pool/openCryptoki
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:factory
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
...
pull from: pool:slfo-main
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2

3 Commits
factory ... slfo-main

Author SHA256 Message Date
Nikolay Gueorguiev
385978d731 Upgrade openCryptoki to 3.26 (jsc#PED-14609) 2025-12-12 09:22:59 +01:00
Nikolay Gueorguiev
a4136eb6b0 Applied a patch (bsc#1248002) 2025-10-20 14:39:49 +02:00
Adrian Schröter
c3bf64bbeb Sync changes to SLFO-1.2 branch 2025-08-20 09:58:19 +02:00
6 changed files with 37 additions and 189 deletions
Expand all files Collapse all files

179
ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
View File

@@ -1,179 +0,0 @@
From 144456ede9897662eed35ac8415d0ecb1c5907e3 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Wed, 13 Aug 2025 13:50:24 +0200
Subject: [PATCH] PKCSSLOTD: Remove the use of MD5
The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory
path, for easy checking if the same token directory has already been used by
other tokens.
The use of MD5 for this is just historical, and has no security relevance at
all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so
pkcsslotd will fail to start.
Change the code to use SHA256 instead.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
usr/sbin/pkcsslotd/pkcsslotd.h | 6 +---
usr/sbin/pkcsslotd/slotmgr.c | 52 ++++++++++++++--------------------
2 files changed, 23 insertions(+), 35 deletions(-)
diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
index ec6a489a5..fa0db30f7 100644
--- a/usr/sbin/pkcsslotd/pkcsslotd.h
+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
@@ -42,11 +42,7 @@
#endif /* DEV */
-#define HASH_SHA1 1
-#define HASH_MD5 2
-#define compute_md5(a,b,c) compute_hash(HASH_MD5,b,a,c)
-
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest);
+int compute_sha256(char *buf, int buf_size, char *digest);
/********************
* Global Variables *
diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
index 0c1a5586f..d0d85a85f 100644
--- a/usr/sbin/pkcsslotd/slotmgr.c
+++ b/usr/sbin/pkcsslotd/slotmgr.c
@@ -27,7 +27,7 @@
#include "configuration.h"
#define OBJ_DIR "TOK_OBJ"
-#define MD5_HASH_SIZE 16
+#define SHA256_HASH_SIZE 32
#define DEF_MANUFID "IBM"
@@ -44,8 +44,8 @@
#define DEF_SLOTDESC "Linux"
#endif
-typedef char md5_hash_entry[MD5_HASH_SIZE];
-md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
+typedef char sha256_hash_entry[SHA256_HASH_SIZE];
+sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
Slot_Mgr_Shr_t *shmp; // pointer to the shared memory region.
int shmid;
@@ -86,27 +86,19 @@ void DumpSharedMemory(void)
}
}
-int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
+int compute_sha256(char *buf, int buf_size, char *digest)
{
EVP_MD_CTX *md_ctx = NULL;
unsigned int result_size;
int rc;
md_ctx = EVP_MD_CTX_create();
-
- switch (hash_type) {
- case HASH_SHA1:
- rc = EVP_DigestInit(md_ctx, EVP_sha1());
- break;
- case HASH_MD5:
- rc = EVP_DigestInit(md_ctx, EVP_md5());
- break;
- default:
- EVP_MD_CTX_destroy(md_ctx);
+ if (md_ctx == NULL) {
+ fprintf(stderr, "EVP_MD_CTX_create() failed\n");
return -1;
- break;
}
+ rc = EVP_DigestInit(md_ctx, EVP_sha256());
if (rc != 1) {
fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
return -1;
@@ -374,12 +366,12 @@ void run_sanity_checks(void)
}
}
-int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table)
+int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table)
{
int i;
for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) {
- if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0)
+ if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0)
return 1;
}
@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
mode_t proc_umask;
char *tokdir = psinfo->tokname;
char *tokgroup = psinfo->usergroup;
- char token_md5_hash[MD5_HASH_SIZE];
+ char token_sha256_hash[SHA256_HASH_SIZE];
if (psinfo->present == FALSE)
return 0;
@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
*/
if (!tokdir || strlen(tokdir) == 0) {
/*
- * Build the md5 hash from the dll name prefixed with 'dll:' to
+ * Build the SHA256 hash from the dll name prefixed with 'dll:' to
* check for duplicate tokens with no 'tokname'.
*/
snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location);
- rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash);
+ rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token in slot %llu!\n",
psinfo->slot_number);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
return 0;
}
@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
return -1;
}
- /* calculate md5 hash from token name */
- rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash);
+ /* calculate SHA256 hash from token name */
+ rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash);
if (rc) {
- fprintf(stderr, "Error calculating MD5 of token name!\n");
+ fprintf(stderr, "Error calculating SHA256 of token name!\n");
return -1;
}
/* check for duplicate token names */
- if (is_duplicate(token_md5_hash, tokname_hash_table)) {
+ if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
fprintf(stderr, "Duplicate token name '%s'!\n", tokdir);
return -1;
}
/* add entry into hash table */
- memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
- MD5_HASH_SIZE);
+ memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
+ SHA256_HASH_SIZE);
/* Create token specific directory */
/* sprintf checked above */

4
ocki-3.25-remove-make-install-chgrp.patch → ocki-3.26-remove-make-install-chgrp.patch
View File

@@ -1,5 +1,5 @@
--- a/Makefile.am 2025-06-10 08:52:39.000000000 +0200
+++ b/Makefile.am 2025-06-16 12:25:31.040661532 +0200
--- a/Makefile.am 2025-11-11 08:58:19.000000000 +0100
+++ b/Makefile.am 2025-11-12 10:21:00.563936369 +0100
@@ -51,19 +51,9 @@
include doc/doc.mk

BIN
openCryptoki-3.25.0.tar.gz LFS
View File

Binary file not shown.

BIN
openCryptoki-3.26.0.tar.gz LFS Normal file
View File

Binary file not shown.

31
openCryptoki.changes
View File

@@ -1,3 +1,32 @@
-------------------------------------------------------------------
Wed Nov 12 09:04:02 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade openCryptoki to 3.26
* Soft: Add support for RSA keys up to 16K bits.
* CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
* p11sak: Add support for generating RSA keys up to 16K bits.
* Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
* Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
* p11sak: Add support for SHA-HMAC key types and key generation.
* p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping
with various key wrapping mechanism.
* p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
* p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
* Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
* EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
* p11sak: Add support for generating BLS12-381 EC keys.
* EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and
a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
* CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
* Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
* p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
* Bug fixes.
- Removed obsolete patches
* ocki-3.25-remove-make-install-chgrp.patch
* ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
- Applied a new patch for version 3.26
* ocki-3.26-remove-make-install-chgrp.patch
-------------------------------------------------------------------
Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
@@ -7,7 +36,7 @@ Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
-------------------------------------------------------------------
Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
- Add riscv54 to openCryptoki_64bit_arch
- Add riscv64 to openCryptoki_64bit_arch
-------------------------------------------------------------------
Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

6
openCryptoki.spec
View File

@@ -27,7 +27,7 @@
%define oc_cvs_tag opencryptoki
Name: openCryptoki
Version: 3.25.0
Version: 3.26.0
Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0
@@ -39,9 +39,7 @@ Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-rpmlintrc
# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch000: ocki-3.25-remove-make-install-chgrp.patch
#
Patch010: ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
Patch000: ocki-3.26-remove-make-install-chgrp.patch
#
BuildRequires: bison
BuildRequires: dos2unix