Accepting request 238818 from home:jjolly:branches:security

Fixes for bnc#880217 - systemd enabled

OBS-URL: https://build.opensuse.org/request/show/238818
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=17
Tomáš Chvátal 2014-07-02 09:29:50 +00:00 committed by Git OBS Bridge
parent 8883ecb0ec
commit d6c48bed19
17 changed files with 1430 additions and 45 deletions


@ -0,0 +1,11 @@
--- opencryptoki/configure.in
+++ opencryptoki/configure.in
@@ -328,7 +328,7 @@
old_cflags="$CFLAGS"
old_libs="$LIBS"
CFLAGS="$CFLAGS $LIBICA_CFLAGS"
- LIBS="$LIBS $LIBICA_LIBS"
+ LIBS="$LIBS $LIBICA_LIBS -lrt -lcrypto -lpthread"
AC_CHECK_HEADER([ica_api.h], [], [
if test "x$with_libica" != "xcheck"; then
AC_MSG_ERROR([Build with Libica requested but Libica headers couldn't be found])
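Review bot: The extra link libraries added at L23 are hard-coded into the libica probe with no comment saying why, so the next person touching this block cannot tell whether `-lrt -lcrypto -lpthread` are libica's own transitive dependencies or a local workaround for one build environment. A one-line comment above the assignment, `# libica's link test needs libica's own dependencies (rt, crypto, pthread) on the link line`, would record that. If LIBICA_LIBS is populated from pkg-config (not visible here), carrying these libraries in that variable would keep the probe in sync with the library instead of a literal list; the save/restore through old_libs at the top of the hunk is unaffected either way.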


@ -1,6 +1,76 @@
--- opencryptoki.orig/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am 2014-01-31 08:15:21.781145000 -0700
@@ -54,13 +54,7 @@ install-data-hook:
--- opencryptoki/usr/Makefile.am
+++ opencryptoki/usr/Makefile.am
@@ -6,5 +6,3 @@
install-data-hook:
$(MKDIR_P) $(DESTDIR)$(lockdir)
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)
--- opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am
@@ -66,13 +66,7 @@
cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_cca.so PKCS11_CCA.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
uninstall-hook:
if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \
--- opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am
@@ -54,13 +54,7 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_ep11.so PKCS11_EP11.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
$(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
uninstall-hook:
if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
--- opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am
@@ -62,13 +62,7 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_ica.so PKCS11_ICA.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
$(MKDIR_P) $(DESTDIR)$(lockdir)/lite
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
uninstall-hook:
if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
--- opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am
@@ -76,11 +76,7 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_icsf.so PKCS11_ICSF.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
uninstall-hook:
if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
--- opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am
+++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am
@@ -54,13 +54,7 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_sw.so PKCS11_SW.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
@ -28,27 +98,3 @@
uninstall-hook:
if test -d $(DESTDIR)$(libdir)/opencryptoki/stdll; then \
--- opencryptoki.orig/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am 2014-01-31 08:30:51.030956000 -0700
@@ -66,13 +66,7 @@ install-data-hook:
cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \
ln -sf libpkcs11_cca.so PKCS11_CCA.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
uninstall-hook:
if test -d $(DESTDIR)/$(libdir)/opencryptoki/stdll; then \
--- opencryptoki.orig/usr/Makefile.am 2014-01-27 15:01:58.000000000 -0700
+++ opencryptoki/usr/Makefile.am 2014-01-31 08:33:02.949361000 -0700
@@ -6,5 +6,3 @@ SUBDIRS = lib $(DAEMONDIRS)
install-data-hook:
$(MKDIR_P) $(DESTDIR)$(lockdir)
- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)
- $(CHMOD) 0770 $(DESTDIR)$(lockdir)
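Review bot: Dropping every `$(CHGRP) pkcs11` / `$(CHMOD) 0770` line from the install-data-hook recipes leaves the token object directories (`.../opencryptoki/*/TOK_OBJ` and their parents) and the lock directories under `$(lockdir)` with whatever mode `$(MKDIR_P)` gets from the build umask, which is normally world-readable and not group-writable, and nothing in this patch sets those permissions elsewhere. That is only safe if the package's spec `%attr` entries or a systemd tmpfiles configuration now apply group pkcs11 and mode 0770 to the same paths; the "systemd enabled" wording of the request suggests that, but it is not visible here and should be confirmed before merge. The patch header would benefit from one line recording where ownership and mode are now applied, e.g. `# ownership/mode of TOK_OBJ and lock dirs is set by the package (%attr / tmpfiles), not by make install`. Separately, the cca_stdll and usr/Makefile.am hunks appear twice (L41-L55 and L108-L122, L34-L40 and L123-L129); if both copies survive in the new patch file rather than the second being old-side lines of this diff, applying it would fail on an already-applied hunk.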


@ -0,0 +1,42 @@
commit f558043c9c7aa2ada4dd9d7548c2c713aea24753
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Feb 7 15:03:48 2014 -0600
ep11: Fixed Makefile to complement common code dependencies
This will fix the side effect that the ep11 token could not
plugged into slot 0, because of unresolved symbols.
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/Makefile.am b/usr/lib/pkcs11/ep11_stdll/Makefile.am
index fd940ec..d587fd2 100644
--- a/usr/lib/pkcs11/ep11_stdll/Makefile.am
+++ b/usr/lib/pkcs11/ep11_stdll/Makefile.am
@@ -28,10 +28,15 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
../common/loadsave.c \
../common/key.c \
../common/key_mgr.c \
- ../common/mech_md5.c \
+ ../common/mech_des.c \
+ ../common/mech_des3.c \
+ ../common/mech_aes.c \
+ ../common/mech_md5.c \
../common/mech_md2.c \
../common/mech_rng.c \
+ ../common/mech_rsa.c \
../common/mech_sha.c \
+ ../common/mech_ssl3.c \
../common/new_host.c \
../common/obj_mgr.c \
../common/object.c \
@@ -44,8 +49,8 @@ opencryptoki_stdll_libpkcs11_ep11_la_SOURCES = ../common/asn1.c \
../common/log.c \
../common/mech_list.c \
../common/shared_memory.c \
- ../common/attributes.c \
- ../common/sw_crypt.c \
+ ../common/attributes.c \
+ ../common/sw_crypt.c \
ep11_specific.c
noinst_HEADERS = ep11.h
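Review bot: The `../common/attributes.c` and `../common/sw_crypt.c` entries at L166-L169 are removed and re-added with identical text, so that part of the hunk is presumably a whitespace-only change that widens the patch without altering the build; dropping it would keep the patch to the source additions it describes. The added `mech_des.c`, `mech_des3.c`, `mech_aes.c`, `mech_rsa.c` and `mech_ssl3.c` entries compile the common software mechanism code into the EP11 stdll; a short comment in Makefile.am on which symbols the ep11 token resolves from them (the commit only says "unresolved symbols") would make it possible to trim this list later without repeating the slot-0 failure. The `_SOURCES` list starts before the hunk.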


@ -0,0 +1,21 @@
commit d564279d2c2913021ca325507d1ce3af3aff078a
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Fri Feb 7 15:08:27 2014 -0600
ep11: switched to official m_init() function based on library change
Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index a9a72e4..1a43ccb 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1281,7 +1281,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
/* for real HW on Z-series, this would open the
* device driver file /dev/zcrypt.
*/
- if (m_add_backend(NULL,0) < 0) {
+ if (m_init() < 0) {
EP11TOK_ELOG(1,"open of the zcrypt device driver failed");
return CKR_DEVICE_ERROR;
}
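Review bot: The error branch at L190-L191 discards the value `m_init()` returned and logs a message that still talks about opening the zcrypt device driver, which the comment at L186-L188 tied to the old `m_add_backend()` call; when initialization fails an operator sees neither which call failed nor its status. Capturing the status and naming the call, `int init_rc = m_init(); if (init_rc < 0) { EP11TOK_ELOG(1,"m_init() failed rc=%d", init_rc); return CKR_DEVICE_ERROR; }`, keeps the diagnostic accurate; a separate int is used because `rc` in this function is a CK_RV elsewhere in the file. token_specific_init starts and ends outside the hunk.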


@ -0,0 +1,129 @@
commit 099a3a110a733ef3a91c41a88dcd45f15af8a6cd
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Feb 12 12:06:53 2014 -0600
Scenario: processA creates private token key object and before he can
use it, processB gets it, uses it, and deletes it.
Because opencryptoki was not checking the global token object count,
process B segfaulted when count was zero, thinking there were objects in
shared memory to search.
Also, it was not checking return code of object_mgr_check_shm() in
object_mgr_find_in_map1 to see if anything was found in shm.
And lastly, return correct error code.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/common/obj_mgr.c b/usr/lib/pkcs11/common/obj_mgr.c
index 92c11c2..8d42d9e 100755
--- a/usr/lib/pkcs11/common/obj_mgr.c
+++ b/usr/lib/pkcs11/common/obj_mgr.c
@@ -1340,13 +1340,28 @@ object_mgr_find_in_map1( CK_OBJECT_HANDLE handle,
goto done;
}
-// SAB XXX Fix me.. need to make it more efficient than just looking for the object to be changed
-// set a global flag that contains the ref count to all objects.. if the shm ref count changes, then we update the object
-// if not
-
- XProcLock();
- object_mgr_check_shm( obj );
- XProcUnLock();
+ /* SAB XXX Fix me.. need to make it more efficient than just looking
+ * for the object to be changed. set a global flag that contains the
+ * ref count to all objects.. if the shm ref count changes, then we
+ * update the object. if not
+ */
+
+ /* Note: Each C_Initialize call loads up the public token objects
+ * and build corresponding tree(s). The same for private token objects
+ * upon successful C_Login. Since token objects can be shared, it is
+ * possible another process or session has deleted a token object.
+ * Accounting is done in shm, so check shm to see if object still exists.
+ */
+ if (!object_is_session_object(obj)) {
+ XProcLock();
+ rc = object_mgr_check_shm( obj );
+ XProcUnLock();
+
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_FUNCTION_FAILED);
+ goto done;
+ }
+ }
*ptr = obj;
done:
@@ -2101,8 +2116,8 @@ object_mgr_del_from_shm( OBJECT *obj )
0, global_shm->num_priv_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
// Since the number of objects starts at 1 and index starts at zero, we
// decrement before we get count. This eliminates the need to perform
@@ -2139,8 +2154,8 @@ object_mgr_del_from_shm( OBJECT *obj )
0, global_shm->num_publ_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
global_shm->num_publ_tok_obj--;
@@ -2189,25 +2204,36 @@ object_mgr_check_shm( OBJECT *obj )
// the calling routine is responsible for locking the global_shm mutex
//
+ /* first check the object count. If it is 0, then just return. */
priv = object_is_private( obj );
if (priv) {
+
+ if (global_shm->num_priv_tok_obj == 0) {
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
rc = object_mgr_search_shm_for_obj( global_shm->priv_tok_objs,
0, global_shm->num_priv_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
entry = &global_shm->priv_tok_objs[index];
}
else {
+
+ if (global_shm->num_publ_tok_obj == 0) {
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
rc = object_mgr_search_shm_for_obj( global_shm->publ_tok_objs,
0, global_shm->num_publ_tok_obj-1,
obj, &index );
if (rc != CKR_OK){
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJMGR_SEARCH);
+ return rc;
}
entry = &global_shm->publ_tok_objs[index];
}
@@ -2256,8 +2282,8 @@ object_mgr_search_shm_for_obj( TOK_OBJ_ENTRY * obj_list,
}
}
}
- OCK_LOG_ERR(ERR_FUNCTION_FAILED);
- return CKR_FUNCTION_FAILED;
+ OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID);
+ return CKR_OBJECT_HANDLE_INVALID;
}
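Review bot: The new zero-count guards at L276-L279 and L293-L296 stop `global_shm->num_*_tok_obj-1` from wrapping when the count is 0, but the same `num_priv_tok_obj-1` / `num_publ_tok_obj-1` upper bounds are still passed to object_mgr_search_shm_for_obj in object_mgr_del_from_shm at L249-L250 and L260-L261, and no equivalent guard is visible in those hunks; if none exists above them, two processes deleting the last token object can still run the search with a wrapped bound and read past the array. Adding the same check before each search, `if (global_shm->num_priv_tok_obj == 0) { OCK_LOG_ERR(ERR_OBJECT_HANDLE_INVALID); return CKR_OBJECT_HANDLE_INVALID; }` (and the publ counterpart), closes that. Minor: at L241-L243 object_mgr_find_in_map1 logs ERR_FUNCTION_FAILED while propagating an rc that is now typically CKR_OBJECT_HANDLE_INVALID, so the log and the return disagree; `OCK_LOG_ERR(ERR_OBJMGR_SEARCH)` or dropping that second log (object_mgr_check_shm already logged) would match. All three functions continue outside their hunks.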


@ -0,0 +1,233 @@
commit 9d445b0294b588a834797e4f8c3d6ea3c1b3da2b
Author: Joy Latten <jmlatten@linux.vnet.ibm.com>
Date: Wed Feb 12 12:09:14 2014 -0600
ep11's h_opaque_2_blob needs to catch the return code from
object_mgr_find_in_map1 and return it.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 1a43ccb..90d3df1 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1814,12 +1814,12 @@ CK_RV token_specific_derive_key(SESSION *session, CK_MECHANISM_PTR mech,
memset(&secret_op, 0, sizeof(secret_op));
secret_op.blob_size = blobsize;
- if (h_opaque_2_blob(hBaseKey, &blob, &blob_len) != CKR_OK) {
+ rc = h_opaque_2_blob(hBaseKey, &blob, &blob_len);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"FAIL hBaseKey=0x%lx",hBaseKey);
- return CKR_CANCEL;
+ return rc;
}
-
/* Get the keytype to use when creating the key object */
rc = ep11_get_keytype(attrs, attrs_len, mech, &ktype, &class);
if (rc != CKR_OK) {
@@ -2732,36 +2732,19 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
private_key_obj->name, public_key_obj, private_key_obj);
}
- /* Keys should be fully constructed,
- * assign object handles and store keys.
- */
- rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
- if (rc != CKR_OK) {
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
- goto error;
- }
-
- rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
- if (rc != CKR_OK) {
- OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
- object_mgr_destroy_object(sess, *phPublicKey);
- public_key_obj = NULL;
- goto error;
- }
-
/* copy CKA_CLASS, CKA_KEY_TYPE to private template */
if (template_attribute_find(public_key_obj->template, CKA_CLASS, &attr)) {
rc = build_attribute(attr->type, attr->pValue,
attr->ulValueLen, &n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
rc = template_update_attribute(private_key_obj->template, n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
}
@@ -2770,17 +2753,34 @@ CK_RV token_specific_generate_key_pair(SESSION * sess,
attr->ulValueLen, &n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"build_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
rc = template_update_attribute(private_key_obj->template, n_attr);
if (rc != CKR_OK) {
EP11TOK_ELOG(1,"template_update_attribute failed with rc=0x%lx",rc);
- return rc;
+ goto error;
}
}
+ /* Keys should be fully constructed,
+ * assign object handles and store keys.
+ */
+ rc = object_mgr_create_final(sess, public_key_obj, phPublicKey);
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
+ goto error;
+ }
+
+ rc = object_mgr_create_final(sess, private_key_obj, phPrivateKey);
+ if (rc != CKR_OK) {
+ OCK_LOG_ERR(ERR_OBJMGR_CREATE_FINAL);
+ object_mgr_destroy_object(sess, *phPublicKey);
+ public_key_obj = NULL;
+ goto error;
+ }
return rc;
+
error:
if (public_key_obj) object_free(public_key_obj);
if (private_key_obj) object_free(private_key_obj);
@@ -2801,11 +2801,13 @@ static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
OBJECT *key_obj;
CK_ATTRIBUTE *attr = NULL;
ep11_opaque *op;
+ CK_RV rc;
/* find the key obj by the key handle */
- if (object_mgr_find_in_map1(handle,&key_obj) != CKR_OK) {
+ rc = object_mgr_find_in_map1(handle,&key_obj);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"key 0x%lx not mapped", handle);
- return CKR_FUNCTION_FAILED;
+ return rc;
}
/* blob already exists */
@@ -2844,30 +2846,31 @@ CK_RV token_specific_sign_init(SESSION *session, CK_MECHANISM *mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key,&privkey_blob,&blob_len) == CKR_OK) {
- rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
- mech, privkey_blob, blob_len, ep11tok_target) ;
+ rc = h_opaque_2_blob(key, &privkey_blob, &blob_len);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
+ return rc;
+ }
- /* SIGN_VERIFY_CONTEX holds all needed for continuing,
- * also by another adapter (stateless requests)
- */
- ctx->key = key;
- ctx->multi = FALSE;
- ctx->active = TRUE;
- ctx->context = ep11_sign_state;
- ctx->context_len = ep11_sign_state_l;
+ rc = m_SignInit(ep11_sign_state, &ep11_sign_state_l,
+ mech, privkey_blob, blob_len, ep11tok_target) ;
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- } else {
- EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
- }
+ /* SIGN_VERIFY_CONTEX holds all needed for continuing,
+ * also by another adapter (stateless requests)
+ */
+ ctx->key = key;
+ ctx->multi = FALSE;
+ ctx->active = TRUE;
+ ctx->context = ep11_sign_state;
+ ctx->context_len = ep11_sign_state_l;
- return rc;
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
} else {
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ EP11TOK_LOG(2,"rc=0x%lx blob_len=0x%x key=0x%lx mech=0x%lx", rc, blob_len, key, mech->mechanism);
}
+
+ return rc;
}
@@ -2946,27 +2949,26 @@ CK_RV token_specific_verify_init(SESSION *session, CK_MECHANISM *mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key,&spki,&spki_len) == CKR_OK) {
- rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
- spki, spki_len, ep11tok_target);
-
- ctx->key = key;
- ctx->multi = FALSE;
- ctx->active = TRUE;
- ctx->context = ep11_sign_state;
- ctx->context_len = ep11_sign_state_l;
-
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- } else {
- EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
- }
-
+ rc = h_opaque_2_blob(key, &spki, &spki_len);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
return rc;
+ }
+
+ rc = m_VerifyInit(ep11_sign_state, &ep11_sign_state_l, mech,
+ spki, spki_len, ep11tok_target);
+ ctx->key = key;
+ ctx->multi = FALSE;
+ ctx->active = TRUE;
+ ctx->context = ep11_sign_state;
+ ctx->context_len = ep11_sign_state_l;
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
} else {
- EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ EP11TOK_LOG(2,"rc=0x%lx spki_len=0x%x key=0x%lx ep11_sing_state_l=0x%x mech=0x%lx", rc, spki_len, key, ep11_sign_state_l, mech->mechanism);
}
+
+ return rc;
}
@@ -3169,11 +3171,12 @@ static CK_RV ep11_ende_crypt_init(SESSION *session, CK_MECHANISM_PTR mech,
return CKR_HOST_MEMORY;
}
- if (h_opaque_2_blob(key, &blob, &blob_len) != CKR_OK) {
+ rc = h_opaque_2_blob(key, &blob, &blob_len);
+ if (rc != CKR_OK) {
EP11TOK_ELOG(1,"no blob rc=0x%lx",rc);
- return CKR_FUNCTION_FAILED;
+ return rc;
}
-
+
if (op == DECRYPT) {
rc = m_DecryptInit(ep11_state, &ep11_state_l, mech, blob,
blob_len, ep11tok_target);
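Review bot: In token_specific_sign_init the early return at L437-L440 leaves the state buffer allocated just above it unreleased — the `return CKR_HOST_MEMORY;` at L431 looks like the failed-allocation check for `ep11_sign_state` — so on a bad key handle the function now returns a precise rc but leaks the buffer; `free(ep11_sign_state);` before `return rc;` fixes that, and the same pattern is at L495-L497 in token_specific_verify_init and L522-L526 in ep11_ende_crypt_init (with `ep11_state`). A second issue in the first two functions: L459-L463 and L502-L506 set `ctx->active = TRUE` and hand the state pointer to the context before `rc` from m_SignInit/m_VerifyInit is checked, so a failed init leaves a context marked active that points at a state buffer nobody owns; those assignments belong under `if (rc == CKR_OK)`, with the buffer freed in the error branch. Both are pre-existing behaviour that the reordering preserves rather than introduces, and each of these functions continues outside its hunk.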


@ -0,0 +1,187 @@
commit 6589fae1561d1d050b743d3ff5e0b846616664a0
Author: Ingo Tuchscherer <ingo.tuchscherer@linux.vnet.ibm.com>
Date: Wed Feb 12 15:56:46 2014 -0600
EP11: some README updates about usage and restrictions.
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
diff --git a/doc/README.ep11_stdll b/doc/README.ep11_stdll
index dedb76c..e972391 100644
--- a/doc/README.ep11_stdll
+++ b/doc/README.ep11_stdll
@@ -3,8 +3,8 @@ EP11 Token
The EP11 token is a token that uses the IBM Crypto Express adapters
(starting with Crypto Express 4S adapters) configured with Enterprise
-PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with
-that firmware load are also called CEXnP adapters for n >= 4.
+PKCS#11 (EP11) firmware. By convention, Crypto Express n adapters with that
+firmware load are also called CEXnP adapters for n >= 4.
The EP11 token is only supported on the System z architecture and requires a
Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver
@@ -17,14 +17,13 @@ Configuration
-------------
To use the EP11 token a slot entry must be defined in the general opencryptoki
-configuration file that sets the stdll attribute to libpkcs11_epp.so.
+configuration file that sets the stdll attribute to libpkcs11_ep11.so.
A EP11 token specific configuration file must be set up to define the target
-adapters and target adapter domains. The name of the configuration file must
-be defined in the global openCryptoki configuration opencryptoki.conf file
-as part of the token specification using the confname attribute.
-
-E.g. the entry,
+adapters and target adapter domains. The name of the configuration file must be
+defined in the global openCryptoki configuration opencryptoki.conf file as part
+of the token specification using the confname attribute.
+E.g. the entry
slot 4
{
@@ -35,39 +34,39 @@ confname = ep11tok.conf
defines the name of the configuration file of the EP11 token to be
ep11tok.conf. Per default this file is searched in the directory where
openCryptoki searches its global configuration file. This default path can
-be overwritten using the OCK_EP11_TOKEN_DIR environment variable.
-
-EP11 token configuration files defines a list of adapter/domain pairs to
-which the EP11 token sends its cryptographic requests. This list can be
-specified as a white list starting with a line containing the key word
-APQN_WHITELIST followed by one or more lines containing each 2 white space
-separted positive integers followed by a line with the key word END.
-In each of these lines the first integer denotes the adapter number
-and the second integer denotes the domain id. Alternatively the keyword
-APQN_ANY can be used to define that all adapter/domain pairs with EP11
-firmware load that are available to the system shall be used as target
-adapters. An adapter number corresponds to the numerical part xx of an
-adapter id of the form cardxx as displayed by the lszcrypt tool or in
-the sys file system (e.g. in /sys/bus/ap/devices).
-Currently Linux on z only supports a single domain. That domain number
-can be displayed with lszcrypt -b (see the value of ap_domain) or
-alternatively as contents of /sys/bus/ap/ap_domain.
+be overriden using the OCK_EP11_TOKEN_DIR environment variable.
+
+EP11 token configuration files defines a list of adapter/domain pairs to which
+the EP11 token sends its cryptographic requests. This list can be specified as
+a white list starting with a line containing the key word APQN_WHITELIST
+followed by one or more lines containing each two integers (in the range
+of 0 - 255) separated by a white space. The white list is ended with a line
+containing the key word END. In each of lines of the white list the first
+integer denotes the adapter number and the second integer denotes the domain
+id. Alternatively the keyword APQN_ANY can be used to define that all
+adapter/domain pairs with EP11 firmware load that are available to the system
+shall be used as target adapters. An adapter number corresponds to the
+numerical part xx of an adapter id of the form cardxx as displayed by the
+lszcrypt tool or in the sys file system (e.g. in /sys/bus/ap/devices).
+Currently Linux on z only supports a single domain. That domain number can be
+displayed with lszcrypt -b (see the value of ap_domain) or alternatively as
+contents of /sys/bus/ap/ap_domain.
In addition to the target adapter a log level can be defined in the EP11
-configuration file using a line consisting of the key word LOGLEVEL
-followed by an integer between 0 and 9.
+configuration file using a line consisting of the key word LOGLEVEL followed
+by an integer between 0 and 9.
Logging
-------
If a log level greater than 0 is defined in the environment variable
-OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11
-configuration file then log entries are written to a log file
-/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the
-process using the EP11 token.
+OCK_EP11_TOKEN_LOGLEVEL or using the LOGLEVEL entry in the EP11 configuration
+file then log entries are written to a log file
+/var/log/ock_ep11_token.<pid>.log where <pid> is the process id of the process
+using the EP11 token.
-Note, that the handling of EP11 logs is subject to change in future
-releases of opencryptoki.
+Note, that the handling of EP11 logs is subject to change in future releases
+of opencryptoki.
Crypto Express Adapter EP11 Master Key Management
-------------------------------------------------
@@ -77,28 +76,27 @@ object repository (in the TOK_OBJ directory within the EP11 token directory)
become invalid.
The key migration tool pkcsep11_migrate can be used to perform the migration
-of the current EP11 master keys to new master keys. Therefore the
-following steps must be performed:
-
-1) on the Trusted Key Entry console (TKE): submit and commit
-new master keys on the EP11 adapter(s)
-2) on Linux: stop all processes using openCryptoki with the EP11 token
-3) on Linux: back up the token object repository of the EP11 token
-4) on Linux: migrate keys of object repository of EP11 token with
-migration tool. If a failure occurs restore the backed up token
-repository and retry step 4
-5) on the TKE: activate new master keys on the EP11 adapter(s)
-6) on Linux: restart applications using openCryptoki with the EP11 token
+of the current EP11 master keys to new master keys. Therefore the following
+steps must be performed:
+1) On the Trusted Key Entry console (TKE): Submit and commit new master
+keys on the EP11 adapter(s).
+2) On Linux: Stop all processes using openCryptoki with the EP11 token.
+3) On Linux: Back up the token object repository of the EP11 token.
+4) On Linux: Migrate keys of object repository of EP11 token with
+migration tool. If a failure occurs restore the backed up token repository
+and retry step 4.
+5) On the TKE: Activate new master keys on the EP11 adapter(s).
+6) On Linux: Restart applications using openCryptoki with the EP11 token.
Token specifics
---------------
-The EP11 token only supports secure keys (i.e. key wrapped by a master key
-of the Crypto Express adapter). Therefore all keys must have the attribute
-CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define
-a (token specific) default for secure keys the attribute must be explicitly
-provided whenever a secret key is generated, unwrapped or created with
-C_CreateObject. In addition all keys used with the EP11 token are extractable
+The EP11 token only supports secure keys (i.e. key wrapped by a master key of
+the Crypto Express adapter). Therefore all keys must have the attribute
+CKA_SENISTIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
+(token specific) default for secure keys the attribute must be explicitly
+provided whenever a secret key is generated, unwrapped or build with
+C_CreateObject. In addition all keys used with the EP11 token are extractable.
i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.
When creating keys the default values of the attributes CKA_ENCRYPT,
@@ -108,18 +106,21 @@ Note, no EP11 mechanism supports the Sign/Recover or Verify/Recover functions.
All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than
or equal to 17.
-See the mechanism list and mechanism info (pkcsconf -m) for supported
-mechanisms together with supported functions and key sizes.
-Note the supported mechanism list is currently fixed and matches the
-most stringent setting of the Crypto Express adapter.
+The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
+according to ANSI X9.31. Therefore in the EP11 token the lengths of the
+RSA primes (p or q) must be a multiple of 128 bits and the length of the
+modulus (CKA_MODULUS_BITS) must be a multiple of 256.
-Temporary Restrictions & Circumventions
----------------------------------------
+The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have
+a length that is a multiple of the block size of DES3 or AES respectively.
-Wrapping 192 bit AES keys with the mechanism CKM_AES_CBC is not supported, use
-CKM_AES_CBC_PAD instead.
+See the mechanism list and mechanism info (pkcsconf -m) for supported
+mechanisms together with supported functions and key sizes. Note the
+supported mechanism list is currently fix and matches the most stringent
+setting of the Crypto Express adapter.
-Importing RAS private keys with C_Unwrap is not supported for key sizes that
-are not a multiple of AES blocksize. No circumvention possible.
+Note, the EP11 coprocessor adapter can be configured to restrict the
+cryptographic capababilities in order for the adapter to comply with specific
+security requirements and regulations. Such restrictions on the adapter impact
+the capabilitiy of the EP11 token.
-CKM_SHA512_HMAC is not supported. No circumvention possible.


@ -0,0 +1,110 @@
From 68a30e9bf0e494057a889e06623dd0d8ab95acf7 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 2 Apr 2014 12:03:53 -0500
Subject: [PATCH 1/6] print_mechanism() ignored bad returncodes from the
called function token_specific_get_mechanism_list(). So
the token init was just running fine but mechanism list
kept empty (eg. because of wrong adapter
configuration). Fixed this and adjusted some of the
related log messages.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 32 +++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 90d3df1..4e3703b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -1140,17 +1140,27 @@ static CK_RV print_mechanism(void)
CK_ULONG count = 0;
int i;
CK_MECHANISM_INFO m_info;
+ CK_RV rc;
- /* only informational */
- (void) token_specific_get_mechanism_list(list, &count);
+ /* first call is just to fetch the count value */
+ rc = token_specific_get_mechanism_list(list, &count);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"can't fetch mechanism list.");
+ return rc;
+ }
list = (CK_MECHANISM_TYPE_PTR)malloc(sizeof(CK_MECHANISM_TYPE) * count);
if (!list) {
EP11TOK_ELOG(1,"Memory allocation failed.");
return CKR_HOST_MEMORY;
}
- /* only informational */
- (void) token_specific_get_mechanism_list(list, &count);
+ /* now really fill the list */
+ rc = token_specific_get_mechanism_list(list, &count);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"can't fetch mechanism list!");
+ free(list);
+ return rc;
+ }
EP11TOK_LOG(2,"EP11 token mechanism list, %lu entries:", count);
for (i = 0; i < count; i++) {
@@ -1170,6 +1180,7 @@ static CK_RV print_mechanism(void)
EP11TOK_LOG(2," %s {%lu,%lu%s}", ep11_get_ckm(list[i]),
m_info.ulMinKeySize, m_info.ulMaxKeySize, strflags);
}
+
free(list);
return CKR_OK;
}
@@ -1295,7 +1306,11 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
}
/* print mechanismlist to log file */
- (void)print_mechanism();
+ rc = print_mechanism();
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"failure on fetching mechanism list rc=0x%lx, maybe wrong config ?", rc);
+ return CKR_GENERAL_ERROR;
+ }
/* create an AES key needed for importing keys
* (encrypt by wrap_key and m_UnwrapKey by wrap key)
@@ -3528,7 +3543,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
rc = m_GetMechanismList(0, pMechanismList, pulCount,
ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #1 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
return rc;
}
@@ -3543,7 +3558,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
}
rc = m_GetMechanismList(0, mlist, &counter, ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #2 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
free(mlist);
return rc;
}
@@ -3573,7 +3588,7 @@ CK_RV token_specific_get_mechanism_list(CK_MECHANISM_TYPE_PTR pMechanismList,
*/
rc = m_GetMechanismList(0,mlist,&counter,ep11tok_target);
if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"bad rc #3 rc=0x%lx", rc);
+ EP11TOK_ELOG(1,"bad rc=0x%lx from m_GetMechanismList()", rc);
return rc;
}
@@ -3743,6 +3758,7 @@ static int read_adapter_config_file(const char* conf_name)
if (!conf_name) {
/* no conf_name was given, should not happen */
+ EP11TOK_ELOG(1,"no conf_name argument found");
return APQN_FILE_INV_1;
}
--
1.7.12.4


@ -0,0 +1,172 @@
From 401de8a8b5131c8dea1eade85c00e248198dc916 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 2 Apr 2014 12:05:12 -0500
Subject: [PATCH 2/6] Fix failure when confname is not given, use default
ep11tok.conf instead.
Slight rework on the way how the ep11 token config file is found:
If env has no OCK_EP11_TOKEN_DIR
if confname is not null, try to use it
if this fails, try ock default config dir + confname
if this fails, try ock default config dir + ep11tok.conf
if OCK_EP11_TOKEN_DIR given then
if confname is not null, try OCK_EP11_TOKEN_DIR + confname
if this fails, try OCK_EP11_TOKEN_DIR + ep11tok.conf
if still unsuccessful then token init will fail.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 85 +++++++++++++++++++------------
1 file changed, 52 insertions(+), 33 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 4e3703b..0eea8c9 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -993,6 +993,7 @@ static const char* ep11_get_ckm(CK_ULONG mechanism)
static CK_RV h_opaque_2_blob(CK_OBJECT_HANDLE handle,
CK_BYTE **blob, size_t *blob_len);
+#define EP11_DEFAULT_CFG_FILE "ep11tok.conf"
#define EP11_CFG_FILE_SIZE 4096
/* error rc for reading the adapter config file */
@@ -1271,6 +1272,13 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
}
}
EP11TOK_LOG(1,"init running");
+
+ /* read ep11 specific config file with user specified adapter/domain pairs, loglevel, ... */
+ rc = read_adapter_config_file(conf_name);
+ if (rc != CKR_OK) {
+ EP11TOK_ELOG(1,"ep11 config file error rc=0x%lx", rc);
+ return CKR_GENERAL_ERROR;
+ }
/* wrap key name */
memset(wrap_key_name, 0, sizeof(wrap_key_name));
@@ -1297,14 +1305,7 @@ CK_RV token_specific_init(char *Correlator, CK_SLOT_ID SlotNumber, char *conf_na
return CKR_DEVICE_ERROR;
}
#endif
-
- /* user specified adapter/domain pairs the token is supposed to use */
- rc = read_adapter_config_file(conf_name);
- if (rc != CKR_OK) {
- EP11TOK_ELOG(1,"adapter config file error rc=0x%lx", rc);
- return CKR_GENERAL_ERROR;
- }
-
+
/* print mechanismlist to log file */
rc = print_mechanism();
if (rc != CKR_OK) {
@@ -3753,40 +3754,57 @@ static int read_adapter_config_file(const char* conf_name)
if (ep11_initialized) {
return 0;
}
-
+
memset(fname,0,PATH_MAX);
-
- if (!conf_name) {
- /* no conf_name was given, should not happen */
- EP11TOK_ELOG(1,"no conf_name argument found");
- return APQN_FILE_INV_1;
- }
/* via envrionment variable it is possible to overwrite the
- * config file given in the opencryptoki.conf. Then we use
- * $OCK_EP11_TOKEN_DIR/ock_ep11_token.conf.
+ * directory where the ep11 token config file is searched.
*/
if (conf_dir) {
- snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name);
- ap_fp = fopen(fname,"r");
- }
-
- /* if there was no environment variable or fopen failed, use the
- * default given from opencryptoki.conf via conf_name argument.
- */
- if (!ap_fp) {
- snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
- ap_fp = fopen(fname,"r");
+ if (conf_name && strlen(conf_name) > 0) {
+ /* extract filename part from conf_name */
+ for (i=strlen(conf_name)-1; i >= 0 && conf_name[i] != '/'; i--);
+ if (i < strlen(conf_name)-1) {
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, conf_name+i+1);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ }
+ if (!ap_fp) {
+ snprintf(fname, sizeof(fname), "%s/%s", conf_dir, EP11_DEFAULT_CFG_FILE);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ } else {
+ if (conf_name && strlen(conf_name) > 0) {
+ strncpy(fname, conf_name, sizeof(fname));
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) {
+ EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, conf_name);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
+ } else {
+ snprintf(fname, sizeof(fname), "%s/%s", OCK_CONFDIR, EP11_DEFAULT_CFG_FILE);
+ fname[sizeof(fname)-1] = '\0';
+ ap_fp = fopen(fname,"r");
+ if (!ap_fp) EP11TOK_LOG(2,"fopen('%s') failed with errno %d", fname, errno);
+ }
}
-
+
/* now we should really have an open ep11 token config file */
if (!ap_fp) {
EP11TOK_ELOG(1,"no valid EP 11 config file found");
return APQN_FILE_INV_2;
}
-
+
EP11TOK_LOG(2,"EP 11 token config file is '%s'", fname);
-
+
/* read config file line by line,
* ignore empty and # and copy rest into file buf
*/
@@ -3811,13 +3829,13 @@ static int read_adapter_config_file(const char* conf_name)
}
ep11_targets.length = 0;
-
+
for (i=0,j=0,str=filebuf; rc == 0; str=NULL) {
/* strtok tokenizes the string,
* delimiters are newline and whitespace.
*/
token = strtok(str, "\n\t ");
-
+
if (i == 0) {
/* expecting APQN_WHITELIST or APQN_BLACKLIST
* or APQN_ANY or LOGLEVEL or eof.
@@ -3906,7 +3924,8 @@ static int read_adapter_config_file(const char* conf_name)
/* do some checks: */
if (rc == 0) {
if ( !(whitemode || blackmode || anymode)) {
- EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile: APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
+ EP11TOK_ELOG(1,"At least one APQN mode needs to be present in configfile:"
+ " APQN_WHITEMODE or APQN_BLACKMODE or APQN_ANY");
rc = APQN_FILE_NO_APQN_MODE;
} else if (whitemode || blackmode) {
/* at least one APQN needs to be defined */
--
1.7.12.4
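Review bot: The basename extraction in the conf_dir branch looks wrong when conf_name contains no '/': the `for` loop leaves i at -1, and the following `if (i < strlen(conf_name)-1)` promotes i to an unsigned type (if i is an `int`, as its use as a loop index suggests — its declaration is outside the hunk), so the test is false, a plain `ep11tok.conf`-style name is never combined with OCK_EP11_TOKEN_DIR, and the code silently falls through to the default file. Computing the basename with `const char *base = strrchr(conf_name, '/'); base = base ? base + 1 : conf_name;` and testing `if (*base)` avoids the signed/unsigned comparison entirely. The two `EP11TOK_LOG(2,"fopen('%s') failed with errno %d", ...)` lines after the first two fopen() calls in that branch also run unconditionally, so a successful open is logged as a failure with a stale errno; guard them with `if (!ap_fp)` as the later branches do. Since conf_dir comes from an environment variable (per the rewritten comment) and this token library is loaded into arbitrary client processes, a comment stating that the override is honoured regardless of process privilege would help a reviewer decide whether secure_getenv()-style handling is needed where conf_dir is read, which is outside this hunk.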


@ -0,0 +1,38 @@
From 2bca1b392214241f84065d7709681c029b43b444 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 11:48:56 -0500
Subject: [PATCH 3/6] Configure was checking for the ep11 lib and the m_init()
function. As this library will be dynamically loaded at
run time and there is no dependency at build time (but
build will break if ep11 lib is not available) removed
this check.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
configure.in | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index ac41e84..1a1601c 100644
--- a/configure.in
+++ b/configure.in
@@ -372,14 +372,9 @@ if test "x$with_zcrypt" != "xno"; then
])
if test "x$with_zcrypt" != "xno"; then
- AC_CHECK_LIB([ep11], [m_init],
- [with_zcrypt=yes], [
- if test "x$with_zcrypt" != "xcheck"; then
- AC_MSG_ERROR([Build with zcrypt requested but zcrypt libraries couldn't be found])
- fi
- with_zcrypt=no
- ])
+ with_zcrypt=no
fi
+
if test "x$with_zcrypt" = "xno"; then
CFLAGS="$old_cflags"
LIBS="$old_libs"
--
1.7.12.4


@ -0,0 +1,35 @@
From 11e808223faa9c334858e38acacf277079264beb Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 12:02:48 -0500
Subject: [PATCH 4/6] The asm/zcrypt.h header file uses some std int types and
so the stdint.h include statement should occur before
the zcrypt header file.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 0eea8c9..373be5b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -296,6 +296,7 @@
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
+#include <stdint.h>
#include "pkcs11types.h"
#include "defs.h"
@@ -314,7 +315,6 @@
#include <lber.h>
#include <asm/zcrypt.h>
#include <syslog.h>
-#include <stdint.h>
#include <dlfcn.h>
#include <lber.h>
--
1.7.12.4


@ -0,0 +1,144 @@
From b0fc36e0e1fd549164a2502213163ce23d2f0138 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Mon, 14 Apr 2014 13:13:11 -0500
Subject: [PATCH 5/6] Small reworks: - Some of the ock testcase c files are
tracked by git as 755. Fixed, c code files should
appear 644 now. - pkcs11 misc_func test improved to
show not just the mechanism number but also the
(preprocessor defined) mechanism name. - misc speed
test rsa encrypt receive buffer increased so the
"buffer size too small" is fixed now. - misc speed test
rsa uses now an exponent value of 17 (0x01,0x00,0x01)
instead of 3 (0x03). Some tokens (eg. ep11) do not
allow such low exponents and reject RSA key
generation.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Joy Latten <jmlatten@linux.vnet.ibm.com>
---
testcases/misc_tests/speed.c | 14 ++++++++------
testcases/pkcs11/misc_func.c | 3 ++-
2 files changed, 10 insertions(+), 7 deletions(-)
mode change 100755 => 100644 testcases/crypto/aes_func.c
mode change 100755 => 100644 testcases/crypto/des3_func.c
mode change 100755 => 100644 testcases/crypto/des_func.c
mode change 100755 => 100644 testcases/crypto/digest_func.c
mode change 100755 => 100644 testcases/crypto/dsa_func.c
mode change 100755 => 100644 testcases/crypto/rsa_func.c
mode change 100755 => 100644 testcases/crypto/ssl3_func.c
mode change 100755 => 100644 testcases/pkcs11/misc_func.c
mode change 100755 => 100644 testcases/pkcs11/sess_mgmt.c
mode change 100755 => 100644 testcases/pkcs11/sess_perf.c
diff --git a/testcases/crypto/aes_func.c b/testcases/crypto/aes_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/des3_func.c b/testcases/crypto/des3_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/des_func.c b/testcases/crypto/des_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/digest_func.c b/testcases/crypto/digest_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/dsa_func.c b/testcases/crypto/dsa_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/rsa_func.c b/testcases/crypto/rsa_func.c
old mode 100755
new mode 100644
diff --git a/testcases/crypto/ssl3_func.c b/testcases/crypto/ssl3_func.c
old mode 100755
new mode 100644
diff --git a/testcases/misc_tests/speed.c b/testcases/misc_tests/speed.c
index 102ba72..5df3169 100755
--- a/testcases/misc_tests/speed.c
+++ b/testcases/misc_tests/speed.c
@@ -60,6 +60,7 @@ long speed_process_time(SYSTEMTIME t1, SYSTEMTIME t2)
int do_RSA_PKCS_EncryptDecrypt( void )
{
CK_BYTE data1[100];
+ CK_BYTE data2[200];
CK_BYTE signature[256];
CK_SLOT_ID slot_id;
CK_SESSION_HANDLE session;
@@ -69,14 +70,14 @@ int do_RSA_PKCS_EncryptDecrypt( void )
CK_BYTE user_pin[PKCS11_MAX_PIN_LEN];
CK_ULONG user_pin_len;
CK_ULONG i;
- CK_ULONG len1, sig_len;
+ CK_ULONG len1, len2, sig_len;
CK_RV rc;
SYSTEMTIME t1, t2;
CK_ULONG diff, min_time, max_time, avg_time;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -190,7 +191,8 @@ int do_RSA_PKCS_EncryptDecrypt( void )
return FALSE;
}
- rc = funcs->C_Decrypt( session, signature,sig_len,data1, &len1 );
+ len2 = sizeof(data2);
+ rc = funcs->C_Decrypt( session, signature, sig_len, data2, &len2 );
if (rc != CKR_OK) {
show_error(" C_Decrypt #1", rc );
return FALSE;
@@ -259,7 +261,7 @@ int do_RSA_KeyGen_2048( void )
{
SYSTEMTIME t1, t2;
CK_ULONG bits = 2048;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -368,7 +370,7 @@ int do_RSA_KeyGen_1024( void )
{
SYSTEMTIME t1, t2;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
@@ -468,7 +470,7 @@ int do_RSA_PKCS_SignVerify_1024( void )
CK_ULONG diff, min_time, max_time, avg_time;
CK_ULONG bits = 1024;
- CK_BYTE pub_exp[] = { 0x3 };
+ CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };
CK_ATTRIBUTE pub_tmpl[] =
{
diff --git a/testcases/pkcs11/misc_func.c b/testcases/pkcs11/misc_func.c
old mode 100755
new mode 100644
index 8103649..d6619fd
--- a/testcases/pkcs11/misc_func.c
+++ b/testcases/pkcs11/misc_func.c
@@ -602,7 +602,8 @@ CK_RV do_GetMechanismInfo( void )
return rc;
}
- printf(" Mechanism #%ld\n", mech_list[i] );
+ printf(" Mechanism #%ld %s\n", mech_list[i],
+ p11_get_ckm(mech_list[i]) );
printf(" ulMinKeySize: %ld\n", info.ulMinKeySize );
printf(" ulMaxKeySize: %ld\n", info.ulMaxKeySize );
printf(" flags: %p\n", (void *)info.flags );
diff --git a/testcases/pkcs11/sess_mgmt.c b/testcases/pkcs11/sess_mgmt.c
old mode 100755
new mode 100644
diff --git a/testcases/pkcs11/sess_perf.c b/testcases/pkcs11/sess_perf.c
old mode 100755
new mode 100644
--
1.7.12.4
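Review bot: The patch description says the RSA public exponent is now 17, but `{ 0x01, 0x00, 0x01 }` is the big-endian encoding of 65537 (0x010001); 17 would be `{ 0x11 }`. 65537 is the value hardware tokens generally expect and the stronger, conventional choice, so the bytes look right and the text is what is misleading; a comment such as `/* public exponent 65537 (0x010001); e=3 is rejected by some tokens (e.g. EP11) */` next to each pub_exp would stop the next reader from "correcting" the array to match the message. The four pub_exp arrays are identical copies in four functions, so a single file-scope `static const CK_BYTE pub_exp[] = { 0x01, 0x00, 0x01 };` would keep them from drifting apart, though the enclosing functions extend outside these hunks.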


@ -0,0 +1,32 @@
From 10f4766cd6782f3d15e42a985cdf909fe4c7762e Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Tue, 15 Apr 2014 13:16:33 -0500
Subject: [PATCH 6/6] The 31 bit build on s390 showed an build error at
initialization of an static long long variable which
gets an address assigned. Fixed and tested on 31 and 64
bit.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
usr/lib/pkcs11/ep11_stdll/ep11_specific.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
index 373be5b..5aa890b 100644
--- a/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
+++ b/usr/lib/pkcs11/ep11_stdll/ep11_specific.c
@@ -407,9 +407,9 @@ static ep11_target_t ep11_targets;
/* defined in the makefile, ep11 library can run standalone (without HW card),
crypto algorithms are implemented in software then (no secure key) */
#ifdef EP11_STANDALONE
-unsigned long long ep11tok_target = 0x0000000100000008ull;
+static unsigned long long ep11tok_target = 0x0000000100000008ull;
#else
-unsigned long long ep11tok_target = (unsigned long long) &ep11_targets;
+static void* ep11tok_target = (void*) &ep11_targets;
#endif
/* */
--
1.7.12.4
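Review bot: After this change ep11tok_target has a different type in the two build variants — `unsigned long long` under EP11_STANDALONE and `void *` otherwise — while it is passed unchanged as the last argument of m_GetMechanismList() (see the calls in the first patch of this series). Whichever parameter type that function declares, one of the two variants now relies on an implicit pointer/integer conversion that C compilers only warn about, so a cast at the call sites or a typedef shared by both variants, e.g. `typedef unsigned long long target_t;` used by both `#ifdef` branches, would make the intent explicit; I cannot see the ep11 header from here, so this needs checking against the m_* prototypes. Adding `static` also makes the symbol file-local, which is fine only if no other translation unit declares it `extern`.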


@ -0,0 +1,27 @@
From 5b8d304e050467e4acfd02dcefdcebad0e61c472 Mon Sep 17 00:00:00 2001
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Date: Wed, 30 Apr 2014 11:42:29 -0500
Subject: [PATCH] ep11 is not building because not setting with_zcrypt
correctly.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
configure.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.in b/configure.in
index 1a1601c..66bb329 100644
--- a/configure.in
+++ b/configure.in
@@ -372,7 +372,7 @@ if test "x$with_zcrypt" != "xno"; then
])
if test "x$with_zcrypt" != "xno"; then
- with_zcrypt=no
+ with_zcrypt=yes
fi
if test "x$with_zcrypt" = "xno"; then
--
1.7.12.4

7
openCryptoki-tmp.conf Normal file

@ -0,0 +1,7 @@
# Lock directories needed by openCryptoki
D /var/lock/opencryptoki/swtok 0770 root pkcs11
D /var/lock/opencryptoki/lite 0770 root pkcs11
D /var/lock/opencryptoki/tpm 0770 root pkcs11
D /var/lock/opencryptoki/ccatok 0770 root pkcs11
D /var/lock/opencryptoki/icsf 0770 root pkcs11
D /var/lock/opencryptoki/ep11tok 0770 root pkcs11
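Review bot: The parent directory /var/lock/opencryptoki has no entry of its own, so systemd-tmpfiles will create it implicitly with its default ownership and mode rather than the 0770 root:pkcs11 that the non-systemd packaging gives it via `%ghost %dir %attr(770,root,pkcs11)` in the spec; add `d /var/lock/opencryptoki 0770 root pkcs11` as the first line so the permission model is the same on both init systems. Note also that `D` (unlike `d`) removes the directory's contents when tmpfiles runs with --remove at boot; that is presumably intended for stale lock files, but a comment such as `# 'D': contents are purged at boot (stale lock files)` would document the choice. Since these directories exist only after tmpfiles has run, a fresh install needs `systemd-tmpfiles --create` before pkcsslotd is usable without a reboot.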


@ -1,3 +1,64 @@
-------------------------------------------------------------------
Thu Jun 26 06:55:03 UTC 2014 - jjolly@suse.com
- Several package changes as per bnc#880217
- Added openCryptoki-tmp.conf for lock directory management
- Added 'lite' token support
- Changed from init.d daemon to systemd service
- Updated macros in %pre %post %preun and %postun sections
- Added missing icsf and ep11tok directories to %files section
-------------------------------------------------------------------
Thu Jun 5 13:28:29 UTC 2014 - jjolly@suse.com
- Moved libpkcs11_icsf 32-bit out of s390-specific files
-------------------------------------------------------------------
Thu Jun 5 13:00:31 UTC 2014 - jjolly@suse.com
- Made ep11tok.conf and pkcsep11_migrate specific to s390/s390x
- Added libpkcs11_ep11.so and libpkcs11_icsf.so to 32-bit s390/s390x
-------------------------------------------------------------------
Thu Jun 5 05:06:34 UTC 2014 - jjolly@suse.com
- EP11 token available in the opencryptoki V3.1 package (bnc#879303)
- Specfile changed to include ep11tok.conf
- Specfile changed to include pkcsep11_migrate and pkcsicsf tools
- Specfile changed to BuildRequires openldap2-devel
- ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
- print_mechanism() ignored bad returncodes from the called
function token_specific_get_mechanism_list()
- ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
- Fix failure when confname is not given, use default
ep11tok.conf instead
- ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
- Removed check for ep11 lib at configure
- ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
- Move stdint.h before zcrypt.h to resolve dependencies
- ocki-3.1_06_0005-Small-reworks.patch
- testcase fixes and file permission changes
- ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
- Fix for s390 31-bit build error
- ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
- zcrypt library included in build by default
-------------------------------------------------------------------
Fri Mar 7 19:03:59 UTC 2014 - jjolly@suse.com
- Patches applied (bnc#865549)
- Fixed Makefile to complement common code dependencies
- switched to official m_init() function based on library change
- checking the global token object count
- catch the return code from object_mgr_find_in_map1
- some README updates about usage and restrictions
-------------------------------------------------------------------
Wed Mar 5 17:58:21 CET 2014 - ro@suse.de
- fix build on x86 (add CCA and TPM to filelist)
- fix libica detection on s390/s390x to get ICA module built
-------------------------------------------------------------------
Mon Feb 4 17:16:25 UTC 2014 - jjolly@suse.com


@ -25,15 +25,28 @@
%define pkcs11_group_id 64
%define oc_cvs_tag opencryptoki
%if 0%{?suse_version} > 1220
%define uses_systemd 1
%else
%define uses_systemd 0
%endif
Name: openCryptoki
BuildRequires: bison
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libica
%ifarch s390 s390x
BuildRequires: libica-2_3_0-devel
%endif
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: openssl-devel
BuildRequires: pwdutils
BuildRequires: trousers-devel
%if %{uses_systemd}
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: IPL-1.0
Group: Productivity/Security
@ -44,9 +57,23 @@ Release: 0
Source: %{oc_cvs_tag}-v%{version}.tar.bz2
Source1: openCryptoki.pkcsslotd
Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-tmp.conf
Patch1: ocki-3.1-remove-make-install-chgrp-chmod.patch
Patch2: ocki-3.1-fix-init_d-path.patch
Patch3: ocki-3.1-fix-implicit-decl.patch
Patch4: ocki-3.1-fix-libica-link.patch
Patch5: ocki-3.1_01_ep11_makefile.patch
Patch6: ocki-3.1_02_ep11_m_init.patch
Patch7: ocki-3.1_03_ock_obj_mgr.patch
Patch8: ocki-3.1_04_ep11_opaque2blob_error_handl.patch
Patch9: ocki-3.1_05_ep11_readme_update.patch
Patch10: ocki-3.1_06_0001-print_mechanism-ignored-bad-returncodes-from-the-cal.patch
Patch11: ocki-3.1_06_0002-Fix-failure-when-confname-is-not-given-use-default-e.patch
Patch12: ocki-3.1_06_0003-Configure-was-checking-for-the-ep11-lib-and-the-m_in.patch
Patch13: ocki-3.1_06_0004-The-asm-zcrypt.h-header-file-uses-some-std-int-types.patch
Patch14: ocki-3.1_06_0005-Small-reworks.patch
Patch15: ocki-3.1_06_0006-The-31-bit-build-on-s390-showed-an-build-error-at-in.patch
Patch16: ocki-3.1_06_0007-ep11-is-not-building-because-not-setting-with_zcrypt.patch
Url: http://oss.software.ibm.com/developerworks/opensource/opencryptoki
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed %insserv_prereq
@ -127,11 +154,32 @@ Cryptographic Accelerator (FC 4960 on pSeries).
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
cp %{SOURCE2} .
%build
autoreconf --force --install
CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure --prefix=/usr --libdir=%{_libdir} --enable-tpmtok --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir}
CFLAGS="$RPM_OPT_FLAGS -D__USE_BSD" ./configure \
--prefix=/usr \
--libdir=%{_libdir} \
--enable-tpmtok \
%if %{uses_systemd}
--with-systemd=/usr/lib/systemd/system \
%endif
--sysconfdir=%{_sysconfdir} \
--localstatedir=%{_localstatedir}
make
%install
@ -140,14 +188,23 @@ install -d $RPM_BUILD_ROOT/usr/include
install -d $RPM_BUILD_ROOT/var/lib/opencryptoki
install -d $RPM_BUILD_ROOT/etc/init.d
install -d $RPM_BUILD_ROOT/usr/sbin
%if %{uses_systemd}
install -d $RPM_BUILD_ROOT/usr/lib/tmpfiles.d
install -m 644 %{S:3} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/openCryptoki-tmp.conf
ln -s /usr/sbin/service $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd
%else
install -m 544 %{S:1} $RPM_BUILD_ROOT/etc/init.d/pkcsslotd
ln -sfv ../../etc/init.d/pkcsslotd $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd
%endif
rm -rf $RPM_BUILD_ROOT/tmp
# Remove all development files
rm -f $RPM_BUILD_ROOT${_libdir}/opencryptoki/libopencryptoki.la
rm -f $RPM_BUILD_ROOT/%_libdir/opencryptoki/methods
%pre
%if %{uses_systemd}
%{service_add_pre pkcsslotd.service}
%endif
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
/usr/sbin/groupadd -g %pkcs11_group_id -r pkcs11 2>/dev/null || true
@ -162,7 +219,11 @@ s/^,//
'),pkcs11 root
%preun
%if %{uses_systemd}
%{service_del_preun pkcsslotd.service}
%else
%{stop_on_removal pkcsslotd}
%endif
%post
# Symlink from /var/lib/opencryptoki to /etc/pkcs11
@ -174,14 +235,22 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
fi
fi
/sbin/ldconfig
%if %{uses_systemd}
%{service_add_post pkcsslotd.service}
%else
%{fillup_and_insserv -f pkcsslotd}
%endif
%postun
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%if %{uses_systemd}
%{service_del_postun pkcsslotd.service}
%else
%{restart_on_update pkcsslotd}
%{insserv_cleanup}
%endif
%ifarch %openCryptoki_32bit_arch
@ -194,13 +263,14 @@ fi
cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
rm -rf %{_libdir}/pkcs11/stdll
if [ -d %{_libdir}/pkcs11 ] ; then
cd %{_libdir}/pkcs11
ln -sf ../opencryptoki/stdll stdll
cd stdll
[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
fi
test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11
cd /usr/lib/pkcs11
ln -sf ../opencryptoki/stdll stdll
cd stdll
[ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true
[ -f libpkcs11_tpm.so ] && ln -sf ./libpkcs11_tpm.so PKCS11_TPM.so || true
[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
/sbin/ldconfig
%endif
%ifarch %openCryptoki_64bit_arch
@ -218,11 +288,25 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
# configuration directory
%dir /etc/opencryptoki
%config /etc/opencryptoki/opencryptoki.conf
%ifarch s390 s390x
%config /etc/opencryptoki/ep11tok.conf
/usr/sbin/pkcsep11_migrate
%endif
%if %{uses_systemd}
/usr/lib/systemd/system/pkcsslotd.service
/usr/lib/tmpfiles.d/openCryptoki-tmp.conf
%else
/etc/init.d/pkcsslotd
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm
%endif
/usr/sbin/rcpkcsslotd
# utilities
/usr/sbin/pkcsslotd
/usr/sbin/pkcsconf
/usr/sbin/pkcsicsf
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
# State and lock directories
@ -232,10 +316,13 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/tpm
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok
%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/icsf
%ifarch s390 s390x
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok
%dir %attr(770,root,pkcs11) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
%endif
%{_mandir}/man*/*
%files devel
@ -254,16 +341,19 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6
%{_libdir}/opencryptoki/libopencryptoki.so
%ghost %{_libdir}/opencryptoki/PKCS11_API.so
%{_libdir}/opencryptoki/*.0
%ifnarch s390 s390x
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%else
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%ifarch s390 s390x
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%endif
%{_libdir}/opencryptoki/stdll/*.0
%dir %{_libdir}/pkcs11
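Review bot: Under %{uses_systemd} the lock directories are created only by the tmpfiles entry at boot, but the %post hunk adds just `%{service_add_post pkcsslotd.service}`, so right after installation /var/lock/opencryptoki/* does not exist and pkcsslotd and the tokens may fail until the next reboot; add `systemd-tmpfiles --create /usr/lib/tmpfiles.d/openCryptoki-tmp.conf || :` inside the `%if %{uses_systemd}` branch of %post. The systemd branch of %files also drops the `%ghost %dir %attr(770,root,pkcs11)` entries for the lock tree (they remain only in the %else branch), so rpm no longer records the intended ownership of /var/lock/opencryptoki, whose parent is not in the tmpfiles file either; keeping those %ghost lines unconditionally, and adding icsf/ep11tok/lite to them, would keep `rpm -V` and the permission model consistent across both paths. The %files devel hunk at the end lists libpkcs11_tpm.so twice in the %ifnarch branch as printed; please confirm only one copy survives on the new side.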