From e7f80fc66d6f3bd909ae9b905bb148cd128ce48991f14bd46f443f1913922eaa Mon Sep 17 00:00:00 2001 From: Mark Post Date: Fri, 16 Nov 2018 16:33:50 +0000 Subject: [PATCH] Accepting request 649626 from home:markkp:branches:security - Upgraded to version 3.11.0 (Fate#325685) * opencryptoki 3.11.0 EP11 enhancements A lot of bug fixes - Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply properly to 3.11, and renamed it to ocki-3.11-remove-make-install-chgrp.patch - Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch - Upgraded to version 3.10.0 (Fate#325685) * opencryptoki 3.10.0 Add support to ECC on ICA token and to common code. Add SHA224 support to SOFT token. Improve pkcsslotd logging. Fix sha512_hmac_sign and rsa_x509_verify for ICA token. Fix tracing of session id. Fix and improve testcases. Fix spec file permission for log directory. Fix build warnings. * opencryptoki 3.9.0 Fix token reinitialization Fix conditional man pages EP11 enhancements EP11 EC Key import Increase RSA max key length Fix broken links on documentation Define CK_FALSE and CK_TRUE macros Improve build flags - Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - Made multiple changes to the spec file based on spec-cleaner output. - Added an rpmlintrc file to squelch warnings about adding ghost entries for files under /var/log/opencryptoki/ OBS-URL: https://build.opensuse.org/request/show/649626 OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=78 --- ... ocki-3.11-remove-make-install-chgrp.patch | 92 +- ocki-3.5-icsf-coverity-memoryleakfix.patch | 34 - ...-Feature-Object-validation-and-tests.patch | 965 ------------------ openCryptoki-rpmlintrc | 1 + openCryptoki.changes | 39 + openCryptoki.spec | 158 ++- opencryptoki-3.11.0.tar.gz | 3 + opencryptoki-3.8.2.tar.gz | 3 - 8 files changed, 141 insertions(+), 1154 deletions(-) rename ocki-3.1-remove-make-install-chgrp.patch => ocki-3.11-remove-make-install-chgrp.patch (67%) delete mode 100644 ocki-3.5-icsf-coverity-memoryleakfix.patch delete mode 100644 ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch create mode 100644 openCryptoki-rpmlintrc create mode 100644 opencryptoki-3.11.0.tar.gz delete mode 100644 opencryptoki-3.8.2.tar.gz diff --git a/ocki-3.1-remove-make-install-chgrp.patch b/ocki-3.11-remove-make-install-chgrp.patch similarity index 67% rename from ocki-3.1-remove-make-install-chgrp.patch rename to ocki-3.11-remove-make-install-chgrp.patch index 73bfc7c..98d4c46 100644 --- a/ocki-3.1-remove-make-install-chgrp.patch +++ b/ocki-3.11-remove-make-install-chgrp.patch @@ -1,16 +1,8 @@ ---- opencryptoki/usr/Makefile.am -+++ opencryptoki/usr/Makefile.am -@@ -6,5 +6,4 @@ - - install-data-hook: - $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) - $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) ---- opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/cca_stdll/Makefile.am -@@ -66,12 +66,9 @@ - cd $(DESTDIR)/$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_cca.so PKCS11_CCA.so +--- opencryptoki-3.11.0/Makefile.am 2018-11-16 09:53:03.000000000 -0500 ++++ opencryptoki-3.11.0/Makefile.am 2018-11-16 10:28:35.114837306 -0500 +@@ -51,24 +51,18 @@ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + ln -fs libpkcs11_cca.so PKCS11_CCA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok @@ -19,13 +11,10 @@ $(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ccatok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok - - uninstall-hook: ---- opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/ep11_stdll/Makefile.am -@@ -49,12 +49,9 @@ + endif + if ENABLE_EP11TOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_ep11.so PKCS11_EP11.so + ln -fs libpkcs11_ep11.so PKCS11_EP11.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok @@ -34,13 +23,11 @@ $(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/ep11tok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok - - uninstall-hook: ---- opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/ica_s390_stdll/Makefile.am -@@ -64,12 +64,9 @@ + test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true + test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true +@@ -78,24 +72,18 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_ica.so PKCS11_ICA.so + ln -fs libpkcs11_ica.so PKCS11_ICA.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite @@ -49,26 +36,10 @@ $(MKDIR_P) $(DESTDIR)$(lockdir)/lite - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/lite $(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite - - uninstall-hook: ---- opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/icsf_stdll/Makefile.am -@@ -79,10 +79,8 @@ + endif + if ENABLE_SWTOK cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_icsf.so PKCS11_ICSF.so - $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf -- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf - $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf - $(MKDIR_P) $(DESTDIR)$(lockdir)/icsf -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf - $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf - - uninstall-hook: ---- opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/soft_stdll/Makefile.am -@@ -56,12 +56,9 @@ - cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_sw.so PKCS11_SW.so + ln -fs libpkcs11_sw.so PKCS11_SW.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok @@ -77,18 +48,35 @@ $(MKDIR_P) $(DESTDIR)$(lockdir)/swtok - $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/swtok $(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok - - uninstall-hook: ---- opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am -+++ opencryptoki/usr/lib/pkcs11/tpm_stdll/Makefile.am -@@ -71,10 +71,8 @@ + endif + if ENABLE_TPMTOK +@@ -103,10 +91,8 @@ cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ - ln -sf libpkcs11_tpm.so PKCS11_TPM.so + ln -fs libpkcs11_tpm.so PKCS11_TPM.so $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm - $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm $(MKDIR_P) $(DESTDIR)$(lockdir)/tpm -- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/tpm $(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm + endif + if ENABLE_ICSFTOK +@@ -114,10 +100,8 @@ + cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \ + ln -fs libpkcs11_icsf.so PKCS11_ICSF.so + $(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf +- $(CHGRP) pkcs11 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf + $(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf + $(MKDIR_P) $(DESTDIR)$(lockdir)/icsf +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir)/icsf + $(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf + endif + if ENABLE_DAEMON +@@ -139,7 +123,6 @@ + @echo "Remember you must run ldconfig before using the above settings" + @echo "--------------------------------------------------------------" + $(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) +- $(CHGRP) pkcs11 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) + $(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir) + - uninstall-hook: diff --git a/ocki-3.5-icsf-coverity-memoryleakfix.patch b/ocki-3.5-icsf-coverity-memoryleakfix.patch deleted file mode 100644 index 0905718..0000000 --- a/ocki-3.5-icsf-coverity-memoryleakfix.patch +++ /dev/null @@ -1,34 +0,0 @@ -commit 54013d80a2f5eaa9ac58712a57de0cd87a55cdae -Author: Jakub Jelen -Date: Thu May 19 17:05:46 2016 -0400 - - icsftok memory leak fix identified in coverity scan - Signed-off-by: Vineetha Pai - -diff --git a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -index 5b7fb45..1c25cd2 100644 ---- a/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -+++ b/usr/lib/pkcs11/icsf_stdll/icsf_specific.c -@@ -4664,6 +4664,7 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, - "(expected %lu)\n", - (unsigned long) mech->ulParameterLen, - (unsigned long) expected_block_size); -+ free(key_mapping); - return CKR_MECHANISM_PARAM_INVALID; - } - break; -@@ -4671,12 +4672,14 @@ CK_RV icsftok_unwrap_key(SESSION *session, CK_MECHANISM_PTR mech, - if (mech->ulParameterLen != 0){ - TRACE_ERROR("%s\n", - ock_err(ERR_MECHANISM_PARAM_INVALID)); -+ free(key_mapping); - return CKR_MECHANISM_PARAM_INVALID; - } - break; - default: - TRACE_ERROR("icsf invalid %lu mechanism for key wrapping\n", - mech->mechanism); -+ free(key_mapping); - return CKR_MECHANISM_INVALID; - } - diff --git a/ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch b/ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch deleted file mode 100644 index b57b1d8..0000000 --- a/ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch +++ /dev/null @@ -1,965 +0,0 @@ -From f55886b7fae14a7a13c2a532224584de51d6ad84 Mon Sep 17 00:00:00 2001 -From: Eduardo Barretto -Date: Thu, 8 Mar 2018 15:12:20 -0300 -Subject: [PATCH 1/3] Fix Hardware Feature Object validation and tests - -Monotonic Counters have read-only attributes. If during CreateObject the -supplied template specifies a value for any of the read-only attributes, -then the attempt should fail with the error code CKR_ATTRIBUTE_READ_ONLY. -Fixed tests that created Monotonic counters objects. - -Signed-off-by: Eduardo Barretto ---- - testcases/misc_tests/obj_mgmt.c | 451 ++++++++++++++++++++-------------------- - testcases/pkcs11/hw_fn.c | 413 ++++++++++++++++++------------------ - usr/lib/pkcs11/common/hwf_obj.c | 4 +- - 3 files changed, 444 insertions(+), 424 deletions(-) - -diff --git a/testcases/misc_tests/obj_mgmt.c b/testcases/misc_tests/obj_mgmt.c -index 3ab0d03a..bc875c7c 100644 ---- a/testcases/misc_tests/obj_mgmt.c -+++ b/testcases/misc_tests/obj_mgmt.c -@@ -1162,251 +1162,260 @@ CK_RV do_CreateTokenObjects(void) - } - - /* -- * do_HW_Feature_Search Test: -+ * do_HWFeatureSearch Test: - * -- * 1. Create 5 objects, 3 of which are HW_FEATURE objects. -+ * 1. Create 4 objects, 2 of which are HW_FEATURE objects (1 of them is a -+ * monotonic counter). - * 2. Search for objects using a template that does not have its - * HW_FEATURE attribute set. - * 3. Result should be that the other 2 objects are returned, and - * not the HW_FEATURE objects. - * 4. Search for objects using a template that does have its - * HW_FEATURE attribute set. -- * 5. Result should be that the 3 hardware feature objects are returned. -+ * 5. Result should be that the only hardware feature objects that is not a -+ * monotonic counter should be returned. - * - */ -- - CK_RV do_HWFeatureSearch(void) - { -- unsigned int i; -- CK_RV rc, loc_rc; -- CK_ULONG find_count; -- CK_SLOT_ID slot_id; -- CK_BBOOL false = FALSE; -- CK_BBOOL true = TRUE; -- -- CK_SESSION_HANDLE h_session; -- CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; -- CK_ULONG user_pin_len; -- -- /* A counter object */ -- CK_OBJECT_CLASS counter1_class = CKO_HW_FEATURE; -- CK_HW_FEATURE_TYPE feature1_type = CKH_MONOTONIC_COUNTER; -- CK_UTF8CHAR counter1_label[] = "Monotonic counter"; -- CK_CHAR counter1_value[16]; -- CK_ATTRIBUTE counter1_template[] = { -- {CKA_CLASS, &counter1_class, sizeof(counter1_class)}, -- {CKA_HW_FEATURE_TYPE, &feature1_type, sizeof(feature1_type)}, -- {CKA_LABEL, counter1_label, sizeof(counter1_label)-1}, -- {CKA_VALUE, counter1_value, sizeof(counter1_value)}, -- {CKA_RESET_ON_INIT, &true, sizeof(true)}, -- {CKA_HAS_RESET, &false, sizeof(false)} -- }; -- /* A clock object */ -- CK_OBJECT_CLASS clock_class = CKO_HW_FEATURE; -- CK_HW_FEATURE_TYPE clock_type = CKH_CLOCK; -- CK_UTF8CHAR clock_label[] = "Clock"; -- CK_CHAR clock_value[16]; -- CK_ATTRIBUTE clock_template[] = { -- {CKA_CLASS, &clock_class, sizeof(clock_class)}, -- {CKA_HW_FEATURE_TYPE, &clock_type, sizeof(clock_type)}, -- {CKA_LABEL, clock_label, sizeof(clock_label)-1}, -- {CKA_VALUE, clock_value, sizeof(clock_value)} -- }; -- /* A data object */ -- CK_OBJECT_CLASS obj1_class = CKO_DATA; -- CK_UTF8CHAR obj1_label[] = "Object 1"; -- CK_BYTE obj1_data[] = "Object 1's data"; -- CK_ATTRIBUTE obj1_template[] = { -- {CKA_CLASS, &obj1_class, sizeof(obj1_class)}, -- {CKA_TOKEN, &true, sizeof(true)}, -- {CKA_LABEL, obj1_label, sizeof(obj1_label)-1}, -- {CKA_VALUE, obj1_data, sizeof(obj1_data)} -- }; -- /* A secret key object */ -- CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY; -- CK_KEY_TYPE obj2_type = CKK_AES; -- CK_UTF8CHAR obj2_label[] = "Object 2"; -- CK_BYTE obj2_data[AES_KEY_SIZE_128]; -- CK_ATTRIBUTE obj2_template[] = { -- {CKA_CLASS, &obj2_class, sizeof(obj2_class)}, -- {CKA_TOKEN, &true, sizeof(true)}, -- {CKA_KEY_TYPE, &obj2_type, sizeof(obj2_type)}, -- {CKA_LABEL, obj2_label, sizeof(obj2_label)-1}, -- {CKA_VALUE, obj2_data, sizeof(obj2_data)} -- }; -- -- CK_OBJECT_HANDLE h_counter1, -- h_clock, -- h_obj1, -- h_obj2, -- obj_list[10]; -- CK_ATTRIBUTE