diff --git a/.gitignore b/.gitignore
index bbcd392..3e095fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.11.1.tar.gz
+SOURCES/opencryptoki-3.12.1.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 64653b0..5177ce9 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz
+8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz
diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
deleted file mode 100644
index 756f55d..0000000
--- a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c
---- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100
-+++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100
-@@ -1072,6 +1072,9 @@ CK_RV init(void)
- if (rc != CKR_OK) {
- printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc,
- p11_get_ckr(rc));
-+ printf("Note: all non-root users that require access to PKCS#11 tokens "
-+ "using opencryptoki must be assigned to the pkcs11 group to be "
-+ "able to communicate with the pkcsslotd daemon.\n");
- fflush(stdout);
- cleanup();
- }
diff --git a/SOURCES/opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch b/SOURCES/opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
deleted file mode 100644
index dca81c1..0000000
--- a/SOURCES/opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-commit d6ba9ff61743ce869a5a677f6f77339642efef4b
-Author: Ingo Franzki
-Date: Tue Sep 24 14:35:59 2019 +0200
-
- EP11: Support tolerated new crypto cards
-
- With just toleration support of new crypt cards, new crypto
- cards are reported as the last known crypto card version.
- E.g. a CEX7 card is reported as CEX6, when CEX6 is the last
- known crypto card version.
-
- The EP11 token checks the card versions and needs to distinguish
- tolerated cards from supported cards. New (tolerated) crypto cards
- may have different API and firmware versions, and thus need to be
- handled differently.
-
- Signed-off-by: Ingo Franzki
-
-diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index e22dad5d..a65accea 100644
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -8253,6 +8253,7 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
- char fname[PATH_MAX];
- char buf[250];
- CK_RV rc;
-+ CK_ULONG hwtype, rawtype;
-
- sprintf(fname, "%scard%02x/type", SYSFS_DEVICES_AP, adapter);
- rc = file_fgets(fname, buf, sizeof(buf));
-@@ -8260,6 +8261,28 @@ static CK_RV get_card_type(uint_32 adapter, CK_ULONG *type)
- return rc;
- if (sscanf(buf, "CEX%luP", type) != 1)
- return CKR_FUNCTION_FAILED;
-+
-+ sprintf(fname, "%scard%02x/hwtype", SYSFS_DEVICES_AP, adapter);
-+ rc = file_fgets(fname, buf, sizeof(buf));
-+ if (rc != CKR_OK)
-+ return rc;
-+ if (sscanf(buf, "%lu", &hwtype) != 1)
-+ return CKR_FUNCTION_FAILED;
-+
-+ sprintf(fname, "%scard%02x/raw_hwtype", SYSFS_DEVICES_AP, adapter);
-+ rc = file_fgets(fname, buf, sizeof(buf));
-+ if (rc != CKR_OK)
-+ return rc;
-+ if (sscanf(buf, "%lu", &rawtype) != 1)
-+ return CKR_FUNCTION_FAILED;
-+
-+ if (rawtype > hwtype) {
-+ TRACE_DEVEL("%s adapter: %u hwtype: %lu raw_hwtype: %lu\n",
-+ __func__, adapter, hwtype, rawtype);
-+ /* Tolerated new card level: report calculated type */
-+ *type += (rawtype - hwtype);
-+ }
-+
- return CKR_OK;
- }
-
diff --git a/SOURCES/opencryptoki-3.11.1-use-soname.patch b/SOURCES/opencryptoki-3.11.1-use-soname.patch
deleted file mode 100644
index 07793ee..0000000
--- a/SOURCES/opencryptoki-3.11.1-use-soname.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 73f05eb53f12197f081fd7ec75619c6ea3a39b2c Mon Sep 17 00:00:00 2001
-From: Ingo Franzki
-Date: Mon, 12 Aug 2019 10:54:27 +0200
-Subject: [opencryptoki PATCH 1/2] ICA: Refer libica by its so name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Ingo Franzki
-Signed-off-by: Dan Horák
----
- usr/lib/ica_s390_stdll/ica_specific.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usr/lib/ica_s390_stdll/ica_specific.c b/usr/lib/ica_s390_stdll/ica_specific.c
-index d5a6d554..a72ce774 100644
---- a/usr/lib/ica_s390_stdll/ica_specific.c
-+++ b/usr/lib/ica_s390_stdll/ica_specific.c
-@@ -61,7 +61,7 @@ const char label[] = "IBM ICA PKCS #11";
-
- static pthread_mutex_t rngmtx = PTHREAD_MUTEX_INITIALIZER;
-
--#define LIBICA_SHARED_LIB "libica.so"
-+#define LIBICA_SHARED_LIB "libica.so.3"
- #define BIND(dso, sym) (*(void **)(&p_##sym) = dlsym(dso, #sym))
-
- #ifndef NO_EC
---
-2.21.0
-
-
-From 7f4113ba8653b8b18a6f1af6ab1d8eb90987626d Mon Sep 17 00:00:00 2001
-From: Ingo Franzki
-Date: Mon, 12 Aug 2019 10:54:44 +0200
-Subject: [opencryptoki PATCH 2/2] EP11: Refer libica by its so name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Ingo Franzki
-Signed-off-by: Dan Horák
----
- usr/lib/ep11_stdll/ep11_specific.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index 231dd200..a3f14351 100644
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -58,7 +58,7 @@
- #include "ep11_specific.h"
-
- #define EP11SHAREDLIB "libep11.so"
--#define ICASHAREDLIB "libica.so"
-+#define ICASHAREDLIB "libica.so.3"
-
- CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
- CK_MECHANISM_TYPE_PTR mlist,
---
-2.21.0
-
diff --git a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
new file mode 100644
index 0000000..3032fb6
--- /dev/null
+++ b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
@@ -0,0 +1,33 @@
+commit 50a8a8806059647a3e446fd129995af61ec54867
+Author: Ingo Franzki
+Date: Tue Dec 3 14:58:26 2019 +0100
+
+ EP11: Fix EC-uncompress buffer length
+
+ Function ec_uncompress_public_key() expects the size of the output
+ buffer in out_pubkey to be specified in the out_len parameter.
+ However, variable pubkey_len is uninitialized when calling
+ ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
+ dependent on the value of pubkey_len.
+ Fix this by setting pubkey_len to the size of the public key buffer
+ allocated above.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 38b6708f..10dfe4e0 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
+ rc = get_ecsiglen(ec_key_obj, &privkey_len);
+ if (rc != CKR_OK)
+ goto import_EC_key_end;
+- privkey_len /= 2; /* Public key is half the size of an EC signature */
++ privkey_len /= 2; /* private key is half the size of an EC signature */
+
+- pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
++ pubkey_len = 1 + 2 * privkey_len;
++ pubkey = (CK_BYTE *)malloc(pubkey_len);
+ if (pubkey == NULL) {
+ rc = CKR_HOST_MEMORY;
+ goto import_EC_key_end;
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index f6ab462..e739bb5 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
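Review bot: The size expression in the added `pubkey_len = 1 + 2 * privkey_len;` line of the new 50a8a88 patch carries no explanation, although per the commit message this value is now the bound that `ec_uncompress_public_key()` enforces through `out_len`. A comment above the assignment, for example `/* presumably an uncompressed EC point: 1 format byte + X and Y, privkey_len bytes each */`, would record why the bound is right. Setting `pubkey_len` to 0 where it is declared would, if the callee rejects a zero size, make a future missed assignment fail the same way every time rather than depend on stack contents. `import_EC_key` starts and ends outside the hunk, so the declaration, the `ec_uncompress_public_key()` call and the release of `pubkey` at `import_EC_key_end` are not visible here and should be checked in the full function.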
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11
-Version: 3.11.1
-Release: 3%{?dist}
+Version: 3.12.1
+Release: 2%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -10,13 +10,7 @@ Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{
 Patch0: opencryptoki-3.11.0-group.patch
 # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/*
 Patch1: opencryptoki-3.11.0-lockdir.patch
-# bz#1063763, inform the user that he is not in pkcs11 group
-Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1739433
-Patch3: opencryptoki-3.11.1-use-soname.patch
-# bz#1772108, Support tolerated new crypto cards
-Patch4: opencryptoki-3.11.1-d6ba9ff61743ce869a5a677f6f77339642efef4b.patch
-
+Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
 Requires(pre): coreutils
 BuildRequires: gcc
 BuildRequires: openssl-devel
@@ -333,8 +327,14 @@ fi
 %changelog
-* Thu Nov 14 2019 Than Ngo - 3.11.1-3
-- Resolves: #1772108, support tolerated new crypto cards
+* Fri Dec 13 2019 Than Ngo - 3.12.1-2
+- Resolves: #1782445, EP11: Fix EC-uncompress buffer length
+
+* Thu Nov 28 2019 Than Ngo - 3.12.1-1
+- Resolves: #1777313, rebase to 3.12.1
+
+* Tue Nov 12 2019 Than Ngo - 3.12.0-1
+- Resolves: #1726243, rebase to 3.12.0
 * Mon Aug 26 2019 Dan Horák - 3.11.1-2
 - Resolves: #1739433, ICA HW token missing after the package update
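Review bot: The new `Patch2:` line in the second spec hunk has no tracking comment, while `Patch1` and the three removed entries each carry a bug reference. Adding `# bz#1782445, EP11: Fix EC-uncompress buffer length` above it keeps the fix traceable from the spec; the number is the one the changelog hunk gives for this change. The same hunk drops the 3.11.x Patch2 to Patch4. Presumably 3.12.1 already contains them, but this diff does not show that, so the rebased source should be checked for the `libica.so.3` soname and the tolerated-card handling.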