diff --git a/.gitignore b/.gitignore index 6ecbd3b..d7ed41a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v3.10.0.tar.gz +SOURCES/opencryptoki-3.11.0.tar.gz diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata index a3d1292..7bea2cc 100644 --- a/.opencryptoki.metadata +++ b/.opencryptoki.metadata @@ -1 +1 @@ -93908d16d61ec2c60aa0809378308d2d9e634d5f SOURCES/v3.10.0.tar.gz +86808ac3d57f22e9ba7d27b0d3bd50a686e72fad SOURCES/opencryptoki-3.11.0.tar.gz diff --git a/SOURCES/opencryptoki-3.10-ica-token.patch b/SOURCES/opencryptoki-3.10-ica-token.patch deleted file mode 100644 index 2a32d4c..0000000 --- a/SOURCES/opencryptoki-3.10-ica-token.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 227ffdba6b919e18b03fed59b07e2c0212b40303 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Thu, 2 Aug 2018 14:48:47 +0200 -Subject: [PATCH 1/2] Fix bug with master key encryption with FIPS enabled - libica - -When running with a FIPS enabled libica, the ICA token fails to -initialize, because the 3DES key derived from the user or SO pin is -considered invalid because the first and the third part of the -3DES key is the same. - -For clear key tokens, the token specific 3DES-CBC function is -used for the master key encryption. In case of the ICA token, -the ICA token specific 3DES-CBC function fails, because libica -rejects the key when compiled with FIPS support. This leads to -an error during token initialization. - -Instead of using the token specific 3DES-CBC function, the code -now always falls back to the (OpenSSL) based software encryption -function, as it is also done for secure key tokens. - -Signed-off-by: Ingo Franzki ---- - usr/lib/pkcs11/common/loadsave.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/usr/lib/pkcs11/common/loadsave.c b/usr/lib/pkcs11/common/loadsave.c -index a593b932..a5532c9d 100644 ---- a/usr/lib/pkcs11/common/loadsave.c -+++ b/usr/lib/pkcs11/common/loadsave.c -@@ -206,12 +206,14 @@ static CK_RV encrypt_data_with_clear_key(STDLL_TokData_t * tokdata, - /* If token doesn't have a specific key size that means that it uses a - * clear key. - */ -- if (token_specific.token_keysize == 0) { -+ if (token_specific.token_keysize == 0 && -+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { - return encrypt_data(tokdata, key, keylen, iv, clear, clear_len, - cipher, p_cipher_len); - } - -- /* Fall back to a software alternative if key is secure. */ -+ /* Fall back to a software alternative if key is secure, or -+ * if token's data store encryption algorithm is 3DES_CBC */ - initial_vector = duplicate_initial_vector(iv); - if (initial_vector == NULL) { - TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); -@@ -322,12 +324,14 @@ static CK_RV decrypt_data_with_clear_key(STDLL_TokData_t *tokdata, - /* If token doesn't have a specific key size that means that it uses a - * clear key. - */ -- if (token_specific.token_keysize == 0) { -+ if (token_specific.token_keysize == 0 && -+ token_specific.data_store.encryption_algorithm != CKM_DES3_CBC) { - return decrypt_data(tokdata, key, keylen, iv, cipher, - cipher_len, clear, p_clear_len); - } - -- /* Fall back to a software alternative if key is secure. */ -+ /* Fall back to a software alternative if key is secure, or -+ * if token's data store encryption algorithm is 3DES_CBC */ - initial_vector = duplicate_initial_vector(iv); - if (initial_vector == NULL) { - TRACE_ERROR("%s\n", ock_err(ERR_HOST_MEMORY)); --- -2.17.1 - - -From 