find_tmpl[] = { -- {CKA_CLASS, &counter1_class, sizeof(counter1_class)} -+ unsigned int i; -+ CK_RV rc, loc_rc; -+ CK_ULONG find_count; -+ CK_SLOT_ID slot_id; -+ CK_BBOOL false = FALSE; -+ CK_BBOOL true = TRUE; -+ -+ CK_SESSION_HANDLE h_session; -+ CK_BYTE user_pin[PKCS11_MAX_PIN_LEN]; -+ CK_ULONG user_pin_len; -+ -+ /* A counter object */ -+ CK_OBJECT_CLASS counter1_class = CKO_HW_FEATURE; -+ CK_HW_FEATURE_TYPE feature1_type = CKH_MONOTONIC_COUNTER; -+ CK_UTF8CHAR counter1_label[] = "Monotonic counter"; -+ CK_CHAR counter1_value[16]; -+ CK_ATTRIBUTE counter1_template[] = { -+ {CKA_CLASS, &counter1_class, sizeof(counter1_class)}, -+ {CKA_HW_FEATURE_TYPE, &feature1_type, sizeof(feature1_type)}, -+ {CKA_LABEL, counter1_label, sizeof(counter1_label)-1}, -+ {CKA_VALUE, counter1_value, sizeof(counter1_value)}, -+ {CKA_RESET_ON_INIT, &true, sizeof(true)}, -+ {CKA_HAS_RESET, &false, sizeof(false)} -+ }; -+ -+ /* A clock object */ -+ CK_OBJECT_CLASS clock_class = CKO_HW_FEATURE; -+ CK_HW_FEATURE_TYPE clock_type = CKH_CLOCK; -+ CK_UTF8CHAR clock_label[] = "Clock"; -+ CK_CHAR clock_value[16]; -+ CK_ATTRIBUTE clock_template[] = { -+ {CKA_CLASS, &clock_class, sizeof(clock_class)}, -+ {CKA_HW_FEATURE_TYPE, &clock_type, sizeof(clock_type)}, -+ {CKA_LABEL, clock_label, sizeof(clock_label)-1}, -+ {CKA_VALUE, clock_value, sizeof(clock_value)} -+ }; -+ -+ /* A data object */ -+ CK_OBJECT_CLASS obj1_class = CKO_DATA; -+ CK_UTF8CHAR obj1_label[] = "Object 1"; -+ CK_BYTE obj1_data[] = "Object 1's data"; -+ CK_ATTRIBUTE obj1_template[] = { -+ {CKA_CLASS, &obj1_class, sizeof(obj1_class)}, -+ {CKA_TOKEN, &true, sizeof(true)}, -+ {CKA_LABEL, obj1_label, sizeof(obj1_label)-1}, -+ {CKA_VALUE, obj1_data, sizeof(obj1_data)} -+ }; -+ -+ /* A secret key object */ -+ CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY; -+ CK_KEY_TYPE obj2_type = CKK_AES; -+ CK_UTF8CHAR obj2_label[] = "Object 2"; -+ CK_BYTE obj2_data[AES_KEY_SIZE_128]; -+ CK_ATTRIBUTE obj2_template[] = { -+ {CKA_CLASS, &obj2_class, sizeof(obj2_class)}, -+ {CKA_TOKEN, &true, sizeof(true)}, -+ {CKA_KEY_TYPE, &obj2_type, sizeof(obj2_type)}, -+ {CKA_LABEL, obj2_label, sizeof(obj2_label)-1}, -+ {CKA_VALUE, obj2_data, sizeof(obj2_data)} - }; - -- if (skip_token_obj == TRUE) { -- testcase_notice("Skipping tests that creates token objects"); -- return CKR_OK; -+ CK_OBJECT_HANDLE h_counter1, -+ h_clock, -+ h_obj1, -+ h_obj2, -+ obj_list[10]; -+ -+ CK_ATTRIBUTE find_tmpl[] = { -+ {CKA_CLASS, &counter1_class, sizeof(counter1_class)} -+ }; -+ -+ if (skip_token_obj == TRUE) { -+ testcase_notice("Skipping tests that creates token objects"); -+ return CKR_OK; -+ } -+ -+ slot_id = SLOT_ID; -+ -+ testcase_begin("starting..."); -+ -+ if (get_user_pin(user_pin)) -+ return CKR_FUNCTION_FAILED; -+ -+ user_pin_len = (CK_ULONG)strlen((char *)user_pin); -+ -+ /* Open a session with the token */ -+ rc = funcs->C_OpenSession(slot_id, -+ (CKF_SERIAL_SESSION|CKF_RW_SESSION), -+ NULL_PTR, -+ NULL_PTR, -+ &h_session); -+ if (rc != CKR_OK) { -+ testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc)); -+ goto done; -+ } -+ -+ // Login correctly -+ rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len); -+ if (rc != CKR_OK) { -+ testcase_fail("C_Login() rc = %s", p11_get_ckr(rc)); -+ goto session_close; -+ } -+ -+ /* Create the 4 test objects */ -+ rc = funcs->C_CreateObject(h_session, obj1_template, 4, &h_obj1); -+ if (rc != CKR_OK) { -+ testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -+ return rc; -+ } -+ -+ rc = funcs->C_CreateObject(h_session, obj2_template, 5, &h_obj2); -+ if (rc != CKR_OK) { -+ testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -+ goto destroy_1; -+ } -+ -+ /* try and create a monotonic object. This should fail -+ * since it is a read only feature. -+ */ -+ rc = funcs->C_CreateObject(h_session, counter1_template, 6, &h_counter1); -+ if (rc != CKR_ATTRIBUTE_READ_ONLY) { -+ testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -+ goto destroy_2; -+ } -+ -+ rc = funcs->C_CreateObject(h_session, clock_template, 4, &h_clock); -+ if (rc != CKR_OK) { -+ testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -+ goto destroy_2; -+ } -+ -+ -+ /* Search for the 2 objects w/o HW_FEATURE set */ -+ /* A NULL template here should return all objects in v2.01, but -+ * in v2.11, it should return all objects *except* HW_FEATURE -+ * objects. -+ */ -+ rc = funcs->C_FindObjectsInit(h_session, NULL, 0); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc)); -+ goto destroy; -+ } -+ -+ rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc)); -+ goto destroy; -+ } -+ -+ /* So, we created 4 objects before here, and then searched with a NULL -+ * template, so that should return all objects except our hardware -+ * feature object -+ */ -+ if (find_count != 2) { -+ testcase_fail("found %ld objects when expected 2", find_count); -+ rc = -1; -+ goto destroy; -+ } -+ -+ if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) { -+ testcase_fail("found the wrong object handle"); -+ rc = -1; -+ goto destroy; -+ } -+ -+ if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) { -+ testcase_fail("found the wrong object handle"); -+ rc = -1; -+ goto destroy; -+ } -+ -+ rc = funcs->C_FindObjectsFinal(h_session); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc)); -+ goto destroy; -+ } -+ -+ // Now find the hardware feature objects -+ rc = funcs->C_FindObjectsInit(h_session, find_tmpl, 1); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc)); -+ goto destroy; -+ } -+ -+ rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc)); -+ goto destroy; -+ } -+ -+ if (find_count != 1) { -+ testcase_fail("found %ld objects when expected 1", find_count); -+ funcs->C_FindObjectsFinal(h_session); -+ rc = -1; -+ goto destroy; -+ } -+ -+ /* Make sure we got the right ones */ -+ for (i=0; i < find_count; i++) { -+ if (obj_list[i] != h_counter1 && obj_list[i] != h_clock) { -+ testcase_fail("found the wrong object handles"); -+ rc = -1; - } -+ } - -- slot_id = SLOT_ID; -- -- testcase_begin("starting..."); -- -- if (get_user_pin(user_pin)) -- return CKR_FUNCTION_FAILED; -- user_pin_len = (CK_ULONG)strlen((char *)user_pin); -- -- /* Open a session with the token */ -- if( (rc = funcs->C_OpenSession(slot_id, -- (CKF_SERIAL_SESSION|CKF_RW_SESSION), -- NULL_PTR, -- NULL_PTR, -- &h_session)) != CKR_OK ) { -- testcase_fail("C_OpenSession() rc = %s", p11_get_ckr(rc)); -- goto done; -- } -- -- // Login correctly -- rc = funcs->C_Login(h_session, CKU_USER, user_pin, user_pin_len); -- if( rc != CKR_OK ) { -- testcase_fail("C_Login() rc = %s", p11_get_ckr(rc)); -- goto session_close; -- } -- -- /* Create the 3 test objects */ -- if( (rc = funcs->C_CreateObject(h_session, obj1_template, 4, &h_obj1)) != CKR_OK) { -- testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -- return rc; -- } -- -- if( (rc = funcs->C_CreateObject(h_session, obj2_template, 5, &h_obj2)) != CKR_OK) { -- testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -- goto destroy_1; -- } -- -- /* try and create a monotonic object. This should fail -- * since it is a read only feature. -- */ -- if( (rc = funcs->C_CreateObject(h_session, counter1_template, 6, &h_counter1)) != CKR_ATTRIBUTE_READ_ONLY) { -- testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -- goto destroy_2; -- } -- -- if( (rc = funcs->C_CreateObject(h_session, clock_template, 4, &h_clock)) != CKR_OK) { -- testcase_fail("C_CreateObject() rc = %s", p11_get_ckr(rc)); -- goto destroy_2; -- } -- -- -- /* Search for the 2 objects w/o HW_FEATURE set */ -- -- /* A NULL template here should return all objects in v2.01, but -- * in v2.11, it should return all objects *except* HW_FEATURE -- * objects. - KEY -- */ -- rc = funcs->C_FindObjectsInit(h_session, NULL, 0 ); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc)); -- goto destroy; -- } -- -- rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count ); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc)); -- goto destroy; -- } -- -- /* So, we created 3 objects before here, and then searched with a NULL -- * template, so that should return all objects except our hardware -- * feature object. -KEY */ -- if (find_count != 2) { -- testcase_fail("found %ld objects when expected 2", find_count); -- rc = -1; -- goto destroy; -- } -- -- if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) { -- testcase_fail("found the wrong object handle"); -- rc = -1; -- goto destroy; -- } -- -- if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) { -- testcase_fail("found the wrong object handle"); -- rc = -1; -- goto destroy; -- } -- -- rc = funcs->C_FindObjectsFinal(h_session); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc)); -- goto destroy; -- } -- -- -- // Now find the hardware feature objects -- rc = funcs->C_FindObjectsInit(h_session, find_tmpl, 1 ); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjectsInit() rc = %s", p11_get_ckr(rc)); -- goto destroy; -- } -+ rc = funcs->C_FindObjectsFinal(h_session); -+ if (rc != CKR_OK) { -+ testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc)); -+ } - -- rc = funcs->C_FindObjects(h_session, obj_list, 10, &find_count ); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjects() rc = %s", p11_get_ckr(rc)); -- goto destroy; -- } -- -- if (find_count != 1) { -- testcase_fail("found %ld objects when expected 1", find_count); -- funcs->C_FindObjectsFinal(h_session); // TODO: check if we really need this here -- rc = -1; -- goto destroy; -- } -- -- /* Make sure we got the right ones */ -- for( i=0; i < find_count; i++) { -- if(obj_list[i] != h_counter1 && -- obj_list[i] != h_clock) -- { -- -- testcase_fail("found the wrong object handles"); -- rc = -1; -- } -- } -- -- rc = funcs->C_FindObjectsFinal(h_session ); -- if (rc != CKR_OK) { -- testcase_fail("C_FindObjectsFinal() rc = %s", p11_get_ckr(rc)); -- } -- -- testcase_pass("Looks okay..."); -+ testcase_pass("Looks okay..."); - - destroy: -- /* Destroy the created objects, don't clobber the rc */ -- loc_rc = funcs->C_DestroyObject(h_session, h_clock); -- if( loc_rc != CKR_OK ) -- testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); -+ /* Destroy the created objects, don't clobber the rc */ -+ loc_rc = funcs->C_DestroyObject(h_session, h_clock); -+ if (loc_rc != CKR_OK) -+ testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); - destroy_2: -- loc_rc = funcs->C_DestroyObject(h_session, h_obj2); -- if( loc_rc != CKR_OK ) -- testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); -+ loc_rc = funcs->C_DestroyObject(h_session, h_obj2); -+ if (loc_rc != CKR_OK) -+ testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); - destroy_1: -- loc_rc = funcs->C_DestroyObject(h_session, h_obj1); -- if( loc_rc != CKR_OK ) -- testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); -+ loc_rc = funcs->C_DestroyObject(h_session, h_obj1); -+ if (loc_rc != CKR_OK) -+ testcase_fail("C_DestroyObject() rc = %s", p11_get_ckr(loc_rc)); - -- loc_rc = funcs->C_Logout(h_session); -- if( loc_rc != CKR_OK ) -- testcase_fail("C_Logout() rc = %s", p11_get_ckr(loc_rc)); -+ loc_rc = funcs->C_Logout(h_session); -+ if (loc_rc != CKR_OK) -+ testcase_fail("C_Logout() rc = %s", p11_get_ckr(loc_rc)); - - session_close: -- /* Close the session */ -- if( (loc_rc = funcs->C_CloseSession(h_session)) != CKR_OK ) -- testcase_fail("C_CloseSession() rc = %s", p11_get_ckr(loc_rc)); -+ /* Close the session */ -+ loc_rc = funcs->C_CloseSession(h_session); -+ if (loc_rc != CKR_OK) -+ testcase_fail("C_CloseSession() rc = %s", p11_get_ckr(loc_rc)); -+ - done: -- return rc; -+ return rc; - } - - CK_RV obj_mgmt_functions() -diff --git a/testcases/pkcs11/hw_fn.c b/testcases/pkcs11/hw_fn.c -index 701a6770..62632291 100644 ---- a/testcases/pkcs11/hw_fn.c -+++ b/testcases/pkcs11/hw_fn.c -@@ -40,227 +40,238 @@ CK_SESSION_HANDLE sess; - /* - * do_HW_Feature_Seatch Test: - * -- * 1. Create 5 objects, 3 of which are HW_FEATURE objects. -+ * 1. Create 5 objects, 3 of which are HW_FEATURE objects (2 of them are -+ * monotonic counters). - * 2. Search for objects using a template that does not have its - * HW_FEATURE attribute set. - * 3. Result should be that the other 2 objects are returned, and - * not the HW_FEATURE objects. - * 4. Search for objects using a template that does have its - * HW_FEATURE attribute set. -- * 5. Result should be that the 3 hardware feature objects are returned. -+ * 5. Result should be that the only hardware feature objects that are not -+ * monotonic counters should be returned. - * - */ -- - int do_HW_Feature_Search(void) - { -- unsigned int i; -- CK_RV rc; -- CK_ULONG find_count; -- -- CK_BBOOL false = FALSE; -- CK_BBOOL