diff --git a/.gitignore b/.gitignore index c3c8ab0..bbcd392 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/opencryptoki-3.10.0.tar.gz +SOURCES/opencryptoki-3.11.1.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index b92278a..64653b0 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/opencryptoki-3.10.0.tar.gz +26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz diff --git a/SOURCES/opencryptoki-2.4-group.patch b/SOURCES/opencryptoki-2.4-group.patch deleted file mode 100644 index dcabb60..0000000 --- a/SOURCES/opencryptoki-2.4-group.patch +++ /dev/null @@ -1,51 +0,0 @@ -diff -upr opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in ---- opencryptoki-3.7.0.orig/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:13:54.711536688 +0530 -+++ opencryptoki-3.7.0/usr/lib/pkcs11/api/shrd_mem.c.in 2017-05-17 15:22:27.758655055 +0530 -@@ -56,9 +56,6 @@ attach_shared_memory() { - int shmid; - char *shmp; - struct stat statbuf; -- struct group *grp; -- struct passwd *pw, *epw; -- uid_t uid, euid; - - #if !(MMAP) - // Really should fstat the tok_path, since it will be the actual -@@ -70,37 +67,6 @@ attach_shared_memory() { - return NULL; - } - -- uid = getuid(); -- euid = geteuid(); -- // only check group membership if not root user -- if (uid != 0 && euid != 0) { -- int i, member=0; -- grp = getgrnam("pkcs11"); -- if (!grp) { -- // group pkcs11 not known to the system -- return NULL; -- } -- pw = getpwuid(uid); -- epw = getpwuid(euid); -- for (i=0; grp->gr_mem[i]; i++) { -- if (pw) { -- if (!strncmp(pw->pw_name, grp->gr_mem[i],strlen(pw->pw_name))) { -- member = 1; -- break; -- } -- } -- if (epw) { -- if (!strncmp(epw->pw_name, grp->gr_mem[i],strlen(epw->pw_name))) { -- member = 1; -- break; -- } -- } -- } -- if (!member) { -- return NULL; -- } -- } -- - Anchor->shm_tok = ftok(TOK_PATH,'b'); - - // Get the shared memory id. diff --git a/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch b/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch deleted file mode 100644 index ec5de55..0000000 --- a/SOURCES/opencryptoki-227ffdba6b919e18b03fed59b07e2c0212b40303.patch +++ /dev/null @@ -1,61 +0,0 @@ -commit 227ffdba6b919e18b03fed59b07e2c0212b40303 -Author: Ingo Franzki -Date: Thu Aug 2 14:48:47 2018 +0200 - - Fix bug with master key encryption with FIPS enabled libica - - When running with a FIPS enabled libica, the ICA token fails to - initialize, because the 3DES key derived from the user or SO pin is - considered invalid because the first and the third part of the - 3DES key is the same. - - For clear key tokens, the token specific 3DES-CBC function is - used for the master key encryption. In case of the ICA token, - the ICA token specific 3DES-CBC function fails, because libica - rejects the key when compiled with FIPS support. This leads to - an error during token initialization. - - Instead of using the token specific 3DES-CBC function, the code - now always falls back to the (OpenSSL) based software encryption - function, as it is also done for secure key tokens. - - Signed-off-by: Ingo Franzki - -diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c -index a593b932..a5532c9d 100644 ---- a/usr/lib/pkcs11/common/loadsave.c -+++ b/usr/lib/pkcs11/common/loadsave.c -@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata, - /* If token doesn't have a specific key size that means that it uses a - * clear key. - */ -- if (token_specific.token_keysize == 0) { -+ if (token_specific.token_keysize == 0 && -+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { - return encrypt_data(tokdata, key, keylen, iv, clear, clear_len, - cipher, p_cipher_len); - } - -- /* Fall back to a software alternative if key is secure. */ -+ /* Fall back to a software alternative if key is secure, or -+ * if token's data store encryption algorithm is 3DES_CBC */ - initial_vector = duplicate_initial_vector(iv); - if (initial_vector == NULL) { - TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata, - /* If token doesn't have a specific key size that means that it uses a - * clear key. - */ -- if (token_specific.token_keysize == 0) { -+ if (token_specific.token_keysize == 0 && -+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { - return decrypt_data(tokdata, key, keylen, iv, cipher, - cipher_len, clear, p_clear_len); - } - -- /* Fall back to a software alternative if key is secure. */ -+ /* Fall back to a software alternative if key is secure, or -+ * if token's data store encryption algorithm is 3DES_CBC */ - initial_vector = duplicate_initial_vector(iv); - if (initial_vector == NULL) { - TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); diff --git a/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch deleted file mode 