diff --git a/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch b/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch
new file mode 100644
index 0000000..dca81c1
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch
@@ -0,0 +1,59 @@
+commit d6ba9ff61743ce869a5a677f6f77339642efef4b
+Author: Ingo Franzki
+Date: Tue Sep 24 14:35:59 2019 +0200
+
+ EP11: Support tolerated new crypto cards
+
+ With just toleration support of new crypt cards, new crypto
+ cards are reported as the last known crypto card version.
+ E.g. a CEX7 card is reported as CEX6, when CEX6 is the last
+ known crypto card version.
+
+ The EP11 token checks the card versions and needs to distinguish
+ tolerated cards from supported cards. New (tolerated) crypto cards
+ may have different API and firmware versions, and thus need to be
+ handled differently.
+
+
Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index e22dad5d..a65accea 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -8253,6 +8253,7 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
+ char fname[PATH_MAX];
+ char buf[250];
+ CK_RV rc;
++ CK_ULONG hwtype, rawtype;
+
+ sprintf(fname, "%scard%02x/type", SYSFS_DEVICES_AP, adapter);
+ rc = file_fgets(fname, buf, sizeof(buf));
+@@ -8260,6 +8261,28 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
+ return rc;
+ if (sscanf(buf, "CEX%luP", type) != 1)
+ return CKR_FUNCTION_FAILED;
++
++ sprintf(fname, "%scard%02x/hwtype", SYSFS_DEVICES_AP, adapter);
++ rc = file_fgets(fname, buf, sizeof(buf));
++ if (rc != CKR_OK)
++ return rc;
++ if (sscanf(buf, "%lu", &hwtype) != 1)
++ return CKR_FUNCTION_FAILED;
++
++ sprintf(fname, "%scard%02x/raw_hwtype", SYSFS_DEVICES_AP, adapter);
++ rc = file_fgets(fname, buf, sizeof(buf));
++ if (rc != CKR_OK)
++ return rc;
++ if (sscanf(buf, "%lu", &rawtype) != 1)
++ return CKR_FUNCTION_FAILED;
++
++ if (rawtype > hwtype) {
++ TRACE_DEVEL("%s adapter: %u hwtype: %lu raw_hwtype: %lu\n",
++ __func__, adapter, hwtype, rawtype);
++ /* Tolerated new card level: report calculated type */
++ *type += (rawtype - hwtype);
++ }
++
+ return CKR_OK;
+ }
+
diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch
new file mode 100644
index 0000000..07793ee
--- /dev/null
+++ b/SOURCES/opencryptoki-3.11.1-use-soname.patch
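Review bot: In get_card_type() as changed by the EP11 toleration patch (opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch), a failed read or parse of the new `hwtype` or `raw_hwtype` sysfs attribute now fails the whole card-type lookup, where before only `type` had to be readable. If file_fgets() reports an error for a missing attribute (its body is not shown here), a kernel whose AP bus does not export `raw_hwtype` would leave the EP11 token without a usable adapter. If rejecting such adapters is intended, a comment above the new reads should say so, e.g. `/* hwtype and raw_hwtype are required: an adapter whose level cannot be determined is rejected */`; otherwise return CKR_OK with the unadjusted `*type` when either attribute is absent. The added `sprintf` calls into `fname` also repeat the existing unbounded pattern, and `snprintf(fname, sizeof(fname), ...)` would make the bound explicit. The function begins above the first inner hunk, so its callers and the remaining body are not visible.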
@@ -0,0 +1,61 @@
+From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Mon, 12 Aug 2019 10:54:27 +0200
+Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Ingo Franzki
+Signed-off-by: Dan Horák
+---
+ usr/lib/ica_s390_stdll/ica_specific.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
+index d5a6d554..a72ce774 100644
+--- a/usr/lib/ica_s390_stdll/ica_specific.c
++++ b/usr/lib/ica_s390_stdll/ica_specific.c
+@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11";
+
+ static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER;
+
+-#define LIBICA_SHARED_LIB "libica.so"
++#define LIBICA_SHARED_LIB "libica.so.3"
+ #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym))
+
+ #ifndef NO_EC
+--
+2.21.0
+
+
+From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001
+From: Ingo Franzki
+Date: Mon, 12 Aug 2019 10:54:44 +0200
+Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Ingo Franzki
+Signed-off-by: Dan Horák
+---
+ usr/lib/ep11_stdll/ep11_specific.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 231dd200..a3f14351 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -58,7 +58,7 @@
+ #include "ep11_specific.h"
+
+ #define EP11SHAREDLIB "libep11.so"
+-#define ICASHAREDLIB "libica.so"
++#define ICASHAREDLIB "libica.so.3"
+
+ CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
+ CK_MECHANISM_TYPE_PTR mlist,
+--
+2.21.0
+
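Review bot: `EP11SHAREDLIB` stays `"libep11.so"` in the context line directly above the changed `ICASHAREDLIB` in ep11_specific.c, so the EP11 token still refers to one of its two libraries by the unversioned name. If the unversioned `libep11.so` name is provided only by a development package, which is presumably what happened with `libica.so`, the same missing-token symptom can recur; the packaging is not visible here, so this needs confirming. The major version `3` is now a literal in both ica_specific.c and ep11_specific.c with nothing tying it to the installed libica. A comment next to each define, such as `/* must match the libica soname shipped with the distribution */`, would flag the coupling for the next soname bump.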
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 28cc2a3..3cc6c7b 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -3,7 +3,7 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 Version: 3.11.0 -Release: 3%{?dist} +Release: 5%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki @@ -21,6 +21,10 @@ Patch3: opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patc Patch4: opencryptoki-3.11.0-covscan.patch # bz#1688891, C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key Patch5: opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch +# bz#1766090, EP11: Support tolerated new crypto cards +Patch6: opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch +# bz#1769258 - ICA HW token missing after the package update +Patch7: opencryptoki-3.11.1-use-soname.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -193,6 +197,8 @@ configured with Enterprise PKCS#11 (EP11) firmware. %patch3 -p1 -b .EP11_token_fails_when_using_Strict-Session_mode_or_VHSM-Mode %patch4 -p1 -b .coverity %patch5 -p1 -b .created-MACed-SPKIs-when-importing-public-keys +%patch6 -p1 -b .support-tolerated-new-crypto-cards +%patch7 -p1 -b .soname # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x @@ -347,6 +353,12 @@ fi %changelog +* Wed Nov 06 2019 Than Ngo - 3.11.0-5 +- Resolves: #1769258, ICA HW token missing after the package update + +* Mon Oct 28 2019 Than Ngo - 3.11.0-4 +- Resolves: #1766090, EP11: Support tolerated new crypto cards + * Thu Mar 14 2019 Than Ngo - 3.11.0-3 - Resolves: #1688891 - C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key