true = TRUE; -- -- // A counter object -- CK_OBJECT_CLASS counter1_class = CKO_HW_FEATURE; -- CK_HW_FEATURE_TYPE feature1_type = CKH_MONOTONIC_COUNTER; -- CK_UTF8CHAR counter1_label[] = "Monotonic counter"; -- CK_CHAR counter1_value[16]; -- CK_ATTRIBUTE counter1_template[] = { -- {CKA_CLASS, &counter1_class, sizeof(counter1_class)}, -- {CKA_HW_FEATURE_TYPE, &feature1_type, sizeof(feature1_type)}, -- {CKA_LABEL, counter1_label, sizeof(counter1_label)-1}, -- {CKA_VALUE, counter1_value, sizeof(counter1_value)}, -- {CKA_RESET_ON_INIT, &true, sizeof(true)}, -- {CKA_HAS_RESET, &false, sizeof(false)} -- }; -- // Another counter object -- CK_OBJECT_CLASS counter2_class = CKO_HW_FEATURE; -- CK_HW_FEATURE_TYPE feature2_type = CKH_MONOTONIC_COUNTER; -- CK_UTF8CHAR counter2_label[] = "Monotonic counter"; -- CK_CHAR counter2_value[16]; -- CK_ATTRIBUTE counter2_template[] = { -- {CKA_CLASS, &counter2_class, sizeof(counter2_class)}, -- {CKA_HW_FEATURE_TYPE, &feature2_type, sizeof(feature2_type)}, -- {CKA_LABEL, counter2_label, sizeof(counter2_label)-1}, -- {CKA_VALUE, counter2_value, sizeof(counter2_value)}, -- {CKA_RESET_ON_INIT, &true, sizeof(true)}, -- {CKA_HAS_RESET, &false, sizeof(false)} -- }; -- // A clock object -- CK_OBJECT_CLASS clock_class = CKO_HW_FEATURE; -- CK_HW_FEATURE_TYPE clock_type = CKH_CLOCK; -- CK_UTF8CHAR clock_label[] = "Clock"; -- CK_CHAR clock_value[16]; -- CK_ATTRIBUTE clock_template[] = { -- {CKA_CLASS, &clock_class, sizeof(clock_class)}, -- {CKA_HW_FEATURE_TYPE, &clock_type, sizeof(clock_type)}, -- {CKA_LABEL, clock_label, sizeof(clock_label)-1}, -- {CKA_VALUE, clock_value, sizeof(clock_value)} -- }; -- // A data object -- CK_OBJECT_CLASS obj1_class = CKO_DATA; -- CK_UTF8CHAR obj1_label[] = "Object 1"; -- CK_BYTE obj1_data[] = "Object 1's data"; -- CK_ATTRIBUTE obj1_template[] = { -- {CKA_CLASS, &obj1_class, sizeof(obj1_class)}, -- {CKA_TOKEN, &true, sizeof(true)}, -- {CKA_LABEL, obj1_label, sizeof(obj1_label)-1}, -- {CKA_VALUE, obj1_data, sizeof(obj1_data)} -- }; -- // A secret key object -- CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY; -- CK_KEY_TYPE obj2_type = CKK_AES; -- CK_UTF8CHAR obj2_label[] = "Object 2"; -- CK_BYTE obj2_data[AES_KEY_SIZE_128]; -- CK_ATTRIBUTE obj2_template[] = { -- {CKA_CLASS, &obj2_class, sizeof(obj2_class)}, -- {CKA_TOKEN, &true, sizeof(true)}, -- {CKA_KEY_TYPE, &obj2_type, sizeof(obj2_type)}, -- {CKA_LABEL, obj2_label, sizeof(obj2_label)-1}, -- {CKA_VALUE, obj2_data, sizeof(obj2_data)} -- }; -- -- CK_OBJECT_HANDLE h_counter1, -- h_counter2, -- h_clock, -- h_obj1, -- h_obj2, -- obj_list[10]; -- CK_ATTRIBUTE find_tmpl[] = { -- {CKA_CLASS, &counter1_class, sizeof(counter1_class)} -- }; -- -- -- /* Create the 3 test objects */ -- if( (rc = funcs->C_CreateObject(sess, obj1_template, 4, &h_obj1)) != CKR_OK) { -- show_error("C_CreateObject #1", rc); -- return rc; -- } -- -- if( (rc = funcs->C_CreateObject(sess, obj2_template, 5, &h_obj2)) != CKR_OK) { -- show_error("C_CreateObject #2", rc); -- goto destroy_1; -- } -- -- if( (rc = funcs->C_CreateObject(sess, counter1_template, 6, &h_counter1)) != CKR_OK) { -- show_error("C_CreateObject #3", rc); -- goto destroy_2; -- } -- -- if( (rc = funcs->C_CreateObject(sess, counter2_template, 6, &h_counter2)) != CKR_OK) { -- show_error("C_CreateObject #4", rc); -- goto destroy_3; -- } -- -- if( (rc = funcs->C_CreateObject(sess, clock_template, 4, &h_clock)) != CKR_OK) { -- show_error("C_CreateObject #5", rc); -- goto destroy_4; -- } -- -- -- // Search for the 2 objects w/o HW_FEATURE set -- // -- -- // A NULL template here should return all objects in v2.01, but -- // in v2.11, it should return all objects *except* HW_FEATURE -- // objects. - KEY -- rc = funcs->C_FindObjectsInit( sess, NULL, 0 ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjectsInit #1", rc ); -- goto done; -- } -- -- rc = funcs->C_FindObjects( sess, obj_list, 10, &find_count ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjects #1", rc ); -- goto done; -- } -- -- /* So, we created 3 objects before here, and then searched with a NULL -- * template, so that should return all objects except our hardware -- * feature object. -KEY */ -- if (find_count != 2) { -- printf("%s:%d ERROR: C_FindObjects #1 should have found 2 objects!\n" -- " It found %ld objects\n", __FILE__, __LINE__, -- find_count); -- rc = -1; -- goto done; -- } -- -- if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) { -- printf("%s:%d ERROR: C_FindObjects #1 found the wrong objects!\n", -- __FILE__, __LINE__); -- rc = -1; -- goto done; -- } -- -- if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) { -- printf("%s:%d ERROR: C_FindObjects #1 found the wrong objects!\n", -- __FILE__, __LINE__); -- rc = -1; -- goto done; -- } -- -- rc = funcs->C_FindObjectsFinal( sess ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjectsFinal #1", rc ); -- goto done; -- } -- -+ unsigned int i; -+ CK_RV rc; -+ CK_ULONG find_count; -+ -+ CK_BBOOL false = FALSE; -+ CK_BBOOL true = TRUE; -+ -+ // A counter object -+ CK_OBJECT_CLASS counter1_class = CKO_HW_FEATURE; -+ CK_HW_FEATURE_TYPE feature1_type = CKH_MONOTONIC_COUNTER; -+ CK_UTF8CHAR counter1_label[] = "Monotonic counter"; -+ CK_CHAR counter1_value[16]; -+ CK_ATTRIBUTE counter1_template[] = { -+ {CKA_CLASS, &counter1_class, sizeof(counter1_class)}, -+ {CKA_HW_FEATURE_TYPE, &feature1_type, sizeof(feature1_type)}, -+ {CKA_LABEL, counter1_label, sizeof(counter1_label)-1}, -+ {CKA_VALUE, counter1_value, sizeof(counter1_value)}, -+ {CKA_RESET_ON_INIT, &true, sizeof(true)}, -+ {CKA_HAS_RESET, &false, sizeof(false)} -+ }; -+ -+ // Another counter object -+ CK_OBJECT_CLASS counter2_class = CKO_HW_FEATURE; -+ CK_HW_FEATURE_TYPE feature2_type = CKH_MONOTONIC_COUNTER; -+ CK_UTF8CHAR counter2_label[] = "Monotonic counter"; -+ CK_CHAR counter2_value[16]; -+ CK_ATTRIBUTE counter2_template[] = { -+ {CKA_CLASS, &counter2_class, sizeof(counter2_class)}, -+ {CKA_HW_FEATURE_TYPE, &feature2_type, sizeof(feature2_type)}, -+ {CKA_LABEL, counter2_label, sizeof(counter2_label)-1}, -+ {CKA_VALUE, counter2_value, sizeof(counter2_value)}, -+ {CKA_RESET_ON_INIT, &true, sizeof(true)}, -+ {CKA_HAS_RESET, &false, sizeof(false)} -+ }; -+ -+ // A clock object -+ CK_OBJECT_CLASS clock_class = CKO_HW_FEATURE; -+ CK_HW_FEATURE_TYPE clock_type = CKH_CLOCK; -+ CK_UTF8CHAR