoki token for EP11 - crucial enhancements for s390x +- Remove opencryptoki-3.4-fix-root-checks.patch, fixed in 3.9.0 +- Remove opencryptoki-3.2-conditional-manpages.patch, fixed in 3.9.0 + * Tue Oct 03 2017 Sinny Kumari - 3.7.0-1 - RHBZ#1456520 - Rebase opencryptoki to 3.7.0 - Include libitm-devel as BuildRequires