3e091d7ff34a56eac0b9a5e8eaf92e5a7cf11b7f Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Tue, 7 Aug 2018 14:45:05 +0200 -Subject: [PATCH 2/2] TESTCASE: Disable 3DES test vectors with non-FIPS - compliant keys - -The 3DES test vectors contain keys that are considered invalid -by a FIPS enabled libica because the first, middle and/and third -part of the 3DES key are the same. - -Signed-off-by: Ingo Franzki ---- - testcases/crypto/des3.h | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/testcases/crypto/des3.h b/testcases/crypto/des3.h -index e1bb1038..1860778e 100644 ---- a/testcases/crypto/des3.h -+++ b/testcases/crypto/des3.h -@@ -850,7 +850,16 @@ static struct des3_test_vector des3_ofb64_tv[] = { - } - }; - -+/* -+ * All above test vectors use keys that are not FIPS compliant. -+ * This will cause the testcase to fail when the token performs FIPS key -+ * checks. -+ */ -+#ifdef NON_FIPS_COMPLIANT_TEST_VECTORS - # define NUM_OF_PUBLISHED_TESTSUITES 5 -+#else -+# define NUM_OF_PUBLISHED_TESTSUITES 0 -+#endif - - struct published_test_suite_info published_test_suites[] = { - { --- -2.17.1 - diff --git a/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch b/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch new file mode 100644 index 0000000..d5b516a --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch @@ -0,0 +1,55 @@ +commit 1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b +Author: Ingo Franzki +Date: Mon Nov 19 13:30:09 2018 +0100 + + EP11: Fix target_list passing for EP11-session logon/logoff + + The target list is passed incorrectly to the handle_all_ep11_cards() + function. Dependent on memory content, this can cause it to + fail processing all EP11 cards. This will most likely cause a + CKR_DEVICE_ERROR to be returned by C_Login when the STRICT_SESSION + and/or VHSM_MODE is enabled in the ep11tok.conf config file. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 2129762f..05332429 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -7600,7 +7600,7 @@ CK_RV ep11tok_login_session(STDLL_TokData_t * tokdata, SESSION * session) + } + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) { + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); +@@ -7646,8 +7646,7 @@ done: + if (ep11_session->flags & + (EP11_SESS_PINBLOB_VALID | EP11_VHSM_PINBLOB_VALID)) { + rc2 = +- handle_all_ep11_cards((ep11_target_t *) & +- ep11_data->target_list, ++ handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc2 != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", +@@ -7700,7 +7699,7 @@ static CK_RV ep11tok_relogin_session(STDLL_TokData_t * tokdata, + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_login_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); +@@ -7747,7 +7746,7 @@ CK_RV ep11tok_logout_session(STDLL_TokData_t * tokdata, SESSION * session) + return CKR_USER_NOT_LOGGED_IN; + } + +- rc = handle_all_ep11_cards((ep11_target_t *) & ep11_data->target_list, ++ rc = handle_all_ep11_cards((ep11_target_t *)ep11_data->target_list, + ep11_logout_handler, ep11_session); + if (rc != CKR_OK) + TRACE_ERROR("%s handle_all_ep11_cards failed: 0x%lx\n", __func__, rc); diff --git a/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch b/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch new file mode 100644 index 0000000..6a841c6 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch @@ -0,0 +1,215 @@ +commit bedf46da28da6231607a12e35414cd59b4432f9f +Author: Ingo Franzki +Date: Fri Mar 1 11:03:47 2019 +0100 + + EP11: Created