pool/openCryptoki
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
...
pull from: pool:slfo-1.2
Branches Tags
pool:slfo-main pool:factory pool:slfo-1.2

1 Commits
factory ... slfo-1.2

Author SHA256 Message Date
Adrian Schröter
c3bf64bbeb Sync changes to SLFO-1.2 branch 2025-08-20 09:58:19 +02:00
3 changed files with 11 additions and 205 deletions
Expand all files Collapse all files

179
ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
View File

@@ -1,179 +0,0 @@
From 144456ede9897662eed35ac8415d0ecb1c5907e3 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 13 Aug 2025 13:50:24 +0200
Subject: [PATCH] PKCSSLOTD: Remove the use of MD5
The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory
path, for easy checking if the same token directory has already been used by
other tokens.
The use of MD5 for this is just historical, and has no security relevance at
all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so
pkcsslotd will fail to start.
Change the code to use SHA256 instead.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcsslotd/pkcsslotd.h | 6 +---
usr/sbin/pkcsslotd/slotmgr.c | 52 ++++++++++++++--------------------
2 files changed, 23 insertions(+), 35 deletions(-)
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
index ec6a489a5..fa0db30f7 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
@@ -42,11 +42,7 @@
#endif /* DEV */
-#define HASH_SHA1 1
-#define HASH_MD5 2
-#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
-
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest);
+int compute_sha256(char *buf, int buf_size, char *digest);
/********************
* Global Variables *
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index 0c1a5586f..d0d85a85f 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -27,7 +27,7 @@
#include "configuration.h"
#define OBJ_DIR "TOK_OBJ"
-#define MD5_HASH_SIZE 16
+#define SHA256_HASH_SIZE 32
#define DEF_MANUFID "IBM"
@@ -44,8 +44,8 @@
#define DEF_SLOTDESC "Linux"
#endif
-typedef char md5_hash_entry[MD5_HASH_SIZE];
-md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
+typedef char sha256_hash_entry[SHA256_HASH_SIZE];
+sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region.
int shmid;
@@ -86,27 +86,19 @@ void DumpSharedMemory(void)
}
}
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
+int compute_sha256(char *buf, int buf_size, char *digest)
{
EVP_MD_CTX *md_ctx = NULL;
unsigned int result_size;
int rc;
md_ctx = EVP_MD_CTX_create();
-
- switch (hash_type) {
- case HASH_SHA1:
- rc = EVP_DigestInit(md_ctx, EVP_sha1());
- break;
- case HASH_MD5:
- rc = EVP_DigestInit(md_ctx, EVP_md5());
- break;
- default:
- EVP_MD_CTX_destroy(md_ctx);
+ if (md_ctx == NULL) {
+ fprintf(stderr, "EVP_MD_CTX_create() failed\n");
return -1;
- break;
}
+ rc = EVP_DigestInit(md_ctx, EVP_sha256());
if (rc != 1) {
fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
return -1;
@@ -374,12 +366,12 @@ void run_sanity_checks(void)
}
}
-int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table)
+int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table)
{
int i;
for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) {
- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0)
+ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0)
return 1;
}
@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
mode_t proc_umask;
char *tokdir = psinfo->tokname;
char *tokgroup = psinfo->usergroup;
- char token_md5_hash[MD5_HASH_SIZE];
+ char token_sha256_hash[SHA256_HASH_SIZE];
if (psinfo->present == FALSE)
return 0;
@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
*/
if (!tokdir || strlen(tokdir) == 0) {
/*
- * Build the md5 hash from the dll name prefixed with 'dll:' to
+ * Build the SHA256 hash from the dll name prefixed with 'dll:' to
* check for duplicate tokens with no 'tokname'.
*/
snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location);
- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash);
+ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token in slot %llu!\n",
psinfo->slot_number);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
return 0;
}
@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
return -1;
}
- /* calculate md5 hash from token name */
- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash);
+ /* calculate SHA256 hash from token name */
+ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token name '%s'!\n", tokdir);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
/* Create token specific directory */
/* sprintf checked above */

28
openCryptoki.changes
View File

@@ -1,16 +1,5 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Mon Jul 7 15:12:38 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1248002)
* ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
-------------------------------------------------------------------
Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
- Add riscv54 to openCryptoki_64bit_arch
-------------------------------------------------------------------
Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to version 3.25 (jsc#PED-3361) - Upgrade openCryptoki to version 3.25 (jsc#PED-3361)
* Updates/add supports * Updates/add supports
@@ -34,17 +23,17 @@ Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- ocki-3.24-remove-group-from-tests.patch - ocki-3.24-remove-group-from-tests.patch
- ocki-3.24-remove-make-install-chgrp.patch - ocki-3.24-remove-make-install-chgrp.patch
* Applied a new patch for version 3.25 * Applied a new patch for version 3.25
- ocki-3.25-remove-make-install-chgrp.patch - ocki-3.25-remove-make-install-chgrp.patch
* Bug fixes * Bug fixes
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Dec 11 07:25:11 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Wed Dec 11 07:35:28 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki - Moved pkcshsm_mk_change from openCryptoki-devel to openCryptoki
(jsc#PED-10291, jsc#PED-10290) (jsc#PED-10291, jsc#PED-10290)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Tue Dec 10 08:13:46 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290) - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
* Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below: * Changed attributes - %attr(0640,root,%{pkcs_group}) - of files below:
@@ -52,7 +41,7 @@ Tue Dec 10 07:08:59 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf - %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Nov 21 10:42:00 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Mon Nov 25 11:42:14 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the .spec file (jsc#PED-10291, jsc#PED-10290) - Amended the .spec file (jsc#PED-10291, jsc#PED-10290)
- Improved handling of user/group. use existing user/group if they - Improved handling of user/group. use existing user/group if they
@@ -1344,3 +1333,4 @@ Tue Feb 5 11:01:16 CET 2002 - froh@suse.de
Wed Jan 30 16:20:48 CET 2002 - froh@suse.de Wed Jan 30 16:20:48 CET 2002 - froh@suse.de
- initial version - initial version

9
openCryptoki.spec
View File

@@ -1,7 +1,7 @@
# #
# spec file for package openCryptoki # spec file for package openCryptoki
# #
# Copyright (c) 2025 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm} %define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
# support in the workings for: ppc64 # support in the workings for: ppc64
# no support in sight for: ia64 # no support in sight for: ia64
%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64 riscv64 %define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
# autobuild:/work/cd/lib/misc/group # autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64: # openCryptoki pkcs11:x:64:
%define pkcs11_group_id 64 %define pkcs11_group_id 64
@@ -41,7 +41,6 @@ Source3: openCryptoki-rpmlintrc
# and because we don't want(?) various file and directory permissions to be 0700. # and because we don't want(?) various file and directory permissions to be 0700.
Patch000: ocki-3.25-remove-make-install-chgrp.patch Patch000: ocki-3.25-remove-make-install-chgrp.patch
# #
Patch010: ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
# #
BuildRequires: bison BuildRequires: bison
BuildRequires: dos2unix BuildRequires: dos2unix
@@ -327,10 +326,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so %{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%endif %endif
%ifnarch i586
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%endif
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so %{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so %ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so %{_libdir}/opencryptoki/stdll/libpkcs11_sw.so