From a15255e127d2ff3153beb02c9a201c0b9697684a6cc28e2364cd8dc587907d5b Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Thu, 18 Dec 2014 14:21:44 +0000
Subject: [PATCH] Accepting request 265545 from home:posophe:branches:security

Update + changes

OBS-URL: https://build.opensuse.org/request/show/265545
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=24
---
 ocki-3.1_01_ep11_makefile.patch | 42 -
 ocki-3.1_02_ep11_m_init.patch | 21 -
 ocki-3.1_03_ock_obj_mgr.patch | 129 ---
 ...-3.1_04_ep11_opaque2blob_error_handl.patch | 233 ------
 ocki-3.1_05_ep11_readme_update.patch | 187 -----
 ...ignored-bad-returncodes-from-the-cal.patch | 110 ---
 ...-confname-is-not-given-use-default-e.patch | 172 ----
 ...ecking-for-the-ep11-lib-and-the-m_in.patch | 38 -
 ...-header-file-uses-some-std-int-types.patch | 35 -
 ocki-3.1_06_0005-Small-reworks.patch | 144 ----
 ...-on-s390-showed-an-build-error-at-in.patch | 32 -
 ...ding-because-not-setting-with_zcrypt.patch | 27 -
 ocki-3.1_07_0001-Man-page-corrections.patch | 63 -
 ...ol-to-help-migrate-cca-private-token.patch | 783 ------------------
 ...n-pkcscca-manpage-and-README.cca_std.patch | 281 ------
 ...1_09_0001-Fix-EOL-encoding-in-README.patch | 255 ------
 ...3.1_10_0001-ica-sha-update-empty-msg.patch | 19 -
 openCryptoki.changes | 36 +
 openCryptoki.spec | 56 +-
 opencryptoki-v3.1.tar.bz2 | 3 -
 opencryptoki-v3.2.tgz | 3 +
 21 files changed, 48 insertions(+), 2621 deletions(-)
 delete mode 100644 ocki-3.1_01_ep11_makefile.patch
 delete mode 100644 ocki-3.1_02_ep11_m_init.patch
 delete mode 100644 ocki-3.1_03_ock_obj_mgr.patch
 delete mode 100644 ocki-3.1_04_ep11_opaque2blob_error_handl.patch
 delete mode 100644 ocki-3.1_05_ep11_readme_update.patch
 delete mode 100644 ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
 delete mode 100644 ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
 delete mode 100644 ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
 delete mode 100644 ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
 delete mode 100644 ocki-3.1_06_0005-Small-reworks.patch
 delete mode 100644 ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
 delete mode 100644 ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
 delete mode 100644 ocki-3.1_07_0001-Man-page-corrections.patch
 delete mode 100644 ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch
 delete mode 100644 ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch
 delete mode 100644 ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch
 delete mode 100644 ocki-3.1_10_0001-ica-sha-update-empty-msg.patch
 delete mode 100644 opencryptoki-v3.1.tar.bz2
 create mode 100644 opencryptoki-v3.2.tgz

diff --git a/ocki-3.1_01_ep11_makefile.patch b/ocki-3.1_01_ep11_makefile.patch
deleted file mode 100644
index 097bd9b..0000000
--- a/ocki-3.1_01_ep11_makefile.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-commit f558043c9c7aa2ada4dd9d7548c2c713aea24753
-Author: Ingo Tuchscherer
-Date: Fri Feb 7 15:03:48 2014 -0600
-
- ep11: Fixed Makefile to complement common code dependencies
- This will fix the side effect that the ep11 token could not
- plugged into slot 0, because of unresolved symbols.
-
- Signed-off-by: Ingo Tuchscherer
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/Makefile.am b/usr/lib/pkcs11/ep11_stdll/Makefile.am
-index fd940ec..d587fd2 100644
---- a/usr/lib/pkcs11/ep11_stdll/Makefile.am
-+++ b/usr/lib/pkcs11/ep11_stdll/Makefile.am
-@@ -28,10 +28,15 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
- ../common/loadsave.c \
- ../common/key.c \
- ../common/key_mgr.c \
-- ../common/mech_md5.c \
-+ ../common/mech_des.c \
-+ ../common/mech_des3.c \
-+ ../common/mech_aes.c \
-+ ../common/mech_md5.c \
- ../common/mech_md2.c \
- ../common/mech_rng.c \
-+ ../common/mech_rsa.c \
- ../common/mech_sha.c \
-+ ../common/mech_ssl3.c \
- ../common/new_host.c \
- ../common/obj_mgr.c \
- ../common/object.c \
-@@ -44,8 +49,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
- ../common/log.c \
- ../common/mech_list.c \
- ../common/shared_memory.c \
-- ../common/attributes.c \
-- ../common/sw_crypt.c \
-+ ../common/attributes.c \
-+ ../common/sw_crypt.c \
- ep11_specific.c
-
- noinst_HEADERS = ep11.h
diff --git a/ocki-3.1_02_ep11_m_init.patch b/ocki-3.1_02_ep11_m_init.patch
deleted file mode 100644
index 20bceeb..0000000
--- a/ocki-3.1_02_ep11_m_init.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-commit d564279d2c2913021ca325507d1ce3af3aff078a
-Author: Ingo Tuchscherer
-Date: Fri Feb 7 15:08:27 2014 -0600
-
- ep11: switched to official m_init() function based on library change
-
- Signed-off-by: Ingo Tuchscherer
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-index a9a72e4..1a43ccb 100644
---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-@@ -1281,7 +1281,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
- /* for real HW on Z-series, this would open the
- * device driver file /dev/zcrypt.
- */
-- if (m_add_backend(NULL,0) < 0) {
-+ if (m_init() < 0) {
- EP11TOK_ELOG(1,"open of the zcrypt device driver failed");
- return CKR_DEVICE_ERROR;
- }
diff --git a/ocki-3.1_03_ock_obj_mgr.patch b/ocki-3.1_03_ock_obj_mgr.patch
deleted file mode 100644
index 0056666..0000000
--- a/ocki-3.1_03_ock_obj_mgr.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-commit 099a3a110a733ef3a91c41a88dcd45f15af8a6cd
-Author: Joy Latten
-Date: Wed Feb 12 12:06:53 2014 -0600
-
- Scenario: processA creates private token key object and before he can
- use it, processB gets it, uses it, and deletes it.
- Because opencryptoki was not checking the global token object count,
- process B segfaulted when count was zero, thinking there were objects in
- shared memory to search.
- Also, it was not checking return code of object_mgr_check_shm() in
- object_mgr_find_in_map1 to see if anything was found in shm.
- And lastly, return correct error code.
-
- Signed-off-by: Joy Latten
-
-diff --git a/usr/lib/pkcs11/common/obj_mgr.c b/usr/lib/pkcs11/common/obj_mgr.c
-index 92c11c2..8d42d9e 100755
---- a/usr/lib/pkcs11/common/obj_mgr.c
-+++ b/usr/lib/pkcs11/common/obj_mgr.c
-@@ -1340,13 +1340,28 @@ object_mgr_find_in_map1( CK_OBJECT_HANDLE handle,
- goto done;
- }
-
--// SAB XXX Fix me.. need to make it more efficient than just looking for the object to be changed
--// set a global flag that contains the ref count to all objects.. if the shm ref count changes, then we update the object
--// if not
--
-- XProcLock();
-- object_mgr_check_shm( obj );
-- XProcUnLock();
-+ /* SAB XXX Fix me.. need to make it more efficient than just looking
-+ * for the object to be changed. set a global flag that contains the
-+ * ref count to all objects.. if the shm ref count changes, then we
-+ * update the object. if not
-+ */
-+
-+ /* Note: Each C_Initialize call loads up the public token objects
-+ * and build corresponding tree(s). The same for private token objects
-+ * upon successful C_Login. Since token objects can be shared, it is
-+ * possible another process or session has deleted a token object.
-+ * Accounting is done in shm, so check shm to see if object still exists.
-+ */
-+ if (!object_is_session_object(obj)) {
-+ XProcLock();
-+ rc = object_mgr_check_shm( obj );
-+ XProcUnLock();
-+
-+ if (rc != CKR_OK) {
-+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-+ goto done;
-+ }
-+ }
-
- *ptr = obj;
- done:
-@@ -2101,8 +2116,8 @@ object_mgr_del_from_shm( OBJECT *obj )
- 0, global_shm->num_priv_tok_obj-1,
- obj, &index );
- if (rc != CKR_OK){
-- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-- return CKR_FUNCTION_FAILED;
-+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
-+ return rc;
- }
- // Since the number of objects starts at 1 and index starts at zero, we
- // decrement before we get count. This eliminates the need to perform
-@@ -2139,8 +2154,8 @@ object_mgr_del_from_shm( OBJECT *obj )
- 0, global_shm->num_publ_tok_obj-1,
- obj, &index );
- if (rc != CKR_OK){
-- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-- return CKR_FUNCTION_FAILED;
-+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
-+ return rc;
- }
- global_shm->num_publ_tok_obj--;
-
-@@ -2189,25 +2204,36 @@ object_mgr_check_shm( OBJECT *obj )
- // the calling routine is responsible for locking the global_shm mutex
- //
-
-+ /* first check the object count. If it is 0, then just return. */
- priv = object_is_private( obj );
-
- if (priv) {
-+
-+ if (global_shm->num_priv_tok_obj == 0) {
-+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
-+ return CKR_OBJECT_HANDLE_INVALID;
-+ }
- rc = object_mgr_search_shm_for_obj( global_shm->priv_tok_objs,
- 0, global_shm->num_priv_tok_obj-1,
- obj, &index );
- if (rc != CKR_OK){
-- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-- return CKR_FUNCTION_FAILED;
-+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
-+ return rc;
- }
- entry = &global_shm->priv_tok_objs[index];
- }
- else {
-+
-+ if (global_shm->num_publ_tok_obj == 0) {
-+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
-+ return CKR_OBJECT_HANDLE_INVALID;
-+ }
- rc = object_mgr_search_shm_for_obj( global_shm->publ_tok_objs,
- 0, global_shm->num_publ_tok_obj-1,
- obj, &index );
- if (rc != CKR_OK){
-- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-- return CKR_FUNCTION_FAILED;
-+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
-+ return rc;
- }
- entry = &global_shm->publ_tok_objs[index];
- }
-@@ -2256,8 +2282,8 @@ object_mgr_search_shm_for_obj( TOK_OBJ_ENTRY * obj_list,
- }
- }
- }
-- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
-- return CKR_FUNCTION_FAILED;
-+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
-+ return CKR_OBJECT_HANDLE_INVALID;
- }
-
-
diff --git a/ocki-3.1_04_ep11_opaque2blob_error_handl.patch b/ocki-3.1_04_ep11_opaque2blob_error_handl.patch
deleted file mode 100644
index 588890f..0000000
--- a/ocki-3.1_04_ep11_opaque2blob_error_handl.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-commit 9d445b0294b588a834797e4f8c3d6ea3c1b3da2b
-Author: Joy Latten
-Date: Wed Feb 12 12:09:14 2014 -0600
-
- ep11's h_opaque_2_blob needs to catch the return code from
- object_mgr_find_in_map1 and return it.
-
- Signed-off-by: Joy Latten
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-index 1a43ccb..90d3df1 100644
---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-@@ -1814,12 +1814,12 @@ CK_RV token_specific_derive_key(SESSION *session, CK_MECHANISM_PTR mech,
- memset(&secret_op, 0, sizeof(secret_op));
- secret_op.blob_size = blobsize;
-
-- if (h_opaque_2_blob(hBaseKey, &blob, &blob_len) != CKR_OK) {
-+ rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len);
-+ if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"FAIL hBaseKey=0x%lx",hBaseKey);
-- return CKR_CANCEL;
-+ return rc;
- }
-
--
- /* Get the keytype to use when creating the key object */
- rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class);
- if (rc != CKR_OK) {
-@@ -2732,36 +2732,19 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
- private_key_obj->name, public_key_obj, private_key_obj);
- }
-
-- /* Keys should be fully constructed,
-- * assign object handles and store keys.
-- */
-- rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
-- if (rc != CKR_OK) {
-- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
-- goto error;
-- }
--
-- rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
-- if (rc != CKR_OK) {
-- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
-- object_mgr_destroy_object(sess, *phPublicKey);
-- public_key_obj = NULL;
-- goto error;
-- }
--
- /* copy CKA_CLASS, CKA_KEY_TYPE to private template */
- if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) {
- rc = build_attribute(attr->type, attr->pValue,
- attr->ulValueLen, &n_attr);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
-- return rc;
-+ goto error;
- }
-
- rc = template_update_attribute(private_key_obj->template, n_attr);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
-- return rc;
-+ goto error;
- }
- }
-
-@@ -2770,17 +2753,34 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
- attr->ulValueLen, &n_attr);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
-- return rc;
-+ goto error;
- }
-
- rc = template_update_attribute(private_key_obj->template, n_attr);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
-- return rc;
-+ goto error;
- }
- }
-
-+ /* Keys should be fully constructed,
-+ * assign object handles and store keys.
-+ */
-+ rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
-+ if (rc != CKR_OK) {
-+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
-+ goto error;
-+ }
-+
-+ rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
-+ if (rc != CKR_OK) {
-+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
-+ object_mgr_destroy_object(sess, *phPublicKey);
-+ public_key_obj = NULL;
-+ goto error;
-+ }
- return rc;
-+
- error:
- if (public_key_obj) object_free(public_key_obj);
- if (private_key_obj) object_free(private_key_obj);
-@@ -2801,11 +2801,13 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
- OBJECT *key_obj;
- CK_ATTRIBUTE *attr = NULL;
- ep11_opaque *op;
-+ CK_RV rc;
-
- /* find the key obj by the key handle */
-- if (object_mgr_find_in_map1(handle,&key_obj) != CKR_OK) {
-+ rc = object_mgr_find_in_map1(handle,&key_obj);
-+ if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"key 0x%lx not mapped", handle);
-- return CKR_FUNCTION_FAILED;
-+ return rc;
- }
-
- /* blob already exists */
-@@ -2844,30 +2846,31 @@ CK_RV token_specific_sign_init(SESSION *session, CK_MECHANISM *mech,
- return CKR_HOST_MEMORY;
- }
-
-- if (h_opaque_2_blob(key,&privkey_blob,&blob_len) == CKR_OK) {
-- rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
-- mech, privkey_blob, blob_len, ep11tok_target) ;
-+ rc = h_opaque_2_blob(key, &privkey_blob, &blob_len);
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
-+ return rc;
-+ }
-
-- /* SIGN_VERIFY_CONTEX holds all needed for continuing,
-- * also by another adapter (stateless requests)
-- */
-- ctx->key = key;
-- ctx->multi = FALSE;
-- ctx->active = TRUE;
-- ctx->context = ep11_sign_state;
-- ctx->context_len = ep11_sign_state_l;
-+ rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
-+ mech, privkey_blob, blob_len, ep11tok_target) ;
-
-- if (rc != CKR_OK) {
-- EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
-- } else {
-- EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
-- }
-+ /* SIGN_VERIFY_CONTEX holds all needed for continuing,
-+ * also by another adapter (stateless requests)
-+ */
-+ ctx->key = key;
-+ ctx->multi = FALSE;
-+ ctx->active = TRUE;
-+ ctx->context = ep11_sign_state;
-+ ctx->context_len = ep11_sign_state_l;
-
-- return rc;
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- } else {
-- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
-- return CKR_FUNCTION_FAILED;
-+ EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- }
-+
-+ return rc;
- }
-
-
-@@ -2946,27 +2949,26 @@ CK_RV token_specific_verify_init(SESSION *session, CK_MECHANISM *mech,
- return CKR_HOST_MEMORY;
- }
-
-- if (h_opaque_2_blob(key,&spki,&spki_len) == CKR_OK) {
-- rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
-- spki, spki_len, ep11tok_target);
--
-- ctx->key = key;
-- ctx->multi = FALSE;
-- ctx->active = TRUE;
-- ctx->context = ep11_sign_state;
-- ctx->context_len = ep11_sign_state_l;
--
-- if (rc != CKR_OK) {
-- EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
-- } else {
-- EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
-- }
--
-+ rc = h_opaque_2_blob(key, &spki, &spki_len);
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return rc;
-+ }
-+
-+ rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
-+ spki, spki_len, ep11tok_target);
-+ ctx->key = key;
-+ ctx->multi = FALSE;
-+ ctx->active = TRUE;
-+ ctx->context = ep11_sign_state;
-+ ctx->context_len = ep11_sign_state_l;
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- } else {
-- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
-- return CKR_FUNCTION_FAILED;
-+ EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- }
-+
-+ return rc;
- }
-
-
-@@ -3169,11 +3171,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech,
- return CKR_HOST_MEMORY;
- }
-
-- if (h_opaque_2_blob(key, &blob, &blob_len) != CKR_OK) {
-+ rc = h_opaque_2_blob(key, &blob, &blob_len);
-+ if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
-- return CKR_FUNCTION_FAILED;
-+ return rc;
- }
--
-+
- if (op == DECRYPT) {
- rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob,
- blob_len, ep11tok_target);
diff --git a/ocki-3.1_05_ep11_readme_update.patch b/ocki-3.1_05_ep11_readme_update.patch
deleted file mode 100644
index e4c2fce..0000000
--- a/ocki-3.1_05_ep11_readme_update.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-commit 6589fae1561d1d050b743d3ff5e0b846616664a0
-Author: Ingo Tuchscherer
-Date: Wed Feb 12 15:56:46 2014 -0600
-
- EP11: some README updates about usage and restrictions.
-
- Signed-off-by: Joy Latten
-
-diff --git a/doc/README.ep11_stdll b/doc/README.ep11_stdll
-index dedb76c..e972391 100644
---- a/doc/README.ep11_stdll
-+++ b/doc/README.ep11_stdll
-@@ -3,8 +3,8 @@ EP11 Token
-
- The EP11 token is a token that uses the IBM Crypto Express adapters
- (starting with Crypto Express 4S adapters) configured with Enterprise
--PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with
--that firmware load are also called CEXnP adapters for n >= 4.
-+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
-+firmware load are also called CEXnP adapters for n >= 4.
-
- The EP11 token is only supported on the System z architecture and requires a
- Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
-@@ -17,14 +17,13 @@ Configuration
- -------------
-
- To use the EP11 token a slot entry must be defined in the general opencryptoki
--configuration file that sets the stdll attribute to libpkcs11_epp.so.
-+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
-
- A EP11 token specific configuration file must be set up to define the target
--adapters and target adapter domains. The name of the configuration file must
--be defined in the global openCryptoki configuration opencryptoki.conf file
--as part of the token specification using the confname attribute.
--
--E.g. the entry,
-+adapters and target adapter domains. The name of the configuration file must be
-+defined in the global openCryptoki configuration opencryptoki.conf file as part
-+of the token specification using the confname attribute.
-+E.g. the entry
-
- slot 4
- {
-@@ -35,39 +34,39 @@ confname = ep11tok.conf
- defines the name of the configuration file of the EP11 token to be
- ep11tok.conf. Per default this file is searched in the directory where
- openCryptoki searches its global configuration file. This default path can
--be overwritten using the OCK_EP11_TOKEN_DIR environment variable.
--
--EP11 token configuration files defines a list of adapter/domain pairs to
--which the EP11 token sends its cryptographic requests. This list can be
--specified as a white list starting with a line containing the key word
--APQN_WHITELIST followed by one or more lines containing each 2 white space
--separted positive integers followed by a line with the key word END.
--In each of these lines the first integer denotes the adapter number
--and the second integer denotes the domain id. Alternatively the keyword
--APQN_ANY can be used to define that all adapter/domain pairs with EP11
--firmware load that are available to the system shall be used as target
--adapters. An adapter number corresponds to the numerical part xx of an
--adapter id of the form cardxx as displayed by the lszcrypt tool or in
--the sys file system (e.g. in /sys/bus/ap/devices).
--Currently Linux on z only supports a single domain. That domain number
--can be displayed with lszcrypt -b (see the value of ap_domain) or
--alternatively as contents of /sys/bus/ap/ap_domain.
-+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
-+
-+EP11 token configuration files defines a list of adapter/domain pairs to which
-+the EP11 token sends its cryptographic requests. This list can be specified as
-+a white list starting with a line containing the key word APQN_WHITELIST
-+followed by one or more lines containing each two integers (in the range
-+of 0 - 255) separated by a white space. The white list is ended with a line
-+containing the key word END. In each of lines of the white list the first
-+integer denotes the adapter number and the second integer denotes the domain
-+id. Alternatively the keyword APQN_ANY can be used to define that all
-+adapter/domain pairs with EP11 firmware load that are available to the system
-+shall be used as target adapters. An adapter number corresponds to the
-+numerical part xx of an adapter id of the form cardxx as displayed by the
-+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
-+Currently Linux on z only supports a single domain. That domain number can be
-+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
-+contents of /sys/bus/ap/ap_domain.
-
- In addition to the target adapter a log level can be defined in the EP11
--configuration file using a line consisting of the key word LOGLEVEL
--followed by an integer between 0 and 9.
-+configuration file using a line consisting of the key word LOGLEVEL followed
-+by an integer between 0 and 9.
-
- Logging
- -------
-
- If a log level greater than 0 is defined in the environment variable
--OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11
--configuration file then log entries are written to a log file
--/var/log/ock_ep11_token..log where is the process id of the
--process using the EP11 token.
-+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
-+file then log entries are written to a log file
-+/var/log/ock_ep11_token..log where is the process id of the process
-+using the EP11 token.
-
--Note, that the handling of EP11 logs is subject to change in future
--releases of opencryptoki.
-+Note, that the handling of EP11 logs is subject to change in future releases
-+of opencryptoki.
-
- Crypto Express Adapter EP11 Master Key Management
- -------------------------------------------------
-@@ -77,28 +76,27 @@ object repository (in the TOK_OBJ directory within the EP11 token directory)
- become invalid.
-
- The key migration tool pkcsep11_migrate can be used to perform the migration
--of the current EP11 master keys to new master keys. Therefore the
--following steps must be performed:
--
--1) on the Trusted Key Entry console (TKE): submit and commit
--new master keys on the EP11 adapter(s)
--2) on Linux: stop all processes using openCryptoki with the EP11 token
--3) on Linux: back up the token object repository of the EP11 token
--4) on Linux: migrate keys of object repository of EP11 token with
--migration tool. If a failure occurs restore the backed up token
--repository and retry step 4
--5) on the TKE: activate new master keys on the EP11 adapter(s)
--6) on Linux: restart applications using openCryptoki with the EP11 token
-+of the current EP11 master keys to new master keys. Therefore the following
-+steps must be performed:
-+1) On the Trusted Key Entry console (TKE): Submit and commit new master
-+keys on the EP11 adapter(s).
-+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
-+3) On Linux: Back up the token object repository of the EP11 token.
-+4) On Linux: Migrate keys of object repository of EP11 token with
-+migration tool. If a failure occurs restore the backed up token repository
-+and retry step 4.
-+5) On the TKE: Activate new master keys on the EP11 adapter(s).
-+6) On Linux: Restart applications using openCryptoki with the EP11 token.
-
- Token specifics
- ---------------
-
--The EP11 token only supports secure keys (i.e. key wrapped by a master key
--of the Crypto Express adapter). Therefore all keys must have the attribute
--CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define
--a (token specific) default for secure keys the attribute must be explicitly
--provided whenever a secret key is generated, unwrapped or created with
--C_CreateObject. In addition all keys used with the EP11 token are extractable
-+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
-+the Crypto Express adapter). Therefore all keys must have the attribute
-+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
-+(token specific) default for secure keys the attribute must be explicitly
-+provided whenever a secret key is generated, unwrapped or build with
-+C_CreateObject. In addition all keys used with the EP11 token are extractable.
- i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
-
- When creating keys the default values of the attributes CKA_ENCRYPT,
-@@ -108,18 +106,21 @@ Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
- All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
- or equal to 17.
-
--See the mechanism list and mechanism info (pkcsconf -m) for supported
--mechanisms together with supported functions and key sizes.
--Note the supported mechanism list is currently fixed and matches the
--most stringent setting of the Crypto Express adapter.
-+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
-+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
-+RSA primes (p or q) must be a multiple of 128 bits and the length of the
-+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
-
--Temporary Restrictions & Circumventions
-----------------------------------------
-+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
-+a length that is a multiple of the block size of DES3 or AES respectively.
-
--Wrapping 192 bit AES keys with the mechanism CKM_AES_CBC is not supported, use
--CKM_AES_CBC_PAD instead.
-+See the mechanism list and mechanism info (pkcsconf -m) for supported
-+mechanisms together with supported functions and key sizes. Note the
-+supported mechanism list is currently fix and matches the most stringent
-+setting of the Crypto Express adapter.
-
--Importing RAS private keys with C_Unwrap is not supported for key sizes that
--are not a multiple of AES blocksize. No circumvention possible.
-+Note, the EP11 coprocessor adapter can be configured to restrict the
-+cryptographic capababilities in order for the adapter to comply with specific
-+security requirements and regulations. Such restrictions on the adapter impact
-+the capabilitiy of the EP11 token.
-
--CKM_SHA512_HMAC is not supported. No circumvention possible.
diff --git a/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch b/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
deleted file mode 100644
index 46bb07b..0000000
--- a/ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 68a30e9bf0e494057a889e06623dd0d8ab95acf7 Mon Sep 17 00:00:00 2001
-From: Harald Freudenberger
-Date: Wed, 2 Apr 2014 12:03:53 -0500
-Subject: [PATCH 1/6] print_mechanism() ignored bad returncodes from the
- called function token_specific_get_mechanism_list(). So
- the token init was just running fine but mechanism list
- kept empty (eg. because of wrong adapter
- configuration). Fixed this and adjusted some of the
- related log messages.
-
-Signed-off-by: Harald Freudenberger
----
- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 32 +++++++++++++++++++++++--------
- 1 file changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-index 90d3df1..4e3703b 100644
---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-@@ -1140,17 +1140,27 @@ static CK_RV print_mechanism(void)
- CK_ULONG count = 0;
- int i;
- CK_MECHANISM_INFO m_info;
-+ CK_RV rc;
-
-- /* only informational */
-- (void) token_specific_get_mechanism_list(list, &count);
-+ /* first call is just to fetch the count value */
-+ rc = token_specific_get_mechanism_list(list, &count);
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"can't fetch mechanism list.");
-+ return rc;
-+ }
- list = (CK_MECHANISM_TYPE_PTR)malloc(sizeof(CK_MECHANISM_TYPE) * count);
- if (!list) {
- EP11TOK_ELOG(1,"Memory allocation failed.");
- return CKR_HOST_MEMORY;
- }
-
-- /* only informational */
-- (void) token_specific_get_mechanism_list(list, &count);
-+ /* now really fill the list */
-+ rc = token_specific_get_mechanism_list(list, &count);
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"can't fetch mechanism list!");
-+ free(list);
-+ return rc;
-+ }
-
- EP11TOK_LOG(2,"EP11 token mechanism list, %lu entries:", count);
- for (i = 0; i < count; i++) {
-@@ -1170,6 +1180,7 @@ static CK_RV print_mechanism(void)
- EP11TOK_LOG(2," %s {%lu,%lu%s}", ep11_get_ckm(list[i]),
- m_info.ulMinKeySize, m_info.ulMaxKeySize, strflags);
- }
-+
- free(list);
- return CKR_OK;
- }
-@@ -1295,7 +1306,11 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
- }
-
- /* print mechanismlist to log file */
-- (void)print_mechanism();
-+ rc = print_mechanism();
-+ if (rc != CKR_OK) {
-+ EP11TOK_ELOG(1,"failure on fetching mechanism list rc=0x%lx, maybe wrong config ?", rc);
-+ return CKR_GENERAL_ERROR;
-+ }
-
- /* create an AES key needed for importing keys
- * (encrypt by wrap_key and m_UnwrapKey by wrap key)
-@@ -3528,7 +3543,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
- rc = m_GetMechanismList(0, pMechanismList, pulCount,
- ep11tok_target);
- if (rc != CKR_OK) {
-- EP11TOK_ELOG(1,"bad rc #1 rc=0x%lx", rc);
-+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
- return rc;
- }
-
-@@ -3543,7 +3558,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
- }
- rc = m_GetMechanismList(0, mlist, &counter, ep11tok_target);
- if (rc != CKR_OK) {
-- EP11TOK_ELOG(1,"bad rc #2 rc=0x%lx", rc);
-+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
- free(mlist);
- return rc;
- }
-@@ -3573,7 +3588,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
- */
- rc = m_GetMechanismList(0,mlist,&counter,ep11tok_target);
- if (rc != CKR_OK) {
-- EP11TOK_ELOG(1,"bad rc #3 rc=0x%lx", rc);
-+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
- return rc;
- }
-
-@@ -3743,6 +3758,7 @@ static int read_adapter_config_file(const char* conf_name)
-
- if (!conf_name) {
- /* no conf_name was given, should not happen */
-+ EP11TOK_ELOG(1,"no conf_name argument found");
- return APQN_FILE_INV_1;
- }
-
---
-1.7.12.4
-
diff --git a/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch b/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
deleted file mode 100644
index c8a2c78..0000000
--- a/ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
+++ /dev/null
@@ -1,172 +0,0 @@ -From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001 -From: Harald Freudenberger -Date: Wed, 2 Apr 2014 12:05:12 -0500 -Subject: [PATCH 2/6] Fix failure when confname is not given, use default - ep11tok.conf instead. - -Slight rework on the way how the ep11 token config file is found: -If env has no OCK_EP11_TOKEN_DIR - if confname is not null, try to use it - if this fails, try ock default config dir + confname - if this fails, try ock default config dir + ep11tok.conf -if OCK_EP11_TOKEN_DIR given then - if confname is not null, try OCK_EP11_TOKEN_DIR + confname - if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf -if still unsuccessful then token init will fail. - -Signed-off-by: Harald Freudenberger ---- - usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------ - 1 file changed, 52 insertions(+), 33 deletions(-) - -diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c -index 4e3703b..0eea8c9 100644 ---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c -+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c -@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism) - static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle, - CK_BYTE **blob, size_t *blob_len); - -+#define EP11_DEFAULT_CFG_FILE "ep11tok.conf" - #define EP11_CFG_FILE_SIZE 4096 - - /* error rc for reading the adapter config file */ -@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na - } - } - EP11TOK_LOG(1,"init running"); -+ -+ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... 
*/ -+ rc = read_adapter_config_file(conf_name); -+ if (rc != CKR_OK) { -+ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc); -+ return CKR_GENERAL_ERROR; -+ } - - /* wrap key name */ - memset(wrap_key_name, 0, sizeof(wrap_key_name)); -@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na - return CKR_DEVICE_ERROR; - } - #endif -- -- /* user specified adapter/domain pairs the token is supposed to use */ -- rc = read_adapter_config_file(conf_name); -- if (rc != CKR_OK) { -- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc); -- return CKR_GENERAL_ERROR; -- } -- -+ - /* print mechanismlist to log file */ - rc = print_mechanism(); - if (rc != CKR_OK) { -@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name) - if (ep11_initialized) { - return 0; - } -- -+ - memset(fname,0,PATH_MAX); -- -- if (!conf_name) { -- /* no conf_name was given, should not happen */ -- EP11TOK_ELOG(1,"no conf_name argument found"); -- return APQN_FILE_INV_1; -- } - - /* via envrionment variable it is possible to overwrite the -- * config file given in the opencryptoki.conf. Then we use -- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf. -+ * directory where the ep11 token config file is searched. - */ - if (conf_dir) { -- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name); -- ap_fp = fopen(fname,"r"); -- } -- -- /* if there was no environment variable or fopen failed, use the -- * default given from opencryptoki.conf via conf_name argument. 
-- */ -- if (!ap_fp) { -- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name); -- ap_fp = fopen(fname,"r"); -+ if (conf_name && strlen(conf_name) > 0) { -+ /* extract filename part from conf_name */ -+ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--); -+ if (i < strlen(conf_name)-1) { -+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1); -+ fname[sizeof(fname)-1] = '\0'; -+ ap_fp = fopen(fname,"r"); -+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); -+ } -+ } -+ if (!ap_fp) { -+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE); -+ fname[sizeof(fname)-1] = '\0'; -+ ap_fp = fopen(fname,"r"); -+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); -+ } -+ } else { -+ if (conf_name && strlen(conf_name) > 0) { -+ strncpy(fname, conf_name, sizeof(fname)); -+ fname[sizeof(fname)-1] = '\0'; -+ ap_fp = fopen(fname,"r"); -+ if (!ap_fp) { -+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); -+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name); -+ fname[sizeof(fname)-1] = '\0'; -+ ap_fp = fopen(fname,"r"); -+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); -+ } -+ } else { -+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE); -+ fname[sizeof(fname)-1] = '\0'; -+ ap_fp = fopen(fname,"r"); -+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno); -+ } - } -- -+ - /* now we should really have an open ep11 token config file */ - if (!ap_fp) { - EP11TOK_ELOG(1,"no valid EP 11 config file found"); - return APQN_FILE_INV_2; - } -- -+ - EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname); -- -+ - /* read config file line by line, - * ignore empty and # and copy rest into file buf - */ -@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name) - } - - ep11_targets.length = 0; -- -+ - for (i=0,j=0,str=filebuf; rc == 0; str=NULL) { - /* strtok tokenizes the 
string, - * delimiters are newline and whitespace. - */ - token = strtok(str, "\n\t "); -- -+ - if (i == 0) { - /* expecting APQN_WHITELIST or APQN_BLACKLIST - * or APQN_ANY or LOGLEVEL or eof. -@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name) - /* do some checks: */ - if (rc == 0) { - if ( !(whitemode || blackmode || anymode)) { -- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY"); -+ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:" -+ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY"); - rc = APQN_FILE_NO_APQN_MODE; - } else if (whitemode || blackmode) { - /* at least one APQN needs to be defined */ --- -1.7.12.4 - diff --git a/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch b/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch deleted file mode 100644 index 1183dc7..0000000 --- a/ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 2bca1b392214241f84065d7709681c029b43b444 Mon Sep 17 00:00:00 2001
-From: Harald Freudenberger
-Date: Mon, 14 Apr 2014 11:48:56 -0500
-Subject: [PATCH 3/6] Configure was checking for the ep11 lib and the m_init()
- function. As this library will be dynamically loaded at
- run time and there is no dependency at build time (but
- build will break if ep11 lib is not available) removed
- this check.
-
-Signed-off-by: Harald Freudenberger
----
- configure.in | 9 ++-------
- 1 file changed, 2 insertions(+), 7 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index ac41e84..1a1601c 100644
---- a/configure.in
-+++ b/configure.in
-@@ -372,14 +372,9 @@ if test "x$with_zcrypt" != "xno"; then
- ])
-
- if test "x$with_zcrypt" != "xno"; then
-- AC_CHECK_LIB([ep11], [m_init],
-- [with_zcrypt=yes], [
-- if test "x$with_zcrypt" != "xcheck"; then
-- AC_MSG_ERROR([Build with zcrypt requested but zcrypt libraries couldn't be found])
-- fi
-- with_zcrypt=no
-- ])
-+ with_zcrypt=no
- fi
-+
- if test "x$with_zcrypt" = "xno"; then
- CFLAGS="$old_cflags"
- LIBS="$old_libs"
---
-1.7.12.4
-
diff --git a/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch b/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
deleted file mode 100644
index 3ada476..0000000
--- a/ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 11e808223faa9c334858e38acacf277079264beb Mon Sep 17 00:00:00 2001
-From: Harald Freudenberger
-Date: Mon, 14 Apr 2014 12:02:48 -0500
-Subject: [PATCH 4/6] The asm/zcrypt.h header file uses some std int types and
- so the stdint.h include statement should occur before
- the zcrypt header file.
-
-Signed-off-by: Harald Freudenberger
----
- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-index 0eea8c9..373be5b 100644
---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-@@ -296,6 +296,7 @@
- #include
- #include
- #include
-+#include
-
- #include "pkcs11types.h"
- #include "defs.h"
-@@ -314,7 +315,6 @@
- #include
- #include
- #include
--#include
- #include
- #include
-
---
-1.7.12.4
-
diff --git a/ocki-3.1_06_0005-Small-reworks.patch b/ocki-3.1_06_0005-Small-reworks.patch
deleted file mode 100644
index 6619297..0000000
--- a/ocki-3.1_06_0005-Small-reworks.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From b0fc36e0e1fd549164a2502213163ce23d2f0138 Mon Sep 17 00:00:00 2001 -From: Harald Freudenberger -Date: Mon, 14 Apr 2014 13:13:11 -0500 -Subject: [PATCH 5/6] Small reworks: - Some of the ock testcase c files are - tracked by git as 755. Fixed, c code files should - appear 644 now. - pkcs11 misc_func test improved to - show not just the mechanism number but also the - (preprocessor defined) mechanism name. - misc speed - test rsa encrypt receive buffer increased so the - "buffer size too small" is fixed now. - misc speed test - rsa uses now an exponent value of 17 (0x01,0x00,0x01) - instead of 3 (0x03). Some tokens (eg. ep11) do not - allow such low exponents and reject RSA key - generation. - -Signed-off-by: Harald Freudenberger -Signed-off-by: Joy Latten ---- - testcases/misc_tests/speed.c | 14 ++++++++------ - testcases/pkcs11/misc_func.c | 3 ++- - 2 files changed, 10 insertions(+), 7 deletions(-) - mode change 100755 => 100644 testcases/crypto/aes_func.c - mode change 100755 => 100644 testcases/crypto/des3_func.c - mode change 100755 => 100644 testcases/crypto/des_func.c - mode change 100755 => 100644 testcases/crypto/digest_func.c - mode change 100755 => 100644 testcases/crypto/dsa_func.c - mode change 100755 => 100644 testcases/crypto/rsa_func.c - mode change 100755 => 100644 testcases/crypto/ssl3_func.c - mode change 100755 => 100644 testcases/pkcs11/misc_func.c - mode change 100755 => 100644 testcases/pkcs11/sess_mgmt.c - mode change 100755 => 100644 testcases/pkcs11/sess_perf.c - -diff --git a/testcases/crypto/aes_func.c b/testcases/crypto/aes_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/crypto/des3_func.c b/testcases/crypto/des3_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/crypto/des_func.c b/testcases/crypto/des_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/crypto/digest_func.c b/testcases/crypto/digest_func.c -old mode 100755 -new mode 100644 -diff --git 
a/testcases/crypto/dsa_func.c b/testcases/crypto/dsa_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/crypto/ssl3_func.c b/testcases/crypto/ssl3_func.c -old mode 100755 -new mode 100644 -diff --git a/testcases/misc_tests/speed.c b/testcases/misc_tests/speed.c -index 102ba72..5df3169 100755 ---- a/testcases/misc_tests/speed.c -+++ b/testcases/misc_tests/speed.c -@@ -60,6 +60,7 @@ long speed_process_time(SYSTEMTIME t1, SYSTEMTIME t2) - int do_RSA_PKCS_EncryptDecrypt( void ) - { - CK_BYTE data1[100]; -+ CK_BYTE data2[200]; - CK_BYTE signature[256]; - CK_SLOT_ID slot_id; - CK_SESSION_HANDLE session; -@@ -69,14 +70,14 @@ int do_RSA_PKCS_EncryptDecrypt( void ) - CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; - CK_ULONG user_pin_len; - CK_ULONG i; -- CK_ULONG len1, sig_len; -+ CK_ULONG len1, len2, sig_len; - CK_RV rc; - - SYSTEMTIME t1, t2; - CK_ULONG diff, min_time, max_time, avg_time; - - CK_ULONG bits = 1024; -- CK_BYTE pub_exp[] = { 0x3 }; -+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; - - CK_ATTRIBUTE pub_tmpl[] = - { -@@ -190,7 +191,8 @@ int do_RSA_PKCS_EncryptDecrypt( void ) - return FALSE; - } - -- rc = funcs->C_Decrypt( session, signature,sig_len,data1, &len1 ); -+ len2 = sizeof(data2); -+ rc = funcs->C_Decrypt( session, signature, sig_len, data2, &len2 ); - if (rc != CKR_OK) { - show_error(" C_Decrypt #1", rc ); - return FALSE; -@@ -259,7 +261,7 @@ int do_RSA_KeyGen_2048( void ) - { - SYSTEMTIME t1, t2; - CK_ULONG bits = 2048; -- CK_BYTE pub_exp[] = { 0x3 }; -+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; - - CK_ATTRIBUTE pub_tmpl[] = - { -@@ -368,7 +370,7 @@ int do_RSA_KeyGen_1024( void ) - { - SYSTEMTIME t1, t2; - CK_ULONG bits = 1024; -- CK_BYTE pub_exp[] = { 0x3 }; -+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; - - CK_ATTRIBUTE pub_tmpl[] = - { -@@ -468,7 +470,7 @@ int do_RSA_PKCS_SignVerify_1024( void ) - CK_ULONG diff, min_time, max_time, avg_time; - - 
CK_ULONG bits = 1024; -- CK_BYTE pub_exp[] = { 0x3 }; -+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 }; - - CK_ATTRIBUTE pub_tmpl[] = - { -diff --git a/testcases/pkcs11/misc_func.c b/testcases/pkcs11/misc_func.c -old mode 100755 -new mode 100644 -index 8103649..d6619fd ---- a/testcases/pkcs11/misc_func.c -+++ b/testcases/pkcs11/misc_func.c -@@ -602,7 +602,8 @@ CK_RV do_GetMechanismInfo( void ) - return rc; - } - -- printf(" Mechanism #%ld\n", mech_list[i] ); -+ printf(" Mechanism #%ld %s\n", mech_list[i], -+ p11_get_ckm(mech_list[i]) ); - printf(" ulMinKeySize: %ld\n", info.ulMinKeySize ); - printf(" ulMaxKeySize: %ld\n", info.ulMaxKeySize ); - printf(" flags: %p\n", (void *)info.flags ); -diff --git a/testcases/pkcs11/sess_mgmt.c b/testcases/pkcs11/sess_mgmt.c -old mode 100755 -new mode 100644 -diff --git a/testcases/pkcs11/sess_perf.c b/testcases/pkcs11/sess_perf.c -old mode 100755 -new mode 100644 --- -1.7.12.4 - diff --git a/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch b/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch deleted file mode 100644 index 9fa3b14..0000000 --- a/ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 10f4766cd6782f3d15e42a985cdf909fe4c7762e Mon Sep 17 00:00:00 2001
-From: Harald Freudenberger
-Date: Tue, 15 Apr 2014 13:16:33 -0500
-Subject: [PATCH 6/6] The 31 bit build on s390 showed an build error at
- initialization of an static long long variable which
- gets an address assigned. Fixed and tested on 31 and 64
- bit.
-
-Signed-off-by: Harald Freudenberger
----
- usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-index 373be5b..5aa890b 100644
---- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
-@@ -407,9 +407,9 @@ static ep11_target_t ep11_targets;
- /* defined in the makefile, ep11 library can run standalone (without HW card),
- crypto algorithms are implemented in software then (no secure key) */
- #ifdef EP11_STANDALONE
--unsigned long long ep11tok_target = 0x0000000100000008ull;
-+static unsigned long long ep11tok_target = 0x0000000100000008ull;
- #else
--unsigned long long ep11tok_target = (unsigned long long) &ep11_targets;
-+static void* ep11tok_target = (void*) &ep11_targets;
- #endif
-
- /* */
---
-1.7.12.4
-
diff --git a/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch b/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
deleted file mode 100644
index 0ebabab..0000000
--- a/ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 5b8d304e050467e4acfd02dcefdcebad0e61c472 Mon Sep 17 00:00:00 2001
-From: Harald Freudenberger
-Date: Wed, 30 Apr 2014 11:42:29 -0500
-Subject: [PATCH] ep11 is not building because not setting with_zcrypt
- correctly.
-
-Signed-off-by: Harald Freudenberger
----
- configure.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.in b/configure.in
-index 1a1601c..66bb329 100644
---- a/configure.in
-+++ b/configure.in
-@@ -372,7 +372,7 @@ if test "x$with_zcrypt" != "xno"; then
- ])
-
- if test "x$with_zcrypt" != "xno"; then
-- with_zcrypt=no
-+ with_zcrypt=yes
- fi
-
- if test "x$with_zcrypt" = "xno"; then
---
-1.7.12.4
-
diff --git a/ocki-3.1_07_0001-Man-page-corrections.patch b/ocki-3.1_07_0001-Man-page-corrections.patch
deleted file mode 100644
index ad7d31f..0000000
--- a/ocki-3.1_07_0001-Man-page-corrections.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 417e55a76a3a52dfb22f0055230c74b083d9e3a7 Mon Sep 17 00:00:00 2001 -From: Joy Latten -Date: Fri, 29 Aug 2014 12:40:35 -0500 -Subject: [PATCH] Man page corrections. - -Remove references to obsoleted pk_config_data and pkcs11_startup -in the pkcsslotd man page. Other changes made as necessary. - -Signed-off-by: Joy Latten ---- - man/man5/opencryptoki.conf.5.in | 12 +++++++++++- - man/man8/pkcsslotd.8.in | 6 ++---- - 2 files changed, 13 insertions(+), 5 deletions(-) - -diff --git a/man/man5/opencryptoki.conf.5.in b/man/man5/opencryptoki.conf.5.in -index e13c110..f3aabd1 100644 ---- a/man/man5/opencryptoki.conf.5.in -+++ b/man/man5/opencryptoki.conf.5.in -@@ -3,7 +3,7 @@ - opencryptoki.conf \- Configuration file for pkcsslotd. - - .SH DESCRIPTION --pkcsslotd uses a configuration file at "@sysconfdir@"/opencryptoki.conf -+pkcsslotd uses a configuration file at @sysconfdir@/opencryptoki/opencryptoki.conf - - This is a text file that contains information used to configure - pkcs#11 slots. At startup, the pkcsslotd daemon parses this file to -@@ -51,6 +51,16 @@ Version number of the slot's firmware, if any. The version number is composed - of a major version number (the integer portion of the version) and a - minor version number (the hundredths portion of the version). - .TP -+.BR confname -+If the slot is associated with a token that has its own configuration file, -+this option identifies the name of that configuration file. -+For example, confname=ep11tok.conf -+ -+.SH Notes -+The pound sign ('#') is used to indicate a comment. -+Both the comment character and any text after it, up to the end of the line, -+are ignored. The comment character cannot be used inside the brackets of -+slot descriptions, as this will cause a syntax error. 
- - .SH "SEE ALSO" - .PD 0 -diff --git a/man/man8/pkcsslotd.8.in b/man/man8/pkcsslotd.8.in -index c5d7280..db113e9 100644 ---- a/man/man8/pkcsslotd.8.in -+++ b/man/man8/pkcsslotd.8.in -@@ -29,9 +29,7 @@ manual page for details. - .TP - \fBopencryptoki\fP(7), - .TP --\fBpkcsconf\fP(1), --.TP --\fBpk_config_data\fP(5), -+\fBopencryptoki.conf\fP(5), - .TP --\fBpkcs11_startup\fP(1). -+\fBpkcsconf\fP(1), - .PD --- -1.8.1.4 - diff --git a/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch b/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch deleted file mode 100644 index b27d5de..0000000 --- a/ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch +++ /dev/null 
@@ -1,783 +0,0 @@ -From afb086ce22bd1ff4d0f1cf0768dfff3c03424096 Mon Sep 17 00:00:00 2001 -From: Joy Latten -Date: Thu, 28 Aug 2014 00:36:43 -0500 -Subject: [PATCH 1/2] Add a pkcscca tool to help migrate cca private token - objects from v2(encrypted with cca hardware) to v3 (encrypted in software) - -Signed-off-by: Joy Latten ---- - configure.in | 1 + - usr/sbin/Makefile.am | 6 +- - usr/sbin/pkcscca/Makefile.am | 14 + - usr/sbin/pkcscca/pkcscca.c | 661 +++++++++++++++++++++++++++++++++++++++++++ - usr/sbin/pkcscca/pkcscca.h | 49 ++++ - 5 files changed, 730 insertions(+), 1 deletion(-) - create mode 100644 usr/sbin/pkcscca/Makefile.am - create mode 100644 usr/sbin/pkcscca/pkcscca.c - create mode 100644 usr/sbin/pkcscca/pkcscca.h - -Index: opencryptoki/configure.in -=================================================================== ---- opencryptoki.orig/configure.in -+++ opencryptoki/configure.in -@@ -818,6 +818,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \ - usr/sbin/pkcsslotd/Makefile \ - usr/sbin/pkcsconf/Makefile \ - usr/sbin/pkcsicsf/Makefile \ -+ usr/sbin/pkcscca/Makefile \ - usr/sbin/pkcscca_migrate/Makefile \ - usr/sbin/pkcsep11_migrate/Makefile \ - usr/lib/pkcs11/methods/Makefile \ -Index: opencryptoki/usr/sbin/Makefile.am -=================================================================== ---- opencryptoki.orig/usr/sbin/Makefile.am -+++ opencryptoki/usr/sbin/Makefile.am -@@ -11,4 +11,8 @@ if ENABLE_PKCSEP11_MIGRATE - PKCSEP11_MIGRATE_DIR = pkcsep11_migrate - endif - --SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) -+if ENABLE_CCATOK -+PKCSCCA_DIR = pkcscca -+endif -+ -+SUBDIRS = pkcsslotd pkcsconf $(PKCSICSF_DIR) $(PKCSCCA_MIGRATE_DIR) $(PKCSEP11_MIGRATE_DIR) $(PKCSCCA_DIR) -Index: opencryptoki/usr/sbin/pkcscca/Makefile.am -=================================================================== ---- /dev/null -+++ opencryptoki/usr/sbin/pkcscca/Makefile.am -@@ -0,0 +1,14 @@ -+sbin_PROGRAMS=pkcscca -+ 
-+pkcscca_CFLAGS = -DSTDLL_NAME=\"pkcscca\" -+pkcscca_LDFLAGS = -lcrypto -ldl -+ -+# Not all versions of automake observe sbinname_CFLAGS -+AM_CFLAGS = -DSTDLL_NAME=\"pkcscca\" -+ -+pkcscca_SOURCES = ../../lib/pkcs11/common/p11util.c \ -+ ../../lib/pkcs11/common/sw_crypt.c \ -+ ../../lib/pkcs11/common/log.c \ -+ pkcscca.c -+ -+INCLUDES = -I. -I../../include/pkcs11 -I../../lib/pkcs11/common -Index: opencryptoki/usr/sbin/pkcscca/pkcscca.c -=================================================================== ---- /dev/null -+++ opencryptoki/usr/sbin/pkcscca/pkcscca.c -@@ -0,0 +1,661 @@ -+/* -+ * Licensed materials - Property of IBM -+ * -+ * pkcscca - A tool for PKCS#11 CCA token. -+ * Currently, only migrates CCA private token objects from CCA cipher -+ * to using a software cipher. -+ * -+ * -+ * Copyright (C) International Business Machines Corp. 2014 -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "sw_crypt.h" -+#include "pkcscca.h" -+ -+void (*CSNBDEC)(); -+int v_flag = 0; -+ -+int compute_hash(int hash_type, int buf_size, char *buf, char *digest) -+{ -+ EVP_MD_CTX md_ctx; -+ unsigned int result_size; -+ int rc; -+ -+ switch (hash_type) { -+ case HASH_SHA1: -+ rc = EVP_DigestInit(&md_ctx, EVP_sha1()); -+ break; -+ case HASH_MD5: -+ rc = EVP_DigestInit(&md_ctx, EVP_md5()); -+ break; -+ default: -+ return -1; -+ break; -+ } -+ -+ if (rc != 1) { -+ fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc); -+ return -1; -+ } -+ -+ rc = EVP_DigestUpdate(&md_ctx, buf, buf_size); -+ if (rc != 1) { -+ fprintf(stderr, "EVP_DigestUpdate() failed: rc = %d\n", rc); -+ return -1; -+ } -+ -+ result_size = EVP_MD_CTX_size(&md_ctx); -+ rc = EVP_DigestFinal(&md_ctx, (unsigned char *)digest, &result_size); -+ if (rc != 1) { -+ fprintf(stderr, "EVP_DigestFinal() failed: rc = %d\n", rc); -+ return -1; -+ } -+ -+ return 0; -+} -+ -+int cca_decrypt(unsigned char 
*in_data, unsigned long in_data_len, -+ unsigned char *out_data, unsigned long *out_data_len, -+ unsigned char *init_v, unsigned char *key_value) -+{ -+ long return_code, reason_code, rule_array_count, length; -+ unsigned char chaining_vector[18]; -+ unsigned char rule_array[256]; -+ -+ length = in_data_len; -+ rule_array_count = 1; -+ memcpy(rule_array, "CBC ", 8); -+ -+ CSNBDEC(&return_code, &reason_code, NULL, NULL, key_value, -+ &length, in_data, init_v, &rule_array_count, -+ rule_array, chaining_vector, out_data); -+ -+ if (return_code != 0) { -+ fprintf(stderr, "CSNBDEC (DES3 DECRYPT) failed: return_code=%ld reason_code=%ld\n", return_code, reason_code); -+ return -1; -+ } -+ *out_data_len = length; -+ return 0; -+} -+ -+int reencrypt_private_token_object(unsigned char *data, unsigned long len, -+ unsigned char *new_cipher, -+ unsigned long *new_cipher_len, -+ unsigned char *masterkey) -+{ -+ unsigned char *clear = NULL; -+ unsigned char des3_key[64]; -+ unsigned char sw_des3_key[3 * DES_KEY_SIZE]; -+ unsigned long clear_len; -+ CK_RV rc; -+ int ret; -+ -+ /* cca wants 8 extra bytes for padding purposes */ -+ clear_len = len + 8; -+ clear = (unsigned char *) malloc(clear_len); -+ if (!clear) { -+ fprintf(stderr, "malloc() failed: %s.\n", strerror(errno)); -+ ret =-1; -+ goto done; -+ } -+ -+ /* decrypt using cca des3 */ -+ memcpy(des3_key, masterkey, MASTER_KEY_SIZE); -+ ret = cca_decrypt(data, len, clear, &clear_len, "10293847", des3_key); -+ if (ret) -+ goto done; -+ -+ /* now encrypt using software des3 */ -+ memcpy(sw_des3_key, masterkey, 3 * DES_KEY_SIZE); -+ rc = sw_des3_cbc_encrypt(clear, clear_len, new_cipher, new_cipher_len, -+ "10293847", sw_des3_key); -+ if (rc != CKR_OK) -+ ret = -1; -+done: -+ if (clear) -+ free(clear); -+ -+ return ret; -+} -+ -+int load_private_token_objects(unsigned char *data_store, -+ unsigned char *masterkey) -+{ -+ FILE *fp1 = NULL, *fp2 = NULL; -+ unsigned char *buf = NULL; -+ unsigned char tmp[PATH_MAX], fname[PATH_MAX], 
iname[PATH_MAX]; -+ CK_BBOOL priv; -+ unsigned int size; -+ int rc, scount= 0, fcount = 0; -+ size_t read_size; -+ unsigned char *new_cipher; -+ unsigned long new_cipher_len; -+ -+ snprintf(iname, sizeof(iname), "%s/TOK_OBJ/OBJ.IDX", data_store); -+ -+ fp1 = fopen((char *)iname, "r"); -+ if (!fp1) -+ return -1; // no token objects -+ -+ while (!feof(fp1)) { -+ (void)fgets((char *)tmp, 50, fp1); -+ if (!feof(fp1)) { -+ tmp[strlen((char *)tmp) - 1] = 0; -+ -+ snprintf((char *)fname, sizeof(fname), "%s/TOK_OBJ/", -+ data_store); -+ strcat((char *)fname, (char *)tmp); -+ -+ fp2 = fopen((char *)fname, "r"); -+ if (!fp2) -+ continue; -+ -+ fread(&size, sizeof(unsigned int), 1, fp2); -+ fread(&priv, sizeof(CK_BBOOL), 1, fp2); -+ if (priv == FALSE) { -+ fclose(fp2); -+ continue; -+ } -+ -+ size = size - sizeof(unsigned int) - sizeof(CK_BBOOL); -+ buf = (unsigned char *) malloc(size); -+ if (!buf) { -+ fprintf(stderr, "Cannot malloc for object %s " -+ "(ignoring it).\n", tmp); -+ goto cleanup; -+ } -+ -+ read_size = fread((char *)buf, 1, size, fp2); -+ if (read_size != size) { -+ fprintf(stderr, "Cannot read object %s " -+ "(ignoring it).\n", tmp); -+ goto cleanup; -+ } -+ -+ new_cipher_len = size; -+ new_cipher = malloc(new_cipher_len); -+ if (!new_cipher) { -+ fprintf(stderr, "Cannot malloc space for new " -+ "cipher (ignoring object %s).\n", tmp); -+ goto cleanup; -+ } -+ -+ /* After reading the private token object, -+ * decrypt it using CCA des3 and then re-encrypt it -+ * using software des3. -+ */ -+ memset(new_cipher, 0, new_cipher_len); -+ rc = reencrypt_private_token_object(buf, size, -+ new_cipher, &new_cipher_len, -+ masterkey); -+ if (rc) -+ goto cleanup; -+ -+ fclose(fp2); -+ -+ /* now save the newly re-encrypted object back to -+ * disk in its original file. 
-+ */ -+ fp2 = fopen((char *)fname, "w"); -+ size = sizeof(unsigned int) + sizeof(CK_BBOOL) -+ + new_cipher_len; -+ (void)fwrite(&size, sizeof(unsigned int), 1, fp2); -+ (void)fwrite(&priv, sizeof(CK_BBOOL), 1, fp2); -+ (void)fwrite(new_cipher, new_cipher_len, 1, fp2); -+ rc = 0; -+ -+cleanup: -+ if (fp2) -+ fclose(fp2); -+ if (buf) -+ free(buf); -+ if (new_cipher) -+ free(new_cipher); -+ -+ if (rc) { -+ if (v_flag) -+ printf("Failed to process %s\n", fname); -+ fcount++; -+ } else { -+ if (v_flag) -+ printf("Processed %s.\n", fname); -+ scount++; -+ } -+ } -+ } -+ fclose(fp1); -+ printf("Successfully migrated %d object(s).\n", scount); -+ -+ if (v_flag && fcount) -+ printf("Failed to migrate %d object(s).\n", fcount); -+ -+ return 0; -+} -+ -+int load_masterkey(char *mkfile, char *pin, char *masterkey) -+{ -+ unsigned char des3_key[3 * DES_KEY_SIZE]; -+ unsigned char hash_sha[SHA1_HASH_SIZE]; -+ unsigned char pin_md5_hash[MD5_HASH_SIZE]; -+ unsigned char *cipher = NULL; -+ unsigned char *clear = NULL; -+ unsigned long cipher_len, clear_len; -+ int ret; -+ CK_RV rc; -+ FILE *fp = NULL; -+ -+ clear_len = cipher_len = MASTER_KEY_SIZE + SHA1_HASH_SIZE + (DES_BLOCK_SIZE - 1) & ~(DES_BLOCK_SIZE - 1); -+ -+ fp = fopen((char *)mkfile, "r"); -+ if (!fp) { -+ fprintf(stderr, "Could not open %s: %s\n", mkfile, -+ strerror(errno)); -+ return -1; -+ } -+ -+ cipher = malloc(cipher_len); -+ clear = malloc(clear_len); -+ if (cipher == NULL || clear == NULL) { -+ ret = -1; -+ goto done; -+ } -+ -+ ret = fread(cipher, cipher_len, 1, fp); -+ if (ret != 1) { -+ fprintf(stderr, "Could not read %s: %s\n", mkfile, -+ strerror(errno)); -+ ret = -1; -+ goto done; -+ } -+ -+ /* decrypt the masterkey */ -+ -+ ret = compute_md5(pin, strlen(pin), pin_md5_hash); -+ if (ret) { -+ fprintf(stderr, "Error calculating MD5 of PIN!\n"); -+ goto done; -+ } -+ -+ memcpy(des3_key, pin_md5_hash, MD5_HASH_SIZE); -+ memcpy(des3_key + MD5_HASH_SIZE, pin_md5_hash, DES_KEY_SIZE); -+ -+ rc = 
sw_des3_cbc_decrypt(cipher, cipher_len, clear, &clear_len, -+ (unsigned char *)"12345678", des3_key); -+ if (rc != CKR_OK) { -+ fprintf(stderr, "Error decrypting master key file after read"); -+ ret = -1; -+ goto done; -+ } -+ -+ /* -+ * technically should strip PKCS padding here but since I already know -+ * what the length should be, I don't bother. -+ * -+ * compare the hashes to verify integrity -+ */ -+ -+ ret = compute_sha1(clear, MASTER_KEY_SIZE, hash_sha); -+ if (ret) { -+ fprintf(stderr, "Failed to compute sha for masterkey.\n"); -+ goto done; -+ } -+ -+ if (memcmp(hash_sha, clear + MASTER_KEY_SIZE, SHA1_HASH_SIZE) != 0) { -+ fprintf(stderr, "%s appears to have been tampered!\n", mkfile); -+ fprintf(stderr, "Cannot migrate.\n"); -+ ret = -1; -+ goto done; -+ } -+ -+ memcpy(masterkey, clear, MASTER_KEY_SIZE); -+ ret = 0; -+ -+done: -+ if (fp) -+ fclose(fp); -+ if (clear) -+ free(clear); -+ if (cipher) -+ free(cipher); -+ -+ return ret; -+} -+ -+int get_pin(char **pin, size_t *pinlen) -+{ -+ struct termios old, new; -+ int nread; -+ char *buff = NULL; -+ size_t buflen; -+ int rc = 0; -+ -+ /* turn echoing off */ -+ if (tcgetattr(fileno(stdin), &old) != 0) -+ return -1; -+ -+ new = old; -+ new.c_lflag &= ~ECHO; -+ if (tcsetattr (fileno(stdin), TCSAFLUSH, &new) != 0) -+ return -1; -+ -+ /* read the pin -+ * Note: getline will allocate memory for buff. free it when done. -+ */ -+ nread = getline(&buff, &buflen, stdin); -+ if (nread == -1) { -+ rc = -1; -+ goto done; -+ } -+ -+ /* Restore terminal */ -+ (void) tcsetattr(fileno(stdin), TCSAFLUSH, &old); -+ -+ /* start a newline */ -+ printf("\n"); -+ fflush(stdout); -+ -+ /* Allocate PIN. -+ * Note: nread includes carriage return. -+ * Replace with terminating NULL. -+ */ -+ *pin = (unsigned char *)malloc(nread); -+ if (*pin == NULL) { -+ rc = -ENOMEM; -+ goto done; -+ } -+ -+ /* strip the carriage return since not part of pin. 
*/ -+ buff[nread - 1] = '\0'; -+ memcpy(*pin, buff, nread); -+ /* don't include the terminating null in the pinlen */ -+ *pinlen = nread - 1; -+ -+done: -+ if (buff) -+ free(buff); -+ -+ return rc; -+} -+ -+int verify_pins(char *data_store, char *sopin, unsigned long sopinlen, -+ char *userpin, unsigned long userpinlen) -+{ -+ TOKEN_DATA td; -+ unsigned char fname[PATH_MAX]; -+ unsigned char pin_sha[SHA1_HASH_SIZE]; -+ FILE *fp = NULL; -+ int ret; -+ -+ /* read the NVTOK.DAT */ -+ snprintf(fname, PATH_MAX, "%s/NVTOK.DAT", data_store); -+ fp = fopen((char *)fname, "r"); -+ if (!fp) { -+ fprintf(stderr, "Could not open %s: %s\n", fname, -+ strerror(errno)); -+ return -1; -+ } -+ -+ ret = fread(&td, sizeof(TOKEN_DATA), 1, fp); -+ if (ret != 1) { -+ fprintf(stderr, "Could not read %s: %s\n", fname, -+ strerror(errno)); -+ ret = -1; -+ goto done; -+ } -+ -+ /* Now compute the SHAs for the SO and USER pins entered. -+ * Compare with the SHAs for SO and USER PINs saved in -+ * NVTOK.DAT to verify. 
-+ */ -+ -+ if (sopin != NULL) { -+ ret = compute_sha1(sopin, sopinlen, pin_sha); -+ if (ret) { -+ fprintf(stderr, "Failed to compute sha for SO.\n"); -+ goto done; -+ } -+ -+ if (memcmp(td.so_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) { -+ fprintf(stderr, "SO PIN is incorrect.\n"); -+ ret = -1; -+ goto done; -+ } -+ } -+ -+ if (userpin != NULL) { -+ ret = compute_sha1(userpin, userpinlen, pin_sha); -+ if (ret) { -+ fprintf(stderr, "Failed to compute sha for USER.\n"); -+ goto done; -+ } -+ -+ if (memcmp(td.user_pin_sha, pin_sha, SHA1_HASH_SIZE) != 0) { -+ fprintf(stderr, "USER PIN is incorrect.\n"); -+ ret = -1; -+ goto done; -+ } -+ } -+ ret = 0; -+ -+done: -+ /* clear out the hash */ -+ memset(pin_sha, 0, SHA1_HASH_SIZE); -+ if (fp) -+ fclose(fp); -+ -+ return ret; -+} -+ -+void usage(char *progname) -+{ -+ printf("usage:\t%s -h | -m v2objectsv3 [OPTIONS] \n", progname); -+ printf(" -h\t\t\t\tshow this help\n"); -+ printf(" -m=migration_type\t\tCurrently the only type of CCA "); -+ printf("migration\n\t\t\t\tsupported is v2objectsv3. v2objectsv3 "); -+ printf("migrates\n\t\t\t\tCCA private token objects from CCA "); -+ printf("encryption\n\t\t\t\t(used in v2)to software encryption "); -+ printf("(used in v3). 
\n\n"); -+ printf("Migrate options (with -m v2objectsv3):\n"); -+ printf(" -d, --datastore=DIRECTORY\tCCA token datastore location\n"); -+ printf(" -v, --verbose\t\t\tprovide more detailed output\n"); -+ -+ return; -+} -+ -+int main(int argc, char **argv) -+{ -+ int ret, opt; -+ unsigned int m_flag = 0; -+ char *sopin = NULL, *userpin = NULL; -+ size_t sopinlen, userpinlen; -+ unsigned char masterkey[MASTER_KEY_SIZE]; -+ unsigned char *data_store = NULL; -+ unsigned char *m_type = NULL; -+ int data_store_len; -+ char fname[PATH_MAX]; -+ struct stat statbuf; -+ void *lib_csulcca; -+ -+ struct option long_opts[] = { -+ { "datastore", required_argument, NULL, 'd' }, -+ { "verbose", no_argument, NULL, 'v'}, -+ { 0, 0, 0, 0 } -+ }; -+ -+ int long_index; -+ while ((opt = getopt_long(argc, argv, "d:m:hv", long_opts, NULL)) != -1) { -+ switch (opt) { -+ case 'd': -+ data_store = strdup(optarg); -+ break; -+ -+ case 'h': -+ usage(argv[0]); -+ return 0; -+ -+ case 'm': -+ m_type = strdup(optarg); -+ break; -+ -+ case 'v': -+ v_flag++; -+ break; -+ -+ default: -+ usage(argv[0]); -+ return -1; -+ } -+ } -+ -+ if (m_type) { -+ if (memcmp(m_type, "v2objectsv3", strlen("v2objectsv3"))) { -+ fprintf(stderr, "unknown migration type\n"); -+ usage(argv[0]); -+ return -1; -+ } -+ } -+ -+ /* use default data_store if one is not given */ -+ if (data_store == NULL) { -+ data_store_len = strlen(TOK_DATASTORE); -+ data_store = malloc(data_store_len + 1); -+ if (data_store == NULL) { -+ fprintf(stderr, "malloc failed: %s\n",strerror(errno)); -+ return -1; -+ } -+ memset(data_store, 0, data_store_len + 1); -+ memcpy(data_store, TOK_DATASTORE, data_store_len); -+ } -+ -+ /* Verify that the data store is valid by looking for -+ * MK_SO, MK_USER, and TOK_OBJ/OBJ.IDX. 
-+ */ -+ -+ memset(fname, 0, PATH_MAX); -+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store); -+ if (stat(fname, &statbuf) != 0) { -+ fprintf(stderr, "Cannot find %s.\n", fname); -+ ret = -1; -+ goto done; -+ } -+ -+ memset(fname, 0, PATH_MAX); -+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store); -+ if (stat(fname, &statbuf) != 0) { -+ fprintf(stderr, "Cannot find %s.\n", fname); -+ ret = -1; -+ goto done; -+ } -+ -+ memset(fname, 0, PATH_MAX); -+ snprintf(fname, PATH_MAX, "%s/TOK_OBJ/OBJ.IDX", data_store); -+ if (stat(fname, &statbuf) != 0) { -+ fprintf(stderr, "Cannot find %s.\n", fname); -+ ret = -1; -+ goto done; -+ } -+ -+ /* If the OBJ.IDX is empty, then no objects to migrate. */ -+ if (statbuf.st_size == 0) { -+ printf("OBJ.IDX file is empty. Thus no objects to migrate.\n"); -+ goto done; -+ } -+ -+ if (v_flag) -+ printf("%s has an MK_SO, MK_USER and TOK/OBJ.IDX\n", -+ data_store); -+ -+ /* get the SO pin to authorize migration */ -+ printf("Enter the SO PIN: "); -+ fflush(stdout); -+ ret = get_pin(&sopin, &sopinlen); -+ if (ret != 0) { -+ fprintf(stderr, "Could not get SO PIN.\n"); -+ goto done; -+ } -+ -+ /* get the USER pin to authorize migration */ -+ printf("Enter the USER PIN: "); -+ fflush(stdout); -+ ret = get_pin(&userpin, &userpinlen); -+ -+ if (ret != 0) { -+ fprintf(stderr, "Could not get USER PIN.\n"); -+ goto done; -+ } -+ -+ /* Verify the SO and USER PINs entered. */ -+ ret = verify_pins(data_store, sopin, sopinlen, userpin, userpinlen); -+ if (ret) -+ goto done; -+ -+ lib_csulcca = dlopen(CCA_LIBRARY, (RTLD_GLOBAL | RTLD_NOW)); -+ if (lib_csulcca == NULL) { -+ fprintf(stderr, "dlopen(%s) failed: %s\n", CCA_LIBRARY, -+ strerror(errno)); -+ return -1; -+ } -+ -+ CSNBDEC = dlsym(lib_csulcca, "CSNBDEC"); -+ -+ /* Get the masterkey from MK_SO. -+ * This also helps verify that correct SO pin was entered. 
-+ */ -+ memset(masterkey, 0, MASTER_KEY_SIZE); -+ memset(fname, 0, PATH_MAX); -+ snprintf(fname, PATH_MAX, "%s/MK_SO", data_store); -+ ret = load_masterkey(fname, sopin, masterkey); -+ if (ret) { -+ fprintf(stderr, "Could not load masterkey from MK_SO.\n"); -+ goto done; -+ } -+ -+ if (v_flag) -+ printf("Successfully verified SO Pin.\n"); -+ -+ /* Get the masterkey from MK_USER. -+ * This also helps verift that correct USER pin was entered. -+ */ -+ memset(masterkey, 0, MASTER_KEY_SIZE); -+ memset(fname, 0, PATH_MAX); -+ snprintf(fname, PATH_MAX, "%s/MK_USER", data_store); -+ ret = load_masterkey(fname, userpin, masterkey); -+ if (ret) { -+ fprintf(stderr, "Could not load masterkey from MK_USER.\n"); -+ goto done; -+ } -+ -+ if (v_flag) -+ printf("Successfully verified USER Pin.\n"); -+ -+ /* Load all the private token objects and re-encrypt them -+ * using software des3, instead of CSNBENC. -+ */ -+ (void)load_private_token_objects(data_store, masterkey); -+ -+done: -+ -+ if (sopin) -+ free(sopin); -+ if (userpin) -+ free(userpin); -+ if (data_store) -+ free(data_store); -+ -+ return ret; -+} -Index: opencryptoki/usr/sbin/pkcscca/pkcscca.h -=================================================================== ---- /dev/null -+++ opencryptoki/usr/sbin/pkcscca/pkcscca.h -@@ -0,0 +1,49 @@ -+/* -+ * Licensed materials - Property of IBM -+ * -+ * pkcscca - A tool for PKCS#11 CCA token. -+ * Currently, only migrates CCA private token objects from using a -+ * CCA cipher to using a software cipher. -+ * -+ * Copyright (C) International Business Machines Corp. 
2014 -+ * -+ */ -+ -+ -+#ifndef __PKCSCCA_H_ -+#define __PKCSCCA_H_ -+ -+#define CCA_LIBRARY "libcsulcca.so" -+#define TOK_DATASTORE "/var/lib/opencryptoki/ccatok" -+#define MASTER_KEY_SIZE 64 -+#define SHA1_HASH_SIZE 20 -+#define MD5_HASH_SIZE 16 -+#define DES_BLOCK_SIZE 8 -+#define DES_KEY_SIZE 8 -+#define compute_sha1(a,b,c) compute_hash(HASH_SHA1,b,a,c) -+#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c) -+#define HASH_SHA1 1 -+#define HASH_MD5 2 -+ -+/* from host_defs.h */ -+#include "pkcs32.h" -+typedef struct _TWEAK_VEC -+{ -+ int allow_weak_des ; -+ int check_des_parity ; -+ int allow_key_mods ; -+ int netscape_mods ; -+} TWEAK_VEC; -+ -+typedef struct _TOKEN_DATA -+{ -+ CK_TOKEN_INFO_32 token_info; -+ -+ CK_BYTE user_pin_sha[3 * DES_BLOCK_SIZE]; -+ CK_BYTE so_pin_sha[3 * DES_BLOCK_SIZE]; -+ CK_BYTE next_token_object_name[8]; -+ TWEAK_VEC tweak_vector; -+} TOKEN_DATA; -+ -+ -+#endif diff --git a/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch b/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch deleted file mode 100644 index 783b660..0000000 --- a/ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch +++ /dev/null 
@@ -1,281 +0,0 @@ -From 13eda6d102b8c44f85cf4eac094ff8a964c630f4 Mon Sep 17 00:00:00 2001 -From: Joy Latten -Date: Mon, 1 Sep 2014 22:46:37 -0500 -Subject: [PATCH 2/2] Add documentation (pkcscca manpage and README.cca_stdll) - to assist in migrating cca private token objects from v2 to v3. - -Signed-off-by: Joy Latten ---- - configure.in | 1 + - doc/README.cca_stdll | 175 ++++++++++++++++++++++++++++++++++++++++++++++---- - man/man1/Makefile.am | 2 +- - man/man1/pkcscca.1.in | 45 +++++++++++++ - 4 files changed, 209 insertions(+), 14 deletions(-) - create mode 100644 man/man1/pkcscca.1.in - -diff --git a/configure.in b/configure.in -index f3fbe70..3e7e5e8 100644 ---- a/configure.in -+++ b/configure.in -@@ -843,6 +843,7 @@ AC_CONFIG_FILES([Makefile usr/Makefile \ - man/man1/Makefile \ - man/man1/pkcsconf.1 \ - man/man1/pkcsicsf.1 \ -+ man/man1/pkcscca.1 \ - man/man1/pkcsep11_migrate.1 \ - man/man5/Makefile \ - man/man5/opencryptoki.conf.5 \ -diff --git a/doc/README.cca_stdll b/doc/README.cca_stdll -index f535dfa..a0d13f1 100644 ---- a/doc/README.cca_stdll -+++ b/doc/README.cca_stdll -@@ -1,24 +1,173 @@ -+CCA TOKEN - --README for the CCA secure-key token -+OverView -+-------- -+The CCA token is a secure key token. -+A Secure key - key value does not exist in the clear outside of the HSM -+(secure, tamper-resistent boundary of the card). It is a clear key wrapped -+with the appropriate MasterKey that has been installed into the secure hardware. -+A clear key is generated in the hardware, wrapped with the appropriate -+master key that has been installed into the hardware. The wrapped key is then -+passed back to the invoker. Upon an encryption and/or decryption request, -+the wrapped key and the data to be encrypted are passed into the hardware. -+The wrapped key is verified, and the clear key is used to encrypt and/or -+decrypt the data. All this is done in the CCA hardware. 
- --Kent Yoder -+Within opencryptoki, this wrapped key value is stored in the CKA_IBM_OPAQUE -+attribute rather than the CKA_VALUE attribute. - -- The key used to encrypt private objects on disk is a secure key. -+Pre-requisites: -+The CCA token requires cca library, libcsulcca.so, which is part of the -+csulcca rpm. -+It also requires proper configuration and installation of the MK keys into -+the hardware which is outside the scope of this document. - -- The key used to encrypt that secure key is based on the hash of the --USER and SO pins. Therefore it is a clear key and software is used to --do the encryption/decryption of the secure key. -+Configuration -+------------- - --MK_USER: The secure key used for internal on-disk encryption, encrypted -+To use the CCA token a slot entry must be defined in the -+opencryptoki.conf configuration file that sets the stdll attribute to -+libcsulcca.so. -+ -+The CCA token also requires that the appropriate master keys have -+been installed into the hardware. The corresponding driver must also be -+loaded, i.e. modprobe z90crypt. -+ -+CCA Token Objects -+------------------------- -+ -+Opencryptoki stores token objects on disk. Public token objects are not -+encrypted. Private token objects are encrypted. -+Versions of opencryptoki prior to version 3, used a CCA generated secure key -+(des3 key) and the crypto adapter to encrypt the private token object's data. -+In version 3, a clear key (des3 key) and software crypto (openssl) are used -+to encrypt this data. -+ -+Migration Information -+--------------------- -+ -+Migrating version 2 private token objects to version 3 is ONLY required if -+the system will run opencryptoki version 3 and will use private token -+objects saved or preserved from version 2. -+Note, public token objects do not need to be migrated. -+If there are no private token objects from version 2, then the version 3 -+does not require any migrating. 
-+ -+In version 2 private token objects are encrypted and decrypted with a secure -+key in the crypto adapter. In version 3, this encryption and decryption is -+done with a clear key using software crypto. Therefore, opencryptoki -+version 3, will not succesfully decrypt a version 2 private token object. -+ -+Version 2 private token objects must be "migrated" to version 3 so that -+opencryptoki version 3 can access these objects. This migration will -+decrypt the objects using the CCA call, CSNBDEC and the current -+opencryptoki key stored in MK_USER. The objects will then be re-encrypted -+using software crypto. The key bits that are stored in MK_USER will then be -+used as a clear key. -+ -+Once the migration has completed, these private token objects should then be -+accessable to version 3. -+ -+Migration Steps -+--------------- -+ -+1. Either update or install version 3. -+a. Update to opencryptoki version 3. In most linux distributions, an update -+from version 2 to version 3 will preserve the contents of the CCA data-store. -+ -+b. Install opencryptoki version 3. In most distributions, an install will -+remove the contents of the CCA data-store. You will essentially be starting -+from the beginning and have to initialize the CCA token. -+ -+In this scenario, if a prior version of opencryptoki had been running on the -+system, and you wanted to preserve your token objects, you will have saved -+or backed them up somewhere. -+ -+2. Backup the CCA data-store before migrating. It is always a good idea to -+back up the data in case the migration is unsuccessful or data is corrupted. -+The data-store is the directory in which the CCA token information is stored -+on disk. In most distributions it can be found in /var/lib/opencryptoki/ccatok. 
-+Within this directory there is, -+ -+MK_USER: The des3 key used for internal on-disk encryption, encrypted - under the USER's PIN by software routines - --MK_SO: The secure key used for internal on-disk encryption, encrypted -+MK_SO: The des3 key used for internal on-disk encryption, encrypted - under the SO's PIN by software routines - --So, MK_USER and MK_SO contain the same key, encrypted under different PINs -+NKTOK.DAT: Token information. -+ -+TOK_OBJ: The directory in which token objects are stored. -+ -+TOK_OBJ/OBJ.IDX: A list of current token objects. -+ -+**NOTE: MK_USER and MK_SO contain the same key, encrypted under -+different PINs -+ -+3. Ensure no opencryptoki processes are running. Stop the pkcsslotd daemon -+if it is running. -+ -+4. Run the pkcscca tool to perform the migration. -+For example, -+ pkcscca -m v2objectsv3 -v -+ -+Note that the "-v" option will allow you to see which objects did and did not -+get migrated. Specify the "-d" flag if you wish to migrate CCA token objects -+stored in a data-store different from the default, /var/lib/opencryptoki/ccatok. -+ -+5. (Optional) Removing shared memory may be required to pick up -+the newly migrated objects. -+ -+CCA token's shared memory segment tracks its token objects. -+Token objects stored on disk are only loaded into shared memory -+when the shared memory is created. The shared memory is usually -+created after a reboot, an install, or an update of the opencryptoki package. -+ -+If another opencryptoki process accessed the CCA token after install -+or update, then opencryptoki will have loaded all the token objects into -+shared memory, except for the private token objects requiring migration, -+since they will have failed decryption. Subsequent calls to the -+opencryptoki api will not find these objects since they have not -+been loaded into shared memory. Opencryptoki won't read the -+objects from disk and load into shared memory again until the next time -+shared memory is created. 
-+ -+So, in this case, shared memory must be removed and created again so -+that opencryptoki can successfuly load all the token objects including the -+newly migrated private token objects into CCA token's shared memory segment. -+ -+Remove shared memory if, -+ - after updating or installing, any opencryptoki processes or tools tried -+ to access the CCA token before migrating CCA token's private token -+ objects. For example, the pkcsconf command was run. -+ -+ The pre-migrated objects will have failed decryption and not -+ been loaded into shared memory. A reboot or removing shared memory -+ will cause the token to create shared memory again and load the newly -+ migrated private token objects into it. -+ -+CCA's shared memory can be removed two ways. -+ 1. a reboot -+ -+ 2. remove the shared memory file, -+ i.e. "rm /dev/shm/var.lib.opencryptoki.ccatok" -+ -+ Notes: (1). Ensure that no opencryptoki processes are running -+ before removing the shared memory. Otherwise, you risk corrupting -+ any running opencryptoki processes. -+ (2). If you have installed opencryptoki manually (not via a distro -+ rpm) the CCA token shared memory segment may be named -+ usr.local.var.lib.opencryptoki.ccatok. -+ -+The next opencryptoki process to run will cause opencryptoki to create -+a shared memory segment for the token and load the newly migrated objects -+as well as any other token objects for the token. - --PKCS#11 Notes: -+6. After a successful migration, the CCA private token objects should be -+encrypted and ready to be accessed by opencryptoki version 3. - --DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE --attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however --in this case, the id used to reference the secure key is stored here. -+TroubleShooting: -+1. If version 3 cannot find the newly migrated CCA private token objects, -+reboot or remove the shared memory file. 
This will cause token to create -+shared memory again and load the newly migrated private token objects -+into shared memory. -diff --git a/man/man1/Makefile.am b/man/man1/Makefile.am -index c4b4d95..f2274d7 100644 ---- a/man/man1/Makefile.am -+++ b/man/man1/Makefile.am -@@ -1,3 +1,3 @@ --man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 -+man1_MANS=pkcsconf.1 pkcsicsf.1 pkcsep11_migrate.1 pkcscca.1 - EXTRA_DIST = $(man1_MANS) - CLEANFILES = $(man1_MANS) -diff --git a/man/man1/pkcscca.1.in b/man/man1/pkcscca.1.in -new file mode 100644 -index 0000000..c6e49d6 ---- /dev/null -+++ b/man/man1/pkcscca.1.in -@@ -0,0 +1,45 @@ -+.TH PKCSCCA 1 "September 2014" "@PACKAGE_VERSION@" "openCryptoki" -+.SH NAME -+pkcscca \- configuration utility for the CCA token -+ -+.SH SYNOPSIS -+\fBpkcscca\fP -+[\fB-h\fP] -+[\fB-m v2objectsv3\fP] -+[\fIOPTIONS\fP] -+ -+.SH DESCRIPTION -+The \fBpkcscca\fP utility assists in administering the CCA token. Currently it -+migrates opencryptoki version 2 private token objects to the encryption -+method used in opencryptoki version 3. -+ -+In verion 2 of opencryptoki, CCA private token objects were encrypted in CCA -+hardware. In version 3 these objects are encrypted in software. The -+\fBv2objectsv3\fP migration option migrates these version 2 objects by -+decrypting them in CCA hardware using a secure key and then re-encrypting -+them in software using a software key. Afterwards, v2 objects can be accessed -+in version 3. -+ -+.SH "FLAGS" -+.IP "\fB-h\fP" 10 -+show usage information -+.IP "\fB-m\fP" 10 -+perform a migration. \fBv2objectsv3\fP is currently the only type of migration -+supported and must be specified along with this flag. -+ -+.SH "MIGRATION OPTIONS" -+.IP "\fB-d|--datastore\fP \fIdirectory\fp" 10 -+the directory where the CCA token information is kept. This directory will be -+used to locate the private token objects to be migrated. i.e. 
/var/lib/opencryptoki/ccatok -+.IP "\fB-v|--verbose\fP" 10 -+provide detailed output during migration -+ -+.SH "FILES" -+.IP "/var/lib/opencryptoki/ccatok/TOK_OBJ/OBJ.IDX" -+contains current list of public and private token objects for the CCA token. -+ -+.SH SEE ALSO -+.PD 0 -+.TP -+\fBREADME.cca_stdll\fP (in system's doc directory) -+.PD --- -1.8.1.4 - diff --git a/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch b/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch deleted file mode 100644 index 3b0c653..0000000 --- a/ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch +++ /dev/null 
@@ -1,255 +0,0 @@ ---- opencryptoki.orig/doc/README.ep11_stdll 2014-09-04 21:59:50.000000000 -0600 -+++ opencryptoki/doc/README.ep11_stdll 2014-09-04 22:01:27.223654000 -0600 -@@ -1,126 +1,126 @@ --EP11 Token --========== -- --The EP11 token is a token that uses the IBM Crypto Express adapters --(starting with Crypto Express 4S adapters) configured with Enterprise --PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that --firmware load are also called CEXnP adapters for n >= 4. -- --The EP11 token is only supported on the System z architecture and requires a --Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver --loaded into the kernel and the availability of EP11 library libep11. -- --The token directory of the EP11 token is opencryptoki/ep11tok typically --located in /var/lib. -- --Configuration --------------- -- --To use the EP11 token a slot entry must be defined in the general opencryptoki --configuration file that sets the stdll attribute to libpkcs11_ep11.so. -- --A EP11 token specific configuration file must be set up to define the target --adapters and target adapter domains. The name of the configuration file must be --defined in the global openCryptoki configuration opencryptoki.conf file as part --of the token specification using the confname attribute. --E.g. the entry -- --slot 4 --{ --stdll = libpkcs11_ep11.so --confname = ep11tok.conf --} -- --defines the name of the configuration file of the EP11 token to be --ep11tok.conf. Per default this file is searched in the directory where --openCryptoki searches its global configuration file. This default path can --be overriden using the OCK_EP11_TOKEN_DIR environment variable. -- --EP11 token configuration files defines a list of adapter/domain pairs to which --the EP11 token sends its cryptographic requests. 
This list can be specified as --a white list starting with a line containing the key word APQN_WHITELIST --followed by one or more lines containing each two integers (in the range --of 0 - 255) separated by a white space. The white list is ended with a line --containing the key word END. In each of lines of the white list the first --integer denotes the adapter number and the second integer denotes the domain --id. Alternatively the keyword APQN_ANY can be used to define that all --adapter/domain pairs with EP11 firmware load that are available to the system --shall be used as target adapters. An adapter number corresponds to the --numerical part xx of an adapter id of the form cardxx as displayed by the --lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices). --Currently Linux on z only supports a single domain. That domain number can be --displayed with lszcrypt -b (see the value of ap_domain) or alternatively as --contents of /sys/bus/ap/ap_domain. -- --In addition to the target adapter a log level can be defined in the EP11 --configuration file using a line consisting of the key word LOGLEVEL followed --by an integer between 0 and 9. -- --Logging --------- -- --If a log level greater than 0 is defined in the environment variable --OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration --file then log entries are written to a log file --/var/log/ock_ep11_token..log where is the process id of the process --using the EP11 token. -- --Note, that the handling of EP11 logs is subject to change in future releases --of opencryptoki. -- --Crypto Express Adapter EP11 Master Key Management --------------------------------------------------- -- --If master keys are changed on an EP11 adapter all key objects in the token --object repository (in the TOK_OBJ directory within the EP11 token directory) --become invalid. 
-- --The key migration tool pkcsep11_migrate can be used to perform the migration --of the current EP11 master keys to new master keys. Therefore the following --steps must be performed: --1) On the Trusted Key Entry console (TKE): Submit and commit new master --keys on the EP11 adapter(s). --2) On Linux: Stop all processes using openCryptoki with the EP11 token. --3) On Linux: Back up the token object repository of the EP11 token. --4) On Linux: Migrate keys of object repository of EP11 token with --migration tool. If a failure occurs restore the backed up token repository --and retry step 4. --5) On the TKE: Activate new master keys on the EP11 adapter(s). --6) On Linux: Restart applications using openCryptoki with the EP11 token. -- --Token specifics ----------------- -- --The EP11 token only supports secure keys (i.e. key wrapped by a master key of --the Crypto Express adapter). Therefore all keys must have the attribute --CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a --(token specific) default for secure keys the attribute must be explicitly --provided whenever a secret key is generated, unwrapped or build with --C_CreateObject. In addition all keys used with the EP11 token are extractable. --i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE. -- --When creating keys the default values of the attributes CKA_ENCRYPT, --CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. --Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions. -- --All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than --or equal to 17. -- --The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli) --according to ANSI X9.31. Therefore in the EP11 token the lengths of the --RSA primes (p or q) must be a multiple of 128 bits and the length of the --modulus (CKA_MODULUS_BITS) must be a multiple of 256. 
-- --The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have --a length that is a multiple of the block size of DES3 or AES respectively. -- --See the mechanism list and mechanism info (pkcsconf -m) for supported --mechanisms together with supported functions and key sizes. Note the --supported mechanism list is currently fix and matches the most stringent --setting of the Crypto Express adapter. -- --Note, the EP11 coprocessor adapter can be configured to restrict the --cryptographic capababilities in order for the adapter to comply with specific --security requirements and regulations. Such restrictions on the adapter impact --the capabilitiy of the EP11 token. -- -+EP11 Token -+========== -+ -+The EP11 token is a token that uses the IBM Crypto Express adapters -+(starting with Crypto Express 4S adapters) configured with Enterprise -+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that -+firmware load are also called CEXnP adapters for n >= 4. -+ -+The EP11 token is only supported on the System z architecture and requires a -+Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver -+loaded into the kernel and the availability of EP11 library libep11. -+ -+The token directory of the EP11 token is opencryptoki/ep11tok typically -+located in /var/lib. -+ -+Configuration -+------------- -+ -+To use the EP11 token a slot entry must be defined in the general opencryptoki -+configuration file that sets the stdll attribute to libpkcs11_ep11.so. -+ -+A EP11 token specific configuration file must be set up to define the target -+adapters and target adapter domains. The name of the configuration file must be -+defined in the global openCryptoki configuration opencryptoki.conf file as part -+of the token specification using the confname attribute. -+E.g. 
the entry -+ -+slot 4 -+{ -+stdll = libpkcs11_ep11.so -+confname = ep11tok.conf -+} -+ -+defines the name of the configuration file of the EP11 token to be -+ep11tok.conf. Per default this file is searched in the directory where -+openCryptoki searches its global configuration file. This default path can -+be overriden using the OCK_EP11_TOKEN_DIR environment variable. -+ -+EP11 token configuration files defines a list of adapter/domain pairs to which -+the EP11 token sends its cryptographic requests. This list can be specified as -+a white list starting with a line containing the key word APQN_WHITELIST -+followed by one or more lines containing each two integers (in the range -+of 0 - 255) separated by a white space. The white list is ended with a line -+containing the key word END. In each of lines of the white list the first -+integer denotes the adapter number and the second integer denotes the domain -+id. Alternatively the keyword APQN_ANY can be used to define that all -+adapter/domain pairs with EP11 firmware load that are available to the system -+shall be used as target adapters. An adapter number corresponds to the -+numerical part xx of an adapter id of the form cardxx as displayed by the -+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices). -+Currently Linux on z only supports a single domain. That domain number can be -+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as -+contents of /sys/bus/ap/ap_domain. -+ -+In addition to the target adapter a log level can be defined in the EP11 -+configuration file using a line consisting of the key word LOGLEVEL followed -+by an integer between 0 and 9. -+ -+Logging -+------- -+ -+If a log level greater than 0 is defined in the environment variable -+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration -+file then log entries are written to a log file -+/var/log/ock_ep11_token..log where is the process id of the process -+using the EP11 token. 
-+ -+Note, that the handling of EP11 logs is subject to change in future releases -+of opencryptoki. -+ -+Crypto Express Adapter EP11 Master Key Management -+------------------------------------------------- -+ -+If master keys are changed on an EP11 adapter all key objects in the token -+object repository (in the TOK_OBJ directory within the EP11 token directory) -+become invalid. -+ -+The key migration tool pkcsep11_migrate can be used to perform the migration -+of the current EP11 master keys to new master keys. Therefore the following -+steps must be performed: -+1) On the Trusted Key Entry console (TKE): Submit and commit new master -+keys on the EP11 adapter(s). -+2) On Linux: Stop all processes using openCryptoki with the EP11 token. -+3) On Linux: Back up the token object repository of the EP11 token. -+4) On Linux: Migrate keys of object repository of EP11 token with -+migration tool. If a failure occurs restore the backed up token repository -+and retry step 4. -+5) On the TKE: Activate new master keys on the EP11 adapter(s). -+6) On Linux: Restart applications using openCryptoki with the EP11 token. -+ -+Token specifics -+--------------- -+ -+The EP11 token only supports secure keys (i.e. key wrapped by a master key of -+the Crypto Express adapter). Therefore all keys must have the attribute -+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a -+(token specific) default for secure keys the attribute must be explicitly -+provided whenever a secret key is generated, unwrapped or build with -+C_CreateObject. In addition all keys used with the EP11 token are extractable. -+i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE. -+ -+When creating keys the default values of the attributes CKA_ENCRYPT, -+CKA DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. -+Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions. 
-+ -+All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than -+or equal to 17. -+ -+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli) -+according to ANSI X9.31. Therefore in the EP11 token the lengths of the -+RSA primes (p or q) must be a multiple of 128 bits and the length of the -+modulus (CKA_MODULUS_BITS) must be a multiple of 256. -+ -+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have -+a length that is a multiple of the block size of DES3 or AES respectively. -+ -+See the mechanism list and mechanism info (pkcsconf -m) for supported -+mechanisms together with supported functions and key sizes. Note the -+supported mechanism list is currently fix and matches the most stringent -+setting of the Crypto Express adapter. -+ -+Note, the EP11 coprocessor adapter can be configured to restrict the -+cryptographic capababilities in order for the adapter to comply with specific -+security requirements and regulations. Such restrictions on the adapter impact -+the capabilitiy of the EP11 token. -+ diff --git a/ocki-3.1_10_0001-ica-sha-update-empty-msg.patch b/ocki-3.1_10_0001-ica-sha-update-empty-msg.patch deleted file mode 100644 index d1f6480..0000000 --- a/ocki-3.1_10_0001-ica-sha-update-empty-msg.patch +++ /dev/null @@ -1,19 +0,0 @@ -commit 2094b476ab7c14caecc37add2da43bba11b71bf5 -Author: Ingo Tuchscherer -Date: Fri Aug 15 12:48:46 2014 +0200 - - Fixed ica token's SHA update function when passing zero message size - - 
Signed-off-by: Ingo Tuchscherer - ---- opencryptoki.orig/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-01-27 15:01:58.000000000 -0700 -+++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/ica_specific.c 2014-09-05 09:19:55.009080000 -0600 -@@ -859,7 +859,7 @@ token_specific_sha_update( DIGEST_CONTEX - * we're not stuck with 0 bytes when the MSG_PART_FINAL - * comes in. - KEY - */ -- if (!(in_data_len % 64)) { -+ if (!(in_data_len % 64) && (in_data_len != 0)) { - oc_sha_ctx->tail_len = 64; - memcpy(oc_sha_ctx->tail, in_data + in_data_len - 64, 64); - in_data_len -= 64; diff --git a/openCryptoki.changes b/openCryptoki.changes index 6f98bff..7f2e868 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Wed Dec 17 10:42:43 UTC 2014 - p.drouand@gmail.com + +- Update to version 3.2 + +New pkcscca tool. Currently it assists in migrating cca private token + objects from opencryptoki version 2 to the clear key encryption method + used in opencryptoki version 3. Includes a manpage for pkcscca tool. + Changes to README.cca_stdll to assist in using the CCA token and + migrating the private token objects. + + Support for CKM_RSA_PKCS_OAEP and CKM_RSA_PKCS_PSS algorithms. + + Various bugfixes. + + New testcases for various crypto algorithms. +- Only depend on insserv if builded with sysvinit support +- Remove obsolete patches; merged on upstream release + + ocki-3.1_01_ep11_makefile.patch + + ocki-3.1_02_ep11_m_init.patch + + ocki-3.1_03_ock_obj_mgr.patch + + ocki-3.1_04_ep11_opaque2blob_error_handl.patch + + ocki-3.1_05_ep11_readme_update.patch + + ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch + + ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch + + ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch + + ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch + + ocki-3.1_06_0005-Small-reworks.patch + + ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch + + ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch + + ocki-3.1_07_0001-Man-page-corrections.patch + + ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch + + ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch + + ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch + + ocki-3.1_10_0001-ica-sha-update-empty-msg.patch +- Project is now hosted on sourceforge; fix the Url +- Remove cvs related stuff; tarball is produced by upstream +- Use %configure macro instead of manually defined options +- Build with parallel support; use %{?_smp_mflags} 
macro + ------------------------------------------------------------------- Fri Sep 5 15:30:59 UTC 2014 - jjolly@suse.com diff --git a/openCryptoki.spec b/openCryptoki.spec index 57675dd..0cf0381 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -46,15 +46,15 @@ BuildRequires: trousers-devel %if %{uses_systemd} BuildRequires: pkgconfig(systemd) %{?systemd_requires} +%else +%insserv_prereq %endif Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: IPL-1.0 Group: Productivity/Security -Version: 3.1 +Version: 3.2 Release: 0 -# :pserver:anonymous@cvs.sourceforge.net:/cvsroot/opencryptoki -# cvs co -r openCryptoki-2-1-5 -d openCryptoki-2-1-5 . -Source: %{oc_cvs_tag}-v%{version}.tar.bz2 +Source: %{oc_cvs_tag}-v%{version}.tgz Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html Source3: openCryptoki-tmp.conf 
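Review bot: The new `Source:` line names only a local file, `%{oc_cvs_tag}-v%{version}.tgz`, so the spec does not record where the 3.2 archive was fetched from and gives the build service nothing to compare it against. The changelog says the tarball is now produced by upstream, and the `Url:` in the next hunk moves to SourceForge, so the full download location could be given here, e.g. `Source: <UPSTREAM_DOWNLOAD_URL>/%{oc_cvs_tag}-v%{version}.tgz` (placeholder, since the page does not show the URL). If upstream publishes a detached signature or checksum for the release, listing it as a further `Source` entry would let the archive be verified at build time. The commit does not show whether one exists.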
@@ -62,26 +62,9 @@ Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch Patch2: ocki-3.1-fix-init_d-path.patch Patch3: ocki-3.1-fix-implicit-decl.patch Patch4: ocki-3.1-fix-libica-link.patch -Patch5: ocki-3.1_01_ep11_makefile.patch -Patch6: ocki-3.1_02_ep11_m_init.patch -Patch7: ocki-3.1_03_ock_obj_mgr.patch -Patch8: ocki-3.1_04_ep11_opaque2blob_error_handl.patch -Patch9: ocki-3.1_05_ep11_readme_update.patch -Patch10: ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch -Patch11: ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch -Patch12: ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch -Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch -Patch14: ocki-3.1_06_0005-Small-reworks.patch -Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch -Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch -Patch17: ocki-3.1_07_0001-Man-page-corrections.patch -Patch18: ocki-3.1_08_0001-Add-a-pkcscca-tool-to-help-migrate-cca-private-token.patch -Patch19: ocki-3.1_08_0002-Add-documentation-pkcscca-manpage-and-README.cca_std.patch -Patch20: ocki-3.1_09_0001-Fix-EOL-encoding-in-README.patch -Patch21: ocki-3.1_10_0001-ica-sha-update-empty-msg.patch -Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki +Url: http://sourceforge.net/projects/opencryptoki/ BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq +PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed # IBM maintains openCryptoki on these architectures: ExclusiveArch: %openCryptoki_32bit_arch %openCryptoki_64bit_arch # 
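Review bot: Dropping `%insserv_prereq` from the `PreReq:` line here leaves the sysvinit build without a valid dependency declaration, because its replacement in the first spec hunk is a bare `%insserv_prereq` line with no tag in front of it. The macro was used on this line as a value of `PreReq:`, so it presumably expands to a package list rather than a complete tag line the way `%{?systemd_requires}` does. If so, rpmbuild would reject the bare line whenever `uses_systemd` is 0. Inside the `%else` branch I would write `PreReq: %insserv_prereq` instead.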
@@ -160,37 +143,16 @@ Cryptographic Accelerator (FC 4960 on pSeries). %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 cp %{SOURCE2} . %build autoreconf --force --install -CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \ - --prefix=/usr \ - --libdir=%{_libdir} \ +CFLAGS="%optflags -D__USE_BSD" %configure \ --enable-tpmtok \ %if %{uses_systemd} - --with-systemd=/usr/lib/systemd/system \ + --with-systemd=/usr/lib/systemd/system %endif - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_localstatedir} -%__make +make %{?_smp_mflags} %install %make_install DESTDIR=$RPM_BUILD_ROOT INSROOT=$RPM_BUILD_ROOT diff --git a/opencryptoki-v3.1.tar.bz2 b/opencryptoki-v3.1.tar.bz2 deleted file mode 100644 index 8d6f091..0000000 --- a/opencryptoki-v3.1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:05df5d5657e1de41ca7c81e0cc8c8c42d7b842fb062ad76f4961efffb0984aca -size 680250 diff --git a/opencryptoki-v3.2.tgz b/opencryptoki-v3.2.tgz new file mode 100644 index 0000000..43b2a94 --- /dev/null +++ b/opencryptoki-v3.2.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d0b4676766753449f4d9001436cf8371812ddff7b59869e8d5adef94c4fd261b +size 911965
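Review bot: When `uses_systemd` is 0 the `%configure` command now ends on `--enable-tpmtok \`, so once the `%if` block is dropped the trailing backslash joins the next line, `make %{?_smp_mflags}`, onto the configure invocation. As far as the collapsed layout shows, configure would then receive `make` and the parallel-jobs flag as arguments, and the build step would not run as its own command. Before this change the conditional line was followed by the `--sysconfdir`/`--localstatedir` lines, which absorbed the continuation. Keeping the conditional argument in the middle avoids this: end it with a backslash, `--with-systemd=/usr/lib/systemd/system \`, and move `--enable-tpmtok` (without a backslash) to after `%endif`.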