100644 index 5373fe3..0000000 --- a/SOURCES/opencryptoki-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -up opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c ---- opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c.me 2018-12-14 18:48:48.945096527 +0100 -+++ opencryptoki-3.10.0/usr/lib/pkcs11/ep11_stdll/ep11_specific.c 2018-12-14 18:55:18.198260044 +0100 -@@ -6268,7 +6268,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat - } - } - -- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) { - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); -@@ -6310,7 +6310,7 @@ CK_RV ep11tok_login_session(STDLL_TokDat - done: - if (rc != CKR_OK) { - if (ep11_session->flags & (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { -- rc2 = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, -+ rc2 = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc2 != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc2); -@@ -6356,7 +6356,7 @@ CK_RV ep11tok_relogin_session(STDLL_TokD - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_login_handler, ep11_session); - if (rc != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); -@@ -6401,7 +6401,7 @@ CK_RV ep11tok_logout_session(STDLL_TokDa - return CKR_USER_NOT_LOGGED_IN; - } - -- rc = handle_all_ep11_cards((ep11_target_t *)&ep11_data->target_list, -+ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, - ep11_logout_handler, ep11_session); - if (rc != CKR_OK) - TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lu\n", __func__, rc); diff --git a/SOURCES/opencryptoki-3.10.0-coverity.patch b/SOURCES/opencryptoki-3.10.0-coverity.patch deleted file mode 100644 index b994278..0000000 --- a/SOURCES/opencryptoki-3.10.0-coverity.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c ---- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c.me 2018-06-06 21:55:55.000000000 +0200 -+++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ec.c 2018-10-26 13:52:11.461448596 +0200 -@@ -797,6 +797,7 @@ ckm_kdf_X9_63(STDLL_TokData_t *tokdata, - counter++; - } - -+ free(ctx); - return CKR_OK; - } - -diff -up opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c ---- opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c.me 2018-06-06 21:55:55.000000000 +0200 -+++ opencryptoki-3.10.0/usr/lib/pkcs11/common/mech_ssl3.c 2018-10-26 13:51:12.538255825 +0200 -@@ -1195,7 +1195,7 @@ error: - if (value_len_attr) free( value_len_attr ); - if (always_sens_attr) free( always_sens_attr ); - if (extract_attr) free( extract_attr ); -- -+ if (derived_key_obj) object_free(derived_key_obj); - return rc; - } - diff --git a/SOURCES/opencryptoki-3.11.0-group.patch b/SOURCES/opencryptoki-3.11.0-group.patch new file mode 100644 index 0000000..e88b391 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-group.patch @@ -0,0 +1,31 @@ +diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in +--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100 ++++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100 +@@ -55,9 +55,11 @@ void *attach_shared_memory() + int shmid; + char *shmp; + struct stat statbuf; ++#if 0 + struct group *grp; + struct passwd *pw, *epw; + uid_t uid, euid; ++#endif + + #if !(MMAP) + // Really should fstat the tok_path, since it will be the actual +@@ -69,6 +71,7 @@ void *attach_shared_memory() + return NULL; + } + ++#if 0 + uid = getuid(); + euid = geteuid(); + // only check group membership if not root user +@@ -102,6 +105,7 @@ void *attach_shared_memory() + return NULL; + } + } ++#endif + + Anchor->shm_tok = ftok(TOK_PATH, 'b'); + diff --git a/SOURCES/opencryptoki-3.11.0-lockdir.patch b/SOURCES/opencryptoki-3.11.0-lockdir.patch new file mode 100644 index 0000000..936a654 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-lockdir.patch @@ -0,0 +1,12 @@ +diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac +--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100 ++++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100 +@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS]) + + dnl Define custom variables + +-lockdir=$localstatedir/lock/opencryptoki ++lockdir=/run/lock/opencryptoki + AC_SUBST(lockdir) + + logdir=$localstatedir/log/opencryptoki diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch new file mode 100644 index 0000000..756f55d --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch @@ -0,0 +1,13 @@ +diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c +--- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100 ++++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100 +@@ -1072,6 +1072,9 @@ CK_RV init(void) + if (rc != CKR_OK) { + printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc, + p11_get_ckr(rc)); ++ printf("Note: all non-root users that require access to PKCS#11 tokens " ++ "using opencryptoki must be assigned to the pkcs11 group to be " ++ "able to communicate with the pkcsslotd daemon.