diff --git a/.gitignore b/.gitignore index d7ed41a..3e095fa 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/opencryptoki-3.11.0.tar.gz +SOURCES/opencryptoki-3.12.1.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index 7bea2cc..5177ce9 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -86808ac3d57f22e9ba7d27b0d3bd50a686e72fad SOURCES/opencryptoki-3.11.0.tar.gz +8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz diff --git a/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch deleted file mode 100644 index d5b516a..0000000 --- a/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch +++ /dev/null @@ -1,55 +0,0 @@ -commit 1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b -Author: Ingo Franzki -Date: Mon Nov 19 13:30:09 2018 +0100 - - EP11: Fix target_list passing for EP11-session logon/logoff - - The target list is passed incorrectly to the handle_all_ep11_cards() - function. Dependent on memory content, this can cause it to - fail processing all EP11 cards. This will most likely cause a - CKR_DEVICE_ERROR to be returned by C_Login when the STRICT_SESSION - and/or VHSM_MODE is enabled in the ep11tok.conf config file. - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 2129762f..05332429 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -7600,7 +7600,7 @@ CK_RV ep11tok_login_session(STDLL_TokData_t * tokdata, SESSION * session) - } - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) { - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); -@@ -7646,8 +7646,7 @@ done: - if (ep11_session->flags & - (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { - rc2 = -- handle_all_ep11_cards((ep11_target_t *) & -- ep11_data->target_list, -+ handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc2 != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", -@@ -7700,7 +7699,7 @@ static CK_RV ep11tok_relogin_session(STDLL_TokData_t * tokdata, - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); -@@ -7747,7 +7746,7 @@ CK_RV ep11tok_logout_session(STDLL_TokData_t * tokdata, SESSION * session) - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); diff --git a/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch b/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch deleted file mode 100644 index 6a841c6..0000000 --- a/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch +++ /dev/null @@ -1,215 +0,0 @@ -commit bedf46da28da6231607a12e35414cd59b4432f9f -Author: Ingo Franzki -Date: Fri Mar 1 11:03:47 2019 +0100 - - EP11: Created MACed-SPKIs when importing public keys - - The EP11 host library does not allow to use plain SPKIs as - public key blobs for encrypt operations, this requires - MACed-SPKIs. Create MACed-SPKIs whenever public keys are - imported, and store it in CKA_IBM_OPAQUE instead of the - plain SPKI. - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 41d500a4..5416a413 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -2043,6 +2043,120 @@ CK_RV ep11tok_final(STDLL_TokData_t * tokdata) - return CKR_OK; - } - -+/* -+ * Makes a public key blob which is a MACed SPKI of the public key. -+ */ -+static CK_RV make_maced_spki(STDLL_TokData_t *tokdata, SESSION * sess, -+ OBJECT *pub_key_obj, -+ CK_BYTE *spki, CK_ULONG spki_len, -+ CK_BYTE *maced_spki, CK_ULONG *maced_spki_len) -+{ -+ ep11_private_data_t *ep11_data = tokdata->private_data; -+ unsigned char *ep11_pin_blob = NULL; -+ CK_ULONG ep11_pin_blob_len = 0; -+ ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data; -+ CK_MECHANISM mech = { CKM_IBM_TRANSPORTKEY, 0, 0 }; -+ CK_ATTRIBUTE_PTR p_attrs = NULL; -+ CK_ULONG attrs_len = 0; -+ CK_ATTRIBUTE_PTR attr; -+ CK_BBOOL bool_value; -+ DL_NODE *node; -+ CK_BYTE csum[MAX_BLOBSIZE]; -+ CK_ULONG cslen = sizeof(csum); -+ CK_KEY_TYPE keytype; -+ CK_RV rc; -+ -+ rc = template_attribute_find(pub_key_obj->template, CKA_KEY_TYPE, &attr); -+ if (rc == FALSE) { -+ TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n"); -+ return CKR_TEMPLATE_INCOMPLETE; -+ } -+ keytype = *(CK_KEY_TYPE *)attr->pValue; -+ -+ /* -+ * m_UnwrapKey with CKM_IBM_TRANSPORTKEY allows boolean attributes only to -+ * be added to MACed-SPKIs -+ */ -+ node = pub_key_obj->template->attribute_list; -+ while (node != NULL) { -+ attr = node->data; -+ -+ switch (attr->type) { -+ case CKA_ENCRYPT: -+ case CKA_VERIFY: -+ case CKA_VERIFY_RECOVER: -+ /* -+ * EP11 does not allow to restrict public RSA/DSA/EC keys with -+ * CKA_VERIFY=FALSE and/or CKA_ENCRYPT=FALSE since it can not -+ * technically enforce the restrictions. Therefore override these -+ * attributes for the EP11 library, but keep the original attribute -+ * values in the object. -+ */ -+ if (keytype == CKK_EC || keytype == CKK_RSA || keytype == CKK_DSA) -+ bool_value = CK_TRUE; -+ else -+ bool_value = *(CK_BBOOL *)attr->pValue; -+ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, -+ &bool_value, sizeof(bool_value)); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", -+ __func__, attr->type, rc); -+ goto make_maced_spki_end; -+ } -+ break; -+ -+ case CKA_EXTRACTABLE: -+ //case CKA_NEVER_EXTRACTABLE: -+ //case CKA_MODIFIABLE: -+ case CKA_DERIVE: -+ case CKA_WRAP: -+ //case CKA_LOCAL: -+ case CKA_TRUSTED: -+ case CKA_IBM_RESTRICTABLE: -+ case CKA_IBM_NEVER_MODIFIABLE: -+ case CKA_IBM_ATTRBOUND: -+ case CKA_IBM_USE_AS_DATA: -+ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, -+ attr->pValue, attr->ulValueLen); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", -+ __func__, attr->type, rc); -+ goto make_maced_spki_end; -+ } -+ break; -+ -+ default: -+ break; -+ } -+ node = node->next; -+ } -+ -+ ep11_get_pin_blob(ep11_session, object_is_session_object(pub_key_obj), -+ &ep11_pin_blob, &ep11_pin_blob_len); -+ -+ RETRY_START -+ rc = dll_m_UnwrapKey(spki, spki_len, NULL, 0, NULL, 0, -+ ep11_pin_blob, ep11_pin_blob_len, &mech, -+ p_attrs, attrs_len, maced_spki, maced_spki_len, -+ csum, &cslen, -+ (uint64_t) ep11_data->target_list); -+ RETRY_END(rc, tokdata, sess) -+ -+ if (rc != CKR_OK) { -+ rc = ep11_error_to_pkcs11_error(rc, sess); -+ TRACE_ERROR("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", -+ __func__, rc, spki_len, *maced_spki_len); -+ } else { -+ TRACE_INFO("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", -+ __func__, rc, spki_len, *maced_spki_len); -+ } -+ -+make_maced_spki_end: -+ if (p_attrs != NULL) -+ cleanse_and_free_attribute_array(p_attrs, attrs_len); -+ -+ return rc; -+} - - /* - * makes blobs for private imported RSA keys and -@@ -2140,10 +2254,15 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess, - } - - /* save the SPKI as blob although it is not a blob. -- * The card expects SPKIs as public keys. -+ * The card expects MACed-SPKIs as public keys. - */ -- memcpy(blob, data, data_len); -- *blob_size = data_len; -+ rc = make_maced_spki(tokdata, sess, rsa_key_obj, data, data_len, -+ blob, blob_size); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", -+ __func__, rc); -+ goto import_RSA_key_end; -+ } - - } else { - -@@ -2331,10 +2450,15 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess, - } - - /* save the SPKI as blob although it is not a blob. -- * The card expects SPKIs as public keys. -+ * The card expects MACed-SPKIs as public keys. - */ -- memcpy(blob, data, data_len); -- *blob_size = data_len; -+ rc = make_maced_spki(tokdata, sess, ec_key_obj, data, data_len, -+ blob, blob_size); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", -+ __func__, rc); -+ goto import_EC_key_end; -+ } - - } else { - -@@ -2531,10 +2655,15 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess, - } - - /* save the SPKI as blob although it is not a blob. -- * The card