clock_label[] = "Clock"; -+ CK_CHAR clock_value[16]; -+ CK_ATTRIBUTE clock_template[] = { -+ {CKA_CLASS, &clock_class, sizeof(clock_class)}, -+ {CKA_HW_FEATURE_TYPE, &clock_type, sizeof(clock_type)}, -+ {CKA_LABEL, clock_label, sizeof(clock_label)-1}, -+ {CKA_VALUE, clock_value, sizeof(clock_value)} -+ }; -+ -+ // A data object -+ CK_OBJECT_CLASS obj1_class = CKO_DATA; -+ CK_UTF8CHAR obj1_label[] = "Object 1"; -+ CK_BYTE obj1_data[] = "Object 1's data"; -+ CK_ATTRIBUTE obj1_template[] = { -+ {CKA_CLASS, &obj1_class, sizeof(obj1_class)}, -+ {CKA_TOKEN, &true, sizeof(true)}, -+ {CKA_LABEL, obj1_label, sizeof(obj1_label)-1}, -+ {CKA_VALUE, obj1_data, sizeof(obj1_data)} -+ }; - -- // Now find the hardware feature objects -- rc = funcs->C_FindObjectsInit( sess, find_tmpl, 1 ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjectsInit #2", rc ); -- goto done; -- } -- -- rc = funcs->C_FindObjects( sess, obj_list, 10, &find_count ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjects #2", rc ); -- goto done; -- } -- -- if (find_count != 3) { -- printf("%s:%d ERROR: C_FindObjects #2 should have found 3 objects!\n" -- " It found %ld objects\n", __FILE__, __LINE__, -- find_count); -- funcs->C_FindObjectsFinal( sess ); -- rc = -1; -- goto done; -- } -- -- /* Make sure we got the right ones */ -- for( i=0; i < find_count; i++) { -- if( obj_list[i] != h_counter1 && -- obj_list[i] != h_counter2 && -- obj_list[i] != h_clock) -- { -- -- printf("%s:%d ERROR: C_FindObjects #2 found the wrong\n" -- " objects!", __FILE__, __LINE__); -- rc = -1; -- } -+ // A secret key object -+ CK_OBJECT_CLASS obj2_class = CKO_SECRET_KEY; -+ CK_KEY_TYPE obj2_type = CKK_AES; -+ CK_UTF8CHAR obj2_label[] = "Object 2"; -+ CK_BYTE obj2_data[AES_KEY_SIZE_128]; -+ CK_ATTRIBUTE obj2_template[] = { -+ {CKA_CLASS, &obj2_class, sizeof(obj2_class)}, -+ {CKA_TOKEN, &true, sizeof(true)}, -+ {CKA_KEY_TYPE, &obj2_type, sizeof(obj2_type)}, -+ {CKA_LABEL, obj2_label, sizeof(obj2_label)-1}, -+ {CKA_VALUE, obj2_data, sizeof(obj2_data)} -+ }; -+ -+ CK_OBJECT_HANDLE h_counter1, -+ h_counter2, -+ h_clock, -+ h_obj1, -+ h_obj2, -+ obj_list[10]; -+ -+ CK_ATTRIBUTE find_tmpl[] = { -+ {CKA_CLASS, &counter1_class, sizeof(counter1_class)} -+ }; -+ -+ /* Create the 5 test objects */ -+ rc = funcs->C_CreateObject(sess, obj1_template, 4, &h_obj1); -+ if (rc != CKR_OK) { -+ show_error("C_CreateObject #1", rc); -+ return rc; -+ } -+ -+ rc = funcs->C_CreateObject(sess, obj2_template, 5, &h_obj2); -+ if (rc != CKR_OK) { -+ show_error("C_CreateObject #2", rc); -+ goto destroy_1; -+ } -+ -+ rc = funcs->C_CreateObject(sess, counter1_template, 6, &h_counter1); -+ if (rc != CKR_ATTRIBUTE_READ_ONLY) { -+ show_error("C_CreateObject #3", rc); -+ goto destroy_2; -+ } -+ -+ rc = funcs->C_CreateObject(sess, counter2_template, 6, &h_counter2); -+ if (rc != CKR_ATTRIBUTE_READ_ONLY) { -+ show_error("C_CreateObject #4", rc); -+ goto destroy_3; -+ } -+ -+ rc = funcs->C_CreateObject(sess, clock_template, 4, &h_clock); -+ if (rc != CKR_OK) { -+ show_error("C_CreateObject #5", rc); -+ goto destroy_4; -+ } -+ -+ -+ /* Search for the 2 objects w/o HW_FEATURE set -+ * A NULL template here should return all objects in v2.01, but -+ * in v2.11, it should return all objects *except* HW_FEATURE -+ * objects. -+ */ -+ rc = funcs->C_FindObjectsInit(sess, NULL, 0); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjectsInit #1", rc); -+ goto done; -+ } -+ -+ rc = funcs->C_FindObjects(sess, obj_list, 10, &find_count); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjects #1", rc); -+ goto done; -+ } -+ -+ /* So, we created 5 objects before here, and then searched with a NULL -+ * template, so that should return all objects except our hardware -+ * feature object. -+ */ -+ if (find_count != 2) { -+ printf("%s:%d ERROR: C_FindObjects #1 should have found 2 objects!\n" -+ " It found %ld objects\n", __FILE__, __LINE__, -+ find_count); -+ rc = -1; -+ goto done; -+ } -+ -+ if (obj_list[0] != h_obj1 && obj_list[0] != h_obj2) { -+ printf("%s:%d ERROR: C_FindObjects #1 found the wrong objects!\n", -+ __FILE__, __LINE__); -+ rc = -1; -+ goto done; -+ } -+ -+ if (obj_list[1] != h_obj1 && obj_list[1] != h_obj2) { -+ printf("%s:%d ERROR: C_FindObjects #1 found the wrong objects!\n", -+ __FILE__, __LINE__); -+ rc = -1; -+ goto done; -+ } -+ -+ rc = funcs->C_FindObjectsFinal(sess); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjectsFinal #1", rc); -+ goto done; -+ } -+ -+ -+ /* Now find the hardware feature objects (should find only 1 since monotonic -+ * counters are read-only -+ */ -+ rc = funcs->C_FindObjectsInit(sess, find_tmpl, 1); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjectsInit #2", rc); -+ goto done; -+ } -+ -+ rc = funcs->C_FindObjects(sess, obj_list, 10, &find_count); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjects #2", rc); -+ goto done; -+ } -+ -+ if (find_count != 1) { -+ printf("%s:%d ERROR: C_FindObjects #2 should have found 1 object!\n" -+ " It found %ld objects\n", __FILE__, __LINE__, -+ find_count); -+ funcs->C_FindObjectsFinal(sess); -+ rc = -1; -+ goto done; -+ } -+ -+ /* Make sure we got the right ones */ -+ for( i=0; i < find_count; i++) { -+ if (obj_list[i] != h_counter1 && -+ obj_list[i] != h_counter2 && -+ obj_list[i] != h_clock) { -+ -+ printf("%s:%d ERROR: C_FindObjects #2 found the wrong\n" -+ " objects!", __FILE__, __LINE__); -+ rc = -1; - } -+ } - -- rc = funcs->C_FindObjectsFinal( sess ); -- if (rc != CKR_OK) { -- show_error(" C_FindObjectsFinal #2", rc ); -- } -+ rc = funcs->C_FindObjectsFinal(sess); -+ if (rc != CKR_OK) { -+ show_error(" C_FindObjectsFinal #2", rc); -+ } - - done: -- /* Destroy the created objects, don't clobber the rc */ -- funcs->C_DestroyObject(sess, h_clock); -+ /* Destroy the created objects, don't clobber the rc */ -+ funcs->C_DestroyObject(sess, h_clock); - destroy_4: -- funcs->C_DestroyObject(sess, h_counter2); -+ funcs->C_DestroyObject(sess, h_counter2); - destroy_3: -- funcs->C_DestroyObject(sess, h_counter1); -+ funcs->C_DestroyObject(sess, h_counter1); - destroy_2: -- funcs->C_DestroyObject(sess, h_obj2); -+ funcs->C_DestroyObject(sess, h_obj2); - destroy_1: -- funcs->C_DestroyObject(sess, h_obj1); -+ funcs->C_DestroyObject(sess, h_obj1); - -- return rc; -+ return rc; - } - - -diff --git a/usr/lib/pkcs11/common/hwf_obj.c