\n"); + fflush(stdout); + cleanup(); + } diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch new file mode 100644 index 0000000..07793ee --- /dev/null +++ b/SOURCES/opencryptoki-3.11.1-use-soname.patch @@ -0,0 +1,61 @@ +From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 12 Aug 2019 10:54:27 +0200 +Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Ingo Franzki +Signed-off-by: Dan Horák +--- + usr/lib/ica_s390_stdll/ica_specific.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c +index d5a6d554..a72ce774 100644 +--- a/usr/lib/ica_s390_stdll/ica_specific.c ++++ b/usr/lib/ica_s390_stdll/ica_specific.c +@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11"; + + static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER; + +-#define LIBICA_SHARED_LIB "libica.so" ++#define LIBICA_SHARED_LIB "libica.so.3" + #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym)) + + #ifndef NO_EC +-- +2.21.0 + + +From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 12 Aug 2019 10:54:44 +0200 +Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Ingo Franzki +Signed-off-by: Dan Horák +--- + usr/lib/ep11_stdll/ep11_specific.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 231dd200..a3f14351 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -58,7 +58,7 @@ + #include "ep11_specific.h" + + #define EP11SHAREDLIB "libep11.so" +-#define ICASHAREDLIB "libica.so" ++#define ICASHAREDLIB "libica.so.3" + + CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata, + CK_MECHANISM_TYPE_PTR mlist, +-- +2.21.0 + diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index e18e1ac..51ded01 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -1,22 +1,19 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.10.0 -Release: 3%{?dist} +Version: 3.11.1 +Release: 2%{?dist} License: CPL Group: System Environment/Base -URL: http://sourceforge.net/projects/opencryptoki +URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # https://bugzilla.redhat.com/show_bug.cgi?id=732756 -Patch0: %{name}-2.4-group.patch -Patch1: %{name}-3.10.0-coverity.patch -# 1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode -Patch2: %{name}-3.10.0-backport-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch -# 1657683, can't establish libica token in FIPS mode -Patch3: %{name}-227ffdba6b919e18b03fed59b07e2c0212b40303.patch - -# Use --no-undefined to debug missing symbols -#Patch100: %{name}-3.2-no-undefined.patch - +Patch0: opencryptoki-3.11.0-group.patch +# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* +Patch1: opencryptoki-3.11.0-lockdir.patch +# bz#1063763, inform the user that he is not in pkcs11 group +Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1739433 +Patch3: opencryptoki-3.11.1-use-soname.patch Requires(pre): coreutils BuildRequires: gcc BuildRequires: openssl-devel @@ -231,6 +228,9 @@ exit 0 %post %systemd_post pkcsslotd.service +if test $1 -eq 1; then + %tmpfiles_create +fi %preun %systemd_preun pkcsslotd.service @@ -245,7 +245,7 @@ exit 0 %doc doc/README.token_data %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%{_prefix}/lib/tmpfiles.d/%{name}.conf +%{_tmpfilesdir}/%{name}.conf %{_unitdir}/pkcsslotd.service %{_sbindir}/pkcsconf %{_sbindir}/pkcsslotd @@ -256,8 +256,9 @@ exit 0 %{_libdir}/opencryptoki/methods %{_libdir}/pkcs11/methods %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/* +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name} +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/* +%dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki %files libs %license LICENSE @@ -273,7 +274,6 @@ exit 0 %{_libdir}/pkcs11/libopencryptoki.so %{_libdir}/pkcs11/PKCS11_API.so %{_libdir}/pkcs11/stdll -%{_localstatedir}/log/opencryptoki %files devel %{_includedir}/%{name}/ @@ -330,6 +330,20 @@ exit 0 %changelog +* Mon Aug 26 2019 Dan Horák - 3.11.1-2 +- Resolves: #1739433, ICA HW token missing after the package update + +* Mon May 06 2019 Than Ngo - 3.11.1-1 +- Resolves: #1706140, rebase to 3.11.1 + +* Tue Mar 26 2019 Than Ngo - 3.11.0-3 +- Resolves: #1667941, 3des tests failures due to FIPS incompatible test scenarios +- Resolves: #1651731, ep11 token: enhanced IBM z14 functions +- Resolves: #1651732, ep11 token: support m_*Single functions from ep11 lib +- Resolves: #1525407, use CPACF hashes in ep11 token +- Resolves: #1651238, rebase to 3.11.0 +- Resolves: #1682530, gating + * Fri Dec 14 2018 Than Ngo - 3.10.0-3 - Resolves: #1657683, can't establish libica token in FIPS mode - Resolves: #1652856, EP11 token fails when using Strict-Session mode or VHSM-Mode