MACed-SPKIs when importing public keys + + The EP11 host library does not allow to use plain SPKIs as + public key blobs for encrypt operations, this requires + MACed-SPKIs. Create MACed-SPKIs whenever public keys are + imported, and store it in CKA_IBM_OPAQUE instead of the + plain SPKI. + + Signed-off-by: Ingo Franzki + +diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c +index 41d500a4..5416a413 100644 +--- a/usr/lib/ep11_stdll/ep11_specific.c ++++ b/usr/lib/ep11_stdll/ep11_specific.c +@@ -2043,6 +2043,120 @@ CK_RV ep11tok_final(STDLL_TokData_t * tokdata) + return CKR_OK; + } + ++/* ++ * Makes a public key blob which is a MACed SPKI of the public key. ++ */ ++static CK_RV make_maced_spki(STDLL_TokData_t *tokdata, SESSION * sess, ++ OBJECT *pub_key_obj, ++ CK_BYTE *spki, CK_ULONG spki_len, ++ CK_BYTE *maced_spki, CK_ULONG *maced_spki_len) ++{ ++ ep11_private_data_t *ep11_data = tokdata->private_data; ++ unsigned char *ep11_pin_blob = NULL; ++ CK_ULONG ep11_pin_blob_len = 0; ++ ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data; ++ CK_MECHANISM mech = { CKM_IBM_TRANSPORTKEY, 0, 0 }; ++ CK_ATTRIBUTE_PTR p_attrs = NULL; ++ CK_ULONG attrs_len = 0; ++ CK_ATTRIBUTE_PTR attr; ++ CK_BBOOL bool_value; ++ DL_NODE *node; ++ CK_BYTE csum[MAX_BLOBSIZE]; ++ CK_ULONG cslen = sizeof(csum); ++ CK_KEY_TYPE keytype; ++ CK_RV rc; ++ ++ rc = template_attribute_find(pub_key_obj->template, CKA_KEY_TYPE, &attr); ++ if (rc == FALSE) { ++ TRACE_ERROR("Could not find CKA_KEY_TYPE for the key.\n"); ++ return CKR_TEMPLATE_INCOMPLETE; ++ } ++ keytype = *(CK_KEY_TYPE *)attr->pValue; ++ ++ /* ++ * m_UnwrapKey with CKM_IBM_TRANSPORTKEY allows boolean attributes only to ++ * be added to MACed-SPKIs ++ */ ++ node = pub_key_obj->template->attribute_list; ++ while (node != NULL) { ++ attr = node->data; ++ ++ switch (attr->type) { ++ case CKA_ENCRYPT: ++ case CKA_VERIFY: ++ case CKA_VERIFY_RECOVER: ++ /* ++ * EP11 does not allow to restrict public RSA/DSA/EC keys with ++ * CKA_VERIFY=FALSE and/or CKA_ENCRYPT=FALSE since it can not ++ * technically enforce the restrictions. Therefore override these ++ * attributes for the EP11 library, but keep the original attribute ++ * values in the object. ++ */ ++ if (keytype == CKK_EC || keytype == CKK_RSA || keytype == CKK_DSA) ++ bool_value = CK_TRUE; ++ else ++ bool_value = *(CK_BBOOL *)attr->pValue; ++ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, ++ &bool_value, sizeof(bool_value)); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", ++ __func__, attr->type, rc); ++ goto make_maced_spki_end; ++ } ++ break; ++ ++ case CKA_EXTRACTABLE: ++ //case CKA_NEVER_EXTRACTABLE: ++ //case CKA_MODIFIABLE: ++ case CKA_DERIVE: ++ case CKA_WRAP: ++ //case CKA_LOCAL: ++ case CKA_TRUSTED: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ rc = add_to_attribute_array(&p_attrs, &attrs_len, attr->type, ++ attr->pValue, attr->ulValueLen); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s adding attribute failed type=0x%lx rc=0x%lx\n", ++ __func__, attr->type, rc); ++ goto make_maced_spki_end; ++ } ++ break; ++ ++ default: ++ break; ++ } ++ node = node->next; ++ } ++ ++ ep11_get_pin_blob(ep11_session, object_is_session_object(pub_key_obj), ++ &ep11_pin_blob, &ep11_pin_blob_len); ++ ++ RETRY_START ++ rc = dll_m_UnwrapKey(spki, spki_len, NULL, 0, NULL, 0, ++ ep11_pin_blob, ep11_pin_blob_len, &mech, ++ p_attrs, attrs_len, maced_spki, maced_spki_len, ++ csum, &cslen, ++ (uint64_t) ep11_data->target_list); ++ RETRY_END(rc, tokdata, sess) ++ ++ if (rc != CKR_OK) { ++ rc = ep11_error_to_pkcs11_error(rc, sess); ++ TRACE_ERROR("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", ++ __func__, rc, spki_len, *maced_spki_len); ++ } else { ++ TRACE_INFO("%s unwrapping SPKI rc=0x%lx spki_len=0x%zx maced_spki_len=0x%zx\n", ++ __func__, rc, spki_len, *maced_spki_len); ++ } ++ ++make_maced_spki_end: ++ if (p_attrs != NULL) ++ cleanse_and_free_attribute_array(p_attrs, attrs_len); ++ ++ return rc; ++} + + /* + * makes blobs for private imported RSA keys and +@@ -2140,10 +2254,15 @@ static CK_RV import_RSA_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, rsa_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_RSA_key_end; ++ } + + } else { + +@@ -2331,10 +2450,15 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, ec_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_EC_key_end; ++ } + + } else { + +@@ -2531,10 +2655,15 @@ static CK_RV import_DSA_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, dsa_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_DSA_key_end; ++ } + + } else { + +@@ -2723,10 +2852,15 @@ static CK_RV import_DH_key(STDLL_TokData_t * tokdata, SESSION * sess, + } + + /* save the SPKI as blob although it is not a blob. +- * The card expects SPKIs as public keys. ++ * The card expects MACed-SPKIs as public keys. + */ +- memcpy(blob, data, data_len); +- *blob_size = data_len; ++ rc = make_maced_spki(tokdata, sess, dh_key_obj, data, data_len, ++ blob, blob_size); ++ if (rc != CKR_OK) { ++ TRACE_ERROR("%s failed to make a MACed-SPKI rc=0x%lx\n", ++ __func__, rc); ++ goto import_DH_key_end; ++ } + + } else { + diff --git a/SOURCES/opencryptoki-3.11.0-covscan.patch b/SOURCES/opencryptoki-3.11.0-covscan.patch new file mode 100644 index 0000000..b1538f4 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-covscan.patch @@ -0,0 +1,53 @@ +diff -up opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity opencryptoki-3.11.0/usr/lib/api/apiutil.c +--- opencryptoki-3.11.0/usr/lib/api/apiutil.c.coverity 2018-11-16 15:53:03.000000000 +0100 ++++ opencryptoki-3.11.0/usr/lib/api/apiutil.c 2019-02-21 11:56:00.131624101 +0100 +@@ -51,16 +51,12 @@ extern API_Proc_Struct_t *Anchor; + + CK_RV CreateProcLock(void) + { +- struct stat statbuf; +- + if (xplfd == -1) { + + /* The slot mgr daemon should have already created lock, + * so just open it so we can get a lock... + */ +- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) +- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); +- ++ xplfd = open(OCK_API_LOCK_FILE, O_RDONLY); + if (xplfd == -1) { + OCK_SYSLOG(LOG_ERR, "Could not open %s\n", OCK_API_LOCK_FILE); + return CKR_FUNCTION_FAILED; +diff -up opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c +--- opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c.coverity 2018-11-16 15:53:03.000000000 +0100 ++++ opencryptoki-3.11.0/usr/sbin/pkcsslotd/mutex.c 2019-02-21 11:47:52.097612395 +0100 +@@ -26,15 +26,10 @@ int CreateXProcLock(void) + { + struct group *grp; + mode_t mode = (S_IRUSR | S_IRGRP); +- struct stat statbuf; + + if (xplfd == -1) { +- if (stat(OCK_API_LOCK_FILE, &statbuf) == 0) { +- xplfd = open(OCK_API_LOCK_FILE, O_RDONLY, mode); +- } else { +- xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); +- +- if (xplfd != -1) { ++ xplfd = open(OCK_API_LOCK_FILE, O_CREAT | O_RDONLY, mode); ++ if (xplfd != -1) { + if (fchmod(xplfd, mode) == -1) { + DbgLog(DL0, "%s:fchmod(%s):%s\n", + __func__, OCK_API_LOCK_FILE, strerror(errno)); +@@ -54,9 +49,7 @@ int CreateXProcLock(void) + __func__, strerror(errno)); + goto error; + } +- } +- } +- if (xplfd == -1) { ++ } else { + DbgLog(DL0, "open(%s): %s\n", OCK_API_LOCK_FILE, strerror(errno)); + return FALSE; + } diff --git a/SOURCES/opencryptoki-3.11.0-group.patch b/SOURCES/opencryptoki-3.11.0-group.patch new file mode 100644 index 0000000..e88b391 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-group.patch @@ -0,0 +1,31 @@ +diff -up opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in +--- opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in.me 2019-01-31 10:42:23.325797012 +0100 ++++ opencryptoki-3.11.0/usr/lib/api/shrd_mem.c.in 2019-01-31 10:52:17.585191667 +0100 +@@ -55,9 +55,11 @@ void *attach_shared_memory() + int shmid; + char *shmp; + struct stat statbuf; ++#if 0 + struct group *grp; + struct passwd *pw, *epw; + uid_t uid, euid; ++#endif + + #if !(MMAP) + // Really should fstat the tok_path, since it will be the actual +@@ -69,6 +71,7 @@ void *attach_shared_memory() + return NULL; + } + ++#if 0 + uid = getuid(); + euid = geteuid(); + // only check group membership if not root user +@@ -102,6 +105,7 @@ void *attach_shared_memory() + return NULL; + } + } ++#endif + + Anchor->shm_tok = ftok(TOK_PATH, 'b'); + diff --git a/SOURCES/opencryptoki-3.11.0-lockdir.patch b/SOURCES/opencryptoki-3.11.0-lockdir.patch new file mode 100644 index 0000000..936a654 --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-lockdir.patch @@ -0,0 +1,12 @@ +diff -up opencryptoki-3.11.0/configure.ac.me opencryptoki-3.11.0/configure.ac +--- opencryptoki-3.11.0/configure.ac.me 2019-01-30 17:10:19.660952694 +0100 ++++ opencryptoki-3.11.0/configure.ac 2019-01-30 17:13:54.150089964 +0100 +@@ -62,7 +62,7 @@ AC_SUBST([OPENLDAP_LIBS]) + + dnl Define custom variables + +-lockdir=$localstatedir/lock/opencryptoki ++lockdir=/run/lock/opencryptoki + AC_SUBST(lockdir) + + logdir=$localstatedir/log/opencryptoki diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch new file mode 100644 index 0000000..756f55d --- /dev/null +++ b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch @@ -0,0 +1,13 @@ +diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c +--- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100 ++++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100 +@@ -1072,6 +1072,9 @@ CK_RV init(void) + if (rc != CKR_OK) { + printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc, + p11_get_ckr(rc)); ++ printf("Note: all non-root users that require access to PKCS#11 tokens " ++ "using opencryptoki must be assigned to the pkcs11 group to be " ++ "able to communicate with the pkcsslotd daemon.\n"); + fflush(stdout); + cleanup(); + } diff --git a/SOURCES/opencryptoki-tmpfiles.conf b/SOURCES/opencryptoki-tmpfiles.conf deleted file mode 100644 index 87332a8..0000000 --- a/SOURCES/opencryptoki-tmpfiles.conf +++ /dev/null @@ -1 +0,0 @@ -D /var/lock/opencryptoki 0770 root pkcs11 - diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec index 3d83028..28cc2a3 100644 --- a/SPECS/opencryptoki.spec +++ b/SPECS/opencryptoki.spec @@ -2,15 +2,25 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.10.0 -Release: 2%{?dist} +Version: 3.11.0 +Release: 3%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki -Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}.tar.gz -Source1: %{name}-tmpfiles.conf - -Patch0: opencryptoki-3.10-ica-token.patch +Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz + +# https://bugzilla.redhat.com/show_bug.cgi?id=732756 +Patch0: opencryptoki-3.11.0-group.patch +# bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* +Patch1: opencryptoki-3.11.0-lockdir.patch +# bz#1063763, inform the user that he is not in pkcs11 group +Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch +# EP11 token fails when using Strict-Session mode or VHSM-Mode +Patch3: opencryptoki-3.11.0-1dae7c15e7bc3bb5b5aad72b851e0b9cd328bb0b.patch +# coverity issues +Patch4: opencryptoki-3.11.0-covscan.patch +# bz#1688891, C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key +Patch5: opencryptoki-3.11.0-bedf46da28da6231607a12e35414cd59b4432f9f.patch Requires(pre): shadow-utils coreutils sed BuildRequires: openssl-devel @@ -177,23 +187,16 @@ configured with Enterprise PKCS#11 (EP11) firmware. %prep %setup -q -n %{name}-%{version} -%patch0 -p1 -b .ica +%patch0 -p1 -b .group +%patch1 -p1 -b .lockdir +%patch2 -p1 -b .warn-user-not-in-pkcs11-group +%patch3 -p1 -b .EP11_token_fails_when_using_Strict-Session_mode_or_VHSM-Mode +%patch4 -p1 -b .coverity +%patch5 -p1 -b .created-MACed-SPKIs-when-importing-public-keys # Upstream tarball has unnecessary executable perms set on the sources find . -name '*.[ch]' -print0 | xargs -0 chmod -x -# append token specific subdirs to tmpfiles.d config -token_subdirs="icsf swtok tpm" -%ifarch s390 s390x -token_subdirs="$token_subdirs lite ccatok ep11tok" -%endif - -cp -p %{SOURCE1} %{name}-tmpfiles.conf -for d in $token_subdirs -do - echo "D /var/lock/opencryptoki/$d 0770 root pkcs11 -" >> %{name}-tmpfiles.conf -done - %build ./bootstrap.sh @@ -214,9 +217,6 @@ make install DESTDIR=$RPM_BUILD_ROOT CHGRP=/bin/true rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.la rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/stdll/*.la -# systemd must create /var/lock/opencryptoki -mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d -install -m 0644 %{name}-tmpfiles.conf $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf %post libs -p /sbin/ldconfig @@ -245,6 +245,9 @@ exit 0 %post %systemd_post pkcsslotd.service +if test $1 -eq 1; then + %tmpfiles_create +fi %preun %systemd_preun pkcsslotd.service @@ -270,8 +273,8 @@ exit 0 %{_libdir}/opencryptoki/methods %{_libdir}/pkcs11/methods %dir %attr(770,root,pkcs11) %{_sharedstatedir}/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name} -%dir %attr(770,root,pkcs11) %{_localstatedir}/lock/%{name}/* +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name} +%ghost %dir %attr(770,root,pkcs11) %{_rundir}/lock/%{name}/* %dir %attr(770,root,pkcs11) %{_localstatedir}/log/opencryptoki %files libs @@ -344,6 +347,20 @@ exit 0 %changelog +* Thu Mar 14 2019 Than Ngo - 3.11.0-3 +- Resolves: #1688891 - C_EncryptInit fails with CKR_KEY_TYPE_INCONSISTENT. on ep11 token when using imported RSA public key + +* Thu Feb 21 2019 Than Ngo - 3.11.0-2 +- Resolves: #1678788 - EP11 token fails when using Strict-Session mode or VHSM-Mode + +* Tue Feb 19 2019 Than Ngo - 3.11.0-1 +- Resolves: #1063763 - opencryptoki tools should inform the user that he is not in pkcs11 group +- Resolves: #1641027 - enhanced IBM z14 functions +- Resolves: #1641026 - support m_*Single functions from ep11 lib +- Resolves: #1641025 - rebase to 3.11.0 +- Resolves: #1519386 - use CPACF hashes in ep11 token +- Resolves: #1373833 - lock file directory is %%ghost now + * Thu Aug 23 2018 Sinny Kumari - 3.10.0-2 - Resolves: #1613743 - ICA Token specific des3 cbc encrypt failed - token not available