b/usr/lib/pkcs11/common/hwf_obj.c -index 0decc22b..2a6ac45a 100644 ---- a/usr/lib/pkcs11/common/hwf_obj.c -+++ b/usr/lib/pkcs11/common/hwf_obj.c -@@ -169,8 +169,8 @@ counter_validate_attribute( TEMPLATE *tmpl, CK_ATTRIBUTE *attr, CK_ULONG mode) - case CKA_HAS_RESET: - /* Fall Through */ - case CKA_RESET_ON_INIT: -- return CKR_OK; -- -+ TRACE_ERROR("%s\n", ock_err(ERR_ATTRIBUTE_READ_ONLY)); -+ return CKR_ATTRIBUTE_READ_ONLY; - default: - return hwf_validate_attribute( tmpl, attr, mode ); - } --- -2.13.6 - diff --git a/openCryptoki-rpmlintrc b/openCryptoki-rpmlintrc new file mode 100644 index 0000000..d1ba8c3 --- /dev/null +++ b/openCryptoki-rpmlintrc @@ -0,0 +1 @@ +addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki/") diff --git a/openCryptoki.changes b/openCryptoki.changes index 9fd9b9e..4f21c0c 100644 --- a/openCryptoki.changes +++ b/openCryptoki.changes @@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Fri Nov 16 15:00:52 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.11.0 (Fate#325685) + * opencryptoki 3.11.0 + EP11 enhancements + A lot of bug fixes +- Reworked the ocki-3.1-remove-make-install-chgrp.patch to apply + properly to 3.11, and renamed it to + ocki-3.11-remove-make-install-chgrp.patch +- Removed obsolete patch ocki-3.5-icsf-coverity-memoryleakfix.patch + +------------------------------------------------------------------- +Thu Nov 15 22:01:51 UTC 2018 - mpost@suse.com + +- Upgraded to version 3.10.0 (Fate#325685) + * opencryptoki 3.10.0 + Add support to ECC on ICA token and to common code. + Add SHA224 support to SOFT token. + Improve pkcsslotd logging. + Fix sha512_hmac_sign and rsa_x509_verify for ICA token. + Fix tracing of session id. + Fix and improve testcases. + Fix spec file permission for log directory. + Fix build warnings. +* opencryptoki 3.9.0 + Fix token reinitialization + Fix conditional man pages + EP11 enhancements + EP11 EC Key import + Increase RSA max key length + Fix broken links on documentation + Define CK_FALSE and CK_TRUE macros + Improve build flags +- Dropped obsolete patch ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch +- Made multiple changes to the spec file based on spec-cleaner output. +- Added an rpmlintrc file to squelch warnings about adding ghost + entries for files under /var/log/opencryptoki/ + ------------------------------------------------------------------- Tue Apr 17 22:56:43 UTC 2018 - mpost@suse.com diff --git a/openCryptoki.spec b/openCryptoki.spec index bb79ce6..57a5010 100644 --- a/openCryptoki.spec +++ b/openCryptoki.spec @@ -16,7 +16,7 @@ # -%define openCryptoki_32bit_arch %arm %ix86 s390 ppc +%define openCryptoki_32bit_arch %{arm} %{ix86} s390 ppc # support in the workings for: ppc64 # no support in sight for: ia64 %define openCryptoki_64bit_arch aarch64 s390x ppc64 ppc64le x86_64 @@ -32,47 +32,42 @@ %endif Name: openCryptoki -BuildRequires: bison -BuildRequires: flex -BuildRequires: gcc-c++ -%ifarch s390 s390x -BuildRequires: libica-devel -BuildRequires: libica-tools -%endif -BuildRequires: libtool -BuildRequires: openldap2-devel -BuildRequires: openssl-devel >= 1.0 -BuildRequires: pwdutils -BuildRequires: trousers-devel -%if %{uses_systemd} -BuildRequires: pkgconfig(systemd) -%{?systemd_requires} -%else -BuildRequires: %insserv_prereq -%endif -BuildRequires: dos2unix - +Version: 3.11.0 +Release: 0 Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware License: CPL-1.0 Group: Productivity/Security -Version: 3.8.2 -Release: 0 +Url: https://sourceforge.net/projects/opencryptoki/ Source: %{oc_cvs_tag}-%{version}.tar.gz Source1: openCryptoki.pkcsslotd Source2: openCryptoki-TFAQ.html Source3: openCryptoki-tmp.conf +Source4: openCryptoki-rpmlintrc # Patch 1 is needed because group pkcs11 doesn't exist in the build environment # and because we don't want(?) various file and directory permissions to be 0700. -Patch1: ocki-3.1-remove-make-install-chgrp.patch -Patch2: ocki-3.5-icsf-coverity-memoryleakfix.patch -Patch3: ocki-3.8.2-Fix-Hardware-Feature-Object-validation-and-tests.patch - -Url: https://sourceforge.net/projects/opencryptoki/ -BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: /usr/sbin/groupadd /usr/bin/id /usr/sbin/usermod /bin/sed +Patch1: ocki-3.11-remove-make-install-chgrp.patch +BuildRequires: bison +BuildRequires: dos2unix +BuildRequires: flex +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: openldap2-devel +BuildRequires: openssl-devel >= 1.0 +BuildRequires: pkgconfig +BuildRequires: pwdutils +BuildRequires: trousers-devel +BuildRequires: pkgconfig(systemd) +PreReq: %{_bindir}/id +PreReq: %{_sbindir}/groupadd +PreReq: %{_sbindir}/usermod +PreReq: /bin/sed # IBM maintains openCryptoki on these architectures: -ExclusiveArch: %openCryptoki_32bit_arch %openCryptoki_64bit_arch -# +ExclusiveArch: %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch} +%{?systemd_requires} +%ifarch s390 s390x +BuildRequires: libica-devel +BuildRequires: libica-tools +%endif %description The PKCS#11 version 2.11 API implemented for the IBM cryptographic @@ -80,17 +75,16 @@ cards. This package includes support for the IBM 4758 cryptographic coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries). - %package devel Summary: An Implementation of PKCS#11 (Cryptoki) v2.01 for IBM Cryptographic Hardware Group: Development/Languages/C and C++ Requires: glibc-devel -%ifarch s390 s390x -Requires: libica-devel -%endif Requires: libopenssl-devel Requires: openldap2-devel Requires: trousers-devel +%ifarch s390 s390x +Requires: libica-devel +%endif %description devel The PKCS#11 version 2.01 API implemented for the IBM cryptographic @@ -98,8 +92,7 @@ cards. This package includes support for the IBM 4758 cryptographic co-processor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries). - -%ifarch %openCryptoki_32bit_arch +%ifarch %{openCryptoki_32bit_arch} %package 32bit Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware @@ -107,7 +100,7 @@ Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptograp # installation: Group: Productivity/Security PreReq: openCryptoki -ExclusiveArch: %openCryptoki_32bit_arch +ExclusiveArch: %{openCryptoki_32bit_arch} %description 32bit This is a re-packaged binary rpm. For the package source, please look @@ -118,9 +111,9 @@ cards. This package includes support for the IBM 4758 cryptographic coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries). - %endif -%ifarch %openCryptoki_64bit_arch + +%ifarch %{openCryptoki_64bit_arch} %package 64bit Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware @@ -128,7 +121,7 @@ Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptograp # installation: Group: Productivity/Security PreReq: openCryptoki -ExclusiveArch: %openCryptoki_64bit_arch +ExclusiveArch: %{openCryptoki_64bit_arch} %description 64bit This is a re-packaged binary rpm. For the package source, please look @@ -139,14 +132,11 @@ cards. This package includes support for the IBM 4758 cryptographic coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer Cryptographic Accelerator (FC 4960 on pSeries). - %endif %prep %setup -q -n %{oc_cvs_tag}-%{version} %patch1 -p1 -%patch2 -p1 -%patch3 -p1 cp %{SOURCE2} . @@ -154,46 +144,33 @@ cp %{SOURCE2} . autoreconf --force --install %configure \ --enable-tpmtok \ -%if %{uses_systemd} --with-systemd=%{_unitdir} -%endif make %{?_smp_mflags} dos2unix doc/README.ep11_stdll %install %make_install -install -d $RPM_BUILD_ROOT/usr/include -install -d $RPM_BUILD_ROOT/var/lib/opencryptoki -install -d $RPM_BUILD_ROOT/etc/init.d -install -d $RPM_BUILD_ROOT/usr/sbin -%if %{uses_systemd} -install -d $RPM_BUILD_ROOT/usr/lib/tmpfiles.d -install -m 644 %{S:3} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/opencryptoki.conf -ln -s /usr/sbin/service $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd -%else -install -m 544 %{S:1} $RPM_BUILD_ROOT/etc/init.d/pkcsslotd -ln -sfv ../../etc/init.d/pkcsslotd $RPM_BUILD_ROOT/usr/sbin/rcpkcsslotd -%endif -rm -rf $RPM_BUILD_ROOT/tmp +install -d %{buildroot}%{_includedir} +install -d %{buildroot}%{_localstatedir}/lib/opencryptoki +install -d %{buildroot}%{_initddir} +install -d %{buildroot}%{_sbindir} +install -d %{buildroot}%{_prefix}/lib/tmpfiles.d +install -m 644 %{SOURCE3} %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf +ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd +rm -rf %{buildroot}/tmp # Remove all development files -find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" -delete -rm -f $RPM_BUILD_ROOT%{_libdir}/opencryptoki/methods +find %{buildroot} -type f -name "*.la" -delete -print +rm -f %{buildroot}%{_libdir}/opencryptoki/methods %pre -%if %{uses_systemd} %{service_add_pre pkcsslotd.service} -%endif # autobuild:/work/cd/lib/misc/group # openCryptoki pkcs11:x:64: -/usr/sbin/groupadd -g %pkcs11_group_id -r pkcs11 2>/dev/null || true -/usr/sbin/usermod -a -G pkcs11 root +%{_sbindir}/groupadd -g %{pkcs11_group_id} -r pkcs11 2>/dev/null || true +%{_sbindir}/usermod -a -G pkcs11 root %preun -%if %{uses_systemd} %{service_del_preun pkcsslotd.service} -%else -%{stop_on_removal pkcsslotd} -%endif %post # Symlink from /var/lib/opencryptoki to /etc/pkcs11 @@ -205,44 +182,30 @@ if [ ! -L %{_sysconfdir}/pkcs11 ] ; then fi fi /sbin/ldconfig -%if %{uses_systemd} %{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf} %{service_add_post pkcsslotd.service} -%else -%{fillup_and_insserv -f pkcsslotd} -%endif %postun if [ -L %{_sysconfdir}/pkcs11 ] ; then rm %{_sysconfdir}/pkcs11 fi -%if %{uses_systemd} %{service_del_postun pkcsslotd.service} -%else -%{restart_on_update pkcsslotd} -%{insserv_cleanup} -%endif -%ifarch %openCryptoki_32bit_arch +%ifarch %{openCryptoki_32bit_arch} %postun 32bit if [ -L %{_sysconfdir}/pkcs11 ] ; then rm %{_sysconfdir}/pkcs11 fi -%if %{uses_systemd} %{service_del_postun pkcsslotd.service} -%else -%{restart_on_update pkcsslotd} -%{insserv_cleanup} -%endif %post 32bit # Old library name links cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods rm -rf %{_libdir}/pkcs11/stdll -test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11 -cd /usr/lib/pkcs11 +test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11 +cd %{_prefix}/lib/pkcs11 ln -sf ../opencryptoki/stdll stdll cd stdll [ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true @@ -251,12 +214,13 @@ cd stdll [ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true /sbin/ldconfig %endif -%ifarch %openCryptoki_64bit_arch + +%ifarch %{openCryptoki_64bit_arch} %post 64bit # Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only. -test -d /usr/lib/pkcs11 || mkdir -p /usr/lib/pkcs11 -ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so64 +test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11 +ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_API.so64 /sbin/ldconfig %endif @@ -268,19 +232,13 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %dir %{_sysconfdir}/opencryptoki %config %{_sysconfdir}/opencryptoki/opencryptoki.conf %ifarch s390 s390x +%{_sbindir}/pkcsep11_session %config %{_sysconfdir}/opencryptoki/ep11tok.conf +%config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf %{_sbindir}/pkcsep11_migrate %endif -%if %{uses_systemd} %{_unitdir}/pkcsslotd.service %{_tmpfilesdir}/opencryptoki.conf -%else -%{_sysconfdir}/init.d/pkcsslotd -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/ccatok -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/swtok -%ghost %dir %attr(770,root,pkcs11) %{_localstatedir}/lock/opencryptoki/tpm -%endif %{_sbindir}/rcpkcsslotd # utilities %{_sbindir}/pkcsslotd @@ -312,7 +270,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %dir %{_libdir}/opencryptoki/stdll %{_includedir}/opencryptoki -%ifarch %openCryptoki_32bit_arch +%ifarch %{openCryptoki_32bit_arch} %files 32bit %defattr(-,root,root) # these don't conflict because they only exist as 64bit binaries if @@ -342,7 +300,7 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so /usr/lib/pkcs11/PKCS11_API.so6 %{_sysconfdir}/ld.so.conf.d/* %endif -%ifarch %openCryptoki_64bit_arch +%ifarch %{openCryptoki_64bit_arch} %files 64bit %defattr(-,root,root) %dir %{_libdir}/opencryptoki diff --git a/opencryptoki-3.11.0.tar.gz b/opencryptoki-3.11.0.tar.gz new file mode 100644 index 0000000..528bddb --- /dev/null +++ b/opencryptoki-3.11.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4d901373b08ed0b0d56a4df5e3f35a7d17142bdc5c5bf9b37c8a10200a08d6fd +size 935891 diff --git a/opencryptoki-3.8.2.tar.gz b/opencryptoki-3.8.2.tar.gz deleted file mode 100644 index 311c181..0000000 --- a/opencryptoki-3.8.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d235d32a6c892139696f3372e203a90d718a5c9896eb536d1a077ea6185abe0e -size 835210