diff --git a/.gitignore b/.gitignore
index 3e095fa..7229299 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.12.1.tar.gz
+SOURCES/opencryptoki-3.14.0.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 5177ce9..9259d12 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz
+9ddd1bbe34992707b20b314645fd92d35cb298ef SOURCES/opencryptoki-3.14.0.tar.gz
diff --git a/SOURCES/opencryptoki-3.14.0-crash-in-c_setpin.patch b/SOURCES/opencryptoki-3.14.0-crash-in-c_setpin.patch
new file mode 100644
index 0000000..0ea8ccd
--- /dev/null
+++ b/SOURCES/opencryptoki-3.14.0-crash-in-c_setpin.patch
@@ -0,0 +1,63 @@
+diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c
+--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c.me 2020-05-26 08:51:32.714189399 -0400
++++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_openssl.c 2020-05-26 08:52:16.429412060 -0400
+@@ -57,7 +57,7 @@ void openssl_print_errors()
+ }
+ #endif
+
+-RSA *openssl_gen_key()
++RSA *openssl_gen_key(STDLL_TokData_t *tokdata)
+ {
+ RSA *rsa;
+ int rc, counter = 0;
+@@ -66,7 +66,7 @@ RSA *openssl_gen_key()
+ BIGNUM *bne;
+ #endif
+
+- token_specific_rng(NULL, (CK_BYTE *) buf, 32);
++ token_specific_rng(tokdata, (CK_BYTE *) buf, 32);
+ RAND_seed(buf, 32);
+
+ regen_rsa_key:
+diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c
+--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c.me 2020-05-26 08:52:26.351235628 -0400
++++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.c 2020-05-26 08:53:15.928354051 -0400
+@@ -159,8 +159,6 @@ CK_RV token_specific_rng(STDLL_TokData_t
+ TSS_HTPM hTPM;
+ BYTE *random_bytes = NULL;
+
+- UNUSED(tokdata);
+-
+ rc = Tspi_Context_GetTpmObject(tpm_data->tspContext, &hTPM);
+ if (rc) {
+ TRACE_ERROR("Tspi_Context_GetTpmObject: %x\n", rc);
+@@ -1389,7 +1387,7 @@ CK_RV token_create_private_tree(STDLL_To
+ unsigned char n[256], p[256];
+
+ /* all sw generated keys are 2048 bits */
+- if ((rsa = openssl_gen_key()) == NULL)
++ if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ return CKR_HOST_MEMORY;
+
+ if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+@@ -1467,7 +1465,7 @@ CK_RV token_create_public_tree(STDLL_Tok
+ unsigned char n[256], p[256];
+
+ /* all sw generated keys are 2048 bits */
+- if ((rsa = openssl_gen_key()) == NULL)
++ if ((rsa = openssl_gen_key(tokdata)) == NULL)
+ return CKR_HOST_MEMORY;
+
+ if (openssl_get_modulus_and_prime(rsa, &size_n, n, &size_p, p) != 0) {
+diff -up opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h
+--- opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h.me 2020-05-26 08:53:20.281276648 -0400
++++ opencryptoki-3.14.0/usr/lib/tpm_stdll/tpm_specific.h 2020-05-26 08:54:08.356421779 -0400
+@@ -56,7 +56,7 @@
+ /* retry count for generating software RSA keys */
+ #define KEYGEN_RETRY 5
+
+-RSA *openssl_gen_key();
++RSA *openssl_gen_key(STDLL_TokData_t *);
+ int openssl_write_key(STDLL_TokData_t *, RSA *, char *, CK_BYTE *);
+ CK_RV openssl_read_key(STDLL_TokData_t *, char *, CK_BYTE *, RSA **);
+ int openssl_get_modulus_and_prime(RSA *, unsigned int *, unsigned char *,
diff --git a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
deleted file mode 100644
index 3032fb6..0000000
--- a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-commit 50a8a8806059647a3e446fd129995af61ec54867
-Author: Ingo Franzki
-Date: Tue Dec 3 14:58:26 2019 +0100
-
- EP11: Fix EC-uncompress buffer length
-
- Function ec_uncompress_public_key() expects the size of the output
- buffer in out_pubkey to be specified in the out_len parameter.
- However, variable pubkey_len is uninitialized when calling
- ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
- dependent on the value of pubkey_len.
- Fix this by setting pubkey_len to the size of the public key buffer
- allocated above.
-
-
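Review bot: The new `token_specific_rng(tokdata, (CK_BYTE *) buf, 32);` line in openssl_gen_key() still discards the CK_RV that token_specific_rng() returns, so when the TPM call fails (the tpm_specific.c hunk shows the Tspi_Context_GetTpmObject() failure being logged via TRACE_ERROR, presumably followed by an error return) `buf` is handed to RAND_seed() whether or not it was filled; unless buf is initialized on a line outside the hunk, the key generation is then seeded with stack contents of unknown value. Since nothing visible is allocated before that call, checking the result, e.g. `if (token_specific_rng(tokdata, (CK_BYTE *) buf, 32) != CKR_OK) return NULL;`, would stop the generation instead; the two callers in tpm_specific.c already map a NULL return to CKR_HOST_MEMORY, which is not the right code for an RNG failure but at least fails closed. The prototype change in tpm_specific.h could also carry a comment such as `/* tokdata must not be NULL: it is forwarded to token_specific_rng() */`, because the previous unprototyped `RSA *openssl_gen_key();` declaration is what let the NULL call this patch removes compile silently. openssl_gen_key() begins inside the hunk but its body continues outside it.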
Signed-off-by: Ingo Franzki
-
-diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index 38b6708f..10dfe4e0 100644
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
- rc = get_ecsiglen(ec_key_obj, &privkey_len);
- if (rc != CKR_OK)
- goto import_EC_key_end;
-- privkey_len /= 2; /* Public key is half the size of an EC signature */
-+ privkey_len /= 2; /* private key is half the size of an EC signature */
-
-- pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
-+ pubkey_len = 1 + 2 * privkey_len;
-+ pubkey = (CK_BYTE *)malloc(pubkey_len);
- if (pubkey == NULL) {
- rc = CKR_HOST_MEMORY;
- goto import_EC_key_end;
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index e739bb5..8f34054 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,6 +1,6 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Version: 3.12.1
+Version: 3.14.0
 Release: 2%{?dist}
 License: CPL
 Group: System Environment/Base
@@ -10,7 +10,7 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
 Patch0: opencryptoki-3.11.0-group.patch
 # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
 Patch1: opencryptoki-3.11.0-lockdir.patch
-Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
+Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch
 Requires(pre): coreutils
 BuildRequires: gcc
 BuildRequires: openssl-devel
@@ -244,8 +244,10 @@ fi
 %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
 %{_tmpfilesdir}/%{name}.conf
 %{_unitdir}/pkcsslotd.service
+%{_sbindir}/p11sak
 %{_sbindir}/pkcsconf
 %{_sbindir}/pkcsslotd
+%{_mandir}/man1/p11sak.1*
 %{_mandir}/man1/pkcsconf.1*
 %{_mandir}/man5/%{name}.conf.5*
 %{_mandir}/man7/%{name}.7*
@@ -327,6 +329,16 @@ fi
 %changelog
+* Tue May 26 2020 Than Ngo - 3.14.0-2
+- Related: #1780293, fix regression, segfault in C_SetPin
+
+* Tue May 19 2020 Than Ngo - 3.14.0-1
+- Resolves: #1723863 - ep11 token: Enhanced Support
+- Resolves: #1780285 - ep11 token: Support for new IBM Z hardware z15
+- Resolves: #1780293 - rebase to 3.14.0
+- Resolves: #1800549 - key management tool: list keys function
+-Resolves: #1800555 - key management tool: random key generation function
+
 * Fri Dec 13 2019 Than Ngo - 3.12.1-2
 - Resolves: #1782445, EP11: Fix EC-uncompress buffer length
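Review bot: The new `Patch2: opencryptoki-3.14.0-crash-in-c_setpin.patch` line has no explanatory comment, whereas the neighbouring Patch1 is documented with a `# bz#1373833, ...` line, and the patch it replaces (the 50a8a880 EC-uncompress fix, tracked as #1782445 in the existing changelog) is dropped without the spec recording that the 3.14.0 tarball already contains it. A comment in the existing style above the new line, e.g. `# bz#1780293, regression in 3.14.0: openssl_gen_key() passed NULL tokdata to token_specific_rng(), segfault in C_SetPin`, and a parallel one stating where the dropped fix now lives, would let the next rebase judge which patches can be retired; whether 50a8a880 is actually part of 3.14.0 is not visible in this diff and should be confirmed against the tarball before that comment is written.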