expects SPKIs as public keys. -+ * The card expects MACed-SPKIs as public keys. - */ -- memcpy(blob, data, data_len); -- *blob_size = data_len; -+ rc = make_maced_spki(tokdata, sess, dsa_key_obj, data, data_len, -+ blob, blob_size); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", -+ __func__, rc); -+ goto import_DSA_key_end; -+ } - - } else { - -@@ -2723,10 +2852,15 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess, - } - - /* save the SPKI as blob although it is not a blob. -- * The card expects SPKIs as public keys. -+ * The card expects MACed-SPKIs as public keys. - */ -- memcpy(blob, data, data_len); -- *blob_size = data_len; -+ rc = make_maced_spki(tokdata, sess, dh_key_obj, data, data_len, -+ blob, blob_size); -+ if (rc != CKR_OK) { -+ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", -+ __func__, rc); -+ goto import_DH_key_end; -+ } - - } else { - diff --git a/SOURCES/opencryptoki-3.11.0-covscan.patch b/SOURCES/opencryptoki-3.11.0-covscan.patch deleted file mode 100644 index b1538f4..0000000 --- a/SOURCES/opencryptoki-3.11.0-covscan.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff -up opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity opencryptoki-3.11.0/usr/lib/api/apiutil.c ---- opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity 2018-11-16 15:53:03.000000000 +0100 -+++ opencryptoki-3.11.0/usr/lib/api/apiutil.c 2019-02-21 11:56:00.131624101 +0100 -@@ -51,16 +51,12 @@ extern API_Proc_Struct_t *Anchor; - - CK_RV CreateProcLock(void) - { -- struct stat statbuf; -- - if (xplfd == -1) { - - /* The slot mgr daemon should have already created lock, - * so just open it so we can get a lock... - */ -- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) -- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); -- -+ xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); - if (xplfd == -1) { - OCK_SYSLOG(LOG_ERR, "Could not open %s\n", OCK_API_LOCK_FILE); - return CKR_FUNCTION_FAILED; -diff -up opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c ---- opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity 2018-11-16 15:53:03.000000000 +0100 -+++ opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c 2019-02-21 11:47:52.097612395 +0100 -@@ -26,15 +26,10 @@ int CreateXProcLock(void) - { - struct group *grp; - mode_t mode = (S_IRUSR | S_IRGRP); -- struct stat statbuf; - - if (xplfd == -1) { -- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) { -- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY, mode); -- } else { -- xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); -- -- if (xplfd != -1) { -+ xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); -+ if (xplfd != -1) { - if (fchmod(xplfd, mode) == -1) { - DbgLog(DL0, "%s:fchmod(%s):%s\n", - __func__, OCK_API_LOCK_FILE, strerror(errno)); -@@ -54,9 +49,7 @@ int CreateXProcLock(void) - __func__, strerror(errno)); - goto error; - } -- } -- } -- if (xplfd == -1) { -+ } else { - DbgLog(DL0, "open(%s): %s\n", OCK_API_LOCK_FILE, strerror(errno)); - return FALSE; - } diff --git a/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch b/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch deleted file mode 100644 index dca81c1..0000000 --- a/SOURCES/opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch +++ /dev/null @@ -1,59 +0,0 @@ -commit d6ba9ff61743ce869a5a677f6f77339642efef4b -Author: Ingo Franzki -Date: Tue Sep 24 14:35:59 2019 +0200 - - EP11: Support tolerated new crypto cards - - With just toleration support of new crypt cards, new crypto - cards are reported as the last known crypto card version. - E.g. a CEX7 card is reported as CEX6, when CEX6 is the last - known crypto card version. - - The EP11 token checks the card versions and needs to distinguish - tolerated cards from supported cards. New (tolerated) crypto cards - may have different API and firmware versions, and thus need to be - handled differently. - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index e22dad5d..a65accea 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -8253,6 +8253,7 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type) - char fname[PATH_MAX]; - char buf[250]; - CK_RV rc; -+ CK_ULONG hwtype, rawtype; - - sprintf(fname, "%scard%02x/type", SYSFS_DEVICES_AP, adapter); - rc = file_fgets(fname, buf, sizeof(buf)); -@@ -8260,6 +8261,28 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type) - return rc; - if (sscanf(buf, "CEX%luP", type) != 1) - return CKR_FUNCTION_FAILED; -+ -+ sprintf(fname, "%scard%02x/hwtype", SYSFS_DEVICES_AP, adapter); -+ rc = file_fgets(fname, buf, sizeof(buf)); -+ if (rc != CKR_OK) -+ return rc; -+ if (sscanf(buf, "%lu", &hwtype) != 1) -+ return CKR_FUNCTION_FAILED; -+ -+ sprintf(fname, "%scard%02x/raw_hwtype", SYSFS_DEVICES_AP, adapter); -+ rc = file_fgets(fname, buf, sizeof(buf)); -+ if (rc != CKR_OK) -+ return rc; -+ if (sscanf(buf, "%lu", &rawtype) != 1) -+ return CKR_FUNCTION_FAILED; -+ -+ if (rawtype > hwtype) { -+ TRACE_DEVEL("%s adapter: %u hwtype: %lu raw_hwtype: %lu\n", -+ __func__, adapter, hwtype, rawtype); -+ /* Tolerated new card level: report calculated type */ -+ *type += (rawtype - hwtype); -+ } -+ - return CKR_OK; - } - diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch deleted file mode 100644 index 756f55d..0000000 --- a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c ---- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100 -+++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100 -@@ -1072,6 +1072,9 @@ CK_RV init(void) - if (rc != CKR_OK) { - printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc, - p11_get_ckr(rc)); -+ printf("Note: all non-root users that require access to PKCS#11 tokens " -+ "using opencryptoki must be assigned to the pkcs11 group to be " -+ "able to communicate with the pkcsslotd daemon.\n"); - fflush(stdout); - cleanup(); - } diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch deleted file mode 100644 index 07793ee..0000000 --- a/SOURCES/opencryptoki-3.11.1-use-soname.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 12 Aug 2019 10:54:27 +0200 -Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Ingo Franzki -Signed-off-by: Dan Horák ---- - usr/lib/ica_s390_stdll/ica_specific.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c -index d5a6d554..a72ce774 100644 ---- a/usr/lib/ica_s390_stdll/ica_specific.c -+++ b/usr/lib/ica_s390_stdll/ica_specific.c -@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11"; - - static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER; - --#define LIBICA_SHARED_LIB "libica.so" -+#define LIBICA_SHARED_LIB "libica.so.3" - #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym)) - - #ifndef NO_EC --- -2.21.0 - - -From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 12 Aug 2019 10:54:44 +0200 -Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Ingo Franzki -Signed-off-by: Dan Horák ---- - usr/lib/ep11_stdll/ep11_specific.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c -index 231dd200..a3f14351 100644 ---- a/usr/lib/ep11_stdll/ep11_specific.c -+++ b/usr/lib/ep11_stdll/ep11_specific.c -@@ -58,7 +58,7 @@ - #include "ep11_specific.h" - - #define EP11SHAREDLIB "libep11.so" --#define ICASHAREDLIB "libica.so" -+#define ICASHAREDLIB "libica.so.3" - - CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, - CK_MECHANISM_TYPE_PTR mlist, --- -2.21.0 - diff --git a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch new file mode 100644 index 0000000..3032fb6 --- /dev/null +++ b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch @@ -0,0 +1,33 @@ +commit 50a8a8806059647a3e446fd129995af61ec54867 +Author: Ingo Franzki +Date: Tue Dec 3 14:58:26 2019 +0100 + + EP11: Fix EC-uncompress buffer length + + Function ec_uncompress_public_key() expects the size of the output + buffer in out_pubkey to be specified in the out_len parameter. + However, variable pubkey_len is uninitialized when calling + ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL + dependent on the value of pubkey_len. + Fix this by setting pubkey_len to the size of the public key buffer + allocated above. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 38b6708f..10dfe4e0 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess, + rc = get_ecsiglen(ec_key_obj, &privkey_len); + if (rc != CKR_OK) + goto import_EC_key_end; +- privkey_len /= 2; /* Public key is half the size of an EC signature */ ++ privkey_len /= 2; /* private key is half the size of an EC signature */ + +- pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len); ++ pubkey_len = 1 + 2 * privkey_len; ++ pubkey = (CK_BYTE *)malloc(pubkey_len); + if (pubkey == NULL) { + rc = CKR_HOST_MEMORY; + goto import_EC_key_end; diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 3cc6c7b..087e0b3 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -2,29 +2,18 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.11.0 -Release: 5%{?dist} +Version: 3.12.1 +Release: 2%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # https://bugzilla.redhat.com/show_bug.cgi?id=732756 -Patch0: opencryptoki-3.11.0-group.patch +Patch0: opencryptoki-3.11.0-group.patch # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* -Patch1: opencryptoki-3.11.0-lockdir.patch -# bz#1063763, inform the user that he is not in pkcs11 group -Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch -# EP11 token fails when using Strict-Session mode or VHSM-Mode -Patch3: opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch -# coverity issues -Patch4: opencryptoki-3.11.0-covscan.patch -# bz#1688891, C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key -Patch5: opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch -# bz#1766090, EP11: Support tolerated new crypto cards -Patch6: opencryptoki-3.11.0-d6ba9ff61743ce869a5a677f6f77339642efef.patch -# bz#1769258 - ICA HW token missing after the package update -Patch7: opencryptoki-3.11.1-use-soname.patch +Patch1: opencryptoki-3.11.0-lockdir.patch +Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -193,15 +182,7 @@ configured with Enterprise PKCS#11 (EP11) firmware. %setup -q -n %{name}-%{version} %patch0 -p1 -b .group %patch1 -p1 -b .lockdir -%patch2 -p1 -b .warn-user-not-in-pkcs11-group -%patch3 -p1 -b .EP11_token_fails_when_using_Strict-Session_mode_or_VHSM-Mode -%patch4 -p1 -b .coverity -%patch5 -p1 -b .created-MACed-SPKIs-when-importing-public-keys -%patch6 -p1 -b .support-tolerated-new-crypto-cards -%patch7 -p1 -b .soname - -# Upstream tarball has unnecessary executable perms set on the sources -find . -name '*.[ch]' -print0 | xargs -0 chmod -x +%patch2 -p1 -b .bz1782444 %build ./bootstrap.sh @@ -353,11 +334,20 @@ fi %changelog -* Wed Nov 06 2019 Than Ngo - 3.11.0-5 -- Resolves: #1769258, ICA HW token missing after the package update +* Mon Dec 16 2019 Than Ngo - 3.12.1-2 +- Resolves: #1782444, EP11: Fix EC-uncompress buffer length + +* Thu Nov 28 2019 Than Ngo - 3.12.1-1 +- Related: #1770883, rebase to 3.12.1 + +* Tue Nov 12 2019 Than Ngo - 3.12.0-1 +- Resolves: #1770883, rebase to 3.12.0 + +* Mon Sep 30 2019 Than Ngo - 3.11.0-5 +- Resolves: #1756956, ICA HW token missing after the package update -* Mon Oct 28 2019 Than Ngo - 3.11.0-4 -- Resolves: #1766090, EP11: Support tolerated new crypto cards +* Thu Sep 26 2019 Than Ngo - 3.11.0-4 +- Resolves: #1755463, EP11: Support tolerated new crypto cards * Thu Mar 14 2019 Than Ngo - 3.11.0-3 - Resolves: #1688891 - C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key